{
  "log": [
    {
      "commit": "a0558fc3491c0494feb8472cf6c0119e43fd9484",
      "tree": "e26a2baaa63c07761686f97cde9aa4aaa527f82f",
      "parents": [
        "d508afb437daee7cf07da085b635c44a4ebf9b38"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Apr 06 20:49:14 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Apr 07 16:08:56 2009 +1000"
      },
      "message": "tomoyo: remove \"undelete domain\" command.\n\nSince TOMOYO\u0027s policy management tools does not use the \"undelete domain\"\ncommand, we decided to remove that command.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "800a964787faef3509d194fa33268628c3d1daa9",
      "tree": "37a722ed9d269d60bc26f6d8f0862d87e45a2424",
      "parents": [
        "385e1ca5f21c4680ad6a46a3aa2ea8af99e99c92"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 03 16:42:40 2009 +0100"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 03 16:42:40 2009 +0100"
      },
      "message": "CacheFiles: Export things for CacheFiles\n\nExport a number of functions for CacheFiles\u0027s use.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Steve Dickson \u003csteved@redhat.com\u003e\nAcked-by: Trond Myklebust \u003cTrond.Myklebust@netapp.com\u003e\nAcked-by: Rik van Riel \u003criel@redhat.com\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nTested-by: Daire Byrne \u003cDaire.Byrne@framestore.com\u003e\n"
    },
    {
      "commit": "8fe74cf053de7ad2124a894996f84fa890a81093",
      "tree": "77dcd8fbf33ce53a3821942233962fb28c6f2848",
      "parents": [
        "c2eb2fa6d2b6fe122d3479ec5b28d978418b2698",
        "ced117c73edc917e96dea7cca98c91383f0792f7"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Apr 02 21:09:10 2009 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Apr 02 21:09:10 2009 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:\n  Remove two unneeded exports and make two symbols static in fs/mpage.c\n  Cleanup after commit 585d3bc06f4ca57f975a5a1f698f65a45ea66225\n  Trim includes of fdtable.h\n  Don\u0027t crap into descriptor table in binfmt_som\n  Trim includes in binfmt_elf\n  Don\u0027t mess with descriptor table in load_elf_binary()\n  Get rid of indirect include of fs_struct.h\n  New helper - current_umask()\n  check_unsafe_exec() doesn\u0027t care about signal handlers sharing\n  New locking/refcounting for fs_struct\n  Take fs_struct handling to new file (fs/fs_struct.c)\n  Get rid of bumping fs_struct refcount in pivot_root(2)\n  Kill unsharing fs_struct in __set_personality()\n"
    },
    {
      "commit": "b4046f00ee7c1e5615261b496cf7309683275b29",
      "tree": "8ef312b95b03f362f7780a37620167c54bf55e8f",
      "parents": [
        "d969fbe69e07fcceb0558b35d4c75eb046041c5e"
      ],
      "author": {
        "name": "Li Zefan",
        "email": "lizf@cn.fujitsu.com",
        "time": "Thu Apr 02 16:57:32 2009 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Apr 02 19:04:55 2009 -0700"
      },
      "message": "devcgroup: avoid using cgroup_lock\n\nThere is nothing special that has to be protected by cgroup_lock,\nso introduce devcgroup_mtuex for it\u0027s own use.\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Balbir Singh \u003cbalbir@in.ibm.com\u003e\nCc: KAMEZAWA Hiroyuki \u003ckamezawa.hiroyu@jp.fujitsu.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "5ad4e53bd5406ee214ddc5a41f03f779b8b2d526",
      "tree": "b3dab5140284b3edf02bf2b13f74bfddb25aa62a",
      "parents": [
        "ce3b0f8d5c2203301fc87f3aaaed73e5819e2a48"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sun Mar 29 19:50:06 2009 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Mar 31 23:00:27 2009 -0400"
      },
      "message": "Get rid of indirect include of fs_struct.h\n\nDon\u0027t pull it in sched.h; very few files actually need it and those\ncan include directly.  sched.h itself only needs forward declaration\nof struct fs_struct;\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "4303154e86597885bc3cbc178a48ccbc8213875f",
      "tree": "11989bcc2ec5d9cd5a1b7952f169ec5cbd8abb8e",
      "parents": [
        "07feee8f812f7327a46186f7604df312c8c81962"
      ],
      "author": {
        "name": "Etienne Basset",
        "email": "etienne.basset@numericable.fr",
        "time": "Fri Mar 27 17:11:01 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Mar 28 15:01:37 2009 +1100"
      },
      "message": "smack: Add a new \u0027-CIPSO\u0027 option to the network address label configuration\n\nThis patch adds a new special option \u0027-CIPSO\u0027 to the Smack subsystem. When used\nin the netlabel list, it means \"use CIPSO networking\". A use case is when your\nlocal network speaks CIPSO and you want also to connect to the unlabeled\nInternet. This patch also add some documentation describing that. The patch\nalso corrects an oops when setting a \u0027\u0027 SMACK64 xattr to a file.\n\nSigned-off-by: Etienne Basset \u003cetienne.basset@numericable.fr\u003e\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "07feee8f812f7327a46186f7604df312c8c81962",
      "tree": "73eac643b60532aa82d7680a7de193ba2b62eddd",
      "parents": [
        "8651d5c0b1f874c5b8307ae2b858bc40f9f02482"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Mar 27 17:10:54 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Mar 28 15:01:37 2009 +1100"
      },
      "message": "netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections\n\nThis patch cleans up a lot of the Smack network access control code.  The\nlargest changes are to fix the labeling of incoming TCP connections in a\nmanner similar to the recent SELinux changes which use the\nsecurity_inet_conn_request() hook to label the request_sock and let the label\nmove to the child socket via the normal network stack mechanisms.  In addition\nto the incoming TCP connection fixes this patch also removes the smk_labled\nfield from the socket_smack struct as the minor optimization advantage was\noutweighed by the difficulty in maintaining it\u0027s proper state.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8651d5c0b1f874c5b8307ae2b858bc40f9f02482",
      "tree": "c09bee8fdc4c659d155b47911dc87ce4c09b6676",
      "parents": [
        "58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Mar 27 17:10:48 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Mar 28 15:01:37 2009 +1100"
      },
      "message": "lsm: Remove the socket_post_accept() hook\n\nThe socket_post_accept() hook is not currently used by any in-tree modules\nand its existence continues to cause problems by confusing people about\nwhat can be safely accomplished using this hook.  If a legitimate need for\nthis hook arises in the future it can always be reintroduced.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2",
      "tree": "41132587adbb6816b56b9d28105826b8ef0fd7b9",
      "parents": [
        "389fb800ac8be2832efedd19978a2b8ced37eb61"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Mar 27 17:10:41 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Mar 28 15:01:37 2009 +1100"
      },
      "message": "selinux: Remove the \"compat_net\" compatibility code\n\nThe SELinux \"compat_net\" is marked as deprecated, the time has come to\nfinally remove it from the kernel.  Further code simplifications are\nlikely in the future, but this patch was intended to be a simple,\nstraight-up removal of the compat_net code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "389fb800ac8be2832efedd19978a2b8ced37eb61",
      "tree": "fa0bc16050dfb491aa05f76b54fa4c167de96376",
      "parents": [
        "284904aa79466a4736f4c775fdbe5c7407fa136c"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Mar 27 17:10:34 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Mar 28 15:01:36 2009 +1100"
      },
      "message": "netlabel: Label incoming TCP connections correctly in SELinux\n\nThe current NetLabel/SELinux behavior for incoming TCP connections works but\nonly through a series of happy coincidences that rely on the limited nature of\nstandard CIPSO (only able to convey MLS attributes) and the write equality\nimposed by the SELinux MLS constraints.  The problem is that network sockets\ncreated as the result of an incoming TCP connection were not on-the-wire\nlabeled based on the security attributes of the parent socket but rather based\non the wire label of the remote peer.  The issue had to do with how IP options\nwere managed as part of the network stack and where the LSM hooks were in\nrelation to the code which set the IP options on these newly created child\nsockets.  While NetLabel/SELinux did correctly set the socket\u0027s on-the-wire\nlabel it was promptly cleared by the network stack and reset based on the IP\noptions of the remote peer.\n\nThis patch, in conjunction with a prior patch that adjusted the LSM hook\nlocations, works to set the correct on-the-wire label format for new incoming\nconnections through the security_inet_conn_request() hook.  Besides the\ncorrect behavior there are many advantages to this change, the most significant\nis that all of the NetLabel socket labeling code in SELinux now lives in hooks\nwhich can return error codes to the core stack which allows us to finally get\nride of the selinux_netlbl_inode_permission() logic which greatly simplfies\nthe NetLabel/SELinux glue code.  In the process of developing this patch I\nalso ran into a small handful of AF_INET6 cleanliness issues that have been\nfixed which should make the code safer and easier to extend in the future.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "a106cbfd1f3703402fc2d95d97e7a054102250f0",
      "tree": "f386efb92e2c68bbd15900b6f14a56c444c28556",
      "parents": [
        "1987f17d2266e882862528841429b5bf67bc8fe5"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Fri Mar 27 13:12:16 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Mar 27 19:03:44 2009 +1100"
      },
      "message": "TOMOYO: Fix a typo.\n\nFix a typo.\n\nReported-by: Pavel Machek \u003cpavel@ucw.cz\u003e\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7198e2eeb44b3fe7cc97f997824002da47a9c644",
      "tree": "4989ad0f9727ac4b861189217760517aa8beea43",
      "parents": [
        "703a3cd72817e99201cef84a8a7aecc60b2b3581"
      ],
      "author": {
        "name": "Etienne Basset",
        "email": "etienne.basset@numericable.fr",
        "time": "Tue Mar 24 20:53:24 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Mar 26 09:17:04 2009 +1100"
      },
      "message": "smack: convert smack to standard linux lists\n\nthe following patch (on top of 2.6.29) converts Smack lists to standard linux lists\nPlease review and consider for inclusion in 2.6.30-rc\n\nregards,\nEtienne\n\nSigned-off-by: Etienne Basset \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n"
    },
    {
      "commit": "703a3cd72817e99201cef84a8a7aecc60b2b3581",
      "tree": "3e943755178ff410694722bb031f523136fbc432",
      "parents": [
        "df7f54c012b92ec93d56b68547351dcdf8a163d3",
        "8e0ee43bc2c3e19db56a4adaa9a9b04ce885cd84"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Mar 24 10:52:46 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Mar 24 10:52:46 2009 +1100"
      },
      "message": "Merge branch \u0027master\u0027 into next\n"
    },
    {
      "commit": "df7f54c012b92ec93d56b68547351dcdf8a163d3",
      "tree": "07039542feca94d4d467c430521319950819a4e1",
      "parents": [
        "dd34b5d75a0405814a3de83f02a44ac297e81629"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Mar 09 14:35:58 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Mar 10 08:40:02 2009 +1100"
      },
      "message": "SELinux: inode_doinit_with_dentry drop no dentry printk\n\nDrop the printk message when an inode is found without an associated\ndentry.  This should only happen when userspace can\u0027t be accessing those\ninodes and those labels will get set correctly on the next d_instantiate.\nThus there is no reason to send this message.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "dd34b5d75a0405814a3de83f02a44ac297e81629",
      "tree": "f24939a7b7f6b33c44939ee4022d7e95b3f670b6",
      "parents": [
        "6a25b27d602aac24f3c642722377ba5d778417ec"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Mar 05 13:43:35 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Mar 06 08:50:21 2009 +1100"
      },
      "message": "SELinux: new permission between tty audit and audit socket\n\nNew selinux permission to separate the ability to turn on tty auditing from\nthe ability to set audit rules.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "6a25b27d602aac24f3c642722377ba5d778417ec",
      "tree": "ba334617326c65ccd98e7f4733c75fa0ac2ae5ca",
      "parents": [
        "113a0e4590881ce579ca992a80ddc562b3372ede"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Mar 05 13:40:35 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Mar 06 08:50:18 2009 +1100"
      },
      "message": "SELinux: open perm for sock files\n\nWhen I did open permissions I didn\u0027t think any sockets would have an open.\nTurns out AF_UNIX sockets can have an open when they are bound to the\nfilesystem namespace.  This patch adds a new SOCK_FILE__OPEN permission.\nIt\u0027s safe to add this as the open perms are already predicated on\ncapabilities and capabilities means we have unknown perm handling so\nsystems should be as backwards compatible as the policy wants them to\nbe.\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id\u003d475224\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "211a40c0870457b29100cffea0180fa5083caf96",
      "tree": "fae71ac7a443a45391ee6049f2300a5c25fe2272",
      "parents": [
        "559595a985e106d2fa9f0c79b7f5805453fed593"
      ],
      "author": {
        "name": "etienne",
        "email": "etienne.basset@numericable.fr",
        "time": "Wed Mar 04 07:33:51 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Mar 05 08:36:34 2009 +1100"
      },
      "message": "smack: fixes for unlabeled host support\n\nThe following patch (against 2.6.29rc5) fixes a few issues in the\nsmack/netlabel \"unlabeled host support\" functionnality that was added in\n2.6.29rc.  It should go in before -final.\n\n1) smack_host_label disregard a \"0.0.0.0/0 @\" rule (or other label),\npreventing \u0027tagged\u0027 tasks to access Internet (many systems drop packets with\nIP options)\n\n2) netmasks were not handled correctly, they were stored in a way _not\nequivalent_ to conversion to be32 (it was equivalent for /0, /8, /16, /24,\n/32 masks but not other masks)\n\n3) smack_netlbladdr prefixes (IP/mask) were not consistent (mask\u0026IP was not\ndone), so there could have been different list entries for the same IP\nprefix; if those entries had different labels, well ...\n\n4) they were not sorted\n\n1) 2) 3) are bugs, 4) is a more cosmetic issue.\nThe patch :\n\n-creates a new helper smk_netlbladdr_insert to insert a smk_netlbladdr,\n-sorted by netmask length\n\n-use the new sorted nature of  smack_netlbladdrs list to simplify\n smack_host_label : the first match _will_ be the more specific\n\n-corrects endianness issues in smk_write_netlbladdr \u0026  netlbladdr_seq_show\n\nSigned-off-by: \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "113a0e4590881ce579ca992a80ddc562b3372ede",
      "tree": "29dd1cd1c5f594efb51cdf9530a90ba2f3f2854e",
      "parents": [
        "454804ab0302b354e35d992d08e53fe03313baaf"
      ],
      "author": {
        "name": "etienne",
        "email": "etienne.basset@numericable.fr",
        "time": "Wed Mar 04 07:33:51 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Mar 05 08:30:01 2009 +1100"
      },
      "message": "smack: fixes for unlabeled host support\n\nThe following patch (against 2.6.29rc5) fixes a few issues in the\nsmack/netlabel \"unlabeled host support\" functionnality that was added in\n2.6.29rc.  It should go in before -final.\n\n1) smack_host_label disregard a \"0.0.0.0/0 @\" rule (or other label),\npreventing \u0027tagged\u0027 tasks to access Internet (many systems drop packets with\nIP options)\n\n2) netmasks were not handled correctly, they were stored in a way _not\nequivalent_ to conversion to be32 (it was equivalent for /0, /8, /16, /24,\n/32 masks but not other masks)\n\n3) smack_netlbladdr prefixes (IP/mask) were not consistent (mask\u0026IP was not\ndone), so there could have been different list entries for the same IP\nprefix; if those entries had different labels, well ...\n\n4) they were not sorted\n\n1) 2) 3) are bugs, 4) is a more cosmetic issue.\nThe patch :\n\n-creates a new helper smk_netlbladdr_insert to insert a smk_netlbladdr,\n-sorted by netmask length\n\n-use the new sorted nature of  smack_netlbladdrs list to simplify\n smack_host_label : the first match _will_ be the more specific\n\n-corrects endianness issues in smk_write_netlbladdr \u0026  netlbladdr_seq_show\n\nSigned-off-by: \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d7f59dc4642ce2fc7b79fcd4ec02ffce7f21eb02",
      "tree": "1557550ed6478a38cc04ad480a5977580d97b5cd",
      "parents": [
        "778ef1e6cbb049c9bcbf405936ee6f2b6e451892"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Feb 27 15:00:03 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Mar 02 09:30:04 2009 +1100"
      },
      "message": "selinux: Fix a panic in selinux_netlbl_inode_permission()\n\nRick McNeal from LSI identified a panic in selinux_netlbl_inode_permission()\ncaused by a certain sequence of SUNRPC operations.  The problem appears to be\ndue to the lack of NULL pointer checking in the function; this patch adds the\npointer checks so the function will exit safely in the cases where the socket\nis not completely initialized.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "454804ab0302b354e35d992d08e53fe03313baaf",
      "tree": "e01a4928e19ac2e8318bc88d0b79970cccc60665",
      "parents": [
        "2ea190d0a006ce5218baa6e798512652446a605a"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Thu Feb 26 18:28:04 2009 -0600"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 27 12:35:15 2009 +1100"
      },
      "message": "keys: make procfiles per-user-namespace\n\nRestrict the /proc/keys and /proc/key-users output to keys\nbelonging to the same user namespace as the reading task.\n\nWe may want to make this more complicated - so that any\nkeys in a user-namespace which is belongs to the reading\ntask are also shown.  But let\u0027s see if anyone wants that\nfirst.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2ea190d0a006ce5218baa6e798512652446a605a",
      "tree": "1d8612678355c77d8ea9f316ef6ce7d80ee6d613",
      "parents": [
        "8ff3bc3138a400294ee9e126ac75fc9a9fae4e0b"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Thu Feb 26 18:27:55 2009 -0600"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 27 12:35:12 2009 +1100"
      },
      "message": "keys: skip keys from another user namespace\n\nWhen listing keys, do not return keys belonging to the\nsame uid in another user namespace.  Otherwise uid 500\nin another user namespace will return keyrings called\nuid.500 for another user namespace.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8ff3bc3138a400294ee9e126ac75fc9a9fae4e0b",
      "tree": "f1e2f21f17268cb9a88446da2f1ced9dbccd5138",
      "parents": [
        "1d1e97562e5e2ac60fb7b25437ba619f95f67fab"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Thu Feb 26 18:27:47 2009 -0600"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 27 12:35:09 2009 +1100"
      },
      "message": "keys: consider user namespace in key_permission\n\nIf a key is owned by another user namespace, then treat the\nkey as though it is owned by both another uid and gid.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1d1e97562e5e2ac60fb7b25437ba619f95f67fab",
      "tree": "68a9c52ecbff0782dd9b9438685afc3b40b6f707",
      "parents": [
        "be38e0fd5f90a91d09e0a85ffb294b70a7be6259"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Thu Feb 26 18:27:38 2009 -0600"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 27 12:35:06 2009 +1100"
      },
      "message": "keys: distinguish per-uid keys in different namespaces\n\nper-uid keys were looked by uid only.  Use the user namespace\nto distinguish the same uid in different namespaces.\n\nThis does not address key_permission.  So a task can for instance\ntry to join a keyring owned by the same uid in another namespace.\nThat will be handled by a separate patch.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "09c50b4a52c01a1f450b8eec819089e228655bfb",
      "tree": "d97bcaf9544e58a8a6bc6aeb40ca9793411d3e79",
      "parents": [
        "586c25003707067f074043d80fb2071671c58db0"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Feb 20 16:33:02 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 23 10:05:55 2009 +1100"
      },
      "message": "selinux: Fix the NetLabel glue code for setsockopt()\n\nAt some point we (okay, I) managed to break the ability for users to use the\nsetsockopt() syscall to set IPv4 options when NetLabel was not active on the\nsocket in question.  The problem was noticed by someone trying to use the\n\"-R\" (record route) option of ping:\n\n # ping -R 10.0.0.1\n ping: record route: No message of desired type\n\nThe solution is relatively simple, we catch the unlabeled socket case and\nclear the error code, allowing the operation to succeed.  Please note that we\nstill deny users the ability to override IPv4 options on socket\u0027s which have\nNetLabel labeling active; this is done to ensure the labeling remains intact.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "be38e0fd5f90a91d09e0a85ffb294b70a7be6259",
      "tree": "8e48b770e6c2012185fd68c0a1098991ad3c56cb",
      "parents": [
        "1581e7ddbdd97443a134e1a0cc9d81256baf77a4"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Feb 20 14:28:29 2009 -0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 23 09:54:53 2009 +1100"
      },
      "message": "integrity: ima iint radix_tree_lookup locking fix\n\nBased on Andrew Morton\u0027s comments:\n- add missing locks around radix_tree_lookup in ima_iint_insert()\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1581e7ddbdd97443a134e1a0cc9d81256baf77a4",
      "tree": "54134783d9b61dea08b434e0d6e447ac8f8924b2",
      "parents": [
        "0da0a420bb542b13ebae142109a9d2045ade0cb1"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Sat Feb 21 20:40:50 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 23 09:45:05 2009 +1100"
      },
      "message": "TOMOYO: Do not call tomoyo_realpath_init unless registered.\n\ntomoyo_realpath_init() is unconditionally called by security_initcall().\nBut nobody will use realpath related functions if TOMOYO is not registered.\n\nSo, let tomoyo_init() call tomoyo_realpath_init().\n\nThis patch saves 4KB of memory allocation if TOMOYO is not registered.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0da0a420bb542b13ebae142109a9d2045ade0cb1",
      "tree": "995a02bed11d55c9f8d963735b12f670ddca19cc",
      "parents": [
        "251a2a958b0455d11b711aeeb57cabad66259461"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Feb 19 21:23:50 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 21 00:29:59 2009 +1100"
      },
      "message": "integrity: ima scatterlist bug fix\n\nBased on Alexander Beregalov\u0027s post http://lkml.org/lkml/2009/2/19/198\n\n- replaced sg_set_buf() with sg_init_one()\n\n kernel BUG at include/linux/scatterlist.h:65!\n invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC\n last sysfs file:\n CPU 2\n Modules linked in:\n Pid: 1, comm: swapper Not tainted 2.6.29-rc5-next-20090219 #5 PowerEdge 1950\n RIP: 0010:[\u003cffffffff8045ec70\u003e]  [\u003cffffffff8045ec70\u003e] ima_calc_hash+0xc0/0x160\n RSP: 0018:ffff88007f46bc40  EFLAGS: 00010286\n RAX: ffffe200032c45e8 RBX: 00000000fffffff4 RCX: 0000000087654321\n RDX: 0000000000000002 RSI: 0000000000000001 RDI: ffff88007cf71048\n RBP: ffff88007f46bcd0 R08: 0000000000000000 R09: 0000000000000163\n R10: ffff88007f4707a8 R11: 0000000000000000 R12: ffff88007cf71048\n R13: 0000000000001000 R14: 0000000000000000 R15: 0000000000009d98\n FS:  0000000000000000(0000) GS:ffff8800051ac000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b\n CR2: 0000000000000000 CR3: 0000000000201000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nTested-by: Alexander Beregalov \u003ca.beregalov@gmail.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "251a2a958b0455d11b711aeeb57cabad66259461",
      "tree": "6e89b9a3f79c4a46573682044188c7d4692f0cb5",
      "parents": [
        "e5a3b95f581da62e2054ef79d3be2d383e9ed664"
      ],
      "author": {
        "name": "Randy Dunlap",
        "email": "randy.dunlap@oracle.com",
        "time": "Wed Feb 18 11:42:33 2009 -0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 19 15:51:10 2009 +1100"
      },
      "message": "smack: fix lots of kernel-doc notation\n\nFix/add kernel-doc notation and fix typos in security/smack/.\n\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e5a3b95f581da62e2054ef79d3be2d383e9ed664",
      "tree": "6a55bf40033c92b2c82fa0643c2511dbe7124b32",
      "parents": [
        "33043cbb9fd49a957089f5948fe814764d7abbd6"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Sat Feb 14 11:46:56 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 16 09:01:48 2009 +1100"
      },
      "message": "TOMOYO: Don\u0027t create securityfs entries unless registered.\n\nTOMOYO should not create /sys/kernel/security/tomoyo/ interface unless\nTOMOYO is registered.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "33043cbb9fd49a957089f5948fe814764d7abbd6",
      "tree": "66be66415be5a1108788291194cc5b2bc89fb6fe",
      "parents": [
        "26036651c562609d1f52d181f9d2cccbf89929b1"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Fri Feb 13 16:00:58 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 12:33:30 2009 +1100"
      },
      "message": "TOMOYO: Fix exception policy read failure.\n\nDue to wrong initialization, \"cat /sys/kernel/security/tomoyo/exception_policy\"\nreturned nothing.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "26036651c562609d1f52d181f9d2cccbf89929b1",
      "tree": "db68ab98d574d6763f562ac87cc7810385496f22",
      "parents": [
        "edf3d1aecd0d608acbd561b0c527e1d41abcb657"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:51:04 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:23:48 2009 +1100"
      },
      "message": "SELinux: convert the avc cache hash list to an hlist\n\nWe do not need O(1) access to the tail of the avc cache lists and so we are\nwasting lots of space using struct list_head instead of struct hlist_head.\nThis patch converts the avc cache to use hlists in which there is a single\npointer from the head which saves us about 4k of global memory.\n\nResulted in about a 1.5% decrease in time spent in avc_has_perm_noaudit based\non oprofile sampling of tbench.  Although likely within the noise....\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "edf3d1aecd0d608acbd561b0c527e1d41abcb657",
      "tree": "49d88ec27a59f602784b47e2f951934d245f7de8",
      "parents": [
        "f1c6381a6e337adcecf84be2a838bd9e610e2365"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:50:59 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:23:45 2009 +1100"
      },
      "message": "SELinux: code readability with avc_cache\n\nThe code making use of struct avc_cache was not easy to read thanks to liberal\nuse of \u0026avc_cache.{slots_lock,slots}[hvalue] throughout.  This patch simply\ncreates local pointers and uses those instead of the long global names.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f1c6381a6e337adcecf84be2a838bd9e610e2365",
      "tree": "a6e0857db27a38b0976fb422836f9443241b4b61",
      "parents": [
        "21193dcd1f3570ddfd8a04f4465e484c1f94252f"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:50:54 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:23:08 2009 +1100"
      },
      "message": "SELinux: remove unused av.decided field\n\nIt appears there was an intention to have the security server only decide\ncertain permissions and leave other for later as some sort of a potential\nperformance win.  We are currently always deciding all 32 bits of\npermissions and this is a useless couple of branches and wasted space.\nThis patch completely drops the av.decided concept.\n\nThis in a 17% reduction in the time spent in avc_has_perm_noaudit\nbased on oprofile sampling of a tbench benchmark.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "21193dcd1f3570ddfd8a04f4465e484c1f94252f",
      "tree": "b6cab3861103261a3ab27ff3ea3485cb53af5a92",
      "parents": [
        "906d27d9d28fd50fb40026e56842d8f6806a7a04"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:50:49 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:23:04 2009 +1100"
      },
      "message": "SELinux: more careful use of avd in avc_has_perm_noaudit\n\nwe are often needlessly jumping through hoops when it comes to avd\nentries in avc_has_perm_noaudit and we have extra initialization and memcpy\nwhich are just wasting performance.  Try to clean the function up a bit.\n\nThis patch resulted in a 13% drop in time spent in avc_has_perm_noaudit in my\noprofile sampling of a tbench benchmark.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "906d27d9d28fd50fb40026e56842d8f6806a7a04",
      "tree": "4f73e1396a09349a307f38b1de19767f558bedb1",
      "parents": [
        "a5dda683328f99c781f92c66cc52ffc0639bef58"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:50:43 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:22:37 2009 +1100"
      },
      "message": "SELinux: remove the unused ae.used\n\nCurrently SELinux code has an atomic which was intended to track how many\ntimes an avc entry was used and to evict entries when they haven\u0027t been\nused recently.  Instead we never let this atomic get above 1 and evict when\nit is first checked for eviction since it hits zero.  This is a total waste\nof time so I\u0027m completely dropping ae.used.\n\nThis change resulted in about a 3% faster avc_has_perm_noaudit when running\noprofile against a tbench benchmark.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "a5dda683328f99c781f92c66cc52ffc0639bef58",
      "tree": "2432f51e505fd9242f7081d5bf4e21ff322b73d6",
      "parents": [
        "4cb912f1d1447077160ace9ce3b3a10696dd74e5"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:50:11 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:22:34 2009 +1100"
      },
      "message": "SELinux: check seqno when updating an avc_node\n\nThe avc update node callbacks do not check the seqno of the caller with the\nseqno of the node found.  It is possible that a policy change could happen\n(although almost impossibly unlikely) in which a permissive or\npermissive_domain decision is not valid for the entry found.  Simply pass\nand check that the seqno of the caller and the seqno of the node found\nmatch.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4cb912f1d1447077160ace9ce3b3a10696dd74e5",
      "tree": "916f112de07ca626b0f398a0fc85943f15306146",
      "parents": [
        "4ba0a8ad63e12a03ae01c039482967cc496b9174"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:50:05 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:22:30 2009 +1100"
      },
      "message": "SELinux: NULL terminate al contexts from disk\n\nWhen a context is pulled in from disk we don\u0027t know that it is null\nterminated.  This patch forcibly null terminates contexts when we pull\nthem from disk.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4ba0a8ad63e12a03ae01c039482967cc496b9174",
      "tree": "340aa55aa98cc42c33cff4297f0813f14f46b121",
      "parents": [
        "200ac532a4bc3134147ca06686c56a6420e66c46"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 15:01:10 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:22:27 2009 +1100"
      },
      "message": "SELinux: better printk when file with invalid label found\n\nCurrently when an inode is read into the kernel with an invalid label\nstring (can often happen with removable media) we output a string like:\n\nSELinux: inode_doinit_with_dentry:  context_to_sid([SOME INVALID LABEL])\nreturned -22 dor dev\u003d[blah] ino\u003d[blah]\n\nWhich is all but incomprehensible to all but a couple of us.  Instead, on\nEINVAL only, I plan to output a much more user friendly string and I plan to\nratelimit the printk since many of these could be generated very rapidly.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "200ac532a4bc3134147ca06686c56a6420e66c46",
      "tree": "f9b1779458df389052c758ea23cf61695a021e67",
      "parents": [
        "b53fab9d48e9bd9aeba0b500dec550becd981a91"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 15:01:04 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:22:24 2009 +1100"
      },
      "message": "SELinux: call capabilities code directory\n\nFor cleanliness and efficiency remove all calls to secondary-\u003e and instead\ncall capabilities code directly.  capabilities are the only module that\nselinux stacks with and so the code should not indicate that other stacking\nmight be possible.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b53fab9d48e9bd9aeba0b500dec550becd981a91",
      "tree": "19e17d0aa255624bf6455ac35a5089ac550abdb6",
      "parents": [
        "35d50e60e8b12e4adc2fa317343a176d87294a72"
      ],
      "author": {
        "name": "Randy Dunlap",
        "email": "randy.dunlap@oracle.com",
        "time": "Thu Feb 12 09:54:14 2009 -0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 13 09:27:56 2009 +1100"
      },
      "message": "ima: fix build error\n\nIMA_LSM_RULES requires AUDIT.  This is automatic if SECURITY_SELINUX\u003dy\nbut not when SECURITY_SMACK\u003dy (and SECURITY_SELINUX\u003dn), so make the\ndependency explicit.  This fixes the following build error:\n\nsecurity/integrity/ima/ima_policy.c:111:error: implicit declaration of function \u0027security_audit_rule_match\u0027\nsecurity/integrity/ima/ima_policy.c:230:error: implicit declaration of function \u0027security_audit_rule_init\u0027\n\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "35d50e60e8b12e4adc2fa317343a176d87294a72",
      "tree": "d4374d08677dafdf940fc8bdaaadc0aeefa06126",
      "parents": [
        "42d5aaa2d826f54924e260b58a8e410e59d54163"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Thu Feb 12 15:53:38 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 20:21:10 2009 +1100"
      },
      "message": "tomoyo: fix sparse warning\n\nFix sparse warning.\n\n$ make C\u003d2 SUBDIRS\u003dsecurity/tomoyo CF\u003d\"-D__cold__\u003d\"\n CHECK   security/tomoyo/common.c\n CHECK   security/tomoyo/realpath.c\n CHECK   security/tomoyo/tomoyo.c\nsecurity/tomoyo/tomoyo.c:110:8: warning: symbol \u0027buf\u0027 shadows an earlier one\nsecurity/tomoyo/tomoyo.c:100:7: originally declared here\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "42d5aaa2d826f54924e260b58a8e410e59d54163",
      "tree": "64e3c400671d3adf1ed40f5179e95655400ce1cc",
      "parents": [
        "d74db3b22a75fac474abe711f582ffe25eacce25"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 16:29:04 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 16:29:04 2009 +1100"
      },
      "message": "security: change link order of LSMs so security\u003dtomoyo works\n\nLSMs need to be linked before root_plug to ensure the security\u003d\nboot parameter works with them.  Do this for Tomoyo.\n\n(root_plug probably needs to be taken out and shot at some point,\ntoo).\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "00d7d6f840ddc947237307e022de5e75ded4105f",
      "tree": "53669494101f93becdd401be2e70073bc7c6fe0b",
      "parents": [
        "f7433243770c77979c396b4c7449a10e9b3521db"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:17 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:19:00 2009 +1100"
      },
      "message": "Kconfig and Makefile\n\nTOMOYO uses LSM hooks for pathname based access control and securityfs support.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f7433243770c77979c396b4c7449a10e9b3521db",
      "tree": "8bcb3d92ddb65b73f1802c5476d75f92814477d8",
      "parents": [
        "26a2a1c9eb88d9aca8891575b3b986812e073872"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:16 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:05 2009 +1100"
      },
      "message": "LSM adapter functions.\n\nDAC\u0027s permissions and TOMOYO\u0027s permissions are not one-to-one mapping.\n\nRegarding DAC, there are \"read\", \"write\", \"execute\" permissions.\nRegarding TOMOYO, there are \"allow_read\", \"allow_write\", \"allow_read/write\",\n\"allow_execute\", \"allow_create\", \"allow_unlink\", \"allow_mkdir\", \"allow_rmdir\",\n\"allow_mkfifo\", \"allow_mksock\", \"allow_mkblock\", \"allow_mkchar\",\n\"allow_truncate\", \"allow_symlink\", \"allow_rewrite\", \"allow_link\",\n\"allow_rename\" permissions.\n\n+----------------------------------+----------------------------------+\n| requested operation              | required TOMOYO\u0027s permission     |\n+----------------------------------+----------------------------------+\n| sys_open(O_RDONLY)               | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_open(O_WRONLY)               | allow_write                      |\n+----------------------------------+----------------------------------+\n| sys_open(O_RDWR)                 | allow_read/write                 |\n+----------------------------------+----------------------------------+\n| open_exec() from do_execve()     | allow_execute                    |\n+----------------------------------+----------------------------------+\n| open_exec() from !do_execve()    | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_read()                       | (none)                           |\n+----------------------------------+----------------------------------+\n| sys_write()                      | (none)                           |\n+----------------------------------+----------------------------------+\n| sys_mmap()                       | (none)                           |\n+----------------------------------+----------------------------------+\n| sys_uselib()                     | allow_read     
                  |\n+----------------------------------+----------------------------------+\n| sys_open(O_CREAT)                | allow_create                     |\n+----------------------------------+----------------------------------+\n| sys_open(O_TRUNC)                | allow_truncate                   |\n+----------------------------------+----------------------------------+\n| sys_truncate()                   | allow_truncate                   |\n+----------------------------------+----------------------------------+\n| sys_ftruncate()                  | allow_truncate                   |\n+----------------------------------+----------------------------------+\n| sys_open() without O_APPEND      | allow_rewrite                    |\n+----------------------------------+----------------------------------+\n| setfl() without O_APPEND         | allow_rewrite                    |\n+----------------------------------+----------------------------------+\n| sys_sysctl() for writing         | allow_write                      |\n+----------------------------------+----------------------------------+\n| sys_sysctl() for reading         | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_unlink()                     | allow_unlink                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFREG)               | allow_create                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(0)                     | allow_create                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFIFO)               | allow_mkfifo                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFSOCK)              | allow_mksock                     |\n+----------------------------------+----------------------------------+\n| 
sys_bind(AF_UNIX)                | allow_mksock                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFBLK)               | allow_mkblock                    |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFCHR)               | allow_mkchar                     |\n+----------------------------------+----------------------------------+\n| sys_symlink()                    | allow_symlink                    |\n+----------------------------------+----------------------------------+\n| sys_mkdir()                      | allow_mkdir                      |\n+----------------------------------+----------------------------------+\n| sys_rmdir()                      | allow_rmdir                      |\n+----------------------------------+----------------------------------+\n| sys_link()                       | allow_link                       |\n+----------------------------------+----------------------------------+\n| sys_rename()                     | allow_rename                     |\n+----------------------------------+----------------------------------+\n\nTOMOYO requires \"allow_execute\" permission of a pathname passed to do_execve()\nbut does not require \"allow_read\" permission of that pathname.\nLet\u0027s consider 3 patterns (statically linked, dynamically linked,\nshell script). This description is to some degree simplified.\n\n  $ cat hello.c\n  #include \u003cstdio.h\u003e\n  int main() {\n          printf(\"Hello\\n\");\n          return 0;\n  }\n  $ cat hello.sh\n  #! 
/bin/sh\n  echo \"Hello\"\n  $ gcc -static -o hello-static hello.c\n  $ gcc -o hello-dynamic hello.c\n  $ chmod 755 hello.sh\n\nCase 1 -- Executing hello-static from bash.\n\n  (1) The bash process calls fork() and the child process requests\n      do_execve(\"hello-static\").\n\n  (2) The kernel checks \"allow_execute hello-static\" from \"bash\" domain.\n\n  (3) The kernel calculates \"bash hello-static\" as the domain to transit to.\n\n  (4) The kernel overwrites the child process by \"hello-static\".\n\n  (5) The child process transits to \"bash hello-static\" domain.\n\n  (6) The \"hello-static\" starts and finishes.\n\nCase 2 -- Executing hello-dynamic from bash.\n\n  (1) The bash process calls fork() and the child process requests\n      do_execve(\"hello-dynamic\").\n\n  (2) The kernel checks \"allow_execute hello-dynamic\" from \"bash\" domain.\n\n  (3) The kernel calculates \"bash hello-dynamic\" as the domain to transit to.\n\n  (4) The kernel checks \"allow_read ld-linux.so\" from \"bash hello-dynamic\"\n      domain. 
I think permission to access ld-linux.so should be charged\n      hello-dynamic program, for \"hello-dynamic needs ld-linux.so\" is not\n      a fault of bash program.\n\n  (5) The kernel overwrites the child process by \"hello-dynamic\".\n\n  (6) The child process transits to \"bash hello-dynamic\" domain.\n\n  (7) The \"hello-dynamic\" starts and finishes.\n\nCase 3 -- Executing hello.sh from bash.\n\n  (1) The bash process calls fork() and the child process requests\n      do_execve(\"hello.sh\").\n\n  (2) The kernel checks \"allow_execute hello.sh\" from \"bash\" domain.\n\n  (3) The kernel calculates \"bash hello.sh\" as the domain to transit to.\n\n  (4) The kernel checks \"allow_read /bin/sh\" from \"bash hello.sh\" domain.\n      I think permission to access /bin/sh should be charged hello.sh program,\n      for \"hello.sh needs /bin/sh\" is not a fault of bash program.\n\n  (5) The kernel overwrites the child process by \"/bin/sh\".\n\n  (6) The child process transits to \"bash hello.sh\" domain.\n\n  (7) The \"/bin/sh\" requests open(\"hello.sh\").\n\n  (8) The kernel checks \"allow_read hello.sh\" from  \"bash hello.sh\" domain.\n\n  (9) The \"/bin/sh\" starts and finishes.\n\nWhether a file is interpreted as a program or not depends on an application.\nThe kernel cannot know whether the file is interpreted as a program or not.\nThus, TOMOYO treats \"hello-static\" \"hello-dynamic\" \"ld-linux.so\" \"hello.sh\"\n\"/bin/sh\" equally as merely files; no distinction between executable and\nnon-executable. Therefore, TOMOYO doesn\u0027t check DAC\u0027s execute permission.\nTOMOYO checks \"allow_read\" permission instead.\n\nCalling do_execve() is a bold gesture that an old program\u0027s instance (i.e.\ncurrent process) is ready to be overwritten by a new program and is ready to\ntransfer control to the new program. 
To split purview of programs, TOMOYO\nrequires \"allow_execute\" permission of the new program against the old\nprogram\u0027s instance and performs domain transition. If do_execve() succeeds,\nthe old program is no longer responsible against the consequence of the new\nprogram\u0027s behavior. Only the new program is responsible for all consequences.\n\nBut TOMOYO doesn\u0027t require \"allow_read\" permission of the new program.\nIf TOMOYO requires \"allow_read\" permission of the new program, TOMOYO will\nallow an attacker (who hijacked the old program\u0027s instance) to open the new\nprogram and steal data from the new program. Requiring \"allow_read\" permission\nwill widen purview of the old program.\n\nNot requiring \"allow_read\" permission of the new program against the old\nprogram\u0027s instance is my design for reducing purview of the old program.\nTo be able to know whether the current process is in do_execve() or not,\nI want to add in_execve flag to \"task_struct\".\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "26a2a1c9eb88d9aca8891575b3b986812e073872",
      "tree": "4abec8ee7800aa52c1055ad74185156c7894e743",
      "parents": [
        "b69a54ee582373d76e4b5560970db5b8c618b12a"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:15 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:05 2009 +1100"
      },
      "message": "Domain transition handler.\n\nThis file controls domain creation/deletion/transition.\n\nEvery process belongs to a domain in TOMOYO Linux.\nDomain transition occurs when execve(2) is called\nand the domain is expressed as \u0027process invocation history\u0027,\nsuch as \u0027\u003ckernel\u003e /sbin/init /etc/init.d/rc\u0027.\nDomain information is stored in current-\u003ecred-\u003esecurity field.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b69a54ee582373d76e4b5560970db5b8c618b12a",
      "tree": "5889c074f7885187104906c921da0bab318bfe64",
      "parents": [
        "9590837b89aaa4523209ac91c52db5ea0d9142fd"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:14 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:05 2009 +1100"
      },
      "message": "File operation restriction part.\n\nThis file controls file related operations of TOMOYO Linux.\n\ntomoyo/tomoyo.c calls the following six functions in this file.\nEach function handles the following access types.\n\n * tomoyo_check_file_perm\nsysctl()\u0027s \"read\" and \"write\".\n\n * tomoyo_check_exec_perm\n\"execute\".\n\n * tomoyo_check_open_permission\nopen(2) for \"read\" and \"write\".\n\n * tomoyo_check_1path_perm\n\"create\", \"unlink\", \"mkdir\", \"rmdir\", \"mkfifo\",\n\"mksock\", \"mkblock\", \"mkchar\", \"truncate\" and \"symlink\".\n\n * tomoyo_check_2path_perm\n\"rename\" and \"unlink\".\n\n * tomoyo_check_rewrite_permission\n\"rewrite\".\n(\"rewrite\" are operations which may lose already recorded data of a file,\ni.e. open(!O_APPEND) || open(O_TRUNC) || truncate() || ftruncate())\n\nThe functions which actually checks ACLs are the following three functions.\nEach function handles the following access types.\nACL directive is expressed by \"allow_\u003caccess type\u003e\".\n\n * tomoyo_check_file_acl\nOpen() operation and execve() operation.\n(\"read\", \"write\", \"read/write\" and \"execute\")\n\n * tomoyo_check_single_write_acl\nDirectory modification operations with 1 pathname.\n(\"create\", \"unlink\", \"mkdir\", \"rmdir\", \"mkfifo\", \"mksock\",\n \"mkblock\", \"mkchar\", \"truncate\", \"symlink\" and \"rewrite\")\n\n * tomoyo_check_double_write_acl\nDirectory modification operations with 2 pathname.\n(\"link\" and \"rename\")\n\nAlso, this file contains handlers of some utility directives\nfor file related operations.\n\n * \"allow_read\":   specifies globally (for all domains) readable files.\n * \"path_group\":   specifies pathname macro.\n * \"deny_rewrite\": restricts rewrite operation.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "9590837b89aaa4523209ac91c52db5ea0d9142fd",
      "tree": "0e7e3febb1f6106be0e45c281309078f6c1cd7e6",
      "parents": [
        "c73bd6d473ceb5d643d3afd7e75b7dc2e6918558"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:13 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:04 2009 +1100"
      },
      "message": "Common functions for TOMOYO Linux.\n\nThis file contains common functions (e.g. policy I/O, pattern matching).\n\n-------------------- About pattern matching --------------------\n\nSince TOMOYO Linux is a name based access control, TOMOYO Linux seriously\nconsiders \"safe\" string representation.\n\nTOMOYO Linux\u0027s string manipulation functions make reviewers feel crazy,\nbut there are reasons why TOMOYO Linux needs its own string manipulation\nfunctions.\n\n----- Part 1 : preconditions -----\n\nPeople definitely want to use wild card.\n\n  To support pattern matching, we have to support wild card characters.\n\n  In a typical Linux system, filenames are likely consists of only alphabets,\n  numbers, and some characters (e.g. + - ~ . / ).\n  But theoretically, the Linux kernel accepts all characters but NUL character\n  (which is used as a terminator of a string).\n\n    Some Linux systems can have filenames which contain * ? ** etc.\n\nTherefore, we have to somehow modify string so that we can distinguish\nwild card characters and normal characters.\n\n  It might be possible for some application\u0027s configuration files to restrict\n  acceptable characters.\n  It is impossible for kernel to restrict acceptable characters.\n\n    We can\u0027t accept approaches which will cause troubles for applications.\n\n----- Part 2 : commonly used approaches -----\n\nText formatted strings separated by space character (0x20) and new line\ncharacter (0x0A) is more preferable for users over array of NUL-terminated\nstring.\n\n  Thus, people use text formatted configuration files separated by space\n  character and new line.\n\nWe sometimes need to handle non-printable characters.\n\n  Thus, people use \\ character (0x5C) as escape character and represent\n  non-printable characters using octal or hexadecimal format.\n\nAt this point, we remind (at least) 3 approaches.\n\n  (1) Shell glob style expression\n  (2) POSIX regular expression (UNIX style 
regular expression)\n  (3) Maverick wild card expression\n\nOn the surface, (1) and (2) sound good choices. But they have a big pitfall.\nAll meta-characters in (1) and (2) are legal characters for representing\na pathname, and users easily write incorrect expression. What is worse, users\nunlikely notice incorrect expressions because characters used for regular\npathnames unlikely contain meta-characters. This incorrect use of\nmeta-characters in pathname representation reveals vulnerability\n(e.g. unexpected results) only when irregular pathname is specified.\n\nThe authors of TOMOYO Linux think that approaches which adds some character\nfor interpreting meta-characters as normal characters (i.e. (1) and (2)) are\nnot suitable for security use.\n\nTherefore, the authors of TOMOYO Linux propose (3).\n\n----- Part 3: consideration points -----\n\nWe need to solve encoding problem.\n\n  A single character can be represented in several ways using encodings.\n\n    For Japanese language, there are \"ShiftJIS\", \"ISO-2022-JP\", \"EUC-JP\",\n    \"UTF-8\" and more.\n\n  Some languages (e.g. Japanese language) supports multi-byte characters\n  (where a single character is represented using several bytes).\n\n    Some multi-byte characters may match the escape character.\n\n    For Japanese language, some characters in \"ShiftJIS\" encoding match\n    \\ character, and bothering Web\u0027s CGI developers.\n\n  It is important that the kernel string is not bothered by encoding problem.\n\n    Linus said, \"I really would expect that kernel strings don\u0027t have\n    an encoding. They\u0027re just C strings: a NUL-terminated stream of bytes.\"\n    http://lkml.org/lkml/2007/11/6/142\n\n    Yes. 
The kernel strings are just C strings.\n    We are talking about how to store and carry \"kernel strings\" safely.\n\n  If we store \"kernel string\" into policy file as-is, the \"kernel string\" will\n  be interpreted differently depending on application\u0027s encoding settings.\n  One application may interpret \"kernel string\" as \"UTF-8\",\n  another application may interpret \"kernel string\" as \"ShiftJIS\".\n\n    Therefore, we propose to represent strings using ASCII encoding.\n    In this way, we are no longer bothered by encoding problems.\n\nWe need to avoid information loss caused by display.\n\n  It is difficult to input and display non-printable characters, but we have to\n  be able to handle such characters because the kernel string is a C string.\n\n  If we use only ASCII printable characters (from 0x21 to 0x7E) and space\n  character (0x20) and new line character (0x0A), it is easy to input from\n  keyboard and display on all terminals which is running Linux.\n\n  Therefore, we propose to represent strings using only characters which value\n  is one of \"from 0x21 to 0x7E\", \"0x20\", \"0x0A\".\n\nWe need to consider ease of splitting strings from a line.\n\n  If we use an approach which uses \"\\ \" for representing a space character\n  within a string, we have to count the string from the beginning to check\n  whether this space character is accompanied with \\ character or not.\n  As a result, we cannot monotonically split a line using space character.\n\n  If we use an approach which uses \"\\040\" for representing a space character\n  within a string, we can monotonically split a line using space character.\n\n  If we use an approach which uses NUL character as a delimiter, we cannot\n  use string manipulation functions for splitting strings from a line.\n\n  Therefore, we propose that we represent space character as \"\\040\".\n\nWe need to avoid wrong designations (incorrect use of special characters).\n\n  Not all users can understand and 
utilize POSIX\u0027s regular expressions\n  correctly and perfectly.\n\n  If a character acts as a wild card by default, the user will get unexpected\n  result if that user didn\u0027t know the meaning of that character.\n\n    Therefore, we propose that all characters but \\ character act as\n    a normal character and let the user add \\ character to make a character\n    act as a wild card.\n\n    In this way, users needn\u0027t to know all wild card characters beforehand.\n    They can learn when they encountered an unseen wild card character\n    for their first time.\n\n----- Part 4: supported wild card expressions -----\n\nAt this point, we have wild card expressions listed below.\n\n  +-----------+--------------------------------------------------------------+\n  | Wild card | Meaning and example                                          |\n  +-----------+--------------------------------------------------------------+\n  |   \\*      | More than or equals to 0 character other than \u0027/\u0027.           |\n  |           |           /var/log/samba/\\*                                  |\n  +-----------+--------------------------------------------------------------+\n  |   \\@      | More than or equals to 0 character other than \u0027/\u0027 or \u0027.\u0027.    |\n  |           |           /var/www/html/\\@.html                              |\n  +-----------+--------------------------------------------------------------+\n  |   \\?      | 1 byte character other than \u0027/\u0027.                             |\n  |           |           /tmp/mail.\\?\\?\\?\\?\\?\\?                             |\n  +-----------+--------------------------------------------------------------+\n  |   \\$      | More than or equals to 1 decimal digit.                      |\n  |           |           /proc/\\$/cmdline                                   |\n  +-----------+--------------------------------------------------------------+\n  |   \\+      | 1 decimal digit.              
                               |\n  |           |           /var/tmp/my_work.\\+                                |\n  +-----------+--------------------------------------------------------------+\n  |   \\X      | More than or equals to 1 hexadecimal digit.                  |\n  |           |           /var/tmp/my-work.\\X                                |\n  +-----------+--------------------------------------------------------------+\n  |   \\x      | 1 hexadecimal digit.                                         |\n  |           |           /tmp/my-work.\\x                                    |\n  +-----------+--------------------------------------------------------------+\n  |   \\A      | More than or equals to 1 alphabet character.                 |\n  |           |           /var/log/my-work/\\$-\\A-\\$.log                      |\n  +-----------+--------------------------------------------------------------+\n  |   \\a      | 1 alphabet character.                                        |\n  |           |           /home/users/\\a/\\*/public_html/\\*.html              |\n  +-----------+--------------------------------------------------------------+\n  |   \\-      | Pathname subtraction operator.                               |\n  |           | +---------------------+------------------------------------+ |\n  |           | | Example             | Meaning                            | |\n  |           | +---------------------+------------------------------------+ |\n  |           | | /etc/\\*             | All files in /etc/ directory.      
| |\n  |           | +---------------------+------------------------------------+ |\n  |           | | /etc/\\*\\-\\*shadow\\* | /etc/\\* other than /etc/\\*shadow\\* | |\n  |           | +---------------------+------------------------------------+ |\n  |           | | /\\*\\-proc\\-sys/     | /\\*/ other than /proc/ /sys/       | |\n  |           | +---------------------+------------------------------------+ |\n  +-----------+--------------------------------------------------------------+\n\n  +----------------+---------------------------------------------------------+\n  | Representation | Meaning and example                                     |\n  +----------------+---------------------------------------------------------+\n  |   \\\\           | backslash character itself.                             |\n  +----------------+---------------------------------------------------------+\n  |   \\ooo         | 1 byte character.                                       |\n  |                | ooo is 001 \u003c\u003d ooo \u003c\u003d 040 || 177 \u003c\u003d ooo \u003c\u003d 377.          |\n  |                |                                                         |\n  |                |           \\040 for space character.                     |\n  |                |           \\177 for del character.                       
|\n  |                |                                                         |\n  +----------------+---------------------------------------------------------+\n\n----- Part 5: Advantages -----\n\nWe can obtain extensibility.\n\n  Since our proposed approach adds \\ to a character to interpret as a wild\n  card, we can introduce new wild card in future while maintaining backward\n  compatibility.\n\nWe can process monotonically.\n\n  Since our proposed approach separates strings using a space character,\n  we can split strings using existing string manipulation functions.\n\nWe can reliably analyze access logs.\n\n  It is guaranteed that a string doesn\u0027t contain space character (0x20) and\n  new line character (0x0A).\n\n  It is guaranteed that a string won\u0027t be converted by FTP and won\u0027t be damaged\n  by a terminal\u0027s settings.\n\n  It is guaranteed that a string won\u0027t be affected by encoding converters\n  (except encodings which insert NUL character (e.g. UTF-16)).\n\n----- Part 6: conclusion -----\n\nTOMOYO Linux is using its own encoding with reasons described above.\nThere is a disadvantage that we need to introduce a series of new string\nmanipulation functions. But TOMOYO Linux\u0027s encoding is useful for all users\n(including audit and AppArmor) who want to perform pattern matching and\nsafely exchange string information between the kernel and the userspace.\n\n-------------------- About policy interface --------------------\n\nTOMOYO Linux creates the following files on securityfs (normally\nmounted on /sys/kernel/security) as interfaces between kernel and\nuserspace. 
These files are for TOMOYO Linux management tools *only*,\nnot for general programs.\n\n  * profile\n  * exception_policy\n  * domain_policy\n  * manager\n  * meminfo\n  * self_domain\n  * version\n  * .domain_status\n  * .process_status\n\n** /sys/kernel/security/tomoyo/profile **\n\nThis file is used to read or write profiles.\n\n\"profile\" means a running mode of process. A profile lists up\nfunctions and their modes in \"$number-$variable\u003d$value\" format. The\n$number is profile number between 0 and 255. Each domain is assigned\none profile. To assign profile to domains, use \"ccs-setprofile\" or\n\"ccs-editpolicy\" or \"ccs-loadpolicy\" commands.\n\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/profile\n0-COMMENT\u003d-----Disabled Mode-----\n0-MAC_FOR_FILE\u003ddisabled\n0-MAX_ACCEPT_ENTRY\u003d2048\n0-TOMOYO_VERBOSE\u003ddisabled\n1-COMMENT\u003d-----Learning Mode-----\n1-MAC_FOR_FILE\u003dlearning\n1-MAX_ACCEPT_ENTRY\u003d2048\n1-TOMOYO_VERBOSE\u003ddisabled\n2-COMMENT\u003d-----Permissive Mode-----\n2-MAC_FOR_FILE\u003dpermissive\n2-MAX_ACCEPT_ENTRY\u003d2048\n2-TOMOYO_VERBOSE\u003denabled\n3-COMMENT\u003d-----Enforcing Mode-----\n3-MAC_FOR_FILE\u003denforcing\n3-MAX_ACCEPT_ENTRY\u003d2048\n3-TOMOYO_VERBOSE\u003denabled\n\n- MAC_FOR_FILE:\nSpecifies access control level regarding file access requests.\n- MAX_ACCEPT_ENTRY:\nLimits the max number of ACL entries that are automatically appended\nduring learning mode. Default is 2048.\n- TOMOYO_VERBOSE:\nSpecifies whether to print domain policy violation messages or not.\n\n** /sys/kernel/security/tomoyo/manager **\n\nThis file is used to read or append the list of programs or domains\nthat can write to /sys/kernel/security/tomoyo interface. By default,\nonly processes with both UID \u003d 0 and EUID \u003d 0 can modify policy via\n/sys/kernel/security/tomoyo interface. 
You can use keyword\n\"manage_by_non_root\" to allow policy modification by non root user.\n\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/manager\n/usr/lib/ccs/loadpolicy\n/usr/lib/ccs/editpolicy\n/usr/lib/ccs/setlevel\n/usr/lib/ccs/setprofile\n/usr/lib/ccs/ld-watch\n/usr/lib/ccs/ccs-queryd\n\n** /sys/kernel/security/tomoyo/exception_policy **\n\nThis file is used to read and write system global settings. Each line\nhas a directive and operand pair. Directives are listed below.\n\n- initialize_domain:\nTo initialize domain transition when specific program is executed,\nuse initialize_domain directive.\n  * initialize_domain \"program\" from \"domain\"\n  * initialize_domain \"program\" from \"the last program part of domain\"\n  * initialize_domain \"program\"\nIf the part \"from\" and after is not given, the entry is applied to\nall domain. If the \"domain\" doesn\u0027t start with \"\u003ckernel\u003e\", the entry\nis applied to all domain whose domainname ends with \"the last program\npart of domain\".\nThis directive is intended to aggregate domain transitions for daemon\nprogram and program that are invoked by the kernel on demand, by\ntransiting to different domain.\n\n- keep_domain\nTo prevent domain transition when program is executed from specific\ndomain, use keep_domain directive.\n  * keep_domain \"program\" from \"domain\"\n  * keep_domain \"program\" from \"the last program part of domain\"\n  * keep_domain \"domain\"\n  * keep_domain \"the last program part of domain\"\nIf the part \"from\" and before is not given, this entry is applied to\nall program. 
If the \"domain\" doesn\u0027t start with \"\u003ckernel\u003e\", the entry\nis applied to all domain whose domainname ends with \"the last program\npart of domain\".\nThis directive is intended to reduce total number of domains and\nmemory usage by suppressing unneeded domain transitions.\nTo declare domain keepers, use keep_domain directive followed by\ndomain definition.\nAny process that belongs to any domain declared with this directive,\nthe process stays at the same domain unless any program registered\nwith initialize_domain directive is executed.\n\nIn order to control domain transition in detail, you can use\nno_keep_domain/no_initialize_domain keywords.\n\n- alias:\nTo allow executing programs using the name of symbolic links, use\nalias keyword followed by dereferenced pathname and reference\npathname. For example, /sbin/pidof is a symbolic link to\n/sbin/killall5 . In normal case, if /sbin/pidof is executed, the\ndomain is defined as if /sbin/killall5 is executed. By specifying\n\"alias /sbin/killall5 /sbin/pidof\", you can run /sbin/pidof in the\ndomain for /sbin/pidof .\n(Example)\nalias /sbin/killall5 /sbin/pidof\n\n- allow_read:\nTo grant unconditionally readable permissions, use allow_read keyword\nfollowed by canonicalized file. This keyword is intended to reduce\nsize of domain policy by granting read access to library files such\nas GLIBC and locale files. Exception is, if ignore_global_allow_read\nkeyword is given to a domain, entries specified by this keyword are\nignored.\n(Example)\nallow_read /lib/libc-2.5.so\n\n- file_pattern:\nTo declare pathname pattern, use file_pattern keyword followed by\npathname pattern. The pathname pattern must be a canonicalized\npathname. This keyword is not applicable to neither granting execute\npermissions nor domain definitions.\nFor example, canonicalized pathname that contains a process ID\n(i.e. 
/proc/PID/ files) needs to be grouped in order to make access\ncontrol work well.\n(Example)\nfile_pattern /proc/\\$/cmdline\n\n- path_group\nTo declare pathname group, use path_group keyword followed by name of\nthe group and pathname pattern. For example, if you want to group all\nfiles under home directory, you can define\n   path_group HOME-DIR-FILE /home/\\*/\\*\n   path_group HOME-DIR-FILE /home/\\*/\\*/\\*\n   path_group HOME-DIR-FILE /home/\\*/\\*/\\*/\\*\nin the exception policy and use like\n   allow_read @HOME-DIR-FILE\nto grant file access permission.\n\n- deny_rewrite:\nTo deny overwriting already written contents of file (such as log\nfiles) by default, use deny_rewrite keyword followed by pathname\npattern. Files whose pathname match the patterns are not permitted to\nopen for writing without append mode or truncate unless the pathnames\nare explicitly granted using allow_rewrite keyword in domain policy.\n(Example)\ndeny_rewrite /var/log/\\*\n\n- aggregator\nTo deal multiple programs as a single program, use aggregator keyword\nfollowed by name of original program and aggregated program. This\nkeyword is intended to aggregate similar programs.\nFor example, /usr/bin/tac and /bin/cat are similar. By specifying\n\"aggregator /usr/bin/tac /bin/cat\", you can run /usr/bin/tac in the\ndomain for /bin/cat .\nFor example, /usr/sbin/logrotate for Fedora Core 3 generates programs\nlike /tmp/logrotate.\\?\\?\\?\\?\\?\\? and run them, but TOMOYO Linux\ndoesn\u0027t allow using patterns for granting execute permission and\ndefining domains. By specifying\n\"aggregator /tmp/logrotate.\\?\\?\\?\\?\\?\\? /tmp/logrotate.tmp\", you can\nrun /tmp/logrotate.\\?\\?\\?\\?\\?\\? 
as if /tmp/logrotate.tmp is running.\n\n** /sys/kernel/security/tomoyo/domain_policy **\n\nThis file contains definition of all domains and permissions that are\ngranted to each domain.\n\nLines from the next line to a domain definition ( any lines starting\nwith \"\u003ckernel\u003e\") to the previous line to the next domain definitions\nare interpreted as access permissions for that domain.\n\n** /sys/kernel/security/tomoyo/meminfo **\n\nThis file is to show the total RAM used to keep policy in the kernel\nby TOMOYO Linux in bytes.\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/meminfo\nShared:       61440\nPrivate:      69632\nDynamic:        768\nTotal:       131840\n\nYou can set memory quota by writing to this file.\n(Example)\n[root@tomoyo]# echo Shared: 2097152 \u003e /sys/kernel/security/tomoyo/meminfo\n[root@tomoyo]# echo Private: 2097152 \u003e /sys/kernel/security/tomoyo/meminfo\n\n** /sys/kernel/security/tomoyo/self_domain **\n\nThis file is to show the name of domain the caller process belongs to.\n(Example)\n[root@etch]# cat /sys/kernel/security/tomoyo/self_domain\n\u003ckernel\u003e /usr/sbin/sshd /bin/zsh /bin/cat\n\n** /sys/kernel/security/tomoyo/version **\n\nThis file is used for getting TOMOYO Linux\u0027s version.\n(Example)\n[root@etch]# cat /sys/kernel/security/tomoyo/version\n2.2.0-pre\n\n** /sys/kernel/security/tomoyo/.domain_status **\n\nThis is a view (of a DBMS) that contains only profile number and\ndomainnames of domain so that \"ccs-setprofile\" command can do\nline-oriented processing easily.\n\n** /sys/kernel/security/tomoyo/.process_status **\n\nThis file is used by \"ccs-ccstree\" command to show \"list of processes\ncurrently running\" and \"domains which each process belongs to\" and\n\"profile number which the domain is currently assigned\" like \"pstree\"\ncommand. 
This file is writable by programs that aren\u0027t registered as\npolicy manager.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c73bd6d473ceb5d643d3afd7e75b7dc2e6918558",
      "tree": "76a800f3080d000215ec74f4c66fc73560b83a8f",
      "parents": [
        "f9ce1f1cda8b73a36f47e424975a9dfa78b7840c"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:12 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:04 2009 +1100"
      },
      "message": "Memory and pathname management functions.\n\nTOMOYO Linux performs pathname based access control.\nTo remove factors that make pathname based access control difficult\n(e.g. symbolic links, \"..\", \"//\" etc.), TOMOYO Linux derives realpath\nof requested pathname from \"struct dentry\" and \"struct vfsmount\".\n\nThe maximum length of string data is limited to 4000 including trailing \u0027\\0\u0027.\nSince TOMOYO Linux uses \u0027\\ooo\u0027 style representation for non ASCII printable\ncharacters, maybe TOMOYO Linux should be able to support 16336 (which means\n(NAME_MAX * (PATH_MAX / (NAME_MAX + 1)) * 4 + (PATH_MAX / (NAME_MAX + 1)))\nincluding trailing \u0027\\0\u0027), but I think 4000 is enough for practical use.\n\nTOMOYO uses only 0x21 - 0x7E (as printable characters) and 0x20 (as word\ndelimiter) and 0x0A (as line delimiter).\n0x01 - 0x20 and 0x80 - 0xFF is handled in \\ooo style representation.\nThe reason to use \\ooo is to guarantee that \"%s\" won\u0027t damage logs.\nUserland program can request\n\n open(\"/tmp/file granted.\\nAccess /tmp/file \", O_WRONLY | O_CREAT, 0600)\n\nand logging such crazy pathname using \"Access %s denied.\\n\" format will cause\n\"fabrication of logs\" like\n\n Access /tmp/file granted.\n Access /tmp/file denied.\n\nTOMOYO converts such characters to \\ooo so that the logs will become\n\n Access /tmp/file\\040granted.\\012Access\\040/tmp/file denied.\n\nand the administrator can read the logs safely using /bin/cat .\nLikewise, a crazy request like\n\n open(\"/tmp/\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\", O_WRONLY | O_CREAT, 0600)\n\nwill be processed safely by converting to\n\n Access /tmp/\\001\\002\\003\\004\\005\\006\\007\\010\\011 denied.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris 
\u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "523979adfa0b79d4e3aa053220c37a9233294206",
      "tree": "15ff42f935f9d443220edb118f3980432f924360",
      "parents": [
        "ed850a52af971528b048812c4215cef298af0d3b"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Feb 11 11:12:28 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 09:40:14 2009 +1100"
      },
      "message": "integrity: audit update\n\nBased on discussions on linux-audit, as per Steve Grubb\u0027s request\nhttp://lkml.org/lkml/2009/2/6/269, the following changes were made:\n- forced audit result to be either 0 or 1.\n- made template names const\n- Added new stand-alone message type: AUDIT_INTEGRITY_RULE\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Steve Grubb \u003csgrubb@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "cb5629b10d64a8006622ce3a52bc887d91057d69",
      "tree": "7c06d8f30783115e3384721046258ce615b129c5",
      "parents": [
        "8920d5ad6ba74ae8ab020e90cc4d976980e68701",
        "f01d1d546abb2f4028b5299092f529eefb01253a"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 06 11:01:45 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 06 11:01:45 2009 +1100"
      },
      "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tfs/namei.c\n\nManually merged per:\n\ndiff --cc fs/namei.c\nindex 734f2b5,bbc15c2..0000000\n--- a/fs/namei.c\n+++ b/fs/namei.c\n@@@ -860,9 -848,8 +849,10 @@@ static int __link_path_walk(const char\n  \t\tnd-\u003eflags |\u003d LOOKUP_CONTINUE;\n  \t\terr \u003d exec_permission_lite(inode);\n  \t\tif (err \u003d\u003d -EAGAIN)\n- \t\t\terr \u003d vfs_permission(nd, MAY_EXEC);\n+ \t\t\terr \u003d inode_permission(nd-\u003epath.dentry-\u003ed_inode,\n+ \t\t\t\t\t       MAY_EXEC);\n +\t\tif (!err)\n +\t\t\terr \u003d ima_path_check(\u0026nd-\u003epath, MAY_EXEC);\n   \t\tif (err)\n  \t\t\tbreak;\n\n@@@ -1525,14 -1506,9 +1509,14 @@@ int may_open(struct path *path, int acc\n  \t\tflag \u0026\u003d ~O_TRUNC;\n  \t}\n\n- \terror \u003d vfs_permission(nd, acc_mode);\n+ \terror \u003d inode_permission(inode, acc_mode);\n  \tif (error)\n  \t\treturn error;\n +\n- \terror \u003d ima_path_check(\u0026nd-\u003epath,\n++\terror \u003d ima_path_check(path,\n +\t\t\t       acc_mode \u0026 (MAY_READ | MAY_WRITE | MAY_EXEC));\n +\tif (error)\n +\t\treturn error;\n  \t/*\n  \t * An append-only file must be opened in append mode for writing.\n  \t */\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "64c61d80a6e4c935a09ac5ff1d952967ca1268f8",
      "tree": "80d109d7b3218c925ee48d22254d704e23d31199",
      "parents": [
        "aa7168f47d912459a99a01c93714f447b44bfa72"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 05 09:28:26 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 06 09:05:34 2009 +1100"
      },
      "message": "IMA: fix ima_delete_rules() definition\n\nFix ima_delete_rules() definition so sparse doesn\u0027t complain.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1df9f0a73178718969ae47d813b8e7aab2cf073c",
      "tree": "6bd3d8838858f0e93acd8f7969b7d0e5ce2bfb08",
      "parents": [
        "f4bd857bc8ed997c25ec06b56ef8064aafa6d4f3"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Feb 04 09:07:02 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 06 09:05:33 2009 +1100"
      },
      "message": "Integrity: IMA file free imbalance\n\nThe number of calls to ima_path_check()/ima_file_free()\nshould be balanced.  An extra call to fput(), indicates\nthe file could have been accessed without first being\nmeasured.\n\nAlthough f_count is incremented/decremented in places other\nthan fget/fput, like fget_light/fput_light and get_file, the\ncurrent task must already hold a file refcnt.  The call to\n__fput() is delayed until the refcnt becomes 0, resulting\nin ima_file_free() flagging any changes.\n\n- add hook to increment opencount for IPC shared memory(SYSV),\n  shmat files, and /dev/zero\n- moved NULL iint test in opencount_get()\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f4bd857bc8ed997c25ec06b56ef8064aafa6d4f3",
      "tree": "5326caddadc6144a1e7dee17a6714344ccefbb11",
      "parents": [
        "4af4662fa4a9dc62289c580337ae2506339c4729"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Feb 04 09:07:01 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 06 09:05:32 2009 +1100"
      },
      "message": "integrity: IMA policy open\n\nSequentialize access to the policy file\n- permit multiple attempts to replace default policy with a valid policy\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4af4662fa4a9dc62289c580337ae2506339c4729",
      "tree": "faec95258d2456eb35515f289eb688914ce3b54f",
      "parents": [
        "bab739378758a1e2b2d7ddcee7bc06cf4c591c3c"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Feb 04 09:07:00 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 06 09:05:31 2009 +1100"
      },
      "message": "integrity: IMA policy\n\nSupport for a user loadable policy through securityfs\nwith support for LSM specific policy data.\n- free invalid rule in ima_parse_add_rule()\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "bab739378758a1e2b2d7ddcee7bc06cf4c591c3c",
      "tree": "5465ab3ccaf20ab8fb4f649aad8d1b08bfe49232",
      "parents": [
        "3323eec921efd815178a23107ab63588c605c0b2"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Feb 04 09:06:59 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 06 09:05:31 2009 +1100"
      },
      "message": "integrity: IMA display\n\nMake the measurement lists available through securityfs.\n- removed test for NULL return code from securityfs_create_file/dir\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "3323eec921efd815178a23107ab63588c605c0b2",
      "tree": "bc9e9714ac4881ebc515c1bd155674c52c356d6a",
      "parents": [
        "6146f0d5e47ca4047ffded0fb79b6c25359b386c"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Feb 04 09:06:58 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 06 09:05:30 2009 +1100"
      },
      "message": "integrity: IMA as an integrity service provider\n\nIMA provides hardware (TPM) based measurement and attestation for\nfile measurements. As the Trusted Computing (TPM) model requires,\nIMA measures all files before they are accessed in any way (on the\nintegrity_bprm_check, integrity_path_check and integrity_file_mmap\nhooks), and commits the measurements to the TPM. Once added to the\nTPM, measurements can not be removed.\n\nIn addition, IMA maintains a list of these file measurements, which\ncan be used to validate the aggregate value stored in the TPM.  The\nTPM can sign these measurements, and thus the system can prove, to\nitself and to a third party, the system\u0027s integrity in a way that\ncannot be circumvented by malicious or compromised software.\n\n- alloc ima_template_entry before calling ima_store_template()\n- log ima_add_boot_aggregate() failure\n- removed unused IMA_TEMPLATE_NAME_LEN\n- replaced hard coded string length with #define name\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "faa3aad75a959f55e7783f4dc7840253c7506571",
      "tree": "88e6c94cda322ff2b32f72bb8d96f9675cdad8aa",
      "parents": [
        "5626d3e86141390c8efc7bcb929b6a4b58b00480"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Mon Feb 02 15:07:33 2009 -0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Feb 03 11:02:51 2009 +1100"
      },
      "message": "securityfs: fix long-broken securityfs_create_file comment\n\nIf there is an error creating a file through securityfs_create_file,\nNULL is not returned, rather the error is propagated.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5626d3e86141390c8efc7bcb929b6a4b58b00480",
      "tree": "aafff4163d6bc40f78c025fe3c4f8eda232ef5c9",
      "parents": [
        "95c14904b6f6f8a35365f0c58d530c85b4fb96b4"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 10:05:06 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 02 09:20:34 2009 +1100"
      },
      "message": "selinux: remove hooks which simply defer to capabilities\n\nRemove SELinux hooks which do nothing except defer to the capabilities\nhooks (or in one case, replicates the function).\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n"
    },
    {
      "commit": "95c14904b6f6f8a35365f0c58d530c85b4fb96b4",
      "tree": "a228c81abe6409c61f7c90f7cebeebcb3da902af",
      "parents": [
        "5c4054ccfafb6a446e9b65c524af1741656c6c60"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 12:37:58 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:16 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to shm_shmat\n\nRemove secondary ops call to shm_shmat, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5c4054ccfafb6a446e9b65c524af1741656c6c60",
      "tree": "6d54e11d617e4daf53c3afc5c1edb321b32d9315",
      "parents": [
        "2cbbd19812b7636c1c37bcf50c403e7af5278d73"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 12:34:53 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:15 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to unix_stream_connect\n\nRemove secondary ops call to unix_stream_connect, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2cbbd19812b7636c1c37bcf50c403e7af5278d73",
      "tree": "e12a8b56308adc047d77ed5e52b0c8a28304d80b",
      "parents": [
        "ef76e748faa823a738d632ee4c8ed9adaabc8a40"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 12:32:50 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:14 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to task_kill\n\nRemove secondary ops call to task_kill, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ef76e748faa823a738d632ee4c8ed9adaabc8a40",
      "tree": "af59b8bad81255e4b22e36749dd702cb8db543b1",
      "parents": [
        "ca5143d3ff3c7a4e1c2c8bdcf0f53aea227a7722"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 12:30:28 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:13 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to task_setrlimit\n\nRemove secondary ops call to task_setrlimit, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ca5143d3ff3c7a4e1c2c8bdcf0f53aea227a7722",
      "tree": "1b86d2487e8051664c6d0b2cf959ff0131f8371e",
      "parents": [
        "af294e41d0c95a291cc821a1b43ec2cd13976a8b"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 12:26:14 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:12 2009 +1100"
      },
      "message": "selinux: remove unused cred_commit hook\n\nRemove unused cred_commit hook from SELinux.   This\ncurrently calls into the capabilities hook, which is a noop.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "af294e41d0c95a291cc821a1b43ec2cd13976a8b",
      "tree": "051fcc87fd27422af41809fb25e821c7b3b4a628",
      "parents": [
        "d541bbee6902d5ffb8a03d63ac8f4b1364c2ff93"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 12:23:36 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:11 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to task_create\n\nRemove secondary ops call to task_create, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d541bbee6902d5ffb8a03d63ac8f4b1364c2ff93",
      "tree": "f6b3f9547807d9eb8995885f259e4d5140d70405",
      "parents": [
        "438add6b32d9295db6e3ecd4d9e137086ec5b5d9"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 12:19:51 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:11 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to file_mprotect\n\nRemove secondary ops call to file_mprotect, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "438add6b32d9295db6e3ecd4d9e137086ec5b5d9",
      "tree": "70658fa14a51af66a3359e306d263955d3eaf13f",
      "parents": [
        "188fbcca9dd02f15dcf45cfc51ce0dd6c13993f6"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 12:15:59 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:10 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to inode_setattr\n\nRemove secondary ops call to inode_setattr, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "188fbcca9dd02f15dcf45cfc51ce0dd6c13993f6",
      "tree": "92523a4606e5ac1e29d61286c4f1f3851eec5553",
      "parents": [
        "f51115b9ab5b9cfd0b7be1cce75afbf3ffbcdd87"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 12:14:03 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:09 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to inode_permission\n\nRemove secondary ops call to inode_permission, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f51115b9ab5b9cfd0b7be1cce75afbf3ffbcdd87",
      "tree": "bc93812358e9a76c24ca970224fcd8298fe8b80c",
      "parents": [
        "dd4907a6d4e038dc65839fcd4030ebefe2f5f439"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 12:10:56 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:08 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to inode_follow_link\n\nRemove secondary ops call to inode_follow_link, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "dd4907a6d4e038dc65839fcd4030ebefe2f5f439",
      "tree": "1ad9f9754d9b929f7003cdf1a30a2f8ee5b04e3a",
      "parents": [
        "e4737250b751b4e0e802adae9a4d3ae0227b580b"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 12:08:34 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:07 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to inode_mknod\n\nRemove secondary ops call to inode_mknod, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e4737250b751b4e0e802adae9a4d3ae0227b580b",
      "tree": "98b121f355b548e02369cebfc8d871a805724d00",
      "parents": [
        "efdfac437607e4acfed66c383091a376525eaec4"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 12:00:08 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:06 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to inode_unlink\n\nRemove secondary ops call to inode_unlink, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "efdfac437607e4acfed66c383091a376525eaec4",
      "tree": "6fd072bfca2ff589f8b5c7ed5274f91bb079c6c3",
      "parents": [
        "97422ab9ef45118cb7418d799dc69040f17108ce"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 11:57:34 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:06 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to inode_link\n\nRemove secondary ops call to inode_link, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "97422ab9ef45118cb7418d799dc69040f17108ce",
      "tree": "2dd03b47495711916bc86cc79c23197bbdd1c965",
      "parents": [
        "ef935b9136eeaa203f75bf0b4d6e398c29f44d27"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 11:55:02 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:05 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to sb_umount\n\nRemove secondary ops call to sb_umount, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ef935b9136eeaa203f75bf0b4d6e398c29f44d27",
      "tree": "22f961625dda1d64cd78f443bb7023ac16eb860d",
      "parents": [
        "5565b0b865f672e3d7e31936ad1d40710ab7bfc4"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 11:51:11 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:04 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to sb_mount\n\nRemove secondary ops call to sb_mount, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5565b0b865f672e3d7e31936ad1d40710ab7bfc4",
      "tree": "85ad552370fc50fbbe5426e62e6c4f320f7d4461",
      "parents": [
        "2ec5dbe23d68bddc043a85d1226bfc499a724b1c"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 11:47:49 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:03 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to bprm_committed_creds\n\nRemove secondary ops call to bprm_committed_creds, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2ec5dbe23d68bddc043a85d1226bfc499a724b1c",
      "tree": "f0c87a4250b4531fe6c6cac2b1f9117292efcdc1",
      "parents": [
        "bc05595845f58c065adc0763a678187647ec040f"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 11:46:14 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:02 2009 +1100"
      },
      "message": "selinux: remove secondary ops call to bprm_committing_creds\n\nRemove secondary ops call to bprm_committing_creds, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "bc05595845f58c065adc0763a678187647ec040f",
      "tree": "b8126f1aadcac62f87ebd34fc44e48488ddf716e",
      "parents": [
        "cd89596f0ccfa3ccb8a81ce47782231cf7ea7296"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 29 11:28:33 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 30 08:55:01 2009 +1100"
      },
      "message": "selinux: remove unused bprm_check_security hook\n\nRemove unused bprm_check_security hook from SELinux.   This\ncurrently calls into the capabilities hook, which is a noop.\n\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "152a649b647a8ef47bb74ff9e11850fa6001bedc",
      "tree": "ea626697e2cbf07f1cba973158b99125e98344ae",
      "parents": [
        "e4a7ca29039e615ce13a61b9c6abfb2aa394e9a1"
      ],
      "author": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Tue Jan 27 19:56:30 2009 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Jan 27 20:13:32 2009 -0800"
      },
      "message": "smackfs load append mode fix\n\nGiven just how hard it is to find the code that uses MAY_APPEND\nit\u0027s probably not a big surprise that this went unnoticed for so\nlong. The Smack rules loading code is incorrectly setting the\nMAY_READ bit when MAY_APPEND is requested.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "cd89596f0ccfa3ccb8a81ce47782231cf7ea7296",
      "tree": "d91149851e14a21d1e535c325aa93ebd15130f51",
      "parents": [
        "11689d47f0957121920c9ec646eb5d838755853a"
      ],
      "author": {
        "name": "David P. Quigley",
        "email": "dpquigl@tycho.nsa.gov",
        "time": "Fri Jan 16 09:22:04 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@macbook.localdomain",
        "time": "Mon Jan 19 09:47:14 2009 +1100"
      },
      "message": "SELinux: Unify context mount and genfs behavior\n\nContext mounts and genfs labeled file systems behave differently with respect to\nsetting file system labels. This patch brings genfs labeled file systems in line\nwith context mounts in that setxattr calls to them should return EOPNOTSUPP and\nfscreate calls will be ignored.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@macbook.localdomain\u003e\n"
    },
    {
      "commit": "11689d47f0957121920c9ec646eb5d838755853a",
      "tree": "187b4179c0b7b9430bb9e62f6bba474a2d011235",
      "parents": [
        "0d90a7ec48c704025307b129413bc62451b20ab3"
      ],
      "author": {
        "name": "David P. Quigley",
        "email": "dpquigl@tycho.nsa.gov",
        "time": "Fri Jan 16 09:22:03 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@macbook.localdomain",
        "time": "Mon Jan 19 09:47:06 2009 +1100"
      },
      "message": "SELinux: Add new security mount option to indicate security label support.\n\nThere is no easy way to tell if a file system supports SELinux security labeling.\nBecause of this a new flag is being added to the super block security structure\nto indicate that the particular super block supports labeling. This flag is set\nfor file systems using the xattr, task, and transition labeling methods unless\nthat behavior is overridden by context mounts.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@macbook.localdomain\u003e\n"
    },
    {
      "commit": "0d90a7ec48c704025307b129413bc62451b20ab3",
      "tree": "38cc8a7f5ff3afaccd16d2978455ccc002d69933",
      "parents": [
        "c8334dc8fb6413b363df3e1419e287f5b25bce32"
      ],
      "author": {
        "name": "David P. Quigley",
        "email": "dpquigl@tycho.nsa.gov",
        "time": "Fri Jan 16 09:22:02 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@macbook.localdomain",
        "time": "Mon Jan 19 09:46:40 2009 +1100"
      },
      "message": "SELinux: Condense super block security structure flags and cleanup necessary code.\n\nThe super block security structure currently has three fields for what are\nessentially flags.  The flags field is used for mount options while two other\nchar fields are used for initialization and proc flags. These latter two fields are\nessentially bit fields since the only used values are 0 and 1.  These fields\nhave been collapsed into the flags field and new bit masks have been added for\nthem. The code is also fixed to work with these new flags.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@macbook.localdomain\u003e\n"
    },
    {
      "commit": "0d54ee1c7850a954026deec4cd4885f331da35cc",
      "tree": "00f5219a49428dabca10428cbeaaa2c44e774808",
      "parents": [
        "1de9e8e70f5acc441550ca75433563d91b269bbe"
      ],
      "author": {
        "name": "Vegard Nossum",
        "email": "vegard.nossum@gmail.com",
        "time": "Sat Jan 17 17:45:45 2009 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jan 17 14:24:46 2009 -0800"
      },
      "message": "security: introduce missing kfree\n\nPlug this leak.\n\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Vegard Nossum \u003cvegard.nossum@gmail.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "938bb9f5e840eddbf54e4f62f6c5ba9b3ae12c9d",
      "tree": "a25324159ed8cc96b97a4d39aaf228bbd07e3824",
      "parents": [
        "1e7bfb2134dfec37ce04fb3a4ca89299e892d10c"
      ],
      "author": {
        "name": "Heiko Carstens",
        "email": "heiko.carstens@de.ibm.com",
        "time": "Wed Jan 14 14:14:30 2009 +0100"
      },
      "committer": {
        "name": "Heiko Carstens",
        "email": "heiko.carstens@de.ibm.com",
        "time": "Wed Jan 14 14:15:30 2009 +0100"
      },
      "message": "[CVE-2009-0029] System call wrappers part 28\n\nSigned-off-by: Heiko Carstens \u003cheiko.carstens@de.ibm.com\u003e\n"
    },
    {
      "commit": "1e7bfb2134dfec37ce04fb3a4ca89299e892d10c",
      "tree": "99c676262e696754dcbfb2d6f59499972cd0c38c",
      "parents": [
        "c4ea37c26a691ad0b7e86aa5884aab27830e95c9"
      ],
      "author": {
        "name": "Heiko Carstens",
        "email": "heiko.carstens@de.ibm.com",
        "time": "Wed Jan 14 14:14:29 2009 +0100"
      },
      "committer": {
        "name": "Heiko Carstens",
        "email": "heiko.carstens@de.ibm.com",
        "time": "Wed Jan 14 14:15:29 2009 +0100"
      },
      "message": "[CVE-2009-0029] System call wrappers part 27\n\nSigned-off-by: Heiko Carstens \u003cheiko.carstens@de.ibm.com\u003e\n"
    },
    {
      "commit": "c19a28e1193a6c854738d609ae9b2fe2f6e6bea4",
      "tree": "79a354f827a5d3656be3f55d18d31265750d9d06",
      "parents": [
        "f15659628b43b27c20447c731456c39cbec973e9"
      ],
      "author": {
        "name": "Fernando Carrijo",
        "email": "fcarrijo@yahoo.com.br",
        "time": "Wed Jan 07 18:09:08 2009 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jan 08 08:31:14 2009 -0800"
      },
      "message": "remove lots of double-semicolons\n\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nAcked-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nAcked-by: Mark Fasheh \u003cmfasheh@suse.com\u003e\nAcked-by: David S. Miller \u003cdavem@davemloft.net\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "0b82ac37b889ec881b645860da3775118effb3ca",
      "tree": "93407311725ac2588df5f37e261304a51064e200",
      "parents": [
        "116e05751285c20edf5768ca3bcc00dad86181bb"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Wed Jan 07 18:07:46 2009 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jan 08 08:31:03 2009 -0800"
      },
      "message": "devices cgroup: allow mkfifo\n\nThe devcgroup_inode_permission() hook in the devices whitelist cgroup has\nalways bypassed access checks on fifos.  But the mknod hook did not.  The\ndevices whitelist is only about block and char devices, and fifos can\u0027t\neven be added to the whitelist, so fifos can\u0027t be created at all except by\ntasks which have \u0027a\u0027 in their whitelist (meaning they have access to all\ndevices).\n\nFix the behavior by bypassing access checks to mkfifo.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nCc: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: Lai Jiangshan \u003claijs@cn.fujitsu.com\u003e\nCc: KOSAKI Motohiro \u003ckosaki.motohiro@jp.fujitsu.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nReported-by: Daniel Lezcano \u003cdlezcano@fr.ibm.com\u003e\nCc: \u003cstable@kernel.org\u003e\t\t[2.6.27.x]\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "116e05751285c20edf5768ca3bcc00dad86181bb",
      "tree": "a95c51476e30fb1374dc50d6051c7216f23afa2f",
      "parents": [
        "a47295e6bc42ad35f9c15ac66f598aa24debd4e2"
      ],
      "author": {
        "name": "Lai Jiangshan",
        "email": "laijs@cn.fujitsu.com",
        "time": "Wed Jan 07 18:07:45 2009 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jan 08 08:31:03 2009 -0800"
      },
      "message": "devcgroup: use list_for_each_entry_rcu()\n\nWe should use list_for_each_entry_rcu in RCU read site.\n\nSigned-off-by: Lai Jiangshan \u003claijs@cn.fujitsu.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: KAMEZAWA Hiroyuki \u003ckamezawa.hiroyu@jp.fujitsu.com\u003e\nCc: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nCc: Balbir Singh \u003cbalbir@in.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "ac8cc0fa5395fe2278e305a4cbed48e90d88d878",
      "tree": "515f577bfddd054ee4373228be7c974dfb8133af",
      "parents": [
        "238c6d54830c624f34ac9cf123ac04aebfca5013",
        "3699c53c485bf0168e6500d0ed18bf931584dd7c"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 07 09:58:22 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 07 09:58:22 2009 +1100"
      },
      "message": "Merge branch \u0027next\u0027 into for-linus\n"
    },
    {
      "commit": "3699c53c485bf0168e6500d0ed18bf931584dd7c",
      "tree": "eee63a8ddbdb0665bc6a4a053a2405ca7a5b867f",
      "parents": [
        "29881c4502ba05f46bc12ae8053d4e08d7e2615c"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Jan 06 22:27:01 2009 +0000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 07 09:38:48 2009 +1100"
      },
      "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #3]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 3b11a1decef07c19443d24ae926982bc8ec9f4c0\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate:   Fri Nov 14 10:39:26 2008 +1100\n\n\t    CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds.  However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change passes the set of credentials to be tested down into the commoncap\nand SELinux code.  
The security functions called by capable() and\nhas_capability() select the appropriate set of credentials from the process\nbeing checked.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n *  t_access_root.c - trivial test program to show permission bug.\n *\n *  Written by Michael Kerrisk - copyright ownership not pursued.\n *  Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n    perror(msg);\n    exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n    printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n    int fd, perm, uid, gid;\n    char *testpath;\n    char cmd[PATH_MAX + 20];\n\n    testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n    perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n    uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n    gid \u003d (argc \u003e 4) ? 
atoi(argv[4]) : GID;\n\n    unlink(testpath);\n\n    fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n    if (fd \u003d\u003d -1) errExit(\"open\");\n\n    if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n    if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n    close(fd);\n\n    snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n    system(cmd);\n\n    if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n    accessTest(testpath, 0, \"0\");\n    accessTest(testpath, R_OK, \"R_OK\");\n    accessTest(testpath, W_OK, \"W_OK\");\n    accessTest(testpath, X_OK, \"X_OK\");\n    accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n    accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n    accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n    accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n    exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem.  If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and 
syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: J. Bruce Fields \u003cbfields@citi.umich.edu\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "29881c4502ba05f46bc12ae8053d4e08d7e2615c",
      "tree": "536ea4ac63554e836438bd5f370ddecaa343f1f4",
      "parents": [
        "76f7ba35d4b5219fcc4cb072134c020ec77d030d"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 07 09:21:54 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 07 09:21:54 2009 +1100"
      },
      "message": "Revert \"CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\"\n\nThis reverts commit 14eaddc967b16017d4a1a24d2be6c28ecbe06ed8.\n\nDavid has a better version to come.\n"
    },
    {
      "commit": "520c85346666d4d9a6fcaaa8450542302dc28b91",
      "tree": "9c9cc9e2493b606104dd8602302ae28258ebeac0",
      "parents": [
        "e8c82c2e23e3527e0c9dc195e432c16784d270fa",
        "4ae8978cf92a96257cd8998a49e781be83571d64"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Jan 05 18:32:06 2009 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Jan 05 18:32:06 2009 -0800"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:\n  inotify: fix type errors in interfaces\n  fix breakage in reiserfs_new_inode()\n  fix the treatment of jfs special inodes\n  vfs: remove duplicate code in get_fs_type()\n  add a vfs_fsync helper\n  sys_execve and sys_uselib do not call into fsnotify\n  zero i_uid/i_gid on inode allocation\n  inode-\u003ei_op is never NULL\n  ntfs: don\u0027t NULL i_op\n  isofs check for NULL -\u003ei_op in root directory is dead code\n  affs: do not zero -\u003ei_op\n  kill suid bit only for regular files\n  vfs: lseek(fd, 0, SEEK_CUR) race condition\n"
    },
    {
      "commit": "56ff5efad96182f4d3cb3dc6b07396762c658f16",
      "tree": "cb91f93aa2324573527165d56d230b606a3111ed",
      "parents": [
        "acfa4380efe77e290d3a96b11cd4c9f24f4fbb18"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Dec 09 09:34:39 2008 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Mon Jan 05 11:54:28 2009 -0500"
      },
      "message": "zero i_uid/i_gid on inode allocation\n\n... and don\u0027t bother in callers.  Don\u0027t bother with zeroing i_blocks,\nwhile we are at it - it\u0027s already been zeroed.\n\ni_mode is not worth the effort; it has no common default value.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "acfa4380efe77e290d3a96b11cd4c9f24f4fbb18",
      "tree": "d656232c7ef39c83681c2de4c8e28ba439242f66",
      "parents": [
        "9742df331deb3fce95b321f38d4ea0c4e75edb63"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Dec 04 10:06:33 2008 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Mon Jan 05 11:54:28 2009 -0500"
      },
      "message": "inode-\u003ei_op is never NULL\n\nWe used to have rather schizophrenic set of checks for NULL -\u003ei_op even\nthough it had been eliminated years ago.  You\u0027d need to go out of your\nway to set it to NULL explicitly _and_ a bunch of code would die on\nsuch inodes anyway.  After killing two remaining places that still\ndid that bogosity, all that crap can go away.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "76f7ba35d4b5219fcc4cb072134c020ec77d030d",
      "tree": "971ec5f913a688d98e9be2a04b0c675adcc4166b",
      "parents": [
        "14eaddc967b16017d4a1a24d2be6c28ecbe06ed8"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Jan 02 17:40:06 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 05 19:19:55 2009 +1100"
      },
      "message": "SELinux: shrink sizeof av_inhert selinux_class_perm and context\n\nI started playing with pahole today and decided to put it against the\nselinux structures.  Found we could save a little bit of space on x86_64\n(and no harm on i686) just reorganizing some structs.\n\nObject size changes:\nav_inherit: 24 -\u003e 16\nselinux_class_perm: 48 -\u003e 40\ncontext: 80 -\u003e 72\n\nAdmittedly there aren\u0027t many of av_inherit or selinux_class_perm\u0027s in\nthe kernel (33 and 1 respectively) But the change to the size of struct\ncontext reverberates out a bit.  I can get some hard numbers if they are\nneeded, but I don\u0027t see why they would be.  We do change which cacheline\ncontext-\u003elen and context-\u003estr would be on, but I don\u0027t see that as a\nproblem since we are clearly going to have to load both if the context\nis to be of any value.  I\u0027ve run with the patch and don\u0027t seem to be\nhaving any problems.\n\nAn example of what\u0027s going on using struct av_inherit would be:\n\nfrom: to:\nstruct av_inherit {\t\t\tstruct av_inherit {\n\tu16 tclass;\t\t\t\tconst char **common_pts;\n\tconst char **common_pts;\t\tu32 common_base;\n\tu32 common_base;\t\t\tu16 tclass;\n};\n\n(notice all I did was move u16 tclass to the end of the struct instead\nof the beginning)\n\nMemory layout before the change:\nstruct av_inherit {\n\tu16 tclass; /* 2 */\n\t/* 6 bytes hole */\n\tconst char** common_pts; /* 8 */\n\tu32 common_base; /* 4 */\n\t/* 4 bytes padding */\n\n\t/* size: 24, cachelines: 1 */\n\t/* sum members: 14, holes: 1, sum holes: 6 */\n\t/* padding: 4 */\n};\n\nMemory layout after the change:\nstruct av_inherit {\n\tconst char ** common_pts; /* 8 */\n\tu32 common_base; /* 4 */\n\tu16 tclass; /* 2 */\n\t/* 2 bytes padding */\n\n\t/* size: 16, cachelines: 1 */\n\t/* sum members: 14, holes: 0, sum holes: 0 */\n\t/* padding: 2 */\n};\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "14eaddc967b16017d4a1a24d2be6c28ecbe06ed8",
      "tree": "ce10216d592f0fa89ae02c4e4e9e9497010e7714",
      "parents": [
        "5c8c40be4b5a2944483bfc1a45d6c3fa02551af3"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Dec 31 15:15:42 2008 +0000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 05 11:17:04 2009 +1100"
      },
      "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 5ff7711e635b32f0a1e558227d030c7e45b4a465\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate:   Wed Dec 31 02:52:28 2008 +0000\n\n\t    CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds.  However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change splits capable() from has_capability() down into the commoncap and\nSELinux code.  The capable() security op now only deals with the current\nprocess, and uses the current process\u0027s subjective creds.  
A new security op -\ntask_capable() - is introduced that can check any task\u0027s objective creds.\n\nStrictly the capable() security op is superfluous with the presence of the\ntask_capable() op, however it should be faster to call the capable() op since\ntwo fewer arguments need be passed down through the various layers.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n *  t_access_root.c - trivial test program to show permission bug.\n *\n *  Written by Michael Kerrisk - copyright ownership not pursued.\n *  Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n    perror(msg);\n    exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n    printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n    int fd, perm, uid, gid;\n    char *testpath;\n    char cmd[PATH_MAX + 20];\n\n    testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n    perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n    uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n    gid \u003d (argc \u003e 4) ? 
atoi(argv[4]) : GID;\n\n    unlink(testpath);\n\n    fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n    if (fd \u003d\u003d -1) errExit(\"open\");\n\n    if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n    if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n    close(fd);\n\n    snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n    system(cmd);\n\n    if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n    accessTest(testpath, 0, \"0\");\n    accessTest(testpath, R_OK, \"R_OK\");\n    accessTest(testpath, W_OK, \"W_OK\");\n    accessTest(testpath, X_OK, \"X_OK\");\n    accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n    accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n    accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n    accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n    exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem.  If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and 
syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5c8c40be4b5a2944483bfc1a45d6c3fa02551af3",
      "tree": "d9a79fae500aa5172df7446a2c7a7bdd4e4d469c",
      "parents": [
        "90bd49ab6649269cd10d0edc86d0e0f62864726a",
        "6d3dc07cbb1e88deed2e8710e215f232a56b1dce"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 05 08:56:01 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 05 08:56:01 2009 +1100"
      },
      "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/pcmoore/lblnet-2.6_next into next\n"
    },
    {
      "commit": "5af75d8d58d0f9f7b7c0515b35786b22892d5f12",
      "tree": "65707c5309133a33140c39145ae91b7c1679a877",
      "parents": [
        "36c4f1b18c8a7d0adb4085e7f531860b837bb6b0"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Dec 16 05:59:26 2008 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sun Jan 04 15:14:42 2009 -0500"
      },
      "message": "audit: validate comparison operations, store them in sane form\n\nDon\u0027t store the field-\u003eop in the messy (and very inconvenient for e.g.\naudit_comparator()) form; translate to dense set of values and do full\nvalidation of userland-submitted value while we are at it.\n\n-\u003eaudit_init_rule() and -\u003eaudit_match_rule() get new values now; in-tree\ninstances updated.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "7d3b56ba37a95f1f370f50258ed3954c304c524b",
      "tree": "86102527b92f02450aa245f084ffb491c18d2e0a",
      "parents": [
        "269b012321f2f1f8e4648c43a93bf432b42c6668",
        "ab14398abd195af91a744c320a52a1bce814dd1e"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jan 03 12:04:39 2009 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jan 03 12:04:39 2009 -0800"
      },
      "message": "Merge branch \u0027cpus4096-for-linus-3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip\n\n* \u0027cpus4096-for-linus-3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (77 commits)\n  x86: setup_per_cpu_areas() cleanup\n  cpumask: fix compile error when CONFIG_NR_CPUS is not defined\n  cpumask: use alloc_cpumask_var_node where appropriate\n  cpumask: convert shared_cpu_map in acpi_processor* structs to cpumask_var_t\n  x86: use cpumask_var_t in acpi/boot.c\n  x86: cleanup some remaining usages of NR_CPUS where s/b nr_cpu_ids\n  sched: put back some stack hog changes that were undone in kernel/sched.c\n  x86: enable cpus display of kernel_max and offlined cpus\n  ia64: cpumask fix for is_affinity_mask_valid()\n  cpumask: convert RCU implementations, fix\n  xtensa: define __fls\n  mn10300: define __fls\n  m32r: define __fls\n  h8300: define __fls\n  frv: define __fls\n  cris: define __fls\n  cpumask: CONFIG_DISABLE_OBSOLETE_CPUMASK_FUNCTIONS\n  cpumask: zero extra bits in alloc_cpumask_var_node\n  cpumask: replace for_each_cpu_mask_nr with for_each_cpu in kernel/time/\n  cpumask: convert mm/\n  ...\n"
    },
    {
      "commit": "4f4b6c1a94a8735bbdc030a2911cf395495645b6",
      "tree": "0572f8b8be03a32b4ae7b3deb4b1412226a0f598",
      "parents": [
        "9e2f913df70b378379a358a44e7d286f7b765e8e"
      ],
      "author": {
        "name": "Rusty Russell",
        "email": "rusty@rustcorp.com.au",
        "time": "Thu Jan 01 10:12:15 2009 +1030"
      },
      "committer": {
        "name": "Rusty Russell",
        "email": "rusty@rustcorp.com.au",
        "time": "Thu Jan 01 10:12:15 2009 +1030"
      },
      "message": "cpumask: prepare for iterators to only go to nr_cpu_ids/nr_cpumask_bits.: core\n\nImpact: cleanup\n\nIn future, all cpumask ops will only be valid (in general) for bit\nnumbers \u003c nr_cpu_ids.  So use that instead of NR_CPUS in iterators\nand other comparisons.\n\nThis is always safe: no cpu number can be \u003e\u003d nr_cpu_ids, and\nnr_cpu_ids is initialized to NR_CPUS at boot.\n\nSigned-off-by: Rusty Russell \u003crusty@rustcorp.com.au\u003e\nSigned-off-by: Mike Travis \u003ctravis@sgi.com\u003e\nAcked-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Eric Biederman \u003cebiederm@xmission.com\u003e\n"
    },
    {
      "commit": "90bd49ab6649269cd10d0edc86d0e0f62864726a",
      "tree": "504e95359f2e021ae1ba4c53a1000dd08ad63c55",
      "parents": [
        "6a94cb73064c952255336cc57731904174b2c58f"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Dec 29 14:35:35 2008 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 01 10:32:44 2009 +1100"
      },
      "message": "keys: fix sparse warning by adding __user annotation to cast\n\nFix the following sparse warning:\n\n      CC      security/keys/key.o\n    security/keys/keyctl.c:1297:10: warning: incorrect type in argument 2 (different address spaces)\n    security/keys/keyctl.c:1297:10:    expected char [noderef] \u003casn:1\u003e*buffer\n    security/keys/keyctl.c:1297:10:    got char *\u003cnoident\u003e\n\nwhich appears to be caused by lack of __user annotation to the cast of\na syscall argument.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\n"
    },
    {
      "commit": "be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d",
      "tree": "3a770f4cc676efeba443b28caa1ad195eeff49bc",
      "parents": [
        "6a94cb73064c952255336cc57731904174b2c58f"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Wed Dec 17 13:24:15 2008 +0900"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Wed Dec 31 18:07:37 2008 -0500"
      },
      "message": "introduce new LSM hooks where vfsmount is available.\n\nAdd new LSM hooks for path-based checks.  Call them on directory-modifying\noperations at the points where we still know the vfsmount involved.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    }
  ],
  "next": "6d3dc07cbb1e88deed2e8710e215f232a56b1dce"
}
