)]}' { "log": [ { "commit": "e8c26255992474a2161c63ce9d385827302e4530", "tree": "08d247a53eca56a6e161ca784a4536b3ea7662f7", "parents": [ "01a05b337a5b647909e1d6670f57e7202318a5fb" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Mar 23 06:36:54 2010 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri May 21 18:31:17 2010 -0400" }, "message": "switch selinux delayed superblock handling to iterate_supers()\n\n... kill their private list, while we are at it\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "fcaaade1db63bb2d6f7611d7824eb50d2f07a546", "tree": "9091dbdd0c9bd1e3af9ece6f5cce5c0d6c258253", "parents": [ "cb84aa9b42b506299e5aea1ba4da26c03ab12877" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Wed Apr 28 15:57:57 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 29 08:58:45 2010 +1000" }, "message": "selinux: generalize disabling of execmem for plt-in-heap archs\n\nOn Tue, 2010-04-27 at 11:47 -0700, David Miller wrote:\n\u003e From: \"Tom \\\"spot\\\" Callaway\" \u003ctcallawa@redhat.com\u003e\n\u003e Date: Tue, 27 Apr 2010 14:20:21 -0400\n\u003e\n\u003e \u003e [root@apollo ~]$ cat /proc/2174/maps\n\u003e \u003e 00010000-00014000 r-xp 00000000 fd:00 15466577\n\u003e \u003e /sbin/mingetty\n\u003e \u003e 00022000-00024000 rwxp 00002000 fd:00 15466577\n\u003e \u003e /sbin/mingetty\n\u003e \u003e 00024000-00046000 rwxp 00000000 00:00 0\n\u003e \u003e [heap]\n\u003e\n\u003e SELINUX probably barfs on the executable heap, the PLT is in the HEAP\n\u003e just like powerpc32 and that\u0027s why VM_DATA_DEFAULT_FLAGS has to set\n\u003e both executable and writable.\n\u003e\n\u003e You also can\u0027t remove the CONFIG_PPC32 ifdefs in selinux, since\n\u003e because of the VM_DATA_DEFAULT_FLAGS setting used still in that arch,\n\u003e the heap will always have executable permission, just like sparc does.\n\u003e You have to support those binaries forever, whether you like it or not.\n\u003e\n\u003e Let\u0027s just replace the CONFIG_PPC32 ifdef in SELINUX with CONFIG_PPC32\n\u003e || CONFIG_SPARC as in Tom\u0027s original patch and let\u0027s be done with\n\u003e this.\n\u003e\n\u003e In fact I would go through all the arch/ header files and check the\n\u003e VM_DATA_DEFAULT_FLAGS settings and add the necessary new ifdefs to the\n\u003e SELINUX code so that other platforms don\u0027t have the pain of having to\n\u003e go through this process too.\n\nTo avoid maintaining per-arch ifdefs, it seems that we could just\ndirectly use (VM_DATA_DEFAULT_FLAGS \u0026 VM_EXEC) as the basis for deciding\nwhether to enable or disable these checks. VM_DATA_DEFAULT_FLAGS isn\u0027t\nconstant on some architectures but instead depends on\ncurrent-\u003epersonality, but we want this applied uniformly. So we\u0027ll just\nuse the initial task state to determine whether or not to enable these\nchecks.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "dd3e7836bfe093fc611f715c323cf53be9252b27", "tree": "5e789062f3b74ed7c0ec370785eba234ee1ff472", "parents": [ "d25d6fa1a95f465ff1ec4458ca15e30b2c8dffec" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:08:46 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 08 09:17:02 2010 +1000" }, "message": "selinux: always call sk_security_struct sksec\n\ntrying to grep everything that messes with a sk_security_struct isn\u0027t easy\nsince we don\u0027t always call it sksec. Just rename everything sksec.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c43a7523470dc2d9947fa114a0b54317975d4c04", "tree": "30a72ed1e9079f19b814263197761820f57c39ce", "parents": [ "eaa5eec739637f32f8733d528ff0b94fd62b1214", "634a539e16bd7a1ba31c3f832baa725565cc9f96" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 09 12:46:47 2010 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 09 12:46:47 2010 +1100" }, "message": "Merge branch \u0027next-queue\u0027 into next\n" }, { "commit": "634a539e16bd7a1ba31c3f832baa725565cc9f96", "tree": "cdc26f167c3a2764fecdf3427b2303d28bf05671", "parents": [ "c8563473c1259f5686ceb918c548c80132089f79" ], "author": { "name": "Stephen Hemminger", "email": "shemminger@vyatta.com", "time": "Thu Mar 04 21:59:03 2010 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Mar 08 09:33:53 2010 +1100" }, "message": "selinux: const strings in tables\n\nSeveral places strings tables are used that should be declared\nconst.\n\nSigned-off-by: Stephen Hemminger \u003cshemminger@vyatta.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ef57471a73b67a7b65fd8708fd55c77cb7c619af", "tree": "0cb8f8dea197999d79bf69d192719be69cd36244", "parents": [ "1fcdc7c527010b144d3951f9ce25faedf264933c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Feb 26 01:56:16 2010 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 26 14:54:23 2010 +1100" }, "message": "SELinux: Make selinux_kernel_create_files_as() shouldn\u0027t just always return 0\n\nMake selinux_kernel_create_files_as() return an error when it gets one, rather\nthan unconditionally returning 0.\n\nWithout this, cachefiles doesn\u0027t return an error if the SELinux policy doesn\u0027t\nlet it create files with the label of the directory at the base of the cache.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "189b3b1c89761054fee3438f063d7f257306e2d8", "tree": "8099352fa731fca91b95d862ac0d7199f21ca54d", "parents": [ "2ae3ba39389b51d8502123de0a59374bec899c4d" ], "author": { "name": "wzt.wzt@gmail.com", "email": "wzt.wzt@gmail.com", "time": "Tue Feb 23 23:15:28 2010 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Feb 24 08:11:02 2010 +1100" }, "message": "Security: add static to security_ops and default_security_ops variable\n\nEnhance the security framework to support resetting the active security\nmodule. This eliminates the need for direct use of the security_ops and\ndefault_security_ops variables outside of security.c, so make security_ops\nand default_security_ops static. Also remove the secondary_ops variable as\na cleanup since there is no use for that. secondary_ops was originally used by\nSELinux to call the \"secondary\" security module (capability or dummy),\nbut that was replaced by direct calls to capability and the only\nremaining use is to save and restore the original security ops pointer\nvalue if SELinux is disabled by early userspace based on /etc/selinux/config.\nFurther, if we support this directly in the security framework, then we can\njust use \u0026default_security_ops for this purpose since that is now available.\n\nSigned-off-by: Zhitong Wang \u003czhitong.wangzt@alibaba-inc.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d78ca3cd733d8a2c3dcd88471beb1a15d973eed8", "tree": "a27ccf86f5f7df3cc987d0203ed0bff2db46db57", "parents": [ "002345925e6c45861f60db6f4fc6236713fd8847" ], "author": { "name": "Kees Cook", "email": "kees.cook@canonical.com", "time": "Wed Feb 03 15:37:13 2010 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Feb 04 14:20:41 2010 +1100" }, "message": "syslog: use defined constants instead of raw numbers\n\nRight now the syslog \"type\" action are just raw numbers which makes\nthe source difficult to follow. This patch replaces the raw numbers\nwith defined constants for some level of sanity.\n\nSigned-off-by: Kees Cook \u003ckees.cook@canonical.com\u003e\nAcked-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "002345925e6c45861f60db6f4fc6236713fd8847", "tree": "d7849eafe1755116597166bbebf43e2bee86cb76", "parents": [ "0719aaf5ead7555b7b7a4a080ebf2826a871384e" ], "author": { "name": "Kees Cook", "email": "kees.cook@canonical.com", "time": "Wed Feb 03 15:36:43 2010 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Feb 04 14:20:12 2010 +1100" }, "message": "syslog: distinguish between /proc/kmsg and syscalls\n\nThis allows the LSM to distinguish between syslog functions originating\nfrom /proc/kmsg access and direct syscalls. By default, the commoncaps\nwill now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg\nfile descriptor. For example the kernel syslog reader can now drop\nprivileges after opening /proc/kmsg, instead of staying privileged with\nCAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged\nbehavior.\n\nSigned-off-by: Kees Cook \u003ckees.cook@canonical.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "17740d89785aeb4143770923d67c293849414710", "tree": "58f332b0eb828017eb4571e2f7323e859b6c268d", "parents": [ "45d28b097280a78893ce25a5d0db41e6a2717853" ], "author": { "name": "Jiri Slaby", "email": "jirislaby@gmail.com", "time": "Fri Aug 28 10:47:16 2009 +0200" }, "committer": { "name": "Jiri Slaby", "email": "jslaby@suse.cz", "time": "Mon Jan 04 11:27:18 2010 +0100" }, "message": "SECURITY: selinux, fix update_rlimit_cpu parameter\n\nDon\u0027t pass current RLIMIT_RTTIME to update_rlimit_cpu() in\nselinux_bprm_committing_creds, since update_rlimit_cpu expects\nRLIMIT_CPU limit.\n\nUse proper rlim[RLIMIT_CPU].rlim_cur instead to fix that.\n\nSigned-off-by: Jiri Slaby \u003cjirislaby@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Eric Paris \u003ceparis@parisplace.org\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "28b4d5cc17c20786848cdc07b7ea237a309776bb", "tree": "bae406a4b17229dcce7c11be5073f7a67665e477", "parents": [ "d29cecda036f251aee4947f47eea0fe9ed8cc931", "96fa2b508d2d3fe040cf4ef2fffb955f0a537ea1" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Dec 05 15:22:26 2009 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Dec 05 15:22:26 2009 -0800" }, "message": "Merge branch \u0027master\u0027 of /home/davem/src/GIT/linux-2.6/\n\nConflicts:\n\tdrivers/net/pcmcia/fmvj18x_cs.c\n\tdrivers/net/pcmcia/nmclan_cs.c\n\tdrivers/net/pcmcia/xirc2ps_cs.c\n\tdrivers/net/wireless/ray_cs.c\n" }, { "commit": "8964be4a9a5ca8cab1219bb046db2f6d1936227c", "tree": "8838c73a03cc69c010b55928fce3725d17bc26a9", "parents": [ "fa9a6fed87df1b50804405e700f8d30251d3aaf1" ], "author": { "name": "Eric Dumazet", "email": "eric.dumazet@gmail.com", "time": "Fri Nov 20 15:35:04 2009 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Nov 20 15:35:04 2009 -0800" }, "message": "net: rename skb-\u003eiif to skb-\u003eskb_iif\n\nTo help grep games, rename iif to skb_iif\n\nSigned-off-by: Eric Dumazet \u003ceric.dumazet@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "dd8dbf2e6880e30c00b18600c962d0cb5a03c555", "tree": "24835aaf40cec5ceb2aeecccde9240ee173f70f1", "parents": [ "6e65f92ff0d6f18580737321718d09035085a3fb" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 03 16:35:32 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 10 09:33:46 2009 +1100" }, "message": "security: report the module name to security_module_request\n\nFor SELinux to do better filtering in userspace we send the name of the\nmodule along with the AVC denial when a program is denied module_request.\n\nExample output:\n\ntype\u003dSYSCALL msg\u003daudit(11/03/2009 10:59:43.510:9) : arch\u003dx86_64 syscall\u003dwrite success\u003dyes exit\u003d2 a0\u003d3 a1\u003d7fc28c0d56c0 a2\u003d2 a3\u003d7fffca0d7440 items\u003d0 ppid\u003d1727 pid\u003d1729 auid\u003dunset uid\u003droot gid\u003droot euid\u003droot suid\u003droot fsuid\u003droot egid\u003droot sgid\u003droot fsgid\u003droot tty\u003d(none) ses\u003dunset comm\u003drpc.nfsd exe\u003d/usr/sbin/rpc.nfsd subj\u003dsystem_u:system_r:nfsd_t:s0 key\u003d(null)\ntype\u003dAVC msg\u003daudit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid\u003d1729 comm\u003drpc.nfsd kmod\u003d\"net-pf-10\" scontext\u003dsystem_u:system_r:nfsd_t:s0 tcontext\u003dsystem_u:system_r:kernel_t:s0 tclass\u003dsystem\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "941fc5b2bf8f7dd1d0a9c502e152fa719ff6578e", "tree": "c2f579e6fcc5bee6659527db7ccfb661acfe196c", "parents": [ "8753f6bec352392b52ed9b5e290afb34379f4612" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Thu Oct 01 14:48:23 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Oct 07 21:56:46 2009 +1100" }, "message": "selinux: drop remapping of netlink classes\n\nDrop remapping of netlink classes and bypass of permission checking\nbased on netlink message type for policy version \u003c 18. This removes\ncompatibility code introduced when the original single netlink\nsecurity class used for all netlink sockets was split into\nfiner-grained netlink classes based on netlink protocol and when\npermission checking was added based on netlink message type in Linux\n2.6.8. The only known distribution that shipped with SELinux and\npolicy \u003c 18 was Fedora Core 2, which was EOL\u0027d on 2005-04-11.\n\nGiven that the remapping code was never updated to address the\naddition of newer netlink classes, that the corresponding userland\nsupport was dropped in 2005, and that the assumptions made by the\nremapping code about the fixed ordering among netlink classes in the\npolicy may be violated in the future due to the dynamic class/perm\ndiscovery support, we should drop this compatibility code now.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "af8ff04917169805b151280155bf772d3ca9bec0", "tree": "1a1ec17d0926b4bbe9f8b243231582dde02ef1f5", "parents": [ "1669b049db50fc7f1d4e694fb115a0f408c63fce" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Sun Sep 20 21:23:01 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 30 19:17:06 2009 +1000" }, "message": "SELinux: reset the security_ops before flushing the avc cache\n\nThis patch resets the security_ops to the secondary_ops before it flushes\nthe avc. It\u0027s still possible that a task on another processor could have\nalready passed the security_ops dereference and be executing an selinux hook\nfunction which would add a new avc entry. That entry would still not be\nfreed. This should however help to reduce the number of needless avcs the\nkernel has when selinux is disabled at run time. There is no wasted\nmemory if selinux is disabled on the command line or not compiled.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0b7570e77f7c3abd43107dabc47ea89daf9a1cba", "tree": "8dd93b4a189b4e98384d4470a289ecfb7818cc26", "parents": [ "a2322e1d272938d192d8c24cdacf57c0c7a2683f" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Wed Sep 23 15:56:46 2009 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Sep 24 07:20:59 2009 -0700" }, "message": "do_wait() wakeup optimization: change __wake_up_parent() to use filtered wakeup\n\nRatan Nalumasu reported that in a process with many threads doing\nunnecessary wakeups. Every waiting thread in the process wakes up to loop\nthrough the children and see that the only ones it cares about are still\nnot ready.\n\nNow that we have struct wait_opts we can change do_wait/__wake_up_parent\nto use filtered wakeups.\n\nWe can make child_wait_callback() more clever later, right now it only\nchecks eligible_child().\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: Roland McGrath \u003croland@redhat.com\u003e\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nCc: Ratan Nalumasu \u003crnalumasu@gmail.com\u003e\nCc: Vitaly Mayatskikh \u003cvmayatsk@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nTested-by: Valdis Kletnieks \u003cvaldis.kletnieks@vt.edu\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "ddd29ec6597125c830f7badb608a86c98b936b64", "tree": "e6df1ef9a635179de78650d006ecb4cd1453ebb1", "parents": [ "1ee65e37e904b959c24404139f5752edc66319d5" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Wed Sep 09 14:25:37 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Sep 10 10:11:29 2009 +1000" }, "message": "sysfs: Add labeling support for sysfs\n\nThis patch adds a setxattr handler to the file, directory, and symlink\ninode_operations structures for sysfs. The patch uses hooks introduced in the\nprevious patch to handle the getting and setting of security information for\nthe sysfs inodes. As was suggested by Eric Biederman the struct iattr in the\nsysfs_dirent structure has been replaced by a structure which contains the\niattr, secdata and secdata length to allow the changes to persist in the event\nthat the inode representing the sysfs_dirent is evicted. Because sysfs only\nstores this information when a change is made all the optional data is moved\ninto one dynamically allocated field.\n\nThis patch addresses an issue where SELinux was denying virtd access to the PCI\nconfiguration entries in sysfs. The lack of setxattr handlers for sysfs\nrequired that a single label be assigned to all entries in sysfs. Granting virtd\naccess to every entry in sysfs is not an acceptable solution so fine grained\nlabeling of sysfs is required such that individual entries can be labeled\nappropriately.\n\n[sds: Fixed compile-time warnings, coding style, and setting of inode security init flags.]\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nSigned-off-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1ee65e37e904b959c24404139f5752edc66319d5", "tree": "587c1ef70ae7ee41a7b9b531161a4ef5689838f7", "parents": [ "b1ab7e4b2a88d3ac13771463be8f302ce1616cfc" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Thu Sep 03 14:25:57 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Sep 10 10:11:24 2009 +1000" }, "message": "LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information.\n\nThis patch introduces three new hooks. The inode_getsecctx hook is used to get\nall relevant information from an LSM about an inode. The inode_setsecctx is\nused to set both the in-core and on-disk state for the inode based on a context\nderived from inode_getsecctx.The final hook inode_notifysecctx will notify the\nLSM of a change for the in-core state of the inode in question. These hooks are\nfor use in the labeled NFS code and addresses concerns of how to set security\non an inode in a multi-xattr LSM. For historical reasons Stephen Smalley\u0027s\nexplanation of the reason for these hooks is pasted below.\n\nQuote Stephen Smalley\n\ninode_setsecctx: Change the security context of an inode. Updates the\nin core security context managed by the security module and invokes the\nfs code as needed (via __vfs_setxattr_noperm) to update any backing\nxattrs that represent the context. Example usage: NFS server invokes\nthis hook to change the security context in its incore inode and on the\nbacking file system to a value provided by the client on a SETATTR\noperation.\n\ninode_notifysecctx: Notify the security module of what the security\ncontext of an inode should be. Initializes the incore security context\nmanaged by the security module for this inode. Example usage: NFS\nclient invokes this hook to initialize the security context in its\nincore inode to the value provided by the server for the file when the\nserver returned the file\u0027s attributes to the client.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ee18d64c1f632043a02e6f5ba5e045bb26a5465f", "tree": "80b5a4d530ec7d5fd69799920f0db7b78aba6b9d", "parents": [ "d0420c83f39f79afb82010c2d2cafd150eef651b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:14:21 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:22 2009 +1000" }, "message": "KEYS: Add a keyctl to install a process\u0027s session keyring on its parent [try #6]\n\nAdd a keyctl to install a process\u0027s session keyring onto its parent. This\nreplaces the parent\u0027s session keyring. Because the COW credential code does\nnot permit one process to change another process\u0027s credentials directly, the\nchange is deferred until userspace next starts executing again. Normally this\nwill be after a wait*() syscall.\n\nTo support this, three new security hooks have been provided:\ncred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in\nthe blank security creds and key_session_to_parent() - which asks the LSM if\nthe process may replace its parent\u0027s session keyring.\n\nThe replacement may only happen if the process has the same ownership details\nas its parent, and the process has LINK permission on the session keyring, and\nthe session keyring is owned by the process, and the LSM permits it.\n\nNote that this requires alteration to each architecture\u0027s notify_resume path.\nThis has been done for all arches barring blackfin, m68k* and xtensa, all of\nwhich need assembly alteration to support TIF_NOTIFY_RESUME. This allows the\nreplacement to be performed at the point the parent process resumes userspace\nexecution.\n\nThis allows the userspace AFS pioctl emulation to fully emulate newpag() and\nthe VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to\nalter the parent process\u0027s PAG membership. However, since kAFS doesn\u0027t use\nPAGs per se, but rather dumps the keys into the session keyring, the session\nkeyring of the parent must be replaced if, for example, VIOCSETTOK is passed\nthe newpag flag.\n\nThis can be tested with the following program:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\n\t#define KEYCTL_SESSION_TO_PARENT\t18\n\n\t#define OSERROR(X, S) do { if ((long)(X) \u003d\u003d -1) { perror(S); exit(1); } } while(0)\n\n\tint main(int argc, char **argv)\n\t{\n\t\tkey_serial_t keyring, key;\n\t\tlong ret;\n\n\t\tkeyring \u003d keyctl_join_session_keyring(argv[1]);\n\t\tOSERROR(keyring, \"keyctl_join_session_keyring\");\n\n\t\tkey \u003d add_key(\"user\", \"a\", \"b\", 1, keyring);\n\t\tOSERROR(key, \"add_key\");\n\n\t\tret \u003d keyctl(KEYCTL_SESSION_TO_PARENT);\n\t\tOSERROR(ret, \"KEYCTL_SESSION_TO_PARENT\");\n\n\t\treturn 0;\n\t}\n\nCompiled and linked with -lkeyutils, you should see something like:\n\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t355907932 --alswrv 4043 -1 \\_ keyring: _uid.4043\n\t[dhowells@andromeda ~]$ /tmp/newpag\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t1055658746 --alswrv 4043 4043 \\_ user: a\n\t[dhowells@andromeda ~]$ /tmp/newpag hello\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: hello\n\t340417692 --alswrv 4043 4043 \\_ user: a\n\nWhere the test program creates a new session keyring, sticks a user key named\n\u0027a\u0027 into it and then installs it on its parent.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e0e817392b9acf2c98d3be80c233dddb1b52003d", "tree": "ee680c020039313c9f9c40ab3542bb30a7363381", "parents": [ "ed6d76e4c32de0c2ad5f1d572b948ef49e465176" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:13:40 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:01 2009 +1000" }, "message": "CRED: Add some configurable debugging [try #6]\n\nAdd a config option (CONFIG_DEBUG_CREDENTIALS) to turn on some debug checking\nfor credential management. The additional code keeps track of the number of\npointers from task_structs to any given cred struct, and checks to see that\nthis number never exceeds the usage count of the cred struct (which includes\nall references, not just those from task_structs).\n\nFurthermore, if SELinux is enabled, the code also checks that the security\npointer in the cred struct is never seen to be invalid.\n\nThis attempts to catch the bug whereby inode_has_perm() faults in an nfsd\nkernel thread on seeing cred-\u003esecurity be a NULL pointer (it appears that the\ncredential struct has been previously released):\n\n\thttp://www.kerneloops.org/oops.php?number\u003d252883\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ed6d76e4c32de0c2ad5f1d572b948ef49e465176", "tree": "893914916ad849fefed72df48bca0bf9c78e392d", "parents": [ "2b980dbd77d229eb60588802162c9659726b11f4" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Aug 28 18:12:49 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Sep 01 08:29:52 2009 +1000" }, "message": "selinux: Support for the new TUN LSM hooks\n\nAdd support for the new TUN LSM hooks: security_tun_dev_create(),\nsecurity_tun_dev_post_create() and security_tun_dev_attach(). This includes\nthe addition of a new object class, tun_socket, which represents the socks\nassociated with TUN devices. The _tun_dev_create() and _tun_dev_post_create()\nhooks are fairly similar to the standard socket functions but _tun_dev_attach()\nis a bit special. The _tun_dev_attach() is unique because it involves a\ndomain attaching to an existing TUN device and its associated tun_socket\nobject, an operation which does not exist with standard sockets and most\nclosely resembles a relabel operation.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bc6a6008e5e3c7a30191a7f19ab19e85b14b1705", "tree": "46504659c2303224cb3c8ad13e1d1b580351b41b", "parents": [ "ece13879e74313e62109e0755dd3d4f172df89e2" ], "author": { "name": "Amerigo Wang", "email": "amwang@redhat.com", "time": "Thu Aug 20 19:29:02 2009 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Aug 21 14:25:30 2009 +1000" }, "message": "selinux: adjust rules for ATTR_FORCE\n\nAs suggested by OGAWA Hirofumi in thread:\nhttp://lkml.org/lkml/2009/8/7/132, we should let selinux_inode_setattr()\nto match our ATTR_* rules. ATTR_FORCE should not force things like\nATTR_SIZE.\n\n[hirofumi@mail.parknet.co.jp: tweaks]\nSigned-off-by: WANG Cong \u003camwang@redhat.com\u003e\nSigned-off-by: OGAWA Hirofumi \u003chirofumi@mail.parknet.co.jp\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nCc: Eugene Teo \u003ceteo@redhat.com\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Christoph Hellwig \u003chch@lst.de\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ece13879e74313e62109e0755dd3d4f172df89e2", "tree": "1fe96ab392c1ff203a6fb3f67ed0ed577056572e", "parents": [ "b08dc3eba0c34027010caeda258f495074ae3a54", "6c30c53fd5ae6a99a23ad78e90c428d2c8ffb07f" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 20 09:18:42 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 20 09:18:42 2009 +1000" }, "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tsecurity/Kconfig\n\nManual fix.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "788084aba2ab7348257597496befcbccabdc98a3", "tree": "2da42d746d67b16ef705229a1b5a3528ec19c725", "parents": [ "8cf948e744e0218af604c32edecde10006dc8e9e" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 31 12:54:11 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 17 15:09:11 2009 +1000" }, "message": "Security/SELinux: seperate lsm specific mmap_min_addr\n\nCurrently SELinux enforcement of controls on the ability to map low memory\nis determined by the mmap_min_addr tunable. This patch causes SELinux to\nignore the tunable and instead use a seperate Kconfig option specific to how\nmuch space the LSM should protect.\n\nThe tunable will now only control the need for CAP_SYS_RAWIO and SELinux\npermissions will always protect the amount of low memory designated by\nCONFIG_LSM_MMAP_MIN_ADDR.\n\nThis allows users who need to disable the mmap_min_addr controls (usual reason\nbeing they run WINE as a non-root user) to do so and still have SELinux\ncontrols preventing confined domains (like a web server) from being able to\nmap some area of low memory.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8cf948e744e0218af604c32edecde10006dc8e9e", "tree": "c5d48e9210976e28e5ce07d69ca9b87d4c437389", "parents": [ "9c0d90103c7e0eb6e638e5b649e9f6d8d9c1b4b3" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 31 12:54:05 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 17 15:08:48 2009 +1000" }, "message": "SELinux: call cap_file_mmap in selinux_file_mmap\n\nCurrently SELinux does not check CAP_SYS_RAWIO in the file_mmap hook. This\nmeans there is no DAC check on the ability to mmap low addresses in the\nmemory space. This function adds the DAC check for CAP_SYS_RAWIO while\nmaintaining the selinux check on mmap_zero. This means that processes\nwhich need to mmap low memory will need CAP_SYS_RAWIO and mmap_zero but will\nNOT need the SELinux sys_rawio capability.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2bf49690325b62480a42f7afed5e9f164173c570", "tree": "bc8525f6a45ea3ffaed9449084df7644bcd4e3c2", "parents": [ "f322abf83feddc3c37c3a91794e0c5aece4af18e" ], "author": { "name": "Thomas Liu", "email": "tliu@redhat.com", "time": "Tue Jul 14 12:14:09 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 17 08:37:18 2009 +1000" }, "message": "SELinux: Convert avc_audit to use lsm_audit.h\n\nConvert avc_audit in security/selinux/avc.c to use lsm_audit.h,\nfor better maintainability.\n\n - changed selinux to use common_audit_data instead of\n avc_audit_data\n - eliminated code in avc.c and used code from lsm_audit.h instead.\n\nHad to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit\ncan call common_lsm_audit and do the pre and post callbacks without\ndoing the actual dump. This makes it so that the patched version\nbehaves the same way as the unpatched version.\n\nAlso added a denied field to the selinux_audit_data private space,\nonce again to make it so that the patched version behaves like the\nunpatched.\n\nI\u0027ve tested and confirmed that AVCs look the same before and after\nthis patch.\n\nSigned-off-by: Thomas Liu \u003ctliu@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "25354c4fee169710fd9da15f3bb2abaa24dcf933", "tree": "7fb462945c15ce09392ae858c8ae757290b5ed2d", "parents": [ "9188499cdb117d86a1ea6b04374095b098d56936" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Aug 13 09:45:03 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Aug 14 11:18:40 2009 +1000" }, "message": "SELinux: add selinux_kernel_module_request\n\nThis patch adds a new selinux hook so SELinux can arbitrate if a given\nprocess should be allowed to trigger a request for the kernel to try to\nload a module. This is a different operation than a process trying to load\na module itself, which is already protected by CAP_SYS_MODULE.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "314dabb83a547ec4da819e8cbc78fac9cec605cd", "tree": "8e32efc47c52a218bfb4eb517ae2ba14d496adcc", "parents": [ "85dfd81dc57e8183a277ddd7a56aa65c96f3f487" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 10 22:00:13 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 11 08:37:13 2009 +1000" }, "message": "SELinux: fix memory leakage in /security/selinux/hooks.c\n\nFix memory leakage in /security/selinux/hooks.c\n\nThe buffer always needs to be freed here; we either error\nout or allocate more memory.\n\nReported-by: iceberg \u003cstrakh@ispras.ru\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "a2551df7ec568d87793d2eea4ca744e86318f205", "tree": "3bdd4257bf757d9d1d64d9d7aa10cd144cd3a657", "parents": [ "84336d1a77ccd2c06a730ddd38e695c2324a7386" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 31 12:54:11 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 06 09:02:23 2009 +1000" }, "message": "Security/SELinux: seperate lsm specific mmap_min_addr\n\nCurrently SELinux enforcement of controls on the ability to map low memory\nis determined by the mmap_min_addr tunable. This patch causes SELinux to\nignore the tunable and instead use a seperate Kconfig option specific to how\nmuch space the LSM should protect.\n\nThe tunable will now only control the need for CAP_SYS_RAWIO and SELinux\npermissions will always protect the amount of low memory designated by\nCONFIG_LSM_MMAP_MIN_ADDR.\n\nThis allows users who need to disable the mmap_min_addr controls (usual reason\nbeing they run WINE as a non-root user) to do so and still have SELinux\ncontrols preventing confined domains (like a web server) from being able to\nmap some area of low memory.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "84336d1a77ccd2c06a730ddd38e695c2324a7386", "tree": "9eeb414eff58e5b7165daa36c2ce3c2e7422632b", "parents": [ "7c73875e7dda627040b12c19b01db634fa7f0fd1" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 31 12:54:05 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 06 09:02:21 2009 +1000" }, "message": "SELinux: call cap_file_mmap in selinux_file_mmap\n\nCurrently SELinux does not check CAP_SYS_RAWIO in the file_mmap hook. This\nmeans there is no DAC check on the ability to mmap low addresses in the\nmemory space. This function adds the DAC check for CAP_SYS_RAWIO while\nmaintaining the selinux check on mmap_zero. This means that processes\nwhich need to mmap low memory will need CAP_SYS_RAWIO and mmap_zero but will\nNOT need the SELinux sys_rawio capability.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5bb459bb45d1ad3c177485dcf0af01580aa31125", "tree": "fd6d11d424d222b97f56d8b870bdecbacaab8a17", "parents": [ "d2e3ee9b29f5de5b01e611b04e6fb29760589b01" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Fri Jul 10 03:48:23 2009 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jul 17 09:10:42 2009 +1000" }, "message": "kernel: rename is_single_threaded(task) to current_is_single_threaded(void)\n\n- is_single_threaded(task) is not safe unless task \u003d\u003d current,\n we can\u0027t use task-\u003esignal or task-\u003emm.\n\n- it doesn\u0027t make sense unless task \u003d\u003d current, the task can\n fork right after the check.\n\nRename it to current_is_single_threaded() and kill the argument.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "be940d6279c30a2d7c4e8d1d5435f957f594d66d", "tree": "965805d563cb756879fd3595230c3ca205da76d1", "parents": [ "b3a633c8527ef155b1a4e22e8f5abc58f7af54c9" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 13 10:39:36 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 13 10:39:36 2009 +1000" }, "message": "Revert \"SELinux: Convert avc_audit to use lsm_audit.h\"\n\nThis reverts commit 8113a8d80f4c6a3dc3724b39b470f3fee9c426b6.\n\nThe patch causes a stack overflow on my system during boot.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8113a8d80f4c6a3dc3724b39b470f3fee9c426b6", "tree": "27eb775108daaff8390ad564010a9f2fbd5187a2", "parents": [ "65c3f0a2d0f72d210c879e4974c2d222b7951321" ], "author": { "name": "Thomas Liu", "email": "tliu@redhat.com", "time": "Fri Jul 10 10:31:04 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 13 07:54:48 2009 +1000" }, "message": "SELinux: Convert avc_audit to use lsm_audit.h\n\nConvert avc_audit in security/selinux/avc.c to use lsm_audit.h,\nfor better maintainability and for less code duplication.\n\n - changed selinux to use common_audit_data instead of\n avc_audit_data\n - eliminated code in avc.c and used code from lsm_audit.h instead.\n\nI have tested to make sure that the avcs look the same before and\nafter this patch.\n\nSigned-off-by: Thomas Liu \u003ctliu@redhat.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "89c86576ecde504da1eeb4f4882b2189ac2f9c4a", "tree": "94674a48becd9cfde298e9fe6b58db8da28fe238", "parents": [ "a893a84e8799270fbec5c3708d001650aab47138" ], "author": { "name": "Thomas Liu", "email": "tliu@redhat.com", "time": "Wed Jun 24 17:58:05 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 25 08:29:16 2009 +1000" }, "message": "selinux: clean up avc node cache when disabling selinux\n\nAdded a call to free the avc_node_cache when inside selinux_disable because\nit should not waste resources allocated during avc_init if SELinux is disabled\nand the cache will never be used.\n\nSigned-off-by: Thomas Liu \u003ctliu@redhat.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9e48858f7d36a6a3849f1d1b40c3bf5624b4ee7c", "tree": "5d8fe586c5b1bbab36acc3b76b2b4dd1bc538968", "parents": [ "86abcf9cebf7b5ceb33facde297face5ec4d2260" ], "author": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Thu May 07 19:26:19 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 25 00:18:05 2009 +1000" }, "message": "security: rename ptrace_may_access \u003d\u003e ptrace_access_check\n\nThe -\u003eptrace_may_access() methods are named confusingly - the real\nptrace_may_access() returns a bool, while these security checks have\na retval convention.\n\nRename it to ptrace_access_check, to reduce the confusion factor.\n\n[ Impact: cleanup, no code changed ]\n\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "20dda18be9035c487c2e9534e4d18d2a1e1deade", "tree": "5d50d2727e1495ccd8fa2a2340332f25c290670c", "parents": [ "56f8c9bc410deb55f21698e6a0d59f559ae1d794" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Mon Jun 22 14:54:53 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Jun 23 08:19:58 2009 +1000" }, "message": "selinux: restore optimization to selinux_file_permission\n\nRestore the optimization to skip revalidation in selinux_file_permission\nif nothing has changed since the dentry_open checks, accidentally removed by\n389fb800. Also remove redundant test from selinux_revalidate_file_permission.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9cbc1cb8cd46ce1f7645b9de249b2ce8460129bb", "tree": "8d104ec2a459346b99413b0b77421ca7b9936c1a", "parents": [ "ca44d6e60f9de26281fda203f58b570e1748c015", "45e3e1935e2857c54783291107d33323b3ef33c8" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Jun 15 03:02:23 2009 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Jun 15 03:02:23 2009 -0700" }, "message": "Merge branch \u0027master\u0027 of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6\n\nConflicts:\n\tDocumentation/feature-removal-schedule.txt\n\tdrivers/scsi/fcoe/fcoe.c\n\tnet/core/drop_monitor.c\n\tnet/core/net-traces.c\n" }, { "commit": "adf30907d63893e4208dfe3f5c88ae12bc2f25d5", "tree": "0f07542bb95de2ad537540868aba6cf87a86e17d", "parents": [ "511c3f92ad5b6d9f8f6464be1b4f85f0422be91a" ], "author": { "name": "Eric Dumazet", "email": "eric.dumazet@gmail.com", "time": "Tue Jun 02 05:19:30 2009 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Jun 03 02:51:04 2009 -0700" }, "message": "net: skb-\u003edst accessors\n\nDefine three accessors to get/set dst attached to a skb\n\nstruct dst_entry *skb_dst(const struct sk_buff *skb)\n\nvoid skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)\n\nvoid skb_dst_drop(struct sk_buff *skb)\nThis one should replace occurrences of :\ndst_release(skb-\u003edst)\nskb-\u003edst \u003d NULL;\n\nDelete skb-\u003edst field\n\nSigned-off-by: Eric Dumazet \u003ceric.dumazet@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "d254117099d711f215e62427f55dfb8ebd5ad011", "tree": "0848ff8dd74314fec14a86497f8d288c86ba7c65", "parents": [ "07ff7a0b187f3951788f64ae1f30e8109bc8e9eb", "8c9ed899b44c19e81859fbb0e9d659fe2f8630fc" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri May 08 17:56:47 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri May 08 17:56:47 2009 +1000" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "65c90bca0dba56f60dc4ce2a529140c3cc440f22", "tree": "fd8f5e6338f04ba47fe91de1303b92a22da78daf", "parents": [ "091438dd5668396328a3419abcbc6591159eb8d1" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Mon May 04 15:43:18 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 05 08:31:03 2009 +1000" }, "message": "selinux: Fix send_sigiotask hook\n\nThe CRED patch incorrectly converted the SELinux send_sigiotask hook to\nuse the current task SID rather than the target task SID in its\npermission check, yielding the wrong permission check. This fixes the\nhook function. Detected by the ltp selinux testsuite and confirmed to\ncorrect the test failure.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ecd6de3c88e8cbcad175b2eab48ba05c2014f7b6", "tree": "ab9257bbe3f3bc9379cf0d252110f9abffba7751", "parents": [ "3bcac0263f0b45e67a64034ebcb69eb9abb742f4" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Wed Apr 29 16:02:24 2009 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 30 09:08:48 2009 +1000" }, "message": "selinux: selinux_bprm_committed_creds() should wake up -\u003ereal_parent, not -\u003eparent.\n\nWe shouldn\u0027t worry about the tracer if current is ptraced, exec() must not\nsucceed if the tracer has no rights to trace this task after cred changing.\nBut we should notify -\u003ereal_parent which is, well, real parent.\n\nAlso, we don\u0027t need _irq to take tasklist, and we don\u0027t need parent\u0027s\n-\u003esiglock to wake_up_interruptible(real_parent-\u003esignal-\u003ewait_chldexit).\nSince we hold tasklist, real_parent-\u003esignal must be stable. Otherwise\nspin_lock(siglock) is not safe too and can\u0027t help anyway.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3bcac0263f0b45e67a64034ebcb69eb9abb742f4", "tree": "33f4db08edaa12e1c20df348e2fa28c7c2198ebe", "parents": [ "88c48db9788862d0290831d081bc3c64e13b592f" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Apr 29 13:45:05 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 30 09:07:13 2009 +1000" }, "message": "SELinux: Don\u0027t flush inherited SIGKILL during execve()\n\nDon\u0027t flush inherited SIGKILL during execve() in SELinux\u0027s post cred commit\nhook. This isn\u0027t really a security problem: if the SIGKILL came before the\ncredentials were changed, then we were right to receive it at the time, and\nshould honour it; if it came after the creds were changed, then we definitely\nshould honour it; and in any case, all that will happen is that the process\nwill be scrapped before it ever returns to userspace.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "88c48db9788862d0290831d081bc3c64e13b592f", "tree": "5d0e0aedd2c5c0ea8db4007cac66f930ddbe73d7", "parents": [ "19e4529ee7345079eeacc8e40cf69a304a64dc23" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 29 14:00:25 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 30 08:45:56 2009 +1000" }, "message": "SELinux: drop secondary_ops-\u003esysctl\n\nWe are still calling secondary_ops-\u003esysctl even though the capabilities\nmodule does not define a sysctl operation.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2", "tree": "41132587adbb6816b56b9d28105826b8ef0fd7b9", "parents": [ "389fb800ac8be2832efedd19978a2b8ced37eb61" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Mar 27 17:10:41 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Mar 28 15:01:37 2009 +1100" }, "message": "selinux: Remove the \"compat_net\" compatibility code\n\nThe SELinux \"compat_net\" is marked as deprecated, the time has come to\nfinally remove it from the kernel. Further code simplifications are\nlikely in the future, but this patch was intended to be a simple,\nstraight-up removal of the compat_net code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "389fb800ac8be2832efedd19978a2b8ced37eb61", "tree": "fa0bc16050dfb491aa05f76b54fa4c167de96376", "parents": [ "284904aa79466a4736f4c775fdbe5c7407fa136c" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Mar 27 17:10:34 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Mar 28 15:01:36 2009 +1100" }, "message": "netlabel: Label incoming TCP connections correctly in SELinux\n\nThe current NetLabel/SELinux behavior for incoming TCP connections works but\nonly through a series of happy coincidences that rely on the limited nature of\nstandard CIPSO (only able to convey MLS attributes) and the write equality\nimposed by the SELinux MLS constraints. The problem is that network sockets\ncreated as the result of an incoming TCP connection were not on-the-wire\nlabeled based on the security attributes of the parent socket but rather based\non the wire label of the remote peer. The issue had to do with how IP options\nwere managed as part of the network stack and where the LSM hooks were in\nrelation to the code which set the IP options on these newly created child\nsockets. While NetLabel/SELinux did correctly set the socket\u0027s on-the-wire\nlabel it was promptly cleared by the network stack and reset based on the IP\noptions of the remote peer.\n\nThis patch, in conjunction with a prior patch that adjusted the LSM hook\nlocations, works to set the correct on-the-wire label format for new incoming\nconnections through the security_inet_conn_request() hook. Besides the\ncorrect behavior there are many advantages to this change, the most significant\nis that all of the NetLabel socket labeling code in SELinux now lives in hooks\nwhich can return error codes to the core stack which allows us to finally get\nride of the selinux_netlbl_inode_permission() logic which greatly simplfies\nthe NetLabel/SELinux glue code. In the process of developing this patch I\nalso ran into a small handful of AF_INET6 cleanliness issues that have been\nfixed which should make the code safer and easier to extend in the future.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "df7f54c012b92ec93d56b68547351dcdf8a163d3", "tree": "07039542feca94d4d467c430521319950819a4e1", "parents": [ "dd34b5d75a0405814a3de83f02a44ac297e81629" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Mar 09 14:35:58 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 10 08:40:02 2009 +1100" }, "message": "SELinux: inode_doinit_with_dentry drop no dentry printk\n\nDrop the printk message when an inode is found without an associated\ndentry. This should only happen when userspace can\u0027t be accessing those\ninodes and those labels will get set correctly on the next d_instantiate.\nThus there is no reason to send this message.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6a25b27d602aac24f3c642722377ba5d778417ec", "tree": "ba334617326c65ccd98e7f4733c75fa0ac2ae5ca", "parents": [ "113a0e4590881ce579ca992a80ddc562b3372ede" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 05 13:40:35 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Mar 06 08:50:18 2009 +1100" }, "message": "SELinux: open perm for sock files\n\nWhen I did open permissions I didn\u0027t think any sockets would have an open.\nTurns out AF_UNIX sockets can have an open when they are bound to the\nfilesystem namespace. This patch adds a new SOCK_FILE__OPEN permission.\nIt\u0027s safe to add this as the open perms are already predicated on\ncapabilities and capabilities means we have unknown perm handling so\nsystems should be as backwards compatible as the policy wants them to\nbe.\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id\u003d475224\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4cb912f1d1447077160ace9ce3b3a10696dd74e5", "tree": "916f112de07ca626b0f398a0fc85943f15306146", "parents": [ "4ba0a8ad63e12a03ae01c039482967cc496b9174" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 14:50:05 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:22:30 2009 +1100" }, "message": "SELinux: NULL terminate al contexts from disk\n\nWhen a context is pulled in from disk we don\u0027t know that it is null\nterminated. This patch forecebly null terminates contexts when we pull\nthem from disk.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4ba0a8ad63e12a03ae01c039482967cc496b9174", "tree": "340aa55aa98cc42c33cff4297f0813f14f46b121", "parents": [ "200ac532a4bc3134147ca06686c56a6420e66c46" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 15:01:10 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:22:27 2009 +1100" }, "message": "SELinux: better printk when file with invalid label found\n\nCurrently when an inode is read into the kernel with an invalid label\nstring (can often happen with removable media) we output a string like:\n\nSELinux: inode_doinit_with_dentry: context_to_sid([SOME INVALID LABEL])\nreturned -22 dor dev\u003d[blah] ino\u003d[blah]\n\nWhich is all but incomprehensible to all but a couple of us. Instead, on\nEINVAL only, I plan to output a much more user friendly string and I plan to\nratelimit the printk since many of these could be generated very rapidly.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "200ac532a4bc3134147ca06686c56a6420e66c46", "tree": "f9b1779458df389052c758ea23cf61695a021e67", "parents": [ "b53fab9d48e9bd9aeba0b500dec550becd981a91" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 15:01:04 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:22:24 2009 +1100" }, "message": "SELinux: call capabilities code directory\n\nFor cleanliness and efficiency remove all calls to secondary-\u003e and instead\ncall capabilities code directly. capabilities are the only module that\nselinux stacks with and so the code should not indicate that other stacking\nmight be possible.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5626d3e86141390c8efc7bcb929b6a4b58b00480", "tree": "aafff4163d6bc40f78c025fe3c4f8eda232ef5c9", "parents": [ "95c14904b6f6f8a35365f0c58d530c85b4fb96b4" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 10:05:06 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Feb 02 09:20:34 2009 +1100" }, "message": "selinux: remove hooks which simply defer to capabilities\n\nRemove SELinux hooks which do nothing except defer to the capabilites\nhooks (or in one case, replicates the function).\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "95c14904b6f6f8a35365f0c58d530c85b4fb96b4", "tree": "a228c81abe6409c61f7c90f7cebeebcb3da902af", "parents": [ "5c4054ccfafb6a446e9b65c524af1741656c6c60" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:37:58 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:16 2009 +1100" }, "message": "selinux: remove secondary ops call to shm_shmat\n\nRemove secondary ops call to shm_shmat, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5c4054ccfafb6a446e9b65c524af1741656c6c60", "tree": "6d54e11d617e4daf53c3afc5c1edb321b32d9315", "parents": [ "2cbbd19812b7636c1c37bcf50c403e7af5278d73" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:34:53 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:15 2009 +1100" }, "message": "selinux: remove secondary ops call to unix_stream_connect\n\nRemove secondary ops call to unix_stream_connect, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2cbbd19812b7636c1c37bcf50c403e7af5278d73", "tree": "e12a8b56308adc047d77ed5e52b0c8a28304d80b", "parents": [ "ef76e748faa823a738d632ee4c8ed9adaabc8a40" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:32:50 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:14 2009 +1100" }, "message": "selinux: remove secondary ops call to task_kill\n\nRemove secondary ops call to task_kill, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ef76e748faa823a738d632ee4c8ed9adaabc8a40", "tree": "af59b8bad81255e4b22e36749dd702cb8db543b1", "parents": [ "ca5143d3ff3c7a4e1c2c8bdcf0f53aea227a7722" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:30:28 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:13 2009 +1100" }, "message": "selinux: remove secondary ops call to task_setrlimit\n\nRemove secondary ops call to task_setrlimit, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ca5143d3ff3c7a4e1c2c8bdcf0f53aea227a7722", "tree": "1b86d2487e8051664c6d0b2cf959ff0131f8371e", "parents": [ "af294e41d0c95a291cc821a1b43ec2cd13976a8b" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:26:14 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:12 2009 +1100" }, "message": "selinux: remove unused cred_commit hook\n\nRemove unused cred_commit hook from SELinux. This\ncurrently calls into the capabilities hook, which is a noop.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "af294e41d0c95a291cc821a1b43ec2cd13976a8b", "tree": "051fcc87fd27422af41809fb25e821c7b3b4a628", "parents": [ "d541bbee6902d5ffb8a03d63ac8f4b1364c2ff93" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:23:36 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:11 2009 +1100" }, "message": "selinux: remove secondary ops call to task_create\n\nRemove secondary ops call to task_create, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d541bbee6902d5ffb8a03d63ac8f4b1364c2ff93", "tree": "f6b3f9547807d9eb8995885f259e4d5140d70405", "parents": [ "438add6b32d9295db6e3ecd4d9e137086ec5b5d9" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:19:51 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:11 2009 +1100" }, "message": "selinux: remove secondary ops call to file_mprotect\n\nRemove secondary ops call to file_mprotect, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "438add6b32d9295db6e3ecd4d9e137086ec5b5d9", "tree": "70658fa14a51af66a3359e306d263955d3eaf13f", "parents": [ "188fbcca9dd02f15dcf45cfc51ce0dd6c13993f6" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:15:59 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:10 2009 +1100" }, "message": "selinux: remove secondary ops call to inode_setattr\n\nRemove secondary ops call to inode_setattr, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "188fbcca9dd02f15dcf45cfc51ce0dd6c13993f6", "tree": "92523a4606e5ac1e29d61286c4f1f3851eec5553", "parents": [ "f51115b9ab5b9cfd0b7be1cce75afbf3ffbcdd87" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:14:03 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:09 2009 +1100" }, "message": "selinux: remove secondary ops call to inode_permission\n\nRemove secondary ops call to inode_permission, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f51115b9ab5b9cfd0b7be1cce75afbf3ffbcdd87", "tree": "bc93812358e9a76c24ca970224fcd8298fe8b80c", "parents": [ "dd4907a6d4e038dc65839fcd4030ebefe2f5f439" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:10:56 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:08 2009 +1100" }, "message": "selinux: remove secondary ops call to inode_follow_link\n\nRemove secondary ops call to inode_follow_link, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "dd4907a6d4e038dc65839fcd4030ebefe2f5f439", "tree": "1ad9f9754d9b929f7003cdf1a30a2f8ee5b04e3a", "parents": [ "e4737250b751b4e0e802adae9a4d3ae0227b580b" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:08:34 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:07 2009 +1100" }, "message": "selinux: remove secondary ops call to inode_mknod\n\nRemove secondary ops call to inode_mknod, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e4737250b751b4e0e802adae9a4d3ae0227b580b", "tree": "98b121f355b548e02369cebfc8d871a805724d00", "parents": [ "efdfac437607e4acfed66c383091a376525eaec4" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:00:08 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:06 2009 +1100" }, "message": "selinux: remove secondary ops call to inode_unlink\n\nRemove secondary ops call to inode_unlink, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "efdfac437607e4acfed66c383091a376525eaec4", "tree": "6fd072bfca2ff589f8b5c7ed5274f91bb079c6c3", "parents": [ "97422ab9ef45118cb7418d799dc69040f17108ce" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 11:57:34 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:06 2009 +1100" }, "message": "selinux: remove secondary ops call to inode_link\n\nRemove secondary ops call to inode_link, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "97422ab9ef45118cb7418d799dc69040f17108ce", "tree": "2dd03b47495711916bc86cc79c23197bbdd1c965", "parents": [ "ef935b9136eeaa203f75bf0b4d6e398c29f44d27" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 11:55:02 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:05 2009 +1100" }, "message": "selinux: remove secondary ops call to sb_umount\n\nRemove secondary ops call to sb_umount, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ef935b9136eeaa203f75bf0b4d6e398c29f44d27", "tree": "22f961625dda1d64cd78f443bb7023ac16eb860d", "parents": [ "5565b0b865f672e3d7e31936ad1d40710ab7bfc4" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 11:51:11 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:04 2009 +1100" }, "message": "selinux: remove secondary ops call to sb_mount\n\nRemove secondary ops call to sb_mount, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5565b0b865f672e3d7e31936ad1d40710ab7bfc4", "tree": "85ad552370fc50fbbe5426e62e6c4f320f7d4461", "parents": [ "2ec5dbe23d68bddc043a85d1226bfc499a724b1c" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 11:47:49 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:03 2009 +1100" }, "message": "selinux: remove secondary ops call to bprm_committed_creds\n\nRemove secondary ops call to bprm_committed_creds, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2ec5dbe23d68bddc043a85d1226bfc499a724b1c", "tree": "f0c87a4250b4531fe6c6cac2b1f9117292efcdc1", "parents": [ "bc05595845f58c065adc0763a678187647ec040f" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 11:46:14 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:02 2009 +1100" }, "message": "selinux: remove secondary ops call to bprm_committing_creds\n\nRemove secondary ops call to bprm_committing_creds, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bc05595845f58c065adc0763a678187647ec040f", "tree": "b8126f1aadcac62f87ebd34fc44e48488ddf716e", "parents": [ "cd89596f0ccfa3ccb8a81ce47782231cf7ea7296" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 11:28:33 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:01 2009 +1100" }, "message": "selinux: remove unused bprm_check_security hook\n\nRemove unused bprm_check_security hook from SELinux. This\ncurrently calls into the capabilities hook, which is a noop.\n\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cd89596f0ccfa3ccb8a81ce47782231cf7ea7296", "tree": "d91149851e14a21d1e535c325aa93ebd15130f51", "parents": [ "11689d47f0957121920c9ec646eb5d838755853a" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jan 16 09:22:04 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@macbook.localdomain", "time": "Mon Jan 19 09:47:14 2009 +1100" }, "message": "SELinux: Unify context mount and genfs behavior\n\nContext mounts and genfs labeled file systems behave differently with respect to\nsetting file system labels. This patch brings genfs labeled file systems in line\nwith context mounts in that setxattr calls to them should return EOPNOTSUPP and\nfscreate calls will be ignored.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@macbook.localdomain\u003e\n" }, { "commit": "11689d47f0957121920c9ec646eb5d838755853a", "tree": "187b4179c0b7b9430bb9e62f6bba474a2d011235", "parents": [ "0d90a7ec48c704025307b129413bc62451b20ab3" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jan 16 09:22:03 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@macbook.localdomain", "time": "Mon Jan 19 09:47:06 2009 +1100" }, "message": "SELinux: Add new security mount option to indicate security label support.\n\nThere is no easy way to tell if a file system supports SELinux security labeling.\nBecause of this a new flag is being added to the super block security structure\nto indicate that the particular super block supports labeling. This flag is set\nfor file systems using the xattr, task, and transition labeling methods unless\nthat behavior is overridden by context mounts.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@macbook.localdomain\u003e\n" }, { "commit": "0d90a7ec48c704025307b129413bc62451b20ab3", "tree": "38cc8a7f5ff3afaccd16d2978455ccc002d69933", "parents": [ "c8334dc8fb6413b363df3e1419e287f5b25bce32" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jan 16 09:22:02 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@macbook.localdomain", "time": "Mon Jan 19 09:46:40 2009 +1100" }, "message": "SELinux: Condense super block security structure flags and cleanup necessary code.\n\nThe super block security structure currently has three fields for what are\nessentially flags. The flags field is used for mount options while two other\nchar fields are used for initialization and proc flags. These latter two fields are\nessentially bit fields since the only used values are 0 and 1. These fields\nhave been collapsed into the flags field and new bit masks have been added for\nthem. The code is also fixed to work with these new flags.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@macbook.localdomain\u003e\n" }, { "commit": "3699c53c485bf0168e6500d0ed18bf931584dd7c", "tree": "eee63a8ddbdb0665bc6a4a053a2405ca7a5b867f", "parents": [ "29881c4502ba05f46bc12ae8053d4e08d7e2615c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jan 06 22:27:01 2009 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:38:48 2009 +1100" }, "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #3]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 3b11a1decef07c19443d24ae926982bc8ec9f4c0\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Fri Nov 14 10:39:26 2008 +1100\n\n\t CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds. However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change passes the set of credentials to be tested down into the commoncap\nand SELinux code. The security functions called by capable() and\nhas_capability() select the appropriate set of credentials from the process\nbeing checked.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n * t_access_root.c - trivial test program to show permission bug.\n *\n * Written by Michael Kerrisk - copyright ownership not pursued.\n * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n perror(msg);\n exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n int fd, perm, uid, gid;\n char *testpath;\n char cmd[PATH_MAX + 20];\n\n testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n gid \u003d (argc \u003e 4) ? atoi(argv[4]) : GID;\n\n unlink(testpath);\n\n fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n if (fd \u003d\u003d -1) errExit(\"open\");\n\n if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n close(fd);\n\n snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n system(cmd);\n\n if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n accessTest(testpath, 0, \"0\");\n accessTest(testpath, R_OK, \"R_OK\");\n accessTest(testpath, W_OK, \"W_OK\");\n accessTest(testpath, X_OK, \"X_OK\");\n accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem. If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: J. Bruce Fields \u003cbfields@citi.umich.edu\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "29881c4502ba05f46bc12ae8053d4e08d7e2615c", "tree": "536ea4ac63554e836438bd5f370ddecaa343f1f4", "parents": [ "76f7ba35d4b5219fcc4cb072134c020ec77d030d" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:21:54 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:21:54 2009 +1100" }, "message": "Revert \"CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\"\n\nThis reverts commit 14eaddc967b16017d4a1a24d2be6c28ecbe06ed8.\n\nDavid has a better version to come.\n" }, { "commit": "14eaddc967b16017d4a1a24d2be6c28ecbe06ed8", "tree": "ce10216d592f0fa89ae02c4e4e9e9497010e7714", "parents": [ "5c8c40be4b5a2944483bfc1a45d6c3fa02551af3" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Dec 31 15:15:42 2008 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 05 11:17:04 2009 +1100" }, "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 5ff7711e635b32f0a1e558227d030c7e45b4a465\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Wed Dec 31 02:52:28 2008 +0000\n\n\t CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds. However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change splits capable() from has_capability() down into the commoncap and\nSELinux code. The capable() security op now only deals with the current\nprocess, and uses the current process\u0027s subjective creds. A new security op -\ntask_capable() - is introduced that can check any task\u0027s objective creds.\n\nstrictly the capable() security op is superfluous with the presence of the\ntask_capable() op, however it should be faster to call the capable() op since\ntwo fewer arguments need be passed down through the various layers.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n * t_access_root.c - trivial test program to show permission bug.\n *\n * Written by Michael Kerrisk - copyright ownership not pursued.\n * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n perror(msg);\n exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n int fd, perm, uid, gid;\n char *testpath;\n char cmd[PATH_MAX + 20];\n\n testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n gid \u003d (argc \u003e 4) ? atoi(argv[4]) : GID;\n\n unlink(testpath);\n\n fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n if (fd \u003d\u003d -1) errExit(\"open\");\n\n if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n close(fd);\n\n snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n system(cmd);\n\n if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n accessTest(testpath, 0, \"0\");\n accessTest(testpath, R_OK, \"R_OK\");\n accessTest(testpath, W_OK, \"W_OK\");\n accessTest(testpath, X_OK, \"X_OK\");\n accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem. If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "277d342fc423fca5e66e677fe629d1b2f8f1b9e2", "tree": "733f8694020df6ff8d9e21e2419b0df71aeb4351", "parents": [ "6c2e8ac0953fccdd24dc6c4b9e08e8f1cd68cf07" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Dec 31 12:54:11 2008 -0500" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Dec 31 12:54:11 2008 -0500" }, "message": "selinux: Deprecate and schedule the removal of the the compat_net functionality\n\nThis patch is the first step towards removing the old \"compat_net\" code from\nthe kernel. Secmark, the \"compat_net\" replacement was first introduced in\n2.6.18 (September 2006) and the major Linux distributions with SELinux support\nhave transitioned to Secmark so it is time to start deprecating the \"compat_net\"\nmechanism. Testing a patched version of 2.6.28-rc6 with the initial release of\nFedora Core 5 did not show any problems when running in enforcing mode.\n\nThis patch adds an entry to the feature-removal-schedule.txt file and removes\nthe SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing\nSecmark on by default although it can still be disabled at runtime. The patch\nalso makes the Secmark permission checks \"dynamic\" in the sense that they are\nonly executed when Secmark is configured; this should help prevent problems\nwith older distributions that have not yet migrated to Secmark.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0191b625ca5a46206d2fb862bb08f36f2fcb3b31", "tree": "454d1842b1833d976da62abcbd5c47521ebe9bd7", "parents": [ "54a696bd07c14d3b1192d03ce7269bc59b45209a", "eb56092fc168bf5af199d47af50c0d84a96db898" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Dec 28 12:49:40 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Dec 28 12:49:40 2008 -0800" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1429 commits)\n net: Allow dependancies of FDDI \u0026 Tokenring to be modular.\n igb: Fix build warning when DCA is disabled.\n net: Fix warning fallout from recent NAPI interface changes.\n gro: Fix potential use after free\n sfc: If AN is enabled, always read speed/duplex from the AN advertising bits\n sfc: When disabling the NIC, close the device rather than unregistering it\n sfc: SFT9001: Add cable diagnostics\n sfc: Add support for multiple PHY self-tests\n sfc: Merge top-level functions for self-tests\n sfc: Clean up PHY mode management in loopback self-test\n sfc: Fix unreliable link detection in some loopback modes\n sfc: Generate unique names for per-NIC workqueues\n 802.3ad: use standard ethhdr instead of ad_header\n 802.3ad: generalize out mac address initializer\n 802.3ad: initialize ports LACPDU from const initializer\n 802.3ad: remove typedef around ad_system\n 802.3ad: turn ports is_individual into a bool\n 802.3ad: turn ports is_enabled into a bool\n 802.3ad: make ntt bool\n ixgbe: Fix set_ringparam in ixgbe to use the same memory pools.\n ...\n\nFixed trivial IPv4/6 address printing conflicts in fs/cifs/connect.c due\nto the conversion to %pI (in this networking merge) and the addition of\ndoing IPv6 addresses (from the earlier merge of CIFS).\n" }, { "commit": "74192246910ff4fb95309ba1a683215644beeb62", "tree": "ff6daed6c494ac83afad70049a28f20ec5770b44", "parents": [ "12204e24b1330428c3062faee10a0d80b8a5cb61" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Dec 19 11:41:10 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Dec 20 09:03:39 2008 +1100" }, "message": "SELinux: don\u0027t check permissions for kernel mounts\n\nDon\u0027t bother checking permissions when the kernel performs an\ninternal mount, as this should always be allowed.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "12204e24b1330428c3062faee10a0d80b8a5cb61", "tree": "d92ee705a86f0ec2bf85c8a797239dbb840d5927", "parents": [ "459c19f524a9d89c65717a7d061d5f11ecf6bcb8" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Dec 19 10:44:42 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Dec 20 09:02:39 2008 +1100" }, "message": "security: pass mount flags to security_sb_kern_mount()\n\nPass mount flags to security_sb_kern_mount(), so security modules\ncan determine if a mount operation is being performed by the kernel.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "459c19f524a9d89c65717a7d061d5f11ecf6bcb8", "tree": "e3026017e0d58736e46406f13bd370b75cfdf674", "parents": [ "1e641743f055f075ed9a4edd75f1fb1e05669ddc" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Dec 05 09:12:19 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Dec 20 09:01:03 2008 +1100" }, "message": "SELinux: correctly detect proc filesystems of the form \"proc/foo\"\n\nMap all of these proc/ filesystem types to \"proc\" for the policy lookup at\nfilesystem mount time.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3a3b7ce9336952ea7b9564d976d068a238976c9d", "tree": "3f0a3be33022492161f534636a20a4b1059f8236", "parents": [ "1bfdc75ae077d60a01572a7781ec6264d55ab1b9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "message": "CRED: Allow kernel services to override LSM settings for task actions\n\nAllow kernel services to override LSM settings appropriate to the actions\nperformed by a task by duplicating a set of credentials, modifying it and then\nusing task_struct::cred to point to it when performing operations on behalf of\na task.\n\nThis is used, for example, by CacheFiles which has to transparently access the\ncache on behalf of a process that thinks it is doing, say, NFS accesses with a\npotentially inappropriate (with respect to accessing the cache) set of\ncredentials.\n\nThis patch provides two LSM hooks for modifying a task security record:\n\n (*) security_kernel_act_as() which allows modification of the security datum\n with which a task acts on other objects (most notably files).\n\n (*) security_kernel_create_files_as() which allows modification of the\n security datum that is used to initialise the security data on a file that\n a task creates.\n\nThe patch also provides four new credentials handling functions, which wrap the\nLSM functions:\n\n (1) prepare_kernel_cred()\n\n Prepare a set of credentials for a kernel service to use, based either on\n a daemon\u0027s credentials or on init_cred. All the keyrings are cleared.\n\n (2) set_security_override()\n\n Set the LSM security ID in a set of credentials to a specific security\n context, assuming permission from the LSM policy.\n\n (3) set_security_override_from_ctx()\n\n As (2), but takes the security context as a string.\n\n (4) set_create_files_as()\n\n Set the file creation LSM security ID in a set of credentials to be the\n same as that on a particular inode.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e [Smack changes]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3b11a1decef07c19443d24ae926982bc8ec9f4c0", "tree": "b6555f0e5b07f4b2badd332a0a900b974920c49d", "parents": [ "98870ab0a5a3f1822aee681d2997017e1c87d026" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "message": "CRED: Differentiate objective and effective subjective credentials on a task\n\nDifferentiate the objective and real subjective credentials from the effective\nsubjective credentials on a task by introducing a second credentials pointer\ninto the task_struct.\n\ntask_struct::real_cred then refers to the objective and apparent real\nsubjective credentials of a task, as perceived by the other tasks in the\nsystem.\n\ntask_struct::cred then refers to the effective subjective credentials of a\ntask, as used by that task when it\u0027s actually running. These are not visible\nto the other tasks in the system.\n\n__task_cred(task) then refers to the objective/real credentials of the task in\nquestion.\n\ncurrent_cred() refers to the effective subjective credentials of the current\ntask.\n\nprepare_creds() uses the objective creds as a base and commit_creds() changes\nboth pointers in the task_struct (indeed commit_creds() requires them to be the\nsame).\n\noverride_creds() and revert_creds() change the subjective creds pointer only,\nand the former returns the old subjective creds. These are used by NFSD,\nfaccessat() and do_coredump(), and will by used by CacheFiles.\n\nIn SELinux, current_has_perm() is provided as an alternative to\ntask_has_perm(). This uses the effective subjective context of current,\nwhereas task_has_perm() uses the objective/real context of the subject.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d", "tree": "8f95617996d0974507f176163459212a7def8b9a", "parents": [ "d84f4f992cbd76e8f39c488cf0c5d123843923b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Make execve() take advantage of copy-on-write credentials\n\nMake execve() take advantage of copy-on-write credentials, allowing it to set\nup the credentials in advance, and then commit the whole lot after the point\nof no return.\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n The credential bits from struct linux_binprm are, for the most part,\n replaced with a single credentials pointer (bprm-\u003ecred). This means that\n all the creds can be calculated in advance and then applied at the point\n of no return with no possibility of failure.\n\n I would like to replace bprm-\u003ecap_effective with:\n\n\tcap_isclear(bprm-\u003ecap_effective)\n\n but this seems impossible due to special behaviour for processes of pid 1\n (they always retain their parent\u0027s capability masks where normally they\u0027d\n be changed - see cap_bprm_set_creds()).\n\n The following sequence of events now happens:\n\n (a) At the start of do_execve, the current task\u0027s cred_exec_mutex is\n \t locked to prevent PTRACE_ATTACH from obsoleting the calculation of\n \t creds that we make.\n\n (a) prepare_exec_creds() is then called to make a copy of the current\n \t task\u0027s credentials and prepare it. This copy is then assigned to\n \t bprm-\u003ecred.\n\n \t This renders security_bprm_alloc() and security_bprm_free()\n \t unnecessary, and so they\u0027ve been removed.\n\n (b) The determination of unsafe execution is now performed immediately\n \t after (a) rather than later on in the code. The result is stored in\n \t bprm-\u003eunsafe for future reference.\n\n (c) prepare_binprm() is called, possibly multiple times.\n\n \t (i) This applies the result of set[ug]id binaries to the new creds\n \t attached to bprm-\u003ecred. Personality bit clearance is recorded,\n \t but now deferred on the basis that the exec procedure may yet\n \t fail.\n\n (ii) This then calls the new security_bprm_set_creds(). This should\n\t calculate the new LSM and capability credentials into *bprm-\u003ecred.\n\n\t This folds together security_bprm_set() and parts of\n\t security_bprm_apply_creds() (these two have been removed).\n\t Anything that might fail must be done at this point.\n\n (iii) bprm-\u003ecred_prepared is set to 1.\n\n\t bprm-\u003ecred_prepared is 0 on the first pass of the security\n\t calculations, and 1 on all subsequent passes. This allows SELinux\n\t in (ii) to base its calculations only on the initial script and\n\t not on the interpreter.\n\n (d) flush_old_exec() is called to commit the task to execution. This\n \t performs the following steps with regard to credentials:\n\n\t (i) Clear pdeath_signal and set dumpable on certain circumstances that\n\t may not be covered by commit_creds().\n\n (ii) Clear any bits in current-\u003epersonality that were deferred from\n (c.i).\n\n (e) install_exec_creds() [compute_creds() as was] is called to install the\n \t new credentials. This performs the following steps with regard to\n \t credentials:\n\n (i) Calls security_bprm_committing_creds() to apply any security\n requirements, such as flushing unauthorised files in SELinux, that\n must be done before the credentials are changed.\n\n\t This is made up of bits of security_bprm_apply_creds() and\n\t security_bprm_post_apply_creds(), both of which have been removed.\n\t This function is not allowed to fail; anything that might fail\n\t must have been done in (c.ii).\n\n (ii) Calls commit_creds() to apply the new credentials in a single\n assignment (more or less). Possibly pdeath_signal and dumpable\n should be part of struct creds.\n\n\t (iii) Unlocks the task\u0027s cred_replace_mutex, thus allowing\n\t PTRACE_ATTACH to take place.\n\n (iv) Clears The bprm-\u003ecred pointer as the credentials it was holding\n are now immutable.\n\n (v) Calls security_bprm_committed_creds() to apply any security\n alterations that must be done after the creds have been changed.\n SELinux uses this to flush signals and signal handlers.\n\n (f) If an error occurs before (d.i), bprm_free() will call abort_creds()\n \t to destroy the proposed new credentials and will then unlock\n \t cred_replace_mutex. No changes to the credentials will have been\n \t made.\n\n (2) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_bprm_alloc(), -\u003ebprm_alloc_security()\n (*) security_bprm_free(), -\u003ebprm_free_security()\n\n \t Removed in favour of preparing new credentials and modifying those.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n (*) security_bprm_post_apply_creds(), -\u003ebprm_post_apply_creds()\n\n \t Removed; split between security_bprm_set_creds(),\n \t security_bprm_committing_creds() and security_bprm_committed_creds().\n\n (*) security_bprm_set(), -\u003ebprm_set_security()\n\n \t Removed; folded into security_bprm_set_creds().\n\n (*) security_bprm_set_creds(), -\u003ebprm_set_creds()\n\n \t New. The new credentials in bprm-\u003ecreds should be checked and set up\n \t as appropriate. bprm-\u003ecred_prepared is 0 on the first call, 1 on the\n \t second and subsequent calls.\n\n (*) security_bprm_committing_creds(), -\u003ebprm_committing_creds()\n (*) security_bprm_committed_creds(), -\u003ebprm_committed_creds()\n\n \t New. Apply the security effects of the new credentials. This\n \t includes closing unauthorised files in SELinux. This function may not\n \t fail. When the former is called, the creds haven\u0027t yet been applied\n \t to the process; when the latter is called, they have.\n\n \t The former may access bprm-\u003ecred, the latter may not.\n\n (3) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) The bprm_security_struct struct has been removed in favour of using\n \t the credentials-under-construction approach.\n\n (c) flush_unauthorized_files() now takes a cred pointer and passes it on\n \t to inode_has_perm(), file_has_perm() and dentry_open().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "745ca2475a6ac596e3d8d37c2759c0fbe2586227", "tree": "f87c34bdfbc8542477b16a014bbb4e3b415b286a", "parents": [ "88e67f3b8898c5ea81d2916dd5b8bc9c0c35ba13" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:22 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:22 2008 +1100" }, "message": "CRED: Pass credentials through dentry_open()\n\nPass credentials through dentry_open() so that the COW creds patch can have\nSELinux\u0027s flush_unauthorized_files() pass the appropriate creds back to itself\nwhen it opens its null chardev.\n\nThe security_dentry_open() call also now takes a creds pointer, as does the\ndentry_open hook in struct security_operations.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "88e67f3b8898c5ea81d2916dd5b8bc9c0c35ba13", "tree": "1ce706510a4062d69ca25801023825331d420be0", "parents": [ "6cc88bc45ce8043171089c9592da223dfab91823" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:21 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:21 2008 +1100" }, "message": "CRED: Make inode_has_perm() and file_has_perm() take a cred pointer\n\nMake inode_has_perm() and file_has_perm() take a cred pointer rather than a\ntask pointer.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "275bb41e9d058fbb327e7642f077e1beaeac162e", "tree": "049fdbb39ca43e7b3b9abf36ad279b31488121bc", "parents": [ "c69e8d9c01db2adc503464993c358901c9af9de4" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "message": "CRED: Wrap access to SELinux\u0027s task SID\n\nWrap access to SELinux\u0027s task SID, using task_sid() and current_sid() as\nappropriate.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f1752eec6145c97163dbce62d17cf5d928e28a27", "tree": "16bc51166d38815092de36a461b845b0b4b522f9", "parents": [ "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "message": "CRED: Detach the credentials from task_struct\n\nDetach the credentials from task_struct, duplicating them in copy_process()\nand releasing them in __put_task_struct().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a", "tree": "9e76f972eb7ce9b84e0146c8e4126a3f86acb428", "parents": [ "15a2460ed0af7538ca8e6c610fe607a2cd9da142" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "message": "CRED: Separate task security context from task_struct\n\nSeparate the task security context from task_struct. At this point, the\nsecurity data is temporarily embedded in the task_struct with two pointers\npointing to it.\n\nNote that the Alpha arch is altered as it refers to (E)UID and (E)GID in\nentry.S via asm-offsets.\n\nWith comment fixes Signed-off-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "15a2460ed0af7538ca8e6c610fe607a2cd9da142", "tree": "3611bc03e9c30fe0d11454f6966e6b0ca7f1dbd0", "parents": [ "1cdcbec1a3372c0c49c59d292e708fd07b509f18" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:15 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:15 2008 +1100" }, "message": "CRED: Constify the kernel_cap_t arguments to the capset LSM hooks\n\nConstify the kernel_cap_t arguments to the capset LSM hooks.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1cdcbec1a3372c0c49c59d292e708fd07b509f18", "tree": "d1bd302c8d66862da45b494cbc766fb4caa5e23e", "parents": [ "8bbf4976b59fc9fc2861e79cab7beb3f6d647640" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "message": "CRED: Neuter sys_capset()\n\nTake away the ability for sys_capset() to affect processes other than current.\n\nThis means that current will not need to lock its own credentials when reading\nthem against interference by other processes.\n\nThis has effectively been the case for a while anyway, since:\n\n (1) Without LSM enabled, sys_capset() is disallowed.\n\n (2) With file-based capabilities, sys_capset() is neutered.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "066746796bd2f0a1ba210c0dded3b6ee4032692a", "tree": "868832ca0e199e4f173e23375cffb5fc3870402c", "parents": [ "a2f2945a99057c7d44043465906c6bb63c3368a0" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 11 22:02:57 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 11 22:02:57 2008 +1100" }, "message": "Currently SELinux jumps through some ugly hoops to not audit a capbility\ncheck when determining if a process has additional powers to override\nmemory limits or when trying to read/write illegal file labels. Use\nthe new noaudit call instead.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "06112163f5fd9e491a7f810443d81efa9d88e247", "tree": "48039f7488abbec36c0982a57405b57d47311dd6", "parents": [ "637d32dc720897616e8a1a4f9e9609e29d431800" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 11 22:02:50 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 11 22:02:50 2008 +1100" }, "message": "Add a new capable interface that will be used by systems that use audit to\nmake an A or B type decision instead of a security decision. Currently\nthis is the case at least for filesystems when deciding if a process can use\nthe reserved \u0027root\u0027 blocks and for the case of things like the oom\nalgorithm determining if processes are root processes and should be less\nlikely to be killed. These types of security system requests should not be\naudited or logged since they are not really security decisions. It would be\npossible to solve this problem like the vm_enough_memory security check did\nby creating a new LSM interface and moving all of the policy into that\ninterface but proves the needlessly bloat the LSM and provide complex\nindirection.\n\nThis merely allows those decisions to be made where they belong and to not\nflood logs or printk with denials for thing that are not security decisions.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "39c9aede2b4a252bd296c0a86be832c3d3d0a273", "tree": "2c802930511c40a6d150166a892e68f83fee9851", "parents": [ "1f29fae29709b4668979e244c09b2fa78ff1ad59" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Nov 05 09:34:42 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sun Nov 09 07:33:18 2008 +0800" }, "message": "SELinux: Use unknown perm handling to handle unknown netlink msg types\n\nCurrently when SELinux has not been updated to handle a netlink message\ntype the operation is denied with EINVAL. This patch will leave the\naudit/warning message so things get fixed but if policy chose to allow\nunknowns this will allow the netlink operation.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9eeda9abd1faf489f3df9a1f557975f4c8650363", "tree": "3e0a58e25b776cfbee193195460324dccb1886c7", "parents": [ "61c9eaf90081cbe6dc4f389e0056bff76eca19ec", "4bab0ea1d42dd1927af9df6fbf0003fc00617c50" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Nov 06 22:43:03 2008 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Nov 06 22:43:03 2008 -0800" }, "message": "Merge branch \u0027master\u0027 of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6\n\nConflicts:\n\n\tdrivers/net/wireless/ath5k/base.c\n\tnet/8021q/vlan_core.c\n" }, { "commit": "e21e696edb498c7f7eed42ba3096f6bbe13927b6", "tree": "73b0bc28e45b0268f05c4b384a17bfb2140a73bc", "parents": [ "2f99db28af90957271a6448479c3e492ccf7c697", "75fa67706cce5272bcfc51ed646f2da21f3bdb6e" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 06 07:12:34 2008 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 06 07:12:34 2008 +0800" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "41d9f9c524a53477467b7e0111ff3d644198f191", "tree": "b891d648d756d7195bab5c0f55f105cd00d8f94a", "parents": [ "8b6a5a37f87a414ef8636e36ec75accb27bb7508" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 04 15:18:26 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Nov 05 08:44:11 2008 +1100" }, "message": "SELinux: hold tasklist_lock and siglock while waking wait_chldexit\n\nSELinux has long been calling wake_up_interruptible() on\ncurrent-\u003eparent-\u003esignal-\u003ewait_chldexit without holding any locks. It\nappears that this operation should hold the tasklist_lock to dereference\ncurrent-\u003eparent and we should hold the siglock when waking up the\nsignal-\u003ewait_chldexit.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "37dd0bd04a3240d2922786d501e2f12cec858fbf", "tree": "d4fa5a124a95d33bf22276429a82822ec8d4810a", "parents": [ "721d5dfe7e516954c501d5e9d0dfab379cf4241a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Oct 31 17:40:00 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Nov 01 09:38:48 2008 +1100" }, "message": "SELinux: properly handle empty tty_files list\n\nSELinux has wrongly (since 2004) had an incorrect test for an empty\ntty-\u003etty_files list. With an empty list selinux would be pointing to part\nof the tty struct itself and would then proceed to dereference that value\nand again dereference that result. An F10 change to plymouth on a ppc64\nsystem is actually currently triggering this bug. This patch uses\nlist_empty() to handle empty lists rather than looking at a meaningless\nlocation.\n\n[note, this fixes the oops reported in\nhttps://bugzilla.redhat.com/show_bug.cgi?id\u003d469079]\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8b6a5a37f87a414ef8636e36ec75accb27bb7508", "tree": "26ff1dddb3c8727118b24819e83b4b7c500ff595", "parents": [ "0da939b0058742ad2d8580b7db6b966d0fc72252" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 29 17:06:46 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Oct 31 02:00:52 2008 +1100" }, "message": "SELinux: check open perms in dentry_open not inode_permission\n\nSome operations, like searching a directory path or connecting a unix domain\nsocket, make explicit calls into inode_permission. Our choices are to\neither try to come up with a signature for all of the explicit calls to\ninode_permission and do not check open on those, or to move the open checks to\ndentry_open where we know this is always an open operation. This patch moves\nthe checks to dentry_open.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "def8b4faff5ca349beafbbfeb2c51f3602a6ef3a", "tree": "a90fbb0b6ae2a49c507465801f31df77bc5ebf9d", "parents": [ "b057efd4d226fcc3a92b0dc6d8ea8e8185ecb260" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Tue Oct 28 13:24:06 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Oct 28 13:24:06 2008 -0700" }, "message": "net: reduce structures when XFRM\u003dn\n\nifdef out\n* struct sk_buff::sp\t\t(pointer)\n* struct dst_entry::xfrm\t(pointer)\n* struct sock::sk_policy\t(2 pointers)\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" } ], "next": "c465a76af658b443075d6efee1c3131257643020" }