)]}'
{
  "log": [
    {
      "commit": "a447c0932445f92ce6f4c1bd020f62c5097a7842",
      "tree": "bacf05bc7f9764515cdd6f7dc5e2254776b4f160",
      "parents": [
        "54cebc68c81eacac41a21bdfe99dc889d3882c60"
      ],
      "author": {
        "name": "Steven Whitehouse",
        "email": "swhiteho@redhat.com",
        "time": "Mon Oct 13 10:46:57 2008 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 13 10:10:37 2008 -0700"
      },
      "message": "vfs: Use const for kernel parser table\n\nThis is a much better version of a previous patch to make the parser\ntables constant. Rather than changing the typedef, we put the \"const\" in\nall the various places where its required, allowing the __initconst\nexception for nfsroot which was the cause of the previous trouble.\n\nThis was posted for review some time ago and I believe its been in -mm\nsince then.\n\nSigned-off-by: Steven Whitehouse \u003cswhiteho@redhat.com\u003e\nCc: Alexander Viro \u003caviro@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "8d71ff0bef9cf4e70108a9a2762f2361e607abde",
      "tree": "a79487fceb6ec18e956373a3019416a43b269f1d",
      "parents": [
        "244dc4e54b73567fae7f8fd9ba56584be9375442",
        "92562927826fceb2f8e69c89e28161b8c1e0b125"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 13 10:00:44 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 13 10:00:44 2008 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (24 commits)\n  integrity: special fs magic\n  As pointed out by Jonathan Corbet, the timer must be deleted before\n  ERROR: code indent should use tabs where possible\n  The tpm_dev_release function is only called for platform devices, not pnp\n  Protect tpm_chip_list when transversing it.\n  Renames num_open to is_open, as only one process can open the file at a time.\n  Remove the BKL calls from the TPM driver, which were added in the overall\n  netlabel: Add configuration support for local labeling\n  cipso: Add support for native local labeling and fixup mapping names\n  netlabel: Changes to the NetLabel security attributes to allow LSMs to pass full contexts\n  selinux: Cache NetLabel secattrs in the socket\u0027s security struct\n  selinux: Set socket NetLabel based on connection endpoint\n  netlabel: Add functionality to set the security attributes of a packet\n  netlabel: Add network address selectors to the NetLabel/LSM domain mapping\n  netlabel: Add a generic way to create ordered linked lists of network addrs\n  netlabel: Replace protocol/NetLabel linking with refrerence counts\n  smack: Fix missing calls to netlbl_skbuff_err()\n  selinux: Fix missing calls to netlbl_skbuff_err()\n  selinux: Fix a problem in security_netlbl_sid_to_secattr()\n  selinux: Better local/forward check in selinux_ip_postroute()\n  ...\n"
    },
    {
      "commit": "934e6ebf96e8c1a0f299e64129fdaebc1132a427",
      "tree": "ab4bd754997b097f06a5cfefd9e3671d56e628f4",
      "parents": [
        "2cb5998b5f0ccc886fdda3509059eef297b49577"
      ],
      "author": {
        "name": "Alan Cox",
        "email": "alan@redhat.com",
        "time": "Mon Oct 13 10:40:43 2008 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 13 09:51:41 2008 -0700"
      },
      "message": "tty: Redo current tty locking\n\nCurrently it is sometimes locked by the tty mutex and sometimes by the\nsighand lock. The latter is in fact correct and now we can hand back referenced\nobjects we can fix this up without problems around sleeping functions.\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "452a00d2ee288f2cbc36f676edd06cb14d2878c1",
      "tree": "c8251c73924a6ac9b174bc557357bfeff0c8d1a8",
      "parents": [
        "f4d2a6c2096b764decb20070b1bf4356de9144a8"
      ],
      "author": {
        "name": "Alan Cox",
        "email": "alan@redhat.com",
        "time": "Mon Oct 13 10:39:13 2008 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 13 09:51:41 2008 -0700"
      },
      "message": "tty: Make get_current_tty use a kref\n\nWe now return a kref covered tty reference. That ensures the tty structure\ndoesn\u0027t go away when you have a return from get_current_tty. This is not\nenough to protect you from most of the resources being freed behind your\nback - yet.\n\n[Updated to include fixes for SELinux problems found by Andrew Morton and\n an s390 leak found while debugging the former]\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "0da939b0058742ad2d8580b7db6b966d0fc72252",
      "tree": "47cb109fdf97135191bff5db4e3bfc905136bf8b",
      "parents": [
        "4bdec11f560b8f405a011288a50e65b1a81b3654",
        "d91d40799165b0c84c97e7c71fb8039494ff07dc"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Oct 11 09:26:14 2008 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Oct 11 09:26:14 2008 +1100"
      },
      "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/pcmoore/lblnet-2.6_next into next\n"
    },
    {
      "commit": "6c5b3fc0147f79d714d2fe748b5869d7892ef2e7",
      "tree": "2cff691b2d4da2afd69660cb4ee647f6b553cdf9",
      "parents": [
        "014ab19a69c325f52d7bae54ceeda73d6307ae0c"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "message": "selinux: Cache NetLabel secattrs in the socket\u0027s security struct\n\nPrevious work enabled the use of address based NetLabel selectors, which\nwhile highly useful, brought the potential for additional per-packet overhead\nwhen used.  This patch attempts to mitigate some of that overhead by caching\nthe NetLabel security attribute struct within the SELinux socket security\nstructure.  This should help eliminate the need to recreate the NetLabel\nsecattr structure for each packet resulting in less overhead.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "014ab19a69c325f52d7bae54ceeda73d6307ae0c",
      "tree": "8a69c490accb7d5454bdfeb8c078d846729aeb60",
      "parents": [
        "948bf85c1bc9a84754786a9d5dd99b7ecc46451e"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "message": "selinux: Set socket NetLabel based on connection endpoint\n\nPrevious work enabled the use of address based NetLabel selectors, which while\nhighly useful, brought the potential for additional per-packet overhead when\nused.  This patch attempts to solve that by applying NetLabel socket labels\nwhen sockets are connect()\u0027d.  This should alleviate the per-packet NetLabel\nlabeling for all connected sockets (yes, it even works for connected DGRAM\nsockets).\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "948bf85c1bc9a84754786a9d5dd99b7ecc46451e",
      "tree": "a4706be1f4a5a37408774ef3c4cab8cf2e7775b5",
      "parents": [
        "63c41688743760631188cf0f4ae986a6793ccb0a"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:32 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:32 2008 -0400"
      },
      "message": "netlabel: Add functionality to set the security attributes of a packet\n\nThis patch builds upon the new NetLabel address selector functionality by\nproviding the NetLabel KAPI and CIPSO engine support needed to enable the\nnew packet-based labeling.  The only new addition to the NetLabel KAPI at\nthis point is shown below:\n\n * int netlbl_skbuff_setattr(skb, family, secattr)\n\n... and is designed to be called from a Netfilter hook after the packet\u0027s\nIP header has been populated such as in the FORWARD or LOCAL_OUT hooks.\n\nThis patch also provides the necessary SELinux hooks to support this new\nfunctionality.  Smack support is not currently included due to uncertainty\nregarding the permissions needed to expand the Smack network access controls.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "dfaebe9825ff34983778f287101bc5f3bce00640",
      "tree": "4dccdcdcecd57fc8bfc083ff30d9e0ecb2e7ecba",
      "parents": [
        "99d854d231ce141850b988bdc7e2e7c78f49b03a"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:31 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:31 2008 -0400"
      },
      "message": "selinux: Fix missing calls to netlbl_skbuff_err()\n\nAt some point I think I messed up and dropped the calls to netlbl_skbuff_err()\nwhich are necessary for CIPSO to send error notifications to remote systems.\nThis patch re-introduces the error handling calls into the SELinux code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d8395c876bb8a560c8a032887e191b95499a25d6",
      "tree": "6c2ef0d59e04b90a9ef673fa34e1c042d22f128e",
      "parents": [
        "948a72438d4178d0728c4b0a38836d280b846939"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:30 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:30 2008 -0400"
      },
      "message": "selinux: Better local/forward check in selinux_ip_postroute()\n\nIt turns out that checking to see if skb-\u003esk is NULL is not a very good\nindicator of a forwarded packet as some locally generated packets also have\nskb-\u003esk set to NULL.  Fix this by not only checking the skb-\u003esk field but also\nthe IP[6]CB(skb)-\u003eflags field for the IP[6]SKB_FORWARDED flag.  While we are\nat it, we are calling selinux_parse_skb() much earlier than we really should\nresulting in potentially wasted cycles parsing packets for information we\nmight not use; so shuffle the code around a bit to fix this.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "aa86290089a1e57b4bdbbb4720072233f66bd5b2",
      "tree": "9ab16f4d22056297f1571bb7b2b988bff84c8a10",
      "parents": [
        "accc609322ef5ed44cba6d2d70c741afc76385fb"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:29 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:29 2008 -0400"
      },
      "message": "selinux: Correctly handle IPv4 packets on IPv6 sockets in all cases\n\nWe did the right thing in a few cases but there were several areas where we\ndetermined a packet\u0027s address family based on the socket\u0027s address family which\nis not the right thing to do since we can get IPv4 packets on IPv6 sockets.\nThis patch fixes these problems by either taking the address family directly\nfrom the packet.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ea6b184f7d521a503ecab71feca6e4057562252b",
      "tree": "89724ca76ba9bc8a7029f3fd3edc49557ec6ab40",
      "parents": [
        "de45e806a84909648623119dfe6fc1d31e71ceba"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Mon Sep 22 15:41:19 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Sep 30 00:26:53 2008 +1000"
      },
      "message": "selinux: use default proc sid on symlinks\n\nAs we are not concerned with fine-grained control over reading of\nsymlinks in proc, always use the default proc SID for all proc symlinks.\nThis should help avoid permission issues upon changes to the proc tree\nas in the /proc/net -\u003e /proc/self/net example.\nThis does not alter labeling of symlinks within /proc/pid directories.\nls -Zd /proc/net output before and after the patch should show the difference.\n\nSigned-off-by:  Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d9250dea3f89fe808a525f08888016b495240ed4",
      "tree": "c4b039ce0b29714e8f4c3bbc6d407adc361cc122",
      "parents": [
        "da31894ed7b654e2e1741e7ac4ef6c15be0dd14b"
      ],
      "author": {
        "name": "KaiGai Kohei",
        "email": "kaigai@ak.jp.nec.com",
        "time": "Thu Aug 28 16:35:57 2008 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Aug 29 00:33:33 2008 +1000"
      },
      "message": "SELinux: add boundary support and thread context assignment\n\nThe purpose of this patch is to assign per-thread security context\nunder a constraint. It enables multi-threaded server application\nto kick a request handler with its fair security context, and\nhelps some of userspace object managers to handle user\u0027s request.\n\nWhen we assign a per-thread security context, it must not have wider\npermissions than the original one. Because a multi-threaded process\nshares a single local memory, an arbitrary per-thread security context\nalso means another thread can easily refer violated information.\n\nThe constraint on a per-thread security context requires a new domain\nhas to be equal or weaker than its original one, when it tries to assign\na per-thread security context.\n\nBounds relationship between two types is a way to ensure a domain can\nnever have wider permission than its bounds. We can define it in two\nexplicit or implicit ways.\n\nThe first way is using new TYPEBOUNDS statement. It enables to define\na boundary of types explicitly. The other one expand the concept of\nexisting named based hierarchy. If we defines a type with \".\" separated\nname like \"httpd_t.php\", toolchain implicitly set its bounds on \"httpd_t\".\n\nThis feature requires a new policy version.\nThe 24th version (POLICYDB_VERSION_BOUNDARY) enables to ship them into\nkernel space, and the following patch enables to handle it.\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "86d688984deefa3ae5a802880c11f2b408b5d6cf",
      "tree": "7ea5e8189b0a774626d3ed7c3c87df2495a4c4a0",
      "parents": [
        "93c06cbbf9fea5d5be1778febb7fa9ab1a74e5f5",
        "4c246edd2550304df5b766cc841584b2bb058843"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 28 10:47:34 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 28 10:47:34 2008 +1000"
      },
      "message": "Merge branch \u0027master\u0027 into next\n"
    },
    {
      "commit": "5cd9c58fbe9ec92b45b27e131719af4f2bd9eb40",
      "tree": "8573db001b4dc3c2ad97102dda42b841c40b5f6c",
      "parents": [
        "8d0968abd03ec6b407df117adc773562386702fa"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Aug 14 11:37:28 2008 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 14 22:59:43 2008 +1000"
      },
      "message": "security: Fix setting of PF_SUPERPRIV by __capable()\n\nFix the setting of PF_SUPERPRIV by __capable() as it could corrupt the flags\nthe target process if that is not the current process and it is trying to\nchange its own flags in a different way at the same time.\n\n__capable() is using neither atomic ops nor locking to protect t-\u003eflags.  This\npatch removes __capable() and introduces has_capability() that doesn\u0027t set\nPF_SUPERPRIV on the process being queried.\n\nThis patch further splits security_ptrace() in two:\n\n (1) security_ptrace_may_access().  This passes judgement on whether one\n     process may access another only (PTRACE_MODE_ATTACH for ptrace() and\n     PTRACE_MODE_READ for /proc), and takes a pointer to the child process.\n     current is the parent.\n\n (2) security_ptrace_traceme().  This passes judgement on PTRACE_TRACEME only,\n     and takes only a pointer to the parent process.  current is the child.\n\n     In Smack and commoncap, this uses has_capability() to determine whether\n     the parent will be permitted to use PTRACE_ATTACH if normal checks fail.\n     This does not set PF_SUPERPRIV.\n\nTwo of the instances of __capable() actually only act on current, and so have\nbeen changed to calls to capable().\n\nOf the places that were using __capable():\n\n (1) The OOM killer calls __capable() thrice when weighing the killability of a\n     process.  All of these now use has_capability().\n\n (2) cap_ptrace() and smack_ptrace() were using __capable() to check to see\n     whether the parent was allowed to trace any process.  As mentioned above,\n     these have been split.  For PTRACE_ATTACH and /proc, capable() is now\n     used, and for PTRACE_TRACEME, has_capability() is used.\n\n (3) cap_safe_nice() only ever saw current, so now uses capable().\n\n (4) smack_setprocattr() rejected accesses to tasks other than current just\n     after calling __capable(), so the order of these two tests have been\n     switched and capable() is used instead.\n\n (5) In smack_file_send_sigiotask(), we need to allow privileged processes to\n     receive SIGIO on files they\u0027re manipulating.\n\n (6) In smack_task_wait(), we let a process wait for a privileged process,\n     whether or not the process doing the waiting is privileged.\n\nI\u0027ve tested this with the LTP SELinux and syscalls testscripts.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "cf9481e289247fe9cf40f2e2481220d899132049",
      "tree": "39b8e15d27876cd84acb07c9543b423c29d66a7f",
      "parents": [
        "0c0e186f812457e527c420f7a4d02865fd0dc7d2"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Sun Jul 27 21:31:07 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 05 10:55:47 2008 +1000"
      },
      "message": "SELinux: Fix a potentially uninitialised variable in SELinux hooks\n\nFix a potentially uninitialised variable in SELinux hooks that\u0027s given a\npointer to the network address by selinux_parse_skb() passing a pointer back\nthrough its argument list.  By restructuring selinux_parse_skb(), the compiler\ncan see that the error case need not set it as the caller will return\nimmediately.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "3583a71183a02c51ca71cd180e9189cfb0411cc1",
      "tree": "3e613e3fc087131a2e4d2f3c5bdf36ecca02e0bd",
      "parents": [
        "2b12a4c524812fb3f6ee590a02e65b95c8c32229"
      ],
      "author": {
        "name": "Adrian Bunk",
        "email": "bunk@kernel.org",
        "time": "Tue Jul 22 20:21:23 2008 +0300"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 05 10:55:24 2008 +1000"
      },
      "message": "make selinux_write_opts() static\n\nThis patch makes the needlessly global selinux_write_opts() static.\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "383795c206946777d87ed5f6d61d6659110f9344",
      "tree": "839c3a69e5a8603ce4bc494fc5b7e81c1e02e87b",
      "parents": [
        "6e86841d05f371b5b9b86ce76c02aaee83352298"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Jul 29 17:07:26 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jul 30 08:31:28 2008 +1000"
      },
      "message": "SELinux: /proc/mounts should show what it can\n\nGiven a hosed SELinux config in which a system never loads policy or\ndisables SELinux we currently just return -EINVAL for anyone trying to\nread /proc/mounts.  This is a configuration problem but we can certainly\nbe more graceful.  This patch just ignores -EINVAL when displaying LSM\noptions and causes /proc/mounts to display everything else it can.  If\npolicy isn\u0027t loaded then obviously there are no options, so we aren\u0027t\nreally losing any information here.\n\nThis is safe as the only other return of EINVAL comes from\nsecurity_sid_to_context_core() in the case of an invalid sid.  Even if a\nFS was mounted with a now invalidated context that sid should have been\nremapped to unlabeled and so we won\u0027t hit the EINVAL and will work like\nwe should.  (yes, I tested to make sure it worked like I thought)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nTested-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4836e3007882984279ca63d3c42bf0b14616eb78",
      "tree": "28bf22726964e068b825491d71a141eefedbe5f8",
      "parents": [
        "5c7c204aeca51ccfad63caab4fcdc5d8026c0fd8",
        "4e1e018ecc6f7bfd10fc75b3ff9715cc8164e0a2"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jul 26 20:23:44 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jul 26 20:23:44 2008 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: (39 commits)\n  [PATCH] fix RLIM_NOFILE handling\n  [PATCH] get rid of corner case in dup3() entirely\n  [PATCH] remove remaining namei_{32,64}.h crap\n  [PATCH] get rid of indirect users of namei.h\n  [PATCH] get rid of __user_path_lookup_open\n  [PATCH] f_count may wrap around\n  [PATCH] dup3 fix\n  [PATCH] don\u0027t pass nameidata to __ncp_lookup_validate()\n  [PATCH] don\u0027t pass nameidata to gfs2_lookupi()\n  [PATCH] new (local) helper: user_path_parent()\n  [PATCH] sanitize __user_walk_fd() et.al.\n  [PATCH] preparation to __user_walk_fd cleanup\n  [PATCH] kill nameidata passing to permission(), rename to inode_permission()\n  [PATCH] take noexec checks to very few callers that care\n  Re: [PATCH 3/6] vfs: open_exec cleanup\n  [patch 4/4] vfs: immutable inode checking cleanup\n  [patch 3/4] fat: dont call notify_change\n  [patch 2/4] vfs: utimes cleanup\n  [patch 1/4] vfs: utimes: move owner check into inode_change_ok()\n  [PATCH] vfs: use kstrdup() and check failing allocation\n  ...\n"
    },
    {
      "commit": "228428428138e231a155464239880201e5cc8b44",
      "tree": "89b437f5501d03ca36b717e232337426d0de77ca",
      "parents": [
        "78681ac08a611313595d13cafabae1183b71ef48",
        "6c3b8fc618905d7599dcc514c99ce4293d476f39"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jul 26 20:17:56 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jul 26 20:17:56 2008 -0700"
      },
      "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:\n  netns: fix ip_rt_frag_needed rt_is_expired\n  netfilter: nf_conntrack_extend: avoid unnecessary \"ct-\u003eext\" dereferences\n  netfilter: fix double-free and use-after free\n  netfilter: arptables in netns for real\n  netfilter: ip{,6}tables_security: fix future section mismatch\n  selinux: use nf_register_hooks()\n  netfilter: ebtables: use nf_register_hooks()\n  Revert \"pkt_sched: sch_sfq: dump a real number of flows\"\n  qeth: use dev-\u003eml_priv instead of dev-\u003epriv\n  syncookies: Make sure ECN is disabled\n  net: drop unused BUG_TRAP()\n  net: convert BUG_TRAP to generic WARN_ON\n  drivers/net: convert BUG_TRAP to generic WARN_ON\n"
    },
    {
      "commit": "b77b0646ef4efe31a7449bb3d9360fd00f95433d",
      "tree": "f8487fe832fbe23400c9f98e808555f0251fb158",
      "parents": [
        "a110343f0d6d41f68b7cf8c00b57a3172c67f816"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Jul 17 09:37:02 2008 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sat Jul 26 20:53:22 2008 -0400"
      },
      "message": "[PATCH] pass MAY_OPEN to vfs_permission() explicitly\n\n... and get rid of the last \"let\u0027s deduce mask from nameidata-\u003eflags\"\nbit.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "6c5a9d2e1599a099b0e47235a1c1502162b14310",
      "tree": "517e577b1485b8a40458cff1e3780eab556f4749",
      "parents": [
        "e40f51a36a6ca718e829c0933ab1e79333ac932e"
      ],
      "author": {
        "name": "Alexey Dobriyan",
        "email": "adobriyan@gmail.com",
        "time": "Sat Jul 26 17:48:15 2008 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sat Jul 26 17:48:15 2008 -0700"
      },
      "message": "selinux: use nf_register_hooks()\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "0d094efeb1e98010c6b99923f1eb7e17bf1e3a74",
      "tree": "6ee271b6da5796e5321d2ab6f9d7d9ba03c300a2",
      "parents": [
        "dae33574dcf5211e1f43c7e45fa29f73ba3e00cb"
      ],
      "author": {
        "name": "Roland McGrath",
        "email": "roland@redhat.com",
        "time": "Fri Jul 25 19:45:49 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jul 26 12:00:08 2008 -0700"
      },
      "message": "tracehook: tracehook_tracer_task\n\nThis adds the tracehook_tracer_task() hook to consolidate all forms of\n\"Who is using ptrace on me?\" logic.  This is used for \"TracerPid:\" in\n/proc and for permission checks.  We also clean up the selinux code that\ncalled an identical accessor.\n\nSigned-off-by: Roland McGrath \u003croland@redhat.com\u003e\nCc: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nReviewed-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "089be43e403a78cd6889cde2fba164fefe9dfd89",
      "tree": "de401b27c91c528dbf64c712e6b64d185ded0c54",
      "parents": [
        "50515af207d410c9f228380e529c56f43c3de0bd"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jul 15 18:32:49 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jul 15 18:32:49 2008 +1000"
      },
      "message": "Revert \"SELinux: allow fstype unknown to policy to use xattrs if present\"\n\nThis reverts commit 811f3799279e567aa354c649ce22688d949ac7a9.\n\nFrom Eric Paris:\n\n\"Please drop this patch for now.  It deadlocks on ntfs-3g.  I need to\nrework it to handle fuse filesystems better.  (casey was right)\"\n"
    },
    {
      "commit": "6f0f0fd496333777d53daff21a4e3b28c4d03a6d",
      "tree": "202de67376fce2547b44ae5b016d6424c3c7409c",
      "parents": [
        "93cbace7a058bce7f99319ef6ceff4b78cf45051"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jul 10 17:02:07 2008 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:04:06 2008 +1000"
      },
      "message": "security: remove register_security hook\n\nThe register security hook is no longer required, as the capability\nmodule is always registered.  LSMs wishing to stack capability as\na secondary module should do so explicitly.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n"
    },
    {
      "commit": "b478a9f9889c81e88077d1495daadee64c0af541",
      "tree": "d1a843fab53dd4b28b45172ba0b90417c4eefc48",
      "parents": [
        "2069f457848f846cb31149c9aa29b330a6b66d1b"
      ],
      "author": {
        "name": "Miklos Szeredi",
        "email": "mszeredi@suse.cz",
        "time": "Thu Jul 03 20:56:04 2008 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:02:05 2008 +1000"
      },
      "message": "security: remove unused sb_get_mnt_opts hook\n\nThe sb_get_mnt_opts() hook is unused, and is superseded by the\nsb_show_options() hook.\n\nSigned-off-by: Miklos Szeredi \u003cmszeredi@suse.cz\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2069f457848f846cb31149c9aa29b330a6b66d1b",
      "tree": "199e7bb15e7d7b5cf008cd6fdb6cefc0d6af7f13",
      "parents": [
        "811f3799279e567aa354c649ce22688d949ac7a9"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Jul 04 09:47:13 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:02:05 2008 +1000"
      },
      "message": "LSM/SELinux: show LSM mount options in /proc/mounts\n\nThis patch causes SELinux mount options to show up in /proc/mounts.  As\nwith other code in the area seq_put errors are ignored.  Other LSM\u0027s\nwill not have their mount options displayed until they fill in their own\nsecurity_sb_show_options() function.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Miklos Szeredi \u003cmszeredi@suse.cz\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "811f3799279e567aa354c649ce22688d949ac7a9",
      "tree": "2a4d8c30821de84d5adcf37a09562ebba92f9f23",
      "parents": [
        "65fc7668006b537f7ae8451990c0ed9ec882544e"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Jun 18 09:50:04 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:02:04 2008 +1000"
      },
      "message": "SELinux: allow fstype unknown to policy to use xattrs if present\n\nCurrently if a FS is mounted for which SELinux policy does not define an\nfs_use_* that FS will either be genfs labeled or not labeled at all.\nThis decision is based on the existence of a genfscon rule in policy and\nis irrespective of the capabilities of the filesystem itself.  This\npatch allows the kernel to check if the filesystem supports security\nxattrs and if so will use those if there is no fs_use_* rule in policy.\nAn fstype with a no fs_use_* rule but with a genfs rule will use xattrs\nif available and will follow the genfs rule.\n\nThis can be particularly interesting for things like ecryptfs which\nactually overlays a real underlying FS.  If we define excryptfs in\npolicy to use xattrs we will likely get this wrong at times, so with\nthis path we just don\u0027t need to define it!\n\nOverlay ecryptfs on top of NFS with no xattr support:\nSELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts\nOverlay ecryptfs on top of ext4 with xattr support:\nSELinux: initialized (dev ecryptfs, type ecryptfs), uses xattr\n\nIt is also useful as the kernel adds new FS we don\u0027t need to add them in\npolicy if they support xattrs and that is how we want to handle them.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2baf06df85b27c1d64867883a0692519594f1ef2",
      "tree": "b4f8f2ba2c4175983fea740a607d7cc3cfef26ec",
      "parents": [
        "e399f98224a03d2e85fb45eacba367c47173f6f9"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jun 12 01:42:35 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:02:02 2008 +1000"
      },
      "message": "SELinux: use do_each_thread as a proper do/while block\n\nUse do_each_thread as a proper do/while block.  Sparse complained.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n"
    },
    {
      "commit": "e399f98224a03d2e85fb45eacba367c47173f6f9",
      "tree": "b21f310e9317c2726acc5d27763c95a128528b4d",
      "parents": [
        "6cbe27061a69ab89d25dbe42d1a4f33a8425fe88"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jun 12 01:39:58 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:02:01 2008 +1000"
      },
      "message": "SELinux: remove unused and shadowed addrlen variable\n\nRemove unused and shadowed addrlen variable.  Picked up by sparse.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\n"
    },
    {
      "commit": "242631c49d4cf39642741d6627750151b058233b",
      "tree": "26756c2b256cf5b14ca279a634d5bcc5e67b2b41",
      "parents": [
        "abc69bb633931bf54c6db798bcdc6fd1e0284742"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Thu Jun 05 09:21:28 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:53 2008 +1000"
      },
      "message": "selinux: simplify ioctl checking\n\nSimplify and improve the robustness of the SELinux ioctl checking by\nusing the \"access mode\" bits of the ioctl command to determine the\npermission check rather than dealing with individual command values.\nThis removes any knowledge of specific ioctl commands from SELinux\nand follows the same guidance we gave to Smack earlier.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "abc69bb633931bf54c6db798bcdc6fd1e0284742",
      "tree": "711aaf6c5e1d8bdd57138e8baf3a369ed832602d",
      "parents": [
        "006ebb40d3d65338bd74abb03b945f8d60e362bd"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Wed May 21 14:16:12 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:52 2008 +1000"
      },
      "message": "SELinux: enable processes with mac_admin to get the raw inode contexts\n\nEnable processes with CAP_MAC_ADMIN + mac_admin permission in policy\nto get undefined contexts on inodes.  This extends the support for\ndeferred mapping of security contexts in order to permit restorecon\nand similar programs to see the raw file contexts unknown to the\nsystem policy in order to check them.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "006ebb40d3d65338bd74abb03b945f8d60e362bd",
      "tree": "c548c678b54b307e1fb9acf94676fb7bfd849501",
      "parents": [
        "feb2a5b82d87fbdc01c00b7e9413e4b5f4c1f0c1"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Mon May 19 08:32:49 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:47 2008 +1000"
      },
      "message": "Security: split proc ptrace checking into read vs. attach\n\nEnable security modules to distinguish reading of process state via\nproc from full ptrace access by renaming ptrace_may_attach to\nptrace_may_access and adding a mode argument indicating whether only\nread access or full attach access is requested.  This allows security\nmodules to permit access to reading process state without granting\nfull ptrace access.  The base DAC/capability checking remains unchanged.\n\nRead access to /proc/pid/mem continues to apply a full ptrace attach\ncheck since check_mem_permission() already requires the current task\nto already be ptracing the target.  The other ptrace checks within\nproc for elements like environ, maps, and fds are changed to pass the\nread mode instead of attach.\n\nIn the SELinux case, we model such reading of process state as a\nreading of a proc file labeled with the target process\u0027 label.  This\nenables SELinux policy to permit such reading of process state without\npermitting control or manipulation of the target process, as there are\na number of cases where programs probe for such information via proc\nbut do not need to be able to control the target (e.g. procps,\nlsof, PolicyKit, ConsoleKit).  At present we have to choose between\nallowing full ptrace in policy (more permissive than required/desired)\nor breaking functionality (or in some cases just silencing the denials\nvia dontaudit rules but this can hide genuine attacks).\n\nThis version of the patch incorporates comments from Casey Schaufler\n(change/replace existing ptrace_may_attach interface, pass access\nmode), and Chris Wright (provide greater consistency in the checking).\n\nNote that like their predecessors __ptrace_may_attach and\nptrace_may_attach, the __ptrace_may_access and ptrace_may_access\ninterfaces use different return value conventions from each other (0\nor -errno vs. 1 or 0).  
I retained this difference to avoid any\nchanges to the caller logic but made the difference clearer by\nchanging the latter interface to return a bool rather than an int and\nby adding a comment about it to ptrace.h for any future callers.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f5269710789f666a65cf1132c4f1d14fbc8d3c29",
      "tree": "8c61f74cb04505e3f16483baf1d7113e750968d7",
      "parents": [
        "9a59daa03df72526d234b91dd3e32ded5aebd3ef"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed May 14 11:27:45 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:36 2008 +1000"
      },
      "message": "SELinux: keep the code clean formating and syntax\n\nFormatting and syntax changes\n\nwhitespace, tabs to spaces, trailing space\nput open { on same line as struct def\nremove unneeded {} after if statements\nchange printk(\"Lu\") to printk(\"llu\")\nconvert asm/uaccess.h to linux/uaacess.h includes\nremove unnecessary asm/bug.h includes\nconvert all users of simple_strtol to strict_strtol\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "12b29f34558b9b45a2c6eabd4f3c6be939a3980f",
      "tree": "9b7921724226cd81901070026572bf05014dc41c",
      "parents": [
        "bce7f793daec3e65ec5c5705d2457b81fe7b5725"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Wed May 07 13:03:20 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:34 2008 +1000"
      },
      "message": "selinux: support deferred mapping of contexts\n\nIntroduce SELinux support for deferred mapping of security contexts in\nthe SID table upon policy reload, and use this support for inode\nsecurity contexts when the context is not yet valid under the current\npolicy.  Only processes with CAP_MAC_ADMIN + mac_admin permission in\npolicy can set undefined security contexts on inodes.  Inodes with\nsuch undefined contexts are treated as having the unlabeled context\nuntil the context becomes valid upon a policy reload that defines the\ncontext.  Context invalidation upon policy reload also uses this\nsupport to save the context information in the SID table and later\nrecover it upon a subsequent policy reload that defines the context\nagain.\n\nThis support is to enable package managers and similar programs to set\ndown file contexts unknown to the system policy at the time the file\nis created in order to better support placing loadable policy modules\nin packages and to support build systems that need to create images of\ndifferent distro releases with different policies w/o requiring all of\nthe contexts to be defined or legal in the build host policy.\n\nWith this patch applied, the following sequence is possible, although\nin practice it is recommended that this permission only be allowed to\nspecific program domains such as the package manager.\n\n# rmdir baz\n# rm bar\n# touch bar\n# chcon -t foo_exec_t bar # foo_exec_t is not yet defined\nchcon: failed to change context of `bar\u0027 to `system_u:object_r:foo_exec_t\u0027: Invalid argument\n# mkdir -Z system_u:object_r:foo_exec_t baz\nmkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t\u0027: Invalid argument\n# cat setundefined.te\npolicy_module(setundefined, 1.0)\nrequire {\n\ttype unconfined_t;\n\ttype unlabeled_t;\n}\nfiles_type(unlabeled_t)\nallow unconfined_t self:capability2 mac_admin;\n# make -f /usr/share/selinux/devel/Makefile setundefined.pp\n# semodule 
-i setundefined.pp\n# chcon -t foo_exec_t bar # foo_exec_t is not yet defined\n# mkdir -Z system_u:object_r:foo_exec_t baz\n# ls -Zd bar baz\n-rw-r--r--  root root system_u:object_r:unlabeled_t    bar\ndrwxr-xr-x  root root system_u:object_r:unlabeled_t    baz\n# cat foo.te\npolicy_module(foo, 1.0)\ntype foo_exec_t;\nfiles_type(foo_exec_t)\n# make -f /usr/share/selinux/devel/Makefile foo.pp\n# semodule -i foo.pp # defines foo_exec_t\n# ls -Zd bar baz\n-rw-r--r--  root root user_u:object_r:foo_exec_t       bar\ndrwxr-xr-x  root root system_u:object_r:foo_exec_t    baz\n# semodule -r foo\n# ls -Zd bar baz\n-rw-r--r--  root root system_u:object_r:unlabeled_t    bar\ndrwxr-xr-x  root root system_u:object_r:unlabeled_t    baz\n# semodule -i foo.pp\n# ls -Zd bar baz\n-rw-r--r--  root root user_u:object_r:foo_exec_t       bar\ndrwxr-xr-x  root root system_u:object_r:foo_exec_t    baz\n# semodule -r setundefined foo\n# chcon -t foo_exec_t bar # no longer defined and not allowed\nchcon: failed to change context of `bar\u0027 to `system_u:object_r:foo_exec_t\u0027: Invalid argument\n# rmdir baz\n# mkdir -Z system_u:object_r:foo_exec_t baz\nmkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t\u0027: Invalid argument\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "9f3acc3140444a900ab280de942291959f0f615d",
      "tree": "0d7f3f9698071ff90fb9a127a4c6e86e1c37c945",
      "parents": [
        "a2dcb44c3c5a8151d2d9f6ac8ad0789efcdbe184"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Apr 24 07:44:08 2008 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu May 01 13:08:16 2008 -0400"
      },
      "message": "[PATCH] split linux/file.h\n\nInitial splitoff of the low-level stuff; taken to fdtable.h\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "3b5e9e53c6f31b5a5a0f5c43707503c62bdefa46",
      "tree": "1244b7cf2755c06a8a793149ce4717e4a1311218",
      "parents": [
        "9e3bd6c3fb2334be171e69b432039cd18bce4458"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@tv-sign.ru",
        "time": "Wed Apr 30 00:52:42 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Apr 30 08:29:34 2008 -0700"
      },
      "message": "signals: cleanup security_task_kill() usage/implementation\n\nEvery implementation of -\u003etask_kill() does nothing when the signal comes from\nthe kernel.  This is correct, but means that check_kill_permission() should\ncall security_task_kill() only for SI_FROMUSER() case, and we can remove the\nsame check from -\u003etask_kill() implementations.\n\n(sadly, check_kill_permission() is the last user of signal-\u003esession/__session\n but we can\u0027t s/task_session_nr/task_session/ here).\n\nNOTE: Eric W.  Biederman pointed out cap_task_kill() should die, and I think\nhe is very right.\n\nSigned-off-by: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Roland McGrath \u003croland@redhat.com\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: David Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nCc: Eric Paris \u003ceparis@redhat.com\u003e\nCc: Harald Welte \u003claforge@gnumonks.org\u003e\nCc: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "7bf570dc8dcf76df2a9f583bef2da96d4289ed0d",
      "tree": "b60a62585dfe511d9216cdd4a207fd07df1b2f99",
      "parents": [
        "7663c1e2792a9662b23dec6e19bfcd3d55360b8f"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Apr 29 20:52:51 2008 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 29 13:22:56 2008 -0700"
      },
      "message": "Security: Make secctx_to_secid() take const secdata\n\nMake secctx_to_secid() take constant secdata.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "69664cf16af4f31cd54d77948a4baf9c7e0ca7b9",
      "tree": "3ff4ecae21c140a2beed25cfa9e55b788f9814ac",
      "parents": [
        "6b79ccb5144f9ffb4d4596c23e7570238dd12abc"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Apr 29 01:01:31 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 29 08:06:17 2008 -0700"
      },
      "message": "keys: don\u0027t generate user and user session keyrings unless they\u0027re accessed\n\nDon\u0027t generate the per-UID user and user session keyrings unless they\u0027re\nexplicitly accessed.  This solves a problem during a login process whereby\nset*uid() is called before the SELinux PAM module, resulting in the per-UID\nkeyrings having the wrong security labels.\n\nThis also cures the problem of multiple per-UID keyrings sometimes appearing\ndue to PAM modules (including pam_keyinit) setuiding and causing user_structs\nto come into and go out of existence whilst the session keyring pins the user\nkeyring.  This is achieved by first searching for extant per-UID keyrings\nbefore inventing new ones.\n\nThe serial bound argument is also dropped from find_keyring_by_name() as it\u0027s\nnot currently made use of (setting it to 0 disables the feature).\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: \u003ckwc@citi.umich.edu\u003e\nCc: \u003carunsr@cse.iitk.ac.in\u003e\nCc: \u003cdwalsh@redhat.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "70a5bb72b55e82fbfbf1e22cae6975fac58a1e2d",
      "tree": "8e6dcaf5630388d81b23845f293789f2d6a3596b",
      "parents": [
        "4a38e122e2cc6294779021ff4ccc784a3997059e"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Apr 29 01:01:26 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 29 08:06:16 2008 -0700"
      },
      "message": "keys: add keyctl function to get a security label\n\nAdd a keyctl() function to get the security label of a key.\n\nThe following is added to Documentation/keys.txt:\n\n (*) Get the LSM security context attached to a key.\n\n\tlong keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer,\n\t\t    size_t buflen)\n\n     This function returns a string that represents the LSM security context\n     attached to a key in the buffer provided.\n\n     Unless there\u0027s an error, it always returns the amount of data it could\n     produce, even if that\u0027s too big for the buffer, but it won\u0027t copy more\n     than requested to userspace. If the buffer pointer is NULL then no copy\n     will take place.\n\n     A NUL character is included at the end of the string if the buffer is\n     sufficiently big.  This is included in the returned count.  If no LSM is\n     in force then an empty string will be returned.\n\n     A process must have view permission on the key for this function to be\n     successful.\n\n[akpm@linux-foundation.org: declare keyctl_get_security()]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "8f0cfa52a1d4ffacd8e7de906d19662f5da58d58",
      "tree": "2aa82e3682e75330d9b5d601855e3af3c57c03d8",
      "parents": [
        "7ec02ef1596bb3c829a7e8b65ebf13b87faf1819"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Apr 29 00:59:41 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 29 08:06:06 2008 -0700"
      },
      "message": "xattr: add missing consts to function arguments\n\nAdd missing consts to xattr function arguments.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Andreas Gruenbacher \u003cagruen@suse.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "3898b1b4ebff8dcfbcf1807e0661585e06c9a91c",
      "tree": "69a338864dfe654f68064a599c5d0da460df34ac",
      "parents": [
        "4016a1390d07f15b267eecb20e76a48fd5c524ef"
      ],
      "author": {
        "name": "Andrew G. Morgan",
        "email": "morgan@kernel.org",
        "time": "Mon Apr 28 02:13:40 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Apr 28 08:58:26 2008 -0700"
      },
      "message": "capabilities: implement per-process securebits\n\nFilesystem capability support makes it possible to do away with (set)uid-0\nbased privilege and use capabilities instead.  That is, with filesystem\nsupport for capabilities but without this present patch, it is (conceptually)\npossible to manage a system with capabilities alone and never need to obtain\nprivilege via (set)uid-0.\n\nOf course, conceptually isn\u0027t quite the same as currently possible since few\nuser applications, certainly not enough to run a viable system, are currently\nprepared to leverage capabilities to exercise privilege.  Further, many\napplications exist that may never get upgraded in this way, and the kernel\nwill continue to want to support their setuid-0 base privilege needs.\n\nWhere pure-capability applications evolve and replace setuid-0 binaries, it is\ndesirable that there be a mechanisms by which they can contain their\nprivilege.  In addition to leveraging the per-process bounding and inheritable\nsets, this should include suppressing the privilege of the uid-0 superuser\nfrom the process\u0027 tree of children.\n\nThe feature added by this patch can be leveraged to suppress the privilege\nassociated with (set)uid-0.  This suppression requires CAP_SETPCAP to\ninitiate, and only immediately affects the \u0027current\u0027 process (it is inherited\nthrough fork()/exec()).  
This reimplementation differs significantly from the\nhistorical support for securebits which was system-wide, unwieldy and which\nhas ultimately withered to a dead relic in the source of the modern kernel.\n\nWith this patch applied a process, that is capable(CAP_SETPCAP), can now drop\nall legacy privilege (through uid\u003d0) for itself and all subsequently\nfork()\u0027d/exec()\u0027d children with:\n\n  prctl(PR_SET_SECUREBITS, 0x2f);\n\nThis patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES is\nenabled at configure time.\n\n[akpm@linux-foundation.org: fix uninitialised var warning]\n[serue@us.ibm.com: capabilities: use cap_task_prctl when !CONFIG_SECURITY]\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "94bc891b00e40cbec375feb4568780af183fd7f4",
      "tree": "fd48d354c61d2e736aa593c324a6d794afd8a4e7",
      "parents": [
        "934b7024f0ed29003c95cef447d92737ab86dc4f",
        "1ec7f1ddbe5ba49f7b10c3b129d6d5c90c43526c"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 22 18:27:56 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 22 18:28:34 2008 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:\n  [PATCH] get rid of __exit_files(), __exit_fs() and __put_fs_struct()\n  [PATCH] proc_readfd_common() race fix\n  [PATCH] double-free of inode on alloc_file() failure exit in create_write_pipe()\n  [PATCH] teach seq_file to discard entries\n  [PATCH] umount_tree() will unhash everything itself\n  [PATCH] get rid of more nameidata passing in namespace.c\n  [PATCH] switch a bunch of LSM hooks from nameidata to path\n  [PATCH] lock exclusively in collect_mounts() and drop_collected_mounts()\n  [PATCH] move a bunch of declarations to fs/internal.h\n"
    },
    {
      "commit": "b5266eb4c8d1a2887a19aaec8144ee4ad1b054c3",
      "tree": "37105d0640169ad758d20847cf3effe77381f50f",
      "parents": [
        "1a60a280778ff90270fc7390d9ec102f713a5a29"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sat Mar 22 17:48:24 2008 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Mon Apr 21 23:13:23 2008 -0400"
      },
      "message": "[PATCH] switch a bunch of LSM hooks from nameidata to path\n\nNamely, ones from namespace.c\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "0f5e64200f20fc8f5b759c4010082f577ab0af3f",
      "tree": "e59565d010a5538910a89f0c44122e802ba011a3",
      "parents": [
        "e9b62693ae0a1e13ccc97a6792d9a7770c8d1b5b"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Apr 21 16:24:11 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Apr 22 10:00:09 2008 +1000"
      },
      "message": "SELinux: no BUG_ON(!ss_initialized) in selinux_clone_mnt_opts\n\nThe Fedora installer actually makes multiple NFS mounts before it loads\nselinux policy.  The code in selinux_clone_mnt_opts() assumed that the\ninit process would always be loading policy before NFS was up and\nrunning.  It might be possible to hit this in a diskless environment as\nwell, I\u0027m not sure.  There is no need to BUG_ON() in this situation\nsince we can safely continue given the circumstances.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "828dfe1da54fce81f80f97275353ba33be09a76e",
      "tree": "c3eec5cf7ae7858614b2ba705aa53944861c19c2",
      "parents": [
        "744ba35e455b0d5cf4f85208a8ca0edcc9976b95"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Apr 17 13:17:49 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Apr 21 19:11:56 2008 +1000"
      },
      "message": "SELinux: whitespace and formating fixes for hooks.c\n\nAll whitespace and formatting.  Nothing interesting to see here.  About\nthe only thing to remember is that we aren\u0027t supposed to initialize\nstatic variables to 0/NULL.  It is done for us and doing it ourselves\nputs them in a different section.\n\nWith this patch running checkpatch.pl against hooks.c only gives us\ncomplaints about busting the 80 character limit and declaring extern\u0027s\nin .c files.  Apparently they don\u0027t like it, but I don\u0027t feel like going\nto the trouble of moving those to .h files...\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "744ba35e455b0d5cf4f85208a8ca0edcc9976b95",
      "tree": "1b242324aeba16d07e1a3811df041969c10422a6",
      "parents": [
        "11670889380b144adfa5a91dc184c8f6300c4b28"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Apr 17 11:52:44 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Apr 21 19:09:26 2008 +1000"
      },
      "message": "SELinux: clean up printks\n\nMake sure all printk start with KERN_*\nMake sure all printk end with \\n\nMake sure all printk have the word \u0027selinux\u0027 in them\nChange \"function name\" to \"%s\", __func__ (found 2 wrong)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "076c54c5bcaed2081c0cba94a6f77c4d470236ad",
      "tree": "5e8f05cab20a49922618bb3af697a6b46e610eee",
      "parents": [
        "04305e4aff8b0533dc05f9f6f1a34d0796bd985f"
      ],
      "author": {
        "name": "Ahmed S. Darwish",
        "email": "darwish.07@gmail.com",
        "time": "Thu Mar 06 18:09:10 2008 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Apr 19 10:00:51 2008 +1000"
      },
      "message": "Security: Introduce security\u003d boot parameter\n\nAdd the security\u003d boot parameter. This is done to avoid LSM\nregistration clashes in case of more than one bult-in module.\n\nUser can choose a security module to enable at boot. If no\nsecurity\u003d boot parameter is specified, only the first LSM\nasking for registration will be loaded. An invalid security\nmodule name will be treated as if no module has been chosen.\n\nLSM modules must check now if they are allowed to register\nby calling security_module_enable(ops) first. Modify SELinux\nand SMACK to do so.\n\nDo not let SMACK register smackfs if it was not chosen on\nboot. Smackfs assumes that smack hooks are registered and\nthe initial task security setup (swapper-\u003esecurity) is done.\n\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "9d57a7f9e23dc30783d245280fc9907cf2c87837",
      "tree": "508b81e213f5dca1097ccf0ece8ba092b168607b",
      "parents": [
        "d7a96f3a1ae279a2129653d6cb18d722f2f00f91"
      ],
      "author": {
        "name": "Ahmed S. Darwish",
        "email": "darwish.07@gmail.com",
        "time": "Sat Mar 01 22:03:14 2008 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Apr 19 09:53:46 2008 +1000"
      },
      "message": "SELinux: use new audit hooks, remove redundant exports\n\nSetup the new Audit LSM hooks for SELinux.\nRemove the now redundant exported SELinux Audit interface.\n\nAudit: Export \u0027audit_krule\u0027 and \u0027audit_field\u0027 to the public\nsince their internals are needed by the implementation of the\nnew LSM hook \u0027audit_rule_known\u0027.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "713a04aeaba35bb95d442cdeb52055498519be25",
      "tree": "a9d995cdc850d159189886e29f44d4ee88516eba",
      "parents": [
        "8a076191f373abaeb4aa5f6755d22e49db98940f"
      ],
      "author": {
        "name": "Ahmed S. Darwish",
        "email": "darwish.07@gmail.com",
        "time": "Sat Mar 01 21:52:30 2008 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Apr 19 09:52:33 2008 +1000"
      },
      "message": "SELinux: setup new inode/ipc getsecid hooks\n\nSetup the new inode_getsecid and ipc_getsecid() LSM hooks\nfor SELinux.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\n"
    },
    {
      "commit": "3e11217263d0521e212cb8a017fbc2a1514db78f",
      "tree": "d3b399c3d907cd90afd27003000fd9d99212f44b",
      "parents": [
        "832cbd9aa1293cba57d06571f5fc8f0917c672af"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Thu Apr 10 10:48:14 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 18 20:26:16 2008 +1000"
      },
      "message": "SELinux: Add network port SID cache\n\nMuch like we added a network node cache, this patch adds a network port\ncache. The design is taken almost completely from the network node cache\nwhich in turn was taken from the network interface cache.  The basic idea is\nto cache entries in a hash table based on protocol/port information.  The\nhash function only takes the port number into account since the number of\ndifferent protocols in use at any one time is expected to be relatively\nsmall.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "832cbd9aa1293cba57d06571f5fc8f0917c672af",
      "tree": "85b1b550c71acde04294b69c08176adbaaf8641b",
      "parents": [
        "0e55a004b58847c53e48d846b9a4570b1587c382"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 01 13:24:09 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 18 20:26:13 2008 +1000"
      },
      "message": "SELinux: turn mount options strings into defines\n\nConvert the strings used for mount options into #defines rather than\nretyping the string throughout the SELinux code.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0356357c5158c71d4cbf20196b2f784435dd916c",
      "tree": "e680a4d0346286d2c318bb20914cceabc0596af1",
      "parents": [
        "eda4f69ca5a532b425db5a6c2c6bc50717b9b5fe"
      ],
      "author": {
        "name": "Roland McGrath",
        "email": "roland@redhat.com",
        "time": "Wed Mar 26 15:46:39 2008 -0700"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 18 20:26:10 2008 +1000"
      },
      "message": "selinux: remove ptrace_sid\n\nThis changes checks related to ptrace to get rid of the ptrace_sid tracking.\nIt\u0027s good to disentangle the security model from the ptrace implementation\ninternals.  It\u0027s sufficient to check against the SID of the ptracer at the\ntime a tracee attempts a transition.\n\nSigned-off-by: Roland McGrath \u003croland@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f0115e6c8980ea9125a17858291c90ecd990bc1c",
      "tree": "f9b665c465b6813c421fc60660068197d178c53a",
      "parents": [
        "dd6f953adb5c4deb9cd7b6a5054e7d5eafe4ed71"
      ],
      "author": {
        "name": "Andrew Morton",
        "email": "akpm@linux-foundation.org",
        "time": "Thu Mar 06 10:05:08 2008 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 18 20:26:08 2008 +1000"
      },
      "message": "security: code cleanup\n\nERROR: \"(foo*)\" should be \"(foo *)\"\n#168: FILE: security/selinux/hooks.c:2656:\n+\t\t       \"%s, rc\u003d%d\\n\", __func__, (char*)value, -rc);\n\ntotal: 1 errors, 0 warnings, 195 lines checked\n\n./patches/security-replace-remaining-__function__-occurences.patch has style problems, please review.  If any of these errors\nare false positives report them to the maintainer, see\nCHECKPATCH in MAINTAINERS.\n\nPlease run checkpatch prior to sending patches\n\nCc: Harvey Harrison \u003charvey.harrison@gmail.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "dd6f953adb5c4deb9cd7b6a5054e7d5eafe4ed71",
      "tree": "0ed459ca8da43b7e0486c8f0a840845a731920bf",
      "parents": [
        "b0c636b99997c8594da6a46e166ce4fcf6956fda"
      ],
      "author": {
        "name": "Harvey Harrison",
        "email": "harvey.harrison@gmail.com",
        "time": "Thu Mar 06 10:03:59 2008 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 18 20:26:07 2008 +1000"
      },
      "message": "security: replace remaining __FUNCTION__ occurrences\n\n__FUNCTION__ is gcc-specific, use __func__\n\nSigned-off-by: Harvey Harrison \u003charvey.harrison@gmail.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b0c636b99997c8594da6a46e166ce4fcf6956fda",
      "tree": "16308f0324846cd8c19180b6a45793268dd16f50",
      "parents": [
        "d4ee4231a3a8731576ef0e0a7e1225e4fde1e659"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 28 12:58:40 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 18 20:26:06 2008 +1000"
      },
      "message": "SELinux: create new open permission\n\nAdds a new open permission inside SELinux when \u0027opening\u0027 a file.  The idea\nis that opening a file and reading/writing to that file are not the same\nthing.  Its different if a program had its stdout redirected to /tmp/output\nthan if the program tried to directly open /tmp/output. This should allow\npolicy writers to more liberally give read/write permissions across the\npolicy while still blocking many design and programing flaws SELinux is so\ngood at catching today.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "98e9894650455426f67c2157db4f39bd14fac2f6",
      "tree": "bee5205f20c4d1faa6ec80f05d708eecad2959b3",
      "parents": [
        "f74af6e816c940c678c235d49486fe40d7e49ce9"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Feb 26 09:52:58 2008 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 18 20:26:04 2008 +1000"
      },
      "message": "SELinux: remove unused backpointers from security objects\n\nRemove unused backpoiters from security objects.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f74af6e816c940c678c235d49486fe40d7e49ce9",
      "tree": "06f2fa54bd7ceabac2ad29a6ab0aca1deb87c032",
      "parents": [
        "4b119e21d0c66c22e8ca03df05d9de623d0eb50f"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Mon Feb 25 11:40:33 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 18 20:26:03 2008 +1000"
      },
      "message": "SELinux: Correct the NetLabel locking for the sk_security_struct\n\nThe RCU/spinlock locking approach for the nlbl_state in the sk_security_struct\nwas almost certainly overkill.  This patch removes both the RCU and spinlock\nlocking, relying on the existing socket locks to handle the case of multiple\nwriters.  This change also makes several code reductions possible.\n\nLess locking, less code - it\u0027s a Good Thing.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5a55261716e838f188598ab3d7a0abf9cf1338f8",
      "tree": "2acf7f919cb2edd77a4f9ed0a434b6dbec19708e",
      "parents": [
        "7180c4c9e09888db0a188f729c96c6d7bd61fa83"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Apr 09 14:08:35 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Apr 10 08:51:01 2008 +1000"
      },
      "message": "SELinux: don\u0027t BUG if fs reuses a superblock\n\nI (wrongly) assumed that nfs_xdev_get_sb() would not ever share a superblock\nand so cloning mount options would always be correct.  Turns out that isn\u0027t\nthe case and we could fall over a BUG_ON() that wasn\u0027t a BUG at all.  Since\nthere is little we can do to reconcile different mount options this patch\njust leaves the sb alone and the first set of options wins.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Trond Myklebust \u003ctrond.myklebust@fys.uio.no\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "869ab5147e1eead890245cfd4f652ba282b6ac26",
      "tree": "8334fe84734e14e247fb7b4ef78f9a43891249f0",
      "parents": [
        "ff09e2afe742f3ff52a0c9a660e8a3fe30cf587c"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Fri Apr 04 08:46:05 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Apr 08 08:30:14 2008 +1000"
      },
      "message": "SELinux: more GFP_NOFS fixups to prevent selinux from re-entering the fs code\n\nMore cases where SELinux must not re-enter the fs code. Called from the\nd_instantiate security hook.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "a02fe13297af26c13d004b1d44f391c077094ea0",
      "tree": "d75879f0da229eec87e3b4a95a4c28db2ea4d713",
      "parents": [
        "9597362d354f8655ece324b01d0c640a0e99c077"
      ],
      "author": {
        "name": "Josef Bacik",
        "email": "jbacik@redhat.com",
        "time": "Fri Apr 04 09:35:05 2008 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 04 09:35:05 2008 +1100"
      },
      "message": "selinux: prevent rentry into the FS\n\nBUG fix.  Keep us from re-entering the fs when we aren\u0027t supposed to.\n\nSee discussion at\nhttp://marc.info/?t\u003d120716967100004\u0026r\u003d1\u0026w\u003d2\n\nSigned-off-by: Josef Bacik \u003cjbacik@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0794c66d49885a2f615618ce4940434b5b067d84",
      "tree": "b01be53c424c7d4793f5673539c11d09fbbe2b5a",
      "parents": [
        "0e81a8ae37687845f7cdfa2adce14ea6a5f1dd34"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Mon Mar 17 08:55:18 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 02 16:05:52 2008 +1100"
      },
      "message": "selinux: handle files opened with flags 3 by checking ioctl permission\n\nHandle files opened with flags 3 by checking ioctl permission.\n\nDefault to returning FILE__IOCTL from file_to_av() if the f_mode has neither\nFMODE_READ nor FMODE_WRITE, and thus check ioctl permission on exec or\ntransfer, thereby validating such descriptors early as with normal r/w\ndescriptors and catching leaks of them prior to attempted usage.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2e1479d95d02b43660fe03ab2c595ec9751a6f97",
      "tree": "6e4ff5a6eeda225390a19287cd95617b6345df63",
      "parents": [
        "bde4f8fa8db2abd5ac9c542d76012d0fedab050f"
      ],
      "author": {
        "name": "Adrian Bunk",
        "email": "bunk@kernel.org",
        "time": "Mon Mar 17 22:29:23 2008 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Mar 18 09:17:22 2008 +1100"
      },
      "message": "make selinux_parse_opts_str() static\n\nThis patch makes the needlessly global selinux_parse_opts_str() static.\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e0007529893c1c064be90bd21422ca0da4a0198e",
      "tree": "c2334ba940e682183a18d18972cf95bd3a3da46a",
      "parents": [
        "29e8c3c304b62f31b799565c9ee85d42bd163f80"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Mar 05 10:31:54 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Mar 06 08:40:53 2008 +1100"
      },
      "message": "LSM/SELinux: Interfaces to allow FS to control mount options\n\nIntroduce new LSM interfaces to allow an FS to deal with their own mount\noptions.  This includes a new string parsing function exported from the\nLSM that an FS can use to get a security data blob and a new security\ndata blob.  This is particularly useful for an FS which uses binary\nmount data, like NFS, which does not pass strings into the vfs to be\nhandled by the loaded LSM.  Also fix a BUG() in both SELinux and SMACK\nwhen dealing with binary mount data.  If the binary mount data is less\nthan one page the copy_page() in security_sb_copy_data() can cause an\nillegal page fault and boom.  Remove all NFSisms from the SELinux code\nsince they were broken by past NFS changes.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "44707fdf5938ad269ea5d6c5744d82f6a7328746",
      "tree": "7eb1704418eb41b859ad24bc48f6400135474d87",
      "parents": [
        "a03a8a709a0c34b61b7aea1d54a0473a6b941fdb"
      ],
      "author": {
        "name": "Jan Blunck",
        "email": "jblunck@suse.de",
        "time": "Thu Feb 14 19:38:33 2008 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Thu Feb 14 21:17:08 2008 -0800"
      },
      "message": "d_path: Use struct path in struct avc_audit_data\n\naudit_log_d_path() is a d_path() wrapper that is used by the audit code.  To\nuse a struct path in audit_log_d_path() I need to embed it into struct\navc_audit_data.\n\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Jan Blunck \u003cjblunck@suse.de\u003e\nAcked-by: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: \"J. Bruce Fields\" \u003cbfields@fieldses.org\u003e\nCc: Neil Brown \u003cneilb@suse.de\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "4ac9137858e08a19f29feac4e1f4df7c268b0ba5",
      "tree": "f5b5d84fd12fcc2b0ba0e7ce1a79ff381ad8f5dd",
      "parents": [
        "c5e725f33b733a77de622e91b6ba5645fcf070be"
      ],
      "author": {
        "name": "Jan Blunck",
        "email": "jblunck@suse.de",
        "time": "Thu Feb 14 19:34:32 2008 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Thu Feb 14 21:13:33 2008 -0800"
      },
      "message": "Embed a struct path into struct nameidata instead of nd-\u003e{dentry,mnt}\n\nThis is the central patch of a cleanup series. In most cases there is no good\nreason why someone would want to use a dentry for itself. This series reflects\nthat fact and embeds a struct path into nameidata.\n\nTogether with the other patches of this series\n- it enforced the correct order of getting/releasing the reference count on\n  \u003cdentry,vfsmount\u003e pairs\n- it prepares the VFS for stacking support since it is essential to have a\n  struct path in every place where the stack can be traversed\n- it reduces the overall code size:\n\nwithout patch series:\n   text    data     bss     dec     hex filename\n5321639  858418  715768 6895825  6938d1 vmlinux\n\nwith patch series:\n   text    data     bss     dec     hex filename\n5320026  858418  715768 6894212  693284 vmlinux\n\nThis patch:\n\nSwitch from nd-\u003e{dentry,mnt} to nd-\u003epath.{dentry,mnt} everywhere.\n\n[akpm@linux-foundation.org: coding-style fixes]\n[akpm@linux-foundation.org: fix cifs]\n[akpm@linux-foundation.org: fix smack]\nSigned-off-by: Jan Blunck \u003cjblunck@suse.de\u003e\nSigned-off-by: Andreas Gruenbacher \u003cagruen@suse.de\u003e\nAcked-by: Christoph Hellwig \u003chch@lst.de\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "b68e418c445e8a468634d0a7ca2fb63bbaa74028",
      "tree": "e49b4a94ef28a9288ed6735a994387205b7cc5bd",
      "parents": [
        "19af35546de68c872dcb687613e0902a602cb20e"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Thu Feb 07 11:21:04 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 11 20:30:02 2008 +1100"
      },
      "message": "selinux: support 64-bit capabilities\n\nFix SELinux to handle 64-bit capabilities correctly, and to catch\nfuture extensions of capabilities beyond 64 bits to ensure that SELinux\nis properly updated.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "42492594043d621a7910ff5877c3eb9202870b45",
      "tree": "9188d112c019a189606847dc1d90ccc63c1bacf2",
      "parents": [
        "3729145821e3088a0c3c4183037fde356204bf97"
      ],
      "author": {
        "name": "David P. Quigley",
        "email": "dpquigl@tycho.nsa.gov",
        "time": "Mon Feb 04 22:29:39 2008 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Tue Feb 05 09:44:20 2008 -0800"
      },
      "message": "VFS/Security: Rework inode_getsecurity and callers to return resulting buffer\n\nThis patch modifies the interface to inode_getsecurity to have the function\nreturn a buffer containing the security blob and its length via parameters\ninstead of relying on the calling function to give it an appropriately sized\nbuffer.\n\nSecurity blobs obtained with this function should be freed using the\nrelease_secctx LSM hook.  This alleviates the problem of the caller having to\nguess a length and preallocate a buffer for this function allowing it to be\nused elsewhere for Labeled NFS.\n\nThe patch also removed the unused err parameter.  The conversion is similar to\nthe one performed by Al Viro for the security_getprocattr hook.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "374ea019cacfa8b69ae49eea993b74cb5968970b",
      "tree": "822718af14d91f3beabbde3e9d5758c055e3bef8",
      "parents": [
        "71f1cb05f773661b6fa98c7a635d7a395cd9c55d"
      ],
      "author": {
        "name": "Adrian Bunk",
        "email": "bunk@kernel.org",
        "time": "Tue Jan 29 00:11:52 2008 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:44 2008 +1100"
      },
      "message": "selinux: make selinux_set_mnt_opts() static\n\nselinux_set_mnt_opts() can become static.\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "71f1cb05f773661b6fa98c7a635d7a395cd9c55d",
      "tree": "a540f89c5d1d081ea2c09105f264adce44d92fa9",
      "parents": [
        "effad8df44261031a882e1a895415f7186a5098e"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 29 08:51:16 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:30 2008 +1100"
      },
      "message": "SELinux: Add warning messages on network denial due to error\n\nCurrently network traffic can be sliently dropped due to non-avc errors which\ncan lead to much confusion when trying to debug the problem.  This patch adds\nwarning messages so that when these events occur there is a user visible\nnotification.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "effad8df44261031a882e1a895415f7186a5098e",
      "tree": "42c04b3247ede13077546e13f82fe3da83ce7b90",
      "parents": [
        "13541b3adad2dc2f56761c5193c2b88db3597f0e"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 29 08:49:27 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:30 2008 +1100"
      },
      "message": "SELinux: Add network ingress and egress control permission checks\n\nThis patch implements packet ingress/egress controls for SELinux which allow\nSELinux security policy to control the flow of all IPv4 and IPv6 packets into\nand out of the system.  Currently SELinux does not have proper control over\nforwarded packets and this patch corrects this problem.\n\nSpecial thanks to Venkat Yekkirala \u003cvyekkirala@trustedcs.com\u003e whose earlier\nwork on this topic eventually led to this patch.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5dbe1eb0cfc144a2b0cb1466e22bcb6fc34229a8",
      "tree": "e1e028acaf0dd08cbcacd2c125f60230f820b442",
      "parents": [
        "d621d35e576aa20a0ddae8022c3810f38357c8ff"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 29 08:44:18 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:27 2008 +1100"
      },
      "message": "SELinux: Allow NetLabel to directly cache SIDs\n\nNow that the SELinux NetLabel \"base SID\" is always the netmsg initial SID we\ncan do a big optimization - caching the SID and not just the MLS attributes.\nThis not only saves a lot of per-packet memory allocations and copies but it\nhas a nice side effect of removing a chunk of code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d621d35e576aa20a0ddae8022c3810f38357c8ff",
      "tree": "318e8aa890dbe715b901b11b019ebac3badb693d",
      "parents": [
        "220deb966ea51e0dedb6a187c0763120809f3e64"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 29 08:43:36 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:26 2008 +1100"
      },
      "message": "SELinux: Enable dynamic enable/disable of the network access checks\n\nThis patch introduces a mechanism for checking when labeled IPsec or SECMARK\nare in use by keeping introducing a configuration reference counter for each\nsubsystem.  In the case of labeled IPsec, whenever a labeled SA or SPD entry\nis created the labeled IPsec/XFRM reference count is increased and when the\nentry is removed it is decreased.  In the case of SECMARK, when a SECMARK\ntarget is created the reference count is increased and later decreased when the\ntarget is removed.  These reference counters allow SELinux to quickly determine\nif either of these subsystems are enabled.\n\nNetLabel already has a similar mechanism which provides the netlbl_enabled()\nfunction.\n\nThis patch also renames the selinux_relabel_packet_permission() function to\nselinux_secmark_relabel_packet_permission() as the original name and\ndescription were misleading in that they referenced a single packet label which\nis not the case.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "220deb966ea51e0dedb6a187c0763120809f3e64",
      "tree": "7d0e5dd8048907c364b4eeff294991937b466c7e",
      "parents": [
        "f67f4f315f31e7907779adb3296fb6682e755342"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 29 08:38:23 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:25 2008 +1100"
      },
      "message": "SELinux: Better integration between peer labeling subsystems\n\nRework the handling of network peer labels so that the different peer labeling\nsubsystems work better together.  This includes moving both subsystems to a\nsingle \"peer\" object class which involves not only changes to the permission\nchecks but an improved method of consolidating multiple packet peer labels.\nAs part of this work the inbound packet permission check code has been heavily\nmodified to handle both the old and new behavior in as sane a fashion as\npossible.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "224dfbd81e1ff672eb46e7695469c395bd531083",
      "tree": "c89c3ab606634a7174db8807b2633df8bb024b8c",
      "parents": [
        "da5645a28a15aed2e541a814ecf9f7ffcd4c4673"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 29 08:38:13 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:23 2008 +1100"
      },
      "message": "SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions\n\nThis patch adds a SELinux IP address/node SID caching mechanism similar to the\nsel_netif_*() functions.  The node SID queries in the SELinux hooks files are\nalso modified to take advantage of this new functionality.  In addition, remove\nthe address length information from the sk_buff parsing routines as it is\nredundant since we already have the address family.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "da5645a28a15aed2e541a814ecf9f7ffcd4c4673",
      "tree": "8cedccebd0e12308de30573ad593d703943e3cbb",
      "parents": [
        "e8bfdb9d0dfc1231a6a71e849dfbd4447acdfff6"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 29 08:38:10 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:22 2008 +1100"
      },
      "message": "SELinux: Only store the network interface\u0027s ifindex\n\nInstead of storing the packet\u0027s network interface name store the ifindex.  This\nallows us to defer the need to lookup the net_device structure until the audit\nrecord is generated meaning that in the majority of cases we never need to\nbother with this at all.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e8bfdb9d0dfc1231a6a71e849dfbd4447acdfff6",
      "tree": "0d786c0ad972e43d1128296b8e7ae47275ab3ebd",
      "parents": [
        "75e22910cf0c26802b09dac2e34c13e648d3ed02"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 29 08:38:08 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:21 2008 +1100"
      },
      "message": "SELinux: Convert the netif code to use ifindex values\n\nThe current SELinux netif code requires the caller have a valid net_device\nstruct pointer to lookup network interface information.  However, we don\u0027t\nalways have a valid net_device pointer so convert the netif code to use\nthe ifindex values we always have as part of the sk_buff.  This patch also\nremoves the default message SID from the network interface record, it is\nnot being used and therefore is \"dead code\".\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "75e22910cf0c26802b09dac2e34c13e648d3ed02",
      "tree": "bf5f5c62f6db8a3057a0265dc7748bf310d26d4a",
      "parents": [
        "16efd45435fa695b501b7f73c3259bd7c77cc12c"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 29 08:38:04 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:20 2008 +1100"
      },
      "message": "NetLabel: Add IP address family information to the netlbl_skbuff_getattr() function\n\nIn order to do any sort of IP header inspection of incoming packets we need to\nknow which address family, AF_INET/AF_INET6/etc., it belongs to and since the\nsk_buff structure does not store this information we need to pass along the\naddress family separate from the packet itself.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "6e23ae2a48750bda407a4a58f52a4865d7308bf5",
      "tree": "633fd60b2a42bf6fdb86564f0c05a6d52d8dc92b",
      "parents": [
        "1bf06cd2e338fd6fc29169d30eaf0df982338285"
      ],
      "author": {
        "name": "Patrick McHardy",
        "email": "kaber@trash.net",
        "time": "Mon Nov 19 18:53:30 2007 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Mon Jan 28 14:53:55 2008 -0800"
      },
      "message": "[NETFILTER]: Introduce NF_INET_ hook values\n\nThe IPv4 and IPv6 hook values are identical, yet some code tries to figure\nout the \"correct\" value by looking at the address family. Introduce NF_INET_*\nvalues for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__\nsection for userspace compatibility.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nAcked-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "63cb34492351078479b2d4bae6a881806a396286",
      "tree": "d33ab15eda40c5195c4a723d9e49591a9b4950f9",
      "parents": [
        "c43e259cc756ece387faae849af0058b56d78466"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Jan 15 23:47:35 2008 +0000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 25 11:29:53 2008 +1100"
      },
      "message": "security: add a secctx_to_secid() hook\n\nAdd a secctx_to_secid() LSM hook to go along with the existing\nsecid_to_secctx() LSM hook.  This patch also includes the SELinux\nimplementation for this hook.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c9180a57a9ab2d5525faf8815a332364ee9e89b7",
      "tree": "c677ec33735f3529d478a2b71fcc732d4fe59adf",
      "parents": [
        "19c5fc198c369bb00f3ed9716ef40648865d8d94"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Nov 30 13:00:35 2007 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 25 11:29:46 2008 +1100"
      },
      "message": "Security: add get, set, and cloning of superblock security information\n\nAdds security_get_sb_mnt_opts, security_set_sb_mnt_opts, and\nsecurity_clont_sb_mnt_opts to the LSM and to SELinux.  This will allow\nfilesystems to directly own and control all of their mount options if they\nso choose.  This interface deals only with option identifiers and strings so\nit should be generic enough for any LSM which may come in the future.\n\nFilesystems which pass text mount data around in the kernel (almost all of\nthem) need not currently make use of this interface when dealing with\nSELinux since it will still parse those strings as it always has.  I assume\nfuture LSM\u0027s would do the same.  NFS is the primary FS which does not use\ntext mount data and thus must make use of this interface.\n\nAn LSM would need to implement these functions only if they had mount time\noptions, such as selinux has context\u003d or fscontext\u003d.  If the LSM has no\nmount time options they could simply not implement and let the dummy ops\ntake care of things.\n\nAn LSM other than SELinux would need to define new option numbers in\nsecurity.h and any FS which decides to own their own security options would\nneed to be patched to use this new interface for every possible LSM.  This\nis because it was stated to me very clearly that LSM\u0027s should not attempt to\nunderstand FS mount data and the burden to understand security should be in\nthe FS which owns the options.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8a53514043e380aa573baa805298a7727c993985",
      "tree": "869d2c0f90390814430fc6639914dc8ea4c0c9c6",
      "parents": [
        "55b70a0300b873c0ec7ea6e33752af56f41250ce"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 22 16:10:31 2007 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Oct 23 08:47:48 2007 +1000"
      },
      "message": "SELinux: always check SIGCHLD in selinux_task_wait\n\nWhen checking if we can wait on a child we were looking at\np-\u003eexit_signal and trying to make the decision based on if the signal\nwould eventually be allowed.  One big flaw is that p-\u003eexit_signal is -1\nfor NPTL threads and so signal_to_av was not actually checking SIGCHLD\nwhich is what would have been sent.  Even if exit_signal was set to\nsomething strange it wouldn\u0027t change the fact that the child was there\nand needed to be waited on.  This patch just assumes wait is based on\nSIGCHLD.  Specific permission checks are made when the child actually\nattempts to send a signal.\n\nThis resolves the problem of things like using GDB on confined domains\nsuch as in RH BZ 232371.  The confined domain did not have permission to\nsend a generic signal (exit_signal \u003d\u003d -1) back to the unconfined GDB.\nWith this patch the GDB wait works and since the actual signal sent is\nallowed everything functions as it should.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "cbfee34520666862f8ff539e580c48958fbb7706",
      "tree": "ded5cafce333e908a0fbeda1f7c55eaf7c1fbaaa",
      "parents": [
        "b53767719b6cd8789392ea3e7e2eb7b8906898f0"
      ],
      "author": {
        "name": "Adrian Bunk",
        "email": "bunk@kernel.org",
        "time": "Tue Oct 16 23:31:38 2007 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Wed Oct 17 08:43:07 2007 -0700"
      },
      "message": "security/ cleanups\n\nThis patch contains the following cleanups that are now possible:\n- remove the unused security_operations-\u003einode_xattr_getsuffix\n- remove the no longer used security_operations-\u003eunregister_security\n- remove some no longer required exit code\n- remove a bunch of no longer used exports\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "b53767719b6cd8789392ea3e7e2eb7b8906898f0",
      "tree": "a0279dc93c79b94d3865b0f19f6b7b353e20608c",
      "parents": [
        "57c521ce6125e15e99e56c902cb8da96bee7b36d"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Tue Oct 16 23:31:36 2007 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Wed Oct 17 08:43:07 2007 -0700"
      },
      "message": "Implement file posix capabilities\n\nImplement file posix capabilities.  This allows programs to be given a\nsubset of root\u0027s powers regardless of who runs them, without having to use\nsetuid and giving the binary all of root\u0027s powers.\n\nThis version works with Kaigai Kohei\u0027s userspace tools, found at\nhttp://www.kaigai.gr.jp/index.php.  For more information on how to use this\npatch, Chris Friedhoff has posted a nice page at\nhttp://www.friedhoff.org/fscaps.html.\n\nChangelog:\n\tNov 27:\n\tIncorporate fixes from Andrew Morton\n\t(security-introduce-file-caps-tweaks and\n\tsecurity-introduce-file-caps-warning-fix)\n\tFix Kconfig dependency.\n\tFix change signaling behavior when file caps are not compiled in.\n\n\tNov 13:\n\tIntegrate comments from Alexey: Remove CONFIG_ ifdef from\n\tcapability.h, and use %zd for printing a size_t.\n\n\tNov 13:\n\tFix endianness warnings by sparse as suggested by Alexey\n\tDobriyan.\n\n\tNov 09:\n\tAddress warnings of unused variables at cap_bprm_set_security\n\twhen file capabilities are disabled, and simultaneously clean\n\tup the code a little, by pulling the new code into a helper\n\tfunction.\n\n\tNov 08:\n\tFor pointers to required userspace tools and how to use\n\tthem, see http://www.friedhoff.org/fscaps.html.\n\n\tNov 07:\n\tFix the calculation of the highest bit checked in\n\tcheck_cap_sanity().\n\n\tNov 07:\n\tAllow file caps to be enabled without CONFIG_SECURITY, since\n\tcapabilities are the default.\n\tHook cap_task_setscheduler when !CONFIG_SECURITY.\n\tMove capable(TASK_KILL) to end of cap_task_kill to reduce\n\taudit messages.\n\n\tNov 05:\n\tAdd secondary calls in selinux/hooks.c to task_setioprio and\n\ttask_setscheduler so that selinux and capabilities with file\n\tcap support can be stacked.\n\n\tSep 05:\n\tAs Seth Arnold points out, uid checks are out of place\n\tfor capability code.\n\n\tSep 01:\n\tDefine task_setscheduler, task_setioprio, cap_task_kill, and\n\ttask_setnice to make sure a user cannot affect a process in which\n\tthey called a program with some fscaps.\n\n\tOne remaining question is the note under task_setscheduler: are we\n\tok with CAP_SYS_NICE being sufficient to confine a process to a\n\tcpuset?\n\n\tIt is a semantic change, as without fscaps, attach_task doesn\u0027t\n\tallow CAP_SYS_NICE to override the uid equivalence check.  But since\n\tit uses security_task_setscheduler, which elsewhere is used where\n\tCAP_SYS_NICE can be used to override the uid equivalence check,\n\tfixing it might be tough.\n\n\t     task_setscheduler\n\t\t note: this also controls cpuset:attach_task.  Are we ok with\n\t\t     CAP_SYS_NICE being used to confine to a cpuset?\n\t     task_setioprio\n\t     task_setnice\n\t\t sys_setpriority uses this (through set_one_prio) for another\n\t\t process.  Need same checks as setrlimit\n\n\tAug 21:\n\tUpdated secureexec implementation to reflect the fact that\n\teuid and uid might be the same and nonzero, but the process\n\tmight still have elevated caps.\n\n\tAug 15:\n\tHandle endianness of xattrs.\n\tEnforce capability version match between kernel and disk.\n\tEnforce that no bits beyond the known max capability are\n\tset, else return -EPERM.\n\tWith this extra processing, it may be worth reconsidering\n\tdoing all the work at bprm_set_security rather than\n\td_instantiate.\n\n\tAug 10:\n\tAlways call getxattr at bprm_set_security, rather than\n\tcaching it at d_instantiate.\n\n[morgan@kernel.org: file-caps clean up for linux/capability.h]\n[bunk@kernel.org: unexport cap_inode_killpriv]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "20510f2f4e2dabb0ff6c13901807627ec9452f98",
      "tree": "d64b9eeb90d577f7f9688a215c4c6c3c2405188a",
      "parents": [
        "5c3b447457789374cdb7b03afe2540d48c649a36"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Oct 16 23:31:32 2007 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Wed Oct 17 08:43:07 2007 -0700"
      },
      "message": "security: Convert LSM into a static interface\n\nConvert LSM into a static interface, as the ability to unload a security\nmodule is not required by in-tree users and potentially complicates the\noverall security architecture.\n\nNeedlessly exported LSM symbols have been unexported, to help reduce API\nabuse.\n\nParameters for the capability and root_plug modules are now specified\nat boot.\n\nThe SECURITY_FRAMEWORK_VERSION macro has also been removed.\n\nIn a nutshell, there is no safe way to unload an LSM.  The modular interface\nis thus unnecessary and broken infrastructure.  It is used only by out-of-tree\nmodules, which are often binary-only, illegal, abusive of the API and\ndangerous, e.g.  silently re-vectoring SELinux.\n\n[akpm@linux-foundation.org: cleanups]\n[akpm@linux-foundation.org: USB Kconfig fix]\n[randy.dunlap@oracle.com: fix LSM kernel-doc]\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nAcked-by: Arjan van de Ven \u003carjan@infradead.org\u003e\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "788e7dd4c22e6f41b3a118fd8c291f831f6fddbb",
      "tree": "cbe2d2a360aaf7dc243bef432e1c50507ae6db7b",
      "parents": [
        "3232c110b56bd01c5f0fdfd16b4d695f2e05b0a9"
      ],
      "author": {
        "name": "Yuichi Nakamura",
        "email": "ynakam@hitachisoft.jp",
        "time": "Fri Sep 14 09:27:07 2007 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Oct 17 08:59:31 2007 +1000"
      },
      "message": "SELinux: Improve read/write performance\n\nIt reduces the selinux overhead on read/write by only revalidating\npermissions in selinux_file_permission if the task or inode labels have\nchanged or the policy has changed since the open-time check.  A new LSM\nhook, security_dentry_open, is added to capture the necessary state at open\ntime to allow this optimization.\n\n(see http://marc.info/?l\u003dselinux\u0026m\u003d118972995207740\u0026w\u003d2)\n\nSigned-off-by: Yuichi Nakamura\u003cynakam@hitachisoft.jp\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "a224be766bf593f7bcd534ca0c48dbd3eaf7bfce",
      "tree": "b0a053b35fe654fb35199c1b5326a4d3932f79da",
      "parents": [
        "762cc40801ad757a34527d5e548816cf3b6fc606"
      ],
      "author": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Mon Oct 15 02:58:25 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Mon Oct 15 12:26:44 2007 -0700"
      },
      "message": "[SELINUX]: Update for netfilter -\u003ehook() arg changes.\n\nThey take a \"struct sk_buff *\" instead of a \"struct sk_buff **\" now.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "227b60f5102cda4e4ab792b526a59c8cb20cd9f8",
      "tree": "2c9e372601ba794894833b0618bc531a9f5d57c4",
      "parents": [
        "06393009000779b00a558fd2f280882cc7dc2008"
      ],
      "author": {
        "name": "Stephen Hemminger",
        "email": "shemminger@linux-foundation.org",
        "time": "Wed Oct 10 17:30:46 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Wed Oct 10 17:30:46 2007 -0700"
      },
      "message": "[INET]: local port range robustness\n\nExpansion of original idea from Denis V. Lunev \u003cden@openvz.org\u003e\n\nAdd robustness and locking to the local_port_range sysctl.\n1. Enforce that low \u003c high when setting.\n2. Use seqlock to ensure atomic update.\n\nThe locking might seem like overkill, but there are\ncases where sysadmin might want to change value in the\nmiddle of a DoS attack.\n\nSigned-off-by: Stephen Hemminger \u003cshemminger@linux-foundation.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "31e879309474d1666d645b96de99d0b682fa055f",
      "tree": "bb9d45dc85e03044b5ee7635f3646774bcbb30d4",
      "parents": [
        "a88a8eff1e6e32d3288986a9d36c6a449c032d3a"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Sep 19 17:19:12 2007 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Sep 20 08:06:40 2007 +1000"
      },
      "message": "SELinux: fix array out of bounds when mounting with selinux options\n\nGiven an illegal selinux option it was possible for match_token to work in\nrandom memory at the end of the match_table_t array.\n\nNote that privilege is required to perform a context mount, so this issue is\neffectively limited to root only.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4ac212ad4e8fafc22fa147fc255ff5fa5435cf33",
      "tree": "9ab703429a2b24ccafc6748c1e0f2147f2b47114",
      "parents": [
        "a1c582d0720f2eff61043e90711767decf37b917"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Wed Aug 29 08:51:50 2007 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@localhost.localdomain",
        "time": "Thu Aug 30 20:22:47 2007 -0400"
      },
      "message": "SELinux: clear parent death signal on SID transitions\n\nClear parent death signal on SID transitions to prevent unauthorized\nsignaling between SIDs.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@localhost.localdomain\u003e\n"
    },
    {
      "commit": "34b4e4aa3c470ce8fa2bd78abb1741b4b58baad7",
      "tree": "91d620288f1aaf63c12dc84ca1015465818601f2",
      "parents": [
        "afe1ab4d577892822de2c8e803fbfaed6ec44ba3"
      ],
      "author": {
        "name": "Alan Cox",
        "email": "alan@lxorguk.ukuu.org.uk",
        "time": "Wed Aug 22 14:01:28 2007 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Wed Aug 22 19:52:45 2007 -0700"
      },
      "message": "fix NULL pointer dereference in __vm_enough_memory()\n\nThe new exec code inserts an accounted vma into an mm struct which is not\ncurrent-\u003emm.  The existing memory check code has a hard coded assumption\nthat this does not happen as does the security code.\n\nAs the correct mm is known we pass the mm to the security method and the\nhelper function.  A new security test is added for the case where we need\nto pass the mm and the existing one is modified to pass current-\u003emm to\navoid the need to change large amounts of code.\n\n(Thanks to Tobias for fixing rejects and testing)\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nCc: WU Fengguang \u003cwfg@mail.ustc.edu.cn\u003e\nCc: James Morris \u003cjmorris@redhat.com\u003e\nCc: Tobias Diedrich \u003cranma+kernel@tdiedrich.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "088999e98b8caecd31adc3b62223a228555c5ab7",
      "tree": "ee16fd7c6cdde90642550ee9937fafb96e979f67",
      "parents": [
        "9534f71ca33e5a9de26dfd43c76af86e005005dd"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Wed Aug 01 11:12:58 2007 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 02 11:52:23 2007 -0400"
      },
      "message": "SELinux: remove redundant pointer checks before calling kfree()\n\nWe don\u0027t need to check for NULL pointers before calling kfree().\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "20c2df83d25c6a95affe6157a4c9cac4cf5ffaac",
      "tree": "415c4453d2b17a50abe7a3e515177e1fa337bd67",
      "parents": [
        "64fb98fc40738ae1a98bcea9ca3145b89fb71524"
      ],
      "author": {
        "name": "Paul Mundt",
        "email": "lethal@linux-sh.org",
        "time": "Fri Jul 20 10:11:58 2007 +0900"
      },
      "committer": {
        "name": "Paul Mundt",
        "email": "lethal@linux-sh.org",
        "time": "Fri Jul 20 10:11:58 2007 +0900"
      },
      "message": "mm: Remove slab destructors from kmem_cache_create().\n\nSlab destructors were no longer supported after Christoph\u0027s\nc59def9f222d44bb7e2f0a559f2906191a0862d7 change. They\u0027ve been\nBUGs for both slab and slub, and slob never supported them\neither.\n\nThis rips out support for the dtor pointer from kmem_cache_create()\ncompletely and fixes up every single callsite in the kernel (there were\nabout 224, not including the slab allocator definitions themselves,\nor the documentation references).\n\nSigned-off-by: Paul Mundt \u003clethal@linux-sh.org\u003e\n"
    },
    {
      "commit": "f36158c410651fe66f438c17b2ab3ae813f8c060",
      "tree": "644e57a36d918fe2b2fcdd2f59daffb847cd8d36",
      "parents": [
        "23bcdc1adebd3cb47d5666f2e9ecada95c0134e4"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Wed Jul 18 12:28:46 2007 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jul 19 10:21:13 2007 -0400"
      },
      "message": "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel\n\nThese changes will make NetLabel behave like labeled IPsec where there is an\naccess check for both labeled and unlabeled packets as well as providing the\nability to restrict domains to receiving only labeled packets when NetLabel is\nin use.  The changes to the policy are straight forward with the following\nnecessary to receive labeled traffic (with SECINITSID_NETMSG defined as\n\"netlabel_peer_t\"):\n\n allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThe policy for unlabeled traffic would be:\n\n allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThese policy changes, as well as more general NetLabel support, are included in\nthe latest SELinux Reference Policy release 20070629 or later.  Users who make\nuse of NetLabel are strongly encouraged to upgrade their policy to avoid\nnetwork problems.  Users who do not make use of NetLabel will not notice any\ndifference.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "3bd858ab1c451725c07a805dcb315215dc85b86e",
      "tree": "5d49c4300e350d64fd81eb3230b81f754117e0c1",
      "parents": [
        "49c13b51a15f1ba9f6d47e26e4a3886c4f3931e2"
      ],
      "author": {
        "name": "Satyam Sharma",
        "email": "ssatyam@cse.iitk.ac.in",
        "time": "Tue Jul 17 15:00:08 2007 +0530"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Tue Jul 17 12:00:03 2007 -0700"
      },
      "message": "Introduce is_owner_or_cap() to wrap CAP_FOWNER use with fsuid check\n\nIntroduce is_owner_or_cap() macro in fs.h, and convert over relevant\nusers to it. This is done because we want to avoid bugs in the future\nwhere we check for only effective fsuid of the current task against a\nfile\u0027s owning uid, without simultaneously checking for CAP_FOWNER as\nwell, thus violating its semantics.\n[ XFS uses special macros and structures, and in general looked ...\nuntouchable, so we leave it alone -- but it has been looked over. ]\n\nThe (current-\u003efsuid !\u003d inode-\u003ei_uid) check in generic_permission() and\nexec_permission_lite() is left alone, because those operations are\ncovered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH. Similarly operations\nfalling under the purview of CAP_CHOWN and CAP_LEASE are also left alone.\n\nSigned-off-by: Satyam Sharma \u003cssatyam@cse.iitk.ac.in\u003e\nCc: Al Viro \u003cviro@ftp.linux.org.uk\u003e\nAcked-by: Serge E. Hallyn \u003cserge@hallyn.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "8d9107e8c50e1c4ff43c91c8841805833f3ecfb9",
      "tree": "abc57f38cf659d4031d5a9915a088f2c47b2cc7e",
      "parents": [
        "16cefa8c3863721fd40445a1b34dea18cd16ccfe"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Fri Jul 13 16:53:18 2007 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Fri Jul 13 16:53:18 2007 -0700"
      },
      "message": "Revert \"SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel\"\n\nThis reverts commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0.\n\nIt bit people like Michal Piotrowski:\n\n  \"My system is too secure, I can not login :)\"\n\nbecause it changed how CONFIG_NETLABEL worked, and broke older SElinux\npolicies.\n\nAs a result, quoth James Morris:\n\n  \"Can you please revert this patch?\n\n   We thought it only affected people running MLS, but it will affect others.\n\n   Sorry for the hassle.\"\n\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Michal Piotrowski \u003cmichal.k.k.piotrowski@gmail.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0",
      "tree": "ee167dc8c575dee062cdaf91d0b60a5997bba0c3",
      "parents": [
        "ed0321895182ffb6ecf210e066d87911b270d587"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Jun 29 11:48:16 2007 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jul 11 22:52:31 2007 -0400"
      },
      "message": "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel\n\nThese changes will make NetLabel behave like labeled IPsec where there is an\naccess check for both labeled and unlabeled packets as well as providing the\nability to restrict domains to receiving only labeled packets when NetLabel\nis in use.  The changes to the policy are straight forward with the\nfollowing necessary to receive labeled traffic (with SECINITSID_NETMSG\ndefined as \"netlabel_peer_t\"):\n\n allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThe policy for unlabeled traffic would be:\n\n allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThese policy changes, as well as more general NetLabel support, are included\nin the SELinux Reference Policy SVN tree, r2352 or later.  Users who enable\nNetLabel support in the kernel are strongly encouraged to upgrade their\npolicy to avoid network problems.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ed0321895182ffb6ecf210e066d87911b270d587",
      "tree": "832bb54666f73b06e55322df40f915c5e9ef64d7",
      "parents": [
        "13bddc2e9d591e31bf20020dc19ea6ca85de420e"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Jun 28 15:55:21 2007 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jul 11 22:52:29 2007 -0400"
      },
      "message": "security: Protection for exploiting null dereference using mmap\n\nAdd a new security check on mmap operations to see if the user is attempting\nto mmap to low area of the address space.  The amount of space protected is\nindicated by the new proc tunable /proc/sys/vm/mmap_min_addr and defaults to\n0, preserving existing behavior.\n\nThis patch uses a new SELinux security class \"memprotect.\"  Policy already\ncontains a number of allow rules like a_t self:process * (unconfined_t being\none of them) which mean that putting this check in the process class (its\nbest current fit) would make it useless as all user processes, which we also\nwant to protect against, would be allowed. By taking the memprotect name of\nthe new class it will also make it possible for us to move some of the other\nmemory protect permissions out of \u0027process\u0027 and into the new class next time\nwe bump the policy version number (which I also think is a good future idea)\n\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2c3c05dbcbc7b9d71549fe0e2b249f10f5a66518",
      "tree": "bab75df9fafc435f3370a6d773d3284716347249",
      "parents": [
        "9dc9978084ea2a96b9f42752753d9e38a9f9d7b2"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Thu Jun 07 15:34:10 2007 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jul 11 22:52:25 2007 -0400"
      },
      "message": "SELinux: allow preemption between transition permission checks\n\nIn security_get_user_sids, move the transition permission checks\noutside of the section holding the policy rdlock, and use the AVC to\nperform the checks, calling cond_resched after each one.  These\nchanges should allow preemption between the individual checks and\nenable caching of the results.  It may however increase the overall\ntime spent in the function in some cases, particularly in the cache\nmiss case.\n\nThe long term fix will be to take much of this logic to userspace by\nexporting additional state via selinuxfs, and ultimately deprecating\nand eliminating this interface from the kernel.\n\nTested-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e63340ae6b6205fef26b40a75673d1c9c0c8bb90",
      "tree": "8d3212705515edec73c3936bb9e23c71d34a7b41",
      "parents": [
        "04c9167f91e309c9c4ea982992aa08e83b2eb42e"
      ],
      "author": {
        "name": "Randy Dunlap",
        "email": "randy.dunlap@oracle.com",
        "time": "Tue May 08 00:28:08 2007 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Tue May 08 11:15:07 2007 -0700"
      },
      "message": "header cleaning: don\u0027t include smp_lock.h when not used\n\nRemove includes of \u003clinux/smp_lock.h\u003e where it is not used/needed.\nSuggested by Al Viro.\n\nBuilds cleanly on x86_64, i386, alpha, ia64, powerpc, sparc,\nsparc64, and arm (all 59 defconfigs).\n\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    }
  ],
  "next": "98a27ba485c7508ef9d9527fe06e4686f3a163dc"
}
