)]}' { "log": [ { "commit": "87fcd70d983d30eca4b933fff2e97d9a31743d0a", "tree": "2c79943f7691f80123af0145a8909f14011b0761", "parents": [ "91f433cacc9d1ae95ae46ce26d7bcf3a724c72d0" ], "author": { "name": "Al Viro", "email": "viro@hera.kernel.org", "time": "Mon Dec 04 22:00:55 2006 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.osdl.org", "time": "Mon Dec 04 19:32:44 2006 -0800" }, "message": "[PATCH] selinux endianness annotations\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "bb22f58087fdf8b617803c9b65bc86c6d26b5115", "tree": "ff68f85498cedce8858d44b80d0ae8c65b757056", "parents": [ "de64688ffb952a65ddbc5295ccd235d35f292593" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 17 23:01:03 2006 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:24:16 2006 -0800" }, "message": "Compile fix for \"peer secid consolidation for external network labeling\"\n\nUse a forward declaration instead of dragging in skbuff.h and\nrelated junk.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3de4bab5b9f8848a0c16a4b1ffe0452f0d670237", "tree": "f65c12b53bf2ad02645ea31522f67e7318019498", "parents": [ "9f2ad66509b182b399a5b03de487f45bde623524" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Nov 17 17:38:54 2006 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:24:14 2006 -0800" }, "message": "SELinux: peer secid consolidation for external network labeling\n\nNow that labeled IPsec makes use of the peer_sid field in the\nsk_security_struct we can remove a lot of the special cases between labeled\nIPsec and NetLabel. In addition, create a new function,\nsecurity_skb_extlbl_sid(), which we can use in several places to get the\nsecurity context of the packet\u0027s external label which allows us to further\nsimplify the code in a few places.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9f2ad66509b182b399a5b03de487f45bde623524", "tree": "8376dc2db99a78c1b043644f019c4dc224187f16", "parents": [ "9bb5fd2b05cb4dba229e225536faa59eaadd837d" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Nov 17 17:38:53 2006 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:24:13 2006 -0800" }, "message": "NetLabel: SELinux cleanups\n\nThis patch does a lot of cleanup in the SELinux NetLabel support code. A\nsummary of the changes include:\n\n* Use RCU locking for the NetLabel state variable in the skk_security_struct\n instead of using the inode_security_struct mutex.\n* Remove unnecessary parameters in selinux_netlbl_socket_post_create().\n* Rename selinux_netlbl_sk_clone_security() to\n selinux_netlbl_sk_security_clone() to better fit the other NetLabel\n sk_security functions.\n* Improvements to selinux_netlbl_inode_permission() to help reduce the cost of\n the common case.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2ee92d46c6cabedd50edf6f273fa8cf84f707618", "tree": "bdf7c64514a5063ba4ef41915f9efb6f803fc38a", "parents": [ "90833aa4f496d69ca374af6acef7d1614c8693ff" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Nov 13 16:09:01 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:22:24 2006 -0800" }, "message": "[SELinux]: Add support for DCCP\n\nThis patch implements SELinux kernel support for DCCP\n(http://linux-net.osdl.org/index.php/DCCP), which is similar in\noperation to TCP in terms of connected state between peers.\n\nThe SELinux support for DCCP is thus modeled on existing handling of\nTCP.\n\nA new DCCP socket class is introduced, to allow protocol\ndifferentation. The permissions for this class inherit all of the\nsocket permissions, as well as the current TCP permissions (node_bind,\nname_bind etc). IPv4 and IPv6 are supported, although labeled\nnetworking is not, at this stage.\n\nPatches for SELinux userspace are at:\nhttp://people.redhat.com/jmorris/selinux/dccp/user/\n\nI\u0027ve performed some basic testing, and it seems to be working as\nexpected. Adding policy support is similar to TCP, the only real\ndifference being that it\u0027s a different protocol.\n\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "67f83cbf081a70426ff667e8d14f94e13ed3bdca", "tree": "776a40733eacb9071478f865e6791daa3f6fd602", "parents": [ "6b877699c6f1efede4545bcecc367786a472eedb" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Wed Nov 08 17:04:26 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:34 2006 -0800" }, "message": "SELinux: Fix SA selection semantics\n\nFix the selection of an SA for an outgoing packet to be at the same\ncontext as the originating socket/flow. This eliminates the SELinux\npolicy\u0027s ability to use/sendto SAs with contexts other than the socket\u0027s.\n\nWith this patch applied, the SELinux policy will require one or more of the\nfollowing for a socket to be able to communicate with/without SAs:\n\n1. To enable a socket to communicate without using labeled-IPSec SAs:\n\nallow socket_t unlabeled_t:association { sendto recvfrom }\n\n2. To enable a socket to communicate with labeled-IPSec SAs:\n\nallow socket_t self:association { sendto };\nallow socket_t peer_sa_t:association { recvfrom };\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6b877699c6f1efede4545bcecc367786a472eedb", "tree": "c0a60dc90578fa9f16d4496e2700bc285eab47c0", "parents": [ "c1a856c9640c9ff3d70bbd8214b6a0974609eef8" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Wed Nov 08 17:04:09 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:33 2006 -0800" }, "message": "SELinux: Return correct context for SO_PEERSEC\n\nFix SO_PEERSEC for tcp sockets to return the security context of\nthe peer (as represented by the SA from the peer) as opposed to the\nSA used by the local/source socket.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c1a856c9640c9ff3d70bbd8214b6a0974609eef8", "tree": "76166bf784edd968ffac8c3dcc607d73580c509a", "parents": [ "e8db8c99100750ade5a9b4072b9469cab718a5b7" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Wed Nov 08 17:03:44 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:31 2006 -0800" }, "message": "SELinux: Various xfrm labeling fixes\n\nSince the upstreaming of the mlsxfrm modification a few months back,\ntesting has resulted in the identification of the following issues/bugs that\nare resolved in this patch set.\n\n1. Fix the security context used in the IKE negotiation to be the context\n of the socket as opposed to the context of the SPD rule.\n\n2. Fix SO_PEERSEC for tcp sockets to return the security context of\n the peer as opposed to the source.\n\n3. Fix the selection of an SA for an outgoing packet to be at the same\n context as the originating socket/flow.\n\nThe following would be the result of applying this patchset:\n\n- SO_PEERSEC will now correctly return the peer\u0027s context.\n\n- IKE deamons will receive the context of the source socket/flow\n as opposed to the SPD rule\u0027s context so that the negotiated SA\n will be at the same context as the source socket/flow.\n\n- The SELinux policy will require one or more of the\n following for a socket to be able to communicate with/without SAs:\n\n 1. To enable a socket to communicate without using labeled-IPSec SAs:\n\n allow socket_t unlabeled_t:association { sendto recvfrom }\n\n 2. To enable a socket to communicate with labeled-IPSec SAs:\n\n allow socket_t self:association { sendto };\n allow socket_t peer_sa_t:association { recvfrom };\n\nThis Patch: Pass correct security context to IKE for use in negotiation\n\nFix the security context passed to IKE for use in negotiation to be the\ncontext of the socket as opposed to the context of the SPD rule so that\nthe SA carries the label of the originating socket/flow.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5c45899879e8caadb78f04c9c639f4c2025b9f00", "tree": "ee47228ccb816e523ac1051cfe41927059bc5ef9", "parents": [ "5a64d4438ed1e759ccd30d9e90842bf360f19298" ], "author": { "name": "Chad Sellers", "email": "csellers@tresys.com", "time": "Mon Nov 06 12:38:16 2006 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 28 12:04:36 2006 -0500" }, "message": "SELinux: export object class and permission definitions\n\nMoves the definition of the 3 structs containing object class and\npermission definitions from avc.c to avc_ss.h so that the security\nserver can access them for validation on policy load. This also adds\na new struct type, defined_classes_perms_t, suitable for allowing the\nsecurity server to access these data structures from the avc.\n\nSigned-off-by: Chad Sellers \u003ccsellers@tresys.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f8687afefcc821fc47c75775eec87731fe3de360", "tree": "9835a3c95fb94597ede42cfdf732b97cc495c9bf", "parents": [ "920b868ae1dfdac77c5e8c97e7067b23680f043e" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Mon Oct 30 15:22:15 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Oct 30 15:24:49 2006 -0800" }, "message": "[NetLabel]: protect the CIPSOv4 socket option from setsockopt()\n\nThis patch makes two changes to protect applications from either removing or\ntampering with the CIPSOv4 IP option on a socket. The first is the requirement\nthat applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option\non a socket; this prevents untrusted applications from setting their own\nCIPSOv4 security attributes on the packets they send. The second change is to\nSELinux and it prevents applications from setting any IPv4 options when there\nis an IPOPT_CIPSO option already present on the socket; this prevents\napplications from removing CIPSOv4 security attributes from the packets they\nsend.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "5b368e61c2bcb2666bb66e2acf1d6d85ba6f474d", "tree": "293f595f737540a546ba186ba1f054389aa95f6f", "parents": [ "134b0fc544ba062498451611cb6f3e4454221b3d" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Thu Oct 05 15:42:18 2006 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 11 23:59:37 2006 -0700" }, "message": "IPsec: correct semantics for SELinux policy matching\n\nCurrently when an IPSec policy rule doesn\u0027t specify a security\ncontext, it is assumed to be \"unlabeled\" by SELinux, and so\nthe IPSec policy rule fails to match to a flow that it would\notherwise match to, unless one has explicitly added an SELinux\npolicy rule allowing the flow to \"polmatch\" to the \"unlabeled\"\nIPSec policy rules. In the absence of such an explicitly added\nSELinux policy rule, the IPSec policy rule fails to match and\nso the packet(s) flow in clear text without the otherwise applicable\nxfrm(s) applied.\n\nThe above SELinux behavior violates the SELinux security notion of\n\"deny by default\" which should actually translate to \"encrypt by\ndefault\" in the above case.\n\nThis was first reported by Evgeniy Polyakov and the way James Morris\nwas seeing the problem was when connecting via IPsec to a\nconfined service on an SELinux box (vsftpd), which did not have the\nappropriate SELinux policy permissions to send packets via IPsec.\n\nWith this patch applied, SELinux \"polmatching\" of flows Vs. IPSec\npolicy rules will only come into play when there\u0027s a explicit context\nspecified for the IPSec policy rule (which also means there\u0027s corresponding\nSELinux policy allowing appropriate domains/flows to polmatch to this context).\n\nSecondly, when a security module is loaded (in this case, SELinux), the\nsecurity_xfrm_policy_lookup() hook can return errors other than access denied,\nsuch as -EINVAL. We were not handling that correctly, and in fact\ninverting the return logic and propagating a false \"ok\" back up to\nxfrm_lookup(), which then allowed packets to pass as if they were not\nassociated with an xfrm policy.\n\nThe solution for this is to first ensure that errno values are\ncorrectly propagated all the way back up through the various call chains\nfrom security_xfrm_policy_lookup(), and handled correctly.\n\nThen, flow_cache_lookup() is modified, so that if the policy resolver\nfails (typically a permission denied via the security module), the flow\ncache entry is killed rather than having a null policy assigned (which\nindicates that the packet can pass freely). This also forces any future\nlookups for the same flow to consult the security module (e.g. SELinux)\nfor current security policy (rather than, say, caching the error on the\nflow cache entry).\n\nThis patch: Fix the selinux side of things.\n\nThis makes sure SELinux polmatching of flow contexts to IPSec policy\nrules comes into play only when an explicit context is associated\nwith the IPSec policy rule.\n\nAlso, this no longer defaults the context of a socket policy to\nthe context of the socket since the \"no explicit context\" case\nis now handled properly.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bc7e982b84aceef0a040c88ff659eb5c83818f72", "tree": "0e351e00c5fa90cd5b6a9b9f710e95ecb953b1f2", "parents": [ "23970741720360de9dd0a4e87fbeb1d5927aa474" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Sep 25 23:32:02 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Sep 26 08:48:53 2006 -0700" }, "message": "[PATCH] SELinux: convert sbsec semaphore to a mutex\n\nThis patch converts the semaphore in the superblock security struct to a\nmutex. No locking changes or other code changes are done.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "23970741720360de9dd0a4e87fbeb1d5927aa474", "tree": "2dc28ddfeae751a673d43e1925fd131d6ed3e222", "parents": [ "296fddf7513c155adbd3a443d12add1f62b5cddb" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Sep 25 23:32:01 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Sep 26 08:48:53 2006 -0700" }, "message": "[PATCH] SELinux: change isec semaphore to a mutex\n\nThis patch converts the remaining isec-\u003esem into a mutex. Very similar\nlocking is provided as before only in the faster smaller mutex rather than a\nsemaphore. An out_unlock path is introduced rather than the conditional\nunlocking found in the original code.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "f3f8771420737004da55159c2f2dc0b6f483a4ef", "tree": "01ff2aa4dc82cdc5b2383648f9fabb8378250d00", "parents": [ "016b9bdb81d9c9c7800e4e224ade38d8b37669d3" ], "author": { "name": "Darrel Goeddel", "email": "dgoeddel@TrustedCS.com", "time": "Mon Sep 25 23:31:59 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Sep 26 08:48:52 2006 -0700" }, "message": "[PATCH] selinux: add support for range transitions on object classes\n\nIntroduces support for policy version 21. This version of the binary\nkernel policy allows for defining range transitions on security classes\nother than the process security class. As always, backwards compatibility\nfor older formats is retained. The security class is read in as specified\nwhen using the new format, while the \"process\" security class is assumed\nwhen using an older policy format.\n\nSigned-off-by: Darrel Goeddel \u003cdgoeddel@trustedcs.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "016b9bdb81d9c9c7800e4e224ade38d8b37669d3", "tree": "47335b123973d918a9686cd2647e5e314ed2c1dd", "parents": [ "9a2f44f01a67a6ecca71515af999895b45a2aeb0" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Mon Sep 25 23:31:58 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Sep 26 08:48:52 2006 -0700" }, "message": "[PATCH] selinux: enable configuration of max policy version\n\nEnable configuration of SELinux maximum supported policy version to support\nlegacy userland (init) that does not gracefully handle kernels that support\nnewer policy versions two or more beyond the installed policy, as in FC3\nand FC4.\n\n[bunk@stusta.de: improve Kconfig help text]\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "7a0e1d602288370801c353221c6a938eab925053", "tree": "f11ef396a27549513a91fcaf7d06dafb2b84509a", "parents": [ "e448e931309e703f51d71a557973c620ff12fbda" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Aug 29 17:56:04 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:18:39 2006 -0700" }, "message": "[NetLabel]: add some missing #includes to various header files\n\nAdd some missing include files to the NetLabel related header files.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e448e931309e703f51d71a557973c620ff12fbda", "tree": "8a738f5f45367965c29210402d28464fec3c04be", "parents": [ "7b3bbb926f4b3dd3a007dcf8dfa00203f52cb58d" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Aug 29 17:55:38 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:18:38 2006 -0700" }, "message": "[NetLabel]: uninline selinux_netlbl_inode_permission()\n\nUninline the selinux_netlbl_inode_permission() at the request of\nAndrew Morton.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "99f59ed073d3c1b890690064ab285a201dea2e35", "tree": "0f6ae012cf4f988d3ae0c665fd3b12ea05409ec8", "parents": [ "fc747e82b40ea50a62eb2aef55bedd4465607cb0" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Aug 29 17:53:48 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:18:34 2006 -0700" }, "message": "[NetLabel]: Correctly initialize the NetLabel fields.\n\nFix a problem where the NetLabel specific fields of the sk_security_struct\nstructure were not being initialized early enough in some cases.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "7420ed23a4f77480b5b7b3245e5da30dd24b7575", "tree": "016f5bb996c5eae66754b10243c5be6226d773f2", "parents": [ "96cb8e3313c7a12e026c1ed510522ae6f6023875" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Fri Aug 04 23:17:57 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:36 2006 -0700" }, "message": "[NetLabel]: SELinux support\n\nAdd NetLabel support to the SELinux LSM and modify the\nsocket_post_create() LSM hook to return an error code. The most\nsignificant part of this patch is the addition of NetLabel hooks into\nthe following SELinux LSM hooks:\n\n * selinux_file_permission()\n * selinux_socket_sendmsg()\n * selinux_socket_post_create()\n * selinux_socket_sock_rcv_skb()\n * selinux_socket_getpeersec_stream()\n * selinux_socket_getpeersec_dgram()\n * selinux_sock_graft()\n * selinux_inet_conn_request()\n\nThe basic reasoning behind this patch is that outgoing packets are\n\"NetLabel\u0027d\" by labeling their socket and the NetLabel security\nattributes are checked via the additional hook in\nselinux_socket_sock_rcv_skb(). NetLabel itself is only a labeling\nmechanism, similar to filesystem extended attributes, it is up to the\nSELinux enforcement mechanism to perform the actual access checks.\n\nIn addition to the changes outlined above this patch also includes\nsome changes to the extended bitmap (ebitmap) and multi-level security\n(mls) code to import and export SELinux TE/MLS attributes into and out\nof NetLabel.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a51c64f1e5c2876eab2a32955acd9e8015c91c15", "tree": "1cc49c6ee7a3135ea000956e5fef41ff4c8e2ebe", "parents": [ "4237c75c0a35535d7f9f2bfeeb4b4df1e068a0bf" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Thu Jul 27 22:01:34 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:30 2006 -0700" }, "message": "[MLSXFRM]: Fix build with SECURITY_NETWORK_XFRM disabled.\n\nThe following patch will fix the build problem (encountered by Andrew\nMorton) when SECURITY_NETWORK_XFRM is not enabled.\n\nAs compared to git-net-selinux_xfrm_decode_session-build-fix.patch in\n-mm, this patch sets the return parameter sid to SECSID_NULL in\nselinux_xfrm_decode_session() and handles this value in the caller\nselinux_inet_conn_request() appropriately.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "cb969f072b6d67770b559617f14e767f47e77ece", "tree": "4112eb0182e8b3e28b42aebaa40ca25454fc6b76", "parents": [ "beb8d13bed80f8388f1a9a107d07ddd342e627e8" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:32:20 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:28 2006 -0700" }, "message": "[MLSXFRM]: Default labeling of socket specific IPSec policies\n\nThis defaults the label of socket-specific IPSec policies to be the\nsame as the socket they are set on.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "beb8d13bed80f8388f1a9a107d07ddd342e627e8", "tree": "19d5763b9b3b8ff3969997565e5ec0edd6e4bd33", "parents": [ "4e2ba18eae7f370c7c3ed96eaca747cc9b39f917" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Fri Aug 04 23:12:42 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:27 2006 -0700" }, "message": "[MLSXFRM]: Add flow labeling\n\nThis labels the flows that could utilize IPSec xfrms at the points the\nflows are defined so that IPSec policy and SAs at the right label can\nbe used.\n\nThe following protos are currently not handled, but they should\ncontinue to be able to use single-labeled IPSec like they currently\ndo.\n\nipmr\nip_gre\nipip\nigmp\nsit\nsctp\nip6_tunnel (IPv6 over IPv6 tunnel device)\ndecnet\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e0d1caa7b0d5f02e4f34aa09c695d04251310c6c", "tree": "bf023c17abf6813f2694ebf5fafff82edd6a1023", "parents": [ "b6340fcd761acf9249b3acbc95c4dc555d9beb07" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:29:07 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:24 2006 -0700" }, "message": "[MLSXFRM]: Flow based matching of xfrm policy and state\n\nThis implements a seemless mechanism for xfrm policy selection and\nstate matching based on the flow sid. This also includes the necessary\nSELinux enforcement pieces.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "892c141e62982272b9c738b5520ad0e5e1ad7b42", "tree": "c8e0c9b3e55106d2cb085a5047b9d02dbbb28653", "parents": [ "08554d6b33e60aa8ee40bbef94505941c0eefef2" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Fri Aug 04 23:08:56 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:22 2006 -0700" }, "message": "[MLSXFRM]: Add security sid to sock\n\nThis adds security for IP sockets at the sock level. Security at the\nsock level is needed to enforce the SELinux security policy for\nsecurity associations even when a sock is orphaned (such as in the TCP\nLAST_ACK state).\n\nThis will also be used to enforce SELinux controls over data arriving\nat or leaving a child socket while it\u0027s still waiting to be accepted.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "08554d6b33e60aa8ee40bbef94505941c0eefef2", "tree": "1610750ccd13872a33fffffcce057e10aa785d2e", "parents": [ "51bd39860ff829475aef611a3234309e37e090d9" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:27:16 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:21 2006 -0700" }, "message": "[MLSXFRM]: Define new SELinux service routine\n\nThis defines a routine that combines the Type Enforcement portion of\none sid with the MLS portion from the other sid to arrive at a new\nsid. This would be used to define a sid for a security association\nthat is to be negotiated by IKE as well as for determing the sid for\nopen requests and connection-oriented child sockets.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "51bd39860ff829475aef611a3234309e37e090d9", "tree": "2ff1569f44f54ecad1d1d232bacfa4c76b9502a6", "parents": [ "e6e5fee1426bef07f4e6c3c76f48343c14207938" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:26:30 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:20 2006 -0700" }, "message": "[MLSXFRM]: Granular IPSec associations for use in MLS environments\n\nThe current approach to labeling Security Associations for SELinux\npurposes uses a one-to-one mapping between xfrm policy rules and\nsecurity associations.\n\nThis doesn\u0027t address the needs of real world MLS (Multi-level System,\ntraditional Bell-LaPadula) environments where a single xfrm policy\nrule (pertaining to a range, classified to secret for example) might\nneed to map to multiple Security Associations (one each for\nclassified, secret, top secret and all the compartments applicable to\nthese security levels).\n\nThis patch set addresses the above problem by allowing for the mapping\nof a single xfrm policy rule to multiple security associations, with\neach association used in the security context it is defined for. It\nalso includes the security context to be used in IKE negotiation in\nthe acquire messages sent to the IKE daemon so that a unique SA can be\nnegotiated for each unique security context. A couple of bug fixes are\nalso included; checks to make sure the SAs used by a packet match\npolicy (security context-wise) on the inbound and also that the bundle\nused for the outbound matches the security context of the flow. This\npatch set also makes the use of the SELinux sid in flow cache lookups\nseemless by including the sid in the flow key itself. Also, open\nrequests as well as connection-oriented child sockets are labeled\nautomatically to be at the same level as the peer to allow for use of\nappropriately labeled IPSec associations.\n\nDescription of changes:\n\nA \"sid\" member has been added to the flow cache key resulting in the\nsid being available at all needed locations and the flow cache lookups\nautomatically using the sid. The flow sid is derived from the socket\non the outbound and the SAs (unlabeled where an SA was not used) on\nthe inbound.\n\nOutbound case:\n1. Find policy for the socket.\n\n2. OLD: Find an SA that matches the policy.\n NEW: Find an SA that matches BOTH the policy and the flow/socket.\n This is necessary since not every SA that matches the policy\n can be used for the flow/socket. Consider policy range Secret-TS,\n and SAs each for Secret and TS. We don\u0027t want a TS socket to\n use the Secret SA. Hence the additional check for the SA Vs. flow/socket.\n\n3. NEW: When looking thru bundles for a policy, make sure the\n flow/socket can use the bundle. If a bundle is not found,\n create one, calling for IKE if necessary. If using IKE,\n include the security context in the acquire message to the IKE\n daemon.\n\nInbound case:\n1. OLD: Find policy for the socket.\n NEW: Find policy for the incoming packet based on the sid of the\n SA(s) it used or the unlabeled sid if no SAs were\n used. (Consider a case where a socket is \"authorized\" for two\n policies (unclassified-confidential, secret-top_secret). If the\n packet has come in using a secret SA, we really ought to be\n using the latter policy (secret-top_secret).)\n\n2. OLD: BUG: No check to see if the SAs used by the packet agree with\n the policy sec_ctx-wise.\n\n (It was indicated in selinux_xfrm_sock_rcv_skb() that\n this was being accomplished by\n (x-\u003eid.spi \u003d\u003d tmpl-\u003eid.spi || !tmpl-\u003eid.spi) in xfrm_state_ok,\n\t but it turns out tmpl-\u003eid.spi\n would normally be zero (unless xfrm policy rules specify one\n at the template level, which they usually don\u0027t).\n NEW: The socket is checked for access to the SAs used (based on the\n sid of the SAs) in selinux_xfrm_sock_rcv_skb().\n\nForward case:\n This would be Step 1 from the Inbound case, followed by Steps 2 and 3\nfrom the Outbound case.\n\nOutstanding items/issues:\n\n- Timewait acknowledgements and such are generated in the\n current/upstream implementation using a NULL socket resulting in the\n any_socket sid (SYSTEM_HIGH) to be used. This problem is not addressed\n by this patch set.\n\nThis patch: Add new flask definitions to SELinux\n\nAdds a new avperm \"polmatch\" to arbitrate flow/state access to a xfrm\npolicy rule.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c312feb2931ded0582378712727b7ea017a951bd", "tree": "dd985aa4dd0b759690af9557a5170dabf589d87f", "parents": [ "2ed6e34f88a0d896a6f889b00693cae0fadacfd0" ], "author": { "name": "Eric Paris", "email": "eparis@parisplace.org", "time": "Mon Jul 10 04:43:53 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jul 10 13:24:13 2006 -0700" }, "message": "[PATCH] SELinux: decouple fscontext/context mount options\n\nRemove the conflict between fscontext and context mount options. If\ncontext\u003d is specified without fscontext it will operate just as before, if\nboth are specified we will use mount point labeling and all inodes will get\nthe label specified by context\u003d. The superblock will be labeled with the\nlabel of fscontext\u003d, thus affecting operations which check the superblock\nsecurity context, such as associate permissions.\n\nSigned-off-by: Eric Paris \u003ceparis@parisplace.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "42c3e03ef6b298813557cdb997bd6db619cd65a2", "tree": "c2fba776ccf7015d45651ff7d2aee89f06da6f42", "parents": [ "c1df7fb88a011b39ea722ac00975c5b8a803261b" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Jun 26 00:26:03 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:26 2006 -0700" }, "message": "[PATCH] SELinux: Add sockcreate node to procattr API\n\nBelow is a patch to add a new /proc/self/attr/sockcreate A process may write a\ncontext into this interface and all subsequent sockets created will be labeled\nwith that context. This is the same idea as the fscreate interface where a\nprocess can specify the label of a file about to be created. At this time one\nenvisioned user of this will be xinetd. It will be able to better label\nsockets for the actual services. At this time all sockets take the label of\nthe creating process, so all xinitd sockets would just be labeled the same.\n\nI tested this by creating a tcp sender and listener. The sender was able to\nwrite to this new proc file and then create sockets with the specified label.\nI am able to be sure the new label was used since the avc denial messages\nkicked out by the kernel included both the new security permission\nsetsockcreate and all the socket denials were for the new label, not the label\nof the running process.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "4eb582cf1fbd7b9e5f466e3718a59c957e75254e", "tree": "4387e460a50efa8d46a54526d0cf0959c0e3b428", "parents": [ "06ec7be557a1259611d6093a00463c42650dc71a" ], "author": { "name": "Michael LeMay", "email": "mdlemay@epoch.ncsc.mil", "time": "Mon Jun 26 00:24:57 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: add a way to store the appropriate context for newly-created keys\n\nAdd a /proc/\u003cpid\u003e/attr/keycreate entry that stores the appropriate context for\nnewly-created keys. Modify the selinux_key_alloc hook to make use of the new\nentry. Update the flask headers to include a new \"setkeycreate\" permission\nfor processes. Update the flask headers to include a new \"create\" permission\nfor keys. Use the create permission to restrict which SIDs each task can\nassign to newly-created keys. Add a new parameter to the security hook\n\"security_key_alloc\" to indicate whether it is being invoked by the kernel, or\nfrom userspace. If it is being invoked by the kernel, the security hook\nshould never fail. Update the documentation to reflect these changes.\n\nSigned-off-by: Michael LeMay \u003cmdlemay@epoch.ncsc.mil\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "d720024e94de4e8b7f10ee83c532926f3ad5d708", "tree": "8f21613c29a26bfbeb334cb0104b8b998b09fbdc", "parents": [ "f893afbe1262e27e91234506f72e17716190dd2f" ], "author": { "name": "Michael LeMay", "email": "mdlemay@epoch.ncsc.mil", "time": "Thu Jun 22 14:47:17 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Thu Jun 22 15:05:55 2006 -0700" }, "message": "[PATCH] selinux: add hooks for key subsystem\n\nIntroduce SELinux hooks to support the access key retention subsystem\nwithin the kernel. Incorporate new flask headers from a modified version\nof the SELinux reference policy, with support for the new security class\nrepresenting retained keys. Extend the \"key_alloc\" security hook with a\ntask parameter representing the intended ownership context for the key\nbeing allocated. Attach security information to root\u0027s default keyrings\nwithin the SELinux initialization routine.\n\nHas passed David\u0027s testsuite.\n\nSigned-off-by: Michael LeMay \u003cmdlemay@epoch.ncsc.mil\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "4e5ab4cb85683cf77b507ba0c4d48871e1562305", "tree": "aef7ba8b6050fcaccbaf0d05f8e5ba860a143eaf", "parents": [ "100468e9c05c10fb6872751c1af523b996d6afa9" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jun 09 00:33:33 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:30:05 2006 -0700" }, "message": "[SECMARK]: Add new packet controls to SELinux\n\nAdd new per-packet access controls to SELinux, replacing the old\npacket controls.\n\nPackets are labeled with the iptables SECMARK and CONNSECMARK targets,\nthen security policy for the packets is enforced with these controls.\n\nTo allow for a smooth transition to the new controls, the old code is\nstill present, but not active by default. To restore previous\nbehavior, the old controls may be activated at runtime by writing a\n\u00271\u0027 to /selinux/compat_net, and also via the kernel boot parameter\nselinux_compat_net. Switching between the network control models\nrequires the security load_policy permission. The old controls will\nprobably eventually be removed and any continued use is discouraged.\n\nWith this patch, the new secmark controls for SElinux are disabled by\ndefault, so existing behavior is entirely preserved, and the user is\nnot affected at all.\n\nIt also provides a config option to enable the secmark controls by\ndefault (which can always be overridden at boot and runtime). It is\nalso noted in the kconfig help that the user will need updated\nuserspace if enabling secmark controls for SELinux and that they\u0027ll\nprobably need the SECMARK and CONNMARK targets, and conntrack protocol\nhelpers, although such decisions are beyond the scope of kernel\nconfiguration.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "29a395eac4c320c570e73f0a90d8953d80da8359", "tree": "9d34d7987754004e76de76d3f9facbee804779b7", "parents": [ "3e3ff15e6d8ba931fa9a6c7f9fe711edc77e96e5" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jun 09 00:27:28 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:29:53 2006 -0700" }, "message": "[SECMARK]: Add new flask definitions to SELinux\n\nSecmark implements a new scheme for adding security markings to\npackets via iptables, as well as changes to SELinux to use these\nmarkings for security policy enforcement. The rationale for this\nscheme is explained and discussed in detail in the original threads:\n\n http://thread.gmane.org/gmane.linux.network/34927/\n http://thread.gmane.org/gmane.linux.network/35244/\n\nExamples of policy and rulesets, as well as a full archive of patches\nfor iptables and SELinux userland, may be found at:\n\nhttp://people.redhat.com/jmorris/selinux/secmark/\n\nThe code has been tested with various compilation options and in\nseveral scenarios, including with \u0027complicated\u0027 protocols such as FTP\nand also with the new generic conntrack code with IPv6 connection\ntracking.\n\nThis patch:\n\nAdd support for a new object class (\u0027packet\u0027), and associated\npermissions (\u0027send\u0027, \u0027recv\u0027, \u0027relabelto\u0027). These are used to enforce\nsecurity policy for network packets labeled with SECMARK, and for\nadding labeling rules.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "3e3ff15e6d8ba931fa9a6c7f9fe711edc77e96e5", "tree": "e3b3edcf5092e9533539f6e8abdda83eee2cb96d", "parents": [ "6f68dc37759b1d6ff3b4d4a9d097605a09f8f043" ], "author": { "name": "Christopher J. PeBenito", "email": "cpebenito@tresys.com", "time": "Fri Jun 09 00:25:03 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:29:51 2006 -0700" }, "message": "[SELINUX]: add security class for appletalk sockets\n\nAdd a security class for appletalk sockets so that they can be\ndistinguished in SELinux policy. Please apply.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c8c05a8eec6f1258f6d5cb71a44ee5dc1e989b63", "tree": "b4a04dd9e2b940cb5b2911fb67fbe49c5f8b3fbf", "parents": [ "cec6f7f39c3db7d9f6091bf2f8fc8d520f372719" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Thu Jun 08 23:39:49 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:29:45 2006 -0700" }, "message": "[LSM-IPsec]: SELinux Authorize\n\nThis patch contains a fix for the previous patch that adds security\ncontexts to IPsec policies and security associations. In the previous\npatch, no authorization (besides the check for write permissions to\nSAD and SPD) is required to delete IPsec policies and security\nassocations with security contexts. Thus a user authorized to change\nSAD and SPD can bypass the IPsec policy authorization by simply\ndeleteing policies with security contexts. To fix this security hole,\nan additional authorization check is added for removing security\npolicies and security associations with security contexts.\n\nNote that if no security context is supplied on add or present on\npolicy to be deleted, the SELinux module allows the change\nunconditionally. The hook is called on deletion when no context is\npresent, which we may want to change. At present, I left it up to the\nmodule.\n\nLSM changes:\n\nThe patch adds two new LSM hooks: xfrm_policy_delete and\nxfrm_state_delete. The new hooks are necessary to authorize deletion\nof IPsec policies that have security contexts. The existing hooks\nxfrm_policy_free and xfrm_state_free lack the context to do the\nauthorization, so I decided to split authorization of deletion and\nmemory management of security data, as is typical in the LSM\ninterface.\n\nUse:\n\nThe new delete hooks are checked when xfrm_policy or xfrm_state are\ndeleted by either the xfrm_user interface (xfrm_get_policy,\nxfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).\n\nSELinux changes:\n\nThe new policy_delete and state_delete functions are added.\n\nSigned-off-by: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "30d55280b867aa0cae99f836ad0181bb0bf8f9cb", "tree": "8df537addd3709f36f24dbd654662568b79ca943", "parents": [ "e17df688f7064dae1417ce425dd1e4b71d24d63b" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Wed May 03 10:52:36 2006 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Wed May 03 10:08:11 2006 -0700" }, "message": "[PATCH] selinux: Clear selinux_enabled flag upon runtime disable.\n\nClear selinux_enabled flag upon runtime disable of SELinux by userspace,\nand make sure it is defined even if selinux\u003d boot parameter support is\nnot enabled in configuration.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nTested-by: Jon Smirl \u003cjonsmirl@gmail.com\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "e6f507196c2b50243beb09b1bfa4639f999d4d1e", "tree": "216886fba2700aa01970046e4c7412dce6638fa1", "parents": [ "543d9cfeec4d58ad3fd974db5531b06b6b95deb4" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Mon Mar 20 22:49:00 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:49:00 2006 -0800" }, "message": "[SELINUX]: selinux_socket_getpeer_{stream,dgram} fixup\n\nSigned-off-by: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\nSigned-off-by: Arnaldo Carvalho de Melo \u003cacme@mandriva.com\u003e\n" }, { "commit": "2c7946a7bf45ae86736ab3b43d0085e43947945c", "tree": "b956f301033ebaefe8d2701b257edfd947f537f3", "parents": [ "be33690d8fcf40377f16193c463681170eb6b295" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Mon Mar 20 22:41:23 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:41:23 2006 -0800" }, "message": "[SECURITY]: TCP/UDP getpeersec\n\nThis patch implements an application of the LSM-IPSec networking\ncontrols whereby an application can determine the label of the\nsecurity association its TCP or UDP sockets are currently connected to\nvia getsockopt and the auxiliary data mechanism of recvmsg.\n\nPatch purpose:\n\nThis patch enables a security-aware application to retrieve the\nsecurity context of an IPSec security association a particular TCP or\nUDP socket is using. The application can then use this security\ncontext to determine the security context for processing on behalf of\nthe peer at the other end of this connection. In the case of UDP, the\nsecurity context is for each individual packet. An example\napplication is the inetd daemon, which could be modified to start\ndaemons running at security contexts dependent on the remote client.\n\nPatch design approach:\n\n- Design for TCP\nThe patch enables the SELinux LSM to set the peer security context for\na socket based on the security context of the IPSec security\nassociation. The application may retrieve this context using\ngetsockopt. When called, the kernel determines if the socket is a\nconnected (TCP_ESTABLISHED) TCP socket and, if so, uses the dst_entry\ncache on the socket to retrieve the security associations. If a\nsecurity association has a security context, the context string is\nreturned, as for UNIX domain sockets.\n\n- Design for UDP\nUnlike TCP, UDP is connectionless. This requires a somewhat different\nAPI to retrieve the peer security context. With TCP, the peer\nsecurity context stays the same throughout the connection, thus it can\nbe retrieved at any time between when the connection is established\nand when it is torn down. With UDP, each read/write can have\ndifferent peer and thus the security context might change every time.\nAs a result the security context retrieval must be done TOGETHER with\nthe packet retrieval.\n\nThe solution is to build upon the existing Unix domain socket API for\nretrieving user credentials. Linux offers the API for obtaining user\ncredentials via ancillary messages (i.e., out of band/control messages\nthat are bundled together with a normal message).\n\nPatch implementation details:\n\n- Implementation for TCP\nThe security context can be retrieved by applications using getsockopt\nwith the existing SO_PEERSEC flag. As an example (ignoring error\nchecking):\n\ngetsockopt(sockfd, SOL_SOCKET, SO_PEERSEC, optbuf, \u0026optlen);\nprintf(\"Socket peer context is: %s\\n\", optbuf);\n\nThe SELinux function, selinux_socket_getpeersec, is extended to check\nfor labeled security associations for connected (TCP_ESTABLISHED \u003d\u003d\nsk-\u003esk_state) TCP sockets only. If so, the socket has a dst_cache of\nstruct dst_entry values that may refer to security associations. If\nthese have security associations with security contexts, the security\ncontext is returned.\n\ngetsockopt returns a buffer that contains a security context string or\nthe buffer is unmodified.\n\n- Implementation for UDP\nTo retrieve the security context, the application first indicates to\nthe kernel such desire by setting the IP_PASSSEC option via\ngetsockopt. Then the application retrieves the security context using\nthe auxiliary data mechanism.\n\nAn example server application for UDP should look like this:\n\ntoggle \u003d 1;\ntoggle_len \u003d sizeof(toggle);\n\nsetsockopt(sockfd, SOL_IP, IP_PASSSEC, \u0026toggle, \u0026toggle_len);\nrecvmsg(sockfd, \u0026msg_hdr, 0);\nif (msg_hdr.msg_controllen \u003e sizeof(struct cmsghdr)) {\n cmsg_hdr \u003d CMSG_FIRSTHDR(\u0026msg_hdr);\n if (cmsg_hdr-\u003ecmsg_len \u003c\u003d CMSG_LEN(sizeof(scontext)) \u0026\u0026\n cmsg_hdr-\u003ecmsg_level \u003d\u003d SOL_IP \u0026\u0026\n cmsg_hdr-\u003ecmsg_type \u003d\u003d SCM_SECURITY) {\n memcpy(\u0026scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext));\n }\n}\n\nip_setsockopt is enhanced with a new socket option IP_PASSSEC to allow\na server socket to receive security context of the peer. A new\nancillary message type SCM_SECURITY.\n\nWhen the packet is received we get the security context from the\nsec_path pointer which is contained in the sk_buff, and copy it to the\nancillary message space. An additional LSM hook,\nselinux_socket_getpeersec_udp, is defined to retrieve the security\ncontext from the SELinux space. The existing function,\nselinux_socket_getpeersec does not suit our purpose, because the\nsecurity context is copied directly to user space, rather than to\nkernel space.\n\nTesting:\n\nWe have tested the patch by setting up TCP and UDP connections between\napplications on two machines using the IPSec policies that result in\nlabeled security associations being built. For TCP, we can then\nextract the peer security context using getsockopt on either end. For\nUDP, the receiving end can retrieve the security context using the\nauxiliary data mechanism of recvmsg.\n\nSigned-off-by: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "9ac49d22138348198f729f07371ffb11991368e6", "tree": "4fb692731e6e72d0dc50add294128f6e5083d205", "parents": [ "26d2a4be6a56eec575dac651f6606756a971f0fb" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Wed Feb 01 03:05:56 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Wed Feb 01 08:53:19 2006 -0800" }, "message": "[PATCH] selinux: remove security struct magic number fields and tests\n\nRemove the SELinux security structure magic number fields and tests, along\nwith some unnecessary tests for NULL security pointers. These fields and\ntests are leftovers from the early attempts to support SELinux as a\nloadable module during LSM development.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "5f8ac64b15172c7ced7d7990eb28342092bc751b", "tree": "63046817c9a6e8db513379337f01289c045a5d63", "parents": [ "69549ddd2f894c4cead50ee2b60cc02990c389ad" ], "author": { "name": "Trent Jaeger", "email": "tjaeger@cse.psu.edu", "time": "Fri Jan 06 13:22:39 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Jan 06 13:22:39 2006 -0800" }, "message": "[LSM-IPSec]: Corrections to LSM-IPSec Nethooks\n\nThis patch contains two corrections to the LSM-IPsec Nethooks patches\npreviously applied. \n\n(1) free a security context on a failed insert via xfrm_user \ninterface in xfrm_add_policy. Memory leak.\n\n(2) change the authorization of the allocation of a security context\nin a xfrm_policy or xfrm_state from both relabelfrom and relabelto \nto setcontext.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "d28d1e080132f28ab773291f10ad6acca4c8bba2", "tree": "4cc6abef076393bc4c9f0d4e4c9952b78c04d3ee", "parents": [ "df71837d5024e2524cd51c93621e558aa7dd9f3f" ], "author": { "name": "Trent Jaeger", "email": "tjaeger@cse.psu.edu", "time": "Tue Dec 13 23:12:40 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jan 03 13:10:25 2006 -0800" }, "message": "[LSM-IPSec]: Per-packet access control.\n\nThis patch series implements per packet access control via the\nextension of the Linux Security Modules (LSM) interface by hooks in\nthe XFRM and pfkey subsystems that leverage IPSec security\nassociations to label packets. Extensions to the SELinux LSM are\nincluded that leverage the patch for this purpose.\n\nThis patch implements the changes necessary to the SELinux LSM to\ncreate, deallocate, and use security contexts for policies\n(xfrm_policy) and security associations (xfrm_state) that enable\ncontrol of a socket\u0027s ability to send and receive packets.\n\nPatch purpose:\n\nThe patch is designed to enable the SELinux LSM to implement access\ncontrol on individual packets based on the strongly authenticated\nIPSec security association. Such access controls augment the existing\nones in SELinux based on network interface and IP address. The former\nare very coarse-grained, and the latter can be spoofed. By using\nIPSec, the SELinux can control access to remote hosts based on\ncryptographic keys generated using the IPSec mechanism. This enables\naccess control on a per-machine basis or per-application if the remote\nmachine is running the same mechanism and trusted to enforce the\naccess control policy.\n\nPatch design approach:\n\nThe patch\u0027s main function is to authorize a socket\u0027s access to a IPSec\npolicy based on their security contexts. Since the communication is\nimplemented by a security association, the patch ensures that the\nsecurity association\u0027s negotiated and used have the same security\ncontext. The patch enables allocation and deallocation of such\nsecurity contexts for policies and security associations. It also\nenables copying of the security context when policies are cloned.\nLastly, the patch ensures that packets that are sent without using a\nIPSec security assocation with a security context are allowed to be\nsent in that manner.\n\nA presentation available at\nwww.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf\nfrom the SELinux symposium describes the overall approach.\n\nPatch implementation details:\n\nThe function which authorizes a socket to perform a requested\noperation (send/receive) on a IPSec policy (xfrm_policy) is\nselinux_xfrm_policy_lookup. The Netfilter and rcv_skb hooks ensure\nthat if a IPSec SA with a securit y association has not been used,\nthen the socket is allowed to send or receive the packet,\nrespectively.\n\nThe patch implements SELinux function for allocating security contexts\nwhen policies (xfrm_policy) are created via the pfkey or xfrm_user\ninterfaces via selinux_xfrm_policy_alloc. When a security association\nis built, SELinux allocates the security context designated by the\nXFRM subsystem which is based on that of the authorized policy via\nselinux_xfrm_state_alloc.\n\nWhen a xfrm_policy is cloned, the security context of that policy, if\nany, is copied to the clone via selinux_xfrm_policy_clone.\n\nWhen a xfrm_policy or xfrm_state is freed, its security context, if\nany is also freed at selinux_xfrm_policy_free or\nselinux_xfrm_state_free.\n\nTesting:\n\nThe SELinux authorization function is tested using ipsec-tools. We\ncreated policies and security associations with particular security\ncontexts and added SELinux access control policy entries to verify the\nauthorization decision. We also made sure that packets for which no\nsecurity context was supplied (which either did or did not use\nsecurity associations) were authorized using an unlabelled context.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a74574aafea3a63add3251047601611111f44562", "tree": "a8f4a809589513c666c6f5518cbe84f50ee5523e", "parents": [ "570bc1c2e5ccdb408081e77507a385dc7ebed7fa" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Sep 09 13:01:44 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 09 13:57:28 2005 -0700" }, "message": "[PATCH] Remove security_inode_post_create/mkdir/symlink/mknod hooks\n\nThis patch removes the inode_post_create/mkdir/mknod/symlink LSM hooks as\nthey are obsoleted by the new inode_init_security hook that enables atomic\ninode security labeling.\n\nIf anyone sees any reason to retain these hooks, please speak now. Also,\nis anyone using the post_rename/link hooks; if not, those could also be\nremoved.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "5e41ff9e0650f327a6c819841fa412da95d57319", "tree": "a525df8bda34c2aa52f30326f94cd15109bb58b3", "parents": [ "f5ee56cc184e0944ebc9ff1691985219959596f6" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Sep 09 13:01:35 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 09 13:57:27 2005 -0700" }, "message": "[PATCH] security: enable atomic inode security labeling\n\nThe following patch set enables atomic security labeling of newly created\ninodes by altering the fs code to invoke a new LSM hook to obtain the security\nattribute to apply to a newly created inode and to set up the incore inode\nsecurity state during the inode creation transaction. This parallels the\nexisting processing for setting ACLs on newly created inodes. Otherwise, it\nis possible for new inodes to be accessed by another thread via the dcache\nprior to complete security setup (presently handled by the\npost_create/mkdir/... LSM hooks in the VFS) and a newly created inode may be\nleft unlabeled on the disk in the event of a crash. SELinux presently works\naround the issue by ensuring that the incore inode security label is\ninitialized to a special SID that is inaccessible to unprivileged processes\n(in accordance with policy), thereby preventing inappropriate access but\npotentially causing false denials on legitimate accesses. A simple test\nprogram demonstrates such false denials on SELinux, and the patch solves the\nproblem. Similar such false denials have been encountered in real\napplications.\n\nThis patch defines a new inode_init_security LSM hook to obtain the security\nattribute to apply to a newly created inode and to set up the incore inode\nsecurity state for it, and adds a corresponding hook function implementation\nto SELinux.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "782ebb992ec20b5afdd5786ee8c2f1b58b631f24", "tree": "adf0af44fa591d803ec6b9ab7541ff3e5745dd93", "parents": [ "720d6c29e146e96cca858057469951e91e0e6850" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Sat Sep 03 15:55:16 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@evo.osdl.org", "time": "Mon Sep 05 00:05:50 2005 -0700" }, "message": "[PATCH] selinux: Reduce memory use by avtab\n\nThis patch improves memory use by SELinux by both reducing the avtab node\nsize and reducing the number of avtab nodes. The memory savings are\nsubstantial, e.g. on a 64-bit system after boot, James Morris reported the\nfollowing data for the targeted and strict policies:\n\n #objs objsize kernmem\nTargeted:\n Before: 237888 40 9.1MB\n After: 19968 24 468KB\n\nStrict:\n Before: 571680 40 21.81MB\n After: 221052 24 5.06MB\n\nThe improvement in memory use comes at a cost in the speed of security\nserver computations of access vectors, but these computations are only\nrequired on AVC cache misses, and performance measurements by James Morris\nusing a number of benchmarks have shown that the change does not cause any\nsignificant degradation.\n\nNote that a rebuilt policy via an updated policy toolchain\n(libsepol/checkpolicy) is required in order to gain the full benefits of\nthis patch, although some memory savings benefits are immediately applied\neven to older policies (in particular, the reduction in avtab node size).\nSources for the updated toolchain are presently available from the\nsourceforge CVS tree (http://sourceforge.net/cvs/?group_id\u003d21266), and\ntarballs are available from http://www.flux.utah.edu/~sds.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "f5c1d5b2aaf9a98f15a6dcdfbba1f494d0aaae52", "tree": "e896d0b6b9f561c9d124fa81efd261518ccbddf4", "parents": [ "e1699f508ab5098de4b258268fa8913db38d9d35" ], "author": { "name": "James Morris", "email": "jmorris@redhat.com", "time": "Thu Jul 28 01:07:37 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Thu Jul 28 08:39:02 2005 -0700" }, "message": "[PATCH] SELinux: default labeling of MLS field\n\nImplement kernel labeling of the MLS (multilevel security) field of\nsecurity contexts for files which have no existing MLS field. This is to\nenable upgrades of a system from non-MLS to MLS without performing a full\nfilesystem relabel including all of the mountpoints, which would be quite\npainful for users.\n\nWith this patch, with MLS enabled, if a file has no MLS field, the kernel\ninternally adds an MLS field to the in-core inode (but not to the on-disk\nfile). This MLS field added is the default for the superblock, allowing\nper-mountpoint control over the values via fixed policy or mount options.\n\nThis patch has been tested by enabling MLS without relabeling its\nfilesystem, and seems to be working correctly.\n\nSigned-off-by: James Morris \u003cjmorris@redhat.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@epoch.ncsc.mil\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "09ffd94fb15d85fbf9eebb8180f50264b264d6fe", "tree": "688a5b60f9718a56a5d4386ef10596e77fb65b7b", "parents": [ "6b9921976f0861e04828b3aff66696c1f3fd900d" ], "author": { "name": "Lorenzo Hernández García-Hierro", "email": "lorenzo@gnu.org", "time": "Sat Jun 25 14:54:35 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Jun 25 16:24:26 2005 -0700" }, "message": "[PATCH] selinux: add executable heap check\n\nThis patch,based on sample code by Roland McGrath, adds an execheap\npermission check that controls the ability to make the heap executable so\nthat this can be prevented in almost all cases (the X server is presently\nan exception, but this will hopefully be resolved in the future) so that\neven programs with execmem permission will need to have the anonymous\nmemory mapped in order to make it executable.\n\nThe only reason that we use a permission check for such restriction (vs.\nmaking it unconditional) is that the X module loader presently needs it; it\ncould possibly be made unconditional in the future when X is changed.\n\nThe policy patch for the execheap permission is available at:\nhttp://pearls.tuxedo-es.org/patches/selinux/policy-execheap.patch\n\nSigned-off-by: Lorenzo Hernandez Garcia-Hierro \u003clorenzo@gnu.org\u003e\nAcked-by: James Morris \u003cjmorris@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "6b9921976f0861e04828b3aff66696c1f3fd900d", "tree": "be372b9dc81e393c909c7fecf8778e8864ba3a0d", "parents": [ "2d15cab85b85a56cc886037cab43cc292923ff22" ], "author": { "name": "Lorenzo Hernandez García-Hierro", "email": "lorenzo@gnu.org", "time": "Sat Jun 25 14:54:34 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Jun 25 16:24:26 2005 -0700" }, "message": "[PATCH] selinux: add executable stack check\n\nThis patch adds an execstack permission check that controls the ability to\nmake the main process stack executable so that attempts to make the stack\nexecutable can still be prevented even if the process is allowed the\nexisting execmem permission in order to e.g. perform runtime code\ngeneration. Note that this does not yet address thread stacks. Note also\nthat unlike the execmem check, the execstack check is only applied on\nmprotect calls, not mmap calls, as the current security_file_mmap hook is\nnot passed the necessary information presently.\n\nThe original author of the code that makes the distinction of the stack\nregion, is Ingo Molnar, who wrote it within his patch for\n/proc/\u003cpid\u003e/maps markers.\n(http://marc.theaimsgroup.com/?l\u003dlinux-kernel\u0026m\u003d110719881508591\u0026w\u003d2)\n\nThe patches also can be found at:\nhttp://pearls.tuxedo-es.org/patches/selinux/policy-execstack.patch\nhttp://pearls.tuxedo-es.org/patches/selinux/kernel-execstack.patch\n\npolicy-execstack.patch is the patch that needs to be applied to the policy in\norder to support the execstack permission and exclude it\nfrom general_domain_access within macros/core_macros.te.\n\nkernel-execstack.patch adds such permission to the SELinux code within\nthe kernel and adds the proper permission check to the selinux_file_mprotect() hook.\n\nSigned-off-by: Lorenzo Hernandez Garcia-Hierro \u003clorenzo@gnu.org\u003e\nAcked-by: James Morris \u003cjmorris@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "b207a290ea7dc83dba02e40b81cc8a29415a9c60", "tree": "fe76d1c494977ba95ab576e9207dc13c4a66a04a", "parents": [ "6af963f1d6789ef20abca5696cd52a758b396e52" ], "author": { "name": "James Morris", "email": "jmorris@redhat.com", "time": "Sun May 01 08:58:40 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sun May 01 08:58:40 2005 -0700" }, "message": "[PATCH] SELinux: add finer grained permissions to Netlink audit processing\n\nThis patch provides finer grained permissions for the audit family of\nNetlink sockets under SELinux.\n\n1. We need a way to differentiate between privileged and unprivileged\n reads of kernel data maintained by the audit subsystem. The AUDIT_GET\n operation is unprivileged: it returns the current status of the audit\n subsystem (e.g. whether it\u0027s enabled etc.). The AUDIT_LIST operation\n however returns a list of the current audit ruleset, which is considered\n privileged by the audit folk. To deal with this, a new SELinux\n permission has been implemented and applied to the operation:\n nlmsg_readpriv, which can be allocated to appropriately privileged\n domains. Unprivileged domains would only be allocated nlmsg_read.\n\n2. There is a requirement for certain domains to generate audit events\n from userspace. These events need to be collected by the kernel,\n collated and transmitted sequentially back to the audit daemon. An\n example is user level login, an auditable event under CAPP, where\n login-related domains generate AUDIT_USER messages via PAM which are\n relayed back to auditd via the kernel. To prevent handing out\n nlmsg_write permissions to such domains, a new permission has been\n added, nlmsg_relay, which is intended for this type of purpose: data is\n passed via the kernel back to userspace but no privileged information is\n written to the kernel.\n\nAlso, AUDIT_LOGIN messages are now valid only for kernel-\u003euser messaging,\nso this value has been removed from the SELinux nlmsgtab (which is only\nused to check user-\u003ekernel messages).\n\nSigned-off-by: James Morris \u003cjmorris@redhat.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "0c9b79429c83a404a04908be65baa9d97836bbb6", "tree": "66cdf9fc4cf40867ed8c9dc060661615941cd95f", "parents": [ "7e5c6bc0a600c49e5922591ad41ff41987f54eb4" ], "author": { "name": "James Morris", "email": "jmorris@redhat.com", "time": "Sat Apr 16 15:24:13 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:24:13 2005 -0700" }, "message": "[PATCH] SELinux: add support for NETLINK_KOBJECT_UEVENT\n\nThis patch adds SELinux support for the KOBJECT_UEVENT Netlink family, so\nthat SELinux can apply finer grained controls to it. For example, security\npolicy for hald can be locked down to the KOBJECT_UEVENT Netlink family\nonly. Currently, this family simply defaults to the default Netlink socket\nclass.\n\nNote that some new permission definitions are added to sync with changes in\nthe core userspace policy package, which auto-generates header files.\n\nSigned-off-by: James Morris \u003cjmorris@redhat.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }