)]}' { "log": [ { "commit": "a3ec4a603faf4244e275bf11b467aad092dfbd8a", "tree": "1c15009716b37629070ea221a00eb9fe2303a317", "parents": [ "51563cd53c4b1c1790fccd2e0af0e2b756589af9", "85e2efbb1db9a18d218006706d6e4fbeb0216213" ], "author": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Wed Feb 16 13:33:35 2011 +0100" }, "committer": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Wed Feb 16 13:33:41 2011 +0100" }, "message": "Merge commit \u0027v2.6.38-rc5\u0027 into core/locking\n\nMerge reason: pick up upstream fixes.\n\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n" }, { "commit": "fb2b2a1d37f80cc818fd4487b510f4e11816e5e1", "tree": "00a16a9440fb1d522160a404c97ed327f77a92a1", "parents": [ "2edeaa34a6e3f2c43b667f6c4f7b27944b811695" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Mon Feb 07 13:36:16 2011 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Feb 07 14:04:00 2011 -0800" }, "message": "CRED: Fix memory and refcount leaks upon security_prepare_creds() failure\n\nIn prepare_kernel_cred() since 2.6.29, put_cred(new) is called without\nassigning new-\u003eusage when security_prepare_creds() returned an error. As a\nresult, memory for new and refcount for new-\u003e{user,group_info,tgcred} are\nleaked because put_cred(new) won\u0027t call __put_cred() unless old-\u003eusage \u003d\u003d 1.\n\nFix these leaks by assigning new-\u003eusage (and new-\u003esubscribers which was added\nin 2.6.32) before calling security_prepare_creds().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2edeaa34a6e3f2c43b667f6c4f7b27944b811695", "tree": "37dd9156645491a86844ba9198fe05e4e6fe44c5", "parents": [ "257a65d79581880032e0bf0c452f4041b693664c" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Mon Feb 07 13:36:10 2011 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Feb 07 14:04:00 2011 -0800" }, "message": "CRED: Fix BUG() upon security_cred_alloc_blank() failure\n\nIn cred_alloc_blank() since 2.6.32, abort_creds(new) is called with\nnew-\u003esecurity \u003d\u003d NULL and new-\u003emagic \u003d\u003d 0 when security_cred_alloc_blank()\nreturns an error. As a result, BUG() will be triggered if SELinux is enabled\nor CONFIG_DEBUG_CREDENTIALS\u003dy.\n\nIf CONFIG_DEBUG_CREDENTIALS\u003dy, BUG() is called from __invalid_creds() because\ncred-\u003emagic \u003d\u003d 0. Failing that, BUG() is called from selinux_cred_free()\nbecause selinux_cred_free() is not expecting cred-\u003esecurity \u003d\u003d NULL. This does\nnot affect smack_cred_free(), tomoyo_cred_free() or apparmor_cred_free().\n\nFix these bugs by\n\n(1) Set new-\u003emagic before calling security_cred_alloc_blank().\n\n(2) Handle null cred-\u003esecurity in creds_are_invalid() and selinux_cred_free().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "10389a15e25fd4784d42de7e0e3fc8c242f2011d", "tree": "b0c43d7b3cba407d64b91051e1ce2116a331212b", "parents": [ "92578c0b8078f6919f9b47e7e16a1cf770bd127b" ], "author": { "name": "Thomas Gleixner", "email": "tglx@linutronix.de", "time": "Sun Jan 23 15:25:56 2011 +0100" }, "committer": { "name": "Thomas Gleixner", "email": "tglx@linutronix.de", "time": "Thu Jan 27 12:30:37 2011 +0100" }, "message": "cred: Replace deprecated spinlock initialization\n\nSPIN_LOCK_UNLOCK is deprecated. Use the lockdep capable variant\ninstead.\n\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\n" }, { "commit": "9b1bf12d5d51bca178dea21b04a0805e29d60cf1", "tree": "902a2c0e5882a2152da59a589958d6426dc84643", "parents": [ "b84011508360d6885a9d95a235ec77d56f133377" ], "author": { "name": "KOSAKI Motohiro", "email": "kosaki.motohiro@jp.fujitsu.com", "time": "Wed Oct 27 15:34:08 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Oct 27 18:03:12 2010 -0700" }, "message": "signals: move cred_guard_mutex from task_struct to signal_struct\n\nOleg Nesterov pointed out we have to prevent multiple-threads-inside-exec\nitself and we can reuse -\u003ecred_guard_mutex for it. Yes, concurrent\nexecve() has no worth.\n\nLet\u0027s move -\u003ecred_guard_mutex from task_struct to signal_struct. It\nnaturally prevent multiple-threads-inside-exec.\n\nSigned-off-by: KOSAKI Motohiro \u003ckosaki.motohiro@jp.fujitsu.com\u003e\nReviewed-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: Roland McGrath \u003croland@redhat.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "12fdff3fc2483f906ae6404a6e8dcf2550310b6f", "tree": "a79fb1365fce7c7529655a8802d6d6bf8509b374", "parents": [ "1490cf5f0cb07dd49cdab4bceb769d7f711d7ca6" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Aug 12 16:54:57 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Aug 12 09:51:35 2010 -0700" }, "message": "Add a dummy printk function for the maintenance of unused printks\n\nAdd a dummy printk function for the maintenance of unused printks through gcc\nformat checking, and also so that side-effect checking is maintained too.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "de09a9771a5346029f4d11e4ac886be7f9bfdd75", "tree": "ccce9e75753c98a9f38075d54ab98aa4b89e66c7", "parents": [ "540ad6b62b3a188a53b51cac81d8a60d40e29fbd" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jul 29 12:45:49 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jul 29 15:16:17 2010 -0700" }, "message": "CRED: Fix get_task_cred() and task_state() to not resurrect dead credentials\n\nIt\u0027s possible for get_task_cred() as it currently stands to \u0027corrupt\u0027 a set of\ncredentials by incrementing their usage count after their replacement by the\ntask being accessed.\n\nWhat happens is that get_task_cred() can race with commit_creds():\n\n\tTASK_1\t\t\tTASK_2\t\t\tRCU_CLEANER\n\t--\u003eget_task_cred(TASK_2)\n\trcu_read_lock()\n\t__cred \u003d __task_cred(TASK_2)\n\t\t\t\t--\u003ecommit_creds()\n\t\t\t\told_cred \u003d TASK_2-\u003ereal_cred\n\t\t\t\tTASK_2-\u003ereal_cred \u003d ...\n\t\t\t\tput_cred(old_cred)\n\t\t\t\t call_rcu(old_cred)\n\t\t[__cred-\u003eusage \u003d\u003d 0]\n\tget_cred(__cred)\n\t\t[__cred-\u003eusage \u003d\u003d 1]\n\trcu_read_unlock()\n\t\t\t\t\t\t\t--\u003eput_cred_rcu()\n\t\t\t\t\t\t\t[__cred-\u003eusage \u003d\u003d 1]\n\t\t\t\t\t\t\tpanic()\n\nHowever, since a tasks credentials are generally not changed very often, we can\nreasonably make use of a loop involving reading the creds pointer and using\natomic_inc_not_zero() to attempt to increment it if it hasn\u0027t already hit zero.\n\nIf successful, we can safely return the credentials in the knowledge that, even\nif the task we\u0027re accessing has released them, they haven\u0027t gone to the RCU\ncleanup code.\n\nWe then change task_state() in procfs to use get_task_cred() rather than\ncalling get_cred() on the result of __task_cred(), as that suffers from the\nsame problem.\n\nWithout this change, a BUG_ON in __put_cred() or in put_cred_rcu() can be\ntripped when it is noticed that the usage count is not zero as it ought to be,\nfor example:\n\nkernel BUG at kernel/cred.c:168!\ninvalid opcode: 0000 [#1] SMP\nlast sysfs file: /sys/kernel/mm/ksm/run\nCPU 0\nPid: 2436, comm: master Not tainted 2.6.33.3-85.fc13.x86_64 #1 0HR330/OptiPlex\n745\nRIP: 0010:[\u003cffffffff81069881\u003e] [\u003cffffffff81069881\u003e] __put_cred+0xc/0x45\nRSP: 0018:ffff88019e7e9eb8 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff880161514480 RCX: 00000000ffffffff\nRDX: 00000000ffffffff RSI: ffff880140c690c0 RDI: ffff880140c690c0\nRBP: ffff88019e7e9eb8 R08: 00000000000000d0 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000040 R12: ffff880140c690c0\nR13: ffff88019e77aea0 R14: 00007fff336b0a5c R15: 0000000000000001\nFS: 00007f12f50d97c0(0000) GS:ffff880007400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f461bc000 CR3: 00000001b26ce000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\nProcess master (pid: 2436, threadinfo ffff88019e7e8000, task ffff88019e77aea0)\nStack:\n ffff88019e7e9ec8 ffffffff810698cd ffff88019e7e9ef8 ffffffff81069b45\n\u003c0\u003e ffff880161514180 ffff880161514480 ffff880161514180 0000000000000000\n\u003c0\u003e ffff88019e7e9f28 ffffffff8106aace 0000000000000001 0000000000000246\nCall Trace:\n [\u003cffffffff810698cd\u003e] put_cred+0x13/0x15\n [\u003cffffffff81069b45\u003e] commit_creds+0x16b/0x175\n [\u003cffffffff8106aace\u003e] set_current_groups+0x47/0x4e\n [\u003cffffffff8106ac89\u003e] sys_setgroups+0xf6/0x105\n [\u003cffffffff81009b02\u003e] system_call_fastpath+0x16/0x1b\nCode: 48 8d 71 ff e8 7e 4e 15 00 85 c0 78 0b 8b 75 ec 48 89 df e8 ef 4a 15 00\n48 83 c4 18 5b c9 c3 55 8b 07 8b 07 48 89 e5 85 c0 74 04 \u003c0f\u003e 0b eb fe 65 48 8b\n04 25 00 cc 00 00 48 3b b8 58 04 00 00 75\nRIP [\u003cffffffff81069881\u003e] __put_cred+0xc/0x45\n RSP \u003cffff88019e7e9eb8\u003e\n---[ end trace df391256a100ebdd ]---\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jiri Olsa \u003cjolsa@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c70a626d3eba373514c72287c93588b6974a0059", "tree": "c23b890cbbeb824e52e1eaee6812bc88496a246d", "parents": [ "685bfd2c48bb3284d31e73ff3151c957d76deda9" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Wed May 26 14:43:01 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 27 09:12:45 2010 -0700" }, "message": "umh: creds: kill subprocess_info-\u003ecred logic\n\nNow that nobody ever changes subprocess_info-\u003ecred we can kill this member\nand related code. ____call_usermodehelper() always runs in the context of\nfreshly forked kernel thread, it has the proper -\u003ecred copied from its\nparent kthread, keventd.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: Neil Horman \u003cnhorman@tuxdriver.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "96b5b7f4f2d59b37c1fc2fba1ae25999accd6dcd", "tree": "cda421c6cd7533940b35504660a05a366a3ece0c", "parents": [ "f72caf7e496465182eeda842ac66a5e75404ddf1", "539c99fd7fc28f8db257c713c10fb4aceadf8887" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 20 08:55:50 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 20 08:55:50 2010 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (61 commits)\n KEYS: Return more accurate error codes\n LSM: Add __init to fixup function.\n TOMOYO: Add pathname grouping support.\n ima: remove ACPI dependency\n TPM: ACPI/PNP dependency removal\n security/selinux/ss: Use kstrdup\n TOMOYO: Use stack memory for pending entry.\n Revert \"ima: remove ACPI dependency\"\n Revert \"TPM: ACPI/PNP dependency removal\"\n KEYS: Do preallocation for __key_link()\n TOMOYO: Use mutex_lock_interruptible.\n KEYS: Better handling of errors from construct_alloc_key()\n KEYS: keyring_serialise_link_sem is only needed for keyring-\u003ekeyring links\n TOMOYO: Use GFP_NOFS rather than GFP_KERNEL.\n ima: remove ACPI dependency\n TPM: ACPI/PNP dependency removal\n selinux: generalize disabling of execmem for plt-in-heap archs\n LSM Audit: rename LSM_AUDIT_NO_AUDIT to LSM_AUDIT_DATA_NONE\n CRED: Holding a spinlock does not imply the holding of RCU read lock\n SMACK: Don\u0027t #include Ext2 headers\n ...\n" }, { "commit": "48652ced1533c3372f996a0d83b6e73b1f1c9381", "tree": "5e17729cfcdc97bf798a17b57cdb888b4ded65b0", "parents": [ "99bd5e2f245d8cd17d040c82d40becdb3efd9b69", "66f41d4c5c8a5deed66fdcc84509376c9a0bf9d8" ], "author": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Fri May 07 11:27:54 2010 +0200" }, "committer": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Fri May 07 11:27:54 2010 +0200" }, "message": "Merge commit \u0027v2.6.34-rc6\u0027 into sched/core\n" }, { "commit": "0ffbe2699cda6afbe08501098dff8a8c2fe6ae09", "tree": "81b1a2305d16c873371b65c5a863c0268036cefe", "parents": [ "4e5d6f7ec3833c0da9cf34fa5c53c6058c5908b6", "7ebd467551ed6ae200d7835a84bbda0dcadaa511" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 10:56:07 2010 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 10:56:07 2010 +1000" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "e134d200d57d43b171dcb0b55c178a1a0c7db14a", "tree": "4092cd25cd927eeac87c5bcd49f581a5cd06cbcf", "parents": [ "eff30363c0b8b057f773108589bfd8881659fe74" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Apr 21 10:28:25 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 22 09:14:29 2010 +1000" }, "message": "CRED: Fix a race in creds_are_invalid() in credentials debugging\n\ncreds_are_invalid() reads both cred-\u003eusage and cred-\u003esubscribers and then\ncompares them to make sure the number of processes subscribed to a cred struct\nnever exceeds the refcount of that cred struct.\n\nThe problem is that this can cause a race with both copy_creds() and\nexit_creds() as the two counters, whilst they are of atomic_t type, are only\natomic with respect to themselves, and not atomic with respect to each other.\n\nThis means that if creds_are_invalid() can read the values on one CPU whilst\nthey\u0027re being modified on another CPU, and so can observe an evolving state in\nwhich the subscribers count now is greater than the usage count a moment\nbefore.\n\nSwitching the order in which the counts are read cannot help, so the thing to\ndo is to remove that particular check.\n\nI had considered rechecking the values to see if they\u0027re in flux if the test\nfails, but I can\u0027t guarantee they won\u0027t appear the same, even if they\u0027ve\nchanged several times in the meantime.\n\nNote that this can only happen if CONFIG_DEBUG_CREDENTIALS is enabled.\n\nThe problem is only likely to occur with multithreaded programs, and can be\ntested by the tst-eintr1 program from glibc\u0027s \"make check\". The symptoms look\nlike:\n\n\tCRED: Invalid credentials\n\tCRED: At include/linux/cred.h:240\n\tCRED: Specified credentials: ffff88003dda5878 [real][eff]\n\tCRED: -\u003emagic\u003d43736564, put_addr\u003d(null)\n\tCRED: -\u003eusage\u003d766, subscr\u003d766\n\tCRED: -\u003e*uid \u003d { 0,0,0,0 }\n\tCRED: -\u003e*gid \u003d { 0,0,0,0 }\n\tCRED: -\u003esecurity is ffff88003d72f538\n\tCRED: -\u003esecurity {359, 359}\n\t------------[ cut here ]------------\n\tkernel BUG at kernel/cred.c:850!\n\t...\n\tRIP: 0010:[\u003cffffffff81049889\u003e] [\u003cffffffff81049889\u003e] __invalid_creds+0x4e/0x52\n\t...\n\tCall Trace:\n\t [\u003cffffffff8104a37b\u003e] copy_creds+0x6b/0x23f\n\nNote the -\u003eusage\u003d766 and subscr\u003d766. The values appear the same because\nthey\u0027ve been re-read since the check was made.\n\nReported-by: Roland McGrath \u003croland@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "eff30363c0b8b057f773108589bfd8881659fe74", "tree": "6ae631c2fa01174a24da347b68fc25f0c350bc2b", "parents": [ "05ce7bfe547c9fa967d9cab6c37867a9cb6fb3fa" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 20 22:41:18 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Apr 21 09:20:35 2010 +1000" }, "message": "CRED: Fix double free in prepare_usermodehelper_creds() error handling\n\nPatch 570b8fb505896e007fd3bb07573ba6640e51851d:\n\n\tAuthor: Mathieu Desnoyers \u003cmathieu.desnoyers@efficios.com\u003e\n\tDate: Tue Mar 30 00:04:00 2010 +0100\n\tSubject: CRED: Fix memory leak in error handling\n\nattempts to fix a memory leak in the error handling by making the offending\nreturn statement into a jump down to the bottom of the function where a\nkfree(tgcred) is inserted.\n\nThis is, however, incorrect, as it does a kfree() after doing put_cred() if\nsecurity_prepare_creds() fails. That will result in a double free if \u0027error\u0027\nis jumped to as put_cred() will also attempt to free the new tgcred record by\nvirtue of it being pointed to by the new cred record.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b257c14ceb1194a6181144210056d38f22127189", "tree": "c803925f1d5bf2237e7495d306bf43929df0c952", "parents": [ "371fd7e7a56a5c136d31aa980011bd2f131c3ef5", "2ba3abd8186f24c7fb418927025b4e2120e3a362" ], "author": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Thu Apr 15 09:35:24 2010 +0200" }, "committer": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Thu Apr 15 09:36:16 2010 +0200" }, "message": "Merge branch \u0027linus\u0027 into sched/core\n\nMerge reason: merge the latest fixes, update to -rc4.\n\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n" }, { "commit": "0968d0060a3c885e53d453380266c7792a55d302", "tree": "b8511f3bf4aa4cfb21421ab5dde8346f0119dbe3", "parents": [ "9d5ed77dadc66a72b40419c91df942adfa55a102" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:14:56 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:19:15 2010 +1000" }, "message": "security: remove dead hook cred_commit\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "336f5899d287f06d8329e208fc14ce50f7ec9698", "tree": "9b762d450d5eb248a6ff8317badb7e223d93ed58", "parents": [ "a4ab2773205e8b94c18625455f85e3b6bb9d7ad6", "db217dece3003df0841bacf9556b5c06aa097dae" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Mon Apr 05 11:37:28 2010 +0900" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Mon Apr 05 11:37:28 2010 +0900" }, "message": "Merge branch \u0027master\u0027 into export-slabh\n" }, { "commit": "32bd7eb5a7f4596c8440dd9440322fe9e686634d", "tree": "f1d0c0a215c1305aec0a8f407b431a975f7ad072", "parents": [ "c9494727cf293ae2ec66af57547a3e79c724fec2" ], "author": { "name": "Li Zefan", "email": "lizf@cn.fujitsu.com", "time": "Wed Mar 24 13:17:19 2010 +0800" }, "committer": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Fri Apr 02 20:12:00 2010 +0200" }, "message": "sched: Remove remaining USER_SCHED code\n\nThis is left over from commit 7c9414385e (\"sched: Remove USER_SCHED\"\")\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nAcked-by: Dhaval Giani \u003cdhaval.giani@gmail.com\u003e\nSigned-off-by: Peter Zijlstra \u003ca.p.zijlstra@chello.nl\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nLKML-Reference: \u003c4BA9A05F.7010407@cn.fujitsu.com\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n" }, { "commit": "5a0e3ad6af8660be21ca98a971cd00f331318c05", "tree": "5bfb7be11a03176a87296a43ac6647975c00a1d1", "parents": [ "ed391f4ebf8f701d3566423ce8f17e614cde9806" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Wed Mar 24 17:04:11 2010 +0900" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Tue Mar 30 22:02:32 2010 +0900" }, "message": "include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h\n\npercpu.h is included by sched.h and module.h and thus ends up being\nincluded when building most .c files. percpu.h includes slab.h which\nin turn includes gfp.h making everything defined by the two files\nuniversally available and complicating inclusion dependencies.\n\npercpu.h -\u003e slab.h dependency is about to be removed. Prepare for\nthis change by updating users of gfp and slab facilities include those\nheaders directly instead of assuming availability. As this conversion\nneeds to touch large number of source files, the following script is\nused as the basis of conversion.\n\n http://userweb.kernel.org/~tj/misc/slabh-sweep.py\n\nThe script does the followings.\n\n* Scan files for gfp and slab usages and update includes such that\n only the necessary includes are there. ie. if only gfp is used,\n gfp.h, if slab is used, slab.h.\n\n* When the script inserts a new include, it looks at the include\n blocks and try to put the new include such that its order conforms\n to its surrounding. It\u0027s put in the include block which contains\n core kernel includes, in the same order that the rest are ordered -\n alphabetical, Christmas tree, rev-Xmas-tree or at the end if there\n doesn\u0027t seem to be any matching order.\n\n* If the script can\u0027t find a place to put a new include (mostly\n because the file doesn\u0027t have fitting include block), it prints out\n an error message indicating which .h file needs to be added to the\n file.\n\nThe conversion was done in the following steps.\n\n1. The initial automatic conversion of all .c files updated slightly\n over 4000 files, deleting around 700 includes and adding ~480 gfp.h\n and ~3000 slab.h inclusions. The script emitted errors for ~400\n files.\n\n2. Each error was manually checked. Some didn\u0027t need the inclusion,\n some needed manual addition while adding it to implementation .h or\n embedding .c file was more appropriate for others. This step added\n inclusions to around 150 files.\n\n3. The script was run again and the output was compared to the edits\n from #2 to make sure no file was left behind.\n\n4. Several build tests were done and a couple of problems were fixed.\n e.g. lib/decompress_*.c used malloc/free() wrappers around slab\n APIs requiring slab.h to be added manually.\n\n5. The script was run on all .h files but without automatically\n editing them as sprinkling gfp.h and slab.h inclusions around .h\n files could easily lead to inclusion dependency hell. Most gfp.h\n inclusion directives were ignored as stuff from gfp.h was usually\n wildly available and often used in preprocessor macros. Each\n slab.h inclusion directive was examined and added manually as\n necessary.\n\n6. percpu.h was updated not to include slab.h.\n\n7. Build test were done on the following configurations and failures\n were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my\n distributed build env didn\u0027t work with gcov compiles) and a few\n more options had to be turned off depending on archs to make things\n build (like ipr on powerpc/64 which failed due to missing writeq).\n\n * x86 and x86_64 UP and SMP allmodconfig and a custom test config.\n * powerpc and powerpc64 SMP allmodconfig\n * sparc and sparc64 SMP allmodconfig\n * ia64 SMP allmodconfig\n * s390 SMP allmodconfig\n * alpha SMP allmodconfig\n * um on x86_64 SMP allmodconfig\n\n8. percpu.h modifications were reverted so that it could be applied as\n a separate patch and serve as bisection point.\n\nGiven the fact that I had only a couple of failures from tests on step\n6, I\u0027m fairly confident about the coverage of this conversion patch.\nIf there is a breakage, it\u0027s likely to be something in one of the arch\nheaders which should be easily discoverable easily on most builds of\nthe specific arch.\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nGuess-its-ok-by: Christoph Lameter \u003ccl@linux-foundation.org\u003e\nCc: Ingo Molnar \u003cmingo@redhat.com\u003e\nCc: Lee Schermerhorn \u003cLee.Schermerhorn@hp.com\u003e\n" }, { "commit": "570b8fb505896e007fd3bb07573ba6640e51851d", "tree": "fd36f685aa2028628605733708bbf7d1af62f3ec", "parents": [ "9623e5a23724d09283c238960946ec6f65733afe" ], "author": { "name": "Mathieu Desnoyers", "email": "mathieu.desnoyers@efficios.com", "time": "Tue Mar 30 00:04:00 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 30 17:15:38 2010 +1100" }, "message": "CRED: Fix memory leak in error handling\n\nFix a memory leak on an OOM condition in prepare_usermodehelper_creds().\n\nSigned-off-by: Mathieu Desnoyers \u003cmathieu.desnoyers@efficios.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b8a1d37c5f981cdd2e83c9fd98198832324cd57a", "tree": "fe3a2c7309a9c2d5bef8e3ba053ddbb446a39969", "parents": [ "1a45dcfe2525e9432cb4aba461d4994fc2befe42" ], "author": { "name": "Julia Lawall", "email": "julia@diku.dk", "time": "Wed Feb 03 09:31:36 2010 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Feb 03 10:21:57 2010 +1100" }, "message": "kernel/cred.c: use kmem_cache_free\n\nFree memory allocated using kmem_cache_zalloc using kmem_cache_free rather\nthan kfree.\n\nThe semantic patch that makes this change is as follows:\n(http://coccinelle.lip6.fr/)\n\n// \u003csmpl\u003e\n@@\nexpression x,E,c;\n@@\n\n x \u003d \\(kmem_cache_alloc\\|kmem_cache_zalloc\\|kmem_cache_alloc_node\\)(c,...)\n ... when !\u003d x \u003d E\n when !\u003d \u0026x\n?-kfree(x)\n+kmem_cache_free(c,x)\n// \u003c/smpl\u003e\n\nSigned-off-by: Julia Lawall \u003cjulia@diku.dk\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Steve Dickson \u003csteved@redhat.com\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "764db03fee50f7a3de91de80ef4a943f0d720801", "tree": "e6d6442539ba3559d48610d89c510b122163cfe7", "parents": [ "74908a0009eb36054190ab80deb9671014efed96" ], "author": { "name": "Randy Dunlap", "email": "randy.dunlap@oracle.com", "time": "Fri Sep 18 11:06:47 2009 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 23 11:02:26 2009 -0700" }, "message": "creds_are_invalid() needs to be exported for use by modules:\n\nERROR: \"creds_are_invalid\" [fs/cachefiles/cachefiles.ko] undefined!\n\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "74908a0009eb36054190ab80deb9671014efed96", "tree": "c763a2ca3e5fa4d9b356ab1fe1f1f85da4321109", "parents": [ "43c1266ce4dc06bfd236cec31e11e9ecd69c0bef" ], "author": { "name": "Andrew Morton", "email": "akpm@linux-foundation.org", "time": "Thu Sep 17 17:47:12 2009 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 23 11:01:25 2009 -0700" }, "message": "include/linux/cred.h: fix build\n\nmips allmodconfig:\n\ninclude/linux/cred.h: In function `creds_are_invalid\u0027:\ninclude/linux/cred.h:187: error: `PAGE_SIZE\u0027 undeclared (first use in this function)\ninclude/linux/cred.h:187: error: (Each undeclared identifier is reported only once\ninclude/linux/cred.h:187: error: for each function it appears in.)\n\nFixes\n\ncommit b6dff3ec5e116e3af6f537d4caedcad6b9e5082a\nAuthor: David Howells \u003cdhowells@redhat.com\u003e\nAuthorDate: Fri Nov 14 10:39:16 2008 +1100\nCommit: James Morris \u003cjmorris@namei.org\u003e\nCommitDate: Fri Nov 14 10:39:16 2008 +1100\n\n CRED: Separate task security context from task_struct\n\nI think.\n\nIt\u0027s way too large to be inlined anyway.\n\nDunno if this needs an EXPORT_SYMBOL() yet.\n\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4a5d6ba1914d1bf1fcfb5e15834c29d84a879219", "tree": "2e9e7895b1b9d2ac4a88e1fc9127ba644a7d0679", "parents": [ "4e6d0bffd3d72a32b620525c9007d2482c731775" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Sep 14 12:45:39 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Sep 15 09:10:57 2009 +1000" }, "message": "CRED: Allow put_cred() to cope with a NULL groups list\n\nput_cred() will oops if given a NULL groups list, but that is now possible with\nthe existence of cred_alloc_blank(), as used in keyctl_session_to_parent().\n\nAdded in commit:\n\n\tcommit ee18d64c1f632043a02e6f5ba5e045bb26a5465f\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Wed Sep 2 09:14:21 2009 +0100\n\tKEYS: Add a keyctl to install a process\u0027s session keyring on its parent [try #6]\n\nReported-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ee18d64c1f632043a02e6f5ba5e045bb26a5465f", "tree": "80b5a4d530ec7d5fd69799920f0db7b78aba6b9d", "parents": [ "d0420c83f39f79afb82010c2d2cafd150eef651b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:14:21 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:22 2009 +1000" }, "message": "KEYS: Add a keyctl to install a process\u0027s session keyring on its parent [try #6]\n\nAdd a keyctl to install a process\u0027s session keyring onto its parent. This\nreplaces the parent\u0027s session keyring. Because the COW credential code does\nnot permit one process to change another process\u0027s credentials directly, the\nchange is deferred until userspace next starts executing again. Normally this\nwill be after a wait*() syscall.\n\nTo support this, three new security hooks have been provided:\ncred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in\nthe blank security creds and key_session_to_parent() - which asks the LSM if\nthe process may replace its parent\u0027s session keyring.\n\nThe replacement may only happen if the process has the same ownership details\nas its parent, and the process has LINK permission on the session keyring, and\nthe session keyring is owned by the process, and the LSM permits it.\n\nNote that this requires alteration to each architecture\u0027s notify_resume path.\nThis has been done for all arches barring blackfin, m68k* and xtensa, all of\nwhich need assembly alteration to support TIF_NOTIFY_RESUME. This allows the\nreplacement to be performed at the point the parent process resumes userspace\nexecution.\n\nThis allows the userspace AFS pioctl emulation to fully emulate newpag() and\nthe VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to\nalter the parent process\u0027s PAG membership. However, since kAFS doesn\u0027t use\nPAGs per se, but rather dumps the keys into the session keyring, the session\nkeyring of the parent must be replaced if, for example, VIOCSETTOK is passed\nthe newpag flag.\n\nThis can be tested with the following program:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\n\t#define KEYCTL_SESSION_TO_PARENT\t18\n\n\t#define OSERROR(X, S) do { if ((long)(X) \u003d\u003d -1) { perror(S); exit(1); } } while(0)\n\n\tint main(int argc, char **argv)\n\t{\n\t\tkey_serial_t keyring, key;\n\t\tlong ret;\n\n\t\tkeyring \u003d keyctl_join_session_keyring(argv[1]);\n\t\tOSERROR(keyring, \"keyctl_join_session_keyring\");\n\n\t\tkey \u003d add_key(\"user\", \"a\", \"b\", 1, keyring);\n\t\tOSERROR(key, \"add_key\");\n\n\t\tret \u003d keyctl(KEYCTL_SESSION_TO_PARENT);\n\t\tOSERROR(ret, \"KEYCTL_SESSION_TO_PARENT\");\n\n\t\treturn 0;\n\t}\n\nCompiled and linked with -lkeyutils, you should see something like:\n\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t355907932 --alswrv 4043 -1 \\_ keyring: _uid.4043\n\t[dhowells@andromeda ~]$ /tmp/newpag\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t1055658746 --alswrv 4043 4043 \\_ user: a\n\t[dhowells@andromeda ~]$ /tmp/newpag hello\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: hello\n\t340417692 --alswrv 4043 4043 \\_ user: a\n\nWhere the test program creates a new session keyring, sticks a user key named\n\u0027a\u0027 into it and then installs it on its parent.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e0e817392b9acf2c98d3be80c233dddb1b52003d", "tree": "ee680c020039313c9f9c40ab3542bb30a7363381", "parents": [ "ed6d76e4c32de0c2ad5f1d572b948ef49e465176" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:13:40 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:01 2009 +1000" }, "message": "CRED: Add some configurable debugging [try #6]\n\nAdd a config option (CONFIG_DEBUG_CREDENTIALS) to turn on some debug checking\nfor credential management. The additional code keeps track of the number of\npointers from task_structs to any given cred struct, and checks to see that\nthis number never exceeds the usage count of the cred struct (which includes\nall references, not just those from task_structs).\n\nFurthermore, if SELinux is enabled, the code also checks that the security\npointer in the cred struct is never seen to be invalid.\n\nThis attempts to catch the bug whereby inode_has_perm() faults in an nfsd\nkernel thread on seeing cred-\u003esecurity be a NULL pointer (it appears that the\ncredential struct has been previously released):\n\n\thttp://www.kerneloops.org/oops.php?number\u003d252883\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5e751e992f3fb08ba35e1ca8095ec8fbf9eda523", "tree": "711b1b47622dc9661f1d3d9c67d55c0b21456e8c", "parents": [ "d254117099d711f215e62427f55dfb8ebd5ad011" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 08 13:55:22 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon May 11 08:15:36 2009 +1000" }, "message": "CRED: Rename cred_exec_mutex to reflect that it\u0027s a guard against ptrace\n\nRename cred_exec_mutex to reflect that it\u0027s a guard against foreign\nintervention on a process\u0027s credential state, such as is made by ptrace(). The\nattachment of a debugger to a process affects execve()\u0027s calculation of the new\ncredential state - _and_ also setprocattr()\u0027s calculation of that state.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1a7d0f0bec4be078ce2cfb11538c0f4ffbbed8e5", "tree": "266fafec84391c21383cfad7e6ae5ef6131f3ff1", "parents": [ "7d671f3e713fc5ff18a5227a8dc16dfdb8bc0664", "b9456371a73871d001e67b5f4eac118c2c278e1c" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 09 13:59:25 2009 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 09 13:59:25 2009 -0800" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n CRED: Fix commit_creds() on a process that has no mm\n" }, { "commit": "43529c97122f2c851126447963eedcb8cba74fbe", "tree": "4bcba354186ae52e84d57920012f94d47bf0f72b", "parents": [ "0de336814107358bc8c4173bf9ce2d42445173fe" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Jan 09 16:13:46 2009 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 09 11:53:53 2009 -0800" }, "message": "CRED: Must initialise the new creds in prepare_kernel_cred()\n\nThe newly allocated creds in prepare_kernel_cred() must be initialised\nbefore get_uid() and get_group_info() can access them. They should be\ncopied from the old credentials.\n\nReported-by: Steve Dickson \u003csteved@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Steve Dickson \u003csteved@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "0de336814107358bc8c4173bf9ce2d42445173fe", "tree": "df2b34b171e1310e16b136b151551150c4060be7", "parents": [ "29a41e9e029d21c306e3ad6e723700348b04706a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Jan 09 16:13:41 2009 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 09 11:53:53 2009 -0800" }, "message": "CRED: Missing put_cred() in prepare_kernel_cred()\n\nMissing put_cred() in the error handling path of prepare_kernel_cred().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Steve Dickson \u003csteved@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b9456371a73871d001e67b5f4eac118c2c278e1c", "tree": "1bfe87d83dc3d7f34b9d7edf9a9ef3a693afcf29", "parents": [ "9e42d0cf5020aaf217433cad1a224745241d212a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jan 08 11:18:31 2009 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 08 23:13:56 2009 +1100" }, "message": "CRED: Fix commit_creds() on a process that has no mm\n\nFix commit_creds()\u0027s handling of a process that has no mm (such as one that is\ncalling or has called daemonize()). commit_creds() should check to see if\ntask-\u003emm is not NULL before calling set_dumpable() on it.\n\nReported-by: Jiri Slaby \u003cjirislaby@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "18b6e0414e42d95183f07d8177e3ff0241abd825", "tree": "91ca2f2d442055e31eb7bb551bf7060f3f4c4cc7", "parents": [ "9789cfe22e5d7bc10cad841a4ea96ecedb34b267" ], "author": { "name": "Serge Hallyn", "email": "serue@us.ibm.com", "time": "Wed Oct 15 16:38:45 2008 -0500" }, "committer": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Mon Nov 24 18:57:41 2008 -0500" }, "message": "User namespaces: set of cleanups (v2)\n\nThe user_ns is moved from nsproxy to user_struct, so that a struct\ncred by itself is sufficient to determine access (which it otherwise\nwould not be). Corresponding ecryptfs fixes (by David Howells) are\nhere as well.\n\nFix refcounting. The following rules now apply:\n 1. The task pins the user struct.\n 2. The user struct pins its user namespace.\n 3. The user namespace pins the struct user which created it.\n\nUser namespaces are cloned during copy_creds(). Unsharing a new user_ns\nis no longer possible. (We could re-add that, but it\u0027ll cause code\nduplication and doesn\u0027t seem useful if PAM doesn\u0027t need to clone user\nnamespaces).\n\nWhen a user namespace is created, its first user (uid 0) gets empty\nkeyrings and a clean group_info.\n\nThis incorporates a previous patch by David Howells. Here\nis his original patch description:\n\n\u003eI suggest adding the attached incremental patch. It makes the following\n\u003echanges:\n\u003e\n\u003e (1) Provides a current_user_ns() macro to wrap accesses to current\u0027s user\n\u003e namespace.\n\u003e\n\u003e (2) Fixes eCryptFS.\n\u003e\n\u003e (3) Renames create_new_userns() to create_user_ns() to be more consistent\n\u003e with the other associated functions and because the \u0027new\u0027 in the name is\n\u003e superfluous.\n\u003e\n\u003e (4) Moves the argument and permission checks made for CLONE_NEWUSER to the\n\u003e beginning of do_fork() so that they\u0027re done prior to making any attempts\n\u003e at allocation.\n\u003e\n\u003e (5) Calls create_user_ns() after prepare_creds(), and gives it the new creds\n\u003e to fill in rather than have it return the new root user. I don\u0027t imagine\n\u003e the new root user being used for anything other than filling in a cred\n\u003e struct.\n\u003e\n\u003e This also permits me to get rid of a get_uid() and a free_uid(), as the\n\u003e reference the creds were holding on the old user_struct can just be\n\u003e transferred to the new namespace\u0027s creator pointer.\n\u003e\n\u003e (6) Makes create_user_ns() reset the UIDs and GIDs of the creds under\n\u003e preparation rather than doing it in copy_creds().\n\u003e\n\u003eDavid\n\n\u003eSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n\nChangelog:\n\tOct 20: integrate dhowells comments\n\t\t1. leave thread_keyring alone\n\t\t2. use current_user_ns() in set_user()\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\n" }, { "commit": "3a3b7ce9336952ea7b9564d976d068a238976c9d", "tree": "3f0a3be33022492161f534636a20a4b1059f8236", "parents": [ "1bfdc75ae077d60a01572a7781ec6264d55ab1b9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "message": "CRED: Allow kernel services to override LSM settings for task actions\n\nAllow kernel services to override LSM settings appropriate to the actions\nperformed by a task by duplicating a set of credentials, modifying it and then\nusing task_struct::cred to point to it when performing operations on behalf of\na task.\n\nThis is used, for example, by CacheFiles which has to transparently access the\ncache on behalf of a process that thinks it is doing, say, NFS accesses with a\npotentially inappropriate (with respect to accessing the cache) set of\ncredentials.\n\nThis patch provides two LSM hooks for modifying a task security record:\n\n (*) security_kernel_act_as() which allows modification of the security datum\n with which a task acts on other objects (most notably files).\n\n (*) security_kernel_create_files_as() which allows modification of the\n security datum that is used to initialise the security data on a file that\n a task creates.\n\nThe patch also provides four new credentials handling functions, which wrap the\nLSM functions:\n\n (1) prepare_kernel_cred()\n\n Prepare a set of credentials for a kernel service to use, based either on\n a daemon\u0027s credentials or on init_cred. All the keyrings are cleared.\n\n (2) set_security_override()\n\n Set the LSM security ID in a set of credentials to a specific security\n context, assuming permission from the LSM policy.\n\n (3) set_security_override_from_ctx()\n\n As (2), but takes the security context as a string.\n\n (4) set_create_files_as()\n\n Set the file creation LSM security ID in a set of credentials to be the\n same as that on a particular inode.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e [Smack changes]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3b11a1decef07c19443d24ae926982bc8ec9f4c0", "tree": "b6555f0e5b07f4b2badd332a0a900b974920c49d", "parents": [ "98870ab0a5a3f1822aee681d2997017e1c87d026" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "message": "CRED: Differentiate objective and effective subjective credentials on a task\n\nDifferentiate the objective and real subjective credentials from the effective\nsubjective credentials on a task by introducing a second credentials pointer\ninto the task_struct.\n\ntask_struct::real_cred then refers to the objective and apparent real\nsubjective credentials of a task, as perceived by the other tasks in the\nsystem.\n\ntask_struct::cred then refers to the effective subjective credentials of a\ntask, as used by that task when it\u0027s actually running. These are not visible\nto the other tasks in the system.\n\n__task_cred(task) then refers to the objective/real credentials of the task in\nquestion.\n\ncurrent_cred() refers to the effective subjective credentials of the current\ntask.\n\nprepare_creds() uses the objective creds as a base and commit_creds() changes\nboth pointers in the task_struct (indeed commit_creds() requires them to be the\nsame).\n\noverride_creds() and revert_creds() change the subjective creds pointer only,\nand the former returns the old subjective creds. These are used by NFSD,\nfaccessat() and do_coredump(), and will by used by CacheFiles.\n\nIn SELinux, current_has_perm() is provided as an alternative to\ntask_has_perm(). This uses the effective subjective context of current,\nwhereas task_has_perm() uses the objective/real context of the subject.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "98870ab0a5a3f1822aee681d2997017e1c87d026", "tree": "4f28b9732777b114d5ef2f1647289a48e00a6fda", "parents": [ "d76b0d9b2d87cfc95686e148767cbf7d0e22bdc0" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "message": "CRED: Documentation\n\nDocument credentials and the new credentials API.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d", "tree": "8f95617996d0974507f176163459212a7def8b9a", "parents": [ "d84f4f992cbd76e8f39c488cf0c5d123843923b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Make execve() take advantage of copy-on-write credentials\n\nMake execve() take advantage of copy-on-write credentials, allowing it to set\nup the credentials in advance, and then commit the whole lot after the point\nof no return.\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n The credential bits from struct linux_binprm are, for the most part,\n replaced with a single credentials pointer (bprm-\u003ecred). This means that\n all the creds can be calculated in advance and then applied at the point\n of no return with no possibility of failure.\n\n I would like to replace bprm-\u003ecap_effective with:\n\n\tcap_isclear(bprm-\u003ecap_effective)\n\n but this seems impossible due to special behaviour for processes of pid 1\n (they always retain their parent\u0027s capability masks where normally they\u0027d\n be changed - see cap_bprm_set_creds()).\n\n The following sequence of events now happens:\n\n (a) At the start of do_execve, the current task\u0027s cred_exec_mutex is\n \t locked to prevent PTRACE_ATTACH from obsoleting the calculation of\n \t creds that we make.\n\n (a) prepare_exec_creds() is then called to make a copy of the current\n \t task\u0027s credentials and prepare it. This copy is then assigned to\n \t bprm-\u003ecred.\n\n \t This renders security_bprm_alloc() and security_bprm_free()\n \t unnecessary, and so they\u0027ve been removed.\n\n (b) The determination of unsafe execution is now performed immediately\n \t after (a) rather than later on in the code. The result is stored in\n \t bprm-\u003eunsafe for future reference.\n\n (c) prepare_binprm() is called, possibly multiple times.\n\n \t (i) This applies the result of set[ug]id binaries to the new creds\n \t attached to bprm-\u003ecred. Personality bit clearance is recorded,\n \t but now deferred on the basis that the exec procedure may yet\n \t fail.\n\n (ii) This then calls the new security_bprm_set_creds(). This should\n\t calculate the new LSM and capability credentials into *bprm-\u003ecred.\n\n\t This folds together security_bprm_set() and parts of\n\t security_bprm_apply_creds() (these two have been removed).\n\t Anything that might fail must be done at this point.\n\n (iii) bprm-\u003ecred_prepared is set to 1.\n\n\t bprm-\u003ecred_prepared is 0 on the first pass of the security\n\t calculations, and 1 on all subsequent passes. This allows SELinux\n\t in (ii) to base its calculations only on the initial script and\n\t not on the interpreter.\n\n (d) flush_old_exec() is called to commit the task to execution. This\n \t performs the following steps with regard to credentials:\n\n\t (i) Clear pdeath_signal and set dumpable on certain circumstances that\n\t may not be covered by commit_creds().\n\n (ii) Clear any bits in current-\u003epersonality that were deferred from\n (c.i).\n\n (e) install_exec_creds() [compute_creds() as was] is called to install the\n \t new credentials. This performs the following steps with regard to\n \t credentials:\n\n (i) Calls security_bprm_committing_creds() to apply any security\n requirements, such as flushing unauthorised files in SELinux, that\n must be done before the credentials are changed.\n\n\t This is made up of bits of security_bprm_apply_creds() and\n\t security_bprm_post_apply_creds(), both of which have been removed.\n\t This function is not allowed to fail; anything that might fail\n\t must have been done in (c.ii).\n\n (ii) Calls commit_creds() to apply the new credentials in a single\n assignment (more or less). Possibly pdeath_signal and dumpable\n should be part of struct creds.\n\n\t (iii) Unlocks the task\u0027s cred_replace_mutex, thus allowing\n\t PTRACE_ATTACH to take place.\n\n (iv) Clears The bprm-\u003ecred pointer as the credentials it was holding\n are now immutable.\n\n (v) Calls security_bprm_committed_creds() to apply any security\n alterations that must be done after the creds have been changed.\n SELinux uses this to flush signals and signal handlers.\n\n (f) If an error occurs before (d.i), bprm_free() will call abort_creds()\n \t to destroy the proposed new credentials and will then unlock\n \t cred_replace_mutex. No changes to the credentials will have been\n \t made.\n\n (2) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_bprm_alloc(), -\u003ebprm_alloc_security()\n (*) security_bprm_free(), -\u003ebprm_free_security()\n\n \t Removed in favour of preparing new credentials and modifying those.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n (*) security_bprm_post_apply_creds(), -\u003ebprm_post_apply_creds()\n\n \t Removed; split between security_bprm_set_creds(),\n \t security_bprm_committing_creds() and security_bprm_committed_creds().\n\n (*) security_bprm_set(), -\u003ebprm_set_security()\n\n \t Removed; folded into security_bprm_set_creds().\n\n (*) security_bprm_set_creds(), -\u003ebprm_set_creds()\n\n \t New. The new credentials in bprm-\u003ecreds should be checked and set up\n \t as appropriate. bprm-\u003ecred_prepared is 0 on the first call, 1 on the\n \t second and subsequent calls.\n\n (*) security_bprm_committing_creds(), -\u003ebprm_committing_creds()\n (*) security_bprm_committed_creds(), -\u003ebprm_committed_creds()\n\n \t New. Apply the security effects of the new credentials. This\n \t includes closing unauthorised files in SELinux. This function may not\n \t fail. When the former is called, the creds haven\u0027t yet been applied\n \t to the process; when the latter is called, they have.\n\n \t The former may access bprm-\u003ecred, the latter may not.\n\n (3) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) The bprm_security_struct struct has been removed in favour of using\n \t the credentials-under-construction approach.\n\n (c) flush_unauthorized_files() now takes a cred pointer and passes it on\n \t to inode_has_perm(), file_has_perm() and dentry_open().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bb952bb98a7e479262c7eb25d5592545a3af147d", "tree": "9a2158c07a22a5fbddcec412944d2e7534eecc8f", "parents": [ "275bb41e9d058fbb327e7642f077e1beaeac162e" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:20 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:20 2008 +1100" }, "message": "CRED: Separate per-task-group keyrings from signal_struct\n\nSeparate per-task-group keyrings from signal_struct and dangle their anchor\nfrom the cred struct rather than the signal_struct.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f1752eec6145c97163dbce62d17cf5d928e28a27", "tree": "16bc51166d38815092de36a461b845b0b4b522f9", "parents": [ "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "message": "CRED: Detach the credentials from task_struct\n\nDetach the credentials from task_struct, duplicating them in copy_process()\nand releasing them in __put_task_struct().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ] }