)]}' { "log": [ { "commit": "eca1bf5b4fab56d2feb1572d34d59fcd92ea7df3", "tree": "58ce85049625d01d52f3b32a6035bce9dbbc4ebf", "parents": [ "3c92ec8ae91ecf59d88c798301833d7cf83f2179" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Dec 29 00:41:51 2008 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Dec 29 14:24:43 2008 +1100" }, "message": "KEYS: Fix variable uninitialisation warnings\n\nFix variable uninitialisation warnings introduced in:\n\n\tcommit 8bbf4976b59fc9fc2861e79cab7beb3f6d647640\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Fri Nov 14 10:39:14 2008 +1100\n\n\tKEYS: Alter use of key instantiation link-to-keyring argument\n\nAs:\n\n security/keys/keyctl.c: In function \u0027keyctl_negate_key\u0027:\n security/keys/keyctl.c:976: warning: \u0027dest_keyring\u0027 may be used uninitialized in this function\n security/keys/keyctl.c: In function \u0027keyctl_instantiate_key\u0027:\n security/keys/keyctl.c:898: warning: \u0027dest_keyring\u0027 may be used uninitialized in this function\n\nSome versions of gcc notice that get_instantiation_key() doesn\u0027t always set\n*_dest_keyring, but fail to observe that if this happens then *_dest_keyring\nwill not be read by the caller.\n\nReported-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "54d2f649a67109d877ca143c09cdeba61fe51bcf", "tree": "3ecea866513c1d95831c3e13b359ad8d631de1c7", "parents": [ "541ef5cbb8e68189d47272cea52a69abc30259bc", "81ea714bf148fce35e931edcbdfd3aedda20d1dc" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Dec 29 09:57:38 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Dec 29 09:57:38 2008 +1100" }, "message": "Merge branch \u0027next\u0027 into for-linus\n" }, { "commit": "0191b625ca5a46206d2fb862bb08f36f2fcb3b31", "tree": "454d1842b1833d976da62abcbd5c47521ebe9bd7", "parents": [ "54a696bd07c14d3b1192d03ce7269bc59b45209a", "eb56092fc168bf5af199d47af50c0d84a96db898" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Dec 28 12:49:40 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Dec 28 12:49:40 2008 -0800" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1429 commits)\n net: Allow dependancies of FDDI \u0026 Tokenring to be modular.\n igb: Fix build warning when DCA is disabled.\n net: Fix warning fallout from recent NAPI interface changes.\n gro: Fix potential use after free\n sfc: If AN is enabled, always read speed/duplex from the AN advertising bits\n sfc: When disabling the NIC, close the device rather than unregistering it\n sfc: SFT9001: Add cable diagnostics\n sfc: Add support for multiple PHY self-tests\n sfc: Merge top-level functions for self-tests\n sfc: Clean up PHY mode management in loopback self-test\n sfc: Fix unreliable link detection in some loopback modes\n sfc: Generate unique names for per-NIC workqueues\n 802.3ad: use standard ethhdr instead of ad_header\n 802.3ad: generalize out mac address initializer\n 802.3ad: initialize ports LACPDU from const initializer\n 802.3ad: remove typedef around ad_system\n 802.3ad: turn ports is_individual into a bool\n 802.3ad: turn ports is_enabled into a bool\n 802.3ad: make ntt bool\n ixgbe: Fix set_ringparam in ixgbe to use the same memory pools.\n ...\n\nFixed trivial IPv4/6 address printing conflicts in fs/cifs/connect.c due\nto the conversion to %pI (in this networking merge) and the addition of\ndoing IPv6 addresses (from the earlier merge of CIFS).\n" }, { "commit": "81ea714bf148fce35e931edcbdfd3aedda20d1dc", "tree": "e3cabfd2ce35bc8be542910bffc4b9b99288a7f4", "parents": [ "74192246910ff4fb95309ba1a683215644beeb62" ], "author": { "name": "Sergio Luis", "email": "sergio@larces.uece.br", "time": "Mon Dec 22 01:16:15 2008 -0300" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 25 12:14:55 2008 +1100" }, "message": "smackfs: check for allocation failures in smk_set_access()\n\nsmackfs: check for allocation failures in smk_set_access()\n\n While adding a new subject/object pair to smack_list, smk_set_access()\n didn\u0027t check the return of kzalloc().\n\n This patch changes smk_set_access() to return 0 or -ENOMEM, based on\n kzalloc()\u0027s return. It also updates its caller, smk_write_load(), to\n check for smk_set_access()\u0027s return, given it is no longer a void\n return function.\n\n Signed-off-by: Sergio Luis \u003csergio@larces.uece.br\u003e\n To: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n Cc: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\n Cc: LSM \u003clinux-security-module@vger.kernel.org\u003e\n Cc: LKLM \u003clinux-kernel@vger.kernel.org\u003e\n\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n" }, { "commit": "74192246910ff4fb95309ba1a683215644beeb62", "tree": "ff6daed6c494ac83afad70049a28f20ec5770b44", "parents": [ "12204e24b1330428c3062faee10a0d80b8a5cb61" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Dec 19 11:41:10 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Dec 20 09:03:39 2008 +1100" }, "message": "SELinux: don\u0027t check permissions for kernel mounts\n\nDon\u0027t bother checking permissions when the kernel performs an\ninternal mount, as this should always be allowed.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "12204e24b1330428c3062faee10a0d80b8a5cb61", "tree": "d92ee705a86f0ec2bf85c8a797239dbb840d5927", "parents": [ "459c19f524a9d89c65717a7d061d5f11ecf6bcb8" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Dec 19 10:44:42 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Dec 20 09:02:39 2008 +1100" }, "message": "security: pass mount flags to security_sb_kern_mount()\n\nPass mount flags to security_sb_kern_mount(), so security modules\ncan determine if a mount operation is being performed by the kernel.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "459c19f524a9d89c65717a7d061d5f11ecf6bcb8", "tree": "e3026017e0d58736e46406f13bd370b75cfdf674", "parents": [ "1e641743f055f075ed9a4edd75f1fb1e05669ddc" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Dec 05 09:12:19 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Dec 20 09:01:03 2008 +1100" }, "message": "SELinux: correctly detect proc filesystems of the form \"proc/foo\"\n\nMap all of these proc/ filesystem types to \"proc\" for the policy lookup at\nfilesystem mount time.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "200036ca9b3f0b2250912142552ce56682190f95", "tree": "2588521766ea0d6ec0a79c18bceee1d81e30dab1", "parents": [ "9789cfe22e5d7bc10cad841a4ea96ecedb34b267" ], "author": { "name": "Hannes Eder", "email": "hannes@hanneseder.net", "time": "Mon Nov 24 22:14:43 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 25 06:33:17 2008 +0530" }, "message": "CRED: fix sparse warnings\n\nImpact: fix sparse warnings\n\nFix the following sparse warnings:\n\n security/security.c:228:2: warning: returning void-valued expression\n security/security.c:233:2: warning: returning void-valued expression\n security/security.c:616:2: warning: returning void-valued expression\n\nSigned-off-by: Hannes Eder \u003channes@hanneseder.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e50a906e0200084f04f8f3b7c3a14b0442d1347f", "tree": "125b64c41d4a81f0fa67808ba6a4673b1be339c5", "parents": [ "2b828925652340277a889cbc11b2d0637f7cdaf7" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Nov 13 18:37:25 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Nov 15 08:50:52 2008 +1100" }, "message": "capabilities: define get_vfs_caps_from_disk when file caps are not enabled\n\nWhen CONFIG_SECURITY_FILE_CAPABILITIES is not set the audit system may\ntry to call into the capabilities function vfs_cap_from_file. This\npatch defines that function so kernels can build and work.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3a3b7ce9336952ea7b9564d976d068a238976c9d", "tree": "3f0a3be33022492161f534636a20a4b1059f8236", "parents": [ "1bfdc75ae077d60a01572a7781ec6264d55ab1b9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "message": "CRED: Allow kernel services to override LSM settings for task actions\n\nAllow kernel services to override LSM settings appropriate to the actions\nperformed by a task by duplicating a set of credentials, modifying it and then\nusing task_struct::cred to point to it when performing operations on behalf of\na task.\n\nThis is used, for example, by CacheFiles which has to transparently access the\ncache on behalf of a process that thinks it is doing, say, NFS accesses with a\npotentially inappropriate (with respect to accessing the cache) set of\ncredentials.\n\nThis patch provides two LSM hooks for modifying a task security record:\n\n (*) security_kernel_act_as() which allows modification of the security datum\n with which a task acts on other objects (most notably files).\n\n (*) security_kernel_create_files_as() which allows modification of the\n security datum that is used to initialise the security data on a file that\n a task creates.\n\nThe patch also provides four new credentials handling functions, which wrap the\nLSM functions:\n\n (1) prepare_kernel_cred()\n\n Prepare a set of credentials for a kernel service to use, based either on\n a daemon\u0027s credentials or on init_cred. All the keyrings are cleared.\n\n (2) set_security_override()\n\n Set the LSM security ID in a set of credentials to a specific security\n context, assuming permission from the LSM policy.\n\n (3) set_security_override_from_ctx()\n\n As (2), but takes the security context as a string.\n\n (4) set_create_files_as()\n\n Set the file creation LSM security ID in a set of credentials to be the\n same as that on a particular inode.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e [Smack changes]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1bfdc75ae077d60a01572a7781ec6264d55ab1b9", "tree": "627cbbca1232725bbea68677cb904bf36e73b35c", "parents": [ "3b11a1decef07c19443d24ae926982bc8ec9f4c0" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:27 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:27 2008 +1100" }, "message": "CRED: Add a kernel_service object class to SELinux\n\nAdd a \u0027kernel_service\u0027 object class to SELinux and give this object class two\naccess vectors: \u0027use_as_override\u0027 and \u0027create_files_as\u0027.\n\nThe first vector is used to grant a process the right to nominate an alternate\nprocess security ID for the kernel to use as an override for the SELinux\nsubjective security when accessing stuff on behalf of another process.\n\nFor example, CacheFiles when accessing the cache on behalf on a process\naccessing an NFS file needs to use a subjective security ID appropriate to the\ncache rather then the one the calling process is using. The cachefilesd\ndaemon will nominate the security ID to be used.\n\nThe second vector is used to grant a process the right to nominate a file\ncreation label for a kernel service to use.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3b11a1decef07c19443d24ae926982bc8ec9f4c0", "tree": "b6555f0e5b07f4b2badd332a0a900b974920c49d", "parents": [ "98870ab0a5a3f1822aee681d2997017e1c87d026" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "message": "CRED: Differentiate objective and effective subjective credentials on a task\n\nDifferentiate the objective and real subjective credentials from the effective\nsubjective credentials on a task by introducing a second credentials pointer\ninto the task_struct.\n\ntask_struct::real_cred then refers to the objective and apparent real\nsubjective credentials of a task, as perceived by the other tasks in the\nsystem.\n\ntask_struct::cred then refers to the effective subjective credentials of a\ntask, as used by that task when it\u0027s actually running. These are not visible\nto the other tasks in the system.\n\n__task_cred(task) then refers to the objective/real credentials of the task in\nquestion.\n\ncurrent_cred() refers to the effective subjective credentials of the current\ntask.\n\nprepare_creds() uses the objective creds as a base and commit_creds() changes\nboth pointers in the task_struct (indeed commit_creds() requires them to be the\nsame).\n\noverride_creds() and revert_creds() change the subjective creds pointer only,\nand the former returns the old subjective creds. These are used by NFSD,\nfaccessat() and do_coredump(), and will by used by CacheFiles.\n\nIn SELinux, current_has_perm() is provided as an alternative to\ntask_has_perm(). This uses the effective subjective context of current,\nwhereas task_has_perm() uses the objective/real context of the subject.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1d045980e1eff4800472f0e81df9460640c8eee9", "tree": "6c326912e7fc49cdcd02f219a22e6ffb843aceeb", "parents": [ "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Prettify commoncap.c\n\nPrettify commoncap.c.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d", "tree": "8f95617996d0974507f176163459212a7def8b9a", "parents": [ "d84f4f992cbd76e8f39c488cf0c5d123843923b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Make execve() take advantage of copy-on-write credentials\n\nMake execve() take advantage of copy-on-write credentials, allowing it to set\nup the credentials in advance, and then commit the whole lot after the point\nof no return.\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n The credential bits from struct linux_binprm are, for the most part,\n replaced with a single credentials pointer (bprm-\u003ecred). This means that\n all the creds can be calculated in advance and then applied at the point\n of no return with no possibility of failure.\n\n I would like to replace bprm-\u003ecap_effective with:\n\n\tcap_isclear(bprm-\u003ecap_effective)\n\n but this seems impossible due to special behaviour for processes of pid 1\n (they always retain their parent\u0027s capability masks where normally they\u0027d\n be changed - see cap_bprm_set_creds()).\n\n The following sequence of events now happens:\n\n (a) At the start of do_execve, the current task\u0027s cred_exec_mutex is\n \t locked to prevent PTRACE_ATTACH from obsoleting the calculation of\n \t creds that we make.\n\n (a) prepare_exec_creds() is then called to make a copy of the current\n \t task\u0027s credentials and prepare it. This copy is then assigned to\n \t bprm-\u003ecred.\n\n \t This renders security_bprm_alloc() and security_bprm_free()\n \t unnecessary, and so they\u0027ve been removed.\n\n (b) The determination of unsafe execution is now performed immediately\n \t after (a) rather than later on in the code. The result is stored in\n \t bprm-\u003eunsafe for future reference.\n\n (c) prepare_binprm() is called, possibly multiple times.\n\n \t (i) This applies the result of set[ug]id binaries to the new creds\n \t attached to bprm-\u003ecred. Personality bit clearance is recorded,\n \t but now deferred on the basis that the exec procedure may yet\n \t fail.\n\n (ii) This then calls the new security_bprm_set_creds(). This should\n\t calculate the new LSM and capability credentials into *bprm-\u003ecred.\n\n\t This folds together security_bprm_set() and parts of\n\t security_bprm_apply_creds() (these two have been removed).\n\t Anything that might fail must be done at this point.\n\n (iii) bprm-\u003ecred_prepared is set to 1.\n\n\t bprm-\u003ecred_prepared is 0 on the first pass of the security\n\t calculations, and 1 on all subsequent passes. This allows SELinux\n\t in (ii) to base its calculations only on the initial script and\n\t not on the interpreter.\n\n (d) flush_old_exec() is called to commit the task to execution. This\n \t performs the following steps with regard to credentials:\n\n\t (i) Clear pdeath_signal and set dumpable on certain circumstances that\n\t may not be covered by commit_creds().\n\n (ii) Clear any bits in current-\u003epersonality that were deferred from\n (c.i).\n\n (e) install_exec_creds() [compute_creds() as was] is called to install the\n \t new credentials. This performs the following steps with regard to\n \t credentials:\n\n (i) Calls security_bprm_committing_creds() to apply any security\n requirements, such as flushing unauthorised files in SELinux, that\n must be done before the credentials are changed.\n\n\t This is made up of bits of security_bprm_apply_creds() and\n\t security_bprm_post_apply_creds(), both of which have been removed.\n\t This function is not allowed to fail; anything that might fail\n\t must have been done in (c.ii).\n\n (ii) Calls commit_creds() to apply the new credentials in a single\n assignment (more or less). Possibly pdeath_signal and dumpable\n should be part of struct creds.\n\n\t (iii) Unlocks the task\u0027s cred_replace_mutex, thus allowing\n\t PTRACE_ATTACH to take place.\n\n (iv) Clears The bprm-\u003ecred pointer as the credentials it was holding\n are now immutable.\n\n (v) Calls security_bprm_committed_creds() to apply any security\n alterations that must be done after the creds have been changed.\n SELinux uses this to flush signals and signal handlers.\n\n (f) If an error occurs before (d.i), bprm_free() will call abort_creds()\n \t to destroy the proposed new credentials and will then unlock\n \t cred_replace_mutex. No changes to the credentials will have been\n \t made.\n\n (2) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_bprm_alloc(), -\u003ebprm_alloc_security()\n (*) security_bprm_free(), -\u003ebprm_free_security()\n\n \t Removed in favour of preparing new credentials and modifying those.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n (*) security_bprm_post_apply_creds(), -\u003ebprm_post_apply_creds()\n\n \t Removed; split between security_bprm_set_creds(),\n \t security_bprm_committing_creds() and security_bprm_committed_creds().\n\n (*) security_bprm_set(), -\u003ebprm_set_security()\n\n \t Removed; folded into security_bprm_set_creds().\n\n (*) security_bprm_set_creds(), -\u003ebprm_set_creds()\n\n \t New. The new credentials in bprm-\u003ecreds should be checked and set up\n \t as appropriate. bprm-\u003ecred_prepared is 0 on the first call, 1 on the\n \t second and subsequent calls.\n\n (*) security_bprm_committing_creds(), -\u003ebprm_committing_creds()\n (*) security_bprm_committed_creds(), -\u003ebprm_committed_creds()\n\n \t New. Apply the security effects of the new credentials. This\n \t includes closing unauthorised files in SELinux. This function may not\n \t fail. When the former is called, the creds haven\u0027t yet been applied\n \t to the process; when the latter is called, they have.\n\n \t The former may access bprm-\u003ecred, the latter may not.\n\n (3) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) The bprm_security_struct struct has been removed in favour of using\n \t the credentials-under-construction approach.\n\n (c) flush_unauthorized_files() now takes a cred pointer and passes it on\n \t to inode_has_perm(), file_has_perm() and dentry_open().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "745ca2475a6ac596e3d8d37c2759c0fbe2586227", "tree": "f87c34bdfbc8542477b16a014bbb4e3b415b286a", "parents": [ "88e67f3b8898c5ea81d2916dd5b8bc9c0c35ba13" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:22 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:22 2008 +1100" }, "message": "CRED: Pass credentials through dentry_open()\n\nPass credentials through dentry_open() so that the COW creds patch can have\nSELinux\u0027s flush_unauthorized_files() pass the appropriate creds back to itself\nwhen it opens its null chardev.\n\nThe security_dentry_open() call also now takes a creds pointer, as does the\ndentry_open hook in struct security_operations.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "88e67f3b8898c5ea81d2916dd5b8bc9c0c35ba13", "tree": "1ce706510a4062d69ca25801023825331d420be0", "parents": [ "6cc88bc45ce8043171089c9592da223dfab91823" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:21 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:21 2008 +1100" }, "message": "CRED: Make inode_has_perm() and file_has_perm() take a cred pointer\n\nMake inode_has_perm() and file_has_perm() take a cred pointer rather than a\ntask pointer.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bb952bb98a7e479262c7eb25d5592545a3af147d", "tree": "9a2158c07a22a5fbddcec412944d2e7534eecc8f", "parents": [ "275bb41e9d058fbb327e7642f077e1beaeac162e" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:20 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:20 2008 +1100" }, "message": "CRED: Separate per-task-group keyrings from signal_struct\n\nSeparate per-task-group keyrings from signal_struct and dangle their anchor\nfrom the cred struct rather than the signal_struct.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "275bb41e9d058fbb327e7642f077e1beaeac162e", "tree": "049fdbb39ca43e7b3b9abf36ad279b31488121bc", "parents": [ "c69e8d9c01db2adc503464993c358901c9af9de4" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "message": "CRED: Wrap access to SELinux\u0027s task SID\n\nWrap access to SELinux\u0027s task SID, using task_sid() and current_sid() as\nappropriate.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c69e8d9c01db2adc503464993c358901c9af9de4", "tree": "bed94aaa9aeb7a7834d1c880f72b62a11a752c78", "parents": [ "86a264abe542cfececb4df129bc45a0338d8cdb9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "message": "CRED: Use RCU to access another task\u0027s creds and to release a task\u0027s own creds\n\nUse RCU to access another task\u0027s creds and to release a task\u0027s own creds.\nThis means that it will be possible for the credentials of a task to be\nreplaced without another task (a) requiring a full lock to read them, and (b)\nseeing deallocated memory.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "86a264abe542cfececb4df129bc45a0338d8cdb9", "tree": "30152f04ba847f311028d5ca697f864c16c7ebb3", "parents": [ "f1752eec6145c97163dbce62d17cf5d928e28a27" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:18 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:18 2008 +1100" }, "message": "CRED: Wrap current-\u003ecred and a few other accessors\n\nWrap current-\u003ecred and a few other accessors to hide their actual\nimplementation.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f1752eec6145c97163dbce62d17cf5d928e28a27", "tree": "16bc51166d38815092de36a461b845b0b4b522f9", "parents": [ "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "message": "CRED: Detach the credentials from task_struct\n\nDetach the credentials from task_struct, duplicating them in copy_process()\nand releasing them in __put_task_struct().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a", "tree": "9e76f972eb7ce9b84e0146c8e4126a3f86acb428", "parents": [ "15a2460ed0af7538ca8e6c610fe607a2cd9da142" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "message": "CRED: Separate task security context from task_struct\n\nSeparate the task security context from task_struct. At this point, the\nsecurity data is temporarily embedded in the task_struct with two pointers\npointing to it.\n\nNote that the Alpha arch is altered as it refers to (E)UID and (E)GID in\nentry.S via asm-offsets.\n\nWith comment fixes Signed-off-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "15a2460ed0af7538ca8e6c610fe607a2cd9da142", "tree": "3611bc03e9c30fe0d11454f6966e6b0ca7f1dbd0", "parents": [ "1cdcbec1a3372c0c49c59d292e708fd07b509f18" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:15 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:15 2008 +1100" }, "message": "CRED: Constify the kernel_cap_t arguments to the capset LSM hooks\n\nConstify the kernel_cap_t arguments to the capset LSM hooks.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1cdcbec1a3372c0c49c59d292e708fd07b509f18", "tree": "d1bd302c8d66862da45b494cbc766fb4caa5e23e", "parents": [ "8bbf4976b59fc9fc2861e79cab7beb3f6d647640" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "message": "CRED: Neuter sys_capset()\n\nTake away the ability for sys_capset() to affect processes other than current.\n\nThis means that current will not need to lock its own credentials when reading\nthem against interference by other processes.\n\nThis has effectively been the case for a while anyway, since:\n\n (1) Without LSM enabled, sys_capset() is disallowed.\n\n (2) With file-based capabilities, sys_capset() is neutered.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8bbf4976b59fc9fc2861e79cab7beb3f6d647640", "tree": "9bd621217cbdfcf94aca5b220de7363254d7fc23", "parents": [ "e9e349b051d98799b743ebf248cc2d986fedf090" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "message": "KEYS: Alter use of key instantiation link-to-keyring argument\n\nAlter the use of the key instantiation and negation functions\u0027 link-to-keyring\narguments. Currently this specifies a keyring in the target process to link\nthe key into, creating the keyring if it doesn\u0027t exist. This, however, can be\na problem for copy-on-write credentials as it means that the instantiating\nprocess can alter the credentials of the requesting process.\n\nThis patch alters the behaviour such that:\n\n (1) If keyctl_instantiate_key() or keyctl_negate_key() are given a specific\n keyring by ID (ringid \u003e\u003d 0), then that keyring will be used.\n\n (2) If keyctl_instantiate_key() or keyctl_negate_key() are given one of the\n special constants that refer to the requesting process\u0027s keyrings\n (KEY_SPEC_*_KEYRING, all \u003c\u003d 0), then:\n\n (a) If sys_request_key() was given a keyring to use (destringid) then the\n \t key will be attached to that keyring.\n\n (b) If sys_request_key() was given a NULL keyring, then the key being\n \t instantiated will be attached to the default keyring as set by\n \t keyctl_set_reqkey_keyring().\n\n (3) No extra link will be made.\n\nDecision point (1) follows current behaviour, and allows those instantiators\nwho\u0027ve searched for a specifically named keyring in the requestor\u0027s keyring so\nas to partition the keys by type to still have their named keyrings.\n\nDecision point (2) allows the requestor to make sure that the key or keys that\nget produced by request_key() go where they want, whilst allowing the\ninstantiator to request that the key is retained. This is mainly useful for\nsituations where the instantiator makes a secondary request, the key for which\nshould be retained by the initial requestor:\n\n\t+-----------+ +--------------+ +--------------+\n\t| | | | | |\n\t| Requestor |-------\u003e| Instantiator |-------\u003e| Instantiator |\n\t| | | | | |\n\t+-----------+ +--------------+ +--------------+\n\t request_key() request_key()\n\nThis might be useful, for example, in Kerberos, where the requestor requests a\nticket, and then the ticket instantiator requests the TGT, which someone else\nthen has to go and fetch. The TGT, however, should be retained in the\nkeyrings of the requestor, not the first instantiator. To make this explict\nan extra special keyring constant is also added.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e9e349b051d98799b743ebf248cc2d986fedf090", "tree": "d59a46ae39d81d27bcf605663ce0e24d1c6db375", "parents": [ "76aac0e9a17742e60d408be1a706e9aaad370891" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:13 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:13 2008 +1100" }, "message": "KEYS: Disperse linux/key_ui.h\n\nDisperse the bits of linux/key_ui.h as the reason they were put here (keyfs)\ndidn\u0027t get in.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b103c59883f1ec6e4d548b25054608cb5724453c", "tree": "d7ab5f035674e8d49404b29bff6df64e2e83616d", "parents": [ "47d804bfa1857b0edcac972c86499dcd14df3cf2" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:11 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:11 2008 +1100" }, "message": "CRED: Wrap task credential accesses in the capabilities code\n\nWrap access to task credentials so that they can be separated more easily from\nthe task_struct during the introduction of COW creds.\n\nChange most current-\u003e(|e|s|fs)[ug]id to current_(|e|s|fs)[ug]id().\n\nChange some task-\u003ee?[ug]id to task_e?[ug]id(). In some places it makes more\nsense to use RCU directly rather than a convenient wrapper; these will be\naddressed by later patches.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "47d804bfa1857b0edcac972c86499dcd14df3cf2", "tree": "200b2d1190e29be40c771bf6a4e0db0ef9e7d383", "parents": [ "8192b0c482d7078fcdcb4854341b977426f6f09b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:11 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:11 2008 +1100" }, "message": "CRED: Wrap task credential accesses in the key management code\n\nWrap access to task credentials so that they can be separated more easily from\nthe task_struct during the introduction of COW creds.\n\nChange most current-\u003e(|e|s|fs)[ug]id to current_(|e|s|fs)[ug]id().\n\nChange some task-\u003ee?[ug]id to task_e?[ug]id(). In some places it makes more\nsense to use RCU directly rather than a convenient wrapper; these will be\naddressed by later patches.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7e452baf6b96b5aeba097afd91501d33d390cc97", "tree": "9b0e062d3677d50d731ffd0fba47423bfdee9253", "parents": [ "3ac38c3a2e7dac3f8f35a56eb85c27881a4c3833", "f21f237cf55494c3a4209de323281a3b0528da10" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Nov 11 15:43:02 2008 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Nov 11 15:43:02 2008 -0800" }, "message": "Merge branch \u0027master\u0027 of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6\n\nConflicts:\n\n\tdrivers/message/fusion/mptlan.c\n\tdrivers/net/sfc/ethtool.c\n\tnet/mac80211/debugfs_sta.c\n" }, { "commit": "066746796bd2f0a1ba210c0dded3b6ee4032692a", "tree": "868832ca0e199e4f173e23375cffb5fc3870402c", "parents": [ "a2f2945a99057c7d44043465906c6bb63c3368a0" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 11 22:02:57 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 11 22:02:57 2008 +1100" }, "message": "Currently SELinux jumps through some ugly hoops to not audit a capbility\ncheck when determining if a process has additional powers to override\nmemory limits or when trying to read/write illegal file labels. Use\nthe new noaudit call instead.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "06112163f5fd9e491a7f810443d81efa9d88e247", "tree": "48039f7488abbec36c0982a57405b57d47311dd6", "parents": [ "637d32dc720897616e8a1a4f9e9609e29d431800" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 11 22:02:50 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 11 22:02:50 2008 +1100" }, "message": "Add a new capable interface that will be used by systems that use audit to\nmake an A or B type decision instead of a security decision. Currently\nthis is the case at least for filesystems when deciding if a process can use\nthe reserved \u0027root\u0027 blocks and for the case of things like the oom\nalgorithm determining if processes are root processes and should be less\nlikely to be killed. These types of security system requests should not be\naudited or logged since they are not really security decisions. It would be\npossible to solve this problem like the vm_enough_memory security check did\nby creating a new LSM interface and moving all of the policy into that\ninterface but proves the needlessly bloat the LSM and provide complex\nindirection.\n\nThis merely allows those decisions to be made where they belong and to not\nflood logs or printk with denials for thing that are not security decisions.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3fc689e96c0c90b6fede5946d6c31075e9464f69", "tree": "5e59b6c607eb595ababa74bad18787cfa49b16e9", "parents": [ "851f7ff56d9c21272f289dd85fb3f1b6cf7a6e10" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 11 21:48:18 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 11 21:48:18 2008 +1100" }, "message": "Any time fcaps or a setuid app under SECURE_NOROOT is used to result in a\nnon-zero pE we will crate a new audit record which contains the entire set\nof known information about the executable in question, fP, fI, fE, fversion\nand includes the process\u0027s pE, pI, pP. Before and after the bprm capability\nare applied. This record type will only be emitted from execve syscalls.\n\nan example of making ping use fcaps instead of setuid:\n\nsetcap \"cat_net_raw+pe\" /bin/ping\n\ntype\u003dSYSCALL msg\u003daudit(1225742021.015:236): arch\u003dc000003e syscall\u003d59 success\u003dyes exit\u003d0 a0\u003d1457f30 a1\u003d14606b0 a2\u003d1463940 a3\u003d321b770a70 items\u003d2 ppid\u003d2929 pid\u003d2963 auid\u003d0 uid\u003d500 gid\u003d500 euid\u003d500 suid\u003d500 fsuid\u003d500 egid\u003d500 sgid\u003d500 fsgid\u003d500 tty\u003dpts0 ses\u003d3 comm\u003d\"ping\" exe\u003d\"/bin/ping\" subj\u003dunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key\u003d(null)\ntype\u003dUNKNOWN[1321] msg\u003daudit(1225742021.015:236): fver\u003d2 fp\u003d0000000000002000 fi\u003d0000000000000000 fe\u003d1 old_pp\u003d0000000000000000 old_pi\u003d0000000000000000 old_pe\u003d0000000000000000 new_pp\u003d0000000000002000 new_pi\u003d0000000000000000 new_pe\u003d0000000000002000\ntype\u003dEXECVE msg\u003daudit(1225742021.015:236): argc\u003d2 a0\u003d\"ping\" a1\u003d\"127.0.0.1\"\ntype\u003dCWD msg\u003daudit(1225742021.015:236): cwd\u003d\"/home/test\"\ntype\u003dPATH msg\u003daudit(1225742021.015:236): item\u003d0 name\u003d\"/bin/ping\" inode\u003d49256 dev\u003dfd:00 mode\u003d0100755 ouid\u003d0 ogid\u003d0 rdev\u003d00:00 obj\u003dsystem_u:object_r:ping_exec_t:s0 cap_fp\u003d0000000000002000 cap_fe\u003d1 cap_fver\u003d2\ntype\u003dPATH msg\u003daudit(1225742021.015:236): item\u003d1 name\u003d(null) inode\u003d507915 dev\u003dfd:00 mode\u003d0100755 ouid\u003d0 ogid\u003d0 rdev\u003d00:00 obj\u003dsystem_u:object_r:ld_so_t:s0\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c0b004413a46a0a5744e6d2b85220fe9d2c33d48", "tree": "f66ee9e4cf14ce961e42a9dd356927478bab4574", "parents": [ "9d36be76c55ad2c2bb29683b752b0d9ad2e4eeef" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 11 21:48:10 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 11 21:48:10 2008 +1100" }, "message": "This patch add a generic cpu endian caps structure and externally available\nfunctions which retrieve fcaps information from disk. This information is\nnecessary so fcaps information can be collected and recorded by the audit\nsystem.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1f8f5cf6e4f038552a3e47b66085452c08556d71", "tree": "ccbfebc2fd565b8a979bde1f50d58b32328e4ddf", "parents": [ "3ad4f597058301c97f362e500a32f63f5c950a45" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Nov 10 19:00:05 2008 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Nov 10 13:20:57 2008 -0800" }, "message": "KEYS: Make request key instantiate the per-user keyrings\n\nMake request_key() instantiate the per-user keyrings so that it doesn\u0027t oops\nif it needs to get hold of the user session keyring because there isn\u0027t a\nsession keyring in place.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Steve French \u003csmfrench@gmail.com\u003e\nTested-by: Rutger Nijlunsing \u003crutger.nijlunsing@gmail.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "39c9aede2b4a252bd296c0a86be832c3d3d0a273", "tree": "2c802930511c40a6d150166a892e68f83fee9851", "parents": [ "1f29fae29709b4668979e244c09b2fa78ff1ad59" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Nov 05 09:34:42 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sun Nov 09 07:33:18 2008 +0800" }, "message": "SELinux: Use unknown perm handling to handle unknown netlink msg types\n\nCurrently when SELinux has not been updated to handle a netlink message\ntype the operation is denied with EINVAL. This patch will leave the\naudit/warning message so things get fixed but if policy chose to allow\nunknowns this will allow the netlink operation.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9eeda9abd1faf489f3df9a1f557975f4c8650363", "tree": "3e0a58e25b776cfbee193195460324dccb1886c7", "parents": [ "61c9eaf90081cbe6dc4f389e0056bff76eca19ec", "4bab0ea1d42dd1927af9df6fbf0003fc00617c50" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Nov 06 22:43:03 2008 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Nov 06 22:43:03 2008 -0800" }, "message": "Merge branch \u0027master\u0027 of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6\n\nConflicts:\n\n\tdrivers/net/wireless/ath5k/base.c\n\tnet/8021q/vlan_core.c\n" }, { "commit": "1f29fae29709b4668979e244c09b2fa78ff1ad59", "tree": "d50129066cd1f131551eb364d04542dfcf923050", "parents": [ "e21e696edb498c7f7eed42ba3096f6bbe13927b6" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Wed Nov 05 16:08:52 2008 -0600" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 06 07:14:51 2008 +0800" }, "message": "file capabilities: add no_file_caps switch (v4)\n\nAdd a no_file_caps boot option when file capabilities are\ncompiled into the kernel (CONFIG_SECURITY_FILE_CAPABILITIES\u003dy).\n\nThis allows distributions to ship a kernel with file capabilities\ncompiled in, without forcing users to use (and understand and\ntrust) them.\n\nWhen no_file_caps is specified at boot, then when a process executes\na file, any file capabilities stored with that file will not be\nused in the calculation of the process\u0027 new capability sets.\n\nThis means that booting with the no_file_caps boot option will\nnot be the same as booting a kernel with file capabilities\ncompiled out - in particular a task with CAP_SETPCAP will not\nhave any chance of passing capabilities to another task (which\nisn\u0027t \"really\" possible anyway, and which may soon by killed\naltogether by David Howells in any case), and it will instead\nbe able to put new capabilities in its pI. However since fI\nwill always be empty and pI is masked with fI, it gains the\ntask nothing.\n\nWe also support the extra prctl options, setting securebits and\ndropping capabilities from the per-process bounding set.\n\nThe other remaining difference is that killpriv, task_setscheduler,\nsetioprio, and setnice will continue to be hooked. That will\nbe noticable in the case where a root task changed its uid\nwhile keeping some caps, and another task owned by the new uid\ntries to change settings for the more privileged task.\n\nChangelog:\n\tNov 05 2008: (v4) trivial port on top of always-start-\\\n\t\twith-clear-caps patch\n\tSep 23 2008: nixed file_caps_enabled when file caps are\n\t\tnot compiled in as it isn\u0027t used.\n\t\tDocument no_file_caps in kernel-parameters.txt.\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e21e696edb498c7f7eed42ba3096f6bbe13927b6", "tree": "73b0bc28e45b0268f05c4b384a17bfb2140a73bc", "parents": [ "2f99db28af90957271a6448479c3e492ccf7c697", "75fa67706cce5272bcfc51ed646f2da21f3bdb6e" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 06 07:12:34 2008 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 06 07:12:34 2008 +0800" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "2f99db28af90957271a6448479c3e492ccf7c697", "tree": "00386a75dd8c998621d2204609425b41be420f62", "parents": [ "41d9f9c524a53477467b7e0111ff3d644198f191" ], "author": { "name": "Michal Schmidt", "email": "mschmidt@redhat.com", "time": "Wed Nov 05 13:35:06 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 06 07:08:36 2008 +0800" }, "message": "selinux: recognize netlink messages for \u0027ip addrlabel\u0027\n\nIn enforcing mode \u0027/sbin/ip addrlabel\u0027 results in a SELinux error:\ntype\u003dSELINUX_ERR msg\u003daudit(1225698822.073:42): SELinux: unrecognized\nnetlink message type\u003d74 for sclass\u003d43\n\nThe problem is missing RTM_*ADDRLABEL entries in SELinux\u0027s netlink\nmessage types table.\n\nReported in https://bugzilla.redhat.com/show_bug.cgi?id\u003d469423\n\nSigned-off-by: Michal Schmidt \u003cmschmidt@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "41d9f9c524a53477467b7e0111ff3d644198f191", "tree": "b891d648d756d7195bab5c0f55f105cd00d8f94a", "parents": [ "8b6a5a37f87a414ef8636e36ec75accb27bb7508" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 04 15:18:26 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Nov 05 08:44:11 2008 +1100" }, "message": "SELinux: hold tasklist_lock and siglock while waking wait_chldexit\n\nSELinux has long been calling wake_up_interruptible() on\ncurrent-\u003eparent-\u003esignal-\u003ewait_chldexit without holding any locks. It\nappears that this operation should hold the tasklist_lock to dereference\ncurrent-\u003eparent and we should hold the siglock when waking up the\nsignal-\u003ewait_chldexit.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0a6d2fac615972142715d736289abeeb7382e81d", "tree": "828bd68949a5d4dd3a958c2be215695170b9b29c", "parents": [ "76f8bef0db031f03bf286c8bbccfaf83f0b22224", "37dd0bd04a3240d2922786d501e2f12cec858fbf" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Nov 01 09:50:38 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Nov 01 09:50:38 2008 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n SELinux: properly handle empty tty_files list\n" }, { "commit": "3318a386e4ca68c76e0294363d29bdc46fcad670", "tree": "da0da58f10bcb7dd7a885f6032b46d1025af208b", "parents": [ "e06f42d6c127883e58b747048752f44ae208ae47" ], "author": { "name": "Serge Hallyn", "email": "serue@us.ibm.com", "time": "Thu Oct 30 11:52:23 2008 -0500" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Nov 01 09:49:45 2008 -0700" }, "message": "file caps: always start with clear bprm-\u003ecaps_*\n\nWhile Linux doesn\u0027t honor setuid on scripts. However, it mistakenly\nbehaves differently for file capabilities.\n\nThis patch fixes that behavior by making sure that get_file_caps()\nbegins with empty bprm-\u003ecaps_*. That way when a script is loaded,\nits bprm-\u003ecaps_* may be filled when binfmt_misc calls prepare_binprm(),\nbut they will be cleared again when binfmt_elf calls prepare_binprm()\nnext to read the interpreter\u0027s file capabilities.\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "37dd0bd04a3240d2922786d501e2f12cec858fbf", "tree": "d4fa5a124a95d33bf22276429a82822ec8d4810a", "parents": [ "721d5dfe7e516954c501d5e9d0dfab379cf4241a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Oct 31 17:40:00 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Nov 01 09:38:48 2008 +1100" }, "message": "SELinux: properly handle empty tty_files list\n\nSELinux has wrongly (since 2004) had an incorrect test for an empty\ntty-\u003etty_files list. With an empty list selinux would be pointing to part\nof the tty struct itself and would then proceed to dereference that value\nand again dereference that result. An F10 change to plymouth on a ppc64\nsystem is actually currently triggering this bug. This patch uses\nlist_empty() to handle empty lists rather than looking at a meaningless\nlocation.\n\n[note, this fixes the oops reported in\nhttps://bugzilla.redhat.com/show_bug.cgi?id\u003d469079]\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3685f25de1b0447fff381c420de1e25bd57c9efb", "tree": "90a5d87c0ced1b27f654606d50a9ff13ded6f862", "parents": [ "be859405487324ed548f1ba11dc949b8230ab991" ], "author": { "name": "Harvey Harrison", "email": "harvey.harrison@gmail.com", "time": "Fri Oct 31 00:56:49 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Oct 31 00:56:49 2008 -0700" }, "message": "misc: replace NIPQUAD()\n\nUsing NIPQUAD() with NIPQUAD_FMT, %d.%d.%d.%d or %u.%u.%u.%u\ncan be replaced with %pI4\n\nSigned-off-by: Harvey Harrison \u003charvey.harrison@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a1744d3bee19d3b9cbfb825ab316a101b9c9f109", "tree": "c0e2324c09beca0eb5782eb5abf241ea2b7a4a11", "parents": [ "275f165fa970174f8a98205529750e8abb6c0a33", "a432226614c5616e3cfd211e0acffa0acfb4770c" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Oct 31 00:17:34 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Oct 31 00:17:34 2008 -0700" }, "message": "Merge branch \u0027master\u0027 of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6\n\nConflicts:\n\n\tdrivers/net/wireless/p54/p54common.c\n" }, { "commit": "731572d39fcd3498702eda4600db4c43d51e0b26", "tree": "f892907ae20539845f353d72d2a2bf202b67e007", "parents": [ "6c89161b10f5771ee0b51ada0fce0e8835e72ade" ], "author": { "name": "Alan Cox", "email": "alan@redhat.com", "time": "Wed Oct 29 14:01:20 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Oct 30 11:38:47 2008 -0700" }, "message": "nfsd: fix vm overcommit crash\n\nJunjiro R. Okajima reported a problem where knfsd crashes if you are\nusing it to export shmemfs objects and run strict overcommit. In this\nsituation the current-\u003emm based modifier to the overcommit goes through a\nNULL pointer.\n\nWe could simply check for NULL and skip the modifier but we\u0027ve caught\nother real bugs in the past from mm being NULL here - cases where we did\nneed a valid mm set up (eg the exec bug about a year ago).\n\nTo preserve the checks and get the logic we want shuffle the checking\naround and add a new helper to the vm_ security wrappers\n\nAlso fix a current-\u003emm reference in nommu that should use the passed mm\n\n[akpm@linux-foundation.org: coding-style fixes]\n[akpm@linux-foundation.org: fix build]\nReported-by: Junjiro R. Okajima \u003chooanon05@yahoo.co.jp\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8b6a5a37f87a414ef8636e36ec75accb27bb7508", "tree": "26ff1dddb3c8727118b24819e83b4b7c500ff595", "parents": [ "0da939b0058742ad2d8580b7db6b966d0fc72252" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 29 17:06:46 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Oct 31 02:00:52 2008 +1100" }, "message": "SELinux: check open perms in dentry_open not inode_permission\n\nSome operations, like searching a directory path or connecting a unix domain\nsocket, make explicit calls into inode_permission. Our choices are to\neither try to come up with a signature for all of the explicit calls to\ninode_permission and do not check open on those, or to move the open checks to\ndentry_open where we know this is always an open operation. This patch moves\nthe checks to dentry_open.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5b095d98928fdb9e3b75be20a54b7a6cbf6ca9ad", "tree": "b6caa0cdbaac016447a790881ad4a6c5dfce6900", "parents": [ "4b7a4274ca63dadd9c4f17fc953f3a5d19855c4c" ], "author": { "name": "Harvey Harrison", "email": "harvey.harrison@gmail.com", "time": "Wed Oct 29 12:52:50 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Oct 29 12:52:50 2008 -0700" }, "message": "net: replace %p6 with %pI6\n\nSigned-off-by: Harvey Harrison \u003charvey.harrison@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "1afa67f5e70b4733d5b237df61e6d639af6283bb", "tree": "34912ebf8e13c40e00bc5ab13c365a5556d684ca", "parents": [ "b071195deba14b37ce896c26f20349b46e5f9fd2" ], "author": { "name": "Harvey Harrison", "email": "harvey.harrison@gmail.com", "time": "Tue Oct 28 16:06:44 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Oct 28 16:06:44 2008 -0700" }, "message": "misc: replace NIP6_FMT with %p6 format specifier\n\nThe iscsi_ibft.c changes are almost certainly a bugfix as the\npointer \u0027ip\u0027 is a u8 *, so they never print the last 8 bytes\nof the IPv6 address, and the eight bytes they do print have\na zero byte with them in each 16-bit word.\n\nOther than that, this should cause no difference in functionality.\n\nSigned-off-by: Harvey Harrison \u003charvey.harrison@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "def8b4faff5ca349beafbbfeb2c51f3602a6ef3a", "tree": "a90fbb0b6ae2a49c507465801f31df77bc5ebf9d", "parents": [ "b057efd4d226fcc3a92b0dc6d8ea8e8185ecb260" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Tue Oct 28 13:24:06 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Oct 28 13:24:06 2008 -0700" }, "message": "net: reduce structures when XFRM\u003dn\n\nifdef out\n* struct sk_buff::sp\t\t(pointer)\n* struct dst_entry::xfrm\t(pointer)\n* struct sock::sk_policy\t(2 pointers)\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "99ebcf8285df28f32fd2d1c19a7166e70f00309c", "tree": "caf45f39a77026b2fae2413c145067a1e5164701", "parents": [ "72558dde738b06cc01e16b3247a9659ca739e22d", "c465a76af658b443075d6efee1c3131257643020" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 20 13:19:56 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 20 13:19:56 2008 -0700" }, "message": "Merge branch \u0027v28-timers-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip\n\n* \u0027v28-timers-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (36 commits)\n fix documentation of sysrq-q really\n Fix documentation of sysrq-q\n timer_list: add base address to clock base\n timer_list: print cpu number of clockevents device\n timer_list: print real timer address\n NOHZ: restart tick device from irq_enter()\n NOHZ: split tick_nohz_restart_sched_tick()\n NOHZ: unify the nohz function calls in irq_enter()\n timers: fix itimer/many thread hang, fix\n timers: fix itimer/many thread hang, v3\n ntp: improve adjtimex frequency rounding\n timekeeping: fix rounding problem during clock update\n ntp: let update_persistent_clock() sleep\n hrtimer: reorder struct hrtimer to save 8 bytes on 64bit builds\n posix-timers: lock_timer: make it readable\n posix-timers: lock_timer: kill the bogus -\u003eit_id check\n posix-timers: kill -\u003eit_sigev_signo and -\u003eit_sigev_value\n posix-timers: sys_timer_create: cleanup the error handling\n posix-timers: move the initialization of timer-\u003esigq from send to create path\n posix-timers: sys_timer_create: simplify and s/tasklist/rcu/\n ...\n\nFix trivial conflicts due to sysrq-q description clahes in\nDocumentation/sysrq.txt and drivers/char/sysrq.c\n" }, { "commit": "47c59803becb55b72b26cdab3838d621a15badc8", "tree": "63711f3e41f46288e2fa18db0b4ed734e9b1f668", "parents": [ "c012a54ae0b2ee2c73499f54596e0f5257288fec" ], "author": { "name": "Lai Jiangshan", "email": "laijs@cn.fujitsu.com", "time": "Sat Oct 18 20:28:07 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 20 08:52:38 2008 -0700" }, "message": "devcgroup: remove spin_lock()\n\nSince we introduced rcu for read side, spin_lock is used only for update.\nBut we always hold cgroup_lock() when update, so spin_lock() is not need.\n\nAdditional cleanup:\n1) include linux/rcupdate.h explicitly\n2) remove unused variable cur_devcgroup in devcgroup_update_access()\n\nSigned-off-by: Lai Jiangshan \u003claijs@cn.fujitsu.com\u003e\nAcked-by: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c012a54ae0b2ee2c73499f54596e0f5257288fec", "tree": "4fab77415948c241c563a4de1e8e29fcc0604828", "parents": [ "2cdc7241a290bb2b9ef4c2e2969a4a3ed92abb63" ], "author": { "name": "Li Zefan", "email": "lizf@cn.fujitsu.com", "time": "Sat Oct 18 20:28:07 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 20 08:52:38 2008 -0700" }, "message": "devcgroup: remove unused variable\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2cdc7241a290bb2b9ef4c2e2969a4a3ed92abb63", "tree": "c544eeca8ed7777580ebd91f97778792d5ff6d07", "parents": [ "886465f407e57d6c3c81013c919ea670ce1ae0d0" ], "author": { "name": "Li Zefan", "email": "lizf@cn.fujitsu.com", "time": "Sat Oct 18 20:28:06 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 20 08:52:38 2008 -0700" }, "message": "devcgroup: use kmemdup()\n\nThis saves 40 bytes on my x86_32 box.\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c465a76af658b443075d6efee1c3131257643020", "tree": "63c28c9fab02dedec7f03cee4a3ef7fe4dc1c072", "parents": [ "2d42244ae71d6c7b0884b5664cf2eda30fb2ae68", "1b02469088ac7a13d7e622b618b7410d0f1ce5ec", "fb02fbc14d17837b4b7b02dbb36142c16a7bf208", "d40e944c25fb4642adb2a4c580a48218a9f3f824", "1508487e7f16d992ad23cabd3712563ff912f413", "322acf6585f3c4e82ee32a246b0483ca0f6ad3f4" ], "author": { "name": "Thomas Gleixner", "email": "tglx@linutronix.de", "time": "Mon Oct 20 13:14:06 2008 +0200" }, "committer": { "name": "Thomas Gleixner", "email": "tglx@linutronix.de", "time": "Mon Oct 20 13:14:06 2008 +0200" }, "message": "Merge branches \u0027timers/clocksource\u0027, \u0027timers/hrtimers\u0027, \u0027timers/nohz\u0027, \u0027timers/ntp\u0027, \u0027timers/posixtimers\u0027 and \u0027timers/debug\u0027 into v28-timers-for-linus\n" }, { "commit": "a447c0932445f92ce6f4c1bd020f62c5097a7842", "tree": "bacf05bc7f9764515cdd6f7dc5e2254776b4f160", "parents": [ "54cebc68c81eacac41a21bdfe99dc889d3882c60" ], "author": { "name": "Steven Whitehouse", "email": "swhiteho@redhat.com", "time": "Mon Oct 13 10:46:57 2008 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 13 10:10:37 2008 -0700" }, "message": "vfs: Use const for kernel parser table\n\nThis is a much better version of a previous patch to make the parser\ntables constant. Rather than changing the typedef, we put the \"const\" in\nall the various places where its required, allowing the __initconst\nexception for nfsroot which was the cause of the previous trouble.\n\nThis was posted for review some time ago and I believe its been in -mm\nsince then.\n\nSigned-off-by: Steven Whitehouse \u003cswhiteho@redhat.com\u003e\nCc: Alexander Viro \u003caviro@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8d71ff0bef9cf4e70108a9a2762f2361e607abde", "tree": "a79487fceb6ec18e956373a3019416a43b269f1d", "parents": [ "244dc4e54b73567fae7f8fd9ba56584be9375442", "92562927826fceb2f8e69c89e28161b8c1e0b125" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 13 10:00:44 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 13 10:00:44 2008 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (24 commits)\n integrity: special fs magic\n As pointed out by Jonathan Corbet, the timer must be deleted before\n ERROR: code indent should use tabs where possible\n The tpm_dev_release function is only called for platform devices, not pnp\n Protect tpm_chip_list when transversing it.\n Renames num_open to is_open, as only one process can open the file at a time.\n Remove the BKL calls from the TPM driver, which were added in the overall\n netlabel: Add configuration support for local labeling\n cipso: Add support for native local labeling and fixup mapping names\n netlabel: Changes to the NetLabel security attributes to allow LSMs to pass full contexts\n selinux: Cache NetLabel secattrs in the socket\u0027s security struct\n selinux: Set socket NetLabel based on connection endpoint\n netlabel: Add functionality to set the security attributes of a packet\n netlabel: Add network address selectors to the NetLabel/LSM domain mapping\n netlabel: Add a generic way to create ordered linked lists of network addrs\n netlabel: Replace protocol/NetLabel linking with refrerence counts\n smack: Fix missing calls to netlbl_skbuff_err()\n selinux: Fix missing calls to netlbl_skbuff_err()\n selinux: Fix a problem in security_netlbl_sid_to_secattr()\n selinux: Better local/forward check in selinux_ip_postroute()\n ...\n" }, { "commit": "934e6ebf96e8c1a0f299e64129fdaebc1132a427", "tree": "ab4bd754997b097f06a5cfefd9e3671d56e628f4", "parents": [ "2cb5998b5f0ccc886fdda3509059eef297b49577" ], "author": { "name": "Alan Cox", "email": "alan@redhat.com", "time": "Mon Oct 13 10:40:43 2008 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 13 09:51:41 2008 -0700" }, "message": "tty: Redo current tty locking\n\nCurrently it is sometimes locked by the tty mutex and sometimes by the\nsighand lock. The latter is in fact correct and now we can hand back referenced\nobjects we can fix this up without problems around sleeping functions.\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "452a00d2ee288f2cbc36f676edd06cb14d2878c1", "tree": "c8251c73924a6ac9b174bc557357bfeff0c8d1a8", "parents": [ "f4d2a6c2096b764decb20070b1bf4356de9144a8" ], "author": { "name": "Alan Cox", "email": "alan@redhat.com", "time": "Mon Oct 13 10:39:13 2008 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 13 09:51:41 2008 -0700" }, "message": "tty: Make get_current_tty use a kref\n\nWe now return a kref covered tty reference. That ensures the tty structure\ndoesn\u0027t go away when you have a return from get_current_tty. This is not\nenough to protect you from most of the resources being freed behind your\nback - yet.\n\n[Updated to include fixes for SELinux problems found by Andrew Morton and\n an s390 leak found while debugging the former]\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "92562927826fceb2f8e69c89e28161b8c1e0b125", "tree": "e44f22406ea4d3753a4834feed7e7d271da28ab8", "parents": [ "93db628658197aa46bd7f83d429908b6f187ec9c" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Oct 07 14:00:12 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Oct 13 09:47:43 2008 +1100" }, "message": "integrity: special fs magic\n\nDiscussion on the mailing list questioned the use of these\nmagic values in userspace, concluding these values are already\nexported to userspace via statfs and their correct/incorrect\nusage is left up to the userspace application.\n\n - Move special fs magic number definitions to magic.h\n - Add magic.h include\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0da939b0058742ad2d8580b7db6b966d0fc72252", "tree": "47cb109fdf97135191bff5db4e3bfc905136bf8b", "parents": [ "4bdec11f560b8f405a011288a50e65b1a81b3654", "d91d40799165b0c84c97e7c71fb8039494ff07dc" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Oct 11 09:26:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Oct 11 09:26:14 2008 +1100" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/pcmoore/lblnet-2.6_next into next\n" }, { "commit": "8d75899d033617316e06296b7c0729612f56aba0", "tree": "47ab64d46b26b86089e20c337e9ba22b00e2d94f", "parents": [ "6c5b3fc0147f79d714d2fe748b5869d7892ef2e7" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "message": "netlabel: Changes to the NetLabel security attributes to allow LSMs to pass full contexts\n\nThis patch provides support for including the LSM\u0027s secid in addition to\nthe LSM\u0027s MLS information in the NetLabel security attributes structure.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6c5b3fc0147f79d714d2fe748b5869d7892ef2e7", "tree": "2cff691b2d4da2afd69660cb4ee647f6b553cdf9", "parents": [ "014ab19a69c325f52d7bae54ceeda73d6307ae0c" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "message": "selinux: Cache NetLabel secattrs in the socket\u0027s security struct\n\nPrevious work enabled the use of address based NetLabel selectors, which\nwhile highly useful, brought the potential for additional per-packet overhead\nwhen used. This patch attempts to mitigate some of that overhead by caching\nthe NetLabel security attribute struct within the SELinux socket security\nstructure. This should help eliminate the need to recreate the NetLabel\nsecattr structure for each packet resulting in less overhead.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "014ab19a69c325f52d7bae54ceeda73d6307ae0c", "tree": "8a69c490accb7d5454bdfeb8c078d846729aeb60", "parents": [ "948bf85c1bc9a84754786a9d5dd99b7ecc46451e" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "message": "selinux: Set socket NetLabel based on connection endpoint\n\nPrevious work enabled the use of address based NetLabel selectors, which while\nhighly useful, brought the potential for additional per-packet overhead when\nused. This patch attempts to solve that by applying NetLabel socket labels\nwhen sockets are connect()\u0027d. This should alleviate the per-packet NetLabel\nlabeling for all connected sockets (yes, it even works for connected DGRAM\nsockets).\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "948bf85c1bc9a84754786a9d5dd99b7ecc46451e", "tree": "a4706be1f4a5a37408774ef3c4cab8cf2e7775b5", "parents": [ "63c41688743760631188cf0f4ae986a6793ccb0a" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:32 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:32 2008 -0400" }, "message": "netlabel: Add functionality to set the security attributes of a packet\n\nThis patch builds upon the new NetLabel address selector functionality by\nproviding the NetLabel KAPI and CIPSO engine support needed to enable the\nnew packet-based labeling. The only new addition to the NetLabel KAPI at\nthis point is shown below:\n\n * int netlbl_skbuff_setattr(skb, family, secattr)\n\n... and is designed to be called from a Netfilter hook after the packet\u0027s\nIP header has been populated such as in the FORWARD or LOCAL_OUT hooks.\n\nThis patch also provides the necessary SELinux hooks to support this new\nfunctionality. Smack support is not currently included due to uncertainty\nregarding the permissions needed to expand the Smack network access controls.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b1edeb102397546438ab4624489c6ccd7b410d97", "tree": "ce7033f678ffe46ec3f517bb2771b9cbb04d62bb", "parents": [ "a8134296ba9940b5b271d908666e532d34430a3c" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "message": "netlabel: Replace protocol/NetLabel linking with refrerence counts\n\nNetLabel has always had a list of backpointers in the CIPSO DOI definition\nstructure which pointed to the NetLabel LSM domain mapping structures which\nreferenced the CIPSO DOI struct. The rationale for this was that when an\nadministrator removed a CIPSO DOI from the system all of the associated\nNetLabel LSM domain mappings should be removed as well; a list of\nbackpointers made this a simple operation.\n\nUnfortunately, while the backpointers did make the removal easier they were\na bit of a mess from an implementation point of view which was making\nfurther development difficult. Since the removal of a CIPSO DOI is a\nrealtively rare event it seems to make sense to remove this backpointer\nlist as the optimization was hurting us more then it was helping. However,\nwe still need to be able to track when a CIPSO DOI definition is being used\nso replace the backpointer list with a reference count. In order to\npreserve the current functionality of removing the associated LSM domain\nmappings when a CIPSO DOI is removed we walk the LSM domain mapping table,\nremoving the relevant entries.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a8134296ba9940b5b271d908666e532d34430a3c", "tree": "28ef03dc3c6a56bd43e5c9d4b8b303749e815342", "parents": [ "dfaebe9825ff34983778f287101bc5f3bce00640" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "message": "smack: Fix missing calls to netlbl_skbuff_err()\n\nSmack needs to call netlbl_skbuff_err() to let NetLabel do the necessary\nprotocol specific error handling.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n" }, { "commit": "dfaebe9825ff34983778f287101bc5f3bce00640", "tree": "4dccdcdcecd57fc8bfc083ff30d9e0ecb2e7ecba", "parents": [ "99d854d231ce141850b988bdc7e2e7c78f49b03a" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "message": "selinux: Fix missing calls to netlbl_skbuff_err()\n\nAt some point I think I messed up and dropped the calls to netlbl_skbuff_err()\nwhich are necessary for CIPSO to send error notifications to remote systems.\nThis patch re-introduces the error handling calls into the SELinux code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "99d854d231ce141850b988bdc7e2e7c78f49b03a", "tree": "d9da2a23471f38f6b25ec2bcfe982622ee51adba", "parents": [ "d8395c876bb8a560c8a032887e191b95499a25d6" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:30 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:30 2008 -0400" }, "message": "selinux: Fix a problem in security_netlbl_sid_to_secattr()\n\nCurrently when SELinux fails to allocate memory in\nsecurity_netlbl_sid_to_secattr() the NetLabel LSM domain field is set to\nNULL which triggers the default NetLabel LSM domain mapping which may not\nalways be the desired mapping. This patch fixes this by returning an error\nwhen the kernel is unable to allocate memory. This could result in more\nfailures on a system with heavy memory pressure but it is the \"correct\"\nthing to do.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d8395c876bb8a560c8a032887e191b95499a25d6", "tree": "6c2ef0d59e04b90a9ef673fa34e1c042d22f128e", "parents": [ "948a72438d4178d0728c4b0a38836d280b846939" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:30 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:30 2008 -0400" }, "message": "selinux: Better local/forward check in selinux_ip_postroute()\n\nIt turns out that checking to see if skb-\u003esk is NULL is not a very good\nindicator of a forwarded packet as some locally generated packets also have\nskb-\u003esk set to NULL. Fix this by not only checking the skb-\u003esk field but also\nthe IP[6]CB(skb)-\u003eflags field for the IP[6]SKB_FORWARDED flag. While we are\nat it, we are calling selinux_parse_skb() much earlier than we really should\nresulting in potentially wasted cycles parsing packets for information we\nmight no use; so shuffle the code around a bit to fix this.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "aa86290089a1e57b4bdbbb4720072233f66bd5b2", "tree": "9ab16f4d22056297f1571bb7b2b988bff84c8a10", "parents": [ "accc609322ef5ed44cba6d2d70c741afc76385fb" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:29 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:29 2008 -0400" }, "message": "selinux: Correctly handle IPv4 packets on IPv6 sockets in all cases\n\nWe did the right thing in a few cases but there were several areas where we\ndetermined a packet\u0027s address family based on the socket\u0027s address family which\nis not the right thing to do since we can get IPv4 packets on IPv6 sockets.\nThis patch fixes these problems by either taking the address family directly\nfrom the packet.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "accc609322ef5ed44cba6d2d70c741afc76385fb", "tree": "4a86c08a2fad7302b14e0f419b5e6bd11111330f", "parents": [ "561967010edef40f539dacf2aa125e20773ab40b" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:29 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:29 2008 -0400" }, "message": "selinux: Cleanup the NetLabel glue code\n\nWe were doing a lot of extra work in selinux_netlbl_sock_graft() what wasn\u0027t\nnecessary so this patch removes that code. It also removes the redundant\nsecond argument to selinux_netlbl_sock_setsid() which allows us to simplify a\nfew other functions.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3040a6d5a2655c7967bd42b5fb4903d48daa747f", "tree": "a4342a6b272a8be9acc16131d39d971536a3e8da", "parents": [ "b5ff7df3df9efab511244d5a299fce706c71af48" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 03 10:51:15 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Oct 04 08:25:18 2008 +1000" }, "message": "selinux: Fix an uninitialized variable BUG/panic in selinux_secattr_to_sid()\n\nAt some point during the 2.6.27 development cycle two new fields were added\nto the SELinux context structure, a string pointer and a length field. The\ncode in selinux_secattr_to_sid() was not modified and as a result these two\nfields were left uninitialized which could result in erratic behavior,\nincluding kernel panics, when NetLabel is used. This patch fixes the\nproblem by fully initializing the context in selinux_secattr_to_sid() before\nuse and reducing the level of direct context manipulation done to help\nprevent future problems.\n\nPlease apply this to the 2.6.27-rcX release stream.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "81990fbdd18b9cfdc93dc221ff3250f81468aed8", "tree": "7c8298b58173e9e67f972890bdb209590ac93cab", "parents": [ "ea6b184f7d521a503ecab71feca6e4057562252b" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 03 10:51:15 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Oct 04 08:18:18 2008 +1000" }, "message": "selinux: Fix an uninitialized variable BUG/panic in selinux_secattr_to_sid()\n\nAt some point during the 2.6.27 development cycle two new fields were added\nto the SELinux context structure, a string pointer and a length field. The\ncode in selinux_secattr_to_sid() was not modified and as a result these two\nfields were left uninitialized which could result in erratic behavior,\nincluding kernel panics, when NetLabel is used. This patch fixes the\nproblem by fully initializing the context in selinux_secattr_to_sid() before\nuse and reducing the level of direct context manipulation done to help\nprevent future problems.\n\nPlease apply this to the 2.6.27-rcX release stream.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ea6b184f7d521a503ecab71feca6e4057562252b", "tree": "89724ca76ba9bc8a7029f3fd3edc49557ec6ab40", "parents": [ "de45e806a84909648623119dfe6fc1d31e71ceba" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Mon Sep 22 15:41:19 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Sep 30 00:26:53 2008 +1000" }, "message": "selinux: use default proc sid on symlinks\n\nAs we are not concerned with fine-grained control over reading of\nsymlinks in proc, always use the default proc SID for all proc symlinks.\nThis should help avoid permission issues upon changes to the proc tree\nas in the /proc/net -\u003e /proc/self/net example.\nThis does not alter labeling of symlinks within /proc/pid directories.\nls -Zd /proc/net output before and after the patch should show the difference.\n\nSigned-off-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "de45e806a84909648623119dfe6fc1d31e71ceba", "tree": "ca10329190483178175c43ad84862faa04c57195", "parents": [ "ab2b49518e743962f71b94246855c44ee9cf52cc" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Fri Sep 26 22:27:47 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Sep 27 15:07:56 2008 +1000" }, "message": "file capabilities: uninline cap_safe_nice\n\nThis reduces the kernel size by 289 bytes.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ab2b49518e743962f71b94246855c44ee9cf52cc", "tree": "26b260a350f0a0a0d19b558bf147b812e3a1564c", "parents": [ "f058925b201357fba48d56cc9c1719ae274b2022", "72d31053f62c4bc464c2783974926969614a8649" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sun Sep 21 17:41:56 2008 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sun Sep 21 17:41:56 2008 -0700" }, "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\n\tMAINTAINERS\n\nThanks for breaking my tree :-)\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f06febc96ba8e0af80bcc3eaec0a109e88275fac", "tree": "46dba9432ef25d2eae9434ff2df638c7a268c0f1", "parents": [ "6bfb09a1005193be5c81ebac9f3ef85210142650" ], "author": { "name": "Frank Mayhar", "email": "fmayhar@google.com", "time": "Fri Sep 12 09:54:39 2008 -0700" }, "committer": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Sun Sep 14 16:25:35 2008 +0200" }, "message": "timers: fix itimer/many thread hang\n\nOverview\n\nThis patch reworks the handling of POSIX CPU timers, including the\nITIMER_PROF, ITIMER_VIRT timers and rlimit handling. It was put together\nwith the help of Roland McGrath, the owner and original writer of this code.\n\nThe problem we ran into, and the reason for this rework, has to do with using\na profiling timer in a process with a large number of threads. It appears\nthat the performance of the old implementation of run_posix_cpu_timers() was\nat least O(n*3) (where \"n\" is the number of threads in a process) or worse.\nEverything is fine with an increasing number of threads until the time taken\nfor that routine to run becomes the same as or greater than the tick time, at\nwhich point things degrade rather quickly.\n\nThis patch fixes bug 9906, \"Weird hang with NPTL and SIGPROF.\"\n\nCode Changes\n\nThis rework corrects the implementation of run_posix_cpu_timers() to make it\nrun in constant time for a particular machine. (Performance may vary between\none machine and another depending upon whether the kernel is built as single-\nor multiprocessor and, in the latter case, depending upon the number of\nrunning processors.) To do this, at each tick we now update fields in\nsignal_struct as well as task_struct. The run_posix_cpu_timers() function\nuses those fields to make its decisions.\n\nWe define a new structure, \"task_cputime,\" to contain user, system and\nscheduler times and use these in appropriate places:\n\nstruct task_cputime {\n\tcputime_t utime;\n\tcputime_t stime;\n\tunsigned long long sum_exec_runtime;\n};\n\nThis is included in the structure \"thread_group_cputime,\" which is a new\nsubstructure of signal_struct and which varies for uniprocessor versus\nmultiprocessor kernels. For uniprocessor kernels, it uses \"task_cputime\" as\na simple substructure, while for multiprocessor kernels it is a pointer:\n\nstruct thread_group_cputime {\n\tstruct task_cputime totals;\n};\n\nstruct thread_group_cputime {\n\tstruct task_cputime *totals;\n};\n\nWe also add a new task_cputime substructure directly to signal_struct, to\ncache the earliest expiration of process-wide timers, and task_cputime also\nreplaces the it_*_expires fields of task_struct (used for earliest expiration\nof thread timers). The \"thread_group_cputime\" structure contains process-wide\ntimers that are updated via account_user_time() and friends. In the non-SMP\ncase the structure is a simple aggregator; unfortunately in the SMP case that\nsimplicity was not achievable due to cache-line contention between CPUs (in\none measured case performance was actually _worse_ on a 16-cpu system than\nthe same test on a 4-cpu system, due to this contention). For SMP, the\nthread_group_cputime counters are maintained as a per-cpu structure allocated\nusing alloc_percpu(). The timer functions update only the timer field in\nthe structure corresponding to the running CPU, obtained using per_cpu_ptr().\n\nWe define a set of inline functions in sched.h that we use to maintain the\nthread_group_cputime structure and hide the differences between UP and SMP\nimplementations from the rest of the kernel. The thread_group_cputime_init()\nfunction initializes the thread_group_cputime structure for the given task.\nThe thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the\nout-of-line function thread_group_cputime_alloc_smp() to allocate and fill\nin the per-cpu structures and fields. The thread_group_cputime_free()\nfunction, also a no-op for UP, in SMP frees the per-cpu structures. The\nthread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls\nthread_group_cputime_alloc() if the per-cpu structures haven\u0027t yet been\nallocated. The thread_group_cputime() function fills the task_cputime\nstructure it is passed with the contents of the thread_group_cputime fields;\nin UP it\u0027s that simple but in SMP it must also safely check that tsk-\u003esignal\nis non-NULL (if it is it just uses the appropriate fields of task_struct) and,\nif so, sums the per-cpu values for each online CPU. Finally, the three\nfunctions account_group_user_time(), account_group_system_time() and\naccount_group_exec_runtime() are used by timer functions to update the\nrespective fields of the thread_group_cputime structure.\n\nNon-SMP operation is trivial and will not be mentioned further.\n\nThe per-cpu structure is always allocated when a task creates its first new\nthread, via a call to thread_group_cputime_clone_thread() from copy_signal().\nIt is freed at process exit via a call to thread_group_cputime_free() from\ncleanup_signal().\n\nAll functions that formerly summed utime/stime/sum_sched_runtime values from\nfrom all threads in the thread group now use thread_group_cputime() to\nsnapshot the values in the thread_group_cputime structure or the values in\nthe task structure itself if the per-cpu structure hasn\u0027t been allocated.\n\nFinally, the code in kernel/posix-cpu-timers.c has changed quite a bit.\nThe run_posix_cpu_timers() function has been split into a fast path and a\nslow path; the former safely checks whether there are any expired thread\ntimers and, if not, just returns, while the slow path does the heavy lifting.\nWith the dedicated thread group fields, timers are no longer \"rebalanced\" and\nthe process_timer_rebalance() function and related code has gone away. All\nsumming loops are gone and all code that used them now uses the\nthread_group_cputime() inline. When process-wide timers are set, the new\ntask_cputime structure in signal_struct is used to cache the earliest\nexpiration; this is checked in the fast path.\n\nPerformance\n\nThe fix appears not to add significant overhead to existing operations. It\ngenerally performs the same as the current code except in two cases, one in\nwhich it performs slightly worse (Case 5 below) and one in which it performs\nvery significantly better (Case 2 below). Overall it\u0027s a wash except in those\ntwo cases.\n\nI\u0027ve since done somewhat more involved testing on a dual-core Opteron system.\n\nCase 1: With no itimer running, for a test with 100,000 threads, the fixed\n\tkernel took 1428.5 seconds, 513 seconds more than the unfixed system,\n\tall of which was spent in the system. There were twice as many\n\tvoluntary context switches with the fix as without it.\n\nCase 2: With an itimer running at .01 second ticks and 4000 threads (the most\n\tan unmodified kernel can handle), the fixed kernel ran the test in\n\teight percent of the time (5.8 seconds as opposed to 70 seconds) and\n\thad better tick accuracy (.012 seconds per tick as opposed to .023\n\tseconds per tick).\n\nCase 3: A 4000-thread test with an initial timer tick of .01 second and an\n\tinterval of 10,000 seconds (i.e. a timer that ticks only once) had\n\tvery nearly the same performance in both cases: 6.3 seconds elapsed\n\tfor the fixed kernel versus 5.5 seconds for the unfixed kernel.\n\nWith fewer threads (eight in these tests), the Case 1 test ran in essentially\nthe same time on both the modified and unmodified kernels (5.2 seconds versus\n5.8 seconds). The Case 2 test ran in about the same time as well, 5.9 seconds\nversus 5.4 seconds but again with much better tick accuracy, .013 seconds per\ntick versus .025 seconds per tick for the unmodified kernel.\n\nSince the fix affected the rlimit code, I also tested soft and hard CPU limits.\n\nCase 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer\n\trunning), the modified kernel was very slightly favored in that while\n\tit killed the process in 19.997 seconds of CPU time (5.002 seconds of\n\twall time), only .003 seconds of that was system time, the rest was\n\tuser time. The unmodified kernel killed the process in 20.001 seconds\n\tof CPU (5.014 seconds of wall time) of which .016 seconds was system\n\ttime. Really, though, the results were too close to call. The results\n\twere essentially the same with no itimer running.\n\nCase 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds\n\t(where the hard limit would never be reached) and an itimer running,\n\tthe modified kernel exhibited worse tick accuracy than the unmodified\n\tkernel: .050 seconds/tick versus .028 seconds/tick. Otherwise,\n\tperformance was almost indistinguishable. With no itimer running this\n\ttest exhibited virtually identical behavior and times in both cases.\n\nIn times past I did some limited performance testing. those results are below.\n\nOn a four-cpu Opteron system without this fix, a sixteen-thread test executed\nin 3569.991 seconds, of which user was 3568.435s and system was 1.556s. On\nthe same system with the fix, user and elapsed time were about the same, but\nsystem time dropped to 0.007 seconds. Performance with eight, four and one\nthread were comparable. Interestingly, the timer ticks with the fix seemed\nmore accurate: The sixteen-thread test with the fix received 149543 ticks\nfor 0.024 seconds per tick, while the same test without the fix received 58720\nfor 0.061 seconds per tick. Both cases were configured for an interval of\n0.01 seconds. Again, the other tests were comparable. Each thread in this\ntest computed the primes up to 25,000,000.\n\nI also did a test with a large number of threads, 100,000 threads, which is\nimpossible without the fix. In this case each thread computed the primes only\nup to 10,000 (to make the runtime manageable). System time dominated, at\n1546.968 seconds out of a total 2176.906 seconds (giving a user time of\n629.938s). It received 147651 ticks for 0.015 seconds per tick, still quite\naccurate. There is obviously no comparable test without the fix.\n\nSigned-off-by: Frank Mayhar \u003cfmayhar@google.com\u003e\nCc: Roland McGrath \u003croland@redhat.com\u003e\nCc: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nCc: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n" }, { "commit": "f058925b201357fba48d56cc9c1719ae274b2022", "tree": "796868dcdeb2ee3e2d296eeb25a8cedbb422a5a1", "parents": [ "b56c8c221d192e4ffa719d00907c3b60fbaa2737" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Thu Sep 11 09:20:26 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Sep 12 00:44:08 2008 +1000" }, "message": "Update selinux info in MAINTAINERS and Kconfig help text\n\nUpdate the SELinux entry in MAINTAINERS and drop the obsolete information\nfrom the selinux Kconfig help text.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8e531af90f3940615623dc0aa6c94866a6773601", "tree": "d618b12f26648de917cbec53677c734362e6bfc2", "parents": [ "ec0c15afb41fd9ad45b53468b60db50170e22346" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Sep 03 11:49:47 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Sep 04 08:35:13 2008 +1000" }, "message": "SELinux: memory leak in security_context_to_sid_core\n\nFix a bug and a philosophical decision about who handles errors.\n\nsecurity_context_to_sid_core() was leaking a context in the common case.\nThis was causing problems on fedora systems which recently have started\nmaking extensive use of this function.\n\nIn discussion it was decided that if string_to_context_struct() had an\nerror it was its own responsibility to clean up any mess it created\nalong the way.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "36fd71d293898a59b14e49da1f6e81c1a58f2035", "tree": "e67d5a0f6fc6caa83558f57588d9f69a46e5f4c9", "parents": [ "09a2910e54646f7a334702fbafa7a6129dc072e6" ], "author": { "name": "Li Zefan", "email": "lizf@cn.fujitsu.com", "time": "Tue Sep 02 14:35:52 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Sep 02 19:21:38 2008 -0700" }, "message": "devcgroup: fix race against rmdir()\n\nDuring the use of a dev_cgroup, we should guarantee the corresponding\ncgroup won\u0027t be deleted (i.e. via rmdir). This can be done through\ncss_get(\u0026dev_cgroup-\u003ecss), but here we can just get and use the dev_cgroup\nunder rcu_read_lock.\n\nAnd also remove checking NULL dev_cgroup, it won\u0027t be NULL since a task\nalways belongs to a cgroup.\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "d9250dea3f89fe808a525f08888016b495240ed4", "tree": "c4b039ce0b29714e8f4c3bbc6d407adc361cc122", "parents": [ "da31894ed7b654e2e1741e7ac4ef6c15be0dd14b" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@ak.jp.nec.com", "time": "Thu Aug 28 16:35:57 2008 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Aug 29 00:33:33 2008 +1000" }, "message": "SELinux: add boundary support and thread context assignment\n\nThe purpose of this patch is to assign per-thread security context\nunder a constraint. It enables multi-threaded server application\nto kick a request handler with its fair security context, and\nhelps some of userspace object managers to handle user\u0027s request.\n\nWhen we assign a per-thread security context, it must not have wider\npermissions than the original one. Because a multi-threaded process\nshares a single local memory, an arbitary per-thread security context\nalso means another thread can easily refer violated information.\n\nThe constraint on a per-thread security context requires a new domain\nhas to be equal or weaker than its original one, when it tries to assign\na per-thread security context.\n\nBounds relationship between two types is a way to ensure a domain can\nnever have wider permission than its bounds. We can define it in two\nexplicit or implicit ways.\n\nThe first way is using new TYPEBOUNDS statement. It enables to define\na boundary of types explicitly. The other one expand the concept of\nexisting named based hierarchy. If we defines a type with \".\" separated\nname like \"httpd_t.php\", toolchain implicitly set its bounds on \"httpd_t\".\n\nThis feature requires a new policy version.\nThe 24th version (POLICYDB_VERSION_BOUNDARY) enables to ship them into\nkernel space, and the following patch enables to handle it.\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "da31894ed7b654e2e1741e7ac4ef6c15be0dd14b", "tree": "7247357082b105a4aab13a2fb7dad73886f1a9e5", "parents": [ "86d688984deefa3ae5a802880c11f2b408b5d6cf" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Aug 22 11:35:57 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 28 10:47:42 2008 +1000" }, "message": "securityfs: do not depend on CONFIG_SECURITY\n\nAdd a new Kconfig option SECURITYFS which will build securityfs support\nbut does not require CONFIG_SECURITY. The only current user of\nsecurityfs does not depend on CONFIG_SECURITY and there is no reason the\nfull LSM needs to be built to build this fs.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "86d688984deefa3ae5a802880c11f2b408b5d6cf", "tree": "7ea5e8189b0a774626d3ed7c3c87df2495a4c4a0", "parents": [ "93c06cbbf9fea5d5be1778febb7fa9ab1a74e5f5", "4c246edd2550304df5b766cc841584b2bb058843" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 28 10:47:34 2008 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 28 10:47:34 2008 +1000" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "3f23d815c5049c9d7022226cec2242e384dd0b43", "tree": "7917329366ccac8e9a21d5572b9df948409cee36", "parents": [ "dbc74c65b3fd841985935f676388c82d6b85c485" ], "author": { "name": "Randy Dunlap", "email": "randy.dunlap@oracle.com", "time": "Sun Aug 17 21:44:22 2008 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Aug 20 20:16:32 2008 +1000" }, "message": "security: add/fix security kernel-doc\n\nAdd security/inode.c functions to the kernel-api docbook.\nUse \u0027%\u0027 on constants in kernel-doc notation.\nFix several typos/spellos in security function descriptions.\n\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "dbc74c65b3fd841985935f676388c82d6b85c485", "tree": "8ebbf88795fa70f56a9eb64bfc0b21dd8666d97f", "parents": [ "421fae06be9e0dac45747494756b3580643815f9" ], "author": { "name": "Vesa-Matti Kari", "email": "vmkari@cc.helsinki.fi", "time": "Thu Aug 07 03:18:20 2008 +0300" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Aug 15 08:40:47 2008 +1000" }, "message": "selinux: Unify for- and while-loop style\n\nReplace \"thing !\u003d NULL\" comparisons with just \"thing\" to make\nthe code look more uniform (mixed styles were used even in the\nsame source file).\n\nSigned-off-by: Vesa-Matti Kari \u003cvmkari@cc.helsinki.fi\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5cd9c58fbe9ec92b45b27e131719af4f2bd9eb40", "tree": "8573db001b4dc3c2ad97102dda42b841c40b5f6c", "parents": [ "8d0968abd03ec6b407df117adc773562386702fa" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Aug 14 11:37:28 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 14 22:59:43 2008 +1000" }, "message": "security: Fix setting of PF_SUPERPRIV by __capable()\n\nFix the setting of PF_SUPERPRIV by __capable() as it could corrupt the flags\nthe target process if that is not the current process and it is trying to\nchange its own flags in a different way at the same time.\n\n__capable() is using neither atomic ops nor locking to protect t-\u003eflags. This\npatch removes __capable() and introduces has_capability() that doesn\u0027t set\nPF_SUPERPRIV on the process being queried.\n\nThis patch further splits security_ptrace() in two:\n\n (1) security_ptrace_may_access(). This passes judgement on whether one\n process may access another only (PTRACE_MODE_ATTACH for ptrace() and\n PTRACE_MODE_READ for /proc), and takes a pointer to the child process.\n current is the parent.\n\n (2) security_ptrace_traceme(). This passes judgement on PTRACE_TRACEME only,\n and takes only a pointer to the parent process. current is the child.\n\n In Smack and commoncap, this uses has_capability() to determine whether\n the parent will be permitted to use PTRACE_ATTACH if normal checks fail.\n This does not set PF_SUPERPRIV.\n\nTwo of the instances of __capable() actually only act on current, and so have\nbeen changed to calls to capable().\n\nOf the places that were using __capable():\n\n (1) The OOM killer calls __capable() thrice when weighing the killability of a\n process. All of these now use has_capability().\n\n (2) cap_ptrace() and smack_ptrace() were using __capable() to check to see\n whether the parent was allowed to trace any process. As mentioned above,\n these have been split. For PTRACE_ATTACH and /proc, capable() is now\n used, and for PTRACE_TRACEME, has_capability() is used.\n\n (3) cap_safe_nice() only ever saw current, so now uses capable().\n\n (4) smack_setprocattr() rejected accesses to tasks other than current just\n after calling __capable(), so the order of these two tests have been\n switched and capable() is used instead.\n\n (5) In smack_file_send_sigiotask(), we need to allow privileged processes to\n receive SIGIO on files they\u0027re manipulating.\n\n (6) In smack_task_wait(), we let a process wait for a privileged process,\n whether or not the process doing the waiting is privileged.\n\nI\u0027ve tested this with the LTP SELinux and syscalls testscripts.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "421fae06be9e0dac45747494756b3580643815f9", "tree": "8b390e53636092477c82304b7f7f10524df6fd1b", "parents": [ "15446235367fa4a621ff5abfa4b6ebbe25b33763" ], "author": { "name": "Vesa-Matti Kari", "email": "vmkari@cc.helsinki.fi", "time": "Wed Aug 06 18:24:51 2008 +0300" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 07 08:56:16 2008 +1000" }, "message": "selinux: conditional expression type validation was off-by-one\n\nexpr_isvalid() in conditional.c was off-by-one and allowed\ninvalid expression type COND_LAST. However, it is this header file\nthat needs to be fixed. That way the if-statement\u0027s disjunction\u0027s\nsecond component reads more naturally, \"if expr type is greater than\nthe last allowed value\" ( rather than using \"\u003e\u003d\" in conditional.c):\n\n if (expr-\u003eexpr_type \u003c\u003d 0 || expr-\u003eexpr_type \u003e COND_LAST)\n\nSigned-off-by: Vesa-Matti Kari \u003cvmkari@cc.helsinki.fi\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "15446235367fa4a621ff5abfa4b6ebbe25b33763", "tree": "bc6823055afbef26560c63f8041caeadd4cef078", "parents": [ "cf9481e289247fe9cf40f2e2481220d899132049" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Wed Jul 30 15:37:11 2008 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 05 10:55:53 2008 +1000" }, "message": "smack: limit privilege by label\n\nThere have been a number of requests to make the Smack LSM\nenforce MAC even in the face of privilege, either capability\nbased or superuser based. This is not universally desired,\nhowever, so it seems desirable to make it optional. Further,\nat least one legacy OS implemented a scheme whereby only\nprocesses running with one particular label could be exempt\nfrom MAC. This patch supports these three cases.\n\nIf /smack/onlycap is empty (unset or null-string) privilege\nis enforced in the normal way.\n\nIf /smack/onlycap contains a label only processes running with\nthat label may be MAC exempt.\n\nIf the label in /smack/onlycap is the star label (\"*\") the\nsemantics of the star label combine with the privilege\nrestrictions to prevent any violations of MAC, even in the\npresence of privilege.\n\nAgain, this will be independent of the privilege scheme.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cf9481e289247fe9cf40f2e2481220d899132049", "tree": "39b8e15d27876cd84acb07c9543b423c29d66a7f", "parents": [ "0c0e186f812457e527c420f7a4d02865fd0dc7d2" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Sun Jul 27 21:31:07 2008 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 05 10:55:47 2008 +1000" }, "message": "SELinux: Fix a potentially uninitialised variable in SELinux hooks\n\nFix a potentially uninitialised variable in SELinux hooks that\u0027s given a\npointer to the network address by selinux_parse_skb() passing a pointer back\nthrough its argument list. By restructuring selinux_parse_skb(), the compiler\ncan see that the error case need not set it as the caller will return\nimmediately.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0c0e186f812457e527c420f7a4d02865fd0dc7d2", "tree": "3561fb50e5ec5d0f9466c187312797e7769cef60", "parents": [ "df4ea865f09580b1cad621c0426612f598847815" ], "author": { "name": "Vesa-Matti J Kari", "email": "vmkari@cc.helsinki.fi", "time": "Mon Jul 21 02:50:20 2008 +0300" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 05 10:55:38 2008 +1000" }, "message": "SELinux: trivial, remove unneeded local variable\n\nHello,\n\nRemove unneeded local variable:\n\n struct avtab_node *newnode\n\nSigned-off-by: Vesa-Matti Kari \u003cvmkari@cc.helsinki.fi\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "df4ea865f09580b1cad621c0426612f598847815", "tree": "57c7e7cc2cb1e4144f1a101a8bc93f74d4b64db9", "parents": [ "3583a71183a02c51ca71cd180e9189cfb0411cc1" ], "author": { "name": "Vesa-Matti J Kari", "email": "vmkari@cc.helsinki.fi", "time": "Sun Jul 20 23:57:01 2008 +0300" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 05 10:55:30 2008 +1000" }, "message": "SELinux: Trivial minor fixes that change C null character style\n\nTrivial minor fixes that change C null character style.\n\nSigned-off-by: Vesa-Matti Kari \u003cvmkari@cc.helsinki.fi\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3583a71183a02c51ca71cd180e9189cfb0411cc1", "tree": "3e613e3fc087131a2e4d2f3c5bdf36ecca02e0bd", "parents": [ "2b12a4c524812fb3f6ee590a02e65b95c8c32229" ], "author": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Tue Jul 22 20:21:23 2008 +0300" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 05 10:55:24 2008 +1000" }, "message": "make selinux_write_opts() static\n\nThis patch makes the needlessly global selinux_write_opts() static.\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "383795c206946777d87ed5f6d61d6659110f9344", "tree": "839c3a69e5a8603ce4bc494fc5b7e81c1e02e87b", "parents": [ "6e86841d05f371b5b9b86ce76c02aaee83352298" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Jul 29 17:07:26 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jul 30 08:31:28 2008 +1000" }, "message": "SELinux: /proc/mounts should show what it can\n\nGiven a hosed SELinux config in which a system never loads policy or\ndisables SELinux we currently just return -EINVAL for anyone trying to\nread /proc/mounts. This is a configuration problem but we can certainly\nbe more graceful. This patch just ignores -EINVAL when displaying LSM\noptions and causes /proc/mounts display everything else it can. If\npolicy isn\u0027t loaded the obviously there are no options, so we aren\u0027t\nreally loosing any information here.\n\nThis is safe as the only other return of EINVAL comes from\nsecurity_sid_to_context_core() in the case of an invalid sid. Even if a\nFS was mounted with a now invalidated context that sid should have been\nremapped to unlabeled and so we won\u0027t hit the EINVAL and will work like\nwe should. (yes, I tested to make sure it worked like I thought)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nTested-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4836e3007882984279ca63d3c42bf0b14616eb78", "tree": "28bf22726964e068b825491d71a141eefedbe5f8", "parents": [ "5c7c204aeca51ccfad63caab4fcdc5d8026c0fd8", "4e1e018ecc6f7bfd10fc75b3ff9715cc8164e0a2" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Jul 26 20:23:44 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Jul 26 20:23:44 2008 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: (39 commits)\n [PATCH] fix RLIM_NOFILE handling\n [PATCH] get rid of corner case in dup3() entirely\n [PATCH] remove remaining namei_{32,64}.h crap\n [PATCH] get rid of indirect users of namei.h\n [PATCH] get rid of __user_path_lookup_open\n [PATCH] f_count may wrap around\n [PATCH] dup3 fix\n [PATCH] don\u0027t pass nameidata to __ncp_lookup_validate()\n [PATCH] don\u0027t pass nameidata to gfs2_lookupi()\n [PATCH] new (local) helper: user_path_parent()\n [PATCH] sanitize __user_walk_fd() et.al.\n [PATCH] preparation to __user_walk_fd cleanup\n [PATCH] kill nameidata passing to permission(), rename to inode_permission()\n [PATCH] take noexec checks to very few callers that care\n Re: [PATCH 3/6] vfs: open_exec cleanup\n [patch 4/4] vfs: immutable inode checking cleanup\n [patch 3/4] fat: dont call notify_change\n [patch 2/4] vfs: utimes cleanup\n [patch 1/4] vfs: utimes: move owner check into inode_change_ok()\n [PATCH] vfs: use kstrdup() and check failing allocation\n ...\n" }, { "commit": "228428428138e231a155464239880201e5cc8b44", "tree": "89b437f5501d03ca36b717e232337426d0de77ca", "parents": [ "78681ac08a611313595d13cafabae1183b71ef48", "6c3b8fc618905d7599dcc514c99ce4293d476f39" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Jul 26 20:17:56 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Jul 26 20:17:56 2008 -0700" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:\n netns: fix ip_rt_frag_needed rt_is_expired\n netfilter: nf_conntrack_extend: avoid unnecessary \"ct-\u003eext\" dereferences\n netfilter: fix double-free and use-after free\n netfilter: arptables in netns for real\n netfilter: ip{,6}tables_security: fix future section mismatch\n selinux: use nf_register_hooks()\n netfilter: ebtables: use nf_register_hooks()\n Revert \"pkt_sched: sch_sfq: dump a real number of flows\"\n qeth: use dev-\u003eml_priv instead of dev-\u003epriv\n syncookies: Make sure ECN is disabled\n net: drop unused BUG_TRAP()\n net: convert BUG_TRAP to generic WARN_ON\n drivers/net: convert BUG_TRAP to generic WARN_ON\n" }, { "commit": "b1da47e29e467f1ec36dc78d009bfb109fd533c7", "tree": "13d72e54e6b7d9bbb0e48158c84bcb26561b0ecb", "parents": [ "e9b76fedc61235da80b6b7f81dfd67ec224dfb49" ], "author": { "name": "Miklos Szeredi", "email": "mszeredi@suse.cz", "time": "Tue Jul 01 15:01:28 2008 +0200" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Jul 26 20:53:27 2008 -0400" }, "message": "[patch 3/4] fat: dont call notify_change\n\nThe FAT_IOCTL_SET_ATTRIBUTES ioctl() calls notify_change() to change\nthe file mode before changing the inode attributes. Replace with\nexplicit calls to security_inode_setattr(), fat_setattr() and\nfsnotify_change().\n\nThis is equivalent to the original. The reason it is needed, is that\nlater in the series we move the immutable check into notify_change().\nThat would break the FAT_IOCTL_SET_ATTRIBUTES ioctl, as it needs to\nperform the mode change regardless of the immutability of the file.\n\n[Fix error if fat is built as a module. Thanks to OGAWA Hirofumi for\nnoticing.]\n\nSigned-off-by: Miklos Szeredi \u003cmszeredi@suse.cz\u003e\nAcked-by: OGAWA Hirofumi \u003chirofumi@mail.parknet.co.jp\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "b77b0646ef4efe31a7449bb3d9360fd00f95433d", "tree": "f8487fe832fbe23400c9f98e808555f0251fb158", "parents": [ "a110343f0d6d41f68b7cf8c00b57a3172c67f816" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Jul 17 09:37:02 2008 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Jul 26 20:53:22 2008 -0400" }, "message": "[PATCH] pass MAY_OPEN to vfs_permission() explicitly\n\n... and get rid of the last \"let\u0027s deduce mask from nameidata-\u003eflags\"\nbit.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "6c5a9d2e1599a099b0e47235a1c1502162b14310", "tree": "517e577b1485b8a40458cff1e3780eab556f4749", "parents": [ "e40f51a36a6ca718e829c0933ab1e79333ac932e" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Sat Jul 26 17:48:15 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Jul 26 17:48:15 2008 -0700" }, "message": "selinux: use nf_register_hooks()\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" } ], "next": "0d094efeb1e98010c6b99923f1eb7e17bf1e3a74" }