)]}' { "log": [ { "commit": "dd98acf74762764fbc4382a1d9a244f11a2658cc", "tree": "e194cc516ccc8812a0424dfd2ca1c32bf1052cd4", "parents": [ "5089a9768041206c76fac299ccd82a528c24c254" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Wed May 26 14:43:23 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 27 09:12:47 2010 -0700" }, "message": "keyctl_session_to_parent(): use thread_group_empty() to check singlethreadness\n\nNo functional changes.\n\nkeyctl_session_to_parent() is the only user of signal-\u003ecount which needs\nthe correct value. Change it to use thread_group_empty() instead, this\nmust be strictly equivalent under tasklist, and imho looks better.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nAcked-by: Roland McGrath \u003croland@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c5b60b5e67af8be4c58d3ffcc36894f69c4fbdc1", "tree": "5ca471fad635ee8d91a24c7b5448dbcad3de74ef", "parents": [ "822cceec7248013821d655545ea45d1c6a9d15b3" ], "author": { "name": "Justin P. Mattock", "email": "justinmattock@gmail.com", "time": "Wed Apr 21 00:02:11 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 23 10:10:23 2010 +1000" }, "message": "security: whitespace coding style fixes\n\nWhitespace coding style fixes.\n\nSigned-off-by: Justin P. Mattock \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3011a344cdcda34cdbcb40c3fb3d1a6e89954abb", "tree": "43db9abc5f96cd8ec31a4a24f0d52dae76680a1c", "parents": [ "6307f8fee295b364716d28686df6e69c2fee751a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:15:19 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:19:18 2010 +1000" }, "message": "security: remove dead hook key_session_to_parent\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a00ae4d21b2fa9379914f270ffffd8d3bec55430", "tree": "81950b31b2bbd816e5ad119acba46d859de9aceb", "parents": [ "6e1415467614e854fee660ff6648bd10fa976e95" ], "author": { "name": "Geert Uytterhoeven", "email": "geert@linux-m68k.org", "time": "Sun Dec 13 20:21:34 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 17 09:27:59 2009 +1100" }, "message": "Keys: KEYCTL_SESSION_TO_PARENT needs TIF_NOTIFY_RESUME architecture support\n\nAs of commit ee18d64c1f632043a02e6f5ba5e045bb26a5465f (\"KEYS: Add a keyctl to\ninstall a process\u0027s session keyring on its parent [try #6]\"), CONFIG_KEYS\u003dy\nfails to build on architectures that haven\u0027t implemented TIF_NOTIFY_RESUME yet:\n\nsecurity/keys/keyctl.c: In function \u0027keyctl_session_to_parent\u0027:\nsecurity/keys/keyctl.c:1312: error: \u0027TIF_NOTIFY_RESUME\u0027 undeclared (first use in this function)\nsecurity/keys/keyctl.c:1312: error: (Each undeclared identifier is reported only once\nsecurity/keys/keyctl.c:1312: error: for each function it appears in.)\n\nMake KEYCTL_SESSION_TO_PARENT depend on TIF_NOTIFY_RESUME until\nm68k, and xtensa have implemented it.\n\nSigned-off-by: Geert Uytterhoeven \u003cgeert@linux-m68k.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Mike Frysinger \u003cvapier@gentoo.org\u003e\n" }, { "commit": "fa1cc7b5a5c4171dfdcac855428295340ccf87ec", "tree": "eccd00dd480c980a45159e3964038cee255ff9f8", "parents": [ "d4220f987cf473c65a342ca69e3eb13dea919a49" ], "author": { "name": "Roel Kluin", "email": "roel.kluin@gmail.com", "time": "Tue Dec 15 15:05:12 2009 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 17 09:23:48 2009 +1100" }, "message": "keys: PTR_ERR return of wrong pointer in keyctl_get_security()\n\nReturn the PTR_ERR of the correct pointer.\n\nSigned-off-by: Roel Kluin \u003croel.kluin@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "21279cfa107af07ef985539ac0de2152b9cba5f5", "tree": "a31f1447e0246316c00b26fb599c1595301bb4b5", "parents": [ "37a08b13eba6ce3b42df30b2a5ca3a9845f429ec" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Oct 15 10:14:35 2009 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Oct 15 15:19:58 2009 -0700" }, "message": "KEYS: get_instantiation_keyring() should inc the keyring refcount in all cases\n\nThe destination keyring specified to request_key() and co. is made available to\nthe process that instantiates the key (the slave process started by\n/sbin/request-key typically). This is passed in the request_key_auth struct as\nthe dest_keyring member.\n\nkeyctl_instantiate_key and keyctl_negate_key() call get_instantiation_keyring()\nto get the keyring to attach the newly constructed key to at the end of\ninstantiation. This may be given a specific keyring into which a link will be\nmade later, or it may be asked to find the keyring passed to request_key(). In\nthe former case, it returns a keyring with the refcount incremented by\nlookup_user_key(); in the latter case, it returns the keyring from the\nrequest_key_auth struct - and does _not_ increment the refcount.\n\nThe latter case will eventually result in an oops when the keyring prematurely\nruns out of references and gets destroyed. The effect may take some time to\nshow up as the key is destroyed lazily.\n\nTo fix this, the keyring returned by get_instantiation_keyring() must always\nhave its refcount incremented, no matter where it comes from.\n\nThis can be tested by setting /etc/request-key.conf to:\n\n#OP\tTYPE\tDESCRIPTION\tCALLOUT INFO\tPROGRAM ARG1 ARG2 ARG3 ...\n#\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\ncreate *\ttest:*\t\t*\t\t|/bin/false %u %g %d %{user:_display}\nnegate\t*\t*\t\t*\t\t/bin/keyctl negate %k 10 @u\n\nand then doing:\n\n\tkeyctl add user _display aaaaaaaa @u\n while keyctl request2 user test:x test:x @u \u0026\u0026\n keyctl list @u;\n do\n keyctl request2 user test:x test:x @u;\n sleep 31;\n keyctl list @u;\n done\n\nwhich will oops eventually. Changing the negate line to have @u rather than\n%S at the end is important as that forces the latter case by passing a special\nkeyring ID rather than an actual keyring ID.\n\nReported-by: Alexander Zangerl \u003caz@bond.edu.au\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Alexander Zangerl \u003caz@bond.edu.au\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c08ef808ef24df32e25fbd949fe5310172f3c408", "tree": "12bae6fd48e1cdcc1b792c221376c727d9472cc6", "parents": [ "5c84342a3e147a23752276650340801c237d0e56" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Sep 14 17:26:13 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Sep 15 09:11:02 2009 +1000" }, "message": "KEYS: Fix garbage collector\n\nFix a number of problems with the new key garbage collector:\n\n (1) A rogue semicolon in keyring_gc() was causing the initial count of dead\n keys to be miscalculated.\n\n (2) A missing return in keyring_gc() meant that under certain circumstances,\n the keyring semaphore would be unlocked twice.\n\n (3) The key serial tree iterator (key_garbage_collector()) part of the garbage\n collector has been modified to:\n\n (a) Complete each scan of the keyrings before setting the new timer.\n\n (b) Only set the new timer for keys that have yet to expire. This means\n that the new timer is now calculated correctly, and the gc doesn\u0027t\n get into a loop continually scanning for keys that have expired, and\n preventing other things from happening, like RCU cleaning up the old\n keyring contents.\n\n (c) Perform an extra scan if any keys were garbage collected in this one\n \t as a key might become garbage during a scan, and (b) could mean we\n \t don\u0027t set the timer again.\n\n (4) Made key_schedule_gc() take the time at which to do a collection run,\n rather than the time at which the key expires. This means the collection\n of dead keys (key type unregistered) can happen immediately.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5c84342a3e147a23752276650340801c237d0e56", "tree": "a57a81dd9b48f8bd837ab13e319375c248cc7b89", "parents": [ "4a5d6ba1914d1bf1fcfb5e15834c29d84a879219" ], "author": { "name": "Marc Dionne", "email": "marc.c.dionne@gmail.com", "time": "Mon Sep 14 12:46:23 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Sep 15 09:10:59 2009 +1000" }, "message": "KEYS: Unlock tasklist when exiting early from keyctl_session_to_parent\n\nWhen we exit early from keyctl_session_to_parent because of permissions or\nbecause the session keyring is the same as the parent, we need to unlock the\ntasklist.\n\nThe missing unlock causes the system to hang completely when using\nkeyctl(KEYCTL_SESSION_TO_PARENT) with a keyring shared with the parent.\n\nSigned-off-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ee18d64c1f632043a02e6f5ba5e045bb26a5465f", "tree": "80b5a4d530ec7d5fd69799920f0db7b78aba6b9d", "parents": [ "d0420c83f39f79afb82010c2d2cafd150eef651b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:14:21 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:22 2009 +1000" }, "message": "KEYS: Add a keyctl to install a process\u0027s session keyring on its parent [try #6]\n\nAdd a keyctl to install a process\u0027s session keyring onto its parent. This\nreplaces the parent\u0027s session keyring. Because the COW credential code does\nnot permit one process to change another process\u0027s credentials directly, the\nchange is deferred until userspace next starts executing again. Normally this\nwill be after a wait*() syscall.\n\nTo support this, three new security hooks have been provided:\ncred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in\nthe blank security creds and key_session_to_parent() - which asks the LSM if\nthe process may replace its parent\u0027s session keyring.\n\nThe replacement may only happen if the process has the same ownership details\nas its parent, and the process has LINK permission on the session keyring, and\nthe session keyring is owned by the process, and the LSM permits it.\n\nNote that this requires alteration to each architecture\u0027s notify_resume path.\nThis has been done for all arches barring blackfin, m68k* and xtensa, all of\nwhich need assembly alteration to support TIF_NOTIFY_RESUME. This allows the\nreplacement to be performed at the point the parent process resumes userspace\nexecution.\n\nThis allows the userspace AFS pioctl emulation to fully emulate newpag() and\nthe VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to\nalter the parent process\u0027s PAG membership. However, since kAFS doesn\u0027t use\nPAGs per se, but rather dumps the keys into the session keyring, the session\nkeyring of the parent must be replaced if, for example, VIOCSETTOK is passed\nthe newpag flag.\n\nThis can be tested with the following program:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\n\t#define KEYCTL_SESSION_TO_PARENT\t18\n\n\t#define OSERROR(X, S) do { if ((long)(X) \u003d\u003d -1) { perror(S); exit(1); } } while(0)\n\n\tint main(int argc, char **argv)\n\t{\n\t\tkey_serial_t keyring, key;\n\t\tlong ret;\n\n\t\tkeyring \u003d keyctl_join_session_keyring(argv[1]);\n\t\tOSERROR(keyring, \"keyctl_join_session_keyring\");\n\n\t\tkey \u003d add_key(\"user\", \"a\", \"b\", 1, keyring);\n\t\tOSERROR(key, \"add_key\");\n\n\t\tret \u003d keyctl(KEYCTL_SESSION_TO_PARENT);\n\t\tOSERROR(ret, \"KEYCTL_SESSION_TO_PARENT\");\n\n\t\treturn 0;\n\t}\n\nCompiled and linked with -lkeyutils, you should see something like:\n\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t355907932 --alswrv 4043 -1 \\_ keyring: _uid.4043\n\t[dhowells@andromeda ~]$ /tmp/newpag\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t1055658746 --alswrv 4043 4043 \\_ user: a\n\t[dhowells@andromeda ~]$ /tmp/newpag hello\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: hello\n\t340417692 --alswrv 4043 4043 \\_ user: a\n\nWhere the test program creates a new session keyring, sticks a user key named\n\u0027a\u0027 into it and then installs it on its parent.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5d135440faf7db8d566de0c6fab36b16cf9cfc3b", "tree": "d9c022e73ed51dfe5729fde9a97150cb64b68196", "parents": [ "f041ae2f99d49adc914153a34a2d0e14e4389d90" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:14:00 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:11 2009 +1000" }, "message": "KEYS: Add garbage collection for dead, revoked and expired keys. [try #6]\n\nAdd garbage collection for dead, revoked and expired keys. This involved\nerasing all links to such keys from keyrings that point to them. At that\npoint, the key will be deleted in the normal manner.\n\nKeyrings from which garbage collection occurs are shrunk and their quota\nconsumption reduced as appropriate.\n\nDead keys (for which the key type has been removed) will be garbage collected\nimmediately.\n\nRevoked and expired keys will hang around for a number of seconds, as set in\n/proc/sys/kernel/keys/gc_delay before being automatically removed. The default\nis 5 minutes.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0c2c9a3fc77e8b60d43d9bd2ca46eb4dddb0ff76", "tree": "e718aa64ab3b5d4fd73f7a837ee9ea0debfcc773", "parents": [ "5593122eec26b061cc0b6fbff32118f1aadf4a27" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:13:50 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:06 2009 +1000" }, "message": "KEYS: Allow keyctl_revoke() on keys that have SETATTR but not WRITE perm [try #6]\n\nAllow keyctl_revoke() to operate on keys that have SETATTR but not WRITE\npermission, rather than only on keys that have WRITE permission.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5593122eec26b061cc0b6fbff32118f1aadf4a27", "tree": "f148b182ada54b722962607567bd5b1ace06640a", "parents": [ "e0e817392b9acf2c98d3be80c233dddb1b52003d" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:13:45 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:04 2009 +1000" }, "message": "KEYS: Deal with dead-type keys appropriately [try #6]\n\nAllow keys for which the key type has been removed to be unlinked. Currently\ndead-type keys can only be disposed of by completely clearing the keyrings\nthat point to them.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1d1e97562e5e2ac60fb7b25437ba619f95f67fab", "tree": "68a9c52ecbff0782dd9b9438685afc3b40b6f707", "parents": [ "be38e0fd5f90a91d09e0a85ffb294b70a7be6259" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Thu Feb 26 18:27:38 2009 -0600" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 27 12:35:06 2009 +1100" }, "message": "keys: distinguish per-uid keys in different namespaces\n\nper-uid keys were looked by uid only. Use the user namespace\nto distinguish the same uid in different namespaces.\n\nThis does not address key_permission. So a task can for instance\ntry to join a keyring owned by the same uid in another namespace.\nThat will be handled by a separate patch.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0d54ee1c7850a954026deec4cd4885f331da35cc", "tree": "00f5219a49428dabca10428cbeaaa2c44e774808", "parents": [ "1de9e8e70f5acc441550ca75433563d91b269bbe" ], "author": { "name": "Vegard Nossum", "email": "vegard.nossum@gmail.com", "time": "Sat Jan 17 17:45:45 2009 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Jan 17 14:24:46 2009 -0800" }, "message": "security: introduce missing kfree\n\nPlug this leak.\n\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Vegard Nossum \u003cvegard.nossum@gmail.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "938bb9f5e840eddbf54e4f62f6c5ba9b3ae12c9d", "tree": "a25324159ed8cc96b97a4d39aaf228bbd07e3824", "parents": [ "1e7bfb2134dfec37ce04fb3a4ca89299e892d10c" ], "author": { "name": "Heiko Carstens", "email": "heiko.carstens@de.ibm.com", "time": "Wed Jan 14 14:14:30 2009 +0100" }, "committer": { "name": "Heiko Carstens", "email": "heiko.carstens@de.ibm.com", "time": "Wed Jan 14 14:15:30 2009 +0100" }, "message": "[CVE-2009-0029] System call wrappers part 28\n\nSigned-off-by: Heiko Carstens \u003cheiko.carstens@de.ibm.com\u003e\n" }, { "commit": "1e7bfb2134dfec37ce04fb3a4ca89299e892d10c", "tree": "99c676262e696754dcbfb2d6f59499972cd0c38c", "parents": [ "c4ea37c26a691ad0b7e86aa5884aab27830e95c9" ], "author": { "name": "Heiko Carstens", "email": "heiko.carstens@de.ibm.com", "time": "Wed Jan 14 14:14:29 2009 +0100" }, "committer": { "name": "Heiko Carstens", "email": "heiko.carstens@de.ibm.com", "time": "Wed Jan 14 14:15:29 2009 +0100" }, "message": "[CVE-2009-0029] System call wrappers part 27\n\nSigned-off-by: Heiko Carstens \u003cheiko.carstens@de.ibm.com\u003e\n" }, { "commit": "90bd49ab6649269cd10d0edc86d0e0f62864726a", "tree": "504e95359f2e021ae1ba4c53a1000dd08ad63c55", "parents": [ "6a94cb73064c952255336cc57731904174b2c58f" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Dec 29 14:35:35 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 01 10:32:44 2009 +1100" }, "message": "keys: fix sparse warning by adding __user annotation to cast\n\nFix the following sparse warning:\n\n CC security/keys/key.o\n security/keys/keyctl.c:1297:10: warning: incorrect type in argument 2 (different address spaces)\n security/keys/keyctl.c:1297:10: expected char [noderef] \u003casn:1\u003e*buffer\n security/keys/keyctl.c:1297:10: got char *\u003cnoident\u003e\n\nwhich appears to be caused by lack of __user annotation to the cast of\na syscall argument.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "eca1bf5b4fab56d2feb1572d34d59fcd92ea7df3", "tree": "58ce85049625d01d52f3b32a6035bce9dbbc4ebf", "parents": [ "3c92ec8ae91ecf59d88c798301833d7cf83f2179" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Dec 29 00:41:51 2008 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Dec 29 14:24:43 2008 +1100" }, "message": "KEYS: Fix variable uninitialisation warnings\n\nFix variable uninitialisation warnings introduced in:\n\n\tcommit 8bbf4976b59fc9fc2861e79cab7beb3f6d647640\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Fri Nov 14 10:39:14 2008 +1100\n\n\tKEYS: Alter use of key instantiation link-to-keyring argument\n\nAs:\n\n security/keys/keyctl.c: In function \u0027keyctl_negate_key\u0027:\n security/keys/keyctl.c:976: warning: \u0027dest_keyring\u0027 may be used uninitialized in this function\n security/keys/keyctl.c: In function \u0027keyctl_instantiate_key\u0027:\n security/keys/keyctl.c:898: warning: \u0027dest_keyring\u0027 may be used uninitialized in this function\n\nSome versions of gcc notice that get_instantiation_key() doesn\u0027t always set\n*_dest_keyring, but fail to observe that if this happens then *_dest_keyring\nwill not be read by the caller.\n\nReported-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a", "tree": "9e76f972eb7ce9b84e0146c8e4126a3f86acb428", "parents": [ "15a2460ed0af7538ca8e6c610fe607a2cd9da142" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "message": "CRED: Separate task security context from task_struct\n\nSeparate the task security context from task_struct. At this point, the\nsecurity data is temporarily embedded in the task_struct with two pointers\npointing to it.\n\nNote that the Alpha arch is altered as it refers to (E)UID and (E)GID in\nentry.S via asm-offsets.\n\nWith comment fixes Signed-off-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8bbf4976b59fc9fc2861e79cab7beb3f6d647640", "tree": "9bd621217cbdfcf94aca5b220de7363254d7fc23", "parents": [ "e9e349b051d98799b743ebf248cc2d986fedf090" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "message": "KEYS: Alter use of key instantiation link-to-keyring argument\n\nAlter the use of the key instantiation and negation functions\u0027 link-to-keyring\narguments. Currently this specifies a keyring in the target process to link\nthe key into, creating the keyring if it doesn\u0027t exist. This, however, can be\na problem for copy-on-write credentials as it means that the instantiating\nprocess can alter the credentials of the requesting process.\n\nThis patch alters the behaviour such that:\n\n (1) If keyctl_instantiate_key() or keyctl_negate_key() are given a specific\n keyring by ID (ringid \u003e\u003d 0), then that keyring will be used.\n\n (2) If keyctl_instantiate_key() or keyctl_negate_key() are given one of the\n special constants that refer to the requesting process\u0027s keyrings\n (KEY_SPEC_*_KEYRING, all \u003c\u003d 0), then:\n\n (a) If sys_request_key() was given a keyring to use (destringid) then the\n \t key will be attached to that keyring.\n\n (b) If sys_request_key() was given a NULL keyring, then the key being\n \t instantiated will be attached to the default keyring as set by\n \t keyctl_set_reqkey_keyring().\n\n (3) No extra link will be made.\n\nDecision point (1) follows current behaviour, and allows those instantiators\nwho\u0027ve searched for a specifically named keyring in the requestor\u0027s keyring so\nas to partition the keys by type to still have their named keyrings.\n\nDecision point (2) allows the requestor to make sure that the key or keys that\nget produced by request_key() go where they want, whilst allowing the\ninstantiator to request that the key is retained. This is mainly useful for\nsituations where the instantiator makes a secondary request, the key for which\nshould be retained by the initial requestor:\n\n\t+-----------+ +--------------+ +--------------+\n\t| | | | | |\n\t| Requestor |-------\u003e| Instantiator |-------\u003e| Instantiator |\n\t| | | | | |\n\t+-----------+ +--------------+ +--------------+\n\t request_key() request_key()\n\nThis might be useful, for example, in Kerberos, where the requestor requests a\nticket, and then the ticket instantiator requests the TGT, which someone else\nthen has to go and fetch. The TGT, however, should be retained in the\nkeyrings of the requestor, not the first instantiator. To make this explict\nan extra special keyring constant is also added.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "47d804bfa1857b0edcac972c86499dcd14df3cf2", "tree": "200b2d1190e29be40c771bf6a4e0db0ef9e7d383", "parents": [ "8192b0c482d7078fcdcb4854341b977426f6f09b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:11 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:11 2008 +1100" }, "message": "CRED: Wrap task credential accesses in the key management code\n\nWrap access to task credentials so that they can be separated more easily from\nthe task_struct during the introduction of COW creds.\n\nChange most current-\u003e(|e|s|fs)[ug]id to current_(|e|s|fs)[ug]id().\n\nChange some task-\u003ee?[ug]id to task_e?[ug]id(). In some places it makes more\nsense to use RCU directly rather than a convenient wrapper; these will be\naddressed by later patches.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0b77f5bfb45c13e1e5142374f9d6ca75292252a4", "tree": "cf62055536d267e9a4abe6518e5d9f683a1ceb75", "parents": [ "69664cf16af4f31cd54d77948a4baf9c7e0ca7b9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:32 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:17 2008 -0700" }, "message": "keys: make the keyring quotas controllable through /proc/sys\n\nMake the keyring quotas controllable through /proc/sys files:\n\n (*) /proc/sys/kernel/keys/root_maxkeys\n /proc/sys/kernel/keys/root_maxbytes\n\n Maximum number of keys that root may have and the maximum total number of\n bytes of data that root may have stored in those keys.\n\n (*) /proc/sys/kernel/keys/maxkeys\n /proc/sys/kernel/keys/maxbytes\n\n Maximum number of keys that each non-root user may have and the maximum\n total number of bytes of data that each of those users may have stored in\n their keys.\n\nAlso increase the quotas as a number of people have been complaining that it\u0027s\nnot big enough. I\u0027m not sure that it\u0027s big enough now either, but on the\nother hand, it can now be set in /etc/sysctl.conf.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: \u003ckwc@citi.umich.edu\u003e\nCc: \u003carunsr@cse.iitk.ac.in\u003e\nCc: \u003cdwalsh@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "6b79ccb5144f9ffb4d4596c23e7570238dd12abc", "tree": "e674339e9f86c3607304496792b417b0ed66de6f", "parents": [ "da91d2ef9fe4fd84cc0a8a729201d38e40ac9f2e" ], "author": { "name": "Arun Raghavan", "email": "arunsr@cse.iitk.ac.in", "time": "Tue Apr 29 01:01:28 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: allow clients to set key perms in key_create_or_update()\n\nThe key_create_or_update() function provided by the keyring code has a default\nset of permissions that are always applied to the key when created. This\nmight not be desirable to all clients.\n\nHere\u0027s a patch that adds a \"perm\" parameter to the function to address this,\nwhich can be set to KEY_PERM_UNDEF to revert to the current behaviour.\n\nSigned-off-by: Arun Raghavan \u003carunsr@cse.iitk.ac.in\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Satyam Sharma \u003cssatyam@cse.iitk.ac.in\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "70a5bb72b55e82fbfbf1e22cae6975fac58a1e2d", "tree": "8e6dcaf5630388d81b23845f293789f2d6a3596b", "parents": [ "4a38e122e2cc6294779021ff4ccc784a3997059e" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:26 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: add keyctl function to get a security label\n\nAdd a keyctl() function to get the security label of a key.\n\nThe following is added to Documentation/keys.txt:\n\n (*) Get the LSM security context attached to a key.\n\n\tlong keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer,\n\t\t size_t buflen)\n\n This function returns a string that represents the LSM security context\n attached to a key in the buffer provided.\n\n Unless there\u0027s an error, it always returns the amount of data it could\n produce, even if that\u0027s too big for the buffer, but it won\u0027t copy more\n than requested to userspace. If the buffer pointer is NULL then no copy\n will take place.\n\n A NUL character is included at the end of the string if the buffer is\n sufficiently big. This is included in the returned count. If no LSM is\n in force then an empty string will be returned.\n\n A process must have view permission on the key for this function to be\n successful.\n\n[akpm@linux-foundation.org: declare keyctl_get_security()]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4a38e122e2cc6294779021ff4ccc784a3997059e", "tree": "84b401b44e0550b04f831d98a91eacfd7cffb51d", "parents": [ "dceba9944181b1fd5993417b5c8fa0e3dda38f8d" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:24 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: allow the callout data to be passed as a blob rather than a string\n\nAllow the callout data to be passed as a blob rather than a string for\ninternal kernel services that call any request_key_*() interface other than\nrequest_key(). request_key() itself still takes a NUL-terminated string.\n\nThe functions that change are:\n\n\trequest_key_with_auxdata()\n\trequest_key_async()\n\trequest_key_async_with_auxdata()\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "38bbca6b6f164e08a4a9cdfd719fff679af98375", "tree": "c4d4839e57bbcbae1ecfa7867b810c6203b0d601", "parents": [ "4220b7fe89f8c0623e09168ab81dd0da2fdadd72" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:19 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: increase the payload size when instantiating a key\n\nIncrease the size of a payload that can be used to instantiate a key in\nadd_key() and keyctl_instantiate_key(). This permits huge CIFS SPNEGO blobs\nto be passed around. The limit is raised to 1MB. If kmalloc() can\u0027t allocate\na buffer of sufficient size, vmalloc() will be tried instead.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nCc: Steven French \u003csfrench@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4e54f08543d05e519e601368571cc3787fefae96", "tree": "0cd9d982e5bb25abcb9251d26c36ff11e7dc81a5", "parents": [ "94583779e6625154e8d7fce33d097ae7d089e9de" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 29 02:24:28 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Thu Jun 29 10:26:20 2006 -0700" }, "message": "[PATCH] Keys: Allow in-kernel key requestor to pass auxiliary data to upcaller\n\nThe proposed NFS key type uses its own method of passing key requests to\nuserspace (upcalling) rather than invoking /sbin/request-key. This is\nbecause the responsible userspace daemon should already be running and will\nbe contacted through rpc_pipefs.\n\nThis patch permits the NFS filesystem to pass auxiliary data to the upcall\noperation (struct key_type::request_key) so that the upcaller can use a\npre-existing communications channel more easily.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-By: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "5801649d8b83e7cb9b15839761bdee594653c294", "tree": "4534b606908596651a533b2f51418444b5a1e705", "parents": [ "31204ed925b067d2bb65adb89501656f8274a32a" ], "author": { "name": "Fredrik Tolf", "email": "fredrik@dolda2000.com", "time": "Mon Jun 26 00:24:51 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: let keyctl_chown() change a key\u0027s owner\n\nLet keyctl_chown() change a key\u0027s owner, including attempting to transfer the\nquota burden to the new user.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "7e047ef5fe2d52e83020e856b1bf2556a6a2ce98", "tree": "97656e2c56a27be9d1da451dde627b693b8643f2", "parents": [ "f116629d03655adaf7832b93b03c99391d09d4a7" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Jun 26 00:24:50 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: sort out key quota system\n\nAdd the ability for key creation to overrun the user\u0027s quota in some\ncircumstances - notably when a session keyring is created and assigned to a\nprocess that didn\u0027t previously have one.\n\nThis means it\u0027s still possible to log in, should PAM require the creation of a\nnew session keyring, and fix an overburdened key quota.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "0cb409d98e351e6817e0bc37fe6815fc14b2c036", "tree": "2d3636949d65d5e4911bc9106ddfdf75872c2380", "parents": [ "24277dda3a54aa5e6265487e1a3091e27f3c0c45" ], "author": { "name": "Davi Arnaut", "email": "davi.arnaut@gmail.com", "time": "Fri Mar 24 03:18:43 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Mar 24 07:33:31 2006 -0800" }, "message": "[PATCH] strndup_user: convert keyctl\n\nCopies user-space string with strndup_user() and moves the type string\nduplication code to a function (thus fixing a wrong check on the length of the\ntype.)\n\nSigned-off-by: Davi Arnaut \u003cdavi.arnaut@gmail.com\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "6d94074f0804143eac6bce72dc04447c0040e7d8", "tree": "2833a03682e12d81d4bd849435cd9f95e64e9350", "parents": [ "353368dffb56b066cbe00264581a56caf0241b29" ], "author": { "name": "Davi Arnaut", "email": "davi.arnaut@gmail.com", "time": "Fri Feb 03 03:04:46 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Feb 03 08:32:10 2006 -0800" }, "message": "[PATCH] Fix keyctl usage of strnlen_user()\n\nIn the small window between strnlen_user() and copy_from_user() userspace\ncould alter the terminating `\\0\u0027 character.\n\nSigned-off-by: Davi Arnaut \u003cdavi.arnaut@gmail.com\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "c59ede7b78db329949d9cdcd7064e22d357560ef", "tree": "f9dc9d464fdad5bfd464d983e77c1af031389dda", "parents": [ "e16885c5ad624a6efe1b1bf764e075d75f65a788" ], "author": { "name": "Randy.Dunlap", "email": "rdunlap@xenotime.net", "time": "Wed Jan 11 12:17:46 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Wed Jan 11 18:42:13 2006 -0800" }, "message": "[PATCH] move capable() to capability.h\n\n- Move capable() from sched.h to capability.h;\n\n- Use \u003clinux/capability.h\u003e where capable() is used\n\t(in include/, block/, ipc/, kernel/, a few drivers/,\n\tmm/, security/, \u0026 sound/;\n\tmany more drivers/ to go)\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "b5f545c880a2a47947ba2118b2509644ab7a2969", "tree": "8720e02262b0ff6309ae79603f6c63965296d378", "parents": [ "cab8eb594e84b434d20412fc5a3985b0bee3ab9f" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Sun Jan 08 01:02:47 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun Jan 08 20:13:53 2006 -0800" }, "message": "[PATCH] keys: Permit running process to instantiate keys\n\nMake it possible for a running process (such as gssapid) to be able to\ninstantiate a key, as was requested by Trond Myklebust for NFS4.\n\nThe patch makes the following changes:\n\n (1) A new, optional key type method has been added. This permits a key type\n to intercept requests at the point /sbin/request-key is about to be\n spawned and do something else with them - passing them over the\n rpc_pipefs files or netlink sockets for instance.\n\n The uninstantiated key, the authorisation key and the intended operation\n name are passed to the method.\n\n (2) The callout_info is no longer passed as an argument to /sbin/request-key\n to prevent unauthorised viewing of this data using ps or by looking in\n /proc/pid/cmdline.\n\n This means that the old /sbin/request-key program will not work with the\n patched kernel as it will expect to see an extra argument that is no\n longer there.\n\n A revised keyutils package will be made available tomorrow.\n\n (3) The callout_info is now attached to the authorisation key. Reading this\n key will retrieve the information.\n\n (4) A new field has been added to the task_struct. This holds the\n authorisation key currently active for a thread. Searches now look here\n for the caller\u0027s set of keys rather than looking for an auth key in the\n lowest level of the session keyring.\n\n This permits a thread to be servicing multiple requests at once and to\n switch between them. Note that this is per-thread, not per-process, and\n so is usable in multithreaded programs.\n\n The setting of this field is inherited across fork and exec.\n\n (5) A new keyctl function (KEYCTL_ASSUME_AUTHORITY) has been added that\n permits a thread to assume the authority to deal with an uninstantiated\n key. Assumption is only permitted if the authorisation key associated\n with the uninstantiated key is somewhere in the thread\u0027s keyrings.\n\n This function can also clear the assumption.\n\n (6) A new magic key specifier has been added to refer to the currently\n assumed authorisation key (KEY_SPEC_REQKEY_AUTH_KEY).\n\n (7) Instantiation will only proceed if the appropriate authorisation key is\n assumed first. The assumed authorisation key is discarded if\n instantiation is successful.\n\n (8) key_validate() is moved from the file of request_key functions to the\n file of permissions functions.\n\n (9) The documentation is updated.\n\nFrom: \u003cValdis.Kletnieks@vt.edu\u003e\n\n Build fix.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Trond Myklebust \u003ctrond.myklebust@fys.uio.no\u003e\nCc: Alexander Zangerl \u003caz@bond.edu.au\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "017679c4d45783158dba1dd6f79e712c22bb3d9a", "tree": "a536f0b581eacd88a64077f5ff15b29d23fc6405", "parents": [ "cd140a5c1f456f50897af4a2e9a23d228a5fe719" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Sun Jan 08 01:02:43 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun Jan 08 20:13:53 2006 -0800" }, "message": "[PATCH] keys: Permit key expiry time to be set\n\nAdd a new keyctl function that allows the expiry time to be set on a key or\nremoved from a key, provided the caller has attribute modification access.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Trond Myklebust \u003ctrond.myklebust@fys.uio.no\u003e\nCc: Alexander Zangerl \u003caz@bond.edu.au\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "29db9190634067c5a328ee5fcc2890251b836b4b", "tree": "07ec242789230824f1fa8bcbbe681fd5bf166fa8", "parents": [ "2aa349f6e37ce030060c994d3aebbff4ab703565" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Sun Oct 30 15:02:44 2005 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun Oct 30 17:37:23 2005 -0800" }, "message": "[PATCH] Keys: Add LSM hooks for key management [try #3]\n\nThe attached patch adds LSM hooks for key management facilities. The notable\nchanges are:\n\n (1) The key struct now supports a security pointer for the use of security\n modules. This will permit key labelling and restrictions on which\n programs may access a key.\n\n (2) Security modules get a chance to note (or abort) the allocation of a key.\n\n (3) The key permission checking can now be enhanced by the security modules;\n the permissions check consults LSM if all other checks bear out.\n\n (4) The key permissions checking functions now return an error code rather\n than a boolean value.\n\n (5) An extra permission has been added to govern the modification of\n attributes (UID, GID, permissions).\n\nNote that there isn\u0027t an LSM hook specifically for each keyctl() operation,\nbut rather the permissions hook allows control of individual operations based\non the permission request bits.\n\nKey management access control through LSM is enabled by automatically if both\nCONFIG_KEYS and CONFIG_SECURITY are enabled.\n\nThis should be applied on top of the patch ensubjected:\n\n\t[PATCH] Keys: Possessor permissions should be additive\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Chris Wright \u003cchrisw@osdl.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "664cceb0093b755739e56572b836a99104ee8a75", "tree": "dbaa3ab802803879f29532db4d8a91a54294cf88", "parents": [ "5134fc15b643dc36eb9aa77e4318b886844a9ac5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 28 17:03:15 2005 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Wed Sep 28 09:10:47 2005 -0700" }, "message": "[PATCH] Keys: Add possessor permissions to keys [try #3]\n\nThe attached patch adds extra permission grants to keys for the possessor of a\nkey in addition to the owner, group and other permissions bits. This makes\nSUID binaries easier to support without going as far as labelling keys and key\ntargets using the LSM facilities.\n\nThis patch adds a second \"pointer type\" to key structures (struct key_ref *)\nthat can have the bottom bit of the address set to indicate the possession of\na key. This is propagated through searches from the keyring to the discovered\nkey. It has been made a separate type so that the compiler can spot attempts\nto dereference a potentially incorrect pointer.\n\nThe \"possession\" attribute can\u0027t be attached to a key structure directly as\nit\u0027s not an intrinsic property of a key.\n\nPointers to keys have been replaced with struct key_ref *\u0027s wherever\npossession information needs to be passed through.\n\nThis does assume that the bottom bit of the pointer will always be zero on\nreturn from kmem_cache_alloc().\n\nThe key reference type has been made into a typedef so that at least it can be\nlocated in the sources, even though it\u0027s basically a pointer to an undefined\ntype. I\u0027ve also renamed the accessor functions to be more useful, and all\nreference variables should now end in \"_ref\".\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "1260f801b4e4ba7be200886b4a53d730de05ca19", "tree": "319a68125252ac50df21b6e84cc1131c96e60d6f", "parents": [ "c36f19e02a96488f550fdb678c92500afca3109b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Aug 04 11:50:01 2005 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Thu Aug 04 08:20:47 2005 -0700" }, "message": "[PATCH] Keys: Fix key management syscall interface bugs\n\nThis fixes five bugs in the key management syscall interface:\n\n (1) add_key() returns 0 rather than EINVAL if the key type is \"\".\n\n Checking the key type isn\u0027t \"\" should be left to lookup_user_key().\n\n (2) request_key() returns ENOKEY rather than EPERM if the key type begins\n with a \".\".\n\n lookup_user_key() can\u0027t do this because internal key types begin with a\n \".\".\n\n (3) Key revocation always returns 0, even if it fails.\n\n (4) Key read can return EAGAIN rather than EACCES under some circumstances.\n\n A key is permitted to by read by a process if it doesn\u0027t grant read\n access, but it does grant search access and it is in the process\u0027s\n keyrings. That search returns EAGAIN if it fails, and this needs\n translating to EACCES.\n\n (5) request_key() never adds the new key to the destination keyring if one is\n supplied.\n\n The wrong macro was being used to test for an error condition: PTR_ERR()\n will always return true, whether or not there\u0027s an error; this should\u0027ve\n been IS_ERR().\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-Off-By: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "3e30148c3d524a9c1c63ca28261bc24c457eb07a", "tree": "a2fcc46cc11fe871ad976c07476d934a07313576", "parents": [ "8589b4e00e352f983259140f25a262d973be6bc5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 23 22:00:56 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Fri Jun 24 00:05:19 2005 -0700" }, "message": "[PATCH] Keys: Make request-key create an authorisation key\n\nThe attached patch makes the following changes:\n\n (1) There\u0027s a new special key type called \".request_key_auth\".\n\n This is an authorisation key for when one process requests a key and\n another process is started to construct it. This type of key cannot be\n created by the user; nor can it be requested by kernel services.\n\n Authorisation keys hold two references:\n\n (a) Each refers to a key being constructed. When the key being\n \t constructed is instantiated the authorisation key is revoked,\n \t rendering it of no further use.\n\n (b) The \"authorising process\". This is either:\n\n \t (i) the process that called request_key(), or:\n\n \t (ii) if the process that called request_key() itself had an\n \t authorisation key in its session keyring, then the authorising\n \t process referred to by that authorisation key will also be\n \t referred to by the new authorisation key.\n\n\t This means that the process that initiated a chain of key requests\n\t will authorise the lot of them, and will, by default, wind up with\n\t the keys obtained from them in its keyrings.\n\n (2) request_key() creates an authorisation key which is then passed to\n /sbin/request-key in as part of a new session keyring.\n\n (3) When request_key() is searching for a key to hand back to the caller, if\n it comes across an authorisation key in the session keyring of the\n calling process, it will also search the keyrings of the process\n specified therein and it will use the specified process\u0027s credentials\n (fsuid, fsgid, groups) to do that rather than the calling process\u0027s\n credentials.\n\n This allows a process started by /sbin/request-key to find keys belonging\n to the authorising process.\n\n (4) A key can be read, even if the process executing KEYCTL_READ doesn\u0027t have\n direct read or search permission if that key is contained within the\n keyrings of a process specified by an authorisation key found within the\n calling process\u0027s session keyring, and is searchable using the\n credentials of the authorising process.\n\n This allows a process started by /sbin/request-key to read keys belonging\n to the authorising process.\n\n (5) The magic KEY_SPEC_*_KEYRING key IDs when passed to KEYCTL_INSTANTIATE or\n KEYCTL_NEGATE will specify a keyring of the authorising process, rather\n than the process doing the instantiation.\n\n (6) One of the process keyrings can be nominated as the default to which\n request_key() should attach new keys if not otherwise specified. This is\n done with KEYCTL_SET_REQKEY_KEYRING and one of the KEY_REQKEY_DEFL_*\n constants. The current setting can also be read using this call.\n\n (7) request_key() is partially interruptible. If it is waiting for another\n process to finish constructing a key, it can be interrupted. This permits\n a request-key cycle to be broken without recourse to rebooting.\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-Off-By: Benoit Boissinot \u003cbenoit.boissinot@ens-lyon.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "76d8aeabfeb1c42641a81c44280177b9a08670d8", "tree": "0a584439bb44e440717aa77a1398ba9eea24a137", "parents": [ "7286aa9b9ab35f20b1ff16d867f4535701df99b5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 23 22:00:49 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Fri Jun 24 00:05:18 2005 -0700" }, "message": "[PATCH] keys: Discard key spinlock and use RCU for key payload\n\nThe attached patch changes the key implementation in a number of ways:\n\n (1) It removes the spinlock from the key structure.\n\n (2) The key flags are now accessed using atomic bitops instead of\n write-locking the key spinlock and using C bitwise operators.\n\n The three instantiation flags are dealt with with the construction\n semaphore held during the request_key/instantiate/negate sequence, thus\n rendering the spinlock superfluous.\n\n The key flags are also now bit numbers not bit masks.\n\n (3) The key payload is now accessed using RCU. This permits the recursive\n keyring search algorithm to be simplified greatly since no locks need be\n taken other than the usual RCU preemption disablement. Searching now does\n not require any locks or semaphores to be held; merely that the starting\n keyring be pinned.\n\n (4) The keyring payload now includes an RCU head so that it can be disposed\n of by call_rcu(). This requires that the payload be copied on unlink to\n prevent introducing races in copy-down vs search-up.\n\n (5) The user key payload is now a structure with the data following it. It\n includes an RCU head like the keyring payload and for the same reason. It\n also contains a data length because the data length in the key may be\n changed on another CPU whilst an RCU protected read is in progress on the\n payload. This would then see the supposed RCU payload and the on-key data\n length getting out of sync.\n\n I\u0027m tempted to drop the key\u0027s datalen entirely, except that it\u0027s used in\n conjunction with quota management and so is a little tricky to get rid\n of.\n\n (6) Update the keys documentation.\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }