)]}' { "log": [ { "commit": "6f239284542bae297d27355d06afbb8df23c5db9", "tree": "b0ba42fb54cd05178c61584e0913be38a57f0384", "parents": [ "609cfda586c7fe3e5d1a02c51edb587506294167", "bf69d41d198138e3c601e9a6645f4f1369aff7e0" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed May 04 11:59:34 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed May 04 11:59:34 2011 +1000" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.infradead.org/users/eparis/selinux into for-linus\n" }, { "commit": "5d30b10bd68df007e7ae21e77d1e0ce184b53040", "tree": "61d97a80d0fac7c6dfd97db7040fedd75771adda", "parents": [ "cb1e922fa104bb0bb3aa5fc6ca7f7e070f3b55e9" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:55:52 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 16:12:47 2011 -0400" }, "message": "flex_array: flex_array_prealloc takes a number of elements, not an end\n\nChange flex_array_prealloc to take the number of elements for which space\nshould be allocated instead of the last (inclusive) element. Users\nand documentation are updated accordingly. flex_arrays got introduced before\nthey had users. When folks started using it, they ended up needing a\ndifferent API than was coded up originally. This swaps over to the API that\nfolks apparently need.\n\nBased-on-patch-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nTested-by: Chris Richards \u003cgizmo@giz-works.com\u003e\nAcked-by: Dave Hansen \u003cdave@linux.vnet.ibm.com\u003e\nCc: stable@kernel.org [2.6.38+]\n" }, { "commit": "cb1e922fa104bb0bb3aa5fc6ca7f7e070f3b55e9", "tree": "c776ceca8e63dd8de70f242fe6883320004884eb", "parents": [ "fe3fa43039d47ee4e22caf460b79b62a14937f79" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:11:21 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 16:12:41 2011 -0400" }, "message": "SELinux: pass last path component in may_create\n\nNew inodes are created in a two stage process. We first will compute the\nlabel on a new inode in security_inode_create() and check if the\noperation is allowed. We will then actually re-compute that same label and\napply it in security_inode_init_security(). The change to do new label\ncalculations based in part on the last component of the path name only\npassed the path component information all the way down the\nsecurity_inode_init_security hook. Down the security_inode_create hook the\npath information did not make it past may_create. Thus the two calculations\ncame up differently and the permissions check might not actually be against\nthe label that is created. Pass and use the same information in both places\nto harmonize the calculations and checks.\n\nReported-by: Dominick Grift \u003cdomg472@gmail.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "9ade0cf440a1e5800dc68eef2e77b8d9d83a6dff", "tree": "17a06970af5a26cd340b785a894f20f262335575", "parents": [ "1879fd6a26571fd4e8e1f4bb3e7537bc936b1fe7" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 16:26:29 2011 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 25 18:16:32 2011 -0700" }, "message": "SELINUX: Make selinux cache VFS RCU walks safe\n\nNow that the security modules can decide whether they support the\ndcache RCU walk or not it\u0027s possible to make selinux a bit more\nRCU friendly. The SELinux AVC and security server access decision\ncode is RCU safe. A specific piece of the LSM audit code may not\nbe RCU safe.\n\nThis patch makes the VFS RCU walk retry if it would hit the non RCU\nsafe chunk of code. It will normally just work under RCU. This is\ndone simply by passing the VFS RCU state as a flag down into the\navc_audit() code and returning ECHILD there if it would have an issue.\n\nBased-on-patch-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8c9e80ed276fc4b9c9fadf29d8bf6b3576112f1a", "tree": "7595dd217545593675d40f85cfb11d69697a8300", "parents": [ "8d082f8f3fb89e8a1fcb5120ad98cd9860c8a3e8" ], "author": { "name": "Andi Kleen", "email": "ak@linux.intel.com", "time": "Thu Apr 21 17:23:19 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Apr 22 16:17:29 2011 -0700" }, "message": "SECURITY: Move exec_permission RCU checks into security modules\n\nRight now all RCU walks fall back to reference walk when CONFIG_SECURITY\nis enabled, even though just the standard capability module is active.\nThis is because security_inode_exec_permission unconditionally fails\nRCU walks.\n\nMove this decision to the low level security module. This requires\npassing the RCU flags down the security hook. This way at least\nthe capability module and a few easy cases in selinux/smack work\nwith RCU walks with CONFIG_SECURITY\u003dy\n\nSigned-off-by: Andi Kleen \u003cak@linux.intel.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "25985edcedea6396277003854657b5f3cb31a628", "tree": "f026e810210a2ee7290caeb737c23cb6472b7c38", "parents": [ "6aba74f2791287ec407e0f92487a725a25908067" ], "author": { "name": "Lucas De Marchi", "email": "lucas.demarchi@profusion.mobi", "time": "Wed Mar 30 22:57:33 2011 -0300" }, "committer": { "name": "Lucas De Marchi", "email": "lucas.demarchi@profusion.mobi", "time": "Thu Mar 31 11:26:23 2011 -0300" }, "message": "Fix common misspellings\n\nFixes generated by \u0027codespell\u0027 and manually reviewed.\n\nSigned-off-by: Lucas De Marchi \u003clucas.demarchi@profusion.mobi\u003e\n" }, { "commit": "85cd6da53a8073d3f4503f56e4ea6cddccbb1c7f", "tree": "9c71a1426c09767e7470fea2c244c9ebd3ec4d8c", "parents": [ "036a98263a30930a329e7bb184d5e77f27358e40" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Mar 25 10:13:43 2011 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 29 10:26:30 2011 +1100" }, "message": "selinux: Fix regression for Xorg\n\nCommit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the\nhandling of userspace object classes that is causing breakage for Xorg\nwhen XSELinux is enabled. Fix the bug by changing map_class() to return\nSECCLASS_NULL when the class cannot be mapped to a kernel object class.\n\nReported-by: \"Justin P. Mattock\" \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2e1496707560ecf98e9b0604622c0990f94861d3", "tree": "d1473b70fad31a903fedc87221680678a6c6c5f6", "parents": [ "e795b71799ff0b27365020c9ddaa25d0d83f99c8" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Wed Mar 23 16:43:26 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 23 19:47:13 2011 -0700" }, "message": "userns: rename is_owner_or_cap to inode_owner_or_capable\n\nAnd give it a kernel-doc comment.\n\n[akpm@linux-foundation.org: btrfs changed in linux-next]\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nCc: Daniel Lezcano \u003cdaniel.lezcano@free.fr\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3486740a4f32a6a466f5ac931654d154790ba648", "tree": "ac5d968a66057fa84933b8f89fd3e916270dffed", "parents": [ "59607db367c57f515183cb203642291bb14d9c40" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Wed Mar 23 16:43:17 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 23 19:47:02 2011 -0700" }, "message": "userns: security: make capabilities relative to the user namespace\n\n- Introduce ns_capable to test for a capability in a non-default\n user namespace.\n- Teach cap_capable to handle capabilities in a non-default\n user namespace.\n\nThe motivation is to get to the unprivileged creation of new\nnamespaces. It looks like this gets us 90% of the way there, with\nonly potential uid confusion issues left.\n\nI still need to handle getting all caps after creation but otherwise I\nthink I have a good starter patch that achieves all of your goals.\n\nChangelog:\n\t11/05/2010: [serge] add apparmor\n\t12/14/2010: [serge] fix capabilities to created user namespaces\n\tWithout this, if user serge creates a user_ns, he won\u0027t have\n\tcapabilities to the user_ns he created. THis is because we\n\twere first checking whether his effective caps had the caps\n\the needed and returning -EPERM if not, and THEN checking whether\n\the was the creator. Reverse those checks.\n\t12/16/2010: [serge] security_real_capable needs ns argument in !security case\n\t01/11/2011: [serge] add task_ns_capable helper\n\t01/11/2011: [serge] add nsown_capable() helper per Bastian Blank suggestion\n\t02/16/2011: [serge] fix a logic bug: the root user is always creator of\n\t\t init_user_ns, but should not always have capabilities to\n\t\t it! Fix the check in cap_capable().\n\t02/21/2011: Add the required user_ns parameter to security_capable,\n\t\t fixing a compile failure.\n\t02/23/2011: Convert some macros to functions as per akpm comments. Some\n\t\t couldn\u0027t be converted because we can\u0027t easily forward-declare\n\t\t them (they are inline if !SECURITY, extern if SECURITY). Add\n\t\t a current_user_ns function so we can use it in capability.h\n\t\t without #including cred.h. Move all forward declarations\n\t\t together to the top of the #ifdef __KERNEL__ section, and use\n\t\t kernel-doc format.\n\t02/23/2011: Per dhowells, clean up comment in cap_capable().\n\t02/23/2011: Per akpm, remove unreachable \u0027return -EPERM\u0027 in cap_capable.\n\n(Original written and signed off by Eric; latest, modified version\nacked by him)\n\n[akpm@linux-foundation.org: fix build]\n[akpm@linux-foundation.org: export current_user_ns() for ecryptfs]\n[serge.hallyn@canonical.com: remove unneeded extra argument in selinux\u0027s task_has_capability]\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nAcked-by: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nAcked-by: Daniel Lezcano \u003cdaniel.lezcano@free.fr\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "7a6362800cb7d1d618a697a650c7aaed3eb39320", "tree": "087f9bc6c13ef1fad4b392c5cf9325cd28fa8523", "parents": [ "6445ced8670f37cfc2c5e24a9de9b413dbfc788d", "ceda86a108671294052cbf51660097b6534672f5" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 16 16:29:25 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 16 16:29:25 2011 -0700" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1480 commits)\n bonding: enable netpoll without checking link status\n xfrm: Refcount destination entry on xfrm_lookup\n net: introduce rx_handler results and logic around that\n bonding: get rid of IFF_SLAVE_INACTIVE netdev-\u003epriv_flag\n bonding: wrap slave state work\n net: get rid of multiple bond-related netdevice-\u003epriv_flags\n bonding: register slave pointer for rx_handler\n be2net: Bump up the version number\n be2net: Copyright notice change. Update to Emulex instead of ServerEngines\n e1000e: fix kconfig for crc32 dependency\n netfilter ebtables: fix xt_AUDIT to work with ebtables\n xen network backend driver\n bonding: Improve syslog message at device creation time\n bonding: Call netif_carrier_off after register_netdevice\n bonding: Incorrect TX queue offset\n net_sched: fix ip_tos2prio\n xfrm: fix __xfrm_route_forward()\n be2net: Fix UDP packet detected status in RX compl\n Phonet: fix aligned-mode pipe socket buffer header reserve\n netxen: support for GbE port settings\n ...\n\nFix up conflicts in drivers/staging/brcm80211/brcmsmac/wl_mac80211.c\nwith the staging updates.\n" }, { "commit": "1d28f42c1bd4bb2363d88df74d0128b4da135b4a", "tree": "cb2e652fe79a2bc307e871bc2d3fa51cc8051e45", "parents": [ "ca116922afa8cc5ad46b00c0a637b1cde5ca478a" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Mar 12 00:29:39 2011 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Mar 12 15:08:44 2011 -0800" }, "message": "net: Put flowi_* prefix on AF independent members of struct flowi\n\nI intend to turn struct flowi into a union of AF specific flowi\nstructs. There will be a common structure that each variant includes\nfirst, much like struct sock_common.\n\nThis is the first step to move in that direction.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "fe3fa43039d47ee4e22caf460b79b62a14937f79", "tree": "9eab8d00f1227b9fe0959f32a62d892ed35803ba", "parents": [ "ee009e4a0d4555ed522a631bae9896399674f064", "026eb167ae77244458fa4b4b9fc171209c079ba7" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:38:10 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:38:10 2011 +1100" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into next\n" }, { "commit": "1cc26bada9f6807814806db2f0d78792eecdac71", "tree": "5509b5139db04af6c13db0a580c84116a4a54039", "parents": [ "eae61f3c829439f8f9121b5cd48a14be04df451f", "214d93b02c4fe93638ad268613c9702a81ed9192" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 10:55:06 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 10:55:06 2011 +1100" }, "message": "Merge branch \u0027master\u0027; commit \u0027v2.6.38-rc7\u0027 into next\n" }, { "commit": "026eb167ae77244458fa4b4b9fc171209c079ba7", "tree": "1e66fcfeb0b43a6fb764e1d07f8f0200d0c99094", "parents": [ "ff36fe2c845cab2102e4826c1ffa0a6ebf487c65" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 16:09:14 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 16:12:28 2011 -0500" }, "message": "SELinux: implement the new sb_remount LSM hook\n\nFor SELinux we do not allow security information to change during a remount\noperation. Thus this hook simply strips the security module options from\nthe data and verifies that those are the same options as exist on the\ncurrent superblock.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2ad18bdf3b8f84c85c7da7e4de365f7c5701fb3f", "tree": "7b45743dee9e9de69714da3801aa3f987a3db365", "parents": [ "6f5317e730505d5cbc851c435a2dfe3d5a21d343" ], "author": { "name": "Harry Ciao", "email": "qingtao.cao@windriver.com", "time": "Wed Mar 02 13:32:34 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 15:19:44 2011 -0500" }, "message": "SELinux: Compute SID for the newly created socket\n\nThe security context for the newly created socket shares the same\nuser, role and MLS attribute as its creator but may have a different\ntype, which could be specified by a type_transition rule in the relevant\npolicy package.\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\n[fix call to security_transition_sid to include qstr, Eric Paris]\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "6f5317e730505d5cbc851c435a2dfe3d5a21d343", "tree": "02088cf519a00db5c6fbdb2cc8776402413eb662", "parents": [ "4bc6c2d5d8386800fde23a8e78cd4f04a0ade0ad" ], "author": { "name": "Harry Ciao", "email": "qingtao.cao@windriver.com", "time": "Wed Mar 02 13:32:33 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 15:19:43 2011 -0500" }, "message": "SELinux: Socket retains creator role and MLS attribute\n\nThe socket SID would be computed on creation and no longer inherit\nits creator\u0027s SID by default. Socket may have a different type but\nneeds to retain the creator\u0027s role and MLS attribute in order not\nto break labeled networking and network access control.\n\nThe kernel value for a class would be used to determine if the class\nif one of socket classes. If security_compute_sid is called from\nuserspace the policy value for a class would be mapped to the relevant\nkernel value first.\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "4bc6c2d5d8386800fde23a8e78cd4f04a0ade0ad", "tree": "9ed72f305050b876d846b44ccf13f63fcbab1ff4", "parents": [ "0b24dcb7f2f7a0ce9b762eef0362c21c88f47b32" ], "author": { "name": "Harry Ciao", "email": "qingtao.cao@windriver.com", "time": "Wed Mar 02 13:46:08 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 15:19:43 2011 -0500" }, "message": "SELinux: Auto-generate security_is_socket_class\n\nThe security_is_socket_class() is auto-generated by genheaders based\non classmap.h to reduce maintenance effort when a new class is defined\nin SELinux kernel. The name for any socket class should be suffixed by\n\"socket\" and doesn\u0027t contain more than one substr of \"socket\".\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6", "tree": "9bb539a7731af94cac0112b8f13771e4a33e0450", "parents": [ "06dc94b1ed05f91e246315afeb1c652d6d0dc9ab" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Thu Mar 03 10:55:40 2011 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Mar 03 10:55:40 2011 -0800" }, "message": "netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms\n\nNetlink message processing in the kernel is synchronous these days, the\nsession information can be collected when needed.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "0b24dcb7f2f7a0ce9b762eef0362c21c88f47b32", "tree": "9c7dc83e169cd4a2e5fd248e4b940f82131627b6", "parents": [ "47ac19ea429aee561f66e9cd05b908e8ffbc498a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:39:20 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:40:00 2011 -0500" }, "message": "Revert \"selinux: simplify ioctl checking\"\n\nThis reverts commit 242631c49d4cf39642741d6627750151b058233b.\n\nConflicts:\n\n\tsecurity/selinux/hooks.c\n\nSELinux used to recognize certain individual ioctls and check\npermissions based on the knowledge of the individual ioctl. In commit\n242631c49d4cf396 the SELinux code stopped trying to understand\nindividual ioctls and to instead looked at the ioctl access bits to\ndetermine in we should check read or write for that operation. This\nsame suggestion was made to SMACK (and I believe copied into TOMOYO).\nBut this suggestion is total rubbish. The ioctl access bits are\nactually the access requirements for the structure being passed into the\nioctl, and are completely unrelated to the operation of the ioctl or the\nobject the ioctl is being performed upon.\n\nTake FS_IOC_FIEMAP as an example. FS_IOC_FIEMAP is defined as:\n\nFS_IOC_FIEMAP _IOWR(\u0027f\u0027, 11, struct fiemap)\n\nSo it has access bits R and W. What this really means is that the\nkernel is going to both read and write to the struct fiemap. It has\nnothing at all to do with the operations that this ioctl might perform\non the file itself!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "47ac19ea429aee561f66e9cd05b908e8ffbc498a", "tree": "22a95f4b75ab4dd71949f8f337463638ff6711e3", "parents": [ "4a7ab3dcad0b66a486c468ccf0d6197c5dbe3326" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:39:20 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:40:00 2011 -0500" }, "message": "selinux: drop unused packet flow permissions\n\nThese permissions are not used and can be dropped in the kernel\ndefinitions.\n\nSuggested-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "4a7ab3dcad0b66a486c468ccf0d6197c5dbe3326", "tree": "b88badda1de339ed01149caf05601400d2e2a9dd", "parents": [ "b9679a76187694138099e09d7f5091b73086e6d7" ], "author": { "name": "Steffen Klassert", "email": "steffen.klassert@secunet.com", "time": "Wed Feb 23 12:56:23 2011 +0100" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:00:51 2011 -0500" }, "message": "selinux: Fix packet forwarding checks on postrouting\n\nThe IPSKB_FORWARDED and IP6SKB_FORWARDED flags are used only in the\nmulticast forwarding case to indicate that a packet looped back after\nforward. So these flags are not a good indicator for packet forwarding.\nA better indicator is the incoming interface. If we have no socket context,\nbut an incoming interface and we see the packet in the ip postroute hook,\nthe packet is going to be forwarded.\n\nWith this patch we use the incoming interface as an indicator on packet\nforwarding.\n\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "b9679a76187694138099e09d7f5091b73086e6d7", "tree": "224bfa579013b55ed6c459879ba0aab6d28e8ae2", "parents": [ "8f82a6880d8d03961181d973388e1df2772a8b24" ], "author": { "name": "Steffen Klassert", "email": "steffen.klassert@secunet.com", "time": "Wed Feb 23 12:55:21 2011 +0100" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:00:47 2011 -0500" }, "message": "selinux: Fix wrong checks for selinux_policycap_netpeer\n\nselinux_sock_rcv_skb_compat and selinux_ip_postroute_compat are just\ncalled if selinux_policycap_netpeer is not set. However in these\nfunctions we check if selinux_policycap_netpeer is set. This leads\nto some dead code and to the fact that selinux_xfrm_postroute_last\nis never executed. This patch removes the dead code and the checks\nfor selinux_policycap_netpeer in the compatibility functions.\n\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "8f82a6880d8d03961181d973388e1df2772a8b24", "tree": "b2eb1374f143610dbf06a686fcfee6b77bff110b", "parents": [ "4916ca401e3051dad326ddd69765bd0e3f32fb9b" ], "author": { "name": "Steffen Klassert", "email": "steffen.klassert@secunet.com", "time": "Wed Feb 23 12:54:33 2011 +0100" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:00:44 2011 -0500" }, "message": "selinux: Fix check for xfrm selinux context algorithm\n\nselinux_xfrm_sec_ctx_alloc accidentally checks the xfrm domain of\ninterpretation against the selinux context algorithm. This patch\nfixes this by checking ctx_alg against the selinux context algorithm.\n\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "e33f770426674a565a188042caf3f974f8b3722d", "tree": "6ee309a1cbccec1cef9972fc6c8f8d9b280978f5", "parents": [ "e1ad2ab2cf0cabcd81861e2c61870fc27bb27ded" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Feb 22 18:13:15 2011 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Feb 22 18:13:15 2011 -0800" }, "message": "xfrm: Mark flowi arg to security_xfrm_state_pol_flow_match() const.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2edeaa34a6e3f2c43b667f6c4f7b27944b811695", "tree": "37dd9156645491a86844ba9198fe05e4e6fe44c5", "parents": [ "257a65d79581880032e0bf0c452f4041b693664c" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Mon Feb 07 13:36:10 2011 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Feb 07 14:04:00 2011 -0800" }, "message": "CRED: Fix BUG() upon security_cred_alloc_blank() failure\n\nIn cred_alloc_blank() since 2.6.32, abort_creds(new) is called with\nnew-\u003esecurity \u003d\u003d NULL and new-\u003emagic \u003d\u003d 0 when security_cred_alloc_blank()\nreturns an error. As a result, BUG() will be triggered if SELinux is enabled\nor CONFIG_DEBUG_CREDENTIALS\u003dy.\n\nIf CONFIG_DEBUG_CREDENTIALS\u003dy, BUG() is called from __invalid_creds() because\ncred-\u003emagic \u003d\u003d 0. Failing that, BUG() is called from selinux_cred_free()\nbecause selinux_cred_free() is not expecting cred-\u003esecurity \u003d\u003d NULL. This does\nnot affect smack_cred_free(), tomoyo_cred_free() or apparmor_cred_free().\n\nFix these bugs by\n\n(1) Set new-\u003emagic before calling security_cred_alloc_blank().\n\n(2) Handle null cred-\u003esecurity in creds_are_invalid() and selinux_cred_free().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8e6c96935fcc1ed3dbebc96fddfef3f2f2395afc", "tree": "c26297c8ca479972010cadf2058aacd63ce1744f", "parents": [ "652bb9b0d6ce007f37c098947b2cc0c45efa3f66" ], "author": { "name": "Lucian Adrian Grijincu", "email": "lucian.grijincu@gmail.com", "time": "Tue Feb 01 18:42:22 2011 +0200" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:53:54 2011 -0500" }, "message": "security/selinux: fix /proc/sys/ labeling\n\nThis fixes an old (2007) selinux regression: filesystem labeling for\n/proc/sys returned\n -r--r--r-- unknown /proc/sys/fs/file-nr\ninstead of\n -r--r--r-- system_u:object_r:sysctl_fs_t:s0 /proc/sys/fs/file-nr\n\nEvents that lead to breaking of /proc/sys/ selinux labeling:\n\n1) sysctl was reimplemented to route all calls through /proc/sys/\n\n commit 77b14db502cb85a031fe8fde6c85d52f3e0acb63\n [PATCH] sysctl: reimplement the sysctl proc support\n\n2) proc_dir_entry was removed from ctl_table:\n\n commit 3fbfa98112fc3962c416452a0baf2214381030e6\n [PATCH] sysctl: remove the proc_dir_entry member for the sysctl tables\n\n3) selinux still walked the proc_dir_entry tree to apply\n labeling. Because ctl_tables don\u0027t have a proc_dir_entry, we did\n not label /proc/sys/ inodes any more. To achieve this the /proc/sys/\n inodes were marked private and private inodes were ignored by\n selinux.\n\n commit bbaca6c2e7ef0f663bc31be4dad7cf530f6c4962\n [PATCH] selinux: enhance selinux to always ignore private inodes\n\n commit 86a71dbd3e81e8870d0f0e56b87875f57e58222b\n [PATCH] sysctl: hide the sysctl proc inodes from selinux\n\nAccess control checks have been done by means of a special sysctl hook\nthat was called for read/write accesses to any /proc/sys/ entry.\n\nWe don\u0027t have to do this because, instead of walking the\nproc_dir_entry tree we can walk the dentry tree (as done in this\npatch). With this patch:\n* we don\u0027t mark /proc/sys/ inodes as private\n* we don\u0027t need the sysclt security hook\n* we walk the dentry tree to find the path to the inode.\n\nWe have to strip the PID in /proc/PID/ entries that have a\nproc_dir_entry because selinux does not know how to label paths like\n\u0027/1/net/rpc/nfsd.fh\u0027 (and defaults to \u0027proc_t\u0027 labeling). Selinux does\nknow of \u0027/net/rpc/nfsd.fh\u0027 (and applies the \u0027sysctl_rpc_t\u0027 label).\n\nPID stripping from the path was done implicitly in the previous code\nbecause the proc_dir_entry tree had the root in \u0027/net\u0027 in the example\nfrom above. The dentry tree has the root in \u0027/1\u0027.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: Lucian Adrian Grijincu \u003clucian.grijincu@gmail.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "652bb9b0d6ce007f37c098947b2cc0c45efa3f66", "tree": "7bf76f04a1fcaa401761a9a734b94682e2ac8b8c", "parents": [ "2a7dba391e5628ad665ce84ef9a6648da541ebab" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:05:40 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:12:30 2011 -0500" }, "message": "SELinux: Use dentry name in new object labeling\n\nCurrently SELinux has rules which label new objects according to 3 criteria.\nThe label of the process creating the object, the label of the parent\ndirectory, and the type of object (reg, dir, char, block, etc.) This patch\nadds a 4th criteria, the dentry name, thus we can distinguish between\ncreating a file in an etc_t directory called shadow and one called motd.\n\nThere is no file globbing, regex parsing, or anything mystical. Either the\npolicy exactly (strcmp) matches the dentry name of the object or it doesn\u0027t.\nThis patch has no changes from today if policy does not implement the new\nrules.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "2a7dba391e5628ad665ce84ef9a6648da541ebab", "tree": "ba0722bd74d2c883dbda7ff721850bab411cac04", "parents": [ "821404434f3324bf23f545050ff64055a149766e" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:05:39 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:12:29 2011 -0500" }, "message": "fs/vfs/security: pass last path component to LSM on inode creation\n\nSELinux would like to implement a new labeling behavior of newly created\ninodes. We currently label new inodes based on the parent and the creating\nprocess. This new behavior would also take into account the name of the\nnew object when deciding the new label. This is not the (supposed) full path,\njust the last component of the path.\n\nThis is very useful because creating /etc/shadow is different than creating\n/etc/passwd but the kernel hooks are unable to differentiate these\noperations. We currently require that userspace realize it is doing some\ndifficult operation like that and than userspace jumps through SELinux hoops\nto get things set up correctly. This patch does not implement new\nbehavior, that is obviously contained in a seperate SELinux patch, but it\ndoes pass the needed name down to the correct LSM hook. If no such name\nexists it is fine to pass NULL.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "3ac285ff23cd6e1bc402b6db836521bce006eb89", "tree": "449a7788ba52f3ac0cb7a5ae6a467934163745c2", "parents": [ "e5cce6c13c25d9ac56955a3ae2fd562719848172" ], "author": { "name": "Davidlohr Bueso", "email": "dave@gnu.org", "time": "Fri Jan 21 12:28:04 2011 -0300" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 24 11:35:47 2011 +1100" }, "message": "selinux: return -ENOMEM when memory allocation fails\n\nReturn -ENOMEM when memory allocation fails in cond_init_bool_indexes,\ncorrectly propagating error code to caller.\n\nSigned-off-by: Davidlohr Bueso \u003cdave@gnu.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ced3b93018a9633447ddeb12a96f25e08154cbe7", "tree": "3d227ef6d2630c35127f8f25c123b1c4a0a4ad1f", "parents": [ "7898e1f8e9eb1bee88c92d636e0ab93f2cbe31c6" ], "author": { "name": "Shan Wei", "email": "shanwei@cn.fujitsu.com", "time": "Wed Jan 19 17:21:44 2011 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 24 10:36:11 2011 +1100" }, "message": "security:selinux: kill unused MAX_AVTAB_HASH_MASK and ebitmap_startbit\n\nKill unused MAX_AVTAB_HASH_MASK and ebitmap_startbit.\n\nSigned-off-by: Shan Wei \u003cshanwei@cn.fujitsu.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e0e736fc0d33861335e2a132e4f688f7fd380c61", "tree": "d9febe9ca1ef1e24efc5e6e1e34e412316d246bd", "parents": [ "a08948812b30653eb2c536ae613b635a989feb6f", "aeda4ac3efc29e4d55989abd0a73530453aa69ba" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 10 11:18:59 2011 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 10 11:18:59 2011 -0800" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (30 commits)\n MAINTAINERS: Add tomoyo-dev-en ML.\n SELinux: define permissions for DCB netlink messages\n encrypted-keys: style and other cleanup\n encrypted-keys: verify datablob size before converting to binary\n trusted-keys: kzalloc and other cleanup\n trusted-keys: additional TSS return code and other error handling\n syslog: check cap_syslog when dmesg_restrict\n Smack: Transmute labels on specified directories\n selinux: cache sidtab_context_to_sid results\n SELinux: do not compute transition labels on mountpoint labeled filesystems\n This patch adds a new security attribute to Smack called SMACK64EXEC. It defines label that is used while task is running.\n SELinux: merge policydb_index_classes and policydb_index_others\n selinux: convert part of the sym_val_to_name array to use flex_array\n selinux: convert type_val_to_struct to flex_array\n flex_array: fix flex_array_put_ptr macro to be valid C\n SELinux: do not set automatic i_ino in selinuxfs\n selinux: rework security_netlbl_secattr_to_sid\n SELinux: standardize return code handling in selinuxfs.c\n SELinux: standardize return code handling in selinuxfs.c\n SELinux: standardize return code handling in policydb.c\n ...\n" }, { "commit": "37721e1b0cf98cb65895f234d8c500d270546529", "tree": "6fb3ec6910513b18e100b17432864fa8c46d55e4", "parents": [ "9f99a2f0e44663517b99b69a3e4a499d0ba877df" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Mon Jan 10 08:17:10 2011 +0200" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 10 08:51:44 2011 -0800" }, "message": "headers: path.h redux\n\nRemove path.h from sched.h and other files.\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "aeda4ac3efc29e4d55989abd0a73530453aa69ba", "tree": "35b3d2cca8bfb49cf08bf1c6b55b586c1e5971e7", "parents": [ "d2e7ad19229f982fc1eb731827d82ceac90abfb3", "350e4f31e0eaf56dfc3b328d24a11bdf42a41fb8" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 10 10:40:42 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 10 10:40:42 2011 +1100" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into next\n" }, { "commit": "d2e7ad19229f982fc1eb731827d82ceac90abfb3", "tree": "98a3741b4d4b27a48b3c7ea9babe331e539416a8", "parents": [ "d03a5d888fb688c832d470b749acc5ed38e0bc1d", "0c21e3aaf6ae85bee804a325aa29c325209180fd" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 10 09:46:24 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 10 09:46:24 2011 +1100" }, "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tsecurity/smack/smack_lsm.c\n\nVerified and added fix by Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nOk\u0027d by Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b4a45f5fe8078bfc10837dbd5b98735058bc4698", "tree": "df6f13a27610a3ec7eb4a661448cd779a8f84c79", "parents": [ "01539ba2a706ab7d35fc0667dff919ade7f87d63", "b3e19d924b6eaf2ca7d22cba99a517c5171007b6" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 07 08:56:33 2011 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 07 08:56:33 2011 -0800" }, "message": "Merge branch \u0027vfs-scale-working\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/npiggin/linux-npiggin\n\n* \u0027vfs-scale-working\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/npiggin/linux-npiggin: (57 commits)\n fs: scale mntget/mntput\n fs: rename vfsmount counter helpers\n fs: implement faster dentry memcmp\n fs: prefetch inode data in dcache lookup\n fs: improve scalability of pseudo filesystems\n fs: dcache per-inode inode alias locking\n fs: dcache per-bucket dcache hash locking\n bit_spinlock: add required includes\n kernel: add bl_list\n xfs: provide simple rcu-walk ACL implementation\n btrfs: provide simple rcu-walk ACL implementation\n ext2,3,4: provide simple rcu-walk ACL implementation\n fs: provide simple rcu-walk generic_check_acl implementation\n fs: provide rcu-walk aware permission i_ops\n fs: rcu-walk aware d_revalidate method\n fs: cache optimise dentry and inode for rcu-walk\n fs: dcache reduce branches in lookup path\n fs: dcache remove d_mounted\n fs: fs_struct use seqlock\n fs: rcu-walk for path lookup\n ...\n" }, { "commit": "dc0474be3e27463d4d4a2793f82366eed906f223", "tree": "41f75e638442cb343bacdcfbabb17ffc3bd5b4ce", "parents": [ "357f8e658bba8a085c4a5d4331e30894be8096b8" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:49:43 2011 +1100" }, "committer": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:50:24 2011 +1100" }, "message": "fs: dcache rationalise dget variants\n\ndget_locked was a shortcut to avoid the lazy lru manipulation when we already\nheld dcache_lock (lru manipulation was relatively cheap at that point).\nHowever, how that the lru lock is an innermost one, we never hold it at any\ncaller, so the lock cost can now be avoided. We already have well working lazy\ndcache LRU, so it should be fine to defer LRU manipulations to scan time.\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\n" }, { "commit": "b5c84bf6f6fa3a7dfdcb556023a62953574b60ee", "tree": "7a2c299a180713e21d5cb653cb933121adf53c31", "parents": [ "949854d02455080d20cd3e1db28a3a18daf7599d" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:49:38 2011 +1100" }, "committer": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:50:23 2011 +1100" }, "message": "fs: dcache remove dcache_lock\n\ndcache_lock no longer protects anything. remove it.\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\n" }, { "commit": "2fd6b7f50797f2e993eea59e0a0b8c6399c811dc", "tree": "ce33b94b34844c09103836cf4cfa4364b742f217", "parents": [ "da5029563a0a026c64821b09e8e7b4fd81d3fe1b" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:49:34 2011 +1100" }, "committer": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:50:21 2011 +1100" }, "message": "fs: dcache scale subdirs\n\nProtect d_subdirs and d_child with d_lock, except in filesystems that aren\u0027t\nusing dcache_lock for these anyway (eg. using i_mutex).\n\nNote: if we change the locking rule in future so that -\u003ed_child protection is\nprovided only with -\u003ed_parent-\u003ed_lock, it may allow us to reduce some locking.\nBut it would be an exception to an otherwise regular locking scheme, so we\u0027d\nhave to see some good results. Probably not worthwhile.\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\n" }, { "commit": "3610cda53f247e176bcbb7a7cca64bc53b12acdb", "tree": "d780bc1e405116e75a194b2f4693a6f9bbe9f58f", "parents": [ "44b8288308ac9da27eab7d7bdbf1375a568805c3" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Jan 05 15:38:53 2011 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Jan 05 15:38:53 2011 -0800" }, "message": "af_unix: Avoid socket-\u003esk NULL OOPS in stream connect security hooks.\n\nunix_release() can asynchornously set socket-\u003esk to NULL, and\nit does so without holding the unix_state_lock() on \"other\"\nduring stream connects.\n\nHowever, the reverse mapping, sk-\u003esk_socket, is only transitioned\nto NULL under the unix_state_lock().\n\nTherefore make the security hooks follow the reverse mapping instead\nof the forward mapping.\n\nReported-by: Jeremy Fitzhardinge \u003cjeremy@goop.org\u003e\nReported-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "17f7f4d9fcce8f1b75b5f735569309dee7665968", "tree": "14d7e49ca0053a0fcab3c33b5023bf3f90c5c08a", "parents": [ "041110a439e21cd40709ead4ffbfa8034619ad77", "d7c1255a3a21e98bdc64df8ccf005a174d7e6289" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sun Dec 26 22:37:05 2010 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sun Dec 26 22:37:05 2010 -0800" }, "message": "Merge branch \u0027master\u0027 of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6\n\nConflicts:\n\tnet/ipv4/fib_frontend.c\n" }, { "commit": "350e4f31e0eaf56dfc3b328d24a11bdf42a41fb8", "tree": "8b825e93e80367fc55f43641037301abfcca0b17", "parents": [ "73ff5fc0a86b28b77e02a6963b388d1dbfa0a263" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Dec 16 11:46:51 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Dec 16 12:50:17 2010 -0500" }, "message": "SELinux: define permissions for DCB netlink messages\n\nCommit 2f90b865 added two new netlink message types to the netlink route\nsocket. SELinux has hooks to define if netlink messages are allowed to\nbe sent or received, but it did not know about these two new message\ntypes. By default we allow such actions so noone likely noticed. This\npatch adds the proper definitions and thus proper permissions\nenforcement.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "73ff5fc0a86b28b77e02a6963b388d1dbfa0a263", "tree": "7b84f738078e6b96f6b35805c8b6c4fa699968ed", "parents": [ "415103f9932d45f7927f4b17e3a9a13834cdb9a1" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Dec 07 16:17:28 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Dec 07 16:44:01 2010 -0500" }, "message": "selinux: cache sidtab_context_to_sid results\n\nsidtab_context_to_sid takes up a large share of time when creating large\nnumbers of new inodes (~30-40% in oprofile runs). This patch implements a\ncache of 3 entries which is checked before we do a full context_to_sid lookup.\nOn one system this showed over a x3 improvement in the number of inodes that\ncould be created per second and around a 20% improvement on another system.\n\nAny time we look up the same context string sucessivly (imagine ls -lZ) we\nshould hit this cache hot. A cache miss should have a relatively minor affect\non performance next to doing the full table search.\n\nAll operations on the cache are done COMPLETELY lockless. We know that all\nstruct sidtab_node objects created will never be deleted until a new policy is\nloaded thus we never have to worry about a pointer being dereferenced. Since\nwe also know that pointer assignment is atomic we know that the cache will\nalways have valid pointers. Given this information we implement a FIFO cache\nin an array of 3 pointers. Every result (whether a cache hit or table lookup)\nwill be places in the 0 spot of the cache and the rest of the entries moved\ndown one spot. The 3rd entry will be lost.\n\nRaces are possible and are even likely to happen. Lets assume that 4 tasks\nare hitting sidtab_context_to_sid. The first task checks against the first\nentry in the cache and it is a miss. Now lets assume a second task updates\nthe cache with a new entry. This will push the first entry back to the second\nspot. Now the first task might check against the second entry (which it\nalready checked) and will miss again. Now say some third task updates the\ncache and push the second entry to the third spot. The first task my check\nthe third entry (for the third time!) and again have a miss. At which point\nit will just do a full table lookup. No big deal!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "415103f9932d45f7927f4b17e3a9a13834cdb9a1", "tree": "271746ba59ca5b19185574538b5af3e30178c04f", "parents": [ "1d9bc6dc5b6b9cc9299739f0245ce4841f066b92" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Dec 02 16:13:40 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Dec 02 16:14:51 2010 -0500" }, "message": "SELinux: do not compute transition labels on mountpoint labeled filesystems\n\nselinux_inode_init_security computes transitions sids even for filesystems\nthat use mount point labeling. It shouldn\u0027t do that. It should just use\nthe mount point label always and no matter what.\n\nThis causes 2 problems. 1) it makes file creation slower than it needs to be\nsince we calculate the transition sid and 2) it allows files to be created\nwith a different label than the mount point!\n\n# id -Z\nstaff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023\n# sesearch --type --class file --source sysadm_t --target tmp_t\nFound 1 semantic te rules:\n type_transition sysadm_t tmp_t : file user_tmp_t;\n\n# mount -o loop,context\u003d\"system_u:object_r:tmp_t:s0\" /tmp/fs /mnt/tmp\n\n# ls -lZ /mnt/tmp\ndrwx------. root root system_u:object_r:tmp_t:s0 lost+found\n# touch /mnt/tmp/file1\n# ls -lZ /mnt/tmp\n-rw-r--r--. root root staff_u:object_r:user_tmp_t:s0 file1\ndrwx------. root root system_u:object_r:tmp_t:s0 lost+found\n\nWhoops, we have a mount point labeled filesystem tmp_t with a user_tmp_t\nlabeled file!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Reviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1d9bc6dc5b6b9cc9299739f0245ce4841f066b92", "tree": "aa1fe241ebdd6fb74ae468c1cf301dff4315db49", "parents": [ "ac76c05becb6beedbb458d0827d3deaa6f479a72" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 29 15:47:09 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:58 2010 -0500" }, "message": "SELinux: merge policydb_index_classes and policydb_index_others\n\nWe duplicate functionality in policydb_index_classes() and\npolicydb_index_others(). This patch merges those functions just to make it\nclear there is nothing special happening here.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "ac76c05becb6beedbb458d0827d3deaa6f479a72", "tree": "255276b52f7b031671ae5948b39d7c92e50ba420", "parents": [ "23bdecb000c806cf4ec52764499a600f7200d7a9" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 29 15:47:09 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:58 2010 -0500" }, "message": "selinux: convert part of the sym_val_to_name array to use flex_array\n\nThe sym_val_to_name type array can be quite large as it grows linearly with\nthe number of types. With known policies having over 5k types these\nallocations are growing large enough that they are likely to fail. Convert\nthose to flex_array so no allocation is larger than PAGE_SIZE\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "23bdecb000c806cf4ec52764499a600f7200d7a9", "tree": "f13a523f6bec22c5e7ec58ea02a4988aefe7c8ac", "parents": [ "c41ab6a1b9028de33e74101cb0aae13098a56fdb" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 29 15:47:09 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:57 2010 -0500" }, "message": "selinux: convert type_val_to_struct to flex_array\n\nIn rawhide type_val_to_struct will allocate 26848 bytes, an order 3\nallocations. While this hasn\u0027t been seen to fail it isn\u0027t outside the\nrealm of possibiliy on systems with severe memory fragmentation. Convert\nto flex_array so no allocation will ever be bigger than PAGE_SIZE.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "c9e86a9b95f198d7df49b25fcd808ee39cba218f", "tree": "0e62d348103f25a612d649c796cab225db2372c3", "parents": [ "7ae9f23cbd3ef9daff7f768da4bfd4c56b19300d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 29 15:46:39 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:57 2010 -0500" }, "message": "SELinux: do not set automatic i_ino in selinuxfs\n\nselinuxfs carefully uses i_ino to figure out what the inode refers to. The\nVFS used to generically set this value and we would reset it to something\nuseable. After 85fe4025c616 each filesystem sets this value to a default\nif needed. Since selinuxfs doesn\u0027t use the default value and it can only\nlead to problems (I\u0027d rather have 2 inodes with i_ino \u003d\u003d 0 than one\npointing to the wrong data) lets just stop setting a default.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7ae9f23cbd3ef9daff7f768da4bfd4c56b19300d", "tree": "8a92d6d1f05268c27f0e37d5684e947c6111d89e", "parents": [ "4b02b524487622ce1cf472123899520b583f47dc" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 11:40:09 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:57 2010 -0500" }, "message": "selinux: rework security_netlbl_secattr_to_sid\n\nsecurity_netlbl_secattr_to_sid is difficult to follow, especially the\nreturn codes. Try to make the function obvious.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "4b02b524487622ce1cf472123899520b583f47dc", "tree": "58802e2968852cb1eb0f8f6303fbfaf3d85ecc53", "parents": [ "b77a493b1dc8010245feeac001e5c7ed0988678f" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 11:40:08 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:57 2010 -0500" }, "message": "SELinux: standardize return code handling in selinuxfs.c\n\nselinuxfs.c has lots of different standards on how to handle return paths on\nerror. For the most part transition to\n\n\trc\u003derrno\n\tif (failure)\n\t\tgoto out;\n[...]\nout:\n\tcleanup()\n\treturn rc;\n\nInstead of doing cleanup mid function, or having multiple returns or other\noptions. This doesn\u0027t do that for every function, but most of the complex\nfunctions which have cleanup routines on error.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "b77a493b1dc8010245feeac001e5c7ed0988678f", "tree": "f0d2364ce8ed46ab569f3a41cbebb9a51bffb0f0", "parents": [ "9398c7f794078dc1768cc061b3da8cdd59f179a5" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 11:40:08 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:57 2010 -0500" }, "message": "SELinux: standardize return code handling in selinuxfs.c\n\nselinuxfs.c has lots of different standards on how to handle return paths on\nerror. For the most part transition to\n\n\trc\u003derrno\n\tif (failure)\n\t\tgoto out;\n[...]\nout:\n\tcleanup()\n\treturn rc;\n\nInstead of doing cleanup mid function, or having multiple returns or other\noptions. This doesn\u0027t do that for every function, but most of the complex\nfunctions which have cleanup routines on error.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "9398c7f794078dc1768cc061b3da8cdd59f179a5", "tree": "16e665d3bf7160e2da67b236b27a6bf87a73d5e2", "parents": [ "e8a7e48bb248a1196484d3f8afa53bded2b24e71" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 11:40:08 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:56 2010 -0500" }, "message": "SELinux: standardize return code handling in policydb.c\n\npolicydb.c has lots of different standards on how to handle return paths on\nerror. For the most part transition to\n\n\trc\u003derrno\n\tif (failure)\n\t\tgoto out;\n[...]\nout:\n\tcleanup()\n\treturn rc;\n\nInstead of doing cleanup mid function, or having multiple returns or other\noptions. This doesn\u0027t do that for every function, but most of the complex\nfunctions which have cleanup routines on error.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "ce6ada35bdf710d16582cc4869c26722547e6f11", "tree": "c2b5fd46c883f4b7285b191bac55940022662b43", "parents": [ "1d6d75684d869406e5bb2ac5d3ed9454f52d0cab" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Thu Nov 25 17:11:32 2010 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Nov 29 08:35:12 2010 +1100" }, "message": "security: Define CAP_SYSLOG\n\nPrivileged syslog operations currently require CAP_SYS_ADMIN. Split\nthis off into a new CAP_SYSLOG privilege which we can sanely take away\nfrom a container through the capability bounding set.\n\nWith this patch, an lxc container can be prevented from messing with\nthe host\u0027s syslog (i.e. dmesg -c).\n\nChangelog: mar 12 2010: add selinux capability2:cap_syslog perm\nChangelog: nov 22 2010:\n\t. port to new kernel\n\t. add a WARN_ONCE if userspace isn\u0027t using CAP_SYSLOG\n\nSigned-off-by: Serge Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-By: Kees Cook \u003ckees.cook@canonical.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: \"Christopher J. PeBenito\" \u003ccpebenito@tresys.com\u003e\nCc: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2fe66ec242d3f76e3b0101f36419e7e5405bcff3", "tree": "2091420d53ae1bf9e7673c2275b36c6b1e6aac1b", "parents": [ "04f6d70f6e64900a5d70a5fc199dd9d5fa787738" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 06:28:08 2010 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Nov 23 10:50:17 2010 -0800" }, "message": "SELinux: indicate fatal error in compat netfilter code\n\nThe SELinux ip postroute code indicates when policy rejected a packet and\npasses the error back up the stack. The compat code does not. This patch\nsends the same kind of error back up the stack in the compat code.\n\nBased-on-patch-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "04f6d70f6e64900a5d70a5fc199dd9d5fa787738", "tree": "68d369f422f98842031ae4ada17e391140165b54", "parents": [ "eb06acdc85585f28864261f28659157848762ee4" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 06:28:02 2010 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Nov 23 10:50:17 2010 -0800" }, "message": "SELinux: Only return netlink error when we know the return is fatal\n\nSome of the SELinux netlink code returns a fatal error when the error might\nactually be transient. This patch just silently drops packets on\npotentially transient errors but continues to return a permanant error\nindicator when the denial was because of policy.\n\nBased-on-comments-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "1f1aaf82825865a50cef0b4722607abb12aeee52", "tree": "9ab2495097fa2944404ab41bfb3038de374f5626", "parents": [ "ee58681195bf243bafc44ca53f3c24429d096cce" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 16 11:52:57 2010 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Nov 17 10:54:35 2010 -0800" }, "message": "SELinux: return -ECONNREFUSED from ip_postroute to signal fatal error\n\nThe SELinux netfilter hooks just return NF_DROP if they drop a packet. We\nwant to signal that a drop in this hook is a permanant fatal error and is not\ntransient. If we do this the error will be passed back up the stack in some\nplaces and applications will get a faster interaction that something went\nwrong.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "12b3052c3ee8f508b2c7ee4ddd63ed03423409d8", "tree": "b97d0f209f363cfad94ce9d075312274e349da89", "parents": [ "6800e4c0ea3e96cf78953b8b5743381cb1bb9e37" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 15 18:36:29 2010 -0500" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Nov 15 15:40:01 2010 -0800" }, "message": "capabilities/syslog: open code cap_syslog logic to fix build failure\n\nThe addition of CONFIG_SECURITY_DMESG_RESTRICT resulted in a build\nfailure when CONFIG_PRINTK\u003dn. This is because the capabilities code\nwhich used the new option was built even though the variable in question\ndidn\u0027t exist.\n\nThe patch here fixes this by moving the capabilities checks out of the\nLSM and into the caller. All (known) LSMs should have been calling the\ncapabilities hook already so it actually makes the code organization\nbetter to eliminate the hook altogether.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "fc14f2fef682df677d64a145256dbd263df2aa7b", "tree": "74f6b939fbad959a43c04ec646cd0adc8af5f53a", "parents": [ "848b83a59b772b8f102bc5e3f1187c2fa5676959" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jul 25 01:48:30 2010 +0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri Oct 29 04:16:28 2010 -0400" }, "message": "convert get_sb_single() users\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "85fe4025c616a7c0ed07bc2fc8c5371b07f3888c", "tree": "7a5db7accb6192f2911f2473b4e3191227b914cc", "parents": [ "f991bd2e14210fb93d722cb23e54991de20e8a3d" ], "author": { "name": "Christoph Hellwig", "email": "hch@lst.de", "time": "Sat Oct 23 11:19:54 2010 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Oct 25 21:26:11 2010 -0400" }, "message": "fs: do not assign default i_ino in new_inode\n\nInstead of always assigning an increasing inode number in new_inode\nmove the call to assign it into those callers that actually need it.\nFor now callers that need it is estimated conservatively, that is\nthe call is added to all filesystems that do not assign an i_ino\nby themselves. For a few more filesystems we can avoid assigning\nany inode number given that they aren\u0027t user visible, and for others\nit could be done lazily when an inode number is actually needed,\nbut that\u0027s left for later patches.\n\nSigned-off-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Dave Chinner \u003cdchinner@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "f0d3d9894e43fc68d47948e2c6f03e32da88b799", "tree": "685f386b1f114a29c6db8d5f2f947620b4df0285", "parents": [ "ff660c80d00b52287f1f67ee6c115dc0057bcdde" ], "author": { "name": "Stephen Rothwell", "email": "sfr@canb.auug.org.au", "time": "Wed Oct 20 16:08:00 2010 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:13:01 2010 +1100" }, "message": "selinux: include vmalloc.h for vmalloc_user\n\nInclude vmalloc.h for vmalloc_user (fixes ppc build warning).\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "845ca30fe9691f1bab7cfbf30b6d11c944eb4abd", "tree": "eabf2b17957c2214375f870387eaab6c43d9e931", "parents": [ "cee74f47a6baba0ac457e87687fdcf0abd599f0a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 17:50:31 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:59 2010 +1100" }, "message": "selinux: implement mmap on /selinux/policy\n\n/selinux/policy allows a user to copy the policy back out of the kernel.\nThis patch allows userspace to actually mmap that file and use it directly.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cee74f47a6baba0ac457e87687fdcf0abd599f0a", "tree": "3d9fdb073050664e62d9cdb6c28112090cd138da", "parents": [ "00d85c83ac52e2c1a66397f1abc589f80c543425" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 17:50:25 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:58 2010 +1100" }, "message": "SELinux: allow userspace to read policy back out of the kernel\n\nThere is interest in being able to see what the actual policy is that was\nloaded into the kernel. The patch creates a new selinuxfs file\n/selinux/policy which can be read by userspace. The actual policy that is\nloaded into the kernel will be written back out to userspace.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "00d85c83ac52e2c1a66397f1abc589f80c543425", "tree": "86f297ed90f988d46e6bb8c56a60fbc3b3eb8d66", "parents": [ "4419aae1f4f380a3fba0f4f12ffbbbdf3f267c51" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 17:50:19 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:57 2010 +1100" }, "message": "SELinux: drop useless (and incorrect) AVTAB_MAX_SIZE\n\nAVTAB_MAX_SIZE was a define which was supposed to be used in userspace to\ndefine a maximally sized avtab when userspace wasn\u0027t sure how big of a table\nit needed. It doesn\u0027t make sense in the kernel since we always know our table\nsizes. The only place it is used we have a more appropiately named define\ncalled AVTAB_MAX_HASH_BUCKETS, use that instead.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4419aae1f4f380a3fba0f4f12ffbbbdf3f267c51", "tree": "e2f7e4850dc84768f6dd66e38a1454b8e3574714", "parents": [ "b28efd54d9d5c8005a29cd8782335beb9daaa32d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 17:50:14 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:56 2010 +1100" }, "message": "SELinux: deterministic ordering of range transition rules\n\nRange transition rules are placed in the hash table in an (almost)\narbitrary order. This patch inserts them in a fixed order to make policy\nretrival more predictable.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d5630b9d276bd389299ffea620b7c340ab19bcf5", "tree": "4e97cadf12518fb107f9e7140fa94343bd6643f5", "parents": [ "2606fd1fa5710205b23ee859563502aa18362447" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 16:24:48 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:50 2010 +1100" }, "message": "security: secid_to_secctx returns len when data is NULL\n\nWith the (long ago) interface change to have the secid_to_secctx functions\ndo the string allocation instead of having the caller do the allocation we\nlost the ability to query the security server for the length of the\nupcoming string. The SECMARK code would like to allocate a netlink skb\nwith enough length to hold the string but it is just too unclean to do the\nstring allocation twice or to do the allocation the first time and hold\nonto the string and slen. This patch adds the ability to call\nsecurity_secid_to_secctx() with a NULL data pointer and it will just set\nthe slen pointer.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2606fd1fa5710205b23ee859563502aa18362447", "tree": "f79becd7010a2da1a765829fce0e09327cd50531", "parents": [ "15714f7b58011cf3948cab2988abea560240c74f" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 16:24:41 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:48 2010 +1100" }, "message": "secmark: make secmark object handling generic\n\nRight now secmark has lots of direct selinux calls. Use all LSM calls and\nremove all SELinux specific knowledge. The only SELinux specific knowledge\nwe leave is the mode. The only point is to make sure that other LSMs at\nleast test this generic code before they assume it works. (They may also\nhave to make changes if they do not represent labels as strings)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b0ae19811375031ae3b3fecc65b702a9c6e5cc28", "tree": "a765b71155fbed1ed3a3cff35c1044ad49a002ae", "parents": [ "9b3056cca09529d34af2d81305b2a9c6b622ca1b" ], "author": { "name": "KOSAKI Motohiro", "email": "kosaki.motohiro@jp.fujitsu.com", "time": "Fri Oct 15 04:21:18 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:44 2010 +1100" }, "message": "security: remove unused parameter from security_task_setscheduler()\n\nAll security modules shouldn\u0027t change sched_param parameter of\nsecurity_task_setscheduler(). This is not only meaningless, but also\nmake a harmful result if caller pass a static variable.\n\nThis patch remove policy and sched_param parameter from\nsecurity_task_setscheduler() becuase none of security module is\nusing it.\n\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: KOSAKI Motohiro \u003ckosaki.motohiro@jp.fujitsu.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "36f7f28416c97dbb725154930066d115b4447e17", "tree": "c09aed0142158c6fda679bab87012144e5a60372", "parents": [ "8b0c543e5cb1e47a54d3ea791b8a03b9c8a715db" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@ak.jp.nec.com", "time": "Thu Sep 30 11:49:55 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:41 2010 +1100" }, "message": "selinux: fix up style problem on /selinux/status\n\nThis patch fixes up coding-style problem at this commit:\n\n 4f27a7d49789b04404eca26ccde5f527231d01d5\n selinux: fast status update interface (/selinux/status)\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8b0c543e5cb1e47a54d3ea791b8a03b9c8a715db", "tree": "82391c4dc20e071f0ebcee867a7cc27119928114", "parents": [ "60272da0341e9eaa136e1dc072bfef72c995d851" ], "author": { "name": "matt mooney", "email": "mfm@muteddisk.com", "time": "Wed Sep 22 23:50:06 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:40 2010 +1100" }, "message": "selinux: change to new flag variable\n\nReplace EXTRA_CFLAGS with ccflags-y.\n\nSigned-off-by: matt mooney \u003cmfm@muteddisk.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "60272da0341e9eaa136e1dc072bfef72c995d851", "tree": "9441606f03330f1e2951ff0613d8059f90a353ec", "parents": [ "ceba72a68d17ee36ef24a71b80dde39ee934ece8" ], "author": { "name": "Paul Gortmaker", "email": "paul.gortmaker@windriver.com", "time": "Wed Sep 15 20:14:53 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:39 2010 +1100" }, "message": "selinux: really fix dependency causing parallel compile failure.\n\nWhile the previous change to the selinux Makefile reduced the window\nsignificantly for this failure, it is still possible to see a compile\nfailure where cpp starts processing selinux files before the auto\ngenerated flask.h file is completed. This is easily reproduced by\nadding the following temporary change to expose the issue everytime:\n\n- cmd_flask \u003d scripts/selinux/genheaders/genheaders ...\n+ cmd_flask \u003d sleep 30 ; scripts/selinux/genheaders/genheaders ...\n\nThis failure happens because the creation of the object files in the ss\nsubdir also depends on flask.h. So simply incorporate them into the\nparent Makefile, as the ss/Makefile really doesn\u0027t do anything unique.\n\nWith this change, compiling of all selinux files is dependent on\ncompletion of the header file generation, and this test case with\nthe \"sleep 30\" now confirms it is functioning as expected.\n\nSigned-off-by: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ceba72a68d17ee36ef24a71b80dde39ee934ece8", "tree": "912582b629745d650e9f8ae6fecb42e4345e3900", "parents": [ "119041672592d1890d89dd8f194bd0919d801dc8" ], "author": { "name": "Paul Gortmaker", "email": "paul.gortmaker@windriver.com", "time": "Mon Aug 09 17:34:25 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:38 2010 +1100" }, "message": "selinux: fix parallel compile error\n\nSelinux has an autogenerated file, \"flask.h\" which is included by\ntwo other selinux files. The current makefile has a single dependency\non the first object file in the selinux-y list, assuming that will get\nflask.h generated before anyone looks for it, but that assumption breaks\ndown in a \"make -jN\" situation and you get:\n\n selinux/selinuxfs.c:35: fatal error: flask.h: No such file or directory\n compilation terminated.\n remake[9]: *** [security/selinux/selinuxfs.o] Error 1\n\nSince flask.h is included by security.h which in turn is included\nnearly everywhere, make the dependency apply to all of the selinux-y\nlist of objs.\n\nSigned-off-by: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "119041672592d1890d89dd8f194bd0919d801dc8", "tree": "b994abb42446b8637f072194c57359fd80d52a97", "parents": [ "4b04a7cfc5ccb573ca3752429c81d37f8dd2f7c6" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@ak.jp.nec.com", "time": "Tue Sep 14 18:28:39 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:36 2010 +1100" }, "message": "selinux: fast status update interface (/selinux/status)\n\nThis patch provides a new /selinux/status entry which allows applications\nread-only mmap(2).\nThis region reflects selinux_kernel_status structure in kernel space.\n struct selinux_kernel_status\n {\n u32 length; /* length of this structure */\n u32 sequence; /* sequence number of seqlock logic */\n u32 enforcing; /* current setting of enforcing mode */\n u32 policyload; /* times of policy reloaded */\n u32 deny_unknown; /* current setting of deny_unknown */\n };\n\nWhen userspace object manager caches access control decisions provided\nby SELinux, it needs to invalidate the cache on policy reload and setenforce\nto keep consistency.\nHowever, the applications need to check the kernel state for each accesses\non userspace avc, or launch a background worker process.\nIn heuristic, frequency of invalidation is much less than frequency of\nmaking access control decision, so it is annoying to invoke a system call\nto check we don\u0027t need to invalidate the userspace cache.\nIf we can use a background worker thread, it allows to receive invalidation\nmessages from the kernel. But it requires us an invasive coding toward the\nbase application in some cases; E.g, when we provide a feature performing\nwith SELinux as a plugin module, it is unwelcome manner to launch its own\nworker thread from the module.\n\nIf we could map /selinux/status to process memory space, application can\nknow updates of selinux status; policy reload or setenforce.\n\nA typical application checks selinux_kernel_status::sequence when it tries\nto reference userspace avc. If it was changed from the last time when it\nchecked userspace avc, it means something was updated in the kernel space.\nThen, the application can reset userspace avc or update current enforcing\nmode, without any system call invocations.\nThis sequence number is updated according to the seqlock logic, so we need\nto wait for a while if it is odd number.\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n--\n security/selinux/include/security.h | 21 ++++++\n security/selinux/selinuxfs.c | 56 +++++++++++++++\n security/selinux/ss/Makefile | 2 +-\n security/selinux/ss/services.c | 3 +\n security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++\n 5 files changed, 210 insertions(+), 1 deletions(-)\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "daa6d83a2863c28197b0c7dabfdf1e0606760b78", "tree": "0c1198f796847274aeead46e791bb8c84451bfd2", "parents": [ "68eda8f59081c74a51d037cc29893bd7c9b3c2d8" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Aug 03 15:26:05 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:33 2010 +1100" }, "message": "selinux: type_bounds_sanity_check has a meaningless variable declaration\n\ntype is not used at all, stop declaring and assigning it.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d996b62a8df1d935b01319bf8defb95b5709f7b8", "tree": "d81f8240da776336845a2063555d7bb4dce684bd", "parents": [ "ee2ffa0dfdd2db19705f2ba1c6a4c0bfe8122dd8" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Wed Aug 18 04:37:36 2010 +1000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Aug 18 08:35:47 2010 -0400" }, "message": "tty: fix fu_list abuse\n\ntty: fix fu_list abuse\n\ntty code abuses fu_list, which causes a bug in remount,ro handling.\n\nIf a tty device node is opened on a filesystem, then the last link to the inode\nremoved, the filesystem will be allowed to be remounted readonly. This is\nbecause fs_may_remount_ro does not find the 0 link tty inode on the file sb\nlist (because the tty code incorrectly removed it to use for its own purpose).\nThis can result in a filesystem with errors after it is marked \"clean\".\n\nTaking idea from Christoph\u0027s initial patch, allocate a tty private struct\nat file-\u003eprivate_data and put our required list fields in there, linking\nfile and tty. This makes tty nodes behave the same way as other device nodes\nand avoid meddling with the vfs, and avoids this bug.\n\nThe error handling is not trivial in the tty code, so for this bugfix, I take\nthe simple approach of using __GFP_NOFAIL and don\u0027t worry about memory errors.\nThis is not a problem because our allocator doesn\u0027t fail small allocs as a rule\nanyway. So proper error handling is left as an exercise for tty hackers.\n\n[ Arguably filesystem\u0027s device inode would ideally be divorced from the\ndriver\u0027s pseudo inode when it is opened, but in practice it\u0027s not clear whether\nthat will ever be worth implementing. ]\n\nCc: linux-kernel@vger.kernel.org\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Alan Cox \u003calan@lxorguk.ukuu.org.uk\u003e\nCc: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "ee2ffa0dfdd2db19705f2ba1c6a4c0bfe8122dd8", "tree": "e48400d1a33f8d2e68589ccfd61637aa64462f08", "parents": [ "b04f784e5d19ed58892833dae845738972cea260" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Wed Aug 18 04:37:35 2010 +1000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Aug 18 08:35:47 2010 -0400" }, "message": "fs: cleanup files_lock locking\n\nfs: cleanup files_lock locking\n\nLock tty_files with a new spinlock, tty_files_lock; provide helpers to\nmanipulate the per-sb files list; unexport the files_lock spinlock.\n\nCc: linux-kernel@vger.kernel.org\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Alan Cox \u003calan@lxorguk.ukuu.org.uk\u003e\nAcked-by: Andi Kleen \u003cak@linux.intel.com\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "b34d8915c413acb51d837a45fb8747b61f65c020", "tree": "ced5fac166324634653d84b1afe2b958b3904f4d", "parents": [ "e8a89cebdbaab14caaa26debdb4ffd493b8831af", "f33ebbe9da2c3c24664a0ad4f8fd83f293547e63" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 10 12:07:51 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 10 12:07:51 2010 -0700" }, "message": "Merge branch \u0027writable_limits\u0027 of git://decibel.fi.muni.cz/~xslaby/linux\n\n* \u0027writable_limits\u0027 of git://decibel.fi.muni.cz/~xslaby/linux:\n unistd: add __NR_prlimit64 syscall numbers\n rlimits: implement prlimit64 syscall\n rlimits: switch more rlimit syscalls to do_prlimit\n rlimits: redo do_setrlimit to more generic do_prlimit\n rlimits: add rlimit64 structure\n rlimits: do security check under task_lock\n rlimits: allow setrlimit to non-current tasks\n rlimits: split sys_setrlimit\n rlimits: selinux, do rlimits changes under task_lock\n rlimits: make sure -\u003erlim_max never grows in sys_setrlimit\n rlimits: add task_struct to update_rlimit_cpu\n rlimits: security, add task_struct to setrlimit\n\nFix up various system call number conflicts. We not only added fanotify\nsystem calls in the meantime, but asm-generic/unistd.h added a wait4\nalong with a range of reserved per-architecture system calls.\n" }, { "commit": "a7a387cc596278af1516c534b50cc0bee171129d", "tree": "6b020262150ab47e2aaeb7ccdd57534460df2665", "parents": [ "06c22dadc6d3f9b65e55407a87faaf6a4a014112" ], "author": { "name": "Ralf Baechle", "email": "ralf@linux-mips.org", "time": "Fri Aug 06 20:37:56 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Aug 06 18:11:39 2010 -0400" }, "message": "SELINUX: Fix build error.\n\nFix build error caused by a stale security/selinux/av_permissions.h in the $(src)\ndirectory which will override a more recent version in $(obj) that is it\nappears to strike only when building with a separate object directory.\n\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6371dcd36f649d9d07823f31400618155a20dde1", "tree": "a08c4ed2ec77225abbfcc099e78ae8d643429787", "parents": [ "016d825fe02cd20fd8803ca37a1e6d428fe878f6" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jul 29 23:02:34 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:38:39 2010 +1000" }, "message": "selinux: convert the policy type_attr_map to flex_array\n\nCurrent selinux policy can have over 3000 types. The type_attr_map in\npolicy is an array sized by the number of types times sizeof(struct ebitmap)\n(12 on x86_64). Basic math tells us the array is going to be of length\n3000 x 12 \u003d 36,000 bytes. The largest \u0027safe\u0027 allocation on a long running\nsystem is 16k. Most of the time a 32k allocation will work. But on long\nrunning systems a 64k allocation (what we need) can fail quite regularly.\nIn order to deal with this I am converting the type_attr_map to use\nflex_arrays. Let the library code deal with breaking this into PAGE_SIZE\npieces.\n\n-v2\nrework some of the if(!obj) BUG() to be BUG_ON(!obj)\ndrop flex_array_put() calls and just use a _get() object directly\n\n-v3\nmake apply to James\u0027 tree (drop the policydb_write changes)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b424485abe2b16580a178b469917a7b6ee0c152a", "tree": "d90d4662dd1ad229976354e4caa1a7632fb2a6d3", "parents": [ "49b7b8de46d293113a0a0bb026ff7bd833c73367" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:44:15 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:09 2010 +1000" }, "message": "SELinux: Move execmod to the common perms\n\nexecmod \"could\" show up on non regular files and non chr files. The current\nimplementation would actually make these checks against non-existant bits\nsince the code assumes the execmod permission is same for all file types.\nTo make this line up for chr files we had to define execute_no_trans and\nentrypoint permissions. These permissions are unreachable and only existed\nto to make FILE__EXECMOD and CHR_FILE__EXECMOD the same. This patch drops\nthose needless perms as well.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "49b7b8de46d293113a0a0bb026ff7bd833c73367", "tree": "ff29778c49a8ac1511249cc268ddbb2c6ddb86a9", "parents": [ "b782e0a68d17894d9a618ffea55b33639faa6bb4" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:44:09 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:08 2010 +1000" }, "message": "selinux: place open in the common file perms\n\nkernel can dynamically remap perms. Drop the open lookup table and put open\nin the common file perms.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b782e0a68d17894d9a618ffea55b33639faa6bb4", "tree": "307bc615153075a6e92be5d839a58ff48d6525f3", "parents": [ "d09ca73979460b96d5d4684d588b188be9a1f57d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:44:03 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:07 2010 +1000" }, "message": "SELinux: special dontaudit for access checks\n\nCurrently there are a number of applications (nautilus being the main one) which\ncalls access() on files in order to determine how they should be displayed. It\nis normal and expected that nautilus will want to see if files are executable\nor if they are really read/write-able. access() should return the real\npermission. SELinux policy checks are done in access() and can result in lots\nof AVC denials as policy denies RWX on files which DAC allows. Currently\nSELinux must dontaudit actual attempts to read/write/execute a file in\norder to silence these messages (and not flood the logs.) But dontaudit rules\nlike that can hide real attacks. This patch addes a new common file\npermission audit_access. This permission is special in that it is meaningless\nand should never show up in an allow rule. Instead the only place this\npermission has meaning is in a dontaudit rule like so:\n\ndontaudit nautilus_t sbin_t:file audit_access\n\nWith such a rule if nautilus just checks access() we will still get denied and\nthus userspace will still get the correct answer but we will not log the denial.\nIf nautilus attempted to actually perform one of the forbidden actions\n(rather than just querying access(2) about it) we would still log a denial.\nThis type of dontaudit rule should be used sparingly, as it could be a\nmethod for an attacker to probe the system permissions without detection.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d09ca73979460b96d5d4684d588b188be9a1f57d", "tree": "217543affc5c1c76181ffca00c23cfa69f1dd4f6", "parents": [ "9cfcac810e8993fa7a5bfd24b1a21f1dbbb03a7b" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:43:57 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:07 2010 +1000" }, "message": "security: make LSMs explicitly mask off permissions\n\nSELinux needs to pass the MAY_ACCESS flag so it can handle auditting\ncorrectly. Presently the masking of MAY_* flags is done in the VFS. In\norder to allow LSMs to decide what flags they care about and what flags\nthey don\u0027t just pass them all and the each LSM mask off what they don\u0027t\nneed. This patch should contain no functional changes to either the VFS or\nany LSM.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "692a8a231b212dfc68f612956d63f34abf098e0f", "tree": "4af3c03535ebc49e38c3c0c8f67061adbdf44c72", "parents": [ "d1b43547e56b163bc5c622243c47d8a13626175b" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Jul 21 12:51:03 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:06 2010 +1000" }, "message": "SELinux: break ocontext reading into a separate function\n\nMove the reading of ocontext type data out of policydb_read() in a separate\nfunction ocontext_read()\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d1b43547e56b163bc5c622243c47d8a13626175b", "tree": "29b2ddd50b3a0c6fe4dcf5f78c55c8698cd11679", "parents": [ "9a7982793c3aee6ce86d8e7e15306215257329f2" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Jul 21 12:50:57 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:05 2010 +1000" }, "message": "SELinux: move genfs read to a separate function\n\nmove genfs read functionality out of policydb_read() and into a new\nfunction called genfs_read()\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9a7982793c3aee6ce86d8e7e15306215257329f2", "tree": "4d85f6f7a57260cefd938dca7593aabf9c02a59c", "parents": [ "338437f6a09861cdf76e1396ed5fa6dee9c7cabe" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sat Jun 12 20:57:39 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:04 2010 +1000" }, "message": "selinux: fix error codes in symtab_init()\n\nhashtab_create() only returns NULL on allocation failures to -ENOMEM is\nappropriate here.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "338437f6a09861cdf76e1396ed5fa6dee9c7cabe", "tree": "e693392adf370b81af129b326bba45bf43f03862", "parents": [ "38184c522249dc377366d4edc41dc500c2c3bb9e" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sat Jun 12 20:56:01 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:04 2010 +1000" }, "message": "selinux: fix error codes in cond_read_bool()\n\nThe original code always returned -1 (-EPERM) on error. The new code\nreturns either -ENOMEM, or -EINVAL or it propagates the error codes from\nlower level functions next_entry() or hashtab_insert().\n\nnext_entry() returns -EINVAL.\nhashtab_insert() returns -EINVAL, -EEXIST, or -ENOMEM.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "38184c522249dc377366d4edc41dc500c2c3bb9e", "tree": "10c87bf5fdaea233a7842a79f04459792e1b5ba1", "parents": [ "fc5c126e4733e6fb3080d3d822ca63226e74fc84" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sat Jun 12 20:55:01 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:03 2010 +1000" }, "message": "selinux: fix error codes in cond_policydb_init()\n\nIt\u0027s better to propagate the error code from avtab_init() instead of\nreturning -1 (-EPERM). It turns out that avtab_init() never fails so\nthis patch doesn\u0027t change how the code runs but it\u0027s still a clean up.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "fc5c126e4733e6fb3080d3d822ca63226e74fc84", "tree": "3320c22b66107c984ac0cf07c365420df42a4977", "parents": [ "9d623b17a740d5a85c12108cdc71c64fb15484fc" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sat Jun 12 20:53:46 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:02 2010 +1000" }, "message": "selinux: fix error codes in cond_read_node()\n\nOriginally cond_read_node() returned -1 (-EPERM) on errors which was\nincorrect. Now it either propagates the error codes from lower level\nfunctions next_entry() or cond_read_av_list() or it returns -ENOMEM or\n-EINVAL.\n\nnext_entry() returns -EINVAL.\ncond_read_av_list() returns -EINVAL or -ENOMEM.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9d623b17a740d5a85c12108cdc71c64fb15484fc", "tree": "15434839a75f9c46c53a201520c6c859fad3c74b", "parents": [ "5241c1074f6e2f2276d45d857eb5d19fbdc2e4b2" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sat Jun 12 20:52:19 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:02 2010 +1000" }, "message": "selinux: fix error codes in cond_read_av_list()\n\nAfter this patch cond_read_av_list() no longer returns -1 for any\nerrors. It just propagates error code back from lower levels. Those can\neither be -EINVAL or -ENOMEM.\n\nI also modified cond_insertf() since cond_read_av_list() passes that as a\nfunction pointer to avtab_read_item(). It isn\u0027t used anywhere else.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5241c1074f6e2f2276d45d857eb5d19fbdc2e4b2", "tree": "cf41e959668f5a9ec7a5d75059df864133569c91", "parents": [ "9e0bd4cba4460bff64fb07cfb07849cdfd4d325a" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sat Jun 12 20:51:40 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:01 2010 +1000" }, "message": "selinux: propagate error codes in cond_read_list()\n\nThese are passed back when the security module gets loaded.\n\nThe original code always returned -1 (-EPERM) on error but after this\npatch it can return -EINVAL, or -ENOMEM or propagate the error code from\ncond_read_node(). cond_read_node() still returns -1 all the time, but I\nfix that in a later patch.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9e0bd4cba4460bff64fb07cfb07849cdfd4d325a", "tree": "feebec6167012e461d286c02ae45348ad0b2d3a1", "parents": [ "dce3a3d2ee038d230323fe06b061dbaace6b8f94" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sat Jun 12 20:50:35 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:01 2010 +1000" }, "message": "selinux: cleanup return codes in avtab_read_item()\n\nThe avtab_read_item() function tends to return -1 as a default error\ncode which is wrong (-1 means -EPERM). I modified it to return\nappropriate error codes which is -EINVAL or the error code from\nnext_entry() or insertf().\n\nnext_entry() returns -EINVAL.\ninsertf() is a function pointer to either avtab_insert() or\ncond_insertf().\navtab_insert() returns -EINVAL, -ENOMEM, and -EEXIST.\ncond_insertf() currently returns -1, but I will fix it in a later patch.\n\nThere is code in avtab_read() which translates the -1 returns from\navtab_read_item() to -EINVAL. The translation is no longer needed, so I\nremoved it.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "57a62c2317d60b21b7761c319a733a894482a6af", "tree": "03329d5df0a390640fbe5a41be064e5914673b02", "parents": [ "cdcd90f9e450d4edb5fab0490119f9540874e882" ], "author": { "name": "Arnd Bergmann", "email": "arnd@arndb.de", "time": "Wed Jul 07 23:40:10 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:59 2010 +1000" }, "message": "selinux: use generic_file_llseek\n\nThe default for llseek will change to no_llseek,\nso selinuxfs needs to add explicit .llseek\nassignments. Since we\u0027re dealing with regular\nfiles from a VFS perspective, use generic_file_llseek.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "af4f136056c984b0aa67feed7d3170b958370b2f", "tree": "30b62cd9174044cbdfdddc1fe5e0f21e7ddde85c", "parents": [ "5ad18a0d59ba9e65b3c8b2b489fd23bc6b3daf94" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Thu Jul 01 15:07:43 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:57 2010 +1000" }, "message": "security: move LSM xattrnames to xattr.h\n\nMake the security extended attributes names global. Updated to move\nthe remaining Smack xattrs.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5fb49870e6d48d81d8ca0e1ef979073dc9a820f7", "tree": "136fdf4f4181907b89916f24a8e828c00ba3e6bd", "parents": [ "253bfae6e0ad97554799affa0266052968a45808" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Apr 22 14:46:19 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:39 2010 +1000" }, "message": "selinux: Use current_security() when possible\n\nThere were a number of places using the following code pattern:\n\n struct cred *cred \u003d current_cred();\n struct task_security_struct *tsec \u003d cred-\u003esecurity;\n\n... which were simplified to the following:\n\n struct task_security_struct *tsec \u003d current_security();\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "253bfae6e0ad97554799affa0266052968a45808", "tree": "c3599a18f06664160a55a20b30428ba4faf6e2c0", "parents": [ "84914b7ed1c5e0f3199a5a6997022758a70fcaff" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Apr 22 14:46:19 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:39 2010 +1000" }, "message": "selinux: Convert socket related access controls to use socket labels\n\nAt present, the socket related access controls use a mix of inode and\nsocket labels; while there should be no practical difference (they\n_should_ always be the same), it makes the code more confusing. This\npatch attempts to convert all of the socket related access control\npoints (with the exception of some of the inode/fd based controls) to\nuse the socket\u0027s own label. In the process, I also converted the\nsocket_has_perm() function to take a \u0027sock\u0027 argument instead of a\n\u0027socket\u0027 since that was adding a bit more overhead in some cases.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "84914b7ed1c5e0f3199a5a6997022758a70fcaff", "tree": "a0ac9631fba19280516ec26819c884e6b086b183", "parents": [ "d4f2d97841827cb876da8b607df05a3dab812416" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Apr 22 14:46:18 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:38 2010 +1000" }, "message": "selinux: Shuffle the sk_security_struct alloc and free routines\n\nThe sk_alloc_security() and sk_free_security() functions were only being\ncalled by the selinux_sk_alloc_security() and selinux_sk_free_security()\nfunctions so we just move the guts of the alloc/free routines to the\ncallers and eliminate a layer of indirection.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d4f2d97841827cb876da8b607df05a3dab812416", "tree": "8d3128128f465e23dbfc5ee4ccc50d9bc489f7d7", "parents": [ "4d1e24514d80cb266231d0c1b6c02161970ad019" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Apr 22 14:46:18 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:37 2010 +1000" }, "message": "selinux: Consolidate sockcreate_sid logic\n\nConsolidate the basic sockcreate_sid logic into a single helper function\nwhich allows us to do some cleanups in the related code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4d1e24514d80cb266231d0c1b6c02161970ad019", "tree": "2de35d44c52dc1afa28c8f1bf294180817834a9d", "parents": [ "e79acf0ef45e0b54aed47ebea7f25c540d3f527e" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Apr 22 14:46:18 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:37 2010 +1000" }, "message": "selinux: Set the peer label correctly on connected UNIX domain sockets\n\nCorrect a problem where we weren\u0027t setting the peer label correctly on\nthe client end of a pair of connected UNIX sockets.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9ee0c823c18119914283358b35a1c3ebb14c2f90", "tree": "6e29e71f1c9c7ae65d92a15a3b3220ae1d173407", "parents": [ "d2f8b2348f3406652ee00ee7221441bd36fe0195" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jun 11 12:37:05 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:30 2010 +1000" }, "message": "SELinux: seperate range transition rules to a seperate function\n\nMove the range transition rule to a separate function, range_read(), rather\nthan doing it all in policydb_read()\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "babcd37821fba57048b30151969d28303f2a8b6b", "tree": "f3a22f93df9d0ccb95bc653c9b56476adab05876", "parents": [ "9fe6206f400646a2322096b56c59891d530e8d51" ], "author": { "name": "Paul E. McKenney", "email": "paulmck@linux.vnet.ibm.com", "time": "Tue May 18 12:11:25 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:33:35 2010 +1000" }, "message": "selinux: remove all rcu head initializations\n\nRemove all rcu head inits. We don\u0027t care about the RCU head state before passing\nit to call_rcu() anyway. Only leave the \"on_stack\" variants so debugobjects can\nkeep track of objects on stack.\n\nSigned-off-by: Mathieu Desnoyers \u003cmathieu.desnoyers@efficios.com\u003e\nSigned-off-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "eb2d55a32b9a91bca0dea299eedb560bafa8b14e", "tree": "1ba1a701c56614fc03d282b572164e1c409a0df0", "parents": [ "2fb9d2689a0041b88b25bc3187eada2968e25995" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Wed Jun 23 22:43:32 2010 +0200" }, "committer": { "name": "Jiri Slaby", "email": "jirislaby@gmail.com", "time": "Fri Jul 16 09:48:46 2010 +0200" }, "message": "rlimits: selinux, do rlimits changes under task_lock\n\nWhen doing an exec, selinux updates rlimits in its code of current\nprocess depending on current max. Make sure max or cur doesn\u0027t change\nin the meantime by grabbing task_lock which do_prlimit needs for\nchanging limits too.\n\nWhile at it, use rlimit helper for accessing CPU rlimit a line below.\nTo have a volatile access too.\n\nSigned-off-by: Jiri Slaby \u003cjslaby@suse.cz\u003e\nCc: Oleg Nesterov \u003coleg@redhat.com\u003e\n" } ], "next": "5ab46b345e418747b3a52f0892680c0745c4223c" }