)]}' { "log": [ { "commit": "927942aabbbe506bf9bc70a16dc5460ecc64c148", "tree": "2c53ccb405bd4afb03ff9f7acab892fafc7e9b0f", "parents": [ "9156235b3427d6f01c5c95022f72f381f07583f5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Jun 11 17:31:10 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:27 2010 +1000" }, "message": "KEYS: Make /proc/keys check to see if a key is possessed before security check\n\nMake /proc/keys check to see if the calling process possesses each key before\nperforming the security check. The possession check can be skipped if the key\ndoesn\u0027t have the possessor-view permission bit set.\n\nThis causes the keys a process possesses to show up in /proc/keys, even if they\ndon\u0027t have matching user/group/other view permissions.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0ffbe2699cda6afbe08501098dff8a8c2fe6ae09", "tree": "81b1a2305d16c873371b65c5a863c0268036cefe", "parents": [ "4e5d6f7ec3833c0da9cf34fa5c53c6058c5908b6", "7ebd467551ed6ae200d7835a84bbda0dcadaa511" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 10:56:07 2010 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 10:56:07 2010 +1000" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "c5b60b5e67af8be4c58d3ffcc36894f69c4fbdc1", "tree": "5ca471fad635ee8d91a24c7b5448dbcad3de74ef", "parents": [ "822cceec7248013821d655545ea45d1c6a9d15b3" ], "author": { "name": "Justin P. Mattock", "email": "justinmattock@gmail.com", "time": "Wed Apr 21 00:02:11 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 23 10:10:23 2010 +1000" }, "message": "security: whitespace coding style fixes\n\nWhitespace coding style fixes.\n\nSigned-off-by: Justin P. Mattock \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5a0e3ad6af8660be21ca98a971cd00f331318c05", "tree": "5bfb7be11a03176a87296a43ac6647975c00a1d1", "parents": [ "ed391f4ebf8f701d3566423ce8f17e614cde9806" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Wed Mar 24 17:04:11 2010 +0900" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Tue Mar 30 22:02:32 2010 +0900" }, "message": "include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h\n\npercpu.h is included by sched.h and module.h and thus ends up being\nincluded when building most .c files. percpu.h includes slab.h which\nin turn includes gfp.h making everything defined by the two files\nuniversally available and complicating inclusion dependencies.\n\npercpu.h -\u003e slab.h dependency is about to be removed. Prepare for\nthis change by updating users of gfp and slab facilities include those\nheaders directly instead of assuming availability. As this conversion\nneeds to touch large number of source files, the following script is\nused as the basis of conversion.\n\n http://userweb.kernel.org/~tj/misc/slabh-sweep.py\n\nThe script does the followings.\n\n* Scan files for gfp and slab usages and update includes such that\n only the necessary includes are there. ie. if only gfp is used,\n gfp.h, if slab is used, slab.h.\n\n* When the script inserts a new include, it looks at the include\n blocks and try to put the new include such that its order conforms\n to its surrounding. It\u0027s put in the include block which contains\n core kernel includes, in the same order that the rest are ordered -\n alphabetical, Christmas tree, rev-Xmas-tree or at the end if there\n doesn\u0027t seem to be any matching order.\n\n* If the script can\u0027t find a place to put a new include (mostly\n because the file doesn\u0027t have fitting include block), it prints out\n an error message indicating which .h file needs to be added to the\n file.\n\nThe conversion was done in the following steps.\n\n1. The initial automatic conversion of all .c files updated slightly\n over 4000 files, deleting around 700 includes and adding ~480 gfp.h\n and ~3000 slab.h inclusions. The script emitted errors for ~400\n files.\n\n2. Each error was manually checked. Some didn\u0027t need the inclusion,\n some needed manual addition while adding it to implementation .h or\n embedding .c file was more appropriate for others. This step added\n inclusions to around 150 files.\n\n3. The script was run again and the output was compared to the edits\n from #2 to make sure no file was left behind.\n\n4. Several build tests were done and a couple of problems were fixed.\n e.g. lib/decompress_*.c used malloc/free() wrappers around slab\n APIs requiring slab.h to be added manually.\n\n5. The script was run on all .h files but without automatically\n editing them as sprinkling gfp.h and slab.h inclusions around .h\n files could easily lead to inclusion dependency hell. Most gfp.h\n inclusion directives were ignored as stuff from gfp.h was usually\n wildly available and often used in preprocessor macros. Each\n slab.h inclusion directive was examined and added manually as\n necessary.\n\n6. percpu.h was updated not to include slab.h.\n\n7. Build test were done on the following configurations and failures\n were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my\n distributed build env didn\u0027t work with gcov compiles) and a few\n more options had to be turned off depending on archs to make things\n build (like ipr on powerpc/64 which failed due to missing writeq).\n\n * x86 and x86_64 UP and SMP allmodconfig and a custom test config.\n * powerpc and powerpc64 SMP allmodconfig\n * sparc and sparc64 SMP allmodconfig\n * ia64 SMP allmodconfig\n * s390 SMP allmodconfig\n * alpha SMP allmodconfig\n * um on x86_64 SMP allmodconfig\n\n8. percpu.h modifications were reverted so that it could be applied as\n a separate patch and serve as bisection point.\n\nGiven the fact that I had only a couple of failures from tests on step\n6, I\u0027m fairly confident about the coverage of this conversion patch.\nIf there is a breakage, it\u0027s likely to be something in one of the arch\nheaders which should be easily discoverable easily on most builds of\nthe specific arch.\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nGuess-its-ok-by: Christoph Lameter \u003ccl@linux-foundation.org\u003e\nCc: Ingo Molnar \u003cmingo@redhat.com\u003e\nCc: Lee Schermerhorn \u003cLee.Schermerhorn@hp.com\u003e\n" }, { "commit": "7b1b9164598286fe93927ff41eed2a2609fd9056", "tree": "b37a8f4991c5aa6416e269f4edd7317dacc2c67c", "parents": [ "ad73a717e0fc6949c44e587ca5d63c273a30e6f5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:14:11 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:16 2009 +1000" }, "message": "KEYS: Do some whitespace cleanups [try #6]\n\nDo some whitespace cleanups in the key management code.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ad73a717e0fc6949c44e587ca5d63c273a30e6f5", "tree": "28aa8de2eb924a60713abd01bbc790879da5b70c", "parents": [ "5d135440faf7db8d566de0c6fab36b16cf9cfc3b" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Wed Sep 02 09:14:05 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:14 2009 +1000" }, "message": "KEYS: Make /proc/keys use keyid not numread as file position [try #6]\n\nMake the file position maintained by /proc/keys represent the ID of the key\njust read rather than the number of keys read. This should make it faster to\nperform a lookup as we don\u0027t have to scan the key ID tree from the beginning to\nfind the current position.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "86abcf9cebf7b5ceb33facde297face5ec4d2260", "tree": "1b71608a4c025882f82a952d56d0f546d461736b", "parents": [ "20dda18be9035c487c2e9534e4d18d2a1e1deade" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 18 22:00:05 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 25 00:09:12 2009 +1000" }, "message": "keys: annotate seqfile ops with __releases and __acquires\n\nAnnotate seqfile ops with __releases and __acquires to stop sparse\ncomplaining about unbalanced locking.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nReviewed-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\n" }, { "commit": "454804ab0302b354e35d992d08e53fe03313baaf", "tree": "e01a4928e19ac2e8318bc88d0b79970cccc60665", "parents": [ "2ea190d0a006ce5218baa6e798512652446a605a" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Thu Feb 26 18:28:04 2009 -0600" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 27 12:35:15 2009 +1100" }, "message": "keys: make procfiles per-user-namespace\n\nRestrict the /proc/keys and /proc/key-users output to keys\nbelonging to the same user namespace as the reading task.\n\nWe may want to make this more complicated - so that any\nkeys in a user-namespace which is belongs to the reading\ntask are also shown. But let\u0027s see if anyone wants that\nfirst.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0b77f5bfb45c13e1e5142374f9d6ca75292252a4", "tree": "cf62055536d267e9a4abe6518e5d9f683a1ceb75", "parents": [ "69664cf16af4f31cd54d77948a4baf9c7e0ca7b9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:32 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:17 2008 -0700" }, "message": "keys: make the keyring quotas controllable through /proc/sys\n\nMake the keyring quotas controllable through /proc/sys files:\n\n (*) /proc/sys/kernel/keys/root_maxkeys\n /proc/sys/kernel/keys/root_maxbytes\n\n Maximum number of keys that root may have and the maximum total number of\n bytes of data that root may have stored in those keys.\n\n (*) /proc/sys/kernel/keys/maxkeys\n /proc/sys/kernel/keys/maxbytes\n\n Maximum number of keys that each non-root user may have and the maximum\n total number of bytes of data that each of those users may have stored in\n their keys.\n\nAlso increase the quotas as a number of people have been complaining that it\u0027s\nnot big enough. I\u0027m not sure that it\u0027s big enough now either, but on the\nother hand, it can now be set in /etc/sysctl.conf.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: \u003ckwc@citi.umich.edu\u003e\nCc: \u003carunsr@cse.iitk.ac.in\u003e\nCc: \u003cdwalsh@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "da91d2ef9fe4fd84cc0a8a729201d38e40ac9f2e", "tree": "091f2781c5256eac28665a1512038fe07227f9b0", "parents": [ "70a5bb72b55e82fbfbf1e22cae6975fac58a1e2d" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@sw.ru", "time": "Tue Apr 29 01:01:27 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: switch to proc_create()\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@sw.ru\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "1996a10948e50e546dc2b64276723c0b64d3173b", "tree": "971b235907b7c6911c21c9139e0ba85c5b84ef80", "parents": [ "63cb34492351078479b2d4bae6a881806a396286" ], "author": { "name": "Jan Engelhardt", "email": "jengelh@computergmbh.de", "time": "Wed Jan 23 00:02:58 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:54 2008 +1100" }, "message": "security/selinux: constify function pointer tables and fields\n\nConstify function pointer tables and fields.\n\nSigned-off-by: Jan Engelhardt \u003cjengelh@computergmbh.de\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9c2e08c592cd357a8330c34def1e8ecfdcf53275", "tree": "62e7449e43bb502f2e9630ab41832ceccd9a0f65", "parents": [ "da7071d7e32d15149cc513f096a3638097b66387" ], "author": { "name": "Arjan van de Ven", "email": "arjan@linux.intel.com", "time": "Mon Feb 12 00:55:37 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Feb 12 09:48:46 2007 -0800" }, "message": "[PATCH] mark struct file_operations const 9\n\nMany struct file_operations in the kernel can be \"const\". Marking them const\nmoves these to the .rodata section, which avoids false sharing with potential\ndirty data. In addition it\u0027ll catch accidental writes at compile time to\nthese shared resources.\n\nSigned-off-by: Arjan van de Ven \u003carjan@linux.intel.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "06ec7be557a1259611d6093a00463c42650dc71a", "tree": "b83cdbc8405e0a174939d36e4fe40fb8adb51071", "parents": [ "e51f6d343789a4f0a2a7587ad7ec7746969d5c1c" ], "author": { "name": "Michael LeMay", "email": "mdlemay@epoch.ncsc.mil", "time": "Mon Jun 26 00:24:56 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: restrict contents of /proc/keys to Viewable keys\n\nRestrict /proc/keys such that only those keys to which the current task is\ngranted View permission are presented.\n\nThe documentation is also updated to reflect these changes.\n\nSigned-off-by: Michael LeMay \u003cmdlemay@epoch.ncsc.mil\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "664cceb0093b755739e56572b836a99104ee8a75", "tree": "dbaa3ab802803879f29532db4d8a91a54294cf88", "parents": [ "5134fc15b643dc36eb9aa77e4318b886844a9ac5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 28 17:03:15 2005 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Wed Sep 28 09:10:47 2005 -0700" }, "message": "[PATCH] Keys: Add possessor permissions to keys [try #3]\n\nThe attached patch adds extra permission grants to keys for the possessor of a\nkey in addition to the owner, group and other permissions bits. This makes\nSUID binaries easier to support without going as far as labelling keys and key\ntargets using the LSM facilities.\n\nThis patch adds a second \"pointer type\" to key structures (struct key_ref *)\nthat can have the bottom bit of the address set to indicate the possession of\na key. This is propagated through searches from the keyring to the discovered\nkey. It has been made a separate type so that the compiler can spot attempts\nto dereference a potentially incorrect pointer.\n\nThe \"possession\" attribute can\u0027t be attached to a key structure directly as\nit\u0027s not an intrinsic property of a key.\n\nPointers to keys have been replaced with struct key_ref *\u0027s wherever\npossession information needs to be passed through.\n\nThis does assume that the bottom bit of the pointer will always be zero on\nreturn from kmem_cache_alloc().\n\nThe key reference type has been made into a typedef so that at least it can be\nlocated in the sources, even though it\u0027s basically a pointer to an undefined\ntype. I\u0027ve also renamed the accessor functions to be more useful, and all\nreference variables should now end in \"_ref\".\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "76d8aeabfeb1c42641a81c44280177b9a08670d8", "tree": "0a584439bb44e440717aa77a1398ba9eea24a137", "parents": [ "7286aa9b9ab35f20b1ff16d867f4535701df99b5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 23 22:00:49 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Fri Jun 24 00:05:18 2005 -0700" }, "message": "[PATCH] keys: Discard key spinlock and use RCU for key payload\n\nThe attached patch changes the key implementation in a number of ways:\n\n (1) It removes the spinlock from the key structure.\n\n (2) The key flags are now accessed using atomic bitops instead of\n write-locking the key spinlock and using C bitwise operators.\n\n The three instantiation flags are dealt with with the construction\n semaphore held during the request_key/instantiate/negate sequence, thus\n rendering the spinlock superfluous.\n\n The key flags are also now bit numbers not bit masks.\n\n (3) The key payload is now accessed using RCU. This permits the recursive\n keyring search algorithm to be simplified greatly since no locks need be\n taken other than the usual RCU preemption disablement. Searching now does\n not require any locks or semaphores to be held; merely that the starting\n keyring be pinned.\n\n (4) The keyring payload now includes an RCU head so that it can be disposed\n of by call_rcu(). This requires that the payload be copied on unlink to\n prevent introducing races in copy-down vs search-up.\n\n (5) The user key payload is now a structure with the data following it. It\n includes an RCU head like the keyring payload and for the same reason. It\n also contains a data length because the data length in the key may be\n changed on another CPU whilst an RCU protected read is in progress on the\n payload. This would then see the supposed RCU payload and the on-key data\n length getting out of sync.\n\n I\u0027m tempted to drop the key\u0027s datalen entirely, except that it\u0027s used in\n conjunction with quota management and so is a little tricky to get rid\n of.\n\n (6) Update the keys documentation.\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }