)]}' { "log": [ { "commit": "d9e66c7296f3a39f6ac847f11ada8ddf10a4f8b1", "tree": "99c4ff2a8a2ea9daaec22b37ad5deddf14a95c6a", "parents": [ "d0f35dde6e748fa1a3f5d8e23a200ad1d5a4a749" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Mar 29 16:34:56 2009 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Mar 31 23:00:28 2009 -0400" }, "message": "Don\u0027t crap into descriptor table in binfmt_som\n\nSame story as in binfmt_elf, except that in binfmt_som we\nactually forget to close the sucker.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d", "tree": "8f95617996d0974507f176163459212a7def8b9a", "parents": [ "d84f4f992cbd76e8f39c488cf0c5d123843923b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Make execve() take advantage of copy-on-write credentials\n\nMake execve() take advantage of copy-on-write credentials, allowing it to set\nup the credentials in advance, and then commit the whole lot after the point\nof no return.\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n The credential bits from struct linux_binprm are, for the most part,\n replaced with a single credentials pointer (bprm-\u003ecred). This means that\n all the creds can be calculated in advance and then applied at the point\n of no return with no possibility of failure.\n\n I would like to replace bprm-\u003ecap_effective with:\n\n\tcap_isclear(bprm-\u003ecap_effective)\n\n but this seems impossible due to special behaviour for processes of pid 1\n (they always retain their parent\u0027s capability masks where normally they\u0027d\n be changed - see cap_bprm_set_creds()).\n\n The following sequence of events now happens:\n\n (a) At the start of do_execve, the current task\u0027s cred_exec_mutex is\n \t locked to prevent PTRACE_ATTACH from obsoleting the calculation of\n \t creds that we make.\n\n (a) prepare_exec_creds() is then called to make a copy of the current\n \t task\u0027s credentials and prepare it. This copy is then assigned to\n \t bprm-\u003ecred.\n\n \t This renders security_bprm_alloc() and security_bprm_free()\n \t unnecessary, and so they\u0027ve been removed.\n\n (b) The determination of unsafe execution is now performed immediately\n \t after (a) rather than later on in the code. The result is stored in\n \t bprm-\u003eunsafe for future reference.\n\n (c) prepare_binprm() is called, possibly multiple times.\n\n \t (i) This applies the result of set[ug]id binaries to the new creds\n \t attached to bprm-\u003ecred. Personality bit clearance is recorded,\n \t but now deferred on the basis that the exec procedure may yet\n \t fail.\n\n (ii) This then calls the new security_bprm_set_creds(). This should\n\t calculate the new LSM and capability credentials into *bprm-\u003ecred.\n\n\t This folds together security_bprm_set() and parts of\n\t security_bprm_apply_creds() (these two have been removed).\n\t Anything that might fail must be done at this point.\n\n (iii) bprm-\u003ecred_prepared is set to 1.\n\n\t bprm-\u003ecred_prepared is 0 on the first pass of the security\n\t calculations, and 1 on all subsequent passes. This allows SELinux\n\t in (ii) to base its calculations only on the initial script and\n\t not on the interpreter.\n\n (d) flush_old_exec() is called to commit the task to execution. This\n \t performs the following steps with regard to credentials:\n\n\t (i) Clear pdeath_signal and set dumpable on certain circumstances that\n\t may not be covered by commit_creds().\n\n (ii) Clear any bits in current-\u003epersonality that were deferred from\n (c.i).\n\n (e) install_exec_creds() [compute_creds() as was] is called to install the\n \t new credentials. This performs the following steps with regard to\n \t credentials:\n\n (i) Calls security_bprm_committing_creds() to apply any security\n requirements, such as flushing unauthorised files in SELinux, that\n must be done before the credentials are changed.\n\n\t This is made up of bits of security_bprm_apply_creds() and\n\t security_bprm_post_apply_creds(), both of which have been removed.\n\t This function is not allowed to fail; anything that might fail\n\t must have been done in (c.ii).\n\n (ii) Calls commit_creds() to apply the new credentials in a single\n assignment (more or less). Possibly pdeath_signal and dumpable\n should be part of struct creds.\n\n\t (iii) Unlocks the task\u0027s cred_replace_mutex, thus allowing\n\t PTRACE_ATTACH to take place.\n\n (iv) Clears The bprm-\u003ecred pointer as the credentials it was holding\n are now immutable.\n\n (v) Calls security_bprm_committed_creds() to apply any security\n alterations that must be done after the creds have been changed.\n SELinux uses this to flush signals and signal handlers.\n\n (f) If an error occurs before (d.i), bprm_free() will call abort_creds()\n \t to destroy the proposed new credentials and will then unlock\n \t cred_replace_mutex. No changes to the credentials will have been\n \t made.\n\n (2) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_bprm_alloc(), -\u003ebprm_alloc_security()\n (*) security_bprm_free(), -\u003ebprm_free_security()\n\n \t Removed in favour of preparing new credentials and modifying those.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n (*) security_bprm_post_apply_creds(), -\u003ebprm_post_apply_creds()\n\n \t Removed; split between security_bprm_set_creds(),\n \t security_bprm_committing_creds() and security_bprm_committed_creds().\n\n (*) security_bprm_set(), -\u003ebprm_set_security()\n\n \t Removed; folded into security_bprm_set_creds().\n\n (*) security_bprm_set_creds(), -\u003ebprm_set_creds()\n\n \t New. The new credentials in bprm-\u003ecreds should be checked and set up\n \t as appropriate. bprm-\u003ecred_prepared is 0 on the first call, 1 on the\n \t second and subsequent calls.\n\n (*) security_bprm_committing_creds(), -\u003ebprm_committing_creds()\n (*) security_bprm_committed_creds(), -\u003ebprm_committed_creds()\n\n \t New. Apply the security effects of the new credentials. This\n \t includes closing unauthorised files in SELinux. This function may not\n \t fail. When the former is called, the creds haven\u0027t yet been applied\n \t to the process; when the latter is called, they have.\n\n \t The former may access bprm-\u003ecred, the latter may not.\n\n (3) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) The bprm_security_struct struct has been removed in favour of using\n \t the credentials-under-construction approach.\n\n (c) flush_unauthorized_files() now takes a cred pointer and passes it on\n \t to inode_has_perm(), file_has_perm() and dentry_open().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cde162c2a963dba6d1b6921b58917ef8f27f4150", "tree": "b72bf1d76d3dce7d5992a5e92578082d4c8ef56b", "parents": [ "6e144ee546b4bb4902524e639dc9c2cd4f7f97a4" ], "author": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Wed Oct 15 22:02:37 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Oct 16 11:21:38 2008 -0700" }, "message": "binfmt_som.c: add MODULE_LICENSE\n\nAdd the missing MODULE_LICENSE(\"GPL\").\n\nReported-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nCc: Matthew Wilcox \u003cmatthew@wil.cx\u003e\nCc: Grant Grundler \u003cgrundler@parisc-linux.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "6341c393fcc37d58727865f1ee2f65e632e9d4f0", "tree": "6e88d928e17f663b225884e81877a7a069d7c514", "parents": [ "88ac2921a71f788ed693bcd44731dd6bc1994640" ], "author": { "name": "Roland McGrath", "email": "roland@redhat.com", "time": "Fri Jul 25 19:45:44 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Jul 26 12:00:08 2008 -0700" }, "message": "tracehook: exec\n\nThis moves all the ptrace hooks related to exec into tracehook.h inlines.\n\nThis also lifts the calls for tracing out of the binfmt load_binary hooks\ninto search_binary_handler() after it calls into the binfmt module. This\nchange has no effect, since all the binfmt modules\u0027 load_binary functions\ndid the call at the end on success, and now search_binary_handler() does\nit immediately after return if successful. We consolidate the repeated\ncode, and binfmt modules no longer need to import ptrace_notify().\n\nSigned-off-by: Roland McGrath \u003croland@redhat.com\u003e\nCc: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nReviewed-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "fd8328be874f4190a811c58cd4778ec2c74d2c05", "tree": "b44ae8e99ce96a1a4739b04d4d1a23c40ab8b163", "parents": [ "6b335d9c80d7f3c2a3f6545f664ae9007a0f3821" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Apr 22 05:11:59 2008 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri Apr 25 09:23:53 2008 -0400" }, "message": "[PATCH] sanitize handling of shared descriptor tables in failing execve()\n\n* unshare_files() can fail; doing it after irreversible actions is wrong\n and de_thread() is certainly irreversible.\n* since we do it unconditionally anyway, we might as well do it in do_execve()\n and save ourselves the PITA in binfmt handlers, etc.\n* while we are at it, binfmt_som actually leaked files_struct on failure.\n\nAs a side benefit, unshare_files(), put_files_struct() and reset_files_struct()\nbecome unexported.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "1eb114112381eb66ebacdace1b6e70d30d603f9c", "tree": "3b97926b1a90aa996f99a23281809c3d960fd3d8", "parents": [ "7fa3031500ec9b0a7460c8c23751799006ffee74" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Feb 08 04:19:29 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Feb 08 09:22:30 2008 -0800" }, "message": "aout: remove unnecessary inclusions of {asm, linux}/a.out.h\n\nRemove now unnecessary inclusions of {asm,linux}/a.out.h.\n\n[akpm@linux-foundation.org: fix alpha build]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: \u003clinux-arch@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "7dc0b22e3c54f1f4730354fef84a20f5944f6c5e", "tree": "8b281ed3315699eb0b21f00b5933b6222add5b5a", "parents": [ "8e2b705649e294f43a8cd1ea79e4c594c0bd1d9d" ], "author": { "name": "Neil Horman", "email": "nhorman@tuxdriver.com", "time": "Tue Oct 16 23:26:34 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:42:50 2007 -0700" }, "message": "core_pattern: ignore RLIMIT_CORE if core_pattern is a pipe\n\nFor some time /proc/sys/kernel/core_pattern has been able to set its output\ndestination as a pipe, allowing a user space helper to receive and\nintellegently process a core. This infrastructure however has some\nshortcommings which can be enhanced. Specifically:\n\n1) The coredump code in the kernel should ignore RLIMIT_CORE limitation\n when core_pattern is a pipe, since file system resources are not being\n consumed in this case, unless the user application wishes to save the core,\n at which point the app is restricted by usual file system limits and\n restrictions.\n\n2) The core_pattern code should be able to parse and pass options to the\n user space helper as an argv array. The real core limit of the uid of the\n crashing proces should also be passable to the user space helper (since it\n is overridden to zero when called).\n\n3) Some miscellaneous bugs need to be cleaned up (specifically the\n recognition of a recursive core dump, should the user mode helper itself\n crash. Also, the core dump code in the kernel should not wait for the user\n mode helper to exit, since the same context is responsible for writing to\n the pipe, and a read of the pipe by the user mode helper will result in a\n deadlock.\n\nThis patch:\n\nRemove the check of RLIMIT_CORE if core_pattern is a pipe. In the event that\ncore_pattern is a pipe, the entire core will be fed to the user mode helper.\n\nSigned-off-by: Neil Horman \u003cnhorman@tuxdriver.com\u003e\nCc: \u003cmartin.pitt@ubuntu.com\u003e\nCc: \u003cwwoods@redhat.com\u003e\nCc: Jeremy Fitzhardinge \u003cjeremy@goop.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "dc02747da7897cb89b62bb08aeb06fa0bb1e7319", "tree": "8c1c43d4d98b24f92d68592462be8140b7795ba8", "parents": [ "8d0b7d1055bedca784b143b0af9b37bd971b7cd2" ], "author": { "name": "Matthew Wilcox", "email": "matthew@wil.cx", "time": "Sun Sep 24 13:35:50 2006 -0600" }, "committer": { "name": "Matthew Wilcox", "email": "willy@parisc-linux.org", "time": "Wed Oct 04 06:51:26 2006 -0600" }, "message": "[PARISC] Fix fs/binfmt_som.c\n\nFix compilation (missing include of a.out.h)\nFix security hole (need to call unshare_files)\n\nSigned-off-by: Matthew Wilcox \u003cmatthew@wil.cx\u003e\nSigned-off-by: Kyle McMartin \u003ckyle@parisc-linux.org\u003e\n" }, { "commit": "6ab3d5624e172c553004ecc862bfeac16d9d68b7", "tree": "6d98881fe91fd9583c109208d5c27131b93fa248", "parents": [ "e02169b682bc448ccdc819dc8639ed34a23cedd8" ], "author": { "name": "Jörn Engel", "email": "joern@wohnheim.fh-wedel.de", "time": "Fri Jun 30 19:25:36 2006 +0200" }, "committer": { "name": "Adrian Bunk", "email": "bunk@stusta.de", "time": "Fri Jun 30 19:25:36 2006 +0200" }, "message": "Remove obsolete #include \u003clinux/config.h\u003e\n\nSigned-off-by: Jörn Engel \u003cjoern@wohnheim.fh-wedel.de\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\n" }, { "commit": "404351e67a9facb475abf1492245374a28d13e90", "tree": "5ef4e78b399b36a46eda339ad0cd27556fc5b9a2", "parents": [ "fc2acab31be8e869b2d5f6de12f557f6f054f19c" ], "author": { "name": "Hugh Dickins", "email": "hugh@veritas.com", "time": "Sat Oct 29 18:16:04 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sat Oct 29 21:40:38 2005 -0700" }, "message": "[PATCH] mm: mm_init set_mm_counters\n\nHow is anon_rss initialized? In dup_mmap, and by mm_alloc\u0027s memset; but\nthat\u0027s not so good if an mm_counter_t is a special type. And how is rss\ninitialized? By set_mm_counter, all over the place. Come on, we just need to\ninitialize them both at once by set_mm_counter in mm_init (which follows the\nmemcpy when forking).\n\nSigned-off-by: Hugh Dickins \u003chugh@veritas.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }