)]}' { "log": [ { "commit": "58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2", "tree": "41132587adbb6816b56b9d28105826b8ef0fd7b9", "parents": [ "389fb800ac8be2832efedd19978a2b8ced37eb61" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Mar 27 17:10:41 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Mar 28 15:01:37 2009 +1100" }, "message": "selinux: Remove the \"compat_net\" compatibility code\n\nThe SELinux \"compat_net\" is marked as deprecated, the time has come to\nfinally remove it from the kernel. Further code simplifications are\nlikely in the future, but this patch was intended to be a simple,\nstraight-up removal of the compat_net code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "389fb800ac8be2832efedd19978a2b8ced37eb61", "tree": "fa0bc16050dfb491aa05f76b54fa4c167de96376", "parents": [ "284904aa79466a4736f4c775fdbe5c7407fa136c" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Mar 27 17:10:34 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Mar 28 15:01:36 2009 +1100" }, "message": "netlabel: Label incoming TCP connections correctly in SELinux\n\nThe current NetLabel/SELinux behavior for incoming TCP connections works but\nonly through a series of happy coincidences that rely on the limited nature of\nstandard CIPSO (only able to convey MLS attributes) and the write equality\nimposed by the SELinux MLS constraints. The problem is that network sockets\ncreated as the result of an incoming TCP connection were not on-the-wire\nlabeled based on the security attributes of the parent socket but rather based\non the wire label of the remote peer. The issue had to do with how IP options\nwere managed as part of the network stack and where the LSM hooks were in\nrelation to the code which set the IP options on these newly created child\nsockets. While NetLabel/SELinux did correctly set the socket\u0027s on-the-wire\nlabel it was promptly cleared by the network stack and reset based on the IP\noptions of the remote peer.\n\nThis patch, in conjunction with a prior patch that adjusted the LSM hook\nlocations, works to set the correct on-the-wire label format for new incoming\nconnections through the security_inet_conn_request() hook. Besides the\ncorrect behavior there are many advantages to this change, the most significant\nis that all of the NetLabel socket labeling code in SELinux now lives in hooks\nwhich can return error codes to the core stack which allows us to finally get\nride of the selinux_netlbl_inode_permission() logic which greatly simplfies\nthe NetLabel/SELinux glue code. In the process of developing this patch I\nalso ran into a small handful of AF_INET6 cleanliness issues that have been\nfixed which should make the code safer and easier to extend in the future.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "703a3cd72817e99201cef84a8a7aecc60b2b3581", "tree": "3e943755178ff410694722bb031f523136fbc432", "parents": [ "df7f54c012b92ec93d56b68547351dcdf8a163d3", "8e0ee43bc2c3e19db56a4adaa9a9b04ce885cd84" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 24 10:52:46 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 24 10:52:46 2009 +1100" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "df7f54c012b92ec93d56b68547351dcdf8a163d3", "tree": "07039542feca94d4d467c430521319950819a4e1", "parents": [ "dd34b5d75a0405814a3de83f02a44ac297e81629" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Mar 09 14:35:58 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 10 08:40:02 2009 +1100" }, "message": "SELinux: inode_doinit_with_dentry drop no dentry printk\n\nDrop the printk message when an inode is found without an associated\ndentry. This should only happen when userspace can\u0027t be accessing those\ninodes and those labels will get set correctly on the next d_instantiate.\nThus there is no reason to send this message.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "dd34b5d75a0405814a3de83f02a44ac297e81629", "tree": "f24939a7b7f6b33c44939ee4022d7e95b3f670b6", "parents": [ "6a25b27d602aac24f3c642722377ba5d778417ec" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 05 13:43:35 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Mar 06 08:50:21 2009 +1100" }, "message": "SELinux: new permission between tty audit and audit socket\n\nNew selinux permission to separate the ability to turn on tty auditing from\nthe ability to set audit rules.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6a25b27d602aac24f3c642722377ba5d778417ec", "tree": "ba334617326c65ccd98e7f4733c75fa0ac2ae5ca", "parents": [ "113a0e4590881ce579ca992a80ddc562b3372ede" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 05 13:40:35 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Mar 06 08:50:18 2009 +1100" }, "message": "SELinux: open perm for sock files\n\nWhen I did open permissions I didn\u0027t think any sockets would have an open.\nTurns out AF_UNIX sockets can have an open when they are bound to the\nfilesystem namespace. This patch adds a new SOCK_FILE__OPEN permission.\nIt\u0027s safe to add this as the open perms are already predicated on\ncapabilities and capabilities means we have unknown perm handling so\nsystems should be as backwards compatible as the policy wants them to\nbe.\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id\u003d475224\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d7f59dc4642ce2fc7b79fcd4ec02ffce7f21eb02", "tree": "1557550ed6478a38cc04ad480a5977580d97b5cd", "parents": [ "778ef1e6cbb049c9bcbf405936ee6f2b6e451892" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Feb 27 15:00:03 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Mar 02 09:30:04 2009 +1100" }, "message": "selinux: Fix a panic in selinux_netlbl_inode_permission()\n\nRick McNeal from LSI identified a panic in selinux_netlbl_inode_permission()\ncaused by a certain sequence of SUNRPC operations. The problem appears to be\ndue to the lack of NULL pointer checking in the function; this patch adds the\npointer checks so the function will exit safely in the cases where the socket\nis not completely initialized.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "09c50b4a52c01a1f450b8eec819089e228655bfb", "tree": "d97bcaf9544e58a8a6bc6aeb40ca9793411d3e79", "parents": [ "586c25003707067f074043d80fb2071671c58db0" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Feb 20 16:33:02 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Feb 23 10:05:55 2009 +1100" }, "message": "selinux: Fix the NetLabel glue code for setsockopt()\n\nAt some point we (okay, I) managed to break the ability for users to use the\nsetsockopt() syscall to set IPv4 options when NetLabel was not active on the\nsocket in question. The problem was noticed by someone trying to use the\n\"-R\" (record route) option of ping:\n\n # ping -R 10.0.0.1\n ping: record route: No message of desired type\n\nThe solution is relatively simple, we catch the unlabeled socket case and\nclear the error code, allowing the operation to succeed. Please note that we\nstill deny users the ability to override IPv4 options on socket\u0027s which have\nNetLabel labeling active; this is done to ensure the labeling remains intact.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "26036651c562609d1f52d181f9d2cccbf89929b1", "tree": "db68ab98d574d6763f562ac87cc7810385496f22", "parents": [ "edf3d1aecd0d608acbd561b0c527e1d41abcb657" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 14:51:04 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:23:48 2009 +1100" }, "message": "SELinux: convert the avc cache hash list to an hlist\n\nWe do not need O(1) access to the tail of the avc cache lists and so we are\nwasting lots of space using struct list_head instead of struct hlist_head.\nThis patch converts the avc cache to use hlists in which there is a single\npointer from the head which saves us about 4k of global memory.\n\nResulted in about a 1.5% decrease in time spent in avc_has_perm_noaudit based\non oprofile sampling of tbench. Although likely within the noise....\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "edf3d1aecd0d608acbd561b0c527e1d41abcb657", "tree": "49d88ec27a59f602784b47e2f951934d245f7de8", "parents": [ "f1c6381a6e337adcecf84be2a838bd9e610e2365" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 14:50:59 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:23:45 2009 +1100" }, "message": "SELinux: code readability with avc_cache\n\nThe code making use of struct avc_cache was not easy to read thanks to liberal\nuse of \u0026avc_cache.{slots_lock,slots}[hvalue] throughout. This patch simply\ncreates local pointers and uses those instead of the long global names.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f1c6381a6e337adcecf84be2a838bd9e610e2365", "tree": "a6e0857db27a38b0976fb422836f9443241b4b61", "parents": [ "21193dcd1f3570ddfd8a04f4465e484c1f94252f" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 14:50:54 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:23:08 2009 +1100" }, "message": "SELinux: remove unused av.decided field\n\nIt appears there was an intention to have the security server only decide\ncertain permissions and leave other for later as some sort of a portential\nperformance win. We are currently always deciding all 32 bits of\npermissions and this is a useless couple of branches and wasted space.\nThis patch completely drops the av.decided concept.\n\nThis in a 17% reduction in the time spent in avc_has_perm_noaudit\nbased on oprofile sampling of a tbench benchmark.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "21193dcd1f3570ddfd8a04f4465e484c1f94252f", "tree": "b6cab3861103261a3ab27ff3ea3485cb53af5a92", "parents": [ "906d27d9d28fd50fb40026e56842d8f6806a7a04" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 14:50:49 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:23:04 2009 +1100" }, "message": "SELinux: more careful use of avd in avc_has_perm_noaudit\n\nwe are often needlessly jumping through hoops when it comes to avd\nentries in avc_has_perm_noaudit and we have extra initialization and memcpy\nwhich are just wasting performance. Try to clean the function up a bit.\n\nThis patch resulted in a 13% drop in time spent in avc_has_perm_noaudit in my\noprofile sampling of a tbench benchmark.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "906d27d9d28fd50fb40026e56842d8f6806a7a04", "tree": "4f73e1396a09349a307f38b1de19767f558bedb1", "parents": [ "a5dda683328f99c781f92c66cc52ffc0639bef58" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 14:50:43 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:22:37 2009 +1100" }, "message": "SELinux: remove the unused ae.used\n\nCurrently SELinux code has an atomic which was intended to track how many\ntimes an avc entry was used and to evict entries when they haven\u0027t been\nused recently. Instead we never let this atomic get above 1 and evict when\nit is first checked for eviction since it hits zero. This is a total waste\nof time so I\u0027m completely dropping ae.used.\n\nThis change resulted in about a 3% faster avc_has_perm_noaudit when running\noprofile against a tbench benchmark.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a5dda683328f99c781f92c66cc52ffc0639bef58", "tree": "2432f51e505fd9242f7081d5bf4e21ff322b73d6", "parents": [ "4cb912f1d1447077160ace9ce3b3a10696dd74e5" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 14:50:11 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:22:34 2009 +1100" }, "message": "SELinux: check seqno when updating an avc_node\n\nThe avc update node callbacks do not check the seqno of the caller with the\nseqno of the node found. It is possible that a policy change could happen\n(although almost impossibly unlikely) in which a permissive or\npermissive_domain decision is not valid for the entry found. Simply pass\nand check that the seqno of the caller and the seqno of the node found\nmatch.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4cb912f1d1447077160ace9ce3b3a10696dd74e5", "tree": "916f112de07ca626b0f398a0fc85943f15306146", "parents": [ "4ba0a8ad63e12a03ae01c039482967cc496b9174" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 14:50:05 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:22:30 2009 +1100" }, "message": "SELinux: NULL terminate al contexts from disk\n\nWhen a context is pulled in from disk we don\u0027t know that it is null\nterminated. This patch forecebly null terminates contexts when we pull\nthem from disk.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4ba0a8ad63e12a03ae01c039482967cc496b9174", "tree": "340aa55aa98cc42c33cff4297f0813f14f46b121", "parents": [ "200ac532a4bc3134147ca06686c56a6420e66c46" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 15:01:10 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:22:27 2009 +1100" }, "message": "SELinux: better printk when file with invalid label found\n\nCurrently when an inode is read into the kernel with an invalid label\nstring (can often happen with removable media) we output a string like:\n\nSELinux: inode_doinit_with_dentry: context_to_sid([SOME INVALID LABEL])\nreturned -22 dor dev\u003d[blah] ino\u003d[blah]\n\nWhich is all but incomprehensible to all but a couple of us. Instead, on\nEINVAL only, I plan to output a much more user friendly string and I plan to\nratelimit the printk since many of these could be generated very rapidly.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "200ac532a4bc3134147ca06686c56a6420e66c46", "tree": "f9b1779458df389052c758ea23cf61695a021e67", "parents": [ "b53fab9d48e9bd9aeba0b500dec550becd981a91" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 15:01:04 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:22:24 2009 +1100" }, "message": "SELinux: call capabilities code directory\n\nFor cleanliness and efficiency remove all calls to secondary-\u003e and instead\ncall capabilities code directly. capabilities are the only module that\nselinux stacks with and so the code should not indicate that other stacking\nmight be possible.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cb5629b10d64a8006622ce3a52bc887d91057d69", "tree": "7c06d8f30783115e3384721046258ce615b129c5", "parents": [ "8920d5ad6ba74ae8ab020e90cc4d976980e68701", "f01d1d546abb2f4028b5299092f529eefb01253a" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 06 11:01:45 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 06 11:01:45 2009 +1100" }, "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tfs/namei.c\n\nManually merged per:\n\ndiff --cc fs/namei.c\nindex 734f2b5,bbc15c2..0000000\n--- a/fs/namei.c\n+++ b/fs/namei.c\n@@@ -860,9 -848,8 +849,10 @@@ static int __link_path_walk(const char\n \t\tnd-\u003eflags |\u003d LOOKUP_CONTINUE;\n \t\terr \u003d exec_permission_lite(inode);\n \t\tif (err \u003d\u003d -EAGAIN)\n- \t\t\terr \u003d vfs_permission(nd, MAY_EXEC);\n+ \t\t\terr \u003d inode_permission(nd-\u003epath.dentry-\u003ed_inode,\n+ \t\t\t\t\t MAY_EXEC);\n +\t\tif (!err)\n +\t\t\terr \u003d ima_path_check(\u0026nd-\u003epath, MAY_EXEC);\n \t\tif (err)\n \t\t\tbreak;\n\n@@@ -1525,14 -1506,9 +1509,14 @@@ int may_open(struct path *path, int acc\n \t\tflag \u0026\u003d ~O_TRUNC;\n \t}\n\n- \terror \u003d vfs_permission(nd, acc_mode);\n+ \terror \u003d inode_permission(inode, acc_mode);\n \tif (error)\n \t\treturn error;\n +\n- \terror \u003d ima_path_check(\u0026nd-\u003epath,\n++\terror \u003d ima_path_check(path,\n +\t\t\t acc_mode \u0026 (MAY_READ | MAY_WRITE | MAY_EXEC));\n +\tif (error)\n +\t\treturn error;\n \t/*\n \t * An append-only file must be opened in append mode for writing.\n \t */\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5626d3e86141390c8efc7bcb929b6a4b58b00480", "tree": "aafff4163d6bc40f78c025fe3c4f8eda232ef5c9", "parents": [ "95c14904b6f6f8a35365f0c58d530c85b4fb96b4" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 10:05:06 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Feb 02 09:20:34 2009 +1100" }, "message": "selinux: remove hooks which simply defer to capabilities\n\nRemove SELinux hooks which do nothing except defer to the capabilites\nhooks (or in one case, replicates the function).\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "95c14904b6f6f8a35365f0c58d530c85b4fb96b4", "tree": "a228c81abe6409c61f7c90f7cebeebcb3da902af", "parents": [ "5c4054ccfafb6a446e9b65c524af1741656c6c60" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:37:58 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:16 2009 +1100" }, "message": "selinux: remove secondary ops call to shm_shmat\n\nRemove secondary ops call to shm_shmat, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5c4054ccfafb6a446e9b65c524af1741656c6c60", "tree": "6d54e11d617e4daf53c3afc5c1edb321b32d9315", "parents": [ "2cbbd19812b7636c1c37bcf50c403e7af5278d73" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:34:53 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:15 2009 +1100" }, "message": "selinux: remove secondary ops call to unix_stream_connect\n\nRemove secondary ops call to unix_stream_connect, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2cbbd19812b7636c1c37bcf50c403e7af5278d73", "tree": "e12a8b56308adc047d77ed5e52b0c8a28304d80b", "parents": [ "ef76e748faa823a738d632ee4c8ed9adaabc8a40" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:32:50 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:14 2009 +1100" }, "message": "selinux: remove secondary ops call to task_kill\n\nRemove secondary ops call to task_kill, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ef76e748faa823a738d632ee4c8ed9adaabc8a40", "tree": "af59b8bad81255e4b22e36749dd702cb8db543b1", "parents": [ "ca5143d3ff3c7a4e1c2c8bdcf0f53aea227a7722" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:30:28 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:13 2009 +1100" }, "message": "selinux: remove secondary ops call to task_setrlimit\n\nRemove secondary ops call to task_setrlimit, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ca5143d3ff3c7a4e1c2c8bdcf0f53aea227a7722", "tree": "1b86d2487e8051664c6d0b2cf959ff0131f8371e", "parents": [ "af294e41d0c95a291cc821a1b43ec2cd13976a8b" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:26:14 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:12 2009 +1100" }, "message": "selinux: remove unused cred_commit hook\n\nRemove unused cred_commit hook from SELinux. This\ncurrently calls into the capabilities hook, which is a noop.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "af294e41d0c95a291cc821a1b43ec2cd13976a8b", "tree": "051fcc87fd27422af41809fb25e821c7b3b4a628", "parents": [ "d541bbee6902d5ffb8a03d63ac8f4b1364c2ff93" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:23:36 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:11 2009 +1100" }, "message": "selinux: remove secondary ops call to task_create\n\nRemove secondary ops call to task_create, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d541bbee6902d5ffb8a03d63ac8f4b1364c2ff93", "tree": "f6b3f9547807d9eb8995885f259e4d5140d70405", "parents": [ "438add6b32d9295db6e3ecd4d9e137086ec5b5d9" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:19:51 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:11 2009 +1100" }, "message": "selinux: remove secondary ops call to file_mprotect\n\nRemove secondary ops call to file_mprotect, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "438add6b32d9295db6e3ecd4d9e137086ec5b5d9", "tree": "70658fa14a51af66a3359e306d263955d3eaf13f", "parents": [ "188fbcca9dd02f15dcf45cfc51ce0dd6c13993f6" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:15:59 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:10 2009 +1100" }, "message": "selinux: remove secondary ops call to inode_setattr\n\nRemove secondary ops call to inode_setattr, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "188fbcca9dd02f15dcf45cfc51ce0dd6c13993f6", "tree": "92523a4606e5ac1e29d61286c4f1f3851eec5553", "parents": [ "f51115b9ab5b9cfd0b7be1cce75afbf3ffbcdd87" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:14:03 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:09 2009 +1100" }, "message": "selinux: remove secondary ops call to inode_permission\n\nRemove secondary ops call to inode_permission, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f51115b9ab5b9cfd0b7be1cce75afbf3ffbcdd87", "tree": "bc93812358e9a76c24ca970224fcd8298fe8b80c", "parents": [ "dd4907a6d4e038dc65839fcd4030ebefe2f5f439" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:10:56 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:08 2009 +1100" }, "message": "selinux: remove secondary ops call to inode_follow_link\n\nRemove secondary ops call to inode_follow_link, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "dd4907a6d4e038dc65839fcd4030ebefe2f5f439", "tree": "1ad9f9754d9b929f7003cdf1a30a2f8ee5b04e3a", "parents": [ "e4737250b751b4e0e802adae9a4d3ae0227b580b" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:08:34 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:07 2009 +1100" }, "message": "selinux: remove secondary ops call to inode_mknod\n\nRemove secondary ops call to inode_mknod, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e4737250b751b4e0e802adae9a4d3ae0227b580b", "tree": "98b121f355b548e02369cebfc8d871a805724d00", "parents": [ "efdfac437607e4acfed66c383091a376525eaec4" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 12:00:08 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:06 2009 +1100" }, "message": "selinux: remove secondary ops call to inode_unlink\n\nRemove secondary ops call to inode_unlink, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "efdfac437607e4acfed66c383091a376525eaec4", "tree": "6fd072bfca2ff589f8b5c7ed5274f91bb079c6c3", "parents": [ "97422ab9ef45118cb7418d799dc69040f17108ce" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 11:57:34 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:06 2009 +1100" }, "message": "selinux: remove secondary ops call to inode_link\n\nRemove secondary ops call to inode_link, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "97422ab9ef45118cb7418d799dc69040f17108ce", "tree": "2dd03b47495711916bc86cc79c23197bbdd1c965", "parents": [ "ef935b9136eeaa203f75bf0b4d6e398c29f44d27" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 11:55:02 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:05 2009 +1100" }, "message": "selinux: remove secondary ops call to sb_umount\n\nRemove secondary ops call to sb_umount, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ef935b9136eeaa203f75bf0b4d6e398c29f44d27", "tree": "22f961625dda1d64cd78f443bb7023ac16eb860d", "parents": [ "5565b0b865f672e3d7e31936ad1d40710ab7bfc4" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 11:51:11 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:04 2009 +1100" }, "message": "selinux: remove secondary ops call to sb_mount\n\nRemove secondary ops call to sb_mount, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5565b0b865f672e3d7e31936ad1d40710ab7bfc4", "tree": "85ad552370fc50fbbe5426e62e6c4f320f7d4461", "parents": [ "2ec5dbe23d68bddc043a85d1226bfc499a724b1c" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 11:47:49 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:03 2009 +1100" }, "message": "selinux: remove secondary ops call to bprm_committed_creds\n\nRemove secondary ops call to bprm_committed_creds, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2ec5dbe23d68bddc043a85d1226bfc499a724b1c", "tree": "f0c87a4250b4531fe6c6cac2b1f9117292efcdc1", "parents": [ "bc05595845f58c065adc0763a678187647ec040f" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 11:46:14 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:02 2009 +1100" }, "message": "selinux: remove secondary ops call to bprm_committing_creds\n\nRemove secondary ops call to bprm_committing_creds, which is\na noop in capabilities.\n\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bc05595845f58c065adc0763a678187647ec040f", "tree": "b8126f1aadcac62f87ebd34fc44e48488ddf716e", "parents": [ "cd89596f0ccfa3ccb8a81ce47782231cf7ea7296" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 29 11:28:33 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 30 08:55:01 2009 +1100" }, "message": "selinux: remove unused bprm_check_security hook\n\nRemove unused bprm_check_security hook from SELinux. This\ncurrently calls into the capabilities hook, which is a noop.\n\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cd89596f0ccfa3ccb8a81ce47782231cf7ea7296", "tree": "d91149851e14a21d1e535c325aa93ebd15130f51", "parents": [ "11689d47f0957121920c9ec646eb5d838755853a" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jan 16 09:22:04 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@macbook.localdomain", "time": "Mon Jan 19 09:47:14 2009 +1100" }, "message": "SELinux: Unify context mount and genfs behavior\n\nContext mounts and genfs labeled file systems behave differently with respect to\nsetting file system labels. This patch brings genfs labeled file systems in line\nwith context mounts in that setxattr calls to them should return EOPNOTSUPP and\nfscreate calls will be ignored.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@macbook.localdomain\u003e\n" }, { "commit": "11689d47f0957121920c9ec646eb5d838755853a", "tree": "187b4179c0b7b9430bb9e62f6bba474a2d011235", "parents": [ "0d90a7ec48c704025307b129413bc62451b20ab3" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jan 16 09:22:03 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@macbook.localdomain", "time": "Mon Jan 19 09:47:06 2009 +1100" }, "message": "SELinux: Add new security mount option to indicate security label support.\n\nThere is no easy way to tell if a file system supports SELinux security labeling.\nBecause of this a new flag is being added to the super block security structure\nto indicate that the particular super block supports labeling. This flag is set\nfor file systems using the xattr, task, and transition labeling methods unless\nthat behavior is overridden by context mounts.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@macbook.localdomain\u003e\n" }, { "commit": "0d90a7ec48c704025307b129413bc62451b20ab3", "tree": "38cc8a7f5ff3afaccd16d2978455ccc002d69933", "parents": [ "c8334dc8fb6413b363df3e1419e287f5b25bce32" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jan 16 09:22:02 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@macbook.localdomain", "time": "Mon Jan 19 09:46:40 2009 +1100" }, "message": "SELinux: Condense super block security structure flags and cleanup necessary code.\n\nThe super block security structure currently has three fields for what are\nessentially flags. The flags field is used for mount options while two other\nchar fields are used for initialization and proc flags. These latter two fields are\nessentially bit fields since the only used values are 0 and 1. These fields\nhave been collapsed into the flags field and new bit masks have been added for\nthem. The code is also fixed to work with these new flags.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@macbook.localdomain\u003e\n" }, { "commit": "ac8cc0fa5395fe2278e305a4cbed48e90d88d878", "tree": "515f577bfddd054ee4373228be7c974dfb8133af", "parents": [ "238c6d54830c624f34ac9cf123ac04aebfca5013", "3699c53c485bf0168e6500d0ed18bf931584dd7c" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:58:22 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:58:22 2009 +1100" }, "message": "Merge branch \u0027next\u0027 into for-linus\n" }, { "commit": "3699c53c485bf0168e6500d0ed18bf931584dd7c", "tree": "eee63a8ddbdb0665bc6a4a053a2405ca7a5b867f", "parents": [ "29881c4502ba05f46bc12ae8053d4e08d7e2615c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jan 06 22:27:01 2009 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:38:48 2009 +1100" }, "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #3]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 3b11a1decef07c19443d24ae926982bc8ec9f4c0\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Fri Nov 14 10:39:26 2008 +1100\n\n\t CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds. However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change passes the set of credentials to be tested down into the commoncap\nand SELinux code. The security functions called by capable() and\nhas_capability() select the appropriate set of credentials from the process\nbeing checked.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n * t_access_root.c - trivial test program to show permission bug.\n *\n * Written by Michael Kerrisk - copyright ownership not pursued.\n * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n perror(msg);\n exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n int fd, perm, uid, gid;\n char *testpath;\n char cmd[PATH_MAX + 20];\n\n testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n gid \u003d (argc \u003e 4) ? atoi(argv[4]) : GID;\n\n unlink(testpath);\n\n fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n if (fd \u003d\u003d -1) errExit(\"open\");\n\n if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n close(fd);\n\n snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n system(cmd);\n\n if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n accessTest(testpath, 0, \"0\");\n accessTest(testpath, R_OK, \"R_OK\");\n accessTest(testpath, W_OK, \"W_OK\");\n accessTest(testpath, X_OK, \"X_OK\");\n accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem. If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: J. Bruce Fields \u003cbfields@citi.umich.edu\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "29881c4502ba05f46bc12ae8053d4e08d7e2615c", "tree": "536ea4ac63554e836438bd5f370ddecaa343f1f4", "parents": [ "76f7ba35d4b5219fcc4cb072134c020ec77d030d" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:21:54 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:21:54 2009 +1100" }, "message": "Revert \"CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\"\n\nThis reverts commit 14eaddc967b16017d4a1a24d2be6c28ecbe06ed8.\n\nDavid has a better version to come.\n" }, { "commit": "520c85346666d4d9a6fcaaa8450542302dc28b91", "tree": "9c9cc9e2493b606104dd8602302ae28258ebeac0", "parents": [ "e8c82c2e23e3527e0c9dc195e432c16784d270fa", "4ae8978cf92a96257cd8998a49e781be83571d64" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 05 18:32:06 2009 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 05 18:32:06 2009 -0800" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:\n inotify: fix type errors in interfaces\n fix breakage in reiserfs_new_inode()\n fix the treatment of jfs special inodes\n vfs: remove duplicate code in get_fs_type()\n add a vfs_fsync helper\n sys_execve and sys_uselib do not call into fsnotify\n zero i_uid/i_gid on inode allocation\n inode-\u003ei_op is never NULL\n ntfs: don\u0027t NULL i_op\n isofs check for NULL -\u003ei_op in root directory is dead code\n affs: do not zero -\u003ei_op\n kill suid bit only for regular files\n vfs: lseek(fd, 0, SEEK_CUR) race condition\n" }, { "commit": "56ff5efad96182f4d3cb3dc6b07396762c658f16", "tree": "cb91f93aa2324573527165d56d230b606a3111ed", "parents": [ "acfa4380efe77e290d3a96b11cd4c9f24f4fbb18" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Dec 09 09:34:39 2008 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Jan 05 11:54:28 2009 -0500" }, "message": "zero i_uid/i_gid on inode allocation\n\n... and don\u0027t bother in callers. Don\u0027t bother with zeroing i_blocks,\nwhile we are at it - it\u0027s already been zeroed.\n\ni_mode is not worth the effort; it has no common default value.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "76f7ba35d4b5219fcc4cb072134c020ec77d030d", "tree": "971ec5f913a688d98e9be2a04b0c675adcc4166b", "parents": [ "14eaddc967b16017d4a1a24d2be6c28ecbe06ed8" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jan 02 17:40:06 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 05 19:19:55 2009 +1100" }, "message": "SELinux: shrink sizeof av_inhert selinux_class_perm and context\n\nI started playing with pahole today and decided to put it against the\nselinux structures. Found we could save a little bit of space on x86_64\n(and no harm on i686) just reorganizing some structs.\n\nObject size changes:\nav_inherit: 24 -\u003e 16\nselinux_class_perm: 48 -\u003e 40\ncontext: 80 -\u003e 72\n\nAdmittedly there aren\u0027t many of av_inherit or selinux_class_perm\u0027s in\nthe kernel (33 and 1 respectively) But the change to the size of struct\ncontext reverberate out a bit. I can get some hard number if they are\nneeded, but I don\u0027t see why they would be. We do change which cacheline\ncontext-\u003elen and context-\u003estr would be on, but I don\u0027t see that as a\nproblem since we are clearly going to have to load both if the context\nis to be of any value. I\u0027ve run with the patch and don\u0027t seem to be\nhaving any problems.\n\nAn example of what\u0027s going on using struct av_inherit would be:\n\nform: to:\nstruct av_inherit {\t\t\tstruct av_inherit {\n\tu16 tclass;\t\t\t\tconst char **common_pts;\n\tconst char **common_pts;\t\tu32 common_base;\n\tu32 common_base;\t\t\tu16 tclass;\n};\n\n(notice all I did was move u16 tclass to the end of the struct instead\nof the beginning)\n\nMemory layout before the change:\nstruct av_inherit {\n\tu16 tclass; /* 2 */\n\t/* 6 bytes hole */\n\tconst char** common_pts; /* 8 */\n\tu32 common_base; /* 4 */\n\t/* 4 byes padding */\n\n\t/* size: 24, cachelines: 1 */\n\t/* sum members: 14, holes: 1, sum holes: 6 */\n\t/* padding: 4 */\n};\n\nMemory layout after the change:\nstruct av_inherit {\n\tconst char ** common_pts; /* 8 */\n\tu32 common_base; /* 4 */\n\tu16 tclass; /* 2 */\n\t/* 2 bytes padding */\n\n\t/* size: 16, cachelines: 1 */\n\t/* sum members: 14, holes: 0, sum holes: 0 */\n\t/* padding: 2 */\n};\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "14eaddc967b16017d4a1a24d2be6c28ecbe06ed8", "tree": "ce10216d592f0fa89ae02c4e4e9e9497010e7714", "parents": [ "5c8c40be4b5a2944483bfc1a45d6c3fa02551af3" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Dec 31 15:15:42 2008 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 05 11:17:04 2009 +1100" }, "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 5ff7711e635b32f0a1e558227d030c7e45b4a465\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Wed Dec 31 02:52:28 2008 +0000\n\n\t CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds. However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change splits capable() from has_capability() down into the commoncap and\nSELinux code. The capable() security op now only deals with the current\nprocess, and uses the current process\u0027s subjective creds. A new security op -\ntask_capable() - is introduced that can check any task\u0027s objective creds.\n\nstrictly the capable() security op is superfluous with the presence of the\ntask_capable() op, however it should be faster to call the capable() op since\ntwo fewer arguments need be passed down through the various layers.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n * t_access_root.c - trivial test program to show permission bug.\n *\n * Written by Michael Kerrisk - copyright ownership not pursued.\n * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n perror(msg);\n exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n int fd, perm, uid, gid;\n char *testpath;\n char cmd[PATH_MAX + 20];\n\n testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n gid \u003d (argc \u003e 4) ? atoi(argv[4]) : GID;\n\n unlink(testpath);\n\n fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n if (fd \u003d\u003d -1) errExit(\"open\");\n\n if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n close(fd);\n\n snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n system(cmd);\n\n if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n accessTest(testpath, 0, \"0\");\n accessTest(testpath, R_OK, \"R_OK\");\n accessTest(testpath, W_OK, \"W_OK\");\n accessTest(testpath, X_OK, \"X_OK\");\n accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem. If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5af75d8d58d0f9f7b7c0515b35786b22892d5f12", "tree": "65707c5309133a33140c39145ae91b7c1679a877", "parents": [ "36c4f1b18c8a7d0adb4085e7f531860b837bb6b0" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Dec 16 05:59:26 2008 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jan 04 15:14:42 2009 -0500" }, "message": "audit: validate comparison operations, store them in sane form\n\nDon\u0027t store the field-\u003eop in the messy (and very inconvenient for e.g.\naudit_comparator()) form; translate to dense set of values and do full\nvalidation of userland-submitted value while we are at it.\n\n-\u003eaudit_init_rule() and -\u003eaudit_match_rule() get new values now; in-tree\ninstances updated.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "4f4b6c1a94a8735bbdc030a2911cf395495645b6", "tree": "0572f8b8be03a32b4ae7b3deb4b1412226a0f598", "parents": [ "9e2f913df70b378379a358a44e7d286f7b765e8e" ], "author": { "name": "Rusty Russell", "email": "rusty@rustcorp.com.au", "time": "Thu Jan 01 10:12:15 2009 +1030" }, "committer": { "name": "Rusty Russell", "email": "rusty@rustcorp.com.au", "time": "Thu Jan 01 10:12:15 2009 +1030" }, "message": "cpumask: prepare for iterators to only go to nr_cpu_ids/nr_cpumask_bits.: core\n\nImpact: cleanup\n\nIn future, all cpumask ops will only be valid (in general) for bit\nnumbers \u003c nr_cpu_ids. So use that instead of NR_CPUS in iterators\nand other comparisons.\n\nThis is always safe: no cpu number can be \u003e\u003d nr_cpu_ids, and\nnr_cpu_ids is initialized to NR_CPUS at boot.\n\nSigned-off-by: Rusty Russell \u003crusty@rustcorp.com.au\u003e\nSigned-off-by: Mike Travis \u003ctravis@sgi.com\u003e\nAcked-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Eric Biederman \u003cebiederm@xmission.com\u003e\n" }, { "commit": "277d342fc423fca5e66e677fe629d1b2f8f1b9e2", "tree": "733f8694020df6ff8d9e21e2419b0df71aeb4351", "parents": [ "6c2e8ac0953fccdd24dc6c4b9e08e8f1cd68cf07" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Dec 31 12:54:11 2008 -0500" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Dec 31 12:54:11 2008 -0500" }, "message": "selinux: Deprecate and schedule the removal of the the compat_net functionality\n\nThis patch is the first step towards removing the old \"compat_net\" code from\nthe kernel. Secmark, the \"compat_net\" replacement was first introduced in\n2.6.18 (September 2006) and the major Linux distributions with SELinux support\nhave transitioned to Secmark so it is time to start deprecating the \"compat_net\"\nmechanism. Testing a patched version of 2.6.28-rc6 with the initial release of\nFedora Core 5 did not show any problems when running in enforcing mode.\n\nThis patch adds an entry to the feature-removal-schedule.txt file and removes\nthe SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing\nSecmark on by default although it can still be disabled at runtime. The patch\nalso makes the Secmark permission checks \"dynamic\" in the sense that they are\nonly executed when Secmark is configured; this should help prevent problems\nwith older distributions that have not yet migrated to Secmark.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0191b625ca5a46206d2fb862bb08f36f2fcb3b31", "tree": "454d1842b1833d976da62abcbd5c47521ebe9bd7", "parents": [ "54a696bd07c14d3b1192d03ce7269bc59b45209a", "eb56092fc168bf5af199d47af50c0d84a96db898" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Dec 28 12:49:40 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Dec 28 12:49:40 2008 -0800" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1429 commits)\n net: Allow dependancies of FDDI \u0026 Tokenring to be modular.\n igb: Fix build warning when DCA is disabled.\n net: Fix warning fallout from recent NAPI interface changes.\n gro: Fix potential use after free\n sfc: If AN is enabled, always read speed/duplex from the AN advertising bits\n sfc: When disabling the NIC, close the device rather than unregistering it\n sfc: SFT9001: Add cable diagnostics\n sfc: Add support for multiple PHY self-tests\n sfc: Merge top-level functions for self-tests\n sfc: Clean up PHY mode management in loopback self-test\n sfc: Fix unreliable link detection in some loopback modes\n sfc: Generate unique names for per-NIC workqueues\n 802.3ad: use standard ethhdr instead of ad_header\n 802.3ad: generalize out mac address initializer\n 802.3ad: initialize ports LACPDU from const initializer\n 802.3ad: remove typedef around ad_system\n 802.3ad: turn ports is_individual into a bool\n 802.3ad: turn ports is_enabled into a bool\n 802.3ad: make ntt bool\n ixgbe: Fix set_ringparam in ixgbe to use the same memory pools.\n ...\n\nFixed trivial IPv4/6 address printing conflicts in fs/cifs/connect.c due\nto the conversion to %pI (in this networking merge) and the addition of\ndoing IPv6 addresses (from the earlier merge of CIFS).\n" }, { "commit": "74192246910ff4fb95309ba1a683215644beeb62", "tree": "ff6daed6c494ac83afad70049a28f20ec5770b44", "parents": [ "12204e24b1330428c3062faee10a0d80b8a5cb61" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Dec 19 11:41:10 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Dec 20 09:03:39 2008 +1100" }, "message": "SELinux: don\u0027t check permissions for kernel mounts\n\nDon\u0027t bother checking permissions when the kernel performs an\ninternal mount, as this should always be allowed.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "12204e24b1330428c3062faee10a0d80b8a5cb61", "tree": "d92ee705a86f0ec2bf85c8a797239dbb840d5927", "parents": [ "459c19f524a9d89c65717a7d061d5f11ecf6bcb8" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Dec 19 10:44:42 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Dec 20 09:02:39 2008 +1100" }, "message": "security: pass mount flags to security_sb_kern_mount()\n\nPass mount flags to security_sb_kern_mount(), so security modules\ncan determine if a mount operation is being performed by the kernel.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "459c19f524a9d89c65717a7d061d5f11ecf6bcb8", "tree": "e3026017e0d58736e46406f13bd370b75cfdf674", "parents": [ "1e641743f055f075ed9a4edd75f1fb1e05669ddc" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Dec 05 09:12:19 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Dec 20 09:01:03 2008 +1100" }, "message": "SELinux: correctly detect proc filesystems of the form \"proc/foo\"\n\nMap all of these proc/ filesystem types to \"proc\" for the policy lookup at\nfilesystem mount time.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3a3b7ce9336952ea7b9564d976d068a238976c9d", "tree": "3f0a3be33022492161f534636a20a4b1059f8236", "parents": [ "1bfdc75ae077d60a01572a7781ec6264d55ab1b9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "message": "CRED: Allow kernel services to override LSM settings for task actions\n\nAllow kernel services to override LSM settings appropriate to the actions\nperformed by a task by duplicating a set of credentials, modifying it and then\nusing task_struct::cred to point to it when performing operations on behalf of\na task.\n\nThis is used, for example, by CacheFiles which has to transparently access the\ncache on behalf of a process that thinks it is doing, say, NFS accesses with a\npotentially inappropriate (with respect to accessing the cache) set of\ncredentials.\n\nThis patch provides two LSM hooks for modifying a task security record:\n\n (*) security_kernel_act_as() which allows modification of the security datum\n with which a task acts on other objects (most notably files).\n\n (*) security_kernel_create_files_as() which allows modification of the\n security datum that is used to initialise the security data on a file that\n a task creates.\n\nThe patch also provides four new credentials handling functions, which wrap the\nLSM functions:\n\n (1) prepare_kernel_cred()\n\n Prepare a set of credentials for a kernel service to use, based either on\n a daemon\u0027s credentials or on init_cred. All the keyrings are cleared.\n\n (2) set_security_override()\n\n Set the LSM security ID in a set of credentials to a specific security\n context, assuming permission from the LSM policy.\n\n (3) set_security_override_from_ctx()\n\n As (2), but takes the security context as a string.\n\n (4) set_create_files_as()\n\n Set the file creation LSM security ID in a set of credentials to be the\n same as that on a particular inode.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e [Smack changes]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1bfdc75ae077d60a01572a7781ec6264d55ab1b9", "tree": "627cbbca1232725bbea68677cb904bf36e73b35c", "parents": [ "3b11a1decef07c19443d24ae926982bc8ec9f4c0" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:27 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:27 2008 +1100" }, "message": "CRED: Add a kernel_service object class to SELinux\n\nAdd a \u0027kernel_service\u0027 object class to SELinux and give this object class two\naccess vectors: \u0027use_as_override\u0027 and \u0027create_files_as\u0027.\n\nThe first vector is used to grant a process the right to nominate an alternate\nprocess security ID for the kernel to use as an override for the SELinux\nsubjective security when accessing stuff on behalf of another process.\n\nFor example, CacheFiles when accessing the cache on behalf on a process\naccessing an NFS file needs to use a subjective security ID appropriate to the\ncache rather then the one the calling process is using. The cachefilesd\ndaemon will nominate the security ID to be used.\n\nThe second vector is used to grant a process the right to nominate a file\ncreation label for a kernel service to use.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3b11a1decef07c19443d24ae926982bc8ec9f4c0", "tree": "b6555f0e5b07f4b2badd332a0a900b974920c49d", "parents": [ "98870ab0a5a3f1822aee681d2997017e1c87d026" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "message": "CRED: Differentiate objective and effective subjective credentials on a task\n\nDifferentiate the objective and real subjective credentials from the effective\nsubjective credentials on a task by introducing a second credentials pointer\ninto the task_struct.\n\ntask_struct::real_cred then refers to the objective and apparent real\nsubjective credentials of a task, as perceived by the other tasks in the\nsystem.\n\ntask_struct::cred then refers to the effective subjective credentials of a\ntask, as used by that task when it\u0027s actually running. These are not visible\nto the other tasks in the system.\n\n__task_cred(task) then refers to the objective/real credentials of the task in\nquestion.\n\ncurrent_cred() refers to the effective subjective credentials of the current\ntask.\n\nprepare_creds() uses the objective creds as a base and commit_creds() changes\nboth pointers in the task_struct (indeed commit_creds() requires them to be the\nsame).\n\noverride_creds() and revert_creds() change the subjective creds pointer only,\nand the former returns the old subjective creds. These are used by NFSD,\nfaccessat() and do_coredump(), and will by used by CacheFiles.\n\nIn SELinux, current_has_perm() is provided as an alternative to\ntask_has_perm(). This uses the effective subjective context of current,\nwhereas task_has_perm() uses the objective/real context of the subject.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d", "tree": "8f95617996d0974507f176163459212a7def8b9a", "parents": [ "d84f4f992cbd76e8f39c488cf0c5d123843923b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Make execve() take advantage of copy-on-write credentials\n\nMake execve() take advantage of copy-on-write credentials, allowing it to set\nup the credentials in advance, and then commit the whole lot after the point\nof no return.\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n The credential bits from struct linux_binprm are, for the most part,\n replaced with a single credentials pointer (bprm-\u003ecred). This means that\n all the creds can be calculated in advance and then applied at the point\n of no return with no possibility of failure.\n\n I would like to replace bprm-\u003ecap_effective with:\n\n\tcap_isclear(bprm-\u003ecap_effective)\n\n but this seems impossible due to special behaviour for processes of pid 1\n (they always retain their parent\u0027s capability masks where normally they\u0027d\n be changed - see cap_bprm_set_creds()).\n\n The following sequence of events now happens:\n\n (a) At the start of do_execve, the current task\u0027s cred_exec_mutex is\n \t locked to prevent PTRACE_ATTACH from obsoleting the calculation of\n \t creds that we make.\n\n (a) prepare_exec_creds() is then called to make a copy of the current\n \t task\u0027s credentials and prepare it. This copy is then assigned to\n \t bprm-\u003ecred.\n\n \t This renders security_bprm_alloc() and security_bprm_free()\n \t unnecessary, and so they\u0027ve been removed.\n\n (b) The determination of unsafe execution is now performed immediately\n \t after (a) rather than later on in the code. The result is stored in\n \t bprm-\u003eunsafe for future reference.\n\n (c) prepare_binprm() is called, possibly multiple times.\n\n \t (i) This applies the result of set[ug]id binaries to the new creds\n \t attached to bprm-\u003ecred. Personality bit clearance is recorded,\n \t but now deferred on the basis that the exec procedure may yet\n \t fail.\n\n (ii) This then calls the new security_bprm_set_creds(). This should\n\t calculate the new LSM and capability credentials into *bprm-\u003ecred.\n\n\t This folds together security_bprm_set() and parts of\n\t security_bprm_apply_creds() (these two have been removed).\n\t Anything that might fail must be done at this point.\n\n (iii) bprm-\u003ecred_prepared is set to 1.\n\n\t bprm-\u003ecred_prepared is 0 on the first pass of the security\n\t calculations, and 1 on all subsequent passes. This allows SELinux\n\t in (ii) to base its calculations only on the initial script and\n\t not on the interpreter.\n\n (d) flush_old_exec() is called to commit the task to execution. This\n \t performs the following steps with regard to credentials:\n\n\t (i) Clear pdeath_signal and set dumpable on certain circumstances that\n\t may not be covered by commit_creds().\n\n (ii) Clear any bits in current-\u003epersonality that were deferred from\n (c.i).\n\n (e) install_exec_creds() [compute_creds() as was] is called to install the\n \t new credentials. This performs the following steps with regard to\n \t credentials:\n\n (i) Calls security_bprm_committing_creds() to apply any security\n requirements, such as flushing unauthorised files in SELinux, that\n must be done before the credentials are changed.\n\n\t This is made up of bits of security_bprm_apply_creds() and\n\t security_bprm_post_apply_creds(), both of which have been removed.\n\t This function is not allowed to fail; anything that might fail\n\t must have been done in (c.ii).\n\n (ii) Calls commit_creds() to apply the new credentials in a single\n assignment (more or less). Possibly pdeath_signal and dumpable\n should be part of struct creds.\n\n\t (iii) Unlocks the task\u0027s cred_replace_mutex, thus allowing\n\t PTRACE_ATTACH to take place.\n\n (iv) Clears The bprm-\u003ecred pointer as the credentials it was holding\n are now immutable.\n\n (v) Calls security_bprm_committed_creds() to apply any security\n alterations that must be done after the creds have been changed.\n SELinux uses this to flush signals and signal handlers.\n\n (f) If an error occurs before (d.i), bprm_free() will call abort_creds()\n \t to destroy the proposed new credentials and will then unlock\n \t cred_replace_mutex. No changes to the credentials will have been\n \t made.\n\n (2) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_bprm_alloc(), -\u003ebprm_alloc_security()\n (*) security_bprm_free(), -\u003ebprm_free_security()\n\n \t Removed in favour of preparing new credentials and modifying those.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n (*) security_bprm_post_apply_creds(), -\u003ebprm_post_apply_creds()\n\n \t Removed; split between security_bprm_set_creds(),\n \t security_bprm_committing_creds() and security_bprm_committed_creds().\n\n (*) security_bprm_set(), -\u003ebprm_set_security()\n\n \t Removed; folded into security_bprm_set_creds().\n\n (*) security_bprm_set_creds(), -\u003ebprm_set_creds()\n\n \t New. The new credentials in bprm-\u003ecreds should be checked and set up\n \t as appropriate. bprm-\u003ecred_prepared is 0 on the first call, 1 on the\n \t second and subsequent calls.\n\n (*) security_bprm_committing_creds(), -\u003ebprm_committing_creds()\n (*) security_bprm_committed_creds(), -\u003ebprm_committed_creds()\n\n \t New. Apply the security effects of the new credentials. This\n \t includes closing unauthorised files in SELinux. This function may not\n \t fail. When the former is called, the creds haven\u0027t yet been applied\n \t to the process; when the latter is called, they have.\n\n \t The former may access bprm-\u003ecred, the latter may not.\n\n (3) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) The bprm_security_struct struct has been removed in favour of using\n \t the credentials-under-construction approach.\n\n (c) flush_unauthorized_files() now takes a cred pointer and passes it on\n \t to inode_has_perm(), file_has_perm() and dentry_open().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "745ca2475a6ac596e3d8d37c2759c0fbe2586227", "tree": "f87c34bdfbc8542477b16a014bbb4e3b415b286a", "parents": [ "88e67f3b8898c5ea81d2916dd5b8bc9c0c35ba13" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:22 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:22 2008 +1100" }, "message": "CRED: Pass credentials through dentry_open()\n\nPass credentials through dentry_open() so that the COW creds patch can have\nSELinux\u0027s flush_unauthorized_files() pass the appropriate creds back to itself\nwhen it opens its null chardev.\n\nThe security_dentry_open() call also now takes a creds pointer, as does the\ndentry_open hook in struct security_operations.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "88e67f3b8898c5ea81d2916dd5b8bc9c0c35ba13", "tree": "1ce706510a4062d69ca25801023825331d420be0", "parents": [ "6cc88bc45ce8043171089c9592da223dfab91823" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:21 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:21 2008 +1100" }, "message": "CRED: Make inode_has_perm() and file_has_perm() take a cred pointer\n\nMake inode_has_perm() and file_has_perm() take a cred pointer rather than a\ntask pointer.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "275bb41e9d058fbb327e7642f077e1beaeac162e", "tree": "049fdbb39ca43e7b3b9abf36ad279b31488121bc", "parents": [ "c69e8d9c01db2adc503464993c358901c9af9de4" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "message": "CRED: Wrap access to SELinux\u0027s task SID\n\nWrap access to SELinux\u0027s task SID, using task_sid() and current_sid() as\nappropriate.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c69e8d9c01db2adc503464993c358901c9af9de4", "tree": "bed94aaa9aeb7a7834d1c880f72b62a11a752c78", "parents": [ "86a264abe542cfececb4df129bc45a0338d8cdb9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "message": "CRED: Use RCU to access another task\u0027s creds and to release a task\u0027s own creds\n\nUse RCU to access another task\u0027s creds and to release a task\u0027s own creds.\nThis means that it will be possible for the credentials of a task to be\nreplaced without another task (a) requiring a full lock to read them, and (b)\nseeing deallocated memory.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "86a264abe542cfececb4df129bc45a0338d8cdb9", "tree": "30152f04ba847f311028d5ca697f864c16c7ebb3", "parents": [ "f1752eec6145c97163dbce62d17cf5d928e28a27" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:18 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:18 2008 +1100" }, "message": "CRED: Wrap current-\u003ecred and a few other accessors\n\nWrap current-\u003ecred and a few other accessors to hide their actual\nimplementation.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f1752eec6145c97163dbce62d17cf5d928e28a27", "tree": "16bc51166d38815092de36a461b845b0b4b522f9", "parents": [ "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "message": "CRED: Detach the credentials from task_struct\n\nDetach the credentials from task_struct, duplicating them in copy_process()\nand releasing them in __put_task_struct().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a", "tree": "9e76f972eb7ce9b84e0146c8e4126a3f86acb428", "parents": [ "15a2460ed0af7538ca8e6c610fe607a2cd9da142" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "message": "CRED: Separate task security context from task_struct\n\nSeparate the task security context from task_struct. At this point, the\nsecurity data is temporarily embedded in the task_struct with two pointers\npointing to it.\n\nNote that the Alpha arch is altered as it refers to (E)UID and (E)GID in\nentry.S via asm-offsets.\n\nWith comment fixes Signed-off-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "15a2460ed0af7538ca8e6c610fe607a2cd9da142", "tree": "3611bc03e9c30fe0d11454f6966e6b0ca7f1dbd0", "parents": [ "1cdcbec1a3372c0c49c59d292e708fd07b509f18" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:15 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:15 2008 +1100" }, "message": "CRED: Constify the kernel_cap_t arguments to the capset LSM hooks\n\nConstify the kernel_cap_t arguments to the capset LSM hooks.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1cdcbec1a3372c0c49c59d292e708fd07b509f18", "tree": "d1bd302c8d66862da45b494cbc766fb4caa5e23e", "parents": [ "8bbf4976b59fc9fc2861e79cab7beb3f6d647640" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "message": "CRED: Neuter sys_capset()\n\nTake away the ability for sys_capset() to affect processes other than current.\n\nThis means that current will not need to lock its own credentials when reading\nthem against interference by other processes.\n\nThis has effectively been the case for a while anyway, since:\n\n (1) Without LSM enabled, sys_capset() is disallowed.\n\n (2) With file-based capabilities, sys_capset() is neutered.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "066746796bd2f0a1ba210c0dded3b6ee4032692a", "tree": "868832ca0e199e4f173e23375cffb5fc3870402c", "parents": [ "a2f2945a99057c7d44043465906c6bb63c3368a0" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 11 22:02:57 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 11 22:02:57 2008 +1100" }, "message": "Currently SELinux jumps through some ugly hoops to not audit a capbility\ncheck when determining if a process has additional powers to override\nmemory limits or when trying to read/write illegal file labels. Use\nthe new noaudit call instead.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "06112163f5fd9e491a7f810443d81efa9d88e247", "tree": "48039f7488abbec36c0982a57405b57d47311dd6", "parents": [ "637d32dc720897616e8a1a4f9e9609e29d431800" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 11 22:02:50 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 11 22:02:50 2008 +1100" }, "message": "Add a new capable interface that will be used by systems that use audit to\nmake an A or B type decision instead of a security decision. Currently\nthis is the case at least for filesystems when deciding if a process can use\nthe reserved \u0027root\u0027 blocks and for the case of things like the oom\nalgorithm determining if processes are root processes and should be less\nlikely to be killed. These types of security system requests should not be\naudited or logged since they are not really security decisions. It would be\npossible to solve this problem like the vm_enough_memory security check did\nby creating a new LSM interface and moving all of the policy into that\ninterface but proves the needlessly bloat the LSM and provide complex\nindirection.\n\nThis merely allows those decisions to be made where they belong and to not\nflood logs or printk with denials for thing that are not security decisions.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "39c9aede2b4a252bd296c0a86be832c3d3d0a273", "tree": "2c802930511c40a6d150166a892e68f83fee9851", "parents": [ "1f29fae29709b4668979e244c09b2fa78ff1ad59" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Nov 05 09:34:42 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sun Nov 09 07:33:18 2008 +0800" }, "message": "SELinux: Use unknown perm handling to handle unknown netlink msg types\n\nCurrently when SELinux has not been updated to handle a netlink message\ntype the operation is denied with EINVAL. This patch will leave the\naudit/warning message so things get fixed but if policy chose to allow\nunknowns this will allow the netlink operation.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9eeda9abd1faf489f3df9a1f557975f4c8650363", "tree": "3e0a58e25b776cfbee193195460324dccb1886c7", "parents": [ "61c9eaf90081cbe6dc4f389e0056bff76eca19ec", "4bab0ea1d42dd1927af9df6fbf0003fc00617c50" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Nov 06 22:43:03 2008 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Nov 06 22:43:03 2008 -0800" }, "message": "Merge branch \u0027master\u0027 of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6\n\nConflicts:\n\n\tdrivers/net/wireless/ath5k/base.c\n\tnet/8021q/vlan_core.c\n" }, { "commit": "e21e696edb498c7f7eed42ba3096f6bbe13927b6", "tree": "73b0bc28e45b0268f05c4b384a17bfb2140a73bc", "parents": [ "2f99db28af90957271a6448479c3e492ccf7c697", "75fa67706cce5272bcfc51ed646f2da21f3bdb6e" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 06 07:12:34 2008 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 06 07:12:34 2008 +0800" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "2f99db28af90957271a6448479c3e492ccf7c697", "tree": "00386a75dd8c998621d2204609425b41be420f62", "parents": [ "41d9f9c524a53477467b7e0111ff3d644198f191" ], "author": { "name": "Michal Schmidt", "email": "mschmidt@redhat.com", "time": "Wed Nov 05 13:35:06 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 06 07:08:36 2008 +0800" }, "message": "selinux: recognize netlink messages for \u0027ip addrlabel\u0027\n\nIn enforcing mode \u0027/sbin/ip addrlabel\u0027 results in a SELinux error:\ntype\u003dSELINUX_ERR msg\u003daudit(1225698822.073:42): SELinux: unrecognized\nnetlink message type\u003d74 for sclass\u003d43\n\nThe problem is missing RTM_*ADDRLABEL entries in SELinux\u0027s netlink\nmessage types table.\n\nReported in https://bugzilla.redhat.com/show_bug.cgi?id\u003d469423\n\nSigned-off-by: Michal Schmidt \u003cmschmidt@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "41d9f9c524a53477467b7e0111ff3d644198f191", "tree": "b891d648d756d7195bab5c0f55f105cd00d8f94a", "parents": [ "8b6a5a37f87a414ef8636e36ec75accb27bb7508" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 04 15:18:26 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Nov 05 08:44:11 2008 +1100" }, "message": "SELinux: hold tasklist_lock and siglock while waking wait_chldexit\n\nSELinux has long been calling wake_up_interruptible() on\ncurrent-\u003eparent-\u003esignal-\u003ewait_chldexit without holding any locks. It\nappears that this operation should hold the tasklist_lock to dereference\ncurrent-\u003eparent and we should hold the siglock when waking up the\nsignal-\u003ewait_chldexit.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "37dd0bd04a3240d2922786d501e2f12cec858fbf", "tree": "d4fa5a124a95d33bf22276429a82822ec8d4810a", "parents": [ "721d5dfe7e516954c501d5e9d0dfab379cf4241a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Oct 31 17:40:00 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Nov 01 09:38:48 2008 +1100" }, "message": "SELinux: properly handle empty tty_files list\n\nSELinux has wrongly (since 2004) had an incorrect test for an empty\ntty-\u003etty_files list. With an empty list selinux would be pointing to part\nof the tty struct itself and would then proceed to dereference that value\nand again dereference that result. An F10 change to plymouth on a ppc64\nsystem is actually currently triggering this bug. This patch uses\nlist_empty() to handle empty lists rather than looking at a meaningless\nlocation.\n\n[note, this fixes the oops reported in\nhttps://bugzilla.redhat.com/show_bug.cgi?id\u003d469079]\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3685f25de1b0447fff381c420de1e25bd57c9efb", "tree": "90a5d87c0ced1b27f654606d50a9ff13ded6f862", "parents": [ "be859405487324ed548f1ba11dc949b8230ab991" ], "author": { "name": "Harvey Harrison", "email": "harvey.harrison@gmail.com", "time": "Fri Oct 31 00:56:49 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Oct 31 00:56:49 2008 -0700" }, "message": "misc: replace NIPQUAD()\n\nUsing NIPQUAD() with NIPQUAD_FMT, %d.%d.%d.%d or %u.%u.%u.%u\ncan be replaced with %pI4\n\nSigned-off-by: Harvey Harrison \u003charvey.harrison@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "8b6a5a37f87a414ef8636e36ec75accb27bb7508", "tree": "26ff1dddb3c8727118b24819e83b4b7c500ff595", "parents": [ "0da939b0058742ad2d8580b7db6b966d0fc72252" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 29 17:06:46 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Oct 31 02:00:52 2008 +1100" }, "message": "SELinux: check open perms in dentry_open not inode_permission\n\nSome operations, like searching a directory path or connecting a unix domain\nsocket, make explicit calls into inode_permission. Our choices are to\neither try to come up with a signature for all of the explicit calls to\ninode_permission and do not check open on those, or to move the open checks to\ndentry_open where we know this is always an open operation. This patch moves\nthe checks to dentry_open.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5b095d98928fdb9e3b75be20a54b7a6cbf6ca9ad", "tree": "b6caa0cdbaac016447a790881ad4a6c5dfce6900", "parents": [ "4b7a4274ca63dadd9c4f17fc953f3a5d19855c4c" ], "author": { "name": "Harvey Harrison", "email": "harvey.harrison@gmail.com", "time": "Wed Oct 29 12:52:50 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Oct 29 12:52:50 2008 -0700" }, "message": "net: replace %p6 with %pI6\n\nSigned-off-by: Harvey Harrison \u003charvey.harrison@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "1afa67f5e70b4733d5b237df61e6d639af6283bb", "tree": "34912ebf8e13c40e00bc5ab13c365a5556d684ca", "parents": [ "b071195deba14b37ce896c26f20349b46e5f9fd2" ], "author": { "name": "Harvey Harrison", "email": "harvey.harrison@gmail.com", "time": "Tue Oct 28 16:06:44 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Oct 28 16:06:44 2008 -0700" }, "message": "misc: replace NIP6_FMT with %p6 format specifier\n\nThe iscsi_ibft.c changes are almost certainly a bugfix as the\npointer \u0027ip\u0027 is a u8 *, so they never print the last 8 bytes\nof the IPv6 address, and the eight bytes they do print have\na zero byte with them in each 16-bit word.\n\nOther than that, this should cause no difference in functionality.\n\nSigned-off-by: Harvey Harrison \u003charvey.harrison@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "def8b4faff5ca349beafbbfeb2c51f3602a6ef3a", "tree": "a90fbb0b6ae2a49c507465801f31df77bc5ebf9d", "parents": [ "b057efd4d226fcc3a92b0dc6d8ea8e8185ecb260" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Tue Oct 28 13:24:06 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Oct 28 13:24:06 2008 -0700" }, "message": "net: reduce structures when XFRM\u003dn\n\nifdef out\n* struct sk_buff::sp\t\t(pointer)\n* struct dst_entry::xfrm\t(pointer)\n* struct sock::sk_policy\t(2 pointers)\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c465a76af658b443075d6efee1c3131257643020", "tree": "63c28c9fab02dedec7f03cee4a3ef7fe4dc1c072", "parents": [ "2d42244ae71d6c7b0884b5664cf2eda30fb2ae68", "1b02469088ac7a13d7e622b618b7410d0f1ce5ec", "fb02fbc14d17837b4b7b02dbb36142c16a7bf208", "d40e944c25fb4642adb2a4c580a48218a9f3f824", "1508487e7f16d992ad23cabd3712563ff912f413", "322acf6585f3c4e82ee32a246b0483ca0f6ad3f4" ], "author": { "name": "Thomas Gleixner", "email": "tglx@linutronix.de", "time": "Mon Oct 20 13:14:06 2008 +0200" }, "committer": { "name": "Thomas Gleixner", "email": "tglx@linutronix.de", "time": "Mon Oct 20 13:14:06 2008 +0200" }, "message": "Merge branches \u0027timers/clocksource\u0027, \u0027timers/hrtimers\u0027, \u0027timers/nohz\u0027, \u0027timers/ntp\u0027, \u0027timers/posixtimers\u0027 and \u0027timers/debug\u0027 into v28-timers-for-linus\n" }, { "commit": "a447c0932445f92ce6f4c1bd020f62c5097a7842", "tree": "bacf05bc7f9764515cdd6f7dc5e2254776b4f160", "parents": [ "54cebc68c81eacac41a21bdfe99dc889d3882c60" ], "author": { "name": "Steven Whitehouse", "email": "swhiteho@redhat.com", "time": "Mon Oct 13 10:46:57 2008 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 13 10:10:37 2008 -0700" }, "message": "vfs: Use const for kernel parser table\n\nThis is a much better version of a previous patch to make the parser\ntables constant. Rather than changing the typedef, we put the \"const\" in\nall the various places where its required, allowing the __initconst\nexception for nfsroot which was the cause of the previous trouble.\n\nThis was posted for review some time ago and I believe its been in -mm\nsince then.\n\nSigned-off-by: Steven Whitehouse \u003cswhiteho@redhat.com\u003e\nCc: Alexander Viro \u003caviro@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8d71ff0bef9cf4e70108a9a2762f2361e607abde", "tree": "a79487fceb6ec18e956373a3019416a43b269f1d", "parents": [ "244dc4e54b73567fae7f8fd9ba56584be9375442", "92562927826fceb2f8e69c89e28161b8c1e0b125" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 13 10:00:44 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 13 10:00:44 2008 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (24 commits)\n integrity: special fs magic\n As pointed out by Jonathan Corbet, the timer must be deleted before\n ERROR: code indent should use tabs where possible\n The tpm_dev_release function is only called for platform devices, not pnp\n Protect tpm_chip_list when transversing it.\n Renames num_open to is_open, as only one process can open the file at a time.\n Remove the BKL calls from the TPM driver, which were added in the overall\n netlabel: Add configuration support for local labeling\n cipso: Add support for native local labeling and fixup mapping names\n netlabel: Changes to the NetLabel security attributes to allow LSMs to pass full contexts\n selinux: Cache NetLabel secattrs in the socket\u0027s security struct\n selinux: Set socket NetLabel based on connection endpoint\n netlabel: Add functionality to set the security attributes of a packet\n netlabel: Add network address selectors to the NetLabel/LSM domain mapping\n netlabel: Add a generic way to create ordered linked lists of network addrs\n netlabel: Replace protocol/NetLabel linking with refrerence counts\n smack: Fix missing calls to netlbl_skbuff_err()\n selinux: Fix missing calls to netlbl_skbuff_err()\n selinux: Fix a problem in security_netlbl_sid_to_secattr()\n selinux: Better local/forward check in selinux_ip_postroute()\n ...\n" }, { "commit": "934e6ebf96e8c1a0f299e64129fdaebc1132a427", "tree": "ab4bd754997b097f06a5cfefd9e3671d56e628f4", "parents": [ "2cb5998b5f0ccc886fdda3509059eef297b49577" ], "author": { "name": "Alan Cox", "email": "alan@redhat.com", "time": "Mon Oct 13 10:40:43 2008 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 13 09:51:41 2008 -0700" }, "message": "tty: Redo current tty locking\n\nCurrently it is sometimes locked by the tty mutex and sometimes by the\nsighand lock. The latter is in fact correct and now we can hand back referenced\nobjects we can fix this up without problems around sleeping functions.\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "452a00d2ee288f2cbc36f676edd06cb14d2878c1", "tree": "c8251c73924a6ac9b174bc557357bfeff0c8d1a8", "parents": [ "f4d2a6c2096b764decb20070b1bf4356de9144a8" ], "author": { "name": "Alan Cox", "email": "alan@redhat.com", "time": "Mon Oct 13 10:39:13 2008 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 13 09:51:41 2008 -0700" }, "message": "tty: Make get_current_tty use a kref\n\nWe now return a kref covered tty reference. That ensures the tty structure\ndoesn\u0027t go away when you have a return from get_current_tty. This is not\nenough to protect you from most of the resources being freed behind your\nback - yet.\n\n[Updated to include fixes for SELinux problems found by Andrew Morton and\n an s390 leak found while debugging the former]\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "0da939b0058742ad2d8580b7db6b966d0fc72252", "tree": "47cb109fdf97135191bff5db4e3bfc905136bf8b", "parents": [ "4bdec11f560b8f405a011288a50e65b1a81b3654", "d91d40799165b0c84c97e7c71fb8039494ff07dc" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Oct 11 09:26:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Oct 11 09:26:14 2008 +1100" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/pcmoore/lblnet-2.6_next into next\n" }, { "commit": "8d75899d033617316e06296b7c0729612f56aba0", "tree": "47ab64d46b26b86089e20c337e9ba22b00e2d94f", "parents": [ "6c5b3fc0147f79d714d2fe748b5869d7892ef2e7" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "message": "netlabel: Changes to the NetLabel security attributes to allow LSMs to pass full contexts\n\nThis patch provides support for including the LSM\u0027s secid in addition to\nthe LSM\u0027s MLS information in the NetLabel security attributes structure.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6c5b3fc0147f79d714d2fe748b5869d7892ef2e7", "tree": "2cff691b2d4da2afd69660cb4ee647f6b553cdf9", "parents": [ "014ab19a69c325f52d7bae54ceeda73d6307ae0c" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "message": "selinux: Cache NetLabel secattrs in the socket\u0027s security struct\n\nPrevious work enabled the use of address based NetLabel selectors, which\nwhile highly useful, brought the potential for additional per-packet overhead\nwhen used. This patch attempts to mitigate some of that overhead by caching\nthe NetLabel security attribute struct within the SELinux socket security\nstructure. This should help eliminate the need to recreate the NetLabel\nsecattr structure for each packet resulting in less overhead.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "014ab19a69c325f52d7bae54ceeda73d6307ae0c", "tree": "8a69c490accb7d5454bdfeb8c078d846729aeb60", "parents": [ "948bf85c1bc9a84754786a9d5dd99b7ecc46451e" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "message": "selinux: Set socket NetLabel based on connection endpoint\n\nPrevious work enabled the use of address based NetLabel selectors, which while\nhighly useful, brought the potential for additional per-packet overhead when\nused. This patch attempts to solve that by applying NetLabel socket labels\nwhen sockets are connect()\u0027d. This should alleviate the per-packet NetLabel\nlabeling for all connected sockets (yes, it even works for connected DGRAM\nsockets).\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "948bf85c1bc9a84754786a9d5dd99b7ecc46451e", "tree": "a4706be1f4a5a37408774ef3c4cab8cf2e7775b5", "parents": [ "63c41688743760631188cf0f4ae986a6793ccb0a" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:32 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:32 2008 -0400" }, "message": "netlabel: Add functionality to set the security attributes of a packet\n\nThis patch builds upon the new NetLabel address selector functionality by\nproviding the NetLabel KAPI and CIPSO engine support needed to enable the\nnew packet-based labeling. The only new addition to the NetLabel KAPI at\nthis point is shown below:\n\n * int netlbl_skbuff_setattr(skb, family, secattr)\n\n... and is designed to be called from a Netfilter hook after the packet\u0027s\nIP header has been populated such as in the FORWARD or LOCAL_OUT hooks.\n\nThis patch also provides the necessary SELinux hooks to support this new\nfunctionality. Smack support is not currently included due to uncertainty\nregarding the permissions needed to expand the Smack network access controls.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "dfaebe9825ff34983778f287101bc5f3bce00640", "tree": "4dccdcdcecd57fc8bfc083ff30d9e0ecb2e7ecba", "parents": [ "99d854d231ce141850b988bdc7e2e7c78f49b03a" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "message": "selinux: Fix missing calls to netlbl_skbuff_err()\n\nAt some point I think I messed up and dropped the calls to netlbl_skbuff_err()\nwhich are necessary for CIPSO to send error notifications to remote systems.\nThis patch re-introduces the error handling calls into the SELinux code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "99d854d231ce141850b988bdc7e2e7c78f49b03a", "tree": "d9da2a23471f38f6b25ec2bcfe982622ee51adba", "parents": [ "d8395c876bb8a560c8a032887e191b95499a25d6" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:30 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:30 2008 -0400" }, "message": "selinux: Fix a problem in security_netlbl_sid_to_secattr()\n\nCurrently when SELinux fails to allocate memory in\nsecurity_netlbl_sid_to_secattr() the NetLabel LSM domain field is set to\nNULL which triggers the default NetLabel LSM domain mapping which may not\nalways be the desired mapping. This patch fixes this by returning an error\nwhen the kernel is unable to allocate memory. This could result in more\nfailures on a system with heavy memory pressure but it is the \"correct\"\nthing to do.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d8395c876bb8a560c8a032887e191b95499a25d6", "tree": "6c2ef0d59e04b90a9ef673fa34e1c042d22f128e", "parents": [ "948a72438d4178d0728c4b0a38836d280b846939" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:30 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:30 2008 -0400" }, "message": "selinux: Better local/forward check in selinux_ip_postroute()\n\nIt turns out that checking to see if skb-\u003esk is NULL is not a very good\nindicator of a forwarded packet as some locally generated packets also have\nskb-\u003esk set to NULL. Fix this by not only checking the skb-\u003esk field but also\nthe IP[6]CB(skb)-\u003eflags field for the IP[6]SKB_FORWARDED flag. While we are\nat it, we are calling selinux_parse_skb() much earlier than we really should\nresulting in potentially wasted cycles parsing packets for information we\nmight no use; so shuffle the code around a bit to fix this.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "aa86290089a1e57b4bdbbb4720072233f66bd5b2", "tree": "9ab16f4d22056297f1571bb7b2b988bff84c8a10", "parents": [ "accc609322ef5ed44cba6d2d70c741afc76385fb" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:29 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:29 2008 -0400" }, "message": "selinux: Correctly handle IPv4 packets on IPv6 sockets in all cases\n\nWe did the right thing in a few cases but there were several areas where we\ndetermined a packet\u0027s address family based on the socket\u0027s address family which\nis not the right thing to do since we can get IPv4 packets on IPv6 sockets.\nThis patch fixes these problems by either taking the address family directly\nfrom the packet.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "accc609322ef5ed44cba6d2d70c741afc76385fb", "tree": "4a86c08a2fad7302b14e0f419b5e6bd11111330f", "parents": [ "561967010edef40f539dacf2aa125e20773ab40b" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:29 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:29 2008 -0400" }, "message": "selinux: Cleanup the NetLabel glue code\n\nWe were doing a lot of extra work in selinux_netlbl_sock_graft() what wasn\u0027t\nnecessary so this patch removes that code. It also removes the redundant\nsecond argument to selinux_netlbl_sock_setsid() which allows us to simplify a\nfew other functions.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3040a6d5a2655c7967bd42b5fb4903d48daa747f", "tree": "a4342a6b272a8be9acc16131d39d971536a3e8da", "parents": [ "b5ff7df3df9efab511244d5a299fce706c71af48" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 03 10:51:15 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Oct 04 08:25:18 2008 +1000" }, "message": "selinux: Fix an uninitialized variable BUG/panic in selinux_secattr_to_sid()\n\nAt some point during the 2.6.27 development cycle two new fields were added\nto the SELinux context structure, a string pointer and a length field. The\ncode in selinux_secattr_to_sid() was not modified and as a result these two\nfields were left uninitialized which could result in erratic behavior,\nincluding kernel panics, when NetLabel is used. This patch fixes the\nproblem by fully initializing the context in selinux_secattr_to_sid() before\nuse and reducing the level of direct context manipulation done to help\nprevent future problems.\n\nPlease apply this to the 2.6.27-rcX release stream.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "81990fbdd18b9cfdc93dc221ff3250f81468aed8", "tree": "7c8298b58173e9e67f972890bdb209590ac93cab", "parents": [ "ea6b184f7d521a503ecab71feca6e4057562252b" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 03 10:51:15 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Oct 04 08:18:18 2008 +1000" }, "message": "selinux: Fix an uninitialized variable BUG/panic in selinux_secattr_to_sid()\n\nAt some point during the 2.6.27 development cycle two new fields were added\nto the SELinux context structure, a string pointer and a length field. The\ncode in selinux_secattr_to_sid() was not modified and as a result these two\nfields were left uninitialized which could result in erratic behavior,\nincluding kernel panics, when NetLabel is used. This patch fixes the\nproblem by fully initializing the context in selinux_secattr_to_sid() before\nuse and reducing the level of direct context manipulation done to help\nprevent future problems.\n\nPlease apply this to the 2.6.27-rcX release stream.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ea6b184f7d521a503ecab71feca6e4057562252b", "tree": "89724ca76ba9bc8a7029f3fd3edc49557ec6ab40", "parents": [ "de45e806a84909648623119dfe6fc1d31e71ceba" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Mon Sep 22 15:41:19 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Sep 30 00:26:53 2008 +1000" }, "message": "selinux: use default proc sid on symlinks\n\nAs we are not concerned with fine-grained control over reading of\nsymlinks in proc, always use the default proc SID for all proc symlinks.\nThis should help avoid permission issues upon changes to the proc tree\nas in the /proc/net -\u003e /proc/self/net example.\nThis does not alter labeling of symlinks within /proc/pid directories.\nls -Zd /proc/net output before and after the patch should show the difference.\n\nSigned-off-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ab2b49518e743962f71b94246855c44ee9cf52cc", "tree": "26b260a350f0a0a0d19b558bf147b812e3a1564c", "parents": [ "f058925b201357fba48d56cc9c1719ae274b2022", "72d31053f62c4bc464c2783974926969614a8649" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sun Sep 21 17:41:56 2008 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sun Sep 21 17:41:56 2008 -0700" }, "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\n\tMAINTAINERS\n\nThanks for breaking my tree :-)\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ], "next": "f06febc96ba8e0af80bcc3eaec0a109e88275fac" }