)]}' { "log": [ { "commit": "5c1469de7545a35a16ff2b902e217044a7d2f8a5", "tree": "2a3b48da4dab1516234633ee5e71766801210e49", "parents": [ "812e876e842488221aa54cb4587a8a33445cfa9e" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Sun Jun 13 03:28:03 2010 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Jun 16 14:55:34 2010 -0700" }, "message": "user_ns: Introduce user_nsmap_uid and user_ns_map_gid.\n\nDefine what happens when a we view a uid from one user_namespace\nin another user_namepece.\n\n- If the user namespaces are the same no mapping is necessary.\n\n- For most cases of difference use overflowuid and overflowgid,\n the uid and gid currently used for 16bit apis when we have a 32bit uid\n that does fit in 16bits. Effectively the situation is the same,\n we want to return a uid or gid that is not assigned to any user.\n\n- For the case when we happen to be mapping the uid or gid of the\n creator of the target user namespace use uid 0 and gid as confusing\n that user with root is not a problem.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nAcked-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "db1afffab0b5d9f6d31f8f4bea44c9cb3bc59351", "tree": "5ba8fd7a5018c0772d999b8c3aa945c0efb929e0", "parents": [ "dd336c554d8926c3348a2d5f2a5ef5597f6d1a06" ], "author": { "name": "NeilBrown", "email": "neilb@suse.de", "time": "Tue Mar 16 15:14:51 2010 +1100" }, "committer": { "name": "Greg Kroah-Hartman", "email": "gregkh@suse.de", "time": "Fri May 21 09:37:29 2010 -0700" }, "message": "kref: remove kref_set\n\nOf the three uses of kref_set in the kernel:\n\n One really should be kref_put as the code is letting go of a\n reference,\n Two really should be kref_init because the kref is being\n initialised.\n\nThis suggests that making kref_set available encourages bad code.\nSo fix the three uses and remove kref_set completely.\n\nSigned-off-by: NeilBrown \u003cneilb@suse.de\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n\n" }, { "commit": "5170836679185357dc1b7660bad13287b39e1e33", "tree": "0b470820e11df7c7eef7e3161657aefe90c7c35e", "parents": [ "8ca2f156b06bdcbfd1ab543355279246d05e2499" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Feb 27 14:03:03 2009 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Feb 27 16:26:21 2009 -0800" }, "message": "Fix recursive lock in free_uid()/free_user_ns()\n\nfree_uid() and free_user_ns() are corecursive when CONFIG_USER_SCHED\u003dn,\nbut free_user_ns() is called from free_uid() by way of uid_hash_remove(),\nwhich requires uidhash_lock to be held. free_user_ns() then calls\nfree_uid() to complete the destruction.\n\nFix this by deferring the destruction of the user_namespace.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "18b6e0414e42d95183f07d8177e3ff0241abd825", "tree": "91ca2f2d442055e31eb7bb551bf7060f3f4c4cc7", "parents": [ "9789cfe22e5d7bc10cad841a4ea96ecedb34b267" ], "author": { "name": "Serge Hallyn", "email": "serue@us.ibm.com", "time": "Wed Oct 15 16:38:45 2008 -0500" }, "committer": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Mon Nov 24 18:57:41 2008 -0500" }, "message": "User namespaces: set of cleanups (v2)\n\nThe user_ns is moved from nsproxy to user_struct, so that a struct\ncred by itself is sufficient to determine access (which it otherwise\nwould not be). Corresponding ecryptfs fixes (by David Howells) are\nhere as well.\n\nFix refcounting. The following rules now apply:\n 1. The task pins the user struct.\n 2. The user struct pins its user namespace.\n 3. The user namespace pins the struct user which created it.\n\nUser namespaces are cloned during copy_creds(). Unsharing a new user_ns\nis no longer possible. (We could re-add that, but it\u0027ll cause code\nduplication and doesn\u0027t seem useful if PAM doesn\u0027t need to clone user\nnamespaces).\n\nWhen a user namespace is created, its first user (uid 0) gets empty\nkeyrings and a clean group_info.\n\nThis incorporates a previous patch by David Howells. Here\nis his original patch description:\n\n\u003eI suggest adding the attached incremental patch. It makes the following\n\u003echanges:\n\u003e\n\u003e (1) Provides a current_user_ns() macro to wrap accesses to current\u0027s user\n\u003e namespace.\n\u003e\n\u003e (2) Fixes eCryptFS.\n\u003e\n\u003e (3) Renames create_new_userns() to create_user_ns() to be more consistent\n\u003e with the other associated functions and because the \u0027new\u0027 in the name is\n\u003e superfluous.\n\u003e\n\u003e (4) Moves the argument and permission checks made for CLONE_NEWUSER to the\n\u003e beginning of do_fork() so that they\u0027re done prior to making any attempts\n\u003e at allocation.\n\u003e\n\u003e (5) Calls create_user_ns() after prepare_creds(), and gives it the new creds\n\u003e to fill in rather than have it return the new root user. I don\u0027t imagine\n\u003e the new root user being used for anything other than filling in a cred\n\u003e struct.\n\u003e\n\u003e This also permits me to get rid of a get_uid() and a free_uid(), as the\n\u003e reference the creds were holding on the old user_struct can just be\n\u003e transferred to the new namespace\u0027s creator pointer.\n\u003e\n\u003e (6) Makes create_user_ns() reset the UIDs and GIDs of the creds under\n\u003e preparation rather than doing it in copy_creds().\n\u003e\n\u003eDavid\n\n\u003eSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n\nChangelog:\n\tOct 20: integrate dhowells comments\n\t\t1. leave thread_keyring alone\n\t\t2. use current_user_ns() in set_user()\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "76aac0e9a17742e60d408be1a706e9aaad370891", "tree": "e873a000d9c96209726e0958e311f005c13b2ed5", "parents": [ "b103c59883f1ec6e4d548b25054608cb5724453c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:12 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:12 2008 +1100" }, "message": "CRED: Wrap task credential accesses in the core kernel\n\nWrap access to task credentials so that they can be separated more easily from\nthe task_struct during the introduction of COW creds.\n\nChange most current-\u003e(|e|s|fs)[ug]id to current_(|e|s|fs)[ug]id().\n\nChange some task-\u003ee?[ug]id to task_e?[ug]id(). In some places it makes more\nsense to use RCU directly rather than a convenient wrapper; these will be\naddressed by later patches.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: linux-audit@redhat.com\nCc: containers@lists.linux-foundation.org\nCc: linux-mm@kvack.org\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7a8fc9b248e77a4eab0613acf30a6811799786b3", "tree": "24b3beb8bc0633db27ffdb791f94dce95d51b1d0", "parents": [ "d3ee1b405872214609868f3cde631ac157026dd0" ], "author": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Sun Aug 17 17:36:59 2008 +0300" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Aug 23 12:14:12 2008 -0700" }, "message": "removed unused #include \u003clinux/version.h\u003e\u0027s\n\nThis patch lets the files using linux/version.h match the files that\n#include it.\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "6a3fd92e73fffd9e583650c56ad9558afe51dc5c", "tree": "d65917432ffd0e6223dab3500819205433de22bd", "parents": [ "f66e883eb6186bc43a79581b67aff7d1a69d0ff1" ], "author": { "name": "Michael Halcrow", "email": "mhalcrow@us.ibm.com", "time": "Tue Apr 29 00:59:52 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:07 2008 -0700" }, "message": "eCryptfs: make key module subsystem respect namespaces\n\nMake eCryptfs key module subsystem respect namespaces.\n\nSince I will be removing the netlink interface in a future patch, I just made\nchanges to the netlink.c code so that it will not break the build. With my\nrecent patches, the kernel module currently defaults to the device handle\ninterface rather than the netlink interface.\n\n[akpm@linux-foundation.org: export free_user_ns()]\nSigned-off-by: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "1aeb272cf09f9e2cbc62163b9f37a9b4d1c7e81d", "tree": "17c76e18fa145affedae790460cff724f965646b", "parents": [ "3a2e7f47d71e1df86acc1dda6826890b6546a4e1" ], "author": { "name": "Robert P. J. Day", "email": "rpjday@crashcourse.ca", "time": "Tue Apr 29 00:59:25 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:04 2008 -0700" }, "message": "kernel: explicitly include required header files under kernel/\n\nFollowing an experimental deletion of the unnecessary directive\n\n #include \u003clinux/slab.h\u003e\n\nfrom the header file \u003clinux/percpu.h\u003e, these files under kernel/ were exposed\nas needing to include one of \u003clinux/slab.h\u003e or \u003clinux/gfp.h\u003e, so explicit\nincludes were added where necessary.\n\nSigned-off-by: Robert P. J. Day \u003crpjday@crashcourse.ca\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "aee16ce73c71a241190cef3aaa265f6a3ab8e035", "tree": "ccfded2678d36af2d4ba9ad106240acf65173b28", "parents": [ "ae5e1b22f17983da929a0d0178896269e19da186" ], "author": { "name": "Pavel Emelyanov", "email": "xemul@openvz.org", "time": "Fri Feb 08 04:18:23 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Feb 08 09:22:23 2008 -0800" }, "message": "namespaces: cleanup the code managed with the USER_NS option\n\nMake the user_namespace.o compilation depend on this option and move the\ninit_user_ns into user.c file to make the kernel compile and work without the\nnamespaces support. This make the user namespace code be organized similar to\nother namespaces\u0027.\n\nAlso mask the USER_NS option as \"depend on NAMESPACES\".\n\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Cedric Le Goater \u003cclg@fr.ibm.com\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nCc: Herbert Poetzl \u003cherbert@13thfloor.at\u003e\nCc: Kirill Korotaev \u003cdev@sw.ru\u003e\nCc: Sukadev Bhattiprolu \u003csukadev@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "28f300d23674fa01ae747c66ce861d4ee6aebe8c", "tree": "52ea69a57a89760d7060597690cb289d049eb4d0", "parents": [ "735de2230f09741077a645a913de0a04b10208bf" ], "author": { "name": "Pavel Emelyanov", "email": "xemul@openvz.org", "time": "Tue Sep 18 22:46:45 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Sep 19 11:24:18 2007 -0700" }, "message": "Fix user namespace exiting OOPs\n\nIt turned out, that the user namespace is released during the do_exit() in\nexit_task_namespaces(), but the struct user_struct is released only during the\nput_task_struct(), i.e. MUCH later.\n\nOn debug kernels with poisoned slabs this will cause the oops in\nuid_hash_remove() because the head of the chain, which resides inside the\nstruct user_namespace, will be already freed and poisoned.\n\nSince the uid hash itself is required only when someone can search it, i.e.\nwhen the namespace is alive, we can safely unhash all the user_struct-s from\nit during the namespace exiting. The subsequent free_uid() will complete the\nuser_struct destruction.\n\nFor example simple program\n\n #include \u003csched.h\u003e\n\n char stack[2 * 1024 * 1024];\n\n int f(void *foo)\n {\n \treturn 0;\n }\n\n int main(void)\n {\n \tclone(f, stack + 1 * 1024 * 1024, 0x10000000, 0);\n \treturn 0;\n }\n\nrun on kernel with CONFIG_USER_NS turned on will oops the\nkernel immediately.\n\nThis was spotted during OpenVZ kernel testing.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@openvz.org\u003e\nAcked-by: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "735de2230f09741077a645a913de0a04b10208bf", "tree": "b408a671c9c07bec41a9ca8056fa7a6710982f3b", "parents": [ "d8a4821dca693867a7953104c1e3cc830eb9191f" ], "author": { "name": "Pavel Emelyanov", "email": "xemul@openvz.org", "time": "Tue Sep 18 22:46:44 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Sep 19 11:24:18 2007 -0700" }, "message": "Convert uid hash to hlist\n\nSurprisingly, but (spotted by Alexey Dobriyan) the uid hash still uses\nlist_heads, thus occupying twice as much place as it could. Convert it to\nhlist_heads.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@openvz.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "99db67bc04af0f2e8cb710ac92aaeb9af135a7c6", "tree": "ccecbdec74517220854685ab2517ff15208f13c6", "parents": [ "59845b1ffd9121e5ef474ea5f27405fd7a83c85b" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@sw.ru", "time": "Thu Aug 30 23:56:34 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Aug 31 01:42:23 2007 -0700" }, "message": "userns: don\u0027t leak root user\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@sw.ru\u003e\nAcked-by: Cedric Le Goater \u003cclg@fr.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "467e9f4b5086a60a5cb2e032ccaf4a31abadc4c2", "tree": "f21b3975db312e4cdee1d9d3622549de2648b7ff", "parents": [ "3e733f071e16bdad13a75eedb102e8941b09927e" ], "author": { "name": "Cedric Le Goater", "email": "clg@fr.ibm.com", "time": "Sun Jul 15 23:41:06 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Jul 16 09:05:47 2007 -0700" }, "message": "fix create_new_namespaces() return value\n\ndup_mnt_ns() and clone_uts_ns() return NULL on failure. This is wrong,\ncreate_new_namespaces() uses ERR_PTR() to catch an error. This means that the\nsubsequent create_new_namespaces() will hit BUG_ON() in copy_mnt_ns() or\ncopy_utsname().\n\nModify create_new_namespaces() to also use the errors returned by the\ncopy_*_ns routines and not to systematically return ENOMEM.\n\n[oleg@tv-sign.ru: better changelog]\nSigned-off-by: Cedric Le Goater \u003cclg@fr.ibm.com\u003e\nCc: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Badari Pulavarty \u003cpbadari@us.ibm.com\u003e\nCc: Pavel Emelianov \u003cxemul@openvz.org\u003e\nCc: Herbert Poetzl \u003cherbert@13thfloor.at\u003e\nCc: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nCc: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "77ec739d8d0979477fc91f530403805afa2581a4", "tree": "0cefb80a7ff8d57a8f735954fdeb88e9efbaf05c", "parents": [ "acce292c82d4d82d35553b928df2b0597c3a9c78" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Sun Jul 15 23:41:01 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Jul 16 09:05:47 2007 -0700" }, "message": "user namespace: add unshare\n\nThis patch enables the unshare of user namespaces.\n\nIt adds a new clone flag CLONE_NEWUSER and implements copy_user_ns() which\nresets the current user_struct and adds a new root user (uid \u003d\u003d 0)\n\nFor now, unsharing the user namespace allows a process to reset its\nuser_struct accounting and uid 0 in the new user namespace should be contained\nusing appropriate means, for instance selinux\n\nThe plan, when the full support is complete (all uid checks covered), is to\nkeep the original user\u0027s rights in the original namespace, and let a process\nbecome uid 0 in the new namespace, with full capabilities to the new\nnamespace.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Cedric Le Goater \u003cclg@fr.ibm.com\u003e\nAcked-by: Pavel Emelianov \u003cxemul@openvz.org\u003e\nCc: Herbert Poetzl \u003cherbert@13thfloor.at\u003e\nCc: Kirill Korotaev \u003cdev@sw.ru\u003e\nCc: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Andrew Morgan \u003cagm@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "acce292c82d4d82d35553b928df2b0597c3a9c78", "tree": "464288f40db9c254da214c400d0880ee50dc37f3", "parents": [ "7d69a1f4a72b18876c99c697692b78339d491568" ], "author": { "name": "Cedric Le Goater", "email": "clg@fr.ibm.com", "time": "Sun Jul 15 23:40:59 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Jul 16 09:05:47 2007 -0700" }, "message": "user namespace: add the framework\n\nBasically, it will allow a process to unshare its user_struct table,\nresetting at the same time its own user_struct and all the associated\naccounting.\n\nA new root user (uid \u003d\u003d 0) is added to the user namespace upon creation.\nSuch root users have full privileges and it seems that theses privileges\nshould be controlled through some means (process capabilities ?)\n\nThe unshare is not included in this patch.\n\nChanges since [try #4]:\n\t- Updated get_user_ns and put_user_ns to accept NULL, and\n\t get_user_ns to return the namespace.\n\nChanges since [try #3]:\n\t- moved struct user_namespace to files user_namespace.{c,h}\n\nChanges since [try #2]:\n\t- removed struct user_namespace* argument from find_user()\n\nChanges since [try #1]:\n\t- removed struct user_namespace* argument from find_user()\n\t- added a root_user per user namespace\n\nSigned-off-by: Cedric Le Goater \u003cclg@fr.ibm.com\u003e\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Pavel Emelianov \u003cxemul@openvz.org\u003e\nCc: Herbert Poetzl \u003cherbert@13thfloor.at\u003e\nCc: Kirill Korotaev \u003cdev@sw.ru\u003e\nCc: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Andrew Morgan \u003cagm@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" } ] }