)]}' { "log": [ { "commit": "3fc5e98d8cf85e0d77fc597b49e9268dff67400e", "tree": "acd7c7a2579f945ff856bd570988f48f652f93c1", "parents": [ "44658a11f312fb9217674cb90b1a11cbe17fd18d" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Dec 22 16:24:13 2010 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Dec 23 15:31:48 2010 -0800" }, "message": "KEYS: Don\u0027t call up_write() if __key_link_begin() returns an error\n\nIn construct_alloc_key(), up_write() is called in the error path if\n__key_link_begin() fails, but this is incorrect as __key_link_begin() only\nreturns with the nominated keyring locked if it returns successfully.\n\nWithout this patch, you might see the following in dmesg:\n\n\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\t[ BUG: bad unlock balance detected! ]\n\t-------------------------------------\n\tmount.cifs/5769 is trying to release lock (\u0026key-\u003esem) at:\n\t[\u003cffffffff81201159\u003e] request_key_and_link+0x263/0x3fc\n\tbut there are no more locks to release!\n\n\tother info that might help us debug this:\n\t3 locks held by mount.cifs/5769:\n\t #0: (\u0026type-\u003es_umount_key#41/1){+.+.+.}, at: [\u003cffffffff81131321\u003e] sget+0x278/0x3e7\n\t #1: (\u0026ret_buf-\u003esession_mutex){+.+.+.}, at: [\u003cffffffffa0258e59\u003e] cifs_get_smb_ses+0x35a/0x443 [cifs]\n\t #2: (root_key_user.cons_lock){+.+.+.}, at: [\u003cffffffff81201000\u003e] request_key_and_link+0x10a/0x3fc\n\n\tstack backtrace:\n\tPid: 5769, comm: mount.cifs Not tainted 2.6.37-rc6+ #1\n\tCall Trace:\n\t [\u003cffffffff81201159\u003e] ? request_key_and_link+0x263/0x3fc\n\t [\u003cffffffff81081601\u003e] print_unlock_inbalance_bug+0xca/0xd5\n\t [\u003cffffffff81083248\u003e] lock_release_non_nested+0xc1/0x263\n\t [\u003cffffffff81201159\u003e] ? request_key_and_link+0x263/0x3fc\n\t [\u003cffffffff81201159\u003e] ? request_key_and_link+0x263/0x3fc\n\t [\u003cffffffff81083567\u003e] lock_release+0x17d/0x1a4\n\t [\u003cffffffff81073f45\u003e] up_write+0x23/0x3b\n\t [\u003cffffffff81201159\u003e] request_key_and_link+0x263/0x3fc\n\t [\u003cffffffffa026fe9e\u003e] ? cifs_get_spnego_key+0x61/0x21f [cifs]\n\t [\u003cffffffff812013c5\u003e] request_key+0x41/0x74\n\t [\u003cffffffffa027003d\u003e] cifs_get_spnego_key+0x200/0x21f [cifs]\n\t [\u003cffffffffa026e296\u003e] CIFS_SessSetup+0x55d/0x1273 [cifs]\n\t [\u003cffffffffa02589e1\u003e] cifs_setup_session+0x90/0x1ae [cifs]\n\t [\u003cffffffffa0258e7e\u003e] cifs_get_smb_ses+0x37f/0x443 [cifs]\n\t [\u003cffffffffa025a9e3\u003e] cifs_mount+0x1aa1/0x23f3 [cifs]\n\t [\u003cffffffff8111fd94\u003e] ? alloc_debug_processing+0xdb/0x120\n\t [\u003cffffffffa027002c\u003e] ? cifs_get_spnego_key+0x1ef/0x21f [cifs]\n\t [\u003cffffffffa024cc71\u003e] cifs_do_mount+0x165/0x2b3 [cifs]\n\t [\u003cffffffff81130e72\u003e] vfs_kern_mount+0xaf/0x1dc\n\t [\u003cffffffff81131007\u003e] do_kern_mount+0x4d/0xef\n\t [\u003cffffffff811483b9\u003e] do_mount+0x6f4/0x733\n\t [\u003cffffffff8114861f\u003e] sys_mount+0x88/0xc2\n\t [\u003cffffffff8100ac42\u003e] system_call_fastpath+0x16/0x1b\n\nReported-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-and-Tested-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "12b3052c3ee8f508b2c7ee4ddd63ed03423409d8", "tree": "b97d0f209f363cfad94ce9d075312274e349da89", "parents": [ "6800e4c0ea3e96cf78953b8b5743381cb1bb9e37" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 15 18:36:29 2010 -0500" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Nov 15 15:40:01 2010 -0800" }, "message": "capabilities/syslog: open code cap_syslog logic to fix build failure\n\nThe addition of CONFIG_SECURITY_DMESG_RESTRICT resulted in a build\nfailure when CONFIG_PRINTK\u003dn. This is because the capabilities code\nwhich used the new option was built even though the variable in question\ndidn\u0027t exist.\n\nThe patch here fixes this by moving the capabilities checks out of the\nLSM and into the caller. All (known) LSMs should have been calling the\ncapabilities hook already so it actually makes the code organization\nbetter to eliminate the hook altogether.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "fe7e96f66b2622d8492ee9dd7fc08b811086caca", "tree": "524b78f3a5a9c35bee8b437e9c4738d42fc454a7", "parents": [ "0f90933c477c061df6daf42d814ff2012aea43cc", "a26d279ea87e9fef2cf8a44b371e48e6091975a6" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Nov 12 08:00:25 2010 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Nov 12 08:00:25 2010 -0800" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n APPARMOR: Fix memory leak of apparmor_init()\n APPARMOR: Fix memory leak of alloc_namespace()\n" }, { "commit": "eaf06b241b091357e72b76863ba16e89610d31bd", "tree": "83bc8667309050b3538630707513574c14c51f37", "parents": [ "203f40a5a030ed4048cd40e3bd9ab5df6c5df589" ], "author": { "name": "Dan Rosenberg", "email": "drosenberg@vsecurity.com", "time": "Thu Nov 11 14:05:18 2010 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Nov 12 07:55:32 2010 -0800" }, "message": "Restrict unprivileged access to kernel syslog\n\nThe kernel syslog contains debugging information that is often useful\nduring exploitation of other vulnerabilities, such as kernel heap\naddresses. Rather than futilely attempt to sanitize hundreds (or\nthousands) of printk statements and simultaneously cripple useful\ndebugging functionality, it is far simpler to create an option that\nprevents unprivileged users from reading the syslog.\n\nThis patch, loosely based on grsecurity\u0027s GRKERNSEC_DMESG, creates the\ndmesg_restrict sysctl. When set to \"0\", the default, no restrictions are\nenforced. When set to \"1\", only users with CAP_SYS_ADMIN can read the\nkernel syslog via dmesg(8) or other mechanisms.\n\n[akpm@linux-foundation.org: explain the config option in kernel.txt]\nSigned-off-by: Dan Rosenberg \u003cdrosenberg@vsecurity.com\u003e\nAcked-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nAcked-by: Eugene Teo \u003ceugeneteo@kernel.org\u003e\nAcked-by: Kees Cook \u003ckees.cook@canonical.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "a26d279ea87e9fef2cf8a44b371e48e6091975a6", "tree": "fe1a1a007c0fc1419e8f8e3e845ad18a377569bc", "parents": [ "246c3fb16b08193837a8009ff15ef6908534ba71" ], "author": { "name": "wzt.wzt@gmail.com", "email": "wzt.wzt@gmail.com", "time": "Wed Nov 10 16:05:15 2010 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 11 07:36:22 2010 +1100" }, "message": "APPARMOR: Fix memory leak of apparmor_init()\n\nset_init_cxt() allocted sizeof(struct aa_task_cxt) bytes for cxt,\nif register_security() failed, it will cause memory leak.\n\nSigned-off-by: Zhitong Wang \u003czhitong.wangzt@alibaba-inc.com\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "246c3fb16b08193837a8009ff15ef6908534ba71", "tree": "47c8fb1d63c3f0cfd7c3e1507e6c1e16a6837264", "parents": [ "f6614b7bb405a9b35dd28baea989a749492c46b2" ], "author": { "name": "wzt.wzt@gmail.com", "email": "wzt.wzt@gmail.com", "time": "Wed Nov 10 11:31:55 2010 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 11 07:36:18 2010 +1100" }, "message": "APPARMOR: Fix memory leak of alloc_namespace()\n\npolicy-\u003ename is a substring of policy-\u003ehname, if prefix is not NULL, it will\nallocted strlen(prefix) + strlen(name) + 3 bytes to policy-\u003ehname in policy_init().\nuse kzfree(ns-\u003ebase.name) will casue memory leak if alloc_namespace() failed.\n\nSigned-off-by: Zhitong Wang \u003czhitong.wangzt@alibaba-inc.com\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "fc14f2fef682df677d64a145256dbd263df2aa7b", "tree": "74f6b939fbad959a43c04ec646cd0adc8af5f53a", "parents": [ "848b83a59b772b8f102bc5e3f1187c2fa5676959" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jul 25 01:48:30 2010 +0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri Oct 29 04:16:28 2010 -0400" }, "message": "convert get_sb_single() users\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "27d6379894be4a81984da4d48002196a83939ca9", "tree": "1d5a7338b0fc66ba4c0b799eb60df44b8f0fc08a", "parents": [ "765aaafe38050790301e89745b991dbdf3dded4c" ], "author": { "name": "Andi Kleen", "email": "ak@linux.intel.com", "time": "Thu Oct 28 13:16:13 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Oct 28 09:02:15 2010 -0700" }, "message": "Fix install_process_keyring error handling\n\nFix an incorrect error check that returns 1 for error instead of the\nexpected error code.\n\nSigned-off-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "426e1f5cec4821945642230218876b0e89aafab1", "tree": "2728ace018d0698886989da586210ef1543a7098", "parents": [ "9e5fca251f44832cb996961048ea977f80faf6ea", "63997e98a3be68d7cec806d22bf9b02b2e1daabb" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 17:58:44 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 17:58:44 2010 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: (52 commits)\n split invalidate_inodes()\n fs: skip I_FREEING inodes in writeback_sb_inodes\n fs: fold invalidate_list into invalidate_inodes\n fs: do not drop inode_lock in dispose_list\n fs: inode split IO and LRU lists\n fs: switch bdev inode bdi\u0027s correctly\n fs: fix buffer invalidation in invalidate_list\n fsnotify: use dget_parent\n smbfs: use dget_parent\n exportfs: use dget_parent\n fs: use RCU read side protection in d_validate\n fs: clean up dentry lru modification\n fs: split __shrink_dcache_sb\n fs: improve DCACHE_REFERENCED usage\n fs: use percpu counter for nr_dentry and nr_dentry_unused\n fs: simplify __d_free\n fs: take dcache_lock inside __d_path\n fs: do not assign default i_ino in new_inode\n fs: introduce a per-cpu last_ino allocator\n new helper: ihold()\n ...\n" }, { "commit": "f9ba5375a8aae4aeea6be15df77e24707a429812", "tree": "c6388d7e40f0f6a70d7ba6a4d4aeaa0d1f5591f6", "parents": [ "45352bbf48e95078b4acd20774f49e72676e1e0f", "bade72d607c4eb1b1d6c7852c493b75f065a56b5" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:48 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:48 2010 -0700" }, "message": "Merge branch \u0027ima-memory-use-fixes\u0027\n\n* ima-memory-use-fixes:\n IMA: fix the ToMToU logic\n IMA: explicit IMA i_flag to remove global lock on inode_delete\n IMA: drop refcnt from ima_iint_cache since it isn\u0027t needed\n IMA: only allocate iint when needed\n IMA: move read counter into struct inode\n IMA: use i_writecount rather than a private counter\n IMA: use inode-\u003ei_lock to protect read and write counters\n IMA: convert internal flags from long to char\n IMA: use unsigned int instead of long for counters\n IMA: drop the inode opencount since it isn\u0027t needed for operation\n IMA: use rbtree instead of radix tree for inode information cache\n" }, { "commit": "bade72d607c4eb1b1d6c7852c493b75f065a56b5", "tree": "95aafb198d9a8a08e6b7813de0403658e6a1b04a", "parents": [ "196f518128d2ee6e0028b50e6fec0313640db142" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 25 14:42:25 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:19 2010 -0700" }, "message": "IMA: fix the ToMToU logic\n\nCurrent logic looks like this:\n\n rc \u003d ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK);\n if (rc \u003c 0)\n goto out;\n\n if (mode \u0026 FMODE_WRITE) {\n if (inode-\u003ei_readcount)\n send_tomtou \u003d true;\n goto out;\n }\n\n if (atomic_read(\u0026inode-\u003ei_writecount) \u003e 0)\n send_writers \u003d true;\n\nLets assume we have a policy which states that all files opened for read\nby root must be measured.\n\nLets assume the file has permissions 777.\n\nLets assume that root has the given file open for read.\n\nLets assume that a non-root process opens the file write.\n\nThe non-root process will get to ima_counts_get() and will check the\nima_must_measure(). Since it is not supposed to measure it will goto\nout.\n\nWe should check the i_readcount no matter what since we might be causing\na ToMToU voilation!\n\nThis is close to correct, but still not quite perfect. The situation\ncould have been that root, which was interested in the mesurement opened\nand closed the file and another process which is not interested in the\nmeasurement is the one holding the i_readcount ATM. This is just overly\nstrict on ToMToU violations, which is better than not strict enough...\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "196f518128d2ee6e0028b50e6fec0313640db142", "tree": "43a1d76bee477dbaa682233979e86f58a98369f0", "parents": [ "64c62f06bef8314a64d3189cb9c78062d54169b3" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 25 14:42:19 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:19 2010 -0700" }, "message": "IMA: explicit IMA i_flag to remove global lock on inode_delete\n\nCurrently for every removed inode IMA must take a global lock and search\nthe IMA rbtree looking for an associated integrity structure. Instead\nwe explicitly mark an inode when we add an integrity structure so we\nonly have to take the global lock and do the removal if it exists.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "64c62f06bef8314a64d3189cb9c78062d54169b3", "tree": "63f542bf6a0de4eb2c9742376f7c314ac78e65ec", "parents": [ "bc7d2a3e66b40477270c3cbe3b89b47093276e7a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 25 14:42:12 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:19 2010 -0700" }, "message": "IMA: drop refcnt from ima_iint_cache since it isn\u0027t needed\n\nSince finding a struct ima_iint_cache requires a valid struct inode, and\nthe struct ima_iint_cache is supposed to have the same lifetime as a\nstruct inode (technically they die together but don\u0027t need to be created\nat the same time) we don\u0027t have to worry about the ima_iint_cache\noutliving or dieing before the inode. So the refcnt isn\u0027t useful. Just\nget rid of it and free the structure when the inode is freed.\n\nSigned-off-by: Eric Paris \u003ceapris@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "bc7d2a3e66b40477270c3cbe3b89b47093276e7a", "tree": "8f0198b8ad455fde11b24e32a2e32c008a5ececb", "parents": [ "a178d2027d3198b0a04517d764326ab71cd73da2" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 25 14:42:05 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:18 2010 -0700" }, "message": "IMA: only allocate iint when needed\n\nIMA always allocates an integrity structure to hold information about\nevery inode, but only needed this structure to track the number of\nreaders and writers currently accessing a given inode. Since that\ninformation was moved into struct inode instead of the integrity struct\nthis patch stops allocating the integrity stucture until it is needed.\nThus greatly reducing memory usage.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "a178d2027d3198b0a04517d764326ab71cd73da2", "tree": "d81b9336328ba1741231b318a6f8187f627581fd", "parents": [ "b9593d309d17c57e9ddc3934d641902533896ca9" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 25 14:41:59 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:18 2010 -0700" }, "message": "IMA: move read counter into struct inode\n\nIMA currently allocated an inode integrity structure for every inode in\ncore. This stucture is about 120 bytes long. Most files however\n(especially on a system which doesn\u0027t make use of IMA) will never need\nany of this space. The problem is that if IMA is enabled we need to\nknow information about the number of readers and the number of writers\nfor every inode on the box. At the moment we collect that information\nin the per inode iint structure and waste the rest of the space. This\npatch moves those counters into the struct inode so we can eventually\nstop allocating an IMA integrity structure except when absolutely\nneeded.\n\nThis patch does the minimum needed to move the location of the data.\nFurther cleanups, especially the location of counter updates, may still\nbe possible.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b9593d309d17c57e9ddc3934d641902533896ca9", "tree": "fa7fd9ced4a79f102e653ee4a5dc348aa1a41c21", "parents": [ "ad16ad00c34d3f320a5876b3d711ef6bc81362e1" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 25 14:41:52 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:18 2010 -0700" }, "message": "IMA: use i_writecount rather than a private counter\n\nIMA tracks the number of struct files which are holding a given inode\nreadonly and the number which are holding the inode write or r/w. It\nneeds this information so when a new reader or writer comes in it can\ntell if this new file will be able to invalidate results it already made\nabout existing files.\n\naka if a task is holding a struct file open RO, IMA measured the file\nand recorded those measurements and then a task opens the file RW IMA\nneeds to note in the logs that the old measurement may not be correct.\nIt\u0027s called a \"Time of Measure Time of Use\" (ToMToU) issue. The same is\ntrue is a RO file is opened to an inode which has an open writer. We\ncannot, with any validity, measure the file in question since it could\nbe changing.\n\nThis patch attempts to use the i_writecount field to track writers. The\ni_writecount field actually embeds more information in it\u0027s value than\nIMA needs but it should work for our purposes and allow us to shrink the\nstruct inode even more.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "ad16ad00c34d3f320a5876b3d711ef6bc81362e1", "tree": "7cf3b755567fde2850d2ea7f4a186a0dcea6b80f", "parents": [ "15aac676778f206b42c4d7782b08f89246680485" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 25 14:41:45 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:18 2010 -0700" }, "message": "IMA: use inode-\u003ei_lock to protect read and write counters\n\nCurrently IMA used the iint-\u003emutex to protect the i_readcount and\ni_writecount. This patch uses the inode-\u003ei_lock since we are going to\nstart using in inode objects and that is the most appropriate lock.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "15aac676778f206b42c4d7782b08f89246680485", "tree": "d4d2625139f8a52ffa7bd0cb1848a446518652ec", "parents": [ "497f32337073a2da102c49a53779097b5394711b" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 25 14:41:39 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:18 2010 -0700" }, "message": "IMA: convert internal flags from long to char\n\nThe IMA flags is an unsigned long but there is only 1 flag defined.\nLets save a little space and make it a char. This packs nicely next to\nthe array of u8\u0027s.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "497f32337073a2da102c49a53779097b5394711b", "tree": "203cbcd3f9462737d872e24fb2c847ce9a69de45", "parents": [ "b575156dafef208415ff0842c392733d16d4ccf1" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 25 14:41:32 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:18 2010 -0700" }, "message": "IMA: use unsigned int instead of long for counters\n\nCurrently IMA uses 2 longs in struct inode. To save space (and as it\nseems impossible to overflow 32 bits) we switch these to unsigned int.\nThe switch to unsigned does require slightly different checks for\nunderflow, but it isn\u0027t complex.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b575156dafef208415ff0842c392733d16d4ccf1", "tree": "52e4afd6a1969a975bd9e4b882d97d5ab659fa20", "parents": [ "8549164143a5431f9d9ea846acaa35a862410d9c" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 25 14:41:26 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:17 2010 -0700" }, "message": "IMA: drop the inode opencount since it isn\u0027t needed for operation\n\nThe opencount was used to help debugging to make sure that everything\nwhich created a struct file also correctly made the IMA calls. Since we\nmoved all of that into the VFS this isn\u0027t as necessary. We should be\nable to get the same amount of debugging out of just the reader and\nwrite count.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8549164143a5431f9d9ea846acaa35a862410d9c", "tree": "79b0d2aeb2674f221854866cb067947dc47f2203", "parents": [ "f6f94e2ab1b33f0082ac22d71f66385a60d8157f" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 25 14:41:18 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:17 2010 -0700" }, "message": "IMA: use rbtree instead of radix tree for inode information cache\n\nThe IMA code needs to store the number of tasks which have an open fd\ngranting permission to write a file even when IMA is not in use. It\nneeds this information in order to be enabled at a later point in time\nwithout losing it\u0027s integrity garantees.\n\nAt the moment that means we store a little bit of data about every inode\nin a cache. We use a radix tree key\u0027d on the inode\u0027s memory address.\nDave Chinner pointed out that a radix tree is a terrible data structure\nfor such a sparse key space. This patch switches to using an rbtree\nwhich should be more efficient.\n\nBug report from Dave:\n\n \"I just noticed that slabtop was reporting an awfully high usage of\n radix tree nodes:\n\n OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME\n 4200331 2778082 66% 0.55K 144839 29 2317424K radix_tree_node\n 2321500 2060290 88% 1.00K 72581 32 2322592K xfs_inode\n 2235648 2069791 92% 0.12K 69864 32 279456K iint_cache\n\n That is, 2.7M radix tree nodes are allocated, and the cache itself is\n consuming 2.3GB of RAM. I know that the XFS inodei caches are indexed\n by radix tree node, but for 2 million cached inodes that would mean a\n density of 1 inode per radix tree node, which for a system with 16M\n inodes in the filsystems is an impossibly low density. The worst I\u0027ve\n seen in a production system like kernel.org is about 20-25% density,\n which would mean about 150-200k radix tree nodes for that many inodes.\n So it\u0027s not the inode cache.\n\n So I looked up what the iint_cache was. It appears to used for\n storing per-inode IMA information, and uses a radix tree for indexing.\n It uses the *address* of the struct inode as the indexing key. That\n means the key space is extremely sparse - for XFS the struct inode\n addresses are approximately 1000 bytes apart, which means the closest\n the radix tree index keys get is ~1000. Which means that there is a\n single entry per radix tree leaf node, so the radix tree is using\n roughly 550 bytes for every 120byte structure being cached. For the\n above example, it\u0027s probably wasting close to 1GB of RAM....\"\n\nReported-by: Dave Chinner \u003cdavid@fromorbit.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "be148247cfbe2422f5709e77d9c3e10b8a6394da", "tree": "f04605bb5ea21cefd455b6fd81c51d8bb02c1521", "parents": [ "85fe4025c616a7c0ed07bc2fc8c5371b07f3888c" ], "author": { "name": "Christoph Hellwig", "email": "hch@infradead.org", "time": "Sun Oct 10 05:36:21 2010 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Oct 25 21:26:12 2010 -0400" }, "message": "fs: take dcache_lock inside __d_path\n\nAll callers take dcache_lock just around the call to __d_path, so\ntake the lock into it in preparation of getting rid of dcache_lock.\n\nSigned-off-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "85fe4025c616a7c0ed07bc2fc8c5371b07f3888c", "tree": "7a5db7accb6192f2911f2473b4e3191227b914cc", "parents": [ "f991bd2e14210fb93d722cb23e54991de20e8a3d" ], "author": { "name": "Christoph Hellwig", "email": "hch@lst.de", "time": "Sat Oct 23 11:19:54 2010 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Oct 25 21:26:11 2010 -0400" }, "message": "fs: do not assign default i_ino in new_inode\n\nInstead of always assigning an increasing inode number in new_inode\nmove the call to assign it into those callers that actually need it.\nFor now callers that need it is estimated conservatively, that is\nthe call is added to all filesystems that do not assign an i_ino\nby themselves. For a few more filesystems we can avoid assigning\nany inode number given that they aren\u0027t user visible, and for others\nit could be done lazily when an inode number is actually needed,\nbut that\u0027s left for later patches.\n\nSigned-off-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Dave Chinner \u003cdchinner@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "092e0e7e520a1fca03e13c9f2d157432a8657ff2", "tree": "451897252c4c08c4b5a8ef535da156f1e817e80b", "parents": [ "79f14b7c56d3b3ba58f8b43d1f70b9b71477a800", "776c163b1b93c8dfa5edba885bc2bfbc2d228a5f" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Oct 22 10:52:56 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Oct 22 10:52:56 2010 -0700" }, "message": "Merge branch \u0027llseek\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl\n\n* \u0027llseek\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl:\n vfs: make no_llseek the default\n vfs: don\u0027t use BKL in default_llseek\n llseek: automatically add .llseek fop\n libfs: use generic_file_llseek for simple_attr\n mac80211: disallow seeks in minstrel debug code\n lirc: make chardev nonseekable\n viotape: use noop_llseek\n raw: use explicit llseek file operations\n ibmasmfs: use generic_file_llseek\n spufs: use llseek in all file operations\n arm/omap: use generic_file_llseek in iommu_debug\n lkdtm: use generic_file_llseek in debugfs\n net/wireless: use generic_file_llseek in debugfs\n drm: use noop_llseek\n" }, { "commit": "f0d3d9894e43fc68d47948e2c6f03e32da88b799", "tree": "685f386b1f114a29c6db8d5f2f947620b4df0285", "parents": [ "ff660c80d00b52287f1f67ee6c115dc0057bcdde" ], "author": { "name": "Stephen Rothwell", "email": "sfr@canb.auug.org.au", "time": "Wed Oct 20 16:08:00 2010 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:13:01 2010 +1100" }, "message": "selinux: include vmalloc.h for vmalloc_user\n\nInclude vmalloc.h for vmalloc_user (fixes ppc build warning).\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "845ca30fe9691f1bab7cfbf30b6d11c944eb4abd", "tree": "eabf2b17957c2214375f870387eaab6c43d9e931", "parents": [ "cee74f47a6baba0ac457e87687fdcf0abd599f0a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 17:50:31 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:59 2010 +1100" }, "message": "selinux: implement mmap on /selinux/policy\n\n/selinux/policy allows a user to copy the policy back out of the kernel.\nThis patch allows userspace to actually mmap that file and use it directly.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cee74f47a6baba0ac457e87687fdcf0abd599f0a", "tree": "3d9fdb073050664e62d9cdb6c28112090cd138da", "parents": [ "00d85c83ac52e2c1a66397f1abc589f80c543425" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 17:50:25 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:58 2010 +1100" }, "message": "SELinux: allow userspace to read policy back out of the kernel\n\nThere is interest in being able to see what the actual policy is that was\nloaded into the kernel. The patch creates a new selinuxfs file\n/selinux/policy which can be read by userspace. The actual policy that is\nloaded into the kernel will be written back out to userspace.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "00d85c83ac52e2c1a66397f1abc589f80c543425", "tree": "86f297ed90f988d46e6bb8c56a60fbc3b3eb8d66", "parents": [ "4419aae1f4f380a3fba0f4f12ffbbbdf3f267c51" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 17:50:19 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:57 2010 +1100" }, "message": "SELinux: drop useless (and incorrect) AVTAB_MAX_SIZE\n\nAVTAB_MAX_SIZE was a define which was supposed to be used in userspace to\ndefine a maximally sized avtab when userspace wasn\u0027t sure how big of a table\nit needed. It doesn\u0027t make sense in the kernel since we always know our table\nsizes. The only place it is used we have a more appropiately named define\ncalled AVTAB_MAX_HASH_BUCKETS, use that instead.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4419aae1f4f380a3fba0f4f12ffbbbdf3f267c51", "tree": "e2f7e4850dc84768f6dd66e38a1454b8e3574714", "parents": [ "b28efd54d9d5c8005a29cd8782335beb9daaa32d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 17:50:14 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:56 2010 +1100" }, "message": "SELinux: deterministic ordering of range transition rules\n\nRange transition rules are placed in the hash table in an (almost)\narbitrary order. This patch inserts them in a fixed order to make policy\nretrival more predictable.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d5630b9d276bd389299ffea620b7c340ab19bcf5", "tree": "4e97cadf12518fb107f9e7140fa94343bd6643f5", "parents": [ "2606fd1fa5710205b23ee859563502aa18362447" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 16:24:48 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:50 2010 +1100" }, "message": "security: secid_to_secctx returns len when data is NULL\n\nWith the (long ago) interface change to have the secid_to_secctx functions\ndo the string allocation instead of having the caller do the allocation we\nlost the ability to query the security server for the length of the\nupcoming string. The SECMARK code would like to allocate a netlink skb\nwith enough length to hold the string but it is just too unclean to do the\nstring allocation twice or to do the allocation the first time and hold\nonto the string and slen. This patch adds the ability to call\nsecurity_secid_to_secctx() with a NULL data pointer and it will just set\nthe slen pointer.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2606fd1fa5710205b23ee859563502aa18362447", "tree": "f79becd7010a2da1a765829fce0e09327cd50531", "parents": [ "15714f7b58011cf3948cab2988abea560240c74f" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 16:24:41 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:48 2010 +1100" }, "message": "secmark: make secmark object handling generic\n\nRight now secmark has lots of direct selinux calls. Use all LSM calls and\nremove all SELinux specific knowledge. The only SELinux specific knowledge\nwe leave is the mode. The only point is to make sure that other LSMs at\nleast test this generic code before they assume it works. (They may also\nhave to make changes if they do not represent labels as strings)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3ed02ada2a5e695e2fbb5e4a0008cfcb0f50feaa", "tree": "8b01e83cfa6b18fe8b83b342733931d5f98bc1b2", "parents": [ "9f1c1d426b0402b25cd0d7ca719ffc8e20e46d5f" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Sat Oct 09 00:47:53 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:46 2010 +1100" }, "message": "AppArmor: Ensure the size of the copy is \u003c the buffer allocated to hold it\n\nActually I think in this case the appropriate thing to do is to BUG as there\nis currently a case (remove) where the alloc_size needs to be larger than\nthe copy_size, and if copy_size is ever greater than alloc_size there is\na mistake in the caller code.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nAcked-by: Kees Cook \u003ckees.cook@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9f1c1d426b0402b25cd0d7ca719ffc8e20e46d5f", "tree": "5d31ff027688a90cef5ccea5bee1cb3e65639b37", "parents": [ "b0ae19811375031ae3b3fecc65b702a9c6e5cc28" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Fri Oct 08 14:43:22 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:45 2010 +1100" }, "message": "TOMOYO: Print URL information before panic().\n\nConfiguration files for TOMOYO 2.3 are not compatible with TOMOYO 2.2.\nBut current panic() message is too unfriendly and is confusing users.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nReviewed-by: KOSAKI Motohiro \u003ckosaki.motohiro@jp.fujitsu.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b0ae19811375031ae3b3fecc65b702a9c6e5cc28", "tree": "a765b71155fbed1ed3a3cff35c1044ad49a002ae", "parents": [ "9b3056cca09529d34af2d81305b2a9c6b622ca1b" ], "author": { "name": "KOSAKI Motohiro", "email": "kosaki.motohiro@jp.fujitsu.com", "time": "Fri Oct 15 04:21:18 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:44 2010 +1100" }, "message": "security: remove unused parameter from security_task_setscheduler()\n\nAll security modules shouldn\u0027t change sched_param parameter of\nsecurity_task_setscheduler(). This is not only meaningless, but also\nmake a harmful result if caller pass a static variable.\n\nThis patch remove policy and sched_param parameter from\nsecurity_task_setscheduler() becuase none of security module is\nusing it.\n\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: KOSAKI Motohiro \u003ckosaki.motohiro@jp.fujitsu.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "36f7f28416c97dbb725154930066d115b4447e17", "tree": "c09aed0142158c6fda679bab87012144e5a60372", "parents": [ "8b0c543e5cb1e47a54d3ea791b8a03b9c8a715db" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@ak.jp.nec.com", "time": "Thu Sep 30 11:49:55 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:41 2010 +1100" }, "message": "selinux: fix up style problem on /selinux/status\n\nThis patch fixes up coding-style problem at this commit:\n\n 4f27a7d49789b04404eca26ccde5f527231d01d5\n selinux: fast status update interface (/selinux/status)\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8b0c543e5cb1e47a54d3ea791b8a03b9c8a715db", "tree": "82391c4dc20e071f0ebcee867a7cc27119928114", "parents": [ "60272da0341e9eaa136e1dc072bfef72c995d851" ], "author": { "name": "matt mooney", "email": "mfm@muteddisk.com", "time": "Wed Sep 22 23:50:06 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:40 2010 +1100" }, "message": "selinux: change to new flag variable\n\nReplace EXTRA_CFLAGS with ccflags-y.\n\nSigned-off-by: matt mooney \u003cmfm@muteddisk.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "60272da0341e9eaa136e1dc072bfef72c995d851", "tree": "9441606f03330f1e2951ff0613d8059f90a353ec", "parents": [ "ceba72a68d17ee36ef24a71b80dde39ee934ece8" ], "author": { "name": "Paul Gortmaker", "email": "paul.gortmaker@windriver.com", "time": "Wed Sep 15 20:14:53 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:39 2010 +1100" }, "message": "selinux: really fix dependency causing parallel compile failure.\n\nWhile the previous change to the selinux Makefile reduced the window\nsignificantly for this failure, it is still possible to see a compile\nfailure where cpp starts processing selinux files before the auto\ngenerated flask.h file is completed. This is easily reproduced by\nadding the following temporary change to expose the issue everytime:\n\n- cmd_flask \u003d scripts/selinux/genheaders/genheaders ...\n+ cmd_flask \u003d sleep 30 ; scripts/selinux/genheaders/genheaders ...\n\nThis failure happens because the creation of the object files in the ss\nsubdir also depends on flask.h. So simply incorporate them into the\nparent Makefile, as the ss/Makefile really doesn\u0027t do anything unique.\n\nWith this change, compiling of all selinux files is dependent on\ncompletion of the header file generation, and this test case with\nthe \"sleep 30\" now confirms it is functioning as expected.\n\nSigned-off-by: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ceba72a68d17ee36ef24a71b80dde39ee934ece8", "tree": "912582b629745d650e9f8ae6fecb42e4345e3900", "parents": [ "119041672592d1890d89dd8f194bd0919d801dc8" ], "author": { "name": "Paul Gortmaker", "email": "paul.gortmaker@windriver.com", "time": "Mon Aug 09 17:34:25 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:38 2010 +1100" }, "message": "selinux: fix parallel compile error\n\nSelinux has an autogenerated file, \"flask.h\" which is included by\ntwo other selinux files. The current makefile has a single dependency\non the first object file in the selinux-y list, assuming that will get\nflask.h generated before anyone looks for it, but that assumption breaks\ndown in a \"make -jN\" situation and you get:\n\n selinux/selinuxfs.c:35: fatal error: flask.h: No such file or directory\n compilation terminated.\n remake[9]: *** [security/selinux/selinuxfs.o] Error 1\n\nSince flask.h is included by security.h which in turn is included\nnearly everywhere, make the dependency apply to all of the selinux-y\nlist of objs.\n\nSigned-off-by: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "119041672592d1890d89dd8f194bd0919d801dc8", "tree": "b994abb42446b8637f072194c57359fd80d52a97", "parents": [ "4b04a7cfc5ccb573ca3752429c81d37f8dd2f7c6" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@ak.jp.nec.com", "time": "Tue Sep 14 18:28:39 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:36 2010 +1100" }, "message": "selinux: fast status update interface (/selinux/status)\n\nThis patch provides a new /selinux/status entry which allows applications\nread-only mmap(2).\nThis region reflects selinux_kernel_status structure in kernel space.\n struct selinux_kernel_status\n {\n u32 length; /* length of this structure */\n u32 sequence; /* sequence number of seqlock logic */\n u32 enforcing; /* current setting of enforcing mode */\n u32 policyload; /* times of policy reloaded */\n u32 deny_unknown; /* current setting of deny_unknown */\n };\n\nWhen userspace object manager caches access control decisions provided\nby SELinux, it needs to invalidate the cache on policy reload and setenforce\nto keep consistency.\nHowever, the applications need to check the kernel state for each accesses\non userspace avc, or launch a background worker process.\nIn heuristic, frequency of invalidation is much less than frequency of\nmaking access control decision, so it is annoying to invoke a system call\nto check we don\u0027t need to invalidate the userspace cache.\nIf we can use a background worker thread, it allows to receive invalidation\nmessages from the kernel. But it requires us an invasive coding toward the\nbase application in some cases; E.g, when we provide a feature performing\nwith SELinux as a plugin module, it is unwelcome manner to launch its own\nworker thread from the module.\n\nIf we could map /selinux/status to process memory space, application can\nknow updates of selinux status; policy reload or setenforce.\n\nA typical application checks selinux_kernel_status::sequence when it tries\nto reference userspace avc. If it was changed from the last time when it\nchecked userspace avc, it means something was updated in the kernel space.\nThen, the application can reset userspace avc or update current enforcing\nmode, without any system call invocations.\nThis sequence number is updated according to the seqlock logic, so we need\nto wait for a while if it is odd number.\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n--\n security/selinux/include/security.h | 21 ++++++\n security/selinux/selinuxfs.c | 56 +++++++++++++++\n security/selinux/ss/Makefile | 2 +-\n security/selinux/ss/services.c | 3 +\n security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++\n 5 files changed, 210 insertions(+), 1 deletions(-)\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4b04a7cfc5ccb573ca3752429c81d37f8dd2f7c6", "tree": "d765918750208f7a99c714eddd398f4005051b6a", "parents": [ "065d78a0603cc6f8d288e96dbf761b96984b634f" ], "author": { "name": "Yong Zhang", "email": "yong.zhang@windriver.com", "time": "Sat Aug 28 10:25:09 2010 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:35 2010 +1100" }, "message": ".gitignore: ignore apparmor/rlim_names.h\n\nSigned-off-by: Yong Zhang \u003cyong.zhang0@gmail.com\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "065d78a0603cc6f8d288e96dbf761b96984b634f", "tree": "b95d865a91a6895d54b7b6486ebeb3b40bf2648e", "parents": [ "daa6d83a2863c28197b0c7dabfdf1e0606760b78" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Sat Aug 28 14:58:44 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:34 2010 +1100" }, "message": "LSM: Fix security_module_enable() error.\n\nWe can set default LSM module to DAC (which means \"enable no LSM module\").\nIf default LSM module was set to DAC, security_module_enable() must return 0\nunless overridden via boot time parameter.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge E. Hallyn \u003cserge@hallyn.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "daa6d83a2863c28197b0c7dabfdf1e0606760b78", "tree": "0c1198f796847274aeead46e791bb8c84451bfd2", "parents": [ "68eda8f59081c74a51d037cc29893bd7c9b3c2d8" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Aug 03 15:26:05 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:33 2010 +1100" }, "message": "selinux: type_bounds_sanity_check has a meaningless variable declaration\n\ntype is not used at all, stop declaring and assigning it.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "68eda8f59081c74a51d037cc29893bd7c9b3c2d8", "tree": "5970a384719568f6f36ee07efe72adb8cfab39f1", "parents": [ "f6f94e2ab1b33f0082ac22d71f66385a60d8157f" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sun Aug 08 00:17:51 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:32 2010 +1100" }, "message": "tomoyo: cleanup. don\u0027t store bogus pointer\n\nIf domain is NULL then \u0026domain-\u003elist is a bogus address. Let\u0027s leave\nhead-\u003er.domain NULL instead of saving an unusable pointer.\n\nThis is just a cleanup. The current code always checks head-\u003er.eof\nbefore dereferencing head-\u003er.domain.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\n" }, { "commit": "6038f373a3dc1f1c26496e60b6c40b164716f07e", "tree": "a0d3bbd026eea41b9fc36b8c722cbaf56cd9f825", "parents": [ "1ec5584e3edf9c4bf2c88c846534d19cf986ba11" ], "author": { "name": "Arnd Bergmann", "email": "arnd@arndb.de", "time": "Sun Aug 15 18:52:59 2010 +0200" }, "committer": { "name": "Arnd Bergmann", "email": "arnd@arndb.de", "time": "Fri Oct 15 15:53:27 2010 +0200" }, "message": "llseek: automatically add .llseek fop\n\nAll file_operations should get a .llseek operation so we can make\nnonseekable_open the default for future file operations without a\n.llseek pointer.\n\nThe three cases that we can automatically detect are no_llseek, seq_lseek\nand default_llseek. For cases where we can we can automatically prove that\nthe file offset is always ignored, we use noop_llseek, which maintains\nthe current behavior of not returning an error from a seek.\n\nNew drivers should normally not use noop_llseek but instead use no_llseek\nand call nonseekable_open at open time. Existing drivers can be converted\nto do the same when the maintainer knows for certain that no user code\nrelies on calling seek on the device file.\n\nThe generated code is often incorrectly indented and right now contains\ncomments that clarify for each added line why a specific variant was\nchosen. In the version that gets submitted upstream, the comments will\nbe gone and I will manually fix the indentation, because there does not\nseem to be a way to do that using coccinelle.\n\nSome amount of new code is currently sitting in linux-next that should get\nthe same modifications, which I will do at the end of the merge window.\n\nMany thanks to Julia Lawall for helping me learn to write a semantic\npatch that does all this.\n\n\u003d\u003d\u003d\u003d\u003d begin semantic patch \u003d\u003d\u003d\u003d\u003d\n// This adds an llseek\u003d method to all file operations,\n// as a preparation for making no_llseek the default.\n//\n// The rules are\n// - use no_llseek explicitly if we do nonseekable_open\n// - use seq_lseek for sequential files\n// - use default_llseek if we know we access f_pos\n// - use noop_llseek if we know we don\u0027t access f_pos,\n// but we still want to allow users to call lseek\n//\n@ open1 exists @\nidentifier nested_open;\n@@\nnested_open(...)\n{\n\u003c+...\nnonseekable_open(...)\n...+\u003e\n}\n\n@ open exists@\nidentifier open_f;\nidentifier i, f;\nidentifier open1.nested_open;\n@@\nint open_f(struct inode *i, struct file *f)\n{\n\u003c+...\n(\nnonseekable_open(...)\n|\nnested_open(...)\n)\n...+\u003e\n}\n\n@ read disable optional_qualifier exists @\nidentifier read_f;\nidentifier f, p, s, off;\ntype ssize_t, size_t, loff_t;\nexpression E;\nidentifier func;\n@@\nssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)\n{\n\u003c+...\n(\n *off \u003d E\n|\n *off +\u003d E\n|\n func(..., off, ...)\n|\n E \u003d *off\n)\n...+\u003e\n}\n\n@ read_no_fpos disable optional_qualifier exists @\nidentifier read_f;\nidentifier f, p, s, off;\ntype ssize_t, size_t, loff_t;\n@@\nssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)\n{\n... when !\u003d off\n}\n\n@ write @\nidentifier write_f;\nidentifier f, p, s, off;\ntype ssize_t, size_t, loff_t;\nexpression E;\nidentifier func;\n@@\nssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)\n{\n\u003c+...\n(\n *off \u003d E\n|\n *off +\u003d E\n|\n func(..., off, ...)\n|\n E \u003d *off\n)\n...+\u003e\n}\n\n@ write_no_fpos @\nidentifier write_f;\nidentifier f, p, s, off;\ntype ssize_t, size_t, loff_t;\n@@\nssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)\n{\n... when !\u003d off\n}\n\n@ fops0 @\nidentifier fops;\n@@\nstruct file_operations fops \u003d {\n ...\n};\n\n@ has_llseek depends on fops0 @\nidentifier fops0.fops;\nidentifier llseek_f;\n@@\nstruct file_operations fops \u003d {\n...\n .llseek \u003d llseek_f,\n...\n};\n\n@ has_read depends on fops0 @\nidentifier fops0.fops;\nidentifier read_f;\n@@\nstruct file_operations fops \u003d {\n...\n .read \u003d read_f,\n...\n};\n\n@ has_write depends on fops0 @\nidentifier fops0.fops;\nidentifier write_f;\n@@\nstruct file_operations fops \u003d {\n...\n .write \u003d write_f,\n...\n};\n\n@ has_open depends on fops0 @\nidentifier fops0.fops;\nidentifier open_f;\n@@\nstruct file_operations fops \u003d {\n...\n .open \u003d open_f,\n...\n};\n\n// use no_llseek if we call nonseekable_open\n////////////////////////////////////////////\n@ nonseekable1 depends on !has_llseek \u0026\u0026 has_open @\nidentifier fops0.fops;\nidentifier nso ~\u003d \"nonseekable_open\";\n@@\nstruct file_operations fops \u003d {\n... .open \u003d nso, ...\n+.llseek \u003d no_llseek, /* nonseekable */\n};\n\n@ nonseekable2 depends on !has_llseek @\nidentifier fops0.fops;\nidentifier open.open_f;\n@@\nstruct file_operations fops \u003d {\n... .open \u003d open_f, ...\n+.llseek \u003d no_llseek, /* open uses nonseekable */\n};\n\n// use seq_lseek for sequential files\n/////////////////////////////////////\n@ seq depends on !has_llseek @\nidentifier fops0.fops;\nidentifier sr ~\u003d \"seq_read\";\n@@\nstruct file_operations fops \u003d {\n... .read \u003d sr, ...\n+.llseek \u003d seq_lseek, /* we have seq_read */\n};\n\n// use default_llseek if there is a readdir\n///////////////////////////////////////////\n@ fops1 depends on !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\nidentifier readdir_e;\n@@\n// any other fop is used that changes pos\nstruct file_operations fops \u003d {\n... .readdir \u003d readdir_e, ...\n+.llseek \u003d default_llseek, /* readdir is present */\n};\n\n// use default_llseek if at least one of read/write touches f_pos\n/////////////////////////////////////////////////////////////////\n@ fops2 depends on !fops1 \u0026\u0026 !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\nidentifier read.read_f;\n@@\n// read fops use offset\nstruct file_operations fops \u003d {\n... .read \u003d read_f, ...\n+.llseek \u003d default_llseek, /* read accesses f_pos */\n};\n\n@ fops3 depends on !fops1 \u0026\u0026 !fops2 \u0026\u0026 !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\nidentifier write.write_f;\n@@\n// write fops use offset\nstruct file_operations fops \u003d {\n... .write \u003d write_f, ...\n+\t.llseek \u003d default_llseek, /* write accesses f_pos */\n};\n\n// Use noop_llseek if neither read nor write accesses f_pos\n///////////////////////////////////////////////////////////\n\n@ fops4 depends on !fops1 \u0026\u0026 !fops2 \u0026\u0026 !fops3 \u0026\u0026 !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\nidentifier read_no_fpos.read_f;\nidentifier write_no_fpos.write_f;\n@@\n// write fops use offset\nstruct file_operations fops \u003d {\n...\n .write \u003d write_f,\n .read \u003d read_f,\n...\n+.llseek \u003d noop_llseek, /* read and write both use no f_pos */\n};\n\n@ depends on has_write \u0026\u0026 !has_read \u0026\u0026 !fops1 \u0026\u0026 !fops2 \u0026\u0026 !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\nidentifier write_no_fpos.write_f;\n@@\nstruct file_operations fops \u003d {\n... .write \u003d write_f, ...\n+.llseek \u003d noop_llseek, /* write uses no f_pos */\n};\n\n@ depends on has_read \u0026\u0026 !has_write \u0026\u0026 !fops1 \u0026\u0026 !fops2 \u0026\u0026 !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\nidentifier read_no_fpos.read_f;\n@@\nstruct file_operations fops \u003d {\n... .read \u003d read_f, ...\n+.llseek \u003d noop_llseek, /* read uses no f_pos */\n};\n\n@ depends on !has_read \u0026\u0026 !has_write \u0026\u0026 !fops1 \u0026\u0026 !fops2 \u0026\u0026 !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\n@@\nstruct file_operations fops \u003d {\n...\n+.llseek \u003d noop_llseek, /* no read or write fn */\n};\n\u003d\u003d\u003d\u003d\u003d End semantic patch \u003d\u003d\u003d\u003d\u003d\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nCc: Julia Lawall \u003cjulia@diku.dk\u003e\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\n" }, { "commit": "c8da96e87d349e9035345293093ecc74792fb96a", "tree": "738b017e4fa8547feb2741969decd749ea6e98e1", "parents": [ "91e71c12c506e15028c252a5a097723f41c518dd" ], "author": { "name": "Ben Hutchings", "email": "ben@decadent.org.uk", "time": "Sun Sep 26 05:55:13 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Sep 27 10:53:18 2010 +1000" }, "message": "TOMOYO: Don\u0027t abuse sys_getpid(), sys_getppid()\n\nSystem call entry functions sys_*() are never to be called from\ngeneral kernel code. The fact that they aren\u0027t declared in header\nfiles should have been a clue. These functions also don\u0027t exist on\nAlpha since it has sys_getxpid() instead.\n\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3d96406c7da1ed5811ea52a3b0905f4f0e295376", "tree": "051e3a0ab6b0c9d9ac12b88fd244ff09766f8f50", "parents": [ "9d1ac65a9698513d00e5608d93fca0c53f536c14" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Sep 10 09:59:51 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Sep 10 07:30:00 2010 -0700" }, "message": "KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring\n\nFix a bug in keyctl_session_to_parent() whereby it tries to check the ownership\nof the parent process\u0027s session keyring whether or not the parent has a session\nkeyring [CVE-2010-2960].\n\nThis results in the following oops:\n\n BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0\n IP: [\u003cffffffff811ae4dd\u003e] keyctl_session_to_parent+0x251/0x443\n ...\n Call Trace:\n [\u003cffffffff811ae2f3\u003e] ? keyctl_session_to_parent+0x67/0x443\n [\u003cffffffff8109d286\u003e] ? __do_fault+0x24b/0x3d0\n [\u003cffffffff811af98c\u003e] sys_keyctl+0xb4/0xb8\n [\u003cffffffff81001eab\u003e] system_call_fastpath+0x16/0x1b\n\nif the parent process has no session keyring.\n\nIf the system is using pam_keyinit then it mostly protected against this as all\nprocesses derived from a login will have inherited the session keyring created\nby pam_keyinit during the log in procedure.\n\nTo test this, pam_keyinit calls need to be commented out in /etc/pam.d/.\n\nReported-by: Tavis Ormandy \u003ctaviso@cmpxchg8b.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Tavis Ormandy \u003ctaviso@cmpxchg8b.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "9d1ac65a9698513d00e5608d93fca0c53f536c14", "tree": "859809638bdf52f56b6b3890bedefcc1bae89b32", "parents": [ "ff3cb3fec3c5bbb5110e652bbdd410bc99a47e9f" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Sep 10 09:59:46 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Sep 10 07:30:00 2010 -0700" }, "message": "KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()\n\nThere\u0027s an protected access to the parent process\u0027s credentials in the middle\nof keyctl_session_to_parent(). This results in the following RCU warning:\n\n \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n [ INFO: suspicious rcu_dereference_check() usage. ]\n ---------------------------------------------------\n security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!\n\n other info that might help us debug this:\n\n rcu_scheduler_active \u003d 1, debug_locks \u003d 0\n 1 lock held by keyctl-session-/2137:\n #0: (tasklist_lock){.+.+..}, at: [\u003cffffffff811ae2ec\u003e] keyctl_session_to_parent+0x60/0x236\n\n stack backtrace:\n Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1\n Call Trace:\n [\u003cffffffff8105606a\u003e] lockdep_rcu_dereference+0xaa/0xb3\n [\u003cffffffff811ae379\u003e] keyctl_session_to_parent+0xed/0x236\n [\u003cffffffff811af77e\u003e] sys_keyctl+0xb4/0xb6\n [\u003cffffffff81001eab\u003e] system_call_fastpath+0x16/0x1b\n\nThe code should take the RCU read lock to make sure the parents credentials\ndon\u0027t go away, even though it\u0027s holding a spinlock and has IRQ disabled.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "e950598d43dce8d97e7d5270808393425d1e5cbd", "tree": "916c8a6c5dc63cd3486aa7200964269ea31b4d42", "parents": [ "999b4f0aa2314b76857775334cb94bafa053db64" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Aug 31 09:38:51 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 08 09:51:41 2010 +1000" }, "message": "ima: always maintain counters\n\ncommit 8262bb85da allocated the inode integrity struct (iint) before any\ninodes were created. Only after IMA was initialized in late_initcall were\nthe counters updated. This patch updates the counters, whether or not IMA\nhas been initialized, to resolve \u0027imbalance\u0027 messages.\n\nThis patch fixes the bug as reported in bugzilla: 15673. When the i915\nis builtin, the ring_buffer is initialized before IMA, causing the\nimbalance message on suspend.\n\nReported-by: Thomas Meyer \u003cthomas@m3y3r.de\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nTested-by: Thomas Meyer \u003cthomas@m3y3r.de\u003e\nTested-by: David Safford\u003csafford@watson.ibm.com\u003e\nCc: Stable Kernel \u003cstable@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "999b4f0aa2314b76857775334cb94bafa053db64", "tree": "0b2b9e6d54415d0d6f6ff59526c68108c09d1fd7", "parents": [ "04ccd53f09741c4bc54ab36db000bc1383e4812e" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Fri Aug 27 18:33:29 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 08 09:19:34 2010 +1000" }, "message": "AppArmor: Fix locking from removal of profile namespace\n\nThe locking for profile namespace removal is wrong, when removing a\nprofile namespace, it needs to be removed from its parent\u0027s list.\nLock the parent of namespace list instead of the namespace being removed.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "04ccd53f09741c4bc54ab36db000bc1383e4812e", "tree": "d8c6e27094cb3b042e852f01c09a3d21979150d2", "parents": [ "3a2dc8382a3e85a51ed9c6f57ea80665ea7a0c95" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Fri Aug 27 18:33:28 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 08 09:19:31 2010 +1000" }, "message": "AppArmor: Fix splitting an fqname into separate namespace and profile names\n\nAs per Dan Carpenter \u003cerror27@gmail.com\u003e\n If we have a ns name without a following profile then in the original\n code it did \"*ns_name \u003d \u0026name[1];\". \"name\" is NULL so \"*ns_name\" is\n 0x1. That isn\u0027t useful and could cause an oops when this function is\n called from aa_remove_profiles().\n\nBeyond this the assignment of the namespace name was wrong in the case\nwhere the profile name was provided as it was being set to \u0026name[1]\nafter name \u003d skip_spaces(split + 1);\n\nMove the ns_name assignment before updating name for the split and\nalso add skip_spaces, making the interface more robust.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3a2dc8382a3e85a51ed9c6f57ea80665ea7a0c95", "tree": "05b289dc97bf08459911d0b5500896ed80af25c7", "parents": [ "e819ff519b2d74373eca4a9a2b417ebf4c1e1b29" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Mon Sep 06 10:10:20 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 08 09:19:29 2010 +1000" }, "message": "AppArmor: Fix security_task_setrlimit logic for 2.6.36 changes\n\n2.6.36 introduced the abilitiy to specify the task that is having its\nrlimits set. Update mediation to ensure that confined tasks can only\nset their own group_leader as expected by current policy.\n\nAdd TODO note about extending policy to support setting other tasks\nrlimits.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e819ff519b2d74373eca4a9a2b417ebf4c1e1b29", "tree": "fe05eafda3b89816d9929f69e24433bf7879ad70", "parents": [ "98e52c373cdc1239a9ec6a2763f519cc1d99dcbc" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Fri Aug 27 18:33:26 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 08 09:19:24 2010 +1000" }, "message": "AppArmor: Drop hack to remove appended \" (deleted)\" string\n\nThe 2.6.36 kernel has refactored __d_path() so that it no longer appends\n\" (deleted)\" to unlinked paths. So drop the hack that was used to detect\nand remove the appended string.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "145c3ae46b37993b0debb0b3da6256daea4a6ec5", "tree": "0dbff382ce36b23b3d2dbff87d3eaab73a07a2a4", "parents": [ "81ca03a0e2ea0207b2df80e0edcf4c775c07a505", "99b7db7b8ffd6bb755eb0a175596421a0b581cb2" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Aug 18 09:35:08 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Aug 18 09:35:08 2010 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:\n fs: brlock vfsmount_lock\n fs: scale files_lock\n lglock: introduce special lglock and brlock spin locks\n tty: fix fu_list abuse\n fs: cleanup files_lock locking\n fs: remove extra lookup in __lookup_hash\n fs: fs_struct rwlock to spinlock\n apparmor: use task path helpers\n fs: dentry allocation consolidation\n fs: fix do_lookup false negative\n mbcache: Limit the maximum number of cache entries\n hostfs -\u003efollow_link() braino\n hostfs: dumb (and usually harmless) tpyo - strncpy instead of strlcpy\n remove SWRITE* I/O types\n kill BH_Ordered flag\n vfs: update ctime when changing the file\u0027s permission by setfacl\n cramfs: only unlock new inodes\n fix reiserfs_evict_inode end_writeback second call\n" }, { "commit": "d996b62a8df1d935b01319bf8defb95b5709f7b8", "tree": "d81f8240da776336845a2063555d7bb4dce684bd", "parents": [ "ee2ffa0dfdd2db19705f2ba1c6a4c0bfe8122dd8" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Wed Aug 18 04:37:36 2010 +1000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Aug 18 08:35:47 2010 -0400" }, "message": "tty: fix fu_list abuse\n\ntty: fix fu_list abuse\n\ntty code abuses fu_list, which causes a bug in remount,ro handling.\n\nIf a tty device node is opened on a filesystem, then the last link to the inode\nremoved, the filesystem will be allowed to be remounted readonly. This is\nbecause fs_may_remount_ro does not find the 0 link tty inode on the file sb\nlist (because the tty code incorrectly removed it to use for its own purpose).\nThis can result in a filesystem with errors after it is marked \"clean\".\n\nTaking idea from Christoph\u0027s initial patch, allocate a tty private struct\nat file-\u003eprivate_data and put our required list fields in there, linking\nfile and tty. This makes tty nodes behave the same way as other device nodes\nand avoid meddling with the vfs, and avoids this bug.\n\nThe error handling is not trivial in the tty code, so for this bugfix, I take\nthe simple approach of using __GFP_NOFAIL and don\u0027t worry about memory errors.\nThis is not a problem because our allocator doesn\u0027t fail small allocs as a rule\nanyway. So proper error handling is left as an exercise for tty hackers.\n\n[ Arguably filesystem\u0027s device inode would ideally be divorced from the\ndriver\u0027s pseudo inode when it is opened, but in practice it\u0027s not clear whether\nthat will ever be worth implementing. ]\n\nCc: linux-kernel@vger.kernel.org\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Alan Cox \u003calan@lxorguk.ukuu.org.uk\u003e\nCc: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "ee2ffa0dfdd2db19705f2ba1c6a4c0bfe8122dd8", "tree": "e48400d1a33f8d2e68589ccfd61637aa64462f08", "parents": [ "b04f784e5d19ed58892833dae845738972cea260" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Wed Aug 18 04:37:35 2010 +1000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Aug 18 08:35:47 2010 -0400" }, "message": "fs: cleanup files_lock locking\n\nfs: cleanup files_lock locking\n\nLock tty_files with a new spinlock, tty_files_lock; provide helpers to\nmanipulate the per-sb files list; unexport the files_lock spinlock.\n\nCc: linux-kernel@vger.kernel.org\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Alan Cox \u003calan@lxorguk.ukuu.org.uk\u003e\nAcked-by: Andi Kleen \u003cak@linux.intel.com\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "44672e4fbd40e2dda8bbce7d0f71d24dbfc7e00e", "tree": "7d6251adb6eac69a0d0ba97e64dbf2c41c67928e", "parents": [ "baa0389073eb7beb9d36f6d13df97e16c1bfa626" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Wed Aug 18 04:37:32 2010 +1000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Aug 18 08:35:46 2010 -0400" }, "message": "apparmor: use task path helpers\n\napparmor: use task path helpers\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "3b89f56783a4ef796190ef1192c25e72e0b986b6", "tree": "9d34f03092a38fd79f14003c88489323f32d9334", "parents": [ "392abeea52db4dc870c0ea41912df8ca60b27d44", "7cb4dc9fc95f89587f57f287b47e091d7806255e" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 17 18:37:03 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 17 18:37:03 2010 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n AppArmor: fix task_setrlimit prototype\n" }, { "commit": "d7627467b7a8dd6944885290a03a07ceb28c10eb", "tree": "a18c83468418e878cfb2d44e4310d81b8db84ad7", "parents": [ "da5cabf80e2433131bf0ed8993abc0f7ea618c73" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Aug 17 23:52:56 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 17 18:07:43 2010 -0700" }, "message": "Make do_execve() take a const filename pointer\n\nMake do_execve() take a const filename pointer so that kernel_execve() compiles\ncorrectly on ARM:\n\narch/arm/kernel/sys_arm.c:88: warning: passing argument 1 of \u0027do_execve\u0027 discards qualifiers from pointer target type\n\nThis also requires the argv and envp arguments to be consted twice, once for\nthe pointer array and once for the strings the array points to. This is\nbecause do_execve() passes a pointer to the filename (now const) to\ncopy_strings_kernel(). A simpler alternative would be to cast the filename\npointer in do_execve() when it\u0027s passed to copy_strings_kernel().\n\ndo_execve() may not change any of the strings it is passed as part of the argv\nor envp lists as they are some of them in .rodata, so marking these strings as\nconst should be fine.\n\nFurther kernel_execve() and sys_execve() need to be changed to match.\n\nThis has been test built on x86_64, frv, arm and mips.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nAcked-by: Russell King \u003crmk+kernel@arm.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "7cb4dc9fc95f89587f57f287b47e091d7806255e", "tree": "41f68ee728c0ab1b894e425933a166e990e1eb41", "parents": [ "da5cabf80e2433131bf0ed8993abc0f7ea618c73" ], "author": { "name": "Jiri Slaby", "email": "jslaby@suse.cz", "time": "Wed Aug 11 11:28:02 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 17 08:06:09 2010 +1000" }, "message": "AppArmor: fix task_setrlimit prototype\n\nAfter rlimits tree was merged we get the following errors:\nsecurity/apparmor/lsm.c:663:2: warning: initialization from incompatible pointer type\n\nIt is because AppArmor was merged in the meantime, but uses the old\nprototype. So fix it by adding struct task_struct as a first parameter\nof apparmor_task_setrlimit.\n\nNOTE that this is ONLY a compilation warning fix (and crashes caused\nby that). It needs proper handling in AppArmor depending on who is the\n\u0027task\u0027.\n\nSigned-off-by: Jiri Slaby \u003cjslaby@suse.cz\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "26df0766a73a859bb93dc58e747c5028557a23fd", "tree": "4776de567425a7fb66ca9a87228309f9c84de633", "parents": [ "580287628cdd99366b10c9050c4479b387283be8", "a6de51b2787012ba3ab62c7d50df1b749b83d5f0" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Aug 12 10:01:59 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Aug 12 10:01:59 2010 -0700" }, "message": "Merge branch \u0027params\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus\n\n* \u0027params\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus: (22 commits)\n param: don\u0027t deref arg in __same_type() checks\n param: update drivers/acpi/debug.c to new scheme\n param: use module_param in drivers/message/fusion/mptbase.c\n ide: use module_param_named rather than module_param_call\n param: update drivers/char/ipmi/ipmi_watchdog.c to new scheme\n param: lock if_sdio\u0027s lbs_helper_name and lbs_fw_name against sysfs changes.\n param: lock myri10ge_fw_name against sysfs changes.\n param: simple locking for sysfs-writable charp parameters\n param: remove unnecessary writable charp\n param: add kerneldoc to moduleparam.h\n param: locking for kernel parameters\n param: make param sections const.\n param: use free hook for charp (fix leak of charp parameters)\n param: add a free hook to kernel_param_ops.\n param: silence .init.text references from param ops\n Add param ops struct for hvc_iucv driver.\n nfs: update for module_param_named API change\n AppArmor: update for module_param_named API change\n param: use ops in struct kernel_param, rather than get and set fns directly\n param: move the EXPORT_SYMBOL to after the definitions.\n ...\n" }, { "commit": "12fdff3fc2483f906ae6404a6e8dcf2550310b6f", "tree": "a79fb1365fce7c7529655a8802d6d6bf8509b374", "parents": [ "1490cf5f0cb07dd49cdab4bceb769d7f711d7ca6" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Aug 12 16:54:57 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Aug 12 09:51:35 2010 -0700" }, "message": "Add a dummy printk function for the maintenance of unused printks\n\nAdd a dummy printk function for the maintenance of unused printks through gcc\nformat checking, and also so that side-effect checking is maintained too.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "101d6c826fa03266f8538ea4f6a459190e6863e8", "tree": "56254b27ac0352339777dcb9e654a4456ac3e244", "parents": [ "9bbb9e5a33109b2832e2e63dcc7a132924ab374b" ], "author": { "name": "Stephen Rothwell", "email": "sfr@canb.auug.org.au", "time": "Mon Aug 02 12:00:43 2010 +1000" }, "committer": { "name": "Rusty Russell", "email": "rusty@rustcorp.com.au", "time": "Wed Aug 11 23:04:14 2010 +0930" }, "message": "AppArmor: update for module_param_named API change\n\nFixes these build errors:\nsecurity/apparmor/lsm.c:701: error: \u0027param_ops_aabool\u0027 undeclared here (not in a function)\nsecurity/apparmor/lsm.c:721: error: \u0027param_ops_aalockpolicy\u0027 undeclared here (not in a function)\nsecurity/apparmor/lsm.c:729: error: \u0027param_ops_aauint\u0027 undeclared here (not in a function)\n\nSigned-off-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: Rusty Russell \u003crusty@rustcorp.com.au\u003e\n" }, { "commit": "b34d8915c413acb51d837a45fb8747b61f65c020", "tree": "ced5fac166324634653d84b1afe2b958b3904f4d", "parents": [ "e8a89cebdbaab14caaa26debdb4ffd493b8831af", "f33ebbe9da2c3c24664a0ad4f8fd83f293547e63" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 10 12:07:51 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 10 12:07:51 2010 -0700" }, "message": "Merge branch \u0027writable_limits\u0027 of git://decibel.fi.muni.cz/~xslaby/linux\n\n* \u0027writable_limits\u0027 of git://decibel.fi.muni.cz/~xslaby/linux:\n unistd: add __NR_prlimit64 syscall numbers\n rlimits: implement prlimit64 syscall\n rlimits: switch more rlimit syscalls to do_prlimit\n rlimits: redo do_setrlimit to more generic do_prlimit\n rlimits: add rlimit64 structure\n rlimits: do security check under task_lock\n rlimits: allow setrlimit to non-current tasks\n rlimits: split sys_setrlimit\n rlimits: selinux, do rlimits changes under task_lock\n rlimits: make sure -\u003erlim_max never grows in sys_setrlimit\n rlimits: add task_struct to update_rlimit_cpu\n rlimits: security, add task_struct to setrlimit\n\nFix up various system call number conflicts. We not only added fanotify\nsystem calls in the meantime, but asm-generic/unistd.h added a wait4\nalong with a range of reserved per-architecture system calls.\n" }, { "commit": "8c8946f509a494769a8c602b5ed189df01917d39", "tree": "dfd96bd6ca5ea6803c6d77f65ba37e04f78b2d3b", "parents": [ "5f248c9c251c60af3403902b26e08de43964ea0b", "1968f5eed54ce47bde488fd9a450912e4a2d7138" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 10 11:39:13 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 10 11:39:13 2010 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.infradead.org/users/eparis/notify\n\n* \u0027for-linus\u0027 of git://git.infradead.org/users/eparis/notify: (132 commits)\n fanotify: use both marks when possible\n fsnotify: pass both the vfsmount mark and inode mark\n fsnotify: walk the inode and vfsmount lists simultaneously\n fsnotify: rework ignored mark flushing\n fsnotify: remove global fsnotify groups lists\n fsnotify: remove group-\u003emask\n fsnotify: remove the global masks\n fsnotify: cleanup should_send_event\n fanotify: use the mark in handler functions\n audit: use the mark in handler functions\n dnotify: use the mark in handler functions\n inotify: use the mark in handler functions\n fsnotify: send fsnotify_mark to groups in event handling functions\n fsnotify: Exchange list heads instead of moving elements\n fsnotify: srcu to protect read side of inode and vfsmount locks\n fsnotify: use an explicit flag to indicate fsnotify_destroy_mark has been called\n fsnotify: use _rcu functions for mark list traversal\n fsnotify: place marks on object in order of group memory address\n vfs/fsnotify: fsnotify_close can delay the final work in fput\n fsnotify: store struct file not struct path\n ...\n\nFix up trivial delete/modify conflict in fs/notify/inotify/inotify.c.\n" }, { "commit": "cd816a0d84377c4e87f55cbe934a23417f9f5743", "tree": "8834341f81dc570f9f255af57ac28041c317226a", "parents": [ "0d9f9e122c74583de15a86d1c660c08dc298f2c8", "a7a387cc596278af1516c534b50cc0bee171129d" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Aug 07 14:28:20 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Aug 07 14:28:20 2010 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n SELINUX: Fix build error.\n" }, { "commit": "a7a387cc596278af1516c534b50cc0bee171129d", "tree": "6b020262150ab47e2aaeb7ccdd57534460df2665", "parents": [ "06c22dadc6d3f9b65e55407a87faaf6a4a014112" ], "author": { "name": "Ralf Baechle", "email": "ralf@linux-mips.org", "time": "Fri Aug 06 20:37:56 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Aug 06 18:11:39 2010 -0400" }, "message": "SELINUX: Fix build error.\n\nFix build error caused by a stale security/selinux/av_permissions.h in the $(src)\ndirectory which will override a more recent version in $(obj) that is it\nappears to strike only when building with a separate object directory.\n\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1e456a124353a753e9d1fadfbf5cd459c2f197ae", "tree": "4977d4fa275faafc0ba99a635d4c853a1f0df2a1", "parents": [ "fc1caf6eafb30ea185720e29f7f5eccca61ecd60" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Aug 06 16:08:27 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Aug 06 09:17:02 2010 -0700" }, "message": "KEYS: request_key() should return -ENOKEY if the constructed key is negative\n\nrequest_key() should return -ENOKEY if the key it constructs has been\nnegatively instantiated.\n\nWithout this, request_key() can return an unusable key to its caller,\nand if the caller then does key_validate() that won\u0027t catch the problem.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "06c22dadc6d3f9b65e55407a87faaf6a4a014112", "tree": "e310b20a17014b491d86818fd58878839a48dffc", "parents": [ "3cfc2c42c1cbc8e238bb9c0612c0df4565e3a8b4" ], "author": { "name": "Randy Dunlap", "email": "randy.dunlap@oracle.com", "time": "Mon Aug 02 10:52:18 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 05 07:36:51 2010 -0400" }, "message": "apparmor: depends on NET\n\nSECURITY_APPARMOR should depend on NET since AUDIT needs\n(depends on) NET.\n\nFixes 70-80 errors that occur when CONFIG_NET is not enabled,\nbut APPARMOR selects AUDIT without qualification. E.g.:\n\naudit.c:(.text+0x33361): undefined reference to `netlink_unicast\u0027\n(.text+0x333df): undefined reference to `netlink_unicast\u0027\naudit.c:(.text+0x3341d): undefined reference to `skb_queue_tail\u0027\naudit.c:(.text+0x33424): undefined reference to `kfree_skb\u0027\naudit.c:(.text+0x334cb): undefined reference to `kfree_skb\u0027\naudit.c:(.text+0x33597): undefined reference to `skb_put\u0027\naudit.c:(.text+0x3369b): undefined reference to `__alloc_skb\u0027\naudit.c:(.text+0x336d7): undefined reference to `kfree_skb\u0027\n(.text+0x3374c): undefined reference to `__alloc_skb\u0027\nauditfilter.c:(.text+0x35305): undefined reference to `skb_queue_tail\u0027\nlsm_audit.c:(.text+0x2873): undefined reference to `init_net\u0027\nlsm_audit.c:(.text+0x2878): undefined reference to `dev_get_by_index\u0027\n\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3cfc2c42c1cbc8e238bb9c0612c0df4565e3a8b4", "tree": "5adc1ff2eaf64d450bf28bb6b2ce890db2567288", "parents": [ "5cf65713f87775c548e3eb48dbafa32e12f28000", "0ea6e61122196509af82cc4f36cbdaacbefb8227" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Aug 04 15:31:02 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Aug 04 15:31:02 2010 -0700" }, "message": "Merge branch \u0027for-next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial\n\n* \u0027for-next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (48 commits)\n Documentation: update broken web addresses.\n fix comment typo \"choosed\" -\u003e \"chosen\"\n hostap:hostap_hw.c Fix typo in comment\n Fix spelling contorller -\u003e controller in comments\n Kconfig.debug: FAIL_IO_TIMEOUT: typo Faul -\u003e Fault\n fs/Kconfig: Fix typo Userpace -\u003e Userspace\n Removing dead MACH_U300_BS26\n drivers/infiniband: Remove unnecessary casts of private_data\n fs/ocfs2: Remove unnecessary casts of private_data\n libfc: use ARRAY_SIZE\n scsi: bfa: use ARRAY_SIZE\n drm: i915: use ARRAY_SIZE\n drm: drm_edid: use ARRAY_SIZE\n synclink: use ARRAY_SIZE\n block: cciss: use ARRAY_SIZE\n comment typo fixes: charater \u003d\u003e character\n fix comment typos concerning \"challenge\"\n arm: plat-spear: fix typo in kerneldoc\n reiserfs: typo comment fix\n update email address\n ...\n" }, { "commit": "d790d4d583aeaed9fc6f8a9f4d9f8ce6b1c15c7f", "tree": "854ab394486288d40fa8179cbfaf66e8bdc44b0f", "parents": [ "73b2c7165b76b20eb1290e7efebc33cfd21db1ca", "3a09b1be53d23df780a0cd0e4087a05e2ca4a00c" ], "author": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Wed Aug 04 15:14:38 2010 +0200" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Wed Aug 04 15:14:38 2010 +0200" }, "message": "Merge branch \u0027master\u0027 into for-next\n" }, { "commit": "77c80e6b2fd049848bfd1bdab67899ad3ac407a7", "tree": "672ccbe5316698e0ef4dae46ba0029fb234989bf", "parents": [ "6371dcd36f649d9d07823f31400618155a20dde1" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:49:00 2010 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:49:00 2010 +1000" }, "message": "AppArmor: fix build warnings for non-const use of get_task_cred\n\nFix build warnings for non-const use of get_task_cred.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6371dcd36f649d9d07823f31400618155a20dde1", "tree": "a08c4ed2ec77225abbfcc099e78ae8d643429787", "parents": [ "016d825fe02cd20fd8803ca37a1e6d428fe878f6" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jul 29 23:02:34 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:38:39 2010 +1000" }, "message": "selinux: convert the policy type_attr_map to flex_array\n\nCurrent selinux policy can have over 3000 types. The type_attr_map in\npolicy is an array sized by the number of types times sizeof(struct ebitmap)\n(12 on x86_64). Basic math tells us the array is going to be of length\n3000 x 12 \u003d 36,000 bytes. The largest \u0027safe\u0027 allocation on a long running\nsystem is 16k. Most of the time a 32k allocation will work. But on long\nrunning systems a 64k allocation (what we need) can fail quite regularly.\nIn order to deal with this I am converting the type_attr_map to use\nflex_arrays. Let the library code deal with breaking this into PAGE_SIZE\npieces.\n\n-v2\nrework some of the if(!obj) BUG() to be BUG_ON(!obj)\ndrop flex_array_put() calls and just use a _get() object directly\n\n-v3\nmake apply to James\u0027 tree (drop the policydb_write changes)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "016d825fe02cd20fd8803ca37a1e6d428fe878f6", "tree": "b36bafad46e09a1a62f3521536a703c58540f675", "parents": [ "484ca79c653121d3c79fffb86e1deea724f2e20b" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Fri Jul 30 13:46:33 2010 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:38:39 2010 +1000" }, "message": "AppArmor: Enable configuring and building of the AppArmor security module\n\nKconfig and Makefiles to enable configuration and building of AppArmor.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "484ca79c653121d3c79fffb86e1deea724f2e20b", "tree": "457aa73e37c9b5e5b4306430f40d1985b59ca226", "parents": [ "4d6ec10bb4461fdc9a9ab94ef32934e13564e873" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Thu Jul 29 14:29:55 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:38:38 2010 +1000" }, "message": "TOMOYO: Use pathname specified by policy rather than execve()\n\nCommit c9e69318 \"TOMOYO: Allow wildcard for execute permission.\" changed execute\npermission and domainname to accept wildcards. But tomoyo_find_next_domain()\nwas using pathname passed to execve() rather than pathname specified by the\nexecute permission. As a result, processes were not able to transit to domains\nwhich contain wildcards in their domainnames.\n\nThis patch passes pathname specified by the execute permission back to\ntomoyo_find_next_domain() so that processes can transit to domains which\ncontain wildcards in their domainnames.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4d6ec10bb4461fdc9a9ab94ef32934e13564e873", "tree": "b252da668c7485b864dd012b33f58d7c108d99a1", "parents": [ "c88d4c7b049e87998ac0a9f455aa545cc895ef92" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jul 30 09:02:04 2010 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:38:37 2010 +1000" }, "message": "AppArmor: update path_truncate method to latest version\n\nRemove extraneous path_truncate arguments from the AppArmor hook,\nas they\u0027ve been removed from the LSM API.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c88d4c7b049e87998ac0a9f455aa545cc895ef92", "tree": "1859582b4afec1116b6831ea89ae27c35209991a", "parents": [ "736ec752d95e91e77cc0e8c97c057ab076ac2f51" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Jul 29 14:48:00 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:38:37 2010 +1000" }, "message": "AppArmor: core policy routines\n\nThe basic routines and defines for AppArmor policy. AppArmor policy\nis defined by a few basic components.\n profiles - the basic unit of confinement contain all the information\n to enforce policy on a task\n\n Profiles tend to be named after an executable that they\n will attach to but this is not required.\n namespaces - a container for a set of profiles that will be used\n during attachment and transitions between profiles.\n sids - which provide a unique id for each profile\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "736ec752d95e91e77cc0e8c97c057ab076ac2f51", "tree": "128d330ecff67c5d83862062825b7975c92fee96", "parents": [ "0ed3b28ab8bf460a3a026f3f1782bf4c53840184" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Jul 29 14:48:02 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:38:36 2010 +1000" }, "message": "AppArmor: policy routines for loading and unpacking policy\n\nAppArmor policy is loaded in a platform independent flattened binary\nstream. Verify and unpack the data converting it to the internal\nformat needed for enforcement.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0ed3b28ab8bf460a3a026f3f1782bf4c53840184", "tree": "9da3a2c6d9f55d3166726fe7c51671a6029c1269", "parents": [ "b5e95b48685e3481139a5634d14d630d12c7d5ce" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Jul 29 14:48:05 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:38:35 2010 +1000" }, "message": "AppArmor: mediation of non file objects\n\nipc:\nAppArmor ipc is currently limited to mediation done by file mediation\nand basic ptrace tests. Improved mediation is a wip.\n\nrlimits:\nAppArmor provides basic abilities to set and control rlimits at\na per profile level. Only resources specified in a profile are controled\nor set. AppArmor rules set the hard limit to a value \u003c\u003d to the current\nhard limit (ie. they can not currently raise hard limits), and if\nnecessary will lower the soft limit to the new hard limit value.\n\nAppArmor does not track resource limits to reset them when a profile\nis left so that children processes inherit the limits set by the\nparent even if they are not confined by the same profile.\n\nCapabilities: AppArmor provides a per profile mask of capabilities,\nthat will further restrict.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b5e95b48685e3481139a5634d14d630d12c7d5ce", "tree": "1468141db6ff1a291bde0b6a960c2af7e520b52b", "parents": [ "f9ad1af53d5232a89a1ff1827102843999975dfa" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Jul 29 14:48:07 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:38:35 2010 +1000" }, "message": "AppArmor: LSM interface, and security module initialization\n\nAppArmor hooks to interface with the LSM, module parameters and module\ninitialization.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f9ad1af53d5232a89a1ff1827102843999975dfa", "tree": "2d7f4c35208b74995651fa6eb47031a37f928503", "parents": [ "c1c124e91e7c6d5a600c98f6fb5b443c403a14f4" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Jul 29 14:48:08 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:38:34 2010 +1000" }, "message": "AppArmor: Enable configuring and building of the AppArmor security module\n\nKconfig and Makefiles to enable configuration and building of AppArmor.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "898127c34ec03291c86f4ff3856d79e9e18952bc", "tree": "c8845bd204b1c4b120f1be1cceea4ff96f749e53", "parents": [ "6380bd8ddf613b29f478396308b591867d401de4" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Jul 29 14:48:06 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:14 2010 +1000" }, "message": "AppArmor: functions for domain transitions\n\nAppArmor routines for controling domain transitions, which can occur at\nexec or through self directed change_profile/change_hat calls.\n\nUnconfined tasks are checked at exec against the profiles in the confining\nprofile namespace to determine if a profile should be attached to the task.\n\nConfined tasks execs are controlled by the profile which provides rules\ndetermining which execs are allowed and if so which profiles should be\ntransitioned to.\n\nSelf directed domain transitions allow a task to request transition\nto a given profile. If the transition is allowed then the profile will\nbe applied, either immeditately or at exec time depending on the request.\nImmeditate self directed transitions have several security limitations\nbut have uses in setting up stub transition profiles and other limited\ncases.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6380bd8ddf613b29f478396308b591867d401de4", "tree": "6d8fc9356a652f8452ccf49e7f79cc700cc2768d", "parents": [ "63e2b423771ab0bc7ad4d407f3f6517c6d05cdc0" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Jul 29 14:48:04 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:14 2010 +1000" }, "message": "AppArmor: file enforcement routines\n\nAppArmor does files enforcement via pathname matching. Matching is done\nat file open using a dfa match engine. Permission is against the final\nfile object not parent directories, ie. the traversal of directories\nas part of the file match is implicitly allowed. In the case of nonexistant\nfiles (creation) permissions are checked against the target file not the\ndirectory. eg. In case of creating the file /dir/new, permissions are\nchecked against the match /dir/new not against /dir/.\n\nThe permissions for matches are currently stored in the dfa accept table,\nbut this will change to allow for dfa reuse and also to allow for sharing\nof wider accept states.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "63e2b423771ab0bc7ad4d407f3f6517c6d05cdc0", "tree": "e50efc9593c7558d3700ec55869f9ddbac283a1d", "parents": [ "e06f75a6a2b43bd3a7a197bd21466f9da130e4af" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Jul 29 14:48:03 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:13 2010 +1000" }, "message": "AppArmor: userspace interfaces\n\nThe /proc/\u003cpid\u003e/attr/* interface is used for process introspection and\ncommands. While the apparmorfs interface is used for global introspection\nand loading and removing policy.\n\nThe interface currently only contains the files necessary for loading\npolicy, and will be extended in the future to include sysfs style\nsingle per file introspection inteface.\n\nThe old AppArmor 2.4 interface files have been removed into a compatibility\npatch, that distros can use to maintain backwards compatibility.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e06f75a6a2b43bd3a7a197bd21466f9da130e4af", "tree": "bf5aabceae66c62e317a0403b05ffb320aef54d2", "parents": [ "c75afcd153f6147d3b094f45a1d87e5df7f4f053" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Jul 29 14:48:01 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:13 2010 +1000" }, "message": "AppArmor: dfa match engine\n\nA basic dfa matching engine based off the dfa engine in the Dragon\nBook. It uses simple row comb compression with a check field.\n\nThis allows AppArmor to do pattern matching in linear time, and also\navoids stack issues that an nfa based engine may have. The dfa\nengine uses a byte based comparison, with all values being valid.\nAny potential character encoding are handled user side when the dfa\ntables are created. By convention AppArmor uses \\0 to separate two\ndependent path matches since \\0 is not a valid path character\n(this is done in the link permission check).\n\nThe dfa tables are generated in user space and are verified at load\ntime to be internally consistent.\n\nThere are several future improvements planned for the dfa engine:\n* The dfa engine may be converted to a hybrid nfa-dfa engine, with\n a fixed size limited stack. This would allow for size time\n tradeoffs, by inserting limited nfa states to help control\n state explosion that can occur with dfas.\n* The dfa engine may pickup the ability to do limited dynamic\n variable matching, instead of fixing all variables at policy\n load time.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c75afcd153f6147d3b094f45a1d87e5df7f4f053", "tree": "4d072c7b76a1e198427716f66a46712e508d4597", "parents": [ "67012e8209df95a8290d135753ff5145431a666e" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Jul 29 14:47:59 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:12 2010 +1000" }, "message": "AppArmor: contexts used in attaching policy to system objects\n\nAppArmor contexts attach profiles and state to tasks, files, etc. when\na direct profile reference is not sufficient.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "67012e8209df95a8290d135753ff5145431a666e", "tree": "fc95b2c33d2e2d206500d7ec7e78dd855d4b3d2c", "parents": [ "cdff264264254e0fabc8107a33f3bb75a95e981f" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Jul 29 14:47:58 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:11 2010 +1000" }, "message": "AppArmor: basic auditing infrastructure.\n\nUpdate lsm_audit for AppArmor specific data, and add the core routines for\nAppArmor uses for auditing.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cdff264264254e0fabc8107a33f3bb75a95e981f", "tree": "a20956e2a7a38e195071ded57fca02e1d1b1314c", "parents": [ "e6f6a4cc955d626ed26562d98de5766bf1f73526" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Jul 29 14:47:57 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:11 2010 +1000" }, "message": "AppArmor: misc. base functions and defines\n\nMiscellaneous functions and defines needed by AppArmor, including\nthe base path resolution routines.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e6f6a4cc955d626ed26562d98de5766bf1f73526", "tree": "308ef4b42db0e3ebc0078550c7b9cca59f117cd6", "parents": [ "7e3d199a4009a4094a955282daf5ecd43f2c8152" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Tue Jul 27 17:17:06 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:10 2010 +1000" }, "message": "TOMOYO: Update version to 2.3.0\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7e3d199a4009a4094a955282daf5ecd43f2c8152", "tree": "ea65ba1835bc1465ab07d94e0f8c7e9a2e060b5f", "parents": [ "b424485abe2b16580a178b469917a7b6ee0c152a" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Tue Jul 27 10:08:29 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:09 2010 +1000" }, "message": "TOMOYO: Fix quota check.\n\nCommit d74725b9 \"TOMOYO: Use callback for updating entries.\" broke\ntomoyo_domain_quota_is_ok() by counting deleted entries. It needs to\ncount non-deleted entries.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b424485abe2b16580a178b469917a7b6ee0c152a", "tree": "d90d4662dd1ad229976354e4caa1a7632fb2a6d3", "parents": [ "49b7b8de46d293113a0a0bb026ff7bd833c73367" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:44:15 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:09 2010 +1000" }, "message": "SELinux: Move execmod to the common perms\n\nexecmod \"could\" show up on non regular files and non chr files. The current\nimplementation would actually make these checks against non-existant bits\nsince the code assumes the execmod permission is same for all file types.\nTo make this line up for chr files we had to define execute_no_trans and\nentrypoint permissions. These permissions are unreachable and only existed\nto to make FILE__EXECMOD and CHR_FILE__EXECMOD the same. This patch drops\nthose needless perms as well.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "49b7b8de46d293113a0a0bb026ff7bd833c73367", "tree": "ff29778c49a8ac1511249cc268ddbb2c6ddb86a9", "parents": [ "b782e0a68d17894d9a618ffea55b33639faa6bb4" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:44:09 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:08 2010 +1000" }, "message": "selinux: place open in the common file perms\n\nkernel can dynamically remap perms. Drop the open lookup table and put open\nin the common file perms.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b782e0a68d17894d9a618ffea55b33639faa6bb4", "tree": "307bc615153075a6e92be5d839a58ff48d6525f3", "parents": [ "d09ca73979460b96d5d4684d588b188be9a1f57d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:44:03 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:07 2010 +1000" }, "message": "SELinux: special dontaudit for access checks\n\nCurrently there are a number of applications (nautilus being the main one) which\ncalls access() on files in order to determine how they should be displayed. It\nis normal and expected that nautilus will want to see if files are executable\nor if they are really read/write-able. access() should return the real\npermission. SELinux policy checks are done in access() and can result in lots\nof AVC denials as policy denies RWX on files which DAC allows. Currently\nSELinux must dontaudit actual attempts to read/write/execute a file in\norder to silence these messages (and not flood the logs.) But dontaudit rules\nlike that can hide real attacks. This patch addes a new common file\npermission audit_access. This permission is special in that it is meaningless\nand should never show up in an allow rule. Instead the only place this\npermission has meaning is in a dontaudit rule like so:\n\ndontaudit nautilus_t sbin_t:file audit_access\n\nWith such a rule if nautilus just checks access() we will still get denied and\nthus userspace will still get the correct answer but we will not log the denial.\nIf nautilus attempted to actually perform one of the forbidden actions\n(rather than just querying access(2) about it) we would still log a denial.\nThis type of dontaudit rule should be used sparingly, as it could be a\nmethod for an attacker to probe the system permissions without detection.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d09ca73979460b96d5d4684d588b188be9a1f57d", "tree": "217543affc5c1c76181ffca00c23cfa69f1dd4f6", "parents": [ "9cfcac810e8993fa7a5bfd24b1a21f1dbbb03a7b" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:43:57 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:07 2010 +1000" }, "message": "security: make LSMs explicitly mask off permissions\n\nSELinux needs to pass the MAY_ACCESS flag so it can handle auditting\ncorrectly. Presently the masking of MAY_* flags is done in the VFS. In\norder to allow LSMs to decide what flags they care about and what flags\nthey don\u0027t just pass them all and the each LSM mask off what they don\u0027t\nneed. This patch should contain no functional changes to either the VFS or\nany LSM.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "692a8a231b212dfc68f612956d63f34abf098e0f", "tree": "4af3c03535ebc49e38c3c0c8f67061adbdf44c72", "parents": [ "d1b43547e56b163bc5c622243c47d8a13626175b" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Jul 21 12:51:03 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:06 2010 +1000" }, "message": "SELinux: break ocontext reading into a separate function\n\nMove the reading of ocontext type data out of policydb_read() in a separate\nfunction ocontext_read()\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d1b43547e56b163bc5c622243c47d8a13626175b", "tree": "29b2ddd50b3a0c6fe4dcf5f78c55c8698cd11679", "parents": [ "9a7982793c3aee6ce86d8e7e15306215257329f2" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Jul 21 12:50:57 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:05 2010 +1000" }, "message": "SELinux: move genfs read to a separate function\n\nmove genfs read functionality out of policydb_read() and into a new\nfunction called genfs_read()\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9a7982793c3aee6ce86d8e7e15306215257329f2", "tree": "4d85f6f7a57260cefd938dca7593aabf9c02a59c", "parents": [ "338437f6a09861cdf76e1396ed5fa6dee9c7cabe" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sat Jun 12 20:57:39 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:04 2010 +1000" }, "message": "selinux: fix error codes in symtab_init()\n\nhashtab_create() only returns NULL on allocation failures to -ENOMEM is\nappropriate here.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "338437f6a09861cdf76e1396ed5fa6dee9c7cabe", "tree": "e693392adf370b81af129b326bba45bf43f03862", "parents": [ "38184c522249dc377366d4edc41dc500c2c3bb9e" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sat Jun 12 20:56:01 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:04 2010 +1000" }, "message": "selinux: fix error codes in cond_read_bool()\n\nThe original code always returned -1 (-EPERM) on error. The new code\nreturns either -ENOMEM, or -EINVAL or it propagates the error codes from\nlower level functions next_entry() or hashtab_insert().\n\nnext_entry() returns -EINVAL.\nhashtab_insert() returns -EINVAL, -EEXIST, or -ENOMEM.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "38184c522249dc377366d4edc41dc500c2c3bb9e", "tree": "10c87bf5fdaea233a7842a79f04459792e1b5ba1", "parents": [ "fc5c126e4733e6fb3080d3d822ca63226e74fc84" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sat Jun 12 20:55:01 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:03 2010 +1000" }, "message": "selinux: fix error codes in cond_policydb_init()\n\nIt\u0027s better to propagate the error code from avtab_init() instead of\nreturning -1 (-EPERM). It turns out that avtab_init() never fails so\nthis patch doesn\u0027t change how the code runs but it\u0027s still a clean up.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "fc5c126e4733e6fb3080d3d822ca63226e74fc84", "tree": "3320c22b66107c984ac0cf07c365420df42a4977", "parents": [ "9d623b17a740d5a85c12108cdc71c64fb15484fc" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sat Jun 12 20:53:46 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:02 2010 +1000" }, "message": "selinux: fix error codes in cond_read_node()\n\nOriginally cond_read_node() returned -1 (-EPERM) on errors which was\nincorrect. Now it either propagates the error codes from lower level\nfunctions next_entry() or cond_read_av_list() or it returns -ENOMEM or\n-EINVAL.\n\nnext_entry() returns -EINVAL.\ncond_read_av_list() returns -EINVAL or -ENOMEM.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9d623b17a740d5a85c12108cdc71c64fb15484fc", "tree": "15434839a75f9c46c53a201520c6c859fad3c74b", "parents": [ "5241c1074f6e2f2276d45d857eb5d19fbdc2e4b2" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Sat Jun 12 20:52:19 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:02 2010 +1000" }, "message": "selinux: fix error codes in cond_read_av_list()\n\nAfter this patch cond_read_av_list() no longer returns -1 for any\nerrors. It just propagates error code back from lower levels. Those can\neither be -EINVAL or -ENOMEM.\n\nI also modified cond_insertf() since cond_read_av_list() passes that as a\nfunction pointer to avtab_read_item(). It isn\u0027t used anywhere else.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ], "next": "5241c1074f6e2f2276d45d857eb5d19fbdc2e4b2" }