)]}' { "log": [ { "commit": "1e456a124353a753e9d1fadfbf5cd459c2f197ae", "tree": "4977d4fa275faafc0ba99a635d4c853a1f0df2a1", "parents": [ "fc1caf6eafb30ea185720e29f7f5eccca61ecd60" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Aug 06 16:08:27 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Aug 06 09:17:02 2010 -0700" }, "message": "KEYS: request_key() should return -ENOKEY if the constructed key is negative\n\nrequest_key() should return -ENOKEY if the key it constructs has been\nnegatively instantiated.\n\nWithout this, request_key() can return an unusable key to its caller,\nand if the caller then does key_validate() that won\u0027t catch the problem.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "5ad18a0d59ba9e65b3c8b2b489fd23bc6b3daf94", "tree": "9de21bbe321012bd8e51d9d8ed09b81785cfcbec", "parents": [ "94fd8405ea62bd2d4a40f3013e8e6935b6643235" ], "author": { "name": "Justin P. Mattock", "email": "justinmattock@gmail.com", "time": "Wed Jun 30 10:39:11 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:56 2010 +1000" }, "message": "KEYS: Reinstate lost passing of process keyring ID in call_sbin_request_key()\n\nIn commit bb952bb98a7e479262c7eb25d5592545a3af147d there was the accidental\ndeletion of a statement from call_sbin_request_key() to render the process\nkeyring ID to a text string so that it can be passed to /sbin/request-key.\n\nWith gcc 4.6.0 this causes the following warning:\n\n CC security/keys/request_key.o\nsecurity/keys/request_key.c: In function \u0027call_sbin_request_key\u0027:\nsecurity/keys/request_key.c:102:15: warning: variable \u0027prkey\u0027 set but not used\n\nThis patch reinstates that statement.\n\nWithout this statement, /sbin/request-key will get some random rubbish from the\nstack as that parameter.\n\nSigned-off-by: Justin P. Mattock \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "94fd8405ea62bd2d4a40f3013e8e6935b6643235", "tree": "14bff044866db418ec7f84944fc80998df851a99", "parents": [ "0849e3ba53c3ef603dffa9758a73e07ed186a937" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Jun 28 14:05:04 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:56 2010 +1000" }, "message": "KEYS: Use the variable \u0027key\u0027 in keyctl_describe_key()\n\nkeyctl_describe_key() turns the key reference it gets into a usable key pointer\nand assigns that to a variable called \u0027key\u0027, which it then ignores in favour of\nrecomputing the key pointer each time it needs it. Make it use the precomputed\npointer instead.\n\nWithout this patch, gcc 4.6 reports that the variable key is set but not used:\n\n\tbuilding with gcc 4.6 I\u0027m getting a warning message:\n\t CC security/keys/keyctl.o\n\tsecurity/keys/keyctl.c: In function \u0027keyctl_describe_key\u0027:\n\tsecurity/keys/keyctl.c:472:14: warning: variable \u0027key\u0027 set but not used\n\nReported-by: Justin P. Mattock \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "927942aabbbe506bf9bc70a16dc5460ecc64c148", "tree": "2c53ccb405bd4afb03ff9f7acab892fafc7e9b0f", "parents": [ "9156235b3427d6f01c5c95022f72f381f07583f5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Jun 11 17:31:10 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:27 2010 +1000" }, "message": "KEYS: Make /proc/keys check to see if a key is possessed before security check\n\nMake /proc/keys check to see if the calling process possesses each key before\nperforming the security check. The possession check can be skipped if the key\ndoesn\u0027t have the possessor-view permission bit set.\n\nThis causes the keys a process possesses to show up in /proc/keys, even if they\ndon\u0027t have matching user/group/other view permissions.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9156235b3427d6f01c5c95022f72f381f07583f5", "tree": "16df30be93847e73a3b188b98f9ef2e034d82a90", "parents": [ "57c2590fb7fd38bd52708ff2716a577d0c2b3c5a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Jun 11 17:31:05 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:27 2010 +1000" }, "message": "KEYS: Authorise keyctl_set_timeout() on a key if we have its authorisation key\n\nAuthorise a process to perform keyctl_set_timeout() on an uninstantiated key if\nthat process has the authorisation key for it.\n\nThis allows the instantiator to set the timeout on a key it is instantiating -\nprovided it does it before instantiating the key.\n\nFor instance, the test upcall script provided with the keyutils package could\nbe modified to set the expiry to an hour hence before instantiating the key:\n\n\t[/usr/share/keyutils/request-key-debug.sh]\n\t if [ \"$3\" !\u003d \"neg\" ]\n\t then\n\t+ keyctl timeout $1 3600\n\t keyctl instantiate $1 \"Debug $3\" $4 || exit 1\n\t else\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4303ef19c6e6d16ea845c04b02b9cf086bcb8ed7", "tree": "83e649d3b9d3583c7576920a0feb08e38a19d1b5", "parents": [ "7e27d6e778cd87b6f2415515d7127eba53fe5d02" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Fri Jun 11 17:30:05 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Jun 27 07:02:34 2010 -0700" }, "message": "KEYS: Propagate error code instead of returning -EINVAL\n\nThis is from a Smatch check I\u0027m writing.\n\nstrncpy_from_user() returns -EFAULT on error so the first change just\nsilences a warning but doesn\u0027t change how the code works.\n\nThe other change is a bug fix because install_thread_keyring_to_cred()\ncan return a variety of errors such as -EINVAL, -EEXIST, -ENOMEM or\n-EKEYREVOKED.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "dd98acf74762764fbc4382a1d9a244f11a2658cc", "tree": "e194cc516ccc8812a0424dfd2ca1c32bf1052cd4", "parents": [ "5089a9768041206c76fac299ccd82a528c24c254" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Wed May 26 14:43:23 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 27 09:12:47 2010 -0700" }, "message": "keyctl_session_to_parent(): use thread_group_empty() to check singlethreadness\n\nNo functional changes.\n\nkeyctl_session_to_parent() is the only user of signal-\u003ecount which needs\nthe correct value. Change it to use thread_group_empty() instead, this\nmust be strictly equivalent under tasklist, and imho looks better.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nAcked-by: Roland McGrath \u003croland@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "685bfd2c48bb3284d31e73ff3151c957d76deda9", "tree": "177210787515f48c0eaad5216bd012f4a2fb2149", "parents": [ "898b374af6f71041bd3bceebe257e564f3f1d458" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Wed May 26 14:43:00 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 27 09:12:45 2010 -0700" }, "message": "umh: creds: convert call_usermodehelper_keys() to use subprocess_info-\u003einit()\n\ncall_usermodehelper_keys() uses call_usermodehelper_setkeys() to change\nsubprocess_info-\u003ecred in advance. Now that we have info-\u003einit() we can\nchange this code to set tgcred-\u003esession_keyring in context of execing\nkernel thread.\n\nNote: since currently call_usermodehelper_keys() is never called with\nUMH_NO_WAIT, call_usermodehelper_keys()-\u003ekey_get() and umh_keys_cleanup()\nare not really needed, we could rely on install_session_keyring_to_cred()\nwhich does key_get() on success.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: Neil Horman \u003cnhorman@tuxdriver.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4be929be34f9bdeffa40d815d32d7d60d2c7f03b", "tree": "4d2c6e2b8ef766e565e2e050ee151de2e02081d3", "parents": [ "940370fc86b920b51a34217a1facc3e9e97c2456" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Mon May 24 14:33:03 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue May 25 08:07:02 2010 -0700" }, "message": "kernel-wide: replace USHORT_MAX, SHORT_MAX and SHORT_MIN with USHRT_MAX, SHRT_MAX and SHRT_MIN\n\n- C99 knows about USHRT_MAX/SHRT_MAX/SHRT_MIN, not\n USHORT_MAX/SHORT_MAX/SHORT_MIN.\n\n- Make SHRT_MIN of type s16, not int, for consistency.\n\n[akpm@linux-foundation.org: fix drivers/dma/timb_dma.c]\n[akpm@linux-foundation.org: fix security/keys/keyring.c]\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nAcked-by: WANG Cong \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4d09ec0f705cf88a12add029c058b53f288cfaa2", "tree": "d756921f5391953295404ccf3ba570ddaaca404f", "parents": [ "c80901f2755c582e3096e6708028a8daca59e6e2" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Mon May 17 14:42:35 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 18 08:50:55 2010 +1000" }, "message": "KEYS: Return more accurate error codes\n\nWe were using the wrong variable here so the error codes weren\u0027t being returned\nproperly. The original code returns -ENOKEY.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f70e2e06196ad4c1c762037da2f75354f6c16b81", "tree": "9632a1e655efb684c87f8c7be6d091fbb1a430e7", "parents": [ "043b4d40f53131c5f72eca2a46555fe35328a930" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Apr 30 14:32:39 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 22:25:02 2010 +1000" }, "message": "KEYS: Do preallocation for __key_link()\n\nDo preallocation for __key_link() so that the various callers in request_key.c\ncan deal with any errors from this source before attempting to construct a key.\nThis allows them to assume that the actual linkage step is guaranteed to be\nsuccessful.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "043b4d40f53131c5f72eca2a46555fe35328a930", "tree": "02a40eeb688f7ed9730e26a22f39ad7e04378de2", "parents": [ "292823814261e085cdcef06b6b691e6c2563fbd4", "722154e4cacf015161efe60009ae9be23d492296" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 22:21:04 2010 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 22:21:04 2010 +1000" }, "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tsecurity/keys/keyring.c\n\nResolved conflict with whitespace fix in find_keyring_by_name()\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2b9e4688fad8867b6e918610f396af3ab9246898", "tree": "c0146493e6ea4dff7b51259de1d7e83729a26c94", "parents": [ "553d603c8fce8cf727eb26e4bf6b9549cd4623f1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Apr 30 14:32:34 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 10:56:55 2010 +1000" }, "message": "KEYS: Better handling of errors from construct_alloc_key()\n\nErrors from construct_alloc_key() shouldn\u0027t just be ignored in the way they are\nby construct_key_and_link(). The only error that can be ignored so is\nEINPROGRESS as that is used to indicate that we\u0027ve found a key and don\u0027t need\nto construct one.\n\nWe don\u0027t, however, handle ENOMEM, EDQUOT or EACCES to indicate allocation\nfailures of one sort or another.\n\nReported-by: Vegard Nossum \u003cvegard.nossum@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "553d603c8fce8cf727eb26e4bf6b9549cd4623f1", "tree": "137d9976ac663371d5f4f9ccf59ef4fb1ea9bc88", "parents": [ "0ffbe2699cda6afbe08501098dff8a8c2fe6ae09" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Apr 30 14:32:28 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 10:56:52 2010 +1000" }, "message": "KEYS: keyring_serialise_link_sem is only needed for keyring-\u003ekeyring links\n\nkeyring_serialise_link_sem is only needed for keyring-\u003ekeyring links as it\u0027s\nused to prevent cycle detection from being avoided by parallel keyring\nadditions.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0ffbe2699cda6afbe08501098dff8a8c2fe6ae09", "tree": "81b1a2305d16c873371b65c5a863c0268036cefe", "parents": [ "4e5d6f7ec3833c0da9cf34fa5c53c6058c5908b6", "7ebd467551ed6ae200d7835a84bbda0dcadaa511" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 10:56:07 2010 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 10:56:07 2010 +1000" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "896903c2f5f79f029388f033a00c3b813bc91201", "tree": "f679108ab3c9cda3f5e1f6240afccc6ee3984406", "parents": [ "f0641cba7729e5e14f82d2eedc398103f5fa31b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Apr 30 14:32:23 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed May 05 23:50:24 2010 +1000" }, "message": "KEYS: call_sbin_request_key() must write lock keyrings before modifying them\n\ncall_sbin_request_key() creates a keyring and then attempts to insert a link to\nthe authorisation key into that keyring, but does so without holding a write\nlock on the keyring semaphore.\n\nIt will normally get away with this because it hasn\u0027t told anyone that the\nkeyring exists yet. The new keyring, however, has had its serial number\npublished, which means it can be accessed directly by that handle.\n\nThis was found by a previous patch that adds RCU lockdep checks to the code\nthat reads the keyring payload pointer, which includes a check that the keyring\nsemaphore is actually locked.\n\nWithout this patch, the following command:\n\n\tkeyctl request2 user b a @s\n\nwill provoke the following lockdep warning is displayed in dmesg:\n\n\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\t[ INFO: suspicious rcu_dereference_check() usage. ]\n\t---------------------------------------------------\n\tsecurity/keys/keyring.c:727 invoked rcu_dereference_check() without protection!\n\n\tother info that might help us debug this:\n\n\trcu_scheduler_active \u003d 1, debug_locks \u003d 0\n\t2 locks held by keyctl/2076:\n\t #0: (key_types_sem){.+.+.+}, at: [\u003cffffffff811a5b29\u003e] key_type_lookup+0x1c/0x71\n\t #1: (keyring_serialise_link_sem){+.+.+.}, at: [\u003cffffffff811a6d1e\u003e] __key_link+0x4d/0x3c5\n\n\tstack backtrace:\n\tPid: 2076, comm: keyctl Not tainted 2.6.34-rc6-cachefs #54\n\tCall Trace:\n\t [\u003cffffffff81051fdc\u003e] lockdep_rcu_dereference+0xaa/0xb2\n\t [\u003cffffffff811a6d1e\u003e] ? __key_link+0x4d/0x3c5\n\t [\u003cffffffff811a6e6f\u003e] __key_link+0x19e/0x3c5\n\t [\u003cffffffff811a5952\u003e] ? __key_instantiate_and_link+0xb1/0xdc\n\t [\u003cffffffff811a59bf\u003e] ? key_instantiate_and_link+0x42/0x5f\n\t [\u003cffffffff811aa0dc\u003e] call_sbin_request_key+0xe7/0x33b\n\t [\u003cffffffff8139376a\u003e] ? mutex_unlock+0x9/0xb\n\t [\u003cffffffff811a5952\u003e] ? __key_instantiate_and_link+0xb1/0xdc\n\t [\u003cffffffff811a59bf\u003e] ? key_instantiate_and_link+0x42/0x5f\n\t [\u003cffffffff811aa6fa\u003e] ? request_key_auth_new+0x1c2/0x23c\n\t [\u003cffffffff810aaf15\u003e] ? cache_alloc_debugcheck_after+0x108/0x173\n\t [\u003cffffffff811a9d00\u003e] ? request_key_and_link+0x146/0x300\n\t [\u003cffffffff810ac568\u003e] ? kmem_cache_alloc+0xe1/0x118\n\t [\u003cffffffff811a9e45\u003e] request_key_and_link+0x28b/0x300\n\t [\u003cffffffff811a89ac\u003e] sys_request_key+0xf7/0x14a\n\t [\u003cffffffff81052c0b\u003e] ? trace_hardirqs_on_caller+0x10c/0x130\n\t [\u003cffffffff81394fb9\u003e] ? trace_hardirqs_on_thunk+0x3a/0x3f\n\t [\u003cffffffff81001eeb\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f0641cba7729e5e14f82d2eedc398103f5fa31b1", "tree": "578cc4ea4686528eb587f3df7fbd908e1819fe66", "parents": [ "cea7daa3589d6b550546a8c8963599f7c1a3ae5c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Apr 30 14:32:18 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed May 05 23:50:12 2010 +1000" }, "message": "KEYS: Use RCU dereference wrappers in keyring key type code\n\nThe keyring key type code should use RCU dereference wrappers, even when it\nholds the keyring\u0027s key semaphore.\n\nReported-by: Vegard Nossum \u003cvegard.nossum@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cea7daa3589d6b550546a8c8963599f7c1a3ae5c", "tree": "6d3a0bd38756f03b85f50273c64c26f0b6027143", "parents": [ "7ebd467551ed6ae200d7835a84bbda0dcadaa511" ], "author": { "name": "Toshiyuki Okajima", "email": "toshi.okajima@jp.fujitsu.com", "time": "Fri Apr 30 14:32:13 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed May 05 23:49:10 2010 +1000" }, "message": "KEYS: find_keyring_by_name() can gain access to a freed keyring\n\nfind_keyring_by_name() can gain access to a keyring that has had its reference\ncount reduced to zero, and is thus ready to be freed. This then allows the\ndead keyring to be brought back into use whilst it is being destroyed.\n\nThe following timeline illustrates the process:\n\n|(cleaner) (user)\n|\n| free_user(user) sys_keyctl()\n| | |\n| key_put(user-\u003esession_keyring) keyctl_get_keyring_ID()\n| ||\t//\u003d\u003e keyring-\u003eusage \u003d 0 |\n| |schedule_work(\u0026key_cleanup_task) lookup_user_key()\n| || |\n| kmem_cache_free(,user) |\n| . |[KEY_SPEC_USER_KEYRING]\n| . install_user_keyrings()\n| . ||\n| key_cleanup() [\u003c\u003d worker_thread()] ||\n| | ||\n| [spin_lock(\u0026key_serial_lock)] |[mutex_lock(\u0026key_user_keyr..mutex)]\n| | ||\n| atomic_read() \u003d\u003d 0 ||\n| |{ rb_ease(\u0026key-\u003eserial_node,) } ||\n| | ||\n| [spin_unlock(\u0026key_serial_lock)] |find_keyring_by_name()\n| | |||\n| keyring_destroy(keyring) ||[read_lock(\u0026keyring_name_lock)]\n| || |||\n| |[write_lock(\u0026keyring_name_lock)] ||atomic_inc(\u0026keyring-\u003eusage)\n| |. ||| *** GET freeing keyring ***\n| |. ||[read_unlock(\u0026keyring_name_lock)]\n| || ||\n| |list_del() |[mutex_unlock(\u0026key_user_k..mutex)]\n| || |\n| |[write_unlock(\u0026keyring_name_lock)] ** INVALID keyring is returned **\n| | .\n| kmem_cache_free(,keyring) .\n| .\n| atomic_dec(\u0026keyring-\u003eusage)\nv *** DESTROYED ***\nTIME\n\nIf CONFIG_SLUB_DEBUG\u003dy then we may see the following message generated:\n\n\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\tBUG key_jar: Poison overwritten\n\t-----------------------------------------------------------------------------\n\n\tINFO: 0xffff880197a7e200-0xffff880197a7e200. First byte 0x6a instead of 0x6b\n\tINFO: Allocated in key_alloc+0x10b/0x35f age\u003d25 cpu\u003d1 pid\u003d5086\n\tINFO: Freed in key_cleanup+0xd0/0xd5 age\u003d12 cpu\u003d1 pid\u003d10\n\tINFO: Slab 0xffffea000592cb90 objects\u003d16 used\u003d2 fp\u003d0xffff880197a7e200 flags\u003d0x200000000000c3\n\tINFO: Object 0xffff880197a7e200 @offset\u003d512 fp\u003d0xffff880197a7e300\n\n\tBytes b4 0xffff880197a7e1f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ\n\t Object 0xffff880197a7e200: 6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk\n\nAlternatively, we may see a system panic happen, such as:\n\n\tBUG: unable to handle kernel NULL pointer dereference at 0000000000000001\n\tIP: [\u003cffffffff810e61a3\u003e] kmem_cache_alloc+0x5b/0xe9\n\tPGD 6b2b4067 PUD 6a80d067 PMD 0\n\tOops: 0000 [#1] SMP\n\tlast sysfs file: /sys/kernel/kexec_crash_loaded\n\tCPU 1\n\t...\n\tPid: 31245, comm: su Not tainted 2.6.34-rc5-nofixed-nodebug #2 D2089/PRIMERGY\n\tRIP: 0010:[\u003cffffffff810e61a3\u003e] [\u003cffffffff810e61a3\u003e] kmem_cache_alloc+0x5b/0xe9\n\tRSP: 0018:ffff88006af3bd98 EFLAGS: 00010002\n\tRAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88007d19900b\n\tRDX: 0000000100000000 RSI: 00000000000080d0 RDI: ffffffff81828430\n\tRBP: ffffffff81828430 R08: ffff88000a293750 R09: 0000000000000000\n\tR10: 0000000000000001 R11: 0000000000100000 R12: 00000000000080d0\n\tR13: 00000000000080d0 R14: 0000000000000296 R15: ffffffff810f20ce\n\tFS: 00007f97116bc700(0000) GS:ffff88000a280000(0000) knlGS:0000000000000000\n\tCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 0000000000000001 CR3: 000000006a91c000 CR4: 00000000000006e0\n\tDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n\tDR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\n\tProcess su (pid: 31245, threadinfo ffff88006af3a000, task ffff8800374414c0)\n\tStack:\n\t 0000000512e0958e 0000000000008000 ffff880037f8d180 0000000000000001\n\t 0000000000000000 0000000000008001 ffff88007d199000 ffffffff810f20ce\n\t 0000000000008000 ffff88006af3be48 0000000000000024 ffffffff810face3\n\tCall Trace:\n\t [\u003cffffffff810f20ce\u003e] ? get_empty_filp+0x70/0x12f\n\t [\u003cffffffff810face3\u003e] ? do_filp_open+0x145/0x590\n\t [\u003cffffffff810ce208\u003e] ? tlb_finish_mmu+0x2a/0x33\n\t [\u003cffffffff810ce43c\u003e] ? unmap_region+0xd3/0xe2\n\t [\u003cffffffff810e4393\u003e] ? virt_to_head_page+0x9/0x2d\n\t [\u003cffffffff81103916\u003e] ? alloc_fd+0x69/0x10e\n\t [\u003cffffffff810ef4ed\u003e] ? do_sys_open+0x56/0xfc\n\t [\u003cffffffff81008a02\u003e] ? system_call_fastpath+0x16/0x1b\n\tCode: 0f 1f 44 00 00 49 89 c6 fa 66 0f 1f 44 00 00 65 4c 8b 04 25 60 e8 00 00 48 8b 45 00 49 01 c0 49 8b 18 48 85 db 74 0d 48 63 45 18 \u003c48\u003e 8b 04 03 49 89 00 eb 14 4c 89 f9 83 ca ff 44 89 e6 48 89 ef\n\tRIP [\u003cffffffff810e61a3\u003e] kmem_cache_alloc+0x5b/0xe9\n\nThis problem is that find_keyring_by_name does not confirm that the keyring is\nvalid before accepting it.\n\nSkipping keyrings that have been reduced to a zero count seems the way to go.\nTo this end, use atomic_inc_not_zero() to increment the usage count and skip\nthe candidate keyring if that returns false.\n\nThe following script _may_ cause the bug to happen, but there\u0027s no guarantee\nas the window of opportunity is small:\n\n\t#!/bin/sh\n\tLOOP\u003d100000\n\tUSER\u003ddummy_user\n\t/bin/su -c \"exit;\" $USER || { /usr/sbin/adduser -m $USER; add\u003d1; }\n\tfor ((i\u003d0; i\u003cLOOP; i++))\n\tdo\n\t\t/bin/su -c \"echo \u0027$i\u0027 \u003e /dev/null\" $USER\n\tdone\n\t(( add \u003d\u003d 1 )) \u0026\u0026 /usr/sbin/userdel -r $USER\n\texit\n\nNote that the nominated user must not be in use.\n\nAn alternative way of testing this may be:\n\n\tfor ((i\u003d0; i\u003c100000; i++))\n\tdo\n\t\tkeyctl session foo /bin/true || break\n\tdone \u003e\u0026/dev/null\n\nas that uses a keyring named \"foo\" rather than relying on the user and\nuser-session named keyrings.\n\nReported-by: Toshiyuki Okajima \u003ctoshi.okajima@jp.fujitsu.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Toshiyuki Okajima \u003ctoshi.okajima@jp.fujitsu.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cf8304e8f380903de3a15dc6ebd551c9e6cf1a21", "tree": "fe94f3ebb044b5026b1062631b2d89e77c8b674e", "parents": [ "d9a9b4aeea334e7912ce3d878d7f5cc6fdf1ffe4" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue May 04 14:16:10 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed May 05 11:39:23 2010 +1000" }, "message": "KEYS: Fix RCU handling in key_gc_keyring()\n\nkey_gc_keyring() needs to either hold the RCU read lock or hold the keyring\nsemaphore if it\u0027s going to scan the keyring\u0027s list. Given that it only needs\nto read the key list, and it\u0027s doing so under a spinlock, the RCU read lock is\nthe thing to use.\n\nFurthermore, the RCU check added in e7b0a61b7929632d36cf052d9e2820ef0a9c1bfe is\nincorrect as holding the spinlock on key_serial_lock is not grounds for\nassuming a keyring\u0027s pointer list can be read safely. Instead, a simple\nrcu_dereference() inside of the previously mentioned RCU read lock is what we\nwant.\n\nReported-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: \"Paul E. McKenney\" \u003cpaulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d9a9b4aeea334e7912ce3d878d7f5cc6fdf1ffe4", "tree": "cf822ea9020aec6bd54d986231097983680c8ede", "parents": [ "a66f6375bdeb64d7a56c532bda7c006358845820" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Apr 30 14:32:08 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed May 05 11:38:52 2010 +1000" }, "message": "KEYS: Fix an RCU warning in the reading of user keys\n\nFix an RCU warning in the reading of user keys:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[ INFO: suspicious rcu_dereference_check() usage. ]\n---------------------------------------------------\nsecurity/keys/user_defined.c:202 invoked rcu_dereference_check() without protection!\n\nother info that might help us debug this:\n\nrcu_scheduler_active \u003d 1, debug_locks \u003d 0\n1 lock held by keyctl/3637:\n #0: (\u0026key-\u003esem){+++++.}, at: [\u003cffffffff811a80ae\u003e] keyctl_read_key+0x9c/0xcf\n\nstack backtrace:\nPid: 3637, comm: keyctl Not tainted 2.6.34-rc5-cachefs #18\nCall Trace:\n [\u003cffffffff81051f6c\u003e] lockdep_rcu_dereference+0xaa/0xb2\n [\u003cffffffff811aa55f\u003e] user_read+0x47/0x91\n [\u003cffffffff811a80be\u003e] keyctl_read_key+0xac/0xcf\n [\u003cffffffff811a8a06\u003e] sys_keyctl+0x75/0xb7\n [\u003cffffffff81001eeb\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1600f9def09de07c5dbeb539e978fa73880690dd", "tree": "a8fa5c0891c68740543425d139414fec3d38b26e", "parents": [ "11e39d993dc693e0bfc5521d367b2494cb3bcd38", "b59ec78cdcc57e02bc3dddfa7134a2f0fd15c34d" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 27 16:26:46 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 27 16:26:46 2010 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n keys: don\u0027t need to use RCU in keyring_read() as semaphore is held\n" }, { "commit": "03449cd9eaa4fa3a7faa4a59474bafe2e90bd143", "tree": "f0f8b573553e0ac436b06b3f7853033a46b90a8e", "parents": [ "a2cb9aeb3c9b2475955cec328487484034f414e4" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 27 13:13:08 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 27 16:26:03 2010 -0700" }, "message": "keys: the request_key() syscall should link an existing key to the dest keyring\n\nThe request_key() system call and request_key_and_link() should make a\nlink from an existing key to the destination keyring (if supplied), not\njust from a new key to the destination keyring.\n\nThis can be tested by:\n\n\tring\u003d`keyctl newring fred @s`\n\tkeyctl request2 user debug:a a\n\tkeyctl request user debug:a $ring\n\tkeyctl list $ring\n\nIf it says:\n\n\tkeyring is empty\n\nthen it didn\u0027t work. If it shows something like:\n\n\t1 key in keyring:\n\t1070462727: --alswrv 0 0 user: debug:a\n\nthen it did.\n\nrequest_key() system call is meant to recursively search all your keyrings for\nthe key you desire, and, optionally, if it doesn\u0027t exist, call out to userspace\nto create one for you.\n\nIf request_key() finds or creates a key, it should, optionally, create a link\nto that key from the destination keyring specified.\n\nTherefore, if, after a successful call to request_key() with a desination\nkeyring specified, you see the destination keyring empty, the code didn\u0027t work\ncorrectly.\n\nIf you see the found key in the keyring, then it did - which is what the patch\nis required for.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b59ec78cdcc57e02bc3dddfa7134a2f0fd15c34d", "tree": "60ba3c907d4d83873bce5eb645ae8bd9415399b8", "parents": [ "b91ce4d14a21fc04d165be30319541e0f9204f15" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 27 14:05:11 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Apr 28 08:37:15 2010 +1000" }, "message": "keys: don\u0027t need to use RCU in keyring_read() as semaphore is held\n\nkeyring_read() doesn\u0027t need to use rcu_dereference() to access the keyring\npayload as the caller holds the key semaphore to prevent modifications\nfrom happening whilst the data is read out.\n\nThis should solve the following warning:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[ INFO: suspicious rcu_dereference_check() usage. ]\n---------------------------------------------------\nsecurity/keys/keyring.c:204 invoked rcu_dereference_check() without protection!\n\nother info that might help us debug this:\n\nrcu_scheduler_active \u003d 1, debug_locks \u003d 0\n1 lock held by keyctl/2144:\n #0: (\u0026key-\u003esem){+++++.}, at: [\u003cffffffff81177f7c\u003e] keyctl_read_key+0x9c/0xcf\n\nstack backtrace:\nPid: 2144, comm: keyctl Not tainted 2.6.34-rc2-cachefs #113\nCall Trace:\n [\u003cffffffff8105121f\u003e] lockdep_rcu_dereference+0xaa/0xb2\n [\u003cffffffff811762d5\u003e] keyring_read+0x4d/0xe7\n [\u003cffffffff81177f8c\u003e] keyctl_read_key+0xac/0xcf\n [\u003cffffffff811788d4\u003e] sys_keyctl+0x75/0xb9\n [\u003cffffffff81001eeb\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "93b4a44f3ad69520d605aace3f3486b8eb754b96", "tree": "8eb946db950ccc6aee1d00b226739f44141dd310", "parents": [ "ccdb40048b2972f10bdc944913c0e0ee26b5d1f2" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Apr 23 13:18:00 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Apr 24 11:31:25 2010 -0700" }, "message": "keys: fix an RCU warning\n\nFix the following RCU warning:\n\n \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n [ INFO: suspicious rcu_dereference_check() usage. ]\n ---------------------------------------------------\n security/keys/request_key.c:116 invoked rcu_dereference_check() without protection!\n\nThis was caused by doing:\n\n\t[root@andromeda ~]# keyctl newring fred @s\n\t539196288\n\t[root@andromeda ~]# keyctl request2 user a a 539196288\n\trequest_key: Required key not available\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Eric Dumazet \u003ceric.dumazet@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c5b60b5e67af8be4c58d3ffcc36894f69c4fbdc1", "tree": "5ca471fad635ee8d91a24c7b5448dbcad3de74ef", "parents": [ "822cceec7248013821d655545ea45d1c6a9d15b3" ], "author": { "name": "Justin P. Mattock", "email": "justinmattock@gmail.com", "time": "Wed Apr 21 00:02:11 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 23 10:10:23 2010 +1000" }, "message": "security: whitespace coding style fixes\n\nWhitespace coding style fixes.\n\nSigned-off-by: Justin P. Mattock \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3011a344cdcda34cdbcb40c3fb3d1a6e89954abb", "tree": "43db9abc5f96cd8ec31a4a24f0d52dae76680a1c", "parents": [ "6307f8fee295b364716d28686df6e69c2fee751a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:15:19 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:19:18 2010 +1000" }, "message": "security: remove dead hook key_session_to_parent\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5a0e3ad6af8660be21ca98a971cd00f331318c05", "tree": "5bfb7be11a03176a87296a43ac6647975c00a1d1", "parents": [ "ed391f4ebf8f701d3566423ce8f17e614cde9806" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Wed Mar 24 17:04:11 2010 +0900" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Tue Mar 30 22:02:32 2010 +0900" }, "message": "include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h\n\npercpu.h is included by sched.h and module.h and thus ends up being\nincluded when building most .c files. percpu.h includes slab.h which\nin turn includes gfp.h making everything defined by the two files\nuniversally available and complicating inclusion dependencies.\n\npercpu.h -\u003e slab.h dependency is about to be removed. Prepare for\nthis change by updating users of gfp and slab facilities include those\nheaders directly instead of assuming availability. As this conversion\nneeds to touch large number of source files, the following script is\nused as the basis of conversion.\n\n http://userweb.kernel.org/~tj/misc/slabh-sweep.py\n\nThe script does the followings.\n\n* Scan files for gfp and slab usages and update includes such that\n only the necessary includes are there. ie. if only gfp is used,\n gfp.h, if slab is used, slab.h.\n\n* When the script inserts a new include, it looks at the include\n blocks and try to put the new include such that its order conforms\n to its surrounding. It\u0027s put in the include block which contains\n core kernel includes, in the same order that the rest are ordered -\n alphabetical, Christmas tree, rev-Xmas-tree or at the end if there\n doesn\u0027t seem to be any matching order.\n\n* If the script can\u0027t find a place to put a new include (mostly\n because the file doesn\u0027t have fitting include block), it prints out\n an error message indicating which .h file needs to be added to the\n file.\n\nThe conversion was done in the following steps.\n\n1. The initial automatic conversion of all .c files updated slightly\n over 4000 files, deleting around 700 includes and adding ~480 gfp.h\n and ~3000 slab.h inclusions. The script emitted errors for ~400\n files.\n\n2. Each error was manually checked. Some didn\u0027t need the inclusion,\n some needed manual addition while adding it to implementation .h or\n embedding .c file was more appropriate for others. This step added\n inclusions to around 150 files.\n\n3. The script was run again and the output was compared to the edits\n from #2 to make sure no file was left behind.\n\n4. Several build tests were done and a couple of problems were fixed.\n e.g. lib/decompress_*.c used malloc/free() wrappers around slab\n APIs requiring slab.h to be added manually.\n\n5. The script was run on all .h files but without automatically\n editing them as sprinkling gfp.h and slab.h inclusions around .h\n files could easily lead to inclusion dependency hell. Most gfp.h\n inclusion directives were ignored as stuff from gfp.h was usually\n wildly available and often used in preprocessor macros. Each\n slab.h inclusion directive was examined and added manually as\n necessary.\n\n6. percpu.h was updated not to include slab.h.\n\n7. Build test were done on the following configurations and failures\n were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my\n distributed build env didn\u0027t work with gcov compiles) and a few\n more options had to be turned off depending on archs to make things\n build (like ipr on powerpc/64 which failed due to missing writeq).\n\n * x86 and x86_64 UP and SMP allmodconfig and a custom test config.\n * powerpc and powerpc64 SMP allmodconfig\n * sparc and sparc64 SMP allmodconfig\n * ia64 SMP allmodconfig\n * s390 SMP allmodconfig\n * alpha SMP allmodconfig\n * um on x86_64 SMP allmodconfig\n\n8. percpu.h modifications were reverted so that it could be applied as\n a separate patch and serve as bisection point.\n\nGiven the fact that I had only a couple of failures from tests on step\n6, I\u0027m fairly confident about the coverage of this conversion patch.\nIf there is a breakage, it\u0027s likely to be something in one of the arch\nheaders which should be easily discoverable easily on most builds of\nthe specific arch.\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nGuess-its-ok-by: Christoph Lameter \u003ccl@linux-foundation.org\u003e\nCc: Ingo Molnar \u003cmingo@redhat.com\u003e\nCc: Lee Schermerhorn \u003cLee.Schermerhorn@hp.com\u003e\n" }, { "commit": "512ea3bc30c0e052a961e1abce8e783f3e28c92a", "tree": "2e50e5bd7d257ec010d9c9d1af87bd61fccead6c", "parents": [ "c43a7523470dc2d9947fa114a0b54317975d4c04" ], "author": { "name": "Chihau Chau", "email": "chihau@gmail.com", "time": "Mon Mar 08 20:11:34 2010 -0300" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Mar 10 08:46:15 2010 +1100" }, "message": "Security: key: keyring: fix some code style issues\n\nThis fixes to include \u003clinux/uaccess.h\u003e instead \u003casm/uaccess.h\u003e and some\ncode style issues like to put a else sentence below close brace \u0027}\u0027 and\nto replace a tab instead of some space characters.\n\nSigned-off-by: Chihau Chau \u003cchihau@gmail.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c8563473c1259f5686ceb918c548c80132089f79", "tree": "45bd8a0cf2fcdbe388acdd2526897bbc59007436", "parents": [ "06b9b72df43800b9ae4e77202c8bf5848c9d6998" ], "author": { "name": "wzt.wzt@gmail.com", "email": "wzt.wzt@gmail.com", "time": "Thu Mar 04 21:26:23 2010 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Mar 05 09:49:02 2010 +1100" }, "message": "Security: Fix some coding styles in security/keys/keyring.c\n\nFix some coding styles in security/keys/keyring.c\n\nSigned-off-by: Zhitong Wang \u003czhitong.wangzt@alibaba-inc.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e7b0a61b7929632d36cf052d9e2820ef0a9c1bfe", "tree": "69dbe6f03abc5a9ef0dea3a2c28921cebcc59a08", "parents": [ "96be753af91fc9d582450a84722f6a6721d218ad" ], "author": { "name": "Paul E. McKenney", "email": "paulmck@linux.vnet.ibm.com", "time": "Mon Feb 22 17:04:56 2010 -0800" }, "committer": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Thu Feb 25 10:34:52 2010 +0100" }, "message": "security: Apply lockdep-based checking to rcu_dereference() uses\n\nApply lockdep-ified RCU primitives to key_gc_keyring() and\nkeyring_destroy().\n\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nCc: laijs@cn.fujitsu.com\nCc: dipankar@in.ibm.com\nCc: mathieu.desnoyers@polymtl.ca\nCc: josh@joshtriplett.org\nCc: dvhltc@us.ibm.com\nCc: niv@us.ibm.com\nCc: peterz@infradead.org\nCc: rostedt@goodmis.org\nCc: Valdis.Kletnieks@vt.edu\nCc: dhowells@redhat.com\nLKML-Reference: \u003c1266887105-1528-12-git-send-email-paulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n" }, { "commit": "a00ae4d21b2fa9379914f270ffffd8d3bec55430", "tree": "81950b31b2bbd816e5ad119acba46d859de9aceb", "parents": [ "6e1415467614e854fee660ff6648bd10fa976e95" ], "author": { "name": "Geert Uytterhoeven", "email": "geert@linux-m68k.org", "time": "Sun Dec 13 20:21:34 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 17 09:27:59 2009 +1100" }, "message": "Keys: KEYCTL_SESSION_TO_PARENT needs TIF_NOTIFY_RESUME architecture support\n\nAs of commit ee18d64c1f632043a02e6f5ba5e045bb26a5465f (\"KEYS: Add a keyctl to\ninstall a process\u0027s session keyring on its parent [try #6]\"), CONFIG_KEYS\u003dy\nfails to build on architectures that haven\u0027t implemented TIF_NOTIFY_RESUME yet:\n\nsecurity/keys/keyctl.c: In function \u0027keyctl_session_to_parent\u0027:\nsecurity/keys/keyctl.c:1312: error: \u0027TIF_NOTIFY_RESUME\u0027 undeclared (first use in this function)\nsecurity/keys/keyctl.c:1312: error: (Each undeclared identifier is reported only once\nsecurity/keys/keyctl.c:1312: error: for each function it appears in.)\n\nMake KEYCTL_SESSION_TO_PARENT depend on TIF_NOTIFY_RESUME until\nm68k, and xtensa have implemented it.\n\nSigned-off-by: Geert Uytterhoeven \u003cgeert@linux-m68k.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Mike Frysinger \u003cvapier@gentoo.org\u003e\n" }, { "commit": "fa1cc7b5a5c4171dfdcac855428295340ccf87ec", "tree": "eccd00dd480c980a45159e3964038cee255ff9f8", "parents": [ "d4220f987cf473c65a342ca69e3eb13dea919a49" ], "author": { "name": "Roel Kluin", "email": "roel.kluin@gmail.com", "time": "Tue Dec 15 15:05:12 2009 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 17 09:23:48 2009 +1100" }, "message": "keys: PTR_ERR return of wrong pointer in keyctl_get_security()\n\nReturn the PTR_ERR of the correct pointer.\n\nSigned-off-by: Roel Kluin \u003croel.kluin@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6d4561110a3e9fa742aeec6717248a491dfb1878", "tree": "689e2abf19940416ce597ba56ed31026ff59bd21", "parents": [ "86926d0096279b9739ceeff40f68d3c33b9119a9" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Mon Nov 16 03:11:48 2009 -0800" }, "committer": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Wed Nov 18 08:37:40 2009 -0800" }, "message": "sysctl: Drop \u0026 in front of every proc_handler.\n\nFor consistency drop \u0026 in front of every proc_handler. Explicity\ntaking the address is unnecessary and it prevents optimizations\nlike stubbing the proc_handlers to NULL.\n\nCc: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nCc: Joe Perches \u003cjoe@perches.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n" }, { "commit": "5cdb35557d022f8dc51b532b5cd1a8e9ed7bcdb7", "tree": "f2d947dd3d0302b23ef7dc515f0ff4841e5a5b87", "parents": [ "56992309ccbe71f4321ddd50ee2f76f91b412c1a" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Fri Apr 03 05:08:03 2009 -0700" }, "committer": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Thu Nov 12 02:04:56 2009 -0800" }, "message": "sysctl security/keys: Remove dead binary sysctl support\n\nNow that sys_sysctl is a generic wrapper around /proc/sys .ctl_name\nand .strategy members of sysctl tables are dead code. Remove them.\n\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n" }, { "commit": "21279cfa107af07ef985539ac0de2152b9cba5f5", "tree": "a31f1447e0246316c00b26fb599c1595301bb4b5", "parents": [ "37a08b13eba6ce3b42df30b2a5ca3a9845f429ec" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Oct 15 10:14:35 2009 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Oct 15 15:19:58 2009 -0700" }, "message": "KEYS: get_instantiation_keyring() should inc the keyring refcount in all cases\n\nThe destination keyring specified to request_key() and co. is made available to\nthe process that instantiates the key (the slave process started by\n/sbin/request-key typically). This is passed in the request_key_auth struct as\nthe dest_keyring member.\n\nkeyctl_instantiate_key and keyctl_negate_key() call get_instantiation_keyring()\nto get the keyring to attach the newly constructed key to at the end of\ninstantiation. This may be given a specific keyring into which a link will be\nmade later, or it may be asked to find the keyring passed to request_key(). In\nthe former case, it returns a keyring with the refcount incremented by\nlookup_user_key(); in the latter case, it returns the keyring from the\nrequest_key_auth struct - and does _not_ increment the refcount.\n\nThe latter case will eventually result in an oops when the keyring prematurely\nruns out of references and gets destroyed. The effect may take some time to\nshow up as the key is destroyed lazily.\n\nTo fix this, the keyring returned by get_instantiation_keyring() must always\nhave its refcount incremented, no matter where it comes from.\n\nThis can be tested by setting /etc/request-key.conf to:\n\n#OP\tTYPE\tDESCRIPTION\tCALLOUT INFO\tPROGRAM ARG1 ARG2 ARG3 ...\n#\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\ncreate *\ttest:*\t\t*\t\t|/bin/false %u %g %d %{user:_display}\nnegate\t*\t*\t\t*\t\t/bin/keyctl negate %k 10 @u\n\nand then doing:\n\n\tkeyctl add user _display aaaaaaaa @u\n while keyctl request2 user test:x test:x @u \u0026\u0026\n keyctl list @u;\n do\n keyctl request2 user test:x test:x @u;\n sleep 31;\n keyctl list @u;\n done\n\nwhich will oops eventually. Changing the negate line to have @u rather than\n%S at the end is important as that forces the latter case by passing a special\nkeyring ID rather than an actual keyring ID.\n\nReported-by: Alexander Zangerl \u003caz@bond.edu.au\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Alexander Zangerl \u003caz@bond.edu.au\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "606531c316d30e9639473a6da09ee917125ab467", "tree": "b83f3d8d82597401bdee6a451facaa5c2de006d1", "parents": [ "0afd9056f1b43c9fcbfdf933b263d72023d382fe" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 16 15:54:14 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 23 11:03:47 2009 -0700" }, "message": "KEYS: Have the garbage collector set its timer for live expired keys\n\nThe key garbage collector sets a timer to start a new collection cycle at the\npoint the earliest key to expire should be considered garbage. However, it\ncurrently only does this if the key it is considering hasn\u0027t yet expired.\n\nIf the key being considering has expired, but hasn\u0027t yet reached the collection\ntime then it is ignored, and won\u0027t be collected until some other key provokes a\nround of collection.\n\nMake the garbage collector set the timer for the earliest key that hasn\u0027t yet\npassed its collection time, rather than the earliest key that hasn\u0027t yet\nexpired.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c08ef808ef24df32e25fbd949fe5310172f3c408", "tree": "12bae6fd48e1cdcc1b792c221376c727d9472cc6", "parents": [ "5c84342a3e147a23752276650340801c237d0e56" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Sep 14 17:26:13 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Sep 15 09:11:02 2009 +1000" }, "message": "KEYS: Fix garbage collector\n\nFix a number of problems with the new key garbage collector:\n\n (1) A rogue semicolon in keyring_gc() was causing the initial count of dead\n keys to be miscalculated.\n\n (2) A missing return in keyring_gc() meant that under certain circumstances,\n the keyring semaphore would be unlocked twice.\n\n (3) The key serial tree iterator (key_garbage_collector()) part of the garbage\n collector has been modified to:\n\n (a) Complete each scan of the keyrings before setting the new timer.\n\n (b) Only set the new timer for keys that have yet to expire. This means\n that the new timer is now calculated correctly, and the gc doesn\u0027t\n get into a loop continually scanning for keys that have expired, and\n preventing other things from happening, like RCU cleaning up the old\n keyring contents.\n\n (c) Perform an extra scan if any keys were garbage collected in this one\n \t as a key might become garbage during a scan, and (b) could mean we\n \t don\u0027t set the timer again.\n\n (4) Made key_schedule_gc() take the time at which to do a collection run,\n rather than the time at which the key expires. This means the collection\n of dead keys (key type unregistered) can happen immediately.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5c84342a3e147a23752276650340801c237d0e56", "tree": "a57a81dd9b48f8bd837ab13e319375c248cc7b89", "parents": [ "4a5d6ba1914d1bf1fcfb5e15834c29d84a879219" ], "author": { "name": "Marc Dionne", "email": "marc.c.dionne@gmail.com", "time": "Mon Sep 14 12:46:23 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Sep 15 09:10:59 2009 +1000" }, "message": "KEYS: Unlock tasklist when exiting early from keyctl_session_to_parent\n\nWhen we exit early from keyctl_session_to_parent because of permissions or\nbecause the session keyring is the same as the parent, we need to unlock the\ntasklist.\n\nThe missing unlock causes the system to hang completely when using\nkeyctl(KEYCTL_SESSION_TO_PARENT) with a keyring shared with the parent.\n\nSigned-off-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ee18d64c1f632043a02e6f5ba5e045bb26a5465f", "tree": "80b5a4d530ec7d5fd69799920f0db7b78aba6b9d", "parents": [ "d0420c83f39f79afb82010c2d2cafd150eef651b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:14:21 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:22 2009 +1000" }, "message": "KEYS: Add a keyctl to install a process\u0027s session keyring on its parent [try #6]\n\nAdd a keyctl to install a process\u0027s session keyring onto its parent. This\nreplaces the parent\u0027s session keyring. Because the COW credential code does\nnot permit one process to change another process\u0027s credentials directly, the\nchange is deferred until userspace next starts executing again. Normally this\nwill be after a wait*() syscall.\n\nTo support this, three new security hooks have been provided:\ncred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in\nthe blank security creds and key_session_to_parent() - which asks the LSM if\nthe process may replace its parent\u0027s session keyring.\n\nThe replacement may only happen if the process has the same ownership details\nas its parent, and the process has LINK permission on the session keyring, and\nthe session keyring is owned by the process, and the LSM permits it.\n\nNote that this requires alteration to each architecture\u0027s notify_resume path.\nThis has been done for all arches barring blackfin, m68k* and xtensa, all of\nwhich need assembly alteration to support TIF_NOTIFY_RESUME. This allows the\nreplacement to be performed at the point the parent process resumes userspace\nexecution.\n\nThis allows the userspace AFS pioctl emulation to fully emulate newpag() and\nthe VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to\nalter the parent process\u0027s PAG membership. However, since kAFS doesn\u0027t use\nPAGs per se, but rather dumps the keys into the session keyring, the session\nkeyring of the parent must be replaced if, for example, VIOCSETTOK is passed\nthe newpag flag.\n\nThis can be tested with the following program:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\n\t#define KEYCTL_SESSION_TO_PARENT\t18\n\n\t#define OSERROR(X, S) do { if ((long)(X) \u003d\u003d -1) { perror(S); exit(1); } } while(0)\n\n\tint main(int argc, char **argv)\n\t{\n\t\tkey_serial_t keyring, key;\n\t\tlong ret;\n\n\t\tkeyring \u003d keyctl_join_session_keyring(argv[1]);\n\t\tOSERROR(keyring, \"keyctl_join_session_keyring\");\n\n\t\tkey \u003d add_key(\"user\", \"a\", \"b\", 1, keyring);\n\t\tOSERROR(key, \"add_key\");\n\n\t\tret \u003d keyctl(KEYCTL_SESSION_TO_PARENT);\n\t\tOSERROR(ret, \"KEYCTL_SESSION_TO_PARENT\");\n\n\t\treturn 0;\n\t}\n\nCompiled and linked with -lkeyutils, you should see something like:\n\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t355907932 --alswrv 4043 -1 \\_ keyring: _uid.4043\n\t[dhowells@andromeda ~]$ /tmp/newpag\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t1055658746 --alswrv 4043 4043 \\_ user: a\n\t[dhowells@andromeda ~]$ /tmp/newpag hello\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: hello\n\t340417692 --alswrv 4043 4043 \\_ user: a\n\nWhere the test program creates a new session keyring, sticks a user key named\n\u0027a\u0027 into it and then installs it on its parent.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7b1b9164598286fe93927ff41eed2a2609fd9056", "tree": "b37a8f4991c5aa6416e269f4edd7317dacc2c67c", "parents": [ "ad73a717e0fc6949c44e587ca5d63c273a30e6f5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:14:11 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:16 2009 +1000" }, "message": "KEYS: Do some whitespace cleanups [try #6]\n\nDo some whitespace cleanups in the key management code.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ad73a717e0fc6949c44e587ca5d63c273a30e6f5", "tree": "28aa8de2eb924a60713abd01bbc790879da5b70c", "parents": [ "5d135440faf7db8d566de0c6fab36b16cf9cfc3b" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Wed Sep 02 09:14:05 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:14 2009 +1000" }, "message": "KEYS: Make /proc/keys use keyid not numread as file position [try #6]\n\nMake the file position maintained by /proc/keys represent the ID of the key\njust read rather than the number of keys read. This should make it faster to\nperform a lookup as we don\u0027t have to scan the key ID tree from the beginning to\nfind the current position.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5d135440faf7db8d566de0c6fab36b16cf9cfc3b", "tree": "d9c022e73ed51dfe5729fde9a97150cb64b68196", "parents": [ "f041ae2f99d49adc914153a34a2d0e14e4389d90" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:14:00 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:11 2009 +1000" }, "message": "KEYS: Add garbage collection for dead, revoked and expired keys. [try #6]\n\nAdd garbage collection for dead, revoked and expired keys. This involved\nerasing all links to such keys from keyrings that point to them. At that\npoint, the key will be deleted in the normal manner.\n\nKeyrings from which garbage collection occurs are shrunk and their quota\nconsumption reduced as appropriate.\n\nDead keys (for which the key type has been removed) will be garbage collected\nimmediately.\n\nRevoked and expired keys will hang around for a number of seconds, as set in\n/proc/sys/kernel/keys/gc_delay before being automatically removed. The default\nis 5 minutes.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f041ae2f99d49adc914153a34a2d0e14e4389d90", "tree": "02cf0a1e85920122e1059496942b979e5832ff1b", "parents": [ "0c2c9a3fc77e8b60d43d9bd2ca46eb4dddb0ff76" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:13:55 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:09 2009 +1000" }, "message": "KEYS: Flag dead keys to induce EKEYREVOKED [try #6]\n\nSet the KEY_FLAG_DEAD flag on keys for which the type has been removed. This\ncauses the key_permission() function to return EKEYREVOKED in response to\nvarious commands. It does not, however, prevent unlinking or clearing of\nkeyrings from detaching the key.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0c2c9a3fc77e8b60d43d9bd2ca46eb4dddb0ff76", "tree": "e718aa64ab3b5d4fd73f7a837ee9ea0debfcc773", "parents": [ "5593122eec26b061cc0b6fbff32118f1aadf4a27" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:13:50 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:06 2009 +1000" }, "message": "KEYS: Allow keyctl_revoke() on keys that have SETATTR but not WRITE perm [try #6]\n\nAllow keyctl_revoke() to operate on keys that have SETATTR but not WRITE\npermission, rather than only on keys that have WRITE permission.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5593122eec26b061cc0b6fbff32118f1aadf4a27", "tree": "f148b182ada54b722962607567bd5b1ace06640a", "parents": [ "e0e817392b9acf2c98d3be80c233dddb1b52003d" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:13:45 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:04 2009 +1000" }, "message": "KEYS: Deal with dead-type keys appropriately [try #6]\n\nAllow keys for which the key type has been removed to be unlinked. Currently\ndead-type keys can only be disposed of by completely clearing the keyrings\nthat point to them.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5bb459bb45d1ad3c177485dcf0af01580aa31125", "tree": "fd6d11d424d222b97f56d8b870bdecbacaab8a17", "parents": [ "d2e3ee9b29f5de5b01e611b04e6fb29760589b01" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Fri Jul 10 03:48:23 2009 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jul 17 09:10:42 2009 +1000" }, "message": "kernel: rename is_single_threaded(task) to current_is_single_threaded(void)\n\n- is_single_threaded(task) is not safe unless task \u003d\u003d current,\n we can\u0027t use task-\u003esignal or task-\u003emm.\n\n- it doesn\u0027t make sense unless task \u003d\u003d current, the task can\n fork right after the check.\n\nRename it to current_is_single_threaded() and kill the argument.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "86abcf9cebf7b5ceb33facde297face5ec4d2260", "tree": "1b71608a4c025882f82a952d56d0f546d461736b", "parents": [ "20dda18be9035c487c2e9534e4d18d2a1e1deade" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 18 22:00:05 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 25 00:09:12 2009 +1000" }, "message": "keys: annotate seqfile ops with __releases and __acquires\n\nAnnotate seqfile ops with __releases and __acquires to stop sparse\ncomplaining about unbalanced locking.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nReviewed-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\n" }, { "commit": "34574dd10b6d0697b86703388d6d6af9cbf4bb48", "tree": "89eb52c0777687d4704d3ab3a370c50c1fe9479c", "parents": [ "11ff5f6affe9b75f115a900a5584db339d46002b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Apr 09 17:14:05 2009 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Apr 09 10:41:19 2009 -0700" }, "message": "keys: Handle there being no fallback destination keyring for request_key()\n\nWhen request_key() is called, without there being any standard process\nkeyrings on which to fall back if a destination keyring is not specified, an\noops is liable to occur when construct_alloc_key() calls down_write() on\ndest_keyring\u0027s semaphore.\n\nDue to function inlining this may be seen as an oops in down_write() as called\nfrom request_key_and_link().\n\nThis situation crops up during boot, where request_key() is called from within\nthe kernel (such as in CIFS mounts) where nobody is actually logged in, and so\nPAM has not had a chance to create a session keyring and user keyrings to act\nas the fallback.\n\nTo fix this, make construct_alloc_key() not attempt to cache a key if there is\nno fallback key if no destination keyring is given specifically.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "454804ab0302b354e35d992d08e53fe03313baaf", "tree": "e01a4928e19ac2e8318bc88d0b79970cccc60665", "parents": [ "2ea190d0a006ce5218baa6e798512652446a605a" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Thu Feb 26 18:28:04 2009 -0600" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 27 12:35:15 2009 +1100" }, "message": "keys: make procfiles per-user-namespace\n\nRestrict the /proc/keys and /proc/key-users output to keys\nbelonging to the same user namespace as the reading task.\n\nWe may want to make this more complicated - so that any\nkeys in a user-namespace which is belongs to the reading\ntask are also shown. But let\u0027s see if anyone wants that\nfirst.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2ea190d0a006ce5218baa6e798512652446a605a", "tree": "1d8612678355c77d8ea9f316ef6ce7d80ee6d613", "parents": [ "8ff3bc3138a400294ee9e126ac75fc9a9fae4e0b" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Thu Feb 26 18:27:55 2009 -0600" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 27 12:35:12 2009 +1100" }, "message": "keys: skip keys from another user namespace\n\nWhen listing keys, do not return keys belonging to the\nsame uid in another user namespace. Otherwise uid 500\nin another user namespace will return keyrings called\nuid.500 for another user namespace.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8ff3bc3138a400294ee9e126ac75fc9a9fae4e0b", "tree": "f1e2f21f17268cb9a88446da2f1ced9dbccd5138", "parents": [ "1d1e97562e5e2ac60fb7b25437ba619f95f67fab" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Thu Feb 26 18:27:47 2009 -0600" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 27 12:35:09 2009 +1100" }, "message": "keys: consider user namespace in key_permission\n\nIf a key is owned by another user namespace, then treat the\nkey as though it is owned by both another uid and gid.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1d1e97562e5e2ac60fb7b25437ba619f95f67fab", "tree": "68a9c52ecbff0782dd9b9438685afc3b40b6f707", "parents": [ "be38e0fd5f90a91d09e0a85ffb294b70a7be6259" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Thu Feb 26 18:27:38 2009 -0600" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 27 12:35:06 2009 +1100" }, "message": "keys: distinguish per-uid keys in different namespaces\n\nper-uid keys were looked by uid only. Use the user namespace\nto distinguish the same uid in different namespaces.\n\nThis does not address key_permission. So a task can for instance\ntry to join a keyring owned by the same uid in another namespace.\nThat will be handled by a separate patch.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0d54ee1c7850a954026deec4cd4885f331da35cc", "tree": "00f5219a49428dabca10428cbeaaa2c44e774808", "parents": [ "1de9e8e70f5acc441550ca75433563d91b269bbe" ], "author": { "name": "Vegard Nossum", "email": "vegard.nossum@gmail.com", "time": "Sat Jan 17 17:45:45 2009 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Jan 17 14:24:46 2009 -0800" }, "message": "security: introduce missing kfree\n\nPlug this leak.\n\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Vegard Nossum \u003cvegard.nossum@gmail.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "938bb9f5e840eddbf54e4f62f6c5ba9b3ae12c9d", "tree": "a25324159ed8cc96b97a4d39aaf228bbd07e3824", "parents": [ "1e7bfb2134dfec37ce04fb3a4ca89299e892d10c" ], "author": { "name": "Heiko Carstens", "email": "heiko.carstens@de.ibm.com", "time": "Wed Jan 14 14:14:30 2009 +0100" }, "committer": { "name": "Heiko Carstens", "email": "heiko.carstens@de.ibm.com", "time": "Wed Jan 14 14:15:30 2009 +0100" }, "message": "[CVE-2009-0029] System call wrappers part 28\n\nSigned-off-by: Heiko Carstens \u003cheiko.carstens@de.ibm.com\u003e\n" }, { "commit": "1e7bfb2134dfec37ce04fb3a4ca89299e892d10c", "tree": "99c676262e696754dcbfb2d6f59499972cd0c38c", "parents": [ "c4ea37c26a691ad0b7e86aa5884aab27830e95c9" ], "author": { "name": "Heiko Carstens", "email": "heiko.carstens@de.ibm.com", "time": "Wed Jan 14 14:14:29 2009 +0100" }, "committer": { "name": "Heiko Carstens", "email": "heiko.carstens@de.ibm.com", "time": "Wed Jan 14 14:15:29 2009 +0100" }, "message": "[CVE-2009-0029] System call wrappers part 27\n\nSigned-off-by: Heiko Carstens \u003cheiko.carstens@de.ibm.com\u003e\n" }, { "commit": "90bd49ab6649269cd10d0edc86d0e0f62864726a", "tree": "504e95359f2e021ae1ba4c53a1000dd08ad63c55", "parents": [ "6a94cb73064c952255336cc57731904174b2c58f" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Dec 29 14:35:35 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 01 10:32:44 2009 +1100" }, "message": "keys: fix sparse warning by adding __user annotation to cast\n\nFix the following sparse warning:\n\n CC security/keys/key.o\n security/keys/keyctl.c:1297:10: warning: incorrect type in argument 2 (different address spaces)\n security/keys/keyctl.c:1297:10: expected char [noderef] \u003casn:1\u003e*buffer\n security/keys/keyctl.c:1297:10: got char *\u003cnoident\u003e\n\nwhich appears to be caused by lack of __user annotation to the cast of\na syscall argument.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "eca1bf5b4fab56d2feb1572d34d59fcd92ea7df3", "tree": "58ce85049625d01d52f3b32a6035bce9dbbc4ebf", "parents": [ "3c92ec8ae91ecf59d88c798301833d7cf83f2179" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Dec 29 00:41:51 2008 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Dec 29 14:24:43 2008 +1100" }, "message": "KEYS: Fix variable uninitialisation warnings\n\nFix variable uninitialisation warnings introduced in:\n\n\tcommit 8bbf4976b59fc9fc2861e79cab7beb3f6d647640\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Fri Nov 14 10:39:14 2008 +1100\n\n\tKEYS: Alter use of key instantiation link-to-keyring argument\n\nAs:\n\n security/keys/keyctl.c: In function \u0027keyctl_negate_key\u0027:\n security/keys/keyctl.c:976: warning: \u0027dest_keyring\u0027 may be used uninitialized in this function\n security/keys/keyctl.c: In function \u0027keyctl_instantiate_key\u0027:\n security/keys/keyctl.c:898: warning: \u0027dest_keyring\u0027 may be used uninitialized in this function\n\nSome versions of gcc notice that get_instantiation_key() doesn\u0027t always set\n*_dest_keyring, but fail to observe that if this happens then *_dest_keyring\nwill not be read by the caller.\n\nReported-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d", "tree": "8f95617996d0974507f176163459212a7def8b9a", "parents": [ "d84f4f992cbd76e8f39c488cf0c5d123843923b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Make execve() take advantage of copy-on-write credentials\n\nMake execve() take advantage of copy-on-write credentials, allowing it to set\nup the credentials in advance, and then commit the whole lot after the point\nof no return.\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n The credential bits from struct linux_binprm are, for the most part,\n replaced with a single credentials pointer (bprm-\u003ecred). This means that\n all the creds can be calculated in advance and then applied at the point\n of no return with no possibility of failure.\n\n I would like to replace bprm-\u003ecap_effective with:\n\n\tcap_isclear(bprm-\u003ecap_effective)\n\n but this seems impossible due to special behaviour for processes of pid 1\n (they always retain their parent\u0027s capability masks where normally they\u0027d\n be changed - see cap_bprm_set_creds()).\n\n The following sequence of events now happens:\n\n (a) At the start of do_execve, the current task\u0027s cred_exec_mutex is\n \t locked to prevent PTRACE_ATTACH from obsoleting the calculation of\n \t creds that we make.\n\n (a) prepare_exec_creds() is then called to make a copy of the current\n \t task\u0027s credentials and prepare it. This copy is then assigned to\n \t bprm-\u003ecred.\n\n \t This renders security_bprm_alloc() and security_bprm_free()\n \t unnecessary, and so they\u0027ve been removed.\n\n (b) The determination of unsafe execution is now performed immediately\n \t after (a) rather than later on in the code. The result is stored in\n \t bprm-\u003eunsafe for future reference.\n\n (c) prepare_binprm() is called, possibly multiple times.\n\n \t (i) This applies the result of set[ug]id binaries to the new creds\n \t attached to bprm-\u003ecred. Personality bit clearance is recorded,\n \t but now deferred on the basis that the exec procedure may yet\n \t fail.\n\n (ii) This then calls the new security_bprm_set_creds(). This should\n\t calculate the new LSM and capability credentials into *bprm-\u003ecred.\n\n\t This folds together security_bprm_set() and parts of\n\t security_bprm_apply_creds() (these two have been removed).\n\t Anything that might fail must be done at this point.\n\n (iii) bprm-\u003ecred_prepared is set to 1.\n\n\t bprm-\u003ecred_prepared is 0 on the first pass of the security\n\t calculations, and 1 on all subsequent passes. This allows SELinux\n\t in (ii) to base its calculations only on the initial script and\n\t not on the interpreter.\n\n (d) flush_old_exec() is called to commit the task to execution. This\n \t performs the following steps with regard to credentials:\n\n\t (i) Clear pdeath_signal and set dumpable on certain circumstances that\n\t may not be covered by commit_creds().\n\n (ii) Clear any bits in current-\u003epersonality that were deferred from\n (c.i).\n\n (e) install_exec_creds() [compute_creds() as was] is called to install the\n \t new credentials. This performs the following steps with regard to\n \t credentials:\n\n (i) Calls security_bprm_committing_creds() to apply any security\n requirements, such as flushing unauthorised files in SELinux, that\n must be done before the credentials are changed.\n\n\t This is made up of bits of security_bprm_apply_creds() and\n\t security_bprm_post_apply_creds(), both of which have been removed.\n\t This function is not allowed to fail; anything that might fail\n\t must have been done in (c.ii).\n\n (ii) Calls commit_creds() to apply the new credentials in a single\n assignment (more or less). Possibly pdeath_signal and dumpable\n should be part of struct creds.\n\n\t (iii) Unlocks the task\u0027s cred_replace_mutex, thus allowing\n\t PTRACE_ATTACH to take place.\n\n (iv) Clears The bprm-\u003ecred pointer as the credentials it was holding\n are now immutable.\n\n (v) Calls security_bprm_committed_creds() to apply any security\n alterations that must be done after the creds have been changed.\n SELinux uses this to flush signals and signal handlers.\n\n (f) If an error occurs before (d.i), bprm_free() will call abort_creds()\n \t to destroy the proposed new credentials and will then unlock\n \t cred_replace_mutex. No changes to the credentials will have been\n \t made.\n\n (2) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_bprm_alloc(), -\u003ebprm_alloc_security()\n (*) security_bprm_free(), -\u003ebprm_free_security()\n\n \t Removed in favour of preparing new credentials and modifying those.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n (*) security_bprm_post_apply_creds(), -\u003ebprm_post_apply_creds()\n\n \t Removed; split between security_bprm_set_creds(),\n \t security_bprm_committing_creds() and security_bprm_committed_creds().\n\n (*) security_bprm_set(), -\u003ebprm_set_security()\n\n \t Removed; folded into security_bprm_set_creds().\n\n (*) security_bprm_set_creds(), -\u003ebprm_set_creds()\n\n \t New. The new credentials in bprm-\u003ecreds should be checked and set up\n \t as appropriate. bprm-\u003ecred_prepared is 0 on the first call, 1 on the\n \t second and subsequent calls.\n\n (*) security_bprm_committing_creds(), -\u003ebprm_committing_creds()\n (*) security_bprm_committed_creds(), -\u003ebprm_committed_creds()\n\n \t New. Apply the security effects of the new credentials. This\n \t includes closing unauthorised files in SELinux. This function may not\n \t fail. When the former is called, the creds haven\u0027t yet been applied\n \t to the process; when the latter is called, they have.\n\n \t The former may access bprm-\u003ecred, the latter may not.\n\n (3) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) The bprm_security_struct struct has been removed in favour of using\n \t the credentials-under-construction approach.\n\n (c) flush_unauthorized_files() now takes a cred pointer and passes it on\n \t to inode_has_perm(), file_has_perm() and dentry_open().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bb952bb98a7e479262c7eb25d5592545a3af147d", "tree": "9a2158c07a22a5fbddcec412944d2e7534eecc8f", "parents": [ "275bb41e9d058fbb327e7642f077e1beaeac162e" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:20 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:20 2008 +1100" }, "message": "CRED: Separate per-task-group keyrings from signal_struct\n\nSeparate per-task-group keyrings from signal_struct and dangle their anchor\nfrom the cred struct rather than the signal_struct.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c69e8d9c01db2adc503464993c358901c9af9de4", "tree": "bed94aaa9aeb7a7834d1c880f72b62a11a752c78", "parents": [ "86a264abe542cfececb4df129bc45a0338d8cdb9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "message": "CRED: Use RCU to access another task\u0027s creds and to release a task\u0027s own creds\n\nUse RCU to access another task\u0027s creds and to release a task\u0027s own creds.\nThis means that it will be possible for the credentials of a task to be\nreplaced without another task (a) requiring a full lock to read them, and (b)\nseeing deallocated memory.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "86a264abe542cfececb4df129bc45a0338d8cdb9", "tree": "30152f04ba847f311028d5ca697f864c16c7ebb3", "parents": [ "f1752eec6145c97163dbce62d17cf5d928e28a27" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:18 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:18 2008 +1100" }, "message": "CRED: Wrap current-\u003ecred and a few other accessors\n\nWrap current-\u003ecred and a few other accessors to hide their actual\nimplementation.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a", "tree": "9e76f972eb7ce9b84e0146c8e4126a3f86acb428", "parents": [ "15a2460ed0af7538ca8e6c610fe607a2cd9da142" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "message": "CRED: Separate task security context from task_struct\n\nSeparate the task security context from task_struct. At this point, the\nsecurity data is temporarily embedded in the task_struct with two pointers\npointing to it.\n\nNote that the Alpha arch is altered as it refers to (E)UID and (E)GID in\nentry.S via asm-offsets.\n\nWith comment fixes Signed-off-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8bbf4976b59fc9fc2861e79cab7beb3f6d647640", "tree": "9bd621217cbdfcf94aca5b220de7363254d7fc23", "parents": [ "e9e349b051d98799b743ebf248cc2d986fedf090" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "message": "KEYS: Alter use of key instantiation link-to-keyring argument\n\nAlter the use of the key instantiation and negation functions\u0027 link-to-keyring\narguments. Currently this specifies a keyring in the target process to link\nthe key into, creating the keyring if it doesn\u0027t exist. This, however, can be\na problem for copy-on-write credentials as it means that the instantiating\nprocess can alter the credentials of the requesting process.\n\nThis patch alters the behaviour such that:\n\n (1) If keyctl_instantiate_key() or keyctl_negate_key() are given a specific\n keyring by ID (ringid \u003e\u003d 0), then that keyring will be used.\n\n (2) If keyctl_instantiate_key() or keyctl_negate_key() are given one of the\n special constants that refer to the requesting process\u0027s keyrings\n (KEY_SPEC_*_KEYRING, all \u003c\u003d 0), then:\n\n (a) If sys_request_key() was given a keyring to use (destringid) then the\n \t key will be attached to that keyring.\n\n (b) If sys_request_key() was given a NULL keyring, then the key being\n \t instantiated will be attached to the default keyring as set by\n \t keyctl_set_reqkey_keyring().\n\n (3) No extra link will be made.\n\nDecision point (1) follows current behaviour, and allows those instantiators\nwho\u0027ve searched for a specifically named keyring in the requestor\u0027s keyring so\nas to partition the keys by type to still have their named keyrings.\n\nDecision point (2) allows the requestor to make sure that the key or keys that\nget produced by request_key() go where they want, whilst allowing the\ninstantiator to request that the key is retained. This is mainly useful for\nsituations where the instantiator makes a secondary request, the key for which\nshould be retained by the initial requestor:\n\n\t+-----------+ +--------------+ +--------------+\n\t| | | | | |\n\t| Requestor |-------\u003e| Instantiator |-------\u003e| Instantiator |\n\t| | | | | |\n\t+-----------+ +--------------+ +--------------+\n\t request_key() request_key()\n\nThis might be useful, for example, in Kerberos, where the requestor requests a\nticket, and then the ticket instantiator requests the TGT, which someone else\nthen has to go and fetch. The TGT, however, should be retained in the\nkeyrings of the requestor, not the first instantiator. To make this explict\nan extra special keyring constant is also added.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e9e349b051d98799b743ebf248cc2d986fedf090", "tree": "d59a46ae39d81d27bcf605663ce0e24d1c6db375", "parents": [ "76aac0e9a17742e60d408be1a706e9aaad370891" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:13 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:13 2008 +1100" }, "message": "KEYS: Disperse linux/key_ui.h\n\nDisperse the bits of linux/key_ui.h as the reason they were put here (keyfs)\ndidn\u0027t get in.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "47d804bfa1857b0edcac972c86499dcd14df3cf2", "tree": "200b2d1190e29be40c771bf6a4e0db0ef9e7d383", "parents": [ "8192b0c482d7078fcdcb4854341b977426f6f09b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:11 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:11 2008 +1100" }, "message": "CRED: Wrap task credential accesses in the key management code\n\nWrap access to task credentials so that they can be separated more easily from\nthe task_struct during the introduction of COW creds.\n\nChange most current-\u003e(|e|s|fs)[ug]id to current_(|e|s|fs)[ug]id().\n\nChange some task-\u003ee?[ug]id to task_e?[ug]id(). In some places it makes more\nsense to use RCU directly rather than a convenient wrapper; these will be\naddressed by later patches.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "dba6a4d32d8677c99e73798d3375417f8a6d46de", "tree": "1011eef6e948f2db35805c017324648e1eddb61a", "parents": [ "37340746a66e5e7feed5945f28cb75d90a8fd9f6" ], "author": { "name": "Daniel Walker", "email": "dwalker@mvista.com", "time": "Thu Jun 05 22:46:32 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jun 06 11:29:11 2008 -0700" }, "message": "keys: remove unused key_alloc_sem\n\nThis semaphore doesn\u0027t appear to be used, so remove it.\n\nSigned-off-by: Daniel Walker \u003cdwalker@mvista.com\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "fdb89bce6c9ccb17dae13ec43a25d2fdd405233f", "tree": "1b6c0e38bc194758e7d6ad2cbb509977900591b9", "parents": [ "0b77f5bfb45c13e1e5142374f9d6ca75292252a4" ], "author": { "name": "Robert P. J. Day", "email": "rpjday@crashcourse.ca", "time": "Tue Apr 29 01:01:32 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:17 2008 -0700" }, "message": "keys: explicitly include required slab.h header file.\n\nSince these two source files invoke kmalloc(), they should explicitly\ninclude \u003clinux/slab.h\u003e.\n\nSigned-off-by: Robert P. J. Day \u003crpjday@crashcourse.ca\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "0b77f5bfb45c13e1e5142374f9d6ca75292252a4", "tree": "cf62055536d267e9a4abe6518e5d9f683a1ceb75", "parents": [ "69664cf16af4f31cd54d77948a4baf9c7e0ca7b9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:32 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:17 2008 -0700" }, "message": "keys: make the keyring quotas controllable through /proc/sys\n\nMake the keyring quotas controllable through /proc/sys files:\n\n (*) /proc/sys/kernel/keys/root_maxkeys\n /proc/sys/kernel/keys/root_maxbytes\n\n Maximum number of keys that root may have and the maximum total number of\n bytes of data that root may have stored in those keys.\n\n (*) /proc/sys/kernel/keys/maxkeys\n /proc/sys/kernel/keys/maxbytes\n\n Maximum number of keys that each non-root user may have and the maximum\n total number of bytes of data that each of those users may have stored in\n their keys.\n\nAlso increase the quotas as a number of people have been complaining that it\u0027s\nnot big enough. I\u0027m not sure that it\u0027s big enough now either, but on the\nother hand, it can now be set in /etc/sysctl.conf.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: \u003ckwc@citi.umich.edu\u003e\nCc: \u003carunsr@cse.iitk.ac.in\u003e\nCc: \u003cdwalsh@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "69664cf16af4f31cd54d77948a4baf9c7e0ca7b9", "tree": "3ff4ecae21c140a2beed25cfa9e55b788f9814ac", "parents": [ "6b79ccb5144f9ffb4d4596c23e7570238dd12abc" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:31 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:17 2008 -0700" }, "message": "keys: don\u0027t generate user and user session keyrings unless they\u0027re accessed\n\nDon\u0027t generate the per-UID user and user session keyrings unless they\u0027re\nexplicitly accessed. This solves a problem during a login process whereby\nset*uid() is called before the SELinux PAM module, resulting in the per-UID\nkeyrings having the wrong security labels.\n\nThis also cures the problem of multiple per-UID keyrings sometimes appearing\ndue to PAM modules (including pam_keyinit) setuiding and causing user_structs\nto come into and go out of existence whilst the session keyring pins the user\nkeyring. This is achieved by first searching for extant per-UID keyrings\nbefore inventing new ones.\n\nThe serial bound argument is also dropped from find_keyring_by_name() as it\u0027s\nnot currently made use of (setting it to 0 disables the feature).\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: \u003ckwc@citi.umich.edu\u003e\nCc: \u003carunsr@cse.iitk.ac.in\u003e\nCc: \u003cdwalsh@redhat.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "6b79ccb5144f9ffb4d4596c23e7570238dd12abc", "tree": "e674339e9f86c3607304496792b417b0ed66de6f", "parents": [ "da91d2ef9fe4fd84cc0a8a729201d38e40ac9f2e" ], "author": { "name": "Arun Raghavan", "email": "arunsr@cse.iitk.ac.in", "time": "Tue Apr 29 01:01:28 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: allow clients to set key perms in key_create_or_update()\n\nThe key_create_or_update() function provided by the keyring code has a default\nset of permissions that are always applied to the key when created. This\nmight not be desirable to all clients.\n\nHere\u0027s a patch that adds a \"perm\" parameter to the function to address this,\nwhich can be set to KEY_PERM_UNDEF to revert to the current behaviour.\n\nSigned-off-by: Arun Raghavan \u003carunsr@cse.iitk.ac.in\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Satyam Sharma \u003cssatyam@cse.iitk.ac.in\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "da91d2ef9fe4fd84cc0a8a729201d38e40ac9f2e", "tree": "091f2781c5256eac28665a1512038fe07227f9b0", "parents": [ "70a5bb72b55e82fbfbf1e22cae6975fac58a1e2d" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@sw.ru", "time": "Tue Apr 29 01:01:27 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: switch to proc_create()\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@sw.ru\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "70a5bb72b55e82fbfbf1e22cae6975fac58a1e2d", "tree": "8e6dcaf5630388d81b23845f293789f2d6a3596b", "parents": [ "4a38e122e2cc6294779021ff4ccc784a3997059e" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:26 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: add keyctl function to get a security label\n\nAdd a keyctl() function to get the security label of a key.\n\nThe following is added to Documentation/keys.txt:\n\n (*) Get the LSM security context attached to a key.\n\n\tlong keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer,\n\t\t size_t buflen)\n\n This function returns a string that represents the LSM security context\n attached to a key in the buffer provided.\n\n Unless there\u0027s an error, it always returns the amount of data it could\n produce, even if that\u0027s too big for the buffer, but it won\u0027t copy more\n than requested to userspace. If the buffer pointer is NULL then no copy\n will take place.\n\n A NUL character is included at the end of the string if the buffer is\n sufficiently big. This is included in the returned count. If no LSM is\n in force then an empty string will be returned.\n\n A process must have view permission on the key for this function to be\n successful.\n\n[akpm@linux-foundation.org: declare keyctl_get_security()]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4a38e122e2cc6294779021ff4ccc784a3997059e", "tree": "84b401b44e0550b04f831d98a91eacfd7cffb51d", "parents": [ "dceba9944181b1fd5993417b5c8fa0e3dda38f8d" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:24 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: allow the callout data to be passed as a blob rather than a string\n\nAllow the callout data to be passed as a blob rather than a string for\ninternal kernel services that call any request_key_*() interface other than\nrequest_key(). request_key() itself still takes a NUL-terminated string.\n\nThe functions that change are:\n\n\trequest_key_with_auxdata()\n\trequest_key_async()\n\trequest_key_async_with_auxdata()\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "dceba9944181b1fd5993417b5c8fa0e3dda38f8d", "tree": "697e247a7a99c81af7ba4d7ad5d9cdf9941b3741", "parents": [ "38bbca6b6f164e08a4a9cdfd719fff679af98375" ], "author": { "name": "Kevin Coffman", "email": "kwc@citi.umich.edu", "time": "Tue Apr 29 01:01:22 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: check starting keyring as part of search\n\nCheck the starting keyring as part of the search to (a) see if that is what\nwe\u0027re searching for, and (b) to check it is still valid for searching.\n\nThe scenario: User in process A does things that cause things to be created in\nits process session keyring. The user then does an su to another user and\nstarts a new process, B. The two processes now share the same process session\nkeyring.\n\nProcess B does an NFS access which results in an upcall to gssd. When gssd\nattempts to instantiate the context key (to be linked into the process session\nkeyring), it is denied access even though it has an authorization key.\n\nThe order of calls is:\n\n keyctl_instantiate_key()\n lookup_user_key()\t\t\t\t (the default: case)\n search_process_keyrings(current)\n\t search_process_keyrings(rka-\u003econtext) (recursive call)\n\t keyring_search_aux()\n\nkeyring_search_aux() verifies the keys and keyrings underneath the top-level\nkeyring it is given, but that top-level keyring is neither fully validated nor\nchecked to see if it is the thing being searched for.\n\nThis patch changes keyring_search_aux() to:\n1) do more validation on the top keyring it is given and\n2) check whether that top-level keyring is the thing being searched for\n\nSigned-off-by: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nCc: Trond Myklebust \u003ctrond.myklebust@fys.uio.no\u003e\nCc: \"J. Bruce Fields\" \u003cbfields@fieldses.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "38bbca6b6f164e08a4a9cdfd719fff679af98375", "tree": "c4d4839e57bbcbae1ecfa7867b810c6203b0d601", "parents": [ "4220b7fe89f8c0623e09168ab81dd0da2fdadd72" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:19 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: increase the payload size when instantiating a key\n\nIncrease the size of a payload that can be used to instantiate a key in\nadd_key() and keyctl_instantiate_key(). This permits huge CIFS SPNEGO blobs\nto be passed around. The limit is raised to 1MB. If kmalloc() can\u0027t allocate\na buffer of sufficient size, vmalloc() will be tried instead.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nCc: Steven French \u003csfrench@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "dd6f953adb5c4deb9cd7b6a5054e7d5eafe4ed71", "tree": "0ed459ca8da43b7e0486c8f0a840845a731920bf", "parents": [ "b0c636b99997c8594da6a46e166ce4fcf6956fda" ], "author": { "name": "Harvey Harrison", "email": "harvey.harrison@gmail.com", "time": "Thu Mar 06 10:03:59 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 18 20:26:07 2008 +1000" }, "message": "security: replace remaining __FUNCTION__ occurrences\n\n__FUNCTION__ is gcc-specific, use __func__\n\nSigned-off-by: Harvey Harrison \u003charvey.harrison@gmail.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e231c2ee64eb1c5cd3c63c31da9dac7d888dcf7f", "tree": "d4b17ef65960594681397a3acac02c2d248200b5", "parents": [ "d1bc8e95445224276d7896b8b08cbb0b28a0ca80" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Feb 07 00:15:26 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Feb 07 08:42:26 2008 -0800" }, "message": "Convert ERR_PTR(PTR_ERR(p)) instances to ERR_CAST(p)\n\nConvert instances of ERR_PTR(PTR_ERR(p)) to ERR_CAST(p) using:\n\nperl -spi -e \u0027s/ERR_PTR[(]PTR_ERR[(](.*)[)][)]/ERR_CAST(\\1)/\u0027 `grep -rl \u0027ERR_PTR[(]*PTR_ERR\u0027 fs crypto net security`\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "1996a10948e50e546dc2b64276723c0b64d3173b", "tree": "971b235907b7c6911c21c9139e0ba85c5b84ef80", "parents": [ "63cb34492351078479b2d4bae6a881806a396286" ], "author": { "name": "Jan Engelhardt", "email": "jengelh@computergmbh.de", "time": "Wed Jan 23 00:02:58 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:54 2008 +1100" }, "message": "security/selinux: constify function pointer tables and fields\n\nConstify function pointer tables and fields.\n\nSigned-off-by: Jan Engelhardt \u003cjengelh@computergmbh.de\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "76181c134f87479fa13bf2548ddf2999055d34d4", "tree": "34694341c190e7ecdd3111ee48e4b98602ff012f", "parents": [ "398c95bdf2c24d7866692a40ba04425aef238cdd" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Oct 16 23:29:46 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:42:57 2007 -0700" }, "message": "KEYS: Make request_key() and co fundamentally asynchronous\n\nMake request_key() and co fundamentally asynchronous to make it easier for\nNFS to make use of them. There are now accessor functions that do\nasynchronous constructions, a wait function to wait for construction to\ncomplete, and a completion function for the key type to indicate completion\nof construction.\n\nNote that the construction queue is now gone. Instead, keys under\nconstruction are linked in to the appropriate keyring in advance, and that\nanyone encountering one must wait for it to be complete before they can use\nit. This is done automatically for userspace.\n\nThe following auxiliary changes are also made:\n\n (1) Key type implementation stuff is split from linux/key.h into\n linux/key-type.h.\n\n (2) AF_RXRPC provides a way to allocate null rxrpc-type keys so that AFS does\n not need to call key_instantiate_and_link() directly.\n\n (3) Adjust the debugging macros so that they\u0027re -Wformat checked even if\n they are disabled, and make it so they can be enabled simply by defining\n __KDEBUG to be consistent with other code of mine.\n\n (3) Documentation.\n\n[alan@lxorguk.ukuu.org.uk: keys: missing word in documentation]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "20c2df83d25c6a95affe6157a4c9cac4cf5ffaac", "tree": "415c4453d2b17a50abe7a3e515177e1fa337bd67", "parents": [ "64fb98fc40738ae1a98bcea9ca3145b89fb71524" ], "author": { "name": "Paul Mundt", "email": "lethal@linux-sh.org", "time": "Fri Jul 20 10:11:58 2007 +0900" }, "committer": { "name": "Paul Mundt", "email": "lethal@linux-sh.org", "time": "Fri Jul 20 10:11:58 2007 +0900" }, "message": "mm: Remove slab destructors from kmem_cache_create().\n\nSlab destructors were no longer supported after Christoph\u0027s\nc59def9f222d44bb7e2f0a559f2906191a0862d7 change. They\u0027ve been\nBUGs for both slab and slub, and slob never supported them\neither.\n\nThis rips out support for the dtor pointer from kmem_cache_create()\ncompletely and fixes up every single callsite in the kernel (there were\nabout 224, not including the slab allocator definitions themselves,\nor the documentation references).\n\nSigned-off-by: Paul Mundt \u003clethal@linux-sh.org\u003e\n" }, { "commit": "86313c488a6848b7ec2ba04e74f25f79dd32a0b7", "tree": "3b190f7afc338362470573b563f65a1eb83795ac", "parents": [ "10a0a8d4e3f6bf2d077f94344441909abe670f5a" ], "author": { "name": "Jeremy Fitzhardinge", "email": "jeremy@xensource.com", "time": "Tue Jul 17 18:37:03 2007 -0700" }, "committer": { "name": "Jeremy Fitzhardinge", "email": "jeremy@goop.org", "time": "Wed Jul 18 08:47:40 2007 -0700" }, "message": "usermodehelper: Tidy up waiting\n\nRather than using a tri-state integer for the wait flag in\ncall_usermodehelper_exec, define a proper enum, and use that. I\u0027ve\npreserved the integer values so that any callers I\u0027ve missed should\nstill work OK.\n\nSigned-off-by: Jeremy Fitzhardinge \u003cjeremy@xensource.com\u003e\nCc: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\nCc: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Andi Kleen \u003cak@suse.de\u003e\nCc: Paul Mackerras \u003cpaulus@samba.org\u003e\nCc: Johannes Berg \u003cjohannes@sipsolutions.net\u003e\nCc: Ralf Baechle \u003cralf@linux-mips.org\u003e\nCc: Bjorn Helgaas \u003cbjorn.helgaas@hp.com\u003e\nCc: Joel Becker \u003cjoel.becker@oracle.com\u003e\nCc: Tony Luck \u003ctony.luck@intel.com\u003e\nCc: Kay Sievers \u003ckay.sievers@vrfy.org\u003e\nCc: Srivatsa Vaddagiri \u003cvatsa@in.ibm.com\u003e\nCc: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "7318226ea2931a627f3572e5f4804c91ca19ecbc", "tree": "d2492bb7e87a9c1740432c4dcde13e75ee46ad8d", "parents": [ "071b638689464c6b39407025eedd810d5b5e6f5d" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Apr 26 15:46:23 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Apr 26 15:46:23 2007 -0700" }, "message": "[AF_RXRPC]: Key facility changes for AF_RXRPC\n\nExport the keyring key type definition and document its availability.\n\nAdd alternative types into the key\u0027s type_data union to make it more useful.\nNot all users necessarily want to use it as a list_head (AF_RXRPC doesn\u0027t, for\nexample), so make it clear that it can be used in other ways.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "cd354f1ae75e6466a7e31b727faede57a1f89ca5", "tree": "09a2da1672465fefbc7fe06ff4e6084f1dd14c6b", "parents": [ "3fc605a2aa38899c12180ca311f1eeb61a6d867e" ], "author": { "name": "Tim Schmielau", "email": "tim@physik3.uni-rostock.de", "time": "Wed Feb 14 00:33:14 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Feb 14 08:09:54 2007 -0800" }, "message": "[PATCH] remove many unneeded #includes of sched.h\n\nAfter Al Viro (finally) succeeded in removing the sched.h #include in module.h\nrecently, it makes sense again to remove other superfluous sched.h includes.\nThere are quite a lot of files which include it but don\u0027t actually need\nanything defined in there. Presumably these includes were once needed for\nmacros that used to live in sched.h, but moved to other header files in the\ncourse of cleaning it up.\n\nTo ease the pain, this time I did not fiddle with any header files and only\nremoved #includes from .c-files, which tend to cause less trouble.\n\nCompile tested against 2.6.20-rc2 and 2.6.20-rc2-mm2 (with offsets) on alpha,\narm, i386, ia64, mips, powerpc, and x86_64 with allnoconfig, defconfig,\nallmodconfig, and allyesconfig as well as a few randconfigs on x86_64 and all\nconfigs in arch/arm/configs on arm. I also checked that no new warnings were\nintroduced by the patch (actually, some warnings are removed that were emitted\nby unnecessarily included header files).\n\nSigned-off-by: Tim Schmielau \u003ctim@physik3.uni-rostock.de\u003e\nAcked-by: Russell King \u003crmk+kernel@arm.linux.org.uk\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "9c2e08c592cd357a8330c34def1e8ecfdcf53275", "tree": "62e7449e43bb502f2e9630ab41832ceccd9a0f65", "parents": [ "da7071d7e32d15149cc513f096a3638097b66387" ], "author": { "name": "Arjan van de Ven", "email": "arjan@linux.intel.com", "time": "Mon Feb 12 00:55:37 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Feb 12 09:48:46 2007 -0800" }, "message": "[PATCH] mark struct file_operations const 9\n\nMany struct file_operations in the kernel can be \"const\". Marking them const\nmoves these to the .rodata section, which avoids false sharing with potential\ndirty data. In addition it\u0027ll catch accidental writes at compile time to\nthese shared resources.\n\nSigned-off-by: Arjan van de Ven \u003carjan@linux.intel.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "9ad0830f307bcd8dc285cfae58998d43b21727f4", "tree": "237119861640847301c6af758650b05ea353a1da", "parents": [ "768c242b30d9ec5581dd245e8289acb6b77815d1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Feb 06 13:45:51 2007 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 06 14:45:00 2007 -0800" }, "message": "[PATCH] Keys: Fix key serial number collision handling\n\nFix the key serial number collision avoidance code in key_alloc_serial().\n\nThis didn\u0027t use to be so much of a problem as the key serial numbers were\nallocated from a simple incremental counter, and it would have to go through\ntwo billion keys before it could possibly encounter a collision. However, now\nthat random numbers are used instead, collisions are much more likely.\n\nThis is fixed by finding a hole in the rbtree where the next unused serial\nnumber ought to be and using that by going almost back to the top of the\ninsertion routine and redoing the insertion with the new serial number rather\nthan trying to be clever and attempting to work out the insertion point\npointer directly.\n\nThis fixes kernel BZ #7727.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "6cfd76a26d9fe2ba54b9d496a48c1d9285e5c5ed", "tree": "1114a0630c5045d0650c6d78a8097fdea6f94d8e", "parents": [ "a4c410f00f7ca4bd448b0d63f6f882fd244dc991" ], "author": { "name": "Peter Zijlstra", "email": "a.p.zijlstra@chello.nl", "time": "Wed Dec 06 20:37:22 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.osdl.org", "time": "Thu Dec 07 08:39:36 2006 -0800" }, "message": "[PATCH] lockdep: name some old style locks\n\nName some of the remaning \u0027old_style_spin_init\u0027 locks\n\nSigned-off-by: Peter Zijlstra \u003ca.p.zijlstra@chello.nl\u003e\nAcked-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "48ad504ee7d598431cb2d0b2f01c6d1aff1d2a07", "tree": "52862e12cdca605b04959fc0fa28164dc015013b", "parents": [ "7cf9c2c76c1a17b32f2da85b50cd4fe468ed44b5" ], "author": { "name": "Eric Sesterhenn", "email": "snakebyte@gmx.de", "time": "Wed Dec 06 20:33:47 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.osdl.org", "time": "Thu Dec 07 08:39:25 2006 -0800" }, "message": "[PATCH] security/keys/*: user kmemdup()\n\nSigned-off-by: Eric Sesterhenn \u003csnakebyte@gmx.de\u003e\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nAcked-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "e18b890bb0881bbab6f4f1a6cd20d9c60d66b003", "tree": "4828be07e1c24781c264b42c5a75bcd968223c3f", "parents": [ "441e143e95f5aa1e04026cb0aa71c801ba53982f" ], "author": { "name": "Christoph Lameter", "email": "clameter@sgi.com", "time": "Wed Dec 06 20:33:20 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.osdl.org", "time": "Thu Dec 07 08:39:25 2006 -0800" }, "message": "[PATCH] slab: remove kmem_cache_t\n\nReplace all uses of kmem_cache_t with struct kmem_cache.\n\nThe patch was generated using the following script:\n\n\t#!/bin/sh\n\t#\n\t# Replace one string by another in all the kernel sources.\n\t#\n\n\tset -e\n\n\tfor file in `find * -name \"*.c\" -o -name \"*.h\"|xargs grep -l $1`; do\n\t\tquilt add $file\n\t\tsed -e \"1,\\$s/$1/$2/g\" $file \u003e/tmp/$$\n\t\tmv /tmp/$$ $file\n\t\tquilt refresh\n\tdone\n\nThe script was run like this\n\n\tsh replace kmem_cache_t \"struct kmem_cache\"\n\nSigned-off-by: Christoph Lameter \u003cclameter@sgi.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "e94b1766097d53e6f3ccfb36c8baa562ffeda3fc", "tree": "93fa0a8ab84976d4e89c50768ca8b8878d642a0d", "parents": [ "54e6ecb23951b195d02433a741c7f7cb0b796c78" ], "author": { "name": "Christoph Lameter", "email": "clameter@sgi.com", "time": "Wed Dec 06 20:33:17 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.osdl.org", "time": "Thu Dec 07 08:39:24 2006 -0800" }, "message": "[PATCH] slab: remove SLAB_KERNEL\n\nSLAB_KERNEL is an alias of GFP_KERNEL.\n\nSigned-off-by: Christoph Lameter \u003cclameter@sgi.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "65f27f38446e1976cc98fd3004b110fedcddd189", "tree": "68f8be93feae31dfa018c22db392a05546b63ee1", "parents": [ "365970a1ea76d81cb1ad2f652acb605f06dae256" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Nov 22 14:55:48 2006 +0000" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Nov 22 14:55:48 2006 +0000" }, "message": "WorkStruct: Pass the work_struct pointer instead of context data\n\nPass the work_struct pointer to the work function rather than context data.\nThe work function can use container_of() to work out the data.\n\nFor the cases where the container of the work_struct may go away the moment the\npending bit is cleared, it is made possible to defer the release of the\nstructure by deferring the clearing of the pending bit.\n\nTo make this work, an extra flag is introduced into the management side of the\nwork_struct. This governs auto-release of the structure upon execution.\n\nOrdinarily, the work queue executor would release the work_struct for further\nscheduling or deallocation by clearing the pending bit prior to jumping to the\nwork function. This means that, unless the driver makes some guarantee itself\nthat the work_struct won\u0027t go away, the work function may not access anything\nelse in the work_struct or its container lest they be deallocated.. This is a\nproblem if the auxiliary data is taken away (as done by the last patch).\n\nHowever, if the pending bit is *not* cleared before jumping to the work\nfunction, then the work function *may* access the work_struct and its container\nwith no problems. But then the work function must itself release the\nwork_struct by calling work_release().\n\nIn most cases, automatic release is fine, so this is the default. Special\ninitiators exist for the non-auto-release case (ending in _NAR).\n\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "4e54f08543d05e519e601368571cc3787fefae96", "tree": "0cd9d982e5bb25abcb9251d26c36ff11e7dc81a5", "parents": [ "94583779e6625154e8d7fce33d097ae7d089e9de" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 29 02:24:28 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Thu Jun 29 10:26:20 2006 -0700" }, "message": "[PATCH] Keys: Allow in-kernel key requestor to pass auxiliary data to upcaller\n\nThe proposed NFS key type uses its own method of passing key requests to\nuserspace (upcalling) rather than invoking /sbin/request-key. This is\nbecause the responsible userspace daemon should already be running and will\nbe contacted through rpc_pipefs.\n\nThis patch permits the NFS filesystem to pass auxiliary data to the upcall\noperation (struct key_type::request_key) so that the upcaller can use a\npre-existing communications channel more easily.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-By: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "a7807a32bbb027ab9955b96734fdc7f1e6497a9f", "tree": "8ed62e305638e1b853f1c80b5bb7ed818418765c", "parents": [ "b3c681e09193559ba15f6c9562bd37045f120a96" ], "author": { "name": "Randy Dunlap", "email": "rdunlap@xenotime.net", "time": "Tue Jun 27 02:53:54 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Jun 27 17:32:38 2006 -0700" }, "message": "[PATCH] poison: add \u0026 use more constants\n\nAdd more poison values to include/linux/poison.h. It\u0027s not clear to me\nwhether some others should be added or not, so I haven\u0027t added any of\nthese:\n\n./include/linux/libata.h:#define ATA_TAG_POISON\t\t0xfafbfcfdU\n./arch/ppc/8260_io/fcc_enet.c:1918:\tmemset((char *)(\u0026(immap-\u003eim_dprambase[(mem_addr+64)])), 0x88, 32);\n./drivers/usb/mon/mon_text.c:429:\tmemset(mem, 0xe5, sizeof(struct mon_event_text));\n./drivers/char/ftape/lowlevel/ftape-ctl.c:738:\t\tmemset(ft_buffer[i]-\u003eaddress, 0xAA, FT_BUFF_SIZE);\n./drivers/block/sx8.c:/* 0xf is just arbitrary, non-zero noise; this is sorta like poisoning */\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "06ec7be557a1259611d6093a00463c42650dc71a", "tree": "b83cdbc8405e0a174939d36e4fe40fb8adb51071", "parents": [ "e51f6d343789a4f0a2a7587ad7ec7746969d5c1c" ], "author": { "name": "Michael LeMay", "email": "mdlemay@epoch.ncsc.mil", "time": "Mon Jun 26 00:24:56 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: restrict contents of /proc/keys to Viewable keys\n\nRestrict /proc/keys such that only those keys to which the current task is\ngranted View permission are presented.\n\nThe documentation is also updated to reflect these changes.\n\nSigned-off-by: Michael LeMay \u003cmdlemay@epoch.ncsc.mil\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "e51f6d343789a4f0a2a7587ad7ec7746969d5c1c", "tree": "39ca4e05c0dda995f3eaaea1aaa2c8689003f1d0", "parents": [ "5801649d8b83e7cb9b15839761bdee594653c294" ], "author": { "name": "Michael LeMay", "email": "mdlemay@epoch.ncsc.mil", "time": "Mon Jun 26 00:24:54 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: allocate key serial numbers randomly\n\nCause key_alloc_serial() to generate key serial numbers randomly rather than\nin linear sequence.\n\nUsing an linear sequence permits a covert communication channel to be\nestablished, in which one process can communicate with another by creating or\nnot creating new keys within a certain timeframe. The second process can\nprobe for the expected next key serial number and judge its existence by the\nerror returned.\n\nThis is a problem as the serial number namespace is globally shared between\nall tasks, regardless of their context.\n\nFor more information on this topic, this old TCSEC guide is recommended:\n\n\thttp://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-030.html\n\nSigned-off-by: Michael LeMay \u003cmdlemay@epoch.ncsc.mil\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "5801649d8b83e7cb9b15839761bdee594653c294", "tree": "4534b606908596651a533b2f51418444b5a1e705", "parents": [ "31204ed925b067d2bb65adb89501656f8274a32a" ], "author": { "name": "Fredrik Tolf", "email": "fredrik@dolda2000.com", "time": "Mon Jun 26 00:24:51 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: let keyctl_chown() change a key\u0027s owner\n\nLet keyctl_chown() change a key\u0027s owner, including attempting to transfer the\nquota burden to the new user.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "31204ed925b067d2bb65adb89501656f8274a32a", "tree": "a5c3e5101e9f79bf39672f02c0eea573e7a47cb8", "parents": [ "7e047ef5fe2d52e83020e856b1bf2556a6a2ce98" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Jun 26 00:24:51 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: discard the contents of a key on revocation\n\nCause the keys linked to a keyring to be unlinked from it when revoked and it\ncauses the data attached to a user-defined key to be discarded when revoked.\n\nThis frees up most of the quota a key occupied at that point, rather than\nwaiting for the key to actually be destroyed.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "7e047ef5fe2d52e83020e856b1bf2556a6a2ce98", "tree": "97656e2c56a27be9d1da451dde627b693b8643f2", "parents": [ "f116629d03655adaf7832b93b03c99391d09d4a7" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Jun 26 00:24:50 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: sort out key quota system\n\nAdd the ability for key creation to overrun the user\u0027s quota in some\ncircumstances - notably when a session keyring is created and assigned to a\nprocess that didn\u0027t previously have one.\n\nThis means it\u0027s still possible to log in, should PAM require the creation of a\nnew session keyring, and fix an overburdened key quota.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "04c567d9313e4927b9835361d8ac0318ce65af6b", "tree": "d040ef59337342603f2cc30917493fb6a74a212a", "parents": [ "d720024e94de4e8b7f10ee83c532926f3ad5d708" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 22 14:47:18 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Thu Jun 22 15:05:56 2006 -0700" }, "message": "[PATCH] Keys: Fix race between two instantiators of a key\n\nAdd a revocation notification method to the key type and calls it whilst\nthe key\u0027s semaphore is still write-locked after setting the revocation\nflag.\n\nThe patch then uses this to maintain a reference on the task_struct of the\nprocess that calls request_key() for as long as the authorisation key\nremains unrevoked.\n\nThis fixes a potential race between two processes both of which have\nassumed the authority to instantiate a key (one may have forked the other\nfor example). The problem is that there\u0027s no locking around the check for\nrevocation of the auth key and the use of the task_struct it points to, nor\ndoes the auth key keep a reference on the task_struct.\n\nAccess to the \"context\" pointer in the auth key must thenceforth be done\nwith the auth key semaphore held. The revocation method is called with the\ntarget key semaphore held write-locked and the search of the context\nprocess\u0027s keyrings is done with the auth key semaphore read-locked.\n\nThe check for the revocation state of the auth key just prior to searching\nit is done after the auth key is read-locked for the search. This ensures\nthat the auth key can\u0027t be revoked between the check and the search.\n\nThe revocation notification method is added so that the context task_struct\ncan be released as soon as instantiation happens rather than waiting for\nthe auth key to be destroyed, thus avoiding the unnecessary pinning of the\nrequesting process.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "d720024e94de4e8b7f10ee83c532926f3ad5d708", "tree": "8f21613c29a26bfbeb334cb0104b8b998b09fbdc", "parents": [ "f893afbe1262e27e91234506f72e17716190dd2f" ], "author": { "name": "Michael LeMay", "email": "mdlemay@epoch.ncsc.mil", "time": "Thu Jun 22 14:47:17 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Thu Jun 22 15:05:55 2006 -0700" }, "message": "[PATCH] selinux: add hooks for key subsystem\n\nIntroduce SELinux hooks to support the access key retention subsystem\nwithin the kernel. Incorporate new flask headers from a modified version\nof the SELinux reference policy, with support for the new security class\nrepresenting retained keys. Extend the \"key_alloc\" security hook with a\ntask parameter representing the intended ownership context for the key\nbeing allocated. Attach security information to root\u0027s default keyrings\nwithin the SELinux initialization routine.\n\nHas passed David\u0027s testsuite.\n\nSigned-off-by: Michael LeMay \u003cmdlemay@epoch.ncsc.mil\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" } ], "next": "fed306f2baa170220b0299198a39c6be2a91bf19" }