)]}' { "log": [ { "commit": "3cfc2c42c1cbc8e238bb9c0612c0df4565e3a8b4", "tree": "5adc1ff2eaf64d450bf28bb6b2ce890db2567288", "parents": [ "5cf65713f87775c548e3eb48dbafa32e12f28000", "0ea6e61122196509af82cc4f36cbdaacbefb8227" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Aug 04 15:31:02 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Aug 04 15:31:02 2010 -0700" }, "message": "Merge branch \u0027for-next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial\n\n* \u0027for-next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (48 commits)\n Documentation: update broken web addresses.\n fix comment typo \"choosed\" -\u003e \"chosen\"\n hostap:hostap_hw.c Fix typo in comment\n Fix spelling contorller -\u003e controller in comments\n Kconfig.debug: FAIL_IO_TIMEOUT: typo Faul -\u003e Fault\n fs/Kconfig: Fix typo Userpace -\u003e Userspace\n Removing dead MACH_U300_BS26\n drivers/infiniband: Remove unnecessary casts of private_data\n fs/ocfs2: Remove unnecessary casts of private_data\n libfc: use ARRAY_SIZE\n scsi: bfa: use ARRAY_SIZE\n drm: i915: use ARRAY_SIZE\n drm: drm_edid: use ARRAY_SIZE\n synclink: use ARRAY_SIZE\n block: cciss: use ARRAY_SIZE\n comment typo fixes: charater \u003d\u003e character\n fix comment typos concerning \"challenge\"\n arm: plat-spear: fix typo in kerneldoc\n reiserfs: typo comment fix\n update email address\n ...\n" }, { "commit": "d09ca73979460b96d5d4684d588b188be9a1f57d", "tree": "217543affc5c1c76181ffca00c23cfa69f1dd4f6", "parents": [ "9cfcac810e8993fa7a5bfd24b1a21f1dbbb03a7b" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:43:57 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:07 2010 +1000" }, "message": "security: make LSMs explicitly mask off permissions\n\nSELinux needs to pass the MAY_ACCESS flag so it can handle auditting\ncorrectly. Presently the masking of MAY_* flags is done in the VFS. In\norder to allow LSMs to decide what flags they care about and what flags\nthey don\u0027t just pass them all and the each LSM mask off what they don\u0027t\nneed. This patch should contain no functional changes to either the VFS or\nany LSM.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "af4f136056c984b0aa67feed7d3170b958370b2f", "tree": "30b62cd9174044cbdfdddc1fe5e0f21e7ddde85c", "parents": [ "5ad18a0d59ba9e65b3c8b2b489fd23bc6b3daf94" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Thu Jul 01 15:07:43 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:57 2010 +1000" }, "message": "security: move LSM xattrnames to xattr.h\n\nMake the security extended attributes names global. Updated to move\nthe remaining Smack xattrs.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3e62cbb8436f6c0cb799c8b7f106de7f662a7b8d", "tree": "d36565a4a6f7e0372a1fd9a8750b005635c9c335", "parents": [ "c3ef1500ec833890275172c7d063333404b64d60" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Tue Jun 01 09:14:04 2010 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:33:39 2010 +1000" }, "message": "smack: opt_dentry is never null in in smack_d_instantiate()\n\nThis patch removes some unneeded code for if opt_dentry is null because\nthat can never happen.\n\nThe function dereferences \"opt_dentry\" earlier when it checks\n\"if (opt_dentry-\u003ed_parent \u003d\u003d opt_dentry) {\". That code was added in\n2008.\n\nThis function called from security_d_instantiate(). I checked all the\nplaces which call security_d_instantiate() and dentry is always non-null.\nI also checked the selinux version of this hook and there is a comment\nwhich says that dentry should be non-null if called from\nd_instantiate().\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "421f91d21ad6f799dc7b489bb33cc560ccc56f98", "tree": "aaf9f6385233fdf9277e634603156c89ede7f770", "parents": [ "65155b3708137fabee865dc4da822763c0c41208" ], "author": { "name": "Uwe Kleine-König", "email": "u.kleine-koenig@pengutronix.de", "time": "Fri Jun 11 12:17:00 2010 +0200" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Wed Jun 16 18:05:05 2010 +0200" }, "message": "fix typos concerning \"initiali[zs]e\"\n\nSigned-off-by: Uwe Kleine-König \u003cu.kleine-koenig@pengutronix.de\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\n" }, { "commit": "0ffbe2699cda6afbe08501098dff8a8c2fe6ae09", "tree": "81b1a2305d16c873371b65c5a863c0268036cefe", "parents": [ "4e5d6f7ec3833c0da9cf34fa5c53c6058c5908b6", "7ebd467551ed6ae200d7835a84bbda0dcadaa511" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 10:56:07 2010 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 10:56:07 2010 +1000" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "98ec4373bab1d839f794e9a4edc29f77eb9d897e", "tree": "d1ad9adfa7551e7bbbe4d631162c66ae2804b89d", "parents": [ "c5b60b5e67af8be4c58d3ffcc36894f69c4fbdc1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Apr 23 12:48:12 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Apr 27 08:46:00 2010 +1000" }, "message": "SMACK: Don\u0027t #include Ext2 headers\n\nDon\u0027t #include Ext2 headers into Smack unnecessarily.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e2902eb79fdea3c3bf679a8f15f3432b393cb2c0", "tree": "ce72f1fa2838313fb724ac3b9aa98e553f1fffd0", "parents": [ "dd3e7836bfe093fc611f715c323cf53be9252b27" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:10:35 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 08 09:20:21 2010 +1000" }, "message": "SMACK: remove dead cred_commit hook\n\nThis is an unused hook in SMACK so remove it.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5a0e3ad6af8660be21ca98a971cd00f331318c05", "tree": "5bfb7be11a03176a87296a43ac6647975c00a1d1", "parents": [ "ed391f4ebf8f701d3566423ce8f17e614cde9806" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Wed Mar 24 17:04:11 2010 +0900" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Tue Mar 30 22:02:32 2010 +0900" }, "message": "include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h\n\npercpu.h is included by sched.h and module.h and thus ends up being\nincluded when building most .c files. percpu.h includes slab.h which\nin turn includes gfp.h making everything defined by the two files\nuniversally available and complicating inclusion dependencies.\n\npercpu.h -\u003e slab.h dependency is about to be removed. Prepare for\nthis change by updating users of gfp and slab facilities include those\nheaders directly instead of assuming availability. As this conversion\nneeds to touch large number of source files, the following script is\nused as the basis of conversion.\n\n http://userweb.kernel.org/~tj/misc/slabh-sweep.py\n\nThe script does the followings.\n\n* Scan files for gfp and slab usages and update includes such that\n only the necessary includes are there. ie. if only gfp is used,\n gfp.h, if slab is used, slab.h.\n\n* When the script inserts a new include, it looks at the include\n blocks and try to put the new include such that its order conforms\n to its surrounding. It\u0027s put in the include block which contains\n core kernel includes, in the same order that the rest are ordered -\n alphabetical, Christmas tree, rev-Xmas-tree or at the end if there\n doesn\u0027t seem to be any matching order.\n\n* If the script can\u0027t find a place to put a new include (mostly\n because the file doesn\u0027t have fitting include block), it prints out\n an error message indicating which .h file needs to be added to the\n file.\n\nThe conversion was done in the following steps.\n\n1. The initial automatic conversion of all .c files updated slightly\n over 4000 files, deleting around 700 includes and adding ~480 gfp.h\n and ~3000 slab.h inclusions. The script emitted errors for ~400\n files.\n\n2. Each error was manually checked. Some didn\u0027t need the inclusion,\n some needed manual addition while adding it to implementation .h or\n embedding .c file was more appropriate for others. This step added\n inclusions to around 150 files.\n\n3. The script was run again and the output was compared to the edits\n from #2 to make sure no file was left behind.\n\n4. Several build tests were done and a couple of problems were fixed.\n e.g. lib/decompress_*.c used malloc/free() wrappers around slab\n APIs requiring slab.h to be added manually.\n\n5. The script was run on all .h files but without automatically\n editing them as sprinkling gfp.h and slab.h inclusions around .h\n files could easily lead to inclusion dependency hell. Most gfp.h\n inclusion directives were ignored as stuff from gfp.h was usually\n wildly available and often used in preprocessor macros. Each\n slab.h inclusion directive was examined and added manually as\n necessary.\n\n6. percpu.h was updated not to include slab.h.\n\n7. Build test were done on the following configurations and failures\n were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my\n distributed build env didn\u0027t work with gcov compiles) and a few\n more options had to be turned off depending on archs to make things\n build (like ipr on powerpc/64 which failed due to missing writeq).\n\n * x86 and x86_64 UP and SMP allmodconfig and a custom test config.\n * powerpc and powerpc64 SMP allmodconfig\n * sparc and sparc64 SMP allmodconfig\n * ia64 SMP allmodconfig\n * s390 SMP allmodconfig\n * alpha SMP allmodconfig\n * um on x86_64 SMP allmodconfig\n\n8. percpu.h modifications were reverted so that it could be applied as\n a separate patch and serve as bisection point.\n\nGiven the fact that I had only a couple of failures from tests on step\n6, I\u0027m fairly confident about the coverage of this conversion patch.\nIf there is a breakage, it\u0027s likely to be something in one of the arch\nheaders which should be easily discoverable easily on most builds of\nthe specific arch.\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nGuess-its-ok-by: Christoph Lameter \u003ccl@linux-foundation.org\u003e\nCc: Ingo Molnar \u003cmingo@redhat.com\u003e\nCc: Lee Schermerhorn \u003cLee.Schermerhorn@hp.com\u003e\n" }, { "commit": "0f2cc4ecd81dc1917a041dc93db0ada28f8356fa", "tree": "f128b50f48f50f0cda6d2b20b53e9ad6e2dfded3", "parents": [ "1fae4cfb97302289bb5df6a8195eb28385d0b002", "9643f5d94aadd47a5fa9754fb60f2c957de05903" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 04 08:15:33 2010 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 04 08:15:33 2010 -0800" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: (52 commits)\n init: Open /dev/console from rootfs\n mqueue: fix typo \"failues\" -\u003e \"failures\"\n mqueue: only set error codes if they are really necessary\n mqueue: simplify do_open() error handling\n mqueue: apply mathematics distributivity on mq_bytes calculation\n mqueue: remove unneeded info-\u003emessages initialization\n mqueue: fix mq_open() file descriptor leak on user-space processes\n fix race in d_splice_alias()\n set S_DEAD on unlink() and non-directory rename() victims\n vfs: add NOFOLLOW flag to umount(2)\n get rid of -\u003emnt_parent in tomoyo/realpath\n hppfs can use existing proc_mnt, no need for do_kern_mount() in there\n Mirror MS_KERNMOUNT in -\u003emnt_flags\n get rid of useless vfsmount_lock use in put_mnt_ns()\n Take vfsmount_lock to fs/internal.h\n get rid of insanity with namespace roots in tomoyo\n take check for new events in namespace (guts of mounts_poll()) to namespace.c\n Don\u0027t mess with generic_permission() under -\u003ed_lock in hpfs\n sanitize const/signedness for udf\n nilfs: sanitize const/signedness in dealing with -\u003ed_name.name\n ...\n\nFix up fairly trivial (famous last words...) conflicts in\ndrivers/infiniband/core/uverbs_main.c and security/tomoyo/realpath.c\n" }, { "commit": "de27a5bf9caef3f1fca1f315aa58eee54fbf929a", "tree": "807ac88de94235afb40117b27d4400bd32573cea", "parents": [ "f694869709cc39a5fbde21aa40f22999ddad0e6e" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Jan 30 15:27:27 2010 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Mar 03 14:07:56 2010 -0500" }, "message": "fix mnt_mountpoint abuse in smack\n\n(mnt,mnt_mountpoint) pair is conceptually wrong; if you want\nto use it for generating pathname and for nothing else *and*\nif you know that vfsmount tree is unchanging, you can get\naway with that, but the right solution for that is (mnt,mnt_root).\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "002345925e6c45861f60db6f4fc6236713fd8847", "tree": "d7849eafe1755116597166bbebf43e2bee86cb76", "parents": [ "0719aaf5ead7555b7b7a4a080ebf2826a871384e" ], "author": { "name": "Kees Cook", "email": "kees.cook@canonical.com", "time": "Wed Feb 03 15:36:43 2010 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Feb 04 14:20:12 2010 +1100" }, "message": "syslog: distinguish between /proc/kmsg and syscalls\n\nThis allows the LSM to distinguish between syslog functions originating\nfrom /proc/kmsg access and direct syscalls. By default, the commoncaps\nwill now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg\nfile descriptor. For example the kernel syslog reader can now drop\nprivileges after opening /proc/kmsg, instead of staying privileged with\nCAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged\nbehavior.\n\nSigned-off-by: Kees Cook \u003ckees.cook@canonical.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8964be4a9a5ca8cab1219bb046db2f6d1936227c", "tree": "8838c73a03cc69c010b55928fce3725d17bc26a9", "parents": [ "fa9a6fed87df1b50804405e700f8d30251d3aaf1" ], "author": { "name": "Eric Dumazet", "email": "eric.dumazet@gmail.com", "time": "Fri Nov 20 15:35:04 2009 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Nov 20 15:35:04 2009 -0800" }, "message": "net: rename skb-\u003eiif to skb-\u003eskb_iif\n\nTo help grep games, rename iif to skb_iif\n\nSigned-off-by: Eric Dumazet \u003ceric.dumazet@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "88e9d34c727883d7d6f02cf1475b3ec98b8480c7", "tree": "475f544536d52739e0929e7727cab5124e855a06", "parents": [ "b7ed698cc9d556306a4088c238e2ea9311ea2cb3" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Sep 22 16:43:43 2009 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Sep 23 07:39:29 2009 -0700" }, "message": "seq_file: constify seq_operations\n\nMake all seq_operations structs const, to help mitigate against\nrevectoring user-triggerable function pointers.\n\nThis is derived from the grsecurity patch, although generated from scratch\nbecause it\u0027s simpler than extracting the changes from there.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "1fd7317d02ec03c6fdf072317841287933d06d24", "tree": "b7ac4d511896dbb21c1b76a27f6c4d5b4cb6c7bb", "parents": [ "af91322ef3f29ae4114e736e2a72e28b4d619cf9" ], "author": { "name": "Nick Black", "email": "dank@qemfd.net", "time": "Tue Sep 22 16:43:33 2009 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Sep 23 07:39:28 2009 -0700" }, "message": "Move magic numbers into magic.h\n\nMove various magic-number definitions into magic.h.\n\nSigned-off-by: Nick Black \u003cdank@qemfd.net\u003e\nAcked-by: Pekka Enberg \u003cpenberg@cs.helsinki.fi\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "ddd29ec6597125c830f7badb608a86c98b936b64", "tree": "e6df1ef9a635179de78650d006ecb4cd1453ebb1", "parents": [ "1ee65e37e904b959c24404139f5752edc66319d5" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Wed Sep 09 14:25:37 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Sep 10 10:11:29 2009 +1000" }, "message": "sysfs: Add labeling support for sysfs\n\nThis patch adds a setxattr handler to the file, directory, and symlink\ninode_operations structures for sysfs. The patch uses hooks introduced in the\nprevious patch to handle the getting and setting of security information for\nthe sysfs inodes. As was suggested by Eric Biederman the struct iattr in the\nsysfs_dirent structure has been replaced by a structure which contains the\niattr, secdata and secdata length to allow the changes to persist in the event\nthat the inode representing the sysfs_dirent is evicted. Because sysfs only\nstores this information when a change is made all the optional data is moved\ninto one dynamically allocated field.\n\nThis patch addresses an issue where SELinux was denying virtd access to the PCI\nconfiguration entries in sysfs. The lack of setxattr handlers for sysfs\nrequired that a single label be assigned to all entries in sysfs. Granting virtd\naccess to every entry in sysfs is not an acceptable solution so fine grained\nlabeling of sysfs is required such that individual entries can be labeled\nappropriately.\n\n[sds: Fixed compile-time warnings, coding style, and setting of inode security init flags.]\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nSigned-off-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1ee65e37e904b959c24404139f5752edc66319d5", "tree": "587c1ef70ae7ee41a7b9b531161a4ef5689838f7", "parents": [ "b1ab7e4b2a88d3ac13771463be8f302ce1616cfc" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Thu Sep 03 14:25:57 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Sep 10 10:11:24 2009 +1000" }, "message": "LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information.\n\nThis patch introduces three new hooks. The inode_getsecctx hook is used to get\nall relevant information from an LSM about an inode. The inode_setsecctx is\nused to set both the in-core and on-disk state for the inode based on a context\nderived from inode_getsecctx.The final hook inode_notifysecctx will notify the\nLSM of a change for the in-core state of the inode in question. These hooks are\nfor use in the labeled NFS code and addresses concerns of how to set security\non an inode in a multi-xattr LSM. For historical reasons Stephen Smalley\u0027s\nexplanation of the reason for these hooks is pasted below.\n\nQuote Stephen Smalley\n\ninode_setsecctx: Change the security context of an inode. Updates the\nin core security context managed by the security module and invokes the\nfs code as needed (via __vfs_setxattr_noperm) to update any backing\nxattrs that represent the context. Example usage: NFS server invokes\nthis hook to change the security context in its incore inode and on the\nbacking file system to a value provided by the client on a SETATTR\noperation.\n\ninode_notifysecctx: Notify the security module of what the security\ncontext of an inode should be. Initializes the incore security context\nmanaged by the security module for this inode. Example usage: NFS\nclient invokes this hook to initialize the security context in its\nincore inode to the value provided by the server for the file when the\nserver returned the file\u0027s attributes to the client.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ee18d64c1f632043a02e6f5ba5e045bb26a5465f", "tree": "80b5a4d530ec7d5fd69799920f0db7b78aba6b9d", "parents": [ "d0420c83f39f79afb82010c2d2cafd150eef651b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:14:21 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:22 2009 +1000" }, "message": "KEYS: Add a keyctl to install a process\u0027s session keyring on its parent [try #6]\n\nAdd a keyctl to install a process\u0027s session keyring onto its parent. This\nreplaces the parent\u0027s session keyring. Because the COW credential code does\nnot permit one process to change another process\u0027s credentials directly, the\nchange is deferred until userspace next starts executing again. Normally this\nwill be after a wait*() syscall.\n\nTo support this, three new security hooks have been provided:\ncred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in\nthe blank security creds and key_session_to_parent() - which asks the LSM if\nthe process may replace its parent\u0027s session keyring.\n\nThe replacement may only happen if the process has the same ownership details\nas its parent, and the process has LINK permission on the session keyring, and\nthe session keyring is owned by the process, and the LSM permits it.\n\nNote that this requires alteration to each architecture\u0027s notify_resume path.\nThis has been done for all arches barring blackfin, m68k* and xtensa, all of\nwhich need assembly alteration to support TIF_NOTIFY_RESUME. This allows the\nreplacement to be performed at the point the parent process resumes userspace\nexecution.\n\nThis allows the userspace AFS pioctl emulation to fully emulate newpag() and\nthe VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to\nalter the parent process\u0027s PAG membership. However, since kAFS doesn\u0027t use\nPAGs per se, but rather dumps the keys into the session keyring, the session\nkeyring of the parent must be replaced if, for example, VIOCSETTOK is passed\nthe newpag flag.\n\nThis can be tested with the following program:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\n\t#define KEYCTL_SESSION_TO_PARENT\t18\n\n\t#define OSERROR(X, S) do { if ((long)(X) \u003d\u003d -1) { perror(S); exit(1); } } while(0)\n\n\tint main(int argc, char **argv)\n\t{\n\t\tkey_serial_t keyring, key;\n\t\tlong ret;\n\n\t\tkeyring \u003d keyctl_join_session_keyring(argv[1]);\n\t\tOSERROR(keyring, \"keyctl_join_session_keyring\");\n\n\t\tkey \u003d add_key(\"user\", \"a\", \"b\", 1, keyring);\n\t\tOSERROR(key, \"add_key\");\n\n\t\tret \u003d keyctl(KEYCTL_SESSION_TO_PARENT);\n\t\tOSERROR(ret, \"KEYCTL_SESSION_TO_PARENT\");\n\n\t\treturn 0;\n\t}\n\nCompiled and linked with -lkeyutils, you should see something like:\n\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t355907932 --alswrv 4043 -1 \\_ keyring: _uid.4043\n\t[dhowells@andromeda ~]$ /tmp/newpag\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t1055658746 --alswrv 4043 4043 \\_ user: a\n\t[dhowells@andromeda ~]$ /tmp/newpag hello\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: hello\n\t340417692 --alswrv 4043 4043 \\_ user: a\n\nWhere the test program creates a new session keyring, sticks a user key named\n\u0027a\u0027 into it and then installs it on its parent.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "da34d4248bd2013ee64ce51e63ec0ebd1f32b46c", "tree": "3934c6582b73fb3411799050ea5268daf2b2b814", "parents": [ "1c388ad054fb1ead3dc354b1719570b99e464135" ], "author": { "name": "Julia Lawall", "email": "julia@diku.dk", "time": "Wed Aug 05 14:34:55 2009 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 06 08:46:15 2009 +1000" }, "message": "security/smack: Use AF_INET for sin_family field\n\nElsewhere the sin_family field holds a value with a name of the form\nAF_..., so it seems reasonable to do so here as well. Also the values of\nPF_INET and AF_INET are the same.\n\nThe semantic patch that makes this change is as follows:\n(http://coccinelle.lip6.fr/)\n\n// \u003csmpl\u003e\n@@\nstruct sockaddr_in sip;\n@@\n\n(\nsip.sin_family \u003d\u003d\n- PF_INET\n+ AF_INET\n|\nsip.sin_family !\u003d\n- PF_INET\n+ AF_INET\n|\nsip.sin_family \u003d\n- PF_INET\n+ AF_INET\n)\n// \u003c/smpl\u003e\n\nSigned-off-by: Julia Lawall \u003cjulia@diku.dk\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d4131ded4d4c1a5c1363ddd93ca104ed97dd0458", "tree": "137da0f52d5928eeb461218ac8109d22e65d579b", "parents": [ "ed5215a21460f63d6bdc118cb55a9e6d1b433f35" ], "author": { "name": "Thomas Liu", "email": "tliu@redhat.com", "time": "Thu Jul 09 10:00:30 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jul 10 08:58:39 2009 +1000" }, "message": "security: Make lsm_priv union in lsm_audit.h anonymous\n\nMade the lsm_priv union in include/linux/lsm_audit.h\nanonymous.\n\nSigned-off-by: Thomas Liu \u003ctliu@redhat.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ed5215a21460f63d6bdc118cb55a9e6d1b433f35", "tree": "8134723eb6a5d73162a7e5d9c11ac66440f11b82", "parents": [ "ac7242142b03421c96b0a2f8d99f146d075614c2" ], "author": { "name": "Thomas Liu", "email": "tliu@redhat.com", "time": "Thu Jul 09 10:00:29 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jul 10 08:54:14 2009 +1000" }, "message": "Move variable function in lsm_audit.h into SMACK private space\n\nMoved variable function in include/linux/lsm_audit.h into the\nsmack_audit_data struct since it is never used outside of it.\n\nAlso removed setting of function in the COMMON_AUDIT_DATA_INIT\nmacro because that variable is now private to SMACK.\n\nSigned-off-by: Thomas Liu \u003ctliu@redhat.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nI-dont-see-any-problems-with-it: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9e48858f7d36a6a3849f1d1b40c3bf5624b4ee7c", "tree": "5d8fe586c5b1bbab36acc3b76b2b4dd1bc538968", "parents": [ "86abcf9cebf7b5ceb33facde297face5ec4d2260" ], "author": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Thu May 07 19:26:19 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 25 00:18:05 2009 +1000" }, "message": "security: rename ptrace_may_access \u003d\u003e ptrace_access_check\n\nThe -\u003eptrace_may_access() methods are named confusingly - the real\nptrace_may_access() returns a bool, while these security checks have\na retval convention.\n\nRename it to ptrace_access_check, to reduce the confusion factor.\n\n[ Impact: cleanup, no code changed ]\n\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3296ca27f50ecbd71db1d808c7a72d311027f919", "tree": "833eaa58b2013bda86d4bd95faf6efad7a2d5ca4", "parents": [ "e893123c7378192c094747dadec326b7c000c190", "73fbad283cfbbcf02939bdbda31fc4a30e729cca" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 11 10:01:41 2009 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 11 10:01:41 2009 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (44 commits)\n nommu: Provide mmap_min_addr definition.\n TOMOYO: Add description of lists and structures.\n TOMOYO: Remove unused field.\n integrity: ima audit dentry_open failure\n TOMOYO: Remove unused parameter.\n security: use mmap_min_addr indepedently of security models\n TOMOYO: Simplify policy reader.\n TOMOYO: Remove redundant markers.\n SELinux: define audit permissions for audit tree netlink messages\n TOMOYO: Remove unused mutex.\n tomoyo: avoid get+put of task_struct\n smack: Remove redundant initialization.\n integrity: nfsd imbalance bug fix\n rootplug: Remove redundant initialization.\n smack: do not beyond ARRAY_SIZE of data\n integrity: move ima_counts_get\n integrity: path_check update\n IMA: Add __init notation to ima functions\n IMA: Minimal IMA policy and boot param for TCB IMA policy\n selinux: remove obsolete read buffer limit from sel_read_bool\n ...\n" }, { "commit": "20f3f3ca499d2c211771ba552685398b65d83859", "tree": "41b460196a0860e11d12e33e3172463973cb0078", "parents": [ "769f3e8c384795cc350e2aae27de2a12374d19d4", "41c51c98f588edcdf6141cff1895df738e03ddd4" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 10 19:50:03 2009 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 10 19:50:03 2009 -0700" }, "message": "Merge branch \u0027rcu-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip\n\n* \u0027rcu-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:\n rcu: rcu_sched_grace_period(): kill the bogus flush_signals()\n rculist: use list_entry_rcu in places where it\u0027s appropriate\n rculist.h: introduce list_entry_rcu() and list_first_entry_rcu()\n rcu: Update RCU tracing documentation for __rcu_pending\n rcu: Add __rcu_pending tracing to hierarchical RCU\n RCU: make treercu be default\n" }, { "commit": "13b297d943828c4594527a2bd9c30ecd04e37886", "tree": "9a4e7ea9e0f161f5a3edecfa8300d2677b24cfd9", "parents": [ "14dba5331b90c20588ae6504fea8049c7283028d" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@i-love.sakura.ne.jp", "time": "Tue May 26 14:18:07 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 28 11:57:09 2009 +1000" }, "message": "smack: Remove redundant initialization.\n\nWe don\u0027t need to explicitly initialize to cap_* because\nit will be filled by security_fixup_ops().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6470c077cae12227318f40f3e6d756caadcce4b0", "tree": "c8a543bccd29dfcf7d4bbb104a4786da0c93cf56", "parents": [ "c9d9ac525a0285a5b5ad9c3f9aa8b7c1753e6121" ], "author": { "name": "Roel Kluin", "email": "roel.kluin@gmail.com", "time": "Thu May 21 18:42:54 2009 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri May 22 12:34:48 2009 +1000" }, "message": "smack: do not beyond ARRAY_SIZE of data\n\nDo not go beyond ARRAY_SIZE of data\n\nSigned-off-by: Roel Kluin \u003croel.kluin@gmail.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d254117099d711f215e62427f55dfb8ebd5ad011", "tree": "0848ff8dd74314fec14a86497f8d288c86ba7c65", "parents": [ "07ff7a0b187f3951788f64ae1f30e8109bc8e9eb", "8c9ed899b44c19e81859fbb0e9d659fe2f8630fc" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri May 08 17:56:47 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri May 08 17:56:47 2009 +1000" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "defc433ba3bc587826bb467ce0e63452deafa65d", "tree": "fb11744178f227598b1b26e1c6f24041261c3b98", "parents": [ "aefe6475720bd5eb8aacbc881488f3aa65618562" ], "author": { "name": "Etienne Basset", "email": "etienne.basset@numericable.fr", "time": "Thu Apr 16 23:58:42 2009 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Apr 18 12:58:25 2009 +1000" }, "message": "Smack: check for SMACK xattr validity in smack_inode_setxattr\n\nthe following patch moves checks for SMACK xattr validity\nfrom smack_inode_post_setxattr (which cannot return an error to the user)\nto smack_inode_setxattr (which can return an error).\n\nSigned-off-by: Etienne Basset \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "05725f7eb4b8acb147c5fc7b91397b1f6bcab00d", "tree": "1f22c6bec3429f7ec9ebb8acd25672249e39b380", "parents": [ "72c6a9870f901045f2464c3dc6ee8914bfdc07aa" ], "author": { "name": "Jiri Pirko", "email": "jpirko@redhat.com", "time": "Tue Apr 14 20:17:16 2009 +0200" }, "committer": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Wed Apr 15 12:05:25 2009 +0200" }, "message": "rculist: use list_entry_rcu in places where it\u0027s appropriate\n\nUse previously introduced list_entry_rcu instead of an open-coded\nlist_entry + rcu_dereference combination.\n\nSigned-off-by: Jiri Pirko \u003cjpirko@redhat.com\u003e\nReviewed-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nCc: dipankar@in.ibm.com\nLKML-Reference: \u003c20090414181715.GA3634@psychotron.englab.brq.redhat.com\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n" }, { "commit": "ecfcc53fef3c357574bb6143dce6631e6d56295c", "tree": "d7bee04b64c5ad2ba0ed273bff2c8c7c98b3eee5", "parents": [ "6e837fb152410e571a81aaadbd9884f0bc46a55e" ], "author": { "name": "Etienne Basset", "email": "etienne.basset@numericable.fr", "time": "Wed Apr 08 20:40:06 2009 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Apr 14 09:00:23 2009 +1000" }, "message": "smack: implement logging V3\n\nthe following patch, add logging of Smack security decisions.\nThis is of course very useful to understand what your current smack policy does.\nAs suggested by Casey, it also now forbids labels with \u0027, \" or \\\n\nIt introduces a \u0027/smack/logging\u0027 switch :\n0: no logging\n1: log denied (default)\n2: log accepted\n3: log denied\u0026accepted\n\nSigned-off-by: Etienne Basset \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4303154e86597885bc3cbc178a48ccbc8213875f", "tree": "11989bcc2ec5d9cd5a1b7952f169ec5cbd8abb8e", "parents": [ "07feee8f812f7327a46186f7604df312c8c81962" ], "author": { "name": "Etienne Basset", "email": "etienne.basset@numericable.fr", "time": "Fri Mar 27 17:11:01 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Mar 28 15:01:37 2009 +1100" }, "message": "smack: Add a new \u0027-CIPSO\u0027 option to the network address label configuration\n\nThis patch adds a new special option \u0027-CIPSO\u0027 to the Smack subsystem. When used\nin the netlabel list, it means \"use CIPSO networking\". A use case is when your\nlocal network speaks CIPSO and you want also to connect to the unlabeled\nInternet. This patch also add some documentation describing that. The patch\nalso corrects an oops when setting a \u0027\u0027 SMACK64 xattr to a file.\n\nSigned-off-by: Etienne Basset \u003cetienne.basset@numericable.fr\u003e\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "07feee8f812f7327a46186f7604df312c8c81962", "tree": "73eac643b60532aa82d7680a7de193ba2b62eddd", "parents": [ "8651d5c0b1f874c5b8307ae2b858bc40f9f02482" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Mar 27 17:10:54 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Mar 28 15:01:37 2009 +1100" }, "message": "netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections\n\nThis patch cleans up a lot of the Smack network access control code. The\nlargest changes are to fix the labeling of incoming TCP connections in a\nmanner similar to the recent SELinux changes which use the\nsecurity_inet_conn_request() hook to label the request_sock and let the label\nmove to the child socket via the normal network stack mechanisms. In addition\nto the incoming TCP connection fixes this patch also removes the smk_labled\nfield from the socket_smack struct as the minor optimization advantage was\noutweighed by the difficulty in maintaining it\u0027s proper state.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "389fb800ac8be2832efedd19978a2b8ced37eb61", "tree": "fa0bc16050dfb491aa05f76b54fa4c167de96376", "parents": [ "284904aa79466a4736f4c775fdbe5c7407fa136c" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Mar 27 17:10:34 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Mar 28 15:01:36 2009 +1100" }, "message": "netlabel: Label incoming TCP connections correctly in SELinux\n\nThe current NetLabel/SELinux behavior for incoming TCP connections works but\nonly through a series of happy coincidences that rely on the limited nature of\nstandard CIPSO (only able to convey MLS attributes) and the write equality\nimposed by the SELinux MLS constraints. The problem is that network sockets\ncreated as the result of an incoming TCP connection were not on-the-wire\nlabeled based on the security attributes of the parent socket but rather based\non the wire label of the remote peer. The issue had to do with how IP options\nwere managed as part of the network stack and where the LSM hooks were in\nrelation to the code which set the IP options on these newly created child\nsockets. While NetLabel/SELinux did correctly set the socket\u0027s on-the-wire\nlabel it was promptly cleared by the network stack and reset based on the IP\noptions of the remote peer.\n\nThis patch, in conjunction with a prior patch that adjusted the LSM hook\nlocations, works to set the correct on-the-wire label format for new incoming\nconnections through the security_inet_conn_request() hook. Besides the\ncorrect behavior there are many advantages to this change, the most significant\nis that all of the NetLabel socket labeling code in SELinux now lives in hooks\nwhich can return error codes to the core stack which allows us to finally get\nride of the selinux_netlbl_inode_permission() logic which greatly simplfies\nthe NetLabel/SELinux glue code. In the process of developing this patch I\nalso ran into a small handful of AF_INET6 cleanliness issues that have been\nfixed which should make the code safer and easier to extend in the future.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7198e2eeb44b3fe7cc97f997824002da47a9c644", "tree": "4989ad0f9727ac4b861189217760517aa8beea43", "parents": [ "703a3cd72817e99201cef84a8a7aecc60b2b3581" ], "author": { "name": "Etienne Basset", "email": "etienne.basset@numericable.fr", "time": "Tue Mar 24 20:53:24 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 26 09:17:04 2009 +1100" }, "message": "smack: convert smack to standard linux lists\n\nthe following patch (on top of 2.6.29) converts Smack lists to standard linux lists\nPlease review and consider for inclusion in 2.6.30-rc\n\nregards,\nEtienne\n\nSigned-off-by: Etienne Basset \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n" }, { "commit": "703a3cd72817e99201cef84a8a7aecc60b2b3581", "tree": "3e943755178ff410694722bb031f523136fbc432", "parents": [ "df7f54c012b92ec93d56b68547351dcdf8a163d3", "8e0ee43bc2c3e19db56a4adaa9a9b04ce885cd84" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 24 10:52:46 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 24 10:52:46 2009 +1100" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "211a40c0870457b29100cffea0180fa5083caf96", "tree": "fae71ac7a443a45391ee6049f2300a5c25fe2272", "parents": [ "559595a985e106d2fa9f0c79b7f5805453fed593" ], "author": { "name": "etienne", "email": "etienne.basset@numericable.fr", "time": "Wed Mar 04 07:33:51 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 05 08:36:34 2009 +1100" }, "message": "smack: fixes for unlabeled host support\n\nThe following patch (against 2.6.29rc5) fixes a few issues in the\nsmack/netlabel \"unlabeled host support\" functionnality that was added in\n2.6.29rc. It should go in before -final.\n\n1) smack_host_label disregard a \"0.0.0.0/0 @\" rule (or other label),\npreventing \u0027tagged\u0027 tasks to access Internet (many systems drop packets with\nIP options)\n\n2) netmasks were not handled correctly, they were stored in a way _not\nequivalent_ to conversion to be32 (it was equivalent for /0, /8, /16, /24,\n/32 masks but not other masks)\n\n3) smack_netlbladdr prefixes (IP/mask) were not consistent (mask\u0026IP was not\ndone), so there could have been different list entries for the same IP\nprefix; if those entries had different labels, well ...\n\n4) they were not sorted\n\n1) 2) 3) are bugs, 4) is a more cosmetic issue.\nThe patch :\n\n-creates a new helper smk_netlbladdr_insert to insert a smk_netlbladdr,\n-sorted by netmask length\n\n-use the new sorted nature of smack_netlbladdrs list to simplify\n smack_host_label : the first match _will_ be the more specific\n\n-corrects endianness issues in smk_write_netlbladdr \u0026 netlbladdr_seq_show\n\nSigned-off-by: \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "113a0e4590881ce579ca992a80ddc562b3372ede", "tree": "29dd1cd1c5f594efb51cdf9530a90ba2f3f2854e", "parents": [ "454804ab0302b354e35d992d08e53fe03313baaf" ], "author": { "name": "etienne", "email": "etienne.basset@numericable.fr", "time": "Wed Mar 04 07:33:51 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 05 08:30:01 2009 +1100" }, "message": "smack: fixes for unlabeled host support\n\nThe following patch (against 2.6.29rc5) fixes a few issues in the\nsmack/netlabel \"unlabeled host support\" functionnality that was added in\n2.6.29rc. It should go in before -final.\n\n1) smack_host_label disregard a \"0.0.0.0/0 @\" rule (or other label),\npreventing \u0027tagged\u0027 tasks to access Internet (many systems drop packets with\nIP options)\n\n2) netmasks were not handled correctly, they were stored in a way _not\nequivalent_ to conversion to be32 (it was equivalent for /0, /8, /16, /24,\n/32 masks but not other masks)\n\n3) smack_netlbladdr prefixes (IP/mask) were not consistent (mask\u0026IP was not\ndone), so there could have been different list entries for the same IP\nprefix; if those entries had different labels, well ...\n\n4) they were not sorted\n\n1) 2) 3) are bugs, 4) is a more cosmetic issue.\nThe patch :\n\n-creates a new helper smk_netlbladdr_insert to insert a smk_netlbladdr,\n-sorted by netmask length\n\n-use the new sorted nature of smack_netlbladdrs list to simplify\n smack_host_label : the first match _will_ be the more specific\n\n-corrects endianness issues in smk_write_netlbladdr \u0026 netlbladdr_seq_show\n\nSigned-off-by: \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "251a2a958b0455d11b711aeeb57cabad66259461", "tree": "6e89b9a3f79c4a46573682044188c7d4692f0cb5", "parents": [ "e5a3b95f581da62e2054ef79d3be2d383e9ed664" ], "author": { "name": "Randy Dunlap", "email": "randy.dunlap@oracle.com", "time": "Wed Feb 18 11:42:33 2009 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Feb 19 15:51:10 2009 +1100" }, "message": "smack: fix lots of kernel-doc notation\n\nFix/add kernel-doc notation and fix typos in security/smack/.\n\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "152a649b647a8ef47bb74ff9e11850fa6001bedc", "tree": "ea626697e2cbf07f1cba973158b99125e98344ae", "parents": [ "e4a7ca29039e615ce13a61b9c6abfb2aa394e9a1" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Tue Jan 27 19:56:30 2009 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jan 27 20:13:32 2009 -0800" }, "message": "smackfs load append mode fix\n\nGiven just how hard it is to find the code that uses MAY_APPEND\nit\u0027s probably not a big surprise that this went unnoticed for so\nlong. The Smack rules loading code is incorrectly setting the\nMAY_READ bit when MAY_APPEND is requested.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c19a28e1193a6c854738d609ae9b2fe2f6e6bea4", "tree": "79a354f827a5d3656be3f55d18d31265750d9d06", "parents": [ "f15659628b43b27c20447c731456c39cbec973e9" ], "author": { "name": "Fernando Carrijo", "email": "fcarrijo@yahoo.com.br", "time": "Wed Jan 07 18:09:08 2009 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jan 08 08:31:14 2009 -0800" }, "message": "remove lots of double-semicolons\n\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nAcked-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nAcked-by: Mark Fasheh \u003cmfasheh@suse.com\u003e\nAcked-by: David S. Miller \u003cdavem@davemloft.net\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "ac8cc0fa5395fe2278e305a4cbed48e90d88d878", "tree": "515f577bfddd054ee4373228be7c974dfb8133af", "parents": [ "238c6d54830c624f34ac9cf123ac04aebfca5013", "3699c53c485bf0168e6500d0ed18bf931584dd7c" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:58:22 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:58:22 2009 +1100" }, "message": "Merge branch \u0027next\u0027 into for-linus\n" }, { "commit": "29881c4502ba05f46bc12ae8053d4e08d7e2615c", "tree": "536ea4ac63554e836438bd5f370ddecaa343f1f4", "parents": [ "76f7ba35d4b5219fcc4cb072134c020ec77d030d" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:21:54 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:21:54 2009 +1100" }, "message": "Revert \"CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\"\n\nThis reverts commit 14eaddc967b16017d4a1a24d2be6c28ecbe06ed8.\n\nDavid has a better version to come.\n" }, { "commit": "14eaddc967b16017d4a1a24d2be6c28ecbe06ed8", "tree": "ce10216d592f0fa89ae02c4e4e9e9497010e7714", "parents": [ "5c8c40be4b5a2944483bfc1a45d6c3fa02551af3" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Dec 31 15:15:42 2008 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 05 11:17:04 2009 +1100" }, "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 5ff7711e635b32f0a1e558227d030c7e45b4a465\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Wed Dec 31 02:52:28 2008 +0000\n\n\t CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds. However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change splits capable() from has_capability() down into the commoncap and\nSELinux code. The capable() security op now only deals with the current\nprocess, and uses the current process\u0027s subjective creds. A new security op -\ntask_capable() - is introduced that can check any task\u0027s objective creds.\n\nstrictly the capable() security op is superfluous with the presence of the\ntask_capable() op, however it should be faster to call the capable() op since\ntwo fewer arguments need be passed down through the various layers.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n * t_access_root.c - trivial test program to show permission bug.\n *\n * Written by Michael Kerrisk - copyright ownership not pursued.\n * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n perror(msg);\n exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n int fd, perm, uid, gid;\n char *testpath;\n char cmd[PATH_MAX + 20];\n\n testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n gid \u003d (argc \u003e 4) ? atoi(argv[4]) : GID;\n\n unlink(testpath);\n\n fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n if (fd \u003d\u003d -1) errExit(\"open\");\n\n if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n close(fd);\n\n snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n system(cmd);\n\n if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n accessTest(testpath, 0, \"0\");\n accessTest(testpath, R_OK, \"R_OK\");\n accessTest(testpath, W_OK, \"W_OK\");\n accessTest(testpath, X_OK, \"X_OK\");\n accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem. If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5af75d8d58d0f9f7b7c0515b35786b22892d5f12", "tree": "65707c5309133a33140c39145ae91b7c1679a877", "parents": [ "36c4f1b18c8a7d0adb4085e7f531860b837bb6b0" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Dec 16 05:59:26 2008 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jan 04 15:14:42 2009 -0500" }, "message": "audit: validate comparison operations, store them in sane form\n\nDon\u0027t store the field-\u003eop in the messy (and very inconvenient for e.g.\naudit_comparator()) form; translate to dense set of values and do full\nvalidation of userland-submitted value while we are at it.\n\n-\u003eaudit_init_rule() and -\u003eaudit_match_rule() get new values now; in-tree\ninstances updated.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "6d3dc07cbb1e88deed2e8710e215f232a56b1dce", "tree": "4c294d1ddac8c9f417bcd406771993aa58106f6d", "parents": [ "277d342fc423fca5e66e677fe629d1b2f8f1b9e2" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Wed Dec 31 12:54:12 2008 -0500" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Dec 31 12:54:12 2008 -0500" }, "message": "smack: Add support for unlabeled network hosts and networks\n\nAdd support for unlabeled network hosts and networks.\nRelies heavily on Paul Moore\u0027s netlabel support.\n\nCreates a new entry in /smack called netlabel. Writes to /smack/netlabel\ntake the form:\n\n A.B.C.D LABEL\nor\n A.B.C.D/N LABEL\n\nwhere A.B.C.D is a network address, N is an integer between 0-32,\nand LABEL is the Smack label to be used. If /N is omitted /32 is\nassumed. N designates the netmask for the address. Entries are\nmatched by the most specific address/mask pair. 0.0.0.0/0 will\nmatch everything, while 192.168.1.117/32 will match exactly one\nhost.\n\nA new system label \"@\", pronounced \"web\", is defined. Processes\ncan not be assigned the web label. An address assigned the web\nlabel can be written to by any process, and packets coming from\na web address can be written to any socket. Use of the web label\nis a violation of any strict MAC policy, but the web label has\nbeen requested many times.\n\nThe nltype entry has been removed from /smack. It did not work right\nand the netlabel interface can be used to specify that all hosts\nbe treated as unlabeled.\n\nCIPSO labels on incoming packets will be honored, even from designated\nsingle label hosts. Single label hosts can only be written to by\nprocesses with labels that can write to the label of the host.\nPackets sent to single label hosts will always be unlabeled.\n\nOnce added a single label designation cannot be removed, however\nthe label may be changed.\n\nThe behavior of the ambient label remains unchanged.\n\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\n" }, { "commit": "6c2e8ac0953fccdd24dc6c4b9e08e8f1cd68cf07", "tree": "c52e242ec5e5c2d131af2d9dbb038f78f724a74c", "parents": [ "6a94cb73064c952255336cc57731904174b2c58f" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Dec 31 12:54:11 2008 -0500" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Dec 31 12:54:11 2008 -0500" }, "message": "netlabel: Update kernel configuration API\n\nUpdate the NetLabel kernel API to expose the new features added in kernel\nreleases 2.6.25 and 2.6.28: the static/fallback label functionality and network\naddress based selectors.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\n" }, { "commit": "81ea714bf148fce35e931edcbdfd3aedda20d1dc", "tree": "e3cabfd2ce35bc8be542910bffc4b9b99288a7f4", "parents": [ "74192246910ff4fb95309ba1a683215644beeb62" ], "author": { "name": "Sergio Luis", "email": "sergio@larces.uece.br", "time": "Mon Dec 22 01:16:15 2008 -0300" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 25 12:14:55 2008 +1100" }, "message": "smackfs: check for allocation failures in smk_set_access()\n\nsmackfs: check for allocation failures in smk_set_access()\n\n While adding a new subject/object pair to smack_list, smk_set_access()\n didn\u0027t check the return of kzalloc().\n\n This patch changes smk_set_access() to return 0 or -ENOMEM, based on\n kzalloc()\u0027s return. It also updates its caller, smk_write_load(), to\n check for smk_set_access()\u0027s return, given it is no longer a void\n return function.\n\n Signed-off-by: Sergio Luis \u003csergio@larces.uece.br\u003e\n To: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n Cc: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\n Cc: LSM \u003clinux-security-module@vger.kernel.org\u003e\n Cc: LKLM \u003clinux-kernel@vger.kernel.org\u003e\n\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n" }, { "commit": "12204e24b1330428c3062faee10a0d80b8a5cb61", "tree": "d92ee705a86f0ec2bf85c8a797239dbb840d5927", "parents": [ "459c19f524a9d89c65717a7d061d5f11ecf6bcb8" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Dec 19 10:44:42 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Dec 20 09:02:39 2008 +1100" }, "message": "security: pass mount flags to security_sb_kern_mount()\n\nPass mount flags to security_sb_kern_mount(), so security modules\ncan determine if a mount operation is being performed by the kernel.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "3a3b7ce9336952ea7b9564d976d068a238976c9d", "tree": "3f0a3be33022492161f534636a20a4b1059f8236", "parents": [ "1bfdc75ae077d60a01572a7781ec6264d55ab1b9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "message": "CRED: Allow kernel services to override LSM settings for task actions\n\nAllow kernel services to override LSM settings appropriate to the actions\nperformed by a task by duplicating a set of credentials, modifying it and then\nusing task_struct::cred to point to it when performing operations on behalf of\na task.\n\nThis is used, for example, by CacheFiles which has to transparently access the\ncache on behalf of a process that thinks it is doing, say, NFS accesses with a\npotentially inappropriate (with respect to accessing the cache) set of\ncredentials.\n\nThis patch provides two LSM hooks for modifying a task security record:\n\n (*) security_kernel_act_as() which allows modification of the security datum\n with which a task acts on other objects (most notably files).\n\n (*) security_kernel_create_files_as() which allows modification of the\n security datum that is used to initialise the security data on a file that\n a task creates.\n\nThe patch also provides four new credentials handling functions, which wrap the\nLSM functions:\n\n (1) prepare_kernel_cred()\n\n Prepare a set of credentials for a kernel service to use, based either on\n a daemon\u0027s credentials or on init_cred. All the keyrings are cleared.\n\n (2) set_security_override()\n\n Set the LSM security ID in a set of credentials to a specific security\n context, assuming permission from the LSM policy.\n\n (3) set_security_override_from_ctx()\n\n As (2), but takes the security context as a string.\n\n (4) set_create_files_as()\n\n Set the file creation LSM security ID in a set of credentials to be the\n same as that on a particular inode.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e [Smack changes]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d", "tree": "8f95617996d0974507f176163459212a7def8b9a", "parents": [ "d84f4f992cbd76e8f39c488cf0c5d123843923b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Make execve() take advantage of copy-on-write credentials\n\nMake execve() take advantage of copy-on-write credentials, allowing it to set\nup the credentials in advance, and then commit the whole lot after the point\nof no return.\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n The credential bits from struct linux_binprm are, for the most part,\n replaced with a single credentials pointer (bprm-\u003ecred). This means that\n all the creds can be calculated in advance and then applied at the point\n of no return with no possibility of failure.\n\n I would like to replace bprm-\u003ecap_effective with:\n\n\tcap_isclear(bprm-\u003ecap_effective)\n\n but this seems impossible due to special behaviour for processes of pid 1\n (they always retain their parent\u0027s capability masks where normally they\u0027d\n be changed - see cap_bprm_set_creds()).\n\n The following sequence of events now happens:\n\n (a) At the start of do_execve, the current task\u0027s cred_exec_mutex is\n \t locked to prevent PTRACE_ATTACH from obsoleting the calculation of\n \t creds that we make.\n\n (a) prepare_exec_creds() is then called to make a copy of the current\n \t task\u0027s credentials and prepare it. This copy is then assigned to\n \t bprm-\u003ecred.\n\n \t This renders security_bprm_alloc() and security_bprm_free()\n \t unnecessary, and so they\u0027ve been removed.\n\n (b) The determination of unsafe execution is now performed immediately\n \t after (a) rather than later on in the code. The result is stored in\n \t bprm-\u003eunsafe for future reference.\n\n (c) prepare_binprm() is called, possibly multiple times.\n\n \t (i) This applies the result of set[ug]id binaries to the new creds\n \t attached to bprm-\u003ecred. Personality bit clearance is recorded,\n \t but now deferred on the basis that the exec procedure may yet\n \t fail.\n\n (ii) This then calls the new security_bprm_set_creds(). This should\n\t calculate the new LSM and capability credentials into *bprm-\u003ecred.\n\n\t This folds together security_bprm_set() and parts of\n\t security_bprm_apply_creds() (these two have been removed).\n\t Anything that might fail must be done at this point.\n\n (iii) bprm-\u003ecred_prepared is set to 1.\n\n\t bprm-\u003ecred_prepared is 0 on the first pass of the security\n\t calculations, and 1 on all subsequent passes. This allows SELinux\n\t in (ii) to base its calculations only on the initial script and\n\t not on the interpreter.\n\n (d) flush_old_exec() is called to commit the task to execution. This\n \t performs the following steps with regard to credentials:\n\n\t (i) Clear pdeath_signal and set dumpable on certain circumstances that\n\t may not be covered by commit_creds().\n\n (ii) Clear any bits in current-\u003epersonality that were deferred from\n (c.i).\n\n (e) install_exec_creds() [compute_creds() as was] is called to install the\n \t new credentials. This performs the following steps with regard to\n \t credentials:\n\n (i) Calls security_bprm_committing_creds() to apply any security\n requirements, such as flushing unauthorised files in SELinux, that\n must be done before the credentials are changed.\n\n\t This is made up of bits of security_bprm_apply_creds() and\n\t security_bprm_post_apply_creds(), both of which have been removed.\n\t This function is not allowed to fail; anything that might fail\n\t must have been done in (c.ii).\n\n (ii) Calls commit_creds() to apply the new credentials in a single\n assignment (more or less). Possibly pdeath_signal and dumpable\n should be part of struct creds.\n\n\t (iii) Unlocks the task\u0027s cred_replace_mutex, thus allowing\n\t PTRACE_ATTACH to take place.\n\n (iv) Clears The bprm-\u003ecred pointer as the credentials it was holding\n are now immutable.\n\n (v) Calls security_bprm_committed_creds() to apply any security\n alterations that must be done after the creds have been changed.\n SELinux uses this to flush signals and signal handlers.\n\n (f) If an error occurs before (d.i), bprm_free() will call abort_creds()\n \t to destroy the proposed new credentials and will then unlock\n \t cred_replace_mutex. No changes to the credentials will have been\n \t made.\n\n (2) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_bprm_alloc(), -\u003ebprm_alloc_security()\n (*) security_bprm_free(), -\u003ebprm_free_security()\n\n \t Removed in favour of preparing new credentials and modifying those.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n (*) security_bprm_post_apply_creds(), -\u003ebprm_post_apply_creds()\n\n \t Removed; split between security_bprm_set_creds(),\n \t security_bprm_committing_creds() and security_bprm_committed_creds().\n\n (*) security_bprm_set(), -\u003ebprm_set_security()\n\n \t Removed; folded into security_bprm_set_creds().\n\n (*) security_bprm_set_creds(), -\u003ebprm_set_creds()\n\n \t New. The new credentials in bprm-\u003ecreds should be checked and set up\n \t as appropriate. bprm-\u003ecred_prepared is 0 on the first call, 1 on the\n \t second and subsequent calls.\n\n (*) security_bprm_committing_creds(), -\u003ebprm_committing_creds()\n (*) security_bprm_committed_creds(), -\u003ebprm_committed_creds()\n\n \t New. Apply the security effects of the new credentials. This\n \t includes closing unauthorised files in SELinux. This function may not\n \t fail. When the former is called, the creds haven\u0027t yet been applied\n \t to the process; when the latter is called, they have.\n\n \t The former may access bprm-\u003ecred, the latter may not.\n\n (3) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) The bprm_security_struct struct has been removed in favour of using\n \t the credentials-under-construction approach.\n\n (c) flush_unauthorized_files() now takes a cred pointer and passes it on\n \t to inode_has_perm(), file_has_perm() and dentry_open().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c69e8d9c01db2adc503464993c358901c9af9de4", "tree": "bed94aaa9aeb7a7834d1c880f72b62a11a752c78", "parents": [ "86a264abe542cfececb4df129bc45a0338d8cdb9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "message": "CRED: Use RCU to access another task\u0027s creds and to release a task\u0027s own creds\n\nUse RCU to access another task\u0027s creds and to release a task\u0027s own creds.\nThis means that it will be possible for the credentials of a task to be\nreplaced without another task (a) requiring a full lock to read them, and (b)\nseeing deallocated memory.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "86a264abe542cfececb4df129bc45a0338d8cdb9", "tree": "30152f04ba847f311028d5ca697f864c16c7ebb3", "parents": [ "f1752eec6145c97163dbce62d17cf5d928e28a27" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:18 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:18 2008 +1100" }, "message": "CRED: Wrap current-\u003ecred and a few other accessors\n\nWrap current-\u003ecred and a few other accessors to hide their actual\nimplementation.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f1752eec6145c97163dbce62d17cf5d928e28a27", "tree": "16bc51166d38815092de36a461b845b0b4b522f9", "parents": [ "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "message": "CRED: Detach the credentials from task_struct\n\nDetach the credentials from task_struct, duplicating them in copy_process()\nand releasing them in __put_task_struct().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a", "tree": "9e76f972eb7ce9b84e0146c8e4126a3f86acb428", "parents": [ "15a2460ed0af7538ca8e6c610fe607a2cd9da142" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "message": "CRED: Separate task security context from task_struct\n\nSeparate the task security context from task_struct. At this point, the\nsecurity data is temporarily embedded in the task_struct with two pointers\npointing to it.\n\nNote that the Alpha arch is altered as it refers to (E)UID and (E)GID in\nentry.S via asm-offsets.\n\nWith comment fixes Signed-off-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0da939b0058742ad2d8580b7db6b966d0fc72252", "tree": "47cb109fdf97135191bff5db4e3bfc905136bf8b", "parents": [ "4bdec11f560b8f405a011288a50e65b1a81b3654", "d91d40799165b0c84c97e7c71fb8039494ff07dc" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Oct 11 09:26:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Oct 11 09:26:14 2008 +1100" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/pcmoore/lblnet-2.6_next into next\n" }, { "commit": "b1edeb102397546438ab4624489c6ccd7b410d97", "tree": "ce7033f678ffe46ec3f517bb2771b9cbb04d62bb", "parents": [ "a8134296ba9940b5b271d908666e532d34430a3c" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "message": "netlabel: Replace protocol/NetLabel linking with refrerence counts\n\nNetLabel has always had a list of backpointers in the CIPSO DOI definition\nstructure which pointed to the NetLabel LSM domain mapping structures which\nreferenced the CIPSO DOI struct. The rationale for this was that when an\nadministrator removed a CIPSO DOI from the system all of the associated\nNetLabel LSM domain mappings should be removed as well; a list of\nbackpointers made this a simple operation.\n\nUnfortunately, while the backpointers did make the removal easier they were\na bit of a mess from an implementation point of view which was making\nfurther development difficult. Since the removal of a CIPSO DOI is a\nrealtively rare event it seems to make sense to remove this backpointer\nlist as the optimization was hurting us more then it was helping. However,\nwe still need to be able to track when a CIPSO DOI definition is being used\nso replace the backpointer list with a reference count. In order to\npreserve the current functionality of removing the associated LSM domain\nmappings when a CIPSO DOI is removed we walk the LSM domain mapping table,\nremoving the relevant entries.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a8134296ba9940b5b271d908666e532d34430a3c", "tree": "28ef03dc3c6a56bd43e5c9d4b8b303749e815342", "parents": [ "dfaebe9825ff34983778f287101bc5f3bce00640" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "message": "smack: Fix missing calls to netlbl_skbuff_err()\n\nSmack needs to call netlbl_skbuff_err() to let NetLabel do the necessary\nprotocol specific error handling.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n" }, { "commit": "86d688984deefa3ae5a802880c11f2b408b5d6cf", "tree": "7ea5e8189b0a774626d3ed7c3c87df2495a4c4a0", "parents": [ "93c06cbbf9fea5d5be1778febb7fa9ab1a74e5f5", "4c246edd2550304df5b766cc841584b2bb058843" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 28 10:47:34 2008 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 28 10:47:34 2008 +1000" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "5cd9c58fbe9ec92b45b27e131719af4f2bd9eb40", "tree": "8573db001b4dc3c2ad97102dda42b841c40b5f6c", "parents": [ "8d0968abd03ec6b407df117adc773562386702fa" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Aug 14 11:37:28 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 14 22:59:43 2008 +1000" }, "message": "security: Fix setting of PF_SUPERPRIV by __capable()\n\nFix the setting of PF_SUPERPRIV by __capable() as it could corrupt the flags\nthe target process if that is not the current process and it is trying to\nchange its own flags in a different way at the same time.\n\n__capable() is using neither atomic ops nor locking to protect t-\u003eflags. This\npatch removes __capable() and introduces has_capability() that doesn\u0027t set\nPF_SUPERPRIV on the process being queried.\n\nThis patch further splits security_ptrace() in two:\n\n (1) security_ptrace_may_access(). This passes judgement on whether one\n process may access another only (PTRACE_MODE_ATTACH for ptrace() and\n PTRACE_MODE_READ for /proc), and takes a pointer to the child process.\n current is the parent.\n\n (2) security_ptrace_traceme(). This passes judgement on PTRACE_TRACEME only,\n and takes only a pointer to the parent process. current is the child.\n\n In Smack and commoncap, this uses has_capability() to determine whether\n the parent will be permitted to use PTRACE_ATTACH if normal checks fail.\n This does not set PF_SUPERPRIV.\n\nTwo of the instances of __capable() actually only act on current, and so have\nbeen changed to calls to capable().\n\nOf the places that were using __capable():\n\n (1) The OOM killer calls __capable() thrice when weighing the killability of a\n process. All of these now use has_capability().\n\n (2) cap_ptrace() and smack_ptrace() were using __capable() to check to see\n whether the parent was allowed to trace any process. As mentioned above,\n these have been split. For PTRACE_ATTACH and /proc, capable() is now\n used, and for PTRACE_TRACEME, has_capability() is used.\n\n (3) cap_safe_nice() only ever saw current, so now uses capable().\n\n (4) smack_setprocattr() rejected accesses to tasks other than current just\n after calling __capable(), so the order of these two tests have been\n switched and capable() is used instead.\n\n (5) In smack_file_send_sigiotask(), we need to allow privileged processes to\n receive SIGIO on files they\u0027re manipulating.\n\n (6) In smack_task_wait(), we let a process wait for a privileged process,\n whether or not the process doing the waiting is privileged.\n\nI\u0027ve tested this with the LTP SELinux and syscalls testscripts.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "15446235367fa4a621ff5abfa4b6ebbe25b33763", "tree": "bc6823055afbef26560c63f8041caeadd4cef078", "parents": [ "cf9481e289247fe9cf40f2e2481220d899132049" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Wed Jul 30 15:37:11 2008 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 05 10:55:53 2008 +1000" }, "message": "smack: limit privilege by label\n\nThere have been a number of requests to make the Smack LSM\nenforce MAC even in the face of privilege, either capability\nbased or superuser based. This is not universally desired,\nhowever, so it seems desirable to make it optional. Further,\nat least one legacy OS implemented a scheme whereby only\nprocesses running with one particular label could be exempt\nfrom MAC. This patch supports these three cases.\n\nIf /smack/onlycap is empty (unset or null-string) privilege\nis enforced in the normal way.\n\nIf /smack/onlycap contains a label only processes running with\nthat label may be MAC exempt.\n\nIf the label in /smack/onlycap is the star label (\"*\") the\nsemantics of the star label combine with the privilege\nrestrictions to prevent any violations of MAC, even in the\npresence of privilege.\n\nAgain, this will be independent of the privilege scheme.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b77b0646ef4efe31a7449bb3d9360fd00f95433d", "tree": "f8487fe832fbe23400c9f98e808555f0251fb158", "parents": [ "a110343f0d6d41f68b7cf8c00b57a3172c67f816" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Jul 17 09:37:02 2008 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Jul 26 20:53:22 2008 -0400" }, "message": "[PATCH] pass MAY_OPEN to vfs_permission() explicitly\n\n... and get rid of the last \"let\u0027s deduce mask from nameidata-\u003eflags\"\nbit.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "6f0f0fd496333777d53daff21a4e3b28c4d03a6d", "tree": "202de67376fce2547b44ae5b016d6424c3c7409c", "parents": [ "93cbace7a058bce7f99319ef6ceff4b78cf45051" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jul 10 17:02:07 2008 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 14 15:04:06 2008 +1000" }, "message": "security: remove register_security hook\n\nThe register security hook is no longer required, as the capability\nmodule is always registered. LSMs wishing to stack capability as\na secondary module should do so explicitly.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n" }, { "commit": "006ebb40d3d65338bd74abb03b945f8d60e362bd", "tree": "c548c678b54b307e1fb9acf94676fb7bfd849501", "parents": [ "feb2a5b82d87fbdc01c00b7e9413e4b5f4c1f0c1" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Mon May 19 08:32:49 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 14 15:01:47 2008 +1000" }, "message": "Security: split proc ptrace checking into read vs. attach\n\nEnable security modules to distinguish reading of process state via\nproc from full ptrace access by renaming ptrace_may_attach to\nptrace_may_access and adding a mode argument indicating whether only\nread access or full attach access is requested. This allows security\nmodules to permit access to reading process state without granting\nfull ptrace access. The base DAC/capability checking remains unchanged.\n\nRead access to /proc/pid/mem continues to apply a full ptrace attach\ncheck since check_mem_permission() already requires the current task\nto already be ptracing the target. The other ptrace checks within\nproc for elements like environ, maps, and fds are changed to pass the\nread mode instead of attach.\n\nIn the SELinux case, we model such reading of process state as a\nreading of a proc file labeled with the target process\u0027 label. This\nenables SELinux policy to permit such reading of process state without\npermitting control or manipulation of the target process, as there are\na number of cases where programs probe for such information via proc\nbut do not need to be able to control the target (e.g. procps,\nlsof, PolicyKit, ConsoleKit). At present we have to choose between\nallowing full ptrace in policy (more permissive than required/desired)\nor breaking functionality (or in some cases just silencing the denials\nvia dontaudit rules but this can hide genuine attacks).\n\nThis version of the patch incorporates comments from Casey Schaufler\n(change/replace existing ptrace_may_attach interface, pass access\nmode), and Chris Wright (provide greater consistency in the checking).\n\nNote that like their predecessors __ptrace_may_attach and\nptrace_may_attach, the __ptrace_may_access and ptrace_may_access\ninterfaces use different return value conventions from each other (0\nor -errno vs. 1 or 0). I retained this difference to avoid any\nchanges to the caller logic but made the difference clearer by\nchanging the latter interface to return a bool rather than an int and\nby adding a comment about it to ptrace.h for any future callers.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e97dcb0eadbb821eccd549d4987b653cf61e2374", "tree": "0dc9cddcac54dcdc35f7e1ddf6e190947ec86320", "parents": [ "246dd412d31e4f5de1d43aa6422a325b785f36e4" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Mon Jun 02 10:04:32 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 04 08:50:43 2008 -0700" }, "message": "Smack: fuse mount hang fix\n\nThe d_instantiate hook for Smack can hang on the root inode of a\nfilesystem if the file system code has not really done all the set-up.\nFuse is known to encounter this problem.\n\nThis change detects an attempt to instantiate a root inode and addresses\nit early in the processing, before any attempt is made to do something\nthat might hang.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nTested-by: Luiz Fernando N. Capitulino \u003clcapitulino@mandriva.com.br\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3b5e9e53c6f31b5a5a0f5c43707503c62bdefa46", "tree": "1244b7cf2755c06a8a793149ce4717e4a1311218", "parents": [ "9e3bd6c3fb2334be171e69b432039cd18bce4458" ], "author": { "name": "Oleg Nesterov", "email": "oleg@tv-sign.ru", "time": "Wed Apr 30 00:52:42 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Apr 30 08:29:34 2008 -0700" }, "message": "signals: cleanup security_task_kill() usage/implementation\n\nEvery implementation of -\u003etask_kill() does nothing when the signal comes from\nthe kernel. This is correct, but means that check_kill_permission() should\ncall security_task_kill() only for SI_FROMUSER() case, and we can remove the\nsame check from -\u003etask_kill() implementations.\n\n(sadly, check_kill_permission() is the last user of signal-\u003esession/__session\n but we can\u0027t s/task_session_nr/task_session/ here).\n\nNOTE: Eric W. Biederman pointed out cap_task_kill() should die, and I think\nhe is very right.\n\nSigned-off-by: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Roland McGrath \u003croland@redhat.com\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: David Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nCc: Eric Paris \u003ceparis@redhat.com\u003e\nCc: Harald Welte \u003claforge@gnumonks.org\u003e\nCc: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "d20bdda6d45a4035e48ca7ae467a0d955c1ffc60", "tree": "634f8bcc6ad7382a79be1081575ee12e7006c375", "parents": [ "780db6c104de48104501f5943361f2371564b85d" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Wed Apr 30 08:34:10 2008 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Apr 30 08:34:10 2008 +1000" }, "message": "Smack: Integrate Smack with Audit\n\nSetup the new Audit hooks for Smack. SELinux Audit rule fields are recycled\nto avoid `auditd\u0027 userspace modifications. Currently only equality testing\nis supported on labels acting as a subject (AUDIT_SUBJ_USER) or as an object\n(AUDIT_OBJ_USER).\n\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n" }, { "commit": "e52c1764f18a62776a0f2bc6752fb76b6e345827", "tree": "b60a62585dfe511d9216cdd4a207fd07df1b2f99", "parents": [ "7663c1e2792a9662b23dec6e19bfcd3d55360b8f" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 20:52:51 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Apr 30 08:23:51 2008 +1000" }, "message": "Security: Make secctx_to_secid() take const secdata\n\nMake secctx_to_secid() take constant secdata.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9781db7b345b5dfe93787aaaf310c861db7c1ede", "tree": "d9796e29fd914ca04835636be95bbd5082a034fd", "parents": [ "97094dcf5cefc8ccfdf93839f54dac2c4d316165", "8b67dca9420474623709e00d72a066068a502b20" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 11:41:22 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 11:41:22 2008 -0700" }, "message": "Merge branch \u0027audit.b50\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current\n\n* \u0027audit.b50\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:\n [PATCH] new predicate - AUDIT_FILETYPE\n [patch 2/2] Use find_task_by_vpid in audit code\n [patch 1/2] audit: let userspace fully control TTY input auditing\n [PATCH 2/2] audit: fix sparse shadowed variable warnings\n [PATCH 1/2] audit: move extern declarations to audit.h\n Audit: MAINTAINERS update\n Audit: increase the maximum length of the key field\n Audit: standardize string audit interfaces\n Audit: stop deadlock from signals under load\n Audit: save audit_backlog_limit audit messages in case auditd comes back\n Audit: collect sessionid in netlink messages\n Audit: end printk with newline\n" }, { "commit": "8f0cfa52a1d4ffacd8e7de906d19662f5da58d58", "tree": "2aa82e3682e75330d9b5d601855e3af3c57c03d8", "parents": [ "7ec02ef1596bb3c829a7e8b65ebf13b87faf1819" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 00:59:41 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:06 2008 -0700" }, "message": "xattr: add missing consts to function arguments\n\nAdd missing consts to xattr function arguments.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Andreas Gruenbacher \u003cagruen@suse.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "1236cc3cf8c69bd316c940b2e94f91b3795f97fe", "tree": "c33374ffa89d34f901d91888851970071700c38d", "parents": [ "30aa4faf62b2dd9b239ae06ca7a85f1d36d7ef25" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Mon Apr 28 02:13:43 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 28 08:58:27 2008 -0700" }, "message": "smack: use cap_task_prctl\n\nWith the introduction of per-process securebits, the capabilities-related\nprctl callbacks were moved into cap_task_prctl(). Have smack use\ncap_task_prctl() so that PR_SET_KEEPCAPS is defined.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "30aa4faf62b2dd9b239ae06ca7a85f1d36d7ef25", "tree": "37eb2c4fa1195f668d1d3a16653bdc93da5f5e6b", "parents": [ "55d00ccfb336b4f85a476a24e18c17b2eaff919e" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Mon Apr 28 02:13:43 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 28 08:58:27 2008 -0700" }, "message": "smack: make smk_cipso_doi() and smk_unlbl_ambient()\n\nThe functions smk_cipso_doi and smk_unlbl_ambient are not used outside\nsmackfs.c and should hence be static.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c60264c494a119cd3a716a22edc0137b11de6d1e", "tree": "db985b1529a6a136a7f439a9a557bcb80278e471", "parents": [ "3898b1b4ebff8dcfbcf1807e0661585e06c9a91c" ], "author": { "name": "Harvey Harrison", "email": "harvey.harrison@gmail.com", "time": "Mon Apr 28 02:13:41 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 28 08:58:27 2008 -0700" }, "message": "smack: fix integer as NULL pointer warning in smack_lsm.c\n\nsecurity/smack/smack_lsm.c:1257:16: warning: Using plain integer as NULL pointer\n\nSigned-off-by: Harvey Harrison \u003charvey.harrison@gmail.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2532386f480eefbdd67b48be55fb4fb3e5a6081c", "tree": "dd6a5a3c4116a67380a1336319c16632f04f80f9", "parents": [ "436c405c7d19455a71f42c9bec5fd5e028f1eb4e" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Apr 18 10:09:25 2008 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Apr 28 06:18:03 2008 -0400" }, "message": "Audit: collect sessionid in netlink messages\n\nPreviously I added sessionid output to all audit messages where it was\navailable but we still didn\u0027t know the sessionid of the sender of\nnetlink messages. This patch adds that information to netlink messages\nso we can audit who sent netlink messages.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "b5266eb4c8d1a2887a19aaec8144ee4ad1b054c3", "tree": "37105d0640169ad758d20847cf3effe77381f50f", "parents": [ "1a60a280778ff90270fc7390d9ec102f713a5a29" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Mar 22 17:48:24 2008 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Apr 21 23:13:23 2008 -0400" }, "message": "[PATCH] switch a bunch of LSM hooks from nameidata to path\n\nNamely, ones from namespace.c\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "3925e6fc1f774048404fdd910b0345b06c699eb4", "tree": "c9a58417d9492f39f7fe81d4721d674c34dd8be2", "parents": [ "334d094504c2fe1c44211ecb49146ae6bca8c321", "7cea51be4e91edad05bd834f3235b45c57783f0d" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Apr 18 18:18:30 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Apr 18 18:18:30 2008 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n security: fix up documentation for security_module_enable\n Security: Introduce security\u003d boot parameter\n Audit: Final renamings and cleanup\n SELinux: use new audit hooks, remove redundant exports\n Audit: internally use the new LSM audit hooks\n LSM/Audit: Introduce generic Audit LSM hooks\n SELinux: remove redundant exports\n Netlink: Use generic LSM hook\n Audit: use new LSM hooks instead of SELinux exports\n SELinux: setup new inode/ipc getsecid hooks\n LSM: Introduce inode_getsecid and ipc_getsecid hooks\n" }, { "commit": "076c54c5bcaed2081c0cba94a6f77c4d470236ad", "tree": "5e8f05cab20a49922618bb3af697a6b46e610eee", "parents": [ "04305e4aff8b0533dc05f9f6f1a34d0796bd985f" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Thu Mar 06 18:09:10 2008 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Apr 19 10:00:51 2008 +1000" }, "message": "Security: Introduce security\u003d boot parameter\n\nAdd the security\u003d boot parameter. This is done to avoid LSM\nregistration clashes in case of more than one bult-in module.\n\nUser can choose a security module to enable at boot. If no\nsecurity\u003d boot parameter is specified, only the first LSM\nasking for registration will be loaded. An invalid security\nmodule name will be treated as if no module has been chosen.\n\nLSM modules must check now if they are allowed to register\nby calling security_module_enable(ops) first. Modify SELinux\nand SMACK to do so.\n\nDo not let SMACK register smackfs if it was not chosen on\nboot. Smackfs assumes that smack hooks are registered and\nthe initial task security setup (swapper-\u003esecurity) is done.\n\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "00447872a643787411c2c0cb1df6169dda8b0c47", "tree": "ea4215f6f3040507b46bf90fe133ca73a59c9c0e", "parents": [ "b9f3124f08fffe2ad706fd164f6702fdca409a91" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Sat Apr 12 19:06:42 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Apr 12 19:06:42 2008 -0700" }, "message": "NetLabel: Allow passing the LSM domain as a shared pointer\n\nSmack doesn\u0027t have the need to create a private copy of the LSM \"domain\" when\nsetting NetLabel security attributes like SELinux, however, the current\nNetLabel code requires a private copy of the LSM \"domain\". This patches fixes\nthat by letting the LSM determine how it wants to pass the domain value.\n\n * NETLBL_SECATTR_DOMAIN_CPY\n The current behavior, NetLabel assumes that the domain value is a copy and\n frees it when done\n\n * NETLBL_SECATTR_DOMAIN\n New, Smack-friendly behavior, NetLabel assumes that the domain value is a\n reference to a string managed by the LSM and does not free it when done\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "cb622bbb69e41f2746aadf5d7d527e77597abe2e", "tree": "537a1ce6f76bd915bf9acd197d6bf4d042063998", "parents": [ "58336114af4d2cce830201aae49e50b93ede6c5c" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Mon Mar 24 12:29:49 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Mar 24 19:22:19 2008 -0700" }, "message": "smackfs: remove redundant lock, fix open(,O_RDWR)\n\nOlder smackfs was parsing MAC rules by characters, thus a need of locking\nwrite sessions on open() was needed. This lock is no longer useful now since\neach rule is handled by a single write() call.\n\nThis is also a bugfix since seq_open() was not called if an open() O_RDWR flag\nwas given, leading to a seq_read() without an initialized seq_file, thus an\nOops.\n\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nReported-by: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "aedb60a67c10a0861af179725d060765262ba0fb", "tree": "4a4a316f9f7d1ab0bf4da2cdd5c802bfb05c947f", "parents": [ "457fb605834504af294916411be128a9b21fc3f6" ], "author": { "name": "Serge Hallyn", "email": "serge@hallyn.com", "time": "Fri Feb 29 15:14:57 2008 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 20 09:46:36 2008 -0700" }, "message": "file capabilities: remove cap_task_kill()\n\nThe original justification for cap_task_kill() was as follows:\n\n\tcheck_kill_permission() does appropriate uid equivalence checks.\n\tHowever with file capabilities it becomes possible for an\n\tunprivileged user to execute a file with file capabilities\n\tresulting in a more privileged task with the same uid.\n\nHowever now that cap_task_kill() always returns 0 (permission\ngranted) when p-\u003euid\u003d\u003dcurrent-\u003euid, the whole hook is worthless,\nand only likely to create more subtle problems in the corner cases\nwhere it might still be called but return -EPERM. Those cases\nare basically when uids are different but euid/suid is equivalent\nas per the check in check_kill_permission().\n\nOne example of a still-broken application is \u0027at\u0027 for non-root users.\n\nThis patch removes cap_task_kill().\n\nSigned-off-by: Serge Hallyn \u003cserge@hallyn.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nEarlier-version-tested-by: Luiz Fernando N. Capitulino \u003clcapitulino@mandriva.com.br\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "1d252fb870aa9cd227c4beb1a226ecd434f57f28", "tree": "4a7b956c01487454b139e1df271518f36ca32285", "parents": [ "4ebf89845bea44a164d1fbb8fa319379ec7132de" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Wed Mar 19 17:00:51 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 19 18:53:36 2008 -0700" }, "message": "smack: do not dereference NULL ipc object\n\nIn the SYSV ipc msgctl(),semctl(),shmctl() family, if the user passed *_INFO\nas the desired operation, no specific object is meant to be controlled and\nonly system-wide information is returned. This leads to a NULL IPC object in\nthe LSM hooks if the _INFO flag is given.\n\nAvoid dereferencing this NULL pointer in Smack ipc *ctl() methods.\n\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b500ce8d24d1f14426643da5f6fada28c1f60533", "tree": "17b6084b29434a968f787e238548a843126e2ec3", "parents": [ "93d74463d018ddf05c169ad399e62e90e0f82fc0" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Thu Mar 13 12:32:34 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 13 13:11:43 2008 -0700" }, "message": "smackfs: do not trust `count\u0027 in inodes write()s\n\nSmackfs write() implementation does not put a higher bound on the number of\nbytes to copy from user-space. This may lead to a DOS attack if a malicious\n`count\u0027 field is given.\n\nAssure that given `count\u0027 is exactly the length needed for a /smack/load rule.\n In case of /smack/cipso where the length is relative, assure that `count\u0027\ndoes not exceed the size needed for a buffer representing maximum possible\nnumber of CIPSO 2.2 categories.\n\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "e0007529893c1c064be90bd21422ca0da4a0198e", "tree": "c2334ba940e682183a18d18972cf95bd3a3da46a", "parents": [ "29e8c3c304b62f31b799565c9ee85d42bd163f80" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Mar 05 10:31:54 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 06 08:40:53 2008 +1100" }, "message": "LSM/SELinux: Interfaces to allow FS to control mount options\n\nIntroduce new LSM interfaces to allow an FS to deal with their own mount\noptions. This includes a new string parsing function exported from the\nLSM that an FS can use to get a security data blob and a new security\ndata blob. This is particularly useful for an FS which uses binary\nmount data, like NFS, which does not pass strings into the vfs to be\nhandled by the loaded LSM. Also fix a BUG() in both SELinux and SMACK\nwhen dealing with binary mount data. If the binary mount data is less\nthan one page the copy_page() in security_sb_copy_data() can cause an\nillegal page fault and boom. Remove all NFSisms from the SELinux code\nsince they were broken by past NFS changes.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bcdca225bfa016100985e5fc7e51cdc1d68beaa6", "tree": "4af588f69c754a6380dae17b00de20b0f2f3b149", "parents": [ "43627582799db317e966ecb0002c2c3c9805ec0f" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Sat Feb 23 15:24:04 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Sat Feb 23 17:13:24 2008 -0800" }, "message": "Smack: update for file capabilities\n\nUpdate the Smack LSM to allow the registration of the capability \"module\"\nas a secondary LSM. Integrate the new hooks required for file based\ncapabilities.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4bc87e62775052aac0be7574d5f84ff06f61c6b4", "tree": "23063e82de8f7b7506d795919d7d4c13725e74a0", "parents": [ "9a4c8546f3e7c893888bccc2b3416d6214f2664a" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Fri Feb 15 15:24:25 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 19 07:51:00 2008 -0800" }, "message": "Smack: unlabeled outgoing ambient packets\n\nSmack uses CIPSO labeling, but allows for unlabeled packets by\nspecifying an \"ambient\" label that is applied to incoming unlabeled\npackets.\n\nBecause the other end of the connection may dislike IP options, and ssh\nis one know application that behaves thus, it is prudent to respond in\nkind.\n\nThis patch changes the network labeling behavior such that an outgoing\npacket that would be given a CIPSO label that matches the ambient label\nis left unlabeled. An \"unlbl\" domain is added and the netlabel\ndefaulting mechanism invoked rather than assuming that everything is\nCIPSO. Locking has been added around changes to the ambient label as\nthe mechanisms used to do so are more involved.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4ac9137858e08a19f29feac4e1f4df7c268b0ba5", "tree": "f5b5d84fd12fcc2b0ba0e7ce1a79ff381ad8f5dd", "parents": [ "c5e725f33b733a77de622e91b6ba5645fcf070be" ], "author": { "name": "Jan Blunck", "email": "jblunck@suse.de", "time": "Thu Feb 14 19:34:32 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Feb 14 21:13:33 2008 -0800" }, "message": "Embed a struct path into struct nameidata instead of nd-\u003e{dentry,mnt}\n\nThis is the central patch of a cleanup series. In most cases there is no good\nreason why someone would want to use a dentry for itself. This series reflects\nthat fact and embeds a struct path into nameidata.\n\nTogether with the other patches of this series\n- it enforced the correct order of getting/releasing the reference count on\n \u003cdentry,vfsmount\u003e pairs\n- it prepares the VFS for stacking support since it is essential to have a\n struct path in every place where the stack can be traversed\n- it reduces the overall code size:\n\nwithout patch series:\n text data bss dec hex filename\n5321639 858418 715768 6895825 6938d1 vmlinux\n\nwith patch series:\n text data bss dec hex filename\n5320026 858418 715768 6894212 693284 vmlinux\n\nThis patch:\n\nSwitch from nd-\u003e{dentry,mnt} to nd-\u003epath.{dentry,mnt} everywhere.\n\n[akpm@linux-foundation.org: coding-style fixes]\n[akpm@linux-foundation.org: fix cifs]\n[akpm@linux-foundation.org: fix smack]\nSigned-off-by: Jan Blunck \u003cjblunck@suse.de\u003e\nSigned-off-by: Andreas Gruenbacher \u003cagruen@suse.de\u003e\nAcked-by: Christoph Hellwig \u003chch@lst.de\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2e1d146a19f2941aec08f60ca67fb2763baad595", "tree": "14831c6332b2d4004a7551354be46526a0c6f426", "parents": [ "cba44359d15ac7a3bca2c9199b7ff403d7edc69e" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Wed Feb 13 15:03:34 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Feb 13 16:21:20 2008 -0800" }, "message": "Smack: check for \u0027struct socket\u0027 with NULL sk\n\nThere\u0027s a small problem with smack and NFS. A similar report was also\nsent here: http://lkml.org/lkml/2007/10/27/85\n\nI\u0027ve also added similar checks in inode_{get/set}security(). Cheating from\nSELinux post_create_socket(), it does the same.\n\n[akpm@linux-foundation.org: remove uneeded BUG_ON()]\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schuafler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "e114e473771c848c3cfec05f0123e70f1cdbdc99", "tree": "933b840f3ccac6860da56291c742094f9b5a20cb", "parents": [ "eda61d32e8ad1d9102872f9a0abf3344bf9c5e67" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Mon Feb 04 22:29:50 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "Smack: Simplified Mandatory Access Control Kernel\n\nSmack is the Simplified Mandatory Access Control Kernel.\n\nSmack implements mandatory access control (MAC) using labels\nattached to tasks and data containers, including files, SVIPC,\nand other tasks. Smack is a kernel based scheme that requires\nan absolute minimum of application support and a very small\namount of configuration data.\n\nSmack uses extended attributes and\nprovides a set of general mount options, borrowing technics used\nelsewhere. Smack uses netlabel for CIPSO labeling. Smack provides\na pseudo-filesystem smackfs that is used for manipulation of\nsystem Smack attributes.\n\nThe patch, patches for ls and sshd, a README, a startup script,\nand x86 binaries for ls and sshd are also available on\n\n http://www.schaufler-ca.com\n\nDevelopment has been done using Fedora Core 7 in a virtual machine\nenvironment and on an old Sony laptop.\n\nSmack provides mandatory access controls based on the label attached\nto a task and the label attached to the object it is attempting to\naccess. Smack labels are deliberately short (1-23 characters) text\nstrings. Single character labels using special characters are reserved\nfor system use. The only operation applied to Smack labels is equality\ncomparison. No wildcards or expressions, regular or otherwise, are\nused. Smack labels are composed of printable characters and may not\ninclude \"/\".\n\nA file always gets the Smack label of the task that created it.\n\nSmack defines and uses these labels:\n\n \"*\" - pronounced \"star\"\n \"_\" - pronounced \"floor\"\n \"^\" - pronounced \"hat\"\n \"?\" - pronounced \"huh\"\n\nThe access rules enforced by Smack are, in order:\n\n1. Any access requested by a task labeled \"*\" is denied.\n2. A read or execute access requested by a task labeled \"^\"\n is permitted.\n3. A read or execute access requested on an object labeled \"_\"\n is permitted.\n4. Any access requested on an object labeled \"*\" is permitted.\n5. Any access requested by a task on an object with the same\n label is permitted.\n6. Any access requested that is explicitly defined in the loaded\n rule set is permitted.\n7. Any other access is denied.\n\nRules may be explicitly defined by writing subject,object,access\ntriples to /smack/load.\n\nSmack rule sets can be easily defined that describe Bell\u0026LaPadula\nsensitivity, Biba integrity, and a variety of interesting\nconfigurations. Smack rule sets can be modified on the fly to\naccommodate changes in the operating environment or even the time\nof day.\n\nSome practical use cases:\n\nHierarchical levels. The less common of the two usual uses\nfor MLS systems is to define hierarchical levels, often\nunclassified, confidential, secret, and so on. To set up smack\nto support this, these rules could be defined:\n\n C Unclass rx\n S C rx\n S Unclass rx\n TS S rx\n TS C rx\n TS Unclass rx\n\nA TS process can read S, C, and Unclass data, but cannot write it.\nAn S process can read C and Unclass. Note that specifying that\nTS can read S and S can read C does not imply TS can read C, it\nhas to be explicitly stated.\n\nNon-hierarchical categories. This is the more common of the\nusual uses for an MLS system. Since the default rule is that a\nsubject cannot access an object with a different label no\naccess rules are required to implement compartmentalization.\n\nA case that the Bell \u0026 LaPadula policy does not allow is demonstrated\nwith this Smack access rule:\n\nA case that Bell\u0026LaPadula does not allow that Smack does:\n\n ESPN ABC r\n ABC ESPN r\n\nOn my portable video device I have two applications, one that\nshows ABC programming and the other ESPN programming. ESPN wants\nto show me sport stories that show up as news, and ABC will\nonly provide minimal information about a sports story if ESPN\nis covering it. Each side can look at the other\u0027s info, neither\ncan change the other. Neither can see what FOX is up to, which\nis just as well all things considered.\n\nAnother case that I especially like:\n\n SatData Guard w\n Guard Publish w\n\nA program running with the Guard label opens a UDP socket and\naccepts messages sent by a program running with a SatData label.\nThe Guard program inspects the message to ensure it is wholesome\nand if it is sends it to a program running with the Publish label.\nThis program then puts the information passed in an appropriate\nplace. Note that the Guard program cannot write to a Publish\nfile system object because file system semanitic require read as\nwell as write.\n\nThe four cases (categories, levels, mutual read, guardbox) here\nare all quite real, and problems I\u0027ve been asked to solve over\nthe years. The first two are easy to do with traditonal MLS systems\nwhile the last two you can\u0027t without invoking privilege, at least\nfor a while.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Joshua Brindle \u003cmethod@manicmethod.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \"Ahmed S. Darwish\" \u003cdarwish.07@gmail.com\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" } ] }