)]}' { "log": [ { "commit": "3263245de48344ad7bdd0e7256bf1606d2592f88", "tree": "a6fa31305f5b6558d882b2dad29ed9a720167ee0", "parents": [ "8409cca7056113bee3236cb6a8e4d8d4d1eef102" ], "author": { "name": "Serge E. Hallyn", "email": "serge.hallyn@canonical.com", "time": "Wed Mar 23 16:43:21 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 23 19:47:06 2011 -0700" }, "message": "userns: make has_capability* into real functions\n\nSo we can let type safety keep things sane, and as a bonus we can remove\nthe declaration of init_user_ns in capability.h.\n\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nCc: Daniel Lezcano \u003cdaniel.lezcano@free.fr\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3486740a4f32a6a466f5ac931654d154790ba648", "tree": "ac5d968a66057fa84933b8f89fd3e916270dffed", "parents": [ "59607db367c57f515183cb203642291bb14d9c40" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Wed Mar 23 16:43:17 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 23 19:47:02 2011 -0700" }, "message": "userns: security: make capabilities relative to the user namespace\n\n- Introduce ns_capable to test for a capability in a non-default\n user namespace.\n- Teach cap_capable to handle capabilities in a non-default\n user namespace.\n\nThe motivation is to get to the unprivileged creation of new\nnamespaces. It looks like this gets us 90% of the way there, with\nonly potential uid confusion issues left.\n\nI still need to handle getting all caps after creation but otherwise I\nthink I have a good starter patch that achieves all of your goals.\n\nChangelog:\n\t11/05/2010: [serge] add apparmor\n\t12/14/2010: [serge] fix capabilities to created user namespaces\n\tWithout this, if user serge creates a user_ns, he won\u0027t have\n\tcapabilities to the user_ns he created. THis is because we\n\twere first checking whether his effective caps had the caps\n\the needed and returning -EPERM if not, and THEN checking whether\n\the was the creator. Reverse those checks.\n\t12/16/2010: [serge] security_real_capable needs ns argument in !security case\n\t01/11/2011: [serge] add task_ns_capable helper\n\t01/11/2011: [serge] add nsown_capable() helper per Bastian Blank suggestion\n\t02/16/2011: [serge] fix a logic bug: the root user is always creator of\n\t\t init_user_ns, but should not always have capabilities to\n\t\t it! Fix the check in cap_capable().\n\t02/21/2011: Add the required user_ns parameter to security_capable,\n\t\t fixing a compile failure.\n\t02/23/2011: Convert some macros to functions as per akpm comments. Some\n\t\t couldn\u0027t be converted because we can\u0027t easily forward-declare\n\t\t them (they are inline if !SECURITY, extern if SECURITY). Add\n\t\t a current_user_ns function so we can use it in capability.h\n\t\t without #including cred.h. Move all forward declarations\n\t\t together to the top of the #ifdef __KERNEL__ section, and use\n\t\t kernel-doc format.\n\t02/23/2011: Per dhowells, clean up comment in cap_capable().\n\t02/23/2011: Per akpm, remove unreachable \u0027return -EPERM\u0027 in cap_capable.\n\n(Original written and signed off by Eric; latest, modified version\nacked by him)\n\n[akpm@linux-foundation.org: fix build]\n[akpm@linux-foundation.org: export current_user_ns() for ecryptfs]\n[serge.hallyn@canonical.com: remove unneeded extra argument in selinux\u0027s task_has_capability]\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nAcked-by: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nAcked-by: Daniel Lezcano \u003cdaniel.lezcano@free.fr\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "6037b715d6fab139742c3df8851db4c823081561", "tree": "aba9e9427debd4fa5b904daefa8e71a6320f4b93", "parents": [ "deabb19ba4bd8c06ae69bc262e3594b515e3a459" ], "author": { "name": "Chris Wright", "email": "chrisw@sous-sol.org", "time": "Wed Feb 09 22:11:51 2011 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 11 17:41:58 2011 +1100" }, "message": "security: add cred argument to security_capable()\n\nExpand security_capable() to include cred, so that it can be usable in a\nwider range of call sites.\n\nSigned-off-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "32bd7eb5a7f4596c8440dd9440322fe9e686634d", "tree": "f1d0c0a215c1305aec0a8f407b431a975f7ad072", "parents": [ "c9494727cf293ae2ec66af57547a3e79c724fec2" ], "author": { "name": "Li Zefan", "email": "lizf@cn.fujitsu.com", "time": "Wed Mar 24 13:17:19 2010 +0800" }, "committer": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Fri Apr 02 20:12:00 2010 +0200" }, "message": "sched: Remove remaining USER_SCHED code\n\nThis is left over from commit 7c9414385e (\"sched: Remove USER_SCHED\"\")\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nAcked-by: Dhaval Giani \u003cdhaval.giani@gmail.com\u003e\nSigned-off-by: Peter Zijlstra \u003ca.p.zijlstra@chello.nl\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nLKML-Reference: \u003c4BA9A05F.7010407@cn.fujitsu.com\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n" }, { "commit": "86fc80f16e8a2449d5827bf1a9838b7fd9f70097", "tree": "23f4d20995f9538c6f609baa2d0bf3315f013b46", "parents": [ "67fa4880c5e059428392ca6f7c2f9c38e8546fea" ], "author": { "name": "Thomas Gleixner", "email": "tglx@linutronix.de", "time": "Wed Dec 09 17:13:31 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 10 09:42:48 2009 +1100" }, "message": "capabilities: Use RCU to protect task lookup in sys_capget\n\ncap_get_target_pid() protects the task lookup with tasklist_lock.\nsecurity_capget() is called under tasklist_lock as well but\ntasklist_lock does not protect anything there. The capabilities are\nprotected by RCU already.\n\nSo tasklist_lock only protects the lookup and prevents the task going\naway, which can be done with rcu_read_lock() as well.\n\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b3a222e52e4d4be77cc4520a57af1a4a0d8222d1", "tree": "1c3d5df529a404636b996ef39c991c9b8813aa12", "parents": [ "0bce95279909aa4cc401a2e3140b4295ca22e72a" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Mon Nov 23 16:21:30 2009 -0600" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 24 15:06:47 2009 +1100" }, "message": "remove CONFIG_SECURITY_FILE_CAPABILITIES compile option\n\nAs far as I know, all distros currently ship kernels with default\nCONFIG_SECURITY_FILE_CAPABILITIES\u003dy. Since having the option on\nleaves a \u0027no_file_caps\u0027 option to boot without file capabilities,\nthe main reason to keep the option is that turning it off saves\nyou (on my s390x partition) 5k. In particular, vmlinux sizes\ncame to:\n\nwithout patch fscaps\u003dn:\t\t \t53598392\nwithout patch fscaps\u003dy:\t\t \t53603406\nwith this patch applied:\t\t53603342\n\nwith the security-next tree.\n\nAgainst this we must weigh the fact that there is no simple way for\nuserspace to figure out whether file capabilities are supported,\nwhile things like per-process securebits, capability bounding\nsets, and adding bits to pI if CAP_SETPCAP is in pE are not supported\nwith SECURITY_FILE_CAPABILITIES\u003dn, leaving a bit of a problem for\napplications wanting to know whether they can use them and/or why\nsomething failed.\n\nIt also adds another subtly different set of semantics which we must\nmaintain at the risk of severe security regressions.\n\nSo this patch removes the SECURITY_FILE_CAPABILITIES compile\noption. It drops the kernel size by about 50k over the stock\nSECURITY_FILE_CAPABILITIES\u003dy kernel, by removing the\ncap_limit_ptraced_target() function.\n\nChangelog:\n\tNov 20: remove cap_limit_ptraced_target() as it\u0027s logic\n\t\twas ifndef\u0027ed.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew G. Morgan\" \u003cmorgan@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c4a5af54c8ef277a59189fc9358e190f3c1b8206", "tree": "eab45631ca769f92f01276066ee58861ad494d18", "parents": [ "fe542cf59bf0b31afe72b9e9749c0f6645419fa0" ], "author": { "name": "Andrew G. Morgan", "email": "morgan@kernel.org", "time": "Mon Nov 23 04:57:52 2009 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 24 08:53:29 2009 +1100" }, "message": "Silence the existing API for capability version compatibility check.\n\nWhen libcap, or other libraries attempt to confirm/determine the supported\ncapability version magic, they generally supply a NULL dataptr to capget().\n\nIn this case, while returning the supported/preferred magic (via a\nmodified header content), the return code of this system call may be 0,\n-EINVAL, or -EFAULT.\n\nNo libcap code depends on the previous -EINVAL etc. return code, and\nall of the above three return codes can accompany a valid (successful)\nattempt to determine the requested magic value.\n\nThis patch cleans up the system call to return 0, if the call is\nsuccessfully being used to determine the supported/preferred capability\nmagic value.\n\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Steve Grubb \u003csgrubb@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "825332e4ff1373c55d931b49408df7ec2298f71e", "tree": "f489a311e576eb1b45ff62cbc0cccbe3bea2baeb", "parents": [ "a27ab9f26b729326778271c1efd895aef4fda1c4" ], "author": { "name": "Arjan van de Ven", "email": "arjan@infradead.org", "time": "Wed Oct 14 08:17:36 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Oct 14 08:17:36 2009 +1100" }, "message": "capabilities: simplify bound checks for copy_from_user()\n\nThe capabilities syscall has a copy_from_user() call where gcc currently\ncannot prove to itself that the copy is always within bounds.\n\nThis patch adds a very explicity bound check to prove to gcc that this\ncopy_from_user cannot overflow its destination buffer.\n\nSigned-off-by: Arjan van de Ven \u003carjan@linux.intel.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b290ebe2c46d01b742b948ce03f09e8a3efb9a92", "tree": "4419602f911a8205de2160c56a0ff844f350557e", "parents": [ "ae1251ab785f6da87219df8352ffdac68bba23e4" ], "author": { "name": "Heiko Carstens", "email": "heiko.carstens@de.ibm.com", "time": "Wed Jan 14 14:14:06 2009 +0100" }, "committer": { "name": "Heiko Carstens", "email": "heiko.carstens@de.ibm.com", "time": "Wed Jan 14 14:15:19 2009 +0100" }, "message": "[CVE-2009-0029] System call wrappers part 04\n\nSigned-off-by: Heiko Carstens \u003cheiko.carstens@de.ibm.com\u003e\n" }, { "commit": "ac8cc0fa5395fe2278e305a4cbed48e90d88d878", "tree": "515f577bfddd054ee4373228be7c974dfb8133af", "parents": [ "238c6d54830c624f34ac9cf123ac04aebfca5013", "3699c53c485bf0168e6500d0ed18bf931584dd7c" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:58:22 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:58:22 2009 +1100" }, "message": "Merge branch \u0027next\u0027 into for-linus\n" }, { "commit": "3699c53c485bf0168e6500d0ed18bf931584dd7c", "tree": "eee63a8ddbdb0665bc6a4a053a2405ca7a5b867f", "parents": [ "29881c4502ba05f46bc12ae8053d4e08d7e2615c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jan 06 22:27:01 2009 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:38:48 2009 +1100" }, "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #3]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 3b11a1decef07c19443d24ae926982bc8ec9f4c0\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Fri Nov 14 10:39:26 2008 +1100\n\n\t CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds. However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change passes the set of credentials to be tested down into the commoncap\nand SELinux code. The security functions called by capable() and\nhas_capability() select the appropriate set of credentials from the process\nbeing checked.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n * t_access_root.c - trivial test program to show permission bug.\n *\n * Written by Michael Kerrisk - copyright ownership not pursued.\n * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n perror(msg);\n exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n int fd, perm, uid, gid;\n char *testpath;\n char cmd[PATH_MAX + 20];\n\n testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n gid \u003d (argc \u003e 4) ? atoi(argv[4]) : GID;\n\n unlink(testpath);\n\n fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n if (fd \u003d\u003d -1) errExit(\"open\");\n\n if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n close(fd);\n\n snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n system(cmd);\n\n if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n accessTest(testpath, 0, \"0\");\n accessTest(testpath, R_OK, \"R_OK\");\n accessTest(testpath, W_OK, \"W_OK\");\n accessTest(testpath, X_OK, \"X_OK\");\n accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem. If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: J. Bruce Fields \u003cbfields@citi.umich.edu\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "29881c4502ba05f46bc12ae8053d4e08d7e2615c", "tree": "536ea4ac63554e836438bd5f370ddecaa343f1f4", "parents": [ "76f7ba35d4b5219fcc4cb072134c020ec77d030d" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:21:54 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:21:54 2009 +1100" }, "message": "Revert \"CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\"\n\nThis reverts commit 14eaddc967b16017d4a1a24d2be6c28ecbe06ed8.\n\nDavid has a better version to come.\n" }, { "commit": "14eaddc967b16017d4a1a24d2be6c28ecbe06ed8", "tree": "ce10216d592f0fa89ae02c4e4e9e9497010e7714", "parents": [ "5c8c40be4b5a2944483bfc1a45d6c3fa02551af3" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Dec 31 15:15:42 2008 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 05 11:17:04 2009 +1100" }, "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 5ff7711e635b32f0a1e558227d030c7e45b4a465\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Wed Dec 31 02:52:28 2008 +0000\n\n\t CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds. However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change splits capable() from has_capability() down into the commoncap and\nSELinux code. The capable() security op now only deals with the current\nprocess, and uses the current process\u0027s subjective creds. A new security op -\ntask_capable() - is introduced that can check any task\u0027s objective creds.\n\nstrictly the capable() security op is superfluous with the presence of the\ntask_capable() op, however it should be faster to call the capable() op since\ntwo fewer arguments need be passed down through the various layers.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n * t_access_root.c - trivial test program to show permission bug.\n *\n * Written by Michael Kerrisk - copyright ownership not pursued.\n * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n perror(msg);\n exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n int fd, perm, uid, gid;\n char *testpath;\n char cmd[PATH_MAX + 20];\n\n testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n gid \u003d (argc \u003e 4) ? atoi(argv[4]) : GID;\n\n unlink(testpath);\n\n fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n if (fd \u003d\u003d -1) errExit(\"open\");\n\n if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n close(fd);\n\n snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n system(cmd);\n\n if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n accessTest(testpath, 0, \"0\");\n accessTest(testpath, R_OK, \"R_OK\");\n accessTest(testpath, W_OK, \"W_OK\");\n accessTest(testpath, X_OK, \"X_OK\");\n accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem. If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "57f71a0af4244d9ba3c0bce74b1d2e66e8d520bd", "tree": "c089a97949fc1d459e137b18739c04e9217913d1", "parents": [ "157cf649a735a2f7e8dba0ed08e6e38b6c30d886" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jan 04 14:52:57 2009 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jan 04 15:14:41 2009 -0500" }, "message": "sanitize audit_log_capset()\n\n* no allocations\n* return void\n* don\u0027t duplicate checked for dummy context\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a", "tree": "9e76f972eb7ce9b84e0146c8e4126a3f86acb428", "parents": [ "15a2460ed0af7538ca8e6c610fe607a2cd9da142" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "message": "CRED: Separate task security context from task_struct\n\nSeparate the task security context from task_struct. At this point, the\nsecurity data is temporarily embedded in the task_struct with two pointers\npointing to it.\n\nNote that the Alpha arch is altered as it refers to (E)UID and (E)GID in\nentry.S via asm-offsets.\n\nWith comment fixes Signed-off-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1cdcbec1a3372c0c49c59d292e708fd07b509f18", "tree": "d1bd302c8d66862da45b494cbc766fb4caa5e23e", "parents": [ "8bbf4976b59fc9fc2861e79cab7beb3f6d647640" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "message": "CRED: Neuter sys_capset()\n\nTake away the ability for sys_capset() to affect processes other than current.\n\nThis means that current will not need to lock its own credentials when reading\nthem against interference by other processes.\n\nThis has effectively been the case for a while anyway, since:\n\n (1) Without LSM enabled, sys_capset() is disallowed.\n\n (2) With file-based capabilities, sys_capset() is neutered.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "637d32dc720897616e8a1a4f9e9609e29d431800", "tree": "6b9e500f4f9fa624da3b6bd28d6d161a615a3a63", "parents": [ "e68b75a027bb94066576139ee33676264f867b87" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 29 15:42:12 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 11 22:01:24 2008 +1100" }, "message": "Capabilities: BUG when an invalid capability is requested\n\nIf an invalid (large) capability is requested the capabilities system\nmay panic as it is dereferencing an array of fixed (short) length. Its\npossible (and actually often happens) that the capability system\naccidentally stumbled into a valid memory region but it also regularly\nhappens that it hits invalid memory and BUGs. If such an operation does\nget past cap_capable then the selinux system is sure to have problems as\nit already does a (simple) validity check and BUG. This is known to\nhappen by the broken and buggy firegl driver.\n\nThis patch cleanly checks all capable calls and BUG if a call is for an\ninvalid capability. This will likely break the firegl driver for some\nsituations, but it is the right thing to do. Garbage into a security\nsystem gets you killed/bugged\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Arjan van de Ven \u003carjan@linux.intel.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e68b75a027bb94066576139ee33676264f867b87", "tree": "2c31f59a4abe9d7bb3cb75fdf3b57772feeeb6f6", "parents": [ "3fc689e96c0c90b6fede5946d6c31075e9464f69" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 11 21:48:22 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 11 21:48:22 2008 +1100" }, "message": "When the capset syscall is used it is not possible for audit to record the\nactual capbilities being added/removed. This patch adds a new record type\nwhich emits the target pid and the eff, inh, and perm cap sets.\n\nexample output if you audit capset syscalls would be:\n\ntype\u003dSYSCALL msg\u003daudit(1225743140.465:76): arch\u003dc000003e syscall\u003d126 success\u003dyes exit\u003d0 a0\u003d17f2014 a1\u003d17f201c a2\u003d80000000 a3\u003d7fff2ab7f060 items\u003d0 ppid\u003d2160 pid\u003d2223 auid\u003d0 uid\u003d0 gid\u003d0 euid\u003d0 suid\u003d0 fsuid\u003d0 egid\u003d0 sgid\u003d0 fsgid\u003d0 tty\u003dpts0 ses\u003d1 comm\u003d\"setcap\" exe\u003d\"/usr/sbin/setcap\" subj\u003dunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key\u003d(null)\ntype\u003dUNKNOWN[1322] msg\u003daudit(1225743140.465:76): pid\u003d0 cap_pi\u003dffffffffffffffff cap_pp\u003dffffffffffffffff cap_pe\u003dffffffffffffffff\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1f29fae29709b4668979e244c09b2fa78ff1ad59", "tree": "d50129066cd1f131551eb364d04542dfcf923050", "parents": [ "e21e696edb498c7f7eed42ba3096f6bbe13927b6" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Wed Nov 05 16:08:52 2008 -0600" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 06 07:14:51 2008 +0800" }, "message": "file capabilities: add no_file_caps switch (v4)\n\nAdd a no_file_caps boot option when file capabilities are\ncompiled into the kernel (CONFIG_SECURITY_FILE_CAPABILITIES\u003dy).\n\nThis allows distributions to ship a kernel with file capabilities\ncompiled in, without forcing users to use (and understand and\ntrust) them.\n\nWhen no_file_caps is specified at boot, then when a process executes\na file, any file capabilities stored with that file will not be\nused in the calculation of the process\u0027 new capability sets.\n\nThis means that booting with the no_file_caps boot option will\nnot be the same as booting a kernel with file capabilities\ncompiled out - in particular a task with CAP_SETPCAP will not\nhave any chance of passing capabilities to another task (which\nisn\u0027t \"really\" possible anyway, and which may soon by killed\naltogether by David Howells in any case), and it will instead\nbe able to put new capabilities in its pI. However since fI\nwill always be empty and pI is masked with fI, it gains the\ntask nothing.\n\nWe also support the extra prctl options, setting securebits and\ndropping capabilities from the per-process bounding set.\n\nThe other remaining difference is that killpriv, task_setscheduler,\nsetioprio, and setnice will continue to be hooked. That will\nbe noticable in the case where a root task changed its uid\nwhile keeping some caps, and another task owned by the new uid\ntries to change settings for the more privileged task.\n\nChangelog:\n\tNov 05 2008: (v4) trivial port on top of always-start-\\\n\t\twith-clear-caps patch\n\tSep 23 2008: nixed file_caps_enabled when file caps are\n\t\tnot compiled in as it isn\u0027t used.\n\t\tDocument no_file_caps in kernel-parameters.txt.\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5cd9c58fbe9ec92b45b27e131719af4f2bd9eb40", "tree": "8573db001b4dc3c2ad97102dda42b841c40b5f6c", "parents": [ "8d0968abd03ec6b407df117adc773562386702fa" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Aug 14 11:37:28 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 14 22:59:43 2008 +1000" }, "message": "security: Fix setting of PF_SUPERPRIV by __capable()\n\nFix the setting of PF_SUPERPRIV by __capable() as it could corrupt the flags\nthe target process if that is not the current process and it is trying to\nchange its own flags in a different way at the same time.\n\n__capable() is using neither atomic ops nor locking to protect t-\u003eflags. This\npatch removes __capable() and introduces has_capability() that doesn\u0027t set\nPF_SUPERPRIV on the process being queried.\n\nThis patch further splits security_ptrace() in two:\n\n (1) security_ptrace_may_access(). This passes judgement on whether one\n process may access another only (PTRACE_MODE_ATTACH for ptrace() and\n PTRACE_MODE_READ for /proc), and takes a pointer to the child process.\n current is the parent.\n\n (2) security_ptrace_traceme(). This passes judgement on PTRACE_TRACEME only,\n and takes only a pointer to the parent process. current is the child.\n\n In Smack and commoncap, this uses has_capability() to determine whether\n the parent will be permitted to use PTRACE_ATTACH if normal checks fail.\n This does not set PF_SUPERPRIV.\n\nTwo of the instances of __capable() actually only act on current, and so have\nbeen changed to calls to capable().\n\nOf the places that were using __capable():\n\n (1) The OOM killer calls __capable() thrice when weighing the killability of a\n process. All of these now use has_capability().\n\n (2) cap_ptrace() and smack_ptrace() were using __capable() to check to see\n whether the parent was allowed to trace any process. As mentioned above,\n these have been split. For PTRACE_ATTACH and /proc, capable() is now\n used, and for PTRACE_TRACEME, has_capability() is used.\n\n (3) cap_safe_nice() only ever saw current, so now uses capable().\n\n (4) smack_setprocattr() rejected accesses to tasks other than current just\n after calling __capable(), so the order of these two tests have been\n switched and capable() is used instead.\n\n (5) In smack_file_send_sigiotask(), we need to allow privileged processes to\n receive SIGIO on files they\u0027re manipulating.\n\n (6) In smack_task_wait(), we let a process wait for a privileged process,\n whether or not the process doing the waiting is privileged.\n\nI\u0027ve tested this with the LTP SELinux and syscalls testscripts.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ab763c7112ce0e2559c73f921617c81dc7287ca6", "tree": "110f60462a54e869402346b5ae9cfaed012cf8f4", "parents": [ "5459c164f0591ee75ed0203bb8f3817f25948e2f" ], "author": { "name": "Andrew G. Morgan", "email": "morgan@kernel.org", "time": "Wed Jul 23 21:28:25 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jul 24 10:47:22 2008 -0700" }, "message": "security: filesystem capabilities refactor kernel code\n\nTo date, we\u0027ve tried hard to confine filesystem support for capabilities\nto the security modules. This has left a lot of the code in\nkernel/capability.c in a state where it looks like it supports something\nthat filesystem support for capabilities actually suppresses when the LSM\nsecurity/commmoncap.c code runs. What is left is a lot of code that uses\nsub-optimal locking in the main kernel\n\nWith this change we refactor the main kernel code and make it explicit\nwhich locks are needed and that the only remaining kernel races in this\narea are associated with non-filesystem capability code.\n\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "086f7316f0d400806d76323beefae996bb3849b1", "tree": "679405a89b7f8c7a75d3896e43c837b5a5115d7b", "parents": [ "abbaeff38c00cb7f6817ec1cef406b27081ebedd" ], "author": { "name": "Andrew G. Morgan", "email": "morgan@kernel.org", "time": "Fri Jul 04 09:59:58 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jul 04 10:40:08 2008 -0700" }, "message": "security: filesystem capabilities: fix fragile setuid fixup code\n\nThis commit includes a bugfix for the fragile setuid fixup code in the\ncase that filesystem capabilities are supported (in access()). The effect\nof this fix is gated on filesystem capability support because changing\nsecurebits is only supported when filesystem capabilities support is\nconfigured.)\n\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "ca05a99a54db1db5bca72eccb5866d2a86f8517f", "tree": "b39fba6604da4b4f77103d2769bb783118b9b508", "parents": [ "cc94bc37d5e02aaf8a6409a28e3c62bbd479b9a8" ], "author": { "name": "Andrew G. Morgan", "email": "morgan@kernel.org", "time": "Tue May 27 22:05:17 2008 -0700" }, "committer": { "name": "Chris Wright", "email": "chrisw@sous-sol.org", "time": "Sat May 31 16:36:16 2008 -0700" }, "message": "capabilities: remain source compatible with 32-bit raw legacy capability support.\n\nSource code out there hard-codes a notion of what the\n_LINUX_CAPABILITY_VERSION #define means in terms of the semantics of the\nraw capability system calls capget() and capset(). Its unfortunate, but\ntrue.\n\nSince the confusing header file has been in a released kernel, there is\nsoftware that is erroneously using 64-bit capabilities with the semantics\nof 32-bit compatibilities. These recently compiled programs may suffer\ncorruption of their memory when sys_getcap() overwrites more memory than\nthey are coded to expect, and the raising of added capabilities when using\nsys_capset().\n\nAs such, this patch does a number of things to clean up the situation\nfor all. It\n\n 1. forces the _LINUX_CAPABILITY_VERSION define to always retain its\n legacy value.\n\n 2. adopts a new #define strategy for the kernel\u0027s internal\n implementation of the preferred magic.\n\n 3. deprecates v2 capability magic in favor of a new (v3) magic\n number. The functionality of v3 is entirely equivalent to v2,\n the only difference being that the v2 magic causes the kernel\n to log a \"deprecated\" warning so the admin can find applications\n that may be using v2 inappropriately.\n\n[User space code continues to be encouraged to use the libcap API which\nprotects the application from details like this. libcap-2.10 is the first\nto support v3 capabilities.]\n\nFixes issue reported in https://bugzilla.redhat.com/show_bug.cgi?id\u003d447518.\nThanks to Bojan Smojver for the report.\n\n[akpm@linux-foundation.org: s/depreciate/deprecate/g]\n[akpm@linux-foundation.org: be robust about put_user size]\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Bojan Smojver \u003cbojan@rexursive.com\u003e\nCc: stable@kernel.org\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\n" }, { "commit": "e338d263a76af78fe8f38a72131188b58fceb591", "tree": "f3f046fc6fd66de43de7191830f0daf3bc4ec8eb", "parents": [ "8f6936f4d29aa14e54a2470b954a2e1f96322988" ], "author": { "name": "Andrew Morgan", "email": "morgan@kernel.org", "time": "Mon Feb 04 22:29:42 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "Add 64-bit capability support to the kernel\n\nThe patch supports legacy (32-bit) capability userspace, and where possible\ntranslates 32-bit capabilities to/from userspace and the VFS to 64-bit\nkernel space capabilities. If a capability set cannot be compressed into\n32-bits for consumption by user space, the system call fails, with -ERANGE.\n\nFWIW libcap-2.00 supports this change (and earlier capability formats)\n\n http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/\n\n[akpm@linux-foundation.org: coding-syle fixes]\n[akpm@linux-foundation.org: use get_task_comm()]\n[ezk@cs.sunysb.edu: build fix]\n[akpm@linux-foundation.org: do not initialise statics to 0 or NULL]\n[akpm@linux-foundation.org: unused var]\n[serue@us.ibm.com: export __cap_ symbols]\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Erez Zadok \u003cezk@cs.sunysb.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8990571eb573032c1192440febb17132074c5575", "tree": "c5cceff1dbac91ca12917e12f5768a5ab332ec75", "parents": [ "bac0abd6174e427404dd197cdbefece31e97329b" ], "author": { "name": "Pavel Emelyanov", "email": "xemul@openvz.org", "time": "Thu Oct 18 23:40:19 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Oct 19 11:53:41 2007 -0700" }, "message": "Uninline find_pid etc set of functions\n\nThe find_pid/_vpid/_pid_ns functions are used to find the struct pid by its\nid, depending on whic id - global or virtual - is used.\n\nThe find_vpid() is a macro that pushes the current-\u003ensproxy-\u003epid_ns on the\nstack to call another function - find_pid_ns(). It turned out, that this\ndereference together with the push itself cause the kernel text size to\ngrow too much.\n\nMove all these out-of-line. Together with the previous patch this saves a\nbit less that 400 bytes from .text section.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nCc: Sukadev Bhattiprolu \u003csukadev@us.ibm.com\u003e\nCc: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "228ebcbe634a30aec35132ea4375721bcc41bec0", "tree": "a875976fd5bde6e2f931aa235c34c88a2738493f", "parents": [ "b488893a390edfe027bae7a46e9af8083e740668" ], "author": { "name": "Pavel Emelyanov", "email": "xemul@openvz.org", "time": "Thu Oct 18 23:40:16 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Oct 19 11:53:40 2007 -0700" }, "message": "Uninline find_task_by_xxx set of functions\n\nThe find_task_by_something is a set of macros are used to find task by pid\ndepending on what kind of pid is proposed - global or virtual one. All of\nthem are wrappers above the most generic one - find_task_by_pid_type_ns() -\nand just substitute some args for it.\n\nIt turned out, that dereferencing the current-\u003ensproxy-\u003epid_ns construction\nand pushing one more argument on the stack inline cause kernel text size to\ngrow.\n\nThis patch moves all this stuff out-of-line into kernel/pid.c. Together\nwith the next patch it saves a bit less than 400 bytes from the .text\nsection.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nCc: Sukadev Bhattiprolu \u003csukadev@us.ibm.com\u003e\nCc: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nAcked-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b488893a390edfe027bae7a46e9af8083e740668", "tree": "c469a7f99ad01005a73011c029eb5e5d15454559", "parents": [ "3eb07c8c8adb6f0572baba844ba2d9e501654316" ], "author": { "name": "Pavel Emelyanov", "email": "xemul@openvz.org", "time": "Thu Oct 18 23:40:14 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Oct 19 11:53:40 2007 -0700" }, "message": "pid namespaces: changes to show virtual ids to user\n\nThis is the largest patch in the set. Make all (I hope) the places where\nthe pid is shown to or get from user operate on the virtual pids.\n\nThe idea is:\n - all in-kernel data structures must store either struct pid itself\n or the pid\u0027s global nr, obtained with pid_nr() call;\n - when seeking the task from kernel code with the stored id one\n should use find_task_by_pid() call that works with global pids;\n - when showing pid\u0027s numerical value to the user the virtual one\n should be used, but however when one shows task\u0027s pid outside this\n task\u0027s namespace the global one is to be used;\n - when getting the pid from userspace one need to consider this as\n the virtual one and use appropriate task/pid-searching functions.\n\n[akpm@linux-foundation.org: build fix]\n[akpm@linux-foundation.org: nuther build fix]\n[akpm@linux-foundation.org: yet nuther build fix]\n[akpm@linux-foundation.org: remove unneeded casts]\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@openvz.org\u003e\nCc: Sukadev Bhattiprolu \u003csukadev@us.ibm.com\u003e\nCc: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b460cbc581a53cc088ceba80608021dd49c63c43", "tree": "83c28d0adbc15f4157c77b40fa60c40a71cb8673", "parents": [ "3743ca05ff464b8a9e345c08a6c9ce30485f9805" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Thu Oct 18 23:39:52 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Oct 19 11:53:37 2007 -0700" }, "message": "pid namespaces: define is_global_init() and is_container_init()\n\nis_init() is an ambiguous name for the pid\u003d\u003d1 check. Split it into\nis_global_init() and is_container_init().\n\nA cgroup init has it\u0027s tsk-\u003epid \u003d\u003d 1.\n\nA global init also has it\u0027s tsk-\u003epid \u003d\u003d 1 and it\u0027s active pid namespace\nis the init_pid_ns. But rather than check the active pid namespace,\ncompare the task structure with \u0027init_pid_ns.child_reaper\u0027, which is\ninitialized during boot to the /sbin/init process and never changes.\n\nChangelog:\n\n\t2.6.22-rc4-mm2-pidns1:\n\t- Use \u0027init_pid_ns.child_reaper\u0027 to determine if a given task is the\n\t global init (/sbin/init) process. This would improve performance\n\t and remove dependence on the task_pid().\n\n\t2.6.21-mm2-pidns2:\n\n\t- [Sukadev Bhattiprolu] Changed is_container_init() calls in {powerpc,\n\t ppc,avr32}/traps.c for the _exception() call to is_global_init().\n\t This way, we kill only the cgroup if the cgroup\u0027s init has a\n\t bug rather than force a kernel panic.\n\n[akpm@linux-foundation.org: fix comment]\n[sukadev@us.ibm.com: Use is_global_init() in arch/m32r/mm/fault.c]\n[bunk@stusta.de: kernel/pid.c: remove unused exports]\n[sukadev@us.ibm.com: Fix capability.c to work with threaded init]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Sukadev Bhattiprolu \u003csukadev@us.ibm.com\u003e\nAcked-by: Pavel Emelianov \u003cxemul@openvz.org\u003e\nCc: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nCc: Cedric Le Goater \u003cclg@fr.ibm.com\u003e\nCc: Dave Hansen \u003chaveblue@us.ibm.com\u003e\nCc: Herbert Poetzel \u003cherbert@13thfloor.at\u003e\nCc: Kirill Korotaev \u003cdev@sw.ru\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "314f70fd967064c7fa0734908f5feae6ac2831a9", "tree": "a3fce61d0cd5b9ac0bae92fad31dab3b04b9e71b", "parents": [ "c277e63fbe53697eab7595e86b297c643e2ea723" ], "author": { "name": "Daniel Walker", "email": "dwalker@mvista.com", "time": "Thu Oct 18 03:06:08 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Oct 18 14:37:25 2007 -0700" }, "message": "whitespace fixes: capability syscalls\n\nLarge chunks of 5 spaces instead of tabs.\n\nSigned-off-by: Daniel Walker \u003cdwalker@mvista.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "72c2d5823fc7be799a12184974c3bdc57acea3c4", "tree": "5c17418efb57cd5b2cdc0d751f577b2c64012423", "parents": [ "7058cb02ddab4bce70a46e519804fccb7ac0a060" ], "author": { "name": "Andrew Morgan", "email": "morgan@kernel.org", "time": "Thu Oct 18 03:05:59 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Oct 18 14:37:24 2007 -0700" }, "message": "V3 file capabilities: alter behavior of cap_setpcap\n\nThe non-filesystem capability meaning of CAP_SETPCAP is that a process, p1,\ncan change the capabilities of another process, p2. This is not the\nmeaning that was intended for this capability at all, and this\nimplementation came about purely because, without filesystem capabilities,\nthere was no way to use capabilities without one process bestowing them on\nanother.\n\nSince we now have a filesystem support for capabilities we can fix the\nimplementation of CAP_SETPCAP.\n\nThe most significant thing about this change is that, with it in effect, no\nprocess can set the capabilities of another process.\n\nThe capabilities of a program are set via the capability convolution\nrules:\n\n pI(post-exec) \u003d pI(pre-exec)\n pP(post-exec) \u003d (X(aka cap_bset) \u0026 fP) | (pI(post-exec) \u0026 fI)\n pE(post-exec) \u003d fE ? pP(post-exec) : 0\n\nat exec() time. As such, the only influence the pre-exec() program can\nhave on the post-exec() program\u0027s capabilities are through the pI\ncapability set.\n\nThe correct implementation for CAP_SETPCAP (and that enabled by this patch)\nis that it can be used to add extra pI capabilities to the current process\n- to be picked up by subsequent exec()s when the above convolution rules\nare applied.\n\nHere is how it works:\n\nLet\u0027s say we have a process, p. It has capability sets, pE, pP and pI.\nGenerally, p, can change the value of its own pI to pI\u0027 where\n\n (pI\u0027 \u0026 ~pI) \u0026 ~pP \u003d 0.\n\nThat is, the only new things in pI\u0027 that were not present in pI need to\nbe present in pP.\n\nThe role of CAP_SETPCAP is basically to permit changes to pI beyond\nthe above:\n\n if (pE \u0026 CAP_SETPCAP) {\n pI\u0027 \u003d anything; /* ie., even (pI\u0027 \u0026 ~pI) \u0026 ~pP !\u003d 0 */\n }\n\nThis capability is useful for things like login, which (say, via\npam_cap) might want to raise certain inheritable capabilities for use\nby the children of the logged-in user\u0027s shell, but those capabilities\nare not useful to or needed by the login program itself.\n\nOne such use might be to limit who can run ping. You set the\ncapabilities of the \u0027ping\u0027 program to be \"\u003d cap_net_raw+i\", and then\nonly shells that have (pI \u0026 CAP_NET_RAW) will be able to run\nit. Without CAP_SETPCAP implemented as described above, login(pam_cap)\nwould have to also have (pP \u0026 CAP_NET_RAW) in order to raise this\ncapability and pass it on through the inheritable set.\n\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "cbfee34520666862f8ff539e580c48958fbb7706", "tree": "ded5cafce333e908a0fbeda1f7c55eaf7c1fbaaa", "parents": [ "b53767719b6cd8789392ea3e7e2eb7b8906898f0" ], "author": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Tue Oct 16 23:31:38 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "security/ cleanups\n\nThis patch contains the following cleanups that are now possible:\n- remove the unused security_operations-\u003einode_xattr_getsuffix\n- remove the no longer used security_operations-\u003eunregister_security\n- remove some no longer required exit code\n- remove a bunch of no longer used exports\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "41487c65bfcce9c8e4d123da1719fcfd8df6d4d0", "tree": "e2e0e13bc3178c2cff766f1e0165bbbabdb2ed98", "parents": [ "ab521dc0f8e117fd808d3e425216864d60390500" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Mon Feb 12 00:53:01 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Feb 12 09:48:32 2007 -0800" }, "message": "[PATCH] pid: replace do/while_each_task_pid with do/while_each_pid_task\n\nThere isn\u0027t any real advantage to this change except that it allows the old\nfunctions to be removed. Which is easier on maintenance and puts the code in\na more uniform style.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nCc: Alan Cox \u003calan@lxorguk.ukuu.org.uk\u003e\nCc: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "f400e198b2ed26ce55b22a1412ded0896e7516ac", "tree": "a3d78bfc1c20635e199fe0fe85aaa1d8792acc58", "parents": [ "959ed340f4867fda7684340625f60e211c2296d6" ], "author": { "name": "Sukadev Bhattiprolu", "email": "sukadev@us.ibm.com", "time": "Fri Sep 29 02:00:07 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 29 09:18:12 2006 -0700" }, "message": "[PATCH] pidspace: is_init()\n\nThis is an updated version of Eric Biederman\u0027s is_init() patch.\n(http://lkml.org/lkml/2006/2/6/280). It applies cleanly to 2.6.18-rc3 and\nreplaces a few more instances of -\u003epid \u003d\u003d 1 with is_init().\n\nFurther, is_init() checks pid and thus removes dependency on Eric\u0027s other\npatches for now.\n\nEric\u0027s original description:\n\n\tThere are a lot of places in the kernel where we test for init\n\tbecause we give it special properties. Most significantly init\n\tmust not die. This results in code all over the kernel test\n\t-\u003epid \u003d\u003d 1.\n\n\tIntroduce is_init to capture this case.\n\n\tWith multiple pid spaces for all of the cases affected we are\n\tlooking for only the first process on the system, not some other\n\tprocess that has pid \u003d\u003d 1.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: Sukadev Bhattiprolu \u003csukadev@us.ibm.com\u003e\nCc: Dave Hansen \u003chaveblue@us.ibm.com\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Cedric Le Goater \u003cclg@fr.ibm.com\u003e\nCc: \u003clxc-devel@lists.sourceforge.net\u003e\nAcked-by: Paul Mackerras \u003cpaulus@samba.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "36c8b586896f60cb91a4fd526233190b34316baf", "tree": "003246e1e676de33703daa979b3e3109ca202a89", "parents": [ "48f24c4da1ee7f3f22289cb85e8b8a73e4df4db5" ], "author": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Mon Jul 03 00:25:41 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jul 03 15:27:11 2006 -0700" }, "message": "[PATCH] sched: cleanup, remove task_t, convert to struct task_struct\n\ncleanup: remove task_t and convert all the uses to struct task_struct. I\nintroduced it for the scheduler anno and it was a mistake.\n\nConversion was mostly scripted, the result was reviewed and all\nsecondary whitespace and style impact (if any) was fixed up by hand.\n\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "12b5989be10011387a9da5dee82e5c0d6f9d02e7", "tree": "74da71d407bf26bf97c639bb2b473de233a736ac", "parents": [ "77d47582c2345e071df02afaf9191641009287c4" ], "author": { "name": "Chris Wright", "email": "chrisw@sous-sol.org", "time": "Sat Mar 25 03:07:41 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sat Mar 25 08:22:56 2006 -0800" }, "message": "[PATCH] refactor capable() to one implementation, add __capable() helper\n\nMove capable() to kernel/capability.c and eliminate duplicate\nimplementations. Add __capable() function which can be used to check for\ncapabiilty of any process.\n\nSigned-off-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "c59ede7b78db329949d9cdcd7064e22d357560ef", "tree": "f9dc9d464fdad5bfd464d983e77c1af031389dda", "parents": [ "e16885c5ad624a6efe1b1bf764e075d75f65a788" ], "author": { "name": "Randy.Dunlap", "email": "rdunlap@xenotime.net", "time": "Wed Jan 11 12:17:46 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Wed Jan 11 18:42:13 2006 -0800" }, "message": "[PATCH] move capable() to capability.h\n\n- Move capable() from sched.h to capability.h;\n\n- Use \u003clinux/capability.h\u003e where capable() is used\n\t(in include/, block/, ipc/, kernel/, a few drivers/,\n\tmm/, security/, \u0026 sound/;\n\tmany more drivers/ to go)\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "207a7ba8dc000e1b13acac97f3736810dd86e8e2", "tree": "de7baa1aa4a7752c6ea447938e73817de899d141", "parents": [ "c293621bbf678a3d85e3ed721c3921c8a670610d" ], "author": { "name": "Randy Dunlap", "email": "rdunlap@xenotime.net", "time": "Wed Jul 27 11:45:10 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Wed Jul 27 16:26:06 2005 -0700" }, "message": "[PATCH] kernel/capability.c: add kerneldoc\n\nAdd kerneldoc to kernel/capability.c\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }