)]}' { "log": [ { "commit": "8ec2328f1138a58eaea55ec6150985a1623b01c5", "tree": "ebaecf41dd8c8789f0c49ee9c0f30c0ce40e3e39", "parents": [ "d0eec99ce50baa5cc2ac02363cdb2a771ed4e1e2" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Wed Nov 28 16:21:47 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Nov 29 09:24:53 2007 -0800" }, "message": "file capabilities: don\u0027t prevent signaling setuid root programs\n\nAn unprivileged process must be able to kill a setuid root program started\nby the same user. This is legacy behavior needed for instance for xinit to\nkill X when the window manager exits.\n\nWhen an unprivileged user runs a setuid root program in !SECURE_NOROOT\nmode, fP, fI, and fE are set full on, so pP\u0027 and pE\u0027 are full on. Then\ncap_task_kill() prevents the user from signaling the setuid root task.\nThis is a change in behavior compared to when\n!CONFIG_SECURITY_FILE_CAPABILITIES.\n\nThis patch introduces a special check into cap_task_kill() just to check\nwhether a non-root user is signaling a setuid root program started by the\nsame user. If so, then signal is allowed.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nCc: Stephen Smalley \u003csds@epoch.ncsc.mil\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "91ad997a34d7abca1f04e819e31eb9f3d4e20585", "tree": "d39e72f2e2ab69ccb6c69acf46173ccd8803fcc4", "parents": [ "20a1022d4ac5c53f0956006fd9e30cf4846d5e58" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Wed Nov 14 17:00:34 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Nov 14 18:45:44 2007 -0800" }, "message": "file capabilities: allow sigcont within session\n\nFix http://bugzilla.kernel.org/show_bug.cgi?id\u003d9247\n\nAllow sigcont to be sent to a process with greater capabilities if it is in\nthe same session. Otherwise, a shell from which I\u0027ve started a root shell\nand done \u0027suspend\u0027 can\u0027t be restarted by the parent shell.\n\nAlso don\u0027t do file-capabilities signaling checks when uids for the\nprocesses don\u0027t match, since the standard check_kill_permission will have\ndone those checks.\n\n[akpm@linux-foundation.org: coding-style cleanups]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nTested-by: \"Theodore Ts\u0027o\" \u003ctytso@mit.edu\u003e\nCc: Stephen Smalley \u003csds@epoch.ncsc.mil\u003e\nCc: \"Rafael J. Wysocki\" \u003crjw@sisk.pl\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b68680e4731abbd78863063aaa0dca2a6d8cc723", "tree": "6c546575432b34abb27a54b51f549071d2819282", "parents": [ "b9049e234401e1fad8459d69a952b174d76c399d" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Sun Oct 21 16:41:38 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Oct 22 08:13:18 2007 -0700" }, "message": "capabilities: clean up file capability reading\n\nSimplify the vfs_cap_data structure.\n\nAlso fix get_file_caps which was declaring\n__le32 v1caps[XATTR_CAPS_SZ] on the stack, but\nXATTR_CAPS_SZ is already * sizeof(__le32).\n\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b460cbc581a53cc088ceba80608021dd49c63c43", "tree": "83c28d0adbc15f4157c77b40fa60c40a71cb8673", "parents": [ "3743ca05ff464b8a9e345c08a6c9ce30485f9805" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Thu Oct 18 23:39:52 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Oct 19 11:53:37 2007 -0700" }, "message": "pid namespaces: define is_global_init() and is_container_init()\n\nis_init() is an ambiguous name for the pid\u003d\u003d1 check. Split it into\nis_global_init() and is_container_init().\n\nA cgroup init has it\u0027s tsk-\u003epid \u003d\u003d 1.\n\nA global init also has it\u0027s tsk-\u003epid \u003d\u003d 1 and it\u0027s active pid namespace\nis the init_pid_ns. But rather than check the active pid namespace,\ncompare the task structure with \u0027init_pid_ns.child_reaper\u0027, which is\ninitialized during boot to the /sbin/init process and never changes.\n\nChangelog:\n\n\t2.6.22-rc4-mm2-pidns1:\n\t- Use \u0027init_pid_ns.child_reaper\u0027 to determine if a given task is the\n\t global init (/sbin/init) process. This would improve performance\n\t and remove dependence on the task_pid().\n\n\t2.6.21-mm2-pidns2:\n\n\t- [Sukadev Bhattiprolu] Changed is_container_init() calls in {powerpc,\n\t ppc,avr32}/traps.c for the _exception() call to is_global_init().\n\t This way, we kill only the cgroup if the cgroup\u0027s init has a\n\t bug rather than force a kernel panic.\n\n[akpm@linux-foundation.org: fix comment]\n[sukadev@us.ibm.com: Use is_global_init() in arch/m32r/mm/fault.c]\n[bunk@stusta.de: kernel/pid.c: remove unused exports]\n[sukadev@us.ibm.com: Fix capability.c to work with threaded init]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Sukadev Bhattiprolu \u003csukadev@us.ibm.com\u003e\nAcked-by: Pavel Emelianov \u003cxemul@openvz.org\u003e\nCc: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nCc: Cedric Le Goater \u003cclg@fr.ibm.com\u003e\nCc: Dave Hansen \u003chaveblue@us.ibm.com\u003e\nCc: Herbert Poetzel \u003cherbert@13thfloor.at\u003e\nCc: Kirill Korotaev \u003cdev@sw.ru\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "72c2d5823fc7be799a12184974c3bdc57acea3c4", "tree": "5c17418efb57cd5b2cdc0d751f577b2c64012423", "parents": [ "7058cb02ddab4bce70a46e519804fccb7ac0a060" ], "author": { "name": "Andrew Morgan", "email": "morgan@kernel.org", "time": "Thu Oct 18 03:05:59 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Oct 18 14:37:24 2007 -0700" }, "message": "V3 file capabilities: alter behavior of cap_setpcap\n\nThe non-filesystem capability meaning of CAP_SETPCAP is that a process, p1,\ncan change the capabilities of another process, p2. This is not the\nmeaning that was intended for this capability at all, and this\nimplementation came about purely because, without filesystem capabilities,\nthere was no way to use capabilities without one process bestowing them on\nanother.\n\nSince we now have a filesystem support for capabilities we can fix the\nimplementation of CAP_SETPCAP.\n\nThe most significant thing about this change is that, with it in effect, no\nprocess can set the capabilities of another process.\n\nThe capabilities of a program are set via the capability convolution\nrules:\n\n pI(post-exec) \u003d pI(pre-exec)\n pP(post-exec) \u003d (X(aka cap_bset) \u0026 fP) | (pI(post-exec) \u0026 fI)\n pE(post-exec) \u003d fE ? pP(post-exec) : 0\n\nat exec() time. As such, the only influence the pre-exec() program can\nhave on the post-exec() program\u0027s capabilities are through the pI\ncapability set.\n\nThe correct implementation for CAP_SETPCAP (and that enabled by this patch)\nis that it can be used to add extra pI capabilities to the current process\n- to be picked up by subsequent exec()s when the above convolution rules\nare applied.\n\nHere is how it works:\n\nLet\u0027s say we have a process, p. It has capability sets, pE, pP and pI.\nGenerally, p, can change the value of its own pI to pI\u0027 where\n\n (pI\u0027 \u0026 ~pI) \u0026 ~pP \u003d 0.\n\nThat is, the only new things in pI\u0027 that were not present in pI need to\nbe present in pP.\n\nThe role of CAP_SETPCAP is basically to permit changes to pI beyond\nthe above:\n\n if (pE \u0026 CAP_SETPCAP) {\n pI\u0027 \u003d anything; /* ie., even (pI\u0027 \u0026 ~pI) \u0026 ~pP !\u003d 0 */\n }\n\nThis capability is useful for things like login, which (say, via\npam_cap) might want to raise certain inheritable capabilities for use\nby the children of the logged-in user\u0027s shell, but those capabilities\nare not useful to or needed by the login program itself.\n\nOne such use might be to limit who can run ping. You set the\ncapabilities of the \u0027ping\u0027 program to be \"\u003d cap_net_raw+i\", and then\nonly shells that have (pI \u0026 CAP_NET_RAW) will be able to run\nit. Without CAP_SETPCAP implemented as described above, login(pam_cap)\nwould have to also have (pP \u0026 CAP_NET_RAW) in order to raise this\ncapability and pass it on through the inheritable set.\n\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "cbfee34520666862f8ff539e580c48958fbb7706", "tree": "ded5cafce333e908a0fbeda1f7c55eaf7c1fbaaa", "parents": [ "b53767719b6cd8789392ea3e7e2eb7b8906898f0" ], "author": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Tue Oct 16 23:31:38 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "security/ cleanups\n\nThis patch contains the following cleanups that are now possible:\n- remove the unused security_operations-\u003einode_xattr_getsuffix\n- remove the no longer used security_operations-\u003eunregister_security\n- remove some no longer required exit code\n- remove a bunch of no longer used exports\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b53767719b6cd8789392ea3e7e2eb7b8906898f0", "tree": "a0279dc93c79b94d3865b0f19f6b7b353e20608c", "parents": [ "57c521ce6125e15e99e56c902cb8da96bee7b36d" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Tue Oct 16 23:31:36 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "Implement file posix capabilities\n\nImplement file posix capabilities. This allows programs to be given a\nsubset of root\u0027s powers regardless of who runs them, without having to use\nsetuid and giving the binary all of root\u0027s powers.\n\nThis version works with Kaigai Kohei\u0027s userspace tools, found at\nhttp://www.kaigai.gr.jp/index.php. For more information on how to use this\npatch, Chris Friedhoff has posted a nice page at\nhttp://www.friedhoff.org/fscaps.html.\n\nChangelog:\n\tNov 27:\n\tIncorporate fixes from Andrew Morton\n\t(security-introduce-file-caps-tweaks and\n\tsecurity-introduce-file-caps-warning-fix)\n\tFix Kconfig dependency.\n\tFix change signaling behavior when file caps are not compiled in.\n\n\tNov 13:\n\tIntegrate comments from Alexey: Remove CONFIG_ ifdef from\n\tcapability.h, and use %zd for printing a size_t.\n\n\tNov 13:\n\tFix endianness warnings by sparse as suggested by Alexey\n\tDobriyan.\n\n\tNov 09:\n\tAddress warnings of unused variables at cap_bprm_set_security\n\twhen file capabilities are disabled, and simultaneously clean\n\tup the code a little, by pulling the new code into a helper\n\tfunction.\n\n\tNov 08:\n\tFor pointers to required userspace tools and how to use\n\tthem, see http://www.friedhoff.org/fscaps.html.\n\n\tNov 07:\n\tFix the calculation of the highest bit checked in\n\tcheck_cap_sanity().\n\n\tNov 07:\n\tAllow file caps to be enabled without CONFIG_SECURITY, since\n\tcapabilities are the default.\n\tHook cap_task_setscheduler when !CONFIG_SECURITY.\n\tMove capable(TASK_KILL) to end of cap_task_kill to reduce\n\taudit messages.\n\n\tNov 05:\n\tAdd secondary calls in selinux/hooks.c to task_setioprio and\n\ttask_setscheduler so that selinux and capabilities with file\n\tcap support can be stacked.\n\n\tSep 05:\n\tAs Seth Arnold points out, uid checks are out of place\n\tfor capability code.\n\n\tSep 01:\n\tDefine task_setscheduler, task_setioprio, cap_task_kill, and\n\ttask_setnice to make sure a user cannot affect a process in which\n\tthey called a program with some fscaps.\n\n\tOne remaining question is the note under task_setscheduler: are we\n\tok with CAP_SYS_NICE being sufficient to confine a process to a\n\tcpuset?\n\n\tIt is a semantic change, as without fsccaps, attach_task doesn\u0027t\n\tallow CAP_SYS_NICE to override the uid equivalence check. But since\n\tit uses security_task_setscheduler, which elsewhere is used where\n\tCAP_SYS_NICE can be used to override the uid equivalence check,\n\tfixing it might be tough.\n\n\t task_setscheduler\n\t\t note: this also controls cpuset:attach_task. Are we ok with\n\t\t CAP_SYS_NICE being used to confine to a cpuset?\n\t task_setioprio\n\t task_setnice\n\t\t sys_setpriority uses this (through set_one_prio) for another\n\t\t process. Need same checks as setrlimit\n\n\tAug 21:\n\tUpdated secureexec implementation to reflect the fact that\n\teuid and uid might be the same and nonzero, but the process\n\tmight still have elevated caps.\n\n\tAug 15:\n\tHandle endianness of xattrs.\n\tEnforce capability version match between kernel and disk.\n\tEnforce that no bits beyond the known max capability are\n\tset, else return -EPERM.\n\tWith this extra processing, it may be worth reconsidering\n\tdoing all the work at bprm_set_security rather than\n\td_instantiate.\n\n\tAug 10:\n\tAlways call getxattr at bprm_set_security, rather than\n\tcaching it at d_instantiate.\n\n[morgan@kernel.org: file-caps clean up for linux/capability.h]\n[bunk@kernel.org: unexport cap_inode_killpriv]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "20510f2f4e2dabb0ff6c13901807627ec9452f98", "tree": "d64b9eeb90d577f7f9688a215c4c6c3c2405188a", "parents": [ "5c3b447457789374cdb7b03afe2540d48c649a36" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Oct 16 23:31:32 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "security: Convert LSM into a static interface\n\nConvert LSM into a static interface, as the ability to unload a security\nmodule is not required by in-tree users and potentially complicates the\noverall security architecture.\n\nNeedlessly exported LSM symbols have been unexported, to help reduce API\nabuse.\n\nParameters for the capability and root_plug modules are now specified\nat boot.\n\nThe SECURITY_FRAMEWORK_VERSION macro has also been removed.\n\nIn a nutshell, there is no safe way to unload an LSM. The modular interface\nis thus unecessary and broken infrastructure. It is used only by out-of-tree\nmodules, which are often binary-only, illegal, abusive of the API and\ndangerous, e.g. silently re-vectoring SELinux.\n\n[akpm@linux-foundation.org: cleanups]\n[akpm@linux-foundation.org: USB Kconfig fix]\n[randy.dunlap@oracle.com: fix LSM kernel-doc]\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nAcked-by: Arjan van de Ven \u003carjan@infradead.org\u003e\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "34b4e4aa3c470ce8fa2bd78abb1741b4b58baad7", "tree": "91d620288f1aaf63c12dc84ca1015465818601f2", "parents": [ "afe1ab4d577892822de2c8e803fbfaed6ec44ba3" ], "author": { "name": "Alan Cox", "email": "alan@lxorguk.ukuu.org.uk", "time": "Wed Aug 22 14:01:28 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Aug 22 19:52:45 2007 -0700" }, "message": "fix NULL pointer dereference in __vm_enough_memory()\n\nThe new exec code inserts an accounted vma into an mm struct which is not\ncurrent-\u003emm. The existing memory check code has a hard coded assumption\nthat this does not happen as does the security code.\n\nAs the correct mm is known we pass the mm to the security method and the\nhelper function. A new security test is added for the case where we need\nto pass the mm and the existing one is modified to pass current-\u003emm to\navoid the need to change large amounts of code.\n\n(Thanks to Tobias for fixing rejects and testing)\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nCc: WU Fengguang \u003cwfg@mail.ustc.edu.cn\u003e\nCc: James Morris \u003cjmorris@redhat.com\u003e\nCc: Tobias Diedrich \u003cranma+kernel@tdiedrich.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "6c5d523826dc639df709ed0f88c5d2ce25379652", "tree": "ef2fa8cb30266b3a9b047902794e78c583b099da", "parents": [ "76fdbb25f963de5dc1e308325f0578a2f92b1c2d" ], "author": { "name": "Kawai, Hidehiro", "email": "hidehiro.kawai.ez@hitachi.com", "time": "Thu Jul 19 01:48:27 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Jul 19 10:04:46 2007 -0700" }, "message": "coredump masking: reimplementation of dumpable using two flags\n\nThis patch changes mm_struct.dumpable to a pair of bit flags.\n\nset_dumpable() converts three-value dumpable to two flags and stores it into\nlower two bits of mm_struct.flags instead of mm_struct.dumpable.\nget_dumpable() behaves in the opposite way.\n\n[akpm@linux-foundation.org: export set_dumpable]\nSigned-off-by: Hidehiro Kawai \u003chidehiro.kawai.ez@hitachi.com\u003e\nCc: Alan Cox \u003calan@lxorguk.ukuu.org.uk\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: Hugh Dickins \u003chugh@veritas.com\u003e\nCc: Nick Piggin \u003cnickpiggin@yahoo.com.au\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "e63340ae6b6205fef26b40a75673d1c9c0c8bb90", "tree": "8d3212705515edec73c3936bb9e23c71d34a7b41", "parents": [ "04c9167f91e309c9c4ea982992aa08e83b2eb42e" ], "author": { "name": "Randy Dunlap", "email": "randy.dunlap@oracle.com", "time": "Tue May 08 00:28:08 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue May 08 11:15:07 2007 -0700" }, "message": "header cleaning: don\u0027t include smp_lock.h when not used\n\nRemove includes of \u003clinux/smp_lock.h\u003e where it is not used/needed.\nSuggested by Al Viro.\n\nBuilds cleanly on x86_64, i386, alpha, ia64, powerpc, sparc,\nsparc64, and arm (all 59 defconfigs).\n\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "f400e198b2ed26ce55b22a1412ded0896e7516ac", "tree": "a3d78bfc1c20635e199fe0fe85aaa1d8792acc58", "parents": [ "959ed340f4867fda7684340625f60e211c2296d6" ], "author": { "name": "Sukadev Bhattiprolu", "email": "sukadev@us.ibm.com", "time": "Fri Sep 29 02:00:07 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 29 09:18:12 2006 -0700" }, "message": "[PATCH] pidspace: is_init()\n\nThis is an updated version of Eric Biederman\u0027s is_init() patch.\n(http://lkml.org/lkml/2006/2/6/280). It applies cleanly to 2.6.18-rc3 and\nreplaces a few more instances of -\u003epid \u003d\u003d 1 with is_init().\n\nFurther, is_init() checks pid and thus removes dependency on Eric\u0027s other\npatches for now.\n\nEric\u0027s original description:\n\n\tThere are a lot of places in the kernel where we test for init\n\tbecause we give it special properties. Most significantly init\n\tmust not die. This results in code all over the kernel test\n\t-\u003epid \u003d\u003d 1.\n\n\tIntroduce is_init to capture this case.\n\n\tWith multiple pid spaces for all of the cases affected we are\n\tlooking for only the first process on the system, not some other\n\tprocess that has pid \u003d\u003d 1.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: Sukadev Bhattiprolu \u003csukadev@us.ibm.com\u003e\nCc: Dave Hansen \u003chaveblue@us.ibm.com\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Cedric Le Goater \u003cclg@fr.ibm.com\u003e\nCc: \u003clxc-devel@lists.sourceforge.net\u003e\nAcked-by: Paul Mackerras \u003cpaulus@samba.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "6ab3d5624e172c553004ecc862bfeac16d9d68b7", "tree": "6d98881fe91fd9583c109208d5c27131b93fa248", "parents": [ "e02169b682bc448ccdc819dc8639ed34a23cedd8" ], "author": { "name": "Jörn Engel", "email": "joern@wohnheim.fh-wedel.de", "time": "Fri Jun 30 19:25:36 2006 +0200" }, "committer": { "name": "Adrian Bunk", "email": "bunk@stusta.de", "time": "Fri Jun 30 19:25:36 2006 +0200" }, "message": "Remove obsolete #include \u003clinux/config.h\u003e\n\nSigned-off-by: Jörn Engel \u003cjoern@wohnheim.fh-wedel.de\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\n" }, { "commit": "c7bdb545d23026b18be53289fd866d1ac07f5f8c", "tree": "6d9a218871d88f7579dd53f14692df2529b6e712", "parents": [ "576a30eb6453439b3c37ba24455ac7090c247b5a" ], "author": { "name": "Darrel Goeddel", "email": "dgoeddel@trustedcs.com", "time": "Tue Jun 27 13:26:11 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Jun 29 16:57:55 2006 -0700" }, "message": "[NETLINK]: Encapsulate eff_cap usage within security framework.\n\nThis patch encapsulates the usage of eff_cap (in netlink_skb_params) within\nthe security framework by extending security_netlink_recv to include a required\ncapability parameter and converting all direct usage of eff_caps outside\nof the lsm modules to use the interface. It also updates the SELinux\nimplementation of the security_netlink_send and security_netlink_recv\nhooks to take advantage of the sid in the netlink_skb_params struct.\nThis also enables SELinux to perform auditing of netlink capability checks.\nPlease apply, for 2.6.18 if possible.\n\nSigned-off-by: Darrel Goeddel \u003cdgoeddel@trustedcs.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "d4eb82c783992551c574580eb55fddc8bb006ad0", "tree": "912aa24f162342bffae86a0c3e4713700a9e5c66", "parents": [ "12b5989be10011387a9da5dee82e5c0d6f9d02e7" ], "author": { "name": "Chris Wright", "email": "chrisw@sous-sol.org", "time": "Sat Mar 25 03:07:41 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sat Mar 25 08:22:56 2006 -0800" }, "message": "[PATCH] make cap_ptrace enforce PTRACE_TRACME checks\n\nPTRACE_TRACEME doesn\u0027t have proper capabilities validation when parent is\nless privileged than child. Issue pointed out by Ram Gupta\n\u003cram.gupta5@gmail.com\u003e.\n\nNote: I haven\u0027t identified a strong security issue, and it\u0027s a small ABI\nchange that could break apps that rely on existing behaviour (which allows\nparent that is less privileged than child to ptrace when child does\nPTRACE_TRACEME).\n\nSigned-off-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Ram Gupta \u003cram.gupta5@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "c59ede7b78db329949d9cdcd7064e22d357560ef", "tree": "f9dc9d464fdad5bfd464d983e77c1af031389dda", "parents": [ "e16885c5ad624a6efe1b1bf764e075d75f65a788" ], "author": { "name": "Randy.Dunlap", "email": "rdunlap@xenotime.net", "time": "Wed Jan 11 12:17:46 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Wed Jan 11 18:42:13 2006 -0800" }, "message": "[PATCH] move capable() to capability.h\n\n- Move capable() from sched.h to capability.h;\n\n- Use \u003clinux/capability.h\u003e where capable() is used\n\t(in include/, block/, ipc/, kernel/, a few drivers/,\n\tmm/, security/, \u0026 sound/;\n\tmany more drivers/ to go)\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "d6e711448137ca3301512cec41a2c2ce852b3d0a", "tree": "f0765ebd90fdbdf270c05fcd7f3d32b24ba56681", "parents": [ "8b0914ea7475615c7c8965c1ac8fe4069270f25c" ], "author": { "name": "Alan Cox", "email": "alan@lxorguk.ukuu.org.uk", "time": "Thu Jun 23 00:09:43 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Thu Jun 23 09:45:26 2005 -0700" }, "message": "[PATCH] setuid core dump\n\nAdd a new `suid_dumpable\u0027 sysctl:\n\nThis value can be used to query and set the core dump mode for setuid\nor otherwise protected/tainted binaries. The modes are\n\n0 - (default) - traditional behaviour. Any process which has changed\n privilege levels or is execute only will not be dumped\n\n1 - (debug) - all processes dump core when possible. The core dump is\n owned by the current user and no security is applied. This is intended\n for system debugging situations only. Ptrace is unchecked.\n\n2 - (suidsafe) - any binary which normally would not be dumped is dumped\n readable by root only. This allows the end user to remove such a dump but\n not access it directly. For security reasons core dumps in this mode will\n not overwrite one another or other files. This mode is appropriate when\n adminstrators are attempting to debug problems in a normal environment.\n\n(akpm:\n\n\u003e \u003e +EXPORT_SYMBOL(suid_dumpable);\n\u003e\n\u003e EXPORT_SYMBOL_GPL?\n\nNo problem to me.\n\n\u003e \u003e \tif (current-\u003eeuid \u003d\u003d current-\u003euid \u0026\u0026 current-\u003eegid \u003d\u003d current-\u003egid)\n\u003e \u003e \t\tcurrent-\u003emm-\u003edumpable \u003d 1;\n\u003e\n\u003e Should this be SUID_DUMP_USER?\n\nActually the feedback I had from last time was that the SUID_ defines\nshould go because its clearer to follow the numbers. They can go\neverywhere (and there are lots of places where dumpable is tested/used\nas a bool in untouched code)\n\n\u003e Maybe this should be renamed to `dump_policy\u0027 or something. Doing that\n\u003e would help us catch any code which isn\u0027t using the #defines, too.\n\nFair comment. The patch was designed to be easy to maintain for Red Hat\nrather than for merging. Changing that field would create a gigantic\ndiff because it is used all over the place.\n\n)\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }