)]}' { "log": [ { "commit": "8b0c543e5cb1e47a54d3ea791b8a03b9c8a715db", "tree": "82391c4dc20e071f0ebcee867a7cc27119928114", "parents": [ "60272da0341e9eaa136e1dc072bfef72c995d851" ], "author": { "name": "matt mooney", "email": "mfm@muteddisk.com", "time": "Wed Sep 22 23:50:06 2010 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:40 2010 +1100" }, "message": "selinux: change to new flag variable\n\nReplace EXTRA_CFLAGS with ccflags-y.\n\nSigned-off-by: matt mooney \u003cmfm@muteddisk.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "60272da0341e9eaa136e1dc072bfef72c995d851", "tree": "9441606f03330f1e2951ff0613d8059f90a353ec", "parents": [ "ceba72a68d17ee36ef24a71b80dde39ee934ece8" ], "author": { "name": "Paul Gortmaker", "email": "paul.gortmaker@windriver.com", "time": "Wed Sep 15 20:14:53 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:39 2010 +1100" }, "message": "selinux: really fix dependency causing parallel compile failure.\n\nWhile the previous change to the selinux Makefile reduced the window\nsignificantly for this failure, it is still possible to see a compile\nfailure where cpp starts processing selinux files before the auto\ngenerated flask.h file is completed. This is easily reproduced by\nadding the following temporary change to expose the issue everytime:\n\n- cmd_flask \u003d scripts/selinux/genheaders/genheaders ...\n+ cmd_flask \u003d sleep 30 ; scripts/selinux/genheaders/genheaders ...\n\nThis failure happens because the creation of the object files in the ss\nsubdir also depends on flask.h. So simply incorporate them into the\nparent Makefile, as the ss/Makefile really doesn\u0027t do anything unique.\n\nWith this change, compiling of all selinux files is dependent on\ncompletion of the header file generation, and this test case with\nthe \"sleep 30\" now confirms it is functioning as expected.\n\nSigned-off-by: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ceba72a68d17ee36ef24a71b80dde39ee934ece8", "tree": "912582b629745d650e9f8ae6fecb42e4345e3900", "parents": [ "119041672592d1890d89dd8f194bd0919d801dc8" ], "author": { "name": "Paul Gortmaker", "email": "paul.gortmaker@windriver.com", "time": "Mon Aug 09 17:34:25 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:38 2010 +1100" }, "message": "selinux: fix parallel compile error\n\nSelinux has an autogenerated file, \"flask.h\" which is included by\ntwo other selinux files. The current makefile has a single dependency\non the first object file in the selinux-y list, assuming that will get\nflask.h generated before anyone looks for it, but that assumption breaks\ndown in a \"make -jN\" situation and you get:\n\n selinux/selinuxfs.c:35: fatal error: flask.h: No such file or directory\n compilation terminated.\n remake[9]: *** [security/selinux/selinuxfs.o] Error 1\n\nSince flask.h is included by security.h which in turn is included\nnearly everywhere, make the dependency apply to all of the selinux-y\nlist of objs.\n\nSigned-off-by: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a7a387cc596278af1516c534b50cc0bee171129d", "tree": "6b020262150ab47e2aaeb7ccdd57534460df2665", "parents": [ "06c22dadc6d3f9b65e55407a87faaf6a4a014112" ], "author": { "name": "Ralf Baechle", "email": "ralf@linux-mips.org", "time": "Fri Aug 06 20:37:56 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Aug 06 18:11:39 2010 -0400" }, "message": "SELINUX: Fix build error.\n\nFix build error caused by a stale security/selinux/av_permissions.h in the $(src)\ndirectory which will override a more recent version in $(obj) that is it\nappears to strike only when building with a separate object directory.\n\nSigned-off-by: Ralf Baechle \u003cralf@linux-mips.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8753f6bec352392b52ed9b5e290afb34379f4612", "tree": "b5f381be9f56125309bfbfcaa73d68e08c309747", "parents": [ "c6d3aaa4e35c71a32a86ececacd4eea7ecfc316c" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Wed Sep 30 13:41:02 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Oct 07 21:56:44 2009 +1100" }, "message": "selinux: generate flask headers during kernel build\n\nAdd a simple utility (scripts/selinux/genheaders) and invoke it to\ngenerate the kernel-private class and permission indices in flask.h\nand av_permissions.h automatically during the kernel build from the\nsecurity class mapping definitions in classmap.h. Adding new kernel\nclasses and permissions can then be done just by adding them to classmap.h.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3e11217263d0521e212cb8a017fbc2a1514db78f", "tree": "d3b399c3d907cd90afd27003000fd9d99212f44b", "parents": [ "832cbd9aa1293cba57d06571f5fc8f0917c672af" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Apr 10 10:48:14 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 18 20:26:16 2008 +1000" }, "message": "SELinux: Add network port SID cache\n\nMuch like we added a network node cache, this patch adds a network port\ncache. The design is taken almost completely from the network node cache\nwhich in turn was taken from the network interface cache. The basic idea is\nto cache entries in a hash table based on protocol/port information. The\nhash function only takes the port number into account since the number of\ndifferent protocols in use at any one time is expected to be relatively\nsmall.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "224dfbd81e1ff672eb46e7695469c395bd531083", "tree": "c89c3ab606634a7174db8807b2633df8bb024b8c", "parents": [ "da5645a28a15aed2e541a814ecf9f7ffcd4c4673" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:13 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:23 2008 +1100" }, "message": "SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions\n\nThis patch adds a SELinux IP address/node SID caching mechanism similar to the\nsel_netif_*() functions. The node SID queries in the SELinux hooks files are\nalso modified to take advantage of this new functionality. In addition, remove\nthe address length information from the sk_buff parsing routines as it is\nredundant since we already have the address family.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5778eabd9cdbf16ea3e40248c452b4fd25554d11", "tree": "a488fd5fc07c01b93fe38621888cc50c64cfc0a1", "parents": [ "128c6b6cbffc8203e13ea5712a8aa65d2ed82e4e" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Feb 28 15:14:22 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 26 01:35:48 2007 -0400" }, "message": "SELinux: extract the NetLabel SELinux support from the security server\n\nUp until this patch the functions which have provided NetLabel support to\nSELinux have been integrated into the SELinux security server, which for\nvarious reasons is not really ideal. This patch makes an effort to extract as\nmuch of the NetLabel support from the security server as possibile and move it\ninto it\u0027s own file within the SELinux directory structure.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "376bd9cb357ec945ac893feaeb63af7370a6e70b", "tree": "7e2848792982dfe30e19a600a41fa5cb49ee6e6e", "parents": [ "97e94c453073a2aba4bb5e0825ddc5e923debf11" ], "author": { "name": "Darrel Goeddel", "email": "dgoeddel@trustedcs.com", "time": "Fri Feb 24 15:44:05 2006 -0600" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon May 01 06:06:24 2006 -0400" }, "message": "[PATCH] support for context based audit filtering\n\nThe following patch provides selinux interfaces that will allow the audit\nsystem to perform filtering based on the process context (user, role, type,\nsensitivity, and clearance). These interfaces will allow the selinux\nmodule to perform efficient matches based on lower level selinux constructs,\nrather than relying on context retrievals and string comparisons within\nthe audit module. It also allows for dominance checks on the mls portion\nof the contexts that are impossible with only string comparisons.\n\nSigned-off-by: Darrel Goeddel \u003cdgoeddel@trustedcs.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "c2b507fda390b8ae90deba9b8cdc3fe727482193", "tree": "6c839e9682fd1610dc6a9fb7cca9df2899ff05ca", "parents": [ "5c0d5d262aa4c5e93f9f5de298cf25d6d8b558c4" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Sat Feb 04 23:27:50 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun Feb 05 11:06:52 2006 -0800" }, "message": "[PATCH] selinux: require SECURITY_NETWORK\n\nMake SELinux depend on SECURITY_NETWORK (which depends on SECURITY), as it\nrequires the socket hooks for proper operation even in the local case.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "d28d1e080132f28ab773291f10ad6acca4c8bba2", "tree": "4cc6abef076393bc4c9f0d4e4c9952b78c04d3ee", "parents": [ "df71837d5024e2524cd51c93621e558aa7dd9f3f" ], "author": { "name": "Trent Jaeger", "email": "tjaeger@cse.psu.edu", "time": "Tue Dec 13 23:12:40 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jan 03 13:10:25 2006 -0800" }, "message": "[LSM-IPSec]: Per-packet access control.\n\nThis patch series implements per packet access control via the\nextension of the Linux Security Modules (LSM) interface by hooks in\nthe XFRM and pfkey subsystems that leverage IPSec security\nassociations to label packets. Extensions to the SELinux LSM are\nincluded that leverage the patch for this purpose.\n\nThis patch implements the changes necessary to the SELinux LSM to\ncreate, deallocate, and use security contexts for policies\n(xfrm_policy) and security associations (xfrm_state) that enable\ncontrol of a socket\u0027s ability to send and receive packets.\n\nPatch purpose:\n\nThe patch is designed to enable the SELinux LSM to implement access\ncontrol on individual packets based on the strongly authenticated\nIPSec security association. Such access controls augment the existing\nones in SELinux based on network interface and IP address. The former\nare very coarse-grained, and the latter can be spoofed. By using\nIPSec, the SELinux can control access to remote hosts based on\ncryptographic keys generated using the IPSec mechanism. This enables\naccess control on a per-machine basis or per-application if the remote\nmachine is running the same mechanism and trusted to enforce the\naccess control policy.\n\nPatch design approach:\n\nThe patch\u0027s main function is to authorize a socket\u0027s access to a IPSec\npolicy based on their security contexts. Since the communication is\nimplemented by a security association, the patch ensures that the\nsecurity association\u0027s negotiated and used have the same security\ncontext. The patch enables allocation and deallocation of such\nsecurity contexts for policies and security associations. It also\nenables copying of the security context when policies are cloned.\nLastly, the patch ensures that packets that are sent without using a\nIPSec security assocation with a security context are allowed to be\nsent in that manner.\n\nA presentation available at\nwww.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf\nfrom the SELinux symposium describes the overall approach.\n\nPatch implementation details:\n\nThe function which authorizes a socket to perform a requested\noperation (send/receive) on a IPSec policy (xfrm_policy) is\nselinux_xfrm_policy_lookup. The Netfilter and rcv_skb hooks ensure\nthat if a IPSec SA with a securit y association has not been used,\nthen the socket is allowed to send or receive the packet,\nrespectively.\n\nThe patch implements SELinux function for allocating security contexts\nwhen policies (xfrm_policy) are created via the pfkey or xfrm_user\ninterfaces via selinux_xfrm_policy_alloc. When a security association\nis built, SELinux allocates the security context designated by the\nXFRM subsystem which is based on that of the authorized policy via\nselinux_xfrm_state_alloc.\n\nWhen a xfrm_policy is cloned, the security context of that policy, if\nany, is copied to the clone via selinux_xfrm_policy_clone.\n\nWhen a xfrm_policy or xfrm_state is freed, its security context, if\nany is also freed at selinux_xfrm_policy_free or\nselinux_xfrm_state_free.\n\nTesting:\n\nThe SELinux authorization function is tested using ipsec-tools. We\ncreated policies and security associations with particular security\ncontexts and added SELinux access control policy entries to verify the\nauthorization decision. We also made sure that packets for which no\nsecurity context was supplied (which either did or did not use\nsecurity associations) were authorized using an unlabelled context.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }