)]}'
{
  "log": [
    {
      "commit": "ceb73c12047b8d543570b23353e7848eb7c540a1",
      "tree": "a637dc88d418be1b705a66bea375af955bd14e22",
      "parents": [
        "f5c66d70ac2a9016a7ad481bd37e39afd7dd7369"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Jan 25 16:34:28 2011 +0000"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Jan 26 08:58:20 2011 +1000"
      },
      "message": "KEYS: Fix __key_link_end() quota fixup on error\n\nFix __key_link_end()\u0027s attempt to fix up the quota if an error occurs.\n\nThere are two erroneous cases: Firstly, we always decrease the quota if\nthe preallocated replacement keyring needs cleaning up, irrespective of\nwhether or not we should (we may have replaced a pointer rather than\nadding another pointer).\n\nSecondly, we never clean up the quota if we added a pointer without the\nkeyring storage being extended (we allocate multiple pointers at a time,\neven if we\u0027re not going to use them all immediately).\n\nWe handle this by setting the bottom bit of the preallocation pointer in\n__key_link_begin() to indicate that the quota needs fixing up, which is\nthen passed to __key_link() (which clears the whole thing) and\n__key_link_end().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "3ac285ff23cd6e1bc402b6db836521bce006eb89",
      "tree": "449a7788ba52f3ac0cb7a5ae6a467934163745c2",
      "parents": [
        "e5cce6c13c25d9ac56955a3ae2fd562719848172"
      ],
      "author": {
        "name": "Davidlohr Bueso",
        "email": "dave@gnu.org",
        "time": "Fri Jan 21 12:28:04 2011 -0300"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 24 11:35:47 2011 +1100"
      },
      "message": "selinux: return -ENOMEM when memory allocation fails\n\nReturn -ENOMEM when memory allocation fails in cond_init_bool_indexes,\ncorrectly propagating error code to caller.\n\nSigned-off-by: Davidlohr Bueso \u003cdave@gnu.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5403110943a2dcf1f96416d7a412a8b46895facd",
      "tree": "48e3501e71511200c911315b8bdffde4788d357d",
      "parents": [
        "7f3c68bee977ab872827e44de017216736fe21d7"
      ],
      "author": {
        "name": "Jesper Juhl",
        "email": "jj@chaosbits.net",
        "time": "Sun Jan 23 22:40:42 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 24 10:59:58 2011 +1100"
      },
      "message": "trusted keys: Fix a memory leak in trusted_update().\n\nOne failure path in security/keys/trusted.c::trusted_update() does\nnot free \u0027new_p\u0027 while the others do. This patch makes sure we also free\nit in the remaining path (if datablob_parse() returns different from\nOpt_update).\n\nSigned-off-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b9703449347603289cac0bd04e574ac2e777275d",
      "tree": "287d7d8cccfad36f238d826f87e474afb8db424d",
      "parents": [
        "4b174b6d281f5c87234fc65bafc02877f565c5cf"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Jan 18 09:07:12 2011 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 24 10:27:57 2011 +1100"
      },
      "message": "encrypted-keys: rename encrypted_defined files to encrypted\n\nRename encrypted_defined.c and encrypted_defined.h files to encrypted.c and\nencrypted.h, respectively. Based on request from David Howells.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4b174b6d281f5c87234fc65bafc02877f565c5cf",
      "tree": "5c1f0519d2f4d642ac9ecec9a180019fe980958e",
      "parents": [
        "1bae4ce27c9c90344f23c65ea6966c50ffeae2f5"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Jan 18 09:07:11 2011 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 24 10:14:22 2011 +1100"
      },
      "message": "trusted-keys: rename trusted_defined files to trusted\n\nRename trusted_defined.c and trusted_defined.h files to trusted.c and\ntrusted.h, respectively. Based on request from David Howells.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "973c9f4f49ca96a53bcf6384c4c59ccd26c33906",
      "tree": "e3535a43c1e5cb5f0c06c040f58bc25c9b869fd1",
      "parents": [
        "a8b17ed019bd40d3bfa20439d9c36a99f9be9180"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Jan 20 16:38:33 2011 +0000"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jan 21 14:59:30 2011 -0800"
      },
      "message": "KEYS: Fix up comments in key management code\n\nFix up comments in the key management code.  No functional changes.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "a8b17ed019bd40d3bfa20439d9c36a99f9be9180",
      "tree": "beb3b08575aa01c7ebb24939b678d533b1f59adf",
      "parents": [
        "9093ba53b7f26dbb5210de1157769e59e34bbe23"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Jan 20 16:38:27 2011 +0000"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jan 21 14:59:29 2011 -0800"
      },
      "message": "KEYS: Do some style cleanup in the key management code.\n\nDo a bit of a style clean up in the key management code.  No functional\nchanges.\n\nDone using:\n\n  perl -p -i -e \u0027s!^/[*]*/\\n!!\u0027 security/keys/*.c\n  perl -p -i -e \u0027s!} /[*] end [a-z0-9_]*[(][)] [*]/\\n!}\\n!\u0027 security/keys/*.c\n  sed -i -s -e \": next\" -e N -e \u0027s/^\\n[}]$/}/\u0027 -e t -e P -e \u0027s/^.*\\n//\u0027 -e \"b next\" security/keys/*.c\n\nTo remove /*****/ lines, remove comments on the closing brace of a\nfunction to name the function and remove blank lines before the closing\nbrace of a function.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "154a96bfcd53b8e5020718c64769e542c44788b9",
      "tree": "2fc7a4c8992fb4222a6fb47f22907a94da48eebd",
      "parents": [
        "0e7491f685cbc962f2ef977f7b5f8ed0b3100e88"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Jan 17 09:27:27 2011 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 19 09:53:59 2011 +1100"
      },
      "message": "trusted-keys: avoid scattering va_end()\n\nWe can avoid scattering va_end() within the\n\n  va_start();\n  for (;;) {\n\n  }\n  va_end();\n\nloop, assuming that crypto_shash_init()/crypto_shash_update() return 0 on\nsuccess and negative value otherwise.\n\nMake TSS_authhmac()/TSS_checkhmac1()/TSS_checkhmac2() similar to TSS_rawhmac()\nby removing \"va_end()/goto\" from the loop.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nReviewed-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0e7491f685cbc962f2ef977f7b5f8ed0b3100e88",
      "tree": "44d27bf6f64b974eb8d177316c3fd77f66324b13",
      "parents": [
        "35576eab390df313095306e2a8216134910e7014"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Jan 17 09:25:34 2011 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 19 09:53:56 2011 +1100"
      },
      "message": "trusted-keys: check for NULL before using it\n\nTSS_rawhmac() checks for data !\u003d NULL before using it.\nWe should do the same thing for TSS_authhmac().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nReviewed-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "35576eab390df313095306e2a8216134910e7014",
      "tree": "c35b52f6797ce69091c3e3bc596783f45e19496a",
      "parents": [
        "40c1001792de63e0f90e977eb05393fd71f78692"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Jan 17 09:22:47 2011 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 19 09:53:53 2011 +1100"
      },
      "message": "trusted-keys: another free memory bugfix\n\nTSS_rawhmac() forgot to call va_end()/kfree() when data \u003d\u003d NULL and\nforgot to call va_end() when crypto_shash_update() \u003c 0.\nFix these bugs by escaping from the loop using \"break\"\n(rather than \"return\"/\"goto\") in order to make sure that\nva_end()/kfree() are always called.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nReviewed-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "40c1001792de63e0f90e977eb05393fd71f78692",
      "tree": "7172e92ccefd8f4b8ee42401901ddab5bec687b5",
      "parents": [
        "581548db3b3c0f6e25b500329eb02e3c72e7acbe"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 20 12:37:18 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 14 10:27:46 2011 +1100"
      },
      "message": "trusted-keys: free memory bugfix\n\nAdd missing kfree(td) in tpm_seal() before the return, freeing\ntd on error paths as well.\n\nReported-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Safford \u003csafford@watson.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Serge Hallyn \u003cserge@hallyn.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "008d23e4852d78bb2618f2035f8b2110b6a6b968",
      "tree": "81c88f744f6f3fc84132527c1ddc0b4da410c5e2",
      "parents": [
        "8f685fbda43deccd130d192c9fcef1444649eaca",
        "bfc672dcf323877228682aff79dff8ecd9f30ff8"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jan 13 10:05:56 2011 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jan 13 10:05:56 2011 -0800"
      },
      "message": "Merge branch \u0027for-next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial\n\n* \u0027for-next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (43 commits)\n  Documentation/trace/events.txt: Remove obsolete sched_signal_send.\n  writeback: fix global_dirty_limits comment runtime -\u003e real-time\n  ppc: fix comment typo singal -\u003e signal\n  drivers: fix comment typo diable -\u003e disable.\n  m68k: fix comment typo diable -\u003e disable.\n  wireless: comment typo fix diable -\u003e disable.\n  media: comment typo fix diable -\u003e disable.\n  remove doc for obsolete dynamic-printk kernel-parameter\n  remove extraneous \u0027is\u0027 from Documentation/iostats.txt\n  Fix spelling milisec -\u003e ms in snd_ps3 module parameter description\n  Fix spelling mistakes in comments\n  Revert conflicting V4L changes\n  i7core_edac: fix typos in comments\n  mm/rmap.c: fix comment\n  sound, ca0106: Fix assignment to \u0027channel\u0027.\n  hrtimer: fix a typo in comment\n  init/Kconfig: fix typo\n  anon_inodes: fix wrong function name in comment\n  fix comment typos concerning \"consistent\"\n  poll: fix a typo in comment\n  ...\n\nFix up trivial conflicts in:\n - drivers/net/wireless/iwlwifi/iwl-core.c (moved to iwl-legacy.c)\n - fs/ext4/ext4.h\n\nAlso fix missed \u0027diabled\u0027 typo in drivers/net/bnx2x/bnx2x.h while at it.\n"
    },
    {
      "commit": "e0e736fc0d33861335e2a132e4f688f7fd380c61",
      "tree": "d9febe9ca1ef1e24efc5e6e1e34e412316d246bd",
      "parents": [
        "a08948812b30653eb2c536ae613b635a989feb6f",
        "aeda4ac3efc29e4d55989abd0a73530453aa69ba"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Jan 10 11:18:59 2011 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Jan 10 11:18:59 2011 -0800"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (30 commits)\n  MAINTAINERS: Add tomoyo-dev-en ML.\n  SELinux: define permissions for DCB netlink messages\n  encrypted-keys: style and other cleanup\n  encrypted-keys: verify datablob size before converting to binary\n  trusted-keys: kzalloc and other cleanup\n  trusted-keys: additional TSS return code and other error handling\n  syslog: check cap_syslog when dmesg_restrict\n  Smack: Transmute labels on specified directories\n  selinux: cache sidtab_context_to_sid results\n  SELinux: do not compute transition labels on mountpoint labeled filesystems\n  This patch adds a new security attribute to Smack called SMACK64EXEC. It defines label that is used while task is running.\n  SELinux: merge policydb_index_classes and policydb_index_others\n  selinux: convert part of the sym_val_to_name array to use flex_array\n  selinux: convert type_val_to_struct to flex_array\n  flex_array: fix flex_array_put_ptr macro to be valid C\n  SELinux: do not set automatic i_ino in selinuxfs\n  selinux: rework security_netlbl_secattr_to_sid\n  SELinux: standardize return code handling in selinuxfs.c\n  SELinux: standardize return code handling in selinuxfs.c\n  SELinux: standardize return code handling in policydb.c\n  ...\n"
    },
    {
      "commit": "57cc7215b70856dc6bae8e55b00ecd7b1d7429b1",
      "tree": "f6dedefd41e6745a9b801166b99af7d830e41ef2",
      "parents": [
        "37721e1b0cf98cb65895f234d8c500d270546529"
      ],
      "author": {
        "name": "Alexey Dobriyan",
        "email": "adobriyan@gmail.com",
        "time": "Mon Jan 10 08:18:25 2011 +0200"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Jan 10 08:51:44 2011 -0800"
      },
      "message": "headers: kobject.h redux\n\nRemove kobject.h from files which don\u0027t need it, notably,\nsched.h and fs.h.\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "37721e1b0cf98cb65895f234d8c500d270546529",
      "tree": "6fb3ec6910513b18e100b17432864fa8c46d55e4",
      "parents": [
        "9f99a2f0e44663517b99b69a3e4a499d0ba877df"
      ],
      "author": {
        "name": "Alexey Dobriyan",
        "email": "adobriyan@gmail.com",
        "time": "Mon Jan 10 08:17:10 2011 +0200"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Jan 10 08:51:44 2011 -0800"
      },
      "message": "headers: path.h redux\n\nRemove path.h from sched.h and other files.\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "aeda4ac3efc29e4d55989abd0a73530453aa69ba",
      "tree": "35b3d2cca8bfb49cf08bf1c6b55b586c1e5971e7",
      "parents": [
        "d2e7ad19229f982fc1eb731827d82ceac90abfb3",
        "350e4f31e0eaf56dfc3b328d24a11bdf42a41fb8"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 10 10:40:42 2011 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 10 10:40:42 2011 +1100"
      },
      "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into next\n"
    },
    {
      "commit": "d2e7ad19229f982fc1eb731827d82ceac90abfb3",
      "tree": "98a3741b4d4b27a48b3c7ea9babe331e539416a8",
      "parents": [
        "d03a5d888fb688c832d470b749acc5ed38e0bc1d",
        "0c21e3aaf6ae85bee804a325aa29c325209180fd"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 10 09:46:24 2011 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 10 09:46:24 2011 +1100"
      },
      "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tsecurity/smack/smack_lsm.c\n\nVerified and added fix by Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nOk\u0027d by Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b4a45f5fe8078bfc10837dbd5b98735058bc4698",
      "tree": "df6f13a27610a3ec7eb4a661448cd779a8f84c79",
      "parents": [
        "01539ba2a706ab7d35fc0667dff919ade7f87d63",
        "b3e19d924b6eaf2ca7d22cba99a517c5171007b6"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jan 07 08:56:33 2011 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jan 07 08:56:33 2011 -0800"
      },
      "message": "Merge branch \u0027vfs-scale-working\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/npiggin/linux-npiggin\n\n* \u0027vfs-scale-working\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/npiggin/linux-npiggin: (57 commits)\n  fs: scale mntget/mntput\n  fs: rename vfsmount counter helpers\n  fs: implement faster dentry memcmp\n  fs: prefetch inode data in dcache lookup\n  fs: improve scalability of pseudo filesystems\n  fs: dcache per-inode inode alias locking\n  fs: dcache per-bucket dcache hash locking\n  bit_spinlock: add required includes\n  kernel: add bl_list\n  xfs: provide simple rcu-walk ACL implementation\n  btrfs: provide simple rcu-walk ACL implementation\n  ext2,3,4: provide simple rcu-walk ACL implementation\n  fs: provide simple rcu-walk generic_check_acl implementation\n  fs: provide rcu-walk aware permission i_ops\n  fs: rcu-walk aware d_revalidate method\n  fs: cache optimise dentry and inode for rcu-walk\n  fs: dcache reduce branches in lookup path\n  fs: dcache remove d_mounted\n  fs: fs_struct use seqlock\n  fs: rcu-walk for path lookup\n  ...\n"
    },
    {
      "commit": "31e6b01f4183ff419a6d1f86177cbf4662347cec",
      "tree": "e215ec9af88352c55e024f784f3d9f8eb13fab85",
      "parents": [
        "3c22cd5709e8143444a6d08682a87f4c57902df3"
      ],
      "author": {
        "name": "Nick Piggin",
        "email": "npiggin@kernel.dk",
        "time": "Fri Jan 07 17:49:52 2011 +1100"
      },
      "committer": {
        "name": "Nick Piggin",
        "email": "npiggin@kernel.dk",
        "time": "Fri Jan 07 17:50:27 2011 +1100"
      },
      "message": "fs: rcu-walk for path lookup\n\nPerform common cases of path lookups without any stores or locking in the\nancestor dentry elements. This is called rcu-walk, as opposed to the current\nalgorithm which is a refcount based walk, or ref-walk.\n\nThis results in far fewer atomic operations on every path element,\nsignificantly improving path lookup performance. It also avoids cacheline\nbouncing on common dentries, significantly improving scalability.\n\nThe overall design is like this:\n* LOOKUP_RCU is set in nd-\u003eflags, which distinguishes rcu-walk from ref-walk.\n* Take the RCU lock for the entire path walk, starting with the acquiring\n  of the starting path (eg. root/cwd/fd-path). So now dentry refcounts are\n  not required for dentry persistence.\n* synchronize_rcu is called when unregistering a filesystem, so we can\n  access d_ops and i_ops during rcu-walk.\n* Similarly take the vfsmount lock for the entire path walk. So now mnt\n  refcounts are not required for persistence. Also we are free to perform mount\n  lookups, and to assume dentry mount points and mount roots are stable up and\n  down the path.\n* Have a per-dentry seqlock to protect the dentry name, parent, and inode,\n  so we can load this tuple atomically, and also check whether any of its\n  members have changed.\n* Dentry lookups (based on parent, candidate string tuple) recheck the parent\n  sequence after the child is found in case anything changed in the parent\n  during the path walk.\n* inode is also RCU protected so we can load d_inode and use the inode for\n  limited things.\n* i_mode, i_uid, i_gid can be tested for exec permissions during path walk.\n* i_op can be loaded.\n\nWhen we reach the destination dentry, we lock it, recheck lookup sequence,\nand increment its refcount and mountpoint refcount. RCU and vfsmount locks\nare dropped. This is termed \"dropping rcu-walk\". If the dentry refcount does\nnot match, we can not drop rcu-walk gracefully at the current point in the\nlookup, so instead return -ECHILD (for want of a better errno). This signals the\npath walking code to re-do the entire lookup with a ref-walk.\n\nAside from the final dentry, there are other situations that may be encountered\nwhere we cannot continue rcu-walk. In that case, we drop rcu-walk (ie. take\na reference on the last good dentry) and continue with a ref-walk. Again, if\nwe can drop rcu-walk gracefully, we return -ECHILD and do the whole lookup\nusing ref-walk. But it is very important that we can continue with ref-walk\nfor most cases, particularly to avoid the overhead of double lookups, and to\ngain the scalability advantages on common path elements (like cwd and root).\n\nThe cases where rcu-walk cannot continue are:\n* NULL dentry (ie. any uncached path element)\n* parent with d_inode-\u003ei_op-\u003epermission or ACLs\n* dentries with d_revalidate\n* Following links\n\nIn future patches, permission checks and d_revalidate become rcu-walk aware. It\nmay be possible eventually to make following links rcu-walk aware.\n\nUncached path elements will always require dropping to ref-walk mode, at the\nvery least because i_mutex needs to be grabbed, and objects allocated.\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\n"
    },
    {
      "commit": "dc0474be3e27463d4d4a2793f82366eed906f223",
      "tree": "41f75e638442cb343bacdcfbabb17ffc3bd5b4ce",
      "parents": [
        "357f8e658bba8a085c4a5d4331e30894be8096b8"
      ],
      "author": {
        "name": "Nick Piggin",
        "email": "npiggin@kernel.dk",
        "time": "Fri Jan 07 17:49:43 2011 +1100"
      },
      "committer": {
        "name": "Nick Piggin",
        "email": "npiggin@kernel.dk",
        "time": "Fri Jan 07 17:50:24 2011 +1100"
      },
      "message": "fs: dcache rationalise dget variants\n\ndget_locked was a shortcut to avoid the lazy lru manipulation when we already\nheld dcache_lock (lru manipulation was relatively cheap at that point).\nHowever, now that the lru lock is an innermost one, we never hold it at any\ncaller, so the lock cost can now be avoided. We already have well working lazy\ndcache LRU, so it should be fine to defer LRU manipulations to scan time.\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\n"
    },
    {
      "commit": "b5c84bf6f6fa3a7dfdcb556023a62953574b60ee",
      "tree": "7a2c299a180713e21d5cb653cb933121adf53c31",
      "parents": [
        "949854d02455080d20cd3e1db28a3a18daf7599d"
      ],
      "author": {
        "name": "Nick Piggin",
        "email": "npiggin@kernel.dk",
        "time": "Fri Jan 07 17:49:38 2011 +1100"
      },
      "committer": {
        "name": "Nick Piggin",
        "email": "npiggin@kernel.dk",
        "time": "Fri Jan 07 17:50:23 2011 +1100"
      },
      "message": "fs: dcache remove dcache_lock\n\ndcache_lock no longer protects anything. remove it.\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\n"
    },
    {
      "commit": "2fd6b7f50797f2e993eea59e0a0b8c6399c811dc",
      "tree": "ce33b94b34844c09103836cf4cfa4364b742f217",
      "parents": [
        "da5029563a0a026c64821b09e8e7b4fd81d3fe1b"
      ],
      "author": {
        "name": "Nick Piggin",
        "email": "npiggin@kernel.dk",
        "time": "Fri Jan 07 17:49:34 2011 +1100"
      },
      "committer": {
        "name": "Nick Piggin",
        "email": "npiggin@kernel.dk",
        "time": "Fri Jan 07 17:50:21 2011 +1100"
      },
      "message": "fs: dcache scale subdirs\n\nProtect d_subdirs and d_child with d_lock, except in filesystems that aren\u0027t\nusing dcache_lock for these anyway (eg. using i_mutex).\n\nNote: if we change the locking rule in future so that -\u003ed_child protection is\nprovided only with -\u003ed_parent-\u003ed_lock, it may allow us to reduce some locking.\nBut it would be an exception to an otherwise regular locking scheme, so we\u0027d\nhave to see some good results. Probably not worthwhile.\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\n"
    },
    {
      "commit": "da5029563a0a026c64821b09e8e7b4fd81d3fe1b",
      "tree": "5d5618e0cb382390073377b1be7d0aa76879ac54",
      "parents": [
        "b7ab39f631f505edc2bbdb86620d5493f995c9da"
      ],
      "author": {
        "name": "Nick Piggin",
        "email": "npiggin@kernel.dk",
        "time": "Fri Jan 07 17:49:33 2011 +1100"
      },
      "committer": {
        "name": "Nick Piggin",
        "email": "npiggin@kernel.dk",
        "time": "Fri Jan 07 17:50:21 2011 +1100"
      },
      "message": "fs: dcache scale d_unhashed\n\nProtect d_unhashed(dentry) condition with d_lock. This means keeping\nDCACHE_UNHASHED bit in synch with hash manipulations.\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\n"
    },
    {
      "commit": "abb359450f20c32ae03039d8736f12b1d561caf5",
      "tree": "6e8723885feb66a138f19f0ff31615dc13a8d859",
      "parents": [
        "cb600d2f83c854ec3d6660063e4466431999489b",
        "4e3dbdb1392a83bd21a6ff8f6bc785495058d37c"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jan 06 12:30:19 2011 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jan 06 12:30:19 2011 -0800"
      },
      "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1436 commits)\n  cassini: Use local-mac-address prom property for Cassini MAC address\n  net: remove the duplicate #ifdef __KERNEL__\n  net: bridge: check the length of skb after nf_bridge_maybe_copy_header()\n  netconsole: clarify stopping message\n  netconsole: don\u0027t announce stopping if nothing happened\n  cnic: Fix the type field in SPQ messages\n  netfilter: fix export secctx error handling\n  netfilter: fix the race when initializing nf_ct_expect_hash_rnd\n  ipv4: IP defragmentation must be ECN aware\n  net: r6040: Return proper error for r6040_init_one\n  dcb: use after free in dcb_flushapp()\n  dcb: unlock on error in dcbnl_ieee_get()\n  net: ixp4xx_eth: Return proper error for eth_init_one\n  include/linux/if_ether.h: Add #define ETH_P_LINK_CTL for HPNA and wlan local tunnel\n  net: add POLLPRI to sock_def_readable()\n  af_unix: Avoid socket-\u003esk NULL OOPS in stream connect security hooks.\n  net_sched: pfifo_head_drop problem\n  mac80211: remove stray extern\n  mac80211: implement off-channel TX using hw r-o-c offload\n  mac80211: implement hardware offload for remain-on-channel\n  ...\n"
    },
    {
      "commit": "3610cda53f247e176bcbb7a7cca64bc53b12acdb",
      "tree": "d780bc1e405116e75a194b2f4693a6f9bbe9f58f",
      "parents": [
        "44b8288308ac9da27eab7d7bdbf1375a568805c3"
      ],
      "author": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Wed Jan 05 15:38:53 2011 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Wed Jan 05 15:38:53 2011 -0800"
      },
      "message": "af_unix: Avoid socket-\u003esk NULL OOPS in stream connect security hooks.\n\nunix_release() can asynchronously set socket-\u003esk to NULL, and\nit does so without holding the unix_state_lock() on \"other\"\nduring stream connects.\n\nHowever, the reverse mapping, sk-\u003esk_socket, is only transitioned\nto NULL under the unix_state_lock().\n\nTherefore make the security hooks follow the reverse mapping instead\nof the forward mapping.\n\nReported-by: Jeremy Fitzhardinge \u003cjeremy@goop.org\u003e\nReported-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "867c20265459d30a01b021a9c1e81fb4c5832aa9",
      "tree": "7873555d6a0e100fb1faa90da6e6366a430c3403",
      "parents": [
        "03ed6a3aa600c48593c3984812fda2d5945ddb46"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jan 03 14:59:10 2011 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Jan 03 16:36:33 2011 -0800"
      },
      "message": "ima: fix add LSM rule bug\n\nIf security_filter_rule_init() doesn\u0027t return a rule, then not everything\nis as fine as the return code implies.\n\nThis bug only occurs when the LSM (eg. SELinux) is disabled at runtime.\n\nAdding an empty LSM rule causes ima_match_rules() to always succeed,\nignoring any remaining rules.\n\n default IMA TCB policy:\n  # PROC_SUPER_MAGIC\n  dont_measure fsmagic\u003d0x9fa0\n  # SYSFS_MAGIC\n  dont_measure fsmagic\u003d0x62656572\n  # DEBUGFS_MAGIC\n  dont_measure fsmagic\u003d0x64626720\n  # TMPFS_MAGIC\n  dont_measure fsmagic\u003d0x01021994\n  # SECURITYFS_MAGIC\n  dont_measure fsmagic\u003d0x73636673\n\n  \u003c LSM specific rule \u003e\n  dont_measure obj_type\u003dvar_log_t\n\n  measure func\u003dBPRM_CHECK\n  measure func\u003dFILE_MMAP mask\u003dMAY_EXEC\n  measure func\u003dFILE_CHECK mask\u003dMAY_READ uid\u003d0\n\nThus without the patch, with the boot parameters \u0027tcb selinux\u003d0\u0027, adding\nthe above \u0027dont_measure obj_type\u003dvar_log_t\u0027 rule to the default IMA TCB\nmeasurement policy, would result in nothing being measured.  The patch\nprevents the default TCB policy from being replaced.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nCc: David Safford \u003csafford@watson.ibm.com\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "17f7f4d9fcce8f1b75b5f735569309dee7665968",
      "tree": "14d7e49ca0053a0fcab3c33b5023bf3f90c5c08a",
      "parents": [
        "041110a439e21cd40709ead4ffbfa8034619ad77",
        "d7c1255a3a21e98bdc64df8ccf005a174d7e6289"
      ],
      "author": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sun Dec 26 22:37:05 2010 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sun Dec 26 22:37:05 2010 -0800"
      },
      "message": "Merge branch \u0027master\u0027 of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6\n\nConflicts:\n\tnet/ipv4/fib_frontend.c\n"
    },
    {
      "commit": "3fc5e98d8cf85e0d77fc597b49e9268dff67400e",
      "tree": "acd7c7a2579f945ff856bd570988f48f652f93c1",
      "parents": [
        "44658a11f312fb9217674cb90b1a11cbe17fd18d"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Dec 22 16:24:13 2010 +0000"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Dec 23 15:31:48 2010 -0800"
      },
      "message": "KEYS: Don\u0027t call up_write() if __key_link_begin() returns an error\n\nIn construct_alloc_key(), up_write() is called in the error path if\n__key_link_begin() fails, but this is incorrect as __key_link_begin() only\nreturns with the nominated keyring locked if it returns successfully.\n\nWithout this patch, you might see the following in dmesg:\n\n\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\t[ BUG: bad unlock balance detected! ]\n\t-------------------------------------\n\tmount.cifs/5769 is trying to release lock (\u0026key-\u003esem) at:\n\t[\u003cffffffff81201159\u003e] request_key_and_link+0x263/0x3fc\n\tbut there are no more locks to release!\n\n\tother info that might help us debug this:\n\t3 locks held by mount.cifs/5769:\n\t #0:  (\u0026type-\u003es_umount_key#41/1){+.+.+.}, at: [\u003cffffffff81131321\u003e] sget+0x278/0x3e7\n\t #1:  (\u0026ret_buf-\u003esession_mutex){+.+.+.}, at: [\u003cffffffffa0258e59\u003e] cifs_get_smb_ses+0x35a/0x443 [cifs]\n\t #2:  (root_key_user.cons_lock){+.+.+.}, at: [\u003cffffffff81201000\u003e] request_key_and_link+0x10a/0x3fc\n\n\tstack backtrace:\n\tPid: 5769, comm: mount.cifs Not tainted 2.6.37-rc6+ #1\n\tCall Trace:\n\t [\u003cffffffff81201159\u003e] ? request_key_and_link+0x263/0x3fc\n\t [\u003cffffffff81081601\u003e] print_unlock_inbalance_bug+0xca/0xd5\n\t [\u003cffffffff81083248\u003e] lock_release_non_nested+0xc1/0x263\n\t [\u003cffffffff81201159\u003e] ? request_key_and_link+0x263/0x3fc\n\t [\u003cffffffff81201159\u003e] ? request_key_and_link+0x263/0x3fc\n\t [\u003cffffffff81083567\u003e] lock_release+0x17d/0x1a4\n\t [\u003cffffffff81073f45\u003e] up_write+0x23/0x3b\n\t [\u003cffffffff81201159\u003e] request_key_and_link+0x263/0x3fc\n\t [\u003cffffffffa026fe9e\u003e] ? cifs_get_spnego_key+0x61/0x21f [cifs]\n\t [\u003cffffffff812013c5\u003e] request_key+0x41/0x74\n\t [\u003cffffffffa027003d\u003e] cifs_get_spnego_key+0x200/0x21f [cifs]\n\t [\u003cffffffffa026e296\u003e] CIFS_SessSetup+0x55d/0x1273 [cifs]\n\t [\u003cffffffffa02589e1\u003e] cifs_setup_session+0x90/0x1ae [cifs]\n\t [\u003cffffffffa0258e7e\u003e] cifs_get_smb_ses+0x37f/0x443 [cifs]\n\t [\u003cffffffffa025a9e3\u003e] cifs_mount+0x1aa1/0x23f3 [cifs]\n\t [\u003cffffffff8111fd94\u003e] ? alloc_debug_processing+0xdb/0x120\n\t [\u003cffffffffa027002c\u003e] ? cifs_get_spnego_key+0x1ef/0x21f [cifs]\n\t [\u003cffffffffa024cc71\u003e] cifs_do_mount+0x165/0x2b3 [cifs]\n\t [\u003cffffffff81130e72\u003e] vfs_kern_mount+0xaf/0x1dc\n\t [\u003cffffffff81131007\u003e] do_kern_mount+0x4d/0xef\n\t [\u003cffffffff811483b9\u003e] do_mount+0x6f4/0x733\n\t [\u003cffffffff8114861f\u003e] sys_mount+0x88/0xc2\n\t [\u003cffffffff8100ac42\u003e] system_call_fastpath+0x16/0x1b\n\nReported-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-and-Tested-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "4b7bd364700d9ac8372eff48832062b936d0793b",
      "tree": "0dbf78c95456a0b02d07fcd473281f04a87e266d",
      "parents": [
        "c0d8768af260e2cbb4bf659ae6094a262c86b085",
        "90a8a73c06cc32b609a880d48449d7083327e11a"
      ],
      "author": {
        "name": "Jiri Kosina",
        "email": "jkosina@suse.cz",
        "time": "Wed Dec 22 18:57:02 2010 +0100"
      },
      "committer": {
        "name": "Jiri Kosina",
        "email": "jkosina@suse.cz",
        "time": "Wed Dec 22 18:57:02 2010 +0100"
      },
      "message": "Merge branch \u0027master\u0027 into for-next\n\nConflicts:\n\tMAINTAINERS\n\tarch/arm/mach-omap2/pm24xx.c\n\tdrivers/scsi/bfa/bfa_fcpim.c\n\nNeeded to update to apply fixes for which the old branch was too\noutdated.\n"
    },
    {
      "commit": "350e4f31e0eaf56dfc3b328d24a11bdf42a41fb8",
      "tree": "8b825e93e80367fc55f43641037301abfcca0b17",
      "parents": [
        "73ff5fc0a86b28b77e02a6963b388d1dbfa0a263"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Dec 16 11:46:51 2010 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Dec 16 12:50:17 2010 -0500"
      },
      "message": "SELinux: define permissions for DCB netlink messages\n\nCommit 2f90b865 added two new netlink message types to the netlink route\nsocket.  SELinux has hooks to define if netlink messages are allowed to\nbe sent or received, but it did not know about these two new message\ntypes.  By default we allow such actions so no one likely noticed.  This\npatch adds the proper definitions and thus proper permissions\nenforcement.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "3b1826cebe1d534ec05417a29b9a9f82651a5cb5",
      "tree": "38fc352e647df90c86a0b03722eff8f66b7eb607",
      "parents": [
        "1f35065a9e2573427ce3fd6c4a40b355c2ddfb92"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 13 16:53:13 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Dec 15 12:14:34 2010 +0530"
      },
      "message": "encrypted-keys: style and other cleanup\n\nCleanup based on David Howells suggestions:\n- use static const char arrays instead of #define\n- rename init_sdesc to alloc_sdesc\n- convert \u0027unsigned int\u0027 definitions to \u0027size_t\u0027\n- revert remaining \u0027const unsigned int\u0027 definitions to \u0027unsigned int\u0027\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1f35065a9e2573427ce3fd6c4a40b355c2ddfb92",
      "tree": "9ee6990e21b34dda09efc625a8bca4fa6c4e5d67",
      "parents": [
        "1bdbb4024c309e470711b434a24fb356fc92edea"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 13 16:53:12 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Dec 15 12:14:32 2010 +0530"
      },
      "message": "encrypted-keys: verify datablob size before converting to binary\n\nVerify the hex ascii datablob length is correct before converting the IV,\nencrypted data, and HMAC to binary.\n\nReported-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1bdbb4024c309e470711b434a24fb356fc92edea",
      "tree": "129f4136a53e0133fcdff81065f2e15fb4aac374",
      "parents": [
        "bc5e0af0b36b6cc9de301074426c279fc9b72675"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 13 16:53:11 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Dec 15 12:14:27 2010 +0530"
      },
      "message": "trusted-keys: kzalloc and other cleanup\n\nCleanup based on David Howells suggestions:\n- replace kzalloc, where possible, with kmalloc\n- revert \u0027const unsigned int\u0027 definitions to \u0027unsigned int\u0027\n\nSigned-off-by: David Safford \u003csafford@watson.ibm.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "bc5e0af0b36b6cc9de301074426c279fc9b72675",
      "tree": "116b20ec3e81f4a956ecf0fde2dfba11d43117dc",
      "parents": [
        "38ef4c2e437d11b5922723504b62824e96761459"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 13 16:53:10 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Dec 15 12:14:25 2010 +0530"
      },
      "message": "trusted-keys: additional TSS return code and other error handling\n\nPreviously not all TSS return codes were tested, as they were all eventually\ncaught by the TPM. Now all returns are tested and handled immediately.\n\nThis patch also fixes memory leaks in error and non-error paths.\n\nSigned-off-by: David Safford \u003csafford@watson.ibm.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge E. Hallyn \u003cserge@hallyn.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5c6d1125f8dbd1bfef39e38fbc2837003be78a59",
      "tree": "368d34e800bc5478442679323270d776b79501e8",
      "parents": [
        "fe27d4b012273640e033be80f143bdc54daa8e16"
      ],
      "author": {
        "name": "Jarkko Sakkinen",
        "email": "ext-jarkko.2.sakkinen@nokia.com",
        "time": "Tue Dec 07 13:34:01 2010 +0200"
      },
      "committer": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Tue Dec 07 14:04:02 2010 -0800"
      },
      "message": "Smack: Transmute labels on specified directories\n\nIn a situation where Smack access rules allow processes\nwith multiple labels to write to a directory it is easy\nto get into a situation where the directory gets cluttered\nwith files that the owner can\u0027t deal with because while\nthey could be written to the directory a process at the\nlabel of the directory can\u0027t write them. This is generally\nthe desired behavior, but when it isn\u0027t it is a real\nissue.\n\nThis patch introduces a new attribute SMACK64TRANSMUTE that\ninstructs Smack to create the file with the label of the directory\nunder certain circumstances.\n\nA new access mode, \"t\" for transmute, is made available to\nSmack access rules, which are expanded from \"rwxa\" to \"rwxat\".\nIf a file is created in a directory marked as transmutable\nand if access was granted to perform the operation by a rule\nthat included the transmute mode, then the file gets the\nSmack label of the directory instead of the Smack label of the\ncreating process.\n\nNote that this is equivalent to creating an empty file at the\nlabel of the directory and then having the other process write\nto it. The transmute scheme requires that both the access rule\nallows transmutation and that the directory be explicitly marked.\n\nSigned-off-by: Jarkko Sakkinen \u003cext-jarkko.2.sakkinen@nokia.com\u003e\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n"
    },
    {
      "commit": "73ff5fc0a86b28b77e02a6963b388d1dbfa0a263",
      "tree": "7b84f738078e6b96f6b35805c8b6c4fa699968ed",
      "parents": [
        "415103f9932d45f7927f4b17e3a9a13834cdb9a1"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Dec 07 16:17:28 2010 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Dec 07 16:44:01 2010 -0500"
      },
      "message": "selinux: cache sidtab_context_to_sid results\n\nsidtab_context_to_sid takes up a large share of time when creating large\nnumbers of new inodes (~30-40% in oprofile runs).  This patch implements a\ncache of 3 entries which is checked before we do a full context_to_sid lookup.\nOn one system this showed over a x3 improvement in the number of inodes that\ncould be created per second and around a 20% improvement on another system.\n\nAny time we look up the same context string successively (imagine ls -lZ) we\nshould hit this cache hot.  A cache miss should have a relatively minor effect\non performance next to doing the full table search.\n\nAll operations on the cache are done COMPLETELY lockless.  We know that all\nstruct sidtab_node objects created will never be deleted until a new policy is\nloaded thus we never have to worry about a pointer being dereferenced.  Since\nwe also know that pointer assignment is atomic we know that the cache will\nalways have valid pointers.  Given this information we implement a FIFO cache\nin an array of 3 pointers.  Every result (whether a cache hit or table lookup)\nwill be placed in the 0 spot of the cache and the rest of the entries moved\ndown one spot.  The 3rd entry will be lost.\n\nRaces are possible and are even likely to happen.  Lets assume that 4 tasks\nare hitting sidtab_context_to_sid.  The first task checks against the first\nentry in the cache and it is a miss.  Now lets assume a second task updates\nthe cache with a new entry.  This will push the first entry back to the second\nspot.  Now the first task might check against the second entry (which it\nalready checked) and will miss again.  Now say some third task updates the\ncache and push the second entry to the third spot.  The first task may check\nthe third entry (for the third time!) and again have a miss.  At which point\nit will just do a full table lookup.  No big deal!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "415103f9932d45f7927f4b17e3a9a13834cdb9a1",
      "tree": "271746ba59ca5b19185574538b5af3e30178c04f",
      "parents": [
        "1d9bc6dc5b6b9cc9299739f0245ce4841f066b92"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Dec 02 16:13:40 2010 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Dec 02 16:14:51 2010 -0500"
      },
      "message": "SELinux: do not compute transition labels on mountpoint labeled filesystems\n\nselinux_inode_init_security computes transitions sids even for filesystems\nthat use mount point labeling.  It shouldn\u0027t do that.  It should just use\nthe mount point label always and no matter what.\n\nThis causes 2 problems.  1) it makes file creation slower than it needs to be\nsince we calculate the transition sid and 2) it allows files to be created\nwith a different label than the mount point!\n\n# id -Z\nstaff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023\n# sesearch --type --class file --source sysadm_t --target tmp_t\nFound 1 semantic te rules:\n   type_transition sysadm_t tmp_t : file user_tmp_t;\n\n# mount -o loop,context\u003d\"system_u:object_r:tmp_t:s0\"  /tmp/fs /mnt/tmp\n\n# ls -lZ /mnt/tmp\ndrwx------. root root system_u:object_r:tmp_t:s0       lost+found\n# touch /mnt/tmp/file1\n# ls -lZ /mnt/tmp\n-rw-r--r--. root root staff_u:object_r:user_tmp_t:s0   file1\ndrwx------. root root system_u:object_r:tmp_t:s0       lost+found\n\nWhoops, we have a mount point labeled filesystem tmp_t with a user_tmp_t\nlabeled file!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Reviewed-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "676dac4b1bee0469d6932f698aeb77e8489f5861",
      "tree": "196b4cb35cf8dfdff0698dc4368cfd00acc7391a",
      "parents": [
        "93ae86e759299718c611bc543b9b1633bf32905a"
      ],
      "author": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Thu Dec 02 06:43:39 2010 -0800"
      },
      "committer": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Thu Dec 02 06:43:39 2010 -0800"
      },
      "message": "This patch adds a new security attribute to Smack called\nSMACK64EXEC. It defines the label that is used while the task is\nrunning.\n\nException: in smack_task_wait() child task is checked\nfor write access to parent task using label inherited\nfrom the task that forked it.\n\nFixed issues from previous submit:\n- SMACK64EXEC was not read when SMACK64 was not set.\n- inode security blob was not updated after setting\n  SMACK64EXEC\n- inode security blob was not updated when removing\n  SMACK64EXEC\n"
    },
    {
      "commit": "1d9bc6dc5b6b9cc9299739f0245ce4841f066b92",
      "tree": "aa1fe241ebdd6fb74ae468c1cf301dff4315db49",
      "parents": [
        "ac76c05becb6beedbb458d0827d3deaa6f479a72"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Nov 29 15:47:09 2010 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 30 17:28:58 2010 -0500"
      },
      "message": "SELinux: merge policydb_index_classes and policydb_index_others\n\nWe duplicate functionality in policydb_index_classes() and\npolicydb_index_others().  This patch merges those functions just to make it\nclear there is nothing special happening here.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "ac76c05becb6beedbb458d0827d3deaa6f479a72",
      "tree": "255276b52f7b031671ae5948b39d7c92e50ba420",
      "parents": [
        "23bdecb000c806cf4ec52764499a600f7200d7a9"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Nov 29 15:47:09 2010 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 30 17:28:58 2010 -0500"
      },
      "message": "selinux: convert part of the sym_val_to_name array to use flex_array\n\nThe sym_val_to_name type array can be quite large as it grows linearly with\nthe number of types.  With known policies having over 5k types these\nallocations are growing large enough that they are likely to fail.  Convert\nthose to flex_array so no allocation is larger than PAGE_SIZE\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "23bdecb000c806cf4ec52764499a600f7200d7a9",
      "tree": "f13a523f6bec22c5e7ec58ea02a4988aefe7c8ac",
      "parents": [
        "c41ab6a1b9028de33e74101cb0aae13098a56fdb"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Nov 29 15:47:09 2010 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 30 17:28:57 2010 -0500"
      },
      "message": "selinux: convert type_val_to_struct to flex_array\n\nIn rawhide type_val_to_struct will allocate 26848 bytes, an order 3\nallocation.  While this hasn\u0027t been seen to fail it isn\u0027t outside the\nrealm of possibility on systems with severe memory fragmentation.  Convert\nto flex_array so no allocation will ever be bigger than PAGE_SIZE.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "c9e86a9b95f198d7df49b25fcd808ee39cba218f",
      "tree": "0e62d348103f25a612d649c796cab225db2372c3",
      "parents": [
        "7ae9f23cbd3ef9daff7f768da4bfd4c56b19300d"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Nov 29 15:46:39 2010 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 30 17:28:57 2010 -0500"
      },
      "message": "SELinux: do not set automatic i_ino in selinuxfs\n\nselinuxfs carefully uses i_ino to figure out what the inode refers to.  The\nVFS used to generically set this value and we would reset it to something\nuseable.  After 85fe4025c616 each filesystem sets this value to a default\nif needed.  Since selinuxfs doesn\u0027t use the default value and it can only\nlead to problems (I\u0027d rather have 2 inodes with i_ino \u003d\u003d 0 than one\npointing to the wrong data) lets just stop setting a default.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7ae9f23cbd3ef9daff7f768da4bfd4c56b19300d",
      "tree": "8a92d6d1f05268c27f0e37d5684e947c6111d89e",
      "parents": [
        "4b02b524487622ce1cf472123899520b583f47dc"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 23 11:40:09 2010 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 30 17:28:57 2010 -0500"
      },
      "message": "selinux: rework security_netlbl_secattr_to_sid\n\nsecurity_netlbl_secattr_to_sid is difficult to follow, especially the\nreturn codes.  Try to make the function obvious.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "4b02b524487622ce1cf472123899520b583f47dc",
      "tree": "58802e2968852cb1eb0f8f6303fbfaf3d85ecc53",
      "parents": [
        "b77a493b1dc8010245feeac001e5c7ed0988678f"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 23 11:40:08 2010 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 30 17:28:57 2010 -0500"
      },
      "message": "SELinux: standardize return code handling in selinuxfs.c\n\nselinuxfs.c has lots of different standards on how to handle return paths on\nerror.  For the most part transition to\n\n\trc\u003derrno\n\tif (failure)\n\t\tgoto out;\n[...]\nout:\n\tcleanup()\n\treturn rc;\n\nInstead of doing cleanup mid function, or having multiple returns or other\noptions.  This doesn\u0027t do that for every function, but most of the complex\nfunctions which have cleanup routines on error.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "b77a493b1dc8010245feeac001e5c7ed0988678f",
      "tree": "f0d2364ce8ed46ab569f3a41cbebb9a51bffb0f0",
      "parents": [
        "9398c7f794078dc1768cc061b3da8cdd59f179a5"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 23 11:40:08 2010 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 30 17:28:57 2010 -0500"
      },
      "message": "SELinux: standardize return code handling in selinuxfs.c\n\nselinuxfs.c has lots of different standards on how to handle return paths on\nerror.  For the most part transition to\n\n\trc\u003derrno\n\tif (failure)\n\t\tgoto out;\n[...]\nout:\n\tcleanup()\n\treturn rc;\n\nInstead of doing cleanup mid function, or having multiple returns or other\noptions.  This doesn\u0027t do that for every function, but most of the complex\nfunctions which have cleanup routines on error.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "9398c7f794078dc1768cc061b3da8cdd59f179a5",
      "tree": "16e665d3bf7160e2da67b236b27a6bf87a73d5e2",
      "parents": [
        "e8a7e48bb248a1196484d3f8afa53bded2b24e71"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 23 11:40:08 2010 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 30 17:28:56 2010 -0500"
      },
      "message": "SELinux: standardize return code handling in policydb.c\n\npolicydb.c has lots of different standards on how to handle return paths on\nerror.  For the most part transition to\n\n\trc\u003derrno\n\tif (failure)\n\t\tgoto out;\n[...]\nout:\n\tcleanup()\n\treturn rc;\n\nInstead of doing cleanup mid function, or having multiple returns or other\noptions.  This doesn\u0027t do that for every function, but most of the complex\nfunctions which have cleanup routines on error.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "93ae86e759299718c611bc543b9b1633bf32905a",
      "tree": "e8b054d9df2c2f9e935d656d5eb25c7c6231c940",
      "parents": [
        "b4e0d5f0791bd6dd12a1c1edea0340969c7c1f90"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Nov 29 16:20:04 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Nov 30 09:20:27 2010 +1100"
      },
      "message": "keys: add missing include file for trusted and encrypted keys\n\nThis patch fixes the linux-next powerpc build errors as reported by\nStephen Rothwell.\n\nReported-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nTested-by: Rajiv Andrade \u003csrajiv@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b4e0d5f0791bd6dd12a1c1edea0340969c7c1f90",
      "tree": "1ed1def6d5dea2cdae6b6e52571677fa7650edd5",
      "parents": [
        "7e70cb4978507cf31d76b90e4cfb4c28cad87f0c"
      ],
      "author": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Wed Nov 24 17:12:10 2010 -0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Nov 29 09:04:35 2010 +1100"
      },
      "message": "Smack: UDS revision\n\nThis patch addresses a number of long standing issues\n    with the way Smack treats UNIX domain sockets.\n\n    All access control was being done based on the label of\n    the file system object. This is inconsistent with the\n    internet domain, in which access is done based on the\n    IPIN and IPOUT attributes of the socket. As a result\n    of the inode label policy it was not possible to use\n    a UDS socket for label cognizant services, including\n    dbus and the X11 server.\n\n    Support for SCM_PEERSEC on UDS sockets is also provided.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7e70cb4978507cf31d76b90e4cfb4c28cad87f0c",
      "tree": "c5df493eef8d30dcb40d647b0528970eb4a391c6",
      "parents": [
        "d00a1c72f7f4661212299e6cb132dfa58030bcdb"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Nov 23 18:55:35 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Nov 29 08:55:29 2010 +1100"
      },
      "message": "keys: add new key-type encrypted\n\nDefine a new kernel key-type called \u0027encrypted\u0027. Encrypted keys are kernel\ngenerated random numbers, which are encrypted/decrypted with a \u0027trusted\u0027\nsymmetric key. Encrypted keys are created/encrypted/decrypted in the kernel.\nUserspace only ever sees/stores encrypted blobs.\n\nChangelog:\n- bug fix: replaced master-key rcu based locking with semaphore\n  (reported by David Howells)\n- Removed memset of crypto_shash_digest() digest output\n- Replaced verification of \u0027key-type:key-desc\u0027 using strcspn(), with\n  one based on string constants.\n- Moved documentation to Documentation/keys-trusted-encrypted.txt\n- Replace hash with shash (based on comments by David Howells)\n- Make lengths/counts size_t where possible (based on comments by David Howells)\n  Could not convert most lengths, as crypto expects \u0027unsigned int\u0027\n  (size_t: on 32 bit is defined as unsigned int, but on 64 bit is unsigned long)\n- Add \u0027const\u0027 where possible (based on comments by David Howells)\n- allocate derived_buf dynamically to support arbitrary length master key\n  (fixed by Roberto Sassu)\n- wait until late_initcall for crypto libraries to be registered\n- cleanup security/Kconfig\n- Add missing \u0027update\u0027 keyword (reported/fixed by Roberto Sassu)\n- Free epayload on failure to create key (reported/fixed by Roberto Sassu)\n- Increase the data size limit (requested by Roberto Sassu)\n- Crypto return codes are always 0 on success and negative on failure,\n  remove unnecessary tests.\n- Replaced kzalloc() with kmalloc()\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: David Safford \u003csafford@watson.ibm.com\u003e\nReviewed-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d00a1c72f7f4661212299e6cb132dfa58030bcdb",
      "tree": "2c873e461f42bbf3aea03b7b2e59cea8f941d841",
      "parents": [
        "c749ba912e87ccebd674ae24b97462176c63732e"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Nov 23 17:50:34 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Nov 29 08:55:25 2010 +1100"
      },
      "message": "keys: add new trusted key-type\n\nDefine a new kernel key-type called \u0027trusted\u0027.  Trusted keys are random\nnumber symmetric keys, generated and RSA-sealed by the TPM.  The TPM\nonly unseals the keys, if the boot PCRs and other criteria match.\nUserspace can only ever see encrypted blobs.\n\nBased on suggestions by Jason Gunthorpe, several new options have been\nadded to support additional usages.\n\nThe new options are:\nmigratable\u003d  designates that the key may/may not ever be updated\n             (resealed under a new key, new pcrinfo or new auth.)\n\npcrlock\u003dn    extends the designated PCR \u0027n\u0027 with a random value,\n             so that a key sealed to that PCR may not be unsealed\n             again until after a reboot.\n\nkeyhandle\u003d   specifies the sealing/unsealing key handle.\n\nkeyauth\u003d     specifies the sealing/unsealing key auth.\n\nblobauth\u003d    specifies the sealed data auth.\n\nImplementation of a kernel reserved locality for trusted keys will be\ninvestigated for a possible future extension.\n\nChangelog:\n- Updated and added examples to Documentation/keys-trusted-encrypted.txt\n- Moved generic TPM constants to include/linux/tpm_command.h\n  (David Howell\u0027s suggestion.)\n- trusted_defined.c: replaced kzalloc with kmalloc, added pcrlock failure\n  error handling, added const qualifiers where appropriate.\n- moved to late_initcall\n- updated from hash to shash (suggestion by David Howells)\n- reduced worst stack usage (tpm_seal) from 530 to 312 bytes\n- moved documentation to Documentation directory (suggestion by David Howells)\n- all the other code cleanups suggested by David Howells\n- Add pcrlock CAP_SYS_ADMIN dependency (based on comment by Jason Gunthorpe)\n- New options: migratable, pcrlock, keyhandle, keyauth, blobauth (based on\n  discussions with Jason Gunthorpe)\n- Free payload on failure to create key(reported/fixed by Roberto Sassu)\n- Updated Kconfig and other descriptions (based on Serge Hallyn\u0027s suggestion)\n- Replaced kzalloc() with kmalloc() (reported by Serge Hallyn)\n\nSigned-off-by: David Safford \u003csafford@watson.ibm.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ce6ada35bdf710d16582cc4869c26722547e6f11",
      "tree": "c2b5fd46c883f4b7285b191bac55940022662b43",
      "parents": [
        "1d6d75684d869406e5bb2ac5d3ed9454f52d0cab"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serge@hallyn.com",
        "time": "Thu Nov 25 17:11:32 2010 +0000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Nov 29 08:35:12 2010 +1100"
      },
      "message": "security: Define CAP_SYSLOG\n\nPrivileged syslog operations currently require CAP_SYS_ADMIN.  Split\nthis off into a new CAP_SYSLOG privilege which we can sanely take away\nfrom a container through the capability bounding set.\n\nWith this patch, an lxc container can be prevented from messing with\nthe host\u0027s syslog (i.e. dmesg -c).\n\nChangelog: mar 12 2010: add selinux capability2:cap_syslog perm\nChangelog: nov 22 2010:\n\t. port to new kernel\n\t. add a WARN_ONCE if userspace isn\u0027t using CAP_SYSLOG\n\nSigned-off-by: Serge Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-By: Kees Cook \u003ckees.cook@canonical.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: \"Christopher J. PeBenito\" \u003ccpebenito@tresys.com\u003e\nCc: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2fe66ec242d3f76e3b0101f36419e7e5405bcff3",
      "tree": "2091420d53ae1bf9e7673c2275b36c6b1e6aac1b",
      "parents": [
        "04f6d70f6e64900a5d70a5fc199dd9d5fa787738"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 23 06:28:08 2010 +0000"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Tue Nov 23 10:50:17 2010 -0800"
      },
      "message": "SELinux: indicate fatal error in compat netfilter code\n\nThe SELinux ip postroute code indicates when policy rejected a packet and\npasses the error back up the stack.  The compat code does not.  This patch\nsends the same kind of error back up the stack in the compat code.\n\nBased-on-patch-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "04f6d70f6e64900a5d70a5fc199dd9d5fa787738",
      "tree": "68d369f422f98842031ae4ada17e391140165b54",
      "parents": [
        "eb06acdc85585f28864261f28659157848762ee4"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 23 06:28:02 2010 +0000"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Tue Nov 23 10:50:17 2010 -0800"
      },
      "message": "SELinux: Only return netlink error when we know the return is fatal\n\nSome of the SELinux netlink code returns a fatal error when the error might\nactually be transient.  This patch just silently drops packets on\npotentially transient errors but continues to return a permanent error\nindicator when the denial was because of policy.\n\nBased-on-comments-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "1f1aaf82825865a50cef0b4722607abb12aeee52",
      "tree": "9ab2495097fa2944404ab41bfb3038de374f5626",
      "parents": [
        "ee58681195bf243bafc44ca53f3c24429d096cce"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 16 11:52:57 2010 +0000"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Wed Nov 17 10:54:35 2010 -0800"
      },
      "message": "SELinux: return -ECONNREFUSED from ip_postroute to signal fatal error\n\nThe SELinux netfilter hooks just return NF_DROP if they drop a packet.  We\nwant to signal that a drop in this hook is a permanent fatal error and is not\ntransient.  If we do this the error will be passed back up the stack in some\nplaces and applications will get a faster interaction that something went\nwrong.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "12b3052c3ee8f508b2c7ee4ddd63ed03423409d8",
      "tree": "b97d0f209f363cfad94ce9d075312274e349da89",
      "parents": [
        "6800e4c0ea3e96cf78953b8b5743381cb1bb9e37"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Nov 15 18:36:29 2010 -0500"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Nov 15 15:40:01 2010 -0800"
      },
      "message": "capabilities/syslog: open code cap_syslog logic to fix build failure\n\nThe addition of CONFIG_SECURITY_DMESG_RESTRICT resulted in a build\nfailure when CONFIG_PRINTK\u003dn.  This is because the capabilities code\nwhich used the new option was built even though the variable in question\ndidn\u0027t exist.\n\nThe patch here fixes this by moving the capabilities checks out of the\nLSM and into the caller.  All (known) LSMs should have been calling the\ncapabilities hook already so it actually makes the code organization\nbetter to eliminate the hook altogether.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "fe7e96f66b2622d8492ee9dd7fc08b811086caca",
      "tree": "524b78f3a5a9c35bee8b437e9c4738d42fc454a7",
      "parents": [
        "0f90933c477c061df6daf42d814ff2012aea43cc",
        "a26d279ea87e9fef2cf8a44b371e48e6091975a6"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Nov 12 08:00:25 2010 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Nov 12 08:00:25 2010 -0800"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n  APPARMOR: Fix memory leak of apparmor_init()\n  APPARMOR: Fix memory leak of alloc_namespace()\n"
    },
    {
      "commit": "eaf06b241b091357e72b76863ba16e89610d31bd",
      "tree": "83bc8667309050b3538630707513574c14c51f37",
      "parents": [
        "203f40a5a030ed4048cd40e3bd9ab5df6c5df589"
      ],
      "author": {
        "name": "Dan Rosenberg",
        "email": "drosenberg@vsecurity.com",
        "time": "Thu Nov 11 14:05:18 2010 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Nov 12 07:55:32 2010 -0800"
      },
      "message": "Restrict unprivileged access to kernel syslog\n\nThe kernel syslog contains debugging information that is often useful\nduring exploitation of other vulnerabilities, such as kernel heap\naddresses.  Rather than futilely attempt to sanitize hundreds (or\nthousands) of printk statements and simultaneously cripple useful\ndebugging functionality, it is far simpler to create an option that\nprevents unprivileged users from reading the syslog.\n\nThis patch, loosely based on grsecurity\u0027s GRKERNSEC_DMESG, creates the\ndmesg_restrict sysctl.  When set to \"0\", the default, no restrictions are\nenforced.  When set to \"1\", only users with CAP_SYS_ADMIN can read the\nkernel syslog via dmesg(8) or other mechanisms.\n\n[akpm@linux-foundation.org: explain the config option in kernel.txt]\nSigned-off-by: Dan Rosenberg \u003cdrosenberg@vsecurity.com\u003e\nAcked-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nAcked-by: Eugene Teo \u003ceugeneteo@kernel.org\u003e\nAcked-by: Kees Cook \u003ckees.cook@canonical.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "a26d279ea87e9fef2cf8a44b371e48e6091975a6",
      "tree": "fe1a1a007c0fc1419e8f8e3e845ad18a377569bc",
      "parents": [
        "246c3fb16b08193837a8009ff15ef6908534ba71"
      ],
      "author": {
        "name": "wzt.wzt@gmail.com",
        "email": "wzt.wzt@gmail.com",
        "time": "Wed Nov 10 16:05:15 2010 +0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Nov 11 07:36:22 2010 +1100"
      },
      "message": "APPARMOR: Fix memory leak of apparmor_init()\n\nset_init_cxt() allocated sizeof(struct aa_task_cxt) bytes for cxt,\nif register_security() failed, it will cause memory leak.\n\nSigned-off-by: Zhitong Wang \u003czhitong.wangzt@alibaba-inc.com\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "246c3fb16b08193837a8009ff15ef6908534ba71",
      "tree": "47c8fb1d63c3f0cfd7c3e1507e6c1e16a6837264",
      "parents": [
        "f6614b7bb405a9b35dd28baea989a749492c46b2"
      ],
      "author": {
        "name": "wzt.wzt@gmail.com",
        "email": "wzt.wzt@gmail.com",
        "time": "Wed Nov 10 11:31:55 2010 +0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Nov 11 07:36:18 2010 +1100"
      },
      "message": "APPARMOR: Fix memory leak of alloc_namespace()\n\npolicy-\u003ename is a substring of policy-\u003ehname, if prefix is not NULL, it will\nallocated strlen(prefix) + strlen(name) + 3 bytes to policy-\u003ehname in policy_init().\nuse kzfree(ns-\u003ebase.name) will cause memory leak if alloc_namespace() failed.\n\nSigned-off-by: Zhitong Wang \u003czhitong.wangzt@alibaba-inc.com\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b595076a180a56d1bb170e6eceda6eb9d76f4cd3",
      "tree": "bc01ec7283808013e0b8ce7713fd6fc40f810429",
      "parents": [
        "6aaccece1c483f189f76f1282b3984ff4c7ecb0a"
      ],
      "author": {
        "name": "Uwe Kleine-König",
        "email": "u.kleine-koenig@pengutronix.de",
        "time": "Mon Nov 01 15:38:34 2010 -0400"
      },
      "committer": {
        "name": "Jiri Kosina",
        "email": "jkosina@suse.cz",
        "time": "Mon Nov 01 15:38:34 2010 -0400"
      },
      "message": "tree-wide: fix comment/printk typos\n\n\"gadget\", \"through\", \"command\", \"maintain\", \"maintain\", \"controller\", \"address\",\n\"between\", \"initiali[zs]e\", \"instead\", \"function\", \"select\", \"already\",\n\"equal\", \"access\", \"management\", \"hierarchy\", \"registration\", \"interest\",\n\"relative\", \"memory\", \"offset\", \"already\",\n\nSigned-off-by: Uwe Kleine-König \u003cu.kleine-koenig@pengutronix.de\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\n"
    },
    {
      "commit": "fc14f2fef682df677d64a145256dbd263df2aa7b",
      "tree": "74f6b939fbad959a43c04ec646cd0adc8af5f53a",
      "parents": [
        "848b83a59b772b8f102bc5e3f1187c2fa5676959"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sun Jul 25 01:48:30 2010 +0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Fri Oct 29 04:16:28 2010 -0400"
      },
      "message": "convert get_sb_single() users\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "27d6379894be4a81984da4d48002196a83939ca9",
      "tree": "1d5a7338b0fc66ba4c0b799eb60df44b8f0fc08a",
      "parents": [
        "765aaafe38050790301e89745b991dbdf3dded4c"
      ],
      "author": {
        "name": "Andi Kleen",
        "email": "ak@linux.intel.com",
        "time": "Thu Oct 28 13:16:13 2010 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Oct 28 09:02:15 2010 -0700"
      },
      "message": "Fix install_process_keyring error handling\n\nFix an incorrect error check that returns 1 for error instead of the\nexpected error code.\n\nSigned-off-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "426e1f5cec4821945642230218876b0e89aafab1",
      "tree": "2728ace018d0698886989da586210ef1543a7098",
      "parents": [
        "9e5fca251f44832cb996961048ea977f80faf6ea",
        "63997e98a3be68d7cec806d22bf9b02b2e1daabb"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 17:58:44 2010 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 17:58:44 2010 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: (52 commits)\n  split invalidate_inodes()\n  fs: skip I_FREEING inodes in writeback_sb_inodes\n  fs: fold invalidate_list into invalidate_inodes\n  fs: do not drop inode_lock in dispose_list\n  fs: inode split IO and LRU lists\n  fs: switch bdev inode bdi\u0027s correctly\n  fs: fix buffer invalidation in invalidate_list\n  fsnotify: use dget_parent\n  smbfs: use dget_parent\n  exportfs: use dget_parent\n  fs: use RCU read side protection in d_validate\n  fs: clean up dentry lru modification\n  fs: split __shrink_dcache_sb\n  fs: improve DCACHE_REFERENCED usage\n  fs: use percpu counter for nr_dentry and nr_dentry_unused\n  fs: simplify __d_free\n  fs: take dcache_lock inside __d_path\n  fs: do not assign default i_ino in new_inode\n  fs: introduce a per-cpu last_ino allocator\n  new helper: ihold()\n  ...\n"
    },
    {
      "commit": "f9ba5375a8aae4aeea6be15df77e24707a429812",
      "tree": "c6388d7e40f0f6a70d7ba6a4d4aeaa0d1f5591f6",
      "parents": [
        "45352bbf48e95078b4acd20774f49e72676e1e0f",
        "bade72d607c4eb1b1d6c7852c493b75f065a56b5"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:48 2010 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:48 2010 -0700"
      },
      "message": "Merge branch \u0027ima-memory-use-fixes\u0027\n\n* ima-memory-use-fixes:\n  IMA: fix the ToMToU logic\n  IMA: explicit IMA i_flag to remove global lock on inode_delete\n  IMA: drop refcnt from ima_iint_cache since it isn\u0027t needed\n  IMA: only allocate iint when needed\n  IMA: move read counter into struct inode\n  IMA: use i_writecount rather than a private counter\n  IMA: use inode-\u003ei_lock to protect read and write counters\n  IMA: convert internal flags from long to char\n  IMA: use unsigned int instead of long for counters\n  IMA: drop the inode opencount since it isn\u0027t needed for operation\n  IMA: use rbtree instead of radix tree for inode information cache\n"
    },
    {
      "commit": "bade72d607c4eb1b1d6c7852c493b75f065a56b5",
      "tree": "95aafb198d9a8a08e6b7813de0403658e6a1b04a",
      "parents": [
        "196f518128d2ee6e0028b50e6fec0313640db142"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:42:25 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:19 2010 -0700"
      },
      "message": "IMA: fix the ToMToU logic\n\nCurrent logic looks like this:\n\n        rc \u003d ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK);\n        if (rc \u003c 0)\n                goto out;\n\n        if (mode \u0026 FMODE_WRITE) {\n                if (inode-\u003ei_readcount)\n                        send_tomtou \u003d true;\n                goto out;\n        }\n\n        if (atomic_read(\u0026inode-\u003ei_writecount) \u003e 0)\n                send_writers \u003d true;\n\nLet\u0027s assume we have a policy which states that all files opened for read\nby root must be measured.\n\nLet\u0027s assume the file has permissions 777.\n\nLet\u0027s assume that root has the given file open for read.\n\nLet\u0027s assume that a non-root process opens the file write.\n\nThe non-root process will get to ima_counts_get() and will check the\nima_must_measure().  Since it is not supposed to measure it will goto\nout.\n\nWe should check the i_readcount no matter what since we might be causing\na ToMToU violation!\n\nThis is close to correct, but still not quite perfect.  The situation\ncould have been that root, which was interested in the measurement opened\nand closed the file and another process which is not interested in the\nmeasurement is the one holding the i_readcount ATM.  This is just overly\nstrict on ToMToU violations, which is better than not strict enough...\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "196f518128d2ee6e0028b50e6fec0313640db142",
      "tree": "43a1d76bee477dbaa682233979e86f58a98369f0",
      "parents": [
        "64c62f06bef8314a64d3189cb9c78062d54169b3"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:42:19 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:19 2010 -0700"
      },
      "message": "IMA: explicit IMA i_flag to remove global lock on inode_delete\n\nCurrently for every removed inode IMA must take a global lock and search\nthe IMA rbtree looking for an associated integrity structure.  Instead\nwe explicitly mark an inode when we add an integrity structure so we\nonly have to take the global lock and do the removal if it exists.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "64c62f06bef8314a64d3189cb9c78062d54169b3",
      "tree": "63f542bf6a0de4eb2c9742376f7c314ac78e65ec",
      "parents": [
        "bc7d2a3e66b40477270c3cbe3b89b47093276e7a"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:42:12 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:19 2010 -0700"
      },
      "message": "IMA: drop refcnt from ima_iint_cache since it isn\u0027t needed\n\nSince finding a struct ima_iint_cache requires a valid struct inode, and\nthe struct ima_iint_cache is supposed to have the same lifetime as a\nstruct inode (technically they die together but don\u0027t need to be created\nat the same time) we don\u0027t have to worry about the ima_iint_cache\noutliving or dying before the inode.  So the refcnt isn\u0027t useful.  Just\nget rid of it and free the structure when the inode is freed.\n\nSigned-off-by: Eric Paris \u003ceapris@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "bc7d2a3e66b40477270c3cbe3b89b47093276e7a",
      "tree": "8f0198b8ad455fde11b24e32a2e32c008a5ececb",
      "parents": [
        "a178d2027d3198b0a04517d764326ab71cd73da2"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:42:05 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: only allocate iint when needed\n\nIMA always allocates an integrity structure to hold information about\nevery inode, but only needed this structure to track the number of\nreaders and writers currently accessing a given inode.  Since that\ninformation was moved into struct inode instead of the integrity struct\nthis patch stops allocating the integrity structure until it is needed.\nThus greatly reducing memory usage.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "a178d2027d3198b0a04517d764326ab71cd73da2",
      "tree": "d81b9336328ba1741231b318a6f8187f627581fd",
      "parents": [
        "b9593d309d17c57e9ddc3934d641902533896ca9"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:59 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: move read counter into struct inode\n\nIMA currently allocated an inode integrity structure for every inode in\ncore.  This structure is about 120 bytes long.  Most files however\n(especially on a system which doesn\u0027t make use of IMA) will never need\nany of this space.  The problem is that if IMA is enabled we need to\nknow information about the number of readers and the number of writers\nfor every inode on the box.  At the moment we collect that information\nin the per inode iint structure and waste the rest of the space.  This\npatch moves those counters into the struct inode so we can eventually\nstop allocating an IMA integrity structure except when absolutely\nneeded.\n\nThis patch does the minimum needed to move the location of the data.\nFurther cleanups, especially the location of counter updates, may still\nbe possible.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "b9593d309d17c57e9ddc3934d641902533896ca9",
      "tree": "fa7fd9ced4a79f102e653ee4a5dc348aa1a41c21",
      "parents": [
        "ad16ad00c34d3f320a5876b3d711ef6bc81362e1"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:52 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: use i_writecount rather than a private counter\n\nIMA tracks the number of struct files which are holding a given inode\nreadonly and the number which are holding the inode write or r/w.  It\nneeds this information so when a new reader or writer comes in it can\ntell if this new file will be able to invalidate results it already made\nabout existing files.\n\naka if a task is holding a struct file open RO, IMA measured the file\nand recorded those measurements and then a task opens the file RW IMA\nneeds to note in the logs that the old measurement may not be correct.\nIt\u0027s called a \"Time of Measure Time of Use\" (ToMToU) issue.  The same is\ntrue if a RO file is opened to an inode which has an open writer.  We\ncannot, with any validity, measure the file in question since it could\nbe changing.\n\nThis patch attempts to use the i_writecount field to track writers.  The\ni_writecount field actually embeds more information in its value than\nIMA needs but it should work for our purposes and allow us to shrink the\nstruct inode even more.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "ad16ad00c34d3f320a5876b3d711ef6bc81362e1",
      "tree": "7cf3b755567fde2850d2ea7f4a186a0dcea6b80f",
      "parents": [
        "15aac676778f206b42c4d7782b08f89246680485"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:45 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: use inode-\u003ei_lock to protect read and write counters\n\nCurrently IMA used the iint-\u003emutex to protect the i_readcount and\ni_writecount.  This patch uses the inode-\u003ei_lock since we are going to\nstart using in inode objects and that is the most appropriate lock.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "15aac676778f206b42c4d7782b08f89246680485",
      "tree": "d4d2625139f8a52ffa7bd0cb1848a446518652ec",
      "parents": [
        "497f32337073a2da102c49a53779097b5394711b"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:39 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: convert internal flags from long to char\n\nThe IMA flags is an unsigned long but there is only 1 flag defined.\nLet\u0027s save a little space and make it a char.  This packs nicely next to\nthe array of u8\u0027s.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "497f32337073a2da102c49a53779097b5394711b",
      "tree": "203cbcd3f9462737d872e24fb2c847ce9a69de45",
      "parents": [
        "b575156dafef208415ff0842c392733d16d4ccf1"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:32 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: use unsigned int instead of long for counters\n\nCurrently IMA uses 2 longs in struct inode.  To save space (and as it\nseems impossible to overflow 32 bits) we switch these to unsigned int.\nThe switch to unsigned does require slightly different checks for\nunderflow, but it isn\u0027t complex.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "b575156dafef208415ff0842c392733d16d4ccf1",
      "tree": "52e4afd6a1969a975bd9e4b882d97d5ab659fa20",
      "parents": [
        "8549164143a5431f9d9ea846acaa35a862410d9c"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:26 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:17 2010 -0700"
      },
      "message": "IMA: drop the inode opencount since it isn\u0027t needed for operation\n\nThe opencount was used to help debugging to make sure that everything\nwhich created a struct file also correctly made the IMA calls.  Since we\nmoved all of that into the VFS this isn\u0027t as necessary.  We should be\nable to get the same amount of debugging out of just the reader and\nwrite count.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "8549164143a5431f9d9ea846acaa35a862410d9c",
      "tree": "79b0d2aeb2674f221854866cb067947dc47f2203",
      "parents": [
        "f6f94e2ab1b33f0082ac22d71f66385a60d8157f"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:18 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:17 2010 -0700"
      },
      "message": "IMA: use rbtree instead of radix tree for inode information cache\n\nThe IMA code needs to store the number of tasks which have an open fd\ngranting permission to write a file even when IMA is not in use.  It\nneeds this information in order to be enabled at a later point in time\nwithout losing its integrity guarantees.\n\nAt the moment that means we store a little bit of data about every inode\nin a cache.  We use a radix tree keyed on the inode\u0027s memory address.\nDave Chinner pointed out that a radix tree is a terrible data structure\nfor such a sparse key space.  This patch switches to using an rbtree\nwhich should be more efficient.\n\nBug report from Dave:\n\n \"I just noticed that slabtop was reporting an awfully high usage of\n  radix tree nodes:\n\n   OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME\n  4200331 2778082  66%    0.55K 144839       29   2317424K radix_tree_node\n  2321500 2060290  88%    1.00K  72581       32   2322592K xfs_inode\n  2235648 2069791  92%    0.12K  69864       32    279456K iint_cache\n\n  That is, 2.7M radix tree nodes are allocated, and the cache itself is\n  consuming 2.3GB of RAM.  I know that the XFS inode caches are indexed\n  by radix tree node, but for 2 million cached inodes that would mean a\n  density of 1 inode per radix tree node, which for a system with 16M\n  inodes in the filesystems is an impossibly low density.  The worst I\u0027ve\n  seen in a production system like kernel.org is about 20-25% density,\n  which would mean about 150-200k radix tree nodes for that many inodes.\n  So it\u0027s not the inode cache.\n\n  So I looked up what the iint_cache was.  It appears to be used for\n  storing per-inode IMA information, and uses a radix tree for indexing.\n  It uses the *address* of the struct inode as the indexing key.  That\n  means the key space is extremely sparse - for XFS the struct inode\n  addresses are approximately 1000 bytes apart, which means the closest\n  the radix tree index keys get is ~1000.  Which means that there is a\n  single entry per radix tree leaf node, so the radix tree is using\n  roughly 550 bytes for every 120byte structure being cached.  For the\n  above example, it\u0027s probably wasting close to 1GB of RAM....\"\n\nReported-by: Dave Chinner \u003cdavid@fromorbit.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "be148247cfbe2422f5709e77d9c3e10b8a6394da",
      "tree": "f04605bb5ea21cefd455b6fd81c51d8bb02c1521",
      "parents": [
        "85fe4025c616a7c0ed07bc2fc8c5371b07f3888c"
      ],
      "author": {
        "name": "Christoph Hellwig",
        "email": "hch@infradead.org",
        "time": "Sun Oct 10 05:36:21 2010 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Mon Oct 25 21:26:12 2010 -0400"
      },
      "message": "fs: take dcache_lock inside __d_path\n\nAll callers take dcache_lock just around the call to __d_path, so\ntake the lock into it in preparation of getting rid of dcache_lock.\n\nSigned-off-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "85fe4025c616a7c0ed07bc2fc8c5371b07f3888c",
      "tree": "7a5db7accb6192f2911f2473b4e3191227b914cc",
      "parents": [
        "f991bd2e14210fb93d722cb23e54991de20e8a3d"
      ],
      "author": {
        "name": "Christoph Hellwig",
        "email": "hch@lst.de",
        "time": "Sat Oct 23 11:19:54 2010 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Mon Oct 25 21:26:11 2010 -0400"
      },
      "message": "fs: do not assign default i_ino in new_inode\n\nInstead of always assigning an increasing inode number in new_inode\nmove the call to assign it into those callers that actually need it.\nFor now callers that need it is estimated conservatively, that is\nthe call is added to all filesystems that do not assign an i_ino\nby themselves.  For a few more filesystems we can avoid assigning\nany inode number given that they aren\u0027t user visible, and for others\nit could be done lazily when an inode number is actually needed,\nbut that\u0027s left for later patches.\n\nSigned-off-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Dave Chinner \u003cdchinner@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "092e0e7e520a1fca03e13c9f2d157432a8657ff2",
      "tree": "451897252c4c08c4b5a8ef535da156f1e817e80b",
      "parents": [
        "79f14b7c56d3b3ba58f8b43d1f70b9b71477a800",
        "776c163b1b93c8dfa5edba885bc2bfbc2d228a5f"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Oct 22 10:52:56 2010 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Oct 22 10:52:56 2010 -0700"
      },
      "message": "Merge branch \u0027llseek\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl\n\n* \u0027llseek\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl:\n  vfs: make no_llseek the default\n  vfs: don\u0027t use BKL in default_llseek\n  llseek: automatically add .llseek fop\n  libfs: use generic_file_llseek for simple_attr\n  mac80211: disallow seeks in minstrel debug code\n  lirc: make chardev nonseekable\n  viotape: use noop_llseek\n  raw: use explicit llseek file operations\n  ibmasmfs: use generic_file_llseek\n  spufs: use llseek in all file operations\n  arm/omap: use generic_file_llseek in iommu_debug\n  lkdtm: use generic_file_llseek in debugfs\n  net/wireless: use generic_file_llseek in debugfs\n  drm: use noop_llseek\n"
    },
    {
      "commit": "f0d3d9894e43fc68d47948e2c6f03e32da88b799",
      "tree": "685f386b1f114a29c6db8d5f2f947620b4df0285",
      "parents": [
        "ff660c80d00b52287f1f67ee6c115dc0057bcdde"
      ],
      "author": {
        "name": "Stephen Rothwell",
        "email": "sfr@canb.auug.org.au",
        "time": "Wed Oct 20 16:08:00 2010 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:13:01 2010 +1100"
      },
      "message": "selinux: include vmalloc.h for vmalloc_user\n\nInclude vmalloc.h for vmalloc_user (fixes ppc build warning).\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "845ca30fe9691f1bab7cfbf30b6d11c944eb4abd",
      "tree": "eabf2b17957c2214375f870387eaab6c43d9e931",
      "parents": [
        "cee74f47a6baba0ac457e87687fdcf0abd599f0a"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Oct 13 17:50:31 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:59 2010 +1100"
      },
      "message": "selinux: implement mmap on /selinux/policy\n\n/selinux/policy allows a user to copy the policy back out of the kernel.\nThis patch allows userspace to actually mmap that file and use it directly.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "cee74f47a6baba0ac457e87687fdcf0abd599f0a",
      "tree": "3d9fdb073050664e62d9cdb6c28112090cd138da",
      "parents": [
        "00d85c83ac52e2c1a66397f1abc589f80c543425"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Oct 13 17:50:25 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:58 2010 +1100"
      },
      "message": "SELinux: allow userspace to read policy back out of the kernel\n\nThere is interest in being able to see what the actual policy is that was\nloaded into the kernel.  The patch creates a new selinuxfs file\n/selinux/policy which can be read by userspace.  The actual policy that is\nloaded into the kernel will be written back out to userspace.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "00d85c83ac52e2c1a66397f1abc589f80c543425",
      "tree": "86f297ed90f988d46e6bb8c56a60fbc3b3eb8d66",
      "parents": [
        "4419aae1f4f380a3fba0f4f12ffbbbdf3f267c51"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Oct 13 17:50:19 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:57 2010 +1100"
      },
      "message": "SELinux: drop useless (and incorrect) AVTAB_MAX_SIZE\n\nAVTAB_MAX_SIZE was a define which was supposed to be used in userspace to\ndefine a maximally sized avtab when userspace wasn\u0027t sure how big of a table\nit needed.  It doesn\u0027t make sense in the kernel since we always know our table\nsizes.  The only place it is used we have a more appropriately named define\ncalled AVTAB_MAX_HASH_BUCKETS, use that instead.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4419aae1f4f380a3fba0f4f12ffbbbdf3f267c51",
      "tree": "e2f7e4850dc84768f6dd66e38a1454b8e3574714",
      "parents": [
        "b28efd54d9d5c8005a29cd8782335beb9daaa32d"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Oct 13 17:50:14 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:56 2010 +1100"
      },
      "message": "SELinux: deterministic ordering of range transition rules\n\nRange transition rules are placed in the hash table in an (almost)\narbitrary order.  This patch inserts them in a fixed order to make policy\nretrieval more predictable.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d5630b9d276bd389299ffea620b7c340ab19bcf5",
      "tree": "4e97cadf12518fb107f9e7140fa94343bd6643f5",
      "parents": [
        "2606fd1fa5710205b23ee859563502aa18362447"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Oct 13 16:24:48 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:50 2010 +1100"
      },
      "message": "security: secid_to_secctx returns len when data is NULL\n\nWith the (long ago) interface change to have the secid_to_secctx functions\ndo the string allocation instead of having the caller do the allocation we\nlost the ability to query the security server for the length of the\nupcoming string.  The SECMARK code would like to allocate a netlink skb\nwith enough length to hold the string but it is just too unclean to do the\nstring allocation twice or to do the allocation the first time and hold\nonto the string and slen.  This patch adds the ability to call\nsecurity_secid_to_secctx() with a NULL data pointer and it will just set\nthe slen pointer.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2606fd1fa5710205b23ee859563502aa18362447",
      "tree": "f79becd7010a2da1a765829fce0e09327cd50531",
      "parents": [
        "15714f7b58011cf3948cab2988abea560240c74f"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Oct 13 16:24:41 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:48 2010 +1100"
      },
      "message": "secmark: make secmark object handling generic\n\nRight now secmark has lots of direct selinux calls.  Use all LSM calls and\nremove all SELinux specific knowledge.  The only SELinux specific knowledge\nwe leave is the mode.  The only point is to make sure that other LSMs at\nleast test this generic code before they assume it works.  (They may also\nhave to make changes if they do not represent labels as strings)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "3ed02ada2a5e695e2fbb5e4a0008cfcb0f50feaa",
      "tree": "8b01e83cfa6b18fe8b83b342733931d5f98bc1b2",
      "parents": [
        "9f1c1d426b0402b25cd0d7ca719ffc8e20e46d5f"
      ],
      "author": {
        "name": "John Johansen",
        "email": "john.johansen@canonical.com",
        "time": "Sat Oct 09 00:47:53 2010 -0700"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:46 2010 +1100"
      },
      "message": "AppArmor: Ensure the size of the copy is \u003c the buffer allocated to hold it\n\nActually I think in this case the appropriate thing to do is to BUG as there\nis currently a case (remove) where the alloc_size needs to be larger than\nthe copy_size, and if copy_size is ever greater than alloc_size there is\na mistake in the caller code.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nAcked-by: Kees Cook \u003ckees.cook@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "9f1c1d426b0402b25cd0d7ca719ffc8e20e46d5f",
      "tree": "5d31ff027688a90cef5ccea5bee1cb3e65639b37",
      "parents": [
        "b0ae19811375031ae3b3fecc65b702a9c6e5cc28"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Fri Oct 08 14:43:22 2010 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:45 2010 +1100"
      },
      "message": "TOMOYO: Print URL information before panic().\n\nConfiguration files for TOMOYO 2.3 are not compatible with TOMOYO 2.2.\nBut current panic() message is too unfriendly and is confusing users.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nReviewed-by: KOSAKI Motohiro \u003ckosaki.motohiro@jp.fujitsu.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b0ae19811375031ae3b3fecc65b702a9c6e5cc28",
      "tree": "a765b71155fbed1ed3a3cff35c1044ad49a002ae",
      "parents": [
        "9b3056cca09529d34af2d81305b2a9c6b622ca1b"
      ],
      "author": {
        "name": "KOSAKI Motohiro",
        "email": "kosaki.motohiro@jp.fujitsu.com",
        "time": "Fri Oct 15 04:21:18 2010 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:44 2010 +1100"
      },
      "message": "security: remove unused parameter from security_task_setscheduler()\n\nAll security modules shouldn\u0027t change sched_param parameter of\nsecurity_task_setscheduler().  This is not only meaningless, but also\nmakes a harmful result if caller passes a static variable.\n\nThis patch removes policy and sched_param parameter from\nsecurity_task_setscheduler() because none of security module is\nusing it.\n\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: KOSAKI Motohiro \u003ckosaki.motohiro@jp.fujitsu.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "36f7f28416c97dbb725154930066d115b4447e17",
      "tree": "c09aed0142158c6fda679bab87012144e5a60372",
      "parents": [
        "8b0c543e5cb1e47a54d3ea791b8a03b9c8a715db"
      ],
      "author": {
        "name": "KaiGai Kohei",
        "email": "kaigai@ak.jp.nec.com",
        "time": "Thu Sep 30 11:49:55 2010 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:41 2010 +1100"
      },
      "message": "selinux: fix up style problem on /selinux/status\n\nThis patch fixes up coding-style problem at this commit:\n\n 4f27a7d49789b04404eca26ccde5f527231d01d5\n selinux: fast status update interface (/selinux/status)\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8b0c543e5cb1e47a54d3ea791b8a03b9c8a715db",
      "tree": "82391c4dc20e071f0ebcee867a7cc27119928114",
      "parents": [
        "60272da0341e9eaa136e1dc072bfef72c995d851"
      ],
      "author": {
        "name": "matt mooney",
        "email": "mfm@muteddisk.com",
        "time": "Wed Sep 22 23:50:06 2010 -0700"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:40 2010 +1100"
      },
      "message": "selinux: change to new flag variable\n\nReplace EXTRA_CFLAGS with ccflags-y.\n\nSigned-off-by: matt mooney \u003cmfm@muteddisk.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "60272da0341e9eaa136e1dc072bfef72c995d851",
      "tree": "9441606f03330f1e2951ff0613d8059f90a353ec",
      "parents": [
        "ceba72a68d17ee36ef24a71b80dde39ee934ece8"
      ],
      "author": {
        "name": "Paul Gortmaker",
        "email": "paul.gortmaker@windriver.com",
        "time": "Wed Sep 15 20:14:53 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:39 2010 +1100"
      },
      "message": "selinux: really fix dependency causing parallel compile failure.\n\nWhile the previous change to the selinux Makefile reduced the window\nsignificantly for this failure, it is still possible to see a compile\nfailure where cpp starts processing selinux files before the auto\ngenerated flask.h file is completed.  This is easily reproduced by\nadding the following temporary change to expose the issue every time:\n\n-      cmd_flask \u003d scripts/selinux/genheaders/genheaders ...\n+      cmd_flask \u003d sleep 30 ; scripts/selinux/genheaders/genheaders ...\n\nThis failure happens because the creation of the object files in the ss\nsubdir also depends on flask.h.  So simply incorporate them into the\nparent Makefile, as the ss/Makefile really doesn\u0027t do anything unique.\n\nWith this change, compiling of all selinux files is dependent on\ncompletion of the header file generation, and this test case with\nthe \"sleep 30\" now confirms it is functioning as expected.\n\nSigned-off-by: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ceba72a68d17ee36ef24a71b80dde39ee934ece8",
      "tree": "912582b629745d650e9f8ae6fecb42e4345e3900",
      "parents": [
        "119041672592d1890d89dd8f194bd0919d801dc8"
      ],
      "author": {
        "name": "Paul Gortmaker",
        "email": "paul.gortmaker@windriver.com",
        "time": "Mon Aug 09 17:34:25 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:38 2010 +1100"
      },
      "message": "selinux: fix parallel compile error\n\nSelinux has an autogenerated file, \"flask.h\" which is included by\ntwo other selinux files.  The current makefile has a single dependency\non the first object file in the selinux-y list, assuming that will get\nflask.h generated before anyone looks for it, but that assumption breaks\ndown in a \"make -jN\" situation and you get:\n\n   selinux/selinuxfs.c:35: fatal error: flask.h: No such file or directory\n   compilation terminated.\n   remake[9]: *** [security/selinux/selinuxfs.o] Error 1\n\nSince flask.h is included by security.h which in turn is included\nnearly everywhere, make the dependency apply to all of the selinux-y\nlist of objs.\n\nSigned-off-by: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "119041672592d1890d89dd8f194bd0919d801dc8",
      "tree": "b994abb42446b8637f072194c57359fd80d52a97",
      "parents": [
        "4b04a7cfc5ccb573ca3752429c81d37f8dd2f7c6"
      ],
      "author": {
        "name": "KaiGai Kohei",
        "email": "kaigai@ak.jp.nec.com",
        "time": "Tue Sep 14 18:28:39 2010 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:36 2010 +1100"
      },
      "message": "selinux: fast status update interface (/selinux/status)\n\nThis patch provides a new /selinux/status entry which allows applications\nread-only mmap(2).\nThis region reflects selinux_kernel_status structure in kernel space.\n  struct selinux_kernel_status\n  {\n          u32     length;         /* length of this structure */\n          u32     sequence;       /* sequence number of seqlock logic */\n          u32     enforcing;      /* current setting of enforcing mode */\n          u32     policyload;     /* times of policy reloaded */\n          u32     deny_unknown;   /* current setting of deny_unknown */\n  };\n\nWhen userspace object manager caches access control decisions provided\nby SELinux, it needs to invalidate the cache on policy reload and setenforce\nto keep consistency.\nHowever, the applications need to check the kernel state for each accesses\non userspace avc, or launch a background worker process.\nIn heuristic, frequency of invalidation is much less than frequency of\nmaking access control decision, so it is annoying to invoke a system call\nto check we don\u0027t need to invalidate the userspace cache.\nIf we can use a background worker thread, it allows to receive invalidation\nmessages from the kernel. But it requires us an invasive coding toward the\nbase application in some cases; E.g, when we provide a feature performing\nwith SELinux as a plugin module, it is unwelcome manner to launch its own\nworker thread from the module.\n\nIf we could map /selinux/status to process memory space, application can\nknow updates of selinux status; policy reload or setenforce.\n\nA typical application checks selinux_kernel_status::sequence when it tries\nto reference userspace avc. 
If it was changed from the last time when it\nchecked userspace avc, it means something was updated in the kernel space.\nThen, the application can reset userspace avc or update current enforcing\nmode, without any system call invocations.\nThis sequence number is updated according to the seqlock logic, so we need\nto wait for a while if it is odd number.\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n--\n security/selinux/include/security.h |   21 ++++++\n security/selinux/selinuxfs.c        |   56 +++++++++++++++\n security/selinux/ss/Makefile        |    2 +-\n security/selinux/ss/services.c      |    3 +\n security/selinux/ss/status.c        |  129 +++++++++++++++++++++++++++++++++++\n 5 files changed, 210 insertions(+), 1 deletions(-)\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4b04a7cfc5ccb573ca3752429c81d37f8dd2f7c6",
      "tree": "d765918750208f7a99c714eddd398f4005051b6a",
      "parents": [
        "065d78a0603cc6f8d288e96dbf761b96984b634f"
      ],
      "author": {
        "name": "Yong Zhang",
        "email": "yong.zhang@windriver.com",
        "time": "Sat Aug 28 10:25:09 2010 +0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:35 2010 +1100"
      },
      "message": ".gitignore: ignore apparmor/rlim_names.h\n\nSigned-off-by: Yong Zhang \u003cyong.zhang0@gmail.com\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "065d78a0603cc6f8d288e96dbf761b96984b634f",
      "tree": "b95d865a91a6895d54b7b6486ebeb3b40bf2648e",
      "parents": [
        "daa6d83a2863c28197b0c7dabfdf1e0606760b78"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Sat Aug 28 14:58:44 2010 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:34 2010 +1100"
      },
      "message": "LSM: Fix security_module_enable() error.\n\nWe can set default LSM module to DAC (which means \"enable no LSM module\").\nIf default LSM module was set to DAC, security_module_enable() must return 0\nunless overridden via boot time parameter.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge E. Hallyn \u003cserge@hallyn.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "daa6d83a2863c28197b0c7dabfdf1e0606760b78",
      "tree": "0c1198f796847274aeead46e791bb8c84451bfd2",
      "parents": [
        "68eda8f59081c74a51d037cc29893bd7c9b3c2d8"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Aug 03 15:26:05 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:33 2010 +1100"
      },
      "message": "selinux: type_bounds_sanity_check has a meaningless variable declaration\n\ntype is not used at all, stop declaring and assigning it.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "68eda8f59081c74a51d037cc29893bd7c9b3c2d8",
      "tree": "5970a384719568f6f36ee07efe72adb8cfab39f1",
      "parents": [
        "f6f94e2ab1b33f0082ac22d71f66385a60d8157f"
      ],
      "author": {
        "name": "Dan Carpenter",
        "email": "error27@gmail.com",
        "time": "Sun Aug 08 00:17:51 2010 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 21 10:12:32 2010 +1100"
      },
      "message": "tomoyo: cleanup. don\u0027t store bogus pointer\n\nIf domain is NULL then \u0026domain-\u003elist is a bogus address.  Let\u0027s leave\nhead-\u003er.domain NULL instead of saving an unusable pointer.\n\nThis is just a cleanup.  The current code always checks head-\u003er.eof\nbefore dereferencing head-\u003er.domain.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\n"
    },
    {
      "commit": "6038f373a3dc1f1c26496e60b6c40b164716f07e",
      "tree": "a0d3bbd026eea41b9fc36b8c722cbaf56cd9f825",
      "parents": [
        "1ec5584e3edf9c4bf2c88c846534d19cf986ba11"
      ],
      "author": {
        "name": "Arnd Bergmann",
        "email": "arnd@arndb.de",
        "time": "Sun Aug 15 18:52:59 2010 +0200"
      },
      "committer": {
        "name": "Arnd Bergmann",
        "email": "arnd@arndb.de",
        "time": "Fri Oct 15 15:53:27 2010 +0200"
      },
      "message": "llseek: automatically add .llseek fop\n\nAll file_operations should get a .llseek operation so we can make\nnonseekable_open the default for future file operations without a\n.llseek pointer.\n\nThe three cases that we can automatically detect are no_llseek, seq_lseek\nand default_llseek. For cases where we can we can automatically prove that\nthe file offset is always ignored, we use noop_llseek, which maintains\nthe current behavior of not returning an error from a seek.\n\nNew drivers should normally not use noop_llseek but instead use no_llseek\nand call nonseekable_open at open time.  Existing drivers can be converted\nto do the same when the maintainer knows for certain that no user code\nrelies on calling seek on the device file.\n\nThe generated code is often incorrectly indented and right now contains\ncomments that clarify for each added line why a specific variant was\nchosen. In the version that gets submitted upstream, the comments will\nbe gone and I will manually fix the indentation, because there does not\nseem to be a way to do that using coccinelle.\n\nSome amount of new code is currently sitting in linux-next that should get\nthe same modifications, which I will do at the end of the merge window.\n\nMany thanks to Julia Lawall for helping me learn to write a semantic\npatch that does all this.\n\n\u003d\u003d\u003d\u003d\u003d begin semantic patch \u003d\u003d\u003d\u003d\u003d\n// This adds an llseek\u003d method to all file operations,\n// as a preparation for making no_llseek the default.\n//\n// The rules are\n// - use no_llseek explicitly if we do nonseekable_open\n// - use seq_lseek for sequential files\n// - use default_llseek if we know we access f_pos\n// - use noop_llseek if we know we don\u0027t access f_pos,\n//   but we still want to allow users to call lseek\n//\n@ open1 exists @\nidentifier nested_open;\n@@\nnested_open(...)\n{\n\u003c+...\nnonseekable_open(...)\n...+\u003e\n}\n\n@ open exists@\nidentifier 
open_f;\nidentifier i, f;\nidentifier open1.nested_open;\n@@\nint open_f(struct inode *i, struct file *f)\n{\n\u003c+...\n(\nnonseekable_open(...)\n|\nnested_open(...)\n)\n...+\u003e\n}\n\n@ read disable optional_qualifier exists @\nidentifier read_f;\nidentifier f, p, s, off;\ntype ssize_t, size_t, loff_t;\nexpression E;\nidentifier func;\n@@\nssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)\n{\n\u003c+...\n(\n   *off \u003d E\n|\n   *off +\u003d E\n|\n   func(..., off, ...)\n|\n   E \u003d *off\n)\n...+\u003e\n}\n\n@ read_no_fpos disable optional_qualifier exists @\nidentifier read_f;\nidentifier f, p, s, off;\ntype ssize_t, size_t, loff_t;\n@@\nssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)\n{\n... when !\u003d off\n}\n\n@ write @\nidentifier write_f;\nidentifier f, p, s, off;\ntype ssize_t, size_t, loff_t;\nexpression E;\nidentifier func;\n@@\nssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)\n{\n\u003c+...\n(\n  *off \u003d E\n|\n  *off +\u003d E\n|\n  func(..., off, ...)\n|\n  E \u003d *off\n)\n...+\u003e\n}\n\n@ write_no_fpos @\nidentifier write_f;\nidentifier f, p, s, off;\ntype ssize_t, size_t, loff_t;\n@@\nssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)\n{\n... 
when !\u003d off\n}\n\n@ fops0 @\nidentifier fops;\n@@\nstruct file_operations fops \u003d {\n ...\n};\n\n@ has_llseek depends on fops0 @\nidentifier fops0.fops;\nidentifier llseek_f;\n@@\nstruct file_operations fops \u003d {\n...\n .llseek \u003d llseek_f,\n...\n};\n\n@ has_read depends on fops0 @\nidentifier fops0.fops;\nidentifier read_f;\n@@\nstruct file_operations fops \u003d {\n...\n .read \u003d read_f,\n...\n};\n\n@ has_write depends on fops0 @\nidentifier fops0.fops;\nidentifier write_f;\n@@\nstruct file_operations fops \u003d {\n...\n .write \u003d write_f,\n...\n};\n\n@ has_open depends on fops0 @\nidentifier fops0.fops;\nidentifier open_f;\n@@\nstruct file_operations fops \u003d {\n...\n .open \u003d open_f,\n...\n};\n\n// use no_llseek if we call nonseekable_open\n////////////////////////////////////////////\n@ nonseekable1 depends on !has_llseek \u0026\u0026 has_open @\nidentifier fops0.fops;\nidentifier nso ~\u003d \"nonseekable_open\";\n@@\nstruct file_operations fops \u003d {\n...  .open \u003d nso, ...\n+.llseek \u003d no_llseek, /* nonseekable */\n};\n\n@ nonseekable2 depends on !has_llseek @\nidentifier fops0.fops;\nidentifier open.open_f;\n@@\nstruct file_operations fops \u003d {\n...  .open \u003d open_f, ...\n+.llseek \u003d no_llseek, /* open uses nonseekable */\n};\n\n// use seq_lseek for sequential files\n/////////////////////////////////////\n@ seq depends on !has_llseek @\nidentifier fops0.fops;\nidentifier sr ~\u003d \"seq_read\";\n@@\nstruct file_operations fops \u003d {\n...  .read \u003d sr, ...\n+.llseek \u003d seq_lseek, /* we have seq_read */\n};\n\n// use default_llseek if there is a readdir\n///////////////////////////////////////////\n@ fops1 depends on !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\nidentifier readdir_e;\n@@\n// any other fop is used that changes pos\nstruct file_operations fops \u003d {\n... 
.readdir \u003d readdir_e, ...\n+.llseek \u003d default_llseek, /* readdir is present */\n};\n\n// use default_llseek if at least one of read/write touches f_pos\n/////////////////////////////////////////////////////////////////\n@ fops2 depends on !fops1 \u0026\u0026 !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\nidentifier read.read_f;\n@@\n// read fops use offset\nstruct file_operations fops \u003d {\n... .read \u003d read_f, ...\n+.llseek \u003d default_llseek, /* read accesses f_pos */\n};\n\n@ fops3 depends on !fops1 \u0026\u0026 !fops2 \u0026\u0026 !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\nidentifier write.write_f;\n@@\n// write fops use offset\nstruct file_operations fops \u003d {\n... .write \u003d write_f, ...\n+\t.llseek \u003d default_llseek, /* write accesses f_pos */\n};\n\n// Use noop_llseek if neither read nor write accesses f_pos\n///////////////////////////////////////////////////////////\n\n@ fops4 depends on !fops1 \u0026\u0026 !fops2 \u0026\u0026 !fops3 \u0026\u0026 !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\nidentifier read_no_fpos.read_f;\nidentifier write_no_fpos.write_f;\n@@\n// write fops use offset\nstruct file_operations fops \u003d {\n...\n .write \u003d write_f,\n .read \u003d read_f,\n...\n+.llseek \u003d noop_llseek, /* read and write both use no f_pos */\n};\n\n@ depends on has_write \u0026\u0026 !has_read \u0026\u0026 !fops1 \u0026\u0026 !fops2 \u0026\u0026 !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\nidentifier write_no_fpos.write_f;\n@@\nstruct file_operations fops \u003d {\n... 
.write \u003d write_f, ...\n+.llseek \u003d noop_llseek, /* write uses no f_pos */\n};\n\n@ depends on has_read \u0026\u0026 !has_write \u0026\u0026 !fops1 \u0026\u0026 !fops2 \u0026\u0026 !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\nidentifier read_no_fpos.read_f;\n@@\nstruct file_operations fops \u003d {\n... .read \u003d read_f, ...\n+.llseek \u003d noop_llseek, /* read uses no f_pos */\n};\n\n@ depends on !has_read \u0026\u0026 !has_write \u0026\u0026 !fops1 \u0026\u0026 !fops2 \u0026\u0026 !has_llseek \u0026\u0026 !nonseekable1 \u0026\u0026 !nonseekable2 \u0026\u0026 !seq @\nidentifier fops0.fops;\n@@\nstruct file_operations fops \u003d {\n...\n+.llseek \u003d noop_llseek, /* no read or write fn */\n};\n\u003d\u003d\u003d\u003d\u003d End semantic patch \u003d\u003d\u003d\u003d\u003d\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nCc: Julia Lawall \u003cjulia@diku.dk\u003e\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\n"
    },
    {
      "commit": "c8da96e87d349e9035345293093ecc74792fb96a",
      "tree": "738b017e4fa8547feb2741969decd749ea6e98e1",
      "parents": [
        "91e71c12c506e15028c252a5a097723f41c518dd"
      ],
      "author": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Sun Sep 26 05:55:13 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Sep 27 10:53:18 2010 +1000"
      },
      "message": "TOMOYO: Don\u0027t abuse sys_getpid(), sys_getppid()\n\nSystem call entry functions sys_*() are never to be called from\ngeneral kernel code.  The fact that they aren\u0027t declared in header\nfiles should have been a clue.  These functions also don\u0027t exist on\nAlpha since it has sys_getxpid() instead.\n\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "3d96406c7da1ed5811ea52a3b0905f4f0e295376",
      "tree": "051e3a0ab6b0c9d9ac12b88fd244ff09766f8f50",
      "parents": [
        "9d1ac65a9698513d00e5608d93fca0c53f536c14"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Sep 10 09:59:51 2010 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Sep 10 07:30:00 2010 -0700"
      },
      "message": "KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring\n\nFix a bug in keyctl_session_to_parent() whereby it tries to check the ownership\nof the parent process\u0027s session keyring whether or not the parent has a session\nkeyring [CVE-2010-2960].\n\nThis results in the following oops:\n\n  BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0\n  IP: [\u003cffffffff811ae4dd\u003e] keyctl_session_to_parent+0x251/0x443\n  ...\n  Call Trace:\n   [\u003cffffffff811ae2f3\u003e] ? keyctl_session_to_parent+0x67/0x443\n   [\u003cffffffff8109d286\u003e] ? __do_fault+0x24b/0x3d0\n   [\u003cffffffff811af98c\u003e] sys_keyctl+0xb4/0xb8\n   [\u003cffffffff81001eab\u003e] system_call_fastpath+0x16/0x1b\n\nif the parent process has no session keyring.\n\nIf the system is using pam_keyinit then it is mostly protected against this as all\nprocesses derived from a login will have inherited the session keyring created\nby pam_keyinit during the log in procedure.\n\nTo test this, pam_keyinit calls need to be commented out in /etc/pam.d/.\n\nReported-by: Tavis Ormandy \u003ctaviso@cmpxchg8b.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Tavis Ormandy \u003ctaviso@cmpxchg8b.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    }
  ],
  "next": "9d1ac65a9698513d00e5608d93fca0c53f536c14"
}
