)]}'
{
  "log": [
    {
      "commit": "3296ca27f50ecbd71db1d808c7a72d311027f919",
      "tree": "833eaa58b2013bda86d4bd95faf6efad7a2d5ca4",
      "parents": [
        "e893123c7378192c094747dadec326b7c000c190",
        "73fbad283cfbbcf02939bdbda31fc4a30e729cca"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jun 11 10:01:41 2009 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jun 11 10:01:41 2009 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (44 commits)\n  nommu: Provide mmap_min_addr definition.\n  TOMOYO: Add description of lists and structures.\n  TOMOYO: Remove unused field.\n  integrity: ima audit dentry_open failure\n  TOMOYO: Remove unused parameter.\n  security: use mmap_min_addr indepedently of security models\n  TOMOYO: Simplify policy reader.\n  TOMOYO: Remove redundant markers.\n  SELinux: define audit permissions for audit tree netlink messages\n  TOMOYO: Remove unused mutex.\n  tomoyo: avoid get+put of task_struct\n  smack: Remove redundant initialization.\n  integrity: nfsd imbalance bug fix\n  rootplug: Remove redundant initialization.\n  smack: do not beyond ARRAY_SIZE of data\n  integrity: move ima_counts_get\n  integrity: path_check update\n  IMA: Add __init notation to ima functions\n  IMA: Minimal IMA policy and boot param for TCB IMA policy\n  selinux: remove obsolete read buffer limit from sel_read_bool\n  ...\n"
    },
    {
      "commit": "20f3f3ca499d2c211771ba552685398b65d83859",
      "tree": "41b460196a0860e11d12e33e3172463973cb0078",
      "parents": [
        "769f3e8c384795cc350e2aae27de2a12374d19d4",
        "41c51c98f588edcdf6141cff1895df738e03ddd4"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Jun 10 19:50:03 2009 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Jun 10 19:50:03 2009 -0700"
      },
      "message": "Merge branch \u0027rcu-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip\n\n* \u0027rcu-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:\n  rcu: rcu_sched_grace_period(): kill the bogus flush_signals()\n  rculist: use list_entry_rcu in places where it\u0027s appropriate\n  rculist.h: introduce list_entry_rcu() and list_first_entry_rcu()\n  rcu: Update RCU tracing documentation for __rcu_pending\n  rcu: Add __rcu_pending tracing to hierarchical RCU\n  RCU: make treercu be default\n"
    },
    {
      "commit": "c3fa109a5894077d1eaf8731ea741a15dd117b3c",
      "tree": "a3d5f58ea878868b48a1493055e6f2cb6dd3c9de",
      "parents": [
        "5bf1692f65c12a8aa359dc883468284ffc3c4587"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Mon Jun 08 12:37:39 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 09 09:30:24 2009 +1000"
      },
      "message": "TOMOYO: Add description of lists and structures.\n\nThis patch adds some descriptions of lists and structures.\nThis patch contains no code changes.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5bf1692f65c12a8aa359dc883468284ffc3c4587",
      "tree": "bab96097b51791985d6361b6bdfaf0280b0fc995",
      "parents": [
        "0b4ec6e4e01d98e55ae325a41304cccd87fa4c0f"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Fri Jun 05 14:44:58 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 09 09:30:21 2009 +1000"
      },
      "message": "TOMOYO: Remove unused field.\n\nTOMOYO 2.2.0 is not using total_len field of \"struct tomoyo_path_info\".\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0b4ec6e4e01d98e55ae325a41304cccd87fa4c0f",
      "tree": "1e075fdf4aaf0c5c003564b3f3414bb4a92ef2ed",
      "parents": [
        "04288f42033607099cebf5ca15ce8dcec3a9688b",
        "3af968e066d593bc4dacc021715f3e95ddf0996f"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 09 09:27:53 2009 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 09 09:27:53 2009 +1000"
      },
      "message": "Merge branch \u0027master\u0027 into next\n"
    },
    {
      "commit": "04288f42033607099cebf5ca15ce8dcec3a9688b",
      "tree": "41d07beeefcadc4c591699c779406f556cc3433b",
      "parents": [
        "bcb86975dbcc24f820f1a37918d53914af29ace7"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Jun 04 13:53:10 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jun 05 08:02:39 2009 +1000"
      },
      "message": "integrity: ima audit dentry_open failure\n\nUntil we start appraising measurements, the ima_path_check()\nreturn code should always be 0.\n\n- Update the ima_path_check() return code comment\n- Instead of the pr_info, audit the dentry_open failure\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "bcb86975dbcc24f820f1a37918d53914af29ace7",
      "tree": "887bf8bd4d7d896a1357a21ad1df576e5f3ad3b9",
      "parents": [
        "e0a94c2a63f2644826069044649669b5e7ca75d3"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Thu Jun 04 15:14:34 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jun 04 17:35:18 2009 +1000"
      },
      "message": "TOMOYO: Remove unused parameter.\n\nTOMOYO 2.2.0 does not check argv[] and envp[] upon execve().\nWe don\u0027t need to pass \"struct tomoyo_page_buffer\".\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e0a94c2a63f2644826069044649669b5e7ca75d3",
      "tree": "debf8a9af6ac23dadd116dc1cd1f9dcefe9629c6",
      "parents": [
        "7d2948b1248109dbc7f4aaf9867c54b1912d494c"
      ],
      "author": {
        "name": "Christoph Lameter",
        "email": "cl@linux-foundation.org",
        "time": "Wed Jun 03 16:04:31 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jun 04 12:07:48 2009 +1000"
      },
      "message": "security: use mmap_min_addr indepedently of security models\n\nThis patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.\nIt also sets a default mmap_min_addr of 4096.\n\nmmapping of addresses below 4096 will only be possible for processes\nwith CAP_SYS_RAWIO.\n\nSigned-off-by: Christoph Lameter \u003ccl@linux-foundation.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nLooks-ok-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7d2948b1248109dbc7f4aaf9867c54b1912d494c",
      "tree": "24edc8fa319598bc32b7d53c7b61fb3ec9ae9e92",
      "parents": [
        "ab588ccadc80f6ef5495e83e176e88c5c0fc2d0e"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Tue Jun 02 20:42:24 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jun 03 07:51:51 2009 +1000"
      },
      "message": "TOMOYO: Simplify policy reader.\n\nWe can directly assign the result of tomoyo_io_printf() to done flag.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ab588ccadc80f6ef5495e83e176e88c5c0fc2d0e",
      "tree": "ffb995eba759218fd07795f00a1303518621c119",
      "parents": [
        "850b0cee165576f969363a8c52021b5cf9ecbe67"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Tue Jun 02 14:23:39 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jun 03 07:50:06 2009 +1000"
      },
      "message": "TOMOYO: Remove redundant markers.\n\nRemove \u0027/***** START/STOP *****/\u0027 markers.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "850b0cee165576f969363a8c52021b5cf9ecbe67",
      "tree": "47d8da2840492950b89a8a1a597c8c18b7cccff8",
      "parents": [
        "fe67e6f2d6df371b58ba721954d45a196df5e8b8"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Jun 02 17:01:16 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jun 03 07:44:53 2009 +1000"
      },
      "message": "SELinux: define audit permissions for audit tree netlink messages\n\nAudit trees defined 2 new netlink messages but the netlink mapping tables for\nselinux permissions were not set up.  This patch maps these 2 new operations\nto AUDIT_WRITE.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "fe67e6f2d6df371b58ba721954d45a196df5e8b8",
      "tree": "b4b186aa4b222bdc45839ff4bdbde6f80c413395",
      "parents": [
        "fbeb4a9c20d00e2550156f9e5a34473fbde59de2"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Tue Jun 02 17:00:45 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 02 21:19:54 2009 +1000"
      },
      "message": "TOMOYO: Remove unused mutex.\n\nI forgot to remove on TOMOYO\u0027s 15th posting.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "fbeb4a9c20d00e2550156f9e5a34473fbde59de2",
      "tree": "d08881a9eb2d768722363d7022d2ae4da81494d9",
      "parents": [
        "13b297d943828c4594527a2bd9c30ecd04e37886"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Mon Jun 01 22:47:19 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 02 15:13:13 2009 +1000"
      },
      "message": "tomoyo: avoid get+put of task_struct\n\nUse task_cred_xxx(task, security) in tomoyo_real_domain() to\navoid a get+put of the target cred.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "13b297d943828c4594527a2bd9c30ecd04e37886",
      "tree": "9a4e7ea9e0f161f5a3edecfa8300d2677b24cfd9",
      "parents": [
        "14dba5331b90c20588ae6504fea8049c7283028d"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Tue May 26 14:18:07 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu May 28 11:57:09 2009 +1000"
      },
      "message": "smack: Remove redundant initialization.\n\nWe don\u0027t need to explicitly initialize to cap_* because\nit will be filled by security_fixup_ops().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "76b0187525f024cb391c8043adf2e359b2adb988",
      "tree": "5e94b6c2b2b0a9cb4e55a10e40fda7e0f6e5a70a",
      "parents": [
        "2c9e703c618106f5383226fbb1f526cb11034f8a"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Tue May 26 14:16:31 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 27 13:30:46 2009 +1000"
      },
      "message": "rootplug: Remove redundant initialization.\n\nWe don\u0027t need to explicitly initialize to cap_* because\nit will be filled by security_fixup_ops().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b1338d199dda6681d9af0297928af0a7eb9cba7b",
      "tree": "bdfcdf710df69eed78e7c4a2b86383ec3db9a230",
      "parents": [
        "e2a1b9ee2335c35e0e34c88a024481b194b3c9cc"
      ],
      "author": {
        "name": "Herton Ronaldo Krzesinski",
        "email": "herton@mandriva.com.br",
        "time": "Tue May 26 12:15:53 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 27 09:46:48 2009 +1000"
      },
      "message": "tomoyo: add missing call to cap_bprm_set_creds\n\ncap_bprm_set_creds() has to be called from security_bprm_set_creds().\nTOMOYO forgot to call cap_bprm_set_creds() from tomoyo_bprm_set_creds()\nand suid executables were not being working.\n\nMake sure we call cap_bprm_set_creds() with TOMOYO, to set credentials\nproperly inside tomoyo_bprm_set_creds().\n\nSigned-off-by: Herton Ronaldo Krzesinski \u003cherton@mandriva.com.br\u003e\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2c9e703c618106f5383226fbb1f526cb11034f8a",
      "tree": "87d7548001ea82f655fede0640466fc16aabcdf7",
      "parents": [
        "6470c077cae12227318f40f3e6d756caadcce4b0",
        "5805977e63a36ad56594a623f3bd2bebcb7db233"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 22 18:40:59 2009 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 22 18:40:59 2009 +1000"
      },
      "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tfs/exec.c\n\nRemoved IMA changes (the IMA checks are now performed via may_open()).\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "6470c077cae12227318f40f3e6d756caadcce4b0",
      "tree": "c8a543bccd29dfcf7d4bbb104a4786da0c93cf56",
      "parents": [
        "c9d9ac525a0285a5b5ad9c3f9aa8b7c1753e6121"
      ],
      "author": {
        "name": "Roel Kluin",
        "email": "roel.kluin@gmail.com",
        "time": "Thu May 21 18:42:54 2009 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 22 12:34:48 2009 +1000"
      },
      "message": "smack: do not beyond ARRAY_SIZE of data\n\nDo not go beyond ARRAY_SIZE of data\n\nSigned-off-by: Roel Kluin \u003croel.kluin@gmail.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b9fc745db833bbf74b4988493b8cd902a84c9415",
      "tree": "45a15174efb3b1c3dcbe5f0dc503e790c4f6fd70",
      "parents": [
        "932995f0ce52525b32ff5127b522c2c164de3810"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue May 19 13:25:57 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 22 09:43:41 2009 +1000"
      },
      "message": "integrity: path_check update\n\n- Add support in ima_path_check() for integrity checking without\nincrementing the counts. (Required for nfsd.)\n- rename and export opencount_get to ima_counts_get\n- replace ima_shm_check calls with ima_counts_get\n- export ima_path_check\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "932995f0ce52525b32ff5127b522c2c164de3810",
      "tree": "648cfe2ac09025eb3922d2a84ed983a7ac70a060",
      "parents": [
        "5789ba3bd0a3cd20df5980ebf03358f2eb44fd67"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu May 21 15:43:32 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 22 09:34:21 2009 +1000"
      },
      "message": "IMA: Add __init notation to ima functions\n\nA number of IMA functions only used during init are not marked with __init.\nAdd those notations so they are freed automatically.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5789ba3bd0a3cd20df5980ebf03358f2eb44fd67",
      "tree": "4ad5dc0496f0d6bc06e9614ff5edbc0400fcdb5d",
      "parents": [
        "c5642f4bbae30122beb696e723f6da273caa570e"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu May 21 15:47:06 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 22 09:31:20 2009 +1000"
      },
      "message": "IMA: Minimal IMA policy and boot param for TCB IMA policy\n\nThe IMA TCB policy is dangerous.  A normal use can use all of a system\u0027s\nmemory (which cannot be freed) simply by building and running lots of\nexecutables.  The TCB policy is also nearly useless because logging in as root\noften causes a policy violation when dealing with utmp, thus rendering the\nmeasurements meaningless.\n\nThere is no good fix for this in the kernel.  A full TCB policy would need to\nbe loaded in userspace using LSM rule matching to get both a protected and\nuseful system.  But, if too little is measured before userspace can load a real\npolicy one again ends up with a meaningless set of measurements.  One option\nwould be to put the policy load inside the initrd in order to get it early\nenough in the boot sequence to be useful, but this runs into trouble with the\nLSM.  For IMA to measure the LSM policy and the LSM policy loading mechanism\nit needs rules to do so, but we already talked about problems with defaulting\nto such broad rules....\n\nIMA also depends on the files being measured to be on an FS which implements\nand supports i_version.  Since the only FS with this support (ext4) doesn\u0027t\neven use it by default it seems silly to have any IMA rules by default.\n\nThis should reduce the performance overhead of IMA to near 0 while still\nletting users who choose to configure their machine as such to inclue the\nima_tcb kernel paramenter and get measurements during boot before they can\nload a customized, reasonable policy in userspace.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c5642f4bbae30122beb696e723f6da273caa570e",
      "tree": "caf9da5048c6083df90d97d7612d761840fdfbcf",
      "parents": [
        "75834fc3b6fcff00327f5d2a18760c1e8e0179c5"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Tue May 19 09:02:23 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue May 19 23:56:11 2009 +1000"
      },
      "message": "selinux: remove obsolete read buffer limit from sel_read_bool\n\nOn Tue, 2009-05-19 at 00:05 -0400, Eamon Walsh wrote:\n\u003e Recent versions of coreutils have bumped the read buffer size from 4K to\n\u003e 32K in several of the utilities.\n\u003e\n\u003e This means that \"cat /selinux/booleans/xserver_object_manager\" no longer\n\u003e works, it returns \"Invalid argument\" on F11.  getsebool works fine.\n\u003e\n\u003e sel_read_bool has a check for \"count \u003e PAGE_SIZE\" that doesn\u0027t seem to\n\u003e be present in the other read functions.  Maybe it could be removed?\n\nYes, that check is obsoleted by the conversion of those functions to\nusing simple_read_from_buffer(), which will reduce count if necessary to\nwhat is available in the buffer.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "75834fc3b6fcff00327f5d2a18760c1e8e0179c5",
      "tree": "28b1085d2aa76517024709d2f077fdc41aeec4c2",
      "parents": [
        "c3d20103d08e5c0b6738fbd0acf3ca004e5356c5"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon May 18 10:26:10 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue May 19 08:19:00 2009 +1000"
      },
      "message": "SELinux: move SELINUX_MAGIC into magic.h\n\nThe selinuxfs superblock magic is used inside the IMA code, but is being\ndefined in two places and could someday get out of sync.  This patch moves the\ndeclaration into magic.h so it is only done once.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c3d20103d08e5c0b6738fbd0acf3ca004e5356c5",
      "tree": "4231ff475f11231b3cbca949a7bcad37a9a8cc17",
      "parents": [
        "f850a7c040d9faafb41bceb0a05d6bb7432c8c7a"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue May 12 15:14:23 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 15 09:55:44 2009 +1000"
      },
      "message": "IMA: do not measure everything opened by root by default\n\nThe IMA default policy measures every single file opened by root.  This is\nterrible for most users.  Consider a system (like mine) with virtual machine\nimages.  When those images are touched (which happens at boot for me) those\nimages are measured.  This is just way too much for the default case.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f850a7c040d9faafb41bceb0a05d6bb7432c8c7a",
      "tree": "e4e1fa97be0bd3e749f993b99d18746c8a9737ba",
      "parents": [
        "b103387037cea2ba0f04b44d408d54c53f678061"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue May 12 15:13:55 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 15 09:55:41 2009 +1000"
      },
      "message": "IMA: remove read permissions on the ima policy file\n\nThe IMA policy file does not implement read.  Trying to just open/read/close\nthe file will load a blank policy and you cannot then change the policy\nwithout a reboot.  This removes the read permission from the file so one must\nat least be attempting to write...\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d93e4c940f51ae06b59c14523c4d55947f9597d6",
      "tree": "2dfe72da55eab4bd12e059f7d9de6f9c37eedbbf",
      "parents": [
        "1a62e958fa4aaeeb752311b4f5e16b2a86737b23"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon May 11 20:47:15 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue May 12 11:06:11 2009 +1000"
      },
      "message": "securityfs: securityfs_remove should handle IS_ERR pointers\n\nBoth of the securityfs users (TPM and IMA) can call securityfs_remove and pass\nan IS_ERR(dentry) in their failure paths.  This patch handles those rather\nthan panicing when it tries to start deferencing some negative memory.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1a62e958fa4aaeeb752311b4f5e16b2a86737b23",
      "tree": "53d983ebdde45e00ad2079f8035792450b046d56",
      "parents": [
        "f06dd16a03f6f7f72fab4db03be36e28c28c6fd6"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon May 11 13:59:22 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue May 12 11:06:08 2009 +1000"
      },
      "message": "IMA: open all files O_LARGEFILE\n\nIf IMA tried to measure a file which was larger than 4G dentry_open would fail\nwith -EOVERFLOW since IMA wasn\u0027t passing O_LARGEFILE.  This patch passes\nO_LARGEFILE to all IMA opens to avoid this problem.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f06dd16a03f6f7f72fab4db03be36e28c28c6fd6",
      "tree": "6542e8474a2eff0543b20ac4eb2bb2811d23fc3e",
      "parents": [
        "37bcbf13d32e4e453e9def79ee72bd953b88302f"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon May 11 13:59:16 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue May 12 11:06:04 2009 +1000"
      },
      "message": "IMA: Handle dentry_open failures\n\nCurrently IMA does not handle failures from dentry_open().  This means that we\nleave a pointer set to ERR_PTR(errno) and then try to use it just a few lines\nlater in fput().  Oops.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "37bcbf13d32e4e453e9def79ee72bd953b88302f",
      "tree": "30f2dac25dc846b483558bf5ac9afec0d4ac4e5e",
      "parents": [
        "107db7c7dd137aeb7361b8c2606ac936c0be58ff"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon May 11 13:59:10 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue May 12 11:06:01 2009 +1000"
      },
      "message": "IMA: use current_cred() instead of current-\u003ecred\n\nProper invocation of the current credentials is to use current_cred() not\ncurrent-\u003ecred.  This patches makes IMA use the new method.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e24977d45f45d1675e050dc1a0aaf4bfc4ca9866",
      "tree": "ee39b590596e9ca6cd18b8ece11a1f6d24278c29",
      "parents": [
        "6b3304b531704711286c3359b06922b83fdba015"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Apr 02 21:17:03 2009 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sat May 09 10:49:42 2009 -0400"
      },
      "message": "Reduce path_lookup() abuses\n\n... use kern_path() where possible\n\n[folded a fix from rdd]\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "d254117099d711f215e62427f55dfb8ebd5ad011",
      "tree": "0848ff8dd74314fec14a86497f8d288c86ba7c65",
      "parents": [
        "07ff7a0b187f3951788f64ae1f30e8109bc8e9eb",
        "8c9ed899b44c19e81859fbb0e9d659fe2f8630fc"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 08 17:56:47 2009 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 08 17:56:47 2009 +1000"
      },
      "message": "Merge branch \u0027master\u0027 into next\n"
    },
    {
      "commit": "07ff7a0b187f3951788f64ae1f30e8109bc8e9eb",
      "tree": "995e13b947c55572cdac70a02e6cf169a6cc4f99",
      "parents": [
        "e5e520a715dcea6b72f6b9417b203a4b1e813a8b"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue May 05 13:13:10 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 06 10:35:59 2009 +1000"
      },
      "message": "integrity: remove __setup auditing msgs\n\nRemove integrity audit messages from __setup()\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e5e520a715dcea6b72f6b9417b203a4b1e813a8b",
      "tree": "5edb34e4273ec733d5705b1ebca2b296088a88b1",
      "parents": [
        "53fc0e2259f261602a2750dcc82b8d7bf04d3c35"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue May 05 13:13:00 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 06 10:35:56 2009 +1000"
      },
      "message": "integrity: use audit_log_string\n\nBased on a request from Eric Paris to simplify parsing, replace\naudit_log_format statements containing \"%s\" with audit_log_string().\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "53fc0e2259f261602a2750dcc82b8d7bf04d3c35",
      "tree": "09eaec1b928d433cc50485331bc75f1f2529d0e9",
      "parents": [
        "78a3d9d5654a7fd99cf8b2ab06b9497b9c7aad64"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue May 05 13:12:48 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 06 10:35:53 2009 +1000"
      },
      "message": "integrity: lsm audit rule matching fix\n\nAn audit subsystem change replaced AUDIT_EQUAL with Audit_equal.\nUpdate calls to security_filter_rule_init()/match() to reflect\nthe change.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "65c90bca0dba56f60dc4ce2a529140c3cc440f22",
      "tree": "fd8f5e6338f04ba47fe91de1303b92a22da78daf",
      "parents": [
        "091438dd5668396328a3419abcbc6591159eb8d1"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Mon May 04 15:43:18 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue May 05 08:31:03 2009 +1000"
      },
      "message": "selinux: Fix send_sigiotask hook\n\nThe CRED patch incorrectly converted the SELinux send_sigiotask hook to\nuse the current task SID rather than the target task SID in its\npermission check, yielding the wrong permission check.  This fixes the\nhook function.  Detected by the ltp selinux testsuite and confirmed to\ncorrect the test failure.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ecd6de3c88e8cbcad175b2eab48ba05c2014f7b6",
      "tree": "ab9257bbe3f3bc9379cf0d252110f9abffba7751",
      "parents": [
        "3bcac0263f0b45e67a64034ebcb69eb9abb742f4"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Wed Apr 29 16:02:24 2009 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Apr 30 09:08:48 2009 +1000"
      },
      "message": "selinux: selinux_bprm_committed_creds() should wake up -\u003ereal_parent, not -\u003eparent.\n\nWe shouldn\u0027t worry about the tracer if current is ptraced, exec() must not\nsucceed if the tracer has no rights to trace this task after cred changing.\nBut we should notify -\u003ereal_parent which is, well, real parent.\n\nAlso, we don\u0027t need _irq to take tasklist, and we don\u0027t need parent\u0027s\n-\u003esiglock to wake_up_interruptible(real_parent-\u003esignal-\u003ewait_chldexit).\nSince we hold tasklist, real_parent-\u003esignal must be stable. Otherwise\nspin_lock(siglock) is not safe too and can\u0027t help anyway.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "3bcac0263f0b45e67a64034ebcb69eb9abb742f4",
      "tree": "33f4db08edaa12e1c20df348e2fa28c7c2198ebe",
      "parents": [
        "88c48db9788862d0290831d081bc3c64e13b592f"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Apr 29 13:45:05 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Apr 30 09:07:13 2009 +1000"
      },
      "message": "SELinux: Don\u0027t flush inherited SIGKILL during execve()\n\nDon\u0027t flush inherited SIGKILL during execve() in SELinux\u0027s post cred commit\nhook.  This isn\u0027t really a security problem: if the SIGKILL came before the\ncredentials were changed, then we were right to receive it at the time, and\nshould honour it; if it came after the creds were changed, then we definitely\nshould honour it; and in any case, all that will happen is that the process\nwill be scrapped before it ever returns to userspace.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "88c48db9788862d0290831d081bc3c64e13b592f",
      "tree": "5d0e0aedd2c5c0ea8db4007cac66f930ddbe73d7",
      "parents": [
        "19e4529ee7345079eeacc8e40cf69a304a64dc23"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Apr 29 14:00:25 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Apr 30 08:45:56 2009 +1000"
      },
      "message": "SELinux: drop secondary_ops-\u003esysctl\n\nWe are still calling secondary_ops-\u003esysctl even though the capabilities\nmodule does not define a sysctl operation.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "defc433ba3bc587826bb467ce0e63452deafa65d",
      "tree": "fb11744178f227598b1b26e1c6f24041261c3b98",
      "parents": [
        "aefe6475720bd5eb8aacbc881488f3aa65618562"
      ],
      "author": {
        "name": "Etienne Basset",
        "email": "etienne.basset@numericable.fr",
        "time": "Thu Apr 16 23:58:42 2009 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Apr 18 12:58:25 2009 +1000"
      },
      "message": "Smack: check for SMACK xattr validity in smack_inode_setxattr\n\nthe following patch moves checks for SMACK xattr validity\nfrom smack_inode_post_setxattr (which cannot return an error to the user)\nto smack_inode_setxattr (which can return an error).\n\nSigned-off-by: Etienne Basset \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "05725f7eb4b8acb147c5fc7b91397b1f6bcab00d",
      "tree": "1f22c6bec3429f7ec9ebb8acd25672249e39b380",
      "parents": [
        "72c6a9870f901045f2464c3dc6ee8914bfdc07aa"
      ],
      "author": {
        "name": "Jiri Pirko",
        "email": "jpirko@redhat.com",
        "time": "Tue Apr 14 20:17:16 2009 +0200"
      },
      "committer": {
        "name": "Ingo Molnar",
        "email": "mingo@elte.hu",
        "time": "Wed Apr 15 12:05:25 2009 +0200"
      },
      "message": "rculist: use list_entry_rcu in places where it\u0027s appropriate\n\nUse previously introduced list_entry_rcu instead of an open-coded\nlist_entry + rcu_dereference combination.\n\nSigned-off-by: Jiri Pirko \u003cjpirko@redhat.com\u003e\nReviewed-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nCc: dipankar@in.ibm.com\nLKML-Reference: \u003c20090414181715.GA3634@psychotron.englab.brq.redhat.com\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n"
    },
    {
      "commit": "39826a1e17c1957bd7b5cd7815b83940e5e3a230",
      "tree": "c1452c0293b7f2f4bce2c36d3b5aea8e4020ff3e",
      "parents": [
        "17a7b7b39056a82c5012539311850f202e6c3cd4"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Wed Apr 08 22:31:28 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Apr 14 09:15:02 2009 +1000"
      },
      "message": "tomoyo: version bump to 2.2.0.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ecfcc53fef3c357574bb6143dce6631e6d56295c",
      "tree": "d7bee04b64c5ad2ba0ed273bff2c8c7c98b3eee5",
      "parents": [
        "6e837fb152410e571a81aaadbd9884f0bc46a55e"
      ],
      "author": {
        "name": "Etienne Basset",
        "email": "etienne.basset@numericable.fr",
        "time": "Wed Apr 08 20:40:06 2009 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Apr 14 09:00:23 2009 +1000"
      },
      "message": "smack: implement logging V3\n\nthe following patch, add logging of Smack security decisions.\nThis is of course very useful to understand what your current smack policy does.\nAs suggested by Casey, it also now forbids labels with \u0027, \" or \\\n\nIt introduces a \u0027/smack/logging\u0027 switch :\n0: no logging\n1: log denied (default)\n2: log accepted\n3: log denied\u0026accepted\n\nSigned-off-by: Etienne Basset \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "6e837fb152410e571a81aaadbd9884f0bc46a55e",
      "tree": "7169c53fa17d729e1f3021102c12653dad3d3dcb",
      "parents": [
        "7ba5779533819fc061b4afafcb4a609d55f37057"
      ],
      "author": {
        "name": "Etienne Basset",
        "email": "etienne.basset@numericable.fr",
        "time": "Wed Apr 08 20:39:40 2009 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Apr 14 09:00:19 2009 +1000"
      },
      "message": "smack: implement logging V3\n\nThis patch creates auditing functions usable by LSM to audit security\nevents. It provides standard dumping of FS, NET, task etc ... events\n(code borrowed from SELinux)\nand provides 2 callbacks to define LSM specific auditing, which should be\nflexible enough to convert SELinux too.\n\nSigned-off-by: Etienne Basset \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\ncked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "34574dd10b6d0697b86703388d6d6af9cbf4bb48",
      "tree": "89eb52c0777687d4704d3ab3a370c50c1fe9479c",
      "parents": [
        "11ff5f6affe9b75f115a900a5584db339d46002b"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Apr 09 17:14:05 2009 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Apr 09 10:41:19 2009 -0700"
      },
      "message": "keys: Handle there being no fallback destination keyring for request_key()\n\nWhen request_key() is called, without there being any standard process\nkeyrings on which to fall back if a destination keyring is not specified, an\noops is liable to occur when construct_alloc_key() calls down_write() on\ndest_keyring\u0027s semaphore.\n\nDue to function inlining this may be seen as an oops in down_write() as called\nfrom request_key_and_link().\n\nThis situation crops up during boot, where request_key() is called from within\nthe kernel (such as in CIFS mounts) where nobody is actually logged in, and so\nPAM has not had a chance to create a session keyring and user keyrings to act\nas the fallback.\n\nTo fix this, make construct_alloc_key() not attempt to cache a key if there is\nno fallback key if no destination keyring is given specifically.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "5bf37ec3e0f5eb79f23e024a7fbc8f3557c087f0",
      "tree": "555033e32330726df31fa68244656e11eae39490",
      "parents": [
        "577c9c456f0e1371cbade38eaf91ae8e8a308555"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Wed Apr 08 16:55:58 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Apr 09 09:12:03 2009 +1000"
      },
      "message": "cap_prctl: don\u0027t set error to 0 at \u0027no_change\u0027\n\nOne-liner: capsh --print is broken without this patch.\n\nIn certain cases, cap_prctl returns error \u003e 0 for success.  However,\nthe \u0027no_change\u0027 label was always setting error to 0.  As a result,\nfor example, \u0027prctl(CAP_BSET_READ, N)\u0027 would always return 0.\nIt should return 1 if a process has N in its bounding set (as\nby default it does).\n\nI\u0027m keeping the no_change label even though it\u0027s now functionally\nthe same as \u0027error\u0027.\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "a0558fc3491c0494feb8472cf6c0119e43fd9484",
      "tree": "e26a2baaa63c07761686f97cde9aa4aaa527f82f",
      "parents": [
        "d508afb437daee7cf07da085b635c44a4ebf9b38"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Apr 06 20:49:14 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Apr 07 16:08:56 2009 +1000"
      },
      "message": "tomoyo: remove \"undelete domain\" command.\n\nSince TOMOYO\u0027s policy management tools do not use the \"undelete domain\"\ncommand, we decided to remove that command.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7ba5779533819fc061b4afafcb4a609d55f37057",
      "tree": "aef85844963c54661d33ed82dad8ff9afac7ea9d",
      "parents": [
        "b5f22a59c0356655a501190959db9f7f5dd07e3f"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Apr 06 20:49:14 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Apr 07 08:17:43 2009 +1000"
      },
      "message": "tomoyo: remove \"undelete domain\" command.\n\nSince TOMOYO\u0027s policy management tools do not use the \"undelete domain\"\ncommand, we decided to remove that command.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "800a964787faef3509d194fa33268628c3d1daa9",
      "tree": "37a722ed9d269d60bc26f6d8f0862d87e45a2424",
      "parents": [
        "385e1ca5f21c4680ad6a46a3aa2ea8af99e99c92"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 03 16:42:40 2009 +0100"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 03 16:42:40 2009 +0100"
      },
      "message": "CacheFiles: Export things for CacheFiles\n\nExport a number of functions for CacheFiles\u0027s use.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Steve Dickson \u003csteved@redhat.com\u003e\nAcked-by: Trond Myklebust \u003cTrond.Myklebust@netapp.com\u003e\nAcked-by: Rik van Riel \u003criel@redhat.com\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nTested-by: Daire Byrne \u003cDaire.Byrne@framestore.com\u003e\n"
    },
    {
      "commit": "8fe74cf053de7ad2124a894996f84fa890a81093",
      "tree": "77dcd8fbf33ce53a3821942233962fb28c6f2848",
      "parents": [
        "c2eb2fa6d2b6fe122d3479ec5b28d978418b2698",
        "ced117c73edc917e96dea7cca98c91383f0792f7"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Apr 02 21:09:10 2009 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Apr 02 21:09:10 2009 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:\n  Remove two unneeded exports and make two symbols static in fs/mpage.c\n  Cleanup after commit 585d3bc06f4ca57f975a5a1f698f65a45ea66225\n  Trim includes of fdtable.h\n  Don\u0027t crap into descriptor table in binfmt_som\n  Trim includes in binfmt_elf\n  Don\u0027t mess with descriptor table in load_elf_binary()\n  Get rid of indirect include of fs_struct.h\n  New helper - current_umask()\n  check_unsafe_exec() doesn\u0027t care about signal handlers sharing\n  New locking/refcounting for fs_struct\n  Take fs_struct handling to new file (fs/fs_struct.c)\n  Get rid of bumping fs_struct refcount in pivot_root(2)\n  Kill unsharing fs_struct in __set_personality()\n"
    },
    {
      "commit": "b4046f00ee7c1e5615261b496cf7309683275b29",
      "tree": "8ef312b95b03f362f7780a37620167c54bf55e8f",
      "parents": [
        "d969fbe69e07fcceb0558b35d4c75eb046041c5e"
      ],
      "author": {
        "name": "Li Zefan",
        "email": "lizf@cn.fujitsu.com",
        "time": "Thu Apr 02 16:57:32 2009 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Apr 02 19:04:55 2009 -0700"
      },
      "message": "devcgroup: avoid using cgroup_lock\n\nThere is nothing special that has to be protected by cgroup_lock,\nso introduce devcgroup_mtuex for its own use.\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Balbir Singh \u003cbalbir@in.ibm.com\u003e\nCc: KAMEZAWA Hiroyuki \u003ckamezawa.hiroyu@jp.fujitsu.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "b5f22a59c0356655a501190959db9f7f5dd07e3f",
      "tree": "3c20437a6a3b7b7e980078bfbcd0d53cdeda7528",
      "parents": [
        "3d43321b7015387cfebbe26436d0e9d299162ea1"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Thu Apr 02 18:47:14 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 03 11:49:31 2009 +1100"
      },
      "message": "don\u0027t raise all privs on setuid-root file with fE set (v2)\n\nDistributions face a backward compatibility problem with starting to use\nfile capabilities.  For instance, removing setuid root from ping and\ndoing setcap cap_net_raw\u003dpe means that booting with an older kernel\nor one compiled without file capabilities means ping won\u0027t work for\nnon-root users.\n\nIn order to replace the setuid root bit on a capability-unaware\nprogram, one has to set the effective, or legacy, file capability,\nwhich makes the capability effective immediately.  This patch\nuses the legacy bit as a queue to not automatically add full\nprivilege to a setuid-root program.\n\nSo, with this patch, an ordinary setuid-root program will run with\nprivilege.  But if /bin/ping has both setuid-root and cap_net_raw in\nfP and fE, then ping (when run by non-root user) will not run\nwith only cap_net_raw.\n\nChangelog:\n\tApr 2 2009: Print a message once when such a binary is loaded,\n\t\tas per James Morris\u0027 suggestion.\n\tApr 2 2009: Fix the condition to only catch uid!\u003d0 \u0026\u0026 euid\u003d\u003d0.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8a6f83afd0c5355db6d11394a798e94950306239",
      "tree": "f7cb84de87f67eeba0dd68681907696f8a5774d1",
      "parents": [
        "c31f403de62415c738ddc9e673cf8e722c82f861"
      ],
      "author": {
        "name": "KaiGai Kohei",
        "email": "kaigai@ak.jp.nec.com",
        "time": "Wed Apr 01 10:07:57 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Apr 02 09:23:45 2009 +1100"
      },
      "message": "Permissive domain in userspace object manager\n\nThis patch enables applications to handle permissive domain correctly.\n\nSince the v2.6.26 kernel, SELinux has supported an idea of permissive\ndomain which allows certain processes to work as if permissive mode,\neven if the global setting is enforcing mode.\nHowever, we don\u0027t have an application program interface to inform\nwhat domains are permissive one, and what domains are not.\nIt means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL\nand so on) cannot handle permissive domain correctly.\n\nThis patch add the sixth field (flags) on the reply of the /selinux/access\ninterface which is used to make an access control decision from userspace.\nIf the first bit of the flags field is positive, it means the required\naccess control decision is on permissive domain, so application should\nallow any required actions, as the kernel doing.\n\nThis patch also has a side benefit. The av_decision.flags is set at\ncontext_struct_compute_av(). It enables to check required permissions\nwithout read_lock(\u0026policy_rwlock).\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n--\n security/selinux/avc.c              |    2 +-\n security/selinux/include/security.h |    4 +++-\n security/selinux/selinuxfs.c        |    4 ++--\n security/selinux/ss/services.c      |   30 +++++-------------------------\n 4 files changed, 11 insertions(+), 29 deletions(-)\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5ad4e53bd5406ee214ddc5a41f03f779b8b2d526",
      "tree": "b3dab5140284b3edf02bf2b13f74bfddb25aa62a",
      "parents": [
        "ce3b0f8d5c2203301fc87f3aaaed73e5819e2a48"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sun Mar 29 19:50:06 2009 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Mar 31 23:00:27 2009 -0400"
      },
      "message": "Get rid of indirect include of fs_struct.h\n\nDon\u0027t pull it in sched.h; very few files actually need it and those\ncan include directly.  sched.h itself only needs forward declaration\nof struct fs_struct;\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "4303154e86597885bc3cbc178a48ccbc8213875f",
      "tree": "11989bcc2ec5d9cd5a1b7952f169ec5cbd8abb8e",
      "parents": [
        "07feee8f812f7327a46186f7604df312c8c81962"
      ],
      "author": {
        "name": "Etienne Basset",
        "email": "etienne.basset@numericable.fr",
        "time": "Fri Mar 27 17:11:01 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Mar 28 15:01:37 2009 +1100"
      },
      "message": "smack: Add a new \u0027-CIPSO\u0027 option to the network address label configuration\n\nThis patch adds a new special option \u0027-CIPSO\u0027 to the Smack subsystem. When used\nin the netlabel list, it means \"use CIPSO networking\". A use case is when your\nlocal network speaks CIPSO and you want also to connect to the unlabeled\nInternet. This patch also adds some documentation describing that. The patch\nalso corrects an oops when setting a \u0027\u0027 SMACK64 xattr to a file.\n\nSigned-off-by: Etienne Basset \u003cetienne.basset@numericable.fr\u003e\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "07feee8f812f7327a46186f7604df312c8c81962",
      "tree": "73eac643b60532aa82d7680a7de193ba2b62eddd",
      "parents": [
        "8651d5c0b1f874c5b8307ae2b858bc40f9f02482"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Mar 27 17:10:54 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Mar 28 15:01:37 2009 +1100"
      },
      "message": "netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections\n\nThis patch cleans up a lot of the Smack network access control code.  The\nlargest changes are to fix the labeling of incoming TCP connections in a\nmanner similar to the recent SELinux changes which use the\nsecurity_inet_conn_request() hook to label the request_sock and let the label\nmove to the child socket via the normal network stack mechanisms.  In addition\nto the incoming TCP connection fixes this patch also removes the smk_labled\nfield from the socket_smack struct as the minor optimization advantage was\noutweighed by the difficulty in maintaining its proper state.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8651d5c0b1f874c5b8307ae2b858bc40f9f02482",
      "tree": "c09bee8fdc4c659d155b47911dc87ce4c09b6676",
      "parents": [
        "58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Mar 27 17:10:48 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Mar 28 15:01:37 2009 +1100"
      },
      "message": "lsm: Remove the socket_post_accept() hook\n\nThe socket_post_accept() hook is not currently used by any in-tree modules\nand its existence continues to cause problems by confusing people about\nwhat can be safely accomplished using this hook.  If a legitimate need for\nthis hook arises in the future it can always be reintroduced.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2",
      "tree": "41132587adbb6816b56b9d28105826b8ef0fd7b9",
      "parents": [
        "389fb800ac8be2832efedd19978a2b8ced37eb61"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Mar 27 17:10:41 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Mar 28 15:01:37 2009 +1100"
      },
      "message": "selinux: Remove the \"compat_net\" compatibility code\n\nThe SELinux \"compat_net\" is marked as deprecated, the time has come to\nfinally remove it from the kernel.  Further code simplifications are\nlikely in the future, but this patch was intended to be a simple,\nstraight-up removal of the compat_net code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "389fb800ac8be2832efedd19978a2b8ced37eb61",
      "tree": "fa0bc16050dfb491aa05f76b54fa4c167de96376",
      "parents": [
        "284904aa79466a4736f4c775fdbe5c7407fa136c"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Mar 27 17:10:34 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Mar 28 15:01:36 2009 +1100"
      },
      "message": "netlabel: Label incoming TCP connections correctly in SELinux\n\nThe current NetLabel/SELinux behavior for incoming TCP connections works but\nonly through a series of happy coincidences that rely on the limited nature of\nstandard CIPSO (only able to convey MLS attributes) and the write equality\nimposed by the SELinux MLS constraints.  The problem is that network sockets\ncreated as the result of an incoming TCP connection were not on-the-wire\nlabeled based on the security attributes of the parent socket but rather based\non the wire label of the remote peer.  The issue had to do with how IP options\nwere managed as part of the network stack and where the LSM hooks were in\nrelation to the code which set the IP options on these newly created child\nsockets.  While NetLabel/SELinux did correctly set the socket\u0027s on-the-wire\nlabel it was promptly cleared by the network stack and reset based on the IP\noptions of the remote peer.\n\nThis patch, in conjunction with a prior patch that adjusted the LSM hook\nlocations, works to set the correct on-the-wire label format for new incoming\nconnections through the security_inet_conn_request() hook.  Besides the\ncorrect behavior there are many advantages to this change, the most significant\nis that all of the NetLabel socket labeling code in SELinux now lives in hooks\nwhich can return error codes to the core stack which allows us to finally get\nrid of the selinux_netlbl_inode_permission() logic which greatly simplifies\nthe NetLabel/SELinux glue code.  In the process of developing this patch I\nalso ran into a small handful of AF_INET6 cleanliness issues that have been\nfixed which should make the code safer and easier to extend in the future.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "a106cbfd1f3703402fc2d95d97e7a054102250f0",
      "tree": "f386efb92e2c68bbd15900b6f14a56c444c28556",
      "parents": [
        "1987f17d2266e882862528841429b5bf67bc8fe5"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Fri Mar 27 13:12:16 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Mar 27 19:03:44 2009 +1100"
      },
      "message": "TOMOYO: Fix a typo.\n\nFix a typo.\n\nReported-by: Pavel Machek \u003cpavel@ucw.cz\u003e\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7198e2eeb44b3fe7cc97f997824002da47a9c644",
      "tree": "4989ad0f9727ac4b861189217760517aa8beea43",
      "parents": [
        "703a3cd72817e99201cef84a8a7aecc60b2b3581"
      ],
      "author": {
        "name": "Etienne Basset",
        "email": "etienne.basset@numericable.fr",
        "time": "Tue Mar 24 20:53:24 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Mar 26 09:17:04 2009 +1100"
      },
      "message": "smack: convert smack to standard linux lists\n\nthe following patch (on top of 2.6.29) converts Smack lists to standard linux lists\nPlease review and consider for inclusion in 2.6.30-rc\n\nregards,\nEtienne\n\nSigned-off-by: Etienne Basset \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n"
    },
    {
      "commit": "703a3cd72817e99201cef84a8a7aecc60b2b3581",
      "tree": "3e943755178ff410694722bb031f523136fbc432",
      "parents": [
        "df7f54c012b92ec93d56b68547351dcdf8a163d3",
        "8e0ee43bc2c3e19db56a4adaa9a9b04ce885cd84"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Mar 24 10:52:46 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Mar 24 10:52:46 2009 +1100"
      },
      "message": "Merge branch \u0027master\u0027 into next\n"
    },
    {
      "commit": "df7f54c012b92ec93d56b68547351dcdf8a163d3",
      "tree": "07039542feca94d4d467c430521319950819a4e1",
      "parents": [
        "dd34b5d75a0405814a3de83f02a44ac297e81629"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Mar 09 14:35:58 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Mar 10 08:40:02 2009 +1100"
      },
      "message": "SELinux: inode_doinit_with_dentry drop no dentry printk\n\nDrop the printk message when an inode is found without an associated\ndentry.  This should only happen when userspace can\u0027t be accessing those\ninodes and those labels will get set correctly on the next d_instantiate.\nThus there is no reason to send this message.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "dd34b5d75a0405814a3de83f02a44ac297e81629",
      "tree": "f24939a7b7f6b33c44939ee4022d7e95b3f670b6",
      "parents": [
        "6a25b27d602aac24f3c642722377ba5d778417ec"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Mar 05 13:43:35 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Mar 06 08:50:21 2009 +1100"
      },
      "message": "SELinux: new permission between tty audit and audit socket\n\nNew selinux permission to separate the ability to turn on tty auditing from\nthe ability to set audit rules.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "6a25b27d602aac24f3c642722377ba5d778417ec",
      "tree": "ba334617326c65ccd98e7f4733c75fa0ac2ae5ca",
      "parents": [
        "113a0e4590881ce579ca992a80ddc562b3372ede"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Mar 05 13:40:35 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Mar 06 08:50:18 2009 +1100"
      },
      "message": "SELinux: open perm for sock files\n\nWhen I did open permissions I didn\u0027t think any sockets would have an open.\nTurns out AF_UNIX sockets can have an open when they are bound to the\nfilesystem namespace.  This patch adds a new SOCK_FILE__OPEN permission.\nIt\u0027s safe to add this as the open perms are already predicated on\ncapabilities and capabilities means we have unknown perm handling so\nsystems should be as backwards compatible as the policy wants them to\nbe.\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id\u003d475224\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "211a40c0870457b29100cffea0180fa5083caf96",
      "tree": "fae71ac7a443a45391ee6049f2300a5c25fe2272",
      "parents": [
        "559595a985e106d2fa9f0c79b7f5805453fed593"
      ],
      "author": {
        "name": "etienne",
        "email": "etienne.basset@numericable.fr",
        "time": "Wed Mar 04 07:33:51 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Mar 05 08:36:34 2009 +1100"
      },
      "message": "smack: fixes for unlabeled host support\n\nThe following patch (against 2.6.29rc5) fixes a few issues in the\nsmack/netlabel \"unlabeled host support\" functionnality that was added in\n2.6.29rc.  It should go in before -final.\n\n1) smack_host_label disregard a \"0.0.0.0/0 @\" rule (or other label),\npreventing \u0027tagged\u0027 tasks to access Internet (many systems drop packets with\nIP options)\n\n2) netmasks were not handled correctly, they were stored in a way _not\nequivalent_ to conversion to be32 (it was equivalent for /0, /8, /16, /24,\n/32 masks but not other masks)\n\n3) smack_netlbladdr prefixes (IP/mask) were not consistent (mask\u0026IP was not\ndone), so there could have been different list entries for the same IP\nprefix; if those entries had different labels, well ...\n\n4) they were not sorted\n\n1) 2) 3) are bugs, 4) is a more cosmetic issue.\nThe patch :\n\n-creates a new helper smk_netlbladdr_insert to insert a smk_netlbladdr,\n-sorted by netmask length\n\n-use the new sorted nature of  smack_netlbladdrs list to simplify\n smack_host_label : the first match _will_ be the more specific\n\n-corrects endianness issues in smk_write_netlbladdr \u0026  netlbladdr_seq_show\n\nSigned-off-by: \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "113a0e4590881ce579ca992a80ddc562b3372ede",
      "tree": "29dd1cd1c5f594efb51cdf9530a90ba2f3f2854e",
      "parents": [
        "454804ab0302b354e35d992d08e53fe03313baaf"
      ],
      "author": {
        "name": "etienne",
        "email": "etienne.basset@numericable.fr",
        "time": "Wed Mar 04 07:33:51 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Mar 05 08:30:01 2009 +1100"
      },
      "message": "smack: fixes for unlabeled host support\n\nThe following patch (against 2.6.29rc5) fixes a few issues in the\nsmack/netlabel \"unlabeled host support\" functionnality that was added in\n2.6.29rc.  It should go in before -final.\n\n1) smack_host_label disregard a \"0.0.0.0/0 @\" rule (or other label),\npreventing \u0027tagged\u0027 tasks to access Internet (many systems drop packets with\nIP options)\n\n2) netmasks were not handled correctly, they were stored in a way _not\nequivalent_ to conversion to be32 (it was equivalent for /0, /8, /16, /24,\n/32 masks but not other masks)\n\n3) smack_netlbladdr prefixes (IP/mask) were not consistent (mask\u0026IP was not\ndone), so there could have been different list entries for the same IP\nprefix; if those entries had different labels, well ...\n\n4) they were not sorted\n\n1) 2) 3) are bugs, 4) is a more cosmetic issue.\nThe patch :\n\n-creates a new helper smk_netlbladdr_insert to insert a smk_netlbladdr,\n-sorted by netmask length\n\n-use the new sorted nature of  smack_netlbladdrs list to simplify\n smack_host_label : the first match _will_ be the more specific\n\n-corrects endianness issues in smk_write_netlbladdr \u0026  netlbladdr_seq_show\n\nSigned-off-by: \u003cetienne.basset@numericable.fr\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d7f59dc4642ce2fc7b79fcd4ec02ffce7f21eb02",
      "tree": "1557550ed6478a38cc04ad480a5977580d97b5cd",
      "parents": [
        "778ef1e6cbb049c9bcbf405936ee6f2b6e451892"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Feb 27 15:00:03 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Mar 02 09:30:04 2009 +1100"
      },
      "message": "selinux: Fix a panic in selinux_netlbl_inode_permission()\n\nRick McNeal from LSI identified a panic in selinux_netlbl_inode_permission()\ncaused by a certain sequence of SUNRPC operations.  The problem appears to be\ndue to the lack of NULL pointer checking in the function; this patch adds the\npointer checks so the function will exit safely in the cases where the socket\nis not completely initialized.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "454804ab0302b354e35d992d08e53fe03313baaf",
      "tree": "e01a4928e19ac2e8318bc88d0b79970cccc60665",
      "parents": [
        "2ea190d0a006ce5218baa6e798512652446a605a"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Thu Feb 26 18:28:04 2009 -0600"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 27 12:35:15 2009 +1100"
      },
      "message": "keys: make procfiles per-user-namespace\n\nRestrict the /proc/keys and /proc/key-users output to keys\nbelonging to the same user namespace as the reading task.\n\nWe may want to make this more complicated - so that any\nkeys in a user-namespace which is belongs to the reading\ntask are also shown.  But let\u0027s see if anyone wants that\nfirst.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2ea190d0a006ce5218baa6e798512652446a605a",
      "tree": "1d8612678355c77d8ea9f316ef6ce7d80ee6d613",
      "parents": [
        "8ff3bc3138a400294ee9e126ac75fc9a9fae4e0b"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Thu Feb 26 18:27:55 2009 -0600"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 27 12:35:12 2009 +1100"
      },
      "message": "keys: skip keys from another user namespace\n\nWhen listing keys, do not return keys belonging to the\nsame uid in another user namespace.  Otherwise uid 500\nin another user namespace will return keyrings called\nuid.500 for another user namespace.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8ff3bc3138a400294ee9e126ac75fc9a9fae4e0b",
      "tree": "f1e2f21f17268cb9a88446da2f1ced9dbccd5138",
      "parents": [
        "1d1e97562e5e2ac60fb7b25437ba619f95f67fab"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Thu Feb 26 18:27:47 2009 -0600"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 27 12:35:09 2009 +1100"
      },
      "message": "keys: consider user namespace in key_permission\n\nIf a key is owned by another user namespace, then treat the\nkey as though it is owned by both another uid and gid.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1d1e97562e5e2ac60fb7b25437ba619f95f67fab",
      "tree": "68a9c52ecbff0782dd9b9438685afc3b40b6f707",
      "parents": [
        "be38e0fd5f90a91d09e0a85ffb294b70a7be6259"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Thu Feb 26 18:27:38 2009 -0600"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 27 12:35:06 2009 +1100"
      },
      "message": "keys: distinguish per-uid keys in different namespaces\n\nper-uid keys were looked by uid only.  Use the user namespace\nto distinguish the same uid in different namespaces.\n\nThis does not address key_permission.  So a task can for instance\ntry to join a keyring owned by the same uid in another namespace.\nThat will be handled by a separate patch.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "09c50b4a52c01a1f450b8eec819089e228655bfb",
      "tree": "d97bcaf9544e58a8a6bc6aeb40ca9793411d3e79",
      "parents": [
        "586c25003707067f074043d80fb2071671c58db0"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Feb 20 16:33:02 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 23 10:05:55 2009 +1100"
      },
      "message": "selinux: Fix the NetLabel glue code for setsockopt()\n\nAt some point we (okay, I) managed to break the ability for users to use the\nsetsockopt() syscall to set IPv4 options when NetLabel was not active on the\nsocket in question.  The problem was noticed by someone trying to use the\n\"-R\" (record route) option of ping:\n\n # ping -R 10.0.0.1\n ping: record route: No message of desired type\n\nThe solution is relatively simple, we catch the unlabeled socket case and\nclear the error code, allowing the operation to succeed.  Please note that we\nstill deny users the ability to override IPv4 options on socket\u0027s which have\nNetLabel labeling active; this is done to ensure the labeling remains intact.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "be38e0fd5f90a91d09e0a85ffb294b70a7be6259",
      "tree": "8e48b770e6c2012185fd68c0a1098991ad3c56cb",
      "parents": [
        "1581e7ddbdd97443a134e1a0cc9d81256baf77a4"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Feb 20 14:28:29 2009 -0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 23 09:54:53 2009 +1100"
      },
      "message": "integrity: ima iint radix_tree_lookup locking fix\n\nBased on Andrew Morton\u0027s comments:\n- add missing locks around radix_tree_lookup in ima_iint_insert()\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1581e7ddbdd97443a134e1a0cc9d81256baf77a4",
      "tree": "54134783d9b61dea08b434e0d6e447ac8f8924b2",
      "parents": [
        "0da0a420bb542b13ebae142109a9d2045ade0cb1"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Sat Feb 21 20:40:50 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 23 09:45:05 2009 +1100"
      },
      "message": "TOMOYO: Do not call tomoyo_realpath_init unless registered.\n\ntomoyo_realpath_init() is unconditionally called by security_initcall().\nBut nobody will use realpath related functions if TOMOYO is not registered.\n\nSo, let tomoyo_init() call tomoyo_realpath_init().\n\nThis patch saves 4KB of memory allocation if TOMOYO is not registered.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0da0a420bb542b13ebae142109a9d2045ade0cb1",
      "tree": "995a02bed11d55c9f8d963735b12f670ddca19cc",
      "parents": [
        "251a2a958b0455d11b711aeeb57cabad66259461"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Feb 19 21:23:50 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 21 00:29:59 2009 +1100"
      },
      "message": "integrity: ima scatterlist bug fix\n\nBased on Alexander Beregalov\u0027s post http://lkml.org/lkml/2009/2/19/198\n\n- replaced sg_set_buf() with sg_init_one()\n\n kernel BUG at include/linux/scatterlist.h:65!\n invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC\n last sysfs file:\n CPU 2\n Modules linked in:\n Pid: 1, comm: swapper Not tainted 2.6.29-rc5-next-20090219 #5 PowerEdge 1950\n RIP: 0010:[\u003cffffffff8045ec70\u003e]  [\u003cffffffff8045ec70\u003e] ima_calc_hash+0xc0/0x160\n RSP: 0018:ffff88007f46bc40  EFLAGS: 00010286\n RAX: ffffe200032c45e8 RBX: 00000000fffffff4 RCX: 0000000087654321\n RDX: 0000000000000002 RSI: 0000000000000001 RDI: ffff88007cf71048\n RBP: ffff88007f46bcd0 R08: 0000000000000000 R09: 0000000000000163\n R10: ffff88007f4707a8 R11: 0000000000000000 R12: ffff88007cf71048\n R13: 0000000000001000 R14: 0000000000000000 R15: 0000000000009d98\n FS:  0000000000000000(0000) GS:ffff8800051ac000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b\n CR2: 0000000000000000 CR3: 0000000000201000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nTested-by: Alexander Beregalov \u003ca.beregalov@gmail.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "251a2a958b0455d11b711aeeb57cabad66259461",
      "tree": "6e89b9a3f79c4a46573682044188c7d4692f0cb5",
      "parents": [
        "e5a3b95f581da62e2054ef79d3be2d383e9ed664"
      ],
      "author": {
        "name": "Randy Dunlap",
        "email": "randy.dunlap@oracle.com",
        "time": "Wed Feb 18 11:42:33 2009 -0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 19 15:51:10 2009 +1100"
      },
      "message": "smack: fix lots of kernel-doc notation\n\nFix/add kernel-doc notation and fix typos in security/smack/.\n\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e5a3b95f581da62e2054ef79d3be2d383e9ed664",
      "tree": "6a55bf40033c92b2c82fa0643c2511dbe7124b32",
      "parents": [
        "33043cbb9fd49a957089f5948fe814764d7abbd6"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Sat Feb 14 11:46:56 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 16 09:01:48 2009 +1100"
      },
      "message": "TOMOYO: Don\u0027t create securityfs entries unless registered.\n\nTOMOYO should not create /sys/kernel/security/tomoyo/ interface unless\nTOMOYO is registered.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "33043cbb9fd49a957089f5948fe814764d7abbd6",
      "tree": "66be66415be5a1108788291194cc5b2bc89fb6fe",
      "parents": [
        "26036651c562609d1f52d181f9d2cccbf89929b1"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Fri Feb 13 16:00:58 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 12:33:30 2009 +1100"
      },
      "message": "TOMOYO: Fix exception policy read failure.\n\nDue to wrong initialization, \"cat /sys/kernel/security/tomoyo/exception_policy\"\nreturned nothing.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "26036651c562609d1f52d181f9d2cccbf89929b1",
      "tree": "db68ab98d574d6763f562ac87cc7810385496f22",
      "parents": [
        "edf3d1aecd0d608acbd561b0c527e1d41abcb657"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:51:04 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:23:48 2009 +1100"
      },
      "message": "SELinux: convert the avc cache hash list to an hlist\n\nWe do not need O(1) access to the tail of the avc cache lists and so we are\nwasting lots of space using struct list_head instead of struct hlist_head.\nThis patch converts the avc cache to use hlists in which there is a single\npointer from the head which saves us about 4k of global memory.\n\nResulted in about a 1.5% decrease in time spent in avc_has_perm_noaudit based\non oprofile sampling of tbench.  Although likely within the noise....\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "edf3d1aecd0d608acbd561b0c527e1d41abcb657",
      "tree": "49d88ec27a59f602784b47e2f951934d245f7de8",
      "parents": [
        "f1c6381a6e337adcecf84be2a838bd9e610e2365"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:50:59 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:23:45 2009 +1100"
      },
      "message": "SELinux: code readability with avc_cache\n\nThe code making use of struct avc_cache was not easy to read thanks to liberal\nuse of \u0026avc_cache.{slots_lock,slots}[hvalue] throughout.  This patch simply\ncreates local pointers and uses those instead of the long global names.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f1c6381a6e337adcecf84be2a838bd9e610e2365",
      "tree": "a6e0857db27a38b0976fb422836f9443241b4b61",
      "parents": [
        "21193dcd1f3570ddfd8a04f4465e484c1f94252f"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:50:54 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:23:08 2009 +1100"
      },
      "message": "SELinux: remove unused av.decided field\n\nIt appears there was an intention to have the security server only decide\ncertain permissions and leave other for later as some sort of a portential\nperformance win.  We are currently always deciding all 32 bits of\npermissions and this is a useless couple of branches and wasted space.\nThis patch completely drops the av.decided concept.\n\nThis in a 17% reduction in the time spent in avc_has_perm_noaudit\nbased on oprofile sampling of a tbench benchmark.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "21193dcd1f3570ddfd8a04f4465e484c1f94252f",
      "tree": "b6cab3861103261a3ab27ff3ea3485cb53af5a92",
      "parents": [
        "906d27d9d28fd50fb40026e56842d8f6806a7a04"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:50:49 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:23:04 2009 +1100"
      },
      "message": "SELinux: more careful use of avd in avc_has_perm_noaudit\n\nwe are often needlessly jumping through hoops when it comes to avd\nentries in avc_has_perm_noaudit and we have extra initialization and memcpy\nwhich are just wasting performance.  Try to clean the function up a bit.\n\nThis patch resulted in a 13% drop in time spent in avc_has_perm_noaudit in my\noprofile sampling of a tbench benchmark.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "906d27d9d28fd50fb40026e56842d8f6806a7a04",
      "tree": "4f73e1396a09349a307f38b1de19767f558bedb1",
      "parents": [
        "a5dda683328f99c781f92c66cc52ffc0639bef58"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:50:43 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:22:37 2009 +1100"
      },
      "message": "SELinux: remove the unused ae.used\n\nCurrently SELinux code has an atomic which was intended to track how many\ntimes an avc entry was used and to evict entries when they haven\u0027t been\nused recently.  Instead we never let this atomic get above 1 and evict when\nit is first checked for eviction since it hits zero.  This is a total waste\nof time so I\u0027m completely dropping ae.used.\n\nThis change resulted in about a 3% faster avc_has_perm_noaudit when running\noprofile against a tbench benchmark.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "a5dda683328f99c781f92c66cc52ffc0639bef58",
      "tree": "2432f51e505fd9242f7081d5bf4e21ff322b73d6",
      "parents": [
        "4cb912f1d1447077160ace9ce3b3a10696dd74e5"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:50:11 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:22:34 2009 +1100"
      },
      "message": "SELinux: check seqno when updating an avc_node\n\nThe avc update node callbacks do not check the seqno of the caller with the\nseqno of the node found.  It is possible that a policy change could happen\n(although almost impossibly unlikely) in which a permissive or\npermissive_domain decision is not valid for the entry found.  Simply pass\nand check that the seqno of the caller and the seqno of the node found\nmatch.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4cb912f1d1447077160ace9ce3b3a10696dd74e5",
      "tree": "916f112de07ca626b0f398a0fc85943f15306146",
      "parents": [
        "4ba0a8ad63e12a03ae01c039482967cc496b9174"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 14:50:05 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:22:30 2009 +1100"
      },
      "message": "SELinux: NULL terminate al contexts from disk\n\nWhen a context is pulled in from disk we don\u0027t know that it is null\nterminated.  This patch forecebly null terminates contexts when we pull\nthem from disk.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4ba0a8ad63e12a03ae01c039482967cc496b9174",
      "tree": "340aa55aa98cc42c33cff4297f0813f14f46b121",
      "parents": [
        "200ac532a4bc3134147ca06686c56a6420e66c46"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 15:01:10 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:22:27 2009 +1100"
      },
      "message": "SELinux: better printk when file with invalid label found\n\nCurrently when an inode is read into the kernel with an invalid label\nstring (can often happen with removable media) we output a string like:\n\nSELinux: inode_doinit_with_dentry:  context_to_sid([SOME INVALID LABEL])\nreturned -22 dor dev\u003d[blah] ino\u003d[blah]\n\nWhich is all but incomprehensible to all but a couple of us.  Instead, on\nEINVAL only, I plan to output a much more user friendly string and I plan to\nratelimit the printk since many of these could be generated very rapidly.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "200ac532a4bc3134147ca06686c56a6420e66c46",
      "tree": "f9b1779458df389052c758ea23cf61695a021e67",
      "parents": [
        "b53fab9d48e9bd9aeba0b500dec550becd981a91"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 12 15:01:04 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 09:22:24 2009 +1100"
      },
      "message": "SELinux: call capabilities code directory\n\nFor cleanliness and efficiency remove all calls to secondary-\u003e and instead\ncall capabilities code directly.  capabilities are the only module that\nselinux stacks with and so the code should not indicate that other stacking\nmight be possible.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b53fab9d48e9bd9aeba0b500dec550becd981a91",
      "tree": "19e17d0aa255624bf6455ac35a5089ac550abdb6",
      "parents": [
        "35d50e60e8b12e4adc2fa317343a176d87294a72"
      ],
      "author": {
        "name": "Randy Dunlap",
        "email": "randy.dunlap@oracle.com",
        "time": "Thu Feb 12 09:54:14 2009 -0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 13 09:27:56 2009 +1100"
      },
      "message": "ima: fix build error\n\nIMA_LSM_RULES requires AUDIT.  This is automatic if SECURITY_SELINUX\u003dy\nbut not when SECURITY_SMACK\u003dy (and SECURITY_SELINUX\u003dn), so make the\ndependency explicit.  This fixes the following build error:\n\nsecurity/integrity/ima/ima_policy.c:111:error: implicit declaration of function \u0027security_audit_rule_match\u0027\nsecurity/integrity/ima/ima_policy.c:230:error: implicit declaration of function \u0027security_audit_rule_init\u0027\n\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "35d50e60e8b12e4adc2fa317343a176d87294a72",
      "tree": "d4374d08677dafdf940fc8bdaaadc0aeefa06126",
      "parents": [
        "42d5aaa2d826f54924e260b58a8e410e59d54163"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Thu Feb 12 15:53:38 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 20:21:10 2009 +1100"
      },
      "message": "tomoyo: fix sparse warning\n\nFix sparse warning.\n\n$ make C\u003d2 SUBDIRS\u003dsecurity/tomoyo CF\u003d\"-D__cold__\u003d\"\n CHECK   security/tomoyo/common.c\n CHECK   security/tomoyo/realpath.c\n CHECK   security/tomoyo/tomoyo.c\nsecurity/tomoyo/tomoyo.c:110:8: warning: symbol \u0027buf\u0027 shadows an earlier one\nsecurity/tomoyo/tomoyo.c:100:7: originally declared here\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "42d5aaa2d826f54924e260b58a8e410e59d54163",
      "tree": "64e3c400671d3adf1ed40f5179e95655400ce1cc",
      "parents": [
        "d74db3b22a75fac474abe711f582ffe25eacce25"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 16:29:04 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 16:29:04 2009 +1100"
      },
      "message": "security: change link order of LSMs so security\u003dtomoyo works\n\nLSMs need to be linked before root_plug to ensure the security\u003d\nboot parameter works with them.  Do this for Tomoyo.\n\n(root_plug probably needs to be taken out and shot at some point,\ntoo).\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "00d7d6f840ddc947237307e022de5e75ded4105f",
      "tree": "53669494101f93becdd401be2e70073bc7c6fe0b",
      "parents": [
        "f7433243770c77979c396b4c7449a10e9b3521db"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:17 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:19:00 2009 +1100"
      },
      "message": "Kconfig and Makefile\n\nTOMOYO uses LSM hooks for pathname based access control and securityfs support.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f7433243770c77979c396b4c7449a10e9b3521db",
      "tree": "8bcb3d92ddb65b73f1802c5476d75f92814477d8",
      "parents": [
        "26a2a1c9eb88d9aca8891575b3b986812e073872"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:16 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:05 2009 +1100"
      },
      "message": "LSM adapter functions.\n\nDAC\u0027s permissions and TOMOYO\u0027s permissions are not one-to-one mapping.\n\nRegarding DAC, there are \"read\", \"write\", \"execute\" permissions.\nRegarding TOMOYO, there are \"allow_read\", \"allow_write\", \"allow_read/write\",\n\"allow_execute\", \"allow_create\", \"allow_unlink\", \"allow_mkdir\", \"allow_rmdir\",\n\"allow_mkfifo\", \"allow_mksock\", \"allow_mkblock\", \"allow_mkchar\",\n\"allow_truncate\", \"allow_symlink\", \"allow_rewrite\", \"allow_link\",\n\"allow_rename\" permissions.\n\n+----------------------------------+----------------------------------+\n| requested operation              | required TOMOYO\u0027s permission     |\n+----------------------------------+----------------------------------+\n| sys_open(O_RDONLY)               | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_open(O_WRONLY)               | allow_write                      |\n+----------------------------------+----------------------------------+\n| sys_open(O_RDWR)                 | allow_read/write                 |\n+----------------------------------+----------------------------------+\n| open_exec() from do_execve()     | allow_execute                    |\n+----------------------------------+----------------------------------+\n| open_exec() from !do_execve()    | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_read()                       | (none)                           |\n+----------------------------------+----------------------------------+\n| sys_write()                      | (none)                           |\n+----------------------------------+----------------------------------+\n| sys_mmap()                       | (none)                           |\n+----------------------------------+----------------------------------+\n| sys_uselib()                     | allow_read     
                  |\n+----------------------------------+----------------------------------+\n| sys_open(O_CREAT)                | allow_create                     |\n+----------------------------------+----------------------------------+\n| sys_open(O_TRUNC)                | allow_truncate                   |\n+----------------------------------+----------------------------------+\n| sys_truncate()                   | allow_truncate                   |\n+----------------------------------+----------------------------------+\n| sys_ftruncate()                  | allow_truncate                   |\n+----------------------------------+----------------------------------+\n| sys_open() without O_APPEND      | allow_rewrite                    |\n+----------------------------------+----------------------------------+\n| setfl() without O_APPEND         | allow_rewrite                    |\n+----------------------------------+----------------------------------+\n| sys_sysctl() for writing         | allow_write                      |\n+----------------------------------+----------------------------------+\n| sys_sysctl() for reading         | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_unlink()                     | allow_unlink                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFREG)               | allow_create                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(0)                     | allow_create                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFIFO)               | allow_mkfifo                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFSOCK)              | allow_mksock                     |\n+----------------------------------+----------------------------------+\n| 
sys_bind(AF_UNIX)                | allow_mksock                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFBLK)               | allow_mkblock                    |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFCHR)               | allow_mkchar                     |\n+----------------------------------+----------------------------------+\n| sys_symlink()                    | allow_symlink                    |\n+----------------------------------+----------------------------------+\n| sys_mkdir()                      | allow_mkdir                      |\n+----------------------------------+----------------------------------+\n| sys_rmdir()                      | allow_rmdir                      |\n+----------------------------------+----------------------------------+\n| sys_link()                       | allow_link                       |\n+----------------------------------+----------------------------------+\n| sys_rename()                     | allow_rename                     |\n+----------------------------------+----------------------------------+\n\nTOMOYO requires \"allow_execute\" permission of a pathname passed to do_execve()\nbut does not require \"allow_read\" permission of that pathname.\nLet\u0027s consider 3 patterns (statically linked, dynamically linked,\nshell script). This description is to some degree simplified.\n\n  $ cat hello.c\n  #include \u003cstdio.h\u003e\n  int main() {\n          printf(\"Hello\\n\");\n          return 0;\n  }\n  $ cat hello.sh\n  #! 
/bin/sh\n  echo \"Hello\"\n  $ gcc -static -o hello-static hello.c\n  $ gcc -o hello-dynamic hello.c\n  $ chmod 755 hello.sh\n\nCase 1 -- Executing hello-static from bash.\n\n  (1) The bash process calls fork() and the child process requests\n      do_execve(\"hello-static\").\n\n  (2) The kernel checks \"allow_execute hello-static\" from \"bash\" domain.\n\n  (3) The kernel calculates \"bash hello-static\" as the domain to transit to.\n\n  (4) The kernel overwrites the child process by \"hello-static\".\n\n  (5) The child process transits to \"bash hello-static\" domain.\n\n  (6) The \"hello-static\" starts and finishes.\n\nCase 2 -- Executing hello-dynamic from bash.\n\n  (1) The bash process calls fork() and the child process requests\n      do_execve(\"hello-dynamic\").\n\n  (2) The kernel checks \"allow_execute hello-dynamic\" from \"bash\" domain.\n\n  (3) The kernel calculates \"bash hello-dynamic\" as the domain to transit to.\n\n  (4) The kernel checks \"allow_read ld-linux.so\" from \"bash hello-dynamic\"\n      domain. 
I think permission to access ld-linux.so should be charged\n      hello-dynamic program, for \"hello-dynamic needs ld-linux.so\" is not\n      a fault of bash program.\n\n  (5) The kernel overwrites the child process by \"hello-dynamic\".\n\n  (6) The child process transits to \"bash hello-dynamic\" domain.\n\n  (7) The \"hello-dynamic\" starts and finishes.\n\nCase 3 -- Executing hello.sh from bash.\n\n  (1) The bash process calls fork() and the child process requests\n      do_execve(\"hello.sh\").\n\n  (2) The kernel checks \"allow_execute hello.sh\" from \"bash\" domain.\n\n  (3) The kernel calculates \"bash hello.sh\" as the domain to transit to.\n\n  (4) The kernel checks \"allow_read /bin/sh\" from \"bash hello.sh\" domain.\n      I think permission to access /bin/sh should be charged hello.sh program,\n      for \"hello.sh needs /bin/sh\" is not a fault of bash program.\n\n  (5) The kernel overwrites the child process by \"/bin/sh\".\n\n  (6) The child process transits to \"bash hello.sh\" domain.\n\n  (7) The \"/bin/sh\" requests open(\"hello.sh\").\n\n  (8) The kernel checks \"allow_read hello.sh\" from  \"bash hello.sh\" domain.\n\n  (9) The \"/bin/sh\" starts and finishes.\n\nWhether a file is interpreted as a program or not depends on an application.\nThe kernel cannot know whether the file is interpreted as a program or not.\nThus, TOMOYO treats \"hello-static\" \"hello-dynamic\" \"ld-linux.so\" \"hello.sh\"\n\"/bin/sh\" equally as merely files; no distinction between executable and\nnon-executable. Therefore, TOMOYO doesn\u0027t check DAC\u0027s execute permission.\nTOMOYO checks \"allow_read\" permission instead.\n\nCalling do_execve() is a bold gesture that an old program\u0027s instance (i.e.\ncurrent process) is ready to be overwritten by a new program and is ready to\ntransfer control to the new program. 
To split purview of programs, TOMOYO\nrequires \"allow_execute\" permission of the new program against the old\nprogram\u0027s instance and performs domain transition. If do_execve() succeeds,\nthe old program is no longer responsible against the consequence of the new\nprogram\u0027s behavior. Only the new program is responsible for all consequences.\n\nBut TOMOYO doesn\u0027t require \"allow_read\" permission of the new program.\nIf TOMOYO requires \"allow_read\" permission of the new program, TOMOYO will\nallow an attacker (who hijacked the old program\u0027s instance) to open the new\nprogram and steal data from the new program. Requiring \"allow_read\" permission\nwill widen purview of the old program.\n\nNot requiring \"allow_read\" permission of the new program against the old\nprogram\u0027s instance is my design for reducing purview of the old program.\nTo be able to know whether the current process is in do_execve() or not,\nI want to add in_execve flag to \"task_struct\".\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "26a2a1c9eb88d9aca8891575b3b986812e073872",
      "tree": "4abec8ee7800aa52c1055ad74185156c7894e743",
      "parents": [
        "b69a54ee582373d76e4b5560970db5b8c618b12a"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:15 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:05 2009 +1100"
      },
      "message": "Domain transition handler.\n\nThis file controls domain creation/deletion/transition.\n\nEvery process belongs to a domain in TOMOYO Linux.\nDomain transition occurs when execve(2) is called\nand the domain is expressed as \u0027process invocation history\u0027,\nsuch as \u0027\u003ckernel\u003e /sbin/init /etc/init.d/rc\u0027.\nDomain information is stored in current-\u003ecred-\u003esecurity field.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b69a54ee582373d76e4b5560970db5b8c618b12a",
      "tree": "5889c074f7885187104906c921da0bab318bfe64",
      "parents": [
        "9590837b89aaa4523209ac91c52db5ea0d9142fd"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:14 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:05 2009 +1100"
      },
      "message": "File operation restriction part.\n\nThis file controls file related operations of TOMOYO Linux.\n\ntomoyo/tomoyo.c calls the following six functions in this file.\nEach function handles the following access types.\n\n * tomoyo_check_file_perm\nsysctl()\u0027s \"read\" and \"write\".\n\n * tomoyo_check_exec_perm\n\"execute\".\n\n * tomoyo_check_open_permission\nopen(2) for \"read\" and \"write\".\n\n * tomoyo_check_1path_perm\n\"create\", \"unlink\", \"mkdir\", \"rmdir\", \"mkfifo\",\n\"mksock\", \"mkblock\", \"mkchar\", \"truncate\" and \"symlink\".\n\n * tomoyo_check_2path_perm\n\"rename\" and \"unlink\".\n\n * tomoyo_check_rewrite_permission\n\"rewrite\".\n(\"rewrite\" are operations which may lose already recorded data of a file,\ni.e. open(!O_APPEND) || open(O_TRUNC) || truncate() || ftruncate())\n\nThe functions which actually checks ACLs are the following three functions.\nEach function handles the following access types.\nACL directive is expressed by \"allow_\u003caccess type\u003e\".\n\n * tomoyo_check_file_acl\nOpen() operation and execve() operation.\n(\"read\", \"write\", \"read/write\" and \"execute\")\n\n * tomoyo_check_single_write_acl\nDirectory modification operations with 1 pathname.\n(\"create\", \"unlink\", \"mkdir\", \"rmdir\", \"mkfifo\", \"mksock\",\n \"mkblock\", \"mkchar\", \"truncate\", \"symlink\" and \"rewrite\")\n\n * tomoyo_check_double_write_acl\nDirectory modification operations with 2 pathname.\n(\"link\" and \"rename\")\n\nAlso, this file contains handlers of some utility directives\nfor file related operations.\n\n * \"allow_read\":   specifies globally (for all domains) readable files.\n * \"path_group\":   specifies pathname macro.\n * \"deny_rewrite\": restricts rewrite operation.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James 
Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "9590837b89aaa4523209ac91c52db5ea0d9142fd",
      "tree": "0e7e3febb1f6106be0e45c281309078f6c1cd7e6",
      "parents": [
        "c73bd6d473ceb5d643d3afd7e75b7dc2e6918558"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:13 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:04 2009 +1100"
      },
      "message": "Common functions for TOMOYO Linux.\n\nThis file contains common functions (e.g. policy I/O, pattern matching).\n\n-------------------- About pattern matching --------------------\n\nSince TOMOYO Linux is a name based access control, TOMOYO Linux seriously\nconsiders \"safe\" string representation.\n\nTOMOYO Linux\u0027s string manipulation functions make reviewers feel crazy,\nbut there are reasons why TOMOYO Linux needs its own string manipulation\nfunctions.\n\n----- Part 1 : preconditions -----\n\nPeople definitely want to use wild card.\n\n  To support pattern matching, we have to support wild card characters.\n\n  In a typical Linux system, filenames are likely consists of only alphabets,\n  numbers, and some characters (e.g. + - ~ . / ).\n  But theoretically, the Linux kernel accepts all characters but NUL character\n  (which is used as a terminator of a string).\n\n    Some Linux systems can have filenames which contain * ? ** etc.\n\nTherefore, we have to somehow modify string so that we can distinguish\nwild card characters and normal characters.\n\n  It might be possible for some application\u0027s configuration files to restrict\n  acceptable characters.\n  It is impossible for kernel to restrict acceptable characters.\n\n    We can\u0027t accept approaches which will cause troubles for applications.\n\n----- Part 2 : commonly used approaches -----\n\nText formatted strings separated by space character (0x20) and new line\ncharacter (0x0A) is more preferable for users over array of NUL-terminated\nstring.\n\n  Thus, people use text formatted configuration files separated by space\n  character and new line.\n\nWe sometimes need to handle non-printable characters.\n\n  Thus, people use \\ character (0x5C) as escape character and represent\n  non-printable characters using octal or hexadecimal format.\n\nAt this point, we remind (at least) 3 approaches.\n\n  (1) Shell glob style expression\n  (2) POSIX regular expression (UNIX style 
regular expression)\n  (3) Maverick wild card expression\n\nOn the surface, (1) and (2) sound good choices. But they have a big pitfall.\nAll meta-characters in (1) and (2) are legal characters for representing\na pathname, and users easily write incorrect expression. What is worse, users\nunlikely notice incorrect expressions because characters used for regular\npathnames unlikely contain meta-characters. This incorrect use of\nmeta-characters in pathname representation reveals vulnerability\n(e.g. unexpected results) only when irregular pathname is specified.\n\nThe authors of TOMOYO Linux think that approaches which adds some character\nfor interpreting meta-characters as normal characters (i.e. (1) and (2)) are\nnot suitable for security use.\n\nTherefore, the authors of TOMOYO Linux propose (3).\n\n----- Part 3: consideration points -----\n\nWe need to solve encoding problem.\n\n  A single character can be represented in several ways using encodings.\n\n    For Japanese language, there are \"ShiftJIS\", \"ISO-2022-JP\", \"EUC-JP\",\n    \"UTF-8\" and more.\n\n  Some languages (e.g. Japanese language) supports multi-byte characters\n  (where a single character is represented using several bytes).\n\n    Some multi-byte characters may match the escape character.\n\n    For Japanese language, some characters in \"ShiftJIS\" encoding match\n    \\ character, and bothering Web\u0027s CGI developers.\n\n  It is important that the kernel string is not bothered by encoding problem.\n\n    Linus said, \"I really would expect that kernel strings don\u0027t have\n    an encoding. They\u0027re just C strings: a NUL-terminated stream of bytes.\"\n    http://lkml.org/lkml/2007/11/6/142\n\n    Yes. 
The kernel strings are just C strings.\n    We are talking about how to store and carry \"kernel strings\" safely.\n\n  If we store \"kernel string\" into policy file as-is, the \"kernel string\" will\n  be interpreted differently depending on application\u0027s encoding settings.\n  One application may interpret \"kernel string\" as \"UTF-8\",\n  another application may interpret \"kernel string\" as \"ShiftJIS\".\n\n    Therefore, we propose to represent strings using ASCII encoding.\n    In this way, we are no longer bothered by encoding problems.\n\nWe need to avoid information loss caused by display.\n\n  It is difficult to input and display non-printable characters, but we have to\n  be able to handle such characters because the kernel string is a C string.\n\n  If we use only ASCII printable characters (from 0x21 to 0x7E) and space\n  character (0x20) and new line character (0x0A), it is easy to input from\n  keyboard and display on all terminals which is running Linux.\n\n  Therefore, we propose to represent strings using only characters which value\n  is one of \"from 0x21 to 0x7E\", \"0x20\", \"0x0A\".\n\nWe need to consider ease of splitting strings from a line.\n\n  If we use an approach which uses \"\\ \" for representing a space character\n  within a string, we have to count the string from the beginning to check\n  whether this space character is accompanied with \\ character or not.\n  As a result, we cannot monotonically split a line using space character.\n\n  If we use an approach which uses \"\\040\" for representing a space character\n  within a string, we can monotonically split a line using space character.\n\n  If we use an approach which uses NUL character as a delimiter, we cannot\n  use string manipulation functions for splitting strings from a line.\n\n  Therefore, we propose that we represent space character as \"\\040\".\n\nWe need to avoid wrong designations (incorrect use of special characters).\n\n  Not all users can understand and 
utilize POSIX\u0027s regular expressions\n  correctly and perfectly.\n\n  If a character acts as a wild card by default, the user will get unexpected\n  result if that user didn\u0027t know the meaning of that character.\n\n    Therefore, we propose that all characters but \\ character act as\n    a normal character and let the user add \\ character to make a character\n    act as a wild card.\n\n    In this way, users needn\u0027t to know all wild card characters beforehand.\n    They can learn when they encountered an unseen wild card character\n    for their first time.\n\n----- Part 4: supported wild card expressions -----\n\nAt this point, we have wild card expressions listed below.\n\n  +-----------+--------------------------------------------------------------+\n  | Wild card | Meaning and example                                          |\n  +-----------+--------------------------------------------------------------+\n  |   \\*      | More than or equals to 0 character other than \u0027/\u0027.           |\n  |           |           /var/log/samba/\\*                                  |\n  +-----------+--------------------------------------------------------------+\n  |   \\@      | More than or equals to 0 character other than \u0027/\u0027 or \u0027.\u0027.    |\n  |           |           /var/www/html/\\@.html                              |\n  +-----------+--------------------------------------------------------------+\n  |   \\?      | 1 byte character other than \u0027/\u0027.                             |\n  |           |           /tmp/mail.\\?\\?\\?\\?\\?\\?                             |\n  +-----------+--------------------------------------------------------------+\n  |   \\$      | More than or equals to 1 decimal digit.                      |\n  |           |           /proc/\\$/cmdline                                   |\n  +-----------+--------------------------------------------------------------+\n  |   \\+      | 1 decimal digit.              
                               |\n  |           |           /var/tmp/my_work.\\+                                |\n  +-----------+--------------------------------------------------------------+\n  |   \\X      | More than or equals to 1 hexadecimal digit.                  |\n  |           |           /var/tmp/my-work.\\X                                |\n  +-----------+--------------------------------------------------------------+\n  |   \\x      | 1 hexadecimal digit.                                         |\n  |           |           /tmp/my-work.\\x                                    |\n  +-----------+--------------------------------------------------------------+\n  |   \\A      | More than or equals to 1 alphabet character.                 |\n  |           |           /var/log/my-work/\\$-\\A-\\$.log                      |\n  +-----------+--------------------------------------------------------------+\n  |   \\a      | 1 alphabet character.                                        |\n  |           |           /home/users/\\a/\\*/public_html/\\*.html              |\n  +-----------+--------------------------------------------------------------+\n  |   \\-      | Pathname subtraction operator.                               |\n  |           | +---------------------+------------------------------------+ |\n  |           | | Example             | Meaning                            | |\n  |           | +---------------------+------------------------------------+ |\n  |           | | /etc/\\*             | All files in /etc/ directory.      
| |\n  |           | +---------------------+------------------------------------+ |\n  |           | | /etc/\\*\\-\\*shadow\\* | /etc/\\* other than /etc/\\*shadow\\* | |\n  |           | +---------------------+------------------------------------+ |\n  |           | | /\\*\\-proc\\-sys/     | /\\*/ other than /proc/ /sys/       | |\n  |           | +---------------------+------------------------------------+ |\n  +-----------+--------------------------------------------------------------+\n\n  +----------------+---------------------------------------------------------+\n  | Representation | Meaning and example                                     |\n  +----------------+---------------------------------------------------------+\n  |   \\\\           | backslash character itself.                             |\n  +----------------+---------------------------------------------------------+\n  |   \\ooo         | 1 byte character.                                       |\n  |                | ooo is 001 \u003c\u003d ooo \u003c\u003d 040 || 177 \u003c\u003d ooo \u003c\u003d 377.          |\n  |                |                                                         |\n  |                |           \\040 for space character.                     |\n  |                |           \\177 for del character.                       
|\n  |                |                                                         |\n  +----------------+---------------------------------------------------------+\n\n----- Part 5: Advantages -----\n\nWe can obtain extensibility.\n\n  Since our proposed approach adds \\ to a character to interpret as a wild\n  card, we can introduce new wild card in future while maintaining backward\n  compatibility.\n\nWe can process monotonically.\n\n  Since our proposed approach separates strings using a space character,\n  we can split strings using existing string manipulation functions.\n\nWe can reliably analyze access logs.\n\n  It is guaranteed that a string doesn\u0027t contain space character (0x20) and\n  new line character (0x0A).\n\n  It is guaranteed that a string won\u0027t be converted by FTP and won\u0027t be damaged\n  by a terminal\u0027s settings.\n\n  It is guaranteed that a string won\u0027t be affected by encoding converters\n  (except encodings which insert NUL character (e.g. UTF-16)).\n\n----- Part 6: conclusion -----\n\nTOMOYO Linux is using its own encoding with reasons described above.\nThere is a disadvantage that we need to introduce a series of new string\nmanipulation functions. But TOMOYO Linux\u0027s encoding is useful for all users\n(including audit and AppArmor) who want to perform pattern matching and\nsafely exchange string information between the kernel and the userspace.\n\n-------------------- About policy interface --------------------\n\nTOMOYO Linux creates the following files on securityfs (normally\nmounted on /sys/kernel/security) as interfaces between kernel and\nuserspace. 
These files are for TOMOYO Linux management tools *only*,\nnot for general programs.\n\n  * profile\n  * exception_policy\n  * domain_policy\n  * manager\n  * meminfo\n  * self_domain\n  * version\n  * .domain_status\n  * .process_status\n\n** /sys/kernel/security/tomoyo/profile **\n\nThis file is used to read or write profiles.\n\n\"profile\" means a running mode of process. A profile lists up\nfunctions and their modes in \"$number-$variable\u003d$value\" format. The\n$number is profile number between 0 and 255. Each domain is assigned\none profile. To assign profile to domains, use \"ccs-setprofile\" or\n\"ccs-editpolicy\" or \"ccs-loadpolicy\" commands.\n\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/profile\n0-COMMENT\u003d-----Disabled Mode-----\n0-MAC_FOR_FILE\u003ddisabled\n0-MAX_ACCEPT_ENTRY\u003d2048\n0-TOMOYO_VERBOSE\u003ddisabled\n1-COMMENT\u003d-----Learning Mode-----\n1-MAC_FOR_FILE\u003dlearning\n1-MAX_ACCEPT_ENTRY\u003d2048\n1-TOMOYO_VERBOSE\u003ddisabled\n2-COMMENT\u003d-----Permissive Mode-----\n2-MAC_FOR_FILE\u003dpermissive\n2-MAX_ACCEPT_ENTRY\u003d2048\n2-TOMOYO_VERBOSE\u003denabled\n3-COMMENT\u003d-----Enforcing Mode-----\n3-MAC_FOR_FILE\u003denforcing\n3-MAX_ACCEPT_ENTRY\u003d2048\n3-TOMOYO_VERBOSE\u003denabled\n\n- MAC_FOR_FILE:\nSpecifies access control level regarding file access requests.\n- MAX_ACCEPT_ENTRY:\nLimits the max number of ACL entries that are automatically appended\nduring learning mode. Default is 2048.\n- TOMOYO_VERBOSE:\nSpecifies whether to print domain policy violation messages or not.\n\n** /sys/kernel/security/tomoyo/manager **\n\nThis file is used to read or append the list of programs or domains\nthat can write to /sys/kernel/security/tomoyo interface. By default,\nonly processes with both UID \u003d 0 and EUID \u003d 0 can modify policy via\n/sys/kernel/security/tomoyo interface. 
You can use keyword\n\"manage_by_non_root\" to allow policy modification by non root user.\n\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/manager\n/usr/lib/ccs/loadpolicy\n/usr/lib/ccs/editpolicy\n/usr/lib/ccs/setlevel\n/usr/lib/ccs/setprofile\n/usr/lib/ccs/ld-watch\n/usr/lib/ccs/ccs-queryd\n\n** /sys/kernel/security/tomoyo/exception_policy **\n\nThis file is used to read and write system global settings. Each line\nhas a directive and operand pair. Directives are listed below.\n\n- initialize_domain:\nTo initialize domain transition when specific program is executed,\nuse initialize_domain directive.\n  * initialize_domain \"program\" from \"domain\"\n  * initialize_domain \"program\" from \"the last program part of domain\"\n  * initialize_domain \"program\"\nIf the part \"from\" and after is not given, the entry is applied to\nall domain. If the \"domain\" doesn\u0027t start with \"\u003ckernel\u003e\", the entry\nis applied to all domain whose domainname ends with \"the last program\npart of domain\".\nThis directive is intended to aggregate domain transitions for daemon\nprogram and program that are invoked by the kernel on demand, by\ntransiting to different domain.\n\n- keep_domain\nTo prevent domain transition when program is executed from specific\ndomain, use keep_domain directive.\n  * keep_domain \"program\" from \"domain\"\n  * keep_domain \"program\" from \"the last program part of domain\"\n  * keep_domain \"domain\"\n  * keep_domain \"the last program part of domain\"\nIf the part \"from\" and before is not given, this entry is applied to\nall program. 
If the \"domain\" doesn\u0027t start with \"\u003ckernel\u003e\", the entry\nis applied to all domain whose domainname ends with \"the last program\npart of domain\".\nThis directive is intended to reduce total number of domains and\nmemory usage by suppressing unneeded domain transitions.\nTo declare domain keepers, use keep_domain directive followed by\ndomain definition.\nAny process that belongs to any domain declared with this directive,\nthe process stays at the same domain unless any program registered\nwith initialize_domain directive is executed.\n\nIn order to control domain transition in detail, you can use\nno_keep_domain/no_initialize_domain keywords.\n\n- alias:\nTo allow executing programs using the name of symbolic links, use\nalias keyword followed by dereferenced pathname and reference\npathname. For example, /sbin/pidof is a symbolic link to\n/sbin/killall5 . In normal case, if /sbin/pidof is executed, the\ndomain is defined as if /sbin/killall5 is executed. By specifying\n\"alias /sbin/killall5 /sbin/pidof\", you can run /sbin/pidof in the\ndomain for /sbin/pidof .\n(Example)\nalias /sbin/killall5 /sbin/pidof\n\n- allow_read:\nTo grant unconditionally readable permissions, use allow_read keyword\nfollowed by canonicalized file. This keyword is intended to reduce\nsize of domain policy by granting read access to library files such\nas GLIBC and locale files. Exception is, if ignore_global_allow_read\nkeyword is given to a domain, entries specified by this keyword are\nignored.\n(Example)\nallow_read /lib/libc-2.5.so\n\n- file_pattern:\nTo declare pathname pattern, use file_pattern keyword followed by\npathname pattern. The pathname pattern must be a canonicalized\npathname. This keyword is applicable to neither granting execute\npermissions nor domain definitions.\nFor example, canonicalized pathname that contains a process ID\n(i.e. 
/proc/PID/ files) needs to be grouped in order to make access\ncontrol work well.\n(Example)\nfile_pattern /proc/\\$/cmdline\n\n- path_group\nTo declare pathname group, use path_group keyword followed by name of\nthe group and pathname pattern. For example, if you want to group all\nfiles under home directory, you can define\n   path_group HOME-DIR-FILE /home/\\*/\\*\n   path_group HOME-DIR-FILE /home/\\*/\\*/\\*\n   path_group HOME-DIR-FILE /home/\\*/\\*/\\*/\\*\nin the exception policy and use like\n   allow_read @HOME-DIR-FILE\nto grant file access permission.\n\n- deny_rewrite:\nTo deny overwriting already written contents of file (such as log\nfiles) by default, use deny_rewrite keyword followed by pathname\npattern. Files whose pathname match the patterns are not permitted to\nopen for writing without append mode or truncate unless the pathnames\nare explicitly granted using allow_rewrite keyword in domain policy.\n(Example)\ndeny_rewrite /var/log/\\*\n\n- aggregator\nTo deal multiple programs as a single program, use aggregator keyword\nfollowed by name of original program and aggregated program. This\nkeyword is intended to aggregate similar programs.\nFor example, /usr/bin/tac and /bin/cat are similar. By specifying\n\"aggregator /usr/bin/tac /bin/cat\", you can run /usr/bin/tac in the\ndomain for /bin/cat .\nFor example, /usr/sbin/logrotate for Fedora Core 3 generates programs\nlike /tmp/logrotate.\\?\\?\\?\\?\\?\\? and run them, but TOMOYO Linux\ndoesn\u0027t allow using patterns for granting execute permission and\ndefining domains. By specifying\n\"aggregator /tmp/logrotate.\\?\\?\\?\\?\\?\\? /tmp/logrotate.tmp\", you can\nrun /tmp/logrotate.\\?\\?\\?\\?\\?\\? 
as if /tmp/logrotate.tmp is running.\n\n** /sys/kernel/security/tomoyo/domain_policy **\n\nThis file contains definition of all domains and permissions that are\ngranted to each domain.\n\nLines from the next line to a domain definition ( any lines starting\nwith \"\u003ckernel\u003e\") to the previous line to the next domain definitions\nare interpreted as access permissions for that domain.\n\n** /sys/kernel/security/tomoyo/meminfo **\n\nThis file is to show the total RAM used to keep policy in the kernel\nby TOMOYO Linux in bytes.\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/meminfo\nShared:       61440\nPrivate:      69632\nDynamic:        768\nTotal:       131840\n\nYou can set memory quota by writing to this file.\n(Example)\n[root@tomoyo]# echo Shared: 2097152 \u003e /sys/kernel/security/tomoyo/meminfo\n[root@tomoyo]# echo Private: 2097152 \u003e /sys/kernel/security/tomoyo/meminfo\n\n** /sys/kernel/security/tomoyo/self_domain **\n\nThis file is to show the name of domain the caller process belongs to.\n(Example)\n[root@etch]# cat /sys/kernel/security/tomoyo/self_domain\n\u003ckernel\u003e /usr/sbin/sshd /bin/zsh /bin/cat\n\n** /sys/kernel/security/tomoyo/version **\n\nThis file is used for getting TOMOYO Linux\u0027s version.\n(Example)\n[root@etch]# cat /sys/kernel/security/tomoyo/version\n2.2.0-pre\n\n** /sys/kernel/security/tomoyo/.domain_status **\n\nThis is a view (of a DBMS) that contains only profile number and\ndomainnames of domain so that \"ccs-setprofile\" command can do\nline-oriented processing easily.\n\n** /sys/kernel/security/tomoyo/.process_status **\n\nThis file is used by \"ccs-ccstree\" command to show \"list of processes\ncurrently running\" and \"domains which each process belongs to\" and\n\"profile number which the domain is currently assigned\" like \"pstree\"\ncommand. 
This file is writable by programs that aren\u0027t registered as\npolicy manager.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c73bd6d473ceb5d643d3afd7e75b7dc2e6918558",
      "tree": "76a800f3080d000215ec74f4c66fc73560b83a8f",
      "parents": [
        "f9ce1f1cda8b73a36f47e424975a9dfa78b7840c"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:12 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:04 2009 +1100"
      },
      "message": "Memory and pathname management functions.\n\nTOMOYO Linux performs pathname based access control.\nTo remove factors that make pathname based access control difficult\n(e.g. symbolic links, \"..\", \"//\" etc.), TOMOYO Linux derives realpath\nof requested pathname from \"struct dentry\" and \"struct vfsmount\".\n\nThe maximum length of string data is limited to 4000 including trailing \u0027\\0\u0027.\nSince TOMOYO Linux uses \u0027\\ooo\u0027 style representation for non ASCII printable\ncharacters, maybe TOMOYO Linux should be able to support 16336 (which means\n(NAME_MAX * (PATH_MAX / (NAME_MAX + 1)) * 4 + (PATH_MAX / (NAME_MAX + 1)))\nincluding trailing \u0027\\0\u0027), but I think 4000 is enough for practical use.\n\nTOMOYO uses only 0x21 - 0x7E (as printable characters) and 0x20 (as word\ndelimiter) and 0x0A (as line delimiter).\n0x01 - 0x20 and 0x80 - 0xFF is handled in \\ooo style representation.\nThe reason to use \\ooo is to guarantee that \"%s\" won\u0027t damage logs.\nUserland program can request\n\n open(\"/tmp/file granted.\\nAccess /tmp/file \", O_WRONLY | O_CREAT, 0600)\n\nand logging such crazy pathname using \"Access %s denied.\\n\" format will cause\n\"fabrication of logs\" like\n\n Access /tmp/file granted.\n Access /tmp/file denied.\n\nTOMOYO converts such characters to \\ooo so that the logs will become\n\n Access /tmp/file\\040granted.\\012Access\\040/tmp/file denied.\n\nand the administrator can read the logs safely using /bin/cat .\nLikewise, a crazy request like\n\n open(\"/tmp/\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\", O_WRONLY | O_CREAT, 0600)\n\nwill be processed safely by converting to\n\n Access /tmp/\\001\\002\\003\\004\\005\\006\\007\\010\\011 denied.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris 
\u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "523979adfa0b79d4e3aa053220c37a9233294206",
      "tree": "15ff42f935f9d443220edb118f3980432f924360",
      "parents": [
        "ed850a52af971528b048812c4215cef298af0d3b"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Feb 11 11:12:28 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 09:40:14 2009 +1100"
      },
      "message": "integrity: audit update\n\nBased on discussions on linux-audit, as per Steve Grubb\u0027s request\nhttp://lkml.org/lkml/2009/2/6/269, the following changes were made:\n- forced audit result to be either 0 or 1.\n- made template names const\n- Added new stand-alone message type: AUDIT_INTEGRITY_RULE\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Steve Grubb \u003csgrubb@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "cb5629b10d64a8006622ce3a52bc887d91057d69",
      "tree": "7c06d8f30783115e3384721046258ce615b129c5",
      "parents": [
        "8920d5ad6ba74ae8ab020e90cc4d976980e68701",
        "f01d1d546abb2f4028b5299092f529eefb01253a"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 06 11:01:45 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 06 11:01:45 2009 +1100"
      },
      "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tfs/namei.c\n\nManually merged per:\n\ndiff --cc fs/namei.c\nindex 734f2b5,bbc15c2..0000000\n--- a/fs/namei.c\n+++ b/fs/namei.c\n@@@ -860,9 -848,8 +849,10 @@@ static int __link_path_walk(const char\n  \t\tnd-\u003eflags |\u003d LOOKUP_CONTINUE;\n  \t\terr \u003d exec_permission_lite(inode);\n  \t\tif (err \u003d\u003d -EAGAIN)\n- \t\t\terr \u003d vfs_permission(nd, MAY_EXEC);\n+ \t\t\terr \u003d inode_permission(nd-\u003epath.dentry-\u003ed_inode,\n+ \t\t\t\t\t       MAY_EXEC);\n +\t\tif (!err)\n +\t\t\terr \u003d ima_path_check(\u0026nd-\u003epath, MAY_EXEC);\n   \t\tif (err)\n  \t\t\tbreak;\n\n@@@ -1525,14 -1506,9 +1509,14 @@@ int may_open(struct path *path, int acc\n  \t\tflag \u0026\u003d ~O_TRUNC;\n  \t}\n\n- \terror \u003d vfs_permission(nd, acc_mode);\n+ \terror \u003d inode_permission(inode, acc_mode);\n  \tif (error)\n  \t\treturn error;\n +\n- \terror \u003d ima_path_check(\u0026nd-\u003epath,\n++\terror \u003d ima_path_check(path,\n +\t\t\t       acc_mode \u0026 (MAY_READ | MAY_WRITE | MAY_EXEC));\n +\tif (error)\n +\t\treturn error;\n  \t/*\n  \t * An append-only file must be opened in append mode for writing.\n  \t */\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "64c61d80a6e4c935a09ac5ff1d952967ca1268f8",
      "tree": "80d109d7b3218c925ee48d22254d704e23d31199",
      "parents": [
        "aa7168f47d912459a99a01c93714f447b44bfa72"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 05 09:28:26 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 06 09:05:34 2009 +1100"
      },
      "message": "IMA: fix ima_delete_rules() definition\n\nFix ima_delete_rules() definition so sparse doesn\u0027t complain.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1df9f0a73178718969ae47d813b8e7aab2cf073c",
      "tree": "6bd3d8838858f0e93acd8f7969b7d0e5ce2bfb08",
      "parents": [
        "f4bd857bc8ed997c25ec06b56ef8064aafa6d4f3"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Feb 04 09:07:02 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Feb 06 09:05:33 2009 +1100"
      },
      "message": "Integrity: IMA file free imbalance\n\nThe number of calls to ima_path_check()/ima_file_free()\nshould be balanced.  An extra call to fput(), indicates\nthe file could have been accessed without first being\nmeasured.\n\nAlthough f_count is incremented/decremented in places other\nthan fget/fput, like fget_light/fput_light and get_file, the\ncurrent task must already hold a file refcnt.  The call to\n__fput() is delayed until the refcnt becomes 0, resulting\nin ima_file_free() flagging any changes.\n\n- add hook to increment opencount for IPC shared memory(SYSV),\n  shmat files, and /dev/zero\n- moved NULL iint test in opencount_get()\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    }
  ],
  "next": "f4bd857bc8ed997c25ec06b56ef8064aafa6d4f3"
}
