)]}' { "log": [ { "commit": "e63ba744a64d234c8a07c469ab1806443cb0a6ff", "tree": "84dcf86b243ca425ba1f7e7ddff6eb0754fafcd4", "parents": [ "1b0ba1c9037b2265d6e5d0165d31e4c0269b603b" ], "author": { "name": "Arnd Bergmann", "email": "arnd@arndb.de", "time": "Fri Feb 26 18:01:20 2010 +0100" }, "committer": { "name": "Paul E. McKenney", "email": "paulmck@linux.vnet.ibm.com", "time": "Thu Aug 19 17:18:00 2010 -0700" }, "message": "keys: __rcu annotations\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nSigned-off-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: Josh Triplett \u003cjosh@joshtriplett.org\u003e\n" }, { "commit": "8f92054e7ca1d3a3ae50fb42d2253ac8730d9b2a", "tree": "29d1bcf78bf04fe41c7e811f806f58d655c41f9f", "parents": [ "de09a9771a5346029f4d11e4ac886be7f9bfdd75" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jul 29 12:45:55 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jul 29 15:16:18 2010 -0700" }, "message": "CRED: Fix __task_cred()\u0027s lockdep check and banner comment\n\nFix __task_cred()\u0027s lockdep check by removing the following validation\ncondition:\n\n\tlockdep_tasklist_lock_is_held()\n\nas commit_creds() does not take the tasklist_lock, and nor do most of the\nfunctions that call it, so this check is pointless and it can prevent\ndetection of the RCU lock not being held if the tasklist_lock is held.\n\nInstead, add the following validation condition:\n\n\ttask-\u003eexit_state \u003e\u003d 0\n\nto permit the access if the target task is dead and therefore unable to change\nits own credentials.\n\nFix __task_cred()\u0027s comment to:\n\n (1) discard the bit that says that the caller must prevent the target task\n from being deleted. That shouldn\u0027t need saying.\n\n (2) Add a comment indicating the result of __task_cred() should not be passed\n directly to get_cred(), but rather than get_task_cred() should be used\n instead.\n\nAlso put a note into the documentation to enforce this point there too.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jiri Olsa \u003cjolsa@redhat.com\u003e\nCc: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "de09a9771a5346029f4d11e4ac886be7f9bfdd75", "tree": "ccce9e75753c98a9f38075d54ab98aa4b89e66c7", "parents": [ "540ad6b62b3a188a53b51cac81d8a60d40e29fbd" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jul 29 12:45:49 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jul 29 15:16:17 2010 -0700" }, "message": "CRED: Fix get_task_cred() and task_state() to not resurrect dead credentials\n\nIt\u0027s possible for get_task_cred() as it currently stands to \u0027corrupt\u0027 a set of\ncredentials by incrementing their usage count after their replacement by the\ntask being accessed.\n\nWhat happens is that get_task_cred() can race with commit_creds():\n\n\tTASK_1\t\t\tTASK_2\t\t\tRCU_CLEANER\n\t--\u003eget_task_cred(TASK_2)\n\trcu_read_lock()\n\t__cred \u003d __task_cred(TASK_2)\n\t\t\t\t--\u003ecommit_creds()\n\t\t\t\told_cred \u003d TASK_2-\u003ereal_cred\n\t\t\t\tTASK_2-\u003ereal_cred \u003d ...\n\t\t\t\tput_cred(old_cred)\n\t\t\t\t call_rcu(old_cred)\n\t\t[__cred-\u003eusage \u003d\u003d 0]\n\tget_cred(__cred)\n\t\t[__cred-\u003eusage \u003d\u003d 1]\n\trcu_read_unlock()\n\t\t\t\t\t\t\t--\u003eput_cred_rcu()\n\t\t\t\t\t\t\t[__cred-\u003eusage \u003d\u003d 1]\n\t\t\t\t\t\t\tpanic()\n\nHowever, since a tasks credentials are generally not changed very often, we can\nreasonably make use of a loop involving reading the creds pointer and using\natomic_inc_not_zero() to attempt to increment it if it hasn\u0027t already hit zero.\n\nIf successful, we can safely return the credentials in the knowledge that, even\nif the task we\u0027re accessing has released them, they haven\u0027t gone to the RCU\ncleanup code.\n\nWe then change task_state() in procfs to use get_task_cred() rather than\ncalling get_cred() on the result of __task_cred(), as that suffers from the\nsame problem.\n\nWithout this change, a BUG_ON in __put_cred() or in put_cred_rcu() can be\ntripped when it is noticed that the usage count is not zero as it ought to be,\nfor example:\n\nkernel BUG at kernel/cred.c:168!\ninvalid opcode: 0000 [#1] SMP\nlast sysfs file: /sys/kernel/mm/ksm/run\nCPU 0\nPid: 2436, comm: master Not tainted 2.6.33.3-85.fc13.x86_64 #1 0HR330/OptiPlex\n745\nRIP: 0010:[\u003cffffffff81069881\u003e] [\u003cffffffff81069881\u003e] __put_cred+0xc/0x45\nRSP: 0018:ffff88019e7e9eb8 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff880161514480 RCX: 00000000ffffffff\nRDX: 00000000ffffffff RSI: ffff880140c690c0 RDI: ffff880140c690c0\nRBP: ffff88019e7e9eb8 R08: 00000000000000d0 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000040 R12: ffff880140c690c0\nR13: ffff88019e77aea0 R14: 00007fff336b0a5c R15: 0000000000000001\nFS: 00007f12f50d97c0(0000) GS:ffff880007400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f461bc000 CR3: 00000001b26ce000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\nProcess master (pid: 2436, threadinfo ffff88019e7e8000, task ffff88019e77aea0)\nStack:\n ffff88019e7e9ec8 ffffffff810698cd ffff88019e7e9ef8 ffffffff81069b45\n\u003c0\u003e ffff880161514180 ffff880161514480 ffff880161514180 0000000000000000\n\u003c0\u003e ffff88019e7e9f28 ffffffff8106aace 0000000000000001 0000000000000246\nCall Trace:\n [\u003cffffffff810698cd\u003e] put_cred+0x13/0x15\n [\u003cffffffff81069b45\u003e] commit_creds+0x16b/0x175\n [\u003cffffffff8106aace\u003e] set_current_groups+0x47/0x4e\n [\u003cffffffff8106ac89\u003e] sys_setgroups+0xf6/0x105\n [\u003cffffffff81009b02\u003e] system_call_fastpath+0x16/0x1b\nCode: 48 8d 71 ff e8 7e 4e 15 00 85 c0 78 0b 8b 75 ec 48 89 df e8 ef 4a 15 00\n48 83 c4 18 5b c9 c3 55 8b 07 8b 07 48 89 e5 85 c0 74 04 \u003c0f\u003e 0b eb fe 65 48 8b\n04 25 00 cc 00 00 48 3b b8 58 04 00 00 75\nRIP [\u003cffffffff81069881\u003e] __put_cred+0xc/0x45\n RSP \u003cffff88019e7e9eb8\u003e\n---[ end trace df391256a100ebdd ]---\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jiri Olsa \u003cjolsa@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c70a626d3eba373514c72287c93588b6974a0059", "tree": "c23b890cbbeb824e52e1eaee6812bc88496a246d", "parents": [ "685bfd2c48bb3284d31e73ff3151c957d76deda9" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Wed May 26 14:43:01 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 27 09:12:45 2010 -0700" }, "message": "umh: creds: kill subprocess_info-\u003ecred logic\n\nNow that nobody ever changes subprocess_info-\u003ecred we can kill this member\nand related code. ____call_usermodehelper() always runs in the context of\nfreshly forked kernel thread, it has the proper -\u003ecred copied from its\nparent kthread, keventd.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: Neil Horman \u003cnhorman@tuxdriver.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "db1466b3e1bd1727375cdbfcbea4bcce2f860f61", "tree": "e56e8d7b82f8851e570d95f531ec62e4d107967a", "parents": [ "0e064caf6402d1d67db4233d26beec88ca212919" ], "author": { "name": "Paul E. McKenney", "email": "paulmck@linux.vnet.ibm.com", "time": "Wed Mar 03 07:46:56 2010 -0800" }, "committer": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Thu Mar 04 11:46:14 2010 +0100" }, "message": "rcu: Use wrapper function instead of exporting tasklist_lock\n\nLockdep-RCU commit d11c563d exported tasklist_lock, which is not\na good thing. This patch instead exports a function that uses\nlockdep to check whether tasklist_lock is held.\n\nSuggested-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nCc: laijs@cn.fujitsu.com\nCc: dipankar@in.ibm.com\nCc: mathieu.desnoyers@polymtl.ca\nCc: josh@joshtriplett.org\nCc: dvhltc@us.ibm.com\nCc: niv@us.ibm.com\nCc: peterz@infradead.org\nCc: rostedt@goodmis.org\nCc: Valdis.Kletnieks@vt.edu\nCc: dhowells@redhat.com\nCc: Christoph Hellwig \u003chch@lst.de\u003e\nLKML-Reference: \u003c1267631219-8713-1-git-send-email-paulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n" }, { "commit": "d11c563dd20ff35da5652c3e1c989d9e10e1d6d0", "tree": "b189f50de7a01d7603935d4da7e755d764dfe67e", "parents": [ "a898def29e4119bc01ebe7ca97423181f4c0ea2d" ], "author": { "name": "Paul E. McKenney", "email": "paulmck@linux.vnet.ibm.com", "time": "Mon Feb 22 17:04:50 2010 -0800" }, "committer": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Thu Feb 25 10:34:26 2010 +0100" }, "message": "sched: Use lockdep-based checking on rcu_dereference()\n\nUpdate the rcu_dereference() usages to take advantage of the new\nlockdep-based checking.\n\nSigned-off-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nCc: laijs@cn.fujitsu.com\nCc: dipankar@in.ibm.com\nCc: mathieu.desnoyers@polymtl.ca\nCc: josh@joshtriplett.org\nCc: dvhltc@us.ibm.com\nCc: niv@us.ibm.com\nCc: peterz@infradead.org\nCc: rostedt@goodmis.org\nCc: Valdis.Kletnieks@vt.edu\nCc: dhowells@redhat.com\nLKML-Reference: \u003c1266887105-1528-6-git-send-email-paulmck@linux.vnet.ibm.com\u003e\n[ -v2: fix allmodconfig missing symbol export build failure on x86 ]\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n" }, { "commit": "74908a0009eb36054190ab80deb9671014efed96", "tree": "c763a2ca3e5fa4d9b356ab1fe1f1f85da4321109", "parents": [ "43c1266ce4dc06bfd236cec31e11e9ecd69c0bef" ], "author": { "name": "Andrew Morton", "email": "akpm@linux-foundation.org", "time": "Thu Sep 17 17:47:12 2009 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 23 11:01:25 2009 -0700" }, "message": "include/linux/cred.h: fix build\n\nmips allmodconfig:\n\ninclude/linux/cred.h: In function `creds_are_invalid\u0027:\ninclude/linux/cred.h:187: error: `PAGE_SIZE\u0027 undeclared (first use in this function)\ninclude/linux/cred.h:187: error: (Each undeclared identifier is reported only once\ninclude/linux/cred.h:187: error: for each function it appears in.)\n\nFixes\n\ncommit b6dff3ec5e116e3af6f537d4caedcad6b9e5082a\nAuthor: David Howells \u003cdhowells@redhat.com\u003e\nAuthorDate: Fri Nov 14 10:39:16 2008 +1100\nCommit: James Morris \u003cjmorris@namei.org\u003e\nCommitDate: Fri Nov 14 10:39:16 2008 +1100\n\n CRED: Separate task security context from task_struct\n\nI think.\n\nIt\u0027s way too large to be inlined anyway.\n\nDunno if this needs an EXPORT_SYMBOL() yet.\n\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ed868a56988464cd31de0302426a5e94d3127f10", "tree": "cdcd1715445aa19051b6a9a671b39250a449333a", "parents": [ "86d710146fb9975f04c505ec78caa43d227c1018" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Sat Sep 12 22:54:10 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Sep 14 12:34:07 2009 +1000" }, "message": "Creds: creds-\u003esecurity can be NULL is selinux is disabled\n\n__validate_process_creds should check if selinux is actually enabled before\nrunning tests on the selinux portion of the credentials struct.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ee18d64c1f632043a02e6f5ba5e045bb26a5465f", "tree": "80b5a4d530ec7d5fd69799920f0db7b78aba6b9d", "parents": [ "d0420c83f39f79afb82010c2d2cafd150eef651b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:14:21 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:22 2009 +1000" }, "message": "KEYS: Add a keyctl to install a process\u0027s session keyring on its parent [try #6]\n\nAdd a keyctl to install a process\u0027s session keyring onto its parent. This\nreplaces the parent\u0027s session keyring. Because the COW credential code does\nnot permit one process to change another process\u0027s credentials directly, the\nchange is deferred until userspace next starts executing again. Normally this\nwill be after a wait*() syscall.\n\nTo support this, three new security hooks have been provided:\ncred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in\nthe blank security creds and key_session_to_parent() - which asks the LSM if\nthe process may replace its parent\u0027s session keyring.\n\nThe replacement may only happen if the process has the same ownership details\nas its parent, and the process has LINK permission on the session keyring, and\nthe session keyring is owned by the process, and the LSM permits it.\n\nNote that this requires alteration to each architecture\u0027s notify_resume path.\nThis has been done for all arches barring blackfin, m68k* and xtensa, all of\nwhich need assembly alteration to support TIF_NOTIFY_RESUME. This allows the\nreplacement to be performed at the point the parent process resumes userspace\nexecution.\n\nThis allows the userspace AFS pioctl emulation to fully emulate newpag() and\nthe VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to\nalter the parent process\u0027s PAG membership. However, since kAFS doesn\u0027t use\nPAGs per se, but rather dumps the keys into the session keyring, the session\nkeyring of the parent must be replaced if, for example, VIOCSETTOK is passed\nthe newpag flag.\n\nThis can be tested with the following program:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\n\t#define KEYCTL_SESSION_TO_PARENT\t18\n\n\t#define OSERROR(X, S) do { if ((long)(X) \u003d\u003d -1) { perror(S); exit(1); } } while(0)\n\n\tint main(int argc, char **argv)\n\t{\n\t\tkey_serial_t keyring, key;\n\t\tlong ret;\n\n\t\tkeyring \u003d keyctl_join_session_keyring(argv[1]);\n\t\tOSERROR(keyring, \"keyctl_join_session_keyring\");\n\n\t\tkey \u003d add_key(\"user\", \"a\", \"b\", 1, keyring);\n\t\tOSERROR(key, \"add_key\");\n\n\t\tret \u003d keyctl(KEYCTL_SESSION_TO_PARENT);\n\t\tOSERROR(ret, \"KEYCTL_SESSION_TO_PARENT\");\n\n\t\treturn 0;\n\t}\n\nCompiled and linked with -lkeyutils, you should see something like:\n\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t355907932 --alswrv 4043 -1 \\_ keyring: _uid.4043\n\t[dhowells@andromeda ~]$ /tmp/newpag\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t1055658746 --alswrv 4043 4043 \\_ user: a\n\t[dhowells@andromeda ~]$ /tmp/newpag hello\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: hello\n\t340417692 --alswrv 4043 4043 \\_ user: a\n\nWhere the test program creates a new session keyring, sticks a user key named\n\u0027a\u0027 into it and then installs it on its parent.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e0e817392b9acf2c98d3be80c233dddb1b52003d", "tree": "ee680c020039313c9f9c40ab3542bb30a7363381", "parents": [ "ed6d76e4c32de0c2ad5f1d572b948ef49e465176" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:13:40 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:01 2009 +1000" }, "message": "CRED: Add some configurable debugging [try #6]\n\nAdd a config option (CONFIG_DEBUG_CREDENTIALS) to turn on some debug checking\nfor credential management. The additional code keeps track of the number of\npointers from task_structs to any given cred struct, and checks to see that\nthis number never exceeds the usage count of the cred struct (which includes\nall references, not just those from task_structs).\n\nFurthermore, if SELinux is enabled, the code also checks that the security\npointer in the cred struct is never seen to be invalid.\n\nThis attempts to catch the bug whereby inode_has_perm() faults in an nfsd\nkernel thread on seeing cred-\u003esecurity be a NULL pointer (it appears that the\ncredential struct has been previously released):\n\n\thttp://www.kerneloops.org/oops.php?number\u003d252883\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1c388ad054fb1ead3dc354b1719570b99e464135", "tree": "6ec1bacaf6b75c23562fd0474b3110915a5ba065", "parents": [ "967cc5371113f9806b39a2ebb2174af2883d96fe" ], "author": { "name": "Paul Menage", "email": "menage@google.com", "time": "Fri Jul 17 16:16:18 2009 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 20 08:45:25 2009 +1000" }, "message": "include/linux/cred.h: work around gcc-4.2.4 warning in get_cred()\n\nWith gcc 4.2.4 (building UML) I get the warning\n\ninclude/linux/cred.h: In function \u0027get_cred\u0027:\ninclude/linux/cred.h:189: warning: passing argument 1 of\n\u0027get_new_cred\u0027 discards qualifiers from pointer target type\n\nInserting an additional local variable appears to keep the compiler happy,\nalthough it\u0027s not clear to me why this should be needed.\n\nSigned-off-by: Paul Menage \u003cmenage@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b2e1feaf0af6b8a826b86748a19ddc2013ab7dbd", "tree": "73db46aa2824e4b6882f585f6e09a1a2f1ac9b2c", "parents": [ "6d2661ede5f20f968422e790af3334908c3bc857" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Thu May 28 14:34:20 2009 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 29 08:40:01 2009 -0700" }, "message": "cred: #include init.h in cred.h\n\nlinux/cred.h can\u0027t be included as first header (alphabetical order)\nbecause it uses __init which is enough to break compilation on some archs.\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "18b6e0414e42d95183f07d8177e3ff0241abd825", "tree": "91ca2f2d442055e31eb7bb551bf7060f3f4c4cc7", "parents": [ "9789cfe22e5d7bc10cad841a4ea96ecedb34b267" ], "author": { "name": "Serge Hallyn", "email": "serue@us.ibm.com", "time": "Wed Oct 15 16:38:45 2008 -0500" }, "committer": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Mon Nov 24 18:57:41 2008 -0500" }, "message": "User namespaces: set of cleanups (v2)\n\nThe user_ns is moved from nsproxy to user_struct, so that a struct\ncred by itself is sufficient to determine access (which it otherwise\nwould not be). Corresponding ecryptfs fixes (by David Howells) are\nhere as well.\n\nFix refcounting. The following rules now apply:\n 1. The task pins the user struct.\n 2. The user struct pins its user namespace.\n 3. The user namespace pins the struct user which created it.\n\nUser namespaces are cloned during copy_creds(). Unsharing a new user_ns\nis no longer possible. (We could re-add that, but it\u0027ll cause code\nduplication and doesn\u0027t seem useful if PAM doesn\u0027t need to clone user\nnamespaces).\n\nWhen a user namespace is created, its first user (uid 0) gets empty\nkeyrings and a clean group_info.\n\nThis incorporates a previous patch by David Howells. Here\nis his original patch description:\n\n\u003eI suggest adding the attached incremental patch. It makes the following\n\u003echanges:\n\u003e\n\u003e (1) Provides a current_user_ns() macro to wrap accesses to current\u0027s user\n\u003e namespace.\n\u003e\n\u003e (2) Fixes eCryptFS.\n\u003e\n\u003e (3) Renames create_new_userns() to create_user_ns() to be more consistent\n\u003e with the other associated functions and because the \u0027new\u0027 in the name is\n\u003e superfluous.\n\u003e\n\u003e (4) Moves the argument and permission checks made for CLONE_NEWUSER to the\n\u003e beginning of do_fork() so that they\u0027re done prior to making any attempts\n\u003e at allocation.\n\u003e\n\u003e (5) Calls create_user_ns() after prepare_creds(), and gives it the new creds\n\u003e to fill in rather than have it return the new root user. I don\u0027t imagine\n\u003e the new root user being used for anything other than filling in a cred\n\u003e struct.\n\u003e\n\u003e This also permits me to get rid of a get_uid() and a free_uid(), as the\n\u003e reference the creds were holding on the old user_struct can just be\n\u003e transferred to the new namespace\u0027s creator pointer.\n\u003e\n\u003e (6) Makes create_user_ns() reset the UIDs and GIDs of the creds under\n\u003e preparation rather than doing it in copy_creds().\n\u003e\n\u003eDavid\n\n\u003eSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n\nChangelog:\n\tOct 20: integrate dhowells comments\n\t\t1. leave thread_keyring alone\n\t\t2. use current_user_ns() in set_user()\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\n" }, { "commit": "3a3b7ce9336952ea7b9564d976d068a238976c9d", "tree": "3f0a3be33022492161f534636a20a4b1059f8236", "parents": [ "1bfdc75ae077d60a01572a7781ec6264d55ab1b9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "message": "CRED: Allow kernel services to override LSM settings for task actions\n\nAllow kernel services to override LSM settings appropriate to the actions\nperformed by a task by duplicating a set of credentials, modifying it and then\nusing task_struct::cred to point to it when performing operations on behalf of\na task.\n\nThis is used, for example, by CacheFiles which has to transparently access the\ncache on behalf of a process that thinks it is doing, say, NFS accesses with a\npotentially inappropriate (with respect to accessing the cache) set of\ncredentials.\n\nThis patch provides two LSM hooks for modifying a task security record:\n\n (*) security_kernel_act_as() which allows modification of the security datum\n with which a task acts on other objects (most notably files).\n\n (*) security_kernel_create_files_as() which allows modification of the\n security datum that is used to initialise the security data on a file that\n a task creates.\n\nThe patch also provides four new credentials handling functions, which wrap the\nLSM functions:\n\n (1) prepare_kernel_cred()\n\n Prepare a set of credentials for a kernel service to use, based either on\n a daemon\u0027s credentials or on init_cred. All the keyrings are cleared.\n\n (2) set_security_override()\n\n Set the LSM security ID in a set of credentials to a specific security\n context, assuming permission from the LSM policy.\n\n (3) set_security_override_from_ctx()\n\n As (2), but takes the security context as a string.\n\n (4) set_create_files_as()\n\n Set the file creation LSM security ID in a set of credentials to be the\n same as that on a particular inode.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e [Smack changes]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3b11a1decef07c19443d24ae926982bc8ec9f4c0", "tree": "b6555f0e5b07f4b2badd332a0a900b974920c49d", "parents": [ "98870ab0a5a3f1822aee681d2997017e1c87d026" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "message": "CRED: Differentiate objective and effective subjective credentials on a task\n\nDifferentiate the objective and real subjective credentials from the effective\nsubjective credentials on a task by introducing a second credentials pointer\ninto the task_struct.\n\ntask_struct::real_cred then refers to the objective and apparent real\nsubjective credentials of a task, as perceived by the other tasks in the\nsystem.\n\ntask_struct::cred then refers to the effective subjective credentials of a\ntask, as used by that task when it\u0027s actually running. These are not visible\nto the other tasks in the system.\n\n__task_cred(task) then refers to the objective/real credentials of the task in\nquestion.\n\ncurrent_cred() refers to the effective subjective credentials of the current\ntask.\n\nprepare_creds() uses the objective creds as a base and commit_creds() changes\nboth pointers in the task_struct (indeed commit_creds() requires them to be the\nsame).\n\noverride_creds() and revert_creds() change the subjective creds pointer only,\nand the former returns the old subjective creds. These are used by NFSD,\nfaccessat() and do_coredump(), and will by used by CacheFiles.\n\nIn SELinux, current_has_perm() is provided as an alternative to\ntask_has_perm(). This uses the effective subjective context of current,\nwhereas task_has_perm() uses the objective/real context of the subject.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "98870ab0a5a3f1822aee681d2997017e1c87d026", "tree": "4f28b9732777b114d5ef2f1647289a48e00a6fda", "parents": [ "d76b0d9b2d87cfc95686e148767cbf7d0e22bdc0" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:26 2008 +1100" }, "message": "CRED: Documentation\n\nDocument credentials and the new credentials API.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d", "tree": "8f95617996d0974507f176163459212a7def8b9a", "parents": [ "d84f4f992cbd76e8f39c488cf0c5d123843923b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Make execve() take advantage of copy-on-write credentials\n\nMake execve() take advantage of copy-on-write credentials, allowing it to set\nup the credentials in advance, and then commit the whole lot after the point\nof no return.\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n The credential bits from struct linux_binprm are, for the most part,\n replaced with a single credentials pointer (bprm-\u003ecred). This means that\n all the creds can be calculated in advance and then applied at the point\n of no return with no possibility of failure.\n\n I would like to replace bprm-\u003ecap_effective with:\n\n\tcap_isclear(bprm-\u003ecap_effective)\n\n but this seems impossible due to special behaviour for processes of pid 1\n (they always retain their parent\u0027s capability masks where normally they\u0027d\n be changed - see cap_bprm_set_creds()).\n\n The following sequence of events now happens:\n\n (a) At the start of do_execve, the current task\u0027s cred_exec_mutex is\n \t locked to prevent PTRACE_ATTACH from obsoleting the calculation of\n \t creds that we make.\n\n (a) prepare_exec_creds() is then called to make a copy of the current\n \t task\u0027s credentials and prepare it. This copy is then assigned to\n \t bprm-\u003ecred.\n\n \t This renders security_bprm_alloc() and security_bprm_free()\n \t unnecessary, and so they\u0027ve been removed.\n\n (b) The determination of unsafe execution is now performed immediately\n \t after (a) rather than later on in the code. The result is stored in\n \t bprm-\u003eunsafe for future reference.\n\n (c) prepare_binprm() is called, possibly multiple times.\n\n \t (i) This applies the result of set[ug]id binaries to the new creds\n \t attached to bprm-\u003ecred. Personality bit clearance is recorded,\n \t but now deferred on the basis that the exec procedure may yet\n \t fail.\n\n (ii) This then calls the new security_bprm_set_creds(). This should\n\t calculate the new LSM and capability credentials into *bprm-\u003ecred.\n\n\t This folds together security_bprm_set() and parts of\n\t security_bprm_apply_creds() (these two have been removed).\n\t Anything that might fail must be done at this point.\n\n (iii) bprm-\u003ecred_prepared is set to 1.\n\n\t bprm-\u003ecred_prepared is 0 on the first pass of the security\n\t calculations, and 1 on all subsequent passes. This allows SELinux\n\t in (ii) to base its calculations only on the initial script and\n\t not on the interpreter.\n\n (d) flush_old_exec() is called to commit the task to execution. This\n \t performs the following steps with regard to credentials:\n\n\t (i) Clear pdeath_signal and set dumpable on certain circumstances that\n\t may not be covered by commit_creds().\n\n (ii) Clear any bits in current-\u003epersonality that were deferred from\n (c.i).\n\n (e) install_exec_creds() [compute_creds() as was] is called to install the\n \t new credentials. This performs the following steps with regard to\n \t credentials:\n\n (i) Calls security_bprm_committing_creds() to apply any security\n requirements, such as flushing unauthorised files in SELinux, that\n must be done before the credentials are changed.\n\n\t This is made up of bits of security_bprm_apply_creds() and\n\t security_bprm_post_apply_creds(), both of which have been removed.\n\t This function is not allowed to fail; anything that might fail\n\t must have been done in (c.ii).\n\n (ii) Calls commit_creds() to apply the new credentials in a single\n assignment (more or less). Possibly pdeath_signal and dumpable\n should be part of struct creds.\n\n\t (iii) Unlocks the task\u0027s cred_replace_mutex, thus allowing\n\t PTRACE_ATTACH to take place.\n\n (iv) Clears The bprm-\u003ecred pointer as the credentials it was holding\n are now immutable.\n\n (v) Calls security_bprm_committed_creds() to apply any security\n alterations that must be done after the creds have been changed.\n SELinux uses this to flush signals and signal handlers.\n\n (f) If an error occurs before (d.i), bprm_free() will call abort_creds()\n \t to destroy the proposed new credentials and will then unlock\n \t cred_replace_mutex. No changes to the credentials will have been\n \t made.\n\n (2) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_bprm_alloc(), -\u003ebprm_alloc_security()\n (*) security_bprm_free(), -\u003ebprm_free_security()\n\n \t Removed in favour of preparing new credentials and modifying those.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n (*) security_bprm_post_apply_creds(), -\u003ebprm_post_apply_creds()\n\n \t Removed; split between security_bprm_set_creds(),\n \t security_bprm_committing_creds() and security_bprm_committed_creds().\n\n (*) security_bprm_set(), -\u003ebprm_set_security()\n\n \t Removed; folded into security_bprm_set_creds().\n\n (*) security_bprm_set_creds(), -\u003ebprm_set_creds()\n\n \t New. The new credentials in bprm-\u003ecreds should be checked and set up\n \t as appropriate. bprm-\u003ecred_prepared is 0 on the first call, 1 on the\n \t second and subsequent calls.\n\n (*) security_bprm_committing_creds(), -\u003ebprm_committing_creds()\n (*) security_bprm_committed_creds(), -\u003ebprm_committed_creds()\n\n \t New. Apply the security effects of the new credentials. This\n \t includes closing unauthorised files in SELinux. This function may not\n \t fail. When the former is called, the creds haven\u0027t yet been applied\n \t to the process; when the latter is called, they have.\n\n \t The former may access bprm-\u003ecred, the latter may not.\n\n (3) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) The bprm_security_struct struct has been removed in favour of using\n \t the credentials-under-construction approach.\n\n (c) flush_unauthorized_files() now takes a cred pointer and passes it on\n \t to inode_has_perm(), file_has_perm() and dentry_open().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bb952bb98a7e479262c7eb25d5592545a3af147d", "tree": "9a2158c07a22a5fbddcec412944d2e7534eecc8f", "parents": [ "275bb41e9d058fbb327e7642f077e1beaeac162e" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:20 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:20 2008 +1100" }, "message": "CRED: Separate per-task-group keyrings from signal_struct\n\nSeparate per-task-group keyrings from signal_struct and dangle their anchor\nfrom the cred struct rather than the signal_struct.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c69e8d9c01db2adc503464993c358901c9af9de4", "tree": "bed94aaa9aeb7a7834d1c880f72b62a11a752c78", "parents": [ "86a264abe542cfececb4df129bc45a0338d8cdb9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:19 2008 +1100" }, "message": "CRED: Use RCU to access another task\u0027s creds and to release a task\u0027s own creds\n\nUse RCU to access another task\u0027s creds and to release a task\u0027s own creds.\nThis means that it will be possible for the credentials of a task to be\nreplaced without another task (a) requiring a full lock to read them, and (b)\nseeing deallocated memory.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "86a264abe542cfececb4df129bc45a0338d8cdb9", "tree": "30152f04ba847f311028d5ca697f864c16c7ebb3", "parents": [ "f1752eec6145c97163dbce62d17cf5d928e28a27" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:18 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:18 2008 +1100" }, "message": "CRED: Wrap current-\u003ecred and a few other accessors\n\nWrap current-\u003ecred and a few other accessors to hide their actual\nimplementation.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f1752eec6145c97163dbce62d17cf5d928e28a27", "tree": "16bc51166d38815092de36a461b845b0b4b522f9", "parents": [ "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:17 2008 +1100" }, "message": "CRED: Detach the credentials from task_struct\n\nDetach the credentials from task_struct, duplicating them in copy_process()\nand releasing them in __put_task_struct().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a", "tree": "9e76f972eb7ce9b84e0146c8e4126a3f86acb428", "parents": [ "15a2460ed0af7538ca8e6c610fe607a2cd9da142" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "message": "CRED: Separate task security context from task_struct\n\nSeparate the task security context from task_struct. At this point, the\nsecurity data is temporarily embedded in the task_struct with two pointers\npointing to it.\n\nNote that the Alpha arch is altered as it refers to (E)UID and (E)GID in\nentry.S via asm-offsets.\n\nWith comment fixes Signed-off-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9e2b2dc4133f65272a6d3c5dcb2ce63f8a87cae9", "tree": "96a9da2c1e733cce2dced4868aaa68b48ced49e1", "parents": [ "8d0968abd03ec6b407df117adc773562386702fa" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Aug 13 16:20:04 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 14 09:35:23 2008 +1000" }, "message": "CRED: Introduce credential access wrappers\n\nThe patches that are intended to introduce copy-on-write credentials for 2.6.28\nrequire abstraction of access to some fields of the task structure,\nparticularly for the case of one task accessing another\u0027s credentials where RCU\nwill have to be observed.\n\nIntroduced here are trivial no-op versions of the desired accessors for current\nand other tasks so that other subsystems can start to be converted over more\neasily.\n\nWrappers are introduced into a new header (linux/cred.h) for UID/GID,\nEUID/EGID, SUID/SGID, FSUID/FSGID, cap_effective and current\u0027s subscribed\nuser_struct. These wrappers are macros because the ordering between header\nfiles mitigates against making them inline functions.\n\nlinux/cred.h is #included from linux/sched.h.\n\nFurther, XFS is modified such that it no longer defines and uses parameterised\nversions of current_fs[ug]id(), thus getting rid of the namespace collision\notherwise incurred.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ] }