)]}' { "log": [ { "commit": "e0007529893c1c064be90bd21422ca0da4a0198e", "tree": "c2334ba940e682183a18d18972cf95bd3a3da46a", "parents": [ "29e8c3c304b62f31b799565c9ee85d42bd163f80" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Mar 05 10:31:54 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 06 08:40:53 2008 +1100" }, "message": "LSM/SELinux: Interfaces to allow FS to control mount options\n\nIntroduce new LSM interfaces to allow an FS to deal with their own mount\noptions. This includes a new string parsing function exported from the\nLSM that an FS can use to get a security data blob and a new security\ndata blob. This is particularly useful for an FS which uses binary\nmount data, like NFS, which does not pass strings into the vfs to be\nhandled by the loaded LSM. Also fix a BUG() in both SELinux and SMACK\nwhen dealing with binary mount data. If the binary mount data is less\nthan one page the copy_page() in security_sb_copy_data() can cause an\nillegal page fault and boom. Remove all NFSisms from the SELinux code\nsince they were broken by past NFS changes.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "44707fdf5938ad269ea5d6c5744d82f6a7328746", "tree": "7eb1704418eb41b859ad24bc48f6400135474d87", "parents": [ "a03a8a709a0c34b61b7aea1d54a0473a6b941fdb" ], "author": { "name": "Jan Blunck", "email": "jblunck@suse.de", "time": "Thu Feb 14 19:38:33 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Feb 14 21:17:08 2008 -0800" }, "message": "d_path: Use struct path in struct avc_audit_data\n\naudit_log_d_path() is a d_path() wrapper that is used by the audit code. To\nuse a struct path in audit_log_d_path() I need to embed it into struct\navc_audit_data.\n\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Jan Blunck \u003cjblunck@suse.de\u003e\nAcked-by: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: \"J. Bruce Fields\" \u003cbfields@fieldses.org\u003e\nCc: Neil Brown \u003cneilb@suse.de\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4ac9137858e08a19f29feac4e1f4df7c268b0ba5", "tree": "f5b5d84fd12fcc2b0ba0e7ce1a79ff381ad8f5dd", "parents": [ "c5e725f33b733a77de622e91b6ba5645fcf070be" ], "author": { "name": "Jan Blunck", "email": "jblunck@suse.de", "time": "Thu Feb 14 19:34:32 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Feb 14 21:13:33 2008 -0800" }, "message": "Embed a struct path into struct nameidata instead of nd-\u003e{dentry,mnt}\n\nThis is the central patch of a cleanup series. In most cases there is no good\nreason why someone would want to use a dentry for itself. This series reflects\nthat fact and embeds a struct path into nameidata.\n\nTogether with the other patches of this series\n- it enforced the correct order of getting/releasing the reference count on\n \u003cdentry,vfsmount\u003e pairs\n- it prepares the VFS for stacking support since it is essential to have a\n struct path in every place where the stack can be traversed\n- it reduces the overall code size:\n\nwithout patch series:\n text data bss dec hex filename\n5321639 858418 715768 6895825 6938d1 vmlinux\n\nwith patch series:\n text data bss dec hex filename\n5320026 858418 715768 6894212 693284 vmlinux\n\nThis patch:\n\nSwitch from nd-\u003e{dentry,mnt} to nd-\u003epath.{dentry,mnt} everywhere.\n\n[akpm@linux-foundation.org: coding-style fixes]\n[akpm@linux-foundation.org: fix cifs]\n[akpm@linux-foundation.org: fix smack]\nSigned-off-by: Jan Blunck \u003cjblunck@suse.de\u003e\nSigned-off-by: Andreas Gruenbacher \u003cagruen@suse.de\u003e\nAcked-by: Christoph Hellwig \u003chch@lst.de\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b68e418c445e8a468634d0a7ca2fb63bbaa74028", "tree": "e49b4a94ef28a9288ed6735a994387205b7cc5bd", "parents": [ "19af35546de68c872dcb687613e0902a602cb20e" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Thu Feb 07 11:21:04 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Feb 11 20:30:02 2008 +1100" }, "message": "selinux: support 64-bit capabilities\n\nFix SELinux to handle 64-bit capabilities correctly, and to catch\nfuture extensions of capabilities beyond 64 bits to ensure that SELinux\nis properly updated.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "42492594043d621a7910ff5877c3eb9202870b45", "tree": "9188d112c019a189606847dc1d90ccc63c1bacf2", "parents": [ "3729145821e3088a0c3c4183037fde356204bf97" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Mon Feb 04 22:29:39 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "VFS/Security: Rework inode_getsecurity and callers to return resulting buffer\n\nThis patch modifies the interface to inode_getsecurity to have the function\nreturn a buffer containing the security blob and its length via parameters\ninstead of relying on the calling function to give it an appropriately sized\nbuffer.\n\nSecurity blobs obtained with this function should be freed using the\nrelease_secctx LSM hook. This alleviates the problem of the caller having to\nguess a length and preallocate a buffer for this function allowing it to be\nused elsewhere for Labeled NFS.\n\nThe patch also removed the unused err parameter. The conversion is similar to\nthe one performed by Al Viro for the security_getprocattr hook.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "374ea019cacfa8b69ae49eea993b74cb5968970b", "tree": "822718af14d91f3beabbde3e9d5758c055e3bef8", "parents": [ "71f1cb05f773661b6fa98c7a635d7a395cd9c55d" ], "author": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Tue Jan 29 00:11:52 2008 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:44 2008 +1100" }, "message": "selinux: make selinux_set_mnt_opts() static\n\nselinux_set_mnt_opts() can become static.\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "71f1cb05f773661b6fa98c7a635d7a395cd9c55d", "tree": "a540f89c5d1d081ea2c09105f264adce44d92fa9", "parents": [ "effad8df44261031a882e1a895415f7186a5098e" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:51:16 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:30 2008 +1100" }, "message": "SELinux: Add warning messages on network denial due to error\n\nCurrently network traffic can be sliently dropped due to non-avc errors which\ncan lead to much confusion when trying to debug the problem. This patch adds\nwarning messages so that when these events occur there is a user visible\nnotification.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "effad8df44261031a882e1a895415f7186a5098e", "tree": "42c04b3247ede13077546e13f82fe3da83ce7b90", "parents": [ "13541b3adad2dc2f56761c5193c2b88db3597f0e" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:49:27 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:30 2008 +1100" }, "message": "SELinux: Add network ingress and egress control permission checks\n\nThis patch implements packet ingress/egress controls for SELinux which allow\nSELinux security policy to control the flow of all IPv4 and IPv6 packets into\nand out of the system. Currently SELinux does not have proper control over\nforwarded packets and this patch corrects this problem.\n\nSpecial thanks to Venkat Yekkirala \u003cvyekkirala@trustedcs.com\u003e whose earlier\nwork on this topic eventually led to this patch.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5dbe1eb0cfc144a2b0cb1466e22bcb6fc34229a8", "tree": "e1e028acaf0dd08cbcacd2c125f60230f820b442", "parents": [ "d621d35e576aa20a0ddae8022c3810f38357c8ff" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:44:18 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:27 2008 +1100" }, "message": "SELinux: Allow NetLabel to directly cache SIDs\n\nNow that the SELinux NetLabel \"base SID\" is always the netmsg initial SID we\ncan do a big optimization - caching the SID and not just the MLS attributes.\nThis not only saves a lot of per-packet memory allocations and copies but it\nhas a nice side effect of removing a chunk of code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d621d35e576aa20a0ddae8022c3810f38357c8ff", "tree": "318e8aa890dbe715b901b11b019ebac3badb693d", "parents": [ "220deb966ea51e0dedb6a187c0763120809f3e64" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:43:36 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:26 2008 +1100" }, "message": "SELinux: Enable dynamic enable/disable of the network access checks\n\nThis patch introduces a mechanism for checking when labeled IPsec or SECMARK\nare in use by keeping introducing a configuration reference counter for each\nsubsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry\nis created the labeled IPsec/XFRM reference count is increased and when the\nentry is removed it is decreased. In the case of SECMARK, when a SECMARK\ntarget is created the reference count is increased and later decreased when the\ntarget is removed. These reference counters allow SELinux to quickly determine\nif either of these subsystems are enabled.\n\nNetLabel already has a similar mechanism which provides the netlbl_enabled()\nfunction.\n\nThis patch also renames the selinux_relabel_packet_permission() function to\nselinux_secmark_relabel_packet_permission() as the original name and\ndescription were misleading in that they referenced a single packet label which\nis not the case.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "220deb966ea51e0dedb6a187c0763120809f3e64", "tree": "7d0e5dd8048907c364b4eeff294991937b466c7e", "parents": [ "f67f4f315f31e7907779adb3296fb6682e755342" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:23 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:25 2008 +1100" }, "message": "SELinux: Better integration between peer labeling subsystems\n\nRework the handling of network peer labels so that the different peer labeling\nsubsystems work better together. This includes moving both subsystems to a\nsingle \"peer\" object class which involves not only changes to the permission\nchecks but an improved method of consolidating multiple packet peer labels.\nAs part of this work the inbound packet permission check code has been heavily\nmodified to handle both the old and new behavior in as sane a fashion as\npossible.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "224dfbd81e1ff672eb46e7695469c395bd531083", "tree": "c89c3ab606634a7174db8807b2633df8bb024b8c", "parents": [ "da5645a28a15aed2e541a814ecf9f7ffcd4c4673" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:13 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:23 2008 +1100" }, "message": "SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions\n\nThis patch adds a SELinux IP address/node SID caching mechanism similar to the\nsel_netif_*() functions. The node SID queries in the SELinux hooks files are\nalso modified to take advantage of this new functionality. In addition, remove\nthe address length information from the sk_buff parsing routines as it is\nredundant since we already have the address family.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "da5645a28a15aed2e541a814ecf9f7ffcd4c4673", "tree": "8cedccebd0e12308de30573ad593d703943e3cbb", "parents": [ "e8bfdb9d0dfc1231a6a71e849dfbd4447acdfff6" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:10 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:22 2008 +1100" }, "message": "SELinux: Only store the network interface\u0027s ifindex\n\nInstead of storing the packet\u0027s network interface name store the ifindex. This\nallows us to defer the need to lookup the net_device structure until the audit\nrecord is generated meaning that in the majority of cases we never need to\nbother with this at all.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e8bfdb9d0dfc1231a6a71e849dfbd4447acdfff6", "tree": "0d786c0ad972e43d1128296b8e7ae47275ab3ebd", "parents": [ "75e22910cf0c26802b09dac2e34c13e648d3ed02" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:08 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:21 2008 +1100" }, "message": "SELinux: Convert the netif code to use ifindex values\n\nThe current SELinux netif code requires the caller have a valid net_device\nstruct pointer to lookup network interface information. However, we don\u0027t\nalways have a valid net_device pointer so convert the netif code to use\nthe ifindex values we always have as part of the sk_buff. This patch also\nremoves the default message SID from the network interface record, it is\nnot being used and therefore is \"dead code\".\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "75e22910cf0c26802b09dac2e34c13e648d3ed02", "tree": "bf5f5c62f6db8a3057a0265dc7748bf310d26d4a", "parents": [ "16efd45435fa695b501b7f73c3259bd7c77cc12c" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:04 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:20 2008 +1100" }, "message": "NetLabel: Add IP address family information to the netlbl_skbuff_getattr() function\n\nIn order to do any sort of IP header inspection of incoming packets we need to\nknow which address family, AF_INET/AF_INET6/etc., it belongs to and since the\nsk_buff structure does not store this information we need to pass along the\naddress family separate from the packet itself.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6e23ae2a48750bda407a4a58f52a4865d7308bf5", "tree": "633fd60b2a42bf6fdb86564f0c05a6d52d8dc92b", "parents": [ "1bf06cd2e338fd6fc29169d30eaf0df982338285" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Mon Nov 19 18:53:30 2007 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Jan 28 14:53:55 2008 -0800" }, "message": "[NETFILTER]: Introduce NF_INET_ hook values\n\nThe IPv4 and IPv6 hook values are identical, yet some code tries to figure\nout the \"correct\" value by looking at the address family. Introduce NF_INET_*\nvalues for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__\nsection for userspace compatibility.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nAcked-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "63cb34492351078479b2d4bae6a881806a396286", "tree": "d33ab15eda40c5195c4a723d9e49591a9b4950f9", "parents": [ "c43e259cc756ece387faae849af0058b56d78466" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jan 15 23:47:35 2008 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:53 2008 +1100" }, "message": "security: add a secctx_to_secid() hook\n\nAdd a secctx_to_secid() LSM hook to go along with the existing\nsecid_to_secctx() LSM hook. This patch also includes the SELinux\nimplementation for this hook.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c9180a57a9ab2d5525faf8815a332364ee9e89b7", "tree": "c677ec33735f3529d478a2b71fcc732d4fe59adf", "parents": [ "19c5fc198c369bb00f3ed9716ef40648865d8d94" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Nov 30 13:00:35 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:46 2008 +1100" }, "message": "Security: add get, set, and cloning of superblock security information\n\nAdds security_get_sb_mnt_opts, security_set_sb_mnt_opts, and\nsecurity_clont_sb_mnt_opts to the LSM and to SELinux. This will allow\nfilesystems to directly own and control all of their mount options if they\nso choose. This interface deals only with option identifiers and strings so\nit should generic enough for any LSM which may come in the future.\n\nFilesystems which pass text mount data around in the kernel (almost all of\nthem) need not currently make use of this interface when dealing with\nSELinux since it will still parse those strings as it always has. I assume\nfuture LSM\u0027s would do the same. NFS is the primary FS which does not use\ntext mount data and thus must make use of this interface.\n\nAn LSM would need to implement these functions only if they had mount time\noptions, such as selinux has context\u003d or fscontext\u003d. If the LSM has no\nmount time options they could simply not implement and let the dummy ops\ntake care of things.\n\nAn LSM other than SELinux would need to define new option numbers in\nsecurity.h and any FS which decides to own there own security options would\nneed to be patched to use this new interface for every possible LSM. This\nis because it was stated to me very clearly that LSM\u0027s should not attempt to\nunderstand FS mount data and the burdon to understand security should be in\nthe FS which owns the options.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8a53514043e380aa573baa805298a7727c993985", "tree": "869d2c0f90390814430fc6639914dc8ea4c0c9c6", "parents": [ "55b70a0300b873c0ec7ea6e33752af56f41250ce" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 22 16:10:31 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Oct 23 08:47:48 2007 +1000" }, "message": "SELinux: always check SIGCHLD in selinux_task_wait\n\nWhen checking if we can wait on a child we were looking at\np-\u003eexit_signal and trying to make the decision based on if the signal\nwould eventually be allowed. One big flaw is that p-\u003eexit_signal is -1\nfor NPTL threads and so aignal_to_av was not actually checking SIGCHLD\nwhich is what would have been sent. Even is exit_signal was set to\nsomething strange it wouldn\u0027t change the fact that the child was there\nand needed to be waited on. This patch just assumes wait is based on\nSIGCHLD. Specific permission checks are made when the child actually\nattempts to send a signal.\n\nThis resolves the problem of things like using GDB on confined domains\nsuch as in RH BZ 232371. The confined domain did not have permission to\nsend a generic signal (exit_signal \u003d\u003d -1) back to the unconfined GDB.\nWith this patch the GDB wait works and since the actual signal sent is\nallowed everything functions as it should.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cbfee34520666862f8ff539e580c48958fbb7706", "tree": "ded5cafce333e908a0fbeda1f7c55eaf7c1fbaaa", "parents": [ "b53767719b6cd8789392ea3e7e2eb7b8906898f0" ], "author": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Tue Oct 16 23:31:38 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "security/ cleanups\n\nThis patch contains the following cleanups that are now possible:\n- remove the unused security_operations-\u003einode_xattr_getsuffix\n- remove the no longer used security_operations-\u003eunregister_security\n- remove some no longer required exit code\n- remove a bunch of no longer used exports\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b53767719b6cd8789392ea3e7e2eb7b8906898f0", "tree": "a0279dc93c79b94d3865b0f19f6b7b353e20608c", "parents": [ "57c521ce6125e15e99e56c902cb8da96bee7b36d" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Tue Oct 16 23:31:36 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "Implement file posix capabilities\n\nImplement file posix capabilities. This allows programs to be given a\nsubset of root\u0027s powers regardless of who runs them, without having to use\nsetuid and giving the binary all of root\u0027s powers.\n\nThis version works with Kaigai Kohei\u0027s userspace tools, found at\nhttp://www.kaigai.gr.jp/index.php. For more information on how to use this\npatch, Chris Friedhoff has posted a nice page at\nhttp://www.friedhoff.org/fscaps.html.\n\nChangelog:\n\tNov 27:\n\tIncorporate fixes from Andrew Morton\n\t(security-introduce-file-caps-tweaks and\n\tsecurity-introduce-file-caps-warning-fix)\n\tFix Kconfig dependency.\n\tFix change signaling behavior when file caps are not compiled in.\n\n\tNov 13:\n\tIntegrate comments from Alexey: Remove CONFIG_ ifdef from\n\tcapability.h, and use %zd for printing a size_t.\n\n\tNov 13:\n\tFix endianness warnings by sparse as suggested by Alexey\n\tDobriyan.\n\n\tNov 09:\n\tAddress warnings of unused variables at cap_bprm_set_security\n\twhen file capabilities are disabled, and simultaneously clean\n\tup the code a little, by pulling the new code into a helper\n\tfunction.\n\n\tNov 08:\n\tFor pointers to required userspace tools and how to use\n\tthem, see http://www.friedhoff.org/fscaps.html.\n\n\tNov 07:\n\tFix the calculation of the highest bit checked in\n\tcheck_cap_sanity().\n\n\tNov 07:\n\tAllow file caps to be enabled without CONFIG_SECURITY, since\n\tcapabilities are the default.\n\tHook cap_task_setscheduler when !CONFIG_SECURITY.\n\tMove capable(TASK_KILL) to end of cap_task_kill to reduce\n\taudit messages.\n\n\tNov 05:\n\tAdd secondary calls in selinux/hooks.c to task_setioprio and\n\ttask_setscheduler so that selinux and capabilities with file\n\tcap support can be stacked.\n\n\tSep 05:\n\tAs Seth Arnold points out, uid checks are out of place\n\tfor capability code.\n\n\tSep 01:\n\tDefine task_setscheduler, task_setioprio, cap_task_kill, and\n\ttask_setnice to make sure a user cannot affect a process in which\n\tthey called a program with some fscaps.\n\n\tOne remaining question is the note under task_setscheduler: are we\n\tok with CAP_SYS_NICE being sufficient to confine a process to a\n\tcpuset?\n\n\tIt is a semantic change, as without fsccaps, attach_task doesn\u0027t\n\tallow CAP_SYS_NICE to override the uid equivalence check. But since\n\tit uses security_task_setscheduler, which elsewhere is used where\n\tCAP_SYS_NICE can be used to override the uid equivalence check,\n\tfixing it might be tough.\n\n\t task_setscheduler\n\t\t note: this also controls cpuset:attach_task. Are we ok with\n\t\t CAP_SYS_NICE being used to confine to a cpuset?\n\t task_setioprio\n\t task_setnice\n\t\t sys_setpriority uses this (through set_one_prio) for another\n\t\t process. Need same checks as setrlimit\n\n\tAug 21:\n\tUpdated secureexec implementation to reflect the fact that\n\teuid and uid might be the same and nonzero, but the process\n\tmight still have elevated caps.\n\n\tAug 15:\n\tHandle endianness of xattrs.\n\tEnforce capability version match between kernel and disk.\n\tEnforce that no bits beyond the known max capability are\n\tset, else return -EPERM.\n\tWith this extra processing, it may be worth reconsidering\n\tdoing all the work at bprm_set_security rather than\n\td_instantiate.\n\n\tAug 10:\n\tAlways call getxattr at bprm_set_security, rather than\n\tcaching it at d_instantiate.\n\n[morgan@kernel.org: file-caps clean up for linux/capability.h]\n[bunk@kernel.org: unexport cap_inode_killpriv]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "20510f2f4e2dabb0ff6c13901807627ec9452f98", "tree": "d64b9eeb90d577f7f9688a215c4c6c3c2405188a", "parents": [ "5c3b447457789374cdb7b03afe2540d48c649a36" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Oct 16 23:31:32 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "security: Convert LSM into a static interface\n\nConvert LSM into a static interface, as the ability to unload a security\nmodule is not required by in-tree users and potentially complicates the\noverall security architecture.\n\nNeedlessly exported LSM symbols have been unexported, to help reduce API\nabuse.\n\nParameters for the capability and root_plug modules are now specified\nat boot.\n\nThe SECURITY_FRAMEWORK_VERSION macro has also been removed.\n\nIn a nutshell, there is no safe way to unload an LSM. The modular interface\nis thus unecessary and broken infrastructure. It is used only by out-of-tree\nmodules, which are often binary-only, illegal, abusive of the API and\ndangerous, e.g. silently re-vectoring SELinux.\n\n[akpm@linux-foundation.org: cleanups]\n[akpm@linux-foundation.org: USB Kconfig fix]\n[randy.dunlap@oracle.com: fix LSM kernel-doc]\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nAcked-by: Arjan van de Ven \u003carjan@infradead.org\u003e\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "788e7dd4c22e6f41b3a118fd8c291f831f6fddbb", "tree": "cbe2d2a360aaf7dc243bef432e1c50507ae6db7b", "parents": [ "3232c110b56bd01c5f0fdfd16b4d695f2e05b0a9" ], "author": { "name": "Yuichi Nakamura", "email": "ynakam@hitachisoft.jp", "time": "Fri Sep 14 09:27:07 2007 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Oct 17 08:59:31 2007 +1000" }, "message": "SELinux: Improve read/write performance\n\nIt reduces the selinux overhead on read/write by only revalidating\npermissions in selinux_file_permission if the task or inode labels have\nchanged or the policy has changed since the open-time check. A new LSM\nhook, security_dentry_open, is added to capture the necessary state at open\ntime to allow this optimization.\n\n(see http://marc.info/?l\u003dselinux\u0026m\u003d118972995207740\u0026w\u003d2)\n\nSigned-off-by: Yuichi Nakamura\u003cynakam@hitachisoft.jp\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a224be766bf593f7bcd534ca0c48dbd3eaf7bfce", "tree": "b0a053b35fe654fb35199c1b5326a4d3932f79da", "parents": [ "762cc40801ad757a34527d5e548816cf3b6fc606" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Oct 15 02:58:25 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Oct 15 12:26:44 2007 -0700" }, "message": "[SELINUX]: Update for netfilter -\u003ehook() arg changes.\n\nThey take a \"struct sk_buff *\" instead of a \"struct sk_buff **\" now.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "227b60f5102cda4e4ab792b526a59c8cb20cd9f8", "tree": "2c9e372601ba794894833b0618bc531a9f5d57c4", "parents": [ "06393009000779b00a558fd2f280882cc7dc2008" ], "author": { "name": "Stephen Hemminger", "email": "shemminger@linux-foundation.org", "time": "Wed Oct 10 17:30:46 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Oct 10 17:30:46 2007 -0700" }, "message": "[INET]: local port range robustness\n\nExpansion of original idea from Denis V. Lunev \u003cden@openvz.org\u003e\n\nAdd robustness and locking to the local_port_range sysctl.\n1. Enforce that low \u003c high when setting.\n2. Use seqlock to ensure atomic update.\n\nThe locking might seem like overkill, but there are\ncases where sysadmin might want to change value in the\nmiddle of a DoS attack.\n\nSigned-off-by: Stephen Hemminger \u003cshemminger@linux-foundation.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "31e879309474d1666d645b96de99d0b682fa055f", "tree": "bb9d45dc85e03044b5ee7635f3646774bcbb30d4", "parents": [ "a88a8eff1e6e32d3288986a9d36c6a449c032d3a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Sep 19 17:19:12 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Sep 20 08:06:40 2007 +1000" }, "message": "SELinux: fix array out of bounds when mounting with selinux options\n\nGiven an illegal selinux option it was possible for match_token to work in\nrandom memory at the end of the match_table_t array.\n\nNote that privilege is required to perform a context mount, so this issue is\neffectively limited to root only.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4ac212ad4e8fafc22fa147fc255ff5fa5435cf33", "tree": "9ab703429a2b24ccafc6748c1e0f2147f2b47114", "parents": [ "a1c582d0720f2eff61043e90711767decf37b917" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Wed Aug 29 08:51:50 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@localhost.localdomain", "time": "Thu Aug 30 20:22:47 2007 -0400" }, "message": "SELinux: clear parent death signal on SID transitions\n\nClear parent death signal on SID transitions to prevent unauthorized\nsignaling between SIDs.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@localhost.localdomain\u003e\n" }, { "commit": "34b4e4aa3c470ce8fa2bd78abb1741b4b58baad7", "tree": "91d620288f1aaf63c12dc84ca1015465818601f2", "parents": [ "afe1ab4d577892822de2c8e803fbfaed6ec44ba3" ], "author": { "name": "Alan Cox", "email": "alan@lxorguk.ukuu.org.uk", "time": "Wed Aug 22 14:01:28 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Aug 22 19:52:45 2007 -0700" }, "message": "fix NULL pointer dereference in __vm_enough_memory()\n\nThe new exec code inserts an accounted vma into an mm struct which is not\ncurrent-\u003emm. The existing memory check code has a hard coded assumption\nthat this does not happen as does the security code.\n\nAs the correct mm is known we pass the mm to the security method and the\nhelper function. A new security test is added for the case where we need\nto pass the mm and the existing one is modified to pass current-\u003emm to\navoid the need to change large amounts of code.\n\n(Thanks to Tobias for fixing rejects and testing)\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nCc: WU Fengguang \u003cwfg@mail.ustc.edu.cn\u003e\nCc: James Morris \u003cjmorris@redhat.com\u003e\nCc: Tobias Diedrich \u003cranma+kernel@tdiedrich.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "088999e98b8caecd31adc3b62223a228555c5ab7", "tree": "ee16fd7c6cdde90642550ee9937fafb96e979f67", "parents": [ "9534f71ca33e5a9de26dfd43c76af86e005005dd" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Aug 01 11:12:58 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 02 11:52:23 2007 -0400" }, "message": "SELinux: remove redundant pointer checks before calling kfree()\n\nWe don\u0027t need to check for NULL pointers before calling kfree().\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "20c2df83d25c6a95affe6157a4c9cac4cf5ffaac", "tree": "415c4453d2b17a50abe7a3e515177e1fa337bd67", "parents": [ "64fb98fc40738ae1a98bcea9ca3145b89fb71524" ], "author": { "name": "Paul Mundt", "email": "lethal@linux-sh.org", "time": "Fri Jul 20 10:11:58 2007 +0900" }, "committer": { "name": "Paul Mundt", "email": "lethal@linux-sh.org", "time": "Fri Jul 20 10:11:58 2007 +0900" }, "message": "mm: Remove slab destructors from kmem_cache_create().\n\nSlab destructors were no longer supported after Christoph\u0027s\nc59def9f222d44bb7e2f0a559f2906191a0862d7 change. They\u0027ve been\nBUGs for both slab and slub, and slob never supported them\neither.\n\nThis rips out support for the dtor pointer from kmem_cache_create()\ncompletely and fixes up every single callsite in the kernel (there were\nabout 224, not including the slab allocator definitions themselves,\nor the documentation references).\n\nSigned-off-by: Paul Mundt \u003clethal@linux-sh.org\u003e\n" }, { "commit": "f36158c410651fe66f438c17b2ab3ae813f8c060", "tree": "644e57a36d918fe2b2fcdd2f59daffb847cd8d36", "parents": [ "23bcdc1adebd3cb47d5666f2e9ecada95c0134e4" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Jul 18 12:28:46 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jul 19 10:21:13 2007 -0400" }, "message": "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel\n\nThese changes will make NetLabel behave like labeled IPsec where there is an\naccess check for both labeled and unlabeled packets as well as providing the\nability to restrict domains to receiving only labeled packets when NetLabel is\nin use. The changes to the policy are straight forward with the following\nnecessary to receive labeled traffic (with SECINITSID_NETMSG defined as\n\"netlabel_peer_t\"):\n\n allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThe policy for unlabeled traffic would be:\n\n allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThese policy changes, as well as more general NetLabel support, are included in\nthe latest SELinux Reference Policy release 20070629 or later. Users who make\nuse of NetLabel are strongly encouraged to upgrade their policy to avoid\nnetwork problems. Users who do not make use of NetLabel will not notice any\ndifference.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3bd858ab1c451725c07a805dcb315215dc85b86e", "tree": "5d49c4300e350d64fd81eb3230b81f754117e0c1", "parents": [ "49c13b51a15f1ba9f6d47e26e4a3886c4f3931e2" ], "author": { "name": "Satyam Sharma", "email": "ssatyam@cse.iitk.ac.in", "time": "Tue Jul 17 15:00:08 2007 +0530" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Jul 17 12:00:03 2007 -0700" }, "message": "Introduce is_owner_or_cap() to wrap CAP_FOWNER use with fsuid check\n\nIntroduce is_owner_or_cap() macro in fs.h, and convert over relevant\nusers to it. This is done because we want to avoid bugs in the future\nwhere we check for only effective fsuid of the current task against a\nfile\u0027s owning uid, without simultaneously checking for CAP_FOWNER as\nwell, thus violating its semantics.\n[ XFS uses special macros and structures, and in general looked ...\nuntouchable, so we leave it alone -- but it has been looked over. ]\n\nThe (current-\u003efsuid !\u003d inode-\u003ei_uid) check in generic_permission() and\nexec_permission_lite() is left alone, because those operations are\ncovered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH. Similarly operations\nfalling under the purview of CAP_CHOWN and CAP_LEASE are also left alone.\n\nSigned-off-by: Satyam Sharma \u003cssatyam@cse.iitk.ac.in\u003e\nCc: Al Viro \u003cviro@ftp.linux.org.uk\u003e\nAcked-by: Serge E. Hallyn \u003cserge@hallyn.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8d9107e8c50e1c4ff43c91c8841805833f3ecfb9", "tree": "abc57f38cf659d4031d5a9915a088f2c47b2cc7e", "parents": [ "16cefa8c3863721fd40445a1b34dea18cd16ccfe" ], "author": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Jul 13 16:53:18 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Jul 13 16:53:18 2007 -0700" }, "message": "Revert \"SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel\"\n\nThis reverts commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0.\n\nIt bit people like Michal Piotrowski:\n\n \"My system is too secure, I can not login :)\"\n\nbecause it changed how CONFIG_NETLABEL worked, and broke older SElinux\npolicies.\n\nAs a result, quoth James Morris:\n\n \"Can you please revert this patch?\n\n We thought it only affected people running MLS, but it will affect others.\n\n Sorry for the hassle.\"\n\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Michal Piotrowski \u003cmichal.k.k.piotrowski@gmail.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0", "tree": "ee167dc8c575dee062cdaf91d0b60a5997bba0c3", "parents": [ "ed0321895182ffb6ecf210e066d87911b270d587" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Jun 29 11:48:16 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jul 11 22:52:31 2007 -0400" }, "message": "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel\n\nThese changes will make NetLabel behave like labeled IPsec where there is an\naccess check for both labeled and unlabeled packets as well as providing the\nability to restrict domains to receiving only labeled packets when NetLabel\nis in use. The changes to the policy are straight forward with the\nfollowing necessary to receive labeled traffic (with SECINITSID_NETMSG\ndefined as \"netlabel_peer_t\"):\n\n allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThe policy for unlabeled traffic would be:\n\n allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThese policy changes, as well as more general NetLabel support, are included\nin the SELinux Reference Policy SVN tree, r2352 or later. Users who enable\nNetLabel support in the kernel are strongly encouraged to upgrade their\npolicy to avoid network problems.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ed0321895182ffb6ecf210e066d87911b270d587", "tree": "832bb54666f73b06e55322df40f915c5e9ef64d7", "parents": [ "13bddc2e9d591e31bf20020dc19ea6ca85de420e" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jun 28 15:55:21 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jul 11 22:52:29 2007 -0400" }, "message": "security: Protection for exploiting null dereference using mmap\n\nAdd a new security check on mmap operations to see if the user is attempting\nto mmap to low area of the address space. The amount of space protected is\nindicated by the new proc tunable /proc/sys/vm/mmap_min_addr and defaults to\n0, preserving existing behavior.\n\nThis patch uses a new SELinux security class \"memprotect.\" Policy already\ncontains a number of allow rules like a_t self:process * (unconfined_t being\none of them) which mean that putting this check in the process class (its\nbest current fit) would make it useless as all user processes, which we also\nwant to protect against, would be allowed. By taking the memprotect name of\nthe new class it will also make it possible for us to move some of the other\nmemory protect permissions out of \u0027process\u0027 and into the new class next time\nwe bump the policy version number (which I also think is a good future idea)\n\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2c3c05dbcbc7b9d71549fe0e2b249f10f5a66518", "tree": "bab75df9fafc435f3370a6d773d3284716347249", "parents": [ "9dc9978084ea2a96b9f42752753d9e38a9f9d7b2" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Thu Jun 07 15:34:10 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jul 11 22:52:25 2007 -0400" }, "message": "SELinux: allow preemption between transition permission checks\n\nIn security_get_user_sids, move the transition permission checks\noutside of the section holding the policy rdlock, and use the AVC to\nperform the checks, calling cond_resched after each one. These\nchanges should allow preemption between the individual checks and\nenable caching of the results. It may however increase the overall\ntime spent in the function in some cases, particularly in the cache\nmiss case.\n\nThe long term fix will be to take much of this logic to userspace by\nexporting additional state via selinuxfs, and ultimately deprecating\nand eliminating this interface from the kernel.\n\nTested-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e63340ae6b6205fef26b40a75673d1c9c0c8bb90", "tree": "8d3212705515edec73c3936bb9e23c71d34a7b41", "parents": [ "04c9167f91e309c9c4ea982992aa08e83b2eb42e" ], "author": { "name": "Randy Dunlap", "email": "randy.dunlap@oracle.com", "time": "Tue May 08 00:28:08 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue May 08 11:15:07 2007 -0700" }, "message": "header cleaning: don\u0027t include smp_lock.h when not used\n\nRemove includes of \u003clinux/smp_lock.h\u003e where it is not used/needed.\nSuggested by Al Viro.\n\nBuilds cleanly on x86_64, i386, alpha, ia64, powerpc, sparc,\nsparc64, and arm (all 59 defconfigs).\n\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "98a27ba485c7508ef9d9527fe06e4686f3a163dc", "tree": "73d5dca7f1b5120ecf1bbcc664094044bc35dc56", "parents": [ "2a65f1d9fe78475720bd8f0e0fbbf1973b1b5ac2" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Tue May 08 00:26:56 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue May 08 11:15:04 2007 -0700" }, "message": "tty: introduce no_tty and use it in selinux\n\nWhile researching the tty layer pid leaks I found a weird case in selinux when\nwe drop a controlling tty because of inadequate permissions we don\u0027t do the\nnormal hangup processing. Which is a problem if it happens the session leader\nhas exec\u0027d something that can no longer access the tty.\n\nWe already have code in the kernel to handle this case in the form of the\nTIOCNOTTY ioctl. So this patch factors out a helper function that is the\nessence of that ioctl and calls it from the selinux code.\n\nThis removes the inconsistency in handling dropping of a controlling tty and\nwho knows it might even make some part of user space happy because it received\na SIGHUP it was expecting.\n\nIn addition since this removes the last user of proc_set_tty outside of\ntty_io.c proc_set_tty is made static and removed from tty.h\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nAcked-by: Alan Cox \u003calan@lxorguk.ukuu.org.uk\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "a205752d1ad2d37d6597aaae5a56fc396a770868", "tree": "1def76b02da90b98cefd66c4ba3904697963c358", "parents": [ "39bc89fd4019b164002adaacef92c4140e37955a", "e900a7d90ae1486ac95c10e0b7337fc2c2eda529" ], "author": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Apr 27 10:47:29 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Apr 27 10:47:29 2007 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:\n selinux: preserve boolean values across policy reloads\n selinux: change numbering of boolean directory inodes in selinuxfs\n selinux: remove unused enumeration constant from selinuxfs\n selinux: explicitly number all selinuxfs inodes\n selinux: export initial SID contexts via selinuxfs\n selinux: remove userland security class and permission definitions\n SELinux: move security_skb_extlbl_sid() out of the security server\n MAINTAINERS: update selinux entry\n SELinux: rename selinux_netlabel.h to netlabel.h\n SELinux: extract the NetLabel SELinux support from the security server\n NetLabel: convert a BUG_ON in the CIPSO code to a runtime check\n NetLabel: cleanup and document CIPSO constants\n" }, { "commit": "4f6a993f96a256e83b9be7612f958c7bc4ca9f00", "tree": "385e5ce4423583b65780d20fce075cd936fe1449", "parents": [ "588a31577f86a5cd8b0bcde6026e4e6dcac8c383" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Mar 01 14:35:22 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 26 01:35:56 2007 -0400" }, "message": "SELinux: move security_skb_extlbl_sid() out of the security server\n\nAs suggested, move the security_skb_extlbl_sid() function out of the security\nserver and into the SELinux hooks file.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c60475bf35fc5fa10198df89187ab148527e72f7", "tree": "5f8081082c8be5865049c2c446583b67a9c786b3", "parents": [ "5778eabd9cdbf16ea3e40248c452b4fd25554d11" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Feb 28 15:14:23 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 26 01:35:50 2007 -0400" }, "message": "SELinux: rename selinux_netlabel.h to netlabel.h\n\nIn the beginning I named the file selinux_netlabel.h to avoid potential\nnamespace colisions. However, over time I have realized that there are several\nother similar cases of multiple header files with the same name so I\u0027m changing\nthe name to something which better fits with existing naming conventions.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b529ccf2799c14346d1518e9bdf1f88f03643e99", "tree": "f899a5a5d66d2ca21724c1871ee3afeda6c4a670", "parents": [ "965ffea43d4ebe8cd7b9fee78d651268dd7d23c5" ], "author": { "name": "Arnaldo Carvalho de Melo", "email": "acme@redhat.com", "time": "Wed Apr 25 19:08:35 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Apr 25 22:26:34 2007 -0700" }, "message": "[NETLINK]: Introduce nlmsg_hdr() helper\n\nFor the common \"(struct nlmsghdr *)skb-\u003edata\" sequence, so that we reduce the\nnumber of direct accesses to skb-\u003edata and for consistency with all the other\ncast skb member helpers.\n\nSigned-off-by: Arnaldo Carvalho de Melo \u003cacme@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "bbe735e4247dba32568a305553b010081c8dea99", "tree": "95d96619c85785a47ccee48965b68d99cf946854", "parents": [ "e7dd65dafda5737a983c04d652a69ab8da78ee3f" ], "author": { "name": "Arnaldo Carvalho de Melo", "email": "acme@redhat.com", "time": "Sat Mar 10 22:16:10 2007 -0300" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Apr 25 22:24:58 2007 -0700" }, "message": "[SK_BUFF]: Introduce skb_network_offset()\n\nFor the quite common \u0027skb-\u003enh.raw - skb-\u003edata\u0027 sequence.\n\nSigned-off-by: Arnaldo Carvalho de Melo \u003cacme@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "04ff97086b1a3237bbd1fe6390fa80fe75207e23", "tree": "877e26055759d84a726c6bc68245bc6f9a4a5753", "parents": [ "c4823bce033be74c0fcfbcae2f1be0854fdc2e18" ], "author": { "name": "Al Viro", "email": "viro@ftp.linux.org.uk", "time": "Mon Mar 12 16:17:58 2007 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Mar 14 15:27:48 2007 -0700" }, "message": "[PATCH] sanitize security_getprocattr() API\n\nhave it return the buffer it had allocated\n\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "fadcdb451632d32d7c0d4c71df9ac2d3b7ae2348", "tree": "51e411452a4aa05bb5150d4d670324badf1a4bd0", "parents": [ "9654640d0af8f2de40ff3807d3695109d3463f54" ], "author": { "name": "Eric Paris", "email": "eparis@parisplace.org", "time": "Thu Feb 22 18:11:31 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Feb 26 14:43:07 2007 -0500" }, "message": "Reassign printk levels in selinux kernel code\n\nBelow is a patch which demotes many printk lines to KERN_DEBUG from\nKERN_INFO. It should help stop the spamming of logs with messages in\nwhich users are not interested nor is there any action that users should\ntake. It also promotes some KERN_INFO to KERN_ERR such as when there\nare improper attempts to register/unregister security modules.\n\nA similar patch was discussed a while back on list:\nhttp://marc.theaimsgroup.com/?t\u003d116656343500003\u0026r\u003d1\u0026w\u003d2\nThis patch addresses almost all of the issues raised. I believe the\nonly advice not taken was in the demoting of messages related to\nundefined permissions and classes.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n\n security/selinux/hooks.c | 20 ++++++++++----------\n security/selinux/ss/avtab.c | 2 +-\n security/selinux/ss/policydb.c | 6 +++---\n security/selinux/ss/sidtab.c | 2 +-\n 4 files changed, 15 insertions(+), 15 deletions(-)\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bbaca6c2e7ef0f663bc31be4dad7cf530f6c4962", "tree": "c90c927fa0547ba46cb01aaf7625008e350d84eb", "parents": [ "b599fdfdb4bb4941e9076308efcf3bb89e577db5" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Wed Feb 14 00:34:16 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Feb 14 08:10:00 2007 -0800" }, "message": "[PATCH] selinux: enhance selinux to always ignore private inodes\n\nHmmm...turns out to not be quite enough, as the /proc/sys inodes aren\u0027t truly\nprivate to the fs, so we can run into them in a variety of security hooks\nbeyond just the inode hooks, such as security_file_permission (when reading\nand writing them via the vfs helpers), security_sb_mount (when mounting other\nfilesystems on directories in proc like binfmt_misc), and deeper within the\nsecurity module itself (as in flush_unauthorized_files upon inheritance across\nexecve). So I think we have to add an IS_PRIVATE() guard within SELinux, as\nbelow. Note however that the use of the private flag here could be confusing,\nas these inodes are _not_ private to the fs, are exposed to userspace, and\nsecurity modules must implement the sysctl hook to get any access control over\nthem.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b599fdfdb4bb4941e9076308efcf3bb89e577db5", "tree": "c224273f3ef29749bf3f62e06f7ffdee595996c0", "parents": [ "3fbfa98112fc3962c416452a0baf2214381030e6" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Wed Feb 14 00:34:15 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Feb 14 08:10:00 2007 -0800" }, "message": "[PATCH] sysctl: fix the selinux_sysctl_get_sid\n\nI goofed and when reenabling the fine grained selinux labels for\nsysctls and forgot to add the \"/sys\" prefix before consulting\nthe policy database. When computing the same path using\nproc_dir_entries we got the \"/sys\" for free as it was part\nof the tree, but it isn\u0027t true for clt_table trees.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3fbfa98112fc3962c416452a0baf2214381030e6", "tree": "5a14a9d97ba05f415698de7b4ec5949363c268a6", "parents": [ "d912b0cc1a617d7c590d57b7ea971d50c7f02503" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Wed Feb 14 00:34:14 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Feb 14 08:10:00 2007 -0800" }, "message": "[PATCH] sysctl: remove the proc_dir_entry member for the sysctl tables\n\nIt isn\u0027t needed anymore, all of the users are gone, and all of the ctl_table\ninitializers have been converted to use explicit names of the fields they are\ninitializing.\n\n[akpm@osdl.org: NTFS fix]\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b385a144ee790f00e8559bcb8024d042863f9be1", "tree": "c2f2df78805fe8eff006716cee7b8fa8010d3b62", "parents": [ "521dae191e5ba9362152da9fd3a12203e087df83" ], "author": { "name": "Robert P. J. Day", "email": "rpjday@mindspring.com", "time": "Sat Feb 10 01:46:25 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Sun Feb 11 11:18:06 2007 -0800" }, "message": "[PATCH] Replace regular code with appropriate calls to container_of()\n\nReplace a small number of expressions with a call to the \"container_of()\"\nmacro.\n\nSigned-off-by: Robert P. J. Day \u003crpjday@mindspring.com\u003e\nAcked-by: Paul Mackerras \u003cpaulus@samba.org\u003e\nCc: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\nCc: Martin Schwidefsky \u003cschwidefsky@de.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c376222960ae91d5ffb9197ee36771aaed1d9f90", "tree": "7f431c42529fec77433d33490bd9f2a8c47ba091", "parents": [ "1b135431abf5ea92e61bf4e91d93726c7b96da5f" ], "author": { "name": "Robert P. J. Day", "email": "rpjday@mindspring.com", "time": "Sat Feb 10 01:45:03 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Sun Feb 11 10:51:27 2007 -0800" }, "message": "[PATCH] Transform kmem_cache_alloc()+memset(0) -\u003e kmem_cache_zalloc().\n\nReplace appropriate pairs of \"kmem_cache_alloc()\" + \"memset(0)\" with the\ncorresponding \"kmem_cache_zalloc()\" call.\n\nSigned-off-by: Robert P. J. Day \u003crpjday@mindspring.com\u003e\nCc: \"Luck, Tony\" \u003ctony.luck@intel.com\u003e\nCc: Andi Kleen \u003cak@muc.de\u003e\nCc: Roland McGrath \u003croland@redhat.com\u003e\nCc: James Bottomley \u003cJames.Bottomley@steeleye.com\u003e\nCc: Greg KH \u003cgreg@kroah.com\u003e\nAcked-by: Joel Becker \u003cJoel.Becker@oracle.com\u003e\nCc: Steven Whitehouse \u003cswhiteho@redhat.com\u003e\nCc: Jan Kara \u003cjack@ucw.cz\u003e\nCc: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nCc: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "bbea9f69668a3d0cf9feba15a724cd02896f8675", "tree": "bc58506e4daba4a04309181a5501ae4eb5424783", "parents": [ "f3d19c90fb117a5f080310a4592929aa8e1ad8e9" ], "author": { "name": "Vadim Lobanov", "email": "vlobanov@speakeasy.net", "time": "Sun Dec 10 02:21:12 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.osdl.org", "time": "Sun Dec 10 09:57:22 2006 -0800" }, "message": "[PATCH] fdtable: Make fdarray and fdsets equal in size\n\nCurrently, each fdtable supports three dynamically-sized arrays of data: the\nfdarray and two fdsets. The code allows the number of fds supported by the\nfdarray (fdtable-\u003emax_fds) to differ from the number of fds supported by each\nof the fdsets (fdtable-\u003emax_fdset).\n\nIn practice, it is wasteful for these two sizes to differ: whenever we hit a\nlimit on the smaller-capacity structure, we will reallocate the entire fdtable\nand all the dynamic arrays within it, so any delta in the memory used by the\nlarger-capacity structure will never be touched at all.\n\nRather than hogging this excess, we shouldn\u0027t even allocate it in the first\nplace, and keep the capacities of the fdarray and the fdsets equal. This\npatch removes fdtable-\u003emax_fdset. As an added bonus, most of the supporting\ncode becomes simpler.\n\nSigned-off-by: Vadim Lobanov \u003cvlobanov@speakeasy.net\u003e\nCc: Christoph Hellwig \u003chch@lst.de\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Dipankar Sarma \u003cdipankar@in.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "3d5ff529ea222461a5fa3c4df05cbdc5eb56864d", "tree": "28ec8432eb9212bc04e345c2e85addc132f3a34e", "parents": [ "7ac6207b2a6a5b828bc333f2530a3bd48197af3e" ], "author": { "name": "Josef Sipek", "email": "jsipek@fsl.cs.sunysb.edu", "time": "Fri Dec 08 02:37:38 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.osdl.org", "time": "Fri Dec 08 08:28:49 2006 -0800" }, "message": "[PATCH] struct path: convert selinux\n\nSigned-off-by: Josef Sipek \u003cjsipek@fsl.cs.sunysb.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "24ec839c431eb79bb8f6abc00c4e1eb3b8c4d517", "tree": "2ff478b1925159eeac007913c2a8f19d5f5e6010", "parents": [ "562f9c574e0707f9159a729ea41faf53b221cd30" ], "author": { "name": "Peter Zijlstra", "email": "a.p.zijlstra@chello.nl", "time": "Fri Dec 08 02:36:04 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.osdl.org", "time": "Fri Dec 08 08:28:38 2006 -0800" }, "message": "[PATCH] tty: -\u003esignal-\u003etty locking\n\nFix the locking of signal-\u003etty.\n\nUse -\u003esighand-\u003esiglock to protect -\u003esignal-\u003etty; this lock is already used\nby most other members of -\u003esignal/-\u003esighand. And unless we are \u0027current\u0027\nor the tasklist_lock is held we need -\u003esiglock to access -\u003esignal anyway.\n\n(NOTE: sys_unshare() is broken wrt -\u003esighand locking rules)\n\nNote that tty_mutex is held over tty destruction, so while holding\ntty_mutex any tty pointer remains valid. Otherwise the lifetime of ttys\nare governed by their open file handles. This leaves some holes for tty\naccess from signal-\u003etty (or any other non file related tty access).\n\nIt solves the tty SLAB scribbles we were seeing.\n\n(NOTE: the change from group_send_sig_info to __group_send_sig_info needs to\n be examined by someone familiar with the security framework, I think\n it is safe given the SEND_SIG_PRIV from other __group_send_sig_info\n invocations)\n\n[schwidefsky@de.ibm.com: 3270 fix]\n[akpm@osdl.org: various post-viro fixes]\nSigned-off-by: Peter Zijlstra \u003ca.p.zijlstra@chello.nl\u003e\nAcked-by: Alan Cox \u003calan@redhat.com\u003e\nCc: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nCc: Prarit Bhargava \u003cprarit@redhat.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Roland McGrath \u003croland@redhat.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\nCc: Jeff Dike \u003cjdike@addtoit.com\u003e\nCc: Martin Schwidefsky \u003cschwidefsky@de.ibm.com\u003e\nCc: Jan Kara \u003cjack@ucw.cz\u003e\nSigned-off-by: Martin Schwidefsky \u003cschwidefsky@de.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "e18b890bb0881bbab6f4f1a6cd20d9c60d66b003", "tree": "4828be07e1c24781c264b42c5a75bcd968223c3f", "parents": [ "441e143e95f5aa1e04026cb0aa71c801ba53982f" ], "author": { "name": "Christoph Lameter", "email": "clameter@sgi.com", "time": "Wed Dec 06 20:33:20 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.osdl.org", "time": "Thu Dec 07 08:39:25 2006 -0800" }, "message": "[PATCH] slab: remove kmem_cache_t\n\nReplace all uses of kmem_cache_t with struct kmem_cache.\n\nThe patch was generated using the following script:\n\n\t#!/bin/sh\n\t#\n\t# Replace one string by another in all the kernel sources.\n\t#\n\n\tset -e\n\n\tfor file in `find * -name \"*.c\" -o -name \"*.h\"|xargs grep -l $1`; do\n\t\tquilt add $file\n\t\tsed -e \"1,\\$s/$1/$2/g\" $file \u003e/tmp/$$\n\t\tmv /tmp/$$ $file\n\t\tquilt refresh\n\tdone\n\nThe script was run like this\n\n\tsh replace kmem_cache_t \"struct kmem_cache\"\n\nSigned-off-by: Christoph Lameter \u003cclameter@sgi.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "e94b1766097d53e6f3ccfb36c8baa562ffeda3fc", "tree": "93fa0a8ab84976d4e89c50768ca8b8878d642a0d", "parents": [ "54e6ecb23951b195d02433a741c7f7cb0b796c78" ], "author": { "name": "Christoph Lameter", "email": "clameter@sgi.com", "time": "Wed Dec 06 20:33:17 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.osdl.org", "time": "Thu Dec 07 08:39:24 2006 -0800" }, "message": "[PATCH] slab: remove SLAB_KERNEL\n\nSLAB_KERNEL is an alias of GFP_KERNEL.\n\nSigned-off-by: Christoph Lameter \u003cclameter@sgi.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "87fcd70d983d30eca4b933fff2e97d9a31743d0a", "tree": "2c79943f7691f80123af0145a8909f14011b0761", "parents": [ "91f433cacc9d1ae95ae46ce26d7bcf3a724c72d0" ], "author": { "name": "Al Viro", "email": "viro@hera.kernel.org", "time": "Mon Dec 04 22:00:55 2006 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.osdl.org", "time": "Mon Dec 04 19:32:44 2006 -0800" }, "message": "[PATCH] selinux endianness annotations\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "3de4bab5b9f8848a0c16a4b1ffe0452f0d670237", "tree": "f65c12b53bf2ad02645ea31522f67e7318019498", "parents": [ "9f2ad66509b182b399a5b03de487f45bde623524" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Nov 17 17:38:54 2006 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:24:14 2006 -0800" }, "message": "SELinux: peer secid consolidation for external network labeling\n\nNow that labeled IPsec makes use of the peer_sid field in the\nsk_security_struct we can remove a lot of the special cases between labeled\nIPsec and NetLabel. In addition, create a new function,\nsecurity_skb_extlbl_sid(), which we can use in several places to get the\nsecurity context of the packet\u0027s external label which allows us to further\nsimplify the code in a few places.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9f2ad66509b182b399a5b03de487f45bde623524", "tree": "8376dc2db99a78c1b043644f019c4dc224187f16", "parents": [ "9bb5fd2b05cb4dba229e225536faa59eaadd837d" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Nov 17 17:38:53 2006 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:24:13 2006 -0800" }, "message": "NetLabel: SELinux cleanups\n\nThis patch does a lot of cleanup in the SELinux NetLabel support code. A\nsummary of the changes include:\n\n* Use RCU locking for the NetLabel state variable in the skk_security_struct\n instead of using the inode_security_struct mutex.\n* Remove unnecessary parameters in selinux_netlbl_socket_post_create().\n* Rename selinux_netlbl_sk_clone_security() to\n selinux_netlbl_sk_security_clone() to better fit the other NetLabel\n sk_security functions.\n* Improvements to selinux_netlbl_inode_permission() to help reduce the cost of\n the common case.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2ee92d46c6cabedd50edf6f273fa8cf84f707618", "tree": "bdf7c64514a5063ba4ef41915f9efb6f803fc38a", "parents": [ "90833aa4f496d69ca374af6acef7d1614c8693ff" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Nov 13 16:09:01 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:22:24 2006 -0800" }, "message": "[SELinux]: Add support for DCCP\n\nThis patch implements SELinux kernel support for DCCP\n(http://linux-net.osdl.org/index.php/DCCP), which is similar in\noperation to TCP in terms of connected state between peers.\n\nThe SELinux support for DCCP is thus modeled on existing handling of\nTCP.\n\nA new DCCP socket class is introduced, to allow protocol\ndifferentation. The permissions for this class inherit all of the\nsocket permissions, as well as the current TCP permissions (node_bind,\nname_bind etc). IPv4 and IPv6 are supported, although labeled\nnetworking is not, at this stage.\n\nPatches for SELinux userspace are at:\nhttp://people.redhat.com/jmorris/selinux/dccp/user/\n\nI\u0027ve performed some basic testing, and it seems to be working as\nexpected. Adding policy support is similar to TCP, the only real\ndifference being that it\u0027s a different protocol.\n\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "67f83cbf081a70426ff667e8d14f94e13ed3bdca", "tree": "776a40733eacb9071478f865e6791daa3f6fd602", "parents": [ "6b877699c6f1efede4545bcecc367786a472eedb" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Wed Nov 08 17:04:26 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:34 2006 -0800" }, "message": "SELinux: Fix SA selection semantics\n\nFix the selection of an SA for an outgoing packet to be at the same\ncontext as the originating socket/flow. This eliminates the SELinux\npolicy\u0027s ability to use/sendto SAs with contexts other than the socket\u0027s.\n\nWith this patch applied, the SELinux policy will require one or more of the\nfollowing for a socket to be able to communicate with/without SAs:\n\n1. To enable a socket to communicate without using labeled-IPSec SAs:\n\nallow socket_t unlabeled_t:association { sendto recvfrom }\n\n2. To enable a socket to communicate with labeled-IPSec SAs:\n\nallow socket_t self:association { sendto };\nallow socket_t peer_sa_t:association { recvfrom };\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6b877699c6f1efede4545bcecc367786a472eedb", "tree": "c0a60dc90578fa9f16d4496e2700bc285eab47c0", "parents": [ "c1a856c9640c9ff3d70bbd8214b6a0974609eef8" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Wed Nov 08 17:04:09 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:33 2006 -0800" }, "message": "SELinux: Return correct context for SO_PEERSEC\n\nFix SO_PEERSEC for tcp sockets to return the security context of\nthe peer (as represented by the SA from the peer) as opposed to the\nSA used by the local/source socket.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "fc5d81e69d15c65ca20d9e5b4e242690e3e9c27d", "tree": "487e7c5e25fb91246712747cc9595f750cffa30b", "parents": [ "2ea5814472c3c910aed5c5b60f1f3b1000e353f1" ], "author": { "name": "Akinobu Mita", "email": "akinobu.mita@gmail.com", "time": "Mon Nov 27 15:16:48 2006 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Nov 27 10:22:43 2006 -0500" }, "message": "selinux: fix dentry_open() error check\n\nThe return value of dentry_open() shoud be checked by IS_ERR().\n\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Akinobu Mita \u003cakinobu.mita@gmail.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f8687afefcc821fc47c75775eec87731fe3de360", "tree": "9835a3c95fb94597ede42cfdf732b97cc495c9bf", "parents": [ "920b868ae1dfdac77c5e8c97e7067b23680f043e" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Mon Oct 30 15:22:15 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Oct 30 15:24:49 2006 -0800" }, "message": "[NetLabel]: protect the CIPSOv4 socket option from setsockopt()\n\nThis patch makes two changes to protect applications from either removing or\ntampering with the CIPSOv4 IP option on a socket. The first is the requirement\nthat applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option\non a socket; this prevents untrusted applications from setting their own\nCIPSOv4 security attributes on the packets they send. The second change is to\nSELinux and it prevents applications from setting any IPv4 options when there\nis an IPOPT_CIPSO option already present on the socket; this prevents\napplications from removing CIPSOv4 security attributes from the packets they\nsend.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2148ccc437a9eac9f0d4b3c27cb1e41f6a48194c", "tree": "03dc59734526aa654d29e1b81cdad18369598182", "parents": [ "9a69d1aeccf169d9a1e442c07d3a6e87f06a7b49" ], "author": { "name": "David Woodhouse", "email": "dwmw2@infradead.org", "time": "Fri Sep 29 15:50:25 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 29 15:58:21 2006 -0700" }, "message": "[PATCH] MLSXFRM: fix mis-labelling of child sockets\n\nAccepted connections of types other than AF_INET, AF_INET6, AF_UNIX won\u0027t\nhave an appropriate label derived from the peer, so don\u0027t use it.\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "3528a95322b5c1ce882ab723f175a1845430cd89", "tree": "3aa8b456e08ed3e57fe23152c934b8ed1b234022", "parents": [ "79f5acf5d784492afe80723496624093079aed9c" ], "author": { "name": "Cory Olmo", "email": "colmo@TrustedCS.com", "time": "Fri Sep 29 01:58:44 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 29 09:18:03 2006 -0700" }, "message": "[PATCH] SELinux: support mls categories for context mounts\n\nAllows commas to be embedded into context mount options (i.e. \"-o\ncontext\u003dsome_selinux_context_t\"), to better support multiple categories,\nwhich are separated by commas and confuse mount.\n\nFor example, with the current code:\n\n mount -t iso9660 /dev/cdrom /media/cdrom -o \\\n ro,context\u003dsystem_u:object_r:iso9660_t:s0:c1,c3,c4,exec\n\nThe context option that will be interpreted by SELinux is\ncontext\u003dsystem_u:object_r:iso9660_t:s0:c1\n\ninstead of\ncontext\u003dsystem_u:object_r:iso9660_t:s0:c1,c3,c4\n\nThe options that will be passed on to the file system will be\nro,c3,c4,exec.\n\nThe proposed solution is to allow/require the SELinux context option\nspecified to mount to use quotes when the context contains a comma.\n\nThis patch modifies the option parsing in parse_opts(), contained in\nmount.c, to take options after finding a comma only if it hasn\u0027t seen a\nquote or if the quotes are matched. It also introduces a new function that\nwill strip the quotes from the context option prior to translation. The\nquotes are replaced after the translation is completed to insure that in\nthe event the raw context contains commas the kernel will be able to\ninterpret the correct context.\n\nSigned-off-by: Cory Olmo \u003ccolmo@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "b20c8122a3204496fca8b5343c93b60fe11dad04", "tree": "f807fb699dcec3f40a8de1a5c64f3653cf68bb6a", "parents": [ "bc7e982b84aceef0a040c88ff659eb5c83818f72" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Mon Sep 25 23:32:03 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Sep 26 08:48:53 2006 -0700" }, "message": "[PATCH] selinux: fix tty locking\n\nTake tty_mutex when accessing -\u003esignal-\u003etty in selinux code. Noted by Alan\nCox. Longer term, we are looking at refactoring the code to provide better\nencapsulation of the tty layer, but this is a simple fix that addresses the\nimmediate bug.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Alan Cox \u003calan@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "bc7e982b84aceef0a040c88ff659eb5c83818f72", "tree": "0e351e00c5fa90cd5b6a9b9f710e95ecb953b1f2", "parents": [ "23970741720360de9dd0a4e87fbeb1d5927aa474" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Sep 25 23:32:02 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Sep 26 08:48:53 2006 -0700" }, "message": "[PATCH] SELinux: convert sbsec semaphore to a mutex\n\nThis patch converts the semaphore in the superblock security struct to a\nmutex. No locking changes or other code changes are done.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "23970741720360de9dd0a4e87fbeb1d5927aa474", "tree": "2dc28ddfeae751a673d43e1925fd131d6ed3e222", "parents": [ "296fddf7513c155adbd3a443d12add1f62b5cddb" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Sep 25 23:32:01 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Sep 26 08:48:53 2006 -0700" }, "message": "[PATCH] SELinux: change isec semaphore to a mutex\n\nThis patch converts the remaining isec-\u003esem into a mutex. Very similar\nlocking is provided as before only in the faster smaller mutex rather than a\nsemaphore. An out_unlock path is introduced rather than the conditional\nunlocking found in the original code.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "296fddf7513c155adbd3a443d12add1f62b5cddb", "tree": "1fc7e3067f1b635b34a178fcb9a96b88bf5c626e", "parents": [ "f3f8771420737004da55159c2f2dc0b6f483a4ef" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Sep 25 23:32:00 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Sep 26 08:48:53 2006 -0700" }, "message": "[PATCH] SELinux: eliminate inode_security_set_security\n\ninode_security_set_sid is only called by security_inode_init_security, which\nis called when a new file is being created and needs to have its incore\nsecurity state initialized and its security xattr set. This helper used to be\ncalled in other places in the past, but now only has the one. So this patch\nrolls inode_security_set_sid directly back into security_inode_init_security.\nThere also is no need to hold the isec-\u003esem while doing this, as the inode is\nnot available to other threads at this point in time.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "99f59ed073d3c1b890690064ab285a201dea2e35", "tree": "0f6ae012cf4f988d3ae0c665fd3b12ea05409ec8", "parents": [ "fc747e82b40ea50a62eb2aef55bedd4465607cb0" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Aug 29 17:53:48 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:18:34 2006 -0700" }, "message": "[NetLabel]: Correctly initialize the NetLabel fields.\n\nFix a problem where the NetLabel specific fields of the sk_security_struct\nstructure were not being initialized early enough in some cases.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "9a673e563e543a5c8a6f9824562e55e807b8a56c", "tree": "53d26641175411b04ce7c755df72e515b3bf79ad", "parents": [ "97a4f3e7110619568aa239fe19143d9ec42dede5" ], "author": { "name": "Adrian Bunk", "email": "bunk@stusta.de", "time": "Tue Aug 15 00:03:53 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:54:44 2006 -0700" }, "message": "[SELINUX]: security/selinux/hooks.c: Make 4 functions static.\n\nThis patch makes four needlessly global functions static.\n\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "7420ed23a4f77480b5b7b3245e5da30dd24b7575", "tree": "016f5bb996c5eae66754b10243c5be6226d773f2", "parents": [ "96cb8e3313c7a12e026c1ed510522ae6f6023875" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Fri Aug 04 23:17:57 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:36 2006 -0700" }, "message": "[NetLabel]: SELinux support\n\nAdd NetLabel support to the SELinux LSM and modify the\nsocket_post_create() LSM hook to return an error code. The most\nsignificant part of this patch is the addition of NetLabel hooks into\nthe following SELinux LSM hooks:\n\n * selinux_file_permission()\n * selinux_socket_sendmsg()\n * selinux_socket_post_create()\n * selinux_socket_sock_rcv_skb()\n * selinux_socket_getpeersec_stream()\n * selinux_socket_getpeersec_dgram()\n * selinux_sock_graft()\n * selinux_inet_conn_request()\n\nThe basic reasoning behind this patch is that outgoing packets are\n\"NetLabel\u0027d\" by labeling their socket and the NetLabel security\nattributes are checked via the additional hook in\nselinux_socket_sock_rcv_skb(). NetLabel itself is only a labeling\nmechanism, similar to filesystem extended attributes, it is up to the\nSELinux enforcement mechanism to perform the actual access checks.\n\nIn addition to the changes outlined above this patch also includes\nsome changes to the extended bitmap (ebitmap) and multi-level security\n(mls) code to import and export SELinux TE/MLS attributes into and out\nof NetLabel.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a51c64f1e5c2876eab2a32955acd9e8015c91c15", "tree": "1cc49c6ee7a3135ea000956e5fef41ff4c8e2ebe", "parents": [ "4237c75c0a35535d7f9f2bfeeb4b4df1e068a0bf" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Thu Jul 27 22:01:34 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:30 2006 -0700" }, "message": "[MLSXFRM]: Fix build with SECURITY_NETWORK_XFRM disabled.\n\nThe following patch will fix the build problem (encountered by Andrew\nMorton) when SECURITY_NETWORK_XFRM is not enabled.\n\nAs compared to git-net-selinux_xfrm_decode_session-build-fix.patch in\n-mm, this patch sets the return parameter sid to SECSID_NULL in\nselinux_xfrm_decode_session() and handles this value in the caller\nselinux_inet_conn_request() appropriately.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "4237c75c0a35535d7f9f2bfeeb4b4df1e068a0bf", "tree": "02adcb6fe6c346a8b99cf161ba5233ed1e572727", "parents": [ "cb969f072b6d67770b559617f14e767f47e77ece" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:32:50 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:29 2006 -0700" }, "message": "[MLSXFRM]: Auto-labeling of child sockets\n\nThis automatically labels the TCP, Unix stream, and dccp child sockets\nas well as openreqs to be at the same MLS level as the peer. This will\nresult in the selection of appropriately labeled IPSec Security\nAssociations.\n\nThis also uses the sock\u0027s sid (as opposed to the isec sid) in SELinux\nenforcement of secmark in rcv_skb and postroute_last hooks.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "beb8d13bed80f8388f1a9a107d07ddd342e627e8", "tree": "19d5763b9b3b8ff3969997565e5ec0edd6e4bd33", "parents": [ "4e2ba18eae7f370c7c3ed96eaca747cc9b39f917" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Fri Aug 04 23:12:42 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:27 2006 -0700" }, "message": "[MLSXFRM]: Add flow labeling\n\nThis labels the flows that could utilize IPSec xfrms at the points the\nflows are defined so that IPSec policy and SAs at the right label can\nbe used.\n\nThe following protos are currently not handled, but they should\ncontinue to be able to use single-labeled IPSec like they currently\ndo.\n\nipmr\nip_gre\nipip\nigmp\nsit\nsctp\nip6_tunnel (IPv6 over IPv6 tunnel device)\ndecnet\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e0d1caa7b0d5f02e4f34aa09c695d04251310c6c", "tree": "bf023c17abf6813f2694ebf5fafff82edd6a1023", "parents": [ "b6340fcd761acf9249b3acbc95c4dc555d9beb07" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:29:07 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:24 2006 -0700" }, "message": "[MLSXFRM]: Flow based matching of xfrm policy and state\n\nThis implements a seemless mechanism for xfrm policy selection and\nstate matching based on the flow sid. This also includes the necessary\nSELinux enforcement pieces.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "892c141e62982272b9c738b5520ad0e5e1ad7b42", "tree": "c8e0c9b3e55106d2cb085a5047b9d02dbbb28653", "parents": [ "08554d6b33e60aa8ee40bbef94505941c0eefef2" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Fri Aug 04 23:08:56 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:22 2006 -0700" }, "message": "[MLSXFRM]: Add security sid to sock\n\nThis adds security for IP sockets at the sock level. Security at the\nsock level is needed to enforce the SELinux security policy for\nsecurity associations even when a sock is orphaned (such as in the TCP\nLAST_ACK state).\n\nThis will also be used to enforce SELinux controls over data arriving\nat or leaving a child socket while it\u0027s still waiting to be accepted.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "dc49c1f94e3469d94b952e8f5160dd4ccd791d79", "tree": "e47b1974c262a03dbabf0a148325d9089817e78e", "parents": [ "2b7e24b66d31d677d76b49918e711eb360c978b6" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Wed Aug 02 14:12:06 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Aug 02 14:12:06 2006 -0700" }, "message": "[AF_UNIX]: Kernel memory leak fix for af_unix datagram getpeersec patch\n\nFrom: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\n\nThis patch implements a cleaner fix for the memory leak problem of the\noriginal unix datagram getpeersec patch. Instead of creating a\nsecurity context each time a unix datagram is sent, we only create the\nsecurity context when the receiver requests it.\n\nThis new design requires modification of the current\nunix_getsecpeer_dgram LSM hook and addition of two new hooks, namely,\nsecid_to_secctx and release_secctx. The former retrieves the security\ncontext and the latter releases it. A hook is required for releasing\nthe security context because it is up to the security module to decide\nhow that\u0027s done. In the case of Selinux, it\u0027s a simple kfree\noperation.\n\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "b04ea3cebf79d6808632808072f276dbc98aaf01", "tree": "7620a01477510d9e4ae042baab17bce103b59185", "parents": [ "517e7aa5b022f9dc486639c7689666663daee24f" ], "author": { "name": "Eric Paris", "email": "eparis@parisplace.org", "time": "Fri Jul 14 00:24:33 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jul 14 21:53:55 2006 -0700" }, "message": "[PATCH] Fix security check for joint context\u003d and fscontext\u003d mount options\n\nAfter some discussion on the actual meaning of the filesystem class\nsecurity check in try context mount it was determined that the checks for\nthe context\u003d mount options were not correct if fscontext mount option had\nalready been used.\n\nWhen labeling the superblock we should be checking relabel_from and\nrelabel_to. But if the superblock has already been labeled (with\nfscontext) then context\u003d is actually labeling the inodes, and so we should\nbe checking relabel_from and associate. This patch fixes which checks are\ncalled depending on the mount options.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "0808925ea5684a0ce25483b30e94d4f398804978", "tree": "62456726442d656d21bc4fa6b1339f0236f0a6e8", "parents": [ "c312feb2931ded0582378712727b7ea017a951bd" ], "author": { "name": "Eric Paris", "email": "eparis@parisplace.org", "time": "Mon Jul 10 04:43:55 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jul 10 13:24:13 2006 -0700" }, "message": "[PATCH] SELinux: add rootcontext\u003d option to label root inode when mounting\n\nIntroduce a new rootcontext\u003d option to FS mounting. This option will allow\nyou to explicitly label the root inode of an FS being mounted before that\nFS or inode because visible to userspace. This was found to be useful for\nthings like stateless linux, see\nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id\u003d190001\n\nSigned-off-by: Eric Paris \u003ceparis@parisplace.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "c312feb2931ded0582378712727b7ea017a951bd", "tree": "dd985aa4dd0b759690af9557a5170dabf589d87f", "parents": [ "2ed6e34f88a0d896a6f889b00693cae0fadacfd0" ], "author": { "name": "Eric Paris", "email": "eparis@parisplace.org", "time": "Mon Jul 10 04:43:53 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jul 10 13:24:13 2006 -0700" }, "message": "[PATCH] SELinux: decouple fscontext/context mount options\n\nRemove the conflict between fscontext and context mount options. If\ncontext\u003d is specified without fscontext it will operate just as before, if\nboth are specified we will use mount point labeling and all inodes will get\nthe label specified by context\u003d. The superblock will be labeled with the\nlabel of fscontext\u003d, thus affecting operations which check the superblock\nsecurity context, such as associate permissions.\n\nSigned-off-by: Eric Paris \u003ceparis@parisplace.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "22a3e233ca08a2ddc949ba1ae8f6e16ec7ef1a13", "tree": "7ef158ba2c30e0dde2dc103d1904fae243759a6b", "parents": [ "39302175c26d74be35715c05a0f342c9e64c21bf", "6ab3d5624e172c553004ecc862bfeac16d9d68b7" ], "author": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jun 30 15:39:30 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jun 30 15:39:30 2006 -0700" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/bunk/trivial\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/bunk/trivial:\n Remove obsolete #include \u003clinux/config.h\u003e\n remove obsolete swsusp_encrypt\n arch/arm26/Kconfig typos\n Documentation/IPMI typos\n Kconfig: Typos in net/sched/Kconfig\n v9fs: do not include linux/version.h\n Documentation/DocBook/mtdnand.tmpl: typo fixes\n typo fixes: specfic -\u003e specific\n typo fixes in Documentation/networking/pktgen.txt\n typo fixes: occuring -\u003e occurring\n typo fixes: infomation -\u003e information\n typo fixes: disadvantadge -\u003e disadvantage\n typo fixes: aquire -\u003e acquire\n typo fixes: mecanism -\u003e mechanism\n typo fixes: bandwith -\u003e bandwidth\n fix a typo in the RTC_CLASS help text\n smb is no longer maintained\n\nManually merged trivial conflict in arch/um/kernel/vmlinux.lds.S\n" }, { "commit": "a1836a42daf5ddfe9a891973734bd9a7d62eb504", "tree": "e8819aec40aff3fa0eecd2ef9d92df8213bce58b", "parents": [ "7a01955f99b65622a00ba5c8b39202ddc6fa65f8" ], "author": { "name": "David Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jun 30 01:55:49 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jun 30 11:25:37 2006 -0700" }, "message": "[PATCH] SELinux: Add security hook definition for getioprio and insert hooks\n\nAdd a new security hook definition for the sys_ioprio_get operation. At\npresent, the SELinux hook function implementation for this hook is\nidentical to the getscheduler implementation but a separate hook is\nintroduced to allow this check to be specialized in the future if\nnecessary.\n\nThis patch also creates a helper function get_task_ioprio which handles the\naccess check in addition to retrieving the ioprio value for the task.\n\nSigned-off-by: David Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Jens Axboe \u003caxboe@suse.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "f9008e4c5c525941967b67777945aa6266ab6326", "tree": "a0c9436485b80d548ef74d5f1aec0f6d0309af6e", "parents": [ "ed11d9eb2228acc483c819ab353e3c41bcb158fa" ], "author": { "name": "David Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jun 30 01:55:46 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jun 30 11:25:36 2006 -0700" }, "message": "[PATCH] SELinux: extend task_kill hook to handle signals sent by AIO completion\n\nThis patch extends the security_task_kill hook to handle signals sent by AIO\ncompletion. In this case, the secid of the task responsible for the signal\nneeds to be obtained and saved earlier, so a security_task_getsecid() hook is\nadded, and then this saved value is passed subsequently to the extended\ntask_kill hook for use in checking.\n\nSigned-off-by: David Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "6ab3d5624e172c553004ecc862bfeac16d9d68b7", "tree": "6d98881fe91fd9583c109208d5c27131b93fa248", "parents": [ "e02169b682bc448ccdc819dc8639ed34a23cedd8" ], "author": { "name": "Jörn Engel", "email": "joern@wohnheim.fh-wedel.de", "time": "Fri Jun 30 19:25:36 2006 +0200" }, "committer": { "name": "Adrian Bunk", "email": "bunk@stusta.de", "time": "Fri Jun 30 19:25:36 2006 +0200" }, "message": "Remove obsolete #include \u003clinux/config.h\u003e\n\nSigned-off-by: Jörn Engel \u003cjoern@wohnheim.fh-wedel.de\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\n" }, { "commit": "877ce7c1b3afd69a9b1caeb1b9964c992641f52a", "tree": "740c6c0d4a2858af53c09c4635cadf06833536c1", "parents": [ "d6b4991ad5d1a9840e12db507be1a6593def01fe" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Thu Jun 29 12:27:47 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Jun 29 16:58:06 2006 -0700" }, "message": "[AF_UNIX]: Datagram getpeersec\n\nThis patch implements an API whereby an application can determine the\nlabel of its peer\u0027s Unix datagram sockets via the auxiliary data mechanism of\nrecvmsg.\n\nPatch purpose:\n\nThis patch enables a security-aware application to retrieve the\nsecurity context of the peer of a Unix datagram socket. The application\ncan then use this security context to determine the security context for\nprocessing on behalf of the peer who sent the packet.\n\nPatch design and implementation:\n\nThe design and implementation is very similar to the UDP case for INET\nsockets. Basically we build upon the existing Unix domain socket API for\nretrieving user credentials. Linux offers the API for obtaining user\ncredentials via ancillary messages (i.e., out of band/control messages\nthat are bundled together with a normal message). To retrieve the security\ncontext, the application first indicates to the kernel such desire by\nsetting the SO_PASSSEC option via getsockopt. Then the application\nretrieves the security context using the auxiliary data mechanism.\n\nAn example server application for Unix datagram socket should look like this:\n\ntoggle \u003d 1;\ntoggle_len \u003d sizeof(toggle);\n\nsetsockopt(sockfd, SOL_SOCKET, SO_PASSSEC, \u0026toggle, \u0026toggle_len);\nrecvmsg(sockfd, \u0026msg_hdr, 0);\nif (msg_hdr.msg_controllen \u003e sizeof(struct cmsghdr)) {\n cmsg_hdr \u003d CMSG_FIRSTHDR(\u0026msg_hdr);\n if (cmsg_hdr-\u003ecmsg_len \u003c\u003d CMSG_LEN(sizeof(scontext)) \u0026\u0026\n cmsg_hdr-\u003ecmsg_level \u003d\u003d SOL_SOCKET \u0026\u0026\n cmsg_hdr-\u003ecmsg_type \u003d\u003d SCM_SECURITY) {\n memcpy(\u0026scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext));\n }\n}\n\nsock_setsockopt is enhanced with a new socket option SOCK_PASSSEC to allow\na server socket to receive security context of the peer.\n\nTesting:\n\nWe have tested the patch by setting up Unix datagram client and server\napplications. We verified that the server can retrieve the security context\nusing the auxiliary data mechanism of recvmsg.\n\nSigned-off-by: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\nAcked-by: Acked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c7bdb545d23026b18be53289fd866d1ac07f5f8c", "tree": "6d9a218871d88f7579dd53f14692df2529b6e712", "parents": [ "576a30eb6453439b3c37ba24455ac7090c247b5a" ], "author": { "name": "Darrel Goeddel", "email": "dgoeddel@trustedcs.com", "time": "Tue Jun 27 13:26:11 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Jun 29 16:57:55 2006 -0700" }, "message": "[NETLINK]: Encapsulate eff_cap usage within security framework.\n\nThis patch encapsulates the usage of eff_cap (in netlink_skb_params) within\nthe security framework by extending security_netlink_recv to include a required\ncapability parameter and converting all direct usage of eff_caps outside\nof the lsm modules to use the interface. It also updates the SELinux\nimplementation of the security_netlink_send and security_netlink_recv\nhooks to take advantage of the sid in the netlink_skb_params struct.\nThis also enables SELinux to perform auditing of netlink capability checks.\nPlease apply, for 2.6.18 if possible.\n\nSigned-off-by: Darrel Goeddel \u003cdgoeddel@trustedcs.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "28eba5bf9d4bf3ba4d58d985abf3a2903b7f2125", "tree": "e825fc3fb6bdd81ae0aa146572406eb69bc5404b", "parents": [ "76b67ed9dce69a6a329cdd66f94af1787f417b62" ], "author": { "name": "Michael LeMay", "email": "mdlemay@epoch.ncsc.mil", "time": "Tue Jun 27 02:53:42 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Jun 27 17:32:37 2006 -0700" }, "message": "[PATCH] selinux: inherit /proc/self/attr/keycreate across fork\n\nUpdate SELinux to cause the keycreate process attribute held in\n/proc/self/attr/keycreate to be inherited across a fork and reset upon\nexecve. This is consistent with the handling of the other process\nattributes provided by SELinux and also makes it simpler to adapt logon\nprograms to properly handle the keycreate attribute.\n\nSigned-off-by: Michael LeMay \u003cmdlemay@epoch.ncsc.mil\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "42c3e03ef6b298813557cdb997bd6db619cd65a2", "tree": "c2fba776ccf7015d45651ff7d2aee89f06da6f42", "parents": [ "c1df7fb88a011b39ea722ac00975c5b8a803261b" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Jun 26 00:26:03 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:26 2006 -0700" }, "message": "[PATCH] SELinux: Add sockcreate node to procattr API\n\nBelow is a patch to add a new /proc/self/attr/sockcreate A process may write a\ncontext into this interface and all subsequent sockets created will be labeled\nwith that context. This is the same idea as the fscreate interface where a\nprocess can specify the label of a file about to be created. At this time one\nenvisioned user of this will be xinetd. It will be able to better label\nsockets for the actual services. At this time all sockets take the label of\nthe creating process, so all xinitd sockets would just be labeled the same.\n\nI tested this by creating a tcp sender and listener. The sender was able to\nwrite to this new proc file and then create sockets with the specified label.\nI am able to be sure the new label was used since the avc denial messages\nkicked out by the kernel included both the new security permission\nsetsockcreate and all the socket denials were for the new label, not the label\nof the running process.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "4eb582cf1fbd7b9e5f466e3718a59c957e75254e", "tree": "4387e460a50efa8d46a54526d0cf0959c0e3b428", "parents": [ "06ec7be557a1259611d6093a00463c42650dc71a" ], "author": { "name": "Michael LeMay", "email": "mdlemay@epoch.ncsc.mil", "time": "Mon Jun 26 00:24:57 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: add a way to store the appropriate context for newly-created keys\n\nAdd a /proc/\u003cpid\u003e/attr/keycreate entry that stores the appropriate context for\nnewly-created keys. Modify the selinux_key_alloc hook to make use of the new\nentry. Update the flask headers to include a new \"setkeycreate\" permission\nfor processes. Update the flask headers to include a new \"create\" permission\nfor keys. Use the create permission to restrict which SIDs each task can\nassign to newly-created keys. Add a new parameter to the security hook\n\"security_key_alloc\" to indicate whether it is being invoked by the kernel, or\nfrom userspace. If it is being invoked by the kernel, the security hook\nshould never fail. Update the documentation to reflect these changes.\n\nSigned-off-by: Michael LeMay \u003cmdlemay@epoch.ncsc.mil\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "7e047ef5fe2d52e83020e856b1bf2556a6a2ce98", "tree": "97656e2c56a27be9d1da451dde627b693b8643f2", "parents": [ "f116629d03655adaf7832b93b03c99391d09d4a7" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Jun 26 00:24:50 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: sort out key quota system\n\nAdd the ability for key creation to overrun the user\u0027s quota in some\ncircumstances - notably when a session keyring is created and assigned to a\nprocess that didn\u0027t previously have one.\n\nThis means it\u0027s still possible to log in, should PAM require the creation of a\nnew session keyring, and fix an overburdened key quota.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "35601547baf92d984b6e59cf3583649da04baea5", "tree": "a392501e6e004ed33789dbf3f7a9fe43295439e1", "parents": [ "22fb52dd736a62e24c44c50739007496265dc38c" ], "author": { "name": "David Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jun 23 02:04:01 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jun 23 07:42:54 2006 -0700" }, "message": "[PATCH] SELinux: add task_movememory hook\n\nThis patch adds new security hook, task_movememory, to be called when memory\nowened by a task is to be moved (e.g. when migrating pages to a this hook is\nidentical to the setscheduler implementation, but a separate hook introduced\nto allow this check to be specialized in the future if necessary.\n\nSince the last posting, the hook has been renamed following feedback from\nChristoph Lameter.\n\nSigned-off-by: David Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Christoph Lameter \u003cclameter@sgi.com\u003e\nCc: Andi Kleen \u003cak@muc.de\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "03e68060636e05989ea94bcb671ab633948f328c", "tree": "aee5e7b55f31998536dd3a4f54f38caeee6105d6", "parents": [ "9216dfad4fc97ab639ef0885efc713f3d7a20d5b" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jun 23 02:03:58 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jun 23 07:42:53 2006 -0700" }, "message": "[PATCH] lsm: add task_setioprio hook\n\nImplement an LSM hook for setting a task\u0027s IO priority, similar to the hook\nfor setting a tasks\u0027s nice value.\n\nA previous version of this LSM hook was included in an older version of\nmultiadm by Jan Engelhardt, although I don\u0027t recall it being submitted\nupstream.\n\nAlso included is the corresponding SELinux hook, which re-uses the setsched\npermission in the proccess class.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Jan Engelhardt \u003cjengelh@linux01.gwdg.de\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Jens Axboe \u003caxboe@suse.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "726c334223180e3c0197cc980a432681370d4baf", "tree": "8327b354bb3dc959a6606051ae6f8d4d035e38a2", "parents": [ "454e2398be9b9fa30433fccc548db34d19aa9958" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Jun 23 02:02:58 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jun 23 07:42:45 2006 -0700" }, "message": "[PATCH] VFS: Permit filesystem to perform statfs with a known root dentry\n\nGive the statfs superblock operation a dentry pointer rather than a superblock\npointer.\n\nThis complements the get_sb() patch. That reduced the significance of\nsb-\u003es_root, allowing NFS to place a fake root there. However, NFS does\nrequire a dentry to use as a target for the statfs operation. This permits\nthe root in the vfsmount to be used instead.\n\nlinux/mount.h has been added where necessary to make allyesconfig build\nsuccessfully.\n\nInterest has also been expressed for use with the FUSE and XFS filesystems.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Nathan Scott \u003cnathans@sgi.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "d720024e94de4e8b7f10ee83c532926f3ad5d708", "tree": "8f21613c29a26bfbeb334cb0104b8b998b09fbdc", "parents": [ "f893afbe1262e27e91234506f72e17716190dd2f" ], "author": { "name": "Michael LeMay", "email": "mdlemay@epoch.ncsc.mil", "time": "Thu Jun 22 14:47:17 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Thu Jun 22 15:05:55 2006 -0700" }, "message": "[PATCH] selinux: add hooks for key subsystem\n\nIntroduce SELinux hooks to support the access key retention subsystem\nwithin the kernel. Incorporate new flask headers from a modified version\nof the SELinux reference policy, with support for the new security class\nrepresenting retained keys. Extend the \"key_alloc\" security hook with a\ntask parameter representing the intended ownership context for the key\nbeing allocated. Attach security information to root\u0027s default keyrings\nwithin the SELinux initialization routine.\n\nHas passed David\u0027s testsuite.\n\nSigned-off-by: Michael LeMay \u003cmdlemay@epoch.ncsc.mil\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "4e5ab4cb85683cf77b507ba0c4d48871e1562305", "tree": "aef7ba8b6050fcaccbaf0d05f8e5ba860a143eaf", "parents": [ "100468e9c05c10fb6872751c1af523b996d6afa9" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jun 09 00:33:33 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:30:05 2006 -0700" }, "message": "[SECMARK]: Add new packet controls to SELinux\n\nAdd new per-packet access controls to SELinux, replacing the old\npacket controls.\n\nPackets are labeled with the iptables SECMARK and CONNSECMARK targets,\nthen security policy for the packets is enforced with these controls.\n\nTo allow for a smooth transition to the new controls, the old code is\nstill present, but not active by default. To restore previous\nbehavior, the old controls may be activated at runtime by writing a\n\u00271\u0027 to /selinux/compat_net, and also via the kernel boot parameter\nselinux_compat_net. Switching between the network control models\nrequires the security load_policy permission. The old controls will\nprobably eventually be removed and any continued use is discouraged.\n\nWith this patch, the new secmark controls for SElinux are disabled by\ndefault, so existing behavior is entirely preserved, and the user is\nnot affected at all.\n\nIt also provides a config option to enable the secmark controls by\ndefault (which can always be overridden at boot and runtime). It is\nalso noted in the kconfig help that the user will need updated\nuserspace if enabling secmark controls for SELinux and that they\u0027ll\nprobably need the SECMARK and CONNMARK targets, and conntrack protocol\nhelpers, although such decisions are beyond the scope of kernel\nconfiguration.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "3e3ff15e6d8ba931fa9a6c7f9fe711edc77e96e5", "tree": "e3b3edcf5092e9533539f6e8abdda83eee2cb96d", "parents": [ "6f68dc37759b1d6ff3b4d4a9d097605a09f8f043" ], "author": { "name": "Christopher J. PeBenito", "email": "cpebenito@tresys.com", "time": "Fri Jun 09 00:25:03 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:29:51 2006 -0700" }, "message": "[SELINUX]: add security class for appletalk sockets\n\nAdd a security class for appletalk sockets so that they can be\ndistinguished in SELinux policy. Please apply.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c8c05a8eec6f1258f6d5cb71a44ee5dc1e989b63", "tree": "b4a04dd9e2b940cb5b2911fb67fbe49c5f8b3fbf", "parents": [ "cec6f7f39c3db7d9f6091bf2f8fc8d520f372719" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Thu Jun 08 23:39:49 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:29:45 2006 -0700" }, "message": "[LSM-IPsec]: SELinux Authorize\n\nThis patch contains a fix for the previous patch that adds security\ncontexts to IPsec policies and security associations. In the previous\npatch, no authorization (besides the check for write permissions to\nSAD and SPD) is required to delete IPsec policies and security\nassocations with security contexts. Thus a user authorized to change\nSAD and SPD can bypass the IPsec policy authorization by simply\ndeleteing policies with security contexts. To fix this security hole,\nan additional authorization check is added for removing security\npolicies and security associations with security contexts.\n\nNote that if no security context is supplied on add or present on\npolicy to be deleted, the SELinux module allows the change\nunconditionally. The hook is called on deletion when no context is\npresent, which we may want to change. At present, I left it up to the\nmodule.\n\nLSM changes:\n\nThe patch adds two new LSM hooks: xfrm_policy_delete and\nxfrm_state_delete. The new hooks are necessary to authorize deletion\nof IPsec policies that have security contexts. The existing hooks\nxfrm_policy_free and xfrm_state_free lack the context to do the\nauthorization, so I decided to split authorization of deletion and\nmemory management of security data, as is typical in the LSM\ninterface.\n\nUse:\n\nThe new delete hooks are checked when xfrm_policy or xfrm_state are\ndeleted by either the xfrm_user interface (xfrm_get_policy,\nxfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).\n\nSELinux changes:\n\nThe new policy_delete and state_delete functions are added.\n\nSigned-off-by: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "ba0c19ed6a61a96d4b42b81cb19d4bc81b5f728c", "tree": "5e6d1774265140f1f4eddab043c90920414abe59", "parents": [ "93ff66bf1ef29881dffd6fdc344555dab03cdb42" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Sun Jun 04 02:51:30 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 05 12:29:16 2006 -0700" }, "message": "[PATCH] selinux: fix sb_lock/sb_security_lock nesting\n\nFrom: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n\nFix unsafe nesting of sb_lock inside sb_security_lock in\nselinux_complete_init. Detected by the kernel locking validator.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "d4e9dc63dca91cd89086b5a686d7f7635c8319e5", "tree": "c6ec1b8801d8e526e0d7373b7cd91e46f20a4299", "parents": [ "df88912a2165f56a7402db80126cf8ea075221fe" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Sat May 20 15:00:02 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun May 21 12:59:17 2006 -0700" }, "message": "[PATCH] selinux: endian fix\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" } ], "next": "30d55280b867aa0cae99f836ad0181bb0bf8f9cb" }