)]}' { "log": [ { "commit": "ca05a99a54db1db5bca72eccb5866d2a86f8517f", "tree": "b39fba6604da4b4f77103d2769bb783118b9b508", "parents": [ "cc94bc37d5e02aaf8a6409a28e3c62bbd479b9a8" ], "author": { "name": "Andrew G. Morgan", "email": "morgan@kernel.org", "time": "Tue May 27 22:05:17 2008 -0700" }, "committer": { "name": "Chris Wright", "email": "chrisw@sous-sol.org", "time": "Sat May 31 16:36:16 2008 -0700" }, "message": "capabilities: remain source compatible with 32-bit raw legacy capability support.\n\nSource code out there hard-codes a notion of what the\n_LINUX_CAPABILITY_VERSION #define means in terms of the semantics of the\nraw capability system calls capget() and capset(). Its unfortunate, but\ntrue.\n\nSince the confusing header file has been in a released kernel, there is\nsoftware that is erroneously using 64-bit capabilities with the semantics\nof 32-bit compatibilities. These recently compiled programs may suffer\ncorruption of their memory when sys_getcap() overwrites more memory than\nthey are coded to expect, and the raising of added capabilities when using\nsys_capset().\n\nAs such, this patch does a number of things to clean up the situation\nfor all. It\n\n 1. forces the _LINUX_CAPABILITY_VERSION define to always retain its\n legacy value.\n\n 2. adopts a new #define strategy for the kernel\u0027s internal\n implementation of the preferred magic.\n\n 3. deprecates v2 capability magic in favor of a new (v3) magic\n number. The functionality of v3 is entirely equivalent to v2,\n the only difference being that the v2 magic causes the kernel\n to log a \"deprecated\" warning so the admin can find applications\n that may be using v2 inappropriately.\n\n[User space code continues to be encouraged to use the libcap API which\nprotects the application from details like this. libcap-2.10 is the first\nto support v3 capabilities.]\n\nFixes issue reported in https://bugzilla.redhat.com/show_bug.cgi?id\u003d447518.\nThanks to Bojan Smojver for the report.\n\n[akpm@linux-foundation.org: s/depreciate/deprecate/g]\n[akpm@linux-foundation.org: be robust about put_user size]\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Bojan Smojver \u003cbojan@rexursive.com\u003e\nCc: stable@kernel.org\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\n" }, { "commit": "25f2ea9fc8c7ec34d351cef7dade2e8046e49ed1", "tree": "d261d4fb8bb751ddf23e64b09d960b1a2ad77116", "parents": [ "7bf570dc8dcf76df2a9f583bef2da96d4289ed0d" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 20:54:28 2008 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 13:22:56 2008 -0700" }, "message": "Security: Typecast CAP_*_SET macros\n\nCast the CAP_*_SET macros to be of kernel_cap_t type to avoid compiler\nwarnings.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3898b1b4ebff8dcfbcf1807e0661585e06c9a91c", "tree": "69a338864dfe654f68064a599c5d0da460df34ac", "parents": [ "4016a1390d07f15b267eecb20e76a48fd5c524ef" ], "author": { "name": "Andrew G. Morgan", "email": "morgan@kernel.org", "time": "Mon Apr 28 02:13:40 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 28 08:58:26 2008 -0700" }, "message": "capabilities: implement per-process securebits\n\nFilesystem capability support makes it possible to do away with (set)uid-0\nbased privilege and use capabilities instead. That is, with filesystem\nsupport for capabilities but without this present patch, it is (conceptually)\npossible to manage a system with capabilities alone and never need to obtain\nprivilege via (set)uid-0.\n\nOf course, conceptually isn\u0027t quite the same as currently possible since few\nuser applications, certainly not enough to run a viable system, are currently\nprepared to leverage capabilities to exercise privilege. Further, many\napplications exist that may never get upgraded in this way, and the kernel\nwill continue to want to support their setuid-0 base privilege needs.\n\nWhere pure-capability applications evolve and replace setuid-0 binaries, it is\ndesirable that there be a mechanisms by which they can contain their\nprivilege. In addition to leveraging the per-process bounding and inheritable\nsets, this should include suppressing the privilege of the uid-0 superuser\nfrom the process\u0027 tree of children.\n\nThe feature added by this patch can be leveraged to suppress the privilege\nassociated with (set)uid-0. This suppression requires CAP_SETPCAP to\ninitiate, and only immediately affects the \u0027current\u0027 process (it is inherited\nthrough fork()/exec()). This reimplementation differs significantly from the\nhistorical support for securebits which was system-wide, unwieldy and which\nhas ultimately withered to a dead relic in the source of the modern kernel.\n\nWith this patch applied a process, that is capable(CAP_SETPCAP), can now drop\nall legacy privilege (through uid\u003d0) for itself and all subsequently\nfork()\u0027d/exec()\u0027d children with:\n\n prctl(PR_SET_SECUREBITS, 0x2f);\n\nThis patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES is\nenabled at configure time.\n\n[akpm@linux-foundation.org: fix uninitialised var warning]\n[serue@us.ibm.com: capabilities: use cap_task_prctl when !CONFIG_SECURITY]\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "e114e473771c848c3cfec05f0123e70f1cdbdc99", "tree": "933b840f3ccac6860da56291c742094f9b5a20cb", "parents": [ "eda61d32e8ad1d9102872f9a0abf3344bf9c5e67" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Mon Feb 04 22:29:50 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "Smack: Simplified Mandatory Access Control Kernel\n\nSmack is the Simplified Mandatory Access Control Kernel.\n\nSmack implements mandatory access control (MAC) using labels\nattached to tasks and data containers, including files, SVIPC,\nand other tasks. Smack is a kernel based scheme that requires\nan absolute minimum of application support and a very small\namount of configuration data.\n\nSmack uses extended attributes and\nprovides a set of general mount options, borrowing technics used\nelsewhere. Smack uses netlabel for CIPSO labeling. Smack provides\na pseudo-filesystem smackfs that is used for manipulation of\nsystem Smack attributes.\n\nThe patch, patches for ls and sshd, a README, a startup script,\nand x86 binaries for ls and sshd are also available on\n\n http://www.schaufler-ca.com\n\nDevelopment has been done using Fedora Core 7 in a virtual machine\nenvironment and on an old Sony laptop.\n\nSmack provides mandatory access controls based on the label attached\nto a task and the label attached to the object it is attempting to\naccess. Smack labels are deliberately short (1-23 characters) text\nstrings. Single character labels using special characters are reserved\nfor system use. The only operation applied to Smack labels is equality\ncomparison. No wildcards or expressions, regular or otherwise, are\nused. Smack labels are composed of printable characters and may not\ninclude \"/\".\n\nA file always gets the Smack label of the task that created it.\n\nSmack defines and uses these labels:\n\n \"*\" - pronounced \"star\"\n \"_\" - pronounced \"floor\"\n \"^\" - pronounced \"hat\"\n \"?\" - pronounced \"huh\"\n\nThe access rules enforced by Smack are, in order:\n\n1. Any access requested by a task labeled \"*\" is denied.\n2. A read or execute access requested by a task labeled \"^\"\n is permitted.\n3. A read or execute access requested on an object labeled \"_\"\n is permitted.\n4. Any access requested on an object labeled \"*\" is permitted.\n5. Any access requested by a task on an object with the same\n label is permitted.\n6. Any access requested that is explicitly defined in the loaded\n rule set is permitted.\n7. Any other access is denied.\n\nRules may be explicitly defined by writing subject,object,access\ntriples to /smack/load.\n\nSmack rule sets can be easily defined that describe Bell\u0026LaPadula\nsensitivity, Biba integrity, and a variety of interesting\nconfigurations. Smack rule sets can be modified on the fly to\naccommodate changes in the operating environment or even the time\nof day.\n\nSome practical use cases:\n\nHierarchical levels. The less common of the two usual uses\nfor MLS systems is to define hierarchical levels, often\nunclassified, confidential, secret, and so on. To set up smack\nto support this, these rules could be defined:\n\n C Unclass rx\n S C rx\n S Unclass rx\n TS S rx\n TS C rx\n TS Unclass rx\n\nA TS process can read S, C, and Unclass data, but cannot write it.\nAn S process can read C and Unclass. Note that specifying that\nTS can read S and S can read C does not imply TS can read C, it\nhas to be explicitly stated.\n\nNon-hierarchical categories. This is the more common of the\nusual uses for an MLS system. Since the default rule is that a\nsubject cannot access an object with a different label no\naccess rules are required to implement compartmentalization.\n\nA case that the Bell \u0026 LaPadula policy does not allow is demonstrated\nwith this Smack access rule:\n\nA case that Bell\u0026LaPadula does not allow that Smack does:\n\n ESPN ABC r\n ABC ESPN r\n\nOn my portable video device I have two applications, one that\nshows ABC programming and the other ESPN programming. ESPN wants\nto show me sport stories that show up as news, and ABC will\nonly provide minimal information about a sports story if ESPN\nis covering it. Each side can look at the other\u0027s info, neither\ncan change the other. Neither can see what FOX is up to, which\nis just as well all things considered.\n\nAnother case that I especially like:\n\n SatData Guard w\n Guard Publish w\n\nA program running with the Guard label opens a UDP socket and\naccepts messages sent by a program running with a SatData label.\nThe Guard program inspects the message to ensure it is wholesome\nand if it is sends it to a program running with the Publish label.\nThis program then puts the information passed in an appropriate\nplace. Note that the Guard program cannot write to a Publish\nfile system object because file system semanitic require read as\nwell as write.\n\nThe four cases (categories, levels, mutual read, guardbox) here\nare all quite real, and problems I\u0027ve been asked to solve over\nthe years. The first two are easy to do with traditonal MLS systems\nwhile the last two you can\u0027t without invoking privilege, at least\nfor a while.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Joshua Brindle \u003cmethod@manicmethod.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \"Ahmed S. Darwish\" \u003cdarwish.07@gmail.com\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3b7391de67da515c91f48aa371de77cb6cc5c07e", "tree": "22b9f5d9d1c36b374eb5765219aca3c7e1f23486", "parents": [ "46c383cc4530ccc438cb325e92e11eb21dd3d4fc" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Mon Feb 04 22:29:45 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "capabilities: introduce per-process capability bounding set\n\nThe capability bounding set is a set beyond which capabilities cannot grow.\n Currently cap_bset is per-system. It can be manipulated through sysctl,\nbut only init can add capabilities. Root can remove capabilities. By\ndefault it includes all caps except CAP_SETPCAP.\n\nThis patch makes the bounding set per-process when file capabilities are\nenabled. It is inherited at fork from parent. Noone can add elements,\nCAP_SETPCAP is required to remove them.\n\nOne example use of this is to start a safer container. For instance, until\ndevice namespaces or per-container device whitelists are introduced, it is\nbest to take CAP_MKNOD away from a container.\n\nThe bounding set will not affect pP and pE immediately. It will only\naffect pP\u0027 and pE\u0027 after subsequent exec()s. It also does not affect pI,\nand exec() does not constrain pI\u0027. So to really start a shell with no way\nof regain CAP_MKNOD, you would do\n\n\tprctl(PR_CAPBSET_DROP, CAP_MKNOD);\n\tcap_t cap \u003d cap_get_proc();\n\tcap_value_t caparray[1];\n\tcaparray[0] \u003d CAP_MKNOD;\n\tcap_set_flag(cap, CAP_INHERITABLE, 1, caparray, CAP_DROP);\n\tcap_set_proc(cap);\n\tcap_free(cap);\n\nThe following test program will get and set the bounding\nset (but not pI). For instance\n\n\t./bset get\n\t\t(lists capabilities in bset)\n\t./bset drop cap_net_raw\n\t\t(starts shell with new bset)\n\t\t(use capset, setuid binary, or binary with\n\t\tfile capabilities to try to increase caps)\n\n************************************************************\ncap_bound.c\n************************************************************\n #include \u003csys/prctl.h\u003e\n #include \u003clinux/capability.h\u003e\n #include \u003csys/types.h\u003e\n #include \u003cunistd.h\u003e\n #include \u003cstdio.h\u003e\n #include \u003cstdlib.h\u003e\n #include \u003cstring.h\u003e\n\n #ifndef PR_CAPBSET_READ\n #define PR_CAPBSET_READ 23\n #endif\n\n #ifndef PR_CAPBSET_DROP\n #define PR_CAPBSET_DROP 24\n #endif\n\nint usage(char *me)\n{\n\tprintf(\"Usage: %s get\\n\", me);\n\tprintf(\" %s drop \u003ccapability\u003e\\n\", me);\n\treturn 1;\n}\n\n #define numcaps 32\nchar *captable[numcaps] \u003d {\n\t\"cap_chown\",\n\t\"cap_dac_override\",\n\t\"cap_dac_read_search\",\n\t\"cap_fowner\",\n\t\"cap_fsetid\",\n\t\"cap_kill\",\n\t\"cap_setgid\",\n\t\"cap_setuid\",\n\t\"cap_setpcap\",\n\t\"cap_linux_immutable\",\n\t\"cap_net_bind_service\",\n\t\"cap_net_broadcast\",\n\t\"cap_net_admin\",\n\t\"cap_net_raw\",\n\t\"cap_ipc_lock\",\n\t\"cap_ipc_owner\",\n\t\"cap_sys_module\",\n\t\"cap_sys_rawio\",\n\t\"cap_sys_chroot\",\n\t\"cap_sys_ptrace\",\n\t\"cap_sys_pacct\",\n\t\"cap_sys_admin\",\n\t\"cap_sys_boot\",\n\t\"cap_sys_nice\",\n\t\"cap_sys_resource\",\n\t\"cap_sys_time\",\n\t\"cap_sys_tty_config\",\n\t\"cap_mknod\",\n\t\"cap_lease\",\n\t\"cap_audit_write\",\n\t\"cap_audit_control\",\n\t\"cap_setfcap\"\n};\n\nint getbcap(void)\n{\n\tint comma\u003d0;\n\tunsigned long i;\n\tint ret;\n\n\tprintf(\"i know of %d capabilities\\n\", numcaps);\n\tprintf(\"capability bounding set:\");\n\tfor (i\u003d0; i\u003cnumcaps; i++) {\n\t\tret \u003d prctl(PR_CAPBSET_READ, i);\n\t\tif (ret \u003c 0)\n\t\t\tperror(\"prctl\");\n\t\telse if (ret\u003d\u003d1)\n\t\t\tprintf(\"%s%s\", (comma++) ? \", \" : \" \", captable[i]);\n\t}\n\tprintf(\"\\n\");\n\treturn 0;\n}\n\nint capdrop(char *str)\n{\n\tunsigned long i;\n\n\tint found\u003d0;\n\tfor (i\u003d0; i\u003cnumcaps; i++) {\n\t\tif (strcmp(captable[i], str) \u003d\u003d 0) {\n\t\t\tfound\u003d1;\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (!found)\n\t\treturn 1;\n\tif (prctl(PR_CAPBSET_DROP, i)) {\n\t\tperror(\"prctl\");\n\t\treturn 1;\n\t}\n\treturn 0;\n}\n\nint main(int argc, char *argv[])\n{\n\tif (argc\u003c2)\n\t\treturn usage(argv[0]);\n\tif (strcmp(argv[1], \"get\")\u003d\u003d0)\n\t\treturn getbcap();\n\tif (strcmp(argv[1], \"drop\")!\u003d0 || argc\u003c3)\n\t\treturn usage(argv[0]);\n\tif (capdrop(argv[2])) {\n\t\tprintf(\"unknown capability\\n\");\n\t\treturn 1;\n\t}\n\treturn execl(\"/bin/bash\", \"/bin/bash\", NULL);\n}\n************************************************************\n\n[serue@us.ibm.com: fix typo]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003ea\nSigned-off-by: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nTested-by: Jiri Slaby \u003cjirislaby@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "46c383cc4530ccc438cb325e92e11eb21dd3d4fc", "tree": "882b84078780844dffa3fc107adf2a053a25cc7f", "parents": [ "e338d263a76af78fe8f38a72131188b58fceb591" ], "author": { "name": "Andrew Morgan", "email": "andrew@nagrom.org", "time": "Mon Feb 04 22:29:43 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "Remove unnecessary include from include/linux/capability.h\n\nKaiGai Kohei observed that this line in the linux header is not needed.\n\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: KaiGai Kohei \u003ckaigai@kaigai.gr.jp\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "e338d263a76af78fe8f38a72131188b58fceb591", "tree": "f3f046fc6fd66de43de7191830f0daf3bc4ec8eb", "parents": [ "8f6936f4d29aa14e54a2470b954a2e1f96322988" ], "author": { "name": "Andrew Morgan", "email": "morgan@kernel.org", "time": "Mon Feb 04 22:29:42 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "Add 64-bit capability support to the kernel\n\nThe patch supports legacy (32-bit) capability userspace, and where possible\ntranslates 32-bit capabilities to/from userspace and the VFS to 64-bit\nkernel space capabilities. If a capability set cannot be compressed into\n32-bits for consumption by user space, the system call fails, with -ERANGE.\n\nFWIW libcap-2.00 supports this change (and earlier capability formats)\n\n http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/\n\n[akpm@linux-foundation.org: coding-syle fixes]\n[akpm@linux-foundation.org: use get_task_comm()]\n[ezk@cs.sunysb.edu: build fix]\n[akpm@linux-foundation.org: do not initialise statics to 0 or NULL]\n[akpm@linux-foundation.org: unused var]\n[serue@us.ibm.com: export __cap_ symbols]\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Erez Zadok \u003cezk@cs.sunysb.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8f6936f4d29aa14e54a2470b954a2e1f96322988", "tree": "63e1bca33b783cf819b356f3ffd45cfe7b226654", "parents": [ "4bea58053f206be9a89ca35850f9ad295dac2042" ], "author": { "name": "Andrew Morton", "email": "akpm@linux-foundation.org", "time": "Mon Feb 04 22:29:41 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "revert \"capabilities: clean up file capability reading\"\n\nRevert b68680e4731abbd78863063aaa0dca2a6d8cc723 to make way for the next\npatch: \"Add 64-bit capability support to the kernel\".\n\nWe want to keep the vfs_cap_data.data[] structure, using two \u0027data\u0027s for\n64-bit caps (and later three for 96-bit caps), whereas\nb68680e4731abbd78863063aaa0dca2a6d8cc723 had gotten rid of the \u0027data\u0027 struct\nmade its members inline.\n\nThe 64-bit caps patch keeps the stack abuse fix at get_file_caps(), which was\nthe more important part of that patch.\n\n[akpm@linux-foundation.org: coding-style fixes]\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b68680e4731abbd78863063aaa0dca2a6d8cc723", "tree": "6c546575432b34abb27a54b51f549071d2819282", "parents": [ "b9049e234401e1fad8459d69a952b174d76c399d" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Sun Oct 21 16:41:38 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Oct 22 08:13:18 2007 -0700" }, "message": "capabilities: clean up file capability reading\n\nSimplify the vfs_cap_data structure.\n\nAlso fix get_file_caps which was declaring\n__le32 v1caps[XATTR_CAPS_SZ] on the stack, but\nXATTR_CAPS_SZ is already * sizeof(__le32).\n\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "72c2d5823fc7be799a12184974c3bdc57acea3c4", "tree": "5c17418efb57cd5b2cdc0d751f577b2c64012423", "parents": [ "7058cb02ddab4bce70a46e519804fccb7ac0a060" ], "author": { "name": "Andrew Morgan", "email": "morgan@kernel.org", "time": "Thu Oct 18 03:05:59 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Oct 18 14:37:24 2007 -0700" }, "message": "V3 file capabilities: alter behavior of cap_setpcap\n\nThe non-filesystem capability meaning of CAP_SETPCAP is that a process, p1,\ncan change the capabilities of another process, p2. This is not the\nmeaning that was intended for this capability at all, and this\nimplementation came about purely because, without filesystem capabilities,\nthere was no way to use capabilities without one process bestowing them on\nanother.\n\nSince we now have a filesystem support for capabilities we can fix the\nimplementation of CAP_SETPCAP.\n\nThe most significant thing about this change is that, with it in effect, no\nprocess can set the capabilities of another process.\n\nThe capabilities of a program are set via the capability convolution\nrules:\n\n pI(post-exec) \u003d pI(pre-exec)\n pP(post-exec) \u003d (X(aka cap_bset) \u0026 fP) | (pI(post-exec) \u0026 fI)\n pE(post-exec) \u003d fE ? pP(post-exec) : 0\n\nat exec() time. As such, the only influence the pre-exec() program can\nhave on the post-exec() program\u0027s capabilities are through the pI\ncapability set.\n\nThe correct implementation for CAP_SETPCAP (and that enabled by this patch)\nis that it can be used to add extra pI capabilities to the current process\n- to be picked up by subsequent exec()s when the above convolution rules\nare applied.\n\nHere is how it works:\n\nLet\u0027s say we have a process, p. It has capability sets, pE, pP and pI.\nGenerally, p, can change the value of its own pI to pI\u0027 where\n\n (pI\u0027 \u0026 ~pI) \u0026 ~pP \u003d 0.\n\nThat is, the only new things in pI\u0027 that were not present in pI need to\nbe present in pP.\n\nThe role of CAP_SETPCAP is basically to permit changes to pI beyond\nthe above:\n\n if (pE \u0026 CAP_SETPCAP) {\n pI\u0027 \u003d anything; /* ie., even (pI\u0027 \u0026 ~pI) \u0026 ~pP !\u003d 0 */\n }\n\nThis capability is useful for things like login, which (say, via\npam_cap) might want to raise certain inheritable capabilities for use\nby the children of the logged-in user\u0027s shell, but those capabilities\nare not useful to or needed by the login program itself.\n\nOne such use might be to limit who can run ping. You set the\ncapabilities of the \u0027ping\u0027 program to be \"\u003d cap_net_raw+i\", and then\nonly shells that have (pI \u0026 CAP_NET_RAW) will be able to run\nit. Without CAP_SETPCAP implemented as described above, login(pam_cap)\nwould have to also have (pP \u0026 CAP_NET_RAW) in order to raise this\ncapability and pass it on through the inheritable set.\n\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b53767719b6cd8789392ea3e7e2eb7b8906898f0", "tree": "a0279dc93c79b94d3865b0f19f6b7b353e20608c", "parents": [ "57c521ce6125e15e99e56c902cb8da96bee7b36d" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Tue Oct 16 23:31:36 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "Implement file posix capabilities\n\nImplement file posix capabilities. This allows programs to be given a\nsubset of root\u0027s powers regardless of who runs them, without having to use\nsetuid and giving the binary all of root\u0027s powers.\n\nThis version works with Kaigai Kohei\u0027s userspace tools, found at\nhttp://www.kaigai.gr.jp/index.php. For more information on how to use this\npatch, Chris Friedhoff has posted a nice page at\nhttp://www.friedhoff.org/fscaps.html.\n\nChangelog:\n\tNov 27:\n\tIncorporate fixes from Andrew Morton\n\t(security-introduce-file-caps-tweaks and\n\tsecurity-introduce-file-caps-warning-fix)\n\tFix Kconfig dependency.\n\tFix change signaling behavior when file caps are not compiled in.\n\n\tNov 13:\n\tIntegrate comments from Alexey: Remove CONFIG_ ifdef from\n\tcapability.h, and use %zd for printing a size_t.\n\n\tNov 13:\n\tFix endianness warnings by sparse as suggested by Alexey\n\tDobriyan.\n\n\tNov 09:\n\tAddress warnings of unused variables at cap_bprm_set_security\n\twhen file capabilities are disabled, and simultaneously clean\n\tup the code a little, by pulling the new code into a helper\n\tfunction.\n\n\tNov 08:\n\tFor pointers to required userspace tools and how to use\n\tthem, see http://www.friedhoff.org/fscaps.html.\n\n\tNov 07:\n\tFix the calculation of the highest bit checked in\n\tcheck_cap_sanity().\n\n\tNov 07:\n\tAllow file caps to be enabled without CONFIG_SECURITY, since\n\tcapabilities are the default.\n\tHook cap_task_setscheduler when !CONFIG_SECURITY.\n\tMove capable(TASK_KILL) to end of cap_task_kill to reduce\n\taudit messages.\n\n\tNov 05:\n\tAdd secondary calls in selinux/hooks.c to task_setioprio and\n\ttask_setscheduler so that selinux and capabilities with file\n\tcap support can be stacked.\n\n\tSep 05:\n\tAs Seth Arnold points out, uid checks are out of place\n\tfor capability code.\n\n\tSep 01:\n\tDefine task_setscheduler, task_setioprio, cap_task_kill, and\n\ttask_setnice to make sure a user cannot affect a process in which\n\tthey called a program with some fscaps.\n\n\tOne remaining question is the note under task_setscheduler: are we\n\tok with CAP_SYS_NICE being sufficient to confine a process to a\n\tcpuset?\n\n\tIt is a semantic change, as without fsccaps, attach_task doesn\u0027t\n\tallow CAP_SYS_NICE to override the uid equivalence check. But since\n\tit uses security_task_setscheduler, which elsewhere is used where\n\tCAP_SYS_NICE can be used to override the uid equivalence check,\n\tfixing it might be tough.\n\n\t task_setscheduler\n\t\t note: this also controls cpuset:attach_task. Are we ok with\n\t\t CAP_SYS_NICE being used to confine to a cpuset?\n\t task_setioprio\n\t task_setnice\n\t\t sys_setpriority uses this (through set_one_prio) for another\n\t\t process. Need same checks as setrlimit\n\n\tAug 21:\n\tUpdated secureexec implementation to reflect the fact that\n\teuid and uid might be the same and nonzero, but the process\n\tmight still have elevated caps.\n\n\tAug 15:\n\tHandle endianness of xattrs.\n\tEnforce capability version match between kernel and disk.\n\tEnforce that no bits beyond the known max capability are\n\tset, else return -EPERM.\n\tWith this extra processing, it may be worth reconsidering\n\tdoing all the work at bprm_set_security rather than\n\td_instantiate.\n\n\tAug 10:\n\tAlways call getxattr at bprm_set_security, rather than\n\tcaching it at d_instantiate.\n\n[morgan@kernel.org: file-caps clean up for linux/capability.h]\n[bunk@kernel.org: unexport cap_inode_killpriv]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "0a3021f4e249fbdb5f30d614707b5e02022e4c9b", "tree": "c01b80fa03dbb4a853b46f182864384736a54088", "parents": [ "9aacd599342fdfc1fb9422f37e900609b7a46249" ], "author": { "name": "Robert P. J. Day", "email": "rpjday@mindspring.com", "time": "Sun Jul 15 23:39:57 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Jul 16 09:05:42 2007 -0700" }, "message": "Remove unnecessary includes of spinlock.h under include/linux\n\nRemove the obviously unnecessary includes of \u003clinux/spinlock.h\u003e under the\ninclude/linux/ directory, and fix the couple errors that are introduced as\na result of that.\n\nSigned-off-by: Robert P. J. Day \u003crpjday@mindspring.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b7add02d6247bff34005e040347d81777c80931c", "tree": "41a2756e9fc1fc961ff29be08b5b8a080bbc2c03", "parents": [ "8ce7ad7b2d11fae2c3d285a6a0caea9322c0b8fc" ], "author": { "name": "Andrew Morton", "email": "akpm@linux-foundation.org", "time": "Wed May 23 13:57:39 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed May 23 20:14:12 2007 -0700" }, "message": "capability.h warning fix\n\ninclude/linux/capability.h:397: warning: \"struct task_struct\" declared inside parameter list\ninclude/linux/capability.h:397: warning: its scope is only this definition or declaration, which is probably not what you want\n\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "12b5989be10011387a9da5dee82e5c0d6f9d02e7", "tree": "74da71d407bf26bf97c639bb2b473de233a736ac", "parents": [ "77d47582c2345e071df02afaf9191641009287c4" ], "author": { "name": "Chris Wright", "email": "chrisw@sous-sol.org", "time": "Sat Mar 25 03:07:41 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sat Mar 25 08:22:56 2006 -0800" }, "message": "[PATCH] refactor capable() to one implementation, add __capable() helper\n\nMove capable() to kernel/capability.c and eliminate duplicate\nimplementations. Add __capable() function which can be used to check for\ncapabiilty of any process.\n\nSigned-off-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "c59ede7b78db329949d9cdcd7064e22d357560ef", "tree": "f9dc9d464fdad5bfd464d983e77c1af031389dda", "parents": [ "e16885c5ad624a6efe1b1bf764e075d75f65a788" ], "author": { "name": "Randy.Dunlap", "email": "rdunlap@xenotime.net", "time": "Wed Jan 11 12:17:46 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Wed Jan 11 18:42:13 2006 -0800" }, "message": "[PATCH] move capable() to capability.h\n\n- Move capable() from sched.h to capability.h;\n\n- Use \u003clinux/capability.h\u003e where capable() is used\n\t(in include/, block/, ipc/, kernel/, a few drivers/,\n\tmm/, security/, \u0026 sound/;\n\tmany more drivers/ to go)\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "bce5f6ba340b09d8b29902add204bb95a6d3d88b", "tree": "1cfeea969fa5848f0a8d31394829aec5c8571a79", "parents": [ "242e54686257493f0b10ac557e730419d9af7d24" ], "author": { "name": "Martin Hicks", "email": "mort@sgi.com", "time": "Sat Sep 03 15:54:50 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@evo.osdl.org", "time": "Mon Sep 05 00:05:44 2005 -0700" }, "message": "[PATCH] VM: add capabilites check to set_zone_reclaim\n\nAdd a capability check to sys_set_zone_reclaim(). This syscall is not\nsomething that should be available to a user.\n\nSigned-off-by: Martin Hicks \u003cmort@sgi.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }