)]}' { "log": [ { "commit": "08a6fac1c63233c87eec129938022f1a9a4d51f6", "tree": "4fd7a2a906cf5ca0a42b3b8cb30351465f0f6cee", "parents": [ "5f719558edf9c84bfbb1f7ad37e84c483282d09f" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat May 10 16:38:25 2008 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri May 16 17:23:05 2008 -0400" }, "message": "[PATCH] get rid of leak in compat_execve()\n\nEven though copy_compat_strings() doesn\u0027t cache the pages,\ncopy_strings_kernel() and stuff indirectly called by e.g.\n-\u003eload_binary() is doing that, so we need to drop the\ncache contents in the end.\n\n[found by WANG Cong \u003cwangcong@zeuux.org\u003e]\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "3a2e7f47d71e1df86acc1dda6826890b6546a4e1", "tree": "3c5856f67af25a80a4d934e754f437936c7b1bbf", "parents": [ "cbd9b67bd3883dff0ef4b8ec9229d315a9ba38f0" ], "author": { "name": "Pavel Emelyanov", "email": "xemul@openvz.org", "time": "Tue Apr 29 00:59:24 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:04 2008 -0700" }, "message": "binfmt_misc.c: avoid potential kernel stack overflow\n\nThis can be triggered with root help only, but...\n\nRegister the \":text:E::txt::/root/cat.txt:\u0027 rule in binfmt_misc (by root) and\ntry launching the cat.txt file (by anyone) :) The result is - the endless\nrecursion in the load_misc_binary -\u003e open_exec -\u003e load_misc_binary chain and\nstack overflow.\n\nThere\u0027s a similar problem with binfmt_script, and there\u0027s a sh_bang memner on\nlinux_binprm structure to handle this, but simply raising this in binfmt_misc\nmay break some setups when the interpreter of some misc binaries is a script.\n\nSo the proposal is to turn sh_bang into a bit, add a new one (the misc_bang)\nand raise it in load_misc_binary. After this, even if we set up the misc -\u003e\nscript -\u003e misc loop for binfmts one of them will step on its own bang and\nexit.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "175a06ae300188af8a61db68a78e1af44dc7d44f", "tree": "ed088932ad725985ead11fbf9e4cd7754af0dcc8", "parents": [ "ecd0fa9825a1270e31fb48bc9edcfb28918b6c51" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@i-love.sakura.ne.jp", "time": "Tue Apr 29 00:59:17 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:03 2008 -0700" }, "message": "exec: remove argv_len from struct linux_binprm\n\nI noticed that 2.6.24.2 calculates bprm-\u003eargv_len at do_execve(). But it\ndoesn\u0027t update bprm-\u003eargv_len after \"remove_arg_zero() +\ncopy_strings_kernel()\" at load_script() etc.\n\naudit_bprm() is called from search_binary_handler() and\nsearch_binary_handler() is called from load_script() etc. Thus, I think the\ncondition check\n\n if (bprm-\u003eargv_len \u003e (audit_argv_kb \u003c\u003c 10))\n return -E2BIG;\n\nin audit_bprm() might return wrong result when strlen(removed_arg) !\u003d\nstrlen(spliced_args). Why not update bprm-\u003eargv_len at load_script() etc. ?\n\nBy the way, 2.6.25-rc3 seems to not doing the condition check. Is the field\nbprm-\u003eargv_len no longer needed?\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nCc: Ollie Wild \u003caaw@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b53767719b6cd8789392ea3e7e2eb7b8906898f0", "tree": "a0279dc93c79b94d3865b0f19f6b7b353e20608c", "parents": [ "57c521ce6125e15e99e56c902cb8da96bee7b36d" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Tue Oct 16 23:31:36 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "Implement file posix capabilities\n\nImplement file posix capabilities. This allows programs to be given a\nsubset of root\u0027s powers regardless of who runs them, without having to use\nsetuid and giving the binary all of root\u0027s powers.\n\nThis version works with Kaigai Kohei\u0027s userspace tools, found at\nhttp://www.kaigai.gr.jp/index.php. For more information on how to use this\npatch, Chris Friedhoff has posted a nice page at\nhttp://www.friedhoff.org/fscaps.html.\n\nChangelog:\n\tNov 27:\n\tIncorporate fixes from Andrew Morton\n\t(security-introduce-file-caps-tweaks and\n\tsecurity-introduce-file-caps-warning-fix)\n\tFix Kconfig dependency.\n\tFix change signaling behavior when file caps are not compiled in.\n\n\tNov 13:\n\tIntegrate comments from Alexey: Remove CONFIG_ ifdef from\n\tcapability.h, and use %zd for printing a size_t.\n\n\tNov 13:\n\tFix endianness warnings by sparse as suggested by Alexey\n\tDobriyan.\n\n\tNov 09:\n\tAddress warnings of unused variables at cap_bprm_set_security\n\twhen file capabilities are disabled, and simultaneously clean\n\tup the code a little, by pulling the new code into a helper\n\tfunction.\n\n\tNov 08:\n\tFor pointers to required userspace tools and how to use\n\tthem, see http://www.friedhoff.org/fscaps.html.\n\n\tNov 07:\n\tFix the calculation of the highest bit checked in\n\tcheck_cap_sanity().\n\n\tNov 07:\n\tAllow file caps to be enabled without CONFIG_SECURITY, since\n\tcapabilities are the default.\n\tHook cap_task_setscheduler when !CONFIG_SECURITY.\n\tMove capable(TASK_KILL) to end of cap_task_kill to reduce\n\taudit messages.\n\n\tNov 05:\n\tAdd secondary calls in selinux/hooks.c to task_setioprio and\n\ttask_setscheduler so that selinux and capabilities with file\n\tcap support can be stacked.\n\n\tSep 05:\n\tAs Seth Arnold points out, uid checks are out of place\n\tfor capability code.\n\n\tSep 01:\n\tDefine task_setscheduler, task_setioprio, cap_task_kill, and\n\ttask_setnice to make sure a user cannot affect a process in which\n\tthey called a program with some fscaps.\n\n\tOne remaining question is the note under task_setscheduler: are we\n\tok with CAP_SYS_NICE being sufficient to confine a process to a\n\tcpuset?\n\n\tIt is a semantic change, as without fsccaps, attach_task doesn\u0027t\n\tallow CAP_SYS_NICE to override the uid equivalence check. But since\n\tit uses security_task_setscheduler, which elsewhere is used where\n\tCAP_SYS_NICE can be used to override the uid equivalence check,\n\tfixing it might be tough.\n\n\t task_setscheduler\n\t\t note: this also controls cpuset:attach_task. Are we ok with\n\t\t CAP_SYS_NICE being used to confine to a cpuset?\n\t task_setioprio\n\t task_setnice\n\t\t sys_setpriority uses this (through set_one_prio) for another\n\t\t process. Need same checks as setrlimit\n\n\tAug 21:\n\tUpdated secureexec implementation to reflect the fact that\n\teuid and uid might be the same and nonzero, but the process\n\tmight still have elevated caps.\n\n\tAug 15:\n\tHandle endianness of xattrs.\n\tEnforce capability version match between kernel and disk.\n\tEnforce that no bits beyond the known max capability are\n\tset, else return -EPERM.\n\tWith this extra processing, it may be worth reconsidering\n\tdoing all the work at bprm_set_security rather than\n\td_instantiate.\n\n\tAug 10:\n\tAlways call getxattr at bprm_set_security, rather than\n\tcaching it at d_instantiate.\n\n[morgan@kernel.org: file-caps clean up for linux/capability.h]\n[bunk@kernel.org: unexport cap_inode_killpriv]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "7dc0b22e3c54f1f4730354fef84a20f5944f6c5e", "tree": "8b281ed3315699eb0b21f00b5933b6222add5b5a", "parents": [ "8e2b705649e294f43a8cd1ea79e4c594c0bd1d9d" ], "author": { "name": "Neil Horman", "email": "nhorman@tuxdriver.com", "time": "Tue Oct 16 23:26:34 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:42:50 2007 -0700" }, "message": "core_pattern: ignore RLIMIT_CORE if core_pattern is a pipe\n\nFor some time /proc/sys/kernel/core_pattern has been able to set its output\ndestination as a pipe, allowing a user space helper to receive and\nintellegently process a core. This infrastructure however has some\nshortcommings which can be enhanced. Specifically:\n\n1) The coredump code in the kernel should ignore RLIMIT_CORE limitation\n when core_pattern is a pipe, since file system resources are not being\n consumed in this case, unless the user application wishes to save the core,\n at which point the app is restricted by usual file system limits and\n restrictions.\n\n2) The core_pattern code should be able to parse and pass options to the\n user space helper as an argv array. The real core limit of the uid of the\n crashing proces should also be passable to the user space helper (since it\n is overridden to zero when called).\n\n3) Some miscellaneous bugs need to be cleaned up (specifically the\n recognition of a recursive core dump, should the user mode helper itself\n crash. Also, the core dump code in the kernel should not wait for the user\n mode helper to exit, since the same context is responsible for writing to\n the pipe, and a read of the pipe by the user mode helper will result in a\n deadlock.\n\nThis patch:\n\nRemove the check of RLIMIT_CORE if core_pattern is a pipe. In the event that\ncore_pattern is a pipe, the entire core will be fed to the user mode helper.\n\nSigned-off-by: Neil Horman \u003cnhorman@tuxdriver.com\u003e\nCc: \u003cmartin.pitt@ubuntu.com\u003e\nCc: \u003cwwoods@redhat.com\u003e\nCc: Jeremy Fitzhardinge \u003cjeremy@goop.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "f6b450d489f2fb4e909447beacad64edb8aa0cda", "tree": "85240acdf3d5c1cb2f193a72c99e24789acc0a0e", "parents": [ "e4dc1b14d8dc57c3975bf69740e4f5cda6bfba09" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@sw.ru", "time": "Tue Oct 16 23:26:04 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:42:46 2007 -0700" }, "message": "Make unregister_binfmt() return void\n\nlist_del() hardly can fail, so checking for return value is pointless\n(and current code always return 0).\n\nNobody really cared that return value anyway.\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@sw.ru\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "e4dc1b14d8dc57c3975bf69740e4f5cda6bfba09", "tree": "084771b19ecb4335c31cdd91093f7a02b7861e69", "parents": [ "deba0f49b9345f885a53a077623a68cef89c01d5" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@sw.ru", "time": "Tue Oct 16 23:26:03 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:42:46 2007 -0700" }, "message": "Use list_head in binfmt handling\n\nSwitch single-linked binfmt formats list to usual list_head\u0027s. This leads\nto one-liners in register_binfmt() and unregister_binfmt(). The downside\nis one pointer more in struct linux_binfmt. This is not a problem, since\nthe set of registered binfmts on typical box is very small -- (ELF +\nsomething distro enabled for you).\n\nTest-booted, played with executable .txt files, modprobe/rmmod binfmt_misc.\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@sw.ru\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b6a2fea39318e43fee84fa7b0b90d68bed92d2ba", "tree": "c9c3619cb2730b5c10c7427b837146bce3d69156", "parents": [ "bdf4c48af20a3b0f01671799ace345e3d49576da" ], "author": { "name": "Ollie Wild", "email": "aaw@google.com", "time": "Thu Jul 19 01:48:16 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Jul 19 10:04:45 2007 -0700" }, "message": "mm: variable length argument support\n\nRemove the arg+env limit of MAX_ARG_PAGES by copying the strings directly from\nthe old mm into the new mm.\n\nWe create the new mm before the binfmt code runs, and place the new stack at\nthe very top of the address space. Once the binfmt code runs and figures out\nwhere the stack should be, we move it downwards.\n\nIt is a bit peculiar in that we have one task with two mm\u0027s, one of which is\ninactive.\n\n[a.p.zijlstra@chello.nl: limit stack size]\nSigned-off-by: Ollie Wild \u003caaw@google.com\u003e\nSigned-off-by: Peter Zijlstra \u003ca.p.zijlstra@chello.nl\u003e\nCc: \u003clinux-arch@vger.kernel.org\u003e\nCc: Hugh Dickins \u003chugh@veritas.com\u003e\n[bunk@stusta.de: unexport bprm_mm_init]\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "bdf4c48af20a3b0f01671799ace345e3d49576da", "tree": "7c3b903d2de1cba6e212ad6f347bc8742b08035a", "parents": [ "b111757c50ee30dad162192df6168e270a90c252" ], "author": { "name": "Peter Zijlstra", "email": "a.p.zijlstra@chello.nl", "time": "Thu Jul 19 01:48:15 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Jul 19 10:04:45 2007 -0700" }, "message": "audit: rework execve audit\n\nThe purpose of audit_bprm() is to log the argv array to a userspace daemon at\nthe end of the execve system call. Since user-space hasn\u0027t had time to run,\nthis array is still in pristine state on the process\u0027 stack; so no need to\ncopy it, we can just grab it from there.\n\nIn order to minimize the damage to audit_log_*() copy each string into a\ntemporary kernel buffer first.\n\nCurrently the audit code requires that the full argument vector fits in a\nsingle packet. So currently it does clip the argv size to a (sysctl) limit,\nbut only when execve auditing is enabled.\n\nIf the audit protocol gets extended to allow for multiple packets this check\ncan be removed.\n\nSigned-off-by: Peter Zijlstra \u003ca.p.zijlstra@chello.nl\u003e\nSigned-off-by: Ollie Wild \u003caaw@google.com\u003e\nCc: \u003clinux-audit@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "71ce92f3fa442069670a52fa6230a6064c4517b3", "tree": "30fec3491b9655040d90c810785ce7e843a90f93", "parents": [ "bc88d5d4e18add7283770ead2734b601c50b3e2a" ], "author": { "name": "Dan Aloni", "email": "da-x@monatomic.org", "time": "Wed May 16 22:11:16 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu May 17 05:23:05 2007 -0700" }, "message": "make sysctl/kernel/core_pattern and fs/exec.c agree on maximum core filename size\n\nMake sysctl/kernel/core_pattern and fs/exec.c agree on maximum core\nfilename size and change it to 128, so that extensive patterns such as\n\u0027/local/cores/%e-%h-%s-%t-%p.core\u0027 won\u0027t result in truncated filename\ngeneration.\n\nSigned-off-by: Dan Aloni \u003cda-x@monatomic.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "9fbbd4dd17d0712054368e5e939e28b2456bfe1b", "tree": "778766e35c52529ed0fc369ce1c3cf9382fc6e16", "parents": [ "120fad72401ebec2a126c16cc48f56c28f3eefe2" ], "author": { "name": "Andi Kleen", "email": "ak@suse.de", "time": "Tue Feb 13 13:26:26 2007 +0100" }, "committer": { "name": "Andi Kleen", "email": "andi@basil.nowhere.org", "time": "Tue Feb 13 13:26:26 2007 +0100" }, "message": "[PATCH] x86: Don\u0027t require the vDSO for handling a.out signals\n\nand in other strange binfmts. vDSO is not necessarily mapped there.\n\nSigned-off-by: Andi Kleen \u003cak@suse.de\u003e\n" }, { "commit": "d6e711448137ca3301512cec41a2c2ce852b3d0a", "tree": "f0765ebd90fdbdf270c05fcd7f3d32b24ba56681", "parents": [ "8b0914ea7475615c7c8965c1ac8fe4069270f25c" ], "author": { "name": "Alan Cox", "email": "alan@lxorguk.ukuu.org.uk", "time": "Thu Jun 23 00:09:43 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Thu Jun 23 09:45:26 2005 -0700" }, "message": "[PATCH] setuid core dump\n\nAdd a new `suid_dumpable\u0027 sysctl:\n\nThis value can be used to query and set the core dump mode for setuid\nor otherwise protected/tainted binaries. The modes are\n\n0 - (default) - traditional behaviour. Any process which has changed\n privilege levels or is execute only will not be dumped\n\n1 - (debug) - all processes dump core when possible. The core dump is\n owned by the current user and no security is applied. This is intended\n for system debugging situations only. Ptrace is unchecked.\n\n2 - (suidsafe) - any binary which normally would not be dumped is dumped\n readable by root only. This allows the end user to remove such a dump but\n not access it directly. For security reasons core dumps in this mode will\n not overwrite one another or other files. This mode is appropriate when\n adminstrators are attempting to debug problems in a normal environment.\n\n(akpm:\n\n\u003e \u003e +EXPORT_SYMBOL(suid_dumpable);\n\u003e\n\u003e EXPORT_SYMBOL_GPL?\n\nNo problem to me.\n\n\u003e \u003e \tif (current-\u003eeuid \u003d\u003d current-\u003euid \u0026\u0026 current-\u003eegid \u003d\u003d current-\u003egid)\n\u003e \u003e \t\tcurrent-\u003emm-\u003edumpable \u003d 1;\n\u003e\n\u003e Should this be SUID_DUMP_USER?\n\nActually the feedback I had from last time was that the SUID_ defines\nshould go because its clearer to follow the numbers. They can go\neverywhere (and there are lots of places where dumpable is tested/used\nas a bool in untouched code)\n\n\u003e Maybe this should be renamed to `dump_policy\u0027 or something. Doing that\n\u003e would help us catch any code which isn\u0027t using the #defines, too.\n\nFair comment. The patch was designed to be easy to maintain for Red Hat\nrather than for merging. Changing that field would create a gigantic\ndiff because it is used all over the place.\n\n)\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "75c96f85845a6707b0f9916cb263cb3584f7d48f", "tree": "45a64d1c9bb71d7093db3a11e0f21465c2e3dec6", "parents": [ "5e198d94dd0c3ec7f6138229e2e412c2c6268c38" ], "author": { "name": "Adrian Bunk", "email": "bunk@stusta.de", "time": "Thu May 05 16:16:09 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Thu May 05 16:36:47 2005 -0700" }, "message": "[PATCH] make some things static\n\nThis patch makes some needlessly global identifiers static.\n\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\nAcked-by: Arjan van de Ven \u003carjanv@infradead.org\u003e\nAcked-by: Trond Myklebust \u003ctrond.myklebust@fys.uio.no\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }