{
  "log": [
    {
      "commit": "766ce4e5a952510f9f27511cbfecc884bf5147cd",
      "tree": "93ad1970e254fc3b1fb0650a4dc449d86ad5114e",
      "parents": [
        "3bc527393379fcd740cc66c700da808abdbf5a5d"
      ],
      "author": {
        "name": "Ivan Grinko",
        "email": "iivanich@gmail.com",
        "time": "Thu Apr 28 22:06:41 2016 +0300"
      },
      "committer": {
        "name": "William Bellavance",
        "email": "flintman@flintmancomputers.com",
        "time": "Tue May 17 08:03:16 2016 -0400"
      },
      "message": "Linux 3.4.112\n\nhttps://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.112\n\nChange-Id: Ic146bc84c10ebcfe256eb6bffa8ffef44c9a1d38\n"
    },
    {
      "commit": "58f794b5648f3bd9146bf060897abe9473189649",
      "tree": "4920af6c625f6794c42c0888a739ccf7cb6ab974",
      "parents": [
        "9c1dfc61f68c81c89856dde4c67f11db38067db3"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Dec 18 01:34:26 2015 +0000"
      },
      "committer": {
        "name": "William Bellavance",
        "email": "flintman@flintmancomputers.com",
        "time": "Tue May 17 07:52:00 2016 -0400"
      },
      "message": "KEYS: Fix race between read and revoke\n\nThis fixes CVE-2015-7550.\n\nThere\u0027s a race between keyctl_read() and keyctl_revoke().  If the revoke\nhappens between keyctl_read() checking the validity of a key and the key\u0027s\nsemaphore being taken, then the key type read method will see a revoked key.\n\nThis causes a problem for the user-defined key type because it assumes in\nits read method that there will always be a payload in a non-revoked key\nand doesn\u0027t check for a NULL pointer.\n\nFix this by making keyctl_read() check the validity of a key after taking\nsemaphore instead of before.\n\nI think the bug was introduced with the original keyrings code.\n\nThis was discovered by a multithreaded test program generated by syzkaller\n(http://github.com/google/syzkaller).  Here\u0027s a cleaned up version:\n\n\t#include \u003csys/types.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\t#include \u003cpthread.h\u003e\n\tvoid *thr0(void *arg)\n\t{\n\t\tkey_serial_t key \u003d (unsigned long)arg;\n\t\tkeyctl_revoke(key);\n\t\treturn 0;\n\t}\n\tvoid *thr1(void *arg)\n\t{\n\t\tkey_serial_t key \u003d (unsigned long)arg;\n\t\tchar buffer[16];\n\t\tkeyctl_read(key, buffer, 16);\n\t\treturn 0;\n\t}\n\tint main()\n\t{\n\t\tkey_serial_t key \u003d add_key(\"user\", \"%\", \"foo\", 3, KEY_SPEC_USER_KEYRING);\n\t\tpthread_t th[5];\n\t\tpthread_create(\u0026th[0], 0, thr0, (void *)(unsigned long)key);\n\t\tpthread_create(\u0026th[1], 0, thr1, (void *)(unsigned long)key);\n\t\tpthread_create(\u0026th[2], 0, thr0, (void *)(unsigned long)key);\n\t\tpthread_create(\u0026th[3], 0, thr1, (void *)(unsigned long)key);\n\t\tpthread_join(th[0], 0);\n\t\tpthread_join(th[1], 0);\n\t\tpthread_join(th[2], 0);\n\t\tpthread_join(th[3], 0);\n\t\treturn 0;\n\t}\n\nBuild as:\n\n\tcc -o keyctl-race keyctl-race.c -lkeyutils -lpthread\n\nRun as:\n\n\twhile keyctl-race; do :; done\n\nas it may need several iterations to crash the kernel.  The crash can be\nsummarised as:\n\n\tBUG: unable to handle kernel NULL pointer dereference at 0000000000000010\n\tIP: [\u003cffffffff81279b08\u003e] user_read+0x56/0xa3\n\t...\n\tCall Trace:\n\t [\u003cffffffff81276aa9\u003e] keyctl_read_key+0xb6/0xd7\n\t [\u003cffffffff81277815\u003e] SyS_keyctl+0x83/0xe0\n\t [\u003cffffffff815dbb97\u003e] entry_SYSCALL_64_fastpath+0x12/0x6f\n\nChange-Id: I4b4011c628b471701cdda77265d8f130b0ed8f22\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "8094624a26bd87d40e019ebf16f2e57e22c79c74",
      "tree": "0dbb8f49485835ded234d4de87e52ea437d8a0b4",
      "parents": [
        "5ee52010ffedbeeb58d5314585e7e1d75345ba4f"
      ],
      "author": {
        "name": "Nicolas Dichtel",
        "email": "nicolas.dichtel@6wind.com",
        "time": "Wed Apr 08 18:36:40 2015 +0200"
      },
      "committer": {
        "name": "William Bellavance",
        "email": "flintman@flintmancomputers.com",
        "time": "Tue May 17 07:51:20 2016 -0400"
      },
      "message": "selinux/nlmsg: add XFRM_MSG_NEWSPDINFO\n\ncommit 2b7834d3e1b828429faa5dc41a480919e52d3f31 upstream (net-next).\n\nThis new command is missing.\n\nBug: 20350607\nChange-Id: If511000c19aa9af7220ff775d88ace9834b35dcb\nFixes: 880a6fab8f6b (\"xfrm: configure policy hash table thresholds by netlink\")\nReported-by: Christophe Gouault \u003cchristophe.gouault@6wind.com\u003e\nSigned-off-by: Nicolas Dichtel \u003cnicolas.dichtel@6wind.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "64c363146fe8b4b26285d36fad0fc01b9c8c1285",
      "tree": "f4597aeccc6d37aadbf3a719dfefc62632e4ee10",
      "parents": [
        "900469d0b0c337db19908f77d172f4b17f4573ba"
      ],
      "author": {
        "name": "José Adolfo Galdámez",
        "email": "josegalre@pac-rom.com",
        "time": "Mon Sep 21 22:00:27 2015 -0600"
      },
      "committer": {
        "name": "William Bellavance",
        "email": "flintman@flintmancomputers.com",
        "time": "Wed Feb 10 20:03:50 2016 -0500"
      },
      "message": "Merge tag \u0027v3.4.109\u0027 into mm-6.0\n\nChange-Id: I93b29443377e338fc5d3b031b130da720f788879\nSigned-off-by: José Adolfo Galdámez \u003cjosegalre@pac-rom.com\u003e\n"
    },
    {
      "commit": "900469d0b0c337db19908f77d172f4b17f4573ba",
      "tree": "e7c8e6e70ad09ecc74c7385269f9a7a908489b88",
      "parents": [
        "3591a444f6b8cb82a9b88a49a4e67d8f4b61a6de"
      ],
      "author": {
        "name": "José Adolfo Galdámez",
        "email": "josegalre@pac-rom.com",
        "time": "Sat Jun 20 23:45:36 2015 -0600"
      },
      "committer": {
        "name": "William Bellavance",
        "email": "flintman@flintmancomputers.com",
        "time": "Wed Feb 10 20:02:51 2016 -0500"
      },
      "message": "Merge tag \u0027v3.4.108\u0027 into mm-6.0\n\nChange-Id: I5ee718e5c87c9647c6edf0926a887679e065a649\nSigned-off-by: José Adolfo Galdámez \u003cjosegalre@pac-rom.com\u003e\n"
    },
    {
      "commit": "a49e6ce46b2174e740908332b4ec1796af9e029a",
      "tree": "abef367c23b20577a299f363a7d76154fd1e7c21",
      "parents": [
        "5aaf989a3f7a116df4a0dd9a6c537f13cb0e32d2"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sun Oct 26 19:19:16 2014 -0400"
      },
      "committer": {
        "name": "William Bellavance",
        "email": "flintman@flintmancomputers.com",
        "time": "Wed Feb 10 20:01:44 2016 -0500"
      },
      "message": "move d_rcu from overlapping d_child to overlapping d_alias\n\ncommit 946e51f2bf37f1656916eb75bd0742ba33983c28 upstream.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n[bwh: Backported to 3.2:\n - Apply name changes in all the different places we use d_alias and d_child\n - Move the WARN_ON() in __d_free() to d_free() as we don\u0027t have dentry_free()]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n[lizf: Backported to 3.4:\n - adjust context\n - need one more name change in debugfs]\n"
    },
    {
      "commit": "e1404a083531a5811009997e73c0be4cf12e123c",
      "tree": "97b285269f0c2a0a3a7c156e707ee0db572b7920",
      "parents": [
        "8588a96db2df2bfe263b09508dd472302577815a"
      ],
      "author": {
        "name": "Takashi Iwai",
        "email": "tiwai@suse.de",
        "time": "Thu Dec 04 18:25:19 2014 +0100"
      },
      "committer": {
        "name": "William Bellavance",
        "email": "flintman@flintmancomputers.com",
        "time": "Wed Feb 10 20:00:07 2016 -0500"
      },
      "message": "KEYS: Fix stale key registration at error path\n\ncommit b26bdde5bb27f3f900e25a95e33a0c476c8c2c48 upstream.\n\nWhen loading encrypted-keys module, if the last check of\naes_get_sizes() in init_encrypted() fails, the driver just returns an\nerror without unregistering its key type.  This results in the stale\nentry in the list.  In addition to memory leaks, this leads to a kernel\ncrash when registering a new key type later.\n\nThis patch fixes the problem by swapping the calls of aes_get_sizes()\nand register_key_type(), and releasing resources properly at the error\npaths.\n\nBugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id\u003d908163\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "0fbb248bd3e76a39fdc944b9a2bd2b108b95352b",
      "tree": "c69c5a70235fb8150d577089e2630141b53c1033",
      "parents": [
        "8048eac1e925f6c2d9ad4ae4324d98c95414aa6d"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Oct 15 17:21:37 2015 +0100"
      },
      "committer": {
        "name": "William Bellavance",
        "email": "flintman@flintmancomputers.com",
        "time": "Sat Dec 19 08:41:00 2015 -0500"
      },
      "message": "KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring\n\nThe following sequence of commands:\n\n    i\u003d`keyctl add user a a @s`\n    keyctl request2 keyring foo bar @t\n    keyctl unlink $i @s\n\ntries to invoke an upcall to instantiate a keyring if one doesn\u0027t already\nexist by that name within the user\u0027s keyring set.  However, if the upcall\nfails, the code sets keyring-\u003etype_data.reject_error to -ENOKEY or some\nother error code.  When the key is garbage collected, the key destroy\nfunction is called unconditionally and keyring_destroy() uses list_empty()\non keyring-\u003etype_data.link - which is in a union with reject_error.\nSubsequently, the kernel tries to unlink the keyring from the keyring names\nlist - which oopses like this:\n\n\tBUG: unable to handle kernel paging request at 00000000ffffff8a\n\tIP: [\u003cffffffff8126e051\u003e] keyring_destroy+0x3d/0x88\n\t...\n\tWorkqueue: events key_garbage_collector\n\t...\n\tRIP: 0010:[\u003cffffffff8126e051\u003e] keyring_destroy+0x3d/0x88\n\tRSP: 0018:ffff88003e2f3d30  EFLAGS: 00010203\n\tRAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000\n\tRDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40\n\tRBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000\n\tR10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900\n\tR13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000\n\t...\n\tCR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0\n\t...\n\tCall Trace:\n\t [\u003cffffffff8126c756\u003e] key_gc_unused_keys.constprop.1+0x5d/0x10f\n\t [\u003cffffffff8126ca71\u003e] key_garbage_collector+0x1fa/0x351\n\t [\u003cffffffff8105ec9b\u003e] process_one_work+0x28e/0x547\n\t [\u003cffffffff8105fd17\u003e] worker_thread+0x26e/0x361\n\t [\u003cffffffff8105faa9\u003e] ? rescuer_thread+0x2a8/0x2a8\n\t [\u003cffffffff810648ad\u003e] kthread+0xf3/0xfb\n\t [\u003cffffffff810647ba\u003e] ? kthread_create_on_node+0x1c2/0x1c2\n\t [\u003cffffffff815f2ccf\u003e] ret_from_fork+0x3f/0x70\n\t [\u003cffffffff810647ba\u003e] ? kthread_create_on_node+0x1c2/0x1c2\n\nNote the value in RAX.  This is a 32-bit representation of -ENOKEY.\n\nThe solution is to only call -\u003edestroy() if the key was successfully\ninstantiated.\n\nChange-Id: Ia52370813b7e8231fdd99d2a208340af1c7b4007\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\n"
    },
    {
      "commit": "8048eac1e925f6c2d9ad4ae4324d98c95414aa6d",
      "tree": "b078f391f0728d6a761fd4eb3041b48b8a7563cf",
      "parents": [
        "b5401aa15d058b45abd5ade0f96484af4afb4ae7"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Sep 25 16:30:08 2015 +0100"
      },
      "committer": {
        "name": "William Bellavance",
        "email": "flintman@flintmancomputers.com",
        "time": "Sat Dec 19 08:40:58 2015 -0500"
      },
      "message": "KEYS: Fix race between key destruction and finding a keyring by name\n\nThere appears to be a race between:\n\n (1) key_gc_unused_keys() which frees key-\u003esecurity and then calls\n     keyring_destroy() to unlink the name from the name list\n\n (2) find_keyring_by_name() which calls key_permission(), thus accessing\n     key-\u003esecurity, on a key before checking to see whether the key usage is 0\n     (ie. the key is dead and might be cleaned up).\n\nFix this by calling -\u003edestroy() before cleaning up the core key data -\nincluding key-\u003esecurity.\n\nChange-Id: I4b9b89af020e6348af095e9014bf23b5eb1a9ef9\nReported-by: Petr Matousek \u003cpmatouse@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n"
    },
    {
      "commit": "b5401aa15d058b45abd5ade0f96484af4afb4ae7",
      "tree": "84ab3c877c6ca08d12d046617f4b3fdef91ac4fa",
      "parents": [
        "6b1fa60f0b88faec25f6bb3bcc494ccb09498294"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri May 11 10:56:56 2012 +0100"
      },
      "committer": {
        "name": "William Bellavance",
        "email": "flintman@flintmancomputers.com",
        "time": "Sat Dec 19 08:40:56 2015 -0500"
      },
      "message": "KEYS: Add invalidation support\n\nAdd support for invalidating a key - which renders it immediately invisible to\nfurther searches and causes the garbage collector to immediately wake up,\nremove it from keyrings and then destroy it when it\u0027s no longer referenced.\n\nIt\u0027s better not to do this with keyctl_revoke() as that marks the key to start\nreturning -EKEYREVOKED to searches when what is actually desired is to have the\nkey refetched.\n\nTo invalidate a key the caller must be granted SEARCH permission by the key.\nThis may be too strict.  It may be better to also permit invalidation if the\ncaller has any of READ, WRITE or SETATTR permission.\n\nThe primary use for this is to evict keys that are cached in special keyrings,\nsuch as the DNS resolver or an ID mapper.\n\nChange-Id: I923ea0f0b8f9d6b3ff8ec8beca77b1774984f1c3\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n"
    },
    {
      "commit": "6b1fa60f0b88faec25f6bb3bcc494ccb09498294",
      "tree": "78ca2a99f83a48f5bf44a9143eaa0ff1d4a67a38",
      "parents": [
        "c2035a53e48959fc1ce6ed862a156f4c76b3ca85"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri May 11 10:56:56 2012 +0100"
      },
      "committer": {
        "name": "William Bellavance",
        "email": "flintman@flintmancomputers.com",
        "time": "Sat Dec 19 08:40:55 2015 -0500"
      },
      "message": "KEYS: Permit in-place link replacement in keyring list\n\nMake use of the previous patch that makes the garbage collector perform RCU\nsynchronisation before destroying defunct keys.  Key pointers can now be\nreplaced in-place without creating a new keyring payload and replacing the\nwhole thing as the discarded keys will not be destroyed until all currently\nheld RCU read locks are released.\n\nIf the keyring payload space needs to be expanded or contracted, then a\nreplacement will still need allocating, and the original will still have to be\nfreed by RCU.\n\nChange-Id: I6c4f784f120951fb51ac9c23856ea37f51770bb9\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n"
    },
    {
      "commit": "c2035a53e48959fc1ce6ed862a156f4c76b3ca85",
      "tree": "0d2e070337254c64e8be0fa3c3590da25c1e4537",
      "parents": [
        "c7cbbb1cbddfff2bf8e0983249d4635e2770b133"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri May 11 10:56:56 2012 +0100"
      },
      "committer": {
        "name": "William Bellavance",
        "email": "flintman@flintmancomputers.com",
        "time": "Sat Dec 19 08:40:43 2015 -0500"
      },
      "message": "KEYS: Perform RCU synchronisation on keys prior to key destruction\n\nMake the keys garbage collector invoke synchronize_rcu() prior to destroying\nkeys with a zero usage count.  This means that a key can be examined under the\nRCU read lock in the safe knowledge that it won\u0027t get deallocated until after\nthe lock is released - even if its usage count becomes zero whilst we\u0027re\nlooking at it.\n\nThis is useful in keyring search vs key link.  Consider a keyring containing a\nlink to a key.  That link can be replaced in-place in the keyring without\nrequiring an RCU copy-and-replace on the keyring contents without breaking a\nsearch underway on that keyring when the displaced key is released, provided\nthe key is actually destroyed only after the RCU read lock held by the search\nalgorithm is released.\n\nThis permits __key_link() to replace a key without having to reallocate the key\npayload.  A key gets replaced if a new key being linked into a keyring has the\nsame type and description.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\n\nConflicts:\n\tsecurity/keys/gc.c\n\nChange-Id: Ifd8549b5b906c638d63c358ce1f34acd81139207\n"
    },
    {
      "commit": "c9ec5028049b974988c98f11f953c9fb5ef540ac",
      "tree": "cbcebc3ffbc436aff40a48a77d5c8b9112ce3a75",
      "parents": [
        "d92ec408ad768845400cbed6a18cc2a6ffe2def1"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Nov 24 21:36:31 2015 +0000"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Thu Dec 10 05:21:38 2015 -0500"
      },
      "message": "KEYS: Fix handling of stored error in a negatively instantiated user key\n\nIf a user key gets negatively instantiated, an error code is cached in the\npayload area.  A negatively instantiated key may then be positively\ninstantiated by updating it with valid data.  However, the -\u003eupdate key\ntype method must be aware that the error code may be there.\n\nThe following may be used to trigger the bug in the user key type:\n\n    keyctl request2 user user \"\" @u\n    keyctl add user user \"a\" @u\n\nwhich manifests itself as:\n\n\tBUG: unable to handle kernel paging request at 00000000ffffff8a\n\tIP: [\u003cffffffff810a376f\u003e] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046\n\tPGD 7cc30067 PUD 0\n\tOops: 0002 [#1] SMP\n\tModules linked in:\n\tCPU: 3 PID: 2644 Comm: a.out Not tainted 4.3.0+ #49\n\tHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n\ttask: ffff88003ddea700 ti: ffff88003dd88000 task.ti: ffff88003dd88000\n\tRIP: 0010:[\u003cffffffff810a376f\u003e]  [\u003cffffffff810a376f\u003e] __call_rcu.constprop.76+0x1f/0x280\n\t [\u003cffffffff810a376f\u003e] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046\n\tRSP: 0018:ffff88003dd8bdb0  EFLAGS: 00010246\n\tRAX: 00000000ffffff82 RBX: 0000000000000000 RCX: 0000000000000001\n\tRDX: ffffffff81e3fe40 RSI: 0000000000000000 RDI: 00000000ffffff82\n\tRBP: ffff88003dd8bde0 R08: ffff88007d2d2da0 R09: 0000000000000000\n\tR10: 0000000000000000 R11: ffff88003e8073c0 R12: 00000000ffffff82\n\tR13: ffff88003dd8be68 R14: ffff88007d027600 R15: ffff88003ddea700\n\tFS:  0000000000b92880(0063) GS:ffff88007fd00000(0000) knlGS:0000000000000000\n\tCS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b\n\tCR2: 00000000ffffff8a CR3: 000000007cc5f000 CR4: 00000000000006e0\n\tStack:\n\t ffff88003dd8bdf0 ffffffff81160a8a 0000000000000000 00000000ffffff82\n\t ffff88003dd8be68 ffff88007d027600 ffff88003dd8bdf0 ffffffff810a39e5\n\t ffff88003dd8be20 ffffffff812a31ab ffff88007d027600 ffff88007d027620\n\tCall Trace:\n\t [\u003cffffffff810a39e5\u003e] kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3136\n\t [\u003cffffffff812a31ab\u003e] user_update+0x8b/0xb0 security/keys/user_defined.c:129\n\t [\u003c     inline     \u003e] __key_update security/keys/key.c:730\n\t [\u003cffffffff8129e5c1\u003e] key_create_or_update+0x291/0x440 security/keys/key.c:908\n\t [\u003c     inline     \u003e] SYSC_add_key security/keys/keyctl.c:125\n\t [\u003cffffffff8129fc21\u003e] SyS_add_key+0x101/0x1e0 security/keys/keyctl.c:60\n\t [\u003cffffffff8185f617\u003e] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185\n\nNote the error code (-ENOKEY) in EDX.\n\nA similar bug can be tripped by:\n\n    keyctl request2 trusted user \"\" @u\n    keyctl add trusted user \"a\" @u\n\nThis should also affect encrypted keys - but that has to be correctly\nparameterised or it will fail with EINVAL before getting to the bit that\nwill crash.\n\nChange-Id: I171d566f431c56208e1fe279f466d2d399a9ac7c\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "f29c68f94f0cc6b4467386d8a70b5c9e0dba0796",
      "tree": "9c5c73640c5535b9bb59d8418354ea95179140cc",
      "parents": [
        "56f9e25ee138692ab12f60154ad3a96f48848d20"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Oct 11 11:42:01 2012 -0400"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Wed Oct 14 06:38:19 2015 -0400"
      },
      "message": "constify do_mount() arguments\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n(cherry picked from commit 808d4e3cfdcc52b19276175464f6dbca4df13b09)\n"
    },
    {
      "commit": "b0fd0221d200dddfdb10befd4881a516f0721ff4",
      "tree": "d6ef261001b6d2500272560431061279999e30f9",
      "parents": [
        "472d3c6c6b4d529792e965015d077cbed5faff7b"
      ],
      "author": {
        "name": "Jeff Vander Stoep",
        "email": "jeffv@google.com",
        "time": "Sat Apr 04 16:15:54 2015 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Oct 12 21:03:31 2015 -0400"
      },
      "message": "security: lsm_audit: add ioctl specific auditing\n\nAdd information about ioctl calls to the LSM audit data. Log the\nfile path and command number.\n\nBug: 20350607\nBug: 18087110\nChange-Id: Idbbd106db6226683cb30022d9e8f6f3b8fab7f84\nSigned-off-by: Jeff Vander Stoep \u003cjeffv@google.com\u003e\n"
    },
    {
      "commit": "472d3c6c6b4d529792e965015d077cbed5faff7b",
      "tree": "f47f84165ea173f7a81b1fcbd304525701d29422",
      "parents": [
        "6ab0e3760c374ef9da22f5acef499ef3cc06d439"
      ],
      "author": {
        "name": "Mark Salyzyn",
        "email": "salyzyn@google.com",
        "time": "Wed Jan 07 09:27:15 2015 -0800"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Oct 12 21:03:30 2015 -0400"
      },
      "message": "pstore: selinux: add security in-core xattr support for pstore and debugfs\n\n- add \"pstore\" and \"debugfs\" to list of in-core exceptions\n- change fstype checks to boolean equation\n- change from strncmp to strcmp for checking\n\n(Cherry Pick from commit 2294d499b7969df3838becf5e58bf16b0e3c86c8)\n\nSigned-off-by: Mark Salyzyn \u003csalyzyn@google.com\u003e\nBug: 18917345\nBug: 18935184\nChange-Id: Ib648f30ce4b5d6c96f11465836d6fee89bec1c72\n"
    },
    {
      "commit": "6ab0e3760c374ef9da22f5acef499ef3cc06d439",
      "tree": "850d0c8e73ddd16a350d782c4322f5adbdce6979",
      "parents": [
        "bb8c8befdd984468a43670f4ba2c9aac7d3fe31f"
      ],
      "author": {
        "name": "Jeff Vander Stoep",
        "email": "jeffv@google.com",
        "time": "Wed Apr 29 11:14:23 2015 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Oct 12 21:03:13 2015 -0400"
      },
      "message": "SELinux: ss: Fix policy write for ioctl operations\n\nSecurity server omits the type field when writing out the contents of the\navtab from /sys/fs/selinux/policy. This leads to a corrupt output. No impact\non the running kernel or its loaded policy. Impacts CTS neverallow tests.\n\nBug: 20665861\nChange-Id: I657e18013dd5a1f40052bc2b02dd8e0afee9bcfb\nSigned-off-by: Jeff Vander Stoep \u003cjeffv@google.com\u003e\n(cherry picked from commit 8cdfb356b51e29494ca0b9e4e86727d6f841a52d)\n"
    },
    {
      "commit": "bb8c8befdd984468a43670f4ba2c9aac7d3fe31f",
      "tree": "efbb52938f1f07c9ad9693303aa50b5a1717022e",
      "parents": [
        "f3e85345addf732f1f930e91dc974ccda5f75084"
      ],
      "author": {
        "name": "Jeff Vander Stoep",
        "email": "jeffv@google.com",
        "time": "Mon Apr 20 17:45:42 2015 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Oct 12 21:03:11 2015 -0400"
      },
      "message": "SELinux: use deletion-safe iterator to free list\n\nThis code is not exercised by policy version 26, but will be upon\nupgrade to policy version 30.\n\nBug: 18087110\nChange-Id: I07c6f34607713294a6a12c43a64d9936f0602200\nSigned-off-by: Jeff Vander Stoep \u003cjeffv@google.com\u003e\n"
    },
    {
      "commit": "f3e85345addf732f1f930e91dc974ccda5f75084",
      "tree": "81f36a2bb0308eb07f67de57f6b3a38f6da57c15",
      "parents": [
        "f0449ea947097bfaefca995ceeb03ed9117fac38"
      ],
      "author": {
        "name": "Jeff Vander Stoep",
        "email": "jeffv@google.com",
        "time": "Wed Apr 08 11:27:46 2015 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Oct 12 21:03:10 2015 -0400"
      },
      "message": "SELinux: per-command whitelisting of ioctls\n\n note that this patch depends on a prior patch that is already in\n android-3.4 but has not apparently found its way into the msm 3.4\n branches (but is included in exynos and tegra),\n https://android-review.googlesource.com/#/c/92962/\n\nExtend the generic ioctl permission check with support for per-command\nfiltering. Source/target/class sets including the ioctl permission may\nadditionally include a set of commands. Example:\n\nallow \u003csource\u003e \u003ctarget\u003e:\u003cclass\u003e { 0x8910-0x8926 0x892A-0x8935 }\nauditallow \u003csource\u003e \u003ctarget\u003e:\u003cclass\u003e 0x892A\n\nWhen ioctl commands are omitted only the permissions are checked. This\nfeature is intended to provide finer granularity for the ioctl\npermission which may be too imprecise in some circumstances. For\nexample, the same driver may use ioctls to provide important and\nbenign functionality such as driver version or socket type as well as\ndangerous capabilities such as debugging features, read/write/execute\nto physical memory or access to sensitive data. Per-command filtering\nprovides a mechanism to reduce the attack surface of the kernel, and\nlimit applications to the subset of commands required.\n\nThe format of the policy binary has been modified to include ioctl\ncommands, and the policy version number has been incremented to\nPOLICYDB_VERSION_IOCTL_OPERATIONS\u003d30 to account for the format change.\n\nBug: 20350607\nBug: 18087110\nChange-Id: Ibf0e36728f6f3f0d5af56ccdeddee40800af689d\nSigned-off-by: Jeff Vander Stoep \u003cjeffv@google.com\u003e\n"
    },
    {
      "commit": "f0449ea947097bfaefca995ceeb03ed9117fac38",
      "tree": "247e2e0288dec8f7342e687391452643816fc4ff",
      "parents": [
        "19766a54e07e30168368322037e0dda3be4c6cfb"
      ],
      "author": {
        "name": "Richard Haines",
        "email": "richard_c_haines@btinternet.com",
        "time": "Tue Nov 19 17:34:23 2013 -0500"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Oct 12 21:03:08 2015 -0400"
      },
      "message": "SELinux: Update policy version to support constraints info\n\nUpdate the policy version (POLICYDB_VERSION_CONSTRAINT_NAMES) to allow\nholding of policy source info for constraints.\n\nChange-Id: Id2971142ad2e2dd47c12796480705128b230349f\nSigned-off-by: Richard Haines \u003crichard_c_haines@btinternet.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "19766a54e07e30168368322037e0dda3be4c6cfb",
      "tree": "6af8a5983cf787299a59e60e47005b67bd5cee29",
      "parents": [
        "d076bc7ce1dd23fcc2084db69e9c03bfb12e624c"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Mar 20 14:35:12 2012 -0400"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Oct 12 21:03:06 2015 -0400"
      },
      "message": "SELinux: add default_type statements\n\nBecause Fedora shipped userspace based on my development tree we now\nhave policy version 27 in the wild defining only default user, role, and\nrange.  Thus to add default_type we need a policy.28.\n\nChange-Id: Ic3e0cd121ef02b951674fafe13138a33e3e95c04\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "d076bc7ce1dd23fcc2084db69e9c03bfb12e624c",
      "tree": "76378d2b78acb149e57d3610776c3d61a001d497",
      "parents": [
        "d23d9267bc0393c8522aa6c3654e844f20c903eb"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Mar 20 14:35:12 2012 -0400"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Oct 12 21:03:04 2015 -0400"
      },
      "message": "SELinux: allow default source/target selectors for user/role/range\n\nWhen new objects are created we have great and flexible rules to\ndetermine the type of the new object.  We aren\u0027t quite as flexible or\nmature when it comes to determining the user, role, and range.  This\npatch adds a new ability to specify the place a new object\u0027s user, role,\nand range should come from.  For users and roles it can come from either\nthe source or the target of the operation.  aka for files the user can\neither come from the source (the running process and today\u0027s default) or\nit can come from the target (aka the parent directory of the new file)\n\nexamples always are done with\ndirectory context: system_u:object_r:mnt_t:s0-s0:c0.c512\nprocess context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n\n[no rule]\n\tunconfined_u:object_r:mnt_t:s0   test_none\n[default user source]\n\tunconfined_u:object_r:mnt_t:s0   test_user_source\n[default user target]\n\tsystem_u:object_r:mnt_t:s0       test_user_target\n[default role source]\n\tunconfined_u:unconfined_r:mnt_t:s0 test_role_source\n[default role target]\n\tunconfined_u:object_r:mnt_t:s0   test_role_target\n[default range source low]\n\tunconfined_u:object_r:mnt_t:s0 test_range_source_low\n[default range source high]\n\tunconfined_u:object_r:mnt_t:s0:c0.c1023 test_range_source_high\n[default range source low-high]\n\tunconfined_u:object_r:mnt_t:s0-s0:c0.c1023 test_range_source_low-high\n[default range target low]\n\tunconfined_u:object_r:mnt_t:s0 test_range_target_low\n[default range target high]\n\tunconfined_u:object_r:mnt_t:s0:c0.c512 test_range_target_high\n[default range target low-high]\n\tunconfined_u:object_r:mnt_t:s0-s0:c0.c512 test_range_target_low-high\n\nChange-Id: I7b259aee39241825aa69882701099f1089108f4e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "a71feb202f897c7978d60bfce80b58437f754209",
      "tree": "0475e3989443c2a1e0e8e89ef5e7c40338f7a346",
      "parents": [
        "a6af8f91623152e98fcc0cf13ed6143d77ac3a2f"
      ],
      "author": {
        "name": "James Sullins",
        "email": "jcsullins@gmail.com",
        "time": "Thu Nov 21 10:01:19 2013 -0600"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:05:04 2015 -0400"
      },
      "message": "security/commoncap: fix perms for bluetooth/rfkill\n\nChange-Id: I9a8de2cf70855d6ca68195eba894c2af8eaa3e04\n"
    },
    {
      "commit": "5eab130238adb0adc6100dbba713082c19794dbf",
      "tree": "e4c0af7539ca574904595f40c2344602116b2160",
      "parents": [
        "d7a4f76933fc2be05f2837f46045039c9d187d45"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Wed May 21 15:23:46 2014 -0700"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:54 2015 -0400"
      },
      "message": "sched: move no_new_privs into new atomic flags\n\nSince seccomp transitions between threads requires updates to the\nno_new_privs flag to be atomic, the flag must be part of an atomic flag\nset. This moves the nnp flag into a separate task field, and introduces\naccessors.\n\nChange-Id: I4e764b1b1eb5296a3f7e498a89cfdd6624796c87\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nReviewed-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nReviewed-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\n"
    },
    {
      "commit": "d7a4f76933fc2be05f2837f46045039c9d187d45",
      "tree": "7f3f9af8d4888e568f6c22975f9f3b48b1479160",
      "parents": [
        "95de3e500c6502922b9e66385f9f0aad23f21128"
      ],
      "author": {
        "name": "John Johansen",
        "email": "john.johansen@canonical.com",
        "time": "Mon Jan 30 08:17:27 2012 -0800"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:04:53 2015 -0400"
      },
      "message": "Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS\n\nAdd support for AppArmor to explicitly fail requested domain transitions\nif NO_NEW_PRIVS is set and the task is not unconfined.\n\nTransitions from unconfined are still allowed because this always results\nin a reduction of privileges.\n\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\n\nv18: new acked-by, new description\n"
    },
    {
      "commit": "6295f3f6b2491291726ef485b62d1b651e69ea3b",
      "tree": "8136b7d5d84a34dc887d3c07af0b9a9e335be3c9",
      "parents": [
        "c389a745d038d17cf34312ee495aa51e60965385"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "d.kasatkin@samsung.com",
        "time": "Tue Oct 28 14:28:49 2014 +0200"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:02:11 2015 -0400"
      },
      "message": "evm: check xattr value length and type in evm_inode_setxattr()\n\ncommit 3b1deef6b1289a99505858a3b212c5b50adf0c2f upstream.\n\nevm_inode_setxattr() can be called with no value. The function does not\ncheck the length so that following command can be used to produce the\nkernel oops: setfattr -n security.evm FOO. This patch fixes it.\n\nChanges in v3:\n* there is no reason to return different error codes for EVM_XATTR_HMAC\n  and non EVM_XATTR_HMAC. Remove unnecessary test then.\n\nChanges in v2:\n* testing for validity of xattr type\n\n[ 1106.396921] BUG: unable to handle kernel NULL pointer dereference at           (null)\n[ 1106.398192] IP: [\u003cffffffff812af7b8\u003e] evm_inode_setxattr+0x2a/0x48\n[ 1106.399244] PGD 29048067 PUD 290d7067 PMD 0\n[ 1106.399953] Oops: 0000 [#1] SMP\n[ 1106.400020] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse\n[ 1106.400020] CPU: 0 PID: 3635 Comm: setxattr Not tainted 3.16.0-kds+ #2936\n[ 1106.400020] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 1106.400020] task: ffff8800291a0000 ti: ffff88002917c000 task.ti: ffff88002917c000\n[ 1106.400020] RIP: 0010:[\u003cffffffff812af7b8\u003e]  [\u003cffffffff812af7b8\u003e] evm_inode_setxattr+0x2a/0x48\n[ 1106.400020] RSP: 0018:ffff88002917fd50  EFLAGS: 00010246\n[ 1106.400020] RAX: 0000000000000000 RBX: ffff88002917fdf8 RCX: 0000000000000000\n[ 1106.400020] RDX: 0000000000000000 RSI: ffffffff818136d3 RDI: ffff88002917fdf8\n[ 1106.400020] RBP: ffff88002917fd68 R08: 0000000000000000 R09: 00000000003ec1df\n[ 1106.400020] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800438a0a00\n[ 1106.400020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 1106.400020] FS:  00007f7dfa7d7740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000\n[ 1106.400020] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1106.400020] CR2: 0000000000000000 CR3: 000000003763e000 CR4: 00000000000006f0\n[ 1106.400020] Stack:\n[ 1106.400020] 
 ffff8800438a0a00 ffff88002917fdf8 0000000000000000 ffff88002917fd98\n[ 1106.400020]  ffffffff812a1030 ffff8800438a0a00 ffff88002917fdf8 0000000000000000\n[ 1106.400020]  0000000000000000 ffff88002917fde0 ffffffff8116d08a ffff88002917fdc8\n[ 1106.400020] Call Trace:\n[ 1106.400020]  [\u003cffffffff812a1030\u003e] security_inode_setxattr+0x5d/0x6a\n[ 1106.400020]  [\u003cffffffff8116d08a\u003e] vfs_setxattr+0x6b/0x9f\n[ 1106.400020]  [\u003cffffffff8116d1e0\u003e] setxattr+0x122/0x16c\n[ 1106.400020]  [\u003cffffffff811687e8\u003e] ? mnt_want_write+0x21/0x45\n[ 1106.400020]  [\u003cffffffff8114d011\u003e] ? __sb_start_write+0x10f/0x143\n[ 1106.400020]  [\u003cffffffff811687e8\u003e] ? mnt_want_write+0x21/0x45\n[ 1106.400020]  [\u003cffffffff811687c0\u003e] ? __mnt_want_write+0x48/0x4f\n[ 1106.400020]  [\u003cffffffff8116d3e6\u003e] SyS_setxattr+0x6e/0xb0\n[ 1106.400020]  [\u003cffffffff81529da9\u003e] system_call_fastpath+0x16/0x1b\n[ 1106.400020] Code: c3 0f 1f 44 00 00 55 48 89 e5 41 55 49 89 d5 41 54 49 89 fc 53 48 89 f3 48 c7 c6 d3 36 81 81 48 89 df e8 18 22 04 00 85 c0 75 07 \u003c41\u003e 80 7d 00 02 74 0d 48 89 de 4c 89 e7 e8 5a fe ff ff eb 03 83\n[ 1106.400020] RIP  [\u003cffffffff812af7b8\u003e] evm_inode_setxattr+0x2a/0x48\n[ 1106.400020]  RSP \u003cffff88002917fd50\u003e\n[ 1106.400020] CR2: 0000000000000000\n[ 1106.428061] ---[ end trace ae08331628ba3050 ]---\n\nReported-by: Jan Kara \u003cjack@suse.cz\u003e\nSigned-off-by: Dmitry Kasatkin \u003cd.kasatkin@samsung.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "61dedfa6a0d04c4efd7f67920bcfb48f2094a3fd",
      "tree": "238cabfe3daa6788e25f46eefd4c3e8306e4adef",
      "parents": [
        "1e604b5a88fe727b9687954f2f01fb3f532e5a47"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Mon Oct 06 16:32:52 2014 -0400"
      },
      "committer": {
        "name": "flintman",
        "email": "flintman@flintmancomputers.com",
        "time": "Mon Apr 27 08:01:21 2015 -0400"
      },
      "message": "selinux: fix inode security list corruption\n\ncommit 923190d32de4428afbea5e5773be86bea60a9925 upstream.\n\nsb_finish_set_opts() can race with inode_free_security()\nwhen initializing inode security structures for inodes\ncreated prior to initial policy load or by the filesystem\nduring -\u003emount().   This appears to have always been\na possible race, but commit 3dc91d4 (\"SELinux:  Fix possible\nNULL pointer dereference in selinux_inode_permission()\")\nmade it more evident by immediately reusing the unioned\nlist/rcu element  of the inode security structure for call_rcu()\nupon an inode_free_security().  But the underlying issue\nwas already present before that commit as a possible use-after-free\nof isec.\n\nShivnandan Kumar reported the list corruption and proposed\na patch to split the list and rcu elements out of the union\nas separate fields of the inode_security_struct so that setting\nthe rcu element would not affect the list element.  However,\nthis would merely hide the issue and not truly fix the code.\n\nThis patch instead moves up the deletion of the list entry\nprior to dropping the sbsec-\u003eisec_lock initially.  Then,\nif the inode is dropped subsequently, there will be no further\nreferences to the isec.\n\nReported-by: Shivnandan Kumar \u003cshivnandan.k@samsung.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Zefan Li \u003clizefan@huawei.com\u003e\n"
    },
    {
      "commit": "1097d78180e1a2916c2bcdb15cb90ba131af9cd8",
      "tree": "5910f8fc0dcb85c71011ccccee18895769699390",
      "parents": [
        "3ded4adc97887ddde3c1855f29f062e015d19425",
        "7fd7a446b1c2b96252e4389746e5419eae04faef"
      ],
      "author": {
        "name": "Paul",
        "email": "javelinanddart@gmail.com",
        "time": "Sun Jan 11 17:15:40 2015 -0800"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Sun Jan 11 17:20:45 2015 -0800"
      },
      "message": "Merge tag \u0027v3.4.105\u0027 into cm-12.0\n\nThis is the 3.4.105 stable release\n\nConflicts:\n\tarch/arm/mm/proc-v7.S\n\tdrivers/bluetooth/hci_ldisc.c\n\tdrivers/media/dvb/dvb-core/dmxdev.c\n\tdrivers/usb/core/driver.c\n\tdrivers/usb/dwc3/core.c\n\tdrivers/usb/host/xhci-hub.c\n\tdrivers/usb/host/xhci.c\n\tdrivers/usb/serial/qcserial.c\n\tdrivers/usb/serial/usb_wwan.c\n\tkernel/events/core.c\n\tkernel/time/tick-sched.ck\n\tkernel/futex.c\n\tmm/memory_hotplug.c\n\tmm/vmscan.c\n\tnet/bluetooth/hci_conn.c\n\tnet/bluetooth/hci_event.c\n\tnet/bluetooth/l2cap_core.c\n\tnet/ipv4/ping.c\n\tnet/wireless/nl80211.c\n\tsound/soc/soc-core.c\n\nChange-Id: Id09da84afb427ba1a32ff26e74f2bb86458d4a2e\n"
    },
    {
      "commit": "77945c90c023415428f5bb0a682787401bc8bef3",
      "tree": "578d50f462f945ee3fe0e045798c06f3f43c676d",
      "parents": [
        "f16bf066acb08350287b5518875828e947e5c05a"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sasha.levin@oracle.com",
        "time": "Mon Dec 29 14:39:01 2014 -0600"
      },
      "committer": {
        "name": "Matt Mower",
        "email": "mowerm@gmail.com",
        "time": "Tue Jan 06 12:42:32 2015 -0600"
      },
      "message": "KEYS: close race between key lookup and freeing\n\nWhen a key is being garbage collected, its key-\u003euser would get put before\nthe -\u003edestroy() callback is called, where the key is removed from its\nrespective tracking structures.\n\nThis leaves a key hanging in a semi-invalid state which leaves a window open\nfor a different task to try and access key-\u003euser. An example is\nfind_keyring_by_name() which would dereference key-\u003euser for a key that is\nin the process of being garbage collected (where key-\u003euser was freed but\n-\u003edestroy() wasn\u0027t called yet - so it\u0027s still present in the linked list).\n\nThis would cause either a panic, or corrupt memory.\n\nChange-Id: Ic74246dc2dcc593f04f71063e3301e7356d588b7\nSigned-off-by: Sasha Levin \u003csasha.levin@oracle.com\u003e\n"
    },
    {
      "commit": "62c2fe4dab1064dad772f2220486dd54e3deaeb6",
      "tree": "6a20ec807c371aa81f3c2c9f089df4be00aac2ed",
      "parents": [
        "9bf75dffc07ea6b5e19251880b8dcf0debdbbccc"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Sun Dec 14 12:37:06 2014 +0200"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Tue Dec 16 13:18:02 2014 -0800"
      },
      "message": "selinux: Report permissive mode in avc: denied messages.\n\nWe cannot presently tell from an avc: denied message whether access was in\nfact denied or was allowed due to global or per-domain permissive mode.\nAdd a permissive\u003d field to the avc message to reflect this information.\n\nChange-Id: I0281c366d0815addd5b22b26d266a18a743c53f5\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n"
    },
    {
      "commit": "9bf75dffc07ea6b5e19251880b8dcf0debdbbccc",
      "tree": "329bb5327b7e523ed2812dc6679b035f594f69f5",
      "parents": [
        "74cfe2dcc0f4b17f9abbabf349e33c39a260987e"
      ],
      "author": {
        "name": "Andy Lutomirski",
        "email": "luto@amacapital.net",
        "time": "Thu Apr 12 16:47:50 2012 -0500"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Tue Dec 16 13:18:02 2014 -0800"
      },
      "message": "Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs\n\nWith this change, calling\n  prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)\ndisables privilege granting operations at execve-time.  For example, a\nprocess will not be able to execute a setuid binary to change their uid\nor gid if this bit is set.  The same is true for file capabilities.\n\nAdditionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that\nLSMs respect the requested behavior.\n\nTo determine if the NO_NEW_PRIVS bit is set, a task may call\n  prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);\nIt returns 1 if set and 0 if it is not set. If any of the arguments are\nnon-zero, it will return -1 and set errno to -EINVAL.\n(PR_SET_NO_NEW_PRIVS behaves similarly.)\n\nThis functionality is desired for the proposed seccomp filter patch\nseries.  By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the\nsystem call behavior for itself and its child tasks without being\nable to impact the behavior of a more privileged task.\n\nAnother potential use is making certain privileged operations\nunprivileged.  For example, chroot may be considered \"safe\" if it cannot\naffect privileged tasks.\n\nNote, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is\nset and AppArmor is in use.  It is fixed in a subsequent patch.\n\nSigned-off-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\n\nChange-Id: I2159006d20daefe6add5adc47c22bdbcd7d79e3a\nv18: updated change desc\nv17: using new define values as per 3.4\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "12a38b8f1dd7c65d01aa4c759f29a700c194ecec",
      "tree": "60c9629330a2feb612a024f14847fa23243626d0",
      "parents": [
        "7f53daea4dd53f43dd10ac24f752f74063abe4fa"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Sun May 11 00:05:23 2014 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Jun 26 15:10:28 2014 -0400"
      },
      "message": "evm: prohibit userspace writing \u0027security.evm\u0027 HMAC value\n\ncommit 2fb1c9a4f2dbc2f0bd2431c7fa64d0b5483864e4 upstream.\n\nCalculating the \u0027security.evm\u0027 HMAC value requires access to the\nEVM encrypted key.  Only the kernel should have access to it.  This\npatch prevents userspace tools (e.g. setfattr, cp --preserve\u003dxattr)\nfrom setting/modifying the \u0027security.evm\u0027 HMAC value directly.\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "23a5a7a2dafd877ec853b4c7debf6d726d10f9b9",
      "tree": "609000441a317cb217a79c629b84dbb345a123b5",
      "parents": [
        "cd59fb14918a6b20c1ac8be121fa6397b97b00cb"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Wed Mar 19 16:46:18 2014 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 14 06:44:17 2014 -0700"
      },
      "message": "selinux: correctly label /proc inodes in use before the policy is loaded\n\ncommit f64410ec665479d7b4b77b7519e814253ed0f686 upstream.\n\nThis patch is based on an earlier patch by Eric Paris, he describes\nthe problem below:\n\n  \"If an inode is accessed before policy load it will get placed on a\n   list of inodes to be initialized after policy load.  After policy\n   load we call inode_doinit() which calls inode_doinit_with_dentry()\n   on all inodes accessed before policy load.  In the case of inodes\n   in procfs that means we\u0027ll end up at the bottom where it does:\n\n     /* Default to the fs superblock SID. */\n     isec-\u003esid \u003d sbsec-\u003esid;\n\n     if ((sbsec-\u003eflags \u0026 SE_SBPROC) \u0026\u0026 !S_ISLNK(inode-\u003ei_mode)) {\n             if (opt_dentry) {\n                     isec-\u003esclass \u003d inode_mode_to_security_class(...)\n                     rc \u003d selinux_proc_get_sid(opt_dentry,\n                                               isec-\u003esclass,\n                                               \u0026sid);\n                     if (rc)\n                             goto out_unlock;\n                     isec-\u003esid \u003d sid;\n             }\n     }\n\n   Since opt_dentry is null, we\u0027ll never call selinux_proc_get_sid()\n   and will leave the inode labeled with the label on the superblock.\n   I believe a fix would be to mimic the behavior of xattrs.  Look\n   for an alias of the inode.  
If it can\u0027t be found, just leave the\n   inode uninitialized (and pick it up later) if it can be found, we\n   should be able to call selinux_proc_get_sid() ...\"\n\nOn a system exhibiting this problem, you will notice a lot of files in\n/proc with the generic \"proc_t\" type (at least the ones that were\naccessed early in the boot), for example:\n\n   # ls -Z /proc/sys/kernel/shmmax | awk \u0027{ print $4 \" \" $5 }\u0027\n   system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax\n\nHowever, with this patch in place we see the expected result:\n\n   # ls -Z /proc/sys/kernel/shmmax | awk \u0027{ print $4 \" \" $5 }\u0027\n   system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax\n\nCc: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "186ef2385c50ee6b2232f2ab8edb354ca71332bf",
      "tree": "95356924d61dedc87dcc53d24b8896de9a7b8e27",
      "parents": [
        "f80747a43fc2613b9f5e1ded16f50ef28815652e"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Feb 20 10:56:45 2014 -0500"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Tue Mar 11 16:10:02 2014 -0700"
      },
      "message": "SELinux: bigendian problems with filename trans rules\n\ncommit 9085a6422900092886da8c404e1c5340c4ff1cbf upstream.\n\nWhen writing policy via /sys/fs/selinux/policy I wrote the type and class\nof filename trans rules in CPU endian instead of little endian.  On\nx86_64 this works just fine, but it means that on big endian arch\u0027s like\nppc64 and s390 userspace reads the policy and converts it from\nle32_to_cpu.  So the values are all screwed up.  Write the values in le\nformat like it should have been to start.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "66d383de0963dd351051304e36247e9a6fa66b77",
      "tree": "5cd17ffcb6edfa4385a2ceddb63ada9efdea2ee1",
      "parents": [
        "c523abc466c9b7c693e4a528ca2f54c6e931b6a6",
        "2606524141e4ff9b6a5d0bcbd9d601dfc5a8285c"
      ],
      "author": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Fri Mar 07 11:56:04 2014 -0800"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Fri Mar 07 11:56:04 2014 -0800"
      },
      "message": "Merge tag \u0027v3.4.82\u0027 into cm-11.0\n\nThis is the 3.4.82 stable release\n\nConflicts:\n\tarch/arm/kernel/traps.c\n\tmm/internal.h\n\nChange-Id: Ie3b1ffdfe133e76cfa3eaaa4305535af8490d7cc\n"
    },
    {
      "commit": "a0f916d429bcb240f8048c0d5f61d07c6d0c73ae",
      "tree": "76d140745d5050c649ad216bfc58691d7a7eeacd",
      "parents": [
        "a6d2ebcda7cb7467b3f5ca597710be25cc8ad76f"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Thu Jan 30 11:26:59 2014 -0500"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Feb 20 10:45:32 2014 -0800"
      },
      "message": "SELinux: Fix kernel BUG on empty security contexts.\n\ncommit 2172fa709ab32ca60e86179dc67d0857be8e2c98 upstream.\n\nSetting an empty security context (length\u003d0) on a file will\nlead to incorrectly dereferencing the type and other fields\nof the security context structure, yielding a kernel BUG.\nAs a zero-length security context is never valid, just reject\nall such security contexts whether coming from userspace\nvia setxattr or coming from the filesystem upon a getxattr\nrequest by SELinux.\n\nSetting a security context value (empty or otherwise) unknown to\nSELinux in the first place is only possible for a root process\n(CAP_MAC_ADMIN), and, if running SELinux in enforcing mode, only\nif the corresponding SELinux mac_admin permission is also granted\nto the domain by policy.  In Fedora policies, this is only allowed for\nspecific domains such as livecd for setting down security contexts\nthat are not defined in the build host policy.\n\nReproducer:\nsu\nsetenforce 0\ntouch foo\nsetfattr -n security.selinux foo\n\nCaveat:\nRelabeling or removing foo after doing the above may not be possible\nwithout booting with SELinux disabled.  
Any subsequent access to foo\nafter doing the above will also trigger the BUG.\n\nBUG output from Matthew Thode:\n[  473.893141] ------------[ cut here ]------------\n[  473.962110] kernel BUG at security/selinux/ss/services.c:654!\n[  473.995314] invalid opcode: 0000 [#6] SMP\n[  474.027196] Modules linked in:\n[  474.058118] CPU: 0 PID: 8138 Comm: ls Tainted: G      D   I\n3.13.0-grsec #1\n[  474.116637] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0\n07/29/10\n[  474.149768] task: ffff8805f50cd010 ti: ffff8805f50cd488 task.ti:\nffff8805f50cd488\n[  474.183707] RIP: 0010:[\u003cffffffff814681c7\u003e]  [\u003cffffffff814681c7\u003e]\ncontext_struct_compute_av+0xce/0x308\n[  474.219954] RSP: 0018:ffff8805c0ac3c38  EFLAGS: 00010246\n[  474.252253] RAX: 0000000000000000 RBX: ffff8805c0ac3d94 RCX:\n0000000000000100\n[  474.287018] RDX: ffff8805e8aac000 RSI: 00000000ffffffff RDI:\nffff8805e8aaa000\n[  474.321199] RBP: ffff8805c0ac3cb8 R08: 0000000000000010 R09:\n0000000000000006\n[  474.357446] R10: 0000000000000000 R11: ffff8805c567a000 R12:\n0000000000000006\n[  474.419191] R13: ffff8805c2b74e88 R14: 00000000000001da R15:\n0000000000000000\n[  474.453816] FS:  00007f2e75220800(0000) GS:ffff88061fc00000(0000)\nknlGS:0000000000000000\n[  474.489254] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  474.522215] CR2: 00007f2e74716090 CR3: 00000005c085e000 CR4:\n00000000000207f0\n[  474.556058] Stack:\n[  474.584325]  ffff8805c0ac3c98 ffffffff811b549b ffff8805c0ac3c98\nffff8805f1190a40\n[  474.618913]  ffff8805a6202f08 ffff8805c2b74e88 00068800d0464990\nffff8805e8aac860\n[  474.653955]  ffff8805c0ac3cb8 000700068113833a ffff880606c75060\nffff8805c0ac3d94\n[  474.690461] Call Trace:\n[  474.723779]  [\u003cffffffff811b549b\u003e] ? 
lookup_fast+0x1cd/0x22a\n[  474.778049]  [\u003cffffffff81468824\u003e] security_compute_av+0xf4/0x20b\n[  474.811398]  [\u003cffffffff8196f419\u003e] avc_compute_av+0x2a/0x179\n[  474.843813]  [\u003cffffffff8145727b\u003e] avc_has_perm+0x45/0xf4\n[  474.875694]  [\u003cffffffff81457d0e\u003e] inode_has_perm+0x2a/0x31\n[  474.907370]  [\u003cffffffff81457e76\u003e] selinux_inode_getattr+0x3c/0x3e\n[  474.938726]  [\u003cffffffff81455cf6\u003e] security_inode_getattr+0x1b/0x22\n[  474.970036]  [\u003cffffffff811b057d\u003e] vfs_getattr+0x19/0x2d\n[  475.000618]  [\u003cffffffff811b05e5\u003e] vfs_fstatat+0x54/0x91\n[  475.030402]  [\u003cffffffff811b063b\u003e] vfs_lstat+0x19/0x1b\n[  475.061097]  [\u003cffffffff811b077e\u003e] SyS_newlstat+0x15/0x30\n[  475.094595]  [\u003cffffffff8113c5c1\u003e] ? __audit_syscall_entry+0xa1/0xc3\n[  475.148405]  [\u003cffffffff8197791e\u003e] system_call_fastpath+0x16/0x1b\n[  475.179201] Code: 00 48 85 c0 48 89 45 b8 75 02 0f 0b 48 8b 45 a0 48\n8b 3d 45 d0 b6 00 8b 40 08 89 c6 ff ce e8 d1 b0 06 00 48 85 c0 49 89 c7\n75 02 \u003c0f\u003e 0b 48 8b 45 b8 4c 8b 28 eb 1e 49 8d 7d 08 be 80 01 00 00 e8\n[  475.255884] RIP  [\u003cffffffff814681c7\u003e]\ncontext_struct_compute_av+0xce/0x308\n[  475.296120]  RSP \u003cffff8805c0ac3c38\u003e\n[  475.328734] ---[ end trace f076482e9d754adc ]---\n\nReported-by:  Matthew Thode \u003cmthode@mthode.org\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "ef609edc523e00e7b8cf6be348f52f6d6577d63e",
      "tree": "730c6ffc56d7904a5473602a80897f6da5dd246b",
      "parents": [
        "e3b1f4138a12a66dcd2a48e5b4a7fa1bba9c2c5b"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Jan 06 21:28:15 2014 +0900"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Feb 13 11:51:07 2014 -0800"
      },
      "message": "SELinux: Fix memory leak upon loading policy\n\ncommit 8ed814602876bec9bad2649ca17f34b499357a1c upstream.\n\nHello.\n\nI got below leak with linux-3.10.0-54.0.1.el7.x86_64 .\n\n[  681.903890] kmemleak: 5538 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n\nBelow is a patch, but I don\u0027t know whether we need special handing for undoing\nebitmap_set_bit() call.\n----------\n\u003e\u003eFrom fe97527a90fe95e2239dfbaa7558f0ed559c0992 Mon Sep 17 00:00:00 2001\nFrom: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nDate: Mon, 6 Jan 2014 16:30:21 +0900\nSubject: SELinux: Fix memory leak upon loading policy\n\nCommit 2463c26d \"SELinux: put name based create rules in a hashtable\" did not\ncheck return value from hashtab_insert() in filename_trans_read(). It leaks\nmemory if hashtab_insert() returns error.\n\n  unreferenced object 0xffff88005c9160d0 (size 8):\n    comm \"systemd\", pid 1, jiffies 4294688674 (age 235.265s)\n    hex dump (first 8 bytes):\n      57 0b 00 00 6b 6b 6b a5                          W...kkk.\n    backtrace:\n      [\u003cffffffff816604ae\u003e] kmemleak_alloc+0x4e/0xb0\n      [\u003cffffffff811cba5e\u003e] kmem_cache_alloc_trace+0x12e/0x360\n      [\u003cffffffff812aec5d\u003e] policydb_read+0xd1d/0xf70\n      [\u003cffffffff812b345c\u003e] security_load_policy+0x6c/0x500\n      [\u003cffffffff812a623c\u003e] sel_write_load+0xac/0x750\n      [\u003cffffffff811eb680\u003e] vfs_write+0xc0/0x1f0\n      [\u003cffffffff811ec08c\u003e] SyS_write+0x4c/0xa0\n      [\u003cffffffff81690419\u003e] system_call_fastpath+0x16/0x1b\n      [\u003cffffffffffffffff\u003e] 0xffffffffffffffff\n\nHowever, we should not return EEXIST error to the caller, or the systemd will\nshow below message and the boot sequence freezes.\n\n  systemd[1]: Failed to load SELinux policy. 
Freezing.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "9e74d93d657ae6662cfd5e3e9ca67d05cfffbd9a",
      "tree": "d5cf44c68adfbbbef3bd83cccf982298765f958b",
      "parents": [
        "e34cdde46b0c080f0654f5237c4af76b27019f60"
      ],
      "author": {
        "name": "Steven Rostedt",
        "email": "rostedt@goodmis.org",
        "time": "Thu Jan 09 21:46:34 2014 -0500"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Jan 29 05:10:42 2014 -0800"
      },
      "message": "SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()\n\ncommit 3dc91d4338d698ce77832985f9cb183d8eeaf6be upstream.\n\nWhile running stress tests on adding and deleting ftrace instances I hit\nthis bug:\n\n  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n  IP: selinux_inode_permission+0x85/0x160\n  PGD 63681067 PUD 7ddbe067 PMD 0\n  Oops: 0000 [#1] PREEMPT\n  CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20\n  Hardware name:                  /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006\n  task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000\n  RIP: 0010:[\u003cffffffff812d8bc5\u003e]  [\u003cffffffff812d8bc5\u003e] selinux_inode_permission+0x85/0x160\n  RSP: 0018:ffff88007ddb1c48  EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840\n  RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000\n  RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54\n  R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000\n  R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000\n  FS:  00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M\n  CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0\n  Call Trace:\n    security_inode_permission+0x1c/0x30\n    __inode_permission+0x41/0xa0\n    inode_permission+0x18/0x50\n    link_path_walk+0x66/0x920\n    path_openat+0xa6/0x6c0\n    do_filp_open+0x43/0xa0\n    do_sys_open+0x146/0x240\n    SyS_open+0x1e/0x20\n    system_call_fastpath+0x16/0x1b\n  Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 \u003c0f\u003e b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff\n  RIP  selinux_inode_permission+0x85/0x160\n  CR2: 0000000000000020\n\nInvestigating, I 
found that the inode-\u003ei_security was NULL, and the\ndereference of it caused the oops.\n\nin selinux_inode_permission():\n\n\tisec \u003d inode-\u003ei_security;\n\n\trc \u003d avc_has_perm_noaudit(sid, isec-\u003esid, isec-\u003esclass, perms, 0, \u0026avd);\n\nNote, the crash came from stressing the deletion and reading of debugfs\nfiles.  I was not able to recreate this via normal files.  But I\u0027m not\nsure they are safe.  It may just be that the race window is much harder\nto hit.\n\nWhat seems to have happened (and what I have traced), is the file is\nbeing opened at the same time the file or directory is being deleted.\nAs the dentry and inode locks are not held during the path walk, nor is\nthe inodes ref counts being incremented, there is nothing saving these\nstructures from being discarded except for an rcu_read_lock().\n\nThe rcu_read_lock() protects against freeing of the inode, but it does\nnot protect freeing of the inode_security_struct.  Now if the freeing of\nthe i_security happens with a call_rcu(), and the i_security field of\nthe inode is not changed (it gets freed as the inode gets freed) then\nthere will be no issue here.  (Linus Torvalds suggested not setting the\nfield to NULL such that we do not need to check if it is NULL in the\npermission check).\n\nNote, this is a hack, but it fixes the problem at hand.  A real fix is\nto restructure the destroy_inode() to call all the destructor handlers\nfrom the RCU callback.  But that is a major job to do, and requires a\nlot of work.  
For now, we just band-aid this bug with this fix (it\nworks), and work on a more maintainable solution in the future.\n\nLink: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home\nLink: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home\n\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "9771ba99eb41a87d5add7799092288e702283dfc",
      "tree": "00bd25fc71a77ad9097cf08d1e69c79336329c44",
      "parents": [
        "8ad62c20c16409cf90fd7c6774f71ce81378d6a0"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Jul 06 14:13:29 2012 -0400"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Fri Jan 17 22:12:26 2014 -0800"
      },
      "message": "SELinux: include definition of new capabilities\n\nThe kernel has added CAP_WAKE_ALARM and CAP_EPOLLWAKEUP.  We need to\ndefine these in SELinux so they can be mediated by policy.\n\nChange-Id: I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n[sds: rename epollwakeup to block_suspend to match upstream merge]\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n"
    },
    {
      "commit": "fda73056f62d84376a3d29926708b4a08155da31",
      "tree": "0080c4eec02c23179f59a50d269f48f7662b61ce",
      "parents": [
        "cf8f2e58d0893f9785b8056b29d9bbcb4758765f",
        "94f578e6aba14bb2aeb00db2e7f6e5f704fee937"
      ],
      "author": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Tue Jan 14 21:50:44 2014 -0800"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Tue Jan 14 21:50:44 2014 -0800"
      },
      "message": "Merge tag \u0027v3.4.76\u0027 into cm-11.0\n\nThis is the 3.4.76 stable release\n\nConflicts:\n\tdrivers/gpio/gpio-msm-v2.c\n\nChange-Id: Ic80b29098bdf656b5e5c9b95d98d2ec64bba1f28\n"
    },
    {
      "commit": "420cc6d77fd83ab28ebed7ab1dc9018ab351ec12",
      "tree": "5b28c87f0e82876d6a895895a249b2824a5042af",
      "parents": [
        "73ec955cd6954d69540c7a761182ee84d2bad189"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Dec 10 14:58:01 2013 -0500"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Jan 08 09:42:12 2014 -0800"
      },
      "message": "selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_postroute()\n\ncommit c0828e50485932b7e019df377a6b0a8d1ebd3080 upstream.\n\nDue to difficulty in arriving at the proper security label for\nTCP SYN-ACK packets in selinux_ip_postroute(), we need to check packets\nwhile/before they are undergoing XFRM transforms instead of waiting\nuntil afterwards so that we can determine the correct security label.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "73ec955cd6954d69540c7a761182ee84d2bad189",
      "tree": "d2e9e8a5966067058d959d9bcae6ea77cf6aaf02",
      "parents": [
        "7a12bcd95b59dcf1a715827846baa7c81d1946f9"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Dec 10 14:57:54 2013 -0500"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Jan 08 09:42:12 2014 -0800"
      },
      "message": "selinux: look for IPsec labels on both inbound and outbound packets\n\ncommit 817eff718dca4e54d5721211ddde0914428fbb7c upstream.\n\nPreviously selinux_skb_peerlbl_sid() would only check for labeled\nIPsec security labels on inbound packets, this patch enables it to\ncheck both inbound and outbound traffic for labeled IPsec security\nlabels.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "58c2314ac41e8f24a2a594bd866915e38de9648e",
      "tree": "25b4928360576d7d6501a1e0d01fcab7e6003226",
      "parents": [
        "351381d8cea3036cfe021eb29994584d0e5c0e73"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Mon Dec 23 17:45:01 2013 -0500"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Jan 08 09:42:10 2014 -0800"
      },
      "message": "selinux: selinux_setprocattr()-\u003eptrace_parent() needs rcu_read_lock()\n\ncommit c0c1439541f5305b57a83d599af32b74182933fe upstream.\n\nselinux_setprocattr() does ptrace_parent(p) under task_lock(p),\nbut task_struct-\u003ealloc_lock doesn\u0027t pin -\u003eparent or -\u003eptrace,\nthis looks confusing and triggers the \"suspicious RCU usage\"\nwarning because ptrace_parent() does rcu_dereference_check().\n\nAnd in theory this is wrong, spin_lock()-\u003epreempt_disable()\ndoesn\u0027t necessarily imply rcu_read_lock() we need to access\nthe -\u003eparent.\n\nReported-by: Evan McNabb \u003cemcnabb@redhat.com\u003e\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "351381d8cea3036cfe021eb29994584d0e5c0e73",
      "tree": "575afc68d8b8f5522817066d64aae1dc6843a69a",
      "parents": [
        "bc8a3912facbd66e2b88d10922aae74548b86606"
      ],
      "author": {
        "name": "Chad Hanson",
        "email": "chanson@trustedcs.com",
        "time": "Mon Dec 23 17:45:01 2013 -0500"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Jan 08 09:42:10 2014 -0800"
      },
      "message": "selinux: fix broken peer recv check\n\ncommit 46d01d63221c3508421dd72ff9c879f61053cffc upstream.\n\nFix a broken networking check. Return an error if peer recv fails.  If\nsecmark is active and the packet recv succeeds the peer recv error is\nignored.\n\nSigned-off-by: Chad Hanson \u003cchanson@trustedcs.com\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "de0f9a5a9d7932086e623560d66655cc8507cfec",
      "tree": "d9e4678d68da38d7670b79c8b5e8782445c5ad7e",
      "parents": [
        "e1a3c5a3706d580390c02c69cb14dcd679d31d91",
        "84dfcb758ba7cce52ef475ac96861a558e1a20ca"
      ],
      "author": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Sat Dec 21 14:22:41 2013 -0800"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Sat Dec 21 14:22:41 2013 -0800"
      },
      "message": "Merge tag \u0027v3.4.75\u0027 into cm-11.0\n\nThis is the 3.4.75 stable release\n\nConflicts:\n\tdrivers/md/dm-crypt.c\n\tdrivers/mmc/card/block.c\n\tdrivers/net/ethernet/smsc/smc91x.h\n\nChange-Id: I39f38ef5530c5fef07583beb9d76b983e71b9ff3\n"
    },
    {
      "commit": "2ea04e5a3d579032632c72584ea67b623321064c",
      "tree": "ea2d1ac04a2559bc55aa2dde512e99d9e8f16862",
      "parents": [
        "1c5d9d1527ceb57e66001fba3d84c766d89baf2e"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Wed Dec 04 16:10:51 2013 -0500"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Dec 20 07:34:20 2013 -0800"
      },
      "message": "selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()\n\ncommit 446b802437f285de68ffb8d6fac3c44c3cab5b04 upstream.\n\nIn selinux_ip_postroute() we perform access checks based on the\npacket\u0027s security label.  For locally generated traffic we get the\npacket\u0027s security label from the associated socket; this works in all\ncases except for TCP SYN-ACK packets.  In the case of SYN-ACK packet\u0027s\nthe correct security label is stored in the connection\u0027s request_sock,\nnot the server\u0027s socket.  Unfortunately, at the point in time when\nselinux_ip_postroute() is called we can\u0027t query the request_sock\ndirectly, we need to recreate the label using the same logic that\noriginally labeled the associated request_sock.\n\nSee the inline comments for more explanation.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nTested-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "1c5d9d1527ceb57e66001fba3d84c766d89baf2e",
      "tree": "2fd2bda381a616fca0a9ed6326bd0ba732621a7c",
      "parents": [
        "898341afe54f827138e9b3516ae5a456f2d5fa48"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Wed Dec 04 16:10:45 2013 -0500"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Dec 20 07:34:20 2013 -0800"
      },
      "message": "selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output()\n\ncommit 47180068276a04ed31d24fe04c673138208b07a9 upstream.\n\nIn selinux_ip_output() we always label packets based on the parent\nsocket.  While this approach works in almost all cases, it doesn\u0027t\nwork in the case of TCP SYN-ACK packets when the correct label is not\nthe label of the parent socket, but rather the label of the larval\nsocket represented by the request_sock struct.\n\nUnfortunately, since the request_sock isn\u0027t queued on the parent\nsocket until *after* the SYN-ACK packet is sent, we can\u0027t lookup the\nrequest_sock to determine the correct label for the packet; at this\npoint in time the best we can do is simply pass/NF_ACCEPT the packet.\nIt must be said that simply passing the packet without any explicit\nlabeling action, while far from ideal, is not terrible as the SYN-ACK\npacket will inherit any IP option based labeling from the initial\nconnection request so the label *should* be correct and all our\naccess controls remain in place so we shouldn\u0027t have to worry about\ninformation leaks.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nTested-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "2a38ada0f1ab9f894eea4428731ebc811b51c3f3",
      "tree": "759c765808a23a3a35e4ba10d8306c847c0205b7",
      "parents": [
        "19218e895cefdd389c96af12c93c89e7276bbaad",
        "44d19f5a04ae4e433548ba2f25e4d2ccfcac765e"
      ],
      "author": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Sun Dec 08 12:50:38 2013 -0800"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Sun Dec 08 12:50:38 2013 -0800"
      },
      "message": "Merge tag \u0027v3.4.72\u0027 into tmp\n\nThis is the 3.4.72 stable release\n\nConflicts:\n\tarch/arm/Kconfig\n\tarch/arm/include/asm/mutex.h\n\tarch/arm/kernel/perf_event.c\n\tarch/arm/kernel/traps.c\n\tarch/arm/mm/dma-mapping.c\n\tdrivers/base/power/main.c\n\tdrivers/bluetooth/ath3k.c\n\tdrivers/bluetooth/btusb.c\n\tdrivers/gpu/drm/radeon/radeon_mode.h\n\tdrivers/mmc/card/block.c\n\tdrivers/mmc/host/sdhci.c\n\tdrivers/usb/core/message.c\n\tdrivers/usb/host/xhci-plat.c\n\tdrivers/usb/host/xhci.h\n\tdrivers/virtio/virtio_ring.c\n\tfs/ubifs/dir.c\n\tinclude/linux/freezer.h\n\tinclude/linux/virtio.h\n\tinclude/media/v4l2-ctrls.h\n\tinclude/net/bluetooth/hci_core.h\n\tinclude/net/bluetooth/mgmt.h\n\tkernel/cgroup.c\n\tkernel/futex.c\n\tkernel/signal.c\n\tnet/bluetooth/hci_conn.c\n\tnet/bluetooth/hci_core.c\n\tnet/bluetooth/hci_event.c\n\tnet/bluetooth/l2cap_core.c\n\tnet/bluetooth/mgmt.c\n\tnet/bluetooth/rfcomm/sock.c\n\tnet/bluetooth/smp.c\n\nChange-Id: I4fb0d5de74ca76f933d95d98e1a9c2c859402f34\n"
    },
    {
      "commit": "17af9d91523a6e44a3721cea48cd3ade66a8b416",
      "tree": "2baf8e6c824c313203cc7ec6000fa243257ee52c",
      "parents": [
        "5d6d6a7a101136aec882cc168c2d6bd4376b3760"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Thu Sep 26 17:00:46 2013 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Dec 04 10:50:32 2013 -0800"
      },
      "message": "selinux: correct locking in selinux_netlbl_socket_connect)\n\ncommit 42d64e1add3a1ce8a787116036163b8724362145 upstream.\n\nThe SELinux/NetLabel glue code has a locking bug that affects systems\nwith NetLabel enabled, see the kernel error message below.  This patch\ncorrects this problem by converting the bottom half socket lock to a\nmore conventional, and correct for this call-path, lock_sock() call.\n\n \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n [ INFO: suspicious RCU usage. ]\n 3.11.0-rc3+ #19 Not tainted\n -------------------------------\n net/ipv4/cipso_ipv4.c:1928 suspicious rcu_dereference_protected() usage!\n\n other info that might help us debug this:\n\n rcu_scheduler_active \u003d 1, debug_locks \u003d 0\n 2 locks held by ping/731:\n  #0:  (slock-AF_INET/1){+.-...}, at: [...] selinux_netlbl_socket_connect\n  #1:  (rcu_read_lock){.+.+..}, at: [\u003c...\u003e] netlbl_conn_setattr\n\n stack backtrace:\n CPU: 1 PID: 731 Comm: ping Not tainted 3.11.0-rc3+ #19\n Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n  0000000000000001 ffff88006f659d28 ffffffff81726b6a ffff88003732c500\n  ffff88006f659d58 ffffffff810e4457 ffff88006b845a00 0000000000000000\n  000000000000000c ffff880075aa2f50 ffff88006f659d90 ffffffff8169bec7\n Call Trace:\n  [\u003cffffffff81726b6a\u003e] dump_stack+0x54/0x74\n  [\u003cffffffff810e4457\u003e] lockdep_rcu_suspicious+0xe7/0x120\n  [\u003cffffffff8169bec7\u003e] cipso_v4_sock_setattr+0x187/0x1a0\n  [\u003cffffffff8170f317\u003e] netlbl_conn_setattr+0x187/0x190\n  [\u003cffffffff8170f195\u003e] ? netlbl_conn_setattr+0x5/0x190\n  [\u003cffffffff8131ac9e\u003e] selinux_netlbl_socket_connect+0xae/0xc0\n  [\u003cffffffff81303025\u003e] selinux_socket_connect+0x135/0x170\n  [\u003cffffffff8119d127\u003e] ? 
might_fault+0x57/0xb0\n  [\u003cffffffff812fb146\u003e] security_socket_connect+0x16/0x20\n  [\u003cffffffff815d3ad3\u003e] SYSC_connect+0x73/0x130\n  [\u003cffffffff81739a85\u003e] ? sysret_check+0x22/0x5d\n  [\u003cffffffff810e5e2d\u003e] ? trace_hardirqs_on_caller+0xfd/0x1c0\n  [\u003cffffffff81373d4e\u003e] ? trace_hardirqs_on_thunk+0x3a/0x3f\n  [\u003cffffffff815d52be\u003e] SyS_connect+0xe/0x10\n  [\u003cffffffff81739a59\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "7288f91dd5b55d82e1dee9f0d24e9f4730d57392",
      "tree": "ddacb42865accbcdfa64f3562b68e4df3ff5f11a",
      "parents": [
        "7eebf56b11ac00f164583a217b65fa264f62cb07"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Oct 17 07:34:02 2013 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Nov 29 10:50:34 2013 -0800"
      },
      "message": "Revert \"ima: policy for RAMFS\"\n\ncommit 08de59eb144d7c41351a467442f898d720f0f15f upstream.\n\nThis reverts commit 4c2c392763a682354fac65b6a569adec4e4b5387.\n\nEverything in the initramfs should be measured and appraised,\nbut until the initramfs has extended attribute support, at\nleast measured.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "90078116a6286c5eb860c90eef2ef9d3291a2de1",
      "tree": "eaa8a0a93737947e96cd065c9f64e4093d59adf6",
      "parents": [
        "8bc0447c9b77d06ae5692eeaddfb90f5e177a4ec"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Fri May 10 10:16:19 2013 -0400"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Mon Jul 22 10:57:48 2013 -0700"
      },
      "message": "Enable setting security contexts on rootfs inodes.\n\nrootfs (ramfs) can support setting of security contexts\nby userspace due to the vfs fallback behavior of calling\nthe security module to set the in-core inode state\nfor security.* attributes when the filesystem does not\nprovide an xattr handler.  No xattr handler required\nas the inodes are pinned in memory and have no backing\nstore.\n\nThis is useful in allowing early userspace to label individual\nfiles within a rootfs while still providing a policy-defined\ndefault via genfs.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nChange-Id: I3436cf9ae27ade445e37376d7b9125746b1e506f\n"
    },
    {
      "commit": "84ab2cd3fe27042f449880cb114878b24e70a941",
      "tree": "da71a9d5cae272f79e7a40d3650b8fc103a69f4a",
      "parents": [
        "d9795bafda02819105f8e91a0fce6c657ae55779"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Mon Nov 05 08:15:34 2012 -0500"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Mon Jul 22 10:56:51 2013 -0700"
      },
      "message": "Add security hooks to binder and implement the hooks for SELinux.\n\nAdd security hooks to the binder and implement the hooks for SELinux.\nThe security hooks enable security modules such as SELinux to implement\ncontrols over binder IPC.  The security hooks include support for\ncontrolling what process can become the binder context manager\n(binder_set_context_mgr), controlling the ability of a process\nto invoke a binder transaction/IPC to another process (binder_transaction),\ncontrolling the ability a process to transfer a binder reference to\nanother process (binder_transfer_binder), and controlling the ability\nof a process to transfer an open file to another process (binder_transfer_file).\n\nThis support is used by SE Android, http://selinuxproject.org/page/SEAndroid.\n\nChange-Id: I9a64a87825df2e60b9c51400377af4a9cd1c4049\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n"
    },
    {
      "commit": "dde448d95d8698ee4c8373bb48fe08a22f41052f",
      "tree": "7fe87fa93bfa5b81e6f87b147e32512d2e8198e3",
      "parents": [
        "ac4f6190fae02a3dc30133f90488b996f726bf7a",
        "f95b978981a7d154ba40d14c18e8ed5c694e6124"
      ],
      "author": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Thu Jun 20 11:32:42 2013 -0700"
      },
      "committer": {
        "name": "Ethan Chen",
        "email": "intervigil@gmail.com",
        "time": "Thu Jun 20 11:32:42 2013 -0700"
      },
      "message": "Merge tag \u0027v3.4.10\u0027 into cm-10.1\n\nThis is the 3.4.10 stable release\n\nConflicts:\n\tarch/arm/mm/tlb-v7.S\n\tarch/arm/vfp/entry.S\n\tdrivers/base/power/main.c\n\tdrivers/mmc/host/sdhci.c\n\tdrivers/net/tun.c\n\tdrivers/usb/core/hub.c\n\tdrivers/usb/host/xhci.h\n\tinclude/linux/sched.h\n\tkernel/power/suspend.c\n\nChange-Id: Ia2477ec93ceb64b13dd1a2d8aa646cb233387d14\n"
    },
    {
      "commit": "b647ebe6e7c171efd2003b1a8d07dcc26e6fa748",
      "tree": "d4fd13848f1ae194d3e450a5d26fd7f3d2191e50",
      "parents": [
        "8b55bf58c5f89681d37b19789bdae389fa54b0cd"
      ],
      "author": {
        "name": "Alan Cox",
        "email": "alan@linux.intel.com",
        "time": "Fri Sep 28 12:20:02 2012 +0100"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Mar 28 12:12:27 2013 -0700"
      },
      "message": "key: Fix resource leak\n\ncommit a84a921978b7d56e0e4b87ffaca6367429b4d8ff upstream.\n\nOn an error iov may still have been reallocated and need freeing\n\nSigned-off-by: Alan Cox \u003calan@linux.intel.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "8c97feb5edd118fe633ed29773c599536d562d43",
      "tree": "95bae3db178398cd3d451efed85c9ee2b69dd1f0",
      "parents": [
        "e55005034b11c0dd52ac08b7f769ec410b6bfa1f"
      ],
      "author": {
        "name": "Dan Carpenter",
        "email": "dan.carpenter@oracle.com",
        "time": "Sat Mar 16 12:48:11 2013 +0300"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Mar 20 13:05:00 2013 -0700"
      },
      "message": "selinux: use GFP_ATOMIC under spin_lock\n\ncommit 4502403dcf8f5c76abd4dbab8726c8e4ecb5cd34 upstream.\n\nThe call tree here is:\n\nsk_clone_lock()              \u003c- takes bh_lock_sock(newsk);\nxfrm_sk_clone_policy()\n__xfrm_sk_clone_policy()\nclone_policy()               \u003c- uses GFP_ATOMIC for allocations\nsecurity_xfrm_policy_clone()\nsecurity_ops-\u003exfrm_policy_clone_security()\nselinux_xfrm_policy_clone()\n\nSigned-off-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "3126603e01babcec7cfe2f284099e2adff095bff",
      "tree": "edd0b3fd6d738ef785f4338825b703f1e7fa7db7",
      "parents": [
        "96ace773358d2989ea522a1cdccf65d75c1335f3"
      ],
      "author": {
        "name": "Mathieu Desnoyers",
        "email": "mathieu.desnoyers@efficios.com",
        "time": "Mon Feb 25 10:20:36 2013 -0500"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Mar 14 11:29:51 2013 -0700"
      },
      "message": "Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys\n\ncommit 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 upstream.\n\nLooking at mm/process_vm_access.c:process_vm_rw() and comparing it to\ncompat_process_vm_rw() shows that the compatibility code requires an\nexplicit \"access_ok()\" check before calling\ncompat_rw_copy_check_uvector(). The same difference seems to appear when\nwe compare fs/read_write.c:do_readv_writev() to\nfs/compat.c:compat_do_readv_writev().\n\nThis subtle difference between the compat and non-compat requirements\nshould probably be debated, as it seems to be error-prone. In fact,\nthere are two others sites that use this function in the Linux kernel,\nand they both seem to get it wrong:\n\nNow shifting our attention to fs/aio.c, we see that aio_setup_iocb()\nalso ends up calling compat_rw_copy_check_uvector() through\naio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to\nbe missing. Same situation for\nsecurity/keys/compat.c:compat_keyctl_instantiate_key_iov().\n\nI propose that we add the access_ok() check directly into\ncompat_rw_copy_check_uvector(), so callers don\u0027t have to worry about it,\nand it therefore makes the compat call code similar to its non-compat\ncounterpart. 
Place the access_ok() check in the same location where\ncopy_from_user() can trigger a -EFAULT error in the non-compat code, so\nthe ABI behaviors are alike on both compat and non-compat.\n\nWhile we are here, fix compat_do_readv_writev() so it checks for\ncompat_rw_copy_check_uvector() negative return values.\n\nAnd also, fix a memory leak in compat_keyctl_instantiate_key_iov() error\nhandling.\n\nAcked-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nAcked-by: Al Viro \u003cviro@ZenIV.linux.org.uk\u003e\nSigned-off-by: Mathieu Desnoyers \u003cmathieu.desnoyers@efficios.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "96ace773358d2989ea522a1cdccf65d75c1335f3",
      "tree": "c9b078ec66184fb1d8f59930b3cf48f7b0cdcbe3",
      "parents": [
        "30e39b7c57422b29533a1bf43f2fd921e088a71d"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Mar 12 16:44:31 2013 +1100"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Mar 14 11:29:51 2013 -0700"
      },
      "message": "keys: fix race with concurrent install_user_keyrings()\n\ncommit 0da9dfdd2cd9889201bc6f6f43580c99165cd087 upstream.\n\nThis fixes CVE-2013-1792.\n\nThere is a race in install_user_keyrings() that can cause a NULL pointer\ndereference when called concurrently for the same user if the uid and\nuid-session keyrings are not yet created.  It might be possible for an\nunprivileged user to trigger this by calling keyctl() from userspace in\nparallel immediately after logging in.\n\nAssume that we have two threads both executing lookup_user_key(), both\nlooking for KEY_SPEC_USER_SESSION_KEYRING.\n\n\tTHREAD A\t\t\tTHREAD B\n\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\t\t\t\t\t\u003d\u003d\u003ecall install_user_keyrings();\n\tif (!cred-\u003euser-\u003esession_keyring)\n\t\u003d\u003d\u003ecall install_user_keyrings()\n\t\t\t\t\t...\n\t\t\t\t\tuser-\u003euid_keyring \u003d uid_keyring;\n\tif (user-\u003euid_keyring)\n\t\treturn 0;\n\t\u003c\u003d\u003d\n\tkey \u003d cred-\u003euser-\u003esession_keyring [\u003d\u003d NULL]\n\t\t\t\t\tuser-\u003esession_keyring \u003d session_keyring;\n\tatomic_inc(\u0026key-\u003eusage); [oops]\n\nAt the point thread A dereferences cred-\u003euser-\u003esession_keyring, thread B\nhasn\u0027t updated user-\u003esession_keyring yet, but thread A assumes it is\npopulated because install_user_keyrings() returned ok.\n\nThe race window is really small but can be exploited if, for example,\nthread B is interrupted or preempted after initializing uid_keyring, but\nbefore doing setting session_keyring.\n\nThis couldn\u0027t be reproduced on a stock kernel.  
However, after placing\nsystemtap probe on \u0027user-\u003esession_keyring \u003d session_keyring;\u0027 that\nintroduced some delay, the kernel could be crashed reliably.\n\nFix this by checking both pointers before deciding whether to return.\nAlternatively, the test could be done away with entirely as it is checked\ninside the mutex - but since the mutex is global, that may not be the best\nway.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReported-by: Mateusz Guzik \u003cmguzik@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "9c5f1b49341154b579851425dabb32cb3aa9b5db",
      "tree": "11801701b164fb0cf4d8d2782303eb254f150eb5",
      "parents": [
        "f2a010040e2c368a76f7ea0ed6533f5779cb6b4b"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Fri Jan 18 23:56:39 2013 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sun Jan 27 20:47:43 2013 -0800"
      },
      "message": "evm: checking if removexattr is not a NULL\n\ncommit a67adb997419fb53540d4a4f79c6471c60bc69b6 upstream.\n\nThe following lines of code produce a kernel oops.\n\nfd \u003d socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);\nfchmod(fd, 0666);\n\n[  139.922364] BUG: unable to handle kernel NULL pointer dereference at   (null)\n[  139.924982] IP: [\u003c  (null)\u003e]   (null)\n[  139.924982] *pde \u003d 00000000\n[  139.924982] Oops: 0000 [#5] SMP\n[  139.924982] Modules linked in: fuse dm_crypt dm_mod i2c_piix4 serio_raw evdev binfmt_misc button\n[  139.924982] Pid: 3070, comm: acpid Tainted: G      D      3.8.0-rc2-kds+ #465 Bochs Bochs\n[  139.924982] EIP: 0060:[\u003c00000000\u003e] EFLAGS: 00010246 CPU: 0\n[  139.924982] EIP is at 0x0\n[  139.924982] EAX: cf5ef000 EBX: cf5ef000 ECX: c143d600 EDX: c15225f2\n[  139.924982] ESI: cf4d2a1c EDI: cf4d2a1c EBP: cc02df10 ESP: cc02dee4\n[  139.924982]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068\n[  139.924982] CR0: 80050033 CR2: 00000000 CR3: 0c059000 CR4: 000006d0\n[  139.924982] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000\n[  139.924982] DR6: ffff0ff0 DR7: 00000400\n[  139.924982] Process acpid (pid: 3070, ti\u003dcc02c000 task\u003dd7705340 task.ti\u003dcc02c000)\n[  139.924982] Stack:\n[  139.924982]  c1203c88 00000000 cc02def4 cf4d2a1c ae21eefa 471b60d5 1083c1ba c26a5940\n[  139.924982]  e891fb5e 00000041 00000004 cc02df1c c1203964 00000000 cc02df4c c10e20c3\n[  139.924982]  00000002 00000000 00000000 22222222 c1ff2222 cf5ef000 00000000 d76efb08\n[  139.924982] Call Trace:\n[  139.924982]  [\u003cc1203c88\u003e] ? evm_update_evmxattr+0x5b/0x62\n[  139.924982]  [\u003cc1203964\u003e] evm_inode_post_setattr+0x22/0x26\n[  139.924982]  [\u003cc10e20c3\u003e] notify_change+0x25f/0x281\n[  139.924982]  [\u003cc10cbf56\u003e] chmod_common+0x59/0x76\n[  139.924982]  [\u003cc10e27a1\u003e] ? 
put_unused_fd+0x33/0x33\n[  139.924982]  [\u003cc10cca09\u003e] sys_fchmod+0x39/0x5c\n[  139.924982]  [\u003cc13f4f30\u003e] syscall_call+0x7/0xb\n[  139.924982] Code:  Bad EIP value.\n\nThis happens because sockets do not define the removexattr operation.\nBefore removing the xattr, verify the removexattr function pointer is\nnot NULL.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "55649211861616c26aa25c9e710c5691837975e4",
      "tree": "b7923d6a18037d57130c54ade50b19c0ff36f3f8",
      "parents": [
        "a23d6310a6fbe4a2a1d3a40251a6d5b8ae39ec22"
      ],
      "author": {
        "name": "Dave Jones",
        "email": "davej@redhat.com",
        "time": "Thu Nov 08 16:09:27 2012 -0800"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Nov 26 11:38:02 2012 -0800"
      },
      "message": "selinux: fix sel_netnode_insert() suspicious rcu dereference\n\ncommit 88a693b5c1287be4da937699cb82068ce9db0135 upstream.\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[ INFO: suspicious RCU usage. ]\n3.5.0-rc1+ #63 Not tainted\n-------------------------------\nsecurity/selinux/netnode.c:178 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active \u003d 1, debug_locks \u003d 0\n1 lock held by trinity-child1/8750:\n #0:  (sel_netnode_lock){+.....}, at: [\u003cffffffff812d8f8a\u003e] sel_netnode_sid+0x16a/0x3e0\n\nstack backtrace:\nPid: 8750, comm: trinity-child1 Not tainted 3.5.0-rc1+ #63\nCall Trace:\n [\u003cffffffff810cec2d\u003e] lockdep_rcu_suspicious+0xfd/0x130\n [\u003cffffffff812d91d1\u003e] sel_netnode_sid+0x3b1/0x3e0\n [\u003cffffffff812d8e20\u003e] ? sel_netnode_find+0x1a0/0x1a0\n [\u003cffffffff812d24a6\u003e] selinux_socket_bind+0xf6/0x2c0\n [\u003cffffffff810cd1dd\u003e] ? trace_hardirqs_off+0xd/0x10\n [\u003cffffffff810cdb55\u003e] ? lock_release_holdtime.part.9+0x15/0x1a0\n [\u003cffffffff81093841\u003e] ? lock_hrtimer_base+0x31/0x60\n [\u003cffffffff812c9536\u003e] security_socket_bind+0x16/0x20\n [\u003cffffffff815550ca\u003e] sys_bind+0x7a/0x100\n [\u003cffffffff816c03d5\u003e] ? sysret_check+0x22/0x5d\n [\u003cffffffff810d392d\u003e] ? trace_hardirqs_on_caller+0x10d/0x1a0\n [\u003cffffffff8133b09e\u003e] ? trace_hardirqs_on_thunk+0x3a/0x3f\n [\u003cffffffff816c03a9\u003e] system_call_fastpath+0x16/0x1b\n\nThis patch below does what Paul McKenney suggested in the previous thread.\n\nSigned-off-by: Dave Jones \u003cdavej@redhat.com\u003e\nReviewed-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nAcked-by: Paul Moore \u003cpaul@paul-moore.com\u003e\nCc: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "7d0fcfec4c491eb3c815929be5512ae8d1886553",
      "tree": "0312f1815213f82535b26c5141f5f7b00f87a8f5",
      "parents": [
        "56a631f3bf36641133afeb3db7c1ec5721c8dd04"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Mon Aug 27 11:38:13 2012 -0700"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sun Oct 07 08:32:28 2012 -0700"
      },
      "message": "Yama: handle 32-bit userspace prctl\n\ncommit 2e4930eb7c8fb20a39dfb5f8a8f80402710dcea8 upstream.\n\nWhen running a 64-bit kernel and receiving prctls from a 32-bit\nuserspace, the \"-1\" used as an unsigned long will end up being\nmisdetected. The kernel is looking for 0xffffffffffffffff instead of\n0xffffffff. Since prctl lacks a distinct compat interface, Yama needs\nto handle this translation itself. As such, support either value as\nmeaning PR_SET_PTRACER_ANY, to avoid breaking the ABI for 64-bit.\n\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nAcked-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "27cd8f51344dcf4799c7a092c1797402b833126a",
      "tree": "4af5fa7d852c6f73795dd0ea9508b86283fb009e",
      "parents": [
        "b6e9ffcdb09fbf28665e025aa31fda702689786c"
      ],
      "author": {
        "name": "Josh Boyer",
        "email": "jwboyer@redhat.com",
        "time": "Wed Jul 25 10:40:34 2012 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Aug 09 08:31:39 2012 -0700"
      },
      "message": "posix_types.h: Cleanup stale __NFDBITS and related definitions\n\ncommit 8ded2bbc1845e19c771eb55209aab166ef011243 upstream.\n\nRecently, glibc made a change to suppress sign-conversion warnings in\nFD_SET (glibc commit ceb9e56b3d1).  This uncovered an issue with the\nkernel\u0027s definition of __NFDBITS if applications #include\n\u003clinux/types.h\u003e after including \u003csys/select.h\u003e.  A build failure would\nbe seen when passing the -Werror\u003dsign-compare and -D_FORTIFY_SOURCE\u003d2\nflags to gcc.\n\nIt was suggested that the kernel should either match the glibc\ndefinition of __NFDBITS or remove that entirely.  The current in-kernel\nuses of __NFDBITS can be replaced with BITS_PER_LONG, and there are no\nuses of the related __FDELT and __FDMASK defines.  Given that, we\u0027ll\ncontinue the cleanup that was started with commit 8b3d1cda4f5f\n(\"posix_types: Remove fd_set macros\") and drop the remaining unused\nmacros.\n\nAdditionally, linux/time.h has similar macros defined that expand to\nnothing so we\u0027ll remove those at the same time.\n\nReported-by: Jeff Law \u003claw@redhat.com\u003e\nSuggested-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Josh Boyer \u003cjwboyer@redhat.com\u003e\n[ .. and fix up whitespace as per akpm ]\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "c3083d9d9e5860c365e93b1e96aa65613fa829fb",
      "tree": "00f75dd01c3f4ac248abec379ca246a38a3fb8a0",
      "parents": [
        "305d212b5e9d473230de491b2b722424af1dfc9b"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Apr 04 13:47:11 2012 -0400"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Jun 01 15:18:16 2012 +0800"
      },
      "message": "SELinux: if sel_make_bools errors don\u0027t leave inconsistent state\n\ncommit 154c50ca4eb9ae472f50b6a481213e21ead4457d upstream.\n\nWe reset the bool names and values array to NULL, but do not reset the\nnumber of entries in these arrays to 0.  If we error out and then get back\ninto this function we will walk these NULL pointers based on the belief\nthat they are non-zero length.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n"
    },
    {
      "commit": "e9a85c71afa38ee304e71c86ca7d74ed4658318c",
      "tree": "7b02114f23f72fcab725a1e5d00993b732b065f9",
      "parents": [
        "92967117531f1ffe4516a32d9d6c97ec6f1814eb"
      ],
      "author": {
        "name": "Tushar Behera",
        "email": "tushar.behera@linaro.org",
        "time": "Mon Mar 26 16:54:15 2012 +0530"
      },
      "committer": {
        "name": "Colin Cross",
        "email": "ccross@android.com",
        "time": "Mon May 07 18:04:12 2012 -0700"
      },
      "message": "security: Add proper checks for Android specific capability checks\n\nCommit b641072 (\"security: Add AID_NET_RAW and AID_NET_ADMIN capability\ncheck in cap_capable().\") introduces additional checks for AID_NET_xxx\nmacros. Since the header file including those macros is conditionally\nincluded, the checks should also be conditionally executed.\n\nChange-Id: Iaec5208d5b95a46b1ac3f2db8449c661e803fa5b\nSigned-off-by: Tushar Behera \u003ctushar.behera@linaro.org\u003e\nSigned-off-by: Andrey Konovalov \u003candrey.konovalov@linaro.org\u003e\n"
    },
    {
      "commit": "957265bd4fe182af757886f117416d66f68854aa",
      "tree": "177cee182ea61611f0b80db704203bf72ee4f3cb",
      "parents": [
        "60c98d9abbd1ff3274b904027690f3c33d656250",
        "66f75a5d028beaf67c931435fdc3e7823125730c"
      ],
      "author": {
        "name": "Colin Cross",
        "email": "ccross@android.com",
        "time": "Fri Apr 27 14:03:45 2012 -0700"
      },
      "committer": {
        "name": "Colin Cross",
        "email": "ccross@android.com",
        "time": "Fri Apr 27 14:03:45 2012 -0700"
      },
      "message": "Merge commit \u0027v3.4-rc4\u0027 into android-3.4\n"
    },
    {
      "commit": "ab2965eefef95a2eecfd54c12b0eb243162862e9",
      "tree": "c947fdc158e144c2d060486b65d10ee67d254039",
      "parents": [
        "a0ec4361e4539e30cf1c5de7ddfd2dadcd8e1595",
        "e816b57a337ea3b755de72bec38c10c864f23015"
      ],
      "author": {
        "name": "Colin Cross",
        "email": "ccross@android.com",
        "time": "Thu Apr 19 14:42:22 2012 -0700"
      },
      "committer": {
        "name": "Colin Cross",
        "email": "ccross@android.com",
        "time": "Thu Apr 19 14:42:22 2012 -0700"
      },
      "message": "Merge commit \u0027v3.4-rc3\u0027 into android-3.4\n\nConflicts:\n\tdrivers/staging/android/lowmemorykiller.c\n\nChange-Id: Ia3ffcfc702e28c4fce0e91b363f4afd5f1c40306\n"
    },
    {
      "commit": "51b79bee627d526199b2f6a6bef8ee0c0739b6d1",
      "tree": "f75bc36f3915284e335f3f69eb039ae88e91f513",
      "parents": [
        "b6a89584c36f307f2c2bbb136ea50985ca4bc7b4"
      ],
      "author": {
        "name": "Jonghwan Choi",
        "email": "jhbird.choi@samsung.com",
        "time": "Wed Apr 18 17:23:04 2012 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Thu Apr 19 12:56:39 2012 +1000"
      },
      "message": "security: fix compile error in commoncap.c\n\nAdd missing \"personality.h\"\nsecurity/commoncap.c: In function \u0027cap_bprm_set_creds\u0027:\nsecurity/commoncap.c:510: error: \u0027PER_CLEAR_ON_SETID\u0027 undeclared (first use in this function)\nsecurity/commoncap.c:510: error: (Each undeclared identifier is reported only once\nsecurity/commoncap.c:510: error: for each function it appears in.)\n\nSigned-off-by: Jonghwan Choi \u003cjhbird.choi@samsung.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "d52fc5dde171f030170a6cb78034d166b13c9445",
      "tree": "f982d0bdab54d5ab31cdd3e69cb88a1376797d1f",
      "parents": [
        "09c79b60960bdd4b00916219402eabfa5e479c5a"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 17 16:26:54 2012 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Wed Apr 18 12:37:56 2012 +1000"
      },
      "message": "fcaps: clear the same personality flags as suid when fcaps are used\n\nIf a process increases permissions using fcaps all of the dangerous\npersonality flags which are cleared for suid apps should also be cleared.\nThus programs given privilege with fcaps will continue to have address space\nrandomization enabled even if the parent tried to disable it to make it\neasier to attack.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "86812bb0de1a3758dc6c7aa01a763158a7c0638a",
      "tree": "41cb41cd7fe52730a3fe8c88ca298c2494f9040a",
      "parents": [
        "592fe8980688e7cba46897685d014c7fb3018a67"
      ],
      "author": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Tue Apr 17 18:55:46 2012 -0700"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Wed Apr 18 12:02:28 2012 +1000"
      },
      "message": "Smack: move label list initialization\n\nA kernel with Smack enabled will fail if tmpfs has xattr support.\n\nMove the initialization of predefined Smack label\nlist entries to the LSM initialization from the\nsmackfs setup. This became an issue when tmpfs\nacquired xattr support, but was never correct.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "923e9a1399b620d063cd88537c64561bc3d5f905",
      "tree": "5d7aec3e06664c7f96726b9439a42a565bcc86ab",
      "parents": [
        "94fb175c0414902ad9dbd956addf3a5feafbc85b"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Tue Apr 10 13:26:44 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 10 16:14:40 2012 -0700"
      },
      "message": "Smack: build when CONFIG_AUDIT not defined\n\nThis fixes builds where CONFIG_AUDIT is not defined and\nCONFIG_SECURITY_SMACK\u003dy.\n\nThis got introduced by the stack-usage reduction commit 48c62af68a40\n(\"LSM: shrink the common_audit_data data union\").\n\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "0432013eb1fbddf51f43d3dfb7553db011c81707",
      "tree": "b6600e6562949114ccb4ca32f5fec339738a9340",
      "parents": [
        "c54f674c656d66a27f555bdc85e122808f65d119"
      ],
      "author": {
        "name": "Chia-chi Yeh",
        "email": "chiachi@android.com",
        "time": "Fri Jun 19 07:15:05 2009 +0800"
      },
      "committer": {
        "name": "Colin Cross",
        "email": "ccross@android.com",
        "time": "Mon Apr 09 13:57:47 2012 -0700"
      },
      "message": "security: Add AID_NET_RAW and AID_NET_ADMIN capability check in cap_capable().\n\nSigned-off-by: Chia-chi Yeh \u003cchiachi@android.com\u003e\n"
    },
    {
      "commit": "b61c37f57988567c84359645f8202a7c84bc798a",
      "tree": "a808c891711d060060a751f4119198dc06e2c847",
      "parents": [
        "3f0882c48286e7bdb0bbdec9c4bfa934e0db8e09"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Apr 02 15:48:12 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 03 09:49:59 2012 -0700"
      },
      "message": "lsm_audit: don\u0027t specify the audit pre/post callbacks in \u0027struct common_audit_data\u0027\n\nIt just bloats the audit data structure for no good reason, since the\nonly time those fields are filled are just before calling the\ncommon_lsm_audit() function, which is also the only user of those\nfields.\n\nSo just make them be the arguments to common_lsm_audit(), rather than\nbloating that structure that is passed around everywhere, and is\ninitialized in hot paths.\n\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "3f0882c48286e7bdb0bbdec9c4bfa934e0db8e09",
      "tree": "20a7485417c8528d975ef4ff6e90467f63f67ab2",
      "parents": [
        "f8294f1144ad0630075918df4bf94075f5384604"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 03 09:38:00 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 03 09:49:41 2012 -0700"
      },
      "message": "SELinux: do not allocate stack space for AVC data unless needed\n\nInstead of declaring the entire selinux_audit_data on the stack when we\nstart an operation only declare it on the stack if we are going to use it.\nWe know its usefulness at the end of the security decision and can declare\nit there.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "f8294f1144ad0630075918df4bf94075f5384604",
      "tree": "9c794bc9a5cbc688d3b6819d211df16b979a56c9",
      "parents": [
        "7f6a47cf1477ffae9cff1d6ee181e2ce6bfb2f02"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Apr 02 13:15:55 2012 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 03 09:49:10 2012 -0700"
      },
      "message": "SELinux: remove avd from slow_avc_audit()\n\nWe don\u0027t use the argument, so remove it.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "7f6a47cf1477ffae9cff1d6ee181e2ce6bfb2f02",
      "tree": "55d2bfda38776aeed69b82cf0bd5b409744b4afd",
      "parents": [
        "48c62af68a403ef1655546bd3e021070c8508573"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Apr 02 13:15:50 2012 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 03 09:49:10 2012 -0700"
      },
      "message": "SELinux: remove avd from selinux_audit_data\n\nWe do not use it.  Remove it.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "48c62af68a403ef1655546bd3e021070c8508573",
      "tree": "ba938e4fb45d5bdaad2dad44071d0625f8e36945",
      "parents": [
        "3b3b0e4fc15efa507b902d90cea39e496a523c3b"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Apr 02 13:15:44 2012 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 03 09:49:10 2012 -0700"
      },
      "message": "LSM: shrink the common_audit_data data union\n\nAfter shrinking the common_audit_data stack usage for private LSM data I\u0027m\nnot going to shrink the data union.  To do this I\u0027m going to move anything\nlarger than 2 void * ptrs to its own structure and require it to be declared\nseparately on the calling stack.  Thus hot paths which don\u0027t need more than\na couple of pointers don\u0027t have to declare space to hold large unneeded\nstructures.  I could get this down to one void * by dealing with the key\nstruct and the struct path.  We\u0027ll see if that is helpful after taking care of\nnetworking.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "3b3b0e4fc15efa507b902d90cea39e496a523c3b",
      "tree": "d7b91c21ad6c6f4ac21dd51297b74eec47c61684",
      "parents": [
        "95694129b43165911dc4e8a972f0d39ad98d86be"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 03 09:37:02 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 03 09:48:40 2012 -0700"
      },
      "message": "LSM: shrink sizeof LSM specific portion of common_audit_data\n\nLinus found that the gigantic size of the common audit data caused a big\nperf hit on something as simple as running stat() in a loop.  This patch\nrequires LSMs to declare the LSM specific portion separately rather than\ndoing it in a union.  Thus each LSM can be responsible for shrinking their\nportion and don\u0027t have to pay a penalty just because other LSMs have a\nbigger space requirement.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "8bb1f229527dee95644e0f8496980bb767c6f620",
      "tree": "511551e9772f11f855bd5b759b6d449da47e8820",
      "parents": [
        "f22e08a79f3765fecf060b225a46931c94fb0a92",
        "c0d0259481cc6ec2a38cad810055e455de35c733"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Mar 31 13:42:57 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Mar 31 13:42:57 2012 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs\n\nPull second try at vfs part d#2 from Al Viro:\n \"Miklos\u0027 first series (with do_lookup() rewrite split into edible\n  chunks) + assorted bits and pieces.\n\n  The \u0027untangling of do_lookup()\u0027 series is a splitup of what used to\n  be a monolithic patch from Miklos, so this series is basically \"how do\n  I convince myself that his patch is correct (or find a hole in it)\".\n  No holes found and I like the resulting cleanup, so in it went...\"\n\nChanges from try 1: Fix a boot problem with selinux, and commit messages\nprettied up a bit.\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (24 commits)\n  vfs: fix out-of-date dentry_unhash() comment\n  vfs: split __lookup_hash\n  untangling do_lookup() - take __lookup_hash()-calling case out of line.\n  untangling do_lookup() - switch to calling __lookup_hash()\n  untangling do_lookup() - merge d_alloc_and_lookup() callers\n  untangling do_lookup() - merge failure exits in !dentry case\n  untangling do_lookup() - massage !dentry case towards __lookup_hash()\n  untangling do_lookup() - get rid of need_reval in !dentry case\n  untangling do_lookup() - eliminate a loop.\n  untangling do_lookup() - expand the area under -\u003ei_mutex\n  untangling do_lookup() - isolate !dentry stuff from the rest of it.\n  vfs: move MAY_EXEC check from __lookup_hash()\n  vfs: don\u0027t revalidate just looked up dentry\n  vfs: fix d_need_lookup/d_revalidate order in do_lookup\n  ext3: move headers to fs/ext3/\n  migrate ext2_fs.h guts to fs/ext2/ext2.h\n  new helper: ext2_image_size()\n  get rid of pointless includes of ext2_fs.h\n  ext2: No longer export ext2_fs.h to user space\n  mtdchar: kill persistently held vfsmount\n  ...\n"
    },
    {
      "commit": "2f99c36986ff27a86f06f27212c5f5fa8c7164a3",
      "tree": "a90fd7fe865bb1c5a00b0946754b505bcf070b60",
      "parents": [
        "4a165d25f63a989d0aabe9d8eed5b3a5d5da1862"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Fri Mar 23 16:04:05 2012 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sat Mar 31 16:03:15 2012 -0400"
      },
      "message": "get rid of pointless includes of ext2_fs.h\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "a1c2aa1e86a25e7cace2ded47ec52754206a5733",
      "tree": "6d435240e757e9f83b4f9c42f98c69888f3b3928",
      "parents": [
        "e152c38abaa92352679c9b53c4cce533c03997c6"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sun Mar 18 20:36:59 2012 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sat Mar 31 16:03:15 2012 -0400"
      },
      "message": "selinuxfs: merge dentry allocation into sel_make_dir()\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "cdb0f9a1ad2ee3c11e21bc99f0c2021a02844666",
      "tree": "e4c2ea0b8c432645d1a28bdb694939b1e2891b30",
      "parents": [
        "a554bea89948dfb6d2f9c4c62ce2b12b2dac18ad"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Mar 31 11:12:57 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Mar 31 11:24:22 2012 -0700"
      },
      "message": "selinux: inline avc_audit() and avc_has_perm_noaudit() into caller\n\nNow that all the slow-path code is gone from these functions, we can\ninline them into the main caller - avc_has_perm_flags().\n\nNow the compiler can see that \u0027avc\u0027 is allocated on the stack for this\ncase, which helps register pressure a bit.  It also actually shrinks the\ntotal stack frame, because the stack frame that avc_has_perm_flags()\nalways needed (for that \u0027avc\u0027 allocation) is now sufficient for the\ninlined functions too.\n\nInlining isn\u0027t bad - but mindless inlining of cold code (see the\nprevious commit) is.\n\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "a554bea89948dfb6d2f9c4c62ce2b12b2dac18ad",
      "tree": "f84e38fa7a54c1a678a14d7a65e583efac1cafa3",
      "parents": [
        "fa2a4519cb6ad94224eb56a1341fff570fd44ea1"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Mar 31 10:58:08 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Mar 31 11:24:22 2012 -0700"
      },
      "message": "selinux: don\u0027t inline slow-path code into avc_has_perm_noaudit()\n\nThe selinux AVC paths remain some of the hottest (and deepest) codepaths\nat filename lookup time, and we make it worse by having the slow path\ncases take up I$ and stack space even when they don\u0027t trigger.  Gcc\ntends to always want to inline functions that are just called once -\nnever mind that this might make for slower and worse code in the caller.\n\nSo this tries to improve on it a bit by making the slow-path cases\nexplicitly separate functions that are marked noinline, causing gcc to\nat least no longer allocate stack space for them unless they are\nactually called.  It also seems to help register allocation a tiny bit,\nsince gcc now doesn\u0027t take the slow case code into account.\n\nUninlining the slow path may also allow us to inline the remaining hot\npath into the one caller that actually matters: avc_has_perm_flags().\nI\u0027ll have to look at that separately, but both avc_audit() and\navc_has_perm_noaudit() are now small and lean enough that inlining them\nmay make sense.\n\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "a591afc01d9e48affbacb365558a31e53c85af45",
      "tree": "9bb91f4eb94ec69fc4706c4944788ec5f3586063",
      "parents": [
        "820d41cf0cd0e94a5661e093821e2e5c6b36a9d8",
        "31796ac4e8f0e88f5c10f1ad6dab8f19bebe44a4"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Mar 29 18:12:23 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Mar 29 18:12:23 2012 -0700"
      },
      "message": "Merge branch \u0027x86-x32-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip\n\nPull x32 support for x86-64 from Ingo Molnar:\n \"This tree introduces the X32 binary format and execution mode for x86:\n  32-bit data space binaries using 64-bit instructions and 64-bit kernel\n  syscalls.\n\n  This allows applications whose working set fits into a 32 bits address\n  space to make use of 64-bit instructions while using a 32-bit address\n  space with shorter pointers, more compressed data structures, etc.\"\n\nFix up trivial context conflicts in arch/x86/{Kconfig,vdso/vma.c}\n\n* \u0027x86-x32-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (71 commits)\n  x32: Fix alignment fail in struct compat_siginfo\n  x32: Fix stupid ia32/x32 inversion in the siginfo format\n  x32: Add ptrace for x32\n  x32: Switch to a 64-bit clock_t\n  x32: Provide separate is_ia32_task() and is_x32_task() predicates\n  x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls\n  x86/x32: Fix the binutils auto-detect\n  x32: Warn and disable rather than error if binutils too old\n  x32: Only clear TIF_X32 flag once\n  x32: Make sure TS_COMPAT is cleared for x32 tasks\n  fs: Remove missed -\u003efds_bits from cessation use of fd_set structs internally\n  fs: Fix close_on_exec pointer in alloc_fdtable\n  x32: Drop non-__vdso weak symbols from the x32 VDSO\n  x32: Fix coding style violations in the x32 VDSO code\n  x32: Add x32 VDSO support\n  x32: Allow x32 to be configured\n  x32: If configured, add x32 system calls to system call tables\n  x32: Handle process creation\n  x32: Signal-related system calls\n  x86: Add #ifdef CONFIG_COMPAT to \u003casm/sys_ia32.h\u003e\n  ...\n"
    },
    {
      "commit": "0195c00244dc2e9f522475868fa278c473ba7339",
      "tree": "f97ca98ae64ede2c33ad3de05ed7bbfa4f4495ed",
      "parents": [
        "f21ce8f8447c8be8847dadcfdbcc76b0d7365fa5",
        "141124c02059eee9dbc5c86ea797b1ca888e77f7"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Mar 28 15:58:21 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Mar 28 15:58:21 2012 -0700"
      },
      "message": "Merge tag \u0027split-asm_system_h-for-linus-20120328\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-asm_system\n\nPull \"Disintegrate and delete asm/system.h\" from David Howells:\n \"Here are a bunch of patches to disintegrate asm/system.h into a set of\n  separate bits to relieve the problem of circular inclusion\n  dependencies.\n\n  I\u0027ve built all the working defconfigs from all the arches that I can\n  and made sure that they don\u0027t break.\n\n  The reason for these patches is that I recently encountered a circular\n  dependency problem that came about when I produced some patches to\n  optimise get_order() by rewriting it to use ilog2().\n\n  This uses bitops - and on the SH arch asm/bitops.h drags in\n  asm-generic/get_order.h by a circuitous route involving asm/system.h.\n\n  The main difficulty seems to be asm/system.h.  It holds a number of\n  low level bits with no/few dependencies that are commonly used (eg.\n  memory barriers) and a number of bits with more dependencies that\n  aren\u0027t used in many places (eg.  switch_to()).\n\n  These patches break asm/system.h up into the following core pieces:\n\n    (1) asm/barrier.h\n\n        Move memory barriers here.  This already done for MIPS and Alpha.\n\n    (2) asm/switch_to.h\n\n        Move switch_to() and related stuff here.\n\n    (3) asm/exec.h\n\n        Move arch_align_stack() here.  Other process execution related bits\n        could perhaps go here from asm/processor.h.\n\n    (4) asm/cmpxchg.h\n\n        Move xchg() and cmpxchg() here as they\u0027re full word atomic ops and\n        frequently used by atomic_xchg() and atomic_cmpxchg().\n\n    (5) asm/bug.h\n\n        Move die() and related bits.\n\n    (6) asm/auxvec.h\n\n        Move AT_VECTOR_SIZE_ARCH here.\n\n  Other arch headers are created as needed on a per-arch basis.\"\n\nFixed up some conflicts from other header file cleanups and moving code\naround that has happened in the meantime, so David\u0027s testing is somewhat\nweakened by that.  We\u0027ll find out anything that got broken and fix it..\n\n* tag \u0027split-asm_system_h-for-linus-20120328\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-asm_system: (38 commits)\n  Delete all instances of asm/system.h\n  Remove all #inclusions of asm/system.h\n  Add #includes needed to permit the removal of asm/system.h\n  Move all declarations of free_initmem() to linux/mm.h\n  Disintegrate asm/system.h for OpenRISC\n  Split arch_align_stack() out from asm-generic/system.h\n  Split the switch_to() wrapper out of asm-generic/system.h\n  Move the asm-generic/system.h xchg() implementation to asm-generic/cmpxchg.h\n  Create asm-generic/barrier.h\n  Make asm-generic/cmpxchg.h #include asm-generic/cmpxchg-local.h\n  Disintegrate asm/system.h for Xtensa\n  Disintegrate asm/system.h for Unicore32 [based on ver #3, changed by gxt]\n  Disintegrate asm/system.h for Tile\n  Disintegrate asm/system.h for Sparc\n  Disintegrate asm/system.h for SH\n  Disintegrate asm/system.h for Score\n  Disintegrate asm/system.h for S390\n  Disintegrate asm/system.h for PowerPC\n  Disintegrate asm/system.h for PA-RISC\n  Disintegrate asm/system.h for MN10300\n  ...\n"
    },
    {
      "commit": "9ffc93f203c18a70623f21950f1dd473c9ec48cd",
      "tree": "1eb3536ae183b0bfbf7f5152a6fe4f430ae881c2",
      "parents": [
        "96f951edb1f1bdbbc99b0cd458f9808bb83d58ae"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Mar 28 18:30:03 2012 +0100"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Mar 28 18:30:03 2012 +0100"
      },
      "message": "Remove all #inclusions of asm/system.h\n\nRemove all #inclusions of asm/system.h preparatory to splitting and killing\nit.  Performed with the following command:\n\nperl -p -i -e \u0027s!^#\\s*include\\s*\u003casm/system[.]h\u003e.*\\n!!\u0027 `grep -Irl \u0027^#\\s*include\\s*\u003casm/system[.]h\u003e\u0027 *`\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n"
    },
    {
      "commit": "0421ea91ddc7895a5a68d3bc670ed4b8e6448a42",
      "tree": "409b065611770dc4b69df1bb80100e001d52c36c",
      "parents": [
        "e22057c8599373e5caef0bc42bdb95d2a361ab0d"
      ],
      "author": {
        "name": "John Johansen",
        "email": "john.johansen@canonical.com",
        "time": "Tue Mar 27 04:14:33 2012 -0700"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Wed Mar 28 01:00:05 2012 +1100"
      },
      "message": "apparmor: Fix change_onexec when called from a confined task\n\nFix failure in aa_change_onexec api when the request is made from a confined\ntask.  This failure was caused by two problems\n\n The AA_MAY_ONEXEC perm was not being mapped correctly for this case.\n\n The executable name was being checked a second time instead of using the\n requested onexec profile name, which may not be the same as the exec\n profile name. This mistake can not be exploited to grant extra permission\n because of the above flaw where the ONEXEC permission was not being mapped\n so it will not be granted.\n\nBugLink: http://bugs.launchpad.net/bugs/963756\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "778aae84ef694325662447eceba1a5f7d3eebdbb",
      "tree": "7bf3f7e682e220ce30afe3572332fb424a3761f2",
      "parents": [
        "15e9b9b9ed268fa91e52c44d621f3d0296162d15"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Mar 26 16:38:47 2012 +0100"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Mar 26 16:38:47 2012 +0100"
      },
      "message": "SELinux: selinux/xfrm.h needs net/flow.h\n\nselinux/xfrm.h needs to #include net/flow.h or else suffer:\n\nIn file included from security/selinux/ss/services.c:69:0:\nsecurity/selinux/include/xfrm.h: In function \u0027selinux_xfrm_notify_policyload\u0027:\nsecurity/selinux/include/xfrm.h:53:14: error: \u0027flow_cache_genid\u0027 undeclared (first use in this function)\nsecurity/selinux/include/xfrm.h:53:14: note: each undeclared identifier is reported only once for each function it appears in\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n"
    },
    {
      "commit": "9d944ef32e83405a07376f112e9f02161d3e9731",
      "tree": "24170ff64fb83221da133e2afb53f58e840a6eee",
      "parents": [
        "d0bd587a80960d7ba7e0c8396e154028c9045c54"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Fri Mar 23 15:02:48 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Mar 23 16:58:41 2012 -0700"
      },
      "message": "usermodehelper: kill umh_wait, renumber UMH_* constants\n\nNo functional changes.  It is not sane to use UMH_KILLABLE with enum\numh_wait, but obviously we do not want another argument in\ncall_usermodehelper_* helpers.  Kill this enum, use the plain int.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nCc: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nCc: Rusty Russell \u003crusty@rustcorp.com.au\u003e\nCc: Tejun Heo \u003ctj@kernel.org\u003e\nCc: David Rientjes \u003crientjes@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "70834d3070c3f3015ab5c05176d54bd4a0100546",
      "tree": "4dbcea84c4584de05f83aa911164902b3f00265f",
      "parents": [
        "a02d6fd643cbd4c559113b35b31d3b04e4ec60c7"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Fri Mar 23 15:02:46 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Mar 23 16:58:41 2012 -0700"
      },
      "message": "usermodehelper: use UMH_WAIT_PROC consistently\n\nA few call_usermodehelper() callers use the hardcoded constant instead of\nthe proper UMH_WAIT_PROC, fix them.\n\nReported-by: Tetsuo Handa \u003cpenguin-kernel@i-love.sakura.ne.jp\u003e\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nCc: Lars Ellenberg \u003cdrbd-dev@lists.linbit.com\u003e\nCc: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nCc: Michal Januszewski \u003cspock@gentoo.org\u003e\nCc: Florian Tobias Schandinat \u003cFlorianSchandinat@gmx.de\u003e\nCc: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nCc: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "f63d395d47f37a4fe771e6d4b1db9d2cdae5ffc5",
      "tree": "3448a14ae965802adb963762cadeb9989ce4caa2",
      "parents": [
        "643ac9fc5429e85b8b7f534544b80bcc4f34c367",
        "5a7c9eec9fde1da0e3adf0a4ddb64ff2a324a492"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Mar 23 08:53:47 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Mar 23 08:53:47 2012 -0700"
      },
      "message": "Merge tag \u0027nfs-for-3.4-1\u0027 of git://git.linux-nfs.org/projects/trondmy/linux-nfs\n\nPull NFS client updates for Linux 3.4 from Trond Myklebust:\n \"New features include:\n   - Add NFS client support for containers.\n\n     This should enable most of the necessary functionality, including\n     lockd support, and support for rpc.statd, NFSv4 idmapper and\n     RPCSEC_GSS upcalls into the correct network namespace from which\n     the mount system call was issued.\n\n   - NFSv4 idmapper scalability improvements\n\n     Base the idmapper cache on the keyring interface to allow\n     concurrent access to idmapper entries.  Start the process of\n     migrating users from the single-threaded daemon-based approach to\n     the multi-threaded request-key based approach.\n\n   - NFSv4.1 implementation id.\n\n     Allows the NFSv4.1 client and server to mutually identify each\n     other for logging and debugging purposes.\n\n   - Support the \u0027vers\u003d4.1\u0027 mount option for mounting NFSv4.1 instead of\n     having to use the more counterintuitive \u0027vers\u003d4,minorversion\u003d1\u0027.\n\n   - SUNRPC tracepoints.\n\n     Start the process of adding tracepoints in order to improve\n     debugging of the RPC layer.\n\n   - pNFS object layout support for autologin.\n\n  Important bugfixes include:\n\n   - Fix a bug in rpc_wake_up/rpc_wake_up_status that caused them to\n     fail to wake up all tasks when applied to priority waitqueues.\n\n   - Ensure that we handle read delegations correctly, when we try to\n     truncate a file.\n\n   - A number of fixes for NFSv4 state manager loops (mostly to do with\n     delegation recovery).\"\n\n* tag \u0027nfs-for-3.4-1\u0027 of git://git.linux-nfs.org/projects/trondmy/linux-nfs: (224 commits)\n  NFS: fix sb-\u003es_id in nfs debug prints\n  xprtrdma: Remove assumption that each segment is \u003c\u003d PAGE_SIZE\n  xprtrdma: The transport should not bug-check when a dup reply is received\n  
pnfs-obj: autologin: Add support for protocol autologin\n  NFS: Remove nfs4_setup_sequence from generic rename code\n  NFS: Remove nfs4_setup_sequence from generic unlink code\n  NFS: Remove nfs4_setup_sequence from generic read code\n  NFS: Remove nfs4_setup_sequence from generic write code\n  NFS: Fix more NFS debug related build warnings\n  SUNRPC/LOCKD: Fix build warnings when CONFIG_SUNRPC_DEBUG is undefined\n  nfs: non void functions must return a value\n  SUNRPC: Kill compiler warning when RPC_DEBUG is unset\n  SUNRPC/NFS: Add Kbuild dependencies for NFS_DEBUG/RPC_DEBUG\n  NFS: Use cond_resched_lock() to reduce latencies in the commit scans\n  NFSv4: It is not safe to dereference lsp-\u003els_state in release_lockowner\n  NFS: ncommit count is being double decremented\n  SUNRPC: We must not use list_for_each_entry_safe() in rpc_wake_up()\n  Try using machine credentials for RENEW calls\n  NFSv4.1: Fix a few issues in filelayout_commit_pagelist\n  NFSv4.1: Clean ups and bugfixes for the pNFS read/writeback/commit code\n  ...\n"
    },
    {
      "commit": "48aab2f79dfc1357c48ce22ff5c989b52a590069",
      "tree": "7f690fe147bccc24b7a017845dbe9a99d7978b5f",
      "parents": [
        "f7493e5d9cc10ac97cf1f1579fdc14117460b40b"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Mar 22 17:01:41 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Mar 22 17:01:41 2012 -0700"
      },
      "message": "security: optimize avc_audit() common path\n\navc_audit() did a lot of jumping around and had a big stack frame, all\nfor the uncommon case.\n\nSplit up the uncommon case (which we really can\u0027t make go fast anyway)\ninto its own slow function, and mark the conditional branches\nappropriately for the common likely case.\n\nThis causes avc_audit() to no longer show up as one of the hottest\nfunctions on the branch profiles (the new \"perf -b\" thing), and makes\nthe cycle profiles look really nice and dense too.\n\nThe whole audit path is still annoyingly very much one of the biggest\ncosts of name lookup, so these things are worth optimizing for.  I wish\nwe could just tell people to turn it off, but realistically we do need\nit: we just need to make sure that the overhead of the necessary evil is\nas low as possible.\n\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "e2a0883e4071237d09b604a342c28b96b44a04b3",
      "tree": "aa56f4d376b5eb1c32358c19c2669c2a94e0e1fd",
      "parents": [
        "3a990a52f9f25f45469e272017a31e7a3fda60ed",
        "07c0c5d8b8c122b2f2df9ee574ac3083daefc981"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Mar 21 13:36:41 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Mar 21 13:36:41 2012 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs\n\nPull vfs pile 1 from Al Viro:\n \"This is _not_ all; in particular, Miklos\u0027 and Jan\u0027s stuff is not there\n  yet.\"\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (64 commits)\n  ext4: initialization of ext4_li_mtx needs to be done earlier\n  debugfs-related mode_t whack-a-mole\n  hfsplus: add an ioctl to bless files\n  hfsplus: change finder_info to u32\n  hfsplus: initialise userflags\n  qnx4: new helper - try_extent()\n  qnx4: get rid of qnx4_bread/qnx4_getblk\n  take removal of PF_FORKNOEXEC to flush_old_exec()\n  trim includes in inode.c\n  um: uml_dup_mmap() relies on -\u003emmap_sem being held, but activate_mm() doesn\u0027t hold it\n  um: embed -\u003estub_pages[] into mmu_context\n  gadgetfs: list_for_each_safe() misuse\n  ocfs2: fix leaks on failure exits in module_init\n  ecryptfs: make register_filesystem() the last potential failure exit\n  ntfs: forgets to unregister sysctls on register_filesystem() failure\n  logfs: missing cleanup on register_filesystem() failure\n  jfs: mising cleanup on register_filesystem() failure\n  make configfs_pin_fs() return root dentry on success\n  configfs: configfs_create_dir() has parent dentry in dentry-\u003ed_parent\n  configfs: sanitize configfs_create()\n  ...\n"
    },
    {
      "commit": "3556485f1595e3964ba539e39ea682acbb835cee",
      "tree": "7f5ee254f425b1427ac0059b5f347a307f8538a1",
      "parents": [
        "b8716614a7cc2fc15ea2a518edd04755fb08d922",
        "09f61cdbb32a9d812c618d3922db533542736bb0"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Mar 21 13:25:04 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Mar 21 13:25:04 2012 -0700"
      },
      "message": "Merge branch \u0027next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security\n\nPull security subsystem updates for 3.4 from James Morris:\n \"The main addition here is the new Yama security module from Kees Cook,\n  which was discussed at the Linux Security Summit last year.  Its\n  purpose is to collect miscellaneous DAC security enhancements in one\n  place.  This also marks a departure in policy for LSM modules, which\n  were previously limited to being standalone access control systems.\n  Chromium OS is using Yama, and I believe there are plans for Ubuntu,\n  at least.\n\n  This patchset also includes maintenance updates for AppArmor, TOMOYO\n  and others.\"\n\nFix trivial conflict in \u003cnet/sock.h\u003e due to the jumo_label-\u003estatic_key\nrename.\n\n* \u0027next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (38 commits)\n  AppArmor: Fix location of const qualifier on generated string tables\n  TOMOYO: Return error if fails to delete a domain\n  AppArmor: add const qualifiers to string arrays\n  AppArmor: Add ability to load extended policy\n  TOMOYO: Return appropriate value to poll().\n  AppArmor: Move path failure information into aa_get_name and rename\n  AppArmor: Update dfa matching routines.\n  AppArmor: Minor cleanup of d_namespace_path to consolidate error handling\n  AppArmor: Retrieve the dentry_path for error reporting when path lookup fails\n  AppArmor: Add const qualifiers to generated string tables\n  AppArmor: Fix oops in policy unpack auditing\n  AppArmor: Fix error returned when a path lookup is disconnected\n  KEYS: testing wrong bit for KEY_FLAG_REVOKED\n  TOMOYO: Fix mount flags checking order.\n  security: fix ima kconfig warning\n  AppArmor: Fix the error case for chroot relative path name lookup\n  AppArmor: fix mapping of META_READ to audit and quiet flags\n  AppArmor: Fix underflow in xindex calculation\n  AppArmor: Fix dropping of allowed operations 
that are force audited\n  AppArmor: Add mising end of structure test to caps unpacking\n  ...\n"
    },
    {
      "commit": "9f3938346a5c1fa504647670edb5fea5756cfb00",
      "tree": "7cf6d24d6b076c8db8571494984924cac03703a2",
      "parents": [
        "69a7aebcf019ab3ff5764525ad6858fbe23bb86d",
        "317b6e128247f75976b0fc2b9fd8d2c20ef13b3a"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Mar 21 09:40:26 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Mar 21 09:40:26 2012 -0700"
      },
      "message": "Merge branch \u0027kmap_atomic\u0027 of git://github.com/congwang/linux\n\nPull kmap_atomic cleanup from Cong Wang.\n\nIt\u0027s been in -next for a long time, and it gets rid of the (no longer\nused) second argument to k[un]map_atomic().\n\nFix up a few trivial conflicts in various drivers, and do an \"evil\nmerge\" to catch some new uses that have come in since Cong\u0027s tree.\n\n* \u0027kmap_atomic\u0027 of git://github.com/congwang/linux: (59 commits)\n  feature-removal-schedule.txt: schedule the deprecated form of kmap_atomic() for removal\n  highmem: kill all __kmap_atomic() [swarren@nvidia.com: highmem: Fix ARM build break due to __kmap_atomic rename]\n  drbd: remove the second argument of k[un]map_atomic()\n  zcache: remove the second argument of k[un]map_atomic()\n  gma500: remove the second argument of k[un]map_atomic()\n  dm: remove the second argument of k[un]map_atomic()\n  tomoyo: remove the second argument of k[un]map_atomic()\n  sunrpc: remove the second argument of k[un]map_atomic()\n  rds: remove the second argument of k[un]map_atomic()\n  net: remove the second argument of k[un]map_atomic()\n  mm: remove the second argument of k[un]map_atomic()\n  lib: remove the second argument of k[un]map_atomic()\n  power: remove the second argument of k[un]map_atomic()\n  kdb: remove the second argument of k[un]map_atomic()\n  udf: remove the second argument of k[un]map_atomic()\n  ubifs: remove the second argument of k[un]map_atomic()\n  squashfs: remove the second argument of k[un]map_atomic()\n  reiserfs: remove the second argument of k[un]map_atomic()\n  ocfs2: remove the second argument of k[un]map_atomic()\n  ntfs: remove the second argument of k[un]map_atomic()\n  ...\n"
    },
    {
      "commit": "40ffe67d2e89c7a475421d007becc11a2f88ea3d",
      "tree": "5373e71b18895b9ffd8370a88aec6c54438240a0",
      "parents": [
        "38eff2892628fa5c4fc8962a17b7296f42833ebe"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Wed Mar 14 21:54:32 2012 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Mar 20 21:29:41 2012 -0400"
      },
      "message": "switch unix_sock to struct path\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "0d9cabdccedb79ee5f27b77ff51f29a9e7d23275",
      "tree": "8bfb64c3672d058eb90aec3c3a9c4f61cef9097c",
      "parents": [
        "701085b219016d38f105b031381b9cee6200253a",
        "3ce3230a0cff484e5130153f244d4fb8a56b3a8b"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Mar 20 18:11:21 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Mar 20 18:11:21 2012 -0700"
      },
      "message": "Merge branch \u0027for-3.4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup\n\nPull cgroup changes from Tejun Heo:\n \"Out of the 8 commits, one fixes a long-standing locking issue around\n  tasklist walking and others are cleanups.\"\n\n* \u0027for-3.4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:\n  cgroup: Walk task list under tasklist_lock in cgroup_enable_task_cg_list\n  cgroup: Remove wrong comment on cgroup_enable_task_cg_list()\n  cgroup: remove cgroup_subsys argument from callbacks\n  cgroup: remove extra calls to find_existing_css_set\n  cgroup: replace tasklist_lock with rcu_read_lock\n  cgroup: simplify double-check locking in cgroup_attach_proc\n  cgroup: move struct cgroup_pidlist out from the header file\n  cgroup: remove cgroup_attach_task_current_cg()\n"
    },
    {
      "commit": "c58e0377d61e209600def7d4d9ae535ea94bc210",
      "tree": "142d1ca23d06458c8b798174e01281ad67b2ab76",
      "parents": [
        "b85417860172ff693dc115d7999805fc240cec1c"
      ],
      "author": {
        "name": "Cong Wang",
        "email": "amwang@redhat.com",
        "time": "Fri Nov 25 23:26:35 2011 +0800"
      },
      "committer": {
        "name": "Cong Wang",
        "email": "xiyou.wangcong@gmail.com",
        "time": "Tue Mar 20 21:48:28 2012 +0800"
      },
      "message": "tomoyo: remove the second argument of k[un]map_atomic()\n\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Cong Wang \u003camwang@redhat.com\u003e\n"
    },
    {
      "commit": "09f61cdbb32a9d812c618d3922db533542736bb0",
      "tree": "90d8e9163e269d0ed9e01f0dac500316014b88c5",
      "parents": [
        "7d7473dbdb9121dd1b5939566660d51130ecda3a",
        "7e570145cb022beeb58e3f691e0418477b670223"
      ],
      "author": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Tue Mar 20 12:52:17 2012 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Tue Mar 20 12:52:17 2012 +1100"
      },
      "message": "Merge branch \u0027for-security\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor into next\n"
    },
    {
      "commit": "7e570145cb022beeb58e3f691e0418477b670223",
      "tree": "a33eae9dc5f854fd9a5f6cf1880370903a80365c",
      "parents": [
        "b01d3fb921df9baef1ecd13704f4b1e269b58b6b"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Wed Mar 14 23:41:17 2012 -0700"
      },
      "committer": {
        "name": "John Johansen",
        "email": "john.johansen@canonical.com",
        "time": "Mon Mar 19 18:22:46 2012 -0700"
      },
      "message": "AppArmor: Fix location of const qualifier on generated string tables\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@i-love.sakura.ne.jp\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\n"
    },
    {
      "commit": "7d7473dbdb9121dd1b5939566660d51130ecda3a",
      "tree": "057bf591dd896c01a2b35b31dc41996d3d9e51b8",
      "parents": [
        "b01d3fb921df9baef1ecd13704f4b1e269b58b6b"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Sat Mar 17 20:33:38 2012 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Tue Mar 20 12:06:50 2012 +1100"
      },
      "message": "TOMOYO: Return error if fails to delete a domain\n\nCall sequence:\ntomoyo_write_domain() --\u003e tomoyo_delete_domain()\n\nIn \u0027tomoyo_delete_domain\u0027, return -EINTR if locking attempt is\ninterrupted by signal.\n\nAt present it returns success to its caller \u0027tomoyo_write_domain()\u0027\neven though domain is not deleted. \u0027tomoyo_write_domain()\u0027 assumes\ndomain is deleted and returns success to its caller. This is wrong behaviour.\n\n\u0027tomoyo_write_domain\u0027 should return error from tomoyo_delete_domain() to its\ncaller.\n\nSigned-off-by: Santosh Nayak \u003csantoshprasadnayak@gmail.com\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "b01d3fb921df9baef1ecd13704f4b1e269b58b6b",
      "tree": "1ca714b40774cd56c0194abee5c6577b2ba6aad2",
      "parents": [
        "6041e8346f2165679c2184cab60db768d6a26a1d",
        "2d4cee7e3a2b9f9c3237672cc136e20dbad0e2ce"
      ],
      "author": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Thu Mar 15 14:43:02 2012 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Thu Mar 15 14:43:02 2012 +1100"
      },
      "message": "Merge branch \u0027for-security\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor into next\n"
    }
  ],
  "next": "2d4cee7e3a2b9f9c3237672cc136e20dbad0e2ce"
}
