)]}' { "log": [ { "commit": "5a55261716e838f188598ab3d7a0abf9cf1338f8", "tree": "2acf7f919cb2edd77a4f9ed0a434b6dbec19708e", "parents": [ "7180c4c9e09888db0a188f729c96c6d7bd61fa83" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 09 14:08:35 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 10 08:51:01 2008 +1000" }, "message": "SELinux: don\u0027t BUG if fs reuses a superblock\n\nI (wrongly) assumed that nfs_xdev_get_sb() would not ever share a superblock\nand so cloning mount options would always be correct. Turns out that isn\u0027t\nthe case and we could fall over a BUG_ON() that wasn\u0027t a BUG at all. Since\nthere is little we can do to reconcile different mount options this patch\njust leaves the sb alone and the first set of options wins.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Trond Myklebust \u003ctrond.myklebust@fys.uio.no\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "869ab5147e1eead890245cfd4f652ba282b6ac26", "tree": "8334fe84734e14e247fb7b4ef78f9a43891249f0", "parents": [ "ff09e2afe742f3ff52a0c9a660e8a3fe30cf587c" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Apr 04 08:46:05 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Apr 08 08:30:14 2008 +1000" }, "message": "SELinux: more GFP_NOFS fixups to prevent selinux from re-entering the fs code\n\nMore cases where SELinux must not re-enter the fs code. Called from the\nd_instantiate security hook.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a02fe13297af26c13d004b1d44f391c077094ea0", "tree": "d75879f0da229eec87e3b4a95a4c28db2ea4d713", "parents": [ "9597362d354f8655ece324b01d0c640a0e99c077" ], "author": { "name": "Josef Bacik", "email": "jbacik@redhat.com", "time": "Fri Apr 04 09:35:05 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 04 09:35:05 2008 +1100" }, "message": "selinux: prevent rentry into the FS\n\nBUG fix. Keep us from re-entering the fs when we aren\u0027t supposed to.\n\nSee discussion at\nhttp://marc.info/?t\u003d120716967100004\u0026r\u003d1\u0026w\u003d2\n\nSigned-off-by: Josef Bacik \u003cjbacik@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0794c66d49885a2f615618ce4940434b5b067d84", "tree": "b01be53c424c7d4793f5673539c11d09fbbe2b5a", "parents": [ "0e81a8ae37687845f7cdfa2adce14ea6a5f1dd34" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Mon Mar 17 08:55:18 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Apr 02 16:05:52 2008 +1100" }, "message": "selinux: handle files opened with flags 3 by checking ioctl permission\n\nHandle files opened with flags 3 by checking ioctl permission.\n\nDefault to returning FILE__IOCTL from file_to_av() if the f_mode has neither\nFMODE_READ nor FMODE_WRITE, and thus check ioctl permission on exec or\ntransfer, thereby validating such descriptors early as with normal r/w\ndescriptors and catching leaks of them prior to attempted usage.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cb622bbb69e41f2746aadf5d7d527e77597abe2e", "tree": "537a1ce6f76bd915bf9acd197d6bf4d042063998", "parents": [ "58336114af4d2cce830201aae49e50b93ede6c5c" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Mon Mar 24 12:29:49 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Mar 24 19:22:19 2008 -0700" }, "message": "smackfs: remove redundant lock, fix open(,O_RDWR)\n\nOlder smackfs was parsing MAC rules by characters, thus a need of locking\nwrite sessions on open() was needed. This lock is no longer useful now since\neach rule is handled by a single write() call.\n\nThis is also a bugfix since seq_open() was not called if an open() O_RDWR flag\nwas given, leading to a seq_read() without an initialized seq_file, thus an\nOops.\n\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nReported-by: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "aedb60a67c10a0861af179725d060765262ba0fb", "tree": "4a4a316f9f7d1ab0bf4da2cdd5c802bfb05c947f", "parents": [ "457fb605834504af294916411be128a9b21fc3f6" ], "author": { "name": "Serge Hallyn", "email": "serge@hallyn.com", "time": "Fri Feb 29 15:14:57 2008 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 20 09:46:36 2008 -0700" }, "message": "file capabilities: remove cap_task_kill()\n\nThe original justification for cap_task_kill() was as follows:\n\n\tcheck_kill_permission() does appropriate uid equivalence checks.\n\tHowever with file capabilities it becomes possible for an\n\tunprivileged user to execute a file with file capabilities\n\tresulting in a more privileged task with the same uid.\n\nHowever now that cap_task_kill() always returns 0 (permission\ngranted) when p-\u003euid\u003d\u003dcurrent-\u003euid, the whole hook is worthless,\nand only likely to create more subtle problems in the corner cases\nwhere it might still be called but return -EPERM. Those cases\nare basically when uids are different but euid/suid is equivalent\nas per the check in check_kill_permission().\n\nOne example of a still-broken application is \u0027at\u0027 for non-root users.\n\nThis patch removes cap_task_kill().\n\nSigned-off-by: Serge Hallyn \u003cserge@hallyn.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nEarlier-version-tested-by: Luiz Fernando N. Capitulino \u003clcapitulino@mandriva.com.br\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "1d252fb870aa9cd227c4beb1a226ecd434f57f28", "tree": "4a7b956c01487454b139e1df271518f36ca32285", "parents": [ "4ebf89845bea44a164d1fbb8fa319379ec7132de" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Wed Mar 19 17:00:51 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 19 18:53:36 2008 -0700" }, "message": "smack: do not dereference NULL ipc object\n\nIn the SYSV ipc msgctl(),semctl(),shmctl() family, if the user passed *_INFO\nas the desired operation, no specific object is meant to be controlled and\nonly system-wide information is returned. This leads to a NULL IPC object in\nthe LSM hooks if the _INFO flag is given.\n\nAvoid dereferencing this NULL pointer in Smack ipc *ctl() methods.\n\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2e1479d95d02b43660fe03ab2c595ec9751a6f97", "tree": "6e4ff5a6eeda225390a19287cd95617b6345df63", "parents": [ "bde4f8fa8db2abd5ac9c542d76012d0fedab050f" ], "author": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Mon Mar 17 22:29:23 2008 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 18 09:17:22 2008 +1100" }, "message": "make selinux_parse_opts_str() static\n\nThis patch makes the needlessly global selinux_parse_opts_str() static.\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b500ce8d24d1f14426643da5f6fada28c1f60533", "tree": "17b6084b29434a968f787e238548a843126e2ec3", "parents": [ "93d74463d018ddf05c169ad399e62e90e0f82fc0" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Thu Mar 13 12:32:34 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 13 13:11:43 2008 -0700" }, "message": "smackfs: do not trust `count\u0027 in inodes write()s\n\nSmackfs write() implementation does not put a higher bound on the number of\nbytes to copy from user-space. This may lead to a DOS attack if a malicious\n`count\u0027 field is given.\n\nAssure that given `count\u0027 is exactly the length needed for a /smack/load rule.\n In case of /smack/cipso where the length is relative, assure that `count\u0027\ndoes not exceed the size needed for a buffer representing maximum possible\nnumber of CIPSO 2.2 categories.\n\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "e0007529893c1c064be90bd21422ca0da4a0198e", "tree": "c2334ba940e682183a18d18972cf95bd3a3da46a", "parents": [ "29e8c3c304b62f31b799565c9ee85d42bd163f80" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Mar 05 10:31:54 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 06 08:40:53 2008 +1100" }, "message": "LSM/SELinux: Interfaces to allow FS to control mount options\n\nIntroduce new LSM interfaces to allow an FS to deal with their own mount\noptions. This includes a new string parsing function exported from the\nLSM that an FS can use to get a security data blob and a new security\ndata blob. This is particularly useful for an FS which uses binary\nmount data, like NFS, which does not pass strings into the vfs to be\nhandled by the loaded LSM. Also fix a BUG() in both SELinux and SMACK\nwhen dealing with binary mount data. If the binary mount data is less\nthan one page the copy_page() in security_sb_copy_data() can cause an\nillegal page fault and boom. Remove all NFSisms from the SELinux code\nsince they were broken by past NFS changes.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bcdca225bfa016100985e5fc7e51cdc1d68beaa6", "tree": "4af588f69c754a6380dae17b00de20b0f2f3b149", "parents": [ "43627582799db317e966ecb0002c2c3c9805ec0f" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Sat Feb 23 15:24:04 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Sat Feb 23 17:13:24 2008 -0800" }, "message": "Smack: update for file capabilities\n\nUpdate the Smack LSM to allow the registration of the capability \"module\"\nas a secondary LSM. Integrate the new hooks required for file based\ncapabilities.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "094972840f2e7c1c6fc9e1a97d817cc17085378e", "tree": "1fa2b8fb54b5d5d60318c8659d4574a81b953f88", "parents": [ "e5df70ab194543522397fa3da8c8f80564a0f7d3" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Sat Feb 23 15:23:33 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Sat Feb 23 17:12:13 2008 -0800" }, "message": "file capabilities: simplify signal check\n\nSimplify the uid equivalence check in cap_task_kill(). Anyone can kill a\nprocess owned by the same uid.\n\nWithout this patch wireshark is reported to fail.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4bc87e62775052aac0be7574d5f84ff06f61c6b4", "tree": "23063e82de8f7b7506d795919d7d4c13725e74a0", "parents": [ "9a4c8546f3e7c893888bccc2b3416d6214f2664a" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Fri Feb 15 15:24:25 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 19 07:51:00 2008 -0800" }, "message": "Smack: unlabeled outgoing ambient packets\n\nSmack uses CIPSO labeling, but allows for unlabeled packets by\nspecifying an \"ambient\" label that is applied to incoming unlabeled\npackets.\n\nBecause the other end of the connection may dislike IP options, and ssh\nis one know application that behaves thus, it is prudent to respond in\nkind.\n\nThis patch changes the network labeling behavior such that an outgoing\npacket that would be given a CIPSO label that matches the ambient label\nis left unlabeled. An \"unlbl\" domain is added and the netlabel\ndefaulting mechanism invoked rather than assuming that everything is\nCIPSO. Locking has been added around changes to the ambient label as\nthe mechanisms used to do so are more involved.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "44707fdf5938ad269ea5d6c5744d82f6a7328746", "tree": "7eb1704418eb41b859ad24bc48f6400135474d87", "parents": [ "a03a8a709a0c34b61b7aea1d54a0473a6b941fdb" ], "author": { "name": "Jan Blunck", "email": "jblunck@suse.de", "time": "Thu Feb 14 19:38:33 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Feb 14 21:17:08 2008 -0800" }, "message": "d_path: Use struct path in struct avc_audit_data\n\naudit_log_d_path() is a d_path() wrapper that is used by the audit code. To\nuse a struct path in audit_log_d_path() I need to embed it into struct\navc_audit_data.\n\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Jan Blunck \u003cjblunck@suse.de\u003e\nAcked-by: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: \"J. Bruce Fields\" \u003cbfields@fieldses.org\u003e\nCc: Neil Brown \u003cneilb@suse.de\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4ac9137858e08a19f29feac4e1f4df7c268b0ba5", "tree": "f5b5d84fd12fcc2b0ba0e7ce1a79ff381ad8f5dd", "parents": [ "c5e725f33b733a77de622e91b6ba5645fcf070be" ], "author": { "name": "Jan Blunck", "email": "jblunck@suse.de", "time": "Thu Feb 14 19:34:32 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Feb 14 21:13:33 2008 -0800" }, "message": "Embed a struct path into struct nameidata instead of nd-\u003e{dentry,mnt}\n\nThis is the central patch of a cleanup series. In most cases there is no good\nreason why someone would want to use a dentry for itself. This series reflects\nthat fact and embeds a struct path into nameidata.\n\nTogether with the other patches of this series\n- it enforced the correct order of getting/releasing the reference count on\n \u003cdentry,vfsmount\u003e pairs\n- it prepares the VFS for stacking support since it is essential to have a\n struct path in every place where the stack can be traversed\n- it reduces the overall code size:\n\nwithout patch series:\n text data bss dec hex filename\n5321639 858418 715768 6895825 6938d1 vmlinux\n\nwith patch series:\n text data bss dec hex filename\n5320026 858418 715768 6894212 693284 vmlinux\n\nThis patch:\n\nSwitch from nd-\u003e{dentry,mnt} to nd-\u003epath.{dentry,mnt} everywhere.\n\n[akpm@linux-foundation.org: coding-style fixes]\n[akpm@linux-foundation.org: fix cifs]\n[akpm@linux-foundation.org: fix smack]\nSigned-off-by: Jan Blunck \u003cjblunck@suse.de\u003e\nSigned-off-by: Andreas Gruenbacher \u003cagruen@suse.de\u003e\nAcked-by: Christoph Hellwig \u003chch@lst.de\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2e1d146a19f2941aec08f60ca67fb2763baad595", "tree": "14831c6332b2d4004a7551354be46526a0c6f426", "parents": [ "cba44359d15ac7a3bca2c9199b7ff403d7edc69e" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Wed Feb 13 15:03:34 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Feb 13 16:21:20 2008 -0800" }, "message": "Smack: check for \u0027struct socket\u0027 with NULL sk\n\nThere\u0027s a small problem with smack and NFS. A similar report was also\nsent here: http://lkml.org/lkml/2007/10/27/85\n\nI\u0027ve also added similar checks in inode_{get/set}security(). Cheating from\nSELinux post_create_socket(), it does the same.\n\n[akpm@linux-foundation.org: remove uneeded BUG_ON()]\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schuafler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b68e418c445e8a468634d0a7ca2fb63bbaa74028", "tree": "e49b4a94ef28a9288ed6735a994387205b7cc5bd", "parents": [ "19af35546de68c872dcb687613e0902a602cb20e" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Thu Feb 07 11:21:04 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Feb 11 20:30:02 2008 +1100" }, "message": "selinux: support 64-bit capabilities\n\nFix SELinux to handle 64-bit capabilities correctly, and to catch\nfuture extensions of capabilities beyond 64 bits to ensure that SELinux\nis properly updated.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e231c2ee64eb1c5cd3c63c31da9dac7d888dcf7f", "tree": "d4b17ef65960594681397a3acac02c2d248200b5", "parents": [ "d1bc8e95445224276d7896b8b08cbb0b28a0ca80" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Feb 07 00:15:26 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Feb 07 08:42:26 2008 -0800" }, "message": "Convert ERR_PTR(PTR_ERR(p)) instances to ERR_CAST(p)\n\nConvert instances of ERR_PTR(PTR_ERR(p)) to ERR_CAST(p) using:\n\nperl -spi -e \u0027s/ERR_PTR[(]PTR_ERR[(](.*)[)][)]/ERR_CAST(\\1)/\u0027 `grep -rl \u0027ERR_PTR[(]*PTR_ERR\u0027 fs crypto net security`\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "394c6753978a75cab7558a377f2551a3c1101027", "tree": "c2712cb2d52ecae5db1d9ae417241154fe7a0808", "parents": [ "a5ecbcb8c13ea8a822d243bf782d0dc9525b4f84" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Feb 05 07:31:00 2008 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@localhost.localdomain", "time": "Wed Feb 06 21:40:59 2008 +0800" }, "message": "SELinux: Remove security_get_policycaps()\n\nThe security_get_policycaps() functions has a couple of bugs in it and it\nisn\u0027t currently used by any in-tree code, so get rid of it and all of it\u0027s\nbugginess.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@localhost.localdomain\u003e\n" }, { "commit": "a5ecbcb8c13ea8a822d243bf782d0dc9525b4f84", "tree": "902df830bf581642a49bbb1e4f4de5b9f80eeaa1", "parents": [ "551e4fb2465b87de9d4aa1669b27d624435443bb" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 31 15:11:22 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@localhost.localdomain", "time": "Wed Feb 06 21:39:46 2008 +0800" }, "message": "security: allow Kconfig to set default mmap_min_addr protection\n\nSince it was decided that low memory protection from userspace couldn\u0027t\nbe turned on by default add a Kconfig option to allow users/distros to\nset a default at compile time. This value is still tunable after boot\nin /proc/sys/vm/mmap_min_addr\n\nDiscussion:\nhttp://www.mail-archive.com/linux-security-module@vger.kernel.org/msg02543.html\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e114e473771c848c3cfec05f0123e70f1cdbdc99", "tree": "933b840f3ccac6860da56291c742094f9b5a20cb", "parents": [ "eda61d32e8ad1d9102872f9a0abf3344bf9c5e67" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Mon Feb 04 22:29:50 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "Smack: Simplified Mandatory Access Control Kernel\n\nSmack is the Simplified Mandatory Access Control Kernel.\n\nSmack implements mandatory access control (MAC) using labels\nattached to tasks and data containers, including files, SVIPC,\nand other tasks. Smack is a kernel based scheme that requires\nan absolute minimum of application support and a very small\namount of configuration data.\n\nSmack uses extended attributes and\nprovides a set of general mount options, borrowing technics used\nelsewhere. Smack uses netlabel for CIPSO labeling. Smack provides\na pseudo-filesystem smackfs that is used for manipulation of\nsystem Smack attributes.\n\nThe patch, patches for ls and sshd, a README, a startup script,\nand x86 binaries for ls and sshd are also available on\n\n http://www.schaufler-ca.com\n\nDevelopment has been done using Fedora Core 7 in a virtual machine\nenvironment and on an old Sony laptop.\n\nSmack provides mandatory access controls based on the label attached\nto a task and the label attached to the object it is attempting to\naccess. Smack labels are deliberately short (1-23 characters) text\nstrings. Single character labels using special characters are reserved\nfor system use. The only operation applied to Smack labels is equality\ncomparison. No wildcards or expressions, regular or otherwise, are\nused. Smack labels are composed of printable characters and may not\ninclude \"/\".\n\nA file always gets the Smack label of the task that created it.\n\nSmack defines and uses these labels:\n\n \"*\" - pronounced \"star\"\n \"_\" - pronounced \"floor\"\n \"^\" - pronounced \"hat\"\n \"?\" - pronounced \"huh\"\n\nThe access rules enforced by Smack are, in order:\n\n1. Any access requested by a task labeled \"*\" is denied.\n2. A read or execute access requested by a task labeled \"^\"\n is permitted.\n3. A read or execute access requested on an object labeled \"_\"\n is permitted.\n4. Any access requested on an object labeled \"*\" is permitted.\n5. Any access requested by a task on an object with the same\n label is permitted.\n6. Any access requested that is explicitly defined in the loaded\n rule set is permitted.\n7. Any other access is denied.\n\nRules may be explicitly defined by writing subject,object,access\ntriples to /smack/load.\n\nSmack rule sets can be easily defined that describe Bell\u0026LaPadula\nsensitivity, Biba integrity, and a variety of interesting\nconfigurations. Smack rule sets can be modified on the fly to\naccommodate changes in the operating environment or even the time\nof day.\n\nSome practical use cases:\n\nHierarchical levels. The less common of the two usual uses\nfor MLS systems is to define hierarchical levels, often\nunclassified, confidential, secret, and so on. To set up smack\nto support this, these rules could be defined:\n\n C Unclass rx\n S C rx\n S Unclass rx\n TS S rx\n TS C rx\n TS Unclass rx\n\nA TS process can read S, C, and Unclass data, but cannot write it.\nAn S process can read C and Unclass. Note that specifying that\nTS can read S and S can read C does not imply TS can read C, it\nhas to be explicitly stated.\n\nNon-hierarchical categories. This is the more common of the\nusual uses for an MLS system. Since the default rule is that a\nsubject cannot access an object with a different label no\naccess rules are required to implement compartmentalization.\n\nA case that the Bell \u0026 LaPadula policy does not allow is demonstrated\nwith this Smack access rule:\n\nA case that Bell\u0026LaPadula does not allow that Smack does:\n\n ESPN ABC r\n ABC ESPN r\n\nOn my portable video device I have two applications, one that\nshows ABC programming and the other ESPN programming. ESPN wants\nto show me sport stories that show up as news, and ABC will\nonly provide minimal information about a sports story if ESPN\nis covering it. Each side can look at the other\u0027s info, neither\ncan change the other. Neither can see what FOX is up to, which\nis just as well all things considered.\n\nAnother case that I especially like:\n\n SatData Guard w\n Guard Publish w\n\nA program running with the Guard label opens a UDP socket and\naccepts messages sent by a program running with a SatData label.\nThe Guard program inspects the message to ensure it is wholesome\nand if it is sends it to a program running with the Publish label.\nThis program then puts the information passed in an appropriate\nplace. Note that the Guard program cannot write to a Publish\nfile system object because file system semanitic require read as\nwell as write.\n\nThe four cases (categories, levels, mutual read, guardbox) here\nare all quite real, and problems I\u0027ve been asked to solve over\nthe years. The first two are easy to do with traditonal MLS systems\nwhile the last two you can\u0027t without invoking privilege, at least\nfor a while.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Joshua Brindle \u003cmethod@manicmethod.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \"Ahmed S. Darwish\" \u003cdarwish.07@gmail.com\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3b7391de67da515c91f48aa371de77cb6cc5c07e", "tree": "22b9f5d9d1c36b374eb5765219aca3c7e1f23486", "parents": [ "46c383cc4530ccc438cb325e92e11eb21dd3d4fc" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Mon Feb 04 22:29:45 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "capabilities: introduce per-process capability bounding set\n\nThe capability bounding set is a set beyond which capabilities cannot grow.\n Currently cap_bset is per-system. It can be manipulated through sysctl,\nbut only init can add capabilities. Root can remove capabilities. By\ndefault it includes all caps except CAP_SETPCAP.\n\nThis patch makes the bounding set per-process when file capabilities are\nenabled. It is inherited at fork from parent. Noone can add elements,\nCAP_SETPCAP is required to remove them.\n\nOne example use of this is to start a safer container. For instance, until\ndevice namespaces or per-container device whitelists are introduced, it is\nbest to take CAP_MKNOD away from a container.\n\nThe bounding set will not affect pP and pE immediately. It will only\naffect pP\u0027 and pE\u0027 after subsequent exec()s. It also does not affect pI,\nand exec() does not constrain pI\u0027. So to really start a shell with no way\nof regain CAP_MKNOD, you would do\n\n\tprctl(PR_CAPBSET_DROP, CAP_MKNOD);\n\tcap_t cap \u003d cap_get_proc();\n\tcap_value_t caparray[1];\n\tcaparray[0] \u003d CAP_MKNOD;\n\tcap_set_flag(cap, CAP_INHERITABLE, 1, caparray, CAP_DROP);\n\tcap_set_proc(cap);\n\tcap_free(cap);\n\nThe following test program will get and set the bounding\nset (but not pI). For instance\n\n\t./bset get\n\t\t(lists capabilities in bset)\n\t./bset drop cap_net_raw\n\t\t(starts shell with new bset)\n\t\t(use capset, setuid binary, or binary with\n\t\tfile capabilities to try to increase caps)\n\n************************************************************\ncap_bound.c\n************************************************************\n #include \u003csys/prctl.h\u003e\n #include \u003clinux/capability.h\u003e\n #include \u003csys/types.h\u003e\n #include \u003cunistd.h\u003e\n #include \u003cstdio.h\u003e\n #include \u003cstdlib.h\u003e\n #include \u003cstring.h\u003e\n\n #ifndef PR_CAPBSET_READ\n #define PR_CAPBSET_READ 23\n #endif\n\n #ifndef PR_CAPBSET_DROP\n #define PR_CAPBSET_DROP 24\n #endif\n\nint usage(char *me)\n{\n\tprintf(\"Usage: %s get\\n\", me);\n\tprintf(\" %s drop \u003ccapability\u003e\\n\", me);\n\treturn 1;\n}\n\n #define numcaps 32\nchar *captable[numcaps] \u003d {\n\t\"cap_chown\",\n\t\"cap_dac_override\",\n\t\"cap_dac_read_search\",\n\t\"cap_fowner\",\n\t\"cap_fsetid\",\n\t\"cap_kill\",\n\t\"cap_setgid\",\n\t\"cap_setuid\",\n\t\"cap_setpcap\",\n\t\"cap_linux_immutable\",\n\t\"cap_net_bind_service\",\n\t\"cap_net_broadcast\",\n\t\"cap_net_admin\",\n\t\"cap_net_raw\",\n\t\"cap_ipc_lock\",\n\t\"cap_ipc_owner\",\n\t\"cap_sys_module\",\n\t\"cap_sys_rawio\",\n\t\"cap_sys_chroot\",\n\t\"cap_sys_ptrace\",\n\t\"cap_sys_pacct\",\n\t\"cap_sys_admin\",\n\t\"cap_sys_boot\",\n\t\"cap_sys_nice\",\n\t\"cap_sys_resource\",\n\t\"cap_sys_time\",\n\t\"cap_sys_tty_config\",\n\t\"cap_mknod\",\n\t\"cap_lease\",\n\t\"cap_audit_write\",\n\t\"cap_audit_control\",\n\t\"cap_setfcap\"\n};\n\nint getbcap(void)\n{\n\tint comma\u003d0;\n\tunsigned long i;\n\tint ret;\n\n\tprintf(\"i know of %d capabilities\\n\", numcaps);\n\tprintf(\"capability bounding set:\");\n\tfor (i\u003d0; i\u003cnumcaps; i++) {\n\t\tret \u003d prctl(PR_CAPBSET_READ, i);\n\t\tif (ret \u003c 0)\n\t\t\tperror(\"prctl\");\n\t\telse if (ret\u003d\u003d1)\n\t\t\tprintf(\"%s%s\", (comma++) ? \", \" : \" \", captable[i]);\n\t}\n\tprintf(\"\\n\");\n\treturn 0;\n}\n\nint capdrop(char *str)\n{\n\tunsigned long i;\n\n\tint found\u003d0;\n\tfor (i\u003d0; i\u003cnumcaps; i++) {\n\t\tif (strcmp(captable[i], str) \u003d\u003d 0) {\n\t\t\tfound\u003d1;\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (!found)\n\t\treturn 1;\n\tif (prctl(PR_CAPBSET_DROP, i)) {\n\t\tperror(\"prctl\");\n\t\treturn 1;\n\t}\n\treturn 0;\n}\n\nint main(int argc, char *argv[])\n{\n\tif (argc\u003c2)\n\t\treturn usage(argv[0]);\n\tif (strcmp(argv[1], \"get\")\u003d\u003d0)\n\t\treturn getbcap();\n\tif (strcmp(argv[1], \"drop\")!\u003d0 || argc\u003c3)\n\t\treturn usage(argv[0]);\n\tif (capdrop(argv[2])) {\n\t\tprintf(\"unknown capability\\n\");\n\t\treturn 1;\n\t}\n\treturn execl(\"/bin/bash\", \"/bin/bash\", NULL);\n}\n************************************************************\n\n[serue@us.ibm.com: fix typo]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003ea\nSigned-off-by: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nTested-by: Jiri Slaby \u003cjirislaby@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "e338d263a76af78fe8f38a72131188b58fceb591", "tree": "f3f046fc6fd66de43de7191830f0daf3bc4ec8eb", "parents": [ "8f6936f4d29aa14e54a2470b954a2e1f96322988" ], "author": { "name": "Andrew Morgan", "email": "morgan@kernel.org", "time": "Mon Feb 04 22:29:42 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "Add 64-bit capability support to the kernel\n\nThe patch supports legacy (32-bit) capability userspace, and where possible\ntranslates 32-bit capabilities to/from userspace and the VFS to 64-bit\nkernel space capabilities. If a capability set cannot be compressed into\n32-bits for consumption by user space, the system call fails, with -ERANGE.\n\nFWIW libcap-2.00 supports this change (and earlier capability formats)\n\n http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/\n\n[akpm@linux-foundation.org: coding-syle fixes]\n[akpm@linux-foundation.org: use get_task_comm()]\n[ezk@cs.sunysb.edu: build fix]\n[akpm@linux-foundation.org: do not initialise statics to 0 or NULL]\n[akpm@linux-foundation.org: unused var]\n[serue@us.ibm.com: export __cap_ symbols]\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Erez Zadok \u003cezk@cs.sunysb.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8f6936f4d29aa14e54a2470b954a2e1f96322988", "tree": "63e1bca33b783cf819b356f3ffd45cfe7b226654", "parents": [ "4bea58053f206be9a89ca35850f9ad295dac2042" ], "author": { "name": "Andrew Morton", "email": "akpm@linux-foundation.org", "time": "Mon Feb 04 22:29:41 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "revert \"capabilities: clean up file capability reading\"\n\nRevert b68680e4731abbd78863063aaa0dca2a6d8cc723 to make way for the next\npatch: \"Add 64-bit capability support to the kernel\".\n\nWe want to keep the vfs_cap_data.data[] structure, using two \u0027data\u0027s for\n64-bit caps (and later three for 96-bit caps), whereas\nb68680e4731abbd78863063aaa0dca2a6d8cc723 had gotten rid of the \u0027data\u0027 struct\nmade its members inline.\n\nThe 64-bit caps patch keeps the stack abuse fix at get_file_caps(), which was\nthe more important part of that patch.\n\n[akpm@linux-foundation.org: coding-style fixes]\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "42492594043d621a7910ff5877c3eb9202870b45", "tree": "9188d112c019a189606847dc1d90ccc63c1bacf2", "parents": [ "3729145821e3088a0c3c4183037fde356204bf97" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Mon Feb 04 22:29:39 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "VFS/Security: Rework inode_getsecurity and callers to return resulting buffer\n\nThis patch modifies the interface to inode_getsecurity to have the function\nreturn a buffer containing the security blob and its length via parameters\ninstead of relying on the calling function to give it an appropriately sized\nbuffer.\n\nSecurity blobs obtained with this function should be freed using the\nrelease_secctx LSM hook. This alleviates the problem of the caller having to\nguess a length and preallocate a buffer for this function allowing it to be\nused elsewhere for Labeled NFS.\n\nThe patch also removed the unused err parameter. The conversion is similar to\nthe one performed by Al Viro for the security_getprocattr hook.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4746ec5b01ed07205a91e4f7ed9de9d70f371407", "tree": "7a3a836b6178ccab24801e90b69c1159b2c23099", "parents": [ "c2a7780efe37d01bdb3facc85a94663e6d67d4a8" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Jan 08 10:06:53 2008 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri Feb 01 14:06:51 2008 -0500" }, "message": "[AUDIT] add session id to audit messages\n\nIn order to correlate audit records to an individual login add a session\nid. This is incremented every time a user logs in and is included in\nalmost all messages which currently output the auid. The field is\nlabeled ses\u003d or oses\u003d\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "0c11b9428f619ab377c92eff2f160a834a6585dd", "tree": "35b573715ad5730a77d067486838345132771a7a", "parents": [ "24e1c13c93cbdd05e4b7ea921c0050b036555adc" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Jan 10 04:20:52 2008 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri Feb 01 14:04:59 2008 -0500" }, "message": "[PATCH] switch audit_get_loginuid() to task_struct *\n\nall callers pass something-\u003eaudit_context\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "e1770d97a730ff4c3aa1775d98f4d0558390607f", "tree": "64ad3c2d24b5506861aac9cef8f08c0e0fbd9959", "parents": [ "1a6509d991225ad210de54c63314fd9542922095" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Mon Jan 28 19:49:00 2008 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Jan 31 19:27:04 2008 -0800" }, "message": "[SELinux]: Fix double free in selinux_netlbl_sock_setsid()\n\nAs pointed out by Adrian Bunk, commit\n45c950e0f839fded922ebc0bfd59b1081cc71b70 (\"fix memory leak in netlabel\ncode\") caused a double-free when security_netlbl_sid_to_secattr()\nfails. This patch fixes this by removing the netlbl_secattr_destroy()\ncall from that function since we are already releasing the secattr\nmemory in selinux_netlbl_sock_setsid().\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "f71ea9ddf0ff110f3fcbb89a46686bfba264014c", "tree": "db6843db55d5e1036248fc41782a891882b2cb54", "parents": [ "374ea019cacfa8b69ae49eea993b74cb5968970b" ], "author": { "name": "sergeh@us.ibm.com", "email": "sergeh@us.ibm.com", "time": "Tue Jan 29 05:04:43 2008 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:18:21 2008 +1100" }, "message": "security: compile capabilities by default\n\nCapabilities have long been the default when CONFIG_SECURITY\u003dn,\nand its help text suggests turning it on when CONFIG_SECURITY\u003dy.\nBut it is set to default n.\n\nDefault it to y instead.\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Matt LaPlante \u003ckernel1@cyberdogtech.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "374ea019cacfa8b69ae49eea993b74cb5968970b", "tree": "822718af14d91f3beabbde3e9d5758c055e3bef8", "parents": [ "71f1cb05f773661b6fa98c7a635d7a395cd9c55d" ], "author": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Tue Jan 29 00:11:52 2008 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:44 2008 +1100" }, "message": "selinux: make selinux_set_mnt_opts() static\n\nselinux_set_mnt_opts() can become static.\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "71f1cb05f773661b6fa98c7a635d7a395cd9c55d", "tree": "a540f89c5d1d081ea2c09105f264adce44d92fa9", "parents": [ "effad8df44261031a882e1a895415f7186a5098e" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:51:16 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:30 2008 +1100" }, "message": "SELinux: Add warning messages on network denial due to error\n\nCurrently network traffic can be sliently dropped due to non-avc errors which\ncan lead to much confusion when trying to debug the problem. This patch adds\nwarning messages so that when these events occur there is a user visible\nnotification.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "effad8df44261031a882e1a895415f7186a5098e", "tree": "42c04b3247ede13077546e13f82fe3da83ce7b90", "parents": [ "13541b3adad2dc2f56761c5193c2b88db3597f0e" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:49:27 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:30 2008 +1100" }, "message": "SELinux: Add network ingress and egress control permission checks\n\nThis patch implements packet ingress/egress controls for SELinux which allow\nSELinux security policy to control the flow of all IPv4 and IPv6 packets into\nand out of the system. Currently SELinux does not have proper control over\nforwarded packets and this patch corrects this problem.\n\nSpecial thanks to Venkat Yekkirala \u003cvyekkirala@trustedcs.com\u003e whose earlier\nwork on this topic eventually led to this patch.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5dbe1eb0cfc144a2b0cb1466e22bcb6fc34229a8", "tree": "e1e028acaf0dd08cbcacd2c125f60230f820b442", "parents": [ "d621d35e576aa20a0ddae8022c3810f38357c8ff" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:44:18 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:27 2008 +1100" }, "message": "SELinux: Allow NetLabel to directly cache SIDs\n\nNow that the SELinux NetLabel \"base SID\" is always the netmsg initial SID we\ncan do a big optimization - caching the SID and not just the MLS attributes.\nThis not only saves a lot of per-packet memory allocations and copies but it\nhas a nice side effect of removing a chunk of code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d621d35e576aa20a0ddae8022c3810f38357c8ff", "tree": "318e8aa890dbe715b901b11b019ebac3badb693d", "parents": [ "220deb966ea51e0dedb6a187c0763120809f3e64" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:43:36 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:26 2008 +1100" }, "message": "SELinux: Enable dynamic enable/disable of the network access checks\n\nThis patch introduces a mechanism for checking when labeled IPsec or SECMARK\nare in use by keeping introducing a configuration reference counter for each\nsubsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry\nis created the labeled IPsec/XFRM reference count is increased and when the\nentry is removed it is decreased. In the case of SECMARK, when a SECMARK\ntarget is created the reference count is increased and later decreased when the\ntarget is removed. These reference counters allow SELinux to quickly determine\nif either of these subsystems are enabled.\n\nNetLabel already has a similar mechanism which provides the netlbl_enabled()\nfunction.\n\nThis patch also renames the selinux_relabel_packet_permission() function to\nselinux_secmark_relabel_packet_permission() as the original name and\ndescription were misleading in that they referenced a single packet label which\nis not the case.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "220deb966ea51e0dedb6a187c0763120809f3e64", "tree": "7d0e5dd8048907c364b4eeff294991937b466c7e", "parents": [ "f67f4f315f31e7907779adb3296fb6682e755342" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:23 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:25 2008 +1100" }, "message": "SELinux: Better integration between peer labeling subsystems\n\nRework the handling of network peer labels so that the different peer labeling\nsubsystems work better together. This includes moving both subsystems to a\nsingle \"peer\" object class which involves not only changes to the permission\nchecks but an improved method of consolidating multiple packet peer labels.\nAs part of this work the inbound packet permission check code has been heavily\nmodified to handle both the old and new behavior in as sane a fashion as\npossible.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f67f4f315f31e7907779adb3296fb6682e755342", "tree": "237a41ae93b73bf4e98761a4b6d30d7a5a54b896", "parents": [ "3bb56b25dbe0a4b44bd2ebceab6736d068e85068" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:21 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:24 2008 +1100" }, "message": "SELinux: Add a new peer class and permissions to the Flask definitions\n\nAdd additional Flask definitions to support the new \"peer\" object class and\nadditional permissions to the netif, node, and packet object classes. Also,\nbring the kernel Flask definitions up to date with the Fedora SELinux policies\nby adding the \"flow_in\" and \"flow_out\" permissions to the \"packet\" class.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3bb56b25dbe0a4b44bd2ebceab6736d068e85068", "tree": "2285d831352b8580d401730eee98820ed54a81a0", "parents": [ "224dfbd81e1ff672eb46e7695469c395bd531083" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:19 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:23 2008 +1100" }, "message": "SELinux: Add a capabilities bitmap to SELinux policy version 22\n\nAdd a new policy capabilities bitmap to SELinux policy version 22. This bitmap\nwill enable the security server to query the policy to determine which features\nit supports.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "224dfbd81e1ff672eb46e7695469c395bd531083", "tree": "c89c3ab606634a7174db8807b2633df8bb024b8c", "parents": [ "da5645a28a15aed2e541a814ecf9f7ffcd4c4673" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:13 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:23 2008 +1100" }, "message": "SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions\n\nThis patch adds a SELinux IP address/node SID caching mechanism similar to the\nsel_netif_*() functions. The node SID queries in the SELinux hooks files are\nalso modified to take advantage of this new functionality. In addition, remove\nthe address length information from the sk_buff parsing routines as it is\nredundant since we already have the address family.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "da5645a28a15aed2e541a814ecf9f7ffcd4c4673", "tree": "8cedccebd0e12308de30573ad593d703943e3cbb", "parents": [ "e8bfdb9d0dfc1231a6a71e849dfbd4447acdfff6" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:10 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:22 2008 +1100" }, "message": "SELinux: Only store the network interface\u0027s ifindex\n\nInstead of storing the packet\u0027s network interface name store the ifindex. This\nallows us to defer the need to lookup the net_device structure until the audit\nrecord is generated meaning that in the majority of cases we never need to\nbother with this at all.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e8bfdb9d0dfc1231a6a71e849dfbd4447acdfff6", "tree": "0d786c0ad972e43d1128296b8e7ae47275ab3ebd", "parents": [ "75e22910cf0c26802b09dac2e34c13e648d3ed02" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:08 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:21 2008 +1100" }, "message": "SELinux: Convert the netif code to use ifindex values\n\nThe current SELinux netif code requires the caller have a valid net_device\nstruct pointer to lookup network interface information. However, we don\u0027t\nalways have a valid net_device pointer so convert the netif code to use\nthe ifindex values we always have as part of the sk_buff. This patch also\nremoves the default message SID from the network interface record, it is\nnot being used and therefore is \"dead code\".\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "75e22910cf0c26802b09dac2e34c13e648d3ed02", "tree": "bf5f5c62f6db8a3057a0265dc7748bf310d26d4a", "parents": [ "16efd45435fa695b501b7f73c3259bd7c77cc12c" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:04 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:20 2008 +1100" }, "message": "NetLabel: Add IP address family information to the netlbl_skbuff_getattr() function\n\nIn order to do any sort of IP header inspection of incoming packets we need to\nknow which address family, AF_INET/AF_INET6/etc., it belongs to and since the\nsk_buff structure does not store this information we need to pass along the\naddress family separate from the packet itself.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "16efd45435fa695b501b7f73c3259bd7c77cc12c", "tree": "f26eb84f65192eb0a17aca399fd405100e4be974", "parents": [ "1c3fad936acaf87b75055b95be781437e97d787f" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:37:59 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:19 2008 +1100" }, "message": "NetLabel: Add secid token support to the NetLabel secattr struct\n\nThis patch adds support to the NetLabel LSM secattr struct for a secid token\nand a type field, paving the way for full LSM/SELinux context support and\n\"static\" or \"fallback\" labels. In addition, this patch adds a fair amount\nof documentation to the core NetLabel structures used as part of the\nNetLabel kernel API.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6e23ae2a48750bda407a4a58f52a4865d7308bf5", "tree": "633fd60b2a42bf6fdb86564f0c05a6d52d8dc92b", "parents": [ "1bf06cd2e338fd6fc29169d30eaf0df982338285" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Mon Nov 19 18:53:30 2007 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Jan 28 14:53:55 2008 -0800" }, "message": "[NETFILTER]: Introduce NF_INET_ hook values\n\nThe IPv4 and IPv6 hook values are identical, yet some code tries to figure\nout the \"correct\" value by looking at the address family. Introduce NF_INET_*\nvalues for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__\nsection for userspace compatibility.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nAcked-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "b1aa5301b9f88a4891061650c591fb8fe1c1d1da", "tree": "701ee5bf6cefbf7545c91ebab614fda7d6fd6a27", "parents": [ "99f1c97dbdb30e958edfd1ced0ae43df62504e07" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Jan 25 13:03:42 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Jan 26 12:16:16 2008 +1100" }, "message": "selinux: fix labeling of /proc/net inodes\n\nThe proc net rewrite had a side effect on selinux, leading it to mislabel\nthe /proc/net inodes, thereby leading to incorrect denials. Fix\nsecurity_genfs_sid to ignore extra leading / characters in the path supplied\nby selinux_proc_get_sid since we now get \"//net/...\" rather than \"/net/...\".\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b47711bfbcd4eb77ca61ef0162487b20e023ae55", "tree": "b2a695dbd40f7ca2333664cf946ef34eda7b7dba", "parents": [ "7556afa0e0e436cad4f560ee83e5fbd5dac9359a", "2e08c0c1c3977a5ddc88887dd3af1b26c433e9d0" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 25 08:44:29 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 25 08:44:29 2008 -0800" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:\n selinux: make mls_compute_sid always polyinstantiate\n security/selinux: constify function pointer tables and fields\n security: add a secctx_to_secid() hook\n security: call security_file_permission from rw_verify_area\n security: remove security_sb_post_mountroot hook\n Security: remove security.h include from mm.h\n Security: remove security_file_mmap hook sparse-warnings (NULL as 0).\n Security: add get, set, and cloning of superblock security information\n security/selinux: Add missing \"space\"\n" }, { "commit": "78a2d906b40fe530ea800c1e873bfe8f02326f1e", "tree": "ebeef35150816fa807f71e596a9aaf711ad10a90", "parents": [ "197b12d6796a3bca187f22a8978a33d51e2bcd79" ], "author": { "name": "Greg Kroah-Hartman", "email": "gregkh@suse.de", "time": "Thu Dec 20 08:13:05 2007 -0800" }, "committer": { "name": "Greg Kroah-Hartman", "email": "gregkh@suse.de", "time": "Thu Jan 24 20:40:40 2008 -0800" }, "message": "Kobject: convert remaining kobject_unregister() to kobject_put()\n\nThere is no need for kobject_unregister() anymore, thanks to Kay\u0027s\nkobject cleanup changes, so replace all instances of it with\nkobject_put().\n\n\nCc: Kay Sievers \u003ckay.sievers@vrfy.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n\n" }, { "commit": "0ff21e46630abce11fdaaffabd72bbd4eed5ac2c", "tree": "cc49671622ef90775bf12a91d20b8286aa346e6f", "parents": [ "5c03c7ab886859eb195440dbb6ccb8c30c4e84cc" ], "author": { "name": "Greg Kroah-Hartman", "email": "gregkh@suse.de", "time": "Tue Nov 06 10:36:58 2007 -0800" }, "committer": { "name": "Greg Kroah-Hartman", "email": "gregkh@suse.de", "time": "Thu Jan 24 20:40:24 2008 -0800" }, "message": "kobject: convert kernel_kset to be a kobject\n\nkernel_kset does not need to be a kset, but a much simpler kobject now\nthat we have kobj_attributes.\n\nWe also rename kernel_kset to kernel_kobj to catch all users of this\nsymbol with a build error instead of an easy-to-ignore build warning.\n\nCc: Kay Sievers \u003ckay.sievers@vrfy.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n\n" }, { "commit": "bd35b93d8049ab47b5bfaf6b10ba39badf21d1c3", "tree": "bac82e14d960b2c7011b7f660a93f07e922f8a97", "parents": [ "e5e38a86c0bbe8475543f10f0a48393a45df5182" ], "author": { "name": "Greg Kroah-Hartman", "email": "gregkh@suse.de", "time": "Mon Oct 29 20:13:17 2007 +0100" }, "committer": { "name": "Greg Kroah-Hartman", "email": "gregkh@suse.de", "time": "Thu Jan 24 20:40:14 2008 -0800" }, "message": "kset: convert kernel_subsys to use kset_create\n\nDynamically create the kset instead of declaring it statically. We also\nrename kernel_subsys to kernel_kset to catch all users of this symbol\nwith a build error instead of an easy-to-ignore build warning.\n\nCc: Kay Sievers \u003ckay.sievers@vrfy.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n\n" }, { "commit": "69d8e1389551b107b1a8ec70c280cb7a56096666", "tree": "d487b8ce9435c4b225beb52e41eabc5ce68862e6", "parents": [ "5c89e17e9c2bc03ed16320967832b33b174e6234" ], "author": { "name": "Greg Kroah-Hartman", "email": "gregkh@suse.de", "time": "Mon Oct 29 20:13:17 2007 +0100" }, "committer": { "name": "Greg Kroah-Hartman", "email": "gregkh@suse.de", "time": "Thu Jan 24 20:40:11 2008 -0800" }, "message": "kobject: convert securityfs to use kobject_create\n\nWe don\u0027t need a kset here, a simple kobject will do just fine, so\ndynamically create the kobject and use it.\n\nCc: Kay Sievers \u003ckay.sievers@vrfy.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n\n" }, { "commit": "3514faca19a6fdc209734431c509631ea92b094e", "tree": "f6d102e6dec276f8e8d1044b47c74a02b901554f", "parents": [ "c11c4154e7ff4cebfadad849b1e22689d759c3f4" ], "author": { "name": "Greg Kroah-Hartman", "email": "gregkh@suse.de", "time": "Tue Oct 16 10:11:44 2007 -0600" }, "committer": { "name": "Greg Kroah-Hartman", "email": "gregkh@suse.de", "time": "Thu Jan 24 20:40:10 2008 -0800" }, "message": "kobject: remove struct kobj_type from struct kset\n\nWe don\u0027t need a \"default\" ktype for a kset. We should set this\nexplicitly every time for each kset. This change is needed so that we\ncan make ksets dynamic, and cleans up one of the odd, undocumented\nassumption that the kset/kobject/ktype model has.\n\nThis patch is based on a lot of help from Kay Sievers.\n\nNasty bug in the block code was found by Dave Young\n\u003chidave.darkstar@gmail.com\u003e\n\nCc: Kay Sievers \u003ckay.sievers@vrfy.org\u003e\nCc: Dave Young \u003chidave.darkstar@gmail.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n\n" }, { "commit": "2e08c0c1c3977a5ddc88887dd3af1b26c433e9d0", "tree": "2487c7d7bf54a5a26c53416ee4f1f14886121e15", "parents": [ "1996a10948e50e546dc2b64276723c0b64d3173b" ], "author": { "name": "Eamon Walsh", "email": "ewalsh@tycho.nsa.gov", "time": "Thu Jan 24 15:30:52 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:56 2008 +1100" }, "message": "selinux: make mls_compute_sid always polyinstantiate\n\nThis patch removes the requirement that the new and related object types\ndiffer in order to polyinstantiate by MLS level. This allows MLS\npolyinstantiation to occur in the absence of explicit type_member rules or\nwhen the type has not changed.\n\nPotential users of this support include pam_namespace.so (directory\npolyinstantiation) and the SELinux X support (property polyinstantiation).\n\nSigned-off-by: Eamon Walsh \u003cewalsh@tycho.nsa.gov\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1996a10948e50e546dc2b64276723c0b64d3173b", "tree": "971b235907b7c6911c21c9139e0ba85c5b84ef80", "parents": [ "63cb34492351078479b2d4bae6a881806a396286" ], "author": { "name": "Jan Engelhardt", "email": "jengelh@computergmbh.de", "time": "Wed Jan 23 00:02:58 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:54 2008 +1100" }, "message": "security/selinux: constify function pointer tables and fields\n\nConstify function pointer tables and fields.\n\nSigned-off-by: Jan Engelhardt \u003cjengelh@computergmbh.de\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "63cb34492351078479b2d4bae6a881806a396286", "tree": "d33ab15eda40c5195c4a723d9e49591a9b4950f9", "parents": [ "c43e259cc756ece387faae849af0058b56d78466" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jan 15 23:47:35 2008 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:53 2008 +1100" }, "message": "security: add a secctx_to_secid() hook\n\nAdd a secctx_to_secid() LSM hook to go along with the existing\nsecid_to_secctx() LSM hook. This patch also includes the SELinux\nimplementation for this hook.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bced95283e9434611cbad8f2ff903cd396eaea72", "tree": "5d56afc7a5f239ebc53a1800a508f16b8d8701b0", "parents": [ "42d7896ebc5f7268b1fe6bbd20f2282e20ae7895" ], "author": { "name": "H. Peter Anvin", "email": "hpa@zytor.com", "time": "Sat Dec 29 16:20:25 2007 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:50 2008 +1100" }, "message": "security: remove security_sb_post_mountroot hook\n\nThe security_sb_post_mountroot() hook is long-since obsolete, and is\nfundamentally broken: it is never invoked if someone uses initramfs.\nThis is particularly damaging, because the existence of this hook has\nbeen used as motivation for not using initramfs.\n\nStephen Smalley confirmed on 2007-07-19 that this hook was originally\nused by SELinux but can now be safely removed:\n\n http://marc.info/?l\u003dlinux-kernel\u0026m\u003d118485683612916\u0026w\u003d2\n\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Eric Paris \u003ceparis@parisplace.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: H. Peter Anvin \u003chpa@zytor.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c9180a57a9ab2d5525faf8815a332364ee9e89b7", "tree": "c677ec33735f3529d478a2b71fcc732d4fe59adf", "parents": [ "19c5fc198c369bb00f3ed9716ef40648865d8d94" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Nov 30 13:00:35 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:46 2008 +1100" }, "message": "Security: add get, set, and cloning of superblock security information\n\nAdds security_get_sb_mnt_opts, security_set_sb_mnt_opts, and\nsecurity_clont_sb_mnt_opts to the LSM and to SELinux. This will allow\nfilesystems to directly own and control all of their mount options if they\nso choose. This interface deals only with option identifiers and strings so\nit should generic enough for any LSM which may come in the future.\n\nFilesystems which pass text mount data around in the kernel (almost all of\nthem) need not currently make use of this interface when dealing with\nSELinux since it will still parse those strings as it always has. I assume\nfuture LSM\u0027s would do the same. NFS is the primary FS which does not use\ntext mount data and thus must make use of this interface.\n\nAn LSM would need to implement these functions only if they had mount time\noptions, such as selinux has context\u003d or fscontext\u003d. If the LSM has no\nmount time options they could simply not implement and let the dummy ops\ntake care of things.\n\nAn LSM other than SELinux would need to define new option numbers in\nsecurity.h and any FS which decides to own there own security options would\nneed to be patched to use this new interface for every possible LSM. This\nis because it was stated to me very clearly that LSM\u0027s should not attempt to\nunderstand FS mount data and the burdon to understand security should be in\nthe FS which owns the options.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "19c5fc198c369bb00f3ed9716ef40648865d8d94", "tree": "20c6e68e469f509dd80c41736628a6322704f2ed", "parents": [ "49914084e797530d9baaf51df9eda77babc98fa8" ], "author": { "name": "Joe Perches", "email": "joe@perches.com", "time": "Mon Nov 19 17:53:44 2007 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 25 11:29:44 2008 +1100" }, "message": "security/selinux: Add missing \"space\"\n\nAdd missing space.\n\nSigned-off-by: Joe Perches \u003cjoe@perches.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8b85eaadd5b8d3786996bd74c73aff54a92ec456", "tree": "7ef6ed3e5955a45d54b1d223e3ebf7749aa3b918", "parents": [ "f290fc3669d659a915e29b6bdb82d454b437cf93", "45c950e0f839fded922ebc0bfd59b1081cc71b70" ], "author": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Jan 21 19:45:49 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Jan 21 19:45:49 2008 -0800" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:\n selinux: fix memory leak in netlabel code\n" }, { "commit": "a6dbb1ef2fc8d73578eacd02ac701f4233175c9f", "tree": "eb2efa0193cdc7ab6b1f30068571194d0dabf230", "parents": [ "a10336043b8193ec603ad54bb79cdcd26bbf94b3" ], "author": { "name": "Andrew G. Morgan", "email": "morgan@kernel.org", "time": "Mon Jan 21 17:18:30 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Jan 21 19:39:41 2008 -0800" }, "message": "Fix filesystem capability support\n\nIn linux-2.6.24-rc1, security/commoncap.c:cap_inh_is_capped() was\nintroduced. It has the exact reverse of its intended behavior. This\nled to an unintended privilege esculation involving a process\u0027\ninheritable capability set.\n\nTo be exposed to this bug, you need to have Filesystem Capabilities\nenabled and in use. That is:\n\n- CONFIG_SECURITY_FILE_CAPABILITIES must be defined for the buggy code\n to be compiled in.\n\n- You also need to have files on your system marked with fI bits raised.\n\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\n\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@akpm@linux-foundation.org\u003e\n" }, { "commit": "45c950e0f839fded922ebc0bfd59b1081cc71b70", "tree": "97ca2840c63c0c646daf6b13420157237a3fcbec", "parents": [ "a7da60f41551abb3c520b03d42ec05dd7decfc7f" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 22 09:31:00 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Jan 22 09:31:00 2008 +1100" }, "message": "selinux: fix memory leak in netlabel code\n\nFix a memory leak in security_netlbl_sid_to_secattr() as reported here:\n * https://bugzilla.redhat.com/show_bug.cgi?id\u003d352281\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ab5a91a8364c3d6fc617abc47cc81d162c01d90a", "tree": "0b7f4ef877f56be57f75b8b455b9f694f19da633", "parents": [ "d313f948309ab22797316e789a7ff8fa358176b6" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 26 18:47:46 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 06 00:24:30 2007 +1100" }, "message": "Security: allow capable check to permit mmap or low vm space\n\nOn a kernel with CONFIG_SECURITY but without an LSM which implements\nsecurity_file_mmap it is impossible for an application to mmap addresses\nlower than mmap_min_addr. Based on a suggestion from a developer in the\nopenwall community this patch adds a check for CAP_SYS_RAWIO. It is\nassumed that any process with this capability can harm the system a lot\nmore easily than writing some stuff on the zero page and then trying to\nget the kernel to trip over itself. It also means that programs like X\non i686 which use vm86 emulation can work even with mmap_min_addr set.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d313f948309ab22797316e789a7ff8fa358176b6", "tree": "7a6d4a54ea7448ce53cf23349eb8a64d7fd93151", "parents": [ "0955dc03aedfb6a5565445b3f2176255b784cc6a" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Mon Nov 26 11:12:53 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 06 00:24:09 2007 +1100" }, "message": "SELinux: detect dead booleans\n\nInstead of using f_op to detect dead booleans, check the inode index\nagainst the number of booleans and check the dentry name against the\nboolean name for that index on reads and writes. This prevents\nincorrect use of a boolean file opened prior to a policy reload while\nallowing valid use of it as long as it still corresponds to the same\nboolean in the policy.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0955dc03aedfb6a5565445b3f2176255b784cc6a", "tree": "34ec01676c33f5627b8a5c02ca68b8757da3308c", "parents": [ "e3c0ac04f980750a368f7cd5f1b8d1d2cdc1f735" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Wed Nov 21 09:01:36 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 06 00:23:46 2007 +1100" }, "message": "SELinux: do not clear f_op when removing entries\n\nDo not clear f_op when removing entries since it isn\u0027t safe to do.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8ec2328f1138a58eaea55ec6150985a1623b01c5", "tree": "ebaecf41dd8c8789f0c49ee9c0f30c0ce40e3e39", "parents": [ "d0eec99ce50baa5cc2ac02363cdb2a771ed4e1e2" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Wed Nov 28 16:21:47 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Nov 29 09:24:53 2007 -0800" }, "message": "file capabilities: don\u0027t prevent signaling setuid root programs\n\nAn unprivileged process must be able to kill a setuid root program started\nby the same user. This is legacy behavior needed for instance for xinit to\nkill X when the window manager exits.\n\nWhen an unprivileged user runs a setuid root program in !SECURE_NOROOT\nmode, fP, fI, and fE are set full on, so pP\u0027 and pE\u0027 are full on. Then\ncap_task_kill() prevents the user from signaling the setuid root task.\nThis is a change in behavior compared to when\n!CONFIG_SECURITY_FILE_CAPABILITIES.\n\nThis patch introduces a special check into cap_task_kill() just to check\nwhether a non-root user is signaling a setuid root program started by the\nsame user. If so, then signal is allowed.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nCc: Stephen Smalley \u003csds@epoch.ncsc.mil\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "91ad997a34d7abca1f04e819e31eb9f3d4e20585", "tree": "d39e72f2e2ab69ccb6c69acf46173ccd8803fcc4", "parents": [ "20a1022d4ac5c53f0956006fd9e30cf4846d5e58" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Wed Nov 14 17:00:34 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Nov 14 18:45:44 2007 -0800" }, "message": "file capabilities: allow sigcont within session\n\nFix http://bugzilla.kernel.org/show_bug.cgi?id\u003d9247\n\nAllow sigcont to be sent to a process with greater capabilities if it is in\nthe same session. Otherwise, a shell from which I\u0027ve started a root shell\nand done \u0027suspend\u0027 can\u0027t be restarted by the parent shell.\n\nAlso don\u0027t do file-capabilities signaling checks when uids for the\nprocesses don\u0027t match, since the standard check_kill_permission will have\ndone those checks.\n\n[akpm@linux-foundation.org: coding-style cleanups]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nTested-by: \"Theodore Ts\u0027o\" \u003ctytso@mit.edu\u003e\nCc: Stephen Smalley \u003csds@epoch.ncsc.mil\u003e\nCc: \"Rafael J. Wysocki\" \u003crjw@sisk.pl\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "45e5421eb5bbcd9efa037d682dd357284e3ef982", "tree": "ceb24143024fe335d08ac30fb4da9ca25fbeb6e6", "parents": [ "6d2b685564ba417f4c6d80c3661f0dfee13fff85" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Wed Nov 07 10:08:00 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 08 08:56:23 2007 +1100" }, "message": "SELinux: add more validity checks on policy load\n\nAdd more validity checks at policy load time to reject malformed\npolicies and prevent subsequent out-of-range indexing when in permissive\nmode. Resolves the NULL pointer dereference reported in\nhttps://bugzilla.redhat.com/show_bug.cgi?id\u003d357541.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6d2b685564ba417f4c6d80c3661f0dfee13fff85", "tree": "a4e098a0eaa0f59b84f167e875a987779a6cba5f", "parents": [ "57002bfb31283e84f694763ed4db0fb761b7d6a9" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@kaigai.gr.jp", "time": "Wed Nov 07 01:17:16 2007 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@sdv.(none)", "time": "Thu Nov 08 08:55:10 2007 +1100" }, "message": "SELinux: fix bug in new ebitmap code.\n\nThe \"e_iter \u003d e_iter-\u003enext;\" statement in the inner for loop is primally\nbug. It should be moved to outside of the for loop.\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@kaigai.gr.jp\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "57002bfb31283e84f694763ed4db0fb761b7d6a9", "tree": "7788e55754cbe3a86fdd7e73a1e5e15e2cb8ff1a", "parents": [ "dbeeb816e805091e7cfc03baf36dc40b4adb2bbd" ], "author": { "name": "Stephen Rothwell", "email": "sfr@canb.auug.org.au", "time": "Wed Oct 31 16:47:19 2007 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@sdv.(none)", "time": "Thu Nov 08 08:55:04 2007 +1100" }, "message": "SELinux: suppress a warning for 64k pages.\n\nOn PowerPC allmodconfig build we get this:\n\nsecurity/selinux/xfrm.c:214: warning: comparison is always false due to limited range of data type\n\nSigned-off-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "48d2268473a66fe3aa78fb13b09ee59d6ee95073", "tree": "20d55db1f93294f006ce79156a05652dfa7a8048", "parents": [ "e5eca6aef6a2a57e433db1eac247d2d1c213ce08", "8a53514043e380aa573baa805298a7727c993985" ], "author": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Oct 23 08:59:46 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Oct 23 08:59:46 2007 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:\n SELinux: always check SIGCHLD in selinux_task_wait\n" }, { "commit": "8a53514043e380aa573baa805298a7727c993985", "tree": "869d2c0f90390814430fc6639914dc8ea4c0c9c6", "parents": [ "55b70a0300b873c0ec7ea6e33752af56f41250ce" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 22 16:10:31 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Oct 23 08:47:48 2007 +1000" }, "message": "SELinux: always check SIGCHLD in selinux_task_wait\n\nWhen checking if we can wait on a child we were looking at\np-\u003eexit_signal and trying to make the decision based on if the signal\nwould eventually be allowed. One big flaw is that p-\u003eexit_signal is -1\nfor NPTL threads and so aignal_to_av was not actually checking SIGCHLD\nwhich is what would have been sent. Even is exit_signal was set to\nsomething strange it wouldn\u0027t change the fact that the child was there\nand needed to be waited on. This patch just assumes wait is based on\nSIGCHLD. Specific permission checks are made when the child actually\nattempts to send a signal.\n\nThis resolves the problem of things like using GDB on confined domains\nsuch as in RH BZ 232371. The confined domain did not have permission to\nsend a generic signal (exit_signal \u003d\u003d -1) back to the unconfined GDB.\nWith this patch the GDB wait works and since the actual signal sent is\nallowed everything functions as it should.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b68680e4731abbd78863063aaa0dca2a6d8cc723", "tree": "6c546575432b34abb27a54b51f549071d2819282", "parents": [ "b9049e234401e1fad8459d69a952b174d76c399d" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Sun Oct 21 16:41:38 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Oct 22 08:13:18 2007 -0700" }, "message": "capabilities: clean up file capability reading\n\nSimplify the vfs_cap_data structure.\n\nAlso fix get_file_caps which was declaring\n__le32 v1caps[XATTR_CAPS_SZ] on the stack, but\nXATTR_CAPS_SZ is already * sizeof(__le32).\n\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b460cbc581a53cc088ceba80608021dd49c63c43", "tree": "83c28d0adbc15f4157c77b40fa60c40a71cb8673", "parents": [ "3743ca05ff464b8a9e345c08a6c9ce30485f9805" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Thu Oct 18 23:39:52 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Oct 19 11:53:37 2007 -0700" }, "message": "pid namespaces: define is_global_init() and is_container_init()\n\nis_init() is an ambiguous name for the pid\u003d\u003d1 check. Split it into\nis_global_init() and is_container_init().\n\nA cgroup init has it\u0027s tsk-\u003epid \u003d\u003d 1.\n\nA global init also has it\u0027s tsk-\u003epid \u003d\u003d 1 and it\u0027s active pid namespace\nis the init_pid_ns. But rather than check the active pid namespace,\ncompare the task structure with \u0027init_pid_ns.child_reaper\u0027, which is\ninitialized during boot to the /sbin/init process and never changes.\n\nChangelog:\n\n\t2.6.22-rc4-mm2-pidns1:\n\t- Use \u0027init_pid_ns.child_reaper\u0027 to determine if a given task is the\n\t global init (/sbin/init) process. This would improve performance\n\t and remove dependence on the task_pid().\n\n\t2.6.21-mm2-pidns2:\n\n\t- [Sukadev Bhattiprolu] Changed is_container_init() calls in {powerpc,\n\t ppc,avr32}/traps.c for the _exception() call to is_global_init().\n\t This way, we kill only the cgroup if the cgroup\u0027s init has a\n\t bug rather than force a kernel panic.\n\n[akpm@linux-foundation.org: fix comment]\n[sukadev@us.ibm.com: Use is_global_init() in arch/m32r/mm/fault.c]\n[bunk@stusta.de: kernel/pid.c: remove unused exports]\n[sukadev@us.ibm.com: Fix capability.c to work with threaded init]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Sukadev Bhattiprolu \u003csukadev@us.ibm.com\u003e\nAcked-by: Pavel Emelianov \u003cxemul@openvz.org\u003e\nCc: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nCc: Cedric Le Goater \u003cclg@fr.ibm.com\u003e\nCc: Dave Hansen \u003chaveblue@us.ibm.com\u003e\nCc: Herbert Poetzel \u003cherbert@13thfloor.at\u003e\nCc: Kirill Korotaev \u003cdev@sw.ru\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c80544dc0b87bb65038355e7aafdc30be16b26ab", "tree": "176349304bec88a9de16e650c9919462e0dd453c", "parents": [ "0e9663ee452ffce0d429656ebbcfe69417a30e92" ], "author": { "name": "Stephen Hemminger", "email": "shemminger@linux-foundation.org", "time": "Thu Oct 18 03:07:05 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Oct 18 14:37:31 2007 -0700" }, "message": "sparse pointer use of zero as null\n\nGet rid of sparse related warnings from places that use integer as NULL\npointer.\n\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Stephen Hemminger \u003cshemminger@linux-foundation.org\u003e\nCc: Andi Kleen \u003cak@suse.de\u003e\nCc: Jeff Garzik \u003cjeff@garzik.org\u003e\nCc: Matt Mackall \u003cmpm@selenic.com\u003e\nCc: Ian Kent \u003craven@themaw.net\u003e\nCc: Arnd Bergmann \u003carnd@arndb.de\u003e\nCc: Davide Libenzi \u003cdavidel@xmailserver.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "72c2d5823fc7be799a12184974c3bdc57acea3c4", "tree": "5c17418efb57cd5b2cdc0d751f577b2c64012423", "parents": [ "7058cb02ddab4bce70a46e519804fccb7ac0a060" ], "author": { "name": "Andrew Morgan", "email": "morgan@kernel.org", "time": "Thu Oct 18 03:05:59 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Oct 18 14:37:24 2007 -0700" }, "message": "V3 file capabilities: alter behavior of cap_setpcap\n\nThe non-filesystem capability meaning of CAP_SETPCAP is that a process, p1,\ncan change the capabilities of another process, p2. This is not the\nmeaning that was intended for this capability at all, and this\nimplementation came about purely because, without filesystem capabilities,\nthere was no way to use capabilities without one process bestowing them on\nanother.\n\nSince we now have a filesystem support for capabilities we can fix the\nimplementation of CAP_SETPCAP.\n\nThe most significant thing about this change is that, with it in effect, no\nprocess can set the capabilities of another process.\n\nThe capabilities of a program are set via the capability convolution\nrules:\n\n pI(post-exec) \u003d pI(pre-exec)\n pP(post-exec) \u003d (X(aka cap_bset) \u0026 fP) | (pI(post-exec) \u0026 fI)\n pE(post-exec) \u003d fE ? pP(post-exec) : 0\n\nat exec() time. As such, the only influence the pre-exec() program can\nhave on the post-exec() program\u0027s capabilities are through the pI\ncapability set.\n\nThe correct implementation for CAP_SETPCAP (and that enabled by this patch)\nis that it can be used to add extra pI capabilities to the current process\n- to be picked up by subsequent exec()s when the above convolution rules\nare applied.\n\nHere is how it works:\n\nLet\u0027s say we have a process, p. It has capability sets, pE, pP and pI.\nGenerally, p, can change the value of its own pI to pI\u0027 where\n\n (pI\u0027 \u0026 ~pI) \u0026 ~pP \u003d 0.\n\nThat is, the only new things in pI\u0027 that were not present in pI need to\nbe present in pP.\n\nThe role of CAP_SETPCAP is basically to permit changes to pI beyond\nthe above:\n\n if (pE \u0026 CAP_SETPCAP) {\n pI\u0027 \u003d anything; /* ie., even (pI\u0027 \u0026 ~pI) \u0026 ~pP !\u003d 0 */\n }\n\nThis capability is useful for things like login, which (say, via\npam_cap) might want to raise certain inheritable capabilities for use\nby the children of the logged-in user\u0027s shell, but those capabilities\nare not useful to or needed by the login program itself.\n\nOne such use might be to limit who can run ping. You set the\ncapabilities of the \u0027ping\u0027 program to be \"\u003d cap_net_raw+i\", and then\nonly shells that have (pI \u0026 CAP_NET_RAW) will be able to run\nit. Without CAP_SETPCAP implemented as described above, login(pam_cap)\nwould have to also have (pP \u0026 CAP_NET_RAW) in order to raise this\ncapability and pass it on through the inheritable set.\n\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "cbfee34520666862f8ff539e580c48958fbb7706", "tree": "ded5cafce333e908a0fbeda1f7c55eaf7c1fbaaa", "parents": [ "b53767719b6cd8789392ea3e7e2eb7b8906898f0" ], "author": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Tue Oct 16 23:31:38 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "security/ cleanups\n\nThis patch contains the following cleanups that are now possible:\n- remove the unused security_operations-\u003einode_xattr_getsuffix\n- remove the no longer used security_operations-\u003eunregister_security\n- remove some no longer required exit code\n- remove a bunch of no longer used exports\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b53767719b6cd8789392ea3e7e2eb7b8906898f0", "tree": "a0279dc93c79b94d3865b0f19f6b7b353e20608c", "parents": [ "57c521ce6125e15e99e56c902cb8da96bee7b36d" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Tue Oct 16 23:31:36 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "Implement file posix capabilities\n\nImplement file posix capabilities. This allows programs to be given a\nsubset of root\u0027s powers regardless of who runs them, without having to use\nsetuid and giving the binary all of root\u0027s powers.\n\nThis version works with Kaigai Kohei\u0027s userspace tools, found at\nhttp://www.kaigai.gr.jp/index.php. For more information on how to use this\npatch, Chris Friedhoff has posted a nice page at\nhttp://www.friedhoff.org/fscaps.html.\n\nChangelog:\n\tNov 27:\n\tIncorporate fixes from Andrew Morton\n\t(security-introduce-file-caps-tweaks and\n\tsecurity-introduce-file-caps-warning-fix)\n\tFix Kconfig dependency.\n\tFix change signaling behavior when file caps are not compiled in.\n\n\tNov 13:\n\tIntegrate comments from Alexey: Remove CONFIG_ ifdef from\n\tcapability.h, and use %zd for printing a size_t.\n\n\tNov 13:\n\tFix endianness warnings by sparse as suggested by Alexey\n\tDobriyan.\n\n\tNov 09:\n\tAddress warnings of unused variables at cap_bprm_set_security\n\twhen file capabilities are disabled, and simultaneously clean\n\tup the code a little, by pulling the new code into a helper\n\tfunction.\n\n\tNov 08:\n\tFor pointers to required userspace tools and how to use\n\tthem, see http://www.friedhoff.org/fscaps.html.\n\n\tNov 07:\n\tFix the calculation of the highest bit checked in\n\tcheck_cap_sanity().\n\n\tNov 07:\n\tAllow file caps to be enabled without CONFIG_SECURITY, since\n\tcapabilities are the default.\n\tHook cap_task_setscheduler when !CONFIG_SECURITY.\n\tMove capable(TASK_KILL) to end of cap_task_kill to reduce\n\taudit messages.\n\n\tNov 05:\n\tAdd secondary calls in selinux/hooks.c to task_setioprio and\n\ttask_setscheduler so that selinux and capabilities with file\n\tcap support can be stacked.\n\n\tSep 05:\n\tAs Seth Arnold points out, uid checks are out of place\n\tfor capability code.\n\n\tSep 01:\n\tDefine task_setscheduler, task_setioprio, cap_task_kill, and\n\ttask_setnice to make sure a user cannot affect a process in which\n\tthey called a program with some fscaps.\n\n\tOne remaining question is the note under task_setscheduler: are we\n\tok with CAP_SYS_NICE being sufficient to confine a process to a\n\tcpuset?\n\n\tIt is a semantic change, as without fsccaps, attach_task doesn\u0027t\n\tallow CAP_SYS_NICE to override the uid equivalence check. But since\n\tit uses security_task_setscheduler, which elsewhere is used where\n\tCAP_SYS_NICE can be used to override the uid equivalence check,\n\tfixing it might be tough.\n\n\t task_setscheduler\n\t\t note: this also controls cpuset:attach_task. Are we ok with\n\t\t CAP_SYS_NICE being used to confine to a cpuset?\n\t task_setioprio\n\t task_setnice\n\t\t sys_setpriority uses this (through set_one_prio) for another\n\t\t process. Need same checks as setrlimit\n\n\tAug 21:\n\tUpdated secureexec implementation to reflect the fact that\n\teuid and uid might be the same and nonzero, but the process\n\tmight still have elevated caps.\n\n\tAug 15:\n\tHandle endianness of xattrs.\n\tEnforce capability version match between kernel and disk.\n\tEnforce that no bits beyond the known max capability are\n\tset, else return -EPERM.\n\tWith this extra processing, it may be worth reconsidering\n\tdoing all the work at bprm_set_security rather than\n\td_instantiate.\n\n\tAug 10:\n\tAlways call getxattr at bprm_set_security, rather than\n\tcaching it at d_instantiate.\n\n[morgan@kernel.org: file-caps clean up for linux/capability.h]\n[bunk@kernel.org: unexport cap_inode_killpriv]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "20510f2f4e2dabb0ff6c13901807627ec9452f98", "tree": "d64b9eeb90d577f7f9688a215c4c6c3c2405188a", "parents": [ "5c3b447457789374cdb7b03afe2540d48c649a36" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Oct 16 23:31:32 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "security: Convert LSM into a static interface\n\nConvert LSM into a static interface, as the ability to unload a security\nmodule is not required by in-tree users and potentially complicates the\noverall security architecture.\n\nNeedlessly exported LSM symbols have been unexported, to help reduce API\nabuse.\n\nParameters for the capability and root_plug modules are now specified\nat boot.\n\nThe SECURITY_FRAMEWORK_VERSION macro has also been removed.\n\nIn a nutshell, there is no safe way to unload an LSM. The modular interface\nis thus unecessary and broken infrastructure. It is used only by out-of-tree\nmodules, which are often binary-only, illegal, abusive of the API and\ndangerous, e.g. silently re-vectoring SELinux.\n\n[akpm@linux-foundation.org: cleanups]\n[akpm@linux-foundation.org: USB Kconfig fix]\n[randy.dunlap@oracle.com: fix LSM kernel-doc]\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nAcked-by: Arjan van de Ven \u003carjan@infradead.org\u003e\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "76181c134f87479fa13bf2548ddf2999055d34d4", "tree": "34694341c190e7ecdd3111ee48e4b98602ff012f", "parents": [ "398c95bdf2c24d7866692a40ba04425aef238cdd" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Oct 16 23:29:46 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:42:57 2007 -0700" }, "message": "KEYS: Make request_key() and co fundamentally asynchronous\n\nMake request_key() and co fundamentally asynchronous to make it easier for\nNFS to make use of them. There are now accessor functions that do\nasynchronous constructions, a wait function to wait for construction to\ncomplete, and a completion function for the key type to indicate completion\nof construction.\n\nNote that the construction queue is now gone. Instead, keys under\nconstruction are linked in to the appropriate keyring in advance, and that\nanyone encountering one must wait for it to be complete before they can use\nit. This is done automatically for userspace.\n\nThe following auxiliary changes are also made:\n\n (1) Key type implementation stuff is split from linux/key.h into\n linux/key-type.h.\n\n (2) AF_RXRPC provides a way to allocate null rxrpc-type keys so that AFS does\n not need to call key_instantiate_and_link() directly.\n\n (3) Adjust the debugging macros so that they\u0027re -Wformat checked even if\n they are disabled, and make it so they can be enabled simply by defining\n __KDEBUG to be consistent with other code of mine.\n\n (3) Documentation.\n\n[alan@lxorguk.ukuu.org.uk: keys: missing word in documentation]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "087feb980443aadc7c62f6c26d3867543b470d8c", "tree": "06922e22b5390aeb2ad9ef8ea64b4f05d1d354e3", "parents": [ "9fe79ad1e43d236bbbb8edb3cf634356de714c79" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@kaigai.gr.jp", "time": "Wed Oct 03 23:42:56 2007 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Oct 17 08:59:36 2007 +1000" }, "message": "SELinux: kills warnings in Improve SELinux performance when AVC misses\n\nThis patch kills ugly warnings when the \"Improve SELinux performance\nwhen ACV misses\" patch.\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9fe79ad1e43d236bbbb8edb3cf634356de714c79", "tree": "91149cefa28baf692eb55f88f8c544a33e9126df", "parents": [ "3f12070e27b4a213d62607d2bff139793089a77d" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@ak.jp.nec.com", "time": "Sat Sep 29 02:20:55 2007 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Oct 17 08:59:34 2007 +1000" }, "message": "SELinux: improve performance when AVC misses.\n\n* We add ebitmap_for_each_positive_bit() which enables to walk on\n any positive bit on the given ebitmap, to improve its performance\n using common bit-operations defined in linux/bitops.h.\n In the previous version, this logic was implemented using a combination\n of ebitmap_for_each_bit() and ebitmap_node_get_bit(), but is was worse\n in performance aspect.\n This logic is most frequestly used to compute a new AVC entry,\n so this patch can improve SELinux performance when AVC misses are happen.\n* struct ebitmap_node is redefined as an array of \"unsigned long\", to get\n suitable for using find_next_bit() which is fasted than iteration of\n shift and logical operation, and to maximize memory usage allocated\n from general purpose slab.\n* Any ebitmap_for_each_bit() are repleced by the new implementation\n in ss/service.c and ss/mls.c. Some of related implementation are\n changed, however, there is no incompatibility with the previous\n version.\n* The width of any new line are less or equal than 80-chars.\n\nThe following benchmark shows the effect of this patch, when we\naccess many files which have different security context one after\nanother. The number is more than /selinux/avc/cache_threshold, so\nany access always causes AVC misses.\n\n selinux-2.6 selinux-2.6-ebitmap\nAVG: 22.763 [s] 8.750 [s]\nSTD: 0.265 0.019\n------------------------------------------\n1st: 22.558 [s] 8.786 [s]\n2nd: 22.458 [s] 8.750 [s]\n3rd: 22.478 [s] 8.754 [s]\n4th: 22.724 [s] 8.745 [s]\n5th: 22.918 [s] 8.748 [s]\n6th: 22.905 [s] 8.764 [s]\n7th: 23.238 [s] 8.726 [s]\n8th: 22.822 [s] 8.729 [s]\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3f12070e27b4a213d62607d2bff139793089a77d", "tree": "b6b614737f916c7c3102f66e6ad9e682b9c9bf04", "parents": [ "788e7dd4c22e6f41b3a118fd8c291f831f6fddbb" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Sep 21 14:37:10 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Oct 17 08:59:33 2007 +1000" }, "message": "SELinux: policy selectable handling of unknown classes and perms\n\nAllow policy to select, in much the same way as it selects MLS support, how\nthe kernel should handle access decisions which contain either unknown\nclasses or unknown permissions in known classes. The three choices for the\npolicy flags are\n\n0 - Deny unknown security access. (default)\n2 - reject loading policy if it does not contain all definitions\n4 - allow unknown security access\n\nThe policy\u0027s choice is exported through 2 booleans in\nselinuxfs. /selinux/deny_unknown and /selinux/reject_unknown.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "788e7dd4c22e6f41b3a118fd8c291f831f6fddbb", "tree": "cbe2d2a360aaf7dc243bef432e1c50507ae6db7b", "parents": [ "3232c110b56bd01c5f0fdfd16b4d695f2e05b0a9" ], "author": { "name": "Yuichi Nakamura", "email": "ynakam@hitachisoft.jp", "time": "Fri Sep 14 09:27:07 2007 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Oct 17 08:59:31 2007 +1000" }, "message": "SELinux: Improve read/write performance\n\nIt reduces the selinux overhead on read/write by only revalidating\npermissions in selinux_file_permission if the task or inode labels have\nchanged or the policy has changed since the open-time check. A new LSM\nhook, security_dentry_open, is added to capture the necessary state at open\ntime to allow this optimization.\n\n(see http://marc.info/?l\u003dselinux\u0026m\u003d118972995207740\u0026w\u003d2)\n\nSigned-off-by: Yuichi Nakamura\u003cynakam@hitachisoft.jp\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3232c110b56bd01c5f0fdfd16b4d695f2e05b0a9", "tree": "b369f8dc55e9d27bbd0b8b4b6843c0736d61b005", "parents": [ "821f3eff7cdb9d6c7076effabd46c96c322daed1" ], "author": { "name": "Yuichi Nakamura", "email": "ynakam@hitachisoft.jp", "time": "Fri Aug 24 11:55:11 2007 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Oct 17 08:59:30 2007 +1000" }, "message": "SELinux: tune avtab to reduce memory usage\n\nThis patch reduces memory usage of SELinux by tuning avtab. Number of hash\nslots in avtab was 32768. Unused slots used memory when number of rules is\nfewer. This patch decides number of hash slots dynamically based on number\nof rules. (chain length)^2 is also printed out in avtab_hash_eval to see\nstandard deviation of avtab hash table.\n\nSigned-off-by: Yuichi Nakamura\u003cynakam@hitachisoft.jp\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a224be766bf593f7bcd534ca0c48dbd3eaf7bfce", "tree": "b0a053b35fe654fb35199c1b5326a4d3932f79da", "parents": [ "762cc40801ad757a34527d5e548816cf3b6fc606" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Oct 15 02:58:25 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Oct 15 12:26:44 2007 -0700" }, "message": "[SELINUX]: Update for netfilter -\u003ehook() arg changes.\n\nThey take a \"struct sk_buff *\" instead of a \"struct sk_buff **\" now.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "227b60f5102cda4e4ab792b526a59c8cb20cd9f8", "tree": "2c9e372601ba794894833b0618bc531a9f5d57c4", "parents": [ "06393009000779b00a558fd2f280882cc7dc2008" ], "author": { "name": "Stephen Hemminger", "email": "shemminger@linux-foundation.org", "time": "Wed Oct 10 17:30:46 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Oct 10 17:30:46 2007 -0700" }, "message": "[INET]: local port range robustness\n\nExpansion of original idea from Denis V. Lunev \u003cden@openvz.org\u003e\n\nAdd robustness and locking to the local_port_range sysctl.\n1. Enforce that low \u003c high when setting.\n2. Use seqlock to ensure atomic update.\n\nThe locking might seem like overkill, but there are\ncases where sysadmin might want to change value in the\nmiddle of a DoS attack.\n\nSigned-off-by: Stephen Hemminger \u003cshemminger@linux-foundation.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "b4b510290b056b86611757ce1175a230f1080f53", "tree": "7bd1d45855ac7457be6d50338c60751f19e436d9", "parents": [ "e9dc86534051b78e41e5b746cccc291b57a3a311" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Wed Sep 12 13:05:38 2007 +0200" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 10 16:49:09 2007 -0700" }, "message": "[NET]: Support multiple network namespaces with netlink\n\nEach netlink socket will live in exactly one network namespace,\nthis includes the controlling kernel sockets.\n\nThis patch updates all of the existing netlink protocols\nto only support the initial network namespace. Request\nby clients in other namespaces will get -ECONREFUSED.\nAs they would if the kernel did not have the support for\nthat netlink protocol compiled in.\n\nAs each netlink protocol is updated to be multiple network\nnamespace safe it can register multiple kernel sockets\nto acquire a presence in the rest of the network namespaces.\n\nThe implementation in af_netlink is a simple filter implementation\nat hash table insertion and hash table look up time.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e9dc86534051b78e41e5b746cccc291b57a3a311", "tree": "1cd4a1dde4c51b6311749428a22cc8a8f5436825", "parents": [ "e730c15519d09ea528b4d2f1103681fa5937c0e6" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Wed Sep 12 13:02:17 2007 +0200" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 10 16:49:09 2007 -0700" }, "message": "[NET]: Make device event notification network namespace safe\n\nEvery user of the network device notifiers is either a protocol\nstack or a pseudo device. If a protocol stack that does not have\nsupport for multiple network namespaces receives an event for a\ndevice that is not in the initial network namespace it quite possibly\ncan get confused and do the wrong thing.\n\nTo avoid problems until all of the protocol stacks are converted\nthis patch modifies all netdev event handlers to ignore events on\ndevices that are not in the initial network namespace.\n\nAs the rest of the code is made network namespace aware these\nchecks can be removed.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "31e879309474d1666d645b96de99d0b682fa055f", "tree": "bb9d45dc85e03044b5ee7635f3646774bcbb30d4", "parents": [ "a88a8eff1e6e32d3288986a9d36c6a449c032d3a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Sep 19 17:19:12 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Sep 20 08:06:40 2007 +1000" }, "message": "SELinux: fix array out of bounds when mounting with selinux options\n\nGiven an illegal selinux option it was possible for match_token to work in\nrandom memory at the end of the match_table_t array.\n\nNote that privilege is required to perform a context mount, so this issue is\neffectively limited to root only.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4ac212ad4e8fafc22fa147fc255ff5fa5435cf33", "tree": "9ab703429a2b24ccafc6748c1e0f2147f2b47114", "parents": [ "a1c582d0720f2eff61043e90711767decf37b917" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Wed Aug 29 08:51:50 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@localhost.localdomain", "time": "Thu Aug 30 20:22:47 2007 -0400" }, "message": "SELinux: clear parent death signal on SID transitions\n\nClear parent death signal on SID transitions to prevent unauthorized\nsignaling between SIDs.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@localhost.localdomain\u003e\n" }, { "commit": "34b4e4aa3c470ce8fa2bd78abb1741b4b58baad7", "tree": "91d620288f1aaf63c12dc84ca1015465818601f2", "parents": [ "afe1ab4d577892822de2c8e803fbfaed6ec44ba3" ], "author": { "name": "Alan Cox", "email": "alan@lxorguk.ukuu.org.uk", "time": "Wed Aug 22 14:01:28 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Aug 22 19:52:45 2007 -0700" }, "message": "fix NULL pointer dereference in __vm_enough_memory()\n\nThe new exec code inserts an accounted vma into an mm struct which is not\ncurrent-\u003emm. The existing memory check code has a hard coded assumption\nthat this does not happen as does the security code.\n\nAs the correct mm is known we pass the mm to the security method and the\nhelper function. A new security test is added for the case where we need\nto pass the mm and the existing one is modified to pass current-\u003emm to\navoid the need to change large amounts of code.\n\n(Thanks to Tobias for fixing rejects and testing)\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nCc: WU Fengguang \u003cwfg@mail.ustc.edu.cn\u003e\nCc: James Morris \u003cjmorris@redhat.com\u003e\nCc: Tobias Diedrich \u003cranma+kernel@tdiedrich.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3ad40d647d5e7c320385649e5eb422a5e89e035d", "tree": "496025ef0d9427967f56d2523cfc2b2097531ec4", "parents": [ "28e8351ac22de25034e048c680014ad824323c65" ], "author": { "name": "Steve G", "email": "linux_4ever@yahoo.com", "time": "Tue Aug 14 12:50:46 2007 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@halo.namei", "time": "Thu Aug 16 11:42:28 2007 -0400" }, "message": "SELinux: correct error code in selinux_audit_rule_init\n\nCorrects an error code so that it is valid to pass to userspace.\n\nSigned-off-by: Steve Grubb \u003clinux_4ever@yahoo.com\u003e\nSigned-off-by: James Morris \u003cjmorris@halo.namei\u003e\n" }, { "commit": "088999e98b8caecd31adc3b62223a228555c5ab7", "tree": "ee16fd7c6cdde90642550ee9937fafb96e979f67", "parents": [ "9534f71ca33e5a9de26dfd43c76af86e005005dd" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Aug 01 11:12:58 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 02 11:52:23 2007 -0400" }, "message": "SELinux: remove redundant pointer checks before calling kfree()\n\nWe don\u0027t need to check for NULL pointers before calling kfree().\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9534f71ca33e5a9de26dfd43c76af86e005005dd", "tree": "344444735f541f79ed98cc38fa9040bc018ec66e", "parents": [ "1ed4395035a6791ebbbf618429a58ab9c207cc83" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Mon Jul 30 16:33:26 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 02 11:52:21 2007 -0400" }, "message": "SELinux: restore proper NetLabel caching behavior\n\nA small fix to the SELinux/NetLabel glue code to ensure that the NetLabel\ncache is utilized when possible. This was broken when the SELinux/NetLabel\nglue code was reorganized in the last kernel release.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d133a9609ee6111c9718a4bbe559b84a399603e6", "tree": "c838cc2ec00584acdf42125a13be1a8274b038e7", "parents": [ "6ace06dc68db13f7f82f9341fdef89502f0bb217" ], "author": { "name": "Gabriel Craciunescu", "email": "nix.or.die@googlemail.com", "time": "Tue Jul 31 00:39:19 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Jul 31 15:39:42 2007 -0700" }, "message": "Typo fixes errror -\u003e error\n\nTypo fixes errror -\u003e error\n\nSigned-off-by: Gabriel Craciunescu \u003cnix.or.die@googlemail.com\u003e\nCc: Jeff Garzik \u003cjeff@garzik.org\u003e\nCc: Martin Schwidefsky \u003cschwidefsky@de.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "910949a66839ff5f59fede5b7cb68ecf1453e22c", "tree": "6842924dba1c4af0397d06aa4b6363e8c26c220e", "parents": [ "0de085bb474f64e4fdb2f1ff3268590792648c7b" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Tue Jul 24 09:53:23 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jul 25 12:49:41 2007 -0400" }, "message": "SELinux: null-terminate context string in selinux_xfrm_sec_ctx_alloc\n\nxfrm_audit_log() expects the context string to be null-terminated\nwhich currently doesn\u0027t happen with user-supplied contexts.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0ec8abd7086ee4f760cb1b477fe376805b17558c", "tree": "09eff2e119de344244242788eab5b6514191f040", "parents": [ "f695baf2df9e0413d3521661070103711545207a" ], "author": { "name": "Jesper Juhl", "email": "jesper.juhl@gmail.com", "time": "Sat Jul 21 00:12:44 2007 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 23 09:35:37 2007 -0400" }, "message": "SELinux: fix memory leak in security_netlbl_cache_add()\n\nFix memory leak in security_netlbl_cache_add()\nNote: The Coverity checker gets credit for spotting this one.\n\nSigned-off-by: Jesper Juhl \u003cjesper.juhl@gmail.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "4259fa01a2d2aa3e589b34ba7624080232d9c1ff", "tree": "3aa83d784c4db22f3b62e4d963757497555c5e5c", "parents": [ "74f2345b6be1410f824cb7dd638d2c10a9709379" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Jun 07 11:13:31 2007 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jul 22 09:57:02 2007 -0400" }, "message": "[PATCH] get rid of AVC_PATH postponed treatment\n\n Selinux folks had been complaining about the lack of AVC_PATH\nrecords when audit is disabled. I must admit my stupidity - I assumed\nthat avc_audit() really couldn\u0027t use audit_log_d_path() because of\ndeadlocks (\u003d\u003d could be called with dcache_lock or vfsmount_lock held).\nShouldn\u0027t have made that assumption - it never gets called that way.\nIt _is_ called under spinlocks, but not those.\n\n Since audit_log_d_path() uses ab-\u003egfp_mask for allocations,\nkmalloc() in there is not a problem. IOW, the simple fix is sufficient:\nlet\u0027s rip AUDIT_AVC_PATH out and simply generate pathname as part of main\nrecord. It\u0027s trivial to do.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "20c2df83d25c6a95affe6157a4c9cac4cf5ffaac", "tree": "415c4453d2b17a50abe7a3e515177e1fa337bd67", "parents": [ "64fb98fc40738ae1a98bcea9ca3145b89fb71524" ], "author": { "name": "Paul Mundt", "email": "lethal@linux-sh.org", "time": "Fri Jul 20 10:11:58 2007 +0900" }, "committer": { "name": "Paul Mundt", "email": "lethal@linux-sh.org", "time": "Fri Jul 20 10:11:58 2007 +0900" }, "message": "mm: Remove slab destructors from kmem_cache_create().\n\nSlab destructors were no longer supported after Christoph\u0027s\nc59def9f222d44bb7e2f0a559f2906191a0862d7 change. They\u0027ve been\nBUGs for both slab and slub, and slob never supported them\neither.\n\nThis rips out support for the dtor pointer from kmem_cache_create()\ncompletely and fixes up every single callsite in the kernel (there were\nabout 224, not including the slab allocator definitions themselves,\nor the documentation references).\n\nSigned-off-by: Paul Mundt \u003clethal@linux-sh.org\u003e\n" }, { "commit": "721e2629fa2167c0e5a9f10d704b1fee1621a8cb", "tree": "a1580ed191e710f891ef1bf25c8c1fc7d6f054a9", "parents": [ "fdb64f93b38a3470fa4db8cd5720b8c731922d1a", "f36158c410651fe66f438c17b2ab3ae813f8c060" ], "author": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Jul 19 14:42:40 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Jul 19 14:42:40 2007 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:\n SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel\n SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement\n" }, { "commit": "6c5d523826dc639df709ed0f88c5d2ce25379652", "tree": "ef2fa8cb30266b3a9b047902794e78c583b099da", "parents": [ "76fdbb25f963de5dc1e308325f0578a2f92b1c2d" ], "author": { "name": "Kawai, Hidehiro", "email": "hidehiro.kawai.ez@hitachi.com", "time": "Thu Jul 19 01:48:27 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Jul 19 10:04:46 2007 -0700" }, "message": "coredump masking: reimplementation of dumpable using two flags\n\nThis patch changes mm_struct.dumpable to a pair of bit flags.\n\nset_dumpable() converts three-value dumpable to two flags and stores it into\nlower two bits of mm_struct.flags instead of mm_struct.dumpable.\nget_dumpable() behaves in the opposite way.\n\n[akpm@linux-foundation.org: export set_dumpable]\nSigned-off-by: Hidehiro Kawai \u003chidehiro.kawai.ez@hitachi.com\u003e\nCc: Alan Cox \u003calan@lxorguk.ukuu.org.uk\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: Hugh Dickins \u003chugh@veritas.com\u003e\nCc: Nick Piggin \u003cnickpiggin@yahoo.com.au\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "f36158c410651fe66f438c17b2ab3ae813f8c060", "tree": "644e57a36d918fe2b2fcdd2f59daffb847cd8d36", "parents": [ "23bcdc1adebd3cb47d5666f2e9ecada95c0134e4" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Wed Jul 18 12:28:46 2007 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jul 19 10:21:13 2007 -0400" }, "message": "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel\n\nThese changes will make NetLabel behave like labeled IPsec where there is an\naccess check for both labeled and unlabeled packets as well as providing the\nability to restrict domains to receiving only labeled packets when NetLabel is\nin use. The changes to the policy are straight forward with the following\nnecessary to receive labeled traffic (with SECINITSID_NETMSG defined as\n\"netlabel_peer_t\"):\n\n allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThe policy for unlabeled traffic would be:\n\n allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThese policy changes, as well as more general NetLabel support, are included in\nthe latest SELinux Reference Policy release 20070629 or later. Users who make\nuse of NetLabel are strongly encouraged to upgrade their policy to avoid\nnetwork problems. Users who do not make use of NetLabel will not notice any\ndifference.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ], "next": "23bcdc1adebd3cb47d5666f2e9ecada95c0134e4" }