)]}'
{
  "log": [
    {
      "commit": "7ac512aa8237c43331ffaf77a4fd8b8d684819ba",
      "tree": "0fe199f0364c5b54012691c9e4ff4a11767d1797",
      "parents": [
        "91af70814105f4c05e6e11b51c3269907b71794b"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed May 12 15:34:03 2010 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed May 12 18:23:58 2010 -0700"
      },
      "message": "CacheFiles: Fix error handling in cachefiles_determine_cache_security()\n\ncachefiles_determine_cache_security() is expected to return with a\nsecurity override in place.  However, if set_create_files_as() fails, we\nfail to do this.  In this case, we should just reinstate the security\noverride that was set by the caller.\n\nFurthermore, if set_create_files_as() fails, we should dispose of the\nnew credentials we were in the process of creating.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "9ae326a69004dea8af2dae4fde58de27db700a8d",
      "tree": "3a1d88a6e297989bfbd17648b398c7aa5ef9bf30",
      "parents": [
        "800a964787faef3509d194fa33268628c3d1daa9"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 03 16:42:41 2009 +0100"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 03 16:42:41 2009 +0100"
      },
      "message": "CacheFiles: A cache that backs onto a mounted filesystem\n\nAdd an FS-Cache cache-backend that permits a mounted filesystem to be used as a\nbacking store for the cache.\n\nCacheFiles uses a userspace daemon to do some of the cache management - such as\nreaping stale nodes and culling.  This is called cachefilesd and lives in\n/sbin.  The source for the daemon can be downloaded from:\n\n\thttp://people.redhat.com/~dhowells/cachefs/cachefilesd.c\n\nAnd an example configuration from:\n\n\thttp://people.redhat.com/~dhowells/cachefs/cachefilesd.conf\n\nThe filesystem and data integrity of the cache are only as good as those of the\nfilesystem providing the backing services.  Note that CacheFiles does not\nattempt to journal anything since the journalling interfaces of the various\nfilesystems are very specific in nature.\n\nCacheFiles creates a misc character device - \"/dev/cachefiles\" - that is used\nto communication with the daemon.  Only one thing may have this open at once,\nand whilst it is open, a cache is at least partially in existence.  The daemon\nopens this and sends commands down it to control the cache.\n\nCacheFiles is currently limited to a single cache.\n\nCacheFiles attempts to maintain at least a certain percentage of free space on\nthe filesystem, shrinking the cache by culling the objects it contains to make\nspace if necessary - see the \"Cache Culling\" section.  This means it can be\nplaced on the same medium as a live set of data, and will expand to make use of\nspare space and automatically contract when the set of data requires more\nspace.\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nREQUIREMENTS\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nThe use of CacheFiles and its daemon requires the following features to be\navailable in the system and in the cache filesystem:\n\n\t- dnotify.\n\n\t- extended attributes (xattrs).\n\n\t- openat() and friends.\n\n\t- bmap() support on files in the filesystem (FIBMAP ioctl).\n\n\t- The use of bmap() to detect a partial page at the end of the file.\n\nIt is strongly recommended that the \"dir_index\" option is enabled on Ext3\nfilesystems being used as a cache.\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nCONFIGURATION\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nThe cache is configured by a script in /etc/cachefilesd.conf.  These commands\nset up cache ready for use.  The following script commands are available:\n\n (*) brun \u003cN\u003e%\n (*) bcull \u003cN\u003e%\n (*) bstop \u003cN\u003e%\n (*) frun \u003cN\u003e%\n (*) fcull \u003cN\u003e%\n (*) fstop \u003cN\u003e%\n\n\tConfigure the culling limits.  Optional.  See the section on culling\n\tThe defaults are 7% (run), 5% (cull) and 1% (stop) respectively.\n\n\tThe commands beginning with a \u0027b\u0027 are file space (block) limits, those\n\tbeginning with an \u0027f\u0027 are file count limits.\n\n (*) dir \u003cpath\u003e\n\n\tSpecify the directory containing the root of the cache.  Mandatory.\n\n (*) tag \u003cname\u003e\n\n\tSpecify a tag to FS-Cache to use in distinguishing multiple caches.\n\tOptional.  The default is \"CacheFiles\".\n\n (*) debug \u003cmask\u003e\n\n\tSpecify a numeric bitmask to control debugging in the kernel module.\n\tOptional.  The default is zero (all off).  The following values can be\n\tOR\u0027d into the mask to collect various information:\n\n\t\t1\tTurn on trace of function entry (_enter() macros)\n\t\t2\tTurn on trace of function exit (_leave() macros)\n\t\t4\tTurn on trace of internal debug points (_debug())\n\n\tThis mask can also be set through sysfs, eg:\n\n\t\techo 5 \u003e/sys/modules/cachefiles/parameters/debug\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nSTARTING THE CACHE\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nThe cache is started by running the daemon.  The daemon opens the cache device,\nconfigures the cache and tells it to begin caching.  At that point the cache\nbinds to fscache and the cache becomes live.\n\nThe daemon is run as follows:\n\n\t/sbin/cachefilesd [-d]* [-s] [-n] [-f \u003cconfigfile\u003e]\n\nThe flags are:\n\n (*) -d\n\n\tIncrease the debugging level.  This can be specified multiple times and\n\tis cumulative with itself.\n\n (*) -s\n\n\tSend messages to stderr instead of syslog.\n\n (*) -n\n\n\tDon\u0027t daemonise and go into background.\n\n (*) -f \u003cconfigfile\u003e\n\n\tUse an alternative configuration file rather than the default one.\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nTHINGS TO AVOID\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nDo not mount other things within the cache as this will cause problems.  The\nkernel module contains its own very cut-down path walking facility that ignores\nmountpoints, but the daemon can\u0027t avoid them.\n\nDo not create, rename or unlink files and directories in the cache whilst the\ncache is active, as this may cause the state to become uncertain.\n\nRenaming files in the cache might make objects appear to be other objects (the\nfilename is part of the lookup key).\n\nDo not change or remove the extended attributes attached to cache files by the\ncache as this will cause the cache state management to get confused.\n\nDo not create files or directories in the cache, lest the cache get confused or\nserve incorrect data.\n\nDo not chmod files in the cache.  The module creates things with minimal\npermissions to prevent random users being able to access them directly.\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nCACHE CULLING\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nThe cache may need culling occasionally to make space.  This involves\ndiscarding objects from the cache that have been used less recently than\nanything else.  Culling is based on the access time of data objects.  Empty\ndirectories are culled if not in use.\n\nCache culling is done on the basis of the percentage of blocks and the\npercentage of files available in the underlying filesystem.  There are six\n\"limits\":\n\n (*) brun\n (*) frun\n\n     If the amount of free space and the number of available files in the cache\n     rises above both these limits, then culling is turned off.\n\n (*) bcull\n (*) fcull\n\n     If the amount of available space or the number of available files in the\n     cache falls below either of these limits, then culling is started.\n\n (*) bstop\n (*) fstop\n\n     If the amount of available space or the number of available files in the\n     cache falls below either of these limits, then no further allocation of\n     disk space or files is permitted until culling has raised things above\n     these limits again.\n\nThese must be configured thusly:\n\n\t0 \u003c\u003d bstop \u003c bcull \u003c brun \u003c 100\n\t0 \u003c\u003d fstop \u003c fcull \u003c frun \u003c 100\n\nNote that these are percentages of available space and available files, and do\n_not_ appear as 100 minus the percentage displayed by the \"df\" program.\n\nThe userspace daemon scans the cache to build up a table of cullable objects.\nThese are then culled in least recently used order.  A new scan of the cache is\nstarted as soon as space is made in the table.  Objects will be skipped if\ntheir atimes have changed or if the kernel module says it is still using them.\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nCACHE STRUCTURE\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nThe CacheFiles module will create two directories in the directory it was\ngiven:\n\n (*) cache/\n\n (*) graveyard/\n\nThe active cache objects all reside in the first directory.  The CacheFiles\nkernel module moves any retired or culled objects that it can\u0027t simply unlink\nto the graveyard from which the daemon will actually delete them.\n\nThe daemon uses dnotify to monitor the graveyard directory, and will delete\nanything that appears therein.\n\nThe module represents index objects as directories with the filename \"I...\" or\n\"J...\".  Note that the \"cache/\" directory is itself a special index.\n\nData objects are represented as files if they have no children, or directories\nif they do.  Their filenames all begin \"D...\" or \"E...\".  If represented as a\ndirectory, data objects will have a file in the directory called \"data\" that\nactually holds the data.\n\nSpecial objects are similar to data objects, except their filenames begin\n\"S...\" or \"T...\".\n\nIf an object has children, then it will be represented as a directory.\nImmediately in the representative directory are a collection of directories\nnamed for hash values of the child object keys with an \u0027@\u0027 prepended.  Into\nthis directory, if possible, will be placed the representations of the child\nobjects:\n\n\tINDEX     INDEX      INDEX                             DATA FILES\n\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\tcache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400\n\tcache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400/@75/Es0g000w...DB1ry\n\tcache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400/@75/Es0g000w...N22ry\n\tcache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400/@75/Es0g000w...FP1ry\n\nIf the key is so long that it exceeds NAME_MAX with the decorations added on to\nit, then it will be cut into pieces, the first few of which will be used to\nmake a nest of directories, and the last one of which will be the objects\ninside the last directory.  The names of the intermediate directories will have\n\u0027+\u0027 prepended:\n\n\tJ1223/@23/+xy...z/+kl...m/Epqr\n\nNote that keys are raw data, and not only may they exceed NAME_MAX in size,\nthey may also contain things like \u0027/\u0027 and NUL characters, and so they may not\nbe suitable for turning directly into a filename.\n\nTo handle this, CacheFiles will use a suitably printable filename directly and\n\"base-64\" encode ones that aren\u0027t directly suitable.  The two versions of\nobject filenames indicate the encoding:\n\n\tOBJECT TYPE\tPRINTABLE\tENCODED\n\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\tIndex\t\t\"I...\"\t\t\"J...\"\n\tData\t\t\"D...\"\t\t\"E...\"\n\tSpecial\t\t\"S...\"\t\t\"T...\"\n\nIntermediate directories are always \"@\" or \"+\" as appropriate.\n\nEach object in the cache has an extended attribute label that holds the object\ntype ID (required to distinguish special objects) and the auxiliary data from\nthe netfs.  The latter is used to detect stale objects in the cache and update\nor retire them.\n\nNote that CacheFiles will erase from the cache any file it doesn\u0027t recognise or\nany file of an incorrect type (such as a FIFO file or a device file).\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nSECURITY MODEL AND SELINUX\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nCacheFiles is implemented to deal properly with the LSM security features of\nthe Linux kernel and the SELinux facility.\n\nOne of the problems that CacheFiles faces is that it is generally acting on\nbehalf of a process, and running in that process\u0027s context, and that includes a\nsecurity context that is not appropriate for accessing the cache - either\nbecause the files in the cache are inaccessible to that process, or because if\nthe process creates a file in the cache, that file may be inaccessible to other\nprocesses.\n\nThe way CacheFiles works is to temporarily change the security context (fsuid,\nfsgid and actor security label) that the process acts as - without changing the\nsecurity context of the process when it the target of an operation performed by\nsome other process (so signalling and suchlike still work correctly).\n\nWhen the CacheFiles module is asked to bind to its cache, it:\n\n (1) Finds the security label attached to the root cache directory and uses\n     that as the security label with which it will create files.  By default,\n     this is:\n\n\tcachefiles_var_t\n\n (2) Finds the security label of the process which issued the bind request\n     (presumed to be the cachefilesd daemon), which by default will be:\n\n\tcachefilesd_t\n\n     and asks LSM to supply a security ID as which it should act given the\n     daemon\u0027s label.  By default, this will be:\n\n\tcachefiles_kernel_t\n\n     SELinux transitions the daemon\u0027s security ID to the module\u0027s security ID\n     based on a rule of this form in the policy.\n\n\ttype_transition \u003cdaemon\u0027s-ID\u003e kernel_t : process \u003cmodule\u0027s-ID\u003e;\n\n     For instance:\n\n\ttype_transition cachefilesd_t kernel_t : process cachefiles_kernel_t;\n\nThe module\u0027s security ID gives it permission to create, move and remove files\nand directories in the cache, to find and access directories and files in the\ncache, to set and access extended attributes on cache objects, and to read and\nwrite files in the cache.\n\nThe daemon\u0027s security ID gives it only a very restricted set of permissions: it\nmay scan directories, stat files and erase files and directories.  It may\nnot read or write files in the cache, and so it is precluded from accessing the\ndata cached therein; nor is it permitted to create new files in the cache.\n\nThere are policy source files available in:\n\n\thttp://people.redhat.com/~dhowells/fscache/cachefilesd-0.8.tar.bz2\n\nand later versions.  In that tarball, see the files:\n\n\tcachefilesd.te\n\tcachefilesd.fc\n\tcachefilesd.if\n\nThey are built and installed directly by the RPM.\n\nIf a non-RPM based system is being used, then copy the above files to their own\ndirectory and run:\n\n\tmake -f /usr/share/selinux/devel/Makefile\n\tsemodule -i cachefilesd.pp\n\nYou will need checkpolicy and selinux-policy-devel installed prior to the\nbuild.\n\nBy default, the cache is located in /var/fscache, but if it is desirable that\nit should be elsewhere, than either the above policy files must be altered, or\nan auxiliary policy must be installed to label the alternate location of the\ncache.\n\nFor instructions on how to add an auxiliary policy to enable the cache to be\nlocated elsewhere when SELinux is in enforcing mode, please see:\n\n\t/usr/share/doc/cachefilesd-*/move-cache.txt\n\nWhen the cachefilesd rpm is installed; alternatively, the document can be found\nin the sources.\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nA NOTE ON SECURITY\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nCacheFiles makes use of the split security in the task_struct.  It allocates\nits own task_security structure, and redirects current-\u003eact_as to point to it\nwhen it acts on behalf of another process, in that process\u0027s context.\n\nThe reason it does this is that it calls vfs_mkdir() and suchlike rather than\nbypassing security and calling inode ops directly.  Therefore the VFS and LSM\nmay deny the CacheFiles access to the cache data because under some\ncircumstances the caching code is running in the security context of whatever\nprocess issued the original syscall on the netfs.\n\nFurthermore, should CacheFiles create a file or directory, the security\nparameters with that object is created (UID, GID, security label) would be\nderived from that process that issued the system call, thus potentially\npreventing other processes from accessing the cache - including CacheFiles\u0027s\ncache management daemon (cachefilesd).\n\nWhat is required is to temporarily override the security of the process that\nissued the system call.  We can\u0027t, however, just do an in-place change of the\nsecurity data as that affects the process as an object, not just as a subject.\nThis means it may lose signals or ptrace events for example, and affects what\nthe process looks like in /proc.\n\nSo CacheFiles makes use of a logical split in the security between the\nobjective security (task-\u003esec) and the subjective security (task-\u003eact_as).  The\nobjective security holds the intrinsic security properties of a process and is\nnever overridden.  This is what appears in /proc, and is what is used when a\nprocess is the target of an operation by some other process (SIGKILL for\nexample).\n\nThe subjective security holds the active security properties of a process, and\nmay be overridden.  This is not seen externally, and is used whan a process\nacts upon another object, for example SIGKILLing another process or opening a\nfile.\n\nLSM hooks exist that allow SELinux (or Smack or whatever) to reject a request\nfor CacheFiles to run in a context of a specific security label, or to create\nfiles and directories with another security label.\n\nThis documentation is added by the patch to:\n\n\tDocumentation/filesystems/caching/cachefiles.txt\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Steve Dickson \u003csteved@redhat.com\u003e\nAcked-by: Trond Myklebust \u003cTrond.Myklebust@netapp.com\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nTested-by: Daire Byrne \u003cDaire.Byrne@framestore.com\u003e\n"
    }
  ]
}