)]}' { "log": [ { "commit": "a5ecbcb8c13ea8a822d243bf782d0dc9525b4f84", "tree": "902df830bf581642a49bbb1e4f4de5b9f80eeaa1", "parents": [ "551e4fb2465b87de9d4aa1669b27d624435443bb" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 31 15:11:22 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@localhost.localdomain", "time": "Wed Feb 06 21:39:46 2008 +0800" }, "message": "security: allow Kconfig to set default mmap_min_addr protection\n\nSince it was decided that low memory protection from userspace couldn\u0027t\nbe turned on by default add a Kconfig option to allow users/distros to\nset a default at compile time. This value is still tunable after boot\nin /proc/sys/vm/mmap_min_addr\n\nDiscussion:\nhttp://www.mail-archive.com/linux-security-module@vger.kernel.org/msg02543.html\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e114e473771c848c3cfec05f0123e70f1cdbdc99", "tree": "933b840f3ccac6860da56291c742094f9b5a20cb", "parents": [ "eda61d32e8ad1d9102872f9a0abf3344bf9c5e67" ], "author": { "name": "Casey Schaufler", "email": "casey@schaufler-ca.com", "time": "Mon Feb 04 22:29:50 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Feb 05 09:44:20 2008 -0800" }, "message": "Smack: Simplified Mandatory Access Control Kernel\n\nSmack is the Simplified Mandatory Access Control Kernel.\n\nSmack implements mandatory access control (MAC) using labels\nattached to tasks and data containers, including files, SVIPC,\nand other tasks. Smack is a kernel based scheme that requires\nan absolute minimum of application support and a very small\namount of configuration data.\n\nSmack uses extended attributes and\nprovides a set of general mount options, borrowing technics used\nelsewhere. Smack uses netlabel for CIPSO labeling. Smack provides\na pseudo-filesystem smackfs that is used for manipulation of\nsystem Smack attributes.\n\nThe patch, patches for ls and sshd, a README, a startup script,\nand x86 binaries for ls and sshd are also available on\n\n http://www.schaufler-ca.com\n\nDevelopment has been done using Fedora Core 7 in a virtual machine\nenvironment and on an old Sony laptop.\n\nSmack provides mandatory access controls based on the label attached\nto a task and the label attached to the object it is attempting to\naccess. Smack labels are deliberately short (1-23 characters) text\nstrings. Single character labels using special characters are reserved\nfor system use. The only operation applied to Smack labels is equality\ncomparison. No wildcards or expressions, regular or otherwise, are\nused. Smack labels are composed of printable characters and may not\ninclude \"/\".\n\nA file always gets the Smack label of the task that created it.\n\nSmack defines and uses these labels:\n\n \"*\" - pronounced \"star\"\n \"_\" - pronounced \"floor\"\n \"^\" - pronounced \"hat\"\n \"?\" - pronounced \"huh\"\n\nThe access rules enforced by Smack are, in order:\n\n1. Any access requested by a task labeled \"*\" is denied.\n2. A read or execute access requested by a task labeled \"^\"\n is permitted.\n3. A read or execute access requested on an object labeled \"_\"\n is permitted.\n4. Any access requested on an object labeled \"*\" is permitted.\n5. Any access requested by a task on an object with the same\n label is permitted.\n6. Any access requested that is explicitly defined in the loaded\n rule set is permitted.\n7. Any other access is denied.\n\nRules may be explicitly defined by writing subject,object,access\ntriples to /smack/load.\n\nSmack rule sets can be easily defined that describe Bell\u0026LaPadula\nsensitivity, Biba integrity, and a variety of interesting\nconfigurations. Smack rule sets can be modified on the fly to\naccommodate changes in the operating environment or even the time\nof day.\n\nSome practical use cases:\n\nHierarchical levels. The less common of the two usual uses\nfor MLS systems is to define hierarchical levels, often\nunclassified, confidential, secret, and so on. To set up smack\nto support this, these rules could be defined:\n\n C Unclass rx\n S C rx\n S Unclass rx\n TS S rx\n TS C rx\n TS Unclass rx\n\nA TS process can read S, C, and Unclass data, but cannot write it.\nAn S process can read C and Unclass. Note that specifying that\nTS can read S and S can read C does not imply TS can read C, it\nhas to be explicitly stated.\n\nNon-hierarchical categories. This is the more common of the\nusual uses for an MLS system. Since the default rule is that a\nsubject cannot access an object with a different label no\naccess rules are required to implement compartmentalization.\n\nA case that the Bell \u0026 LaPadula policy does not allow is demonstrated\nwith this Smack access rule:\n\nA case that Bell\u0026LaPadula does not allow that Smack does:\n\n ESPN ABC r\n ABC ESPN r\n\nOn my portable video device I have two applications, one that\nshows ABC programming and the other ESPN programming. ESPN wants\nto show me sport stories that show up as news, and ABC will\nonly provide minimal information about a sports story if ESPN\nis covering it. Each side can look at the other\u0027s info, neither\ncan change the other. Neither can see what FOX is up to, which\nis just as well all things considered.\n\nAnother case that I especially like:\n\n SatData Guard w\n Guard Publish w\n\nA program running with the Guard label opens a UDP socket and\naccepts messages sent by a program running with a SatData label.\nThe Guard program inspects the message to ensure it is wholesome\nand if it is sends it to a program running with the Publish label.\nThis program then puts the information passed in an appropriate\nplace. Note that the Guard program cannot write to a Publish\nfile system object because file system semanitic require read as\nwell as write.\n\nThe four cases (categories, levels, mutual read, guardbox) here\nare all quite real, and problems I\u0027ve been asked to solve over\nthe years. The first two are easy to do with traditonal MLS systems\nwhile the last two you can\u0027t without invoking privilege, at least\nfor a while.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Joshua Brindle \u003cmethod@manicmethod.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \"Ahmed S. Darwish\" \u003cdarwish.07@gmail.com\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "f71ea9ddf0ff110f3fcbb89a46686bfba264014c", "tree": "db6843db55d5e1036248fc41782a891882b2cb54", "parents": [ "374ea019cacfa8b69ae49eea993b74cb5968970b" ], "author": { "name": "sergeh@us.ibm.com", "email": "sergeh@us.ibm.com", "time": "Tue Jan 29 05:04:43 2008 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:18:21 2008 +1100" }, "message": "security: compile capabilities by default\n\nCapabilities have long been the default when CONFIG_SECURITY\u003dn,\nand its help text suggests turning it on when CONFIG_SECURITY\u003dy.\nBut it is set to default n.\n\nDefault it to y instead.\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Matt LaPlante \u003ckernel1@cyberdogtech.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b53767719b6cd8789392ea3e7e2eb7b8906898f0", "tree": "a0279dc93c79b94d3865b0f19f6b7b353e20608c", "parents": [ "57c521ce6125e15e99e56c902cb8da96bee7b36d" ], "author": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Tue Oct 16 23:31:36 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "Implement file posix capabilities\n\nImplement file posix capabilities. This allows programs to be given a\nsubset of root\u0027s powers regardless of who runs them, without having to use\nsetuid and giving the binary all of root\u0027s powers.\n\nThis version works with Kaigai Kohei\u0027s userspace tools, found at\nhttp://www.kaigai.gr.jp/index.php. For more information on how to use this\npatch, Chris Friedhoff has posted a nice page at\nhttp://www.friedhoff.org/fscaps.html.\n\nChangelog:\n\tNov 27:\n\tIncorporate fixes from Andrew Morton\n\t(security-introduce-file-caps-tweaks and\n\tsecurity-introduce-file-caps-warning-fix)\n\tFix Kconfig dependency.\n\tFix change signaling behavior when file caps are not compiled in.\n\n\tNov 13:\n\tIntegrate comments from Alexey: Remove CONFIG_ ifdef from\n\tcapability.h, and use %zd for printing a size_t.\n\n\tNov 13:\n\tFix endianness warnings by sparse as suggested by Alexey\n\tDobriyan.\n\n\tNov 09:\n\tAddress warnings of unused variables at cap_bprm_set_security\n\twhen file capabilities are disabled, and simultaneously clean\n\tup the code a little, by pulling the new code into a helper\n\tfunction.\n\n\tNov 08:\n\tFor pointers to required userspace tools and how to use\n\tthem, see http://www.friedhoff.org/fscaps.html.\n\n\tNov 07:\n\tFix the calculation of the highest bit checked in\n\tcheck_cap_sanity().\n\n\tNov 07:\n\tAllow file caps to be enabled without CONFIG_SECURITY, since\n\tcapabilities are the default.\n\tHook cap_task_setscheduler when !CONFIG_SECURITY.\n\tMove capable(TASK_KILL) to end of cap_task_kill to reduce\n\taudit messages.\n\n\tNov 05:\n\tAdd secondary calls in selinux/hooks.c to task_setioprio and\n\ttask_setscheduler so that selinux and capabilities with file\n\tcap support can be stacked.\n\n\tSep 05:\n\tAs Seth Arnold points out, uid checks are out of place\n\tfor capability code.\n\n\tSep 01:\n\tDefine task_setscheduler, task_setioprio, cap_task_kill, and\n\ttask_setnice to make sure a user cannot affect a process in which\n\tthey called a program with some fscaps.\n\n\tOne remaining question is the note under task_setscheduler: are we\n\tok with CAP_SYS_NICE being sufficient to confine a process to a\n\tcpuset?\n\n\tIt is a semantic change, as without fsccaps, attach_task doesn\u0027t\n\tallow CAP_SYS_NICE to override the uid equivalence check. But since\n\tit uses security_task_setscheduler, which elsewhere is used where\n\tCAP_SYS_NICE can be used to override the uid equivalence check,\n\tfixing it might be tough.\n\n\t task_setscheduler\n\t\t note: this also controls cpuset:attach_task. Are we ok with\n\t\t CAP_SYS_NICE being used to confine to a cpuset?\n\t task_setioprio\n\t task_setnice\n\t\t sys_setpriority uses this (through set_one_prio) for another\n\t\t process. Need same checks as setrlimit\n\n\tAug 21:\n\tUpdated secureexec implementation to reflect the fact that\n\teuid and uid might be the same and nonzero, but the process\n\tmight still have elevated caps.\n\n\tAug 15:\n\tHandle endianness of xattrs.\n\tEnforce capability version match between kernel and disk.\n\tEnforce that no bits beyond the known max capability are\n\tset, else return -EPERM.\n\tWith this extra processing, it may be worth reconsidering\n\tdoing all the work at bprm_set_security rather than\n\td_instantiate.\n\n\tAug 10:\n\tAlways call getxattr at bprm_set_security, rather than\n\tcaching it at d_instantiate.\n\n[morgan@kernel.org: file-caps clean up for linux/capability.h]\n[bunk@kernel.org: unexport cap_inode_killpriv]\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Andrew Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "20510f2f4e2dabb0ff6c13901807627ec9452f98", "tree": "d64b9eeb90d577f7f9688a215c4c6c3c2405188a", "parents": [ "5c3b447457789374cdb7b03afe2540d48c649a36" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Oct 16 23:31:32 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "security: Convert LSM into a static interface\n\nConvert LSM into a static interface, as the ability to unload a security\nmodule is not required by in-tree users and potentially complicates the\noverall security architecture.\n\nNeedlessly exported LSM symbols have been unexported, to help reduce API\nabuse.\n\nParameters for the capability and root_plug modules are now specified\nat boot.\n\nThe SECURITY_FRAMEWORK_VERSION macro has also been removed.\n\nIn a nutshell, there is no safe way to unload an LSM. The modular interface\nis thus unecessary and broken infrastructure. It is used only by out-of-tree\nmodules, which are often binary-only, illegal, abusive of the API and\ndangerous, e.g. silently re-vectoring SELinux.\n\n[akpm@linux-foundation.org: cleanups]\n[akpm@linux-foundation.org: USB Kconfig fix]\n[randy.dunlap@oracle.com: fix LSM kernel-doc]\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nAcked-by: Arjan van de Ven \u003carjan@infradead.org\u003e\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3bc1fa8ae18f281b40903cce94baba10c3cf9d88", "tree": "9097244b28cbf4eba16368803272af0fc70224d5", "parents": [ "cd1c6a48ac16b360746f9f111895931d332c35dd" ], "author": { "name": "Chris Wright", "email": "chrisw@sous-sol.org", "time": "Fri Sep 29 01:59:49 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 29 09:18:10 2006 -0700" }, "message": "[PATCH] LSM: remove BSD secure level security module\n\nThis code has suffered from broken core design and lack of developer\nattention. Broken security modules are too dangerous to leave around. It\nis time to remove this one.\n\nSigned-off-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nAcked-by: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Davi Arnaut \u003cdavi.arnaut@gmail.com\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "06ec7be557a1259611d6093a00463c42650dc71a", "tree": "b83cdbc8405e0a174939d36e4fe40fb8adb51071", "parents": [ "e51f6d343789a4f0a2a7587ad7ec7746969d5c1c" ], "author": { "name": "Michael LeMay", "email": "mdlemay@epoch.ncsc.mil", "time": "Mon Jun 26 00:24:56 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: restrict contents of /proc/keys to Viewable keys\n\nRestrict /proc/keys such that only those keys to which the current task is\ngranted View permission are presented.\n\nThe documentation is also updated to reflect these changes.\n\nSigned-off-by: Michael LeMay \u003cmdlemay@epoch.ncsc.mil\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "df71837d5024e2524cd51c93621e558aa7dd9f3f", "tree": "58938f1d46f3c6713b63e5a785e82fdbb10121a1", "parents": [ "88026842b0a760145aa71d69e74fbc9ec118ca44" ], "author": { "name": "Trent Jaeger", "email": "tjaeger@cse.psu.edu", "time": "Tue Dec 13 23:12:27 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jan 03 13:10:24 2006 -0800" }, "message": "[LSM-IPSec]: Security association restriction.\n\nThis patch series implements per packet access control via the\nextension of the Linux Security Modules (LSM) interface by hooks in\nthe XFRM and pfkey subsystems that leverage IPSec security\nassociations to label packets. Extensions to the SELinux LSM are\nincluded that leverage the patch for this purpose.\n\nThis patch implements the changes necessary to the XFRM subsystem,\npfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a\nsocket to use only authorized security associations (or no security\nassociation) to send/receive network packets.\n\nPatch purpose:\n\nThe patch is designed to enable access control per packets based on\nthe strongly authenticated IPSec security association. Such access\ncontrols augment the existing ones based on network interface and IP\naddress. The former are very coarse-grained, and the latter can be\nspoofed. By using IPSec, the system can control access to remote\nhosts based on cryptographic keys generated using the IPSec mechanism.\nThis enables access control on a per-machine basis or per-application\nif the remote machine is running the same mechanism and trusted to\nenforce the access control policy.\n\nPatch design approach:\n\nThe overall approach is that policy (xfrm_policy) entries set by\nuser-level programs (e.g., setkey for ipsec-tools) are extended with a\nsecurity context that is used at policy selection time in the XFRM\nsubsystem to restrict the sockets that can send/receive packets via\nsecurity associations (xfrm_states) that are built from those\npolicies.\n\nA presentation available at\nwww.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf\nfrom the SELinux symposium describes the overall approach.\n\nPatch implementation details:\n\nOn output, the policy retrieved (via xfrm_policy_lookup or\nxfrm_sk_policy_lookup) must be authorized for the security context of\nthe socket and the same security context is required for resultant\nsecurity association (retrieved or negotiated via racoon in\nipsec-tools). This is enforced in xfrm_state_find.\n\nOn input, the policy retrieved must also be authorized for the socket\n(at __xfrm_policy_check), and the security context of the policy must\nalso match the security association being used.\n\nThe patch has virtually no impact on packets that do not use IPSec.\nThe existing Netfilter (outgoing) and LSM rcv_skb hooks are used as\nbefore.\n\nAlso, if IPSec is used without security contexts, the impact is\nminimal. The LSM must allow such policies to be selected for the\ncombination of socket and remote machine, but subsequent IPSec\nprocessing proceeds as in the original case.\n\nTesting:\n\nThe pfkey interface is tested using the ipsec-tools. ipsec-tools have\nbeen modified (a separate ipsec-tools patch is available for version\n0.5) that supports assignment of xfrm_policy entries and security\nassociations with security contexts via setkey and the negotiation\nusing the security contexts via racoon.\n\nThe xfrm_user interface is tested via ad hoc programs that set\nsecurity contexts. These programs are also available from me, and\ncontain programs for setting, getting, and deleting policy for testing\nthis interface. Testing of sa functions was done by tracing kernel\nbehavior.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2c40579bdc2a94977fcff2521d5b53a97c33e77a", "tree": "04da3ba2070d46115e93ddbb148e035666862d84", "parents": [ "5a73c308754e27829c94544e010f133019cbd432" ], "author": { "name": "Adrian Bunk", "email": "bunk@stusta.de", "time": "Mon Aug 22 18:20:50 2005 +0200" }, "committer": { "name": "Chris Wright", "email": "chrisw@osdl.org", "time": "Mon Aug 22 14:10:22 2005 -0700" }, "message": "[PATCH] SECURITY must depend on SYSFS\n\nCONFIG_SECURITY\u003dy and CONFIG_SYSFS\u003dn results in the following compile\nerror:\n\n\u003c-- snip --\u003e\n\n...\n LD vmlinux\nsecurity/built-in.o: In function `securityfs_init\u0027:\ninode.c:(.init.text+0x1c2): undefined reference to `kernel_subsys\u0027\nmake: *** [vmlinux] Error 1\n\n\u003c-- snip --\u003e\n\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\nSigned-off-by: Chris Wright \u003cchrisw@osdl.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }