)]}' { "log": [ { "commit": "c49c41a4134679cecb77362e7f6b59acb6320aa7", "tree": "45e690c036ca5846a48c8be67945d1d841b2d96d", "parents": [ "892d208bcf79e4e1058707786a7b6d486697cd78", "f423e5ba76e7e4a6fcb4836b4f072d1fdebba8b5" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Jan 14 18:36:33 2012 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Jan 14 18:36:33 2012 -0800" }, "message": "Merge branch \u0027for-linus\u0027 of git://selinuxproject.org/~jmorris/linux-security\n\n* \u0027for-linus\u0027 of git://selinuxproject.org/~jmorris/linux-security:\n capabilities: remove __cap_full_set definition\n security: remove the security_netlink_recv hook as it is equivalent to capable()\n ptrace: do not audit capability check when outputing /proc/pid/stat\n capabilities: remove task_ns_* functions\n capabitlies: ns_capable can use the cap helpers rather than lsm call\n capabilities: style only - move capable below ns_capable\n capabilites: introduce new has_ns_capabilities_noaudit\n capabilities: call has_ns_capability from has_capability\n capabilities: remove all _real_ interfaces\n capabilities: introduce security_capable_noaudit\n capabilities: reverse arguments to security_capable\n capabilities: remove the task from capable LSM hook entirely\n selinux: sparse fix: fix several warnings in the security server cod\n selinux: sparse fix: fix warnings in netlink code\n selinux: sparse fix: eliminate warnings for selinuxfs\n selinux: sparse fix: declare selinux_disable() in security.h\n selinux: sparse fix: move selinux_complete_init\n selinux: sparse fix: make selinux_secmark_refcount static\n SELinux: Fix RCU deref check warning in sel_netport_insert()\n\nManually fix up a semantic mis-merge wrt security_netlink_recv():\n\n - the interface was removed in commit fd7784615248 (\"security: remove\n the security_netlink_recv hook as it is equivalent to capable()\")\n\n - a new user of it appeared in commit a38f7907b926 (\"crypto: Add\n userspace configuration API\")\n\ncausing no automatic merge conflict, but Eric Paris pointed out the\nissue.\n" }, { "commit": "cdcf116d44e78c7216ba9f8be9af1cdfca7af728", "tree": "2417cfd3e06ac5e2468585e8f00d580242cb5571", "parents": [ "d8c9584ea2a92879f471fd3a2be3af6c534fb035" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Dec 08 10:51:53 2011 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri Jan 06 23:16:53 2012 -0500" }, "message": "switch security_path_chmod() to struct path *\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "fd778461524849afd035679030ae8e8873c72b81", "tree": "32a5849c1879413fce0307af304e372eaa8225b4", "parents": [ "69f594a38967f4540ce7a29b3fd214e68a8330bd" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Jan 03 12:25:16 2012 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 05 18:53:01 2012 -0500" }, "message": "security: remove the security_netlink_recv hook as it is equivalent to capable()\n\nOnce upon a time netlink was not sync and we had to get the effective\ncapabilities from the skb that was being received. Today we instead get\nthe capabilities from the current task. This has rendered the entire\npurpose of the hook moot as it is now functionally equivalent to the\ncapable() call.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "2920a8409de5a51575d03deca07e5bb2be6fc98d", "tree": "1f16eba518068e7096b6ff200c09d3d31e285586", "parents": [ "c7eba4a97563fd8b431787f7ad623444f2da80c6" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Jan 03 12:25:15 2012 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 05 18:52:55 2012 -0500" }, "message": "capabilities: remove all _real_ interfaces\n\nThe name security_real_capable and security_real_capable_noaudit just don\u0027t\nmake much sense to me. Convert them to use security_capable and\nsecurity_capable_noaudit.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\n" }, { "commit": "c7eba4a97563fd8b431787f7ad623444f2da80c6", "tree": "12041949c45c2f394d6a96041c39e07ad6df720b", "parents": [ "b7e724d303b684655e4ca3dabd5a6840ad19012d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Jan 03 12:25:15 2012 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 05 18:52:54 2012 -0500" }, "message": "capabilities: introduce security_capable_noaudit\n\nExactly like security_capable except don\u0027t audit any denials. This is for\nplaces where the kernel may make decisions about what to do if a task has a\ngiven capability, but which failing that capability is not a sign of a\nsecurity policy violation. An example is checking if a task has\nCAP_SYS_ADMIN to lower it\u0027s likelyhood of being killed by the oom killer.\nThis check is not a security violation if it is denied.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\n" }, { "commit": "b7e724d303b684655e4ca3dabd5a6840ad19012d", "tree": "5474d8d49d61ade4c5e306a0485a835587237bf4", "parents": [ "6a9de49115d5ff9871d953af1a5c8249e1585731" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Jan 03 12:25:15 2012 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 05 18:52:53 2012 -0500" }, "message": "capabilities: reverse arguments to security_capable\n\nsecurity_capable takes ns, cred, cap. But the LSM capable() hook takes\ncred, ns, cap. The capability helper functions also take cred, ns, cap.\nRather than flip argument order just to flip it back, leave them alone.\nHeck, this should be a little faster since argument will be in the right\nplace!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "6a9de49115d5ff9871d953af1a5c8249e1585731", "tree": "eee3700ccc2ce26c566bfe99129e646fac9f983e", "parents": [ "2653812e14f4e16688ec8247d7fd290bdbbc4747" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Jan 03 12:25:14 2012 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 05 18:52:53 2012 -0500" }, "message": "capabilities: remove the task from capable LSM hook entirely\n\nThe capabilities framework is based around credentials, not necessarily the\ncurrent task. Yet we still passed the current task down into LSMs from the\nsecurity_capable() LSM hook as if it was a meaningful portion of the security\ndecision. This patch removes the \u0027generic\u0027 passing of current and instead\nforces individual LSMs to use current explicitly if they think it is\nappropriate. In our case those LSMs are SELinux and AppArmor.\n\nI believe the AppArmor use of current is incorrect, but that is wholely\nunrelated to this patch. This patch does not change what AppArmor does, it\njust makes it clear in the AppArmor code that it is doing it.\n\nThe SELinux code still uses current in it\u0027s audit message, which may also be\nwrong and needs further investigation. Again this is NOT a change, it may\nhave always been wrong, this patch just makes it clear what is happening.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "04fc66e789a896e684bfdca30208e57eb832dd96", "tree": "37c26bff07e48c8c25d147850b7906d0d1c79a81", "parents": [ "4572befe248fd0d94aedc98775e3f0ddc8a26651" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Nov 21 14:58:38 2011 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jan 03 22:55:19 2012 -0500" }, "message": "switch -\u003epath_mknod() to umode_t\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "4572befe248fd0d94aedc98775e3f0ddc8a26651", "tree": "2f4c4dabaebadb2790c8266a0434c7030c5f7cc0", "parents": [ "d179333f37d33533f4c77118f757b9e7835ccb7c" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Nov 21 14:56:21 2011 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jan 03 22:55:18 2012 -0500" }, "message": "switch -\u003epath_mkdir() to umode_t\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "910f4ecef3f67714ebff69d0bc34313e48afaed2", "tree": "348fe3b5d8789a4c019a700da5501a4756f988de", "parents": [ "49f0a0767211d3076974e59a26f36b567cbe8621" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jul 26 04:25:58 2011 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jan 03 22:55:13 2012 -0500" }, "message": "switch security_path_chmod() to umode_t\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "1a67aafb5f72a436ca044293309fa7e6351d6a35", "tree": "d9e58600148de9d41b478cf815773b746647d15b", "parents": [ "4acdaf27ebe2034c342f3be57ef49aed1ad885ef" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jul 26 01:52:52 2011 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jan 03 22:54:54 2012 -0500" }, "message": "switch -\u003emknod() to umode_t\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "4acdaf27ebe2034c342f3be57ef49aed1ad885ef", "tree": "d89a876ee19cd88609a587f8aa6c464a52ee6d98", "parents": [ "18bb1db3e7607e4a997d50991a6f9fa5b0f8722c" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jul 26 01:42:34 2011 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jan 03 22:54:53 2012 -0500" }, "message": "switch -\u003ecreate() to umode_t\n\nvfs_create() ignores everything outside of 16bit subset of its\nmode argument; switching it to umode_t is obviously equivalent\nand it\u0027s the only caller of the method\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "18bb1db3e7607e4a997d50991a6f9fa5b0f8722c", "tree": "4ee4e584bc9a67f3ec14ce159d2d7d4a27e68d4a", "parents": [ "8208a22bb8bd3c52ef634b4ff194f14892ab1713" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jul 26 01:41:39 2011 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jan 03 22:54:53 2012 -0500" }, "message": "switch vfs_mkdir() and -\u003emkdir() to umode_t\n\nvfs_mkdir() gets int, but immediately drops everything that might not\nfit into umode_t and that\u0027s the only caller of -\u003emkdir()...\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "30e053248da178cf6154bb7e950dc8713567e3fa", "tree": "3ef4cb7f85f581fe53361ea0eb2586a8b6e696c2", "parents": [ "4376eee92e5a8332b470040e672ea99cd44c826a" ], "author": { "name": "Jan Kara", "email": "jack@suse.cz", "time": "Tue Jan 03 13:14:29 2012 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jan 03 16:12:19 2012 -0800" }, "message": "security: Fix security_old_inode_init_security() when CONFIG_SECURITY is not set\n\nCommit 1e39f384bb01 (\"evm: fix build problems\") makes the stub version\nof security_old_inode_init_security() return 0 when CONFIG_SECURITY is\nnot set.\n\nBut that makes callers such as reiserfs_security_init() assume that\nsecurity_old_inode_init_security() has set name, value, and len\narguments properly - but security_old_inode_init_security() left them\nuninitialized which then results in interesting failures.\n\nRevert security_old_inode_init_security() to the old behavior of\nreturning EOPNOTSUPP since both callers (reiserfs and ocfs2) handle this\njust fine.\n\n[ Also fixed the S_PRIVATE(inode) case of the actual non-stub\n security_old_inode_init_security() function to return EOPNOTSUPP\n for the same reason, as pointed out by Mimi Zohar.\n\n It got incorrectly changed to match the new function in commit\n fb88c2b6cbb1: \"evm: fix security/security_old_init_security return\n code\". - Linus ]\n\nReported-by: Jorge Bastos \u003cmysql.jorge@decimal.pt\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Jan Kara \u003cjack@suse.cz\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "36b8d186e6cc8e32cb5227f5645a58e1bc0af190", "tree": "1000ad26e189e6ff2c53fb7eeff605f59c7ad94e", "parents": [ "cd85b557414fe4cd44ea6608825e96612a5fe2b2", "c45ed235abf1b0b6666417e3c394f18717976acd" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 25 09:45:31 2011 +0200" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 25 09:45:31 2011 +0200" }, "message": "Merge branch \u0027next\u0027 of git://selinuxproject.org/~jmorris/linux-security\n\n* \u0027next\u0027 of git://selinuxproject.org/~jmorris/linux-security: (95 commits)\n TOMOYO: Fix incomplete read after seek.\n Smack: allow to access /smack/access as normal user\n TOMOYO: Fix unused kernel config option.\n Smack: fix: invalid length set for the result of /smack/access\n Smack: compilation fix\n Smack: fix for /smack/access output, use string instead of byte\n Smack: domain transition protections (v3)\n Smack: Provide information for UDS getsockopt(SO_PEERCRED)\n Smack: Clean up comments\n Smack: Repair processing of fcntl\n Smack: Rule list lookup performance\n Smack: check permissions from user space (v2)\n TOMOYO: Fix quota and garbage collector.\n TOMOYO: Remove redundant tasklist_lock.\n TOMOYO: Fix domain transition failure warning.\n TOMOYO: Remove tomoyo_policy_memory_lock spinlock.\n TOMOYO: Simplify garbage collector.\n TOMOYO: Fix make namespacecheck warnings.\n target: check hex2bin result\n encrypted-keys: check hex2bin result\n ...\n" }, { "commit": "6230c9b4f8957c8938ee4cf2d03166d3c2dc89de", "tree": "acb6aa03e5b34ab83c4945fdacefee66c5285af2", "parents": [ "835acf5da239b91edb9f7ebe36516999e156e6ee" ], "author": { "name": "Paul Moore", "email": "pmoore@redhat.com", "time": "Fri Oct 07 09:40:59 2011 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Oct 18 23:36:43 2011 -0400" }, "message": "bluetooth: Properly clone LSM attributes to newly created child connections\n\nThe Bluetooth stack has internal connection handlers for all of the various\nBluetooth protocols, and unfortunately, they are currently lacking the LSM\nhooks found in the core network stack\u0027s connection handlers. I say\nunfortunately, because this can cause problems for users who have have an\nLSM enabled and are using certain Bluetooth devices. See one problem\nreport below:\n\n * http://bugzilla.redhat.com/show_bug.cgi?id\u003d741703\n\nIn order to keep things simple at this point in time, this patch fixes the\nproblem by cloning the parent socket\u0027s LSM attributes to the newly created\nchild socket. If we decide we need a more elaborate LSM marking mechanism\nfor Bluetooth (I somewhat doubt this) we can always revisit this decision\nin the future.\n\nReported-by: James M. Cape \u003cjcape@ignore-your.tv\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "fb88c2b6cbb1265a8bef60694699b37f5cd4ba76", "tree": "f747bf1f156c5537da77528a92a4e36eb342cb58", "parents": [ "1d714057ef8f6348eba7b28ace6d307513e57cef" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Aug 15 10:13:18 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Sep 14 15:24:50 2011 -0400" }, "message": "evm: fix security/security_old_init_security return code\n\nsecurity_inode_init_security previously returned -EOPNOTSUPP, for S_PRIVATE\ninodes, and relied on the callers to change it to 0. As the callers do not\nchange the return code anymore, return 0, intead of -EOPNOTSUPP.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "5dbe3040c74eef18e66951347eda05b153e69328", "tree": "72c9e5f77deae00f1234e488254d4898cab32027", "parents": [ "7b98a5857c3fa86cb0a7e5f893643491a8b5b425" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 30 13:48:53 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Sep 09 16:56:33 2011 -0700" }, "message": "security: sparse fix: Move security_fixup_op to security.h\n\nFix sparse warning by moving declaraion to global header.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5a2f3a02aea164f4f59c0c3497772090a411b462", "tree": "d3ebe03d4f97575290087843960baa01de3acd0a", "parents": [ "1d568ab068c021672d6cd7f50f92a3695a921ffb", "817b54aa45db03437c6d09a7693fc6926eb8e822" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 09 10:31:03 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 09 10:31:03 2011 +1000" }, "message": "Merge branch \u0027next-evm\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6 into next\n\nConflicts:\n\tfs/attr.c\n\nResolve conflict manually.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "eecdd358b467405a084d400d5ec571bbdbfe97a3", "tree": "357332873b909a19964e77dbae3c4aed5c100dc6", "parents": [ "cf1dd1dae851ce5765cda5de16aa965eef7c2dbf" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Jun 20 19:48:41 2011 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Jul 20 01:43:29 2011 -0400" }, "message": "-\u003epermission() sanitizing: don\u0027t pass flags to exec_permission()\n\npass mask instead; kill security_inode_exec_permission() since we can use\nsecurity_inode_permission() instead.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "e74f71eb78a4a8b9eaf1bc65f20f761648e85f76", "tree": "7bc7fc1344f5ed6e3ce8132b36125ef5cec6407c", "parents": [ "10556cb21a0d0b24d95f00ea6df16f599a3345b2" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Jun 20 19:38:15 2011 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Jul 20 01:43:26 2011 -0400" }, "message": "-\u003epermission() sanitizing: don\u0027t pass flags to -\u003einode_permission()\n\npass that via mask instead.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "817b54aa45db03437c6d09a7693fc6926eb8e822", "tree": "03d43f3abfbd8670e3a30a33ef868ec7705ef2c4", "parents": [ "7102ebcd65c1cdb5d5a87c7c5cf7a46f5afb0cac" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Fri May 13 12:53:38 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:50 2011 -0400" }, "message": "evm: add evm_inode_setattr to prevent updating an invalid security.evm\n\nPermit changing of security.evm only when valid, unless in fixmode.\n\nReported-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "823eb1ccd0b310449e99c822412ea8208334d14c", "tree": "649d04ab6042cf058f7849dd826ef74a2d556628", "parents": [ "cb72318069d5e92eb74840118732c66eb38c812f" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Jun 15 21:19:10 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:45 2011 -0400" }, "message": "evm: call evm_inode_init_security from security_inode_init_security\n\nChangelog v7:\n- moved the initialization call to security_inode_init_security,\n renaming evm_inode_post_init_security to evm_inode_init_security\n- increase size of xattr array for EVM xattr\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "3e1be52d6c6b21d9080dd886c0e609e009831562", "tree": "2947250698b89eed0149af2d69a33b303c4d6be4", "parents": [ "6be5cc5246f807fd8ede9f5f1bb2826f2c598658" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Mar 09 14:38:26 2011 -0500" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:42 2011 -0400" }, "message": "security: imbed evm calls in security hooks\n\nImbed the evm calls evm_inode_setxattr(), evm_inode_post_setxattr(),\nevm_inode_removexattr() in the security hooks. evm_inode_setxattr()\nprotects security.evm xattr. evm_inode_post_setxattr() and\nevm_inode_removexattr() updates the hmac associated with an inode.\n\n(Assumes an LSM module protects the setting/removing of xattr.)\n\nChangelog:\n - Don\u0027t define evm_verifyxattr(), unless CONFIG_INTEGRITY is enabled.\n - xattr_name is a \u0027const\u0027, value is \u0027void *\u0027\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@ubuntu.com\u003e\n" }, { "commit": "f381c272224f5f158f5cff64f8f3481fa0eee8b3", "tree": "a003dc4c6635c9d2fa90f31577ba5e7ea7bc71b1", "parents": [ "9d8f13ba3f4833219e50767b022b82cd0da930eb" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Mar 09 14:13:22 2011 -0500" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:38 2011 -0400" }, "message": "integrity: move ima inode integrity data management\n\nMove the inode integrity data(iint) management up to the integrity directory\nin order to share the iint among the different integrity models.\n\nChangelog:\n- don\u0027t define MAX_DIGEST_SIZE\n- rename several globally visible \u0027ima_\u0027 prefixed functions, structs,\n locks, etc to \u0027integrity_\u0027\n- replace \u002720\u0027 with SHA1_DIGEST_SIZE\n- reflect location change in appropriate Kconfig and Makefiles\n- remove unnecessary initialization of iint_initialized to 0\n- rebased on current ima_iint.c\n- define integrity_iint_store/lock as static\n\nThere should be no other functional changes.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@ubuntu.com\u003e\n" }, { "commit": "9d8f13ba3f4833219e50767b022b82cd0da930eb", "tree": "3ba2367380d009111ea17696162a62320c88d144", "parents": [ "0f2a55d5bb2372058275b0b343d90dd5d640d045" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jun 06 15:29:25 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:38 2011 -0400" }, "message": "security: new security_inode_init_security API adds function callback\n\nThis patch changes the security_inode_init_security API by adding a\nfilesystem specific callback to write security extended attributes.\nThis change is in preparation for supporting the initialization of\nmultiple LSM xattrs and the EVM xattr. Initially the callback function\nwalks an array of xattrs, writing each xattr separately, but could be\noptimized to write multiple xattrs at once.\n\nFor existing security_inode_init_security() calls, which have not yet\nbeen converted to use the new callback function, such as those in\nreiserfs and ocfs2, this patch defines security_old_inode_init_security().\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "8c9e80ed276fc4b9c9fadf29d8bf6b3576112f1a", "tree": "7595dd217545593675d40f85cfb11d69697a8300", "parents": [ "8d082f8f3fb89e8a1fcb5120ad98cd9860c8a3e8" ], "author": { "name": "Andi Kleen", "email": "ak@linux.intel.com", "time": "Thu Apr 21 17:23:19 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Apr 22 16:17:29 2011 -0700" }, "message": "SECURITY: Move exec_permission RCU checks into security modules\n\nRight now all RCU walks fall back to reference walk when CONFIG_SECURITY\nis enabled, even though just the standard capability module is active.\nThis is because security_inode_exec_permission unconditionally fails\nRCU walks.\n\nMove this decision to the low level security module. This requires\npassing the RCU flags down the security hook. This way at least\nthe capability module and a few easy cases in selinux/smack work\nwith RCU walks with CONFIG_SECURITY\u003dy\n\nSigned-off-by: Andi Kleen \u003cak@linux.intel.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3486740a4f32a6a466f5ac931654d154790ba648", "tree": "ac5d968a66057fa84933b8f89fd3e916270dffed", "parents": [ "59607db367c57f515183cb203642291bb14d9c40" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Wed Mar 23 16:43:17 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 23 19:47:02 2011 -0700" }, "message": "userns: security: make capabilities relative to the user namespace\n\n- Introduce ns_capable to test for a capability in a non-default\n user namespace.\n- Teach cap_capable to handle capabilities in a non-default\n user namespace.\n\nThe motivation is to get to the unprivileged creation of new\nnamespaces. It looks like this gets us 90% of the way there, with\nonly potential uid confusion issues left.\n\nI still need to handle getting all caps after creation but otherwise I\nthink I have a good starter patch that achieves all of your goals.\n\nChangelog:\n\t11/05/2010: [serge] add apparmor\n\t12/14/2010: [serge] fix capabilities to created user namespaces\n\tWithout this, if user serge creates a user_ns, he won\u0027t have\n\tcapabilities to the user_ns he created. THis is because we\n\twere first checking whether his effective caps had the caps\n\the needed and returning -EPERM if not, and THEN checking whether\n\the was the creator. Reverse those checks.\n\t12/16/2010: [serge] security_real_capable needs ns argument in !security case\n\t01/11/2011: [serge] add task_ns_capable helper\n\t01/11/2011: [serge] add nsown_capable() helper per Bastian Blank suggestion\n\t02/16/2011: [serge] fix a logic bug: the root user is always creator of\n\t\t init_user_ns, but should not always have capabilities to\n\t\t it! Fix the check in cap_capable().\n\t02/21/2011: Add the required user_ns parameter to security_capable,\n\t\t fixing a compile failure.\n\t02/23/2011: Convert some macros to functions as per akpm comments. Some\n\t\t couldn\u0027t be converted because we can\u0027t easily forward-declare\n\t\t them (they are inline if !SECURITY, extern if SECURITY). Add\n\t\t a current_user_ns function so we can use it in capability.h\n\t\t without #including cred.h. Move all forward declarations\n\t\t together to the top of the #ifdef __KERNEL__ section, and use\n\t\t kernel-doc format.\n\t02/23/2011: Per dhowells, clean up comment in cap_capable().\n\t02/23/2011: Per akpm, remove unreachable \u0027return -EPERM\u0027 in cap_capable.\n\n(Original written and signed off by Eric; latest, modified version\nacked by him)\n\n[akpm@linux-foundation.org: fix build]\n[akpm@linux-foundation.org: export current_user_ns() for ecryptfs]\n[serge.hallyn@canonical.com: remove unneeded extra argument in selinux\u0027s task_has_capability]\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nAcked-by: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nAcked-by: Daniel Lezcano \u003cdaniel.lezcano@free.fr\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "7a6362800cb7d1d618a697a650c7aaed3eb39320", "tree": "087f9bc6c13ef1fad4b392c5cf9325cd28fa8523", "parents": [ "6445ced8670f37cfc2c5e24a9de9b413dbfc788d", "ceda86a108671294052cbf51660097b6534672f5" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 16 16:29:25 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 16 16:29:25 2011 -0700" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1480 commits)\n bonding: enable netpoll without checking link status\n xfrm: Refcount destination entry on xfrm_lookup\n net: introduce rx_handler results and logic around that\n bonding: get rid of IFF_SLAVE_INACTIVE netdev-\u003epriv_flag\n bonding: wrap slave state work\n net: get rid of multiple bond-related netdevice-\u003epriv_flags\n bonding: register slave pointer for rx_handler\n be2net: Bump up the version number\n be2net: Copyright notice change. Update to Emulex instead of ServerEngines\n e1000e: fix kconfig for crc32 dependency\n netfilter ebtables: fix xt_AUDIT to work with ebtables\n xen network backend driver\n bonding: Improve syslog message at device creation time\n bonding: Call netif_carrier_off after register_netdevice\n bonding: Incorrect TX queue offset\n net_sched: fix ip_tos2prio\n xfrm: fix __xfrm_route_forward()\n be2net: Fix UDP packet detected status in RX compl\n Phonet: fix aligned-mode pipe socket buffer header reserve\n netxen: support for GbE port settings\n ...\n\nFix up conflicts in drivers/staging/brcm80211/brcmsmac/wl_mac80211.c\nwith the staging updates.\n" }, { "commit": "0f6e0e8448a16d8d22119ce91d8dd24b44865b51", "tree": "7c295c02db035fc6a0b867465911a2bc9dc6b1ef", "parents": [ "0d2ecee2bdb2a19d04bc5cefac0f86e790f1aad4", "a002951c97ff8da49938c982a4c236bf2fafdc9f" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 16 09:15:43 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 16 09:15:43 2011 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (33 commits)\n AppArmor: kill unused macros in lsm.c\n AppArmor: cleanup generated files correctly\n KEYS: Add an iovec version of KEYCTL_INSTANTIATE\n KEYS: Add a new keyctl op to reject a key with a specified error code\n KEYS: Add a key type op to permit the key description to be vetted\n KEYS: Add an RCU payload dereference macro\n AppArmor: Cleanup make file to remove cruft and make it easier to read\n SELinux: implement the new sb_remount LSM hook\n LSM: Pass -o remount options to the LSM\n SELinux: Compute SID for the newly created socket\n SELinux: Socket retains creator role and MLS attribute\n SELinux: Auto-generate security_is_socket_class\n TOMOYO: Fix memory leak upon file open.\n Revert \"selinux: simplify ioctl checking\"\n selinux: drop unused packet flow permissions\n selinux: Fix packet forwarding checks on postrouting\n selinux: Fix wrong checks for selinux_policycap_netpeer\n selinux: Fix check for xfrm selinux context algorithm\n ima: remove unnecessary call to ima_must_measure\n IMA: remove IMA imbalance checking\n ...\n" }, { "commit": "420c1c572d4ceaa2f37b6311b7017ac6cf049fe2", "tree": "df04e6b4b756b7a46d9887462d54a3ad0e1f91d5", "parents": [ "9620639b7ea3843983f4ced8b4c81eb4d8974838", "6e6823d17b157f185be09f4c70181299f9273f0b" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Mar 15 18:53:35 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Mar 15 18:53:35 2011 -0700" }, "message": "Merge branch \u0027timers-core-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip\n\n* \u0027timers-core-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (62 commits)\n posix-clocks: Check write permissions in posix syscalls\n hrtimer: Remove empty hrtimer_init_hres_timer()\n hrtimer: Update hrtimer-\u003estate documentation\n hrtimer: Update base[CLOCK_BOOTTIME].offset correctly\n timers: Export CLOCK_BOOTTIME via the posix timers interface\n timers: Add CLOCK_BOOTTIME hrtimer base\n time: Extend get_xtime_and_monotonic_offset() to also return sleep\n time: Introduce get_monotonic_boottime and ktime_get_boottime\n hrtimers: extend hrtimer base code to handle more then 2 clockids\n ntp: Remove redundant and incorrect parameter check\n mn10300: Switch do_timer() to xtimer_update()\n posix clocks: Introduce dynamic clocks\n posix-timers: Cleanup namespace\n posix-timers: Add support for fd based clocks\n x86: Add clock_adjtime for x86\n posix-timers: Introduce a syscall for clock tuning.\n time: Splitout compat timex accessors\n ntp: Add ADJ_SETOFFSET mode bit\n time: Introduce timekeeping_inject_offset\n posix-timer: Update comment\n ...\n\nFix up new system-call-related conflicts in\n\tarch/x86/ia32/ia32entry.S\n\tarch/x86/include/asm/unistd_32.h\n\tarch/x86/include/asm/unistd_64.h\n\tarch/x86/kernel/syscall_table_32.S\n(name_to_handle_at()/open_by_handle_at() vs clock_adjtime()), and some\ndue to movement of get_jiffies_64() in:\n\tkernel/time.c\n" }, { "commit": "1d28f42c1bd4bb2363d88df74d0128b4da135b4a", "tree": "cb2e652fe79a2bc307e871bc2d3fa51cc8051e45", "parents": [ "ca116922afa8cc5ad46b00c0a637b1cde5ca478a" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Mar 12 00:29:39 2011 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Mar 12 15:08:44 2011 -0800" }, "message": "net: Put flowi_* prefix on AF independent members of struct flowi\n\nI intend to turn struct flowi into a union of AF specific flowi\nstructs. There will be a common structure that each variant includes\nfirst, much like struct sock_common.\n\nThis is the first step to move in that direction.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "fe3fa43039d47ee4e22caf460b79b62a14937f79", "tree": "9eab8d00f1227b9fe0959f32a62d892ed35803ba", "parents": [ "ee009e4a0d4555ed522a631bae9896399674f064", "026eb167ae77244458fa4b4b9fc171209c079ba7" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:38:10 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:38:10 2011 +1100" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into next\n" }, { "commit": "1cc26bada9f6807814806db2f0d78792eecdac71", "tree": "5509b5139db04af6c13db0a580c84116a4a54039", "parents": [ "eae61f3c829439f8f9121b5cd48a14be04df451f", "214d93b02c4fe93638ad268613c9702a81ed9192" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 10:55:06 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 10:55:06 2011 +1100" }, "message": "Merge branch \u0027master\u0027; commit \u0027v2.6.38-rc7\u0027 into next\n" }, { "commit": "ff36fe2c845cab2102e4826c1ffa0a6ebf487c65", "tree": "d61f4c65bc51e6455f0cb5a3d03fab41d0f83169", "parents": [ "2ad18bdf3b8f84c85c7da7e4de365f7c5701fb3f" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 16:09:14 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 16:12:27 2011 -0500" }, "message": "LSM: Pass -o remount options to the LSM\n\nThe VFS mount code passes the mount options to the LSM. The LSM will remove\noptions it understands from the data and the VFS will then pass the remaining\noptions onto the underlying filesystem. This is how options like the\nSELinux context\u003d work. The problem comes in that -o remount never calls\ninto LSM code. So if you include an LSM specific option it will get passed\nto the filesystem and will cause the remount to fail. An example of where\nthis is a problem is the \u0027seclabel\u0027 option. The SELinux LSM hook will\nprint this word in /proc/mounts if the filesystem is being labeled using\nxattrs. If you pass this word on mount it will be silently stripped and\nignored. But if you pass this word on remount the LSM never gets called\nand it will be passed to the FS. The FS doesn\u0027t know what seclabel means\nand thus should fail the mount. For example an ext3 fs mounted over loop\n\n# mount -o loop /tmp/fs /mnt/tmp\n# cat /proc/mounts | grep /mnt/tmp\n/dev/loop0 /mnt/tmp ext3 rw,seclabel,relatime,errors\u003dcontinue,barrier\u003d0,data\u003dordered 0 0\n# mount -o remount /mnt/tmp\nmount: /mnt/tmp not mounted already, or bad option\n# dmesg\nEXT3-fs (loop0): error: unrecognized mount option \"seclabel\" or missing value\n\nThis patch passes the remount mount options to an new LSM hook.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e33f770426674a565a188042caf3f974f8b3722d", "tree": "6ee309a1cbccec1cef9972fc6c8f8d9b280978f5", "parents": [ "e1ad2ab2cf0cabcd81861e2c61870fc27bb27ded" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Feb 22 18:13:15 2011 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Feb 22 18:13:15 2011 -0800" }, "message": "xfrm: Mark flowi arg to security_xfrm_state_pol_flow_match() const.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "6037b715d6fab139742c3df8851db4c823081561", "tree": "aba9e9427debd4fa5b904daefa8e71a6320f4b93", "parents": [ "deabb19ba4bd8c06ae69bc262e3594b515e3a459" ], "author": { "name": "Chris Wright", "email": "chrisw@sous-sol.org", "time": "Wed Feb 09 22:11:51 2011 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 11 17:41:58 2011 +1100" }, "message": "security: add cred argument to security_capable()\n\nExpand security_capable() to include cred, so that it can be usable in a\nwider range of call sites.\n\nSigned-off-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1e6d767924c74929c0cfe839ae8f37bcee9e544e", "tree": "4ace06971e2b3519e556bea2f7e3e999e860eedd", "parents": [ "7cf37e87dd2cfa17a64f28ea7f31eed4525f79e4" ], "author": { "name": "Richard Cochran", "email": "richard.cochran@omicron.at", "time": "Tue Feb 01 13:50:58 2011 +0000" }, "committer": { "name": "Thomas Gleixner", "email": "tglx@linutronix.de", "time": "Wed Feb 02 15:28:11 2011 +0100" }, "message": "time: Correct the *settime* parameters\n\nBoth settimeofday() and clock_settime() promise with a \u0027const\u0027\nattribute not to alter the arguments passed in. This patch adds the\nmissing \u0027const\u0027 attribute into the various kernel functions\nimplementing these calls.\n\nSigned-off-by: Richard Cochran \u003crichard.cochran@omicron.at\u003e\nAcked-by: John Stultz \u003cjohnstul@us.ibm.com\u003e\nLKML-Reference: \u003c20110201134417.545698637@linutronix.de\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\n" }, { "commit": "4916ca401e3051dad326ddd69765bd0e3f32fb9b", "tree": "593778babcd691a498a909a5eaf462f29d241cf6", "parents": [ "8e6c96935fcc1ed3dbebc96fddfef3f2f2395afc" ], "author": { "name": "Lucian Adrian Grijincu", "email": "lucian.grijincu@gmail.com", "time": "Tue Feb 01 18:44:56 2011 +0200" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:54:02 2011 -0500" }, "message": "security: remove unused security_sysctl hook\n\nThe only user for this hook was selinux. sysctl routes every call\nthrough /proc/sys/. Selinux and other security modules use the file\nsystem checks for sysctl too, so no need for this hook any more.\n\nSigned-off-by: Lucian Adrian Grijincu \u003clucian.grijincu@gmail.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "2a7dba391e5628ad665ce84ef9a6648da541ebab", "tree": "ba0722bd74d2c883dbda7ff721850bab411cac04", "parents": [ "821404434f3324bf23f545050ff64055a149766e" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:05:39 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:12:29 2011 -0500" }, "message": "fs/vfs/security: pass last path component to LSM on inode creation\n\nSELinux would like to implement a new labeling behavior of newly created\ninodes. We currently label new inodes based on the parent and the creating\nprocess. This new behavior would also take into account the name of the\nnew object when deciding the new label. This is not the (supposed) full path,\njust the last component of the path.\n\nThis is very useful because creating /etc/shadow is different than creating\n/etc/passwd but the kernel hooks are unable to differentiate these\noperations. We currently require that userspace realize it is doing some\ndifficult operation like that and than userspace jumps through SELinux hoops\nto get things set up correctly. This patch does not implement new\nbehavior, that is obviously contained in a seperate SELinux patch, but it\ndoes pass the needed name down to the correct LSM hook. If no such name\nexists it is fine to pass NULL.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "821404434f3324bf23f545050ff64055a149766e", "tree": "619847c1b4c101da7eddee2cc920af329829847f", "parents": [ "ced3b93018a9633447ddeb12a96f25e08154cbe7" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Dec 24 14:48:35 2010 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 24 10:49:45 2011 +1100" }, "message": "CacheFiles: Add calls to path-based security hooks\n\nAdd calls to path-based security hooks into CacheFiles as, unlike inode-based\nsecurity, these aren\u0027t implicit in the vfs_mkdir() and similar calls.\n\nReported-by: Tetsuo Handa \u003cpenguin-kernel@i-love.sakura.ne.jp\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b4a45f5fe8078bfc10837dbd5b98735058bc4698", "tree": "df6f13a27610a3ec7eb4a661448cd779a8f84c79", "parents": [ "01539ba2a706ab7d35fc0667dff919ade7f87d63", "b3e19d924b6eaf2ca7d22cba99a517c5171007b6" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 07 08:56:33 2011 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 07 08:56:33 2011 -0800" }, "message": "Merge branch \u0027vfs-scale-working\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/npiggin/linux-npiggin\n\n* \u0027vfs-scale-working\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/npiggin/linux-npiggin: (57 commits)\n fs: scale mntget/mntput\n fs: rename vfsmount counter helpers\n fs: implement faster dentry memcmp\n fs: prefetch inode data in dcache lookup\n fs: improve scalability of pseudo filesystems\n fs: dcache per-inode inode alias locking\n fs: dcache per-bucket dcache hash locking\n bit_spinlock: add required includes\n kernel: add bl_list\n xfs: provide simple rcu-walk ACL implementation\n btrfs: provide simple rcu-walk ACL implementation\n ext2,3,4: provide simple rcu-walk ACL implementation\n fs: provide simple rcu-walk generic_check_acl implementation\n fs: provide rcu-walk aware permission i_ops\n fs: rcu-walk aware d_revalidate method\n fs: cache optimise dentry and inode for rcu-walk\n fs: dcache reduce branches in lookup path\n fs: dcache remove d_mounted\n fs: fs_struct use seqlock\n fs: rcu-walk for path lookup\n ...\n" }, { "commit": "31e6b01f4183ff419a6d1f86177cbf4662347cec", "tree": "e215ec9af88352c55e024f784f3d9f8eb13fab85", "parents": [ "3c22cd5709e8143444a6d08682a87f4c57902df3" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:49:52 2011 +1100" }, "committer": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:50:27 2011 +1100" }, "message": "fs: rcu-walk for path lookup\n\nPerform common cases of path lookups without any stores or locking in the\nancestor dentry elements. This is called rcu-walk, as opposed to the current\nalgorithm which is a refcount based walk, or ref-walk.\n\nThis results in far fewer atomic operations on every path element,\nsignificantly improving path lookup performance. It also avoids cacheline\nbouncing on common dentries, significantly improving scalability.\n\nThe overall design is like this:\n* LOOKUP_RCU is set in nd-\u003eflags, which distinguishes rcu-walk from ref-walk.\n* Take the RCU lock for the entire path walk, starting with the acquiring\n of the starting path (eg. root/cwd/fd-path). So now dentry refcounts are\n not required for dentry persistence.\n* synchronize_rcu is called when unregistering a filesystem, so we can\n access d_ops and i_ops during rcu-walk.\n* Similarly take the vfsmount lock for the entire path walk. So now mnt\n refcounts are not required for persistence. Also we are free to perform mount\n lookups, and to assume dentry mount points and mount roots are stable up and\n down the path.\n* Have a per-dentry seqlock to protect the dentry name, parent, and inode,\n so we can load this tuple atomically, and also check whether any of its\n members have changed.\n* Dentry lookups (based on parent, candidate string tuple) recheck the parent\n sequence after the child is found in case anything changed in the parent\n during the path walk.\n* inode is also RCU protected so we can load d_inode and use the inode for\n limited things.\n* i_mode, i_uid, i_gid can be tested for exec permissions during path walk.\n* i_op can be loaded.\n\nWhen we reach the destination dentry, we lock it, recheck lookup sequence,\nand increment its refcount and mountpoint refcount. RCU and vfsmount locks\nare dropped. This is termed \"dropping rcu-walk\". If the dentry refcount does\nnot match, we can not drop rcu-walk gracefully at the current point in the\nlokup, so instead return -ECHILD (for want of a better errno). This signals the\npath walking code to re-do the entire lookup with a ref-walk.\n\nAside from the final dentry, there are other situations that may be encounted\nwhere we cannot continue rcu-walk. In that case, we drop rcu-walk (ie. take\na reference on the last good dentry) and continue with a ref-walk. Again, if\nwe can drop rcu-walk gracefully, we return -ECHILD and do the whole lookup\nusing ref-walk. But it is very important that we can continue with ref-walk\nfor most cases, particularly to avoid the overhead of double lookups, and to\ngain the scalability advantages on common path elements (like cwd and root).\n\nThe cases where rcu-walk cannot continue are:\n* NULL dentry (ie. any uncached path element)\n* parent with d_inode-\u003ei_op-\u003epermission or ACLs\n* dentries with d_revalidate\n* Following links\n\nIn future patches, permission checks and d_revalidate become rcu-walk aware. It\nmay be possible eventually to make following links rcu-walk aware.\n\nUncached path elements will always require dropping to ref-walk mode, at the\nvery least because i_mutex needs to be grabbed, and objects allocated.\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\n" }, { "commit": "3610cda53f247e176bcbb7a7cca64bc53b12acdb", "tree": "d780bc1e405116e75a194b2f4693a6f9bbe9f58f", "parents": [ "44b8288308ac9da27eab7d7bdbf1375a568805c3" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Jan 05 15:38:53 2011 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Jan 05 15:38:53 2011 -0800" }, "message": "af_unix: Avoid socket-\u003esk NULL OOPS in stream connect security hooks.\n\nunix_release() can asynchornously set socket-\u003esk to NULL, and\nit does so without holding the unix_state_lock() on \"other\"\nduring stream connects.\n\nHowever, the reverse mapping, sk-\u003esk_socket, is only transitioned\nto NULL under the unix_state_lock().\n\nTherefore make the security hooks follow the reverse mapping instead\nof the forward mapping.\n\nReported-by: Jeremy Fitzhardinge \u003cjeremy@goop.org\u003e\nReported-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "12b3052c3ee8f508b2c7ee4ddd63ed03423409d8", "tree": "b97d0f209f363cfad94ce9d075312274e349da89", "parents": [ "6800e4c0ea3e96cf78953b8b5743381cb1bb9e37" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 15 18:36:29 2010 -0500" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Nov 15 15:40:01 2010 -0800" }, "message": "capabilities/syslog: open code cap_syslog logic to fix build failure\n\nThe addition of CONFIG_SECURITY_DMESG_RESTRICT resulted in a build\nfailure when CONFIG_PRINTK\u003dn. This is because the capabilities code\nwhich used the new option was built even though the variable in question\ndidn\u0027t exist.\n\nThe patch here fixes this by moving the capabilities checks out of the\nLSM and into the caller. All (known) LSMs should have been calling the\ncapabilities hook already so it actually makes the code organization\nbetter to eliminate the hook altogether.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "f9ba5375a8aae4aeea6be15df77e24707a429812", "tree": "c6388d7e40f0f6a70d7ba6a4d4aeaa0d1f5591f6", "parents": [ "45352bbf48e95078b4acd20774f49e72676e1e0f", "bade72d607c4eb1b1d6c7852c493b75f065a56b5" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:48 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:48 2010 -0700" }, "message": "Merge branch \u0027ima-memory-use-fixes\u0027\n\n* ima-memory-use-fixes:\n IMA: fix the ToMToU logic\n IMA: explicit IMA i_flag to remove global lock on inode_delete\n IMA: drop refcnt from ima_iint_cache since it isn\u0027t needed\n IMA: only allocate iint when needed\n IMA: move read counter into struct inode\n IMA: use i_writecount rather than a private counter\n IMA: use inode-\u003ei_lock to protect read and write counters\n IMA: convert internal flags from long to char\n IMA: use unsigned int instead of long for counters\n IMA: drop the inode opencount since it isn\u0027t needed for operation\n IMA: use rbtree instead of radix tree for inode information cache\n" }, { "commit": "bc7d2a3e66b40477270c3cbe3b89b47093276e7a", "tree": "8f0198b8ad455fde11b24e32a2e32c008a5ececb", "parents": [ "a178d2027d3198b0a04517d764326ab71cd73da2" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Oct 25 14:42:05 2010 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 26 11:37:18 2010 -0700" }, "message": "IMA: only allocate iint when needed\n\nIMA always allocates an integrity structure to hold information about\nevery inode, but only needed this structure to track the number of\nreaders and writers currently accessing a given inode. Since that\ninformation was moved into struct inode instead of the integrity struct\nthis patch stops allocating the integrity stucture until it is needed.\nThus greatly reducing memory usage.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2606fd1fa5710205b23ee859563502aa18362447", "tree": "f79becd7010a2da1a765829fce0e09327cd50531", "parents": [ "15714f7b58011cf3948cab2988abea560240c74f" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 16:24:41 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:48 2010 +1100" }, "message": "secmark: make secmark object handling generic\n\nRight now secmark has lots of direct selinux calls. Use all LSM calls and\nremove all SELinux specific knowledge. The only SELinux specific knowledge\nwe leave is the mode. The only point is to make sure that other LSMs at\nleast test this generic code before they assume it works. (They may also\nhave to make changes if they do not represent labels as strings)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b0ae19811375031ae3b3fecc65b702a9c6e5cc28", "tree": "a765b71155fbed1ed3a3cff35c1044ad49a002ae", "parents": [ "9b3056cca09529d34af2d81305b2a9c6b622ca1b" ], "author": { "name": "KOSAKI Motohiro", "email": "kosaki.motohiro@jp.fujitsu.com", "time": "Fri Oct 15 04:21:18 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:44 2010 +1100" }, "message": "security: remove unused parameter from security_task_setscheduler()\n\nAll security modules shouldn\u0027t change sched_param parameter of\nsecurity_task_setscheduler(). This is not only meaningless, but also\nmake a harmful result if caller pass a static variable.\n\nThis patch remove policy and sched_param parameter from\nsecurity_task_setscheduler() becuase none of security module is\nusing it.\n\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: KOSAKI Motohiro \u003ckosaki.motohiro@jp.fujitsu.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "065d78a0603cc6f8d288e96dbf761b96984b634f", "tree": "b95d865a91a6895d54b7b6486ebeb3b40bf2648e", "parents": [ "daa6d83a2863c28197b0c7dabfdf1e0606760b78" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Sat Aug 28 14:58:44 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:34 2010 +1100" }, "message": "LSM: Fix security_module_enable() error.\n\nWe can set default LSM module to DAC (which means \"enable no LSM module\").\nIf default LSM module was set to DAC, security_module_enable() must return 0\nunless overridden via boot time parameter.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge E. Hallyn \u003cserge@hallyn.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b34d8915c413acb51d837a45fb8747b61f65c020", "tree": "ced5fac166324634653d84b1afe2b958b3904f4d", "parents": [ "e8a89cebdbaab14caaa26debdb4ffd493b8831af", "f33ebbe9da2c3c24664a0ad4f8fd83f293547e63" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 10 12:07:51 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 10 12:07:51 2010 -0700" }, "message": "Merge branch \u0027writable_limits\u0027 of git://decibel.fi.muni.cz/~xslaby/linux\n\n* \u0027writable_limits\u0027 of git://decibel.fi.muni.cz/~xslaby/linux:\n unistd: add __NR_prlimit64 syscall numbers\n rlimits: implement prlimit64 syscall\n rlimits: switch more rlimit syscalls to do_prlimit\n rlimits: redo do_setrlimit to more generic do_prlimit\n rlimits: add rlimit64 structure\n rlimits: do security check under task_lock\n rlimits: allow setrlimit to non-current tasks\n rlimits: split sys_setrlimit\n rlimits: selinux, do rlimits changes under task_lock\n rlimits: make sure -\u003erlim_max never grows in sys_setrlimit\n rlimits: add task_struct to update_rlimit_cpu\n rlimits: security, add task_struct to setrlimit\n\nFix up various system call number conflicts. We not only added fanotify\nsystem calls in the meantime, but asm-generic/unistd.h added a wait4\nalong with a range of reserved per-architecture system calls.\n" }, { "commit": "8c8946f509a494769a8c602b5ed189df01917d39", "tree": "dfd96bd6ca5ea6803c6d77f65ba37e04f78b2d3b", "parents": [ "5f248c9c251c60af3403902b26e08de43964ea0b", "1968f5eed54ce47bde488fd9a450912e4a2d7138" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 10 11:39:13 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 10 11:39:13 2010 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.infradead.org/users/eparis/notify\n\n* \u0027for-linus\u0027 of git://git.infradead.org/users/eparis/notify: (132 commits)\n fanotify: use both marks when possible\n fsnotify: pass both the vfsmount mark and inode mark\n fsnotify: walk the inode and vfsmount lists simultaneously\n fsnotify: rework ignored mark flushing\n fsnotify: remove global fsnotify groups lists\n fsnotify: remove group-\u003emask\n fsnotify: remove the global masks\n fsnotify: cleanup should_send_event\n fanotify: use the mark in handler functions\n audit: use the mark in handler functions\n dnotify: use the mark in handler functions\n inotify: use the mark in handler functions\n fsnotify: send fsnotify_mark to groups in event handling functions\n fsnotify: Exchange list heads instead of moving elements\n fsnotify: srcu to protect read side of inode and vfsmount locks\n fsnotify: use an explicit flag to indicate fsnotify_destroy_mark has been called\n fsnotify: use _rcu functions for mark list traversal\n fsnotify: place marks on object in order of group memory address\n vfs/fsnotify: fsnotify_close can delay the final work in fput\n fsnotify: store struct file not struct path\n ...\n\nFix up trivial delete/modify conflict in fs/notify/inotify/inotify.c.\n" }, { "commit": "ea0d3ab239fba48d6e998b19c28d78f765963007", "tree": "c1e20273bf121a4f404ca7ac2a012161b0e0201e", "parents": [ "3e62cbb8436f6c0cb799c8b7f106de7f662a7b8d" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Wed Jun 02 13:24:43 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:33:40 2010 +1000" }, "message": "LSM: Remove unused arguments from security_path_truncate().\n\nWhen commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d \"introduce new LSM hooks\nwhere vfsmount is available.\" was proposed, regarding security_path_truncate(),\nonly \"struct file *\" argument (which AppArmor wanted to use) was removed.\nBut length and time_attrs arguments are not used by TOMOYO nor AppArmor.\nThus, let\u0027s remove these arguments.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Nick Piggin \u003cnpiggin@suse.de\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c4ec54b40d33f8016fea970a383cc584dd0e6019", "tree": "8e8865170cf340d1e79dc379f56417588715b2c8", "parents": [ "d14f1729483fad3a8817fbbcbd017678b7d1ad26" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Dec 17 21:24:34 2009 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Jul 28 09:59:01 2010 -0400" }, "message": "fsnotify: new fsnotify hooks and events types for access decisions\n\nintroduce a new fsnotify hook, fsnotify_perm(), which is called from the\nsecurity code. This hook is used to allow fsnotify groups to make access\ncontrol decisions about events on the system. We also must change the\ngeneric fsnotify function to return an error code if we intend these hooks\nto be in any way useful.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "8fd00b4d7014b00448eb33cf0590815304769798", "tree": "f97cc5b4401dd038e539dae7ad66066383012866", "parents": [ "2f7989efd4398d92b8adffce2e07dd043a0895fe" ], "author": { "name": "Jiri Slaby", "email": "jirislaby@gmail.com", "time": "Wed Aug 26 18:41:16 2009 +0200" }, "committer": { "name": "Jiri Slaby", "email": "jirislaby@gmail.com", "time": "Fri Jul 16 09:48:45 2010 +0200" }, "message": "rlimits: security, add task_struct to setrlimit\n\nAdd task_struct to task_setrlimit of security_operations to be able to set\nrlimit of task other than current.\n\nSigned-off-by: Jiri Slaby \u003cjirislaby@gmail.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c80901f2755c582e3096e6708028a8daca59e6e2", "tree": "eaf353e1736d7f7f99f04b4c086e4bbbff4af854", "parents": [ "7762fbfffdbce8191f5236d5053b290035d3d749" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Fri May 14 12:01:26 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon May 17 09:27:20 2010 +1000" }, "message": "LSM: Add __init to fixup function.\n\nregister_security() became __init function.\nSo do verify() and security_fixup_ops().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "05b90496f2f366b9d3eea468351888ddf010782a", "tree": "5c6b3c5167d4577043e74bb8590a6a4ed48c0bdf", "parents": [ "3011a344cdcda34cdbcb40c3fb3d1a6e89954abb" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:15:25 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:19:19 2010 +1000" }, "message": "security: remove dead hook acct\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3011a344cdcda34cdbcb40c3fb3d1a6e89954abb", "tree": "43db9abc5f96cd8ec31a4a24f0d52dae76680a1c", "parents": [ "6307f8fee295b364716d28686df6e69c2fee751a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:15:19 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:19:18 2010 +1000" }, "message": "security: remove dead hook key_session_to_parent\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6307f8fee295b364716d28686df6e69c2fee751a", "tree": "da2d51edcca32dd71c2a3a6f74bf56e88a60293f", "parents": [ "06ad187e280e725e356c62c3a30ddcd01564f8be" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:15:13 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:19:18 2010 +1000" }, "message": "security: remove dead hook task_setgroups\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "06ad187e280e725e356c62c3a30ddcd01564f8be", "tree": "5406ae3382d62971ed8b981533075657aa18d16b", "parents": [ "43ed8c3b4573d5f5cd314937fee63b4ab046ac5f" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:15:08 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:19:17 2010 +1000" }, "message": "security: remove dead hook task_setgid\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "43ed8c3b4573d5f5cd314937fee63b4ab046ac5f", "tree": "bb3f094daa6f0c3f49c4c47fb5ac1c80a26e9698", "parents": [ "0968d0060a3c885e53d453380266c7792a55d302" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:15:02 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:19:16 2010 +1000" }, "message": "security: remove dead hook task_setuid\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0968d0060a3c885e53d453380266c7792a55d302", "tree": "b8511f3bf4aa4cfb21421ab5dde8346f0119dbe3", "parents": [ "9d5ed77dadc66a72b40419c91df942adfa55a102" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:14:56 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:19:15 2010 +1000" }, "message": "security: remove dead hook cred_commit\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9d5ed77dadc66a72b40419c91df942adfa55a102", "tree": "eb55062edf757a7b7fe707adda7178181f8a4427", "parents": [ "91a9420f5826db482030c21eca8c507271bbc441" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:14:50 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:19:15 2010 +1000" }, "message": "security: remove dead hook inode_delete\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "91a9420f5826db482030c21eca8c507271bbc441", "tree": "e5e400622884c8c0cd373c51ee4a3822c853aaa5", "parents": [ "3db291017753e539af64c8bab373785f34e43ed2" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:14:45 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:18:32 2010 +1000" }, "message": "security: remove dead hook sb_post_pivotroot\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3db291017753e539af64c8bab373785f34e43ed2", "tree": "e6759c7dea1774465b6bf2860a0c2f283c0b34fa", "parents": [ "82dab10453d65ad9ca551de5b8925673ca05c7e9" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:14:39 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:18:31 2010 +1000" }, "message": "security: remove dead hook sb_post_addmount\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "82dab10453d65ad9ca551de5b8925673ca05c7e9", "tree": "942bf24adb67b534fa3080dbbfa1ffe33b7c16bd", "parents": [ "4b61d12c84293ac061909f27f567c1905e4d90e3" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:14:33 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:18:30 2010 +1000" }, "message": "security: remove dead hook sb_post_remount\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4b61d12c84293ac061909f27f567c1905e4d90e3", "tree": "dfab10311d1b6be7667600307c72379c6779d32d", "parents": [ "231923bd0e06cba69f7c2028f4a68602b8d22160" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:14:27 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:18:30 2010 +1000" }, "message": "security: remove dead hook sb_umount_busy\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "231923bd0e06cba69f7c2028f4a68602b8d22160", "tree": "91e3864e87f3de86de8ad0ed55a829cbdf797545", "parents": [ "353633100d8d684ac0acae4ce93fb833f92881f4" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:14:21 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:18:29 2010 +1000" }, "message": "security: remove dead hook sb_umount_close\n\nUnused hook. Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "353633100d8d684ac0acae4ce93fb833f92881f4", "tree": "d45effdd09f5ef2f2c44bbcfcca8751cc5cdbd7d", "parents": [ "c1a7368a6f0b18b10fdec87972da680ebdf03794" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:14:15 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 12 12:18:28 2010 +1000" }, "message": "security: remove sb_check_sb hooks\n\nUnused hook. Remove it.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c43a7523470dc2d9947fa114a0b54317975d4c04", "tree": "30a72ed1e9079f19b814263197761820f57c39ce", "parents": [ "eaa5eec739637f32f8733d528ff0b94fd62b1214", "634a539e16bd7a1ba31c3f832baa725565cc9f96" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 09 12:46:47 2010 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 09 12:46:47 2010 +1100" }, "message": "Merge branch \u0027next-queue\u0027 into next\n" }, { "commit": "c1e992b99603a84d7debb188542b64f2d9232c07", "tree": "786b1ec0c06c3d5a9df7bc3123c881ccae083d65", "parents": [ "3a5b27bf6f29574d667230c7e76e4b83fe3014e0" ], "author": { "name": "wzt.wzt@gmail.com", "email": "wzt.wzt@gmail.com", "time": "Fri Feb 26 22:49:55 2010 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Mar 03 09:15:28 2010 +1100" }, "message": "Security: Add __init to register_security to disable load a security module on runtime\n\nLSM framework doesn\u0027t allow to load a security module on runtime, it must be loaded on boot time.\nbut in security/security.c:\nint register_security(struct security_operations *ops)\n{\n ...\n if (security_ops !\u003d \u0026default_security_ops)\n return -EAGAIN;\n ...\n}\nif security_ops \u003d\u003d \u0026default_security_ops, it can access to register a security module. If selinux is enabled,\nother security modules can\u0027t register, but if selinux is disabled on boot time, the security_ops was set to\ndefault_security_ops, LSM allows other kernel modules to use register_security() to register a not trust\nsecurity module. For example:\n\ndisable selinux on boot time(selinux\u003d0).\n\n#include \u003clinux/kernel.h\u003e\n#include \u003clinux/module.h\u003e\n#include \u003clinux/init.h\u003e\n#include \u003clinux/version.h\u003e\n#include \u003clinux/string.h\u003e\n#include \u003clinux/list.h\u003e\n#include \u003clinux/security.h\u003e\n\nMODULE_LICENSE(\"GPL\");\nMODULE_AUTHOR(\"wzt\");\n\nextern int register_security(struct security_operations *ops);\nint (*new_register_security)(struct security_operations *ops);\n\nint rootkit_bprm_check_security(struct linux_binprm *bprm)\n{\n return 0;\n}\n\nstruct security_operations rootkit_ops \u003d {\n .bprm_check_security \u003d rootkit_bprm_check_security,\n};\n\nstatic int rootkit_init(void)\n{\n printk(\"Load LSM rootkit module.\\n\");\n\n\t/* cat /proc/kallsyms | grep register_security */\n new_register_security \u003d 0xc0756689;\n if (new_register_security(\u0026rootkit_ops)) {\n printk(\"Can\u0027t register rootkit module.\\n\");\n return 0;\n }\n printk(\"Register rootkit module ok.\\n\");\n\n return 0;\n}\n\nstatic void rootkit_exit(void)\n{\n printk(\"Unload LSM rootkit module.\\n\");\n}\n\nmodule_init(rootkit_init);\nmodule_exit(rootkit_exit);\n\nSigned-off-by: Zhitong Wang \u003czhitong.wangzt@alibaba-inc.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b4ccebdd37ff70d349321a198f416ba737a5e833", "tree": "275d717070346722c3aacd8355fb4f743216e03b", "parents": [ "30ff056c42c665b9ea535d8515890857ae382540", "ef57471a73b67a7b65fd8708fd55c77cb7c619af" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Mar 01 09:36:31 2010 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Mar 01 09:36:31 2010 +1100" }, "message": "Merge branch \u0027next\u0027 into for-linus\n" }, { "commit": "189b3b1c89761054fee3438f063d7f257306e2d8", "tree": "8099352fa731fca91b95d862ac0d7199f21ca54d", "parents": [ "2ae3ba39389b51d8502123de0a59374bec899c4d" ], "author": { "name": "wzt.wzt@gmail.com", "email": "wzt.wzt@gmail.com", "time": "Tue Feb 23 23:15:28 2010 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Feb 24 08:11:02 2010 +1100" }, "message": "Security: add static to security_ops and default_security_ops variable\n\nEnhance the security framework to support resetting the active security\nmodule. This eliminates the need for direct use of the security_ops and\ndefault_security_ops variables outside of security.c, so make security_ops\nand default_security_ops static. Also remove the secondary_ops variable as\na cleanup since there is no use for that. secondary_ops was originally used by\nSELinux to call the \"secondary\" security module (capability or dummy),\nbut that was replaced by direct calls to capability and the only\nremaining use is to save and restore the original security ops pointer\nvalue if SELinux is disabled by early userspace based on /etc/selinux/config.\nFurther, if we support this directly in the security framework, then we can\njust use \u0026default_security_ops for this purpose since that is now available.\n\nSigned-off-by: Zhitong Wang \u003czhitong.wangzt@alibaba-inc.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "89068c576bf324ef6fbd50dfc745148f7def202c", "tree": "6c19f0e1fa2e0bdd732fb91924a9e9c3efb2784b", "parents": [ "1e93d0052d9a6b3d0b382eedceb18b519d603baf" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Feb 07 03:07:29 2010 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Feb 07 03:07:29 2010 -0500" }, "message": "Take ima_file_free() to proper place.\n\nHooks: Just Say No.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "002345925e6c45861f60db6f4fc6236713fd8847", "tree": "d7849eafe1755116597166bbebf43e2bee86cb76", "parents": [ "0719aaf5ead7555b7b7a4a080ebf2826a871384e" ], "author": { "name": "Kees Cook", "email": "kees.cook@canonical.com", "time": "Wed Feb 03 15:36:43 2010 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Feb 04 14:20:12 2010 +1100" }, "message": "syslog: distinguish between /proc/kmsg and syscalls\n\nThis allows the LSM to distinguish between syslog functions originating\nfrom /proc/kmsg access and direct syscalls. By default, the commoncaps\nwill now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg\nfile descriptor. For example the kernel syslog reader can now drop\nprivileges after opening /proc/kmsg, instead of staying privileged with\nCAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged\nbehavior.\n\nSigned-off-by: Kees Cook \u003ckees.cook@canonical.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8d9525048c74786205b99f3fcd05a839721edfb7", "tree": "e09c056c9888410aea680deda092ca9b85fc77e2", "parents": [ "cd7bec6ad80188394a8ea857ff1aa3512fc2282a" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 14 09:33:28 2010 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 15 08:23:57 2010 +1100" }, "message": "security: correct error returns for get/set security with private inodes\n\nCurrently, the getsecurity and setsecurity operations return zero for\nkernel private inodes, where xattrs are not available directly to\nuserspace.\n\nThis confuses some applications, and does not conform to the\nman page for getxattr(2) etc., which state that these syscalls\nshould return ENOTSUP if xattrs are not supported or disabled.\n\nNote that in the listsecurity case, we still need to return zero\nas we don\u0027t know which other xattr handlers may be active.\n\nFor discussion of userland confusion, see:\nhttp://www.mail-archive.com/bug-coreutils@gnu.org/msg17988.html\n\nThis patch corrects the error returns so that ENOTSUP is reported\nto userspace as required.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\n" }, { "commit": "5d0901a3a0c39c97ca504f73d24030f63cfc9fa2", "tree": "8495b895c7c0691ebc26b806342b9ddef6967f29", "parents": [ "9f59f90bf57cff8be07faddc608c400b6e7c5d05" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Thu Nov 26 15:24:49 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Dec 08 14:58:00 2009 +1100" }, "message": "LSM: Rename security_path_ functions argument names.\n\ninclude/linux/security.h and security/capability.c are using \"struct path *dir\"\nbut security/security.c was using \"struct path *path\" by error.\nThis patch renames \"struct path *path\" to \"struct path *dir\".\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "dd8dbf2e6880e30c00b18600c962d0cb5a03c555", "tree": "24835aaf40cec5ceb2aeecccde9240ee173f70f1", "parents": [ "6e65f92ff0d6f18580737321718d09035085a3fb" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 03 16:35:32 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 10 09:33:46 2009 +1100" }, "message": "security: report the module name to security_module_request\n\nFor SELinux to do better filtering in userspace we send the name of the\nmodule along with the AVC denial when a program is denied module_request.\n\nExample output:\n\ntype\u003dSYSCALL msg\u003daudit(11/03/2009 10:59:43.510:9) : arch\u003dx86_64 syscall\u003dwrite success\u003dyes exit\u003d2 a0\u003d3 a1\u003d7fc28c0d56c0 a2\u003d2 a3\u003d7fffca0d7440 items\u003d0 ppid\u003d1727 pid\u003d1729 auid\u003dunset uid\u003droot gid\u003droot euid\u003droot suid\u003droot fsuid\u003droot egid\u003droot sgid\u003droot fsgid\u003droot tty\u003d(none) ses\u003dunset comm\u003drpc.nfsd exe\u003d/usr/sbin/rpc.nfsd subj\u003dsystem_u:system_r:nfsd_t:s0 key\u003d(null)\ntype\u003dAVC msg\u003daudit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid\u003d1729 comm\u003drpc.nfsd kmod\u003d\"net-pf-10\" scontext\u003dsystem_u:system_r:nfsd_t:s0 tcontext\u003dsystem_u:system_r:kernel_t:s0 tclass\u003dsystem\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6e65f92ff0d6f18580737321718d09035085a3fb", "tree": "2edfad79128d1b48e0b4ad49abdfbfcf2a1a2a48", "parents": [ "0e1a6ef2dea88101b056b6d9984f3325c5efced3" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Thu Nov 05 17:03:20 2009 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Nov 09 08:40:07 2009 +1100" }, "message": "Config option to set a default LSM\n\nThe LSM currently requires setting a kernel parameter at boot to select\na specific LSM. This adds a config option that allows specifying a default\nLSM that is used unless overridden with the security\u003d kernel parameter.\nIf the the config option is not set the current behavior of first LSM\nto register is used.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6c21a7fb492bf7e2c4985937082ce58ddeca84bd", "tree": "6cfe11ba4b8eee26ee8b02d2b4a5fcc6ea07e4bd", "parents": [ "6e8e16c7bc298d7887584c3d027e05db3e86eed9" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Thu Oct 22 17:30:13 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sun Oct 25 12:22:48 2009 +0800" }, "message": "LSM: imbed ima calls in the security hooks\n\nBased on discussions on LKML and LSM, where there are consecutive\nsecurity_ and ima_ calls in the vfs layer, move the ima_ calls to\nthe existing security_ hooks.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8b8efb44033c7e86b3dc76f825c693ec92ae30e9", "tree": "8cf43afc59f88f36a86f3a8165770bccec28b3c3", "parents": [ "89eda06837094ce9f34fae269b8773fcfd70f046" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Sun Oct 04 21:49:48 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Oct 12 10:56:02 2009 +1100" }, "message": "LSM: Add security_path_chroot().\n\nThis patch allows pathname based LSM modules to check chroot() operations.\n\nThis hook is used by TOMOYO.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "89eda06837094ce9f34fae269b8773fcfd70f046", "tree": "dc11701c68ebcc8346d7567cfb53b9c7327ef445", "parents": [ "941fc5b2bf8f7dd1d0a9c502e152fa719ff6578e" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Sun Oct 04 21:49:47 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Oct 12 10:56:00 2009 +1100" }, "message": "LSM: Add security_path_chmod() and security_path_chown().\n\nThis patch allows pathname based LSM modules to check chmod()/chown()\noperations. Since notify_change() does not receive \"struct vfsmount *\",\nwe add security_path_chmod() and security_path_chown() to the caller of\nnotify_change().\n\nThese hooks are used by TOMOYO.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1ee65e37e904b959c24404139f5752edc66319d5", "tree": "587c1ef70ae7ee41a7b9b531161a4ef5689838f7", "parents": [ "b1ab7e4b2a88d3ac13771463be8f302ce1616cfc" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Thu Sep 03 14:25:57 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Sep 10 10:11:24 2009 +1000" }, "message": "LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information.\n\nThis patch introduces three new hooks. The inode_getsecctx hook is used to get\nall relevant information from an LSM about an inode. The inode_setsecctx is\nused to set both the in-core and on-disk state for the inode based on a context\nderived from inode_getsecctx.The final hook inode_notifysecctx will notify the\nLSM of a change for the in-core state of the inode in question. These hooks are\nfor use in the labeled NFS code and addresses concerns of how to set security\non an inode in a multi-xattr LSM. For historical reasons Stephen Smalley\u0027s\nexplanation of the reason for these hooks is pasted below.\n\nQuote Stephen Smalley\n\ninode_setsecctx: Change the security context of an inode. Updates the\nin core security context managed by the security module and invokes the\nfs code as needed (via __vfs_setxattr_noperm) to update any backing\nxattrs that represent the context. Example usage: NFS server invokes\nthis hook to change the security context in its incore inode and on the\nbacking file system to a value provided by the client on a SETATTR\noperation.\n\ninode_notifysecctx: Notify the security module of what the security\ncontext of an inode should be. Initializes the incore security context\nmanaged by the security module for this inode. Example usage: NFS\nclient invokes this hook to initialize the security context in its\nincore inode to the value provided by the server for the file when the\nserver returned the file\u0027s attributes to the client.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ee18d64c1f632043a02e6f5ba5e045bb26a5465f", "tree": "80b5a4d530ec7d5fd69799920f0db7b78aba6b9d", "parents": [ "d0420c83f39f79afb82010c2d2cafd150eef651b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 02 09:14:21 2009 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Sep 02 21:29:22 2009 +1000" }, "message": "KEYS: Add a keyctl to install a process\u0027s session keyring on its parent [try #6]\n\nAdd a keyctl to install a process\u0027s session keyring onto its parent. This\nreplaces the parent\u0027s session keyring. Because the COW credential code does\nnot permit one process to change another process\u0027s credentials directly, the\nchange is deferred until userspace next starts executing again. Normally this\nwill be after a wait*() syscall.\n\nTo support this, three new security hooks have been provided:\ncred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in\nthe blank security creds and key_session_to_parent() - which asks the LSM if\nthe process may replace its parent\u0027s session keyring.\n\nThe replacement may only happen if the process has the same ownership details\nas its parent, and the process has LINK permission on the session keyring, and\nthe session keyring is owned by the process, and the LSM permits it.\n\nNote that this requires alteration to each architecture\u0027s notify_resume path.\nThis has been done for all arches barring blackfin, m68k* and xtensa, all of\nwhich need assembly alteration to support TIF_NOTIFY_RESUME. This allows the\nreplacement to be performed at the point the parent process resumes userspace\nexecution.\n\nThis allows the userspace AFS pioctl emulation to fully emulate newpag() and\nthe VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to\nalter the parent process\u0027s PAG membership. However, since kAFS doesn\u0027t use\nPAGs per se, but rather dumps the keys into the session keyring, the session\nkeyring of the parent must be replaced if, for example, VIOCSETTOK is passed\nthe newpag flag.\n\nThis can be tested with the following program:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\n\t#define KEYCTL_SESSION_TO_PARENT\t18\n\n\t#define OSERROR(X, S) do { if ((long)(X) \u003d\u003d -1) { perror(S); exit(1); } } while(0)\n\n\tint main(int argc, char **argv)\n\t{\n\t\tkey_serial_t keyring, key;\n\t\tlong ret;\n\n\t\tkeyring \u003d keyctl_join_session_keyring(argv[1]);\n\t\tOSERROR(keyring, \"keyctl_join_session_keyring\");\n\n\t\tkey \u003d add_key(\"user\", \"a\", \"b\", 1, keyring);\n\t\tOSERROR(key, \"add_key\");\n\n\t\tret \u003d keyctl(KEYCTL_SESSION_TO_PARENT);\n\t\tOSERROR(ret, \"KEYCTL_SESSION_TO_PARENT\");\n\n\t\treturn 0;\n\t}\n\nCompiled and linked with -lkeyutils, you should see something like:\n\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t355907932 --alswrv 4043 -1 \\_ keyring: _uid.4043\n\t[dhowells@andromeda ~]$ /tmp/newpag\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: _ses\n\t1055658746 --alswrv 4043 4043 \\_ user: a\n\t[dhowells@andromeda ~]$ /tmp/newpag hello\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t -3 --alswrv 4043 4043 keyring: hello\n\t340417692 --alswrv 4043 4043 \\_ user: a\n\nWhere the test program creates a new session keyring, sticks a user key named\n\u0027a\u0027 into it and then installs it on its parent.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2b980dbd77d229eb60588802162c9659726b11f4", "tree": "78a7f734d0721029e4b4c961ca61d35abe9e6dbc", "parents": [ "d8e180dcd5bbbab9cd3ff2e779efcf70692ef541" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Aug 28 18:12:43 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Sep 01 08:29:48 2009 +1000" }, "message": "lsm: Add hooks to the TUN driver\n\nThe TUN driver lacks any LSM hooks which makes it difficult for LSM modules,\nsuch as SELinux, to enforce access controls on network traffic generated by\nTUN users; this is particularly problematic for virtualization apps such as\nQEMU and KVM. This patch adds three new LSM hooks designed to control the\ncreation and attachment of TUN devices, the hooks are:\n\n * security_tun_dev_create()\n Provides access control for the creation of new TUN devices\n\n * security_tun_dev_post_create()\n Provides the ability to create the necessary socket LSM state for newly\n created TUN devices\n\n * security_tun_dev_attach()\n Provides access control for attaching to existing, persistent TUN devices\n and the ability to update the TUN device\u0027s socket LSM state as necessary\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@parisplace.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9188499cdb117d86a1ea6b04374095b098d56936", "tree": "7c0dd23f2c98630c426cbd0bfbf5e46cc689091e", "parents": [ "a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Aug 13 09:44:57 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Aug 14 11:18:37 2009 +1000" }, "message": "security: introducing security_request_module\n\nCalling request_module() will trigger a userspace upcall which will load a\nnew module into the kernel. This can be a dangerous event if the process\nable to trigger request_module() is able to control either the modprobe\nbinary or the module binary. This patch adds a new security hook to\nrequest_module() which can be used by an LSM to control a processes ability\nto call request_module().\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9e48858f7d36a6a3849f1d1b40c3bf5624b4ee7c", "tree": "5d8fe586c5b1bbab36acc3b76b2b4dd1bc538968", "parents": [ "86abcf9cebf7b5ceb33facde297face5ec4d2260" ], "author": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Thu May 07 19:26:19 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 25 00:18:05 2009 +1000" }, "message": "security: rename ptrace_may_access \u003d\u003e ptrace_access_check\n\nThe -\u003eptrace_may_access() methods are named confusingly - the real\nptrace_may_access() returns a bool, while these security checks have\na retval convention.\n\nRename it to ptrace_access_check, to reduce the confusion factor.\n\n[ Impact: cleanup, no code changed ]\n\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e0a94c2a63f2644826069044649669b5e7ca75d3", "tree": "debf8a9af6ac23dadd116dc1cd1f9dcefe9629c6", "parents": [ "7d2948b1248109dbc7f4aaf9867c54b1912d494c" ], "author": { "name": "Christoph Lameter", "email": "cl@linux-foundation.org", "time": "Wed Jun 03 16:04:31 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 04 12:07:48 2009 +1000" }, "message": "security: use mmap_min_addr indepedently of security models\n\nThis patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.\nIt also sets a default mmap_min_addr of 4096.\n\nmmapping of addresses below 4096 will only be possible for processes\nwith CAP_SYS_RAWIO.\n\nSigned-off-by: Christoph Lameter \u003ccl@linux-foundation.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nLooks-ok-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "800a964787faef3509d194fa33268628c3d1daa9", "tree": "37a722ed9d269d60bc26f6d8f0862d87e45a2424", "parents": [ "385e1ca5f21c4680ad6a46a3aa2ea8af99e99c92" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Apr 03 16:42:40 2009 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Apr 03 16:42:40 2009 +0100" }, "message": "CacheFiles: Export things for CacheFiles\n\nExport a number of functions for CacheFiles\u0027s use.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Steve Dickson \u003csteved@redhat.com\u003e\nAcked-by: Trond Myklebust \u003cTrond.Myklebust@netapp.com\u003e\nAcked-by: Rik van Riel \u003criel@redhat.com\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nTested-by: Daire Byrne \u003cDaire.Byrne@framestore.com\u003e\n" }, { "commit": "8651d5c0b1f874c5b8307ae2b858bc40f9f02482", "tree": "c09bee8fdc4c659d155b47911dc87ce4c09b6676", "parents": [ "58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Mar 27 17:10:48 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Mar 28 15:01:37 2009 +1100" }, "message": "lsm: Remove the socket_post_accept() hook\n\nThe socket_post_accept() hook is not currently used by any in-tree modules\nand its existence continues to cause problems by confusing people about\nwhat can be safely accomplished using this hook. If a legitimate need for\nthis hook arises in the future it can always be reintroduced.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ac8cc0fa5395fe2278e305a4cbed48e90d88d878", "tree": "515f577bfddd054ee4373228be7c974dfb8133af", "parents": [ "238c6d54830c624f34ac9cf123ac04aebfca5013", "3699c53c485bf0168e6500d0ed18bf931584dd7c" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:58:22 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:58:22 2009 +1100" }, "message": "Merge branch \u0027next\u0027 into for-linus\n" }, { "commit": "3699c53c485bf0168e6500d0ed18bf931584dd7c", "tree": "eee63a8ddbdb0665bc6a4a053a2405ca7a5b867f", "parents": [ "29881c4502ba05f46bc12ae8053d4e08d7e2615c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jan 06 22:27:01 2009 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:38:48 2009 +1100" }, "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #3]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 3b11a1decef07c19443d24ae926982bc8ec9f4c0\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Fri Nov 14 10:39:26 2008 +1100\n\n\t CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds. However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change passes the set of credentials to be tested down into the commoncap\nand SELinux code. The security functions called by capable() and\nhas_capability() select the appropriate set of credentials from the process\nbeing checked.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n * t_access_root.c - trivial test program to show permission bug.\n *\n * Written by Michael Kerrisk - copyright ownership not pursued.\n * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n perror(msg);\n exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n int fd, perm, uid, gid;\n char *testpath;\n char cmd[PATH_MAX + 20];\n\n testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n gid \u003d (argc \u003e 4) ? atoi(argv[4]) : GID;\n\n unlink(testpath);\n\n fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n if (fd \u003d\u003d -1) errExit(\"open\");\n\n if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n close(fd);\n\n snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n system(cmd);\n\n if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n accessTest(testpath, 0, \"0\");\n accessTest(testpath, R_OK, \"R_OK\");\n accessTest(testpath, W_OK, \"W_OK\");\n accessTest(testpath, X_OK, \"X_OK\");\n accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem. If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: J. Bruce Fields \u003cbfields@citi.umich.edu\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "29881c4502ba05f46bc12ae8053d4e08d7e2615c", "tree": "536ea4ac63554e836438bd5f370ddecaa343f1f4", "parents": [ "76f7ba35d4b5219fcc4cb072134c020ec77d030d" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:21:54 2009 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 07 09:21:54 2009 +1100" }, "message": "Revert \"CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\"\n\nThis reverts commit 14eaddc967b16017d4a1a24d2be6c28ecbe06ed8.\n\nDavid has a better version to come.\n" }, { "commit": "14eaddc967b16017d4a1a24d2be6c28ecbe06ed8", "tree": "ce10216d592f0fa89ae02c4e4e9e9497010e7714", "parents": [ "5c8c40be4b5a2944483bfc1a45d6c3fa02551af3" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Dec 31 15:15:42 2008 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 05 11:17:04 2009 +1100" }, "message": "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]\n\nFix a regression in cap_capable() due to:\n\n\tcommit 5ff7711e635b32f0a1e558227d030c7e45b4a465\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Wed Dec 31 02:52:28 2008 +0000\n\n\t CRED: Differentiate objective and effective subjective credentials on a task\n\nThe problem is that the above patch allows a process to have two sets of\ncredentials, and for the most part uses the subjective credentials when\naccessing current\u0027s creds.\n\nThere is, however, one exception: cap_capable(), and thus capable(), uses the\nreal/objective credentials of the target task, whether or not it is the current\ntask.\n\nOrdinarily this doesn\u0027t matter, since usually the two cred pointers in current\npoint to the same set of creds. However, sys_faccessat() makes use of this\nfacility to override the credentials of the calling process to make its test,\nwithout affecting the creds as seen from other processes.\n\nOne of the things sys_faccessat() does is to make an adjustment to the\neffective capabilities mask, which cap_capable(), as it stands, then ignores.\n\nThe affected capability check is in generic_permission():\n\n\tif (!(mask \u0026 MAY_EXEC) || execute_ok(inode))\n\t\tif (capable(CAP_DAC_OVERRIDE))\n\t\t\treturn 0;\n\nThis change splits capable() from has_capability() down into the commoncap and\nSELinux code. The capable() security op now only deals with the current\nprocess, and uses the current process\u0027s subjective creds. A new security op -\ntask_capable() - is introduced that can check any task\u0027s objective creds.\n\nstrictly the capable() security op is superfluous with the presence of the\ntask_capable() op, however it should be faster to call the capable() op since\ntwo fewer arguments need be passed down through the various layers.\n\nThis can be tested by compiling the following program from the XFS testsuite:\n\n/*\n * t_access_root.c - trivial test program to show permission bug.\n *\n * Written by Michael Kerrisk - copyright ownership not pursued.\n * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html\n */\n#include \u003climits.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003csys/stat.h\u003e\n\n#define UID 500\n#define GID 100\n#define PERM 0\n#define TESTPATH \"/tmp/t_access\"\n\nstatic void\nerrExit(char *msg)\n{\n perror(msg);\n exit(EXIT_FAILURE);\n} /* errExit */\n\nstatic void\naccessTest(char *file, int mask, char *mstr)\n{\n printf(\"access(%s, %s) returns %d\\n\", file, mstr, access(file, mask));\n} /* accessTest */\n\nint\nmain(int argc, char *argv[])\n{\n int fd, perm, uid, gid;\n char *testpath;\n char cmd[PATH_MAX + 20];\n\n testpath \u003d (argc \u003e 1) ? argv[1] : TESTPATH;\n perm \u003d (argc \u003e 2) ? strtoul(argv[2], NULL, 8) : PERM;\n uid \u003d (argc \u003e 3) ? atoi(argv[3]) : UID;\n gid \u003d (argc \u003e 4) ? atoi(argv[4]) : GID;\n\n unlink(testpath);\n\n fd \u003d open(testpath, O_RDWR | O_CREAT, 0);\n if (fd \u003d\u003d -1) errExit(\"open\");\n\n if (fchown(fd, uid, gid) \u003d\u003d -1) errExit(\"fchown\");\n if (fchmod(fd, perm) \u003d\u003d -1) errExit(\"fchmod\");\n close(fd);\n\n snprintf(cmd, sizeof(cmd), \"ls -l %s\", testpath);\n system(cmd);\n\n if (seteuid(uid) \u003d\u003d -1) errExit(\"seteuid\");\n\n accessTest(testpath, 0, \"0\");\n accessTest(testpath, R_OK, \"R_OK\");\n accessTest(testpath, W_OK, \"W_OK\");\n accessTest(testpath, X_OK, \"X_OK\");\n accessTest(testpath, R_OK | W_OK, \"R_OK | W_OK\");\n accessTest(testpath, R_OK | X_OK, \"R_OK | X_OK\");\n accessTest(testpath, W_OK | X_OK, \"W_OK | X_OK\");\n accessTest(testpath, R_OK | W_OK | X_OK, \"R_OK | W_OK | X_OK\");\n\n exit(EXIT_SUCCESS);\n} /* main */\n\nThis can be run against an Ext3 filesystem as well as against an XFS\nfilesystem. If successful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns 0\n\taccess(/tmp/xxx, W_OK) returns 0\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns 0\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nIf unsuccessful, it will show:\n\n\t[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043\n\t---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx\n\taccess(/tmp/xxx, 0) returns 0\n\taccess(/tmp/xxx, R_OK) returns -1\n\taccess(/tmp/xxx, W_OK) returns -1\n\taccess(/tmp/xxx, X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK) returns -1\n\taccess(/tmp/xxx, R_OK | X_OK) returns -1\n\taccess(/tmp/xxx, W_OK | X_OK) returns -1\n\taccess(/tmp/xxx, R_OK | W_OK | X_OK) returns -1\n\nI\u0027ve also tested the fix with the SELinux and syscalls LTP testsuites.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d", "tree": "3a770f4cc676efeba443b28caa1ad195eeff49bc", "parents": [ "6a94cb73064c952255336cc57731904174b2c58f" ], "author": { "name": "Kentaro Takeda", "email": "takedakn@nttdata.co.jp", "time": "Wed Dec 17 13:24:15 2008 +0900" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Dec 31 18:07:37 2008 -0500" }, "message": "introduce new LSM hooks where vfsmount is available.\n\nAdd new LSM hooks for path-based checks. Call them on directory-modifying\noperations at the points where we still know the vfsmount involved.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "12204e24b1330428c3062faee10a0d80b8a5cb61", "tree": "d92ee705a86f0ec2bf85c8a797239dbb840d5927", "parents": [ "459c19f524a9d89c65717a7d061d5f11ecf6bcb8" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Dec 19 10:44:42 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Dec 20 09:02:39 2008 +1100" }, "message": "security: pass mount flags to security_sb_kern_mount()\n\nPass mount flags to security_sb_kern_mount(), so security modules\ncan determine if a mount operation is being performed by the kernel.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "200036ca9b3f0b2250912142552ce56682190f95", "tree": "2588521766ea0d6ec0a79c18bceee1d81e30dab1", "parents": [ "9789cfe22e5d7bc10cad841a4ea96ecedb34b267" ], "author": { "name": "Hannes Eder", "email": "hannes@hanneseder.net", "time": "Mon Nov 24 22:14:43 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 25 06:33:17 2008 +0530" }, "message": "CRED: fix sparse warnings\n\nImpact: fix sparse warnings\n\nFix the following sparse warnings:\n\n security/security.c:228:2: warning: returning void-valued expression\n security/security.c:233:2: warning: returning void-valued expression\n security/security.c:616:2: warning: returning void-valued expression\n\nSigned-off-by: Hannes Eder \u003channes@hanneseder.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3a3b7ce9336952ea7b9564d976d068a238976c9d", "tree": "3f0a3be33022492161f534636a20a4b1059f8236", "parents": [ "1bfdc75ae077d60a01572a7781ec6264d55ab1b9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:28 2008 +1100" }, "message": "CRED: Allow kernel services to override LSM settings for task actions\n\nAllow kernel services to override LSM settings appropriate to the actions\nperformed by a task by duplicating a set of credentials, modifying it and then\nusing task_struct::cred to point to it when performing operations on behalf of\na task.\n\nThis is used, for example, by CacheFiles which has to transparently access the\ncache on behalf of a process that thinks it is doing, say, NFS accesses with a\npotentially inappropriate (with respect to accessing the cache) set of\ncredentials.\n\nThis patch provides two LSM hooks for modifying a task security record:\n\n (*) security_kernel_act_as() which allows modification of the security datum\n with which a task acts on other objects (most notably files).\n\n (*) security_kernel_create_files_as() which allows modification of the\n security datum that is used to initialise the security data on a file that\n a task creates.\n\nThe patch also provides four new credentials handling functions, which wrap the\nLSM functions:\n\n (1) prepare_kernel_cred()\n\n Prepare a set of credentials for a kernel service to use, based either on\n a daemon\u0027s credentials or on init_cred. All the keyrings are cleared.\n\n (2) set_security_override()\n\n Set the LSM security ID in a set of credentials to a specific security\n context, assuming permission from the LSM policy.\n\n (3) set_security_override_from_ctx()\n\n As (2), but takes the security context as a string.\n\n (4) set_create_files_as()\n\n Set the file creation LSM security ID in a set of credentials to be the\n same as that on a particular inode.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e [Smack changes]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d", "tree": "8f95617996d0974507f176163459212a7def8b9a", "parents": [ "d84f4f992cbd76e8f39c488cf0c5d123843923b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Make execve() take advantage of copy-on-write credentials\n\nMake execve() take advantage of copy-on-write credentials, allowing it to set\nup the credentials in advance, and then commit the whole lot after the point\nof no return.\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n The credential bits from struct linux_binprm are, for the most part,\n replaced with a single credentials pointer (bprm-\u003ecred). This means that\n all the creds can be calculated in advance and then applied at the point\n of no return with no possibility of failure.\n\n I would like to replace bprm-\u003ecap_effective with:\n\n\tcap_isclear(bprm-\u003ecap_effective)\n\n but this seems impossible due to special behaviour for processes of pid 1\n (they always retain their parent\u0027s capability masks where normally they\u0027d\n be changed - see cap_bprm_set_creds()).\n\n The following sequence of events now happens:\n\n (a) At the start of do_execve, the current task\u0027s cred_exec_mutex is\n \t locked to prevent PTRACE_ATTACH from obsoleting the calculation of\n \t creds that we make.\n\n (a) prepare_exec_creds() is then called to make a copy of the current\n \t task\u0027s credentials and prepare it. This copy is then assigned to\n \t bprm-\u003ecred.\n\n \t This renders security_bprm_alloc() and security_bprm_free()\n \t unnecessary, and so they\u0027ve been removed.\n\n (b) The determination of unsafe execution is now performed immediately\n \t after (a) rather than later on in the code. The result is stored in\n \t bprm-\u003eunsafe for future reference.\n\n (c) prepare_binprm() is called, possibly multiple times.\n\n \t (i) This applies the result of set[ug]id binaries to the new creds\n \t attached to bprm-\u003ecred. Personality bit clearance is recorded,\n \t but now deferred on the basis that the exec procedure may yet\n \t fail.\n\n (ii) This then calls the new security_bprm_set_creds(). This should\n\t calculate the new LSM and capability credentials into *bprm-\u003ecred.\n\n\t This folds together security_bprm_set() and parts of\n\t security_bprm_apply_creds() (these two have been removed).\n\t Anything that might fail must be done at this point.\n\n (iii) bprm-\u003ecred_prepared is set to 1.\n\n\t bprm-\u003ecred_prepared is 0 on the first pass of the security\n\t calculations, and 1 on all subsequent passes. This allows SELinux\n\t in (ii) to base its calculations only on the initial script and\n\t not on the interpreter.\n\n (d) flush_old_exec() is called to commit the task to execution. This\n \t performs the following steps with regard to credentials:\n\n\t (i) Clear pdeath_signal and set dumpable on certain circumstances that\n\t may not be covered by commit_creds().\n\n (ii) Clear any bits in current-\u003epersonality that were deferred from\n (c.i).\n\n (e) install_exec_creds() [compute_creds() as was] is called to install the\n \t new credentials. This performs the following steps with regard to\n \t credentials:\n\n (i) Calls security_bprm_committing_creds() to apply any security\n requirements, such as flushing unauthorised files in SELinux, that\n must be done before the credentials are changed.\n\n\t This is made up of bits of security_bprm_apply_creds() and\n\t security_bprm_post_apply_creds(), both of which have been removed.\n\t This function is not allowed to fail; anything that might fail\n\t must have been done in (c.ii).\n\n (ii) Calls commit_creds() to apply the new credentials in a single\n assignment (more or less). Possibly pdeath_signal and dumpable\n should be part of struct creds.\n\n\t (iii) Unlocks the task\u0027s cred_replace_mutex, thus allowing\n\t PTRACE_ATTACH to take place.\n\n (iv) Clears The bprm-\u003ecred pointer as the credentials it was holding\n are now immutable.\n\n (v) Calls security_bprm_committed_creds() to apply any security\n alterations that must be done after the creds have been changed.\n SELinux uses this to flush signals and signal handlers.\n\n (f) If an error occurs before (d.i), bprm_free() will call abort_creds()\n \t to destroy the proposed new credentials and will then unlock\n \t cred_replace_mutex. No changes to the credentials will have been\n \t made.\n\n (2) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_bprm_alloc(), -\u003ebprm_alloc_security()\n (*) security_bprm_free(), -\u003ebprm_free_security()\n\n \t Removed in favour of preparing new credentials and modifying those.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n (*) security_bprm_post_apply_creds(), -\u003ebprm_post_apply_creds()\n\n \t Removed; split between security_bprm_set_creds(),\n \t security_bprm_committing_creds() and security_bprm_committed_creds().\n\n (*) security_bprm_set(), -\u003ebprm_set_security()\n\n \t Removed; folded into security_bprm_set_creds().\n\n (*) security_bprm_set_creds(), -\u003ebprm_set_creds()\n\n \t New. The new credentials in bprm-\u003ecreds should be checked and set up\n \t as appropriate. bprm-\u003ecred_prepared is 0 on the first call, 1 on the\n \t second and subsequent calls.\n\n (*) security_bprm_committing_creds(), -\u003ebprm_committing_creds()\n (*) security_bprm_committed_creds(), -\u003ebprm_committed_creds()\n\n \t New. Apply the security effects of the new credentials. This\n \t includes closing unauthorised files in SELinux. This function may not\n \t fail. When the former is called, the creds haven\u0027t yet been applied\n \t to the process; when the latter is called, they have.\n\n \t The former may access bprm-\u003ecred, the latter may not.\n\n (3) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) The bprm_security_struct struct has been removed in favour of using\n \t the credentials-under-construction approach.\n\n (c) flush_unauthorized_files() now takes a cred pointer and passes it on\n \t to inode_has_perm(), file_has_perm() and dentry_open().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ], "next": "745ca2475a6ac596e3d8d37c2759c0fbe2586227" }