{
  "log": [
    {
      "commit": "1f8f5cf6e4f038552a3e47b66085452c08556d71",
      "tree": "ccbfebc2fd565b8a979bde1f50d58b32328e4ddf",
      "parents": [
        "3ad4f597058301c97f362e500a32f63f5c950a45"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Nov 10 19:00:05 2008 +0000"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Nov 10 13:20:57 2008 -0800"
      },
      "message": "KEYS: Make request key instantiate the per-user keyrings\n\nMake request_key() instantiate the per-user keyrings so that it doesn\u0027t oops\nif it needs to get hold of the user session keyring because there isn\u0027t a\nsession keyring in place.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Steve French \u003csmfrench@gmail.com\u003e\nTested-by: Rutger Nijlunsing \u003crutger.nijlunsing@gmail.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "0a6d2fac615972142715d736289abeeb7382e81d",
      "tree": "828bd68949a5d4dd3a958c2be215695170b9b29c",
      "parents": [
        "76f8bef0db031f03bf286c8bbccfaf83f0b22224",
        "37dd0bd04a3240d2922786d501e2f12cec858fbf"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Nov 01 09:50:38 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Nov 01 09:50:38 2008 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n  SELinux: properly handle empty tty_files list\n"
    },
    {
      "commit": "3318a386e4ca68c76e0294363d29bdc46fcad670",
      "tree": "da0da58f10bcb7dd7a885f6032b46d1025af208b",
      "parents": [
        "e06f42d6c127883e58b747048752f44ae208ae47"
      ],
      "author": {
        "name": "Serge Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Thu Oct 30 11:52:23 2008 -0500"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Nov 01 09:49:45 2008 -0700"
      },
      "message": "file caps: always start with clear bprm-\u003ecaps_*\n\nLinux doesn\u0027t honor setuid on scripts.  However, it mistakenly\nbehaves differently for file capabilities.\n\nThis patch fixes that behavior by making sure that get_file_caps()\nbegins with empty bprm-\u003ecaps_*.  That way when a script is loaded,\nits bprm-\u003ecaps_* may be filled when binfmt_misc calls prepare_binprm(),\nbut they will be cleared again when binfmt_elf calls prepare_binprm()\nnext to read the interpreter\u0027s file capabilities.\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "37dd0bd04a3240d2922786d501e2f12cec858fbf",
      "tree": "d4fa5a124a95d33bf22276429a82822ec8d4810a",
      "parents": [
        "721d5dfe7e516954c501d5e9d0dfab379cf4241a"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Oct 31 17:40:00 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Nov 01 09:38:48 2008 +1100"
      },
      "message": "SELinux: properly handle empty tty_files list\n\nSELinux has wrongly (since 2004) had an incorrect test for an empty\ntty-\u003etty_files list.  With an empty list selinux would be pointing to part\nof the tty struct itself and would then proceed to dereference that value\nand again dereference that result.  An F10 change to plymouth on a ppc64\nsystem is actually currently triggering this bug.  This patch uses\nlist_empty() to handle empty lists rather than looking at a meaningless\nlocation.\n\n[note, this fixes the oops reported in\nhttps://bugzilla.redhat.com/show_bug.cgi?id\u003d469079]\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "731572d39fcd3498702eda4600db4c43d51e0b26",
      "tree": "f892907ae20539845f353d72d2a2bf202b67e007",
      "parents": [
        "6c89161b10f5771ee0b51ada0fce0e8835e72ade"
      ],
      "author": {
        "name": "Alan Cox",
        "email": "alan@redhat.com",
        "time": "Wed Oct 29 14:01:20 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Oct 30 11:38:47 2008 -0700"
      },
      "message": "nfsd: fix vm overcommit crash\n\nJunjiro R.  Okajima reported a problem where knfsd crashes if you are\nusing it to export shmemfs objects and run strict overcommit.  In this\nsituation the current-\u003emm based modifier to the overcommit goes through a\nNULL pointer.\n\nWe could simply check for NULL and skip the modifier but we\u0027ve caught\nother real bugs in the past from mm being NULL here - cases where we did\nneed a valid mm set up (eg the exec bug about a year ago).\n\nTo preserve the checks and get the logic we want shuffle the checking\naround and add a new helper to the vm_ security wrappers\n\nAlso fix a current-\u003emm reference in nommu that should use the passed mm\n\n[akpm@linux-foundation.org: coding-style fixes]\n[akpm@linux-foundation.org: fix build]\nReported-by: Junjiro R. Okajima \u003chooanon05@yahoo.co.jp\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "99ebcf8285df28f32fd2d1c19a7166e70f00309c",
      "tree": "caf45f39a77026b2fae2413c145067a1e5164701",
      "parents": [
        "72558dde738b06cc01e16b3247a9659ca739e22d",
        "c465a76af658b443075d6efee1c3131257643020"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 20 13:19:56 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 20 13:19:56 2008 -0700"
      },
      "message": "Merge branch \u0027v28-timers-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip\n\n* \u0027v28-timers-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (36 commits)\n  fix documentation of sysrq-q really\n  Fix documentation of sysrq-q\n  timer_list: add base address to clock base\n  timer_list: print cpu number of clockevents device\n  timer_list: print real timer address\n  NOHZ: restart tick device from irq_enter()\n  NOHZ: split tick_nohz_restart_sched_tick()\n  NOHZ: unify the nohz function calls in irq_enter()\n  timers: fix itimer/many thread hang, fix\n  timers: fix itimer/many thread hang, v3\n  ntp: improve adjtimex frequency rounding\n  timekeeping: fix rounding problem during clock update\n  ntp: let update_persistent_clock() sleep\n  hrtimer: reorder struct hrtimer to save 8 bytes on 64bit builds\n  posix-timers: lock_timer: make it readable\n  posix-timers: lock_timer: kill the bogus -\u003eit_id check\n  posix-timers: kill -\u003eit_sigev_signo and -\u003eit_sigev_value\n  posix-timers: sys_timer_create: cleanup the error handling\n  posix-timers: move the initialization of timer-\u003esigq from send to create path\n  posix-timers: sys_timer_create: simplify and s/tasklist/rcu/\n  ...\n\nFix trivial conflicts due to sysrq-q description clashes in\nDocumentation/sysrq.txt and drivers/char/sysrq.c\n"
    },
    {
      "commit": "47c59803becb55b72b26cdab3838d621a15badc8",
      "tree": "63711f3e41f46288e2fa18db0b4ed734e9b1f668",
      "parents": [
        "c012a54ae0b2ee2c73499f54596e0f5257288fec"
      ],
      "author": {
        "name": "Lai Jiangshan",
        "email": "laijs@cn.fujitsu.com",
        "time": "Sat Oct 18 20:28:07 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 20 08:52:38 2008 -0700"
      },
      "message": "devcgroup: remove spin_lock()\n\nSince we introduced rcu for read side, spin_lock is used only for update.\nBut we always hold cgroup_lock() when update, so spin_lock() is not needed.\n\nAdditional cleanup:\n1) include linux/rcupdate.h explicitly\n2) remove unused variable cur_devcgroup in devcgroup_update_access()\n\nSigned-off-by: Lai Jiangshan \u003claijs@cn.fujitsu.com\u003e\nAcked-by: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "c012a54ae0b2ee2c73499f54596e0f5257288fec",
      "tree": "4fab77415948c241c563a4de1e8e29fcc0604828",
      "parents": [
        "2cdc7241a290bb2b9ef4c2e2969a4a3ed92abb63"
      ],
      "author": {
        "name": "Li Zefan",
        "email": "lizf@cn.fujitsu.com",
        "time": "Sat Oct 18 20:28:07 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 20 08:52:38 2008 -0700"
      },
      "message": "devcgroup: remove unused variable\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "2cdc7241a290bb2b9ef4c2e2969a4a3ed92abb63",
      "tree": "c544eeca8ed7777580ebd91f97778792d5ff6d07",
      "parents": [
        "886465f407e57d6c3c81013c919ea670ce1ae0d0"
      ],
      "author": {
        "name": "Li Zefan",
        "email": "lizf@cn.fujitsu.com",
        "time": "Sat Oct 18 20:28:06 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 20 08:52:38 2008 -0700"
      },
      "message": "devcgroup: use kmemdup()\n\nThis saves 40 bytes on my x86_32 box.\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "c465a76af658b443075d6efee1c3131257643020",
      "tree": "63c28c9fab02dedec7f03cee4a3ef7fe4dc1c072",
      "parents": [
        "2d42244ae71d6c7b0884b5664cf2eda30fb2ae68",
        "1b02469088ac7a13d7e622b618b7410d0f1ce5ec",
        "fb02fbc14d17837b4b7b02dbb36142c16a7bf208",
        "d40e944c25fb4642adb2a4c580a48218a9f3f824",
        "1508487e7f16d992ad23cabd3712563ff912f413",
        "322acf6585f3c4e82ee32a246b0483ca0f6ad3f4"
      ],
      "author": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Mon Oct 20 13:14:06 2008 +0200"
      },
      "committer": {
        "name": "Thomas Gleixner",
        "email": "tglx@linutronix.de",
        "time": "Mon Oct 20 13:14:06 2008 +0200"
      },
      "message": "Merge branches \u0027timers/clocksource\u0027, \u0027timers/hrtimers\u0027, \u0027timers/nohz\u0027, \u0027timers/ntp\u0027, \u0027timers/posixtimers\u0027 and \u0027timers/debug\u0027 into v28-timers-for-linus\n"
    },
    {
      "commit": "a447c0932445f92ce6f4c1bd020f62c5097a7842",
      "tree": "bacf05bc7f9764515cdd6f7dc5e2254776b4f160",
      "parents": [
        "54cebc68c81eacac41a21bdfe99dc889d3882c60"
      ],
      "author": {
        "name": "Steven Whitehouse",
        "email": "swhiteho@redhat.com",
        "time": "Mon Oct 13 10:46:57 2008 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 13 10:10:37 2008 -0700"
      },
      "message": "vfs: Use const for kernel parser table\n\nThis is a much better version of a previous patch to make the parser\ntables constant. Rather than changing the typedef, we put the \"const\" in\nall the various places where it\u0027s required, allowing the __initconst\nexception for nfsroot which was the cause of the previous trouble.\n\nThis was posted for review some time ago and I believe it\u0027s been in -mm\nsince then.\n\nSigned-off-by: Steven Whitehouse \u003cswhiteho@redhat.com\u003e\nCc: Alexander Viro \u003caviro@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "8d71ff0bef9cf4e70108a9a2762f2361e607abde",
      "tree": "a79487fceb6ec18e956373a3019416a43b269f1d",
      "parents": [
        "244dc4e54b73567fae7f8fd9ba56584be9375442",
        "92562927826fceb2f8e69c89e28161b8c1e0b125"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 13 10:00:44 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 13 10:00:44 2008 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (24 commits)\n  integrity: special fs magic\n  As pointed out by Jonathan Corbet, the timer must be deleted before\n  ERROR: code indent should use tabs where possible\n  The tpm_dev_release function is only called for platform devices, not pnp\n  Protect tpm_chip_list when traversing it.\n  Renames num_open to is_open, as only one process can open the file at a time.\n  Remove the BKL calls from the TPM driver, which were added in the overall\n  netlabel: Add configuration support for local labeling\n  cipso: Add support for native local labeling and fixup mapping names\n  netlabel: Changes to the NetLabel security attributes to allow LSMs to pass full contexts\n  selinux: Cache NetLabel secattrs in the socket\u0027s security struct\n  selinux: Set socket NetLabel based on connection endpoint\n  netlabel: Add functionality to set the security attributes of a packet\n  netlabel: Add network address selectors to the NetLabel/LSM domain mapping\n  netlabel: Add a generic way to create ordered linked lists of network addrs\n  netlabel: Replace protocol/NetLabel linking with reference counts\n  smack: Fix missing calls to netlbl_skbuff_err()\n  selinux: Fix missing calls to netlbl_skbuff_err()\n  selinux: Fix a problem in security_netlbl_sid_to_secattr()\n  selinux: Better local/forward check in selinux_ip_postroute()\n  ...\n"
    },
    {
      "commit": "934e6ebf96e8c1a0f299e64129fdaebc1132a427",
      "tree": "ab4bd754997b097f06a5cfefd9e3671d56e628f4",
      "parents": [
        "2cb5998b5f0ccc886fdda3509059eef297b49577"
      ],
      "author": {
        "name": "Alan Cox",
        "email": "alan@redhat.com",
        "time": "Mon Oct 13 10:40:43 2008 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 13 09:51:41 2008 -0700"
      },
      "message": "tty: Redo current tty locking\n\nCurrently it is sometimes locked by the tty mutex and sometimes by the\nsighand lock. The latter is in fact correct and now we can hand back referenced\nobjects we can fix this up without problems around sleeping functions.\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "452a00d2ee288f2cbc36f676edd06cb14d2878c1",
      "tree": "c8251c73924a6ac9b174bc557357bfeff0c8d1a8",
      "parents": [
        "f4d2a6c2096b764decb20070b1bf4356de9144a8"
      ],
      "author": {
        "name": "Alan Cox",
        "email": "alan@redhat.com",
        "time": "Mon Oct 13 10:39:13 2008 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 13 09:51:41 2008 -0700"
      },
      "message": "tty: Make get_current_tty use a kref\n\nWe now return a kref covered tty reference. That ensures the tty structure\ndoesn\u0027t go away when you have a return from get_current_tty. This is not\nenough to protect you from most of the resources being freed behind your\nback - yet.\n\n[Updated to include fixes for SELinux problems found by Andrew Morton and\n an s390 leak found while debugging the former]\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "92562927826fceb2f8e69c89e28161b8c1e0b125",
      "tree": "e44f22406ea4d3753a4834feed7e7d271da28ab8",
      "parents": [
        "93db628658197aa46bd7f83d429908b6f187ec9c"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Oct 07 14:00:12 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Oct 13 09:47:43 2008 +1100"
      },
      "message": "integrity: special fs magic\n\nDiscussion on the mailing list questioned the use of these\nmagic values in userspace, concluding these values are already\nexported to userspace via statfs and their correct/incorrect\nusage is left up to the userspace application.\n\n  - Move special fs magic number definitions to magic.h\n  - Add magic.h include\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0da939b0058742ad2d8580b7db6b966d0fc72252",
      "tree": "47cb109fdf97135191bff5db4e3bfc905136bf8b",
      "parents": [
        "4bdec11f560b8f405a011288a50e65b1a81b3654",
        "d91d40799165b0c84c97e7c71fb8039494ff07dc"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Oct 11 09:26:14 2008 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Oct 11 09:26:14 2008 +1100"
      },
      "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/pcmoore/lblnet-2.6_next into next\n"
    },
    {
      "commit": "8d75899d033617316e06296b7c0729612f56aba0",
      "tree": "47ab64d46b26b86089e20c337e9ba22b00e2d94f",
      "parents": [
        "6c5b3fc0147f79d714d2fe748b5869d7892ef2e7"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "message": "netlabel: Changes to the NetLabel security attributes to allow LSMs to pass full contexts\n\nThis patch provides support for including the LSM\u0027s secid in addition to\nthe LSM\u0027s MLS information in the NetLabel security attributes structure.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "6c5b3fc0147f79d714d2fe748b5869d7892ef2e7",
      "tree": "2cff691b2d4da2afd69660cb4ee647f6b553cdf9",
      "parents": [
        "014ab19a69c325f52d7bae54ceeda73d6307ae0c"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "message": "selinux: Cache NetLabel secattrs in the socket\u0027s security struct\n\nPrevious work enabled the use of address based NetLabel selectors, which\nwhile highly useful, brought the potential for additional per-packet overhead\nwhen used.  This patch attempts to mitigate some of that overhead by caching\nthe NetLabel security attribute struct within the SELinux socket security\nstructure.  This should help eliminate the need to recreate the NetLabel\nsecattr structure for each packet resulting in less overhead.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "014ab19a69c325f52d7bae54ceeda73d6307ae0c",
      "tree": "8a69c490accb7d5454bdfeb8c078d846729aeb60",
      "parents": [
        "948bf85c1bc9a84754786a9d5dd99b7ecc46451e"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "message": "selinux: Set socket NetLabel based on connection endpoint\n\nPrevious work enabled the use of address based NetLabel selectors, which while\nhighly useful, brought the potential for additional per-packet overhead when\nused.  This patch attempts to solve that by applying NetLabel socket labels\nwhen sockets are connect()\u0027d.  This should alleviate the per-packet NetLabel\nlabeling for all connected sockets (yes, it even works for connected DGRAM\nsockets).\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "948bf85c1bc9a84754786a9d5dd99b7ecc46451e",
      "tree": "a4706be1f4a5a37408774ef3c4cab8cf2e7775b5",
      "parents": [
        "63c41688743760631188cf0f4ae986a6793ccb0a"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:32 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:32 2008 -0400"
      },
      "message": "netlabel: Add functionality to set the security attributes of a packet\n\nThis patch builds upon the new NetLabel address selector functionality by\nproviding the NetLabel KAPI and CIPSO engine support needed to enable the\nnew packet-based labeling.  The only new addition to the NetLabel KAPI at\nthis point is shown below:\n\n * int netlbl_skbuff_setattr(skb, family, secattr)\n\n... and is designed to be called from a Netfilter hook after the packet\u0027s\nIP header has been populated such as in the FORWARD or LOCAL_OUT hooks.\n\nThis patch also provides the necessary SELinux hooks to support this new\nfunctionality.  Smack support is not currently included due to uncertainty\nregarding the permissions needed to expand the Smack network access controls.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b1edeb102397546438ab4624489c6ccd7b410d97",
      "tree": "ce7033f678ffe46ec3f517bb2771b9cbb04d62bb",
      "parents": [
        "a8134296ba9940b5b271d908666e532d34430a3c"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:31 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:31 2008 -0400"
      },
      "message": "netlabel: Replace protocol/NetLabel linking with reference counts\n\nNetLabel has always had a list of backpointers in the CIPSO DOI definition\nstructure which pointed to the NetLabel LSM domain mapping structures which\nreferenced the CIPSO DOI struct.  The rationale for this was that when an\nadministrator removed a CIPSO DOI from the system all of the associated\nNetLabel LSM domain mappings should be removed as well; a list of\nbackpointers made this a simple operation.\n\nUnfortunately, while the backpointers did make the removal easier they were\na bit of a mess from an implementation point of view which was making\nfurther development difficult.  Since the removal of a CIPSO DOI is a\nrelatively rare event it seems to make sense to remove this backpointer\nlist as the optimization was hurting us more than it was helping.  However,\nwe still need to be able to track when a CIPSO DOI definition is being used\nso replace the backpointer list with a reference count.  In order to\npreserve the current functionality of removing the associated LSM domain\nmappings when a CIPSO DOI is removed we walk the LSM domain mapping table,\nremoving the relevant entries.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "a8134296ba9940b5b271d908666e532d34430a3c",
      "tree": "28ef03dc3c6a56bd43e5c9d4b8b303749e815342",
      "parents": [
        "dfaebe9825ff34983778f287101bc5f3bce00640"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:31 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:31 2008 -0400"
      },
      "message": "smack: Fix missing calls to netlbl_skbuff_err()\n\nSmack needs to call netlbl_skbuff_err() to let NetLabel do the necessary\nprotocol specific error handling.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n"
    },
    {
      "commit": "dfaebe9825ff34983778f287101bc5f3bce00640",
      "tree": "4dccdcdcecd57fc8bfc083ff30d9e0ecb2e7ecba",
      "parents": [
        "99d854d231ce141850b988bdc7e2e7c78f49b03a"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:31 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:31 2008 -0400"
      },
      "message": "selinux: Fix missing calls to netlbl_skbuff_err()\n\nAt some point I think I messed up and dropped the calls to netlbl_skbuff_err()\nwhich are necessary for CIPSO to send error notifications to remote systems.\nThis patch re-introduces the error handling calls into the SELinux code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "99d854d231ce141850b988bdc7e2e7c78f49b03a",
      "tree": "d9da2a23471f38f6b25ec2bcfe982622ee51adba",
      "parents": [
        "d8395c876bb8a560c8a032887e191b95499a25d6"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:30 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:30 2008 -0400"
      },
      "message": "selinux: Fix a problem in security_netlbl_sid_to_secattr()\n\nCurrently when SELinux fails to allocate memory in\nsecurity_netlbl_sid_to_secattr() the NetLabel LSM domain field is set to\nNULL which triggers the default NetLabel LSM domain mapping which may not\nalways be the desired mapping.  This patch fixes this by returning an error\nwhen the kernel is unable to allocate memory.  This could result in more\nfailures on a system with heavy memory pressure but it is the \"correct\"\nthing to do.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d8395c876bb8a560c8a032887e191b95499a25d6",
      "tree": "6c2ef0d59e04b90a9ef673fa34e1c042d22f128e",
      "parents": [
        "948a72438d4178d0728c4b0a38836d280b846939"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:30 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:30 2008 -0400"
      },
      "message": "selinux: Better local/forward check in selinux_ip_postroute()\n\nIt turns out that checking to see if skb-\u003esk is NULL is not a very good\nindicator of a forwarded packet as some locally generated packets also have\nskb-\u003esk set to NULL.  Fix this by not only checking the skb-\u003esk field but also\nthe IP[6]CB(skb)-\u003eflags field for the IP[6]SKB_FORWARDED flag.  While we are\nat it, we are calling selinux_parse_skb() much earlier than we really should\nresulting in potentially wasted cycles parsing packets for information we\nmight not use; so shuffle the code around a bit to fix this.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "aa86290089a1e57b4bdbbb4720072233f66bd5b2",
      "tree": "9ab16f4d22056297f1571bb7b2b988bff84c8a10",
      "parents": [
        "accc609322ef5ed44cba6d2d70c741afc76385fb"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:29 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:29 2008 -0400"
      },
      "message": "selinux: Correctly handle IPv4 packets on IPv6 sockets in all cases\n\nWe did the right thing in a few cases but there were several areas where we\ndetermined a packet\u0027s address family based on the socket\u0027s address family which\nis not the right thing to do since we can get IPv4 packets on IPv6 sockets.\nThis patch fixes these problems by taking the address family directly\nfrom the packet.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "accc609322ef5ed44cba6d2d70c741afc76385fb",
      "tree": "4a86c08a2fad7302b14e0f419b5e6bd11111330f",
      "parents": [
        "561967010edef40f539dacf2aa125e20773ab40b"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:29 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:29 2008 -0400"
      },
      "message": "selinux: Cleanup the NetLabel glue code\n\nWe were doing a lot of extra work in selinux_netlbl_sock_graft() what wasn\u0027t\nnecessary so this patch removes that code.  It also removes the redundant\nsecond argument to selinux_netlbl_sock_setsid() which allows us to simplify a\nfew other functions.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "3040a6d5a2655c7967bd42b5fb4903d48daa747f",
      "tree": "a4342a6b272a8be9acc16131d39d971536a3e8da",
      "parents": [
        "b5ff7df3df9efab511244d5a299fce706c71af48"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 03 10:51:15 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Oct 04 08:25:18 2008 +1000"
      },
      "message": "selinux: Fix an uninitialized variable BUG/panic in selinux_secattr_to_sid()\n\nAt some point during the 2.6.27 development cycle two new fields were added\nto the SELinux context structure, a string pointer and a length field.  The\ncode in selinux_secattr_to_sid() was not modified and as a result these two\nfields were left uninitialized which could result in erratic behavior,\nincluding kernel panics, when NetLabel is used.  This patch fixes the\nproblem by fully initializing the context in selinux_secattr_to_sid() before\nuse and reducing the level of direct context manipulation done to help\nprevent future problems.\n\nPlease apply this to the 2.6.27-rcX release stream.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "81990fbdd18b9cfdc93dc221ff3250f81468aed8",
      "tree": "7c8298b58173e9e67f972890bdb209590ac93cab",
      "parents": [
        "ea6b184f7d521a503ecab71feca6e4057562252b"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 03 10:51:15 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Oct 04 08:18:18 2008 +1000"
      },
      "message": "selinux: Fix an uninitialized variable BUG/panic in selinux_secattr_to_sid()\n\nAt some point during the 2.6.27 development cycle two new fields were added\nto the SELinux context structure, a string pointer and a length field.  The\ncode in selinux_secattr_to_sid() was not modified and as a result these two\nfields were left uninitialized which could result in erratic behavior,\nincluding kernel panics, when NetLabel is used.  This patch fixes the\nproblem by fully initializing the context in selinux_secattr_to_sid() before\nuse and reducing the level of direct context manipulation done to help\nprevent future problems.\n\nPlease apply this to the 2.6.27-rcX release stream.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ea6b184f7d521a503ecab71feca6e4057562252b",
      "tree": "89724ca76ba9bc8a7029f3fd3edc49557ec6ab40",
      "parents": [
        "de45e806a84909648623119dfe6fc1d31e71ceba"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Mon Sep 22 15:41:19 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Sep 30 00:26:53 2008 +1000"
      },
      "message": "selinux: use default proc sid on symlinks\n\nAs we are not concerned with fine-grained control over reading of\nsymlinks in proc, always use the default proc SID for all proc symlinks.\nThis should help avoid permission issues upon changes to the proc tree\nas in the /proc/net -\u003e /proc/self/net example.\nThis does not alter labeling of symlinks within /proc/pid directories.\nls -Zd /proc/net output before and after the patch should show the difference.\n\nSigned-off-by:  Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "de45e806a84909648623119dfe6fc1d31e71ceba",
      "tree": "ca10329190483178175c43ad84862faa04c57195",
      "parents": [
        "ab2b49518e743962f71b94246855c44ee9cf52cc"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Fri Sep 26 22:27:47 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Sep 27 15:07:56 2008 +1000"
      },
      "message": "file capabilities: uninline cap_safe_nice\n\nThis reduces the kernel size by 289 bytes.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ab2b49518e743962f71b94246855c44ee9cf52cc",
      "tree": "26b260a350f0a0a0d19b558bf147b812e3a1564c",
      "parents": [
        "f058925b201357fba48d56cc9c1719ae274b2022",
        "72d31053f62c4bc464c2783974926969614a8649"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sun Sep 21 17:41:56 2008 -0700"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sun Sep 21 17:41:56 2008 -0700"
      },
      "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\n\tMAINTAINERS\n\nThanks for breaking my tree :-)\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f06febc96ba8e0af80bcc3eaec0a109e88275fac",
      "tree": "46dba9432ef25d2eae9434ff2df638c7a268c0f1",
      "parents": [
        "6bfb09a1005193be5c81ebac9f3ef85210142650"
      ],
      "author": {
        "name": "Frank Mayhar",
        "email": "fmayhar@google.com",
        "time": "Fri Sep 12 09:54:39 2008 -0700"
      },
      "committer": {
        "name": "Ingo Molnar",
        "email": "mingo@elte.hu",
        "time": "Sun Sep 14 16:25:35 2008 +0200"
      },
      "message": "timers: fix itimer/many thread hang\n\nOverview\n\nThis patch reworks the handling of POSIX CPU timers, including the\nITIMER_PROF, ITIMER_VIRT timers and rlimit handling.  It was put together\nwith the help of Roland McGrath, the owner and original writer of this code.\n\nThe problem we ran into, and the reason for this rework, has to do with using\na profiling timer in a process with a large number of threads.  It appears\nthat the performance of the old implementation of run_posix_cpu_timers() was\nat least O(n*3) (where \"n\" is the number of threads in a process) or worse.\nEverything is fine with an increasing number of threads until the time taken\nfor that routine to run becomes the same as or greater than the tick time, at\nwhich point things degrade rather quickly.\n\nThis patch fixes bug 9906, \"Weird hang with NPTL and SIGPROF.\"\n\nCode Changes\n\nThis rework corrects the implementation of run_posix_cpu_timers() to make it\nrun in constant time for a particular machine.  (Performance may vary between\none machine and another depending upon whether the kernel is built as single-\nor multiprocessor and, in the latter case, depending upon the number of\nrunning processors.)  To do this, at each tick we now update fields in\nsignal_struct as well as task_struct.  The run_posix_cpu_timers() function\nuses those fields to make its decisions.\n\nWe define a new structure, \"task_cputime,\" to contain user, system and\nscheduler times and use these in appropriate places:\n\nstruct task_cputime {\n\tcputime_t utime;\n\tcputime_t stime;\n\tunsigned long long sum_exec_runtime;\n};\n\nThis is included in the structure \"thread_group_cputime,\" which is a new\nsubstructure of signal_struct and which varies for uniprocessor versus\nmultiprocessor kernels.  
For uniprocessor kernels, it uses \"task_cputime\" as\na simple substructure, while for multiprocessor kernels it is a pointer:\n\nstruct thread_group_cputime {\n\tstruct task_cputime totals;\n};\n\nstruct thread_group_cputime {\n\tstruct task_cputime *totals;\n};\n\nWe also add a new task_cputime substructure directly to signal_struct, to\ncache the earliest expiration of process-wide timers, and task_cputime also\nreplaces the it_*_expires fields of task_struct (used for earliest expiration\nof thread timers).  The \"thread_group_cputime\" structure contains process-wide\ntimers that are updated via account_user_time() and friends.  In the non-SMP\ncase the structure is a simple aggregator; unfortunately in the SMP case that\nsimplicity was not achievable due to cache-line contention between CPUs (in\none measured case performance was actually _worse_ on a 16-cpu system than\nthe same test on a 4-cpu system, due to this contention).  For SMP, the\nthread_group_cputime counters are maintained as a per-cpu structure allocated\nusing alloc_percpu().  The timer functions update only the timer field in\nthe structure corresponding to the running CPU, obtained using per_cpu_ptr().\n\nWe define a set of inline functions in sched.h that we use to maintain the\nthread_group_cputime structure and hide the differences between UP and SMP\nimplementations from the rest of the kernel.  The thread_group_cputime_init()\nfunction initializes the thread_group_cputime structure for the given task.\nThe thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the\nout-of-line function thread_group_cputime_alloc_smp() to allocate and fill\nin the per-cpu structures and fields.  The thread_group_cputime_free()\nfunction, also a no-op for UP, in SMP frees the per-cpu structures.  The\nthread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls\nthread_group_cputime_alloc() if the per-cpu structures haven\u0027t yet been\nallocated.  
The thread_group_cputime() function fills the task_cputime\nstructure it is passed with the contents of the thread_group_cputime fields;\nin UP it\u0027s that simple but in SMP it must also safely check that tsk-\u003esignal\nis non-NULL (if it is it just uses the appropriate fields of task_struct) and,\nif so, sums the per-cpu values for each online CPU.  Finally, the three\nfunctions account_group_user_time(), account_group_system_time() and\naccount_group_exec_runtime() are used by timer functions to update the\nrespective fields of the thread_group_cputime structure.\n\nNon-SMP operation is trivial and will not be mentioned further.\n\nThe per-cpu structure is always allocated when a task creates its first new\nthread, via a call to thread_group_cputime_clone_thread() from copy_signal().\nIt is freed at process exit via a call to thread_group_cputime_free() from\ncleanup_signal().\n\nAll functions that formerly summed utime/stime/sum_sched_runtime values from\nfrom all threads in the thread group now use thread_group_cputime() to\nsnapshot the values in the thread_group_cputime structure or the values in\nthe task structure itself if the per-cpu structure hasn\u0027t been allocated.\n\nFinally, the code in kernel/posix-cpu-timers.c has changed quite a bit.\nThe run_posix_cpu_timers() function has been split into a fast path and a\nslow path; the former safely checks whether there are any expired thread\ntimers and, if not, just returns, while the slow path does the heavy lifting.\nWith the dedicated thread group fields, timers are no longer \"rebalanced\" and\nthe process_timer_rebalance() function and related code has gone away.  All\nsumming loops are gone and all code that used them now uses the\nthread_group_cputime() inline.  
When process-wide timers are set, the new\ntask_cputime structure in signal_struct is used to cache the earliest\nexpiration; this is checked in the fast path.\n\nPerformance\n\nThe fix appears not to add significant overhead to existing operations.  It\ngenerally performs the same as the current code except in two cases, one in\nwhich it performs slightly worse (Case 5 below) and one in which it performs\nvery significantly better (Case 2 below).  Overall it\u0027s a wash except in those\ntwo cases.\n\nI\u0027ve since done somewhat more involved testing on a dual-core Opteron system.\n\nCase 1: With no itimer running, for a test with 100,000 threads, the fixed\n\tkernel took 1428.5 seconds, 513 seconds more than the unfixed system,\n\tall of which was spent in the system.  There were twice as many\n\tvoluntary context switches with the fix as without it.\n\nCase 2: With an itimer running at .01 second ticks and 4000 threads (the most\n\tan unmodified kernel can handle), the fixed kernel ran the test in\n\teight percent of the time (5.8 seconds as opposed to 70 seconds) and\n\thad better tick accuracy (.012 seconds per tick as opposed to .023\n\tseconds per tick).\n\nCase 3: A 4000-thread test with an initial timer tick of .01 second and an\n\tinterval of 10,000 seconds (i.e. a timer that ticks only once) had\n\tvery nearly the same performance in both cases:  6.3 seconds elapsed\n\tfor the fixed kernel versus 5.5 seconds for the unfixed kernel.\n\nWith fewer threads (eight in these tests), the Case 1 test ran in essentially\nthe same time on both the modified and unmodified kernels (5.2 seconds versus\n5.8 seconds).  
The Case 2 test ran in about the same time as well, 5.9 seconds\nversus 5.4 seconds but again with much better tick accuracy, .013 seconds per\ntick versus .025 seconds per tick for the unmodified kernel.\n\nSince the fix affected the rlimit code, I also tested soft and hard CPU limits.\n\nCase 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer\n\trunning), the modified kernel was very slightly favored in that while\n\tit killed the process in 19.997 seconds of CPU time (5.002 seconds of\n\twall time), only .003 seconds of that was system time, the rest was\n\tuser time.  The unmodified kernel killed the process in 20.001 seconds\n\tof CPU (5.014 seconds of wall time) of which .016 seconds was system\n\ttime.  Really, though, the results were too close to call.  The results\n\twere essentially the same with no itimer running.\n\nCase 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds\n\t(where the hard limit would never be reached) and an itimer running,\n\tthe modified kernel exhibited worse tick accuracy than the unmodified\n\tkernel: .050 seconds/tick versus .028 seconds/tick.  Otherwise,\n\tperformance was almost indistinguishable.  With no itimer running this\n\ttest exhibited virtually identical behavior and times in both cases.\n\nIn times past I did some limited performance testing.  those results are below.\n\nOn a four-cpu Opteron system without this fix, a sixteen-thread test executed\nin 3569.991 seconds, of which user was 3568.435s and system was 1.556s.  On\nthe same system with the fix, user and elapsed time were about the same, but\nsystem time dropped to 0.007 seconds.  Performance with eight, four and one\nthread were comparable.  Interestingly, the timer ticks with the fix seemed\nmore accurate:  The sixteen-thread test with the fix received 149543 ticks\nfor 0.024 seconds per tick, while the same test without the fix received 58720\nfor 0.061 seconds per tick.  
Both cases were configured for an interval of\n0.01 seconds.  Again, the other tests were comparable.  Each thread in this\ntest computed the primes up to 25,000,000.\n\nI also did a test with a large number of threads, 100,000 threads, which is\nimpossible without the fix.  In this case each thread computed the primes only\nup to 10,000 (to make the runtime manageable).  System time dominated, at\n1546.968 seconds out of a total 2176.906 seconds (giving a user time of\n629.938s).  It received 147651 ticks for 0.015 seconds per tick, still quite\naccurate.  There is obviously no comparable test without the fix.\n\nSigned-off-by: Frank Mayhar \u003cfmayhar@google.com\u003e\nCc: Roland McGrath \u003croland@redhat.com\u003e\nCc: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nCc: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n"
    },
    {
      "commit": "f058925b201357fba48d56cc9c1719ae274b2022",
      "tree": "796868dcdeb2ee3e2d296eeb25a8cedbb422a5a1",
      "parents": [
        "b56c8c221d192e4ffa719d00907c3b60fbaa2737"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Thu Sep 11 09:20:26 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Sep 12 00:44:08 2008 +1000"
      },
      "message": "Update selinux info in MAINTAINERS and Kconfig help text\n\nUpdate the SELinux entry in MAINTAINERS and drop the obsolete information\nfrom the selinux Kconfig help text.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8e531af90f3940615623dc0aa6c94866a6773601",
      "tree": "d618b12f26648de917cbec53677c734362e6bfc2",
      "parents": [
        "ec0c15afb41fd9ad45b53468b60db50170e22346"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Sep 03 11:49:47 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Sep 04 08:35:13 2008 +1000"
      },
      "message": "SELinux: memory leak in security_context_to_sid_core\n\nFix a bug and a philosophical decision about who handles errors.\n\nsecurity_context_to_sid_core() was leaking a context in the common case.\nThis was causing problems on fedora systems which recently have started\nmaking extensive use of this function.\n\nIn discussion it was decided that if string_to_context_struct() had an\nerror it was its own responsibility to clean up any mess it created\nalong the way.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "36fd71d293898a59b14e49da1f6e81c1a58f2035",
      "tree": "e67d5a0f6fc6caa83558f57588d9f69a46e5f4c9",
      "parents": [
        "09a2910e54646f7a334702fbafa7a6129dc072e6"
      ],
      "author": {
        "name": "Li Zefan",
        "email": "lizf@cn.fujitsu.com",
        "time": "Tue Sep 02 14:35:52 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Sep 02 19:21:38 2008 -0700"
      },
      "message": "devcgroup: fix race against rmdir()\n\nDuring the use of a dev_cgroup, we should guarantee the corresponding\ncgroup won\u0027t be deleted (i.e.  via rmdir).  This can be done through\ncss_get(\u0026dev_cgroup-\u003ecss), but here we can just get and use the dev_cgroup\nunder rcu_read_lock.\n\nAnd also remove checking NULL dev_cgroup, it won\u0027t be NULL since a task\nalways belongs to a cgroup.\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "d9250dea3f89fe808a525f08888016b495240ed4",
      "tree": "c4b039ce0b29714e8f4c3bbc6d407adc361cc122",
      "parents": [
        "da31894ed7b654e2e1741e7ac4ef6c15be0dd14b"
      ],
      "author": {
        "name": "KaiGai Kohei",
        "email": "kaigai@ak.jp.nec.com",
        "time": "Thu Aug 28 16:35:57 2008 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Aug 29 00:33:33 2008 +1000"
      },
      "message": "SELinux: add boundary support and thread context assignment\n\nThe purpose of this patch is to assign per-thread security context\nunder a constraint. It enables multi-threaded server application\nto kick a request handler with its fair security context, and\nhelps some of userspace object managers to handle user\u0027s request.\n\nWhen we assign a per-thread security context, it must not have wider\npermissions than the original one. Because a multi-threaded process\nshares a single local memory, an arbitrary per-thread security context\nalso means another thread can easily refer violated information.\n\nThe constraint on a per-thread security context requires a new domain\nhas to be equal or weaker than its original one, when it tries to assign\na per-thread security context.\n\nBounds relationship between two types is a way to ensure a domain can\nnever have wider permission than its bounds. We can define it in two\nexplicit or implicit ways.\n\nThe first way is using new TYPEBOUNDS statement. It enables to define\na boundary of types explicitly. The other one expands the concept of\nexisting named based hierarchy. If we define a type with \".\" separated\nname like \"httpd_t.php\", toolchain implicitly set its bounds on \"httpd_t\".\n\nThis feature requires a new policy version.\nThe 24th version (POLICYDB_VERSION_BOUNDARY) enables to ship them into\nkernel space, and the following patch enables to handle it.\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "da31894ed7b654e2e1741e7ac4ef6c15be0dd14b",
      "tree": "7247357082b105a4aab13a2fb7dad73886f1a9e5",
      "parents": [
        "86d688984deefa3ae5a802880c11f2b408b5d6cf"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Aug 22 11:35:57 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 28 10:47:42 2008 +1000"
      },
      "message": "securityfs: do not depend on CONFIG_SECURITY\n\nAdd a new Kconfig option SECURITYFS which will build securityfs support\nbut does not require CONFIG_SECURITY.  The only current user of\nsecurityfs does not depend on CONFIG_SECURITY and there is no reason the\nfull LSM needs to be built to build this fs.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "86d688984deefa3ae5a802880c11f2b408b5d6cf",
      "tree": "7ea5e8189b0a774626d3ed7c3c87df2495a4c4a0",
      "parents": [
        "93c06cbbf9fea5d5be1778febb7fa9ab1a74e5f5",
        "4c246edd2550304df5b766cc841584b2bb058843"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 28 10:47:34 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 28 10:47:34 2008 +1000"
      },
      "message": "Merge branch \u0027master\u0027 into next\n"
    },
    {
      "commit": "3f23d815c5049c9d7022226cec2242e384dd0b43",
      "tree": "7917329366ccac8e9a21d5572b9df948409cee36",
      "parents": [
        "dbc74c65b3fd841985935f676388c82d6b85c485"
      ],
      "author": {
        "name": "Randy Dunlap",
        "email": "randy.dunlap@oracle.com",
        "time": "Sun Aug 17 21:44:22 2008 -0700"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Aug 20 20:16:32 2008 +1000"
      },
      "message": "security: add/fix security kernel-doc\n\nAdd security/inode.c functions to the kernel-api docbook.\nUse \u0027%\u0027 on constants in kernel-doc notation.\nFix several typos/spellos in security function descriptions.\n\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "dbc74c65b3fd841985935f676388c82d6b85c485",
      "tree": "8ebbf88795fa70f56a9eb64bfc0b21dd8666d97f",
      "parents": [
        "421fae06be9e0dac45747494756b3580643815f9"
      ],
      "author": {
        "name": "Vesa-Matti Kari",
        "email": "vmkari@cc.helsinki.fi",
        "time": "Thu Aug 07 03:18:20 2008 +0300"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Aug 15 08:40:47 2008 +1000"
      },
      "message": "selinux: Unify for- and while-loop style\n\nReplace \"thing !\u003d NULL\" comparisons with just \"thing\" to make\nthe code look more uniform (mixed styles were used even in the\nsame source file).\n\nSigned-off-by: Vesa-Matti Kari \u003cvmkari@cc.helsinki.fi\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5cd9c58fbe9ec92b45b27e131719af4f2bd9eb40",
      "tree": "8573db001b4dc3c2ad97102dda42b841c40b5f6c",
      "parents": [
        "8d0968abd03ec6b407df117adc773562386702fa"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Aug 14 11:37:28 2008 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 14 22:59:43 2008 +1000"
      },
      "message": "security: Fix setting of PF_SUPERPRIV by __capable()\n\nFix the setting of PF_SUPERPRIV by __capable() as it could corrupt the flags\nthe target process if that is not the current process and it is trying to\nchange its own flags in a different way at the same time.\n\n__capable() is using neither atomic ops nor locking to protect t-\u003eflags.  This\npatch removes __capable() and introduces has_capability() that doesn\u0027t set\nPF_SUPERPRIV on the process being queried.\n\nThis patch further splits security_ptrace() in two:\n\n (1) security_ptrace_may_access().  This passes judgement on whether one\n     process may access another only (PTRACE_MODE_ATTACH for ptrace() and\n     PTRACE_MODE_READ for /proc), and takes a pointer to the child process.\n     current is the parent.\n\n (2) security_ptrace_traceme().  This passes judgement on PTRACE_TRACEME only,\n     and takes only a pointer to the parent process.  current is the child.\n\n     In Smack and commoncap, this uses has_capability() to determine whether\n     the parent will be permitted to use PTRACE_ATTACH if normal checks fail.\n     This does not set PF_SUPERPRIV.\n\nTwo of the instances of __capable() actually only act on current, and so have\nbeen changed to calls to capable().\n\nOf the places that were using __capable():\n\n (1) The OOM killer calls __capable() thrice when weighing the killability of a\n     process.  All of these now use has_capability().\n\n (2) cap_ptrace() and smack_ptrace() were using __capable() to check to see\n     whether the parent was allowed to trace any process.  As mentioned above,\n     these have been split.  
For PTRACE_ATTACH and /proc, capable() is now\n     used, and for PTRACE_TRACEME, has_capability() is used.\n\n (3) cap_safe_nice() only ever saw current, so now uses capable().\n\n (4) smack_setprocattr() rejected accesses to tasks other than current just\n     after calling __capable(), so the order of these two tests have been\n     switched and capable() is used instead.\n\n (5) In smack_file_send_sigiotask(), we need to allow privileged processes to\n     receive SIGIO on files they\u0027re manipulating.\n\n (6) In smack_task_wait(), we let a process wait for a privileged process,\n     whether or not the process doing the waiting is privileged.\n\nI\u0027ve tested this with the LTP SELinux and syscalls testscripts.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "421fae06be9e0dac45747494756b3580643815f9",
      "tree": "8b390e53636092477c82304b7f7f10524df6fd1b",
      "parents": [
        "15446235367fa4a621ff5abfa4b6ebbe25b33763"
      ],
      "author": {
        "name": "Vesa-Matti Kari",
        "email": "vmkari@cc.helsinki.fi",
        "time": "Wed Aug 06 18:24:51 2008 +0300"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 07 08:56:16 2008 +1000"
      },
      "message": "selinux: conditional expression type validation was off-by-one\n\nexpr_isvalid() in conditional.c was off-by-one and allowed\ninvalid expression type COND_LAST. However, it is this header file\nthat needs to be fixed. That way the if-statement\u0027s disjunction\u0027s\nsecond component reads more naturally, \"if expr type is greater than\nthe last allowed value\" ( rather than using \"\u003e\u003d\" in conditional.c):\n\n  if (expr-\u003eexpr_type \u003c\u003d 0 || expr-\u003eexpr_type \u003e COND_LAST)\n\nSigned-off-by: Vesa-Matti Kari \u003cvmkari@cc.helsinki.fi\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "15446235367fa4a621ff5abfa4b6ebbe25b33763",
      "tree": "bc6823055afbef26560c63f8041caeadd4cef078",
      "parents": [
        "cf9481e289247fe9cf40f2e2481220d899132049"
      ],
      "author": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Wed Jul 30 15:37:11 2008 -0700"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 05 10:55:53 2008 +1000"
      },
      "message": "smack: limit privilege by label\n\nThere have been a number of requests to make the Smack LSM\nenforce MAC even in the face of privilege, either capability\nbased or superuser based. This is not universally desired,\nhowever, so it seems desirable to make it optional. Further,\nat least one legacy OS implemented a scheme whereby only\nprocesses running with one particular label could be exempt\nfrom MAC. This patch supports these three cases.\n\nIf /smack/onlycap is empty (unset or null-string) privilege\nis enforced in the normal way.\n\nIf /smack/onlycap contains a label only processes running with\nthat label may be MAC exempt.\n\nIf the label in /smack/onlycap is the star label (\"*\") the\nsemantics of the star label combine with the privilege\nrestrictions to prevent any violations of MAC, even in the\npresence of privilege.\n\nAgain, this will be independent of the privilege scheme.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "cf9481e289247fe9cf40f2e2481220d899132049",
      "tree": "39b8e15d27876cd84acb07c9543b423c29d66a7f",
      "parents": [
        "0c0e186f812457e527c420f7a4d02865fd0dc7d2"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Sun Jul 27 21:31:07 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 05 10:55:47 2008 +1000"
      },
      "message": "SELinux: Fix a potentially uninitialised variable in SELinux hooks\n\nFix a potentially uninitialised variable in SELinux hooks that\u0027s given a\npointer to the network address by selinux_parse_skb() passing a pointer back\nthrough its argument list.  By restructuring selinux_parse_skb(), the compiler\ncan see that the error case need not set it as the caller will return\nimmediately.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0c0e186f812457e527c420f7a4d02865fd0dc7d2",
      "tree": "3561fb50e5ec5d0f9466c187312797e7769cef60",
      "parents": [
        "df4ea865f09580b1cad621c0426612f598847815"
      ],
      "author": {
        "name": "Vesa-Matti J Kari",
        "email": "vmkari@cc.helsinki.fi",
        "time": "Mon Jul 21 02:50:20 2008 +0300"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 05 10:55:38 2008 +1000"
      },
      "message": "SELinux: trivial, remove unneeded local variable\n\nHello,\n\nRemove unneeded local variable:\n\n    struct avtab_node *newnode\n\nSigned-off-by: Vesa-Matti Kari \u003cvmkari@cc.helsinki.fi\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "df4ea865f09580b1cad621c0426612f598847815",
      "tree": "57c7e7cc2cb1e4144f1a101a8bc93f74d4b64db9",
      "parents": [
        "3583a71183a02c51ca71cd180e9189cfb0411cc1"
      ],
      "author": {
        "name": "Vesa-Matti J Kari",
        "email": "vmkari@cc.helsinki.fi",
        "time": "Sun Jul 20 23:57:01 2008 +0300"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 05 10:55:30 2008 +1000"
      },
      "message": "SELinux: Trivial minor fixes that change C null character style\n\nTrivial minor fixes that change C null character style.\n\nSigned-off-by: Vesa-Matti Kari \u003cvmkari@cc.helsinki.fi\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "3583a71183a02c51ca71cd180e9189cfb0411cc1",
      "tree": "3e613e3fc087131a2e4d2f3c5bdf36ecca02e0bd",
      "parents": [
        "2b12a4c524812fb3f6ee590a02e65b95c8c32229"
      ],
      "author": {
        "name": "Adrian Bunk",
        "email": "bunk@kernel.org",
        "time": "Tue Jul 22 20:21:23 2008 +0300"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 05 10:55:24 2008 +1000"
      },
      "message": "make selinux_write_opts() static\n\nThis patch makes the needlessly global selinux_write_opts() static.\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "383795c206946777d87ed5f6d61d6659110f9344",
      "tree": "839c3a69e5a8603ce4bc494fc5b7e81c1e02e87b",
      "parents": [
        "6e86841d05f371b5b9b86ce76c02aaee83352298"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Jul 29 17:07:26 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jul 30 08:31:28 2008 +1000"
      },
      "message": "SELinux: /proc/mounts should show what it can\n\nGiven a hosed SELinux config in which a system never loads policy or\ndisables SELinux we currently just return -EINVAL for anyone trying to\nread /proc/mounts.  This is a configuration problem but we can certainly\nbe more graceful.  This patch just ignores -EINVAL when displaying LSM\noptions and causes /proc/mounts to display everything else it can.  If\npolicy isn\u0027t loaded then obviously there are no options, so we aren\u0027t\nreally losing any information here.\n\nThis is safe as the only other return of EINVAL comes from\nsecurity_sid_to_context_core() in the case of an invalid sid.  Even if a\nFS was mounted with a now invalidated context that sid should have been\nremapped to unlabeled and so we won\u0027t hit the EINVAL and will work like\nwe should.  (yes, I tested to make sure it worked like I thought)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nTested-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4836e3007882984279ca63d3c42bf0b14616eb78",
      "tree": "28bf22726964e068b825491d71a141eefedbe5f8",
      "parents": [
        "5c7c204aeca51ccfad63caab4fcdc5d8026c0fd8",
        "4e1e018ecc6f7bfd10fc75b3ff9715cc8164e0a2"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jul 26 20:23:44 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jul 26 20:23:44 2008 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: (39 commits)\n  [PATCH] fix RLIM_NOFILE handling\n  [PATCH] get rid of corner case in dup3() entirely\n  [PATCH] remove remaining namei_{32,64}.h crap\n  [PATCH] get rid of indirect users of namei.h\n  [PATCH] get rid of __user_path_lookup_open\n  [PATCH] f_count may wrap around\n  [PATCH] dup3 fix\n  [PATCH] don\u0027t pass nameidata to __ncp_lookup_validate()\n  [PATCH] don\u0027t pass nameidata to gfs2_lookupi()\n  [PATCH] new (local) helper: user_path_parent()\n  [PATCH] sanitize __user_walk_fd() et.al.\n  [PATCH] preparation to __user_walk_fd cleanup\n  [PATCH] kill nameidata passing to permission(), rename to inode_permission()\n  [PATCH] take noexec checks to very few callers that care\n  Re: [PATCH 3/6] vfs: open_exec cleanup\n  [patch 4/4] vfs: immutable inode checking cleanup\n  [patch 3/4] fat: dont call notify_change\n  [patch 2/4] vfs: utimes cleanup\n  [patch 1/4] vfs: utimes: move owner check into inode_change_ok()\n  [PATCH] vfs: use kstrdup() and check failing allocation\n  ...\n"
    },
    {
      "commit": "228428428138e231a155464239880201e5cc8b44",
      "tree": "89b437f5501d03ca36b717e232337426d0de77ca",
      "parents": [
        "78681ac08a611313595d13cafabae1183b71ef48",
        "6c3b8fc618905d7599dcc514c99ce4293d476f39"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jul 26 20:17:56 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jul 26 20:17:56 2008 -0700"
      },
      "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:\n  netns: fix ip_rt_frag_needed rt_is_expired\n  netfilter: nf_conntrack_extend: avoid unnecessary \"ct-\u003eext\" dereferences\n  netfilter: fix double-free and use-after free\n  netfilter: arptables in netns for real\n  netfilter: ip{,6}tables_security: fix future section mismatch\n  selinux: use nf_register_hooks()\n  netfilter: ebtables: use nf_register_hooks()\n  Revert \"pkt_sched: sch_sfq: dump a real number of flows\"\n  qeth: use dev-\u003eml_priv instead of dev-\u003epriv\n  syncookies: Make sure ECN is disabled\n  net: drop unused BUG_TRAP()\n  net: convert BUG_TRAP to generic WARN_ON\n  drivers/net: convert BUG_TRAP to generic WARN_ON\n"
    },
    {
      "commit": "b1da47e29e467f1ec36dc78d009bfb109fd533c7",
      "tree": "13d72e54e6b7d9bbb0e48158c84bcb26561b0ecb",
      "parents": [
        "e9b76fedc61235da80b6b7f81dfd67ec224dfb49"
      ],
      "author": {
        "name": "Miklos Szeredi",
        "email": "mszeredi@suse.cz",
        "time": "Tue Jul 01 15:01:28 2008 +0200"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sat Jul 26 20:53:27 2008 -0400"
      },
      "message": "[patch 3/4] fat: dont call notify_change\n\nThe FAT_IOCTL_SET_ATTRIBUTES ioctl() calls notify_change() to change\nthe file mode before changing the inode attributes.  Replace with\nexplicit calls to security_inode_setattr(), fat_setattr() and\nfsnotify_change().\n\nThis is equivalent to the original.  The reason it is needed, is that\nlater in the series we move the immutable check into notify_change().\nThat would break the FAT_IOCTL_SET_ATTRIBUTES ioctl, as it needs to\nperform the mode change regardless of the immutability of the file.\n\n[Fix error if fat is built as a module.  Thanks to OGAWA Hirofumi for\nnoticing.]\n\nSigned-off-by: Miklos Szeredi \u003cmszeredi@suse.cz\u003e\nAcked-by: OGAWA Hirofumi \u003chirofumi@mail.parknet.co.jp\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "b77b0646ef4efe31a7449bb3d9360fd00f95433d",
      "tree": "f8487fe832fbe23400c9f98e808555f0251fb158",
      "parents": [
        "a110343f0d6d41f68b7cf8c00b57a3172c67f816"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Jul 17 09:37:02 2008 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sat Jul 26 20:53:22 2008 -0400"
      },
      "message": "[PATCH] pass MAY_OPEN to vfs_permission() explicitly\n\n... and get rid of the last \"let\u0027s deduce mask from nameidata-\u003eflags\"\nbit.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "6c5a9d2e1599a099b0e47235a1c1502162b14310",
      "tree": "517e577b1485b8a40458cff1e3780eab556f4749",
      "parents": [
        "e40f51a36a6ca718e829c0933ab1e79333ac932e"
      ],
      "author": {
        "name": "Alexey Dobriyan",
        "email": "adobriyan@gmail.com",
        "time": "Sat Jul 26 17:48:15 2008 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sat Jul 26 17:48:15 2008 -0700"
      },
      "message": "selinux: use nf_register_hooks()\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "0d094efeb1e98010c6b99923f1eb7e17bf1e3a74",
      "tree": "6ee271b6da5796e5321d2ab6f9d7d9ba03c300a2",
      "parents": [
        "dae33574dcf5211e1f43c7e45fa29f73ba3e00cb"
      ],
      "author": {
        "name": "Roland McGrath",
        "email": "roland@redhat.com",
        "time": "Fri Jul 25 19:45:49 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Jul 26 12:00:08 2008 -0700"
      },
      "message": "tracehook: tracehook_tracer_task\n\nThis adds the tracehook_tracer_task() hook to consolidate all forms of\n\"Who is using ptrace on me?\" logic.  This is used for \"TracerPid:\" in\n/proc and for permission checks.  We also clean up the selinux code that\ncalled an identical accessor.\n\nSigned-off-by: Roland McGrath \u003croland@redhat.com\u003e\nCc: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nReviewed-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "7759fc9d10d3559f365cb122d81e0c0a185fe0fe",
      "tree": "2674cb439f9d27b5c0ef9ef078f6c8f7dac3b758",
      "parents": [
        "4efd1a1b2f09a4b746dd9dc057986c6dadcb1317"
      ],
      "author": {
        "name": "Li Zefan",
        "email": "lizf@cn.fujitsu.com",
        "time": "Fri Jul 25 01:47:08 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jul 25 10:53:37 2008 -0700"
      },
      "message": "devcgroup: code cleanup\n\n- clean up set_majmin()\n- use simple_strtoul() to parse major/minor\n\n[akpm@linux-foundation.org: fix simple_strtoul() usage]\n[kosaki.motohiro@jp.fujitsu.com: fix warnings]\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nSigned-off-by: KOSAKI Motohiro \u003ckosaki.motohiro@jp.fujitsu.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "4efd1a1b2f09a4b746dd9dc057986c6dadcb1317",
      "tree": "048b7c286be2f17efce9b3482d9618cd150ee3f7",
      "parents": [
        "e885dcde75685e09f23cffae1f6d5169c105b8a0"
      ],
      "author": {
        "name": "Pavel Emelyanov",
        "email": "xemul@openvz.org",
        "time": "Fri Jul 25 01:47:07 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jul 25 10:53:37 2008 -0700"
      },
      "message": "devcgroup: relax white-list protection down to RCU\n\nCurrently this list is protected with a simple spinlock, even for reading\nfrom one.  This is OK, but can be better.\n\nActually I want it to be better very much, since after replacing the\nOpenVZ device permissions engine with the cgroup-based one I noticed, that\nwe set 12 default device permissions for each newly created container (for\n/dev/null, full, terminals, etc. devices), and people sometimes have up to\n20 perms more, so traversing the ~30-40 elements list under a spinlock\ndoesn\u0027t seem very good.\n\nHere\u0027s the RCU protection for white-list - dev_whitelist_item-s are added\nand removed under the devcg-\u003elock, but are looked up in permissions\nchecking under the rcu_read_lock.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Balbir Singh \u003cbalbir@in.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: \"Paul E. McKenney\" \u003cpaulmck@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "f92523e3a7861f5dbd76021e0719a35fe8771f2d",
      "tree": "933c9e6e1f0683ac1c6bc019da5b91c9e567bf7c",
      "parents": [
        "e37123953292146445c8629b3950d0513fd10ae2"
      ],
      "author": {
        "name": "Paul Menage",
        "email": "menage@google.com",
        "time": "Fri Jul 25 01:47:03 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jul 25 10:53:36 2008 -0700"
      },
      "message": "cgroup files: convert devcgroup_access_write() into a cgroup write_string() handler\n\nThis patch converts devcgroup_access_write() from a raw file handler\ninto a handler for the cgroup write_string() method. This allows some\nboilerplate copying/locking/checking to be removed and simplifies the\ncleanup path, since these functions are performed by the cgroups\nframework before calling the handler.\n\nSigned-off-by: Paul Menage \u003cmenage@google.com\u003e\nCc: Paul Jackson \u003cpj@sgi.com\u003e\nCc: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nCc: Balbir Singh \u003cbalbir@in.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: KAMEZAWA Hiroyuki \u003ckamezawa.hiroyu@jp.fujitsu.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "84aaa7ab4c40b66d6dd9aa393901551ad50ec640",
      "tree": "6b16125299477335c808e7ee548bd778fc9fd5df",
      "parents": [
        "ab763c7112ce0e2559c73f921617c81dc7287ca6"
      ],
      "author": {
        "name": "Andrew G. Morgan",
        "email": "morgan@kernel.org",
        "time": "Wed Jul 23 21:28:25 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jul 24 10:47:22 2008 -0700"
      },
      "message": "security: filesystem capabilities no longer experimental\n\nFilesystem capabilities have come of age.  Remove the experimental tag for\nconfiguring filesystem capabilities.\n\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "5459c164f0591ee75ed0203bb8f3817f25948e2f",
      "tree": "7b17a0cbadfc487d7311b7f5a41779ff33d6fe7f",
      "parents": [
        "78ecba081224a2db5876b6b81cfed0b78f58adc7"
      ],
      "author": {
        "name": "Andrew G. Morgan",
        "email": "morgan@kernel.org",
        "time": "Wed Jul 23 21:28:24 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jul 24 10:47:22 2008 -0700"
      },
      "message": "security: protect legacy applications from executing with insufficient privilege\n\nWhen cap_bset suppresses some of the forced (fP) capabilities of a file,\nit is generally only safe to execute the program if it understands how to\nrecognize it doesn\u0027t have enough privilege to work correctly.  For legacy\napplications (fE!\u003d0), which have no non-destructive way to determine that\nthey are missing privilege, we fail to execute (EPERM) any executable that\nrequires fP capabilities, but would otherwise get pP\u0027 \u003c fP.  This is a\nfail-safe permission check.\n\nFor some discussion of why it is problematic for (legacy) privileged\napplications to run with less than the set of capabilities requested for\nthem, see:\n\n http://userweb.kernel.org/~morgan/sendmail-capabilities-war-story.html\n\nWith this iteration of this support, we do not include setuid-0 based\nprivilege protection from the bounding set.  That is, the admin can still\n(ab)use the bounding set to suppress the privileges of a setuid-0 program.\n\n[akpm@linux-foundation.org: coding-style fixes]\n[akpm@linux-foundation.org: cleanup]\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "089be43e403a78cd6889cde2fba164fefe9dfd89",
      "tree": "de401b27c91c528dbf64c712e6b64d185ded0c54",
      "parents": [
        "50515af207d410c9f228380e529c56f43c3de0bd"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jul 15 18:32:49 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jul 15 18:32:49 2008 +1000"
      },
      "message": "Revert \"SELinux: allow fstype unknown to policy to use xattrs if present\"\n\nThis reverts commit 811f3799279e567aa354c649ce22688d949ac7a9.\n\nFrom Eric Paris:\n\n\"Please drop this patch for now.  It deadlocks on ntfs-3g.  I need to\nrework it to handle fuse filesystems better.  (casey was right)\"\n"
    },
    {
      "commit": "6f0f0fd496333777d53daff21a4e3b28c4d03a6d",
      "tree": "202de67376fce2547b44ae5b016d6424c3c7409c",
      "parents": [
        "93cbace7a058bce7f99319ef6ceff4b78cf45051"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jul 10 17:02:07 2008 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:04:06 2008 +1000"
      },
      "message": "security: remove register_security hook\n\nThe register security hook is no longer required, as the capability\nmodule is always registered.  LSMs wishing to stack capability as\na secondary module should do so explicitly.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n"
    },
    {
      "commit": "93cbace7a058bce7f99319ef6ceff4b78cf45051",
      "tree": "01a9f6c054dc2cca186a563a84345c4635ab304e",
      "parents": [
        "5915eb53861c5776cfec33ca4fcc1fd20d66dd27"
      ],
      "author": {
        "name": "Miklos Szeredi",
        "email": "miklos@szeredi.hu",
        "time": "Thu Jul 10 11:10:09 2008 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:03:41 2008 +1000"
      },
      "message": "security: remove dummy module fix\n\nFix small oversight in \"security: remove dummy module\":\nCONFIG_SECURITY_FILE_CAPABILITIES doesn\u0027t depend on CONFIG_SECURITY\n\nSigned-off-by: Miklos Szeredi \u003cmszeredi@suse.cz\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5915eb53861c5776cfec33ca4fcc1fd20d66dd27",
      "tree": "d4895b96dfdc227a3abe2f13c093b6f53ac3aef8",
      "parents": [
        "b478a9f9889c81e88077d1495daadee64c0af541"
      ],
      "author": {
        "name": "Miklos Szeredi",
        "email": "mszeredi@suse.cz",
        "time": "Thu Jul 03 20:56:05 2008 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:03:04 2008 +1000"
      },
      "message": "security: remove dummy module\n\nRemove the dummy module and make the \"capability\" module the default.\n\nCompile and boot tested.\n\nSigned-off-by: Miklos Szeredi \u003cmszeredi@suse.cz\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b478a9f9889c81e88077d1495daadee64c0af541",
      "tree": "d1a843fab53dd4b28b45172ba0b90417c4eefc48",
      "parents": [
        "2069f457848f846cb31149c9aa29b330a6b66d1b"
      ],
      "author": {
        "name": "Miklos Szeredi",
        "email": "mszeredi@suse.cz",
        "time": "Thu Jul 03 20:56:04 2008 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:02:05 2008 +1000"
      },
      "message": "security: remove unused sb_get_mnt_opts hook\n\nThe sb_get_mnt_opts() hook is unused, and is superseded by the\nsb_show_options() hook.\n\nSigned-off-by: Miklos Szeredi \u003cmszeredi@suse.cz\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2069f457848f846cb31149c9aa29b330a6b66d1b",
      "tree": "199e7bb15e7d7b5cf008cd6fdb6cefc0d6af7f13",
      "parents": [
        "811f3799279e567aa354c649ce22688d949ac7a9"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Jul 04 09:47:13 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:02:05 2008 +1000"
      },
      "message": "LSM/SELinux: show LSM mount options in /proc/mounts\n\nThis patch causes SELinux mount options to show up in /proc/mounts.  As\nwith other code in the area seq_put errors are ignored.  Other LSM\u0027s\nwill not have their mount options displayed until they fill in their own\nsecurity_sb_show_options() function.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Miklos Szeredi \u003cmszeredi@suse.cz\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "811f3799279e567aa354c649ce22688d949ac7a9",
      "tree": "2a4d8c30821de84d5adcf37a09562ebba92f9f23",
      "parents": [
        "65fc7668006b537f7ae8451990c0ed9ec882544e"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Jun 18 09:50:04 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:02:04 2008 +1000"
      },
      "message": "SELinux: allow fstype unknown to policy to use xattrs if present\n\nCurrently if a FS is mounted for which SELinux policy does not define an\nfs_use_* that FS will either be genfs labeled or not labeled at all.\nThis decision is based on the existence of a genfscon rule in policy and\nis irrespective of the capabilities of the filesystem itself.  This\npatch allows the kernel to check if the filesystem supports security\nxattrs and if so will use those if there is no fs_use_* rule in policy.\nAn fstype with no fs_use_* rule but with a genfs rule will use xattrs\nif available and will follow the genfs rule.\n\nThis can be particularly interesting for things like ecryptfs which\nactually overlays a real underlying FS.  If we define ecryptfs in\npolicy to use xattrs we will likely get this wrong at times, so with\nthis patch we just don\u0027t need to define it!\n\nOverlay ecryptfs on top of NFS with no xattr support:\nSELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts\nOverlay ecryptfs on top of ext4 with xattr support:\nSELinux: initialized (dev ecryptfs, type ecryptfs), uses xattr\n\nIt is also useful as the kernel adds new FS we don\u0027t need to add them in\npolicy if they support xattrs and that is how we want to handle them.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "65fc7668006b537f7ae8451990c0ed9ec882544e",
      "tree": "9f0f2b9c98aaa330534e225c5644e997cf01c1a9",
      "parents": [
        "2baf06df85b27c1d64867883a0692519594f1ef2"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jun 12 01:00:10 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:02:03 2008 +1000"
      },
      "message": "security: fix return of void-valued expressions\n\nFix several warnings generated by sparse of the form\n\"returning void-valued expression\".\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\n"
    },
    {
      "commit": "2baf06df85b27c1d64867883a0692519594f1ef2",
      "tree": "b4f8f2ba2c4175983fea740a607d7cc3cfef26ec",
      "parents": [
        "e399f98224a03d2e85fb45eacba367c47173f6f9"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jun 12 01:42:35 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:02:02 2008 +1000"
      },
      "message": "SELinux: use do_each_thread as a proper do/while block\n\nUse do_each_thread as a proper do/while block.  Sparse complained.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n"
    },
    {
      "commit": "e399f98224a03d2e85fb45eacba367c47173f6f9",
      "tree": "b21f310e9317c2726acc5d27763c95a128528b4d",
      "parents": [
        "6cbe27061a69ab89d25dbe42d1a4f33a8425fe88"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jun 12 01:39:58 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:02:01 2008 +1000"
      },
      "message": "SELinux: remove unused and shadowed addrlen variable\n\nRemove unused and shadowed addrlen variable.  Picked up by sparse.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\n"
    },
    {
      "commit": "6cbe27061a69ab89d25dbe42d1a4f33a8425fe88",
      "tree": "883e50c699dcd495ca9fc985e71622394ce21001",
      "parents": [
        "22df4adb049a5cbb340dd935f5bbfa1ab3947562"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Jun 09 16:51:37 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:02:00 2008 +1000"
      },
      "message": "SELinux: more user friendly unknown handling printk\n\nI\u0027ve gotten complaints and reports about people not understanding the\nmeaning of the current unknown class/perm handling the kernel emits on\nevery policy load.  Hopefully this will make it clear to everyone\nthe meaning of the message and won\u0027t waste a printk the user won\u0027t care\nabout anyway on systems where the kernel and the policy agree on\neverything.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "22df4adb049a5cbb340dd935f5bbfa1ab3947562",
      "tree": "28dead43dd9eb81768e143ced4e9cd45c6a0246f",
      "parents": [
        "89abd0acf0335f3f760a3c0698d43bb1eaa83e44"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Mon Jun 09 16:03:56 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:59 2008 +1000"
      },
      "message": "selinux: change handling of invalid classes (Was: Re: 2.6.26-rc5-mm1 selinux whine)\n\nOn Mon, 2008-06-09 at 01:24 -0700, Andrew Morton wrote:\n\u003e Getting a few of these with FC5:\n\u003e\n\u003e SELinux: context_struct_compute_av:  unrecognized class 69\n\u003e SELinux: context_struct_compute_av:  unrecognized class 69\n\u003e\n\u003e one came out when I logged in.\n\u003e\n\u003e No other symptoms, yet.\n\nChange handling of invalid classes by SELinux, reporting class values\nunknown to the kernel as errors (w/ ratelimit applied) and handling\nclass values unknown to policy as normal denials.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "89abd0acf0335f3f760a3c0698d43bb1eaa83e44",
      "tree": "c71f08fd6b9fa3969352f96d88daa1409474e2d6",
      "parents": [
        "cea78dc4ca044e9666e8f5d797ec50ab85253e49"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Jun 09 15:58:04 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:58 2008 +1000"
      },
      "message": "SELinux: drop load_mutex in security_load_policy\n\nWe used to protect against races of policy load in security_load_policy\nby using the load_mutex.  Since then we have added a new mutex,\nsel_mutex, in sel_write_load() which is always held across all calls to\nsecurity_load_policy we are covered and can safely just drop this one.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "cea78dc4ca044e9666e8f5d797ec50ab85253e49",
      "tree": "3aa8608428774602db2550cd684bef26a9812b5d",
      "parents": [
        "bdd581c1439339f1d3e8446b83e0f1beaef294e9"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Jun 09 15:43:12 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:58 2008 +1000"
      },
      "message": "SELinux: fix off by 1 reference of class_to_string in context_struct_compute_av\n\nThe class_to_string array is referenced by tclass.  My code mistakenly\nwas using tclass - 1.  If the preceding class is a userspace class\nrather than kernel class this may cause a denial/EINVAL even if unknown\nhandling is set to allow.  The bug shouldn\u0027t be allowing excess\nprivileges since those are given based on the contents of another array\nwhich should be correctly referenced.\n\nAt this point in time it\u0027s pretty unlikely this is going to cause\nproblems.  The most recently added kernel classes which could be\naffected are association, dccp_socket, and peer.  It\u0027s pretty unlikely\nany policy with handle_unknown\u003dallow doesn\u0027t have association and\ndccp_socket undefined (they\u0027ve been around longer than unknown handling)\nand peer is conditionalized on a policy cap which should only be defined\nif that class exists in policy.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "bdd581c1439339f1d3e8446b83e0f1beaef294e9",
      "tree": "aa6daa5462dfe041692900d1e853a94bc791818b",
      "parents": [
        "972ccac2b237967ed7e56a50eb181b5a0a484b79"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jun 06 18:50:12 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:57 2008 +1000"
      },
      "message": "SELinux: open code sidtab lock\n\nOpen code sidtab lock to make Andrew Morton happy.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n"
    },
    {
      "commit": "972ccac2b237967ed7e56a50eb181b5a0a484b79",
      "tree": "44916f101e36cbb9c5c75eca91bd5a76250ea0c2",
      "parents": [
        "0804d1133c02cbdfba0055de774f2c21a8b777dc"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jun 06 18:43:26 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:56 2008 +1000"
      },
      "message": "SELinux: open code load_mutex\n\nOpen code load_mutex as suggested by Andrew Morton.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0804d1133c02cbdfba0055de774f2c21a8b777dc",
      "tree": "d9bbb58ed872f55887d2269abd9aec252894289d",
      "parents": [
        "59dbd1ba9847837aa7095f3e4a29599dae412ac4"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jun 06 18:40:29 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:55 2008 +1000"
      },
      "message": "SELinux: open code policy_rwlock\n\nOpen code policy_rwlock, as suggested by Andrew Morton.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n"
    },
    {
      "commit": "59dbd1ba9847837aa7095f3e4a29599dae412ac4",
      "tree": "7027450aa23e7f25a67e5cd9a7686e013956ac61",
      "parents": [
        "242631c49d4cf39642741d6627750151b058233b"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Thu Jun 05 09:48:51 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:54 2008 +1000"
      },
      "message": "selinux: fix endianness bug in network node address handling\n\nFix an endianness bug in the handling of network node addresses by\nSELinux.  This yields no change on little endian hardware but fixes\nthe incorrect handling on big endian hardware.  The network node\naddresses are stored in network order in memory by checkpolicy, not in\ncpu/host order, and thus should not have cpu_to_le32/le32_to_cpu\nconversions applied upon policy write/read unlike other data in the\npolicy.\n\nBug reported by John Weeks of Sun, who noticed that binary policy\nfiles built from the same policy source on x86 and sparc differed and\ntracked it down to the ipv4 address handling in checkpolicy.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "242631c49d4cf39642741d6627750151b058233b",
      "tree": "26756c2b256cf5b14ca279a634d5bcc5e67b2b41",
      "parents": [
        "abc69bb633931bf54c6db798bcdc6fd1e0284742"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Thu Jun 05 09:21:28 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:53 2008 +1000"
      },
      "message": "selinux: simplify ioctl checking\n\nSimplify and improve the robustness of the SELinux ioctl checking by\nusing the \"access mode\" bits of the ioctl command to determine the\npermission check rather than dealing with individual command values.\nThis removes any knowledge of specific ioctl commands from SELinux\nand follows the same guidance we gave to Smack earlier.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "abc69bb633931bf54c6db798bcdc6fd1e0284742",
      "tree": "711aaf6c5e1d8bdd57138e8baf3a369ed832602d",
      "parents": [
        "006ebb40d3d65338bd74abb03b945f8d60e362bd"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Wed May 21 14:16:12 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:52 2008 +1000"
      },
      "message": "SELinux: enable processes with mac_admin to get the raw inode contexts\n\nEnable processes with CAP_MAC_ADMIN + mac_admin permission in policy\nto get undefined contexts on inodes.  This extends the support for\ndeferred mapping of security contexts in order to permit restorecon\nand similar programs to see the raw file contexts unknown to the\nsystem policy in order to check them.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "006ebb40d3d65338bd74abb03b945f8d60e362bd",
      "tree": "c548c678b54b307e1fb9acf94676fb7bfd849501",
      "parents": [
        "feb2a5b82d87fbdc01c00b7e9413e4b5f4c1f0c1"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Mon May 19 08:32:49 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:47 2008 +1000"
      },
      "message": "Security: split proc ptrace checking into read vs. attach\n\nEnable security modules to distinguish reading of process state via\nproc from full ptrace access by renaming ptrace_may_attach to\nptrace_may_access and adding a mode argument indicating whether only\nread access or full attach access is requested.  This allows security\nmodules to permit access to reading process state without granting\nfull ptrace access.  The base DAC/capability checking remains unchanged.\n\nRead access to /proc/pid/mem continues to apply a full ptrace attach\ncheck since check_mem_permission() already requires the current task\nto already be ptracing the target.  The other ptrace checks within\nproc for elements like environ, maps, and fds are changed to pass the\nread mode instead of attach.\n\nIn the SELinux case, we model such reading of process state as a\nreading of a proc file labeled with the target process\u0027 label.  This\nenables SELinux policy to permit such reading of process state without\npermitting control or manipulation of the target process, as there are\na number of cases where programs probe for such information via proc\nbut do not need to be able to control the target (e.g. procps,\nlsof, PolicyKit, ConsoleKit).  At present we have to choose between\nallowing full ptrace in policy (more permissive than required/desired)\nor breaking functionality (or in some cases just silencing the denials\nvia dontaudit rules but this can hide genuine attacks).\n\nThis version of the patch incorporates comments from Casey Schaufler\n(change/replace existing ptrace_may_attach interface, pass access\nmode), and Chris Wright (provide greater consistency in the checking).\n\nNote that like their predecessors __ptrace_may_attach and\nptrace_may_attach, the __ptrace_may_access and ptrace_may_access\ninterfaces use different return value conventions from each other (0\nor -errno vs. 1 or 0).  I retained this difference to avoid any\nchanges to the caller logic but made the difference clearer by\nchanging the latter interface to return a bool rather than an int and\nby adding a comment about it to ptrace.h for any future callers.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "feb2a5b82d87fbdc01c00b7e9413e4b5f4c1f0c1",
      "tree": "ba72273578711b9e21386570f70bc619b6af3ae4",
      "parents": [
        "fdeb05184b8b2500e120647778d63fddba76dc59"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue May 20 09:42:33 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:38 2008 +1000"
      },
      "message": "SELinux: remove inherit field from inode_security_struct\n\nRemove inherit field from inode_security_struct, per Stephen Smalley:\n\"Let\u0027s just drop inherit altogether - dead field.\"\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "fdeb05184b8b2500e120647778d63fddba76dc59",
      "tree": "19e745966786f4af3d589018d6dc738aeb5f1321",
      "parents": [
        "f5269710789f666a65cf1132c4f1d14fbc8d3c29"
      ],
      "author": {
        "name": "Richard Kennedy",
        "email": "richard@rsk.demon.co.uk",
        "time": "Sun May 18 12:32:57 2008 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:37 2008 +1000"
      },
      "message": "SELinux: reorder inode_security_struct to increase objs/slab on 64bit\n\nreorder inode_security_struct to remove padding on 64 bit builds\n\nsize reduced from 72 to 64 bytes increasing objects per slab to 64.\n\nSigned-off-by: Richard Kennedy \u003crichard@rsk.demon.co.uk\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f5269710789f666a65cf1132c4f1d14fbc8d3c29",
      "tree": "8c61f74cb04505e3f16483baf1d7113e750968d7",
      "parents": [
        "9a59daa03df72526d234b91dd3e32ded5aebd3ef"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed May 14 11:27:45 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:36 2008 +1000"
      },
      "message": "SELinux: keep the code clean formatting and syntax\n\nFormatting and syntax changes\n\nwhitespace, tabs to spaces, trailing space\nput open { on same line as struct def\nremove unneeded {} after if statements\nchange printk(\"Lu\") to printk(\"llu\")\nconvert asm/uaccess.h to linux/uaccess.h includes\nremove unnecessary asm/bug.h includes\nconvert all users of simple_strtol to strict_strtol\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "9a59daa03df72526d234b91dd3e32ded5aebd3ef",
      "tree": "9ba6797d509a5657be7f47f55e630f06a489174d",
      "parents": [
        "12b29f34558b9b45a2c6eabd4f3c6be939a3980f"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Wed May 14 10:33:55 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:35 2008 +1000"
      },
      "message": "SELinux: fix sleeping allocation in security_context_to_sid\n\nFix a sleeping function called from invalid context bug by moving allocation\nto the callers prior to taking the policy rdlock.\n\nSigned-off-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "12b29f34558b9b45a2c6eabd4f3c6be939a3980f",
      "tree": "9b7921724226cd81901070026572bf05014dc41c",
      "parents": [
        "bce7f793daec3e65ec5c5705d2457b81fe7b5725"
      ],
      "author": {
        "name": "Stephen Smalley",
        "email": "sds@tycho.nsa.gov",
        "time": "Wed May 07 13:03:20 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jul 14 15:01:34 2008 +1000"
      },
      "message": "selinux: support deferred mapping of contexts\n\nIntroduce SELinux support for deferred mapping of security contexts in\nthe SID table upon policy reload, and use this support for inode\nsecurity contexts when the context is not yet valid under the current\npolicy.  Only processes with CAP_MAC_ADMIN + mac_admin permission in\npolicy can set undefined security contexts on inodes.  Inodes with\nsuch undefined contexts are treated as having the unlabeled context\nuntil the context becomes valid upon a policy reload that defines the\ncontext.  Context invalidation upon policy reload also uses this\nsupport to save the context information in the SID table and later\nrecover it upon a subsequent policy reload that defines the context\nagain.\n\nThis support is to enable package managers and similar programs to set\ndown file contexts unknown to the system policy at the time the file\nis created in order to better support placing loadable policy modules\nin packages and to support build systems that need to create images of\ndifferent distro releases with different policies w/o requiring all of\nthe contexts to be defined or legal in the build host policy.\n\nWith this patch applied, the following sequence is possible, although\nin practice it is recommended that this permission only be allowed to\nspecific program domains such as the package manager.\n\n# rmdir baz\n# rm bar\n# touch bar\n# chcon -t foo_exec_t bar # foo_exec_t is not yet defined\nchcon: failed to change context of `bar\u0027 to `system_u:object_r:foo_exec_t\u0027: Invalid argument\n# mkdir -Z system_u:object_r:foo_exec_t baz\nmkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t\u0027: Invalid argument\n# cat setundefined.te\npolicy_module(setundefined, 1.0)\nrequire {\n\ttype unconfined_t;\n\ttype unlabeled_t;\n}\nfiles_type(unlabeled_t)\nallow unconfined_t self:capability2 mac_admin;\n# make -f /usr/share/selinux/devel/Makefile setundefined.pp\n# semodule -i setundefined.pp\n# chcon -t foo_exec_t bar # foo_exec_t is not yet defined\n# mkdir -Z system_u:object_r:foo_exec_t baz\n# ls -Zd bar baz\n-rw-r--r--  root root system_u:object_r:unlabeled_t    bar\ndrwxr-xr-x  root root system_u:object_r:unlabeled_t    baz\n# cat foo.te\npolicy_module(foo, 1.0)\ntype foo_exec_t;\nfiles_type(foo_exec_t)\n# make -f /usr/share/selinux/devel/Makefile foo.pp\n# semodule -i foo.pp # defines foo_exec_t\n# ls -Zd bar baz\n-rw-r--r--  root root user_u:object_r:foo_exec_t       bar\ndrwxr-xr-x  root root system_u:object_r:foo_exec_t    baz\n# semodule -r foo\n# ls -Zd bar baz\n-rw-r--r--  root root system_u:object_r:unlabeled_t    bar\ndrwxr-xr-x  root root system_u:object_r:unlabeled_t    baz\n# semodule -i foo.pp\n# ls -Zd bar baz\n-rw-r--r--  root root user_u:object_r:foo_exec_t       bar\ndrwxr-xr-x  root root system_u:object_r:foo_exec_t    baz\n# semodule -r setundefined foo\n# chcon -t foo_exec_t bar # no longer defined and not allowed\nchcon: failed to change context of `bar\u0027 to `system_u:object_r:foo_exec_t\u0027: Invalid argument\n# rmdir baz\n# mkdir -Z system_u:object_r:foo_exec_t baz\nmkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t\u0027: Invalid argument\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ec229e830060091b9be63c8f873c1b2407a82821",
      "tree": "505231f1cad4a3258d509dfc75e47ed445647ff6",
      "parents": [
        "17d213f806dad629e9af36fc45f082b87ed7bceb"
      ],
      "author": {
        "name": "Li Zefan",
        "email": "lizf@cn.fujitsu.com",
        "time": "Sun Jul 13 12:14:04 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sun Jul 13 12:51:18 2008 -0700"
      },
      "message": "devcgroup: fix permission check when adding entry to child cgroup\n\n # cat devices.list\n c 1:3 r\n # echo \u0027c 1:3 w\u0027 \u003e sub/devices.allow\n # cat sub/devices.list\n c 1:3 w\n\nAs illustrated, the parent group has no write permission to /dev/null, so\nits child should not be allowed to add this write permission.\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "17d213f806dad629e9af36fc45f082b87ed7bceb",
      "tree": "bbb91f06c39cddd1a05b0bdb8470f472c39c81c6",
      "parents": [
        "0302c01b4b793cfbc5c7bf8723f6d14bf9bd7cf4"
      ],
      "author": {
        "name": "Li Zefan",
        "email": "lizf@cn.fujitsu.com",
        "time": "Sun Jul 13 12:14:02 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sun Jul 13 12:51:18 2008 -0700"
      },
      "message": "devcgroup: always show positive major/minor num\n\n # echo \"b $((0x7fffffff)):$((0x80000000)) rwm\" \u003e devices.allow\n # cat devices.list\n b 214748364:-21474836 rwm\n\nthough a major/minor number of 0x800000000 is meaningless, we\nshould not cast it to a negative value.\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "d823f6bfec2844493c05961133895de21fa0e02d",
      "tree": "853fac4a97ab842f9ee52adfbf72297e8b90688d",
      "parents": [
        "26ff8c697a2c8f6974c2357d3f01cca91b20c964"
      ],
      "author": {
        "name": "Li Zefan",
        "email": "lizf@cn.fujitsu.com",
        "time": "Fri Jul 04 10:00:07 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jul 04 10:40:10 2008 -0700"
      },
      "message": "devcgroup: fix odd behaviour when writing \u0027a\u0027 to devices.allow\n\n # cat /devcg/devices.list\n a *:* rwm\n # echo a \u003e devices.allow\n # cat /devcg/devices.list\n a *:* rwm\n a 0:0 rwm\n\nThis is odd and maybe confusing.  With this patch, writing \u0027a\u0027 to\ndevices.allow will add \u0027a *:* rwm\u0027 to the whitelist.\n\nAlso a few fixes and updates to the document.\n\nSigned-off-by: Li Zefan \u003clizf@cn.fujitsu.com\u003e\nCc: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nCc: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: Balbir Singh \u003cbalbir@in.ibm.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: KAMEZAWA Hiroyuki \u003ckamezawa.hiroyu@jp.fujitsu.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "1209726ce942047c9fefe7cd427dc36f8e9ded53",
      "tree": "298e78052d6bdd92c78b22c86604f8c8364bc8d9",
      "parents": [
        "086f7316f0d400806d76323beefae996bb3849b1"
      ],
      "author": {
        "name": "Andrew G. Morgan",
        "email": "morgan@kernel.org",
        "time": "Fri Jul 04 09:59:59 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jul 04 10:40:08 2008 -0700"
      },
      "message": "security: filesystem capabilities: fix CAP_SETPCAP handling\n\nThe filesystem capability support meaning for CAP_SETPCAP is less powerful\nthan the non-filesystem capability support.  As such, when filesystem\ncapabilities are configured, we should not permit CAP_SETPCAP to \u0027enhance\u0027\nthe current process through strace manipulation of a child process.\n\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "8cdbc2b9826b3543fecff2f6d6400fa77b21ffdd",
      "tree": "e42ddc9142988fffb2b4128e2d94b3913914dbe6",
      "parents": [
        "57d3c64fd8130ebdacd85a36c9656ba5e221f3a3"
      ],
      "author": {
        "name": "Andrew G. Morgan",
        "email": "morgan@kernel.org",
        "time": "Thu Jun 12 15:21:33 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jun 12 18:05:40 2008 -0700"
      },
      "message": "capabilities: add (back) dummy support for KEEPCAPS\n\nThe dummy module is used by folk that run security conscious code(!?).  A\nfeature of such code (for example, dhclient) is that it tries to operate\nwith minimum privilege (dropping unneeded capabilities).  While the dummy\nmodule doesn\u0027t restrict code execution based on capability state, the user\ncode expects the kernel to appear to support it.  This patch adds back\nfaked support for the PR_SET_KEEPCAPS etc., calls - making the kernel\nbehave as before 2.6.26.\n\nFor details see: http://bugzilla.kernel.org/show_bug.cgi?id\u003d10748\n\nSigned-off-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "dba6a4d32d8677c99e73798d3375417f8a6d46de",
      "tree": "1011eef6e948f2db35805c017324648e1eddb61a",
      "parents": [
        "37340746a66e5e7feed5945f28cb75d90a8fd9f6"
      ],
      "author": {
        "name": "Daniel Walker",
        "email": "dwalker@mvista.com",
        "time": "Thu Jun 05 22:46:32 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jun 06 11:29:11 2008 -0700"
      },
      "message": "keys: remove unused key_alloc_sem\n\nThis semaphore doesn\u0027t appear to be used, so remove it.\n\nSigned-off-by: Daniel Walker \u003cdwalker@mvista.com\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "d1ee2971f5bd8a16bc5ecfe1b00e14b4fe407c4f",
      "tree": "733c51b66dda47216ca1526fdd85004206fd0ec8",
      "parents": [
        "7db9cfd380205f6b50afdc3bc3619f876a5eaf0d"
      ],
      "author": {
        "name": "Pavel Emelyanov",
        "email": "xemul@openvz.org",
        "time": "Thu Jun 05 22:46:28 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jun 06 11:29:11 2008 -0700"
      },
      "message": "devscgroup: make white list more compact in some cases\n\nConsider you added a \u0027c foo:bar r\u0027 permission to some cgroup and then (a\nbit later) \u0027c foo:bar w\u0027 for it.  After this you\u0027ll see the\n\nc foo:bar r\nc foo:bar w\n\nlines in a devices.list file.\n\nAnother example - consider you added 10 \u0027c foo:bar r\u0027 permissions to some\ncgroup (e.g.  by mistake).  After this you\u0027ll see 10 c foo:bar r lines in\na list file.\n\nThis is weird.  This situation also has one more annoying consequence.\nHaving many items in a white list makes permissions checking slower, since\nit has to walk a longer list.\n\nThe proposal is to merge permissions for items that correspond to the\nsame device.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "cc9cb219aac24ffc711566c8f372c2b3a3bf840f",
      "tree": "efa678227596922a00b2a7744c33707041c78316",
      "parents": [
        "b66862f7663332aa1ecb3ebda4086360ddb8befc"
      ],
      "author": {
        "name": "Pavel Emelyanov",
        "email": "xemul@openvz.org",
        "time": "Thu Jun 05 22:46:26 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jun 06 11:29:11 2008 -0700"
      },
      "message": "devscgroup: relax task to dev_cgroup conversion\n\nTwo functions, that need to get a device_cgroup from a task (they are\ndevcgroup_inode_permission and devcgroup_inode_mknod) make it in a strange\nway:\n\nThey get a css_set from task, then a subsys_state from css_set, then a\ncgroup from the state and then a subsys_state again from the cgroup.\nBesides, the devices_subsys_id is read from memory, whilst there\u0027s an\nenum-ed constant for it.\n\nOptimize this part a bit:\n1. Get the subsys_stats from the task and be done - no 2 extra\n   dereferences,\n2. Use the device_subsys_id constant, not the value from memory\n   (i.e. one less dereference).\n\nFound while preparing 2.6.26 OpenVZ port.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Paul Menage \u003cmenage@google.com\u003e\nCc: Balbir Singh \u003cbalbir@in.ibm.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "b66862f7663332aa1ecb3ebda4086360ddb8befc",
      "tree": "8ba5a907f4bafad460cef4d6c573b9f5aae957e5",
      "parents": [
        "93b071139a956e51c98cdefd50a47981a4eb852e"
      ],
      "author": {
        "name": "Pavel Emelyanov",
        "email": "xemul@openvz.org",
        "time": "Thu Jun 05 22:46:24 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jun 06 11:29:11 2008 -0700"
      },
      "message": "devcgroup: make a helper to convert cgroup_subsys_state to devs_cgroup\n\nThis is just picking the container_of out of cgroup_to_devcgroup into a\nseparate function.\n\nThis new css_to_devcgroup will be used in the 2nd patch.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Paul Menage \u003cmenage@google.com\u003e\nCc: Balbir Singh \u003cbalbir@in.ibm.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "e97dcb0eadbb821eccd549d4987b653cf61e2374",
      "tree": "0dc9cddcac54dcdc35f7e1ddf6e190947ec86320",
      "parents": [
        "246dd412d31e4f5de1d43aa6422a325b785f36e4"
      ],
      "author": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Mon Jun 02 10:04:32 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Jun 04 08:50:43 2008 -0700"
      },
      "message": "Smack: fuse mount hang fix\n\nThe d_instantiate hook for Smack can hang on the root inode of a\nfilesystem if the file system code has not really done all the set-up.\nFuse is known to encounter this problem.\n\nThis change detects an attempt to instantiate a root inode and addresses\nit early in the processing, before any attempt is made to do something\nthat might hang.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nTested-by: Luiz Fernando N. Capitulino \u003clcapitulino@mandriva.com.br\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "9f3acc3140444a900ab280de942291959f0f615d",
      "tree": "0d7f3f9698071ff90fb9a127a4c6e86e1c37c945",
      "parents": [
        "a2dcb44c3c5a8151d2d9f6ac8ad0789efcdbe184"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Apr 24 07:44:08 2008 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu May 01 13:08:16 2008 -0400"
      },
      "message": "[PATCH] split linux/file.h\n\nInitial splitoff of the low-level stuff; taken to fdtable.h\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "3b5e9e53c6f31b5a5a0f5c43707503c62bdefa46",
      "tree": "1244b7cf2755c06a8a793149ce4717e4a1311218",
      "parents": [
        "9e3bd6c3fb2334be171e69b432039cd18bce4458"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@tv-sign.ru",
        "time": "Wed Apr 30 00:52:42 2008 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Apr 30 08:29:34 2008 -0700"
      },
      "message": "signals: cleanup security_task_kill() usage/implementation\n\nEvery implementation of -\u003etask_kill() does nothing when the signal comes from\nthe kernel.  This is correct, but means that check_kill_permission() should\ncall security_task_kill() only for SI_FROMUSER() case, and we can remove the\nsame check from -\u003etask_kill() implementations.\n\n(sadly, check_kill_permission() is the last user of signal-\u003esession/__session\n but we can\u0027t s/task_session_nr/task_session/ here).\n\nNOTE: Eric W. Biederman pointed out cap_task_kill() should die, and I think\nhe is very right.\n\nSigned-off-by: Oleg Nesterov \u003coleg@tv-sign.ru\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nCc: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Roland McGrath \u003croland@redhat.com\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: David Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nCc: Eric Paris \u003ceparis@redhat.com\u003e\nCc: Harald Welte \u003claforge@gnumonks.org\u003e\nCc: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "d20bdda6d45a4035e48ca7ae467a0d955c1ffc60",
      "tree": "634f8bcc6ad7382a79be1081575ee12e7006c375",
      "parents": [
        "780db6c104de48104501f5943361f2371564b85d"
      ],
      "author": {
        "name": "Ahmed S. Darwish",
        "email": "darwish.07@gmail.com",
        "time": "Wed Apr 30 08:34:10 2008 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 30 08:34:10 2008 +1000"
      },
      "message": "Smack: Integrate Smack with Audit\n\nSetup the new Audit hooks for Smack. SELinux Audit rule fields are recycled\nto avoid `auditd\u0027 userspace modifications. Currently only equality testing\nis supported on labels acting as a subject (AUDIT_SUBJ_USER) or as an object\n(AUDIT_OBJ_USER).\n\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n"
    },
    {
      "commit": "e52c1764f18a62776a0f2bc6752fb76b6e345827",
      "tree": "b60a62585dfe511d9216cdd4a207fd07df1b2f99",
      "parents": [
        "7663c1e2792a9662b23dec6e19bfcd3d55360b8f"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Apr 29 20:52:51 2008 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 30 08:23:51 2008 +1000"
      },
      "message": "Security: Make secctx_to_secid() take const secdata\n\nMake secctx_to_secid() take constant secdata.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    }
  ],
  "next": "9781db7b345b5dfe93787aaaf310c861db7c1ede"
}
