)]}' { "log": [ { "commit": "e5467859f7f79b69fc49004403009dfdba3bec53", "tree": "73b011daf79eeddd61bbcaf65cd197b5e5f6f149", "parents": [ "d007794a182bc072a7b7479909dbd0d67ba341be" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed May 30 13:30:51 2012 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu May 31 13:11:54 2012 -0400" }, "message": "split -\u003efile_mmap() into -\u003emmap_addr()/-\u003emmap_file()\n\n... i.e. file-dependent and address-dependent checks.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "d007794a182bc072a7b7479909dbd0d67ba341be", "tree": "75aa7ccd563a0fe8b60391824c92f64098674dda", "parents": [ "cf74d14c4fbce9bcc9eb62f52d721d3399a2b87f" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed May 30 13:11:37 2012 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu May 31 13:10:54 2012 -0400" }, "message": "split cap_mmap_addr() out of cap_file_mmap()\n\n... switch callers.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "ff2bb047c4bce9742e94911eeb44b4d6ff4734ab", "tree": "9d9b1cfa3fc17f0cc13f34ca697306cb1f46b05f", "parents": [ "cffee16e8b997ab947de661e8820e486b0830c94", "c737f8284cac91428f8fcc8281e69117fa16e887" ], "author": { "name": "James Morris", "email": "james.l.morris@oracle.com", "time": "Tue May 22 11:21:06 2012 +1000" }, "committer": { "name": "James Morris", "email": "james.l.morris@oracle.com", "time": "Tue May 22 11:21:06 2012 +1000" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into next\n\nPer pull request, for 3.5.\n" }, { "commit": "259e5e6c75a910f3b5e656151dc602f53f9d7548", "tree": "4405fdf68238f2e33f27b04e8c37c9e29a2493d8", "parents": [ "9ccf010f8172b699ea80178860e8ea228f7dce56" ], "author": { "name": "Andy Lutomirski", "email": "luto@amacapital.net", "time": "Thu Apr 12 16:47:50 2012 -0500" }, "committer": { "name": "James Morris", "email": "james.l.morris@oracle.com", "time": "Sat Apr 14 11:13:18 2012 +1000" }, "message": "Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs\n\nWith this change, calling\n prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)\ndisables privilege granting operations at execve-time. For example, a\nprocess will not be able to execute a setuid binary to change their uid\nor gid if this bit is set. The same is true for file capabilities.\n\nAdditionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that\nLSMs respect the requested behavior.\n\nTo determine if the NO_NEW_PRIVS bit is set, a task may call\n prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);\nIt returns 1 if set and 0 if it is not set. If any of the arguments are\nnon-zero, it will return -1 and set errno to -EINVAL.\n(PR_SET_NO_NEW_PRIVS behaves similarly.)\n\nThis functionality is desired for the proposed seccomp filter patch\nseries. By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the\nsystem call behavior for itself and its child tasks without being\nable to impact the behavior of a more privileged task.\n\nAnother potential use is making certain privileged operations\nunprivileged. For example, chroot may be considered \"safe\" if it cannot\naffect privileged tasks.\n\nNote, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is\nset and AppArmor is in use. It is fixed in a subsequent patch.\n\nSigned-off-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\n\nv18: updated change desc\nv17: using new define values as per 3.4\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n" }, { "commit": "c737f8284cac91428f8fcc8281e69117fa16e887", "tree": "7cb4cd77df9786925aa2c7cad919c4881651638b", "parents": [ "562c99f20d989f222138dddfd71e275bfb3665de" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 05 13:51:53 2012 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 09 12:23:57 2012 -0400" }, "message": "SELinux: remove unused common_audit_data in flush_unauthorized_files\n\nWe don\u0027t need this variable and it just eats stack space. Remove it.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "899838b25f063a94594b1df6e0100aea1ec57fac", "tree": "ce22a1fca876195237ba92051cb12b34aa957447", "parents": [ "1d3492927118d0ce1ea1ff3e007746699cba8f3e" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 04 15:01:43 2012 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 09 12:23:06 2012 -0400" }, "message": "SELinux: unify the selinux_audit_data and selinux_late_audit_data\n\nWe no longer need the distinction. We only need data after we decide to do an\naudit. So turn the \"late\" audit data into just \"data\" and remove what we\ncurrently have as \"data\".\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "50c205f5e5c2e2af002fd4ef537ded79b90b1b56", "tree": "9965a7746aa8c5e982357d5b8c46850f3283206c", "parents": [ "07f62eb66c6626aa5653a0fcb34c9c040d0bd032" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 04 15:01:43 2012 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 09 12:23:04 2012 -0400" }, "message": "LSM: do not initialize common_audit_data to 0\n\nIt isn\u0027t needed. If you don\u0027t set the type of the data associated with\nthat type it is a pretty obvious programming bug. So why waste the cycles?\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "b466066f9b648ccb6aa1e174f0389b7433e460fd", "tree": "beaec41a751db3ceeb55e4c428bb7e1fe995d880", "parents": [ "0972c74ecba4878baa5f97bb78b242c0eefacfb6" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 04 15:01:43 2012 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 09 12:23:03 2012 -0400" }, "message": "LSM: remove the task field from common_audit_data\n\nThere are no legitimate users. Always use current and get back some stack\nspace for the common_audit_data.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "bd5e50f9c1c71daac273fa586424f07205f6b13b", "tree": "57331d7e1941077cd55d33e7f12e6f8a07cdd80e", "parents": [ "d4cf970d0732628d514405c5a975024b9e205b0b" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 04 15:01:42 2012 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 09 12:23:01 2012 -0400" }, "message": "LSM: remove the COMMON_AUDIT_DATA_INIT type expansion\n\nJust open code it so grep on the source code works better.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "d4cf970d0732628d514405c5a975024b9e205b0b", "tree": "481f90ea13b2cbc8dd77bc934aa91024c1df6587", "parents": [ "602a8dd6ea6abd463bc26310c4a1b44919f88e68" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 04 15:01:42 2012 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 09 12:23:00 2012 -0400" }, "message": "SELinux: move common_audit_data to a noinline slow path function\n\nselinux_inode_has_perm is a hot path. Instead of declaring the\ncommon_audit_data on the stack move it to a noinline function only used in\nthe rare case we need to send an audit message.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "602a8dd6ea6abd463bc26310c4a1b44919f88e68", "tree": "426df8399ff298942a7e30c3a360a666e51ba920", "parents": [ "2e33405785d3eaec303c54b4a10afdebf3729da7" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 04 15:01:42 2012 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 09 12:23:00 2012 -0400" }, "message": "SELinux: remove inode_has_perm_noadp\n\nBoth callers could better be using file_has_perm() to get better audit\nresults.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "2e33405785d3eaec303c54b4a10afdebf3729da7", "tree": "f4c0d114503796e9f958341393e336f76a7eb6dd", "parents": [ "154c50ca4eb9ae472f50b6a481213e21ead4457d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 04 15:01:42 2012 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 09 12:22:59 2012 -0400" }, "message": "SELinux: delay initialization of audit data in selinux_inode_permission\n\nWe pay a rather large overhead initializing the common_audit_data.\nSince we only need this information if we actually emit an audit\nmessage there is little need to set it up in the hot path. This patch\nsplits the functionality of avc_has_perm() into avc_has_perm_noaudit(),\navc_audit_required() and slow_avc_audit(). But we take care of setting\nup to audit between required() and the actual audit call. Thus saving\nmeasurable time in a hot path.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "d6ea83ec6864e9297fa8b00ec3dae183413a90e3", "tree": "8a64f20f1a930d8f6ecd5ce0368c55a0c83f49dc", "parents": [ "83d498569e9a7a4b92c4c5d3566f2d6a604f28c9" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 04 13:45:49 2012 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 09 12:22:56 2012 -0400" }, "message": "SELinux: audit failed attempts to set invalid labels\n\nWe know that some yum operation is causing CAP_MAC_ADMIN failures. This\nimplies that an RPM is laying down (or attempting to lay down) a file with\nan invalid label. The problem is that we don\u0027t have any information to\ntrack down the cause. This patch will cause such a failure to report the\nfailed label in an SELINUX_ERR audit message. This is similar to the\nSELINUX_ERR reports on invalid transitions and things like that. It should\nhelp run down problems on what is trying to set invalid labels in the\nfuture.\n\nResulting records look something like:\ntype\u003dAVC msg\u003daudit(1319659241.138:71): avc: denied { mac_admin } for pid\u003d2594 comm\u003d\"chcon\" capability\u003d33 scontext\u003dunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext\u003dunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass\u003dcapability2\ntype\u003dSELINUX_ERR msg\u003daudit(1319659241.138:71): op\u003dsetxattr invalid_context\u003dunconfined_u:object_r:hello:s0\ntype\u003dSYSCALL msg\u003daudit(1319659241.138:71): arch\u003dc000003e syscall\u003d188 success\u003dno exit\u003d-22 a0\u003da2c0e0 a1\u003d390341b79b a2\u003da2d620 a3\u003d1f items\u003d1 ppid\u003d2519 pid\u003d2594 auid\u003d0 uid\u003d0 gid\u003d0 euid\u003d0 suid\u003d0 fsuid\u003d0 egid\u003d0 sgid\u003d0 fsgid\u003d0 tty\u003dpts0 ses\u003d1 comm\u003d\"chcon\" exe\u003d\"/usr/bin/chcon\" subj\u003dunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key\u003d(null)\ntype\u003dCWD msg\u003daudit(1319659241.138:71): cwd\u003d\"/root\" type\u003dPATH msg\u003daudit(1319659241.138:71): item\u003d0 name\u003d\"test\" inode\u003d785879 dev\u003dfc:03 mode\u003d0100644 ouid\u003d0 ogid\u003d0 rdev\u003d00:00 obj\u003dunconfined_u:object_r:admin_home_t:s0\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "83d498569e9a7a4b92c4c5d3566f2d6a604f28c9", "tree": "e0d77f21bda5bec5ace52b3fa557f87b1bb57631", "parents": [ "95dbf739313f09c8d859bde1373bc264ef979337" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 04 13:45:40 2012 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 09 12:22:50 2012 -0400" }, "message": "SELinux: rename dentry_open to file_open\n\ndentry_open takes a file, rename it to file_open\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "95dbf739313f09c8d859bde1373bc264ef979337", "tree": "c798947b740826f1fc6403d8ed840565a086e7ea", "parents": [ "eed7795d0a2c9b2e934afc088e903fa2c17b7958" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 04 13:45:34 2012 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 09 12:22:49 2012 -0400" }, "message": "SELinux: check OPEN on truncate calls\n\nIn RH BZ 578841 we realized that the SELinux sandbox program was allowed to\ntruncate files outside of the sandbox. The reason is because sandbox\nconfinement is determined almost entirely by the \u0027open\u0027 permission. The idea\nwas that if the sandbox was unable to open() files it would be unable to do\nharm to those files. This turns out to be false in light of syscalls like\ntruncate() and chmod() which don\u0027t require a previous open() call. I looked\nat the syscalls that did not have an associated \u0027open\u0027 check and found that\ntruncate(), did not have a seperate permission and even if it did have a\nseparate permission such a permission owuld be inadequate for use by\nsandbox (since it owuld have to be granted so liberally as to be useless).\nThis patch checks the OPEN permission on truncate. I think a better solution\nfor sandbox is a whole new permission, but at least this fixes what we have\ntoday.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "48c62af68a403ef1655546bd3e021070c8508573", "tree": "ba938e4fb45d5bdaad2dad44071d0625f8e36945", "parents": [ "3b3b0e4fc15efa507b902d90cea39e496a523c3b" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 02 13:15:44 2012 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 03 09:49:10 2012 -0700" }, "message": "LSM: shrink the common_audit_data data union\n\nAfter shrinking the common_audit_data stack usage for private LSM data I\u0027m\nnot going to shrink the data union. To do this I\u0027m going to move anything\nlarger than 2 void * ptrs to it\u0027s own structure and require it to be declared\nseparately on the calling stack. Thus hot paths which don\u0027t need more than\na couple pointer don\u0027t have to declare space to hold large unneeded\nstructures. I could get this down to one void * by dealing with the key\nstruct and the struct path. We\u0027ll see if that is helpful after taking care of\nnetworking.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3b3b0e4fc15efa507b902d90cea39e496a523c3b", "tree": "d7b91c21ad6c6f4ac21dd51297b74eec47c61684", "parents": [ "95694129b43165911dc4e8a972f0d39ad98d86be" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Apr 03 09:37:02 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 03 09:48:40 2012 -0700" }, "message": "LSM: shrink sizeof LSM specific portion of common_audit_data\n\nLinus found that the gigantic size of the common audit data caused a big\nperf hit on something as simple as running stat() in a loop. This patch\nrequires LSMs to declare the LSM specific portion separately rather than\ndoing it in a union. Thus each LSM can be responsible for shrinking their\nportion and don\u0027t have to pay a penalty just because other LSMs have a\nbigger space requirement.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2f99c36986ff27a86f06f27212c5f5fa8c7164a3", "tree": "a90fd7fe865bb1c5a00b0946754b505bcf070b60", "parents": [ "4a165d25f63a989d0aabe9d8eed5b3a5d5da1862" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri Mar 23 16:04:05 2012 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Mar 31 16:03:15 2012 -0400" }, "message": "get rid of pointless includes of ext2_fs.h\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "a591afc01d9e48affbacb365558a31e53c85af45", "tree": "9bb91f4eb94ec69fc4706c4944788ec5f3586063", "parents": [ "820d41cf0cd0e94a5661e093821e2e5c6b36a9d8", "31796ac4e8f0e88f5c10f1ad6dab8f19bebe44a4" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 29 18:12:23 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 29 18:12:23 2012 -0700" }, "message": "Merge branch \u0027x86-x32-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip\n\nPull x32 support for x86-64 from Ingo Molnar:\n \"This tree introduces the X32 binary format and execution mode for x86:\n 32-bit data space binaries using 64-bit instructions and 64-bit kernel\n syscalls.\n\n This allows applications whose working set fits into a 32 bits address\n space to make use of 64-bit instructions while using a 32-bit address\n space with shorter pointers, more compressed data structures, etc.\"\n\nFix up trivial context conflicts in arch/x86/{Kconfig,vdso/vma.c}\n\n* \u0027x86-x32-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (71 commits)\n x32: Fix alignment fail in struct compat_siginfo\n x32: Fix stupid ia32/x32 inversion in the siginfo format\n x32: Add ptrace for x32\n x32: Switch to a 64-bit clock_t\n x32: Provide separate is_ia32_task() and is_x32_task() predicates\n x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls\n x86/x32: Fix the binutils auto-detect\n x32: Warn and disable rather than error if binutils too old\n x32: Only clear TIF_X32 flag once\n x32: Make sure TS_COMPAT is cleared for x32 tasks\n fs: Remove missed -\u003efds_bits from cessation use of fd_set structs internally\n fs: Fix close_on_exec pointer in alloc_fdtable\n x32: Drop non-__vdso weak symbols from the x32 VDSO\n x32: Fix coding style violations in the x32 VDSO code\n x32: Add x32 VDSO support\n x32: Allow x32 to be configured\n x32: If configured, add x32 system calls to system call tables\n x32: Handle process creation\n x32: Signal-related system calls\n x86: Add #ifdef CONFIG_COMPAT to \u003casm/sys_ia32.h\u003e\n ...\n" }, { "commit": "1fd36adcd98c14d2fd97f545293c488775cb2823", "tree": "c13ab1934a15aebe0d81601d910ce5a3c6fa2c6f", "parents": [ "1dce27c5aa6770e9d195f2bb7db1db3d4dde5591" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Feb 16 17:49:54 2012 +0000" }, "committer": { "name": "H. Peter Anvin", "email": "hpa@zytor.com", "time": "Sun Feb 19 10:30:57 2012 -0800" }, "message": "Replace the fd_sets in struct fdtable with an array of unsigned longs\n\nReplace the fd_sets in struct fdtable with an array of unsigned longs and then\nuse the standard non-atomic bit operations rather than the FD_* macros.\n\nThis:\n\n (1) Removes the abuses of struct fd_set:\n\n (a) Since we don\u0027t want to allocate a full fd_set the vast majority of the\n \t time, we actually, in effect, just allocate a just-big-enough array of\n \t unsigned longs and cast it to an fd_set type - so why bother with the\n \t fd_set at all?\n\n (b) Some places outside of the core fdtable handling code (such as\n \t SELinux) want to look inside the array of unsigned longs hidden inside\n \t the fd_set struct for more efficient iteration over the entire set.\n\n (2) Eliminates the use of FD_*() macros in the kernel completely.\n\n (3) Permits the __FD_*() macros to be deleted entirely where not exposed to\n userspace.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nLink: http://lkml.kernel.org/r/20120216174954.23314.48147.stgit@warthog.procyon.org.uk\nSigned-off-by: H. Peter Anvin \u003chpa@zytor.com\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "4040153087478993cbf0809f444400a3c808074c", "tree": "2dc7af85b0cf930f1656553bd38410b8c16601a6", "parents": [ "191c542442fdf53cc3c496c00be13367fd9cd42d" ], "author": { "name": "Al Viro", "email": "viro@ftp.linux.org.uk", "time": "Mon Feb 13 03:58:52 2012 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Feb 14 10:45:42 2012 +1100" }, "message": "security: trim security.h\n\nTrim security.h\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c49c41a4134679cecb77362e7f6b59acb6320aa7", "tree": "45e690c036ca5846a48c8be67945d1d841b2d96d", "parents": [ "892d208bcf79e4e1058707786a7b6d486697cd78", "f423e5ba76e7e4a6fcb4836b4f072d1fdebba8b5" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Jan 14 18:36:33 2012 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sat Jan 14 18:36:33 2012 -0800" }, "message": "Merge branch \u0027for-linus\u0027 of git://selinuxproject.org/~jmorris/linux-security\n\n* \u0027for-linus\u0027 of git://selinuxproject.org/~jmorris/linux-security:\n capabilities: remove __cap_full_set definition\n security: remove the security_netlink_recv hook as it is equivalent to capable()\n ptrace: do not audit capability check when outputing /proc/pid/stat\n capabilities: remove task_ns_* functions\n capabitlies: ns_capable can use the cap helpers rather than lsm call\n capabilities: style only - move capable below ns_capable\n capabilites: introduce new has_ns_capabilities_noaudit\n capabilities: call has_ns_capability from has_capability\n capabilities: remove all _real_ interfaces\n capabilities: introduce security_capable_noaudit\n capabilities: reverse arguments to security_capable\n capabilities: remove the task from capable LSM hook entirely\n selinux: sparse fix: fix several warnings in the security server cod\n selinux: sparse fix: fix warnings in netlink code\n selinux: sparse fix: eliminate warnings for selinuxfs\n selinux: sparse fix: declare selinux_disable() in security.h\n selinux: sparse fix: move selinux_complete_init\n selinux: sparse fix: make selinux_secmark_refcount static\n SELinux: Fix RCU deref check warning in sel_netport_insert()\n\nManually fix up a semantic mis-merge wrt security_netlink_recv():\n\n - the interface was removed in commit fd7784615248 (\"security: remove\n the security_netlink_recv hook as it is equivalent to capable()\")\n\n - a new user of it appeared in commit a38f7907b926 (\"crypto: Add\n userspace configuration API\")\n\ncausing no automatic merge conflict, but Eric Paris pointed out the\nissue.\n" }, { "commit": "972b2c719990f91eb3b2310d44ef8a2d38955a14", "tree": "b25a250ec5bec4b7b6355d214642d8b57c5cab32", "parents": [ "02550d61f49266930e674286379d3601006b2893", "c3aa077648e147783a7a53b409578234647db853" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Jan 08 12:19:57 2012 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Jan 08 12:19:57 2012 -0800" }, "message": "Merge branch \u0027for-linus2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs\n\n* \u0027for-linus2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (165 commits)\n reiserfs: Properly display mount options in /proc/mounts\n vfs: prevent remount read-only if pending removes\n vfs: count unlinked inodes\n vfs: protect remounting superblock read-only\n vfs: keep list of mounts for each superblock\n vfs: switch -\u003eshow_options() to struct dentry *\n vfs: switch -\u003eshow_path() to struct dentry *\n vfs: switch -\u003eshow_devname() to struct dentry *\n vfs: switch -\u003eshow_stats to struct dentry *\n switch security_path_chmod() to struct path *\n vfs: prefer -\u003edentry-\u003ed_sb to -\u003emnt-\u003emnt_sb\n vfs: trim includes a bit\n switch mnt_namespace -\u003eroot to struct mount\n vfs: take /proc/*/mounts and friends to fs/proc_namespace.c\n vfs: opencode mntget() mnt_set_mountpoint()\n vfs: spread struct mount - remaining argument of next_mnt()\n vfs: move fsnotify junk to struct mount\n vfs: move mnt_devname\n vfs: move mnt_list to struct mount\n vfs: switch pnode.h macros to struct mount *\n ...\n" }, { "commit": "d8c9584ea2a92879f471fd3a2be3af6c534fb035", "tree": "3541b9c6228f820bdc65e4875156eb27b1c91cb1", "parents": [ "ece2ccb668046610189d88d6aaf05aeb09c988a1" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Dec 07 18:16:57 2011 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri Jan 06 23:16:53 2012 -0500" }, "message": "vfs: prefer -\u003edentry-\u003ed_sb to -\u003emnt-\u003emnt_sb\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "fd778461524849afd035679030ae8e8873c72b81", "tree": "32a5849c1879413fce0307af304e372eaa8225b4", "parents": [ "69f594a38967f4540ce7a29b3fd214e68a8330bd" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Jan 03 12:25:16 2012 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 05 18:53:01 2012 -0500" }, "message": "security: remove the security_netlink_recv hook as it is equivalent to capable()\n\nOnce upon a time netlink was not sync and we had to get the effective\ncapabilities from the skb that was being received. Today we instead get\nthe capabilities from the current task. This has rendered the entire\npurpose of the hook moot as it is now functionally equivalent to the\ncapable() call.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "69f594a38967f4540ce7a29b3fd214e68a8330bd", "tree": "dff25b5f5ef0736fb63b08729bec4ff57062c13f", "parents": [ "f1c84dae0ecc51aa35c81f19a0ebcd6c0921ddcb" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Jan 03 12:25:15 2012 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 05 18:53:00 2012 -0500" }, "message": "ptrace: do not audit capability check when outputing /proc/pid/stat\n\nReading /proc/pid/stat of another process checks if one has ptrace permissions\non that process. If one does have permissions it outputs some data about the\nprocess which might have security and attack implications. If the current\ntask does not have ptrace permissions the read still works, but those fields\nare filled with inocuous (0) values. Since this check and a subsequent denial\nis not a violation of the security policy we should not audit such denials.\n\nThis can be quite useful to removing ptrace broadly across a system without\nflooding the logs when ps is run or something which harmlessly walks proc.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\n" }, { "commit": "6a9de49115d5ff9871d953af1a5c8249e1585731", "tree": "eee3700ccc2ce26c566bfe99129e646fac9f983e", "parents": [ "2653812e14f4e16688ec8247d7fd290bdbbc4747" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Jan 03 12:25:14 2012 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 05 18:52:53 2012 -0500" }, "message": "capabilities: remove the task from capable LSM hook entirely\n\nThe capabilities framework is based around credentials, not necessarily the\ncurrent task. Yet we still passed the current task down into LSMs from the\nsecurity_capable() LSM hook as if it was a meaningful portion of the security\ndecision. This patch removes the \u0027generic\u0027 passing of current and instead\nforces individual LSMs to use current explicitly if they think it is\nappropriate. In our case those LSMs are SELinux and AppArmor.\n\nI believe the AppArmor use of current is incorrect, but that is wholely\nunrelated to this patch. This patch does not change what AppArmor does, it\njust makes it clear in the AppArmor code that it is doing it.\n\nThe SELinux code still uses current in it\u0027s audit message, which may also be\nwrong and needs further investigation. Again this is NOT a change, it may\nhave always been wrong, this patch just makes it clear what is happening.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "2653812e14f4e16688ec8247d7fd290bdbbc4747", "tree": "dabb2238a76e000b37374c69901afd6f99479631", "parents": [ "02f5daa563456c1ff3c3422aa3ec00e67460f762" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 30 14:19:02 2011 +1000" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 05 18:52:52 2012 -0500" }, "message": "selinux: sparse fix: fix several warnings in the security server cod\n\nFix several sparse warnings in the SELinux security server code.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "02f5daa563456c1ff3c3422aa3ec00e67460f762", "tree": "b2394602c587815aae9f1b07ac272302800d9288", "parents": [ "e8a65a3f67f8a85802c0a0250e48c4c4652d0da0" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 30 14:18:06 2011 +1000" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 05 18:52:51 2012 -0500" }, "message": "selinux: sparse fix: fix warnings in netlink code\n\nFix sparse warnings in SELinux Netlink code.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "e8a65a3f67f8a85802c0a0250e48c4c4652d0da0", "tree": "4f9b55cac61209b6b4f15a1e20396a15a4444b11", "parents": [ "6063c0461b947c26a77674f33a3409eb99e15d2f" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 30 14:17:34 2011 +1000" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 05 18:52:50 2012 -0500" }, "message": "selinux: sparse fix: eliminate warnings for selinuxfs\n\nFixes several sparse warnings for selinuxfs.c\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "b46610caba4bd9263afd07c7ef7a79974550554a", "tree": "3f1edce9d24e9e7af2661ab4c2eeae744beb183c", "parents": [ "94d4ef0c2b3e6c799f78d223e233254a870c4559" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 30 14:11:24 2011 +1000" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Jan 05 18:52:48 2012 -0500" }, "message": "selinux: sparse fix: make selinux_secmark_refcount static\n\nSparse fix: make selinux_secmark_refcount static.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "dba19c6064766730dd64757a010ec3aec503ecdb", "tree": "2071835ccfcb169b6219be7d5a4692fcfdcbd2c5", "parents": [ "1b9d5ff7644ddf2723c9205f4726c95ec01bf033" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Jul 25 20:49:29 2011 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jan 03 22:55:12 2012 -0500" }, "message": "get rid of open-coded S_ISREG(), etc.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "1a67aafb5f72a436ca044293309fa7e6351d6a35", "tree": "d9e58600148de9d41b478cf815773b746647d15b", "parents": [ "4acdaf27ebe2034c342f3be57ef49aed1ad885ef" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jul 26 01:52:52 2011 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jan 03 22:54:54 2012 -0500" }, "message": "switch -\u003emknod() to umode_t\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "4acdaf27ebe2034c342f3be57ef49aed1ad885ef", "tree": "d89a876ee19cd88609a587f8aa6c464a52ee6d98", "parents": [ "18bb1db3e7607e4a997d50991a6f9fa5b0f8722c" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jul 26 01:42:34 2011 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jan 03 22:54:53 2012 -0500" }, "message": "switch -\u003ecreate() to umode_t\n\nvfs_create() ignores everything outside of 16bit subset of its\nmode argument; switching it to umode_t is obviously equivalent\nand it\u0027s the only caller of the method\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "18bb1db3e7607e4a997d50991a6f9fa5b0f8722c", "tree": "4ee4e584bc9a67f3ec14ce159d2d7d4a27e68d4a", "parents": [ "8208a22bb8bd3c52ef634b4ff194f14892ab1713" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jul 26 01:41:39 2011 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jan 03 22:54:53 2012 -0500" }, "message": "switch vfs_mkdir() and -\u003emkdir() to umode_t\n\nvfs_mkdir() gets int, but immediately drops everything that might not\nfit into umode_t and that\u0027s the only caller of -\u003emkdir()...\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "7f1fb60c4fc9fb29fbb406ac8c4cfb4e59e168d6", "tree": "c099fd6899f382c439e29aed54c912ee95453324", "parents": [ "d5f43c1ea4260807a894150b680fa0a0dd386259" ], "author": { "name": "Pavel Emelyanov", "email": "xemul@parallels.com", "time": "Tue Dec 06 07:56:43 2011 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Dec 06 13:57:36 2011 -0500" }, "message": "inet_diag: Partly rename inet_ to sock_\n\nThe ultimate goal is to get the sock_diag module, that works in\nfamily+protocol terms. Currently this is suitable to do on the\ninet_diag basis, so rename parts of the code. It will be moved\nto sock_diag.c later.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@parallels.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "75f2811c6460ccc59d83c66059943ce9c9f81a18", "tree": "49373cf5f5b11358aeb587209ad270496f751609", "parents": [ "396cf9430505cfba529a2f2a037d782719fa5844" ], "author": { "name": "Jesse Gross", "email": "jesse@nicira.com", "time": "Wed Nov 30 17:05:51 2011 -0800" }, "committer": { "name": "Jesse Gross", "email": "jesse@nicira.com", "time": "Sat Dec 03 09:35:10 2011 -0800" }, "message": "ipv6: Add fragment reporting to ipv6_skip_exthdr().\n\nWhile parsing through IPv6 extension headers, fragment headers are\nskipped making them invisible to the caller. This reports the\nfragment offset of the last header in order to make it possible to\ndetermine whether the packet is fragmented and, if so whether it is\na first or last fragment.\n\nSigned-off-by: Jesse Gross \u003cjesse@nicira.com\u003e\n" }, { "commit": "4e3fd7a06dc20b2d8ec6892233ad2012968fe7b6", "tree": "da3fbec7672ac6b967dfa31cec6c88f468a57fa2", "parents": [ "40ba84993d66469d336099c5af74c3da5b73e28d" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Mon Nov 21 03:39:03 2011 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Nov 22 16:43:32 2011 -0500" }, "message": "net: remove ipv6_addr_copy()\n\nC assignment can handle struct in6_addr copying.\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "44fc7ea0bfe9143551649a42eb35f1460566c3c5", "tree": "7cfceedba653c69db90912427d140da996ab4f09", "parents": [ "a6ee87790b708dc4cdd3643104417793f0d985ec" ], "author": { "name": "Paul Gortmaker", "email": "paul.gortmaker@windriver.com", "time": "Thu May 26 20:52:10 2011 -0400" }, "committer": { "name": "Paul Gortmaker", "email": "paul.gortmaker@windriver.com", "time": "Mon Oct 31 19:31:32 2011 -0400" }, "message": "selinux: Add export.h to files using EXPORT_SYMBOL/THIS_MODULE\n\nThe pervasive, but implicit presence of \u003clinux/module.h\u003e meant\nthat things like this file would happily compile as-is. But\nwith the desire to phase out the module.h being included everywhere,\npoint this file at export.h which will give it THIS_MODULE and\nthe EXPORT_SYMBOL variants.\n\nSigned-off-by: Paul Gortmaker \u003cpaul.gortmaker@windriver.com\u003e\n" }, { "commit": "7b98a5857c3fa86cb0a7e5f893643491a8b5b425", "tree": "9e8b83d35a9c70f2c02853de808184871df3aba9", "parents": [ "0ff53f5ddbaebeac1c2735125901275acc1fecc6" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 30 12:52:32 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Sep 09 16:56:32 2011 -0700" }, "message": "selinux: sparse fix: fix several warnings in the security server code\n\nFix several sparse warnings in the SELinux security server code.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6a3fbe81179c85eb53054a0f4c8423ffec0276a7", "tree": "b281fee66a005236bbdedf5f22eeacc37669ba4a", "parents": [ "ad3fa08c4ff84ed87649d72e8497735c85561a3d" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 30 12:09:15 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Sep 09 16:56:31 2011 -0700" }, "message": "selinux: sparse fix: fix warnings in netlink code\n\nFix sparse warnings in SELinux Netlink code.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ad3fa08c4ff84ed87649d72e8497735c85561a3d", "tree": "e6f22e6d42cf52c689e983be42b9292180564446", "parents": [ "d5813a571876c72766f125b1c6e63414f6822c28" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 30 10:50:12 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Sep 09 16:56:30 2011 -0700" }, "message": "selinux: sparse fix: eliminate warnings for selinuxfs\n\nFixes several sparse warnings for selinuxfs.c\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "56a4ca996181b94b30e6b46509dc28e4ca3cc3f8", "tree": "ff238902759365d93b9ca8739f370fd3ba0f8659", "parents": [ "3417d8d5d4d584bd73e2f6265f7a06b51e4a70a1" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Aug 17 11:08:43 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Sep 09 16:56:25 2011 -0700" }, "message": "selinux: sparse fix: make selinux_secmark_refcount static\n\nSparse fix: make selinux_secmark_refcount static.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "82c21bfab41a77bc01affe21bea9727d776774a7", "tree": "b0c5850be07c7f6d747df389f8f15780887da630", "parents": [ "87a0874cf19f1bc9bd25bd7d053a0ea25ccf8373" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Mon Aug 01 11:10:33 2011 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Aug 01 17:58:33 2011 -0700" }, "message": "doc: Update the email address for Paul Moore in various source files\n\nMy @hp.com will no longer be valid starting August 5, 2011 so an update is\nnecessary. My new email address is employer independent so we don\u0027t have\nto worry about doing this again any time soon.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Paul Moore \u003cpaul@paul-moore.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "60063497a95e716c9a689af3be2687d261f115b4", "tree": "6ce0d68db76982c53df46aee5f29f944ebf2c320", "parents": [ "148817ba092f9f6edd35bad3c6c6b8e8f90fe2ed" ], "author": { "name": "Arun Sharma", "email": "asharma@fb.com", "time": "Tue Jul 26 16:09:06 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jul 26 16:49:47 2011 -0700" }, "message": "atomic: use \u003clinux/atomic.h\u003e\n\nThis allows us to move duplicated code in \u003casm/atomic.h\u003e\n(atomic_inc_not_zero() for now) to \u003clinux/atomic.h\u003e\n\nSigned-off-by: Arun Sharma \u003casharma@fb.com\u003e\nReviewed-by: Eric Dumazet \u003ceric.dumazet@gmail.com\u003e\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nCc: David Miller \u003cdavem@davemloft.net\u003e\nCc: Eric Dumazet \u003ceric.dumazet@gmail.com\u003e\nAcked-by: Mike Frysinger \u003cvapier@gentoo.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "bbd9d6f7fbb0305c9a592bf05a32e87eb364a4ff", "tree": "12b2bb4202b05f6ae6a43c6ce830a0472043dbe5", "parents": [ "8e204874db000928e37199c2db82b7eb8966cc3c", "5a9a43646cf709312d71eca71cef90ad802f28f9" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jul 22 19:02:39 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jul 22 19:02:39 2011 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: (107 commits)\n vfs: use ERR_CAST for err-ptr tossing in lookup_instantiate_filp\n isofs: Remove global fs lock\n jffs2: fix IN_DELETE_SELF on overwriting rename() killing a directory\n fix IN_DELETE_SELF on overwriting rename() on ramfs et.al.\n mm/truncate.c: fix build for CONFIG_BLOCK not enabled\n fs:update the NOTE of the file_operations structure\n Remove dead code in dget_parent()\n AFS: Fix silly characters in a comment\n switch d_add_ci() to d_splice_alias() in \"found negative\" case as well\n simplify gfs2_lookup()\n jfs_lookup(): don\u0027t bother with . or ..\n get rid of useless dget_parent() in btrfs rename() and link()\n get rid of useless dget_parent() in fs/btrfs/ioctl.c\n fs: push i_mutex and filemap_write_and_wait down into -\u003efsync() handlers\n drivers: fix up various -\u003ellseek() implementations\n fs: handle SEEK_HOLE/SEEK_DATA properly in all fs\u0027s that define their own llseek\n Ext4: handle SEEK_HOLE/SEEK_DATA generically\n Btrfs: implement our own -\u003ellseek\n fs: add SEEK_HOLE and SEEK_DATA flags\n reiserfs: make reiserfs default to barrier\u003dflush\n ...\n\nFix up trivial conflicts in fs/xfs/linux-2.6/xfs_super.c due to the new\nshrinker callout for the inode cache, that clashed with the xfs code to\nstart the periodic workers later.\n" }, { "commit": "8209f53d79444747782a28520187abaf689761f2", "tree": "726270ea29e037f026d77a99787b9d844531ac42", "parents": [ "22a3b9771117d566def0150ea787fcc95f16e724", "eac1b5e57d7abc836e78fd3fbcf77dbeed01edc9" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jul 22 15:06:50 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jul 22 15:06:50 2011 -0700" }, "message": "Merge branch \u0027ptrace\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/oleg/misc\n\n* \u0027ptrace\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/oleg/misc: (39 commits)\n ptrace: do_wait(traced_leader_killed_by_mt_exec) can block forever\n ptrace: fix ptrace_signal() \u0026\u0026 STOP_DEQUEUED interaction\n connector: add an event for monitoring process tracers\n ptrace: dont send SIGSTOP on auto-attach if PT_SEIZED\n ptrace: mv send-SIGSTOP from do_fork() to ptrace_init_task()\n ptrace_init_task: initialize child-\u003ejobctl explicitly\n has_stopped_jobs: s/task_is_stopped/SIGNAL_STOP_STOPPED/\n ptrace: make former thread ID available via PTRACE_GETEVENTMSG after PTRACE_EVENT_EXEC stop\n ptrace: wait_consider_task: s/same_thread_group/ptrace_reparented/\n ptrace: kill real_parent_is_ptracer() in in favor of ptrace_reparented()\n ptrace: ptrace_reparented() should check same_thread_group()\n redefine thread_group_leader() as exit_signal \u003e\u003d 0\n do not change dead_task-\u003eexit_signal\n kill task_detached()\n reparent_leader: check EXIT_DEAD instead of task_detached()\n make do_notify_parent() __must_check, update the callers\n __ptrace_detach: avoid task_detached(), check do_notify_parent()\n kill tracehook_notify_death()\n make do_notify_parent() return bool\n ptrace: s/tracehook_tracer_task()/ptrace_parent()/\n ...\n" }, { "commit": "cf1dd1dae851ce5765cda5de16aa965eef7c2dbf", "tree": "5ee564e56eca307701ce155e30a2cbb05b9937e3", "parents": [ "e74f71eb78a4a8b9eaf1bc65f20f761648e85f76" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Jun 20 19:44:08 2011 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Jul 20 01:43:27 2011 -0400" }, "message": "selinux: don\u0027t transliterate MAY_NOT_BLOCK to IPERM_FLAG_RCU\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "e74f71eb78a4a8b9eaf1bc65f20f761648e85f76", "tree": "7bc7fc1344f5ed6e3ce8132b36125ef5cec6407c", "parents": [ "10556cb21a0d0b24d95f00ea6df16f599a3345b2" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Jun 20 19:38:15 2011 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Jul 20 01:43:26 2011 -0400" }, "message": "-\u003epermission() sanitizing: don\u0027t pass flags to -\u003einode_permission()\n\npass that via mask instead.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "06d984737bac0545fe20bb5447ee488b95adb531", "tree": "b8d89d21a53c28a025dd42598bc3406e25db5ba8", "parents": [ "4b9d33e6d83cc05a8005a8f9a8b9677fa0f53626" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Fri Jun 17 16:50:40 2011 +0200" }, "committer": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Wed Jun 22 19:26:29 2011 +0200" }, "message": "ptrace: s/tracehook_tracer_task()/ptrace_parent()/\n\ntracehook.h is on the way out. Rename tracehook_tracer_task() to\nptrace_parent() and move it from tracehook.h to ptrace.h.\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: John Johansen \u003cjohn.johansen@canonical.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\n" }, { "commit": "95f4efb2d78661065aaf0be57f5bf00e4d2aea1d", "tree": "e344402e6428194515a0550ef30cf7cb8eeb0fdf", "parents": [ "4c1f683a4a343808536a5617ede85dfc34430472" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 08 15:11:56 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 08 15:11:56 2011 -0700" }, "message": "selinux: simplify and clean up inode_has_perm()\n\nThis is a rather hot function that is called with a potentially NULL\n\"struct common_audit_data\" pointer argument. And in that case it has to\nprovide and initialize its own dummy common_audit_data structure.\n\nHowever, all the _common_ cases already pass it a real audit-data\nstructure, so that uncommon NULL case not only creates a silly run-time\ntest, more importantly it causes that function to have a big stack frame\nfor the dummy variable that isn\u0027t even used in the common case!\n\nSo get rid of that stupid run-time behavior, and make the (few)\nfunctions that currently call with a NULL pointer just call a new helper\nfunction instead (naturally called inode_has_perm_noapd(), since it has\nno adp argument).\n\nThis makes the run-time test be a static code generation issue instead,\nand allows for a much denser stack since none of the common callers need\nthe dummy structure. And a denser stack not only means less stack space\nusage, it means better cache behavior. So we have a win-win-win from\nthis simplification: less code executed, smaller stack footprint, and\nbetter cache behavior.\n\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b7b57551bbda1390959207f79f2038aa7adb72ae", "tree": "d591a08e7e45615b51d8b5ee1634a29920f62c3f", "parents": [ "434d42cfd05a7cc452457a81d2029540cba12150", "7a627e3b9a2bd0f06945bbe64bcf403e788ecf6e" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 24 23:20:19 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 24 23:20:19 2011 +1000" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into for-linus\n\nConflicts:\n\tlib/flex_array.c\n\tsecurity/selinux/avc.c\n\tsecurity/selinux/hooks.c\n\tsecurity/selinux/ss/policydb.c\n\tsecurity/smack/smack_lsm.c\n\nManually resolve conflicts.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6f239284542bae297d27355d06afbb8df23c5db9", "tree": "b0ba42fb54cd05178c61584e0913be38a57f0384", "parents": [ "609cfda586c7fe3e5d1a02c51edb587506294167", "bf69d41d198138e3c601e9a6645f4f1369aff7e0" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed May 04 11:59:34 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed May 04 11:59:34 2011 +1000" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.infradead.org/users/eparis/selinux into for-linus\n" }, { "commit": "cb1e922fa104bb0bb3aa5fc6ca7f7e070f3b55e9", "tree": "c776ceca8e63dd8de70f242fe6883320004884eb", "parents": [ "fe3fa43039d47ee4e22caf460b79b62a14937f79" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:11:21 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 16:12:41 2011 -0400" }, "message": "SELinux: pass last path component in may_create\n\nNew inodes are created in a two stage process. We first will compute the\nlabel on a new inode in security_inode_create() and check if the\noperation is allowed. We will then actually re-compute that same label and\napply it in security_inode_init_security(). The change to do new label\ncalculations based in part on the last component of the path name only\npassed the path component information all the way down the\nsecurity_inode_init_security hook. Down the security_inode_create hook the\npath information did not make it past may_create. Thus the two calculations\ncame up differently and the permissions check might not actually be against\nthe label that is created. Pass and use the same information in both places\nto harmonize the calculations and checks.\n\nReported-by: Dominick Grift \u003cdomg472@gmail.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "2875fa00830be62431f5ac22d8f85d57f9fa3033", "tree": "541fdb15e39711fb1ad901223d823421c7b77526", "parents": [ "a8d05c81fb238bbb18878ccfae7599ca79448dd3" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 16:04:24 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 16:09:59 2011 -0400" }, "message": "SELinux: introduce path_has_perm\n\nWe currently have inode_has_perm and dentry_has_perm. dentry_has_perm just\ncalls inode_has_perm with additional audit data. But dentry_has_perm can\ntake either a dentry or a path. Split those to make the code obvious and\nto fix the previous problem where I thought dentry_has_perm always had a\nvalid dentry and mnt.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "562abf624175e3f8487b7f064e516805e437e597", "tree": "75e52d8f8f91fc42c28ca2e0b7196b9fd16c25e0", "parents": [ "2463c26d50adc282d19317013ba0ff473823ca47" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:11:21 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:15:54 2011 -0400" }, "message": "SELinux: pass last path component in may_create\n\nNew inodes are created in a two stage process. We first will compute the\nlabel on a new inode in security_inode_create() and check if the\noperation is allowed. We will then actually re-compute that same label and\napply it in security_inode_init_security(). The change to do new label\ncalculations based in part on the last component of the path name only\npassed the path component information all the way down the\nsecurity_inode_init_security hook. Down the security_inode_create hook the\npath information did not make it past may_create. Thus the two calculations\ncame up differently and the permissions check might not actually be against\nthe label that is created. Pass and use the same information in both places\nto harmonize the calculations and checks.\n\nReported-by: Dominick Grift \u003cdomg472@gmail.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "9ade0cf440a1e5800dc68eef2e77b8d9d83a6dff", "tree": "17a06970af5a26cd340b785a894f20f262335575", "parents": [ "1879fd6a26571fd4e8e1f4bb3e7537bc936b1fe7" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 16:26:29 2011 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 25 18:16:32 2011 -0700" }, "message": "SELINUX: Make selinux cache VFS RCU walks safe\n\nNow that the security modules can decide whether they support the\ndcache RCU walk or not it\u0027s possible to make selinux a bit more\nRCU friendly. The SELinux AVC and security server access decision\ncode is RCU safe. A specific piece of the LSM audit code may not\nbe RCU safe.\n\nThis patch makes the VFS RCU walk retry if it would hit the non RCU\nsafe chunk of code. It will normally just work under RCU. This is\ndone simply by passing the VFS RCU state as a flag down into the\navc_audit() code and returning ECHILD there if it would have an issue.\n\nBased-on-patch-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "a269434d2fb48a4d66c1d7bf821b7874b59c5b41", "tree": "9c84b5f3e9f3adb3dd4a7e9da2b72dd7fe7eec49", "parents": [ "f48b7399840b453e7282b523f535561fe9638a2d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 13:10:27 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 18:14:07 2011 -0400" }, "message": "LSM: separate LSM_AUDIT_DATA_DENTRY from LSM_AUDIT_DATA_PATH\n\nThis patch separates and audit message that only contains a dentry from\none that contains a full path. This allows us to make it harder to\nmisuse the interfaces or for the interfaces to be implemented wrong.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n" }, { "commit": "f48b7399840b453e7282b523f535561fe9638a2d", "tree": "29eed009469d35473367708ea60b9c5b01fc0c5f", "parents": [ "0dc1ba24f7fff659725eecbba2c9ad679a0954cd" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 12:54:27 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 18:13:15 2011 -0400" }, "message": "LSM: split LSM_AUDIT_DATA_FS into _PATH and _INODE\n\nThe lsm common audit code has wacky contortions making sure which pieces\nof information are set based on if it was given a path, dentry, or\ninode. Split this into path and inode to get rid of some of the code\ncomplexity.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n" }, { "commit": "0dc1ba24f7fff659725eecbba2c9ad679a0954cd", "tree": "ad5831b52b38ca8157dd3ba4e5dfb75768bd372f", "parents": [ "1c9904297451f558191e211a48d8838b4bf792b0" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 21 17:23:20 2011 -0700" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 16:24:41 2011 -0400" }, "message": "SELINUX: Make selinux cache VFS RCU walks safe\n\nNow that the security modules can decide whether they support the\ndcache RCU walk or not it\u0027s possible to make selinux a bit more\nRCU friendly. The SELinux AVC and security server access decision\ncode is RCU safe. A specific piece of the LSM audit code may not\nbe RCU safe.\n\nThis patch makes the VFS RCU walk retry if it would hit the non RCU\nsafe chunk of code. It will normally just work under RCU. This is\ndone simply by passing the VFS RCU state as a flag down into the\navc_audit() code and returning ECHILD there if it would have an issue.\n\nBased-on-patch-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "1c9904297451f558191e211a48d8838b4bf792b0", "tree": "9c7cabec6ce3d6604147de73953cfaca672f1c0d", "parents": [ "6b697323a78bed254ee372f71b1a6a2901bb4b7a" ], "author": { "name": "Andi Kleen", "email": "ak@linux.intel.com", "time": "Thu Apr 21 17:23:19 2011 -0700" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 10:20:32 2011 -0400" }, "message": "SECURITY: Move exec_permission RCU checks into security modules\n\nRight now all RCU walks fall back to reference walk when CONFIG_SECURITY\nis enabled, even though just the standard capability module is active.\nThis is because security_inode_exec_permission unconditionally fails\nRCU walks.\n\nMove this decision to the low level security module. This requires\npassing the RCU flags down the security hook. This way at least\nthe capability module and a few easy cases in selinux/smack work\nwith RCU walks with CONFIG_SECURITY\u003dy\n\nSigned-off-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "a35c6c8368d88deae6890205e73ed330b6df1db7", "tree": "f61c3da7460bb5ab39353404456d92e005e9000e", "parents": [ "425b473de5372cad6fffc6b98a758ed8e3fc70ce" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 20 10:21:28 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 10:18:27 2011 -0400" }, "message": "SELinux: silence build warning when !CONFIG_BUG\n\nIf one builds a kernel without CONFIG_BUG there are a number of \u0027may be\nused uninitialized\u0027 warnings. Silence these by returning after the BUG().\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8c9e80ed276fc4b9c9fadf29d8bf6b3576112f1a", "tree": "7595dd217545593675d40f85cfb11d69697a8300", "parents": [ "8d082f8f3fb89e8a1fcb5120ad98cd9860c8a3e8" ], "author": { "name": "Andi Kleen", "email": "ak@linux.intel.com", "time": "Thu Apr 21 17:23:19 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Apr 22 16:17:29 2011 -0700" }, "message": "SECURITY: Move exec_permission RCU checks into security modules\n\nRight now all RCU walks fall back to reference walk when CONFIG_SECURITY\nis enabled, even though just the standard capability module is active.\nThis is because security_inode_exec_permission unconditionally fails\nRCU walks.\n\nMove this decision to the low level security module. This requires\npassing the RCU flags down the security hook. This way at least\nthe capability module and a few easy cases in selinux/smack work\nwith RCU walks with CONFIG_SECURITY\u003dy\n\nSigned-off-by: Andi Kleen \u003cak@linux.intel.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2e1496707560ecf98e9b0604622c0990f94861d3", "tree": "d1473b70fad31a903fedc87221680678a6c6c5f6", "parents": [ "e795b71799ff0b27365020c9ddaa25d0d83f99c8" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Wed Mar 23 16:43:26 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 23 19:47:13 2011 -0700" }, "message": "userns: rename is_owner_or_cap to inode_owner_or_capable\n\nAnd give it a kernel-doc comment.\n\n[akpm@linux-foundation.org: btrfs changed in linux-next]\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nCc: Daniel Lezcano \u003cdaniel.lezcano@free.fr\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3486740a4f32a6a466f5ac931654d154790ba648", "tree": "ac5d968a66057fa84933b8f89fd3e916270dffed", "parents": [ "59607db367c57f515183cb203642291bb14d9c40" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Wed Mar 23 16:43:17 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 23 19:47:02 2011 -0700" }, "message": "userns: security: make capabilities relative to the user namespace\n\n- Introduce ns_capable to test for a capability in a non-default\n user namespace.\n- Teach cap_capable to handle capabilities in a non-default\n user namespace.\n\nThe motivation is to get to the unprivileged creation of new\nnamespaces. It looks like this gets us 90% of the way there, with\nonly potential uid confusion issues left.\n\nI still need to handle getting all caps after creation but otherwise I\nthink I have a good starter patch that achieves all of your goals.\n\nChangelog:\n\t11/05/2010: [serge] add apparmor\n\t12/14/2010: [serge] fix capabilities to created user namespaces\n\tWithout this, if user serge creates a user_ns, he won\u0027t have\n\tcapabilities to the user_ns he created. THis is because we\n\twere first checking whether his effective caps had the caps\n\the needed and returning -EPERM if not, and THEN checking whether\n\the was the creator. Reverse those checks.\n\t12/16/2010: [serge] security_real_capable needs ns argument in !security case\n\t01/11/2011: [serge] add task_ns_capable helper\n\t01/11/2011: [serge] add nsown_capable() helper per Bastian Blank suggestion\n\t02/16/2011: [serge] fix a logic bug: the root user is always creator of\n\t\t init_user_ns, but should not always have capabilities to\n\t\t it! Fix the check in cap_capable().\n\t02/21/2011: Add the required user_ns parameter to security_capable,\n\t\t fixing a compile failure.\n\t02/23/2011: Convert some macros to functions as per akpm comments. Some\n\t\t couldn\u0027t be converted because we can\u0027t easily forward-declare\n\t\t them (they are inline if !SECURITY, extern if SECURITY). Add\n\t\t a current_user_ns function so we can use it in capability.h\n\t\t without #including cred.h. Move all forward declarations\n\t\t together to the top of the #ifdef __KERNEL__ section, and use\n\t\t kernel-doc format.\n\t02/23/2011: Per dhowells, clean up comment in cap_capable().\n\t02/23/2011: Per akpm, remove unreachable \u0027return -EPERM\u0027 in cap_capable.\n\n(Original written and signed off by Eric; latest, modified version\nacked by him)\n\n[akpm@linux-foundation.org: fix build]\n[akpm@linux-foundation.org: export current_user_ns() for ecryptfs]\n[serge.hallyn@canonical.com: remove unneeded extra argument in selinux\u0027s task_has_capability]\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nAcked-by: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nAcked-by: Daniel Lezcano \u003cdaniel.lezcano@free.fr\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "7a6362800cb7d1d618a697a650c7aaed3eb39320", "tree": "087f9bc6c13ef1fad4b392c5cf9325cd28fa8523", "parents": [ "6445ced8670f37cfc2c5e24a9de9b413dbfc788d", "ceda86a108671294052cbf51660097b6534672f5" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 16 16:29:25 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 16 16:29:25 2011 -0700" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1480 commits)\n bonding: enable netpoll without checking link status\n xfrm: Refcount destination entry on xfrm_lookup\n net: introduce rx_handler results and logic around that\n bonding: get rid of IFF_SLAVE_INACTIVE netdev-\u003epriv_flag\n bonding: wrap slave state work\n net: get rid of multiple bond-related netdevice-\u003epriv_flags\n bonding: register slave pointer for rx_handler\n be2net: Bump up the version number\n be2net: Copyright notice change. Update to Emulex instead of ServerEngines\n e1000e: fix kconfig for crc32 dependency\n netfilter ebtables: fix xt_AUDIT to work with ebtables\n xen network backend driver\n bonding: Improve syslog message at device creation time\n bonding: Call netif_carrier_off after register_netdevice\n bonding: Incorrect TX queue offset\n net_sched: fix ip_tos2prio\n xfrm: fix __xfrm_route_forward()\n be2net: Fix UDP packet detected status in RX compl\n Phonet: fix aligned-mode pipe socket buffer header reserve\n netxen: support for GbE port settings\n ...\n\nFix up conflicts in drivers/staging/brcm80211/brcmsmac/wl_mac80211.c\nwith the staging updates.\n" }, { "commit": "1d28f42c1bd4bb2363d88df74d0128b4da135b4a", "tree": "cb2e652fe79a2bc307e871bc2d3fa51cc8051e45", "parents": [ "ca116922afa8cc5ad46b00c0a637b1cde5ca478a" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Mar 12 00:29:39 2011 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Mar 12 15:08:44 2011 -0800" }, "message": "net: Put flowi_* prefix on AF independent members of struct flowi\n\nI intend to turn struct flowi into a union of AF specific flowi\nstructs. There will be a common structure that each variant includes\nfirst, much like struct sock_common.\n\nThis is the first step to move in that direction.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "fe3fa43039d47ee4e22caf460b79b62a14937f79", "tree": "9eab8d00f1227b9fe0959f32a62d892ed35803ba", "parents": [ "ee009e4a0d4555ed522a631bae9896399674f064", "026eb167ae77244458fa4b4b9fc171209c079ba7" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:38:10 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:38:10 2011 +1100" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into next\n" }, { "commit": "026eb167ae77244458fa4b4b9fc171209c079ba7", "tree": "1e66fcfeb0b43a6fb764e1d07f8f0200d0c99094", "parents": [ "ff36fe2c845cab2102e4826c1ffa0a6ebf487c65" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 16:09:14 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 16:12:28 2011 -0500" }, "message": "SELinux: implement the new sb_remount LSM hook\n\nFor SELinux we do not allow security information to change during a remount\noperation. Thus this hook simply strips the security module options from\nthe data and verifies that those are the same options as exist on the\ncurrent superblock.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2ad18bdf3b8f84c85c7da7e4de365f7c5701fb3f", "tree": "7b45743dee9e9de69714da3801aa3f987a3db365", "parents": [ "6f5317e730505d5cbc851c435a2dfe3d5a21d343" ], "author": { "name": "Harry Ciao", "email": "qingtao.cao@windriver.com", "time": "Wed Mar 02 13:32:34 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 15:19:44 2011 -0500" }, "message": "SELinux: Compute SID for the newly created socket\n\nThe security context for the newly created socket shares the same\nuser, role and MLS attribute as its creator but may have a different\ntype, which could be specified by a type_transition rule in the relevant\npolicy package.\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\n[fix call to security_transition_sid to include qstr, Eric Paris]\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6", "tree": "9bb539a7731af94cac0112b8f13771e4a33e0450", "parents": [ "06dc94b1ed05f91e246315afeb1c652d6d0dc9ab" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Thu Mar 03 10:55:40 2011 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Mar 03 10:55:40 2011 -0800" }, "message": "netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms\n\nNetlink message processing in the kernel is synchronous these days, the\nsession information can be collected when needed.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "0b24dcb7f2f7a0ce9b762eef0362c21c88f47b32", "tree": "9c7dc83e169cd4a2e5fd248e4b940f82131627b6", "parents": [ "47ac19ea429aee561f66e9cd05b908e8ffbc498a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:39:20 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:40:00 2011 -0500" }, "message": "Revert \"selinux: simplify ioctl checking\"\n\nThis reverts commit 242631c49d4cf39642741d6627750151b058233b.\n\nConflicts:\n\n\tsecurity/selinux/hooks.c\n\nSELinux used to recognize certain individual ioctls and check\npermissions based on the knowledge of the individual ioctl. In commit\n242631c49d4cf396 the SELinux code stopped trying to understand\nindividual ioctls and to instead looked at the ioctl access bits to\ndetermine in we should check read or write for that operation. This\nsame suggestion was made to SMACK (and I believe copied into TOMOYO).\nBut this suggestion is total rubbish. The ioctl access bits are\nactually the access requirements for the structure being passed into the\nioctl, and are completely unrelated to the operation of the ioctl or the\nobject the ioctl is being performed upon.\n\nTake FS_IOC_FIEMAP as an example. FS_IOC_FIEMAP is defined as:\n\nFS_IOC_FIEMAP _IOWR(\u0027f\u0027, 11, struct fiemap)\n\nSo it has access bits R and W. What this really means is that the\nkernel is going to both read and write to the struct fiemap. It has\nnothing at all to do with the operations that this ioctl might perform\non the file itself!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "4a7ab3dcad0b66a486c468ccf0d6197c5dbe3326", "tree": "b88badda1de339ed01149caf05601400d2e2a9dd", "parents": [ "b9679a76187694138099e09d7f5091b73086e6d7" ], "author": { "name": "Steffen Klassert", "email": "steffen.klassert@secunet.com", "time": "Wed Feb 23 12:56:23 2011 +0100" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:00:51 2011 -0500" }, "message": "selinux: Fix packet forwarding checks on postrouting\n\nThe IPSKB_FORWARDED and IP6SKB_FORWARDED flags are used only in the\nmulticast forwarding case to indicate that a packet looped back after\nforward. So these flags are not a good indicator for packet forwarding.\nA better indicator is the incoming interface. If we have no socket context,\nbut an incoming interface and we see the packet in the ip postroute hook,\nthe packet is going to be forwarded.\n\nWith this patch we use the incoming interface as an indicator on packet\nforwarding.\n\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "b9679a76187694138099e09d7f5091b73086e6d7", "tree": "224bfa579013b55ed6c459879ba0aab6d28e8ae2", "parents": [ "8f82a6880d8d03961181d973388e1df2772a8b24" ], "author": { "name": "Steffen Klassert", "email": "steffen.klassert@secunet.com", "time": "Wed Feb 23 12:55:21 2011 +0100" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:00:47 2011 -0500" }, "message": "selinux: Fix wrong checks for selinux_policycap_netpeer\n\nselinux_sock_rcv_skb_compat and selinux_ip_postroute_compat are just\ncalled if selinux_policycap_netpeer is not set. However in these\nfunctions we check if selinux_policycap_netpeer is set. This leads\nto some dead code and to the fact that selinux_xfrm_postroute_last\nis never executed. This patch removes the dead code and the checks\nfor selinux_policycap_netpeer in the compatibility functions.\n\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "2edeaa34a6e3f2c43b667f6c4f7b27944b811695", "tree": "37dd9156645491a86844ba9198fe05e4e6fe44c5", "parents": [ "257a65d79581880032e0bf0c452f4041b693664c" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Mon Feb 07 13:36:10 2011 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Feb 07 14:04:00 2011 -0800" }, "message": "CRED: Fix BUG() upon security_cred_alloc_blank() failure\n\nIn cred_alloc_blank() since 2.6.32, abort_creds(new) is called with\nnew-\u003esecurity \u003d\u003d NULL and new-\u003emagic \u003d\u003d 0 when security_cred_alloc_blank()\nreturns an error. As a result, BUG() will be triggered if SELinux is enabled\nor CONFIG_DEBUG_CREDENTIALS\u003dy.\n\nIf CONFIG_DEBUG_CREDENTIALS\u003dy, BUG() is called from __invalid_creds() because\ncred-\u003emagic \u003d\u003d 0. Failing that, BUG() is called from selinux_cred_free()\nbecause selinux_cred_free() is not expecting cred-\u003esecurity \u003d\u003d NULL. This does\nnot affect smack_cred_free(), tomoyo_cred_free() or apparmor_cred_free().\n\nFix these bugs by\n\n(1) Set new-\u003emagic before calling security_cred_alloc_blank().\n\n(2) Handle null cred-\u003esecurity in creds_are_invalid() and selinux_cred_free().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8e6c96935fcc1ed3dbebc96fddfef3f2f2395afc", "tree": "c26297c8ca479972010cadf2058aacd63ce1744f", "parents": [ "652bb9b0d6ce007f37c098947b2cc0c45efa3f66" ], "author": { "name": "Lucian Adrian Grijincu", "email": "lucian.grijincu@gmail.com", "time": "Tue Feb 01 18:42:22 2011 +0200" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:53:54 2011 -0500" }, "message": "security/selinux: fix /proc/sys/ labeling\n\nThis fixes an old (2007) selinux regression: filesystem labeling for\n/proc/sys returned\n -r--r--r-- unknown /proc/sys/fs/file-nr\ninstead of\n -r--r--r-- system_u:object_r:sysctl_fs_t:s0 /proc/sys/fs/file-nr\n\nEvents that lead to breaking of /proc/sys/ selinux labeling:\n\n1) sysctl was reimplemented to route all calls through /proc/sys/\n\n commit 77b14db502cb85a031fe8fde6c85d52f3e0acb63\n [PATCH] sysctl: reimplement the sysctl proc support\n\n2) proc_dir_entry was removed from ctl_table:\n\n commit 3fbfa98112fc3962c416452a0baf2214381030e6\n [PATCH] sysctl: remove the proc_dir_entry member for the sysctl tables\n\n3) selinux still walked the proc_dir_entry tree to apply\n labeling. Because ctl_tables don\u0027t have a proc_dir_entry, we did\n not label /proc/sys/ inodes any more. To achieve this the /proc/sys/\n inodes were marked private and private inodes were ignored by\n selinux.\n\n commit bbaca6c2e7ef0f663bc31be4dad7cf530f6c4962\n [PATCH] selinux: enhance selinux to always ignore private inodes\n\n commit 86a71dbd3e81e8870d0f0e56b87875f57e58222b\n [PATCH] sysctl: hide the sysctl proc inodes from selinux\n\nAccess control checks have been done by means of a special sysctl hook\nthat was called for read/write accesses to any /proc/sys/ entry.\n\nWe don\u0027t have to do this because, instead of walking the\nproc_dir_entry tree we can walk the dentry tree (as done in this\npatch). With this patch:\n* we don\u0027t mark /proc/sys/ inodes as private\n* we don\u0027t need the sysclt security hook\n* we walk the dentry tree to find the path to the inode.\n\nWe have to strip the PID in /proc/PID/ entries that have a\nproc_dir_entry because selinux does not know how to label paths like\n\u0027/1/net/rpc/nfsd.fh\u0027 (and defaults to \u0027proc_t\u0027 labeling). Selinux does\nknow of \u0027/net/rpc/nfsd.fh\u0027 (and applies the \u0027sysctl_rpc_t\u0027 label).\n\nPID stripping from the path was done implicitly in the previous code\nbecause the proc_dir_entry tree had the root in \u0027/net\u0027 in the example\nfrom above. The dentry tree has the root in \u0027/1\u0027.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: Lucian Adrian Grijincu \u003clucian.grijincu@gmail.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "652bb9b0d6ce007f37c098947b2cc0c45efa3f66", "tree": "7bf76f04a1fcaa401761a9a734b94682e2ac8b8c", "parents": [ "2a7dba391e5628ad665ce84ef9a6648da541ebab" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:05:40 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:12:30 2011 -0500" }, "message": "SELinux: Use dentry name in new object labeling\n\nCurrently SELinux has rules which label new objects according to 3 criteria.\nThe label of the process creating the object, the label of the parent\ndirectory, and the type of object (reg, dir, char, block, etc.) This patch\nadds a 4th criteria, the dentry name, thus we can distinguish between\ncreating a file in an etc_t directory called shadow and one called motd.\n\nThere is no file globbing, regex parsing, or anything mystical. Either the\npolicy exactly (strcmp) matches the dentry name of the object or it doesn\u0027t.\nThis patch has no changes from today if policy does not implement the new\nrules.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "2a7dba391e5628ad665ce84ef9a6648da541ebab", "tree": "ba0722bd74d2c883dbda7ff721850bab411cac04", "parents": [ "821404434f3324bf23f545050ff64055a149766e" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:05:39 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:12:29 2011 -0500" }, "message": "fs/vfs/security: pass last path component to LSM on inode creation\n\nSELinux would like to implement a new labeling behavior of newly created\ninodes. We currently label new inodes based on the parent and the creating\nprocess. This new behavior would also take into account the name of the\nnew object when deciding the new label. This is not the (supposed) full path,\njust the last component of the path.\n\nThis is very useful because creating /etc/shadow is different than creating\n/etc/passwd but the kernel hooks are unable to differentiate these\noperations. We currently require that userspace realize it is doing some\ndifficult operation like that and than userspace jumps through SELinux hoops\nto get things set up correctly. This patch does not implement new\nbehavior, that is obviously contained in a seperate SELinux patch, but it\ndoes pass the needed name down to the correct LSM hook. If no such name\nexists it is fine to pass NULL.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "aeda4ac3efc29e4d55989abd0a73530453aa69ba", "tree": "35b3d2cca8bfb49cf08bf1c6b55b586c1e5971e7", "parents": [ "d2e7ad19229f982fc1eb731827d82ceac90abfb3", "350e4f31e0eaf56dfc3b328d24a11bdf42a41fb8" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 10 10:40:42 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 10 10:40:42 2011 +1100" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into next\n" }, { "commit": "3610cda53f247e176bcbb7a7cca64bc53b12acdb", "tree": "d780bc1e405116e75a194b2f4693a6f9bbe9f58f", "parents": [ "44b8288308ac9da27eab7d7bdbf1375a568805c3" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Jan 05 15:38:53 2011 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Jan 05 15:38:53 2011 -0800" }, "message": "af_unix: Avoid socket-\u003esk NULL OOPS in stream connect security hooks.\n\nunix_release() can asynchornously set socket-\u003esk to NULL, and\nit does so without holding the unix_state_lock() on \"other\"\nduring stream connects.\n\nHowever, the reverse mapping, sk-\u003esk_socket, is only transitioned\nto NULL under the unix_state_lock().\n\nTherefore make the security hooks follow the reverse mapping instead\nof the forward mapping.\n\nReported-by: Jeremy Fitzhardinge \u003cjeremy@goop.org\u003e\nReported-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "17f7f4d9fcce8f1b75b5f735569309dee7665968", "tree": "14d7e49ca0053a0fcab3c33b5023bf3f90c5c08a", "parents": [ "041110a439e21cd40709ead4ffbfa8034619ad77", "d7c1255a3a21e98bdc64df8ccf005a174d7e6289" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sun Dec 26 22:37:05 2010 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sun Dec 26 22:37:05 2010 -0800" }, "message": "Merge branch \u0027master\u0027 of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6\n\nConflicts:\n\tnet/ipv4/fib_frontend.c\n" }, { "commit": "415103f9932d45f7927f4b17e3a9a13834cdb9a1", "tree": "271746ba59ca5b19185574538b5af3e30178c04f", "parents": [ "1d9bc6dc5b6b9cc9299739f0245ce4841f066b92" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Dec 02 16:13:40 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Dec 02 16:14:51 2010 -0500" }, "message": "SELinux: do not compute transition labels on mountpoint labeled filesystems\n\nselinux_inode_init_security computes transitions sids even for filesystems\nthat use mount point labeling. It shouldn\u0027t do that. It should just use\nthe mount point label always and no matter what.\n\nThis causes 2 problems. 1) it makes file creation slower than it needs to be\nsince we calculate the transition sid and 2) it allows files to be created\nwith a different label than the mount point!\n\n# id -Z\nstaff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023\n# sesearch --type --class file --source sysadm_t --target tmp_t\nFound 1 semantic te rules:\n type_transition sysadm_t tmp_t : file user_tmp_t;\n\n# mount -o loop,context\u003d\"system_u:object_r:tmp_t:s0\" /tmp/fs /mnt/tmp\n\n# ls -lZ /mnt/tmp\ndrwx------. root root system_u:object_r:tmp_t:s0 lost+found\n# touch /mnt/tmp/file1\n# ls -lZ /mnt/tmp\n-rw-r--r--. root root staff_u:object_r:user_tmp_t:s0 file1\ndrwx------. root root system_u:object_r:tmp_t:s0 lost+found\n\nWhoops, we have a mount point labeled filesystem tmp_t with a user_tmp_t\nlabeled file!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Reviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2fe66ec242d3f76e3b0101f36419e7e5405bcff3", "tree": "2091420d53ae1bf9e7673c2275b36c6b1e6aac1b", "parents": [ "04f6d70f6e64900a5d70a5fc199dd9d5fa787738" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 06:28:08 2010 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Nov 23 10:50:17 2010 -0800" }, "message": "SELinux: indicate fatal error in compat netfilter code\n\nThe SELinux ip postroute code indicates when policy rejected a packet and\npasses the error back up the stack. The compat code does not. This patch\nsends the same kind of error back up the stack in the compat code.\n\nBased-on-patch-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "04f6d70f6e64900a5d70a5fc199dd9d5fa787738", "tree": "68d369f422f98842031ae4ada17e391140165b54", "parents": [ "eb06acdc85585f28864261f28659157848762ee4" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 06:28:02 2010 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Nov 23 10:50:17 2010 -0800" }, "message": "SELinux: Only return netlink error when we know the return is fatal\n\nSome of the SELinux netlink code returns a fatal error when the error might\nactually be transient. This patch just silently drops packets on\npotentially transient errors but continues to return a permanant error\nindicator when the denial was because of policy.\n\nBased-on-comments-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "1f1aaf82825865a50cef0b4722607abb12aeee52", "tree": "9ab2495097fa2944404ab41bfb3038de374f5626", "parents": [ "ee58681195bf243bafc44ca53f3c24429d096cce" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 16 11:52:57 2010 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Nov 17 10:54:35 2010 -0800" }, "message": "SELinux: return -ECONNREFUSED from ip_postroute to signal fatal error\n\nThe SELinux netfilter hooks just return NF_DROP if they drop a packet. We\nwant to signal that a drop in this hook is a permanant fatal error and is not\ntransient. If we do this the error will be passed back up the stack in some\nplaces and applications will get a faster interaction that something went\nwrong.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "12b3052c3ee8f508b2c7ee4ddd63ed03423409d8", "tree": "b97d0f209f363cfad94ce9d075312274e349da89", "parents": [ "6800e4c0ea3e96cf78953b8b5743381cb1bb9e37" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 15 18:36:29 2010 -0500" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Nov 15 15:40:01 2010 -0800" }, "message": "capabilities/syslog: open code cap_syslog logic to fix build failure\n\nThe addition of CONFIG_SECURITY_DMESG_RESTRICT resulted in a build\nfailure when CONFIG_PRINTK\u003dn. This is because the capabilities code\nwhich used the new option was built even though the variable in question\ndidn\u0027t exist.\n\nThe patch here fixes this by moving the capabilities checks out of the\nLSM and into the caller. All (known) LSMs should have been calling the\ncapabilities hook already so it actually makes the code organization\nbetter to eliminate the hook altogether.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2606fd1fa5710205b23ee859563502aa18362447", "tree": "f79becd7010a2da1a765829fce0e09327cd50531", "parents": [ "15714f7b58011cf3948cab2988abea560240c74f" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 16:24:41 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:48 2010 +1100" }, "message": "secmark: make secmark object handling generic\n\nRight now secmark has lots of direct selinux calls. Use all LSM calls and\nremove all SELinux specific knowledge. The only SELinux specific knowledge\nwe leave is the mode. The only point is to make sure that other LSMs at\nleast test this generic code before they assume it works. (They may also\nhave to make changes if they do not represent labels as strings)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b0ae19811375031ae3b3fecc65b702a9c6e5cc28", "tree": "a765b71155fbed1ed3a3cff35c1044ad49a002ae", "parents": [ "9b3056cca09529d34af2d81305b2a9c6b622ca1b" ], "author": { "name": "KOSAKI Motohiro", "email": "kosaki.motohiro@jp.fujitsu.com", "time": "Fri Oct 15 04:21:18 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:44 2010 +1100" }, "message": "security: remove unused parameter from security_task_setscheduler()\n\nAll security modules shouldn\u0027t change sched_param parameter of\nsecurity_task_setscheduler(). This is not only meaningless, but also\nmake a harmful result if caller pass a static variable.\n\nThis patch remove policy and sched_param parameter from\nsecurity_task_setscheduler() becuase none of security module is\nusing it.\n\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: KOSAKI Motohiro \u003ckosaki.motohiro@jp.fujitsu.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d996b62a8df1d935b01319bf8defb95b5709f7b8", "tree": "d81f8240da776336845a2063555d7bb4dce684bd", "parents": [ "ee2ffa0dfdd2db19705f2ba1c6a4c0bfe8122dd8" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Wed Aug 18 04:37:36 2010 +1000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Aug 18 08:35:47 2010 -0400" }, "message": "tty: fix fu_list abuse\n\ntty: fix fu_list abuse\n\ntty code abuses fu_list, which causes a bug in remount,ro handling.\n\nIf a tty device node is opened on a filesystem, then the last link to the inode\nremoved, the filesystem will be allowed to be remounted readonly. This is\nbecause fs_may_remount_ro does not find the 0 link tty inode on the file sb\nlist (because the tty code incorrectly removed it to use for its own purpose).\nThis can result in a filesystem with errors after it is marked \"clean\".\n\nTaking idea from Christoph\u0027s initial patch, allocate a tty private struct\nat file-\u003eprivate_data and put our required list fields in there, linking\nfile and tty. This makes tty nodes behave the same way as other device nodes\nand avoid meddling with the vfs, and avoids this bug.\n\nThe error handling is not trivial in the tty code, so for this bugfix, I take\nthe simple approach of using __GFP_NOFAIL and don\u0027t worry about memory errors.\nThis is not a problem because our allocator doesn\u0027t fail small allocs as a rule\nanyway. So proper error handling is left as an exercise for tty hackers.\n\n[ Arguably filesystem\u0027s device inode would ideally be divorced from the\ndriver\u0027s pseudo inode when it is opened, but in practice it\u0027s not clear whether\nthat will ever be worth implementing. ]\n\nCc: linux-kernel@vger.kernel.org\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Alan Cox \u003calan@lxorguk.ukuu.org.uk\u003e\nCc: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "ee2ffa0dfdd2db19705f2ba1c6a4c0bfe8122dd8", "tree": "e48400d1a33f8d2e68589ccfd61637aa64462f08", "parents": [ "b04f784e5d19ed58892833dae845738972cea260" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Wed Aug 18 04:37:35 2010 +1000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Aug 18 08:35:47 2010 -0400" }, "message": "fs: cleanup files_lock locking\n\nfs: cleanup files_lock locking\n\nLock tty_files with a new spinlock, tty_files_lock; provide helpers to\nmanipulate the per-sb files list; unexport the files_lock spinlock.\n\nCc: linux-kernel@vger.kernel.org\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Alan Cox \u003calan@lxorguk.ukuu.org.uk\u003e\nAcked-by: Andi Kleen \u003cak@linux.intel.com\u003e\nAcked-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "b34d8915c413acb51d837a45fb8747b61f65c020", "tree": "ced5fac166324634653d84b1afe2b958b3904f4d", "parents": [ "e8a89cebdbaab14caaa26debdb4ffd493b8831af", "f33ebbe9da2c3c24664a0ad4f8fd83f293547e63" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 10 12:07:51 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Aug 10 12:07:51 2010 -0700" }, "message": "Merge branch \u0027writable_limits\u0027 of git://decibel.fi.muni.cz/~xslaby/linux\n\n* \u0027writable_limits\u0027 of git://decibel.fi.muni.cz/~xslaby/linux:\n unistd: add __NR_prlimit64 syscall numbers\n rlimits: implement prlimit64 syscall\n rlimits: switch more rlimit syscalls to do_prlimit\n rlimits: redo do_setrlimit to more generic do_prlimit\n rlimits: add rlimit64 structure\n rlimits: do security check under task_lock\n rlimits: allow setrlimit to non-current tasks\n rlimits: split sys_setrlimit\n rlimits: selinux, do rlimits changes under task_lock\n rlimits: make sure -\u003erlim_max never grows in sys_setrlimit\n rlimits: add task_struct to update_rlimit_cpu\n rlimits: security, add task_struct to setrlimit\n\nFix up various system call number conflicts. We not only added fanotify\nsystem calls in the meantime, but asm-generic/unistd.h added a wait4\nalong with a range of reserved per-architecture system calls.\n" }, { "commit": "49b7b8de46d293113a0a0bb026ff7bd833c73367", "tree": "ff29778c49a8ac1511249cc268ddbb2c6ddb86a9", "parents": [ "b782e0a68d17894d9a618ffea55b33639faa6bb4" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:44:09 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:08 2010 +1000" }, "message": "selinux: place open in the common file perms\n\nkernel can dynamically remap perms. Drop the open lookup table and put open\nin the common file perms.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b782e0a68d17894d9a618ffea55b33639faa6bb4", "tree": "307bc615153075a6e92be5d839a58ff48d6525f3", "parents": [ "d09ca73979460b96d5d4684d588b188be9a1f57d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:44:03 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:07 2010 +1000" }, "message": "SELinux: special dontaudit for access checks\n\nCurrently there are a number of applications (nautilus being the main one) which\ncalls access() on files in order to determine how they should be displayed. It\nis normal and expected that nautilus will want to see if files are executable\nor if they are really read/write-able. access() should return the real\npermission. SELinux policy checks are done in access() and can result in lots\nof AVC denials as policy denies RWX on files which DAC allows. Currently\nSELinux must dontaudit actual attempts to read/write/execute a file in\norder to silence these messages (and not flood the logs.) But dontaudit rules\nlike that can hide real attacks. This patch addes a new common file\npermission audit_access. This permission is special in that it is meaningless\nand should never show up in an allow rule. Instead the only place this\npermission has meaning is in a dontaudit rule like so:\n\ndontaudit nautilus_t sbin_t:file audit_access\n\nWith such a rule if nautilus just checks access() we will still get denied and\nthus userspace will still get the correct answer but we will not log the denial.\nIf nautilus attempted to actually perform one of the forbidden actions\n(rather than just querying access(2) about it) we would still log a denial.\nThis type of dontaudit rule should be used sparingly, as it could be a\nmethod for an attacker to probe the system permissions without detection.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d09ca73979460b96d5d4684d588b188be9a1f57d", "tree": "217543affc5c1c76181ffca00c23cfa69f1dd4f6", "parents": [ "9cfcac810e8993fa7a5bfd24b1a21f1dbbb03a7b" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:43:57 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:07 2010 +1000" }, "message": "security: make LSMs explicitly mask off permissions\n\nSELinux needs to pass the MAY_ACCESS flag so it can handle auditting\ncorrectly. Presently the masking of MAY_* flags is done in the VFS. In\norder to allow LSMs to decide what flags they care about and what flags\nthey don\u0027t just pass them all and the each LSM mask off what they don\u0027t\nneed. This patch should contain no functional changes to either the VFS or\nany LSM.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "af4f136056c984b0aa67feed7d3170b958370b2f", "tree": "30b62cd9174044cbdfdddc1fe5e0f21e7ddde85c", "parents": [ "5ad18a0d59ba9e65b3c8b2b489fd23bc6b3daf94" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Thu Jul 01 15:07:43 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:57 2010 +1000" }, "message": "security: move LSM xattrnames to xattr.h\n\nMake the security extended attributes names global. Updated to move\nthe remaining Smack xattrs.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5fb49870e6d48d81d8ca0e1ef979073dc9a820f7", "tree": "136fdf4f4181907b89916f24a8e828c00ba3e6bd", "parents": [ "253bfae6e0ad97554799affa0266052968a45808" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Apr 22 14:46:19 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:39 2010 +1000" }, "message": "selinux: Use current_security() when possible\n\nThere were a number of places using the following code pattern:\n\n struct cred *cred \u003d current_cred();\n struct task_security_struct *tsec \u003d cred-\u003esecurity;\n\n... which were simplified to the following:\n\n struct task_security_struct *tsec \u003d current_security();\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "253bfae6e0ad97554799affa0266052968a45808", "tree": "c3599a18f06664160a55a20b30428ba4faf6e2c0", "parents": [ "84914b7ed1c5e0f3199a5a6997022758a70fcaff" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Apr 22 14:46:19 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:39 2010 +1000" }, "message": "selinux: Convert socket related access controls to use socket labels\n\nAt present, the socket related access controls use a mix of inode and\nsocket labels; while there should be no practical difference (they\n_should_ always be the same), it makes the code more confusing. This\npatch attempts to convert all of the socket related access control\npoints (with the exception of some of the inode/fd based controls) to\nuse the socket\u0027s own label. In the process, I also converted the\nsocket_has_perm() function to take a \u0027sock\u0027 argument instead of a\n\u0027socket\u0027 since that was adding a bit more overhead in some cases.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "84914b7ed1c5e0f3199a5a6997022758a70fcaff", "tree": "a0ac9631fba19280516ec26819c884e6b086b183", "parents": [ "d4f2d97841827cb876da8b607df05a3dab812416" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Apr 22 14:46:18 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:38 2010 +1000" }, "message": "selinux: Shuffle the sk_security_struct alloc and free routines\n\nThe sk_alloc_security() and sk_free_security() functions were only being\ncalled by the selinux_sk_alloc_security() and selinux_sk_free_security()\nfunctions so we just move the guts of the alloc/free routines to the\ncallers and eliminate a layer of indirection.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d4f2d97841827cb876da8b607df05a3dab812416", "tree": "8d3128128f465e23dbfc5ee4ccc50d9bc489f7d7", "parents": [ "4d1e24514d80cb266231d0c1b6c02161970ad019" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Apr 22 14:46:18 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:37 2010 +1000" }, "message": "selinux: Consolidate sockcreate_sid logic\n\nConsolidate the basic sockcreate_sid logic into a single helper function\nwhich allows us to do some cleanups in the related code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4d1e24514d80cb266231d0c1b6c02161970ad019", "tree": "2de35d44c52dc1afa28c8f1bf294180817834a9d", "parents": [ "e79acf0ef45e0b54aed47ebea7f25c540d3f527e" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Apr 22 14:46:18 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:37 2010 +1000" }, "message": "selinux: Set the peer label correctly on connected UNIX domain sockets\n\nCorrect a problem where we weren\u0027t setting the peer label correctly on\nthe client end of a pair of connected UNIX sockets.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ], "next": "eb2d55a32b9a91bca0dea299eedb560bafa8b14e" }