)]}' { "log": [ { "commit": "3f0882c48286e7bdb0bbdec9c4bfa934e0db8e09", "tree": "20a7485417c8528d975ef4ff6e90467f63f67ab2", "parents": [ "f8294f1144ad0630075918df4bf94075f5384604" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Apr 03 09:38:00 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 03 09:49:41 2012 -0700" }, "message": "SELinux: do not allocate stack space for AVC data unless needed\n\nInstead of declaring the entire selinux_audit_data on the stack when we\nstart an operation on declare it on the stack if we are going to use it.\nWe know it\u0027s usefulness at the end of the security decision and can declare\nit there.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "7f6a47cf1477ffae9cff1d6ee181e2ce6bfb2f02", "tree": "55d2bfda38776aeed69b82cf0bd5b409744b4afd", "parents": [ "48c62af68a403ef1655546bd3e021070c8508573" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 02 13:15:50 2012 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 03 09:49:10 2012 -0700" }, "message": "SELinux: remove avd from selinux_audit_data\n\nWe do not use it. Remove it.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3b3b0e4fc15efa507b902d90cea39e496a523c3b", "tree": "d7b91c21ad6c6f4ac21dd51297b74eec47c61684", "parents": [ "95694129b43165911dc4e8a972f0d39ad98d86be" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Apr 03 09:37:02 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 03 09:48:40 2012 -0700" }, "message": "LSM: shrink sizeof LSM specific portion of common_audit_data\n\nLinus found that the gigantic size of the common audit data caused a big\nperf hit on something as simple as running stat() in a loop. This patch\nrequires LSMs to declare the LSM specific portion separately rather than\ndoing it in a union. Thus each LSM can be responsible for shrinking their\nportion and don\u0027t have to pay a penalty just because other LSMs have a\nbigger space requirement.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "9ffc93f203c18a70623f21950f1dd473c9ec48cd", "tree": "1eb3536ae183b0bfbf7f5152a6fe4f430ae881c2", "parents": [ "96f951edb1f1bdbbc99b0cd458f9808bb83d58ae" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Mar 28 18:30:03 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Mar 28 18:30:03 2012 +0100" }, "message": "Remove all #inclusions of asm/system.h\n\nRemove all #inclusions of asm/system.h preparatory to splitting and killing\nit. Performed with the following command:\n\nperl -p -i -e \u0027s!^#\\s*include\\s*\u003casm/system[.]h\u003e.*\\n!!\u0027 `grep -Irl \u0027^#\\s*include\\s*\u003casm/system[.]h\u003e\u0027 *`\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "778aae84ef694325662447eceba1a5f7d3eebdbb", "tree": "7bf3f7e682e220ce30afe3572332fb424a3761f2", "parents": [ "15e9b9b9ed268fa91e52c44d621f3d0296162d15" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Mar 26 16:38:47 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Mar 26 16:38:47 2012 +0100" }, "message": "SELinux: selinux/xfrm.h needs net/flow.h\n\nselinux/xfrm.h needs to #include net/flow.h or else suffer:\n\nIn file included from security/selinux/ss/services.c:69:0:\nsecurity/selinux/include/xfrm.h: In function \u0027selinux_xfrm_notify_policyload\u0027:\nsecurity/selinux/include/xfrm.h:53:14: error: \u0027flow_cache_genid\u0027 undeclared (first use in this function)\nsecurity/selinux/include/xfrm.h:53:14: note: each undeclared identifier is reported only once for each function it appears in\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "7b98a5857c3fa86cb0a7e5f893643491a8b5b425", "tree": "9e8b83d35a9c70f2c02853de808184871df3aba9", "parents": [ "0ff53f5ddbaebeac1c2735125901275acc1fecc6" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 30 12:52:32 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Sep 09 16:56:32 2011 -0700" }, "message": "selinux: sparse fix: fix several warnings in the security server code\n\nFix several sparse warnings in the SELinux security server code.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6a3fbe81179c85eb53054a0f4c8423ffec0276a7", "tree": "b281fee66a005236bbdedf5f22eeacc37669ba4a", "parents": [ "ad3fa08c4ff84ed87649d72e8497735c85561a3d" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 30 12:09:15 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Sep 09 16:56:31 2011 -0700" }, "message": "selinux: sparse fix: fix warnings in netlink code\n\nFix sparse warnings in SELinux Netlink code.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ad3fa08c4ff84ed87649d72e8497735c85561a3d", "tree": "e6f22e6d42cf52c689e983be42b9292180564446", "parents": [ "d5813a571876c72766f125b1c6e63414f6822c28" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 30 10:50:12 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Sep 09 16:56:30 2011 -0700" }, "message": "selinux: sparse fix: eliminate warnings for selinuxfs\n\nFixes several sparse warnings for selinuxfs.c\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "58982b74832917405a483a22beede729e3175376", "tree": "fc6fa24b9cf15490de54501125ac08049abb5ea0", "parents": [ "cc59a582d6081b296e481b8bc9676b5c2faad818" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Aug 17 11:17:14 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Sep 09 16:56:26 2011 -0700" }, "message": "selinux: sparse fix: declare selinux_disable() in security.h\n\nSparse fix: declare selinux_disable() in security.h\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cc59a582d6081b296e481b8bc9676b5c2faad818", "tree": "5ed00269cea7ffef573c78e854a6369a32842437", "parents": [ "56a4ca996181b94b30e6b46509dc28e4ca3cc3f8" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Aug 17 11:13:31 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Sep 09 16:56:26 2011 -0700" }, "message": "selinux: sparse fix: move selinux_complete_init\n\nSparse fix: move selinux_complete_init\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "82c21bfab41a77bc01affe21bea9727d776774a7", "tree": "b0c5850be07c7f6d747df389f8f15780887da630", "parents": [ "87a0874cf19f1bc9bd25bd7d053a0ea25ccf8373" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Mon Aug 01 11:10:33 2011 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Aug 01 17:58:33 2011 -0700" }, "message": "doc: Update the email address for Paul Moore in various source files\n\nMy @hp.com will no longer be valid starting August 5, 2011 so an update is\nnecessary. My new email address is employer independent so we don\u0027t have\nto worry about doing this again any time soon.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Paul Moore \u003cpaul@paul-moore.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "b7b57551bbda1390959207f79f2038aa7adb72ae", "tree": "d591a08e7e45615b51d8b5ee1634a29920f62c3f", "parents": [ "434d42cfd05a7cc452457a81d2029540cba12150", "7a627e3b9a2bd0f06945bbe64bcf403e788ecf6e" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 24 23:20:19 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 24 23:20:19 2011 +1000" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into for-linus\n\nConflicts:\n\tlib/flex_array.c\n\tsecurity/selinux/avc.c\n\tsecurity/selinux/hooks.c\n\tsecurity/selinux/ss/policydb.c\n\tsecurity/smack/smack_lsm.c\n\nManually resolve conflicts.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "257313b2a87795e07a0bdf58d0fffbdba8b31051", "tree": "ff5043526b0381cdc1f1f68d3c6f8ed3635e0ddb", "parents": [ "044aea9b83614948c98564000db07d1d32b2d29b" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 19 21:22:53 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 19 21:22:53 2011 -0700" }, "message": "selinux: avoid unnecessary avc cache stat hit count\n\nThere is no point in counting hits - we can calculate it from the number\nof lookups and misses.\n\nThis makes the avc statistics a bit smaller, and makes the code\ngeneration better too.\n\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "9ade0cf440a1e5800dc68eef2e77b8d9d83a6dff", "tree": "17a06970af5a26cd340b785a894f20f262335575", "parents": [ "1879fd6a26571fd4e8e1f4bb3e7537bc936b1fe7" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 16:26:29 2011 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 25 18:16:32 2011 -0700" }, "message": "SELINUX: Make selinux cache VFS RCU walks safe\n\nNow that the security modules can decide whether they support the\ndcache RCU walk or not it\u0027s possible to make selinux a bit more\nRCU friendly. The SELinux AVC and security server access decision\ncode is RCU safe. A specific piece of the LSM audit code may not\nbe RCU safe.\n\nThis patch makes the VFS RCU walk retry if it would hit the non RCU\nsafe chunk of code. It will normally just work under RCU. This is\ndone simply by passing the VFS RCU state as a flag down into the\navc_audit() code and returning ECHILD there if it would have an issue.\n\nBased-on-patch-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "0dc1ba24f7fff659725eecbba2c9ad679a0954cd", "tree": "ad5831b52b38ca8157dd3ba4e5dfb75768bd372f", "parents": [ "1c9904297451f558191e211a48d8838b4bf792b0" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 21 17:23:20 2011 -0700" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 16:24:41 2011 -0400" }, "message": "SELINUX: Make selinux cache VFS RCU walks safe\n\nNow that the security modules can decide whether they support the\ndcache RCU walk or not it\u0027s possible to make selinux a bit more\nRCU friendly. The SELinux AVC and security server access decision\ncode is RCU safe. A specific piece of the LSM audit code may not\nbe RCU safe.\n\nThis patch makes the VFS RCU walk retry if it would hit the non RCU\nsafe chunk of code. It will normally just work under RCU. This is\ndone simply by passing the VFS RCU state as a flag down into the\navc_audit() code and returning ECHILD there if it would have an issue.\n\nBased-on-patch-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "6b697323a78bed254ee372f71b1a6a2901bb4b7a", "tree": "ef1282bd99f549074253b33deeb6436809566ad4", "parents": [ "a35c6c8368d88deae6890205e73ed330b6df1db7" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 20 10:21:28 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 10:19:02 2011 -0400" }, "message": "SELinux: security_read_policy should take a size_t not ssize_t\n\nThe len should be an size_t but is a ssize_t. Easy enough fix to silence\nbuild warnings. We have no need for signed-ness.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f50a3ec961f90e38c0311411179d5dfee1412192", "tree": "600b7909964cd116af1252ecabb5b1415c01d7a0", "parents": [ "6bde95ce33e1c2ac9b5cb3d814722105131090ec" ], "author": { "name": "Kohei Kaigai", "email": "Kohei.Kaigai@eu.nec.com", "time": "Fri Apr 01 15:39:26 2011 +0100" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Apr 01 17:13:23 2011 -0400" }, "message": "selinux: add type_transition with name extension support for selinuxfs\n\nThe attached patch allows /selinux/create takes optional 4th argument\nto support TYPE_TRANSITION with name extension for userspace object\nmanagers.\nIf 4th argument is not supplied, it shall perform as existing kernel.\nIn fact, the regression test of SE-PostgreSQL works well on the patched\nkernel.\n\nThanks,\n\nSigned-off-by: KaiGai Kohei \u003ckohei.kaigai@eu.nec.com\u003e\n[manually verify fuzz was not an issue, and it wasn\u0027t: eparis]\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "8023976cf4627d9f1d82ad468ec40e32eb87d211", "tree": "82af1157ffbb00be2a8d2357a8c2fd88826233b1", "parents": [ "fe3fa43039d47ee4e22caf460b79b62a14937f79" ], "author": { "name": "Harry Ciao", "email": "qingtao.cao@windriver.com", "time": "Fri Mar 25 13:51:56 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Mar 28 14:20:58 2011 -0400" }, "message": "SELinux: Add class support to the role_trans structure\n\nIf kernel policy version is \u003e\u003d 26, then the binary representation of\nthe role_trans structure supports specifying the class for the current\nsubject or the newly created object.\n\nIf kernel policy version is \u003c 26, then the class field would be default\nto the process class.\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "7a6362800cb7d1d618a697a650c7aaed3eb39320", "tree": "087f9bc6c13ef1fad4b392c5cf9325cd28fa8523", "parents": [ "6445ced8670f37cfc2c5e24a9de9b413dbfc788d", "ceda86a108671294052cbf51660097b6534672f5" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 16 16:29:25 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 16 16:29:25 2011 -0700" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1480 commits)\n bonding: enable netpoll without checking link status\n xfrm: Refcount destination entry on xfrm_lookup\n net: introduce rx_handler results and logic around that\n bonding: get rid of IFF_SLAVE_INACTIVE netdev-\u003epriv_flag\n bonding: wrap slave state work\n net: get rid of multiple bond-related netdevice-\u003epriv_flags\n bonding: register slave pointer for rx_handler\n be2net: Bump up the version number\n be2net: Copyright notice change. Update to Emulex instead of ServerEngines\n e1000e: fix kconfig for crc32 dependency\n netfilter ebtables: fix xt_AUDIT to work with ebtables\n xen network backend driver\n bonding: Improve syslog message at device creation time\n bonding: Call netif_carrier_off after register_netdevice\n bonding: Incorrect TX queue offset\n net_sched: fix ip_tos2prio\n xfrm: fix __xfrm_route_forward()\n be2net: Fix UDP packet detected status in RX compl\n Phonet: fix aligned-mode pipe socket buffer header reserve\n netxen: support for GbE port settings\n ...\n\nFix up conflicts in drivers/staging/brcm80211/brcmsmac/wl_mac80211.c\nwith the staging updates.\n" }, { "commit": "fe3fa43039d47ee4e22caf460b79b62a14937f79", "tree": "9eab8d00f1227b9fe0959f32a62d892ed35803ba", "parents": [ "ee009e4a0d4555ed522a631bae9896399674f064", "026eb167ae77244458fa4b4b9fc171209c079ba7" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:38:10 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:38:10 2011 +1100" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into next\n" }, { "commit": "4bc6c2d5d8386800fde23a8e78cd4f04a0ade0ad", "tree": "9ed72f305050b876d846b44ccf13f63fcbab1ff4", "parents": [ "0b24dcb7f2f7a0ce9b762eef0362c21c88f47b32" ], "author": { "name": "Harry Ciao", "email": "qingtao.cao@windriver.com", "time": "Wed Mar 02 13:46:08 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 15:19:43 2011 -0500" }, "message": "SELinux: Auto-generate security_is_socket_class\n\nThe security_is_socket_class() is auto-generated by genheaders based\non classmap.h to reduce maintenance effort when a new class is defined\nin SELinux kernel. The name for any socket class should be suffixed by\n\"socket\" and doesn\u0027t contain more than one substr of \"socket\".\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "47ac19ea429aee561f66e9cd05b908e8ffbc498a", "tree": "22a95f4b75ab4dd71949f8f337463638ff6711e3", "parents": [ "4a7ab3dcad0b66a486c468ccf0d6197c5dbe3326" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:39:20 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:40:00 2011 -0500" }, "message": "selinux: drop unused packet flow permissions\n\nThese permissions are not used and can be dropped in the kernel\ndefinitions.\n\nSuggested-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "e33f770426674a565a188042caf3f974f8b3722d", "tree": "6ee309a1cbccec1cef9972fc6c8f8d9b280978f5", "parents": [ "e1ad2ab2cf0cabcd81861e2c61870fc27bb27ded" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Feb 22 18:13:15 2011 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Feb 22 18:13:15 2011 -0800" }, "message": "xfrm: Mark flowi arg to security_xfrm_state_pol_flow_match() const.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "652bb9b0d6ce007f37c098947b2cc0c45efa3f66", "tree": "7bf76f04a1fcaa401761a9a734b94682e2ac8b8c", "parents": [ "2a7dba391e5628ad665ce84ef9a6648da541ebab" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:05:40 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:12:30 2011 -0500" }, "message": "SELinux: Use dentry name in new object labeling\n\nCurrently SELinux has rules which label new objects according to 3 criteria.\nThe label of the process creating the object, the label of the parent\ndirectory, and the type of object (reg, dir, char, block, etc.) This patch\nadds a 4th criteria, the dentry name, thus we can distinguish between\ncreating a file in an etc_t directory called shadow and one called motd.\n\nThere is no file globbing, regex parsing, or anything mystical. Either the\npolicy exactly (strcmp) matches the dentry name of the object or it doesn\u0027t.\nThis patch has no changes from today if policy does not implement the new\nrules.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "e0e736fc0d33861335e2a132e4f688f7fd380c61", "tree": "d9febe9ca1ef1e24efc5e6e1e34e412316d246bd", "parents": [ "a08948812b30653eb2c536ae613b635a989feb6f", "aeda4ac3efc29e4d55989abd0a73530453aa69ba" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 10 11:18:59 2011 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 10 11:18:59 2011 -0800" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (30 commits)\n MAINTAINERS: Add tomoyo-dev-en ML.\n SELinux: define permissions for DCB netlink messages\n encrypted-keys: style and other cleanup\n encrypted-keys: verify datablob size before converting to binary\n trusted-keys: kzalloc and other cleanup\n trusted-keys: additional TSS return code and other error handling\n syslog: check cap_syslog when dmesg_restrict\n Smack: Transmute labels on specified directories\n selinux: cache sidtab_context_to_sid results\n SELinux: do not compute transition labels on mountpoint labeled filesystems\n This patch adds a new security attribute to Smack called SMACK64EXEC. It defines label that is used while task is running.\n SELinux: merge policydb_index_classes and policydb_index_others\n selinux: convert part of the sym_val_to_name array to use flex_array\n selinux: convert type_val_to_struct to flex_array\n flex_array: fix flex_array_put_ptr macro to be valid C\n SELinux: do not set automatic i_ino in selinuxfs\n selinux: rework security_netlbl_secattr_to_sid\n SELinux: standardize return code handling in selinuxfs.c\n SELinux: standardize return code handling in selinuxfs.c\n SELinux: standardize return code handling in policydb.c\n ...\n" }, { "commit": "37721e1b0cf98cb65895f234d8c500d270546529", "tree": "6fb3ec6910513b18e100b17432864fa8c46d55e4", "parents": [ "9f99a2f0e44663517b99b69a3e4a499d0ba877df" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Mon Jan 10 08:17:10 2011 +0200" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 10 08:51:44 2011 -0800" }, "message": "headers: path.h redux\n\nRemove path.h from sched.h and other files.\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "ce6ada35bdf710d16582cc4869c26722547e6f11", "tree": "c2b5fd46c883f4b7285b191bac55940022662b43", "parents": [ "1d6d75684d869406e5bb2ac5d3ed9454f52d0cab" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Thu Nov 25 17:11:32 2010 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Nov 29 08:35:12 2010 +1100" }, "message": "security: Define CAP_SYSLOG\n\nPrivileged syslog operations currently require CAP_SYS_ADMIN. Split\nthis off into a new CAP_SYSLOG privilege which we can sanely take away\nfrom a container through the capability bounding set.\n\nWith this patch, an lxc container can be prevented from messing with\nthe host\u0027s syslog (i.e. dmesg -c).\n\nChangelog: mar 12 2010: add selinux capability2:cap_syslog perm\nChangelog: nov 22 2010:\n\t. port to new kernel\n\t. add a WARN_ONCE if userspace isn\u0027t using CAP_SYSLOG\n\nSigned-off-by: Serge Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-By: Kees Cook \u003ckees.cook@canonical.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: \"Christopher J. PeBenito\" \u003ccpebenito@tresys.com\u003e\nCc: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cee74f47a6baba0ac457e87687fdcf0abd599f0a", "tree": "3d9fdb073050664e62d9cdb6c28112090cd138da", "parents": [ "00d85c83ac52e2c1a66397f1abc589f80c543425" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 17:50:25 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:58 2010 +1100" }, "message": "SELinux: allow userspace to read policy back out of the kernel\n\nThere is interest in being able to see what the actual policy is that was\nloaded into the kernel. The patch creates a new selinuxfs file\n/selinux/policy which can be read by userspace. The actual policy that is\nloaded into the kernel will be written back out to userspace.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2606fd1fa5710205b23ee859563502aa18362447", "tree": "f79becd7010a2da1a765829fce0e09327cd50531", "parents": [ "15714f7b58011cf3948cab2988abea560240c74f" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 16:24:41 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:48 2010 +1100" }, "message": "secmark: make secmark object handling generic\n\nRight now secmark has lots of direct selinux calls. Use all LSM calls and\nremove all SELinux specific knowledge. The only SELinux specific knowledge\nwe leave is the mode. The only point is to make sure that other LSMs at\nleast test this generic code before they assume it works. (They may also\nhave to make changes if they do not represent labels as strings)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "36f7f28416c97dbb725154930066d115b4447e17", "tree": "c09aed0142158c6fda679bab87012144e5a60372", "parents": [ "8b0c543e5cb1e47a54d3ea791b8a03b9c8a715db" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@ak.jp.nec.com", "time": "Thu Sep 30 11:49:55 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:41 2010 +1100" }, "message": "selinux: fix up style problem on /selinux/status\n\nThis patch fixes up coding-style problem at this commit:\n\n 4f27a7d49789b04404eca26ccde5f527231d01d5\n selinux: fast status update interface (/selinux/status)\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "119041672592d1890d89dd8f194bd0919d801dc8", "tree": "b994abb42446b8637f072194c57359fd80d52a97", "parents": [ "4b04a7cfc5ccb573ca3752429c81d37f8dd2f7c6" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@ak.jp.nec.com", "time": "Tue Sep 14 18:28:39 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:36 2010 +1100" }, "message": "selinux: fast status update interface (/selinux/status)\n\nThis patch provides a new /selinux/status entry which allows applications\nread-only mmap(2).\nThis region reflects selinux_kernel_status structure in kernel space.\n struct selinux_kernel_status\n {\n u32 length; /* length of this structure */\n u32 sequence; /* sequence number of seqlock logic */\n u32 enforcing; /* current setting of enforcing mode */\n u32 policyload; /* times of policy reloaded */\n u32 deny_unknown; /* current setting of deny_unknown */\n };\n\nWhen userspace object manager caches access control decisions provided\nby SELinux, it needs to invalidate the cache on policy reload and setenforce\nto keep consistency.\nHowever, the applications need to check the kernel state for each accesses\non userspace avc, or launch a background worker process.\nIn heuristic, frequency of invalidation is much less than frequency of\nmaking access control decision, so it is annoying to invoke a system call\nto check we don\u0027t need to invalidate the userspace cache.\nIf we can use a background worker thread, it allows to receive invalidation\nmessages from the kernel. But it requires us an invasive coding toward the\nbase application in some cases; E.g, when we provide a feature performing\nwith SELinux as a plugin module, it is unwelcome manner to launch its own\nworker thread from the module.\n\nIf we could map /selinux/status to process memory space, application can\nknow updates of selinux status; policy reload or setenforce.\n\nA typical application checks selinux_kernel_status::sequence when it tries\nto reference userspace avc. If it was changed from the last time when it\nchecked userspace avc, it means something was updated in the kernel space.\nThen, the application can reset userspace avc or update current enforcing\nmode, without any system call invocations.\nThis sequence number is updated according to the seqlock logic, so we need\nto wait for a while if it is odd number.\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n--\n security/selinux/include/security.h | 21 ++++++\n security/selinux/selinuxfs.c | 56 +++++++++++++++\n security/selinux/ss/Makefile | 2 +-\n security/selinux/ss/services.c | 3 +\n security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++\n 5 files changed, 210 insertions(+), 1 deletions(-)\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b424485abe2b16580a178b469917a7b6ee0c152a", "tree": "d90d4662dd1ad229976354e4caa1a7632fb2a6d3", "parents": [ "49b7b8de46d293113a0a0bb026ff7bd833c73367" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:44:15 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:09 2010 +1000" }, "message": "SELinux: Move execmod to the common perms\n\nexecmod \"could\" show up on non regular files and non chr files. The current\nimplementation would actually make these checks against non-existant bits\nsince the code assumes the execmod permission is same for all file types.\nTo make this line up for chr files we had to define execute_no_trans and\nentrypoint permissions. These permissions are unreachable and only existed\nto to make FILE__EXECMOD and CHR_FILE__EXECMOD the same. This patch drops\nthose needless perms as well.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "49b7b8de46d293113a0a0bb026ff7bd833c73367", "tree": "ff29778c49a8ac1511249cc268ddbb2c6ddb86a9", "parents": [ "b782e0a68d17894d9a618ffea55b33639faa6bb4" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:44:09 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:08 2010 +1000" }, "message": "selinux: place open in the common file perms\n\nkernel can dynamically remap perms. Drop the open lookup table and put open\nin the common file perms.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b782e0a68d17894d9a618ffea55b33639faa6bb4", "tree": "307bc615153075a6e92be5d839a58ff48d6525f3", "parents": [ "d09ca73979460b96d5d4684d588b188be9a1f57d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jul 23 11:44:03 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:35:07 2010 +1000" }, "message": "SELinux: special dontaudit for access checks\n\nCurrently there are a number of applications (nautilus being the main one) which\ncalls access() on files in order to determine how they should be displayed. It\nis normal and expected that nautilus will want to see if files are executable\nor if they are really read/write-able. access() should return the real\npermission. SELinux policy checks are done in access() and can result in lots\nof AVC denials as policy denies RWX on files which DAC allows. Currently\nSELinux must dontaudit actual attempts to read/write/execute a file in\norder to silence these messages (and not flood the logs.) But dontaudit rules\nlike that can hide real attacks. This patch addes a new common file\npermission audit_access. This permission is special in that it is meaningless\nand should never show up in an allow rule. Instead the only place this\npermission has meaning is in a dontaudit rule like so:\n\ndontaudit nautilus_t sbin_t:file audit_access\n\nWith such a rule if nautilus just checks access() we will still get denied and\nthus userspace will still get the correct answer but we will not log the denial.\nIf nautilus attempted to actually perform one of the forbidden actions\n(rather than just querying access(2) about it) we would still log a denial.\nThis type of dontaudit rule should be used sparingly, as it could be a\nmethod for an attacker to probe the system permissions without detection.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e8c26255992474a2161c63ce9d385827302e4530", "tree": "08d247a53eca56a6e161ca784a4536b3ea7662f7", "parents": [ "01a05b337a5b647909e1d6670f57e7202318a5fb" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Mar 23 06:36:54 2010 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri May 21 18:31:17 2010 -0400" }, "message": "switch selinux delayed superblock handling to iterate_supers()\n\n... kill their private list, while we are at it\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "dd3e7836bfe093fc611f715c323cf53be9252b27", "tree": "5e789062f3b74ed7c0ec370785eba234ee1ff472", "parents": [ "d25d6fa1a95f465ff1ec4458ca15e30b2c8dffec" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 07 15:08:46 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 08 09:17:02 2010 +1000" }, "message": "selinux: always call sk_security_struct sksec\n\ntrying to grep everything that messes with a sk_security_struct isn\u0027t easy\nsince we don\u0027t always call it sksec. Just rename everything sksec.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c43a7523470dc2d9947fa114a0b54317975d4c04", "tree": "30a72ed1e9079f19b814263197761820f57c39ce", "parents": [ "eaa5eec739637f32f8733d528ff0b94fd62b1214", "634a539e16bd7a1ba31c3f832baa725565cc9f96" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 09 12:46:47 2010 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 09 12:46:47 2010 +1100" }, "message": "Merge branch \u0027next-queue\u0027 into next\n" }, { "commit": "634a539e16bd7a1ba31c3f832baa725565cc9f96", "tree": "cdc26f167c3a2764fecdf3427b2303d28bf05671", "parents": [ "c8563473c1259f5686ceb918c548c80132089f79" ], "author": { "name": "Stephen Hemminger", "email": "shemminger@vyatta.com", "time": "Thu Mar 04 21:59:03 2010 -0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Mar 08 09:33:53 2010 +1100" }, "message": "selinux: const strings in tables\n\nSeveral places strings tables are used that should be declared\nconst.\n\nSigned-off-by: Stephen Hemminger \u003cshemminger@vyatta.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0719aaf5ead7555b7b7a4a080ebf2826a871384e", "tree": "19c0b16b1013d84a8b8092737d38e60f3dd7e939", "parents": [ "42596eafdd75257a640f64701b9b07090bcd84b0" ], "author": { "name": "Guido Trentalancia", "email": "guido@trentalancia.com", "time": "Wed Feb 03 16:40:20 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Feb 04 09:06:36 2010 +1100" }, "message": "selinux: allow MLS-\u003enon-MLS and vice versa upon policy reload\n\nAllow runtime switching between different policy types (e.g. from a MLS/MCS\npolicy to a non-MLS/non-MCS policy or viceversa).\n\nSigned-off-by: Guido Trentalancia \u003cguido@trentalancia.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "19439d05b88dafc4e55d9ffce84ccc27cf8b2bcc", "tree": "e529e1bbba49f30684c3b88a67df1d62ba3e11b1", "parents": [ "8d9525048c74786205b99f3fcd05a839721edfb7" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Thu Jan 14 17:28:10 2010 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 18 09:54:26 2010 +1100" }, "message": "selinux: change the handling of unknown classes\n\nIf allow_unknown\u003d\u003ddeny, SELinux treats an undefined kernel security\nclass as an error condition rather than as a typical permission denial\nand thus does not allow permissions on undefined classes even when in\npermissive mode. Change the SELinux logic so that this case is handled\nas a typical permission denial, subject to the usual permissive mode and\npermissive domain handling.\n\nAlso drop the \u0027requested\u0027 argument from security_compute_av() and\nhelpers as it is a legacy of the original security server interface and\nis unused.\n\nChanges:\n- Handle permissive domains consistently by moving up the test for a\npermissive domain.\n- Make security_compute_av_user() consistent with security_compute_av();\nthe only difference now is that security_compute_av() performs mapping\nbetween the kernel-private class and permission indices and the policy\nvalues. In the userspace case, this mapping is handled by libselinux.\n- Moved avd_init inside the policy lock.\n\nBased in part on a patch by Paul Moore \u003cpaul.moore@hp.com\u003e.\n\nReported-by: Andrew Worsley \u003camworsley@gmail.com\u003e\nSigned-off-by: Stephen D. Smalley \u003csds@tycho.nsa.gov\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8753f6bec352392b52ed9b5e290afb34379f4612", "tree": "b5f381be9f56125309bfbfcaa73d68e08c309747", "parents": [ "c6d3aaa4e35c71a32a86ececacd4eea7ecfc316c" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Wed Sep 30 13:41:02 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Oct 07 21:56:44 2009 +1100" }, "message": "selinux: generate flask headers during kernel build\n\nAdd a simple utility (scripts/selinux/genheaders) and invoke it to\ngenerate the kernel-private class and permission indices in flask.h\nand av_permissions.h automatically during the kernel build from the\nsecurity class mapping definitions in classmap.h. Adding new kernel\nclasses and permissions can then be done just by adding them to classmap.h.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c6d3aaa4e35c71a32a86ececacd4eea7ecfc316c", "tree": "1a5475b4370655a22670fd6eb35e54d8b131b362", "parents": [ "23acb98de5a4109a60b5fe3f0439389218b039d7" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Wed Sep 30 13:37:50 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Oct 07 21:56:42 2009 +1100" }, "message": "selinux: dynamic class/perm discovery\n\nModify SELinux to dynamically discover class and permission values\nupon policy load, based on the dynamic object class/perm discovery\nlogic from libselinux. A mapping is created between kernel-private\nclass and permission indices used outside the security server and the\npolicy values used within the security server.\n\nThe mappings are only applied upon kernel-internal computations;\nsimilar mappings for the private indices of userspace object managers\nis handled on a per-object manager basis by the userspace AVC. The\ninterfaces for compute_av and transition_sid are split for kernel\nvs. userspace; the userspace functions are distinguished by a _user\nsuffix.\n\nThe kernel-private class indices are no longer tied to the policy\nvalues and thus do not need to skip indices for userspace classes;\nthus the kernel class index values are compressed. The flask.h\ndefinitions were regenerated by deleting the userspace classes from\nrefpolicy\u0027s definitions and then regenerating the headers. Going\nforward, we can just maintain the flask.h, av_permissions.h, and\nclassmap.h definitions separately from policy as they are no longer\ntied to the policy values. The next patch introduces a utility to\nautomate generation of flask.h and av_permissions.h from the\nclassmap.h definitions.\n\nThe older kernel class and permission string tables are removed and\nreplaced by a single security class mapping table that is walked at\npolicy load to generate the mapping. The old kernel class validation\nlogic is completely replaced by the mapping logic.\n\nThe handle unknown logic is reworked. reject_unknown\u003d1 is handled\nwhen the mappings are computed at policy load time, similar to the old\nhandling by the class validation logic. allow_unknown\u003d1 is handled\nwhen computing and mapping decisions - if the permission was not able\nto be mapped (i.e. undefined, mapped to zero), then it is\nautomatically added to the allowed vector. If the class was not able\nto be mapped (i.e. undefined, mapped to zero), then all permissions\nare allowed for it if allow_unknown\u003d1.\n\navc_audit leverages the new security class mapping table to lookup the\nclass and permission names from the kernel-private indices.\n\nThe mdp program is updated to use the new table when generating the\nclass definitions and allow rules for a minimal boot policy for the\nkernel. It should be noted that this policy will not include any\nuserspace classes, nor will its policy index values for the kernel\nclasses correspond with the ones in refpolicy (they will instead match\nthe kernel-private indices).\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ed6d76e4c32de0c2ad5f1d572b948ef49e465176", "tree": "893914916ad849fefed72df48bca0bf9c78e392d", "parents": [ "2b980dbd77d229eb60588802162c9659726b11f4" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Aug 28 18:12:49 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Sep 01 08:29:52 2009 +1000" }, "message": "selinux: Support for the new TUN LSM hooks\n\nAdd support for the new TUN LSM hooks: security_tun_dev_create(),\nsecurity_tun_dev_post_create() and security_tun_dev_attach(). This includes\nthe addition of a new object class, tun_socket, which represents the socks\nassociated with TUN devices. The _tun_dev_create() and _tun_dev_post_create()\nhooks are fairly similar to the standard socket functions but _tun_dev_attach()\nis a bit special. The _tun_dev_attach() is unique because it involves a\ndomain attaching to an existing TUN device and its associated tun_socket\nobject, an operation which does not exist with standard sockets and most\nclosely resembles a relabel operation.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2bf49690325b62480a42f7afed5e9f164173c570", "tree": "bc8525f6a45ea3ffaed9449084df7644bcd4e3c2", "parents": [ "f322abf83feddc3c37c3a91794e0c5aece4af18e" ], "author": { "name": "Thomas Liu", "email": "tliu@redhat.com", "time": "Tue Jul 14 12:14:09 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 17 08:37:18 2009 +1000" }, "message": "SELinux: Convert avc_audit to use lsm_audit.h\n\nConvert avc_audit in security/selinux/avc.c to use lsm_audit.h,\nfor better maintainability.\n\n - changed selinux to use common_audit_data instead of\n avc_audit_data\n - eliminated code in avc.c and used code from lsm_audit.h instead.\n\nHad to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit\ncan call common_lsm_audit and do the pre and post callbacks without\ndoing the actual dump. This makes it so that the patched version\nbehaves the same way as the unpatched version.\n\nAlso added a denied field to the selinux_audit_data private space,\nonce again to make it so that the patched version behaves like the\nunpatched.\n\nI\u0027ve tested and confirmed that AVCs look the same before and after\nthis patch.\n\nSigned-off-by: Thomas Liu \u003ctliu@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "25354c4fee169710fd9da15f3bb2abaa24dcf933", "tree": "7fb462945c15ce09392ae858c8ae757290b5ed2d", "parents": [ "9188499cdb117d86a1ea6b04374095b098d56936" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Aug 13 09:45:03 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Aug 14 11:18:40 2009 +1000" }, "message": "SELinux: add selinux_kernel_module_request\n\nThis patch adds a new selinux hook so SELinux can arbitrate if a given\nprocess should be allowed to trigger a request for the kernel to try to\nload a module. This is a different operation than a process trying to load\na module itself, which is already protected by CAP_SYS_MODULE.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "be940d6279c30a2d7c4e8d1d5435f957f594d66d", "tree": "965805d563cb756879fd3595230c3ca205da76d1", "parents": [ "b3a633c8527ef155b1a4e22e8f5abc58f7af54c9" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 13 10:39:36 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 13 10:39:36 2009 +1000" }, "message": "Revert \"SELinux: Convert avc_audit to use lsm_audit.h\"\n\nThis reverts commit 8113a8d80f4c6a3dc3724b39b470f3fee9c426b6.\n\nThe patch causes a stack overflow on my system during boot.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8113a8d80f4c6a3dc3724b39b470f3fee9c426b6", "tree": "27eb775108daaff8390ad564010a9f2fbd5187a2", "parents": [ "65c3f0a2d0f72d210c879e4974c2d222b7951321" ], "author": { "name": "Thomas Liu", "email": "tliu@redhat.com", "time": "Fri Jul 10 10:31:04 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 13 07:54:48 2009 +1000" }, "message": "SELinux: Convert avc_audit to use lsm_audit.h\n\nConvert avc_audit in security/selinux/avc.c to use lsm_audit.h,\nfor better maintainability and for less code duplication.\n\n - changed selinux to use common_audit_data instead of\n avc_audit_data\n - eliminated code in avc.c and used code from lsm_audit.h instead.\n\nI have tested to make sure that the avcs look the same before and\nafter this patch.\n\nSigned-off-by: Thomas Liu \u003ctliu@redhat.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "89c86576ecde504da1eeb4f4882b2189ac2f9c4a", "tree": "94674a48becd9cfde298e9fe6b58db8da28fe238", "parents": [ "a893a84e8799270fbec5c3708d001650aab47138" ], "author": { "name": "Thomas Liu", "email": "tliu@redhat.com", "time": "Wed Jun 24 17:58:05 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 25 08:29:16 2009 +1000" }, "message": "selinux: clean up avc node cache when disabling selinux\n\nAdded a call to free the avc_node_cache when inside selinux_disable because\nit should not waste resources allocated during avc_init if SELinux is disabled\nand the cache will never be used.\n\nSigned-off-by: Thomas Liu \u003ctliu@redhat.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d905163c5b23f6d8511971e06081a1b525e8a0bd", "tree": "f76918c1be802ec068d37763466f5518efdb690e", "parents": [ "44c2d9bdd7022ca7d240d5adc009296fc1c6ce08", "0732f87761dbe417cb6e084b712d07e879e876ef" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jun 19 08:20:55 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jun 19 08:20:55 2009 +1000" }, "message": "Merge branch \u0027master\u0027 into next\n" }, { "commit": "44c2d9bdd7022ca7d240d5adc009296fc1c6ce08", "tree": "33115ee8d7e167d2a26558c2af8e0edfdca099d5", "parents": [ "caabbdc07df4249f2ed516b2c3e2d6b0973bcbb3" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@ak.jp.nec.com", "time": "Thu Jun 18 17:26:13 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jun 19 00:12:28 2009 +1000" }, "message": "Add audit messages on type boundary violations\n\nThe attached patch adds support to generate audit messages on two cases.\n\nThe first one is a case when a multi-thread process tries to switch its\nperforming security context using setcon(3), but new security context is\nnot bounded by the old one.\n\n type\u003dSELINUX_ERR msg\u003daudit(1245311998.599:17): \\\n op\u003dsecurity_bounded_transition result\u003ddenied \\\n oldcontext\u003dsystem_u:system_r:httpd_t:s0 \\\n newcontext\u003dsystem_u:system_r:guest_webapp_t:s0\n\nThe other one is a case when security_compute_av() masked any permissions\ndue to the type boundary violation.\n\n type\u003dSELINUX_ERR msg\u003daudit(1245312836.035:32):\t\\\n op\u003dsecurity_compute_av reason\u003dbounds \\\n scontext\u003dsystem_u:object_r:user_webapp_t:s0 \\\n tcontext\u003dsystem_u:object_r:shadow_t:s0:c0 \\\n tclass\u003dfile perms\u003dgetattr,open\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "75834fc3b6fcff00327f5d2a18760c1e8e0179c5", "tree": "28b1085d2aa76517024709d2f077fdc41aeec4c2", "parents": [ "c3d20103d08e5c0b6738fbd0acf3ca004e5356c5" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon May 18 10:26:10 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 19 08:19:00 2009 +1000" }, "message": "SELinux: move SELINUX_MAGIC into magic.h\n\nThe selinuxfs superblock magic is used inside the IMA code, but is being\ndefined in two places and could someday get out of sync. This patch moves the\ndeclaration into magic.h so it is only done once.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8a6f83afd0c5355db6d11394a798e94950306239", "tree": "f7cb84de87f67eeba0dd68681907696f8a5774d1", "parents": [ "c31f403de62415c738ddc9e673cf8e722c82f861" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@ak.jp.nec.com", "time": "Wed Apr 01 10:07:57 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Apr 02 09:23:45 2009 +1100" }, "message": "Permissive domain in userspace object manager\n\nThis patch enables applications to handle permissive domain correctly.\n\nSince the v2.6.26 kernel, SELinux has supported an idea of permissive\ndomain which allows certain processes to work as if permissive mode,\neven if the global setting is enforcing mode.\nHowever, we don\u0027t have an application program interface to inform\nwhat domains are permissive one, and what domains are not.\nIt means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL\nand so on) cannot handle permissive domain correctly.\n\nThis patch add the sixth field (flags) on the reply of the /selinux/access\ninterface which is used to make an access control decision from userspace.\nIf the first bit of the flags field is positive, it means the required\naccess control decision is on permissive domain, so application should\nallow any required actions, as the kernel doing.\n\nThis patch also has a side benefit. The av_decision.flags is set at\ncontext_struct_compute_av(). It enables to check required permissions\nwithout read_lock(\u0026policy_rwlock).\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n--\n security/selinux/avc.c | 2 +-\n security/selinux/include/security.h | 4 +++-\n security/selinux/selinuxfs.c | 4 ++--\n security/selinux/ss/services.c | 30 +++++-------------------------\n 4 files changed, 11 insertions(+), 29 deletions(-)\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "389fb800ac8be2832efedd19978a2b8ced37eb61", "tree": "fa0bc16050dfb491aa05f76b54fa4c167de96376", "parents": [ "284904aa79466a4736f4c775fdbe5c7407fa136c" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Mar 27 17:10:34 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Mar 28 15:01:36 2009 +1100" }, "message": "netlabel: Label incoming TCP connections correctly in SELinux\n\nThe current NetLabel/SELinux behavior for incoming TCP connections works but\nonly through a series of happy coincidences that rely on the limited nature of\nstandard CIPSO (only able to convey MLS attributes) and the write equality\nimposed by the SELinux MLS constraints. The problem is that network sockets\ncreated as the result of an incoming TCP connection were not on-the-wire\nlabeled based on the security attributes of the parent socket but rather based\non the wire label of the remote peer. The issue had to do with how IP options\nwere managed as part of the network stack and where the LSM hooks were in\nrelation to the code which set the IP options on these newly created child\nsockets. While NetLabel/SELinux did correctly set the socket\u0027s on-the-wire\nlabel it was promptly cleared by the network stack and reset based on the IP\noptions of the remote peer.\n\nThis patch, in conjunction with a prior patch that adjusted the LSM hook\nlocations, works to set the correct on-the-wire label format for new incoming\nconnections through the security_inet_conn_request() hook. Besides the\ncorrect behavior there are many advantages to this change, the most significant\nis that all of the NetLabel socket labeling code in SELinux now lives in hooks\nwhich can return error codes to the core stack which allows us to finally get\nride of the selinux_netlbl_inode_permission() logic which greatly simplfies\nthe NetLabel/SELinux glue code. In the process of developing this patch I\nalso ran into a small handful of AF_INET6 cleanliness issues that have been\nfixed which should make the code safer and easier to extend in the future.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "dd34b5d75a0405814a3de83f02a44ac297e81629", "tree": "f24939a7b7f6b33c44939ee4022d7e95b3f670b6", "parents": [ "6a25b27d602aac24f3c642722377ba5d778417ec" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 05 13:43:35 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Mar 06 08:50:21 2009 +1100" }, "message": "SELinux: new permission between tty audit and audit socket\n\nNew selinux permission to separate the ability to turn on tty auditing from\nthe ability to set audit rules.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6a25b27d602aac24f3c642722377ba5d778417ec", "tree": "ba334617326c65ccd98e7f4733c75fa0ac2ae5ca", "parents": [ "113a0e4590881ce579ca992a80ddc562b3372ede" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 05 13:40:35 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Mar 06 08:50:18 2009 +1100" }, "message": "SELinux: open perm for sock files\n\nWhen I did open permissions I didn\u0027t think any sockets would have an open.\nTurns out AF_UNIX sockets can have an open when they are bound to the\nfilesystem namespace. This patch adds a new SOCK_FILE__OPEN permission.\nIt\u0027s safe to add this as the open perms are already predicated on\ncapabilities and capabilities means we have unknown perm handling so\nsystems should be as backwards compatible as the policy wants them to\nbe.\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id\u003d475224\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f1c6381a6e337adcecf84be2a838bd9e610e2365", "tree": "a6e0857db27a38b0976fb422836f9443241b4b61", "parents": [ "21193dcd1f3570ddfd8a04f4465e484c1f94252f" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 12 14:50:54 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Feb 14 09:23:08 2009 +1100" }, "message": "SELinux: remove unused av.decided field\n\nIt appears there was an intention to have the security server only decide\ncertain permissions and leave other for later as some sort of a portential\nperformance win. We are currently always deciding all 32 bits of\npermissions and this is a useless couple of branches and wasted space.\nThis patch completely drops the av.decided concept.\n\nThis in a 17% reduction in the time spent in avc_has_perm_noaudit\nbased on oprofile sampling of a tbench benchmark.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "11689d47f0957121920c9ec646eb5d838755853a", "tree": "187b4179c0b7b9430bb9e62f6bba474a2d011235", "parents": [ "0d90a7ec48c704025307b129413bc62451b20ab3" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jan 16 09:22:03 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@macbook.localdomain", "time": "Mon Jan 19 09:47:06 2009 +1100" }, "message": "SELinux: Add new security mount option to indicate security label support.\n\nThere is no easy way to tell if a file system supports SELinux security labeling.\nBecause of this a new flag is being added to the super block security structure\nto indicate that the particular super block supports labeling. This flag is set\nfor file systems using the xattr, task, and transition labeling methods unless\nthat behavior is overridden by context mounts.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@macbook.localdomain\u003e\n" }, { "commit": "0d90a7ec48c704025307b129413bc62451b20ab3", "tree": "38cc8a7f5ff3afaccd16d2978455ccc002d69933", "parents": [ "c8334dc8fb6413b363df3e1419e287f5b25bce32" ], "author": { "name": "David P. Quigley", "email": "dpquigl@tycho.nsa.gov", "time": "Fri Jan 16 09:22:02 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@macbook.localdomain", "time": "Mon Jan 19 09:46:40 2009 +1100" }, "message": "SELinux: Condense super block security structure flags and cleanup necessary code.\n\nThe super block security structure currently has three fields for what are\nessentially flags. The flags field is used for mount options while two other\nchar fields are used for initialization and proc flags. These latter two fields are\nessentially bit fields since the only used values are 0 and 1. These fields\nhave been collapsed into the flags field and new bit masks have been added for\nthem. The code is also fixed to work with these new flags.\n\nSigned-off-by: David P. Quigley \u003cdpquigl@tycho.nsa.gov\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@macbook.localdomain\u003e\n" }, { "commit": "76f7ba35d4b5219fcc4cb072134c020ec77d030d", "tree": "971ec5f913a688d98e9be2a04b0c675adcc4166b", "parents": [ "14eaddc967b16017d4a1a24d2be6c28ecbe06ed8" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Jan 02 17:40:06 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 05 19:19:55 2009 +1100" }, "message": "SELinux: shrink sizeof av_inhert selinux_class_perm and context\n\nI started playing with pahole today and decided to put it against the\nselinux structures. Found we could save a little bit of space on x86_64\n(and no harm on i686) just reorganizing some structs.\n\nObject size changes:\nav_inherit: 24 -\u003e 16\nselinux_class_perm: 48 -\u003e 40\ncontext: 80 -\u003e 72\n\nAdmittedly there aren\u0027t many of av_inherit or selinux_class_perm\u0027s in\nthe kernel (33 and 1 respectively) But the change to the size of struct\ncontext reverberate out a bit. I can get some hard number if they are\nneeded, but I don\u0027t see why they would be. We do change which cacheline\ncontext-\u003elen and context-\u003estr would be on, but I don\u0027t see that as a\nproblem since we are clearly going to have to load both if the context\nis to be of any value. I\u0027ve run with the patch and don\u0027t seem to be\nhaving any problems.\n\nAn example of what\u0027s going on using struct av_inherit would be:\n\nform: to:\nstruct av_inherit {\t\t\tstruct av_inherit {\n\tu16 tclass;\t\t\t\tconst char **common_pts;\n\tconst char **common_pts;\t\tu32 common_base;\n\tu32 common_base;\t\t\tu16 tclass;\n};\n\n(notice all I did was move u16 tclass to the end of the struct instead\nof the beginning)\n\nMemory layout before the change:\nstruct av_inherit {\n\tu16 tclass; /* 2 */\n\t/* 6 bytes hole */\n\tconst char** common_pts; /* 8 */\n\tu32 common_base; /* 4 */\n\t/* 4 byes padding */\n\n\t/* size: 24, cachelines: 1 */\n\t/* sum members: 14, holes: 1, sum holes: 6 */\n\t/* padding: 4 */\n};\n\nMemory layout after the change:\nstruct av_inherit {\n\tconst char ** common_pts; /* 8 */\n\tu32 common_base; /* 4 */\n\tu16 tclass; /* 2 */\n\t/* 2 bytes padding */\n\n\t/* size: 16, cachelines: 1 */\n\t/* sum members: 14, holes: 0, sum holes: 0 */\n\t/* padding: 2 */\n};\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1bfdc75ae077d60a01572a7781ec6264d55ab1b9", "tree": "627cbbca1232725bbea68677cb904bf36e73b35c", "parents": [ "3b11a1decef07c19443d24ae926982bc8ec9f4c0" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:27 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:27 2008 +1100" }, "message": "CRED: Add a kernel_service object class to SELinux\n\nAdd a \u0027kernel_service\u0027 object class to SELinux and give this object class two\naccess vectors: \u0027use_as_override\u0027 and \u0027create_files_as\u0027.\n\nThe first vector is used to grant a process the right to nominate an alternate\nprocess security ID for the kernel to use as an override for the SELinux\nsubjective security when accessing stuff on behalf of another process.\n\nFor example, CacheFiles when accessing the cache on behalf on a process\naccessing an NFS file needs to use a subjective security ID appropriate to the\ncache rather then the one the calling process is using. The cachefilesd\ndaemon will nominate the security ID to be used.\n\nThe second vector is used to grant a process the right to nominate a file\ncreation label for a kernel service to use.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d", "tree": "8f95617996d0974507f176163459212a7def8b9a", "parents": [ "d84f4f992cbd76e8f39c488cf0c5d123843923b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Make execve() take advantage of copy-on-write credentials\n\nMake execve() take advantage of copy-on-write credentials, allowing it to set\nup the credentials in advance, and then commit the whole lot after the point\nof no return.\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n The credential bits from struct linux_binprm are, for the most part,\n replaced with a single credentials pointer (bprm-\u003ecred). This means that\n all the creds can be calculated in advance and then applied at the point\n of no return with no possibility of failure.\n\n I would like to replace bprm-\u003ecap_effective with:\n\n\tcap_isclear(bprm-\u003ecap_effective)\n\n but this seems impossible due to special behaviour for processes of pid 1\n (they always retain their parent\u0027s capability masks where normally they\u0027d\n be changed - see cap_bprm_set_creds()).\n\n The following sequence of events now happens:\n\n (a) At the start of do_execve, the current task\u0027s cred_exec_mutex is\n \t locked to prevent PTRACE_ATTACH from obsoleting the calculation of\n \t creds that we make.\n\n (a) prepare_exec_creds() is then called to make a copy of the current\n \t task\u0027s credentials and prepare it. This copy is then assigned to\n \t bprm-\u003ecred.\n\n \t This renders security_bprm_alloc() and security_bprm_free()\n \t unnecessary, and so they\u0027ve been removed.\n\n (b) The determination of unsafe execution is now performed immediately\n \t after (a) rather than later on in the code. The result is stored in\n \t bprm-\u003eunsafe for future reference.\n\n (c) prepare_binprm() is called, possibly multiple times.\n\n \t (i) This applies the result of set[ug]id binaries to the new creds\n \t attached to bprm-\u003ecred. Personality bit clearance is recorded,\n \t but now deferred on the basis that the exec procedure may yet\n \t fail.\n\n (ii) This then calls the new security_bprm_set_creds(). This should\n\t calculate the new LSM and capability credentials into *bprm-\u003ecred.\n\n\t This folds together security_bprm_set() and parts of\n\t security_bprm_apply_creds() (these two have been removed).\n\t Anything that might fail must be done at this point.\n\n (iii) bprm-\u003ecred_prepared is set to 1.\n\n\t bprm-\u003ecred_prepared is 0 on the first pass of the security\n\t calculations, and 1 on all subsequent passes. This allows SELinux\n\t in (ii) to base its calculations only on the initial script and\n\t not on the interpreter.\n\n (d) flush_old_exec() is called to commit the task to execution. This\n \t performs the following steps with regard to credentials:\n\n\t (i) Clear pdeath_signal and set dumpable on certain circumstances that\n\t may not be covered by commit_creds().\n\n (ii) Clear any bits in current-\u003epersonality that were deferred from\n (c.i).\n\n (e) install_exec_creds() [compute_creds() as was] is called to install the\n \t new credentials. This performs the following steps with regard to\n \t credentials:\n\n (i) Calls security_bprm_committing_creds() to apply any security\n requirements, such as flushing unauthorised files in SELinux, that\n must be done before the credentials are changed.\n\n\t This is made up of bits of security_bprm_apply_creds() and\n\t security_bprm_post_apply_creds(), both of which have been removed.\n\t This function is not allowed to fail; anything that might fail\n\t must have been done in (c.ii).\n\n (ii) Calls commit_creds() to apply the new credentials in a single\n assignment (more or less). Possibly pdeath_signal and dumpable\n should be part of struct creds.\n\n\t (iii) Unlocks the task\u0027s cred_replace_mutex, thus allowing\n\t PTRACE_ATTACH to take place.\n\n (iv) Clears The bprm-\u003ecred pointer as the credentials it was holding\n are now immutable.\n\n (v) Calls security_bprm_committed_creds() to apply any security\n alterations that must be done after the creds have been changed.\n SELinux uses this to flush signals and signal handlers.\n\n (f) If an error occurs before (d.i), bprm_free() will call abort_creds()\n \t to destroy the proposed new credentials and will then unlock\n \t cred_replace_mutex. No changes to the credentials will have been\n \t made.\n\n (2) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_bprm_alloc(), -\u003ebprm_alloc_security()\n (*) security_bprm_free(), -\u003ebprm_free_security()\n\n \t Removed in favour of preparing new credentials and modifying those.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n (*) security_bprm_post_apply_creds(), -\u003ebprm_post_apply_creds()\n\n \t Removed; split between security_bprm_set_creds(),\n \t security_bprm_committing_creds() and security_bprm_committed_creds().\n\n (*) security_bprm_set(), -\u003ebprm_set_security()\n\n \t Removed; folded into security_bprm_set_creds().\n\n (*) security_bprm_set_creds(), -\u003ebprm_set_creds()\n\n \t New. The new credentials in bprm-\u003ecreds should be checked and set up\n \t as appropriate. bprm-\u003ecred_prepared is 0 on the first call, 1 on the\n \t second and subsequent calls.\n\n (*) security_bprm_committing_creds(), -\u003ebprm_committing_creds()\n (*) security_bprm_committed_creds(), -\u003ebprm_committed_creds()\n\n \t New. Apply the security effects of the new credentials. This\n \t includes closing unauthorised files in SELinux. This function may not\n \t fail. When the former is called, the creds haven\u0027t yet been applied\n \t to the process; when the latter is called, they have.\n\n \t The former may access bprm-\u003ecred, the latter may not.\n\n (3) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) The bprm_security_struct struct has been removed in favour of using\n \t the credentials-under-construction approach.\n\n (c) flush_unauthorized_files() now takes a cred pointer and passes it on\n \t to inode_has_perm(), file_has_perm() and dentry_open().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0da939b0058742ad2d8580b7db6b966d0fc72252", "tree": "47cb109fdf97135191bff5db4e3bfc905136bf8b", "parents": [ "4bdec11f560b8f405a011288a50e65b1a81b3654", "d91d40799165b0c84c97e7c71fb8039494ff07dc" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Oct 11 09:26:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Oct 11 09:26:14 2008 +1100" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/pcmoore/lblnet-2.6_next into next\n" }, { "commit": "6c5b3fc0147f79d714d2fe748b5869d7892ef2e7", "tree": "2cff691b2d4da2afd69660cb4ee647f6b553cdf9", "parents": [ "014ab19a69c325f52d7bae54ceeda73d6307ae0c" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "message": "selinux: Cache NetLabel secattrs in the socket\u0027s security struct\n\nPrevious work enabled the use of address based NetLabel selectors, which\nwhile highly useful, brought the potential for additional per-packet overhead\nwhen used. This patch attempts to mitigate some of that overhead by caching\nthe NetLabel security attribute struct within the SELinux socket security\nstructure. This should help eliminate the need to recreate the NetLabel\nsecattr structure for each packet resulting in less overhead.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "014ab19a69c325f52d7bae54ceeda73d6307ae0c", "tree": "8a69c490accb7d5454bdfeb8c078d846729aeb60", "parents": [ "948bf85c1bc9a84754786a9d5dd99b7ecc46451e" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:33 2008 -0400" }, "message": "selinux: Set socket NetLabel based on connection endpoint\n\nPrevious work enabled the use of address based NetLabel selectors, which while\nhighly useful, brought the potential for additional per-packet overhead when\nused. This patch attempts to solve that by applying NetLabel socket labels\nwhen sockets are connect()\u0027d. This should alleviate the per-packet NetLabel\nlabeling for all connected sockets (yes, it even works for connected DGRAM\nsockets).\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "948bf85c1bc9a84754786a9d5dd99b7ecc46451e", "tree": "a4706be1f4a5a37408774ef3c4cab8cf2e7775b5", "parents": [ "63c41688743760631188cf0f4ae986a6793ccb0a" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:32 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:32 2008 -0400" }, "message": "netlabel: Add functionality to set the security attributes of a packet\n\nThis patch builds upon the new NetLabel address selector functionality by\nproviding the NetLabel KAPI and CIPSO engine support needed to enable the\nnew packet-based labeling. The only new addition to the NetLabel KAPI at\nthis point is shown below:\n\n * int netlbl_skbuff_setattr(skb, family, secattr)\n\n... and is designed to be called from a Netfilter hook after the packet\u0027s\nIP header has been populated such as in the FORWARD or LOCAL_OUT hooks.\n\nThis patch also provides the necessary SELinux hooks to support this new\nfunctionality. Smack support is not currently included due to uncertainty\nregarding the permissions needed to expand the Smack network access controls.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "dfaebe9825ff34983778f287101bc5f3bce00640", "tree": "4dccdcdcecd57fc8bfc083ff30d9e0ecb2e7ecba", "parents": [ "99d854d231ce141850b988bdc7e2e7c78f49b03a" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "committer": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Oct 10 10:16:31 2008 -0400" }, "message": "selinux: Fix missing calls to netlbl_skbuff_err()\n\nAt some point I think I messed up and dropped the calls to netlbl_skbuff_err()\nwhich are necessary for CIPSO to send error notifications to remote systems.\nThis patch re-introduces the error handling calls into the SELinux code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d9250dea3f89fe808a525f08888016b495240ed4", "tree": "c4b039ce0b29714e8f4c3bbc6d407adc361cc122", "parents": [ "da31894ed7b654e2e1741e7ac4ef6c15be0dd14b" ], "author": { "name": "KaiGai Kohei", "email": "kaigai@ak.jp.nec.com", "time": "Thu Aug 28 16:35:57 2008 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Aug 29 00:33:33 2008 +1000" }, "message": "SELinux: add boundary support and thread context assignment\n\nThe purpose of this patch is to assign per-thread security context\nunder a constraint. It enables multi-threaded server application\nto kick a request handler with its fair security context, and\nhelps some of userspace object managers to handle user\u0027s request.\n\nWhen we assign a per-thread security context, it must not have wider\npermissions than the original one. Because a multi-threaded process\nshares a single local memory, an arbitary per-thread security context\nalso means another thread can easily refer violated information.\n\nThe constraint on a per-thread security context requires a new domain\nhas to be equal or weaker than its original one, when it tries to assign\na per-thread security context.\n\nBounds relationship between two types is a way to ensure a domain can\nnever have wider permission than its bounds. We can define it in two\nexplicit or implicit ways.\n\nThe first way is using new TYPEBOUNDS statement. It enables to define\na boundary of types explicitly. The other one expand the concept of\nexisting named based hierarchy. If we defines a type with \".\" separated\nname like \"httpd_t.php\", toolchain implicitly set its bounds on \"httpd_t\".\n\nThis feature requires a new policy version.\nThe 24th version (POLICYDB_VERSION_BOUNDARY) enables to ship them into\nkernel space, and the following patch enables to handle it.\n\nSigned-off-by: KaiGai Kohei \u003ckaigai@ak.jp.nec.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "089be43e403a78cd6889cde2fba164fefe9dfd89", "tree": "de401b27c91c528dbf64c712e6b64d185ded0c54", "parents": [ "50515af207d410c9f228380e529c56f43c3de0bd" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Jul 15 18:32:49 2008 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Jul 15 18:32:49 2008 +1000" }, "message": "Revert \"SELinux: allow fstype unknown to policy to use xattrs if present\"\n\nThis reverts commit 811f3799279e567aa354c649ce22688d949ac7a9.\n\nFrom Eric Paris:\n\n\"Please drop this patch for now. It deadlocks on ntfs-3g. I need to\nrework it to handle fuse filesystems better. (casey was right)\"\n" }, { "commit": "811f3799279e567aa354c649ce22688d949ac7a9", "tree": "2a4d8c30821de84d5adcf37a09562ebba92f9f23", "parents": [ "65fc7668006b537f7ae8451990c0ed9ec882544e" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Jun 18 09:50:04 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 14 15:02:04 2008 +1000" }, "message": "SELinux: allow fstype unknown to policy to use xattrs if present\n\nCurrently if a FS is mounted for which SELinux policy does not define an\nfs_use_* that FS will either be genfs labeled or not labeled at all.\nThis decision is based on the existence of a genfscon rule in policy and\nis irrespective of the capabilities of the filesystem itself. This\npatch allows the kernel to check if the filesystem supports security\nxattrs and if so will use those if there is no fs_use_* rule in policy.\nAn fstype with a no fs_use_* rule but with a genfs rule will use xattrs\nif available and will follow the genfs rule.\n\nThis can be particularly interesting for things like ecryptfs which\nactually overlays a real underlying FS. If we define excryptfs in\npolicy to use xattrs we will likely get this wrong at times, so with\nthis path we just don\u0027t need to define it!\n\nOverlay ecryptfs on top of NFS with no xattr support:\nSELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts\nOverlay ecryptfs on top of ext4 with xattr support:\nSELinux: initialized (dev ecryptfs, type ecryptfs), uses xattr\n\nIt is also useful as the kernel adds new FS we don\u0027t need to add them in\npolicy if they support xattrs and that is how we want to handle them.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "feb2a5b82d87fbdc01c00b7e9413e4b5f4c1f0c1", "tree": "ba72273578711b9e21386570f70bc619b6af3ae4", "parents": [ "fdeb05184b8b2500e120647778d63fddba76dc59" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 20 09:42:33 2008 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 14 15:01:38 2008 +1000" }, "message": "SELinux: remove inherit field from inode_security_struct\n\nRemove inherit field from inode_security_struct, per Stephen Smalley:\n\"Let\u0027s just drop inherit altogether - dead field.\"\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "fdeb05184b8b2500e120647778d63fddba76dc59", "tree": "19e745966786f4af3d589018d6dc738aeb5f1321", "parents": [ "f5269710789f666a65cf1132c4f1d14fbc8d3c29" ], "author": { "name": "Richard Kennedy", "email": "richard@rsk.demon.co.uk", "time": "Sun May 18 12:32:57 2008 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 14 15:01:37 2008 +1000" }, "message": "SELinux: reorder inode_security_struct to increase objs/slab on 64bit\n\nreorder inode_security_struct to remove padding on 64 bit builds\n\nsize reduced from 72 to 64 bytes increasing objects per slab to 64.\n\nSigned-off-by: Richard Kennedy \u003crichard@rsk.demon.co.uk\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f5269710789f666a65cf1132c4f1d14fbc8d3c29", "tree": "8c61f74cb04505e3f16483baf1d7113e750968d7", "parents": [ "9a59daa03df72526d234b91dd3e32ded5aebd3ef" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed May 14 11:27:45 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 14 15:01:36 2008 +1000" }, "message": "SELinux: keep the code clean formating and syntax\n\nFormatting and syntax changes\n\nwhitespace, tabs to spaces, trailing space\nput open { on same line as struct def\nremove unneeded {} after if statements\nchange printk(\"Lu\") to printk(\"llu\")\nconvert asm/uaccess.h to linux/uaacess.h includes\nremove unnecessary asm/bug.h includes\nconvert all users of simple_strtol to strict_strtol\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "12b29f34558b9b45a2c6eabd4f3c6be939a3980f", "tree": "9b7921724226cd81901070026572bf05014dc41c", "parents": [ "bce7f793daec3e65ec5c5705d2457b81fe7b5725" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Wed May 07 13:03:20 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 14 15:01:34 2008 +1000" }, "message": "selinux: support deferred mapping of contexts\n\nIntroduce SELinux support for deferred mapping of security contexts in\nthe SID table upon policy reload, and use this support for inode\nsecurity contexts when the context is not yet valid under the current\npolicy. Only processes with CAP_MAC_ADMIN + mac_admin permission in\npolicy can set undefined security contexts on inodes. Inodes with\nsuch undefined contexts are treated as having the unlabeled context\nuntil the context becomes valid upon a policy reload that defines the\ncontext. Context invalidation upon policy reload also uses this\nsupport to save the context information in the SID table and later\nrecover it upon a subsequent policy reload that defines the context\nagain.\n\nThis support is to enable package managers and similar programs to set\ndown file contexts unknown to the system policy at the time the file\nis created in order to better support placing loadable policy modules\nin packages and to support build systems that need to create images of\ndifferent distro releases with different policies w/o requiring all of\nthe contexts to be defined or legal in the build host policy.\n\nWith this patch applied, the following sequence is possible, although\nin practice it is recommended that this permission only be allowed to\nspecific program domains such as the package manager.\n\n# rmdir baz\n# rm bar\n# touch bar\n# chcon -t foo_exec_t bar # foo_exec_t is not yet defined\nchcon: failed to change context of `bar\u0027 to `system_u:object_r:foo_exec_t\u0027: Invalid argument\n# mkdir -Z system_u:object_r:foo_exec_t baz\nmkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t\u0027: Invalid argument\n# cat setundefined.te\npolicy_module(setundefined, 1.0)\nrequire {\n\ttype unconfined_t;\n\ttype unlabeled_t;\n}\nfiles_type(unlabeled_t)\nallow unconfined_t self:capability2 mac_admin;\n# make -f /usr/share/selinux/devel/Makefile setundefined.pp\n# semodule -i setundefined.pp\n# chcon -t foo_exec_t bar # foo_exec_t is not yet defined\n# mkdir -Z system_u:object_r:foo_exec_t baz\n# ls -Zd bar baz\n-rw-r--r-- root root system_u:object_r:unlabeled_t bar\ndrwxr-xr-x root root system_u:object_r:unlabeled_t baz\n# cat foo.te\npolicy_module(foo, 1.0)\ntype foo_exec_t;\nfiles_type(foo_exec_t)\n# make -f /usr/share/selinux/devel/Makefile foo.pp\n# semodule -i foo.pp # defines foo_exec_t\n# ls -Zd bar baz\n-rw-r--r-- root root user_u:object_r:foo_exec_t bar\ndrwxr-xr-x root root system_u:object_r:foo_exec_t baz\n# semodule -r foo\n# ls -Zd bar baz\n-rw-r--r-- root root system_u:object_r:unlabeled_t bar\ndrwxr-xr-x root root system_u:object_r:unlabeled_t baz\n# semodule -i foo.pp\n# ls -Zd bar baz\n-rw-r--r-- root root user_u:object_r:foo_exec_t bar\ndrwxr-xr-x root root system_u:object_r:foo_exec_t baz\n# semodule -r setundefined foo\n# chcon -t foo_exec_t bar # no longer defined and not allowed\nchcon: failed to change context of `bar\u0027 to `system_u:object_r:foo_exec_t\u0027: Invalid argument\n# rmdir baz\n# mkdir -Z system_u:object_r:foo_exec_t baz\nmkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t\u0027: Invalid argument\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7bf570dc8dcf76df2a9f583bef2da96d4289ed0d", "tree": "b60a62585dfe511d9216cdd4a207fd07df1b2f99", "parents": [ "7663c1e2792a9662b23dec6e19bfcd3d55360b8f" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 20:52:51 2008 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 13:22:56 2008 -0700" }, "message": "Security: Make secctx_to_secid() take const secdata\n\nMake secctx_to_secid() take constant secdata.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8f0cfa52a1d4ffacd8e7de906d19662f5da58d58", "tree": "2aa82e3682e75330d9b5d601855e3af3c57c03d8", "parents": [ "7ec02ef1596bb3c829a7e8b65ebf13b87faf1819" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 00:59:41 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:06 2008 -0700" }, "message": "xattr: add missing consts to function arguments\n\nAdd missing consts to xattr function arguments.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Andreas Gruenbacher \u003cagruen@suse.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b19d8eae99dae42bb747954fdbb2cd456922eb5f", "tree": "9f6ab00ada0e7a893ae0c995f30e068998b90fe9", "parents": [ "a936b79bdf97285e0274eca7b656fc6350ca57ea" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Apr 22 17:46:11 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 28 09:29:01 2008 +1000" }, "message": "SELinux: selinux/include/security.h whitespace, syntax, and other cleanups\n\nThis patch changes selinux/include/security.h to fix whitespace and syntax issues. Things that\nare fixed may include (does not not have to include)\n\nwhitespace at end of lines\nspaces followed by tabs\nspaces used instead of tabs\nspacing around parenthesis\nlocation of { around structs and else clauses\nlocation of * in pointer declarations\nremoval of initialization of static data to keep it in the right section\nuseless {} in if statemetns\nuseless checking for NULL before kfree\nfixing of the indentation depth of switch statements\nno assignments in if statements\nand any number of other things I forgot to mention\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a936b79bdf97285e0274eca7b656fc6350ca57ea", "tree": "19278c901668d074324c94a8efad59257ca355d3", "parents": [ "cc03766aaf0b670581ec2bd5cba2b9051d14df8d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Apr 22 17:46:10 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 28 09:29:00 2008 +1000" }, "message": "SELinux: objsec.h whitespace, syntax, and other cleanups\n\nThis patch changes objsec.h to fix whitespace and syntax issues. Things that\nare fixed may include (does not not have to include)\n\nwhitespace at end of lines\nspaces followed by tabs\nspaces used instead of tabs\nspacing around parenthesis\nlocation of { around structs and else clauses\nlocation of * in pointer declarations\nremoval of initialization of static data to keep it in the right section\nuseless {} in if statemetns\nuseless checking for NULL before kfree\nfixing of the indentation depth of switch statements\nno assignments in if statements\nand any number of other things I forgot to mention\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cc03766aaf0b670581ec2bd5cba2b9051d14df8d", "tree": "10005580a9fa66fbaa5398de921418a074133c91", "parents": [ "e392febedb6e1050a1a81a7bd72456a32c88e710" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Apr 22 17:46:09 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 28 09:28:59 2008 +1000" }, "message": "SELinux: netlabel.h whitespace, syntax, and other cleanups\n\nThis patch changes netlabel.h to fix whitespace and syntax issues. Things that\nare fixed may include (does not not have to include)\n\nspaces used instead of tabs\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e392febedb6e1050a1a81a7bd72456a32c88e710", "tree": "6f1ea622ff88b3b5941392a44e7315c70536a79e", "parents": [ "064922a805ec7aadfafdd27aa6b4908d737c3c1d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Apr 22 17:46:08 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 28 09:28:58 2008 +1000" }, "message": "SELinux: avc_ss.h whitespace, syntax, and other cleanups\n\nThis patch changes avc_ss.h to fix whitespace and syntax issues. Things that\nare fixed may include (does not not have to include)\n\nwhitespace at end of lines\nspaces followed by tabs\nspaces used instead of tabs\nspacing around parenthesis\nlocation of { around structs and else clauses\nlocation of * in pointer declarations\nremoval of initialization of static data to keep it in the right section\nuseless {} in if statemetns\nuseless checking for NULL before kfree\nfixing of the indentation depth of switch statements\nno assignments in if statements\nand any number of other things I forgot to mention\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3925e6fc1f774048404fdd910b0345b06c699eb4", "tree": "c9a58417d9492f39f7fe81d4721d674c34dd8be2", "parents": [ "334d094504c2fe1c44211ecb49146ae6bca8c321", "7cea51be4e91edad05bd834f3235b45c57783f0d" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Apr 18 18:18:30 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Apr 18 18:18:30 2008 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n security: fix up documentation for security_module_enable\n Security: Introduce security\u003d boot parameter\n Audit: Final renamings and cleanup\n SELinux: use new audit hooks, remove redundant exports\n Audit: internally use the new LSM audit hooks\n LSM/Audit: Introduce generic Audit LSM hooks\n SELinux: remove redundant exports\n Netlink: Use generic LSM hook\n Audit: use new LSM hooks instead of SELinux exports\n SELinux: setup new inode/ipc getsecid hooks\n LSM: Introduce inode_getsecid and ipc_getsecid hooks\n" }, { "commit": "334d094504c2fe1c44211ecb49146ae6bca8c321", "tree": "d3c0f68e4b9f8e3d2ccc39e7dfe5de0534a5fad9", "parents": [ "d1a4be630fb068f251d64b62919f143c49ca8057", "d1643d24c61b725bef399cc1cf2944b4c9c23177" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Apr 18 18:02:35 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Apr 18 18:02:35 2008 -0700" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6.26\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6.26: (1090 commits)\n [NET]: Fix and allocate less memory for -\u003epriv\u0027less netdevices\n [IPV6]: Fix dangling references on error in fib6_add().\n [NETLABEL]: Fix NULL deref in netlbl_unlabel_staticlist_gen() if ifindex not found\n [PKT_SCHED]: Fix datalen check in tcf_simp_init().\n [INET]: Uninline the __inet_inherit_port call.\n [INET]: Drop the inet_inherit_port() call.\n SCTP: Initialize partial_bytes_acked to 0, when all of the data is acked.\n [netdrvr] forcedeth: internal simplifications; changelog removal\n phylib: factor out get_phy_id from within get_phy_device\n PHY: add BCM5464 support to broadcom PHY driver\n cxgb3: Fix __must_check warning with dev_dbg.\n tc35815: Statistics cleanup\n natsemi: fix MMIO for PPC 44x platforms\n [TIPC]: Cleanup of TIPC reference table code\n [TIPC]: Optimized initialization of TIPC reference table\n [TIPC]: Remove inlining of reference table locking routines\n e1000: convert uint16_t style integers to u16\n ixgb: convert uint16_t style integers to u16\n sb1000.c: make const arrays static\n sb1000.c: stop inlining largish static functions\n ...\n" }, { "commit": "04305e4aff8b0533dc05f9f6f1a34d0796bd985f", "tree": "9938264917b4b9e6e147b883d88fca94c6788b76", "parents": [ "9d57a7f9e23dc30783d245280fc9907cf2c87837" ], "author": { "name": "Ahmed S. Darwish", "email": "darwish.07@gmail.com", "time": "Sat Apr 19 09:59:43 2008 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sat Apr 19 09:59:43 2008 +1000" }, "message": "Audit: Final renamings and cleanup\n\nRename the se_str and se_rule audit fields elements to\nlsm_str and lsm_rule to avoid confusion.\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Ahmed S. Darwish \u003cdarwish.07@gmail.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "27cc2a6e572e1a86a08a02918517558f175f6974", "tree": "fdd3d6cbea9807421527ffc4d6fa893f6a182c58", "parents": [ "3e11217263d0521e212cb8a017fbc2a1514db78f" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 14 15:09:53 2008 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 18 20:26:17 2008 +1000" }, "message": "SELinux: add netport.[ch]\n\nThank you, git.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3e11217263d0521e212cb8a017fbc2a1514db78f", "tree": "d3b399c3d907cd90afd27003000fd9d99212f44b", "parents": [ "832cbd9aa1293cba57d06571f5fc8f0917c672af" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Apr 10 10:48:14 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 18 20:26:16 2008 +1000" }, "message": "SELinux: Add network port SID cache\n\nMuch like we added a network node cache, this patch adds a network port\ncache. The design is taken almost completely from the network node cache\nwhich in turn was taken from the network interface cache. The basic idea is\nto cache entries in a hash table based on protocol/port information. The\nhash function only takes the port number into account since the number of\ndifferent protocols in use at any one time is expected to be relatively\nsmall.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "832cbd9aa1293cba57d06571f5fc8f0917c672af", "tree": "85b1b550c71acde04294b69c08176adbaaf8641b", "parents": [ "0e55a004b58847c53e48d846b9a4570b1587c382" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Apr 01 13:24:09 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 18 20:26:13 2008 +1000" }, "message": "SELinux: turn mount options strings into defines\n\nConvert the strings used for mount options into #defines rather than\nretyping the string throughout the SELinux code.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "64dbf07474d011540ca479a2e87fe998f570d6e3", "tree": "364ae3f3a29f06246dd2097674586fe508c4445f", "parents": [ "0356357c5158c71d4cbf20196b2f784435dd916c" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Mar 31 12:17:33 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 18 20:26:11 2008 +1000" }, "message": "selinux: introduce permissive types\n\nIntroduce the concept of a permissive type. A new ebitmap is introduced to\nthe policy database which indicates if a given type has the permissive bit\nset or not. This bit is tested for the scontext of any denial. The bit is\nmeaningless on types which only appear as the target of a decision and never\nthe source. A domain running with a permissive type will be allowed to\nperform any action similarly to when the system is globally set permissive.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0356357c5158c71d4cbf20196b2f784435dd916c", "tree": "e680a4d0346286d2c318bb20914cceabc0596af1", "parents": [ "eda4f69ca5a532b425db5a6c2c6bc50717b9b5fe" ], "author": { "name": "Roland McGrath", "email": "roland@redhat.com", "time": "Wed Mar 26 15:46:39 2008 -0700" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 18 20:26:10 2008 +1000" }, "message": "selinux: remove ptrace_sid\n\nThis changes checks related to ptrace to get rid of the ptrace_sid tracking.\nIt\u0027s good to disentangle the security model from the ptrace implementation\ninternals. It\u0027s sufficient to check against the SID of the ptracer at the\ntime a tracee attempts a transition.\n\nSigned-off-by: Roland McGrath \u003croland@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b0c636b99997c8594da6a46e166ce4fcf6956fda", "tree": "16308f0324846cd8c19180b6a45793268dd16f50", "parents": [ "d4ee4231a3a8731576ef0e0a7e1225e4fde1e659" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Feb 28 12:58:40 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 18 20:26:06 2008 +1000" }, "message": "SELinux: create new open permission\n\nAdds a new open permission inside SELinux when \u0027opening\u0027 a file. The idea\nis that opening a file and reading/writing to that file are not the same\nthing. Its different if a program had its stdout redirected to /tmp/output\nthan if the program tried to directly open /tmp/output. This should allow\npolicy writers to more liberally give read/write permissions across the\npolicy while still blocking many design and programing flaws SELinux is so\ngood at catching today.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "98e9894650455426f67c2157db4f39bd14fac2f6", "tree": "bee5205f20c4d1faa6ec80f05d708eecad2959b3", "parents": [ "f74af6e816c940c678c235d49486fe40d7e49ce9" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Feb 26 09:52:58 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 18 20:26:04 2008 +1000" }, "message": "SELinux: remove unused backpointers from security objects\n\nRemove unused backpoiters from security objects.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f74af6e816c940c678c235d49486fe40d7e49ce9", "tree": "06f2fa54bd7ceabac2ad29a6ab0aca1deb87c032", "parents": [ "4b119e21d0c66c22e8ca03df05d9de623d0eb50f" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Mon Feb 25 11:40:33 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Apr 18 20:26:03 2008 +1000" }, "message": "SELinux: Correct the NetLabel locking for the sk_security_struct\n\nThe RCU/spinlock locking approach for the nlbl_state in the sk_security_struct\nwas almost certainly overkill. This patch removes both the RCU and spinlock\nlocking, relying on the existing socket locks to handle the case of multiple\nwriters. This change also makes several code reductions possible.\n\nLess locking, less code - it\u0027s a Good Thing.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1e42198609d73ed1a9adcba2af275c24c2678420", "tree": "32fd4d9073bfc0f3909af8f9fb4bcff38951d01a", "parents": [ "794eb6bf20ebf992c040ea831cd3a9c64b0c1f7a", "4b119e21d0c66c22e8ca03df05d9de623d0eb50f" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Apr 17 23:56:30 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Apr 17 23:56:30 2008 -0700" }, "message": "Merge branch \u0027master\u0027 of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6\n" }, { "commit": "03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b", "tree": "1e7f291ac6bd0c1f3a95e8252c32fcce7ff47ea7", "parents": [ "00447872a643787411c2c0cb1df6169dda8b0c47" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Sat Apr 12 19:07:52 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Apr 12 19:07:52 2008 -0700" }, "message": "LSM: Make the Labeled IPsec hooks more stack friendly\n\nThe xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs\non the stack to work around the LSM API. This patch attempts to fix that\nproblem by changing the LSM API to require only the relevant \"security\"\npointers instead of the entire SPD entry; we do this for all of the\nsecurity_xfrm_policy*() functions to keep things consistent.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "869ab5147e1eead890245cfd4f652ba282b6ac26", "tree": "8334fe84734e14e247fb7b4ef78f9a43891249f0", "parents": [ "ff09e2afe742f3ff52a0c9a660e8a3fe30cf587c" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Apr 04 08:46:05 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Apr 08 08:30:14 2008 +1000" }, "message": "SELinux: more GFP_NOFS fixups to prevent selinux from re-entering the fs code\n\nMore cases where SELinux must not re-enter the fs code. Called from the\nd_instantiate security hook.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e0007529893c1c064be90bd21422ca0da4a0198e", "tree": "c2334ba940e682183a18d18972cf95bd3a3da46a", "parents": [ "29e8c3c304b62f31b799565c9ee85d42bd163f80" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Mar 05 10:31:54 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 06 08:40:53 2008 +1100" }, "message": "LSM/SELinux: Interfaces to allow FS to control mount options\n\nIntroduce new LSM interfaces to allow an FS to deal with their own mount\noptions. This includes a new string parsing function exported from the\nLSM that an FS can use to get a security data blob and a new security\ndata blob. This is particularly useful for an FS which uses binary\nmount data, like NFS, which does not pass strings into the vfs to be\nhandled by the loaded LSM. Also fix a BUG() in both SELinux and SMACK\nwhen dealing with binary mount data. If the binary mount data is less\nthan one page the copy_page() in security_sb_copy_data() can cause an\nillegal page fault and boom. Remove all NFSisms from the SELinux code\nsince they were broken by past NFS changes.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "44707fdf5938ad269ea5d6c5744d82f6a7328746", "tree": "7eb1704418eb41b859ad24bc48f6400135474d87", "parents": [ "a03a8a709a0c34b61b7aea1d54a0473a6b941fdb" ], "author": { "name": "Jan Blunck", "email": "jblunck@suse.de", "time": "Thu Feb 14 19:38:33 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Feb 14 21:17:08 2008 -0800" }, "message": "d_path: Use struct path in struct avc_audit_data\n\naudit_log_d_path() is a d_path() wrapper that is used by the audit code. To\nuse a struct path in audit_log_d_path() I need to embed it into struct\navc_audit_data.\n\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Jan Blunck \u003cjblunck@suse.de\u003e\nAcked-by: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: \"J. Bruce Fields\" \u003cbfields@fieldses.org\u003e\nCc: Neil Brown \u003cneilb@suse.de\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "b68e418c445e8a468634d0a7ca2fb63bbaa74028", "tree": "e49b4a94ef28a9288ed6735a994387205b7cc5bd", "parents": [ "19af35546de68c872dcb687613e0902a602cb20e" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Thu Feb 07 11:21:04 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Feb 11 20:30:02 2008 +1100" }, "message": "selinux: support 64-bit capabilities\n\nFix SELinux to handle 64-bit capabilities correctly, and to catch\nfuture extensions of capabilities beyond 64 bits to ensure that SELinux\nis properly updated.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "394c6753978a75cab7558a377f2551a3c1101027", "tree": "c2712cb2d52ecae5db1d9ae417241154fe7a0808", "parents": [ "a5ecbcb8c13ea8a822d243bf782d0dc9525b4f84" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Feb 05 07:31:00 2008 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@localhost.localdomain", "time": "Wed Feb 06 21:40:59 2008 +0800" }, "message": "SELinux: Remove security_get_policycaps()\n\nThe security_get_policycaps() functions has a couple of bugs in it and it\nisn\u0027t currently used by any in-tree code, so get rid of it and all of it\u0027s\nbugginess.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@localhost.localdomain\u003e\n" }, { "commit": "5dbe1eb0cfc144a2b0cb1466e22bcb6fc34229a8", "tree": "e1e028acaf0dd08cbcacd2c125f60230f820b442", "parents": [ "d621d35e576aa20a0ddae8022c3810f38357c8ff" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:44:18 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:27 2008 +1100" }, "message": "SELinux: Allow NetLabel to directly cache SIDs\n\nNow that the SELinux NetLabel \"base SID\" is always the netmsg initial SID we\ncan do a big optimization - caching the SID and not just the MLS attributes.\nThis not only saves a lot of per-packet memory allocations and copies but it\nhas a nice side effect of removing a chunk of code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d621d35e576aa20a0ddae8022c3810f38357c8ff", "tree": "318e8aa890dbe715b901b11b019ebac3badb693d", "parents": [ "220deb966ea51e0dedb6a187c0763120809f3e64" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:43:36 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:26 2008 +1100" }, "message": "SELinux: Enable dynamic enable/disable of the network access checks\n\nThis patch introduces a mechanism for checking when labeled IPsec or SECMARK\nare in use by keeping introducing a configuration reference counter for each\nsubsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry\nis created the labeled IPsec/XFRM reference count is increased and when the\nentry is removed it is decreased. In the case of SECMARK, when a SECMARK\ntarget is created the reference count is increased and later decreased when the\ntarget is removed. These reference counters allow SELinux to quickly determine\nif either of these subsystems are enabled.\n\nNetLabel already has a similar mechanism which provides the netlbl_enabled()\nfunction.\n\nThis patch also renames the selinux_relabel_packet_permission() function to\nselinux_secmark_relabel_packet_permission() as the original name and\ndescription were misleading in that they referenced a single packet label which\nis not the case.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "220deb966ea51e0dedb6a187c0763120809f3e64", "tree": "7d0e5dd8048907c364b4eeff294991937b466c7e", "parents": [ "f67f4f315f31e7907779adb3296fb6682e755342" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:38:23 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:25 2008 +1100" }, "message": "SELinux: Better integration between peer labeling subsystems\n\nRework the handling of network peer labels so that the different peer labeling\nsubsystems work better together. This includes moving both subsystems to a\nsingle \"peer\" object class which involves not only changes to the permission\nchecks but an improved method of consolidating multiple packet peer labels.\nAs part of this work the inbound packet permission check code has been heavily\nmodified to handle both the old and new behavior in as sane a fashion as\npossible.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ], "next": "f67f4f315f31e7907779adb3296fb6682e755342" }