{
  "log": [
    {
      "commit": "fbbb456347b21279a379b42eeb31151c33d8dd49",
      "tree": "d1d5debe01e000fd38f2af8232d342a054b754a4",
      "parents": [
        "12fa8a2732e6d0bb42c311f76250f7871d042df8"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@us.ibm.com",
        "time": "Mon May 14 21:50:11 2012 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Wed May 16 10:36:41 2012 +1000"
      },
      "message": "ima: fix filename hint to reflect script interpreter name\n\nWhen IMA was first upstreamed, the bprm filename and interp were\nalways the same.  Currently, the bprm-\u003efilename and bprm-\u003einterp\nare the same, except for when only bprm-\u003einterp contains the\ninterpreter name.  So instead of using the bprm-\u003efilename as\nthe IMA filename hint in the measurement list, we could replace\nit with bprm-\u003einterp, but this feels too fragile.\n\nThe following patch is not much better, but at least there is some\nindication that sometimes we\u0027re passing the filename and other times\nthe interpreter name.\n\nReported-by: Andrew Lunn \u003candrew@lunn.ch\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "a69f15890292b5449f9056b4bb322b044e6ce0c6",
      "tree": "7a37f3826e958787ca7d78603c9031d29558f43f",
      "parents": [
        "28042fabf43b9a8ccfaa38f8c8187cc525e53fd3"
      ],
      "author": {
        "name": "Randy Dunlap",
        "email": "rdunlap@xenotime.net",
        "time": "Fri Feb 24 11:28:05 2012 -0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Tue Feb 28 11:01:15 2012 +1100"
      },
      "message": "security: fix ima kconfig warning\n\nFix IMA kconfig warning on non-X86 architectures:\n\nwarning: (IMA) selects TCG_TIS which has unmet direct dependencies\n(TCG_TPM \u0026\u0026 X86)\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nReported-by: Geert Uytterhoeven \u003cgeert@linux-m68k.org\u003e\nAcked-by: Rajiv Andrade \u003csrajiv@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "b0d5de4d58803bbcce2b8175a8dd21c559a3abc1",
      "tree": "08213154dd13ab28eac64e9a87b3a8b7e5660381",
      "parents": [
        "bf06189e4d14641c0148bea16e9dd24943862215"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Feb 14 17:11:07 2012 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 16 12:01:42 2012 +1100"
      },
      "message": "IMA: fix audit res field to indicate 1 for success and 0 for failure\n\nThe audit res field usually indicates success with a 1 and 0 for a\nfailure.  So make IMA do it the same way.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "9e3ff38647a316e4f92d59b14c8f0eb13b33bb2c",
      "tree": "2750d9fc94b8fb78d9982ea4a62d586e7f0a7862",
      "parents": [
        "2eb6038c51034bf7f9335b15ce9238a028fdd2d6",
        "4c2c392763a682354fac65b6a569adec4e4b5387"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 09 17:02:34 2012 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 09 17:02:34 2012 +1100"
      },
      "message": "Merge branch \u0027next-queue\u0027 into next\n"
    },
    {
      "commit": "4c2c392763a682354fac65b6a569adec4e4b5387",
      "tree": "490b840399ed1e010561f4b97018f3c0a3caf8b6",
      "parents": [
        "f4a0391dfa91155bd961673b31eb42d9d45c799d"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Tue Oct 18 14:16:28 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Jan 19 21:30:21 2012 -0500"
      },
      "message": "ima: policy for RAMFS\n\nDon\u0027t measure ramfs files.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "f4a0391dfa91155bd961673b31eb42d9d45c799d",
      "tree": "21186b7a48986afa47115cefaf9d385fb9f8dcf7",
      "parents": [
        "700920eb5ba4de5417b446c9a8bb008df2b973e0"
      ],
      "author": {
        "name": "Fabio Estevam",
        "email": "festevam@gmail.com",
        "time": "Thu Jan 05 12:49:54 2012 -0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Jan 19 21:30:09 2012 -0500"
      },
      "message": "ima: fix Kconfig dependencies\n\nFix the following build warning:\nwarning: (IMA) selects TCG_TPM which has unmet direct dependencies\n(HAS_IOMEM \u0026\u0026 EXPERIMENTAL)\n\nSuggested-by: Rajiv Andrade \u003csrajiv@linux.vnet.ibm.com\u003e\nSigned-off-by: Fabio Estevam \u003cfabio.estevam@freescale.com\u003e\nSigned-off-by: Rajiv Andrade \u003csrajiv@linux.vnet.ibm.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "3db59dd93309710c40aaf1571c607cb0feef3ecb",
      "tree": "6a224a855aad0e5207abae573456b2d2ec381f7c",
      "parents": [
        "4bf1924c008dffdc154f82507b4052e49263a6f4"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Jan 17 22:11:28 2012 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 19 15:59:11 2012 +1100"
      },
      "message": "ima: fix cred sparse warning\n\nFix ima_policy.c sparse \"warning: dereference of noderef expression\"\nmessage, by accessing cred-\u003euid using current_cred().\n\nChangelog v1:\n- Change __cred to just cred (based on David Howell\u0027s comment)\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "a25a2b84098eb5e001cb8086603d692aa95bf2ec",
      "tree": "02c01b36251f7b0afb1a98093e14efb17d015910",
      "parents": [
        "f429ee3b808118591d1f3cdf3c0d0793911a5677",
        "f1be242c95257b199d8b679bc952ca33487c9af6"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Jan 17 16:43:39 2012 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Jan 17 16:43:39 2012 -0800"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:\n  integrity: digital signature config option name change\n  lib: Removed MPILIB, MPILIB_EXTRA, and SIGNATURE prompts\n  lib: MPILIB Kconfig description update\n  lib: digital signature dependency fix\n  lib: digital signature config option name change\n  encrypted-keys: fix rcu and sparse messages\n  keys: fix trusted/encrypted keys sparse rcu_assign_pointer messages\n  KEYS: Add missing smp_rmb() primitives to the keyring search code\n  TOMOYO: Accept \\000 as a valid character.\n  security: update MAINTAINERS file with new git repo\n"
    },
    {
      "commit": "f1be242c95257b199d8b679bc952ca33487c9af6",
      "tree": "fa3a1057bbd9caedca959c1fa3811413bf101d7d",
      "parents": [
        "2e5f094b9dbf9463ab93f86351cd1a8dc88942cc"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Tue Jan 17 17:12:07 2012 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 18 10:46:27 2012 +1100"
      },
      "message": "integrity: digital signature config option name change\n\nSimilar to SIGNATURE, rename INTEGRITY_DIGSIG to INTEGRITY_SIGNATURE.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5e8898e97a5db4125d944070922164d1d09a2689",
      "tree": "a5319fcc60499e63fecc7a08d923a1de8f9c7622",
      "parents": [
        "6ac6172a935d1faf7ef259802267657bc0007a62"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Tue Jan 17 17:12:03 2012 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 18 10:46:21 2012 +1100"
      },
      "message": "lib: digital signature config option name change\n\nIt was reported that DIGSIG is confusing name for digital signature\nmodule. It was suggested to rename DIGSIG to SIGNATURE.\n\nRequested-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSuggested-by: Pavel Machek \u003cpavel@ucw.cz\u003e\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "41fdc3054e23e3229edea27053522fe052d02ec2",
      "tree": "00bb62aef2288df07eae059f344d11d32b004f69",
      "parents": [
        "5afb8a3f96573f7ea018abb768f5b6ebe1a6c1a4"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Sat Jan 07 10:41:04 2012 -0800"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Jan 17 16:17:03 2012 -0500"
      },
      "message": "audit: treat s_id as an untrusted string\n\nThe use of s_id should go through the untrusted string path, just to be\nextra careful.\n\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "8fcc99549522fc7a0bbaeb5755855ab0d9a59ce8",
      "tree": "a118eaef15d4ba22247f45ee01537ecc906cd161",
      "parents": [
        "805a6af8dba5dfdd35ec35dc52ec0122400b2610",
        "7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 09 12:16:48 2012 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 09 12:16:48 2012 +1100"
      },
      "message": "Merge branch \u0027next\u0027 into for-linus\n\nConflicts:\n\tsecurity/integrity/evm/evm_crypto.c\n\nResolved upstream fix vs. next conflict manually.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "97426f985729573cea06e82e271cc3929f1f5f8e",
      "tree": "4aafe725018a95dc5c76ede5199d24aea524b060",
      "parents": [
        "d21b59451886cb82448302f8d6f9ac87c3bd56cf"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Dec 05 13:17:42 2011 +0200"
      },
      "committer": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Tue Dec 20 17:50:08 2011 +0200"
      },
      "message": "evm: prevent racing during tfm allocation\n\nThere is a small chance of racing during tfm allocation.\nThis patch fixes it.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d21b59451886cb82448302f8d6f9ac87c3bd56cf",
      "tree": "f2842dca9ee3c2c3febbe2f6984bb2c5e2a34c28",
      "parents": [
        "511585a28e5b5fd1cac61e601e42efc4c5dd64b5"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Dec 05 13:17:41 2011 +0200"
      },
      "committer": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Tue Dec 20 17:45:45 2011 +0200"
      },
      "message": "evm: key must be set once during initialization\n\nOn multi-core systems, setting of the key before every calculation,\ncauses invalid HMAC calculation for other tfm users, because internal\nstate (ipad, opad) can be invalid before set key call returns.\nIt needs to be set only once during initialization.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da",
      "tree": "af324024e68047b9fff7ddf49c3e8f8e6024792e",
      "parents": [
        "45fae7493970d7c45626ccd96d4a74f5f1eea5a9"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Mon Dec 19 15:57:28 2011 +0100"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 19 22:07:54 2011 -0500"
      },
      "message": "ima: fix invalid memory reference\n\nDon\u0027t free a valid measurement entry on TPM PCR extend failure.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nCc: stable@vger.kernel.org\n"
    },
    {
      "commit": "45fae7493970d7c45626ccd96d4a74f5f1eea5a9",
      "tree": "0c7bdd82bfcb4bd921a64abb441ca5c20c82a3df",
      "parents": [
        "114d6e9c103736487c967060d0a7aec9a7fce967"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Mon Dec 19 15:57:27 2011 +0100"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 19 22:04:32 2011 -0500"
      },
      "message": "ima: free duplicate measurement memory\n\nInfo about new measurements are cached in the iint for performance.  When\nthe inode is flushed from cache, the associated iint is flushed as well.\nSubsequent access to the inode will cause the inode to be re-measured and\nwill attempt to add a duplicate entry to the measurement list.\n\nThis patch frees the duplicate measurement memory, fixing a memory leak.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nCc: stable@vger.kernel.org\n"
    },
    {
      "commit": "143b01d33221e4937d3930e6bb2b63d70b7c7a65",
      "tree": "5cae452fecfd8b1fb6b0ae1f159929ada81d8b1f",
      "parents": [
        "88d7ed35085184f15a2af3d9e88d775059b2f307"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Dec 05 13:17:42 2011 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Dec 08 10:06:12 2011 +1100"
      },
      "message": "evm: prevent racing during tfm allocation\n\nThere is a small chance of racing during tfm allocation.\nThis patch fixes it.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "88d7ed35085184f15a2af3d9e88d775059b2f307",
      "tree": "f02d2530e0f665fea4c5b240404f7767d39f47bf",
      "parents": [
        "fe0e94c5a7e5335ba0d200e7d3e26e9f80cda4b1"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Dec 05 13:17:41 2011 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Dec 08 10:06:09 2011 +1100"
      },
      "message": "evm: key must be set once during initialization\n\nOn multi-core systems, setting of the key before every calculation,\ncauses invalid HMAC calculation for other tfm users, because internal\nstate (ipad, opad) can be invalid before set key call returns.\nIt needs to be set only once during initialization.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "de353533753e048b5c4658f0a42365937527ac45",
      "tree": "376ea9cb73de3691d4f907ad98f13f838742395e",
      "parents": [
        "4e2c5b28f8086cd2f678ade0ea21d8c3cc058c53"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Nov 21 17:31:15 2011 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Nov 22 10:02:32 2011 +1100"
      },
      "message": "digsig: build dependency fix\n\nFix build errors by adding Kconfig dependency on KEYS.\nCRYPTO dependency removed.\n\n  CC      security/integrity/digsig.o\nsecurity/integrity/digsig.c: In function ?integrity_digsig_verify?:\nsecurity/integrity/digsig.c:38:4: error: implicit declaration of function ?request_key?\nsecurity/integrity/digsig.c:38:17: error: ?key_type_keyring? undeclared (first use in this function)\nsecurity/integrity/digsig.c:38:17: note: each undeclared identifier is reported only once for each function it appears in\nmake[2]: *** [security/integrity/digsig.o] Error 1\n\nReported-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "15647eb3985ef30dfd657038924dc85c03026733",
      "tree": "5d4629ef3b687ff56a446f42a8ee5aa35ec9322b",
      "parents": [
        "8607c501478432b23654739c7321bc7456053cb6"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Thu Sep 01 14:41:40 2011 +0300"
      },
      "committer": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Nov 09 16:51:14 2011 +0200"
      },
      "message": "evm: digital signature verification support\n\nThis patch adds support for digital signature verification to EVM.\nWith this feature file metadata can be protected using digital\nsignature instead of an HMAC. When building an image,\nwhich has to be flashed to different devices, an HMAC cannot\nbe used to sign file metadata, because the HMAC key should be\ndifferent on every device.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "8607c501478432b23654739c7321bc7456053cb6",
      "tree": "598ef1649a261954cb1cafc05189ddedb3bd3ff8",
      "parents": [
        "051dbb918c7fb7da8e64a2cd0d804ba73399709f"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Oct 05 11:54:46 2011 +0300"
      },
      "committer": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Nov 09 16:51:09 2011 +0200"
      },
      "message": "integrity: digital signature verification using multiple keyrings\n\nDefine separate keyrings for each of the different use cases - evm, ima,\nand modules. Using different keyrings improves search performance, and also\nallows \"locking\" specific keyring to prevent adding new keys.\nThis is useful for evm and module keyrings, when keys are usually only\nadded from initramfs.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\n"
    },
    {
      "commit": "de0a5345a55b8dd5a4695181275df0e691176830",
      "tree": "17530e824f7f46ce0b1757657179fb5957a6add5",
      "parents": [
        "994c0e992522c123298b4a91b72f5e67ba2d1123",
        "8535639810e578960233ad39def3ac2157b0c3ec"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Nov 02 09:45:39 2011 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Nov 02 09:45:39 2011 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://github.com/richardweinberger/linux\n\n* \u0027for-linus\u0027 of git://github.com/richardweinberger/linux: (90 commits)\n  um: fix ubd cow size\n  um: Fix kmalloc argument order in um/vdso/vma.c\n  um: switch to use of drivers/Kconfig\n  UserModeLinux-HOWTO.txt: fix a typo\n  UserModeLinux-HOWTO.txt: remove ^H characters\n  um: we need sys/user.h only on i386\n  um: merge delay_{32,64}.c\n  um: distribute exports to where exported stuff is defined\n  um: kill system-um.h\n  um: generic ftrace.h will do...\n  um: segment.h is x86-only and needed only there\n  um: asm/pda.h is not needed anymore\n  um: hw_irq.h can go generic as well\n  um: switch to generic-y\n  um: clean Kconfig up a bit\n  um: a couple of missing dependencies...\n  um: kill useless argument of free_chan() and free_one_chan()\n  um: unify ptrace_user.h\n  um: unify KSTK_...\n  um: fix gcov build breakage\n  ...\n"
    },
    {
      "commit": "3369465ed1a6a9aa9b885a6d7d8e074ecbd782da",
      "tree": "ac60be76e1d363caab63156c1390f1ab0c4ee96c",
      "parents": [
        "c039aff672a540f8976770e74599d350de1805cb"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@ftp.linux.org.uk",
        "time": "Thu Aug 18 20:11:59 2011 +0100"
      },
      "committer": {
        "name": "Richard Weinberger",
        "email": "richard@nod.at",
        "time": "Wed Nov 02 14:15:41 2011 +0100"
      },
      "message": "um: switch to use of drivers/Kconfig\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Richard Weinberger \u003crichard@nod.at\u003e\n"
    },
    {
      "commit": "fb788d8b981fa55603873416882f8dcf835e7924",
      "tree": "023d8410571f27e8d10bf6fc0a4a088cb9368df6",
      "parents": [
        "566be59ab86c0e030b980645a580d683a015a483"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Aug 15 15:30:11 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:24:52 2011 -0400"
      },
      "message": "evm: clean verification status\n\nWhen allocating from slab, initialization is done the first time in\ninit_once() and subsequently on free.  Because evm_status was not\nre-initialized on free, evm_verify_hmac() skipped verifications.\n\nThis patch re-initializes evm_status.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "566be59ab86c0e030b980645a580d683a015a483",
      "tree": "c5d29c7db2f8ef93e970cb405621f59c57d01b94",
      "parents": [
        "bf6d0f5dcda17df3cc5577e203d0f8ea1c2ad6aa"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Aug 22 09:14:18 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:24:52 2011 -0400"
      },
      "message": "evm: permit mode bits to be updated\n\nBefore permitting \u0027security.evm\u0027 to be updated, \u0027security.evm\u0027 must\nexist and be valid.  In the case that there are no existing EVM protected\nxattrs, it is safe for posix acls to update the mode bits.\n\nTo differentiate between no \u0027security.evm\u0027 xattr and no xattrs used to\ncalculate \u0027security.evm\u0027, this patch defines INTEGRITY_NOXATTR.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "bf6d0f5dcda17df3cc5577e203d0f8ea1c2ad6aa",
      "tree": "c6c5f39d43fe0d27bc1d3aedbd2f9b3ba2f8f537",
      "parents": [
        "a924ce0b35875ef9512135b46a32f4150fd700b2"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Aug 18 18:07:44 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:24:51 2011 -0400"
      },
      "message": "evm: posix acls modify i_mode\n\nThe posix xattr acls are \u0027system\u0027 prefixed, which normally would not\naffect security.evm.  An interesting side effect of writing posix xattr\nacls is their modifying of the i_mode, which is included in security.evm.\n\nThis patch updates security.evm when posix xattr acls are written.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "a924ce0b35875ef9512135b46a32f4150fd700b2",
      "tree": "0e01ac679790fe96c03b341b2670a2ed9c56a122",
      "parents": [
        "fb88c2b6cbb1265a8bef60694699b37f5cd4ba76"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Aug 11 01:22:30 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:24:51 2011 -0400"
      },
      "message": "evm: limit verifying current security.evm integrity\n\nevm_protect_xattr unnecessarily validates the current security.evm\nintegrity, before updating non-evm protected extended attributes\nand other file metadata. This patch limits validating the current\nsecurity.evm integrity to evm protected metadata.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "1d714057ef8f6348eba7b28ace6d307513e57cef",
      "tree": "a848b86df6257b347b6929f9ad09666105996003",
      "parents": [
        "982e617a313b57abee3bcfa53381c356d00fd64a"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Sun Aug 28 08:57:11 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:24:49 2011 -0400"
      },
      "message": "evm: remove TCG_TPM dependency\n\nAll tristates selected by EVM(boolean) are forced to be builtin, except\nin the TCG_TPM(tristate) dependency case. Arnaud Lacombe summarizes the\nKconfig bug as, \"So it would seem direct dependency state influence the\nstate of reverse dependencies..\"  For a detailed explanation, refer to\nArnaud Lacombe\u0027s posting http://lkml.org/lkml/2011/8/23/498.\n\nWith the \"encrypted-keys: remove trusted-keys dependency\" patch, EVM\ncan now be built without a dependency on TCG_TPM.  The trusted-keys\ndependency requires trusted-keys to either be builtin or not selected.\nThis dependency will prevent the boolean/tristate mismatch from\noccurring.\n\nReported-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e,\n             Randy Dunlap \u003crdunlap@xenotimenet\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "d5813a571876c72766f125b1c6e63414f6822c28",
      "tree": "fe688a7aa64fa890741e5a87800a3f95ddcaaee6",
      "parents": [
        "b97e14520207dccb5cdf93f322e571bf907df104"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 30 10:19:50 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Sep 09 16:56:30 2011 -0700"
      },
      "message": "ima: sparse fix: include linux/ima.h in ima_main.c\n\nFixes sparse warnings:\nsecurity/integrity/ima/ima_main.c:105:6: warning: symbol \u0027ima_file_free\u0027 was not declared. Should it be static?\nsecurity/integrity/ima/ima_main.c:167:5: warning: symbol \u0027ima_file_mmap\u0027 was not declared. Should it be static?\nsecurity/integrity/ima/ima_main.c:192:5: warning: symbol \u0027ima_bprm_check\u0027 was not declared. Should it be static?\nsecurity/integrity/ima/ima_main.c:211:5: warning: symbol \u0027ima_file_check\u0027 was not declared. Should it be static?\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b97e14520207dccb5cdf93f322e571bf907df104",
      "tree": "1757e5541378136752d608ecde87e1c7251afbb0",
      "parents": [
        "cc7db09952faefc86187c67c4adf5cbdb6fe2c1b"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 30 10:18:30 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Sep 09 16:56:29 2011 -0700"
      },
      "message": "ima: sparse fix: make ima_open_policy static\n\nFixes sparse warning:\nsecurity/integrity/ima/ima_fs.c:290:5: warning: symbol \u0027ima_open_policy\u0027 was not declared. Should it be static?\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4892722e06694fda1928bac4aa5af5505bd26a4c",
      "tree": "eaeeb90d98ad1ad35bf32c75a579d28a70b722e2",
      "parents": [
        "fc9ff9b7e3eaff3f49bc0fbbddfc1416212e888a"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Aug 17 10:34:33 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Sep 09 16:56:24 2011 -0700"
      },
      "message": "integrity: sparse fix: move iint_initialized to integrity.h\n\nSparse fix: move iint_initialized to integrity.h\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "dbe5ad17ec62fbd3be7789f9a5ab71d23da8acf0",
      "tree": "60e4ae2f8b5d66faac484f5774d22290a51c21e4",
      "parents": [
        "09f464bf0961aba3cd917d4939597bafb269fb95"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Aug 17 18:51:36 2011 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 18 12:58:12 2011 +1000"
      },
      "message": "evm: add Kconfig TCG_TPM dependency\n\nAlthough the EVM encrypted-key should be encrypted/decrypted using a\ntrusted-key, a user-defined key could be used instead. When using a user-\ndefined key, a TCG_TPM dependency should not be required.  Unfortunately,\nthe encrypted-key code needs to be refactored a bit in order to remove\nthis dependency.\n\nThis patch adds the TCG_TPM dependency.\n\nReported-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e,\n\t     Randy Dunlap \u003crdunlap@xenotimenet\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5a4730ba9517cf2793175991243436a24b1db18f",
      "tree": "2c9c26d4662a31c851aed525d4d032d08e54e297",
      "parents": [
        "e1c9b23adbe86c725738402857397d7a29f9d6ef"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Aug 11 00:22:52 2011 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 11 17:42:41 2011 +1000"
      },
      "message": "evm: fix evm_inode_init_security return code\n\nevm_inode_init_security() should return 0, when EVM is not enabled.\n(Returning an error is a remnant of evm_inode_post_init_security.)\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0b024d2446474c6a7c47573af5a35db83f557ce3",
      "tree": "56d1d380cd4f87581a0e276ee80cc52e438738b8",
      "parents": [
        "5a2f3a02aea164f4f59c0c3497772090a411b462"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 09 11:33:36 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 09 11:33:36 2011 +1000"
      },
      "message": "EVM: ensure trusted and encypted key symbols are available to EVM\n\nSelect trusted and encrypted keys if EVM is selected, to ensure\nthe requisite symbols are available.  Otherwise, these can be\nselected as modules while EVM is static, leading to a kernel\nbuild failure.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5a2f3a02aea164f4f59c0c3497772090a411b462",
      "tree": "d3ebe03d4f97575290087843960baa01de3acd0a",
      "parents": [
        "1d568ab068c021672d6cd7f50f92a3695a921ffb",
        "817b54aa45db03437c6d09a7693fc6926eb8e822"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 09 10:31:03 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 09 10:31:03 2011 +1000"
      },
      "message": "Merge branch \u0027next-evm\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6 into next\n\nConflicts:\n\tfs/attr.c\n\nResolve conflict manually.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4b2a2c67415f1ab128f1d0b340fe6d13363335e5",
      "tree": "4553a90b12550980ac1dc40288458865e3eb186f",
      "parents": [
        "ed476418394f12d47f27a75424c237a94d244f10"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Jul 26 04:30:35 2011 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Jul 26 13:04:32 2011 -0400"
      },
      "message": "ima: fmode_t misspelled as mode_t...\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "817b54aa45db03437c6d09a7693fc6926eb8e822",
      "tree": "03d43f3abfbd8670e3a30a33ef868ec7705ef2c4",
      "parents": [
        "7102ebcd65c1cdb5d5a87c7c5cf7a46f5afb0cac"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri May 13 12:53:38 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:50 2011 -0400"
      },
      "message": "evm: add evm_inode_setattr to prevent updating an invalid security.evm\n\nPermit changing of security.evm only when valid, unless in fixmode.\n\nReported-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "7102ebcd65c1cdb5d5a87c7c5cf7a46f5afb0cac",
      "tree": "1de4ac95b25e6bebab103e4377047c8f76038dac",
      "parents": [
        "24e0198efe0df50034ec1c14b2d7b5bb0f66d54a"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu May 12 18:33:20 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:49 2011 -0400"
      },
      "message": "evm: permit only valid security.evm xattrs to be updated\n\nIn addition to requiring CAP_SYS_ADMIN permission to modify/delete\nsecurity.evm, prohibit invalid security.evm xattrs from changing,\nunless in fixmode. This patch prevents inadvertent \u0027fixing\u0027 of\nsecurity.evm to reflect offline modifications.\n\nChangelog v7:\n- rename boot paramater \u0027evm_mode\u0027 to \u0027evm\u0027\n\nReported-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "24e0198efe0df50034ec1c14b2d7b5bb0f66d54a",
      "tree": "64f7d23cd7b07dabe826c2a6ed37f7c1842816b2",
      "parents": [
        "6d38ca01c0c2d6c2e46ec1984db9ada6bad6ca26"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@nokia.com",
        "time": "Fri May 06 11:34:17 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:48 2011 -0400"
      },
      "message": "evm: replace hmac_status with evm_status\n\nWe will use digital signatures in addtion to hmac.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "6d38ca01c0c2d6c2e46ec1984db9ada6bad6ca26",
      "tree": "6084a84cd87d18c261d62dc816d48335ce602447",
      "parents": [
        "2960e6cb5f7c662b8edb6b0d2edc72095b4f5672"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@nokia.com",
        "time": "Fri May 06 11:34:14 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:48 2011 -0400"
      },
      "message": "evm: evm_verify_hmac must not return INTEGRITY_UNKNOWN\n\nIf EVM is not supported or enabled, evm_verify_hmac() returns\nINTEGRITY_UNKNOWN, which ima_appraise_measurement() ignores and sets\nthe appraisal status based solely on the security.ima verification.\n\nevm_verify_hmac() also returns INTEGRITY_UNKNOWN for other failures, such\nas temporary failures like -ENOMEM, resulting in possible attack vectors.\nThis patch changes the default return code for temporary/unexpected\nfailures, like -ENOMEM, from INTEGRITY_UNKNOWN to INTEGRITY_FAIL, making\nevm_verify_hmac() fail safe.\n\nAs a result, failures need to be re-evaluated in order to catch both\ntemporary errors, such as the -ENOMEM, as well as errors that have been\nresolved in fix mode.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "2960e6cb5f7c662b8edb6b0d2edc72095b4f5672",
      "tree": "84e8c3378312243087089a669e4209f43d531b37",
      "parents": [
        "d46eb3699502ba221e81e88e6c6594e2a7818532"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@nokia.com",
        "time": "Fri May 06 11:34:13 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:47 2011 -0400"
      },
      "message": "evm: additional parameter to pass integrity cache entry \u0027iint\u0027\n\nAdditional iint parameter allows to skip lookup in the cache.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "d46eb3699502ba221e81e88e6c6594e2a7818532",
      "tree": "4761b63f12ded9ad53e3019c33d62d173b4b07da",
      "parents": [
        "823eb1ccd0b310449e99c822412ea8208334d14c"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@nokia.com",
        "time": "Wed Mar 09 15:07:36 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:46 2011 -0400"
      },
      "message": "evm: crypto hash replaced by shash\n\nUsing shash is more efficient, because the algorithm is allocated only\nonce. Only the descriptor to store the hash state needs to be allocated\nfor every operation.\n\nChangelog v6:\n- check for crypto_shash_setkey failure\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "cb72318069d5e92eb74840118732c66eb38c812f",
      "tree": "eb4e9a6c923567e01ddd1340f9430eb3c43f4aeb",
      "parents": [
        "975d294373d8c1c913ad2bf4eb93966d4c7ca38f"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Mar 09 14:40:44 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:45 2011 -0400"
      },
      "message": "evm: add evm_inode_init_security to initialize new files\n\nInitialize \u0027security.evm\u0027 for new files.\n\nChangelog v7:\n- renamed evm_inode_post_init_security to evm_inode_init_security\n- moved struct xattr definition to earlier patch\n- allocate xattr name\nChangelog v6:\n- Use \u0027struct evm_ima_xattr_data\u0027\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "3e1be52d6c6b21d9080dd886c0e609e009831562",
      "tree": "2947250698b89eed0149af2d69a33b303c4d6be4",
      "parents": [
        "6be5cc5246f807fd8ede9f5f1bb2826f2c598658"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Mar 09 14:38:26 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:42 2011 -0400"
      },
      "message": "security: imbed evm calls in security hooks\n\nImbed the evm calls evm_inode_setxattr(), evm_inode_post_setxattr(),\nevm_inode_removexattr() in the security hooks.  evm_inode_setxattr()\nprotects security.evm xattr.  evm_inode_post_setxattr() and\nevm_inode_removexattr() updates the hmac associated with an inode.\n\n(Assumes an LSM module protects the setting/removing of xattr.)\n\nChangelog:\n  - Don\u0027t define evm_verifyxattr(), unless CONFIG_INTEGRITY is enabled.\n  - xattr_name is a \u0027const\u0027, value is \u0027void *\u0027\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@ubuntu.com\u003e\n"
    },
    {
      "commit": "6be5cc5246f807fd8ede9f5f1bb2826f2c598658",
      "tree": "00fc342eb91fb50df4e8eddfe2a7294b27df8117",
      "parents": [
        "66dbc325afcef909043c30e90930a36823fc734c"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@nokia.com",
        "time": "Wed Mar 09 14:28:20 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:41 2011 -0400"
      },
      "message": "evm: add support for different security.evm data types\n\nEVM protects a file\u0027s security extended attributes(xattrs) against integrity\nattacks. The current patchset maintains an HMAC-sha1 value across the security\nxattrs, storing the value as the extended attribute \u0027security.evm\u0027. We\nanticipate other methods for protecting the security extended attributes.\nThis patch reserves the first byte of \u0027security.evm\u0027 as a place holder for\nthe type of method.\n\nChangelog v6:\n- move evm_ima_xattr_type definition to security/integrity/integrity.h\n- defined a structure for the EVM xattr called evm_ima_xattr_data\n  (based on Serge Hallyn\u0027s suggestion)\n- removed unnecessary memset\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\n"
    },
    {
      "commit": "66dbc325afcef909043c30e90930a36823fc734c",
      "tree": "5c8a7fe063a058f4266c6db5e48229e8c04dd00e",
      "parents": [
        "1601fbad2b14e0b8d4dbb55e749bfe31e972818a"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Mar 15 16:12:09 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:40 2011 -0400"
      },
      "message": "evm: re-release\n\nEVM protects a file\u0027s security extended attributes(xattrs) against integrity\nattacks.  This patchset provides the framework and an initial method.  The\ninitial method maintains an HMAC-sha1 value across the security extended\nattributes, storing the HMAC value as the extended attribute \u0027security.evm\u0027.\nOther methods of validating the integrity of a file\u0027s metadata will be posted\nseparately (eg. EVM-digital-signatures).\n\nWhile this patchset does authenticate the security xattrs, and\ncryptographically binds them to the inode, coming extensions will bind other\ndirectory and inode metadata for more complete protection.  To help simplify\nthe review and upstreaming process, each extension will be posted separately\n(eg. IMA-appraisal, IMA-appraisal-directory).  For a general overview of the\nproposed Linux integrity subsystem, refer to Dave Safford\u0027s whitepaper:\nhttp://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.\n\nEVM depends on the Kernel Key Retention System to provide it with a\ntrusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto the\nroot\u0027s keyring using keyctl.  Until EVM receives notification that the key has\nbeen successfully loaded onto the keyring (echo 1 \u003e \u003csecurityfs\u003e/evm), EVM can\nnot create or validate the \u0027security.evm\u0027 xattr, but returns INTEGRITY_UNKNOWN.\nLoading the key and signaling EVM should be done as early as possible. Normally\nthis is done in the initramfs, which has already been measured as part of the\ntrusted boot.  For more information on creating and loading existing\ntrusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt.  A\nsample dracut patch, which loads the trusted/encrypted key and enables EVM, is\navailable from http://linux-ima.sourceforge.net/#EVM.\n\nBased on the LSMs enabled, the set of EVM protected security xattrs is defined\nat compile.  
EVM adds the following three calls to the existing security hooks:\nevm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr.  To\ninitialize and update the \u0027security.evm\u0027 extended attribute, EVM defines three\ncalls: evm_inode_post_init(), evm_inode_post_setattr() and\nevm_inode_post_removexattr() hooks.  To verify the integrity of a security\nxattr, EVM exports evm_verifyxattr().\n\nChangelog v7:\n- Fixed URL in EVM ABI documentation\n\nChangelog v6: (based on Serge Hallyn\u0027s review)\n- fix URL in patch description\n- remove evm_hmac_size definition\n- use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size)\n- moved linux include before other includes\n- test for crypto_hash_setkey failure\n- fail earlier for invalid key\n- clear entire encrypted key, even on failure\n- check xattr name length before comparing xattr names\n\nChangelog:\n- locking based on i_mutex, remove evm_mutex\n- using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1\n  operation.\n- replaced crypto hash with shash (Dmitry Kasatkin)\n- support for additional methods of verifying the security xattrs\n  (Dmitry Kasatkin)\n- iint not allocated for all regular files, but only for those appraised\n- Use cap_sys_admin in lieu of cap_mac_admin\n- Use __vfs_setxattr_noperm(), without permission checks, from EVM\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\n"
    },
    {
      "commit": "f381c272224f5f158f5cff64f8f3481fa0eee8b3",
      "tree": "a003dc4c6635c9d2fa90f31577ba5e7ea7bc71b1",
      "parents": [
        "9d8f13ba3f4833219e50767b022b82cd0da930eb"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Mar 09 14:13:22 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:38 2011 -0400"
      },
      "message": "integrity: move ima inode integrity data management\n\nMove the inode integrity data(iint) management up to the integrity directory\nin order to share the iint among the different integrity models.\n\nChangelog:\n- don\u0027t define MAX_DIGEST_SIZE\n- rename several globally visible \u0027ima_\u0027 prefixed functions, structs,\n  locks, etc to \u0027integrity_\u0027\n- replace \u002720\u0027 with SHA1_DIGEST_SIZE\n- reflect location change in appropriate Kconfig and Makefiles\n- remove unnecessary initialization of iint_initialized to 0\n- rebased on current ima_iint.c\n- define integrity_iint_store/lock as static\n\nThere should be no other functional changes.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@ubuntu.com\u003e\n"
    },
    {
      "commit": "1adace9bb04a5f4a4dea9e642089102661bb0ceb",
      "tree": "2396099935c50d838899a01da1438b8a441619de",
      "parents": [
        "854fdd55bfdd56cfc61bd30f2062a9268fcebba6"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Feb 22 10:19:43 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Feb 23 16:38:52 2011 -0500"
      },
      "message": "ima: remove unnecessary call to ima_must_measure\n\nThe original ima_must_measure() function based its results on cached\niint information, which required an iint be allocated for all files.\nCurrently, an iint is allocated only for files in policy.  As a result,\nfor those files in policy, ima_must_measure() is now called twice: once\nto determine if the inode is in the measurement policy and, the second\ntime, to determine if it needs to be measured/re-measured.\n\nThe second call to ima_must_measure() unnecessarily checks to see if\nthe file is in policy. As we already know the file is in policy, this\npatch removes the second unnecessary call to ima_must_measure(), removes\nthe vestige iint parameter, and just checks the iint directly to determine\nif the inode has been measured or needs to be measured/re-measured.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "854fdd55bfdd56cfc61bd30f2062a9268fcebba6",
      "tree": "139af793bf7395002e6e68978b603d47f28f7dc2",
      "parents": [
        "890275b5eb79e9933d12290473eab9ac38da0051"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Nov 02 10:14:22 2010 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Feb 10 07:51:44 2011 -0500"
      },
      "message": "IMA: remove IMA imbalance checking\n\nNow that i_readcount is maintained by the VFS layer, remove the\nimbalance checking in IMA. Cleans up the IMA code nicely.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "890275b5eb79e9933d12290473eab9ac38da0051",
      "tree": "8fa529a6fdfa7647ed4e14287658b71df8636ddd",
      "parents": [
        "a5c96ebf1d71df0c5fb77ab58c9aeb307cf02372"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Nov 02 10:13:07 2010 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Feb 10 07:51:44 2011 -0500"
      },
      "message": "IMA: maintain i_readcount in the VFS layer\n\nima_counts_get() updated the readcount and invalidated the PCR,\nas necessary. Only update the i_readcount in the VFS layer.\nMove the PCR invalidation checks to ima_file_check(), where it\nbelongs.\n\nMaintaining the i_readcount in the VFS layer, will allow other\nsubsystems to use i_readcount.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "a68a27b6f2354273bacc39c3dd06456edb202230",
      "tree": "d73396dab134842ecd1e86d665718e75012e7e78",
      "parents": [
        "75a25637bf8a1b8fbed2368c0a3ec15c66a534f1"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Nov 02 10:10:56 2010 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Feb 10 07:51:43 2011 -0500"
      },
      "message": "IMA: convert i_readcount to atomic\n\nConvert the inode\u0027s i_readcount from an unsigned int to atomic.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "867c20265459d30a01b021a9c1e81fb4c5832aa9",
      "tree": "7873555d6a0e100fb1faa90da6e6366a430c3403",
      "parents": [
        "03ed6a3aa600c48593c3984812fda2d5945ddb46"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jan 03 14:59:10 2011 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Jan 03 16:36:33 2011 -0800"
      },
      "message": "ima: fix add LSM rule bug\n\nIf security_filter_rule_init() doesn\u0027t return a rule, then not everything\nis as fine as the return code implies.\n\nThis bug only occurs when the LSM (eg. SELinux) is disabled at runtime.\n\nAdding an empty LSM rule causes ima_match_rules() to always succeed,\nignoring any remaining rules.\n\n default IMA TCB policy:\n  # PROC_SUPER_MAGIC\n  dont_measure fsmagic\u003d0x9fa0\n  # SYSFS_MAGIC\n  dont_measure fsmagic\u003d0x62656572\n  # DEBUGFS_MAGIC\n  dont_measure fsmagic\u003d0x64626720\n  # TMPFS_MAGIC\n  dont_measure fsmagic\u003d0x01021994\n  # SECURITYFS_MAGIC\n  dont_measure fsmagic\u003d0x73636673\n\n  \u003c LSM specific rule \u003e\n  dont_measure obj_type\u003dvar_log_t\n\n  measure func\u003dBPRM_CHECK\n  measure func\u003dFILE_MMAP mask\u003dMAY_EXEC\n  measure func\u003dFILE_CHECK mask\u003dMAY_READ uid\u003d0\n\nThus without the patch, with the boot parameters \u0027tcb selinux\u003d0\u0027, adding\nthe above \u0027dont_measure obj_type\u003dvar_log_t\u0027 rule to the default IMA TCB\nmeasurement policy, would result in nothing being measured.  The patch\nprevents the default TCB policy from being replaced.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nCc: David Safford \u003csafford@watson.ibm.com\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "bade72d607c4eb1b1d6c7852c493b75f065a56b5",
      "tree": "95aafb198d9a8a08e6b7813de0403658e6a1b04a",
      "parents": [
        "196f518128d2ee6e0028b50e6fec0313640db142"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:42:25 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:19 2010 -0700"
      },
      "message": "IMA: fix the ToMToU logic\n\nCurrent logic looks like this:\n\n        rc \u003d ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK);\n        if (rc \u003c 0)\n                goto out;\n\n        if (mode \u0026 FMODE_WRITE) {\n                if (inode-\u003ei_readcount)\n                        send_tomtou \u003d true;\n                goto out;\n        }\n\n        if (atomic_read(\u0026inode-\u003ei_writecount) \u003e 0)\n                send_writers \u003d true;\n\nLets assume we have a policy which states that all files opened for read\nby root must be measured.\n\nLets assume the file has permissions 777.\n\nLets assume that root has the given file open for read.\n\nLets assume that a non-root process opens the file write.\n\nThe non-root process will get to ima_counts_get() and will check the\nima_must_measure().  Since it is not supposed to measure it will goto\nout.\n\nWe should check the i_readcount no matter what since we might be causing\na ToMToU voilation!\n\nThis is close to correct, but still not quite perfect.  The situation\ncould have been that root, which was interested in the mesurement opened\nand closed the file and another process which is not interested in the\nmeasurement is the one holding the i_readcount ATM.  This is just overly\nstrict on ToMToU violations, which is better than not strict enough...\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "196f518128d2ee6e0028b50e6fec0313640db142",
      "tree": "43a1d76bee477dbaa682233979e86f58a98369f0",
      "parents": [
        "64c62f06bef8314a64d3189cb9c78062d54169b3"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:42:19 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:19 2010 -0700"
      },
      "message": "IMA: explicit IMA i_flag to remove global lock on inode_delete\n\nCurrently for every removed inode IMA must take a global lock and search\nthe IMA rbtree looking for an associated integrity structure.  Instead\nwe explicitly mark an inode when we add an integrity structure so we\nonly have to take the global lock and do the removal if it exists.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "64c62f06bef8314a64d3189cb9c78062d54169b3",
      "tree": "63f542bf6a0de4eb2c9742376f7c314ac78e65ec",
      "parents": [
        "bc7d2a3e66b40477270c3cbe3b89b47093276e7a"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:42:12 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:19 2010 -0700"
      },
      "message": "IMA: drop refcnt from ima_iint_cache since it isn\u0027t needed\n\nSince finding a struct ima_iint_cache requires a valid struct inode, and\nthe struct ima_iint_cache is supposed to have the same lifetime as a\nstruct inode (technically they die together but don\u0027t need to be created\nat the same time) we don\u0027t have to worry about the ima_iint_cache\noutliving or dieing before the inode.  So the refcnt isn\u0027t useful.  Just\nget rid of it and free the structure when the inode is freed.\n\nSigned-off-by: Eric Paris \u003ceapris@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "bc7d2a3e66b40477270c3cbe3b89b47093276e7a",
      "tree": "8f0198b8ad455fde11b24e32a2e32c008a5ececb",
      "parents": [
        "a178d2027d3198b0a04517d764326ab71cd73da2"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:42:05 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: only allocate iint when needed\n\nIMA always allocates an integrity structure to hold information about\nevery inode, but only needed this structure to track the number of\nreaders and writers currently accessing a given inode.  Since that\ninformation was moved into struct inode instead of the integrity struct\nthis patch stops allocating the integrity stucture until it is needed.\nThus greatly reducing memory usage.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "a178d2027d3198b0a04517d764326ab71cd73da2",
      "tree": "d81b9336328ba1741231b318a6f8187f627581fd",
      "parents": [
        "b9593d309d17c57e9ddc3934d641902533896ca9"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:59 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: move read counter into struct inode\n\nIMA currently allocated an inode integrity structure for every inode in\ncore.  This stucture is about 120 bytes long.  Most files however\n(especially on a system which doesn\u0027t make use of IMA) will never need\nany of this space.  The problem is that if IMA is enabled we need to\nknow information about the number of readers and the number of writers\nfor every inode on the box.  At the moment we collect that information\nin the per inode iint structure and waste the rest of the space.  This\npatch moves those counters into the struct inode so we can eventually\nstop allocating an IMA integrity structure except when absolutely\nneeded.\n\nThis patch does the minimum needed to move the location of the data.\nFurther cleanups, especially the location of counter updates, may still\nbe possible.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "b9593d309d17c57e9ddc3934d641902533896ca9",
      "tree": "fa7fd9ced4a79f102e653ee4a5dc348aa1a41c21",
      "parents": [
        "ad16ad00c34d3f320a5876b3d711ef6bc81362e1"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:52 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: use i_writecount rather than a private counter\n\nIMA tracks the number of struct files which are holding a given inode\nreadonly and the number which are holding the inode write or r/w.  It\nneeds this information so when a new reader or writer comes in it can\ntell if this new file will be able to invalidate results it already made\nabout existing files.\n\naka if a task is holding a struct file open RO, IMA measured the file\nand recorded those measurements and then a task opens the file RW IMA\nneeds to note in the logs that the old measurement may not be correct.\nIt\u0027s called a \"Time of Measure Time of Use\" (ToMToU) issue.  The same is\ntrue is a RO file is opened to an inode which has an open writer.  We\ncannot, with any validity, measure the file in question since it could\nbe changing.\n\nThis patch attempts to use the i_writecount field to track writers.  The\ni_writecount field actually embeds more information in it\u0027s value than\nIMA needs but it should work for our purposes and allow us to shrink the\nstruct inode even more.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "ad16ad00c34d3f320a5876b3d711ef6bc81362e1",
      "tree": "7cf3b755567fde2850d2ea7f4a186a0dcea6b80f",
      "parents": [
        "15aac676778f206b42c4d7782b08f89246680485"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:45 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: use inode-\u003ei_lock to protect read and write counters\n\nCurrently IMA used the iint-\u003emutex to protect the i_readcount and\ni_writecount.  This patch uses the inode-\u003ei_lock since we are going to\nstart using in inode objects and that is the most appropriate lock.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "15aac676778f206b42c4d7782b08f89246680485",
      "tree": "d4d2625139f8a52ffa7bd0cb1848a446518652ec",
      "parents": [
        "497f32337073a2da102c49a53779097b5394711b"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:39 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: convert internal flags from long to char\n\nThe IMA flags is an unsigned long but there is only 1 flag defined.\nLets save a little space and make it a char.  This packs nicely next to\nthe array of u8\u0027s.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "497f32337073a2da102c49a53779097b5394711b",
      "tree": "203cbcd3f9462737d872e24fb2c847ce9a69de45",
      "parents": [
        "b575156dafef208415ff0842c392733d16d4ccf1"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:32 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: use unsigned int instead of long for counters\n\nCurrently IMA uses 2 longs in struct inode.  To save space (and as it\nseems impossible to overflow 32 bits) we switch these to unsigned int.\nThe switch to unsigned does require slightly different checks for\nunderflow, but it isn\u0027t complex.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "b575156dafef208415ff0842c392733d16d4ccf1",
      "tree": "52e4afd6a1969a975bd9e4b882d97d5ab659fa20",
      "parents": [
        "8549164143a5431f9d9ea846acaa35a862410d9c"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:26 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:17 2010 -0700"
      },
      "message": "IMA: drop the inode opencount since it isn\u0027t needed for operation\n\nThe opencount was used to help debugging to make sure that everything\nwhich created a struct file also correctly made the IMA calls.  Since we\nmoved all of that into the VFS this isn\u0027t as necessary.  We should be\nable to get the same amount of debugging out of just the reader and\nwrite count.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "8549164143a5431f9d9ea846acaa35a862410d9c",
      "tree": "79b0d2aeb2674f221854866cb067947dc47f2203",
      "parents": [
        "f6f94e2ab1b33f0082ac22d71f66385a60d8157f"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:18 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:17 2010 -0700"
      },
      "message": "IMA: use rbtree instead of radix tree for inode information cache\n\nThe IMA code needs to store the number of tasks which have an open fd\ngranting permission to write a file even when IMA is not in use.  It\nneeds this information in order to be enabled at a later point in time\nwithout losing it\u0027s integrity garantees.\n\nAt the moment that means we store a little bit of data about every inode\nin a cache.  We use a radix tree key\u0027d on the inode\u0027s memory address.\nDave Chinner pointed out that a radix tree is a terrible data structure\nfor such a sparse key space.  This patch switches to using an rbtree\nwhich should be more efficient.\n\nBug report from Dave:\n\n \"I just noticed that slabtop was reporting an awfully high usage of\n  radix tree nodes:\n\n   OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME\n  4200331 2778082  66%    0.55K 144839       29   2317424K radix_tree_node\n  2321500 2060290  88%    1.00K  72581       32   2322592K xfs_inode\n  2235648 2069791  92%    0.12K  69864       32    279456K iint_cache\n\n  That is, 2.7M radix tree nodes are allocated, and the cache itself is\n  consuming 2.3GB of RAM.  I know that the XFS inodei caches are indexed\n  by radix tree node, but for 2 million cached inodes that would mean a\n  density of 1 inode per radix tree node, which for a system with 16M\n  inodes in the filsystems is an impossibly low density.  The worst I\u0027ve\n  seen in a production system like kernel.org is about 20-25% density,\n  which would mean about 150-200k radix tree nodes for that many inodes.\n  So it\u0027s not the inode cache.\n\n  So I looked up what the iint_cache was.  It appears to used for\n  storing per-inode IMA information, and uses a radix tree for indexing.\n  It uses the *address* of the struct inode as the indexing key.  
That\n  means the key space is extremely sparse - for XFS the struct inode\n  addresses are approximately 1000 bytes apart, which means the closest\n  the radix tree index keys get is ~1000.  Which means that there is a\n  single entry per radix tree leaf node, so the radix tree is using\n  roughly 550 bytes for every 120byte structure being cached.  For the\n  above example, it\u0027s probably wasting close to 1GB of RAM....\"\n\nReported-by: Dave Chinner \u003cdavid@fromorbit.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "e950598d43dce8d97e7d5270808393425d1e5cbd",
      "tree": "916c8a6c5dc63cd3486aa7200964269ea31b4d42",
      "parents": [
        "999b4f0aa2314b76857775334cb94bafa053db64"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Aug 31 09:38:51 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Sep 08 09:51:41 2010 +1000"
      },
      "message": "ima: always maintain counters\n\ncommit 8262bb85da allocated the inode integrity struct (iint) before any\ninodes were created. Only after IMA was initialized in late_initcall were\nthe counters updated. This patch updates the counters, whether or not IMA\nhas been initialized, to resolve \u0027imbalance\u0027 messages.\n\nThis patch fixes the bug as reported in bugzilla: 15673.  When the i915\nis builtin, the ring_buffer is initialized before IMA, causing the\nimbalance message on suspend.\n\nReported-by: Thomas Meyer \u003cthomas@m3y3r.de\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nTested-by: Thomas Meyer \u003cthomas@m3y3r.de\u003e\nTested-by: David Safford\u003csafford@watson.ibm.com\u003e\nCc: Stable Kernel \u003cstable@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "cdcd90f9e450d4edb5fab0490119f9540874e882",
      "tree": "5b1a5b5d00d19d6fa9ba13261ff22ffb0b8aa154",
      "parents": [
        "7e2deb7ce8f662bce877dbfd3b0053e9559c25a3"
      ],
      "author": {
        "name": "Arnd Bergmann",
        "email": "arnd@arndb.de",
        "time": "Wed Jul 07 23:40:15 2010 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Aug 02 15:34:58 2010 +1000"
      },
      "message": "ima: use generic_file_llseek for securityfs\n\nThe default for llseek will change to no_llseek,\nso securityfs users need to add explicit .llseek\nassignments. Since we\u0027re dealing with regular\nfiles from a VFS perspective, use generic_file_llseek.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nCc: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "db1afffab0b5d9f6d31f8f4bea44c9cb3bc59351",
      "tree": "5ba8fd7a5018c0772d999b8c3aa945c0efb929e0",
      "parents": [
        "dd336c554d8926c3348a2d5f2a5ef5597f6d1a06"
      ],
      "author": {
        "name": "NeilBrown",
        "email": "neilb@suse.de",
        "time": "Tue Mar 16 15:14:51 2010 +1100"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@suse.de",
        "time": "Fri May 21 09:37:29 2010 -0700"
      },
      "message": "kref: remove kref_set\n\nOf the three uses of kref_set in the kernel:\n\n One really should be kref_put as the code is letting go of a\n    reference,\n Two really should be kref_init because the kref is being\n    initialised.\n\nThis suggests that making kref_set available encourages bad code.\nSo fix the three uses and remove kref_set completely.\n\nSigned-off-by: NeilBrown \u003cneilb@suse.de\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n\n"
    },
    {
      "commit": "ba0c1709f4946a5ca1a678f4318ed72c0d409b3c",
      "tree": "22c60e909f1dccf1fa6f0c0b51b9e3163d66cfc1",
      "parents": [
        "7f2ab000c6f2ae46070807a3bf645c45d8639460"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue May 04 18:16:30 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon May 17 09:21:58 2010 +1000"
      },
      "message": "ima: remove ACPI dependency\n\nThe ACPI dependency moved to the TPM, where it belongs.  Although\nIMA per-se does not require access to the bios measurement log,\nverifying the IMA boot aggregate does, which requires ACPI.\n\nThis patch prereq\u0027s \u0027TPM: ACPI/PNP dependency removal\u0027\nhttp://lkml.org/lkml/2010/5/4/378.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nReported-by: Jean-Christophe Dubois \u003cjcd@tribudubois.net\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nTested-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "83c36ccfe4d849f482ea0a62402c7624f4e59f0e",
      "tree": "381c005c107bc5cf8db594308c5a3b0ec2bd1d34",
      "parents": [
        "ec4a162af388a2716c5314c4aff7029071d09f57"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 07 09:20:03 2010 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 07 09:20:03 2010 +1000"
      },
      "message": "Revert \"ima: remove ACPI dependency\"\n\nThis reverts commit a674fa46c79ffa37995bd1c8e4daa2b3be5a95ae.\n\nPrevious revert was a prereq.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0ffbe2699cda6afbe08501098dff8a8c2fe6ae09",
      "tree": "81b1a2305d16c873371b65c5a863c0268036cefe",
      "parents": [
        "4e5d6f7ec3833c0da9cf34fa5c53c6058c5908b6",
        "7ebd467551ed6ae200d7835a84bbda0dcadaa511"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu May 06 10:56:07 2010 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu May 06 10:56:07 2010 +1000"
      },
      "message": "Merge branch \u0027master\u0027 into next\n"
    },
    {
      "commit": "a674fa46c79ffa37995bd1c8e4daa2b3be5a95ae",
      "tree": "4f2b0d0b89310cc93e9ae9377cdbba80b0554814",
      "parents": [
        "b89e66e1e396f7b5436af154e58209320cc08aed"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue May 04 18:16:30 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 05 10:00:06 2010 +1000"
      },
      "message": "ima: remove ACPI dependency\n\nThe ACPI dependency moved to the TPM, where it belongs.  Although\nIMA per-se does not require access to the bios measurement log,\nverifying the IMA boot aggregate does, which requires ACPI.\n\nThis patch prereq\u0027s \u0027TPM: ACPI/PNP dependency removal\u0027\nhttp://lkml.org/lkml/2010/5/4/378.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nReported-by: Jean-Christophe Dubois \u003cjcd@tribudubois.net\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nTested-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "eb8dae9607901fd3fc181325ff3f30dce8f574c5",
      "tree": "1b6a0af7a1cd6b32a8cbb1512d91232895733bc5",
      "parents": [
        "34c111f626e91adb23f90a91d2c7cd4dac9fa4b1"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Apr 22 10:49:36 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 23 08:47:53 2010 +1000"
      },
      "message": "IMA: include the word IMA in printk messages\n\nAs an example IMA emits a warning when it can\u0027t find a TPM chip:\n\n\"No TPM chip found, activating TPM-bypass!\"\n\nThis patch prefaces that message with IMA so we know what subsystem is\nbypassing the TPM.  Do this for all pr_info and pr_err messages.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "34c111f626e91adb23f90a91d2c7cd4dac9fa4b1",
      "tree": "3ca16731ab7e9b6cc1848dd28852503506dd97e1",
      "parents": [
        "2f1506cd82e0725ba00c7146a9a9b47824a5edcf"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:21:36 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:18 2010 +1000"
      },
      "message": "IMA: drop the word integrity in the audit message\n\nintegrity_audit_msg() uses \"integrity:\" in the audit message.  This\nviolates the (loosely defined) audit system requirements that everything be\na key\u003dvalue pair and it doesn\u0027t provide additional information.  This can\nbe obviously gleaned from the message type.  Just drop it.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2f1506cd82e0725ba00c7146a9a9b47824a5edcf",
      "tree": "ac92c983ab10842e82e229c00b697566c6f20028",
      "parents": [
        "7233e3ee22b1506723411fe437bcf69f678e8cdd"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:21:30 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:17 2010 +1000"
      },
      "message": "IMA: use audit_log_untrusted_string rather than %s\n\nConvert all of the places IMA calls audit_log_format with %s into\naudit_log_untrusted_string().  This is going to cause them all to get\nquoted, but it should make audit log injection harder.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7233e3ee22b1506723411fe437bcf69f678e8cdd",
      "tree": "3d84d037890a9918ed02b89fde875fd6e6cd3b10",
      "parents": [
        "28ef4002ec7b4be27f1110b83e255df8159c786a"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:21:24 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:16 2010 +1000"
      },
      "message": "IMA: handle comments in policy\n\nIMA policy load parser will reject any policies with a comment.  This patch\nwill allow the parser to just ignore lines which start with a #.  This is not\nvery robust.  # can ONLY be used at the very beginning of a line.  Inline\ncomments are not allowed.\n\nSigned-off-by: Eric Paris\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "28ef4002ec7b4be27f1110b83e255df8159c786a",
      "tree": "e7b32aeb36ecf2d76235aa7d436a7578738a98cc",
      "parents": [
        "e9d393bf8660fbbbe00617015224342bac3ea6fc"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:21:18 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:16 2010 +1000"
      },
      "message": "IMA: handle whitespace better\n\nIMA parser will fail if whitespace is used in any way other than a single\nspace.  Using a tab or even using 2 spaces in a row will result in a policy\nbeing rejected.  This patch makes the kernel ignore whitespace a bit better.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e9d393bf8660fbbbe00617015224342bac3ea6fc",
      "tree": "b127189c4b598774ef467b599bd8bfe08b3c71d4",
      "parents": [
        "b9035b1fd7933c11e68dbbf49b530cc43bf1da65"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:21:13 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:15 2010 +1000"
      },
      "message": "IMA: reject policies with unknown entries\n\nCurrently the ima policy load code will print what it doesn\u0027t understand\nbut really I think it should reject any policy it doesn\u0027t understand.  This\npatch makes it so!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b9035b1fd7933c11e68dbbf49b530cc43bf1da65",
      "tree": "b2f6846ee36422db9a58705e902054d4dac1c438",
      "parents": [
        "7b62e162129c3b28d51016774e0c7c57c710c452"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:21:07 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:14 2010 +1000"
      },
      "message": "IMA: set entry-\u003eaction to UNKNOWN rather than hard coding\n\nima_parse_rule currently sets entry-\u003eaction \u003d -1 and then later tests\nif (entry-\u003eaction \u003d\u003d UNKNOWN).  It is true that UNKNOWN \u003d\u003d -1 but actually\nsetting it to UNKNOWN makes a lot more sense in case things change in the\nfuture.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7b62e162129c3b28d51016774e0c7c57c710c452",
      "tree": "c6d18b649b70bb684b2a648a4a00956f2d1e62e2",
      "parents": [
        "6ccd045630054c99ba1bb35673db12cfcf1eea58"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:21:01 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:14 2010 +1000"
      },
      "message": "IMA: do not allow the same rule to specify the same thing twice\n\nIMA will accept rules which specify things twice and will only pay\nattention to the last one.  We should reject such rules.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "6ccd045630054c99ba1bb35673db12cfcf1eea58",
      "tree": "bce41e39722ae178807abe2213fd94e582842bae",
      "parents": [
        "a200005038955057063fc8ea82129ebc785df41c"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:20:54 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:13 2010 +1000"
      },
      "message": "ima: handle multiple rules per write\n\nCurrently IMA will only accept one rule per write().  This patch allows IMA to\naccept writes which contain multiple rules but only processes one rule per\nwrite.  \\n is used as the delimiter between rules.  IMA will return a short\nwrite indicating that it only accepted up to the first \\n.\n\nThis allows simple userspace utilities like cat to be used to load an IMA\npolicy instead of needing a special userspace utility that understood \u0027one\nwrite per rule\u0027\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5a0e3ad6af8660be21ca98a971cd00f331318c05",
      "tree": "5bfb7be11a03176a87296a43ac6647975c00a1d1",
      "parents": [
        "ed391f4ebf8f701d3566423ce8f17e614cde9806"
      ],
      "author": {
        "name": "Tejun Heo",
        "email": "tj@kernel.org",
        "time": "Wed Mar 24 17:04:11 2010 +0900"
      },
      "committer": {
        "name": "Tejun Heo",
        "email": "tj@kernel.org",
        "time": "Tue Mar 30 22:02:32 2010 +0900"
      },
      "message": "include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h\n\npercpu.h is included by sched.h and module.h and thus ends up being\nincluded when building most .c files.  percpu.h includes slab.h which\nin turn includes gfp.h making everything defined by the two files\nuniversally available and complicating inclusion dependencies.\n\npercpu.h -\u003e slab.h dependency is about to be removed.  Prepare for\nthis change by updating users of gfp and slab facilities include those\nheaders directly instead of assuming availability.  As this conversion\nneeds to touch large number of source files, the following script is\nused as the basis of conversion.\n\n  http://userweb.kernel.org/~tj/misc/slabh-sweep.py\n\nThe script does the followings.\n\n* Scan files for gfp and slab usages and update includes such that\n  only the necessary includes are there.  ie. if only gfp is used,\n  gfp.h, if slab is used, slab.h.\n\n* When the script inserts a new include, it looks at the include\n  blocks and try to put the new include such that its order conforms\n  to its surrounding.  It\u0027s put in the include block which contains\n  core kernel includes, in the same order that the rest are ordered -\n  alphabetical, Christmas tree, rev-Xmas-tree or at the end if there\n  doesn\u0027t seem to be any matching order.\n\n* If the script can\u0027t find a place to put a new include (mostly\n  because the file doesn\u0027t have fitting include block), it prints out\n  an error message indicating which .h file needs to be added to the\n  file.\n\nThe conversion was done in the following steps.\n\n1. The initial automatic conversion of all .c files updated slightly\n   over 4000 files, deleting around 700 includes and adding ~480 gfp.h\n   and ~3000 slab.h inclusions.  The script emitted errors for ~400\n   files.\n\n2. Each error was manually checked.  
Some didn\u0027t need the inclusion,\n   some needed manual addition while adding it to implementation .h or\n   embedding .c file was more appropriate for others.  This step added\n   inclusions to around 150 files.\n\n3. The script was run again and the output was compared to the edits\n   from #2 to make sure no file was left behind.\n\n4. Several build tests were done and a couple of problems were fixed.\n   e.g. lib/decompress_*.c used malloc/free() wrappers around slab\n   APIs requiring slab.h to be added manually.\n\n5. The script was run on all .h files but without automatically\n   editing them as sprinkling gfp.h and slab.h inclusions around .h\n   files could easily lead to inclusion dependency hell.  Most gfp.h\n   inclusion directives were ignored as stuff from gfp.h was usually\n   wildly available and often used in preprocessor macros.  Each\n   slab.h inclusion directive was examined and added manually as\n   necessary.\n\n6. percpu.h was updated not to include slab.h.\n\n7. Build test were done on the following configurations and failures\n   were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my\n   distributed build env didn\u0027t work with gcov compiles) and a few\n   more options had to be turned off depending on archs to make things\n   build (like ipr on powerpc/64 which failed due to missing writeq).\n\n   * x86 and x86_64 UP and SMP allmodconfig and a custom test config.\n   * powerpc and powerpc64 SMP allmodconfig\n   * sparc and sparc64 SMP allmodconfig\n   * ia64 SMP allmodconfig\n   * s390 SMP allmodconfig\n   * alpha SMP allmodconfig\n   * um on x86_64 SMP allmodconfig\n\n8. 
percpu.h modifications were reverted so that it could be applied as\n   a separate patch and serve as bisection point.\n\nGiven the fact that I had only a couple of failures from tests on step\n6, I\u0027m fairly confident about the coverage of this conversion patch.\nIf there is a breakage, it\u0027s likely to be something in one of the arch\nheaders which should be easily discoverable on most builds of\nthe specific arch.\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nGuess-its-ok-by: Christoph Lameter \u003ccl@linux-foundation.org\u003e\nCc: Ingo Molnar \u003cmingo@redhat.com\u003e\nCc: Lee Schermerhorn \u003cLee.Schermerhorn@hp.com\u003e\n"
    },
    {
      "commit": "a19c5bbefb37ebe22fb42bd3861a8d3b2a2652a1",
      "tree": "4850853aca5c1ac564af02cd3240748579f32ba8",
      "parents": [
        "512ea3bc30c0e052a961e1abce8e783f3e28c92a"
      ],
      "author": {
        "name": "H Hartley Sweeten",
        "email": "hartleys@visionengravers.com",
        "time": "Tue Mar 09 17:59:59 2010 -0600"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Mar 10 15:59:54 2010 +1100"
      },
      "message": "security/ima: replace gcc specific __FUNCTION__ with __func__\n\nAs noted by checkpatch.pl, __func__ should be used instead of gcc\nspecific __FUNCTION__.\n\nSigned-off-by: H Hartley Sweeten \u003chsweeten@visionengravers.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "baac35c4155a8aa826c70acee6553368ca5243a2",
      "tree": "3a930979c48c83e4f07234ed05ef67caeb869bac",
      "parents": [
        "60b341b778cc2929df16c0a504c91621b3c6a4ad"
      ],
      "author": {
        "name": "Xiaotian Feng",
        "email": "dfeng@redhat.com",
        "time": "Wed Feb 24 18:39:02 2010 +0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 25 07:54:33 2010 +1100"
      },
      "message": "security: fix error return path in ima_inode_alloc\n\nIf radix_tree_preload is failed in ima_inode_alloc, we don\u0027t need\nradix_tree_preload_end because kernel is alread preempt enabled\n\nSigned-off-by: Xiaotian Feng \u003cdfeng@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1e93d0052d9a6b3d0b382eedceb18b519d603baf",
      "tree": "b47cb67cdfd98e257c4d7fb7ed75f6930a1bf005",
      "parents": [
        "9bbb6cad0173e6220f3ac609e26beb48dab3b7cd"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Jan 26 17:02:41 2010 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sun Feb 07 03:06:23 2010 -0500"
      },
      "message": "ima: rename PATH_CHECK to FILE_CHECK\n\nWith the movement of the ima hooks functions were renamed from *path* to\n*file* since they always deal with struct file.  This patch renames some of\nthe ima internal flags to make them consistent with the rest of the code.\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "9bbb6cad0173e6220f3ac609e26beb48dab3b7cd",
      "tree": "680e0de3071c938ca9858fa9ed5bd5ca8ff2f20f",
      "parents": [
        "54bb6552bd9405dc7685653157a4ec260c77a71c"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Jan 26 17:02:40 2010 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sun Feb 07 03:06:22 2010 -0500"
      },
      "message": "ima: rename ima_path_check to ima_file_check\n\nima_path_check actually deals with files!  call it ima_file_check instead.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "54bb6552bd9405dc7685653157a4ec260c77a71c",
      "tree": "7baad9e6cfacd055fd8076d52748a2d3f71d7551",
      "parents": [
        "8eb988c70e7709b7bd1a69f0ec53d19ac20dea84"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Dec 09 15:29:01 2009 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sun Feb 07 03:06:22 2010 -0500"
      },
      "message": "ima: initialize ima before inodes can be allocated\n\nima wants to create an inode information struct (iint) when inodes are\nallocated.  This means that at least the part of ima which does this\nallocation (the allocation is filled with information later) should\nbefore any inodes are created.  To accomplish this we split the ima\ninitialization routine placing the kmem cache allocator inside a\nsecurity_initcall() function.  Since this makes use of radix trees we also\nneed to make sure that is initialized before security_initcall().\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "8eb988c70e7709b7bd1a69f0ec53d19ac20dea84",
      "tree": "6d0283a9fbca5cc104f591b9cc628edf39bc0b05",
      "parents": [
        "1e41568d7378d1ba8c64ba137b9ddd00b59f893a"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Jan 20 15:35:41 2010 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sun Feb 07 03:06:22 2010 -0500"
      },
      "message": "fix ima breakage\n\nThe \"Untangling ima mess, part 2 with counters\" patch messed\nup the counters.  Based on conversations with Al Viro, this patch\nstreamlines ima_path_check() by removing the counter maintenance.\nThe counters are now updated independently, from measuring the file,\nin __dentry_open() and alloc_file() by calling ima_counts_get().\nima_path_check() is called from nfsd and do_filp_open().\nIt also did not measure all files that should have been measured.\nReason: ima_path_check() got bogus value passed as mask.\n[AV: mea culpa]\n[AV: add missing nfsd bits]\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "d1625436b4fe526fa463bc0519ba37d7e4b37bbc",
      "tree": "a609c4bcd671190b039ddd4bd0f9bd63df588a22",
      "parents": [
        "1429b3eca23818f87f9fa569a15d9816de81f698"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@us.ibm.com",
        "time": "Fri Dec 04 15:48:40 2009 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Wed Dec 16 12:16:48 2009 -0500"
      },
      "message": "ima: limit imbalance msg\n\nLimit the number of imbalance messages to once per filesystem type instead of\nonce per system boot.  (it\u0027s actually slightly racy and could give you a\ncouple per fs, but this isn\u0027t a real issue)\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "1429b3eca23818f87f9fa569a15d9816de81f698",
      "tree": "3100f009ec8863ee4692ee197b8e0c16c11258e6",
      "parents": [
        "b65a9cfc2c38eebc33533280b8ad5841caee8b6e"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Wed Dec 16 06:38:01 2009 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Wed Dec 16 12:16:47 2009 -0500"
      },
      "message": "Untangling ima mess, part 3: kill dead code in ima\n\nKill the \u0027update\u0027 argument of ima_path_check(), kill\ndead code in ima.\n\nCurrent rules: ima counters are bumped at the same time\nwhen the file switches from put_filp() fodder to fput()\none.  Which happens exactly in two places - alloc_file()\nand __dentry_open().  Nothing else needs to do that at\nall.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "85a17f552dfe77efb44b971615e4f221a5f28f37",
      "tree": "bf9639dc2bb2dab926624a49a8b5aa1159876059",
      "parents": [
        "e0d5bd2aec4e69e720ee86958503923cafb45be5"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Dec 04 15:48:08 2009 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Wed Dec 16 12:16:46 2009 -0500"
      },
      "message": "ima: call ima_inode_free ima_inode_free\n\nima_inode_free() has some funky #define just to confuse the crap out of me.\n\nvoid ima_iint_delete(struct inode *inode)\n\nand then things actually call ima_inode_free() and nothing calls\nima_iint_delete().\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "e0d5bd2aec4e69e720ee86958503923cafb45be5",
      "tree": "07ad4c96ad5c680f8a6b1f8152269af23944dc5d",
      "parents": [
        "9353384ec8128cb443463016bbabb44ca857ff52"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Dec 04 15:48:00 2009 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Wed Dec 16 12:16:46 2009 -0500"
      },
      "message": "IMA: clean up the IMA counts updating code\n\nWe currently have a lot of duplicated code around ima file counts.  Clean\nthat all up.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "9353384ec8128cb443463016bbabb44ca857ff52",
      "tree": "411ff22e85868aea1575d8b133187def3b0e0498",
      "parents": [
        "ec29ea544b1ce204ba3575ba05fccf3069d00c3f"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Dec 04 15:47:52 2009 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Wed Dec 16 12:16:46 2009 -0500"
      },
      "message": "ima: only insert at inode creation time\n\niints are supposed to be allocated when an inode is allocated (during\nsecurity_inode_alloc())  But we have code which will attempt to allocate\nan iint during measurement calls.  If we couldn\u0027t allocate the iint and we\ncared, we should have died during security_inode_alloc().  Not make the\ncode more complex and less efficient.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "ec29ea544b1ce204ba3575ba05fccf3069d00c3f",
      "tree": "9b8073563183059e275730a8bb4f5b0c01800b6e",
      "parents": [
        "e81e3f4dca6c54116a24aec217d2c15c6f58ada5"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Dec 04 15:47:44 2009 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Wed Dec 16 12:16:46 2009 -0500"
      },
      "message": "ima: valid return code from ima_inode_alloc\n\nima_inode_alloc returns 0 and 1, but the LSM hooks expects an errno.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "c84d6efd363a3948eb32ec40d46bab6338580454",
      "tree": "3ba7ac46e6626fe8ac843834588609eb6ccee5c6",
      "parents": [
        "7539cf4b92be4aecc573ea962135f246a7a33401",
        "22763c5cf3690a681551162c15d34d935308c8d7"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@macbook.(none)",
        "time": "Thu Dec 03 12:03:40 2009 +0530"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@macbook.(none)",
        "time": "Thu Dec 03 12:03:40 2009 +0530"
      },
      "message": "Merge branch \u0027master\u0027 into next\n"
    },
    {
      "commit": "c09c59e6a070d6af05f238f255aea268185273ef",
      "tree": "80f4004f11896aa59cf100cf60a08f3af368fc7c",
      "parents": [
        "ac50e950784cae1c26ad9e09ebd8f8c706131eb3"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Nov 18 16:16:06 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Nov 19 08:42:01 2009 +1100"
      },
      "message": "ima: replace GFP_KERNEL with GFP_NOFS\n\nWhile running fsstress tests on the NFSv4 mounted ext3 and ext4\nfilesystem, the following call trace was generated on the nfs\nserver machine.\n\nReplace GFP_KERNEL with GFP_NOFS in ima_iint_insert() to avoid a\npotential deadlock.\n\n     \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n    [ INFO: inconsistent lock state ]\n    2.6.31-31.el6.x86_64 #1\n    ---------------------------------\n    inconsistent {RECLAIM_FS-ON-W} -\u003e {IN-RECLAIM_FS-W} usage.\n    kswapd2/75 [HC0[0]:SC0[0]:HE1:SE1] takes:\n     (jbd2_handle){+.+.?.}, at: [\u003cffffffff811edd5e\u003e] jbd2_journal_start+0xfe/0x13f\n    {RECLAIM_FS-ON-W} state was registered at:\n      [\u003cffffffff81091e40\u003e] mark_held_locks+0x65/0x99\n      [\u003cffffffff81091f31\u003e] lockdep_trace_alloc+0xbd/0xf5\n      [\u003cffffffff81126fdd\u003e] kmem_cache_alloc+0x40/0x185\n      [\u003cffffffff812344d7\u003e] ima_iint_insert+0x3d/0xf1\n      [\u003cffffffff812345b0\u003e] ima_inode_alloc+0x25/0x44\n      [\u003cffffffff811484ac\u003e] inode_init_always+0xec/0x271\n      [\u003cffffffff81148682\u003e] alloc_inode+0x51/0xa1\n      [\u003cffffffff81148700\u003e] new_inode+0x2e/0x94\n      [\u003cffffffff811b2f08\u003e] ext4_new_inode+0xb8/0xdc9\n      [\u003cffffffff811be611\u003e] ext4_create+0xcf/0x175\n      [\u003cffffffff8113e2cd\u003e] vfs_create+0x82/0xb8\n      [\u003cffffffff8113f337\u003e] do_filp_open+0x32c/0x9ee\n      [\u003cffffffff811309b9\u003e] do_sys_open+0x6c/0x12c\n      [\u003cffffffff81130adc\u003e] sys_open+0x2e/0x44\n      [\u003cffffffff81011e42\u003e] system_call_fastpath+0x16/0x1b\n      [\u003cffffffffffffffff\u003e] 0xffffffffffffffff\n    irq event stamp: 90371\n    hardirqs last  enabled at (90371): [\u003cffffffff8112708d\u003e]\n    kmem_cache_alloc+0xf0/0x185\n    hardirqs last disabled at (90370): [\u003cffffffff81127026\u003e]\n    kmem_cache_alloc+0x89/0x185\n    softirqs last  enabled at (89492): [\u003cffffffff81068ecf\u003e]\n    __do_softirq+0x1bf/0x1eb\n    softirqs last disabled at (89477): [\u003cffffffff8101312c\u003e] call_softirq+0x1c/0x30\n\n    other info that might help us debug this:\n    2 locks held by kswapd2/75:\n     #0:  (shrinker_rwsem){++++..}, at: [\u003cffffffff810f98ba\u003e] shrink_slab+0x44/0x177\n     #1:  (\u0026type-\u003es_umount_key#25){++++..}, at: [\u003cffffffff811450ba\u003e]\n\nReported-by: Muni P. Beerakam \u003cmbeeraka@in.ibm.com\u003e\nReported-by: Amit K. Arora \u003camitarora@in.ibm.com\u003e\nCc: stable@kernel.org\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "6c21a7fb492bf7e2c4985937082ce58ddeca84bd",
      "tree": "6cfe11ba4b8eee26ee8b02d2b4a5fcc6ea07e4bd",
      "parents": [
        "6e8e16c7bc298d7887584c3d027e05db3e86eed9"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Oct 22 17:30:13 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sun Oct 25 12:22:48 2009 +0800"
      },
      "message": "LSM: imbed ima calls in the security hooks\n\nBased on discussions on LKML and LSM, where there are consecutive\nsecurity_ and ima_ calls in the vfs layer, move the ima_ calls to\nthe existing security_ hooks.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "828c09509b9695271bcbdc53e9fc9a6a737148d2",
      "tree": "072ffad6f02db7bf4095e07e2b90247cfa042998",
      "parents": [
        "1c4115e595dec42aa0e81ba47ef46e35b34ed428"
      ],
      "author": {
        "name": "Alexey Dobriyan",
        "email": "adobriyan@gmail.com",
        "time": "Thu Oct 01 15:43:56 2009 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Oct 01 16:11:11 2009 -0700"
      },
      "message": "const: constify remaining file_operations\n\n[akpm@linux-foundation.org: fix KVM]\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nAcked-by: Mike Frysinger \u003cvapier@gentoo.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "88e9d34c727883d7d6f02cf1475b3ec98b8480c7",
      "tree": "475f544536d52739e0929e7727cab5124e855a06",
      "parents": [
        "b7ed698cc9d556306a4088c238e2ea9311ea2cb3"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Sep 22 16:43:43 2009 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Sep 23 07:39:29 2009 -0700"
      },
      "message": "seq_file: constify seq_operations\n\nMake all seq_operations structs const, to help mitigate against\nrevectoring user-triggerable function pointers.\n\nThis is derived from the grsecurity patch, although generated from scratch\nbecause it\u0027s simpler than extracting the changes from there.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "acd0c935178649f72c44ec49ca83bee35ce1f79e",
      "tree": "c0cb2f8fbbaa54567785b5430e5be8c8b51f5724",
      "parents": [
        "e07cccf4046978df10f2e13fe2b99b2f9b3a65db"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Sep 04 13:08:46 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Sep 07 11:54:58 2009 +1000"
      },
      "message": "IMA: update ima_counts_put\n\n- As ima_counts_put() may be called after the inode has been freed,\nverify that the inode is not NULL, before dereferencing it.\n\n- Maintain the IMA file counters in may_open() properly, decrementing\nany counter increments on subsequent errors.\n\nReported-by: Ciprian Docan \u003cdocan@eden.rutgers.edu\u003e\nReported-by: J.R. Okajima \u003chooanon05@yahoo.co.jp\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5311034ddda7aad48934520d3536b9d0e4502672",
      "tree": "1c4f522322883ccf8e253c95343abc74344bfab8",
      "parents": [
        "533995ed85730a1f5f385b9ecb2d2b4b731d27b4",
        "53a7197aff20e341487fca8575275056fe1c63e5"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Aug 26 20:17:07 2009 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Aug 26 20:17:07 2009 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n  IMA: iint put in ima_counts_get and put\n"
    },
    {
      "commit": "53a7197aff20e341487fca8575275056fe1c63e5",
      "tree": "db302fc811fb6debaa7015abd908c053a59d084f",
      "parents": [
        "3edf2fb9d80a46d6c32ba12547a42419845b4b76"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Aug 26 14:56:48 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 27 11:01:03 2009 +1000"
      },
      "message": "IMA: iint put in ima_counts_get and put\n\nima_counts_get() calls ima_iint_find_insert_get() which takes a reference\nto the iint in question, but does not put that reference at the end of the\nfunction.  This can lead to a nasty memory leak.  Easy enough to reproduce:\n\n#include \u003csys/mman.h\u003e\n#include \u003cstdio.h\u003e\n\nint main (void)\n{\n\tint i;\n\tvoid *ptr;\n\n\tfor (i\u003d0; i \u003c 100000; i++) {\n\t\tptr \u003d mmap(NULL, 4096, PROT_READ|PROT_WRITE,\n\t\t\t   MAP_SHARED|MAP_ANONYMOUS, -1, 0);\n\t\tif (ptr \u003d\u003d MAP_FAILED)\n\t\t\treturn 2;\n\t\tmunmap(ptr, 4096);\n\t}\n\n\treturn 0;\n}\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    }
  ],
  "next": "16bfa38b1936212428cb38fbfbbb8f6c62b8d81f"
}
