{
  "log": [
    {
      "commit": "073219e995b4a3f8cf1ce8228b7ef440b6994ac0",
      "tree": "d140fc2e94bd8fd09270286b7267fb087a79f288",
      "parents": [
        "3ed80a62bf959d34ebd4d553b026fbe7e6fbcc54"
      ],
      "author": {
        "name": "Tejun Heo",
        "email": "tj@kernel.org",
        "time": "Sat Feb 08 10:36:58 2014 -0500"
      },
      "committer": {
        "name": "Tejun Heo",
        "email": "tj@kernel.org",
        "time": "Sat Feb 08 10:36:58 2014 -0500"
      },
      "message": "cgroup: clean up cgroup_subsys names and initialization\n\ncgroup_subsys is a bit messier than it needs to be.\n\n* The name of a subsys can be different from its internal identifier\n  defined in cgroup_subsys.h.  Most subsystems use the matching name\n  but three - cpu, memory and perf_event - use different ones.\n\n* cgroup_subsys_id enums are postfixed with _subsys_id and each\n  cgroup_subsys is postfixed with _subsys.  cgroup.h is widely\n  included throughout various subsystems, it doesn\u0027t and shouldn\u0027t\n  have claim on such generic names which don\u0027t have any qualifier\n  indicating that they belong to cgroup.\n\n* cgroup_subsys-\u003esubsys_id should always equal the matching\n  cgroup_subsys_id enum; however, we require each controller to\n  initialize it and then BUG if they don\u0027t match, which is a bit\n  silly.\n\nThis patch cleans up cgroup_subsys names and initialization by doing\nthe following.\n\n* cgroup_subsys_id enums are now postfixed with _cgrp_id, and each\n  cgroup_subsys with _cgrp_subsys.\n\n* With the above, renaming subsys identifiers to match the userland\n  visible names doesn\u0027t cause any naming conflicts.  All non-matching\n  identifiers are renamed to match the official names.\n\n  cpu_cgroup -\u003e cpu\n  mem_cgroup -\u003e memory\n  perf -\u003e perf_event\n\n* controllers no longer need to initialize -\u003esubsys_id and -\u003ename.\n  They\u0027re generated in cgroup core and set automatically during boot.\n\n* Redundant cgroup_subsys declarations removed.\n\n* While updating BUG_ON()s in cgroup_init_early(), convert them to\n  WARN()s.  BUGging that early during boot is stupid - the kernel\n  can\u0027t print anything, even through serial console and the trap\n  handler doesn\u0027t even link stack frame properly for back-tracing.\n\nThis patch doesn\u0027t introduce any behavior changes.\n\nv2: Rebased on top of fe1217c4f3f7 (\"net: net_cls: move cgroupfs\n    classid handling into core\").\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nAcked-by: Neil Horman \u003cnhorman@tuxdriver.com\u003e\nAcked-by: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\nAcked-by: \"Rafael J. Wysocki\" \u003crjw@rjwysocki.net\u003e\nAcked-by: Michal Hocko \u003cmhocko@suse.cz\u003e\nAcked-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nAcked-by: Aristeu Rozanski \u003caris@redhat.com\u003e\nAcked-by: Ingo Molnar \u003cmingo@redhat.com\u003e\nAcked-by: Li Zefan \u003clizefan@huawei.com\u003e\nCc: Johannes Weiner \u003channes@cmpxchg.org\u003e\nCc: Balbir Singh \u003cbsingharora@gmail.com\u003e\nCc: KAMEZAWA Hiroyuki \u003ckamezawa.hiroyu@jp.fujitsu.com\u003e\nCc: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nCc: Vivek Goyal \u003cvgoyal@redhat.com\u003e\nCc: Thomas Graf \u003ctgraf@suug.ch\u003e\n"
    },
    {
      "commit": "6dd9158ae8577372aa433e6b0eae3c3d4caa5439",
      "tree": "aa097a9f9ea6206d668ac924460ad1a5d64e751c",
      "parents": [
        "90804ed61f24712975fa12f8a1fc12cd46ef7d59",
        "f3411cb2b2e396a41ed3a439863f028db7140a34"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jan 23 18:08:10 2014 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Jan 23 18:08:10 2014 -0800"
      },
      "message": "Merge git://git.infradead.org/users/eparis/audit\n\nPull audit update from Eric Paris:\n \"Again we stayed pretty well contained inside the audit system.\n  Venturing out was fixing a couple of function prototypes which were\n  inconsistent (didn\u0027t hurt anything, but we used the same value as an\n  int, uint, u32, and I think even a long in a couple of places).\n\n  We also made a couple of minor changes to when a couple of LSMs called\n  the audit system.  We hoped to add aarch64 audit support this go\n  round, but it wasn\u0027t ready.\n\n  I\u0027m disappearing on vacation on Thursday.  I should have internet\n  access, but it\u0027ll be spotty.  If anything goes wrong please be sure to\n  cc rgb@redhat.com.  He\u0027ll make fixing things his top priority\"\n\n* git://git.infradead.org/users/eparis/audit: (50 commits)\n  audit: whitespace fix in kernel-parameters.txt\n  audit: fix location of __net_initdata for audit_net_ops\n  audit: remove pr_info for every network namespace\n  audit: Modify a set of system calls in audit class definitions\n  audit: Convert int limit uses to u32\n  audit: Use more current logging style\n  audit: Use hex_byte_pack_upper\n  audit: correct a type mismatch in audit_syscall_exit()\n  audit: reorder AUDIT_TTY_SET arguments\n  audit: rework AUDIT_TTY_SET to only grab spin_lock once\n  audit: remove needless switch in AUDIT_SET\n  audit: use define\u0027s for audit version\n  audit: documentation of audit\u003d kernel parameter\n  audit: wait_for_auditd rework for readability\n  audit: update MAINTAINERS\n  audit: log task info on feature change\n  audit: fix incorrect set of audit_sock\n  audit: print error message when fail to create audit socket\n  audit: fix dangling keywords in audit_log_set_loginuid() output\n  audit: log on errors from filter user rules\n  ...\n"
    },
    {
      "commit": "f075e0f6993f41c72dbb1d3e7a2d7740f14e89e2",
      "tree": "a25b464a67fffc6f43940e0e85e2735a48bb1ad7",
      "parents": [
        "5cb7398caf69e3943df78435a19a8a77fe8b9463",
        "dd4b0a4676907481256d16d5de0851b315a6f22c"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Jan 21 17:51:34 2014 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Jan 21 17:51:34 2014 -0800"
      },
      "message": "Merge branch \u0027for-3.14\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup\n\nPull cgroup updates from Tejun Heo:\n \"The bulk of changes are cleanups and preparations for the upcoming\n  kernfs conversion.\n\n   - cgroup_event mechanism which is and will be used only by memcg is\n     moved to memcg.\n\n   - pidlist handling is updated so that it can be served by seq_file.\n\n     Also, the list is not sorted if sane_behavior.  cgroup\n     documentation explicitly states that the file is not sorted but it\n     has been for quite some time.\n\n   - All cgroup file handling now happens on top of seq_file.  This is\n     to prepare for kernfs conversion.  In addition, all operations are\n     restructured so that they map 1-1 to kernfs operations.\n\n   - Other cleanups and low-pri fixes\"\n\n* \u0027for-3.14\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: (40 commits)\n  cgroup: trivial style updates\n  cgroup: remove stray references to css_id\n  doc: cgroups: Fix typo in doc/cgroups\n  cgroup: fix fail path in cgroup_load_subsys()\n  cgroup: fix missing unlock on error in cgroup_load_subsys()\n  cgroup: remove for_each_root_subsys()\n  cgroup: implement for_each_css()\n  cgroup: factor out cgroup_subsys_state creation into create_css()\n  cgroup: combine css handling loops in cgroup_create()\n  cgroup: reorder operations in cgroup_create()\n  cgroup: make for_each_subsys() useable under cgroup_root_mutex\n  cgroup: css iterations and css_from_dir() are safe under cgroup_mutex\n  cgroup: unify pidlist and other file handling\n  cgroup: replace cftype-\u003eread_seq_string() with cftype-\u003eseq_show()\n  cgroup: attach cgroup_open_file to all cgroup files\n  cgroup: generalize cgroup_pidlist_open_file\n  cgroup: unify read path so that seq_file is always used\n  cgroup: unify cgroup_write_X64() and cgroup_write_string()\n  cgroup: remove cftype-\u003eread(), -\u003eread_map() and -\u003ewrite()\n  hugetlb_cgroup: convert away from cftype-\u003eread()\n  ...\n"
    },
    {
      "commit": "fb2e2c85375a0380d6818f153ffa2ae9ebbd055f",
      "tree": "cf8498a01357c220e4d664ff67125f60146f0da3",
      "parents": [
        "ec513b16c480c6cdda1e3d597e611eafca05227b",
        "923b49ff69fcbffe6f8b2739de218c45544392a7"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Jan 21 09:06:02 2014 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Jan 21 09:06:02 2014 -0800"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security\n\nPull security layer updates from James Morris:\n \"Changes for this kernel include maintenance updates for Smack, SELinux\n  (and several networking fixes), IMA and TPM\"\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits)\n  SELinux: Fix memory leak upon loading policy\n  tpm/tpm-sysfs: active_show() can be static\n  tpm: tpm_tis: Fix compile problems with CONFIG_PM_SLEEP/CONFIG_PNP\n  tpm: Make tpm-dev allocate a per-file structure\n  tpm: Use the ops structure instead of a copy in tpm_vendor_specific\n  tpm: Create a tpm_class_ops structure and use it in the drivers\n  tpm: Pull all driver sysfs code into tpm-sysfs.c\n  tpm: Move sysfs functions from tpm-interface to tpm-sysfs\n  tpm: Pull everything related to /dev/tpmX into tpm-dev.c\n  char: tpm: nuvoton: remove unused variable\n  tpm: MAINTAINERS: Cleanup TPM Maintainers file\n  tpm/tpm_i2c_atmel: fix coccinelle warnings\n  tpm/tpm_ibmvtpm: fix unreachable code warning (smatch warning)\n  tpm/tpm_i2c_stm_st33: Check return code of get_burstcount\n  tpm/tpm_ppi: Check return value of acpi_get_name\n  tpm/tpm_ppi: Do not compare strcmp(a,b) \u003d\u003d -1\n  ima: remove unneeded size_limit argument from ima_eventdigest_init_common()\n  ima: update IMA-templates.txt documentation\n  ima: pass HASH_ALGO__LAST as hash algo in ima_eventdigest_init()\n  ima: change the default hash algorithm to SHA1 in ima_eventdigest_ng_init()\n  ...\n"
    },
    {
      "commit": "4eb0f4abfb9441849530ea19389ae57cc62c8078",
      "tree": "0594e8a255258bfb21fadf622e46df95da86c918",
      "parents": [
        "9ad42a79247d5e16d26f7d1531a68f20a889c5af"
      ],
      "author": {
        "name": "Richard Guy Briggs",
        "email": "rgb@redhat.com",
        "time": "Thu Nov 21 13:57:33 2013 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Jan 13 22:32:06 2014 -0500"
      },
      "message": "smack: call WARN_ONCE() instead of calling audit_log_start()\n\nRemove the call to audit_log() (which calls audit_log_start()) and deal with\nthe errors in the caller, logging only once if the condition is met.  Calling\naudit_log_start() in this location makes buffer allocation and locking more\ncomplicated in the calling tree (audit_filter_user()).\n\nSigned-off-by: Richard Guy Briggs \u003crgb@redhat.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "9ad42a79247d5e16d26f7d1531a68f20a889c5af",
      "tree": "3d0af9e44b66f8738b4be24ac82b560612b68ece",
      "parents": [
        "4440e8548153e9e6d56db9abe6f3bc0e5b9eb74f"
      ],
      "author": {
        "name": "Richard Guy Briggs",
        "email": "rgb@redhat.com",
        "time": "Thu Nov 21 13:31:40 2013 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Jan 13 22:32:00 2014 -0500"
      },
      "message": "selinux: call WARN_ONCE() instead of calling audit_log_start()\n\nTwo of the conditions in selinux_audit_rule_match() should never happen and\nthe third indicates a race that should be retried.  Remove the calls to\naudit_log() (which calls audit_log_start()) and deal with the errors in the\ncaller, logging only once if the condition is met.  Calling audit_log_start()\nin this location makes buffer allocation and locking more complicated in the\ncalling tree (audit_filter_user()).\n\nSigned-off-by: Richard Guy Briggs \u003crgb@redhat.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "3dc91d4338d698ce77832985f9cb183d8eeaf6be",
      "tree": "04ab80b7e7ce8664e179ac8cb9b714a94344c833",
      "parents": [
        "eecc1e426d681351a6026a7d3e7d225f38955b6c"
      ],
      "author": {
        "name": "Steven Rostedt",
        "email": "rostedt@goodmis.org",
        "time": "Thu Jan 09 21:46:34 2014 -0500"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sun Jan 12 16:53:13 2014 +0700"
      },
      "message": "SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()\n\nWhile running stress tests on adding and deleting ftrace instances I hit\nthis bug:\n\n  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n  IP: selinux_inode_permission+0x85/0x160\n  PGD 63681067 PUD 7ddbe067 PMD 0\n  Oops: 0000 [#1] PREEMPT\n  CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20\n  Hardware name:                  /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006\n  task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000\n  RIP: 0010:[\u003cffffffff812d8bc5\u003e]  [\u003cffffffff812d8bc5\u003e] selinux_inode_permission+0x85/0x160\n  RSP: 0018:ffff88007ddb1c48  EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840\n  RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000\n  RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54\n  R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000\n  R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000\n  FS:  00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M\n  CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0\n  Call Trace:\n    security_inode_permission+0x1c/0x30\n    __inode_permission+0x41/0xa0\n    inode_permission+0x18/0x50\n    link_path_walk+0x66/0x920\n    path_openat+0xa6/0x6c0\n    do_filp_open+0x43/0xa0\n    do_sys_open+0x146/0x240\n    SyS_open+0x1e/0x20\n    system_call_fastpath+0x16/0x1b\n  Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 \u003c0f\u003e b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff\n  RIP  selinux_inode_permission+0x85/0x160\n  CR2: 0000000000000020\n\nInvestigating, I found that the inode-\u003ei_security was NULL, and the\ndereference of it caused the oops.\n\nin selinux_inode_permission():\n\n\tisec \u003d inode-\u003ei_security;\n\n\trc \u003d avc_has_perm_noaudit(sid, isec-\u003esid, isec-\u003esclass, perms, 0, \u0026avd);\n\nNote, the crash came from stressing the deletion and reading of debugfs\nfiles.  I was not able to recreate this via normal files.  But I\u0027m not\nsure they are safe.  It may just be that the race window is much harder\nto hit.\n\nWhat seems to have happened (and what I have traced), is the file is\nbeing opened at the same time the file or directory is being deleted.\nAs the dentry and inode locks are not held during the path walk, nor are\nthe inode\u0027s ref counts being incremented, there is nothing saving these\nstructures from being discarded except for an rcu_read_lock().\n\nThe rcu_read_lock() protects against freeing of the inode, but it does\nnot protect freeing of the inode_security_struct.  Now if the freeing of\nthe i_security happens with a call_rcu(), and the i_security field of\nthe inode is not changed (it gets freed as the inode gets freed) then\nthere will be no issue here.  (Linus Torvalds suggested not setting the\nfield to NULL such that we do not need to check if it is NULL in the\npermission check).\n\nNote, this is a hack, but it fixes the problem at hand.  A real fix is\nto restructure the destroy_inode() to call all the destructor handlers\nfrom the RCU callback.  But that is a major job to do, and requires a\nlot of work.  For now, we just band-aid this bug with this fix (it\nworks), and work on a more maintainable solution in the future.\n\nLink: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home\nLink: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home\n\nCc: stable@vger.kernel.org\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "923b49ff69fcbffe6f8b2739de218c45544392a7",
      "tree": "44d03d61cad1edd916e5e0d88641353aa7cd0d4c",
      "parents": [
        "d4a82a4a033d563f1dc2c944eec2358cb38432d0",
        "8ed814602876bec9bad2649ca17f34b499357a1c"
      ],
      "author": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Wed Jan 08 17:22:32 2014 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Wed Jan 08 17:22:32 2014 +1100"
      },
      "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/pcmoore/selinux into next\n"
    },
    {
      "commit": "8ed814602876bec9bad2649ca17f34b499357a1c",
      "tree": "2ee1bfcb40e7ecfa61064a2c6c254fa575af9db6",
      "parents": [
        "465954cd649a7d8cd331695bd24a16bcb5c4c716"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Jan 06 21:28:15 2014 +0900"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Jan 07 10:21:44 2014 -0500"
      },
      "message": "SELinux: Fix memory leak upon loading policy\n\nHello.\n\nI got below leak with linux-3.10.0-54.0.1.el7.x86_64 .\n\n[  681.903890] kmemleak: 5538 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n\nBelow is a patch, but I don\u0027t know whether we need special handling for undoing\nebitmap_set_bit() call.\n----------\n\u003e\u003eFrom fe97527a90fe95e2239dfbaa7558f0ed559c0992 Mon Sep 17 00:00:00 2001\nFrom: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nDate: Mon, 6 Jan 2014 16:30:21 +0900\nSubject: [PATCH] SELinux: Fix memory leak upon loading policy\n\nCommit 2463c26d \"SELinux: put name based create rules in a hashtable\" did not\ncheck return value from hashtab_insert() in filename_trans_read(). It leaks\nmemory if hashtab_insert() returns error.\n\n  unreferenced object 0xffff88005c9160d0 (size 8):\n    comm \"systemd\", pid 1, jiffies 4294688674 (age 235.265s)\n    hex dump (first 8 bytes):\n      57 0b 00 00 6b 6b 6b a5                          W...kkk.\n    backtrace:\n      [\u003cffffffff816604ae\u003e] kmemleak_alloc+0x4e/0xb0\n      [\u003cffffffff811cba5e\u003e] kmem_cache_alloc_trace+0x12e/0x360\n      [\u003cffffffff812aec5d\u003e] policydb_read+0xd1d/0xf70\n      [\u003cffffffff812b345c\u003e] security_load_policy+0x6c/0x500\n      [\u003cffffffff812a623c\u003e] sel_write_load+0xac/0x750\n      [\u003cffffffff811eb680\u003e] vfs_write+0xc0/0x1f0\n      [\u003cffffffff811ec08c\u003e] SyS_write+0x4c/0xa0\n      [\u003cffffffff81690419\u003e] system_call_fastpath+0x16/0x1b\n      [\u003cffffffffffffffff\u003e] 0xffffffffffffffff\n\nHowever, we should not return EEXIST error to the caller, or systemd will\nshow below message and the boot sequence freezes.\n\n  systemd[1]: Failed to load SELinux policy. Freezing.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "d4a82a4a033d563f1dc2c944eec2358cb38432d0",
      "tree": "83f8fca138299584d47930d2509151ea38050253",
      "parents": [
        "5f64822d63efa20cee9efe8766b3a62ab6a1f6c3",
        "465954cd649a7d8cd331695bd24a16bcb5c4c716"
      ],
      "author": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Tue Jan 07 01:45:59 2014 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Tue Jan 07 01:45:59 2014 +1100"
      },
      "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/pcmoore/selinux into next\n\nConflicts:\n\tsecurity/selinux/hooks.c\n\nResolved using request struct.\n\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "38fd2c202a3d82bc12430bce5789fa2c2a406f71",
      "tree": "a73513dbb015155f5236b391709b9083916b3136",
      "parents": [
        "dcf4e392867bf98d50ad108ed7c2bfb941e8c33d",
        "d6e0a2dd12f4067a5bcefb8bbd8ddbeff800afbc"
      ],
      "author": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Mon Jan 06 22:23:01 2014 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Mon Jan 06 22:23:01 2014 +1100"
      },
      "message": "Merge to v3.13-rc7 for prerequisite changes in the Xen code for TPM\n"
    },
    {
      "commit": "dcf4e392867bf98d50ad108ed7c2bfb941e8c33d",
      "tree": "25f5668c6acf31bcb593937acac3673b350a942e",
      "parents": [
        "ef8894b0ca3f123bd68dd748b162369ccbeca4a7"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Nov 08 19:21:37 2013 +0100"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Jan 03 07:43:00 2014 -0500"
      },
      "message": "ima: remove unneeded size_limit argument from ima_eventdigest_init_common()\n\nThis patch removes the \u0027size_limit\u0027 argument from\nima_eventdigest_init_common(). Since the \u0027d\u0027 field will never include\nthe hash algorithm as prefix and the \u0027d-ng\u0027 will always have it, we can\nuse the hash algorithm to differentiate the two cases in the modified\nfunction (it is equal to HASH_ALGO__LAST in the first case, the opposite\nin the second).\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "712a49bd7d00d567edd5235e6e9034c55052446b",
      "tree": "a6193db0635b8d7bbee756bb3f3d41fd3451bef5",
      "parents": [
        "c502c78ba7fb5b9cef71e2bd70f12c38ef26e5ab"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Nov 08 19:21:36 2013 +0100"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Jan 03 07:42:59 2014 -0500"
      },
      "message": "ima: pass HASH_ALGO__LAST as hash algo in ima_eventdigest_init()\n\nReplace the \u0027-1\u0027 value with HASH_ALGO__LAST in ima_eventdigest_init()\nas the called function ima_eventdigest_init_common() expects an unsigned\nchar.\n\nFix commit:\n  4d7aeee ima: define new template ima-ng and template fields d-ng and n-ng\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "c502c78ba7fb5b9cef71e2bd70f12c38ef26e5ab",
      "tree": "cd708ce3fe4a3bc149b1d507450601dec18f03ed",
      "parents": [
        "4482a44f6a3221cd0076eb6af65672a7e198d8da"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Nov 08 19:21:35 2013 +0100"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Jan 03 07:42:57 2014 -0500"
      },
      "message": "ima: change the default hash algorithm to SHA1 in ima_eventdigest_ng_init()\n\nReplace HASH_ALGO__LAST with HASH_ALGO_SHA1 as the initial value of\nthe hash algorithm so that the prefix \u0027sha1:\u0027 is added to violation\ndigests.\n\nFix commit:\n  4d7aeee ima: define new template ima-ng and template fields d-ng and n-ng\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nCc: \u003cstable@vger.kernel.org\u003e # 3.13.x\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "4482a44f6a3221cd0076eb6af65672a7e198d8da",
      "tree": "5caa99f7179486a64399de14496fba56a88cb7e9",
      "parents": [
        "24ea1b6efcd8fc3b465fb74964e1a0cbe9979730"
      ],
      "author": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Mon Dec 30 17:37:45 2013 -0800"
      },
      "committer": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Tue Dec 31 13:35:27 2013 -0800"
      },
      "message": "Smack: File receive audit correction\n\nEric Paris politely points out:\n\n    Inside smack_file_receive() it seems like you are initting the audit\n    field with LSM_AUDIT_DATA_TASK.  And then use\n    smk_ad_setfield_u_fs_path().\n\n    Seems like LSM_AUDIT_DATA_PATH would make more sense.  (and depending\n    on how it\u0027s used fix a crash...)\n\nHe is correct. This puts things in order.\n\nTargeted for git://git.gitorious.org/smack-next/kernel.git\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n"
    },
    {
      "commit": "24ea1b6efcd8fc3b465fb74964e1a0cbe9979730",
      "tree": "bb45d3814997cbfe99a72fa9c874b752fcd6b83a",
      "parents": [
        "4afde48be8929b6da63a9e977aaff0894ba82984"
      ],
      "author": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Mon Dec 30 09:38:00 2013 -0800"
      },
      "committer": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Tue Dec 31 13:35:16 2013 -0800"
      },
      "message": "Smack: Rationalize mount restrictions\n\nThe mount restrictions imposed by Smack rely heavily on the\nuse of the filesystem \"floor\", which is the label that all\nprocesses writing to the filesystem must have access to. It\nturns out that while the \"floor\" notion is sound, it has yet\nto be fully implemented and has never been used.\n\nThe sb_mount and sb_umount hooks only make sense if the\nfilesystem floor is used actively, and it isn\u0027t. They can\nbe reintroduced if a rational restriction comes up. Until\nthen, they get removed.\n\nThe sb_kern_mount hook is required for the option processing.\nIt is too permissive in the case of unprivileged mounts,\neffectively bypassing the CAP_MAC_ADMIN restrictions if\nany of the smack options are specified. Unprivileged mounts\nare no longer allowed to set Smack filesystem options.\nAdditionally, the root and default values are set to the\nlabel of the caller, in keeping with the policy that objects\nget the label of their creator.\n\nTargeted for git://git.gitorious.org/smack-next/kernel.git\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n"
    },
    {
      "commit": "4afde48be8929b6da63a9e977aaff0894ba82984",
      "tree": "0e2ade1737801dd3a378278efabaaeaa7678cff5",
      "parents": [
        "00f84f3f2e9d088f06722f4351d67f5f577abe22"
      ],
      "author": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Thu Dec 19 13:23:26 2013 -0800"
      },
      "committer": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Mon Dec 23 15:57:43 2013 -0800"
      },
      "message": "Smack: change rule cap check\n\nsmk_write_change_rule() is calling capable rather than\nthe more correct smack_privileged(). This allows for setting\nrules in violation of the onlycap facility. This is the\nsimple repair.\n\nTargeted for git://git.gitorious.org/smack-next/kernel.git\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n"
    },
    {
      "commit": "00f84f3f2e9d088f06722f4351d67f5f577abe22",
      "tree": "06ac369a9dac582d9d9710aba38c684f048774ba",
      "parents": [
        "19760ad03cc639d6f6f8e9beff0f8e6df654b677"
      ],
      "author": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Mon Dec 23 11:07:10 2013 -0800"
      },
      "committer": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Mon Dec 23 15:50:55 2013 -0800"
      },
      "message": "Smack: Make the syslog control configurable\n\nThe syslog control requires that the calling process\nhave the floor (\"_\") Smack label. Tizen does not run any\nprocesses except for kernel helpers with the floor label.\nThis change allows the admin to configure a specific\nlabel for syslog. The default value is the star (\"*\")\nlabel, effectively removing the restriction. The value\ncan be set using smackfs/syslog for anyone who wants\na more restrictive behavior.\n\nTargeted for git://git.gitorious.org/smack-next/kernel.git\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n"
    },
    {
      "commit": "c0c1439541f5305b57a83d599af32b74182933fe",
      "tree": "e430e1d9e869d9e08a0a7e8677951465568d17dc",
      "parents": [
        "46d01d63221c3508421dd72ff9c879f61053cffc"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Mon Dec 23 17:45:01 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Mon Dec 23 17:45:17 2013 -0500"
      },
      "message": "selinux: selinux_setprocattr()-\u003eptrace_parent() needs rcu_read_lock()\n\nselinux_setprocattr() does ptrace_parent(p) under task_lock(p),\nbut task_struct-\u003ealloc_lock doesn\u0027t pin -\u003eparent or -\u003eptrace,\nthis looks confusing and triggers the \"suspicious RCU usage\"\nwarning because ptrace_parent() does rcu_dereference_check().\n\nAnd in theory this is wrong, spin_lock()-\u003epreempt_disable()\ndoesn\u0027t necessarily imply rcu_read_lock() we need to access\nthe -\u003eparent.\n\nReported-by: Evan McNabb \u003cemcnabb@redhat.com\u003e\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "46d01d63221c3508421dd72ff9c879f61053cffc",
      "tree": "a540d957750613679ab917082b9d88e7f8561959",
      "parents": [
        "f5835372ebedf26847c2b9e193284075cc9c1f7f"
      ],
      "author": {
        "name": "Chad Hanson",
        "email": "chanson@trustedcs.com",
        "time": "Mon Dec 23 17:45:01 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Mon Dec 23 17:45:17 2013 -0500"
      },
      "message": "selinux: fix broken peer recv check\n\nFix a broken networking check. Return an error if peer recv fails.  If\nsecmark is active and the packet recv succeeds the peer recv error is\nignored.\n\nSigned-off-by: Chad Hanson \u003cchanson@trustedcs.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "19760ad03cc639d6f6f8e9beff0f8e6df654b677",
      "tree": "66f40219fd1a35b7d6bee6eab7aee0fa8405a287",
      "parents": [
        "398ce073700a2a3e86b5a0b1edecdddfa3996b27"
      ],
      "author": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Mon Dec 16 16:27:26 2013 -0800"
      },
      "committer": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Thu Dec 19 13:05:24 2013 -0800"
      },
      "message": "Smack: Prevent the * and @ labels from being used in SMACK64EXEC\n\nSmack prohibits processes from using the star (\"*\") and web (\"@\") labels\nbecause we don\u0027t want files with those labels getting created implicitly.\nAll setting of those labels should be done explicitly. The trouble is that\nthere is no check for these labels in the processing of SMACK64EXEC. That\nis repaired.\n\nTargeted for git://git.gitorious.org/smack-next/kernel.git\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n"
    },
    {
      "commit": "465954cd649a7d8cd331695bd24a16bcb5c4c716",
      "tree": "8c0e5ee5d4073fb24e4b58719488da578cfe49f8",
      "parents": [
        "a5e333d34037c64c5f667dee3c418b66874ba0b0"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Sat Dec 14 17:33:17 2013 +0100"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Mon Dec 16 16:00:29 2013 -0500"
      },
      "message": "selinux: selinux_setprocattr()-\u003eptrace_parent() needs rcu_read_lock()\n\nselinux_setprocattr() does ptrace_parent(p) under task_lock(p),\nbut task_struct-\u003ealloc_lock doesn\u0027t pin -\u003eparent or -\u003eptrace,\nthis looks confusing and triggers the \"suspicious RCU usage\"\nwarning because ptrace_parent() does rcu_dereference_check().\n\nAnd in theory this is wrong, spin_lock()-\u003epreempt_disable()\ndoesn\u0027t necessarily imply rcu_read_lock() we need to access\nthe -\u003eparent.\n\nReported-by: Evan McNabb \u003cemcnabb@redhat.com\u003e\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "a5e333d34037c64c5f667dee3c418b66874ba0b0",
      "tree": "4303067995fc78ace0172bec5a99d25871d615a0",
      "parents": [
        "4d546f81717d253ab67643bf072c6d8821a9249c"
      ],
      "author": {
        "name": "Wei Yongjun",
        "email": "yongjun_wei@trendmicro.com.cn",
        "time": "Mon Dec 16 14:15:40 2013 +0800"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Mon Dec 16 15:58:23 2013 -0500"
      },
      "message": "SELinux: remove duplicated include from hooks.c\n\nRemove duplicated include.\n\nSigned-off-by: Wei Yongjun \u003cyongjun_wei@trendmicro.com.cn\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "b5745c59627854afb3cd3f3860ee6f4571e2b633",
      "tree": "df9f3bb37b4cf0f3c52c970927bed4a843234e29",
      "parents": [
        "29b1deb2a48a9dd02b93597aa4c055a24c0e989f",
        "d93aca6050b10cd7d8b491637c3b5344c5680cac"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sun Dec 15 11:28:02 2013 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sun Dec 15 11:28:02 2013 -0800"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security\n\nPull SELinux fixes from James Morris.\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:\n  selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_postroute()\n  selinux: look for IPsec labels on both inbound and outbound packets\n  selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()\n  selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output()\n  selinux: fix possible memory leak\n"
    },
    {
      "commit": "29b1deb2a48a9dd02b93597aa4c055a24c0e989f",
      "tree": "7e179afa1380b31646512aa5cf025e7b162c4885",
      "parents": [
        "0925f2cdf9d11fb24130d00d6bbea84502610535"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sun Dec 15 11:17:45 2013 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sun Dec 15 11:17:45 2013 -0800"
      },
      "message": "Revert \"selinux: consider filesystem subtype in policies\"\n\nThis reverts commit 102aefdda4d8275ce7d7100bc16c88c74272b260.\n\nTom London reports that it causes sync() to hang on Fedora rawhide:\n\n  https://bugzilla.redhat.com/show_bug.cgi?id\u003d1033965\n\nand Josh Boyer bisected it down to this commit.  Reverting the commit in\nthe rawhide kernel fixes the problem.\n\nEric Paris root-caused it to incorrect subtype matching in that commit\nbreaking fuse, and has a tentative patch, but by now we\u0027re better off\nretrying this in 3.14 rather than playing with it any more.\n\nReported-by: Tom London \u003cselinux@gmail.com\u003e\nBisected-by: Josh Boyer \u003cjwboyer@fedoraproject.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Anand Avati \u003cavati@redhat.com\u003e\nCc: Paul Moore \u003cpaul@paul-moore.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "4d546f81717d253ab67643bf072c6d8821a9249c",
      "tree": "2bfae32c5e42b7b57cab82efbe71f522db79af60",
      "parents": [
        "598cdbcf861825692fe7905e0fd662c7d06bae58"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Fri Dec 13 14:49:53 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Fri Dec 13 14:52:25 2013 -0500"
      },
      "message": "selinux: revert 102aefdda4d8275ce7d7100bc16c88c74272b260\n\nRevert \"selinux: consider filesystem subtype in policies\"\n\nThis reverts commit 102aefdda4d8275ce7d7100bc16c88c74272b260.\n\nExplanation from Eric Paris:\n\n\tSELinux policy can specify if it should use a filesystem\u0027s\n\txattrs or not.  In current policy we have a specification that\n\tfuse should not use xattrs but fuse.glusterfs should use\n\txattrs.  This patch has a bug in which non-glusterfs\n\tfilesystems would match the rule saying fuse.glusterfs should\n\tuse xattrs.  If both fuse and the particular filesystem in\n\tquestion are not written to handle xattr calls during the mount\n\tcommand, they will deadlock.\n\n\tI have fixed the bug to do proper matching, however I believe a\n\trevert is still the correct solution.  The reason I believe\n\tthat is because the code still does not work.  The s_subtype is\n\tnot set until after the SELinux hook which attempts to match on\n\tthe \".gluster\" portion of the rule.  So we cannot match on the\n\trule in question.  The code is useless.\n\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "d93aca6050b10cd7d8b491637c3b5344c5680cac",
      "tree": "216cf72ea9fc6e7e1f995029cf5ead4a4aeb3301",
      "parents": [
        "54fb723cc48db2fde964fb9bb0eaaccf2cf31a9f",
        "c0828e50485932b7e019df377a6b0a8d1ebd3080"
      ],
      "author": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Fri Dec 13 13:27:55 2013 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Fri Dec 13 13:27:55 2013 +1100"
      },
      "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/pcmoore/selinux_fixes into for-linus\n"
    },
    {
      "commit": "c0828e50485932b7e019df377a6b0a8d1ebd3080",
      "tree": "60d953c62261e7ec3b5b33e86e58a3d7286e1c4a",
      "parents": [
        "817eff718dca4e54d5721211ddde0914428fbb7c"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Dec 10 14:58:01 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Thu Dec 12 17:21:31 2013 -0500"
      },
      "message": "selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_postroute()\n\nDue to difficulty in arriving at the proper security label for\nTCP SYN-ACK packets in selinux_ip_postroute(), we need to check packets\nwhile/before they are undergoing XFRM transforms instead of waiting\nuntil afterwards so that we can determine the correct security label.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "817eff718dca4e54d5721211ddde0914428fbb7c",
      "tree": "af7ee8d6ca454532624c7148e9f96bd1a67c0cb3",
      "parents": [
        "446b802437f285de68ffb8d6fac3c44c3cab5b04"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Dec 10 14:57:54 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Thu Dec 12 17:21:31 2013 -0500"
      },
      "message": "selinux: look for IPsec labels on both inbound and outbound packets\n\nPreviously selinux_skb_peerlbl_sid() would only check for labeled\nIPsec security labels on inbound packets, this patch enables it to\ncheck both inbound and outbound traffic for labeled IPsec security\nlabels.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "446b802437f285de68ffb8d6fac3c44c3cab5b04",
      "tree": "2123c25875f8ad75114592e4755d21429765a6c0",
      "parents": [
        "47180068276a04ed31d24fe04c673138208b07a9"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Wed Dec 04 16:10:51 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Thu Dec 12 17:21:31 2013 -0500"
      },
      "message": "selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()\n\nIn selinux_ip_postroute() we perform access checks based on the\npacket\u0027s security label.  For locally generated traffic we get the\npacket\u0027s security label from the associated socket; this works in all\ncases except for TCP SYN-ACK packets.  In the case of SYN-ACK packets\nthe correct security label is stored in the connection\u0027s request_sock,\nnot the server\u0027s socket.  Unfortunately, at the point in time when\nselinux_ip_postroute() is called we can\u0027t query the request_sock\ndirectly; we need to recreate the label using the same logic that\noriginally labeled the associated request_sock.\n\nSee the inline comments for more explanation.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nTested-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "47180068276a04ed31d24fe04c673138208b07a9",
      "tree": "957e58757aa1373a9e8696761f00f26d6b6704f8",
      "parents": [
        "0af901643fe3f1f8d44e41115d36609ee4bda2bf"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Wed Dec 04 16:10:45 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Thu Dec 12 17:21:31 2013 -0500"
      },
      "message": "selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output()\n\nIn selinux_ip_output() we always label packets based on the parent\nsocket.  While this approach works in almost all cases, it doesn\u0027t\nwork in the case of TCP SYN-ACK packets when the correct label is not\nthe label of the parent socket, but rather the label of the larval\nsocket represented by the request_sock struct.\n\nUnfortunately, since the request_sock isn\u0027t queued on the parent\nsocket until *after* the SYN-ACK packet is sent, we can\u0027t lookup the\nrequest_sock to determine the correct label for the packet; at this\npoint in time the best we can do is simply pass/NF_ACCEPT the packet.\nIt must be said that simply passing the packet without any explicit\nlabeling action, while far from ideal, is not terrible as the SYN-ACK\npacket will inherit any IP option based labeling from the initial\nconnection request so the label *should* be correct and all our\naccess controls remain in place so we shouldn\u0027t have to worry about\ninformation leaks.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nTested-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "5dec682c7f33a765a5eb764cc18b1d02b17cd762",
      "tree": "fe75d0d632ac4343dcff1335dbccc58dd6bbcdf0",
      "parents": [
        "48a2f0b2728c88b18829e191eafdde60290aa64f",
        "62226983da070f7e51068ec2e3a4da34672964c7"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Dec 12 10:15:24 2013 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Dec 12 10:15:24 2013 -0800"
      },
      "message": "Merge tag \u0027keys-devel-20131210\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs\n\nPull misc keyrings fixes from David Howells:\n \"These break down into five sets:\n\n   - A patch to error handling in the big_key type for huge payloads.\n     If the payload is larger than the \"low limit\" and the backing store\n     allocation fails, then big_key_instantiate() doesn\u0027t clear the\n     payload pointers in the key, assuming them to have been previously\n     cleared - but only one of them is.\n\n     Unfortunately, the garbage collector still calls big_key_destroy()\n     when sees one of the pointers with a weird value in it (and not\n     NULL) which it then tries to clean up.\n\n   - Three patches to fix the keyring type:\n\n     * A patch to fix the hash function to correctly divide keyrings off\n       from keys in the topology of the tree inside the associative\n       array.  This is only a problem if searching through nested\n       keyrings - and only if the hash function incorrectly puts the a\n       keyring outside of the 0 branch of the root node.\n\n     * A patch to fix keyrings\u0027 use of the associative array.  The\n       __key_link_begin() function initially passes a NULL key pointer\n       to assoc_array_insert() on the basis that it\u0027s holding a place in\n       the tree whilst it does more allocation and stuff.\n\n       This is only a problem when a node contains 16 keys that match at\n       that level and we want to add an also matching 17th.  This should\n       easily be manufactured with a keyring full of keyrings (without\n       chucking any other sort of key into the mix) - except for (a)\n       above which makes it on average adding the 65th keyring.\n\n     * A patch to fix searching down through nested keyrings, where any\n       keyring in the set has more than 16 keyrings and none of the\n       first keyrings we look through has a match (before the tree\n       iteration needs to step to a more distal node).\n\n     Test in keyutils test suite:\n\n        http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/commit/?id\u003d8b4ae963ed92523aea18dfbb8cab3f4979e13bd1\n\n   - A patch to fix the big_key type\u0027s use of a shmem file as its\n     backing store causing audit messages and LSM check failures.  This\n     is done by setting S_PRIVATE on the file to avoid LSM checks on the\n     file (access to the shmem file goes through the keyctl() interface\n     and so is gated by the LSM that way).\n\n     This isn\u0027t normally a problem if a key is used by the context that\n     generated it - and it\u0027s currently only used by libkrb5.\n\n     Test in keyutils test suite:\n\n        http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/commit/?id\u003dd9a53cbab42c293962f2f78f7190253fc73bd32e\n\n   - A patch to add a generated file to .gitignore.\n\n   - A patch to fix the alignment of the system certificate data such\n     that it it works on s390.  As I understand it, on the S390 arch,\n     symbols must be 2-byte aligned because loading the address discards\n     the least-significant bit\"\n\n* tag \u0027keys-devel-20131210\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:\n  KEYS: correct alignment of system_certificate_list content in assembly file\n  Ignore generated file kernel/x509_certificate_list\n  security: shmem: implement kernel private shmem inodes\n  KEYS: Fix searching of nested keyrings\n  KEYS: Fix multiple key add into associative array\n  KEYS: Fix the keyring hash function\n  KEYS: Pre-clear struct key on allocation\n"
    },
    {
      "commit": "598cdbcf861825692fe7905e0fd662c7d06bae58",
      "tree": "c8114efd8770a9c8ee85f3e4c5cdec21447ba500",
      "parents": [
        "5c6c26813a209e7075baf908e3ad81c1a9d389e8"
      ],
      "author": {
        "name": "Chad Hanson",
        "email": "chanson@trustedcs.com",
        "time": "Wed Dec 11 17:07:56 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Wed Dec 11 17:07:56 2013 -0500"
      },
      "message": "selinux: fix broken peer recv check\n\nFix a broken networking check. Return an error if peer recv fails.  If\nsecmark is active and the packet recv succeeds the peer recv error is\nignored.\n\nSigned-off-by: Chad Hanson \u003cchanson@trustedcs.com\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "398ce073700a2a3e86b5a0b1edecdddfa3996b27",
      "tree": "81ebb8780ddfdd38590e1f5ba578a0aa087181b1",
      "parents": [
        "217091dd7a7a1bdac027ddb7c5a25f6ac0b8e241"
      ],
      "author": {
        "name": "Jarkko Sakkinen",
        "email": "jarkko.sakkinen@linux.intel.com",
        "time": "Thu Nov 28 19:16:46 2013 +0200"
      },
      "committer": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Wed Dec 11 10:48:55 2013 -0800"
      },
      "message": "smack: fix: allow either entry be missing on access/access2 check (v2)\n\nThis is a regression caused by f7112e6c. When either subject or\nobject is not found the answer for access should be no. This\npatch fixes the situation. \u00270\u0027 is written back instead of failing\nwith -EINVAL.\n\nv2: cosmetic style fixes\n\nSigned-off-by: Jarkko Sakkinen \u003cjarkko.sakkinen@linux.intel.com\u003e\n"
    },
    {
      "commit": "5c6c26813a209e7075baf908e3ad81c1a9d389e8",
      "tree": "6df3b20fae12cdba5e0deb254b9df2b933983506",
      "parents": [
        "5b67c493248059909d7e0ff646d8475306669b27"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Mon Dec 09 16:11:53 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Dec 10 14:50:25 2013 -0500"
      },
      "message": "selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_postroute()\n\nDue to difficulty in arriving at the proper security label for\nTCP SYN-ACK packets in selinux_ip_postroute(), we need to check packets\nwhile/before they are undergoing XFRM transforms instead of waiting\nuntil afterwards so that we can determine the correct security label.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "5b67c493248059909d7e0ff646d8475306669b27",
      "tree": "c1fb0f7caba61189811b12fc7e89c72d34610afb",
      "parents": [
        "0b1f24e6db9a60c1f68117ad158ea29faa7c3a7f"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Mon Dec 09 15:32:33 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Mon Dec 09 15:32:33 2013 -0500"
      },
      "message": "selinux: look for IPsec labels on both inbound and outbound packets\n\nPreviously selinux_skb_peerlbl_sid() would only check for labeled\nIPsec security labels on inbound packets, this patch enables it to\ncheck both inbound and outbound traffic for labeled IPsec security\nlabels.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "2da8ca822d49c8b8781800ad155aaa00e7bb5f1a",
      "tree": "9ec6b0a7a009d76d0c607640eae64d3e9ed666a9",
      "parents": [
        "7da112792753d71aed44b918395892a1fc53048a"
      ],
      "author": {
        "name": "Tejun Heo",
        "email": "tj@kernel.org",
        "time": "Thu Dec 05 12:28:04 2013 -0500"
      },
      "committer": {
        "name": "Tejun Heo",
        "email": "tj@kernel.org",
        "time": "Thu Dec 05 12:28:04 2013 -0500"
      },
      "message": "cgroup: replace cftype-\u003eread_seq_string() with cftype-\u003eseq_show()\n\nIn preparation of conversion to kernfs, cgroup file handling is\nupdated so that it can be easily mapped to kernfs.  This patch\nreplaces cftype-\u003eread_seq_string() with cftype-\u003eseq_show() which is\nnot limited to single_open() operation and will map directly to\nkernfs seq_file interface.\n\nThe conversions are mechanical.  As -\u003eseq_show() doesn\u0027t have @css and\n@cft, the functions which make use of them are converted to use\nseq_css() and seq_cft() respectively.  In several occasions, e.g. if\nit has seq_string in its name, the function name is updated to fit the\nnew method better.\n\nThis patch does not introduce any behavior changes.\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nAcked-by: Aristeu Rozanski \u003carozansk@redhat.com\u003e\nAcked-by: Vivek Goyal \u003cvgoyal@redhat.com\u003e\nAcked-by: Michal Hocko \u003cmhocko@suse.cz\u003e\nAcked-by: Daniel Wagner \u003cdaniel.wagner@bmw-carit.de\u003e\nAcked-by: Li Zefan \u003clizefan@huawei.com\u003e\nCc: Jens Axboe \u003caxboe@kernel.dk\u003e\nCc: Ingo Molnar \u003cmingo@redhat.com\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Johannes Weiner \u003channes@cmpxchg.org\u003e\nCc: Balbir Singh \u003cbsingharora@gmail.com\u003e\nCc: KAMEZAWA Hiroyuki \u003ckamezawa.hiroyu@jp.fujitsu.com\u003e\nCc: Neil Horman \u003cnhorman@tuxdriver.com\u003e\n"
    },
    {
      "commit": "0af901643fe3f1f8d44e41115d36609ee4bda2bf",
      "tree": "ba01c6063e7f342725040b661136174a5ae52276",
      "parents": [
        "dd0a11815a339d6deeea8357574f8126a8404c92"
      ],
      "author": {
        "name": "Geyslan G. Bem",
        "email": "geyslan@gmail.com",
        "time": "Wed Dec 04 16:10:24 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Wed Dec 04 16:10:24 2013 -0500"
      },
      "message": "selinux: fix possible memory leak\n\nFree \u0027ctx_str\u0027 when necessary.\n\nSigned-off-by: Geyslan G. Bem \u003cgeyslan@gmail.com\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "0b1f24e6db9a60c1f68117ad158ea29faa7c3a7f",
      "tree": "3720295706f668b9a8f6e5d754ec0a7bcbe9e14e",
      "parents": [
        "050d032b25e617cd738db8d6fd5aed24d87cbbcb"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Dec 03 11:39:13 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Wed Dec 04 16:08:27 2013 -0500"
      },
      "message": "selinux: pull address family directly from the request_sock struct\n\nWe don\u0027t need to inspect the packet to determine if the packet is an\nIPv4 packet arriving on an IPv6 socket when we can query the\nrequest_sock directly.\n\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "050d032b25e617cd738db8d6fd5aed24d87cbbcb",
      "tree": "53771bb7cebc1cf36bbd0442d3acc1a93e4ccedb",
      "parents": [
        "7f721643db3b2da53e1b91aaa4e8cb7706bfdd10"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Dec 03 11:36:11 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Wed Dec 04 16:08:17 2013 -0500"
      },
      "message": "selinux: ensure that the cached NetLabel secattr matches the desired SID\n\nIn selinux_netlbl_skbuff_setsid() we leverage a cached NetLabel\nsecattr whenever possible.  However, we never check to ensure that\nthe desired SID matches the cached NetLabel secattr.  This patch\nchecks the SID against the secattr before use and only uses the\ncached secattr when the SID values match.\n\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "7f721643db3b2da53e1b91aaa4e8cb7706bfdd10",
      "tree": "2265959ac11a9e6acce19ae68bb4b837af186fb5",
      "parents": [
        "da2ea0d05671f878196cc949906aa89d15c567db"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Dec 03 11:16:36 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Wed Dec 04 16:07:28 2013 -0500"
      },
      "message": "selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()\n\nIn selinux_ip_postroute() we perform access checks based on the\npacket\u0027s security label.  For locally generated traffic we get the\npacket\u0027s security label from the associated socket; this works in all\ncases except for TCP SYN-ACK packets.  In the case of SYN-ACK packets\nthe correct security label is stored in the connection\u0027s request_sock,\nnot the server\u0027s socket.  Unfortunately, at the point in time when\nselinux_ip_postroute() is called we can\u0027t query the request_sock\ndirectly; we need to recreate the label using the same logic that\noriginally labeled the associated request_sock.\n\nSee the inline comments for more explanation.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nTested-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "da2ea0d05671f878196cc949906aa89d15c567db",
      "tree": "a9067db90c8d2da60f1a38ba649f793a09620f8d",
      "parents": [
        "8e645c345a4cf6b8b13054b4ec2f6371f05876a9"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Dec 03 11:14:04 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Wed Dec 04 16:06:47 2013 -0500"
      },
      "message": "selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output()\n\nIn selinux_ip_output() we always label packets based on the parent\nsocket.  While this approach works in almost all cases, it doesn\u0027t\nwork in the case of TCP SYN-ACK packets when the correct label is not\nthe label of the parent socket, but rather the label of the larval\nsocket represented by the request_sock struct.\n\nUnfortunately, since the request_sock isn\u0027t queued on the parent\nsocket until *after* the SYN-ACK packet is sent, we can\u0027t lookup the\nrequest_sock to determine the correct label for the packet; at this\npoint in time the best we can do is simply pass/NF_ACCEPT the packet.\nIt must be said that simply passing the packet without any explicit\nlabeling action, while far from ideal, is not terrible as the SYN-ACK\npacket will inherit any IP option based labeling from the initial\nconnection request so the label *should* be correct and all our\naccess controls remain in place so we shouldn\u0027t have to worry about\ninformation leaks.\n\nReported-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nTested-by: Janak Desai \u003cJanak.Desai@gtri.gatech.edu\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "a7ed7c60e14df5b986f93549717235b882643e7e",
      "tree": "7e615a0664541d91f99c5875164b335b74fd8d8d",
      "parents": [
        "09ae6345721afbb7cf3e0920209b140cbe7bff0d"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Mon Dec 02 19:40:34 2013 +0100"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 02 20:46:56 2013 -0500"
      },
      "message": "ima: properly free ima_template_entry structures\n\nThe new templates management mechanism records information associated\nto an event into an array of \u0027ima_field_data\u0027 structures and makes it\navailable through the \u0027template_data\u0027 field of the \u0027ima_template_entry\u0027\nstructure (the element of the measurements list created by IMA).\n\nSince \u0027ima_field_data\u0027 contains dynamically allocated data (which length\nvaries depending on the data associated to a selected template field),\nit is not enough to just free the memory reserved for a\n\u0027ima_template_entry\u0027 structure if something goes wrong.\n\nThis patch creates the new function ima_free_template_entry() which\nwalks the array of \u0027ima_field_data\u0027 structures, frees the memory\nreferenced by the \u0027data\u0027 pointer and finally the space reserved for\nthe \u0027ima_template_entry\u0027 structure. Further, it replaces existing kfree()\nthat have a pointer to an \u0027ima_template_entry\u0027 structure as argument\nwith calls to the new function.\n\nFixes: a71dc65: ima: switch to new template management mechanism\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "09ae6345721afbb7cf3e0920209b140cbe7bff0d",
      "tree": "36196a39f1b68dc76f4d4b1103d67ee118b999fd",
      "parents": [
        "a45299e72737c528975546a0680cace5d7364d27"
      ],
      "author": {
        "name": "Christoph Paasch",
        "email": "christoph.paasch@uclouvain.be",
        "time": "Mon Dec 02 00:05:20 2013 +0100"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 02 20:46:32 2013 -0500"
      },
      "message": "ima: Do not free \u0027entry\u0027 before it is initialized\n\n7bc5f447ce9d0 (ima: define new function ima_alloc_init_template() to\nAPI) moved the initialization of \u0027entry\u0027 in ima_add_boot_aggregate() a\nbit more below, after the if (ima_used_chip).\n\nSo, \u0027entry\u0027 is not initialized while being inside this if-block. So, we\nshould not attempt to free it.\n\nFound by Coverity (CID: 1131971)\n\nFixes: 7bc5f447ce9d0 (ima: define new function ima_alloc_init_template() to API)\nSigned-off-by: Christoph Paasch \u003cchristoph.paasch@uclouvain.be\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "c7277090927a5e71871e799a355ed2940f6c8fc6",
      "tree": "7d570fe7496a7d2b4dd671146074ab52bbc4c609",
      "parents": [
        "9c5e45df215b4788f7a41c983ce862d08a083c2d"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Dec 02 11:24:19 2013 +0000"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Dec 02 11:24:19 2013 +0000"
      },
      "message": "security: shmem: implement kernel private shmem inodes\n\nWe have a problem where the big_key key storage implementation uses a\nshmem backed inode to hold the key contents.  Because of this detail of\nimplementation LSM checks are being done between processes trying to\nread the keys and the tmpfs backed inode.  The LSM checks are already\nbeing handled on the key interface level and should not be enforced at\nthe inode level (since the inode is an implementation detail, not a\npart of the security model)\n\nThis patch implements a new function shmem_kernel_file_setup() which\nreturns the equivalent to shmem_file_setup() only the underlying inode\nhas S_PRIVATE set.  This means that all LSM checks for the inode in\nquestion are skipped.  It should only be used for kernel internal\noperations where the inode is not exposed to userspace without proper\nLSM checking.  It is possible that some other users of\nshmem_file_setup() should use the new interface, but this has not been\nexplored.\n\nReproducing this bug is a little bit difficult.  The steps I used on\nFedora are:\n\n (1) Turn off selinux enforcing:\n\n\tsetenforce 0\n\n (2) Create a huge key\n\n\tk\u003d`dd if\u003d/dev/zero bs\u003d8192 count\u003d1 | keyctl padd big_key test-key @s`\n\n (3) Access the key in another context:\n\n\truncon system_u:system_r:httpd_t:s0-s0:c0.c1023 keyctl print $k \u003e/dev/null\n\n (4) Examine the audit logs:\n\n\tausearch -m AVC -i --subject httpd_t | audit2allow\n\nIf the last command\u0027s output includes a line that looks like:\n\n\tallow httpd_t user_tmpfs_t:file { open read };\n\nThere was an inode check between httpd and the tmpfs filesystem.  With\nthis patch no such denial will be seen.  (NOTE! you should clear your\naudit log if you have tested for this previously)\n\n(Please return your box to enforcing)\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\ncc: Hugh Dickins \u003chughd@google.com\u003e\ncc: linux-mm@kvack.org\n"
    },
    {
      "commit": "9c5e45df215b4788f7a41c983ce862d08a083c2d",
      "tree": "8cc80b01bfd2501b21e84688f4d34bb9516a17da",
      "parents": [
        "23fd78d76415729b338ff1802a0066b4a62f7fb8"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Dec 02 11:24:19 2013 +0000"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Dec 02 11:24:19 2013 +0000"
      },
      "message": "KEYS: Fix searching of nested keyrings\n\nIf a keyring contains more than 16 keyrings (the capacity of a single node in\nthe associative array) then those keyrings are split over multiple nodes\narranged as a tree.\n\nIf search_nested_keyrings() is called to search the keyring then it will\nattempt to manually walk over just the 0 branch of the associative array tree\nwhere all the keyring links are stored.  This works provided the key is found\nbefore the algorithm steps from one node containing keyrings to a child node\nor if there are sufficiently few keyring links that the keyrings are all in\none node.\n\nHowever, if the algorithm does need to step from a node to a child node, it\ndoesn\u0027t change the node pointer unless a shortcut also gets transited.  This\nmeans that the algorithm will keep scanning the same node over and over again\nwithout terminating and without returning.\n\nTo fix this, move the internal-pointer-to-node translation from inside the\nshortcut transit handler so that it applies it to node arrival as well.\n\nThis can be tested by:\n\n\tr\u003d`keyctl newring sandbox @s`\n\tfor ((i\u003d0; i\u003c\u003d16; i++)); do keyctl newring ring$i $r; done\n\tfor ((i\u003d0; i\u003c\u003d16; i++)); do keyctl add user a$i a %:ring$i; done\n\tfor ((i\u003d0; i\u003c\u003d16; i++)); do keyctl search $r user a$i; done\n\tfor ((i\u003d17; i\u003c\u003d20; i++)); do keyctl search $r user a$i; done\n\nThe searches should all complete successfully (or with an error for 17-20),\nbut instead one or more of them will hang.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Stephen Gallagher \u003csgallagh@redhat.com\u003e\n"
    },
    {
      "commit": "23fd78d76415729b338ff1802a0066b4a62f7fb8",
      "tree": "b832cd635e3e3fe8cca93de1a2e5bb165a968538",
      "parents": [
        "d54e58b7f01552b0eb7d445f4b58de4499ad5ea6"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Dec 02 11:24:18 2013 +0000"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Dec 02 11:24:18 2013 +0000"
      },
      "message": "KEYS: Fix multiple key add into associative array\n\nIf sufficient keys (or keyrings) are added into a keyring such that a node in\nthe associative array\u0027s tree overflows (each node has a capacity N, currently\n16) and such that all N+1 keys have the same index key segment for that level\nof the tree (the level\u0027th nibble of the index key), then assoc_array_insert()\ncalls ops-\u003ediff_objects() to indicate at which bit position the two index keys\nvary.\n\nHowever, __key_link_begin() passes a NULL object to assoc_array_insert() with\nthe intention of supplying the correct pointer later before we commit the\nchange.  This means that keyring_diff_objects() is given a NULL pointer as one\nof its arguments which it does not expect.  This results in an oops like the\nattached.\n\nWith the previous patch to fix the keyring hash function, this can be forced\nmuch more easily by creating a keyring and only adding keyrings to it.  Add any\nother sort of key and a different insertion path is taken - all 16+1 objects\nmust want to cluster in the same node slot.\n\nThis can be tested by:\n\n\tr\u003d`keyctl newring sandbox @s`\n\tfor ((i\u003d0; i\u003c\u003d16; i++)); do keyctl newring ring$i $r; done\n\nThis should work fine, but oopses when the 17th keyring is added.\n\nSince ops-\u003ediff_objects() is always called with the first pointer pointing to\nthe object to be inserted (ie. the NULL pointer), we can fix the problem by\nchanging the to-be-inserted object pointer to point to the index key passed\ninto assoc_array_insert() instead.\n\nWhilst we\u0027re at it, we also switch the arguments so that they are the same as\nfor -\u003ecompare_object().\n\nBUG: unable to handle kernel NULL pointer dereference at 0000000000000088\nIP: [\u003cffffffff81191ee4\u003e] hash_key_type_and_desc+0x18/0xb0\n...\nRIP: 0010:[\u003cffffffff81191ee4\u003e] hash_key_type_and_desc+0x18/0xb0\n...\nCall Trace:\n [\u003cffffffff81191f9d\u003e] keyring_diff_objects+0x21/0xd2\n [\u003cffffffff811f09ef\u003e] assoc_array_insert+0x3b6/0x908\n [\u003cffffffff811929a7\u003e] __key_link_begin+0x78/0xe5\n [\u003cffffffff81191a2e\u003e] key_create_or_update+0x17d/0x36a\n [\u003cffffffff81192e0a\u003e] SyS_add_key+0x123/0x183\n [\u003cffffffff81400ddb\u003e] tracesys+0xdd/0xe2\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Stephen Gallagher \u003csgallagh@redhat.com\u003e\n"
    },
    {
      "commit": "d54e58b7f01552b0eb7d445f4b58de4499ad5ea6",
      "tree": "a9fa542f64099599b74dbe6f77107d6cb79d3324",
      "parents": [
        "2480f57fb3023eb047c5f2d6dfefef41ab9b893c"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Dec 02 11:24:18 2013 +0000"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Dec 02 11:24:18 2013 +0000"
      },
      "message": "KEYS: Fix the keyring hash function\n\nThe keyring hash function (used by the associative array) is supposed to clear\nthe bottommost nibble of the index key (where the hash value resides) for\nkeyrings and make sure it is non-zero for non-keyrings.  This is done to make\nkeyrings cluster together on one branch of the tree separately to other keys.\n\nUnfortunately, the wrong mask is used, so only the bottom two bits are\nexamined and cleared and not the whole bottom nibble.  This means that keys\nand keyrings can still be successfully searched for under most circumstances\nas the hash is consistent in its miscalculation, but if a keyring\u0027s\nassociative array bottom node gets filled up then approx 75% of the keyrings\nwill not be put into the 0 branch.\n\nThe consequence of this is that a key in a keyring linked to by another\nkeyring, ie.\n\n\tkeyring A -\u003e keyring B -\u003e key\n\nmay not be found if the search starts at keyring A and then descends into\nkeyring B because search_nested_keyrings() only searches up the 0 branch (as it\n\"knows\" all keyrings must be there and not elsewhere in the tree).\n\nThe fix is to use the right mask.\n\nThis can be tested with:\n\n\tr\u003d`keyctl newring sandbox @s`\n\tfor ((i\u003d0; i\u003c\u003d16; i++)); do keyctl newring ring$i $r; done\n\tfor ((i\u003d0; i\u003c\u003d16; i++)); do keyctl add user a$i a %:ring$i; done\n\tfor ((i\u003d0; i\u003c\u003d16; i++)); do keyctl search $r user a$i; done\n\nThis creates a sandbox keyring, then creates 17 keyrings therein (labelled\nring0..ring16).  This causes the root node of the sandbox\u0027s associative array\nto overflow and for the tree to have extra nodes inserted.\n\nEach keyring then is given a user key (labelled aN for ringN) for us to search\nfor.\n\nWe then search for the user keys we added, starting from the sandbox.  If\nworking correctly, it should return the same ordered list of key IDs as\nfor...keyctl add... did.  Without this patch, it reports ENOKEY \"Required key\nnot available\" for some of the keys.  Just which keys get this depends as the\nkernel pointer to the key type forms part of the hash function.\n\nReported-by: Nalin Dahyabhai \u003cnalin@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Stephen Gallagher \u003csgallagh@redhat.com\u003e\n"
    },
    {
      "commit": "2480f57fb3023eb047c5f2d6dfefef41ab9b893c",
      "tree": "65279528bb73307d236d8c614eb64dd6362e9e65",
      "parents": [
        "af91706d5ddecb4a9858cca9e90d463037cfd498"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Dec 02 11:24:18 2013 +0000"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Dec 02 11:24:18 2013 +0000"
      },
      "message": "KEYS: Pre-clear struct key on allocation\n\nThe second word of key-\u003epayload does not get initialised in key_alloc(), but\nthe big_key type is relying on it having been cleared.  The problem comes when\nbig_key fails to instantiate a large key and doesn\u0027t then set the payload.  The\nbig_key_destroy() op is called from the garbage collector and this assumes that\nthe dentry pointer stored in the second word will be NULL if instantiation did\nnot complete.\n\nTherefore just pre-clear the entire struct key on allocation rather than trying\nto be clever and only initialising to 0 only those bits that aren\u0027t otherwise\ninitialised.\n\nThe lack of initialisation can lead to a bug report like the following if\nbig_key failed to initialise its file:\n\n\tgeneral protection fault: 0000 [#1] SMP\n\tModules linked in: ...\n\tCPU: 0 PID: 51 Comm: kworker/0:1 Not tainted 3.10.0-53.el7.x86_64 #1\n\tHardware name: Dell Inc. PowerEdge 1955/0HC513, BIOS 1.4.4 12/09/2008\n\tWorkqueue: events key_garbage_collector\n\ttask: ffff8801294f5680 ti: ffff8801296e2000 task.ti: ffff8801296e2000\n\tRIP: 0010:[\u003cffffffff811b4a51\u003e] dput+0x21/0x2d0\n\t...\n\tCall Trace:\n\t [\u003cffffffff811a7b06\u003e] path_put+0x16/0x30\n\t [\u003cffffffff81235604\u003e] big_key_destroy+0x44/0x60\n\t [\u003cffffffff8122dc4b\u003e] key_gc_unused_keys.constprop.2+0x5b/0xe0\n\t [\u003cffffffff8122df2f\u003e] key_garbage_collector+0x1df/0x3c0\n\t [\u003cffffffff8107759b\u003e] process_one_work+0x17b/0x460\n\t [\u003cffffffff8107834b\u003e] worker_thread+0x11b/0x400\n\t [\u003cffffffff81078230\u003e] ? rescuer_thread+0x3e0/0x3e0\n\t [\u003cffffffff8107eb00\u003e] kthread+0xc0/0xd0\n\t [\u003cffffffff8107ea40\u003e] ? kthread_create_on_node+0x110/0x110\n\t [\u003cffffffff815c4bec\u003e] ret_from_fork+0x7c/0xb0\n\t [\u003cffffffff8107ea40\u003e] ? kthread_create_on_node+0x110/0x110\n\nReported-by: Patrik Kis \u003cpkis@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: Stephen Gallagher \u003csgallagh@redhat.com\u003e\n"
    },
    {
      "commit": "af91706d5ddecb4a9858cca9e90d463037cfd498",
      "tree": "6deb94f92beb6a51eadad053ded7da136847062f",
      "parents": [
        "dc1ccc48159d63eca5089e507c82c7d22ef60839"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Wed Nov 27 14:40:41 2013 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Sat Nov 30 13:09:53 2013 +1100"
      },
      "message": "ima: store address of template_fmt_copy in a pointer before calling strsep\n\nThis patch stores the address of the \u0027template_fmt_copy\u0027 variable in a new\nvariable, called \u0027template_fmt_ptr\u0027, so that the latter is passed as an\nargument of strsep() instead of the former. This modification is needed\nin order to correctly free the memory area referenced by\n\u0027template_fmt_copy\u0027 (strsep() modifies the pointer of the passed string).\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nReported-by: Sebastian Ott \u003csebott@linux.vnet.ibm.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "dd0a11815a339d6deeea8357574f8126a8404c92",
      "tree": "c3c743ac6323e1caf9e987d6946cc4b2333a8256",
      "parents": [
        "42d64e1add3a1ce8a787116036163b8724362145",
        "5e01dc7b26d9f24f39abace5da98ccbd6a5ceb52"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Nov 26 17:32:55 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Nov 26 17:32:55 2013 -0500"
      },
      "message": "Merge tag \u0027v3.12\u0027\n\nLinux 3.12\n"
    },
    {
      "commit": "8e645c345a4cf6b8b13054b4ec2f6371f05876a9",
      "tree": "d81d01ba23cb6dc1b12396d4992fea48e1b5b0ee",
      "parents": [
        "b5495b4217d3fa64deac479db83dbede149af7d8"
      ],
      "author": {
        "name": "Geyslan G. Bem",
        "email": "geyslan@gmail.com",
        "time": "Sun Nov 24 08:37:01 2013 -0300"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Mon Nov 25 17:00:33 2013 -0500"
      },
      "message": "selinux: fix possible memory leak\n\nFree \u0027ctx_str\u0027 when necessary.\n\nSigned-off-by: Geyslan G. Bem \u003cgeyslan@gmail.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "dbc335d2dc3c437649eb6b39f4e9aee2a13eb0af",
      "tree": "b070f9d96f16ae2abf4c6a5b824d2b6c82716da2",
      "parents": [
        "3e8e5503a33577d89bdb7469b851b11f507bbed6"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Mon Nov 25 20:18:52 2013 +0100"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Nov 25 15:05:33 2013 -0500"
      },
      "message": "ima: make a copy of template_fmt in template_desc_init_fields()\n\nThis patch makes a copy of the \u0027template_fmt\u0027 function argument so that\nthe latter will not be modified by strsep(), which does the splitting by\nreplacing the given separator with \u0027\\0\u0027.\n\n IMA: No TPM chip found, activating TPM-bypass!\n Unable to handle kernel pointer dereference at virtual kernel address 0000000000842000\n Oops: 0004 [#1] SMP\n Modules linked in:\n CPU: 3 PID: 1 Comm: swapper/0 Not tainted 3.12.0-rc2-00098-g3ce1217d6cd5 #17\n task: 000000003ffa0000 ti: 000000003ff84000 task.ti: 000000003ff84000\n Krnl PSW : 0704e00180000000 000000000044bf88 (strsep+0x7c/0xa0)\n            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 EA:3\n Krnl GPRS: 000000000000007c 000000000000007c 000000003ff87d90 0000000000821fd8\n            0000000000000000 000000000000007c 0000000000aa37e0 0000000000aa9008\n            0000000000000051 0000000000a114d8 0000000100000002 0000000000842bde\n            0000000000842bdf 00000000006f97f0 000000000040062c 000000003ff87cf0\n Krnl Code: 000000000044bf7c: a7f4000a           brc     15,44bf90\n            000000000044bf80: b90200cc           ltgr    %r12,%r12\n           #000000000044bf84: a7840006           brc     8,44bf90\n           \u003e000000000044bf88: 9200c000           mvi     0(%r12),0\n            000000000044bf8c: 41c0c001           la      %r12,1(%r12)\n            000000000044bf90: e3c020000024       stg     %r12,0(%r2)\n            000000000044bf96: b904002b           lgr     %r2,%r11\n            000000000044bf9a: ebbcf0700004       lmg     %r11,%r12,112(%r15)\n Call Trace:\n ([\u003c00000000004005fe\u003e] ima_init_template+0xa2/0x1bc)\n  [\u003c0000000000a7c896\u003e] ima_init+0x7a/0xa8\n  [\u003c0000000000a7c938\u003e] init_ima+0x24/0x40\n  [\u003c00000000001000e8\u003e] do_one_initcall+0x68/0x128\n  [\u003c0000000000a4eb56\u003e] kernel_init_freeable+0x20a/0x2b4\n  [\u003c00000000006a1ff4\u003e] kernel_init+0x30/0x178\n  [\u003c00000000006b69fe\u003e] kernel_thread_starter+0x6/0xc\n  [\u003c00000000006b69f8\u003e] kernel_thread_starter+0x0/0xc\n Last Breaking-Event-Address:\n  [\u003c000000000044bf42\u003e] strsep+0x36/0xa0\n\nFixes commit: adf53a7 ima: new templates management mechanism\n\nChangelog v1:\n- make template_fmt \u0027const char *\u0027 (reported-by James Morris)\n- fix kstrdup memory leak (reported-by James Morris)\n\nReported-by: Heiko Carstens \u003cheiko.carstens@de.ibm.com\u003e\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nTested-by: Heiko Carstens \u003cheiko.carstens@de.ibm.com\u003e\n"
    },
    {
      "commit": "3e8e5503a33577d89bdb7469b851b11f507bbed6",
      "tree": "50621a970614b947f7720db128b6ffaf4a3c7aeb",
      "parents": [
        "b6f8f16f41d92861621b043389ef49de1c52d613"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Nov 08 19:21:40 2013 +0100"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Nov 25 07:31:14 2013 -0500"
      },
      "message": "ima: do not send field length to userspace for digest of ima template\n\nThis patch defines a new value for the \u0027ima_show_type\u0027 enumerator\n(IMA_SHOW_BINARY_NO_FIELD_LEN) to prevent that the field length\nis transmitted through the \u0027binary_runtime_measurements\u0027 interface\nfor the digest field of the \u0027ima\u0027 template.\n\nFixes commit: 3ce1217 ima: define template fields library and new helpers\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "b6f8f16f41d92861621b043389ef49de1c52d613",
      "tree": "4aa54f988efc980c6f5ec7845fda7761fa667c16",
      "parents": [
        "4c1cc40a2d49500d84038ff751bc6cd183e729b5"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Nov 08 19:21:39 2013 +0100"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Nov 25 07:26:28 2013 -0500"
      },
      "message": "ima: do not include field length in template digest calc for ima template\n\nTo maintain compatibility with userspace tools, the field length must not\nbe included in the template digest calculation for the \u0027ima\u0027 template.\n\nFixes commit: a71dc65 ima: switch to new template management mechanism\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "34ef7bd3823bf4401bf8f1f855e1bc77b82b1a43",
      "tree": "80b9e7de72353048b5e933d634d64bd14d0eb00c",
      "parents": [
        "26b265cd29dde56bf0901c421eabc7ae815f38c4"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Nov 23 16:36:35 2013 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Nov 23 16:36:35 2013 -0800"
      },
      "message": "Revert \"ima: define \u0027_ima\u0027 as a builtin \u0027trusted\u0027 keyring\"\n\nThis reverts commit 217091dd7a7a1bdac027ddb7c5a25f6ac0b8e241, which\ncaused the following build error:\n\n  security/integrity/digsig.c:70:5: error: redefinition of ‘integrity_init_keyring’\n  security/integrity/integrity.h:149:12: note: previous definition of ‘integrity_init_keyring’ w\n  security/integrity/integrity.h:149:12: warning: ‘integrity_init_keyring’ defined but not used\n\nreported by Krzysztof Kolasa. Mimi says:\n\n \"I made the classic mistake of requesting this patch to be upstreamed\n  at the last second, rather than waiting until the next open window.\n\n  At this point, the best course would probably be to revert the two\n  commits and fix them for the next open window\"\n\nReported-by: Krzysztof Kolasa \u003ckkolasa@winsoft.pl\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "fc582aef7dcc27a7120cf232c1e76c569c7b6eab",
      "tree": "7d275dd4ceab6067b91e9a25a5f6338b425fbccd",
      "parents": [
        "9175c9d2aed528800175ef81c90569d00d23f9be",
        "5e01dc7b26d9f24f39abace5da98ccbd6a5ceb52"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Nov 22 18:57:08 2013 -0500"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Nov 22 18:57:54 2013 -0500"
      },
      "message": "Merge tag \u0027v3.12\u0027\n\nLinux 3.12\n\nConflicts:\n\tfs/exec.c\n"
    },
    {
      "commit": "78dc53c422172a317adb0776dfb687057ffa28b7",
      "tree": "7c5d15da75d769d01f6a992c24c3490b3867d5b2",
      "parents": [
        "3eaded86ac3e7f00fb3eeb8162d89e9a34e42fb0",
        "62fe318256befbd1b4a6765e71d9c997f768fe79"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Nov 21 19:46:00 2013 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Nov 21 19:46:00 2013 -0800"
      },
      "message": "Merge branch \u0027for-linus2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security\n\nPull security subsystem updates from James Morris:\n \"In this patchset, we finally get an SELinux update, with Paul Moore\n  taking over as maintainer of that code.\n\n  Also a significant update for the Keys subsystem, as well as\n  maintenance updates to Smack, IMA, TPM, and Apparmor\"\n\nand since I wanted to know more about the updates to key handling,\nhere\u0027s the explanation from David Howells on that:\n\n \"Okay.  There are a number of separate bits.  I\u0027ll go over the big bits\n  and the odd important other bit, most of the smaller bits are just\n  fixes and cleanups.  If you want the small bits accounting for, I can\n  do that too.\n\n   (1) Keyring capacity expansion.\n\n        KEYS: Consolidate the concept of an \u0027index key\u0027 for key access\n        KEYS: Introduce a search context structure\n        KEYS: Search for auth-key by name rather than target key ID\n        Add a generic associative array implementation.\n        KEYS: Expand the capacity of a keyring\n\n     Several of the patches are providing an expansion of the capacity of a\n     keyring.  Currently, the maximum size of a keyring payload is one page.\n     Subtract a small header and then divide up into pointers, that only gives\n     you ~500 pointers on an x86_64 box.  However, since the NFS idmapper uses\n     a keyring to store ID mapping data, that has proven to be insufficient to\n     the cause.\n\n     Whatever data structure I use to handle the keyring payload, it can only\n     store pointers to keys, not the keys themselves because several keyrings\n     may point to a single key.  This precludes inserting, say, an rb_node\n     struct into the key struct for this purpose.\n\n     I could make an rbtree of records such that each record has an rb_node\n     and a key pointer, but that would use four words of space per key stored\n     in the keyring.  It would, however, be able to use much existing code.\n\n     I selected instead a non-rebalancing radix-tree type approach as that\n     could have a better space-used/key-pointer ratio.  I could have used the\n     radix tree implementation that we already have and insert keys into it by\n     their serial numbers, but that means any sort of search must iterate over\n     the whole radix tree.  Further, its nodes are a bit on the capacious side\n     for what I want - especially given that key serial numbers are randomly\n     allocated, thus leaving a lot of empty space in the tree.\n\n     So what I have is an associative array that internally is a radix-tree\n     with 16 pointers per node where the index key is constructed from the key\n     type pointer and the key description.  This means that an exact lookup by\n     type+description is very fast as this tells us how to navigate directly to\n     the target key.\n\n     I made the data structure general in lib/assoc_array.c as far as it is\n     concerned, its index key is just a sequence of bits that leads to a\n     pointer.  It\u0027s possible that someone else will be able to make use of it\n     also.  FS-Cache might, for example.\n\n   (2) Mark keys as \u0027trusted\u0027 and keyrings as \u0027trusted only\u0027.\n\n        KEYS: verify a certificate is signed by a \u0027trusted\u0027 key\n        KEYS: Make the system \u0027trusted\u0027 keyring viewable by userspace\n        KEYS: Add a \u0027trusted\u0027 flag and a \u0027trusted only\u0027 flag\n        KEYS: Separate the kernel signature checking keyring from module signing\n\n     These patches allow keys carrying asymmetric public keys to be marked as\n     being \u0027trusted\u0027 and allow keyrings to be marked as only permitting the\n     addition or linkage of trusted keys.\n\n     Keys loaded from hardware during kernel boot or compiled into the kernel\n     during build are marked as being trusted automatically.  New keys can be\n     loaded at runtime with add_key().  They are checked against the system\n     keyring contents and if their signatures can be validated with keys that\n     are already marked trusted, then they are marked trusted also and can\n     thus be added into the master keyring.\n\n     Patches from Mimi Zohar make this usable with the IMA keyrings also.\n\n   (3) Remove the date checks on the key used to validate a module signature.\n\n        X.509: Remove certificate date checks\n\n     It\u0027s not reasonable to reject a signature just because the key that it was\n     generated with is no longer valid datewise - especially if the kernel\n     hasn\u0027t yet managed to set the system clock when the first module is\n     loaded - so just remove those checks.\n\n   (4) Make it simpler to deal with additional X.509 being loaded into the kernel.\n\n        KEYS: Load *.x509 files into kernel keyring\n        KEYS: Have make canonicalise the paths of the X.509 certs better to deduplicate\n\n     The builder of the kernel now just places files with the extension \".x509\"\n     into the kernel source or build trees and they\u0027re concatenated by the\n     kernel build and stuffed into the appropriate section.\n\n   (5) Add support for userspace kerberos to use keyrings.\n\n        KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches\n        KEYS: Implement a big key type that can save to tmpfs\n\n     Fedora went to, by default, storing kerberos tickets and tokens in tmpfs.\n     We looked at storing it in keyrings instead as that confers certain\n     advantages such as tickets being automatically deleted after a certain\n     amount of time and the ability for the kernel to get at these tokens more\n     easily.\n\n     To make this work, two things were needed:\n\n     (a) A way for the tickets to persist beyond the lifetime of all a user\u0027s\n         sessions so that cron-driven processes can still use them.\n\n         The problem is that a user\u0027s session keyrings are deleted when the\n         session that spawned them logs out and the user\u0027s user keyring is\n         deleted when the UID is deleted (typically when the last log out\n         happens), so neither of these places is suitable.\n\n         I\u0027ve added a system keyring into which a \u0027persistent\u0027 keyring is\n         created for each UID on request.  Each time a user requests their\n         persistent keyring, the expiry time on it is set anew.  If the user\n         doesn\u0027t ask for it for, say, three days, the keyring is automatically\n         expired and garbage collected using the existing gc.  All the kerberos\n         tokens it held are then also gc\u0027d.\n\n     (b) A key type that can hold really big tickets (up to 1MB in size).\n\n         The problem is that Active Directory can return huge tickets with lots\n         of auxiliary data attached.  We don\u0027t, however, want to eat up huge\n         tracts of unswappable kernel space for this, so if the ticket is\n         greater than a certain size, we create a swappable shmem file and dump\n         the contents in there and just live with the fact we then have an\n         inode and a dentry overhead.  If the ticket is smaller than that, we\n         slap it in a kmalloc()\u0027d buffer\"\n\n* \u0027for-linus2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (121 commits)\n  KEYS: Fix keyring content gc scanner\n  KEYS: Fix error handling in big_key instantiation\n  KEYS: Fix UID check in keyctl_get_persistent()\n  KEYS: The RSA public key algorithm needs to select MPILIB\n  ima: define \u0027_ima\u0027 as a builtin \u0027trusted\u0027 keyring\n  ima: extend the measurement list to include the file signature\n  kernel/system_certificate.S: use real contents instead of macro GLOBAL()\n  KEYS: fix error return code in big_key_instantiate()\n  KEYS: Fix keyring quota misaccounting on key replacement and unlink\n  KEYS: Fix a race between negating a key and reading the error set\n  KEYS: Make BIG_KEYS boolean\n  apparmor: remove the \"task\" arg from may_change_ptraced_domain()\n  apparmor: remove parent task info from audit logging\n  apparmor: remove tsk field from the apparmor_audit_struct\n  apparmor: fix capability to not use the current task, during reporting\n  Smack: Ptrace access check mode\n  ima: provide hash algo info in the xattr\n  ima: enable support for larger default filedata hash algorithms\n  ima: define kernel parameter \u0027ima_template\u003d\u0027 to change configured default\n  ima: add Kconfig default measurement list template\n  ...\n"
    },
    {
      "commit": "3eaded86ac3e7f00fb3eeb8162d89e9a34e42fb0",
      "tree": "4c48b9f1739dcb034186956bf39908803b524154",
      "parents": [
        "527d1511310a89650000081869260394e20c7013",
        "9175c9d2aed528800175ef81c90569d00d23f9be"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Nov 21 19:18:14 2013 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Nov 21 19:18:14 2013 -0800"
      },
      "message": "Merge git://git.infradead.org/users/eparis/audit\n\nPull audit updates from Eric Paris:\n \"Nothing amazing.  Formatting, small bug fixes, couple of fixes where\n  we didn\u0027t get records due to some old VFS changes, and a change to how\n  we collect execve info...\"\n\nFixed conflict in fs/exec.c as per Eric and linux-next.\n\n* git://git.infradead.org/users/eparis/audit: (28 commits)\n  audit: fix type of sessionid in audit_set_loginuid()\n  audit: call audit_bprm() only once to add AUDIT_EXECVE information\n  audit: move audit_aux_data_execve contents into audit_context union\n  audit: remove unused envc member of audit_aux_data_execve\n  audit: Kill the unused struct audit_aux_data_capset\n  audit: do not reject all AUDIT_INODE filter types\n  audit: suppress stock memalloc failure warnings since already managed\n  audit: log the audit_names record type\n  audit: add child record before the create to handle case where create fails\n  audit: use given values in tty_audit enable api\n  audit: use nlmsg_len() to get message payload length\n  audit: use memset instead of trying to initialize field by field\n  audit: fix info leak in AUDIT_GET requests\n  audit: update AUDIT_INODE filter rule to comparator function\n  audit: audit feature to set loginuid immutable\n  audit: audit feature to only allow unsetting the loginuid\n  audit: allow unsetting the loginuid (with priv)\n  audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE\n  audit: loginuid functions coding style\n  selinux: apply selinux checks on new audit message types\n  ...\n"
    },
    {
      "commit": "b5495b4217d3fa64deac479db83dbede149af7d8",
      "tree": "00056ecd7fd8833d199203178e9e098cbb58d651",
      "parents": [
        "a660bec1d84ad19a39e380af129e207b3b8f609e"
      ],
      "author": {
        "name": "Tim Gardner",
        "email": "tim.gardner@canonical.com",
        "time": "Thu Nov 14 15:04:51 2013 -0700"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Nov 19 17:35:18 2013 -0500"
      },
      "message": "SELinux: security_load_policy: Silence frame-larger-than warning\n\nDynamically allocate a couple of the larger stack variables in order to\nreduce the stack footprint below 1024. gcc-4.8\n\nsecurity/selinux/ss/services.c: In function \u0027security_load_policy\u0027:\nsecurity/selinux/ss/services.c:1964:1: warning: the frame size of 1104 bytes is larger than 1024 bytes [-Wframe-larger-than\u003d]\n }\n\nAlso silence a couple of checkpatch warnings at the same time.\n\nWARNING: sizeof policydb should be sizeof(policydb)\n+\tmemcpy(oldpolicydb, \u0026policydb, sizeof policydb);\n\nWARNING: sizeof policydb should be sizeof(policydb)\n+\tmemcpy(\u0026policydb, newpolicydb, sizeof policydb);\n\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjames.l.morris@oracle.com\u003e\nCc: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: Tim Gardner \u003ctim.gardner@canonical.com\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "a660bec1d84ad19a39e380af129e207b3b8f609e",
      "tree": "7dce6178a20225dacb833cec5d3b781d1b3626ac",
      "parents": [
        "94851b18d4eb94f8bbf0d9176f7429bd8e371f62"
      ],
      "author": {
        "name": "Richard Haines",
        "email": "richard_c_haines@btinternet.com",
        "time": "Tue Nov 19 17:34:23 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Tue Nov 19 17:34:23 2013 -0500"
      },
      "message": "SELinux: Update policy version to support constraints info\n\nUpdate the policy version (POLICYDB_VERSION_CONSTRAINT_NAMES) to allow\nholding of policy source info for constraints.\n\nSigned-off-by: Richard Haines \u003crichard_c_haines@btinternet.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\n"
    },
    {
      "commit": "62fe318256befbd1b4a6765e71d9c997f768fe79",
      "tree": "a24b4672750ceea1850f7b97131256f163554ea7",
      "parents": [
        "97826c821ec6724fc359d9b7840dc10af914c641"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Nov 14 13:02:31 2013 +0000"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Nov 14 14:09:53 2013 +0000"
      },
      "message": "KEYS: Fix keyring content gc scanner\n\nKey pointers stored in the keyring are marked in bit 1 to indicate if they\npoint to a keyring.  We need to strip off this bit before using the pointer\nwhen iterating over the keyring for the purpose of looking for links to garbage\ncollect.\n\nThis means that expirable keyrings aren\u0027t correctly expiring because the\nchecker is seeing their key pointer with 2 added to it.\n\nSince the fix for this involves knowing about the internals of the keyring,\nkey_gc_keyring() is moved to keyring.c and merged into keyring_gc().\n\nThis can be tested by:\n\n\techo 2 \u003e/proc/sys/kernel/keys/gc_delay\n\tkeyctl timeout `keyctl add keyring qwerty \"\" @s` 2\n\tcat /proc/keys\n\tsleep 5; cat /proc/keys\n\nwhich should see a keyring called \"qwerty\" appear in the session keyring and\nthen disappear after it expires, and:\n\n\techo 2 \u003e/proc/sys/kernel/keys/gc_delay\n\ta\u003d`keyctl get_persistent @s`\n\tb\u003d`keyctl add keyring 0 \"\" $a`\n\tkeyctl add user a a $b\n\tkeyctl timeout $b 2\n\tcat /proc/keys\n\tsleep 5; cat /proc/keys\n\nwhich should see a keyring called \"0\" with a key called \"a\" in it appear in the\nuser\u0027s persistent keyring (which will be attached to the session keyring) and\nthen both the \"0\" keyring and the \"a\" key should disappear when the \"0\" keyring\nexpires.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Simo Sorce \u003csimo@redhat.com\u003e\n"
    },
    {
      "commit": "97826c821ec6724fc359d9b7840dc10af914c641",
      "tree": "0d0f64d3dde09c876fd0248df6ca6bfaec16be93",
      "parents": [
        "fbf8c53f1a2ac7610ed124043600dc074992e71b"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Nov 13 16:51:06 2013 +0000"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Nov 13 16:51:06 2013 +0000"
      },
      "message": "KEYS: Fix error handling in big_key instantiation\n\nIn the big_key_instantiate() function we return 0 if kernel_write() returns us\nan error rather than returning an error.  This can potentially lead to\ndentry_open() giving a BUG when called from big_key_read() with an unset\ntmpfile path.\n\n\t------------[ cut here ]------------\n\tkernel BUG at fs/open.c:798!\n\t...\n\tRIP: 0010:[\u003cffffffff8119bbd1\u003e] dentry_open+0xd1/0xe0\n\t...\n\tCall Trace:\n\t [\u003cffffffff812350c5\u003e] big_key_read+0x55/0x100\n\t [\u003cffffffff81231084\u003e] keyctl_read_key+0xb4/0xe0\n\t [\u003cffffffff81231e58\u003e] SyS_keyctl+0xf8/0x1d0\n\t [\u003cffffffff815bb799\u003e] system_call_fastpath+0x16/0x1b\n\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: Stephen Gallagher \u003csgallagh@redhat.com\u003e\n"
    },
    {
      "commit": "42a2d923cc349583ebf6fdd52a7d35e1c2f7e6bd",
      "tree": "2b2b0c03b5389c1301800119333967efafd994ca",
      "parents": [
        "5cbb3d216e2041700231bcfc383ee5f8b7fc8b74",
        "75ecab1df14d90e86cebef9ec5c76befde46e65f"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Nov 13 17:40:34 2013 +0900"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Nov 13 17:40:34 2013 +0900"
      },
      "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next\n\nPull networking updates from David Miller:\n\n 1) The addition of nftables.  No longer will we need protocol aware\n    firewall filtering modules, it can all live in userspace.\n\n    At the core of nftables is a, for lack of a better term, virtual\n    machine that executes byte codes to inspect packet or metadata\n    (arriving interface index, etc.) and make verdict decisions.\n\n    Besides support for loading packet contents and comparing them, the\n    interpreter supports lookups in various datastructures as\n    fundamental operations.  For example sets are supported, and\n    therefore one could create a set of whitelist IP address entries\n    which have ACCEPT verdicts attached to them, and use the appropriate\n    byte codes to do such lookups.\n\n    Since the interpreted code is composed in userspace, userspace can\n    do things like optimize things before giving it to the kernel.\n\n    Another major improvement is the capability of atomically updating\n    portions of the ruleset.  
In the existing netfilter implementation,\n    one has to update the entire rule set in order to make a change and\n    this is very expensive.\n\n    Userspace tools exist to create nftables rules using existing\n    netfilter rule sets, but both kernel implementations will need to\n    co-exist for quite some time as we transition from the old to the\n    new stuff.\n\n    Kudos to Patrick McHardy, Pablo Neira Ayuso, and others who have\n    worked so hard on this.\n\n 2) Daniel Borkmann and Hannes Frederic Sowa made several improvements\n    to our pseudo-random number generator, mostly used for things like\n    UDP port randomization and netfilter, amongst other things.\n\n    In particular the taus88 generator is updated to taus113, and test\n    cases are added.\n\n 3) Support 64-bit rates in HTB and TBF schedulers, from Eric Dumazet\n    and Yang Yingliang.\n\n 4) Add support for new 577xx tigon3 chips to tg3 driver, from Nithin\n    Sujir.\n\n 5) Fix two fatal flaws in TCP dynamic right sizing, from Eric Dumazet,\n    Neal Cardwell, and Yuchung Cheng.\n\n 6) Allow IP_TOS and IP_TTL to be specified in sendmsg() ancillary\n    control message data, much like other socket option attributes.\n    From Francesco Fusco.\n\n 7) Allow applications to specify a cap on the rate computed\n    automatically by the kernel for pacing flows, via a new\n    SO_MAX_PACING_RATE socket option.  From Eric Dumazet.\n\n 8) Make the initial autotuned send buffer sizing in TCP more closely\n    reflect actual needs, from Eric Dumazet.\n\n 9) Currently early socket demux only happens for TCP sockets, but we\n    can do it for connected UDP sockets too.  Implementation from Shawn\n    Bohrer.\n\n10) Refactor inet socket demux with the goal of improving hash demux\n    performance for listening sockets.  With the main goals being able\n    to use RCU lookups on even request sockets, and eliminating the\n    listening lock contention.  
From Eric Dumazet.\n\n11) The bonding layer has many demuxes in its fast path, and an RCU\n    conversion was started back in 3.11, several changes here extend the\n    RCU usage to even more locations.  From Ding Tianhong and Wang\n    Yufen, based upon suggestions by Nikolay Aleksandrov and Veaceslav\n    Falico.\n\n12) Allow stackability of segmentation offloads to, in particular, allow\n    segmentation offloading over tunnels.  From Eric Dumazet.\n\n13) Significantly improve the handling of secret keys we input into the\n    various hash functions in the inet hashtables, TCP fast open, as\n    well as syncookies.  From Hannes Frederic Sowa.  The key fundamental\n    operation is \"net_get_random_once()\" which uses static keys.\n\n    Hannes even extended this to ipv4/ipv6 fragmentation handling and\n    our generic flow dissector.\n\n14) The generic driver layer takes care now to set the driver data to\n    NULL on device removal, so it\u0027s no longer necessary for drivers to\n    explicitly set it to NULL any more.  Many drivers have been cleaned\n    up in this way, from Jingoo Han.\n\n15) Add a BPF based packet scheduler classifier, from Daniel Borkmann.\n\n16) Improve CRC32 interfaces and generic SKB checksum iterators so that\n    SCTP\u0027s checksumming can more cleanly be handled.  Also from Daniel\n    Borkmann.\n\n17) Add a new PMTU discovery mode, IP_PMTUDISC_INTERFACE, which forces\n    using the interface MTU value.  This helps avoid PMTU attacks,\n    particularly on DNS servers.  From Hannes Frederic Sowa.\n\n18) Use generic XPS for transmit queue steering rather than internal\n    (re-)implementation in virtio-net.  
From Jason Wang.\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1622 commits)\n  random32: add test cases for taus113 implementation\n  random32: upgrade taus88 generator to taus113 from errata paper\n  random32: move rnd_state to linux/random.h\n  random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized\n  random32: add periodic reseeding\n  random32: fix off-by-one in seeding requirement\n  PHY: Add RTL8201CP phy_driver to realtek\n  xtsonic: add missing platform_set_drvdata() in xtsonic_probe()\n  macmace: add missing platform_set_drvdata() in mace_probe()\n  ethernet/arc/arc_emac: add missing platform_set_drvdata() in arc_emac_probe()\n  ipv6: protect for_each_sk_fl_rcu in mem_check with rcu_read_lock_bh\n  vlan: Implement vlan_dev_get_egress_qos_mask as an inline.\n  ixgbe: add warning when max_vfs is out of range.\n  igb: Update link modes display in ethtool\n  netfilter: push reasm skb through instead of original frag skbs\n  ip6_output: fragment outgoing reassembled skb properly\n  MAINTAINERS: mv643xx_eth: take over maintainership from Lennart\n  net_sched: tbf: support of 64bit rates\n  ixgbe: deleting dfwd stations out of order can cause null ptr deref\n  ixgbe: fix build err, num_rx_queues is only available with CONFIG_RPS\n  ...\n"
    },
    {
      "commit": "a9986464564609dd0962e6023513f7d3d313dc80",
      "tree": "bcec3cd7404bdf3ac2e205a8cce5810b90ece6bf",
      "parents": [
        "13aa7e0bc20f7f7e5ef45f0defc4ff4380802302",
        "73ba353471e0b692f398f3d63018b7f46ccf1d3e"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Nov 13 15:21:53 2013 +0900"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Nov 13 15:21:53 2013 +0900"
      },
      "message": "Merge branch \u0027for-3.13\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup\n\nPull cgroup changes from Tejun Heo:\n \"Not too much activity this time around.  css_id is finally killed and\n  a minor update to device_cgroup\"\n\n* \u0027for-3.13\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:\n  device_cgroup: remove can_attach\n  cgroup: kill css_id\n  memcg: stop using css id\n  memcg: fail to create cgroup if the cgroup id is too big\n  memcg: convert to use cgroup id\n  memcg: convert to use cgroup_is_descendant()\n"
    },
    {
      "commit": "94851b18d4eb94f8bbf0d9176f7429bd8e371f62",
      "tree": "c3c743ac6323e1caf9e987d6946cc4b2333a8256",
      "parents": [
        "42d64e1add3a1ce8a787116036163b8724362145",
        "5e01dc7b26d9f24f39abace5da98ccbd6a5ceb52"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Fri Nov 08 13:56:38 2013 -0500"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "pmoore@redhat.com",
        "time": "Fri Nov 08 13:56:38 2013 -0500"
      },
      "message": "Merge tag \u0027v3.12\u0027\n\nLinux 3.12\n"
    },
    {
      "commit": "fbf8c53f1a2ac7610ed124043600dc074992e71b",
      "tree": "f0a6e0226507a85389737e650879aa6ee0dfe4ad",
      "parents": [
        "dbed71416332d24e4e9ba26dcf90cd86a93c06f1"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Nov 06 14:01:51 2013 +0000"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Nov 06 14:01:51 2013 +0000"
      },
      "message": "KEYS: Fix UID check in keyctl_get_persistent()\n\nIf the UID is specified by userspace when calling the KEYCTL_GET_PERSISTENT\nfunction and the process does not have the CAP_SETUID capability, then the\nfunction will return -EPERM if the current process\u0027s uid, suid, euid and fsuid\nall match the requested UID.  This is incorrect.\n\nFix it such that when a non-privileged caller requests a persistent keyring by\na specific UID they can only request their own (ie. the specified UID matches\neither the process\u0027s UID or the process\u0027s EUID).\n\nThis can be tested by logging in as the user and doing:\n\n\tkeyctl get_persistent @p\n\tkeyctl get_persistent @p `id -u`\n\tkeyctl get_persistent @p 0\n\nThe first two should successfully print the same key ID.  The third should do\nthe same if called by UID 0 or indicate Operation Not Permitted otherwise.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Stephen Gallagher \u003csgallagh@redhat.com\u003e\n"
    },
    {
      "commit": "a20b62bdf7a1ed1a334eff3c4cafa97f5826006b",
      "tree": "233c3774d6ff81715d37163cc223fb5008e83e9b",
      "parents": [
        "d3aea84a4ace5ff9ce7fb7714cee07bebef681c2"
      ],
      "author": {
        "name": "Richard Guy Briggs",
        "email": "rgb@redhat.com",
        "time": "Tue Oct 01 21:14:54 2013 -0400"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 05 11:09:11 2013 -0500"
      },
      "message": "audit: suppress stock memalloc failure warnings since already managed\n\nSuppress the stock memory allocation failure warnings for audit buffers\nsince audit already takes care of memory allocation failure warnings, including\nrate-limiting, in audit_log_start().\n\nSigned-off-by: Richard Guy Briggs \u003crgb@redhat.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "b805b198dc74b73aabb6969a3db734c71c05c88c",
      "tree": "7863f6b26836117ac4677554252376e3a8c014de",
      "parents": [
        "b0fed40214ce79ef70d97584ebdf13f89786da0e"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri May 24 12:09:50 2013 -0400"
      },
      "committer": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Nov 05 11:07:35 2013 -0500"
      },
      "message": "selinux: apply selinux checks on new audit message types\n\nWe use the read check to get the feature set (like AUDIT_GET) and the\nwrite check to set the features (like AUDIT_SET).\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Richard Guy Briggs \u003crgb@redhat.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "217091dd7a7a1bdac027ddb7c5a25f6ac0b8e241",
      "tree": "3a8a39da527431153698fc73640db47e8a1bd43a",
      "parents": [
        "bcbc9b0cf6d8f340a1d166e414f4612b353f7a9b"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Aug 13 08:47:43 2013 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Oct 31 20:20:48 2013 -0400"
      },
      "message": "ima: define \u0027_ima\u0027 as a builtin \u0027trusted\u0027 keyring\n\nRequire all keys added to the IMA keyring be signed by an\nexisting trusted key on the system trusted keyring.\n\nChangelog:\n- define stub integrity_init_keyring() function (reported-by Fengguang Wu)\n- differentiate between regular and trusted keyring names.\n- replace printk with pr_info (D. Kasatkin)\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "bcbc9b0cf6d8f340a1d166e414f4612b353f7a9b",
      "tree": "cd728f166ccf86137a7a8a7847ce962488ff86e2",
      "parents": [
        "42a20ba5c90ded07f79992d222fa0814b8448cf6"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Jul 23 11:15:00 2013 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Oct 31 20:19:35 2013 -0400"
      },
      "message": "ima: extend the measurement list to include the file signature\n\nThis patch defines a new template called \u0027ima-sig\u0027, which includes\nthe file signature in the template data, in addition to the file\u0027s\ndigest and pathname.\n\nA template is composed of a set of fields.  Associated with each\nfield is an initialization and display function.  This patch defines\na new template field called \u0027sig\u0027, the initialization function\nima_eventsig_init(), and the display function ima_show_template_sig().\n\nThis patch modifies the .field_init() function definition to include\nthe \u0027security.ima\u0027 extended attribute and length.\n\nChangelog:\n- remove unused code (Dmitry Kasatkin)\n- avoid calling ima_write_template_field_data() unnecessarily (Roberto Sassu)\n- rename DATA_FMT_SIG to DATA_FMT_HEX\n- cleanup ima_eventsig_init() based on Roberto\u0027s comments\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Dmitry Kasatkin \u003cd.kasatkin@samsung.com\u003e\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\n"
    },
    {
      "commit": "42a20ba5c90ded07f79992d222fa0814b8448cf6",
      "tree": "f19f8c5fd0ce043fcae5455489e552fc70217cad",
      "parents": [
        "51775fe736f053329faf0f5de7c679ee4cb0023d",
        "6ef4d2eaf5a46d4ab6db02612b5e883b834017b8"
      ],
      "author": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Thu Oct 31 09:46:36 2013 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Thu Oct 31 09:46:36 2013 +1100"
      },
      "message": "Merge branch \u0027keys-devel\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into ra-next\n"
    },
    {
      "commit": "d2b86970245b64652c4d7799e707dd8bd1533b64",
      "tree": "00aaa63cb66c5cfbd595261ba7f5029fbe1326f9",
      "parents": [
        "034faeb9ef390d58239e1dce748143f6b35a0d9b"
      ],
      "author": {
        "name": "Wei Yongjun",
        "email": "yongjun_wei@trendmicro.com.cn",
        "time": "Wed Oct 30 11:23:02 2013 +0800"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Oct 30 12:54:29 2013 +0000"
      },
      "message": "KEYS: fix error return code in big_key_instantiate()\n\nFix to return a negative error code from the error handling\ncase instead of 0, as done elsewhere in this function.\n\nSigned-off-by: Wei Yongjun \u003cyongjun_wei@trendmicro.com.cn\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n"
    },
    {
      "commit": "034faeb9ef390d58239e1dce748143f6b35a0d9b",
      "tree": "f2239231b251a064e0f8d4b5c34cf4ef04586992",
      "parents": [
        "74792b0001ee85b845dc82c1a716c6052c2db9de"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Oct 30 11:15:24 2013 +0000"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Oct 30 11:15:24 2013 +0000"
      },
      "message": "KEYS: Fix keyring quota misaccounting on key replacement and unlink\n\nIf a key is displaced from a keyring by a matching one, then four more bytes\nof quota are allocated to the keyring - despite the fact that the keyring does\nnot change in size.\n\nFurther, when a key is unlinked from a keyring, the four bytes of quota\nallocated to the link isn\u0027t recovered and returned to the user\u0027s pool.\n\nThe first can be tested by repeating:\n\n\tkeyctl add big_key a fred @s\n\tcat /proc/key-users\n\n(Don\u0027t put it in a shell loop otherwise the garbage collector won\u0027t have time\nto clear the displaced keys, thus affecting the result).\n\nThis was causing the kerberos keyring to run out of room fairly quickly.\n\nThe second can be tested by:\n\n\tcat /proc/key-users\n\ta\u003d`keyctl add user a a @s`\n\tcat /proc/key-users\n\tkeyctl unlink $a\n\tsleep 1 # Give RCU a chance to delete the key\n\tcat /proc/key-users\n\nassuming no system activity that otherwise adds/removes keys, the amount of\nkey data allocated should go up (say 40/20000 -\u003e 47/20000) and then return to\nthe original value at the end.\n\nReported-by: Stephen Gallagher \u003csgallagh@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n"
    },
    {
      "commit": "74792b0001ee85b845dc82c1a716c6052c2db9de",
      "tree": "eacf322c88e57e005a8032e8a1b86bde522496d4",
      "parents": [
        "2eaf6b5dcafda2b8c22930eff7f48a364fce1741"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Oct 30 11:15:24 2013 +0000"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Oct 30 11:15:24 2013 +0000"
      },
      "message": "KEYS: Fix a race between negating a key and reading the error set\n\nkey_reject_and_link() marking a key as negative and setting the error with\nwhich it was negated races with keyring searches and other things that read\nthat error.\n\nThe fix is to switch the order in which the assignments are done in\nkey_reject_and_link() and to use memory barriers.\n\nKudos to Dave Wysochanski \u003cdwysocha@redhat.com\u003e and Scott Mayhew\n\u003csmayhew@redhat.com\u003e for tracking this down.\n\nThis may be the cause of:\n\nBUG: unable to handle kernel NULL pointer dereference at 0000000000000070\nIP: [\u003cffffffff81219011\u003e] wait_for_key_construction+0x31/0x80\nPGD c6b2c3067 PUD c59879067 PMD 0\nOops: 0000 [#1] SMP\nlast sysfs file: /sys/devices/system/cpu/cpu3/cache/index2/shared_cpu_map\nCPU 0\nModules linked in: ...\n\nPid: 13359, comm: amqzxma0 Not tainted 2.6.32-358.20.1.el6.x86_64 #1 IBM System x3650 M3 -[7945PSJ]-/00J6159\nRIP: 0010:[\u003cffffffff81219011\u003e] wait_for_key_construction+0x31/0x80\nRSP: 0018:ffff880c6ab33758  EFLAGS: 00010246\nRAX: ffffffff81219080 RBX: 0000000000000000 RCX: 0000000000000002\nRDX: ffffffff81219060 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffff880c6ab33768 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: ffff880adfcbce40\nR13: ffffffffa03afb84 R14: ffff880adfcbce40 R15: ffff880adfcbce43\nFS:  00007f29b8042700(0000) GS:ffff880028200000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000070 CR3: 0000000c613dc000 CR4: 00000000000007f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\nProcess amqzxma0 (pid: 13359, threadinfo ffff880c6ab32000, task ffff880c610deae0)\nStack:\n ffff880adfcbce40 0000000000000000 ffff880c6ab337b8 ffffffff81219695\n\u003cd\u003e 0000000000000000 ffff880a000000d0 ffff880c6ab337a8 
000000000000000f\n\u003cd\u003e ffffffffa03afb93 000000000000000f ffff88186c7882c0 0000000000000014\nCall Trace:\n [\u003cffffffff81219695\u003e] request_key+0x65/0xa0\n [\u003cffffffffa03a0885\u003e] nfs_idmap_request_key+0xc5/0x170 [nfs]\n [\u003cffffffffa03a0eb4\u003e] nfs_idmap_lookup_id+0x34/0x80 [nfs]\n [\u003cffffffffa03a1255\u003e] nfs_map_group_to_gid+0x75/0xa0 [nfs]\n [\u003cffffffffa039a9ad\u003e] decode_getfattr_attrs+0xbdd/0xfb0 [nfs]\n [\u003cffffffff81057310\u003e] ? __dequeue_entity+0x30/0x50\n [\u003cffffffff8100988e\u003e] ? __switch_to+0x26e/0x320\n [\u003cffffffffa039ae03\u003e] decode_getfattr+0x83/0xe0 [nfs]\n [\u003cffffffffa039b610\u003e] ? nfs4_xdr_dec_getattr+0x0/0xa0 [nfs]\n [\u003cffffffffa039b69f\u003e] nfs4_xdr_dec_getattr+0x8f/0xa0 [nfs]\n [\u003cffffffffa02dada4\u003e] rpcauth_unwrap_resp+0x84/0xb0 [sunrpc]\n [\u003cffffffffa039b610\u003e] ? nfs4_xdr_dec_getattr+0x0/0xa0 [nfs]\n [\u003cffffffffa02cf923\u003e] call_decode+0x1b3/0x800 [sunrpc]\n [\u003cffffffff81096de0\u003e] ? wake_bit_function+0x0/0x50\n [\u003cffffffffa02cf770\u003e] ? call_decode+0x0/0x800 [sunrpc]\n [\u003cffffffffa02d99a7\u003e] __rpc_execute+0x77/0x350 [sunrpc]\n [\u003cffffffff81096c67\u003e] ? bit_waitqueue+0x17/0xd0\n [\u003cffffffffa02d9ce1\u003e] rpc_execute+0x61/0xa0 [sunrpc]\n [\u003cffffffffa02d03a5\u003e] rpc_run_task+0x75/0x90 [sunrpc]\n [\u003cffffffffa02d04c2\u003e] rpc_call_sync+0x42/0x70 [sunrpc]\n [\u003cffffffffa038ff80\u003e] _nfs4_call_sync+0x30/0x40 [nfs]\n [\u003cffffffffa038836c\u003e] _nfs4_proc_getattr+0xac/0xc0 [nfs]\n [\u003cffffffff810aac87\u003e] ? futex_wait+0x227/0x380\n [\u003cffffffffa038b856\u003e] nfs4_proc_getattr+0x56/0x80 [nfs]\n [\u003cffffffffa0371403\u003e] __nfs_revalidate_inode+0xe3/0x220 [nfs]\n [\u003cffffffffa037158e\u003e] nfs_revalidate_mapping+0x4e/0x170 [nfs]\n [\u003cffffffffa036f147\u003e] nfs_file_read+0x77/0x130 [nfs]\n [\u003cffffffff811811aa\u003e] do_sync_read+0xfa/0x140\n [\u003cffffffff81096da0\u003e] ? 
autoremove_wake_function+0x0/0x40\n [\u003cffffffff8100bb8e\u003e] ? apic_timer_interrupt+0xe/0x20\n [\u003cffffffff8100b9ce\u003e] ? common_interrupt+0xe/0x13\n [\u003cffffffff81228ffb\u003e] ? selinux_file_permission+0xfb/0x150\n [\u003cffffffff8121bed6\u003e] ? security_file_permission+0x16/0x20\n [\u003cffffffff81181a95\u003e] vfs_read+0xb5/0x1a0\n [\u003cffffffff81181bd1\u003e] sys_read+0x51/0x90\n [\u003cffffffff810dc685\u003e] ? __audit_syscall_exit+0x265/0x290\n [\u003cffffffff8100b072\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\ncc: Dave Wysochanski \u003cdwysocha@redhat.com\u003e\ncc: Scott Mayhew \u003csmayhew@redhat.com\u003e\n"
    },
    {
      "commit": "2eaf6b5dcafda2b8c22930eff7f48a364fce1741",
      "tree": "959a9a617f7476d22dce1efbfb2b320668a52022",
      "parents": [
        "50b719f811583a47762ecb7e480d253abc2eb22f"
      ],
      "author": {
        "name": "Josh Boyer",
        "email": "jwboyer@redhat.com",
        "time": "Wed Oct 30 11:15:23 2013 +0000"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Oct 30 11:15:23 2013 +0000"
      },
      "message": "KEYS: Make BIG_KEYS boolean\n\nHaving the big_keys functionality as a module is very marginally useful.\nThe userspace code that would use this functionality will get odd error\nmessages from the keys layer if the module isn\u0027t loaded.  The code itself\nis fairly small, so just have this as a boolean option and not a tristate.\n\nSigned-off-by: Josh Boyer \u003cjwboyer@fedoraproject.org\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n"
    },
    {
      "commit": "51775fe736f053329faf0f5de7c679ee4cb0023d",
      "tree": "03c7edaa4b4e6b3d78528769202661ce4861a832",
      "parents": [
        "4a7fc3018f05f4305723b508b12f3be13b7c4875"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Tue Oct 08 05:46:03 2013 -0700"
      },
      "committer": {
        "name": "John Johansen",
        "email": "john.johansen@canonical.com",
        "time": "Tue Oct 29 21:34:18 2013 -0700"
      },
      "message": "apparmor: remove the \"task\" arg from may_change_ptraced_domain()\n\nUnless task \u003d\u003d current ptrace_parent(task) is not safe even under\nrcu_read_lock() and most of the current users are not right.\n\nSo may_change_ptraced_domain(task) looks wrong as well. However it\nis always called with task \u003d\u003d current so the code is actually fine.\nRemove this argument to make this fact clear.\n\nNote: perhaps we should simply kill ptrace_parent(), it buys almost\nnothing. And it is obviously racy, perhaps this should be fixed.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\n"
    },
    {
      "commit": "4a7fc3018f05f4305723b508b12f3be13b7c4875",
      "tree": "cbb27bfd27362dadffb4850f79c49897a2ec2552",
      "parents": [
        "61e3fb8acaea0ca4303ef123bae7edf8435dc2b7"
      ],
      "author": {
        "name": "John Johansen",
        "email": "john.johansen@canonical.com",
        "time": "Tue Oct 08 05:39:02 2013 -0700"
      },
      "committer": {
        "name": "John Johansen",
        "email": "john.johansen@canonical.com",
        "time": "Tue Oct 29 21:34:04 2013 -0700"
      },
      "message": "apparmor: remove parent task info from audit logging\n\nThe reporting of the parent task info is a vestige from old versions of\napparmor. The need for this information was removed by unique null-\nprofiles before apparmor was upstreamed so remove this info from logging.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\n"
    },
    {
      "commit": "61e3fb8acaea0ca4303ef123bae7edf8435dc2b7",
      "tree": "434c0947a474470b8fc58e95074f40ff9e0613b8",
      "parents": [
        "dd0c6e86f66080869ca0a48c78fb9bfbe4cf156f"
      ],
      "author": {
        "name": "John Johansen",
        "email": "john.johansen@canonical.com",
        "time": "Tue Oct 08 05:37:26 2013 -0700"
      },
      "committer": {
        "name": "John Johansen",
        "email": "john.johansen@canonical.com",
        "time": "Tue Oct 29 21:33:52 2013 -0700"
      },
      "message": "apparmor: remove tsk field from the apparmor_audit_struct\n\nNow that aa_capable no longer sets the task field it can be removed\nand the lsm_audit version of the field can be used.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\n"
    },
    {
      "commit": "dd0c6e86f66080869ca0a48c78fb9bfbe4cf156f",
      "tree": "f97984485d11517840063f8d5e78c39f9f292c00",
      "parents": [
        "50b719f811583a47762ecb7e480d253abc2eb22f"
      ],
      "author": {
        "name": "John Johansen",
        "email": "john.johansen@canonical.com",
        "time": "Tue Oct 08 05:37:18 2013 -0700"
      },
      "committer": {
        "name": "John Johansen",
        "email": "john.johansen@canonical.com",
        "time": "Tue Oct 29 21:33:37 2013 -0700"
      },
      "message": "apparmor: fix capability to not use the current task, during reporting\n\nMediation is based off of the cred but auditing includes the current\ntask which may not be related to the actual request.\n\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\n"
    },
    {
      "commit": "50b719f811583a47762ecb7e480d253abc2eb22f",
      "tree": "290e6cb4f15695140a9dbef1164e69ac9c80e454",
      "parents": [
        "3ea7a56067e663278470c04fd655adf809e72d4d",
        "b5dfd8075bc26636d11c3d8888940198afbf5112"
      ],
      "author": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Wed Oct 30 14:07:10 2013 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Wed Oct 30 14:07:10 2013 +1100"
      },
      "message": "Merge branch \u0027smack-for-3.13\u0027 of git://git.gitorious.org/smack-next/kernel into ra-next\n"
    },
    {
      "commit": "b5dfd8075bc26636d11c3d8888940198afbf5112",
      "tree": "65c10996178b210a5d7223489cf8d5332bc9c273",
      "parents": [
        "c0ab6e56dcb7ca9903d460247cb464e769ae6e77"
      ],
      "author": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Tue Oct 22 11:47:45 2013 -0700"
      },
      "committer": {
        "name": "Casey Schaufler",
        "email": "casey@schaufler-ca.com",
        "time": "Mon Oct 28 10:23:36 2013 -0700"
      },
      "message": "Smack: Ptrace access check mode\n\nWhen the ptrace security hooks were split the addition of\na mode parameter was not taken advantage of in the Smack\nptrace access check. This changes the access check from\nalways looking for read and write access to using the\npassed mode. This will make use of /proc much happier.\n\nTargeted for git://git.gitorious.org/smack-next/kernel.git\n\nSigned-off-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n"
    },
    {
      "commit": "3ea7a56067e663278470c04fd655adf809e72d4d",
      "tree": "8216b30887dc86cf7594f6fd1cc729b7eda28c0a",
      "parents": [
        "e7a2ad7eb6f48ad80c70a22dd8167fb34b409466"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "d.kasatkin@samsung.com",
        "time": "Mon Aug 12 11:22:51 2013 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Sat Oct 26 21:32:55 2013 -0400"
      },
      "message": "ima: provide hash algo info in the xattr\n\nAll files labeled with \u0027security.ima\u0027 hashes are hashed using the\nsame hash algorithm.  Changing from one hash algorithm to another\nrequires relabeling the filesystem.  This patch defines a new xattr\ntype, which includes the hash algorithm, permitting different files\nto be hashed with different algorithms.\n\nSigned-off-by: Dmitry Kasatkin \u003cd.kasatkin@samsung.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "e7a2ad7eb6f48ad80c70a22dd8167fb34b409466",
      "tree": "d1b7e58d2029a273a347b9b9a08f35c50b244d27",
      "parents": [
        "9b9d4ce592d283fc4c01da746c02a840c499bb7e"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Jun 07 12:16:37 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Sat Oct 26 21:32:55 2013 -0400"
      },
      "message": "ima: enable support for larger default filedata hash algorithms\n\nThe IMA measurement list contains two hashes - a template data hash\nand a filedata hash.  The template data hash is committed to the TPM,\nwhich is limited, by the TPM v1.2 specification, to 20 bytes.  The\nfiledata hash is defined as 20 bytes as well.\n\nNow that support for variable length measurement list templates was\nadded, the filedata hash is not limited to 20 bytes.  This patch adds\nKconfig support for defining larger default filedata hash algorithms\nand replacing the builtin default with one specified on the kernel\ncommand line.\n\n\u003cuapi/linux/hash_info.h\u003e contains a list of hash algorithms.  The\nKconfig default hash algorithm is a subset of this list, but any hash\nalgorithm included in the list can be specified at boot, using the\n\u0027ima_hash\u003d\u0027 kernel command line option.\n\nChangelog v2:\n- update Kconfig\n\nChangelog:\n- support hashes that are configured\n- use generic HASH_ALGO_ definitions\n- add Kconfig support\n- hash_setup must be called only once (Dmitry)\n- removed trailing whitespaces (Roberto Sassu)\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\n"
    },
    {
      "commit": "9b9d4ce592d283fc4c01da746c02a840c499bb7e",
      "tree": "e0778c7a3aef0259a06f03c2f90f271a6789000c",
      "parents": [
        "4286587dccd43d4f81fa227e413ed7e909895342"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Jun 07 12:16:35 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Sat Oct 26 21:32:54 2013 -0400"
      },
      "message": "ima: define kernel parameter \u0027ima_template\u003d\u0027 to change configured default\n\nThis patch allows users to specify from the kernel command line the\ntemplate descriptor, among those defined, that will be used to generate\nand display measurement entries. If a user specifies a wrong template,\nIMA reverts to the template descriptor set in the kernel configuration.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "4286587dccd43d4f81fa227e413ed7e909895342",
      "tree": "94781e93d49c79253048e60b21d822c635cda444",
      "parents": [
        "add1c05dceb495a45036d66cdcbb3b2306de26c1"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Jun 07 12:16:34 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Sat Oct 26 21:32:54 2013 -0400"
      },
      "message": "ima: add Kconfig default measurement list template\n\nThis patch adds a Kconfig option to select the default IMA\nmeasurement list template.  The \u0027ima\u0027 template limited the\nfiledata hash to 20 bytes and the pathname to 255 characters.\nThe \u0027ima-ng\u0027 measurement list template permits larger hash\ndigests and longer pathnames.\n\nChangelog:\n- keep \u0027select CRYPTO_HASH_INFO\u0027 in \u0027config IMA\u0027 section (Kconfig)\n  (Roberto Sassu);\n- removed trailing whitespaces (Roberto Sassu).\n- Lindent fixes\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\n"
    },
    {
      "commit": "add1c05dceb495a45036d66cdcbb3b2306de26c1",
      "tree": "b432080d2151c60c3ce7d07f68336113befa096d",
      "parents": [
        "5278aa52f35003ddafda80b0243b3693f935b134"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Jun 07 12:16:39 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Sat Oct 26 21:32:53 2013 -0400"
      },
      "message": "ima: defer determining the appraisal hash algorithm for \u0027ima\u0027 template\n\nThe same hash algorithm should be used for calculating the file\ndata hash for the IMA measurement list, as for appraising the file\ndata integrity.  (The appraise hash algorithm is stored in the\n\u0027security.ima\u0027 extended attribute.)  The exception is when the\nreference file data hash digest, stored in the extended attribute,\nis larger than the one supported by the template.  In this case,\nthe file data hash needs to be calculated twice, once for the\nmeasurement list and, again, for appraisal.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "5278aa52f35003ddafda80b0243b3693f935b134",
      "tree": "ca904308ffb6482612ab6f74ee7480c8e4fcf18c",
      "parents": [
        "a71dc65d30a472409f05d247f4eab91b14acf2f5"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Jun 07 12:16:38 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Sat Oct 26 21:32:46 2013 -0400"
      },
      "message": "ima: add audit log support for larger hashes\n\nDifferent files might be signed based on different hash algorithms.\nThis patch prefixes the audit log measurement hash with the hash\nalgorithm.\n\nChangelog:\n- use generic HASH_ALGO definitions\n- use \u0027:\u0027 as delimiter between the hash algorithm and the digest\n  (Roberto Sassu)\n- always include the hash algorithm used when audit-logging a measurement\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Peter Moody \u003cpmoody@google.com\u003e\n"
    },
    {
      "commit": "a71dc65d30a472409f05d247f4eab91b14acf2f5",
      "tree": "0d0798a7a40af5db7d44608de1f64ca872bfaf1c",
      "parents": [
        "4d7aeee73f5304bf195aa2904f8eb1d7b2e8fe52"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Jun 07 12:16:33 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Oct 25 17:17:06 2013 -0400"
      },
      "message": "ima: switch to new template management mechanism\n\nThis patch performs the switch to the new template mechanism by modifying\nthe functions ima_alloc_init_template(), ima_measurements_show() and\nima_ascii_measurements_show(). The old function ima_template_show() was\nremoved as it is no longer needed. Also, if the template descriptor used\nto generate a measurement entry is not \u0027ima\u0027, the whole length of field\ndata stored for an entry is provided before the data itself through the\nbinary_runtime_measurement interface.\n\nChangelog:\n- unnecessary to use strncmp() (Mimi Zohar)\n- create new variable \u0027field\u0027 in ima_alloc_init_template() (Roberto Sassu)\n- use GFP_NOFS flag in ima_alloc_init_template() (Roberto Sassu)\n- new variable \u0027num_fields\u0027 in ima_store_template() (Roberto Sassu,\n  proposed by Mimi Zohar)\n- rename ima_calc_buffer_hash/template_hash() to ima_calc_field_array_hash(),\n  something more generic (Mimi, requested by Dmitry)\n- sparse error fix - Fengguang Wu\n- fix lindent warnings\n- always include the field length in the template data length\n- include the template field length variable size in the template data length\n- include both the template field data and field length in the template digest\n  calculation. Simplifies verifying the template digest. (Mimi)\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "4d7aeee73f5304bf195aa2904f8eb1d7b2e8fe52",
      "tree": "5cc0bb30f81dab7a981c1f640fb668932a7c32c2",
      "parents": [
        "3ce1217d6cd5dfa82a9db5c2a999cc1bb01490d9"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Jun 07 12:16:32 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Oct 25 17:17:05 2013 -0400"
      },
      "message": "ima: define new template ima-ng and template fields d-ng and n-ng\n\nThis patch adds support for the new template \u0027ima-ng\u0027, whose format\nis defined as \u0027d-ng|n-ng\u0027.  These new field definitions remove the\nsize limitations of the original \u0027ima\u0027 template.  Further, the \u0027d-ng\u0027\nfield prefixes the inode digest with the hash algorithm, when\ndisplaying the new larger digest sizes.\n\nChange log:\n- scripts/Lindent fixes  - Mimi\n- \"always true comparison\" - reported by Fengguang Wu, resolved Dmitry\n- initialize hash_algo variable to HASH_ALGO__LAST\n- always prefix digest with hash algorithm - Mimi\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "3ce1217d6cd5dfa82a9db5c2a999cc1bb01490d9",
      "tree": "4645a20eaa70b3dc5dd4654fa31a7cf132291fd5",
      "parents": [
        "adf53a778a0a5a5dc9103509da4a9719046e5310"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Jun 07 12:16:30 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Oct 25 17:17:05 2013 -0400"
      },
      "message": "ima: define template fields library and new helpers\n\nThis patch defines a library containing two initial template fields,\ninode digest (d) and file name (n), the \u0027ima\u0027 template descriptor,\nwhose format is \u0027d|n\u0027, and two helper functions,\nima_write_template_field_data() and ima_show_template_field_data().\n\nChangelog:\n- replace ima_eventname_init() parameter NULL checking with BUG_ON.\n  (suggested by Mimi)\n- include \"new template fields for inode digest (d) and file name (n)\"\n  definitions to fix a compiler warning.  - Mimi\n- unnecessary to prefix static function names with \u0027ima_\u0027. remove\n  prefix to resolve Lindent formatting changes. - Mimi\n- abbreviated/removed inline comments - Mimi\n- always send the template field length - Mimi\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "adf53a778a0a5a5dc9103509da4a9719046e5310",
      "tree": "2c5298965f79c48194481ad3b6ad9f1a3ab84a2c",
      "parents": [
        "7bc5f447ce9d01e19394b5399bf1a4fcebf0f8dd"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Jun 07 12:16:29 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Oct 25 17:17:04 2013 -0400"
      },
      "message": "ima: new templates management mechanism\n\nThe original \u0027ima\u0027 template is fixed length, containing the filedata hash\nand pathname.  The filedata hash is limited to 20 bytes (md5/sha1).  The\npathname is a null terminated string, limited to 255 characters.  To\novercome these limitations and to add additional file metadata, it is\nnecessary to extend the current version of IMA by defining additional\ntemplates.\n\nThe main reason to introduce this feature is that, each time a new\ntemplate is defined, the functions that generate and display the\nmeasurement list would include the code for handling a new format and,\nthus, would significantly grow over time.\n\nThis patch set solves this problem by separating the template management\nfrom the remaining IMA code. The core of this solution is the definition\nof two new data structures: a template descriptor, to determine which\ninformation should be included in the measurement list, and a template\nfield, to generate and display data of a given type.\n\nTo define a new template field, developers define the field identifier\nand implement two functions, init() and show(), respectively to generate\nand display measurement entries.  Initially, this patch set defines the\nfollowing template fields (support for additional data types will be\nadded later):\n - \u0027d\u0027: the digest of the event (i.e. the digest of a measured file),\n        calculated with the SHA1 or MD5 hash algorithm;\n - \u0027n\u0027: the name of the event (i.e. 
the file name), with size up to\n        255 bytes;\n - \u0027d-ng\u0027: the digest of the event, calculated with an arbitrary hash\n           algorithm (field format: [\u003chash algo\u003e:]digest, where the digest\n           prefix is shown only if the hash algorithm is not SHA1 or MD5);\n - \u0027n-ng\u0027: the name of the event, without size limitations.\n\nDefining a new template descriptor requires specifying the template format,\na string of field identifiers separated by the \u0027|\u0027 character.  This patch\nset defines the following template descriptors:\n - \"ima\": its format is \u0027d|n\u0027;\n - \"ima-ng\" (default): its format is \u0027d-ng|n-ng\u0027\n\nFurther details about the new template architecture can be found in\nDocumentation/security/IMA-templates.txt.\n\nChangelog:\n- don\u0027t defer calling ima_init_template() - Mimi\n- don\u0027t define ima_lookup_template_desc() until used - Mimi\n- squashed with documentation patch - Mimi\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "7bc5f447ce9d01e19394b5399bf1a4fcebf0f8dd",
      "tree": "b15aaf6f56d81d204296455a80fd1ff29c4cd122",
      "parents": [
        "9803d413f41db86fdf0097f1af781fe2e68f474c"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Jun 07 12:16:28 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Oct 25 17:17:04 2013 -0400"
      },
      "message": "ima: define new function ima_alloc_init_template() to API\n\nInstead of allocating and initializing the template entry from multiple\nplaces (e.g. boot aggregate, violation, and regular measurements), this\npatch defines a new function called ima_alloc_init_template().  The new\nfunction allocates and initializes the measurement entry with the inode\ndigest and the filename.\n\nIn respect to the current behavior, it truncates the file name passed\nin the \u0027filename\u0027 argument if the latter\u0027s size is greater than 255 bytes\nand the passed file descriptor is NULL.\n\nChangelog:\n- initialize \u0027hash\u0027 variable for non TPM case - Mimi\n- conform to expectation for \u0027iint\u0027 to be defined as a pointer. - Mimi\n- add missing \u0027file\u0027 dependency for recalculating file hash. - Mimi\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "9803d413f41db86fdf0097f1af781fe2e68f474c",
      "tree": "cbfdd18431034357ccceb0e01b7739708622fc41",
      "parents": [
        "7d802a227b7f26c89f13dab09767e6b0aebd9c9f"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Jun 07 12:16:27 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Oct 25 17:17:03 2013 -0400"
      },
      "message": "ima: pass the filename argument up to ima_add_template_entry()\n\nPass the filename argument to ima_add_template_entry() in order to\neliminate a dependency on template specific data (third argument of\nintegrity_audit_msg).\n\nThis change is required because, with the new template management\nmechanism, the generation of a new measurement entry will be performed\nby new specific functions (introduced in next patches) and the current IMA\ncode will not be aware anymore of how data is stored in the entry payload.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "7d802a227b7f26c89f13dab09767e6b0aebd9c9f",
      "tree": "755c29562e348bc3b3f30c5a402d00d8eea77b75",
      "parents": [
        "09ef54359c4ad49c01a12503b2c510b424ecf059"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Fri Jun 07 12:16:26 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Oct 25 17:17:02 2013 -0400"
      },
      "message": "ima: pass the file descriptor to ima_add_violation()\n\nPass the file descriptor instead of the inode to ima_add_violation(),\nto make the latter consistent with ima_store_measurement() in\npreparation for the new template architecture.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "09ef54359c4ad49c01a12503b2c510b424ecf059",
      "tree": "18911069d877f2ae821c040d5fc64339dffd03d7",
      "parents": [
        "ea593993d361748e795f5eb783a5fb5144fb2df9"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "d.kasatkin@samsung.com",
        "time": "Fri Jun 07 12:16:25 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Oct 25 17:17:02 2013 -0400"
      },
      "message": "ima: ima_calc_boot_aggregate must use SHA1\n\nWith multiple hash algorithms, ima_hash_tfm is no longer guaranteed to be sha1.\nNeed to force to use sha1.\n\nChangelog:\n- pass ima_digest_data to ima_calc_boot_aggregate() instead of char *\n  (Roberto Sassu);\n- create an ima_digest_data structure in ima_add_boot_aggregate()\n  (Roberto Sassu);\n- pass hash-\u003ealgo to ima_alloc_tfm() (Roberto Sassu, reported by Dmitry).\n- \"move hash definition in ima_add_boot_aggregate()\" commit hunk to here.\n- sparse warning fix - Fengguang Wu\n\nSigned-off-by: Dmitry Kasatkin \u003cd.kasatkin@samsung.com\u003e\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "ea593993d361748e795f5eb783a5fb5144fb2df9",
      "tree": "387915941a654ae6b23199d372c73afede8d19e1",
      "parents": [
        "723326b927b675daf4223fe31d7428eca68f194b"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "d.kasatkin@samsung.com",
        "time": "Fri Jun 07 12:16:24 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Oct 25 17:17:01 2013 -0400"
      },
      "message": "ima: support arbitrary hash algorithms in ima_calc_buffer_hash\n\nima_calc_buffer_hash will be used with different hash algorithms.\nThis patch provides support for arbitrary hash algorithms in\nima_calc_buffer_hash.\n\nSigned-off-by: Dmitry Kasatkin \u003cd.kasatkin@samsung.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "723326b927b675daf4223fe31d7428eca68f194b",
      "tree": "499ca34fc60793d66ae07dc9ee453a401bef3cc8",
      "parents": [
        "140d802240a4ba3351494b4ab199964b96f87493"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "d.kasatkin@samsung.com",
        "time": "Thu Jul 04 17:40:01 2013 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Oct 25 17:17:01 2013 -0400"
      },
      "message": "ima: provide dedicated hash algo allocation function\n\nThis patch provides dedicated hash algo allocation and\ndeallocation function which can be used by different clients.\n\nSigned-off-by: Dmitry Kasatkin \u003cd.kasatkin@samsung.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "140d802240a4ba3351494b4ab199964b96f87493",
      "tree": "0fa711063f82e868ef589165e89e7b2298b60025",
      "parents": [
        "a35c3fb6490cc1d3446e4781693408100113c4fb"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Mar 11 20:29:47 2013 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Oct 25 17:17:00 2013 -0400"
      },
      "message": "ima: differentiate between template hash and file data hash sizes\n\nThe TPM v1.2 limits the template hash size to 20 bytes.  This\npatch differentiates between the template hash size, as defined\nin the ima_template_entry, and the file data hash size, as\ndefined in the ima_template_data.  Subsequent patches add support\nfor different file data hash algorithms.\n\nChange log:\n- hash digest definition in ima_store_template() should be TPM_DIGEST_SIZE\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "a35c3fb6490cc1d3446e4781693408100113c4fb",
      "tree": "03234f8b7ebaf3cb98bf77f999b8a5284d4dadbc",
      "parents": [
        "b1aaab22e263d0cca1effe319b7d2bf895444219"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "d.kasatkin@samsung.com",
        "time": "Thu Apr 25 10:44:04 2013 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Oct 25 17:17:00 2013 -0400"
      },
      "message": "ima: use dynamically allocated hash storage\n\nFor each inode in the IMA policy, an iint is allocated.  To support\nlarger hash digests, the iint digest size changed from 20 bytes to\nthe maximum supported hash digest size.  Instead of allocating the\nmaximum size, which most likely is not needed, this patch dynamically\nallocates the needed hash storage.\n\nChangelog:\n- fix krealloc bug\n\nSigned-off-by: Dmitry Kasatkin \u003cd.kasatkin@samsung.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    }
  ],
  "next": "b1aaab22e263d0cca1effe319b7d2bf895444219"
}
