)]}' { "log": [ { "commit": "1b9a3917366028cc451a98dd22e3bcd537d4e5c1", "tree": "d911058720e0a9aeeaf9f407ccdc6fbf4047f47d", "parents": [ "3661f00e2097676847deb01add1a0918044bd816", "71e1c784b24a026a490b3de01541fc5ee14ebc09" ], "author": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sat Mar 25 09:24:53 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sat Mar 25 09:24:53 2006 -0800" }, "message": "Merge branch \u0027audit.b3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current\n\n* \u0027audit.b3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: (22 commits)\n [PATCH] fix audit_init failure path\n [PATCH] EXPORT_SYMBOL patch for audit_log, audit_log_start, audit_log_end and audit_format\n [PATCH] sem2mutex: audit_netlink_sem\n [PATCH] simplify audit_free() locking\n [PATCH] Fix audit operators\n [PATCH] promiscuous mode\n [PATCH] Add tty to syscall audit records\n [PATCH] add/remove rule update\n [PATCH] audit string fields interface + consumer\n [PATCH] SE Linux audit events\n [PATCH] Minor cosmetic cleanups to the code moved into auditfilter.c\n [PATCH] Fix audit record filtering with !CONFIG_AUDITSYSCALL\n [PATCH] Fix IA64 success/failure indication in syscall auditing.\n [PATCH] Miscellaneous bug and warning fixes\n [PATCH] Capture selinux subject/object context information.\n [PATCH] Exclude messages by message type\n [PATCH] Collect more inode information during syscall processing.\n [PATCH] Pass dentry, not just name, in fsnotify creation hooks.\n [PATCH] Define new range of userspace messages.\n [PATCH] Filter rule comparators\n ...\n\nFixed trivial conflict in security/selinux/hooks.c\n" }, { "commit": "c841aa030437bdf1b6fb22d93eb760e35380a4ed", "tree": "f23ec860be9deb035eacc15359549d2808a7ee15", "parents": [ "e35fc385655ac584902edd98dd07ac488e986aa1" ], "author": { "name": "Arnaldo Carvalho de Melo", "email": "acme@mandriva.com", "time": "Mon Mar 20 22:47:37 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:47:37 2006 -0800" }, "message": "[SECURITY] getpeersec: Fix build breakage\n\nA recent changeset removes dummy_socket_getpeersec, replacing it with\ntwo new functions, but still references the removed function in the\nsecurity_fixup_ops table, fix it by doing the replacement operation in\nthe fixup table too.\n\nSigned-off-by: Arnaldo Carvalho de Melo \u003cacme@mandriva.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2c7946a7bf45ae86736ab3b43d0085e43947945c", "tree": "b956f301033ebaefe8d2701b257edfd947f537f3", "parents": [ "be33690d8fcf40377f16193c463681170eb6b295" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Mon Mar 20 22:41:23 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:41:23 2006 -0800" }, "message": "[SECURITY]: TCP/UDP getpeersec\n\nThis patch implements an application of the LSM-IPSec networking\ncontrols whereby an application can determine the label of the\nsecurity association its TCP or UDP sockets are currently connected to\nvia getsockopt and the auxiliary data mechanism of recvmsg.\n\nPatch purpose:\n\nThis patch enables a security-aware application to retrieve the\nsecurity context of an IPSec security association a particular TCP or\nUDP socket is using. The application can then use this security\ncontext to determine the security context for processing on behalf of\nthe peer at the other end of this connection. In the case of UDP, the\nsecurity context is for each individual packet. An example\napplication is the inetd daemon, which could be modified to start\ndaemons running at security contexts dependent on the remote client.\n\nPatch design approach:\n\n- Design for TCP\nThe patch enables the SELinux LSM to set the peer security context for\na socket based on the security context of the IPSec security\nassociation. The application may retrieve this context using\ngetsockopt. When called, the kernel determines if the socket is a\nconnected (TCP_ESTABLISHED) TCP socket and, if so, uses the dst_entry\ncache on the socket to retrieve the security associations. If a\nsecurity association has a security context, the context string is\nreturned, as for UNIX domain sockets.\n\n- Design for UDP\nUnlike TCP, UDP is connectionless. This requires a somewhat different\nAPI to retrieve the peer security context. With TCP, the peer\nsecurity context stays the same throughout the connection, thus it can\nbe retrieved at any time between when the connection is established\nand when it is torn down. With UDP, each read/write can have\ndifferent peer and thus the security context might change every time.\nAs a result the security context retrieval must be done TOGETHER with\nthe packet retrieval.\n\nThe solution is to build upon the existing Unix domain socket API for\nretrieving user credentials. Linux offers the API for obtaining user\ncredentials via ancillary messages (i.e., out of band/control messages\nthat are bundled together with a normal message).\n\nPatch implementation details:\n\n- Implementation for TCP\nThe security context can be retrieved by applications using getsockopt\nwith the existing SO_PEERSEC flag. As an example (ignoring error\nchecking):\n\ngetsockopt(sockfd, SOL_SOCKET, SO_PEERSEC, optbuf, \u0026optlen);\nprintf(\"Socket peer context is: %s\\n\", optbuf);\n\nThe SELinux function, selinux_socket_getpeersec, is extended to check\nfor labeled security associations for connected (TCP_ESTABLISHED \u003d\u003d\nsk-\u003esk_state) TCP sockets only. If so, the socket has a dst_cache of\nstruct dst_entry values that may refer to security associations. If\nthese have security associations with security contexts, the security\ncontext is returned.\n\ngetsockopt returns a buffer that contains a security context string or\nthe buffer is unmodified.\n\n- Implementation for UDP\nTo retrieve the security context, the application first indicates to\nthe kernel such desire by setting the IP_PASSSEC option via\ngetsockopt. Then the application retrieves the security context using\nthe auxiliary data mechanism.\n\nAn example server application for UDP should look like this:\n\ntoggle \u003d 1;\ntoggle_len \u003d sizeof(toggle);\n\nsetsockopt(sockfd, SOL_IP, IP_PASSSEC, \u0026toggle, \u0026toggle_len);\nrecvmsg(sockfd, \u0026msg_hdr, 0);\nif (msg_hdr.msg_controllen \u003e sizeof(struct cmsghdr)) {\n cmsg_hdr \u003d CMSG_FIRSTHDR(\u0026msg_hdr);\n if (cmsg_hdr-\u003ecmsg_len \u003c\u003d CMSG_LEN(sizeof(scontext)) \u0026\u0026\n cmsg_hdr-\u003ecmsg_level \u003d\u003d SOL_IP \u0026\u0026\n cmsg_hdr-\u003ecmsg_type \u003d\u003d SCM_SECURITY) {\n memcpy(\u0026scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext));\n }\n}\n\nip_setsockopt is enhanced with a new socket option IP_PASSSEC to allow\na server socket to receive security context of the peer. A new\nancillary message type SCM_SECURITY.\n\nWhen the packet is received we get the security context from the\nsec_path pointer which is contained in the sk_buff, and copy it to the\nancillary message space. An additional LSM hook,\nselinux_socket_getpeersec_udp, is defined to retrieve the security\ncontext from the SELinux space. The existing function,\nselinux_socket_getpeersec does not suit our purpose, because the\nsecurity context is copied directly to user space, rather than to\nkernel space.\n\nTesting:\n\nWe have tested the patch by setting up TCP and UDP connections between\napplications on two machines using the IPSec policies that result in\nlabeled security associations being built. For TCP, we can then\nextract the peer security context using getsockopt on either end. For\nUDP, the receiving end can retrieve the security context using the\nauxiliary data mechanism of recvmsg.\n\nSigned-off-by: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "7306a0b9b3e2056a616c84841288ca2431a05627", "tree": "d3f61ef43c7079790d6b8ef9bf307689a7d9ea16", "parents": [ "8c8570fb8feef2bc166bee75a85748b25cda22d9" ], "author": { "name": "Dustin Kirkland", "email": "dustin.kirkland@us.ibm.com", "time": "Wed Nov 16 15:53:13 2005 +0000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:54 2006 -0500" }, "message": "[PATCH] Miscellaneous bug and warning fixes\n\nThis patch fixes a couple of bugs revealed in new features recently\nadded to -mm1:\n* fixes warnings due to inconsistent use of const struct inode *inode\n* fixes bug that prevent a kernel from booting with audit on, and SELinux off\n due to a missing function in security/dummy.c\n* fixes a bug that throws spurious audit_panic() messages due to a missing\n return just before an error_path label\n* some reasonable house cleaning in audit_ipc_context(),\n audit_inode_context(), and audit_log_task_context()\n\nSigned-off-by: Dustin Kirkland \u003cdustin.kirkland@us.ibm.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "8c8570fb8feef2bc166bee75a85748b25cda22d9", "tree": "ed783d405ea9d5f3d3ccc57fb56c7b7cb2cdfb82", "parents": [ "c8edc80c8b8c397c53f4f659a05b9ea6208029bf" ], "author": { "name": "Dustin Kirkland", "email": "dustin.kirkland@us.ibm.com", "time": "Thu Nov 03 17:15:16 2005 +0000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:54 2006 -0500" }, "message": "[PATCH] Capture selinux subject/object context information.\n\nThis patch extends existing audit records with subject/object context\ninformation. Audit records associated with filesystem inodes, ipc, and\ntasks now contain SELinux label information in the field \"subj\" if the\nitem is performing the action, or in \"obj\" if the item is the receiver\nof an action.\n\nThese labels are collected via hooks in SELinux and appended to the\nappropriate record in the audit code.\n\nThis additional information is required for Common Criteria Labeled\nSecurity Protection Profile (LSPP).\n\n[AV: fixed kmalloc flags use]\n[folded leak fixes]\n[folded cleanup from akpm (kfree(NULL)]\n[folded audit_inode_context() leak fix]\n[folded akpm\u0027s fix for audit_ipc_perm() definition in case of !CONFIG_AUDIT]\n\nSigned-off-by: Dustin Kirkland \u003cdustin.kirkland@us.ibm.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "c59ede7b78db329949d9cdcd7064e22d357560ef", "tree": "f9dc9d464fdad5bfd464d983e77c1af031389dda", "parents": [ "e16885c5ad624a6efe1b1bf764e075d75f65a788" ], "author": { "name": "Randy.Dunlap", "email": "rdunlap@xenotime.net", "time": "Wed Jan 11 12:17:46 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Wed Jan 11 18:42:13 2006 -0800" }, "message": "[PATCH] move capable() to capability.h\n\n- Move capable() from sched.h to capability.h;\n\n- Use \u003clinux/capability.h\u003e where capable() is used\n\t(in include/, block/, ipc/, kernel/, a few drivers/,\n\tmm/, security/, \u0026 sound/;\n\tmany more drivers/ to go)\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "df71837d5024e2524cd51c93621e558aa7dd9f3f", "tree": "58938f1d46f3c6713b63e5a785e82fdbb10121a1", "parents": [ "88026842b0a760145aa71d69e74fbc9ec118ca44" ], "author": { "name": "Trent Jaeger", "email": "tjaeger@cse.psu.edu", "time": "Tue Dec 13 23:12:27 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jan 03 13:10:24 2006 -0800" }, "message": "[LSM-IPSec]: Security association restriction.\n\nThis patch series implements per packet access control via the\nextension of the Linux Security Modules (LSM) interface by hooks in\nthe XFRM and pfkey subsystems that leverage IPSec security\nassociations to label packets. Extensions to the SELinux LSM are\nincluded that leverage the patch for this purpose.\n\nThis patch implements the changes necessary to the XFRM subsystem,\npfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a\nsocket to use only authorized security associations (or no security\nassociation) to send/receive network packets.\n\nPatch purpose:\n\nThe patch is designed to enable access control per packets based on\nthe strongly authenticated IPSec security association. Such access\ncontrols augment the existing ones based on network interface and IP\naddress. The former are very coarse-grained, and the latter can be\nspoofed. By using IPSec, the system can control access to remote\nhosts based on cryptographic keys generated using the IPSec mechanism.\nThis enables access control on a per-machine basis or per-application\nif the remote machine is running the same mechanism and trusted to\nenforce the access control policy.\n\nPatch design approach:\n\nThe overall approach is that policy (xfrm_policy) entries set by\nuser-level programs (e.g., setkey for ipsec-tools) are extended with a\nsecurity context that is used at policy selection time in the XFRM\nsubsystem to restrict the sockets that can send/receive packets via\nsecurity associations (xfrm_states) that are built from those\npolicies.\n\nA presentation available at\nwww.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf\nfrom the SELinux symposium describes the overall approach.\n\nPatch implementation details:\n\nOn output, the policy retrieved (via xfrm_policy_lookup or\nxfrm_sk_policy_lookup) must be authorized for the security context of\nthe socket and the same security context is required for resultant\nsecurity association (retrieved or negotiated via racoon in\nipsec-tools). This is enforced in xfrm_state_find.\n\nOn input, the policy retrieved must also be authorized for the socket\n(at __xfrm_policy_check), and the security context of the policy must\nalso match the security association being used.\n\nThe patch has virtually no impact on packets that do not use IPSec.\nThe existing Netfilter (outgoing) and LSM rcv_skb hooks are used as\nbefore.\n\nAlso, if IPSec is used without security contexts, the impact is\nminimal. The LSM must allow such policies to be selected for the\ncombination of socket and remote machine, but subsequent IPSec\nprocessing proceeds as in the original case.\n\nTesting:\n\nThe pfkey interface is tested using the ipsec-tools. ipsec-tools have\nbeen modified (a separate ipsec-tools patch is available for version\n0.5) that supports assignment of xfrm_policy entries and security\nassociations with security contexts via setkey and the negotiation\nusing the security contexts via racoon.\n\nThe xfrm_user interface is tested via ad hoc programs that set\nsecurity contexts. These programs are also available from me, and\ncontain programs for setting, getting, and deleting policy for testing\nthis interface. Testing of sa functions was done by tracing kernel\nbehavior.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "29db9190634067c5a328ee5fcc2890251b836b4b", "tree": "07ec242789230824f1fa8bcbbe681fd5bf166fa8", "parents": [ "2aa349f6e37ce030060c994d3aebbff4ab703565" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Sun Oct 30 15:02:44 2005 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun Oct 30 17:37:23 2005 -0800" }, "message": "[PATCH] Keys: Add LSM hooks for key management [try #3]\n\nThe attached patch adds LSM hooks for key management facilities. The notable\nchanges are:\n\n (1) The key struct now supports a security pointer for the use of security\n modules. This will permit key labelling and restrictions on which\n programs may access a key.\n\n (2) Security modules get a chance to note (or abort) the allocation of a key.\n\n (3) The key permission checking can now be enhanced by the security modules;\n the permissions check consults LSM if all other checks bear out.\n\n (4) The key permissions checking functions now return an error code rather\n than a boolean value.\n\n (5) An extra permission has been added to govern the modification of\n attributes (UID, GID, permissions).\n\nNote that there isn\u0027t an LSM hook specifically for each keyctl() operation,\nbut rather the permissions hook allows control of individual operations based\non the permission request bits.\n\nKey management access control through LSM is enabled by automatically if both\nCONFIG_KEYS and CONFIG_SECURITY are enabled.\n\nThis should be applied on top of the patch ensubjected:\n\n\t[PATCH] Keys: Possessor permissions should be additive\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Chris Wright \u003cchrisw@osdl.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "d381d8a9a08cac9824096213069159be17fd2e2f", "tree": "0c19722b8f67c29b7c08c6ab8776a9c146395d03", "parents": [ "89d155ef62e5e0c10e4b37aaa5056f0beafe10e6" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Sun Oct 30 14:59:22 2005 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun Oct 30 17:37:11 2005 -0800" }, "message": "[PATCH] SELinux: canonicalize getxattr()\n\nThis patch allows SELinux to canonicalize the value returned from\ngetxattr() via the security_inode_getsecurity() hook, which is called after\nthe fs level getxattr() function.\n\nThe purpose of this is to allow the in-core security context for an inode\nto override the on-disk value. This could happen in cases such as\nupgrading a system to a different labeling form (e.g. standard SELinux to\nMLS) without needing to do a full relabel of the filesystem.\n\nIn such cases, we want getxattr() to return the canonical security context\nthat the kernel is using rather than what is stored on disk.\n\nThe implementation hooks into the inode_getsecurity(), adding another\nparameter to indicate the result of the preceding fs-level getxattr() call,\nso that SELinux knows whether to compare a value obtained from disk with\nthe kernel value.\n\nWe also now allow getxattr() to work for mountpoint labeled filesystems\n(i.e. mount with option context\u003dfoo_t), as we are able to return the\nkernel value to the user.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "7d877f3bda870ab5f001bd92528654471d5966b3", "tree": "1c05b62abead153956c4ca250ffb1891887e77c9", "parents": [ "fd4f2df24bc23e6b8fc069765b425c7dacf52347" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri Oct 21 03:20:43 2005 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Oct 28 08:16:47 2005 -0700" }, "message": "[PATCH] gfp_t: net/*\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "e31e14ec356f36b131576be5bc31d8fef7e95483", "tree": "5597419cf186904d77c4b4ecf117287bcc1db986", "parents": [ "a74574aafea3a63add3251047601611111f44562" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Sep 09 13:01:45 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 09 13:57:28 2005 -0700" }, "message": "[PATCH] remove the inode_post_link and inode_post_rename LSM hooks\n\nThis patch removes the inode_post_link and inode_post_rename LSM hooks as\nthey are unused (and likely useless).\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "a74574aafea3a63add3251047601611111f44562", "tree": "a8f4a809589513c666c6f5518cbe84f50ee5523e", "parents": [ "570bc1c2e5ccdb408081e77507a385dc7ebed7fa" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Sep 09 13:01:44 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 09 13:57:28 2005 -0700" }, "message": "[PATCH] Remove security_inode_post_create/mkdir/symlink/mknod hooks\n\nThis patch removes the inode_post_create/mkdir/mknod/symlink LSM hooks as\nthey are obsoleted by the new inode_init_security hook that enables atomic\ninode security labeling.\n\nIf anyone sees any reason to retain these hooks, please speak now. Also,\nis anyone using the post_rename/link hooks; if not, those could also be\nremoved.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "5e41ff9e0650f327a6c819841fa412da95d57319", "tree": "a525df8bda34c2aa52f30326f94cd15109bb58b3", "parents": [ "f5ee56cc184e0944ebc9ff1691985219959596f6" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Sep 09 13:01:35 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Sep 09 13:57:27 2005 -0700" }, "message": "[PATCH] security: enable atomic inode security labeling\n\nThe following patch set enables atomic security labeling of newly created\ninodes by altering the fs code to invoke a new LSM hook to obtain the security\nattribute to apply to a newly created inode and to set up the incore inode\nsecurity state during the inode creation transaction. This parallels the\nexisting processing for setting ACLs on newly created inodes. Otherwise, it\nis possible for new inodes to be accessed by another thread via the dcache\nprior to complete security setup (presently handled by the\npost_create/mkdir/... LSM hooks in the VFS) and a newly created inode may be\nleft unlabeled on the disk in the event of a crash. SELinux presently works\naround the issue by ensuring that the incore inode security label is\ninitialized to a special SID that is inaccessible to unprivileged processes\n(in accordance with policy), thereby preventing inappropriate access but\npotentially causing false denials on legitimate accesses. A simple test\nprogram demonstrates such false denials on SELinux, and the patch solves the\nproblem. Similar such false denials have been encountered in real\napplications.\n\nThis patch defines a new inode_init_security LSM hook to obtain the security\nattribute to apply to a newly created inode and to set up the incore inode\nsecurity state for it, and adds a corresponding hook function implementation\nto SELinux.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "d6e711448137ca3301512cec41a2c2ce852b3d0a", "tree": "f0765ebd90fdbdf270c05fcd7f3d32b24ba56681", "parents": [ "8b0914ea7475615c7c8965c1ac8fe4069270f25c" ], "author": { "name": "Alan Cox", "email": "alan@lxorguk.ukuu.org.uk", "time": "Thu Jun 23 00:09:43 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Thu Jun 23 09:45:26 2005 -0700" }, "message": "[PATCH] setuid core dump\n\nAdd a new `suid_dumpable\u0027 sysctl:\n\nThis value can be used to query and set the core dump mode for setuid\nor otherwise protected/tainted binaries. The modes are\n\n0 - (default) - traditional behaviour. Any process which has changed\n privilege levels or is execute only will not be dumped\n\n1 - (debug) - all processes dump core when possible. The core dump is\n owned by the current user and no security is applied. This is intended\n for system debugging situations only. Ptrace is unchecked.\n\n2 - (suidsafe) - any binary which normally would not be dumped is dumped\n readable by root only. This allows the end user to remove such a dump but\n not access it directly. For security reasons core dumps in this mode will\n not overwrite one another or other files. This mode is appropriate when\n adminstrators are attempting to debug problems in a normal environment.\n\n(akpm:\n\n\u003e \u003e +EXPORT_SYMBOL(suid_dumpable);\n\u003e\n\u003e EXPORT_SYMBOL_GPL?\n\nNo problem to me.\n\n\u003e \u003e \tif (current-\u003eeuid \u003d\u003d current-\u003euid \u0026\u0026 current-\u003eegid \u003d\u003d current-\u003egid)\n\u003e \u003e \t\tcurrent-\u003emm-\u003edumpable \u003d 1;\n\u003e\n\u003e Should this be SUID_DUMP_USER?\n\nActually the feedback I had from last time was that the SUID_ defines\nshould go because its clearer to follow the numbers. They can go\neverywhere (and there are lots of places where dumpable is tested/used\nas a bool in untouched code)\n\n\u003e Maybe this should be renamed to `dump_policy\u0027 or something. Doing that\n\u003e would help us catch any code which isn\u0027t using the #defines, too.\n\nFair comment. The patch was designed to be easy to maintain for Red Hat\nrather than for merging. Changing that field would create a gigantic\ndiff because it is used all over the place.\n\n)\n\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }