summaryrefslogtreecommitdiffstats
path: root/security
AgeCommit message (Collapse)AuthorLines
2005-03-31[SELINUX]: Fix for removal of i_sockStephen D. Smalley-18/+3
This patch against -bk eliminates the use of i_sock by SELinux as it appears to have been removed recently, breaking the build of SELinux in -bk. Simply replacing the i_sock test with an S_ISSOCK test would be unsafe in the SELinux code, as the latter will also return true for the inodes of socket files in the filesystem, not just the actual socket objects IIUC. Hence this patch reworks the SELinux code to avoid the need to apply such a test in the first place, part of which was obsoleted anyway by earlier changes to SELinux. Please apply. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-03-28[PATCH] SELinux: add name_connect permission checkStephen D. Smalley-1/+49
This patch adds a name_connect permission check to SELinux to provide control over outbound TCP connections to particular ports distinct from the general controls over sending and receiving packets. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-03-28[PATCH] SELinux: audit unrecognized netlink messagesStephen D. Smalley-0/+10
This patch changes SELinux to audit any unrecognized netlink messages in controlled classes rather than silently rejecting them, and to allow them if in permissive mode. Please apply. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-03-28[PATCH] SELinux: allow mounting of filesystems with invalid root inode contextStephen D. Smalley-1/+3
This patch alters the SELinux handling of inodes with invalid security contexts so that a filesystem with a root inode that has an invalid security context can still be mounted for administrative recovery without disabling SELinux altogether. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-03-28[PATCH] SELinux: make code static and remove unused codeStephen D. Smalley-503/+42
This patch from Adrian Bunk makes needlessly global code static and removes a number of unused global and static functions from SELinux. Please apply. Author: Adrian Bunk <bunk@stusta.de> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-03-13[PATCH] selinux needs inetAndrew Morton-1/+1
security/built-in.o(.text+0xe2fc): In function `selinux_socket_bind': : undefined reference to `sysctl_local_port_range' Acked-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-03-11[PATCH] Make lots of things staticAdrian Bunk-3/+3
This is a megarollup of ~60 patches which give various things static scope. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-03-09[PATCH] Properly share process and session keyrings with CLONE_THREAD [try #2]David Howells-87/+134
The attached patch causes process and session keyrings to be shared properly when CLONE_THREAD is in force. It does this by moving the keyring pointers into struct signal_struct[*]. [*] I have a patch to rename this to struct thread_group that I'll revisit after the advent of 2.6.11. Furthermore, once this patch is applied, process keyrings will no longer be allocated at fork, but will instead only be allocated when needed. Allocating them at fork was a way of half getting around the sharing across threads problem, but that's no longer necessary. This revision of the patch has the documentation changes patch rolled into it and no longer abstracts the locking for signal_struct into a pair of macros. Signed-Off-By: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-03-09[PATCH] Race against parent deletion in key_user_lookup()Alexander Nyberg-1/+2
I looked at some of the oops reports against keyrings, I think the problem is that the search isn't restarted after dropping the key_user_lock, *p will still be NULL when we get back to try_again and look through the tree. It looks like the intention was that the search start over from scratch. Signed-off-by: Alexander Nyberg <alexn@dsv.su.se> Cc: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-03-09[PATCH] SELinux: fix selinux_setprocattrStephen D. Smalley-2/+6
This patch changes the selinux_setprocattr hook function (which handles writes to nodes in the /proc/pid/attr directory) to ignore an optional terminating newline at the end of the value, and to handle a value beginning with a newline or a null in the same manner as a zero length value (clearing the attribute for the process and resetting it to using the default policy behavior). This change is to address the divergence from POSIX in the existing API, as POSIX says that write(2) with a zero count will return zero with no other effect, as well as to simplify use of the API from scripts (although that isn't recommended). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-03-09[PATCH] SELinux: pass requested protection to security_file_mmap/mprotect hooksStephen D. Smalley-5/+103
This patch adds a reqprot parameter to the security_file_mmap and security_file_mprotect hooks that is the original requested protection value prior to any modification for read-implies-exec, and changes the SELinux module to allow a mode of operation (controllable via a checkreqprot setting) where it applies checks based on that protection value rather than the protection that will be applied by the kernel, effectively restoring SELinux's original behavior prior to the introduction of the read-implies-exec logic in the mainline kernel. The patch also disables execmem and execmod checking entirely on PPC32, as the PPC32 ELF ABI presently requires RWE segments per Ulrich Drepper. At present, the read-implies-exec logic causes SELinux to see every mmap/mprotect read request by legacy binaries or binaries marked with PT_GNU_STACK RWE as a read|execute request, which tends to distort policy even if it reflects what is ultimately possible. The checkreqprot setting allows one to set the desired behavior for SELinux, so either the current behavior or the original behavior is possible. The checkreqprot value has a compile-time configurable default value and can also be set via boot parameter or at runtime via /selinux/checkreqprot if allowed by policy. Thanks to Chris Wright, James Morris, and Colin Walters for comments on an earlier version of the patch. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-03-09[PATCH] SELinux: enhanced MLS supportdgoeddel@trustedcs.com-835/+1011
This patch replaces the original experimental Multi-Level Security (MLS) implementation in SELinux with an enhanced MLS implementation contributed by Trusted Computer Solutions (TCS). The enhanced MLS implementation replaces the hardcoded MLS logic with a flexible constraint-based system and replaces the compile-time option for MLS support with a policy load-time enable based on whether MLS support was enabled in the policy when it was built. The latter change allows a single kernel and policy toolchain to support both MLS and non-MLS policies. Compatibility is still provided as usual for existing policies. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-03-07[PATCH] make RLIMIT_CPU/SIGXCPU per-processRoland McGrath-0/+7
POSIX requires that the RLIMIT_CPU resource limit that generates SIGXCPU be counted on a per-process basis. Currently, Linux implements this for individual threads. This patch fixes the semantics to conform with POSIX. The essential machinery for the process CPU limit is is tied into the new posix-timers code for process CPU clocks and timers. Signed-off-by: Roland McGrath <roland@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-03-07[PATCH] selinux: internal inode loop needs IS_PRIVATE testJeff Mahoney-1/+2
This patch applies the IS_PRIVATE test to the selinux internal inode loop. Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-02-28[PATCH] SELinux: null dereference in error pathAlexander Nyberg-1/+1
The 'bad' label will call function that unconditionally dereferences the NULL pointer. Found by the Coverity tool Signed-off-by: Alexander Nyberg <alexn@dsv.su.se> Acked-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-02-28[PATCH] SELinux: Leak in error pathAlexander Nyberg-1/+3
There's a leak here in the first error path. Found by the Coverity tool. Signed-off-by: Alexander Nyberg <alexn@dsv.su.se> Acked-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-02-24[PATCH] Make keyctl(KEYCTL_JOIN_SESSION_KEYRING) use the correct argDavid Howells-2/+2
The attached patch makes keyctl() use the correct argument when invoking the KEYCTL_JOIN_SESSION_KEYRING function. I'm not sure how this evaded testing before, but I suspect the compiler was kind and made both argument registers hold the same value. Thanks to Kevin Coffman <kwc@citi.umich.edu> for spotting this. Signed-Off-By: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-02-04[PATCH] SELinux: fix selinux_inode_setattr hookStephen D. Smalley-0/+3
This fixes the selinux_inode_setattr hook function to honor the ATTR_FORCE flag, skipping any permission checking in that case. Otherwise, it is possible though unlikely for a denial from the hook to prevent proper updating, e.g. for remove_suid upon writing to a file. This would only occur if the process had write permission to a suid file but lacked setattr permission to it. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-02-03[PATCH] SELinux: audit any unmapped permissionsStephen D. Smalley-2/+9
This patch changes SELinux to display any permission values that could not be mapped to names as a hex value when generating an audit message. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-02-03[PATCH] SELinux: define execmod permission for character devicesStephen D. Smalley-0/+7
This patch regenerates the SELinux module headers to define the execmod permission for character device files in order to provide proper auditing of such checks on /dev/zero. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-20[PATCH] Lock initializer cleanup: SecurityThomas Gleixner-8/+8
Use the new lock initializers DEFINE_SPIN_LOCK and DEFINE_RW_LOCK Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-20[PATCH] SELinux: add Netlink message types for the TC action code.James Morris-0/+3
This patch adds Netlink message types related to the TC action code, allowing finer grained SELinux control of this. Author: jamal <hadi@cyberus.ca> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-20[PATCH] Fix audit control message checksSerge Hallyn-9/+14
The audit control messages are sent over netlink. Permission checks are done on the process receiving the message, which may not be the same as the process sending the message. This patch switches the netlink_send security hooks to calculate the effective capabilities based on the sender. Then audit_receive_msg performs capability checks based on that. It also introduces the CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL capabilities, and replaces the previous CAP_SYS_ADMIN checks in audit code with the appropriate checks. - Simplified dummy_netlink_send given that dummy now keeps track of capabilities. - Many fixes based on feedback from <linux-audit@redhat.com> list. - Removed the netlink_msg_type helper function. - Switch to using CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL. Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-14[PATCH] various Kconfig fixesGabor Egry-2/+2
Here are some Kconfig fixes: - typo fixes - unused token removes (empty or duplicated 'help') - non ASCII characters replaces - e-mail address and URL format corrections Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-14[PATCH] SELinux: fix setting of loaded policy versionStephen D. Smalley-13/+13
This patch fixes a different bug in the code for SELinux policy loading. It ensures that the loaded policy version number is not updated until the new policy is successfully committed. It also fixes the type on the loaded policy version. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-14[PATCH] SELinux: fix error handling code for policy loadStephen D. Smalley-5/+14
This patch fixes several bugs in the error handling code for SELinux policy loading that were introduced by my earlier patch to eliminate unaligned accesses by that code. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-11[PATCH] seclvl: add missing dependencyAkinobu Mita-0/+1
*** Warning: "crypto_free_tfm" [security/seclvl.ko] undefined! *** Warning: "crypto_alloc_tfm" [security/seclvl.ko] undefined! *** Warning: "crypto_unregister_alg" [crypto/sha1.ko] undefined! *** Warning: "crypto_register_alg" [crypto/sha1.ko] undefined! Signed-off-by: Akinobu Mita <amgta@yacht.ocn.ne.jp> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-10[PATCH] merge *_vm_enough_memory()s into a common helperSerge Hallyn-192/+23
The vm_enough_memory functionality was replicated in three separate places, and not always kept in sync. It also used capable() for authorization checks. This caused any process which ends up checking for this permission to have PF_SUPERPRIV set (inappropriately), and caused poor dependencies between stacked modules, since each LSM was generically asked to moderate capable(CAP_SYS_ADMIN) without knowing why. Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-10[PATCH] split bprm_apply_creds into two functionsSerge Hallyn-70/+90
The following patch splits bprm_apply_creds into two functions, bprm_apply_creds and bprm_post_apply_creds. The latter is called after the task_lock has been dropped. Without this patch, SELinux must drop the task_lock and re-acquire it during apply_creds, making the 'unsafe' flag meaningless to any later security modules. Please apply. Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-04[PATCH] SELinux: eliminate unaligned accesses by policy loading codeStephen D. Smalley-250/+201
This patch rewrites the SELinux next_entry() function and all callers to copy entry data from the binary policy into properly aligned buffers, eliminating unaligned accesses. This patch is in response to a bug report from Prarit Bhargava for SELinux and ia64, and he has confirmed that this patch eliminates the unaligned access warnings. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-04[PATCH] SELinux: add member node to selinuxfsStephen D. Smalley-0/+65
This patch adds a member node to selinuxfs to export the security_member_sid interface to userspace for obtaining security polyinstantiation decisions. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-04[PATCH] SELinux: enhance SELinux control of executable mappingsStephen D. Smalley-0/+27
This patch adds new permission checks to the SELinux mmap and mprotect hooks to enable control over the ability to make executable a mapping that can contain data not covered by the existing file-based permission checks. The task->self execmem permission controls the ability to create an executable anonymous mapping or a writable executable private file mapping. The task->file execmod permission controls the ability to make executable a previously written private file mapping, e.g. for text relocations. Thanks to Roland McGrath for input and feedback on earlier versions of this patch. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-04[PATCH] SELinux: add dynamic context transition support to SELinuxStephen D. Smalley-5/+56
This patch for adds dynamic context transition support to SELinux via writes to the existing /proc/pid/attr/current interface. Previously, SELinux only supported exec-based context transitions. This functionality allows privileged applications to apply privilege bracketing without necessarily being refactored to an exec-based model (although such a model has advantages in least privilege and isolation). A process must have setcurrent permission to use this mechanism at all, and the dyntransition permission must be granted between the old and new security contexts. Multi-threaded processes are not allowed to use this operation, as it will yield an inconsistency among the security contexts of the threads sharing the same mm. Ptrace permission is revalidated against the new context if the process is being ptraced. Author: Darrel Goeddel <dgoeddel@trustedcs.com> Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-04[PATCH] SELinux: audit task comm if exe cannot be determinedStephen D. Smalley-0/+2
This patch ensures that the comm is included in the audit message if avc_audit is unable to determine the exe due to the mmap_sem being held. This is helpful in tracking down the causes of permission denials that occur in the mmap/mprotect hooks. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-04[PATCH] SELinux: update selinux_task_setschedulerStephen D. Smalley-10/+1
This patch updates the selinux_task_setscheduler hook function to use the standard helper for task permission checks since it is now safe to audit from this hook (due to the upstream change to setscheduler() to not hold the runqueue lock during the security hook call). Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-04[PATCH] SELinux: regenerate SELinux module headersStephen D. Smalley-391/+409
This patch regenerates the SELinux module headers to use a new format and updates their use by the AVC. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-04[PATCH] SELinux scalability: AVC statistics and tuningJames Morris-61/+287
This patch adds an selinuxfs based API to the AVC, to allow monitoring of the cache, and tuning of the cache size. The latter is mediated via the new setsecparam permission. AVC statistics may be monitored via the avcstat utility: http://people.redhat.com/jmorris/selinux/perf/avcstat.c Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-04[PATCH] SELinux: atomic_dec_and_test() bugJames Morris-1/+1
Atomic underflow debugging in this kernel exposed a bug in the AVC RCU code, fix below. The effect of this bug would be delayed node reclamation. Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-04[PATCH] SELinux scalability: convert AVC to RCUJames Morris-355/+323
The following patch improves the scalability of SELinux by replacing the global avc_lock with an RCU based scheme by Kaigai Kohei. The size of the cache is made tunable, to allow administrators to tune systems for different workloads, while statistics are exported via selinuxfs to allow AVC performance to be monitored at a low level. AVC nodes are also allocated now via a slab cache, and AVC references have been removed from the code. This code has been extensively tested and benchmarked (see benchmark results below). Baseline performance is not improved, although it is clear that dramatic scalability improvements are achieved. Baseline performance and networking scalability are areas where work is ongoing (in particular, we need to add caching of some network security objects so that we don't fallback to policy database lookups on each permission call). Benchmark results: =============================================================================================== System: 4 node 16-way IA64 NUMA - 'Stream' is based on http://www.cs.virginia.edu/stream/ , HPC memory bandwidth test, higher result is better. - Hackbench: scheduler scalability benchmark by Rusty, lower is better. Standard kernel: 2.6.9-1.648_EL SELINUX=0 : Stream 6159.987MB/s HackBench 53.144 2.6.9-1.648_EL SELINUX=1 : Stream 5872.529MB/s HackBench 1043.132 Kernel with RCU/AVC patches: 2.6.9-1.689_avcrcu.root SELINUX=0 : Stream 8829.647MB/s HackBench 53.976 2.6.9-1.689_avcrcu.root SELINUX=1 : Stream 8817.117MB/s HackBench 50.975 =============================================================================================== System: 8-way PIII 900Mhz Xeon with 9GB RAM Fileystem: ext2 for all testing. Notes: AVC was reset before tests, so avc was flushed. System was run in enforcing mode. Key: std-nolsm: standard kernel with LSM disabled std-lsmcap: standard kernel with LSM enabled, capabilities LSM std-sel-strict: standard kernel with SELinux enabled, capabilities secondary LSM rcu-sel-strict: as above with RCU & AVC stats patches
2005-01-04[PATCH] move waitchld_exit from task_struct to signal_structRoland McGrath-1/+1
There is really no point in each task_struct having its own waitchld_exit. In the only use of it, the waitchld_exit of each thread in a group gets woken up at the same time. So, there might as well just be one wait queue for the whole thread group. This patch does that by moving the field from task_struct to signal_struct. It should have no effect on the behavior, but saves a little work and a little storage in the multithreaded case. Signed-off-by: Roland McGrath <roland@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-04[PATCH] GP-REL data supportDavid Howells-2/+2
The attached patch makes it possible to support gp-rel addressing for small variables. Since the FR-V cpu's have fixed-length instructions and plenty of general-purpose registers, one register is nominated as a base for the small data area. This makes it possible to use single-insn accesses to access global and static variables instead of having to use multiple instructions. This, however, causes problems with small variables used to pinpoint the beginning and end of sections. The compiler assumes it can use gp-rel addressing for these, but the linker then complains because the displacement is out of range. By declaring certain variables as arrays or by forcing them into named sections, the compiler is persuaded to access them as if they can be outside the displacement range. Declaring the variables as "const void" type also works. Signed-Off-By: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-04[PATCH] properly split capset_check+capset_setSerge Hallyn-6/+0
The attached patch removes checks from kernel/capability.c which are redundant with cap_capset_check() code, and moves the capset_check() calls to immediately before the capset_set() calls. This allows capset_check() to accurately check the setter's permission to set caps on the target. Please apply. Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-03[PATCH] fix up dummy security module code mergeChris Wright-1/+2
OK, somehow I managed to botch this one. It happens to work fine, but I should have been more careful with forward porting this 1+ year old patch. The exec-time calc should go in bprm_apply_creds, not bprm_free_security. Thanks to Stephen for spotting my mistake. Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-03[PATCH] remove duplicated patch fragmentAndries E. Brouwer-4/+0
Acked-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-03[PATCH] track capabilities in default dummy security module codeChris Wright-4/+3
Switch dummy logic around to set cap_* bits during exec and set*uid based on basic uid check. Then check cap_* bits during capable() (rather than doing basic uid check). This ensures that capability bits are properly initialized in case the capability module is later loaded. Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-03[PATCH] mm: overcommit updatesAndries E. Brouwer-0/+16
Alan made overcommit mode 2 and it doesnt work at all. A process passing the limit often does so at a moment of stack extension, and is killed by a segfault, not better than being OOM-killed. Another problem is that close to the edge no other processes can be started, so that a sysadmin has problems logging in and investigating. Below a patch that does 3 things: (1) It reserves a reasonable amount of virtual stack space (amount randomly chosen, no guarantees given) when the process is started, so that the common utilities will not be killed by segfault on stack extension. (2) It reserves a reasonable amount of virtual memory for root, so that root can do things when the system is out-of-memory (3) It limits a single process to 97% of what is left, so that also an ordinary user is able to use getty, login, bash, ps, kill and similar things when one of her processes got out of control. Since the current overcommit mode 2 is not really useful, I did not give this a new number. The patch is just for playing, not to be applied by Linus. But, Andrew, I hope that you would be willing to put this in -mm so that people can experiment. Of course it only does something if one sets overcommit mode to 2. The past month I have pressured people asking for feedback, and now have about a dozen reports, mostly positive, one very positive. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-01-03[PATCH] Fix of quota deadlock on pagelock: quota coreJan Kara-3/+3
The four patches in this series fix deadlocks with quotas of pagelock (the problem was lock inversion on PageLock and transaction start - quota code needed to first start a transaction and then write the data which subsequently needed acquisition of PageLock while the standard ordering - PageLock first and transaction start later - was used e.g. by pdflush). They implement a new way of quota access to disk: Every filesystem that would like to implement quotas now has to provide quota_read() and quota_write() functions. These functions must obey quota lock ordering (in particular they should not take PageLock inside a transaction). The first patch implements the changes in the quota core, the other three patches implement needed functions in ext2, ext3 and reiserfs. The patch for reiserfs also fixes several other lock inversion problems (similar as ext3 had) and implements the journaled quota functionality (which comes almost for free after the locking fixes...). The quota core patch makes quota support in other filesystems (except XFS which implements everything on its own ;)) unfunctional (quotaon() will refuse to turn on quotas on them). When the patches get reasonable wide testing and it will seem that no major changes will be needed I can make fixes also for the other filesystems (JFS, UDF, UFS). This patch: The patch implements the new way of quota io in the quota core. Every filesystem wanting to support quotas has to provide functions quota_read() and quota_write() obeying quota locking rules. As the writes and reads bypass the pagecache there is some ugly stuff ensuring that userspace can see all the data after quotaoff() (or Q_SYNC quotactl). In future I plan to make quota files inaccessible from userspace (with the exception of quotacheck(8) which will take care about the cache flushing and such stuff itself) so that this synchronization stuff can be removed... The rewrite of the quota core. Quota uses the filesystem read() and write() functions no more to avoid possible deadlocks on PageLock. From now on every filesystem supporting quotas must provide functions quota_read() and quota_write() which obey the quota locking rules (e.g. they cannot acquire the PageLock). Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2004-12-27[INET] move inet_sock into inet_opt and rename it to inet_sockArnaldo Carvalho de Melo-2/+2
With this we can remove all the cut'n'pasted layouts in all inet_sock derived classes, such as tcp_sock, udp_sock, sctp_sock, etc. Signed-off-by: Arnaldo Carvalho de Melo <acme@conectiva.com.br> Signed-off-by: David S. Miller <davem@davemloft.net>
2004-11-21[PATCH] SELinux: map Unix seqpacket sockets to appropriate security classStephen D. Smalley-0/+3
This patch for SELinux fixes a bug in the mapping of socket types to security classes and ensures that Unix seqpacket sockets are mapped to an appropriate security class. The Unix stream security class is re-used in this case as it has the same permission checking applied as for seqpacket. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2004-11-18[PATCH] selinux: cache not freed if load_policy fails; reload BUG'sJeff Mahoney-0/+8
If security_load_policy() fails on the first try, the cache is never cleaned up. When the policy is fixed and a reload is attempted, the old cache will still exist, causing a BUG() in kmem_cache_create(). This patch adds a destroy operation to clean up the cache on failure. Signed-off-by: Jeff Mahoney <jeffm@novell.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>