Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v4.19 2018-08-16T05:49:04Z 2018-08-16T05:49:04Z Linus Torvalds torvalds@linux-foundation.org 2018-08-16T05:49:04Z urn:sha1:04743f89bcad30a438ef4f38840caddd7978dbaa Pull smack updates from James Morris: "Minor fixes from Piotr Sawicki" * 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: Smack: Inform peer that IPv6 traffic has been blocked Smack: Check UDP-Lite and DCCP protocols during IPv6 handling Smack: Fix handling of IPv4 traffic received by PF_INET6 sockets 2018-08-14T02:58:36Z Linus Torvalds torvalds@linux-foundation.org 2018-08-14T02:58:36Z urn:sha1:a66b4cd1e7163adb327838a3c81faaf6a9330d5a Pull vfs open-related updates from Al Viro: - "do we need fput() or put_filp()" rules are gone - it's always fput() now. We keep track of that state where it belongs - in ->f_mode. - int *opened mess killed - in finish_open(), in ->atomic_open() instances and in fs/namei.c code around do_last()/lookup_open()/atomic_open(). - alloc_file() wrappers with saner calling conventions are introduced (alloc_file_clone() and alloc_file_pseudo()); callers converted, with much simplification. - while we are at it, saner calling conventions for path_init() and link_path_walk(), simplifying things inside fs/namei.c (both on open-related paths and elsewhere). * 'work.open3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (40 commits) few more cleanups of link_path_walk() callers allow link_path_walk() to take ERR_PTR() make path_init() unconditionally paired with terminate_walk() document alloc_file() changes make alloc_file() static do_shmat(): grab shp->shm_file earlier, switch to alloc_file_clone() new helper: alloc_file_clone() create_pipe_files(): switch the first allocation to alloc_file_pseudo() anon_inode_getfile(): switch to alloc_file_pseudo() hugetlb_file_setup(): switch to alloc_file_pseudo() ocxlflash_getfile(): switch to alloc_file_pseudo() cxl_getfile(): switch to alloc_file_pseudo() ... and switch shmem_file_setup() to alloc_file_pseudo() __shmem_file_setup(): reorder allocations new wrapper: alloc_file_pseudo() kill FILE_{CREATED,OPENED} switch atomic_open() and lookup_open() to returning 0 in all success cases document ->atomic_open() changes ->atomic_open(): return 0 in all success cases get rid of 'opened' in path_openat() and the helpers downstream ... 2018-07-23T20:00:03Z Piotr Sawicki p.sawicki2@partner.samsung.com 2018-07-19T09:47:31Z urn:sha1:d66a8acbda926fa2398ae930f50787e8663bce96 In this patch we're sending an ICMPv6 message to a peer to immediately inform it that making a connection is not possible. In case of TCP connections, without this change, the peer will be waiting until a connection timeout is exceeded. Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2018-07-23T19:59:51Z Piotr Sawicki p.sawicki2@partner.samsung.com 2018-07-19T09:45:16Z urn:sha1:a07ef9516477aef2d052d75129a48f9f94d3b3f3 The smack_socket_sock_rcv_skb() function is checking smack labels only for UDP and TCP frames carried in IPv6 packets. From now on, it is able also to handle UDP-Lite and DCCP protocols. Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2018-07-23T19:59:41Z Piotr Sawicki p.sawicki2@partner.samsung.com 2018-07-19T09:42:58Z urn:sha1:129a99890936766f4b69b9da7ed88366313a9210 A socket which has sk_family set to PF_INET6 is able to receive not only IPv6 but also IPv4 traffic (IPv4-mapped IPv6 addresses). Prior to this patch, the smk_skb_to_addr_ipv6() could have been called for socket buffers containing IPv4 packets, in result such traffic was allowed. Signed-off-by: Piotr Sawicki <p.sawicki2@partner.samsung.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2018-07-12T14:04:15Z Al Viro viro@zeniv.linux.org.uk 2018-07-10T18:13:18Z urn:sha1:9481769208b5e39b871ae4e89f5328c776ec38dc Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2018-06-23T01:45:56Z Casey Schaufler casey@schaufler-ca.com 2018-06-22T17:54:45Z urn:sha1:7b4e88434c4e7982fb053c49657e1c8bbb8692d9 Smack: Mark inode instant in smack_task_to_inode /proc clean-up in commit 1bbc55131e59bd099fdc568d3aa0b42634dbd188 resulted in smack_task_to_inode() being called before smack_d_instantiate. This resulted in the smk_inode value being ignored, even while present for files in /proc/self. Marking the inode as instant here fixes that. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <james.morris@microsoft.com> 2018-06-05T20:18:58Z James Morris james.morris@microsoft.com 2018-06-05T20:18:58Z urn:sha1:2531a0cd2dd9dc2b0da9fabb950e2db308ce78b8 "one simple patch that fixes a memory leak in kernfs and labeled NFS" 2018-06-05T19:16:01Z Casey Schaufler casey@schaufler-ca.com 2018-06-01T17:45:12Z urn:sha1:0f8983cf97d3327531b7843c831517cac3a1b9ed Fix memory leak in smack_inode_getsecctx The implementation of smack_inode_getsecctx() made incorrect assumptions about how Smack presents a security context. Smack does not need to allocate memory to support security contexts, so "releasing" a Smack context is a no-op. The code made an unnecessary copy and returned that as a context, which was never freed. The revised implementation returns the context correctly. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reported-by: CHANDAN VN <chandan.vn@samsung.com> Tested-by: CHANDAN VN <chandan.vn@samsung.com> 2018-05-04T19:48:54Z Tom Gundersen teg@jklm.no 2018-05-04T14:28:22Z urn:sha1:5859cdf55063943192f316b3d6c673fd6fcbee46 Make sure to implement the new socketpair callback so the SO_PEERSEC call on socketpair(2)s will return correct information. Signed-off-by: Tom Gundersen <teg@jklm.no> Signed-off-by: David Herrmann <dh.herrmann@gmail.com> Signed-off-by: James Morris <james.morris@microsoft.com>