23 Feb, 2013
1 commit
-
Signed-off-by: Al Viro
09 Oct, 2012
1 commit
-
A long time ago, in v2.4, VM_RESERVED kept swapout process off VMA,
currently it lost original meaning but still has some effects:

 | effect                 | alternative flags
-+------------------------+---------------------------------------------
1| account as reserved_vm | VM_IO
2| skip in core dump      | VM_IO, VM_DONTDUMP
3| do not merge or expand | VM_IO, VM_DONTEXPAND, VM_HUGETLB, VM_PFNMAP
4| do not mlock           | VM_IO, VM_DONTEXPAND, VM_HUGETLB, VM_PFNMAP

This patch removes reserved_vm counter from mm_struct. Seems like nobody
cares about it, it is not exported into userspace directly, it only
reduces total_vm shown in proc.

Thus VM_RESERVED can be replaced with VM_IO or pair VM_DONTEXPAND | VM_DONTDUMP.

remap_pfn_range() and io_remap_pfn_range() set VM_IO|VM_DONTEXPAND|VM_DONTDUMP.
remap_vmalloc_range() set VM_DONTEXPAND | VM_DONTDUMP.

[akpm@linux-foundation.org: drivers/vfio/pci/vfio_pci.c fixup]
Signed-off-by: Konstantin Khlebnikov
Cc: Alexander Viro
Cc: Carsten Otte
Cc: Chris Metcalf
Cc: Cyrill Gorcunov
Cc: Eric Paris
Cc: H. Peter Anvin
Cc: Hugh Dickins
Cc: Ingo Molnar
Cc: James Morris
Cc: Jason Baron
Cc: Kentaro Takeda
Cc: Matt Helsley
Cc: Nick Piggin
Cc: Oleg Nesterov
Cc: Peter Zijlstra
Cc: Robert Richter
Cc: Suresh Siddha
Cc: Tetsuo Handa
Cc: Venkatesh Pallipadi
Acked-by: Linus Torvalds
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
21 Sep, 2012
1 commit
-
Cc: Stephen Smalley
Cc: James Morris
Cc: Eric Paris
Signed-off-by: "Eric W. Biederman"
23 Jul, 2012
1 commit
-
Signed-off-by: Al Viro
30 May, 2012
1 commit
-
a) %d does _not_ produce a page worth of output
b) snprintf() doesn't return negatives - it used to in old glibc, but
that's the kernel...
Signed-off-by: Al Viro
10 Apr, 2012
4 commits
-
We reset the bool names and values array to NULL, but do not reset the
number of entries in these arrays to 0. If we error out and then get back
into this function we will walk these NULL pointers based on the belief
that they are non-zero length.
Signed-off-by: Eric Paris
cc: stable@kernel.org
-
I'm not really sure what the idea behind the sel_div function is, but it's
useless. Since a and b are both unsigned, it's impossible for a % b < 0.
That means that part of the function never does anything. Thus it's just a
normal /. Just do that instead. I don't even understand what that operation
was supposed to mean in the signed case however....

If it was signed:
sel_div(-2, 4) == ((-2 / 4) - ((-2 % 4) < 0))
                  ((0) - ((-2) < 0))
                  ((0) - (1))
                  (-1)

What actually happens:
sel_div(-2, 4) == ((18446744073709551614 / 4) - ((18446744073709551614 % 4) < 0))
                  ((4611686018427387903) - ((2 < 0))
                  (4611686018427387903 - 0)
                  ((unsigned int)4611686018427387903)
                  (4294967295)

Neither makes a whole ton of sense to me. So I'm getting rid of the
function entirely.
Signed-off-by: Eric Paris
-
There is no reason the DAC perms on reading the policy file need to be root
only. There are selinux checks which should control this access.
Signed-off-by: Eric Paris
-
sesearch uses:
lseek(3, 0, SEEK_SET) = -1 ESPIPE (Illegal seek)

Make that work.
Signed-off-by: Eric Paris
01 Apr, 2012
1 commit
-
Signed-off-by: Al Viro
16 Nov, 2011
1 commit
-
Signed-off-by: Andy Shevchenko
Cc: Eric Paris
Cc: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: James Morris
10 Sep, 2011
3 commits
-
Fix sparse warnings in SELinux Netlink code.
Signed-off-by: James Morris
-
Fixes several sparse warnings for selinuxfs.c
Signed-off-by: James Morris
-
Sparse fix: declare selinux_disable() in security.h
Signed-off-by: James Morris
02 Aug, 2011
1 commit
-
My @hp.com will no longer be valid starting August 5, 2011 so an update is
necessary. My new email address is employer independent so we don't have
to worry about doing this again any time soon.
Signed-off-by: Paul Moore
Signed-off-by: Paul Moore
Signed-off-by: David S. Miller
24 Jul, 2011
1 commit
-
For a number of file systems that don't have a mount point (e.g. sockfs
and pipefs), they are not marked as long term. Therefore in
mntput_no_expire, all locks in vfs_mount lock are taken instead of just
local cpu's lock to aggregate reference counts when we release
reference to file objects. In fact, only local lock need to have been
taken to update ref counts as these file systems are in no danger of
going away until we are ready to unregister them.

The attached patch marks file systems using kern_mount without
mount point as long term. The contentions of vfs_mount lock
is now eliminated. Before un-registering such file system,
kern_unmount should be called to remove the long term flag and
make the mount point ready to be freed.
Signed-off-by: Tim Chen
Signed-off-by: Al Viro
15 Jun, 2011
1 commit
27 May, 2011
1 commit
-
I submit the patch again, according to patch submission convention.
This patch enables to accept percent-encoded object names as fourth
argument of /selinux/create interface to avoid possible bugs when we
give an object name including whitespace or multibytes.

E.g) if and when a userspace object manager tries to create a new object
named as "resolve.conf but fake", it shall give this name as the fourth
argument of the /selinux/create. But sscanf() logic in kernel space
fetches only the part earlier than the first whitespace.
In this case, selinux may unexpectedly answer a default security context
configured to "resolve.conf", but it is bug.

Although I could not test this patch on named TYPE_TRANSITION rules
actually, but debug printk() message seems to me the logic works
correctly.
I assume the libselinux provides an interface to apply this logic
transparently, so nothing shall not be changed from the viewpoint of
application.
Signed-off-by: KaiGai Kohei
Signed-off-by: Eric Paris
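
The truncation described in the commit message above, and the percent-encoding round trip that avoids it, as an added example that is not code from the kernel or libselinux. The field order in fourth_field(), the sample contexts and class number, and the choice to reject %00 are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Encode every byte that is not printable non-space ASCII, plus '%' itself,
 * so the name survives a whitespace-delimited parse. Returns the encoded
 * length, or -1 if 'out' is too small. */
static int pct_encode(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = (isgraph(c) && c != '%') ? 1 : 3;
        if (n + need >= outsz) return -1;      /* keep room for the NUL */
        if (need == 1) { out[n++] = (char)c; continue; }
        out[n++] = '%'; out[n++] = hex[c >> 4]; out[n++] = hex[c & 15];
    }
    if (n >= outsz) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Decode in place. Returns 0, or -1 on a truncated or non-hex escape, or on
 * %00 (assumption: an embedded NUL would silently shorten the name again). */
static int pct_decode(char *s)
{
    char *w = s;
    unsigned v;
    for (; *s; s++) {
        if (*s != '%') { *w++ = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        sscanf(s + 1, "%2x", &v);
        if (v == 0) return -1;
        *w++ = (char)v; s += 2;
    }
    *w = '\0';
    return 0;
}

/* Whitespace-delimited sscanf() parse of a request, modelled on the behaviour
 * the commit message describes; the field order is an assumption. */
static int fourth_field(const char *req, char name[64])
{
    char scon[64], tcon[64]; unsigned tclass;
    return sscanf(req, "%63s %63s %u %63s", scon, tcon, &tclass, name) == 4 ? 0 : -1;
}
```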
24 May, 2011
2 commits
-
Conflicts:
lib/flex_array.c
security/selinux/avc.c
security/selinux/hooks.c
security/selinux/ss/policydb.c
security/smack/smack_lsm.c

Manually resolve conflicts.
Signed-off-by: James Morris
-
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (39 commits)
b43: fix comment typo reqest -> request
Haavard Skinnemoen has left Atmel
cris: typo in mach-fs Makefile
Kconfig: fix copy/paste-ism for dell-wmi-aio driver
doc: timers-howto: fix a typo ("unsgined")
perf: Only include annotate.h once in tools/perf/util/ui/browsers/annotate.c
md, raid5: Fix spelling error in comment ('Ofcourse' --> 'Of course').
treewide: fix a few typos in comments
regulator: change debug statement be consistent with the style of the rest
Revert "arm: mach-u300/gpio: Fix mem_region resource size miscalculations"
audit: acquire creds selectively to reduce atomic op overhead
rtlwifi: don't touch with treewide double semicolon removal
treewide: cleanup continuations and remove logging message whitespace
ath9k_hw: don't touch with treewide double semicolon removal
include/linux/leds-regulator.h: fix syntax in example code
tty: fix typo in descripton of tty_termios_encode_baud_rate
xtensa: remove obsolete BKL kernel option from defconfig
m68k: fix comment typo 'occcured'
arch:Kconfig.locks Remove unused config option.
treewide: remove extra semicolons
...
20 May, 2011
1 commit
-
There is no point in counting hits - we can calculate it from the number
of lookups and misses.

This makes the avc statistics a bit smaller, and makes the code
generation better too.
Signed-off-by: Linus Torvalds
12 May, 2011
1 commit
-
In the interest of keeping userspace from having to create new root
filesystems all the time, let's follow the lead of the other in-kernel
filesystems and provide a proper mount point for it in sysfs.

For selinuxfs, this mount point should be in /sys/fs/selinux/
Cc: Stephen Smalley
Cc: James Morris
Cc: Eric Paris
Cc: Lennart Poettering
Cc: Daniel J Walsh
Signed-off-by: Greg Kroah-Hartman
[include kobject.h - Eric Paris]
[use selinuxfs_obj throughout - Eric Paris]
Signed-off-by: Eric Paris
10 Apr, 2011
1 commit
-
Signed-off-by: Justin P. Mattock
Signed-off-by: Jiri Kosina
02 Apr, 2011
1 commit
-
The attached patch allows /selinux/create takes optional 4th argument
to support TYPE_TRANSITION with name extension for userspace object
managers.
If 4th argument is not supplied, it shall perform as existing kernel.
In fact, the regression test of SE-PostgreSQL works well on the patched
kernel.

Thanks,
Signed-off-by: KaiGai Kohei
[manually verify fuzz was not an issue, and it wasn't: eparis]
Signed-off-by: Eric Paris
10 Jan, 2011
1 commit
07 Jan, 2011
3 commits
-
dget_locked was a shortcut to avoid the lazy lru manipulation when we already
held dcache_lock (lru manipulation was relatively cheap at that point).
However, now that the lru lock is an innermost one, we never hold it at any
caller, so the lock cost can now be avoided. We already have well working lazy
dcache LRU, so it should be fine to defer LRU manipulations to scan time.
Signed-off-by: Nick Piggin
-
dcache_lock no longer protects anything. remove it.
Signed-off-by: Nick Piggin
-
Protect d_subdirs and d_child with d_lock, except in filesystems that aren't
using dcache_lock for these anyway (eg. using i_mutex).

Note: if we change the locking rule in future so that ->d_child protection is
provided only with ->d_parent->d_lock, it may allow us to reduce some locking.
But it would be an exception to an otherwise regular locking scheme, so we'd
have to see some good results. Probably not worthwhile.
Signed-off-by: Nick Piggin
01 Dec, 2010
2 commits
-
selinuxfs carefully uses i_ino to figure out what the inode refers to. The
VFS used to generically set this value and we would reset it to something
useable. After 85fe4025c616 each filesystem sets this value to a default
if needed. Since selinuxfs doesn't use the default value and it can only
lead to problems (I'd rather have 2 inodes with i_ino == 0 than one
pointing to the wrong data) let's just stop setting a default.
Signed-off-by: Eric Paris
Acked-by: James Morris
-
selinuxfs.c has lots of different standards on how to handle return paths on
error. For the most part transition to

        rc=errno
        if (failure)
                goto out;
[...]
out:
        cleanup()
        return rc;

Instead of doing cleanup mid function, or having multiple returns or other
options. This doesn't do that for every function, but most of the complex
functions which have cleanup routines on error.
Signed-off-by: Eric Paris
29 Oct, 2010
1 commit
-
Signed-off-by: Al Viro
26 Oct, 2010
1 commit
-
Instead of always assigning an increasing inode number in new_inode
move the call to assign it into those callers that actually need it.
For now callers that need it is estimated conservatively, that is
the call is added to all filesystems that do not assign an i_ino
by themselves. For a few more filesystems we can avoid assigning
any inode number given that they aren't user visible, and for others
it could be done lazily when an inode number is actually needed,
but that's left for later patches.
Signed-off-by: Christoph Hellwig
Signed-off-by: Dave Chinner
Signed-off-by: Al Viro
21 Oct, 2010
3 commits
-
/selinux/policy allows a user to copy the policy back out of the kernel.
This patch allows userspace to actually mmap that file and use it directly.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
There is interest in being able to see what the actual policy is that was
loaded into the kernel. The patch creates a new selinuxfs file
/selinux/policy which can be read by userspace. The actual policy that is
loaded into the kernel will be written back out to userspace.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch provides a new /selinux/status entry which allows applications
read-only mmap(2).
This region reflects selinux_kernel_status structure in kernel space.

struct selinux_kernel_status
{
        u32 length;         /* length of this structure */
        u32 sequence;       /* sequence number of seqlock logic */
        u32 enforcing;      /* current setting of enforcing mode */
        u32 policyload;     /* times of policy reloaded */
        u32 deny_unknown;   /* current setting of deny_unknown */
};

When userspace object manager caches access control decisions provided
by SELinux, it needs to invalidate the cache on policy reload and setenforce
to keep consistency.
However, the applications need to check the kernel state for each accesses
on userspace avc, or launch a background worker process.
In heuristic, frequency of invalidation is much less than frequency of
making access control decision, so it is annoying to invoke a system call
to check we don't need to invalidate the userspace cache.
If we can use a background worker thread, it allows to receive invalidation
messages from the kernel. But it requires us an invasive coding toward the
base application in some cases; E.g, when we provide a feature performing
with SELinux as a plugin module, it is unwelcome manner to launch its own
worker thread from the module.

If we could map /selinux/status to process memory space, application can
know updates of selinux status; policy reload or setenforce.

A typical application checks selinux_kernel_status::sequence when it tries
to reference userspace avc. If it was changed from the last time when it
checked userspace avc, it means something was updated in the kernel space.
Then, the application can reset userspace avc or update current enforcing
mode, without any system call invocations.
This sequence number is updated according to the seqlock logic, so we need
to wait for a while if it is odd number.
Signed-off-by: KaiGai Kohei
Acked-by: Eric Paris
--
security/selinux/include/security.h | 21 ++++++
security/selinux/selinuxfs.c | 56 +++++++++++++++
security/selinux/ss/Makefile | 2 +-
security/selinux/ss/services.c | 3 +
security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
5 files changed, 210 insertions(+), 1 deletions(-)
Signed-off-by: James Morris
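
The read side of the /selinux/status protocol described in the commit message above, as an added example that is not code from the kernel or libselinux. It runs against an in-memory struct instead of the mmap(2)ed page; struct uavc, the wait hook, the retry limit and finish_write() are hypothetical names introduced for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Field layout taken from the commit message above. */
struct selinux_kernel_status {
    uint32_t length, sequence, enforcing, policyload, deny_unknown;
};

/* Seqlock read side: retry while a write is in progress (odd sequence) or
 * the sequence moved during the copy. Returns 0 with a consistent snapshot,
 * -1 after max_tries. 'wait' is a hypothetical back-off hook. */
static int status_snapshot(const volatile struct selinux_kernel_status *st,
                           struct selinux_kernel_status *out, int max_tries,
                           void (*wait)(void *), void *ctx)
{
    while (max_tries-- > 0) {
        uint32_t seq = st->sequence;
        if (seq & 1) { if (wait) wait(ctx); continue; }   /* writer active */
        __atomic_thread_fence(__ATOMIC_ACQUIRE);
        out->length = st->length;         out->enforcing = st->enforcing;
        out->policyload = st->policyload; out->deny_unknown = st->deny_unknown;
        __atomic_thread_fence(__ATOMIC_ACQUIRE);
        if (st->sequence == seq) { out->sequence = seq; return 0; }
    }
    return -1;
}

/* State a userspace object manager keeps next to its AVC (hypothetical). */
struct uavc { uint32_t last_seq; uint32_t enforcing; unsigned resets; };

/* Call before each userspace AVC lookup. Returns 0 if the cache is still
 * valid, 1 if it was flushed, -1 if no consistent snapshot could be taken
 * (the caller must then not trust cached decisions). */
static int uavc_revalidate(struct uavc *c,
                           const volatile struct selinux_kernel_status *st,
                           void (*wait)(void *), void *ctx)
{
    struct selinux_kernel_status snap;
    if (st->sequence == c->last_seq) return 0;  /* one load, no system call */
    if (status_snapshot(st, &snap, 8, wait, ctx) != 0) return -1;
    c->last_seq = snap.sequence;
    c->enforcing = snap.enforcing;
    c->resets++;                                /* drop cached decisions here */
    return 1;
}

/* Constructed stand-in for the kernel completing its update. */
static void finish_write(void *ctx)
{
    ((volatile struct selinux_kernel_status *)ctx)->sequence++;
}
```

Treating the -1 result as "cache unusable" keeps a half-finished setenforce or policy reload from being answered with stale allow decisions.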
02 Aug, 2010
1 commit
-
The default for llseek will change to no_llseek,
so selinuxfs needs to add explicit .llseek
assignments. Since we're dealing with regular
files from a VFS perspective, use generic_file_llseek.
Signed-off-by: Arnd Bergmann
Cc: Stephen Smalley
Cc: Eric Paris
Signed-off-by: James Morris
09 Apr, 2010
1 commit
-
Fix coding style in security/
Signed-off-by: Zhitong Wang
Signed-off-by: James Morris
09 Feb, 2010
1 commit
-
In sel_make_bools, kernel allocates memory for bool_pending_names[i]
with security_get_bools. So if we just free bool_pending_names, those
memories for bool_pending_names[i] will be leaked.

This patch resolves dozens of following kmemleak report after resuming
from suspend:
unreferenced object 0xffff88022e4c7380 (size 32):
comm "init", pid 1, jiffies 4294677173
backtrace:
[] create_object+0x1a2/0x2a9
[] kmemleak_alloc+0x26/0x4b
[] __kmalloc+0x18f/0x1b8
[] security_get_bools+0xd7/0x16f
[] sel_write_load+0x12e/0x62b
[] vfs_write+0xae/0x10b
[] sys_write+0x4a/0x6e
[] system_call_fastpath+0x16/0x1b
[] 0xffffffffffffffff
Signed-off-by: Xiaotian Feng
Signed-off-by: James Morris
04 Feb, 2010
1 commit
-
Allow runtime switching between different policy types (e.g. from a MLS/MCS
policy to a non-MLS/non-MCS policy or vice versa).
Signed-off-by: Guido Trentalancia
Acked-by: Stephen Smalley
Signed-off-by: James Morris
18 Jan, 2010
1 commit
-
If allow_unknown==deny, SELinux treats an undefined kernel security
class as an error condition rather than as a typical permission denial
and thus does not allow permissions on undefined classes even when in
permissive mode. Change the SELinux logic so that this case is handled
as a typical permission denial, subject to the usual permissive mode and
permissive domain handling.

Also drop the 'requested' argument from security_compute_av() and
helpers as it is a legacy of the original security server interface and
is unused.

Changes:
- Handle permissive domains consistently by moving up the test for a
permissive domain.
- Make security_compute_av_user() consistent with security_compute_av();
the only difference now is that security_compute_av() performs mapping
between the kernel-private class and permission indices and the policy
values. In the userspace case, this mapping is handled by libselinux.
- Moved avd_init inside the policy lock.

Based in part on a patch by Paul Moore.
Reported-by: Andrew Worsley
Signed-off-by: Stephen D. Smalley
Reviewed-by: Paul Moore
Signed-off-by: James Morris