16 Nov, 2011

1 commit


10 Sep, 2011

3 commits


02 Aug, 2011

1 commit


24 Jul, 2011

1 commit

  • For a number of file systems that don't have a mount point (e.g. sockfs
    and pipefs), they are not marked as long term. Therefore in
    mntput_no_expire, all locks in vfs_mount lock are taken instead of just
    the local cpu's lock to aggregate reference counts when we release a
    reference to file objects. In fact, only the local lock needs to have been
    taken to update ref counts as these file systems are in no danger of
    going away until we are ready to unregister them.

    The attached patch marks file systems using kern_mount without a
    mount point as long term. The contention on the vfs_mount lock
    is now eliminated. Before un-registering such a file system,
    kern_unmount should be called to remove the long term flag and
    make the mount point ready to be freed.

    Signed-off-by: Tim Chen
    Signed-off-by: Al Viro

    Tim Chen
     

15 Jun, 2011

1 commit


27 May, 2011

1 commit

  • I submit the patch again, according to the patch submission convention.

    This patch enables accepting percent-encoded object names as the fourth
    argument of the /selinux/create interface to avoid possible bugs when we
    give an object name including whitespace or multibyte characters.

    E.g.) if and when a userspace object manager tries to create a new object
    named "resolve.conf but fake", it shall give this name as the fourth
    argument of /selinux/create. But the sscanf() logic in kernel space
    fetches only the part earlier than the first whitespace.
    In this case, selinux may unexpectedly answer a default security context
    configured to "resolve.conf", but it is a bug.

    Although I could not actually test this patch on named TYPE_TRANSITION
    rules, the debug printk() message seems to me to show the logic works
    correctly.
    I assume the libselinux provides an interface to apply this logic
    transparently, so nothing shall be changed from the viewpoint of the
    application.

    Signed-off-by: KaiGai Kohei
    Signed-off-by: Eric Paris

    Kohei Kaigai
     

24 May, 2011

2 commits

  • Conflicts:
    lib/flex_array.c
    security/selinux/avc.c
    security/selinux/hooks.c
    security/selinux/ss/policydb.c
    security/smack/smack_lsm.c

    Manually resolve conflicts.

    Signed-off-by: James Morris

    James Morris
     
  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (39 commits)
    b43: fix comment typo reqest -> request
    Haavard Skinnemoen has left Atmel
    cris: typo in mach-fs Makefile
    Kconfig: fix copy/paste-ism for dell-wmi-aio driver
    doc: timers-howto: fix a typo ("unsgined")
    perf: Only include annotate.h once in tools/perf/util/ui/browsers/annotate.c
    md, raid5: Fix spelling error in comment ('Ofcourse' --> 'Of course').
    treewide: fix a few typos in comments
    regulator: change debug statement be consistent with the style of the rest
    Revert "arm: mach-u300/gpio: Fix mem_region resource size miscalculations"
    audit: acquire creds selectively to reduce atomic op overhead
    rtlwifi: don't touch with treewide double semicolon removal
    treewide: cleanup continuations and remove logging message whitespace
    ath9k_hw: don't touch with treewide double semicolon removal
    include/linux/leds-regulator.h: fix syntax in example code
    tty: fix typo in descripton of tty_termios_encode_baud_rate
    xtensa: remove obsolete BKL kernel option from defconfig
    m68k: fix comment typo 'occcured'
    arch:Kconfig.locks Remove unused config option.
    treewide: remove extra semicolons
    ...

    Linus Torvalds
     

20 May, 2011

1 commit


12 May, 2011

1 commit

  • In the interest of keeping userspace from having to create new root
    filesystems all the time, let's follow the lead of the other in-kernel
    filesystems and provide a proper mount point for it in sysfs.

    For selinuxfs, this mount point should be in /sys/fs/selinux/

    Cc: Stephen Smalley
    Cc: James Morris
    Cc: Eric Paris
    Cc: Lennart Poettering
    Cc: Daniel J Walsh
    Signed-off-by: Greg Kroah-Hartman
    [include kobject.h - Eric Paris]
    [use selinuxfs_obj throughout - Eric Paris]
    Signed-off-by: Eric Paris

    Greg Kroah-Hartman
     

10 Apr, 2011

1 commit


02 Apr, 2011

1 commit

  • The attached patch allows /selinux/create to take an optional 4th argument
    to support TYPE_TRANSITION with name extension for userspace object
    managers.
    If the 4th argument is not supplied, it shall perform as the existing
    kernel does.
    In fact, the regression test of SE-PostgreSQL works well on the patched
    kernel.

    Thanks,

    Signed-off-by: KaiGai Kohei
    [manually verify fuzz was not an issue, and it wasn't: eparis]
    Signed-off-by: Eric Paris

    Kohei Kaigai
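The two /selinux/create commits above (the optional 4th object-name argument, and percent-encoding it so whitespace or multibyte names survive the kernel's sscanf()) are illustrated by this added example, written here rather than taken from the kernel or libselinux. It assumes the request written to /selinux/create has the form "scontext tcontext tclass objname" (with tclass as the numeric policy class value), and it encodes every byte that is whitespace, non-printable, '%' or >= 0x80 as %XX; the exact byte set the kernel decodes is not stated in the commit, so encoding this superset is the conservative choice. The contexts and class number are constructed sample values.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Percent-encode an object name for the 4th argument of /selinux/create.
 * Assumption: anything that is not a printable ASCII character other than
 * '%' is encoded as %XX, so the name can never contain the whitespace that
 * would terminate the kernel's "%s" conversion. Returns the encoded length,
 * or -1 if the output buffer is too small. */
static int selinux_pct_encode(const char *name, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        unsigned char c = *p;
        int plain = c < 0x80 && isgraph(c) && c != '%';
        if (plain) {
            if (o + 1 >= outsz)
                return -1;
            out[o++] = (char)c;
        } else {
            if (o + 3 >= outsz)
                return -1;
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build the line a userspace object manager writes to /selinux/create:
 * "<scontext> <tcontext> <tclass> <encoded objname>". The 4th field is
 * optional at the kernel side; omitting it (objname == NULL) keeps the
 * pre-patch behaviour. Returns the line length or -1 on overflow. */
static int selinux_create_request(const char *scon, const char *tcon,
                                  unsigned tclass, const char *objname,
                                  char *buf, size_t bufsz)
{
    char enc[512];
    int n;
    if (objname == NULL) {
        n = snprintf(buf, bufsz, "%s %s %u", scon, tcon, tclass);
    } else {
        if (selinux_pct_encode(objname, enc, sizeof enc) < 0)
            return -1;
        n = snprintf(buf, bufsz, "%s %s %u %s", scon, tcon, tclass, enc);
    }
    return (n < 0 || (size_t)n >= bufsz) ? -1 : n;
}
```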
     

10 Jan, 2011

1 commit


07 Jan, 2011

3 commits

  • dget_locked was a shortcut to avoid the lazy lru manipulation when we already
    held dcache_lock (lru manipulation was relatively cheap at that point).
    However, now that the lru lock is an innermost one, we never hold it at any
    caller, so the lock cost can now be avoided. We already have well working lazy
    dcache LRU, so it should be fine to defer LRU manipulations to scan time.

    Signed-off-by: Nick Piggin

    Nick Piggin
     
  • dcache_lock no longer protects anything. remove it.

    Signed-off-by: Nick Piggin

    Nick Piggin
     
  • Protect d_subdirs and d_child with d_lock, except in filesystems that aren't
    using dcache_lock for these anyway (eg. using i_mutex).

    Note: if we change the locking rule in future so that ->d_child protection is
    provided only with ->d_parent->d_lock, it may allow us to reduce some locking.
    But it would be an exception to an otherwise regular locking scheme, so we'd
    have to see some good results. Probably not worthwhile.

    Signed-off-by: Nick Piggin

    Nick Piggin
     

01 Dec, 2010

2 commits

  • selinuxfs carefully uses i_ino to figure out what the inode refers to. The
    VFS used to generically set this value and we would reset it to something
    useable. After 85fe4025c616 each filesystem sets this value to a default
    if needed. Since selinuxfs doesn't use the default value and it can only
    lead to problems (I'd rather have 2 inodes with i_ino == 0 than one
    pointing to the wrong data) let's just stop setting a default.

    Signed-off-by: Eric Paris
    Acked-by: James Morris

    Eric Paris
     
  • selinuxfs.c has lots of different standards on how to handle return paths on
    error. For the most part transition to

    rc=errno
    if (failure)
    goto out;
    [...]
    out:
    cleanup()
    return rc;

    Instead of doing cleanup mid function, or having multiple returns or other
    options. This doesn't do that for every function, but most of the complex
    functions which have cleanup routines on error.

    Signed-off-by: Eric Paris

    Eric Paris
     

29 Oct, 2010

1 commit


26 Oct, 2010

1 commit

  • Instead of always assigning an increasing inode number in new_inode
    move the call to assign it into those callers that actually need it.
    For now callers that need it is estimated conservatively, that is
    the call is added to all filesystems that do not assign an i_ino
    by themselves. For a few more filesystems we can avoid assigning
    any inode number given that they aren't user visible, and for others
    it could be done lazily when an inode number is actually needed,
    but that's left for later patches.

    Signed-off-by: Christoph Hellwig
    Signed-off-by: Dave Chinner
    Signed-off-by: Al Viro

    Christoph Hellwig
     

21 Oct, 2010

3 commits

  • /selinux/policy allows a user to copy the policy back out of the kernel.
    This patch allows userspace to actually mmap that file and use it directly.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • There is interest in being able to see what the actual policy is that was
    loaded into the kernel. The patch creates a new selinuxfs file
    /selinux/policy which can be read by userspace. The actual policy that is
    loaded into the kernel will be written back out to userspace.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • This patch provides a new /selinux/status entry which allows applications
    a read-only mmap(2).
    This region reflects the selinux_kernel_status structure in kernel space.

    struct selinux_kernel_status
    {
        u32 length;       /* length of this structure */
        u32 sequence;     /* sequence number of seqlock logic */
        u32 enforcing;    /* current setting of enforcing mode */
        u32 policyload;   /* times of policy reloaded */
        u32 deny_unknown; /* current setting of deny_unknown */
    };

    When a userspace object manager caches access control decisions provided
    by SELinux, it needs to invalidate the cache on policy reload and setenforce
    to keep consistency.
    However, the applications need to check the kernel state for each access
    on the userspace avc, or launch a background worker process.
    Heuristically, the frequency of invalidation is much less than the frequency
    of making access control decisions, so it is annoying to invoke a system call
    to check that we don't need to invalidate the userspace cache.
    If we can use a background worker thread, it allows us to receive invalidation
    messages from the kernel. But it requires invasive coding in the
    base application in some cases; e.g., when we provide a feature performing
    with SELinux as a plugin module, it is an unwelcome manner to launch its own
    worker thread from the module.

    If we could map /selinux/status to process memory space, applications can
    know of updates to selinux status: policy reload or setenforce.

    A typical application checks selinux_kernel_status::sequence when it tries
    to reference the userspace avc. If it has changed since the last time it
    checked the userspace avc, it means something was updated in kernel space.
    Then, the application can reset the userspace avc or update the current
    enforcing mode, without any system call invocations.
    This sequence number is updated according to the seqlock logic, so we need
    to wait for a while if it is an odd number.

    Signed-off-by: KaiGai Kohei
    Acked-by: Eric Paris
    --
    security/selinux/include/security.h | 21 ++++++
    security/selinux/selinuxfs.c | 56 +++++++++++++++
    security/selinux/ss/Makefile | 2 +-
    security/selinux/ss/services.c | 3 +
    security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
    5 files changed, 210 insertions(+), 1 deletions(-)
    Signed-off-by: James Morris

    KaiGai Kohei
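The reader side of the /selinux/status page described above, as an added example that is not part of the patch: it mirrors the commit's struct layout, takes a seqlock-consistent snapshot (retrying while the sequence is odd or changes under the read), and uses the sequence number to decide whether a userspace AVC must be flushed. To run anywhere it reads constructed in-memory pages instead of an mmap(2) of the real file; the function names, the bounded-spin policy and the length check are this example's own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Layout from the commit text; field order is shared with the kernel. */
struct selinux_kernel_status {
    uint32_t length;       /* length of this structure */
    uint32_t sequence;     /* seqlock sequence: odd while the kernel is updating */
    uint32_t enforcing;    /* current setting of enforcing mode */
    uint32_t policyload;   /* times policy was reloaded */
    uint32_t deny_unknown; /* current setting of deny_unknown */
};

enum { STATUS_OK = 0, STATUS_BUSY = -1, STATUS_TOO_SHORT = -2 };

/* Seqlock-style consistent read of the shared page. Bounded rather than
 * spinning forever, so a stuck odd sequence cannot hang the caller. */
static int status_read(const volatile struct selinux_kernel_status *st,
                       struct selinux_kernel_status *out, int max_spins)
{
    if (st->length < sizeof *out)
        return STATUS_TOO_SHORT;          /* kernel exports fewer fields than expected */
    for (int spins = 0; spins <= max_spins; spins++) {
        uint32_t seq = st->sequence;
        if (seq & 1)
            continue;                     /* writer in progress: retry */
        out->enforcing = st->enforcing;   /* volatile reads; on a real mapping a */
        out->policyload = st->policyload; /* read barrier belongs here as well */
        out->deny_unknown = st->deny_unknown;
        if (st->sequence == seq) {        /* unchanged: the snapshot is consistent */
            out->length = st->length;
            out->sequence = seq;
            return STATUS_OK;
        }
    }
    return STATUS_BUSY;
}

/* Check done before each userspace AVC lookup: compare the cached sequence
 * with the live one. Returns true when the cache must be flushed (a policy
 * reload or setenforce happened) and refreshes the cached copy; no syscall. */
static bool avc_needs_reset(const volatile struct selinux_kernel_status *st,
                            struct selinux_kernel_status *cached)
{
    struct selinux_kernel_status now;
    if (status_read(st, &now, 1000) != STATUS_OK)
        return true;                      /* could not verify: flush to be safe */
    if (now.sequence == cached->sequence)
        return false;
    *cached = now;
    return true;
}

/* Constructed sample pages; a real client mmaps /selinux/status read-only. */
static volatile struct selinux_kernel_status page_stable = {
    .length = sizeof(struct selinux_kernel_status), .sequence = 4,
    .enforcing = 1, .policyload = 2, .deny_unknown = 0 };
static volatile struct selinux_kernel_status page_busy = {
    .length = sizeof(struct selinux_kernel_status), .sequence = 5,
    .enforcing = 1, .policyload = 2, .deny_unknown = 0 };
```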
     

02 Aug, 2010

1 commit

  • The default for llseek will change to no_llseek,
    so selinuxfs needs to add explicit .llseek
    assignments. Since we're dealing with regular
    files from a VFS perspective, use generic_file_llseek.

    Signed-off-by: Arnd Bergmann
    Cc: Stephen Smalley
    Cc: Eric Paris
    Signed-off-by: James Morris

    Arnd Bergmann
     

09 Apr, 2010

1 commit


09 Feb, 2010

1 commit

  • In sel_make_bools, the kernel allocates memory for bool_pending_names[i]
    with security_get_bools. So if we just free bool_pending_names, the
    memory for bool_pending_names[i] will be leaked.

    This patch resolves dozens of the following kmemleak report after resuming
    from suspend:
    unreferenced object 0xffff88022e4c7380 (size 32):
    comm "init", pid 1, jiffies 4294677173
    backtrace:
    [] create_object+0x1a2/0x2a9
    [] kmemleak_alloc+0x26/0x4b
    [] __kmalloc+0x18f/0x1b8
    [] security_get_bools+0xd7/0x16f
    [] sel_write_load+0x12e/0x62b
    [] vfs_write+0xae/0x10b
    [] sys_write+0x4a/0x6e
    [] system_call_fastpath+0x16/0x1b
    [] 0xffffffffffffffff

    Signed-off-by: Xiaotian Feng
    Signed-off-by: James Morris

    Xiaotian Feng
     

04 Feb, 2010

1 commit


18 Jan, 2010

1 commit

  • If allow_unknown==deny, SELinux treats an undefined kernel security
    class as an error condition rather than as a typical permission denial
    and thus does not allow permissions on undefined classes even when in
    permissive mode. Change the SELinux logic so that this case is handled
    as a typical permission denial, subject to the usual permissive mode and
    permissive domain handling.

    Also drop the 'requested' argument from security_compute_av() and
    helpers as it is a legacy of the original security server interface and
    is unused.

    Changes:
    - Handle permissive domains consistently by moving up the test for a
    permissive domain.
    - Make security_compute_av_user() consistent with security_compute_av();
    the only difference now is that security_compute_av() performs mapping
    between the kernel-private class and permission indices and the policy
    values. In the userspace case, this mapping is handled by libselinux.
    - Moved avd_init inside the policy lock.

    Based in part on a patch by Paul Moore.

    Reported-by: Andrew Worsley
    Signed-off-by: Stephen D. Smalley
    Reviewed-by: Paul Moore
    Signed-off-by: James Morris

    Stephen Smalley
     

07 Oct, 2009

1 commit

  • Modify SELinux to dynamically discover class and permission values
    upon policy load, based on the dynamic object class/perm discovery
    logic from libselinux. A mapping is created between kernel-private
    class and permission indices used outside the security server and the
    policy values used within the security server.

    The mappings are only applied upon kernel-internal computations;
    similar mappings for the private indices of userspace object managers
    are handled on a per-object manager basis by the userspace AVC. The
    interfaces for compute_av and transition_sid are split for kernel
    vs. userspace; the userspace functions are distinguished by a _user
    suffix.

    The kernel-private class indices are no longer tied to the policy
    values and thus do not need to skip indices for userspace classes;
    thus the kernel class index values are compressed. The flask.h
    definitions were regenerated by deleting the userspace classes from
    refpolicy's definitions and then regenerating the headers. Going
    forward, we can just maintain the flask.h, av_permissions.h, and
    classmap.h definitions separately from policy as they are no longer
    tied to the policy values. The next patch introduces a utility to
    automate generation of flask.h and av_permissions.h from the
    classmap.h definitions.

    The older kernel class and permission string tables are removed and
    replaced by a single security class mapping table that is walked at
    policy load to generate the mapping. The old kernel class validation
    logic is completely replaced by the mapping logic.

    The handle unknown logic is reworked. reject_unknown=1 is handled
    when the mappings are computed at policy load time, similar to the old
    handling by the class validation logic. allow_unknown=1 is handled
    when computing and mapping decisions - if the permission was not able
    to be mapped (i.e. undefined, mapped to zero), then it is
    automatically added to the allowed vector. If the class was not able
    to be mapped (i.e. undefined, mapped to zero), then all permissions
    are allowed for it if allow_unknown=1.

    avc_audit leverages the new security class mapping table to look up the
    class and permission names from the kernel-private indices.

    The mdp program is updated to use the new table when generating the
    class definitions and allow rules for a minimal boot policy for the
    kernel. It should be noted that this policy will not include any
    userspace classes, nor will its policy index values for the kernel
    classes correspond with the ones in refpolicy (they will instead match
    the kernel-private indices).

    Signed-off-by: Stephen Smalley
    Signed-off-by: James Morris

    Stephen Smalley
     

19 May, 2009

1 commit

  • On Tue, 2009-05-19 at 00:05 -0400, Eamon Walsh wrote:
    > Recent versions of coreutils have bumped the read buffer size from 4K to
    > 32K in several of the utilities.
    >
    > This means that "cat /selinux/booleans/xserver_object_manager" no longer
    > works, it returns "Invalid argument" on F11. getsebool works fine.
    >
    > sel_read_bool has a check for "count > PAGE_SIZE" that doesn't seem to
    > be present in the other read functions. Maybe it could be removed?

    Yes, that check is obsoleted by the conversion of those functions to
    using simple_read_from_buffer(), which will reduce count if necessary to
    what is available in the buffer.

    Signed-off-by: Stephen Smalley
    Signed-off-by: James Morris

    Stephen Smalley
     

02 Apr, 2009

1 commit

  • This patch enables applications to handle permissive domains correctly.

    Since the v2.6.26 kernel, SELinux has supported the idea of a permissive
    domain which allows certain processes to work as if in permissive mode,
    even if the global setting is enforcing mode.
    However, we don't have an application program interface to inform
    what domains are permissive ones, and what domains are not.
    It means applications focusing on SELinux (XACE/SELinux, SE-PostgreSQL
    and so on) cannot handle permissive domains correctly.

    This patch adds a sixth field (flags) on the reply of the /selinux/access
    interface which is used to make an access control decision from userspace.
    If the first bit of the flags field is positive, it means the required
    access control decision is on a permissive domain, so the application should
    allow any required actions, as the kernel does.

    This patch also has a side benefit. The av_decision.flags is set at
    context_struct_compute_av(). It enables checking required permissions
    without read_lock(&policy_rwlock).

    Signed-off-by: KaiGai Kohei
    Acked-by: Stephen Smalley
    Acked-by: Eric Paris
    --
    security/selinux/avc.c | 2 +-
    security/selinux/include/security.h | 4 +++-
    security/selinux/selinuxfs.c | 4 ++--
    security/selinux/ss/services.c | 30 +++++-------------------------
    4 files changed, 11 insertions(+), 29 deletions(-)
    Signed-off-by: James Morris

    KaiGai Kohei
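How a userspace object manager consumes the new sixth field, as an added example (not code from the patch or from libselinux). It assumes the reply read back from /selinux/access is "allowed decided auditallow auditdeny seqno flags" in hex/hex/hex/hex/decimal/hex, that a five-field reply comes from an older kernel without the flags field, and that bit 0 of flags marks a permissive domain as the commit describes; the sample replies are constructed, and the AVD_FLAGS_PERMISSIVE name is local to this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit 0 of the flags field, as described in the commit. */
#define AVD_FLAGS_PERMISSIVE 0x0001u

struct av_decision {
    uint32_t allowed;      /* permission bits the policy grants */
    uint32_t auditallow;   /* permissions to audit when granted */
    uint32_t auditdeny;    /* permissions to audit when denied */
    uint32_t seqno;        /* policy sequence number the reply is valid for */
    uint32_t flags;        /* new sixth field; bit 0 = permissive domain */
};

/* Parse one reply line read back from /selinux/access. Assumed format:
 * "allowed decided auditallow auditdeny seqno flags"; 'decided' is a legacy
 * field and is ignored. A five-field reply from an older kernel is accepted
 * with flags = 0 (no permissive information available). Returns 0, or -1 if
 * the line is malformed. */
static int parse_access_reply(const char *line, struct av_decision *avd)
{
    unsigned int allowed, decided, auditallow, auditdeny, seqno, flags = 0;
    int n = sscanf(line, "%x %x %x %x %u %x",
                   &allowed, &decided, &auditallow, &auditdeny, &seqno, &flags);
    if (n < 5)
        return -1;
    avd->allowed = allowed;
    avd->auditallow = auditallow;
    avd->auditdeny = auditdeny;
    avd->seqno = seqno;
    avd->flags = (n == 6) ? flags : 0;
    return 0;
}

/* Userspace decision mirroring the kernel: a missing permission is refused
 * unless the source domain is permissive, in which case the action is
 * allowed but *denied still reports what would have been refused, so the
 * caller can log it exactly as the kernel does. */
static bool avc_permit(const struct av_decision *avd, uint32_t requested,
                       uint32_t *denied)
{
    *denied = requested & ~avd->allowed;
    if (*denied == 0)
        return true;
    return (avd->flags & AVD_FLAGS_PERMISSIVE) != 0;
}

/* Constructed sample replies (not captured from a real kernel). */
static const char reply_enforcing[]  = "2 ffffffff 0 2 17 0\n";
static const char reply_permissive[] = "2 ffffffff 0 2 17 1\n";
static const char reply_old_kernel[] = "2 ffffffff 0 2 17\n";
```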
     

28 Mar, 2009

1 commit

  • The SELinux "compat_net" is marked as deprecated, the time has come to
    finally remove it from the kernel. Further code simplifications are
    likely in the future, but this patch was intended to be a simple,
    straight-up removal of the compat_net code.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     

14 Feb, 2009

1 commit

  • It appears there was an intention to have the security server only decide
    certain permissions and leave others for later as some sort of a potential
    performance win. We are currently always deciding all 32 bits of
    permissions and this is a useless couple of branches and wasted space.
    This patch completely drops the av.decided concept.

    This is a 17% reduction in the time spent in avc_has_perm_noaudit
    based on oprofile sampling of a tbench benchmark.

    Signed-off-by: Eric Paris
    Reviewed-by: Paul Moore
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Eric Paris
     

07 Jan, 2009

1 commit


06 Jan, 2009

1 commit


01 Jan, 2009

2 commits

  • Impact: cleanup

    In future, all cpumask ops will only be valid (in general) for bit
    numbers < nr_cpu_ids. So use that instead of NR_CPUS in iterators
    and other comparisons.

    This is always safe: no cpu number can be >= nr_cpu_ids, and
    nr_cpu_ids is initialized to NR_CPUS at boot.

    Signed-off-by: Rusty Russell
    Signed-off-by: Mike Travis
    Acked-by: Ingo Molnar
    Acked-by: James Morris
    Cc: Eric Biederman

    Rusty Russell
     
  • This patch is the first step towards removing the old "compat_net" code from
    the kernel. Secmark, the "compat_net" replacement was first introduced in
    2.6.18 (September 2006) and the major Linux distributions with SELinux support
    have transitioned to Secmark so it is time to start deprecating the "compat_net"
    mechanism. Testing a patched version of 2.6.28-rc6 with the initial release of
    Fedora Core 5 did not show any problems when running in enforcing mode.

    This patch adds an entry to the feature-removal-schedule.txt file and removes
    the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing
    Secmark on by default although it can still be disabled at runtime. The patch
    also makes the Secmark permission checks "dynamic" in the sense that they are
    only executed when Secmark is configured; this should help prevent problems
    with older distributions that have not yet migrated to Secmark.

    Signed-off-by: Paul Moore
    Acked-by: James Morris

    Paul Moore
     

14 Nov, 2008

1 commit