21 Apr, 2009

1 commit


06 Apr, 2009

1 commit

  • tag_chunk has bad exit paths in which the inotify ref counting is wrong.
    At the top of the function we found &old_watch using inotify_find_watch().
    inotify_find_watch takes a reference to the watch. This is never dropped
    on an error path.

    Signed-off-by: Eric Paris
    Signed-off-by: Al Viro

    Eric Paris
     

05 Jan, 2009

2 commits

  • Don't store the field->op in the messy (and very inconvenient for e.g.
    audit_comparator()) form; translate to dense set of values and do full
    validation of userland-submitted value while we are at it.

    ->audit_init_rule() and ->audit_match_rule() get new values now; in-tree
    instances updated.

    Signed-off-by: Al Viro

    Al Viro
     
  • Fix the actual rule listing; add per-type lists _not_ used for matching,
    with all exit,... sitting on one such list. Simplifies "do something
    for all rules" logics, while we are at it...

    Signed-off-by: Al Viro

    Al Viro
     

16 Nov, 2008

1 commit

  • Inotify watch removals suck violently.

    To kick the watch out we need (in this order) inode->inotify_mutex and
    ih->mutex. That's fine if we have a hold on inode; however, for all
    other cases we need to make damn sure we don't race with umount. We can
    *NOT* just grab a reference to a watch - inotify_unmount_inodes() will
    happily sail past it and we'll end with reference to inode potentially
    outliving its superblock.

    Ideally we just want to grab an active reference to superblock if we
    can; that will make sure we won't go into inotify_umount_inodes() until
    we are done. Cleanup is just deactivate_super().

    However, that leaves a messy case - what if we *are* racing with
    umount() and active references to superblock can't be acquired anymore?
    We can bump ->s_count, grab ->s_umount, which will almost certainly wait
    until the superblock is shut down and the watch in question is pining
    for fjords. That's fine, but there is a problem - we might have hit the
    window between ->s_active getting to 0 / ->s_count - below S_BIAS (i.e.
    the moment when superblock is past the point of no return and is heading
    for shutdown) and the moment when deactivate_super() acquires
    ->s_umount.

    We could just do drop_super() yield() and retry, but that's rather
    antisocial and this stuff is luser-triggerable. OTOH, having grabbed
    ->s_umount and having found that we'd got there first (i.e. that
    ->s_root is non-NULL) we know that we won't race with
    inotify_umount_inodes().

    So we could grab a reference to watch and do the rest as above, just
    with drop_super() instead of deactivate_super(), right? Wrong. We had
    to drop ih->mutex before we could grab ->s_umount. So the watch
    could've been gone already.

    That still can be dealt with - we need to save watch->wd, do idr_find()
    and compare its result with our pointer. If they match, we either have
    the damn thing still alive or we'd lost not one but two races at once,
    the watch had been killed and a new one got created with the same ->wd
    at the same address. That couldn't have happened in inotify_destroy(),
    but inotify_rm_wd() could run into that. Still, "new one got created"
    is not a problem - we have every right to kill it or leave it alone,
    whatever's more convenient.

    So we can use idr_find(...) == watch && watch->inode->i_sb == sb as
    "grab it and kill it" check. If it's been our original watch, we are
    fine, if it's a newcomer - nevermind, just pretend that we'd won the
    race and kill the fscker anyway; we are safe since we know that its
    superblock won't be going away.

    And yes, this is far beyond mere "not very pretty"; so's the entire
    concept of inotify to start with.

    Signed-off-by: Al Viro
    Acked-by: Greg KH
    Signed-off-by: Linus Torvalds

    Al Viro
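The revalidation check described in the commit message above, as an added userspace illustration in C (not code from the kernel tree or from the commit's author). The structs, `toy_idr_find()`, `remember()`, `still_killable()` and the scenario enum are hypothetical stand-ins; locking is not modelled, only what gets compared once the lock has been re-taken.

```c
#include <stddef.h>
/* Toy stand-ins for the kernel objects named in the commit message. */
struct super_block { int id; };
struct inode { struct super_block *i_sb; };
struct watch { int wd; struct inode *inode; };

#define MAX_WD 4
struct handle { struct watch *idr[MAX_WD]; };   /* wd -> watch lookup */

static struct watch *toy_idr_find(struct handle *ih, int wd)
{
    return (wd >= 0 && wd < MAX_WD) ? ih->idr[wd] : NULL;
}

/* Copied out while the handle lock was still held; after the lock is
 * dropped the watch may be freed, so only these copies are trusted. */
struct pinned { struct watch *ptr; int wd; struct super_block *sb; };

static struct pinned remember(struct watch *w)
{
    return (struct pinned){ w, w->wd, w->inode->i_sb };
}

/* After re-locking: 1 = "grab it and kill it", 0 = leave it alone.
 * Pointer compare comes first, so cur is dereferenced only if it is
 * the object currently registered under the saved wd. */
static int still_killable(struct handle *ih, const struct pinned *p)
{
    struct watch *cur = toy_idr_find(ih, p->wd);
    return cur == p->ptr && cur->inode->i_sb == p->sb;
}

/* Constructed scenarios for what happens while the lock is dropped. */
enum race { NO_RACE, REMOVED, REUSED_SAME_SB, REUSED_OTHER_SB, NEW_ADDRESS };

static int run_scenario(enum race r)
{
    struct super_block sb = { 1 }, other = { 2 };
    struct inode a = { &sb }, a2 = { &sb }, b = { &other };
    struct watch slot = { 2, &a }, fresh = { 2, &a };
    struct handle ih = { { NULL } };
    ih.idr[2] = &slot;
    struct pinned p = remember(&slot);
    if (r == REMOVED)         ih.idr[2] = NULL;    /* watch is gone */
    if (r == REUSED_SAME_SB)  slot.inode = &a2;    /* newcomer, same wd and address */
    if (r == REUSED_OTHER_SB) slot.inode = &b;     /* newcomer on another superblock */
    if (r == NEW_ADDRESS)     ih.idr[2] = &fresh;  /* same wd, different object */
    return still_killable(&ih, &p);
}
int main(void) { return run_scenario(NO_RACE) == 1 ? 0 : 1; }
```

The newcomer on the same superblock passes the check, matching the message's point that killing it is safe because that superblock is pinned; every other changed state is rejected without touching the stale pointer.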
     

23 Oct, 2008

1 commit


17 May, 2008

1 commit

  • All uses of list_for_each_rcu() can be profitably replaced by the
    easier-to-use list_for_each_entry_rcu(). This patch makes this change
    for the Audit system, in preparation for removing the list_for_each_rcu()
    API entirely. This time with well-formed SOB.

    Signed-off-by: Paul E. McKenney
    Signed-off-by: Al Viro

    Paul E. McKenney
     

15 Feb, 2008

2 commits

  • * Add path_put() functions for releasing a reference to the dentry and
    vfsmount of a struct path in the right order

    * Switch from path_release(nd) to path_put(&nd->path)

    * Rename dput_path() to path_put_conditional()

    [akpm@linux-foundation.org: fix cifs]
    Signed-off-by: Jan Blunck
    Signed-off-by: Andreas Gruenbacher
    Acked-by: Christoph Hellwig
    Cc:
    Cc: Al Viro
    Cc: Steven French
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Jan Blunck
     
  • This is the central patch of a cleanup series. In most cases there is no good
    reason why someone would want to use a dentry for itself. This series reflects
    that fact and embeds a struct path into nameidata.

    Together with the other patches of this series
    - it enforced the correct order of getting/releasing the reference count on
      pairs
    - it prepares the VFS for stacking support since it is essential to have a
      struct path in every place where the stack can be traversed
    - it reduces the overall code size:

    without patch series:
       text    data     bss     dec     hex filename
    5321639  858418  715768 6895825  6938d1 vmlinux

    with patch series:
       text    data     bss     dec     hex filename
    5320026  858418  715768 6894212  693284 vmlinux

    This patch:

    Switch from nd->{dentry,mnt} to nd->path.{dentry,mnt} everywhere.

    [akpm@linux-foundation.org: coding-style fixes]
    [akpm@linux-foundation.org: fix cifs]
    [akpm@linux-foundation.org: fix smack]
    Signed-off-by: Jan Blunck
    Signed-off-by: Andreas Gruenbacher
    Acked-by: Christoph Hellwig
    Cc: Al Viro
    Cc: Casey Schaufler
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Jan Blunck
     

21 Oct, 2007

1 commit

  • New kind of audit rule predicates: "object is visible in given subtree".
    The part that can be sanely implemented, that is. Limitations:
    * if you have hardlink from outside of tree, you'd better watch
      it too (or just watch the object itself, obviously)
    * if you mount something under a watched tree, tell audit
      that new chunk should be added to watched subtrees
    * if you umount something in a watched tree and it's still mounted
      elsewhere, you will get matches on events happening there. New command
      tells audit to recalculate the trees, trimming such sources of false
      positives.

    Note that it's _not_ about path - if something mounted in several places
    (multiple mount, bindings, different namespaces, etc.), the match does
    _not_ depend on which one we are using for access.

    Signed-off-by: Al Viro

    Al Viro