12 Feb, 2007
2 commits
-
Replace a small number of expressions with a call to the "container_of()"
macro.Signed-off-by: Robert P. J. Day
Acked-by: Paul Mackerras
Cc: "David S. Miller"
Cc: Martin Schwidefsky
Cc: Stephen Smalley
Cc: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Replace appropriate pairs of "kmem_cache_alloc()" + "memset(0)" with the
corresponding "kmem_cache_zalloc()" call.Signed-off-by: Robert P. J. Day
Cc: "Luck, Tony"
Cc: Andi Kleen
Cc: Roland McGrath
Cc: James Bottomley
Cc: Greg KH
Acked-by: Joel Becker
Cc: Steven Whitehouse
Cc: Jan Kara
Cc: Michael Halcrow
Cc: "David S. Miller"
Cc: Stephen Smalley
Cc: James Morris
Cc: Chris Wright
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
07 Feb, 2007
1 commit
-
Fix the key serial number collision avoidance code in key_alloc_serial().
This didn't use to be so much of a problem as the key serial numbers were
allocated from a simple incremental counter, and it would have to go through
two billion keys before it could possibly encounter a collision. However, now
that random numbers are used instead, collisions are much more likely.This is fixed by finding a hole in the rbtree where the next unused serial
number ought to be and using that by going almost back to the top of the
insertion routine and redoing the insertion with the new serial number rather
than trying to be clever and attempting to work out the insertion point
pointer directly.This fixes kernel BZ #7727.
Signed-off-by: David Howells
Signed-off-by: Linus Torvalds
27 Jan, 2007
1 commit
-
This patch is an incremental fix to the flow_cache_genid
patch for selinux that breaks the build of 2.6.20-rc6 when
xfrm is not configured.Signed-off-by: Venkat Yekkirala
Signed-off-by: David S. Miller
24 Jan, 2007
1 commit
-
Currently, old flow cache entries remain valid even after
a reload of SELinux policy.This patch increments the flow cache generation id
on policy (re)loads so that flow cache entries are
revalidated as needed.Thanks to Herbet Xu for pointing this out. See:
http://marc.theaimsgroup.com/?l=linux-netdev&m=116841378704536&w=2There's also a general issue as well as a solution proposed
by David Miller for when flow_cache_genid wraps. I might be
submitting a separate patch for that later.I request that this be applied to 2.6.20 since it's
a security relevant fix.Signed-off-by: Venkat Yekkirala
Signed-off-by: David S. Miller
09 Jan, 2007
2 commits
-
The spinlock protecting the update of the "sksec->nlbl_state" variable is not
currently softirq safe which can lead to problems. This patch fixes this by
changing the spin_{un}lock() functions into spin_{un}lock_bh() functions.Signed-off-by: Paul Moore
Signed-off-by: James Morris -
This deletes mls_copy_context() in favor of mls_context_cpy() and
replaces mls_scopy_context() with mls_context_cpy_low().Signed-off-by: Venkat Yekkirala
Acked-by: Stephen Smalley
Signed-off-by: James Morris
03 Jan, 2007
1 commit
-
do not call a sleeping lock API in an RCU read section.
lock_sock_nested can sleep, its BH counterpart doesn't.
selinux_netlbl_inode_permission() needs to use the BH counterpart
unconditionally.Compile tested.
From: Ingo Molnar
added BH disabling, because this function can be called from non-atomic
contexts too, so a naked bh_lock_sock() would be deadlock-prone.Boot-tested the resulting kernel.
Signed-off-by: Parag Warudkar
Signed-off-by: Ingo Molnar
Signed-off-by: Linus Torvalds
11 Dec, 2006
1 commit
-
Currently, each fdtable supports three dynamically-sized arrays of data: the
fdarray and two fdsets. The code allows the number of fds supported by the
fdarray (fdtable->max_fds) to differ from the number of fds supported by each
of the fdsets (fdtable->max_fdset).In practice, it is wasteful for these two sizes to differ: whenever we hit a
limit on the smaller-capacity structure, we will reallocate the entire fdtable
and all the dynamic arrays within it, so any delta in the memory used by the
larger-capacity structure will never be touched at all.Rather than hogging this excess, we shouldn't even allocate it in the first
place, and keep the capacities of the fdarray and the fdsets equal. This
patch removes fdtable->max_fdset. As an added bonus, most of the supporting
code becomes simpler.Signed-off-by: Vadim Lobanov
Cc: Christoph Hellwig
Cc: Al Viro
Cc: Dipankar Sarma
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
09 Dec, 2006
2 commits
-
Signed-off-by: Josef Sipek
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Fix the locking of signal->tty.
Use ->sighand->siglock to protect ->signal->tty; this lock is already used
by most other members of ->signal/->sighand. And unless we are 'current'
or the tasklist_lock is held we need ->siglock to access ->signal anyway.(NOTE: sys_unshare() is broken wrt ->sighand locking rules)
Note that tty_mutex is held over tty destruction, so while holding
tty_mutex any tty pointer remains valid. Otherwise the lifetime of ttys
are governed by their open file handles. This leaves some holes for tty
access from signal->tty (or any other non file related tty access).It solves the tty SLAB scribbles we were seeing.
(NOTE: the change from group_send_sig_info to __group_send_sig_info needs to
be examined by someone familiar with the security framework, I think
it is safe given the SEND_SIG_PRIV from other __group_send_sig_info
invocations)[schwidefsky@de.ibm.com: 3270 fix]
[akpm@osdl.org: various post-viro fixes]
Signed-off-by: Peter Zijlstra
Acked-by: Alan Cox
Cc: Oleg Nesterov
Cc: Prarit Bhargava
Cc: Chris Wright
Cc: Roland McGrath
Cc: Stephen Smalley
Cc: James Morris
Cc: "David S. Miller"
Cc: Jeff Dike
Cc: Martin Schwidefsky
Cc: Jan Kara
Signed-off-by: Martin Schwidefsky
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
08 Dec, 2006
5 commits
-
Name some of the remaning 'old_style_spin_init' locks
Signed-off-by: Peter Zijlstra
Acked-by: Ingo Molnar
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Signed-off-by: Eric Sesterhenn
Signed-off-by: Alexey Dobriyan
Acked-By: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Replace all uses of kmem_cache_t with struct kmem_cache.
The patch was generated using the following script:
#!/bin/sh
#
# Replace one string by another in all the kernel sources.
#set -e
for file in `find * -name "*.c" -o -name "*.h"|xargs grep -l $1`; do
quilt add $file
sed -e "1,\$s/$1/$2/g" $file >/tmp/$$
mv /tmp/$$ $file
quilt refresh
doneThe script was run like this
sh replace kmem_cache_t "struct kmem_cache"
Signed-off-by: Christoph Lameter
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
SLAB_KERNEL is an alias of GFP_KERNEL.
Signed-off-by: Christoph Lameter
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
SLAB_ATOMIC is an alias of GFP_ATOMIC
Signed-off-by: Christoph Lameter
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
06 Dec, 2006
1 commit
-
Conflicts:
drivers/ata/libata-scsi.c
include/linux/libata.hFuther merge of Linus's head and compilation fixups.
Signed-Off-By: David Howells
05 Dec, 2006
2 commits
-
Conflicts:
drivers/infiniband/core/iwcm.c
drivers/net/chelsio/cxgb2.c
drivers/net/wireless/bcm43xx/bcm43xx_main.c
drivers/net/wireless/prism54/islpci_eth.c
drivers/usb/core/hub.h
drivers/usb/input/hid-core.c
net/core/netpoll.cFix up merge failures with Linus's head and fix new compilation failures.
Signed-Off-By: David Howells
-
Signed-off-by: Al Viro
Signed-off-by: Linus Torvalds
03 Dec, 2006
11 commits
-
We're seeing increasing namespace conflicts between the global
class_destroy() function declared in linux/device.h, and the private
function in the SELinux core code. This patch renames the SELinux
function to cls_destroy() to avoid this conflict.Acked-by: Stephen Smalley
Signed-off-by: James Morris -
The original NetLabel category bitmap was a straight char bitmap which worked
fine for the initial release as it only supported 240 bits due to limitations
in the CIPSO restricted bitmap tag (tag type 0x01). This patch converts that
straight char bitmap into an extensibile/sparse bitmap in order to lay the
foundation for other CIPSO tag types and protocols.This patch also has a nice side effect in that all of the security attributes
passed by NetLabel into the LSM are now in a format which is in the host's
native byte/bit ordering which makes the LSM specific code much simpler; look
at the changes in security/selinux/ss/ebitmap.c as an example.Signed-off-by: Paul Moore
Signed-off-by: James Morris -
Use a forward declaration instead of dragging in skbuff.h and
related junk.Signed-off-by: James Morris
-
Now that labeled IPsec makes use of the peer_sid field in the
sk_security_struct we can remove a lot of the special cases between labeled
IPsec and NetLabel. In addition, create a new function,
security_skb_extlbl_sid(), which we can use in several places to get the
security context of the packet's external label which allows us to further
simplify the code in a few places.Signed-off-by: Paul Moore
Signed-off-by: James Morris -
This patch does a lot of cleanup in the SELinux NetLabel support code. A
summary of the changes include:* Use RCU locking for the NetLabel state variable in the skk_security_struct
instead of using the inode_security_struct mutex.
* Remove unnecessary parameters in selinux_netlbl_socket_post_create().
* Rename selinux_netlbl_sk_clone_security() to
selinux_netlbl_sk_security_clone() to better fit the other NetLabel
sk_security functions.
* Improvements to selinux_netlbl_inode_permission() to help reduce the cost of
the common case.Signed-off-by: Paul Moore
Signed-off-by: James Morris -
The existing netlbl_lsm_secattr struct required the LSM to check all of the
fields to determine if any security attributes were present resulting in a lot
of work in the common case of no attributes. This patch adds a 'flags' field
which is used to indicate which attributes are present in the structure; this
should allow the LSM to do a quick comparison to determine if the structure
holds any security attributes.Example:
if (netlbl_lsm_secattr->flags)
/* security attributes present */
else
/* NO security attributes present */Signed-off-by: Paul Moore
Signed-off-by: James Morris -
RTM_GETPREFIX is completely unused and is thus removed.
Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller -
This patch implements SELinux kernel support for DCCP
(http://linux-net.osdl.org/index.php/DCCP), which is similar in
operation to TCP in terms of connected state between peers.The SELinux support for DCCP is thus modeled on existing handling of
TCP.A new DCCP socket class is introduced, to allow protocol
differentation. The permissions for this class inherit all of the
socket permissions, as well as the current TCP permissions (node_bind,
name_bind etc). IPv4 and IPv6 are supported, although labeled
networking is not, at this stage.Patches for SELinux userspace are at:
http://people.redhat.com/jmorris/selinux/dccp/user/I've performed some basic testing, and it seems to be working as
expected. Adding policy support is similar to TCP, the only real
difference being that it's a different protocol.Acked-by: Stephen Smalley
Signed-off-by: James Morris
Signed-off-by: David S. Miller -
Fix the selection of an SA for an outgoing packet to be at the same
context as the originating socket/flow. This eliminates the SELinux
policy's ability to use/sendto SAs with contexts other than the socket's.With this patch applied, the SELinux policy will require one or more of the
following for a socket to be able to communicate with/without SAs:1. To enable a socket to communicate without using labeled-IPSec SAs:
allow socket_t unlabeled_t:association { sendto recvfrom }
2. To enable a socket to communicate with labeled-IPSec SAs:
allow socket_t self:association { sendto };
allow socket_t peer_sa_t:association { recvfrom };Signed-off-by: Venkat Yekkirala
Signed-off-by: James Morris -
Fix SO_PEERSEC for tcp sockets to return the security context of
the peer (as represented by the SA from the peer) as opposed to the
SA used by the local/source socket.Signed-off-by: Venkat Yekkirala
Signed-off-by: James Morris -
Since the upstreaming of the mlsxfrm modification a few months back,
testing has resulted in the identification of the following issues/bugs that
are resolved in this patch set.1. Fix the security context used in the IKE negotiation to be the context
of the socket as opposed to the context of the SPD rule.2. Fix SO_PEERSEC for tcp sockets to return the security context of
the peer as opposed to the source.3. Fix the selection of an SA for an outgoing packet to be at the same
context as the originating socket/flow.The following would be the result of applying this patchset:
- SO_PEERSEC will now correctly return the peer's context.
- IKE deamons will receive the context of the source socket/flow
as opposed to the SPD rule's context so that the negotiated SA
will be at the same context as the source socket/flow.- The SELinux policy will require one or more of the
following for a socket to be able to communicate with/without SAs:1. To enable a socket to communicate without using labeled-IPSec SAs:
allow socket_t unlabeled_t:association { sendto recvfrom }
2. To enable a socket to communicate with labeled-IPSec SAs:
allow socket_t self:association { sendto };
allow socket_t peer_sa_t:association { recvfrom };This Patch: Pass correct security context to IKE for use in negotiation
Fix the security context passed to IKE for use in negotiation to be the
context of the socket as opposed to the context of the SPD rule so that
the SA carries the label of the originating socket/flow.Signed-off-by: Venkat Yekkirala
Signed-off-by: James Morris
02 Dec, 2006
1 commit
-
* 'for-2.6.20' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
SELinux: validate kernel object classes and permissions
SELinux: ensure keys constant in hashtab_search
SELinux: export object class and permission definitions
SELinux: remove current object class and permission validation mechanism
29 Nov, 2006
4 commits
-
This is a new object class and permission validation scheme that validates
against the defined kernel headers. This scheme allows extra classes
and permissions that do not conflict with the kernel definitions to be
added to the policy. This validation is now done for all policy loads,
not just subsequent loads after the first policy load.The implementation walks the three structrures containing the defined
object class and permission values and ensures their values are the
same in the policy being loaded. This includes verifying the object
classes themselves, the permissions they contain, and the permissions
they inherit from commons. Classes or permissions that are present in the
kernel but missing from the policy cause a warning (printed to KERN_INFO)
to be printed, but do not stop the policy from loading, emulating current
behavior. Any other inconsistencies cause the load to fail.Signed-off-by: Chad Sellers
Acked-by: Stephen Smalley
Signed-off-by: James Morris -
Makes the key argument passed into hashtab_search and all the functions
it calls constant. These functions include hash table function pointers
hash_value and keycmp. The only implementations of these currently
are symhash and symcmp, which do not modify the key. The key parameter
should never be changed by any of these, so it should be const. This
is necessary to allow calling these functions with keys found in kernel
object class and permission definitions.Signed-off-by: Chad Sellers
Acked-by: Stephen Smalley
Signed-off-by: James Morris -
Moves the definition of the 3 structs containing object class and
permission definitions from avc.c to avc_ss.h so that the security
server can access them for validation on policy load. This also adds
a new struct type, defined_classes_perms_t, suitable for allowing the
security server to access these data structures from the avc.Signed-off-by: Chad Sellers
Acked-by: Stephen Smalley
Signed-off-by: James Morris -
Removes the current SELinux object class and permission validation code,
as the current code makes it impossible to change or remove object classes
and permissions on a running system. Additionally, the current code does
not actually validate that the classes and permissions are correct, but
instead merely validates that they do not change between policy reloads.Signed-off-by: Chad Sellers
Acked-by: Stephen Smalley
Signed-off-by: James Morris
27 Nov, 2006
1 commit
-
The return value of dentry_open() shoud be checked by IS_ERR().
Cc: Stephen Smalley
Cc: James Morris
Signed-off-by: Akinobu Mita
Signed-off-by: James Morris
22 Nov, 2006
1 commit
-
Pass the work_struct pointer to the work function rather than context data.
The work function can use container_of() to work out the data.For the cases where the container of the work_struct may go away the moment the
pending bit is cleared, it is made possible to defer the release of the
structure by deferring the clearing of the pending bit.To make this work, an extra flag is introduced into the management side of the
work_struct. This governs auto-release of the structure upon execution.Ordinarily, the work queue executor would release the work_struct for further
scheduling or deallocation by clearing the pending bit prior to jumping to the
work function. This means that, unless the driver makes some guarantee itself
that the work_struct won't go away, the work function may not access anything
else in the work_struct or its container lest they be deallocated.. This is a
problem if the auxiliary data is taken away (as done by the last patch).However, if the pending bit is *not* cleared before jumping to the work
function, then the work function *may* access the work_struct and its container
with no problems. But then the work function must itself release the
work_struct by calling work_release().In most cases, automatic release is fine, so this is the default. Special
initiators exist for the non-auto-release case (ending in _NAR).Signed-Off-By: David Howells
31 Oct, 2006
1 commit
-
This patch makes two changes to protect applications from either removing or
tampering with the CIPSOv4 IP option on a socket. The first is the requirement
that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
on a socket; this prevents untrusted applications from setting their own
CIPSOv4 security attributes on the packets they send. The second change is to
SELinux and it prevents applications from setting any IPv4 options when there
is an IPOPT_CIPSO option already present on the socket; this prevents
applications from removing CIPSOv4 security attributes from the packets they
send.Signed-off-by: Paul Moore
Signed-off-by: James Morris
Signed-off-by: David S. Miller
16 Oct, 2006
1 commit
-
Upon inspection it looked like the error handling for mls_export_cat() was
rather poor. This patch addresses this by NULL'ing out kfree()'d pointers
before returning and checking the return value of the function everywhere
it is called.Signed-off-by: Paul Moore
Signed-off-by: James Morris
12 Oct, 2006
1 commit
-
This patch fixes two bugs in policydb_destroy. Two list pointers
(policydb.ocontexts[i] and policydb.genfs) were not being reset to NULL when
the lists they pointed to were being freed. This caused a problem when the
initial policy load failed, as the policydb being destroyed was not a
temporary new policydb that was thrown away, but rather was the global
(active) policydb. Consequently, later functions, particularly
sys_bind->selinux_socket_bind->security_node_sid and
do_rw_proc->selinux_sysctl->selinux_proc_get_sid->security_genfs_sid tried
to dereference memory that had previously been freed.Signed-off-by: Chad Sellers
Signed-off-by: James Morris