11 Dec, 2006

1 commit

  • Currently, each fdtable supports three dynamically-sized arrays of data: the
    fdarray and two fdsets. The code allows the number of fds supported by the
    fdarray (fdtable->max_fds) to differ from the number of fds supported by each
    of the fdsets (fdtable->max_fdset).

    In practice, it is wasteful for these two sizes to differ: whenever we hit a
    limit on the smaller-capacity structure, we will reallocate the entire fdtable
    and all the dynamic arrays within it, so any delta in the memory used by the
    larger-capacity structure will never be touched at all.

    Rather than hogging this excess, we shouldn't even allocate it in the first
    place, and keep the capacities of the fdarray and the fdsets equal. This
    patch removes fdtable->max_fdset. As an added bonus, most of the supporting
    code becomes simpler.

    Signed-off-by: Vadim Lobanov
    Cc: Christoph Hellwig
    Cc: Al Viro
    Cc: Dipankar Sarma
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Vadim Lobanov
     

09 Dec, 2006

2 commits

  • Signed-off-by: Josef Sipek
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Josef Sipek
     
  • Fix the locking of signal->tty.

    Use ->sighand->siglock to protect ->signal->tty; this lock is already used
    by most other members of ->signal/->sighand. And unless we are 'current'
    or the tasklist_lock is held we need ->siglock to access ->signal anyway.

    (NOTE: sys_unshare() is broken wrt ->sighand locking rules)

    Note that tty_mutex is held over tty destruction, so while holding
    tty_mutex any tty pointer remains valid. Otherwise the lifetime of ttys
    is governed by their open file handles. This leaves some holes for tty
    access from signal->tty (or any other non file related tty access).

    It solves the tty SLAB scribbles we were seeing.

    (NOTE: the change from group_send_sig_info to __group_send_sig_info needs to
    be examined by someone familiar with the security framework, I think
    it is safe given the SEND_SIG_PRIV from other __group_send_sig_info
    invocations)

    [schwidefsky@de.ibm.com: 3270 fix]
    [akpm@osdl.org: various post-viro fixes]
    Signed-off-by: Peter Zijlstra
    Acked-by: Alan Cox
    Cc: Oleg Nesterov
    Cc: Prarit Bhargava
    Cc: Chris Wright
    Cc: Roland McGrath
    Cc: Stephen Smalley
    Cc: James Morris
    Cc: "David S. Miller"
    Cc: Jeff Dike
    Cc: Martin Schwidefsky
    Cc: Jan Kara
    Signed-off-by: Martin Schwidefsky
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Peter Zijlstra
     

08 Dec, 2006

5 commits


06 Dec, 2006

1 commit


05 Dec, 2006

2 commits


03 Dec, 2006

11 commits

  • We're seeing increasing namespace conflicts between the global
    class_destroy() function declared in linux/device.h, and the private
    function in the SELinux core code. This patch renames the SELinux
    function to cls_destroy() to avoid this conflict.

    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    James Morris
     
  • The original NetLabel category bitmap was a straight char bitmap which worked
    fine for the initial release as it only supported 240 bits due to limitations
    in the CIPSO restricted bitmap tag (tag type 0x01). This patch converts that
    straight char bitmap into an extensible/sparse bitmap in order to lay the
    foundation for other CIPSO tag types and protocols.

    This patch also has a nice side effect in that all of the security attributes
    passed by NetLabel into the LSM are now in a format which is in the host's
    native byte/bit ordering which makes the LSM specific code much simpler; look
    at the changes in security/selinux/ss/ebitmap.c as an example.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • Use a forward declaration instead of dragging in skbuff.h and
    related junk.

    Signed-off-by: James Morris

    James Morris
     
  • Now that labeled IPsec makes use of the peer_sid field in the
    sk_security_struct we can remove a lot of the special cases between labeled
    IPsec and NetLabel. In addition, create a new function,
    security_skb_extlbl_sid(), which we can use in several places to get the
    security context of the packet's external label which allows us to further
    simplify the code in a few places.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • This patch does a lot of cleanup in the SELinux NetLabel support code. A
    summary of the changes includes:

    * Use RCU locking for the NetLabel state variable in the sk_security_struct
    instead of using the inode_security_struct mutex.
    * Remove unnecessary parameters in selinux_netlbl_socket_post_create().
    * Rename selinux_netlbl_sk_clone_security() to
    selinux_netlbl_sk_security_clone() to better fit the other NetLabel
    sk_security functions.
    * Improvements to selinux_netlbl_inode_permission() to help reduce the cost of
    the common case.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • The existing netlbl_lsm_secattr struct required the LSM to check all of the
    fields to determine if any security attributes were present, resulting in a lot
    of work in the common case of no attributes. This patch adds a 'flags' field
    which is used to indicate which attributes are present in the structure; this
    should allow the LSM to do a quick comparison to determine if the structure
    holds any security attributes.

    Example:

    if (netlbl_lsm_secattr->flags) {
        /* security attributes present */
    } else {
        /* NO security attributes present */
    }

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
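An added C illustration of the flags-field pattern the commit describes; this is not the kernel's code, and the struct, field names and flag values are hypothetical stand-ins for netlbl_lsm_secattr. It shows the one-word presence test the commit is after, and the consistency check a reviewer would pair with it, because a flag that is not cleared together with its field becomes a stale claim that attributes are present:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical attribute set; not the kernel's netlbl_lsm_secattr. */
#define SECATTR_DOMAIN   0x01u   /* domain string is valid */
#define SECATTR_MLS_LVL  0x02u   /* mls_lvl is valid */
#define SECATTR_CACHE    0x04u   /* cache pointer is valid */

struct secattr {
	uint32_t flags;      /* which of the fields below carry data */
	const char *domain;
	uint32_t mls_lvl;    /* 0 is a legal level, so the field alone cannot say "absent" */
	void *cache;
};

static void secattr_init(struct secattr *s)
{
	memset(s, 0, sizeof *s);
}

static void secattr_set_domain(struct secattr *s, const char *domain)
{
	s->domain = domain;
	s->flags |= SECATTR_DOMAIN;
}

static void secattr_set_mls_lvl(struct secattr *s, uint32_t lvl)
{
	s->mls_lvl = lvl;
	s->flags |= SECATTR_MLS_LVL;
}

/* The cheap common-case test: one word compare instead of inspecting every field. */
int secattr_present(const struct secattr *s)
{
	return s->flags != 0;
}

/* Cross-check flags against fields. Returns the bits that disagree (0 means
 * consistent). The MLS level cannot be cross-checked because every value is
 * valid, which is exactly why it needs a flag in the first place. */
uint32_t secattr_inconsistent(const struct secattr *s)
{
	uint32_t bad = 0;

	if (((s->flags & SECATTR_DOMAIN) != 0) != (s->domain != NULL))
		bad |= SECATTR_DOMAIN;
	if (((s->flags & SECATTR_CACHE) != 0) != (s->cache != NULL))
		bad |= SECATTR_CACHE;
	return bad;
}

/* Constructed scenarios: an empty set, a correctly built set, and a set whose
 * domain was dropped without clearing its flag. */
int scenario_empty_present(void)
{
	struct secattr s;
	secattr_init(&s);
	return secattr_present(&s);          /* 0: nothing set */
}

uint32_t scenario_fresh_inconsistent(void)
{
	struct secattr s;
	secattr_init(&s);
	secattr_set_domain(&s, "httpd_t");   /* constructed value */
	secattr_set_mls_lvl(&s, 0);
	return secattr_inconsistent(&s);     /* 0: flags and fields agree */
}

uint32_t scenario_stale_flag(void)
{
	struct secattr s;
	secattr_init(&s);
	secattr_set_domain(&s, "httpd_t");
	s.domain = NULL;                     /* field dropped, flag left behind */
	return secattr_inconsistent(&s);     /* SECATTR_DOMAIN */
}

int main(void)
{
	printf("empty present: %d\n", scenario_empty_present());
	printf("fresh inconsistent bits: 0x%x\n", scenario_fresh_inconsistent());
	printf("stale-flag inconsistent bits: 0x%x\n", scenario_stale_flag());
	return 0;
}
```

The point of the second function is that the flags word is a cache of the field contents: every path that clears or replaces a field has to update it, so a debug-build assertion on `secattr_inconsistent()` at the LSM boundary catches the one new bug class this optimisation introduces.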
     
  • RTM_GETPREFIX is completely unused and is thus removed.

    Signed-off-by: Thomas Graf
    Signed-off-by: David S. Miller

    Thomas Graf
     
  • This patch implements SELinux kernel support for DCCP
    (http://linux-net.osdl.org/index.php/DCCP), which is similar in
    operation to TCP in terms of connected state between peers.

    The SELinux support for DCCP is thus modeled on existing handling of
    TCP.

    A new DCCP socket class is introduced, to allow protocol
    differentiation. The permissions for this class inherit all of the
    socket permissions, as well as the current TCP permissions (node_bind,
    name_bind etc). IPv4 and IPv6 are supported, although labeled
    networking is not, at this stage.

    Patches for SELinux userspace are at:
    http://people.redhat.com/jmorris/selinux/dccp/user/

    I've performed some basic testing, and it seems to be working as
    expected. Adding policy support is similar to TCP, the only real
    difference being that it's a different protocol.

    Acked-by: Stephen Smalley
    Signed-off-by: James Morris
    Signed-off-by: David S. Miller

    James Morris
     
  • Fix the selection of an SA for an outgoing packet to be at the same
    context as the originating socket/flow. This eliminates the SELinux
    policy's ability to use/sendto SAs with contexts other than the socket's.

    With this patch applied, the SELinux policy will require one or more of the
    following for a socket to be able to communicate with/without SAs:

    1. To enable a socket to communicate without using labeled-IPSec SAs:

    allow socket_t unlabeled_t:association { sendto recvfrom }

    2. To enable a socket to communicate with labeled-IPSec SAs:

    allow socket_t self:association { sendto };
    allow socket_t peer_sa_t:association { recvfrom };

    Signed-off-by: Venkat Yekkirala
    Signed-off-by: James Morris

    Venkat Yekkirala
     
  • Fix SO_PEERSEC for tcp sockets to return the security context of
    the peer (as represented by the SA from the peer) as opposed to the
    SA used by the local/source socket.

    Signed-off-by: Venkat Yekkirala
    Signed-off-by: James Morris

    Venkat Yekkirala
     
  • Since the upstreaming of the mlsxfrm modification a few months back,
    testing has resulted in the identification of the following issues/bugs that
    are resolved in this patch set.

    1. Fix the security context used in the IKE negotiation to be the context
    of the socket as opposed to the context of the SPD rule.

    2. Fix SO_PEERSEC for tcp sockets to return the security context of
    the peer as opposed to the source.

    3. Fix the selection of an SA for an outgoing packet to be at the same
    context as the originating socket/flow.

    The following would be the result of applying this patchset:

    - SO_PEERSEC will now correctly return the peer's context.

    - IKE daemons will receive the context of the source socket/flow
    as opposed to the SPD rule's context so that the negotiated SA
    will be at the same context as the source socket/flow.

    - The SELinux policy will require one or more of the
    following for a socket to be able to communicate with/without SAs:

    1. To enable a socket to communicate without using labeled-IPSec SAs:

    allow socket_t unlabeled_t:association { sendto recvfrom }

    2. To enable a socket to communicate with labeled-IPSec SAs:

    allow socket_t self:association { sendto };
    allow socket_t peer_sa_t:association { recvfrom };

    This Patch: Pass correct security context to IKE for use in negotiation

    Fix the security context passed to IKE for use in negotiation to be the
    context of the socket as opposed to the context of the SPD rule so that
    the SA carries the label of the originating socket/flow.

    Signed-off-by: Venkat Yekkirala
    Signed-off-by: James Morris

    Venkat Yekkirala
     

02 Dec, 2006

1 commit


29 Nov, 2006

4 commits

  • This is a new object class and permission validation scheme that validates
    against the defined kernel headers. This scheme allows extra classes
    and permissions that do not conflict with the kernel definitions to be
    added to the policy. This validation is now done for all policy loads,
    not just subsequent loads after the first policy load.

    The implementation walks the three structures containing the defined
    object class and permission values and ensures their values are the
    same in the policy being loaded. This includes verifying the object
    classes themselves, the permissions they contain, and the permissions
    they inherit from commons. Classes or permissions that are present in the
    kernel but missing from the policy cause a warning (printed to KERN_INFO)
    to be printed, but do not stop the policy from loading, emulating current
    behavior. Any other inconsistencies cause the load to fail.

    Signed-off-by: Chad Sellers
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Chad Sellers
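As an added example that is not part of this commit or of the kernel, a user-space C model of the validation walk the message describes. The class and permission tables are constructed (names, values and the single flat table are assumptions; the kernel keeps three structures and also checks permissions inherited from commons, which is not modelled here). The behaviour it reproduces is the one stated above: a known class or permission carrying a different value fails the load, a missing one only warns, and extra entries in the policy are left alone:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel-defined classes/permissions. */
struct perm_def { const char *name; unsigned value; };
struct class_def {
	const char *name;
	unsigned value;
	const struct perm_def *perms;
	size_t nperms;
};

#define N(a) (sizeof (a) / sizeof (a)[0])

static const struct perm_def kern_file_perms[] = { { "read", 1 }, { "write", 2 }, { "execute", 4 } };
static const struct perm_def kern_sock_perms[] = { { "bind", 1 }, { "connect", 2 } };
static const struct class_def kernel_classes[] = {
	{ "file",   6, kern_file_perms, N(kern_file_perms) },
	{ "socket", 7, kern_sock_perms, N(kern_sock_perms) },
};

static const struct class_def *find_class(const struct class_def *tbl, size_t n, const char *name)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(tbl[i].name, name) == 0)
			return &tbl[i];
	return NULL;
}

static const struct perm_def *find_perm(const struct class_def *c, const char *name)
{
	for (size_t i = 0; i < c->nperms; i++)
		if (strcmp(c->perms[i].name, name) == 0)
			return &c->perms[i];
	return NULL;
}

/* Walk every kernel-defined class and permission and require the policy to
 * use the same value. Missing entries are warned about (counted in *warnings)
 * but tolerated; a different value for a known name fails the load. Extra
 * policy entries are not inspected. Returns 0 or -EINVAL. */
int validate_classes(const struct class_def *pol, size_t npol, unsigned *warnings)
{
	*warnings = 0;
	for (size_t i = 0; i < N(kernel_classes); i++) {
		const struct class_def *k = &kernel_classes[i];
		const struct class_def *p = find_class(pol, npol, k->name);

		if (!p) {
			printf("warning: class %s missing from policy\n", k->name);
			(*warnings)++;
			continue;
		}
		if (p->value != k->value) {
			printf("error: class %s is %u, kernel expects %u\n", k->name, p->value, k->value);
			return -EINVAL;
		}
		for (size_t j = 0; j < k->nperms; j++) {
			const struct perm_def *kp = &k->perms[j];
			const struct perm_def *pp = find_perm(p, kp->name);

			if (!pp) {
				printf("warning: %s:%s missing from policy\n", k->name, kp->name);
				(*warnings)++;
				continue;
			}
			if (pp->value != kp->value) {
				printf("error: %s:%s is %u, kernel expects %u\n", k->name, kp->name, pp->value, kp->value);
				return -EINVAL;
			}
		}
	}
	return 0;
}

/* Three constructed policies: matching (with extra "lock" perm and "dir"
 * class), one missing "execute" and the socket class, one renumbering "write". */
static const struct perm_def ok_file[] = { { "read", 1 }, { "write", 2 }, { "execute", 4 }, { "lock", 8 } };
static const struct class_def policy_ok[] = {
	{ "file", 6, ok_file, N(ok_file) }, { "socket", 7, kern_sock_perms, N(kern_sock_perms) },
	{ "dir", 42, ok_file, N(ok_file) },
};
static const struct perm_def missing_file[] = { { "read", 1 }, { "write", 2 } };
static const struct class_def policy_missing[] = { { "file", 6, missing_file, N(missing_file) } };
static const struct perm_def bad_file[] = { { "read", 1 }, { "write", 3 }, { "execute", 4 } };
static const struct class_def policy_bad[] = {
	{ "file", 6, bad_file, N(bad_file) }, { "socket", 7, kern_sock_perms, N(kern_sock_perms) },
};

static unsigned last_warnings;
unsigned warnings_of_last_case(void) { return last_warnings; }
int case_ok(void)      { return validate_classes(policy_ok, N(policy_ok), &last_warnings); }
int case_missing(void) { return validate_classes(policy_missing, N(policy_missing), &last_warnings); }
int case_bad(void)     { return validate_classes(policy_bad, N(policy_bad), &last_warnings); }

int main(void)
{
	printf("ok: %d\n", case_ok());
	printf("missing: %d (%u warnings)\n", case_missing(), warnings_of_last_case());
	printf("bad: %d\n", case_bad());
	return 0;
}
```

Running it prints one error line for the renumbered permission and two warning lines for the incomplete policy; the return codes are what a loader would act on.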
     
  • Makes the key argument passed into hashtab_search and all the functions
    it calls constant. These functions include hash table function pointers
    hash_value and keycmp. The only implementations of these currently
    are symhash and symcmp, which do not modify the key. The key parameter
    should never be changed by any of these, so it should be const. This
    is necessary to allow calling these functions with keys found in kernel
    object class and permission definitions.

    Signed-off-by: Chad Sellers
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Chad Sellers
     
  • Moves the definition of the 3 structs containing object class and
    permission definitions from avc.c to avc_ss.h so that the security
    server can access them for validation on policy load. This also adds
    a new struct type, defined_classes_perms_t, suitable for allowing the
    security server to access these data structures from the avc.

    Signed-off-by: Chad Sellers
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Chad Sellers
     
  • Removes the current SELinux object class and permission validation code,
    as the current code makes it impossible to change or remove object classes
    and permissions on a running system. Additionally, the current code does
    not actually validate that the classes and permissions are correct, but
    instead merely validates that they do not change between policy reloads.

    Signed-off-by: Chad Sellers
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Chad Sellers
     

27 Nov, 2006

1 commit


22 Nov, 2006

1 commit

  • Pass the work_struct pointer to the work function rather than context data.
    The work function can use container_of() to work out the data.

    For the cases where the container of the work_struct may go away the moment the
    pending bit is cleared, it is made possible to defer the release of the
    structure by deferring the clearing of the pending bit.

    To make this work, an extra flag is introduced into the management side of the
    work_struct. This governs auto-release of the structure upon execution.

    Ordinarily, the work queue executor would release the work_struct for further
    scheduling or deallocation by clearing the pending bit prior to jumping to the
    work function. This means that, unless the driver makes some guarantee itself
    that the work_struct won't go away, the work function may not access anything
    else in the work_struct or its container lest they be deallocated. This is a
    problem if the auxiliary data is taken away (as done by the last patch).

    However, if the pending bit is *not* cleared before jumping to the work
    function, then the work function *may* access the work_struct and its container
    with no problems. But then the work function must itself release the
    work_struct by calling work_release().

    In most cases, automatic release is fine, so this is the default. Special
    initiators exist for the non-auto-release case (ending in _NAR).

    Signed-Off-By: David Howells

    David Howells
     

31 Oct, 2006

1 commit

  • This patch makes two changes to protect applications from either removing or
    tampering with the CIPSOv4 IP option on a socket. The first is the requirement
    that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
    on a socket; this prevents untrusted applications from setting their own
    CIPSOv4 security attributes on the packets they send. The second change is to
    SELinux and it prevents applications from setting any IPv4 options when there
    is an IPOPT_CIPSO option already present on the socket; this prevents
    applications from removing CIPSOv4 security attributes from the packets they
    send.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris
    Signed-off-by: David S. Miller

    Paul Moore
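An added user-space C model of the two checks this commit describes; it is not the kernel's implementation. The function names and the sample option bytes are constructed, and only IPOPT_CIPSO (option type 134), IPOPT_END and IPOPT_NOOP are real IPv4 option values. It walks an IPv4 options area looking for a CIPSO option, treats a bad length as malformed rather than as "no CIPSO", and then applies the decision from the message: an unprivileged caller may not set CIPSO, and nobody may replace the options on a socket that already carries one:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_END   0
#define IPOPT_NOOP  1
#define IPOPT_CIPSO 134   /* 6 | IPOPT_CONTROL | IPOPT_COPY */

/* Scan the options area (bytes after the 20-byte fixed header).
 * Returns 1 if a CIPSO option is present, 0 if not, -1 if malformed. */
int ipv4_opts_has_cipso(const uint8_t *opts, size_t len)
{
	size_t i = 0;

	while (i < len) {
		uint8_t type = opts[i];

		if (type == IPOPT_END)
			return 0;
		if (type == IPOPT_NOOP) {
			i++;
			continue;
		}
		if (i + 1 >= len)              /* no room for the length byte */
			return -1;
		uint8_t olen = opts[i + 1];
		if (olen < 2 || i + olen > len) /* length must cover type+len and fit */
			return -1;
		if (type == IPOPT_CIPSO)
			return 1;
		i += olen;
	}
	return 0;
}

/* Decide whether a caller may replace a socket's IPv4 options.
 * has_cap_net_raw models the CAP_NET_RAW check; cur/new_opts are the
 * options currently on the socket and the ones being set.
 * Returns 0 to allow, -EPERM to deny, -EINVAL if either area is malformed. */
int check_ip_options_set(int has_cap_net_raw,
			 const uint8_t *cur, size_t curlen,
			 const uint8_t *new_opts, size_t newlen)
{
	int cur_cipso = ipv4_opts_has_cipso(cur, curlen);
	int new_cipso = ipv4_opts_has_cipso(new_opts, newlen);

	if (cur_cipso < 0 || new_cipso < 0)
		return -EINVAL;
	if (cur_cipso)                     /* second change: CIPSO already set, keep it */
		return -EPERM;
	if (new_cipso && !has_cap_net_raw) /* first change: setting CIPSO needs the capability */
		return -EPERM;
	return 0;
}

/* Constructed sample option areas. */
const uint8_t SAMPLE_CIPSO[] = { IPOPT_NOOP, IPOPT_CIPSO, 6, 0, 0, 0, 1, IPOPT_END };
const uint8_t SAMPLE_PLAIN[] = { 148, 4, 0, 0 };          /* Router Alert, no CIPSO */
const uint8_t SAMPLE_BAD[]   = { IPOPT_CIPSO, 1 };        /* length too small */

int main(void)
{
	printf("cipso sample: %d\n", ipv4_opts_has_cipso(SAMPLE_CIPSO, sizeof SAMPLE_CIPSO));
	printf("plain sample: %d\n", ipv4_opts_has_cipso(SAMPLE_PLAIN, sizeof SAMPLE_PLAIN));
	printf("bad sample:   %d\n", ipv4_opts_has_cipso(SAMPLE_BAD, sizeof SAMPLE_BAD));
	printf("unprivileged sets CIPSO: %d\n",
	       check_ip_options_set(0, NULL, 0, SAMPLE_CIPSO, sizeof SAMPLE_CIPSO));
	printf("replace options on labelled socket: %d\n",
	       check_ip_options_set(1, SAMPLE_CIPSO, sizeof SAMPLE_CIPSO, SAMPLE_PLAIN, sizeof SAMPLE_PLAIN));
	return 0;
}
```

The malformed case matters for the second check: if a truncated option list were reported as "no CIPSO", a caller could slip past the rule that protects an already-labelled socket, so the scanner distinguishes "absent" from "unparseable" and the decision function denies on the latter.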
     

16 Oct, 2006

1 commit


12 Oct, 2006

4 commits

  • This patch fixes two bugs in policydb_destroy. Two list pointers
    (policydb.ocontexts[i] and policydb.genfs) were not being reset to NULL when
    the lists they pointed to were being freed. This caused a problem when the
    initial policy load failed, as the policydb being destroyed was not a
    temporary new policydb that was thrown away, but rather was the global
    (active) policydb. Consequently, later functions, particularly
    sys_bind->selinux_socket_bind->security_node_sid and
    do_rw_proc->selinux_sysctl->selinux_proc_get_sid->security_genfs_sid tried
    to dereference memory that had previously been freed.

    Signed-off-by: Chad Sellers
    Signed-off-by: James Morris

    Chad Sellers
     
  • Currently when an IPSec policy rule doesn't specify a security
    context, it is assumed to be "unlabeled" by SELinux, and so
    the IPSec policy rule fails to match to a flow that it would
    otherwise match to, unless one has explicitly added an SELinux
    policy rule allowing the flow to "polmatch" to the "unlabeled"
    IPSec policy rules. In the absence of such an explicitly added
    SELinux policy rule, the IPSec policy rule fails to match and
    so the packet(s) flow in clear text without the otherwise applicable
    xfrm(s) applied.

    The above SELinux behavior violates the SELinux security notion of
    "deny by default" which should actually translate to "encrypt by
    default" in the above case.

    This was first reported by Evgeniy Polyakov and the way James Morris
    was seeing the problem was when connecting via IPsec to a
    confined service on an SELinux box (vsftpd), which did not have the
    appropriate SELinux policy permissions to send packets via IPsec.

    With this patch applied, SELinux "polmatching" of flows vs. IPSec
    policy rules will only come into play when there's an explicit context
    specified for the IPSec policy rule (which also means there's corresponding
    SELinux policy allowing appropriate domains/flows to polmatch to this context).

    Secondly, when a security module is loaded (in this case, SELinux), the
    security_xfrm_policy_lookup() hook can return errors other than access denied,
    such as -EINVAL. We were not handling that correctly, and in fact
    inverting the return logic and propagating a false "ok" back up to
    xfrm_lookup(), which then allowed packets to pass as if they were not
    associated with an xfrm policy.

    The solution for this is to first ensure that errno values are
    correctly propagated all the way back up through the various call chains
    from security_xfrm_policy_lookup(), and handled correctly.

    Then, flow_cache_lookup() is modified, so that if the policy resolver
    fails (typically a permission denied via the security module), the flow
    cache entry is killed rather than having a null policy assigned (which
    indicates that the packet can pass freely). This also forces any future
    lookups for the same flow to consult the security module (e.g. SELinux)
    for current security policy (rather than, say, caching the error on the
    flow cache entry).

    This patch: Fix the selinux side of things.

    This makes sure SELinux polmatching of flow contexts to IPSec policy
    rules comes into play only when an explicit context is associated
    with the IPSec policy rule.

    Also, this no longer defaults the context of a socket policy to
    the context of the socket since the "no explicit context" case
    is now handled properly.

    Signed-off-by: Venkat Yekkirala
    Signed-off-by: James Morris

    Venkat Yekkirala
     
    This patch changes NetLabel to use SECINITSID_UNLABELED as its source of
    SELinux type information when generating a NetLabel context.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    paul.moore@hp.com
     
  • Testing revealed a problem with the NetLabel cache where a cached entry could
    be freed while in use by the LSM layer causing an oops and other problems.
    This patch fixes that problem by introducing a reference counter to the cache
    entry so that it is only freed when it is no longer in use.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    paul.moore@hp.com
     

04 Oct, 2006

2 commits


01 Oct, 2006

1 commit


30 Sep, 2006

2 commits

  • Accepted connections of types other than AF_INET, AF_INET6, AF_UNIX won't
    have an appropriate label derived from the peer, so don't use it.

    Signed-off-by: David Woodhouse
    Acked-by: Stephen Smalley
    Acked-by: James Morris
    Acked-by: Paul Moore
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Woodhouse
     
  • This is an updated version of Eric Biederman's is_init() patch.
    (http://lkml.org/lkml/2006/2/6/280). It applies cleanly to 2.6.18-rc3 and
    replaces a few more instances of ->pid == 1 with is_init().

    Further, is_init() checks pid and thus removes dependency on Eric's other
    patches for now.

    Eric's original description:

    There are a lot of places in the kernel where we test for init
    because we give it special properties. Most significantly init
    must not die. This results in code all over the kernel test
    ->pid == 1.

    Introduce is_init to capture this case.

    With multiple pid spaces for all of the cases affected we are
    looking for only the first process on the system, not some other
    process that has pid == 1.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Sukadev Bhattiprolu
    Cc: Dave Hansen
    Cc: Serge Hallyn
    Cc: Cedric Le Goater
    Cc:
    Acked-by: Paul Mackerras
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Sukadev Bhattiprolu