07 Mar, 2010

1 commit

  • Make sure compiler won't do weird things with limits. E.g. fetching them
    twice may return 2 different values after writable limits are implemented.

    I.e. either use rlimit helpers added in commit 3e10e716abf3 ("resource:
    add helpers for fetching rlimits") or ACCESS_ONCE if not applicable.

    Signed-off-by: Jiri Slaby
    Cc: Alexander Viro
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Jiri Slaby
     

30 Jan, 2010

1 commit

  • 'flush_old_exec()' is the point of no return when doing an execve(), and
    it is pretty badly misnamed. It doesn't just flush the old executable
    environment, it also starts up the new one.

    Which is very inconvenient for things like setting up the new
    personality, because we want the new personality to affect the starting
    of the new environment, but at the same time we do _not_ want the new
    personality to take effect if flushing the old one fails.

    As a result, the x86-64 '32-bit' personality is actually done using this
    insane "I'm going to change the ABI, but I haven't done it yet" bit
    (TIF_ABI_PENDING), with SET_PERSONALITY() not actually setting the
    personality, but just the "pending" bit, so that "flush_thread()" can do
    the actual personality magic.

    This patch in no way changes any of that insanity, but it does split the
    'flush_old_exec()' function up into a preparatory part that can fail
    (still called flush_old_exec()), and a new part that will actually set
    up the new exec environment (setup_new_exec()). All callers are changed
    to trivially comply with the new world order.

    Signed-off-by: H. Peter Anvin
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds

    Linus Torvalds
     

18 Dec, 2009

1 commit

  • Introduce coredump parameter data structure (struct coredump_params) to
    simplify binfmt->core_dump() arguments.

    Signed-off-by: Masami Hiramatsu
    Suggested-by: Ingo Molnar
    Cc: Hidehiro Kawai
    Cc: Oleg Nesterov
    Cc: Roland McGrath
    Cc: KOSAKI Motohiro
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Masami Hiramatsu
     

24 Sep, 2009

1 commit

  • There is a common macro now for testing mixed pointer/errno values, so use
    that rather than handling the casts ourself.

    Signed-off-by: Mike Frysinger
    Acked-by: David McCullough
    Acked-by: Greg Ungerer
    Cc: David Howells
    Cc: Paul Mundt
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Mike Frysinger
     

08 Aug, 2009

1 commit


29 May, 2009

1 commit

  • The flat loader uses an architecture's flat_stack_align() to align the
    stack but assumes word-alignment is enough for the data sections.

    However, on the Xtensa S6000 we have registers up to 128bit width
    which can be used from userspace and therefor need userspace stack and
    data-section alignment of at least this size.

    This patch drops flat_stack_align() and uses the same alignment that
    is required for slab caches, ARCH_SLAB_MINALIGN, or wordsize if it's
    not defined by the architecture.

    It also fixes m32r which was obviously kaput, aligning an
    uninitialized stack entry instead of the stack pointer.

    [akpm@linux-foundation.org: coding-style fixes]
    Signed-off-by: Oskar Schirmer
    Cc: David Howells
    Cc: Russell King
    Cc: Bryan Wu
    Cc: Geert Uytterhoeven
    Acked-by: Paul Mundt
    Cc: Greg Ungerer
    Signed-off-by: Johannes Weiner
    Acked-by: Mike Frysinger
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oskar Schirmer
     

08 Jan, 2009

1 commit

  • Stop the FLAT binfmt from attempting to expand the userspace stack and brk
    segments to fill the space actually allocated for it. The space allocated may
    be rounded up by mmap(), and may be wasted.

    However, finding out how much space we actually obtained uses the contentious
    kobjsize() function which we'd like to get rid of as it doesn't necessarily
    work for all slab allocators.

    Signed-off-by: David Howells
    Tested-by: Mike Frysinger
    Acked-by: Paul Mundt

    David Howells
     

14 Nov, 2008

1 commit

  • Make execve() take advantage of copy-on-write credentials, allowing it to set
    up the credentials in advance, and then commit the whole lot after the point
    of no return.

    This patch and the preceding patches have been tested with the LTP SELinux
    testsuite.

    This patch makes several logical sets of alteration:

    (1) execve().

    The credential bits from struct linux_binprm are, for the most part,
    replaced with a single credentials pointer (bprm->cred). This means that
    all the creds can be calculated in advance and then applied at the point
    of no return with no possibility of failure.

    I would like to replace bprm->cap_effective with:

    cap_isclear(bprm->cap_effective)

    but this seems impossible due to special behaviour for processes of pid 1
    (they always retain their parent's capability masks where normally they'd
    be changed - see cap_bprm_set_creds()).

    The following sequence of events now happens:

    (a) At the start of do_execve, the current task's cred_exec_mutex is
    locked to prevent PTRACE_ATTACH from obsoleting the calculation of
    creds that we make.

    (a) prepare_exec_creds() is then called to make a copy of the current
    task's credentials and prepare it. This copy is then assigned to
    bprm->cred.

    This renders security_bprm_alloc() and security_bprm_free()
    unnecessary, and so they've been removed.

    (b) The determination of unsafe execution is now performed immediately
    after (a) rather than later on in the code. The result is stored in
    bprm->unsafe for future reference.

    (c) prepare_binprm() is called, possibly multiple times.

    (i) This applies the result of set[ug]id binaries to the new creds
    attached to bprm->cred. Personality bit clearance is recorded,
    but now deferred on the basis that the exec procedure may yet
    fail.

    (ii) This then calls the new security_bprm_set_creds(). This should
    calculate the new LSM and capability credentials into *bprm->cred.

    This folds together security_bprm_set() and parts of
    security_bprm_apply_creds() (these two have been removed).
    Anything that might fail must be done at this point.

    (iii) bprm->cred_prepared is set to 1.

    bprm->cred_prepared is 0 on the first pass of the security
    calculations, and 1 on all subsequent passes. This allows SELinux
    in (ii) to base its calculations only on the initial script and
    not on the interpreter.

    (d) flush_old_exec() is called to commit the task to execution. This
    performs the following steps with regard to credentials:

    (i) Clear pdeath_signal and set dumpable on certain circumstances that
    may not be covered by commit_creds().

    (ii) Clear any bits in current->personality that were deferred from
    (c.i).

    (e) install_exec_creds() [compute_creds() as was] is called to install the
    new credentials. This performs the following steps with regard to
    credentials:

    (i) Calls security_bprm_committing_creds() to apply any security
    requirements, such as flushing unauthorised files in SELinux, that
    must be done before the credentials are changed.

    This is made up of bits of security_bprm_apply_creds() and
    security_bprm_post_apply_creds(), both of which have been removed.
    This function is not allowed to fail; anything that might fail
    must have been done in (c.ii).

    (ii) Calls commit_creds() to apply the new credentials in a single
    assignment (more or less). Possibly pdeath_signal and dumpable
    should be part of struct creds.

    (iii) Unlocks the task's cred_replace_mutex, thus allowing
    PTRACE_ATTACH to take place.

    (iv) Clears The bprm->cred pointer as the credentials it was holding
    are now immutable.

    (v) Calls security_bprm_committed_creds() to apply any security
    alterations that must be done after the creds have been changed.
    SELinux uses this to flush signals and signal handlers.

    (f) If an error occurs before (d.i), bprm_free() will call abort_creds()
    to destroy the proposed new credentials and will then unlock
    cred_replace_mutex. No changes to the credentials will have been
    made.

    (2) LSM interface.

    A number of functions have been changed, added or removed:

    (*) security_bprm_alloc(), ->bprm_alloc_security()
    (*) security_bprm_free(), ->bprm_free_security()

    Removed in favour of preparing new credentials and modifying those.

    (*) security_bprm_apply_creds(), ->bprm_apply_creds()
    (*) security_bprm_post_apply_creds(), ->bprm_post_apply_creds()

    Removed; split between security_bprm_set_creds(),
    security_bprm_committing_creds() and security_bprm_committed_creds().

    (*) security_bprm_set(), ->bprm_set_security()

    Removed; folded into security_bprm_set_creds().

    (*) security_bprm_set_creds(), ->bprm_set_creds()

    New. The new credentials in bprm->creds should be checked and set up
    as appropriate. bprm->cred_prepared is 0 on the first call, 1 on the
    second and subsequent calls.

    (*) security_bprm_committing_creds(), ->bprm_committing_creds()
    (*) security_bprm_committed_creds(), ->bprm_committed_creds()

    New. Apply the security effects of the new credentials. This
    includes closing unauthorised files in SELinux. This function may not
    fail. When the former is called, the creds haven't yet been applied
    to the process; when the latter is called, they have.

    The former may access bprm->cred, the latter may not.

    (3) SELinux.

    SELinux has a number of changes, in addition to those to support the LSM
    interface changes mentioned above:

    (a) The bprm_security_struct struct has been removed in favour of using
    the credentials-under-construction approach.

    (c) flush_unauthorized_files() now takes a cred pointer and passes it on
    to inode_has_perm(), file_has_perm() and dentry_open().

    Signed-off-by: David Howells
    Acked-by: James Morris
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    David Howells
     

17 Oct, 2008

1 commit

  • There are off-by-one errors in decompress_exec() when calculating the length of
    optional "original file name" and "comment" fields: the "ret" index is not
    incremented when terminating '\0' character is reached. The check of the buffer
    overflow (after an "extra-field" length was taken into account) is also fixed.

    I've encountered this off-by-one error when tried to reuse
    gzip-header-parsing part of the decompress_exec() function. There was an
    "original file name" field in the payload (with miscalculated length) and
    zlib_inflate() returned Z_DATA_ERROR. But after the fix similar to this
    one all worked fine.

    Signed-off-by: Volodymyr G Lukiianyk
    Acked-by: Greg Ungerer
    Acked-by: David Howells
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Volodymyr G. Lukiianyk
     

11 Aug, 2008

1 commit


27 Jul, 2008

1 commit

  • This moves all the ptrace hooks related to exec into tracehook.h inlines.

    This also lifts the calls for tracing out of the binfmt load_binary hooks
    into search_binary_handler() after it calls into the binfmt module. This
    change has no effect, since all the binfmt modules' load_binary functions
    did the call at the end on success, and now search_binary_handler() does
    it immediately after return if successful. We consolidate the repeated
    code, and binfmt modules no longer need to import ptrace_notify().

    Signed-off-by: Roland McGrath
    Cc: Oleg Nesterov
    Reviewed-by: Ingo Molnar
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Roland McGrath
     

07 Jun, 2008

1 commit

  • The nommu binfmt code uses ksize() for pointers returned from do_mmap()
    which is wrong. This converts the call-sites to use the nommu specific
    kobjsize() function which works as expected.

    Cc: Christoph Lameter
    Cc: Matt Mackall
    Acked-by: Paul Mundt
    Acked-by: David Howells
    Signed-off-by: Pekka Enberg
    Acked-by: Greg Ungerer
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Pekka Enberg
     

29 Apr, 2008

2 commits

  • The kernel implements readlink of /proc/pid/exe by getting the file from
    the first executable VMA. Then the path to the file is reconstructed and
    reported as the result.

    Because of the VMA walk the code is slightly different on nommu systems.
    This patch avoids separate /proc/pid/exe code on nommu systems. Instead of
    walking the VMAs to find the first executable file-backed VMA we store a
    reference to the exec'd file in the mm_struct.

    That reference would prevent the filesystem holding the executable file
    from being unmounted even after unmapping the VMAs. So we track the number
    of VM_EXECUTABLE VMAs and drop the new reference when the last one is
    unmapped. This avoids pinning the mounted filesystem.

    [akpm@linux-foundation.org: improve comments]
    [yamamoto@valinux.co.jp: fix dup_mmap]
    Signed-off-by: Matt Helsley
    Cc: Oleg Nesterov
    Cc: David Howells
    Cc:"Eric W. Biederman"
    Cc: Christoph Hellwig
    Cc: Al Viro
    Cc: Hugh Dickins
    Signed-off-by: YAMAMOTO Takashi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Matt Helsley
     
  • I have not yet seen anyone saying he has a reasonable use case for using
    BINFMT_FLAT modular on his embedded device.

    Considering that fs/binfmt_flat.c even lacks a MODULE_LICENSE() I really doubt
    there is any, and this patch therefore makes BINFMT_FLAT a bool.

    Signed-off-by: Adrian Bunk
    Acked-by: Bryan Wu
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Adrian Bunk
     

15 Feb, 2008

1 commit

  • The warning issued by fs/binfmt_flat.c when the format handler is given a
    non-FLAT and non-script executable is annoying to say the least when working
    with FDPIC ELF objects. If you build a kernel that supports both FLAT and
    FDPIC ELFs on no-mmu, every time you execute an FDPIC ELF, the kernel spits
    out this message. While I understand a lot of newcomers to the no-mmu world
    screw up generation of FLAT binaries, this warning is not usable for systems
    that support more than just FLAT.

    Signed-off-by: Jie Zhang
    Signed-off-by: Mike Frysinger
    Cc: Bernd Schmidt
    Acked-by: Greg Ungerer
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Mike Frysinger
     

09 Feb, 2008

1 commit


17 Oct, 2007

2 commits

  • Fix this lot:

    fs/binfmt_flat.c: In function `decompress_exec':
    fs/binfmt_flat.c:293: warning: label `out' defined but not used
    fs/binfmt_flat.c: In function `load_flat_file':
    fs/binfmt_flat.c:462: warning: unsigned int format, long int arg (arg 3)
    fs/binfmt_flat.c:462: warning: unsigned int format, long int arg (arg 4)
    fs/binfmt_flat.c:518: warning: comparison of distinct pointer types lacks a cast
    fs/binfmt_flat.c:549: warning: passing arg 1 of `ksize' makes pointer from integer without a cast
    fs/binfmt_flat.c:601: warning: passing arg 1 of `ksize' makes pointer from integer without a cast
    fs/binfmt_flat.c: In function `load_flat_binary':
    fs/binfmt_flat.c:116: warning: 'dummy' might be used uninitialized in this function

    Acked-by: Greg Ungerer
    Cc: David Howells
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrew Morton
     
  • For some time /proc/sys/kernel/core_pattern has been able to set its output
    destination as a pipe, allowing a user space helper to receive and
    intellegently process a core. This infrastructure however has some
    shortcommings which can be enhanced. Specifically:

    1) The coredump code in the kernel should ignore RLIMIT_CORE limitation
    when core_pattern is a pipe, since file system resources are not being
    consumed in this case, unless the user application wishes to save the core,
    at which point the app is restricted by usual file system limits and
    restrictions.

    2) The core_pattern code should be able to parse and pass options to the
    user space helper as an argv array. The real core limit of the uid of the
    crashing proces should also be passable to the user space helper (since it
    is overridden to zero when called).

    3) Some miscellaneous bugs need to be cleaned up (specifically the
    recognition of a recursive core dump, should the user mode helper itself
    crash. Also, the core dump code in the kernel should not wait for the user
    mode helper to exit, since the same context is responsible for writing to
    the pipe, and a read of the pipe by the user mode helper will result in a
    deadlock.

    This patch:

    Remove the check of RLIMIT_CORE if core_pattern is a pipe. In the event that
    core_pattern is a pipe, the entire core will be fed to the user mode helper.

    Signed-off-by: Neil Horman
    Cc:
    Cc:
    Cc: Jeremy Fitzhardinge
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Neil Horman
     

03 Oct, 2007

2 commits


09 Jun, 2007

1 commit


10 Feb, 2007

1 commit

  • remap() the region we get from mmap() to mark the fact that we are
    using all of the available slack space. Any slack space is used
    to form a simple brk region, and potentially more stack space than
    requested at load time.

    Any searches of the vma chain may well fail looking for
    stack (and especially arg) addresses if the remaping is not done.
    The simplest example is /proc//cmdline, since the args
    are pretty much always at the top of the data/bss/stack region.

    Signed-off-by: Greg Ungerer
    Signed-off-by: Linus Torvalds

    Greg Ungerer
     

09 Dec, 2006

1 commit

  • This patch changes struct file to use struct path instead of having
    independent pointers to struct dentry and struct vfsmount, and converts all
    users of f_{dentry,vfsmnt} in fs/ to use f_path.{dentry,mnt}.

    Additionally, it adds two #define's to make the transition easier for users of
    the f_dentry and f_vfsmnt.

    Signed-off-by: Josef "Jeff" Sipek
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Josef "Jeff" Sipek
     

01 Jul, 2006

1 commit


26 Jun, 2006

1 commit

  • binfmt_flat.c calls set_personality with PER_LINUX as the personality.
    On the arm architecture this results in the program running in 26bit
    usermode. PER_LINUX_32BIT should be used instead. This doesn't affect
    other architectures that use binfmt_flat.

    Signed-off-by: Greg Ungerer
    Signed-off-by: Linus Torvalds

    Malcolm Parsons
     

22 May, 2006

1 commit

  • Bernd Schmidt points out that binfmt_flat is now leaving the exec file open
    while the application runs. This offsets all the application's fd numbers.
    We should have closed the file within exec(), not at exit()-time.

    But there doesn't seem to be a lot of point in doing all this just to avoid
    going over RLIMIT_NOFILE by one fd for a few microseconds. So take the EMFILE
    checking out again. This will cause binfmt_flat to again fail LTP's
    exec-should-return-EMFILE-when-fdtable-is-full test. That test appears to be
    wrong anyway - Open Group specs say nothing about exec() returning EMFILE.

    Cc: Bernd Schmidt
    Cc: Greg Ungerer
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrew Morton
     

26 Mar, 2006

1 commit


11 Jan, 2006

2 commits

  • Modify the initial trace output (which is based on flags in the binary
    header) so that it is not done until after the magic number check. This
    may well not be a flat format binary, so the flags could be invalid.
    (Prime example, running a script).

    Changes prompted by patches from Stuart Hughs.

    Signed-off-by: Greg Ungerer
    Signed-off-by: Linus Torvalds

    Greg Ungerer
     
  • )

    From: Adrian Bunk

    - create one common dump_thread() prototype in kernel.h

    - dump_thread() is only used in fs/binfmt_aout.c and can therefore be
    removed on all architectures where CONFIG_BINFMT_AOUT is not
    available

    Signed-off-by: Adrian Bunk
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    akpm@osdl.org
     

30 Oct, 2005

1 commit

  • How is anon_rss initialized? In dup_mmap, and by mm_alloc's memset; but
    that's not so good if an mm_counter_t is a special type. And how is rss
    initialized? By set_mm_counter, all over the place. Come on, we just need to
    initialize them both at once by set_mm_counter in mm_init (which follows the
    memcpy when forking).

    Signed-off-by: Hugh Dickins
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Hugh Dickins
     

02 Sep, 2005

1 commit


07 Jun, 2005

1 commit

  • Make sure that binfmt_flat passes the correct flags into do_mmap(). nommu's
    validate_mmap_request() will simple return -EINVAL if we try and pass it a
    flags value of zero.

    Signed-off-by: Yoshinori Sato
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Yoshinori Sato
     

17 Apr, 2005

1 commit

  • Initial git repository build. I'm not bothering with the full history,
    even though we have it. We can create a separate "historical" git
    archive of that later if we want to, and in the meantime it's about
    3.2GB when imported into git - space that would just make the early
    git days unnecessarily complicated, when we don't have a lot of good
    infrastructure for it.

    Let it rip!

    Linus Torvalds