09 May, 2007

1 commit

  • notify_change() already calls security_inode_setattr() before
    calling iop->setattr.

    Alan sayeth

    This is a behaviour change on all of these and limits some behaviour of
    existing established security modules

    When inode_change_ok is called, it has side effects. This includes
    clearing the SGID bit on attribute changes caused by chmod. If you make
    this change, the results of some rulesets may be different before or after
    the change is made.

    I'm not saying the change is wrong, but it does change behaviour, so that
    needs looking at closely (ditto all other attribute twiddles).

    Signed-off-by: Steve Beattie
    Signed-off-by: Andreas Gruenbacher
    Signed-off-by: John Johansen
    Acked-by: Stephen Smalley
    Cc: James Morris
    Cc: Chris Wright
    Cc: Alan Cox
    Cc: Christoph Hellwig
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    John Johansen

15 Feb, 2007

2 commits

  • Since the security checks are applied on each read and write of a sysctl file,
    just like they are applied when calling sys_sysctl, they are redundant on the
    standard VFS constructs. Since it is difficult to compute the security labels
    on the standard VFS constructs, we just mark the sysctl inodes in proc private
    so SELinux won't even bother with them.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
  • With this change the sysctl inodes can be cached and nothing needs to be done
    when removing a sysctl table.

    For a cost of 2K of code we will save about 4K of static tables (when we remove
    de from ctl_table) and 70K in proc_dir_entries that we will not allocate, or
    about half that on a 32-bit arch.

    The speed feels about the same, even though we can now cache the sysctl
    dentries :(

    We get the core advantage that we don't need to have a 1 to 1 mapping between
    ctl table entries and proc files, making it possible to have /proc/sys vary
    depending on the namespace you are in. The currently merged namespaces don't
    have an issue here, but the network namespace under /proc/sys/net needs to have
    different directories depending on which network adapters are visible. By
    simply being a cache, having different directories visible depending on who you
    are is trivial to implement.

    [akpm@osdl.org: fix uninitialised var]
    [akpm@osdl.org: fix ARM build]
    [bunk@stusta.de: make things static]
    Signed-off-by: Eric W. Biederman
    Cc: Russell King
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman