30 Mar, 2010

1 commit

  • …it slab.h inclusion from percpu.h

    percpu.h is included by sched.h and module.h and thus ends up being
    included when building most .c files. percpu.h includes slab.h which
    in turn includes gfp.h making everything defined by the two files
    universally available and complicating inclusion dependencies.

    percpu.h -> slab.h dependency is about to be removed. Prepare for
    this change by updating users of gfp and slab facilities to include those
    headers directly instead of assuming availability. As this conversion
    needs to touch a large number of source files, the following script is
    used as the basis of conversion.

    http://userweb.kernel.org/~tj/misc/slabh-sweep.py

    The script does the following.

    * Scan files for gfp and slab usages and update includes such that
    only the necessary includes are there. ie. if only gfp is used,
    gfp.h, if slab is used, slab.h.

    * When the script inserts a new include, it looks at the include
    blocks and tries to put the new include such that its order conforms
    to its surrounding. It's put in the include block which contains
    core kernel includes, in the same order that the rest are ordered -
    alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
    doesn't seem to be any matching order.

    * If the script can't find a place to put a new include (mostly
    because the file doesn't have a fitting include block), it prints out
    an error message indicating which .h file needs to be added to the
    file.

    The conversion was done in the following steps.

    1. The initial automatic conversion of all .c files updated slightly
    over 4000 files, deleting around 700 includes and adding ~480 gfp.h
    and ~3000 slab.h inclusions. The script emitted errors for ~400
    files.

    2. Each error was manually checked. Some didn't need the inclusion,
    some needed manual addition while adding it to implementation .h or
    embedding .c file was more appropriate for others. This step added
    inclusions to around 150 files.

    3. The script was run again and the output was compared to the edits
    from #2 to make sure no file was left behind.

    4. Several build tests were done and a couple of problems were fixed.
    e.g. lib/decompress_*.c used malloc/free() wrappers around slab
    APIs requiring slab.h to be added manually.

    5. The script was run on all .h files but without automatically
    editing them as sprinkling gfp.h and slab.h inclusions around .h
    files could easily lead to inclusion dependency hell. Most gfp.h
    inclusion directives were ignored as stuff from gfp.h was usually
    widely available and often used in preprocessor macros. Each
    slab.h inclusion directive was examined and added manually as
    necessary.

    6. percpu.h was updated not to include slab.h.

    7. Build tests were done on the following configurations and failures
    were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
    distributed build env didn't work with gcov compiles) and a few
    more options had to be turned off depending on archs to make things
    build (like ipr on powerpc/64 which failed due to missing writeq).

    * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
    * powerpc and powerpc64 SMP allmodconfig
    * sparc and sparc64 SMP allmodconfig
    * ia64 SMP allmodconfig
    * s390 SMP allmodconfig
    * alpha SMP allmodconfig
    * um on x86_64 SMP allmodconfig

    8. percpu.h modifications were reverted so that it could be applied as
    a separate patch and serve as bisection point.

    Given the fact that I had only a couple of failures from tests on step
    6, I'm fairly confident about the coverage of this conversion patch.
    If there is a breakage, it's likely to be something in one of the arch
    headers which should be easily discoverable on most builds of
    the specific arch.

    Signed-off-by: Tejun Heo <tj@kernel.org>
    Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>

    Tejun Heo
     

15 Mar, 2010

1 commit


08 Mar, 2010

1 commit


05 Mar, 2010

1 commit

  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: (52 commits)
    init: Open /dev/console from rootfs
    mqueue: fix typo "failues" -> "failures"
    mqueue: only set error codes if they are really necessary
    mqueue: simplify do_open() error handling
    mqueue: apply mathematics distributivity on mq_bytes calculation
    mqueue: remove unneeded info->messages initialization
    mqueue: fix mq_open() file descriptor leak on user-space processes
    fix race in d_splice_alias()
    set S_DEAD on unlink() and non-directory rename() victims
    vfs: add NOFOLLOW flag to umount(2)
    get rid of ->mnt_parent in tomoyo/realpath
    hppfs can use existing proc_mnt, no need for do_kern_mount() in there
    Mirror MS_KERNMOUNT in ->mnt_flags
    get rid of useless vfsmount_lock use in put_mnt_ns()
    Take vfsmount_lock to fs/internal.h
    get rid of insanity with namespace roots in tomoyo
    take check for new events in namespace (guts of mounts_poll()) to namespace.c
    Don't mess with generic_permission() under ->d_lock in hpfs
    sanitize const/signedness for udf
    nilfs: sanitize const/signedness in dealing with ->d_name.name
    ...

    Fix up fairly trivial (famous last words...) conflicts in
    drivers/infiniband/core/uverbs_main.c and security/tomoyo/realpath.c

    Linus Torvalds
     

04 Mar, 2010

3 commits


01 Mar, 2010

2 commits

  • James Morris
     
  • * 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (44 commits)
    rcu: Fix accelerated GPs for last non-dynticked CPU
    rcu: Make non-RCU_PROVE_LOCKING rcu_read_lock_sched_held() understand boot
    rcu: Fix accelerated grace periods for last non-dynticked CPU
    rcu: Export rcu_scheduler_active
    rcu: Make rcu_read_lock_sched_held() take boot time into account
    rcu: Make lockdep_rcu_dereference() message less alarmist
    sched, cgroups: Fix module export
    rcu: Add RCU_CPU_STALL_VERBOSE to dump detailed per-task information
    rcu: Fix rcutorture mod_timer argument to delay one jiffy
    rcu: Fix deadlock in TREE_PREEMPT_RCU CPU stall detection
    rcu: Convert to raw_spinlocks
    rcu: Stop overflowing signed integers
    rcu: Use canonical URL for Mathieu's dissertation
    rcu: Accelerate grace period if last non-dynticked CPU
    rcu: Fix citation of Mathieu's dissertation
    rcu: Documentation update for CONFIG_PROVE_RCU
    security: Apply lockdep-based checking to rcu_dereference() uses
    idr: Apply lockdep-based diagnostics to rcu_dereference() uses
    radix-tree: Disable RCU lockdep checking in radix tree
    vfs: Abstract rcu_dereference_check for files-fdtable use
    ...

    Linus Torvalds
     

26 Feb, 2010

2 commits


25 Feb, 2010

3 commits

  • Apply lockdep-ified RCU primitives to key_gc_keyring() and
    keyring_destroy().

    Cc: David Howells
    Signed-off-by: Paul E. McKenney
    Cc: laijs@cn.fujitsu.com
    Cc: dipankar@in.ibm.com
    Cc: mathieu.desnoyers@polymtl.ca
    Cc: josh@joshtriplett.org
    Cc: dvhltc@us.ibm.com
    Cc: niv@us.ibm.com
    Cc: peterz@infradead.org
    Cc: rostedt@goodmis.org
    Cc: Valdis.Kletnieks@vt.edu
    Cc: dhowells@redhat.com
    LKML-Reference:
    Signed-off-by: Ingo Molnar

    Paul E. McKenney
     
  • This fixes corrupted CIPSO packets when SELinux categories greater than 127
    are used. The bug occurred on the second (and later) loops through the
    while; the inner for loop through the ebitmap->maps array used the same
    index as the NetLabel catmap->bitmap array, even though the NetLabel bitmap
    is twice as long as the SELinux bitmap.

    Signed-off-by: Joshua Roys
    Acked-by: Paul Moore
    Signed-off-by: James Morris

    Joshua Roys
     
  • If radix_tree_preload fails in ima_inode_alloc, we don't need
    radix_tree_preload_end because the kernel is already preempt enabled

    Signed-off-by: Xiaotian Feng
    Signed-off-by: Mimi Zohar
    Signed-off-by: James Morris

    Xiaotian Feng
     

24 Feb, 2010

1 commit

  • Enhance the security framework to support resetting the active security
    module. This eliminates the need for direct use of the security_ops and
    default_security_ops variables outside of security.c, so make security_ops
    and default_security_ops static. Also remove the secondary_ops variable as
    a cleanup since there is no use for that. secondary_ops was originally used by
    SELinux to call the "secondary" security module (capability or dummy),
    but that was replaced by direct calls to capability and the only
    remaining use is to save and restore the original security ops pointer
    value if SELinux is disabled by early userspace based on /etc/selinux/config.
    Further, if we support this directly in the security framework, then we can
    just use &default_security_ops for this purpose since that is now available.

    Signed-off-by: Zhitong Wang
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    wzt.wzt@gmail.com
     

22 Feb, 2010

1 commit

  • This patch reverts the commit of 7d52a155e38d5a165759dbbee656455861bf7801
    which removed a part of type_attribute_bounds_av as dead code.
    However, at that time, we didn't find out the target side boundary allows
    to handle some of pseudo /proc//* entries with its process's security
    context well.

    Signed-off-by: KaiGai Kohei
    Acked-by: Stephen Smalley

    --
    security/selinux/ss/services.c | 43 ++++++++++++++++++++++++++++++++++++---
    1 files changed, 39 insertions(+), 4 deletions(-)
    Signed-off-by: James Morris

    KaiGai Kohei
     

17 Feb, 2010

1 commit


16 Feb, 2010

4 commits


15 Feb, 2010

4 commits

  • This patch adds garbage collector support to TOMOYO.
    Elements are protected by "struct srcu_struct tomoyo_ss".

    Signed-off-by: Tetsuo Handa
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Add refcounter to "struct tomoyo_domain_info" since garbage collector needs to
    determine whether this struct is referred by "struct cred"->security or not.

    Signed-off-by: Tetsuo Handa
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Gather structures and constants scattered around security/tomoyo/ directory.
    This is for preparation for adding garbage collector since garbage collector
    needs to know structures and constants which TOMOYO uses.

    Signed-off-by: Tetsuo Handa
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Add refcounter to "struct tomoyo_name_entry" and replace tomoyo_save_name()
    with tomoyo_get_name()/tomoyo_put_name() pair so that we can kfree() when
    garbage collector is added.

    Signed-off-by: Tetsuo Handa
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Tetsuo Handa
     

11 Feb, 2010

1 commit


09 Feb, 2010

1 commit

  • In sel_make_bools, kernel allocates memory for bool_pending_names[i]
    with security_get_bools. So if we just free bool_pending_names, those
    memories for bool_pending_names[i] will be leaked.

    This patch resolves dozens of the following kmemleak reports after resuming
    from suspend:
    unreferenced object 0xffff88022e4c7380 (size 32):
    comm "init", pid 1, jiffies 4294677173
    backtrace:
    [] create_object+0x1a2/0x2a9
    [] kmemleak_alloc+0x26/0x4b
    [] __kmalloc+0x18f/0x1b8
    [] security_get_bools+0xd7/0x16f
    [] sel_write_load+0x12e/0x62b
    [] vfs_write+0xae/0x10b
    [] sys_write+0x4a/0x6e
    [] system_call_fastpath+0x16/0x1b
    [] 0xffffffffffffffff

    Signed-off-by: Xiaotian Feng
    Signed-off-by: James Morris

    Xiaotian Feng
     

08 Feb, 2010

1 commit

  • Since list elements are rounded up to kmalloc() size rather than sizeof(int),
    saving one byte by using bitfields is no longer helpful.

    Signed-off-by: Tetsuo Handa
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Tetsuo Handa
     

07 Feb, 2010

5 commits

  • Hooks: Just Say No.

    Signed-off-by: Al Viro

    Al Viro
     
  • With the movement of the ima hooks, functions were renamed from *path* to
    *file* since they always deal with struct file. This patch renames some of
    the ima internal flags to make them consistent with the rest of the code.

    Signed-off-by: Mimi Zohar
    Signed-off-by: Eric Paris
    Signed-off-by: Al Viro

    Mimi Zohar
     
  • ima_path_check actually deals with files! call it ima_file_check instead.

    Signed-off-by: Eric Paris
    Acked-by: Mimi Zohar
    Signed-off-by: Al Viro

    Mimi Zohar
     
  • ima wants to create an inode information struct (iint) when inodes are
    allocated. This means that at least the part of ima which does this
    allocation (the allocation is filled with information later) should run
    before any inodes are created. To accomplish this we split the ima
    initialization routine placing the kmem cache allocator inside a
    security_initcall() function. Since this makes use of radix trees we also
    need to make sure that is initialized before security_initcall().

    Signed-off-by: Eric Paris
    Acked-by: Mimi Zohar
    Signed-off-by: Al Viro

    Eric Paris
     
  • The "Untangling ima mess, part 2 with counters" patch messed
    up the counters. Based on conversations with Al Viro, this patch
    streamlines ima_path_check() by removing the counter maintenance.
    The counters are now updated independently, from measuring the file,
    in __dentry_open() and alloc_file() by calling ima_counts_get().
    ima_path_check() is called from nfsd and do_filp_open().
    It also did not measure all files that should have been measured.
    Reason: ima_path_check() got bogus value passed as mask.
    [AV: mea culpa]
    [AV: add missing nfsd bits]

    Signed-off-by: Mimi Zohar
    Signed-off-by: Al Viro

    Mimi Zohar
     

05 Feb, 2010

2 commits


04 Feb, 2010

4 commits

  • Right now the syslog "type" actions are just raw numbers which makes
    the source difficult to follow. This patch replaces the raw numbers
    with defined constants for some level of sanity.

    Signed-off-by: Kees Cook
    Acked-by: John Johansen
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Kees Cook
     
  • This allows the LSM to distinguish between syslog functions originating
    from /proc/kmsg access and direct syscalls. By default, the commoncaps
    will now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg
    file descriptor. For example the kernel syslog reader can now drop
    privileges after opening /proc/kmsg, instead of staying privileged with
    CAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged
    behavior.

    Signed-off-by: Kees Cook
    Acked-by: Serge Hallyn
    Acked-by: John Johansen
    Signed-off-by: James Morris

    Kees Cook
     
  • Allow runtime switching between different policy types (e.g. from a MLS/MCS
    policy to a non-MLS/non-MCS policy or vice versa).

    Signed-off-by: Guido Trentalancia
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Guido Trentalancia
     
  • Always load the initial SIDs, even in the case of a policy
    reload and not just at the initial policy load. This comes
    in particularly handy after the introduction of a recent
    patch for enabling runtime switching between different
    policy types, although this patch is in theory independent
    from that feature.

    Signed-off-by: Guido Trentalancia
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Guido Trentalancia
     

03 Feb, 2010

1 commit

  • Only audit the permissions specified by the policy rules.

    Before:
    type=AVC msg=audit(01/28/2010 14:30:46.690:3250) : avc: denied { read
    append } for pid=14092 comm=foo name=test_file dev=dm-1 ino=132932
    scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023
    tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file

    After:
    type=AVC msg=audit(01/28/2010 14:52:37.448:26) : avc: denied
    { append } for pid=1917 comm=foo name=test_file dev=dm-1 ino=132932
    scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023
    tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file

    Reference:
    https://bugzilla.redhat.com/show_bug.cgi?id=558499

    Reported-by: Tom London
    Signed-off-by: Stephen D. Smalley
    Signed-off-by: James Morris

    Stephen Smalley