16 Oct, 2009

1 commit

  • The destination keyring specified to request_key() and co. is made available to
    the process that instantiates the key (the slave process started by
    /sbin/request-key typically). This is passed in the request_key_auth struct as
    the dest_keyring member.

    keyctl_instantiate_key and keyctl_negate_key() call get_instantiation_keyring()
    to get the keyring to attach the newly constructed key to at the end of
    instantiation. This may be given a specific keyring into which a link will be
    made later, or it may be asked to find the keyring passed to request_key(). In
    the former case, it returns a keyring with the refcount incremented by
    lookup_user_key(); in the latter case, it returns the keyring from the
    request_key_auth struct - and does _not_ increment the refcount.

    The latter case will eventually result in an oops when the keyring prematurely
    runs out of references and gets destroyed. The effect may take some time to
    show up as the key is destroyed lazily.

    To fix this, the keyring returned by get_instantiation_keyring() must always
    have its refcount incremented, no matter where it comes from.

    This can be tested by setting /etc/request-key.conf to:

    #OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
    #====== ======= =============== =============== ===============================
    create * test:* * |/bin/false %u %g %d %{user:_display}
    negate * * * /bin/keyctl negate %k 10 @u

    and then doing:

    keyctl add user _display aaaaaaaa @u
    while keyctl request2 user test:x test:x @u &&
    keyctl list @u;
    do
    keyctl request2 user test:x test:x @u;
    sleep 31;
    keyctl list @u;
    done

    which will oops eventually. Changing the negate line to have @u rather than
    %S at the end is important as that forces the latter case by passing a special
    keyring ID rather than an actual keyring ID.

    Reported-by: Alexander Zangerl
    Signed-off-by: David Howells
    Tested-by: Alexander Zangerl
    Signed-off-by: Linus Torvalds

    David Howells
     

02 Oct, 2009

1 commit


24 Sep, 2009

8 commits

  • * git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
    lsm: Use a compressed IPv6 string format in audit events
    Audit: send signal info if selinux is disabled
    Audit: rearrange audit_context to save 16 bytes per struct
    Audit: reorganize struct audit_watch to save 8 bytes

    Linus Torvalds
     
  • It's unused.

    It isn't needed -- read or write flag is already passed and sysctl
    shouldn't care about the rest.

    It _was_ used in two places at arch/frv for some reason.

    Signed-off-by: Alexey Dobriyan
    Cc: David Howells
    Cc: "Eric W. Biederman"
    Cc: Al Viro
    Cc: Ralf Baechle
    Cc: Martin Schwidefsky
    Cc: Ingo Molnar
    Cc: "David S. Miller"
    Cc: James Morris
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Alexey Dobriyan
     
  • Ratan Nalumasu reported that in a process with many threads doing
    unnecessary wakeups. Every waiting thread in the process wakes up to loop
    through the children and see that the only ones it cares about are still
    not ready.

    Now that we have struct wait_opts we can change do_wait/__wake_up_parent
    to use filtered wakeups.

    We can make child_wait_callback() more clever later, right now it only
    checks eligible_child().

    Signed-off-by: Oleg Nesterov
    Acked-by: Roland McGrath
    Cc: Ingo Molnar
    Cc: Ratan Nalumasu
    Cc: Vitaly Mayatskikh
    Acked-by: James Morris
    Tested-by: Valdis Kletnieks
    Acked-by: David Howells
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     
  • Alter the ss->can_attach and ss->attach functions to be able to deal with
    a whole threadgroup at a time, for use in cgroup_attach_proc. (This is a
    pre-patch to cgroup-procs-writable.patch.)

    Currently, new mode of the attach function can only tell the subsystem
    about the old cgroup of the threadgroup leader. No subsystem currently
    needs that information for each thread that's being moved, but if one were
    to be added (for example, one that counts tasks within a group) this bit
    would need to be reworked a bit to tell the subsystem the right
    information.

    [hidave.darkstar@gmail.com: fix build]
    Signed-off-by: Ben Blum
    Signed-off-by: Paul Menage
    Acked-by: Li Zefan
    Reviewed-by: Matt Helsley
    Cc: "Eric W. Biederman"
    Cc: Oleg Nesterov
    Cc: Peter Zijlstra
    Cc: Ingo Molnar
    Cc: Dave Young
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Ben Blum
     
  • Currently the audit subsystem prints uncompressed IPv6 addresses which not
    only differs from common usage but also results in ridiculously large audit
    strings which is not a good thing. This patch fixes this by simply converting
    audit to always print compressed IPv6 addresses.

    Old message example:

    audit(1253576792.161:30): avc: denied { ingress } for
    saddr=0000:0000:0000:0000:0000:0000:0000:0001 src=5000
    daddr=0000:0000:0000:0000:0000:0000:0000:0001 dest=35502 netif=lo
    scontext=system_u:object_r:unlabeled_t:s15:c0.c1023
    tcontext=system_u:object_r:lo_netif_t:s0-s15:c0.c1023 tclass=netif

    New message example:

    audit(1253576792.161:30): avc: denied { ingress } for
    saddr=::1 src=5000 daddr=::1 dest=35502 netif=lo
    scontext=system_u:object_r:unlabeled_t:s15:c0.c1023
    tcontext=system_u:object_r:lo_netif_t:s0-s15:c0.c1023 tclass=netif

    Signed-off-by: Paul Moore
    Signed-off-by: Eric Paris
    Signed-off-by: Al Viro

    Paul Moore
     
  • …s/security-testing-2.6

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
    SELinux: do not destroy the avc_cache_nodep
    KEYS: Have the garbage collector set its timer for live expired keys
    tpm-fixup-pcrs-sysfs-file-update
    creds_are_invalid() needs to be exported for use by modules:
    include/linux/cred.h: fix build

    Fix trivial BUILD_BUG_ON-induced conflicts in drivers/char/tpm/tpm.c

    Linus Torvalds
     
  • The security_ops reset done when SELinux is disabled at run time is done
    after the avc cache is freed and after the kmem_cache for the avc is also
    freed. This means that between the time the selinux disable code destroys
    the avc_node_cachep another process could make a security request and could
    try to allocate from the cache. We are just going to leave the cachep around,
    like we always have.

    SELinux: Disabled at runtime.
    BUG: unable to handle kernel NULL pointer dereference at (null)
    IP: [] kmem_cache_alloc+0x9a/0x185
    PGD 0
    Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    last sysfs file:
    CPU 1
    Modules linked in:
    Pid: 12, comm: khelper Not tainted 2.6.31-tip-05525-g0eeacc6-dirty #14819
    System Product Name
    RIP: 0010:[] []
    kmem_cache_alloc+0x9a/0x185
    RSP: 0018:ffff88003f9258b0 EFLAGS: 00010086
    RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000078c0129e
    RDX: 0000000000000000 RSI: ffffffff8130b626 RDI: ffffffff81122528
    RBP: ffff88003f925900 R08: 0000000078c0129e R09: 0000000000000001
    R10: 0000000000000000 R11: 0000000078c0129e R12: 0000000000000246
    R13: 0000000000008020 R14: ffff88003f8586d8 R15: 0000000000000001
    FS: 0000000000000000(0000) GS:ffff880002b00000(0000)
    knlGS:0000000000000000
    CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
    CR2: 0000000000000000 CR3: 0000000001001000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: ffffffff827bd420 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process khelper (pid: 12, threadinfo ffff88003f924000, task
    ffff88003f928000)
    Stack:
    0000000000000246 0000802000000246 ffffffff8130b626 0000000000000001
    0000000078c0129e 0000000000000000 ffff88003f925a70 0000000000000002
    0000000000000001 0000000000000001 ffff88003f925960 ffffffff8130b626
    Call Trace:
    [] ? avc_alloc_node+0x36/0x273
    [] avc_alloc_node+0x36/0x273
    [] ? avc_latest_notif_update+0x7d/0x9e
    [] avc_insert+0x51/0x18d
    [] avc_has_perm_noaudit+0x9d/0x128
    [] avc_has_perm+0x45/0x88
    [] current_has_perm+0x52/0x6d
    [] selinux_task_create+0x2f/0x45
    [] security_task_create+0x29/0x3f
    [] copy_process+0x82/0xdf0
    [] ? register_lock_class+0x2f/0x36c
    [] ? mark_lock+0x2e/0x1e1
    [] do_fork+0x16e/0x382
    [] ? register_lock_class+0x2f/0x36c
    [] ? probe_workqueue_execution+0x57/0xf9
    [] ? mark_lock+0x2e/0x1e1
    [] ? probe_workqueue_execution+0x57/0xf9
    [] kernel_thread+0x82/0xe0
    [] ? ____call_usermodehelper+0x0/0x139
    [] ? child_rip+0x0/0x20
    [] ? __call_usermodehelper+0x65/0x9a
    [] run_workqueue+0x171/0x27e
    [] ? run_workqueue+0x11d/0x27e
    [] ? __call_usermodehelper+0x0/0x9a
    [] worker_thread+0xe8/0x10f
    [] ? autoremove_wake_function+0x0/0x63
    [] ? worker_thread+0x0/0x10f
    [] kthread+0x91/0x99
    [] child_rip+0xa/0x20
    [] ? restore_args+0x0/0x30
    [] ? kthread+0x0/0x99
    [] ? child_rip+0x0/0x20
    Code: 0f 85 99 00 00 00 9c 58 66 66 90 66 90 49 89 c4 fa 66 66 90 66 66 90
    e8 83 34 fb ff e8 d7 e9 26 00 48 98 49 8b 94 c6 10 01 00 00 8b 1a 44
    8b 7a 18 48 85 db 74 0f 8b 42 14 48 8b 04 c3 ff 42
    RIP [] kmem_cache_alloc+0x9a/0x185
    RSP
    CR2: 0000000000000000
    ---[ end trace 42f41a982344e606 ]---

    Reported-by: Ingo Molnar
    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • The key garbage collector sets a timer to start a new collection cycle at the
    point the earliest key to expire should be considered garbage. However, it
    currently only does this if the key it is considering hasn't yet expired.

    If the key being considering has expired, but hasn't yet reached the collection
    time then it is ignored, and won't be collected until some other key provokes a
    round of collection.

    Make the garbage collector set the timer for the earliest key that hasn't yet
    passed its collection time, rather than the earliest key that hasn't yet
    expired.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     

23 Sep, 2009

2 commits

  • Make all seq_operations structs const, to help mitigate against
    revectoring user-triggerable function pointers.

    This is derived from the grsecurity patch, although generated from scratch
    because it's simpler than extracting the changes from there.

    Signed-off-by: James Morris
    Acked-by: Serge Hallyn
    Acked-by: Casey Schaufler
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    James Morris
     
  • Move various magic-number definitions into magic.h.

    Signed-off-by: Nick Black
    Acked-by: Pekka Enberg
    Cc: Al Viro
    Cc: "David S. Miller"
    Cc: Casey Schaufler
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Nick Black
     

16 Sep, 2009

1 commit

  • * 'x86-txt-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
    x86, intel_txt: clean up the impact on generic code, unbreak non-x86
    x86, intel_txt: Handle ACPI_SLEEP without X86_TRAMPOLINE
    x86, intel_txt: Fix typos in Kconfig help
    x86, intel_txt: Factor out the code for S3 setup
    x86, intel_txt: tboot.c needs
    intel_txt: Force IOMMU on for Intel TXT launch
    x86, intel_txt: Intel TXT Sx shutdown support
    x86, intel_txt: Intel TXT reboot/halt shutdown support
    x86, intel_txt: Intel TXT boot support

    Linus Torvalds
     

15 Sep, 2009

2 commits

  • Fix a number of problems with the new key garbage collector:

    (1) A rogue semicolon in keyring_gc() was causing the initial count of dead
    keys to be miscalculated.

    (2) A missing return in keyring_gc() meant that under certain circumstances,
    the keyring semaphore would be unlocked twice.

    (3) The key serial tree iterator (key_garbage_collector()) part of the garbage
    collector has been modified to:

    (a) Complete each scan of the keyrings before setting the new timer.

    (b) Only set the new timer for keys that have yet to expire. This means
    that the new timer is now calculated correctly, and the gc doesn't
    get into a loop continually scanning for keys that have expired, and
    preventing other things from happening, like RCU cleaning up the old
    keyring contents.

    (c) Perform an extra scan if any keys were garbage collected in this one
    as a key might become garbage during a scan, and (b) could mean we
    don't set the timer again.

    (4) Made key_schedule_gc() take the time at which to do a collection run,
    rather than the time at which the key expires. This means the collection
    of dead keys (key type unregistered) can happen immediately.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     
  • When we exit early from keyctl_session_to_parent because of permissions or
    because the session keyring is the same as the parent, we need to unlock the
    tasklist.

    The missing unlock causes the system to hang completely when using
    keyctl(KEYCTL_SESSION_TO_PARENT) with a keyring shared with the parent.

    Signed-off-by: Marc Dionne
    Signed-off-by: David Howells
    Signed-off-by: James Morris

    Marc Dionne
     

14 Sep, 2009

3 commits


11 Sep, 2009

1 commit


10 Sep, 2009

2 commits

  • This patch adds a setxattr handler to the file, directory, and symlink
    inode_operations structures for sysfs. The patch uses hooks introduced in the
    previous patch to handle the getting and setting of security information for
    the sysfs inodes. As was suggested by Eric Biederman the struct iattr in the
    sysfs_dirent structure has been replaced by a structure which contains the
    iattr, secdata and secdata length to allow the changes to persist in the event
    that the inode representing the sysfs_dirent is evicted. Because sysfs only
    stores this information when a change is made all the optional data is moved
    into one dynamically allocated field.

    This patch addresses an issue where SELinux was denying virtd access to the PCI
    configuration entries in sysfs. The lack of setxattr handlers for sysfs
    required that a single label be assigned to all entries in sysfs. Granting virtd
    access to every entry in sysfs is not an acceptable solution so fine grained
    labeling of sysfs is required such that individual entries can be labeled
    appropriately.

    [sds: Fixed compile-time warnings, coding style, and setting of inode security init flags.]

    Signed-off-by: David P. Quigley
    Signed-off-by: Stephen D. Smalley
    Signed-off-by: James Morris

    David P. Quigley
     
  • This patch introduces three new hooks. The inode_getsecctx hook is used to get
    all relevant information from an LSM about an inode. The inode_setsecctx is
    used to set both the in-core and on-disk state for the inode based on a context
    derived from inode_getsecctx.The final hook inode_notifysecctx will notify the
    LSM of a change for the in-core state of the inode in question. These hooks are
    for use in the labeled NFS code and addresses concerns of how to set security
    on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's
    explanation of the reason for these hooks is pasted below.

    Quote Stephen Smalley

    inode_setsecctx: Change the security context of an inode. Updates the
    in core security context managed by the security module and invokes the
    fs code as needed (via __vfs_setxattr_noperm) to update any backing
    xattrs that represent the context. Example usage: NFS server invokes
    this hook to change the security context in its incore inode and on the
    backing file system to a value provided by the client on a SETATTR
    operation.

    inode_notifysecctx: Notify the security module of what the security
    context of an inode should be. Initializes the incore security context
    managed by the security module for this inode. Example usage: NFS
    client invokes this hook to initialize the security context in its
    incore inode to the value provided by the server for the file when the
    server returned the file's attributes to the client.

    Signed-off-by: David P. Quigley
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    David P. Quigley
     

07 Sep, 2009

1 commit

  • - As ima_counts_put() may be called after the inode has been freed,
    verify that the inode is not NULL, before dereferencing it.

    - Maintain the IMA file counters in may_open() properly, decrementing
    any counter increments on subsequent errors.

    Reported-by: Ciprian Docan
    Reported-by: J.R. Okajima
    Signed-off-by: Mimi Zohar
    Acked-by: Eric Paris

    Mimi Zohar
     

02 Sep, 2009

10 commits

  • Add a keyctl to install a process's session keyring onto its parent. This
    replaces the parent's session keyring. Because the COW credential code does
    not permit one process to change another process's credentials directly, the
    change is deferred until userspace next starts executing again. Normally this
    will be after a wait*() syscall.

    To support this, three new security hooks have been provided:
    cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
    the blank security creds and key_session_to_parent() - which asks the LSM if
    the process may replace its parent's session keyring.

    The replacement may only happen if the process has the same ownership details
    as its parent, and the process has LINK permission on the session keyring, and
    the session keyring is owned by the process, and the LSM permits it.

    Note that this requires alteration to each architecture's notify_resume path.
    This has been done for all arches barring blackfin, m68k* and xtensa, all of
    which need assembly alteration to support TIF_NOTIFY_RESUME. This allows the
    replacement to be performed at the point the parent process resumes userspace
    execution.

    This allows the userspace AFS pioctl emulation to fully emulate newpag() and
    the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
    alter the parent process's PAG membership. However, since kAFS doesn't use
    PAGs per se, but rather dumps the keys into the session keyring, the session
    keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
    the newpag flag.

    This can be tested with the following program:

    #include
    #include
    #include

    #define KEYCTL_SESSION_TO_PARENT 18

    #define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)

    int main(int argc, char **argv)
    {
    key_serial_t keyring, key;
    long ret;

    keyring = keyctl_join_session_keyring(argv[1]);
    OSERROR(keyring, "keyctl_join_session_keyring");

    key = add_key("user", "a", "b", 1, keyring);
    OSERROR(key, "add_key");

    ret = keyctl(KEYCTL_SESSION_TO_PARENT);
    OSERROR(ret, "KEYCTL_SESSION_TO_PARENT");

    return 0;
    }

    Compiled and linked with -lkeyutils, you should see something like:

    [dhowells@andromeda ~]$ keyctl show
    Session Keyring
    -3 --alswrv 4043 4043 keyring: _ses
    355907932 --alswrv 4043 -1 \_ keyring: _uid.4043
    [dhowells@andromeda ~]$ /tmp/newpag
    [dhowells@andromeda ~]$ keyctl show
    Session Keyring
    -3 --alswrv 4043 4043 keyring: _ses
    1055658746 --alswrv 4043 4043 \_ user: a
    [dhowells@andromeda ~]$ /tmp/newpag hello
    [dhowells@andromeda ~]$ keyctl show
    Session Keyring
    -3 --alswrv 4043 4043 keyring: hello
    340417692 --alswrv 4043 4043 \_ user: a

    Where the test program creates a new session keyring, sticks a user key named
    'a' into it and then installs it on its parent.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     
  • Do some whitespace cleanups in the key management code.

    Signed-off-by: David Howells
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    David Howells
     
  • Make the file position maintained by /proc/keys represent the ID of the key
    just read rather than the number of keys read. This should make it faster to
    perform a lookup as we don't have to scan the key ID tree from the beginning to
    find the current position.

    Signed-off-by: Serge E. Hallyn
    Signed-off-by: David Howells
    Signed-off-by: James Morris

    Serge E. Hallyn
     
  • Add garbage collection for dead, revoked and expired keys. This involved
    erasing all links to such keys from keyrings that point to them. At that
    point, the key will be deleted in the normal manner.

    Keyrings from which garbage collection occurs are shrunk and their quota
    consumption reduced as appropriate.

    Dead keys (for which the key type has been removed) will be garbage collected
    immediately.

    Revoked and expired keys will hang around for a number of seconds, as set in
    /proc/sys/kernel/keys/gc_delay before being automatically removed. The default
    is 5 minutes.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     
  • Set the KEY_FLAG_DEAD flag on keys for which the type has been removed. This
    causes the key_permission() function to return EKEYREVOKED in response to
    various commands. It does not, however, prevent unlinking or clearing of
    keyrings from detaching the key.

    Signed-off-by: David Howells
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    David Howells
     
  • Allow keyctl_revoke() to operate on keys that have SETATTR but not WRITE
    permission, rather than only on keys that have WRITE permission.

    Signed-off-by: David Howells
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    David Howells
     
  • Allow keys for which the key type has been removed to be unlinked. Currently
    dead-type keys can only be disposed of by completely clearing the keyrings
    that point to them.

    Signed-off-by: David Howells
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    David Howells
     
  • Add a config option (CONFIG_DEBUG_CREDENTIALS) to turn on some debug checking
    for credential management. The additional code keeps track of the number of
    pointers from task_structs to any given cred struct, and checks to see that
    this number never exceeds the usage count of the cred struct (which includes
    all references, not just those from task_structs).

    Furthermore, if SELinux is enabled, the code also checks that the security
    pointer in the cred struct is never seen to be invalid.

    This attempts to catch the bug whereby inode_has_perm() faults in an nfsd
    kernel thread on seeing cred->security be a NULL pointer (it appears that the
    credential struct has been previously released):

    http://www.kerneloops.org/oops.php?number=252883

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     
  • Conflicts:
    arch/x86/kernel/reboot.c
    security/Kconfig

    Merge reason: resolve the conflicts, bump up from rc3 to rc8.

    Signed-off-by: Ingo Molnar

    Ingo Molnar
     
  • Move tboot.h from asm to linux to fix the build errors of intel_txt
    patch on non-X86 platforms. Remove the tboot code from generic code
    init/main.c and kernel/cpu.c.

    Signed-off-by: Shane Wang
    Signed-off-by: H. Peter Anvin

    Shane Wang
     

01 Sep, 2009

2 commits

  • Add support for the new TUN LSM hooks: security_tun_dev_create(),
    security_tun_dev_post_create() and security_tun_dev_attach(). This includes
    the addition of a new object class, tun_socket, which represents the socks
    associated with TUN devices. The _tun_dev_create() and _tun_dev_post_create()
    hooks are fairly similar to the standard socket functions but _tun_dev_attach()
    is a bit special. The _tun_dev_attach() is unique because it involves a
    domain attaching to an existing TUN device and its associated tun_socket
    object, an operation which does not exist with standard sockets and most
    closely resembles a relabel operation.

    Signed-off-by: Paul Moore
    Acked-by: Eric Paris
    Signed-off-by: James Morris

    Paul Moore
     
  • The TUN driver lacks any LSM hooks which makes it difficult for LSM modules,
    such as SELinux, to enforce access controls on network traffic generated by
    TUN users; this is particularly problematic for virtualization apps such as
    QEMU and KVM. This patch adds three new LSM hooks designed to control the
    creation and attachment of TUN devices, the hooks are:

    * security_tun_dev_create()
    Provides access control for the creation of new TUN devices

    * security_tun_dev_post_create()
    Provides the ability to create the necessary socket LSM state for newly
    created TUN devices

    * security_tun_dev_attach()
    Provides access control for attaching to existing, persistent TUN devices
    and the ability to update the TUN device's socket LSM state as necessary

    Signed-off-by: Paul Moore
    Acked-by: Eric Paris
    Acked-by: Serge Hallyn
    Acked-by: David S. Miller
    Signed-off-by: James Morris

    Paul Moore
     

27 Aug, 2009

2 commits

  • …s/security-testing-2.6

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
    IMA: iint put in ima_counts_get and put

    Linus Torvalds
     
  • ima_counts_get() calls ima_iint_find_insert_get() which takes a reference
    to the iint in question, but does not put that reference at the end of the
    function. This can lead to a nasty memory leak. Easy enough to reproduce:

    #include
    #include

    int main (void)
    {
    int i;
    void *ptr;

    for (i=0; i < 100000; i++) {
    ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE,
    MAP_SHARED|MAP_ANONYMOUS, -1, 0);
    if (ptr == MAP_FAILED)
    return 2;
    munmap(ptr, 4096);
    }

    return 0;
    }

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     

24 Aug, 2009

1 commit

  • Hashing files larger than INT_MAX causes process to loop.
    Dependent on redefining kernel_read() offset type to loff_t.

    (http://bugzilla.kernel.org/show_bug.cgi?id=13909)

    Cc: stable@kernel.org
    Signed-off-by: Mimi Zohar
    Signed-off-by: James Morris

    Mimi Zohar
     

21 Aug, 2009

1 commit

  • As suggested by OGAWA Hirofumi in thread:
    http://lkml.org/lkml/2009/8/7/132, we should let selinux_inode_setattr()
    to match our ATTR_* rules. ATTR_FORCE should not force things like
    ATTR_SIZE.

    [hirofumi@mail.parknet.co.jp: tweaks]
    Signed-off-by: WANG Cong
    Signed-off-by: OGAWA Hirofumi
    Acked-by: Stephen Smalley
    Acked-by: Eric Paris
    Cc: Eugene Teo
    Cc: Al Viro
    Cc: Christoph Hellwig
    Acked-by: James Morris
    Signed-off-by: Andrew Morton
    Signed-off-by: James Morris

    Amerigo Wang
     

20 Aug, 2009

1 commit


19 Aug, 2009

1 commit