14 Sep, 2011

1 commit

  • This patch adds support for checking environment variables' names.
    Although TOMOYO already provides the ability to check argv[]/envp[] passed to
    execve() requests,

    file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar"

    will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not
    defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined,
    administrators have to specify like

    file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib"
    file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL

    . Since there are many environment variables whereas conditional checks are
    applied as "&&", it is difficult to cover all combinations. Therefore, this
    patch supports conditional checks that are applied as "||", by specifying like

    file execute /bin/sh
    misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"

    which means "grant execution of /bin/sh if the environment variable is not
    defined or is defined and its value is /system/lib".

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

10 Sep, 2011

17 commits


23 Aug, 2011

7 commits

  • unregister_key_type() has code to mark a key as dead and make it unavailable in
    one loop and then destroy all those unavailable key payloads in the next loop.
    However, the loop to mark keys dead renders the key undetectable to the second
    loop by changing the key type pointer also.

    Fix this by the following means:

    (1) The key code has two garbage collectors: one deletes unreferenced keys and
    the other alters keyrings to delete links to old dead, revoked and expired
    keys. They can end up holding each other up as both want to scan the key
    serial tree under spinlock. Combine these into a single routine.

    (2) Move the dead key marking, dead link removal and dead key removal into the
    garbage collector as a three phase process running over the three cycles
    of the normal garbage collection procedure. This is tracked by the
    KEY_GC_REAPING_DEAD_1, _2 and _3 state flags.

    unregister_key_type() then just unlinks the key type from the list, wakes
    up the garbage collector and waits for the third phase to complete.

    (3) Downgrade the key types sem in unregister_key_type() once it has deleted
    the key type from the list so that it doesn't block the keyctl() syscall.

    (4) Dead keys that cannot be simply removed in the third phase have their
    payloads destroyed with the key's semaphore write-locked to prevent
    interference by the keyctl() syscall. There should be no in-kernel users
    of dead keys of that type by the point of unregistration, though keyctl()
    may be holding a reference.

    (5) Only perform timer recalculation in the GC if the timer actually expired.
    If it didn't, we'll get another cycle when it goes off - and if the key
    that actually triggered it has been removed, it's not a problem.

    (6) Only garbage collect link if the timer expired or if we're doing dead key
    clean up phase 2.

    (7) As only key_garbage_collector() is permitted to use rb_erase() on the key
    serial tree, it doesn't need to revalidate its cursor after dropping the
    spinlock as the node the cursor points to must still exist in the tree.

    (8) Drop the spinlock in the GC if there is contention on it or if we need to
    reschedule. After dealing with that, get the spinlock again and resume
    scanning.

    This has been tested in the following ways:

    (1) Run the keyutils testsuite against it.

    (2) Using the AF_RXRPC and RxKAD modules to test keytype removal:

    Load the rxrpc_s key type:

    # insmod /tmp/af-rxrpc.ko
    # insmod /tmp/rxkad.ko

    Create a key (http://people.redhat.com/~dhowells/rxrpc/listen.c):

    # /tmp/listen &
    [1] 8173

    Find the key:

    # grep rxrpc_s /proc/keys
    091086e1 I--Q-- 1 perm 39390000 0 0 rxrpc_s 52:2

    Link it to a session keyring, preferably one with a higher serial number:

    # keyctl link 0x20e36251 @s

    Kill the process (the key should remain as it's linked to another place):

    # fg
    /tmp/listen
    ^C

    Remove the key type:

    rmmod rxkad
    rmmod af-rxrpc

    This can be made a more effective test by altering the following part of
    the patch:

    if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) {
    	/* Make sure everyone revalidates their keys if we marked a
    	 * bunch as being dead and make sure all keyring ex-payloads
    	 * are destroyed.
    	 */
    	kdebug("dead sync");
    	synchronize_rcu();

    to call synchronize_rcu() in GC phase 1 instead. That causes the
    keyring's old payload content to hang around longer until it's RCU
    destroyed - which usually happens after GC phase 3 is complete. This
    allows the destroy_dead_key branch to be tested.

    Reported-by: Benjamin Coddington
    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     
  • The dead key link reaper should be non-reentrant as it relies on global state
    to keep track of where it's got to when it returns to the work queue manager to
    give it some air.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     
  • Make the key reaper non-reentrant by sticking it on the appropriate system work
    queue when we queue it. This will allow it to have global state and drop
    locks. It should probably be non-reentrant already as it may spend a long time
    holding the key serial spinlock, and so multiple entrants can spend long
    periods of time just sitting there spinning, waiting to get the lock.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     
  • Move the unreferenced key reaper function to the keys garbage collector file
    as that's a more appropriate place with the dead key link reaper.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     
  • __key_link() should use the RCU deref wrapper rcu_dereference_locked_keyring()
    for accessing keyring payloads rather than calling rcu_dereference_protected()
    directly.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     
  • The keyctl call:

    keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1)

    should create a session keyring if the process doesn't have one of its own
    because the create flag argument is set - rather than subscribing to and
    returning the user-session keyring as:

    keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)

    will do.

    This can be tested by commenting out pam_keyinit in the /etc/pam.d files and
    running the following program a couple of times in a row:

    #include <stdio.h>
    #include <stdlib.h>
    #include <keyutils.h>

    /* Build with: gcc -o keyrings keyrings.c -lkeyutils */
    int main(int argc, char *argv[])
    {
    	key_serial_t uk, usk, sk, nsk;

    	/* Look up (without creating) the user and user-session keyrings. */
    	uk = keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);
    	usk = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
    	/* Look up the session keyring without the create flag... */
    	sk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
    	/* ...and then with the create flag set. */
    	nsk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1);
    	printf("keys: %08x %08x %08x %08x\n", uk, usk, sk, nsk);
    	return 0;
    }

    Without this patch, I see:

    keys: 3975ddc7 119c0c66 119c0c66 119c0c66
    keys: 3975ddc7 119c0c66 119c0c66 119c0c66

    With this patch, I see:

    keys: 2cb4997b 34112878 34112878 17db2ce3
    keys: 2cb4997b 34112878 34112878 39f3c73e

    As can be seen, the session keyring starts off the same as the user-session
    keyring each time, but with the patch a new session keyring is created when
    the create flag is set.

    Reported-by: Greg Wettstein
    Signed-off-by: David Howells
    Tested-by: Greg Wettstein
    Signed-off-by: James Morris

    David Howells
     
  • If install_session_keyring() is given a keyring, it should install it rather
    than just creating a new one anyway. This was accidentally broken in:

    commit d84f4f992cbd76e8f39c488cf0c5d123843923b1
    Author: David Howells
    Date: Fri Nov 14 10:39:23 2008 +1100
    Subject: CRED: Inaugurate COW credentials

    The impact of that commit is that pam_keyinit no longer works correctly if
    'force' isn't specified against a login process. This is because:

    keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)

    now always creates a new session keyring and thus the check whether the session
    keyring and the user-session keyring are the same is always false. This leads
    pam_keyinit to conclude that a session keyring is installed and it shouldn't be
    revoked by pam_keyinit here if 'revoke' is specified.

    Any system that specifies 'force' against pam_keyinit in the PAM configuration
    files for login methods (login, ssh, su -l, kdm, etc.) is not affected since
    that bypasses the broken check and forces the creation of a new session keyring
    anyway (for which the revoke flag is not cleared) - and any subsequent call to
    pam_keyinit really does have a session keyring already installed, and so the
    check works correctly there.

    Reverting to the previous behaviour will cause the kernel to subscribe the
    process to the user-session keyring as its session keyring if it doesn't have a
    session keyring of its own. pam_keyinit will detect this and install a new
    session keyring anyway (and won't clear the revert flag).

    This can be tested by commenting out pam_keyinit in the /etc/pam.d files and
    running the following program a couple of times in a row:

    #include <stdio.h>
    #include <stdlib.h>
    #include <keyutils.h>

    /* Build with: gcc -o keyrings keyrings.c -lkeyutils */
    int main(int argc, char *argv[])
    {
    	key_serial_t uk, usk, sk;

    	/* Look up (without creating) the user, user-session and session
    	 * keyrings and print their serial numbers. */
    	uk = keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);
    	usk = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
    	sk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
    	printf("keys: %08x %08x %08x\n", uk, usk, sk);
    	return 0;
    }

    Without the patch, I see:

    keys: 3884e281 24c4dfcf 22825f8e
    keys: 3884e281 24c4dfcf 068772be

    With the patch, I see:

    keys: 26be9c83 0e755ce0 0e755ce0
    keys: 26be9c83 0e755ce0 0e755ce0

    As can be seen, with the patch, the session keyring is the same as the
    user-session keyring each time; without the patch a new session keyring is
    generated each time.

    Reported-by: Greg Wettstein
    Signed-off-by: David Howells
    Tested-by: Greg Wettstein
    Signed-off-by: James Morris

    David Howells
     

18 Aug, 2011

1 commit

  • Although the EVM encrypted-key should be encrypted/decrypted using a
    trusted-key, a user-defined key could be used instead. When using a
    user-defined key, a TCG_TPM dependency should not be required.
    Unfortunately, the encrypted-key code needs to be refactored a bit in
    order to remove this dependency.

    This patch adds the TCG_TPM dependency.

    Reported-by: Stephen Rothwell,
    Randy Dunlap
    Signed-off-by: Mimi Zohar
    Signed-off-by: James Morris

    Mimi Zohar
     

17 Aug, 2011

1 commit

  • daemonize() is only needed when a user-space task does kernel_thread().

    tomoyo_gc_thread() is kthread_create()'ed and thus it doesn't need
    the soon-to-be-deprecated daemonize().

    Signed-off-by: Oleg Nesterov
    Acked-by: Tejun Heo
    Acked-by: Matt Fleming
    Signed-off-by: James Morris

    Oleg Nesterov
     

16 Aug, 2011

1 commit


12 Aug, 2011

1 commit

  • A task (when !SECURE_NOROOT) which executes a setuid-root binary will
    obtain root privileges while executing that binary. If the binary also
    has effective capabilities set, then only those capabilities will be
    granted. The rationale is that the same binary can carry both setuid-root
    and the minimal file capability set, so that on a filesystem not
    supporting file caps the binary can still be executed with privilege,
    while on a filesystem supporting file caps it will run with minimal
    privilege.

    This special case currently does NOT happen if there are file capabilities
    but no effective capabilities. Since capability-aware programs can very
    well start with empty pE but populated pP and move those caps to pE when
    needed. In other words, if the file has file capabilities but NOT
    effective capabilities, then we should do the same thing as if there
    were file capabilities, and not grant full root privileges.

    This patchset does that.

    (Changelog by Serge Hallyn).

    Signed-off-by: Zhi Li
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Zhi Li
     

11 Aug, 2011

1 commit


09 Aug, 2011

2 commits


02 Aug, 2011

1 commit


28 Jul, 2011

1 commit

  • …s/security-testing-2.6

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (54 commits)
    tpm_nsc: Fix bug when loading multiple TPM drivers
    tpm: Move tpm_tis_reenable_interrupts out of CONFIG_PNP block
    tpm: Fix compilation warning when CONFIG_PNP is not defined
    TOMOYO: Update kernel-doc.
    tpm: Fix a typo
    tpm_tis: Probing function for Intel iTPM bug
    tpm_tis: Fix the probing for interrupts
    tpm_tis: Delay ACPI S3 suspend while the TPM is busy
    tpm_tis: Re-enable interrupts upon (S3) resume
    tpm: Fix display of data in pubek sysfs entry
    tpm_tis: Add timeouts sysfs entry
    tpm: Adjust interface timeouts if they are too small
    tpm: Use interface timeouts returned from the TPM
    tpm_tis: Introduce durations sysfs entry
    tpm: Adjust the durations if they are too small
    tpm: Use durations returned from TPM
    TOMOYO: Enable conditional ACL.
    TOMOYO: Allow using argv[]/envp[] of execve() as conditions.
    TOMOYO: Allow using executable's realpath and symlink's target as conditions.
    TOMOYO: Allow using owner/group etc. of file objects as conditions.
    ...

    Fix up trivial conflict in security/tomoyo/realpath.c

    Linus Torvalds
     

27 Jul, 2011

3 commits

  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
    merge fchmod() and fchmodat() guts, kill ancient broken kludge
    xfs: fix misspelled S_IS...()
    xfs: get rid of open-coded S_ISREG(), etc.
    vfs: document locking requirements for d_move, __d_move and d_materialise_unique
    omfs: fix (mode & S_IFDIR) abuse
    btrfs: S_ISREG(mode) is not mode & S_IFREG...
    ima: fmode_t misspelled as mode_t...
    pci-label.c: size_t misspelled as mode_t
    jffs2: S_ISLNK(mode & S_IFMT) is pointless
    snd_msnd ->mode is fmode_t, not mode_t
    v9fs_iop_get_acl: get rid of unused variable
    vfs: dont chain pipe/anon/socket on superblock s_inodes list
    Documentation: Exporting: update description of d_splice_alias
    fs: add missing unlock in default_llseek()

    Linus Torvalds
     
  • This allows us to move duplicated code in
    (atomic_inc_not_zero() for now) to

    Signed-off-by: Arun Sharma
    Reviewed-by: Eric Dumazet
    Cc: Ingo Molnar
    Cc: David Miller
    Cc: Eric Dumazet
    Acked-by: Mike Frysinger
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Arun Sharma
     
  • Signed-off-by: Al Viro

    Al Viro
     

26 Jul, 2011

1 commit

  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (43 commits)
    fs: Merge split strings
    treewide: fix potentially dangerous trailing ';' in #defined values/expressions
    uwb: Fix misspelling of neighbourhood in comment
    net, netfilter: Remove redundant goto in ebt_ulog_packet
    trivial: don't touch files that are removed in the staging tree
    lib/vsprintf: replace link to Draft by final RFC number
    doc: Kconfig: `to be' -> `be'
    doc: Kconfig: Typo: square -> squared
    doc: Konfig: Documentation/power/{pm => apm-acpi}.txt
    drivers/net: static should be at beginning of declaration
    drivers/media: static should be at beginning of declaration
    drivers/i2c: static should be at beginning of declaration
    XTENSA: static should be at beginning of declaration
    SH: static should be at beginning of declaration
    MIPS: static should be at beginning of declaration
    ARM: static should be at beginning of declaration
    rcu: treewide: Do not use rcu_read_lock_held when calling rcu_dereference_check
    Update my e-mail address
    PCIe ASPM: forcedly -> forcibly
    gma500: push through device driver tree
    ...

    Fix up trivial conflicts:
    - arch/arm/mach-ep93xx/dma-m2p.c (deleted)
    - drivers/gpio/gpio-ep93xx.c (renamed and context nearby)
    - drivers/net/r8169.c (just context changes)

    Linus Torvalds
     

24 Jul, 2011

1 commit

  • For a number of file systems that don't have a mount point (e.g. sockfs
    and pipefs), they are not marked as long term. Therefore in
    mntput_no_expire, all locks in the vfs_mount lock are taken instead of
    just the local cpu's lock to aggregate reference counts when we release
    a reference to file objects. In fact, only the local lock needs to be
    taken to update ref counts as these file systems are in no danger of
    going away until we are ready to unregister them.

    The attached patch marks file systems using kern_mount without a
    mount point as long term. The contention on the vfs_mount lock
    is now eliminated. Before un-registering such a file system,
    kern_unmount should be called to remove the long term flag and
    make the mount point ready to be freed.

    Signed-off-by: Tim Chen
    Signed-off-by: Al Viro

    Tim Chen
     

23 Jul, 2011

1 commit

  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: (107 commits)
    vfs: use ERR_CAST for err-ptr tossing in lookup_instantiate_filp
    isofs: Remove global fs lock
    jffs2: fix IN_DELETE_SELF on overwriting rename() killing a directory
    fix IN_DELETE_SELF on overwriting rename() on ramfs et.al.
    mm/truncate.c: fix build for CONFIG_BLOCK not enabled
    fs:update the NOTE of the file_operations structure
    Remove dead code in dget_parent()
    AFS: Fix silly characters in a comment
    switch d_add_ci() to d_splice_alias() in "found negative" case as well
    simplify gfs2_lookup()
    jfs_lookup(): don't bother with . or ..
    get rid of useless dget_parent() in btrfs rename() and link()
    get rid of useless dget_parent() in fs/btrfs/ioctl.c
    fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers
    drivers: fix up various ->llseek() implementations
    fs: handle SEEK_HOLE/SEEK_DATA properly in all fs's that define their own llseek
    Ext4: handle SEEK_HOLE/SEEK_DATA generically
    Btrfs: implement our own ->llseek
    fs: add SEEK_HOLE and SEEK_DATA flags
    reiserfs: make reiserfs default to barrier=flush
    ...

    Fix up trivial conflicts in fs/xfs/linux-2.6/xfs_super.c due to the new
    shrinker callout for the inode cache, that clashed with the xfs code to
    start the periodic workers later.

    Linus Torvalds