22 Apr, 2008
1 commit
-
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
SELinux: one little, two little, three little whitespaces, the avc.c saga.
SELinux: cleanup on isle selinuxfs.c
changing whitespace for fun and profit: policydb.c
SELinux: whitespace and formatting fixes for hooks.c
SELinux: clean up printks
SELinux: sidtab.c whitespace, syntax, and static declaration cleanups
SELinux: services.c whitespace, syntax, and static declaration cleanups
SELinux: mls.c whitespace, syntax, and static declaration cleanups
SELinux: hashtab.c whitespace, syntax, and static declaration cleanups
SELinux: ebitmap.c whitespace, syntax, and static declaration cleanups
SELinux: conditional.c whitespace, syntax, and static declaration cleanups
SELinux: avtab.c whitespace, syntax, and static declaration cleanups
SELinux: xfrm.c whitespace, syntax, and static declaration cleanups
SELinux: nlmsgtab.c whitespace, syntax, and static declaration cleanups
SELinux: netnode.c whitespace, syntax, and static declaration cleanups
SELinux: netlink.c whitespace, syntax, and static declaration cleanups
SELinux: netlabel.c whitespace, syntax, and static declaration cleanups
SELinux: netif.c whitespace, syntax, and static declaration cleanups
21 Apr, 2008
18 commits
-
avc.c was bad. It had whitespace and syntax issues which are against
our coding style. I have had a little chat with it and the result of
that conversation looked like this patch.

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Why would anyone just clean up white space all day? Because they were
out too late last night and don't want to think for a day. So here is a
nice clean selinuxfs.c patch.

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
More formatting changes. Aside from the 80 character line limit even
the checkpatch scripts like this file now. Too bad I don't get paid by
the lines of code I change.

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
All whitespace and formatting. Nothing interesting to see here. About
the only thing to remember is that we aren't supposed to initialize
static variables to 0/NULL. It is done for us and doing it ourselves
puts them in a different section.

With this patch running checkpatch.pl against hooks.c only gives us
complaints about busting the 80 character limit and declaring extern's
in .c files. Apparently they don't like it, but I don't feel like going
to the trouble of moving those to .h files...

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Make sure all printk start with KERN_*
Make sure all printk end with \n
Make sure all printk have the word 'selinux' in them
Change "function name" to "%s", __func__ (found 2 wrong)

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes sidtab.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes services.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes mls.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes hashtab.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes ebitmap.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes conditional.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes avtab.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes xfrm.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes nlmsgtab.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes netnode.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes netlink.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes netlabel.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes netif.c to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)

whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around structs and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mention

Signed-off-by: Eric Paris
Signed-off-by: James Morris
19 Apr, 2008
11 commits
-
None of these files use any of the functionality promised by
asm/semaphore.h.

Signed-off-by: Matthew Wilcox
-
…s/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
security: fix up documentation for security_module_enable
Security: Introduce security= boot parameter
Audit: Final renamings and cleanup
SELinux: use new audit hooks, remove redundant exports
Audit: internally use the new LSM audit hooks
LSM/Audit: Introduce generic Audit LSM hooks
SELinux: remove redundant exports
Netlink: Use generic LSM hook
Audit: use new LSM hooks instead of SELinux exports
SELinux: setup new inode/ipc getsecid hooks
LSM: Introduce inode_getsecid and ipc_getsecid hooks
-
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6.26: (1090 commits)
[NET]: Fix and allocate less memory for ->priv'less netdevices
[IPV6]: Fix dangling references on error in fib6_add().
[NETLABEL]: Fix NULL deref in netlbl_unlabel_staticlist_gen() if ifindex not found
[PKT_SCHED]: Fix datalen check in tcf_simp_init().
[INET]: Uninline the __inet_inherit_port call.
[INET]: Drop the inet_inherit_port() call.
SCTP: Initialize partial_bytes_acked to 0, when all of the data is acked.
[netdrvr] forcedeth: internal simplifications; changelog removal
phylib: factor out get_phy_id from within get_phy_device
PHY: add BCM5464 support to broadcom PHY driver
cxgb3: Fix __must_check warning with dev_dbg.
tc35815: Statistics cleanup
natsemi: fix MMIO for PPC 44x platforms
[TIPC]: Cleanup of TIPC reference table code
[TIPC]: Optimized initialization of TIPC reference table
[TIPC]: Remove inlining of reference table locking routines
e1000: convert uint16_t style integers to u16
ixgb: convert uint16_t style integers to u16
sb1000.c: make const arrays static
sb1000.c: stop inlining largish static functions
...
-
security_module_enable() can only be called during kernel init.
Signed-off-by: James Morris
-
Add the security= boot parameter. This is done to avoid LSM
registration clashes in case of more than one built-in module.

User can choose a security module to enable at boot. If no
security= boot parameter is specified, only the first LSM
asking for registration will be loaded. An invalid security
module name will be treated as if no module has been chosen.

LSM modules must check now if they are allowed to register
by calling security_module_enable(ops) first. Modify SELinux
and SMACK to do so.

Do not let SMACK register smackfs if it was not chosen on
boot. Smackfs assumes that smack hooks are registered and
the initial task security setup (swapper->security) is done.

Signed-off-by: Ahmed S. Darwish
Acked-by: James Morris
-
Rename the se_str and se_rule audit fields elements to
lsm_str and lsm_rule to avoid confusion.

Signed-off-by: Casey Schaufler
Signed-off-by: Ahmed S. Darwish
Acked-by: James Morris
-
Setup the new Audit LSM hooks for SELinux.
Remove the now redundant exported SELinux Audit interface.

Audit: Export 'audit_krule' and 'audit_field' to the public
since their internals are needed by the implementation of the
new LSM hook 'audit_rule_known'.

Signed-off-by: Casey Schaufler
Signed-off-by: Ahmed S. Darwish
Acked-by: James Morris
-
Introduce a generic Audit interface for security modules
by adding the following new LSM hooks:

audit_rule_init(field, op, rulestr, lsmrule)
audit_rule_known(krule)
audit_rule_match(secid, field, op, rule, actx)
audit_rule_free(rule)

Those hooks are only available if CONFIG_AUDIT is enabled.

Signed-off-by: Casey Schaufler
Signed-off-by: Ahmed S. Darwish
Acked-by: James Morris
Reviewed-by: Paul Moore
-
Remove the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)

They can be substituted with the following generic equivalents
respectively:
new LSM hook, inode_getsecid(inode, secid)
new LSM hook, ipc_getsecid*(ipcp, secid)
LSM hook, task_getsecid(tsk, secid)
LSM hook, sid_to_secctx(sid, ctx, len)

Signed-off-by: Casey Schaufler
Signed-off-by: Ahmed S. Darwish
Acked-by: James Morris
Reviewed-by: Paul Moore
-
Setup the new inode_getsecid and ipc_getsecid() LSM hooks
for SELinux.

Signed-off-by: Casey Schaufler
Signed-off-by: Ahmed S. Darwish
Acked-by: James Morris
Reviewed-by: Paul Moore
-
Introduce inode_getsecid(inode, secid) and ipc_getsecid(ipcp, secid)
LSM hooks. These hooks will be used instead of similar exported
SELinux interfaces.

Let {inode,ipc,task}_getsecid hooks set the secid to 0 by default
if CONFIG_SECURITY is not defined or if the hook is set to
NULL (dummy). This is done to notify the caller that no valid
secid exists.

Signed-off-by: Casey Schaufler
Signed-off-by: Ahmed S. Darwish
Acked-by: James Morris
Reviewed-by: Paul Moore
18 Apr, 2008
10 commits
-
Got burned by setting the proposed default of 65536
across all Debian archs.

Thus proposing to be more specific on which archs you may
set this. Also propose a value for arm and friends that
doesn't break sshd.

Reword to mention working archs ia64 and ppc64 too.

Signed-off-by: maximilian attems
Cc: Martin Michlmayr
Cc: Gordon Farquharson
Acked-by: Eric Paris
Signed-off-by: James Morris
-
Thank you, git.
Signed-off-by: James Morris
-
Much like we added a network node cache, this patch adds a network port
cache. The design is taken almost completely from the network node cache
which in turn was taken from the network interface cache. The basic idea is
to cache entries in a hash table based on protocol/port information. The
hash function only takes the port number into account since the number of
different protocols in use at any one time is expected to be relatively
small.

Signed-off-by: Paul Moore
Acked-by: Stephen Smalley
Signed-off-by: James Morris
-
Convert the strings used for mount options into #defines rather than
retyping the string throughout the SELinux code.

Signed-off-by: Eric Paris
Acked-by: Stephen Smalley
Signed-off-by: James Morris
-
Every file should include the headers containing the externs for its global
code.

Signed-off-by: Adrian Bunk
Signed-off-by: James Morris
-
Introduce the concept of a permissive type. A new ebitmap is introduced to
the policy database which indicates if a given type has the permissive bit
set or not. This bit is tested for the scontext of any denial. The bit is
meaningless on types which only appear as the target of a decision and never
the source. A domain running with a permissive type will be allowed to
perform any action similarly to when the system is globally set permissive.

Signed-off-by: Eric Paris
Acked-by: Stephen Smalley
Signed-off-by: James Morris
-
This changes checks related to ptrace to get rid of the ptrace_sid tracking.
It's good to disentangle the security model from the ptrace implementation
internals. It's sufficient to check against the SID of the ptracer at the
time a tracee attempts a transition.

Signed-off-by: Roland McGrath
Acked-by: Stephen Smalley
Signed-off-by: James Morris
-
This patch turns the case where we have a call into avc_has_perm with no
requested permissions into a BUG_ON. All callers to this should be in
the kernel and thus should be a function we need to fix if we ever hit
this. The /selinux/access permission checking is done directly in the
security server and not through the avc, so those requests which we
cannot control from userspace should not be able to trigger this BUG_ON.

Signed-off-by: Eric Paris
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris
-
ERROR: "(foo*)" should be "(foo *)"
#168: FILE: security/selinux/hooks.c:2656:
+ "%s, rc=%d\n", __func__, (char*)value, -rc);

total: 1 errors, 0 warnings, 195 lines checked

./patches/security-replace-remaining-__function__-occurences.patch has style problems, please review. If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Harvey Harrison
Cc: James Morris
Cc: Stephen Smalley
Signed-off-by: Andrew Morton
Signed-off-by: James Morris
-
__FUNCTION__ is gcc-specific, use __func__
Signed-off-by: Harvey Harrison
Cc: James Morris
Cc: Stephen Smalley
Signed-off-by: Andrew Morton
Signed-off-by: James Morris