Eric Lee / smarc-fsl-linux-kernel

15 Jan, 2012

1 commit

  • c49c41a41   Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security ... Browse Code »

    * 'for-linus' of git://selinuxproject.org/~jmorris/linux-security:
    capabilities: remove __cap_full_set definition
    security: remove the security_netlink_recv hook as it is equivalent to capable()
    ptrace: do not audit capability check when outputing /proc/pid/stat
    capabilities: remove task_ns_* functions
    capabitlies: ns_capable can use the cap helpers rather than lsm call
    capabilities: style only - move capable below ns_capable
    capabilites: introduce new has_ns_capabilities_noaudit
    capabilities: call has_ns_capability from has_capability
    capabilities: remove all _real_ interfaces
    capabilities: introduce security_capable_noaudit
    capabilities: reverse arguments to security_capable
    capabilities: remove the task from capable LSM hook entirely
    selinux: sparse fix: fix several warnings in the security server cod
    selinux: sparse fix: fix warnings in netlink code
    selinux: sparse fix: eliminate warnings for selinuxfs
    selinux: sparse fix: declare selinux_disable() in security.h
    selinux: sparse fix: move selinux_complete_init
    selinux: sparse fix: make selinux_secmark_refcount static
    SELinux: Fix RCU deref check warning in sel_netport_insert()

    Manually fix up a semantic mis-merge wrt security_netlink_recv():

    - the interface was removed in commit fd7784615248 ("security: remove
    the security_netlink_recv hook as it is equivalent to capable()")

    - a new user of it appeared in commit a38f7907b926 ("crypto: Add
    userspace configuration API")

    causing no automatic merge conflict, but Eric Paris pointed out the
    issue.

    Linus Torvalds
     

07 Jan, 2012

1 commit

06 Jan, 2012

1 commit

04 Jan, 2012

6 commits

20 Jul, 2011

1 commit

23 Apr, 2011

1 commit

  • 8c9e80ed2   SECURITY: Move exec_permission RCU checks into security modules ... Browse Code »

    Right now all RCU walks fall back to reference walk when CONFIG_SECURITY
    is enabled, even though just the standard capability module is active.
    This is because security_inode_exec_permission unconditionally fails
    RCU walks.

    Move this decision to the low level security module. This requires
    passing the RCU flags down the security hook. This way at least
    the capability module and a few easy cases in selinux/smack work
    with RCU walks with CONFIG_SECURITY=y

    Signed-off-by: Andi Kleen
    Acked-by: Eric Paris
    Signed-off-by: Linus Torvalds

    Andi Kleen
     

17 Mar, 2011

1 commit

  • 7a6362800   Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 ... Browse Code »

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1480 commits)
    bonding: enable netpoll without checking link status
    xfrm: Refcount destination entry on xfrm_lookup
    net: introduce rx_handler results and logic around that
    bonding: get rid of IFF_SLAVE_INACTIVE netdev->priv_flag
    bonding: wrap slave state work
    net: get rid of multiple bond-related netdevice->priv_flags
    bonding: register slave pointer for rx_handler
    be2net: Bump up the version number
    be2net: Copyright notice change. Update to Emulex instead of ServerEngines
    e1000e: fix kconfig for crc32 dependency
    netfilter ebtables: fix xt_AUDIT to work with ebtables
    xen network backend driver
    bonding: Improve syslog message at device creation time
    bonding: Call netif_carrier_off after register_netdevice
    bonding: Incorrect TX queue offset
    net_sched: fix ip_tos2prio
    xfrm: fix __xfrm_route_forward()
    be2net: Fix UDP packet detected status in RX compl
    Phonet: fix aligned-mode pipe socket buffer header reserve
    netxen: support for GbE port settings
    ...

    Fix up conflicts in drivers/staging/brcm80211/brcmsmac/wl_mac80211.c
    with the staging updates.

    Linus Torvalds
     

04 Mar, 2011

1 commit

  • ff36fe2c8   LSM: Pass -o remount options to the LSM ... Browse Code »

    The VFS mount code passes the mount options to the LSM. The LSM will remove
    options it understands from the data and the VFS will then pass the remaining
    options onto the underlying filesystem. This is how options like the
    SELinux context= work. The problem comes in that -o remount never calls
    into LSM code. So if you include an LSM specific option it will get passed
    to the filesystem and will cause the remount to fail. An example of where
    this is a problem is the 'seclabel' option. The SELinux LSM hook will
    print this word in /proc/mounts if the filesystem is being labeled using
    xattrs. If you pass this word on mount it will be silently stripped and
    ignored. But if you pass this word on remount the LSM never gets called
    and it will be passed to the FS. The FS doesn't know what seclabel means
    and thus should fail the mount. For example an ext3 fs mounted over loop

    # mount -o loop /tmp/fs /mnt/tmp
    # cat /proc/mounts | grep /mnt/tmp
    /dev/loop0 /mnt/tmp ext3 rw,seclabel,relatime,errors=continue,barrier=0,data=ordered 0 0
    # mount -o remount /mnt/tmp
    mount: /mnt/tmp not mounted already, or bad option
    # dmesg
    EXT3-fs (loop0): error: unrecognized mount option "seclabel" or missing value

    This patch passes the remount mount options to an new LSM hook.

    Signed-off-by: Eric Paris
    Reviewed-by: James Morris

    Eric Paris
     

23 Feb, 2011

1 commit

02 Feb, 2011

2 commits

  • 4916ca401   security: remove unused security_sysctl hook ... Browse Code »

    The only user for this hook was selinux. sysctl routes every call
    through /proc/sys/. Selinux and other security modules use the file
    system checks for sysctl too, so no need for this hook any more.

    Signed-off-by: Lucian Adrian Grijincu
    Signed-off-by: Eric Paris

    Lucian Adrian Grijincu
     
  • 2a7dba391   fs/vfs/security: pass last path component to LSM on inode creation ... Browse Code »

    SELinux would like to implement a new labeling behavior of newly created
    inodes. We currently label new inodes based on the parent and the creating
    process. This new behavior would also take into account the name of the
    new object when deciding the new label. This is not the (supposed) full path,
    just the last component of the path.

    This is very useful because creating /etc/shadow is different than creating
    /etc/passwd but the kernel hooks are unable to differentiate these
    operations. We currently require that userspace realize it is doing some
    difficult operation like that and than userspace jumps through SELinux hoops
    to get things set up correctly. This patch does not implement new
    behavior, that is obviously contained in a seperate SELinux patch, but it
    does pass the needed name down to the correct LSM hook. If no such name
    exists it is fine to pass NULL.

    Signed-off-by: Eric Paris

    Eric Paris
     

06 Jan, 2011

1 commit

  • 3610cda53   af_unix: Avoid socket->sk NULL OOPS in stream connect security hooks. ... Browse Code »

    unix_release() can asynchornously set socket->sk to NULL, and
    it does so without holding the unix_state_lock() on "other"
    during stream connects.

    However, the reverse mapping, sk->sk_socket, is only transitioned
    to NULL under the unix_state_lock().

    Therefore make the security hooks follow the reverse mapping instead
    of the forward mapping.

    Reported-by: Jeremy Fitzhardinge
    Reported-by: Linus Torvalds
    Signed-off-by: David S. Miller

    David S. Miller
     

16 Nov, 2010

1 commit

  • 12b3052c3   capabilities/syslog: open code cap_syslog logic to fix build failure ... Browse Code »

    The addition of CONFIG_SECURITY_DMESG_RESTRICT resulted in a build
    failure when CONFIG_PRINTK=n. This is because the capabilities code
    which used the new option was built even though the variable in question
    didn't exist.

    The patch here fixes this by moving the capabilities checks out of the
    LSM and into the caller. All (known) LSMs should have been calling the
    capabilities hook already so it actually makes the code organization
    better to eliminate the hook altogether.

    Signed-off-by: Eric Paris
    Acked-by: James Morris
    Signed-off-by: Linus Torvalds

    Eric Paris
     

21 Oct, 2010

1 commit

  • 2606fd1fa   secmark: make secmark object handling generic ... Browse Code »

    Right now secmark has lots of direct selinux calls. Use all LSM calls and
    remove all SELinux specific knowledge. The only SELinux specific knowledge
    we leave is the mode. The only point is to make sure that other LSMs at
    least test this generic code before they assume it works. (They may also
    have to make changes if they do not represent labels as strings)

    Signed-off-by: Eric Paris
    Acked-by: Paul Moore
    Acked-by: Patrick McHardy
    Signed-off-by: James Morris

    Eric Paris
     

11 Aug, 2010

1 commit

  • b34d8915c   Merge branch 'writable_limits' of git://decibel.fi.muni.cz/~xslaby/linux ... Browse Code »

    * 'writable_limits' of git://decibel.fi.muni.cz/~xslaby/linux:
    unistd: add __NR_prlimit64 syscall numbers
    rlimits: implement prlimit64 syscall
    rlimits: switch more rlimit syscalls to do_prlimit
    rlimits: redo do_setrlimit to more generic do_prlimit
    rlimits: add rlimit64 structure
    rlimits: do security check under task_lock
    rlimits: allow setrlimit to non-current tasks
    rlimits: split sys_setrlimit
    rlimits: selinux, do rlimits changes under task_lock
    rlimits: make sure ->rlim_max never grows in sys_setrlimit
    rlimits: add task_struct to update_rlimit_cpu
    rlimits: security, add task_struct to setrlimit

    Fix up various system call number conflicts. We not only added fanotify
    system calls in the meantime, but asm-generic/unistd.h added a wait4
    along with a range of reserved per-architecture system calls.

    Linus Torvalds
     

02 Aug, 2010

2 commits

  • dce3a3d2e   Security: capability: code style issue ... Browse Code »

    This fix a little code style issue deleting a space between a function
    name and a open parenthesis.

    Signed-off-by: Chihau Chau
    Acked-by: Andrew G. Morgan
    Signed-off-by: James Morris

    Chihau Chau
     
  • ea0d3ab23   LSM: Remove unused arguments from security_path_truncate(). ... Browse Code »

    When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
    where vfsmount is available." was proposed, regarding security_path_truncate(),
    only "struct file *" argument (which AppArmor wanted to use) was removed.
    But length and time_attrs arguments are not used by TOMOYO nor AppArmor.
    Thus, let's remove these arguments.

    Signed-off-by: Tetsuo Handa
    Acked-by: Nick Piggin
    Signed-off-by: James Morris

    Tetsuo Handa
     

16 Jul, 2010

1 commit

17 May, 2010

1 commit

12 Apr, 2010

13 commits

24 Feb, 2010

1 commit

  • 189b3b1c8   Security: add static to security_ops and default_security_ops variable ... Browse Code »

    Enhance the security framework to support resetting the active security
    module. This eliminates the need for direct use of the security_ops and
    default_security_ops variables outside of security.c, so make security_ops
    and default_security_ops static. Also remove the secondary_ops variable as
    a cleanup since there is no use for that. secondary_ops was originally used by
    SELinux to call the "secondary" security module (capability or dummy),
    but that was replaced by direct calls to capability and the only
    remaining use is to save and restore the original security ops pointer
    value if SELinux is disabled by early userspace based on /etc/selinux/config.
    Further, if we support this directly in the security framework, then we can
    just use &default_security_ops for this purpose since that is now available.

    Signed-off-by: Zhitong Wang
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    wzt.wzt@gmail.com
     

10 Nov, 2009

1 commit

  • dd8dbf2e6   security: report the module name to security_module_request ... Browse Code »

    For SELinux to do better filtering in userspace we send the name of the
    module along with the AVC denial when a program is denied module_request.

    Example output:

    type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)
    type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     

12 Oct, 2009

1 commit