Eric Lee / smarc-fsl-linux-kernel

08 Oct, 2016

1 commit

  • 81243eacf   cred: simpler, 1D supplementary groups ... Browse Code »

    Current supplementary groups code can massively overallocate memory and
    is implemented in a way so that access to individual gid is done via 2D
    array.

    If number of gids is
    Cc: Vasily Kulikov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Alexey Dobriyan
     

18 Jul, 2014

1 commit

  • ae4b884fc   nfsd: silence sparse warning about accessing credentials ... Browse Code »

    sparse says:

    fs/nfsd/auth.c:31:38: warning: incorrect type in argument 1 (different address spaces)
    fs/nfsd/auth.c:31:38: expected struct cred const *cred
    fs/nfsd/auth.c:31:38: got struct cred const [noderef] *real_cred

    Add a new accessor for the ->real_cred and use that to fetch the
    pointer. Accessing current->real_cred directly is actually quite safe
    since we know that they can't go away so this is mostly a cosmetic fixup
    to silence sparse.

    Signed-off-by: Jeff Layton
    Signed-off-by: J. Bruce Fields

    Jeff Layton
     

31 May, 2014

2 commits

04 Apr, 2014

1 commit

  • 8f6c5ffc8   kernel/groups.c: remove return value of set_groups ... Browse Code »

    After commit 6307f8fee295 ("security: remove dead hook task_setgroups"),
    set_groups will always return zero, so we could just remove return value
    of set_groups.

    This patch reduces code size, and simplfies code to use set_groups,
    because we don't need to check its return value any more.

    [akpm@linux-foundation.org: remove obsolete claims from set_groups() comment]
    Signed-off-by: Wang YanQing
    Cc: "Eric W. Biederman"
    Cc: Serge Hallyn
    Cc: Eric Paris
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Wang YanQing
     

13 Feb, 2013

2 commits

01 Jun, 2012

2 commits

  • 419f43194   Merge branch 'for-3.5' of git://linux-nfs.org/~bfields/linux ... Browse Code »

    Pull the rest of the nfsd commits from Bruce Fields:
    "... and then I cherry-picked the remainder of the patches from the
    head of my previous branch"

    This is the rest of the original nfsd branch, rebased without the
    delegation stuff that I thought really needed to be redone.

    I don't like rebasing things like this in general, but in this situation
    this was the lesser of two evils.

    * 'for-3.5' of git://linux-nfs.org/~bfields/linux: (50 commits)
    nfsd4: fix, consolidate client_has_state
    nfsd4: don't remove rebooted client record until confirmation
    nfsd4: remove some dprintk's and a comment
    nfsd4: return "real" sequence id in confirmed case
    nfsd4: fix exchange_id to return confirm flag
    nfsd4: clarify that renewing expired client is a bug
    nfsd4: simpler ordering of setclientid_confirm checks
    nfsd4: setclientid: remove pointless assignment
    nfsd4: fix error return in non-matching-creds case
    nfsd4: fix setclientid_confirm same_cred check
    nfsd4: merge 3 setclientid cases to 2
    nfsd4: pull out common code from setclientid cases
    nfsd4: merge last two setclientid cases
    nfsd4: setclientid/confirm comment cleanup
    nfsd4: setclientid remove unnecessary terms from a logical expression
    nfsd4: move rq_flavor into svc_cred
    nfsd4: stricter cred comparison for setclientid/exchange_id
    nfsd4: move principal name into svc_cred
    nfsd4: allow removing clients not holding state
    nfsd4: rearrange exchange_id logic to simplify
    ...

    Linus Torvalds
     
  • d5497fc69   nfsd4: move rq_flavor into svc_cred ... Browse Code »
    43

    Move the rq_flavor into struct svc_cred, and use it in setclientid and
    exchange_id comparisons as well.

    Signed-off-by: J. Bruce Fields

    J. Bruce Fields
     

03 May, 2012

1 commit

16 Dec, 2009

1 commit

15 Dec, 2009

2 commits

02 Sep, 2009

1 commit

  • e0e817392   CRED: Add some configurable debugging [try #6] ... Browse Code »

    Add a config option (CONFIG_DEBUG_CREDENTIALS) to turn on some debug checking
    for credential management. The additional code keeps track of the number of
    pointers from task_structs to any given cred struct, and checks to see that
    this number never exceeds the usage count of the cred struct (which includes
    all references, not just those from task_structs).

    Furthermore, if SELinux is enabled, the code also checks that the security
    pointer in the cred struct is never seen to be invalid.

    This attempts to catch the bug whereby inode_has_perm() faults in an nfsd
    kernel thread on seeing cred->security be a NULL pointer (it appears that the
    credential struct has been previously released):

    http://www.kerneloops.org/oops.php?number=252883

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     

28 Jan, 2009

2 commits

08 Jan, 2009

1 commit

  • f05ef8db1   CRED: Fix NFSD regression ... Browse Code »

    Fix a regression in NFSD's permission checking introduced by the credentials
    patches. There are two parts to the problem, both in nfsd_setuser():

    (1) The return value of set_groups() is -ve if in error, not 0, and should be
    checked appropriately. 0 indicates success.

    (2) The UID to use for fs accesses is in new->fsuid, not new->uid (which is
    0). This causes CAP_DAC_OVERRIDE to always be set, rather than being
    cleared if the UID is anything other than 0 after squashing.

    Reported-by: J. Bruce Fields
    Signed-off-by: David Howells
    Acked-by: James Morris
    Signed-off-by: J. Bruce Fields

    David Howells
     

14 Nov, 2008

3 commits

  • 3b11a1dec   CRED: Differentiate objective and effective subjective credentials on a task ... Browse Code »

    Differentiate the objective and real subjective credentials from the effective
    subjective credentials on a task by introducing a second credentials pointer
    into the task_struct.

    task_struct::real_cred then refers to the objective and apparent real
    subjective credentials of a task, as perceived by the other tasks in the
    system.

    task_struct::cred then refers to the effective subjective credentials of a
    task, as used by that task when it's actually running. These are not visible
    to the other tasks in the system.

    __task_cred(task) then refers to the objective/real credentials of the task in
    question.

    current_cred() refers to the effective subjective credentials of the current
    task.

    prepare_creds() uses the objective creds as a base and commit_creds() changes
    both pointers in the task_struct (indeed commit_creds() requires them to be the
    same).

    override_creds() and revert_creds() change the subjective creds pointer only,
    and the former returns the old subjective creds. These are used by NFSD,
    faccessat() and do_coredump(), and will by used by CacheFiles.

    In SELinux, current_has_perm() is provided as an alternative to
    task_has_perm(). This uses the effective subjective context of current,
    whereas task_has_perm() uses the objective/real context of the subject.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     
  • d84f4f992   CRED: Inaugurate COW credentials ... Browse Code »

    Inaugurate copy-on-write credentials management. This uses RCU to manage the
    credentials pointer in the task_struct with respect to accesses by other tasks.
    A process may only modify its own credentials, and so does not need locking to
    access or modify its own credentials.

    A mutex (cred_replace_mutex) is added to the task_struct to control the effect
    of PTRACE_ATTACHED on credential calculations, particularly with respect to
    execve().

    With this patch, the contents of an active credentials struct may not be
    changed directly; rather a new set of credentials must be prepared, modified
    and committed using something like the following sequence of events:

    struct cred *new = prepare_creds();
    int ret = blah(new);
    if (ret < 0) {
    abort_creds(new);
    return ret;
    }
    return commit_creds(new);

    There are some exceptions to this rule: the keyrings pointed to by the active
    credentials may be instantiated - keyrings violate the COW rule as managing
    COW keyrings is tricky, given that it is possible for a task to directly alter
    the keys in a keyring in use by another task.

    To help enforce this, various pointers to sets of credentials, such as those in
    the task_struct, are declared const. The purpose of this is compile-time
    discouragement of altering credentials through those pointers. Once a set of
    credentials has been made public through one of these pointers, it may not be
    modified, except under special circumstances:

    (1) Its reference count may incremented and decremented.

    (2) The keyrings to which it points may be modified, but not replaced.

    The only safe way to modify anything else is to create a replacement and commit
    using the functions described in Documentation/credentials.txt (which will be
    added by a later patch).

    This patch and the preceding patches have been tested with the LTP SELinux
    testsuite.

    This patch makes several logical sets of alteration:

    (1) execve().

    This now prepares and commits credentials in various places in the
    security code rather than altering the current creds directly.

    (2) Temporary credential overrides.

    do_coredump() and sys_faccessat() now prepare their own credentials and
    temporarily override the ones currently on the acting thread, whilst
    preventing interference from other threads by holding cred_replace_mutex
    on the thread being dumped.

    This will be replaced in a future patch by something that hands down the
    credentials directly to the functions being called, rather than altering
    the task's objective credentials.

    (3) LSM interface.

    A number of functions have been changed, added or removed:

    (*) security_capset_check(), ->capset_check()
    (*) security_capset_set(), ->capset_set()

    Removed in favour of security_capset().

    (*) security_capset(), ->capset()

    New. This is passed a pointer to the new creds, a pointer to the old
    creds and the proposed capability sets. It should fill in the new
    creds or return an error. All pointers, barring the pointer to the
    new creds, are now const.

    (*) security_bprm_apply_creds(), ->bprm_apply_creds()

    Changed; now returns a value, which will cause the process to be
    killed if it's an error.

    (*) security_task_alloc(), ->task_alloc_security()

    Removed in favour of security_prepare_creds().

    (*) security_cred_free(), ->cred_free()

    New. Free security data attached to cred->security.

    (*) security_prepare_creds(), ->cred_prepare()

    New. Duplicate any security data attached to cred->security.

    (*) security_commit_creds(), ->cred_commit()

    New. Apply any security effects for the upcoming installation of new
    security by commit_creds().

    (*) security_task_post_setuid(), ->task_post_setuid()

    Removed in favour of security_task_fix_setuid().

    (*) security_task_fix_setuid(), ->task_fix_setuid()

    Fix up the proposed new credentials for setuid(). This is used by
    cap_set_fix_setuid() to implicitly adjust capabilities in line with
    setuid() changes. Changes are made to the new credentials, rather
    than the task itself as in security_task_post_setuid().

    (*) security_task_reparent_to_init(), ->task_reparent_to_init()

    Removed. Instead the task being reparented to init is referred
    directly to init's credentials.

    NOTE! This results in the loss of some state: SELinux's osid no
    longer records the sid of the thread that forked it.

    (*) security_key_alloc(), ->key_alloc()
    (*) security_key_permission(), ->key_permission()

    Changed. These now take cred pointers rather than task pointers to
    refer to the security context.

    (4) sys_capset().

    This has been simplified and uses less locking. The LSM functions it
    calls have been merged.

    (5) reparent_to_kthreadd().

    This gives the current thread the same credentials as init by simply using
    commit_thread() to point that way.

    (6) __sigqueue_alloc() and switch_uid()

    __sigqueue_alloc() can't stop the target task from changing its creds
    beneath it, so this function gets a reference to the currently applicable
    user_struct which it then passes into the sigqueue struct it returns if
    successful.

    switch_uid() is now called from commit_creds(), and possibly should be
    folded into that. commit_creds() should take care of protecting
    __sigqueue_alloc().

    (7) [sg]et[ug]id() and co and [sg]et_current_groups.

    The set functions now all use prepare_creds(), commit_creds() and
    abort_creds() to build and check a new set of credentials before applying
    it.

    security_task_set[ug]id() is called inside the prepared section. This
    guarantees that nothing else will affect the creds until we've finished.

    The calling of set_dumpable() has been moved into commit_creds().

    Much of the functionality of set_user() has been moved into
    commit_creds().

    The get functions all simply access the data directly.

    (8) security_task_prctl() and cap_task_prctl().

    security_task_prctl() has been modified to return -ENOSYS if it doesn't
    want to handle a function, or otherwise return the return value directly
    rather than through an argument.

    Additionally, cap_task_prctl() now prepares a new set of credentials, even
    if it doesn't end up using it.

    (9) Keyrings.

    A number of changes have been made to the keyrings code:

    (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
    all been dropped and built in to the credentials functions directly.
    They may want separating out again later.

    (b) key_alloc() and search_process_keyrings() now take a cred pointer
    rather than a task pointer to specify the security context.

    (c) copy_creds() gives a new thread within the same thread group a new
    thread keyring if its parent had one, otherwise it discards the thread
    keyring.

    (d) The authorisation key now points directly to the credentials to extend
    the search into rather pointing to the task that carries them.

    (e) Installing thread, process or session keyrings causes a new set of
    credentials to be created, even though it's not strictly necessary for
    process or session keyrings (they're shared).

    (10) Usermode helper.

    The usermode helper code now carries a cred struct pointer in its
    subprocess_info struct instead of a new session keyring pointer. This set
    of credentials is derived from init_cred and installed on the new process
    after it has been cloned.

    call_usermodehelper_setup() allocates the new credentials and
    call_usermodehelper_freeinfo() discards them if they haven't been used. A
    special cred function (prepare_usermodeinfo_creds()) is provided
    specifically for call_usermodehelper_setup() to call.

    call_usermodehelper_setkeys() adjusts the credentials to sport the
    supplied keyring as the new session keyring.

    (11) SELinux.

    SELinux has a number of changes, in addition to those to support the LSM
    interface changes mentioned above:

    (a) selinux_setprocattr() no longer does its check for whether the
    current ptracer can access processes with the new SID inside the lock
    that covers getting the ptracer's SID. Whilst this lock ensures that
    the check is done with the ptracer pinned, the result is only valid
    until the lock is released, so there's no point doing it inside the
    lock.

    (12) is_single_threaded().

    This function has been extracted from selinux_setprocattr() and put into
    a file of its own in the lib/ directory as join_session_keyring() now
    wants to use it too.

    The code in SELinux just checked to see whether a task shared mm_structs
    with other tasks (CLONE_VM), but that isn't good enough. We really want
    to know if they're part of the same thread group (CLONE_THREAD).

    (13) nfsd.

    The NFS server daemon now has to use the COW credentials to set the
    credentials it is going to use. It really needs to pass the credentials
    down to the functions it calls, but it can't do that until other patches
    in this series have been applied.

    Signed-off-by: David Howells
    Acked-by: James Morris
    Signed-off-by: James Morris

    David Howells
     
  • b6dff3ec5   CRED: Separate task security context from task_struct ... Browse Code »

    Separate the task security context from task_struct. At this point, the
    security data is temporarily embedded in the task_struct with two pointers
    pointing to it.

    Note that the Alpha arch is altered as it refers to (E)UID and (E)GID in
    entry.S via asm-offsets.

    With comment fixes Signed-off-by: Marc Dionne

    Signed-off-by: David Howells
    Acked-by: James Morris
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    David Howells
     

24 Apr, 2008

1 commit

  • a254b246e   nfsd: fix sparse warnings ... Browse Code »

    Add extern to nfsd/nfsd.h
    fs/nfsd/nfssvc.c:146:5: warning: symbol 'nfsd_nrthreads' was not declared. Should it be static?
    fs/nfsd/nfssvc.c:261:5: warning: symbol 'nfsd_nrpools' was not declared. Should it be static?
    fs/nfsd/nfssvc.c:269:5: warning: symbol 'nfsd_get_nrthreads' was not declared. Should it be static?
    fs/nfsd/nfssvc.c:281:5: warning: symbol 'nfsd_set_nrthreads' was not declared. Should it be static?
    fs/nfsd/export.c:1534:23: warning: symbol 'nfs_exports_op' was not declared. Should it be static?

    Add include of auth.h
    fs/nfsd/auth.c:27:5: warning: symbol 'nfsd_setuser' was not declared. Should it be static?

    Make static, move forward declaration closer to where it's needed.
    fs/nfsd/nfs4state.c:1877:1: warning: symbol 'laundromat_main' was not declared. Should it be static?

    Make static, forward declaration was already marked static.
    fs/nfsd/nfs4idmap.c:206:1: warning: symbol 'idtoname_parse' was not declared. Should it be static?
    fs/nfsd/vfs.c:1156:1: warning: symbol 'nfsd_create_setattr' was not declared. Should it be static?

    Signed-off-by: Harvey Harrison
    Signed-off-by: J. Bruce Fields

    Harvey Harrison
     

06 Feb, 2008

1 commit

  • e338d263a   Add 64-bit capability support to the kernel ... Browse Code »

    The patch supports legacy (32-bit) capability userspace, and where possible
    translates 32-bit capabilities to/from userspace and the VFS to 64-bit
    kernel space capabilities. If a capability set cannot be compressed into
    32-bits for consumption by user space, the system call fails, with -ERANGE.

    FWIW libcap-2.00 supports this change (and earlier capability formats)

    http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/

    [akpm@linux-foundation.org: coding-syle fixes]
    [akpm@linux-foundation.org: use get_task_comm()]
    [ezk@cs.sunysb.edu: build fix]
    [akpm@linux-foundation.org: do not initialise statics to 0 or NULL]
    [akpm@linux-foundation.org: unused var]
    [serue@us.ibm.com: export __cap_ symbols]
    Signed-off-by: Andrew G. Morgan
    Cc: Stephen Smalley
    Acked-by: Serge Hallyn
    Cc: Chris Wright
    Cc: James Morris
    Cc: Casey Schaufler
    Signed-off-by: Erez Zadok
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrew Morgan
     

20 Jul, 2007

1 commit

  • c7d51402d   knfsd: clean up EX_RDONLY ... Browse Code »

    Share a little common code, reverse the arguments for consistency, drop the
    unnecessary "inline", and lowercase the name.

    Signed-off-by: "J. Bruce Fields"
    Acked-by: Neil Brown
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    J. Bruce Fields
     

18 Jul, 2007

1 commit

11 Apr, 2006

1 commit

  • 54cceebb6   [PATCH] knfsd: nfsd: nfsd_setuser doesn't really need to modify rqstp->rq_cred. ... Browse Code »

    In addition to setting the processes filesystem id's, nfsd_setuser also
    modifies the value of the rq_cred which stores the id's that originally came
    from the rpc call, for example to reflect root squashing.

    There's no real reason to do that--the only case where rqstp->rq_cred is
    actually used later on is in the NFSv4 SETCLIENTID/SETCLIENTID_CONFIRM
    operations, and there the results are the opposite of what we want--those two
    operations don't deal with the filesystem at all, they only record the
    credentials used with the rpc call for later reference (so that we may require
    the same credentials be used on later operations), and the credentials
    shouldn't vary just because there was or wasn't a previous operation in the
    compound that referred to some export

    This fixes a bug which caused mounts from Solaris clients to fail.

    Signed-off-by: Andy Adamson
    Signed-off-by: J. Bruce Fields
    Signed-off-by: Neil Brown
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    NeilBrown
     

17 Apr, 2005

1 commit

  • 1da177e4c   Linux-2.6.12-rc2 ... Browse Code »

    Initial git repository build. I'm not bothering with the full history,
    even though we have it. We can create a separate "historical" git
    archive of that later if we want to, and in the meantime it's about
    3.2GB when imported into git - space that would just make the early
    git days unnecessarily complicated, when we don't have a lot of good
    infrastructure for it.

    Let it rip!

    Linus Torvalds