Eric Lee / smarc-fsl-linux-kernel

11 Oct, 2016

1 commit

  • 97d211670   Merge branch 'work.xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs ... Browse Code »

    Pull vfs xattr updates from Al Viro:
    "xattr stuff from Andreas

    This completes the switch to xattr_handler ->get()/->set() from
    ->getxattr/->setxattr/->removexattr"

    * 'work.xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
    vfs: Remove {get,set,remove}xattr inode operations
    xattr: Stop calling {get,set,remove}xattr inode operations
    vfs: Check for the IOP_XATTR flag in listxattr
    xattr: Add __vfs_{get,set,remove}xattr helpers
    libfs: Use IOP_XATTR flag for empty directory handling
    vfs: Use IOP_XATTR flag for bad-inode handling
    vfs: Add IOP_XATTR inode operations flag
    vfs: Move xattr_resolve_name to the front of fs/xattr.c
    ecryptfs: Switch to generic xattr handlers
    sockfs: Get rid of getxattr iop
    sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names
    kernfs: Switch to generic xattr handlers
    hfs: Switch to generic xattr handlers
    jffs2: Remove jffs2_{get,set,remove}xattr macros
    xattr: Remove unnecessary NULL attribute name check

    Linus Torvalds
     

08 Oct, 2016

1 commit

  • 5d6c31910   xattr: Add __vfs_{get,set,remove}xattr helpers ... Browse Code »

    Right now, various places in the kernel check for the existence of
    getxattr, setxattr, and removexattr inode operations and directly call
    those operations. Switch to helper functions and test for the IOP_XATTR
    flag instead.

    Signed-off-by: Andreas Gruenbacher
    Acked-by: James Morris
    Signed-off-by: Al Viro

    Andreas Gruenbacher
     

19 Sep, 2016

1 commit

09 Sep, 2016

1 commit

  • c60b90667   Smack: Signal delivery as an append operation ... Browse Code »

    Under a strict subject/object security policy delivering a
    signal or delivering network IPC could be considered either
    a write or an append operation. The original choice to make
    both write operations leads to an issue where IPC delivery
    is desired under policy, but delivery of signals is not.
    This patch provides the option of making signal delivery
    an append operation, allowing Smack rules that deny signal
    delivery while allowing IPC. This was requested for Tizen.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     

24 Aug, 2016

1 commit

09 Aug, 2016

1 commit

30 Jul, 2016

2 commits

  • 7a1e8b80f   Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security ... Browse Code »

    Pull security subsystem updates from James Morris:
    "Highlights:

    - TPM core and driver updates/fixes
    - IPv6 security labeling (CALIPSO)
    - Lots of Apparmor fixes
    - Seccomp: remove 2-phase API, close hole where ptrace can change
    syscall #"

    * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (156 commits)
    apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
    tpm: Add TPM 2.0 support to the Nuvoton i2c driver (NPCT6xx family)
    tpm: Factor out common startup code
    tpm: use devm_add_action_or_reset
    tpm2_i2c_nuvoton: add irq validity check
    tpm: read burstcount from TPM_STS in one 32-bit transaction
    tpm: fix byte-order for the value read by tpm2_get_tpm_pt
    tpm_tis_core: convert max timeouts from msec to jiffies
    apparmor: fix arg_size computation for when setprocattr is null terminated
    apparmor: fix oops, validate buffer size in apparmor_setprocattr()
    apparmor: do not expose kernel stack
    apparmor: fix module parameters can be changed after policy is locked
    apparmor: fix oops in profile_unpack() when policy_db is not present
    apparmor: don't check for vmalloc_addr if kvzalloc() failed
    apparmor: add missing id bounds check on dfa verification
    apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task
    apparmor: use list_next_entry instead of list_entry_next
    apparmor: fix refcount race when finding a child profile
    apparmor: fix ref count leak when profile sha1 hash is read
    apparmor: check that xindex is in trans_table bounds
    ...

    Linus Torvalds
     
  • a867d7349   Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace ... Browse Code »

    Pull userns vfs updates from Eric Biederman:
    "This tree contains some very long awaited work on generalizing the
    user namespace support for mounting filesystems to include filesystems
    with a backing store. The real world target is fuse but the goal is
    to update the vfs to allow any filesystem to be supported. This
    patchset is based on a lot of code review and testing to approach that
    goal.

    While looking at what is needed to support the fuse filesystem it
    became clear that there were things like xattrs for security modules
    that needed special treatment. That the resolution of those concerns
    would not be fuse specific. That sorting out these general issues
    made most sense at the generic level, where the right people could be
    drawn into the conversation, and the issues could be solved for
    everyone.

    At a high level what this patchset does a couple of simple things:

    - Add a user namespace owner (s_user_ns) to struct super_block.

    - Teach the vfs to handle filesystem uids and gids not mapping into
    to kuids and kgids and being reported as INVALID_UID and
    INVALID_GID in vfs data structures.

    By assigning a user namespace owner filesystems that are mounted with
    only user namespace privilege can be detected. This allows security
    modules and the like to know which mounts may not be trusted. This
    also allows the set of uids and gids that are communicated to the
    filesystem to be capped at the set of kuids and kgids that are in the
    owning user namespace of the filesystem.

    One of the crazier corner casees this handles is the case of inodes
    whose i_uid or i_gid are not mapped into the vfs. Most of the code
    simply doesn't care but it is easy to confuse the inode writeback path
    so no operation that could cause an inode write-back is permitted for
    such inodes (aka only reads are allowed).

    This set of changes starts out by cleaning up the code paths involved
    in user namespace permirted mounts. Then when things are clean enough
    adds code that cleanly sets s_user_ns. Then additional restrictions
    are added that are possible now that the filesystem superblock
    contains owner information.

    These changes should not affect anyone in practice, but there are some
    parts of these restrictions that are changes in behavior.

    - Andy's restriction on suid executables that does not honor the
    suid bit when the path is from another mount namespace (think
    /proc/[pid]/fd/) or when the filesystem was mounted by a less
    privileged user.

    - The replacement of the user namespace implicit setting of MNT_NODEV
    with implicitly setting SB_I_NODEV on the filesystem superblock
    instead.

    Using SB_I_NODEV is a stronger form that happens to make this state
    user invisible. The user visibility can be managed but it caused
    problems when it was introduced from applications reasonably
    expecting mount flags to be what they were set to.

    There is a little bit of work remaining before it is safe to support
    mounting filesystems with backing store in user namespaces, beyond
    what is in this set of changes.

    - Verifying the mounter has permission to read/write the block device
    during mount.

    - Teaching the integrity modules IMA and EVM to handle filesystems
    mounted with only user namespace root and to reduce trust in their
    security xattrs accordingly.

    - Capturing the mounters credentials and using that for permission
    checks in d_automount and the like. (Given that overlayfs already
    does this, and we need the work in d_automount it make sense to
    generalize this case).

    Furthermore there are a few changes that are on the wishlist:

    - Get all filesystems supporting posix acls using the generic posix
    acls so that posix_acl_fix_xattr_from_user and
    posix_acl_fix_xattr_to_user may be removed. [Maintainability]

    - Reducing the permission checks in places such as remount to allow
    the superblock owner to perform them.

    - Allowing the superblock owner to chown files with unmapped uids and
    gids to something that is mapped so the files may be treated
    normally.

    I am not considering even obvious relaxations of permission checks
    until it is clear there are no more corner cases that need to be
    locked down and handled generically.

    Many thanks to Seth Forshee who kept this code alive, and putting up
    with me rewriting substantial portions of what he did to handle more
    corner cases, and for his diligent testing and reviewing of my
    changes"

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (30 commits)
    fs: Call d_automount with the filesystems creds
    fs: Update i_[ug]id_(read|write) to translate relative to s_user_ns
    evm: Translate user/group ids relative to s_user_ns when computing HMAC
    dquot: For now explicitly don't support filesystems outside of init_user_ns
    quota: Handle quota data stored in s_user_ns in quota_setxquota
    quota: Ensure qids map to the filesystem
    vfs: Don't create inodes with a uid or gid unknown to the vfs
    vfs: Don't modify inodes with a uid or gid unknown to the vfs
    cred: Reject inodes with invalid ids in set_create_file_as()
    fs: Check for invalid i_uid in may_follow_link()
    vfs: Verify acls are valid within superblock's s_user_ns.
    userns: Handle -1 in k[ug]id_has_mapping when !CONFIG_USER_NS
    fs: Refuse uid/gid changes which don't map into s_user_ns
    selinux: Add support for unprivileged mounts from user namespaces
    Smack: Handle labels consistently in untrusted mounts
    Smack: Add support for unprivileged mounts from user namespaces
    fs: Treat foreign mounts as nosuid
    fs: Limit file caps to the user namespace of the super block
    userns: Remove the now unnecessary FS_USERNS_DEV_MOUNT flag
    userns: Remove implicit MNT_NODEV fragility.
    ...

    Linus Torvalds
     

08 Jul, 2016

1 commit

07 Jul, 2016

1 commit

28 Jun, 2016

1 commit

25 Jun, 2016

1 commit

  • 809c02e09   Smack: Handle labels consistently in untrusted mounts ... Browse Code »

    The SMACK64, SMACK64EXEC, and SMACK64MMAP labels are all handled
    differently in untrusted mounts. This is confusing and
    potentically problematic. Change this to handle them all the same
    way that SMACK64 is currently handled; that is, read the label
    from disk and check it at use time. For SMACK64 and SMACK64MMAP
    access is denied if the label does not match smk_root. To be
    consistent with suid, a SMACK64EXEC label which does not match
    smk_root will still allow execution of the file but will not run
    with the label supplied in the xattr.

    Signed-off-by: Seth Forshee
    Acked-by: Casey Schaufler
    Signed-off-by: Eric W. Biederman

    Seth Forshee
     

24 Jun, 2016

1 commit

  • 9f50eda2a   Smack: Add support for unprivileged mounts from user namespaces ... Browse Code »

    Security labels from unprivileged mounts cannot be trusted.
    Ideally for these mounts we would assign the objects in the
    filesystem the same label as the inode for the backing device
    passed to mount. Unfortunately it's currently impossible to
    determine which inode this is from the LSM mount hooks, so we
    settle for the label of the process doing the mount.

    This label is assigned to s_root, and also to smk_default to
    ensure that new inodes receive this label. The transmute property
    is also set on s_root to make this behavior more explicit, even
    though it is technically not necessary.

    If a filesystem has existing security labels, access to inodes is
    permitted if the label is the same as smk_root, otherwise access
    is denied. The SMACK64EXEC xattr is completely ignored.

    Explicit setting of security labels continues to require
    CAP_MAC_ADMIN in init_user_ns.

    Altogether, this ensures that filesystem objects are not
    accessible to subjects which cannot already access the backing
    store, that MAC is not violated for any objects in the fileystem
    which are already labeled, and that a user cannot use an
    unprivileged mount to gain elevated MAC privileges.

    sysfs, tmpfs, and ramfs are already mountable from user
    namespaces and support security labels. We can't rule out the
    possibility that these filesystems may already be used in mounts
    from user namespaces with security lables set from the init
    namespace, so failing to trust lables in these filesystems may
    introduce regressions. It is safe to trust labels from these
    filesystems, since the unprivileged user does not control the
    backing store and thus cannot supply security labels, so an
    explicit exception is made to trust labels from these
    filesystems.

    Signed-off-by: Seth Forshee
    Acked-by: Casey Schaufler
    Signed-off-by: Eric W. Biederman

    Seth Forshee
     

11 Jun, 2016

1 commit

  • 8387ff257   vfs: make the string hashes salt the hash ... Browse Code »

    We always mixed in the parent pointer into the dentry name hash, but we
    did it late at lookup time. It turns out that we can simplify that
    lookup-time action by salting the hash with the parent pointer early
    instead of late.

    A few other users of our string hashes also wanted to mix in their own
    pointers into the hash, and those are updated to use the same mechanism.

    Hash users that don't have any particular initial salt can just use the
    NULL pointer as a no-salt.

    Cc: Vegard Nossum
    Cc: George Spelvin
    Cc: Al Viro
    Signed-off-by: Linus Torvalds

    Linus Torvalds
     

09 Jun, 2016

1 commit

  • 18d872f77   Smack: ignore null signal in smack_task_kill ... Browse Code »

    Kill with signal number 0 is commonly used for checking PID existence.
    Smack treated such cases like any other kills, although no signal is
    actually delivered when sig == 0.

    Checking permissions when sig == 0 didn't prevent an unprivileged caller
    from learning whether PID exists or not. When it existed, kernel returned
    EPERM, when it didn't - ESRCH. The only effect of policy check in such
    case is noise in audit logs.

    This change lets Smack silently ignore kill() invocations with sig == 0.

    Signed-off-by: Rafal Krypa
    Acked-by: Casey Schaufler

    Rafal Krypa
     

28 May, 2016

1 commit

  • 3767e255b   switch ->setxattr() to passing dentry and inode separately ... Browse Code »

    smack ->d_instantiate() uses ->setxattr(), so to be able to call it before
    we'd hashed the new dentry and attached it to inode, we need ->setxattr()
    instances getting the inode as an explicit argument rather than obtaining
    it from dentry.

    Similar change for ->getxattr() had been done in commit ce23e64. Unlike
    ->getxattr() (which is used by both selinux and smack instances of
    ->d_instantiate()) ->setxattr() is used only by smack one and unfortunately
    it got missed back then.

    Reported-by: Seung-Woo Kim
    Tested-by: Casey Schaufler
    Signed-off-by: Al Viro

    Al Viro
     

11 Apr, 2016

2 commits

17 Feb, 2016

1 commit

  • 8012495e1   smack: fix cache of access labels ... Browse Code »

    Before this commit, removing the access property of
    a file, aka, the extended attribute security.SMACK64
    was not effictive until the cache had been cleaned.

    This patch fixes that problem.

    Signed-off-by: José Bollo
    Acked-by: Casey Schaufler

    José Bollo
     

12 Feb, 2016

1 commit

  • 491a0b08d   Smack: Remove pointless hooks ... Browse Code »

    Prior to the 4.2 kernel there no no harm in providing
    a security module hook that does nothing, as the default
    hook would get called if the module did not supply one.
    With the list based infrastructure an empty hook adds
    overhead. This patch removes the three Smack hooks that
    don't actually do anything.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     

21 Jan, 2016

1 commit

  • 3dfb7d8cd   security: let security modules use PTRACE_MODE_* with bitmasks ... Browse Code »

    It looks like smack and yama weren't aware that the ptrace mode
    can have flags ORed into it - PTRACE_MODE_NOAUDIT until now, but
    only for /proc/$pid/stat, and with the PTRACE_MODE_*CREDS patch,
    all modes have flags ORed into them.

    Signed-off-by: Jann Horn
    Acked-by: Kees Cook
    Acked-by: Casey Schaufler
    Cc: Oleg Nesterov
    Cc: Ingo Molnar
    Cc: James Morris
    Cc: "Serge E. Hallyn"
    Cc: Andy Shevchenko
    Cc: Andy Lutomirski
    Cc: Al Viro
    Cc: "Eric W. Biederman"
    Cc: Willy Tarreau
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Jann Horn
     

18 Jan, 2016

1 commit

  • 5807fcaa9   Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security ... Browse Code »

    Pull security subsystem updates from James Morris:

    - EVM gains support for loading an x509 cert from the kernel
    (EVM_LOAD_X509), into the EVM trusted kernel keyring.

    - Smack implements 'file receive' process-based permission checking for
    sockets, rather than just depending on inode checks.

    - Misc enhancments for TPM & TPM2.

    - Cleanups and bugfixes for SELinux, Keys, and IMA.

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (41 commits)
    selinux: Inode label revalidation performance fix
    KEYS: refcount bug fix
    ima: ima_write_policy() limit locking
    IMA: policy can be updated zero times
    selinux: rate-limit netlink message warnings in selinux_nlmsg_perm()
    selinux: export validatetrans decisions
    gfs2: Invalid security labels of inodes when they go invalid
    selinux: Revalidate invalid inode security labels
    security: Add hook to invalidate inode security labels
    selinux: Add accessor functions for inode->i_security
    security: Make inode argument of inode_getsecid non-const
    security: Make inode argument of inode_getsecurity non-const
    selinux: Remove unused variable in selinux_inode_init_security
    keys, trusted: seal with a TPM2 authorization policy
    keys, trusted: select hash algorithm for TPM2 chips
    keys, trusted: fix: *do not* allow duplicate key options
    tpm_ibmvtpm: properly handle interrupted packet receptions
    tpm_tis: Tighten IRQ auto-probing
    tpm_tis: Refactor the interrupt setup
    tpm_tis: Get rid of the duplicate IRQ probing code
    ...

    Linus Torvalds
     

13 Jan, 2016

1 commit

  • 33caf82ac   Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs ... Browse Code »

    Pull misc vfs updates from Al Viro:
    "All kinds of stuff. That probably should've been 5 or 6 separate
    branches, but by the time I'd realized how large and mixed that bag
    had become it had been too close to -final to play with rebasing.

    Some fs/namei.c cleanups there, memdup_user_nul() introduction and
    switching open-coded instances, burying long-dead code, whack-a-mole
    of various kinds, several new helpers for ->llseek(), assorted
    cleanups and fixes from various people, etc.

    One piece probably deserves special mention - Neil's
    lookup_one_len_unlocked(). Similar to lookup_one_len(), but gets
    called without ->i_mutex and tries to avoid ever taking it. That, of
    course, means that it's not useful for any directory modifications,
    but things like getting inode attributes in nfds readdirplus are fine
    with that. I really should've asked for moratorium on lookup-related
    changes this cycle, but since I hadn't done that early enough... I
    *am* asking for that for the coming cycle, though - I'm going to try
    and get conversion of i_mutex to rwsem with ->lookup() done under lock
    taken shared.

    There will be a patch closer to the end of the window, along the lines
    of the one Linus had posted last May - mechanical conversion of
    ->i_mutex accesses to inode_lock()/inode_unlock()/inode_trylock()/
    inode_is_locked()/inode_lock_nested(). To quote Linus back then:

    -----
    | This is an automated patch using
    |
    | sed 's/mutex_lock(&\(.*\)->i_mutex)/inode_lock(\1)/'
    | sed 's/mutex_unlock(&\(.*\)->i_mutex)/inode_unlock(\1)/'
    | sed 's/mutex_lock_nested(&\(.*\)->i_mutex,[ ]*I_MUTEX_\([A-Z0-9_]*\))/inode_lock_nested(\1, I_MUTEX_\2)/'
    | sed 's/mutex_is_locked(&\(.*\)->i_mutex)/inode_is_locked(\1)/'
    | sed 's/mutex_trylock(&\(.*\)->i_mutex)/inode_trylock(\1)/'
    |
    | with a very few manual fixups
    -----

    I'm going to send that once the ->i_mutex-affecting stuff in -next
    gets mostly merged (or when Linus says he's about to stop taking
    merges)"

    * 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (63 commits)
    nfsd: don't hold i_mutex over userspace upcalls
    fs:affs:Replace time_t with time64_t
    fs/9p: use fscache mutex rather than spinlock
    proc: add a reschedule point in proc_readfd_common()
    logfs: constify logfs_block_ops structures
    fcntl: allow to set O_DIRECT flag on pipe
    fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE
    fs: xattr: Use kvfree()
    [s390] page_to_phys() always returns a multiple of PAGE_SIZE
    nbd: use ->compat_ioctl()
    fs: use block_device name vsprintf helper
    lib/vsprintf: add %*pg format specifier
    fs: use gendisk->disk_name where possible
    poll: plug an unused argument to do_poll
    amdkfd: don't open-code memdup_user()
    cdrom: don't open-code memdup_user()
    rsxx: don't open-code memdup_user()
    mtip32xx: don't open-code memdup_user()
    [um] mconsole: don't open-code memdup_user_nul()
    [um] hostaudio: don't open-code memdup_user()
    ...

    Linus Torvalds
     

04 Jan, 2016

1 commit

26 Dec, 2015

1 commit

25 Dec, 2015

2 commits

18 Dec, 2015

1 commit

  • 81bd0d562   Smack: type confusion in smak sendmsg() handler ... Browse Code »

    Smack security handler for sendmsg() syscall
    is vulnerable to type confusion issue what
    can allow to privilege escalation into root
    or cause denial of service.

    A malicious attacker can create socket of one
    type for example AF_UNIX and pass is into
    sendmsg() function ensuring that this is
    AF_INET socket.

    Remedy
    Do not trust user supplied data.
    Proposed fix below.

    Signed-off-by: Roman Kubiak
    Signed-off-by: Mateusz Fruba
    Acked-by: Casey Schaufler

    Roman Kubiak
     

14 Dec, 2015

1 commit

10 Dec, 2015

1 commit

  • 79be09350   Smack: File receive for sockets ... Browse Code »

    The existing file receive hook checks for access on
    the file inode even for UDS. This is not right, as
    the inode is not used by Smack to make access checks
    for sockets. This change checks for an appropriate
    access relationship between the receiving (current)
    process and the socket. If the process can't write
    to the socket's send label or the socket's receive
    label can't write to the process fail.

    This will allow the legitimate cases, where the
    socket sender and socket receiver can freely communicate.
    Only strangly set socket labels should cause a problem.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     

11 Nov, 2015

1 commit

  • 2df4ee78d   Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net ... Browse Code »

    Pull networking fixes from David Miller:

    1) Fix null deref in xt_TEE netfilter module, from Eric Dumazet.

    2) Several spots need to get to the original listner for SYN-ACK
    packets, most spots got this ok but some were not. Whilst covering
    the remaining cases, create a helper to do this. From Eric Dumazet.

    3) Missiing check of return value from alloc_netdev() in CAIF SPI code,
    from Rasmus Villemoes.

    4) Don't sleep while != TASK_RUNNING in macvtap, from Vlad Yasevich.

    5) Use after free in mvneta driver, from Justin Maggard.

    6) Fix race on dst->flags access in dst_release(), from Eric Dumazet.

    7) Add missing ZLIB_INFLATE dependency for new qed driver. From Arnd
    Bergmann.

    8) Fix multicast getsockopt deadlock, from WANG Cong.

    9) Fix deadlock in btusb, from Kuba Pawlak.

    10) Some ipv6_add_dev() failure paths were not cleaning up the SNMP6
    counter state. From Sabrina Dubroca.

    11) Fix packet_bind() race, which can cause lost notifications, from
    Francesco Ruggeri.

    12) Fix MAC restoration in qlcnic driver during bonding mode changes,
    from Jarod Wilson.

    13) Revert bridging forward delay change which broke libvirt and other
    userspace things, from Vlad Yasevich.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (65 commits)
    Revert "bridge: Allow forward delay to be cfgd when STP enabled"
    bpf_trace: Make dependent on PERF_EVENTS
    qed: select ZLIB_INFLATE
    net: fix a race in dst_release()
    net: mvneta: Fix memory use after free.
    net: Documentation: Fix default value tcp_limit_output_bytes
    macvtap: Resolve possible __might_sleep warning in macvtap_do_read()
    mvneta: add FIXED_PHY dependency
    net: caif: check return value of alloc_netdev
    net: hisilicon: NET_VENDOR_HISILICON should depend on HAS_DMA
    drivers: net: xgene: fix RGMII 10/100Mb mode
    netfilter: nft_meta: use skb_to_full_sk() helper
    net_sched: em_meta: use skb_to_full_sk() helper
    sched: cls_flow: use skb_to_full_sk() helper
    netfilter: xt_owner: use skb_to_full_sk() helper
    smack: use skb_to_full_sk() helper
    net: add skb_to_full_sk() helper and use it in selinux_netlbl_skbuff_setsid()
    bpf: doc: correct arch list for supported eBPF JIT
    dwc_eth_qos: Delete an unnecessary check before the function call "of_node_put"
    bonding: fix panic on non-ARPHRD_ETHER enslave failure
    ...

    Linus Torvalds
     

09 Nov, 2015

1 commit

  • 8827d90e2   smack: use skb_to_full_sk() helper ... Browse Code »

    This module wants to access sk->sk_security, which is not
    available for request sockets.

    Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet
     

06 Nov, 2015

1 commit

  • 1873499e1   Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security ... Browse Code »

    Pull security subsystem update from James Morris:
    "This is mostly maintenance updates across the subsystem, with a
    notable update for TPM 2.0, and addition of Jarkko Sakkinen as a
    maintainer of that"

    * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (40 commits)
    apparmor: clarify CRYPTO dependency
    selinux: Use a kmem_cache for allocation struct file_security_struct
    selinux: ioctl_has_perm should be static
    selinux: use sprintf return value
    selinux: use kstrdup() in security_get_bools()
    selinux: use kmemdup in security_sid_to_context_core()
    selinux: remove pointless cast in selinux_inode_setsecurity()
    selinux: introduce security_context_str_to_sid
    selinux: do not check open perm on ftruncate call
    selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
    KEYS: Merge the type-specific data with the payload data
    KEYS: Provide a script to extract a module signature
    KEYS: Provide a script to extract the sys cert list from a vmlinux file
    keys: Be more consistent in selection of union members used
    certs: add .gitignore to stop git nagging about x509_certificate_list
    KEYS: use kvfree() in add_key
    Smack: limited capability for changing process label
    TPM: remove unnecessary little endian conversion
    vTPM: support little endian guests
    char: Drop owner assignment from i2c_driver
    ...

    Linus Torvalds
     

20 Oct, 2015

1 commit

  • 38416e539   Smack: limited capability for changing process label ... Browse Code »

    This feature introduces new kernel interface:

    - /relabel-self - for setting transition labels list

    This list is used to control smack label transition mechanism.
    List is set by, and per process. Process can transit to new label only if
    label is on the list. Only process with CAP_MAC_ADMIN capability can add
    labels to this list. With this list, process can change it's label without
    CAP_MAC_ADMIN but only once. After label changing, list is unset.

    Changes in v2:
    * use list_for_each_entry instead of _rcu during label write
    * added missing description in security/Smack.txt

    Changes in v3:
    * squashed into one commit

    Changes in v4:
    * switch from global list to per-task list
    * since the per-task list is accessed only by the task itself
    there is no need to use synchronization mechanisms on it

    Changes in v5:
    * change smackfs interface of relabel-self to the one used for onlycap
    multiple labels are accepted, separated by space, which
    replace the previous list upon write

    Signed-off-by: Zbigniew Jasinski
    Signed-off-by: Rafal Krypa
    Acked-by: Casey Schaufler

    Zbigniew Jasinski
     

17 Oct, 2015

1 commit

  • 2ffbceb2b   netfilter: remove hook owner refcounting ... Browse Code »

    since commit 8405a8fff3f8 ("netfilter: nf_qeueue: Drop queue entries on
    nf_unregister_hook") all pending queued entries are discarded.

    So we can simply remove all of the owner handling -- when module is
    removed it also needs to unregister all its hooks.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

10 Oct, 2015

4 commits

19 Sep, 2015

1 commit