Eric Lee / smarc-fsl-linux-kernel

27 Sep, 2016

2 commits

16 Apr, 2015

1 commit

12 Apr, 2015

1 commit

27 Aug, 2014

1 commit

  • 8fe7a268b   tomoyo: Fix pathname calculation breakage. ... Browse Code »

    Commit 7177a9c4b509 ("fs: call rename2 if exists") changed
    "struct inode_operations"->rename == NULL if
    "struct inode_operations"->rename2 != NULL .

    TOMOYO needs to check for both ->rename and ->rename2 , or
    a system on (e.g.) ext4 filesystem won't boot.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: Serge E. Hallyn

    Tetsuo Handa
     

02 Apr, 2014

1 commit

04 Jan, 2012

2 commits

  • d10577a8d   vfs: trim includes a bit ... Browse Code »

    [folded fix for missing magic.h from Tetsuo Handa]

    Signed-off-by: Al Viro

    Al Viro
     
  • c5dc332eb   tomoyo: stop including hell knows what ... Browse Code »

    tomoyo/realpath.c needs exactly one include - that of common.h. It pulls
    everything the thing needs, without doing ridiculous garbage such as trying
    to include ../../fs/internal.h. If that alone doesn't scream "layering
    violation", I don't know what does; and these days it's all for nothing,
    since it fortunately does not use any symbols defined in there...

    Signed-off-by: Al Viro

    Al Viro
     

09 Dec, 2011

1 commit

  • 1418a3e5a   TOMOYO: Fix pathname handling of disconnected paths. ... Browse Code »

    Current tomoyo_realpath_from_path() implementation returns strange pathname
    when calculating pathname of a file which belongs to lazy unmounted tree.
    Use local pathname rather than strange absolute pathname in that case.

    Also, this patch fixes a regression by commit 02125a82 "fix apparmor
    dereferencing potentially freed dentry, sanitize __d_path() API".

    Signed-off-by: Tetsuo Handa
    Acked-by: Al Viro
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds

    Tetsuo Handa
     

07 Dec, 2011

1 commit

  • 02125a826   fix apparmor dereferencing potentially freed dentry, sanitize __d_path() API ... Browse Code »
    1

    __d_path() API is asking for trouble and in case of apparmor d_namespace_path()
    getting just that. The root cause is that when __d_path() misses the root
    it had been told to look for, it stores the location of the most remote ancestor
    in *root. Without grabbing references. Sure, at the moment of call it had
    been pinned down by what we have in *path. And if we raced with umount -l, we
    could have very well stopped at vfsmount/dentry that got freed as soon as
    prepend_path() dropped vfsmount_lock.

    It is safe to compare these pointers with pre-existing (and known to be still
    alive) vfsmount and dentry, as long as all we are asking is "is it the same
    address?". Dereferencing is not safe and apparmor ended up stepping into
    that. d_namespace_path() really wants to examine the place where we stopped,
    even if it's not connected to our namespace. As the result, it looked
    at ->d_sb->s_magic of a dentry that might've been already freed by that point.
    All other callers had been careful enough to avoid that, but it's really
    a bad interface - it invites that kind of trouble.

    The fix is fairly straightforward, even though it's bigger than I'd like:
    * prepend_path() root argument becomes const.
    * __d_path() is never called with NULL/NULL root. It was a kludge
    to start with. Instead, we have an explicit function - d_absolute_root().
    Same as __d_path(), except that it doesn't get root passed and stops where
    it stops. apparmor and tomoyo are using it.
    * __d_path() returns NULL on path outside of root. The main
    caller is show_mountinfo() and that's precisely what we pass root for - to
    skip those outside chroot jail. Those who don't want that can (and do)
    use d_path().
    * __d_path() root argument becomes const. Everyone agrees, I hope.
    * apparmor does *NOT* try to use __d_path() or any of its variants
    when it sees that path->mnt is an internal vfsmount. In that case it's
    definitely not mounted anywhere and dentry_path() is exactly what we want
    there. Handling of sysctl()-triggered weirdness is moved to that place.
    * if apparmor is asked to do pathname relative to chroot jail
    and __d_path() tells it we it's not in that jail, the sucker just calls
    d_absolute_path() instead. That's the other remaining caller of __d_path(),
    BTW.
    * seq_path_root() does _NOT_ return -ENAMETOOLONG (it's stupid anyway -
    the normal seq_file logics will take care of growing the buffer and redoing
    the call of ->show() just fine). However, if it gets path not reachable
    from root, it returns SEQ_SKIP. The only caller adjusted (i.e. stopped
    ignoring the return value as it used to do).

    Reviewed-by: John Johansen
    ACKed-by: John Johansen
    Signed-off-by: Al Viro
    Cc: stable@vger.kernel.org

    Al Viro
     

14 Sep, 2011

1 commit

14 Jul, 2011

1 commit

29 Jun, 2011

1 commit

  • 5625f2e32   TOMOYO: Change pathname for non-rename()able filesystems. ... Browse Code »

    TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if $PID matches current
    thread's process ID in order to prevent current thread from accessing other
    process's information unless needed.

    But since procfs can be mounted on various locations (e.g. /proc/ /proc2/ /p/
    /tmp/foo/100/p/ ), TOMOYO cannot tell that whether the numeric part in the
    string returned by __d_path() represents process ID or not.

    Therefore, to be able to convert from $PID to self no matter where procfs is
    mounted, this patch changes pathname representations for filesystems which do
    not support rename() operation (e.g. proc, sysfs, securityfs).

    Examples:
    /proc/self/mounts => proc:/self/mounts
    /sys/kernel/security/ => sys:/kernel/security/
    /dev/pts/0 => devpts:/0

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

07 Jan, 2011

1 commit

26 Oct, 2010

1 commit

02 Aug, 2010

4 commits

  • 0617c7ff3   TOMOYO: Remove alias keyword. ... Browse Code »

    Some programs behave differently depending on argv[0] passed to execve().
    TOMOYO has "alias" keyword in order to allow administrators to define different
    domains if requested pathname passed to execve() is a symlink. But "alias"
    keyword is incomplete because this keyword assumes that requested pathname and
    argv[0] are identical. Thus, remove "alias" keyword (by this patch) and add
    syntax for checking argv[0] (by future patches).

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • c8c57e842   TOMOYO: Support longer pathname. ... Browse Code »

    Allow pathnames longer than 4000 bytes.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • c3ef1500e   TOMOYO: Split files into some pieces. ... Browse Code »

    security/tomoyo/common.c became too large to read.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • 17fcfbd9d   TOMOYO: Add interactive enforcing mode. ... Browse Code »

    Since the behavior of the system is restricted by policy, we may need to update
    policy when you update packages.

    We need to update policy in the following cases.

    * The pathname of files has changed.
    * The dependency of files has changed.
    * The access permissions required has increased.

    The ideal way to update policy is to rebuild from the scratch using learning
    mode. But it is not desirable to change from enforcing mode to other mode if
    the system has once entered in production state. Suppose MAC could support
    per-application enforcing mode, the MAC becomes useless if an application that
    is not running in enforcing mode was cracked. For example, the whole system
    becomes vulnerable if only HTTP server application is running in learning mode
    to rebuild policy for the application. So, in TOMOYO Linux, updating policy is
    done while the system is running in enforcing mode.

    This patch implements "interactive enforcing mode" which allows administrators
    to judge whether to accept policy violation in enforcing mode or not.
    A demo movie is available at http://www.youtube.com/watch?v=b9q1Jo25LPA .

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

10 May, 2010

1 commit

06 May, 2010

2 commits

05 May, 2010

1 commit

30 Mar, 2010

1 commit

  • 5a0e3ad6a   include cleanup: Update gfp.h and slab.h includes to prepare for breaking implic… ... Browse Code »

    …it slab.h inclusion from percpu.h

    percpu.h is included by sched.h and module.h and thus ends up being
    included when building most .c files. percpu.h includes slab.h which
    in turn includes gfp.h making everything defined by the two files
    universally available and complicating inclusion dependencies.

    percpu.h -> slab.h dependency is about to be removed. Prepare for
    this change by updating users of gfp and slab facilities include those
    headers directly instead of assuming availability. As this conversion
    needs to touch large number of source files, the following script is
    used as the basis of conversion.

    http://userweb.kernel.org/~tj/misc/slabh-sweep.py

    The script does the followings.

    * Scan files for gfp and slab usages and update includes such that
    only the necessary includes are there. ie. if only gfp is used,
    gfp.h, if slab is used, slab.h.

    * When the script inserts a new include, it looks at the include
    blocks and try to put the new include such that its order conforms
    to its surrounding. It's put in the include block which contains
    core kernel includes, in the same order that the rest are ordered -
    alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
    doesn't seem to be any matching order.

    * If the script can't find a place to put a new include (mostly
    because the file doesn't have fitting include block), it prints out
    an error message indicating which .h file needs to be added to the
    file.

    The conversion was done in the following steps.

    1. The initial automatic conversion of all .c files updated slightly
    over 4000 files, deleting around 700 includes and adding ~480 gfp.h
    and ~3000 slab.h inclusions. The script emitted errors for ~400
    files.

    2. Each error was manually checked. Some didn't need the inclusion,
    some needed manual addition while adding it to implementation .h or
    embedding .c file was more appropriate for others. This step added
    inclusions to around 150 files.

    3. The script was run again and the output was compared to the edits
    from #2 to make sure no file was left behind.

    4. Several build tests were done and a couple of problems were fixed.
    e.g. lib/decompress_*.c used malloc/free() wrappers around slab
    APIs requiring slab.h to be added manually.

    5. The script was run on all .h files but without automatically
    editing them as sprinkling gfp.h and slab.h inclusions around .h
    files could easily lead to inclusion dependency hell. Most gfp.h
    inclusion directives were ignored as stuff from gfp.h was usually
    wildly available and often used in preprocessor macros. Each
    slab.h inclusion directive was examined and added manually as
    necessary.

    6. percpu.h was updated not to include slab.h.

    7. Build test were done on the following configurations and failures
    were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
    distributed build env didn't work with gcov compiles) and a few
    more options had to be turned off depending on archs to make things
    build (like ipr on powerpc/64 which failed due to missing writeq).

    * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
    * powerpc and powerpc64 SMP allmodconfig
    * sparc and sparc64 SMP allmodconfig
    * ia64 SMP allmodconfig
    * s390 SMP allmodconfig
    * alpha SMP allmodconfig
    * um on x86_64 SMP allmodconfig

    8. percpu.h modifications were reverted so that it could be applied as
    a separate patch and serve as bisection point.

    Given the fact that I had only a couple of failures from tests on step
    6, I'm fairly confident about the coverage of this conversion patch.
    If there is a breakage, it's likely to be something in one of the arch
    headers which should be easily discoverable easily on most builds of
    the specific arch.

    Signed-off-by: Tejun Heo <tj@kernel.org>
    Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>

    Tejun Heo
     

05 Mar, 2010

1 commit

  • 0f2cc4ecd   Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 ... Browse Code »

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: (52 commits)
    init: Open /dev/console from rootfs
    mqueue: fix typo "failues" -> "failures"
    mqueue: only set error codes if they are really necessary
    mqueue: simplify do_open() error handling
    mqueue: apply mathematics distributivity on mq_bytes calculation
    mqueue: remove unneeded info->messages initialization
    mqueue: fix mq_open() file descriptor leak on user-space processes
    fix race in d_splice_alias()
    set S_DEAD on unlink() and non-directory rename() victims
    vfs: add NOFOLLOW flag to umount(2)
    get rid of ->mnt_parent in tomoyo/realpath
    hppfs can use existing proc_mnt, no need for do_kern_mount() in there
    Mirror MS_KERNMOUNT in ->mnt_flags
    get rid of useless vfsmount_lock use in put_mnt_ns()
    Take vfsmount_lock to fs/internal.h
    get rid of insanity with namespace roots in tomoyo
    take check for new events in namespace (guts of mounts_poll()) to namespace.c
    Don't mess with generic_permission() under ->d_lock in hpfs
    sanitize const/signedness for udf
    nilfs: sanitize const/signedness in dealing with ->d_name.name
    ...

    Fix up fairly trivial (famous last words...) conflicts in
    drivers/infiniband/core/uverbs_main.c and security/tomoyo/realpath.c

    Linus Torvalds
     

04 Mar, 2010

2 commits

15 Feb, 2010

3 commits

  • 847b173ea   TOMOYO: Add garbage collector. ... Browse Code »

    This patch adds garbage collector support to TOMOYO.
    Elements are protected by "struct srcu_struct tomoyo_ss".

    Signed-off-by: Tetsuo Handa
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • 76bb0895d   TOMOYO: Merge headers. ... Browse Code »

    Gather structures and constants scattered around security/tomoyo/ directory.
    This is for preparation for adding garbage collector since garbage collector
    needs to know structures and constants which TOMOYO uses.

    Signed-off-by: Tetsuo Handa
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • bf24fb016   TOMOYO: Add refcounter on string data. ... Browse Code »

    Add refcounter to "struct tomoyo_name_entry" and replace tomoyo_save_name()
    with tomoyo_get_name()/tomoyo_put_name() pair so that we can kfree() when
    garbage collector is added.

    Signed-off-by: Tetsuo Handa
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Tetsuo Handa
     

27 Jan, 2010

1 commit

  • 8e2d39a16   TOMOYO: Remove usage counter for temporary memory. ... Browse Code »

    TOMOYO was using own memory usage counter for detecting memory leak.
    But as kernel 2.6.31 introduced memory leak detection mechanism
    ( CONFIG_DEBUG_KMEMLEAK ), we no longer need to have own counter.

    We remove usage counter for memory used for permission checks, but we keep
    usage counter for memory used for policy so that we can apply quota.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

11 Jan, 2010

2 commits

  • cd7bec6ad   TOMOYO: Remove memory pool for list elements. ... Browse Code »

    Currently, TOMOYO allocates memory for list elements from memory pool allocated
    by kmalloc(PAGE_SIZE). But that makes it difficult to kfree() when garbage
    collector is added. Thus, remove memory pool and use kmalloc(sizeof()).

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • e41035a99   TOMOYO: Remove memory pool for string data. ... Browse Code »

    Currently, TOMOYO allocates memory for string data from memory pool allocated
    by kmalloc(PAGE_SIZE). But that makes it difficult to kfree() when garbage
    collector is added. Thus, remove memory pool and use kmalloc(strlen()).

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

15 Dec, 2009

1 commit

09 Dec, 2009

1 commit

  • 67fa4880c   TOMOYO: Compare filesystem by magic number rather than by name. ... Browse Code »

    Please apply below one after merging 1557d33007f63dd96e5d15f33af389378e5f2e54
    (Merge git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6).
    ----------
    [PATCH for 2.6.33] TOMOYO: Compare filesystem by magic number rather than by name.

    We can use magic number for checking whether the filesystem is procfs or not.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

08 Dec, 2009

1 commit

  • 1557d3300   Merge git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6 ... Browse Code »

    * git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6: (43 commits)
    security/tomoyo: Remove now unnecessary handling of security_sysctl.
    security/tomoyo: Add a special case to handle accesses through the internal proc mount.
    sysctl: Drop & in front of every proc_handler.
    sysctl: Remove CTL_NONE and CTL_UNNUMBERED
    sysctl: kill dead ctl_handler definitions.
    sysctl: Remove the last of the generic binary sysctl support
    sysctl net: Remove unused binary sysctl code
    sysctl security/tomoyo: Don't look at ctl_name
    sysctl arm: Remove binary sysctl support
    sysctl x86: Remove dead binary sysctl support
    sysctl sh: Remove dead binary sysctl support
    sysctl powerpc: Remove dead binary sysctl support
    sysctl ia64: Remove dead binary sysctl support
    sysctl s390: Remove dead sysctl binary support
    sysctl frv: Remove dead binary sysctl support
    sysctl mips/lasat: Remove dead binary sysctl support
    sysctl drivers: Remove dead binary sysctl support
    sysctl crypto: Remove dead binary sysctl support
    sysctl security/keys: Remove dead binary sysctl support
    sysctl kernel: Remove binary sysctl logic
    ...

    Linus Torvalds
     

21 Nov, 2009

1 commit

  • a4054b6b2   security/tomoyo: Add a special case to handle accesses through the internal proc mount. ... Browse Code »

    With the change of sys_sysctl going through the internal proc mount we no
    longer need to handle security_sysctl in tomoyo as we have valid pathnames
    for all sysctl accesses. There is one slight caveat to that in that
    all of the paths from the internal mount look like
    "/sys/net/ipv4/ip_local_port_range" instead of
    "/proc/sys/net/ipv4/ip_local_port_range" so tomoyo needs to add the
    "/proc" portion manually when resolving to full path names to get what it expects.

    This change teaches tomoyo perform that modification.

    Acked-by: Tetsuo Handa
    Acked-by: John Johansen
    Signed-off-by: Eric W. Biederman

    Eric W. Biederman
     

29 Oct, 2009

1 commit

  • 024e1a494   tomoyo: improve hash bucket dispersion ... Browse Code »

    When examining the network device name hash, it was discovered that
    the low order bits of full_name_hash() are not very well dispersed
    across the possible values. When used by filesystem code, this is handled
    by folding with the function hash_long().

    The only other non-filesystem usage of full_name_hash() at this time
    appears to be in TOMOYO. This patch should fix that.

    I do not use TOMOYO at this time, so this patch is build tested only.

    Signed-off-by: Stephen Hemminger
    Acked-by: Tetsuo Handa
    Signed-off-by: James Morris

    Stephen Hemminger
     

09 Jun, 2009

1 commit

03 Jun, 2009

1 commit