29 Apr, 2008
1 commit
-
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
SELinux: Fix a RCU free problem with the netport cache
SELinux: Made netnode cache adds faster
SELinux: include/security.h whitespace, syntax, and other cleanups
SELinux: policydb.h whitespace, syntax, and other cleanups
SELinux: mls_types.h whitespace, syntax, and other cleanups
SELinux: mls.h whitespace, syntax, and other cleanups
SELinux: hashtab.h whitespace, syntax, and other cleanups
SELinux: context.h whitespace, syntax, and other cleanups
SELinux: ss/conditional.h whitespace, syntax, and other cleanups
SELinux: selinux/include/security.h whitespace, syntax, and other cleanups
SELinux: objsec.h whitespace, syntax, and other cleanups
SELinux: netlabel.h whitespace, syntax, and other cleanups
SELinux: avc_ss.h whitespace, syntax, and other cleanupsFixed up conflict in include/linux/security.h manually
28 Apr, 2008
17 commits
-
With the introduction of per-process securebits, the capabilities-related
prctl callbacks were moved into cap_task_prctl(). Have smack use
cap_task_prctl() so that PR_SET_KEEPCAPS is defined.Signed-off-by: Serge E. Hallyn
Acked-by: Casey Schaufler
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
The functions smk_cipso_doi and smk_unlbl_ambient are not used outside
smackfs.c and should hence be static.Signed-off-by: Casey Schaufler
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
With the introduction of per-process securebits, the capabilities-related
prctl callbacks were moved into cap_task_prctl(). Have root_plug use
cap_task_prctl() so that PR_SET_KEEPCAPS is defined.Signed-off-by: Serge E. Hallyn
Acked-by: Greg Kroah-Hartman
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
security/smack/smack_lsm.c:1257:16: warning: Using plain integer as NULL pointer
Signed-off-by: Harvey Harrison
Acked-by: Casey Schaufler
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Filesystem capability support makes it possible to do away with (set)uid-0
based privilege and use capabilities instead. That is, with filesystem
support for capabilities but without this present patch, it is (conceptually)
possible to manage a system with capabilities alone and never need to obtain
privilege via (set)uid-0.Of course, conceptually isn't quite the same as currently possible since few
user applications, certainly not enough to run a viable system, are currently
prepared to leverage capabilities to exercise privilege. Further, many
applications exist that may never get upgraded in this way, and the kernel
will continue to want to support their setuid-0 base privilege needs.Where pure-capability applications evolve and replace setuid-0 binaries, it is
desirable that there be a mechanisms by which they can contain their
privilege. In addition to leveraging the per-process bounding and inheritable
sets, this should include suppressing the privilege of the uid-0 superuser
from the process' tree of children.The feature added by this patch can be leveraged to suppress the privilege
associated with (set)uid-0. This suppression requires CAP_SETPCAP to
initiate, and only immediately affects the 'current' process (it is inherited
through fork()/exec()). This reimplementation differs significantly from the
historical support for securebits which was system-wide, unwieldy and which
has ultimately withered to a dead relic in the source of the modern kernel.With this patch applied a process, that is capable(CAP_SETPCAP), can now drop
all legacy privilege (through uid=0) for itself and all subsequently
fork()'d/exec()'d children with:prctl(PR_SET_SECUREBITS, 0x2f);
This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES is
enabled at configure time.[akpm@linux-foundation.org: fix uninitialised var warning]
[serue@us.ibm.com: capabilities: use cap_task_prctl when !CONFIG_SECURITY]
Signed-off-by: Andrew G. Morgan
Acked-by: Serge Hallyn
Reviewed-by: James Morris
Cc: Stephen Smalley
Cc: Paul Moore
Signed-off-by: Serge E. Hallyn
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
The netport cache doesn't free resources in a manner which is safe or orderly.
This patch fixes this by adding in a missing call to rcu_dereference() in
sel_netport_insert() as well as some general cleanup throughout the file.Signed-off-by: Paul Moore
Signed-off-by: James Morris -
When adding new entries to the network node cache we would walk the entire
hash bucket to make sure we didn't cross a threshold (done to bound the
cache size). This isn't a very quick or elegant solution for something
which is supposed to be quick-ish so add a counter to each hash bucket to
track the size of the bucket and eliminate the need to walk the entire
bucket list on each add.Signed-off-by: Paul Moore
Signed-off-by: James Morris -
This patch changes policydb.h to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)spaces followed by tabs
spaces used instead of tabs
location of * in pointer declarationsSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes mls_types.h to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)spaces used instead of tabs
Signed-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes mls.h to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)spaces used instead of tabs
Signed-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes hashtab.h to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)spaces used instead of tabs
Signed-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes context.h to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)include spaces around , in function calls
Signed-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes ss/conditional.h to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)location of * in pointer declarations
Signed-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes selinux/include/security.h to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around structs and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
no assignments in if statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes objsec.h to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around structs and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
no assignments in if statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes netlabel.h to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)spaces used instead of tabs
Signed-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes avc_ss.h to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around structs and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
no assignments in if statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris
23 Apr, 2008
1 commit
-
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
[PATCH] get rid of __exit_files(), __exit_fs() and __put_fs_struct()
[PATCH] proc_readfd_common() race fix
[PATCH] double-free of inode on alloc_file() failure exit in create_write_pipe()
[PATCH] teach seq_file to discard entries
[PATCH] umount_tree() will unhash everything itself
[PATCH] get rid of more nameidata passing in namespace.c
[PATCH] switch a bunch of LSM hooks from nameidata to path
[PATCH] lock exclusively in collect_mounts() and drop_collected_mounts()
[PATCH] move a bunch of declarations to fs/internal.h
22 Apr, 2008
4 commits
-
The attached patch needs to move from -rt to mainline given preemptable RCU.
This patch fixes SELinux code that implicitly assumes that disabling
preemption prevents an RCU grace period from completing, an assumption that
is valid for Classic RCU, but not necessarily for preemptable RCU. Explicit
rcu_read_lock() calls are thus added.Signed-off-by: Paul E. McKenney
Acked-by: Steven Rostedt
Signed-off-by: James Morris -
Namely, ones from namespace.c
Signed-off-by: Al Viro
-
The Fedora installer actually makes multiple NFS mounts before it loads
selinux policy. The code in selinux_clone_mnt_opts() assumed that the
init process would always be loading policy before NFS was up and
running. It might be possible to hit this in a diskless environment as
well, I'm not sure. There is no need to BUG_ON() in this situation
since we can safely continue given the circumstances.Signed-off-by: Eric Paris
Signed-off-by: James Morris -
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
SELinux: one little, two little, three little whitespaces, the avc.c saga.
SELinux: cleanup on isle selinuxfs.c
changing whitespace for fun and profit: policydb.c
SELinux: whitespace and formating fixes for hooks.c
SELinux: clean up printks
SELinux: sidtab.c whitespace, syntax, and static declaraction cleanups
SELinux: services.c whitespace, syntax, and static declaraction cleanups
SELinux: mls.c whitespace, syntax, and static declaraction cleanups
SELinux: hashtab.c whitespace, syntax, and static declaraction cleanups
SELinux: ebitmap.c whitespace, syntax, and static declaraction cleanups
SELinux: conditional.c whitespace, syntax, and static declaraction cleanups
SELinux: avtab.c whitespace, syntax, and static declaraction cleanups
SELinux: xfrm.c whitespace, syntax, and static declaraction cleanups
SELinux: nlmsgtab.c whitespace, syntax, and static declaraction cleanups
SELinux: netnode.c whitespace, syntax, and static declaraction cleanups
SELinux: netlink.c whitespace, syntax, and static declaraction cleanups
SELinux: netlabel.c whitespace, syntax, and static declaraction cleanups
SELinux: netif.c whitespace, syntax, and static declaraction cleanups
21 Apr, 2008
17 commits
-
avc.c was bad. It had whitespace and syntax issues which are against
our coding style. I have had a little chat with it and the result of
that conversation looked like this patch.Signed-off-by: Eric Paris
Signed-off-by: James Morris -
Why would anyone just clean up white space all day? Because they were
out too late last night and don't want to think for a day. So here is a
nice clean selinuxfs.c patch.Signed-off-by: Eric Paris
Signed-off-by: James Morris -
More formatting changes. Aside from the 80 character line limit even
the checkpatch scripts like this file now. Too bad I don't get paid by
the lines of code I change.Signed-off-by: Eric Paris
Signed-off-by: James Morris -
All whitespace and formatting. Nothing interesting to see here. About
the only thing to remember is that we aren't supposed to initialize
static variables to 0/NULL. It is done for us and doing it ourselves
puts them in a different section.With this patch running checkpatch.pl against hooks.c only gives us
complaints about busting the 80 character limit and declaring extern's
in .c files. Apparently they don't like it, but I don't feel like going
to the trouble of moving those to .h files...Signed-off-by: Eric Paris
Signed-off-by: James Morris -
Make sure all printk start with KERN_*
Make sure all printk end with \n
Make sure all printk have the word 'selinux' in them
Change "function name" to "%s", __func__ (found 2 wrong)Signed-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes sidtab.c to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
locateion of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes services.c to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
locateion of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes mls.c to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
locateion of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes hashtab.c to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
locateion of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes ebitmap.c to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
locateion of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes conditional.c to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
locateion of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes avtab.c to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
locateion of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes xfrm.c to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
locateion of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes nlmsgtab.c to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
locateion of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes netnode.c to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
locateion of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes netlink.c to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
locateion of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris -
This patch changes netlabel.c to fix whitespace and syntax issues. Things that
are fixed may include (does not not have to include)whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
locateion of { around struct and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statemetns
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
and any number of other things I forgot to mentionSigned-off-by: Eric Paris
Signed-off-by: James Morris