summaryrefslogtreecommitdiffstats
path: root/security
AgeCommit message (Collapse)Author
2011-06-30TOMOYO: Cleanup header file.Tetsuo Handa
Sort by alphabetic order. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-30TOMOYO: Fix build error with CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y .Tetsuo Handa
I forgot to add #ifndef in commit 0e4ae0e0 "TOMOYO: Make several options configurable.", resulting security/built-in.o: In function `tomoyo_bprm_set_creds': tomoyo.c:(.text+0x4698e): undefined reference to `tomoyo_load_policy' error. Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-30Merge branch 'for-security' of ↵James Morris
git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev into next
2011-06-30Merge branch 'linus' into nextJames Morris
2011-06-29AppArmor: Fix masking of capabilities in complain modeJohn Johansen
AppArmor is masking the capabilities returned by capget against the capabilities mask in the profile. This is wrong, in complain mode the profile has effectively all capabilities, as the profile restrictions are not being enforced, merely tested against to determine if an access is known by the profile. This can result in the wrong behavior of security conscience applications like sshd which examine their capability set, and change their behavior accordingly. In this case because of the masked capability set being returned sshd fails due to DAC checks, even when the profile is in complain mode. Kernels affected: 2.6.36 - 3.0. Signed-off-by: John Johansen <john.johansen@canonical.com>
2011-06-29AppArmor: Fix reference to rcu protected pointer outside of rcu_read_lockJohn Johansen
The pointer returned from tracehook_tracer_task() is only valid inside the rcu_read_lock. However the tracer pointer obtained is being passed to aa_may_ptrace outside of the rcu_read_lock critical section. Mover the aa_may_ptrace test into the rcu_read_lock critical section, to fix this. Kernels affected: 2.6.36 - 3.0 Reported-by: Oleg Nesterov <oleg@redhat.com> Cc: stable@kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com>
2011-06-29TOMOYO: Make several options configurable.Tetsuo Handa
To be able to start using enforcing mode from the early stage of boot sequence, this patch adds support for activating access control without calling external policy loader program. This will be useful for systems where operations which can lead to the hijacking of the boot sequence are needed before loading the policy. For example, you can activate immediately after loading the fixed part of policy which will allow only operations needed for mounting a partition which contains the variant part of policy and verifying (e.g. running GPG check) and loading the variant part of policy. Since you can start using enforcing mode from the beginning, you can reduce the possibility of hijacking the boot sequence. This patch makes several variables configurable on build time. This patch also adds TOMOYO_loader= and TOMOYO_trigger= kernel command line option to boot the same kernel in two different init systems (BSD-style init and systemd). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Add built-in policy support.Tetsuo Handa
To be able to start using enforcing mode from the early stage of boot sequence, this patch adds support for built-in policy configuration (and next patch adds support for activating access control without calling external policy loader program). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Rename meminfo to stat and show more statistics.Tetsuo Handa
Show statistics such as last policy update time and last policy violation time in addition to memory usage. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Cleanup part 4.Tetsuo Handa
Gather string constants to one file in order to make the object size smaller. Use unsigned type where appropriate. read()/write() returns ssize_t. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Fix lockdep warning.Tetsuo Handa
Currently TOMOYO holds SRCU lock upon open() and releases it upon close() because list elements stored in the "struct tomoyo_io_buffer" instances are accessed until close() is called. However, such SRCU usage causes lockdep to complain about leaving the kernel with SRCU lock held. This patch solves the warning by holding/releasing SRCU upon each read()/write(). This patch is doing something similar to calling kfree() without calling synchronize_srcu(), by selectively deferring kfree() by keeping track of the "struct tomoyo_io_buffer" instances. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Change pathname for non-rename()able filesystems.Tetsuo Handa
TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if $PID matches current thread's process ID in order to prevent current thread from accessing other process's information unless needed. But since procfs can be mounted on various locations (e.g. /proc/ /proc2/ /p/ /tmp/foo/100/p/ ), TOMOYO cannot tell that whether the numeric part in the string returned by __d_path() represents process ID or not. Therefore, to be able to convert from $PID to self no matter where procfs is mounted, this patch changes pathname representations for filesystems which do not support rename() operation (e.g. proc, sysfs, securityfs). Examples: /proc/self/mounts => proc:/self/mounts /sys/kernel/security/ => sys:/kernel/security/ /dev/pts/0 => devpts:/0 Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Add policy namespace support.Tetsuo Handa
Mauras Olivier reported that it is difficult to use TOMOYO in LXC environments, for TOMOYO cannot distinguish between environments outside the container and environments inside the container since LXC environments are created using pivot_root(). To address this problem, this patch introduces policy namespace. Each policy namespace has its own set of domain policy, exception policy and profiles, which are all independent of other namespaces. This independency allows users to develop policy without worrying interference among namespaces. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Add ACL group support.Tetsuo Handa
ACL group allows administrator to globally grant not only "file read" permission but also other permissions. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Add auditing interface.Tetsuo Handa
Add /sys/kernel/security/tomoyo/audit interface. This interface generates audit logs in the form of domain policy so that /usr/sbin/tomoyo-auditd can reuse audit logs for appending to /sys/kernel/security/tomoyo/domain_policy interface. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Simplify profile structure.Tetsuo Handa
Remove global preference from profile structure in order to make code simpler. Due to this structure change, printk() warnings upon policy violation are temporarily disabled. They will be replaced by /sys/kernel/security/tomoyo/audit by next patch. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Rename directives.Tetsuo Handa
Convert "allow_..." style directives to "file ..." style directives. By converting to the latter style, we can pack policy like "file read/write/execute /path/to/file". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Use struct for passing ACL line.Tetsuo Handa
Use structure for passing ACL line, in preparation for supporting policy namespace and conditional parameters. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Cleanup part 3.Tetsuo Handa
Use common structure for ACL with "struct list_head" + "atomic_t". Use array/struct where possible. Remove is_group from "struct tomoyo_name_union"/"struct tomoyo_number_union". Pass "struct file"->private_data rather than "struct file". Update some of comments. Bring tomoyo_same_acl_head() from common.h to domain.c . Bring tomoyo_invalid()/tomoyo_valid() from common.h to util.c . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Cleanup part 2.Tetsuo Handa
Update (or temporarily remove) comments. Remove or replace some of #define lines. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-29TOMOYO: Cleanup part 1.Tetsuo Handa
In order to synchronize with TOMOYO 1.8's syntax, (1) Remove special handling for allow_read/write permission. (2) Replace deny_rewrite/allow_rewrite permission with allow_append permission. (3) Remove file_pattern keyword. (4) Remove allow_read permission from exception policy. (5) Allow creating domains in enforcing mode without calling supervisor. (6) Add permission check for opening directory for reading. (7) Add permission check for stat() operation. (8) Make "cat < /sys/kernel/security/tomoyo/self_domain" behave as if "cat /sys/kernel/security/tomoyo/self_domain". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-27encrypted-keys: add ecryptfs format supportRoberto Sassu
The 'encrypted' key type defines its own payload format which contains a symmetric key randomly generated that cannot be used directly to mount an eCryptfs filesystem, because it expects an authentication token structure. This patch introduces the new format 'ecryptfs' that allows to store an authentication token structure inside the encrypted key payload containing a randomly generated symmetric key, as the same for the format 'default'. More details about the usage of encrypted keys with the eCryptfs filesystem can be found in the file 'Documentation/keys-ecryptfs.txt'. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> Acked-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2011-06-27encrypted-keys: add key format supportRoberto Sassu
This patch introduces a new parameter, called 'format', that defines the format of data stored by encrypted keys. The 'default' format identifies encrypted keys containing only the symmetric key, while other formats can be defined to support additional information. The 'format' parameter is written in the datablob produced by commands 'keyctl print' or 'keyctl pipe' and is integrity protected by the HMAC. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2011-06-27encrypted-keys: added additional debug messagesRoberto Sassu
Some debug messages have been added in the function datablob_parse() in order to better identify errors returned when dealing with 'encrypted' keys. Changelog from version v4: - made the debug messages more understandable Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2011-06-27encrypted-keys: fixed valid_master_desc() function descriptionRoberto Sassu
Valid key type prefixes for the parameter 'key-type' are: 'trusted' and 'user'. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2011-06-27encrypted_keys: avoid dumping the master key if the request failsRoberto Sassu
Do not dump the master key if an error is encountered during the request. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2011-06-21KEYS: Fix error handling in construct_key_and_link()David Howells
Fix error handling in construct_key_and_link(). If construct_alloc_key() returns an error, it shouldn't pass out through the normal path as the key_serial() called by the kleave() statement will oops when it gets an error code in the pointer: BUG: unable to handle kernel paging request at ffffffffffffff84 IP: [<ffffffff8120b401>] request_key_and_link+0x4d7/0x52f .. Call Trace: [<ffffffff8120b52c>] request_key+0x41/0x75 [<ffffffffa00ed6e8>] cifs_get_spnego_key+0x206/0x226 [cifs] [<ffffffffa00eb0c9>] CIFS_SessSetup+0x511/0x1234 [cifs] [<ffffffffa00d9799>] cifs_setup_session+0x90/0x1ae [cifs] [<ffffffffa00d9c02>] cifs_get_smb_ses+0x34b/0x40f [cifs] [<ffffffffa00d9e05>] cifs_mount+0x13f/0x504 [cifs] [<ffffffffa00caabb>] cifs_do_mount+0xc4/0x672 [cifs] [<ffffffff8113ae8c>] mount_fs+0x69/0x155 [<ffffffff8114ff0e>] vfs_kern_mount+0x63/0xa0 [<ffffffff81150be2>] do_kern_mount+0x4d/0xdf [<ffffffff81152278>] do_mount+0x63c/0x69f [<ffffffff8115255c>] sys_mount+0x88/0xc2 [<ffffffff814fbdc2>] system_call_fastpath+0x16/0x1b Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-06-20Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: devcgroup_inode_permission: take "is it a device node" checks to inlined wrapper fix comment in generic_permission() kill obsolete comment for follow_down() proc_sys_permission() is OK in RCU mode reiserfs_permission() doesn't need to bail out in RCU mode proc_fd_permission() is doesn't need to bail out in RCU mode nilfs2_permission() doesn't need to bail out in RCU mode logfs doesn't need ->permission() at all coda_ioctl_permission() is safe in RCU mode cifs_permission() doesn't need to bail out in RCU mode bad_inode_permission() is safe from RCU mode ubifs: dereferencing an ERR_PTR in ubifs_mount()
2011-06-20devcgroup_inode_permission: take "is it a device node" checks to inlined wrapperAl Viro
inode_permission() calls devcgroup_inode_permission() and almost all such calls are _not_ for device nodes; let's at least keep the common path straight... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-06-17KEYS/DNS: Fix ____call_usermodehelper() to not lose the session keyringDavid Howells
____call_usermodehelper() now erases any credentials set by the subprocess_inf::init() function. The problem is that commit 17f60a7da150 ("capabilites: allow the application of capability limits to usermode helpers") creates and commits new credentials with prepare_kernel_cred() after the call to the init() function. This wipes all keyrings after umh_keys_init() is called. The best way to deal with this is to put the init() call just prior to the commit_creds() call, and pass the cred pointer to init(). That means that umh_keys_init() and suchlike can modify the credentials _before_ they are published and potentially in use by the rest of the system. This prevents request_key() from working as it is prevented from passing the session keyring it set up with the authorisation token to /sbin/request-key, and so the latter can't assume the authority to instantiate the key. This causes the in-kernel DNS resolver to fail with ENOKEY unconditionally. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Eric Paris <eparis@redhat.com> Tested-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-06-15Merge branch 'for-linus' of git://git.infradead.org/users/eparis/selinux ↵James Morris
into for-linus
2011-06-14SELinux: skip file_name_trans_write() when policy downgraded.Roy.Li
When policy version is less than POLICYDB_VERSION_FILENAME_TRANS, skip file_name_trans_write(). Signed-off-by: Roy.Li <rongqing.li@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com>
2011-06-14TOMOYO: Fix oops in tomoyo_mount_acl().Tetsuo Handa
In tomoyo_mount_acl() since 2.6.36, kern_path() was called without checking dev_name != NULL. As a result, an unprivileged user can trigger oops by issuing mount(NULL, "/", "ext3", 0, NULL) request. Fix this by checking dev_name != NULL before calling kern_path(dev_name). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Cc: stable@kernel.org Signed-off-by: James Morris <jmorris@namei.org>
2011-06-14KEYS: Don't return EAGAIN to keyctl_assume_authority()David Howells
Don't return EAGAIN to keyctl_assume_authority() to indicate that a key could not be found (ENOKEY is only returned if a negative key is found). Instead return ENOKEY in both cases. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
2011-06-09AppArmor: Fix sleep in invalid context from task_setrlimitJohn Johansen
Affected kernels 2.6.36 - 3.0 AppArmor may do a GFP_KERNEL memory allocation with task_lock(tsk->group_leader); held when called from security_task_setrlimit. This will only occur when the task's current policy has been replaced, and the task's creds have not been updated before entering the LSM security_task_setrlimit() hook. BUG: sleeping function called from invalid context at mm/slub.c:847 in_atomic(): 1, irqs_disabled(): 0, pid: 1583, name: cupsd 2 locks held by cupsd/1583: #0: (tasklist_lock){.+.+.+}, at: [<ffffffff8104dafa>] do_prlimit+0x61/0x189 #1: (&(&p->alloc_lock)->rlock){+.+.+.}, at: [<ffffffff8104db2d>] do_prlimit+0x94/0x189 Pid: 1583, comm: cupsd Not tainted 3.0.0-rc2-git1 #7 Call Trace: [<ffffffff8102ebf2>] __might_sleep+0x10d/0x112 [<ffffffff810e6f46>] slab_pre_alloc_hook.isra.49+0x2d/0x33 [<ffffffff810e7bc4>] kmem_cache_alloc+0x22/0x132 [<ffffffff8105b6e6>] prepare_creds+0x35/0xe4 [<ffffffff811c0675>] aa_replace_current_profile+0x35/0xb2 [<ffffffff811c4d2d>] aa_current_profile+0x45/0x4c [<ffffffff811c4d4d>] apparmor_task_setrlimit+0x19/0x3a [<ffffffff811beaa5>] security_task_setrlimit+0x11/0x13 [<ffffffff8104db6b>] do_prlimit+0xd2/0x189 [<ffffffff8104dea9>] sys_setrlimit+0x3b/0x48 [<ffffffff814062bb>] system_call_fastpath+0x16/0x1b Signed-off-by: John Johansen <john.johansen@canonical.com> Reported-by: Miles Lane <miles.lane@gmail.com> Cc: stable@kernel.org Signed-off-by: James Morris <jmorris@namei.org>
2011-06-08selinux: simplify and clean up inode_has_perm()Linus Torvalds
This is a rather hot function that is called with a potentially NULL "struct common_audit_data" pointer argument. And in that case it has to provide and initialize its own dummy common_audit_data structure. However, all the _common_ cases already pass it a real audit-data structure, so that uncommon NULL case not only creates a silly run-time test, more importantly it causes that function to have a big stack frame for the dummy variable that isn't even used in the common case! So get rid of that stupid run-time behavior, and make the (few) functions that currently call with a NULL pointer just call a new helper function instead (naturally called inode_has_perm_noapd(), since it has no adp argument). This makes the run-time test be a static code generation issue instead, and allows for a much denser stack since none of the common callers need the dummy structure. And a denser stack not only means less stack space usage, it means better cache behavior. So we have a win-win-win from this simplification: less code executed, smaller stack footprint, and better cache behavior. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-06-01AppArmor: fix oops in apparmor_setprocattrKees Cook
When invalid parameters are passed to apparmor_setprocattr a NULL deref oops occurs when it tries to record an audit message. This is because it is passing NULL for the profile parameter for aa_audit. But aa_audit now requires that the profile passed is not NULL. Fix this by passing the current profile on the task that is trying to setprocattr. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Cc: stable@kernel.org Signed-off-by: James Morris <jmorris@namei.org>
2011-05-27Merge branch 'docs-move' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rdunlap/linux-docs * 'docs-move' of git://git.kernel.org/pub/scm/linux/kernel/git/rdunlap/linux-docs: Create Documentation/security/, move LSM-, credentials-, and keys-related files from Documentation/ to Documentation/security/, add Documentation/security/00-INDEX, and update all occurrences of Documentation/<moved_file> to Documentation/security/<moved_file>.
2011-05-26selinux: don't pass in NULL avd to avc_has_perm_noauditLinus Torvalds
Right now security_get_user_sids() will pass in a NULL avd pointer to avc_has_perm_noaudit(), which then forces that function to have a dummy entry for that case and just generally test it. Don't do it. The normal callers all pass a real avd pointer, and this helper function is incredibly hot. So don't make avc_has_perm_noaudit() do conditional stuff that isn't needed for the common case. This also avoids some duplicated stack space. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-05-26cgroups: add per-thread subsystem callbacksBen Blum
Add cgroup subsystem callbacks for per-thread attachment in atomic contexts Add can_attach_task(), pre_attach(), and attach_task() as new callbacks for cgroups's subsystem interface. Unlike can_attach and attach, these are for per-thread operations, to be called potentially many times when attaching an entire threadgroup. Also, the old "bool threadgroup" interface is removed, as replaced by this. All subsystems are modified for the new interface - of note is cpuset, which requires from/to nodemasks for attach to be globally scoped (though per-cpuset would work too) to persist from its pre_attach to attach_task and attach. This is a pre-patch for cgroup-procs-writable.patch. Signed-off-by: Ben Blum <bblum@andrew.cmu.edu> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Li Zefan <lizf@cn.fujitsu.com> Cc: Matt Helsley <matthltc@us.ibm.com> Reviewed-by: Paul Menage <menage@google.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: David Rientjes <rientjes@google.com> Cc: Miao Xie <miaox@cn.fujitsu.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-05-26selinux: fix case of names with whitespace/multibytes on /selinux/createKohei Kaigai
I submit the patch again, according to patch submission convension. This patch enables to accept percent-encoded object names as forth argument of /selinux/create interface to avoid possible bugs when we give an object name including whitespace or multibutes. E.g) if and when a userspace object manager tries to create a new object named as "resolve.conf but fake", it shall give this name as the forth argument of the /selinux/create. But sscanf() logic in kernel space fetches only the part earlier than the first whitespace. In this case, selinux may unexpectedly answer a default security context configured to "resolve.conf", but it is bug. Although I could not test this patch on named TYPE_TRANSITION rules actually, But debug printk() message seems to me the logic works correctly. I assume the libselinux provides an interface to apply this logic transparently, so nothing shall not be changed from the viewpoint of application. Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com> Signed-off-by: Eric Paris <eparis@redhat.com>
2011-05-26Merge commit 'v2.6.39' into 20110526Eric Paris
Conflicts: lib/flex_array.c security/selinux/avc.c security/selinux/hooks.c security/selinux/ss/policydb.c security/smack/smack_lsm.c
2011-05-26Set cred->user_ns in key_replace_session_keyringSerge E. Hallyn
Since this cred was not created with copy_creds(), it needs to get initialized. Otherwise use of syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT); can lead to a NULL deref. Thanks to Robert for finding this. But introduced by commit 47a150edc2a ("Cache user_ns in struct cred"). Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com> Reported-by: Robert Święcki <robert@swiecki.net> Cc: David Howells <dhowells@redhat.com> Cc: stable@kernel.org (2.6.39) Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-05-24Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into ↵James Morris
for-linus Conflicts: lib/flex_array.c security/selinux/avc.c security/selinux/hooks.c security/selinux/ss/policydb.c security/smack/smack_lsm.c Manually resolve conflicts. Signed-off-by: James Morris <jmorris@namei.org>
2011-05-24Merge branch 'next' into for-linusJames Morris
2011-05-23Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (39 commits) b43: fix comment typo reqest -> request Haavard Skinnemoen has left Atmel cris: typo in mach-fs Makefile Kconfig: fix copy/paste-ism for dell-wmi-aio driver doc: timers-howto: fix a typo ("unsgined") perf: Only include annotate.h once in tools/perf/util/ui/browsers/annotate.c md, raid5: Fix spelling error in comment ('Ofcourse' --> 'Of course'). treewide: fix a few typos in comments regulator: change debug statement be consistent with the style of the rest Revert "arm: mach-u300/gpio: Fix mem_region resource size miscalculations" audit: acquire creds selectively to reduce atomic op overhead rtlwifi: don't touch with treewide double semicolon removal treewide: cleanup continuations and remove logging message whitespace ath9k_hw: don't touch with treewide double semicolon removal include/linux/leds-regulator.h: fix syntax in example code tty: fix typo in descripton of tty_termios_encode_baud_rate xtensa: remove obsolete BKL kernel option from defconfig m68k: fix comment typo 'occcured' arch:Kconfig.locks Remove unused config option. treewide: remove extra semicolons ...
2011-05-19selinux: avoid unnecessary avc cache stat hit countLinus Torvalds
There is no point in counting hits - we can calculate it from the number of lookups and misses. This makes the avc statistics a bit smaller, and makes the code generation better too. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-05-19selinux: de-crapify avc cache stat code generationLinus Torvalds
You can turn off the avc cache stats, but distributions seem to not do that (perhaps because several performance tuning how-to's talk about the avc cache statistics). Which is sad, because the code it generates is truly horrendous, with the statistics update being sandwitched between get_cpu/put_cpu which in turn causes preemption disables etc. We're talking ten+ instructions just to increment a per-cpu variable in some pretty hot code. Fix the craziness by just using 'this_cpu_inc()' instead. Suddenly we only need a single 'inc' instruction to increment the statistics. This is quite noticeable in the incredibly hot avc_has_perm_noaudit() function (which triggers all the statistics by virtue of doing an avc_lookup() call). Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-05-19Merge branch 'core-rcu-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (78 commits) Revert "rcu: Decrease memory-barrier usage based on semi-formal proof" net,rcu: convert call_rcu(prl_entry_destroy_rcu) to kfree batman,rcu: convert call_rcu(softif_neigh_free_rcu) to kfree_rcu batman,rcu: convert call_rcu(neigh_node_free_rcu) to kfree() batman,rcu: convert call_rcu(gw_node_free_rcu) to kfree_rcu net,rcu: convert call_rcu(kfree_tid_tx) to kfree_rcu() net,rcu: convert call_rcu(xt_osf_finger_free_rcu) to kfree_rcu() net/mac80211,rcu: convert call_rcu(work_free_rcu) to kfree_rcu() net,rcu: convert call_rcu(wq_free_rcu) to kfree_rcu() net,rcu: convert call_rcu(phonet_device_rcu_free) to kfree_rcu() perf,rcu: convert call_rcu(swevent_hlist_release_rcu) to kfree_rcu() perf,rcu: convert call_rcu(free_ctx) to kfree_rcu() net,rcu: convert call_rcu(__nf_ct_ext_free_rcu) to kfree_rcu() net,rcu: convert call_rcu(net_generic_release) to kfree_rcu() net,rcu: convert call_rcu(netlbl_unlhsh_free_addr6) to kfree_rcu() net,rcu: convert call_rcu(netlbl_unlhsh_free_addr4) to kfree_rcu() security,rcu: convert call_rcu(sel_netif_free) to kfree_rcu() net,rcu: convert call_rcu(xps_dev_maps_release) to kfree_rcu() net,rcu: convert call_rcu(xps_map_release) to kfree_rcu() net,rcu: convert call_rcu(rps_map_release) to kfree_rcu() ...
2011-05-19Create Documentation/security/,Randy Dunlap
move LSM-, credentials-, and keys-related files from Documentation/ to Documentation/security/, add Documentation/security/00-INDEX, and update all occurrences of Documentation/<moved_file> to Documentation/security/<moved_file>.