- 15 4月, 2015 1 次提交
-
-
由 Richard Guy Briggs 提交于
When task->comm is passed directly to audit_log_untrustedstring() without getting a copy or using the task_lock, there is a race that could happen that would output a NULL (\0) in the middle of the output string that would effectively truncate the rest of the report text after the comm= field in the audit log message, losing fields. Using get_task_comm() to get a copy while acquiring the task_lock to prevent this and to prevent the result from being a mixture of old and new values of comm would incur potentially unacceptable overhead, considering that the value can be influenced by userspace and therefore untrusted anyways. Copy the value before passing it to audit_log_untrustedstring() ensures that a local copy is used to calculate the length *and* subsequently printed. Even if this value contains a mix of old and new values, it will only calculate and copy up to the first NULL, preventing the rest of the audit log message being truncated. Use a second local copy of comm to avoid a race between the first and second calls to audit_log_untrustedstring() with comm. Reported-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: NRichard Guy Briggs <rgb@redhat.com> Signed-off-by: NJames Morris <james.l.morris@oracle.com>
-
- 13 4月, 2015 1 次提交
-
-
由 James Morris 提交于
Merge branch 'tomoyo-cleanup' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild into next
-
- 08 4月, 2015 3 次提交
-
-
由 Michal Marek 提交于
The Makefile automatically generates the tomoyo policy files, which are not removed by make clean (because they could have been provided by the user). Instead of generating the missing files, use /dev/null if a given file is not provided. Store the default exception_policy in exception_policy.conf.default. Acked-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: NMichal Marek <mmarek@suse.cz>
-
由 Michal Marek 提交于
Combine the generation of builtin-policy.h into a single command and use if_changed, so that the file is regenerated each time the command changes. The next patch will make use of this. Acked-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: NMichal Marek <mmarek@suse.cz>
-
由 Michal Marek 提交于
Simplify the Makefile by using a readily available tool instead of a custom sed script. The downside is that builtin-policy.h becomes unreadable for humans, but it is only a generated file. Acked-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: NMichal Marek <mmarek@suse.cz>
-
- 07 4月, 2015 5 次提交
-
-
由 Stephen Smalley 提交于
Now that we can safely increase the avtab max buckets without triggering high order allocations and have a hash function that will make better use of the larger number of buckets, increase the max buckets to 2^16. Original: 101421 entries and 2048/2048 buckets used, longest chain length 374 With new hash function: 101421 entries and 2048/2048 buckets used, longest chain length 81 With increased max buckets: 101421 entries and 31078/32768 buckets used, longest chain length 12 Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <pmoore@redhat.com>
-
由 John Brooks 提交于
This function, based on murmurhash3, has much better distribution than the original. Using the current default of 2048 buckets, there are many fewer collisions: Before: 101421 entries and 2048/2048 buckets used, longest chain length 374 After: 101421 entries and 2048/2048 buckets used, longest chain length 81 The difference becomes much more significant when buckets are increased. A naive attempt to expand the current function to larger outputs doesn't yield any significant improvement; so this function is a prerequisite for increasing the bucket size. sds: Adapted from the original patches for libsepol to the kernel. Signed-off-by: NJohn Brooks <john.brooks@jolla.com> Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <pmoore@redhat.com>
-
由 Stephen Smalley 提交于
Previously we shrank the avtab max hash buckets to avoid high order memory allocations, but this causes avtab lookups to degenerate to very long linear searches for the Fedora policy. Convert to using a flex_array instead so that we can increase the buckets without such limitations. This change does not alter the max hash buckets; that is left to a separate follow-on change. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <pmoore@redhat.com>
-
由 Paul Moore 提交于
Move the NetLabel secattr MLS category import logic into mls_import_netlbl_cat() where it belongs, and use the mls_import_netlbl_cat() function in security_netlbl_secattr_to_sid(). Reported-by: NRickard Strandqvist <rickard_strandqvist@spectrumdigital.se> Signed-off-by: NPaul Moore <pmoore@redhat.com>
-
由 Jeff Vander Stoep 提交于
Commit f01e1af4 ("selinux: don't pass in NULL avd to avc_has_perm_noaudit") made this pointer reassignment unnecessary. Avd should continue to reference the stack-based copy. Signed-off-by: NJeff Vander Stoep <jeffv@google.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> [PM: tweaked subject line] Signed-off-by: NPaul Moore <pmoore@redhat.com>
-
- 02 4月, 2015 1 次提交
-
-
- 01 4月, 2015 1 次提交
-
-
由 Casey Schaufler 提交于
Document the Smack bringup features. Update the proper location for mounting smackfs from /smack to /sys/fs/smackfs. Fix some spelling errors. Suggest the use of the load2 interface instead of the load interface. Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 27 3月, 2015 2 次提交
-
-
由 Christophe Ricard 提交于
MODULE_DEVICE_TABLE is missing in spi phy in case CONFIG_OF is not set. Reviewed-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com> Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com> Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
-
由 Christophe Ricard 提交于
In case the driver is configured to use irq, we are not waiting the answer for a duration period to see the DATA_AVAIL status bit to raise but at maximum timeout_c. This may result in critical failure as we will not wait long enough for the command completion. Reviewed-by: NJason Gunthorpe <jason.gunthorpe@obsidianresearch.com> Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com> Fixes: bf38b871 ("tpm/tpm_i2c_stm_st33: Split tpm_i2c_tpm_st33 in 2 layers (core + phy)") Reviewed-by: NPeter Huewe <peterhuewe@gmx.de> Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
-
- 24 3月, 2015 4 次提交
-
-
由 Paul Gortmaker 提交于
In commit 00f84f3f ("Smack: Make the syslog control configurable") this mutex was added, but the rest of the final commit never actually made use of it, resulting in: In file included from include/linux/mutex.h:29:0, from include/linux/notifier.h:13, from include/linux/memory_hotplug.h:6, from include/linux/mmzone.h:821, from include/linux/gfp.h:5, from include/linux/slab.h:14, from include/linux/security.h:27, from security/smack/smackfs.c:21: security/smack/smackfs.c:63:21: warning: ‘smack_syslog_lock’ defined but not used [-Wunused-variable] static DEFINE_MUTEX(smack_syslog_lock); ^ A git grep shows no other instances/references to smack_syslog_lock. Delete it, assuming that the mutex addition was just a leftover from an earlier work in progress version of the change. Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
-
由 Casey Schaufler 提交于
I have vehemently opposed adding a "permissive" mode to Smack for the simple reasons that it would be subject to massive abuse and that developers refuse to turn it off come product release. I still believe that this is true, and still refuse to add a general "permissive mode". So don't ask again. Bumjin Im suggested an approach that addresses most of the concerns, and I have implemented it here. I still believe that we'd be better off without this sort of thing, but it looks like this minimizes the abuse potential. Firstly, you have to configure Smack Bringup Mode. That allows for "release" software to be ammune from abuse. Second, only one label gets to be "permissive" at a time. You can use it for debugging, but that's about it. A label written to smackfs/unconfined is treated specially. If either the subject or object label of an access check matches the "unconfined" label, and the access would not have been allowed otherwise an audit record and a console message are generated. The audit record "request" string is marked with either "(US)" or "(UO)", to indicate that the request was granted because of an unconfined label. The fact that an inode was accessed by an unconfined label is remembered, and subsequent accesses to that "impure" object are noted in the log. The impurity is not stored in the filesystem, so a file mislabled as a side effect of using an unconfined label may still cause concern after a reboot. So, it's there, it's dangerous, but so many application developers seem incapable of living without it I have given in. I've tried to make it as safe as I can, but in the end it's still a chain saw. Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
由 José Bollo 提交于
With this commit, the LSM Smack implements the LSM side part of the system call keyctl with the action code KEYCTL_GET_SECURITY. It is now possible to get the context of, for example, the user session key using the command "keyctl security @s". The original patch has been modified for merge. Signed-off-by: NJosé Bollo <jose.bollo@open.eurogiciel.org> Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
由 Marcin Lis 提交于
This change fixes the bug associated with sockets owned by kernel threads. These sockets, created usually by network devices' drivers tasks, received smk_in label from the task that created them - the "floor" label in the most cases. The result was that they were not able to receive data packets because of missing smack rules. The main reason of the access deny is that the socket smk_in label is placed as the object during smk check, kernel thread's capabilities are omitted. Signed-off-by: NMarcin Lis <m.lis@samsung.com>
-
- 19 3月, 2015 8 次提交
-
-
由 Peter Huewe 提交于
Make the tpm_infineon driver define its PM callbacks through a struct dev_pm_ops object rather than by using legacy PM hooks in struct pnp_driver. This allows the driver to use tpm_pm_suspend() as its suspend callback directly, so we can remove the duplicated savestate code. Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
-
由 Peter Huewe 提交于
Jason does an excellent job reviewing the TPM stuff, so we add him to the designated reviewer list (with his consent :) Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com> Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
-
由 Peter Huewe 提交于
I got a lot of requests lately about whether the new TPM2.0 support includes the FIFO interface for TPM2.0 as well. The FIFO interface is handled by tpm_tis since FIFO=TIS (more or less). -> Update the helptext and headline Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
-
由 Christophe Ricard 提交于
Reviewed-by: NJason Gunthorpe <jason.gunthorpe@obsidianresearch.com> Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com> Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
-
由 Christophe Ricard 提交于
st33zp24 TIS 1.2 support also SPI. It is using a proprietary protocol to transport TIS data. Acked-by: NJarkko Sakkinen <jarkko.sakknen@linux.intel.com> Reviewed-by: NJason Gunthorpe <jason.gunthorpe@obsidianresearch.com> Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com> Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
-
由 Christophe Ricard 提交于
tpm_i2c_stm_st33 is a TIS 1.2 TPM with a core interface which can be used by different phy such as i2c or spi. The core part is called st33zp24 which is also the main part reference. include/linux/platform_data/tpm_stm_st33.h is renamed consequently. The driver is also split into an i2c phy in charge of sending/receiving data as well as managing platform data or dts configuration. Acked-by: NJarkko Sakkinen <jarkko.sakknen@linux.intel.com> Reviewed-by: NJason Gunthorpe <jason.gunthorpe@obsidianresearch.com> Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com> Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
-
由 Christophe Ricard 提交于
io_lpcpd is accessible from struct tpm_stm_dev. struct st33zp24_platform_data is only valid when using static platform configuration data, not when using dts. Reviewed-by: NJason Gunthorpe <jason.gunthorpe@obsidianresearch.com> Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com> Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
-
由 Jarkko Sakkinen 提交于
I started to work with PPI interface so that it would be available under character device sysfs directory and realized that chip registeration was still too messy. In TPM 1.x in some rare scenarios (errors that almost never occur) wrong order in deinitialization steps was taken in teardown. I reproduced these scenarios by manually inserting error codes in the place of the corresponding function calls. The key problem is that the teardown is messy with two separate code paths (this was inherited when moving code from tpm-interface.c). Moved TPM 1.x specific register/unregister functionality to own helper functions and added single code path for teardown in tpm_chip_register(). Now the code paths have been fixed and it should be easier to review later on this part of the code. Cc: <stable@vger.kernel.org> Fixes: 7a1d7e6d ("tpm: TPM 2.0 baseline support") Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: NScot Doyle <lkml14@scotdoyle.com> Reviewed-by: NPeter Huewe <peterhuewe@gmx.de> Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
-
- 06 3月, 2015 2 次提交
-
-
由 Jarkko Sakkinen 提交于
- tpm_dev_add_device(): cdev_add() must be done before uevent is propagated in order to avoid races. - tpm_chip_register(): tpm_dev_add_device() must be done as the last step before exposing device to the user space in order to avoid races. In addition clarified description in tpm_chip_register(). Fixes: 313d21ee ("tpm: device class for tpm") Fixes: afb5abc2 ("tpm: two-phase chip management functions") Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: NPeter Huewe <peterhuewe@gmx.de> Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
-
Problem: When IMA and VTPM are both enabled in kernel config, kernel hangs during bootup on LE OS. Why?: IMA calls tpm_pcr_read() which results in tpm_ibmvtpm_send and tpm_ibmtpm_recv getting called. A trace showed that tpm_ibmtpm_recv was hanging. Resolution: tpm_ibmtpm_recv was hanging because tpm_ibmvtpm_send was sending CRQ message that probably did not make much sense to phype because of Endianness. The fix below sends correctly converted CRQ for LE. This was not caught before because it seems IMA is not enabled by default in kernel config and IMA exercises this particular code path in vtpm. Tested with IMA and VTPM enabled in kernel config and VTPM enabled on both a BE OS and a LE OS ppc64 lpar. This exercised CRQ and TPM command code paths in vtpm. Patch is against Peter's tpmdd tree on github which included Vicky's previous vtpm le patches. Signed-off-by: NJoy Latten <jmlatten@linux.vnet.ibm.com> Cc: <stable@vger.kernel.org> # eb71f8a5: "Added Little Endian support to vtpm module" Cc: <stable@vger.kernel.org> Reviewed-by: NAshley Lai <ashley@ahsleylai.com> Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
-
- 03 3月, 2015 1 次提交
-
- 28 2月, 2015 2 次提交
-
-
由 Stephen Smalley 提交于
Yama selects SECURITYFS and SECURITY_PATH, but requires neither. Remove them. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
When the sysctl table is constified, we won't be able to directly modify it. Instead, use a table copy that carries any needed changes. Suggested-by: NPaX Team <pageexec@freemail.hu> Signed-off-by: NKees Cook <keescook@chromium.org>
-
- 23 2月, 2015 9 次提交
-
-
由 Linus Torvalds 提交于
.. after extensive statistical analysis of my G+ polling, I've come to the inescapable conclusion that internet polls are bad. Big surprise. But "Hurr durr I'ma sheep" trounced "I like online polls" by a 62-to-38% margin, in a poll that people weren't even supposed to participate in. Who can argue with solid numbers like that? 5,796 votes from people who can't even follow the most basic directions? In contrast, "v4.0" beat out "v3.20" by a slimmer margin of 56-to-44%, but with a total of 29,110 votes right now. Now, arguably, that vote spread is only about 3,200 votes, which is less than the almost six thousand votes that the "please ignore" poll got, so it could be considered noise. But hey, I asked, so I'll honor the votes.
-
git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4由 Linus Torvalds 提交于
Pull ext4 fixes from Ted Ts'o: "Ext4 bug fixes. We also reserved code points for encryption and read-only images (for which the implementation is mostly just the reserved code point for a read-only feature :-)" * tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: ext4: fix indirect punch hole corruption ext4: ignore journal checksum on remount; don't fail ext4: remove duplicate remount check for JOURNAL_CHECKSUM change ext4: fix mmap data corruption in nodelalloc mode when blocksize < pagesize ext4: support read-only images ext4: change to use setup_timer() instead of init_timer() ext4: reserve codepoints used by the ext4 encryption feature jbd2: complain about descriptor block checksum errors
-
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs由 Linus Torvalds 提交于
Pull more vfs updates from Al Viro: "Assorted stuff from this cycle. The big ones here are multilayer overlayfs from Miklos and beginning of sorting ->d_inode accesses out from David" * 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (51 commits) autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation procfs: fix race between symlink removals and traversals debugfs: leave freeing a symlink body until inode eviction Documentation/filesystems/Locking: ->get_sb() is long gone trylock_super(): replacement for grab_super_passive() fanotify: Fix up scripted S_ISDIR/S_ISREG/S_ISLNK conversions Cachefiles: Fix up scripted S_ISDIR/S_ISREG/S_ISLNK conversions VFS: (Scripted) Convert S_ISLNK/DIR/REG(dentry->d_inode) to d_is_*(dentry) SELinux: Use d_is_positive() rather than testing dentry->d_inode Smack: Use d_is_positive() rather than testing dentry->d_inode TOMOYO: Use d_is_dir() rather than d_inode and S_ISDIR() Apparmor: Use d_is_positive/negative() rather than testing dentry->d_inode Apparmor: mediated_filesystem() should use dentry->d_sb not inode->i_sb VFS: Split DCACHE_FILE_TYPE into regular and special types VFS: Add a fallthrough flag for marking virtual dentries VFS: Add a whiteout dentry type VFS: Introduce inode-getting helpers for layered/unioned fs environments Infiniband: Fix potential NULL d_inode dereference posix_acl: fix reference leaks in posix_acl_create autofs4: Wrong format for printing dentry ...
-
git://ftp.arm.linux.org.uk/~rmk/linux-arm由 Linus Torvalds 提交于
Pull ARM fix from Russell King: "Just one fix this time around. __iommu_alloc_buffer() can cause a BUG() if dma_alloc_coherent() is called with either __GFP_DMA32 or __GFP_HIGHMEM set. The patch from Alexandre addresses this" * 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm: ARM: 8305/1: DMA: Fix kzalloc flags in __iommu_alloc_buffer()
-
由 Al Viro 提交于
X-Coverup: just ask spender Cc: stable@vger.kernel.org Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Al Viro 提交于
use_pde()/unuse_pde() in ->follow_link()/->put_link() resp. Cc: stable@vger.kernel.org Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Al Viro 提交于
As it is, we have debugfs_remove() racing with symlink traversals. Supply ->evict_inode() and do freeing there - inode will remain pinned until we are done with the symlink body. And rip the idiocy with checking if dentry is positive right after we'd verified debugfs_positive(), which is a stronger check... Cc: stable@vger.kernel.org Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Al Viro 提交于
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Konstantin Khlebnikov 提交于
I've noticed significant locking contention in memory reclaimer around sb_lock inside grab_super_passive(). Grab_super_passive() is called from two places: in icache/dcache shrinkers (function super_cache_scan) and from writeback (function __writeback_inodes_wb). Both are required for progress in memory allocator. Grab_super_passive() acquires sb_lock to increment sb->s_count and check sb->s_instances. It seems sb->s_umount locked for read is enough here: super-block deactivation always runs under sb->s_umount locked for write. Protecting super-block itself isn't a problem: in super_cache_scan() sb is protected by shrinker_rwsem: it cannot be freed if its slab shrinkers are still active. Inside writeback super-block comes from inode from bdi writeback list under wb->list_lock. This patch removes locking sb_lock and checks s_instances under s_umount: generic_shutdown_super() unlinks it under sb->s_umount locked for write. New variant is called trylock_super() and since it only locks semaphore, callers must call up_read(&sb->s_umount) instead of drop_super(sb) when they're done. Signed-off-by: NKonstantin Khlebnikov <khlebnikov@yandex-team.ru> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-