1. 17 May, 2006 5 commits
  2. 16 May, 2006 4 commits
  3. 11 May, 2006 2 commits
  4. 09 May, 2006 1 commit
  5. 07 May, 2006 2 commits
  6. 04 May, 2006 2 commits
  7. 03 May, 2006 2 commits
  8. 02 May, 2006 7 commits
    • [PATCH] vmsplice: restrict stealing a little more · 330ab716
      Committed by Jens Axboe
      Apply the same rules as the anon pipe pages, only allow stealing
      if no one else is using the page.
      Signed-off-by: Jens Axboe <axboe@suse.de>
    • [PATCH] splice: fix page LRU accounting · a893b99b
      Committed by Jens Axboe
      Currently we rely on the PIPE_BUF_FLAG_LRU flag being set correctly
      to know whether we need to fiddle with page LRU state after stealing it,
      however for some origins we just don't know if the page is on the LRU
      list or not.
      
      So remove PIPE_BUF_FLAG_LRU and do this check/add manually in pipe_to_file()
      instead.
      Signed-off-by: Jens Axboe <axboe@suse.de>
    • [NETFILTER] x_tables: fix compat related crash on non-x86 · 46c5ea3c
      Committed by Patrick McHardy
      When iptables userspace adds an ipt_standard_target, it calculates the size
      of the entire entry as:
      
      sizeof(struct ipt_entry) + XT_ALIGN(sizeof(struct ipt_standard_target))
      
      ipt_standard_target looks like this:
      
        struct xt_standard_target
        {
              struct xt_entry_target target;
              int verdict;
        };
      
      xt_entry_target contains a pointer, so when compiled for 64 bit the
      structure gets an extra 4 byte of padding at the end. On 32 bit
      architectures where iptables aligns to 8 byte it will also have 4
      byte padding at the end because it is only 36 bytes large.
      
      The compat_ipt_standard_fn in the kernel adjusts the offsets by
      
        sizeof(struct ipt_standard_target) - sizeof(struct compat_ipt_standard_target),
      
      which will always result in 4, even if the structure from userspace
      was already padded to a multiple of 8. On x86 this works out by
      accident because userspace only aligns to 4, on all other
      architectures this is broken and causes incorrect adjustments to
      the size and following offsets.
      
      Thanks to Linus for lots of debugging help and testing.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
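
Added example (not part of the commit or of the kernel source): a small C model of the size arithmetic described in the x_tables commit message above. The two structs are constructed stand-ins sized to the 36 and 40 bytes the message quotes, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the sizes quoted in the commit message; the structs
 * and function names are illustrative stand-ins, not kernel definitions. */
#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((size_t)(a) - 1))

/* 32-bit userspace layout: 32-byte target header + int verdict = 36 bytes. */
struct compat_std_target { uint8_t target[32]; int32_t verdict; };

/* 64-bit kernel layout: the pointer in the target header forces 8-byte
 * alignment, so 4 bytes of tail padding bring the struct to 40 bytes. */
struct native_std_target { uint64_t target[4]; int32_t verdict; };

/* Size 32-bit userspace writes into the entry: XT_ALIGN-style rounding with
 * the alignment its ABI uses (4 on x86, 8 on the other architectures). */
size_t user_target_size(size_t user_align)
{
    return ALIGN_UP(sizeof(struct compat_std_target), user_align);
}

/* The adjustment described in the commit: a constant sizeof() difference,
 * added no matter how much padding userspace already included. */
size_t constant_adjusted_size(size_t user_size)
{
    return user_size + (sizeof(struct native_std_target) -
                        sizeof(struct compat_std_target));
}

/* Size the 64-bit kernel actually needs for the translated target. */
size_t native_target_size(void)
{
    return ALIGN_UP(sizeof(struct native_std_target), 8);
}

int main(void)
{
    const size_t aligns[] = { 4, 8 };   /* x86 userspace, everything else */
    for (size_t i = 0; i < 2; i++) {
        size_t sent = user_target_size(aligns[i]);
        size_t got = constant_adjusted_size(sent);
        printf("user align %zu: sent %zu, adjusted %zu, needed %zu -> %s\n",
               aligns[i], sent, got, native_target_size(),
               got == native_target_size() ? "ok" : "MISMATCH");
    }
    return 0;
}
```

With 4-byte userspace alignment the constant adjustment lands on the needed size; with 8-byte alignment it overshoots by 4, which is the incorrect size and offset adjustment the message describes.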
    • [PATCH] vmsplice: allow user to pass in gift pages · 7afa6fd0
      Committed by Jens Axboe
      If SPLICE_F_GIFT is set, the user is basically giving these pages away to
      the kernel. That means we can steal them for eg page cache uses instead
      of copying it.
      
      The data must be properly page aligned and also a multiple of the page size
      in length.
      Signed-off-by: Jens Axboe <axboe@suse.de>
    • [PATCH] pipe: enable atomic copying of pipe data to/from user space · f6762b7a
      Committed by Jens Axboe
      The pipe ->map() method uses kmap() to virtually map the pages, which
      is both slow and has known scalability issues on SMP. This patch enables
      atomic copying of pipe pages, by pre-faulting data and using kmap_atomic()
      instead.
      
      lmbench bw_pipe and lat_pipe measurements agree this is a Good Thing. Here
      are results from that on a UP machine with highmem (1.5GiB of RAM), running
      first a UP kernel, SMP kernel, and SMP kernel patched.
      
      Vanilla-UP:
      Pipe bandwidth: 1622.28 MB/sec
      Pipe bandwidth: 1610.59 MB/sec
      Pipe bandwidth: 1608.30 MB/sec
      Pipe latency: 7.3275 microseconds
      Pipe latency: 7.2995 microseconds
      Pipe latency: 7.3097 microseconds
      
      Vanilla-SMP:
      Pipe bandwidth: 1382.19 MB/sec
      Pipe bandwidth: 1317.27 MB/sec
      Pipe bandwidth: 1355.61 MB/sec
      Pipe latency: 9.6402 microseconds
      Pipe latency: 9.6696 microseconds
      Pipe latency: 9.6153 microseconds
      
      Patched-SMP:
      Pipe bandwidth: 1578.70 MB/sec
      Pipe bandwidth: 1579.95 MB/sec
      Pipe bandwidth: 1578.63 MB/sec
      Pipe latency: 9.1654 microseconds
      Pipe latency: 9.2266 microseconds
      Pipe latency: 9.1527 microseconds
      Signed-off-by: Jens Axboe <axboe@suse.de>
    • [PATCH] pipe: introduce ->pin() buffer operation · f84d7519
      Committed by Jens Axboe
      The ->map() function is really expensive on highmem machines right now,
      since it has to use the slower kmap() instead of kmap_atomic(). Splice
      rarely needs to access the virtual address of a page, so it's a waste
      of time doing it.
      
      Introduce ->pin() to take over the responsibility of making sure the
      page data is valid. ->map() is then reduced to just kmap(). That way we
      can also share most of the pipe buffer ops between pipe.c and splice.c
      Signed-off-by: Jens Axboe <axboe@suse.de>
    • [PATCH] splice: fix bugs in pipe_to_file() · 0568b409
      Committed by Jens Axboe
      Found by Oleg Nesterov <oleg@tv-sign.ru>, fixed by me.
      
      - Only allow full pages to go to the page cache.
      - Check page != buf->page instead of using PIPE_BUF_FLAG_STOLEN.
      - Remember to clear 'stolen' if add_to_page_cache() fails.
      
      And as a cleanup on that:
      
      - Make the bottom fall-through logic a little less convoluted. Also make
        the steal path hold an extra reference to the page, so we don't have
        to differentiate between stolen and non-stolen at the end.
      Signed-off-by: Jens Axboe <axboe@suse.de>
  9. 01 May, 2006 7 commits
    • [PATCH] Rework of IPC auditing · 073115d6
      Committed by Steve Grubb
      1) The audit_ipc_perms() function has been split into two different
      functions:
              - audit_ipc_obj()
              - audit_ipc_set_perm()
      
      There's a key shift here...  The audit_ipc_obj() collects the uid, gid,
      mode, and SElinux context label of the current ipc object.  This
      audit_ipc_obj() hook is now found in several places.  Most notably, it
      is hooked in ipcperms(), which is called in various places around the
      ipc code performing a MAC check.  Additionally there are several places
      where *checkid() is used to validate that an operation is being
      performed on a valid object while not necessarily having a nearby
      ipcperms() call.  In these locations, audit_ipc_obj() is called to
      ensure that the information is captured by the audit system.
      
      The audit_set_new_perm() function is called any time the permissions on
      the ipc object changes.  In this case, the NEW permissions are recorded
      (and note that an audit_ipc_obj() call exists just a few lines before
      each instance).
      
      2) Support for an AUDIT_IPC_SET_PERM audit message type.  This allows
      for separate auxiliary audit records for normal operations on an IPC
      object and permissions changes.  Note that the same struct
      audit_aux_data_ipcctl is used and populated, however there are separate
      audit_log_format statements based on the type of the message.  Finally,
      the AUDIT_IPC block of code in audit_free_aux() was extended to handle
      aux messages of this new type.  No more mem leaks I hope ;-)
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] More user space subject labels · ce29b682
      Committed by Steve Grubb
      Hi,
      
      The patch below builds upon the patch sent earlier and adds subject label to
      all audit events generated via the netlink interface. It also cleans up a few
      other minor things.
      Signed-off-by: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] Reworked patch for labels on user space messages · e7c34970
      Committed by Steve Grubb
      The below patch should be applied after the inode and ipc sid patches.
      This patch is a reworking of Tim's patch that has been updated to match
      the inode and ipc patches since it's similar.
      
      [updated: Stephen Smalley also wanted to change a variable from isec to
      tsec in the user sid patch.]
      Signed-off-by: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] change lspp ipc auditing · 9c7aa6aa
      Committed by Steve Grubb
      Hi,
      
      The patch below converts IPC auditing to collect sid's and convert to context
      string only if it needs to output an audit record. This patch depends on the
      inode audit change patch already being applied.
      Signed-off-by: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] audit inode patch · 1b50eed9
      Committed by Steve Grubb
      Previously, we were gathering the context instead of the sid. Now in this patch,
      we gather just the sid and convert to context only if an audit event is being
      output.
      
      This patch brings the performance hit from 146% down to 23%
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] support for context based audit filtering · 376bd9cb
      Committed by Darrel Goeddel
      The following patch provides selinux interfaces that will allow the audit
      system to perform filtering based on the process context (user, role, type,
      sensitivity, and clearance).  These interfaces will allow the selinux
      module to perform efficient matches based on lower level selinux constructs,
      rather than relying on context retrievals and string comparisons within
      the audit module.  It also allows for dominance checks on the mls portion
      of the contexts that are impossible with only string comparisons.
      Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] drop task argument of audit_syscall_{entry,exit} · 5411be59
      Committed by Al Viro
      ... it's always current, and that's a good thing - allows simpler locking.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  10. 30 April, 2006 2 commits
  11. 29 April, 2006 1 commit
  12. 28 April, 2006 4 commits
  13. 27 April, 2006 1 commit