1. 25 Jun 2016, 17 commits
  2. 15 Jun 2016, 14 commits
  3. 06 Jun 2016, 9 commits
    • security: tomoyo: simplify the gc kthread creation · 40d27378
      Committed by Mike Danese
      The code is doing the equivalent of the kthread_run macro.
      Signed-off-by: Mike Danese <mikedanese@google.com>
      Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
    • net: Use ns_capable_noaudit() when determining net sysctl permissions · d6e0d306
      Committed by Tyler Hicks
      The capability check should not be audited since it is only being used
      to determine the inode permissions. A failed check does not indicate a
      violation of security policy but, when an LSM is enabled, a denial audit
      message was being generated.
      
      The denial audit message caused confusion for some application authors
      because root-running Go applications always triggered the denial. To
      prevent this confusion, the capability check in net_ctl_permissions() is
      switched to the noaudit variant.
      
      BugLink: https://launchpad.net/bugs/1465724
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
    • kernel: Add noaudit variant of ns_capable() · 98f368e9
      Committed by Tyler Hicks
      When checking the current cred for a capability in a specific user
      namespace, it isn't always desirable to have the LSMs audit the check.
      This patch adds a noaudit variant of ns_capable() for when those
      situations arise.
      
      The common logic between ns_capable() and the new ns_capable_noaudit()
      is moved into a single, shared function to keep duplicated code to a
      minimum and ease maintainability.
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
    • LSM: Fix for security_inode_getsecurity and -EOPNOTSUPP · 2885c1e3
      Committed by Casey Schaufler
      Serge Hallyn pointed out that the current implementation of
      security_inode_getsecurity() works if there is only one hook
      provided for it, but will fail if there is more than one and
      the attribute requested isn't supplied by the first module.
      This isn't a problem today, since only SELinux and Smack
      provide this hook and there is (currently) no way to enable
      both of those modules at the same time. Serge, however, wants
      to introduce a capability attribute and an inode_getsecurity
      hook in the capability security module to handle it. This
      addresses that upcoming problem, will be required for "extreme
      stacking" and is just a better implementation.
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
      Acked-by: Serge Hallyn <serge@hallyn.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
    • MAINTAINERS: update Serge Hallyn's email address · 39baa7e6
      Committed by Serge E. Hallyn
      Author: Serge Hallyn <serge.hallyn@ubuntu.com>
      Date:   Thu May 19 23:37:05 2016 -0500
      
          Update email address
      
          My canonical.com email address will soon stop working.
      Signed-off-by: Serge Hallyn <serge@hallyn.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
    • Linux 4.7-rc2 · af8c34ce
      Committed by Linus Torvalds
    • Merge branch 'parisc-4.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 5975b2c0
      Committed by Linus Torvalds
      Pull parisc fixes from Helge Deller:
      
       - Fix printk time stamps on SMP systems which got wrong due to a patch
         which was added during the merge window
      
       - Fix two bugs in the stack backtrace code: Races in module unloading
         and possible invalid accesses to memory due to wrong instruction
         decoding (Mikulas Patocka)
      
       - Fix userspace crash when syscalls access invalid unaligned userspace
         addresses.  Those syscalls will now return EFAULT as expected.
         (tagged for stable kernel series)
      
      * 'parisc-4.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Move die_if_kernel() prototype into traps.h header
        parisc: Fix pagefault crash in unaligned __get_user() call
        parisc: Fix printk time during boot
        parisc: Fix backtrace on PA-RISC
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · d834502e
      Committed by Linus Torvalds
      Pull key handling update from James Morris:
       "This alters a new keyctl function added in the current merge window to
        allow for a future extension planned for the next merge window"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        KEYS: Add placeholder for KDF usage with DH
    • devpts: Make each mount of devpts an independent filesystem. · eedf265a
      Committed by Eric W. Biederman
      The /dev/ptmx device node is changed to lookup the directory entry "pts"
      in the same directory as the /dev/ptmx device node was opened in.  If
      there is a "pts" entry and that entry is a devpts filesystem /dev/ptmx
      uses that filesystem.  Otherwise the open of /dev/ptmx fails.
      
      The DEVPTS_MULTIPLE_INSTANCES configuration option is removed, so that
      userspace can now safely depend on each mount of devpts creating a new
      instance of the filesystem.
      
      Each mount of devpts is now a separate and equal filesystem.
      
      Reserved ttys are now available to all instances of devpts where the
      mounter is in the initial mount namespace.
      
      A new vfs helper path_pts is introduced that finds a directory entry
      named "pts" in the directory of the passed in path, and changes the
      passed in path to point to it.  The helper path_pts uses a function
      path_parent_directory that was factored out of follow_dotdot.
      
      In the implementation of devpts:
       - devpts_mnt is killed as it is no longer meaningful if all mounts of
         devpts are equal.
       - pts_sb_from_inode is replaced by just inode->i_sb as all cached
         inodes in the tty layer are now from the devpts filesystem.
       - devpts_add_ref is rolled into the new function devpts_ptmx.  And the
         unnecessary inode hold is removed.
       - devpts_del_ref is renamed devpts_release and reduced to just a
         deactivate_super.
       - The newinstance mount option continues to be accepted but is now
         ignored.
      
      In devpts_fs.h definitions for when !CONFIG_UNIX98_PTYS are removed as
      they are never used.
      
      Documentation/filesystems/devices.txt is updated to describe the current
      situation.
      
      This has been verified to work properly on openwrt-15.05, centos5,
      centos6, centos7, debian-6.0.2, debian-7.9, debian-8.2, ubuntu-14.04.3,
      ubuntu-15.10, fedora23, mageia-5, mint-17.3, opensuse-42.1,
      slackware-14.1, gentoo-20151225 (13.0?), archlinux-2015-12-01.  With the
      caveat that on centos6 and on slackware-14.1 that there wind up being
      two instances of the devpts filesystem mounted on /dev/pts, the lower
      copy does not end up getting used.
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Greg KH <greg@kroah.com>
      Cc: Peter Hurley <peter@hurleysoftware.com>
      Cc: Peter Anvin <hpa@zytor.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
      Cc: Willy Tarreau <w@1wt.eu>
      Cc: Aurelien Jarno <aurelien@aurel32.net>
      Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
      Cc: Jann Horn <jann@thejh.net>
      Cc: Jiri Slaby <jslaby@suse.com>
      Cc: Florian Weimer <fw@deneb.enyo.de>
      Cc: Konstantin Khlebnikov <koct9i@gmail.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>