- 21 10月, 2010 22 次提交
-
-
由 Eric Paris 提交于
The conntrack code can export the internal secid to userspace. These are dynamic, can change on lsm changes, and have no meaning in userspace. We should instead be sending lsm contexts to userspace instead. This patch sends the secctx (rather than secid) to userspace over the netlink socket. We use a new field CTA_SECCTX and stop using the the old CTA_SECMARK field since it did not send particularly useful information. Signed-off-by: NEric Paris <eparis@redhat.com> Reviewed-by: NPaul Moore <paul.moore@hp.com> Acked-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Eric Paris 提交于
With the (long ago) interface change to have the secid_to_secctx functions do the string allocation instead of having the caller do the allocation we lost the ability to query the security server for the length of the upcoming string. The SECMARK code would like to allocate a netlink skb with enough length to hold the string but it is just too unclean to do the string allocation twice or to do the allocation the first time and hold onto the string and slen. This patch adds the ability to call security_secid_to_secctx() with a NULL data pointer and it will just set the slen pointer. Signed-off-by: NEric Paris <eparis@redhat.com> Reviewed-by: NPaul Moore <paul.moore@hp.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Eric Paris 提交于
Right now secmark has lots of direct selinux calls. Use all LSM calls and remove all SELinux specific knowledge. The only SELinux specific knowledge we leave is the mode. The only point is to make sure that other LSMs at least test this generic code before they assume it works. (They may also have to make changes if they do not represent labels as strings) Signed-off-by: NEric Paris <eparis@redhat.com> Acked-by: NPaul Moore <paul.moore@hp.com> Acked-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Eric Paris 提交于
Commit 4a5a5c73 attempted to pass decent error messages back to userspace for netfilter errors. In xt_SECMARK.c however the patch screwed up and returned on 0 (aka no error) early and didn't finish setting up secmark. This results in a kernel BUG if you use SECMARK. Signed-off-by: NEric Paris <eparis@redhat.com> Acked-by: NPaul Moore <paul.moore@hp.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 John Johansen 提交于
Actually I think in this case the appropriate thing to do is to BUG as there is currently a case (remove) where the alloc_size needs to be larger than the copy_size, and if copy_size is ever greater than alloc_size there is a mistake in the caller code. Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Acked-by: NKees Cook <kees.cook@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Tetsuo Handa 提交于
Configuration files for TOMOYO 2.3 are not compatible with TOMOYO 2.2. But current panic() message is too unfriendly and is confusing users. Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reviewed-by: NKOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 KOSAKI Motohiro 提交于
All security modules shouldn't change sched_param parameter of security_task_setscheduler(). This is not only meaningless, but also make a harmful result if caller pass a static variable. This patch remove policy and sched_param parameter from security_task_setscheduler() becuase none of security module is using it. Cc: James Morris <jmorris@namei.org> Signed-off-by: NKOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Dmitry Torokhov 提交于
Fix the following warning: drivers/char/tpm/tpm.c:1085: warning: `tpm_suspend_setup' defined but not used and make the workaround operable in case when TPM is compiled as a module. As a side-effect the option will be called tpm.suspend_pcr. Signed-off-by: NDmitry Torokhov <dtor@mail.ru> Cc: Rajiv Andrade <srajiv@linux.vnet.ibm.com> Cc: David Safford <safford@watson.ibm.com> Cc: James Morris <jmorris@namei.org> Cc: Debora Velarde <debora@linux.vnet.ibm.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 KaiGai Kohei 提交于
This patch fixes up coding-style problem at this commit: 4f27a7d49789b04404eca26ccde5f527231d01d5 selinux: fast status update interface (/selinux/status) Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 matt mooney 提交于
Replace EXTRA_CFLAGS with ccflags-y. Signed-off-by: Nmatt mooney <mfm@muteddisk.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Paul Gortmaker 提交于
While the previous change to the selinux Makefile reduced the window significantly for this failure, it is still possible to see a compile failure where cpp starts processing selinux files before the auto generated flask.h file is completed. This is easily reproduced by adding the following temporary change to expose the issue everytime: - cmd_flask = scripts/selinux/genheaders/genheaders ... + cmd_flask = sleep 30 ; scripts/selinux/genheaders/genheaders ... This failure happens because the creation of the object files in the ss subdir also depends on flask.h. So simply incorporate them into the parent Makefile, as the ss/Makefile really doesn't do anything unique. With this change, compiling of all selinux files is dependent on completion of the header file generation, and this test case with the "sleep 30" now confirms it is functioning as expected. Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Paul Gortmaker 提交于
Selinux has an autogenerated file, "flask.h" which is included by two other selinux files. The current makefile has a single dependency on the first object file in the selinux-y list, assuming that will get flask.h generated before anyone looks for it, but that assumption breaks down in a "make -jN" situation and you get: selinux/selinuxfs.c:35: fatal error: flask.h: No such file or directory compilation terminated. remake[9]: *** [security/selinux/selinuxfs.o] Error 1 Since flask.h is included by security.h which in turn is included nearly everywhere, make the dependency apply to all of the selinux-y list of objs. Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 KaiGai Kohei 提交于
This patch provides a new /selinux/status entry which allows applications read-only mmap(2). This region reflects selinux_kernel_status structure in kernel space. struct selinux_kernel_status { u32 length; /* length of this structure */ u32 sequence; /* sequence number of seqlock logic */ u32 enforcing; /* current setting of enforcing mode */ u32 policyload; /* times of policy reloaded */ u32 deny_unknown; /* current setting of deny_unknown */ }; When userspace object manager caches access control decisions provided by SELinux, it needs to invalidate the cache on policy reload and setenforce to keep consistency. However, the applications need to check the kernel state for each accesses on userspace avc, or launch a background worker process. In heuristic, frequency of invalidation is much less than frequency of making access control decision, so it is annoying to invoke a system call to check we don't need to invalidate the userspace cache. If we can use a background worker thread, it allows to receive invalidation messages from the kernel. But it requires us an invasive coding toward the base application in some cases; E.g, when we provide a feature performing with SELinux as a plugin module, it is unwelcome manner to launch its own worker thread from the module. If we could map /selinux/status to process memory space, application can know updates of selinux status; policy reload or setenforce. A typical application checks selinux_kernel_status::sequence when it tries to reference userspace avc. If it was changed from the last time when it checked userspace avc, it means something was updated in the kernel space. Then, the application can reset userspace avc or update current enforcing mode, without any system call invocations. This sequence number is updated according to the seqlock logic, so we need to wait for a while if it is odd number. Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: NEric Paris <eparis@redhat.com> -- security/selinux/include/security.h | 21 ++++++ security/selinux/selinuxfs.c | 56 +++++++++++++++ security/selinux/ss/Makefile | 2 +- security/selinux/ss/services.c | 3 + security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++ 5 files changed, 210 insertions(+), 1 deletions(-) Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Yong Zhang 提交于
Signed-off-by: NYong Zhang <yong.zhang0@gmail.com> Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Tetsuo Handa 提交于
We can set default LSM module to DAC (which means "enable no LSM module"). If default LSM module was set to DAC, security_module_enable() must return 0 unless overridden via boot time parameter. Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: NSerge E. Hallyn <serge@hallyn.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Eric Paris 提交于
type is not used at all, stop declaring and assigning it. Signed-off-by: NEric Paris <eparis@redhat.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Dan Carpenter 提交于
If domain is NULL then &domain->list is a bogus address. Let's leave head->r.domain NULL instead of saving an unusable pointer. This is just a cleanup. The current code always checks head->r.eof before dereferencing head->r.domain. Signed-off-by: NDan Carpenter <error27@gmail.com> Acked-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-
由 Linus Torvalds 提交于
-
git://git.linux-mips.org/pub/scm/upstream-linus由 Linus Torvalds 提交于
* 'upstream' of git://git.linux-mips.org/pub/scm/upstream-linus: MIPS: O32 compat/N32: Fix to use compat syscall wrappers for AIO syscalls. MAINTAINERS: Change list for ioc_serial to linux-serial. SERIAL: ioc3_serial: Return -ENOMEM on memory allocation failure MIPS: jz4740: Fix Kbuild Platform file. MIPS: Repair Kbuild make clean breakage.
-
由 Amit Shah 提交于
If the host is slow in reading data or doesn't read data at all, blocking write calls not only blocked the program that called write() but the entire guest itself. To overcome this, let's not block till the host signals it has given back the virtio ring element we passed it. Instead, send the buffer to the host and return to userspace. This operation then becomes similar to how non-blocking writes work, so let's use the existing code for this path as well. This code change also ensures blocking write calls do get blocked if there's not enough room in the virtio ring as well as they don't return -EAGAIN to userspace. Signed-off-by: NAmit Shah <amit.shah@redhat.com> Acked-by: NHans de Goede <hdegoede@redhat.com> CC: stable@kernel.org Signed-off-by: NRusty Russell <rusty@rustcorp.com.au> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6由 Linus Torvalds 提交于
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6: [SCSI] bsg: fix incorrect device_status value [SCSI] Fix VPD inquiry page wrapper
-
git://git.kernel.org/pub/scm/virt/kvm/kvm由 Linus Torvalds 提交于
* 'kvm-updates/2.6.36' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: Fix fs/gs reload oops with invalid ldt
-
- 20 10月, 2010 7 次提交
-
-
由 Michel Thebeau 提交于
[Ralf: Michel's original patch only fixed N32; I replicated the same fix for O32.] Signed-off-by: NMichel Thebeau <michel.thebeau@windriver.com> Cc: paul.gortmaker@windriver.com Cc: bruce.ashfield@windriver.com Signed-off-by: NRalf Baechle <ralf@linux-mips.org>
-
由 Ralf Baechle 提交于
IOC3 is also being used on SGI MIPS systems but this particular driver is only being used on IA64 systems so linux-mips made no sense as a list. Pat also thinks linux-serial@vger.kernel.org is the better list. Signed-off-by: NRalf Baechle <ralf@linux-mips.org>
-
由 Julia Lawall 提交于
In this code, 0 is returned on memory allocation failure, even though other failures return -ENOMEM or other similar values. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression ret; expression x,e1,e2,e3; @@ ret = 0 ... when != ret = e1 *x = \(kmalloc\|kcalloc\|kzalloc\)(...) ... when != ret = e2 if (x == NULL) { ... when != ret = e3 return ret; } // </smpl> Signed-off-by: NJulia Lawall <julia@diku.dk> To: Pat Gefre <pfg@sgi.com> Cc: kernel-janitors@vger.kernel.org Cc: linux-ia64@vger.kernel.org Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/1704/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>
-
由 David Daney 提交于
The platform specific files should be included via the platform-y variable. Signed-off-by: NDavid Daney <ddaney@caviumnetworks.com> Cc: Lars-Peter Clausen <lars@metafoo.de> Patchwork: https://patchwork.linux-mips.org/patch/1719/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>
-
由 David Daney 提交于
When running make clean, Kbuild doesn't process the .config file, so nothing generates a platform-y variable. We can get it to descend into the platform directories by setting $(obj-). The dec Platform file was unconditionally setting platform-, obliterating its previous contents and preventing some directories from being cleaned. This is change to an append operation '+=' to allow cavium-octeon to be cleaned. Signed-off-by: NDavid Daney <ddaney@caviumnetworks.com> Cc: Sam Ravnborg <sam@ravnborg.org> Patchwork: https://patchwork.linux-mips.org/patch/1718/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6由 Linus Torvalds 提交于
* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6: drm/radeon/kms: avivo cursor workaround applies to evergreen as well
-
由 Avi Kivity 提交于
kvm reloads the host's fs and gs blindly, however the underlying segment descriptors may be invalid due to the user modifying the ldt after loading them. Fix by using the safe accessors (loadsegment() and load_gs_index()) instead of home grown unsafe versions. This is CVE-2010-3698. KVM-Stable-Tag. Signed-off-by: NAvi Kivity <avi@redhat.com> Signed-off-by: NMarcelo Tosatti <mtosatti@redhat.com>
-
- 19 10月, 2010 6 次提交
-
-
git://git.linux-mips.org/pub/scm/upstream-linus由 Linus Torvalds 提交于
* 'upstream' of git://git.linux-mips.org/pub/scm/upstream-linus: MIPS: Enable ISA_DMA_API config to fix build failure MIPS: 32-bit: Fix build failure in asm/fcntl.h MIPS: Remove all generated vmlinuz* files on "make clean" MIPS: do_sigaltstack() expects userland pointers MIPS: Fix error values in case of bad_stack MIPS: Sanitize restart logics MIPS: secure_computing, syscall audit: syscall number should in r2, not r0. MIPS: Don't block signals if we'd failed to setup a sigframe
-
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input由 Linus Torvalds 提交于
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: evdev - fix EVIOCSABS regression Input: evdev - fix Ooops in EVIOCGABS/EVIOCSABS
-
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6由 Linus Torvalds 提交于
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6: firewire: ohci: fix TI TSB82AA2 regression since 2.6.35
-
由 Sascha Hauer 提交于
This patch reverts the driver to enabling/disabling the NFC interrupt mask rather than enabling/disabling the system interrupt. This cleans up the driver so that it doesn't rely on interrupts being disabled within the interrupt handler. For i.MX21 we keep the current behaviour, that is calling enable_irq/disable_irq_nosync to enable/disable interrupts. This patch is based on earlier work by John Ogness. Signed-off-by: NSascha Hauer <s.hauer@pengutronix.de> Acked-by: NJohn Ogness <john.ogness@linutronix.de> Tested-by: NJohn Ogness <john.ogness@linutronix.de> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
git://git.fluff.org/bjdooks/linux由 Linus Torvalds 提交于
* 'for-linus/i2c/2636-rc8' of git://git.fluff.org/bjdooks/linux: i2c-imx: do not allow interruptions when waiting for I2C to complete i2c-davinci: Fix TX setup for more SoCs
-
由 Linus Torvalds 提交于
* fixes: v4l1: fix 32-bit compat microcode loading translation De-pessimize rds_page_copy_user
-
- 18 10月, 2010 5 次提交
-
-
由 Namhyung Kim 提交于
Add ISA_DMA_API config item and select it when GENERIC_ISA_DMA enabled. This fixes build failure on allmodconfig like following: CC sound/isa/es18xx.o sound/isa/es18xx.c: In function 'snd_es18xx_playback1_prepare': sound/isa/es18xx.c:501:9: error: implicit declaration of function 'snd_dma_program' sound/isa/es18xx.c: In function 'snd_es18xx_playback_pointer': sound/isa/es18xx.c:818:3: error: implicit declaration of function 'snd_dma_pointer' make[3]: *** [sound/isa/es18xx.o] Error 1 make[2]: *** [sound/isa/es18xx.o] Error 2 make[1]: *** [sub-make] Error 2 make: *** [all] Error 2 Signed-off-by: NNamhyung Kim <namhyung@gmail.com> Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/1717/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>
-
由 Namhyung Kim 提交于
CC security/integrity/ima/ima_fs.o In file included from linux/include/linux/fcntl.h:4:0, from linux/security/integrity/ima/ima_fs.c:18: linux/arch/mips/include/asm/fcntl.h:63:2: error: expected specifier-qualifier-list before 'off_t' make[3]: *** [security/integrity/ima/ima_fs.o] Error 1 make[2]: *** [security/integrity/ima/ima_fs.o] Error 2 make[1]: *** [sub-make] Error 2 make: *** [all] Error 2 Signed-off-by: NNamhyung Kim <namhyung@gmail.com> Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/1715/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>
-
由 Wu Zhangjin 提交于
[Ralf: I changed the patch to explicitly list all files to be deleted out of paranoia.] Signed-off-by: NWu Zhangjin <wuzhangjin@gmail.com> Patchwork: http://patchwork.linux-mips.org/patch/1590/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>
-
由 Al Viro 提交于
o32 compat does the right thing, native and n32 compat do not... Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Cc: linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org Cc: linux-mips@linux-mips.org Patchwork: http://patchwork.linux-mips.org/patch/1700/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>
-
由 Al Viro 提交于
We want EFAULT, not -<syscall number> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Cc: linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/1699/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>
-