1. 31 Oct, 2005 1 commit
    • [PATCH] SELinux: canonicalize getxattr() · d381d8a9
      James Morris committed
      This patch allows SELinux to canonicalize the value returned from
      getxattr() via the security_inode_getsecurity() hook, which is called after
      the fs level getxattr() function.
      
      The purpose of this is to allow the in-core security context for an inode
      to override the on-disk value.  This could happen in cases such as
      upgrading a system to a different labeling form (e.g.  standard SELinux to
      MLS) without needing to do a full relabel of the filesystem.
      
      In such cases, we want getxattr() to return the canonical security context
      that the kernel is using rather than what is stored on disk.
      
      The implementation hooks into the inode_getsecurity(), adding another
      parameter to indicate the result of the preceding fs-level getxattr() call,
      so that SELinux knows whether to compare a value obtained from disk with
      the kernel value.
      
      We also now allow getxattr() to work for mountpoint labeled filesystems
      (i.e.  mount with option context=foo_t), as we are able to return the
      kernel value to the user.
      Signed-off-by: James Morris <jmorris@namei.org>
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  2. 08 Sep, 2005 1 commit
  3. 05 Sep, 2005 1 commit
    • [PATCH] Generic VFS fallback for security xattrs · f549d6c1
      Stephen Smalley committed
      This patch modifies the VFS setxattr, getxattr, and listxattr code to fall
      back to the security module for security xattrs if the filesystem does not
      support xattrs natively.  This allows security modules to export the incore
      inode security label information to userspace even if the filesystem does
      not provide xattr storage, and eliminates the need to individually patch
      various pseudo filesystem types to provide such access.  The patch removes
      the existing xattr code from devpts and tmpfs as it is then no longer
      needed.
      
      The patch restructures the code flow slightly to reduce duplication between
      the normal path and the fallback path, but this should only have one
      user-visible side effect - a program may get -EACCES rather than
      -EOPNOTSUPP if policy denied access but the filesystem didn't support the
      operation anyway.  Note that the post_setxattr hook call is not needed in
      the fallback case, as the inode_setsecurity hook call handles the incore
      inode security state update directly.  In contrast, we do call fsnotify in
      both cases.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Acked-by: James Morris <jmorris@namei.org>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  4. 13 Jul, 2005 1 commit
    • [PATCH] inotify · 0eeca283
      Robert Love committed
      inotify is intended to correct the deficiencies of dnotify, particularly
      its inability to scale and its terrible user interface:
      
              * dnotify requires the opening of one fd per each directory
                that you intend to watch. This quickly results in too many
                open files and pins removable media, preventing unmount.
              * dnotify is directory-based. You only learn about changes to
                directories. Sure, a change to a file in a directory affects
                the directory, but you are then forced to keep a cache of
                stat structures.
              * dnotify's interface to user-space is awful.  Signals?
      
      inotify provides a more usable, simple, powerful solution to file change
      notification:
      
              * inotify's interface is a system call that returns a fd, not SIGIO.
                You get a single fd, which is select()-able.
              * inotify has an event that says "the filesystem that the item
                you were watching is on was unmounted."
              * inotify can watch directories or files.
      
      Inotify is currently used by Beagle (a desktop search infrastructure),
      Gamin (a FAM replacement), and other projects.
      
      See Documentation/filesystems/inotify.txt.
      Signed-off-by: Robert Love <rml@novell.com>
      Cc: John McCutchan <ttb@tentacle.dhs.org>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  5. 17 Apr, 2005 1 commit
    • Linux-2.6.12-rc2 · 1da177e4
      Linus Torvalds committed
      Initial git repository build. I'm not bothering with the full history,
      even though we have it. We can create a separate "historical" git
      archive of that later if we want to, and in the meantime it's about
      3.2GB when imported into git - space that would just make the early
      git days unnecessarily complicated, when we don't have a lot of good
      infrastructure for it.
      
      Let it rip!