1. 10 Apr, 2012 24 commits
    • SELinux: remove unused common_audit_data in flush_unauthorized_files · c737f828
      Committed by Eric Paris
      We don't need this variable and it just eats stack space.  Remove it.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: avc: remove the useless fields in avc_add_callback · 562c99f2
      Committed by Wanlong Gao
      avc_add_callback is now just used for registering reset functions
      in initcalls, and the callback functions just did reset operations.
      So, reducing the arguments to only one event is enough now.
      Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: replace weak GFP_ATOMIC to GFP_KERNEL in avc_add_callback · 0b36e44c
      Committed by Wanlong Gao
      avc_add_callback is now only called from initcalls, so replace the
      weak GFP_ATOMIC with GFP_KERNEL, and mark this function __init
      to make a warning when it has not been called from initcalls.
      Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: unify the selinux_audit_data and selinux_late_audit_data · 899838b2
      Committed by Eric Paris
      We no longer need the distinction.  We only need data after we decide to do an
      audit.  So turn the "late" audit data into just "data" and remove what we
      currently have as "data".
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: remove auditdeny from selinux_audit_data · 1d349292
      Committed by Eric Paris
      It's just takin' up space.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • LSM: do not initialize common_audit_data to 0 · 50c205f5
      Committed by Eric Paris
      It isn't needed.  If you don't set the type of the data associated with
      that type it is a pretty obvious programming bug.  So why waste the cycles?
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • LSM: BUILD_BUG_ON if the common_audit_data union ever grows · 07f62eb6
      Committed by Eric Paris
      We did a lot of work to shrink the common_audit_data.  Add a BUILD_BUG_ON
      so future programmers (let's be honest, probably me) won't do something
      foolish like make it large again!
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • LSM: remove the task field from common_audit_data · b466066f
      Committed by Eric Paris
      There are no legitimate users.  Always use current and get back some stack
      space for the common_audit_data.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • apparmor: move task from common_audit_data to apparmor_audit_data · 0972c74e
      Committed by Eric Paris
      apparmor is the only LSM that uses the common_audit_data tsk field.
      Instead of making all LSMs pay for the stack space move the aa usage into
      the apparmor_audit_data.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • LSM: remove the COMMON_AUDIT_DATA_INIT type expansion · bd5e50f9
      Committed by Eric Paris
      Just open code it so grep on the source code works better.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: move common_audit_data to a noinline slow path function · d4cf970d
      Committed by Eric Paris
      selinux_inode_has_perm is a hot path.  Instead of declaring the
      common_audit_data on the stack move it to a noinline function only used in
      the rare case we need to send an audit message.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: remove inode_has_perm_noadp · 602a8dd6
      Committed by Eric Paris
      Both callers could better be using file_has_perm() to get better audit
      results.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: delay initialization of audit data in selinux_inode_permission · 2e334057
      Committed by Eric Paris
      We pay a rather large overhead initializing the common_audit_data.
      Since we only need this information if we actually emit an audit
      message there is little need to set it up in the hot path.  This patch
      splits the functionality of avc_has_perm() into avc_has_perm_noaudit(),
      avc_audit_required() and slow_avc_audit().  But we take care of setting
      up to audit between required() and the actual audit call.  Thus saving
      measurable time in a hot path.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: if sel_make_bools errors don't leave inconsistent state · 154c50ca
      Committed by Eric Paris
      We reset the bool names and values array to NULL, but do not reset the
      number of entries in these arrays to 0.  If we error out and then get back
      into this function we will walk these NULL pointers based on the belief
      that they are non-zero length.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      cc: stable@kernel.org
    • SELinux: remove needless sel_div function · 92ae9e82
      Committed by Eric Paris
      I'm not really sure what the idea behind the sel_div function is, but it's
      useless.  Since a and b are both unsigned, it's impossible for a % b < 0.
      That means that part of the function never does anything.  Thus it's just a
      normal /.  Just do that instead.  I don't even understand what that operation
      was supposed to mean in the signed case however....
      
      If it was signed:
      sel_div(-2, 4) == ((-2 / 4) - ((-2 % 4) < 0))
      		  ((0)      - ((-2)     < 0))
      		  ((0)      - (1))
      		  (-1)
      
      What actually happens:
      sel_div(-2, 4) == ((18446744073709551614 / 4) - ((18446744073709551614 % 4) < 0))
      		  ((4611686018427387903)      - ((2 < 0))
      		  (4611686018427387903        - 0)
      		  ((unsigned int)4611686018427387903)
      		  (4294967295)
      
      Neither makes a whole ton of sense to me.  So I'm getting rid of the
      function entirely.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: possible NULL deref in context_struct_to_string · bb7081ab
      Committed by Eric Paris
      It's possible that the caller passed a NULL for scontext.  However if this
      is a deferred mapping we might still attempt to call *scontext=kstrdup().
      This is bad.  Instead just return the len.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: audit failed attempts to set invalid labels · d6ea83ec
      Committed by Eric Paris
      We know that some yum operation is causing CAP_MAC_ADMIN failures.  This
      implies that an RPM is laying down (or attempting to lay down) a file with
      an invalid label.  The problem is that we don't have any information to
      track down the cause.  This patch will cause such a failure to report the
      failed label in an SELINUX_ERR audit message.  This is similar to the
      SELINUX_ERR reports on invalid transitions and things like that.  It should
      help run down problems on what is trying to set invalid labels in the
      future.
      
      Resulting records look something like:
      type=AVC msg=audit(1319659241.138:71): avc:  denied  { mac_admin } for pid=2594 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
      type=SELINUX_ERR msg=audit(1319659241.138:71): op=setxattr invalid_context=unconfined_u:object_r:hello:s0
      type=SYSCALL msg=audit(1319659241.138:71): arch=c000003e syscall=188 success=no exit=-22 a0=a2c0e0 a1=390341b79b a2=a2d620 a3=1f items=1 ppid=2519 pid=2594 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      type=CWD msg=audit(1319659241.138:71):  cwd="/root"
      type=PATH msg=audit(1319659241.138:71): item=0 name="test" inode=785879 dev=fc:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: rename dentry_open to file_open · 83d49856
      Committed by Eric Paris
      dentry_open takes a file, rename it to file_open
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: check OPEN on truncate calls · 95dbf739
      Committed by Eric Paris
      In RH BZ 578841 we realized that the SELinux sandbox program was allowed to
      truncate files outside of the sandbox.  The reason is because sandbox
      confinement is determined almost entirely by the 'open' permission.  The idea
      was that if the sandbox was unable to open() files it would be unable to do
      harm to those files.  This turns out to be false in light of syscalls like
      truncate() and chmod() which don't require a previous open() call.  I looked
      at the syscalls that did not have an associated 'open' check and found that
      truncate(), did not have a separate permission and even if it did have a
      separate permission such a permission would be inadequate for use by
      sandbox (since it would have to be granted so liberally as to be useless).
      This patch checks the OPEN permission on truncate.  I think a better solution
      for sandbox is a whole new permission, but at least this fixes what we have
      today.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: add default_type statements · eed7795d
      Committed by Eric Paris
      Because Fedora shipped userspace based on my development tree we now
      have policy version 27 in the wild defining only default user, role, and
      range.  Thus to add default_type we need a policy.28.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: allow default source/target selectors for user/role/range · aa893269
      Committed by Eric Paris
      When new objects are created we have great and flexible rules to
      determine the type of the new object.  We aren't quite as flexible or
      mature when it comes to determining the user, role, and range.  This
      patch adds a new ability to specify the place a new object's user, role,
      and range should come from.  For users and roles it can come from either
      the source or the target of the operation.  aka for files the user can
      either come from the source (the running process and today's default) or
      it can come from the target (aka the parent directory of the new file)
      
      examples always are done with
      directory context: system_u:object_r:mnt_t:s0-s0:c0.c512
      process context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      
      [no rule]
      	unconfined_u:object_r:mnt_t:s0   test_none
      [default user source]
      	unconfined_u:object_r:mnt_t:s0   test_user_source
      [default user target]
      	system_u:object_r:mnt_t:s0       test_user_target
      [default role source]
      	unconfined_u:unconfined_r:mnt_t:s0 test_role_source
      [default role target]
      	unconfined_u:object_r:mnt_t:s0   test_role_target
      [default range source low]
      	unconfined_u:object_r:mnt_t:s0 test_range_source_low
      [default range source high]
      	unconfined_u:object_r:mnt_t:s0:c0.c1023 test_range_source_high
      [default range source low-high]
      	unconfined_u:object_r:mnt_t:s0-s0:c0.c1023 test_range_source_low-high
      [default range target low]
      	unconfined_u:object_r:mnt_t:s0 test_range_target_low
      [default range target high]
      	unconfined_u:object_r:mnt_t:s0:c0.c512 test_range_target_high
      [default range target low-high]
      	unconfined_u:object_r:mnt_t:s0-s0:c0.c512 test_range_target_low-high
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: include flow.h where used rather than get it indirectly · 6ce74ec7
      Committed by Eric Paris
      We use flow_cache_genid in the selinux xfrm files.  This is declared in
      net/flow.h  However we do not include that file directly anywhere.  We have
      always just gotten it through a long chain of indirect .h file includes.
      
      on x86_64:
      
        CC      security/selinux/ss/services.o
      In file included from
      /next/linux-next-20120216/security/selinux/ss/services.c:69:0:
      /next/linux-next-20120216/security/selinux/include/xfrm.h: In function 'selinux_xfrm_notify_policyload':
      /next/linux-next-20120216/security/selinux/include/xfrm.h:51:14: error: 'flow_cache_genid' undeclared (first use in this function)
      /next/linux-next-20120216/security/selinux/include/xfrm.h:51:14: note: each undeclared identifier is reported only once for each function it appears in
      make[3]: *** [security/selinux/ss/services.o] Error 1
      Reported-by: Randy Dunlap <rdunlap@xenotime.net>
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: loosen DAC perms on reading policy · 72e8c859
      Committed by Eric Paris
      There is no reason the DAC perms on reading the policy file need to be root
      only.  There are selinux checks which should control this access.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: allow seek operations on the file exposing policy · 47a93a5b
      Committed by Eric Paris
      sesearch uses:
      lseek(3, 0, SEEK_SET)                   = -1 ESPIPE (Illegal seek)
      
      Make that work.
      Signed-off-by: Eric Paris <eparis@redhat.com>
  2. 08 Apr, 2012 5 commits
  3. 07 Apr, 2012 11 commits
    • Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux · f21fec96
      Committed by Linus Torvalds
      Pull ACPI & Power Management patches from Len Brown:
       "Two fixes for cpuidle merge-window changes, plus a URL fix in
        MAINTAINERS"
      
      * 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux:
        MAINTAINERS: Update git url for ACPI
        cpuidle: Fix panic in CPU off-lining with no idle driver
        ACPI processor: Use safe_halt() rather than halt() in acpi_idle_play_dead()
    • Merge branch '3.4-rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · a0421da4
      Committed by Linus Torvalds
      Pull target fixes from Nicholas Bellinger:
       "Pull two tcm_fc fabric related fixes for -rc2:
      
        Note that both have been CC'ed to stable, and patch #1 is the
        important one that addresses a memory corruption bug related to FC
        exchange timeouts + command abort.
      
        Thanks again to MDR for tracking down this issue!"
      
      * '3.4-rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
        tcm_fc: Do not free tpg structure during wq allocation failure
        tcm_fc: Add abort flag for gracefully handling exchange timeout
    • tcm_fc: Do not free tpg structure during wq allocation failure · 06383f10
      Committed by Mark Rustad
      Avoid freeing a registered tpg structure if an alloc_workqueue call
      fails.  This fixes a bug where the failure was leaking memory associated
      with se_portal_group setup during the original core_tpg_register() call.
      Signed-off-by: Mark Rustad <mark.d.rustad@intel.com>
      Acked-by: Kiran Patil <Kiran.patil@intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    • tcm_fc: Add abort flag for gracefully handling exchange timeout · e1c40382
      Committed by Mark Rustad
      Add abort flag and use it to terminate processing when an exchange
      is timed out or is reset. The abort flag is used in place of the
      transport_generic_free_cmd function call in the reset and timeout
      cases, because calling that function in that context would free
      memory that was in use. The aborted flag allows the lifetime to
      be managed in a more normal way, while truncating the processing.
      
      This change eliminates a source of memory corruption which
      manifested in a variety of ugly ways.
      
      (nab: Drop unused struct fc_exch *ep in ft_recv_seq)
      Signed-off-by: Mark Rustad <mark.d.rustad@intel.com>
      Acked-by: Kiran Patil <Kiran.patil@intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    • Merge branches 'idle-fix' and 'misc' into release · eeaab2d8
      Committed by Len Brown
    • MAINTAINERS: Update git url for ACPI · aaef292a
      Committed by Igor Murzov
      Signed-off-by: Igor Murzov <e-mail@date.by>
      Signed-off-by: Len Brown <len.brown@intel.com>
    • Merge branch 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile · 4157368e
      Committed by Linus Torvalds
      Pull arch/tile bug fixes from Chris Metcalf:
       "This includes Paul Gortmaker's change to fix the <asm/system.h>
        disintegration issues on tile, a fix to unbreak the tilepro ethernet
        driver, and a backlog of bugfix-only changes from internal Tilera
        development over the last few months.
      
        They have all been to LKML and on linux-next for the last few days.
        The EDAC change to MAINTAINERS is an oddity but discussion on the
        linux-edac list suggested I ask you to pull that change through my
        tree since they don't have a tree to pull edac changes from at the
        moment."
      
      * 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile: (39 commits)
        drivers/net/ethernet/tile: fix netdev_alloc_skb() bombing
        MAINTAINERS: update EDAC information
        tilepro ethernet driver: fix a few minor issues
        tile-srom.c driver: minor code cleanup
        edac: say "TILEGx" not "TILEPro" for the tilegx edac driver
        arch/tile: avoid accidentally unmasking NMI-type interrupt accidentally
        arch/tile: remove bogus performance optimization
        arch/tile: return SIGBUS for addresses that are unaligned AND invalid
        arch/tile: fix finv_buffer_remote() for tilegx
        arch/tile: use atomic exchange in arch_write_unlock()
        arch/tile: stop mentioning the "kvm" subdirectory
        arch/tile: export the page_home() function.
        arch/tile: fix pointer cast in cacheflush.c
        arch/tile: fix single-stepping over swint1 instructions on tilegx
        arch/tile: implement panic_smp_self_stop()
        arch/tile: add "nop" after "nap" to help GX idle power draw
        arch/tile: use proper memparse() for "maxmem" options
        arch/tile: fix up locking in pgtable.c slightly
        arch/tile: don't leak kernel memory when we unload modules
        arch/tile: fix bug in delay_backoff()
        ...
    • Merge tag 'stable/for-linus-3.4-rc1-tag' of... · 9479f0f8
      Committed by Linus Torvalds
      Merge tag 'stable/for-linus-3.4-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen
      
      Pull xen fixes from Konrad Rzeszutek Wilk:
       "Two fixes for regressions:
         * one is a workaround that will be removed in v3.5 with proper fix in
           the tip/x86 tree,
         * the other is to fix drivers to load on PV (a previous patch made
           them only load in PVonHVM mode).
      
        The rest are just minor fixes in the various drivers and some cleanup
        in the core code."
      
      * tag 'stable/for-linus-3.4-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
        xen/pcifront: avoid pci_frontend_enable_msix() falsely returning success
        xen/pciback: fix XEN_PCI_OP_enable_msix result
        xen/smp: Remove unnecessary call to smp_processor_id()
        xen/x86: Workaround 'x86/ioapic: Add register level checks to detect bogus io-apic entries'
        xen: only check xen_platform_pci_unplug if hvm
    • Merge tag 'mmc-fixes-for-3.4-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc · 1ddca057
      Committed by Linus Torvalds
      Pull MMC fixes from Chris Ball:
       - Disable use of MSI in sdhci-pci, which caused multiple chipsets to
         stop working in 3.4-rc1.  I'll wait to turn this on again until we
         have a chipset whitelist for it.
       - Fix a libertas SDIO powered-resume regression introduced in 3.3;
         thanks to Neil Brown and Rafael Wysocki for this fix.
       - Fix module reloading on omap_hsmmc.
       - Stop trusting the spec/card's specified maximum data timeout length,
         and use three seconds instead.  Previously we used 300ms.
      
      Also cleanups and fixes for s3c, atmel, sh_mmcif and omap_hsmmc.
      
      * tag 'mmc-fixes-for-3.4-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc: (28 commits)
        mmc: use really long write timeout to deal with crappy cards
        mmc: sdhci-dove: Fix compile error by including module.h
        mmc: Prevent 1.8V switch for SD hosts that don't support UHS modes.
        Revert "mmc: sdhci-pci: Add MSI support"
        Revert "mmc: sdhci-pci: add quirks for broken MSI on O2Micro controllers"
        mmc: core: fix power class selection
        mmc: omap_hsmmc: fix module re-insertion
        mmc: omap_hsmmc: convert to module_platform_driver
        mmc: omap_hsmmc: make it behave well as a module
        mmc: omap_hsmmc: trivial cleanups
        mmc: omap_hsmmc: context save after enabling runtime pm
        mmc: omap_hsmmc: use runtime put sync in probe error patch
        mmc: sdio: Use empty system suspend/resume callbacks at the bus level
        mmc: bus: print bus speed mode of UHS-I card
        mmc: sdhci-pci: add quirks for broken MSI on O2Micro controllers
        mmc: sh_mmcif: Simplify calculation of mmc->f_min
        mmc: sh_mmcif: mmc->f_max should be half of the bus clock
        mmc: sh_mmcif: double clock speed
        mmc: block: Remove use of mmc_blk_set_blksize
        mmc: atmel-mci: add support for odd clock dividers
        ...
    • Make the "word-at-a-time" helper functions more commonly usable · f68e556e
      Committed by Linus Torvalds
      I have a new optimized x86 "strncpy_from_user()" that will use these
      same helper functions for all the same reasons the name lookup code uses
      them.  This is preparation for that.
      
      This moves them into an architecture-specific header file.  It's
      architecture-specific for two reasons:
      
       - some of the functions are likely to want architecture-specific
         implementations.  Even if the current code happens to be "generic" in
         the sense that it should work on any little-endian machine, it's
         likely that the "multiply by a big constant and shift" implementation
         is less than optimal for an architecture that has a guaranteed fast
         bit count instruction, for example.
      
       - I expect that if architectures like sparc want to start playing
         around with this, we'll need to abstract out a few more details (in
         particular the actual unaligned accesses).  So we're likely to have
         more architecture-specific stuff if non-x86 architectures start using
         this.
      
         (and if it turns out that non-x86 architectures don't start using
         this, then having it in an architecture-specific header is still the
         right thing to do, of course)
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • cpuidle: Fix panic in CPU off-lining with no idle driver · ee01e663
      Committed by Toshi Kani
      Fix a NULL pointer dereference panic in cpuidle_play_dead() during
      CPU off-lining when no cpuidle driver is registered.  A cpuidle
      driver may be registered at boot-time based on CPU type.  This patch
      allows an off-lined CPU to enter HLT-based idle in this condition.
      Signed-off-by: Toshi Kani <toshi.kani@hp.com>
      Cc: Boris Ostrovsky <boris.ostrovsky@amd.com>
      Reviewed-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
      Tested-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
      Signed-off-by: Len Brown <len.brown@intel.com>