1. 10 9月, 2005 1 次提交
    • S
      [PATCH] security: enable atomic inode security labeling · 5e41ff9e
      Stephen Smalley 提交于
      The following patch set enables atomic security labeling of newly created
      inodes by altering the fs code to invoke a new LSM hook to obtain the security
      attribute to apply to a newly created inode and to set up the incore inode
      security state during the inode creation transaction.  This parallels the
      existing processing for setting ACLs on newly created inodes.  Otherwise, it
      is possible for new inodes to be accessed by another thread via the dcache
      prior to complete security setup (presently handled by the
      post_create/mkdir/...  LSM hooks in the VFS) and a newly created inode may be
      left unlabeled on the disk in the event of a crash.  SELinux presently works
      around the issue by ensuring that the incore inode security label is
      initialized to a special SID that is inaccessible to unprivileged processes
      (in accordance with policy), thereby preventing inappropriate access but
      potentially causing false denials on legitimate accesses.  A simple test
      program demonstrates such false denials on SELinux, and the patch solves the
      problem.  Similar such false denials have been encountered in real
      applications.
      
      This patch defines a new inode_init_security LSM hook to obtain the security
      attribute to apply to a newly created inode and to set up the incore inode
      security state for it, and adds a corresponding hook function implementation
      to SELinux.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      5e41ff9e
  2. 24 6月, 2005 1 次提交
    • A
      [PATCH] setuid core dump · d6e71144
      Alan Cox 提交于
      Add a new `suid_dumpable' sysctl:
      
      This value can be used to query and set the core dump mode for setuid
      or otherwise protected/tainted binaries. The modes are
      
      0 - (default) - traditional behaviour.  Any process which has changed
          privilege levels or is execute only will not be dumped
      
      1 - (debug) - all processes dump core when possible.  The core dump is
          owned by the current user and no security is applied.  This is intended
          for system debugging situations only.  Ptrace is unchecked.
      
      2 - (suidsafe) - any binary which normally would not be dumped is dumped
          readable by root only.  This allows the end user to remove such a dump but
          not access it directly.  For security reasons core dumps in this mode will
          not overwrite one another or other files.  This mode is appropriate when
          adminstrators are attempting to debug problems in a normal environment.
      
      (akpm:
      
      > > +EXPORT_SYMBOL(suid_dumpable);
      >
      > EXPORT_SYMBOL_GPL?
      
      No problem to me.
      
      > >  	if (current->euid == current->uid && current->egid == current->gid)
      > >  		current->mm->dumpable = 1;
      >
      > Should this be SUID_DUMP_USER?
      
      Actually the feedback I had from last time was that the SUID_ defines
      should go because its clearer to follow the numbers. They can go
      everywhere (and there are lots of places where dumpable is tested/used
      as a bool in untouched code)
      
      > Maybe this should be renamed to `dump_policy' or something.  Doing that
      > would help us catch any code which isn't using the #defines, too.
      
      Fair comment. The patch was designed to be easy to maintain for Red Hat
      rather than for merging. Changing that field would create a gigantic
      diff because it is used all over the place.
      
      )
      Signed-off-by: NAlan Cox <alan@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      d6e71144
  3. 17 4月, 2005 1 次提交
    • L
      Linux-2.6.12-rc2 · 1da177e4
      Linus Torvalds 提交于
      Initial git repository build. I'm not bothering with the full history,
      even though we have it. We can create a separate "historical" git
      archive of that later if we want to, and in the meantime it's about
      3.2GB when imported into git - space that would just make the early
      git days unnecessarily complicated, when we don't have a lot of good
      infrastructure for it.
      
      Let it rip!
      1da177e4