Based on a request from Eric Paris to simplify parsing, replace
audit_log_format statements containing "%s" with audit_log_string().
Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
Acked-by: NEric Paris <eparis@redhat.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

An audit subsystem change replaced AUDIT_EQUAL with Audit_equal.
Update calls to security_filter_rule_init()/match() to reflect
the change.
Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

I was never able to understand what should we actually do when
security_task_wait() fails, but the current code doesn't look right.

If ->task_wait() returns the error, we update *notask_error correctly.
But then we either reap the child (despite the fact this was forbidden)
or clear *notask_error (and hide the securiy policy problems).

This patch assumes that "stolen by ptrace" doesn't matter. If selinux
denies the child we should ignore it but make sure we report -EACCESS
instead of -ECHLD if there are no other eligible children.
Signed-off-by: NOleg Nesterov <oleg@redhat.com>
Acked-by: NRoland McGrath <roland@redhat.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

We shouldn't worry about the tracer if current is ptraced, exec() must not
succeed if the tracer has no rights to trace this task after cred changing.
But we should notify ->real_parent which is, well, real parent.

Also, we don't need _irq to take tasklist, and we don't need parent's
->siglock to wake_up_interruptible(real_parent->signal->wait_chldexit).
Since we hold tasklist, real_parent->signal must be stable. Otherwise
spin_lock(siglock) is not safe too and can't help anyway.
Signed-off-by: NOleg Nesterov <oleg@redhat.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

Don't flush inherited SIGKILL during execve() in SELinux's post cred commit
hook.  This isn't really a security problem: if the SIGKILL came before the
credentials were changed, then we were right to receive it at the time, and
should honour it; if it came after the creds were changed, then we definitely
should honour it; and in any case, all that will happen is that the process
will be scrapped before it ever returns to userspace.
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Signed-off-by: NOleg Nesterov <oleg@redhat.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

We are still calling secondary_ops->sysctl even though the capabilities
module does not define a sysctl operation.
Signed-off-by: NEric Paris <eparis@redhat.com>
Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: NJames Morris <jmorris@namei.org>

Commit 3d43321b ("modules: sysctl to
block module loading") introduces a modules_disabled variable that is
only defined if CONFIG_MODULE_UNLOAD is enabled, despite being used in
other places. This moves it up and fixes up the build.

  CC      kernel/module.o
kernel/module.c: In function 'sys_init_module':
kernel/module.c:2401: error: 'modules_disabled' undeclared (first use in this function)
kernel/module.c:2401: error: (Each undeclared identifier is reported only once
kernel/module.c:2401: error: for each function it appears in.)
make[1]: *** [kernel/module.o] Error 1
make: *** [kernel/module.o] Error 2
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>
Signed-off-by: NJames Morris <jmorris@namei.org>

the following patch, add logging of Smack security decisions.
This is of course very useful to understand what your current smack policy does.
As suggested by Casey, it also now forbids labels with ', " or \

It introduces a '/smack/logging' switch :
0: no logging
1: log denied (default)
2: log accepted
3: log denied&accepted
Signed-off-by: NEtienne Basset <etienne.basset@numericable.fr>
Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
Acked-by: NEric Paris <eparis@redhat.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

This patch creates auditing functions usable by LSM to audit security
events. It provides standard dumping of FS, NET, task etc ... events
(code borrowed from SELinux)
and provides 2 callbacks to define LSM specific auditing, which should be
flexible enough to convert SELinux too.
Signed-off-by: NEtienne Basset <etienne.basset@numericable.fr>
Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
cked-by: NEric Paris <eparis@redhat.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

Since TOMOYO's policy management tools does not use the "undelete domain"
command, we decided to remove that command.
Signed-off-by: NKentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: NToshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: NJames Morris <jmorris@namei.org>

Distributions face a backward compatibility problem with starting to use
file capabilities.  For instance, removing setuid root from ping and
doing setcap cap_net_raw=pe means that booting with an older kernel
or one compiled without file capabilities means ping won't work for
non-root users.

In order to replace the setuid root bit on a capability-unaware
program, one has to set the effective, or legacy, file capability,
which makes the capability effective immediately.  This patch
uses the legacy bit as a queue to not automatically add full
privilege to a setuid-root program.

So, with this patch, an ordinary setuid-root program will run with
privilege.  But if /bin/ping has both setuid-root and cap_net_raw in
fP and fE, then ping (when run by non-root user) will not run
with only cap_net_raw.

Changelog:
	Apr 2 2009: Print a message once when such a binary is loaded,
		as per James Morris' suggestion.
	Apr 2 2009: Fix the condition to only catch uid!=0 && euid==0.
Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

Implement a sysctl file that disables module-loading system-wide since
there is no longer a viable way to remove CAP_SYS_MODULE after the system
bounding capability set was removed in 2.6.25.

Value can only be set to "1", and is tested only if standard capability
checks allow CAP_SYS_MODULE.  Given existing /dev/mem protections, this
should allow administrators a one-way method to block module loading
after initial boot-time module loading has finished.
Signed-off-by: NKees Cook <kees.cook@canonical.com>
Acked-by: NSerge Hallyn <serue@us.ibm.com>
Signed-off-by: NJames Morris <jmorris@namei.org>

This patch enables applications to handle permissive domain correctly.

Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.

This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.

This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).
Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
Acked-by: NEric Paris <eparis@redhat.com>
--
 security/selinux/avc.c              |    2 +-
 security/selinux/include/security.h |    4 +++-
 security/selinux/selinuxfs.c        |    4 ++--
 security/selinux/ss/services.c      |   30 +++++-------------------------
 4 files changed, 11 insertions(+), 29 deletions(-)
Signed-off-by: NJames Morris <jmorris@namei.org>

* 'futexes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  futex: remove the pointer math from double_unlock_hb, fix
  futex: remove the pointer math from double_unlock_hb
  futex: clean up fault logic
  futex: unlock before returning -EFAULT
  futex: use current->time_slack_ns for rt tasks too
  futex: add double_unlock_hb()
  futex: additional (get|put)_futex_key() fixes
  futex: update futex commentary

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  smack: Add a new '-CIPSO' option to the network address label configuration
  netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections
  lsm: Remove the socket_post_accept() hook
  selinux: Remove the "compat_net" compatibility code
  netlabel: Label incoming TCP connections correctly in SELinux
  lsm: Relocate the IPv4 security_inet_conn_request() hooks
  TOMOYO: Fix a typo.
  smack: convert smack to standard linux lists

Annotate struct fs_struct's usage count to indicate the restrictions upon it.
It may not be incremented, except by clone(CLONE_FS), as this affects the
check in check_unsafe_exec() in fs/exec.c.
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Signed-off-by: NHugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

check_unsafe_exec() also notes whether the fs_struct is being
shared by more threads than will get killed by the exec, and if so
sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid.
But /proc/<pid>/cwd and /proc/<pid>/root lookups make transient
use of get_fs_struct(), which also raises that sharing count.

This might occasionally cause a setuid program not to change euid,
in the same way as happened with files->count (check_unsafe_exec
also looks at sighand->count, but /proc doesn't raise that one).

We'd prefer exec not to unshare fs_struct: so fix this in procfs,
replacing get_fs_struct() by get_fs_path(), which does path_get
while still holding task_lock, instead of raising fs->count.
Signed-off-by: NHugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
___

 fs/proc/base.c |   50 +++++++++++++++--------------------------------
 1 file changed, 16 insertions(+), 34 deletions(-)
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Joe Malicki reports that setuid sometimes doesn't: very rarely,
a setuid root program does not get root euid; and, by the way,
they have a health check running lsof every few minutes.

Right, check_unsafe_exec() notes whether the files_struct is being
shared by more threads than will get killed by the exec, and if so
sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid.
But /proc/<pid>/fd and /proc/<pid>/fdinfo lookups make transient
use of get_files_struct(), which also raises that sharing count.

There's a rather simple fix for this: exec's check on files->count
has been redundant ever since 2.6.1 made it unshare_files() (except
while compat_do_execve() omitted to do so) - just remove that check.

[Note to -stable: this patch will not apply before 2.6.29: earlier
releases should just remove the files->count line from unsafe_exec().]
Reported-by: NJoe Malicki <jmalicki@metacarta.com>
Narrowed-down-by: NMichael Itz <mitz@metacarta.com>
Tested-by: NJoe Malicki <jmalicki@metacarta.com>
Signed-off-by: NHugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

2.6.26's commit fd8328be
"sanitize handling of shared descriptor tables in failing execve()"
moved the unshare_files() from flush_old_exec() and several binfmts
to the head of do_execve(); but forgot to make the same change to
compat_do_execve(), leaving a CLONE_FILES files_struct shared across
exec from a 32-bit process on a 64-bit kernel.

It's arguable whether the files_struct really ought to be unshared
across exec; but 2.6.1 made that so to stop the loading binary's fd
leaking into other threads, and a 32-bit process on a 64-bit kernel
ought to behave in the same way as 32 on 32 and 64 on 64.
Signed-off-by: NHugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

* 'i2c-for-linus' of git://jdelvare.pck.nerim.net/jdelvare-2.6:
  i2c-core: Some style cleanups
  i2c-piix4: Add support for the Broadcom HT1100 chipset
  i2c-piix4: Add support to SB800 SMBus changes
  i2c-pca-platform: Use defaults if no platform_data given
  i2c-algo-pca: Use timeout for checking the state machine
  i2c-algo-pca: Rework waiting for a free bus
  i2c-algo-pca: Add PCA9665 support
  i2c: Adapt debug macros for KERN_* constants
  i2c-davinci: Fix timeout handling
  i2c: Adapter timeout is in jiffies
  i2c: Set a default timeout value for all adapters
  i2c: Add missing KERN_* constants to printks
  i2c-algo-pcf: Handle timeout correctly
  i2c-algo-pcf: Style cleanups
  eeprom/at24: Remove EXPERIMENTAL
  i2c-nforce2: Add support for MCP67, MCP73, MCP78S and MCP79
  i2c: Clarify which clients are auto-removed
  i2c: Let checkpatch shout on users of the legacy model
  i2c: Document the different ways to instantiate i2c devices

* 'devel' of master.kernel.org:/home/rmk/linux-2.6-arm: (422 commits)
  [ARM] 5435/1: fix compile warning in sanity_check_meminfo()
  [ARM] 5434/1: ARM: OMAP: Fix mailbox compile for 24xx
  [ARM] pxa: fix the bad assumption that PCMCIA sockets always start with 0
  [ARM] pxa: fix Colibri PXA300 and PXA320 LCD backlight pins
  imxfb: Fix TFT mode
  i.MX21/27: remove ifdef CONFIG_FB_IMX
  imxfb: add clock support
  mxc: add arch_reset() function
  clkdev: add possibility to get a clock based on the device name
  i.MX1: remove fb support from mach-imx
  [ARM] pxa: build arch/arm/plat-pxa/mfp.c only when PXA3xx or ARCH_MMP defined
  Gemini: Add support for Teltonika RUT100
  Gemini: gpiolib based GPIO support v2
  MAINTAINERS: add myself as Gemini architecture maintainer
  ARM: Add Gemini architecture v3
  [ARM] OMAP: Fix compile for omap2_init_common_hw()
  MAINTAINERS: Add myself as Faraday ARM core variant maintainer
  ARM: Add support for FA526 v2
  [ARM] acorn,ebsa110,footbridge,integrator,sa1100: Convert asm/io.h to linux/io.h
  [ARM] collie: fix two minor formatting nits
  ...

* git://git.kernel.org/pub/scm/linux/kernel/git/arjan/linux-2.6-async-for-30:
  fastboot: remove duplicate unpack_to_rootfs()
  ide/net: flip the order of SATA and network init
  async: remove the temporary (2.6.29) "async is off by default" code

Fix up conflicts in init/initramfs.c manually

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/blackfin-2.6:
  Blackfin arch: be less noisy when gets a gpio conflict after kernel has booted
  Blackfin arch: add RSI's definitions to bf514 and bf516
  Blackfin arch: add link-time asserts to make sure on-chip regions dont overflow
  Blackfin arch: sport spi needs 6 gpio pins
  Blackfin arch: add sport-spi related resource stuff to board file
  Blackfin arch: Blacklist Hibernate (PM_SUSPEND_MEM) on BF561 as well
  Blackfin arch: Privide BF537-STAMP platform data of ADP5520 Multifunction driver
  Blackfin arch: enable the platfrom PATA driver with CF Cards
  Blackfin arch: clean up sports header file
  Blackfin arch: convert BF5{18,27,48}_FAMILY to CONFIG_BF{51,52,54}x
  Blackfin arch: bf51x processors also have 8 timers
  Blackfin arch: add a check to make sure only Blackfin GPIOs may generate IRQs
  Blackfin arch: update default kernel configuration
  Blackfin arch: include linux headers that this one uses definitions from fro sport drivers

Merge branch 'percpu-cpumask-x86-for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'percpu-cpumask-x86-for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (682 commits)
  percpu: fix spurious alignment WARN in legacy SMP percpu allocator
  percpu: generalize embedding first chunk setup helper
  percpu: more flexibility for @dyn_size of pcpu_setup_first_chunk()
  percpu: make x86 addr <-> pcpu ptr conversion macros generic
  linker script: define __per_cpu_load on all SMP capable archs
  x86: UV: remove uv_flush_tlb_others() WARN_ON
  percpu: finer grained locking to break deadlock and allow atomic free
  percpu: move fully free chunk reclamation into a work
  percpu: move chunk area map extension out of area allocation
  percpu: replace pcpu_realloc() with pcpu_mem_alloc() and pcpu_mem_free()
  x86, percpu: setup reserved percpu area for x86_64
  percpu, module: implement reserved allocation and use it for module percpu variables
  percpu: add an indirection ptr for chunk page map access
  x86: make embedding percpu allocator return excessive free space
  percpu: use negative for auto for pcpu_setup_first_chunk() arguments
  percpu: improve first chunk initial area map handling
  percpu: cosmetic renames in pcpu_setup_first_chunk()
  percpu: clean up percpu constants
  x86: un-__init fill_pud/pmd/pte
  x86: remove vestigial fix_ioremap prototypes
  ...

Manually merge conflicts in arch/ia64/kernel/irq_ia64.c

Some lines over 80. 
The printk(KERN_ERR ... ) should be dev_err.
And some blankspace should be deleted.
Signed-off-by: NZhenwen Xu <helight.xu@gmail.com>
Signed-off-by: NJean Delvare <khlai@linux-fr.org>

Add support for the Broadcom HT1100 LD chipset (SMBus function.)
Signed-off-by: NFlavio Leitner <fbl@redhat.com>
Signed-off-by: NJean Delvare <khali@linux-fr.org>

Add support for the AMD SB800 Family series of products.
Major changes include the changes to addressing the SMBus registers at different
location from the locations in the previous compatible parts from AMD such as
SB400/SB600/SB700. For SB800, the main features and register definitions of
SMBus and other interfaces are still compatible with the previous products with
the only change being in how to access the internal registers for these blocks.
Signed-off-by: NShane Huang <shane.huang@amd.com>
Signed-off-by: NJean Delvare <khali@linux-fr.org>

Signed-off-by: NWolfram Sang <w.sang@pengutronix.de>
Signed-off-by: NJean Delvare <khali@linux-fr.org>

We now timeout also if the state machine does not change within the
given time. For that, the driver-specific completion-functions are
extended to return true or false depending on the timeout. This then
gets checked in the algorithm.
Signed-off-by: NWolfram Sang <w.sang@pengutronix.de>
Signed-off-by: NJean Delvare <khali@linux-fr.org>

Waiting for a free bus now accepts the timeout value in jiffies and does
proper checking using time_before.
Signed-off-by: NWolfram Sang <w.sang@pengutronix.de>
Signed-off-by: NJean Delvare <khali@linux-fr.org>

Add support for the PCA9665 I2C controller.
Signed-off-by: NWolfram Sang <w.sang@pengutronix.de>
Signed-off-by: NJean Delvare <khali@linux-fr.org>

According to kerneljanitors todo list all printk calls (beginning
a new line) should have an according KERN_* constant.
Those are the changes to the debug macros in the i2c subsystem
to meet this requirement. Also changing no-debug statements
to raw printks again.
Signed-off-by: NFrank Seidel <frank@f-seidel.de>
Signed-off-by: NJean Delvare <khali@linux-fr.org>
Tested-by: NWolfram Sang <w.sang@pengutronix.de>

Properly set the adapter timeout value in jiffies, and then use that
value in the driver, rather than a hard-coded constant.
Signed-off-by: NJean Delvare <khali@linux-fr.org>
Tested-by: NTroy Kisky <troy.kisky@boundarydevices.com>
Cc: Kevin Hilman <khilman@mvista.com>

i2c_adapter.timeout is in jiffies. Fix all drivers which thought
otherwise. It didn't really matter as long as the value was only used
inside the driver, but soon i2c-core will use it too so it must have
the proper unit.

Note: for the i2c-mpc driver, this fixes a bug in polling mode.
Timeout would trigger after 1 jiffy, which is most probably not what
the author wanted.
Signed-off-by: NJean Delvare <khali@linux-fr.org>
Cc: Clifford Wolf <clifford@clifford.at>
Acked-by: NSean MacLennan <smaclennan@pikatech.com>
Cc: Stefan Roese <sr@denx.de>
Acked-by: NLennert Buytenhek <kernel@wantstofly.org>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Grant Likely <grant.likely@secretlab.ca>
Acked-by: NMark A. Greer <mgreer@mvista.com>

Setting a default timeout value on a per-algo basis doesn't make any
sense. Move the default value setting to i2c-core. Individual adapter
drivers can specify a different (non-zero) value if they wish.

Also express the timeout value in a way which results in the same
duration regarless of the value of HZ.
Signed-off-by: NJean Delvare <khali@linux-fr.org>
Acked-by: NWolfram Sang <w.sang@pengutronix.de>

According to kerneljanitors todo list all printk calls (beginning
a new line) should have an according KERN_* constant.
Those are the missing pieces here for the i2c subsystem.
Signed-off-by: NFrank Seidel <frank@f-seidel.de>
Signed-off-by: NJean Delvare <khali@linux-fr.org>

With a postfix decrement these timeouts reach -1 rather than 0, but after the
loop it is tested whether they have become 0.

As pointed out by Jean Delvare, the msg_num should be tested before the timeout.
With the current order, you could exit with a timeout error while all the
messages were successfully transferred.
Signed-off-by: NRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: NJean Delvare <khali@linux-fr.org>
Acked-by: NEric Brower <ebrower@gmail.com>

cleanup whitespace, fix comments and remove the unused STUB_I2C.
Signed-off-by: NRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: NJean Delvare <khali@linux-fr.org>
Acked-by: NEric Brower <ebrower@gmail.com>

This driver has been widely used since inclusion and no problems have
been reported.
Signed-off-by: NWolfram Sang <w.sang@pengutronix.de>
Cc: David Brownell <david-b@pacbell.net>
Signed-off-by: NJean Delvare <khali@linux-fr.org>