1. 03 Jun, 2014 5 commits
    • ima: audit log files opened with O_DIRECT flag · f9b2a735
      Mimi Zohar authored
      Files are measured or appraised based on the IMA policy.  When a
      file, in policy, is opened with the O_DIRECT flag, a deadlock
      occurs.
      
      The first attempt at resolving this lockdep temporarily removed the
      O_DIRECT flag and restored it, after calculating the hash.  The
      second attempt introduced the O_DIRECT_HAVELOCK flag. Based on this
      flag, do_blockdev_direct_IO() would skip taking the i_mutex a second
      time.  The third attempt, by Dmitry Kasatkin, resolves the i_mutex
      locking issue, by re-introducing the IMA mutex, but uncovered
      another problem.  Reading a file with O_DIRECT flag set, writes
      directly to userspace pages.  A second patch allocates a user-space
      like memory.  This works for all IMA hooks, except ima_file_free(),
      which is called on __fput() to recalculate the file hash.
      
      Until this last issue is addressed, do not 'collect' the
      measurement for measuring, appraising, or auditing files opened
      with the O_DIRECT flag set.  Based on policy, permit or deny file
      access.  This patch defines a new IMA policy rule option named
      'permit_directio'.  Policy rules could be defined, based on LSM
      or other criteria, to permit specific applications to open files
      with the O_DIRECT flag set.
      
      Changelog v1:
      - permit or deny file access based on IMA policy rules
      Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Acked-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
      Cc: <stable@vger.kernel.org>
    • selinux: conditionally reschedule in hashtab_insert while loading selinux policy · ed1c9642
      Dave Jones authored
      After silencing the sleeping warning in mls_convert_context() I started
      seeing similar traces from hashtab_insert. Do a cond_resched there too.
      Signed-off-by: Dave Jones <davej@redhat.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • selinux: conditionally reschedule in mls_convert_context while loading selinux policy · 9a591f39
      Dave Jones authored
      On a slow machine (with debugging enabled), upgrading selinux policy may take
      a considerable amount of time. Long enough that the softlockup detector
      gets triggered.
      
      The backtrace looks like this..
      
       > BUG: soft lockup - CPU#2 stuck for 23s! [load_policy:19045]
       > Call Trace:
       >  [<ffffffff81221ddf>] symcmp+0xf/0x20
       >  [<ffffffff81221c27>] hashtab_search+0x47/0x80
       >  [<ffffffff8122e96c>] mls_convert_context+0xdc/0x1c0
       >  [<ffffffff812294e8>] convert_context+0x378/0x460
       >  [<ffffffff81229170>] ? security_context_to_sid_core+0x240/0x240
       >  [<ffffffff812221b5>] sidtab_map+0x45/0x80
       >  [<ffffffff8122bb9f>] security_load_policy+0x3ff/0x580
       >  [<ffffffff810788a8>] ? sched_clock_cpu+0xa8/0x100
       >  [<ffffffff810786dd>] ? sched_clock_local+0x1d/0x80
       >  [<ffffffff810788a8>] ? sched_clock_cpu+0xa8/0x100
       >  [<ffffffff8103096a>] ? __change_page_attr_set_clr+0x82a/0xa50
       >  [<ffffffff810786dd>] ? sched_clock_local+0x1d/0x80
       >  [<ffffffff810788a8>] ? sched_clock_cpu+0xa8/0x100
       >  [<ffffffff8103096a>] ? __change_page_attr_set_clr+0x82a/0xa50
       >  [<ffffffff810788a8>] ? sched_clock_cpu+0xa8/0x100
       >  [<ffffffff81534ddc>] ? retint_restore_args+0xe/0xe
       >  [<ffffffff8109c82d>] ? trace_hardirqs_on_caller+0xfd/0x1c0
       >  [<ffffffff81279a2e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
       >  [<ffffffff810d28a8>] ? rcu_irq_exit+0x68/0xb0
       >  [<ffffffff81534ddc>] ? retint_restore_args+0xe/0xe
       >  [<ffffffff8121e947>] sel_write_load+0xa7/0x770
       >  [<ffffffff81139633>] ? vfs_write+0x1c3/0x200
       >  [<ffffffff81210e8e>] ? security_file_permission+0x1e/0xa0
       >  [<ffffffff8113952b>] vfs_write+0xbb/0x200
       >  [<ffffffff811581c7>] ? fget_light+0x397/0x4b0
       >  [<ffffffff81139c27>] SyS_write+0x47/0xa0
       >  [<ffffffff8153bde4>] tracesys+0xdd/0xe2
      
      Stephen Smalley suggested:
      
       > Maybe put a cond_resched() within the ebitmap_for_each_positive_bit()
       > loop in mls_convert_context()?
      
      That seems to do the trick. Tested by downgrading and re-upgrading selinux-policy-targeted.
      Signed-off-by: Dave Jones <davej@redhat.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • selinux: reject setexeccon() on MNT_NOSUID applications with -EACCES · 5b589d44
      Paul Moore authored
      We presently prevent processes from using setexeccon() to set the
      security label of exec()'d processes when NO_NEW_PRIVS is enabled by
      returning an error; however, we silently ignore setexeccon() when
      exec()'ing from a nosuid mounted filesystem.  This patch makes things
      a bit more consistent by returning an error in the setexeccon()/nosuid
      case.
      Signed-off-by: Paul Moore <pmoore@redhat.com>
      Acked-by: Andy Lutomirski <luto@amacapital.net>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
    • selinux: Report permissive mode in avc: denied messages. · ca7786a2
      Stephen Smalley authored
      We cannot presently tell from an avc: denied message whether access was in
      fact denied or was allowed due to global or per-domain permissive mode.
      Add a permissive= field to the avc message to reflect this information.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Acked-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
  2. 20 May, 2014 1 commit
  3. 06 May, 2014 1 commit
  4. 30 Apr, 2014 1 commit
  5. 23 Apr, 2014 1 commit
  6. 15 Apr, 2014 1 commit
  7. 14 Apr, 2014 2 commits
  8. 11 Apr, 2014 8 commits
  9. 31 Mar, 2014 6 commits
    • Linux 3.14 · 455c6fdb
      Linus Torvalds authored
    • Merge branch 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · fedc1ed0
      Linus Torvalds authored
      Pull vfs fixes from Al Viro:
       "Switch mnt_hash to hlist, turning the races between __lookup_mnt() and
        hash modifications into false negatives from __lookup_mnt() (instead
        of hangs)"
      
      On the false negatives from __lookup_mnt():
       "The *only* thing we care about is not getting stuck in __lookup_mnt().
        If it misses an entry because something in front of it just got moved
        around, etc, we are fine.  We'll notice that mount_lock mismatch and
        that'll be it"
      
      * 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        switch mnt_hash to hlist
        don't bother with propagate_mnt() unless the target is shared
        keep shadowed vfsmounts together
        resizable namespace.c hashes
    • MAINTAINERS: resume as Documentation maintainer · 01358e56
      Randy Dunlap authored
      I am the new kernel tree Documentation maintainer (except for parts that
      are handled by other people, of course).
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Acked-by: Rob Landley <rob@landley.net>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 915ac4e2
      Linus Torvalds authored
      Pull input updates from Dmitry Torokhov:
       "Some more updates for the input subsystem.
      
        You will get a fix for race in mousedev that has been causing quite a
        few oopses lately and a small fixup for force feedback support in
        evdev"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: mousedev - fix race when creating mixed device
        Input: don't modify the id of ioctl-provided ff effect on upload failure
    • AUDIT: Allow login in non-init namespaces · aa4af831
      Eric Paris authored
      It is possible to configure your PAM stack to refuse login if audit
      messages (about the login) were unable to be sent.  This is common in
      many distros and thus normal configuration of many containers.  The PAM
      modules determine if audit is enabled/disabled in the kernel based on
      the return value from sending an audit message on the netlink socket.
      If userspace gets back ECONNREFUSED it believes audit is disabled in the
      kernel.  If it gets any other error it refuses to let the login
      proceed.
      
      Just about ever since the introduction of namespaces the kernel audit
      subsystem has returned EPERM if the task sending a message was not in
      the init user or pid namespace.  So many forms of containers have never
      worked if audit was enabled in the kernel.
      
      BUT if the container was not in net_init then the kernel network code
      would send ECONNREFUSED (instead of the audit code sending EPERM).  Thus
      by pure accident/dumb luck/bug if an admin configured the PAM stack to
      reject all logins that didn't talk to audit, but then ran the login
      utility in the non-init_net namespace, it would work!! Clearly this was
      a bug, but it is a bug some people expected.
      
      With the introduction of network namespace support in 3.14-rc1 the two
      bugs stopped cancelling each other out.  Now, containers in the
      non-init_net namespace refused to let users log in (just like PAM was
      configured!) Obviously some people were not happy that what used to let
      users log in, now didn't!
      
      This fix is kinda hacky.  We return ECONNREFUSED for all non-init
      relevant namespaces.  That means that not only will the old broken
      non-init_net setups continue to work, now the broken non-init_pid or
      non-init_user setups will 'work'.  They don't really work, since audit
      isn't logging things.  But it's what most users want.
      
      In 3.15 we should have patches to support not only the non-init_net
      (3.14) namespace but also the non-init_pid and non-init_user namespace.
      So all will be right in the world.  This just opens the doors wide open
      on 3.14 and hopefully makes users happy, if not the audit system...
      Reported-by: Andre Tomt <andre@tomt.net>
      Reported-by: Adam Richter <adam_richter2004@yahoo.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • ext4: atomically set inode->i_flags in ext4_set_inode_flags() · 00a1a053
      Theodore Ts'o authored
      Use cmpxchg() to atomically set i_flags instead of clearing out the
      S_IMMUTABLE, S_APPEND, etc. flags and then setting them from the
      EXT4_IMMUTABLE_FL, EXT4_APPEND_FL flags, since this opens up a race
      where an immutable file has the immutable flag cleared for a brief
      window of time.
      Reported-by: John Sullivan <jsrhbz@kanargh.force9.co.uk>
      Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  10. 30 Mar, 2014 4 commits
  11. 29 Mar, 2014 5 commits
  12. 28 Mar, 2014 5 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 49d8137a
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) We've discovered a common error in several networking drivers, they
          put VLAN offload features into ->vlan_features, which would suggest
          that they support offloading 2 or more levels of VLAN encapsulation.
          Not only do these devices not do that, but we don't have the
          infrastructure yet to handle that at all.
      
          Fixes from Vlad Yasevich.
      
       2) Fix tcpdump crash with bridging and vlans, also from Vlad.
      
       3) Some MAINTAINERS updates for random32 and bonding.
      
       4) Fix late reseeds of prandom generator, from Sasha Levin.
      
       5) Bridge doesn't handle stacked vlans properly, fix from Toshiaki
          Makita.
      
       6) Fix deadlock in openvswitch, from Flavio Leitner.
      
       7) get_timewait4_sock() doesn't report delay times correctly, fix from
          Eric Dumazet.
      
       8) Duplicate address detection and addrconf verification need to run in
          contexts where RTNL can be obtained.  Move them to run from a
          workqueue.  From Hannes Frederic Sowa.
      
       9) Fix route refcount leaking in ip tunnels, from Pravin B Shelar.
      
      10) Don't return -EINTR from non-blocking recvmsg() on AF_UNIX sockets,
          from Eric Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (28 commits)
        vlan: Warn the user if lowerdev has bad vlan features.
        veth: Turn off vlan rx acceleration in vlan_features
        ifb: Remove vlan acceleration from vlan_features
        qlge: Do not propaged vlan tag offloads to vlans
        bridge: Fix crash with vlan filtering and tcpdump
        net: Account for all vlan headers in skb_mac_gso_segment
        MAINTAINERS: bonding: change email address
        MAINTAINERS: bonding: change email address
        ipv6: move DAD and addrconf_verify processing to workqueue
        tcp: fix get_timewait4_sock() delay computation on 64bit
        openvswitch: fix a possible deadlock and lockdep warning
        bridge: Fix handling stacked vlan tags
        bridge: Fix inabillity to retrieve vlan tags when tx offload is disabled
        vhost: validate vhost_get_vq_desc return value
        vhost: fix total length when packets are too short
        random32: avoid attempt to late reseed if in the middle of seeding
        random32: assign to network folks in MAINTAINERS
        net/mlx4_core: pass pci_device_id.driver_data to __mlx4_init_one during reset
        core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle errors
        vlan: Set hard_header_len according to available acceleration
        ...
    • Merge branch 'vlan_offloads' · 5f2feca2
      David S. Miller authored
      Vlad Yasevich says:
      
      ====================
      Audit all drivers for correct vlan_features.
      
      Some drivers set vlan acceleration features in vlan_features.  This causes
      issues with Q-in-Q/802.1ad configurations.
      
      Audit all the drivers for correct vlan_features.  Fix broken ones.
      Add a warning to vlan code to help catch future offenders.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vlan: Warn the user if lowerdev has bad vlan features. · 2adb956b
      Vlad Yasevich authored
      Some drivers incorrectly assign vlan acceleration features to
      vlan_features thus causing issues for Q-in-Q vlan configurations.
      Warn the user of such cases.
      Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • veth: Turn off vlan rx acceleration in vlan_features · 3f8c707b
      Vlad Yasevich authored
      For completeness, turn off vlan rx acceleration in vlan_features so
      that it doesn't show up on q-in-q setups.
      Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ifb: Remove vlan acceleration from vlan_features · 8dd6e147
      Vlad Yasevich authored
      Do not include vlan acceleration features in vlan_features as that
      precludes correct Q-in-Q operation.
      Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>