1. 07 Apr, 2015 5 commits
  2. 02 Apr, 2015 1 commit
  3. 31 Mar, 2015 1 commit
  4. 27 Mar, 2015 2 commits
  5. 23 Mar, 2015 4 commits
    • Paul Gortmaker's avatar
      smack: Fix gcc warning from unused smack_syslog_lock mutex in smackfs.c · f43b65ba
      Paul Gortmaker authored
      In commit 00f84f3f ("Smack: Make the
      syslog control configurable") this mutex was added, but the rest of
      the final commit never actually made use of it, resulting in:
      
       In file included from include/linux/mutex.h:29:0,
                        from include/linux/notifier.h:13,
                        from include/linux/memory_hotplug.h:6,
                        from include/linux/mmzone.h:821,
                        from include/linux/gfp.h:5,
                        from include/linux/slab.h:14,
                        from include/linux/security.h:27,
                        from security/smack/smackfs.c:21:
       security/smack/smackfs.c:63:21: warning: ‘smack_syslog_lock’ defined but not used [-Wunused-variable]
        static DEFINE_MUTEX(smack_syslog_lock);
                            ^
      
      A git grep shows no other instances/references to smack_syslog_lock.
      Delete it, assuming that the mutex addition was just a leftover from
      an earlier work in progress version of the change.
      Signed-off-by: default avatarPaul Gortmaker <paul.gortmaker@windriver.com>
      f43b65ba
    • Casey Schaufler's avatar
      Smack: Allow an unconfined label in bringup mode · bf4b2fee
      Casey Schaufler authored
      I have vehemently opposed adding a "permissive" mode to Smack
      for the simple reasons that it would be subject to massive abuse
      and that developers refuse to turn it off come product release.
      I still believe that this is true, and still refuse to add a
      general "permissive mode". So don't ask again.
      
      Bumjin Im suggested an approach that addresses most of the concerns,
      and I have implemented it here. I still believe that we'd be better
      off without this sort of thing, but it looks like this minimizes the
      abuse potential.
      
      Firstly, you have to configure Smack Bringup Mode. That allows
      for "release" software to be ammune from abuse. Second, only one
      label gets to be "permissive" at a time. You can use it for
      debugging, but that's about it.
      
      A label written to smackfs/unconfined is treated specially.
      If either the subject or object label of an access check
      matches the "unconfined" label, and the access would not
      have been allowed otherwise an audit record and a console
      message are generated. The audit record "request" string is
      marked with either "(US)" or "(UO)", to indicate that the
      request was granted because of an unconfined label. The
      fact that an inode was accessed by an unconfined label is
      remembered, and subsequent accesses to that "impure"
      object are noted in the log. The impurity is not stored in
      the filesystem, so a file mislabled as a side effect of
      using an unconfined label may still cause concern after
      a reboot.
      
      So, it's there, it's dangerous, but so many application
      developers seem incapable of living without it I have
      given in. I've tried to make it as safe as I can, but
      in the end it's still a chain saw.
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      bf4b2fee
    • José Bollo's avatar
      Smack: getting the Smack security context of keys · 7fc5f36e
      José Bollo authored
      With this commit, the LSM Smack implements the LSM
      side part of the system call keyctl with the action
      code KEYCTL_GET_SECURITY.
      
      It is now possible to get the context of, for example,
      the user session key using the command "keyctl security @s".
      
      The original patch has been modified for merge.
      Signed-off-by: default avatarJosé Bollo <jose.bollo@open.eurogiciel.org>
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      7fc5f36e
    • Marcin Lis's avatar
      Smack: Assign smack_known_web as default smk_in label for kernel thread's socket · 7412301b
      Marcin Lis authored
      This change fixes the bug associated with sockets owned by kernel threads. These
      sockets, created usually by network devices' drivers tasks, received smk_in
      label from the task that created them - the "floor" label in the most cases. The
      result was that they were not able to receive data packets because of missing
      smack rules. The main reason of the access deny is that the socket smk_in label
      is placed as the object during smk check, kernel thread's capabilities are
      omitted.
      Signed-off-by: default avatarMarcin Lis <m.lis@samsung.com>
      7412301b
  6. 18 Mar, 2015 8 commits
  7. 05 Mar, 2015 2 commits
    • Jarkko Sakkinen's avatar
      tpm: fix call order in tpm-chip.c · d972b052
      Jarkko Sakkinen authored
      - tpm_dev_add_device(): cdev_add() must be done before uevent is
        propagated in order to avoid races.
      - tpm_chip_register(): tpm_dev_add_device() must be done as the
        last step before exposing device to the user space in order to
        avoid races.
      
      In addition clarified description in tpm_chip_register().
      
      Fixes: 313d21ee ("tpm: device class for tpm")
      Fixes: afb5abc2 ("tpm: two-phase chip management functions")
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Reviewed-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      Signed-off-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      d972b052
    • jmlatten@linux.vnet.ibm.com's avatar
      tpm/ibmvtpm: Additional LE support for tpm_ibmvtpm_send · 6da2517d
      jmlatten@linux.vnet.ibm.com authored
      Problem: When IMA and VTPM are both enabled in kernel config,
      kernel hangs during bootup on LE OS.
      
      Why?: IMA calls tpm_pcr_read() which results in tpm_ibmvtpm_send
      and tpm_ibmtpm_recv getting called. A trace showed that
      tpm_ibmtpm_recv was hanging.
      
      Resolution: tpm_ibmtpm_recv was hanging because tpm_ibmvtpm_send
      was sending CRQ message that probably did not make much sense
      to phype because of Endianness. The fix below sends correctly
      converted CRQ for LE. This was not caught before because it
      seems IMA is not enabled by default in kernel config and
      IMA exercises this particular code path in vtpm.
      
      Tested with IMA and VTPM enabled in kernel config and VTPM
      enabled on both a BE OS and a LE OS ppc64 lpar. This exercised
      CRQ and TPM command code paths in vtpm.
      Patch is against Peter's tpmdd tree on github which included
      Vicky's previous vtpm le patches.
      Signed-off-by: default avatarJoy Latten <jmlatten@linux.vnet.ibm.com>
      Cc: <stable@vger.kernel.org> # eb71f8a5: "Added Little Endian support to vtpm module"
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarAshley Lai <ashley@ahsleylai.com>
      Signed-off-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      6da2517d
  8. 03 Mar, 2015 1 commit
  9. 28 Feb, 2015 2 commits
  10. 23 Feb, 2015 3 commits
    • Linus Torvalds's avatar
      Linux 4.0-rc1 · c517d838
      Linus Torvalds authored
      .. after extensive statistical analysis of my G+ polling, I've come to
      the inescapable conclusion that internet polls are bad.
      
      Big surprise.
      
      But "Hurr durr I'ma sheep" trounced "I like online polls" by a 62-to-38%
      margin, in a poll that people weren't even supposed to participate in.
      Who can argue with solid numbers like that? 5,796 votes from people who
      can't even follow the most basic directions?
      
      In contrast, "v4.0" beat out "v3.20" by a slimmer margin of 56-to-44%,
      but with a total of 29,110 votes right now.
      
      Now, arguably, that vote spread is only about 3,200 votes, which is less
      than the almost six thousand votes that the "please ignore" poll got, so
      it could be considered noise.
      
      But hey, I asked, so I'll honor the votes.
      c517d838
    • Linus Torvalds's avatar
      Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · feaf2229
      Linus Torvalds authored
      Pull ext4 fixes from Ted Ts'o:
       "Ext4 bug fixes.
      
        We also reserved code points for encryption and read-only images (for
        which the implementation is mostly just the reserved code point for a
        read-only feature :-)"
      
      * tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: fix indirect punch hole corruption
        ext4: ignore journal checksum on remount; don't fail
        ext4: remove duplicate remount check for JOURNAL_CHECKSUM change
        ext4: fix mmap data corruption in nodelalloc mode when blocksize < pagesize
        ext4: support read-only images
        ext4: change to use setup_timer() instead of init_timer()
        ext4: reserve codepoints used by the ext4 encryption feature
        jbd2: complain about descriptor block checksum errors
      feaf2229
    • Linus Torvalds's avatar
      Merge branch 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · be5e6616
      Linus Torvalds authored
      Pull more vfs updates from Al Viro:
       "Assorted stuff from this cycle.  The big ones here are multilayer
        overlayfs from Miklos and beginning of sorting ->d_inode accesses out
        from David"
      
      * 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (51 commits)
        autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation
        procfs: fix race between symlink removals and traversals
        debugfs: leave freeing a symlink body until inode eviction
        Documentation/filesystems/Locking: ->get_sb() is long gone
        trylock_super(): replacement for grab_super_passive()
        fanotify: Fix up scripted S_ISDIR/S_ISREG/S_ISLNK conversions
        Cachefiles: Fix up scripted S_ISDIR/S_ISREG/S_ISLNK conversions
        VFS: (Scripted) Convert S_ISLNK/DIR/REG(dentry->d_inode) to d_is_*(dentry)
        SELinux: Use d_is_positive() rather than testing dentry->d_inode
        Smack: Use d_is_positive() rather than testing dentry->d_inode
        TOMOYO: Use d_is_dir() rather than d_inode and S_ISDIR()
        Apparmor: Use d_is_positive/negative() rather than testing dentry->d_inode
        Apparmor: mediated_filesystem() should use dentry->d_sb not inode->i_sb
        VFS: Split DCACHE_FILE_TYPE into regular and special types
        VFS: Add a fallthrough flag for marking virtual dentries
        VFS: Add a whiteout dentry type
        VFS: Introduce inode-getting helpers for layered/unioned fs environments
        Infiniband: Fix potential NULL d_inode dereference
        posix_acl: fix reference leaks in posix_acl_create
        autofs4: Wrong format for printing dentry
        ...
      be5e6616
  11. 22 Feb, 2015 11 commits
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm · 90c453ca
      Linus Torvalds authored
      Pull ARM fix from Russell King:
       "Just one fix this time around.  __iommu_alloc_buffer() can cause a
        BUG() if dma_alloc_coherent() is called with either __GFP_DMA32 or
        __GFP_HIGHMEM set.  The patch from Alexandre addresses this"
      
      * 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
        ARM: 8305/1: DMA: Fix kzalloc flags in __iommu_alloc_buffer()
      90c453ca
    • Al Viro's avatar
      autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation · 0a280962
      Al Viro authored
      X-Coverup: just ask spender
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      0a280962
    • Al Viro's avatar
      procfs: fix race between symlink removals and traversals · 7e0e953b
      Al Viro authored
      use_pde()/unuse_pde() in ->follow_link()/->put_link() resp.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      7e0e953b
    • Al Viro's avatar
      debugfs: leave freeing a symlink body until inode eviction · 0db59e59
      Al Viro authored
      As it is, we have debugfs_remove() racing with symlink traversals.
      Supply ->evict_inode() and do freeing there - inode will remain
      pinned until we are done with the symlink body.
      
      And rip the idiocy with checking if dentry is positive right after
      we'd verified debugfs_positive(), which is a stronger check...
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      0db59e59
    • Al Viro's avatar
      dca11178
    • Konstantin Khlebnikov's avatar
      trylock_super(): replacement for grab_super_passive() · eb6ef3df
      Konstantin Khlebnikov authored
      I've noticed significant locking contention in memory reclaimer around
      sb_lock inside grab_super_passive(). Grab_super_passive() is called from
      two places: in icache/dcache shrinkers (function super_cache_scan) and
      from writeback (function __writeback_inodes_wb). Both are required for
      progress in memory allocator.
      
      Grab_super_passive() acquires sb_lock to increment sb->s_count and check
      sb->s_instances. It seems sb->s_umount locked for read is enough here:
      super-block deactivation always runs under sb->s_umount locked for write.
      Protecting super-block itself isn't a problem: in super_cache_scan() sb
      is protected by shrinker_rwsem: it cannot be freed if its slab shrinkers
      are still active. Inside writeback super-block comes from inode from bdi
      writeback list under wb->list_lock.
      
      This patch removes locking sb_lock and checks s_instances under s_umount:
      generic_shutdown_super() unlinks it under sb->s_umount locked for write.
      New variant is called trylock_super() and since it only locks semaphore,
      callers must call up_read(&sb->s_umount) instead of drop_super(sb) when
      they're done.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      eb6ef3df
    • David Howells's avatar
      fanotify: Fix up scripted S_ISDIR/S_ISREG/S_ISLNK conversions · 54f2a2f4
      David Howells authored
      Fanotify probably doesn't want to watch autodirs so make it use d_can_lookup()
      rather than d_is_dir() when checking a dir watch and give an error on fake
      directories.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      54f2a2f4
    • David Howells's avatar
      Cachefiles: Fix up scripted S_ISDIR/S_ISREG/S_ISLNK conversions · ce40fa78
      David Howells authored
      Fix up the following scripted S_ISDIR/S_ISREG/S_ISLNK conversions (or lack
      thereof) in cachefiles:
      
       (1) Cachefiles mostly wants to use d_can_lookup() rather than d_is_dir() as
           it doesn't want to deal with automounts in its cache.
      
       (2) Coccinelle didn't find S_IS* expressions in ASSERT() statements in
           cachefiles.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      ce40fa78
    • David Howells's avatar
      VFS: (Scripted) Convert S_ISLNK/DIR/REG(dentry->d_inode) to d_is_*(dentry) · e36cb0b8
      David Howells authored
      Convert the following where appropriate:
      
       (1) S_ISLNK(dentry->d_inode) to d_is_symlink(dentry).
      
       (2) S_ISREG(dentry->d_inode) to d_is_reg(dentry).
      
       (3) S_ISDIR(dentry->d_inode) to d_is_dir(dentry).  This is actually more
           complicated than it appears as some calls should be converted to
           d_can_lookup() instead.  The difference is whether the directory in
           question is a real dir with a ->lookup op or whether it's a fake dir with
           a ->d_automount op.
      
      In some circumstances, we can subsume checks for dentry->d_inode not being
      NULL into this, provided we the code isn't in a filesystem that expects
      d_inode to be NULL if the dirent really *is* negative (ie. if we're going to
      use d_inode() rather than d_backing_inode() to get the inode pointer).
      
      Note that the dentry type field may be set to something other than
      DCACHE_MISS_TYPE when d_inode is NULL in the case of unionmount, where the VFS
      manages the fall-through from a negative dentry to a lower layer.  In such a
      case, the dentry type of the negative union dentry is set to the same as the
      type of the lower dentry.
      
      However, if you know d_inode is not NULL at the call site, then you can use
      the d_is_xxx() functions even in a filesystem.
      
      There is one further complication: a 0,0 chardev dentry may be labelled
      DCACHE_WHITEOUT_TYPE rather than DCACHE_SPECIAL_TYPE.  Strictly, this was
      intended for special directory entry types that don't have attached inodes.
      
      The following perl+coccinelle script was used:
      
      use strict;
      
      my @callers;
      open($fd, 'git grep -l \'S_IS[A-Z].*->d_inode\' |') ||
          die "Can't grep for S_ISDIR and co. callers";
      @callers = <$fd>;
      close($fd);
      unless (@callers) {
          print "No matches\n";
          exit(0);
      }
      
      my @cocci = (
          '@@',
          'expression E;',
          '@@',
          '',
          '- S_ISLNK(E->d_inode->i_mode)',
          '+ d_is_symlink(E)',
          '',
          '@@',
          'expression E;',
          '@@',
          '',
          '- S_ISDIR(E->d_inode->i_mode)',
          '+ d_is_dir(E)',
          '',
          '@@',
          'expression E;',
          '@@',
          '',
          '- S_ISREG(E->d_inode->i_mode)',
          '+ d_is_reg(E)' );
      
      my $coccifile = "tmp.sp.cocci";
      open($fd, ">$coccifile") || die $coccifile;
      print($fd "$_\n") || die $coccifile foreach (@cocci);
      close($fd);
      
      foreach my $file (@callers) {
          chomp $file;
          print "Processing ", $file, "\n";
          system("spatch", "--sp-file", $coccifile, $file, "--in-place", "--no-show-diff") == 0 ||
      	die "spatch failed";
      }
      
      [AV: overlayfs parts skipped]
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      e36cb0b8
    • David Howells's avatar
      SELinux: Use d_is_positive() rather than testing dentry->d_inode · 2c616d4d
      David Howells authored
      Use d_is_positive() rather than testing dentry->d_inode in SELinux to get rid
      of direct references to d_inode outside of the VFS.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      2c616d4d
    • David Howells's avatar
      Smack: Use d_is_positive() rather than testing dentry->d_inode · 8802565b
      David Howells authored
      Use d_is_positive() rather than testing dentry->d_inode in Smack to get rid of
      direct references to d_inode outside of the VFS.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      8802565b