openwrt/staging/blogic.git
15 years agoSELinux: inode_doinit_with_dentry drop no dentry printk
Eric Paris [Mon, 9 Mar 2009 18:35:58 +0000 (14:35 -0400)]
SELinux: inode_doinit_with_dentry drop no dentry printk

Drop the printk message when an inode is found without an associated
dentry.  This should only happen when userspace can't be accessing those
inodes and those labels will get set correctly on the next d_instantiate.
Thus there is no reason to send this message.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoSELinux: new permission between tty audit and audit socket
Eric Paris [Thu, 5 Mar 2009 18:43:35 +0000 (13:43 -0500)]
SELinux: new permission between tty audit and audit socket

New selinux permission to separate the ability to turn on tty auditing from
the ability to set audit rules.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoSELinux: open perm for sock files
Eric Paris [Thu, 5 Mar 2009 18:40:35 +0000 (13:40 -0500)]
SELinux: open perm for sock files

When I did open permissions I didn't think any sockets would have an open.
Turns out AF_UNIX sockets can have an open when they are bound to the
filesystem namespace.  This patch adds a new SOCK_FILE__OPEN permission.
It's safe to add this as the open perms are already predicated on
capabilities and capabilities means we have unknown perm handling so
systems should be as backwards compatible as the policy wants them to
be.

https://bugzilla.redhat.com/show_bug.cgi?id=475224

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agosmack: fixes for unlabeled host support
etienne [Wed, 4 Mar 2009 06:33:51 +0000 (07:33 +0100)]
smack: fixes for unlabeled host support

The following patch (against 2.6.29rc5) fixes a few issues in the
smack/netlabel "unlabeled host support" functionnality that was added in
2.6.29rc.  It should go in before -final.

1) smack_host_label disregard a "0.0.0.0/0 @" rule (or other label),
preventing 'tagged' tasks to access Internet (many systems drop packets with
IP options)

2) netmasks were not handled correctly, they were stored in a way _not
equivalent_ to conversion to be32 (it was equivalent for /0, /8, /16, /24,
/32 masks but not other masks)

3) smack_netlbladdr prefixes (IP/mask) were not consistent (mask&IP was not
done), so there could have been different list entries for the same IP
prefix; if those entries had different labels, well ...

4) they were not sorted

1) 2) 3) are bugs, 4) is a more cosmetic issue.
The patch :

-creates a new helper smk_netlbladdr_insert to insert a smk_netlbladdr,
-sorted by netmask length

-use the new sorted nature of  smack_netlbladdrs list to simplify
 smack_host_label : the first match _will_ be the more specific

-corrects endianness issues in smk_write_netlbladdr &  netlbladdr_seq_show

Signed-off-by: <etienne.basset@numericable.fr>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agokeys: make procfiles per-user-namespace
Serge E. Hallyn [Fri, 27 Feb 2009 00:28:04 +0000 (18:28 -0600)]
keys: make procfiles per-user-namespace

Restrict the /proc/keys and /proc/key-users output to keys
belonging to the same user namespace as the reading task.

We may want to make this more complicated - so that any
keys in a user-namespace which is belongs to the reading
task are also shown.  But let's see if anyone wants that
first.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agokeys: skip keys from another user namespace
Serge E. Hallyn [Fri, 27 Feb 2009 00:27:55 +0000 (18:27 -0600)]
keys: skip keys from another user namespace

When listing keys, do not return keys belonging to the
same uid in another user namespace.  Otherwise uid 500
in another user namespace will return keyrings called
uid.500 for another user namespace.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agokeys: consider user namespace in key_permission
Serge E. Hallyn [Fri, 27 Feb 2009 00:27:47 +0000 (18:27 -0600)]
keys: consider user namespace in key_permission

If a key is owned by another user namespace, then treat the
key as though it is owned by both another uid and gid.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agokeys: distinguish per-uid keys in different namespaces
Serge E. Hallyn [Fri, 27 Feb 2009 00:27:38 +0000 (18:27 -0600)]
keys: distinguish per-uid keys in different namespaces

per-uid keys were looked by uid only.  Use the user namespace
to distinguish the same uid in different namespaces.

This does not address key_permission.  So a task can for instance
try to join a keyring owned by the same uid in another namespace.
That will be handled by a separate patch.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agointegrity: ima iint radix_tree_lookup locking fix
Mimi Zohar [Fri, 20 Feb 2009 22:28:29 +0000 (14:28 -0800)]
integrity: ima iint radix_tree_lookup locking fix

Based on Andrew Morton's comments:
- add missing locks around radix_tree_lookup in ima_iint_insert()

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoTOMOYO: Do not call tomoyo_realpath_init unless registered.
Tetsuo Handa [Sat, 21 Feb 2009 11:40:50 +0000 (20:40 +0900)]
TOMOYO: Do not call tomoyo_realpath_init unless registered.

tomoyo_realpath_init() is unconditionally called by security_initcall().
But nobody will use realpath related functions if TOMOYO is not registered.

So, let tomoyo_init() call tomoyo_realpath_init().

This patch saves 4KB of memory allocation if TOMOYO is not registered.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agointegrity: ima scatterlist bug fix
Mimi Zohar [Fri, 20 Feb 2009 02:23:50 +0000 (21:23 -0500)]
integrity: ima scatterlist bug fix

Based on Alexander Beregalov's post http://lkml.org/lkml/2009/2/19/198

- replaced sg_set_buf() with sg_init_one()

 kernel BUG at include/linux/scatterlist.h:65!
 invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
 last sysfs file:
 CPU 2
 Modules linked in:
 Pid: 1, comm: swapper Not tainted 2.6.29-rc5-next-20090219 #5 PowerEdge 1950
 RIP: 0010:[<ffffffff8045ec70>]  [<ffffffff8045ec70>] ima_calc_hash+0xc0/0x160
 RSP: 0018:ffff88007f46bc40  EFLAGS: 00010286
 RAX: ffffe200032c45e8 RBX: 00000000fffffff4 RCX: 0000000087654321
 RDX: 0000000000000002 RSI: 0000000000000001 RDI: ffff88007cf71048
 RBP: ffff88007f46bcd0 R08: 0000000000000000 R09: 0000000000000163
 R10: ffff88007f4707a8 R11: 0000000000000000 R12: ffff88007cf71048
 R13: 0000000000001000 R14: 0000000000000000 R15: 0000000000009d98
 FS:  0000000000000000(0000) GS:ffff8800051ac000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
 CR2: 0000000000000000 CR3: 0000000000201000 CR4: 00000000000006e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Tested-by: Alexander Beregalov <a.beregalov@gmail.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agosmack: fix lots of kernel-doc notation
Randy Dunlap [Wed, 18 Feb 2009 19:42:33 +0000 (11:42 -0800)]
smack: fix lots of kernel-doc notation

Fix/add kernel-doc notation and fix typos in security/smack/.

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoTOMOYO: Don't create securityfs entries unless registered.
Tetsuo Handa [Sat, 14 Feb 2009 02:46:56 +0000 (11:46 +0900)]
TOMOYO: Don't create securityfs entries unless registered.

TOMOYO should not create /sys/kernel/security/tomoyo/ interface unless
TOMOYO is registered.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoTOMOYO: Fix exception policy read failure.
Tetsuo Handa [Fri, 13 Feb 2009 07:00:58 +0000 (16:00 +0900)]
TOMOYO: Fix exception policy read failure.

Due to wrong initialization, "cat /sys/kernel/security/tomoyo/exception_policy"
returned nothing.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoSELinux: convert the avc cache hash list to an hlist
Eric Paris [Thu, 12 Feb 2009 19:51:04 +0000 (14:51 -0500)]
SELinux: convert the avc cache hash list to an hlist

We do not need O(1) access to the tail of the avc cache lists and so we are
wasting lots of space using struct list_head instead of struct hlist_head.
This patch converts the avc cache to use hlists in which there is a single
pointer from the head which saves us about 4k of global memory.

Resulted in about a 1.5% decrease in time spent in avc_has_perm_noaudit based
on oprofile sampling of tbench.  Although likely within the noise....

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoSELinux: code readability with avc_cache
Eric Paris [Thu, 12 Feb 2009 19:50:59 +0000 (14:50 -0500)]
SELinux: code readability with avc_cache

The code making use of struct avc_cache was not easy to read thanks to liberal
use of &avc_cache.{slots_lock,slots}[hvalue] throughout.  This patch simply
creates local pointers and uses those instead of the long global names.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoSELinux: remove unused av.decided field
Eric Paris [Thu, 12 Feb 2009 19:50:54 +0000 (14:50 -0500)]
SELinux: remove unused av.decided field

It appears there was an intention to have the security server only decide
certain permissions and leave other for later as some sort of a portential
performance win.  We are currently always deciding all 32 bits of
permissions and this is a useless couple of branches and wasted space.
This patch completely drops the av.decided concept.

This in a 17% reduction in the time spent in avc_has_perm_noaudit
based on oprofile sampling of a tbench benchmark.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoSELinux: more careful use of avd in avc_has_perm_noaudit
Eric Paris [Thu, 12 Feb 2009 19:50:49 +0000 (14:50 -0500)]
SELinux: more careful use of avd in avc_has_perm_noaudit

we are often needlessly jumping through hoops when it comes to avd
entries in avc_has_perm_noaudit and we have extra initialization and memcpy
which are just wasting performance.  Try to clean the function up a bit.

This patch resulted in a 13% drop in time spent in avc_has_perm_noaudit in my
oprofile sampling of a tbench benchmark.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoSELinux: remove the unused ae.used
Eric Paris [Thu, 12 Feb 2009 19:50:43 +0000 (14:50 -0500)]
SELinux: remove the unused ae.used

Currently SELinux code has an atomic which was intended to track how many
times an avc entry was used and to evict entries when they haven't been
used recently.  Instead we never let this atomic get above 1 and evict when
it is first checked for eviction since it hits zero.  This is a total waste
of time so I'm completely dropping ae.used.

This change resulted in about a 3% faster avc_has_perm_noaudit when running
oprofile against a tbench benchmark.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed by: Paul Moore <paul.moore@hp.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoSELinux: check seqno when updating an avc_node
Eric Paris [Thu, 12 Feb 2009 19:50:11 +0000 (14:50 -0500)]
SELinux: check seqno when updating an avc_node

The avc update node callbacks do not check the seqno of the caller with the
seqno of the node found.  It is possible that a policy change could happen
(although almost impossibly unlikely) in which a permissive or
permissive_domain decision is not valid for the entry found.  Simply pass
and check that the seqno of the caller and the seqno of the node found
match.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoSELinux: NULL terminate al contexts from disk
Eric Paris [Thu, 12 Feb 2009 19:50:05 +0000 (14:50 -0500)]
SELinux: NULL terminate al contexts from disk

When a context is pulled in from disk we don't know that it is null
terminated.  This patch forecebly null terminates contexts when we pull
them from disk.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoSELinux: better printk when file with invalid label found
Eric Paris [Thu, 12 Feb 2009 20:01:10 +0000 (15:01 -0500)]
SELinux: better printk when file with invalid label found

Currently when an inode is read into the kernel with an invalid label
string (can often happen with removable media) we output a string like:

SELinux: inode_doinit_with_dentry:  context_to_sid([SOME INVALID LABEL])
returned -22 dor dev=[blah] ino=[blah]

Which is all but incomprehensible to all but a couple of us.  Instead, on
EINVAL only, I plan to output a much more user friendly string and I plan to
ratelimit the printk since many of these could be generated very rapidly.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoSELinux: call capabilities code directory
Eric Paris [Thu, 12 Feb 2009 20:01:04 +0000 (15:01 -0500)]
SELinux: call capabilities code directory

For cleanliness and efficiency remove all calls to secondary-> and instead
call capabilities code directly.  capabilities are the only module that
selinux stacks with and so the code should not indicate that other stacking
might be possible.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoima: fix build error
Randy Dunlap [Thu, 12 Feb 2009 17:54:14 +0000 (09:54 -0800)]
ima: fix build error

IMA_LSM_RULES requires AUDIT.  This is automatic if SECURITY_SELINUX=y
but not when SECURITY_SMACK=y (and SECURITY_SELINUX=n), so make the
dependency explicit.  This fixes the following build error:

security/integrity/ima/ima_policy.c:111:error: implicit declaration of function 'security_audit_rule_match'
security/integrity/ima/ima_policy.c:230:error: implicit declaration of function 'security_audit_rule_init'

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Acked-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agotomoyo: fix sparse warning
Tetsuo Handa [Thu, 12 Feb 2009 06:53:38 +0000 (15:53 +0900)]
tomoyo: fix sparse warning

Fix sparse warning.

$ make C=2 SUBDIRS=security/tomoyo CF="-D__cold__="
 CHECK   security/tomoyo/common.c
 CHECK   security/tomoyo/realpath.c
 CHECK   security/tomoyo/tomoyo.c
security/tomoyo/tomoyo.c:110:8: warning: symbol 'buf' shadows an earlier one
security/tomoyo/tomoyo.c:100:7: originally declared here

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agosecurity: change link order of LSMs so security=tomoyo works
James Morris [Thu, 12 Feb 2009 05:29:04 +0000 (16:29 +1100)]
security: change link order of LSMs so security=tomoyo works

LSMs need to be linked before root_plug to ensure the security=
boot parameter works with them.  Do this for Tomoyo.

(root_plug probably needs to be taken out and shot at some point,
too).

Signed-off-by: James Morris <jmorris@namei.org>
15 years agoMAINTAINERS info
Kentaro Takeda [Thu, 5 Feb 2009 08:18:18 +0000 (17:18 +0900)]
MAINTAINERS info

The archive of tomoyo-users-en mailing list is available at
http://lists.sourceforge.jp/mailman/archives/tomoyo-users-en/ .
Mailing lists for Japanese users are at
http://lists.sourceforge.jp/mailman/archives/tomoyo-users/ and
http://lists.sourceforge.jp/mailman/archives/tomoyo-dev/ .

TOMOYO Linux English portal is at
http://elinux.org/TomoyoLinux .

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoKconfig and Makefile
Kentaro Takeda [Thu, 5 Feb 2009 08:18:17 +0000 (17:18 +0900)]
Kconfig and Makefile

TOMOYO uses LSM hooks for pathname based access control and securityfs support.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoLSM adapter functions.
Kentaro Takeda [Thu, 5 Feb 2009 08:18:16 +0000 (17:18 +0900)]
LSM adapter functions.

DAC's permissions and TOMOYO's permissions are not one-to-one mapping.

Regarding DAC, there are "read", "write", "execute" permissions.
Regarding TOMOYO, there are "allow_read", "allow_write", "allow_read/write",
"allow_execute", "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir",
"allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar",
"allow_truncate", "allow_symlink", "allow_rewrite", "allow_link",
"allow_rename" permissions.

+----------------------------------+----------------------------------+
| requested operation              | required TOMOYO's permission     |
+----------------------------------+----------------------------------+
| sys_open(O_RDONLY)               | allow_read                       |
+----------------------------------+----------------------------------+
| sys_open(O_WRONLY)               | allow_write                      |
+----------------------------------+----------------------------------+
| sys_open(O_RDWR)                 | allow_read/write                 |
+----------------------------------+----------------------------------+
| open_exec() from do_execve()     | allow_execute                    |
+----------------------------------+----------------------------------+
| open_exec() from !do_execve()    | allow_read                       |
+----------------------------------+----------------------------------+
| sys_read()                       | (none)                           |
+----------------------------------+----------------------------------+
| sys_write()                      | (none)                           |
+----------------------------------+----------------------------------+
| sys_mmap()                       | (none)                           |
+----------------------------------+----------------------------------+
| sys_uselib()                     | allow_read                       |
+----------------------------------+----------------------------------+
| sys_open(O_CREAT)                | allow_create                     |
+----------------------------------+----------------------------------+
| sys_open(O_TRUNC)                | allow_truncate                   |
+----------------------------------+----------------------------------+
| sys_truncate()                   | allow_truncate                   |
+----------------------------------+----------------------------------+
| sys_ftruncate()                  | allow_truncate                   |
+----------------------------------+----------------------------------+
| sys_open() without O_APPEND      | allow_rewrite                    |
+----------------------------------+----------------------------------+
| setfl() without O_APPEND         | allow_rewrite                    |
+----------------------------------+----------------------------------+
| sys_sysctl() for writing         | allow_write                      |
+----------------------------------+----------------------------------+
| sys_sysctl() for reading         | allow_read                       |
+----------------------------------+----------------------------------+
| sys_unlink()                     | allow_unlink                     |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFREG)               | allow_create                     |
+----------------------------------+----------------------------------+
| sys_mknod(0)                     | allow_create                     |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFIFO)               | allow_mkfifo                     |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFSOCK)              | allow_mksock                     |
+----------------------------------+----------------------------------+
| sys_bind(AF_UNIX)                | allow_mksock                     |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFBLK)               | allow_mkblock                    |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFCHR)               | allow_mkchar                     |
+----------------------------------+----------------------------------+
| sys_symlink()                    | allow_symlink                    |
+----------------------------------+----------------------------------+
| sys_mkdir()                      | allow_mkdir                      |
+----------------------------------+----------------------------------+
| sys_rmdir()                      | allow_rmdir                      |
+----------------------------------+----------------------------------+
| sys_link()                       | allow_link                       |
+----------------------------------+----------------------------------+
| sys_rename()                     | allow_rename                     |
+----------------------------------+----------------------------------+

TOMOYO requires "allow_execute" permission of a pathname passed to do_execve()
but does not require "allow_read" permission of that pathname.
Let's consider 3 patterns (statically linked, dynamically linked,
shell script). This description is to some degree simplified.

  $ cat hello.c
  #include <stdio.h>
  int main() {
          printf("Hello\n");
          return 0;
  }
  $ cat hello.sh
  #! /bin/sh
  echo "Hello"
  $ gcc -static -o hello-static hello.c
  $ gcc -o hello-dynamic hello.c
  $ chmod 755 hello.sh

Case 1 -- Executing hello-static from bash.

  (1) The bash process calls fork() and the child process requests
      do_execve("hello-static").

  (2) The kernel checks "allow_execute hello-static" from "bash" domain.

  (3) The kernel calculates "bash hello-static" as the domain to transit to.

  (4) The kernel overwrites the child process by "hello-static".

  (5) The child process transits to "bash hello-static" domain.

  (6) The "hello-static" starts and finishes.

Case 2 -- Executing hello-dynamic from bash.

  (1) The bash process calls fork() and the child process requests
      do_execve("hello-dynamic").

  (2) The kernel checks "allow_execute hello-dynamic" from "bash" domain.

  (3) The kernel calculates "bash hello-dynamic" as the domain to transit to.

  (4) The kernel checks "allow_read ld-linux.so" from "bash hello-dynamic"
      domain. I think permission to access ld-linux.so should be charged
      hello-dynamic program, for "hello-dynamic needs ld-linux.so" is not
      a fault of bash program.

  (5) The kernel overwrites the child process by "hello-dynamic".

  (6) The child process transits to "bash hello-dynamic" domain.

  (7) The "hello-dynamic" starts and finishes.

Case 3 -- Executing hello.sh from bash.

  (1) The bash process calls fork() and the child process requests
      do_execve("hello.sh").

  (2) The kernel checks "allow_execute hello.sh" from "bash" domain.

  (3) The kernel calculates "bash hello.sh" as the domain to transit to.

  (4) The kernel checks "allow_read /bin/sh" from "bash hello.sh" domain.
      I think permission to access /bin/sh should be charged hello.sh program,
      for "hello.sh needs /bin/sh" is not a fault of bash program.

  (5) The kernel overwrites the child process by "/bin/sh".

  (6) The child process transits to "bash hello.sh" domain.

  (7) The "/bin/sh" requests open("hello.sh").

  (8) The kernel checks "allow_read hello.sh" from  "bash hello.sh" domain.

  (9) The "/bin/sh" starts and finishes.

Whether a file is interpreted as a program or not depends on an application.
The kernel cannot know whether the file is interpreted as a program or not.
Thus, TOMOYO treats "hello-static" "hello-dynamic" "ld-linux.so" "hello.sh"
"/bin/sh" equally as merely files; no distinction between executable and
non-executable. Therefore, TOMOYO doesn't check DAC's execute permission.
TOMOYO checks "allow_read" permission instead.

Calling do_execve() is a bold gesture that an old program's instance (i.e.
current process) is ready to be overwritten by a new program and is ready to
transfer control to the new program. To split purview of programs, TOMOYO
requires "allow_execute" permission of the new program against the old
program's instance and performs domain transition. If do_execve() succeeds,
the old program is no longer responsible against the consequence of the new
program's behavior. Only the new program is responsible for all consequences.

But TOMOYO doesn't require "allow_read" permission of the new program.
If TOMOYO requires "allow_read" permission of the new program, TOMOYO will
allow an attacker (who hijacked the old program's instance) to open the new
program and steal data from the new program. Requiring "allow_read" permission
will widen purview of the old program.

Not requiring "allow_read" permission of the new program against the old
program's instance is my design for reducing purview of the old program.
To be able to know whether the current process is in do_execve() or not,
I want to add in_execve flag to "task_struct".

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoDomain transition handler.
Kentaro Takeda [Thu, 5 Feb 2009 08:18:15 +0000 (17:18 +0900)]
Domain transition handler.

This file controls domain creation/deletion/transition.

Every process belongs to a domain in TOMOYO Linux.
Domain transition occurs when execve(2) is called
and the domain is expressed as 'process invocation history',
such as '<kernel> /sbin/init /etc/init.d/rc'.
Domain information is stored in current->cred->security field.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoFile operation restriction part.
Kentaro Takeda [Thu, 5 Feb 2009 08:18:14 +0000 (17:18 +0900)]
File operation restriction part.

This file controls file related operations of TOMOYO Linux.

tomoyo/tomoyo.c calls the following six functions in this file.
Each function handles the following access types.

 * tomoyo_check_file_perm
sysctl()'s "read" and "write".

 * tomoyo_check_exec_perm
"execute".

 * tomoyo_check_open_permission
open(2) for "read" and "write".

 * tomoyo_check_1path_perm
"create", "unlink", "mkdir", "rmdir", "mkfifo",
"mksock", "mkblock", "mkchar", "truncate" and "symlink".

 * tomoyo_check_2path_perm
"rename" and "unlink".

 * tomoyo_check_rewrite_permission
"rewrite".
("rewrite" are operations which may lose already recorded data of a file,
i.e. open(!O_APPEND) || open(O_TRUNC) || truncate() || ftruncate())

The functions which actually checks ACLs are the following three functions.
Each function handles the following access types.
ACL directive is expressed by "allow_<access type>".

 * tomoyo_check_file_acl
Open() operation and execve() operation.
("read", "write", "read/write" and "execute")

 * tomoyo_check_single_write_acl
Directory modification operations with 1 pathname.
("create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock",
 "mkblock", "mkchar", "truncate", "symlink" and "rewrite")

 * tomoyo_check_double_write_acl
Directory modification operations with 2 pathname.
("link" and "rename")

Also, this file contains handlers of some utility directives
for file related operations.

 * "allow_read":   specifies globally (for all domains) readable files.
 * "path_group":   specifies pathname macro.
 * "deny_rewrite": restricts rewrite operation.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoCommon functions for TOMOYO Linux.
Kentaro Takeda [Thu, 5 Feb 2009 08:18:13 +0000 (17:18 +0900)]
Common functions for TOMOYO Linux.

This file contains common functions (e.g. policy I/O, pattern matching).

-------------------- About pattern matching --------------------

Since TOMOYO Linux is a name based access control, TOMOYO Linux seriously
considers "safe" string representation.

TOMOYO Linux's string manipulation functions make reviewers feel crazy,
but there are reasons why TOMOYO Linux needs its own string manipulation
functions.

----- Part 1 : preconditions -----

People definitely want to use wild card.

  To support pattern matching, we have to support wild card characters.

  In a typical Linux system, filenames are likely consists of only alphabets,
  numbers, and some characters (e.g. + - ~ . / ).
  But theoretically, the Linux kernel accepts all characters but NUL character
  (which is used as a terminator of a string).

    Some Linux systems can have filenames which contain * ? ** etc.

Therefore, we have to somehow modify string so that we can distinguish
wild card characters and normal characters.

  It might be possible for some application's configuration files to restrict
  acceptable characters.
  It is impossible for kernel to restrict acceptable characters.

    We can't accept approaches which will cause troubles for applications.

----- Part 2 : commonly used approaches -----

Text formatted strings separated by space character (0x20) and new line
character (0x0A) is more preferable for users over array of NUL-terminated
string.

  Thus, people use text formatted configuration files separated by space
  character and new line.

We sometimes need to handle non-printable characters.

  Thus, people use \ character (0x5C) as escape character and represent
  non-printable characters using octal or hexadecimal format.

At this point, we remind (at least) 3 approaches.

  (1) Shell glob style expression
  (2) POSIX regular expression (UNIX style regular expression)
  (3) Maverick wild card expression

On the surface, (1) and (2) sound good choices. But they have a big pitfall.
All meta-characters in (1) and (2) are legal characters for representing
a pathname, and users easily write incorrect expression. What is worse, users
unlikely notice incorrect expressions because characters used for regular
pathnames unlikely contain meta-characters. This incorrect use of
meta-characters in pathname representation reveals vulnerability
(e.g. unexpected results) only when irregular pathname is specified.

The authors of TOMOYO Linux think that approaches which adds some character
for interpreting meta-characters as normal characters (i.e. (1) and (2)) are
not suitable for security use.

Therefore, the authors of TOMOYO Linux propose (3).

----- Part 3: consideration points -----

We need to solve encoding problem.

  A single character can be represented in several ways using encodings.

    For Japanese language, there are "ShiftJIS", "ISO-2022-JP", "EUC-JP",
    "UTF-8" and more.

  Some languages (e.g. Japanese language) supports multi-byte characters
  (where a single character is represented using several bytes).

    Some multi-byte characters may match the escape character.

    For Japanese language, some characters in "ShiftJIS" encoding match
    \ character, and bothering Web's CGI developers.

  It is important that the kernel string is not bothered by encoding problem.

    Linus said, "I really would expect that kernel strings don't have
    an encoding. They're just C strings: a NUL-terminated stream of bytes."
    http://lkml.org/lkml/2007/11/6/142

    Yes. The kernel strings are just C strings.
    We are talking about how to store and carry "kernel strings" safely.

  If we store "kernel string" into policy file as-is, the "kernel string" will
  be interpreted differently depending on application's encoding settings.
  One application may interpret "kernel string" as "UTF-8",
  another application may interpret "kernel string" as "ShiftJIS".

    Therefore, we propose to represent strings using ASCII encoding.
    In this way, we are no longer bothered by encoding problems.

We need to avoid information loss caused by display.

  It is difficult to input and display non-printable characters, but we have to
  be able to handle such characters because the kernel string is a C string.

  If we use only ASCII printable characters (from 0x21 to 0x7E) and space
  character (0x20) and new line character (0x0A), it is easy to input from
  keyboard and display on all terminals which is running Linux.

  Therefore, we propose to represent strings using only characters which value
  is one of "from 0x21 to 0x7E", "0x20", "0x0A".

We need to consider ease of splitting strings from a line.

  If we use an approach which uses "\ " for representing a space character
  within a string, we have to count the string from the beginning to check
  whether this space character is accompanied with \ character or not.
  As a result, we cannot monotonically split a line using space character.

  If we use an approach which uses "\040" for representing a space character
  within a string, we can monotonically split a line using space character.

  If we use an approach which uses NUL character as a delimiter, we cannot
  use string manipulation functions for splitting strings from a line.

  Therefore, we propose that we represent space character as "\040".

We need to avoid wrong designations (incorrect use of special characters).

  Not all users can understand and utilize POSIX's regular expressions
  correctly and perfectly.

  If a character acts as a wild card by default, the user will get unexpected
  result if that user didn't know the meaning of that character.

    Therefore, we propose that all characters but \ character act as
    a normal character and let the user add \ character to make a character
    act as a wild card.

    In this way, users needn't to know all wild card characters beforehand.
    They can learn when they encountered an unseen wild card character
    for their first time.

----- Part 4: supported wild card expressions -----

At this point, we have wild card expressions listed below.

  +-----------+--------------------------------------------------------------+
  | Wild card | Meaning and example                                          |
  +-----------+--------------------------------------------------------------+
  |   \*      | More than or equals to 0 character other than '/'.           |
  |           |           /var/log/samba/\*                                  |
  +-----------+--------------------------------------------------------------+
  |   \@      | More than or equals to 0 character other than '/' or '.'.    |
  |           |           /var/www/html/\@.html                              |
  +-----------+--------------------------------------------------------------+
  |   \?      | 1 byte character other than '/'.                             |
  |           |           /tmp/mail.\?\?\?\?\?\?                             |
  +-----------+--------------------------------------------------------------+
  |   \$      | More than or equals to 1 decimal digit.                      |
  |           |           /proc/\$/cmdline                                   |
  +-----------+--------------------------------------------------------------+
  |   \+      | 1 decimal digit.                                             |
  |           |           /var/tmp/my_work.\+                                |
  +-----------+--------------------------------------------------------------+
  |   \X      | More than or equals to 1 hexadecimal digit.                  |
  |           |           /var/tmp/my-work.\X                                |
  +-----------+--------------------------------------------------------------+
  |   \x      | 1 hexadecimal digit.                                         |
  |           |           /tmp/my-work.\x                                    |
  +-----------+--------------------------------------------------------------+
  |   \A      | More than or equals to 1 alphabet character.                 |
  |           |           /var/log/my-work/\$-\A-\$.log                      |
  +-----------+--------------------------------------------------------------+
  |   \a      | 1 alphabet character.                                        |
  |           |           /home/users/\a/\*/public_html/\*.html              |
  +-----------+--------------------------------------------------------------+
  |   \-      | Pathname subtraction operator.                               |
  |           | +---------------------+------------------------------------+ |
  |           | | Example             | Meaning                            | |
  |           | +---------------------+------------------------------------+ |
  |           | | /etc/\*             | All files in /etc/ directory.      | |
  |           | +---------------------+------------------------------------+ |
  |           | | /etc/\*\-\*shadow\* | /etc/\* other than /etc/\*shadow\* | |
  |           | +---------------------+------------------------------------+ |
  |           | | /\*\-proc\-sys/     | /\*/ other than /proc/ /sys/       | |
  |           | +---------------------+------------------------------------+ |
  +-----------+--------------------------------------------------------------+

  +----------------+---------------------------------------------------------+
  | Representation | Meaning and example                                     |
  +----------------+---------------------------------------------------------+
  |   \\           | backslash character itself.                             |
  +----------------+---------------------------------------------------------+
  |   \ooo         | 1 byte character.                                       |
  |                | ooo is 001 <= ooo <= 040 || 177 <= ooo <= 377.          |
  |                |                                                         |
  |                |           \040 for space character.                     |
  |                |           \177 for del character.                       |
  |                |                                                         |
  +----------------+---------------------------------------------------------+

----- Part 5: Advantages -----

We can obtain extensibility.

  Since our proposed approach adds \ to a character to interpret as a wild
  card, we can introduce new wild card in future while maintaining backward
  compatibility.

We can process monotonically.

  Since our proposed approach separates strings using a space character,
  we can split strings using existing string manipulation functions.

We can reliably analyze access logs.

  It is guaranteed that a string doesn't contain space character (0x20) and
  new line character (0x0A).

  It is guaranteed that a string won't be converted by FTP and won't be damaged
  by a terminal's settings.

  It is guaranteed that a string won't be affected by encoding converters
  (except encodings which insert NUL character (e.g. UTF-16)).

----- Part 6: conclusion -----

TOMOYO Linux is using its own encoding with reasons described above.
There is a disadvantage that we need to introduce a series of new string
manipulation functions. But TOMOYO Linux's encoding is useful for all users
(including audit and AppArmor) who want to perform pattern matching and
safely exchange string information between the kernel and the userspace.

-------------------- About policy interface --------------------

TOMOYO Linux creates the following files on securityfs (normally
mounted on /sys/kernel/security) as interfaces between kernel and
userspace. These files are for TOMOYO Linux management tools *only*,
not for general programs.

  * profile
  * exception_policy
  * domain_policy
  * manager
  * meminfo
  * self_domain
  * version
  * .domain_status
  * .process_status

** /sys/kernel/security/tomoyo/profile **

This file is used to read or write profiles.

"profile" means a running mode of process. A profile lists up
functions and their modes in "$number-$variable=$value" format. The
$number is profile number between 0 and 255. Each domain is assigned
one profile. To assign profile to domains, use "ccs-setprofile" or
"ccs-editpolicy" or "ccs-loadpolicy" commands.

(Example)
[root@tomoyo]# cat /sys/kernel/security/tomoyo/profile
0-COMMENT=-----Disabled Mode-----
0-MAC_FOR_FILE=disabled
0-MAX_ACCEPT_ENTRY=2048
0-TOMOYO_VERBOSE=disabled
1-COMMENT=-----Learning Mode-----
1-MAC_FOR_FILE=learning
1-MAX_ACCEPT_ENTRY=2048
1-TOMOYO_VERBOSE=disabled
2-COMMENT=-----Permissive Mode-----
2-MAC_FOR_FILE=permissive
2-MAX_ACCEPT_ENTRY=2048
2-TOMOYO_VERBOSE=enabled
3-COMMENT=-----Enforcing Mode-----
3-MAC_FOR_FILE=enforcing
3-MAX_ACCEPT_ENTRY=2048
3-TOMOYO_VERBOSE=enabled

- MAC_FOR_FILE:
Specifies access control level regarding file access requests.
- MAX_ACCEPT_ENTRY:
Limits the max number of ACL entries that are automatically appended
during learning mode. Default is 2048.
- TOMOYO_VERBOSE:
Specifies whether to print domain policy violation messages or not.

** /sys/kernel/security/tomoyo/manager **

This file is used to read or append the list of programs or domains
that can write to /sys/kernel/security/tomoyo interface. By default,
only processes with both UID = 0 and EUID = 0 can modify policy via
/sys/kernel/security/tomoyo interface. You can use keyword
"manage_by_non_root" to allow policy modification by non root user.

(Example)
[root@tomoyo]# cat /sys/kernel/security/tomoyo/manager
/usr/lib/ccs/loadpolicy
/usr/lib/ccs/editpolicy
/usr/lib/ccs/setlevel
/usr/lib/ccs/setprofile
/usr/lib/ccs/ld-watch
/usr/lib/ccs/ccs-queryd

** /sys/kernel/security/tomoyo/exception_policy **

This file is used to read and write system global settings. Each line
has a directive and operand pair. Directives are listed below.

- initialize_domain:
To initialize domain transition when specific program is executed,
use initialize_domain directive.
  * initialize_domain "program" from "domain"
  * initialize_domain "program" from "the last program part of domain"
  * initialize_domain "program"
If the part "from" and after is not given, the entry is applied to
all domain. If the "domain" doesn't start with "<kernel>", the entry
is applied to all domain whose domainname ends with "the last program
part of domain".
This directive is intended to aggregate domain transitions for daemon
program and program that are invoked by the kernel on demand, by
transiting to different domain.

- keep_domain
To prevent domain transition when program is executed from specific
domain, use keep_domain directive.
  * keep_domain "program" from "domain"
  * keep_domain "program" from "the last program part of domain"
  * keep_domain "domain"
  * keep_domain "the last program part of domain"
If the part "from" and before is not given, this entry is applied to
all program. If the "domain" doesn't start with "<kernel>", the entry
is applied to all domain whose domainname ends with "the last program
part of domain".
This directive is intended to reduce total number of domains and
memory usage by suppressing unneeded domain transitions.
To declare domain keepers, use keep_domain directive followed by
domain definition.
Any process that belongs to any domain declared with this directive,
the process stays at the same domain unless any program registered
with initialize_domain directive is executed.

In order to control domain transition in detail, you can use
no_keep_domain/no_initialize_domain keywrods.

- alias:
To allow executing programs using the name of symbolic links, use
alias keyword followed by dereferenced pathname and reference
pathname. For example, /sbin/pidof is a symbolic link to
/sbin/killall5 . In normal case, if /sbin/pidof is executed, the
domain is defined as if /sbin/killall5 is executed. By specifying
"alias /sbin/killall5 /sbin/pidof", you can run /sbin/pidof in the
domain for /sbin/pidof .
(Example)
alias /sbin/killall5 /sbin/pidof

- allow_read:
To grant unconditionally readable permissions, use allow_read keyword
followed by canonicalized file. This keyword is intended to reduce
size of domain policy by granting read access to library files such
as GLIBC and locale files. Exception is, if ignore_global_allow_read
keyword is given to a domain, entries specified by this keyword are
ignored.
(Example)
allow_read /lib/libc-2.5.so

- file_pattern:
To declare pathname pattern, use file_pattern keyword followed by
pathname pattern. The pathname pattern must be a canonicalized
Pathname. This keyword is not applicable to neither granting execute
permissions nor domain definitions.
For example, canonicalized pathname that contains a process ID
(i.e. /proc/PID/ files) needs to be grouped in order to make access
control work well.
(Example)
file_pattern /proc/\$/cmdline

- path_group
To declare pathname group, use path_group keyword followed by name of
the group and pathname pattern. For example, if you want to group all
files under home directory, you can define
   path_group HOME-DIR-FILE /home/\*/\*
   path_group HOME-DIR-FILE /home/\*/\*/\*
   path_group HOME-DIR-FILE /home/\*/\*/\*/\*
in the exception policy and use like
   allow_read @HOME-DIR-FILE
to grant file access permission.

- deny_rewrite:
To deny overwriting already written contents of file (such as log
files) by default, use deny_rewrite keyword followed by pathname
pattern. Files whose pathname match the patterns are not permitted to
open for writing without append mode or truncate unless the pathnames
are explicitly granted using allow_rewrite keyword in domain policy.
(Example)
deny_rewrite /var/log/\*

- aggregator
To deal multiple programs as a single program, use aggregator keyword
followed by name of original program and aggregated program. This
keyword is intended to aggregate similar programs.
For example, /usr/bin/tac and /bin/cat are similar. By specifying
"aggregator /usr/bin/tac /bin/cat", you can run /usr/bin/tac in the
domain for /bin/cat .
For example, /usr/sbin/logrotate for Fedora Core 3 generates programs
like /tmp/logrotate.\?\?\?\?\?\? and run them, but TOMOYO Linux
doesn't allow using patterns for granting execute permission and
defining domains. By specifying
"aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp", you can
run /tmp/logrotate.\?\?\?\?\?\? as if /tmp/logrotate.tmp is running.

** /sys/kernel/security/tomoyo/domain_policy **

This file contains definition of all domains and permissions that are
granted to each domain.

Lines from the next line to a domain definition ( any lines starting
with "<kernel>") to the previous line to the next domain definitions
are interpreted as access permissions for that domain.

** /sys/kernel/security/tomoyo/meminfo **

This file is to show the total RAM used to keep policy in the kernel
by TOMOYO Linux in bytes.
(Example)
[root@tomoyo]# cat /sys/kernel/security/tomoyo/meminfo
Shared:       61440
Private:      69632
Dynamic:        768
Total:       131840

You can set memory quota by writing to this file.
(Example)
[root@tomoyo]# echo Shared: 2097152 > /sys/kernel/security/tomoyo/meminfo
[root@tomoyo]# echo Private: 2097152 > /sys/kernel/security/tomoyo/meminfo

** /sys/kernel/security/tomoyo/self_domain **

This file is to show the name of domain the caller process belongs to.
(Example)
[root@etch]# cat /sys/kernel/security/tomoyo/self_domain
<kernel> /usr/sbin/sshd /bin/zsh /bin/cat

** /sys/kernel/security/tomoyo/version **

This file is used for getting TOMOYO Linux's version.
(Example)
[root@etch]# cat /sys/kernel/security/tomoyo/version
2.2.0-pre

** /sys/kernel/security/tomoyo/.domain_status **

This is a view (of a DBMS) that contains only profile number and
domainnames of domain so that "ccs-setprofile" command can do
line-oriented processing easily.

** /sys/kernel/security/tomoyo/.process_status **

This file is used by "ccs-ccstree" command to show "list of processes
currently running" and "domains which each process belongs to" and
"profile number which the domain is currently assigned" like "pstree"
command. This file is writable by programs that aren't registered as
policy manager.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoMemory and pathname management functions.
Kentaro Takeda [Thu, 5 Feb 2009 08:18:12 +0000 (17:18 +0900)]
Memory and pathname management functions.

TOMOYO Linux performs pathname based access control.
To remove factors that make pathname based access control difficult
(e.g. symbolic links, "..", "//" etc.), TOMOYO Linux derives realpath
of requested pathname from "struct dentry" and "struct vfsmount".

The maximum length of string data is limited to 4000 including trailing '\0'.
Since TOMOYO Linux uses '\ooo' style representation for non ASCII printable
characters, maybe TOMOYO Linux should be able to support 16336 (which means
(NAME_MAX * (PATH_MAX / (NAME_MAX + 1)) * 4 + (PATH_MAX / (NAME_MAX + 1)))
including trailing '\0'), but I think 4000 is enough for practical use.

TOMOYO uses only 0x21 - 0x7E (as printable characters) and 0x20 (as word
delimiter) and 0x0A (as line delimiter).
0x01 - 0x20 and 0x80 - 0xFF is handled in \ooo style representation.
The reason to use \ooo is to guarantee that "%s" won't damage logs.
Userland program can request

 open("/tmp/file granted.\nAccess /tmp/file ", O_WRONLY | O_CREAT, 0600)

and logging such crazy pathname using "Access %s denied.\n" format will cause
"fabrication of logs" like

 Access /tmp/file granted.
 Access /tmp/file denied.

TOMOYO converts such characters to \ooo so that the logs will become

 Access /tmp/file\040granted.\012Access\040/tmp/file denied.

and the administrator can read the logs safely using /bin/cat .
Likewise, a crazy request like

 open("/tmp/\x01\x02\x03\x04\x05\x06\x07\x08\x09", O_WRONLY | O_CREAT, 0600)

will be processed safely by converting to

 Access /tmp/\001\002\003\004\005\006\007\010\011 denied.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoAdd in_execve flag into task_struct.
Kentaro Takeda [Thu, 5 Feb 2009 08:18:11 +0000 (17:18 +0900)]
Add in_execve flag into task_struct.

This patch allows LSM modules to determine whether current process is in an
execve operation or not so that they can behave differently while an execve
operation is in progress.

This patch is needed by TOMOYO. Please see another patch titled "LSM adapter
functions." for backgrounds.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agointegrity: audit update
Mimi Zohar [Wed, 11 Feb 2009 16:12:28 +0000 (11:12 -0500)]
integrity: audit update

Based on discussions on linux-audit, as per Steve Grubb's request
http://lkml.org/lkml/2009/2/6/269, the following changes were made:
- forced audit result to be either 0 or 1.
- made template names const
- Added new stand-alone message type: AUDIT_INTEGRITY_RULE

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agointegrity: shmem zero fix
Mimi Zohar [Wed, 11 Feb 2009 04:01:19 +0000 (23:01 -0500)]
integrity: shmem zero fix

Based on comments from Mike Frysinger and Randy Dunlap:
(http://lkml.org/lkml/2009/2/9/262)
- moved ima.h include before CONFIG_SHMEM test to fix compiler error
  on Blackfin:
mm/shmem.c: In function 'shmem_zero_setup':
mm/shmem.c:2670: error: implicit declaration of function 'ima_shm_check'

- added 'struct linux_binprm' in ima.h to fix compiler warning on Blackfin:
In file included from mm/shmem.c:32:
include/linux/ima.h:25: warning: 'struct linux_binprm' declared inside
parameter list
include/linux/ima.h:25: warning: its scope is only this definition or
declaration, which is probably not what you want

- moved fs.h include within _LINUX_IMA_H definition

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoMerge branch 'master' into next
James Morris [Fri, 6 Feb 2009 00:01:45 +0000 (11:01 +1100)]
Merge branch 'master' into next

Conflicts:
fs/namei.c

Manually merged per:

diff --cc fs/namei.c
index 734f2b5,bbc15c2..0000000
--- a/fs/namei.c
+++ b/fs/namei.c
@@@ -860,9 -848,8 +849,10 @@@ static int __link_path_walk(const char
   nd->flags |= LOOKUP_CONTINUE;
   err = exec_permission_lite(inode);
   if (err == -EAGAIN)
-  err = vfs_permission(nd, MAY_EXEC);
+  err = inode_permission(nd->path.dentry->d_inode,
+         MAY_EXEC);
 + if (!err)
 + err = ima_path_check(&nd->path, MAY_EXEC);
    if (err)
   break;

@@@ -1525,14 -1506,9 +1509,14 @@@ int may_open(struct path *path, int acc
   flag &= ~O_TRUNC;
   }

-  error = vfs_permission(nd, acc_mode);
+  error = inode_permission(inode, acc_mode);
   if (error)
   return error;
 +
-  error = ima_path_check(&nd->path,
++ error = ima_path_check(path,
 +        acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));
 + if (error)
 + return error;
   /*
    * An append-only file must be opened in append mode for writing.
    */

Signed-off-by: James Morris <jmorris@namei.org>
15 years agoseq_file: fix big-enough lseek() + read()
Alexey Dobriyan [Thu, 5 Feb 2009 21:30:05 +0000 (00:30 +0300)]
seq_file: fix big-enough lseek() + read()

lseek() further than length of the file will leave stale ->index
(second-to-last during iteration). Next seq_read() will not notice
that ->f_pos is big enough to return 0, but will print last item
as if ->f_pos is pointing to it.

Introduced in commit cb510b8172602a66467f3551b4be1911f5a7c8c2
aka "seq_file: more atomicity in traverse()".

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agoTPM: integrity fix
Rajiv Andrade [Thu, 5 Feb 2009 15:06:30 +0000 (13:06 -0200)]
TPM: integrity fix

Fix to function which is called by IMA, now tpm_chip_find_get() considers the case in which the machine doesn't have a TPM or, if it has, its TPM isn't enabled.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoIMA: fix ima_delete_rules() definition
James Morris [Wed, 4 Feb 2009 22:28:26 +0000 (09:28 +1100)]
IMA: fix ima_delete_rules() definition

Fix ima_delete_rules() definition so sparse doesn't complain.

Signed-off-by: James Morris <jmorris@namei.org>
15 years agoIntegrity: IMA update maintainers
Mimi Zohar [Wed, 4 Feb 2009 14:07:03 +0000 (09:07 -0500)]
Integrity: IMA update maintainers

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoIntegrity: IMA file free imbalance
Mimi Zohar [Wed, 4 Feb 2009 14:07:02 +0000 (09:07 -0500)]
Integrity: IMA file free imbalance

The number of calls to ima_path_check()/ima_file_free()
should be balanced.  An extra call to fput(), indicates
the file could have been accessed without first being
measured.

Although f_count is incremented/decremented in places other
than fget/fput, like fget_light/fput_light and get_file, the
current task must already hold a file refcnt.  The call to
__fput() is delayed until the refcnt becomes 0, resulting
in ima_file_free() flagging any changes.

- add hook to increment opencount for IPC shared memory(SYSV),
  shmat files, and /dev/zero
- moved NULL iint test in opencount_get()

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agointegrity: IMA policy open
Mimi Zohar [Wed, 4 Feb 2009 14:07:01 +0000 (09:07 -0500)]
integrity: IMA policy open

Sequentialize access to the policy file
- permit multiple attempts to replace default policy with a valid policy

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agointegrity: IMA policy
Mimi Zohar [Wed, 4 Feb 2009 14:07:00 +0000 (09:07 -0500)]
integrity: IMA policy

Support for a user loadable policy through securityfs
with support for LSM specific policy data.
- free invalid rule in ima_parse_add_rule()

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agointegrity: IMA display
Mimi Zohar [Wed, 4 Feb 2009 14:06:59 +0000 (09:06 -0500)]
integrity: IMA display

Make the measurement lists available through securityfs.
- removed test for NULL return code from securityfs_create_file/dir

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agointegrity: IMA as an integrity service provider
Mimi Zohar [Wed, 4 Feb 2009 14:06:58 +0000 (09:06 -0500)]
integrity: IMA as an integrity service provider

IMA provides hardware (TPM) based measurement and attestation for
file measurements. As the Trusted Computing (TPM) model requires,
IMA measures all files before they are accessed in any way (on the
integrity_bprm_check, integrity_path_check and integrity_file_mmap
hooks), and commits the measurements to the TPM. Once added to the
TPM, measurements can not be removed.

In addition, IMA maintains a list of these file measurements, which
can be used to validate the aggregate value stored in the TPM.  The
TPM can sign these measurements, and thus the system can prove, to
itself and to a third party, the system's integrity in a way that
cannot be circumvented by malicious or compromised software.

- alloc ima_template_entry before calling ima_store_template()
- log ima_add_boot_aggregate() failure
- removed unused IMA_TEMPLATE_NAME_LEN
- replaced hard coded string length with #define name

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agointegrity: IMA hooks
Mimi Zohar [Wed, 4 Feb 2009 14:06:57 +0000 (09:06 -0500)]
integrity: IMA hooks

This patch replaces the generic integrity hooks, for which IMA registered
itself, with IMA integrity hooks in the appropriate places directly
in the fs directory.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
15 years agoseq_file: move traverse so it can be used from seq_read
Eric Biederman [Wed, 4 Feb 2009 23:12:25 +0000 (15:12 -0800)]
seq_file: move traverse so it can be used from seq_read

In 2.6.25 some /proc files were converted to use the seq_file
infrastructure.  But seq_files do not correctly support pread(), which
broke some usersapce applications.

To handle pread correctly we can't assume that f_pos is where we left it
in seq_read.  So move traverse() so that we can eventually use it in
seq_read and do thus some day support pread().

Signed-off-by: Eric Biederman <ebiederm@xmission.com>
Cc: Paul Turner <pjt@google.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agosgi-xp: fix writing past the end of kzalloc()'d space
Dean Nelson [Wed, 4 Feb 2009 23:12:24 +0000 (15:12 -0800)]
sgi-xp: fix writing past the end of kzalloc()'d space

A missing type cast results in writing way beyond the end of a kzalloc()'d
memory segment resulting in slab corruption. But it seems like the better
solution is to define ->recv_msg_slots as a 'void *' rather than a
'struct xpc_notify_mq_msg_uv *' and add the type cast.

Signed-off-by: Dean Nelson <dcn@sgi.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agoalpha: fixup BUG macro
Alexey Dobriyan [Wed, 4 Feb 2009 23:12:21 +0000 (15:12 -0800)]
alpha: fixup BUG macro

Do usual do {} while (0) dance, otherwise

fs/gfs2/util.c:99: error: expected expression before 'else'
drivers/scsi/lpfc/lpfc_sli.c:363: error: expected expression before 'else'

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Acked-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Richard Henderson <rth@twiddle.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agosx.c: fix missed unlock_kernel() on error path in sx_fw_ioctl()
Dan Carpenter [Wed, 4 Feb 2009 23:12:20 +0000 (15:12 -0800)]
sx.c: fix missed unlock_kernel() on error path in sx_fw_ioctl()

If we return directly with -EPERM then lock_kernel() is still held.

This was found with a code checker (http://repo.or.cz/w/smatch.git/).

[akpm@linux-foundation.org: fix another such path - missed func_exit()]
Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: <R.E.Wolff@BitWizard.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agoatyfb: fix CONFIG_ namespace violations
Randy Dunlap [Wed, 4 Feb 2009 23:12:20 +0000 (15:12 -0800)]
atyfb: fix CONFIG_ namespace violations

Fix namespace violations by changing non-kconfig CONFIG_ names to CNFG_*.

Fixes breakage in staging/, which adds a real CONFIG_PANEL.

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agortc-ds1390: fix compilation warnings in drivers/rtc/rtc-ds1390.c
Manish Katiyar [Wed, 4 Feb 2009 23:12:19 +0000 (15:12 -0800)]
rtc-ds1390: fix compilation warnings in drivers/rtc/rtc-ds1390.c

drivers/rtc/rtc-ds1390.c:125: warning: unused variable 'rtc'

Signed-off-by: Manish Katiyar <mkatiyar@gmail.com>
Signed-off-by: Alessandro Zummo <a.zummo@towertech.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agodrivers/video/backlight: rename da903x to da903x_bl
Mike Rapoport [Wed, 4 Feb 2009 23:12:18 +0000 (15:12 -0800)]
drivers/video/backlight: rename da903x to da903x_bl

Currently both da903x backlight and voltage reulator drivers have the
same name. Rename the backlight driver to allow use of both drivers as
modules.

Signed-off-by: Mike Rapoport <mike@compulab.co.il>
Acked-by: Eric Miao <eric.miao@marvell.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agoatmel-ssc: fix misuse of dev_dbg when requested ssc instance is not found
Hans-Christian Egtvedt [Wed, 4 Feb 2009 23:12:17 +0000 (15:12 -0800)]
atmel-ssc: fix misuse of dev_dbg when requested ssc instance is not found

The ssc pointer is not valid when the id is not found in the list.
Convert the message from a debug one into an error message and avoid
dereferencing the bad pointer.

Signed-off-by: Hans-Christian Egtvedt <hans-christian.egtvedt@atmel.com>
Cc: Kay Sievers <kay.sievers@vrfy.org>
Cc: Huang Weiyi <weiyi.huang@gmail.com>
Acked-by: Haavard Skinnemoen <haavard.skinnemoen@atmel.com>
Cc: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agodo_wp_page: fix regression with execute in place
Carsten Otte [Wed, 4 Feb 2009 23:12:16 +0000 (15:12 -0800)]
do_wp_page: fix regression with execute in place

Fix do_wp_page for VM_MIXEDMAP mappings.

In the case where pfn_valid returns 0 for a pfn at the beginning of
do_wp_page and the mapping is not shared writable, the code branches to
label `gotten:' with old_page == NULL.

In case the vma is locked (vma->vm_flags & VM_LOCKED), lock_page,
clear_page_mlock, and unlock_page try to access the old_page.

This patch checks whether old_page is valid before it is dereferenced.

The regression was introduced by "mlock: mlocked pages are unevictable"
(commit b291f000393f5a0b679012b39d79fbc85c018233).

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: <stable@kernel.org> [2.6.28.x]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agowait: prevent exclusive waiter starvation
Johannes Weiner [Wed, 4 Feb 2009 23:12:14 +0000 (15:12 -0800)]
wait: prevent exclusive waiter starvation

With exclusive waiters, every process woken up through the wait queue must
ensure that the next waiter down the line is woken when it has finished.

Interruptible waiters don't do that when aborting due to a signal.  And if
an aborting waiter is concurrently woken up through the waitqueue, noone
will ever wake up the next waiter.

This has been observed with __wait_on_bit_lock() used by
lock_page_killable(): the first contender on the queue was aborting when
the actual lock holder woke it up concurrently.  The aborted contender
didn't acquire the lock and therefor never did an unlock followed by
waking up the next waiter.

Add abort_exclusive_wait() which removes the process' wait descriptor from
the waitqueue, iff still queued, or wakes up the next waiter otherwise.
It does so under the waitqueue lock.  Racing with a wake up means the
aborting process is either already woken (removed from the queue) and will
wake up the next waiter, or it will remove itself from the queue and the
concurrent wake up will apply to the next waiter after it.

Use abort_exclusive_wait() in __wait_event_interruptible_exclusive() and
__wait_on_bit_lock() when they were interrupted by other means than a wake
up through the queue.

[akpm@linux-foundation.org: coding-style fixes]
Reported-by: Chris Mason <chris.mason@oracle.com>
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Mentored-by: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Matthew Wilcox <matthew@wil.cx>
Cc: Chuck Lever <cel@citi.umich.edu>
Cc: Nick Piggin <nickpiggin@yahoo.com.au>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: <stable@kernel.org> ["after some testing"]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agomaintainers: general@lists.openfabrics.org is moderated
Randy Dunlap [Wed, 4 Feb 2009 23:12:13 +0000 (15:12 -0800)]
maintainers: general@lists.openfabrics.org is moderated

I got the "list is moderated message," so add it here.

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agolis3lv02d: add axes knowledge for HP 6710
Martin Kebert [Wed, 4 Feb 2009 23:12:12 +0000 (15:12 -0800)]
lis3lv02d: add axes knowledge for HP 6710

Add support for the HP laptops of model 6710x for having correctly setup
axes.

Signed-off-by: Martin Kebert <gkmarty@gmail.com>
Signed-off-by: Eric Piel <eric.piel@tremplin-utc.net>
Acked-by: Pavel Machek <pavel@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agolis3lv02d: add axes knowledge for HP 6730
Pavel Herrmann [Wed, 4 Feb 2009 23:12:11 +0000 (15:12 -0800)]
lis3lv02d: add axes knowledge for HP 6730

Add support for the HP laptops of model 6730x for having correctly setup
axes.

Signed-off-by: Pavel Herrmann <morpheus.ibis@gmail.com>
Signed-off-by: Eric Piel <eric.piel@tremplin-utc.net>
Acked-by: Pavel Machek <pavel@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agolis3lv02d: add axes knowledge for HP 6530
Eric Piel [Wed, 4 Feb 2009 23:12:11 +0000 (15:12 -0800)]
lis3lv02d: add axes knowledge for HP 6530

Add support for the HP laptops of model 6530x for having correctly setup
axes.

Reported-by: Jerome Poulin <jeromepoulin@gmail.com>
Signed-off-by: Eric Piel <eric.piel@tremplin-utc.net>
Acked-by: Pavel Machek <pavel@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agolis3lv02d: add axes knowledge for HP 6510b
Jiri Tersel [Wed, 4 Feb 2009 23:12:09 +0000 (15:12 -0800)]
lis3lv02d: add axes knowledge for HP 6510b

According to dmesg my laptop model HP 6510b is not being recognized by this
driver. After I have modified "lis3lv02d.c" axes in Neverball are OK.

Signed-off-by: Jiri Tersel <tersel@mail.muni.cz>
Signed-off-by: Eric Piel <eric.piel@tremplin-utc.net>
Acked-by: Pavel Machek <pavel@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agohp-wmi: fix error path in hp_wmi_bios_setup()
Andrew Morton [Wed, 4 Feb 2009 23:12:07 +0000 (15:12 -0800)]
hp-wmi: fix error path in hp_wmi_bios_setup()

The error-path code can call rfkill_unregister() with a pointer which does
not contain the result of a call to rfkill_register().  It goes BUG().

Addresses http://bugzilla.kernel.org/show_bug.cgi?id=12560.

Cc: Frans Pop <elendil@planet.nl>
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Len Brown <lenb@kernel.org>
Acked-by: Matthew Garrett <mjg@redhat.com>
Reported-by: Helge Deller <deller@gmx.de>
Testted-by: Helge Deller <deller@gmx.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agorevert "rlimit: permit setting RLIMIT_NOFILE to RLIM_INFINITY"
Andrew Morton [Wed, 4 Feb 2009 23:12:06 +0000 (15:12 -0800)]
revert "rlimit: permit setting RLIMIT_NOFILE to RLIM_INFINITY"

Revert commit 0c2d64fb6cae9aae480f6a46cfe79f8d7d48b59f because it causes
(arguably poorly designed) existing userspace to spend interminable
periods closing billions of not-open file descriptors.

We could bring this back, with some sort of opt-in tunable in /proc, which
defaults to "off".

Peter's alanysis follows:

: I spent several hours trying to get to the bottom of a serious
: performance issue that appeared on one of our servers after upgrading to
: 2.6.28.  In the end it's what could be considered a userspace bug that
: was triggered by a change in 2.6.28.  Since this might also affect other
: people I figured I'd at least document what I found here, and maybe we
: can even do something about it:
:
:
: So, I upgraded some of debian.org's machines to 2.6.28.1 and immediately
: the team maintaining our ftp archive complained that one of their
: scripts that previously ran in a few minutes still hadn't even come
: close to being done after an hour or so.  Downgrading to 2.6.27 fixed
: that.
:
: Turns out that script is forking a lot and something in it or python or
: whereever closes all the file descriptors it doesn't want to pass on.
: That is, it starts at zero and goes up to ulimit -n/RLIMIT_NOFILE and
: closes them all with a few exceptions.
:
: Turns out that takes a long time when your limit -n is now 2^20 (1048576).
:
: With 2.6.27.* the ulimit -n was the standard 1024, but with 2.6.28 it is
: now a thousand times that.
:
: 2.6.28 included a patch titled "rlimit: permit setting RLIMIT_NOFILE to
: RLIM_INFINITY" (0c2d64fb6cae9aae480f6a46cfe79f8d7d48b59f)[1] that
: allows, as the title implies, to set the limit for number of files to
: infinity.
:
: Closer investigation showed that the broken default ulimit did not apply
: to "system" processes (like stuff started from init).  In the end I
: could establish that all processes that passed through pam_limit at one
: point had the bad resource limit.
:
: Apparently the pam library in Debian etch (4.0) initializes the limits
: to some default values when it doesn't have any settings in limit.conf
: to override them.  Turns out that for nofiles this is RLIM_INFINITY.
: Commenting out "case RLIMIT_NOFILE" in pam_limit.c:267 of our pam
: package version 0.79-5 fixes that - tho I'm not sure what side effects
: that has.
:
: Debian lenny (the upcoming 5.0 version) doesn't have this issue as it
: uses a different pam (version).

Reported-by: Peter Palfrader <weasel@debian.org>
Cc: Adam Tkac <vonsch@gmail.com>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Cc: <stable@kernel.org> [2.6.28.x]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agoshm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM
Tony Battersby [Wed, 4 Feb 2009 23:12:04 +0000 (15:12 -0800)]
shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM

shm_get_stat() assumes that the inode is a "struct shmem_inode_info",
which is incorrect for !CONFIG_SHMEM (see fs/ramfs/inode.c:
ramfs_get_inode() vs.  mm/shmem.c: shmem_get_inode()).

This bad assumption can cause shmctl(SHM_INFO) to lockup when
shm_get_stat() tries to spin_lock(&info->lock).  Users of !CONFIG_SHMEM
may encounter this lockup simply by invoking the 'ipcs' command.

Reported by Jiri Olsa back in February 2008:
http://lkml.org/lkml/2008/2/29/74

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Reported-by: Jiri Olsa <olsajiri@gmail.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: <stable@kernel.org> [2.6.everything]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agofbmem: don't call copy_from/to_user() with mutex held
Andrea Righi [Wed, 4 Feb 2009 23:12:03 +0000 (15:12 -0800)]
fbmem: don't call copy_from/to_user() with mutex held

Avoid calling copy_from/to_user() with fb_info->lock mutex held in fbmem
ioctl().

fb_mmap() is called under mm->mmap_sem (A) held, that also acquires
fb_info->lock (B); fb_ioctl() takes fb_info->lock (B) and does
copy_from/to_user() that might acquire mm->mmap_sem (A), causing a
deadlock.

NOTE: it doesn't push down the fb_info->lock in each own driver's
fb_ioctl(), so there are still potential deadlocks elsewhere.

Signed-off-by: Andrea Righi <righi.andrea@gmail.com>
Cc: Dave Jones <davej@redhat.com>
Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
Cc: Johannes Weiner <hannes@saeurebad.de>
Cc: Krzysztof Helt <krzysztof.h1@wp.pl>
Cc: Harvey Harrison <harvey.harrison@gmail.com>
Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agortc: rtc-dm355evm driver
David Brownell [Wed, 4 Feb 2009 23:12:01 +0000 (15:12 -0800)]
rtc: rtc-dm355evm driver

Simple RTC driver for the MSP430 firmware on the DM355 EVM board.  Other
than not supporting atomic reads/writes of all four bytes, this is
reasonable as a basic no-alarm RTC.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Kevin Hilman <khilman@deeprootsystems.com>
Acked-by: Alessandro Zummo <a.zummo@towertech.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agomisc: dell-laptop should depend on POWER_SUPPLY
Matthew Garrett [Wed, 4 Feb 2009 23:12:00 +0000 (15:12 -0800)]
misc: dell-laptop should depend on POWER_SUPPLY

dell-laptop makes use of the power supply class information to choose
which backlight interface to change. Add a depends on it.

Signed-off-by: Matthew Garrett <mjg@redhat.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
Cc: Len Brown <lenb@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agogeneric swap(): don't return a value from swap()
Peter Zijlstra [Wed, 4 Feb 2009 23:11:59 +0000 (15:11 -0800)]
generic swap(): don't return a value from swap()

The swap() macro is accidentally retuning the value of its first argument.
Change it into a doesn't-return-anything macro before someone goes and
relies upon this behaviour.

Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Wu Fengguang <wfg@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agohpilo: open/close fix
David Altobelli [Wed, 4 Feb 2009 23:11:58 +0000 (15:11 -0800)]
hpilo: open/close fix

The device can take a while to respond to an open/close request, so
increase the time kernel will wait for response (1 ms to 10ms).

Also, properly clean up a channel on a failed open, by calling the channel
close routine.  Just freeing the memory isn't sufficient, the device needs
to be informed that the channel is no longer open, and the device memory
cleared of references to freed dma buffer.

Signed-off-by: David Altobelli <david.altobelli@hp.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agokernel/async.c: fix printk warnings
Andrew Morton [Wed, 4 Feb 2009 23:11:58 +0000 (15:11 -0800)]
kernel/async.c: fix printk warnings

alpha:

kernel/async.c: In function 'run_one_entry':
kernel/async.c:141: warning: format '%lli' expects type 'long long int', but argument 2 has type 'async_cookie_t'
kernel/async.c:149: warning: format '%lli' expects type 'long long int', but argument 2 has type 'async_cookie_t'
kernel/async.c:149: warning: format '%lld' expects type 'long long int', but argument 4 has type 's64'
kernel/async.c: In function 'async_synchronize_cookie_special':
kernel/async.c:250: warning: format '%lli' expects type 'long long int', but argument 3 has type 's64'

Cc: Arjan van de Ven <arjan@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
15 years agoMerge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Wed, 4 Feb 2009 21:58:50 +0000 (13:58 -0800)]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  x86: APIC: enable workaround on AMD Fam10h CPUs
  xen: disable interrupts before saving in percpu
  x86: add x86@kernel.org to MAINTAINERS
  x86: push old stack address on irqstack for unwinder
  irq, x86: fix lock status with numa_migrate_irq_desc
  x86: add cache descriptors for Intel Core i7
  x86/Voyager: make it build and boot

15 years agoMerge branch 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Wed, 4 Feb 2009 21:58:37 +0000 (13:58 -0800)]
Merge branch 'sched-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  sched: add missing kernel-doc in sched.h

15 years agoMerge branch 'tracing-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Wed, 4 Feb 2009 21:58:24 +0000 (13:58 -0800)]
Merge branch 'tracing-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'tracing-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  ftrace: do_each_pid_task() needs rcu lock

15 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
Linus Torvalds [Wed, 4 Feb 2009 17:39:12 +0000 (09:39 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ALSA: pcm_oss: AFMT_S24_LE is set twice in return value
  ALSA: ASoC: email - update email addresses.
  OMAP: ASoC: Fix spinlock misuse in omap-pcm.c
  ALSA: hda - No widget selection for volume knob widgets in proc output
  ALSA: hda - Add support of iMac 24 Aluminium
  ALSA: alsa: time reaches -1, tested 0
  ALSA: hda - Add quirk for another HP dv5 model

15 years agoMerge branch 'fix/asoc' into for-linus
Takashi Iwai [Wed, 4 Feb 2009 17:19:11 +0000 (18:19 +0100)]
Merge branch 'fix/asoc' into for-linus

15 years agoMerge branch 'fix/hda' into for-linus
Takashi Iwai [Wed, 4 Feb 2009 17:19:07 +0000 (18:19 +0100)]
Merge branch 'fix/hda' into for-linus

15 years agoALSA: pcm_oss: AFMT_S24_LE is set twice in return value
Roel Kluin [Wed, 4 Feb 2009 17:14:55 +0000 (18:14 +0100)]
ALSA: pcm_oss: AFMT_S24_LE is set twice in return value

AFMT_S24_LE is set twice in return value

vi sound/core/oss/pcm_oss.c +640
#define AFMT_S24_LE      0x00008000
#define AFMT_S24_BE      0x00010000

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
15 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney...
Linus Torvalds [Wed, 4 Feb 2009 15:56:25 +0000 (07:56 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/cooloney/blackfin-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/blackfin-2.6: (40 commits)
  Blackfin arch: Remove outdated code
  Blackfin arch: Fix udelay implementation
  Blackfin arch: Update Copyright information
  Blackfin arch: Add BF561 PPI POLS, POLC Masks
  Blackfin arch: Update CM-BF527 kernel config
  Blackfin arch: define bfin_memmap as static since it is only used here
  Blackfin arch: cplb mananger: use a do...while loop rather than a for loop
  Blackfin arch: fix bug - traps test case 19 for exception 0x2d fails
  Blackfin arch: add platform device bfin_mii-bus and KSZ8893M switch driver platform resources to board files
  Blackfin arch: build jtag tty driver as a module by default
  Blackfin arch: fix 2 bugs related to debug
  Blackfin arch: Add ANOMALY_05000380 to BF54x to kill the compile warning
  Blackfin arch: Fix bug - 561 SMP kernel can't boot from jffs2
  Blackfin arch: base SIC_IWR# programming on whether the MMR exists
  Blackfin arch: read SYSCR on newer parts that mirror the bits of SWRST in it
  Blackfin arch: fixup board init function name
  Blackfin arch: drop CONFIG_I2C_BOARDINFO ifdefs
  Blackfin arch: bfin_reset->_bfin_reset redirection no longer needed
  Blackfin arch: sync reboot handler with version in u-boot
  Blackfin arch: Faster Implementation of csum_tcpudp_nofold()
  ...

15 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6
Linus Torvalds [Wed, 4 Feb 2009 15:54:00 +0000 (07:54 -0800)]
Merge git://git./linux/kernel/git/davem/sparc-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6:
  sparc64: Kill bogus TPC/address truncation during 32-bit faults.
  sparc: fixup for sparseirq changes
  sparc64: Validate kernel generated fault addresses on sparc64.
  sparc64: On non-Niagara, need to touch NMI watchdog in NOHZ mode.
  sparc64: Implement NMI watchdog on capable cpus.
  sparc: Probe PMU type and record in sparc_pmu_type.
  sparc64: Move generic PCR support code to seperate file.

15 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
Linus Torvalds [Wed, 4 Feb 2009 15:52:21 +0000 (07:52 -0800)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
  sunrpc: fix rdma dependencies
  e1000: Fix PCI enable to honor the need_ioport flag
  sgi-xp: link XPNET's net_device_ops to its net_device structure
  pcnet_cs: Fix misuse of the equality operator.
  hso: add new device id's
  dca: redesign locks to fix deadlocks
  cassini/sungem: limit reaches -1, but 0 tested
  net: variables reach -1, but 0 tested
  qlge: bugfix: Add missing netif_napi_del call.
  qlge: bugfix: Add flash offset for second port.
  qlge: bugfix: Fix endian issue when reading flash.
  udp: increments sk_drops in __udp_queue_rcv_skb()
  net: Fix userland breakage wrt. linux/if_tunnel.h
  net: packet socket packet_lookup_frame fix

15 years agoMerge branch 'for-linus' of git://git.o-hand.com/linux-mfd
Linus Torvalds [Wed, 4 Feb 2009 15:40:54 +0000 (07:40 -0800)]
Merge branch 'for-linus' of git://git.o-hand.com/linux-mfd

* 'for-linus' of git://git.o-hand.com/linux-mfd:
  mfd: Remove non exported references from pcf50633

15 years agoMerge branch 'core/xen' into x86/urgent
Ingo Molnar [Wed, 4 Feb 2009 13:54:56 +0000 (14:54 +0100)]
Merge branch 'core/xen' into x86/urgent

15 years agoBlackfin arch: Remove outdated code
Michael Hennerich [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: Remove outdated code

The removed version with the loop registers saved on the stack was
originally intended to workaround the missing toolchain support for
LoopReg Clobbers.

Since our toolchain now supports these there is no point in keeping this
workaround. And since we don't touch LoopRegs anymore we're no longer
subject for ANOMALY_05000312.

Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: Fix udelay implementation
Michael Hennerich [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: Fix udelay implementation

Avoid possible overflow during 32*32->32 multiplies.

Reported-by: Marco Reppenhagen <marco.reppenhagen@auerswald.de>
Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: Update Copyright information
Michael Hennerich [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: Update Copyright information

Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: Add BF561 PPI POLS, POLC Masks
Michael Hennerich [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: Add BF561 PPI POLS, POLC Masks

Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: Update CM-BF527 kernel config
Michael Hennerich [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: Update CM-BF527 kernel config

Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: define bfin_memmap as static since it is only used here
Mike Frysinger [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: define bfin_memmap as static since it is only used here

Signed-off-by: Mike Frysinger <vapier.adi@gmail.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: cplb mananger: use a do...while loop rather than a for loop
Mike Frysinger [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: cplb mananger: use a do...while loop rather than a for loop

use a do...while loop rather than a for loop to get slightly better
optimization and to avoid gcc "may be used uninitialized" warnings ...
we know that the [id]cplb_nr_bounds variables will never be 0, so this
is OK

Signed-off-by: Mike Frysinger <vapier.adi@gmail.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: fix bug - traps test case 19 for exception 0x2d fails
Bernd Schmidt [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: fix bug - traps test case 19 for exception 0x2d fails

Enable null pointer checking for ICPLBs. The code was there but for
some reason I had commented it out at some stage during development.

Should restrict this to 1K since atomic ops start there.

Signed-off-by: Bernd Schmidt <bernds_cb1@t-online.de>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: add platform device bfin_mii-bus and KSZ8893M switch driver platform...
Graf Yang [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: add platform device bfin_mii-bus and KSZ8893M switch driver platform resources to board files

Signed-off-by: Graf Yang <graf.yang@analog.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: build jtag tty driver as a module by default
Mike Frysinger [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: build jtag tty driver as a module by default

Signed-off-by: Mike Frysinger <vapier.adi@gmail.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: fix 2 bugs related to debug
Jie Zhang [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: fix 2 bugs related to debug

 - unable to single step over emuexcpt instruction
 - gdbproxy goes into infinite loop when doing gdb does "next" over
   "emuexcpt"

Don't decrement PC after software breakpoint.

Signed-off-by: Jie Zhang <jie.zhang@analog.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: Add ANOMALY_05000380 to BF54x to kill the compile warning
Bryan Wu [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: Add ANOMALY_05000380 to BF54x to kill the compile warning

Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: Fix bug - 561 SMP kernel can't boot from jffs2
Graf Yang [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: Fix bug - 561 SMP kernel can't boot from jffs2

bss_l2 section is garbage when the data in this section is used by
_bfin_relocate_l1_mem, so move the zero out function ahead.

Signed-off-by: Graf Yang <graf.yang@analog.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: base SIC_IWR# programming on whether the MMR exists
Mike Frysinger [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: base SIC_IWR# programming on whether the MMR exists

base SIC_IWR# programming on whether the MMR exists
rather than having to maintain another list of processors

Signed-off-by: Mike Frysinger <vapier.adi@gmail.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: read SYSCR on newer parts that mirror the bits of SWRST in it
Mike Frysinger [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: read SYSCR on newer parts that mirror the bits of SWRST in it

Signed-off-by: Mike Frysinger <vapier.adi@gmail.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: fixup board init function name
Mike Frysinger [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: fixup board init function name

Signed-off-by: Mike Frysinger <vapier.adi@gmail.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>
15 years agoBlackfin arch: drop CONFIG_I2C_BOARDINFO ifdefs
Mike Frysinger [Wed, 4 Feb 2009 08:49:45 +0000 (16:49 +0800)]
Blackfin arch: drop CONFIG_I2C_BOARDINFO ifdefs

Drop CONFIG_I2C_BOARDINFO ifdefs as the common i2c header handles this
already by stubbing things out

Signed-off-by: Mike Frysinger <vapier.adi@gmail.com>
Signed-off-by: Bryan Wu <cooloney@kernel.org>