1. 27 May, 2015 1 commit
    • Luis R. Rodriguez's avatar
      kernel/params: constify struct kernel_param_ops uses · 9c27847d
      Luis R. Rodriguez authored
      Most code already uses consts for the struct kernel_param_ops,
      sweep the kernel for the last offending stragglers. Other than
      include/linux/moduleparam.h and kernel/params.c all other changes
      were generated with the following Coccinelle SmPL patch. Merge
      conflicts between trees can be handled with Coccinelle.
      
      In the future git could get Coccinelle merge support to deal with
      patch --> fail --> grammar --> Coccinelle --> new patch conflicts
      automatically for us on patches where the grammar is available and
      the patch is of high confidence. Consider this a feature request.
      
      Test compiled on x86_64 against:
      
      	* allnoconfig
      	* allmodconfig
      	* allyesconfig
      
      @ const_found @
      identifier ops;
      @@
      
      const struct kernel_param_ops ops = {
      };
      
      @ const_not_found depends on !const_found @
      identifier ops;
      @@
      
      -struct kernel_param_ops ops = {
      +const struct kernel_param_ops ops = {
      };
      
      Generated-by: Coccinelle SmPL
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: Junio C Hamano <gitster@pobox.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: cocci@systeme.lip6.fr
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarLuis R. Rodriguez <mcgrof@suse.com>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      9c27847d
  2. 11 May, 2015 3 commits
  3. 15 Apr, 2015 1 commit
  4. 11 Apr, 2015 1 commit
  5. 22 Feb, 2015 1 commit
  6. 27 Aug, 2014 1 commit
  7. 06 Feb, 2014 1 commit
  8. 29 Oct, 2013 1 commit
  9. 20 Aug, 2013 1 commit
  10. 14 Aug, 2013 3 commits
  11. 28 Apr, 2013 5 commits
  12. 22 Feb, 2013 1 commit
  13. 21 Sep, 2012 1 commit
  14. 31 May, 2012 2 commits
  15. 09 Apr, 2012 3 commits
  16. 03 Apr, 2012 1 commit
  17. 12 Jan, 2012 1 commit
  18. 06 Jan, 2012 1 commit
  19. 05 Jan, 2012 1 commit
    • Eric Paris's avatar
      capabilities: remove the task from capable LSM hook entirely · 6a9de491
      Eric Paris authored
      The capabilities framework is based around credentials, not necessarily the
      current task.  Yet we still passed the current task down into LSMs from the
      security_capable() LSM hook as if it was a meaningful portion of the security
      decision.  This patch removes the 'generic' passing of current and instead
      forces individual LSMs to use current explicitly if they think it is
      appropriate.  In our case those LSMs are SELinux and AppArmor.
      
      I believe the AppArmor use of current is incorrect, but that is wholely
      unrelated to this patch.  This patch does not change what AppArmor does, it
      just makes it clear in the AppArmor code that it is doing it.
      
      The SELinux code still uses current in it's audit message, which may also be
      wrong and needs further investigation.  Again this is NOT a change, it may
      have always been wrong, this patch just makes it clear what is happening.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      6a9de491
  20. 03 Jan, 2012 3 commits
  21. 15 Dec, 2011 1 commit
  22. 28 Jun, 2011 1 commit
    • John Johansen's avatar
      AppArmor: Fix masking of capabilities in complain mode · 25e75dff
      John Johansen authored
      AppArmor is masking the capabilities returned by capget against the
      capabilities mask in the profile.  This is wrong, in complain mode the
      profile has effectively all capabilities, as the profile restrictions are
      not being enforced, merely tested against to determine if an access is
      known by the profile.
      
      This can result in the wrong behavior of security conscience applications
      like sshd which examine their capability set, and change their behavior
      accordingly.  In this case because of the masked capability set being
      returned sshd fails due to DAC checks, even when the profile is in complain
      mode.
      
      Kernels affected: 2.6.36 - 3.0.
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      25e75dff
  23. 08 Jun, 2011 1 commit
    • John Johansen's avatar
      AppArmor: Fix sleep in invalid context from task_setrlimit · 1780f2d3
      John Johansen authored
      Affected kernels 2.6.36 - 3.0
      
      AppArmor may do a GFP_KERNEL memory allocation with task_lock(tsk->group_leader);
      held when called from security_task_setrlimit.  This will only occur when the
      task's current policy has been replaced, and the task's creds have not been
      updated before entering the LSM security_task_setrlimit() hook.
      
      BUG: sleeping function called from invalid context at mm/slub.c:847
       in_atomic(): 1, irqs_disabled(): 0, pid: 1583, name: cupsd
       2 locks held by cupsd/1583:
        #0:  (tasklist_lock){.+.+.+}, at: [<ffffffff8104dafa>] do_prlimit+0x61/0x189
        #1:  (&(&p->alloc_lock)->rlock){+.+.+.}, at: [<ffffffff8104db2d>]
      do_prlimit+0x94/0x189
       Pid: 1583, comm: cupsd Not tainted 3.0.0-rc2-git1 #7
       Call Trace:
        [<ffffffff8102ebf2>] __might_sleep+0x10d/0x112
        [<ffffffff810e6f46>] slab_pre_alloc_hook.isra.49+0x2d/0x33
        [<ffffffff810e7bc4>] kmem_cache_alloc+0x22/0x132
        [<ffffffff8105b6e6>] prepare_creds+0x35/0xe4
        [<ffffffff811c0675>] aa_replace_current_profile+0x35/0xb2
        [<ffffffff811c4d2d>] aa_current_profile+0x45/0x4c
        [<ffffffff811c4d4d>] apparmor_task_setrlimit+0x19/0x3a
        [<ffffffff811beaa5>] security_task_setrlimit+0x11/0x13
        [<ffffffff8104db6b>] do_prlimit+0xd2/0x189
        [<ffffffff8104dea9>] sys_setrlimit+0x3b/0x48
        [<ffffffff814062bb>] system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Reported-by: default avatarMiles Lane <miles.lane@gmail.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      1780f2d3
  24. 31 May, 2011 1 commit
  25. 23 Mar, 2011 1 commit
    • Serge E. Hallyn's avatar
      userns: security: make capabilities relative to the user namespace · 3486740a
      Serge E. Hallyn authored
      - Introduce ns_capable to test for a capability in a non-default
        user namespace.
      - Teach cap_capable to handle capabilities in a non-default
        user namespace.
      
      The motivation is to get to the unprivileged creation of new
      namespaces.  It looks like this gets us 90% of the way there, with
      only potential uid confusion issues left.
      
      I still need to handle getting all caps after creation but otherwise I
      think I have a good starter patch that achieves all of your goals.
      
      Changelog:
      	11/05/2010: [serge] add apparmor
      	12/14/2010: [serge] fix capabilities to created user namespaces
      	Without this, if user serge creates a user_ns, he won't have
      	capabilities to the user_ns he created.  THis is because we
      	were first checking whether his effective caps had the caps
      	he needed and returning -EPERM if not, and THEN checking whether
      	he was the creator.  Reverse those checks.
      	12/16/2010: [serge] security_real_capable needs ns argument in !security case
      	01/11/2011: [serge] add task_ns_capable helper
      	01/11/2011: [serge] add nsown_capable() helper per Bastian Blank suggestion
      	02/16/2011: [serge] fix a logic bug: the root user is always creator of
      		    init_user_ns, but should not always have capabilities to
      		    it!  Fix the check in cap_capable().
      	02/21/2011: Add the required user_ns parameter to security_capable,
      		    fixing a compile failure.
      	02/23/2011: Convert some macros to functions as per akpm comments.  Some
      		    couldn't be converted because we can't easily forward-declare
      		    them (they are inline if !SECURITY, extern if SECURITY).  Add
      		    a current_user_ns function so we can use it in capability.h
      		    without #including cred.h.  Move all forward declarations
      		    together to the top of the #ifdef __KERNEL__ section, and use
      		    kernel-doc format.
      	02/23/2011: Per dhowells, clean up comment in cap_capable().
      	02/23/2011: Per akpm, remove unreachable 'return -EPERM' in cap_capable.
      
      (Original written and signed off by Eric;  latest, modified version
      acked by him)
      
      [akpm@linux-foundation.org: fix build]
      [akpm@linux-foundation.org: export current_user_ns() for ecryptfs]
      [serge.hallyn@canonical.com: remove unneeded extra argument in selinux's task_has_capability]
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarSerge E. Hallyn <serge.hallyn@canonical.com>
      Acked-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Acked-by: default avatarDaniel Lezcano <daniel.lezcano@free.fr>
      Acked-by: default avatarDavid Howells <dhowells@redhat.com>
      Cc: James Morris <jmorris@namei.org>
      Signed-off-by: default avatarSerge E. Hallyn <serge.hallyn@canonical.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3486740a
  26. 08 Mar, 2011 1 commit
  27. 10 Nov, 2010 1 commit