1. 02 Jun, 2009 3 commits
  2. 28 May, 2009 1 commit
  3. 27 May, 2009 2 commits
    • integrity: nfsd imbalance bug fix · 14dba533
      Mimi Zohar authored
      An nfsd exported file is opened/closed by the kernel causing the
      integrity imbalance message.
      
      Before a file is opened, there normally is permission checking, which
      is done in inode_permission().  However, as integrity checking requires
      a dentry and mount point, which is not available in inode_permission(),
      the integrity (permission) checking must be called separately.
      
      In order to detect any missing integrity checking calls, we keep track
      of file open/closes.  ima_path_check() increments these counts and
      does the integrity (permission) checking. As a result, the number of
      calls to ima_path_check()/ima_file_free() should be balanced.  An extra
      call to fput() indicates the file could have been accessed without first
      calling ima_path_check().
      
      In nfsv3 permission checking is done once, followed by multiple reads,
      which do an open/close for each read.  The integrity (permission) checking
      call should be in nfsd_permission() after the inode_permission() call, but
      as there is no correlation between the number of permission checking and
      open calls, the integrity checking call should not increment the counters,
      but defer it to when the file is actually opened.
      
      This patch adds:
      - integrity (permission) checking for nfsd exported files in nfsd_permission().
      - a call to increment counts for files opened by nfsd.
      
      This patch has been updated to return the nfs error types.
      Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • rootplug: Remove redundant initialization. · 76b01875
      Tetsuo Handa authored
      We don't need to explicitly initialize to cap_* because
      it will be filled by security_fixup_ops().
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Acked-by: Serge Hallyn <serue@us.ibm.com>
      Signed-off-by: James Morris <jmorris@namei.org>
  4. 22 May, 2009 2 commits
  5. 21 May, 2009 4 commits
    • integrity: move ima_counts_get · c9d9ac52
      Mimi Zohar authored
      Based on discussion on lkml (Andrew Morton and Eric Paris),
      move ima_counts_get down a layer into shmem/hugetlb__file_setup().
      Resolves drm shmem_file_setup() usage case as well.
      
      HD comment:
        I still think you're doing this at the wrong level, but recognize
        that you probably won't be persuaded until a few more users of
        alloc_file() emerge, all wanting your ima_counts_get().
      
        Resolving GEM's shmem_file_setup() is an improvement, so I'll say
      Acked-by: Hugh Dickins <hugh.dickins@tiscali.co.uk>
      Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • integrity: path_check update · b9fc745d
      Mimi Zohar authored
      - Add support in ima_path_check() for integrity checking without
      incrementing the counts. (Required for nfsd.)
      - rename and export opencount_get to ima_counts_get
      - replace ima_shm_check calls with ima_counts_get
      - export ima_path_check
      Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • IMA: Add __init notation to ima functions · 932995f0
      Eric Paris authored
      A number of IMA functions only used during init are not marked with __init.
      Add those notations so they are freed automatically.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Acked-by: Mimi Zohar <zohar@us.ibm.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • IMA: Minimal IMA policy and boot param for TCB IMA policy · 5789ba3b
      Eric Paris authored
      The IMA TCB policy is dangerous.  A normal user can use all of a system's
      memory (which cannot be freed) simply by building and running lots of
      executables.  The TCB policy is also nearly useless because logging in as root
      often causes a policy violation when dealing with utmp, thus rendering the
      measurements meaningless.
      
      There is no good fix for this in the kernel.  A full TCB policy would need to
      be loaded in userspace using LSM rule matching to get both a protected and
      useful system.  But, if too little is measured before userspace can load a real
      policy one again ends up with a meaningless set of measurements.  One option
      would be to put the policy load inside the initrd in order to get it early
      enough in the boot sequence to be useful, but this runs into trouble with the
      LSM.  For IMA to measure the LSM policy and the LSM policy loading mechanism
      it needs rules to do so, but we already talked about problems with defaulting
      to such broad rules....
      
      IMA also depends on the files being measured to be on an FS which implements
      and supports i_version.  Since the only FS with this support (ext4) doesn't
      even use it by default it seems silly to have any IMA rules by default.
      
      This should reduce the performance overhead of IMA to near 0 while still
      letting users who choose to configure their machine as such to include the
      ima_tcb kernel parameter and get measurements during boot before they can
      load a customized, reasonable policy in userspace.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Acked-by: Mimi Zohar <zohar@us.ibm.com>
      Signed-off-by: James Morris <jmorris@namei.org>
  6. 20 May, 2009 16 commits
  7. 19 May, 2009 12 commits
    • drm: Round size of SHM maps to PAGE_SIZE · b6741377
      Benjamin Herrenschmidt authored
      Currently, userspace can fail to obtain the SAREA mapping (among other
      reasons) if it passes SAREA_MAX to drmAddMap without aligning it to the
      page size. This breaks for example on PowerPC with 64K pages and radeon
      despite the kernel radeon actually doing the right rounding in the first
      place.
      
      The way SAREA_MAX is defined with a bunch of ifdef's and duplicated
      between libdrm and the X server is gross, ultimately it should be
      retrieved by userspace from the kernel, but in the meantime, we have
      plenty of existing userspace built with bad values that need to work.
      
      This patch works around broken userspace by rounding the requested size
      in drm_addmap_core() of any SHM map to the page size. Since the backing
      memory for SHM maps is also allocated within addmap_core, there is no
      danger of adjacent memory being exposed due to the increased map size.
      The only side effect is that drivers that previously tried to create or
      access SHM maps using a size < PAGE_SIZE and failed (getting -EINVAL),
      will now succeed at the cost of a little bit more memory used if that
      happens to be when the map is created.
      Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
    • TPM: get_event_name stack corruption · fbaa5869
      Eric Paris authored
      get_event_name uses sprintf to fill a buffer declared on the stack.  It fills
      the buffer 2 bytes at a time.  What the code doesn't take into account is that
      sprintf(buf, "%02x", data) actually writes 3 bytes.  2 bytes for the data and
      then it nul terminates the string.  Since we declare buf to be 40 characters
      long and then we write 40 bytes of data into buf sprintf is going to write 41
      characters.  The fix is to leave room in buf for the nul terminator.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: James Morris <jmorris@namei.org>
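
The off-by-one described in the get_event_name commit above, as an added userspace C example that is not the kernel's code: hex-encoding n bytes with "%02x" needs 2 * n + 1 bytes of output, so 20 bytes of data do not fit in a 40-byte buffer. The names hex_buf_size and hex_encode and the sample digest are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes needed to hold n input bytes as hex text, including the NUL. */
static size_t hex_buf_size(size_t n)
{
    return 2 * n + 1;
}

/*
 * Hex-encode n bytes from in into out (capacity out_len).
 * Returns the string length (2 * n) on success, or -1 if out is too
 * small; on failure out is left as an empty string.
 */
static int hex_encode(const unsigned char *in, size_t n,
                      char *out, size_t out_len)
{
    size_t i;

    if (out_len == 0)
        return -1;
    out[0] = '\0';
    if (out_len < hex_buf_size(n))
        return -1;

    for (i = 0; i < n; i++) {
        /* Each call writes two hex digits plus a NUL (3 bytes). The
         * NUL is overwritten by the next iteration except on the last
         * one, which is why the buffer needs 2 * n + 1 bytes. */
        snprintf(out + 2 * i, out_len - 2 * i, "%02x", in[i]);
    }
    return (int)(2 * n);
}

int main(void)
{
    unsigned char digest[20];   /* constructed sample: 20-byte value */
    char too_small[40];         /* the size the commit describes as buggy */
    char ok[41];                /* room for the NUL terminator */
    size_t i;

    for (i = 0; i < sizeof(digest); i++)
        digest[i] = (unsigned char)(0xa0 + i);

    printf("40-byte buffer: %d\n",
           hex_encode(digest, sizeof(digest), too_small, sizeof(too_small)));
    printf("41-byte buffer: %d -> %s\n",
           hex_encode(digest, sizeof(digest), ok, sizeof(ok)), ok);
    return 0;
}
```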
    • futex: setup writeable mapping for futex ops which modify user space data · 64d1304a
      Thomas Gleixner authored
      The futex code installs a read only mapping via get_user_pages_fast()
      even if the futex op function has to modify user space data. The
      eventual fault was fixed up by futex_handle_fault() which walked the
      VMA with mmap_sem held.
      
      After the cleanup patches which removed the mmap_sem dependency of the
      futex code commit 4dc5b7a36a49eff97050894cf1b3a9a02523717 (futex:
      clean up fault logic) removed the private VMA walk logic from the
      futex code. This change results in a stale RO mapping which is not
      fixed up.
      
      Instead of reintroducing the previous fault logic we set up the
      mapping in get_user_pages_fast() read/write for all operations which
      modify user space data. Also handle private futexes in the same way
      and make the current unconditional access_ok(VERIFY_WRITE) depend on
      the futex op.
      Reported-by: Andreas Schwab <schwab@linux-m68k.org>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      CC: stable@kernel.org
    • Fix scripts/setlocalversion with tagged git commit · 33252572
      Nico Schottelius authored
      Produce correct output for
      - tagged commit (v2.6.30-rc6)
      - past tagged commit (v2.6.30-rc5-299-g7c7327d9)
      - no tag
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mfd: pcf50633: fix unsafe disable_irq() · f43ab901
      Nelson Castillo authored
      Without this change Openmoko Freerunner (GTA02) bootstrap will deadlock.
      As pointed out in other patches this issue is in the wild since the merge
      of:
      
      : commit 3aa551c9
      : Author: Thomas Gleixner <tglx@linutronix.de>
      : Date:   Mon Mar 23 18:28:15 2009 +0100
      :
      :    genirq: add threaded interrupt handler support
      :
      :    Add support for threaded interrupt handlers
      Signed-off-by: Nelson Castillo <arhuaco@freaks-unidos.net>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: <balajirrao@openmoko.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    • mfd: Keep a cache of WM8350 volatile values · b126d113
      Mark Brown authored
      Due to the way that the WM8350 audio driver handles CODEC_ENA many of
      the WM8350 audio registers are marked as volatile when they aren't
      actually so. Allow the audio driver to see a cache of these values for
      inspection during interrupt context.
      
      To do this we need to stop satisfying any bits from volatile registers
      from cache - there's no real benefit from doing so anyway, we did the
      read already.
      Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
      Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    • Merge branch 'fixes-for-linus' of git://git.monstr.eu/linux-2.6-microblaze · 279e677f
      Linus Torvalds authored
      * 'fixes-for-linus' of git://git.monstr.eu/linux-2.6-microblaze:
        microblaze: Fix kind-of-intr checking against number of interrupts
        microblaze: Update Microblaze defconfig
    • 467999f5
    • Avoid ICE in get_random_int() with gcc-3.4.5 · 26a9a418
      Linus Torvalds authored
      Martin Knoblauch reports that trying to build 2.6.30-rc6-git3 with
      RHEL4.3 userspace (gcc (GCC) 3.4.5 20051201 (Red Hat 3.4.5-2)) causes an
      internal compiler error (ICE):
      
          drivers/char/random.c: In function `get_random_int':
          drivers/char/random.c:1672: error: unrecognizable insn:
          (insn 202 148 150 0 /scratch/build/linux-2.6.30-rc6-git3/arch/x86/include/asm/tsc.h:23 (set (reg:SI 0 ax [91])
                  (subreg:SI (plus:DI (plus:DI (reg:DI 0 ax [88])
                              (subreg:DI (reg:SI 6 bp) 0))
                          (const_int -4 [0xfffffffffffffffc])) 0)) -1 (nil)
              (nil))
          drivers/char/random.c:1672: internal compiler error: in extract_insn, at recog.c:2083
      
      and after some debugging it turns out that it's due to the code trying
      to figure out the rough value of the current stack pointer by taking an
      address of an uninitialized variable and casting that to an integer.
      
      This is clearly a compiler bug, but it's not worth fighting - while the
      current stack kernel pointer might be somewhat hard to predict in user
      space, it's also not generally going to change for a lot of the call
      chains for a particular process.
      
      So just drop it, and mumble some incoherent curses at the compiler.
      Tested-by: Martin Knoblauch <spamtrap@knobisoft.de>
      Cc: Matt Mackall <mpm@selenic.com>
      Cc: Ingo Molnar <mingo@elte.hu>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • cifs: fix pointer initialization and checks in cifs_follow_symlink (try #4) · 8b6427a2
      Jeff Layton authored
      This is the third respin of the patch posted yesterday to fix the error
      handling in cifs_follow_symlink. It also includes a fix for a bogus NULL
      pointer check in CIFSSMBQueryUnixSymLink that Jeff Moyer spotted.
      
      It's possible for CIFSSMBQueryUnixSymLink to return without setting
      target_path to a valid pointer. If that happens then the current value
      to which we're initializing this pointer could cause an oops when it's
      kfree'd.
      
      This patch is a little more comprehensive than the last patches. It
      reorganizes cifs_follow_link a bit for (hopefully) better readability.
      It should also eliminate the unneeded allocation of full_path on servers
      without unix extensions (assuming they can get to this point anyway, of
      which I'm not convinced).
      
      On a side note, I'm not sure I agree with the logic of enabling this
      query even when unix extensions are disabled on the client. It seems
      like that should disable this as well. But, changing that is outside the
      scope of this fix, so I've left it alone for now.
      Reported-by: Jeff Moyer <jmoyer@redhat.com>
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
      Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
      Reviewed-by: Christoph Hellwig <hch@inraded.com>
      Signed-off-by: Steve French <sfrench@us.ibm.com>
    • selinux: remove obsolete read buffer limit from sel_read_bool · c5642f4b
      Stephen Smalley authored
      On Tue, 2009-05-19 at 00:05 -0400, Eamon Walsh wrote:
      > Recent versions of coreutils have bumped the read buffer size from 4K to
      > 32K in several of the utilities.
      >
      > This means that "cat /selinux/booleans/xserver_object_manager" no longer
      > works, it returns "Invalid argument" on F11.  getsebool works fine.
      >
      > sel_read_bool has a check for "count > PAGE_SIZE" that doesn't seem to
      > be present in the other read functions.  Maybe it could be removed?
      
      Yes, that check is obsoleted by the conversion of those functions to
      using simple_read_from_buffer(), which will reduce count if necessary to
      what is available in the buffer.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
    • xen/blkfront: fix warning when deleting gendisk on unplug/shutdown · 31a14400
      Ian Campbell authored
      Currently blkfront gives a warning when hot unplugging due to calling
      del_gendisk() with interrupts disabled (due to blkif_io_lock).
      
      WARNING: at kernel/softirq.c:124 local_bh_enable+0x36/0x84()
      Modules linked in: xenfs xen_netfront ext3 jbd mbcache xen_blkfront
      Pid: 13, comm: xenwatch Not tainted 2.6.29-xs5.5.0.13 #3
      Call Trace:
       [<c012611c>] warn_slowpath+0x80/0xb6
       [<c0104cf1>] xen_sched_clock+0x16/0x63
       [<c0104710>] xen_force_evtchn_callback+0xc/0x10
       [<c0104e32>] check_events+0x8/0xe
       [<c0104d9b>] xen_restore_fl_direct_end+0x0/0x1
       [<c0103749>] xen_mc_flush+0x10a/0x13f
       [<c0105bd2>] __switch_to+0x114/0x14e
       [<c011d92b>] dequeue_task+0x62/0x70
       [<c0123b6f>] finish_task_switch+0x2b/0x84
       [<c0299877>] schedule+0x66d/0x6e7
       [<c0104710>] xen_force_evtchn_callback+0xc/0x10
       [<c0104710>] xen_force_evtchn_callback+0xc/0x10
       [<c012a642>] local_bh_enable+0x36/0x84
       [<c022f9a7>] sk_filter+0x57/0x5c
       [<c0233dae>] netlink_broadcast+0x1d5/0x315
       [<c01c6371>] kobject_uevent_env+0x28d/0x331
       [<c01e7ead>] device_del+0x10f/0x120
       [<c01e7ec6>] device_unregister+0x8/0x10
       [<c015f86d>] bdi_unregister+0x2d/0x39
       [<c01bf6f4>] unlink_gendisk+0x23/0x3e
       [<c01ac946>] del_gendisk+0x7b/0xe7
       [<d0828c19>] blkfront_closing+0x28/0x6e [xen_blkfront]
       [<d082900c>] backend_changed+0x3ad/0x41d [xen_blkfront]
      
      We can fix this by calling del_gendisk() later in blkfront_closing, after
      releasing blkif_io_lock. Since the queue is stopped during the interrupts
      disabled phase I don't think there is any danger of an event occurring between
      releasing the blkif_io_lock and deleting the disk.
      Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
      Cc: Jeremy Fitzhardinge <jeremy@goop.org>
      Signed-off-by: Jens Axboe <jens.axboe@oracle.com>