Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.5-rc2 2012-06-01T14:37:01Z 2012-06-01T14:37:01Z Al Viro viro@zeniv.linux.org.uk 2012-05-30T21:11:23Z urn:sha1:8b3ec6814c83d76b85bd13badc48552836c24839 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-05-31T17:11:54Z Al Viro viro@zeniv.linux.org.uk 2012-05-30T17:30:51Z urn:sha1:e5467859f7f79b69fc49004403009dfdba3bec53 ... i.e. file-dependent and address-dependent checks. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-05-31T17:10:54Z Al Viro viro@zeniv.linux.org.uk 2012-05-30T17:11:37Z urn:sha1:d007794a182bc072a7b7479909dbd0d67ba341be ... switch callers. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-05-22T01:21:06Z James Morris james.l.morris@oracle.com 2012-05-22T01:21:06Z urn:sha1:ff2bb047c4bce9742e94911eeb44b4d6ff4734ab Per pull request, for 3.5. 2012-04-14T01:13:18Z Andy Lutomirski luto@amacapital.net 2012-04-12T21:47:50Z urn:sha1:259e5e6c75a910f3b5e656151dc602f53f9d7548 With this change, calling prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) disables privilege granting operations at execve-time. For example, a process will not be able to execute a setuid binary to change their uid or gid if this bit is set. The same is true for file capabilities. Additionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that LSMs respect the requested behavior. To determine if the NO_NEW_PRIVS bit is set, a task may call prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); It returns 1 if set and 0 if it is not set. If any of the arguments are non-zero, it will return -1 and set errno to -EINVAL. (PR_SET_NO_NEW_PRIVS behaves similarly.) This functionality is desired for the proposed seccomp filter patch series. By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the system call behavior for itself and its child tasks without being able to impact the behavior of a more privileged task. Another potential use is making certain privileged operations unprivileged. For example, chroot may be considered "safe" if it cannot affect privileged tasks. Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is set and AppArmor is in use. It is fixed in a subsequent patch. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Will Drewry <wad@chromium.org> Acked-by: Eric Paris <eparis@redhat.com> Acked-by: Kees Cook <keescook@chromium.org> v18: updated change desc v17: using new define values as per 3.4 Signed-off-by: James Morris <james.l.morris@oracle.com> 2012-04-09T16:22:50Z Eric Paris eparis@redhat.com 2012-04-04T17:45:40Z urn:sha1:83d498569e9a7a4b92c4c5d3566f2d6a604f28c9 dentry_open takes a file, rename it to file_open Signed-off-by: Eric Paris <eparis@redhat.com> 2012-03-21T20:25:04Z Linus Torvalds torvalds@linux-foundation.org 2012-03-21T20:25:04Z urn:sha1:3556485f1595e3964ba539e39ea682acbb835cee Pull security subsystem updates for 3.4 from James Morris: "The main addition here is the new Yama security module from Kees Cook, which was discussed at the Linux Security Summit last year. Its purpose is to collect miscellaneous DAC security enhancements in one place. This also marks a departure in policy for LSM modules, which were previously limited to being standalone access control systems. Chromium OS is using Yama, and I believe there are plans for Ubuntu, at least. This patchset also includes maintenance updates for AppArmor, TOMOYO and others." Fix trivial conflict in <net/sock.h> due to the jumo_label->static_key rename. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (38 commits) AppArmor: Fix location of const qualifier on generated string tables TOMOYO: Return error if fails to delete a domain AppArmor: add const qualifiers to string arrays AppArmor: Add ability to load extended policy TOMOYO: Return appropriate value to poll(). AppArmor: Move path failure information into aa_get_name and rename AppArmor: Update dfa matching routines. AppArmor: Minor cleanup of d_namespace_path to consolidate error handling AppArmor: Retrieve the dentry_path for error reporting when path lookup fails AppArmor: Add const qualifiers to generated string tables AppArmor: Fix oops in policy unpack auditing AppArmor: Fix error returned when a path lookup is disconnected KEYS: testing wrong bit for KEY_FLAG_REVOKED TOMOYO: Fix mount flags checking order. security: fix ima kconfig warning AppArmor: Fix the error case for chroot relative path name lookup AppArmor: fix mapping of META_READ to audit and quiet flags AppArmor: Fix underflow in xindex calculation AppArmor: Fix dropping of allowed operations that are force audited AppArmor: Add mising end of structure test to caps unpacking ... 2012-02-28T15:01:55Z Javier Martinez Canillas javier@dowhile0.org 2012-02-15T10:58:54Z urn:sha1:fbe74e361c6586cdd996bc2805033999dd469e99 unix_may_send hook has the prototype: int (*unix_may_send) (struct socket *sock, struct socket *other) so the documentation is wrongly referring to the second argument as @sock. Signed-off-by: Javier Martinez Canillas <javier@dowhile0.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 2012-02-13T23:45:42Z Al Viro viro@ftp.linux.org.uk 2012-02-13T03:58:52Z urn:sha1:4040153087478993cbf0809f444400a3c808074c Trim security.h Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: James Morris <jmorris@namei.org> 2012-02-13T23:45:39Z Al Viro viro@ftp.linux.org.uk 2012-02-13T03:58:52Z urn:sha1:191c542442fdf53cc3c496c00be13367fd9cd42d Collapse security_vm_enough_memory() variants into a single function. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: James Morris <jmorris@namei.org>