Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.9.173 2016-09-19T02:27:10Z 2016-09-19T02:27:10Z James Morris james.l.morris@oracle.com 2016-09-19T02:27:10Z urn:sha1:de2f4b3453d29934ceb41eccebd55ab087e17d6c 2016-08-09T00:58:57Z Mickaël Salaün mic@digikod.net 2016-07-09T18:19:15Z urn:sha1:a4f4528a3174646e654989262afdc8303835fcd5 Remove remaining kernel_module_from_file hook left by commit a1db74209483 ("module: replace copy_module_from_fd with kernel version") Signed-off-by: Mickaël Salaün <mic@digikod.net> Cc: Rusty Russell <rusty@rustcorp.com.au> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 2016-08-09T00:46:46Z Vivek Goyal vgoyal@redhat.com 2016-07-13T14:44:52Z urn:sha1:2602625b7e46576b00db619ac788c508ba3bcb2c During a new file creation we need to make sure new file is created with the right label. New file is created in upper/ so effectively file should get label as if task had created file in upper/. We switched to mounter's creds for actual file creation. Also if there is a whiteout present, then file will be created in work/ dir first and then renamed in upper. In none of the cases file will be labeled as we want it to be. This patch introduces a new hook dentry_create_files_as(), which determines the label/context dentry will get if it had been created by task in upper and modify passed set of creds appropriately. Caller makes use of these new creds for file creation. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: fix whitespace issues found with checkpatch.pl] [PM: changes to use stat->mode in ovl_create_or_link()] Signed-off-by: Paul Moore <paul@paul-moore.com> 2016-08-09T00:42:13Z Vivek Goyal vgoyal@redhat.com 2016-07-13T14:44:49Z urn:sha1:121ab822ef21914adac2fa3730efeeb8fd762473 Provide a security hook which is called when xattrs of a file are being copied up. This hook is called once for each xattr and LSM can return 0 if the security module wants the xattr to be copied up, 1 if the security module wants the xattr to be discarded on the copy, -EOPNOTSUPP if the security module does not handle/manage the xattr, or a -errno upon an error. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: whitespace cleanup for checkpatch.pl] Signed-off-by: Paul Moore <paul@paul-moore.com> 2016-08-09T00:06:53Z Vivek Goyal vgoyal@redhat.com 2016-07-13T15:13:56Z urn:sha1:d8ad8b49618410ddeafd78465b63a6cedd6c9484 Provide a security hook to label new file correctly when a file is copied up from lower layer to upper layer of a overlay/union mount. This hook can prepare a new set of creds which are suitable for new file creation during copy up. Caller will use new creds to create file and then revert back to old creds and release new creds. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: whitespace cleanup to appease checkpatch.pl] Signed-off-by: Paul Moore <paul@paul-moore.com> 2016-07-21T03:30:06Z Al Viro viro@zeniv.linux.org.uk 2016-07-20T20:06:15Z urn:sha1:4f3ccd76572a83278166c12f3e351e74cc03578c Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2016-05-17T21:41:03Z Linus Torvalds torvalds@linux-foundation.org 2016-05-17T21:41:03Z urn:sha1:c52b76185b7a1b300e5f15ff871c8f45ced3dee9 Pull 'struct path' constification update from Al Viro: "'struct path' is passed by reference to a bunch of Linux security methods; in theory, there's nothing to stop them from modifying the damn thing and LSM community being what it is, sooner or later some enterprising soul is going to decide that it's a good idea. Let's remove the temptation and constify all of those..." * 'work.const-path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: constify ima_d_path() constify security_sb_pivotroot() constify security_path_chroot() constify security_path_{link,rename} apparmor: remove useless checks for NULL ->mnt constify security_path_{mkdir,mknod,symlink} constify security_path_{unlink,rmdir} apparmor: constify common_perm_...() apparmor: constify aa_path_link() apparmor: new helper - common_path_perm() constify chmod_common/security_path_chmod constify security_sb_mount() constify chown_common/security_path_chown tomoyo: constify assorted struct path * apparmor_path_truncate(): path->mnt is never NULL constify vfs_truncate() constify security_path_truncate() [apparmor] constify struct path * in a bunch of helpers 2016-04-22T18:48:30Z Baolin Wang baolin.wang@linaro.org 2016-04-08T06:02:11Z urn:sha1:457db29bfcfd1d9cc717587c446a89d60499d4a9 security_settime() uses a timespec, which is not year 2038 safe on 32bit systems. Thus this patch introduces the security_settime64() function with timespec64 type. We also convert the cap_settime() helper function to use the 64bit types. This patch then moves security_settime() to the header file as an inline helper function so that existing users can be iteratively converted. None of the existing hooks is using the timespec argument and therefor the patch is not making any functional changes. Cc: Serge Hallyn <serge.hallyn@canonical.com>, Cc: James Morris <james.l.morris@oracle.com>, Cc: "Serge E. Hallyn" <serge@hallyn.com>, Cc: Paul Moore <pmoore@redhat.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Kees Cook <keescook@chromium.org> Cc: Prarit Bhargava <prarit@redhat.com> Cc: Richard Cochran <richardcochran@gmail.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@kernel.org> Reviewed-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Baolin Wang <baolin.wang@linaro.org> [jstultz: Reworded commit message] Signed-off-by: John Stultz <john.stultz@linaro.org> 2016-03-28T04:47:52Z Al Viro viro@zeniv.linux.org.uk 2016-03-25T19:31:19Z urn:sha1:3b73b68c05db0b3c9b282c6e8e6eb71acc589a02 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2016-03-28T04:47:51Z Al Viro viro@zeniv.linux.org.uk 2016-03-25T19:28:43Z urn:sha1:77b286c0d26a5399912f5affd90ed73e2d8b42a5 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>