1. 27 Nov, 2016 19 commits
  2. 24 Nov, 2016 1 commit
  3. 22 Nov, 2016 3 commits
  4. 21 Nov, 2016 1 commit
    • selinux: keep SELinux in sync with new capability definitions · 3322d0d6
      Stephen Smalley authored
      When a new capability is defined, SELinux needs to be updated.
      Trigger a build error if a new capability is defined without
      corresponding update to security/selinux/include/classmap.h's
      COMMON_CAP2_PERMS.  This is similar to BUILD_BUG_ON() guards
      in the SELinux nlmsgtab code to ensure that SELinux tracks
      new netlink message types as needed.
      
      Note that there is already a similar build guard in
      security/selinux/hooks.c to detect when more than 64
      capabilities are defined, since that will require adding
      a third capability class to SELinux.
      
      A nicer way to do this would be to extend scripts/selinux/genheaders
      or a similar tool to auto-generate the necessary definitions and code
      for SELinux capability checking from include/uapi/linux/capability.h.
      AppArmor does something similar in its Makefile, although it only
      needs to generate a single table of names.  That is left as future
      work.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      [PM: reformat the description to keep checkpatch.pl happy]
      Signed-off-by: Paul Moore <paul@paul-moore.com>
  5. 20 Nov, 2016 1 commit
    • selinux: normalize input to /sys/fs/selinux/enforce · ea49d10e
      Stephen Smalley authored
      At present, one can write any signed integer value to
      /sys/fs/selinux/enforce and it will be stored,
      e.g. echo -1 > /sys/fs/selinux/enforce or echo 2 >
      /sys/fs/selinux/enforce. This makes no real difference
      to the kernel, since it only ever cares if it is zero or non-zero,
      but some userspace code compares it with 1 to decide if SELinux
      is enforcing, and this could confuse it. Only a process that is
      already root and is allowed the setenforce permission in SELinux
      policy can write to /sys/fs/selinux/enforce, so this is not considered
      to be a security issue, but it should be fixed.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
  6. 15 Nov, 2016 1 commit
    • Smack: Remove unnecessary smack_known_invalid · 152f91d4
      Casey Schaufler authored
      The invalid Smack label ("") and the Huh ("?") Smack label
      serve the same purpose and having both is unnecessary.
      While pulling out the invalid label it became clear that
      the use of smack_from_secid() was inconsistent, so that
      is repaired. The setting of inode labels to the invalid
      label could never happen in a functional system, has
      never been observed in the wild and is not what you'd
      really want for a failure behavior in any case. That is
      removed.
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
  7. 14 Nov, 2016 10 commits
  8. 13 Nov, 2016 4 commits
    • Merge commit 'v4.9-rc5' into next · 185c0f26
      James Morris authored
    • Linux 4.9-rc5 · a25f0944
      Linus Torvalds authored
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · e234832a
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "ARM fixes.  There are a couple pending x86 patches but they'll have to
        wait for next week"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: arm/arm64: vgic: Kick VCPUs when queueing already pending IRQs
        KVM: arm/arm64: vgic: Prevent access to invalid SPIs
        arm/arm64: KVM: Perform local TLB invalidation when multiplexing vcpus on a single CPU
    • Merge branch 'media-fixes' (patches from Mauro) · e861d890
      Linus Torvalds authored
      Merge media fixes from Mauro Carvalho Chehab:
       "This contains two patches fixing problems with my patch series meant
        to make USB drivers work again after the DMA on stack changes.
      
        The last patch on this series is actually not related to DMA on stack.
        It solves a longstanding bug affecting module unload, causing
        module_put() to be called twice. It was reported by the user who
        reported and tested the issues with the gp8psk driver with the DMA
        fixup patches. As we're late in the -rc cycle, maybe you prefer not to
        apply it right now. If this is the case, I'll add it to the pile of
        patches for 4.10.
      
        Exceptionally this time, I'm sending the patches via e-mail, because
        I'm on another trip, and won't be able to use the usual procedure
        until Monday. Also, it is only three patches, and you already followed
        the discussions about the first one"
      
      * emailed patches from Mauro Carvalho Chehab <mchehab@osg.samsung.com>:
        gp8psk: Fix DVB frontend attach
        gp8psk: fix gp8psk_usb_in_op() logic
        dvb-usb: move data_mutex to struct dvb_usb_device