From: Rik Faith <faith@redhat.com>

This patch provides a low-overhead system-call auditing framework for Linux
that is usable by LSM components (e.g., SELinux).  This is an update of the
patch discussed in this thread:

    http://marc.theaimsgroup.com/?t=107815888100001&r=1&w=2

In brief, it provides for netlink-based logging of audit records that have
been generated in other parts of the kernel (e.g., SELinux) as well as the
ability to audit system calls, either independently (using simple
filtering) or as a compliment to the audit record that another part of the
kernel generated.

The main goals were to provide system call auditing with 1) as low overhead
as possible, and 2) without duplicating functionality that is already
provided by SELinux (and/or other security infrastructures).  This
framework will work "stand-alone", but is not designed to provide, e.g.,
CAPP functionality without another security component in place.

This updated patch includes changes from feedback I have received,
including the ability to compile without CONFIG_NET (and better use of
tabs, so use -w if you diff against the older patch).

Please see http://people.redhat.com/faith/audit/ for an early example
user-space client (auditd-0.4.tar.gz) and instructions on how to try it.

My future intentions at the kernel level include improving filtering (e.g.,
syscall personality/exit codes) and syscall support for more architectures.
 First, though, I'm going to work on documentation, a (real) audit daemon,
and patches for other user-space tools so that people can play with the
framework and understand how it can be used with and without SELinux.


Update:

Light-weight Auditing Framework receive filter fixes
From: Rik Faith <faith@redhat.com>

Since audit_receive_filter() is only called with audit_netlink_sem held, it
cannot race with either audit_del_rule() or audit_add_rule(), so the
list_for_each_entry_rcu()s may be replaced by list_for_each_entry()s, and
the rcu_read_{un,}lock()s removed.  A fix for this is part of the attached
patch.

Other features of the attached patch are:

1) generalized the ability to test for inequality

2) added syscall exit status reporting and testing

3) added ability to report and test first 4 syscall arguments (this adds
   a large amount of flexibility for little cost; not implemented or tested
   on ppc64)

4) added ability to report and test personality

User-space demo program enhanced for new fields and inequality testing:
http://people.redhat.com/faith/audit/auditd-0.5.tar.gz

This patch removes a harmless duplicate assignment from the IPv6 code.

From: James Morris <jmorris@redhat.com>

The patch below adds explicit IPv6 support to SELinux.

Brief description of changes:

o IPv6 networking is now subject to the same controls as IPv4 (in
  addition to the generic socket permissions which cover all protocols),
  namely: bind to local node address; bind to local port; send & receive
  TCP/UDP and raw IP packets based on local network interface and remote
  node address.

o Packet parsing has been extended to IPv6 packets for logging and
  control, and simplified for IPv4.

o Support for logging of IPv6 addresses has also been added.

o The kernel policy database code has been modified to support IPv6, and
  reworked to provide generic security policy version handling so that
  older policy versions will still work, making upgrading simpler.

Corresponding userspace patches are available at
<http://people.redhat.com/jmorris/selinux/ipv6/>, although current
userspace tools will continue to function normally (but without explicit
IPv6 support).

For more details at the security management level, see
<http://marc.theaimsgroup.com/?l=selinux&m=108068187630948&w=2>

This code has been under testing and review for several weeks.

From: Chris Mason <mason@suse.com>

reiserfs-writepage-ordered-race needs a minor update to include your latest
__block_write_full_page fixes for the direct_read_under bug Daniel was
hitting.

fs/reiserfs/journal.c: In function `reiserfs_end_persistent_transaction':
fs/reiserfs/journal.c:2616: warning: unused variable `s'

Make the functions static inline so that typechecking is enabled if
!CONFIG_REISERFS_CHECK.

From: Chris Mason <mason@suse.com>

block_write_full_page() might see and lock clean metadata buffers, which leads
to journal-1777 messages.  Change the message to ignore bh locked.

From: Chris Mason <mason@suse.com>

Some latency improvements for the reiserfs data=ordered code from Takashi.

From: Chris Mason <mason@suse.com>

reiserfs_unmap_buffer should clean and wait on all buffers.  This fixes a
leak under fsx workloads.

From: Chris Mason <mason@suse.com>

Add reiserfs support for laptop mode.

From: Chris Mason <mason@suse.com>

reiserfs_file_write makes a hole one block too large if it is the first thing
in the file.

From: Chris Mason <mason@suse.com>

Fix reiserfs_writepage so it doesn't race with data=ordered writes.  This
still has a pending fix to redirty the page when it finds a locked buffer. 
Waiting for Andrew to finish sorting that out on ext3 first.

From: Chris Mason <mason@suse.com>

Repacking a tail might leave a journal handle attached to an unmapped buffer.
 If that buffer gets dirtied again (via mmap for example), the reiserfs
data=ordered code might try to write the dirty unmapped buffer to disk.

The fix is to make sure we remove the journal handle when we unmap buffers.

From: Chris Mason <mason@suse.com>

Enable preallocation for reiserfs_file_write when the write size is smaller
than the default preallocation size.

From: Chris Mason <mason@suse.com>

Make sure to hold the BKL while ending a transaction in the error path or
reiserfs_prepare_write.

From: Chris Mason <mason@suse.com>

reiserfs data=ordered support.

From: Chris Mason <mason@suse.com>

reiserfs logging rework, making things much faster for small transactions. 
metadata buffers are dirtied when they are safe to write, so normal kernel
mechanisms can contribute to log cleaning.

From: Chris Mason <mason@suse.com>

reiserfs cleanup, get rid of old debugging code.

From: Chris Mason <mason@suse.com>

reiserfs support for nested transactions.  This originally came from Peter
Braam for 2.4.x and was ported forward by Jeff Mahoney.

ext3 transaction batching has been ineffective since the scheduler changes
forced us to replace the yield() with a schedule().

Using schedule_timeout(1) fixes it up again.  Benchmarking is positive with
wither a 1 or 10 millisecond delay in there, so there appears to be no need
to play around with HZ.

From: Kurt Garloff <garloff@suse.de>

A patch to parse the elf binaries for a PT_GNU_STACK section to set the stack
non-executable if possible.  Most parts have been shamelessly stolen from
Ingo Molnar's more ambitious stackshield
http://people.redhat.com/mingo/exec-shield/exec-shield-2.6.4-C9

The toolchain has meanwhile support for marking the binaries with a
PT_GNU_STACK section wwithout x bit as needed.

If no such section is found, we leave the stack to whatever the arch defaults
to.  If there is one, we explicitly disabled the VM_EXEC bit if no x bit is
found, otherwise explicitly enable.

- s/__inline__/inline/

- Remove lots of extraneous andi-was-here trailing whitespace

From: "Paul E. McKenney" <paulmck@us.ibm.com>

The attached patch improves the documentation of the _rcu list primitives.

From: "Luiz Fernando N. Capitulino" <lcapitulino@prefeitura.sp.gov.br>

IBM LAN Adapter/A driver depends on mca-legacy.

From: "Luiz Fernando N. Capitulino" <lcapitulino@prefeitura.sp.gov.br>

drivers/net/wan/cycx_drv.c: In function `load_cyc2x':
drivers/net/wan/cycx_drv.c:430: warning: unsigned int format, long unsigned int arg (arg 3)

From: Pavel Machek <pavel@ucw.cz>

This function will break with -mregparm, so mark it asmlinkage.

From: "Luiz Fernando N. Capitulino" <lcapitulino@prefeitura.sp.gov.br>

drivers/media/dvb/frontends/tda1004x.c:191: warning: `errno' defined but not used

From: "Luiz Fernando N. Capitulino" <lcapitulino@prefeitura.sp.gov.br>

sound/isa/wavefront/wavefront_synth.c:1923: warning: `errno' defined but not used

With CONFIG_LBD=n:

fs/open.c: In function `vfs_statfs_native':
fs/open.c:67: warning: comparison is always true due to limited range of data type
fs/open.c:70: warning: comparison is always true due to limited range of data type

From: Olaf Kirch <okir@suse.de>

The attached patch fixes a problem with the 32bit statfs call on NFS file
systems.  Some NFS servers return a value of -1 for the f_files and f_ffree.
The current code would think this is a 64bit value that cannot be converted
to 32bits.  Consequently, the system call would always fail.

The patch adds two special if() to detect a value of -1 for f_files and
f_ffree.

From: Trond Myklebust <trond.myklebust@fys.uio.no>

Fixes the Oops reported by Paul Blazejowski.  Bug turned out to be in the page
overflow checking for READDIRPLUS.

From: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>

From: Gerd Knorr <kraxel@bytesex.org>

This is a update for the cx88 driver.  There are *lots* of changes:

  * vbi support was added.
  * plenty of fixes for audio support (there are still problems
    through).
  * new cards added.
  * serveral minor tweaks.

From: Gerd Knorr <kraxel@bytesex.org>

This patch updates the documentation for the v4l drivers.

From: Gerd Knorr <kraxel@bytesex.org>

This patch updates the bttv driver.  Changes:

  (1) several card-specific tweaks.
  (2) make software vs. hardware i2c configurable per TV card.
  (3) reinitialize image parameters after chip reset.
  (4) make bttv quite by default on frame drops.
  (5) new insmod option: "debug_latency=1" to enable frame drop
      debug messages.

bttv is quite sensitive to irq latencies, especially when capturing both
video and vbi.  There are several reports about problems due to this, I don't
see that on my machines through.  (5) dumps a stracktrace if the driver
thinks the frame drop is is caused by high latencies as experiment, lets see
whenever that helps ...

drivers/built-in.o(.text+0x32912b): In function `dsp_buffer_init':
drivers/media/video/saa7134/saa7134-oss.c:77: undefined reference to `videobuf_dma_init'

From: Gerd Knorr <kraxel@bytesex.org>

This is a update for the saa7134 driver.  Changes:

  * add cropping support.
  * fix Makefile to build the saa6752hs module.
  * fix locking bug in oss dsp driver.
  * infrared remote keytable update.
  * some card-specific fixes.

From: Gerd Knorr <kraxel@bytesex.org>

Trivial patch, $subject says all, just a new keytable.

From: Gerd Knorr <kraxel@bytesex.org>

This patch allows to use switch to the second external input of the msp34xx
chips.  Also has some minor cleanups and more verbose debug info.

From: Gerd Knorr <kraxel@bytesex.org>

This patch fixes a bug in the tuner descriptions and prepares for the removal
of the type= insmod option by printing a warning when it is used.

From: Gerd Knorr <kraxel@bytesex.org>

Minor tweak in the v4l1 compatibility layer: Make sure that capture actually
is active before going to wait for a frame so we don't block forever.