1. 24 Nov, 2015 1 commit
    • Stephen Smalley's avatar
      selinux: fix bug in conditional rules handling · f3bef679
      Stephen Smalley authored
      commit fa1aa143 ("selinux: extended permissions for ioctls")
      introduced a bug into the handling of conditional rules, skipping the
      processing entirely when the caller does not provide an extended
      permissions (xperms) structure.  Access checks from userspace using
      /sys/fs/selinux/access do not include such a structure since that
      interface does not presently expose extended permission information.
      As a result, conditional rules were being ignored entirely on userspace
      access requests, producing denials when access was allowed by
      conditional rules in the policy.  Fix the bug by only skipping
      computation of extended permissions in this situation, not the entire
      conditional rules processing.
      Reported-by: default avatarLaurent Bigonville <bigon@debian.org>
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      [PM: fixed long lines in patch description]
      Cc: stable@vger.kernel.org # 4.3
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      f3bef679
  2. 21 Oct, 2015 9 commits
  3. 20 Oct, 2015 2 commits
  4. 19 Oct, 2015 1 commit
    • Zbigniew Jasinski's avatar
      Smack: limited capability for changing process label · 38416e53
      Zbigniew Jasinski authored
      This feature introduces new kernel interface:
      
      - <smack_fs>/relabel-self - for setting transition labels list
      
      This list is used to control smack label transition mechanism.
      List is set by, and per process. Process can transit to new label only if
      label is on the list. Only process with CAP_MAC_ADMIN capability can add
      labels to this list. With this list, process can change it's label without
      CAP_MAC_ADMIN but only once. After label changing, list is unset.
      
      Changes in v2:
      * use list_for_each_entry instead of _rcu during label write
      * added missing description in security/Smack.txt
      
      Changes in v3:
      * squashed into one commit
      
      Changes in v4:
      * switch from global list to per-task list
      * since the per-task list is accessed only by the task itself
        there is no need to use synchronization mechanisms on it
      
      Changes in v5:
      * change smackfs interface of relabel-self to the one used for onlycap
        multiple labels are accepted, separated by space, which
        replace the previous list upon write
      Signed-off-by: default avatarZbigniew Jasinski <z.jasinski@samsung.com>
      Signed-off-by: default avatarRafal Krypa <r.krypa@samsung.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      38416e53
  5. 18 Oct, 2015 18 commits
  6. 09 Oct, 2015 5 commits
  7. 04 Oct, 2015 4 commits
    • Linus Torvalds's avatar
      Linux 4.3-rc4 · 049e6dde
      Linus Torvalds authored
      049e6dde
    • Linus Torvalds's avatar
      Merge branch 'strscpy' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile · 30c44659
      Linus Torvalds authored
      Pull strscpy string copy function implementation from Chris Metcalf.
      
      Chris sent this during the merge window, but I waffled back and forth on
      the pull request, which is why it's going in only now.
      
      The new "strscpy()" function is definitely easier to use and more secure
      than either strncpy() or strlcpy(), both of which are horrible nasty
      interfaces that have serious and irredeemable problems.
      
      strncpy() has a useless return value, and doesn't NUL-terminate an
      overlong result.  To make matters worse, it pads a short result with
      zeroes, which is a performance disaster if you have big buffers.
      
      strlcpy(), by contrast, is a mis-designed "fix" for strlcpy(), lacking
      the insane NUL padding, but having a differently broken return value
      which returns the original length of the source string.  Which means
      that it will read characters past the count from the source buffer, and
      you have to trust the source to be properly terminated.  It also makes
      error handling fragile, since the test for overflow is unnecessarily
      subtle.
      
      strscpy() avoids both these problems, guaranteeing the NUL termination
      (but not excessive padding) if the destination size wasn't zero, and
      making the overflow condition very obvious by returning -E2BIG.  It also
      doesn't read past the size of the source, and can thus be used for
      untrusted source data too.
      
      So why did I waffle about this for so long?
      
      Every time we introduce a new-and-improved interface, people start doing
      these interminable series of trivial conversion patches.
      
      And every time that happens, somebody does some silly mistake, and the
      conversion patch to the improved interface actually makes things worse.
      Because the patch is mindnumbing and trivial, nobody has the attention
      span to look at it carefully, and it's usually done over large swatches
      of source code which means that not every conversion gets tested.
      
      So I'm pulling the strscpy() support because it *is* a better interface.
      But I will refuse to pull mindless conversion patches.  Use this in
      places where it makes sense, but don't do trivial patches to fix things
      that aren't actually known to be broken.
      
      * 'strscpy' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
        tile: use global strscpy() rather than private copy
        string: provide strscpy()
        Make asm/word-at-a-time.h available on all architectures
      30c44659
    • Linus Torvalds's avatar
      Merge tag 'md/4.3-fixes' of git://neil.brown.name/md · 15ecf9a9
      Linus Torvalds authored
      Pull md fixes from Neil Brown:
       "Assorted fixes for md in 4.3-rc.
      
        Two tagged for -stable, and one is really a cleanup to match and
        improve kmemcache interface.
      
      * tag 'md/4.3-fixes' of git://neil.brown.name/md:
        md/bitmap: don't pass -1 to bitmap_storage_alloc.
        md/raid1: Avoid raid1 resync getting stuck
        md: drop null test before destroy functions
        md: clear CHANGE_PENDING in readonly array
        md/raid0: apply base queue limits *before* disk_stack_limits
        md/raid5: don't index beyond end of array in need_this_block().
        raid5: update analysis state for failed stripe
        md: wait for pending superblock updates before switching to read-only
      15ecf9a9
    • Linus Torvalds's avatar
      Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus · 0d877081
      Linus Torvalds authored
      Pull MIPS updates from Ralf Baechle:
       "This week's round of MIPS fixes:
         - Fix JZ4740 build
         - Fix fallback to GFP_DMA
         - FP seccomp in case of ENOSYS
         - Fix bootmem panic
         - A number of FP and CPS fixes
         - Wire up new syscalls
         - Make sure BPF assembler objects can properly be disassembled
         - Fix BPF assembler code for MIPS I"
      
      * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
        MIPS: scall: Always run the seccomp syscall filters
        MIPS: Octeon: Fix kernel panic on startup from memory corruption
        MIPS: Fix R2300 FP context switch handling
        MIPS: Fix octeon FP context switch handling
        MIPS: BPF: Fix load delay slots.
        MIPS: BPF: Do all exports of symbols with FEXPORT().
        MIPS: Fix the build on jz4740 after removing the custom gpio.h
        MIPS: CPS: #ifdef on CONFIG_MIPS_MT_SMP rather than CONFIG_MIPS_MT
        MIPS: CPS: Don't include MT code in non-MT kernels.
        MIPS: CPS: Stop dangling delay slot from has_mt.
        MIPS: dma-default: Fix 32-bit fall back to GFP_DMA
        MIPS: Wire up userfaultfd and membarrier syscalls.
      0d877081