
Commit b0ca118d authored by Linus Torvalds

Merge branch 'for-linus' of...

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (43 commits)
  TOMOYO: Fix wrong domainname validation.
  SELINUX: add /sys/fs/selinux mount point to put selinuxfs
  CRED: Fix load_flat_shared_library() to initialise bprm correctly
  SELinux: introduce path_has_perm
  flex_array: allow 0 length elements
  flex_arrays: allow zero length flex arrays
  flex_array: flex_array_prealloc takes a number of elements, not an end
  SELinux: pass last path component in may_create
  SELinux: put name based create rules in a hashtable
  SELinux: generic hashtab entry counter
  SELinux: calculate and print hashtab stats with a generic function
  SELinux: skip filename trans rules if ttype does not match parent dir
  SELinux: rename filename_compute_type argument to *type instead of *con
  SELinux: fix comment to state filename_compute_type takes an objname not a qstr
  SMACK: smack_file_lock can use the struct path
  LSM: separate LSM_AUDIT_DATA_DENTRY from LSM_AUDIT_DATA_PATH
  LSM: split LSM_AUDIT_DATA_FS into _PATH and _INODE
  SELINUX: Make selinux cache VFS RCU walks safe
  SECURITY: Move exec_permission RCU checks into security modules
  SELinux: security_read_policy should take a size_t not ssize_t
  ...
parents 2bb732cd b7b57551
+2 −1
@@ -5592,10 +5592,11 @@ M: James Morris <jmorris@namei.org>
M:	Eric Paris <eparis@parisplace.org>
L:	selinux@tycho.nsa.gov (subscribers-only, general discussion)
W:	http://selinuxproject.org
T:	git git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6.git
T:	git git://git.infradead.org/users/eparis/selinux.git
S:	Supported
F:	include/linux/selinux*
F:	security/selinux/
F:	scripts/selinux/

APPARMOR SECURITY MODULE
M:	John Johansen <john.johansen@canonical.com>
+8 −0
@@ -820,6 +820,8 @@ static int load_flat_shared_library(int id, struct lib_info *libs)
	int res;
	char buf[16];

	memset(&bprm, 0, sizeof(bprm));

	/* Create the file name */
	sprintf(buf, "/lib/lib%d.so", id);

@@ -835,6 +837,12 @@ static int load_flat_shared_library(int id, struct lib_info *libs)
	if (!bprm.cred)
		goto out;

	/* We don't really care about recalculating credentials at this point
	 * as we're past the point of no return and are dealing with shared
	 * libraries.
	 */
	bprm.cred_prepared = 1;

	res = prepare_binprm(&bprm);

	if (!IS_ERR_VALUE(res))
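Review bot: The `sprintf(buf, "/lib/lib%d.so", id);` call in the first hunk writes into `char buf[16]` with no bound; the fixed text plus the terminator already takes 12 bytes, so any `id` that prints as more than four characters runs past the buffer. The range of `id` is decided by callers outside this hunk, so this may be safe in practice, but as the commit is already tightening the setup of `bprm` here it is cheap to make the bound local: `snprintf(buf, sizeof(buf), "/lib/lib%d.so", id);`. load_flat_shared_library starts before and continues after the lines shown.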
+0 −5
@@ -417,7 +417,6 @@ extern const kernel_cap_t __cap_init_eff_set;

# define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
# define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
# define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
# define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
				    | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
				    CAP_FS_MASK_B1 } })
@@ -427,11 +426,7 @@ extern const kernel_cap_t __cap_init_eff_set;

#endif /* _KERNEL_CAPABILITY_U32S != 2 */

#define CAP_INIT_INH_SET    CAP_EMPTY_SET

# define cap_clear(c)         do { (c) = __cap_empty_set; } while (0)
# define cap_set_full(c)      do { (c) = __cap_full_set; } while (0)
# define cap_set_init_eff(c)  do { (c) = __cap_init_eff_set; } while (0)

#define cap_raise(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
#define cap_lower(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
+0 −7
@@ -83,13 +83,6 @@ extern struct group_info init_groups;
#define INIT_IDS
#endif

/*
 * Because of the reduced scope of CAP_SETPCAP when filesystem
 * capabilities are in effect, it is safe to allow CAP_SETPCAP to
 * be available in the default configuration.
 */
# define CAP_INIT_BSET  CAP_FULL_SET

#ifdef CONFIG_RCU_BOOST
#define INIT_TASK_RCU_BOOST()						\
	.rcu_boost_mutex = NULL,
+13 −0
@@ -276,6 +276,19 @@ static inline key_serial_t key_serial(struct key *key)
	return key ? key->serial : 0;
}

/**
 * key_is_instantiated - Determine if a key has been positively instantiated
 * @key: The key to check.
 *
 * Return true if the specified key has been positively instantiated, false
 * otherwise.
 */
static inline bool key_is_instantiated(const struct key *key)
{
	return test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
		!test_bit(KEY_FLAG_NEGATIVE, &key->flags);
}

#define rcu_dereference_key(KEY)					\
	(rcu_dereference_protected((KEY)->payload.rcudata,		\
				   rwsem_is_locked(&((struct key *)(KEY))->sem)))
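Review bot: key_is_instantiated() reads KEY_FLAG_INSTANTIATED and KEY_FLAG_NEGATIVE with two separate `test_bit()` calls, so the result is not a single snapshot of the key's state, and the kernel-doc does not say what a caller must hold for the answer to stay valid. If the flags can change between the two reads (the code that sets them is not in this hunk), a caller could see a mix of old and new state; I would add a line to the comment such as `* The two flags are sampled separately; callers needing a stable result must serialise against instantiation and negation themselves.` Unlike key_serial() just above, the helper also dereferences @key unconditionally, so the comment should state that @key must not be NULL.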