[GIT] Security subsystem changes for 2.6.39
From: James Morris
Date: Tue Mar 15 2011 - 19:26:27 EST

Please pull the following changes for the 2.6.39 kernel.

Notable enhancements:

- Improved mmap support for Smack
- Pathname hooks for CacheFiles (previously unmediated for pathname security)
- Improved management & error handling for keys
- Pass the last pathname component to LSM when creating an inode, to
  allow it to be used in labeling decisions; implementation for SELinux
- New sb_remount LSM hook; implementation for SELinux to refuse remounts
  if mount labels change
- Misc. fixes and cleanups for AppArmor, SELinux networking, IMA and
  TOMOYO

The following changes since commit 521cb40b0c44418a4fd36dc633f575813d59a43d:

  Linus Torvalds (1):
        Linux 2.6.38

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6 for-linus

Casey Schaufler (3):
      Subject: [PATCH] Smack: mmap controls for library containment
      Smack: correct behavior in the mmap hook
      Smack: correct final mmap check comparison

David Howells (5):
      CacheFiles: Add calls to path-based security hooks
      KEYS: Add an RCU payload dereference macro
      KEYS: Add a key type op to permit the key description to be vetted
      KEYS: Add a new keyctl op to reject a key with a specified error code
      KEYS: Add an iovec version of KEYCTL_INSTANTIATE

Eric Paris (6):
      fs/vfs/security: pass last path component to LSM on inode creation
      SELinux: Use dentry name in new object labeling
      selinux: drop unused packet flow permissions
      Revert "selinux: simplify ioctl checking"
      LSM: Pass -o remount options to the LSM
      SELinux: implement the new sb_remount LSM hook

Harry Ciao (3):
      SELinux: Auto-generate security_is_socket_class
      SELinux: Socket retains creator role and MLS attribute
      SELinux: Compute SID for the newly created socket

James Morris (4):
      Merge branch 'master'; commit 'v2.6.38-rc7' into next
      Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into next
      Merge branch 'security-next' of git://git.kernel.org/.../jj/apparmor-dev into next
      Merge branch 'next' into for-linus

John Johansen (1):
      AppArmor: Cleanup make file to remove cruft and make it easier to read

Lucian Adrian Grijincu (2):
      security/selinux: fix /proc/sys/ labeling
      security: remove unused security_sysctl hook

Michal Hocko (1):
      AppArmor: cleanup generated files correctly

Mimi Zohar (5):
      IMA: convert i_readcount to atomic
      IMA: define readcount functions
      IMA: maintain i_readcount in the VFS layer
      IMA: remove IMA imbalance checking
      ima: remove unnecessary call to ima_must_measure

Shan Wei (3):
      security:selinux: kill unused MAX_AVTAB_HASH_MASK and ebitmap_startbit
      security:smack: kill unused SMACK_LIST_MAX, MAY_ANY and MAY_ANYWRITE
      AppArmor: kill unused macros in lsm.c

Steffen Klassert (3):
      selinux: Fix check for xfrm selinux context algorithm
      selinux: Fix wrong checks for selinux_policycap_netpeer
      selinux: Fix packet forwarding checks on postrouting

Tetsuo Handa (1):
      TOMOYO: Fix memory leak upon file open.

Documentation/keys-request-key.txt | 9 +-
Documentation/keys.txt | 28 ++-
arch/x86/Kconfig | 5 +
fs/btrfs/inode.c | 13 +-
fs/btrfs/xattr.c | 6 +-
fs/btrfs/xattr.h | 3 +-
fs/cachefiles/namei.c | 52 ++++-
fs/ext2/ext2.h | 2 +-
fs/ext2/ialloc.c | 5 +-
fs/ext2/namei.c | 8 +-
fs/ext2/xattr.h | 6 +-
fs/ext2/xattr_security.c | 5 +-
fs/ext3/ialloc.c | 5 +-
fs/ext3/namei.c | 8 +-
fs/ext3/xattr.h | 4 +-
fs/ext3/xattr_security.c | 5 +-
fs/ext4/ialloc.c | 2 +-
fs/ext4/xattr.h | 4 +-
fs/ext4/xattr_security.c | 5 +-
fs/file_table.c | 5 +-
fs/gfs2/inode.c | 7 +-
fs/jffs2/dir.c | 9 +-
fs/jffs2/nodelist.h | 2 +-
fs/jffs2/security.c | 5 +-
fs/jffs2/write.c | 18 +-
fs/jffs2/xattr.h | 5 +-
fs/jfs/jfs_xattr.h | 5 +-
fs/jfs/namei.c | 8 +-
fs/jfs/xattr.c | 6 +-
fs/namespace.c | 4 +
fs/ocfs2/namei.c | 4 +-
fs/ocfs2/refcounttree.c | 3 +-
fs/ocfs2/xattr.c | 10 +-
fs/ocfs2/xattr.h | 4 +-
fs/open.c | 3 +-
fs/proc/proc_sysctl.c | 1 -
fs/reiserfs/namei.c | 9 +-
fs/reiserfs/xattr_security.c | 3 +-
fs/xfs/linux-2.6/xfs_iops.c | 9 +-
include/linux/ext3_fs.h | 3 +-
include/linux/fs.h | 23 ++-
include/linux/ima.h | 6 -
include/linux/key-type.h | 14 +-
include/linux/key.h | 5 +
include/linux/keyctl.h | 2 +
include/linux/reiserfs_xattr.h | 2 +
include/linux/security.h | 35 ++--
include/linux/xattr.h | 2 +
kernel/sysctl.c | 5 -
mm/shmem.c | 9 +-
net/rxrpc/ar-key.c | 19 ++
scripts/selinux/genheaders/genheaders.c | 20 ++
security/apparmor/Makefile | 38 +++-
security/apparmor/lsm.c | 2 -
security/capability.c | 15 +-
security/integrity/ima/ima.h | 3 +-
security/integrity/ima/ima_api.c | 13 +-
security/integrity/ima/ima_iint.c | 5 -
security/integrity/ima/ima_main.c | 136 ++----------
security/keys/compat.c | 50 ++++
security/keys/encrypted.c | 3 +-
security/keys/internal.h | 8 +
security/keys/key.c | 27 ++-
security/keys/keyctl.c | 143 +++++++++++-
security/keys/keyring.c | 4 +-
security/keys/request_key.c | 2 +-
security/keys/trusted.c | 3 +-
security/keys/user_defined.c | 3 +-
security/security.c | 19 +-
security/selinux/hooks.c | 350 ++++++++++++++++--------------
security/selinux/include/classmap.h | 7 +-
security/selinux/include/security.h | 8 +-
security/selinux/ss/avtab.h | 23 +-
security/selinux/ss/ebitmap.h | 1 -
security/selinux/ss/mls.c | 5 +-
security/selinux/ss/mls.h | 3 +-
security/selinux/ss/policydb.c | 130 +++++++++++
security/selinux/ss/policydb.h | 14 +-
security/selinux/ss/services.c | 73 +++++--
security/selinux/xfrm.c | 2 +-
security/smack/smack.h | 17 +-
security/smack/smack_access.c | 52 +++--
security/smack/smack_lsm.c | 287 ++++++++++++++++++++----
security/smack/smackfs.c | 370 +++++++++++++++++++++----------
security/tomoyo/file.c | 5 +-
85 files changed, 1549 insertions(+), 712 deletions(-)
--
James Morris
<jmorris@xxxxxxxxx>