1. 21 Oct, 2008 1 commit
  2. 13 Oct, 2008 1 commit
  3. 01 Aug, 2008 1 commit
  4. 27 Jul, 2008 9 commits
  5. 24 Jul, 2008 1 commit
  6. 04 Jul, 2008 1 commit
  7. 01 May, 2008 1 commit
  8. 28 Apr, 2008 1 commit
  9. 19 Apr, 2008 7 commits
  10. 11 Apr, 2008 1 commit
    • Roland McGrath's avatar
      asmlinkage_protect replaces prevent_tail_call · 54a01510
      Roland McGrath authored
      The prevent_tail_call() macro works around the problem of the compiler
      clobbering argument words on the stack, which for asmlinkage functions
      is the caller's (user's) struct pt_regs.  The tail/sibling-call
      optimization is not the only way that the compiler can decide to use
      stack argument words as scratch space, which we have to prevent.
      Other optimizations can do it too.
      Until we have new compiler support to make "asmlinkage" binding on the
      compiler's own use of the stack argument frame, we have work around all
      the manifestations of this issue that crop up.
      More cases seem to be prevented by also keeping the incoming argument
      variables live at the end of the function.  This makes their original
      stack slots attractive places to leave those variables, so the compiler
      tends not clobber them for something else.  It's still no guarantee, but
      it handles some observed cases that prevent_tail_call() did not.
      Signed-off-by: default avatarRoland McGrath <roland@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  11. 19 Mar, 2008 1 commit
  12. 15 Feb, 2008 3 commits
  13. 08 Feb, 2008 2 commits
  14. 15 Nov, 2007 1 commit
    • Arjan van de Ven's avatar
      mark sys_open/sys_read exports unused · cb51f973
      Arjan van de Ven authored
      sys_open / sys_read were used in the early 1.2 days to load firmware from
      disk inside drivers.  Since 2.0 or so this was deprecated behavior, but
      several drivers still were using this.  Since a few years we have a
      request_firmware() API that implements this in a nice, consistent way.
      Only some old ISA sound drivers (pre-ALSA) still straggled along for some
      time....  however with commit c2b1239a
      last user is now gone.
      This is a good thing, since using sys_open / sys_read etc for firmware is a
      very buggy to dangerous thing to do; these operations put an fd in the
      process file descriptor table....  which then can be tampered with from
      other threads for example.  For those who don't want the firmware loader,
      filp_open()/vfs_read are the better APIs to use, without this security
      The patch below marks sys_open and sys_read unused now that they're
      really not used anymore, and for deletion in the 2.6.25 timeframe.
      Signed-off-by: default avatarArjan van de Ven <arjan@linux.intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  15. 21 Oct, 2007 1 commit
  16. 17 Oct, 2007 2 commits
    • Serge E. Hallyn's avatar
      Implement file posix capabilities · b5376771
      Serge E. Hallyn authored
      Implement file posix capabilities.  This allows programs to be given a
      subset of root's powers regardless of who runs them, without having to use
      setuid and giving the binary all of root's powers.
      This version works with Kaigai Kohei's userspace tools, found at
      http://www.kaigai.gr.jp/index.php.  For more information on how to use this
      patch, Chris Friedhoff has posted a nice page at
      	Nov 27:
      	Incorporate fixes from Andrew Morton
      	(security-introduce-file-caps-tweaks and
      	Fix Kconfig dependency.
      	Fix change signaling behavior when file caps are not compiled in.
      	Nov 13:
      	Integrate comments from Alexey: Remove CONFIG_ ifdef from
      	capability.h, and use %zd for printing a size_t.
      	Nov 13:
      	Fix endianness warnings by sparse as suggested by Alexey
      	Nov 09:
      	Address warnings of unused variables at cap_bprm_set_security
      	when file capabilities are disabled, and simultaneously clean
      	up the code a little, by pulling the new code into a helper
      	Nov 08:
      	For pointers to required userspace tools and how to use
      	them, see http://www.friedhoff.org/fscaps.html
      	Nov 07:
      	Fix the calculation of the highest bit checked in
      	Nov 07:
      	Allow file caps to be enabled without CONFIG_SECURITY, since
      	capabilities are the default.
      	Hook cap_task_setscheduler when !CONFIG_SECURITY.
      	Move capable(TASK_KILL) to end of cap_task_kill to reduce
      	audit messages.
      	Nov 05:
      	Add secondary calls in selinux/hooks.c to task_setioprio and
      	task_setscheduler so that selinux and capabilities with file
      	cap support can be stacked.
      	Sep 05:
      	As Seth Arnold points out, uid checks are out of place
      	for capability code.
      	Sep 01:
      	Define task_setscheduler, task_setioprio, cap_task_kill, and
      	task_setnice to make sure a user cannot affect a process in which
      	they called a program with some fscaps.
      	One remaining question is the note under task_setscheduler: are we
      	ok with CAP_SYS_NICE being sufficient to confine a process to a
      	It is a semantic change, as without fsccaps, attach_task doesn't
      	allow CAP_SYS_NICE to override the uid equivalence check.  But since
      	it uses security_task_setscheduler, which elsewhere is used where
      	CAP_SYS_NICE can be used to override the uid equivalence check,
      	fixing it might be tough.
      		 note: this also controls cpuset:attach_task.  Are we ok with
      		     CAP_SYS_NICE being used to confine to a cpuset?
      		 sys_setpriority uses this (through set_one_prio) for another
      		 process.  Need same checks as setrlimit
      	Aug 21:
      	Updated secureexec implementation to reflect the fact that
      	euid and uid might be the same and nonzero, but the process
      	might still have elevated caps.
      	Aug 15:
      	Handle endianness of xattrs.
      	Enforce capability version match between kernel and disk.
      	Enforce that no bits beyond the known max capability are
      	set, else return -EPERM.
      	With this extra processing, it may be worth reconsidering
      	doing all the work at bprm_set_security rather than
      	Aug 10:
      	Always call getxattr at bprm_set_security, rather than
      	caching it at d_instantiate.
      [morgan@kernel.org: file-caps clean up for linux/capability.h]
      [bunk@kernel.org: unexport cap_inode_killpriv]
      Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Andrew Morgan <morgan@kernel.org>
      Signed-off-by: default avatarAndrew Morgan <morgan@kernel.org>
      Signed-off-by: default avatarAdrian Bunk <bunk@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Alan Cox's avatar
      fs: correct SuS compliance for open of large file without options · a9c62a18
      Alan Cox authored
      The early LFS work that Linux uses favours EFBIG in various places. SuSv3
      specifically uses EOVERFLOW for this as noted by Michael (Bug 7253)
          The named file is a regular file and the size of the file cannot be
      represented correctly in an object of type off_t. We should therefore
      transition to the proper error return code
      Signed-off-by: default avatarAlan Cox <alan@redhat.com>
      Cc: Theodore Tso <tytso@mit.edu>
      Cc: Jens Axboe <jens.axboe@oracle.com>
      Cc: Arjan van de Ven <arjan@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  17. 16 Oct, 2007 1 commit
  18. 31 Jul, 2007 1 commit
  19. 24 Jul, 2007 1 commit
    • Ulrich Drepper's avatar
      fallocate syscall interface deficiency · 0d786d4a
      Ulrich Drepper authored
      The fallocate syscall returns ENOSYS in case the filesystem does not support
      the operation and expects the userlevel code to fill in.  This is good in
      The problem is that the libc code for old kernels should be able to
      distinguish the case where the syscall is not at all available vs not
      functioning for a specific mount point.  As is this is not possible and we
      always have to invoke the syscall even if the kernel doesn't support it.
      I suggest the following patch.  Using EOPNOTSUPP is IMO the right thing to do.
      Cc: Amit Arora <aarora@in.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  20. 18 Jul, 2007 1 commit
    • Amit Arora's avatar
      sys_fallocate() implementation on i386, x86_64 and powerpc · 97ac7350
      Amit Arora authored
      fallocate() is a new system call being proposed here which will allow
      applications to preallocate space to any file(s) in a file system.
      Each file system implementation that wants to use this feature will need
      to support an inode operation called ->fallocate().
      Applications can use this feature to avoid fragmentation to certain
      level and thus get faster access speed. With preallocation, applications
      also get a guarantee of space for particular file(s) - even if later the
      the system becomes full.
      Currently, glibc provides an interface called posix_fallocate() which
      can be used for similar cause. Though this has the advantage of working
      on all file systems, but it is quite slow (since it writes zeroes to
      each block that has to be preallocated). Without a doubt, file systems
      can do this more efficiently within the kernel, by implementing
      the proposed fallocate() system call. It is expected that
      posix_fallocate() will be modified to call this new system call first
      and incase the kernel/filesystem does not implement it, it should fall
      back to the current implementation of writing zeroes to the new blocks.
      1. Implementation on other architectures (other than i386, x86_64,
         and ppc). Patches for s390(x) and ia64 are already available from
         previous posts, but it was decided that they should be added later
         once fallocate is in the mainline. Hence not including those patches
         in this take.
      2. Changes to glibc,
         a) to support fallocate() system call
         b) to make posix_fallocate() and posix_fallocate64() call fallocate()
      Signed-off-by: default avatarAmit Arora <aarora@in.ibm.com>
  21. 16 Jul, 2007 2 commits
    • Ulrich Drepper's avatar
      O_CLOEXEC for SCM_RIGHTS · 4a19542e
      Ulrich Drepper authored
      Part two in the O_CLOEXEC saga: adding support for file descriptors received
      through Unix domain sockets.
      The patch is once again pretty minimal, it introduces a new flag for recvmsg
      and passes it just like the existing MSG_CMSG_COMPAT flag.  I think this bit
      is not used otherwise but the networking people will know better.
      This new flag is not recognized by recvfrom and recv.  These functions cannot
      be used for that purpose and the asymmetry this introduces is not worse than
      the already existing MSG_CMSG_COMPAT situations.
      The patch must be applied on the patch which introduced O_CLOEXEC.  It has to
      remove static from the new get_unused_fd_flags function but since scm.c cannot
      live in a module the function still hasn't to be exported.
      Here's a test program to make sure the code works.  It's so much longer than
      the actual patch...
      #include <errno.h>
      #include <error.h>
      #include <fcntl.h>
      #include <stdio.h>
      #include <string.h>
      #include <unistd.h>
      #include <sys/socket.h>
      #include <sys/un.h>
      #ifndef O_CLOEXEC
      # define O_CLOEXEC 02000000
      #ifndef MSG_CMSG_CLOEXEC
      # define MSG_CMSG_CLOEXEC 0x40000000
      main (int argc, char *argv[])
        if (argc > 1)
            int fd = atol (argv[1]);
            printf ("child: fd = %d\n", fd);
            if (fcntl (fd, F_GETFD) == 0 || errno != EBADF)
                puts ("file descriptor valid in child");
                return 1;
            return 0;
        struct sockaddr_un sun;
        strcpy (sun.sun_path, "./testsocket");
        sun.sun_family = AF_UNIX;
        char databuf[] = "hello";
        struct iovec iov[1];
        iov[0].iov_base = databuf;
        iov[0].iov_len = sizeof (databuf);
          struct cmsghdr hdr;
          char bytes[CMSG_SPACE (sizeof (int))];
        } buf;
        struct msghdr msg = { .msg_iov = iov, .msg_iovlen = 1,
                              .msg_control = buf.bytes,
                              .msg_controllen = sizeof (buf) };
        struct cmsghdr *cmsg = CMSG_FIRSTHDR (&msg);
        cmsg->cmsg_level = SOL_SOCKET;
        cmsg->cmsg_type = SCM_RIGHTS;
        cmsg->cmsg_len = CMSG_LEN (sizeof (int));
        msg.msg_controllen = cmsg->cmsg_len;
        pid_t child = fork ();
        if (child == -1)
          error (1, errno, "fork");
        if (child == 0)
            int sock = socket (PF_UNIX, SOCK_STREAM, 0);
            if (sock < 0)
              error (1, errno, "socket");
            if (bind (sock, (struct sockaddr *) &sun, sizeof (sun)) < 0)
              error (1, errno, "bind");
            if (listen (sock, SOMAXCONN) < 0)
              error (1, errno, "listen");
            int conn = accept (sock, NULL, NULL);
            if (conn == -1)
              error (1, errno, "accept");
            *(int *) CMSG_DATA (cmsg) = sock;
            if (sendmsg (conn, &msg, MSG_NOSIGNAL) < 0)
              error (1, errno, "sendmsg");
            return 0;
        /* For a test suite this should be more robust like a
           barrier in shared memory.  */
        sleep (1);
        int sock = socket (PF_UNIX, SOCK_STREAM, 0);
        if (sock < 0)
          error (1, errno, "socket");
        if (connect (sock, (struct sockaddr *) &sun, sizeof (sun)) < 0)
          error (1, errno, "connect");
        unlink (sun.sun_path);
        *(int *) CMSG_DATA (cmsg) = -1;
        if (recvmsg (sock, &msg, MSG_CMSG_CLOEXEC) < 0)
          error (1, errno, "recvmsg");
        int fd = *(int *) CMSG_DATA (cmsg);
        if (fd == -1)
          error (1, 0, "no descriptor received");
        char fdname[20];
        snprintf (fdname, sizeof (fdname), "%d", fd);
        execl ("/proc/self/exe", argv[0], fdname, NULL);
        puts ("execl failed");
        return 1;
      [akpm@linux-foundation.org: Fix fastcall inconsistency noted by Michael Buesch]
      [akpm@linux-foundation.org: build fix]
      Signed-off-by: default avatarUlrich Drepper <drepper@redhat.com>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Michael Buesch <mb@bu3sch.de>
      Cc: Michael Kerrisk <mtk-manpages@gmx.net>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Ulrich Drepper's avatar
      Introduce O_CLOEXEC · f23513e8
      Ulrich Drepper authored
      The problem is as follows: in multi-threaded code (or more correctly: all
      code using clone() with CLONE_FILES) we have a race when exec'ing.
         thread #1                       thread #2
                                         fork + exec
      In some applications this can happen frequently.  Take a web browser.  One
      thread opens a file and another thread starts, say, an external PDF viewer.
       The result can even be a security issue if that open file descriptor
      refers to a sensitive file and the external program can somehow be tricked
      into using that descriptor.
      Just adding O_CLOEXEC support to open() doesn't solve the whole set of
      problems.  There are other ways to create file descriptors (socket,
      epoll_create, Unix domain socket transfer, etc).  These can and should be
      addressed separately though.  open() is such an easy case that it makes not
      much sense putting the fix off.
      The test program:
      #include <errno.h>
      #include <fcntl.h>
      #include <stdio.h>
      #include <unistd.h>
      #ifndef O_CLOEXEC
      # define O_CLOEXEC 02000000
      main (int argc, char *argv[])
        int fd;
        if (argc > 1)
            fd = atol (argv[1]);
            printf ("child: fd = %d\n", fd);
            if (fcntl (fd, F_GETFD) == 0 || errno != EBADF)
                puts ("file descriptor valid in child");
                return 1;
            return 0;
        fd = open ("/proc/self/exe", O_RDONLY | O_CLOEXEC);
        printf ("in parent: new fd = %d\n", fd);
        char buf[20];
        snprintf (buf, sizeof (buf), "%d", fd);
        execl ("/proc/self/exe", argv[0], buf, NULL);
        puts ("execl failed");
        return 1;
      [kyle@parisc-linux.org: parisc fix]
      Signed-off-by: default avatarUlrich Drepper <drepper@redhat.com>
      Acked-by: default avatarIngo Molnar <mingo@elte.hu>
      Cc: Davide Libenzi <davidel@xmailserver.org>
      Cc: Michael Kerrisk <mtk-manpages@gmx.net>
      Cc: Chris Zankel <chris@zankel.net>
      Signed-off-by: default avatarKyle McMartin <kyle@parisc-linux.org>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>