linux/net/netlink, branch v3.3.2 Linux kernel source tree https://git.amat.us/linux/atom/net/netlink?h=v3.3.2 2012-01-15T02:36:33Z Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security 2012-01-15T02:36:33Z Linus Torvalds torvalds@linux-foundation.org 2012-01-15T02:36:33Z urn:sha1:c49c41a4134679cecb77362e7f6b59acb6320aa7 * 'for-linus' of git://selinuxproject.org/~jmorris/linux-security: capabilities: remove __cap_full_set definition security: remove the security_netlink_recv hook as it is equivalent to capable() ptrace: do not audit capability check when outputing /proc/pid/stat capabilities: remove task_ns_* functions capabitlies: ns_capable can use the cap helpers rather than lsm call capabilities: style only - move capable below ns_capable capabilites: introduce new has_ns_capabilities_noaudit capabilities: call has_ns_capability from has_capability capabilities: remove all _real_ interfaces capabilities: introduce security_capable_noaudit capabilities: reverse arguments to security_capable capabilities: remove the task from capable LSM hook entirely selinux: sparse fix: fix several warnings in the security server cod selinux: sparse fix: fix warnings in netlink code selinux: sparse fix: eliminate warnings for selinuxfs selinux: sparse fix: declare selinux_disable() in security.h selinux: sparse fix: move selinux_complete_init selinux: sparse fix: make selinux_secmark_refcount static SELinux: Fix RCU deref check warning in sel_netport_insert() Manually fix up a semantic mis-merge wrt security_netlink_recv(): - the interface was removed in commit fd7784615248 ("security: remove the security_netlink_recv hook as it is equivalent to capable()") - a new user of it appeared in commit a38f7907b926 ("crypto: Add userspace configuration API") causing no automatic merge conflict, but Eric Paris pointed out the issue. security: remove the security_netlink_recv hook as it is equivalent to capable() 2012-01-05T23:53:01Z Eric Paris eparis@redhat.com 2012-01-03T17:25:16Z urn:sha1:fd778461524849afd035679030ae8e8873c72b81 Once upon a time netlink was not sync and we had to get the effective capabilities from the skb that was being received. Today we instead get the capabilities from the current task. This has rendered the entire purpose of the hook moot as it is now functionally equivalent to the capable() call. Signed-off-by: Eric Paris <eparis@redhat.com> genetlink: add auto module loading 2011-12-28T18:48:55Z Stephen Hemminger shemminger@vyatta.com 2011-12-28T18:48:55Z urn:sha1:fa84309533025eb3f03dc1d2d2be1c3ca206882a When testing L2TP support, I discovered that the l2tp module is not autoloaded as are other netlink interfaces. There is because of lack of hook in genetlink to call request_module and load the module. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net> netlink: Undo const marker in netlink_is_kernel(). 2011-12-23T22:33:03Z David S. Miller davem@davemloft.net 2011-12-23T22:33:03Z urn:sha1:035c4c16bea2814890c64c657d177e91cec1f473 We can't do this without propagating the const to nlk_sk() too, otherwise: net/netlink/af_netlink.c: In function ‘netlink_is_kernel’: net/netlink/af_netlink.c:103:2: warning: passing argument 1 of ‘nlk_sk’ discards ‘const’ qualifier from pointer target type [enabled by default] net/netlink/af_netlink.c:96:36: note: expected ‘struct sock *’ but argument is of type ‘const struct sock *’ Signed-off-by: David S. Miller <davem@davemloft.net> netlink: wake up netlink listeners sooner (v2) 2011-12-23T03:37:19Z stephen hemminger shemminger@vyatta.com 2011-12-22T08:52:03Z urn:sha1:2c64580046a122fa15bb586d8ca4fd5e4b69a1e7 This patch changes it to yield sooner at halfway instead. Still not a cure-all for listener overrun if listner is slow, but works much reliably. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net> netlink: af_netlink cleanup (v2) 2011-12-23T03:37:19Z stephen hemminger shemminger@vyatta.com 2011-12-22T08:52:02Z urn:sha1:b57ef81ff8ffb830e1b3e404d692e55161992d27 Don't inline functions that cover several lines, and do inline the trivial ones. Also make some arguments const. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net> genetlink: Add lockdep_genl_is_held(). 2011-12-03T17:35:07Z Pravin B Shelar pshelar@nicira.com 2011-11-11T03:14:51Z urn:sha1:86b1309c7e411b7c25dc0dc7a092582a4d291044 Open vSwitch uses genl_mutex locking to protect datapath data-structures like flow-table, flow-actions. Following patch adds lockdep_genl_is_held() which is used for rcu annotation to prove locking. Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Signed-off-by: Jesse Gross <jesse@nicira.com> genetlink: Add genl_notify() 2011-12-03T17:35:05Z Pravin B Shelar pshelar@nicira.com 2011-11-11T03:14:37Z urn:sha1:263ba61d3b19508dfb003c215ec5d23f882b4f87 Open vSwitch uses Generic Netlink interface for communication between userspace and kernel module. genl_notify() is used for sending notification back to userspace. genl_notify() is analogous to rtnl_notify() but uses genl_sock instead of rtnl. Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Signed-off-by: Jesse Gross <jesse@nicira.com> af_unix: dont send SCM_CREDENTIALS by default 2011-09-28T17:29:50Z Eric Dumazet eric.dumazet@gmail.com 2011-09-19T05:52:27Z urn:sha1:16e5726269611b71c930054ffe9b858c1cea88eb Since commit 7361c36c5224 (af_unix: Allow credentials to work across user and pid namespaces) af_unix performance dropped a lot. This is because we now take a reference on pid and cred in each write(), and release them in read(), usually done from another process, eventually from another cpu. This triggers false sharing. # Events: 154K cycles # # Overhead Command Shared Object Symbol # ........ ....... .................. ......................... # 10.40% hackbench [kernel.kallsyms] [k] put_pid 8.60% hackbench [kernel.kallsyms] [k] unix_stream_recvmsg 7.87% hackbench [kernel.kallsyms] [k] unix_stream_sendmsg 6.11% hackbench [kernel.kallsyms] [k] do_raw_spin_lock 4.95% hackbench [kernel.kallsyms] [k] unix_scm_to_skb 4.87% hackbench [kernel.kallsyms] [k] pid_nr_ns 4.34% hackbench [kernel.kallsyms] [k] cred_to_ucred 2.39% hackbench [kernel.kallsyms] [k] unix_destruct_scm 2.24% hackbench [kernel.kallsyms] [k] sub_preempt_count 1.75% hackbench [kernel.kallsyms] [k] fget_light 1.51% hackbench [kernel.kallsyms] [k] __mutex_lock_interruptible_slowpath 1.42% hackbench [kernel.kallsyms] [k] sock_alloc_send_pskb This patch includes SCM_CREDENTIALS information in a af_unix message/skb only if requested by the sender, [man 7 unix for details how to include ancillary data using sendmsg() system call] Note: This might break buggy applications that expected SCM_CREDENTIAL from an unaware write() system call, and receiver not using SO_PASSCRED socket option. If SOCK_PASSCRED is set on source or destination socket, we still include credentials for mere write() syscalls. Performance boost in hackbench : more than 50% gain on a 16 thread machine (2 quad-core cpus, 2 threads per core) hackbench 20 thread 2000 4.228 sec instead of 9.102 sec Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> net: cleanup some rcu_dereference_raw 2011-08-12T09:55:28Z Eric Dumazet eric.dumazet@gmail.com 2011-08-11T19:30:52Z urn:sha1:33d480ce6d43326e2541fd79b3548858a174ec3c RCU api had been completed and rcu_access_pointer() or rcu_dereference_protected() are better than generic rcu_dereference_raw() Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>