linux/security/tomoyo, branch v3.6.5

Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into next

2012-05-22T01:21:06Z

Per pull request, for 3.5.

TOMOYO: Accept manager programs which do not start with / .

2012-05-15T00:24:29Z

The pathname of /usr/sbin/tomoyo-editpolicy seen from Ubuntu 12.04 Live CD is squashfs:/usr/sbin/tomoyo-editpolicy rather than /usr/sbin/tomoyo-editpolicy . Therefore, we need to accept manager programs which do not start with / . Signed-off-by: Tetsuo Handa Signed-off-by: James Morris

SELinux: rename dentry_open to file_open

2012-04-09T16:22:50Z

dentry_open takes a file, rename it to file_open Signed-off-by: Eric Paris

usermodehelper: use UMH_WAIT_PROC consistently

2012-03-23T23:58:41Z

A few call_usermodehelper() callers use the hardcoded constant instead of the proper UMH_WAIT_PROC, fix them. Reported-by: Tetsuo Handa Signed-off-by: Oleg Nesterov Cc: Lars Ellenberg Cc: Greg Kroah-Hartman Cc: Michal Januszewski Cc: Florian Tobias Schandinat Cc: Kentaro Takeda Cc: Tetsuo Handa Cc: James Morris Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

2012-03-21T20:25:04Z

Pull security subsystem updates for 3.4 from James Morris: "The main addition here is the new Yama security module from Kees Cook, which was discussed at the Linux Security Summit last year. Its purpose is to collect miscellaneous DAC security enhancements in one place. This also marks a departure in policy for LSM modules, which were previously limited to being standalone access control systems. Chromium OS is using Yama, and I believe there are plans for Ubuntu, at least. This patchset also includes maintenance updates for AppArmor, TOMOYO and others." Fix trivial conflict in due to the jumo_label->static_key rename. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (38 commits) AppArmor: Fix location of const qualifier on generated string tables TOMOYO: Return error if fails to delete a domain AppArmor: add const qualifiers to string arrays AppArmor: Add ability to load extended policy TOMOYO: Return appropriate value to poll(). AppArmor: Move path failure information into aa_get_name and rename AppArmor: Update dfa matching routines. AppArmor: Minor cleanup of d_namespace_path to consolidate error handling AppArmor: Retrieve the dentry_path for error reporting when path lookup fails AppArmor: Add const qualifiers to generated string tables AppArmor: Fix oops in policy unpack auditing AppArmor: Fix error returned when a path lookup is disconnected KEYS: testing wrong bit for KEY_FLAG_REVOKED TOMOYO: Fix mount flags checking order. security: fix ima kconfig warning AppArmor: Fix the error case for chroot relative path name lookup AppArmor: fix mapping of META_READ to audit and quiet flags AppArmor: Fix underflow in xindex calculation AppArmor: Fix dropping of allowed operations that are force audited AppArmor: Add mising end of structure test to caps unpacking ...

tomoyo: remove the second argument of k[un]map_atomic()

2012-03-20T13:48:28Z

Acked-by: Tetsuo Handa Signed-off-by: Cong Wang

TOMOYO: Return error if fails to delete a domain

2012-03-20T01:06:50Z

Call sequence: tomoyo_write_domain() --> tomoyo_delete_domain() In 'tomoyo_delete_domain', return -EINTR if locking attempt is interrupted by signal. At present it returns success to its caller 'tomoyo_write_domain()' even though domain is not deleted. 'tomoyo_write_domain()' assumes domain is deleted and returns success to its caller. This is wrong behaviour. 'tomoyo_write_domain' should return error from tomoyo_delete_domain() to its caller. Signed-off-by: Santosh Nayak Signed-off-by: Tetsuo Handa Signed-off-by: James Morris

TOMOYO: Return appropriate value to poll().

2012-03-15T01:29:18Z

"struct file_operations"->poll() expects "unsigned int" return value. All files in /sys/kernel/security/tomoyo/ directory other than /sys/kernel/security/tomoyo/query and /sys/kernel/security/tomoyo/audit should return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM rather than -ENOSYS. Also, /sys/kernel/security/tomoyo/query and /sys/kernel/security/tomoyo/audit should return POLLOUT | POLLWRNORM rather than 0 when there is no data to read. Signed-off-by: Tetsuo Handa Signed-off-by: James Morris

TOMOYO: Fix mount flags checking order.

2012-02-29T23:23:19Z

Userspace can pass in arbitrary combinations of MS_* flags to mount(). If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE are passed, device name which should be checked for MS_BIND was not checked because MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher priority than MS_BIND. If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name which should not be checked for MS_REMOUNT was checked because MS_BIND/MS_MOVE had higher priority than MS_REMOUNT. Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND -> MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE as with do_mount() does. Also, unconditionally return -EINVAL if more than one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO will not generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity check mount flags passed to change_mnt_propagation()" clarified that these flags must be exclusively passed. Signed-off-by: Tetsuo Handa Signed-off-by: James Morris

TOMOYO: Accept \000 as a valid character.

2012-01-17T23:40:59Z

TOMOYO 2.5 in Linux 3.2 and later handles Unix domain socket's address. Thus, tomoyo_correct_word2() needs to accept \000 as a valid character, or TOMOYO 2.5 cannot handle Unix domain's abstract socket address. Reported-by: Steven Allen Signed-off-by: Tetsuo Handa CC: stable@vger.kernel.org [3.2+] Signed-off-by: James Morris