1. 04 Dec, 2009 1 commit
  2. 25 Nov, 2009 1 commit
  3. 24 Nov, 2009 2 commits
    • Serge E. Hallyn's avatar
      remove CONFIG_SECURITY_FILE_CAPABILITIES compile option · b3a222e5
      Serge E. Hallyn authored
      As far as I know, all distros currently ship kernels with default
      CONFIG_SECURITY_FILE_CAPABILITIES=y.  Since having the option on
      leaves a 'no_file_caps' option to boot without file capabilities,
      the main reason to keep the option is that turning it off saves
      you (on my s390x partition) 5k.  In particular, vmlinux sizes
      came to:
      
      without patch fscaps=n:		 	53598392
      without patch fscaps=y:		 	53603406
      with this patch applied:		53603342
      
      with the security-next tree.
      
      Against this we must weigh the fact that there is no simple way for
      userspace to figure out whether file capabilities are supported,
      while things like per-process securebits, capability bounding
      sets, and adding bits to pI if CAP_SETPCAP is in pE are not supported
      with SECURITY_FILE_CAPABILITIES=n, leaving a bit of a problem for
      applications wanting to know whether they can use them and/or why
      something failed.
      
      It also adds another subtly different set of semantics which we must
      maintain at the risk of severe security regressions.
      
      So this patch removes the SECURITY_FILE_CAPABILITIES compile
      option.  It drops the kernel size by about 50k over the stock
      SECURITY_FILE_CAPABILITIES=y kernel, by removing the
      cap_limit_ptraced_target() function.
      
      Changelog:
      	Nov 20: remove cap_limit_ptraced_target() as it's logic
      		was ifndef'ed.
      Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
      Acked-by: default avatarAndrew G. Morgan" <morgan@kernel.org>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      b3a222e5
    • Eric Paris's avatar
      SELinux: print denials for buggy kernel with unknown perms · 0bce9527
      Eric Paris authored
      Historically we've seen cases where permissions are requested for classes
      where they do not exist.  In particular we have seen CIFS forget to set
      i_mode to indicate it is a directory so when we later check something like
      remove_name we have problems since it wasn't defined in tclass file.  This
      used to result in a avc which included the permission 0x2000 or something.
      Currently the kernel will deny the operations (good thing) but will not
      print ANY information (bad thing).  First the auditdeny field is no
      extended to include unknown permissions.  After that is fixed the logic in
      avc_dump_query to output this information isn't right since it will remove
      the permission from the av and print the phrase "<NULL>".  This takes us
      back to the behavior before the classmap rewrite.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      0bce9527
  4. 20 Nov, 2009 3 commits
  5. 18 Nov, 2009 2 commits
    • Mimi Zohar's avatar
      ima: replace GFP_KERNEL with GFP_NOFS · c09c59e6
      Mimi Zohar authored
      While running fsstress tests on the NFSv4 mounted ext3 and ext4
      filesystem, the following call trace was generated on the nfs
      server machine.
      
      Replace GFP_KERNEL with GFP_NOFS in ima_iint_insert() to avoid a
      potential deadlock.
      
           =================================
          [ INFO: inconsistent lock state ]
          2.6.31-31.el6.x86_64 #1
          ---------------------------------
          inconsistent {RECLAIM_FS-ON-W} -> {IN-RECLAIM_FS-W} usage.
          kswapd2/75 [HC0[0]:SC0[0]:HE1:SE1] takes:
           (jbd2_handle){+.+.?.}, at: [<ffffffff811edd5e>] jbd2_journal_start+0xfe/0x13f
          {RECLAIM_FS-ON-W} state was registered at:
            [<ffffffff81091e40>] mark_held_locks+0x65/0x99
            [<ffffffff81091f31>] lockdep_trace_alloc+0xbd/0xf5
            [<ffffffff81126fdd>] kmem_cache_alloc+0x40/0x185
            [<ffffffff812344d7>] ima_iint_insert+0x3d/0xf1
            [<ffffffff812345b0>] ima_inode_alloc+0x25/0x44
            [<ffffffff811484ac>] inode_init_always+0xec/0x271
            [<ffffffff81148682>] alloc_inode+0x51/0xa1
            [<ffffffff81148700>] new_inode+0x2e/0x94
            [<ffffffff811b2f08>] ext4_new_inode+0xb8/0xdc9
            [<ffffffff811be611>] ext4_create+0xcf/0x175
            [<ffffffff8113e2cd>] vfs_create+0x82/0xb8
            [<ffffffff8113f337>] do_filp_open+0x32c/0x9ee
            [<ffffffff811309b9>] do_sys_open+0x6c/0x12c
            [<ffffffff81130adc>] sys_open+0x2e/0x44
            [<ffffffff81011e42>] system_call_fastpath+0x16/0x1b
            [<ffffffffffffffff>] 0xffffffffffffffff
          irq event stamp: 90371
          hardirqs last  enabled at (90371): [<ffffffff8112708d>]
          kmem_cache_alloc+0xf0/0x185
          hardirqs last disabled at (90370): [<ffffffff81127026>]
          kmem_cache_alloc+0x89/0x185
          softirqs last  enabled at (89492): [<ffffffff81068ecf>]
          __do_softirq+0x1bf/0x1eb
          softirqs last disabled at (89477): [<ffffffff8101312c>] call_softirq+0x1c/0x30
      
          other info that might help us debug this:
          2 locks held by kswapd2/75:
           #0:  (shrinker_rwsem){++++..}, at: [<ffffffff810f98ba>] shrink_slab+0x44/0x177
           #1:  (&type->s_umount_key#25){++++..}, at: [<ffffffff811450ba>]
      Reported-by: default avatarMuni P. Beerakam <mbeeraka@in.ibm.com>
      Reported-by: default avatarAmit K. Arora <amitarora@in.ibm.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      c09c59e6
    • Eric W. Biederman's avatar
      sysctl: Drop & in front of every proc_handler. · 6d456111
      Eric W. Biederman authored
      For consistency drop & in front of every proc_handler.  Explicity
      taking the address is unnecessary and it prevents optimizations
      like stubbing the proc_handlers to NULL.
      
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Joe Perches <joe@perches.com>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      6d456111
  6. 12 Nov, 2009 2 commits
  7. 09 Nov, 2009 1 commit
    • Eric Paris's avatar
      security: report the module name to security_module_request · dd8dbf2e
      Eric Paris authored
      For SELinux to do better filtering in userspace we send the name of the
      module along with the AVC denial when a program is denied module_request.
      
      Example output:
      
      type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)
      type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc:  denied  { module_request } for  pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      dd8dbf2e
  8. 08 Nov, 2009 2 commits
  9. 29 Oct, 2009 1 commit
  10. 25 Oct, 2009 1 commit
  11. 24 Oct, 2009 1 commit
  12. 20 Oct, 2009 2 commits
  13. 19 Oct, 2009 1 commit
    • Eric Dumazet's avatar
      inet: rename some inet_sock fields · c720c7e8
      Eric Dumazet authored
      In order to have better cache layouts of struct sock (separate zones
      for rx/tx paths), we need this preliminary patch.
      
      Goal is to transfert fields used at lookup time in the first
      read-mostly cache line (inside struct sock_common) and move sk_refcnt
      to a separate cache line (only written by rx path)
      
      This patch adds inet_ prefix to daddr, rcv_saddr, dport, num, saddr,
      sport and id fields. This allows a future patch to define these
      fields as macros, like sk_refcnt, without name clashes.
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c720c7e8
  14. 15 Oct, 2009 1 commit
    • David Howells's avatar
      KEYS: get_instantiation_keyring() should inc the keyring refcount in all cases · 21279cfa
      David Howells authored
      The destination keyring specified to request_key() and co. is made available to
      the process that instantiates the key (the slave process started by
      /sbin/request-key typically).  This is passed in the request_key_auth struct as
      the dest_keyring member.
      
      keyctl_instantiate_key and keyctl_negate_key() call get_instantiation_keyring()
      to get the keyring to attach the newly constructed key to at the end of
      instantiation.  This may be given a specific keyring into which a link will be
      made later, or it may be asked to find the keyring passed to request_key().  In
      the former case, it returns a keyring with the refcount incremented by
      lookup_user_key(); in the latter case, it returns the keyring from the
      request_key_auth struct - and does _not_ increment the refcount.
      
      The latter case will eventually result in an oops when the keyring prematurely
      runs out of references and gets destroyed.  The effect may take some time to
      show up as the key is destroyed lazily.
      
      To fix this, the keyring returned by get_instantiation_keyring() must always
      have its refcount incremented, no matter where it comes from.
      
      This can be tested by setting /etc/request-key.conf to:
      
      #OP	TYPE	DESCRIPTION	CALLOUT INFO	PROGRAM ARG1 ARG2 ARG3 ...
      #======	=======	===============	===============	===============================
      create  *	test:*		*		|/bin/false %u %g %d %{user:_display}
      negate	*	*		*		/bin/keyctl negate %k 10 @u
      
      and then doing:
      
      	keyctl add user _display aaaaaaaa @u
              while keyctl request2 user test:x test:x @u &&
              keyctl list @u;
              do
                      keyctl request2 user test:x test:x @u;
                      sleep 31;
                      keyctl list @u;
              done
      
      which will oops eventually.  Changing the negate line to have @u rather than
      %S at the end is important as that forces the latter case by passing a special
      keyring ID rather than an actual keyring ID.
      Reported-by: default avatarAlexander Zangerl <az@bond.edu.au>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarAlexander Zangerl <az@bond.edu.au>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      21279cfa
  15. 11 Oct, 2009 2 commits
  16. 07 Oct, 2009 3 commits
    • Stephen Smalley's avatar
      selinux: drop remapping of netlink classes · 941fc5b2
      Stephen Smalley authored
      Drop remapping of netlink classes and bypass of permission checking
      based on netlink message type for policy version < 18.  This removes
      compatibility code introduced when the original single netlink
      security class used for all netlink sockets was split into
      finer-grained netlink classes based on netlink protocol and when
      permission checking was added based on netlink message type in Linux
      2.6.8.  The only known distribution that shipped with SELinux and
      policy < 18 was Fedora Core 2, which was EOL'd on 2005-04-11.
      
      Given that the remapping code was never updated to address the
      addition of newer netlink classes, that the corresponding userland
      support was dropped in 2005, and that the assumptions made by the
      remapping code about the fixed ordering among netlink classes in the
      policy may be violated in the future due to the dynamic class/perm
      discovery support, we should drop this compatibility code now.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      941fc5b2
    • Stephen Smalley's avatar
      selinux: generate flask headers during kernel build · 8753f6be
      Stephen Smalley authored
      Add a simple utility (scripts/selinux/genheaders) and invoke it to
      generate the kernel-private class and permission indices in flask.h
      and av_permissions.h automatically during the kernel build from the
      security class mapping definitions in classmap.h.  Adding new kernel
      classes and permissions can then be done just by adding them to classmap.h.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      8753f6be
    • Stephen Smalley's avatar
      selinux: dynamic class/perm discovery · c6d3aaa4
      Stephen Smalley authored
      Modify SELinux to dynamically discover class and permission values
      upon policy load, based on the dynamic object class/perm discovery
      logic from libselinux.  A mapping is created between kernel-private
      class and permission indices used outside the security server and the
      policy values used within the security server.
      
      The mappings are only applied upon kernel-internal computations;
      similar mappings for the private indices of userspace object managers
      is handled on a per-object manager basis by the userspace AVC.  The
      interfaces for compute_av and transition_sid are split for kernel
      vs. userspace; the userspace functions are distinguished by a _user
      suffix.
      
      The kernel-private class indices are no longer tied to the policy
      values and thus do not need to skip indices for userspace classes;
      thus the kernel class index values are compressed.  The flask.h
      definitions were regenerated by deleting the userspace classes from
      refpolicy's definitions and then regenerating the headers.  Going
      forward, we can just maintain the flask.h, av_permissions.h, and
      classmap.h definitions separately from policy as they are no longer
      tied to the policy values.  The next patch introduces a utility to
      automate generation of flask.h and av_permissions.h from the
      classmap.h definitions.
      
      The older kernel class and permission string tables are removed and
      replaced by a single security class mapping table that is walked at
      policy load to generate the mapping.  The old kernel class validation
      logic is completely replaced by the mapping logic.
      
      The handle unknown logic is reworked.  reject_unknown=1 is handled
      when the mappings are computed at policy load time, similar to the old
      handling by the class validation logic.  allow_unknown=1 is handled
      when computing and mapping decisions - if the permission was not able
      to be mapped (i.e. undefined, mapped to zero), then it is
      automatically added to the allowed vector.  If the class was not able
      to be mapped (i.e. undefined, mapped to zero), then all permissions
      are allowed for it if allow_unknown=1.
      
      avc_audit leverages the new security class mapping table to lookup the
      class and permission names from the kernel-private indices.
      
      The mdp program is updated to use the new table when generating the
      class definitions and allow rules for a minimal boot policy for the
      kernel.  It should be noted that this policy will not include any
      userspace classes, nor will its policy index values for the kernel
      classes correspond with the ones in refpolicy (they will instead match
      the kernel-private indices).
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      c6d3aaa4
  17. 01 Oct, 2009 1 commit
  18. 30 Sep, 2009 1 commit
    • Eric Paris's avatar
      SELinux: reset the security_ops before flushing the avc cache · af8ff049
      Eric Paris authored
      This patch resets the security_ops to the secondary_ops before it flushes
      the avc.  It's still possible that a task on another processor could have
      already passed the security_ops dereference and be executing an selinux hook
      function which would add a new avc entry.  That entry would still not be
      freed.  This should however help to reduce the number of needless avcs the
      kernel has when selinux is disabled at run time.  There is no wasted
      memory if selinux is disabled on the command line or not compiled.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      af8ff049
  19. 24 Sep, 2009 4 commits
  20. 23 Sep, 2009 4 commits
    • Eric Paris's avatar
      SELinux: do not destroy the avc_cache_nodep · 5224ee08
      Eric Paris authored
      The security_ops reset done when SELinux is disabled at run time is done
      after the avc cache is freed and after the kmem_cache for the avc is also
      freed.  This means that between the time the selinux disable code destroys
      the avc_node_cachep another process could make a security request and could
      try to allocate from the cache.  We are just going to leave the cachep around,
      like we always have.
      
      SELinux:  Disabled at runtime.
      BUG: unable to handle kernel NULL pointer dereference at (null)
      IP: [<ffffffff81122537>] kmem_cache_alloc+0x9a/0x185
      PGD 0
      Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      last sysfs file:
      CPU 1
      Modules linked in:
      Pid: 12, comm: khelper Not tainted 2.6.31-tip-05525-g0eeacc6-dirty #14819
      System Product Name
      RIP: 0010:[<ffffffff81122537>]  [<ffffffff81122537>]
      kmem_cache_alloc+0x9a/0x185
      RSP: 0018:ffff88003f9258b0  EFLAGS: 00010086
      RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000078c0129e
      RDX: 0000000000000000 RSI: ffffffff8130b626 RDI: ffffffff81122528
      RBP: ffff88003f925900 R08: 0000000078c0129e R09: 0000000000000001
      R10: 0000000000000000 R11: 0000000078c0129e R12: 0000000000000246
      R13: 0000000000008020 R14: ffff88003f8586d8 R15: 0000000000000001
      FS:  0000000000000000(0000) GS:ffff880002b00000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      CR2: 0000000000000000 CR3: 0000000001001000 CR4: 00000000000006e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: ffffffff827bd420 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process khelper (pid: 12, threadinfo ffff88003f924000, task
      ffff88003f928000)
      Stack:
       0000000000000246 0000802000000246 ffffffff8130b626 0000000000000001
      <0> 0000000078c0129e 0000000000000000 ffff88003f925a70 0000000000000002
      <0> 0000000000000001 0000000000000001 ffff88003f925960 ffffffff8130b626
      Call Trace:
       [<ffffffff8130b626>] ? avc_alloc_node+0x36/0x273
       [<ffffffff8130b626>] avc_alloc_node+0x36/0x273
       [<ffffffff8130b545>] ? avc_latest_notif_update+0x7d/0x9e
       [<ffffffff8130b8b4>] avc_insert+0x51/0x18d
       [<ffffffff8130bcce>] avc_has_perm_noaudit+0x9d/0x128
       [<ffffffff8130bf20>] avc_has_perm+0x45/0x88
       [<ffffffff8130f99d>] current_has_perm+0x52/0x6d
       [<ffffffff8130fbb2>] selinux_task_create+0x2f/0x45
       [<ffffffff81303bf7>] security_task_create+0x29/0x3f
       [<ffffffff8105c6ba>] copy_process+0x82/0xdf0
       [<ffffffff81091578>] ? register_lock_class+0x2f/0x36c
       [<ffffffff81091a13>] ? mark_lock+0x2e/0x1e1
       [<ffffffff8105d596>] do_fork+0x16e/0x382
       [<ffffffff81091578>] ? register_lock_class+0x2f/0x36c
       [<ffffffff810d9166>] ? probe_workqueue_execution+0x57/0xf9
       [<ffffffff81091a13>] ? mark_lock+0x2e/0x1e1
       [<ffffffff810d9166>] ? probe_workqueue_execution+0x57/0xf9
       [<ffffffff8100cdb2>] kernel_thread+0x82/0xe0
       [<ffffffff81078b1f>] ? ____call_usermodehelper+0x0/0x139
       [<ffffffff8100ce10>] ? child_rip+0x0/0x20
       [<ffffffff81078aea>] ? __call_usermodehelper+0x65/0x9a
       [<ffffffff8107a5c7>] run_workqueue+0x171/0x27e
       [<ffffffff8107a573>] ? run_workqueue+0x11d/0x27e
       [<ffffffff81078a85>] ? __call_usermodehelper+0x0/0x9a
       [<ffffffff8107a7bc>] worker_thread+0xe8/0x10f
       [<ffffffff810808e2>] ? autoremove_wake_function+0x0/0x63
       [<ffffffff8107a6d4>] ? worker_thread+0x0/0x10f
       [<ffffffff8108042e>] kthread+0x91/0x99
       [<ffffffff8100ce1a>] child_rip+0xa/0x20
       [<ffffffff8100c754>] ? restore_args+0x0/0x30
       [<ffffffff8108039d>] ? kthread+0x0/0x99
       [<ffffffff8100ce10>] ? child_rip+0x0/0x20
      Code: 0f 85 99 00 00 00 9c 58 66 66 90 66 90 49 89 c4 fa 66 66 90 66 66 90
      e8 83 34 fb ff e8 d7 e9 26 00 48 98 49 8b 94 c6 10 01 00 00 <48> 8b 1a 44
      8b 7a 18 48 85 db 74 0f 8b 42 14 48 8b 04 c3 ff 42
      RIP  [<ffffffff81122537>] kmem_cache_alloc+0x9a/0x185
       RSP <ffff88003f9258b0>
      CR2: 0000000000000000
      ---[ end trace 42f41a982344e606 ]---
      Reported-by: default avatarIngo Molnar <mingo@elte.hu>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      5224ee08
    • David Howells's avatar
      KEYS: Have the garbage collector set its timer for live expired keys · 606531c3
      David Howells authored
      The key garbage collector sets a timer to start a new collection cycle at the
      point the earliest key to expire should be considered garbage.  However, it
      currently only does this if the key it is considering hasn't yet expired.
      
      If the key being considering has expired, but hasn't yet reached the collection
      time then it is ignored, and won't be collected until some other key provokes a
      round of collection.
      
      Make the garbage collector set the timer for the earliest key that hasn't yet
      passed its collection time, rather than the earliest key that hasn't yet
      expired.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      606531c3
    • James Morris's avatar
      seq_file: constify seq_operations · 88e9d34c
      James Morris authored
      Make all seq_operations structs const, to help mitigate against
      revectoring user-triggerable function pointers.
      
      This is derived from the grsecurity patch, although generated from scratch
      because it's simpler than extracting the changes from there.
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      88e9d34c
    • Nick Black's avatar
      Move magic numbers into magic.h · 1fd7317d
      Nick Black authored
      Move various magic-number definitions into magic.h.
      Signed-off-by: default avatarNick Black <dank@qemfd.net>
      Acked-by: default avatarPekka Enberg <penberg@cs.helsinki.fi>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1fd7317d
  21. 14 Sep, 2009 4 commits
    • David Howells's avatar
      KEYS: Fix garbage collector · c08ef808
      David Howells authored
      Fix a number of problems with the new key garbage collector:
      
       (1) A rogue semicolon in keyring_gc() was causing the initial count of dead
           keys to be miscalculated.
      
       (2) A missing return in keyring_gc() meant that under certain circumstances,
           the keyring semaphore would be unlocked twice.
      
       (3) The key serial tree iterator (key_garbage_collector()) part of the garbage
           collector has been modified to:
      
           (a) Complete each scan of the keyrings before setting the new timer.
      
           (b) Only set the new timer for keys that have yet to expire.  This means
               that the new timer is now calculated correctly, and the gc doesn't
               get into a loop continually scanning for keys that have expired, and
               preventing other things from happening, like RCU cleaning up the old
               keyring contents.
      
           (c) Perform an extra scan if any keys were garbage collected in this one
           	 as a key might become garbage during a scan, and (b) could mean we
           	 don't set the timer again.
      
       (4) Made key_schedule_gc() take the time at which to do a collection run,
           rather than the time at which the key expires.  This means the collection
           of dead keys (key type unregistered) can happen immediately.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      c08ef808
    • Marc Dionne's avatar
      KEYS: Unlock tasklist when exiting early from keyctl_session_to_parent · 5c84342a
      Marc Dionne authored
      When we exit early from keyctl_session_to_parent because of permissions or
      because the session keyring is the same as the parent, we need to unlock the
      tasklist.
      
      The missing unlock causes the system to hang completely when using
      keyctl(KEYCTL_SESSION_TO_PARENT) with a keyring shared with the parent.
      Signed-off-by: default avatarMarc Dionne <marc.c.dionne@gmail.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      5c84342a
    • Eric Paris's avatar
      SELinux: flush the avc before disabling SELinux · 4e6d0bff
      Eric Paris authored
      Before SELinux is disabled at boot it can create AVC entries.  This patch
      will flush those entries before disabling SELinux.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      4e6d0bff
    • Eric Paris's avatar
      SELinux: seperate avc_cache flushing · 008574b1
      Eric Paris authored
      Move the avc_cache flushing into it's own function so it can be reused when
      disabling SELinux.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      008574b1