* policy patch for 2002121210
From: Russell Coker @ 2002-12-16 16:13 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 450 bytes --]
I've attached my first policy patch for the latest release.
It doesn't contain anything exciting, just small tweaks and some patches for
things that have changed since the last patch I sent in.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 9461 bytes --]
diff -ru /tmp/policy/domains/program/bootloader.te policy/domains/program/bootloader.te
--- /tmp/policy/domains/program/bootloader.te 2002-12-16 17:06:02.000000000 +0100
+++ policy/domains/program/bootloader.te 2002-12-13 21:03:06.000000000 +0100
@@ -48,6 +48,7 @@
# for ldd
allow bootloader_t { insmod_exec_t fsadm_exec_t }:file { rx_file_perms execute_no_trans };
+allow bootloader_t insmod_exec_t:lnk_file { getattr read };
dontaudit bootloader_t sysadm_home_dir_t:dir search;
diff -ru /tmp/policy/domains/program/crack.te policy/domains/program/crack.te
--- /tmp/policy/domains/program/crack.te 2002-12-03 15:56:39.000000000 +0100
+++ policy/domains/program/crack.te 2002-12-13 21:03:18.000000000 +0100
@@ -35,4 +35,6 @@
allow crack_t { etc_t etc_runtime_t }:file { getattr read };
allow crack_t etc_t:dir r_dir_perms;
+allow crack_t fs_t:filesystem getattr;
+
dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
diff -ru /tmp/policy/domains/program/crond.te policy/domains/program/crond.te
--- /tmp/policy/domains/program/crond.te 2002-12-03 15:56:39.000000000 +0100
+++ policy/domains/program/crond.te 2002-12-13 21:03:38.000000000 +0100
@@ -37,7 +37,7 @@
file_type_auto_trans(crond_t, var_log_t, cron_log_t)
# Use capabilities.
-allow crond_t crond_t:capability { setgid setuid net_bind_service };
+allow crond_t crond_t:capability { setgid setuid net_bind_service dac_override };
# Check entrypoint permission on crontab files.
allow crond_t security_t:security compute_av;
diff -ru /tmp/policy/domains/program/dpkg.te policy/domains/program/dpkg.te
--- /tmp/policy/domains/program/dpkg.te 2002-12-03 15:56:40.000000000 +0100
+++ policy/domains/program/dpkg.te 2002-12-13 21:04:23.000000000 +0100
@@ -25,7 +25,7 @@
can_exec(dpkg_t, init_exec_t)
file_type_auto_trans(dpkg_t, tmp_t, tmp_dpkg_t)
ifdef(`mta.te', `
-allow system_mail_t tmp_dpkg_t:file read;
+allow system_mail_t tmp_dpkg_t:file { getattr read };
')
allow dpkg_t random_device_t:chr_file read;
diff -ru /tmp/policy/domains/program/fsadm.te policy/domains/program/fsadm.te
--- /tmp/policy/domains/program/fsadm.te 2002-11-04 13:27:51.000000000 +0100
+++ policy/domains/program/fsadm.te 2002-12-13 21:54:24.000000000 +0100
@@ -22,6 +22,9 @@
type fsadm_tmp_t, file_type, sysadmfile, tmpfile;
file_type_auto_trans(fsadm_t, tmp_t, fsadm_tmp_t)
+# remount file system to apply changes
+allow fsadm_t fs_t:filesystem remount;
+
# Use capabilities.
allow fsadm_t fsadm_t:capability { sys_admin sys_rawio };
diff -ru /tmp/policy/domains/program/ftpd.te policy/domains/program/ftpd.te
--- /tmp/policy/domains/program/ftpd.te 2002-11-04 13:27:51.000000000 +0100
+++ policy/domains/program/ftpd.te 2002-12-13 21:05:01.000000000 +0100
@@ -18,7 +18,10 @@
ifdef(`inetd.te', `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)')
ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
-ifdef(`crond.te', `system_crond_entry(ftpd_exec_t, ftpd_t)')
+ifdef(`crond.te', `
+system_crond_entry(ftpd_exec_t, ftpd_t)
+can_exec(ftpd_t, { bin_t sbin_t })
+')
# Inherit and use descriptors from inetd.
allow ftpd_t inetd_t:fd use;
diff -ru /tmp/policy/domains/program/hotplug.te policy/domains/program/hotplug.te
--- /tmp/policy/domains/program/hotplug.te 2002-12-03 15:56:40.000000000 +0100
+++ policy/domains/program/hotplug.te 2002-12-13 21:05:01.000000000 +0100
@@ -47,6 +47,7 @@
domain_auto_trans(kmod_t, hotplug_exec_t, hotplug_t)
domain_auto_trans_read(hotplug_t, insmod_exec_t, insmod_t)
+allow hotplug_t insmod_exec_t:lnk_file read;
domain_auto_trans_read(hotplug_t, mount_exec_t, mount_t)
domain_auto_trans_read(hotplug_t, ifconfig_exec_t, ifconfig_t)
ifdef(`pump.te', `domain_auto_trans_read(hotplug_t, pump_exec_t, pump_t)')
diff -ru /tmp/policy/domains/program/postfix.te policy/domains/program/postfix.te
--- /tmp/policy/domains/program/postfix.te 2002-12-03 15:56:41.000000000 +0100
+++ policy/domains/program/postfix.te 2002-12-13 21:07:17.000000000 +0100
@@ -82,9 +82,9 @@
allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
can_network(postfix_master_t)
allow postfix_master_t smtp_port_t:tcp_socket name_bind;
-allow postfix_master_t postfix_spool_maildrop_t:dir r_dir_perms;
+allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
+allow postfix_master_t postfix_spool_maildrop_t:file { rename getattr };
allow postfix_master_t postfix_prng_t:file getattr;
-allow postfix_master_t postfix_spool_maildrop_t:file getattr;
allow postfix_master_t privfd:fd use;
allow postfix_master_t etc_aliases_t:file r_file_perms;
create_dir_file(postfix_master_t, postfix_spool_flush_t)
@@ -241,7 +241,7 @@
type postfix_spool_bounce_t, file_type, sysadmfile;
create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
create_dir_file(postfix_bounce_t, postfix_spool_t)
-allow postfix_master_t postfix_spool_bounce_t:dir r_dir_perms;
+allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
allow postfix_bounce_t self:capability { dac_read_search };
allow postfix_bounce_t postfix_public_t:sock_file write;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
diff -ru /tmp/policy/domains/program/quota.te policy/domains/program/quota.te
--- /tmp/policy/domains/program/quota.te 2002-12-03 15:56:42.000000000 +0100
+++ policy/domains/program/quota.te 2002-12-13 21:07:17.000000000 +0100
@@ -15,7 +15,7 @@
rw_dir_create_file(initrc_t, quota_flag_t)
allow quota_t fs_t:filesystem { getattr quotaget quotamod };
-allow quota_t home_root_t:dir getattr;
+allow quota_t { home_root_t var_t usr_t src_t }:dir getattr;
allow quota_t self:capability sys_admin;
allow quota_t file_t:file quotaon;
Only in /tmp/policy/domains: system
Only in /tmp/policy/domains: user
diff -ru /tmp/policy/file_contexts/program/fsadm.fc policy/file_contexts/program/fsadm.fc
--- /tmp/policy/file_contexts/program/fsadm.fc 2002-12-03 15:56:44.000000000 +0100
+++ policy/file_contexts/program/fsadm.fc 2002-12-13 21:56:43.000000000 +0100
@@ -4,6 +4,7 @@
/sbin/e2fsck system_u:object_r:fsadm_exec_t
/sbin/reiserfs(ck|tune) system_u:object_r:fsadm_exec_t
/sbin/mkreiserfs system_u:object_r:fsadm_exec_t
+/sbin/resize.*fs system_u:object_r:fsadm_exec_t
/sbin/e2label system_u:object_r:fsadm_exec_t
/sbin/mkfs system_u:object_r:fsadm_exec_t
/sbin/mke2fs system_u:object_r:fsadm_exec_t
@@ -12,6 +13,7 @@
/sbin/sfdisk system_u:object_r:fsadm_exec_t
/sbin/cfdisk system_u:object_r:fsadm_exec_t
/sbin/fdisk system_u:object_r:fsadm_exec_t
+/sbin/parted system_u:object_r:fsadm_exec_t
/sbin/tune2fs system_u:object_r:fsadm_exec_t
/sbin/dumpe2fs system_u:object_r:fsadm_exec_t
/sbin/swapon system_u:object_r:fsadm_exec_t
diff -ru /tmp/policy/file_contexts/program/initrc.fc policy/file_contexts/program/initrc.fc
--- /tmp/policy/file_contexts/program/initrc.fc 2002-10-28 22:56:00.000000000 +0100
+++ policy/file_contexts/program/initrc.fc 2002-12-13 21:08:39.000000000 +0100
@@ -11,3 +11,4 @@
/usr/local/selinux/sbin/open_init_pty system_u:object_r:initrc_exec_t
/usr/sbin/run_init system_u:object_r:run_init_exec_t
/usr/sbin/open_init_pty system_u:object_r:initrc_exec_t
+/etc/nologin.boot system_u:object_r:etc_runtime_t
diff -ru /tmp/policy/file_contexts/program/modutil.fc policy/file_contexts/program/modutil.fc
--- /tmp/policy/file_contexts/program/modutil.fc 2002-12-16 17:06:32.000000000 +0100
+++ policy/file_contexts/program/modutil.fc 2002-12-13 21:08:39.000000000 +0100
@@ -5,6 +5,6 @@
/sbin/depmod.* system_u:object_r:depmod_exec_t
/sbin/modprobe.* system_u:object_r:insmod_exec_t
/sbin/insmod.* system_u:object_r:insmod_exec_t
-/sbin/insmod.static system_u:object_r:insmod_exec_t
+/sbin/insmod_ksymoops_clean system_u:object_r:sbin_t
/sbin/rmmod.* system_u:object_r:insmod_exec_t
/sbin/update-modules system_u:object_r:update_modules_exec_t
diff -ru /tmp/policy/file_contexts/program/postgresql.fc policy/file_contexts/program/postgresql.fc
--- /tmp/policy/file_contexts/program/postgresql.fc 2002-08-23 20:44:20.000000000 +0200
+++ policy/file_contexts/program/postgresql.fc 2002-12-13 21:08:39.000000000 +0100
@@ -4,3 +4,4 @@
/var/run/postgresql(/.*)? system_u:object_r:var_run_postgresql_t
/etc/postgresql(/.*)? system_u:object_r:etc_postgresql_t
/var/log/postgres.log.* system_u:object_r:postgresql_log_t
+/var/log/postgresql(/.*)? system_u:object_r:postgresql_log_t
diff -ru /tmp/policy/file_contexts/program/slapd.fc policy/file_contexts/program/slapd.fc
--- /tmp/policy/file_contexts/program/slapd.fc 2002-07-12 17:19:44.000000000 +0200
+++ policy/file_contexts/program/slapd.fc 2002-12-13 21:54:50.000000000 +0100
@@ -3,3 +3,4 @@
/var/lib/ldap(/.*)? system_u:object_r:slapd_db_t
/var/lib/ldap/replog(/.*)? system_u:object_r:slapd_replog_t
/var/run/slapd.args system_u:object_r:var_run_slapd_t
+/etc/ldap/slapd.conf system_u:object_r:etc_slapd_t
diff -ru /tmp/policy/macros/program/ssh_macros.te policy/macros/program/ssh_macros.te
--- /tmp/policy/macros/program/ssh_macros.te 2002-10-23 21:38:26.000000000 +0200
+++ policy/macros/program/ssh_macros.te 2002-12-13 21:10:46.000000000 +0100
@@ -69,7 +69,7 @@
allow $1_ssh_t $1_devpts_t:chr_file rw_file_perms;
# Allow the user shell to signal the ssh program.
-allow $1_t $1_ssh_t:process signal;
+allow $1_t $1_ssh_t:process { signal setpgid };
# allow ps to show ssh
allow $1_t $1_ssh_t:dir { search getattr read };
allow $1_t $1_ssh_t:{ file lnk_file } { read getattr };
^ permalink raw reply
* Re: system hangs after reboot
From: Paul Furness @ 2002-12-16 16:15 UTC (permalink / raw)
To: linux-newbie
In-Reply-To: <5.1.0.14.1.20021216080217.021330f0@celine>
Here's yet another set of questions to look at :)
1. If you change /etc/init.tab so that the system boots into run level
3, then reboot, do you get any errors?
2. If not, try logging in as a user and running "startx" to see what
errors you get (if any) on the terminal.
3. It sounds like you have a network thing going on. If you wait long
enough, it might start anyway. sendmail often does this when your host
table doesn't agree with your IP address. Other programs also have this
problem. Therefore, check that you have an "/etc/hosts" file and that it
is correct and complete (at least as far as info about the problem
machine goes).
P.
On Mon, 2002-12-16 at 16:07, Ray Olszewski wrote:
> Four questions about what you posted ...
>
> 1. In the "good init" sequence, what happens next? You're asking us to
> compare a bad init to nothing (as regards the part that is bad).
>
> 2. When you say the system "hangs" and "freezes", how carefully have you
> assessed that? How long have you waited before giving up? What happens if
> you CRTL-C when the system is "hung"?
>
> 3. What is eth0 and how does it connect to the Internet? If the problem is
> associated with a DHCP failure of some type, the details of the interface
> it is using may matter.
>
> 4. Is the problem only associated with a soft ("shutdown -r") reboot? If
> you do a power-down reboot, does the system boot and init properly?
>
> At 09:53 AM 12/16/02 +0100, Arno Seitzinger wrote:
> >Hi NG,
> >
> >for a couple of days, my Suse Linux 8.1 (2.4.19) on a HP Omnibook XE3 Laptop
> >shows a strange behaviour: it hangs after a reboot (shutdown -r now od from
> >KDE). First it starts as usual, but freezes after "switching to runlevel
> >5", when initializing the random number generator and the network.
> >I pasted the output of a good and a bad boot.msg below.
> >
> >My last actions, before I noticed it doesn't reboot anymore, were:
> >- use the cellphone to access internet
> >- create a new user because of OpenOffice store failure
> >- clear tmp directory in single user mode (because of OpenOffice store
> >failure - was this stupid?)
> >- new (workstation) installation of OpenOffice
> >
> >Nayone around who can give me a clou where to look next?
> >Arno
> >
> >***boot.msg when system hangs
> >=============================
> >[...]
> >Master Resource Control: previous runlevel: N, switching to runlevel:
> >5
> >
> >done<notice>killproc: kill(30,3)
> >
> >INIT: Entering runlevel: 5
> >
> ><notice>/etc/init.d/rc5.d/S01isdn start
> ><notice>'/etc/init.d/rc5.d/S01isdn start' exits with status 0
> ><notice>/etc/init.d/rc5.d/S01random start
> ><notice>'/etc/init.d/rc5.d/S01random start' exits with status 0
> ><notice>/etc/init.d/rc5.d/S05network start
> >
> >***boot.msg normally
> >====================
> >[...]
> >Master Resource Control: previous runlevel: N, switching to runlevel:
> >5
> >
> >
> >done<notice>killproc: kill(30,3)
> >
> >INIT: Entering runlevel: 5
> >
> >
> ><notice>/etc/init.d/rc5.d/S01isdn start
> ><notice>'/etc/init.d/rc5.d/S01isdn start' exits with status 0
> ><notice>/etc/init.d/rc5.d/S01random start
> ><notice>'/etc/init.d/rc5.d/S01random start' exits with status 0
> ><notice>/etc/init.d/rc5.d/S05network start
> ><notice>Initializing random number generator
> >done
> >
> >Setting up network interfaces:
> >
> > lo
> >done
> >
> > eth0 (DHCP) startproc: execve (/sbin/dhcpcd) [ /sbin/dhcpcd -H -D
> >-N -Y -t 999999 -h esw44 eth0 ], [ CONSOLE=/dev/console TERM=linux
> >SHELL=/bin/sh OLDPWD=/etc/sysconfig/network INIT_VERSION=sysvinit-2.82
> >RUN_FROM_RC=yes REDIRECT=/dev/tty1 COLUMNS=106
> >PATH=/sbin:/usr/sbin:/bin:/usr/bin:/etc/sysconfig/network/scripts vga=791
> >RUNLEVEL=5 PWD=/etc/sysconfig/network PREVLEVEL=N LINES=34 HOME=/ SHLVL=4
> >_=/sbin/startproc DAEMON=/sbin/dhcpcd ]
> ><notice>pidofproc: dhcpcd 347
>
>
>
> --
> -------------------------------------------"Never tell me the odds!"--------
> Ray Olszewski -- Han Solo
> Palo Alto, California, USA ray@comarre.com
> -------------------------------------------------------------------------------
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
--
Paul Furness
Systems Manager
Steepness is an illusion caused by flat things leaning over.
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
^ permalink raw reply
* Re: 2.5.52 and modules (lots of unresolved symbols)?
From: Alex Goddard @ 2002-12-16 11:19 UTC (permalink / raw)
To: Gregoire Favre; +Cc: linux-kernel
In-Reply-To: <20021216094514.GA735@ulima.unil.ch>
On Mon, 16 Dec 2002, Gregoire Favre wrote:
> Hello,
>
> I have just patched 2.5.51, and not done the make clean && make mrproper
> before doing a make menuconfig && make dep && make bzImage && make
> modules...
>
> Will that change anything to make clean/mrproper here?
I would give 'make clean' a try.
> I have module-init-tools-0.9.3 compiled and installed on my system.
I got the same thing (a shitload of depmod unresolved symbols messages)
when i first tried compiling 2.5.52. It stopped when I reinstalled
module-init-tools, and built and the kernel again after a 'make clean'.
--
Alex Goddard
agoddard@purdue.edu
^ permalink raw reply
* Re: [PATCH] Add CONFIG_ACPI_RELAXED_AML option
From: Alan Cox @ 2002-12-16 16:19 UTC (permalink / raw)
To: NoZizzing OrDripping
Cc: Pavel Machek, Moore, Robert, 'Herbert Nachtnebel',
acpi-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, Therien, Guy,
Grover, Andrew
In-Reply-To: <20021216143410.21977.qmail-wdi6g2619JCA/QwVtaZbd3CJp6faPEW9@public.gmane.org>
On Mon, 2002-12-16 at 14:34, NoZizzing OrDripping wrote:
> The opinions on this are going to break down along the
> lines of who has working AML, and who doesn't, with
> the tie-breaker going to the distro that wants to
> have as many satisfied "customers" as possible. Right
> now, that distro is XP :-(
Intel want people to write valid AML. I don't think they'll ever succeed
but trying doesn't hurt.
Vendors want working laptops
I think the loud complaint approach is the right one. Vendors will get
to look inferior with buggy AML, users get working laptops too.
Certainly its difficult to see a vendor not applying that change.
Alan
-------------------------------------------------------
This sf.net email is sponsored by:
With Great Power, Comes Great Responsibility
Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
^ permalink raw reply
* [patch] Synchronize lsm-2.5 with lsm-2.5-bk
From: Stephen D. Smalley @ 2002-12-16 15:43 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: TEXT/plain, Size: 403 bytes --]
The first attached patch, also committed to the sourceforge CVS tree,
synchronizes our lsm-2.5 tree with the head of the lsm-2.5 BitKeeper tree.
Note that one of these changes conflicts with the selinux-2.5.patch,
so revert that patch prior to applying. An updated selinux-2.5.patch
is attached, and has been committed to the sourceforge CVS tree as well.
--
Stephen Smalley, NSA
sds@epoch.ncsc.mil
[-- Attachment #2: lsm-2.5-bk.patch --]
[-- Type: TEXT/plain, Size: 72098 bytes --]
Index: lsm-2.5/security/Kconfig
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/Kconfig,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 Kconfig
--- lsm-2.5/security/Kconfig 13 Dec 2002 21:01:26 -0000 1.1.1.1
+++ lsm-2.5/security/Kconfig 16 Dec 2002 15:16:07 -0000
@@ -36,7 +36,7 @@
config SECURITY_OWLSM
tristate "LSM port of Openwall (EXPERIMENTAL)"
- depends EXPERIMENTAL
+ depends SECURITY && EXPERIMENTAL
help
This enables the LSM port of the Openwall kernel patch.
This is NOT official Openwall. For more information on the
@@ -145,7 +145,7 @@
config SECURITY_DTE
tristate "Domain and Type Enforcement (EXPERIMENTAL)"
- depends on EXPERIMENTAL
+ depends SECURITY && EXPERIMENTAL
help
This enables Domain and Type Enforcement. It assigns labels to
files and processes. File labels are called types, and process
Index: lsm-2.5/security/dummy.c
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/dummy.c,v
retrieving revision 1.1.1.7
diff -u -r1.1.1.7 dummy.c
--- lsm-2.5/security/dummy.c 13 Dec 2002 21:01:26 -0000 1.1.1.7
+++ lsm-2.5/security/dummy.c 16 Dec 2002 15:16:07 -0000
@@ -722,15 +722,15 @@
return;
}
-static int dummy_socket_unix_stream_connect (struct socket *sock,
- struct socket *other,
- struct sock *newsk)
+static int dummy_unix_stream_connect (struct socket *sock,
+ struct socket *other,
+ struct sock *newsk)
{
return 0;
}
-static int dummy_socket_unix_may_send (struct socket *sock,
- struct socket *other)
+static int dummy_unix_may_send (struct socket *sock,
+ struct socket *other)
{
return 0;
}
@@ -873,178 +873,7 @@
return -EINVAL;
}
-struct security_operations dummy_security_ops = {
- .sethostname = dummy_sethostname,
- .setdomainname = dummy_setdomainname,
- .reboot = dummy_reboot,
- .ioperm = dummy_ioperm,
- .iopl = dummy_iopl,
- .ptrace = dummy_ptrace,
- .capget = dummy_capget,
- .capset_check = dummy_capset_check,
- .capset_set = dummy_capset_set,
- .acct = dummy_acct,
- .capable = dummy_capable,
- .sysctl = dummy_sysctl,
- .swapon = dummy_swapon,
- .swapoff = dummy_swapoff,
- .quotactl = dummy_quotactl,
- .quota_on = dummy_quota_on,
- .syslog = dummy_syslog,
- .settime = dummy_settime,
-
- .netlink_send = dummy_netlink_send,
- .netlink_recv = dummy_netlink_recv,
-
- .unix_stream_connect = dummy_socket_unix_stream_connect,
- .unix_may_send = dummy_socket_unix_may_send,
-
- .bprm_alloc_security = dummy_bprm_alloc_security,
- .bprm_free_security = dummy_bprm_free_security,
- .bprm_compute_creds = dummy_bprm_compute_creds,
- .bprm_set_security = dummy_bprm_set_security,
- .bprm_check_security = dummy_bprm_check_security,
-
- .sb_alloc_security = dummy_sb_alloc_security,
- .sb_free_security = dummy_sb_free_security,
- .sb_kern_mount = dummy_sb_kern_mount,
- .sb_statfs = dummy_sb_statfs,
- .sb_mount = dummy_sb_mount,
- .sb_check_sb = dummy_sb_check_sb,
- .sb_umount = dummy_sb_umount,
- .sb_umount_close = dummy_sb_umount_close,
- .sb_umount_busy = dummy_sb_umount_busy,
- .sb_post_remount = dummy_sb_post_remount,
- .sb_post_mountroot = dummy_sb_post_mountroot,
- .sb_post_addmount = dummy_sb_post_addmount,
- .sb_pivotroot = dummy_sb_pivotroot,
- .sb_post_pivotroot = dummy_sb_post_pivotroot,
-
- .inode_alloc_security = dummy_inode_alloc_security,
- .inode_free_security = dummy_inode_free_security,
- .inode_create = dummy_inode_create,
- .inode_post_create = dummy_inode_post_create,
- .inode_link = dummy_inode_link,
- .inode_post_link = dummy_inode_post_link,
- .inode_unlink = dummy_inode_unlink,
- .inode_symlink = dummy_inode_symlink,
- .inode_post_symlink = dummy_inode_post_symlink,
- .inode_mkdir = dummy_inode_mkdir,
- .inode_post_mkdir = dummy_inode_post_mkdir,
- .inode_rmdir = dummy_inode_rmdir,
- .inode_mknod = dummy_inode_mknod,
- .inode_post_mknod = dummy_inode_post_mknod,
- .inode_rename = dummy_inode_rename,
- .inode_post_rename = dummy_inode_post_rename,
- .inode_readlink = dummy_inode_readlink,
- .inode_follow_link = dummy_inode_follow_link,
- .inode_permission = dummy_inode_permission,
- .inode_permission_lite = dummy_inode_permission_lite,
- .inode_setattr = dummy_inode_setattr,
- .inode_getattr = dummy_inode_getattr,
- .inode_post_lookup = dummy_inode_post_lookup,
- .inode_delete = dummy_inode_delete,
- .inode_setxattr = dummy_inode_setxattr,
- .inode_getxattr = dummy_inode_getxattr,
- .inode_listxattr = dummy_inode_listxattr,
- .inode_removexattr = dummy_inode_removexattr,
-
- .file_permission = dummy_file_permission,
- .file_alloc_security = dummy_file_alloc_security,
- .file_free_security = dummy_file_free_security,
- .file_ioctl = dummy_file_ioctl,
- .file_mmap = dummy_file_mmap,
- .file_mprotect = dummy_file_mprotect,
- .file_lock = dummy_file_lock,
- .file_fcntl = dummy_file_fcntl,
- .file_set_fowner = dummy_file_set_fowner,
- .file_send_sigiotask = dummy_file_send_sigiotask,
- .file_receive = dummy_file_receive,
-
- .task_create = dummy_task_create,
- .task_alloc_security = dummy_task_alloc_security,
- .task_free_security = dummy_task_free_security,
- .task_setuid = dummy_task_setuid,
- .task_post_setuid = dummy_task_post_setuid,
- .task_setgid = dummy_task_setgid,
- .task_setpgid = dummy_task_setpgid,
- .task_getpgid = dummy_task_getpgid,
- .task_getsid = dummy_task_getsid,
- .task_setgroups = dummy_task_setgroups,
- .task_setnice = dummy_task_setnice,
- .task_setrlimit = dummy_task_setrlimit,
- .task_setscheduler = dummy_task_setscheduler,
- .task_getscheduler = dummy_task_getscheduler,
- .task_wait = dummy_task_wait,
- .task_kill = dummy_task_kill,
- .task_prctl = dummy_task_prctl,
- .task_kmod_set_label = dummy_task_kmod_set_label,
- .task_reparent_to_init = dummy_task_reparent_to_init,
-
- .socket_create = dummy_socket_create,
- .socket_post_create = dummy_socket_post_create,
- .socket_bind = dummy_socket_bind,
- .socket_connect = dummy_socket_connect,
- .socket_listen = dummy_socket_listen,
- .socket_accept = dummy_socket_accept,
- .socket_post_accept = dummy_socket_post_accept,
- .socket_sendmsg = dummy_socket_sendmsg,
- .socket_recvmsg = dummy_socket_recvmsg,
- .socket_getsockname = dummy_socket_getsockname,
- .socket_getpeername = dummy_socket_getpeername,
- .socket_getsockopt = dummy_socket_getsockopt,
- .socket_setsockopt = dummy_socket_setsockopt,
- .socket_shutdown = dummy_socket_shutdown,
- .socket_sock_alloc_security = dummy_socket_sock_alloc_security,
- .socket_sock_free_security = dummy_socket_sock_free_security,
- .socket_sock_rcv_skb = dummy_socket_sock_rcv_skb,
- .open_request_alloc_security = dummy_open_request_alloc_security,
- .open_request_free_security = dummy_open_request_free_security,
- .tcp_connection_request = dummy_tcp_connection_request,
- .tcp_synack = dummy_tcp_synack,
- .tcp_create_openreq_child = dummy_tcp_create_openreq_child,
-
- .skb_alloc_security = dummy_skb_alloc_security,
- .skb_clone = dummy_skb_clone,
- .skb_copy = dummy_skb_copy,
- .skb_set_owner_w = dummy_skb_set_owner_w,
- .skb_recv_datagram = dummy_skb_recv_datagram,
- .skb_free_security = dummy_skb_free_security,
-
- .ip_fragment = dummy_ip_fragment,
- .ip_defragment = dummy_ip_defragment,
- .ip_encapsulate = dummy_ip_encapsulate,
- .ip_decapsulate = dummy_ip_decapsulate,
- .ip_decode_options = dummy_ip_decode_options,
-
- .ipc_permission = dummy_ipc_permission,
-
- .netdev_unregister = dummy_netdev_unregister,
-
- .msg_msg_alloc_security = dummy_msg_msg_alloc_security,
- .msg_msg_free_security = dummy_msg_msg_free_security,
-
- .msg_queue_alloc_security = dummy_msg_queue_alloc_security,
- .msg_queue_free_security = dummy_msg_queue_free_security,
- .msg_queue_associate = dummy_msg_queue_associate,
- .msg_queue_msgctl = dummy_msg_queue_msgctl,
- .msg_queue_msgsnd = dummy_msg_queue_msgsnd,
- .msg_queue_msgrcv = dummy_msg_queue_msgrcv,
-
- .shm_alloc_security = dummy_shm_alloc_security,
- .shm_free_security = dummy_shm_free_security,
- .shm_associate = dummy_shm_associate,
- .shm_shmctl = dummy_shm_shmctl,
- .shm_shmat = dummy_shm_shmat,
-
- .sem_alloc_security = dummy_sem_alloc_security,
- .sem_free_security = dummy_sem_free_security,
- .sem_associate = dummy_sem_associate,
- .sem_semctl = dummy_sem_semctl,
-
- .register_security = dummy_register_security,
- .unregister_security = dummy_unregister_security,
-};
+struct security_operations dummy_security_ops;
#define set_to_dummy_if_null(ops, function) \
do { \
@@ -1150,5 +979,65 @@
set_to_dummy_if_null(ops, sem_free_security);
set_to_dummy_if_null(ops, register_security);
set_to_dummy_if_null(ops, unregister_security);
+ set_to_dummy_if_null(ops, sethostname);
+ set_to_dummy_if_null(ops, setdomainname);
+ set_to_dummy_if_null(ops, reboot);
+ set_to_dummy_if_null(ops, ioperm);
+ set_to_dummy_if_null(ops, iopl);
+ set_to_dummy_if_null(ops, sysctl);
+ set_to_dummy_if_null(ops, swapon);
+ set_to_dummy_if_null(ops, swapoff);
+ set_to_dummy_if_null(ops, syslog);
+ set_to_dummy_if_null(ops, settime);
+ set_to_dummy_if_null(ops, netlink_send);
+ set_to_dummy_if_null(ops, netlink_recv);
+ set_to_dummy_if_null(ops, sb_kern_mount);
+ set_to_dummy_if_null(ops, ip_fragment);
+ set_to_dummy_if_null(ops, ip_defragment);
+ set_to_dummy_if_null(ops, ip_decapsulate);
+ set_to_dummy_if_null(ops, ip_encapsulate);
+ set_to_dummy_if_null(ops, ip_decode_options);
+ set_to_dummy_if_null(ops, netdev_unregister);
+ set_to_dummy_if_null(ops, socket_create);
+ set_to_dummy_if_null(ops, socket_post_create);
+ set_to_dummy_if_null(ops, socket_bind);
+ set_to_dummy_if_null(ops, socket_connect);
+ set_to_dummy_if_null(ops, socket_listen);
+ set_to_dummy_if_null(ops, socket_accept);
+ set_to_dummy_if_null(ops, socket_post_accept);
+ set_to_dummy_if_null(ops, socket_sendmsg);
+ set_to_dummy_if_null(ops, socket_recvmsg);
+ set_to_dummy_if_null(ops, socket_getsockname);
+ set_to_dummy_if_null(ops, socket_getpeername);
+ set_to_dummy_if_null(ops, socket_setsockopt);
+ set_to_dummy_if_null(ops, socket_getsockopt);
+ set_to_dummy_if_null(ops, socket_shutdown);
+ set_to_dummy_if_null(ops, socket_sock_alloc_security);
+ set_to_dummy_if_null(ops, socket_sock_free_security);
+ set_to_dummy_if_null(ops, socket_sock_rcv_skb);
+ set_to_dummy_if_null(ops, open_request_alloc_security);
+ set_to_dummy_if_null(ops, open_request_free_security);
+ set_to_dummy_if_null(ops, tcp_connection_request);
+ set_to_dummy_if_null(ops, tcp_synack);
+ set_to_dummy_if_null(ops, tcp_create_openreq_child);
+ set_to_dummy_if_null(ops, unix_stream_connect);
+ set_to_dummy_if_null(ops, unix_may_send);
+ set_to_dummy_if_null(ops, msg_msg_alloc_security);
+ set_to_dummy_if_null(ops, msg_msg_free_security);
+ set_to_dummy_if_null(ops, msg_queue_associate);
+ set_to_dummy_if_null(ops, msg_queue_msgctl);
+ set_to_dummy_if_null(ops, msg_queue_msgsnd);
+ set_to_dummy_if_null(ops, msg_queue_msgrcv);
+ set_to_dummy_if_null(ops, shm_associate);
+ set_to_dummy_if_null(ops, shm_shmctl);
+ set_to_dummy_if_null(ops, shm_shmat);
+ set_to_dummy_if_null(ops, sem_associate);
+ set_to_dummy_if_null(ops, sem_semctl);
+ set_to_dummy_if_null(ops, skb_alloc_security);
+ set_to_dummy_if_null(ops, skb_clone);
+ set_to_dummy_if_null(ops, skb_copy);
+ set_to_dummy_if_null(ops, skb_set_owner_w);
+ set_to_dummy_if_null(ops, skb_recv_datagram);
+ set_to_dummy_if_null(ops, skb_free_security);
}
Index: lsm-2.5/security/owlsm.c
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/owlsm.c,v
retrieving revision 1.1.1.7
diff -u -r1.1.1.7 owlsm.c
--- lsm-2.5/security/owlsm.c 13 Dec 2002 21:01:26 -0000 1.1.1.7
+++ lsm-2.5/security/owlsm.c 16 Dec 2002 15:16:07 -0000
@@ -30,63 +30,6 @@
/* flag to keep track of how we were registered */
static int secondary;
-static int owlsm_sethostname (char *hostname)
-{
- return 0;
-}
-
-static int owlsm_setdomainname (char *domainname)
-{
- return 0;
-}
-
-static int owlsm_reboot (unsigned int cmd)
-{
- return 0;
-}
-
-static int owlsm_ioperm (unsigned long from, unsigned long num, int turn_on)
-{
- return 0;
-}
-
-static int owlsm_iopl (unsigned int old, unsigned int level)
-{
- return 0;
-}
-
-static int owlsm_ptrace (struct task_struct *parent, struct task_struct *child)
-{
- return 0;
-}
-
-static int owlsm_capget (struct task_struct *target, kernel_cap_t * effective,
- kernel_cap_t * inheritable, kernel_cap_t * permitted)
-{
- return 0;
-}
-
-static int owlsm_capset_check (struct task_struct *target,
- kernel_cap_t * effective,
- kernel_cap_t * inheritable,
- kernel_cap_t * permitted)
-{
- return 0;
-}
-
-static void owlsm_capset_set (struct task_struct *target,
- kernel_cap_t * effective,
- kernel_cap_t * inheritable,
- kernel_cap_t * permitted)
-{
- return;
-}
-
-static int owlsm_acct (struct file *file)
-{
- return 0;
-}
-
static int owlsm_capable (struct task_struct *tsk, int cap)
{
/* from dummy.c */
@@ -98,47 +41,6 @@
return -EPERM;
}
-static int owlsm_sysctl (ctl_table * table, int op)
-{
- return 0;
-}
-
-static int owlsm_sys_security (unsigned int id, unsigned int call,
- unsigned long *args)
-{
- return -ENOSYS;
-}
-
-static int owlsm_swapon (struct swap_info_struct *swap)
-{
- return 0;
-}
-
-static int owlsm_swapoff (struct swap_info_struct *swap)
-{
- return 0;
-}
-
-static int owlsm_quotactl (int cmds, int type, int id, struct super_block *sb)
-{
- return 0;
-}
-
-static int owlsm_quota_on (struct file *f)
-{
- return 0;
-}
-
-static int owlsm_syslog (int type)
-{
- return 0;
-}
-
-static int owlsm_settime (struct timeval *tv, struct timezone *tz)
-{
- return 0;
-}
-
static int owlsm_netlink_send (struct sk_buff *skb)
{
/* from dummy.c */
@@ -182,879 +84,54 @@
return do_owlsm_sfd_set(bprm);
}
-static int owlsm_binprm_check_security (struct linux_binprm *bprm)
-{
- return 0;
-}
-
-static int owlsm_sb_alloc_security (struct super_block *sb)
-{
- return 0;
-}
-
-static void owlsm_sb_free_security (struct super_block *sb)
-{
- return;
-}
-
-static int owlsm_sb_kern_mount (struct super_block *sb)
-{
- return 0;
-}
-
-static int owlsm_sb_statfs (struct super_block *sb)
-{
- return 0;
-}
-
-static int owlsm_sb_mount (char *devname, struct nameidata *nd, char *type,
- unsigned long flags, void *data)
-{
- return 0;
-}
-
-static int owlsm_sb_check_sb (struct vfsmount *mnt, struct nameidata *nd)
-{
- return 0;
-}
-
-static int owlsm_sb_umount (struct vfsmount *mnt, int flags)
-{
- return 0;
-}
-
-static void owlsm_sb_umount_close (struct vfsmount *mnt)
-{
- return;
-}
-
-static void owlsm_sb_umount_busy (struct vfsmount *mnt)
-{
- return;
-}
-static void owlsm_sb_post_remount (struct vfsmount *mnt, unsigned long flags,
- void *data)
-{
- return;
-}
-
-static void owlsm_sb_post_mountroot (void)
-{
- return;
-}
-
-static void owlsm_sb_post_addmount (struct vfsmount *mnt, struct nameidata *nd)
-{
- return;
-}
-
-static int owlsm_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd)
-{
- return 0;
-}
-
-static void owlsm_post_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd)
-{
- return;
-}
-
-static int owlsm_inode_alloc_security (struct inode *inode)
-{
- return 0;
-}
-
-static void owlsm_inode_free_security (struct inode *inode)
-{
- return;
-}
-
-static int owlsm_inode_create (struct inode *inode, struct dentry *dentry,
- int mask)
-{
- return 0;
-}
-
-static void owlsm_inode_post_create (struct inode *inode, struct dentry *dentry,
- int mask)
-{
- return;
-}
-
static int owlsm_inode_link (struct dentry *old_dentry, struct inode *inode,
struct dentry *new_dentry)
{
return do_owlsm_link(old_dentry, inode, new_dentry);
}
-static void owlsm_inode_post_link (struct dentry *old_dentry,
- struct inode *inode,
- struct dentry *new_dentry)
-{
- return;
-}
-
-static int owlsm_inode_unlink (struct inode *inode, struct dentry *dentry)
-{
- return 0;
-}
-
-static int owlsm_inode_symlink (struct inode *inode, struct dentry *dentry,
- const char *name)
-{
- return 0;
-}
-
-static void owlsm_inode_post_symlink (struct inode *inode,
- struct dentry *dentry, const char *name)
-{
- return;
-}
-
-static int owlsm_inode_mkdir (struct inode *inode, struct dentry *dentry,
- int mask)
-{
- return 0;
-}
-
-static void owlsm_inode_post_mkdir (struct inode *inode, struct dentry *dentry,
- int mask)
-{
- return;
-}
-
-static int owlsm_inode_rmdir (struct inode *inode, struct dentry *dentry)
-{
- return 0;
-}
-
-static int owlsm_inode_mknod (struct inode *inode, struct dentry *dentry,
- int major, dev_t minor)
-{
- return 0;
-}
-
-static void owlsm_inode_post_mknod (struct inode *inode, struct dentry *dentry,
- int major, dev_t minor)
-{
- return;
-}
-
-static int owlsm_inode_rename (struct inode *old_inode,
- struct dentry *old_dentry,
- struct inode *new_inode,
- struct dentry *new_dentry)
-{
- return 0;
-}
-
-static void owlsm_inode_post_rename (struct inode *old_inode,
- struct dentry *old_dentry,
- struct inode *new_inode,
- struct dentry *new_dentry)
-{
- return;
-}
-
-static int owlsm_inode_readlink (struct dentry *dentry)
-{
- return 0;
-}
-
static int owlsm_inode_follow_link (struct dentry *dentry,
struct nameidata *nameidata)
{
return do_owlsm_follow_link(dentry, nameidata);
}
-static int owlsm_inode_permission (struct inode *inode, int mask)
-{
- return 0;
-}
-
-static int owlsm_inode_permission_lite (struct inode *inode, int mask)
-{
- return 0;
-}
-
-static int owlsm_inode_setattr (struct dentry *dentry, struct iattr *iattr)
-{
- return 0;
-}
-
-static int owlsm_inode_getattr (struct vfsmount *mnt, struct dentry *dentry)
-{
- return 0;
-}
-
-static void owlsm_post_lookup (struct inode *ino, struct dentry *d)
-{
- return;
-}
-
-static void owlsm_delete (struct inode *ino)
-{
- return;
-}
-
-static int owlsm_inode_setxattr (struct dentry *dentry, char *name, void *value,
- size_t size, int flags)
-{
- return 0;
-}
-
-static int owlsm_inode_getxattr (struct dentry *dentry, char *name)
-{
- return 0;
-}
-
-static int owlsm_inode_listxattr (struct dentry *dentry)
-{
- return 0;
-}
-
-static int owlsm_inode_removexattr (struct dentry *dentry, char *name)
-{
- return 0;
-}
-
-static int owlsm_file_permission (struct file *file, int mask)
-{
- return 0;
+static void owlsm_task_reparent_to_init (struct task_struct *p)
+{
+ p->euid = p->fsuid = 0;
+ return;
}
-static int owlsm_file_alloc_security (struct file *file)
+static int owlsm_decode_options (struct sk_buff *skb, const char *optptr,
+ unsigned char **pp_ptr)
{
+ /* from dummy.c */
+ if (!skb && !capable (CAP_NET_RAW)) {
+ (const unsigned char *) *pp_ptr = optptr;
+ return -EPERM;
+ }
return 0;
}
-static void owlsm_file_free_security (struct file *file)
-{
- return;
-}
-
-static int owlsm_file_ioctl (struct file *file, unsigned int command ,
- unsigned long arg)
-{
- return 0;
-}
-static int owlsm_file_mmap (struct file *file, unsigned long prot,
- unsigned long flags)
-{
- return 0;
-}
+static struct security_operations owlsm_ops = {
+ capable: owlsm_capable,
-static int owlsm_file_mprotect (struct vm_area_struct *vma, unsigned long prot)
-{
- return 0;
-}
+ netlink_send: owlsm_netlink_send,
+ netlink_recv: owlsm_netlink_recv,
+
+ bprm_alloc_security: owlsm_binprm_alloc_security,
+ bprm_free_security: owlsm_binprm_free_security,
+ bprm_compute_creds: owlsm_binprm_compute_creds,
+ bprm_set_security: owlsm_binprm_set_security,
+
+ inode_link: owlsm_inode_link,
-static int owlsm_file_lock (struct file *file, unsigned int cmd)
-{
- return 0;
-}
+ inode_follow_link: owlsm_inode_follow_link,
-static int owlsm_file_fcntl (struct file *file, unsigned int cmd,
- unsigned long arg)
-{
- return 0;
-}
+ task_reparent_to_init: owlsm_task_reparent_to_init,
-static int owlsm_file_set_fowner (struct file *file)
-{
- return 0;
-}
-
-static int owlsm_file_send_sigiotask (struct task_struct *tsk,
- struct fown_struct *fown,
- int fd, int reason)
-{
- return 0;
-}
-
-static int owlsm_file_receive (struct file *file)
-{
- return 0;
-}
-
-static int owlsm_task_create (unsigned long clone_flags)
-{
- return 0;
-}
-
-static int owlsm_task_alloc_security (struct task_struct *p)
-{
- return 0;
-}
-
-static void owlsm_task_free_security (struct task_struct *p)
-{
- return;
-}
-
-static int owlsm_task_setuid (uid_t id0, uid_t id1, uid_t id2, int flags)
-{
- return 0;
-}
-
-static int owlsm_task_post_setuid(uid_t old_ruid, uid_t old_euid,
- uid_t old_suid, int flags)
-{
- return 0;
-}
-
-static int owlsm_task_setgid (gid_t id0, gid_t id1, gid_t id2, int flags)
-{
- return 0;
-}
-
-static int owlsm_task_setpgid (struct task_struct *p, pid_t pgid)
-{
- return 0;
-}
-
-static int owlsm_task_getpgid (struct task_struct *p)
-{
- return 0;
-}
-
-static int owlsm_task_getsid (struct task_struct *p)
-{
- return 0;
-}
-
-static int owlsm_task_setgroups (int gidsetsize, gid_t *grouplist)
-{
- return 0;
-}
-
-static int owlsm_task_setnice (struct task_struct *p, int nice)
-{
- return 0;
-}
-
-static int owlsm_task_setrlimit (unsigned int resource, struct rlimit *new_rlim)
-{
- return 0;
-}
-
-static int owlsm_task_setscheduler (struct task_struct *p, int policy,
- struct sched_param *lp)
-{
- return 0;
-}
-
-static int owlsm_task_getscheduler (struct task_struct *p)
-{
- return 0;
-}
-
-static int owlsm_task_wait (struct task_struct *p)
-{
- return 0;
-}
-
-static int owlsm_task_kill (struct task_struct *p, struct siginfo *info, int sig)
-{
- return 0;
-}
-
-static int owlsm_task_prctl (int option, unsigned long arg2, unsigned long arg3,
- unsigned long arg4, unsigned long arg5)
-{
- return 0;
-}
-
-static void owlsm_task_kmod_set_label (void)
-{
- return;
-}
-
-static void owlsm_task_reparent_to_init (struct task_struct *p)
-{
- p->euid = p->fsuid = 0;
- return;
-}
-
-static void owlsm_ip_fragment (struct sk_buff *newskb,
- const struct sk_buff *oldskb)
-{
- return;
-}
-
-static int owlsm_ip_defragment (struct sk_buff *skb)
-{
- return 0;
-}
-
-static void owlsm_ip_encapsulate (struct sk_buff *skb)
-{
- return;
-}
-
-static void owlsm_ip_decapsulate (struct sk_buff *skb)
-{
- return;
-}
-
-static int owlsm_decode_options (struct sk_buff *skb, const char *optptr,
- unsigned char **pp_ptr)
-{
- /* from dummy.c */
- if (!skb && !capable (CAP_NET_RAW)) {
- (const unsigned char *) *pp_ptr = optptr;
- return -EPERM;
- }
- return 0;
-}
-
-static void owlsm_netdev_unregister (struct net_device *dev)
-{
- return;
-}
-
-static int owlsm_socket_create (int family, int type, int protocol)
-{
- return 0;
-}
-static void owlsm_socket_post_create (struct socket *sock, int family,
- int type, int protocol)
-{
- return;
-}
-
-static int owlsm_socket_bind (struct socket *sock, struct sockaddr *address,
- int addrlen)
-{
- return 0;
-}
-
-static int owlsm_socket_connect (struct socket *sock, struct sockaddr *address,
- int addrlen)
-{
- return 0;
-}
-
-static int owlsm_socket_listen (struct socket *sock, int backlog)
-{
- return 0;
-}
-
-static int owlsm_socket_accept (struct socket *sock, struct socket *newsock)
-{
- return 0;
-}
-
-static void owlsm_socket_post_accept (struct socket *sock,
- struct socket *newsock)
-{
- return;
-}
-
-static int owlsm_socket_sendmsg (struct socket *sock, struct msghdr *msg,
- int size)
-{
- return 0;
-}
-
-static int owlsm_socket_recvmsg (struct socket *sock, struct msghdr *msg,
- int size, int flags)
-{
- return 0;
-}
-
-static int owlsm_socket_getsockname (struct socket *sock)
-{
- return 0;
-}
-
-static int owlsm_socket_getpeername (struct socket *sock)
-{
- return 0;
-}
-
-static int owlsm_socket_setsockopt (struct socket *sock, int level, int optname)
-{
- return 0;
-}
-
-static int owlsm_socket_getsockopt (struct socket *sock, int level, int optname)
-{
- return 0;
-}
-
-static int owlsm_socket_shutdown (struct socket *sock, int how)
-{
- return 0;
-}
-
-static int owlsm_socket_sock_alloc_security(struct sock *sk, int gfp_mask)
-{
- return 0;
-}
-
-static void owlsm_socket_sock_free_security(struct sock *sk)
-{
- return;
-}
-
-static int owlsm_socket_sock_rcv_skb (struct sock *sk, struct sk_buff *skb)
-{
- return 0;
-}
-
-static int owlsm_open_request_alloc_security(struct open_request * req)
-{
- return 0;
-}
-
-static void owlsm_open_request_free_security(struct open_request * req)
-{
- return;
-}
-
-static void owlsm_tcp_connection_request(struct sock *sk, struct sk_buff * skb,
- struct open_request *req)
-{
- return;
-}
-
-static void owlsm_tcp_synack(struct sock *sk, struct sk_buff * skb,
- struct open_request *req)
-{
- return;
-}
-
-static void owlsm_tcp_create_openreq_child(struct sock *sk, struct sock *newsk,
- struct sk_buff *skb,
- struct open_request *req)
-{
- return;
-}
-
-static int owlsm_socket_unix_stream_connect (struct socket *sock,
- struct socket *other,
- struct sock *newsk)
-{
- return 0;
-}
-
-static int owlsm_socket_unix_may_send (struct socket *sock,
- struct socket *other)
-{
- return 0;
-}
-
-static int owlsm_ipc_permission (struct kern_ipc_perm *ipcp, short flag)
-{
- return 0;
-}
-
-static int owlsm_msg_msg_alloc_security (struct msg_msg *msg)
-{
- return 0;
-}
-
-static void owlsm_msg_msg_free_security (struct msg_msg *msg)
-{
- return;
-}
-
-static int owlsm_msg_queue_alloc_security (struct msg_queue *msq)
-{
- return 0;
-}
-
-static void owlsm_msg_queue_free_security (struct msg_queue *msq)
-{
- return;
-}
-
-static int owlsm_msg_queue_associate (struct msg_queue *msq,
- int msgflg)
-{
- return 0;
-}
-
-static int owlsm_msg_queue_msgctl (struct msg_queue *msq, int cmd)
-{
- return 0;
-}
-
-static int owlsm_msg_queue_msgsnd (struct msg_queue *msq, struct msg_msg *msg,
- int msgflg)
-{
- return 0;
-}
-
-static int owlsm_msg_queue_msgrcv (struct msg_queue *msq, struct msg_msg *msg,
- struct task_struct *target,
- long type, int mode)
-{
- return 0;
-}
-
-static int owlsm_shm_alloc_security (struct shmid_kernel *shp)
-{
- return 0;
-}
-
-static void owlsm_shm_free_security (struct shmid_kernel *shp)
-{
- return;
-}
-
-static int owlsm_shm_associate (struct shmid_kernel *shp, int shmflg)
-{
- return 0;
-}
-
-static int owlsm_shm_shmctl (struct shmid_kernel *shp, int cmd)
-{
- return 0;
-}
-
-static int owlsm_shm_shmat (struct shmid_kernel *shp, char *shmaddr,
- int shmflg)
-{
- return 0;
-}
-
-static int owlsm_sem_alloc_security (struct sem_array *sma)
-{
- return 0;
-}
-
-static void owlsm_sem_free_security (struct sem_array *sma)
-{
- return;
-}
-
-static int owlsm_sem_associate (struct sem_array *sma, int semflg)
-{
- return 0;
-}
-
-static int owlsm_sem_semctl (struct sem_array *sma, int cmd)
-{
- return 0;
-}
-
-static int owlsm_skb_alloc_security (struct sk_buff *skb, int priority)
-{
- return 0;
-}
-
-static int owlsm_skb_clone (struct sk_buff *newskb,
- const struct sk_buff *oldskb)
-{
- return 0;
-}
-
-static void owlsm_skb_copy (struct sk_buff *newskb,
- const struct sk_buff *oldskb)
-{
- return;
-}
-
-static void owlsm_skb_set_owner_w (struct sk_buff *skb, struct sock *sk)
-{
- return;
-}
-
-static void owlsm_skb_recv_datagram (struct sk_buff *skb, struct sock *sk,
- unsigned flags)
-{
- return;
-}
-
-static void owlsm_skb_free_security (struct sk_buff *skb)
-{
- return;
-}
-
-static int owlsm_register (const char *name, struct security_operations *ops)
-{
- return -EINVAL;
-}
-
-static int owlsm_unregister (const char *name, struct security_operations *ops)
-{
- return -EINVAL;
-}
-
-static struct security_operations owlsm_ops = {
- sethostname: owlsm_sethostname,
- setdomainname: owlsm_setdomainname,
- reboot: owlsm_reboot,
- ioperm: owlsm_ioperm,
- iopl: owlsm_iopl,
- ptrace: owlsm_ptrace,
- capget: owlsm_capget,
- capset_check: owlsm_capset_check,
- capset_set: owlsm_capset_set,
- acct: owlsm_acct,
- sysctl: owlsm_sysctl,
- capable: owlsm_capable,
- sys_security: owlsm_sys_security,
- swapon: owlsm_swapon,
- swapoff: owlsm_swapoff,
- quotactl: owlsm_quotactl,
- quota_on: owlsm_quota_on,
- syslog: owlsm_syslog,
- settime: owlsm_settime,
-
- netlink_send: owlsm_netlink_send,
- netlink_recv: owlsm_netlink_recv,
-
- unix_stream_connect: owlsm_socket_unix_stream_connect,
- unix_may_send: owlsm_socket_unix_may_send,
-
- bprm_alloc_security: owlsm_binprm_alloc_security,
- bprm_free_security: owlsm_binprm_free_security,
- bprm_compute_creds: owlsm_binprm_compute_creds,
- bprm_set_security: owlsm_binprm_set_security,
- bprm_check_security: owlsm_binprm_check_security,
-
- sb_alloc_security: owlsm_sb_alloc_security,
- sb_free_security: owlsm_sb_free_security,
- sb_kern_mount: owlsm_sb_kern_mount,
- sb_statfs: owlsm_sb_statfs,
- sb_mount: owlsm_sb_mount,
- sb_check_sb: owlsm_sb_check_sb,
- sb_umount: owlsm_sb_umount,
- sb_umount_close: owlsm_sb_umount_close,
- sb_umount_busy: owlsm_sb_umount_busy,
- sb_post_remount: owlsm_sb_post_remount,
- sb_post_mountroot: owlsm_sb_post_mountroot,
- sb_post_addmount: owlsm_sb_post_addmount,
- sb_pivotroot: owlsm_pivotroot,
- sb_post_pivotroot: owlsm_post_pivotroot,
-
- inode_alloc_security: owlsm_inode_alloc_security,
- inode_free_security: owlsm_inode_free_security,
- inode_create: owlsm_inode_create,
- inode_post_create: owlsm_inode_post_create,
- inode_link: owlsm_inode_link,
- inode_post_link: owlsm_inode_post_link,
- inode_unlink: owlsm_inode_unlink,
- inode_symlink: owlsm_inode_symlink,
- inode_post_symlink: owlsm_inode_post_symlink,
- inode_mkdir: owlsm_inode_mkdir,
- inode_post_mkdir: owlsm_inode_post_mkdir,
- inode_rmdir: owlsm_inode_rmdir,
- inode_mknod: owlsm_inode_mknod,
- inode_post_mknod: owlsm_inode_post_mknod,
- inode_rename: owlsm_inode_rename,
- inode_post_rename: owlsm_inode_post_rename,
- inode_readlink: owlsm_inode_readlink,
- inode_follow_link: owlsm_inode_follow_link,
- inode_permission: owlsm_inode_permission,
- inode_permission_lite: owlsm_inode_permission_lite,
- inode_setattr: owlsm_inode_setattr,
- inode_getattr: owlsm_inode_getattr,
- inode_post_lookup: owlsm_post_lookup,
- inode_delete: owlsm_delete,
- inode_setxattr: owlsm_inode_setxattr,
- inode_getxattr: owlsm_inode_getxattr,
- inode_listxattr: owlsm_inode_listxattr,
- inode_removexattr: owlsm_inode_removexattr,
-
- file_permission: owlsm_file_permission,
- file_alloc_security: owlsm_file_alloc_security,
- file_free_security: owlsm_file_free_security,
- file_ioctl: owlsm_file_ioctl,
- file_mmap: owlsm_file_mmap,
- file_mprotect: owlsm_file_mprotect,
- file_lock: owlsm_file_lock,
- file_fcntl: owlsm_file_fcntl,
- file_set_fowner: owlsm_file_set_fowner,
- file_send_sigiotask: owlsm_file_send_sigiotask,
- file_receive: owlsm_file_receive,
-
- task_create: owlsm_task_create,
- task_alloc_security: owlsm_task_alloc_security,
- task_free_security: owlsm_task_free_security,
- task_setuid: owlsm_task_setuid,
- task_post_setuid: owlsm_task_post_setuid,
- task_setgid: owlsm_task_setgid,
- task_setpgid: owlsm_task_setpgid,
- task_getpgid: owlsm_task_getpgid,
- task_getsid: owlsm_task_getsid,
- task_setgroups: owlsm_task_setgroups,
- task_setnice: owlsm_task_setnice,
- task_setrlimit: owlsm_task_setrlimit,
- task_setscheduler: owlsm_task_setscheduler,
- task_getscheduler: owlsm_task_getscheduler,
- task_wait: owlsm_task_wait,
- task_kill: owlsm_task_kill,
- task_prctl: owlsm_task_prctl,
- task_kmod_set_label: owlsm_task_kmod_set_label,
- task_reparent_to_init: owlsm_task_reparent_to_init,
-
- socket_create: owlsm_socket_create,
- socket_post_create: owlsm_socket_post_create,
- socket_bind: owlsm_socket_bind,
- socket_connect: owlsm_socket_connect,
- socket_listen: owlsm_socket_listen,
- socket_accept: owlsm_socket_accept,
- socket_post_accept: owlsm_socket_post_accept,
- socket_sendmsg: owlsm_socket_sendmsg,
- socket_recvmsg: owlsm_socket_recvmsg,
- socket_getsockname: owlsm_socket_getsockname,
- socket_getpeername: owlsm_socket_getpeername,
- socket_getsockopt: owlsm_socket_getsockopt,
- socket_setsockopt: owlsm_socket_setsockopt,
- socket_shutdown: owlsm_socket_shutdown,
- socket_sock_alloc_security: owlsm_socket_sock_alloc_security,
- socket_sock_free_security: owlsm_socket_sock_free_security,
- socket_sock_rcv_skb: owlsm_socket_sock_rcv_skb,
- open_request_alloc_security: owlsm_open_request_alloc_security,
- open_request_free_security: owlsm_open_request_free_security,
- tcp_connection_request: owlsm_tcp_connection_request,
- tcp_synack: owlsm_tcp_synack,
- tcp_create_openreq_child: owlsm_tcp_create_openreq_child,
-
- skb_alloc_security: owlsm_skb_alloc_security,
- skb_clone: owlsm_skb_clone,
- skb_copy: owlsm_skb_copy,
- skb_set_owner_w: owlsm_skb_set_owner_w,
- skb_recv_datagram: owlsm_skb_recv_datagram,
- skb_free_security: owlsm_skb_free_security,
-
- ip_fragment: owlsm_ip_fragment,
- ip_defragment: owlsm_ip_defragment,
- ip_encapsulate: owlsm_ip_encapsulate,
- ip_decapsulate: owlsm_ip_decapsulate,
ip_decode_options: owlsm_decode_options,
-
- netdev_unregister: owlsm_netdev_unregister,
-
- ipc_permission: owlsm_ipc_permission,
-
- msg_msg_alloc_security: owlsm_msg_msg_alloc_security,
- msg_msg_free_security: owlsm_msg_msg_free_security,
-
- msg_queue_alloc_security: owlsm_msg_queue_alloc_security,
- msg_queue_free_security: owlsm_msg_queue_free_security,
- msg_queue_associate: owlsm_msg_queue_associate,
- msg_queue_msgctl: owlsm_msg_queue_msgctl,
- msg_queue_msgsnd: owlsm_msg_queue_msgsnd,
- msg_queue_msgrcv: owlsm_msg_queue_msgrcv,
-
- shm_alloc_security: owlsm_shm_alloc_security,
- shm_free_security: owlsm_shm_free_security,
- shm_associate: owlsm_shm_associate,
- shm_shmctl: owlsm_shm_shmctl,
- shm_shmat: owlsm_shm_shmat,
-
- sem_alloc_security: owlsm_sem_alloc_security,
- sem_free_security: owlsm_sem_free_security,
- sem_associate: owlsm_sem_associate,
- sem_semctl: owlsm_sem_semctl,
-
- register_security: owlsm_register,
- unregister_security: owlsm_unregister,
};
#if defined(CONFIG_SECURITY_owlsm_MODULE)
Index: lsm-2.5/security/security.c
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/security.c,v
retrieving revision 1.1.1.5
diff -u -r1.1.1.5 security.c
--- lsm-2.5/security/security.c 13 Dec 2002 21:01:26 -0000 1.1.1.5
+++ lsm-2.5/security/security.c 16 Dec 2002 15:16:07 -0000
@@ -48,6 +48,12 @@
printk (KERN_INFO "Security Scaffold v" SECURITY_SCAFFOLD_VERSION
" initialized\n");
+ if (verify (&dummy_security_ops)) {
+ printk (KERN_ERR "%s could not verify "
+ "dummy_security_ops structure.\n", __FUNCTION__);
+ return -EIO;
+ }
+
security_ops = &dummy_security_ops;
return 0;
Index: lsm-2.5/security/lids/Kconfig
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/lids/Kconfig,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 Kconfig
--- lsm-2.5/security/lids/Kconfig 13 Dec 2002 21:01:27 -0000 1.1.1.1
+++ lsm-2.5/security/lids/Kconfig 16 Dec 2002 15:16:08 -0000
@@ -2,12 +2,11 @@
# Kconfig for LIDS
#
-menu "Linux Intrusion Detection System"
-
-if EXPERIMENTAL && SYSCTL
+if EXPERIMENTAL && SYSCTL && SECURITY
config LIDS
tristate "Linux Intrusion Detection System support (EXPERIMENTAL)"
+ depends SECURITY && EXPERIMENTAL
help
LIDS - Linux Intrusion Detection System can let you protect
your linux kernel.
@@ -39,26 +38,25 @@
if LIDS
-comment "Lids features"
-
config LIDS_MAX_INODE
int "Maximum protected objects to manage"
- default 256
+ default 1024
config LIDS_MAX_SACL
int "Maximum ACL subjects to manage"
- default 256
+ default 1024
config LIDS_MAX_OACL
int "Maximum ACL objects to manage"
- default 256
+ default 1024
config LIDS_MAX_PROTECTED_PID
int "Maximum protected proceeds"
- default 256
+ default 1024
config LIDS_SA_EXEC_UP
bool "Security alert when execing unprotected programs before sealing LIDS"
+ default n
help
Saying yes will generate a security alert for each unprotected
program that is executed before LIDS is sealed (with lidsadm
@@ -71,6 +69,7 @@
config LIDS_NO_EXEC_UP
bool "Do not execute unprotected programs before sealing LIDS"
+ default n
depends on LIDS_SA_EXEC_UP
help
@@ -87,6 +86,7 @@
config LIDS_NO_FLOOD_LOG
bool "Attempt not to flood logs"
+ default y
help
If you say Yes here, LIDS will try not to flood logs with the
same message repeated a lot of times.
@@ -107,6 +107,7 @@
config LIDS_ALLOW_SWITCH
bool "Allow switching LIDS protections"
+ default y
help
If you say Yes here, you will enable the possibility to switch
LIDS on and off.
@@ -119,6 +120,7 @@
config LIDS_RESTRICT_MODE_SWITCH
bool "Restrict mode switching to specified terminals"
+ default n
help
If you enable this option, mode switching will be only allowed
from specified terminal types.
@@ -127,6 +129,7 @@
config LIDS_MODE_SWITCH_CONSOLE
bool "Allow mode switching from a Linux Console"
+ default y
help
Allow mode switching from a Linux Console.
@@ -161,20 +164,9 @@
The higher it is, the more secure the system will be.
-config LIDS_ALLOW_ANY_PROG_SWITCH
- bool "Allow any program to switch LIDS protections"
- help
- If you say Yes here, you will allow programs others than
- /sbin/lidsadm to feed /proc/sys/lids/locks.
-
- Notes : * It is strongly recommended to leave this option
- unmarked ! Don't say yes !
- * I don't know what it could be useful for :)
-
- Say no.
-
config LIDS_RELOAD_CONF
bool "Allow reloading config. file"
+ default y
help
Saying Yes here will compile the necessary code to reload
the config file. Each time you pass +RELOAD_CONF argument to
@@ -194,6 +186,7 @@
config LIDS_SA_THROUGH_NET
bool "Send security alerts through network"
+ default n
help
Say yes here if you want to send LIDS security alerts to a
remote machine through the network, directly from the kernel,
@@ -261,11 +254,10 @@
config LIDS_DEBUG
bool "LIDS Debug"
+ default n
# endif LIDS
endif
# endif EXPERIMENTAL && SYSCTL
endif
-
-endmenu
Index: lsm-2.5/security/lids/lids_acl.c
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/lids/lids_acl.c,v
retrieving revision 1.1.1.6
diff -u -r1.1.1.6 lids_acl.c
--- lsm-2.5/security/lids/lids_acl.c 13 Dec 2002 21:01:27 -0000 1.1.1.6
+++ lsm-2.5/security/lids/lids_acl.c 16 Dec 2002 15:16:08 -0000
@@ -40,7 +40,7 @@
#include <asm/namei.h>
-#include <linux/utime.h>
+#include <linux/time.h>
#include <linux/file.h>
#include <linux/fs.h>
@@ -119,11 +119,7 @@
read_unlock(&tasklist_lock);
return 1;
}
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,7)
t=t->parent;
-#else
- t=t->p_pptr;
-#endif
}
read_unlock(&tasklist_lock);
return 0;
@@ -200,7 +196,7 @@
struct lids_sys_acl *current_sys_acl = current->security;
if (!current_sys_acl) return -1;
- return lids_time_checker(get_seconds()%(60*60*24), current_sys_acl->cap[cap].time);
+ return lids_time_checker(get_seconds()%(60*60*24), current_sys_acl->cap[cap].time);
}
/*
@@ -293,7 +289,7 @@
return -EPERM;
ino = inode->i_ino;
- dev = to_kdev_t(inode->i_dev);
+ dev = to_kdev_t(inode->i_sb->s_dev);
if (check_domain)
acl = current_sys_acl->lids_domain;
@@ -713,7 +709,7 @@
while (dentry) {
if ((ino=dentry->d_inode)!=NULL)
- if ((retval=lids_search_inode(ino->i_ino,to_kdev_t(ino->i_dev),
+ if ((retval=lids_search_inode(ino->i_ino,to_kdev_t(ino->i_sb->s_dev),
&lids_data[lids_curr&1])) >= 0) {
return (retval & flag) ? 0:
lids_check_acl(base,flag,lids_curr,0);
Index: lsm-2.5/security/lids/lids_exec.c
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/lids/lids_exec.c,v
retrieving revision 1.1.1.6
diff -u -r1.1.1.6 lids_exec.c
--- lsm-2.5/security/lids/lids_exec.c 13 Dec 2002 21:01:27 -0000 1.1.1.6
+++ lsm-2.5/security/lids/lids_exec.c 16 Dec 2002 15:16:08 -0000
@@ -128,8 +128,8 @@
dentry = bprm->file->f_dentry;
lids_security_alert("Attempt to give [%.128s] to privilegied program %.128s (dev %d:%d inode %ld)",
kaddr, bprm->filename,
- MAJOR(dentry->d_inode->i_dev),
- MINOR(dentry->d_inode->i_dev),
+ MAJOR(dentry->d_inode->i_sb->s_dev),
+ MINOR(dentry->d_inode->i_sb->s_dev),
dentry->d_inode->i_ino);
}
kfree(p);
@@ -158,15 +158,11 @@
struct lids_sys_acl *current_sys_acl = current->security;
struct dentry *dentry;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,7)
if(current->parent->pid == 0) return 0;
-#else
- if(current->p_pptr->pid == 0) return 0;
-#endif
if(!bprm || !bprm->file) { printk("%s:BUG!\n",__FUNCTION__); return 0; }
- LIDS_DBG("%s:##### pid %i exec [%s]\n",__FUNCTION__ ,current->pid,bprm->filename);
+ LIDS_DBG("%s:##### pid %i exec [%s]\n",__FUNCTION__,current->pid,bprm->filename);
dentry = bprm->file->f_dentry;
/* check if this program is protected or not */
if (lids_check_base(dentry,LIDS_APPEND)) {
@@ -180,7 +176,7 @@
/* if it is protected, set the ACLs */
lids_get_task_acl(¤t_acl, current);
- new_sys_acl = lids_search_acl(dentry->d_inode->i_ino,to_kdev_t(dentry->d_inode->i_dev),lids_current);
+ new_sys_acl = lids_search_acl(dentry->d_inode->i_ino,to_kdev_t(dentry->d_inode->i_sb->s_dev),lids_current);
if (lids_compute_acls(¤t_acl,new_sys_acl,&computed_acl) < 0) {
dput(dentry);
@@ -203,8 +199,8 @@
#ifdef CONFIG_LIDS_NO_EXEC_UP
lids_security_alert("Attempt to exec unprotected program %s (dev %d:%d inode %ld) before sealing LIDS",
bprm->filename,
- MAJOR(dentry->d_inode->i_dev),
- MINOR(dentry->d_inode->i_dev),
+ MAJOR(dentry->d_inode->i_sb->s_dev),
+ MINOR(dentry->d_inode->i_sb->s_dev),
dentry->d_inode->i_ino);
if (dentry)
dput(dentry);
@@ -212,8 +208,8 @@
#else
lids_security_alert("Exec'ed unprotected program %s (dev %d:%d inode %ld) before sealing LIDS",
bprm->filename,
- MAJOR(dentry->d_inode->i_dev),
- MINOR(dentry->d_inode->i_dev),
+ MAJOR(dentry->d_inode->i_sb->s_dev),
+ MINOR(dentry->d_inode->i_sb->s_dev),
dentry->d_inode->i_ino);
#endif
}
@@ -222,7 +218,7 @@
/* maybe we need some locks here */
if (current_sys_acl) {
lids_get_task_acl(¤t_acl, current);
- new_sys_acl = lids_search_acl(dentry->d_inode->i_ino,to_kdev_t(dentry->d_inode->i_dev),lids_current);
+ new_sys_acl = lids_search_acl(dentry->d_inode->i_ino,to_kdev_t(dentry->d_inode->i_sb->s_dev),lids_current);
if (lids_compute_acls(¤t_acl,new_sys_acl,&computed_acl) < 0) {
dput(dentry);
return -EPERM;
@@ -232,8 +228,8 @@
|| computed_acl.lids_sys_acl->flags ) {
lids_security_alert("Attempt to transmit privileges to an unprotected program (%s dev %d:%d inode %ld)",
bprm->filename,
- MAJOR(dentry->d_inode->i_dev),
- MINOR(dentry->d_inode->i_dev),
+ MAJOR(dentry->d_inode->i_sb->s_dev),
+ MINOR(dentry->d_inode->i_sb->s_dev),
dentry->d_inode->i_ino);
}
current_sys_acl->lids_cap=0;
@@ -254,11 +250,8 @@
struct lids_task_acl src,dst;
if(!tsk) {printk("%s: BUG\n", __FUNCTION__); return 0 ;}
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,7)
+
if(!tsk->parent->pid) return 0;
-#else
- if(!tsk->p_pptr->pid) return 0;
-#endif
lids_get_task_acl(&src, current);
if (lids_task_acl_deep_copy(&dst,&src) < 0) {
@@ -277,11 +270,7 @@
if(!task_sys_acl) return 0;
if ( cap_raised(task_sys_acl->lids_cap, CAP_PROTECTED) ) {
if (current->pid && (current->pid != p->pid)
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,7)
&& ((sig != SIGCHLD) || (current->parent->pid != p->pid))) {
-#else
- && ((sig != SIGCHLD) || (current->p_pptr->pid != p->pid))) {
-#endif
if (!capable(CAP_KILL_PROTECTED)) {
lids_security_alert("Attempt to kill pid=%d with sig=%d",p->pid,sig);
return -1;
Index: lsm-2.5/security/lids/lids_init.c
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/lids/lids_init.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 lids_init.c
--- lsm-2.5/security/lids/lids_init.c 26 Aug 2002 11:25:09 -0000 1.1.1.4
+++ lsm-2.5/security/lids/lids_init.c 16 Dec 2002 15:16:08 -0000
@@ -224,7 +224,7 @@
*ino=simple_strtoul(ino_str,0,0);
*dev= (kdev_t){simple_strtoul(dev_str,0,0)};
if ((*ino != d_file->d_inode->i_ino) ||
- (!kdev_same(*dev, to_kdev_t(d_file->d_inode->i_dev)))) {
+ (!kdev_same(*dev, to_kdev_t(d_file->d_inode->i_sb->s_dev)))) {
LIDS_DBG("now=%p\n",d_file);
printk("LIDS: [%s] dev/inode in lids.conf seems wrong\n",q);
}
@@ -643,10 +643,8 @@
int finished=0;
int error = 0;
_lids_data_t *data=&lids_data[(lids_current&1)^1];
-#ifndef CONFIG_LIDS_ALLOW_ANY_PROG_SWITCH
struct dentry *dentry;
struct nameidata nd;
-#endif
/* Get lidsadm dev/inode */
@@ -666,14 +664,8 @@
memset(data->fastguess,0,sizeof(data->fastguess));
-#ifndef CONFIG_LIDS_ALLOW_ANY_PROG_SWITCH
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,6)
error = path_lookup(LIDS_ADM_PATH, LOOKUP_FOLLOW,&nd);
-#else
- if (path_init(LIDS_ADM_PATH, LOOKUP_FOLLOW|LOOKUP_POSITIVE,&nd))
- error = path_walk(LIDS_ADM_PATH,&nd);
-#endif
+
if (error)
return -1;
/*
@@ -689,7 +681,7 @@
}
else {
if (!dentry->d_inode ||
- !dentry->d_inode->i_dev ||
+ !dentry->d_inode->i_sb->s_dev ||
!dentry->d_inode->i_ino) {
printk("LIDS: something wrong with " LIDS_ADM_PATH "\n");
lidsadm.ino = 0;
@@ -697,11 +689,11 @@
}
else {
lidsadm.ino = dentry->d_inode->i_ino;
- lidsadm.dev = to_kdev_t(dentry->d_inode->i_dev);
+ lidsadm.dev = to_kdev_t(dentry->d_inode->i_sb->s_dev);
}
}
path_release(&nd);
-#endif
+
/* Now, try to read lids.conf */
/* if ( init_add_file(LIDS_CONF_DIR,data) < 0 ) {
Index: lsm-2.5/security/lids/lids_logs.c
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/lids/lids_logs.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 lids_logs.c
--- lsm-2.5/security/lids/lids_logs.c 13 Dec 2002 21:01:27 -0000 1.1.1.4
+++ lsm-2.5/security/lids/lids_logs.c 16 Dec 2002 15:16:08 -0000
@@ -99,8 +99,8 @@
strncpy(progname,f_dentry->d_iname,63);
snprintf(proginfo,127,"%s (dev %d:%d inode %ld)",
progname,
- MAJOR(f_dentry->d_inode->i_dev),
- MINOR(f_dentry->d_inode->i_dev),
+ MAJOR(f_dentry->d_inode->i_sb->s_dev),
+ MINOR(f_dentry->d_inode->i_sb->s_dev),
f_dentry->d_inode->i_ino);
}
else {
@@ -110,11 +110,7 @@
/* Make the message string */
vsnprintf(msgstr,255,message,args);
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,7)
parent_pid = current->parent->pid;
-#else
- parent_pid = current->p_pptr->pid,
-#endif
/* Make the log string */
lids_print("LIDS: %s pid %d ppid %d uid/gid (%d/%d) on (%s) : %s %s\n",
Index: lsm-2.5/security/lids/lids_lsm.c
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/lids/lids_lsm.c,v
retrieving revision 1.1.1.6
diff -u -r1.1.1.6 lids_lsm.c
--- lsm-2.5/security/lids/lids_lsm.c 13 Dec 2002 21:01:27 -0000 1.1.1.6
+++ lsm-2.5/security/lids/lids_lsm.c 16 Dec 2002 15:16:08 -0000
@@ -25,31 +25,6 @@
struct security_operations *lids_secondary_ops;
-static int lids_sethostname (char *hostname)
-{
- return 0;
-}
-
-static int lids_setdomainname (char *domainname)
-{
- return 0;
-}
-
-static int lids_reboot (unsigned int cmd)
-{
- return 0;
-}
-
-static int lids_ioperm (unsigned long from, unsigned long num, int turn_on)
-{
- return 0;
-}
-
-static int lids_iopl (unsigned int old, unsigned int level)
-{
- return 0;
-}
-
static int lids_ptrace (struct task_struct *parent, struct task_struct *child)
{
return 0;
@@ -96,27 +71,6 @@
return -EPERM;
}
-static int lids_sysctl (ctl_table * table, int op)
-{
- return 0;
-}
-
-static int lids_sys_security (unsigned int id, unsigned int call,
- unsigned long *args)
-{
- return -ENOSYS;
-}
-
-static int lids_swapon (struct swap_info_struct *swap)
-{
- return 0;
-}
-
-static int lids_swapoff (struct swap_info_struct *swap)
-{
- return 0;
-}
-
static int lids_quotactl (int cmds, int type, int id, struct super_block *sb)
{
return 0;
@@ -127,33 +81,7 @@
return 0;
}
-static int lids_syslog (int type)
-{
- return 0;
-}
-
-static int lids_settime (struct timeval *tv, struct timezone *tz)
-{
- return 0;
-}
-
-static int lids_netlink_send (struct sk_buff *skb)
-{
- if (current->euid == 0)
- cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
- else
- NETLINK_CB (skb).eff_cap = 0;
- return 0;
-}
-
-static int lids_netlink_recv (struct sk_buff *skb)
-{
- if (!cap_raised (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN))
- return -EPERM;
- return 0;
-}
-
-static int lids_binprm_alloc_security (struct linux_binprm *bprm)
+static int lids_bprm_alloc_security (struct linux_binprm *bprm)
{
int rc=0;
@@ -163,21 +91,21 @@
return rc;
}
-static void lids_binprm_free_security (struct linux_binprm *bprm)
+static void lids_bprm_free_security (struct linux_binprm *bprm)
{
if (lids_secondary_ops)
lids_secondary_ops->bprm_free_security(bprm);
return;
}
-static void lids_binprm_compute_creds (struct linux_binprm *bprm)
+static void lids_bprm_compute_creds (struct linux_binprm *bprm)
{
if (lids_secondary_ops)
lids_secondary_ops->bprm_compute_creds(bprm);
return;
}
-static int lids_binprm_set_security (struct linux_binprm *bprm)
+static int lids_bprm_set_security (struct linux_binprm *bprm)
{
int rc=0;
@@ -187,7 +115,7 @@
return rc;
}
-static int lids_binprm_check_security (struct linux_binprm *bprm)
+static int lids_bprm_check_security (struct linux_binprm *bprm)
{
/* do the do_execve here */
if(copy_lids_acls(bprm))
@@ -205,11 +133,6 @@
return;
}
-static int lids_sb_kern_mount (struct super_block *sb)
-{
- return 0;
-}
-
static int lids_sb_statfs (struct super_block *sb)
{
return 0;
@@ -513,7 +436,7 @@
static int lids_inode_permission_lite (struct inode *inode, int mask)
{
- return -EAGAIN;
+ return 0;
}
static int lids_inode_setattr (struct dentry *dentry, struct iattr *iattr)
@@ -542,7 +465,6 @@
return;
}
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,2)
static int lids_inode_setxattr (struct dentry *dentry, char *name, void *value,
size_t size, int flags)
{
@@ -563,7 +485,6 @@
{
return 0;
}
-#endif
static int lids_file_permission (struct file *file, int mask)
{
@@ -734,196 +655,15 @@
static void lids_task_reparent_to_init (struct task_struct *p)
{
+ p->euid = p->fsuid = 0;
return;
}
-static void lids_ip_fragment (struct sk_buff *newskb,
- const struct sk_buff *oldskb)
-{
- return;
-}
-
-static int lids_ip_defragment (struct sk_buff *skb)
-{
- return 0;
-}
-
-static void lids_ip_decapsulate (struct sk_buff *skb)
-{
- return;
-}
-
-static void lids_ip_encapsulate (struct sk_buff *skb)
-{
- return;
-}
-
-static int lids_ip_decode_options (struct sk_buff *skb, const char *optptr,
- unsigned char **pp_ptr)
-{
- if (!skb && !capable (CAP_NET_RAW)) {
- (const unsigned char *) *pp_ptr = optptr;
- return -EPERM;
- }
- return 0;
-}
-
-static void lids_netdev_unregister (struct net_device *dev)
-{
- return;
-}
-
-static int lids_socket_create (int family, int type, int protocol)
-{
- return 0;
-}
-
-static void lids_socket_post_create (struct socket *sock, int family, int type,
- int protocol)
-{
- return;
-}
-
-static int lids_socket_bind (struct socket *sock, struct sockaddr *address,
- int addrlen)
-{
- return 0;
-}
-
-static int lids_socket_connect (struct socket *sock, struct sockaddr *address,
- int addrlen)
-{
- return 0;
-}
-
-static int lids_socket_listen (struct socket *sock, int backlog)
-{
- return 0;
-}
-
-static int lids_socket_accept (struct socket *sock, struct socket *newsock)
-{
- return 0;
-}
-
-static void lids_socket_post_accept (struct socket *sock,
- struct socket *newsock)
-{
- return;
-}
-
-static int lids_socket_sendmsg (struct socket *sock, struct msghdr *msg,
- int size)
-{
- return 0;
-}
-
-static int lids_socket_recvmsg (struct socket *sock, struct msghdr *msg,
- int size, int flags)
-{
- return 0;
-}
-
-static int lids_socket_getsockname (struct socket *sock)
-{
- return 0;
-}
-
-static int lids_socket_getpeername (struct socket *sock)
-{
- return 0;
-}
-
-static int lids_socket_setsockopt (struct socket *sock, int level, int optname)
-{
- return 0;
-}
-
-static int lids_socket_getsockopt (struct socket *sock, int level, int optname)
-{
- return 0;
-}
-
-static int lids_socket_shutdown (struct socket *sock, int how)
-{
- return 0;
-}
-
-static int lids_socket_sock_alloc_security (struct sock *sk, int gfp_mask)
-{
- return 0;
-}
-
-static void lids_socket_sock_free_security (struct sock *sk)
-{
- return;
-}
-
-static int lids_sock_rcv_skb (struct sock *sk, struct sk_buff *skb)
-{
- return 0;
-}
-
-static int lids_open_request_alloc_security (struct open_request *req)
-{
- return 0;
-}
-
-static void lids_open_request_free_security (struct open_request *req)
-{
- return;
-}
-
-static void lids_tcp_connection_request (struct sock *sk,
- struct sk_buff *skb,
- struct open_request *req)
-{
- return;
-}
-
-static void lids_tcp_synack (struct sock *sk, struct sk_buff *skb,
- struct open_request *req)
-{
- return;
-}
-
-
-static void lids_tcp_create_openreq_child (struct sock *sk,
- struct sock *newsk,
- struct sk_buff *skb,
- struct open_request *req)
-{
- return;
-}
-
-static int lids_socket_unix_stream_connect (struct socket *sock,
- struct socket *other,
- struct sock *newsk)
-{
- return 0;
-}
-
-static int lids_socket_unix_may_send (struct socket *sock,
- struct socket *other)
-{
- return 0;
-}
-
static int lids_ipc_permission (struct kern_ipc_perm *ipcp, short flag)
{
return 0;
}
-static int lids_msg_msg_alloc_security (struct msg_msg *msg)
-{
- return 0;
-}
-
-static void lids_msg_msg_free_security (struct msg_msg *msg)
-{
- return;
-}
-
static int lids_msg_queue_alloc_security (struct msg_queue *msq)
{
return 0;
@@ -934,30 +674,6 @@
return;
}
-static int lids_msg_queue_associate (struct msg_queue *msq,
- int msqflg)
-{
- return 0;
-}
-
-static int lids_msg_queue_msgctl (struct msg_queue *msq, int cmd)
-{
- return 0;
-}
-
-static int lids_msg_queue_msgsnd (struct msg_queue *msq, struct msg_msg *msg,
- int msgflg)
-{
- return 0;
-}
-
-static int lids_msg_queue_msgrcv (struct msg_queue *msq, struct msg_msg *msg,
- struct task_struct *target, long type,
- int mode)
-{
- return 0;
-}
-
static int lids_shm_alloc_security (struct shmid_kernel *shp)
{
return 0;
@@ -968,22 +684,6 @@
return;
}
-static int lids_shm_associate (struct shmid_kernel *shp, int shmflg)
-{
- return 0;
-}
-
-static int lids_shm_shmctl (struct shmid_kernel *shp, int cmd)
-{
- return 0;
-}
-
-static int lids_shm_shmat (struct shmid_kernel *shp, char *shmaddr,
- int shmflg)
-{
- return 0;
-}
-
static int lids_sem_alloc_security (struct sem_array *sma)
{
return 0;
@@ -994,49 +694,6 @@
return;
}
-static int lids_sem_associate (struct sem_array *sma, int semflg)
-{
- return 0;
-}
-
-static int lids_sem_semctl (struct sem_array *sma, int cmd)
-{
- return 0;
-}
-
-static int lids_skb_alloc_security (struct sk_buff *skb, int gfp_mask)
-{
- return 0;
-}
-
-static int lids_skb_clone (struct sk_buff *newskb,
- const struct sk_buff *oldskb)
-{
- return 0;
-}
-
-static void lids_skb_copy (struct sk_buff *newskb,
- const struct sk_buff *oldskb)
-{
- return;
-}
-
-static void lids_skb_set_owner_w (struct sk_buff *skb, struct sock *sk)
-{
- return;
-}
-
-static void lids_skb_recv_datagram (struct sk_buff *skb, struct sock *sk,
- unsigned flags)
-{
- return;
-}
-
-static void lids_skb_free_security (struct sk_buff *skb)
-{
- return;
-}
-
static int lids_register (const char *name, struct security_operations *ops)
{
if (lids_secondary_ops !=NULL) {
@@ -1058,7 +715,6 @@
printk(KERN_NOTICE "LIDS: no secondary module %s.\n", name);
return -EINVAL;
}else if (ops == lids_secondary_ops) {
- lids_secondary_ops = NULL;
printk(KERN_NOTICE "LIDS: unregistering module %s.\n", name);
return 0;
}
@@ -1067,179 +723,109 @@
}
struct security_operations lids_security_ops = {
- sethostname: lids_sethostname,
- setdomainname: lids_setdomainname,
- reboot: lids_reboot,
- ioperm: lids_ioperm,
- iopl: lids_iopl,
- ptrace: lids_ptrace,
- capget: lids_capget,
- capset_check: lids_capset_check,
- capset_set: lids_capset_set,
- acct: lids_acct,
- capable: lids_capable,
- sysctl: lids_sysctl,
- sys_security: lids_sys_security,
- swapon: lids_swapon,
- swapoff: lids_swapoff,
- quotactl: lids_quotactl,
- quota_on: lids_quota_on,
- syslog: lids_syslog,
- settime: lids_settime,
-
- netlink_send: lids_netlink_send,
- netlink_recv: lids_netlink_recv,
-
- unix_stream_connect: lids_socket_unix_stream_connect,
- unix_may_send: lids_socket_unix_may_send,
-
- bprm_alloc_security: lids_binprm_alloc_security,
- bprm_free_security: lids_binprm_free_security,
- bprm_compute_creds: lids_binprm_compute_creds,
- bprm_set_security: lids_binprm_set_security,
- bprm_check_security: lids_binprm_check_security,
+ .ptrace = lids_ptrace,
+ .capget = lids_capget,
+ .capset_check = lids_capset_check,
+ .capset_set = lids_capset_set,
+ .acct = lids_acct,
+ .capable = lids_capable,
+ .quotactl = lids_quotactl,
+ .quota_on = lids_quota_on,
+
+ .bprm_alloc_security = lids_bprm_alloc_security,
+ .bprm_free_security = lids_bprm_free_security,
+ .bprm_compute_creds = lids_bprm_compute_creds,
+ .bprm_set_security = lids_bprm_set_security,
+ .bprm_check_security = lids_bprm_check_security,
+
+ .sb_alloc_security = lids_sb_alloc_security,
+ .sb_free_security = lids_sb_free_security,
+ .sb_statfs = lids_sb_statfs,
+ .sb_mount = lids_mount,
+ .sb_check_sb = lids_check_sb,
+ .sb_umount = lids_umount,
+ .sb_umount_close = lids_umount_close,
+ .sb_umount_busy = lids_umount_busy,
+ .sb_post_remount = lids_post_remount,
+ .sb_post_mountroot = lids_post_mountroot,
+ .sb_post_addmount = lids_post_addmount,
+ .sb_pivotroot = lids_pivotroot,
+ .sb_post_pivotroot = lids_post_pivotroot,
+
+ .inode_alloc_security = lids_inode_alloc_security,
+ .inode_free_security = lids_inode_free_security,
+ .inode_create = lids_inode_create,
+ .inode_post_create = lids_inode_post_create,
+ .inode_link = lids_inode_link,
+ .inode_post_link = lids_inode_post_link,
+ .inode_unlink = lids_inode_unlink,
+ .inode_symlink = lids_inode_symlink,
+ .inode_post_symlink = lids_inode_post_symlink,
+ .inode_mkdir = lids_inode_mkdir,
+ .inode_post_mkdir = lids_inode_post_mkdir,
+ .inode_rmdir = lids_inode_rmdir,
+ .inode_mknod = lids_inode_mknod,
+ .inode_post_mknod = lids_inode_post_mknod,
+ .inode_rename = lids_inode_rename,
+ .inode_post_rename = lids_inode_post_rename,
+ .inode_readlink = lids_inode_readlink,
+ .inode_follow_link = lids_inode_follow_link,
+ .inode_permission = lids_inode_permission,
+ .inode_permission_lite = lids_inode_permission_lite,
+ .inode_setattr = lids_inode_setattr,
+ .inode_getattr = lids_inode_getattr,
+ .inode_post_lookup = lids_post_lookup,
+ .inode_delete = lids_delete,
+ .inode_setxattr = lids_inode_setxattr,
+ .inode_getxattr = lids_inode_getxattr,
+ .inode_listxattr = lids_inode_listxattr,
+ .inode_removexattr = lids_inode_removexattr,
+
+ .file_permission = lids_file_permission,
+ .file_alloc_security = lids_file_alloc_security,
+ .file_free_security = lids_file_free_security,
+ .file_ioctl = lids_file_ioctl,
+ .file_mmap = lids_file_mmap,
+ .file_mprotect = lids_file_mprotect,
+ .file_lock = lids_file_lock,
+ .file_fcntl = lids_file_fcntl,
+ .file_set_fowner = lids_file_set_fowner,
+ .file_send_sigiotask = lids_file_send_sigiotask,
+ .file_receive = lids_file_receive,
+
+ .task_create = lids_task_create,
+ .task_alloc_security = lids_task_alloc_security,
+ .task_free_security = lids_task_free_security,
+ .task_setuid = lids_task_setuid,
+ .task_post_setuid = lids_task_post_setuid,
+ .task_setgid = lids_task_setgid,
+ .task_setpgid = lids_task_setpgid,
+ .task_getpgid = lids_task_getpgid,
+ .task_getsid = lids_task_getsid,
+ .task_setgroups = lids_task_setgroups,
+ .task_setnice = lids_task_setnice,
+ .task_setrlimit = lids_task_setrlimit,
+ .task_setscheduler = lids_task_setscheduler,
+ .task_getscheduler = lids_task_getscheduler,
+ .task_wait = lids_task_wait,
+ .task_kill = lids_task_kill,
+ .task_prctl = lids_task_prctl,
+ .task_kmod_set_label = lids_task_kmod_set_label,
+ .task_reparent_to_init = lids_task_reparent_to_init,
+
+ .ipc_permission = lids_ipc_permission,
+
+ .msg_queue_alloc_security = lids_msg_queue_alloc_security,
+ .msg_queue_free_security = lids_msg_queue_free_security,
- sb_alloc_security: lids_sb_alloc_security,
- sb_free_security: lids_sb_free_security,
- sb_kern_mount: lids_sb_kern_mount,
- sb_statfs: lids_sb_statfs,
- sb_mount: lids_mount,
- sb_check_sb: lids_check_sb,
- sb_umount: lids_umount,
- sb_umount_close: lids_umount_close,
- sb_umount_busy: lids_umount_busy,
- sb_post_remount: lids_post_remount,
- sb_post_mountroot: lids_post_mountroot,
- sb_post_addmount: lids_post_addmount,
- sb_pivotroot: lids_pivotroot,
- sb_post_pivotroot: lids_post_pivotroot,
+ .shm_alloc_security = lids_shm_alloc_security,
+ .shm_free_security = lids_shm_free_security,
- inode_alloc_security: lids_inode_alloc_security,
- inode_free_security: lids_inode_free_security,
- inode_create: lids_inode_create,
- inode_post_create: lids_inode_post_create,
- inode_link: lids_inode_link,
- inode_post_link: lids_inode_post_link,
- inode_unlink: lids_inode_unlink,
- inode_symlink: lids_inode_symlink,
- inode_post_symlink: lids_inode_post_symlink,
- inode_mkdir: lids_inode_mkdir,
- inode_post_mkdir: lids_inode_post_mkdir,
- inode_rmdir: lids_inode_rmdir,
- inode_mknod: lids_inode_mknod,
- inode_post_mknod: lids_inode_post_mknod,
- inode_rename: lids_inode_rename,
- inode_post_rename: lids_inode_post_rename,
- inode_readlink: lids_inode_readlink,
- inode_follow_link: lids_inode_follow_link,
- inode_permission: lids_inode_permission,
- inode_permission_lite: lids_inode_permission_lite,
- inode_setattr: lids_inode_setattr,
- inode_getattr: lids_inode_getattr,
- inode_post_lookup: lids_post_lookup,
- inode_delete: lids_delete,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,2)
- inode_setxattr: lids_inode_setxattr,
- inode_getxattr: lids_inode_getxattr,
- inode_listxattr: lids_inode_listxattr,
- inode_removexattr: lids_inode_removexattr,
-#endif
-
- file_permission: lids_file_permission,
- file_alloc_security: lids_file_alloc_security,
- file_free_security: lids_file_free_security,
- file_ioctl: lids_file_ioctl,
- file_mmap: lids_file_mmap,
- file_mprotect: lids_file_mprotect,
- file_lock: lids_file_lock,
- file_fcntl: lids_file_fcntl,
- file_set_fowner: lids_file_set_fowner,
- file_send_sigiotask: lids_file_send_sigiotask,
- file_receive: lids_file_receive,
-
- task_create: lids_task_create,
- task_alloc_security: lids_task_alloc_security,
- task_free_security: lids_task_free_security,
- task_setuid: lids_task_setuid,
- task_post_setuid: lids_task_post_setuid,
- task_setgid: lids_task_setgid,
- task_setpgid: lids_task_setpgid,
- task_getpgid: lids_task_getpgid,
- task_getsid: lids_task_getsid,
- task_setgroups: lids_task_setgroups,
- task_setnice: lids_task_setnice,
- task_setrlimit: lids_task_setrlimit,
- task_setscheduler: lids_task_setscheduler,
- task_getscheduler: lids_task_getscheduler,
- task_wait: lids_task_wait,
- task_kill: lids_task_kill,
- task_prctl: lids_task_prctl,
- task_kmod_set_label: lids_task_kmod_set_label,
- task_reparent_to_init: lids_task_reparent_to_init,
-
- socket_create: lids_socket_create,
- socket_post_create: lids_socket_post_create,
- socket_bind: lids_socket_bind,
- socket_connect: lids_socket_connect,
- socket_listen: lids_socket_listen,
- socket_accept: lids_socket_accept,
- socket_post_accept: lids_socket_post_accept,
- socket_sendmsg: lids_socket_sendmsg,
- socket_recvmsg: lids_socket_recvmsg,
- socket_getsockname: lids_socket_getsockname,
- socket_getpeername: lids_socket_getpeername,
- socket_getsockopt: lids_socket_getsockopt,
- socket_setsockopt: lids_socket_setsockopt,
- socket_shutdown: lids_socket_shutdown,
- socket_sock_alloc_security: lids_socket_sock_alloc_security,
- socket_sock_free_security: lids_socket_sock_free_security,
- socket_sock_rcv_skb: lids_sock_rcv_skb,
- open_request_alloc_security: lids_open_request_alloc_security,
- open_request_free_security: lids_open_request_free_security,
- tcp_connection_request: lids_tcp_connection_request,
- tcp_synack: lids_tcp_synack,
- tcp_create_openreq_child: lids_tcp_create_openreq_child,
-
- skb_alloc_security: lids_skb_alloc_security,
- skb_clone: lids_skb_clone,
- skb_copy: lids_skb_copy,
- skb_set_owner_w: lids_skb_set_owner_w,
- skb_recv_datagram: lids_skb_recv_datagram,
- skb_free_security: lids_skb_free_security,
-
- ip_fragment: lids_ip_fragment,
- ip_defragment: lids_ip_defragment,
- ip_encapsulate: lids_ip_encapsulate,
- ip_decapsulate: lids_ip_decapsulate,
- ip_decode_options: lids_ip_decode_options,
-
- ipc_permission: lids_ipc_permission,
-
- netdev_unregister: lids_netdev_unregister,
-
- msg_msg_alloc_security: lids_msg_msg_alloc_security,
- msg_msg_free_security: lids_msg_msg_free_security,
+ .sem_alloc_security = lids_sem_alloc_security,
+ .sem_free_security = lids_sem_free_security,
- msg_queue_alloc_security: lids_msg_queue_alloc_security,
- msg_queue_free_security: lids_msg_queue_free_security,
- msg_queue_associate: lids_msg_queue_associate,
- msg_queue_msgctl: lids_msg_queue_msgctl,
- msg_queue_msgsnd: lids_msg_queue_msgsnd,
- msg_queue_msgrcv: lids_msg_queue_msgrcv,
-
- shm_alloc_security: lids_shm_alloc_security,
- shm_free_security: lids_shm_free_security,
- shm_associate: lids_shm_associate,
- shm_shmctl: lids_shm_shmctl,
- shm_shmat: lids_shm_shmat,
-
- sem_alloc_security: lids_sem_alloc_security,
- sem_free_security: lids_sem_free_security,
- sem_associate: lids_sem_associate,
- sem_semctl: lids_sem_semctl,
-
- register_security: lids_register,
- unregister_security: lids_unregister,
+ .register_security = lids_register,
+ .unregister_security = lids_unregister,
};
extern void setup_lids_module(void);
Index: lsm-2.5/security/lids/lids_sysctl.c
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/lids/lids_sysctl.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 lids_sysctl.c
--- lsm-2.5/security/lids/lids_sysctl.c 26 Aug 2002 11:25:09 -0000 1.1.1.3
+++ lsm-2.5/security/lids/lids_sysctl.c 16 Dec 2002 15:16:08 -0000
@@ -45,9 +45,7 @@
-#ifndef CONFIG_LIDS_ALLOW_ANY_PROG_SWITCH
struct allowed_ino lidsadm;
-#endif
/***********************************************************************
@@ -115,17 +113,23 @@
lids_flag_lower(lids_flags,LIDS_FLAGS_LIDS_ON);
}
if ( lids_local_on != (lids_flag_raised(flags,LIDS_FLAGS_LIDS_LOCAL_ON) != 0) ) {
+ #if 1
+ lids_load=(lids_flag_raised(flags,LIDS_FLAGS_LIDS_LOCAL_ON) != 0);
+ lids_security_alert("LIDS switched to %i",lids_load);
+ if (lids_load)
+ lids_flag_raise(lids_flags,LIDS_FLAGS_LIDS_LOCAL_ON);
+ else
+ lids_flag_lower(lids_flags,LIDS_FLAGS_LIDS_LOCAL_ON);
+ #endif
+ #if 0
lids_local_on=(lids_flag_raised(flags,LIDS_FLAGS_LIDS_LOCAL_ON) != 0); /* XXX: Race condition here. We must first assign the PID */
lids_security_alert("LIDS locally switched to %i",lids_local_on);
if (lids_local_on) {
lids_flag_raise(lids_flags,LIDS_FLAGS_LIDS_LOCAL_ON);
}
else {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,7)
lids_local_pid=current->parent->pid;
-#else
- lids_local_pid=current->p_pptr->pid;
-#endif
+
if (lids_local_pid == 1) { /* this doesn't apply to init */
printk("Can't give local lids deactivation to init!!\n");
lids_flag_raise(lids_flags,LIDS_FLAGS_LIDS_LOCAL_ON);
@@ -134,6 +138,7 @@
else
lids_flag_lower(lids_flags,LIDS_FLAGS_LIDS_LOCAL_ON); /* should not be necessary */
}
+ #endif
}
#else
if (!lids_flag_raised(flags,LIDS_FLAGS_LIDS_ON)) {
@@ -226,7 +231,6 @@
}
#endif /* CONFIG_LIDS_RESTRICT_MODE_SWITCH */
-#ifndef CONFIG_LIDS_ALLOW_ANY_PROG_SWITCH
{
struct vm_area_struct * vma;
unsigned long ino;
@@ -241,7 +245,7 @@
vma->vm_file && vma->vm_file->f_dentry &&
vma->vm_file->f_dentry->d_inode) {
ino=vma->vm_file->f_dentry->d_inode->i_ino;
- dev=HASHDEV(to_kdev_t(vma->vm_file->f_dentry->d_inode->i_dev));
+ dev=HASHDEV(to_kdev_t(vma->vm_file->f_dentry->d_inode->i_sb->s_dev));
break;
}
vma = vma->vm_next;
@@ -253,7 +257,6 @@
return -EPERM;
}
}
-#endif
/* second: check wether it is not a timeout period after two many failed attempts */
if (wait_after_fail) {
Index: lsm-2.5/security/lids/include/linux/lids.h
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/lids/include/linux/lids.h,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 lids.h
--- lsm-2.5/security/lids/include/linux/lids.h 26 Aug 2002 11:25:09 -0000 1.1.1.3
+++ lsm-2.5/security/lids/include/linux/lids.h 16 Dec 2002 15:16:08 -0000
@@ -10,6 +10,7 @@
#include <linux/sysctl.h>
#include <linux/slab.h>
#include <linux/tty.h>
+#include <linux/binfmts.h>
#include "lidsext.h"
#include "lidsif.h"
@@ -18,7 +19,7 @@
#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
#endif
-#define LIDS_VERSION "2.0.1pre4"
+#define LIDS_VERSION "2.0.2pre2"
/* FIXME: some more externals in kernel/signal.c and kernel/sysctl.c */
typedef struct
Index: lsm-2.5/security/lids/include/linux/lidsext.h
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.5/security/lids/include/linux/lidsext.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 lidsext.h
--- lsm-2.5/security/lids/include/linux/lidsext.h 13 Dec 2002 21:01:27 -0000 1.1.1.2
+++ lsm-2.5/security/lids/include/linux/lidsext.h 16 Dec 2002 15:16:08 -0000
@@ -29,7 +29,7 @@
#define LIDS_STR(X) LIDS_STR2(X)
#ifdef LIDS_DEBUG
-#define LIDS_DBG(format, args...) printk(KERN_DEBUG "LIDS.%s.l" LIDS_STR(__LINE__) ": " format, __FUNCTION__ , ##args)
+#define LIDS_DBG(msg...) printk(KERN_DEBUG "LIDS." __FUNCTION__ ".l" LIDS_STR(__LINE__) ": " ##msg)
#else
#define LIDS_DBG(msg...)
#endif
[-- Attachment #3: selinux-2.5.patch --]
[-- Type: TEXT/plain, Size: 9015 bytes --]
Index: lsm-2.5/Makefile
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/Makefile,v
retrieving revision 1.42
diff -u -r1.42 Makefile
--- lsm-2.5/Makefile 10 Dec 2002 14:38:47 -0000 1.42
+++ lsm-2.5/Makefile 16 Dec 2002 15:23:47 -0000
@@ -1,7 +1,7 @@
VERSION = 2
PATCHLEVEL = 5
SUBLEVEL = 51
-EXTRAVERSION = -lsm1
+EXTRAVERSION = -selinux
# *DOCUMENTATION*
# To see a list of typical targets execute "make help"
Index: lsm-2.5/arch/i386/defconfig
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/arch/i386/defconfig,v
retrieving revision 1.1.1.18
diff -u -r1.1.1.18 defconfig
--- lsm-2.5/arch/i386/defconfig 21 Oct 2002 20:40:23 -0000 1.1.1.18
+++ lsm-2.5/arch/i386/defconfig 16 Dec 2002 15:23:47 -0000
@@ -401,7 +401,7 @@
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
-# CONFIG_NETFILTER is not set
+CONFIG_NETFILTER=y
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
@@ -1169,3 +1169,13 @@
CONFIG_X86_SMP=y
CONFIG_X86_HT=y
CONFIG_X86_BIOS_REBOOT=y
+
+#
+# Security options
+#
+CONFIG_SECURITY=y
+CONFIG_SECURITY_CAPABILITIES=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_DEVELOP=y
+CONFIG_SECURITY_SELINUX_NSID=y
+CONFIG_SECURITY_SELINUX_SELOPT=y
Index: lsm-2.5/fs/dcache.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/fs/dcache.c,v
retrieving revision 1.1.1.18
diff -u -r1.1.1.18 dcache.c
--- lsm-2.5/fs/dcache.c 25 Nov 2002 13:30:33 -0000 1.1.1.18
+++ lsm-2.5/fs/dcache.c 16 Dec 2002 15:23:47 -0000
@@ -25,6 +25,7 @@
#include <linux/module.h>
#include <linux/mount.h>
#include <asm/uaccess.h>
+#include <linux/security.h>
#define DCACHE_PARANOIA 1
/* #define DCACHE_DEBUG 1 */
@@ -699,6 +700,8 @@
void d_instantiate(struct dentry *entry, struct inode * inode)
{
if (!list_empty(&entry->d_alias)) BUG();
+ if (inode)
+ security_inode_init(inode);
spin_lock(&dcache_lock);
if (inode)
list_add(&entry->d_alias, &inode->i_dentry);
Index: lsm-2.5/fs/pipe.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/fs/pipe.c,v
retrieving revision 1.1.1.12
diff -u -r1.1.1.12 pipe.c
--- lsm-2.5/fs/pipe.c 19 Nov 2002 14:18:29 -0000 1.1.1.12
+++ lsm-2.5/fs/pipe.c 16 Dec 2002 15:23:47 -0000
@@ -15,6 +15,7 @@
#include <linux/pipe_fs_i.h>
#include <asm/uaccess.h>
#include <asm/ioctls.h>
+#include <linux/security.h>
/*
* We use a start+len construction, which provides full use of the
@@ -529,6 +530,7 @@
inode->i_gid = current->fsgid;
inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
inode->i_blksize = PAGE_SIZE;
+ security_inode_init(inode);
return inode;
fail_iput:
Index: lsm-2.5/fs/devpts/inode.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/fs/devpts/inode.c,v
retrieving revision 1.1.1.9
diff -u -r1.1.1.9 inode.c
--- lsm-2.5/fs/devpts/inode.c 19 Nov 2002 14:20:22 -0000 1.1.1.9
+++ lsm-2.5/fs/devpts/inode.c 16 Dec 2002 15:23:47 -0000
@@ -16,6 +16,7 @@
#include <linux/sched.h>
#include <linux/namei.h>
#include <linux/mount.h>
+#include <linux/security.h>
#define DEVPTS_SUPER_MAGIC 0x1cd1
@@ -142,6 +143,7 @@
inode->i_gid = config.setgid ? config.gid : current->fsgid;
inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME;
init_special_inode(inode, S_IFCHR|config.mode, device);
+ security_inode_init(inode);
dentry = get_node(number);
if (!IS_ERR(dentry) && !dentry->d_inode)
Index: lsm-2.5/include/linux/security.h
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/include/linux/security.h,v
retrieving revision 1.30
diff -u -r1.30 security.h
--- lsm-2.5/include/linux/security.h 4 Dec 2002 21:58:27 -0000 1.30
+++ lsm-2.5/include/linux/security.h 16 Dec 2002 15:23:47 -0000
@@ -1205,6 +1205,7 @@
int (*inode_alloc_security) (struct inode *inode);
void (*inode_free_security) (struct inode *inode);
+ void (*inode_init) (struct inode * inode);
int (*inode_create) (struct inode *dir,
struct dentry *dentry, int mode);
void (*inode_post_create) (struct inode *dir,
@@ -1613,6 +1614,11 @@
{
security_ops->inode_free_security (inode);
}
+
+static inline void security_inode_init (struct inode *inode)
+{
+ security_ops->inode_init (inode);
+}
static inline int security_inode_create (struct inode *dir,
struct dentry *dentry,
@@ -2480,6 +2486,9 @@
}
static inline void security_inode_free (struct inode *inode)
+{ }
+
+static inline void security_inode_init (struct inode *inode)
{ }
static inline int security_inode_create (struct inode *dir,
Index: lsm-2.5/init/main.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/init/main.c,v
retrieving revision 1.23
diff -u -r1.23 main.c
--- lsm-2.5/init/main.c 10 Dec 2002 14:39:02 -0000 1.23
+++ lsm-2.5/init/main.c 16 Dec 2002 15:23:47 -0000
@@ -370,6 +370,10 @@
cpu_idle();
}
+#ifdef CONFIG_SECURITY_SELINUX
+extern void selinux_init(void);
+#endif
+
/*
* Activate the first processor.
*/
@@ -425,6 +429,9 @@
fork_init(num_physpages);
proc_caches_init();
security_scaffolding_startup();
+#ifdef CONFIG_SECURITY_SELINUX
+ selinux_init();
+#endif
buffer_init();
vfs_caches_init(num_physpages);
radix_tree_init();
Index: lsm-2.5/mm/shmem.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/mm/shmem.c,v
retrieving revision 1.1.1.22
diff -u -r1.1.1.22 shmem.c
--- lsm-2.5/mm/shmem.c 25 Nov 2002 13:35:14 -0000 1.1.1.22
+++ lsm-2.5/mm/shmem.c 16 Dec 2002 15:23:47 -0000
@@ -31,6 +31,7 @@
#include <linux/backing-dev.h>
#include <linux/shmem_fs.h>
#include <linux/mount.h>
+#include <linux/security.h>
#include <asm/uaccess.h>
@@ -1058,6 +1059,7 @@
case S_IFLNK:
break;
}
+ security_inode_init(inode);
}
return inode;
}
Index: lsm-2.5/net/netsyms.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/net/netsyms.c,v
retrieving revision 1.1.1.18
diff -u -r1.1.1.18 netsyms.c
--- lsm-2.5/net/netsyms.c 10 Dec 2002 14:02:35 -0000 1.1.1.18
+++ lsm-2.5/net/netsyms.c 16 Dec 2002 15:23:47 -0000
@@ -324,7 +324,8 @@
EXPORT_SYMBOL(xfrm_policy_list);
-#if defined (CONFIG_IPV6_MODULE) || defined (CONFIG_IP_SCTP_MODULE)
+#if defined (CONFIG_IPV6_MODULE) || defined (CONFIG_IP_SCTP_MODULE) || defined (CONFIG_SECURITY_SELINUX_SELOPT_MODULE)
+extern struct tcp_func ipv4_specific;
/* inet functions common to v4 and v6 */
EXPORT_SYMBOL(inet_release);
EXPORT_SYMBOL(inet_stream_connect);
Index: lsm-2.5/security/dummy.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/security/dummy.c,v
retrieving revision 1.30
diff -u -r1.30 dummy.c
--- lsm-2.5/security/dummy.c 13 Dec 2002 20:26:34 -0000 1.30
+++ lsm-2.5/security/dummy.c 16 Dec 2002 15:23:47 -0000
@@ -258,6 +258,11 @@
return;
}
+static void dummy_inode_init (struct inode *inode)
+{
+ return;
+}
+
static int dummy_inode_create (struct inode *inode, struct dentry *dentry,
int mask)
{
@@ -914,6 +919,7 @@
set_to_dummy_if_null(ops, sb_post_pivotroot);
set_to_dummy_if_null(ops, inode_alloc_security);
set_to_dummy_if_null(ops, inode_free_security);
+ set_to_dummy_if_null(ops, inode_init);
set_to_dummy_if_null(ops, inode_create);
set_to_dummy_if_null(ops, inode_post_create);
set_to_dummy_if_null(ops, inode_link);
Index: lsm-2.5/security/selinux/hooks.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/security/selinux/hooks.c,v
retrieving revision 1.84
diff -u -r1.84 hooks.c
--- lsm-2.5/security/selinux/hooks.c 3 Dec 2002 20:40:19 -0000 1.84
+++ lsm-2.5/security/selinux/hooks.c 16 Dec 2002 15:23:47 -0000
@@ -65,6 +65,8 @@
#include "selinux_plug.h"
#include "extsocket.h"
+#define _SELINUX_KERNEL_PATCH_
+
#ifndef _SELINUX_KERNEL_PATCH_
#warning "SELinux: The separate SELinux kernel patch has not been applied. Using SELinux without this patch is not recommended."
#endif
@@ -1919,6 +1921,18 @@
inode_free_security(inode);
}
+static void selinux_inode_init(struct inode *inode)
+{
+ struct super_block *sb = inode->i_sb;
+ if (sb) {
+ struct superblock_security_struct *sbsec = sb->s_security;
+ if (sbsec && sbsec->uses_genfs)
+ /* Defer to inode_post_lookup. */
+ return;
+ }
+ inode_doinit(inode);
+}
+
static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
{
return may_create(dir, dentry, SECCLASS_FILE);
@@ -4041,6 +4055,7 @@
inode_alloc_security: selinux_inode_alloc_security,
inode_free_security: selinux_inode_free_security,
+ inode_init: selinux_inode_init,
inode_create: selinux_inode_create,
inode_post_create: selinux_inode_post_create,
inode_link: selinux_inode_link,
^ permalink raw reply
* Re: [PATCH] Add CONFIG_ACPI_RELAXED_AML option
From: Carlos Morgado @ 2002-12-16 16:22 UTC (permalink / raw)
To: acpi-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
In-Reply-To: <20021216143410.21977.qmail-wdi6g2619JCA/QwVtaZbd3CJp6faPEW9@public.gmane.org>
On 2002.12.16 14:34:10 +0000 NoZizzing OrDripping wrote:
>
> BTW, Best Buy had the Toshiba Satellite 1115-S103 on
> sale for only $500 USD yesterday (after $600 in
> rebates and markdowns!). The new bar has been set,
> and these
> sub-$1000 laptops with buggy AML are going to continue
> to profilerate.
>
if people pay $500 for a laptop and then complain it doesn't
work you can always tell them they got what they paid for,
a quirky toy.
"quality" AMLs is not a question of price, it's a question
of vendor atitude
--
Carlos Morgado - chbm(at)chbm(dot)nu - http://chbm.nu/ -- gpgkey: 0x1FC57F0A
http://wwwkeys.pgp.net/ FP:0A27 35D3 C448 3641 0573 6876 2A37 4BB2 1FC5 7F0A
Software is like sex; it's better when it's free. - Linus Torvalds
-------------------------------------------------------
This sf.net email is sponsored by:
With Great Power, Comes Great Responsibility
Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
^ permalink raw reply
* "iptables: Invalid argument" with kernel 2.4.20
From: cees-bart @ 2002-12-16 16:25 UTC (permalink / raw)
To: netfilter
hi all,
by reading the iptables tutorial (version 1.1.11) i've constructed
a configuration that forwards a port on MYMACHINE to OTHERMACHINE:
# Generated by iptables-save v1.2.6a on Tue Nov 12 17:41:18 2002
*nat
:PREROUTING ACCEPT [221:38784]
:POSTROUTING ACCEPT [78:7025]
:OUTPUT ACCEPT [72:6769]
-A PREROUTING -d MYMACHINE -p udp -m udp --dport 27960 -j DNAT \
--to-destination OTHERMACHINE:30000
-A POSTROUTING -d OTHERMACHINE -p udp -m udp --dport 30000 -j SNAT \
--to-source MYMACHINE
-A OUTPUT -d MYMACHINE -p udp -m udp --dport 27960 -j DNAT \
--to-destination OTHERMACHINE:30000
COMMIT
# Completed on Tue Nov 12 17:41:18 2002
this setup works fine on kernel 2.4.19 with iptables 1.2.6a.
BUT, the last rule (OUTPUT) fails with message "iptables: Invalid
argument" when running under 2.4.20.
i tried iptables 1.2.7a as well, but the result is the same.
am i doing something wrong?
thnx,
cees-bart.
^ permalink raw reply
* Discovery II (was Re: Support for Arctic platform (405LP based))
From: Roland Dreier @ 2002-12-16 16:25 UTC (permalink / raw)
To: linuxppc-embedded
In-Reply-To: <20021216150839.GK6095@opus.bloom.county>
Tom> ... with the exception of the current gt64260 code, which
Tom> will hopefully get an update so that it could move
Tom> up-and-out. But no promises there.
This reminds me... can someone tell me what the status of Discovery II
(MV64340) is at the moment?
Thanks,
Roland
** Sent via the linuxppc-embedded mail list. See http://lists.linuxppc.org/
^ permalink raw reply
* Re: Linux v2.5.52
From: Christoph Hellwig @ 2002-12-16 16:36 UTC (permalink / raw)
To: Ben Collins; +Cc: Linus Torvalds, Kernel Mailing List
In-Reply-To: <20021216151639.GQ504@hopper.phunnypharm.org>
On Mon, Dec 16, 2002 at 10:16:39AM -0500, Ben Collins wrote:
> > This merge looks fishy. It seems to be yet another let's throw my CVS
> > repo in merge and backs out Al's work yo get rid of lots of devfs crap.
>
> Quit talking shit. I go through a lot of effort to merge in changes sent
> to Linus' tree into the Linux1394 repo. I don't just dump changes for no
> good reason.
>
> How about pointing out some specifics?
Take a look at the changeset at
http://linus.bkbits.net:8080/linux-2.5/diffs/drivers/ieee1394/dv1394.c@1.15?nav=index.html|src/|src/drivers|src/drivers/ieee1394|hist/drivers/ieee1394/dv1394.c.
Your big BLOB merge basically undoes everything in there.
> Maybe make my job easier by getting me some patches directly.
It was Al's patch, not mine.
> Trying to track two seperate source tree's isn't as easy as you might think.
In fact it's not difficult at all with a proper SCM, a bit of care and the
right attitude. I merge the changes from XFS (and about half a donzend
XFS-related repositories inside SGI that all need proper merging / keeping
in sync) to Linus all the time. And by keeping the changesets (or atomic
commits in SVN terminlogoy) as one patch each, hand-editing as needed when
merge conflicts arrive that works very well, even if I had been away and
the changes for four weeks need merging or as now we're five patchlevels
away from Linus tree (at 2.5.47). I've not lost a single upstream change
with that merge policy yet.
And no, that's no BK advertisment, SGI uses a RCS-based SCM internally and
I use unfied diffs to get it into a staging repository for Linus to pull.
^ permalink raw reply
* Re: Linux v2.5.52
From: Ben Collins @ 2002-12-16 16:40 UTC (permalink / raw)
To: Christoph Hellwig, Linus Torvalds, Kernel Mailing List
In-Reply-To: <20021216163631.A5342@infradead.org>
> > Trying to track two seperate source tree's isn't as easy as you might think.
>
> In fact it's not difficult at all with a proper SCM, a bit of care and the
> right attitude. I merge the changes from XFS (and about half a donzend
> XFS-related repositories inside SGI that all need proper merging / keeping
> in sync) to Linus all the time. And by keeping the changesets (or atomic
> commits in SVN terminlogoy) as one patch each, hand-editing as needed when
> merge conflicts arrive that works very well, even if I had been away and
> the changes for four weeks need merging or as now we're five patchlevels
> away from Linus tree (at 2.5.47). I've not lost a single upstream change
> with that merge policy yet.
>
> And no, that's no BK advertisment, SGI uses a RCS-based SCM internally and
> I use unfied diffs to get it into a staging repository for Linus to pull.
When someone pays me to work fulltime on Linux1394, I'll give it that
much time. Until then I have to make due with what time I have. If I
miss things because people would rather send patches to Linus than me,
it isn't my fault, but I'll do my best to fix it up.
--
Debian - http://www.debian.org/
Linux 1394 - http://www.linux1394.org/
Subversion - http://subversion.tigris.org/
Deqo - http://www.deqo.com/
^ permalink raw reply
* Re: ACK packets being dropped from yahoo
From: Jon Wyatt @ 2002-12-16 16:32 UTC (permalink / raw)
To: netfilter, netfilter
>From: Joel Newkirk <netfilter@newkirk.us>
>
>BTW, when I try this rule as first rule in my INPUT chain, it does NOT
>hit when I do a Yahoo search, the search works fine. Is there something
>more particular about your search, or is it just "yahoo.com" and enter
>some text to search for?
>
I swear to god I haven't changed anything...........
...........but it's started working.
Thanks anyway.
jon.
_________________________________________________________________
Tired of spam? Get advanced junk mail protection with MSN 8.
http://join.msn.com/?page=features/junkmail
^ permalink raw reply
* [PATCH] kexec for 2.5.52
From: Eric W. Biederman @ 2002-12-16 16:40 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel
Linus will you please apply this?
MAINTAINERS | 8
arch/i386/Kconfig | 17
arch/i386/kernel/Makefile | 1
arch/i386/kernel/entry.S | 2
arch/i386/kernel/machine_kexec.c | 142 ++++++++
arch/i386/kernel/relocate_kernel.S | 107 ++++++
include/asm-i386/kexec.h | 25 +
include/asm-i386/unistd.h | 2
include/linux/kexec.h | 45 ++
include/linux/reboot.h | 2
kernel/Makefile | 1
kernel/kexec.c | 640 +++++++++++++++++++++++++++++++++++++
kernel/sys.c | 23 +
13 files changed, 1013 insertions, 2 deletions
diff -uNr linux-2.5.52/MAINTAINERS linux-2.5.52.x86kexec/MAINTAINERS
--- linux-2.5.52/MAINTAINERS Thu Dec 12 07:41:16 2002
+++ linux-2.5.52.x86kexec/MAINTAINERS Mon Dec 16 02:24:32 2002
@@ -997,6 +997,14 @@
W: http://www.cse.unsw.edu.au/~neilb/patches/linux-devel/
S: Maintained
+KEXEC
+P: Eric Biederman
+M: ebiederm@xmission.com
+M: ebiederman@lnxi.com
+W: http://www.xmission.com/~ebiederm/files/kexec/
+L: linux-kernel@vger.kernel.org
+S: Maintained
+
LANMEDIA WAN CARD DRIVER
P: Andrew Stanley-Jones
M: asj@lanmedia.com
diff -uNr linux-2.5.52/arch/i386/Kconfig linux-2.5.52.x86kexec/arch/i386/Kconfig
--- linux-2.5.52/arch/i386/Kconfig Mon Dec 16 02:18:32 2002
+++ linux-2.5.52.x86kexec/arch/i386/Kconfig Mon Dec 16 02:23:00 2002
@@ -686,6 +686,23 @@
depends on (SMP || PREEMPT) && X86_CMPXCHG
default y
+config KEXEC
+ bool "kexec system call (EXPERIMENTAL)"
+ depends on EXPERIMENTAL
+ help
+ kexec is a system call that implements the ability to shutdown your
+ current kernel, and to start another kernel. It is like a reboot
+ but it is indepedent of the system firmware. And like a reboot
+ you can start any kernel with it not just Linux.
+
+ The name comes from the similiarity to the exec system call.
+
+ It is on an going process to be certain the hardware in a machine
+ is properly shutdown, so do not be surprised if this code does not
+ initially work for you. It may help to enable device hotplugging
+ support. As of this writing the exact hardware interface is
+ strongly in flux, so no good recommendation can be made.
+
endmenu
diff -uNr linux-2.5.52/arch/i386/kernel/Makefile linux-2.5.52.x86kexec/arch/i386/kernel/Makefile
--- linux-2.5.52/arch/i386/kernel/Makefile Mon Dec 16 02:18:32 2002
+++ linux-2.5.52.x86kexec/arch/i386/kernel/Makefile Mon Dec 16 02:23:00 2002
@@ -24,6 +24,7 @@
obj-$(CONFIG_X86_MPPARSE) += mpparse.o
obj-$(CONFIG_X86_LOCAL_APIC) += apic.o nmi.o
obj-$(CONFIG_X86_IO_APIC) += io_apic.o
+obj-$(CONFIG_KEXEC) += machine_kexec.o relocate_kernel.o
obj-$(CONFIG_SOFTWARE_SUSPEND) += suspend.o suspend_asm.o
obj-$(CONFIG_X86_NUMAQ) += numaq.o
obj-$(CONFIG_PROFILING) += profile.o
diff -uNr linux-2.5.52/arch/i386/kernel/entry.S linux-2.5.52.x86kexec/arch/i386/kernel/entry.S
--- linux-2.5.52/arch/i386/kernel/entry.S Thu Dec 12 07:41:17 2002
+++ linux-2.5.52.x86kexec/arch/i386/kernel/entry.S Mon Dec 16 02:23:00 2002
@@ -743,7 +743,7 @@
.long sys_epoll_wait
.long sys_remap_file_pages
.long sys_set_tid_address
-
+ .long sys_kexec_load
.rept NR_syscalls-(.-sys_call_table)/4
.long sys_ni_syscall
diff -uNr linux-2.5.52/arch/i386/kernel/machine_kexec.c linux-2.5.52.x86kexec/arch/i386/kernel/machine_kexec.c
--- linux-2.5.52/arch/i386/kernel/machine_kexec.c Wed Dec 31 17:00:00 1969
+++ linux-2.5.52.x86kexec/arch/i386/kernel/machine_kexec.c Mon Dec 16 02:23:00 2002
@@ -0,0 +1,142 @@
+#include <linux/config.h>
+#include <linux/mm.h>
+#include <linux/kexec.h>
+#include <linux/delay.h>
+#include <asm/pgtable.h>
+#include <asm/pgalloc.h>
+#include <asm/tlbflush.h>
+#include <asm/io.h>
+#include <asm/apic.h>
+
+
+/*
+ * machine_kexec
+ * =======================
+ */
+
+
+static void set_idt(void *newidt, __u16 limit)
+{
+ unsigned char curidt[6];
+
+ /* ia32 supports unaliged loads & stores */
+ (*(__u16 *)(curidt)) = limit;
+ (*(__u32 *)(curidt +2)) = (unsigned long)(newidt);
+
+ __asm__ __volatile__ (
+ "lidt %0\n"
+ : "=m" (curidt)
+ );
+};
+
+
+static void set_gdt(void *newgdt, __u16 limit)
+{
+ unsigned char curgdt[6];
+
+ /* ia32 supports unaliged loads & stores */
+ (*(__u16 *)(curgdt)) = limit;
+ (*(__u32 *)(curgdt +2)) = (unsigned long)(newgdt);
+
+ __asm__ __volatile__ (
+ "lgdt %0\n"
+ : "=m" (curgdt)
+ );
+};
+
+static void load_segments(void)
+{
+#define __STR(X) #X
+#define STR(X) __STR(X)
+
+ __asm__ __volatile__ (
+ "\tljmp $"STR(__KERNEL_CS)",$1f\n"
+ "\t1:\n"
+ "\tmovl $"STR(__KERNEL_DS)",%eax\n"
+ "\tmovl %eax,%ds\n"
+ "\tmovl %eax,%es\n"
+ "\tmovl %eax,%fs\n"
+ "\tmovl %eax,%gs\n"
+ "\tmovl %eax,%ss\n"
+ );
+#undef STR
+#undef __STR
+}
+
+static void identity_map_page(unsigned long address)
+{
+ /* This code is x86 specific...
+ * general purpose code must be more carful
+ * of caches and tlbs...
+ */
+ pgd_t *pgd;
+ pmd_t *pmd;
+ struct mm_struct *mm = current->mm;
+ spin_lock(&mm->page_table_lock);
+
+ pgd = pgd_offset(mm, address);
+ pmd = pmd_alloc(mm, pgd, address);
+
+ if (pmd) {
+ pte_t *pte = pte_alloc_map(mm, pmd, address);
+ if (pte) {
+ set_pte(pte,
+ mk_pte(virt_to_page(phys_to_virt(address)),
+ PAGE_SHARED));
+ __flush_tlb_one(address);
+ }
+ }
+ spin_unlock(&mm->page_table_lock);
+}
+
+
+typedef void (*relocate_new_kernel_t)(
+ unsigned long indirection_page, unsigned long reboot_code_buffer,
+ unsigned long start_address);
+
+const extern unsigned char relocate_new_kernel[];
+extern void relocate_new_kernel_end(void);
+const extern unsigned int relocate_new_kernel_size;
+
+void machine_kexec(struct kimage *image)
+{
+ unsigned long *indirection_page;
+ void *reboot_code_buffer;
+ relocate_new_kernel_t rnk;
+
+ /* Interrupts aren't acceptable while we reboot */
+ local_irq_disable();
+ reboot_code_buffer = image->reboot_code_buffer;
+ indirection_page = phys_to_virt(image->head & PAGE_MASK);
+
+ identity_map_page(virt_to_phys(reboot_code_buffer));
+
+ /* copy it out */
+ memcpy(reboot_code_buffer, relocate_new_kernel,
+ relocate_new_kernel_size);
+
+ /* The segment registers are funny things, they are
+ * automatically loaded from a table, in memory wherever you
+ * set them to a specific selector, but this table is never
+ * accessed again you set the segment to a different selector.
+ *
+ * The more common model is are caches where the behide
+ * the scenes work is done, but is also dropped at arbitrary
+ * times.
+ *
+ * I take advantage of this here by force loading the
+ * segments, before I zap the gdt with an invalid value.
+ */
+ load_segments();
+ /* The gdt & idt are now invalid.
+ * If you want to load them you must set up your own idt & gdt.
+ */
+ set_gdt(phys_to_virt(0),0);
+ set_idt(phys_to_virt(0),0);
+
+ /* now call it */
+ rnk = (relocate_new_kernel_t) virt_to_phys(reboot_code_buffer);
+ (*rnk)(virt_to_phys(indirection_page), virt_to_phys(reboot_code_buffer),
+ image->start);
+}
+
diff -uNr linux-2.5.52/arch/i386/kernel/relocate_kernel.S linux-2.5.52.x86kexec/arch/i386/kernel/relocate_kernel.S
--- linux-2.5.52/arch/i386/kernel/relocate_kernel.S Wed Dec 31 17:00:00 1969
+++ linux-2.5.52.x86kexec/arch/i386/kernel/relocate_kernel.S Mon Dec 16 02:23:00 2002
@@ -0,0 +1,107 @@
+#include <linux/config.h>
+#include <linux/linkage.h>
+
+ /* Must be relocatable PIC code callable as a C function, that once
+ * it starts can not use the previous processes stack.
+ *
+ */
+ .globl relocate_new_kernel
+relocate_new_kernel:
+ /* read the arguments and say goodbye to the stack */
+ movl 4(%esp), %ebx /* indirection_page */
+ movl 8(%esp), %ebp /* reboot_code_buffer */
+ movl 12(%esp), %edx /* start address */
+
+ /* zero out flags, and disable interrupts */
+ pushl $0
+ popfl
+
+ /* set a new stack at the bottom of our page... */
+ lea 4096(%ebp), %esp
+
+ /* store the parameters back on the stack */
+ pushl %edx /* store the start address */
+
+ /* Set cr0 to a known state:
+ * 31 0 == Paging disabled
+ * 18 0 == Alignment check disabled
+ * 16 0 == Write protect disabled
+ * 3 0 == No task switch
+ * 2 0 == Don't do FP software emulation.
+ * 0 1 == Proctected mode enabled
+ */
+ movl %cr0, %eax
+ andl $~((1<<31)|(1<<18)|(1<<16)|(1<<3)|(1<<2)), %eax
+ orl $(1<<0), %eax
+ movl %eax, %cr0
+
+ /* Set cr4 to a known state:
+ * Setting everything to zero seems safe.
+ */
+ movl %cr4, %eax
+ andl $0, %eax
+ movl %eax, %cr4
+
+ jmp 1f
+1:
+
+ /* Flush the TLB (needed?) */
+ xorl %eax, %eax
+ movl %eax, %cr3
+
+ /* Do the copies */
+ cld
+0: /* top, read another word for the indirection page */
+ movl %ebx, %ecx
+ movl (%ebx), %ecx
+ addl $4, %ebx
+ testl $0x1, %ecx /* is it a destination page */
+ jz 1f
+ movl %ecx, %edi
+ andl $0xfffff000, %edi
+ jmp 0b
+1:
+ testl $0x2, %ecx /* is it an indirection page */
+ jz 1f
+ movl %ecx, %ebx
+ andl $0xfffff000, %ebx
+ jmp 0b
+1:
+ testl $0x4, %ecx /* is it the done indicator */
+ jz 1f
+ jmp 2f
+1:
+ testl $0x8, %ecx /* is it the source indicator */
+ jz 0b /* Ignore it otherwise */
+ movl %ecx, %esi /* For every source page do a copy */
+ andl $0xfffff000, %esi
+
+ movl $1024, %ecx
+ rep ; movsl
+ jmp 0b
+
+2:
+
+ /* To be certain of avoiding problems with self modifying code
+ * I need to execute a serializing instruction here.
+ * So I flush the TLB, it's handy, and not processor dependent.
+ */
+ xorl %eax, %eax
+ movl %eax, %cr3
+
+ /* set all of the registers to known values */
+ /* leave %esp alone */
+
+ xorl %eax, %eax
+ xorl %ebx, %ebx
+ xorl %ecx, %ecx
+ xorl %edx, %edx
+ xorl %esi, %esi
+ xorl %edi, %edi
+ xorl %ebp, %ebp
+ ret
+relocate_new_kernel_end:
+
+ .globl relocate_new_kernel_size
+relocate_new_kernel_size:
+ .long relocate_new_kernel_end - relocate_new_kernel
diff -uNr linux-2.5.52/include/asm-i386/kexec.h linux-2.5.52.x86kexec/include/asm-i386/kexec.h
--- linux-2.5.52/include/asm-i386/kexec.h Wed Dec 31 17:00:00 1969
+++ linux-2.5.52.x86kexec/include/asm-i386/kexec.h Mon Dec 16 02:23:00 2002
@@ -0,0 +1,25 @@
+#ifndef _I386_KEXEC_H
+#define _I386_KEXEC_H
+
+#include <asm/fixmap.h>
+
+/*
+ * KEXEC_SOURCE_MEMORY_LIMIT maximum page get_free_page can return.
+ * I.e. Maximum page that is mapped directly into kernel memory,
+ * and kmap is not required.
+ *
+ * Someone correct me if FIXADDR_START - PAGEOFFSET is not the correct
+ * calculation for the amount of memory directly mappable into the
+ * kernel memory space.
+ */
+
+/* Maximum physical address we can use pages from */
+#define KEXEC_SOURCE_MEMORY_LIMIT (FIXADDR_START - PAGE_OFFSET)
+/* Maximum address we can reach in physical address mode */
+#define KEXEC_DESTINATION_MEMORY_LIMIT (-1UL)
+
+#define KEXEC_REBOOT_CODE_SIZE 4096
+#define KEXEC_REBOOT_CODE_ALIGN 0
+
+
+#endif /* _I386_KEXEC_H */
diff -uNr linux-2.5.52/include/asm-i386/unistd.h linux-2.5.52.x86kexec/include/asm-i386/unistd.h
--- linux-2.5.52/include/asm-i386/unistd.h Thu Dec 12 07:41:35 2002
+++ linux-2.5.52.x86kexec/include/asm-i386/unistd.h Mon Dec 16 02:23:00 2002
@@ -264,7 +264,7 @@
#define __NR_epoll_wait 256
#define __NR_remap_file_pages 257
#define __NR_set_tid_address 258
-
+#define __NR_sys_kexec_load 259
/* user-visible error numbers are in the range -1 - -124: see <asm-i386/errno.h> */
diff -uNr linux-2.5.52/include/linux/kexec.h linux-2.5.52.x86kexec/include/linux/kexec.h
--- linux-2.5.52/include/linux/kexec.h Wed Dec 31 17:00:00 1969
+++ linux-2.5.52.x86kexec/include/linux/kexec.h Mon Dec 16 02:23:00 2002
@@ -0,0 +1,45 @@
+#ifndef LINUX_KEXEC_H
+#define LINUX_KEXEC_H
+
+#if CONFIG_KEXEC
+#include <linux/types.h>
+#include <asm/kexec.h>
+
+/*
+ * This structure is used to hold the arguments that are used when loading
+ * kernel binaries.
+ */
+
+typedef unsigned long kimage_entry_t;
+#define IND_DESTINATION 0x1
+#define IND_INDIRECTION 0x2
+#define IND_DONE 0x4
+#define IND_SOURCE 0x8
+
+struct kimage {
+ kimage_entry_t head;
+ kimage_entry_t *entry;
+ kimage_entry_t *last_entry;
+
+ unsigned long destination;
+ unsigned long offset;
+
+ unsigned long start;
+ void *reboot_code_buffer;
+};
+
+struct kexec_segment {
+ void *buf;
+ size_t bufsz;
+ void *mem;
+ size_t memsz;
+};
+
+/* kexec interface functions */
+extern void machine_kexec(struct kimage *image);
+extern asmlinkage long sys_kexec(unsigned long entry, long nr_segments,
+ struct kexec_segment *segments);
+extern struct kimage *kexec_image;
+#endif
+#endif /* LINUX_KEXEC_H */
+
diff -uNr linux-2.5.52/include/linux/reboot.h linux-2.5.52.x86kexec/include/linux/reboot.h
--- linux-2.5.52/include/linux/reboot.h Thu Dec 12 07:41:37 2002
+++ linux-2.5.52.x86kexec/include/linux/reboot.h Mon Dec 16 02:23:00 2002
@@ -21,6 +21,7 @@
* POWER_OFF Stop OS and remove all power from system, if possible.
* RESTART2 Restart system using given command string.
* SW_SUSPEND Suspend system using Software Suspend if compiled in
+ * KEXEC Restart the system using a different kernel.
*/
#define LINUX_REBOOT_CMD_RESTART 0x01234567
@@ -30,6 +31,7 @@
#define LINUX_REBOOT_CMD_POWER_OFF 0x4321FEDC
#define LINUX_REBOOT_CMD_RESTART2 0xA1B2C3D4
#define LINUX_REBOOT_CMD_SW_SUSPEND 0xD000FCE2
+#define LINUX_REBOOT_CMD_KEXEC 0x45584543
#ifdef __KERNEL__
diff -uNr linux-2.5.52/kernel/Makefile linux-2.5.52.x86kexec/kernel/Makefile
--- linux-2.5.52/kernel/Makefile Mon Dec 16 02:19:15 2002
+++ linux-2.5.52.x86kexec/kernel/Makefile Mon Dec 16 02:23:00 2002
@@ -21,6 +21,7 @@
obj-$(CONFIG_CPU_FREQ) += cpufreq.o
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
obj-$(CONFIG_SOFTWARE_SUSPEND) += suspend.o
+obj-$(CONFIG_KEXEC) += kexec.o
obj-$(CONFIG_COMPAT) += compat.o
ifneq ($(CONFIG_IA64),y)
diff -uNr linux-2.5.52/kernel/kexec.c linux-2.5.52.x86kexec/kernel/kexec.c
--- linux-2.5.52/kernel/kexec.c Wed Dec 31 17:00:00 1969
+++ linux-2.5.52.x86kexec/kernel/kexec.c Mon Dec 16 02:30:10 2002
@@ -0,0 +1,640 @@
+#include <linux/mm.h>
+#include <linux/file.h>
+#include <linux/slab.h>
+#include <linux/fs.h>
+#include <linux/version.h>
+#include <linux/compile.h>
+#include <linux/kexec.h>
+#include <linux/spinlock.h>
+#include <net/checksum.h>
+#include <asm/page.h>
+#include <asm/uaccess.h>
+#include <asm/io.h>
+#include <asm/system.h>
+
+/* As designed kexec can only use the memory that you don't
+ * need to use kmap to access. Memory that you can use virt_to_phys()
+ * on an call get_free_page to allocate.
+ *
+ * In the best case you need one page for the transition from
+ * virtual to physical memory. And this page must be identity
+ * mapped. Which pretty much leaves you with pages < PAGE_OFFSET
+ * as you can only mess with user pages.
+ *
+ * As the only subset of memory that it is easy to restrict allocation
+ * to is the physical memory mapped into the kernel, I do that
+ * with get_free_page and hope it is enough.
+ *
+ * I don't know of a good way to do this calcuate which pages get_free_page
+ * will return independent of architecture so I depend on
+ * <asm/kexec.h> to properly set
+ * KEXEC_SOURCE_MEMORY_LIMIT and KEXEC_DESTINATION_MEMORY_LIMIT
+ *
+ */
+
+static struct kimage *kimage_alloc(void)
+{
+ struct kimage *image;
+ image = kmalloc(sizeof(*image), GFP_KERNEL);
+ if (!image)
+ return 0;
+ memset(image, 0, sizeof(*image));
+ image->head = 0;
+ image->entry = &image->head;
+ image->last_entry = &image->head;
+ return image;
+}
+static int kimage_add_entry(struct kimage *image, kimage_entry_t entry)
+{
+ if (image->offset != 0) {
+ image->entry++;
+ }
+ if (image->entry == image->last_entry) {
+ kimage_entry_t *ind_page;
+ ind_page = (void *)__get_free_page(GFP_KERNEL);
+ if (!ind_page) {
+ return -ENOMEM;
+ }
+ *image->entry = virt_to_phys(ind_page) | IND_INDIRECTION;
+ image->entry = ind_page;
+ image->last_entry =
+ ind_page + ((PAGE_SIZE/sizeof(kimage_entry_t)) - 1);
+ }
+ *image->entry = entry;
+ image->entry++;
+ image->offset = 0;
+ return 0;
+}
+
+static int kimage_verify_destination(unsigned long destination)
+{
+ int result;
+
+ /* Assume the page is bad unless we pass the checks */
+ result = -EADDRNOTAVAIL;
+
+ if (destination >= KEXEC_DESTINATION_MEMORY_LIMIT) {
+ goto out;
+ }
+
+ /* NOTE: The caller is responsible for making certain we
+ * don't attempt to load the new image into invalid or
+ * reserved areas of RAM.
+ */
+ result = 0;
+out:
+ return result;
+}
+
+static int kimage_set_destination(
+ struct kimage *image, unsigned long destination)
+{
+ int result;
+ destination &= PAGE_MASK;
+ result = kimage_verify_destination(destination);
+ if (result) {
+ return result;
+ }
+ result = kimage_add_entry(image, destination | IND_DESTINATION);
+ if (result == 0) {
+ image->destination = destination;
+ }
+ return result;
+}
+
+
+static int kimage_add_page(struct kimage *image, unsigned long page)
+{
+ int result;
+ page &= PAGE_MASK;
+ result = kimage_verify_destination(image->destination);
+ if (result) {
+ return result;
+ }
+ result = kimage_add_entry(image, page | IND_SOURCE);
+ if (result == 0) {
+ image->destination += PAGE_SIZE;
+ }
+ return result;
+}
+
+
+static int kimage_terminate(struct kimage *image)
+{
+ int result;
+ result = kimage_add_entry(image, IND_DONE);
+ if (result == 0) {
+ /* Point at the terminating element */
+ image->entry--;
+ }
+ return result;
+}
+
+#define for_each_kimage_entry(image, ptr, entry) \
+ for (ptr = &image->head; (entry = *ptr) && !(entry & IND_DONE); \
+ ptr = (entry & IND_INDIRECTION)? \
+ phys_to_virt((entry & PAGE_MASK)): ptr +1)
+
+static void kimage_free(struct kimage *image)
+{
+ kimage_entry_t *ptr, entry;
+ kimage_entry_t ind = 0;
+ if (!image)
+ return;
+ for_each_kimage_entry(image, ptr, entry) {
+ if (entry & IND_INDIRECTION) {
+ /* Free the previous indirection page */
+ if (ind & IND_INDIRECTION) {
+ free_page((unsigned long)phys_to_virt(ind & PAGE_MASK));
+ }
+ /* Save this indirection page until we are
+ * done with it.
+ */
+ ind = entry;
+ }
+ else if (entry & IND_SOURCE) {
+ free_page((unsigned long)phys_to_virt(entry & PAGE_MASK));
+ }
+ }
+ kfree(image);
+}
+
+static int kimage_is_destination_page(
+ struct kimage *image, unsigned long page)
+{
+ kimage_entry_t *ptr, entry;
+ unsigned long destination;
+ destination = 0;
+ page &= PAGE_MASK;
+ for_each_kimage_entry(image, ptr, entry) {
+ if (entry & IND_DESTINATION) {
+ destination = entry & PAGE_MASK;
+ }
+ else if (entry & IND_SOURCE) {
+ if (page == destination) {
+ return 1;
+ }
+ destination += PAGE_SIZE;
+ }
+ }
+ return 0;
+}
+
+static int kimage_get_unused_area(
+ struct kimage *image, unsigned long size, unsigned long align,
+ unsigned long *area)
+{
+ /* Walk through mem_map and find the first chunk of
+ * ununsed memory that is at least size bytes long.
+ */
+ /* Since the kernel plays with Page_Reseved mem_map is less
+ * than ideal for this purpose, but it will give us a correct
+ * conservative estimate of what we need to do.
+ */
+ /* For now we take advantage of the fact that all kernel pages
+ * are marked with PG_resereved to allocate a large
+ * contiguous area for the reboot code buffer.
+ */
+ unsigned long addr;
+ unsigned long start, end;
+ unsigned long mask;
+ mask = ((1 << align) -1);
+ start = end = PAGE_SIZE;
+ for(addr = PAGE_SIZE; addr < KEXEC_SOURCE_MEMORY_LIMIT; addr += PAGE_SIZE) {
+ struct page *page;
+ unsigned long aligned_start;
+ page = virt_to_page(phys_to_virt(addr));
+ if (PageReserved(page) ||
+ kimage_is_destination_page(image, addr)) {
+ /* The current page is reserved so the start &
+ * end of the next area must be atleast at the
+ * next page.
+ */
+ start = end = addr + PAGE_SIZE;
+ }
+ else {
+ /* O.k. The current page isn't reserved
+ * so push up the end of the area.
+ */
+ end = addr;
+ }
+ aligned_start = (start + mask) & ~mask;
+ if (aligned_start > start) {
+ continue;
+ }
+ if (aligned_start > end) {
+ continue;
+ }
+ if (end - aligned_start >= size) {
+ *area = aligned_start;
+ return 0;
+ }
+ }
+ *area = 0;
+ return -ENOSPC;
+}
+
+static kimage_entry_t *kimage_dst_conflict(
+ struct kimage *image, unsigned long page, kimage_entry_t *limit)
+{
+ kimage_entry_t *ptr, entry;
+ unsigned long destination = 0;
+ for_each_kimage_entry(image, ptr, entry) {
+ if (ptr == limit) {
+ return 0;
+ }
+ else if (entry & IND_DESTINATION) {
+ destination = entry & PAGE_MASK;
+ }
+ else if (entry & IND_SOURCE) {
+ if (page == destination) {
+ return ptr;
+ }
+ destination += PAGE_SIZE;
+ }
+ }
+ return 0;
+}
+
+static kimage_entry_t *kimage_src_conflict(
+ struct kimage *image, unsigned long destination, kimage_entry_t *limit)
+{
+ kimage_entry_t *ptr, entry;
+ for_each_kimage_entry(image, ptr, entry) {
+ unsigned long page;
+ if (ptr == limit) {
+ return 0;
+ }
+ else if (entry & IND_DESTINATION) {
+ /* nop */
+ }
+ else if (entry & IND_DONE) {
+ /* nop */
+ }
+ else {
+ /* SOURCE & INDIRECTION */
+ page = entry & PAGE_MASK;
+ if (page == destination) {
+ return ptr;
+ }
+ }
+ }
+ return 0;
+}
+
+static int kimage_get_off_destination_pages(struct kimage *image)
+{
+ kimage_entry_t *ptr, *cptr, entry;
+ unsigned long buffer, page;
+ unsigned long destination = 0;
+
+ /* Here we implement safe guards to insure that
+ * a source page is not copied to it's destination
+ * page before the data on the destination page is
+ * no longer useful.
+ *
+ * To make it work we actually wind up with a
+ * stronger condition. For every page considered
+ * it is either it's own destination page or it is
+ * not a destination page of any page considered.
+ *
+ * Invariants
+ * 1. buffer is not a destination of a previous page.
+ * 2. page is not a destination of a previous page.
+ * 3. destination is not a previous source page.
+ *
+ * Result: Either a source page and a destination page
+ * are the same or the page is not a destination page.
+ *
+ * These checks could be done when we allocate the pages,
+ * but doing it as a final pass allows us more freedom
+ * on how we allocate pages.
+ *
+ * Also while the checks are necessary, in practice nothing
+ * happens. The destination kernel wants to sit in the
+ * same physical addresses as the current kernel so we never
+ * actually allocate a destination page.
+ *
+ * BUGS: This is a O(N^2) algorithm.
+ */
+
+
+ buffer = __get_free_page(GFP_KERNEL);
+ if (!buffer) {
+ return -ENOMEM;
+ }
+ buffer = virt_to_phys((void *)buffer);
+ for_each_kimage_entry(image, ptr, entry) {
+ /* Here we check to see if an allocated page */
+ kimage_entry_t *limit;
+ if (entry & IND_DESTINATION) {
+ destination = entry & PAGE_MASK;
+ }
+ else if (entry & IND_INDIRECTION) {
+ /* Indirection pages must include all of their
+ * contents in limit checking.
+ */
+ limit = phys_to_virt(page + PAGE_SIZE - sizeof(*limit));
+ }
+ if (!((entry & IND_SOURCE) | (entry & IND_INDIRECTION))) {
+ continue;
+ }
+ page = entry & PAGE_MASK;
+ limit = ptr;
+
+ /* See if a previous page has the current page as it's
+ * destination.
+ * i.e. invariant 2
+ */
+ cptr = kimage_dst_conflict(image, page, limit);
+ if (cptr) {
+ unsigned long cpage;
+ kimage_entry_t centry;
+ centry = *cptr;
+ cpage = centry & PAGE_MASK;
+ memcpy(phys_to_virt(buffer), phys_to_virt(page), PAGE_SIZE);
+ memcpy(phys_to_virt(page), phys_to_virt(cpage), PAGE_SIZE);
+ *cptr = page | (centry & ~PAGE_MASK);
+ *ptr = buffer | (entry & ~PAGE_MASK);
+ buffer = cpage;
+ }
+ if (!(entry & IND_SOURCE)) {
+ continue;
+ }
+
+ /* See if a previous page is our destination page.
+ * If so claim it now.
+ * i.e. invariant 3
+ */
+ cptr = kimage_src_conflict(image, destination, limit);
+ if (cptr) {
+ unsigned long cpage;
+ kimage_entry_t centry;
+ centry = *cptr;
+ cpage = centry & PAGE_MASK;
+ memcpy(phys_to_virt(buffer), phys_to_virt(cpage), PAGE_SIZE);
+ memcpy(phys_to_virt(cpage), phys_to_virt(page), PAGE_SIZE);
+ *cptr = buffer | (centry & ~PAGE_MASK);
+ *ptr = cpage | ( entry & ~PAGE_MASK);
+ buffer = page;
+ }
+ /* If the buffer is my destination page do the copy now
+ * i.e. invariant 3 & 1
+ */
+ if (buffer == destination) {
+ memcpy(phys_to_virt(buffer), phys_to_virt(page), PAGE_SIZE);
+ *ptr = buffer | (entry & ~PAGE_MASK);
+ buffer = page;
+ }
+ }
+ free_page((unsigned long)phys_to_virt(buffer));
+ return 0;
+}
+
+static int kimage_add_empty_pages(struct kimage *image,
+ unsigned long len)
+{
+ unsigned long pos;
+ int result;
+ for(pos = 0; pos < len; pos += PAGE_SIZE) {
+ char *page;
+ result = -ENOMEM;
+ page = (void *)__get_free_page(GFP_KERNEL);
+ if (!page) {
+ goto out;
+ }
+ result = kimage_add_page(image, virt_to_phys(page));
+ if (result) {
+ goto out;
+ }
+ }
+ result = 0;
+ out:
+ return result;
+}
+
+
+static int kimage_load_segment(struct kimage *image,
+ struct kexec_segment *segment)
+{
+ unsigned long mstart;
+ int result;
+ unsigned long offset;
+ unsigned long offset_end;
+ unsigned char *buf;
+
+ result = 0;
+ buf = segment->buf;
+ mstart = (unsigned long)segment->mem;
+
+ offset_end = segment->memsz;
+
+ result = kimage_set_destination(image, mstart);
+ if (result < 0) {
+ goto out;
+ }
+ for(offset = 0; offset < segment->memsz; offset += PAGE_SIZE) {
+ char *page;
+ size_t size, leader;
+ page = (char *)__get_free_page(GFP_KERNEL);
+ if (page == 0) {
+ result = -ENOMEM;
+ goto out;
+ }
+ result = kimage_add_page(image, virt_to_phys(page));
+ if (result < 0) {
+ goto out;
+ }
+ if (segment->bufsz < offset) {
+ /* We are past the end zero the whole page */
+ memset(page, 0, PAGE_SIZE);
+ continue;
+ }
+ size = PAGE_SIZE;
+ leader = 0;
+ if ((offset == 0)) {
+ leader = mstart & ~PAGE_MASK;
+ }
+ if (leader) {
+ /* We are on the first page zero the unused portion */
+ memset(page, 0, leader);
+ size -= leader;
+ page += leader;
+ }
+ if (size > (segment->bufsz - offset)) {
+ size = segment->bufsz - offset;
+ }
+ result = copy_from_user(page, buf + offset, size);
+ if (result) {
+ result = (result < 0)?result : -EIO;
+ goto out;
+ }
+ if (size < (PAGE_SIZE - leader)) {
+ /* zero the trailing part of the page */
+ memset(page + size, 0, (PAGE_SIZE - leader) - size);
+ }
+ }
+ out:
+ return result;
+}
+
+
+/* do_kexec executes a new kernel
+ */
+static int do_kexec(unsigned long start, unsigned long nr_segments,
+ struct kexec_segment *arg_segments, struct kimage *image)
+{
+ struct kexec_segment *segments;
+ size_t segment_bytes;
+ int i;
+
+ int result;
+ unsigned long reboot_code_buffer;
+ kimage_entry_t *end;
+
+ /* Initialize variables */
+ segments = 0;
+
+ segment_bytes = nr_segments * sizeof(*segments);
+ segments = kmalloc(GFP_KERNEL, segment_bytes);
+ if (segments == 0) {
+ result = -ENOMEM;
+ goto out;
+ }
+ result = copy_from_user(segments, arg_segments, segment_bytes);
+ if (result) {
+ goto out;
+ }
+
+ /* Read in the data from user space */
+ image->start = start;
+ for(i = 0; i < nr_segments; i++) {
+ result = kimage_load_segment(image, &segments[i]);
+ if (result) {
+ goto out;
+ }
+ }
+
+ /* Terminate early so I can get a place holder. */
+ result = kimage_terminate(image);
+ if (result)
+ goto out;
+ end = image->entry;
+
+ /* Usage of the reboot code buffer is subtle. We first
+ * find a continguous area of ram, that is not one
+ * of our destination pages. We do not allocate the ram.
+ *
+ * The algorithm to make certain we do not have address
+ * conflicts requires each destination region to have some
+ * backing store so we allocate abitrary source pages.
+ *
+ * Later in machine_kexec when we copy data to the
+ * reboot_code_buffer it still may be allocated for other
+ * purposes, but we do know there are no source or destination
+ * pages in that area. And since the rest of the kernel
+ * is already shutdown those pages are free for use,
+ * regardless of their page->count values.
+ *
+ * The kernel mapping is of the reboot code buffer is passed to
+ * the machine dependent code. If it needs something else
+ * it is free to set that up.
+ */
+ result = kimage_get_unused_area(
+ image, KEXEC_REBOOT_CODE_SIZE, KEXEC_REBOOT_CODE_ALIGN,
+ &reboot_code_buffer);
+ if (result)
+ goto out;
+
+ /* Allocating pages we should never need is silly but the
+ * code won't work correctly unless we have dummy pages to
+ * work with.
+ */
+ result = kimage_set_destination(image, reboot_code_buffer);
+ if (result)
+ goto out;
+ result = kimage_add_empty_pages(image, KEXEC_REBOOT_CODE_SIZE);
+ if (result)
+ goto out;
+ image->reboot_code_buffer = phys_to_virt(reboot_code_buffer);
+
+ result = kimage_terminate(image);
+ if (result)
+ goto out;
+
+ result = kimage_get_off_destination_pages(image);
+ if (result)
+ goto out;
+
+ /* Now hide the extra source pages for the reboot code buffer.
+ */
+ image->entry = end;
+ result = kimage_terminate(image);
+ if (result)
+ goto out;
+
+ result = 0;
+ out:
+ /* cleanup and exit */
+ if (segments) kfree(segments);
+ return result;
+}
+
+
+/*
+ * Exec Kernel system call: for obvious reasons only root may call it.
+ *
+ * This call breaks up into three pieces.
+ * - A generic part which loads the new kernel from the current
+ * address space, and very carefully places the data in the
+ * allocated pages.
+ *
+ * - A generic part that interacts with the kernel and tells all of
+ * the devices to shut down. Preventing on-going dmas, and placing
+ * the devices in a consistent state so a later kernel can
+ * reinitialize them.
+ *
+ * - A machine specific part that includes the syscall number
+ * and the copies the image to it's final destination. And
+ * jumps into the image at entry.
+ *
+ * kexec does not sync, or unmount filesystems so if you need
+ * that to happen you need to do that yourself.
+ */
+struct kimage *kexec_image = 0;
+
+asmlinkage long sys_kexec_load(unsigned long entry, unsigned long nr_segments,
+ struct kexec_segment *segments, unsigned long flags)
+{
+ /* Am I using to much stack space here? */
+ struct kimage *image, *old_image;
+ int result;
+
+ /* We only trust the superuser with rebooting the system. */
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+ /* In case we need just a little bit of special behavior for
+ * reboot on panic
+ */
+ if (flags != 0)
+ return -EINVAL;
+
+ image = 0;
+ if (nr_segments > 0) {
+ image = kimage_alloc();
+ if (!image) {
+ return -ENOMEM;
+ }
+ result = do_kexec(entry, nr_segments, segments, image);
+ if (result) {
+ kimage_free(image);
+ return result;
+ }
+ }
+
+ old_image = xchg(&kexec_image, image);
+
+ kimage_free(old_image);
+ return 0;
+}
diff -uNr linux-2.5.52/kernel/sys.c linux-2.5.52.x86kexec/kernel/sys.c
--- linux-2.5.52/kernel/sys.c Thu Dec 12 07:41:37 2002
+++ linux-2.5.52.x86kexec/kernel/sys.c Mon Dec 16 02:23:00 2002
@@ -16,6 +16,7 @@
#include <linux/init.h>
#include <linux/highuid.h>
#include <linux/fs.h>
+#include <linux/kexec.h>
#include <linux/workqueue.h>
#include <linux/device.h>
#include <linux/times.h>
@@ -207,6 +208,7 @@
cond_syscall(sys_lookup_dcookie)
cond_syscall(sys_swapon)
cond_syscall(sys_swapoff)
+cond_syscall(sys_kexec_load)
cond_syscall(sys_init_module)
cond_syscall(sys_delete_module)
@@ -419,6 +421,27 @@
machine_restart(buffer);
break;
+#ifdef CONFIG_KEXEC
+ case LINUX_REBOOT_CMD_KEXEC:
+ {
+ struct kimage *image;
+ if (arg) {
+ unlock_kernel();
+ return -EINVAL;
+ }
+ image = xchg(&kexec_image, 0);
+ if (!image) {
+ unlock_kernel();
+ return -EINVAL;
+ }
+ notifier_call_chain(&reboot_notifier_list, SYS_RESTART, NULL);
+ system_running = 0;
+ device_shutdown();
+ printk(KERN_EMERG "Starting new kernel\n");
+ machine_kexec(image);
+ break;
+ }
+#endif
#ifdef CONFIG_SOFTWARE_SUSPEND
case LINUX_REBOOT_CMD_SW_SUSPEND:
if (!software_suspend_enabled) {
^ permalink raw reply
* [PATCH] 2.5.52: access permission filesystem 0.13
From: Olaf Dietsche @ 2002-12-16 16:51 UTC (permalink / raw)
To: linux-kernel
This *untested* patch adds a new permission managing file system.
Furthermore, it adds two modules, which make use of this file system.
One module allows granting capabilities based on user-/groupid. The
second module allows to grant access to lower numbered ports based on
user-/groupid, too.
Changes:
- updated to 2.5.52
- fixed 'struct timespec' compile error
This patch is available at:
<http://home.t-online.de/home/olaf.dietsche/linux/accessfs/>
Regards, Olaf.
^ permalink raw reply
* [PATCH] 2.5.52: Filesystem capabilities 0.13
From: Olaf Dietsche @ 2002-12-16 16:51 UTC (permalink / raw)
To: linux-kernel
This *untested* patch implements filesystem capabilities. It allows to
run privileged executables without the need for suid root.
Changes:
- updated to 2.5.52
- fixed missing includes
This patch is available at:
<http://home.t-online.de/home/olaf.dietsche/linux/capability/>
Regards, Olaf.
^ permalink raw reply
* Re: help on subscribing
From: Fabio Miranda Hamburger @ 2002-12-16 16:44 UTC (permalink / raw)
To: Nicholas Ho; +Cc: linux-c-programming
In-Reply-To: <3DFC77D0.3020304@singmail.com>
send an email to: majordomo@vger.kernel.org
in the body of the message write:
subscribe linux-c-programming
end
and wait for a reply and READ IT.
bye,
---
Fabio Andres Miranda
Ingenieria de sistemas informaticos
Universidad Latina - Costa Rica
On Sun, 15 Dec 2002, Nicholas Ho wrote:
> Hi, how do i subscribe to this mailing list?
> -Nicholas-
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply
* Re: Intel sez: Synchronous Flash and XIP is the future -- thoughts?
From: Nicolas Pitre @ 2002-12-16 17:21 UTC (permalink / raw)
To: David Woodhouse; +Cc: Wolfgang Denk, Paul Nash, Linux-MTD (E-mail)
In-Reply-To: <18190.1040039149@passion.cambridge.redhat.com>
On Mon, 16 Dec 2002, David Woodhouse wrote:
>
> wd@denx.de said:
> > Running the kernel XIP is not so insane. It can help to reduce boot
> > time. We still more than 3 seconds from power-on to application
> > start, which is not so bad, but still too much in some cases;
> > avoiding the memcpy() of some 2 MB of data is kind of attractive
> > then...
>
> That's true, although even if you have the kernel on a separate flash chip
> to which you don't ever write, it does cost you later because you then run
> from flash which is slower than RAM. I wonder if we could copy the kernel
> from flash to RAM at runtime and fix up the page tables as we go, to get the
> best of both worlds?
On ARM this has no value since the kernel takes up at most 1 or 2 page table
entries (1MB section descriptors that is).
Fortunately on ARM the kernel seems to be sane with .text and .rodata
actually being read-only.
/me who incidentally just finished hacking a XIP kernel and filesystem patch
on ARM for a customer named Intel...
Nicolas
^ permalink raw reply
* Re: Peter Abel's assembly book.
From: Robin Miyagi @ 2002-12-16 16:53 UTC (permalink / raw)
To: linux-assembly
In-Reply-To: <F15F8beVGRQaRbatlkZ00008cd1@hotmail.com>
Dr. Paul Carter's assembly book. You will find a link to it under
resources at linuxassembly.org
On Monday 16 December 2002 07:50, fabio miranda wrote:
> Hi, I am interested in learning about Linux/FreeBSD assembly programming
> focused on vulnerability research.
> It has been very difficult to find book about assembly in my country,
> however, I found the Peter Abel's book about assembly on DOS.
> Can I use it having in mind my goals?.
> What others resources Do you suggest me ( != linuxassembly.org) ?
>
> regards,
>
> PLCR.
>
>
> _________________________________________________________________
> MSN. Más Útil Cada Día http://www.msn.es/intmap/
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-assembly"
> in the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Robin Miyagi<penguin-computing@c2c2c.ca>
http://penguin.c2c2c.ca/
Please do not send me MSWord, Excel or other proprietary format documents
-
To unsubscribe from this list: send the line "unsubscribe linux-assembly" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply
* Re: 1/19
From: Linus Torvalds @ 2002-12-16 17:07 UTC (permalink / raw)
To: Joe Thornber; +Cc: Kernel Mailing List
In-Reply-To: <20021216100608.GB7407@reti>
Thanks for doing the split, great work.
For future reference, it would help if the subject line also had a short
description, something more like
Subject: [PATCH 1/19] dm: move ioctl numbers to sane place
but that's just a small technical detail and I'll make up my own "short
description" based on your longer in-email ones.
Linus
^ permalink raw reply
* Re: NFS oopses on smp servers
From: Trond Myklebust @ 2002-12-16 16:58 UTC (permalink / raw)
To: Trond Myklebust; +Cc: Bernhard Kaindl, Peter Lojkin, nfs, Chris Mason
In-Reply-To: <shs8yyqht9o.fsf@charged.uio.no>
>>>>> " " == Trond Myklebust <trond.myklebust@fys.uio.no> writes:
> Try the appended patch instead:
Duh: typo...
Cheers,
Trond
--- linux-2.4.20-smp/fs/nfs/pagelist.c.orig Fri Nov 29 00:53:15 2002
+++ linux-2.4.20-smp/fs/nfs/pagelist.c Mon Dec 16 17:36:56 2002
@@ -134,9 +134,9 @@
req->wb_cred = NULL;
}
if (req->wb_page) {
+ atomic_dec(&NFS_REQUESTLIST(req->wb_inode)->nr_requests);
page_cache_release(req->wb_page);
req->wb_page = NULL;
- atomic_dec(&NFS_REQUESTLIST(req->wb_inode)->nr_requests);
}
}
@@ -165,8 +165,6 @@
BUG();
if (NFS_WBACK_BUSY(req))
BUG();
- if (atomic_read(&NFS_REQUESTLIST(req->wb_inode)->nr_requests) < 0)
- BUG();
#endif
/* Release struct file or cached credential */
-------------------------------------------------------
This sf.net email is sponsored by:
With Great Power, Comes Great Responsibility
Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
_______________________________________________
NFS maillist - NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
^ permalink raw reply
* [LARTC] HTB steals bandwidth
From: Robert Brueckmann @ 2002-12-16 17:02 UTC (permalink / raw)
To: lartc
Hi!
I just tested my HTB setup. But I have a problem. Let's assume I run the
following script (even if it might do nothing useful, just for demonstrating
my problem):
#!/bin/bash
/usr/sbin/tc qdisc add dev ppp0 root handle 1: htb default 12
/usr/sbin/tc class add dev ppp0 parent 1: classid 1:1 htb rate 125kbit ceil
125kbit
/usr/sbin/tc class add dev ppp0 parent 1:1 classid 1:14 htb rate 125kbit
ceil 125kbit prio 0
iptables -A POSTROUTING -t mangle -o ppp0 -p tcp --dport ftp-data -j
MARK --set-mark 14
tc filter add dev ppp0 parent 1:0 prio 0 protocol ip handle 14 fw flowid
1:14
I have an adsl-connection (768kbit down/128kbit up), Linux kernel 2.4.20.
The script should do nothing to an outgoing ftp-upload, since I grant all
the available bandwith to it. No other traffic is happending during all
that, only one ftp-upload from a computer inside the LAN. I start the upload
without the rules above, and the upload is at a constant maximum of
128kbit/sec. After running the script above and waiting for say 5 seconds,
the upload speed drops down to app. 80 kbit/s! After removing the rules
above, the speed climbs up again to top speed.
Can someone explain to me why this happens? I think I didn't quite
understand HTB...
Thanks,
Robert
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply
* Notification hooks
From: Ben Collins @ 2002-12-16 17:12 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Larry McVoy
Linus, is there anyway I can request a hook so that anything that
changes drivers/ieee1394/ in your repo sends me an email with the diff
for just the files in that directory, and the changeset log? Is this
something that bkbits can do?
I'd bet lots of ppl would like similar hooks for their portions of the
source.
--
Debian - http://www.debian.org/
Linux 1394 - http://www.linux1394.org/
Subversion - http://subversion.tigris.org/
Deqo - http://www.deqo.com/
^ permalink raw reply
* Re: Printer error
From: Ray Olszewski @ 2002-12-16 17:05 UTC (permalink / raw)
To: linux-newbie
In-Reply-To: <3DFD4529.1040700@pghmail.com>
You don't give us much to go on, but since the problems seem to be with
name resolution, I'd suggest you tell us the details of your system as they
relate to that.
First is your networking setup. Are you connected to a LAN or directly to
the internet? (I guess you must be if you are using MapQuest.) If so, how?
More immediately, how does your system do name-to-address resolution? Does
it rely on /etc/hosts? If so, what are the contents of that file? Or does
it use a nameserver? If so, is it accessable? And what are the contents of
the /etc/resolv.conf file?
Does the message really say "local host" rather than "localhost"? What
result do you get if (from the command line) you try "ping localhost"?
How is the printer connected to the PC? Parallel port? Something else?
Although your questions involve generic Linux applications, the form of
your report is specific to RH 8.0. My questions ask for more generic Linux
information, which will permit non-RH users to try to assess your problem.
If you prefer to stick with the RH tools, that's fine ... in that case, I
hope someone else here, someone who does use RH 8.0, pops in with
translations of these suggestions to Red Hat-ese.
Finally, as to your immediate problem ... if the third page of a epecific
document continues to fail to print, while other docs print fine (do they?
you haven't said), i'd suspect something odd about the specific document.
Generically, you need to investigate how general the printing problem is
before we can tackle it systematically.
At 10:14 PM 12/15/02 -0500, Bill Pleasants wrote:
>Hello,
>After installing RH 8.0 in my HP Pentium II, my first successful installation,
>I installed a Brother HL-720 printer. I set it up local. The Printer
>Administration window shows:
>Command: lpr
>
>Driver: Generic Printer (SGENPRT)
>
>Location:
>
>After printing 2 of 3 pages from
>Mapquest, the printer indicated toner out. I replaced the cartridge and
>there was an error light which can be cleared by unplugging the printer
>cable and cycling the printer off. I reset the print queue and the same
>2 pages printed and the error light flashed. Rebooted - same error light.
>Attempts to print additional items failed. Later I entered "lprm" to
>cancel anything pending and got
>"local host IP not available." When I entered
>"/etc/init.d/lpd stop" I got "[FAILED]"
>I repeated it and got
>"[FAILED]"
>"local host IP not available"
>In the panel is a ? which when clicked gives
>"Temporary error in name resolution."
>So far I haven't learned what this IP is about. I would appreciate help.
--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA ray@comarre.com
-------------------------------------------------------------------------------
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
^ permalink raw reply
* Re: [LARTC] total bandwidth ocupied
From: Catalin Bucur @ 2002-12-16 17:06 UTC (permalink / raw)
To: lartc
In-Reply-To: <marc-lartc-104000531807331@msgid-missing>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Adi Nugroho wrote:
| Dear sir/madam,
|
| I discover that bandwidth usage which is limited using htb is about 5
to 10%
| higher than the rate/ceil we set, if we monitor it using iptraf.
|
| I become more confused since I saw, the grafic in HTB homepage are
also show
| more bandwidth than the setting.
|
| My question is:
| * what is the exac value of this over bandwidth?
It depends of burst and cburst values that you (or tc) set. In Devik's
user guide says: "Latest tc tool will compute and set the smallest
possible burst when it is not specified". This means:
minimal_burst=max_rate*timer_resolution
So, for 2Mbit bandwidth on i386, minimal_burst=2Mbit*10ms kbit. This
says the theory, but in real world I saw that this minimal_burst
calculated by tc could be up to 64kbit. Am I missing something?
| * how to make the bandwidth are limited exacly at "x" kbps?
Set a lower value for ceil and a value for cburst thus:
ceil+cburst=limited_bandwidth
- --
Catalin Bucur mailto:cata@geniusnet.ro
NOC @ Genius Network SRL - Galati - Romania
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9/ggIpDe20wwI9oIRApcqAJ94Z53bvrGpAvCUVPO8mmI3eHIV2gCfcwXK
pALs5TiT9dbZf42GNtVBHOc=JRkQ
-----END PGP SIGNATURE-----
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply
* Re: Intel sez: Synchronous Flash and XIP is the future -- thoughts?
From: David Woodhouse @ 2002-12-16 17:38 UTC (permalink / raw)
To: Nicolas Pitre; +Cc: Wolfgang Denk, Paul Nash, Linux-MTD (E-mail)
In-Reply-To: <Pine.LNX.4.44.0212161215550.25780-100000@xanadu.home>
nico@cam.org said:
> On ARM this has no value since the kernel takes up at most 1 or 2
> page table entries (1MB section descriptors that is).
But you could still start up quickly from flash without having to memcpy
the entire kernel into RAM first, then once you're running copy the kernel
text into RAM and alter the page tables so you're running from the RAM copy
instead of the flash.
This gives you the fast startup of XIP without the runtime pain of XIP. But
it's probably overkill.
--
dwmw2
^ permalink raw reply
* Re: 2.5.52 and modules (lots of unresolved symbols)?
From: Gregoire Favre @ 2002-12-16 17:17 UTC (permalink / raw)
To: Alex Goddard; +Cc: linux-kernel
In-Reply-To: <Pine.LNX.4.50L0.0212161114360.1154-100000@dust.ebiz-gw.wintek.com>
On Mon, Dec 16, 2002 at 11:19:00AM +0000, Alex Goddard wrote:
> > I have just patched 2.5.51, and not done the make clean && make mrproper
> > before doing a make menuconfig && make dep && make bzImage && make
> > modules...
> >
> > Will that change anything to make clean/mrproper here?
>
> I would give 'make clean' a try.
I am just doing that right now... I'll wait till completion to report
the issue:
No change, still the same messages :-(
Thank you very much and have a great day,
Grégoire
________________________________________________________________
http://ulima.unil.ch/greg ICQ:16624071 mailto:greg@ulima.unil.ch
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.