linux.kernel - 26 new messages in 18 topics - digest
linux.kernel
http://groups.google.com/group/linux.kernel?hl=en
Today's topics:
* TOMOYO: Update Kconfig and Makefile. - 6 messages, 1 author
http://groups.google.com/group/linux.kernel/t/537ea6b848cb95a9?hl=en
* nfs mount breakage as of 8a0382f6f - 2 messages, 2 authors
http://groups.google.com/group/linux.kernel/t/af47e232674ef06f?hl=en
* 2.6.32 regression (bisected): Video tearing/glitching with T400 laptops - 1
messages, 1 author
http://groups.google.com/group/linux.kernel/t/35c7c9075eb0fc78?hl=en
* Userspace RCU: (ab)using futexes to save cpu cycles and energy - 1 messages,
1 author
http://groups.google.com/group/linux.kernel/t/875675487e701adb?hl=en
* 2.6.32-rc1: various BUGs on resume from hibernation - 1 messages, 1 author
http://groups.google.com/group/linux.kernel/t/7e2744e176559776?hl=en
* Added PR_SET_PROCTITLE_AREA option for prctl() - 2 messages, 1 author
http://groups.google.com/group/linux.kernel/t/240edeea1df86ee5?hl=en
* i686 quirk for AMD Geode - 1 messages, 1 author
http://groups.google.com/group/linux.kernel/t/bef36aec450907c0?hl=en
* battery: Fix charge_now returned by broken batteries - 2 messages, 2 authors
http://groups.google.com/group/linux.kernel/t/622ce7b9c61d8939?hl=en
* x86, pci: Correct spelling in a comment - 1 messages, 1 author
http://groups.google.com/group/linux.kernel/t/00040c20db7cba7a?hl=en
* Disassociating atheros wlan with 2.6.31 - 1 messages, 1 author
http://groups.google.com/group/linux.kernel/t/38ef5637babc364d?hl=en
* futex: Fix locking imbalance - 1 messages, 1 author
http://groups.google.com/group/linux.kernel/t/ccab234928070dfe?hl=en
* Kconfig: Remove useless and sometimes wrong comments - 1 messages, 1 author
http://groups.google.com/group/linux.kernel/t/0ea625c9f4db6a33?hl=en
* Do we support ioprio on SSDs with NCQ (Was: Re: IO scheduler based IO
controller V10) - 1 messages, 1 author
http://groups.google.com/group/linux.kernel/t/49d2360a22af8898?hl=en
* NULL pointer dereference at cfq_exit_single_io_context - 1 messages, 1
author
http://groups.google.com/group/linux.kernel/t/169a935044828023?hl=en
* visual_init(): Caught 32-bit read from unallocated memory (bf820028) - 1
messages, 1 author
http://groups.google.com/group/linux.kernel/t/3e398cd506ffd2b8?hl=en
* this_cpu: X86 optimized this_cpu operations - 1 messages, 1 author
http://groups.google.com/group/linux.kernel/t/30a889bde0a27b86?hl=en
* futex question - 1 messages, 1 author
http://groups.google.com/group/linux.kernel/t/e645544a893657af?hl=en
* 2.6.31: access permission filesystem 0.23 - 1 messages, 1 author
http://groups.google.com/group/linux.kernel/t/0f297222eedba33b?hl=en
==============================================================================
TOPIC: TOMOYO: Update Kconfig and Makefile.
http://groups.google.com/group/linux.kernel/t/537ea6b848cb95a9?hl=en
==============================================================================
== 1 of 6 ==
Date: Sun, Oct 4 2009 6:10 am
From: Tetsuo Handa
This patch switches from TOMOYO 2.2.0 to TOMOYO 2.3.0.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
security/tomoyo/Kconfig | 67 +++++++++++++++++++++++++++++++++++++++++++++++
security/tomoyo/Makefile | 2 -
2 files changed, 68 insertions(+), 1 deletion(-)
--- security-testing-2.6.orig/security/tomoyo/Kconfig
+++ security-testing-2.6/security/tomoyo/Kconfig
@@ -3,9 +3,76 @@ config SECURITY_TOMOYO
depends on SECURITY
select SECURITYFS
select SECURITY_PATH
+ select SECURITY_NETWORK
default n
help
This selects TOMOYO Linux, pathname-based access control.
Required userspace tools and further information may be
found at <http://tomoyo.sourceforge.jp/>.
If you are unsure how to answer this question, answer N.
+
+config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY
+ int "Default maximal count for learning mode"
+ default 2048
+ range 0 2147483647
+ depends on SECURITY_TOMOYO
+ help
+ This is the default value for maximal ACL entries
+ that are automatically appended into policy at "learning mode".
+ Some programs access thousands of objects, so running
+ such programs in "learning mode" dulls the system response
+ and consumes much memory.
+ This is the safeguard for such programs.
+
+config SECURITY_TOMOYO_BUILTIN_INITIALIZERS
+ string "Built-in domain initializer programs"
+ default "/sbin/modprobe /sbin/hotplug"
+ depends on SECURITY_TOMOYO
+ ---help---
+ Some programs are executed from initrd/initramfs before /sbin/init
+ starts.
+
+ Since policy is loaded when /sbin/init starts, it is impossible to
+ run such programs outside the <kernel> domain. Usually it is fine.
+
+ But if such programs continue running when /sbin/init starts, such
+ programs will reside in the <kernel> domain.
+ If such programs executes /bin/sh , you will give the <kernel> domain
+ permission to execute /bin/sh ; I think you don't want to do so.
+
+ This option allows you to chase such programs away from the <kernel>
+ domain so that you won't give the <kernel> domain permission to
+ execute /bin/sh .
+
+config SECURITY_TOMOYO_AUDIT
+ bool "Auditing interface support"
+ default y
+ depends on SECURITY_TOMOYO
+ help
+ This option enables /sys/kernel/security/tomoyo/grant_log and /sys/kernel/security/tomoyo/reject_log
+ interfaces. You may disable these interfaces if you want to apply for
+ HDD-less systems (e.g. embedded systems).
+
+config SECURITY_TOMOYO_MAX_GRANT_LOG
+ int "Default maximal count for grant log"
+ default 1024
+ range 0 2147483647
+ depends on SECURITY_TOMOYO_AUDIT
+ help
+ This is the default value for maximal entries for
+ access grant logs that the kernel can hold on memory.
+ You can read the log via /sys/kernel/security/tomoyo/grant_log.
+ If you don't need access grant logs,
+ you may set this value to 0.
+
+config SECURITY_TOMOYO_MAX_REJECT_LOG
+ int "Default maximal count for reject log"
+ default 1024
+ range 0 2147483647
+ depends on SECURITY_TOMOYO_AUDIT
+ help
+ This is the default value for maximal entries for
+ access reject logs that the kernel can hold on memory.
+ You can read the log via /sys/kernel/security/tomoyo/reject_log.
+ If you don't need access reject logs,
+ you may set this value to 0.
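Review bot: The SECURITY_TOMOYO_BUILTIN_INITIALIZERS entry uses `---help---` while every other entry in this hunk uses `help`; pick one form for the whole file. The help text for SECURITY_TOMOYO_AUDIT has one line far past 80 columns (`This option enables /sys/kernel/security/tomoyo/grant_log and /sys/kernel/security/tomoyo/reject_log`) that should be wrapped, and "if you want to apply for HDD-less systems" reads oddly; "if you want to use TOMOYO on HDD-less systems" says what is meant. In the BUILTIN_INITIALIZERS help, "If such programs executes /bin/sh" should be "execute". On substance, two things are missing: the new `select SECURITY_NETWORK` is the only change to the existing SECURITY_TOMOYO entry yet the commit message does not say why it is needed (the features in 2.3.0 that require the socket hooks should be named), and the format of the BUILTIN_INITIALIZERS string (space-separated absolute pathnames, judging from the default "/sbin/modprobe /sbin/hotplug") is only implied by the default value; state it in the help text, since nothing in this hunk says how the string is parsed.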
--- security-testing-2.6.orig/security/tomoyo/Makefile
+++ security-testing-2.6/security/tomoyo/Makefile
@@ -1 +1 @@
-obj-y = common.o realpath.o tomoyo.o domain.o file.o
+obj-y = address_group.o gc.o mount.o new-file.o path_group.o audit.o environ.o load_policy.o network.o new-realpath.o securityfs_if.o util.o capability.o condition.o memory.o new-domain.o number_group.o policy_io.o lsm.o
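Review bot: Bisectability: this Makefile now lists address_group.o, gc.o, mount.o, new-file.o, ..., lsm.o, but none of those sources is added by this patch (securityfs_if.c, for one, only arrives in 2 of 6), so the tree does not build with only patch 1 applied; either squash the Kconfig/Makefile change into the last patch of the series or add each object as its source lands. The single `obj-y =` line with nineteen objects is also hard to review and to merge; split it one object per line with `\` continuations, e.g. `obj-y = address_group.o \` followed by one name per line. Names like new-file.o, new-realpath.o and new-domain.o next to the removed file.o, realpath.o and domain.o look like temporary names; if the old files are being replaced, renaming them back to file.o etc. in the final series avoids a `new-` prefix living in the tree.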
--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
== 2 of 6 ==
Date: Sun, Oct 4 2009 6:10 am
From: Tetsuo Handa
This patch contains code for creating the /sys/kernel/security/tomoyo/ interface.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
security/tomoyo/securityfs_if.c | 148 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 148 insertions(+)
--- /dev/null
+++ security-testing-2.6/security/tomoyo/securityfs_if.c
@@ -0,0 +1,148 @@
+/*
+ * security/tomoyo/securityfs_if.c
+ *
+ * Copyright (C) 2005-2009 NTT DATA CORPORATION
+ */
+#include "internal.h"
+
+/**
+ * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
+ *
+ * @inode: Pointer to "struct inode".
+ * @file: Pointer to "struct file".
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tomoyo_open(struct inode *inode, struct file *file)
+{
+ const int key = ((u8 *) file->f_path.dentry->d_inode->i_private)
+ - ((u8 *) NULL);
+ return tomoyo_open_control(key, file);
+}
+
+/**
+ * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
+ *
+ * @inode: Pointer to "struct inode".
+ * @file: Pointer to "struct file".
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tomoyo_release(struct inode *inode, struct file *file)
+{
+ return tomoyo_close_control(file);
+}
+
+/**
+ * tomoyo_poll - poll() for /sys/kernel/security/tomoyo/ interface.
+ *
+ * @file: Pointer to "struct file".
+ * @wait: Pointer to "poll_table".
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static unsigned int tomoyo_poll(struct file *file, poll_table *wait)
+{
+ return tomoyo_poll_control(file, wait);
+}
+
+/**
+ * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
+ *
+ * @file: Pointer to "struct file".
+ * @buf: Pointer to buffer.
+ * @count: Size of @buf.
+ * @ppos: Unused.
+ *
+ * Returns bytes read on success, negative value otherwise.
+ */
+static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count,
+ loff_t *ppos)
+{
+ return tomoyo_read_control(file, buf, count);
+}
+
+/**
+ * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
+ *
+ * @file: Pointer to "struct file".
+ * @buf: Pointer to buffer.
+ * @count: Size of @buf.
+ * @ppos: Unused.
+ *
+ * Returns @count on success, negative value otherwise.
+ */
+static ssize_t tomoyo_write(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ return tomoyo_write_control(file, buf, count);
+}
+
+/* Operations for /sys/kernel/security/tomoyo/interface. */
+static const struct file_operations tomoyo_operations = {
+ .open = tomoyo_open,
+ .release = tomoyo_release,
+ .poll = tomoyo_poll,
+ .read = tomoyo_read,
+ .write = tomoyo_write,
+};
+
+/**
+ * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
+ *
+ * @name: The name of the interface file.
+ * @mode: The permission of the interface file.
+ * @parent: The parent directory.
+ * @key: Type of interface.
+ *
+ * Returns nothing.
+ */
+static void __init tomoyo_create_entry(const char *name, const mode_t mode,
+ struct dentry *parent, const u8 key)
+{
+ securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key,
+ &tomoyo_operations);
+}
+
+/**
+ * tomoyo_securityfs_init - Initialize /sys/kernel/security/tomoyo/ interface.
+ *
+ * Returns 0.
+ */
+static int __init tomoyo_securityfs_init(void)
+{
+ struct dentry *tomoyo_dir;
+ if (!tomoyo_registered)
+ return 0;
+ tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
+ tomoyo_create_entry("query", 0600, tomoyo_dir,
+ TOMOYO_QUERY);
+ tomoyo_create_entry("domain_policy", 0600, tomoyo_dir,
+ TOMOYO_DOMAINPOLICY);
+ tomoyo_create_entry("exception_policy", 0600, tomoyo_dir,
+ TOMOYO_EXCEPTIONPOLICY);
+#ifdef CONFIG_SECURITY_TOMOYO_AUDIT
+ tomoyo_create_entry("grant_log", 0400, tomoyo_dir,
+ TOMOYO_GRANTLOG);
+ tomoyo_create_entry("reject_log", 0400, tomoyo_dir,
+ TOMOYO_REJECTLOG);
+
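Review bot: tomoyo_securityfs_init() never checks the return value of securityfs_create_dir(): on failure it yields an ERR_PTR (or NULL), and that value is then passed as `parent` to every tomoyo_create_entry() call; test it with IS_ERR()/NULL and bail out, and since tomoyo_create_entry() also drops the result of securityfs_create_file(), consider returning it so init can report a failed entry. In tomoyo_open(), `inode` is already a parameter, so `file->f_path.dentry->d_inode->i_private` can simply be `inode->i_private`; the `((u8 *) ...) - ((u8 *) NULL)` subtraction there and its `((u8 *) NULL) + key` counterpart in tomoyo_create_entry() are pointer arithmetic on a null pointer, which is undefined in C even though it works on every kernel target, and `(unsigned long) inode->i_private` / `(void *) (unsigned long) key` express the same thing without it. The kernel-doc for tomoyo_poll() says "Returns 0 on success, negative value otherwise", but a poll method returns a POLL* mask; fix the comment. tomoyo_read() and tomoyo_write() both ignore @ppos, so set `.llseek = no_llseek` in tomoyo_operations rather than letting the default lseek silently succeed on a stream interface. Finally, the 0600/0400 modes only restrict which users may open these files; nothing in this hunk shows the policy-manager check that actually gates writes to domain_policy and exception_policy, so the commit message should say where (presumably tomoyo_open_control()) that check lives.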