プログラミングキャンプに参加すると特別講義が聴けるという事で許して(8人しか参加できんけど)
そろそろ今月のKernel Watchについて一言いっとくか
プログラミングキャンプに参加すると特別講義が聴けるという事で許して(8人しか参加できんけど)
Gitweb: http://git.kernel.org/linus/90a09c9cf78344d18e2438c3b87363b949629fa3
Commit: 90a09c9cf78344d18e2438c3b87363b949629fa3
Parent: 658874f05d040ca96eb5ba9b1c30ce0ff287d762
Author: Linus Torvalds
AuthorDate: Thu Jul 30 16:40:37 2009 -0700
Committer: Linus Torvalds
CommitDate: Thu Jul 30 16:40:37 2009 -0700
Alan doesn't want to maintain tty code any more
Not that anybody can blame him. It's a morass. But hey, it's way
better than it _used_ to be, though, so thanks for all the fish.
Signed-off-by: Linus Torvalds
---
MAINTAINERS | 7 ++-----
1 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index 66a3865..79471ba 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -155,10 +155,9 @@ S: Maintained
F: drivers/net/r8169.c
8250/16?50 (AND CLONE UARTS) SERIAL DRIVER
-M: Alan Cox
L: linux-serial@vger.kernel.org
W: http://serial.sourceforge.net
-S: Odd Fixes
+S: Orphan
F: drivers/serial/8250*
F: include/linux/serial_8250.h
@@ -4997,9 +4996,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial.git
S: Maintained
TTY LAYER
-M: Alan Cox
-S: Maintained
-T: stgit http://zeniv.linux.org.uk/~alan/ttydev/
+S: Orphan
F: drivers/char/tty_*
F: drivers/serial/serial_core.c
F: include/linux/serial_core.h
--
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
# Page 801
CAF TWO # WCHPHASE = 2 ---> VERTICAL: P65,P66,P67
TS WCHPHOLD
TS WCHPHASE
TC BANKCALL # TEMPORARY, I HOPE HOPE HOPE
CADR STOPRATE # TEMPORARY, I HOPE HOPE HOPE
TC DOWNFLAG # PERMIT X-AXIS OVERRIDE
ADRES XOVINFLG
TC DOWNFLAG
ADRES REDFLAG
TCF VERTGUID
テンポラリのコードのまま月まで行ってはる!
Gidday,
The Linux man-pages maintainer proudly announces:
man-pages-3.22.tar.gz - man pages for Linux
This release is now available for download at:
http://www.kernel.org/pub/linux/docs/man-pages
or ftp://ftp.kernel.org/pub/linux/docs/man-pages
The online changelog is available at
http://www.kernel.org/doc/man-pages/changelog.html
(blogged at
http://linux-man-pages.blogspot.com/2009/07/man-pages-322-is-released.html )
and the current version of the pages is browsable at
http://www.kernel.org/doc/man-pages/
You are receiving this message either because:
a) You contributed to the content of this release.
b) You are subscribed to linux-man@vger.kernel.org (*).
c) I have information (possibly inaccurate) that you are the maintainer of
a translation of the manual pages, or are the maintainer of the manual
pages set in a particular distribution, or have expressed interest in
helping with man-pages maintenance, or have otherwise expressed interest in
being notified about man-pages releases. If you don't want to receive such
messages from me, or you know of some other translator or maintainer who
may want to receive such notifications, send me a message.
Cheers,
Michael
==================== Changes in man-pages-3.22 ====================
Released: 2009-07-25, Munich
Contributors
------------
The following people contributed notes, ideas, or patches that have
been incorporated in changes in this release:
Adrian Dewhurst
Alexander Lamaison
Bryan Østergaard
Christopher Head
Doug Goldstein
Florentin Duneau
Gokdeniz Karadag
Jeff Moyer
KOSAKI Motohiro
Lucian Adrian Grijincu
Mark Hills
Michael Kerrisk
Mike Frysinger
Petr Baudis
Reimar Döffinger
Ricardo Garcia
Rui Rlex
Shachar Shemesh
Tolga Dalman
ku roi
sobtwmxt
Apologies if I missed anyone!
Changes to individual pages
---------------------------
clone.2
Michael Kerrisk
Rewrite crufty text about number of args in older version of clone()
Some bit rot had crept in regarding the discussion of the
number of arguments in older versions of this syscall.
Simplify the text to just say that Linux 2.4 and earlier
didn't have ptid, tls, and ctid arguments.
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=533868
Michael Kerrisk
Fix version number for CLONE_NEWIPC
It's 2.6.19, not 2.4.19.
Michael Kerrisk
Fix errors in argument names in text (ptid, ctd)
execve.2
Mike Frysinger
Remove erroneous statement that pending signal set is cleared
on execve(2).
fcntl.2
Michael Kerrisk
The kernel source file mandatory.txt is now mandatory-locking.txt
Michael Kerrisk
The Documentation/* files are now in Documentation/filesystems
flock.2
Michael Kerrisk
Remove unneeded reference to Documentation/mandatory.txt
Mandatory locks are only implemented by fcntl() locking
Michael Kerrisk
The Documentation/* files are now in Documentation/filesystems
fork.2
Jeff Moyer
Document fork() behaviour for the Linux native AIO io_context
It was noted on lkml that the fork behaviour is documented
for the POSIX AIO calls, but not for the Linux native calls.
Here is a patch which adds a small blurb that folks will
hopefully find useful.
Upon fork(), the child process does not inherit the
io_context_t data structures returned by io_setup,
and thus cannot submit further asynchronous I/O or
reap event completions for said contexts.
getdents.2
Michael Kerrisk
The d_type field is fully supported on Btrfs
mount.2
Michael Kerrisk
Document MS_STRICTATIME, update description of MS_RELATIME
Starting with Linux 2.6.30, the MS_RELATIME behavior became
the default, and MS_STRICTATIME is required to obtain the
traditional semantics.
poll.2
Michael Kerrisk
Remove EBADF error from ERRORS
As reported by Motohiro:
"man poll" describe this error code.
>ERRORS
> EBADF An invalid file descriptor was given in one of the sets.
but current kernel implementation ignore invalid file descriptor,
not return EBADF.
...
In the other hand, SUSv3 talk about
> POLLNVAL
> The specified fd value is invalid. This flag is only valid in the
> revents member; it shall ignored in the events member.
and
> If the value of fd is less than 0, events shall be ignored, and
> ireevents shall be set to 0 in that entry on return from poll().
but, no desribe EBADF.
(see
http://www.opengroup.org/onlinepubs/009695399/functions/poll.html)
So, I think the implementation is correct.
Why don't we remove EBADF description?
sigaction.2
Michael Kerrisk
EWxpand description of si_utime and si_stime fields of siginfo_t
stat.2
Michael Kerrisk
Improve wording of ENOTDIR error
syscalls.2
Michael Kerrisk
Ad preadv() and pwritev(), new in kernel 2.6.30
wait.2
Gokdeniz Karadag
Document CLD_DUMPED and CLD_TRAPPED si_code values
daemon.3
Michael Kerrisk
Clarify discussion of 'noclose' and 'nochdir' arguments
ffs.3
Petr Baudis
SEE ALSO: add memchr(3)
fmemopen.3
Petr Baudis
Relocate BUGS section to correct position
Petr Baudis
NOTES: there is no file descriptor associated with the returned stream
Alexander Lamaison pointed out that this is not obvious
from the documentation, citing an example with passing the
FILE * handle to a function that tries to fstat() its
fileno() in order to determine the buffer size.
Michael Kerrisk
CONFORMING TO: remove note that these functions are GNU extensions
That sentence is now redundant, since these functions
are added in POSIX.1-2008.
lockf.3
Michael Kerrisk
Clarify relationship between fcntl() and lockf() locking
memchr.3
Petr Baudis
SEE ALSO: add ffs(3)
readdir.3
Michael Kerrisk
The d_type field is fully supported on Btrfs
setjmp.3
Mike Frysinger
Fix typo and clarify RETURN description
The word "signal" was duplicated in NOTES, and the RETURN
section refers to setjmp() and sigsetjmp(), and mentions
longjmp(), but not siglongjmp().
strcmp.3
Petr Baudis
SEE ALSO: add strverscmp(3)
strcpy.3
Mark Hills
SEE ALSO: Add strdup(3)
complex.7
Michael Kerrisk
Add missing header file for example program
Reimar Döffinger
Fix type used in example code
man complex (from release 3.18) contains the following code:
complex z = cexp(I * pi);
Reading the C99 standard, "complex" is not a valid type,
and several compilers (Intel ICC, ARM RVCT) will refuse to compile.
It should be
double complex z = cexp(I * pi); instead.
environ.7
Michael Kerrisk
Note that last element in environ array is NULL
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528628
Michael Kerrisk
Wording fixes
mq_overview.7
Michael Kerrisk
Note that mkdir and mount commands here need superuser privilege
Michael Kerrisk
Fix example showing contents of /dev/mqueue file
standards.7
Michael Kerrisk
Remove references to dated books
Gallmeister and Lewine are rather old books. Probably,
there are better books to consult nowadays, and anyway,
this man page isn't intended to be a bibliography.
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Watch my Linux system programming book progress to publication!
http://blog.man7.org/
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Watch my Linux system programming book progress to publication!
http://blog.man7.org/
Hi all,
I'm happy to announce, that after many months of discussions, Microsoft
has released their Hyper-V Linux drivers under the GPLv2. Following
this message, will be the patches that add the drivers to the
drivers/staging/ tree, and a whole bunch of cleanups.
It's taken a long road to get here, and I'd like to thank the following
people who made this possible:
- Steve Hemminger for the initial prodding and extreme patience
- Hank Janssen for providing the code and working with me to get it
into a workable and semi-mergable state. His involvement within
Microsoft was also invaluable.
- Sam Ramji for his push within Microsoft to make this happen in a
manner that works with the Linux community.
- Novell for sponsoring my work on the Linux Driver project, without
which, this would not have even been possible.
And there are many others both within Novell and Microsoft, who I do not
want to slight by not naming, but the list would be too long to go into.
These drivers are to enable Linux to work better when running as a guest
on top of the Hyper-V system. There is still a lot of work to do in
getting this into "proper" mergable state, and moving it out of the
staging directory, but Hank and I will be undertaking this task. See
the TODO file in the drivers/staging/hv/ directory if anyone wishes to
help out with this task.
The code should be showing up in the linux-next tree soon, as the
patches are now in my public tree.
If anyone has any questions about this code, please let me and Hank know
about it.
thanks,
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Subject: mmap_min_addr and your local LSM (ok, just SELinux)
From Eric Paris <eparis@redhat.com>
Brad Spengler recently pointed out that the SELinux decision on how to
handle mmap_min_addr in some ways weakens system security vs on a system
without SELinux (and in other ways can be stronger). There is a trade
off and a reason I did what I did but I would like ideas and discussion
on how to get the best of both worlds.
With SELinux mapping the 0 page requires an SELinux policy permission,
mmap_zero. Without SELinux mapping the 0 page requires CAP_SYS_RAWIO.
Note that CAP_SYS_RAWIO roughly translates to uid=0 since noone really
does interesting things with capabilities.
The main problem is WINE. I'm told that WINE needs to map the 0 page to
support 16bit applications. On distros without SELinux users must
disable the mmap_min_addr protections for the ENTIRE system if they want
to run WINE.
http://wiki.winehq.org/PreloaderPageZeroProblem
I believe (from reading mailing lists) if you install WINE on ubuntu it
automatically disables these protections. Thus installing wine on
ubuntu disables ALL hardening gains of the mmap_min_addr.
On Fedora, with SELinux, we allow users to run WINE in a domain that has
the SELinux mmap_zero permission and thus other programs/domains, do not
have security weakened. Your daemons, like the web server, are still
unable to map the 0 page. This is different than distros without
SELinux, remember they have to disable protection globally.
But logged in users (by default), under SELinux, are 'unconfined' and
can by their very nature run their program in a domain that allows
mmap_zero. Trying to 'confine' the 'unconfined' user with SELinux is an
open problem which we don't currently even reasonably attempt address on
a broad scale. It's like besieging the user in a gentle mist of water
hoping they won't try to escape.
So in Fedora your web server is a harder entry point to exploit kernel
NULL pointer bugs, but you have no protections against a malicious user.
On Ubuntu if you install WINE your web server and your logged in users
have no hardening. If you do not install WINE non-root is hardened,
anything running as root is not (aka suid apps, aka pulseaudio).
So I was thinking today, wondering how to get the best (or at least
better) of both worlds on an SELinux system. I was considering adding a
second mmap_min_addr_lsm which would typically be equal to
mmap_min_addr. The purpose would be to allow the sysadmin to
individually control DAC/LSM protections. The security checks would
turn (sort of) into
if (addr < mmap_min_addr)
ret |= capable(CAP_SYS_RAWIO);
if (addr < mmap_min_addr_lsm)
ret |= [insert LSM check here]
So on a non-SELinux system users would end up with exactly what they
have today. if you want to run WINE as a normal user you have to set
mmap_min_addr = 0 and then you no longer need CAP_SYS_RAWIO. Not much
else we can do if your distro down support fine grained permissions.
On an SELinux system what this lets me do is default to a stricter
setup, one in which you have to have both CAP_SYS_RAWIO and the selinux
mmap_zero permission. You, out of the box, get protection for both your
malicious logged in user and your web server. Then if a user decides to
run WINE they would turn down mmap_min_addr. This would remove the
requirement that they are root, and leave the system vulnerable to a
malicious user, but would still allow SELinux to protect confined
domains and daemons.
Does anyone see a better way to let users continue to be users while
protecting most people? Yes SELinux is stronger in some areas than
without confining the ability to map the 0 page, but as has be rightly
pointed out it's foolish an broken that SELinux can weaken any
protections.
-Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
I haven't seen a better idea so far.
I strongly believe that we need to maintain the principle, in SELinux and
LSM generally, that the interface is restrictive, i.e. that it can only
further restrict access. It should be impossible, from a design point of
view at least, for any LSM module to authorize more privilege than
standard DAC. This has always been a specific design goal of LSM. (The
capability module is an exception, as it has a fixed security policy and
implements legacy DAC behavior; there's no way to "fix" this).
In this case, we're not dealing with a standard form of access control,
where access to a userland object is being mediated. We're trying to
mediate the ability of a subject to bypass a separate mechanism which aims
to protect the kernel itself from attack via a more fundamental system
flaw. The LSM module didn't create that vulnerability directly, but it
must not allow the vulnerability to be more easily exploited.
The security policy writer should have a guarantee that the worst mistake
they can make is to mess up their own security model; if they can mess up
the base DAC security with MAC policy, we break that guarantee. There's
also an issue of user confidence in the LSM modules, in that they should
not be any worse off security-wise if they enable an enhanced protection
mechanism.
This does not account for kernel bugs in the LSM modules themselves,
obviously, but the same can be said for any kernel code, albeit with less
irony.
Subject: [PATCH 1/2] VM/SELinux: require CAP_SYS_RAWIO for all mmap_zero operations
Currently non-SELinux systems need CAP_SYS_RAWIO for an application to mmap
the 0 page. On SELinux systems they need a specific SELinux permission,
but do not need CAP_SYS_RAWIO. This has proved to be a poor decision by
the SELinux team as, by default, SELinux users are logged in unconfined and
thus a malicious non-root has nothing stopping them from mapping the 0 page
of virtual memory.
On a non-SELinux system, a malicious non-root user is unable to do this, as
they need CAP_SYS_RAWIO.
This patch checks CAP_SYS_RAWIO for all operations which attemt to map a
page below mmap_min_addr.
Signed-off-by: Eric Paris
---
include/linux/security.h | 2 --
mm/mmap.c | 10 ++++++++++
mm/mremap.c | 8 ++++++++
mm/nommu.c | 3 +++
security/capability.c | 2 --
5 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 1459091..f7d198a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2197,8 +2197,6 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
unsigned long addr,
unsigned long addr_only)
{
- if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
- return -EACCES;
return 0;
}
diff --git a/mm/mmap.c b/mm/mmap.c
index 34579b2..37fdc90 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1047,6 +1047,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
}
}
+ if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
+ return -EACCES;
+
error = security_file_mmap(file, reqprot, prot, flags, addr, 0);
if (error)
return error;
@@ -1657,6 +1660,10 @@ static int expand_downwards(struct vm_area_struct *vma,
return -ENOMEM;
address &= PAGE_MASK;
+
+ if ((address < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
+ return -EACCES;
+
error = security_file_mmap(NULL, 0, 0, 0, address, 1);
if (error)
return error;
@@ -1998,6 +2005,9 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
if (is_hugepage_only_range(mm, addr, len))
return -EINVAL;
+ if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
+ return -EACCES;
+
error = security_file_mmap(NULL, 0, 0, 0, addr, 1);
if (error)
return error;
diff --git a/mm/mremap.c b/mm/mremap.c
index a39b7b9..066e73d 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -299,6 +299,10 @@ unsigned long do_mremap(unsigned long addr,
if ((addr <= new_addr) && (addr+old_len) > new_addr)
goto out;
+ ret = -EACCES;
+ if ((new_addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
+ goto out;
+
ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
if (ret)
goto out;
@@ -407,6 +411,10 @@ unsigned long do_mremap(unsigned long addr,
goto out;
}
+ ret = -EACCES;
+ if ((new_addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
+ goto out;
+
ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
if (ret)
goto out;
diff --git a/mm/nommu.c b/mm/nommu.c
index 53cab10..c1f3eff 100644
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -995,6 +995,9 @@ static int validate_mmap_request(struct file *file,
}
/* allow the security API to have its say */
+ if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
+ return -EACCES;
+
ret = security_file_mmap(file, reqprot, prot, flags, addr, 0);
if (ret < 0)
return ret;
diff --git a/security/capability.c b/security/capability.c
index f218dd3..a3a5d9b 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -334,8 +334,6 @@ static int cap_file_mmap(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags,
unsigned long addr, unsigned long addr_only)
{
- if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
- return -EACCES;
return 0;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Subject: [PATCH 2/2] SELinux: selinux_file_mmap always enforce mapping the 0 page
Currently SELinux enforcement of controls on the ability to map the 0 page
is determined by the mmap_min_addr tunable. This patch causes SELinux to
ignore the tunable and to always (but ONLY) protect the 0 page.
The tunable will now only control the need for CAP_SYS_RAWIO and SELinux
permissions will always protect the 0 page based on it's mmap_zero
permission.
This allows users who need to disable the mmap_min_addr controls (usual reason
being they run WINE as a non-root user) to do so and still have SELinux
controls preventing confined domains (like a web server) from being able to
map the 0 page.
Note: the additional SELinux restriction will now ONLY protect the 0 page.
CAP_SYS_RAWIO will protect anything between 0 and mmap_min_addr, but SELinux
will only protect between 0 and PAGE_SIZE.
Signed-off-by: Eric Paris
---
include/linux/security.h | 1 -
security/selinux/hooks.c | 2 +-
2 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index f7d198a..de774f7 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -91,7 +91,6 @@ struct seq_file;
extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
extern int cap_netlink_recv(struct sk_buff *skb, int cap);
-extern unsigned long mmap_min_addr;
/*
* Values used in the task_security_ops calls
*/
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e65677d..7bbac1d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3034,7 +3034,7 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
int rc = 0;
u32 sid = current_sid();
- if (addr < mmap_min_addr)
+ if (addr < PAGE_SIZE)
rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
MEMPROTECT__MMAP_ZERO, NULL);
if (rc || addr_only)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/