This one-line patch fixes the missing export of copy_page introduced
by the cachefile patches. This patch is not yet upstream, but is required
for cachefile on ia64. It will be pushed upstream when cachefile goes
upstream.
Signed-off-by: Prarit Bhargava [EMAIL PROTECTED]
Signed-off-by: David
Display the local caching state in /proc/fs/nfsfs/volumes.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/nfs/client.c |7 ---
fs/nfs/fscache.h | 15 +++
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index be38c3c
Changes to the kernel configuration definitions and to the NFS mount options to
allow the local caching support added by the previous patch to be enabled.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/Kconfig|8
fs/nfs/client.c |2 ++
fs/nfs/internal.h |1
an NFS filesystem to use caching, add an fsc option to the mount:
mount warthog:/ /a -o fsc
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/nfs/Makefile |1
fs/nfs/client.c |5 +
fs/nfs/file.c | 37
fs/nfs/fscache-def.c | 289
-off-by: David Howells [EMAIL PROTECTED]
---
include/linux/pagemap.h |5 +
mm/filemap.c| 18 ++
2 files changed, 23 insertions(+), 0 deletions(-)
diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
index 6a1b317..21c35e2 100644
--- a/include/linux
) to do the honours.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
mm/readahead.c | 39 +--
1 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/mm/readahead.c b/mm/readahead.c
index c9c50ca..75aa6b6 100644
--- a/mm/readahead.c
+++ b/mm/readahead.c
-off-by: David Howells [EMAIL PROTECTED]
---
security/keys/keyctl.c | 38 ++
1 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index d9ca15c..8ec8432 100644
--- a/security/keys/keyctl.c
+++ b
Change current->fs[ug]id to current_fs[ug]id() so that fsgid and fsuid can be
separated from the task_struct.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
arch/ia64/kernel/perfmon.c|4 ++--
arch/powerpc/platforms/cell/spufs/inode.c |4 ++--
drivers/isdn/capi
These patches add local caching for network filesystems such as NFS and AFS.
The patches can roughly be broken down into a number of sets:
(*) 01-keys-inc-payload.diff
(*) 02-keys-search-keyring.diff
(*) 03-keys-callout-blob.diff
Three patches to the keyring code made to help the
routines once the pages have been unlocked as part of the
writeback process. To this end, the PG_error flag is set, then the
PG_writeback flag is cleared, and only *then* can lock_page() be called.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
include/linux/mm.h |5 ++-
mm/truncate.c
Signed-off-by: Al Viro [EMAIL PROTECTED]
---
crypto/fcrypt.c | 88 ---
1 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/crypto/fcrypt.c b/crypto/fcrypt.c
index d161949..a32cb68 100644
--- a/crypto/fcrypt.c
+++
.
Supply a generic implementation for this that uses the write_begin() and
write_end() address_space operations to bind a copy directly into the page
cache.
Hook the Ext2 and Ext3 operations to the generic implementation.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/ext2/inode.c|2
-off-by: David Howells [EMAIL PROTECTED]
---
security/keys/keyctl.c | 38 ++
1 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index d9ca15c..8ec8432 100644
--- a/security/keys/keyctl.c
+++ b
and
2) check whether that top-level keyring is the thing being searched for
Signed-off-by: Kevin Coffman [EMAIL PROTECTED]
Signed-off-by: David Howells [EMAIL PROTECTED]
---
security/keys/keyring.c | 35 +++
1 files changed, 31 insertions(+), 4 deletions(-)
diff
Provide an add_wait_queue_tail() function to add a waiter to the back of a
wait queue instead of the front.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
include/linux/wait.h |2 ++
kernel/wait.c| 18 ++
2 files changed, 20 insertions(+), 0 deletions(-)
diff
to detect this.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/splice.c|2 +-
include/linux/page-flags.h | 38 --
include/linux/pagemap.h| 11 +++
mm/filemap.c | 16
mm/migrate.c
()
request_key_async()
request_key_async_with_auxdata()
Signed-off-by: David Howells [EMAIL PROTECTED]
---
Documentation/keys-request-key.txt | 11 +---
Documentation/keys.txt | 14 +++---
include/linux/key.h|9 ---
security/keys/internal.h
Change current->fs[ug]id to current_fs[ug]id() so that fsgid and fsuid can be
separated from the task_struct.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
arch/ia64/kernel/perfmon.c|4 ++--
arch/powerpc/platforms/cell/spufs/inode.c |4 ++--
drivers/isdn/capi
permission on the key for this function to be
successful.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
Documentation/keys.txt | 21 +++
include/linux/keyctl.h |1 +
include/linux/security.h | 20 +-
security/dummy.c |8 ++
security/keys
be
revalidated.
(5) The writeback-rejection handler now calls cancel_rejected_write() added by
the previous patch to excise the affected pages rather than clearing the
PG_uptodate flag on all the pages.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/afs/fsclient.c |4
Save the operation ID to be used with a call that we're making for display
through /proc/net/rxrpc_calls. This helps debugging stuck operations as we
then know what they are.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/afs/fsclient.c | 32 +++-
fs
, then
page_mkwrite() will flush it before attaching a record of the new key.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/afs/file.c | 20 +++-
fs/afs/internal.h |1 +
fs/afs/write.c| 35 +++
3 files changed, 55 insertions(+), 1 deletions
Stephen Smalley [EMAIL PROTECTED] wrote:
inode_getsecurity and getprocattr directly return the strings.
Admittedly, the whole interface could be cleaned up and made far more
consistent, but I don't think he necessarily has to go through the
getsecid + secid_to_secctx sequence if he only wants
this to be
incorrect. It should probably use security_task_getsecid() instead.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
drivers/usb/core/devio.c |4 ++--
include/linux/security.h | 18 +-
include/linux/selinux.h | 15 ++-
kernel/auditsc.c
-by: David Howells [EMAIL PROTECTED]
---
include/linux/cred.h |1
include/linux/security.h | 33 ++
kernel/cred.c |7 +
security/dummy.c | 11 +
security/selinux/exports.c|6
security/selinux/hooks.c | 497
by update_current_cred() which is
invoked on entry to any system call that might need it.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/buffer.c |3 +++
fs/ioprio.c |3 +++
fs/open.c | 27 +--
fs/proc/array.c
Request a credential record for the named kernel service. This produces a
cred struct with appropriate DAC and MAC controls for effecting that service.
It may be used to override the credentials on a task to do work on that task's
behalf.
Signed-off-by: David Howells [EMAIL PROTECTED
) to do the honours.
Signed-Off-By: David Howells [EMAIL PROTECTED]
---
mm/readahead.c | 40 ++--
1 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/mm/readahead.c b/mm/readahead.c
index 39bf45d..12d1378 100644
--- a/mm/readahead.c
+++ b/mm/readahead.c
Provide an add_wait_queue_tail() function to add a waiter to the back of a
wait queue instead of the front.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
include/linux/wait.h |1 +
kernel/wait.c| 18 ++
2 files changed, 19 insertions(+), 0 deletions(-)
diff
This one-line patch fixes the missing export of copy_page introduced
by the cachefile patches. This patch is not yet upstream, but is required
for cachefile on ia64. It will be pushed upstream when cachefile goes
upstream.
Signed-off-by: Prarit Bhargava [EMAIL PROTECTED]
Signed-Off-By: David
-Off-By: David Howells [EMAIL PROTECTED]
---
include/linux/pagemap.h |5 +
mm/filemap.c| 19 +++
2 files changed, 24 insertions(+), 0 deletions(-)
diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
index d1049b6..452fdcf 100644
--- a/include/linux
Export a number of functions for CacheFiles's use.
Signed-Off-By: David Howells [EMAIL PROTECTED]
---
fs/super.c |2 ++
kernel/auditsc.c |2 ++
2 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/fs/super.c b/fs/super.c
index 28e7370..0e8c0e2 100644
--- a/fs/super.c
Changes to the kernel configuration definitions and to the NFS mount options to
allow the local caching support added by the previous patch to be enabled.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/Kconfig|8
fs/nfs/client.c | 14 ++
fs/nfs
an NFS filesystem to use caching, add an fsc option to the mount:
mount warthog:/ /a -o fsc
Signed-Off-By: David Howells [EMAIL PROTECTED]
---
fs/nfs/Makefile |1
fs/nfs/client.c |5 +
fs/nfs/file.c | 51 ++
fs/nfs/fscache-def.c | 288
Display the local caching state in /proc/fs/nfsfs/volumes.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/nfs/client.c |7 ---
fs/nfs/fscache.h | 12
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 0de4db4
routines once the pages have been unlocked as part of the
writeback process. To this end, the PG_error flag is set, then the
PG_writeback flag is cleared, and only *then* can lock_page() be called.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
include/linux/mm.h |5 ++-
mm/truncate.c
be
revalidated.
(5) The writeback-rejection handler now calls cancel_rejected_write() added by
the previous patch to excise the affected pages rather than clearing the
PG_uptodate flag on all the pages.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/afs/fsclient.c |4
The attached patch makes the kAFS filesystem in fs/afs/ use FS-Cache, and
through it any attached caches. The kAFS filesystem will use caching
automatically if it's available.
Signed-Off-By: David Howells [EMAIL PROTECTED]
---
fs/Kconfig |8 +
fs/afs/Makefile|3
fs/afs
, then
page_mkwrite() will flush it before attaching a record of the new key.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/afs/file.c | 20 +++-
fs/afs/internal.h |1 +
fs/afs/write.c| 35 +++
3 files changed, 55 insertions(+), 1 deletions
Al Viro [EMAIL PROTECTED] wrote:
Umm... Perhaps a better primitive would be make sure that our cred is
not shared with anybody, creating a copy and redirecting reference to
it if needed.
I wanted to make the point that once a cred record was made live - i.e. exposed
to the rest of the system
Changes to the kernel configuration definitions and to the NFS mount options to
allow the local caching support added by the previous patch to be enabled.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/Kconfig|8
fs/nfs/client.c | 14 ++
fs/nfs
an NFS filesystem to use caching, add an fsc option to the mount:
mount warthog:/ /a -o fsc
Signed-Off-By: David Howells [EMAIL PROTECTED]
---
fs/nfs/Makefile |1
fs/nfs/client.c |5 +
fs/nfs/file.c | 51 ++
fs/nfs/fscache-def.c | 288
for this that uses the prepare_write() and
commit_write() address_space operations to bound a copy directly into the page
cache.
Hook the Ext2 and Ext3 operations to the generic implementation.
Signed-Off-By: David Howells [EMAIL PROTECTED]
---
fs/ext2/inode.c|2 +
fs/ext3/inode.c|3
, then
page_mkwrite() will flush it before attaching a record of the new key.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/afs/file.c | 20 +++-
fs/afs/internal.h |1 +
fs/afs/write.c| 35 +++
3 files changed, 55 insertions(+), 1 deletions
The attached patch makes the kAFS filesystem in fs/afs/ use FS-Cache, and
through it any attached caches. The kAFS filesystem will use caching
automatically if it's available.
Signed-Off-By: David Howells [EMAIL PROTECTED]
---
fs/Kconfig |8 +
fs/afs/Makefile|3
fs/afs
This patch set is available for download as a tarball from:
http://people.redhat.com/~dhowells/nfs/nfs+fscache-23.tar.bz2
David
to detect this.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/splice.c|2 +-
include/linux/page-flags.h | 30 +-
include/linux/pagemap.h| 11 +++
mm/filemap.c | 16
mm/migrate.c
) to do the honours.
Signed-Off-By: David Howells [EMAIL PROTECTED]
---
mm/readahead.c | 40 ++--
1 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/mm/readahead.c b/mm/readahead.c
index 39bf45d..12d1378 100644
--- a/mm/readahead.c
+++ b/mm/readahead.c
-by: David Howells [EMAIL PROTECTED]
---
include/linux/cred.h |1
include/linux/security.h | 33 ++
kernel/cred.c |7 +
security/dummy.c | 11 +
security/selinux/exports.c|6
security/selinux/hooks.c | 497
Trond Myklebust [EMAIL PROTECTED] wrote:
So why do you need a new address space operation? AFAICS the generic
implementation will work for pretty much everyone who supports the
existing prepare_write()/commit_write().
Because Christoph decreed that I wasn't allowed to call prepare_write() and
Trond Myklebust [EMAIL PROTECTED] wrote:
This is used by CacheFiles to detect read completion on a page in the
backing filesystem so that it can then copy the data to the waiting netfs
page.
Won't it in any case want to lock the page too?
No. Why would it? All it wants to do is to
David Howells [EMAIL PROTECTED] wrote:
Peter Staubach [EMAIL PROTECTED] wrote:
Did I miss the section where the modified semantics about which
mounted file systems can use the cache and which ones can not
was implemented?
Yes.
fs/nfs/super.c:
case Opt_sharecache
Andrew Morgan [EMAIL PROTECTED] wrote:
OOC If we were to simply drop support for one process changing the
capabilities of another, would we need this patch?
Well, the patch could be less, but there's still the possibility of a kernel
service wanting to override the capabilities mask.
David
-by: David Howells [EMAIL PROTECTED]
---
include/linux/cred.h |1
include/linux/security.h | 34 +++
kernel/cred.c |7 +
security/dummy.c | 11 +
security/selinux/exports.c|6
security/selinux/hooks.c
Hi Al, Christoph, Trond, Stephen, Casey,
Here's a set of patches that implement a very basic set of COW credentials. It
compiles, links and runs for x86_64 with EXT3, (V)FAT, NFS, AFS, SELinux and
keyrings all enabled. Most other filesystems are disabled, apart from things
like proc. It is
Casey Schaufler [EMAIL PROTECTED] wrote:
Move into the cred struct the part of the task security data that defines
how a task acts upon an object. The part that defines how something acts
upon a task remains attached to the task.
This seems to me to be an unnatural and inappropriate
Hi Linus, Al,
Would you object greatly to functions like vfs_mkdir() gaining a security
parameter? What I'm thinking of is this:
int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode,
struct security *security)
Where the security context is the state
Casey Schaufler [EMAIL PROTECTED] wrote:
With Smack you can leave the label alone, raise CAP_MAC_OVERRIDE,
do your business of setting the label correctly, and then drop
the capability. No new hooks required.
That sounds like a contradiction. How can you both leave it alone and set it?
Casey Schaufler [EMAIL PROTECTED] wrote:
I haven't looked into the issues at all and I bet there are plenty,
maybe in audit and places outside of the security realm, but this
looks like a clean approach from the LSM interface standpoint. Do
you want the entire task or just task-security?
It
Stephen Smalley [EMAIL PROTECTED] wrote:
Seems like over-design - we don't need to support LSM stacking, and we
don't need to support pushing/popping more than one level of context.
It will, at some point hopefully, be possible for someone to try, say, NFS
exporting a cached ISO9660 mount
Casey Schaufler [EMAIL PROTECTED] wrote:
(1) int security_get_context(void **_context);
This allocates and gives the caller a blob that describes the current
context of all the LSM module states attached to the current task and
stores a pointer to it in *_context.
Is
Casey Schaufler [EMAIL PROTECTED] wrote:
How would you expect an LSM that is not SELinux to interface with
CacheFiles?
You have to understand that I didn't know that much about the LSM interface,
so I asked advice of the Red Hat security people, who, naturally, pointed me
at the SELinux
Casey Schaufler [EMAIL PROTECTED] wrote:
Grumble. Yet another thing to undo in the near future. I still
hope to suggest what I would consider a viable alternative soon.
Use a struct key with the overrides attached? The key can be generated by
SELinux or whatever module is there.
David