Age | Commit message | Author |
|
This fixes CVE-2016-0728.
If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.
This can be tested with the following program:
    #include <stddef.h>
    #include <stdio.h>
    #include <sys/types.h>
    #include <keyutils.h>

    int main(int argc, const char *argv[])
    {
        int i = 0;
        key_serial_t serial;

        serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
                        "leaked-keyring");
        if (serial < 0) {
            perror("keyctl");
            return -1;
        }

        if (keyctl(KEYCTL_SETPERM, serial,
                   KEY_POS_ALL | KEY_USR_ALL) < 0) {
            perror("keyctl");
            return -1;
        }

        for (i = 0; i < 100; i++) {
            serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
                            "leaked-keyring");
            if (serial < 0) {
                perror("keyctl");
                return -1;
            }
        }

        return 0;
    }
If, after the program has run, there is something like the following line in
/proc/keys:
    3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning. If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.
Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Bug: 26692844
(cherry picked from commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2)
Signed-off-by: Kees Cook <keescook@google.com>
Change-Id: I8e82764df4f20ffb3f0a1f0a0784d913dda6fa68
(cherry picked from commit fc4f48998ed66f064b61d2298d63a5239a5265dd)
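The /proc/keys check that the commit message above describes can be scripted. This is an added example, not part of the commit or of the kernel tree; the function names keyring_usage and max_keyring_usage are hypothetical, and the field order is assumed from the sample line quoted in the message.

```c
#include <stdio.h>
#include <string.h>

/* Return the usage count if `line` is a /proc/keys entry for a keyring whose
 * description is exactly `name`; return -1 for any other or malformed line.
 * Field order assumed from the sample line in the commit message:
 * serial flags usage expiry perm uid gid type description: summary */
long keyring_usage(const char *line, const char *name)
{
    unsigned int serial, perm;
    char flags[16], expiry[16], type[32], desc[128];
    long usage;
    int uid, gid;

    if (sscanf(line, "%x %15s %ld %15s %x %d %d %31s %127[^:\n]",
               &serial, flags, &usage, expiry, &perm, &uid, &gid,
               type, desc) != 9)
        return -1;
    if (strcmp(type, "keyring") != 0 || strcmp(desc, name) != 0)
        return -1;
    return usage;
}

/* Scan a stream in /proc/keys format and return the highest usage count
 * reported for keyring `name`, or -1 if it is not listed (never created,
 * or already garbage collected). */
long max_keyring_usage(FILE *f, const char *name)
{
    char line[512];
    long best = -1, usage;

    while (fgets(line, sizeof line, f)) {
        usage = keyring_usage(line, name);
        if (usage > best)
            best = usage;
    }
    return best;
}

int main(void)
{
    const char *name = "leaked-keyring";
    FILE *f = fopen("/proc/keys", "r");
    long usage;

    if (!f) { perror("/proc/keys"); return 1; }
    usage = max_keyring_usage(f, name);
    fclose(f);
    printf("%s: usage count %ld (-1 means not listed)\n", name, usage);
    return 0;
}
```

Run it as the same user that ran the test program, since /proc/keys only lists keys the reader is permitted to view.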
|
|
Use the ATTR_FILE attribute to distinguish between truncate()
and ftruncate() system calls. The two other cases where
do_truncate is called with a filp (and therefore ATTR_FILE is set)
are for coredump files and for open(O_TRUNC). In both of those cases
the open permission has already been checked during file open and
therefore does not need to be repeated.
Commit 95dbf739313f ("SELinux: check OPEN on truncate calls")
fixed a major issue where domains were allowed to truncate files
without the open permission. However, it introduced a new bug where
a domain with the write permission can no longer ftruncate files
without the open permission, even when they receive an already open
file.
(cherry picked from commit b21800f304392ee5d20f411c37470183cc779f11)
Bug: 22567870
Change-Id: Id7c305e46beba5091c2c777529bd468216aae1c3
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
|
(cherry picked from commit fa1aa143ac4a682c7f5fd52a3cf05f5a6fe44a0a)
Add extended permissions logic to selinux. Extended permissions
provides additional permissions in 256 bit increments. Extend the
generic ioctl permission check to use the extended permissions for
per-command filtering. Source/target/class sets including the ioctl
permission may additionally include a set of commands. Example:
    allowxperm <source> <target>:<class> ioctl unpriv_app_socket_cmds
    auditallowxperm <source> <target>:<class> ioctl priv_gpu_cmds
Where unpriv_app_socket_cmds and priv_gpu_cmds are macros
representing commonly granted sets of ioctl commands.
When ioctl commands are omitted only the permissions are checked.
This feature is intended to provide finer granularity for the ioctl
permission that may be too imprecise. For example, the same driver
may use ioctls to provide important and benign functionality such as
driver version or socket type as well as dangerous capabilities such
as debugging features, read/write/execute to physical memory or
access to sensitive data. Per-command filtering provides a mechanism
to reduce the attack surface of the kernel, and limit applications
to the subset of commands required.
The format of the policy binary has been modified to include ioctl
commands, and the policy version number has been incremented to
POLICYDB_VERSION_XPERMS_IOCTL=30 to account for the format
change.
The extended permissions logic is deliberately generic to allow
components to be reused, e.g. netlink filters.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Bug: 22846070
Change-Id: I1573d6b2d0ced27e82b6447318aa5b3065021a5b
|
|
(cherry pick from commit 671a2781ff01abf4fdc8904881fc3abd3a8279af)
Add information about ioctl calls to the LSM audit data. Log the
file path and command number.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Bug: 22846070
Change-Id: Iccba24f0f53e93595aaf16b2d3b04c02dac5f7a1
|
|
(cherry pick from commit 83d4a806ae46397f606de7376b831524bd3a21e5)
Commit f01e1af445fa ("selinux: don't pass in NULL avd to avc_has_perm_noaudit")
made this pointer reassignment unnecessary. Avd should continue to reference
the stack-based copy.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: tweaked subject line]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Bug: 22846070
Change-Id: I4aef4b95820e813c370525310e37f5da22d25efc
|
|
This reverts commit c8c3cd48e44fe12a41cd20e46d36fcfe5a759fd7.
Bug: 22846070
Change-Id: Ibf79b4c76f22f0af2d39e377b551151837a782cd
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
This reverts commit 8daca972e410f42a4fc1fe2de804c50013b24a28.
Bug: 22846070
Change-Id: Ia2d1e2b0f46ccb0328626286216e38378650505b
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
This reverts commit 98a4d82a78914c2496989d669ecae04dedcf361f.
Bug: 22846070
Change-Id: Ic047824591e8d94f937c052846ab387864c04fd7
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
A userspace call to mmap(MAP_LOCKED) may result in the successful locking
of memory while also producing a confusing audit log denial. can_do_mlock
checks capable and rlimit. If either of these returns positive,
can_do_mlock returns true. The capable check leads to an LSM hook used by
apparmor and selinux which produce the audit denial. Reordering so
rlimit is checked first eliminates the denial on success, only recording a
denial when the lock is unsuccessful as a result of the denial.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Cc: Jeff Vander Stoep <jeffv@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Paul Cassella <cassella@cray.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
|
Advertise P2P device in prima driver so that userspace
can create it as a virtual interface
BUG=24715254
Change-Id: Ib7c778e19816da1968e847db1b6e723a28a30d00
|
|
BUG=25474162
Change-Id: I5f9226b548bdc08f701ed7a8acfe1349a5901889
Signed-off-by: Sourabh Banerjee <sbanerje@codeaurora.org>
|
|
(This CL was initially reverted due to a possible break in fastboot,
which turned out to have an unrelated cause. No change has been made
since the initial submit http://ag/811968.)
USB CI (chipidea) controller driver cannot handle
more than 16K and new ADB version supports buffer
length up to 256KB, breaking the adb protocol whenever
adb daemon tries to send more than 16K to PC. Fix
it by limiting buffer length to 16K in ffs driver.
It will not break ADB functionality as ADB daemon
will retry.
Bug: http://b/25193669
Change-Id: I05ee0233eae52e904befd7ad3ae68d8fe1dd583f
Signed-off-by: David Pursell <dpursell@google.com>
Signed-off-by: Vamsi Krishna <vskrishn@codeaurora.org>
Signed-off-by: Anu Ramanathan <anur@codeaurora.org>
|
|
This reverts commit d1ce38d6f959b18bb6241d6fae18fb38a273f0ab.
There are reports of boards bricking during fastboot provisioning, and this is the most likely culprit. Reverting for now until we know more.
Change-Id: I022b030a028b65c36811cc3738ab4d9ca737b612
|
|
USB CI (chipidea) controller driver cannot handle
more than 16K and new ADB version supports buffer
length up to 256KB, breaking the adb protocol whenever
adb daemon tries to send more than 16K to PC. Fix
it by limiting buffer length to 16K in ffs driver.
It will not break ADB functionality as ADB daemon
will retry.
Bug: http://b/25193669
Change-Id: I65243cf874ca2a8999fb0601d329405a814cb426
Signed-off-by: Vamsi Krishna <vskrishn@codeaurora.org>
Signed-off-by: Anu Ramanathan <anur@codeaurora.org>
|
|
Add board id 8 as a supported board in SBC device tree
BUG=25531724
Change-Id: Id14327d9d4fd2179049ea0865c21ca4b1a61898a
Signed-off-by: Sourabh Banerjee <sbanerje@codeaurora.org>
|
|
Obsolete messages referring to deferred resume message printed repeatedly
on runtime PM events. Remove.
Change-Id: Ia95ff841724e9866c51217120738dfe353e4171e
|
|
TESTING: Built, provisioned, ran ledflasher
BUG: 25352888
Change-Id: I35bec1a69b8a93c15fc93c8d55f530a95beb5f6e
|
|
tcp_nuke_addr only grabs the bottom half socket lock, but not the
userspace socket lock. This allows a userspace program to call
close() while the socket is running, which causes a NULL pointer
dereference in inet_put_port.
Bug: 23663111
Bug: 24072792
Change-Id: Iecb63af68c2db4764c74785153d1c9054f76b94f
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
|
|
Adding qcom wifi drivers
from git://codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima
rev: ad06fb7a8e651c2e0af35096a9776ce7119d4ff3
BUG: 24409673
Change-Id: I78b8068b5a55f5afa32e47d85c30797bd5cefbc2
|
|
Add a new %P variable to be used in core_pattern. This variable contains
the global PID (PID in the init namespace) as %p contains the PID in the
current namespace which isn't always what we want.
The main use for this is to make it easier to handle crashes that happened
within a container. With that new variable it's possible to have the
crashes dumped into the container or forwarded to the host with the right
PID (from the host's point of view).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Reported-by: Hans Feldt <hans.feldt@ericsson.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Andy Whitcroft <apw@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 240ba92d4a528d7bc3fd08ad52081e108382809c)
Change-Id: I088df48afd1fd1fb327ee694a7c77967e8e8fcc4
|
|
This code is not exercised by policy version 26, but will be upon
upgrade to policy version 30.
Bug: 18087110
Change-Id: I07c6f34607713294a6a12c43a64d9936f0602200
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
Extend the generic ioctl permission check with support for per-command
filtering. Source/target/class sets including the ioctl permission may
additionally include a set of commands. Example:
    allow <source> <target>:<class> { 0x8910-0x8926 0x892A-0x8935 }
    auditallow <source> <target>:<class> 0x892A
When ioctl commands are omitted only the permissions are checked. This
feature is intended to provide finer granularity for the ioctl
permission which may be too imprecise in some circumstances. For
example, the same driver may use ioctls to provide important and
benign functionality such as driver version or socket type as well as
dangerous capabilities such as debugging features, read/write/execute
to physical memory or access to sensitive data. Per-command filtering
provides a mechanism to reduce the attack surface of the kernel, and
limit applications to the subset of commands required.
The format of the policy binary has been modified to include ioctl
commands, and the policy version number has been incremented to
POLICYDB_VERSION_IOCTL_OPERATIONS=30 to account for the format change.
Bug: 18087110
Change-Id: Ibf0e36728f6f3f0d5af56ccdeddee40800af689d
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
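The per-command ioctl filtering described in this commit message, and the "256 bit increments" mentioned in the extended-permissions message earlier in the log, can be modelled as one bitmap per driver. This is an added sketch, not the kernel's code: struct xperm_block and its functions are hypothetical names, and it assumes a 16-bit command whose high byte selects the driver and whose low byte selects the bit.

```c
#include <stdint.h>
#include <stdio.h>

/* One 256-bit block of extended permissions: one bit per ioctl function
 * number. Assumed layout for this sketch: the high byte of a 16-bit command
 * selects the driver, the low byte selects the bit. */
struct xperm_block {
    uint8_t  driver;
    uint32_t bits[8];               /* 8 x 32 = 256 bits */
};

/* Grant the inclusive command range [lo, hi]. Returns -1 (granting nothing)
 * if the range is reversed or leaves this block's driver byte. */
int xperm_allow_range(struct xperm_block *b, uint16_t lo, uint16_t hi)
{
    if (lo > hi || (lo >> 8) != b->driver || (hi >> 8) != b->driver)
        return -1;
    for (unsigned int f = lo & 0xff; f <= (hi & 0xffu); f++)
        b->bits[f >> 5] |= UINT32_C(1) << (f & 0x1f);
    return 0;
}

/* Per-command decision: a command passes only if its driver byte matches
 * and its bit is set; everything not listed is denied. */
int ioctl_cmd_allowed(const struct xperm_block *b, uint16_t cmd)
{
    unsigned int f = cmd & 0xff;

    if ((cmd >> 8) != b->driver)
        return 0;
    return (b->bits[f >> 5] >> (f & 0x1f)) & 1u;
}

/* The command set from the commit message's example rule:
 * { 0x8910-0x8926 0x892A-0x8935 } */
struct xperm_block example_policy(void)
{
    struct xperm_block b = { .driver = 0x89, .bits = { 0 } };

    xperm_allow_range(&b, 0x8910, 0x8926);
    xperm_allow_range(&b, 0x892A, 0x8935);
    return b;
}

int main(void)
{
    struct xperm_block b = example_policy();
    const uint16_t probes[] = { 0x8910, 0x8927, 0x892A, 0x8936, 0x5401 };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("0x%04X -> %s\n", (unsigned)probes[i],
               ioctl_cmd_allowed(&b, probes[i]) ? "allowed" : "denied");
    return 0;
}
```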
|
|
Add information about ioctl calls to the LSM audit data. Log the
file path and command number.
Bug: 18087110
Change-Id: Idbbd106db6226683cb30022d9e8f6f3b8fab7f84
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
rootfs (ramfs) can support setting of security contexts
by userspace due to the vfs fallback behavior of calling
the security module to set the in-core inode state
for security.* attributes when the filesystem does not
provide an xattr handler. No xattr handler required
as the inodes are pinned in memory and have no backing
store.
This is useful in allowing early userspace to label individual
files within a rootfs while still providing a policy-defined
default via genfs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
|
|
Update the policy version (POLICYDB_VERSION_CONSTRAINT_NAMES) to allow
holding of policy source info for constraints.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
|
LA.BR.1.2.4_rb1.10
|
|
Set MIPI_CSIPHY_GLBL_PWG_CFG0 to 0x01 only for MSM8939 Rev 3.0
using SOC info APIs.
Change-Id: I5ae8451570d2d1b74f0a41e97a703b7199b3569e
Signed-off-by: Vijay kumar Tumati <vtumati@codeaurora.org>
|
|
Rotator shared lock is released on the rotator completion, but when
rotator kickoff fails, as completion won't happen, the lock is not released.
Handle the failure case gracefully.
Change-Id: I2973a1eec617b36c7af8e7c3f250baefe9f245cf
Signed-off-by: Kalyan Thota <kalyant@codeaurora.org>
|
|
Change the sequence of registering and freeing the interrupt
handler in suspend/resume. Freeirq needs a guarantee that the
IRQ can't come anymore before we call it. So, we disable the IRQ
before calling freeirq. And register the handler before enabling
the irq to avoid the interrupt getting unhandled.
Change-Id: I3945202d049e16f64a16e456f914f7602b763c89
Signed-off-by: Hanumath Prasad <hpprasad@codeaurora.org>
Signed-off-by: Sridhar Gujje <sgujje@codeaurora.org>
|
|
Change-Id: Iea3814316fbed4fc6deaa42d1d5c304e915afa65
|
|
Increase the modem region to 86MB for msm8939 as
modem flavor has changed to support QChat and memory requirement
has increased to support this modem. Also
correspondingly move peripheral region carveout.
Signed-off-by: Kurva Harish <hkurva@codeaurora.org>
Change-Id: I23345d60e9496829ec2c262b9c4c34f388097072
|
|
Select 1.5Ghz as max frequency level for 8939 Speed-bin 0 parts.
Also, update the CPR regulator corner mappings for Speed-bin 0
parts.
CRs-Fixed: 866385
Change-Id: I9874ac2379e5154602aa5a31782bbb083fdc7cf9
Signed-off-by: Tirupathi Reddy <tirupath@codeaurora.org>
|
|
Change-Id: I379c31bd3a35c0d84356538cd4441f5d9dba14d2
|
|
This will make sure that at any point of time BW vote will not
go below the limit set by mincpubw. cpubw node uses BIMC_MON governor
and will vote higher depends on the requirement. The bus driver will
aggregate votes and take the highest of these.
Change-Id: Ib6a7a470bd50c63909f4750bee41a8377e39b0b7
Signed-off-by: Arun KS <arunks@codeaurora.org>
Signed-off-by: Hanumath Prasad <hpprasad@codeaurora.org>
|
|
Commit 43e0e31e2d6e ("net: sockev: filtering non INET socket events")
from Krishnan introduced incorrect conditional logic which caused
the socket address families to be incorrectly filtered. This
patch corrects the logic.
CRs-Fixed: 830947
Cc: Krishnan Ramachandran <kramacha@qti.qualcomm.com>
Acked-by: Devesh Bisht <dbisht@qti.qualcomm.com>
Change-Id: I40a001a69d5aab25f7f97a7378aceae301fd762a
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
|
|
Commit 43e0e31e2d6e ("net: sockev: filtering non INET socket events")
from Krishnan introduced incorrect conditional logic which caused
the socket address families to be incorrectly filtered. This
patch corrects the logic.
CRs-Fixed: 830947
Cc: Krishnan Ramachandran <kramacha@qti.qualcomm.com>
Acked-by: Devesh Bisht <dbisht@qti.qualcomm.com>
Change-Id: I40a001a69d5aab25f7f97a7378aceae301fd762a
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
|
|
Power button log push action should be hard reset for SBC8016.
Change-Id: Iaeaadca54e484a646144579ad02ac7efcebac6fd
Signed-off-by: Tanya Finkel <tfinkel@codeaurora.org>
|
|
LA.BR.1.2.4_rb1.7
|
|
Read 16-bit output data in continuous measurement mode to use
the same sensitivity adjustments as single measurement mode.
This allows the driver to report proper magnitude to userspace
in continuous measurement mode.
Change-Id: I3f3fa46e98f703bae9328df7bdb2150cb843bba8
Signed-off-by: Kiran Raparthy <krapar@codeaurora.org>
|
|
add the ub size value for different target based
on the HW version.
Change-Id: I30bdfdca7a20cf52bbfd93d0afc7801881733188
Signed-off-by: Alok Kediya <kediya@codeaurora.org>
|
|
Change-Id: I858ab83c19efaa59d24699e0d1424dd732cdfcd2
|
|
The BT indication LED will be turned on/off when
BT will be enabled/disabled respectively
Change-Id: I9545506404935e1fbcf92892b2e14002d5175226
Signed-off-by: Tanya Finkel <tfinkel@codeaurora.org>
|
|
If the last hrtimer interrupt detected a hang it sets hang_detected=1
and programs the clock event device with a delay to let the system
make progress.
If hang_detected == 1, we prevent reprogramming of the clock event
device in hrtimer_reprogram() but not in hrtimer_force_reprogram().
This can lead to the following situation:
    hrtimer_interrupt()
        hang_detected = 1;
        program ce device to Xms from now (hang delay)

We have two timers pending:
    T1 expires 50ms from now
    T2 expires 5s from now
Now T1 gets canceled, which causes hrtimer_force_reprogram() to be
invoked, which in turn programs the clock event device to T2 (5
seconds from now).
Any hrtimer_start after that will not reprogram the hardware due to
hang_detected still being set. So we effectively block all timers until
the T2 event fires and cleans up the hang situation.
Add a check for hang_detected to hrtimer_force_reprogram() which
prevents the reprogramming of the hang delay in the hardware
timer. The subsequent hrtimer_interrupt will resolve all outstanding
issues.
[ tglx: Rewrote subject and changelog and fixed up the comment in
hrtimer_force_reprogram() ]
Change-Id: I3f8906cb60ec34390fce7c4056a5514a724b0705
Signed-off-by: Stuart Hayes <stuart.w.hayes@gmail.com>
Link: http://lkml.kernel.org/r/53602DC6.2060101@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Git-commit: 6c6c0d5a1c949d2e084706f9e5fb1fccc175b265
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/
Signed-off-by: Vignesh Radhakrishnan <vigneshr@codeaurora.org>
|