Hi,
The patch below converts IPC auditing to collect sid's and convert to context
string only if it needs to output an audit record. This patch depends on the
inode audit change patch already being applied.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Previously, we were gathering the context instead of the sid. Now in this patch,
we gather just the sid and convert to context only if an audit event is being
output.
This patch brings the performance hit from 146% down to 23%
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This patch provides the ability to filter audit messages based on the
elements of the process' SELinux context (user, role, type, mls sensitivity,
and mls clearance). It uses the new interfaces from selinux to opaquely
store information related to the selinux context and to filter based on that
information. It also uses the callback mechanism provided by selinux to
refresh the information when a new policy is loaded.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
The following patch provides selinux interfaces that will allow the audit
system to perform filtering based on the process context (user, role, type,
sensitivity, and clearance). These interfaces will allow the selinux
module to perform efficient matches based on lower level selinux constructs,
rather than relying on context retrievals and string comparisons within
the audit module. It also allows for dominance checks on the mls portion
of the contexts that are impossible with only string comparisons.
Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
On Thursday 23 March 2006 09:08, John D. Ramsdell wrote:
> I noticed that a socketcall(bind) and socketcall(connect) event contain a
> record of type=SOCKADDR, but I cannot see one for a system call event
> associated with socketcall(accept). Recording the sockaddr of an accepted
> socket is important for cross platform information flow analys
Thanks for pointing this out. The following patch should address this.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
A context switch will force a call to flush_tlb_pending() (via
switch_to()), so if we test tlb_nr to be non-zero, then sleep, it
would become zero and later back at the original context we'll pass
zero down into the TLB flushing code which should never see a nr
argument of zero.
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Engelhardt <jengelh@linux01.gwdg.de> wrote:
while compiling 2.6.17-rc2 with allyesconfig, this showed up:
...
LOGO drivers/video/logo/logo_superh_clut224.c
CC drivers/video/logo/logo_linux_mono.o
...
A tab had sneaked in. Convert it to a few spaces.
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Create correct dependencies when specifying your own file with
list of files etc. to include in initramfs.
Reported by: Andre Noll <maan@skl-net.de>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Relax driver data name from *_driver to *driver.
This fixes the 26 section mismatch warnings in drivers/ide/pci.
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Remove *.mod files but not .tmp_versions for external builds
When "make install" is run as root, .tmp_versions is re-created and
becomes owned by root. Subsequent "make" run by user fails because
.tmp_versions cannot be removed.
Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
64bit mips has different r_info layout. This patch fixes modpost
segfault for 64bit little endian mips kernel.
Signed-off-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
- Check that page has suitable count for stealing in the regular pipes.
- pipe_to_file() assumes that the page is locked on succesful steal, so
do that in the pipe steal hook
- Missing unlock_page() in add_to_page_cache() failure.
Signed-off-by: Jens Axboe <axboe@suse.de>
Patch from Pavel Pisa
The clock starting imxmci_start_clock() function contains hardware
issue workaround, which repeats start attempt, if SDHC does not react on
the first trial. But the second start attempt can be taken even, if the
first succeed and test code misses time limited clock running phase
due to delay caused by schedule to other task or some another device
interrupt. This change enables to detect such situation.
The performance is not issue, because usually at full clock rate
only about six loops in delay cycle are needed.
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Patch from Deepak Saxena
This patch allows for the addition of IXP4xx systems that do not make
use of the PCI interface by moving the CONFIG_PCI symbol selection to
be platform-specific instead of for all of IXP4xx. If at least one machine
with PCI support is built, the PCI code will be compiled in, but when
building !PCI, this will drastically shrink the kernel size.
Signed-off-by: Deepak Saxena <dsaxena@plexity.net>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Patch from Markus Gutschke
In order to prevent gcc from making incorrect optimizations, all asm()
statements that define system calls should report memory as
clobbered. Recent versions of the headers for i386 have been changed
accordingly, but the ARM headers are still defective.
This patch fixes the bug tracked at
http://bugzilla.kernel.org/show_bug.cgi?id=6205
Signed-off-by: Markus Gutschke <markus@google.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
A bug report from Gerd Hoffmann has highlighted that unconditionally
enabling the transmit interrupt at the end of console writes is very
bad.
In Gerd's case, it causes the test for buggy UARTs to give false
positives, incorrectly identifying ports as buggy when they are not.
Moreover, if we unconditionally enable the interrupt, and the port
is sharing it's interrupt with other ports, there is the very real
possibility that we'll cause an interrupt storm. (Not all ports use
OUT2 as an interrupt mask.)
Hence, revert part of f91a3715db and
all of f5968b37b3 until a better solution
can be found.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Alchemy SoC uart have got a non-standard divisor register that needs some
special handling.
This patch adds divisor read/write functions with test and special
handling for Alchemy internal uart.
Signed-off-by: Jon Anders Haugum <jonah@omegav.ntnu.no>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
I've noticed that the 8250/Au1x00 driver (drivers/serial/8250_au1x00.c)
doesn't claim UART memory ranges and uses wrong (KSEG1-based) UART
addresses instead of the physical ones.
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
The locking for the uart_port is over complicated, and can be
simplified if we introduce a flag to indicate that a port is "dead"
and will be removed.
This also helps the validator because it removes a case of non-nested
unlock ordering.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Fix bug in nvram write function. If the starting nvram address offset
happens to be the last dword of the page, the NVRAM_CMD_LAST bit will
not get set in the existing code. This patch fixes the bug by changing
the "else if" to "if" so that the last dword condition always gets
checked.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Add a reset_phy parameter to tg3_reset_hw() and tg3_init_hw(). With
the full chip reset during MAC address change, the automatic PHY reset
during chip reset will cause a link down and bonding will not work
properly as a result. With this reset_phy parameter, we can do a chip
reset without link down when changing MAC address or MTU.
Signed-off-by: Gary Zambrano <zambrano@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Do the full chip reset when changing MAC address if ASF is enabled.
ASF sometimes uses a different MAC address than the driver. Without
the reset, the ASF MAC address may be overwritten when the driver's
MAC address is changed.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Add some PHY workaround code to reduce jitter on some PHYs.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Add netif_carrier_off() call during tg3_phy_reset(). This is needed
to properly track the netif_carrier state in cases where we do a
PHY reset with interrupts disabled. The SerDes code will not run
properly if the netif_carrier state is wrong.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
We eliminated rt6_dflt_lock (to protect default router pointer)
at 2.6.17-rc1, and introduced rt6_select() for general router selection.
The function is called in the context of rt6_lock read-lock held,
but this means, we have some race conditions when we do round-robin.
Signed-off-by; YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
xfrm_policy_afinfo_lock can be taken in bh context, at:
[<c013fe1a>] lockdep_acquire_read+0x54/0x6d
[<c0f6e024>] _read_lock+0x15/0x22
[<c0e8fcdb>] xfrm_policy_get_afinfo+0x1a/0x3d
[<c0e8fd10>] xfrm_decode_session+0x12/0x32
[<c0e66094>] ip_route_me_harder+0x1c9/0x25b
[<c0e770d3>] ip_nat_local_fn+0x94/0xad
[<c0e2bbc8>] nf_iterate+0x2e/0x7a
[<c0e2bc50>] nf_hook_slow+0x3c/0x9e
[<c0e3a342>] ip_push_pending_frames+0x2de/0x3a7
[<c0e53e19>] icmp_push_reply+0x136/0x141
[<c0e543fb>] icmp_reply+0x118/0x1a0
[<c0e54581>] icmp_echo+0x44/0x46
[<c0e53fad>] icmp_rcv+0x111/0x138
[<c0e36764>] ip_local_deliver+0x150/0x1f9
[<c0e36be2>] ip_rcv+0x3d5/0x413
[<c0df760f>] netif_receive_skb+0x337/0x356
[<c0df76c3>] process_backlog+0x95/0x110
[<c0df5fe2>] net_rx_action+0xa5/0x16d
[<c012d8a7>] __do_softirq+0x6f/0xe6
[<c0105ec2>] do_softirq+0x52/0xb1
this means that all write-locking of xfrm_policy_afinfo_lock must be
bh-safe. This patch fixes xfrm_policy_register_afinfo() and
xfrm_policy_unregister_afinfo().
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>
xfrm_state_afinfo_lock can be read-locked from bh context, so take it
in a bh-safe manner in xfrm_state_register_afinfo() and
xfrm_state_unregister_afinfo(). Found by the lock validator.
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>
The following unlikely should be replaced by likely because the
condition happens every time unless there is a hard error to transmit
a packet.
Signed-off-by: Hua Zhong <hzhong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
xfrm typemap->lock may be used in softirq context, so all write_lock()
uses must be softirq-safe.
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>
I was looking through the xfrm input/output code in order to abstract
out the address family specific encapsulation/decapsulation code. During
that process I found this bug in the IP ID selection code in xfrm4_output.c.
At that point dst is still the xfrm_dst for the current SA which
represents an internal flow as far as the IPsec tunnel is concerned.
Since the IP ID is going to sit on the outside of the encapsulated
packet, we obviously want the external flow which is just dst->child.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Use hlist_unhashed() rather than accessing inside data structure.
Signed-off-by: Akinobu Mita <mita@miraclelinux.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Convert inet_init to an fs_initcall to make sure its called before any
device driver's initcall.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 line removal, of unused macro.
ran 'egrep -r' from linux-2.6.16/ for Nprintk and
didn't see it anywhere else but here, in #define...
Signed-off-by: Soyoung Park <speattle@yahoo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The following one line fix is needed to make loss function of
netem work right when doing loss on the local host.
Otherwise, higher layers just recover.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
When the sk_timer function x25_heartbeat_expiry() is called by the
kernel in a running/terminating process, spinlock-recursion and
spinlock-lockup locks up the kernel. This has happened with testing
on some distro's and the patch below fixed it.
Signed-off-by: Shaun Pereira <spereira@tusc.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Let people enable the advansys driver on x86-32, even though it's broken
on other architectures due to missing DMA mapping infrastructure.
It's used by Jeffrey Phillips Freeman <jeffreyfreeman@syncleus.com> and
possibly others.
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The FXSAVE information leak patch introduced a bug in FP exception
handling: it clears FP exceptions only when there are already
none outstanding. Mikael Pettersson reported that causes problems
with the Erlang runtime and has tested this fix.
Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Acked-by: Mikael Pettersson <mikpe@it.uu.se>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
While writing to an event device allows to set repeat rate for an
individual input device there is no way to retrieve current settings
so we need to ressurect EVIOCGREP. Also ressurect EVIOCSREP so we
have a symmetrical interface.
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
reflect the changes to Kconfig since the last update.
Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
