1. 15 Nov, 2007 1 commit
    • Arjan van de Ven's avatar
      mark sys_open/sys_read exports unused · cb51f973
      Arjan van de Ven authored
      sys_open / sys_read were used in the early 1.2 days to load firmware from
      disk inside drivers.  Since 2.0 or so this was deprecated behavior, but
      several drivers still were using this.  Since a few years we have a
      request_firmware() API that implements this in a nice, consistent way.
      Only some old ISA sound drivers (pre-ALSA) still straggled along for some
      time....  however with commit c2b1239a the
      last user is now gone.
      This is a good thing, since using sys_open / sys_read etc for firmware is a
      very buggy to dangerous thing to do; these operations put an fd in the
      process file descriptor table....  which then can be tampered with from
      other threads for example.  For those who don't want the firmware loader,
      filp_open()/vfs_read are the better APIs to use, without this security
      The patch below marks sys_open and sys_read unused now that they're
      really not used anymore, and for deletion in the 2.6.25 timeframe.
      Signed-off-by: default avatarArjan van de Ven <arjan@linux.intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  2. 21 Oct, 2007 1 commit
  3. 17 Oct, 2007 2 commits
    • Serge E. Hallyn's avatar
      Implement file posix capabilities · b5376771
      Serge E. Hallyn authored
      Implement file posix capabilities.  This allows programs to be given a
      subset of root's powers regardless of who runs them, without having to use
      setuid and giving the binary all of root's powers.
      This version works with Kaigai Kohei's userspace tools, found at
      http://www.kaigai.gr.jp/index.php.  For more information on how to use this
      patch, Chris Friedhoff has posted a nice page at
      	Nov 27:
      	Incorporate fixes from Andrew Morton
      	(security-introduce-file-caps-tweaks and
      	Fix Kconfig dependency.
      	Fix change signaling behavior when file caps are not compiled in.
      	Nov 13:
      	Integrate comments from Alexey: Remove CONFIG_ ifdef from
      	capability.h, and use %zd for printing a size_t.
      	Nov 13:
      	Fix endianness warnings by sparse as suggested by Alexey
      	Nov 09:
      	Address warnings of unused variables at cap_bprm_set_security
      	when file capabilities are disabled, and simultaneously clean
      	up the code a little, by pulling the new code into a helper
      	Nov 08:
      	For pointers to required userspace tools and how to use
      	them, see http://www.friedhoff.org/fscaps.html.
      	Nov 07:
      	Fix the calculation of the highest bit checked in
      	Nov 07:
      	Allow file caps to be enabled without CONFIG_SECURITY, since
      	capabilities are the default.
      	Hook cap_task_setscheduler when !CONFIG_SECURITY.
      	Move capable(TASK_KILL) to end of cap_task_kill to reduce
      	audit messages.
      	Nov 05:
      	Add secondary calls in selinux/hooks.c to task_setioprio and
      	task_setscheduler so that selinux and capabilities with file
      	cap support can be stacked.
      	Sep 05:
      	As Seth Arnold points out, uid checks are out of place
      	for capability code.
      	Sep 01:
      	Define task_setscheduler, task_setioprio, cap_task_kill, and
      	task_setnice to make sure a user cannot affect a process in which
      	they called a program with some fscaps.
      	One remaining question is the note under task_setscheduler: are we
      	ok with CAP_SYS_NICE being sufficient to confine a process to a
      	It is a semantic change, as without fsccaps, attach_task doesn't
      	allow CAP_SYS_NICE to override the uid equivalence check.  But since
      	it uses security_task_setscheduler, which elsewhere is used where
      	CAP_SYS_NICE can be used to override the uid equivalence check,
      	fixing it might be tough.
      		 note: this also controls cpuset:attach_task.  Are we ok with
      		     CAP_SYS_NICE being used to confine to a cpuset?
      		 sys_setpriority uses this (through set_one_prio) for another
      		 process.  Need same checks as setrlimit
      	Aug 21:
      	Updated secureexec implementation to reflect the fact that
      	euid and uid might be the same and nonzero, but the process
      	might still have elevated caps.
      	Aug 15:
      	Handle endianness of xattrs.
      	Enforce capability version match between kernel and disk.
      	Enforce that no bits beyond the known max capability are
      	set, else return -EPERM.
      	With this extra processing, it may be worth reconsidering
      	doing all the work at bprm_set_security rather than
      	Aug 10:
      	Always call getxattr at bprm_set_security, rather than
      	caching it at d_instantiate.
      [morgan@kernel.org: file-caps clean up for linux/capability.h]
      [bunk@kernel.org: unexport cap_inode_killpriv]
      Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Andrew Morgan <morgan@kernel.org>
      Signed-off-by: default avatarAndrew Morgan <morgan@kernel.org>
      Signed-off-by: default avatarAdrian Bunk <bunk@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Alan Cox's avatar
      fs: correct SuS compliance for open of large file without options · a9c62a18
      Alan Cox authored
      The early LFS work that Linux uses favours EFBIG in various places. SuSv3
      specifically uses EOVERFLOW for this as noted by Michael (Bug 7253)
          The named file is a regular file and the size of the file cannot be
      represented correctly in an object of type off_t. We should therefore
      transition to the proper error return code
      Signed-off-by: default avatarAlan Cox <alan@redhat.com>
      Cc: Theodore Tso <tytso@mit.edu>
      Cc: Jens Axboe <jens.axboe@oracle.com>
      Cc: Arjan van de Ven <arjan@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  4. 16 Oct, 2007 1 commit
  5. 31 Jul, 2007 1 commit
  6. 24 Jul, 2007 1 commit
    • Ulrich Drepper's avatar
      fallocate syscall interface deficiency · 0d786d4a
      Ulrich Drepper authored
      The fallocate syscall returns ENOSYS in case the filesystem does not support
      the operation and expects the userlevel code to fill in.  This is good in
      The problem is that the libc code for old kernels should be able to
      distinguish the case where the syscall is not at all available vs not
      functioning for a specific mount point.  As is this is not possible and we
      always have to invoke the syscall even if the kernel doesn't support it.
      I suggest the following patch.  Using EOPNOTSUPP is IMO the right thing to do.
      Cc: Amit Arora <aarora@in.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  7. 18 Jul, 2007 1 commit
    • Amit Arora's avatar
      sys_fallocate() implementation on i386, x86_64 and powerpc · 97ac7350
      Amit Arora authored
      fallocate() is a new system call being proposed here which will allow
      applications to preallocate space to any file(s) in a file system.
      Each file system implementation that wants to use this feature will need
      to support an inode operation called ->fallocate().
      Applications can use this feature to avoid fragmentation to certain
      level and thus get faster access speed. With preallocation, applications
      also get a guarantee of space for particular file(s) - even if later the
      the system becomes full.
      Currently, glibc provides an interface called posix_fallocate() which
      can be used for similar cause. Though this has the advantage of working
      on all file systems, but it is quite slow (since it writes zeroes to
      each block that has to be preallocated). Without a doubt, file systems
      can do this more efficiently within the kernel, by implementing
      the proposed fallocate() system call. It is expected that
      posix_fallocate() will be modified to call this new system call first
      and incase the kernel/filesystem does not implement it, it should fall
      back to the current implementation of writing zeroes to the new blocks.
      1. Implementation on other architectures (other than i386, x86_64,
         and ppc). Patches for s390(x) and ia64 are already available from
         previous posts, but it was decided that they should be added later
         once fallocate is in the mainline. Hence not including those patches
         in this take.
      2. Changes to glibc,
         a) to support fallocate() system call
         b) to make posix_fallocate() and posix_fallocate64() call fallocate()
      Signed-off-by: default avatarAmit Arora <aarora@in.ibm.com>
  8. 16 Jul, 2007 2 commits
    • Ulrich Drepper's avatar
      O_CLOEXEC for SCM_RIGHTS · 4a19542e
      Ulrich Drepper authored
      Part two in the O_CLOEXEC saga: adding support for file descriptors received
      through Unix domain sockets.
      The patch is once again pretty minimal, it introduces a new flag for recvmsg
      and passes it just like the existing MSG_CMSG_COMPAT flag.  I think this bit
      is not used otherwise but the networking people will know better.
      This new flag is not recognized by recvfrom and recv.  These functions cannot
      be used for that purpose and the asymmetry this introduces is not worse than
      the already existing MSG_CMSG_COMPAT situations.
      The patch must be applied on the patch which introduced O_CLOEXEC.  It has to
      remove static from the new get_unused_fd_flags function but since scm.c cannot
      live in a module the function still hasn't to be exported.
      Here's a test program to make sure the code works.  It's so much longer than
      the actual patch...
      #include <errno.h>
      #include <error.h>
      #include <fcntl.h>
      #include <stdio.h>
      #include <string.h>
      #include <unistd.h>
      #include <sys/socket.h>
      #include <sys/un.h>
      #ifndef O_CLOEXEC
      # define O_CLOEXEC 02000000
      #ifndef MSG_CMSG_CLOEXEC
      # define MSG_CMSG_CLOEXEC 0x40000000
      main (int argc, char *argv[])
        if (argc > 1)
            int fd = atol (argv[1]);
            printf ("child: fd = %d\n", fd);
            if (fcntl (fd, F_GETFD) == 0 || errno != EBADF)
                puts ("file descriptor valid in child");
                return 1;
            return 0;
        struct sockaddr_un sun;
        strcpy (sun.sun_path, "./testsocket");
        sun.sun_family = AF_UNIX;
        char databuf[] = "hello";
        struct iovec iov[1];
        iov[0].iov_base = databuf;
        iov[0].iov_len = sizeof (databuf);
          struct cmsghdr hdr;
          char bytes[CMSG_SPACE (sizeof (int))];
        } buf;
        struct msghdr msg = { .msg_iov = iov, .msg_iovlen = 1,
                              .msg_control = buf.bytes,
                              .msg_controllen = sizeof (buf) };
        struct cmsghdr *cmsg = CMSG_FIRSTHDR (&msg);
        cmsg->cmsg_level = SOL_SOCKET;
        cmsg->cmsg_type = SCM_RIGHTS;
        cmsg->cmsg_len = CMSG_LEN (sizeof (int));
        msg.msg_controllen = cmsg->cmsg_len;
        pid_t child = fork ();
        if (child == -1)
          error (1, errno, "fork");
        if (child == 0)
            int sock = socket (PF_UNIX, SOCK_STREAM, 0);
            if (sock < 0)
              error (1, errno, "socket");
            if (bind (sock, (struct sockaddr *) &sun, sizeof (sun)) < 0)
              error (1, errno, "bind");
            if (listen (sock, SOMAXCONN) < 0)
              error (1, errno, "listen");
            int conn = accept (sock, NULL, NULL);
            if (conn == -1)
              error (1, errno, "accept");
            *(int *) CMSG_DATA (cmsg) = sock;
            if (sendmsg (conn, &msg, MSG_NOSIGNAL) < 0)
              error (1, errno, "sendmsg");
            return 0;
        /* For a test suite this should be more robust like a
           barrier in shared memory.  */
        sleep (1);
        int sock = socket (PF_UNIX, SOCK_STREAM, 0);
        if (sock < 0)
          error (1, errno, "socket");
        if (connect (sock, (struct sockaddr *) &sun, sizeof (sun)) < 0)
          error (1, errno, "connect");
        unlink (sun.sun_path);
        *(int *) CMSG_DATA (cmsg) = -1;
        if (recvmsg (sock, &msg, MSG_CMSG_CLOEXEC) < 0)
          error (1, errno, "recvmsg");
        int fd = *(int *) CMSG_DATA (cmsg);
        if (fd == -1)
          error (1, 0, "no descriptor received");
        char fdname[20];
        snprintf (fdname, sizeof (fdname), "%d", fd);
        execl ("/proc/self/exe", argv[0], fdname, NULL);
        puts ("execl failed");
        return 1;
      [akpm@linux-foundation.org: Fix fastcall inconsistency noted by Michael Buesch]
      [akpm@linux-foundation.org: build fix]
      Signed-off-by: default avatarUlrich Drepper <drepper@redhat.com>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Michael Buesch <mb@bu3sch.de>
      Cc: Michael Kerrisk <mtk-manpages@gmx.net>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Ulrich Drepper's avatar
      Introduce O_CLOEXEC · f23513e8
      Ulrich Drepper authored
      The problem is as follows: in multi-threaded code (or more correctly: all
      code using clone() with CLONE_FILES) we have a race when exec'ing.
         thread #1                       thread #2
                                         fork + exec
      In some applications this can happen frequently.  Take a web browser.  One
      thread opens a file and another thread starts, say, an external PDF viewer.
       The result can even be a security issue if that open file descriptor
      refers to a sensitive file and the external program can somehow be tricked
      into using that descriptor.
      Just adding O_CLOEXEC support to open() doesn't solve the whole set of
      problems.  There are other ways to create file descriptors (socket,
      epoll_create, Unix domain socket transfer, etc).  These can and should be
      addressed separately though.  open() is such an easy case that it makes not
      much sense putting the fix off.
      The test program:
      #include <errno.h>
      #include <fcntl.h>
      #include <stdio.h>
      #include <unistd.h>
      #ifndef O_CLOEXEC
      # define O_CLOEXEC 02000000
      main (int argc, char *argv[])
        int fd;
        if (argc > 1)
            fd = atol (argv[1]);
            printf ("child: fd = %d\n", fd);
            if (fcntl (fd, F_GETFD) == 0 || errno != EBADF)
                puts ("file descriptor valid in child");
                return 1;
            return 0;
        fd = open ("/proc/self/exe", O_RDONLY | O_CLOEXEC);
        printf ("in parent: new fd = %d\n", fd);
        char buf[20];
        snprintf (buf, sizeof (buf), "%d", fd);
        execl ("/proc/self/exe", argv[0], buf, NULL);
        puts ("execl failed");
        return 1;
      [kyle@parisc-linux.org: parisc fix]
      Signed-off-by: default avatarUlrich Drepper <drepper@redhat.com>
      Acked-by: default avatarIngo Molnar <mingo@elte.hu>
      Cc: Davide Libenzi <davidel@xmailserver.org>
      Cc: Michael Kerrisk <mtk-manpages@gmx.net>
      Cc: Chris Zankel <chris@zankel.net>
      Signed-off-by: default avatarKyle McMartin <kyle@parisc-linux.org>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  9. 09 May, 2007 1 commit
  10. 08 May, 2007 1 commit
  11. 10 Dec, 2006 1 commit
    • Vadim Lobanov's avatar
      [PATCH] fdtable: Make fdarray and fdsets equal in size · bbea9f69
      Vadim Lobanov authored
      Currently, each fdtable supports three dynamically-sized arrays of data: the
      fdarray and two fdsets.  The code allows the number of fds supported by the
      fdarray (fdtable->max_fds) to differ from the number of fds supported by each
      of the fdsets (fdtable->max_fdset).
      In practice, it is wasteful for these two sizes to differ: whenever we hit a
      limit on the smaller-capacity structure, we will reallocate the entire fdtable
      and all the dynamic arrays within it, so any delta in the memory used by the
      larger-capacity structure will never be touched at all.
      Rather than hogging this excess, we shouldn't even allocate it in the first
      place, and keep the capacities of the fdarray and the fdsets equal.  This
      patch removes fdtable->max_fdset.  As an added bonus, most of the supporting
      code becomes simpler.
      Signed-off-by: default avatarVadim Lobanov <vlobanov@speakeasy.net>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Dipankar Sarma <dipankar@in.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
  12. 08 Dec, 2006 2 commits
    • Josef "Jeff" Sipek's avatar
      [PATCH] VFS: change struct file to use struct path · 0f7fc9e4
      Josef "Jeff" Sipek authored
      This patch changes struct file to use struct path instead of having
      independent pointers to struct dentry and struct vfsmount, and converts all
      users of f_{dentry,vfsmnt} in fs/ to use f_path.{dentry,mnt}.
      Additionally, it adds two #define's to make the transition easier for users of
      the f_dentry and f_vfsmnt.
      Signed-off-by: default avatarJosef "Jeff" Sipek <jsipek@cs.sunysb.edu>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
    • Peter Zijlstra's avatar
      [PATCH] tty: ->signal->tty locking · 24ec839c
      Peter Zijlstra authored
      Fix the locking of signal->tty.
      Use ->sighand->siglock to protect ->signal->tty; this lock is already used
      by most other members of ->signal/->sighand.  And unless we are 'current'
      or the tasklist_lock is held we need ->siglock to access ->signal anyway.
      (NOTE: sys_unshare() is broken wrt ->sighand locking rules)
      Note that tty_mutex is held over tty destruction, so while holding
      tty_mutex any tty pointer remains valid.  Otherwise the lifetime of ttys
      are governed by their open file handles.  This leaves some holes for tty
      access from signal->tty (or any other non file related tty access).
      It solves the tty SLAB scribbles we were seeing.
      (NOTE: the change from group_send_sig_info to __group_send_sig_info needs to
             be examined by someone familiar with the security framework, I think
             it is safe given the SEND_SIG_PRIV from other __group_send_sig_info
      [schwidefsky@de.ibm.com: 3270 fix]
      [akpm@osdl.org: various post-viro fixes]
      Signed-off-by: default avatarPeter Zijlstra <a.p.zijlstra@chello.nl>
      Acked-by: default avatarAlan Cox <alan@redhat.com>
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Cc: Prarit Bhargava <prarit@redhat.com>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Roland McGrath <roland@redhat.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Jan Kara <jack@ucw.cz>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
  13. 01 Oct, 2006 2 commits
  14. 29 Sep, 2006 2 commits
    • Ernie Petrides's avatar
      [PATCH] fix wrong error code on interrupted close syscalls · ee731f4f
      Ernie Petrides authored
      The problem is that close() syscalls can call a file system's flush
      handler, which in turn might sleep interruptibly and ultimately pass back
      an -ERESTARTSYS return value.  This happens for files backed by an
      interruptible NFS mount under nfs_file_flush() when a large file has just
      been written and nfs_wait_bit_interruptible() detects that there is a
      signal pending.
      I have a test case where the "strace" command is used to attach to a
      process sleeping in such a close().  Since the SIGSTOP is forced onto the
      victim process (removing it from the thread's "blocked" mask in
      force_sig_info()), the RPC wait is interrupted and the close() is
      terminated early.
      But the file table entry has already been cleared before the flush handler
      was called.  Thus, when the syscall is restarted, the file descriptor
      appears closed and an EBADF error is returned (which is wrong).  What's
      worse, there is the hypothetical case where another thread of a
      multi-threaded application might have reused the file descriptor, in which
      case that file would be mistakenly closed.
      The bottom line is that close() syscalls are not restartable, and thus
      -ERESTARTSYS return values should be mapped to -EINTR.  This is consistent
      with the close(2) manual page.  The fix is below.
      Signed-off-by: default avatarErnie Petrides <petrides@redhat.com>
      Cc: Roland McGrath <roland@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
    • Miklos Szeredi's avatar
      [PATCH] vfs: define new lookup flag for chdir · 650a8983
      Miklos Szeredi authored
      In the "operation does permission checking" model used by fuse, chdir
      permission is not checked, since there's no chdir method.
      For this case set a lookup flag, which will be passed to ->permission(), so
      fuse can distinguish it from permission checks for other operations.
      Signed-off-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
  15. 25 Jun, 2006 1 commit
    • Peter Staubach's avatar
      [PATCH] ftruncate does not always update m/ctime · 6e656be8
      Peter Staubach authored
      In the course of trying to track down a bug where a file mtime was not
      being updated correctly, it was discovered that the m/ctime updates were
      not quite being handled correctly for ftruncate() calls.
      Quoth SUSv3:
              If O_TRUNC is set and the file did previously exist, upon
              successful completion, open() shall mark for update the st_ctime
              and st_mtime fields of the file.
              Upon successful completion, if the file size is changed, this
              function shall mark for update the st_ctime and st_mtime fields
              of the file, and the S_ISUID and S_ISGID bits of the file mode
              may be cleared.
              Upon successful completion, if fildes refers to a regular file,
              the ftruncate() function shall mark for update the st_ctime and
              st_mtime fields of the file and the S_ISUID and S_ISGID bits of
              the file mode may be cleared. If the ftruncate() function is
              unsuccessful, the file is unaffected.
      The open(O_TRUNC) and truncate cases were being handled correctly, but the
      ftruncate case was being handled like the truncate case.  The semantics of
      truncate and ftruncate don't quite match, so ftruncate needs to be handled
      slightly differently.
      The attached patch addresses this issue for ftruncate(2).
      My thanx to Stephen Tweedie and Trond Myklebust for their help in
      understanding the situation and semantics.
      Signed-off-by: default avatarPeter Staubach <staubach@redhat.com>
      Cc: "Stephen C. Tweedie" <sct@redhat.com>
      Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
  16. 23 Jun, 2006 2 commits
  17. 20 Jun, 2006 1 commit
    • Amy Griffis's avatar
      [PATCH] log more info for directory entry change events · 9c937dcc
      Amy Griffis authored
      When an audit event involves changes to a directory entry, include
      a PATH record for the directory itself.  A few other notable changes:
          - fixed audit_inode_child() hooks in fsnotify_move()
          - removed unused flags arg from audit_inode()
          - added audit log routines for logging a portion of a string
      Here's some sample output.
      before patch:
      type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149821605.320:26):  cwd="/root"
      type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      after patch:
      type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149822032.332:24):  cwd="/root"
      type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
      type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
  18. 15 May, 2006 1 commit
  19. 18 Apr, 2006 2 commits
    • Linus Torvalds's avatar
      x86: be careful about tailcall breakage for sys_open[at] too · 385910f2
      Linus Torvalds authored
      Came up through a quick grep for other cases similar to the ftruncate()
      one in commit 0a489cb3.
      Also, add a comment, so that people who read the code understand why we
      do what looks like a no-op.
      (Again, this won't actually matter to any sane user, since libc will
      save and restore the register gcc stomps on, but it's still wrong to
      stomp on it)
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
    • Linus Torvalds's avatar
      x86: don't allow tail-calls in sys_ftruncate[64]() · 0a489cb3
      Linus Torvalds authored
      Gcc thinks it owns the incoming argument stack, but that's not true for
      "asmlinkage" functions, and it corrupts the caller-set-up argument stack
      when it pushes the third argument onto the stack.  Which can result in
      %ebx getting corrupted in user space.
      Now, normally nobody sane would ever notice, since libc will save and
      restore %ebx anyway over the system call, but it's still wrong.
      I'd much rather have "asmlinkage" tell gcc directly that it doesn't own
      the stack, but no such attribute exists, so we're stuck with our hacky
      manual "prevent_tail_call()" macro once more (we've had the same issue
      before with sys_waitpid() and sys_wait4()).
      Thanks to Hans-Werner Hilse <hilse@sub.uni-goettingen.de> for reporting
      the issue and testing the fix.
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
  20. 25 Mar, 2006 1 commit
  21. 23 Mar, 2006 1 commit
    • Eric Dumazet's avatar
      [PATCH] Shrinks sizeof(files_struct) and better layout · 0c9e63fd
      Eric Dumazet authored
      1) Reduce the size of (struct fdtable) to exactly 64 bytes on 32bits
         platforms, lowering kmalloc() allocated space by 50%.
      2) Reduce the size of (files_struct), using a special 32 bits (or
         64bits) embedded_fd_set, instead of a 1024 bits fd_set for the
         close_on_exec_init and open_fds_init fields.  This save some ram (248
         bytes per task) as most tasks dont open more than 32 files.  D-Cache
         footprint for such tasks is also reduced to the minimum.
      3) Reduce size of allocated fdset.  Currently two full pages are
         allocated, that is 32768 bits on x86 for example, and way too much.  The
         minimum is now L1_CACHE_BYTES.
      UP and SMP should benefit from this patch, because most tasks will touch
      only one cache line when open()/close() stdin/stdout/stderr (0/1/2),
      (next_fd, close_on_exec_init, open_fds_init, fd_array[0 ..  2] being in the
      same cache line)
      Signed-off-by: default avatarEric Dumazet <dada1@cosmosbay.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
  22. 20 Mar, 2006 1 commit
    • Amy Griffis's avatar
      [PATCH] Collect more inode information during syscall processing. · 73241ccc
      Amy Griffis authored
      This patch augments the collection of inode info during syscall
      processing. It represents part of the functionality that was provided
      by the auditfs patch included in RHEL4.
      Specifically, it:
      - Collects information for target inodes created or removed during
        syscalls.  Previous code only collects information for the target
        inode's parent.
      - Adds the audit_inode() hook to syscalls that operate on a file
        descriptor (e.g. fchown), enabling audit to do inode filtering for
        these calls.
      - Modifies filtering code to check audit context for either an inode #
        or a parent inode # matching a given rule.
      - Modifies logging to provide inode # for both parent and child.
      - Protect debug info from NULL audit_names.name.
      [AV: folded a later typo fix from the same author]
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
  23. 19 Jan, 2006 1 commit
    • Ulrich Drepper's avatar
      [PATCH] vfs: *at functions: core · 5590ff0d
      Ulrich Drepper authored
      Here is a series of patches which introduce in total 13 new system calls
      which take a file descriptor/filename pair instead of a single file
      name.  These functions, openat etc, have been discussed on numerous
      occasions.  They are needed to implement race-free filesystem traversal,
      they are necessary to implement a virtual per-thread current working
      directory (think multi-threaded backup software), etc.
      We have in glibc today implementations of the interfaces which use the
      /proc/self/fd magic.  But this code is rather expensive.  Here are some
      results (similar to what Jim Meyering posted before).
      The test creates a deep directory hierarchy on a tmpfs filesystem.  Then
      rm -fr is used to remove all directories.  Without syscall support I get
      real    0m31.921s
      user    0m0.688s
      sys     0m31.234s
      With syscall support the results are much better:
      real    0m20.699s
      user    0m0.536s
      sys     0m20.149s
      The interfaces are for obvious reasons currently not much used.  But they'll
      be used.  coreutils (and Jeff's posixutils) are already using them.
      Furthermore, code like ftw/fts in libc (maybe even glob) will also start using
      them.  I expect a patch to make follow soon.  Every program which is walking
      the filesystem tree will benefit.
      Signed-off-by: default avatarUlrich Drepper <drepper@redhat.com>
      Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Al Viro <viro@ftp.linux.org.uk>
      Acked-by: default avatarIngo Molnar <mingo@elte.hu>
      Cc: Michael Kerrisk <mtk-manpages@gmx.net>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
  24. 12 Jan, 2006 1 commit
  25. 09 Jan, 2006 3 commits
    • Jes Sorensen's avatar
      [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem · 1b1dcc1b
      Jes Sorensen authored
      This patch converts the inode semaphore to a mutex. I have tested it on
      XFS and compiled as much as one can consider on an ia64. Anyway your
      luck with it might be different.
      Modified-by: default avatarIngo Molnar <mingo@elte.hu>
      (finished the conversion)
      Signed-off-by: default avatarJes Sorensen <jes@sgi.com>
      Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
    • Matt Mackall's avatar
      [PATCH] tiny: Uninline some open.c functions · b01ec0ef
      Matt Mackall authored
      uninline some open.c functions
      add/remove: 3/0 grow/shrink: 0/6 up/down: 679/-1166 (-487)
      function                                     old     new   delta
      do_sys_truncate                                -     336    +336
      do_sys_ftruncate                               -     317    +317
      __put_unused_fd                                -      26     +26
      put_unused_fd                                 57      49      -8
      sys_close                                    150     119     -31
      sys_ftruncate64                              260      26    -234
      sys_ftruncate                                272      24    -248
      sys_truncate                                 339      25    -314
      sys_truncate64                               336       5    -331
      Signed-off-by: default avatarMatt Mackall <mpm@selenic.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
    • NeilBrown's avatar
      [PATCH] Fix some problems with truncate and mtime semantics. · 4a30131e
      NeilBrown authored
      SUS requires that when truncating a file to the size that it currently
        truncate and ftruncate should NOT modify ctime or mtime
        O_TRUNC SHOULD modify ctime and mtime.
      Currently mtime and ctime are always modified on most local
      filesystems (side effect of ->truncate) or never modified (on NFS).
      With this patch:
        ATTR_CTIME|ATTR_MTIME are sent with ATTR_SIZE precisely when
          an update of these times is required whether size changes or not
          (via a new argument to do_truncate).  This allows NFS to do
          the right thing for O_TRUNC.
        inode_setattr nolonger forces ATTR_MTIME|ATTR_CTIME when the ATTR_SIZE
          sets the size to it's current value.  This allows local filesystems
          to do the right thing for f?truncate.
      Also, the logic in inode_setattr is changed a bit so there are two return
      points.  One returns the error from vmtruncate if it failed, the other
      returns 0 (there can be no other failure).
      Finally, if vmtruncate succeeds, and ATTR_SIZE is the only change
      requested, we now fall-through and mark_inode_dirty.  If a filesystem did
      not have a ->truncate function, then vmtruncate will have changed i_size,
      without marking the inode as 'dirty', and I think this is wrong.
      Signed-off-by: default avatarNeil Brown <neilb@suse.de>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
  26. 09 Nov, 2005 2 commits
  27. 07 Nov, 2005 2 commits
  28. 18 Oct, 2005 1 commit
  29. 13 Sep, 2005 1 commit
    • Peter Staubach's avatar
      [PATCH] open returns ENFILE but creates file anyway · a1a5b3d9
      Peter Staubach authored
      When open(O_CREAT) is called and the error, ENFILE, is returned, the file
      may be created anyway.  This is counter intuitive, against the SUS V3
      specification, and may cause applications to misbehave if they are not
      coded correctly to handle this semantic.  The SUS V3 specification
      explicitly states "No files shall be created or modified if the function
      returns -1.".
      The error, ENFILE, is used to indicate the system wide open file table is
      full and no more file structs can be allocated.
      This is due to an ordering problem.  The entry in the directory is created
      before the file struct is allocated.  If the allocation for the file struct
      fails, then the system call must return an error, but the directory entry
      was already created and can not be safely removed.
      The solution to this situation is relatively easy.  The file struct should
      be allocated before the directory entry is created.  If the allocation
      fails, then the error can be returned directly.  If the creation of the
      directory entry fails, then the file struct can be easily freed.
      Signed-off-by: default avatarPeter Staubach <staubach@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>