rpms/kernel/F-11 linux-2.6-debug-selinux-null-creds.patch, NONE, 1.1 config-debug, 1.24, 1.25 config-nodebug, 1.33, 1.34 kernel.spec, 1.1630, 1.1631

Chuck Ebbert cebbert at fedoraproject.org
Mon Jun 8 21:45:02 UTC 2009


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12161

Modified Files:
	config-debug config-nodebug kernel.spec 
Added Files:
	linux-2.6-debug-selinux-null-creds.patch 
Log Message:
Add debug patch for finding null security credentials. (494067)

linux-2.6-debug-selinux-null-creds.patch:

--- NEW FILE linux-2.6-debug-selinux-null-creds.patch ---
--- work-2.6.29.4.orig/kernel/cred.c
+++ work-2.6.29.4/kernel/cred.c
@@ -157,6 +157,9 @@ struct cred *prepare_creds(void)
 
 	if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
 		goto error;
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+	WARN_ON((unsigned long)new->security < 8);
+#endif
 	return new;
 
 error:
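Review bot: The `WARN_ON` added after `security_prepare_creds()` is gated only at compile time, so it does not account for a kernel that has SELinux built in but inactive at runtime. The Kconfig context later in this patch shows `SECURITY_SELINUX_BOOTPARAM`, and with SELinux disabled at boot `new->security` is presumably never allocated; in that case the check would warn on every `prepare_creds()` call and bury the one report it is meant to surface. The same applies to the checks added in the other cred.c hunks. Consider also testing SELinux's runtime-enabled state before warning, or stating the limitation in the Kconfig help text. prepare_creds() starts outside the hunk.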
@@ -250,6 +253,9 @@ struct cred *prepare_usermodehelper_cred
 #endif
 	if (security_prepare_creds(new, &init_cred, GFP_ATOMIC) < 0)
 		goto error;
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+	WARN_ON((unsigned long)new->security < 8);
+#endif
 
 	BUG_ON(atomic_read(&new->usage) != 1);
 	return new;
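Review bot: The three-line guard added before `BUG_ON(atomic_read(&new->usage) != 1)` is a verbatim copy of the one in prepare_creds(), and the patch repeats it in every cred.c hunk, ten checks in all, each carrying the bare threshold `8` that has to stay in step with the `0x7UL` value stored in selinux_cred_free(). Defining the check once near the top of cred.c keeps the threshold in one place and takes the `#if` blocks out of the function bodies; `defined(CONFIG_SECURITY_SELINUX)` can also go, since the new Kconfig symbol already depends on it. The helper and constant names below are suggestions only. prepare_usermodehelper_cred() begins and ends outside the hunk.

```c
/* Proposed helper, defined once near the top of kernel/cred.c. */
#ifdef CONFIG_SECURITY_SELINUX_DEBUG_NULL
/* Values below this are NULL or the 0x7 marker left by selinux_cred_free(). */
#define CRED_SECURITY_MIN_VALID	8UL
#define cred_warn_bad_security(c) \
	WARN_ON((unsigned long)(c)->security < CRED_SECURITY_MIN_VALID)
#else
#define cred_warn_bad_security(c) do { } while (0)
#endif

/* … unchanged: allocation and setup in prepare_usermodehelper_cred() … */
	if (security_prepare_creds(new, &init_cred, GFP_ATOMIC) < 0)
		goto error;
	cred_warn_bad_security(new);
```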
@@ -331,6 +337,9 @@ int copy_creds(struct task_struct *p, un
 
 	atomic_inc(&new->user->processes);
 	p->cred = p->real_cred = get_cred(new);
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+	WARN_ON((unsigned long)new->security < 8);
+#endif
 	return 0;
 
 error_put:
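Review bot: In copy_creds() the check runs after `p->cred = p->real_cred = get_cred(new);`, so by the time it warns the credential is already installed on the new task. Moving the `WARN_ON` above `atomic_inc(&new->user->processes);` would report the bad pointer before it is published. copy_creds() starts outside the hunk, so any earlier return path in it would not be covered by this check; that is worth confirming against the full function.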
@@ -360,6 +369,9 @@ int commit_creds(struct cred *new)
 	BUG_ON(task->cred != task->real_cred);
 	BUG_ON(atomic_read(&task->real_cred->usage) < 2);
 	BUG_ON(atomic_read(&new->usage) < 1);
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+	WARN_ON((unsigned long)new->security < 8);
+#endif
 
 	old = task->real_cred;
 	security_commit_creds(new, old);
@@ -444,6 +456,10 @@ const struct cred *override_creds(const 
 {
 	const struct cred *old = current->cred;
 
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+	WARN_ON((unsigned long)old->security < 8);
+	WARN_ON((unsigned long)new->security < 8);
+#endif
 	rcu_assign_pointer(current->cred, get_cred(new));
 	return old;
 }
@@ -460,6 +476,10 @@ void revert_creds(const struct cred *old
 {
 	const struct cred *override = current->cred;
 
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+	WARN_ON((unsigned long)old->security < 8);
+	WARN_ON((unsigned long)override->security < 8);
+#endif
 	rcu_assign_pointer(current->cred, old);
 	put_cred(override);
 }
@@ -507,6 +527,10 @@ struct cred *prepare_kernel_cred(struct 
 	else
 		old = get_cred(&init_cred);
 
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+	WARN_ON((unsigned long)old->security < 8);
+#endif
+
 	*new = *old;
 	get_uid(new->user);
 	get_group_info(new->group_info);
@@ -527,6 +551,9 @@ struct cred *prepare_kernel_cred(struct 
 
 	atomic_set(&new->usage, 1);
 	put_cred(old);
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+	WARN_ON((unsigned long)new->security < 8);
+#endif
 	return new;
 
 error:
--- work-2.6.29.4.orig/security/selinux/hooks.c
+++ work-2.6.29.4/security/selinux/hooks.c
@@ -3239,7 +3239,7 @@ static int selinux_task_create(unsigned 
 static void selinux_cred_free(struct cred *cred)
 {
 	struct task_security_struct *tsec = cred->security;
-	cred->security = NULL;
+	cred->security = (void *) 0x7UL;
 	kfree(tsec);
 }
 
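Review bot: The replacement of `cred->security = NULL;` with `cred->security = (void *) 0x7UL;` sits outside any `CONFIG_SECURITY_SELINUX_DEBUG_NULL` guard, so it also takes effect in builds from config-nodebug, where none of the cred.c checks are compiled in. With the marker in place a freed cred no longer looks NULL to any code that tests `cred->security` for NULL, and a second pass through selinux_cred_free() would hand `0x7` to `kfree()` instead of a harmless NULL; whether either path exists is not visible here. Keeping the old assignment in an `#else` branch of the same guard would confine the behaviour change to debug kernels. If the marker is meant to be unconditional, a comment such as `/* non-NULL marker: tells a freed cred apart from one that never had a security blob */` would record why.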
--- work-2.6.29.4.orig/security/selinux/Kconfig
+++ work-2.6.29.4/security/selinux/Kconfig
@@ -8,6 +8,14 @@ config SECURITY_SELINUX
 	  You will also need a policy configuration and a labeled filesystem.
 	  If you are unsure how to answer this question, answer N.
 
+config SECURITY_SELINUX_DEBUG_NULL
+	bool "Debug NULL credentials"
+	depends on SECURITY_SELINUX
+	default n
+	help
+	  This adds debugging for null security credentials
+	  If you are unsure how to answer this question, answer N.
+
 config SECURITY_SELINUX_BOOTPARAM
 	bool "NSA SELinux boot parameter"
 	depends on SECURITY_SELINUX
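Review bot: The help text for `SECURITY_SELINUX_DEBUG_NULL` does not say what the option actually does or what it costs, and its first sentence lacks a full stop. Something like `This adds WARN_ON checks in kernel/cred.c that fire when a credential's security pointer is NULL or holds the marker left by selinux_cred_free().` would tell a person configuring the kernel what to expect in the log. It would also help to say that the option is intended for debug kernels, since each warning prints a backtrace.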


Index: config-debug
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/config-debug,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -p -r1.24 -r1.25
--- config-debug	8 Apr 2009 15:33:30 -0000	1.24
+++ config-debug	8 Jun 2009 21:44:30 -0000	1.25
@@ -50,3 +50,5 @@ CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DMA_API_DEBUG=y
 
 CONFIG_MMIOTRACE=y
+
+CONFIG_SECURITY_SELINUX_DEBUG_NULL=y


Index: config-nodebug
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/config-nodebug,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -p -r1.33 -r1.34
--- config-nodebug	8 Apr 2009 15:33:30 -0000	1.33
+++ config-nodebug	8 Jun 2009 21:44:30 -0000	1.34
@@ -49,3 +49,5 @@ CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
 # CONFIG_DMA_API_DEBUG is not set
 
 # CONFIG_MMIOTRACE is not set
+
+# CONFIG_SECURITY_SELINUX_DEBUG_NULL is not set


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1630
retrieving revision 1.1631
diff -u -p -r1.1630 -r1.1631
--- kernel.spec	2 Jun 2009 20:44:55 -0000	1.1630
+++ kernel.spec	8 Jun 2009 21:44:30 -0000	1.1631
@@ -624,6 +624,7 @@ Patch270: linux-2.6-debug-taint-vm.patch
 Patch280: linux-2.6-debug-spinlock-taint.patch
 Patch340: linux-2.6-debug-vm-would-have-oomkilled.patch
 Patch360: linux-2.6-debug-always-inline-kzalloc.patch
+Patch370: linux-2.6-debug-selinux-null-creds.patch
 Patch380: linux-2.6-defaults-pci_no_msi.patch
 Patch381: linux-2.6-pciehp-update.patch
 Patch382: linux-2.6-defaults-pciehp.patch
@@ -1254,6 +1255,7 @@ ApplyPatch linux-2.6-debug-taint-vm.patc
 ApplyPatch linux-2.6-debug-spinlock-taint.patch
 ApplyPatch linux-2.6-debug-vm-would-have-oomkilled.patch
 ApplyPatch linux-2.6-debug-always-inline-kzalloc.patch
+ApplyPatch linux-2.6-debug-selinux-null-creds.patch
 
 #
 # PCI
@@ -2019,6 +2021,9 @@ fi
 # and build.
 
 %changelog
+* Tue Jun  8 2009 Chuck Ebbert <cebbert at redhat.com> - 2.6.29.4-169
+- Add debug patch for finding null security credentials. (494067)
+
 * Tue Jun  2 2009 Roland McGrath <roland at redhat.com> - 2.6.29.4-168
 - utrace update (fixes stap PR10185)
 



