rpms/kernel/F-11 linux-2.6-debug-selinux-null-creds.patch, NONE, 1.1 config-debug, 1.24, 1.25 config-nodebug, 1.33, 1.34 kernel.spec, 1.1630, 1.1631
Chuck Ebbert
cebbert at fedoraproject.org
Mon Jun 8 21:45:02 UTC 2009
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12161
Modified Files:
config-debug config-nodebug kernel.spec
Added Files:
linux-2.6-debug-selinux-null-creds.patch
Log Message:
Add debug patch for finding null security credentials. (494067)
linux-2.6-debug-selinux-null-creds.patch:
--- NEW FILE linux-2.6-debug-selinux-null-creds.patch ---
--- work-2.6.29.4.orig/kernel/cred.c
+++ work-2.6.29.4/kernel/cred.c
@@ -157,6 +157,9 @@ struct cred *prepare_creds(void)
if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
goto error;
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+ WARN_ON((unsigned long)new->security < 8);
+#endif
return new;
error:
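Review bot: The `#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)` / `WARN_ON((unsigned long)new->security < 8);` / `#endif` block added before `return new;` is repeated in every cred.c hunk of this patch (prepare_usermodehelper_cred, copy_creds, commit_creds, override_creds, revert_creds and both prepare_kernel_cred hunks), and the literal 8 only makes sense next to the `0x7UL` poison written in selinux_cred_free(). I would define the check once near the top of kernel/cred.c, with a comment saying it catches both NULL and the freed-cred poison, and call it at each site so a later change to the poison value cannot leave some sites stale. The helper name below is only a suggestion. prepare_creds() starts and ends outside this hunk.

```c
/* Debug aid: warn if a cred's security pointer is NULL or the poison
 * value selinux_cred_free() stores (anything below 8). */
#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
#define CRED_WARN_BAD_SECURITY(c) WARN_ON((unsigned long)(c)->security < 8)
#else
#define CRED_WARN_BAD_SECURITY(c) do { } while (0)
#endif

/* … unchanged: prepare_creds() up to the security_prepare_creds() call … */
	CRED_WARN_BAD_SECURITY(new);
	return new;
```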
@@ -250,6 +253,9 @@ struct cred *prepare_usermodehelper_cred
#endif
if (security_prepare_creds(new, &init_cred, GFP_ATOMIC) < 0)
goto error;
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+ WARN_ON((unsigned long)new->security < 8);
+#endif
BUG_ON(atomic_read(&new->usage) != 1);
return new;
@@ -331,6 +337,9 @@ int copy_creds(struct task_struct *p, un
atomic_inc(&new->user->processes);
p->cred = p->real_cred = get_cred(new);
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+ WARN_ON((unsigned long)new->security < 8);
+#endif
return 0;
error_put:
@@ -360,6 +369,9 @@ int commit_creds(struct cred *new)
BUG_ON(task->cred != task->real_cred);
BUG_ON(atomic_read(&task->real_cred->usage) < 2);
BUG_ON(atomic_read(&new->usage) < 1);
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+ WARN_ON((unsigned long)new->security < 8);
+#endif
old = task->real_cred;
security_commit_creds(new, old);
@@ -444,6 +456,10 @@ const struct cred *override_creds(const
{
const struct cred *old = current->cred;
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+ WARN_ON((unsigned long)old->security < 8);
+ WARN_ON((unsigned long)new->security < 8);
+#endif
rcu_assign_pointer(current->cred, get_cred(new));
return old;
}
@@ -460,6 +476,10 @@ void revert_creds(const struct cred *old
{
const struct cred *override = current->cred;
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+ WARN_ON((unsigned long)old->security < 8);
+ WARN_ON((unsigned long)override->security < 8);
+#endif
rcu_assign_pointer(current->cred, old);
put_cred(override);
}
@@ -507,6 +527,10 @@ struct cred *prepare_kernel_cred(struct
else
old = get_cred(&init_cred);
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+ WARN_ON((unsigned long)old->security < 8);
+#endif
+
*new = *old;
get_uid(new->user);
get_group_info(new->group_info);
@@ -527,6 +551,9 @@ struct cred *prepare_kernel_cred(struct
atomic_set(&new->usage, 1);
put_cred(old);
+#if defined(CONFIG_SECURITY_SELINUX) && defined(CONFIG_SECURITY_SELINUX_DEBUG_NULL)
+ WARN_ON((unsigned long)new->security < 8);
+#endif
return new;
error:
--- work-2.6.29.4.orig/security/selinux/hooks.c
+++ work-2.6.29.4/security/selinux/hooks.c
@@ -3239,7 +3239,7 @@ static int selinux_task_create(unsigned
static void selinux_cred_free(struct cred *cred)
{
struct task_security_struct *tsec = cred->security;
- cred->security = NULL;
+ cred->security = (void *) 0x7UL;
kfree(tsec);
}
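Review bot: The change from `cred->security = NULL;` to `cred->security = (void *) 0x7UL;` is not guarded by CONFIG_SECURITY_SELINUX_DEBUG_NULL, so kernels built from config-nodebug get the poison while every WARN_ON that recognises it is compiled out. Any code that tests `cred->security` against NULL on a freed cred would then treat 0x7 as a valid pointer; whether such a test exists is not visible from this patch. I would keep the NULL store unless the debug option is set, and add a comment tying the poison to the `< 8` threshold used in kernel/cred.c.

```c
	struct task_security_struct *tsec = cred->security;
#ifdef CONFIG_SECURITY_SELINUX_DEBUG_NULL
	/* Poison value for a freed cred; below the < 8 threshold checked in kernel/cred.c. */
	cred->security = (void *) 0x7UL;
#else
	cred->security = NULL;
#endif
	kfree(tsec);
```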
--- work-2.6.29.4.orig/security/selinux/Kconfig
+++ work-2.6.29.4/security/selinux/Kconfig
@@ -8,6 +8,14 @@ config SECURITY_SELINUX
You will also need a policy configuration and a labeled filesystem.
If you are unsure how to answer this question, answer N.
+config SECURITY_SELINUX_DEBUG_NULL
+ bool "Debug NULL credentials"
+ depends on SECURITY_SELINUX
+ default n
+ help
+ This adds debugging for null security credentials
+ If you are unsure how to answer this question, answer N.
+
config SECURITY_SELINUX_BOOTPARAM
bool "NSA SELinux boot parameter"
depends on SECURITY_SELINUX
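Review bot: The help text for SECURITY_SELINUX_DEBUG_NULL does not say what the option does or what to look for once it is enabled, and its first sentence is missing a full stop. Something like `This adds WARN_ON checks to the credential functions in kernel/cred.c that fire when a cred's security pointer is NULL or the freed-cred poison value.` would tell whoever turns it on what the resulting log output means. `default n` is also redundant, since a bool option without a default is already n.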
Index: config-debug
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/config-debug,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -p -r1.24 -r1.25
--- config-debug 8 Apr 2009 15:33:30 -0000 1.24
+++ config-debug 8 Jun 2009 21:44:30 -0000 1.25
@@ -50,3 +50,5 @@ CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DMA_API_DEBUG=y
CONFIG_MMIOTRACE=y
+
+CONFIG_SECURITY_SELINUX_DEBUG_NULL=y
Index: config-nodebug
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/config-nodebug,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -p -r1.33 -r1.34
--- config-nodebug 8 Apr 2009 15:33:30 -0000 1.33
+++ config-nodebug 8 Jun 2009 21:44:30 -0000 1.34
@@ -49,3 +49,5 @@ CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
# CONFIG_DMA_API_DEBUG is not set
# CONFIG_MMIOTRACE is not set
+
+# CONFIG_SECURITY_SELINUX_DEBUG_NULL is not set
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1630
retrieving revision 1.1631
diff -u -p -r1.1630 -r1.1631
--- kernel.spec 2 Jun 2009 20:44:55 -0000 1.1630
+++ kernel.spec 8 Jun 2009 21:44:30 -0000 1.1631
@@ -624,6 +624,7 @@ Patch270: linux-2.6-debug-taint-vm.patch
Patch280: linux-2.6-debug-spinlock-taint.patch
Patch340: linux-2.6-debug-vm-would-have-oomkilled.patch
Patch360: linux-2.6-debug-always-inline-kzalloc.patch
+Patch370: linux-2.6-debug-selinux-null-creds.patch
Patch380: linux-2.6-defaults-pci_no_msi.patch
Patch381: linux-2.6-pciehp-update.patch
Patch382: linux-2.6-defaults-pciehp.patch
@@ -1254,6 +1255,7 @@ ApplyPatch linux-2.6-debug-taint-vm.patc
ApplyPatch linux-2.6-debug-spinlock-taint.patch
ApplyPatch linux-2.6-debug-vm-would-have-oomkilled.patch
ApplyPatch linux-2.6-debug-always-inline-kzalloc.patch
+ApplyPatch linux-2.6-debug-selinux-null-creds.patch
#
# PCI
@@ -2019,6 +2021,9 @@ fi
# and build.
%changelog
+* Tue Jun 8 2009 Chuck Ebbert <cebbert at redhat.com> - 2.6.29.4-169
+- Add debug patch for finding null security credentials. (494067)
+
* Tue Jun 2 2009 Roland McGrath <roland at redhat.com> - 2.6.29.4-168
- utrace update (fixes stap PR10185)