April 2012 - kernel - Fedora Mailing-Lists

by Paul Bolle

0) Would it be possible to add tags to the kernel.git repository corresponding to the "%{VERSION}-%{RELEASE}" tags (ie, rpm querytags) of the kernel rpms (that have actually been released)? 1) Eg, checking out the current Fedora 16 kernel could be done with git checkout 3.3.2-1.fc16 instead of rpm -q kernel-3.3.2-1.fc16 --changelog | head git log -p origin/f16 | less [ grep on the string "Linux 3.3.2" ] [ copy a sha1sum ] git checkout 28b13140ec3375d59bac4f2d6bc336f7b8ed6fc7 2) Or would that require a lot of work for the people in charge of stuff like that? (3) This is not really a kernel.git specific thing. It just ran into this issue once again with the Fedora kernel rpms, because I happen to build those more often than other Fedora rpms.) Paul Bolle

12 years

6
18
0 / 0

Re: Rawhide kernels Changes?

by Frank Murphy

On 21/04/12 15:24, Josh Boyer wrote: > Also, none of that is what I suggested you do. > > josh > It appears to be a udev/dracut battle. /sbin/udevd is not in F18 yum whatprovides */sbin/udevd returns "No matches found" Defiantly not the kernel. -- Regards, Frank "Jack of all, fubars"

12 years

1
0
0 / 0

Rawhide kernels Changes?

by Frank Murphy

Haven't been able to boot since: kernel-3.4.0-0.rc3.git0.1.fc18 Immediately after line showing removing RD, MD RAID activation Drops to a dracut shell. Novelties such as locate, dir don't exist. KVM Guests i386, x86_64 Have installed kernel-modules-extra, as a just in case. Looking at the changlogs for the last couple of kernels since, can't really make out anything substantial. Virt\real hard hasn't changed. -- Regards, Frank "Jack of all, fubars"

12 years

3
5
0 / 0

new kernel header file not being packaged in kernel-headers

by Jeff Layton

Recently, I added a new upcall to mainline kernels and with that I added a new header file to describe the upcall/downcall format (include/linux/nfsd/cld.h). I've noticed though that that file is not being packaged in the kernel-headers package, even though the other files in the linux/nfsd dir are. Is there some master list that I need to add this file to? Or do I need to mark this file in some way to ensure that it gets included in kernel-headers? Thanks in advance, -- Jeff Layton <jlayton(a)poochiereds.net>

12 years

4
5
0 / 0

Fedora Kernel Meeting 04-13-2012 Minutes

by Justin Forbes

====================================== #fedora-meeting: Fedora Kernel Meeting ====================================== Meeting started by jforbes at 18:00:12 UTC. The full logs are available at http://meetbot.fedoraproject.org/fedora-meeting/2012-04-13/fedora-meeting... . Meeting summary --------------- * F15 (jforbes, 18:01:13) * Taking an exceptionally long time to get karma for F15 kernels * F16 (jforbes, 18:08:06) * F17 (jforbes, 18:14:54) * rawhide (jforbes, 18:17:44) * kernel-module-extras (jforbes, 18:21:31) * dlm module to be moved to kernel-module-extras (jforbes, 18:40:10) * open floor (jforbes, 18:56:31) Meeting ended at 18:58:50 UTC. Action Items ------------ Action Items, by person ----------------------- * **UNASSIGNED** * (none) People Present (lines said) --------------------------- * jforbes (57) * davej (47) * jwb (47) * swhiteho (46) * brunowolff_ (3) * zodbot (2) * pjones (2) * nirik (1) Generated by `MeetBot`_ 0.1.4 .. _`MeetBot`: http://wiki.debian.org/MeetBot

12 years

1
0
0 / 0

[PATCH] SELinux: apply a different permission to ptrace a child vs non-child

by Eric Paris

Some applications, like gdb, are able to ptrace both children or other completely unrelated tasks. We would like to be able to discern these two things and to be able to allow gdb to ptrace it's children, but not to be able to ptrace unrelated tasks for security reasons. Upstream is a bit weary of this patch as it may be incomplete. They are not fundamentally opposed to the patch, I was just ask to see if I could flush out any needed refinement in Fedora where we already had the problem. We may find that we need to emulate the YAMA non-child registration module in order to completely deal with 'normal' ptrace on a system. At the moment however, this patch will at least let us get gdb working for many users in Fedora (See fedora-devel-list for a discussion of the current issues people are complaining about in F17 without this) --- security/selinux/hooks.c | 38 +++++++++++++++++++++++++++++++++++ security/selinux/include/classmap.h | 2 +- security/selinux/include/security.h | 2 ++ security/selinux/selinuxfs.c | 3 ++- security/selinux/ss/services.c | 3 +++ 5 files changed, 46 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1a4acf4..b226f26 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1805,6 +1805,39 @@ static inline u32 open_file_to_av(struct file *file) /* Hook functions begin here. */ +/** + * task_is_descendant - walk up a process family tree looking for a match + * @parent: the process to compare against while walking up from child + * @child: the process to start from while looking upwards for parent + * + * Returns 1 if child is a descendant of parent, 0 if not. + */ +static int task_is_descendant(struct task_struct *parent, + struct task_struct *child) +{ + int rc = 0; + struct task_struct *walker = child; + + if (!parent || !child) + return 0; + + rcu_read_lock(); + if (!thread_group_leader(parent)) + parent = rcu_dereference(parent->group_leader); + while (walker->pid > 0) { + if (!thread_group_leader(walker)) + walker = rcu_dereference(walker->group_leader); + if (walker == parent) { + rc = 1; + break; + } + walker = rcu_dereference(walker->real_parent); + } + rcu_read_unlock(); + + return rc; +} + static int selinux_ptrace_access_check(struct task_struct *child, unsigned int mode) { @@ -1820,6 +1853,9 @@ static int selinux_ptrace_access_check(struct task_struct *child, return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); } + + if (selinux_policycap_ptrace_child && task_is_descendant(current, child)) + return current_has_perm(child, PROCESS__PTRACE_CHILD); return current_has_perm(child, PROCESS__PTRACE); } @@ -1831,6 +1867,8 @@ static int selinux_ptrace_traceme(struct task_struct *parent) if (rc) return rc; + if (selinux_policycap_ptrace_child && task_is_descendant(parent, current)) + return task_has_perm(parent, current, PROCESS__PTRACE_CHILD); return task_has_perm(parent, current, PROCESS__PTRACE); } diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 39e678c..72c08b9 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -29,7 +29,7 @@ struct security_class_mapping secclass_map[] = { "getattr", "setexec", "setfscreate", "noatsecure", "siginh", "setrlimit", "rlimitinh", "dyntransition", "setcurrent", "execmem", "execstack", "execheap", "setkeycreate", - "setsockcreate", NULL } }, + "setsockcreate", "ptrace_child", NULL } }, { "system", { "ipc_info", "syslog_read", "syslog_mod", "syslog_console", "module_request", NULL } }, diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index dde2005..ac14b0a 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -68,12 +68,14 @@ extern int selinux_enabled; enum { POLICYDB_CAPABILITY_NETPEER, POLICYDB_CAPABILITY_OPENPERM, + POLICYDB_CAPABILITY_PTRACE_CHILD, __POLICYDB_CAPABILITY_MAX }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) extern int selinux_policycap_netpeer; extern int selinux_policycap_openperm; +extern int selinux_policycap_ptrace_child; /* * type_datum properties diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 4e93f9e..3379765 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -44,7 +44,8 @@ /* Policy capability filenames */ static char *policycap_names[] = { "network_peer_controls", - "open_perms" + "open_perms", + "ptrace_child", }; unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 9b7e7ed..4d12a6e 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -72,6 +72,7 @@ int selinux_policycap_netpeer; int selinux_policycap_openperm; +int selinux_policycap_ptrace_child; static DEFINE_RWLOCK(policy_rwlock); @@ -1812,6 +1813,8 @@ static void security_load_policycaps(void) POLICYDB_CAPABILITY_NETPEER); selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps, POLICYDB_CAPABILITY_OPENPERM); + selinux_policycap_ptrace_child = ebitmap_get_bit(&policydb.policycaps, + POLICYDB_CAPABILITY_PTRACE_CHILD); } static int security_preserve_bools(struct policydb *p);

12 years

3
3
0 / 0

First 3.4 rc2 build is a debug build

by Bruno Wolff III

Can we get a release build for the next rc2 build as a make up?

12 years

2
1
0 / 0

how to build carl9170 firmware

by Dan Horák

Hi, after a discussion with jwb and linvile on #fedora-kernel I did some experiments how could be the carl9170 firmware [1] built using the existing tools (dhowell's cross-gcc [2]). And the result is that it is feasible. See first patch for proof of concept using sh4-linux-gnu toolchain and second patch for proposed solution after we get the sh-linux-gnu toolchain (https://bugzilla.redhat.com/show_bug.cgi?id=766166#c12). Dan [1] http://linuxwireless.org/en/users/Drivers/carl9170 [2] http://koji.fedoraproject.org/koji/packageinfo?packageID=13624

12 years

2
3
0 / 0

nvidia card and kernel 3.1

by Dmitriy Tochansky

Hello! I bough new videocard yesterday and have some problems with it. After inserting it to my PC, I found in dmesg: [ 9.877721] PERCPU: allocation failed, size=240 align=4, failed to allocate new chunk [ 9.877729] Pid: 755, comm: modprobe Not tainted 3.1.0-7.fc16.i686 #1 [ 9.877732] Call Trace: [ 9.877743] [<c0808e3e>] ? printk+0x2d/0x2f [ 9.877752] [<c04c6904>] pcpu_alloc+0x659/0x6c1 [ 9.877759] [<c0468e19>] ? sys_init_module+0x5b/0x15c7 [ 9.877767] [<c04d3233>] ? __vmalloc_node+0x54/0x5b [ 9.877773] [<c0429d7c>] ? should_resched+0xd/0x27 [ 9.877788] [<c04c6b69>] __alloc_reserved_percpu+0x12/0x14 [ 9.877794] [<c0469169>] sys_init_module+0x3ab/0x15c7 [ 9.877801] [<c0813ad9>] ? do_page_fault+0x2a9/0x304 [ 9.877807] [<c04ff24c>] ? mntput_no_expire+0x27/0xb9 [ 9.877816] [<c0810b0c>] syscall_call+0x7/0xb [ 9.877823] [<c044007b>] ? sys_waitid+0x4a/0x141 [ 9.877827] nf_conntrack: Could not allocate 240 bytes percpu data [ 9.878335] modprobe[755]: FATAL: Error inserting xt_state (/lib/modules/3.1.0-7.fc16.i686/kernel/net/netfilter/xt_state.ko): Cannot allocate memory [ 9.878664] iptables.init[738]: iptables: Applying firewall rules: iptables-restore: line 12 failed [ 9.883352] iptables.init[738]: [FAILED] [ 9.909336] ip6_tables: (C) 2000-2006 Netfilter Core Team [ 9.917425] PERCPU: allocation failed, size=240 align=4, failed to allocate new chunk [ 9.917433] Pid: 777, comm: modprobe Not tainted 3.1.0-7.fc16.i686 #1 [ 9.917437] Call Trace: [ 9.917448] [<c0808e3e>] ? printk+0x2d/0x2f [ 9.917456] [<c04c6904>] pcpu_alloc+0x659/0x6c1 [ 9.917463] [<c0468e19>] ? sys_init_module+0x5b/0x15c7 [ 9.917471] [<c04d3233>] ? __vmalloc_node+0x54/0x5b [ 9.917477] [<c0429d7c>] ? should_resched+0xd/0x27 [ 9.917492] [<c04c6b69>] __alloc_reserved_percpu+0x12/0x14 [ 9.917497] [<c0469169>] sys_init_module+0x3ab/0x15c7 [ 9.917504] [<c0813ad9>] ? do_page_fault+0x2a9/0x304 [ 9.917511] [<c04ff24c>] ? mntput_no_expire+0x27/0xb9 [ 9.917520] [<c0810b0c>] syscall_call+0x7/0xb [ 9.917527] [<c044007b>] ? sys_waitid+0x4a/0x141 [ 9.917531] nf_conntrack: Could not allocate 240 bytes percpu data [ 9.917802] modprobe[777]: FATAL: Error inserting xt_state (/lib/modules/3.1.0-7.fc16.i686/kernel/net/netfilter/xt_state.ko): Cannot allocate memory Much other problems like: [root@home toch]# modprobe fuse FATAL: Error inserting fuse (/lib/modules/3.1.0-7.fc16.i686/kernel/fs/fuse/fuse.ko): Cannot allocate memory Boot with kernel 3.3 is failed with blackscreen. -- Dmitriy

12 years

3
3
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

kernel April 2012