kernel.git: add "version-release" tags?
by Paul Bolle
0) Would it be possible to add tags to the kernel.git repository
corresponding to the "%{VERSION}-%{RELEASE}" tags (i.e., rpm query tags) of
the kernel rpms (that have actually been released)?
1) Eg, checking out the current Fedora 16 kernel could be done with
git checkout 3.3.2-1.fc16
instead of
rpm -q kernel-3.3.2-1.fc16 --changelog | head
git log -p origin/f16 | less
[ grep on the string "Linux 3.3.2" ]
[ copy a sha1sum ]
git checkout 28b13140ec3375d59bac4f2d6bc336f7b8ed6fc7
2) Or would that require a lot of work for the people in charge of stuff
like that?
(3) This is not really a kernel.git specific thing. I just ran into
this issue once again with the Fedora kernel rpms, because I happen to
build those more often than other Fedora rpms.)
Paul Bolle
Re: Rawhide kernels Changes?
by Frank Murphy
On 21/04/12 15:24, Josh Boyer wrote:
> Also, none of that is what I suggested you do.
>
> josh
>
It appears to be a udev/dracut battle.
/sbin/udevd is not in F18
yum whatprovides */sbin/udevd
returns "No matches found"
Definitely not the kernel.
--
Regards,
Frank
"Jack of all, fubars"
Rawhide kernels Changes?
by Frank Murphy
Haven't been able to boot since:
kernel-3.4.0-0.rc3.git0.1.fc18
Immediately after line showing removing RD, MD RAID activation
Drops to a dracut shell.
Novelties such as locate, dir don't exist.
KVM Guests i386, x86_64
Have installed kernel-modules-extra,
as a just in case.
Looking at the changelogs for the last couple of kernels since,
can't really make out anything substantial.
Virt\real hard hasn't changed.
--
Regards,
Frank
"Jack of all, fubars"
new kernel header file not being packaged in kernel-headers
by Jeff Layton
Recently, I added a new upcall to mainline kernels and with that I
added a new header file to describe the upcall/downcall format
(include/linux/nfsd/cld.h).
I've noticed though that that file is not being packaged in the
kernel-headers package, even though the other files in the linux/nfsd
dir are. Is there some master list that I need to add this file to? Or
do I need to mark this file in some way to ensure that it gets included
in kernel-headers?
Thanks in advance,
--
Jeff Layton <jlayton(a)poochiereds.net>
Fedora Kernel Meeting 04-13-2012 Minutes
by Justin Forbes
======================================
#fedora-meeting: Fedora Kernel Meeting
======================================
Meeting started by jforbes at 18:00:12 UTC. The full logs are available
at http://meetbot.fedoraproject.org/fedora-meeting/2012-04-13/fedora-meeting... .
Meeting summary
---------------
* F15 (jforbes, 18:01:13)
* Taking an exceptionally long time to get karma for F15 kernels
* F16 (jforbes, 18:08:06)
* F17 (jforbes, 18:14:54)
* rawhide (jforbes, 18:17:44)
* kernel-module-extras (jforbes, 18:21:31)
* dlm module to be moved to kernel-module-extras (jforbes, 18:40:10)
* open floor (jforbes, 18:56:31)
Meeting ended at 18:58:50 UTC.
Action Items
------------
Action Items, by person
-----------------------
* **UNASSIGNED**
* (none)
People Present (lines said)
---------------------------
* jforbes (57)
* davej (47)
* jwb (47)
* swhiteho (46)
* brunowolff_ (3)
* zodbot (2)
* pjones (2)
* nirik (1)
Generated by `MeetBot`_ 0.1.4
.. _`MeetBot`: http://wiki.debian.org/MeetBot
[PATCH] SELinux: apply a different permission to ptrace a child vs non-child
by Eric Paris
Some applications, like gdb, are able to ptrace both children or other
completely unrelated tasks. We would like to be able to discern these two
things and to be able to allow gdb to ptrace its children, but not to be
able to ptrace unrelated tasks for security reasons.
Upstream is a bit wary of this patch as it may be incomplete. They are
not fundamentally opposed to the patch, I was just asked to see if I could
flush out any needed refinement in Fedora where we already had the
problem. We may find that we need to emulate the YAMA non-child
registration module in order to completely deal with 'normal' ptrace on
a system. At the moment however, this patch will at least let us get
gdb working for many users in Fedora (see fedora-devel-list for a
discussion of the current issues people are complaining about in F17
without this).
---
security/selinux/hooks.c | 38 +++++++++++++++++++++++++++++++++++
security/selinux/include/classmap.h | 2 +-
security/selinux/include/security.h | 2 ++
security/selinux/selinuxfs.c | 3 ++-
security/selinux/ss/services.c | 3 +++
5 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1a4acf4..b226f26 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1805,6 +1805,39 @@ static inline u32 open_file_to_av(struct file *file)
/* Hook functions begin here. */
+/**
+ * task_is_descendant - walk up a process family tree looking for a match
+ * @parent: the process to compare against while walking up from child
+ * @child: the process to start from while looking upwards for parent
+ *
+ * Returns 1 if child is a descendant of parent, 0 if not.
+ */
+static int task_is_descendant(struct task_struct *parent,
+ struct task_struct *child)
+{
+ int rc = 0;
+ struct task_struct *walker = child;
+
+ if (!parent || !child)
+ return 0;
+
+ rcu_read_lock();
+ if (!thread_group_leader(parent))
+ parent = rcu_dereference(parent->group_leader);
+ while (walker->pid > 0) {
+ if (!thread_group_leader(walker))
+ walker = rcu_dereference(walker->group_leader);
+ if (walker == parent) {
+ rc = 1;
+ break;
+ }
+ walker = rcu_dereference(walker->real_parent);
+ }
+ rcu_read_unlock();
+
+ return rc;
+}
+
static int selinux_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
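Review bot: task_is_descendant() treats a task as its own descendant: walker starts at child and is compared with parent before the first step up real_parent, so task_is_descendant(p, p) returns 1, while the kernel-doc says "Returns 1 if child is a descendant of parent". Either document that child == parent also matches (harmless for the two ptrace callers, since a task never attaches to itself) or start the walk from child's real_parent. Normalising both sides to their thread group leader and walking real_parent under rcu_read_lock() until pid 0 otherwise looks right.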
@@ -1820,6 +1853,9 @@ static int selinux_ptrace_access_check(struct task_struct *child,
return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
}
+
+ if (selinux_policycap_ptrace_child && task_is_descendant(current, child))
+ return current_has_perm(child, PROCESS__PTRACE_CHILD);
return current_has_perm(child, PROCESS__PTRACE);
}
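Review bot: in selinux_ptrace_access_check, once the capability is on and child is a descendant, the only permission consulted is process:ptrace_child, so process:ptrace is no longer sufficient for a domain's own children. The commit message presents ptrace_child as the narrower permission, yet a domain that today holds ptrace but is not granted ptrace_child by policy will start being denied on its children as soon as the capability is enabled. Either fall back to PROCESS__PTRACE when the ptrace_child check fails, or state in the commit message that a policy enabling the capability must grant ptrace_child alongside ptrace wherever child debugging is expected.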
@@ -1831,6 +1867,8 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
if (rc)
return rc;
+ if (selinux_policycap_ptrace_child && task_is_descendant(parent, current))
+ return task_has_perm(parent, current, PROCESS__PTRACE_CHILD);
return task_has_perm(parent, current, PROCESS__PTRACE);
}
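Review bot: selinux_ptrace_traceme is reached only through PTRACE_TRACEME, where the core passes current->parent, so task_is_descendant(parent, current) should always hold here and the new branch reduces to a test of selinux_policycap_ptrace_child. A one-line comment saying the walk is kept for symmetry with the access_check path (or dropping it and checking only the capability) would save the next reader from wondering how the descendant test could fail in this hook.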
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 39e678c..72c08b9 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -29,7 +29,7 @@ struct security_class_mapping secclass_map[] = {
"getattr", "setexec", "setfscreate", "noatsecure", "siginh",
"setrlimit", "rlimitinh", "dyntransition", "setcurrent",
"execmem", "execstack", "execheap", "setkeycreate",
- "setsockcreate", NULL } },
+ "setsockcreate", "ptrace_child", NULL } },
{ "system",
{ "ipc_info", "syslog_read", "syslog_mod",
"syslog_console", "module_request", NULL } },
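Review bot: the commit message should spell out the policy-side contract for the new process:ptrace_child permission: it is appended at the end of the class so existing bit assignments are unchanged, av_permissions.h is regenerated from this table at build time, and because both hooks gate on selinux_policycap_ptrace_child a policy that never declares the capability is never asked for the permission, so existing policies load and behave exactly as before. Without that paragraph, policy authors get no hint that enabling the capability also requires granting ptrace_child.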
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index dde2005..ac14b0a 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -68,12 +68,14 @@ extern int selinux_enabled;
enum {
POLICYDB_CAPABILITY_NETPEER,
POLICYDB_CAPABILITY_OPENPERM,
+ POLICYDB_CAPABILITY_PTRACE_CHILD,
__POLICYDB_CAPABILITY_MAX
};
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
extern int selinux_policycap_netpeer;
extern int selinux_policycap_openperm;
+extern int selinux_policycap_ptrace_child;
/*
* type_datum properties
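Review bot: POLICYDB_CAPABILITY_PTRACE_CHILD takes policy capability bit 2, the next free one, in a patch the commit message says upstream has not accepted. If upstream later assigns bit 2 to a different capability, a policy compiled against upstream headers would silently enable ptrace_child on this kernel (and vice versa). Worth either reserving the number with upstream first or recording the risk in the commit message; the enum order must also stay in step with policycap_names[] in selinuxfs.c, which this patch does keep aligned.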
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 4e93f9e..3379765 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -44,7 +44,8 @@
/* Policy capability filenames */
static char *policycap_names[] = {
"network_peer_controls",
- "open_perms"
+ "open_perms",
+ "ptrace_child",
};
unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
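Review bot: policycap_names[] and the POLICYDB_CAPABILITY_* enum are kept in sync only by convention; with a third entry going in, add a BUILD_BUG_ON(ARRAY_SIZE(policycap_names) != __POLICYDB_CAPABILITY_MAX) next to the array so a future mismatch fails the build instead of exposing a misnamed file in the selinuxfs policy_capabilities directory. The trailing comma after "ptrace_child" is the right style for the next addition.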
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 9b7e7ed..4d12a6e 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -72,6 +72,7 @@
int selinux_policycap_netpeer;
int selinux_policycap_openperm;
+int selinux_policycap_ptrace_child;
static DEFINE_RWLOCK(policy_rwlock);
@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void)
POLICYDB_CAPABILITY_NETPEER);
selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
POLICYDB_CAPABILITY_OPENPERM);
+ selinux_policycap_ptrace_child = ebitmap_get_bit(&policydb.policycaps,
+ POLICYDB_CAPABILITY_PTRACE_CHILD);
}
static int security_preserve_bools(struct policydb *p);
nvidia card and kernel 3.1
by Dmitriy Tochansky
Hello!
I bought a new video card yesterday and have some problems with it.
After inserting it to my PC, I found in dmesg:
[ 9.877721] PERCPU: allocation failed, size=240 align=4, failed to allocate new chunk
[ 9.877729] Pid: 755, comm: modprobe Not tainted 3.1.0-7.fc16.i686 #1
[ 9.877732] Call Trace:
[ 9.877743] [<c0808e3e>] ? printk+0x2d/0x2f
[ 9.877752] [<c04c6904>] pcpu_alloc+0x659/0x6c1
[ 9.877759] [<c0468e19>] ? sys_init_module+0x5b/0x15c7
[ 9.877767] [<c04d3233>] ? __vmalloc_node+0x54/0x5b
[ 9.877773] [<c0429d7c>] ? should_resched+0xd/0x27
[ 9.877788] [<c04c6b69>] __alloc_reserved_percpu+0x12/0x14
[ 9.877794] [<c0469169>] sys_init_module+0x3ab/0x15c7
[ 9.877801] [<c0813ad9>] ? do_page_fault+0x2a9/0x304
[ 9.877807] [<c04ff24c>] ? mntput_no_expire+0x27/0xb9
[ 9.877816] [<c0810b0c>] syscall_call+0x7/0xb
[ 9.877823] [<c044007b>] ? sys_waitid+0x4a/0x141
[ 9.877827] nf_conntrack: Could not allocate 240 bytes percpu data
[ 9.878335] modprobe[755]: FATAL: Error inserting xt_state (/lib/modules/3.1.0-7.fc16.i686/kernel/net/netfilter/xt_state.ko): Cannot allocate memory
[ 9.878664] iptables.init[738]: iptables: Applying firewall rules: iptables-restore: line 12 failed
[ 9.883352] iptables.init[738]: [FAILED]
[ 9.909336] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 9.917425] PERCPU: allocation failed, size=240 align=4, failed to allocate new chunk
[ 9.917433] Pid: 777, comm: modprobe Not tainted 3.1.0-7.fc16.i686 #1
[ 9.917437] Call Trace:
[ 9.917448] [<c0808e3e>] ? printk+0x2d/0x2f
[ 9.917456] [<c04c6904>] pcpu_alloc+0x659/0x6c1
[ 9.917463] [<c0468e19>] ? sys_init_module+0x5b/0x15c7
[ 9.917471] [<c04d3233>] ? __vmalloc_node+0x54/0x5b
[ 9.917477] [<c0429d7c>] ? should_resched+0xd/0x27
[ 9.917492] [<c04c6b69>] __alloc_reserved_percpu+0x12/0x14
[ 9.917497] [<c0469169>] sys_init_module+0x3ab/0x15c7
[ 9.917504] [<c0813ad9>] ? do_page_fault+0x2a9/0x304
[ 9.917511] [<c04ff24c>] ? mntput_no_expire+0x27/0xb9
[ 9.917520] [<c0810b0c>] syscall_call+0x7/0xb
[ 9.917527] [<c044007b>] ? sys_waitid+0x4a/0x141
[ 9.917531] nf_conntrack: Could not allocate 240 bytes percpu data
[ 9.917802] modprobe[777]: FATAL: Error inserting xt_state (/lib/modules/3.1.0-7.fc16.i686/kernel/net/netfilter/xt_state.ko): Cannot allocate memory
Many other problems like:
[root@home toch]# modprobe fuse
FATAL: Error inserting fuse (/lib/modules/3.1.0-7.fc16.i686/kernel/fs/fuse/fuse.ko): Cannot allocate memory
Boot with kernel 3.3 failed with a black screen.
--
Dmitriy