Allow to tie upper bits of syscall bitmap in audit rules to kernel-defined
sets of syscalls. Infrastructure, a couple of classes (with 32bit counterparts
for biarch targets) and actual tie-in on i386, amd64 and ia64.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
We now have infrastructure in place to mark an EXPORTed symbol
as unused. So the natural next step is to warn during buildtime when
a module uses a symbol marked UNUSED.
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
This patch introduces object audit filters based on the elements
of the SELinux context.
Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
kernel/auditfilter.c | 25 +++++++++++++++++++++++++
kernel/auditsc.c | 40 ++++++++++++++++++++++++++++++++++++++++
security/selinux/ss/services.c | 18 +++++++++++++++++-
3 files changed, 82 insertions(+), 1 deletion(-)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This patch renames some audit constant definitions and adds
additional definitions used by the following patch. The renaming
avoids ambiguity with respect to the new definitions.
Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
include/linux/audit.h | 15 ++++++++----
kernel/auditfilter.c | 50 ++++++++++++++++++++---------------------
kernel/auditsc.c | 10 ++++----
security/selinux/ss/services.c | 32 +++++++++++++-------------
4 files changed, 56 insertions(+), 51 deletions(-)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Add support for a rule key, which can be used to tie audit records to audit
rules. This is useful when a watched file is accessed through a link or
symlink, as well as for general audit log analysis.
Because this patch uses a string key instead of an integer key, there is a bit
of extra overhead to do the kstrdup() when a rule fires. However, we're also
allocating memory for the audit record buffer, so it's probably not that
significant. I went ahead with a string key because it seems more
user-friendly.
Note that the user must ensure that filterkeys are unique. The kernel only
checks for duplicate rules.
Signed-off-by: Amy Griffis <amy.griffis@hpd.com>
Some fix that I forgot for good accessibility of lxdialog (the cursor
should always be left at the focus location):
Have the checklist display the currently highlighted entry last, for having
the cursor left on it (rather than on the last line of the list).
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
kbuild used $¤(*F to get filename of target without extension.
This was used in several places all over kbuild, but introducing
make -rR broke his for all cases where we specified full path to
target/prerequsite. It is assumed that make -rR disables old style
suffix-rules which is why is suddenly failed.
ia64 was impacted by this change because several div* routines in
arch/ia64/lib are build using explicit paths and then kbuild failed.
Thanks to David Mosberger-Tang <David.Mosberger@acm.org> for an explanation
what was the root-cause and for testing on ia64.
This patch also fixes two uses of $(*F) in arch/um
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
* master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
[SPARC64]: Kill sun4v virtual device layer.
[SERIAL] sunhv: Convert to of_driver layer.
[SPARC64]: Mask out top 8-bits in physical address when building resources.
[SERIAL] sunsu: Missing return statement in su_probe().
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
[IPV6]: Added GSO support for TCPv6
[NET]: Generalise TSO-specific bits from skb_setup_caps
[IPV6]: Added GSO support for TCPv6
[IPV6]: Remove redundant length check on input
[NETFILTER]: SCTP conntrack: fix crash triggered by packet without chunks
[TG3]: Update version and reldate
[TG3]: Add TSO workaround using GSO
[TG3]: Turn on hw fix for ASF problems
[TG3]: Add rx BD workaround
[TG3]: Add tg3_netif_stop() in vlan functions
[TCP]: Reset gso_segs if packet is dodgy
* 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/roland/infiniband:
IB/core: Set alternate port number when initializing QP attributes
IB/uverbs: Set correct user handle for user SRQs
* git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6/:
[PATCH] pcmcia: fix deadlock in pcmcia_parse_events
[PATCH] com20020_cs: more device support
[PATCH] au1xxx: pcmcia: fix __init called from non-init
[PATCH] kill open-coded offsetof in cm4000_cs.c ZERO_DEV()
[PATCH] pcmcia: convert pcmcia_cs to kthread
[PATCH] pcmcia: fix kernel-doc function name
[PATCH] pcmcia: hostap_cs.c - 0xc00f,0x0000 conflicts with pcnet_cs
[PATCH] pcmcia: at91_cf suspend/resume/wakeup
[PATCH] pcmcia: Make ide_cs work with the memory space of CF-Cards if IO space is not available
[PATCH] pcmcia: TI PCIxx12 CardBus controller support
[PATCH] pcmcia: warn if driver requests exclusive, but gets a shared IRQ
[PATCH] pcmcia: expose tool in pcmcia/Documentation/pcmcia/
[PATCH] pcmcia: another ID for serial_cs.c
[PATCH] yenta: fix hidden PCI bus numbers
[PATCH] yenta: do power-up only after socket is configured
* master.kernel.org:/pub/scm/linux/kernel/git/mchehab/v4l-dvb:
V4L/DVB (4290): Add support for the TCL M2523_3DB_E tuner.
V4L/DVB (4289): Missing statement in drivers/media/dvb/frontends/cx22700.c
V4L/DVB (4288): Clean out a zillion sparse warnings in pvrusb2
V4L/DVB (4287): Pvrusb2/: possible cleanups
V4L/DVB (4285): Cx88: add support for Geniatech Digistar / Digiwave 103g
V4L/DVB (4284): Cx24123: fix set_voltage function according to the specs
V4L/DVB (4282): Fix: use swzigzag for swalgo
V4L/DVB (4281): TDA9887_SET_CONFIG should only be handled by the tda9887.
V4L/DVB (4277): Fix CI interface on PRO KNC1 cards
V4L/DVB (4276): Fix CI on old KNC1 DVBC cards
V4L/DVB (4275): The FE_SET_FRONTEND_TUNE_MODE ioctl always returns EOPNOTSUPP
V4L/DVB (4274): Eliminate use of tda9887 from pvrusb2 driver
V4L/DVB (4273): Always log pvrusb2 device register / unregister events
V4L/DVB (4272): Fix tveeprom supported standards
V4L/DVB (4270): Add tda9887-specific tuner configuration
V4L/DVB (4269): Subject: videocodec: make 1-bit fields unsigned
V4L/DVB (4267): Remove all instances of request_module("tda9887")
V4L/DVB (4264): Cx88-blackbird: implement VIDIOC_QUERYCTRL and VIDIOC_QUERYMENU
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6: (25 commits)
ACPI: Kconfig: ACPI_SRAT depends on ACPI
ACPI: drivers/acpi/scan.c: make acpi_bus_type static
ACPI: fixup memhotplug debug message
ACPI: ACPICA 20060623
ACPI: C-States: only demote on current bus mastering activity
ACPI: C-States: bm_activity improvements
ACPI: C-States: accounting of sleep states
ACPI: additional blacklist entry for ThinkPad R40e
ACPI: restore comment justifying 'extra' P_LVLx access
ACPI: fix battery on HP NX6125
ACPIPHP: prevent duplicate slot numbers when no _SUN
ACPI: static-ize handle_hotplug_event_func()
ACPIPHP: use ACPI dock driver
ACPI: dock driver
KEVENT: add new uevent for dock
ACPI: asus_acpi_init: propagate correct return value
[ACPI] Print error message if remove/install notify handler fails
ACPI: delete tracing macros from drivers/acpi/*.c
ACPI: HW P-state coordination support
ACPI: un-export ACPI_ERROR() -- use printk(KERN_ERR...)
...
These top 8-bits are supposed to be ignored in the ranges and
top-level reg properties on this platform.
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch adds GSO support for IPv6 and TCPv6. This is based on a patch
by Ananda Raju <Ananda.Raju@neterion.com>. His original description is:
This patch enables TSO over IPv6. Currently Linux network stacks
restricts TSO over IPv6 by clearing of the NETIF_F_TSO bit from
"dev->features". This patch will remove this restriction.
This patch will introduce a new flag NETIF_F_TSO6 which will be used
to check whether device supports TSO over IPv6. If device support TSO
over IPv6 then we don't clear of NETIF_F_TSO and which will make the
TCP layer to create TSO packets. Any device supporting TSO over IPv6
will set NETIF_F_TSO6 flag in "dev->features" along with NETIF_F_TSO.
In case when user disables TSO using ethtool, NETIF_F_TSO will get
cleared from "dev->features". So even if we have NETIF_F_TSO6 we don't
get TSO packets created by TCP layer.
SKB_GSO_TCPV4 renamed to SKB_GSO_TCP to make it generic GSO packet.
SKB_GSO_UDPV4 renamed to SKB_GSO_UDP as UFO is not a IPv4 feature.
UFO is supported over IPv6 also
The following table shows there is significant improvement in
throughput with normal frames and CPU usage for both normal and jumbo.
--------------------------------------------------
| | 1500 | 9600 |
| ------------------|-------------------|
| | thru CPU | thru CPU |
--------------------------------------------------
| TSO OFF | 2.00 5.5% id | 5.66 20.0% id |
--------------------------------------------------
| TSO ON | 2.63 78.0 id | 5.67 39.0% id |
--------------------------------------------------
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch generalises the TSO-specific bits from sk_setup_caps by adding
the sk_gso_type member to struct sock. This makes sk_setup_caps generic
so that it can be used by TCPv6 or UFO.
The only catch is that whoever uses this must provide a GSO implementation
for their protocol which I think is a fair deal :) For now UFO continues to
live without a GSO implementation which is OK since it doesn't use the sock
caps field at the moment.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch adds GSO support for IPv6 and TCPv6.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
We don't need to check skb->len when we're just about to call
pskb_may_pull since that checks it for us.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
When a packet without any chunks is received, the newconntrack variable
in sctp_packet contains an out of bounds value that is used to look up an
pointer from the array of timeouts, which is then dereferenced, resulting
in a crash. Make sure at least a single chunk is present.
Problem noticed by George A. Theall <theall@tenablesecurity.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Use GSO to workaround a rare TSO bug on some chips. This hardware
bug may be triggered when the TSO header size is greater than 80
bytes. When this condition is detected in a TSO packet, the driver
will use GSO to segment the packet to workaround the hardware bug.
Thanks to Juergen Kreileder <jk@blackdown.de> for reporting the
problem and collecting traces to help debug the problem.
And thanks to Herbert Xu <herbert@gondor.apana.org.au> for providing
the GSO mechanism that happens to be the perfect workaround for this
problem.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Clear a bit to enable a hardware fix for some ASF related problem.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Add workaround to limit the burst size of rx BDs being DMA'ed to the
chip. This works around hardware errata on a number of 5750, 5752,
and 5755 chips.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Add tg3_netif_stop() when changing the vlgrp (vlan group) pointer. It
is necessary to quiesce the device before changing that pointer.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
I wasn't paranoid enough in verifying GSO information. A bogus gso_segs
could upset drivers as much as a bogus header would. Let's reset it in
the per-protocol gso_segment functions.
I didn't verify gso_size because that can be verified by the source of
the dodgy packets.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Set alternate port number when initializing QP attributes. This bug
is OpenFabrics bugzilla bug #160.
Signed-off-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Store away the user handle passed in from userspace when creating an
SRQ, so that the kernel can return the correct handle when an SRQ
asynchronous event occurs. (A 0 was incorrectly stored as the user
handle as part of the changes in 9ead190b, "IB/uverbs: Don't serialize
with ib_uverbs_idr_mutex")
Signed-off-by: Roland Dreier <rolandd@cisco.com>
The PCMCIA layer calls pcmcia_parse_events both from user context and
IRQ context; the lock thus needs to be irqsave to avoid deadlocks
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Enable the com20020_cs arcnet driver to see the SoHard (now Mercury
Computer Systems Inc.) SH ARC-PCMCIA card.
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
This must not be marked __init, as it is called from
au1x00_drv_pcmcia_probe.
Signed-off-by: Domen Puncer <domen.puncer@ultra.si>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
... to make sure that it doesn't break again when a field changes (see
"[PATCH] pcmcia: fix zeroing of cm4000_cs.c data" for recent example).
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Convert pcmcia_cs to use kthread instead of the deprecated
kernel_thread.
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Comment out the ID 0xc00f,0x0000 in hostap_cs.c, as it conflicts with the
pcnet_cs driver.
Signed-off-by: komurojun-mbn@nifty.com
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
AT91 CF updates, mostly for power management:
- Add suspend/resume methods to the AT91 CF driver, disabling
non-wakeup IRQs during system suspend. The card detect IRQ
serves as a wakeup event source.
- Convert the driver to the more-current "platform_driver" style.
So inserting or removing a CF card will wake the system, unless that
has been disabled by updating the sysfs file; and there will be no
more warnings about spurious IRQs during suspend/resume cycles.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
This patch enables ide_cs to access CF-cards via their common memory
rather than via their IO space.
Signed-off-by: Thomas Kleffel <tk@maintech.de>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
The patch below adds support for the TI PCIxx12 CardBus controllers.
This seems to be sufficient to detect the cardbus bridge on an HP nc6320
and works with an orinoco wifi card.
Signed-off-by: Alex Williamson <alex.williamson@hp.com>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
The patch below cleans up the pcmcia code a bit on the IRQ side (I did
this while debugging the problem just so I could read wtf it was doing),
and also adds a warning and passes back the correct information when a
device asks for exclusive but gets given shared. This at least means the
dmesg dump of a problem triggered by this will have a signature to find.
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Expose example and tool source files in the Documentation/ directory in
their own files instead of being buried (almost hidden) in readme/txt files.
This will make them more visible/usable to users who may need
to use them, to developers who may need to test with them, and
to janitors who would update them if they were more visible.
Also, if any of these possibly should not be in the kernel tree at
all, it will be clearer that they are here and we can discuss if
they should be removed.
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Fixup the subordinate number parent bridge of yenta Cardbus Bridges
before the PCI bus scan starts to make the cardbus cards which are
otherwise hidden for PCI scans work.
Signed-off-by: Bernhard Kaindl <bk@suse.de>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Power-up the card only after the socket is configured. power-down in
the old place. The point is not to power-up the card before the interrupt
routing is set up correctly.
Signed-off-by: Daniel Ritz <daniel.ritz@gmx.ch>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Stumbled over this because of coverity (id #492),
seems like we are missing a return statement here and fail
to do proper bounds checking. If this assumption is false
we should at least change the identation to make it clear
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>