Re: [PATCH] inotify: actually check for invalid bits in sys_inotify_add_watch()

2015-09-09 Thread Eric Paris
Looks fine to me. And usually akpm picks them up these days. On Wed, 2015-09-09 at 14:59 -0700, Dave Hansen wrote: > On 06/30/2015 10:36 AM, Dave Hansen wrote: > > From: Dave Hansen > > > > The comment here says that it is checking for invalid bits. But, > > the

[PATCH] CAPABILITIES: remove undefined caps from all processes

2014-07-23 Thread Eric Paris
. This lets 'capsh --caps=all=eip -- -c /bin/bash' run. 4) mask out undefined bit when we read a file capability off of disk as again likely all bits are set in the xattr for forward/backward compatibility. This lets 'setcap all+pe /bin/bash; /bin/bash' run Signed-off-by: Eric

Re: [PATCH] CAPABILITIES: remove undefined caps from all processes

2014-07-23 Thread Eric Paris
On Wed, 2014-07-23 at 13:46 -0700, Andy Lutomirski wrote: On 07/23/2014 12:36 PM, Eric Paris wrote: This is effectively a revert of 7b9a7ec565505699f503b4fcf61500dceb36e744 plus fixing it a different way... You sent something like this a couple days ago. What changed? right when I sent

Re: [PATCH 1/2] auditsc: audit_krule mask accesses need bounds checking

2014-06-10 Thread Eric Paris
On Mon, 2014-06-09 at 16:36 -0700, Linus Torvalds wrote: On Mon, Jun 9, 2014 at 3:56 PM, Andy Lutomirski l...@amacapital.net wrote: In this particular case, it's my patch, and I've never sent you a pull request. I sort of assumed that secur...@kernel.org magically caused acknowledged

Re: [PATCH v2 1/2] auditsc: audit_krule mask accesses need bounds checking

2014-05-28 Thread Eric Paris
On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote: Fixes an easy DoS and possible information disclosure. This does nothing about the broken state of x32 auditing. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski l...@amacapital.net --- kernel/auditsc.c | 27

Re: [PATCH v2 1/2] auditsc: audit_krule mask accesses need bounds checking

2014-05-28 Thread Eric Paris
On Wed, 2014-05-28 at 19:27 -0700, Andy Lutomirski wrote: On Wed, May 28, 2014 at 7:23 PM, Eric Paris epa...@redhat.com wrote: On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote: Fixes an easy DoS and possible information disclosure. This does nothing about the broken state of x32

[PATCH 1/2] auditsc: audit_krule mask accesses need bounds checking

2014-05-28 Thread Eric Paris
: stable@vger.kernel.org Signed-off-by: Andy Lutomirski l...@amacapital.net Signed-off-by: Eric Paris epa...@redhat.com --- kernel/auditsc.c | 27 ++- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 254ce20..842f58a 100644

Re: [PATCH 7/7] pid: get pid_t ppid of task in init_pid_ns

2014-03-17 Thread Eric Paris
On Mon, 2014-03-17 at 13:14 -0700, Tony Luck wrote: On Thu, Jan 23, 2014 at 11:32 AM, Richard Guy Briggs r...@redhat.com wrote: Added the functions task_ppid_nr_ns() and task_ppid_nr() to abstract the lookup of the PPID (real_parent's pid_t) of a process, including rcu locking, in the

Re: [PATCH] SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

2014-01-09 Thread Eric Paris
Didn't Al find this/something very similar. I really hate this solution. Why should every LSM try to understand the intimate lifetime rules of the parent subsystems? The real problem is that inode_free_security() is being called while the inode is still in use. While I agree with the

Re: [PATCH] SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

2014-01-09 Thread Eric Paris
On Thu, 2014-01-09 at 10:51 -0500, Steven Rostedt wrote: On Thu, 9 Jan 2014 10:31:55 -0500 Eric Paris epa...@parisplace.org wrote: Didn't Al find this/something very similar. I really hate this I'm not involved with the vfs, so I'm unaware of other solutions presented. I just hit

Re: [PATCH] SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

2014-01-09 Thread Eric Paris
[adding lsm and selinux] Am I just crazy, or was this bug discussed (and obviously not fixed) some time ago? VFS can still use inodes after security_inode_free_security() was called... On Thu, 2014-01-09 at 10:57 -0500, Eric Paris wrote: On Thu, 2014-01-09 at 10:51 -0500, Steven Rostedt wrote

Re: [PATCH] SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

2014-01-09 Thread Eric Paris
https://bugzilla.redhat.com/show_bug.cgi?id=829715 at least has some discussion... On Thu, Jan 9, 2014 at 11:22 AM, Steven Rostedt rost...@goodmis.org wrote: On Thu, 09 Jan 2014 11:10:05 -0500 Stephen Smalley s...@tycho.nsa.gov wrote: I didn't know that was the case; originally when we added

Re: [PATCH] SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

2014-01-09 Thread Eric Paris
On Thu, 2014-01-09 at 22:13 +, Al Viro wrote: On Thu, Jan 09, 2014 at 10:31:55AM -0500, Eric Paris wrote: Didn't Al find this/something very similar. I really hate this solution. Why should every LSM try to understand the intimate lifetime rules of the parent subsystems? The real

Re: [PATCH] vfs: Fix possible NULL pointer dereference in inode_permission()

2014-01-09 Thread Eric Paris
On Thu, 2014-01-09 at 18:27 -0500, Steven Rostedt wrote: On Thu, 9 Jan 2014 18:25:23 -0500 Steven Rostedt rost...@goodmis.org wrote: On Fri, 10 Jan 2014 06:41:03 +0800 Linus Torvalds torva...@linux-foundation.org wrote: I think the sane short term fix is to make the kfree() of the

Re: [PATCH] kmsg: Honor dmesg_restrict sysctl on /dev/kmsg

2013-02-27 Thread Eric Paris
Fine Fine, I'll get off my lazy butt and look at this. On Wed, 2013-02-27 at 10:14 -0800, Kees Cook wrote: On Wed, Feb 27, 2013 at 10:01 AM, Josh Boyer jwbo...@redhat.com wrote: On Wed, Feb 27, 2013 at 09:54:27AM -0800, Kees Cook wrote: On Fri, Feb 22, 2013 at 01:18:57PM -0500, Josh Boyer

Re: [PATCH 2/3] audit: fix refcounting in audit-tree

2012-07-06 Thread Eric Paris
. Reported-by: Valentin Avram ava...@gmail.com Reported-by: Peter Moody pmo...@google.com Partial-patch-by: Marcelo Cerri mhce...@linux.vnet.ibm.com Signed-off-by: Eric Paris epa...@redhat.com Maybe you can use some of that changelog in your next post? (If you do one?) The only reason you

Re: [PATCH 1/3] audit: don't free_chunk() after fsnotify_add_mark()

2012-07-06 Thread Eric Paris
: stable@vger.kernel.org Al, can you send these along? I am not going to see a computer again for a month. Hurray! Acked-by: Eric Paris epa...@redhat.com --- kernel/audit_tree.c |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/audit_tree.c b/kernel

Re: Patch fcaps: clear the same personality flags as suid when fcaps are used has been added to the 3.3-stable tree

2012-04-19 Thread Eric Paris
d52fc5dde171f030170a6cb78034d166b13c9445 Mon Sep 17 00:00:00 2001 From: Eric Paris epa...@redhat.com Date: Tue, 17 Apr 2012 16:26:54 -0400 Subject: fcaps: clear the same personality flags as suid when fcaps are used From: Eric Paris epa...@redhat.com commit