2.5.70-lsm1

Chris Wright (chris@wirex.com)
Mon, 2 Jun 2003 16:12:56 -0700


The Linux Security Modules project provides a lightweight, general purpose
framework for access control. The LSM interface enables developing
security policies as loadable kernel modules. See http://lsm.immunix.org
for more information.

2.5.70-lsm1 patch released. This is an update up to 2.5.70 as well as
some interface and module updates, and various cleanups. Out of tree
projects will want to resync with interface changes. Expect that some
modules may not be build ATM. Patches welcome ;-)

Full lsm-2.5 patch (LSM + all modules) is available at:
http://lsm.immunix.org/patches/2.5/2.5.70/patch-2.5.70-lsm1.gz

The whole ChangeLog for this release is at:
http://lsm.immunix.org/patches/2.5/2.5.70/ChangeLog-2.5.70-lsm1

The LSM 2.5 BK tree can be pulled from:
bk://lsm.bkbits.net/lsm-2.5

ChangeLog summary:
------------------
Chris Wright:
o merge with 2.5.70 TAG: v2.5.70-lsm1
o patch-2.5.70 TAG: LINUX_2.5.70
o Merge lsm@lsm.bkbits.net:lsm-2.5 into wirex.com:/home/chris/bk/lsm/lsm-2.5
o Makefile, Kconfig
o Add TPE to the LSM tree
o fixup merge error, skb_head_pool was removed
o merge with 2.5.69
o patch-2.5.69 TAG: LINUX_2.5.69
o Merge wirex.com:/home/chris/bk/lsm/linux-2.5 into
wirex.com:/home/chris/bk/lsm/lsm-2.5
o patch-2.5.68 TAG: LINUX_2.5.68
o As discussed before, here is a simple patch to allow for early
initialization of security modules when compiled statically into the
kernel. The standard do_initcalls is too late for complete coverage of all
filesystems and threads for example.
o Merge
o patch-2.5.67 TAG: LINUX_2.5.67

Niki Rahimi:
o TPE cleanups

Serge Hallyn:
o LSM modules, when built into the kernel, can now be loaded earlier than
ever. But policies are supposed to be loaded by a user-space process, so
DTE policies are now loaded later than ever. This patch tracks the process
tree between the time that DTE is loaded (whether as module or bulit-in),
and the time that a policy is loaded, and retrofits domains as though the
policy had been running all along.
o DTE now interacts with userspace (including reading its policy) through
sysfs

Stephen D. Smalley:
o SELinux: Fixes for 2.5.70
o SELinux: Remove inode_permission_list hook, since it doesn't exist in the
lsm-2.5 BitKeeper tree anymore, but it is still present in the mainline 2.5
tree.
o The new 2.5 SELinux
o Add an xattr handler for the security. namespace to devpts and add
corresponding hooks to the LSM API to support conversion between xattr
values and the security labels stored in the inode security field by the
security module. This allows userspace to get and set security labels on
devpts nodes, e.g. so that sshd can set the security label for the pty via
setxattr. LSM API changes should be re-useable for other pseudo
filesystems.
o Add a hook to proc_pid_make_inode to allow security modules to set the
security attributes on /proc/pid inodes based on the security attributes of
the asociated task.
o Add an xattr handler for ext3 to support the security. namespace for
security modules.
o Add an xattr handler for ext2 to support the security. namespace for
security modules.
o Move the security_d_instantiate hook call after the inode has been attached
to the dentry so that the security module can call the getxattr inode
operation from this hook to obtain the inode security label.
o Add a inode_post_setxattr hook so that security modules can update their
state after a successful setxattr, and move the existing inode_setxattr
hook after taking the inode semaphore so that atomicity is provided for the
security check and the update to the security field.
o Process attribute API implemented via /proc/pid/attr nodes
o SELinux: Replace uses of kdevname with sb->s_id since kdevname is gone

thanks,
-chris

-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/