[RFC PATCH 1/2] cr: lsm: provide hooks for an LSM to track policy changes

[RFC PATCH 1/2] cr: lsm: provide hooks for an LSM to track policy changes

[Serge E. Hallyn]

[ This applies on top of the previous LSM c/r patchset.  A corresponding
patch against mktree is needed as well. ]

Provide two new security_ hooks:
security_checkpoint_header:
	Gives the LSM a chance to write a checkpoint
	header object of type CKPT_HDR_LSM_INFO.  This
	can be any data the LSM deems fit, and can be
	written out using
		ckpt_write_obj_type(ctx, data, datalen, CKPT_HDR_LSM_INFO);

security_may_restart:
	Give the LSM an extra chance to refuse restart.  In
	particular the LSM may want to do this if the poicy has
	changed since checkpoint.  The checkpoint per-lsm data can
	be retrieved using

		ckpt_read_buf_type(ctx, MAX_INFO_LEN, CKPT_HDR_LSM_INFO);

	Note that the LSM should only look at that data if
	ctx->lsm_name is the current LSM's name.  Otherwise the
	info will be for another LSM (or the string "dummy").
	The hook will still be called, even if ctx->flags
	does not have RESTART_KEEP_LSM (meaning we do not restore
	checkpointed security labels) since the LSM may have other
	reasons to want to refuse restart.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 checkpoint/checkpoint.c        |    4 +++
 checkpoint/restart.c           |    4 +++
 checkpoint/sys.c               |   22 +++++++++++++++++
 include/linux/checkpoint.h     |    3 ++
 include/linux/checkpoint_hdr.h |    1 +
 include/linux/security.h       |   50 ++++++++++++++++++++++++++++++++++++++++
 security/capability.c          |   26 ++++++++++++++++++++
 security/security.c            |   14 +++++++++++
 8 files changed, 124 insertions(+), 0 deletions(-)

diff --git a/checkpoint/checkpoint.c b/checkpoint/checkpoint.c
index 9dbb33c..a8e7483 100644
--- a/checkpoint/checkpoint.c
+++ b/checkpoint/checkpoint.c
@@ -257,6 +257,10 @@ static int checkpoint_write_header(struct ckpt_ctx *ctx)
 	if (ret < 0)
 		return ret;
 
+	ret = security_checkpoint_header(ctx);
+	if (ret < 0)
+		return ret;
+
 	return checkpoint_write_header_arch(ctx);
 }
 
diff --git a/checkpoint/restart.c b/checkpoint/restart.c
index f51838b..3c248c4 100644
--- a/checkpoint/restart.c
+++ b/checkpoint/restart.c
@@ -446,6 +446,10 @@ static int restore_read_header(struct ckpt_ctx *ctx)
 		}
 	}
 
+	ret = security_may_restart(ctx);
+	if (ret < 0)
+		goto out;
+
 	ret = restore_read_header_arch(ctx);
  out:
 	kfree(uts);
diff --git a/checkpoint/sys.c b/checkpoint/sys.c
index 525182a..a510138 100644
--- a/checkpoint/sys.c
+++ b/checkpoint/sys.c
@@ -169,6 +169,28 @@ void *ckpt_hdr_get_type(struct ckpt_ctx *ctx, int len, int type)
 	return h;
 }
 
+#define DUMMY_LSM_INFO "dummy"
+
+int ckpt_write_dummy_lsm_info(struct ckpt_ctx *ctx)
+{
+	return ckpt_write_obj_type(ctx, DUMMY_LSM_INFO,
+			strlen(DUMMY_LSM_INFO), CKPT_HDR_LSM_INFO);
+}
+
+/*
+ * ckpt_snarf_lsm_info
+ * If there is a CKPT_HDR_LSM_INFO field, toss it.
+ * Used when the current LSM doesn't care about this field.
+ */
+void ckpt_snarf_lsm_info(struct ckpt_ctx *ctx)
+{
+	struct ckpt_hdr *h;
+
+	h = ckpt_read_buf_type(ctx, CKPT_LSM_INFO_LEN, CKPT_HDR_LSM_INFO);
+	if (!IS_ERR(h))
+		ckpt_hdr_put(ctx, h);
+}
+
 
 /*
  * Helpers to manage c/r contexts: allocated for each checkpoint and/or
diff --git a/include/linux/checkpoint.h b/include/linux/checkpoint.h
index 3a800a6..bc96fcd 100644
--- a/include/linux/checkpoint.h
+++ b/include/linux/checkpoint.h
@@ -47,6 +47,7 @@
 #define CHECKPOINT_USER_FLAGS		CHECKPOINT_SUBTREE
 #define RESTART_USER_FLAGS		(RESTART_TASKSELF | RESTART_FROZEN | \
 					 RESTART_KEEP_LSM)
+#define CKPT_LSM_INFO_LEN 200
 
 extern void exit_checkpoint(struct task_struct *tsk);
 
@@ -57,6 +58,8 @@ extern void _ckpt_hdr_put(struct ckpt_ctx *ctx, void *ptr, int n);
 extern void ckpt_hdr_put(struct ckpt_ctx *ctx, void *ptr);
 extern void *ckpt_hdr_get(struct ckpt_ctx *ctx, int n);
 extern void *ckpt_hdr_get_type(struct ckpt_ctx *ctx, int n, int type);
+extern int ckpt_write_dummy_lsm_info(struct ckpt_ctx *ctx);
+extern void ckpt_snarf_lsm_info(struct ckpt_ctx *ctx);
 
 extern int ckpt_write_obj(struct ckpt_ctx *ctx, struct ckpt_hdr *h);
 extern int ckpt_write_obj_type(struct ckpt_ctx *ctx,
diff --git a/include/linux/checkpoint_hdr.h b/include/linux/checkpoint_hdr.h
index 729ca33..78afcec 100644
--- a/include/linux/checkpoint_hdr.h
+++ b/include/linux/checkpoint_hdr.h
@@ -54,6 +54,7 @@ enum {
 	CKPT_HDR_STRING,
 	CKPT_HDR_OBJREF,
 	CKPT_HDR_SEC,
+	CKPT_HDR_LSM_INFO,
 
 	CKPT_HDR_TREE = 101,
 	CKPT_HDR_TASK,
diff --git a/include/linux/security.h b/include/linux/security.h
index 61f224f..d5b18c7 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -45,6 +45,10 @@
 struct ctl_table;
 struct audit_krule;
 
+#ifdef CONFIG_CHECKPOINT
+struct ckpt_ctx;
+#endif
+
 /*
  * These functions are in security/capability.c and are used
  * as the default capabilities functions
@@ -1342,6 +1346,28 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	@secdata contains the security context.
  *	@seclen contains the length of the security context.
  *
+ * Security hooks for Checkpoint/restart
+ * (In addition to *_get_ctx and *_restore)
+ *
+ * @may_restart:
+ *	Authorize sys_restart().
+ *	Note that all construction of kernel resources, credentials,
+ *	etc is already authorized per the caller's credentials.  This
+ *	hook is intended for the LSM to make further decisions about
+ *	a task not being allowed to restart at all, for instance if
+ *	the policy has changed since checkpoint.
+ *	@ctx is the checkpoint/restart context (see <linux/checkpoint_types.h>)
+ *	Return 0 if allowed, <0 on error.
+ *
+ * @checkpoint_header:
+ *	Optionally write out a LSM-specific checkpoint header.  This is
+ *	a chance to write out policy information, for instance.  The same
+ *	LSM on restart can then use the info in security_may_restart() to
+ * 	refuse restart (for instance) across policy changes.
+ *	The info is to be written as a an object of type CKPT_HDR_LSM_INFO.
+ *	@ctx is the checkpoint/restart context (see <linux/checkpoint_types.h>)
+ *	Return 0 on success, <0 on error.
+ *
  * Security hooks for Audit
  *
  * @audit_rule_init:
@@ -1586,6 +1612,11 @@ struct security_operations {
 	int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
 	void (*release_secctx) (char *secdata, u32 seclen);
 
+#ifdef CONFIG_CHECKPOINT
+	int (*may_restart) (struct ckpt_ctx *ctx);
+	int (*checkpoint_header) (struct ckpt_ctx *ctx);
+#endif
+
 #ifdef CONFIG_SECURITY_NETWORK
 	int (*unix_stream_connect) (struct socket *sock,
 				    struct socket *other, struct sock *newsk);
@@ -1833,6 +1864,10 @@ int security_netlink_recv(struct sk_buff *skb, int cap);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
 void security_release_secctx(char *secdata, u32 seclen);
+#ifdef CONFIG_CHECKPOINT
+int security_may_restart(struct ckpt_ctx *ctx);
+int security_checkpoint_header(struct ckpt_ctx *ctx);
+#endif /* CONFIG_CHECKPOINT */
 
 char *security_get_lsm_name(void);
 
@@ -2637,6 +2672,21 @@ static inline int security_secctx_to_secid(const char *secdata,
 static inline void security_release_secctx(char *secdata, u32 seclen)
 {
 }
+
+#ifdef CONFIG_CHECKPOINT
+void ckpt_snarf_lsm_info(struct ckpt_ctx *ctx);
+int ckpt_write_dummy_lsm_info(struct ckpt_ctx *ctx);
+
+static inline int security_may_restart(struct ckpt_ctx *ctx)
+{
+	ckpt_snarf_lsm_info(ctx);
+	return 0;
+}
+static inline int security_checkpoint_header(struct ckpt_ctx *ctx)
+{
+	return ckpt_write_dummy_lsm_info(ctx);
+}
+#endif /* CONFIG_CHECKPOINT */
 #endif	/* CONFIG_SECURITY */
 
 #ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/capability.c b/security/capability.c
index 28e6495..2577a3c 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -841,6 +841,28 @@ static void cap_release_secctx(char *secdata, u32 seclen)
 {
 }
 
+#ifdef CONFIG_CHECKPOINT
+void ckpt_snarf_lsm_info(struct ckpt_ctx *ctx);
+int ckpt_write_dummy_lsm_info(struct ckpt_ctx *ctx);
+static int cap_may_restart(struct ckpt_ctx *ctx)
+{
+	/*
+	 * Note that all construction of kernel resources, credentials,
+	 * etc is already authorized per the caller's credentials.  This
+	 * hook is intended for the LSM to make further decisions about
+	 * a task not being allowed to restart at all, for instance if
+	 * the policy has changed since checkpoint.
+	 */
+	ckpt_snarf_lsm_info(ctx);
+	return 0;
+}
+
+static int cap_checkpoint_header(struct ckpt_ctx *ctx)
+{
+	return ckpt_write_dummy_lsm_info(ctx);
+}
+#endif
+
 #ifdef CONFIG_KEYS
 static int cap_key_alloc(struct key *key, const struct cred *cred,
 			 unsigned long flags)
@@ -1049,6 +1071,10 @@ void security_fixup_ops(struct security_operations *ops)
 	set_to_cap_if_null(ops, secid_to_secctx);
 	set_to_cap_if_null(ops, secctx_to_secid);
 	set_to_cap_if_null(ops, release_secctx);
+#ifdef CONFIG_CHECKPOINT
+	set_to_cap_if_null(ops, may_restart);
+	set_to_cap_if_null(ops, checkpoint_header);
+#endif
 #ifdef CONFIG_SECURITY_NETWORK
 	set_to_cap_if_null(ops, unix_stream_connect);
 	set_to_cap_if_null(ops, unix_may_send);
diff --git a/security/security.c b/security/security.c
index d198d0c..2a182d5 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1004,6 +1004,20 @@ void security_release_secctx(char *secdata, u32 seclen)
 }
 EXPORT_SYMBOL(security_release_secctx);
 
+#ifdef CONFIG_CHECKPOINT
+int security_may_restart(struct ckpt_ctx *ctx)
+{
+	return security_ops->may_restart(ctx);
+}
+EXPORT_SYMBOL(security_may_restart);
+
+int security_checkpoint_header(struct ckpt_ctx *ctx)
+{
+	return security_ops->checkpoint_header(ctx);
+}
+EXPORT_SYMBOL(security_checkpoint_header);
+#endif
+
 #ifdef CONFIG_SECURITY_NETWORK
 
 int security_unix_stream_connect(struct socket *sock, struct socket *other,
-- 
1.6.1

[RFC PATCH 1/2] cr: lsm: provide hooks for an LSM to track policy changes

[Serge E. Hallyn]

[ This applies on top of the previous LSM c/r patchset.  A corresponding
patch against mktree is needed as well. ]

Provide two new security_ hooks:
security_checkpoint_header:
	Gives the LSM a chance to write a checkpoint
	header object of type CKPT_HDR_LSM_INFO.  This
	can be any data the LSM deems fit, and can be
	written out using
		ckpt_write_obj_type(ctx, data, datalen, CKPT_HDR_LSM_INFO);

security_may_restart:
	Give the LSM an extra chance to refuse restart.  In
	particular the LSM may want to do this if the poicy has
	changed since checkpoint.  The checkpoint per-lsm data can
	be retrieved using

		ckpt_read_buf_type(ctx, MAX_INFO_LEN, CKPT_HDR_LSM_INFO);

	Note that the LSM should only look at that data if
	ctx->lsm_name is the current LSM's name.  Otherwise the
	info will be for another LSM (or the string "dummy").
	The hook will still be called, even if ctx->flags
	does not have RESTART_KEEP_LSM (meaning we do not restore
	checkpointed security labels) since the LSM may have other
	reasons to want to refuse restart.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 checkpoint/checkpoint.c        |    4 +++
 checkpoint/restart.c           |    4 +++
 checkpoint/sys.c               |   22 +++++++++++++++++
 include/linux/checkpoint.h     |    3 ++
 include/linux/checkpoint_hdr.h |    1 +
 include/linux/security.h       |   50 ++++++++++++++++++++++++++++++++++++++++
 security/capability.c          |   26 ++++++++++++++++++++
 security/security.c            |   14 +++++++++++
 8 files changed, 124 insertions(+), 0 deletions(-)

diff --git a/checkpoint/checkpoint.c b/checkpoint/checkpoint.c
index 9dbb33c..a8e7483 100644
--- a/checkpoint/checkpoint.c
+++ b/checkpoint/checkpoint.c
@@ -257,6 +257,10 @@ static int checkpoint_write_header(struct ckpt_ctx *ctx)
 	if (ret < 0)
 		return ret;
 
+	ret = security_checkpoint_header(ctx);
+	if (ret < 0)
+		return ret;
+
 	return checkpoint_write_header_arch(ctx);
 }
 
diff --git a/checkpoint/restart.c b/checkpoint/restart.c
index f51838b..3c248c4 100644
--- a/checkpoint/restart.c
+++ b/checkpoint/restart.c
@@ -446,6 +446,10 @@ static int restore_read_header(struct ckpt_ctx *ctx)
 		}
 	}
 
+	ret = security_may_restart(ctx);
+	if (ret < 0)
+		goto out;
+
 	ret = restore_read_header_arch(ctx);
  out:
 	kfree(uts);
diff --git a/checkpoint/sys.c b/checkpoint/sys.c
index 525182a..a510138 100644
--- a/checkpoint/sys.c
+++ b/checkpoint/sys.c
@@ -169,6 +169,28 @@ void *ckpt_hdr_get_type(struct ckpt_ctx *ctx, int len, int type)
 	return h;
 }
 
+#define DUMMY_LSM_INFO "dummy"
+
+int ckpt_write_dummy_lsm_info(struct ckpt_ctx *ctx)
+{
+	return ckpt_write_obj_type(ctx, DUMMY_LSM_INFO,
+			strlen(DUMMY_LSM_INFO), CKPT_HDR_LSM_INFO);
+}
+
+/*
+ * ckpt_snarf_lsm_info
+ * If there is a CKPT_HDR_LSM_INFO field, toss it.
+ * Used when the current LSM doesn't care about this field.
+ */
+void ckpt_snarf_lsm_info(struct ckpt_ctx *ctx)
+{
+	struct ckpt_hdr *h;
+
+	h = ckpt_read_buf_type(ctx, CKPT_LSM_INFO_LEN, CKPT_HDR_LSM_INFO);
+	if (!IS_ERR(h))
+		ckpt_hdr_put(ctx, h);
+}
+
 
 /*
  * Helpers to manage c/r contexts: allocated for each checkpoint and/or
diff --git a/include/linux/checkpoint.h b/include/linux/checkpoint.h
index 3a800a6..bc96fcd 100644
--- a/include/linux/checkpoint.h
+++ b/include/linux/checkpoint.h
@@ -47,6 +47,7 @@
 #define CHECKPOINT_USER_FLAGS		CHECKPOINT_SUBTREE
 #define RESTART_USER_FLAGS		(RESTART_TASKSELF | RESTART_FROZEN | \
 					 RESTART_KEEP_LSM)
+#define CKPT_LSM_INFO_LEN 200
 
 extern void exit_checkpoint(struct task_struct *tsk);
 
@@ -57,6 +58,8 @@ extern void _ckpt_hdr_put(struct ckpt_ctx *ctx, void *ptr, int n);
 extern void ckpt_hdr_put(struct ckpt_ctx *ctx, void *ptr);
 extern void *ckpt_hdr_get(struct ckpt_ctx *ctx, int n);
 extern void *ckpt_hdr_get_type(struct ckpt_ctx *ctx, int n, int type);
+extern int ckpt_write_dummy_lsm_info(struct ckpt_ctx *ctx);
+extern void ckpt_snarf_lsm_info(struct ckpt_ctx *ctx);
 
 extern int ckpt_write_obj(struct ckpt_ctx *ctx, struct ckpt_hdr *h);
 extern int ckpt_write_obj_type(struct ckpt_ctx *ctx,
diff --git a/include/linux/checkpoint_hdr.h b/include/linux/checkpoint_hdr.h
index 729ca33..78afcec 100644
--- a/include/linux/checkpoint_hdr.h
+++ b/include/linux/checkpoint_hdr.h
@@ -54,6 +54,7 @@ enum {
 	CKPT_HDR_STRING,
 	CKPT_HDR_OBJREF,
 	CKPT_HDR_SEC,
+	CKPT_HDR_LSM_INFO,
 
 	CKPT_HDR_TREE = 101,
 	CKPT_HDR_TASK,
diff --git a/include/linux/security.h b/include/linux/security.h
index 61f224f..d5b18c7 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -45,6 +45,10 @@
 struct ctl_table;
 struct audit_krule;
 
+#ifdef CONFIG_CHECKPOINT
+struct ckpt_ctx;
+#endif
+
 /*
  * These functions are in security/capability.c and are used
  * as the default capabilities functions
@@ -1342,6 +1346,28 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	@secdata contains the security context.
  *	@seclen contains the length of the security context.
  *
+ * Security hooks for Checkpoint/restart
+ * (In addition to *_get_ctx and *_restore)
+ *
+ * @may_restart:
+ *	Authorize sys_restart().
+ *	Note that all construction of kernel resources, credentials,
+ *	etc is already authorized per the caller's credentials.  This
+ *	hook is intended for the LSM to make further decisions about
+ *	a task not being allowed to restart at all, for instance if
+ *	the policy has changed since checkpoint.
+ *	@ctx is the checkpoint/restart context (see <linux/checkpoint_types.h>)
+ *	Return 0 if allowed, <0 on error.
+ *
+ * @checkpoint_header:
+ *	Optionally write out a LSM-specific checkpoint header.  This is
+ *	a chance to write out policy information, for instance.  The same
+ *	LSM on restart can then use the info in security_may_restart() to
+ * 	refuse restart (for instance) across policy changes.
+ *	The info is to be written as a an object of type CKPT_HDR_LSM_INFO.
+ *	@ctx is the checkpoint/restart context (see <linux/checkpoint_types.h>)
+ *	Return 0 on success, <0 on error.
+ *
  * Security hooks for Audit
  *
  * @audit_rule_init:
@@ -1586,6 +1612,11 @@ struct security_operations {
 	int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
 	void (*release_secctx) (char *secdata, u32 seclen);
 
+#ifdef CONFIG_CHECKPOINT
+	int (*may_restart) (struct ckpt_ctx *ctx);
+	int (*checkpoint_header) (struct ckpt_ctx *ctx);
+#endif
+
 #ifdef CONFIG_SECURITY_NETWORK
 	int (*unix_stream_connect) (struct socket *sock,
 				    struct socket *other, struct sock *newsk);
@@ -1833,6 +1864,10 @@ int security_netlink_recv(struct sk_buff *skb, int cap);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
 void security_release_secctx(char *secdata, u32 seclen);
+#ifdef CONFIG_CHECKPOINT
+int security_may_restart(struct ckpt_ctx *ctx);
+int security_checkpoint_header(struct ckpt_ctx *ctx);
+#endif /* CONFIG_CHECKPOINT */
 
 char *security_get_lsm_name(void);
 
@@ -2637,6 +2672,21 @@ static inline int security_secctx_to_secid(const char *secdata,
 static inline void security_release_secctx(char *secdata, u32 seclen)
 {
 }
+
+#ifdef CONFIG_CHECKPOINT
+void ckpt_snarf_lsm_info(struct ckpt_ctx *ctx);
+int ckpt_write_dummy_lsm_info(struct ckpt_ctx *ctx);
+
+static inline int security_may_restart(struct ckpt_ctx *ctx)
+{
+	ckpt_snarf_lsm_info(ctx);
+	return 0;
+}
+static inline int security_checkpoint_header(struct ckpt_ctx *ctx)
+{
+	return ckpt_write_dummy_lsm_info(ctx);
+}
+#endif /* CONFIG_CHECKPOINT */
 #endif	/* CONFIG_SECURITY */
 
 #ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/capability.c b/security/capability.c
index 28e6495..2577a3c 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -841,6 +841,28 @@ static void cap_release_secctx(char *secdata, u32 seclen)
 {
 }
 
+#ifdef CONFIG_CHECKPOINT
+void ckpt_snarf_lsm_info(struct ckpt_ctx *ctx);
+int ckpt_write_dummy_lsm_info(struct ckpt_ctx *ctx);
+static int cap_may_restart(struct ckpt_ctx *ctx)
+{
+	/*
+	 * Note that all construction of kernel resources, credentials,
+	 * etc is already authorized per the caller's credentials.  This
+	 * hook is intended for the LSM to make further decisions about
+	 * a task not being allowed to restart at all, for instance if
+	 * the policy has changed since checkpoint.
+	 */
+	ckpt_snarf_lsm_info(ctx);
+	return 0;
+}
+
+static int cap_checkpoint_header(struct ckpt_ctx *ctx)
+{
+	return ckpt_write_dummy_lsm_info(ctx);
+}
+#endif
+
 #ifdef CONFIG_KEYS
 static int cap_key_alloc(struct key *key, const struct cred *cred,
 			 unsigned long flags)
@@ -1049,6 +1071,10 @@ void security_fixup_ops(struct security_operations *ops)
 	set_to_cap_if_null(ops, secid_to_secctx);
 	set_to_cap_if_null(ops, secctx_to_secid);
 	set_to_cap_if_null(ops, release_secctx);
+#ifdef CONFIG_CHECKPOINT
+	set_to_cap_if_null(ops, may_restart);
+	set_to_cap_if_null(ops, checkpoint_header);
+#endif
 #ifdef CONFIG_SECURITY_NETWORK
 	set_to_cap_if_null(ops, unix_stream_connect);
 	set_to_cap_if_null(ops, unix_may_send);
diff --git a/security/security.c b/security/security.c
index d198d0c..2a182d5 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1004,6 +1004,20 @@ void security_release_secctx(char *secdata, u32 seclen)
 }
 EXPORT_SYMBOL(security_release_secctx);
 
+#ifdef CONFIG_CHECKPOINT
+int security_may_restart(struct ckpt_ctx *ctx)
+{
+	return security_ops->may_restart(ctx);
+}
+EXPORT_SYMBOL(security_may_restart);
+
+int security_checkpoint_header(struct ckpt_ctx *ctx)
+{
+	return security_ops->checkpoint_header(ctx);
+}
+EXPORT_SYMBOL(security_checkpoint_header);
+#endif
+
 #ifdef CONFIG_SECURITY_NETWORK
 
 int security_unix_stream_connect(struct socket *sock, struct socket *other,
-- 
1.6.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Serge E. Hallyn]

This patch, for debugging only, introduces a silly admin-controlled
'policy version' for smack.  By default the version is 1.  An
admin (with CAP_MAC_ADMIN) can change it by echoing a new value
into /smack/version.

It then defines security_checkpoint_header() to add this 'policy
version' into the checkpoint header, and defines security_may_restart()
to refuse restart if both:
	1. the caller asked for RESTART_KEEP_LSM
and
	2. the checkpointed version was different from the current.

This of course is easy enough to test by doing

	echo 1 > /smack/version
	ckpt > out
	mktree < out
		succeed
	mktree -k < out
		succeed
	echo 2 > /smack/version
	mktree < out
		succeed
	mktree -k < out
		fail

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 security/smack/smack_lsm.c |   46 +++++++++++++++++++++++++++
 security/smack/smackfs.c   |   75 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 121 insertions(+), 0 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 279fdce..f0d4a08 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -27,6 +27,7 @@
 #include <linux/udp.h>
 #include <linux/mutex.h>
 #include <linux/pipe_fs_i.h>
+#include <linux/checkpoint.h>
 #include <net/netlabel.h>
 #include <net/cipso_ipv4.h>
 #include <linux/audit.h>
@@ -3111,6 +3112,47 @@ static void smack_release_secctx(char *secdata, u32 seclen)
 {
 }
 
+#ifdef CONFIG_CHECKPOINT
+extern int smack_version;
+
+static int smack_may_restart(struct ckpt_ctx *ctx)
+{
+	struct ckpt_hdr *h;
+	char *smackv;
+	int v = 0, slen, ret;
+
+	h = ckpt_read_buf_type(ctx, CKPT_LSM_INFO_LEN, CKPT_HDR_LSM_INFO);
+	if (IS_ERR(h))
+		return PTR_ERR(h);
+
+	if (strcmp(ctx->lsm_name, "smack") != 0)
+		return 0;
+
+	smackv = (char *) (h + 1);
+	slen = h->len - sizeof(*h);
+	if (smackv[slen-1] != '\0')
+		smackv[slen-1] = '\0';
+	ret = sscanf(smackv, "%d", &v);
+	ckpt_hdr_put(ctx, h);
+	if (!(ctx->uflags & RESTART_KEEP_LSM))
+		return 0;
+	if (ret != 1 || v != smack_version) {
+		ckpt_debug("Smack version at checkpoint was %d, now is %d\n",
+			v, smack_version);
+		return -EINVAL;
+	}
+	return 0;
+}
+
+static int smack_checkpoint_header(struct ckpt_ctx *ctx)
+{
+	char smackv[10];
+	sprintf(smackv, "%d", smack_version);
+	return ckpt_write_obj_type(ctx, smackv, strlen(smackv)+1,
+				  CKPT_HDR_LSM_INFO);
+}
+#endif
+
 struct security_operations smack_ops = {
 	.name =				"smack",
 
@@ -3245,6 +3287,10 @@ struct security_operations smack_ops = {
 	.secid_to_secctx = 		smack_secid_to_secctx,
 	.secctx_to_secid = 		smack_secctx_to_secid,
 	.release_secctx = 		smack_release_secctx,
+#ifdef CONFIG_CHECKPOINT
+	.may_restart =			smack_may_restart,
+	.checkpoint_header =		smack_checkpoint_header,
+#endif
 };
 
 
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index f83a809..7b20ad9 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -42,6 +42,7 @@ enum smk_inos {
 	SMK_NETLBLADDR	= 8,	/* single label hosts */
 	SMK_ONLYCAP	= 9,	/* the only "capable" label */
 	SMK_LOGGING	= 10,	/* logging */
+	SMK_VERSION	= 11,	/* logging */
 };
 
 /*
@@ -51,6 +52,7 @@ static DEFINE_MUTEX(smack_list_lock);
 static DEFINE_MUTEX(smack_cipso_lock);
 static DEFINE_MUTEX(smack_ambient_lock);
 static DEFINE_MUTEX(smk_netlbladdr_lock);
+static DEFINE_MUTEX(smack_version_lock);
 
 /*
  * This is the "ambient" label for network traffic.
@@ -60,6 +62,11 @@ static DEFINE_MUTEX(smk_netlbladdr_lock);
 char *smack_net_ambient = smack_known_floor.smk_known;
 
 /*
+ * this is the policy version, a simple integer
+ */
+int smack_version = 1;
+
+/*
  * This is the level in a CIPSO header that indicates a
  * smack label is contained directly in the category set.
  * It can be reset via smackfs/direct
@@ -1255,6 +1262,72 @@ static const struct file_operations smk_logging_ops = {
 	.read		= smk_read_logging,
 	.write		= smk_write_logging,
 };
+
+#define SMK_VERSIONLEN 12
+/**
+ * smk_read_version - read() for /smack/version
+ * @filp: file pointer, not actually used
+ * @buf: where to put the result
+ * @cn: maximum to send along
+ * @ppos: where to start
+ *
+ * Returns number of bytes read or error code, as appropriate
+ */
+static ssize_t smk_read_version(struct file *filp, char __user *buf,
+				size_t count, loff_t *ppos)
+{
+	char temp[SMK_VERSIONLEN];
+
+	if (*ppos != 0)
+		return 0;
+
+	mutex_lock(&smack_version_lock);
+	sprintf(temp, "%d\n", smack_version);
+	mutex_unlock(&smack_version_lock);
+
+	return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
+}
+
+/**
+ * smk_write_version - write() for /smack/version
+ * @file: file pointer, not actually used
+ * @buf: where to get the data from
+ * @count: bytes sent
+ * @ppos: where to start
+ *
+ * Returns number of bytes written or error code, as appropriate
+ */
+static ssize_t smk_write_version(struct file *file, const char __user *buf,
+				 size_t count, loff_t *ppos)
+{
+	char in[SMK_VERSIONLEN];
+	int tmp, ret;
+
+	if (!capable(CAP_MAC_ADMIN))
+		return -EPERM;
+
+	if (count >= SMK_VERSIONLEN)
+		return -EINVAL;
+
+	if (copy_from_user(in, buf, count) != 0)
+		return -EFAULT;
+
+	in[count-1] = '\0';
+	ret = sscanf(in, "%d", &tmp);
+	if (ret != 1)
+		return -EINVAL;
+	mutex_lock(&smack_version_lock);
+	smack_version = tmp;
+	mutex_unlock(&smack_version_lock);
+
+	return count;
+}
+
+static const struct file_operations smk_version_ops = {
+	.read		= smk_read_version,
+	.write		= smk_write_version,
+};
+
 /**
  * smk_fill_super - fill the /smackfs superblock
  * @sb: the empty superblock
@@ -1287,6 +1360,8 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
 			{"onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
 		[SMK_LOGGING]	=
 			{"logging", &smk_logging_ops, S_IRUGO|S_IWUSR},
+		[SMK_VERSION]	=
+			{"version", &smk_version_ops, S_IRUGO|S_IWUSR},
 		/* last one */ {""}
 	};
 
-- 
1.6.1

[RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Serge E. Hallyn]

This patch, for debugging only, introduces a silly admin-controlled
'policy version' for smack.  By default the version is 1.  An
admin (with CAP_MAC_ADMIN) can change it by echoing a new value
into /smack/version.

It then defines security_checkpoint_header() to add this 'policy
version' into the checkpoint header, and defines security_may_restart()
to refuse restart if both:
	1. the caller asked for RESTART_KEEP_LSM
and
	2. the checkpointed version was different from the current.

This of course is easy enough to test by doing

	echo 1 > /smack/version
	ckpt > out
	mktree < out
		succeed
	mktree -k < out
		succeed
	echo 2 > /smack/version
	mktree < out
		succeed
	mktree -k < out
		fail

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 security/smack/smack_lsm.c |   46 +++++++++++++++++++++++++++
 security/smack/smackfs.c   |   75 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 121 insertions(+), 0 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 279fdce..f0d4a08 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -27,6 +27,7 @@
 #include <linux/udp.h>
 #include <linux/mutex.h>
 #include <linux/pipe_fs_i.h>
+#include <linux/checkpoint.h>
 #include <net/netlabel.h>
 #include <net/cipso_ipv4.h>
 #include <linux/audit.h>
@@ -3111,6 +3112,47 @@ static void smack_release_secctx(char *secdata, u32 seclen)
 {
 }
 
+#ifdef CONFIG_CHECKPOINT
+extern int smack_version;
+
+static int smack_may_restart(struct ckpt_ctx *ctx)
+{
+	struct ckpt_hdr *h;
+	char *smackv;
+	int v = 0, slen, ret;
+
+	h = ckpt_read_buf_type(ctx, CKPT_LSM_INFO_LEN, CKPT_HDR_LSM_INFO);
+	if (IS_ERR(h))
+		return PTR_ERR(h);
+
+	if (strcmp(ctx->lsm_name, "smack") != 0)
+		return 0;
+
+	smackv = (char *) (h + 1);
+	slen = h->len - sizeof(*h);
+	if (smackv[slen-1] != '\0')
+		smackv[slen-1] = '\0';
+	ret = sscanf(smackv, "%d", &v);
+	ckpt_hdr_put(ctx, h);
+	if (!(ctx->uflags & RESTART_KEEP_LSM))
+		return 0;
+	if (ret != 1 || v != smack_version) {
+		ckpt_debug("Smack version at checkpoint was %d, now is %d\n",
+			v, smack_version);
+		return -EINVAL;
+	}
+	return 0;
+}
+
+static int smack_checkpoint_header(struct ckpt_ctx *ctx)
+{
+	char smackv[10];
+	sprintf(smackv, "%d", smack_version);
+	return ckpt_write_obj_type(ctx, smackv, strlen(smackv)+1,
+				  CKPT_HDR_LSM_INFO);
+}
+#endif
+
 struct security_operations smack_ops = {
 	.name =				"smack",
 
@@ -3245,6 +3287,10 @@ struct security_operations smack_ops = {
 	.secid_to_secctx = 		smack_secid_to_secctx,
 	.secctx_to_secid = 		smack_secctx_to_secid,
 	.release_secctx = 		smack_release_secctx,
+#ifdef CONFIG_CHECKPOINT
+	.may_restart =			smack_may_restart,
+	.checkpoint_header =		smack_checkpoint_header,
+#endif
 };
 
 
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index f83a809..7b20ad9 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -42,6 +42,7 @@ enum smk_inos {
 	SMK_NETLBLADDR	= 8,	/* single label hosts */
 	SMK_ONLYCAP	= 9,	/* the only "capable" label */
 	SMK_LOGGING	= 10,	/* logging */
+	SMK_VERSION	= 11,	/* logging */
 };
 
 /*
@@ -51,6 +52,7 @@ static DEFINE_MUTEX(smack_list_lock);
 static DEFINE_MUTEX(smack_cipso_lock);
 static DEFINE_MUTEX(smack_ambient_lock);
 static DEFINE_MUTEX(smk_netlbladdr_lock);
+static DEFINE_MUTEX(smack_version_lock);
 
 /*
  * This is the "ambient" label for network traffic.
@@ -60,6 +62,11 @@ static DEFINE_MUTEX(smk_netlbladdr_lock);
 char *smack_net_ambient = smack_known_floor.smk_known;
 
 /*
+ * this is the policy version, a simple integer
+ */
+int smack_version = 1;
+
+/*
  * This is the level in a CIPSO header that indicates a
  * smack label is contained directly in the category set.
  * It can be reset via smackfs/direct
@@ -1255,6 +1262,72 @@ static const struct file_operations smk_logging_ops = {
 	.read		= smk_read_logging,
 	.write		= smk_write_logging,
 };
+
+#define SMK_VERSIONLEN 12
+/**
+ * smk_read_version - read() for /smack/version
+ * @filp: file pointer, not actually used
+ * @buf: where to put the result
+ * @cn: maximum to send along
+ * @ppos: where to start
+ *
+ * Returns number of bytes read or error code, as appropriate
+ */
+static ssize_t smk_read_version(struct file *filp, char __user *buf,
+				size_t count, loff_t *ppos)
+{
+	char temp[SMK_VERSIONLEN];
+
+	if (*ppos != 0)
+		return 0;
+
+	mutex_lock(&smack_version_lock);
+	sprintf(temp, "%d\n", smack_version);
+	mutex_unlock(&smack_version_lock);
+
+	return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
+}
+
+/**
+ * smk_write_version - write() for /smack/version
+ * @file: file pointer, not actually used
+ * @buf: where to get the data from
+ * @count: bytes sent
+ * @ppos: where to start
+ *
+ * Returns number of bytes written or error code, as appropriate
+ */
+static ssize_t smk_write_version(struct file *file, const char __user *buf,
+				 size_t count, loff_t *ppos)
+{
+	char in[SMK_VERSIONLEN];
+	int tmp, ret;
+
+	if (!capable(CAP_MAC_ADMIN))
+		return -EPERM;
+
+	if (count >= SMK_VERSIONLEN)
+		return -EINVAL;
+
+	if (copy_from_user(in, buf, count) != 0)
+		return -EFAULT;
+
+	in[count-1] = '\0';
+	ret = sscanf(in, "%d", &tmp);
+	if (ret != 1)
+		return -EINVAL;
+	mutex_lock(&smack_version_lock);
+	smack_version = tmp;
+	mutex_unlock(&smack_version_lock);
+
+	return count;
+}
+
+static const struct file_operations smk_version_ops = {
+	.read		= smk_read_version,
+	.write		= smk_write_version,
+};
+
 /**
  * smk_fill_super - fill the /smackfs superblock
  * @sb: the empty superblock
@@ -1287,6 +1360,8 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
 			{"onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
 		[SMK_LOGGING]	=
 			{"logging", &smk_logging_ops, S_IRUGO|S_IWUSR},
+		[SMK_VERSION]	=
+			{"version", &smk_version_ops, S_IRUGO|S_IWUSR},
 		/* last one */ {""}
 	};
 
-- 
1.6.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Casey Schaufler]

Serge E. Hallyn wrote:
> This patch, for debugging only, introduces a silly admin-controlled
> 'policy version' for smack.  By default the version is 1.  An
> admin (with CAP_MAC_ADMIN) can change it by echoing a new value
> into /smack/version.
>   

The scheme you have suggested is just one step off of completely
acceptable for real. More detail below, but if you make the "version"
a string instead of a number I'm happy with it. In particular, a
string that would itself be a valid Smack label makes everything
really simple.

It would take me a few days, but if you're not in a real hurry or
you're lazier than I am (yeah, right) I could provide a patch that
does it. Or, if I haven't been completely incomprehensible, you
could do a revision.


> It then defines security_checkpoint_header() to add this 'policy
> version' into the checkpoint header, and defines security_may_restart()
> to refuse restart if both:
> 	1. the caller asked for RESTART_KEEP_LSM
> and
> 	2. the checkpointed version was different from the current.
>
> This of course is easy enough to test by doing
>
> 	echo 1 > /smack/version
> 	ckpt > out
> 	mktree < out
> 		succeed
> 	mktree -k < out
> 		succeed
> 	echo 2 > /smack/version
> 	mktree < out
> 		succeed
> 	mktree -k < out
> 		fail
>
> Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
> ---
>  security/smack/smack_lsm.c |   46 +++++++++++++++++++++++++++
>  security/smack/smackfs.c   |   75 ++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 121 insertions(+), 0 deletions(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 279fdce..f0d4a08 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -27,6 +27,7 @@
>  #include <linux/udp.h>
>  #include <linux/mutex.h>
>  #include <linux/pipe_fs_i.h>
> +#include <linux/checkpoint.h>
>  #include <net/netlabel.h>
>  #include <net/cipso_ipv4.h>
>  #include <linux/audit.h>
> @@ -3111,6 +3112,47 @@ static void smack_release_secctx(char *secdata, u32 seclen)
>  {
>  }
>  
> +#ifdef CONFIG_CHECKPOINT
> +extern int smack_version;
>   

Make this a char * instead of an int and set it to
smack_known_floor.smk_known (which will be "_").


> +
> +static int smack_may_restart(struct ckpt_ctx *ctx)
>   

So as to reduce confusion between ctx's and checkpoint thingies,

   static int smack_may_restart(struct ckpt_ctx *ckptx)
> +{
> +	struct ckpt_hdr *h;
>   

How about:
          struct ckpt_hdr *chp;

instead for a little more consistency with Smack code.

> +	char *smackv;
> +	int v = 0, slen, ret;
> +
> +	h = ckpt_read_buf_type(ctx, CKPT_LSM_INFO_LEN, CKPT_HDR_LSM_INFO);
> +	if (IS_ERR(h))
> +		return PTR_ERR(h);
> +
> +	if (strcmp(ctx->lsm_name, "smack") != 0)
> +		return 0;
> +
> +	smackv = (char *) (h + 1);
>   

And delete from here ...

> +	slen = h->len - sizeof(*h);
> +	if (smackv[slen-1] != '\0')
> +		smackv[slen-1] = '\0';
> +	ret = sscanf(smackv, "%d", &v);
>   

... to here. How about we say that the version name meet the same
requirements as a label? A call to smk_import() can verify that and
take care of all the memory allocation business.

> +	ckpt_hdr_put(ctx, h);
> +	if (!(ctx->uflags & RESTART_KEEP_LSM))
> +		return 0;
> +	if (ret != 1 || v != smack_version) {
>   

Make this a strcmp()

> +		ckpt_debug("Smack version at checkpoint was %d, now is %d\n",
>   

%s instead of %d all around.

> +			v, smack_version);
> +		return -EINVAL;
> +	}
> +	return 0;
> +}
> +
> +static int smack_checkpoint_header(struct cpt_ctx *ctx)
> +{
> +	char smackv[10];
> +	sprintf(smackv, "%d", smack_version);
>   

You can drop this ...

> +	return ckpt_write_obj_type(ctx, smackv, strlen(smackv)+1,
> +				  CKPT_HDR_LSM_INFO);
>   

And pass back smack_version, which is a string.

> +}
> +#endif
> +
>  struct security_operations smack_ops = {
>  	.name =				"smack",
>  
> @@ -3245,6 +3287,10 @@ struct security_operations smack_ops = {
>  	.secid_to_secctx = 		smack_secid_to_secctx,
>  	.secctx_to_secid = 		smack_secctx_to_secid,
>  	.release_secctx = 		smack_release_secctx,
> +#ifdef CONFIG_CHECKPOINT
> +	.may_restart =			smack_may_restart,
> +	.checkpoint_header =		smack_checkpoint_header,
> +#endif
>  };
>  
>  
> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
> index f83a809..7b20ad9 100644
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -42,6 +42,7 @@ enum smk_inos {
>  	SMK_NETLBLADDR	= 8,	/* single label hosts */
>  	SMK_ONLYCAP	= 9,	/* the only "capable" label */
>  	SMK_LOGGING	= 10,	/* logging */
> +	SMK_VERSION	= 11,	/* logging */
>  };
>  
>  /*
> @@ -51,6 +52,7 @@ static DEFINE_MUTEX(smack_list_lock);
>  static DEFINE_MUTEX(smack_cipso_lock);
>  static DEFINE_MUTEX(smack_ambient_lock);
>  static DEFINE_MUTEX(smk_netlbladdr_lock);
> +static DEFINE_MUTEX(smack_version_lock);
>  
>  /*
>   * This is the "ambient" label for network traffic.
> @@ -60,6 +62,11 @@ static DEFINE_MUTEX(smk_netlbladdr_lock);
>  char *smack_net_ambient = smack_known_floor.smk_known;
>  
>  /*
> + * this is the policy version, a simple integer
> + */
> +int smack_version = 1;
> +
>   

Make this a char * instead of an int and set it to
smack_known_floor.smk_known (which will be "_"). As above.


> +/*
>   * This is the level in a CIPSO header that indicates a
>   * smack label is contained directly in the category set.
>   * It can be reset via smackfs/direct
> @@ -1255,6 +1262,72 @@ static const struct file_operations smk_logging_ops = {
>  	.read		= smk_read_logging,
>  	.write		= smk_write_logging,
>  };
> +
> +#define SMK_VERSIONLEN 12
>   

    #define SMK_VERSIONLEN SMK_LABELLEN

> +/**
> + * smk_read_version - read() for /smack/version
> + * @filp: file pointer, not actually used
> + * @buf: where to put the result
> + * @cn: maximum to send along
> + * @ppos: where to start
> + *
> + * Returns number of bytes read or error code, as appropriate
> + */
> +static ssize_t smk_read_version(struct file *filp, char __user *buf,
> +				size_t count, loff_t *ppos)
> +{
> +	char temp[SMK_VERSIONLEN];
> +
> +	if (*ppos != 0)
> +		return 0;
> +
> +	mutex_lock(&smack_version_lock);
> +	sprintf(temp, "%d\n", smack_version);
>   

In the scheme I'm suggesting, no need for the sprintf.

> +	mutex_unlock(&smack_version_lock);
> +
> +	return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
> +}
> +
> +/**
> + * smk_write_version - write() for /smack/version
> + * @file: file pointer, not actually used
> + * @buf: where to get the data from
> + * @count: bytes sent
> + * @ppos: where to start
> + *
> + * Returns number of bytes written or error code, as appropriate
> + */
> +static ssize_t smk_write_version(struct file *file, const char __user *buf,
> +				 size_t count, loff_t *ppos)
> +{
> +	char in[SMK_VERSIONLEN];
> +	int tmp, ret;
> +
> +	if (!capable(CAP_MAC_ADMIN))
> +		return -EPERM;
> +
> +	if (count >= SMK_VERSIONLEN)
> +		return -EINVAL;
> +
> +	if (copy_from_user(in, buf, count) != 0)
> +		return -EFAULT;
>   

This would become smk_import(), replacing ....

> +
> +	in[count-1] = '\0';
> +	ret = sscanf(in, "%d", &tmp);
> +	if (ret != 1)
> +		return -EINVAL;
>   

... this

> +	mutex_lock(&smack_version_lock);
> +	smack_version = tmp;
>   

and smack_version gets the return from smk_import unless it is NULL.

> +	mutex_unlock(&smack_version_lock);
> +
> +	return count;
> +}
> +
> +static const struct file_operations smk_version_ops = {
> +	.read		= smk_read_version,
> +	.write		= smk_write_version,
> +};
> +
>  /**
>   * smk_fill_super - fill the /smackfs superblock
>   * @sb: the empty superblock
> @@ -1287,6 +1360,8 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
>  			{"onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
>  		[SMK_LOGGING]	=
>  			{"logging", &smk_logging_ops, S_IRUGO|S_IWUSR},
> +		[SMK_VERSION]	=
> +			{"version", &smk_version_ops, S_IRUGO|S_IWUSR},
>  		/* last one */ {""}
>  	};
>  
>   

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Casey Schaufler]

Serge E. Hallyn wrote:
> This patch, for debugging only, introduces a silly admin-controlled
> 'policy version' for smack.  By default the version is 1.  An
> admin (with CAP_MAC_ADMIN) can change it by echoing a new value
> into /smack/version.
>   

The scheme you have suggested is just one step off of completely
acceptable for real. More detail below, but if you make the "version"
a string instead of a number I'm happy with it. In particular, a
string that would itself be a valid Smack label makes everything
really simple.

It would take me a few days, but if you're not in a real hurry or
you're lazier than I am (yeah, right) I could provide a patch that
does it. Or, if I haven't been completely incomprehensible, you
could do a revision.


> It then defines security_checkpoint_header() to add this 'policy
> version' into the checkpoint header, and defines security_may_restart()
> to refuse restart if both:
> 	1. the caller asked for RESTART_KEEP_LSM
> and
> 	2. the checkpointed version was different from the current.
>
> This of course is easy enough to test by doing
>
> 	echo 1 > /smack/version
> 	ckpt > out
> 	mktree < out
> 		succeed
> 	mktree -k < out
> 		succeed
> 	echo 2 > /smack/version
> 	mktree < out
> 		succeed
> 	mktree -k < out
> 		fail
>
> Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
> ---
>  security/smack/smack_lsm.c |   46 +++++++++++++++++++++++++++
>  security/smack/smackfs.c   |   75 ++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 121 insertions(+), 0 deletions(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 279fdce..f0d4a08 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -27,6 +27,7 @@
>  #include <linux/udp.h>
>  #include <linux/mutex.h>
>  #include <linux/pipe_fs_i.h>
> +#include <linux/checkpoint.h>
>  #include <net/netlabel.h>
>  #include <net/cipso_ipv4.h>
>  #include <linux/audit.h>
> @@ -3111,6 +3112,47 @@ static void smack_release_secctx(char *secdata, u32 seclen)
>  {
>  }
>  
> +#ifdef CONFIG_CHECKPOINT
> +extern int smack_version;
>   

Make this a char * instead of an int and set it to
smack_known_floor.smk_known (which will be "_").


> +
> +static int smack_may_restart(struct ckpt_ctx *ctx)
>   

So as to reduce confusion between ctx's and checkpoint thingies,

   static int smack_may_restart(struct ckpt_ctx *ckptx)
> +{
> +	struct ckpt_hdr *h;
>   

How about:
          struct ckpt_hdr *chp;

instead for a little more consistency with Smack code.

> +	char *smackv;
> +	int v = 0, slen, ret;
> +
> +	h = ckpt_read_buf_type(ctx, CKPT_LSM_INFO_LEN, CKPT_HDR_LSM_INFO);
> +	if (IS_ERR(h))
> +		return PTR_ERR(h);
> +
> +	if (strcmp(ctx->lsm_name, "smack") != 0)
> +		return 0;
> +
> +	smackv = (char *) (h + 1);
>   

And delete from here ...

> +	slen = h->len - sizeof(*h);
> +	if (smackv[slen-1] != '\0')
> +		smackv[slen-1] = '\0';
> +	ret = sscanf(smackv, "%d", &v);
>   

... to here. How about we say that the version name meet the same
requirements as a label? A call to smk_import() can verify that and
take care of all the memory allocation business.

> +	ckpt_hdr_put(ctx, h);
> +	if (!(ctx->uflags & RESTART_KEEP_LSM))
> +		return 0;
> +	if (ret != 1 || v != smack_version) {
>   

Make this a strcmp()

> +		ckpt_debug("Smack version at checkpoint was %d, now is %d\n",
>   

%s instead of %d all around.

> +			v, smack_version);
> +		return -EINVAL;
> +	}
> +	return 0;
> +}
> +
> +static int smack_checkpoint_header(struct cpt_ctx *ctx)
> +{
> +	char smackv[10];
> +	sprintf(smackv, "%d", smack_version);
>   

You can drop this ...

> +	return ckpt_write_obj_type(ctx, smackv, strlen(smackv)+1,
> +				  CKPT_HDR_LSM_INFO);
>   

And pass back smack_version, which is a string.

> +}
> +#endif
> +
>  struct security_operations smack_ops = {
>  	.name =				"smack",
>  
> @@ -3245,6 +3287,10 @@ struct security_operations smack_ops = {
>  	.secid_to_secctx = 		smack_secid_to_secctx,
>  	.secctx_to_secid = 		smack_secctx_to_secid,
>  	.release_secctx = 		smack_release_secctx,
> +#ifdef CONFIG_CHECKPOINT
> +	.may_restart =			smack_may_restart,
> +	.checkpoint_header =		smack_checkpoint_header,
> +#endif
>  };
>  
>  
> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
> index f83a809..7b20ad9 100644
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -42,6 +42,7 @@ enum smk_inos {
>  	SMK_NETLBLADDR	= 8,	/* single label hosts */
>  	SMK_ONLYCAP	= 9,	/* the only "capable" label */
>  	SMK_LOGGING	= 10,	/* logging */
> +	SMK_VERSION	= 11,	/* logging */
>  };
>  
>  /*
> @@ -51,6 +52,7 @@ static DEFINE_MUTEX(smack_list_lock);
>  static DEFINE_MUTEX(smack_cipso_lock);
>  static DEFINE_MUTEX(smack_ambient_lock);
>  static DEFINE_MUTEX(smk_netlbladdr_lock);
> +static DEFINE_MUTEX(smack_version_lock);
>  
>  /*
>   * This is the "ambient" label for network traffic.
> @@ -60,6 +62,11 @@ static DEFINE_MUTEX(smk_netlbladdr_lock);
>  char *smack_net_ambient = smack_known_floor.smk_known;
>  
>  /*
> + * this is the policy version, a simple integer
> + */
> +int smack_version = 1;
> +
>   

Make this a char * instead of an int and set it to
smack_known_floor.smk_known (which will be "_"). As above.


> +/*
>   * This is the level in a CIPSO header that indicates a
>   * smack label is contained directly in the category set.
>   * It can be reset via smackfs/direct
> @@ -1255,6 +1262,72 @@ static const struct file_operations smk_logging_ops = {
>  	.read		= smk_read_logging,
>  	.write		= smk_write_logging,
>  };
> +
> +#define SMK_VERSIONLEN 12
>   

    #define SMK_VERSIONLEN SMK_LABELLEN

> +/**
> + * smk_read_version - read() for /smack/version
> + * @filp: file pointer, not actually used
> + * @buf: where to put the result
> + * @cn: maximum to send along
> + * @ppos: where to start
> + *
> + * Returns number of bytes read or error code, as appropriate
> + */
> +static ssize_t smk_read_version(struct file *filp, char __user *buf,
> +				size_t count, loff_t *ppos)
> +{
> +	char temp[SMK_VERSIONLEN];
> +
> +	if (*ppos != 0)
> +		return 0;
> +
> +	mutex_lock(&smack_version_lock);
> +	sprintf(temp, "%d\n", smack_version);
>   

In the scheme I'm suggesting, no need for the sprintf.

> +	mutex_unlock(&smack_version_lock);
> +
> +	return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
> +}
> +
> +/**
> + * smk_write_version - write() for /smack/version
> + * @file: file pointer, not actually used
> + * @buf: where to get the data from
> + * @count: bytes sent
> + * @ppos: where to start
> + *
> + * Returns number of bytes written or error code, as appropriate
> + */
> +static ssize_t smk_write_version(struct file *file, const char __user *buf,
> +				 size_t count, loff_t *ppos)
> +{
> +	char in[SMK_VERSIONLEN];
> +	int tmp, ret;
> +
> +	if (!capable(CAP_MAC_ADMIN))
> +		return -EPERM;
> +
> +	if (count >= SMK_VERSIONLEN)
> +		return -EINVAL;
> +
> +	if (copy_from_user(in, buf, count) != 0)
> +		return -EFAULT;
>   

This would become smk_import(), replacing ....

> +
> +	in[count-1] = '\0';
> +	ret = sscanf(in, "%d", &tmp);
> +	if (ret != 1)
> +		return -EINVAL;
>   

... this

> +	mutex_lock(&smack_version_lock);
> +	smack_version = tmp;
>   

and smack_version gets the return from smk_import unless it is NULL.

> +	mutex_unlock(&smack_version_lock);
> +
> +	return count;
> +}
> +
> +static const struct file_operations smk_version_ops = {
> +	.read		= smk_read_version,
> +	.write		= smk_write_version,
> +};
> +
>  /**
>   * smk_fill_super - fill the /smackfs superblock
>   * @sb: the empty superblock
> @@ -1287,6 +1360,8 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
>  			{"onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
>  		[SMK_LOGGING]	=
>  			{"logging", &smk_logging_ops, S_IRUGO|S_IWUSR},
> +		[SMK_VERSION]	=
> +			{"version", &smk_version_ops, S_IRUGO|S_IWUSR},
>  		/* last one */ {""}
>  	};
>  
>   


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Serge E. Hallyn]

Quoting Casey Schaufler (casey@schaufler-ca.com):
> Serge E. Hallyn wrote:
> > This patch, for debugging only, introduces a silly admin-controlled
> > 'policy version' for smack.  By default the version is 1.  An
> > admin (with CAP_MAC_ADMIN) can change it by echoing a new value
> > into /smack/version.
> >   
> 
> The scheme you have suggested is just one step off of completely
> acceptable for real. More detail below, but if you make the "version"
> a string instead of a number I'm happy with it. In particular, a
> string that would itself be a valid Smack label makes everything
> really simple.

Presumably at many sites the version will be a unique string not
used as a label anywhere else.  That's ok?

> It would take me a few days, but if you're not in a real hurry or
> you're lazier than I am (yeah, right) I could provide a patch that
> does it. Or, if I haven't been completely incomprehensible, you
> could do a revision.

Heh, I'm in no hurry.  I'll mark this to do midway next week, if
you haven't gotten around to it first.  Thanks!

-serge

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Serge E. Hallyn]

Quoting Casey Schaufler (casey@schaufler-ca.com):
> Serge E. Hallyn wrote:
> > This patch, for debugging only, introduces a silly admin-controlled
> > 'policy version' for smack.  By default the version is 1.  An
> > admin (with CAP_MAC_ADMIN) can change it by echoing a new value
> > into /smack/version.
> >   
> 
> The scheme you have suggested is just one step off of completely
> acceptable for real. More detail below, but if you make the "version"
> a string instead of a number I'm happy with it. In particular, a
> string that would itself be a valid Smack label makes everything
> really simple.

Presumably at many sites the version will be a unique string not
used as a label anywhere else.  That's ok?

> It would take me a few days, but if you're not in a real hurry or
> you're lazier than I am (yeah, right) I could provide a patch that
> does it. Or, if I haven't been completely incomprehensible, you
> could do a revision.

Heh, I'm in no hurry.  I'll mark this to do midway next week, if
you haven't gotten around to it first.  Thanks!

-serge

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Casey Schaufler]

Serge E. Hallyn wrote:
> Quoting Casey Schaufler (casey@schaufler-ca.com):
>   
>> Serge E. Hallyn wrote:
>>     
>>> This patch, for debugging only, introduces a silly admin-controlled
>>> 'policy version' for smack.  By default the version is 1.  An
>>> admin (with CAP_MAC_ADMIN) can change it by echoing a new value
>>> into /smack/version.
>>>   
>>>       
>> The scheme you have suggested is just one step off of completely
>> acceptable for real. More detail below, but if you make the "version"
>> a string instead of a number I'm happy with it. In particular, a
>> string that would itself be a valid Smack label makes everything
>> really simple.
>>     
>
> Presumably at many sites the version will be a unique string not
> used as a label anywhere else.  That's ok?
>
>   
>> It would take me a few days, but if you're not in a real hurry or
>> you're lazier than I am (yeah, right) I could provide a patch that
>> does it. Or, if I haven't been completely incomprehensible, you
>> could do a revision.
>>     
>
> Heh, I'm in no hurry.  I'll mark this to do midway next week, if
> you haven't gotten around to it first.  Thanks!
>   


I hate to be a bother, but what tree are you basing these patches on?
Suspect that I missed a round of patches along the way, and can't apply
the ones I do have.

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Casey Schaufler]

Serge E. Hallyn wrote:
> Quoting Casey Schaufler (casey@schaufler-ca.com):
>   
>> Serge E. Hallyn wrote:
>>     
>>> This patch, for debugging only, introduces a silly admin-controlled
>>> 'policy version' for smack.  By default the version is 1.  An
>>> admin (with CAP_MAC_ADMIN) can change it by echoing a new value
>>> into /smack/version.
>>>   
>>>       
>> The scheme you have suggested is just one step off of completely
>> acceptable for real. More detail below, but if you make the "version"
>> a string instead of a number I'm happy with it. In particular, a
>> string that would itself be a valid Smack label makes everything
>> really simple.
>>     
>
> Presumably at many sites the version will be a unique string not
> used as a label anywhere else.  That's ok?
>
>   
>> It would take me a few days, but if you're not in a real hurry or
>> you're lazier than I am (yeah, right) I could provide a patch that
>> does it. Or, if I haven't been completely incomprehensible, you
>> could do a revision.
>>     
>
> Heh, I'm in no hurry.  I'll mark this to do midway next week, if
> you haven't gotten around to it first.  Thanks!
>   


I hate to be a bother, but what tree are you basing these patches on?
Suspect that I missed a round of patches along the way, and can't apply
the ones I do have.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Serge E. Hallyn]

Quoting Casey Schaufler (casey@schaufler-ca.com):
> Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (casey@schaufler-ca.com):
> >   
> >> Serge E. Hallyn wrote:
> >>     
> >>> This patch, for debugging only, introduces a silly admin-controlled
> >>> 'policy version' for smack.  By default the version is 1.  An
> >>> admin (with CAP_MAC_ADMIN) can change it by echoing a new value
> >>> into /smack/version.
> >>>   
> >>>       
> >> The scheme you have suggested is just one step off of completely
> >> acceptable for real. More detail below, but if you make the "version"
> >> a string instead of a number I'm happy with it. In particular, a
> >> string that would itself be a valid Smack label makes everything
> >> really simple.
> >>     
> >
> > Presumably at many sites the version will be a unique string not
> > used as a label anywhere else.  That's ok?
> >
> >   
> >> It would take me a few days, but if you're not in a real hurry or
> >> you're lazier than I am (yeah, right) I could provide a patch that
> >> does it. Or, if I haven't been completely incomprehensible, you
> >> could do a revision.
> >>     
> >
> > Heh, I'm in no hurry.  I'll mark this to do midway next week, if
> > you haven't gotten around to it first.  Thanks!
> >   
> 
> 
> I hate to be a bother, but what tree are you basing these patches on?
> Suspect that I missed a round of patches along the way, and can't apply
> the ones I do have.

Sorry, the c/r tree is at:

git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git

-serge

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Serge E. Hallyn]

Quoting Casey Schaufler (casey@schaufler-ca.com):
> Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (casey@schaufler-ca.com):
> >   
> >> Serge E. Hallyn wrote:
> >>     
> >>> This patch, for debugging only, introduces a silly admin-controlled
> >>> 'policy version' for smack.  By default the version is 1.  An
> >>> admin (with CAP_MAC_ADMIN) can change it by echoing a new value
> >>> into /smack/version.
> >>>   
> >>>       
> >> The scheme you have suggested is just one step off of completely
> >> acceptable for real. More detail below, but if you make the "version"
> >> a string instead of a number I'm happy with it. In particular, a
> >> string that would itself be a valid Smack label makes everything
> >> really simple.
> >>     
> >
> > Presumably at many sites the version will be a unique string not
> > used as a label anywhere else.  That's ok?
> >
> >   
> >> It would take me a few days, but if you're not in a real hurry or
> >> you're lazier than I am (yeah, right) I could provide a patch that
> >> does it. Or, if I haven't been completely incomprehensible, you
> >> could do a revision.
> >>     
> >
> > Heh, I'm in no hurry.  I'll mark this to do midway next week, if
> > you haven't gotten around to it first.  Thanks!
> >   
> 
> 
> I hate to be a bother, but what tree are you basing these patches on?
> Suspect that I missed a round of patches along the way, and can't apply
> the ones I do have.

Sorry, the c/r tree is at:

git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git

-serge

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Casey Schaufler]

Serge E. Hallyn wrote:
> Quoting Casey Schaufler (casey@schaufler-ca.com):
>   
>> Serge E. Hallyn wrote:
>>     
>>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>>   
>>>       
>>>> Serge E. Hallyn wrote:
>>>>     
>>>>         
>>>>> This patch, for debugging only, introduces a silly admin-controlled
>>>>> 'policy version' for smack.  By default the version is 1.  An
>>>>> admin (with CAP_MAC_ADMIN) can change it by echoing a new value
>>>>> into /smack/version.
>>>>>   
>>>>>       
>>>>>           
>>>> The scheme you have suggested is just one step off of completely
>>>> acceptable for real. More detail below, but if you make the "version"
>>>> a string instead of a number I'm happy with it. In particular, a
>>>> string that would itself be a valid Smack label makes everything
>>>> really simple.
>>>>     
>>>>         
>>> Presumably at many sites the version will be a unique string not
>>> used as a label anywhere else.  That's ok?
>>>
>>>   
>>>       
>>>> It would take me a few days, but if you're not in a real hurry or
>>>> you're lazier than I am (yeah, right) I could provide a patch that
>>>> does it. Or, if I haven't been completely incomprehensible, you
>>>> could do a revision.
>>>>     
>>>>         
>>> Heh, I'm in no hurry.  I'll mark this to do midway next week, if
>>> you haven't gotten around to it first.  Thanks!
>>>   
>>>       
>> I hate to be a bother, but what tree are you basing these patches on?
>> Suspect that I missed a round of patches along the way, and can't apply
>> the ones I do have.
>>     
>
> Sorry, the c/r tree is at:
>
> git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git
>   

The four patches from 08/28 (2-5) and the two from 09/03
are not happy applying to this tree. Am I missing a patch?

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Casey Schaufler]

Serge E. Hallyn wrote:
> Quoting Casey Schaufler (casey@schaufler-ca.com):
>   
>> Serge E. Hallyn wrote:
>>     
>>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>>   
>>>       
>>>> Serge E. Hallyn wrote:
>>>>     
>>>>         
>>>>> This patch, for debugging only, introduces a silly admin-controlled
>>>>> 'policy version' for smack.  By default the version is 1.  An
>>>>> admin (with CAP_MAC_ADMIN) can change it by echoing a new value
>>>>> into /smack/version.
>>>>>   
>>>>>       
>>>>>           
>>>> The scheme you have suggested is just one step off of completely
>>>> acceptable for real. More detail below, but if you make the "version"
>>>> a string instead of a number I'm happy with it. In particular, a
>>>> string that would itself be a valid Smack label makes everything
>>>> really simple.
>>>>     
>>>>         
>>> Presumably at many sites the version will be a unique string not
>>> used as a label anywhere else.  That's ok?
>>>
>>>   
>>>       
>>>> It would take me a few days, but if you're not in a real hurry or
>>>> you're lazier than I am (yeah, right) I could provide a patch that
>>>> does it. Or, if I haven't been completely incomprehensible, you
>>>> could do a revision.
>>>>     
>>>>         
>>> Heh, I'm in no hurry.  I'll mark this to do midway next week, if
>>> you haven't gotten around to it first.  Thanks!
>>>   
>>>       
>> I hate to be a bother, but what tree are you basing these patches on?
>> Suspect that I missed a round of patches along the way, and can't apply
>> the ones I do have.
>>     
>
> Sorry, the c/r tree is at:
>
> git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git
>   

The four patches from 08/28 (2-5) and the two from 09/03
are not happy applying to this tree. Am I missing a patch?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Serge E. Hallyn]

Quoting Casey Schaufler (casey@schaufler-ca.com):
> Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (casey@schaufler-ca.com):
> > Sorry, the c/r tree is at:
> >
> > git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git
> >   
> 
> The four patches from 08/28 (2-5) and the two from 09/03
> are not happy applying to this tree. Am I missing a patch?
> 

There was this patch which was 1/5
	https://lists.linux-foundation.org/pipermail/containers/2009-August/020212.html

But there have also been some changes since that posting to the
git tree.  You could rewind the git tree to the state it was in
on aug 28, but I'll need to forward-port my patches anyway, so
let me do that this afternoon and resend the patchset.

-serge

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Serge E. Hallyn]

Quoting Casey Schaufler (casey@schaufler-ca.com):
> Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (casey@schaufler-ca.com):
> > Sorry, the c/r tree is at:
> >
> > git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git
> >   
> 
> The four patches from 08/28 (2-5) and the two from 09/03
> are not happy applying to this tree. Am I missing a patch?
> 

There was this patch which was 1/5
	https://lists.linux-foundation.org/pipermail/containers/2009-August/020212.html

But there have also been some changes since that posting to the
git tree.  You could rewind the git tree to the state it was in
on aug 28, but I'll need to forward-port my patches anyway, so
let me do that this afternoon and resend the patchset.

-serge

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Casey Schaufler]

Serge E. Hallyn wrote:
> Quoting Casey Schaufler (casey@schaufler-ca.com):
>   
>> Serge E. Hallyn wrote:
>>     
>>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>> Sorry, the c/r tree is at:
>>>
>>> git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git
>>>   
>>>       
>> The four patches from 08/28 (2-5) and the two from 09/03
>> are not happy applying to this tree. Am I missing a patch?
>>
>>     
>
> There was this patch which was 1/5
> 	https://lists.linux-foundation.org/pipermail/containers/2009-August/020212.html
>
> But there have also been some changes since that posting to the
> git tree.  You could rewind the git tree to the state it was in
> on aug 28, but I'll need to forward-port my patches anyway, so
> let me do that this afternoon and resend the patchset.
>
>   

I figured it was something like that. Thank you.

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Casey Schaufler]

Serge E. Hallyn wrote:
> Quoting Casey Schaufler (casey@schaufler-ca.com):
>   
>> Serge E. Hallyn wrote:
>>     
>>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>> Sorry, the c/r tree is at:
>>>
>>> git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git
>>>   
>>>       
>> The four patches from 08/28 (2-5) and the two from 09/03
>> are not happy applying to this tree. Am I missing a patch?
>>
>>     
>
> There was this patch which was 1/5
> 	https://lists.linux-foundation.org/pipermail/containers/2009-August/020212.html
>
> But there have also been some changes since that posting to the
> git tree.  You could rewind the git tree to the state it was in
> on aug 28, but I'll need to forward-port my patches anyway, so
> let me do that this afternoon and resend the patchset.
>
>   

I figured it was something like that. Thank you.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Serge E. Hallyn]

Quoting Casey Schaufler (casey@schaufler-ca.com):
> Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (casey@schaufler-ca.com):
> >   
> >> Serge E. Hallyn wrote:
> >>     
> >>> Quoting Casey Schaufler (casey@schaufler-ca.com):
> >>> Sorry, the c/r tree is at:
> >>>
> >>> git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git
> >>>   
> >>>       
> >> The four patches from 08/28 (2-5) and the two from 09/03
> >> are not happy applying to this tree. Am I missing a patch?
> >>
> >>     
> >
> > There was this patch which was 1/5
> > 	https://lists.linux-foundation.org/pipermail/containers/2009-August/020212.html
> >
> > But there have also been some changes since that posting to the
> > git tree.  You could rewind the git tree to the state it was in
> > on aug 28, but I'll need to forward-port my patches anyway, so
> > let me do that this afternoon and resend the patchset.
> >
> >   
> 
> I figured it was something like that. Thank you.

Actually the patches still apply cleanly.  But it turns out
that when you clone the linux-cr tree, it pulls the ckpt-v17
branch, and only the ckpt-v17 branch.  It is hugely different
from the ckpt-v17-dev tree, which is the one you want.  So
assuming you created a kernel tree by doing git clone
git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git (as opposed
to tweaking your .git/config in another git tree), then you
want to:

	git fetch origin ckpt-v17-dev:ckpt-v17-dev
	git checkout ckpt-v17-dev

The lsm c/r patches should apply cleanly there.

thanks,
-serge

Re: [RFC PATCH 2/2] cr: debug security_checkpoint_header and security_may_restart

[Serge E. Hallyn]

Quoting Casey Schaufler (casey@schaufler-ca.com):
> Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (casey@schaufler-ca.com):
> >   
> >> Serge E. Hallyn wrote:
> >>     
> >>> Quoting Casey Schaufler (casey@schaufler-ca.com):
> >>> Sorry, the c/r tree is at:
> >>>
> >>> git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git
> >>>   
> >>>       
> >> The four patches from 08/28 (2-5) and the two from 09/03
> >> are not happy applying to this tree. Am I missing a patch?
> >>
> >>     
> >
> > There was this patch which was 1/5
> > 	https://lists.linux-foundation.org/pipermail/containers/2009-August/020212.html
> >
> > But there have also been some changes since that posting to the
> > git tree.  You could rewind the git tree to the state it was in
> > on aug 28, but I'll need to forward-port my patches anyway, so
> > let me do that this afternoon and resend the patchset.
> >
> >   
> 
> I figured it was something like that. Thank you.

Actually the patches still apply cleanly.  But it turns out
that when you clone the linux-cr tree, it pulls the ckpt-v17
branch, and only the ckpt-v17 branch.  It is hugely different
from the ckpt-v17-dev tree, which is the one you want.  So
assuming you created a kernel tree by doing git clone
git://git.ncl.cs.columbia.edu/pub/git/linux-cr.git (as opposed
to tweaking your .git/config in another git tree), then you
want to:

	git fetch origin ckpt-v17-dev:ckpt-v17-dev
	git checkout ckpt-v17-dev

The lsm c/r patches should apply cleanly there.

thanks,
-serge

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.