June 2023 - rsbac-commit

linux-5.4.y 5.4.246 commit 56b98f38201a Add missing put_pid in do_accept().
by Amon Ott 12 Jun '23

12 Jun '23

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.4.y.git;a=summary RSBAC for Linux 5.4 (Long Term) Current version: 5.4.246 commit 56b98f38201ab0543ef5c77f6d1eadd6fea3e599 Author: Amon Ott <ao(a)rsbac.org> Date: Wed Apr 5 13:01:16 2023 +0200 Add missing put_pid in do_accept(). net/socket.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)

1 0

linux-5.10.y 5.10.183 commit de3b9916ee12 __sys_setresuid(), __sys_setresgid(): move RSBAC check behind no-op
by Amon Ott 12 Jun '23

12 Jun '23

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.10.y.git;a=summary RSBAC for Linux 5.10 (Long Term) Current version: 5.10.183 commit de3b9916ee124cd34fb40f6504ae458dade4ad2e Author: Amon Ott <ao(a)rsbac.org> Date: Tue Jun 6 08:09:56 2023 +0200 __sys_setresuid(), __sys_setresgid(): move RSBAC check behind no-op check. Instead of checking RSBAC first, just disable the no-op check, if RSBAC is enabled. This also restores correct notification in this special case. kernel/sys.c | 72 ++++++++++++++++++++++++++++++++---------------------------- 1 file changed, 38 insertions(+), 34 deletions(-)

1 0

linux-5.15.y 5.15.116 commit 1c5bb0ff44ae __sys_setresuid(), __sys_setresgid(): move RSBAC check behind no-op
by Amon Ott 12 Jun '23

12 Jun '23

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.15.y.git;a=summary RSBAC for Linux 5.15 (Long Term) Current version: 5.15.116 commit 1c5bb0ff44ae272d7ce57cdc7422abfdebcb74cb Author: Amon Ott <ao(a)rsbac.org> Date: Tue Jun 6 08:02:25 2023 +0200 __sys_setresuid(), __sys_setresgid(): move RSBAC check behind no-op check. Instead of checking RSBAC first, just disable the no-op check, if RSBAC is enabled. This also restores correct notification in this special case. kernel/sys.c | 125 +++++++++++++++++++++++++++++++---------------------------- 1 file changed, 66 insertions(+), 59 deletions(-)

1 0

linux-6.1.y 6.1.33 commit db9a4f727b56 __sys_setresuid(), __sys_setresgid(): move RSBAC check behind no-op
by Amon Ott 12 Jun '23

12 Jun '23

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-6.1.y.git;a=summary RSBAC for Linux 6.1 (Long Term) Current version: 6.1.33 commit db9a4f727b567a55313c0babfd73bbf05369f88c Author: Amon Ott <ao(a)rsbac.org> Date: Tue Jun 6 07:59:56 2023 +0200 __sys_setresuid(), __sys_setresgid(): move RSBAC check behind no-op check. Instead of checking RSBAC first, just disable the no-op check, if RSBAC is enabled. This also restores correct notification in this special case. kernel/sys.c | 125 +++++++++++++++++++++++++++++++---------------------------- 1 file changed, 66 insertions(+), 59 deletions(-)

1 0

linux-5.4.y 5.4.245 commit 8f40f1eeb9ac Add missing put_pid in do_accept().
by Amon Ott 06 Jun '23

06 Jun '23

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.4.y.git;a=summary RSBAC for Linux 5.4 (Long Term) Current version: 5.4.245 commit 8f40f1eeb9acb5f1cc2f1b0c3aca4db025d5dde6 Author: Amon Ott <ao(a)rsbac.org> Date: Wed Apr 5 13:01:16 2023 +0200 Add missing put_pid in do_accept(). net/socket.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)

1 0

linux-5.10.y 5.10.182 commit 904a8b867368 __sys_setresuid(), __sys_setresgid(): move RSBAC check behind no-op
by Amon Ott 06 Jun '23

06 Jun '23

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.10.y.git;a=summary RSBAC for Linux 5.10 (Long Term) Current version: 5.10.182 commit 904a8b8673689888a257c145bd54221afa478b2b Author: Amon Ott <ao(a)rsbac.org> Date: Tue Jun 6 08:09:56 2023 +0200 __sys_setresuid(), __sys_setresgid(): move RSBAC check behind no-op check. Instead of checking RSBAC first, just disable the no-op check, if RSBAC is enabled. This also restores correct notification in this special case. kernel/sys.c | 72 ++++++++++++++++++++++++++++++++---------------------------- 1 file changed, 38 insertions(+), 34 deletions(-)

1 0

linux-5.15.y 5.15.115 commit 93494a9e63f0 __sys_setresuid(), __sys_setresgid(): move RSBAC check behind no-op
by Amon Ott 06 Jun '23

06 Jun '23

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.15.y.git;a=summary RSBAC for Linux 5.15 (Long Term) Current version: 5.15.115 commit 93494a9e63f02de91ecb9b693a69d353bcf044f2 Author: Amon Ott <ao(a)rsbac.org> Date: Tue Jun 6 08:02:25 2023 +0200 __sys_setresuid(), __sys_setresgid(): move RSBAC check behind no-op check. Instead of checking RSBAC first, just disable the no-op check, if RSBAC is enabled. This also restores correct notification in this special case. kernel/sys.c | 125 +++++++++++++++++++++++++++++++---------------------------- 1 file changed, 66 insertions(+), 59 deletions(-)

1 0

linux-6.1.y 6.1.32 commit ed4e580aaa05 __sys_setresuid(), __sys_setresgid(): move RSBAC check behind no-op
by Amon Ott 06 Jun '23

06 Jun '23

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-6.1.y.git;a=summary RSBAC for Linux 6.1 (Long Term) Current version: 6.1.32 commit ed4e580aaa056560fbf8e44cde20c8e1047bf7e3 Author: Amon Ott <ao(a)rsbac.org> Date: Tue Jun 6 07:59:56 2023 +0200 __sys_setresuid(), __sys_setresgid(): move RSBAC check behind no-op check. Instead of checking RSBAC first, just disable the no-op check, if RSBAC is enabled. This also restores correct notification in this special case. kernel/sys.c | 125 +++++++++++++++++++++++++++++++---------------------------- 1 file changed, 66 insertions(+), 59 deletions(-)

1 0

linux-5.10.y 5.10.181 commit 9afae1736497 __sys_setresuid(), __sys_setresgid(): move RSBAC check before no-op
by Amon Ott 01 Jun '23

01 Jun '23

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.10.y.git;a=summary RSBAC for Linux 5.10 (Long Term) Current version: 5.10.181 commit 9afae17364972a48660438c8025373e5968649c2 Author: Amon Ott <ao(a)rsbac.org> Date: Thu Jun 1 08:38:39 2023 +0200 __sys_setresuid(), __sys_setresgid(): move RSBAC check before no-op check. The kernel no-op check bypasses the RSBAC check and notification, but in RSBAC, setresuid(getuid(), -1, -1) is security relevant and needs to update state. As a side effect, we now also check before the kernel capability check and might see more RSBAC messages as a result. kernel/sys.c | 138 ++++++++++++++++++++++++++++------------------------------- 1 file changed, 66 insertions(+), 72 deletions(-)

1 0

linux-5.15.y 5.15.114 commit 4361aa035d3a __sys_setresuid(), __sys_setresgid(): move RSBAC check before no-op
by Amon Ott 01 Jun '23

01 Jun '23

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.15.y.git;a=summary RSBAC for Linux 5.15 (Long Term) Current version: 5.15.114 commit 4361aa035d3aa3c9371b33f96f8b6659e8a0f7fd Author: Amon Ott <ao(a)rsbac.org> Date: Thu Jun 1 08:30:58 2023 +0200 __sys_setresuid(), __sys_setresgid(): move RSBAC check before no-op check. The kernel no-op check bypasses the RSBAC check and notification, but in RSBAC, setresuid(getuid(), -1, -1) is security relevant and needs to update state. As a side effect, we now also check before the kernel capability check and might see more RSBAC messages as a result. kernel/sys.c | 138 ++++++++++++++++++++++++++++------------------------------- 1 file changed, 66 insertions(+), 72 deletions(-)

1 0

2025

2024

2023

2022

rsbac-commit June 2023