- rsbac-commit - rsbac.org

linux-6.6.y 6.6.43 commit b56929c08198 vfs_getattr(): with RSBAC_FSOBJ_HIDE, avoid SEARCH request on IPC t
by Amon Ott 30 Jul '24

30 Jul '24

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-6.6.y.git;a=summary RSBAC for Linux 6.6 (Long Term) Current version: 6.6.43 commit b56929c081987635320de7fa9b0580ed35ba4b60 Author: Amon Ott <ao(a)rsbac.org> Date: Tue Jul 30 14:38:26 2024 +0200 vfs_getattr(): with RSBAC_FSOBJ_HIDE, avoid SEARCH request on IPC targets. fs/stat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

1 0

linux-5.15.y 5.15.164 commit ab66792588e7 Always call rsbac_mount() with parent info, but not from do_move_mo
by Amon Ott 29 Jul '24

29 Jul '24

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.15.y.git;a=summary RSBAC for Linux 5.15 (Long Term) Current version: 5.15.164 commit ab66792588e74204dc137a91ba1664679bc7804a Author: Amon Ott <ao(a)rsbac.org> Date: Thu Jul 25 13:34:43 2024 +0200 Always call rsbac_mount() with parent info, but not from do_move_mount(). This commit ports the rsbac_mount() changes from kernel 6.6. fs/namespace.c | 58 ++++++++++++++++++++--------- rsbac/data_structures/aci_data_structures.c | 31 +++++++++------ rsbac/data_structures/acl_data_structures.c | 20 +++++----- 3 files changed, 70 insertions(+), 39 deletions(-)

1 0

linux-4.19.y 4.19.319 commit a38709f4dc72 Fix rsbac_rc_copy_type() and rsbac_rc_sys_copy_type() parameter typ
by Amon Ott 29 Jul '24

29 Jul '24

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-4.19.y.git;a=summary RSBAC for Linux 4.19 (Long Term) Current version: 4.19.319 commit a38709f4dc72ef23de6539356b14fe98f6a31e3b Author: Amon Ott <ao(a)rsbac.org> Date: Tue Jan 16 08:41:16 2024 +0100 Fix rsbac_rc_copy_type() and rsbac_rc_sys_copy_type() parameter type. include/rsbac/adf_syshelpers.h | 6 +++--- include/rsbac/rc.h | 6 +++--- rsbac/help/syscalls.c | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-)

1 0

linux-5.4.y 5.4.281 commit 45cdfadb1039 Fix rsbac_rc_copy_type() and rsbac_rc_sys_copy_type() parameter typ
by Amon Ott 29 Jul '24

29 Jul '24

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.4.y.git;a=summary RSBAC for Linux 5.4 (Long Term) Current version: 5.4.281 commit 45cdfadb10399a616829fba12409707739aaf113 Author: Amon Ott <ao(a)rsbac.org> Date: Tue Jan 16 08:36:19 2024 +0100 Fix rsbac_rc_copy_type() and rsbac_rc_sys_copy_type() parameter type. include/rsbac/adf_syshelpers.h | 6 +++--- include/rsbac/rc.h | 6 +++--- rsbac/help/syscalls.c | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-)

1 0

linux-5.10.y 5.10.223 commit 0fc525fdc8ef Always call rsbac_mount() with parent info, but not from do_move_mo
by Amon Ott 29 Jul '24

29 Jul '24

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.10.y.git;a=summary RSBAC for Linux 5.10 (Long Term) Current version: 5.10.223 commit 0fc525fdc8ef8379537f490818ab2420c264216c Author: Amon Ott <ao(a)rsbac.org> Date: Thu Jul 25 13:43:14 2024 +0200 Always call rsbac_mount() with parent info, but not from do_move_mount(). This commit ports the rsbac_mount() changes from kernel 6.6. fs/namespace.c | 57 ++++++++++++++++++++--------- rsbac/data_structures/aci_data_structures.c | 31 ++++++++++------ rsbac/data_structures/acl_data_structures.c | 22 +++++------ 3 files changed, 71 insertions(+), 39 deletions(-)

1 0

linux-6.1.y 6.1.102 commit 537df3dbc573 Always call rsbac_mount() with parent info, but not from do_move_mo
by Amon Ott 29 Jul '24

29 Jul '24

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-6.1.y.git;a=summary RSBAC for Linux 6.1 (Long Term) Current version: 6.1.102 commit 537df3dbc573a786a932e2d1cf96b8b359ce60c9 Author: Amon Ott <ao(a)rsbac.org> Date: Thu Jul 25 13:31:24 2024 +0200 Always call rsbac_mount() with parent info, but not from do_move_mount(). This commit ports the rsbac_mount() changes from kernel 6.6. fs/namespace.c | 58 ++++++++++++++++++++--------- rsbac/data_structures/aci_data_structures.c | 31 +++++++++------ rsbac/data_structures/acl_data_structures.c | 20 +++++----- 3 files changed, 70 insertions(+), 39 deletions(-)

1 0

linux-6.6.y 6.6.43 commit 19e528dc52bb Add feature CAP filesystem object hiding If enabled, you can hide f
by Amon Ott 29 Jul '24

29 Jul '24

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-6.6.y.git;a=summary RSBAC for Linux 6.6 (Long Term) Current version: 6.6.43 commit 19e528dc52bbbf0d390bd82238d09d6a549c74d4 Author: Amon Ott <ao(a)rsbac.org> Date: Mon Jul 29 12:56:30 2024 +0200 Add feature CAP filesystem object hiding If enabled, you can hide filesystem objects from users without Linux read rights on them, set with the kernel command line switch rsbac_cap_fd_hiding or through the RSBAC proc interface. There are two possible values: 0 / off: no hiding. 1 / on: only processes with Linux read right to a filesystem object, Linux capability DAC_OVERRIDE or DAC_READ_SEARCH or with CAP role security officer or system admin may see this object. Hiding works with many, but not all types of file system object access. While at it, reduce overhead with CAP process hiding: only use global variable rsbac_cap_process_hiding instead of per-process attribute, which does not get set individually anyway. Since rsbac_get_owner() never returns an error, change it to not return a result and remove all result checks. Add some type casts to rc_main.c. fs/locks.c | 12 + fs/namei.c | 37 ++ fs/open.c | 34 ++ fs/readdir.c | 50 +-- fs/stat.c | 31 ++ include/rsbac/aci_data_structures.h | 10 +- include/rsbac/adf.h | 10 +- include/rsbac/debug.h | 7 +- include/rsbac/helpers.h | 6 +- include/rsbac/types.h | 11 +- rsbac/Kconfig | 23 +- rsbac/adf/acl/acl_syscalls.c | 26 +- rsbac/adf/adf_main.c | 91 ++--- rsbac/adf/cap/cap_main.c | 45 +-- rsbac/adf/rc/rc_main.c | 30 +- rsbac/adf/rc/rc_syscalls.c | 562 ++++++++++++---------------- rsbac/data_structures/aci_data_structures.c | 14 +- rsbac/help/debug.c | 124 +++++- rsbac/help/getname.c | 8 +- rsbac/help/helpers.c | 91 ++++- rsbac/help/syscalls.c | 10 +- 21 files changed, 702 insertions(+), 530 deletions(-)

1 0

linux-6.6.y 6.6.42 commit c01a4c130ac7 Add feature CAP filesystem object hiding If enabled, you can hide f
by Amon Ott 29 Jul '24

29 Jul '24

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-6.6.y.git;a=summary RSBAC for Linux 6.6 (Long Term) Current version: 6.6.42 commit c01a4c130ac7692a4fb075ff51aec8805cdc540f Author: Amon Ott <ao(a)rsbac.org> Date: Mon Jul 29 12:56:30 2024 +0200 Add feature CAP filesystem object hiding If enabled, you can hide filesystem objects from users without Linux read rights on them, set with the kernel command line switch rsbac_cap_fd_hiding or through the RSBAC proc interface. There are two possible values: 0 / off: no hiding. 1 / on: only processes with Linux read right to a filesystem object, Linux capability DAC_OVERRIDE or DAC_READ_SEARCH or with CAP role security officer or system admin may see this object. Hiding works with many, but not all types of file system object access. While at it, reduce overhead with CAP process hiding: only use global variable rsbac_cap_process_hiding instead of per-process attribute, which does not get set individually anyway. Since rsbac_get_owner() never returns an error, change it to not return a result and remove all result checks. Add some type casts to rc_main.c. fs/locks.c | 12 + fs/namei.c | 37 ++ fs/open.c | 34 ++ fs/readdir.c | 50 +-- fs/stat.c | 31 ++ include/rsbac/aci_data_structures.h | 10 +- include/rsbac/adf.h | 10 +- include/rsbac/debug.h | 7 +- include/rsbac/helpers.h | 6 +- include/rsbac/types.h | 11 +- rsbac/Kconfig | 23 +- rsbac/adf/acl/acl_syscalls.c | 26 +- rsbac/adf/adf_main.c | 91 ++--- rsbac/adf/cap/cap_main.c | 45 +-- rsbac/adf/rc/rc_main.c | 30 +- rsbac/adf/rc/rc_syscalls.c | 562 ++++++++++++---------------- rsbac/data_structures/aci_data_structures.c | 14 +- rsbac/help/debug.c | 124 +++++- rsbac/help/getname.c | 8 +- rsbac/help/helpers.c | 91 ++++- rsbac/help/syscalls.c | 10 +- 21 files changed, 702 insertions(+), 530 deletions(-)

1 0

linux-5.10.y 5.10.222 commit 355665e551b0 Always call rsbac_mount() with parent info, but not from do_move_mo
by Amon Ott 25 Jul '24

25 Jul '24

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.10.y.git;a=summary RSBAC for Linux 5.10 (Long Term) Current version: 5.10.222 commit 355665e551b08aab63b52ef4cb13a6e22448ef9f Author: Amon Ott <ao(a)rsbac.org> Date: Thu Jul 25 13:43:14 2024 +0200 Always call rsbac_mount() with parent info, but not from do_move_mount(). This commit ports the rsbac_mount() changes from kernel 6.6. fs/namespace.c | 57 ++++++++++++++++++++--------- rsbac/data_structures/aci_data_structures.c | 31 ++++++++++------ rsbac/data_structures/acl_data_structures.c | 22 +++++------ 3 files changed, 71 insertions(+), 39 deletions(-)

1 0

linux-5.15.y 5.15.163 commit b3f79be12c70 Always call rsbac_mount() with parent info, but not from do_move_mo
by Amon Ott 25 Jul '24

25 Jul '24

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.15.y.git;a=summary RSBAC for Linux 5.15 (Long Term) Current version: 5.15.163 commit b3f79be12c7084470623412c59def156595ebf15 Author: Amon Ott <ao(a)rsbac.org> Date: Thu Jul 25 13:34:43 2024 +0200 Always call rsbac_mount() with parent info, but not from do_move_mount(). This commit ports the rsbac_mount() changes from kernel 6.6. fs/namespace.c | 58 ++++++++++++++++++++--------- rsbac/data_structures/aci_data_structures.c | 31 +++++++++------ rsbac/data_structures/acl_data_structures.c | 20 +++++----- 3 files changed, 70 insertions(+), 39 deletions(-)

1 0

2025

2024

2023

2022

rsbac-commit