#
b80affe3 |
| 16-Dec-2020 |
Linus Torvalds <torvalds@linux-foundation.org> |
Merge tag 'linux-kselftest-fixes-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
Pull Kselftest fixes from Shuah Khan: "Build fixes for clone3 and rseq tests"
* ta
Merge tag 'linux-kselftest-fixes-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
Pull Kselftest fixes from Shuah Khan: "Build fixes for clone3 and rseq tests"
* tag 'linux-kselftest-fixes-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: selftests/clone3: Fix build error rseq/selftests: Fix MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ build error under other arch.
show more ...
|
#
4b419325 |
| 15-Dec-2020 |
Dmitry Torokhov <dmitry.torokhov@gmail.com> |
Merge branch 'next' into for-linus
Prepare input updates for 5.11 merge window.
|
Revision tags: v5.10, v5.10-rc7, v5.10-rc6 |
|
#
88f4ede4 |
| 27-Nov-2020 |
Xingxing Su <suxingxing@loongson.cn> |
selftests/clone3: Fix build error
When compiling the selftests with the -std=gnu99 option the build can fail with.
Following build error:
test_core.c: In function ‘test_cgcore_destroy’: test_c
selftests/clone3: Fix build error
When compiling the selftests with the -std=gnu99 option the build can fail with.
Following build error:
test_core.c: In function ‘test_cgcore_destroy’: test_core.c:87:2: error: ‘for’ loop initial declarations are only allowed in C99 mode for (int i = 0; i < 10; i++) { ^ test_core.c:87:2: note: use option -std=c99 or -std=gnu99 to compile
Add -std=gnu99 to the clone3 selftest Makefile to fix this.
Signed-off-by: Xingxing Su <suxingxing@loongson.cn> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
show more ...
|
Revision tags: v5.10-rc5 |
|
#
05909cd9 |
| 18-Nov-2020 |
Dmitry Torokhov <dmitry.torokhov@gmail.com> |
Merge tag 'v5.9' into next
Sync up with mainline to bring in the latest DTS files.
|
Revision tags: v5.10-rc4, v5.10-rc3, v5.10-rc2, v5.10-rc1, v5.9, v5.9-rc8, v5.9-rc7, v5.9-rc6, v5.9-rc5 |
|
#
0ea8a56d |
| 12-Sep-2020 |
Rodrigo Vivi <rodrigo.vivi@intel.com> |
Merge drm/drm-next into drm-intel-next-queued
Sync drm-intel-gt-next here so we can have an unified fixes flow.
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
|
#
9ddb236f |
| 09-Sep-2020 |
Takashi Iwai <tiwai@suse.de> |
Merge branch 'for-linus' into for-next
Back-merge to apply the tasklet conversion patches that are based on the already applied tasklet API changes on 5.9-rc4.
Signed-off-by: Takashi Iwai <tiwai@su
Merge branch 'for-linus' into for-next
Back-merge to apply the tasklet conversion patches that are based on the already applied tasklet API changes on 5.9-rc4.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
show more ...
|
Revision tags: v5.9-rc4 |
|
#
6bde8ef5 |
| 02-Sep-2020 |
Takashi Iwai <tiwai@suse.de> |
Merge branch 'topic/tasklet-convert' into for-linus
Pull tasklet API conversions.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
#
ead5d1f4 |
| 01-Sep-2020 |
Jiri Kosina <jkosina@suse.cz> |
Merge branch 'master' into for-next
Sync with Linus' branch in order to be able to apply fixups of more recent patches.
|
Revision tags: v5.9-rc3 |
|
#
3bec5b6a |
| 25-Aug-2020 |
Mark Brown <broonie@kernel.org> |
Merge tag 'v5.9-rc2' into regulator-5.9
Linux 5.9-rc2
|
#
1959ba4e |
| 25-Aug-2020 |
Mark Brown <broonie@kernel.org> |
Merge tag 'v5.9-rc2' into asoc-5.9
Linux 5.9-rc2
|
#
2d9ad4cf |
| 25-Aug-2020 |
Maarten Lankhorst <maarten.lankhorst@linux.intel.com> |
Merge tag 'v5.9-rc2' into drm-misc-fixes
Backmerge requested by Tomi for a fix to omap inconsistent locking state issue, and because we need at least v5.9-rc2 now.
Signed-off-by: Maarten Lankhorst
Merge tag 'v5.9-rc2' into drm-misc-fixes
Backmerge requested by Tomi for a fix to omap inconsistent locking state issue, and because we need at least v5.9-rc2 now.
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
show more ...
|
Revision tags: v5.9-rc2 |
|
#
d85ddd13 |
| 18-Aug-2020 |
Maxime Ripard <maxime@cerno.tech> |
Merge v5.9-rc1 into drm-misc-next
Sam needs 5.9-rc1 to have dev_err_probe in to merge some patches.
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
|
Revision tags: v5.9-rc1 |
|
#
94fb1afb |
| 06-Aug-2020 |
Arnaldo Carvalho de Melo <acme@redhat.com> |
Mgerge remote-tracking branch 'torvalds/master' into perf/core
To sync headers, for instance, in this case tools/perf was ahead of upstream till Linus merged tip/perf/core to get the PERF_RECORD_TEX
Mgerge remote-tracking branch 'torvalds/master' into perf/core
To sync headers, for instance, in this case tools/perf was ahead of upstream till Linus merged tip/perf/core to get the PERF_RECORD_TEXT_POKE changes:
Warning: Kernel ABI header at 'tools/include/uapi/linux/perf_event.h' differs from latest version at 'include/uapi/linux/perf_event.h' diff -u tools/include/uapi/linux/perf_event.h include/uapi/linux/perf_event.h
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
show more ...
|
#
74858abb |
| 05-Aug-2020 |
Linus Torvalds <torvalds@linux-foundation.org> |
Merge tag 'cap-checkpoint-restore-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
Pull checkpoint-restore updates from Christian Brauner: "This enables unprivileged checkpoint/
Merge tag 'cap-checkpoint-restore-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
Pull checkpoint-restore updates from Christian Brauner: "This enables unprivileged checkpoint/restore of processes.
Given that this work has been going on for quite some time the first sentence in this summary is hopefully more exciting than the actual final code changes required. Unprivileged checkpoint/restore has seen a frequent increase in interest over the last two years and has thus been one of the main topics for the combined containers & checkpoint/restore microconference since at least 2018 (cf. [1]).
Here are just the three most frequent use-cases that were brought forward:
- The JVM developers are integrating checkpoint/restore into a Java VM to significantly decrease the startup time.
- In high-performance computing environment a resource manager will typically be distributing jobs where users are always running as non-root. Long-running and "large" processes with significant startup times are supposed to be checkpointed and restored with CRIU.
- Container migration as a non-root user.
In all of these scenarios it is either desirable or required to run without CAP_SYS_ADMIN. The userspace implementation of checkpoint/restore CRIU already has the pull request for supporting unprivileged checkpoint/restore up (cf. [2]).
To enable unprivileged checkpoint/restore a new dedicated capability CAP_CHECKPOINT_RESTORE is introduced. This solution has last been discussed in 2019 in a talk by Google at Linux Plumbers (cf. [1] "Update on Task Migration at Google Using CRIU") with Adrian and Nicolas providing the implementation now over the last months. In essence, this allows the CRIU binary to be installed with the CAP_CHECKPOINT_RESTORE vfs capability set thereby enabling unprivileged users to restore processes.
To make this possible the following permissions are altered:
- Selecting a specific PID via clone3() set_tid relaxed from userns CAP_SYS_ADMIN to CAP_CHECKPOINT_RESTORE.
- Selecting a specific PID via /proc/sys/kernel/ns_last_pid relaxed from userns CAP_SYS_ADMIN to CAP_CHECKPOINT_RESTORE.
- Accessing /proc/pid/map_files relaxed from init userns CAP_SYS_ADMIN to init userns CAP_CHECKPOINT_RESTORE.
- Changing /proc/self/exe from userns CAP_SYS_ADMIN to userns CAP_CHECKPOINT_RESTORE.
Of these four changes the /proc/self/exe change deserves a few words because the reasoning behind even restricting /proc/self/exe changes in the first place is just full of historical quirks and tracking this down was a questionable version of fun that I'd like to spare others.
In short, it is trivial to change /proc/self/exe as an unprivileged user, i.e. without userns CAP_SYS_ADMIN right now. Either via ptrace() or by simply intercepting the elf loader in userspace during exec. Nicolas was nice enough to even provide a POC for the latter (cf. [3]) to illustrate this fact.
The original patchset which introduced PR_SET_MM_MAP had no permissions around changing the exe link. They too argued that it is trivial to spoof the exe link already which is true. The argument brought up against this was that the Tomoyo LSM uses the exe link in tomoyo_manager() to detect whether the calling process is a policy manager. This caused changing the exe links to be guarded by userns CAP_SYS_ADMIN.
All in all this rather seems like a "better guard it with something rather than nothing" argument which imho doesn't qualify as a great security policy. Again, because spoofing the exe link is possible for the calling process so even if this were security relevant it was broken back then and would be broken today. So technically, dropping all permissions around changing the exe link would probably be possible and would send a clearer message to any userspace that relies on /proc/self/exe for security reasons that they should stop doing this but for now we're only relaxing the exe link permissions from userns CAP_SYS_ADMIN to userns CAP_CHECKPOINT_RESTORE.
There's a final uapi change in here. Changing the exe link used to accidently return EINVAL when the caller lacked the necessary permissions instead of the more correct EPERM. This pr contains a commit fixing this. I assume that userspace won't notice or care and if they do I will revert this commit. But since we are changing the permissions anyway it seems like a good opportunity to try this fix.
With these changes merged unprivileged checkpoint/restore will be possible and has already been tested by various users"
[1] LPC 2018 1. "Task Migration at Google Using CRIU" https://www.youtube.com/watch?v=yI_1cuhoDgA&t=12095 2. "Securely Migrating Untrusted Workloads with CRIU" https://www.youtube.com/watch?v=yI_1cuhoDgA&t=14400 LPC 2019 1. "CRIU and the PID dance" https://www.youtube.com/watch?v=LN2CUgp8deo&list=PLVsQ_xZBEyN30ZA3Pc9MZMFzdjwyz26dO&index=9&t=2m48s 2. "Update on Task Migration at Google Using CRIU" https://www.youtube.com/watch?v=LN2CUgp8deo&list=PLVsQ_xZBEyN30ZA3Pc9MZMFzdjwyz26dO&index=9&t=1h2m8s
[2] https://github.com/checkpoint-restore/criu/pull/1155
[3] https://github.com/nviennot/run_as_exe
* tag 'cap-checkpoint-restore-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux: selftests: add clone3() CAP_CHECKPOINT_RESTORE test prctl: exe link permission error changed from -EINVAL to -EPERM prctl: Allow local CAP_CHECKPOINT_RESTORE to change /proc/self/exe proc: allow access in init userns for map_files with CAP_CHECKPOINT_RESTORE pid_namespace: use checkpoint_restore_ns_capable() for ns_last_pid pid: use checkpoint_restore_ns_capable() for set_tid capabilities: Introduce CAP_CHECKPOINT_RESTORE
show more ...
|
Revision tags: v5.8, v5.8-rc7, v5.8-rc6 |
|
#
1d27a0be |
| 19-Jul-2020 |
Adrian Reber <areber@redhat.com> |
selftests: add clone3() CAP_CHECKPOINT_RESTORE test
This adds a test that changes its UID, uses capabilities to get CAP_CHECKPOINT_RESTORE and uses clone3() with set_tid to create a process with a g
selftests: add clone3() CAP_CHECKPOINT_RESTORE test
This adds a test that changes its UID, uses capabilities to get CAP_CHECKPOINT_RESTORE and uses clone3() with set_tid to create a process with a given PID as non-root.
Signed-off-by: Adrian Reber <areber@redhat.com> Link: https://lore.kernel.org/r/20200719100418.2112740-8-areber@redhat.com [christian.brauner@ubuntu.com: use TH_LOG() instead of ksft_print_msg()] Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
show more ...
|
Revision tags: v5.8-rc5, v5.8-rc4, v5.8-rc3, v5.8-rc2, v5.8-rc1, v5.7, v5.7-rc7, v5.7-rc6, v5.7-rc5, v5.7-rc4, v5.7-rc3, v5.7-rc2, v5.7-rc1, v5.6, v5.6-rc7, v5.6-rc6, v5.6-rc5, v5.6-rc4, v5.6-rc3 |
|
#
c95baf12 |
| 20-Feb-2020 |
Zhenyu Wang <zhenyuw@linux.intel.com> |
Merge drm-intel-next-queued into gvt-next
Backmerge to pull in https://patchwork.freedesktop.org/patch/353621/?series=73544&rev=1
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
|
Revision tags: v5.6-rc2, v5.6-rc1, v5.5, v5.5-rc7, v5.5-rc6, v5.5-rc5 |
|
#
28336be5 |
| 30-Dec-2019 |
Ingo Molnar <mingo@kernel.org> |
Merge tag 'v5.5-rc4' into locking/kcsan, to resolve conflicts
Conflicts: init/main.c lib/Kconfig.debug
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
#
b19efcab |
| 01-Feb-2020 |
Dmitry Torokhov <dmitry.torokhov@gmail.com> |
Merge branch 'next' into for-linus
Prepare input updates for 5.6 merge window.
|
#
1bdd3e05 |
| 10-Jan-2020 |
Dmitry Torokhov <dmitry.torokhov@gmail.com> |
Merge tag 'v5.5-rc5' into next
Sync up with mainline to get SPI "delay" API changes.
|
#
22164fbe |
| 06-Jan-2020 |
Maarten Lankhorst <maarten.lankhorst@linux.intel.com> |
Merge drm/drm-next into drm-misc-next
Requested, and we need v5.5-rc1 backported as our current branch is still based on v5.4.
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
|
Revision tags: v5.5-rc4, v5.5-rc3, v5.5-rc2 |
|
#
023265ed |
| 11-Dec-2019 |
Jani Nikula <jani.nikula@intel.com> |
Merge drm/drm-next into drm-intel-next-queued
Sync up with v5.5-rc1 to get the updated lock_release() API among other things. Fix the conflict reported by Stephen Rothwell [1].
[1] http://lore.kern
Merge drm/drm-next into drm-intel-next-queued
Sync up with v5.5-rc1 to get the updated lock_release() API among other things. Fix the conflict reported by Stephen Rothwell [1].
[1] http://lore.kernel.org/r/20191210093957.5120f717@canb.auug.org.au
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
show more ...
|
Revision tags: v5.5-rc1 |
|
#
942e6f8a |
| 05-Dec-2019 |
Olof Johansson <olof@lixom.net> |
Merge mainline/master into arm/fixes
This brings in the mainline tree right after armsoc contents was merged this release cycle, so that we can re-run savedefconfig, etc.
Signed-off-by: Olof Johans
Merge mainline/master into arm/fixes
This brings in the mainline tree right after armsoc contents was merged this release cycle, so that we can re-run savedefconfig, etc.
Signed-off-by: Olof Johansson <olof@lixom.net>
show more ...
|
#
2ea352d5 |
| 26-Nov-2019 |
Arnaldo Carvalho de Melo <acme@redhat.com> |
Merge remote-tracking branch 'torvalds/master' into perf/core
To pick up BPF changes we'll need.
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
|
#
0acefef5 |
| 26-Nov-2019 |
Linus Torvalds <torvalds@linux-foundation.org> |
Merge tag 'threads-v5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
Pull thread management updates from Christian Brauner:
- A pidfd's fdinfo file currently contains the field
Merge tag 'threads-v5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
Pull thread management updates from Christian Brauner:
- A pidfd's fdinfo file currently contains the field "Pid:\t<pid>" where <pid> is the pid of the process in the pid namespace of the procfs instance the fdinfo file for the pidfd was opened in.
The fdinfo file has now gained a new "NSpid:\t<ns-pid1>[\t<ns-pid2>[...]]" field which lists the pids of the process in all child pid namespaces provided the pid namespace of the procfs instance it is looked up under has an ancestoral relationship with the pid namespace of the process. If it does not 0 will be shown and no further pid namespaces will be listed. Tests included. (Christian Kellner)
- If the process the pidfd references has already exited, print -1 for the Pid and NSpid fields in the pidfd's fdinfo file. Tests included. (me)
- Add CLONE_CLEAR_SIGHAND. This lets callers clear all signal handler that are not SIG_DFL or SIG_IGN at process creation time. This originated as a feature request from glibc to improve performance and elimate races in their posix_spawn() implementation. Tests included. (me)
- Add support for choosing a specific pid for a process with clone3(). This is the feature which was part of the thread update for v5.4 but after a discussion at LPC in Lisbon we decided to delay it for one more cycle in order to make the interface more generic. This has now done. It is now possible to choose a specific pid in a whole pid namespaces (sub)hierarchy instead of just one pid namespace. In order to choose a specific pid the caller must have CAP_SYS_ADMIN in all owning user namespaces of the target pid namespaces. Tests included. (Adrian Reber)
- Test improvements and extensions. (Andrei Vagin, me)
* tag 'threads-v5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux: selftests/clone3: skip if clone3() is ENOSYS selftests/clone3: check that all pids are released on error paths selftests/clone3: report a correct number of fails selftests/clone3: flush stdout and stderr before clone3() and _exit() selftests: add tests for clone3() with *set_tid fork: extend clone3() to support setting a PID selftests: add tests for clone3() tests: test CLONE_CLEAR_SIGHAND clone3: add CLONE_CLEAR_SIGHAND pid: use pid_has_task() in pidfd_open() exit: use pid_has_task() in do_wait() pid: use pid_has_task() in __change_pid() test: verify fdinfo for pidfd of reaped process pidfd: check pid has attached task in fdinfo pidfd: add tests for NSpid info in fdinfo pidfd: add NSpid entries to fdinfo
show more ...
|
Revision tags: v5.4, v5.4-rc8 |
|
#
41585bbe |
| 15-Nov-2019 |
Adrian Reber <areber@redhat.com> |
selftests: add tests for clone3() with *set_tid
This tests clone3() with *set_tid to see if all desired PIDs are working as expected. The tests are trying multiple invalid input parameters as well a
selftests: add tests for clone3() with *set_tid
This tests clone3() with *set_tid to see if all desired PIDs are working as expected. The tests are trying multiple invalid input parameters as well as creating processes while specifying a certain PID in multiple PID namespaces at the same time.
Additionally this moves common clone3() test code into clone3_selftests.h.
Signed-off-by: Adrian Reber <areber@redhat.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/r/20191115123621.142252-2-areber@redhat.com Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
show more ...
|