~ubuntu-kernel/ubuntu/+source/linux/+git/utopic:grouper

Last commit made on 2014-02-26
Get this branch:
git clone -b grouper https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/utopic

Recent commits

4a34eda... by Andy Whitcroft

UBUNTU: Ubuntu-grouper-3.1.10-8.28

Signed-off-by: Andy Whitcroft <email address hidden>

07d5aee... by Andy Whitcroft

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Andy Whitcroft <email address hidden>

7903232... by Andy Whitcroft

UBUNTU: [Config] CONFIG_RT_GROUP_SCHED=n

BugLink: http://bugs.launchpad.net/bugs/1284731
Signed-off-by: Andy Whitcroft <email address hidden>

ee753ba... by Tim Gardner

UBUNTU: Ubuntu-grouper-3.1.10-7.27

Signed-off-by: Tim Gardner <email address hidden>

743ac00... by Tyler Hicks

UBUNTU: [Config] Enable Stacked Yama

Signed-off-by: Tyler Hicks <email address hidden>
Signed-off-by: Tim Gardner <email address hidden>

33760f3... by Kees Cook

UBUNTU: SAUCE: (no-up) Yama: add link restrictions

Add symlink and hardlink restrictions that have shown real-world security
benefits, along with sysctl knobs to control them.

Signed-off-by: Kees Cook <email address hidden>
Signed-off-by: Tim Gardner <email address hidden>
[tyhicks: forward ported from Quantal]
Signed-off-by: Tyler Hicks <email address hidden>
Signed-off-by: Tim Gardner <email address hidden>

e123c84... by Kees Cook

security: allow Yama to be unconditionally stacked

Unconditionally call Yama when CONFIG_SECURITY_YAMA_STACKED is selected,
no matter what LSM module is primary.

Ubuntu and Chrome OS already carry patches to do this, and Fedora
has voiced interest in doing this as well. Instead of having multiple
distributions (or LSM authors) carrying these patches, just allow Yama
to be called unconditionally when selected by the new CONFIG.

Signed-off-by: Kees Cook <email address hidden>
Acked-by: Serge E. Hallyn <email address hidden>
Acked-by: Eric Paris <email address hidden>
Acked-by: John Johansen <email address hidden>
Signed-off-by: James Morris <email address hidden>

(cherry picked from c6993e4ac002c92bc75379212e9179c36d4bf7ee)
Signed-off-by: Tyler Hicks <email address hidden>
Signed-off-by: Tim Gardner <email address hidden>

58aab79... by Kees Cook

Yama: higher restrictions should block PTRACE_TRACEME

The higher ptrace restriction levels should be blocking even
PTRACE_TRACEME requests. The comments in the LSM documentation are
misleading about when the checks happen (the parent does not go through
security_ptrace_access_check() on a PTRACE_TRACEME call).

Signed-off-by: Kees Cook <email address hidden>
Cc: <email address hidden> # 3.5.x and later
Signed-off-by: James Morris <email address hidden>

(backported from 9d8dad742ad1c74d7e7210ee05d0b44961d5ea16)
[tyhicks: pull in task_user_ns() from commit f1c84dae0ecc51aa]
Signed-off-by: Tyler Hicks <email address hidden>
Signed-off-by: Tim Gardner <email address hidden>

e739d99... by Kees Cook

Yama: add additional ptrace scopes

This expands the available Yama ptrace restrictions to include two more
modes. Mode 2 requires CAP_SYS_PTRACE for PTRACE_ATTACH, and mode 3
completely disables PTRACE_ATTACH (and locks the sysctl).

Signed-off-by: Kees Cook <email address hidden>
Signed-off-by: James Morris <email address hidden>

(cherry picked from 389da25f93eea8ff64181ae7e3e87da68acaef2e)
Signed-off-by: Tyler Hicks <email address hidden>
Signed-off-by: Tim Gardner <email address hidden>

4686fe3... by Kees Cook

Yama: add PR_SET_PTRACER_ANY

For a process to entirely disable Yama ptrace restrictions, it can use
the special PR_SET_PTRACER_ANY pid to indicate that any otherwise allowed
process may ptrace it. This is stronger than calling PR_SET_PTRACER with
pid "1" because it includes processes in external pid namespaces. This is
currently needed by the Chrome renderer, since its crash handler (Breakpad)
runs external to the renderer's pid namespace.

Signed-off-by: Kees Cook <email address hidden>
Signed-off-by: James Morris <email address hidden>

(cherry picked from bf06189e4d14641c0148bea16e9dd24943862215)
Signed-off-by: Tyler Hicks <email address hidden>
Signed-off-by: Tim Gardner <email address hidden>