diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2017-05-03 11:50:52 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2017-05-03 11:50:52 -0400 |
| commit | 0302e28dee643932ee7b3c112ebccdbb9f8ec32c (patch) | |
| tree | 405d4cb3f772ef069ed7f291adc4b74a4e73346e /include/linux/security.h | |
| parent | 89c9fea3c8034cdb2fd745f551cde0b507fd6893 (diff) | |
| parent | 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 (diff) | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"Highlights:
IMA:
- provide ">" and "<" operators for fowner/uid/euid rules
KEYS:
- add a system blacklist keyring
- add KEYCTL_RESTRICT_KEYRING, exposes keyring link restriction
functionality to userland via keyctl()
LSM:
- harden LSM API with __ro_after_init
- add prlmit security hook, implement for SELinux
- revive security_task_alloc hook
TPM:
- implement contextual TPM command 'spaces'"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (98 commits)
tpm: Fix reference count to main device
tpm_tis: convert to using locality callbacks
tpm: fix handling of the TPM 2.0 event logs
tpm_crb: remove a cruft constant
keys: select CONFIG_CRYPTO when selecting DH / KDF
apparmor: Make path_max parameter readonly
apparmor: fix parameters so that the permission test is bypassed at boot
apparmor: fix invalid reference to index variable of iterator line 836
apparmor: use SHASH_DESC_ON_STACK
security/apparmor/lsm.c: set debug messages
apparmor: fix boolreturn.cocci warnings
Smack: Use GFP_KERNEL for smk_netlbl_mls().
smack: fix double free in smack_parse_opts_str()
KEYS: add SP800-56A KDF support for DH
KEYS: Keyring asymmetric key restrict method with chaining
KEYS: Restrict asymmetric key linkage using a specific keychain
KEYS: Add a lookup_restriction function for the asymmetric key type
KEYS: Add KEYCTL_RESTRICT_KEYRING
KEYS: Consistent ordering for __key_link_begin and restrict check
KEYS: Add an optional lookup_restriction hook to key_type
...
Diffstat (limited to 'include/linux/security.h')
| -rw-r--r-- | include/linux/security.h | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 96899fad7016..af675b576645 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -133,6 +133,10 @@ extern unsigned long dac_mmap_min_addr; | |||
| 133 | /* setfsuid or setfsgid, id0 == fsuid or fsgid */ | 133 | /* setfsuid or setfsgid, id0 == fsuid or fsgid */ |
| 134 | #define LSM_SETID_FS 8 | 134 | #define LSM_SETID_FS 8 |
| 135 | 135 | ||
| 136 | /* Flags for security_task_prlimit(). */ | ||
| 137 | #define LSM_PRLIMIT_READ 1 | ||
| 138 | #define LSM_PRLIMIT_WRITE 2 | ||
| 139 | |||
| 136 | /* forward declares to avoid warnings */ | 140 | /* forward declares to avoid warnings */ |
| 137 | struct sched_param; | 141 | struct sched_param; |
| 138 | struct request_sock; | 142 | struct request_sock; |
| @@ -304,6 +308,7 @@ int security_file_send_sigiotask(struct task_struct *tsk, | |||
| 304 | int security_file_receive(struct file *file); | 308 | int security_file_receive(struct file *file); |
| 305 | int security_file_open(struct file *file, const struct cred *cred); | 309 | int security_file_open(struct file *file, const struct cred *cred); |
| 306 | int security_task_create(unsigned long clone_flags); | 310 | int security_task_create(unsigned long clone_flags); |
| 311 | int security_task_alloc(struct task_struct *task, unsigned long clone_flags); | ||
| 307 | void security_task_free(struct task_struct *task); | 312 | void security_task_free(struct task_struct *task); |
| 308 | int security_cred_alloc_blank(struct cred *cred, gfp_t gfp); | 313 | int security_cred_alloc_blank(struct cred *cred, gfp_t gfp); |
| 309 | void security_cred_free(struct cred *cred); | 314 | void security_cred_free(struct cred *cred); |
| @@ -324,6 +329,8 @@ void security_task_getsecid(struct task_struct *p, u32 *secid); | |||
| 324 | int security_task_setnice(struct task_struct *p, int nice); | 329 | int security_task_setnice(struct task_struct *p, int nice); |
| 325 | int security_task_setioprio(struct task_struct *p, int ioprio); | 330 | int security_task_setioprio(struct task_struct *p, int ioprio); |
| 326 | int security_task_getioprio(struct task_struct *p); | 331 | int security_task_getioprio(struct task_struct *p); |
| 332 | int security_task_prlimit(const struct cred *cred, const struct cred *tcred, | ||
| 333 | unsigned int flags); | ||
| 327 | int security_task_setrlimit(struct task_struct *p, unsigned int resource, | 334 | int security_task_setrlimit(struct task_struct *p, unsigned int resource, |
| 328 | struct rlimit *new_rlim); | 335 | struct rlimit *new_rlim); |
| 329 | int security_task_setscheduler(struct task_struct *p); | 336 | int security_task_setscheduler(struct task_struct *p); |
| @@ -855,6 +862,12 @@ static inline int security_task_create(unsigned long clone_flags) | |||
| 855 | return 0; | 862 | return 0; |
| 856 | } | 863 | } |
| 857 | 864 | ||
| 865 | static inline int security_task_alloc(struct task_struct *task, | ||
| 866 | unsigned long clone_flags) | ||
| 867 | { | ||
| 868 | return 0; | ||
| 869 | } | ||
| 870 | |||
| 858 | static inline void security_task_free(struct task_struct *task) | 871 | static inline void security_task_free(struct task_struct *task) |
| 859 | { } | 872 | { } |
| 860 | 873 | ||
| @@ -949,6 +962,13 @@ static inline int security_task_getioprio(struct task_struct *p) | |||
| 949 | return 0; | 962 | return 0; |
| 950 | } | 963 | } |
| 951 | 964 | ||
| 965 | static inline int security_task_prlimit(const struct cred *cred, | ||
| 966 | const struct cred *tcred, | ||
| 967 | unsigned int flags) | ||
| 968 | { | ||
| 969 | return 0; | ||
| 970 | } | ||
| 971 | |||
| 952 | static inline int security_task_setrlimit(struct task_struct *p, | 972 | static inline int security_task_setrlimit(struct task_struct *p, |
| 953 | unsigned int resource, | 973 | unsigned int resource, |
| 954 | struct rlimit *new_rlim) | 974 | struct rlimit *new_rlim) |