Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris: "Highlights: - TPM core and driver updates/fixes - IPv6 security labeling (CALIPSO) - Lots of Apparmor fixes - Seccomp: remove 2-phase API, close hole where ptrace can change syscall #" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (156 commits) apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling tpm: Add TPM 2.0 support to the Nuvoton i2c driver (NPCT6xx family) tpm: Factor out common startup code tpm: use devm_add_action_or_reset tpm2_i2c_nuvoton: add irq validity check tpm: read burstcount from TPM_STS in one 32-bit transaction tpm: fix byte-order for the value read by tpm2_get_tpm_pt tpm_tis_core: convert max timeouts from msec to jiffies apparmor: fix arg_size computation for when setprocattr is null terminated apparmor: fix oops, validate buffer size in apparmor_setprocattr() apparmor: do not expose kernel stack apparmor: fix module parameters can be changed after policy is locked apparmor: fix oops in profile_unpack() when policy_db is not present apparmor: don't check for vmalloc_addr if kvzalloc() failed apparmor: add missing id bounds check on dfa verification apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task apparmor: use list_next_entry instead of list_entry_next apparmor: fix refcount race when finding a child profile apparmor: fix ref count leak when profile sha1 hash is read apparmor: check that xindex is in trans_table bounds ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2016-07-29 20:38:46 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2016-07-29 20:38:46 -0400
commit: 7a1e8b80fb1e8ead4cec15d1fc494ed290e4d2e9 (patch)
tree: 55a36d4256f1ae793b5c8e88c0f158737447193f /include/uapi/linux
parent: a867d7349e94b6409b08629886a819f802377e91 (diff)
parent: 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 (diff)
4 files changed, 40 insertions, 0 deletions
diff --git a/include/uapi/linux/Kbuild b/include/uapi/linux/Kbuild
index ec10cfef166a..6d4e92ccdc91 100644
--- a/include/uapi/linux/Kbuild
+++ b/include/uapi/linux/Kbuild
@@ -455,6 +455,7 @@ header-y += virtio_scsi.h
 header-y += virtio_types.h
 header-y += vm_sockets.h
 header-y += vt.h
+header-y += vtpm_proxy.h
 header-y += wait.h
 header-y += wanrouter.h
 header-y += watchdog.h
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d820aa979620..82e8aa59446b 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -130,6 +130,8 @@
 #define AUDIT_MAC_IPSEC_EVENT   1415    /* Audit an IPSec event */
 #define AUDIT_MAC_UNLBL_STCADD  1416    /* NetLabel: add a static label */
 #define AUDIT_MAC_UNLBL_STCDEL  1417    /* NetLabel: del a static label */
+#define AUDIT_MAC_CALIPSO_ADD   1418    /* NetLabel: add CALIPSO DOI entry */
+#define AUDIT_MAC_CALIPSO_DEL   1419    /* NetLabel: del CALIPSO DOI entry */
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG    1799
diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h
index 318a4828bf98..b39ea4f2e701 100644
--- a/include/uapi/linux/in6.h
+++ b/include/uapi/linux/in6.h
@@ -143,6 +143,7 @@ struct in6_flowlabel_req {
 #define IPV6_TLV_PAD1           0
 #define IPV6_TLV_PADN           1
 #define IPV6_TLV_ROUTERALERT    5
+#define IPV6_TLV_CALIPSO        7       /* RFC 5570 */
 #define IPV6_TLV_JUMBO          194
 #define IPV6_TLV_HAO            201     /* home address option */
diff --git a/include/uapi/linux/vtpm_proxy.h b/include/uapi/linux/vtpm_proxy.h
new file mode 100644
index 000000000000..41e8e2252a30
--- /dev/null
+++ b/include/uapi/linux/vtpm_proxy.h
@@ -0,0 +1,36 @@
+/*
+ * Definitions for the VTPM proxy driver
+ * Copyright (c) 2015, 2016, IBM Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ */
+#ifndef _UAPI_LINUX_VTPM_PROXY_H
+#define _UAPI_LINUX_VTPM_PROXY_H
+#include <linux/types.h>
+#include <linux/ioctl.h>
+/* ioctls */
+struct vtpm_proxy_new_dev {
+        __u32 flags;         /* input */
+        __u32 tpm_num;       /* output */
+        __u32 fd;            /* output */
+        __u32 major;         /* output */
+        __u32 minor;         /* output */
+};
+/* above flags */
+#define VTPM_PROXY_FLAG_TPM2  1  /* emulator is TPM 2 */
+#define VTPM_PROXY_IOC_NEW_DEV   _IOWR(0xa1, 0x00, struct vtpm_proxy_new_dev)
+#endif /* _UAPI_LINUX_VTPM_PROXY_H */
author	Linus Torvalds <torvalds@linux-foundation.org>	2016-07-29 20:38:46 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2016-07-29 20:38:46 -0400
commit	7a1e8b80fb1e8ead4cec15d1fc494ed290e4d2e9 (patch)
tree	55a36d4256f1ae793b5c8e88c0f158737447193f /include/uapi/linux
parent	a867d7349e94b6409b08629886a819f802377e91 (diff)
parent	7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 (diff)

diff --git a/include/uapi/linux/Kbuild b/include/uapi/linux/Kbuild index ec10cfef166a..6d4e92ccdc91 100644 --- a/include/uapi/linux/Kbuild +++ b/include/uapi/linux/Kbuild
@@ -455,6 +455,7 @@ header-y += virtio_scsi.h
455	header-y += virtio_types.h	455	header-y += virtio_types.h
456	header-y += vm_sockets.h	456	header-y += vm_sockets.h
457	header-y += vt.h	457	header-y += vt.h
		458	header-y += vtpm_proxy.h
458	header-y += wait.h	459	header-y += wait.h
459	header-y += wanrouter.h	460	header-y += wanrouter.h
460	header-y += watchdog.h	461	header-y += watchdog.h


diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index d820aa979620..82e8aa59446b 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h
@@ -130,6 +130,8 @@
130	#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */	130	#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */
131	#define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */	131	#define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */
132	#define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */	132	#define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */
		133	#define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
		134	#define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */
133		135
134	#define AUDIT_FIRST_KERN_ANOM_MSG 1700	136	#define AUDIT_FIRST_KERN_ANOM_MSG 1700
135	#define AUDIT_LAST_KERN_ANOM_MSG 1799	137	#define AUDIT_LAST_KERN_ANOM_MSG 1799


diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h index 318a4828bf98..b39ea4f2e701 100644 --- a/include/uapi/linux/in6.h +++ b/include/uapi/linux/in6.h
@@ -143,6 +143,7 @@ struct in6_flowlabel_req {
143	#define IPV6_TLV_PAD1 0	143	#define IPV6_TLV_PAD1 0
144	#define IPV6_TLV_PADN 1	144	#define IPV6_TLV_PADN 1
145	#define IPV6_TLV_ROUTERALERT 5	145	#define IPV6_TLV_ROUTERALERT 5
		146	#define IPV6_TLV_CALIPSO 7 /* RFC 5570 */
146	#define IPV6_TLV_JUMBO 194	147	#define IPV6_TLV_JUMBO 194
147	#define IPV6_TLV_HAO 201 /* home address option */	148	#define IPV6_TLV_HAO 201 /* home address option */
148		149


diff --git a/include/uapi/linux/vtpm_proxy.h b/include/uapi/linux/vtpm_proxy.h new file mode 100644 index 000000000000..41e8e2252a30 --- /dev/null +++ b/include/uapi/linux/vtpm_proxy.h
@@ -0,0 +1,36 @@
		1	/*
		2	* Definitions for the VTPM proxy driver
		3	* Copyright (c) 2015, 2016, IBM Corporation
		4	*
		5	* This program is free software; you can redistribute it and/or modify it
		6	* under the terms and conditions of the GNU General Public License,
		7	* version 2, as published by the Free Software Foundation.
		8	*
		9	* This program is distributed in the hope it will be useful, but WITHOUT
		10	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
		11	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
		12	* more details.
		13	*/
		14
		15	#ifndef _UAPI_LINUX_VTPM_PROXY_H
		16	#define _UAPI_LINUX_VTPM_PROXY_H
		17
		18	#include <linux/types.h>
		19	#include <linux/ioctl.h>
		20
		21	/* ioctls */
		22
		23	struct vtpm_proxy_new_dev {
		24	__u32 flags; /* input */
		25	__u32 tpm_num; /* output */
		26	__u32 fd; /* output */
		27	__u32 major; /* output */
		28	__u32 minor; /* output */
		29	};
		30
		31	/* above flags */
		32	#define VTPM_PROXY_FLAG_TPM2 1 /* emulator is TPM 2 */
		33
		34	#define VTPM_PROXY_IOC_NEW_DEV _IOWR(0xa1, 0x00, struct vtpm_proxy_new_dev)
		35
		36	#endif /* _UAPI_LINUX_VTPM_PROXY_H */