Merge branch 'next' into for-linus

author: James Morris <jmorris@namei.org> 2009-06-10 21:03:14 -0400
committer: James Morris <jmorris@namei.org> 2009-06-10 21:03:14 -0400
commit: 73fbad283cfbbcf02939bdbda31fc4a30e729cca (patch)
tree: 7c89fe13e1b4a2c7f2d60f4ea6eaf69c14bccab7 /Documentation
parent: 769f3e8c384795cc350e2aae27de2a12374d19d4 (diff)
parent: 35f2c2f6f6ae13ef23c4f68e6d3073753077ca43 (diff)
3 files changed, 35 insertions, 2 deletions
diff --git a/Documentation/Smack.txt b/Documentation/Smack.txt
index 629c92e99783..34614b4c708e 100644
--- a/Documentation/Smack.txt
+++ b/Documentation/Smack.txt
@@ -184,8 +184,9 @@ length. Single character labels using special characters, that being anything
 other than a letter or digit, are reserved for use by the Smack development
 team. Smack labels are unstructured, case sensitive, and the only operation
 ever performed on them is comparison for equality. Smack labels cannot
-contain unprintable characters or the "/" (slash) character. Smack labels
+contain unprintable characters, the "/" (slash), the "\" (backslash), the "'"
-cannot begin with a '-', which is reserved for special options.
+(quote) and '"' (double-quote) characters.
+Smack labels cannot begin with a '-', which is reserved for special options.
 There are some predefined labels:
@@ -523,3 +524,18 @@ Smack supports some mount options:
 These mount options apply to all file system types.
+Smack auditing
+If you want Smack auditing of security events, you need to set CONFIG_AUDIT
+in your kernel configuration.
+By default, all denied events will be audited. You can change this behavior by
+writing a single character to the /smack/logging file :
+0 : no logging
+1 : log denied (default)
+2 : log accepted
+3 : log denied & accepted
+Events are logged as 'key=value' pairs, for each event you at least will get
+the subjet, the object, the rights requested, the action, the kernel function
+that triggered the event, plus other pairs depending on the type of event
+audited.
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index af43f45e8358..a5253f6d01af 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -916,6 +916,12 @@ and is between 256 and 4096 characters. It is defined in the file
                        Formt: { "sha1" | "md5" }
                        default: "sha1"
+        ima_tcb         [IMA]
+                        Load a policy which meets the needs of the Trusted
+                        Computing Base.  This means IMA will measure all
+                        programs exec'd, files mmap'd for exec, and all files
+                        opened for read by uid=0.
        in2000=         [HW,SCSI]
                        See header of drivers/scsi/in2000.c.
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index f11ca7979fa6..322a00bb99d9 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -32,6 +32,7 @@ show up in /proc/sys/kernel:
 - kstack_depth_to_print       [ X86 only ]
 - l2cr                        [ PPC only ]
 - modprobe                    ==> Documentation/debugging-modules.txt
+- modules_disabled
 - msgmax
 - msgmnb
 - msgmni
@@ -184,6 +185,16 @@ kernel stack.
 ==============================================================
+modules_disabled:
+A toggle value indicating if modules are allowed to be loaded
+in an otherwise modular kernel.  This toggle defaults to off
+(0), but can be set true (1).  Once true, modules can be
+neither loaded nor unloaded, and the toggle cannot be set back
+to false.
+==============================================================
 osrelease, ostype & version:
 # cat osrelease
author	James Morris <jmorris@namei.org>	2009-06-10 21:03:14 -0400
committer	James Morris <jmorris@namei.org>	2009-06-10 21:03:14 -0400
commit	73fbad283cfbbcf02939bdbda31fc4a30e729cca (patch)
tree	7c89fe13e1b4a2c7f2d60f4ea6eaf69c14bccab7 /Documentation
parent	769f3e8c384795cc350e2aae27de2a12374d19d4 (diff)
parent	35f2c2f6f6ae13ef23c4f68e6d3073753077ca43 (diff)

diff --git a/Documentation/Smack.txt b/Documentation/Smack.txt index 629c92e99783..34614b4c708e 100644 --- a/Documentation/Smack.txt +++ b/Documentation/Smack.txt
@@ -184,8 +184,9 @@ length. Single character labels using special characters, that being anything
184	other than a letter or digit, are reserved for use by the Smack development	184	other than a letter or digit, are reserved for use by the Smack development
185	team. Smack labels are unstructured, case sensitive, and the only operation	185	team. Smack labels are unstructured, case sensitive, and the only operation
186	ever performed on them is comparison for equality. Smack labels cannot	186	ever performed on them is comparison for equality. Smack labels cannot
187	contain unprintable characters or the "/" (slash) character. Smack labels	187	contain unprintable characters, the "/" (slash), the "\" (backslash), the "'"
188	cannot begin with a '-', which is reserved for special options.	188	(quote) and '"' (double-quote) characters.
		189	Smack labels cannot begin with a '-', which is reserved for special options.
189		190
190	There are some predefined labels:	191	There are some predefined labels:
191		192
@@ -523,3 +524,18 @@ Smack supports some mount options:
523		524
524	These mount options apply to all file system types.	525	These mount options apply to all file system types.
525		526
		527	Smack auditing
		528
		529	If you want Smack auditing of security events, you need to set CONFIG_AUDIT
		530	in your kernel configuration.
		531	By default, all denied events will be audited. You can change this behavior by
		532	writing a single character to the /smack/logging file :
		533	0 : no logging
		534	1 : log denied (default)
		535	2 : log accepted
		536	3 : log denied & accepted
		537
		538	Events are logged as 'key=value' pairs, for each event you at least will get
		539	the subjet, the object, the rights requested, the action, the kernel function
		540	that triggered the event, plus other pairs depending on the type of event
		541	audited.


diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index af43f45e8358..a5253f6d01af 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt
@@ -916,6 +916,12 @@ and is between 256 and 4096 characters. It is defined in the file
916	Formt: { "sha1" \| "md5" }	916	Formt: { "sha1" \| "md5" }
917	default: "sha1"	917	default: "sha1"
918		918
		919	ima_tcb [IMA]
		920	Load a policy which meets the needs of the Trusted
		921	Computing Base. This means IMA will measure all
		922	programs exec'd, files mmap'd for exec, and all files
		923	opened for read by uid=0.
		924
919	in2000= [HW,SCSI]	925	in2000= [HW,SCSI]
920	See header of drivers/scsi/in2000.c.	926	See header of drivers/scsi/in2000.c.
921		927


diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index f11ca7979fa6..322a00bb99d9 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt
@@ -32,6 +32,7 @@ show up in /proc/sys/kernel:
32	- kstack_depth_to_print [ X86 only ]	32	- kstack_depth_to_print [ X86 only ]
33	- l2cr [ PPC only ]	33	- l2cr [ PPC only ]
34	- modprobe ==> Documentation/debugging-modules.txt	34	- modprobe ==> Documentation/debugging-modules.txt
		35	- modules_disabled
35	- msgmax	36	- msgmax
36	- msgmnb	37	- msgmnb
37	- msgmni	38	- msgmni
@@ -184,6 +185,16 @@ kernel stack.
184		185
185	==============================================================	186	==============================================================
186		187
		188	modules_disabled:
		189
		190	A toggle value indicating if modules are allowed to be loaded
		191	in an otherwise modular kernel. This toggle defaults to off
		192	(0), but can be set true (1). Once true, modules can be
		193	neither loaded nor unloaded, and the toggle cannot be set back
		194	to false.
		195
		196	==============================================================
		197
187	osrelease, ostype & version:	198	osrelease, ostype & version:
188		199
189	# cat osrelease	200	# cat osrelease