author | Linus Torvalds <torvalds@linux-foundation.org> | 2009-06-11 13:01:41 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-06-11 13:01:41 -0400 |
commit | 3296ca27f50ecbd71db1d808c7a72d311027f919 (patch) | |
tree | 833eaa58b2013bda86d4bd95faf6efad7a2d5ca4 /Documentation | |
parent | e893123c7378192c094747dadec326b7c000c190 (diff) | |
parent | 73fbad283cfbbcf02939bdbda31fc4a30e729cca (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (44 commits)
nommu: Provide mmap_min_addr definition.
TOMOYO: Add description of lists and structures.
TOMOYO: Remove unused field.
integrity: ima audit dentry_open failure
TOMOYO: Remove unused parameter.
security: use mmap_min_addr indepedently of security models
TOMOYO: Simplify policy reader.
TOMOYO: Remove redundant markers.
SELinux: define audit permissions for audit tree netlink messages
TOMOYO: Remove unused mutex.
tomoyo: avoid get+put of task_struct
smack: Remove redundant initialization.
integrity: nfsd imbalance bug fix
rootplug: Remove redundant initialization.
smack: do not beyond ARRAY_SIZE of data
integrity: move ima_counts_get
integrity: path_check update
IMA: Add __init notation to ima functions
IMA: Minimal IMA policy and boot param for TCB IMA policy
selinux: remove obsolete read buffer limit from sel_read_bool
...
Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/Smack.txt | 20 |
| -rw-r--r-- | Documentation/kernel-parameters.txt | 6 |
| -rw-r--r-- | Documentation/sysctl/kernel.txt | 11 |
3 files changed, 35 insertions, 2 deletions
diff --git a/Documentation/Smack.txt b/Documentation/Smack.txt index 629c92e99783..34614b4c708e 100644 --- a/Documentation/Smack.txt +++ b/Documentation/Smack.txt | |||
@@ -184,8 +184,9 @@ length. Single character labels using special characters, that being anything | |||
184 | other than a letter or digit, are reserved for use by the Smack development | 184 | other than a letter or digit, are reserved for use by the Smack development |
185 | team. Smack labels are unstructured, case sensitive, and the only operation | 185 | team. Smack labels are unstructured, case sensitive, and the only operation |
186 | ever performed on them is comparison for equality. Smack labels cannot | 186 | ever performed on them is comparison for equality. Smack labels cannot |
187 | contain unprintable characters or the "/" (slash) character. Smack labels | 187 | contain unprintable characters, the "/" (slash), the "\" (backslash), the "'" |
188 | cannot begin with a '-', which is reserved for special options. | 188 | (quote) and '"' (double-quote) characters. |
189 | Smack labels cannot begin with a '-', which is reserved for special options. | ||
189 | 190 | ||
190 | There are some predefined labels: | 191 | There are some predefined labels: |
191 | 192 | ||
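Review bot: the new forbidden-character sentence quotes the two quote characters inconsistently: "'" (quote) wraps the apostrophe in double quotes while '"' (double-quote) wraps the double quote in single quotes, which is hard to read in a list whose whole point is which characters are excluded. Suggest naming them in words, e.g. `contain unprintable characters or any of the "/" (slash), "\" (backslash), apostrophe and double-quote characters`. It would also help to state what the interface does when a label containing one of these characters is written (rejected with an error, or silently altered), since the text only says labels "cannot" contain them.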
@@ -523,3 +524,18 @@ Smack supports some mount options: | |||
523 | 524 | ||
524 | These mount options apply to all file system types. | 525 | These mount options apply to all file system types. |
525 | 526 | ||
527 | Smack auditing | ||
528 | |||
529 | If you want Smack auditing of security events, you need to set CONFIG_AUDIT | ||
530 | in your kernel configuration. | ||
531 | By default, all denied events will be audited. You can change this behavior by | ||
532 | writing a single character to the /smack/logging file : | ||
533 | 0 : no logging | ||
534 | 1 : log denied (default) | ||
535 | 2 : log accepted | ||
536 | 3 : log denied & accepted | ||
537 | |||
538 | Events are logged as 'key=value' pairs, for each event you at least will get | ||
539 | the subjet, the object, the rights requested, the action, the kernel function | ||
540 | that triggered the event, plus other pairs depending on the type of event | ||
541 | audited. | ||
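Review bot: typo in the new auditing paragraph: "the subjet, the object" should read "the subject, the object"; also drop the stray space before the colon in "the /smack/logging file :". Beyond wording, the value list (0 to 3) does not say what happens when any other character is written to /smack/logging, nor that the setting is global rather than per-label; a sentence on each would save administrators from experimenting. Finally, the first sentence says CONFIG_AUDIT is needed but not that the audit daemon or audit rules are involved at all; if the records go out through the normal audit path, saying so tells the reader where to look for them.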
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 4a3c2209a124..72d3bf08d79b 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt | |||
@@ -928,6 +928,12 @@ and is between 256 and 4096 characters. It is defined in the file | |||
928 | Formt: { "sha1" | "md5" } | 928 | Formt: { "sha1" | "md5" } |
929 | default: "sha1" | 929 | default: "sha1" |
930 | 930 | ||
931 | ima_tcb [IMA] | ||
932 | Load a policy which meets the needs of the Trusted | ||
933 | Computing Base. This means IMA will measure all | ||
934 | programs exec'd, files mmap'd for exec, and all files | ||
935 | opened for read by uid=0. | ||
936 | |||
931 | in2000= [HW,SCSI] | 937 | in2000= [HW,SCSI] |
932 | See header of drivers/scsi/in2000.c. | 938 | See header of drivers/scsi/in2000.c. |
933 | 939 | ||
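Review bot: the ima_tcb description says IMA will measure "all files opened for read by uid=0" without saying which uid is meant (real, effective or filesystem uid); a policy that hinges on a uid comparison should be precise here, so suggest spelling it out. Two smaller points: the entry should say that it takes no argument (it is written as `ima_tcb` while the neighbouring `in2000=` takes one, so a one-word note avoids doubt), and the adjacent context line "Formt: { "sha1" | "md5" }" in the preceding ima_hash entry is a pre-existing typo for "Format:" that could be fixed while this area is being touched.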
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index f11ca7979fa6..322a00bb99d9 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt | |||
@@ -32,6 +32,7 @@ show up in /proc/sys/kernel: | |||
32 | - kstack_depth_to_print [ X86 only ] | 32 | - kstack_depth_to_print [ X86 only ] |
33 | - l2cr [ PPC only ] | 33 | - l2cr [ PPC only ] |
34 | - modprobe ==> Documentation/debugging-modules.txt | 34 | - modprobe ==> Documentation/debugging-modules.txt |
35 | - modules_disabled | ||
35 | - msgmax | 36 | - msgmax |
36 | - msgmnb | 37 | - msgmnb |
37 | - msgmni | 38 | - msgmni |
@@ -184,6 +185,16 @@ kernel stack. | |||
184 | 185 | ||
185 | ============================================================== | 186 | ============================================================== |
186 | 187 | ||
188 | modules_disabled: | ||
189 | |||
190 | A toggle value indicating if modules are allowed to be loaded | ||
191 | in an otherwise modular kernel. This toggle defaults to off | ||
192 | (0), but can be set true (1). Once true, modules can be | ||
193 | neither loaded nor unloaded, and the toggle cannot be set back | ||
194 | to false. | ||
195 | |||
196 | ============================================================== | ||
197 | |||
187 | osrelease, ostype & version: | 198 | osrelease, ostype & version: |
188 | 199 | ||
189 | # cat osrelease | 200 | # cat osrelease |
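Review bot: the modules_disabled text says the toggle "cannot be set back to false" but stops short of the conclusion a hardening user needs, namely that a reboot is the only way to re-enable module loading once it is set; suggest adding "Once set, module loading stays disabled until the system is rebooted." It also does not say what a later load or unload attempt observes (an error, and which one) or which privilege is required to write the toggle in the first place, both of which matter when this is used as a lockdown control. Minor: "set true (1)" and "set back to false" mix boolean words with the numeric values; "set to 1" / "set back to 0" matches the style of the other entries in kernel.txt.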