aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2009-06-10 21:03:14 -0400
committerJames Morris <jmorris@namei.org>2009-06-10 21:03:14 -0400
commit73fbad283cfbbcf02939bdbda31fc4a30e729cca (patch)
tree7c89fe13e1b4a2c7f2d60f4ea6eaf69c14bccab7 /include/linux
parent769f3e8c384795cc350e2aae27de2a12374d19d4 (diff)
parent35f2c2f6f6ae13ef23c4f68e6d3073753077ca43 (diff)
Merge branch 'next' into for-linus
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/ima.h11
-rw-r--r--include/linux/init_task.h4
-rw-r--r--include/linux/lsm_audit.h111
-rw-r--r--include/linux/magic.h1
-rw-r--r--include/linux/mm.h2
-rw-r--r--include/linux/sched.h5
-rw-r--r--include/linux/security.h2
7 files changed, 127 insertions, 9 deletions
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 0e2aa45cb0ce..b1b827d091a9 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -13,14 +13,17 @@
13#include <linux/fs.h> 13#include <linux/fs.h>
14struct linux_binprm; 14struct linux_binprm;
15 15
16#define IMA_COUNT_UPDATE 1
17#define IMA_COUNT_LEAVE 0
18
16#ifdef CONFIG_IMA 19#ifdef CONFIG_IMA
17extern int ima_bprm_check(struct linux_binprm *bprm); 20extern int ima_bprm_check(struct linux_binprm *bprm);
18extern int ima_inode_alloc(struct inode *inode); 21extern int ima_inode_alloc(struct inode *inode);
19extern void ima_inode_free(struct inode *inode); 22extern void ima_inode_free(struct inode *inode);
20extern int ima_path_check(struct path *path, int mask); 23extern int ima_path_check(struct path *path, int mask, int update_counts);
21extern void ima_file_free(struct file *file); 24extern void ima_file_free(struct file *file);
22extern int ima_file_mmap(struct file *file, unsigned long prot); 25extern int ima_file_mmap(struct file *file, unsigned long prot);
23extern void ima_shm_check(struct file *file); 26extern void ima_counts_get(struct file *file);
24 27
25#else 28#else
26static inline int ima_bprm_check(struct linux_binprm *bprm) 29static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -38,7 +41,7 @@ static inline void ima_inode_free(struct inode *inode)
38 return; 41 return;
39} 42}
40 43
41static inline int ima_path_check(struct path *path, int mask) 44static inline int ima_path_check(struct path *path, int mask, int update_counts)
42{ 45{
43 return 0; 46 return 0;
44} 47}
@@ -53,7 +56,7 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
53 return 0; 56 return 0;
54} 57}
55 58
56static inline void ima_shm_check(struct file *file) 59static inline void ima_counts_get(struct file *file)
57{ 60{
58 return; 61 return;
59} 62}
diff --git a/include/linux/init_task.h b/include/linux/init_task.h
index d87247d2641f..7f54ba942429 100644
--- a/include/linux/init_task.h
+++ b/include/linux/init_task.h
@@ -145,8 +145,8 @@ extern struct cred init_cred;
145 .group_leader = &tsk, \ 145 .group_leader = &tsk, \
146 .real_cred = &init_cred, \ 146 .real_cred = &init_cred, \
147 .cred = &init_cred, \ 147 .cred = &init_cred, \
148 .cred_exec_mutex = \ 148 .cred_guard_mutex = \
149 __MUTEX_INITIALIZER(tsk.cred_exec_mutex), \ 149 __MUTEX_INITIALIZER(tsk.cred_guard_mutex), \
150 .comm = "swapper", \ 150 .comm = "swapper", \
151 .thread = INIT_THREAD, \ 151 .thread = INIT_THREAD, \
152 .fs = &init_fs, \ 152 .fs = &init_fs, \
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
new file mode 100644
index 000000000000..e461b2c3d711
--- /dev/null
+++ b/include/linux/lsm_audit.h
@@ -0,0 +1,111 @@
1/*
2 * Common LSM logging functions
3 * Heavily borrowed from selinux/avc.h
4 *
5 * Author : Etienne BASSET <etienne.basset@ensta.org>
6 *
7 * All credits to : Stephen Smalley, <sds@epoch.ncsc.mil>
8 * All BUGS to : Etienne BASSET <etienne.basset@ensta.org>
9 */
10#ifndef _LSM_COMMON_LOGGING_
11#define _LSM_COMMON_LOGGING_
12
13#include <linux/stddef.h>
14#include <linux/errno.h>
15#include <linux/kernel.h>
16#include <linux/kdev_t.h>
17#include <linux/spinlock.h>
18#include <linux/init.h>
19#include <linux/audit.h>
20#include <linux/in6.h>
21#include <linux/path.h>
22#include <linux/key.h>
23#include <linux/skbuff.h>
24#include <asm/system.h>
25
26
27/* Auxiliary data to use in generating the audit record. */
28struct common_audit_data {
29 char type;
30#define LSM_AUDIT_DATA_FS 1
31#define LSM_AUDIT_DATA_NET 2
32#define LSM_AUDIT_DATA_CAP 3
33#define LSM_AUDIT_DATA_IPC 4
34#define LSM_AUDIT_DATA_TASK 5
35#define LSM_AUDIT_DATA_KEY 6
36 struct task_struct *tsk;
37 union {
38 struct {
39 struct path path;
40 struct inode *inode;
41 } fs;
42 struct {
43 int netif;
44 struct sock *sk;
45 u16 family;
46 __be16 dport;
47 __be16 sport;
48 union {
49 struct {
50 __be32 daddr;
51 __be32 saddr;
52 } v4;
53 struct {
54 struct in6_addr daddr;
55 struct in6_addr saddr;
56 } v6;
57 } fam;
58 } net;
59 int cap;
60 int ipc_id;
61 struct task_struct *tsk;
62#ifdef CONFIG_KEYS
63 struct {
64 key_serial_t key;
65 char *key_desc;
66 } key_struct;
67#endif
68 } u;
69 const char *function;
70 /* this union contains LSM specific data */
71 union {
72 /* SMACK data */
73 struct smack_audit_data {
74 char *subject;
75 char *object;
76 char *request;
77 int result;
78 } smack_audit_data;
79 /* SELinux data */
80 struct {
81 u32 ssid;
82 u32 tsid;
83 u16 tclass;
84 u32 requested;
85 u32 audited;
86 struct av_decision *avd;
87 int result;
88 } selinux_audit_data;
89 } lsm_priv;
90 /* these callback will be implemented by a specific LSM */
91 void (*lsm_pre_audit)(struct audit_buffer *, void *);
92 void (*lsm_post_audit)(struct audit_buffer *, void *);
93};
94
95#define v4info fam.v4
96#define v6info fam.v6
97
98int ipv4_skb_to_auditdata(struct sk_buff *skb,
99 struct common_audit_data *ad, u8 *proto);
100
101int ipv6_skb_to_auditdata(struct sk_buff *skb,
102 struct common_audit_data *ad, u8 *proto);
103
104/* Initialize an LSM audit data structure. */
105#define COMMON_AUDIT_DATA_INIT(_d, _t) \
106 { memset((_d), 0, sizeof(struct common_audit_data)); \
107 (_d)->type = LSM_AUDIT_DATA_##_t; (_d)->function = __func__; }
108
109void common_lsm_audit(struct common_audit_data *a);
110
111#endif
diff --git a/include/linux/magic.h b/include/linux/magic.h
index 5b4e28bcb788..927138cf3050 100644
--- a/include/linux/magic.h
+++ b/include/linux/magic.h
@@ -9,6 +9,7 @@
9#define DEBUGFS_MAGIC 0x64626720 9#define DEBUGFS_MAGIC 0x64626720
10#define SYSFS_MAGIC 0x62656572 10#define SYSFS_MAGIC 0x62656572
11#define SECURITYFS_MAGIC 0x73636673 11#define SECURITYFS_MAGIC 0x73636673
12#define SELINUX_MAGIC 0xf97cff8c
12#define TMPFS_MAGIC 0x01021994 13#define TMPFS_MAGIC 0x01021994
13#define SQUASHFS_MAGIC 0x73717368 14#define SQUASHFS_MAGIC 0x73717368
14#define EFS_SUPER_MAGIC 0x414A53 15#define EFS_SUPER_MAGIC 0x414A53
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 511b09867096..5528ff32512e 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -580,12 +580,10 @@ static inline void set_page_links(struct page *page, enum zone_type zone,
580 */ 580 */
581static inline unsigned long round_hint_to_min(unsigned long hint) 581static inline unsigned long round_hint_to_min(unsigned long hint)
582{ 582{
583#ifdef CONFIG_SECURITY
584 hint &= PAGE_MASK; 583 hint &= PAGE_MASK;
585 if (((void *)hint != NULL) && 584 if (((void *)hint != NULL) &&
586 (hint < mmap_min_addr)) 585 (hint < mmap_min_addr))
587 return PAGE_ALIGN(mmap_min_addr); 586 return PAGE_ALIGN(mmap_min_addr);
588#endif
589 return hint; 587 return hint;
590} 588}
591 589
diff --git a/include/linux/sched.h b/include/linux/sched.h
index dbb1043e8656..ff687281f233 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1267,7 +1267,9 @@ struct task_struct {
1267 * credentials (COW) */ 1267 * credentials (COW) */
1268 const struct cred *cred; /* effective (overridable) subjective task 1268 const struct cred *cred; /* effective (overridable) subjective task
1269 * credentials (COW) */ 1269 * credentials (COW) */
1270 struct mutex cred_exec_mutex; /* execve vs ptrace cred calculation mutex */ 1270 struct mutex cred_guard_mutex; /* guard against foreign influences on
1271 * credential calculations
1272 * (notably. ptrace) */
1271 1273
1272 char comm[TASK_COMM_LEN]; /* executable name excluding path 1274 char comm[TASK_COMM_LEN]; /* executable name excluding path
1273 - access with [gs]et_task_comm (which lock 1275 - access with [gs]et_task_comm (which lock
@@ -1905,6 +1907,7 @@ extern void sched_dead(struct task_struct *p);
1905 1907
1906extern void proc_caches_init(void); 1908extern void proc_caches_init(void);
1907extern void flush_signals(struct task_struct *); 1909extern void flush_signals(struct task_struct *);
1910extern void __flush_signals(struct task_struct *);
1908extern void ignore_signals(struct task_struct *); 1911extern void ignore_signals(struct task_struct *);
1909extern void flush_signal_handlers(struct task_struct *, int force_default); 1912extern void flush_signal_handlers(struct task_struct *, int force_default);
1910extern int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info); 1913extern int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info);
diff --git a/include/linux/security.h b/include/linux/security.h
index d5fd6163606f..5eff459b3833 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2197,6 +2197,8 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
2197 unsigned long addr, 2197 unsigned long addr,
2198 unsigned long addr_only) 2198 unsigned long addr_only)
2199{ 2199{
2200 if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
2201 return -EACCES;
2200 return 0; 2202 return 0;
2201} 2203}
2202 2204