Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris: "Highlights: - Integrity: add local fs integrity verification to detect offline attacks - Integrity: add digital signature verification - Simple stacking of Yama with other LSMs (per LSS discussions) - IBM vTPM support on ppc64 - Add new driver for Infineon I2C TIS TPM - Smack: add rule revocation for subject labels" Fixed conflicts with the user namespace support in kernel/auditsc.c and security/integrity/ima/ima_policy.c. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits) Documentation: Update git repository URL for Smack userland tools ima: change flags container data type Smack: setprocattr memory leak fix Smack: implement revoking all rules for a subject label Smack: remove task_wait() hook. ima: audit log hashes ima: generic IMA action flag handling ima: rename ima_must_appraise_or_measure audit: export audit_log_task_info tpm: fix tpm_acpi sparse warning on different address spaces samples/seccomp: fix 31 bit build on s390 ima: digital signature verification support ima: add support for different security.ima data types ima: add ima_inode_setxattr/removexattr function and calls ima: add inode_post_setattr call ima: replace iint spinblock with rwlock/read_lock ima: allocating iint improvements ima: add appraise action keywords and default rules ima: integrity appraisal extension vfs: move ima_file_free before releasing the file ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2012-10-03 00:38:48 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2012-10-03 00:38:48 -0400
commit: 88265322c14cce39f7afbc416726ef4fac413298 (patch)
tree: e4956f905ef617971f87788d8f8a09dbb66b70a3 /include/linux
parent: 65b99c74fdd325d1ffa2e5663295888704712604 (diff)
parent: bf5308344527d015ac9a6d2bda4ad4d40fd7d943 (diff)
7 files changed, 71 insertions, 5 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 12367cbadfe1..e7c836d961ea 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -531,6 +531,7 @@ extern int  audit_set_loginuid(kuid_t loginuid);
 #define audit_get_loginuid(t) ((t)->loginuid)
 #define audit_get_sessionid(t) ((t)->sessionid)
 extern void audit_log_task_context(struct audit_buffer *ab);
+extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk);
 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
 extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
 extern int __audit_bprm(struct linux_binprm *bprm);
@@ -642,6 +643,7 @@ extern int audit_signals;
 #define audit_get_loginuid(t) (INVALID_UID)
 #define audit_get_sessionid(t) (-1)
 #define audit_log_task_context(b) do { ; } while (0)
+#define audit_log_task_info(b, t) do { ; } while (0)
 #define audit_ipc_obj(i) ((void)0)
 #define audit_ipc_set_perm(q,u,g,m) ((void)0)
 #define audit_bprm(p) ({ 0; })
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 6ac8e50c6cf5..2c7223d7e73b 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -39,5 +39,32 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
 {
        return 0;
 }
 #endif /* CONFIG_IMA_H */
+#ifdef CONFIG_IMA_APPRAISE
+extern void ima_inode_post_setattr(struct dentry *dentry);
+extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
+                       const void *xattr_value, size_t xattr_value_len);
+extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name);
+#else
+static inline void ima_inode_post_setattr(struct dentry *dentry)
+{
+        return;
+}
+static inline int ima_inode_setxattr(struct dentry *dentry,
+                                     const char *xattr_name,
+                                     const void *xattr_value,
+                                     size_t xattr_value_len)
+{
+        return 0;
+}
+static inline int ima_inode_removexattr(struct dentry *dentry,
+                                        const char *xattr_name)
+{
+        return 0;
+}
+#endif /* CONFIG_IMA_APPRAISE_H */
 #endif /* _LINUX_IMA_H */
diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index a0c41256cb92..66c5fe9550a5 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -22,13 +22,14 @@ enum integrity_status {
 /* List of EVM protected security xattrs */
 #ifdef CONFIG_INTEGRITY
-extern int integrity_inode_alloc(struct inode *inode);
+extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
 extern void integrity_inode_free(struct inode *inode);
 #else
-static inline int integrity_inode_alloc(struct inode *inode)
+static inline struct integrity_iint_cache *
+                                integrity_inode_get(struct inode *inode)
 {
-        return 0;
+        return NULL;
 }
 static inline void integrity_inode_free(struct inode *inode)
diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
index 597e4fdb97fe..3db698aee34c 100644
--- a/include/linux/ptrace.h
+++ b/include/linux/ptrace.h
@@ -130,8 +130,6 @@ extern void exit_ptrace(struct task_struct *tracer);
 #define PTRACE_MODE_READ        0x01
 #define PTRACE_MODE_ATTACH      0x02
 #define PTRACE_MODE_NOAUDIT     0x04
-/* Returns 0 on success, -errno on denial. */
-extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
 /* Returns true on success, false on denial. */
 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
diff --git a/include/linux/security.h b/include/linux/security.h
index 145accee9236..5b50c4e1a7c2 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -3022,5 +3022,36 @@ static inline void free_secdata(void *secdata)
 { }
 #endif /* CONFIG_SECURITY */
+#ifdef CONFIG_SECURITY_YAMA
+extern int yama_ptrace_access_check(struct task_struct *child,
+                                    unsigned int mode);
+extern int yama_ptrace_traceme(struct task_struct *parent);
+extern void yama_task_free(struct task_struct *task);
+extern int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
+                           unsigned long arg4, unsigned long arg5);
+#else
+static inline int yama_ptrace_access_check(struct task_struct *child,
+                                           unsigned int mode)
+{
+        return 0;
+}
+static inline int yama_ptrace_traceme(struct task_struct *parent)
+{
+        return 0;
+}
+static inline void yama_task_free(struct task_struct *task)
+{
+}
+static inline int yama_task_prctl(int option, unsigned long arg2,
+                                  unsigned long arg3, unsigned long arg4,
+                                  unsigned long arg5)
+{
+        return -ENOSYS;
+}
+#endif /* CONFIG_SECURITY_YAMA */
 #endif /* ! __LINUX_SECURITY_H */
diff --git a/include/linux/tpm.h b/include/linux/tpm.h
index fdc718abf83b..fcb627ff8d3e 100644
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -32,6 +32,7 @@
 extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
 extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
 extern int tpm_send(u32 chip_num, void *cmd, size_t buflen);
+extern int tpm_get_random(u32 chip_num, u8 *data, size_t max);
 #else
 static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
        return -ENODEV;
@@ -42,5 +43,8 @@ static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) {
 static inline int tpm_send(u32 chip_num, void *cmd, size_t buflen) {
        return -ENODEV;
 }
+static inline int tpm_get_random(u32 chip_num, u8 *data, size_t max) {
+        return -ENODEV;
+}
 #endif
 #endif
diff --git a/include/linux/xattr.h b/include/linux/xattr.h
index 2ace7a60316d..cc13e1115970 100644
--- a/include/linux/xattr.h
+++ b/include/linux/xattr.h
@@ -33,6 +33,9 @@
 #define XATTR_EVM_SUFFIX "evm"
 #define XATTR_NAME_EVM XATTR_SECURITY_PREFIX XATTR_EVM_SUFFIX
+#define XATTR_IMA_SUFFIX "ima"
+#define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX
 #define XATTR_SELINUX_SUFFIX "selinux"
 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
author	Linus Torvalds <torvalds@linux-foundation.org>	2012-10-03 00:38:48 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2012-10-03 00:38:48 -0400
commit	88265322c14cce39f7afbc416726ef4fac413298 (patch)
tree	e4956f905ef617971f87788d8f8a09dbb66b70a3 /include/linux
parent	65b99c74fdd325d1ffa2e5663295888704712604 (diff)
parent	bf5308344527d015ac9a6d2bda4ad4d40fd7d943 (diff)

diff --git a/include/linux/audit.h b/include/linux/audit.h index 12367cbadfe1..e7c836d961ea 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h
@@ -531,6 +531,7 @@ extern int audit_set_loginuid(kuid_t loginuid);
531	#define audit_get_loginuid(t) ((t)->loginuid)	531	#define audit_get_loginuid(t) ((t)->loginuid)
532	#define audit_get_sessionid(t) ((t)->sessionid)	532	#define audit_get_sessionid(t) ((t)->sessionid)
533	extern void audit_log_task_context(struct audit_buffer *ab);	533	extern void audit_log_task_context(struct audit_buffer *ab);
		534	extern void audit_log_task_info(struct audit_buffer ab, struct task_struct tsk);
534	extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);	535	extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
535	extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);	536	extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
536	extern int __audit_bprm(struct linux_binprm *bprm);	537	extern int __audit_bprm(struct linux_binprm *bprm);
@@ -642,6 +643,7 @@ extern int audit_signals;
642	#define audit_get_loginuid(t) (INVALID_UID)	643	#define audit_get_loginuid(t) (INVALID_UID)
643	#define audit_get_sessionid(t) (-1)	644	#define audit_get_sessionid(t) (-1)
644	#define audit_log_task_context(b) do { ; } while (0)	645	#define audit_log_task_context(b) do { ; } while (0)
		646	#define audit_log_task_info(b, t) do { ; } while (0)
645	#define audit_ipc_obj(i) ((void)0)	647	#define audit_ipc_obj(i) ((void)0)
646	#define audit_ipc_set_perm(q,u,g,m) ((void)0)	648	#define audit_ipc_set_perm(q,u,g,m) ((void)0)
647	#define audit_bprm(p) ({ 0; })	649	#define audit_bprm(p) ({ 0; })


diff --git a/include/linux/ima.h b/include/linux/ima.h index 6ac8e50c6cf5..2c7223d7e73b 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h
@@ -39,5 +39,32 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
39	{	39	{
40	return 0;	40	return 0;
41	}	41	}
		42
42	#endif /* CONFIG_IMA_H */	43	#endif /* CONFIG_IMA_H */
		44
		45	#ifdef CONFIG_IMA_APPRAISE
		46	extern void ima_inode_post_setattr(struct dentry *dentry);
		47	extern int ima_inode_setxattr(struct dentry dentry, const char xattr_name,
		48	const void *xattr_value, size_t xattr_value_len);
		49	extern int ima_inode_removexattr(struct dentry dentry, const char xattr_name);
		50	#else
		51	static inline void ima_inode_post_setattr(struct dentry *dentry)
		52	{
		53	return;
		54	}
		55
		56	static inline int ima_inode_setxattr(struct dentry *dentry,
		57	const char *xattr_name,
		58	const void *xattr_value,
		59	size_t xattr_value_len)
		60	{
		61	return 0;
		62	}
		63
		64	static inline int ima_inode_removexattr(struct dentry *dentry,
		65	const char *xattr_name)
		66	{
		67	return 0;
		68	}
		69	#endif /* CONFIG_IMA_APPRAISE_H */
43	#endif /* _LINUX_IMA_H */	70	#endif /* _LINUX_IMA_H */


diff --git a/include/linux/integrity.h b/include/linux/integrity.h index a0c41256cb92..66c5fe9550a5 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h
@@ -22,13 +22,14 @@ enum integrity_status {
22		22
23	/* List of EVM protected security xattrs */	23	/* List of EVM protected security xattrs */
24	#ifdef CONFIG_INTEGRITY	24	#ifdef CONFIG_INTEGRITY
25	extern int integrity_inode_alloc(struct inode *inode);	25	extern struct integrity_iint_cache integrity_inode_get(struct inode inode);
26	extern void integrity_inode_free(struct inode *inode);	26	extern void integrity_inode_free(struct inode *inode);
27		27
28	#else	28	#else
29	static inline int integrity_inode_alloc(struct inode *inode)	29	static inline struct integrity_iint_cache *
		30	integrity_inode_get(struct inode *inode)
30	{	31	{
31	return 0;	32	return NULL;
32	}	33	}
33		34
34	static inline void integrity_inode_free(struct inode *inode)	35	static inline void integrity_inode_free(struct inode *inode)


diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h index 597e4fdb97fe..3db698aee34c 100644 --- a/include/linux/ptrace.h +++ b/include/linux/ptrace.h
@@ -130,8 +130,6 @@ extern void exit_ptrace(struct task_struct *tracer);
130	#define PTRACE_MODE_READ 0x01	130	#define PTRACE_MODE_READ 0x01
131	#define PTRACE_MODE_ATTACH 0x02	131	#define PTRACE_MODE_ATTACH 0x02
132	#define PTRACE_MODE_NOAUDIT 0x04	132	#define PTRACE_MODE_NOAUDIT 0x04
133	/* Returns 0 on success, -errno on denial. */
134	extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
135	/* Returns true on success, false on denial. */	133	/* Returns true on success, false on denial. */
136	extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);	134	extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
137		135


diff --git a/include/linux/security.h b/include/linux/security.h index 145accee9236..5b50c4e1a7c2 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -3022,5 +3022,36 @@ static inline void free_secdata(void *secdata)
3022	{ }	3022	{ }
3023	#endif /* CONFIG_SECURITY */	3023	#endif /* CONFIG_SECURITY */
3024		3024
		3025	#ifdef CONFIG_SECURITY_YAMA
		3026	extern int yama_ptrace_access_check(struct task_struct *child,
		3027	unsigned int mode);
		3028	extern int yama_ptrace_traceme(struct task_struct *parent);
		3029	extern void yama_task_free(struct task_struct *task);
		3030	extern int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
		3031	unsigned long arg4, unsigned long arg5);
		3032	#else
		3033	static inline int yama_ptrace_access_check(struct task_struct *child,
		3034	unsigned int mode)
		3035	{
		3036	return 0;
		3037	}
		3038
		3039	static inline int yama_ptrace_traceme(struct task_struct *parent)
		3040	{
		3041	return 0;
		3042	}
		3043
		3044	static inline void yama_task_free(struct task_struct *task)
		3045	{
		3046	}
		3047
		3048	static inline int yama_task_prctl(int option, unsigned long arg2,
		3049	unsigned long arg3, unsigned long arg4,
		3050	unsigned long arg5)
		3051	{
		3052	return -ENOSYS;
		3053	}
		3054	#endif /* CONFIG_SECURITY_YAMA */
		3055
3025	#endif /* ! __LINUX_SECURITY_H */	3056	#endif /* ! __LINUX_SECURITY_H */
3026		3057


diff --git a/include/linux/tpm.h b/include/linux/tpm.h index fdc718abf83b..fcb627ff8d3e 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h
@@ -32,6 +32,7 @@
32	extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);	32	extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
33	extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);	33	extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
34	extern int tpm_send(u32 chip_num, void *cmd, size_t buflen);	34	extern int tpm_send(u32 chip_num, void *cmd, size_t buflen);
		35	extern int tpm_get_random(u32 chip_num, u8 *data, size_t max);
35	#else	36	#else
36	static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {	37	static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
37	return -ENODEV;	38	return -ENODEV;
@@ -42,5 +43,8 @@ static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) {
42	static inline int tpm_send(u32 chip_num, void *cmd, size_t buflen) {	43	static inline int tpm_send(u32 chip_num, void *cmd, size_t buflen) {
43	return -ENODEV;	44	return -ENODEV;
44	}	45	}
		46	static inline int tpm_get_random(u32 chip_num, u8 *data, size_t max) {
		47	return -ENODEV;
		48	}
45	#endif	49	#endif
46	#endif	50	#endif


diff --git a/include/linux/xattr.h b/include/linux/xattr.h index 2ace7a60316d..cc13e1115970 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h
@@ -33,6 +33,9 @@
33	#define XATTR_EVM_SUFFIX "evm"	33	#define XATTR_EVM_SUFFIX "evm"
34	#define XATTR_NAME_EVM XATTR_SECURITY_PREFIX XATTR_EVM_SUFFIX	34	#define XATTR_NAME_EVM XATTR_SECURITY_PREFIX XATTR_EVM_SUFFIX
35		35
		36	#define XATTR_IMA_SUFFIX "ima"
		37	#define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX
		38
36	#define XATTR_SELINUX_SUFFIX "selinux"	39	#define XATTR_SELINUX_SUFFIX "selinux"
37	#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX	40	#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
38		41