Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (71 commits) SELinux: inode_doinit_with_dentry drop no dentry printk SELinux: new permission between tty audit and audit socket SELinux: open perm for sock files smack: fixes for unlabeled host support keys: make procfiles per-user-namespace keys: skip keys from another user namespace keys: consider user namespace in key_permission keys: distinguish per-uid keys in different namespaces integrity: ima iint radix_tree_lookup locking fix TOMOYO: Do not call tomoyo_realpath_init unless registered. integrity: ima scatterlist bug fix smack: fix lots of kernel-doc notation TOMOYO: Don't create securityfs entries unless registered. TOMOYO: Fix exception policy read failure. SELinux: convert the avc cache hash list to an hlist SELinux: code readability with avc_cache SELinux: remove unused av.decided field SELinux: more careful use of avd in avc_has_perm_noaudit SELinux: remove the unused ae.used SELinux: check seqno when updating an avc_node ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2009-03-26 14:03:39 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2009-03-26 14:03:39 -0400
commit: 8d80ce80e1d58ba9cd3e3972b112cccd6b4008f4 (patch)
tree: 16d3cca8d260c731d02a4e5e1ea5b9817c9c3626 /include/linux
parent: 1646df40bb111715a90ce0b86448dabbcc5b3f3d (diff)
parent: 703a3cd72817e99201cef84a8a7aecc60b2b3581 (diff)
4 files changed, 106 insertions, 1 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 67e5dbfc2961..4fa2810b675e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -36,7 +36,8 @@
 * 1500 - 1599 kernel LSPP events
 * 1600 - 1699 kernel crypto events
 * 1700 - 1799 kernel anomaly records
- * 1800 - 1999 future kernel use (maybe integrity labels and related events)
+ * 1800 - 1899 kernel integrity events
+ * 1900 - 1999 future kernel use
 * 2000 is for otherwise unclassified kernel audit messages (legacy)
 * 2001 - 2099 unused (kernel)
 * 2100 - 2199 user space anomaly records
@@ -125,6 +126,12 @@
 #define AUDIT_LAST_KERN_ANOM_MSG    1799
 #define AUDIT_ANOM_PROMISCUOUS      1700 /* Device changed promiscuous mode */
 #define AUDIT_ANOM_ABEND            1701 /* Process ended abnormally */
+#define AUDIT_INTEGRITY_DATA        1800 /* Data integrity verification */
+#define AUDIT_INTEGRITY_METADATA    1801 /* Metadata integrity verification */
+#define AUDIT_INTEGRITY_STATUS      1802 /* Integrity enable status */
+#define AUDIT_INTEGRITY_HASH        1803 /* Integrity HASH type */
+#define AUDIT_INTEGRITY_PCR         1804 /* PCR invalidation msgs */
+#define AUDIT_INTEGRITY_RULE        1805 /* policy rule */
 #define AUDIT_KERNEL            2000    /* Asynchronous audit record. NOT A REQUEST. */
diff --git a/include/linux/ima.h b/include/linux/ima.h
new file mode 100644
index 000000000000..0e2aa45cb0ce
--- /dev/null
+++ b/include/linux/ima.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2008 IBM Corporation
+ * Author: Mimi Zohar <zohar@us.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2 of the License.
+ */
+#ifndef _LINUX_IMA_H
+#define _LINUX_IMA_H
+#include <linux/fs.h>
+struct linux_binprm;
+#ifdef CONFIG_IMA
+extern int ima_bprm_check(struct linux_binprm *bprm);
+extern int ima_inode_alloc(struct inode *inode);
+extern void ima_inode_free(struct inode *inode);
+extern int ima_path_check(struct path *path, int mask);
+extern void ima_file_free(struct file *file);
+extern int ima_file_mmap(struct file *file, unsigned long prot);
+extern void ima_shm_check(struct file *file);
+#else
+static inline int ima_bprm_check(struct linux_binprm *bprm)
+{
+        return 0;
+}
+static inline int ima_inode_alloc(struct inode *inode)
+{
+        return 0;
+}
+static inline void ima_inode_free(struct inode *inode)
+{
+        return;
+}
+static inline int ima_path_check(struct path *path, int mask)
+{
+        return 0;
+}
+static inline void ima_file_free(struct file *file)
+{
+        return;
+}
+static inline int ima_file_mmap(struct file *file, unsigned long prot)
+{
+        return 0;
+}
+static inline void ima_shm_check(struct file *file)
+{
+        return;
+}
+#endif /* CONFIG_IMA_H */
+#endif /* _LINUX_IMA_H */
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 011db2f4c94c..2c36f62e7544 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1175,6 +1175,8 @@ struct task_struct {
        /* ??? */
        unsigned int personality;
        unsigned did_exec:1;
+        unsigned in_execve:1;   /* Tell the LSMs that the process is doing an
+                                 * execve */
        pid_t pid;
        pid_t tgid;
diff --git a/include/linux/tpm.h b/include/linux/tpm.h
new file mode 100644
index 000000000000..3338b3f5c21a
--- /dev/null
+++ b/include/linux/tpm.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2004,2007,2008 IBM Corporation
+ *
+ * Authors:
+ * Leendert van Doorn <leendert@watson.ibm.com>
+ * Dave Safford <safford@watson.ibm.com>
+ * Reiner Sailer <sailer@watson.ibm.com>
+ * Kylene Hall <kjhall@us.ibm.com>
+ * Debora Velarde <dvelarde@us.ibm.com>
+ *
+ * Maintained by: <tpmdd_devel@lists.sourceforge.net>
+ *
+ * Device driver for TCG/TCPA TPM (trusted platform module).
+ * Specifications at www.trustedcomputinggroup.org
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ */
+#ifndef __LINUX_TPM_H__
+#define __LINUX_TPM_H__
+/*
+ * Chip num is this value or a valid tpm idx
+ */
+#define TPM_ANY_NUM 0xFFFF
+#if defined(CONFIG_TCG_TPM)
+extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
+extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
+#endif
+#endif
author	Linus Torvalds <torvalds@linux-foundation.org>	2009-03-26 14:03:39 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2009-03-26 14:03:39 -0400
commit	8d80ce80e1d58ba9cd3e3972b112cccd6b4008f4 (patch)
tree	16d3cca8d260c731d02a4e5e1ea5b9817c9c3626 /include/linux
parent	1646df40bb111715a90ce0b86448dabbcc5b3f3d (diff)
parent	703a3cd72817e99201cef84a8a7aecc60b2b3581 (diff)

diff --git a/include/linux/audit.h b/include/linux/audit.h index 67e5dbfc2961..4fa2810b675e 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h
@@ -36,7 +36,8 @@
36	* 1500 - 1599 kernel LSPP events	36	* 1500 - 1599 kernel LSPP events
37	* 1600 - 1699 kernel crypto events	37	* 1600 - 1699 kernel crypto events
38	* 1700 - 1799 kernel anomaly records	38	* 1700 - 1799 kernel anomaly records
39	* 1800 - 1999 future kernel use (maybe integrity labels and related events)	39	* 1800 - 1899 kernel integrity events
		40	* 1900 - 1999 future kernel use
40	* 2000 is for otherwise unclassified kernel audit messages (legacy)	41	* 2000 is for otherwise unclassified kernel audit messages (legacy)
41	* 2001 - 2099 unused (kernel)	42	* 2001 - 2099 unused (kernel)
42	* 2100 - 2199 user space anomaly records	43	* 2100 - 2199 user space anomaly records
@@ -125,6 +126,12 @@
125	#define AUDIT_LAST_KERN_ANOM_MSG 1799	126	#define AUDIT_LAST_KERN_ANOM_MSG 1799
126	#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */	127	#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
127	#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */	128	#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
		129	#define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
		130	#define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
		131	#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
		132	#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
		133	#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
		134	#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
128		135
129	#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */	136	#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
130		137


diff --git a/include/linux/ima.h b/include/linux/ima.h new file mode 100644 index 000000000000..0e2aa45cb0ce --- /dev/null +++ b/include/linux/ima.h
@@ -0,0 +1,61 @@
		1	/*
		2	* Copyright (C) 2008 IBM Corporation
		3	* Author: Mimi Zohar <zohar@us.ibm.com>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License as published by
		7	* the Free Software Foundation, version 2 of the License.
		8	*/
		9
		10	#ifndef _LINUX_IMA_H
		11	#define _LINUX_IMA_H
		12
		13	#include <linux/fs.h>
		14	struct linux_binprm;
		15
		16	#ifdef CONFIG_IMA
		17	extern int ima_bprm_check(struct linux_binprm *bprm);
		18	extern int ima_inode_alloc(struct inode *inode);
		19	extern void ima_inode_free(struct inode *inode);
		20	extern int ima_path_check(struct path *path, int mask);
		21	extern void ima_file_free(struct file *file);
		22	extern int ima_file_mmap(struct file *file, unsigned long prot);
		23	extern void ima_shm_check(struct file *file);
		24
		25	#else
		26	static inline int ima_bprm_check(struct linux_binprm *bprm)
		27	{
		28	return 0;
		29	}
		30
		31	static inline int ima_inode_alloc(struct inode *inode)
		32	{
		33	return 0;
		34	}
		35
		36	static inline void ima_inode_free(struct inode *inode)
		37	{
		38	return;
		39	}
		40
		41	static inline int ima_path_check(struct path *path, int mask)
		42	{
		43	return 0;
		44	}
		45
		46	static inline void ima_file_free(struct file *file)
		47	{
		48	return;
		49	}
		50
		51	static inline int ima_file_mmap(struct file *file, unsigned long prot)
		52	{
		53	return 0;
		54	}
		55
		56	static inline void ima_shm_check(struct file *file)
		57	{
		58	return;
		59	}
		60	#endif /* CONFIG_IMA_H */
		61	#endif /* _LINUX_IMA_H */


diff --git a/include/linux/sched.h b/include/linux/sched.h index 011db2f4c94c..2c36f62e7544 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h
@@ -1175,6 +1175,8 @@ struct task_struct {
1175	/* ??? */	1175	/* ??? */
1176	unsigned int personality;	1176	unsigned int personality;
1177	unsigned did_exec:1;	1177	unsigned did_exec:1;
		1178	unsigned in_execve:1; /* Tell the LSMs that the process is doing an
		1179	* execve */
1178	pid_t pid;	1180	pid_t pid;
1179	pid_t tgid;	1181	pid_t tgid;
1180		1182


diff --git a/include/linux/tpm.h b/include/linux/tpm.h new file mode 100644 index 000000000000..3338b3f5c21a --- /dev/null +++ b/include/linux/tpm.h
@@ -0,0 +1,35 @@
		1	/*
		2	* Copyright (C) 2004,2007,2008 IBM Corporation
		3	*
		4	* Authors:
		5	* Leendert van Doorn <leendert@watson.ibm.com>
		6	* Dave Safford <safford@watson.ibm.com>
		7	* Reiner Sailer <sailer@watson.ibm.com>
		8	* Kylene Hall <kjhall@us.ibm.com>
		9	* Debora Velarde <dvelarde@us.ibm.com>
		10	*
		11	* Maintained by: <tpmdd_devel@lists.sourceforge.net>
		12	*
		13	* Device driver for TCG/TCPA TPM (trusted platform module).
		14	* Specifications at www.trustedcomputinggroup.org
		15	*
		16	* This program is free software; you can redistribute it and/or
		17	* modify it under the terms of the GNU General Public License as
		18	* published by the Free Software Foundation, version 2 of the
		19	* License.
		20	*
		21	*/
		22	#ifndef __LINUX_TPM_H__
		23	#define __LINUX_TPM_H__
		24
		25	/*
		26	* Chip num is this value or a valid tpm idx
		27	*/
		28	#define TPM_ANY_NUM 0xFFFF
		29
		30	#if defined(CONFIG_TCG_TPM)
		31
		32	extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
		33	extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
		34	#endif
		35	#endif