authorLinus Torvalds <torvalds@linux-foundation.org>2009-06-11 13:01:41 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2009-06-11 13:01:41 -0400
commit3296ca27f50ecbd71db1d808c7a72d311027f919 (patch)
tree833eaa58b2013bda86d4bd95faf6efad7a2d5ca4 /include
parente893123c7378192c094747dadec326b7c000c190 (diff)
parent73fbad283cfbbcf02939bdbda31fc4a30e729cca (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (44 commits) nommu: Provide mmap_min_addr definition. TOMOYO: Add description of lists and structures. TOMOYO: Remove unused field. integrity: ima audit dentry_open failure TOMOYO: Remove unused parameter. security: use mmap_min_addr indepedently of security models TOMOYO: Simplify policy reader. TOMOYO: Remove redundant markers. SELinux: define audit permissions for audit tree netlink messages TOMOYO: Remove unused mutex. tomoyo: avoid get+put of task_struct smack: Remove redundant initialization. integrity: nfsd imbalance bug fix rootplug: Remove redundant initialization. smack: do not beyond ARRAY_SIZE of data integrity: move ima_counts_get integrity: path_check update IMA: Add __init notation to ima functions IMA: Minimal IMA policy and boot param for TCB IMA policy selinux: remove obsolete read buffer limit from sel_read_bool ...
Diffstat (limited to 'include')
-rw-r--r--include/linux/ima.h11
-rw-r--r--include/linux/init_task.h4
-rw-r--r--include/linux/lsm_audit.h111
-rw-r--r--include/linux/magic.h1
-rw-r--r--include/linux/mm.h2
-rw-r--r--include/linux/sched.h5
-rw-r--r--include/linux/security.h2
7 files changed, 127 insertions, 9 deletions
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 0e2aa45cb0ce..b1b827d091a9 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -13,14 +13,17 @@
13#include <linux/fs.h> 13#include <linux/fs.h>
14struct linux_binprm; 14struct linux_binprm;
15 15
16#define IMA_COUNT_UPDATE 1
17#define IMA_COUNT_LEAVE 0
18
16#ifdef CONFIG_IMA 19#ifdef CONFIG_IMA
17extern int ima_bprm_check(struct linux_binprm *bprm); 20extern int ima_bprm_check(struct linux_binprm *bprm);
18extern int ima_inode_alloc(struct inode *inode); 21extern int ima_inode_alloc(struct inode *inode);
19extern void ima_inode_free(struct inode *inode); 22extern void ima_inode_free(struct inode *inode);
20extern int ima_path_check(struct path *path, int mask); 23extern int ima_path_check(struct path *path, int mask, int update_counts);
21extern void ima_file_free(struct file *file); 24extern void ima_file_free(struct file *file);
22extern int ima_file_mmap(struct file *file, unsigned long prot); 25extern int ima_file_mmap(struct file *file, unsigned long prot);
23extern void ima_shm_check(struct file *file); 26extern void ima_counts_get(struct file *file);
24 27
25#else 28#else
26static inline int ima_bprm_check(struct linux_binprm *bprm) 29static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -38,7 +41,7 @@ static inline void ima_inode_free(struct inode *inode)
38 return; 41 return;
39} 42}
40 43
41static inline int ima_path_check(struct path *path, int mask) 44static inline int ima_path_check(struct path *path, int mask, int update_counts)
42{ 45{
43 return 0; 46 return 0;
44} 47}
@@ -53,7 +56,7 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
53 return 0; 56 return 0;
54} 57}
55 58
56static inline void ima_shm_check(struct file *file) 59static inline void ima_counts_get(struct file *file)
57{ 60{
58 return; 61 return;
59} 62}
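Review bot: The new `IMA_COUNT_UPDATE`/`IMA_COUNT_LEAVE` constants and the `update_counts` argument added to `ima_path_check` in the first hunk carry no comment saying what the flag controls or who owns the matching decrement, and since the parameter is a plain `int` a caller passing the wrong value is not caught at compile time. Presumably it selects whether IMA bumps its per-inode open counters during the check or leaves that to a later `ima_counts_get()` call (the merge log's "nfsd imbalance bug fix" suggests this pairing is easy to get wrong), so I would add above the defines: `/* update_counts for ima_path_check(): IMA_COUNT_UPDATE bumps the inode's IMA open counters during the check, IMA_COUNT_LEAVE defers that to a separate ima_counts_get() call — TODO confirm against security/integrity/ima */`. The `!CONFIG_IMA` stubs in the later hunks correctly accept and ignore the new parameter.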
diff --git a/include/linux/init_task.h b/include/linux/init_task.h
index 889bf99eca6d..6646bfc7b892 100644
--- a/include/linux/init_task.h
+++ b/include/linux/init_task.h
@@ -145,8 +145,8 @@ extern struct cred init_cred;
145 .group_leader = &tsk, \ 145 .group_leader = &tsk, \
146 .real_cred = &init_cred, \ 146 .real_cred = &init_cred, \
147 .cred = &init_cred, \ 147 .cred = &init_cred, \
148 .cred_exec_mutex = \ 148 .cred_guard_mutex = \
149 __MUTEX_INITIALIZER(tsk.cred_exec_mutex), \ 149 __MUTEX_INITIALIZER(tsk.cred_guard_mutex), \
150 .comm = "swapper", \ 150 .comm = "swapper", \
151 .thread = INIT_THREAD, \ 151 .thread = INIT_THREAD, \
152 .fs = &init_fs, \ 152 .fs = &init_fs, \
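--- /dev/null
+++ b/include/linux/lsm_audit.h
@@ -0,0 +1,111 @@
+/*
+ * Common LSM logging functions
+ * Heavily borrowed from selinux/avc.h
+ *
+ * Author : Etienne BASSET <etienne.basset@ensta.org>
+ *
+ * All credits to : Stephen Smalley, <sds@epoch.ncsc.mil>
+ * All BUGS to : Etienne BASSET <etienne.basset@ensta.org>
+ */
+#ifndef _LSM_COMMON_LOGGING_
+#define _LSM_COMMON_LOGGING_
+
+#include <linux/stddef.h>
+#include <linux/errno.h>
+#include <linux/kernel.h>
+#include <linux/kdev_t.h>
+#include <linux/spinlock.h>
+#include <linux/init.h>
+#include <linux/audit.h>
+#include <linux/in6.h>
+#include <linux/path.h>
+#include <linux/key.h>
+#include <linux/skbuff.h>
+#include <asm/system.h>
+
+
+/* Auxiliary data to use in generating the audit record. */
+struct common_audit_data {
+ char type;
+#define LSM_AUDIT_DATA_FS 1
+#define LSM_AUDIT_DATA_NET 2
+#define LSM_AUDIT_DATA_CAP 3
+#define LSM_AUDIT_DATA_IPC 4
+#define LSM_AUDIT_DATA_TASK 5
+#define LSM_AUDIT_DATA_KEY 6
+ struct task_struct *tsk;
+ union {
+ struct {
+ struct path path;
+ struct inode *inode;
+ } fs;
+ struct {
+ int netif;
+ struct sock *sk;
+ u16 family;
+ __be16 dport;
+ __be16 sport;
+ union {
+ struct {
+ __be32 daddr;
+ __be32 saddr;
+ } v4;
+ struct {
+ struct in6_addr daddr;
+ struct in6_addr saddr;
+ } v6;
+ } fam;
+ } net;
+ int cap;
+ int ipc_id;
+ struct task_struct *tsk;
+#ifdef CONFIG_KEYS
+ struct {
+ key_serial_t key;
+ char *key_desc;
+ } key_struct;
+#endif
+ } u;
+ const char *function;
+ /* this union contains LSM specific data */
+ union {
+ /* SMACK data */
+ struct smack_audit_data {
+ char *subject;
+ char *object;
+ char *request;
+ int result;
+ } smack_audit_data;
+ /* SELinux data */
+ struct {
+ u32 ssid;
+ u32 tsid;
+ u16 tclass;
+ u32 requested;
+ u32 audited;
+ struct av_decision *avd;
+ int result;
+ } selinux_audit_data;
+ } lsm_priv;
+ /* these callback will be implemented by a specific LSM */
+ void (*lsm_pre_audit)(struct audit_buffer *, void *);
+ void (*lsm_post_audit)(struct audit_buffer *, void *);
+};
+
+#define v4info fam.v4
+#define v6info fam.v6
+
+int ipv4_skb_to_auditdata(struct sk_buff *skb,
+ struct common_audit_data *ad, u8 *proto);
+
+int ipv6_skb_to_auditdata(struct sk_buff *skb,
+ struct common_audit_data *ad, u8 *proto);
+
+/* Initialize an LSM audit data structure. */
+#define COMMON_AUDIT_DATA_INIT(_d, _t) \
+ { memset((_d), 0, sizeof(struct common_audit_data)); \
+ (_d)->type = LSM_AUDIT_DATA_##_t; (_d)->function = __func__; }
+
+void common_lsm_audit(struct common_audit_data *a);
+
+#endif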
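Review bot: `COMMON_AUDIT_DATA_INIT` (new lines 105-107) expands to a bare brace block, so `if (cond) COMMON_AUDIT_DATA_INIT(&ad, FS); else ...` does not compile and the usual trailing semicolon leaves a stray empty statement; kernel multi-statement macros use the `do { ... } while (0)` form, i.e. `do { memset((_d), 0, sizeof(struct common_audit_data)); \` followed by `(_d)->type = LSM_AUDIT_DATA_##_t; (_d)->function = __func__; } while (0)`. `struct common_audit_data` also has two `tsk` members, one at top level (line 36) and one inside union `u` (line 61), with nothing saying which one an LSM fills for an `LSM_AUDIT_DATA_TASK` record; a comment on each, or dropping the redundant one, would keep writers and the audit formatter from disagreeing. `#define v4info fam.v4` and `#define v6info fam.v6` are unqualified, unscoped macros that every includer inherits and that will silently rewrite any unrelated identifier of that name; `LSM_AUDIT_`-prefixed names, or keeping them private to the .c file that needs them, would be safer.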
diff --git a/include/linux/magic.h b/include/linux/magic.h
index 5b4e28bcb788..927138cf3050 100644
--- a/include/linux/magic.h
+++ b/include/linux/magic.h
@@ -9,6 +9,7 @@
9#define DEBUGFS_MAGIC 0x64626720 9#define DEBUGFS_MAGIC 0x64626720
10#define SYSFS_MAGIC 0x62656572 10#define SYSFS_MAGIC 0x62656572
11#define SECURITYFS_MAGIC 0x73636673 11#define SECURITYFS_MAGIC 0x73636673
12#define SELINUX_MAGIC 0xf97cff8c
12#define TMPFS_MAGIC 0x01021994 13#define TMPFS_MAGIC 0x01021994
13#define SQUASHFS_MAGIC 0x73717368 14#define SQUASHFS_MAGIC 0x73717368
14#define EFS_SUPER_MAGIC 0x414A53 15#define EFS_SUPER_MAGIC 0x414A53
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 9772d6cbfc82..ad613ed66ab0 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -581,12 +581,10 @@ static inline void set_page_links(struct page *page, enum zone_type zone,
581 */ 581 */
582static inline unsigned long round_hint_to_min(unsigned long hint) 582static inline unsigned long round_hint_to_min(unsigned long hint)
583{ 583{
584#ifdef CONFIG_SECURITY
585 hint &= PAGE_MASK; 584 hint &= PAGE_MASK;
586 if (((void *)hint != NULL) && 585 if (((void *)hint != NULL) &&
587 (hint < mmap_min_addr)) 586 (hint < mmap_min_addr))
588 return PAGE_ALIGN(mmap_min_addr); 587 return PAGE_ALIGN(mmap_min_addr);
589#endif
590 return hint; 588 return hint;
591} 589}
592 590
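Review bot: `round_hint_to_min` now reads `mmap_min_addr` unconditionally since the `#ifdef CONFIG_SECURITY` guard is removed, so this header must see a declaration of `mmap_min_addr` in every configuration, including `!CONFIG_SECURITY` and nommu builds; the merge log lists commits that provide it, but the declaration is not in this hunk, so it is worth confirming that `mm.h` gets it without depending on `security.h` being included first. The comment block above the function ends with the `*/` at the top of the hunk, so its text is outside the visible lines; if it still describes the rounding as a CONFIG_SECURITY-only behavior it should now say the hint is rounded up to `mmap_min_addr` regardless of LSM configuration, e.g. `/* round a non-NULL mmap hint up to mmap_min_addr so callers never get a hint the low-address policy would reject */`. Note this only adjusts the hint; the actual refusal of low mappings is done by `security_file_mmap`, not here.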
diff --git a/include/linux/sched.h b/include/linux/sched.h
index d1399660b776..42bf2766111e 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1261,7 +1261,9 @@ struct task_struct {
1261 * credentials (COW) */ 1261 * credentials (COW) */
1262 const struct cred *cred; /* effective (overridable) subjective task 1262 const struct cred *cred; /* effective (overridable) subjective task
1263 * credentials (COW) */ 1263 * credentials (COW) */
1264 struct mutex cred_exec_mutex; /* execve vs ptrace cred calculation mutex */ 1264 struct mutex cred_guard_mutex; /* guard against foreign influences on
1265 * credential calculations
1266 * (notably. ptrace) */
1265 1267
1266 char comm[TASK_COMM_LEN]; /* executable name excluding path 1268 char comm[TASK_COMM_LEN]; /* executable name excluding path
1267 - access with [gs]et_task_comm (which lock 1269 - access with [gs]et_task_comm (which lock
@@ -1901,6 +1903,7 @@ extern void sched_dead(struct task_struct *p);
1901 1903
1902extern void proc_caches_init(void); 1904extern void proc_caches_init(void);
1903extern void flush_signals(struct task_struct *); 1905extern void flush_signals(struct task_struct *);
1906extern void __flush_signals(struct task_struct *);
1904extern void ignore_signals(struct task_struct *); 1907extern void ignore_signals(struct task_struct *);
1905extern void flush_signal_handlers(struct task_struct *, int force_default); 1908extern void flush_signal_handlers(struct task_struct *, int force_default);
1906extern int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info); 1909extern int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info);
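Review bot: The new comment on `cred_guard_mutex` in the first hunk has a stray period, `(notably. ptrace)`; it should read `/* guard against foreign influences on credential calculations (notably ptrace) */`. The `__flush_signals` prototype added in the second hunk says nothing about how it differs from `flush_signals`; by kernel convention the double-underscore variant presumably expects the caller to already hold `tsk->sighand->siglock`, so a one-line comment stating that lock requirement (confirm against kernel/signal.c) would save readers a lookup and prevent an unlocked call. `struct task_struct` continues outside the first hunk.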
diff --git a/include/linux/security.h b/include/linux/security.h
index d5fd6163606f..5eff459b3833 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2197,6 +2197,8 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
2197 unsigned long addr, 2197 unsigned long addr,
2198 unsigned long addr_only) 2198 unsigned long addr_only)
2199{ 2199{
2200 if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
2201 return -EACCES;
2200 return 0; 2202 return 0;
2201} 2203}
2202 2204
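Review bot: The `!CONFIG_SECURITY` stub now refuses low mappings with `-EACCES`, while the `CONFIG_SECURITY` path (the capability helper, outside this hunk) reports a failed `CAP_SYS_RAWIO` check as `-EPERM` if it goes through `cap_capable`, so userspace would see a different errno for the same policy depending on kernel config; returning the same code, or simply calling the capability helper from the stub, keeps the two consistent — worth confirming against security/commoncap.c. The check also requires `capable()` and `mmap_min_addr` to be declared in this header for the `!CONFIG_SECURITY` build, which the hunk does not show. A short comment would help readers who do not know the constant: `/* Even without an LSM, keep unprivileged tasks from mapping below mmap_min_addr (the usual NULL-dereference exploit mitigation) */`. The function's signature begins in the hunk header line.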