diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2009-06-11 13:01:41 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-06-11 13:01:41 -0400 |
commit | 3296ca27f50ecbd71db1d808c7a72d311027f919 (patch) | |
tree | 833eaa58b2013bda86d4bd95faf6efad7a2d5ca4 /include | |
parent | e893123c7378192c094747dadec326b7c000c190 (diff) | |
parent | 73fbad283cfbbcf02939bdbda31fc4a30e729cca (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (44 commits)
nommu: Provide mmap_min_addr definition.
TOMOYO: Add description of lists and structures.
TOMOYO: Remove unused field.
integrity: ima audit dentry_open failure
TOMOYO: Remove unused parameter.
security: use mmap_min_addr indepedently of security models
TOMOYO: Simplify policy reader.
TOMOYO: Remove redundant markers.
SELinux: define audit permissions for audit tree netlink messages
TOMOYO: Remove unused mutex.
tomoyo: avoid get+put of task_struct
smack: Remove redundant initialization.
integrity: nfsd imbalance bug fix
rootplug: Remove redundant initialization.
smack: do not beyond ARRAY_SIZE of data
integrity: move ima_counts_get
integrity: path_check update
IMA: Add __init notation to ima functions
IMA: Minimal IMA policy and boot param for TCB IMA policy
selinux: remove obsolete read buffer limit from sel_read_bool
...
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/ima.h | 11 | ||||
-rw-r--r-- | include/linux/init_task.h | 4 | ||||
-rw-r--r-- | include/linux/lsm_audit.h | 111 | ||||
-rw-r--r-- | include/linux/magic.h | 1 | ||||
-rw-r--r-- | include/linux/mm.h | 2 | ||||
-rw-r--r-- | include/linux/sched.h | 5 | ||||
-rw-r--r-- | include/linux/security.h | 2 |
7 files changed, 127 insertions, 9 deletions
diff --git a/include/linux/ima.h b/include/linux/ima.h index 0e2aa45cb0ce..b1b827d091a9 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h | |||
@@ -13,14 +13,17 @@ | |||
13 | #include <linux/fs.h> | 13 | #include <linux/fs.h> |
14 | struct linux_binprm; | 14 | struct linux_binprm; |
15 | 15 | ||
16 | #define IMA_COUNT_UPDATE 1 | ||
17 | #define IMA_COUNT_LEAVE 0 | ||
18 | |||
16 | #ifdef CONFIG_IMA | 19 | #ifdef CONFIG_IMA |
17 | extern int ima_bprm_check(struct linux_binprm *bprm); | 20 | extern int ima_bprm_check(struct linux_binprm *bprm); |
18 | extern int ima_inode_alloc(struct inode *inode); | 21 | extern int ima_inode_alloc(struct inode *inode); |
19 | extern void ima_inode_free(struct inode *inode); | 22 | extern void ima_inode_free(struct inode *inode); |
20 | extern int ima_path_check(struct path *path, int mask); | 23 | extern int ima_path_check(struct path *path, int mask, int update_counts); |
21 | extern void ima_file_free(struct file *file); | 24 | extern void ima_file_free(struct file *file); |
22 | extern int ima_file_mmap(struct file *file, unsigned long prot); | 25 | extern int ima_file_mmap(struct file *file, unsigned long prot); |
23 | extern void ima_shm_check(struct file *file); | 26 | extern void ima_counts_get(struct file *file); |
24 | 27 | ||
25 | #else | 28 | #else |
26 | static inline int ima_bprm_check(struct linux_binprm *bprm) | 29 | static inline int ima_bprm_check(struct linux_binprm *bprm) |
@@ -38,7 +41,7 @@ static inline void ima_inode_free(struct inode *inode) | |||
38 | return; | 41 | return; |
39 | } | 42 | } |
40 | 43 | ||
41 | static inline int ima_path_check(struct path *path, int mask) | 44 | static inline int ima_path_check(struct path *path, int mask, int update_counts) |
42 | { | 45 | { |
43 | return 0; | 46 | return 0; |
44 | } | 47 | } |
@@ -53,7 +56,7 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot) | |||
53 | return 0; | 56 | return 0; |
54 | } | 57 | } |
55 | 58 | ||
56 | static inline void ima_shm_check(struct file *file) | 59 | static inline void ima_counts_get(struct file *file) |
57 | { | 60 | { |
58 | return; | 61 | return; |
59 | } | 62 | } |
diff --git a/include/linux/init_task.h b/include/linux/init_task.h index 889bf99eca6d..6646bfc7b892 100644 --- a/include/linux/init_task.h +++ b/include/linux/init_task.h | |||
@@ -145,8 +145,8 @@ extern struct cred init_cred; | |||
145 | .group_leader = &tsk, \ | 145 | .group_leader = &tsk, \ |
146 | .real_cred = &init_cred, \ | 146 | .real_cred = &init_cred, \ |
147 | .cred = &init_cred, \ | 147 | .cred = &init_cred, \ |
148 | .cred_exec_mutex = \ | 148 | .cred_guard_mutex = \ |
149 | __MUTEX_INITIALIZER(tsk.cred_exec_mutex), \ | 149 | __MUTEX_INITIALIZER(tsk.cred_guard_mutex), \ |
150 | .comm = "swapper", \ | 150 | .comm = "swapper", \ |
151 | .thread = INIT_THREAD, \ | 151 | .thread = INIT_THREAD, \ |
152 | .fs = &init_fs, \ | 152 | .fs = &init_fs, \ |
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h new file mode 100644 index 000000000000..e461b2c3d711 --- /dev/null +++ b/include/linux/lsm_audit.h | |||
@@ -0,0 +1,111 @@ | |||
1 | /* | ||
2 | * Common LSM logging functions | ||
3 | * Heavily borrowed from selinux/avc.h | ||
4 | * | ||
5 | * Author : Etienne BASSET <etienne.basset@ensta.org> | ||
6 | * | ||
7 | * All credits to : Stephen Smalley, <sds@epoch.ncsc.mil> | ||
8 | * All BUGS to : Etienne BASSET <etienne.basset@ensta.org> | ||
9 | */ | ||
10 | #ifndef _LSM_COMMON_LOGGING_ | ||
11 | #define _LSM_COMMON_LOGGING_ | ||
12 | |||
13 | #include <linux/stddef.h> | ||
14 | #include <linux/errno.h> | ||
15 | #include <linux/kernel.h> | ||
16 | #include <linux/kdev_t.h> | ||
17 | #include <linux/spinlock.h> | ||
18 | #include <linux/init.h> | ||
19 | #include <linux/audit.h> | ||
20 | #include <linux/in6.h> | ||
21 | #include <linux/path.h> | ||
22 | #include <linux/key.h> | ||
23 | #include <linux/skbuff.h> | ||
24 | #include <asm/system.h> | ||
25 | |||
26 | |||
27 | /* Auxiliary data to use in generating the audit record. */ | ||
28 | struct common_audit_data { | ||
29 | char type; | ||
30 | #define LSM_AUDIT_DATA_FS 1 | ||
31 | #define LSM_AUDIT_DATA_NET 2 | ||
32 | #define LSM_AUDIT_DATA_CAP 3 | ||
33 | #define LSM_AUDIT_DATA_IPC 4 | ||
34 | #define LSM_AUDIT_DATA_TASK 5 | ||
35 | #define LSM_AUDIT_DATA_KEY 6 | ||
36 | struct task_struct *tsk; | ||
37 | union { | ||
38 | struct { | ||
39 | struct path path; | ||
40 | struct inode *inode; | ||
41 | } fs; | ||
42 | struct { | ||
43 | int netif; | ||
44 | struct sock *sk; | ||
45 | u16 family; | ||
46 | __be16 dport; | ||
47 | __be16 sport; | ||
48 | union { | ||
49 | struct { | ||
50 | __be32 daddr; | ||
51 | __be32 saddr; | ||
52 | } v4; | ||
53 | struct { | ||
54 | struct in6_addr daddr; | ||
55 | struct in6_addr saddr; | ||
56 | } v6; | ||
57 | } fam; | ||
58 | } net; | ||
59 | int cap; | ||
60 | int ipc_id; | ||
61 | struct task_struct *tsk; | ||
62 | #ifdef CONFIG_KEYS | ||
63 | struct { | ||
64 | key_serial_t key; | ||
65 | char *key_desc; | ||
66 | } key_struct; | ||
67 | #endif | ||
68 | } u; | ||
69 | const char *function; | ||
70 | /* this union contains LSM specific data */ | ||
71 | union { | ||
72 | /* SMACK data */ | ||
73 | struct smack_audit_data { | ||
74 | char *subject; | ||
75 | char *object; | ||
76 | char *request; | ||
77 | int result; | ||
78 | } smack_audit_data; | ||
79 | /* SELinux data */ | ||
80 | struct { | ||
81 | u32 ssid; | ||
82 | u32 tsid; | ||
83 | u16 tclass; | ||
84 | u32 requested; | ||
85 | u32 audited; | ||
86 | struct av_decision *avd; | ||
87 | int result; | ||
88 | } selinux_audit_data; | ||
89 | } lsm_priv; | ||
90 | /* these callback will be implemented by a specific LSM */ | ||
91 | void (*lsm_pre_audit)(struct audit_buffer *, void *); | ||
92 | void (*lsm_post_audit)(struct audit_buffer *, void *); | ||
93 | }; | ||
94 | |||
95 | #define v4info fam.v4 | ||
96 | #define v6info fam.v6 | ||
97 | |||
98 | int ipv4_skb_to_auditdata(struct sk_buff *skb, | ||
99 | struct common_audit_data *ad, u8 *proto); | ||
100 | |||
101 | int ipv6_skb_to_auditdata(struct sk_buff *skb, | ||
102 | struct common_audit_data *ad, u8 *proto); | ||
103 | |||
104 | /* Initialize an LSM audit data structure. */ | ||
105 | #define COMMON_AUDIT_DATA_INIT(_d, _t) \ | ||
106 | { memset((_d), 0, sizeof(struct common_audit_data)); \ | ||
107 | (_d)->type = LSM_AUDIT_DATA_##_t; (_d)->function = __func__; } | ||
108 | |||
109 | void common_lsm_audit(struct common_audit_data *a); | ||
110 | |||
111 | #endif | ||
diff --git a/include/linux/magic.h b/include/linux/magic.h index 5b4e28bcb788..927138cf3050 100644 --- a/include/linux/magic.h +++ b/include/linux/magic.h | |||
@@ -9,6 +9,7 @@ | |||
9 | #define DEBUGFS_MAGIC 0x64626720 | 9 | #define DEBUGFS_MAGIC 0x64626720 |
10 | #define SYSFS_MAGIC 0x62656572 | 10 | #define SYSFS_MAGIC 0x62656572 |
11 | #define SECURITYFS_MAGIC 0x73636673 | 11 | #define SECURITYFS_MAGIC 0x73636673 |
12 | #define SELINUX_MAGIC 0xf97cff8c | ||
12 | #define TMPFS_MAGIC 0x01021994 | 13 | #define TMPFS_MAGIC 0x01021994 |
13 | #define SQUASHFS_MAGIC 0x73717368 | 14 | #define SQUASHFS_MAGIC 0x73717368 |
14 | #define EFS_SUPER_MAGIC 0x414A53 | 15 | #define EFS_SUPER_MAGIC 0x414A53 |
diff --git a/include/linux/mm.h b/include/linux/mm.h index 9772d6cbfc82..ad613ed66ab0 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h | |||
@@ -581,12 +581,10 @@ static inline void set_page_links(struct page *page, enum zone_type zone, | |||
581 | */ | 581 | */ |
582 | static inline unsigned long round_hint_to_min(unsigned long hint) | 582 | static inline unsigned long round_hint_to_min(unsigned long hint) |
583 | { | 583 | { |
584 | #ifdef CONFIG_SECURITY | ||
585 | hint &= PAGE_MASK; | 584 | hint &= PAGE_MASK; |
586 | if (((void *)hint != NULL) && | 585 | if (((void *)hint != NULL) && |
587 | (hint < mmap_min_addr)) | 586 | (hint < mmap_min_addr)) |
588 | return PAGE_ALIGN(mmap_min_addr); | 587 | return PAGE_ALIGN(mmap_min_addr); |
589 | #endif | ||
590 | return hint; | 588 | return hint; |
591 | } | 589 | } |
592 | 590 | ||
diff --git a/include/linux/sched.h b/include/linux/sched.h index d1399660b776..42bf2766111e 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h | |||
@@ -1261,7 +1261,9 @@ struct task_struct { | |||
1261 | * credentials (COW) */ | 1261 | * credentials (COW) */ |
1262 | const struct cred *cred; /* effective (overridable) subjective task | 1262 | const struct cred *cred; /* effective (overridable) subjective task |
1263 | * credentials (COW) */ | 1263 | * credentials (COW) */ |
1264 | struct mutex cred_exec_mutex; /* execve vs ptrace cred calculation mutex */ | 1264 | struct mutex cred_guard_mutex; /* guard against foreign influences on |
1265 | * credential calculations | ||
1266 | * (notably. ptrace) */ | ||
1265 | 1267 | ||
1266 | char comm[TASK_COMM_LEN]; /* executable name excluding path | 1268 | char comm[TASK_COMM_LEN]; /* executable name excluding path |
1267 | - access with [gs]et_task_comm (which lock | 1269 | - access with [gs]et_task_comm (which lock |
@@ -1901,6 +1903,7 @@ extern void sched_dead(struct task_struct *p); | |||
1901 | 1903 | ||
1902 | extern void proc_caches_init(void); | 1904 | extern void proc_caches_init(void); |
1903 | extern void flush_signals(struct task_struct *); | 1905 | extern void flush_signals(struct task_struct *); |
1906 | extern void __flush_signals(struct task_struct *); | ||
1904 | extern void ignore_signals(struct task_struct *); | 1907 | extern void ignore_signals(struct task_struct *); |
1905 | extern void flush_signal_handlers(struct task_struct *, int force_default); | 1908 | extern void flush_signal_handlers(struct task_struct *, int force_default); |
1906 | extern int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info); | 1909 | extern int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info); |
diff --git a/include/linux/security.h b/include/linux/security.h index d5fd6163606f..5eff459b3833 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -2197,6 +2197,8 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot, | |||
2197 | unsigned long addr, | 2197 | unsigned long addr, |
2198 | unsigned long addr_only) | 2198 | unsigned long addr_only) |
2199 | { | 2199 | { |
2200 | if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO)) | ||
2201 | return -EACCES; | ||
2200 | return 0; | 2202 | return 0; |
2201 | } | 2203 | } |
2202 | 2204 | ||