Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris: "Highlights: - Integrity: add local fs integrity verification to detect offline attacks - Integrity: add digital signature verification - Simple stacking of Yama with other LSMs (per LSS discussions) - IBM vTPM support on ppc64 - Add new driver for Infineon I2C TIS TPM - Smack: add rule revocation for subject labels" Fixed conflicts with the user namespace support in kernel/auditsc.c and security/integrity/ima/ima_policy.c. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits) Documentation: Update git repository URL for Smack userland tools ima: change flags container data type Smack: setprocattr memory leak fix Smack: implement revoking all rules for a subject label Smack: remove task_wait() hook. ima: audit log hashes ima: generic IMA action flag handling ima: rename ima_must_appraise_or_measure audit: export audit_log_task_info tpm: fix tpm_acpi sparse warning on different address spaces samples/seccomp: fix 31 bit build on s390 ima: digital signature verification support ima: add support for different security.ima data types ima: add ima_inode_setxattr/removexattr function and calls ima: add inode_post_setattr call ima: replace iint spinblock with rwlock/read_lock ima: allocating iint improvements ima: add appraise action keywords and default rules ima: integrity appraisal extension vfs: move ima_file_free before releasing the file ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2012-10-03 00:38:48 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2012-10-03 00:38:48 -0400
commit: 88265322c14cce39f7afbc416726ef4fac413298 (patch)
tree: e4956f905ef617971f87788d8f8a09dbb66b70a3 /kernel
parent: 65b99c74fdd325d1ffa2e5663295888704712604 (diff)
parent: bf5308344527d015ac9a6d2bda4ad4d40fd7d943 (diff)
2 files changed, 42 insertions, 46 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ff4798fcb488..29e090cc0e46 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1146,13 +1146,44 @@ error_path:
 EXPORT_SYMBOL(audit_log_task_context);
-static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
+void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
 {
+        const struct cred *cred;
        char name[sizeof(tsk->comm)];
        struct mm_struct *mm = tsk->mm;
        struct vm_area_struct *vma;
+        char *tty;
+        if (!ab)
+                return;
        /* tsk == current */
+        cred = current_cred();
+        spin_lock_irq(&tsk->sighand->siglock);
+        if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
+                tty = tsk->signal->tty->name;
+        else
+                tty = "(none)";
+        spin_unlock_irq(&tsk->sighand->siglock);
+        audit_log_format(ab,
+                         " ppid=%ld pid=%d auid=%u uid=%u gid=%u"
+                         " euid=%u suid=%u fsuid=%u"
+                         " egid=%u sgid=%u fsgid=%u ses=%u tty=%s",
+                         sys_getppid(),
+                         tsk->pid,
+                         from_kuid(&init_user_ns, tsk->loginuid),
+                         from_kuid(&init_user_ns, cred->uid),
+                         from_kgid(&init_user_ns, cred->gid),
+                         from_kuid(&init_user_ns, cred->euid),
+                         from_kuid(&init_user_ns, cred->suid),
+                         from_kuid(&init_user_ns, cred->fsuid),
+                         from_kgid(&init_user_ns, cred->egid),
+                         from_kgid(&init_user_ns, cred->sgid),
+                         from_kgid(&init_user_ns, cred->fsgid),
+                         tsk->sessionid, tty);
        get_task_comm(name, tsk);
        audit_log_format(ab, " comm=");
@@ -1175,6 +1206,8 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
        audit_log_task_context(ab);
 }
+EXPORT_SYMBOL(audit_log_task_info);
 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
                                 kuid_t auid, kuid_t uid, unsigned int sessionid,
                                 u32 sid, char *comm)
@@ -1580,26 +1613,12 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
 {
-        const struct cred *cred;
        int i, call_panic = 0;
        struct audit_buffer *ab;
        struct audit_aux_data *aux;
-        const char *tty;
        struct audit_names *n;
        /* tsk == current */
-        context->pid = tsk->pid;
-        if (!context->ppid)
-                context->ppid = sys_getppid();
-        cred = current_cred();
-        context->uid   = cred->uid;
-        context->gid   = cred->gid;
-        context->euid  = cred->euid;
-        context->suid  = cred->suid;
-        context->fsuid = cred->fsuid;
-        context->egid  = cred->egid;
-        context->sgid  = cred->sgid;
-        context->fsgid = cred->fsgid;
        context->personality = tsk->personality;
        ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
@@ -1614,37 +1633,13 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                                 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
                                 context->return_code);
-        spin_lock_irq(&tsk->sighand->siglock);
-        if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
-                tty = tsk->signal->tty->name;
-        else
-                tty = "(none)";
-        spin_unlock_irq(&tsk->sighand->siglock);
        audit_log_format(ab,
-                  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
+                         " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
-                  " ppid=%d pid=%d auid=%u uid=%u gid=%u"
+                         context->argv[0],
-                  " euid=%u suid=%u fsuid=%u"
+                         context->argv[1],
-                  " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
+                         context->argv[2],
-                  context->argv[0],
+                         context->argv[3],
-                  context->argv[1],
+                         context->name_count);
-                  context->argv[2],
-                  context->argv[3],
-                  context->name_count,
-                  context->ppid,
-                  context->pid,
-                  from_kuid(&init_user_ns, tsk->loginuid),
-                  from_kuid(&init_user_ns, context->uid),
-                  from_kgid(&init_user_ns, context->gid),
-                  from_kuid(&init_user_ns, context->euid),
-                  from_kuid(&init_user_ns, context->suid),
-                  from_kuid(&init_user_ns, context->fsuid),
-                  from_kgid(&init_user_ns, context->egid),
-                  from_kgid(&init_user_ns, context->sgid),
-                  from_kgid(&init_user_ns, context->fsgid),
-                  tty,
-                  tsk->sessionid);
        audit_log_task_info(ab, tsk);
        audit_log_key(ab, context->filterkey);
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index a232bb59d93f..1f5e55dda955 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -180,7 +180,8 @@ static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
                return has_ns_capability(current, ns, CAP_SYS_PTRACE);
 }
-int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+/* Returns 0 on success, -errno on denial. */
+static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 {
        const struct cred *cred = current_cred(), *tcred;
author	Linus Torvalds <torvalds@linux-foundation.org>	2012-10-03 00:38:48 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2012-10-03 00:38:48 -0400
commit	88265322c14cce39f7afbc416726ef4fac413298 (patch)
tree	e4956f905ef617971f87788d8f8a09dbb66b70a3 /kernel
parent	65b99c74fdd325d1ffa2e5663295888704712604 (diff)
parent	bf5308344527d015ac9a6d2bda4ad4d40fd7d943 (diff)