Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
 "In this update, Smack learns to love IPv6 and to mount a filesystem
  with a transmutable hierarchy (i.e.  security labels are inherited
  from parent directory upon creation rather than creating process).

  The rest of the changes are maintenance"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (37 commits)
  tpm/tpm_i2c_infineon: Remove unused header file
  tpm: tpm_i2c_infinion: Don't modify i2c_client->driver
  evm: audit integrity metadata failures
  integrity: move integrity_audit_msg()
  evm: calculate HMAC after initializing posix acl on tmpfs
  maintainers:  add Dmitry Kasatkin
  Smack: Fix the bug smackcipso can't set CIPSO correctly
  Smack: Fix possible NULL pointer dereference at smk_netlbl_mls()
  Smack: Add smkfstransmute mount option
  Smack: Improve access check performance
  Smack: Local IPv6 port based controls
  tpm: fix regression caused by section type conflict of tpm_dev_release() in ppc builds
  maintainers: Remove Kent from maintainers
  tpm: move TPM_DIGEST_SIZE defintion
  tpm_tis: missing platform_driver_unregister() on error in init_tis()
  security: clarify cap_inode_getsecctx description
  apparmor: no need to delay vfree()
  apparmor: fix fully qualified name parsing
  apparmor: fix setprocattr arg processing for onexec
  apparmor: localize getting the security context to a few macros
  ...

1 files changed, 64 insertions, 0 deletions

diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
new file mode 100644
index 000000000000..d7efb30404aa
--- /dev/null
+++ b/security/integrity/integrity_audit.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2008 IBM Corporation
+ * Author: Mimi Zohar <zohar@us.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2 of the License.
+ *
+ * File: integrity_audit.c
+ *      Audit calls for the integrity subsystem
+ */
+
+#include <linux/fs.h>
+#include <linux/gfp.h>
+#include <linux/audit.h>
+#include "integrity.h"
+
+static int integrity_audit_info;
+
+/* ima_audit_setup - enable informational auditing messages */
+static int __init integrity_audit_setup(char *str)
+{
+        unsigned long audit;
+
+        if (!strict_strtoul(str, 0, &audit))
+                integrity_audit_info = audit ? 1 : 0;
+        return 1;
+}
+__setup("integrity_audit=", integrity_audit_setup);
+
+void integrity_audit_msg(int audit_msgno, struct inode *inode,
+                         const unsigned char *fname, const char *op,
+                         const char *cause, int result, int audit_info)
+{
+        struct audit_buffer *ab;
+
+        if (!integrity_audit_info && audit_info == 1)   /* Skip info messages */
+                return;
+
+        ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
+        audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u",
+                         current->pid,
+                         from_kuid(&init_user_ns, current_cred()->uid),
+                         from_kuid(&init_user_ns, audit_get_loginuid(current)),
+                         audit_get_sessionid(current));
+        audit_log_task_context(ab);
+        audit_log_format(ab, " op=");
+        audit_log_string(ab, op);
+        audit_log_format(ab, " cause=");
+        audit_log_string(ab, cause);
+        audit_log_format(ab, " comm=");
+        audit_log_untrustedstring(ab, current->comm);
+        if (fname) {
+                audit_log_format(ab, " name=");
+                audit_log_untrustedstring(ab, fname);
+        }
+        if (inode) {
+                audit_log_format(ab, " dev=");
+                audit_log_untrustedstring(ab, inode->i_sb->s_id);
+                audit_log_format(ab, " ino=%lu", inode->i_ino);
+        }
+        audit_log_format(ab, " res=%d", !result);
+        audit_log_end(ab);
+}