diff options
| author | James Morris <james.l.morris@oracle.com> | 2014-11-19 05:32:12 -0500 |
|---|---|---|
| committer | James Morris <james.l.morris@oracle.com> | 2014-11-19 05:32:12 -0500 |
| commit | b10778a00d40b3d9fdaaf5891e802794781ff71c (patch) | |
| tree | 6ba4cbac86eecedc3f30650e7f764ecf00c83898 /security | |
| parent | 594081ee7145cc30a3977cb4e218f81213b63dc5 (diff) | |
| parent | bfe01a5ba2490f299e1d2d5508cbbbadd897bbe9 (diff) | |
Merge commit 'v3.17' into next
Diffstat (limited to 'security')
| -rw-r--r-- | security/device_cgroup.c | 2 | ||||
| -rw-r--r-- | security/keys/gc.c | 11 | ||||
| -rw-r--r-- | security/keys/key.c | 4 | ||||
| -rw-r--r-- | security/keys/request_key.c | 23 | ||||
| -rw-r--r-- | security/selinux/netif.c | 4 | ||||
| -rw-r--r-- | security/selinux/netnode.c | 3 | ||||
| -rw-r--r-- | security/selinux/netport.c | 3 | ||||
| -rw-r--r-- | security/tomoyo/audit.c | 8 | ||||
| -rw-r--r-- | security/tomoyo/common.c | 4 | ||||
| -rw-r--r-- | security/tomoyo/realpath.c | 5 |
10 files changed, 17 insertions, 50 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c index d9d69e6930ed..188c1d26393b 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c | |||
| @@ -796,7 +796,7 @@ struct cgroup_subsys devices_cgrp_subsys = { | |||
| 796 | .css_free = devcgroup_css_free, | 796 | .css_free = devcgroup_css_free, |
| 797 | .css_online = devcgroup_online, | 797 | .css_online = devcgroup_online, |
| 798 | .css_offline = devcgroup_offline, | 798 | .css_offline = devcgroup_offline, |
| 799 | .base_cftypes = dev_cgroup_files, | 799 | .legacy_cftypes = dev_cgroup_files, |
| 800 | }; | 800 | }; |
| 801 | 801 | ||
| 802 | /** | 802 | /** |
diff --git a/security/keys/gc.c b/security/keys/gc.c index d3222b6d7d59..9609a7f0faea 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c | |||
| @@ -92,15 +92,6 @@ static void key_gc_timer_func(unsigned long data) | |||
| 92 | } | 92 | } |
| 93 | 93 | ||
| 94 | /* | 94 | /* |
| 95 | * wait_on_bit() sleep function for uninterruptible waiting | ||
| 96 | */ | ||
| 97 | static int key_gc_wait_bit(void *flags) | ||
| 98 | { | ||
| 99 | schedule(); | ||
| 100 | return 0; | ||
| 101 | } | ||
| 102 | |||
| 103 | /* | ||
| 104 | * Reap keys of dead type. | 95 | * Reap keys of dead type. |
| 105 | * | 96 | * |
| 106 | * We use three flags to make sure we see three complete cycles of the garbage | 97 | * We use three flags to make sure we see three complete cycles of the garbage |
| @@ -123,7 +114,7 @@ void key_gc_keytype(struct key_type *ktype) | |||
| 123 | schedule_work(&key_gc_work); | 114 | schedule_work(&key_gc_work); |
| 124 | 115 | ||
| 125 | kdebug("sleep"); | 116 | kdebug("sleep"); |
| 126 | wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE, key_gc_wait_bit, | 117 | wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE, |
| 127 | TASK_UNINTERRUPTIBLE); | 118 | TASK_UNINTERRUPTIBLE); |
| 128 | 119 | ||
| 129 | key_gc_dead_keytype = NULL; | 120 | key_gc_dead_keytype = NULL; |
diff --git a/security/keys/key.c b/security/keys/key.c index 8c0092ca0443..e17ba6aefdc0 100644 --- a/security/keys/key.c +++ b/security/keys/key.c | |||
| @@ -27,8 +27,8 @@ DEFINE_SPINLOCK(key_serial_lock); | |||
| 27 | struct rb_root key_user_tree; /* tree of quota records indexed by UID */ | 27 | struct rb_root key_user_tree; /* tree of quota records indexed by UID */ |
| 28 | DEFINE_SPINLOCK(key_user_lock); | 28 | DEFINE_SPINLOCK(key_user_lock); |
| 29 | 29 | ||
| 30 | unsigned int key_quota_root_maxkeys = 200; /* root's key count quota */ | 30 | unsigned int key_quota_root_maxkeys = 1000000; /* root's key count quota */ |
| 31 | unsigned int key_quota_root_maxbytes = 20000; /* root's key space quota */ | 31 | unsigned int key_quota_root_maxbytes = 25000000; /* root's key space quota */ |
| 32 | unsigned int key_quota_maxkeys = 200; /* general key count quota */ | 32 | unsigned int key_quota_maxkeys = 200; /* general key count quota */ |
| 33 | unsigned int key_quota_maxbytes = 20000; /* general key space quota */ | 33 | unsigned int key_quota_maxbytes = 20000; /* general key space quota */ |
| 34 | 34 | ||
diff --git a/security/keys/request_key.c b/security/keys/request_key.c index dc6ed32b7844..bb4337c7ae1b 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c | |||
| @@ -21,24 +21,6 @@ | |||
| 21 | 21 | ||
| 22 | #define key_negative_timeout 60 /* default timeout on a negative key's existence */ | 22 | #define key_negative_timeout 60 /* default timeout on a negative key's existence */ |
| 23 | 23 | ||
| 24 | /* | ||
| 25 | * wait_on_bit() sleep function for uninterruptible waiting | ||
| 26 | */ | ||
| 27 | static int key_wait_bit(void *flags) | ||
| 28 | { | ||
| 29 | schedule(); | ||
| 30 | return 0; | ||
| 31 | } | ||
| 32 | |||
| 33 | /* | ||
| 34 | * wait_on_bit() sleep function for interruptible waiting | ||
| 35 | */ | ||
| 36 | static int key_wait_bit_intr(void *flags) | ||
| 37 | { | ||
| 38 | schedule(); | ||
| 39 | return signal_pending(current) ? -ERESTARTSYS : 0; | ||
| 40 | } | ||
| 41 | |||
| 42 | /** | 24 | /** |
| 43 | * complete_request_key - Complete the construction of a key. | 25 | * complete_request_key - Complete the construction of a key. |
| 44 | * @cons: The key construction record. | 26 | * @cons: The key construction record. |
| @@ -603,10 +585,9 @@ int wait_for_key_construction(struct key *key, bool intr) | |||
| 603 | int ret; | 585 | int ret; |
| 604 | 586 | ||
| 605 | ret = wait_on_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT, | 587 | ret = wait_on_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT, |
| 606 | intr ? key_wait_bit_intr : key_wait_bit, | ||
| 607 | intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE); | 588 | intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE); |
| 608 | if (ret < 0) | 589 | if (ret) |
| 609 | return ret; | 590 | return -ERESTARTSYS; |
| 610 | if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) { | 591 | if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) { |
| 611 | smp_rmb(); | 592 | smp_rmb(); |
| 612 | return key->type_data.reject_error; | 593 | return key->type_data.reject_error; |
diff --git a/security/selinux/netif.c b/security/selinux/netif.c index 485524c477a4..e607b4473ef6 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c | |||
| @@ -275,7 +275,7 @@ static struct notifier_block sel_netif_netdev_notifier = { | |||
| 275 | 275 | ||
| 276 | static __init int sel_netif_init(void) | 276 | static __init int sel_netif_init(void) |
| 277 | { | 277 | { |
| 278 | int i, err; | 278 | int i; |
| 279 | 279 | ||
| 280 | if (!selinux_enabled) | 280 | if (!selinux_enabled) |
| 281 | return 0; | 281 | return 0; |
| @@ -285,7 +285,7 @@ static __init int sel_netif_init(void) | |||
| 285 | 285 | ||
| 286 | register_netdevice_notifier(&sel_netif_netdev_notifier); | 286 | register_netdevice_notifier(&sel_netif_netdev_notifier); |
| 287 | 287 | ||
| 288 | return err; | 288 | return 0; |
| 289 | } | 289 | } |
| 290 | 290 | ||
| 291 | __initcall(sel_netif_init); | 291 | __initcall(sel_netif_init); |
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index ddf315260839..da923f89d2a9 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c | |||
| @@ -303,7 +303,6 @@ void sel_netnode_flush(void) | |||
| 303 | static __init int sel_netnode_init(void) | 303 | static __init int sel_netnode_init(void) |
| 304 | { | 304 | { |
| 305 | int iter; | 305 | int iter; |
| 306 | int ret; | ||
| 307 | 306 | ||
| 308 | if (!selinux_enabled) | 307 | if (!selinux_enabled) |
| 309 | return 0; | 308 | return 0; |
| @@ -313,7 +312,7 @@ static __init int sel_netnode_init(void) | |||
| 313 | sel_netnode_hash[iter].size = 0; | 312 | sel_netnode_hash[iter].size = 0; |
| 314 | } | 313 | } |
| 315 | 314 | ||
| 316 | return ret; | 315 | return 0; |
| 317 | } | 316 | } |
| 318 | 317 | ||
| 319 | __initcall(sel_netnode_init); | 318 | __initcall(sel_netnode_init); |
diff --git a/security/selinux/netport.c b/security/selinux/netport.c index 73ac6784d091..3311cc393cb4 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c | |||
| @@ -237,7 +237,6 @@ void sel_netport_flush(void) | |||
| 237 | static __init int sel_netport_init(void) | 237 | static __init int sel_netport_init(void) |
| 238 | { | 238 | { |
| 239 | int iter; | 239 | int iter; |
| 240 | int ret; | ||
| 241 | 240 | ||
| 242 | if (!selinux_enabled) | 241 | if (!selinux_enabled) |
| 243 | return 0; | 242 | return 0; |
| @@ -247,7 +246,7 @@ static __init int sel_netport_init(void) | |||
| 247 | sel_netport_hash[iter].size = 0; | 246 | sel_netport_hash[iter].size = 0; |
| 248 | } | 247 | } |
| 249 | 248 | ||
| 250 | return ret; | 249 | return 0; |
| 251 | } | 250 | } |
| 252 | 251 | ||
| 253 | __initcall(sel_netport_init); | 252 | __initcall(sel_netport_init); |
diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c index c1b00375c9ad..3ffa4f5509d8 100644 --- a/security/tomoyo/audit.c +++ b/security/tomoyo/audit.c | |||
| @@ -155,11 +155,9 @@ static char *tomoyo_print_header(struct tomoyo_request_info *r) | |||
| 155 | u8 i; | 155 | u8 i; |
| 156 | if (!buffer) | 156 | if (!buffer) |
| 157 | return NULL; | 157 | return NULL; |
| 158 | { | 158 | |
| 159 | struct timeval tv; | 159 | tomoyo_convert_time(get_seconds(), &stamp); |
| 160 | do_gettimeofday(&tv); | 160 | |
| 161 | tomoyo_convert_time(tv.tv_sec, &stamp); | ||
| 162 | } | ||
| 163 | pos = snprintf(buffer, tomoyo_buffer_len - 1, | 161 | pos = snprintf(buffer, tomoyo_buffer_len - 1, |
| 164 | "#%04u/%02u/%02u %02u:%02u:%02u# profile=%u mode=%s " | 162 | "#%04u/%02u/%02u %02u:%02u:%02u# profile=%u mode=%s " |
| 165 | "granted=%s (global-pid=%u) task={ pid=%u ppid=%u " | 163 | "granted=%s (global-pid=%u) task={ pid=%u ppid=%u " |
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 283862aebdc8..e0fb75052550 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c | |||
| @@ -2267,13 +2267,11 @@ static unsigned int tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT]; | |||
| 2267 | */ | 2267 | */ |
| 2268 | void tomoyo_update_stat(const u8 index) | 2268 | void tomoyo_update_stat(const u8 index) |
| 2269 | { | 2269 | { |
| 2270 | struct timeval tv; | ||
| 2271 | do_gettimeofday(&tv); | ||
| 2272 | /* | 2270 | /* |
| 2273 | * I don't use atomic operations because race condition is not fatal. | 2271 | * I don't use atomic operations because race condition is not fatal. |
| 2274 | */ | 2272 | */ |
| 2275 | tomoyo_stat_updated[index]++; | 2273 | tomoyo_stat_updated[index]++; |
| 2276 | tomoyo_stat_modified[index] = tv.tv_sec; | 2274 | tomoyo_stat_modified[index] = get_seconds(); |
| 2277 | } | 2275 | } |
| 2278 | 2276 | ||
| 2279 | /** | 2277 | /** |
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index a3386d119425..bed745c8b1a3 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c | |||
| @@ -173,7 +173,7 @@ static char *tomoyo_get_local_path(struct dentry *dentry, char * const buffer, | |||
| 173 | * Use filesystem name if filesystem does not support rename() | 173 | * Use filesystem name if filesystem does not support rename() |
| 174 | * operation. | 174 | * operation. |
| 175 | */ | 175 | */ |
| 176 | if (!inode->i_op->rename) | 176 | if (!inode->i_op->rename && !inode->i_op->rename2) |
| 177 | goto prepend_filesystem_name; | 177 | goto prepend_filesystem_name; |
| 178 | } | 178 | } |
| 179 | /* Prepend device name. */ | 179 | /* Prepend device name. */ |
| @@ -282,7 +282,8 @@ char *tomoyo_realpath_from_path(struct path *path) | |||
| 282 | * Get local name for filesystems without rename() operation | 282 | * Get local name for filesystems without rename() operation |
| 283 | * or dentry without vfsmount. | 283 | * or dentry without vfsmount. |
| 284 | */ | 284 | */ |
| 285 | if (!path->mnt || !inode->i_op->rename) | 285 | if (!path->mnt || |
| 286 | (!inode->i_op->rename && !inode->i_op->rename2)) | ||
| 286 | pos = tomoyo_get_local_path(path->dentry, buf, | 287 | pos = tomoyo_get_local_path(path->dentry, buf, |
| 287 | buf_len - 1); | 288 | buf_len - 1); |
| 288 | /* Get absolute name for the rest. */ | 289 | /* Get absolute name for the rest. */ |