Diffstat (limited to 'include')
-rw-r--r--include/crypto/pkcs7.h36
-rw-r--r--include/crypto/public_key.h4
-rw-r--r--include/keys/big_key-type.h3
-rw-r--r--include/keys/system_keyring.h10
-rw-r--r--include/keys/user-type.h3
-rw-r--r--include/linux/capability.h5
-rw-r--r--include/linux/ima.h6
-rw-r--r--include/linux/key-type.h5
-rw-r--r--include/linux/key.h2
-rw-r--r--include/linux/oid_registry.h8
-rw-r--r--include/linux/pe.h448
-rw-r--r--include/linux/sched.h18
-rw-r--r--include/linux/seccomp.h8
-rw-r--r--include/linux/security.h17
-rw-r--r--include/linux/syscalls.h2
-rw-r--r--include/linux/tpm.h3
-rw-r--r--include/linux/verify_pefile.h18
-rw-r--r--include/net/netlabel.h94
-rw-r--r--include/uapi/asm-generic/unistd.h4
-rw-r--r--include/uapi/linux/seccomp.h7
20 files changed, 647 insertions, 54 deletions
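--- /dev/null
+++ b/include/crypto/pkcs7.h
@@ -0,0 +1,36 @@
+/* PKCS#7 crypto data parser
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+struct key;
+struct pkcs7_message;
+
+/*
+ * pkcs7_parser.c
+ */
+extern struct pkcs7_message *pkcs7_parse_message(const void *data,
+ size_t datalen);
+extern void pkcs7_free_message(struct pkcs7_message *pkcs7);
+
+extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
+ const void **_data, size_t *_datalen,
+ bool want_wrapper);
+
+/*
+ * pkcs7_trust.c
+ */
+extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
+ struct key *trust_keyring,
+ bool *_trusted);
+
+/*
+ * pkcs7_verify.c
+ */
+extern int pkcs7_verify(struct pkcs7_message *pkcs7);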
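Review bot: The new header has no include guard, so a translation unit that reaches it twice (directly and through another header) gets duplicate prototypes; wrap it in `#ifndef _CRYPTO_PKCS7_H` / `#define _CRYPTO_PKCS7_H` ... `#endif`, as the sibling public_key.h does with `_LINUX_PUBLIC_KEY_H`. It also uses `size_t` and `bool` without including `<linux/types.h>`, so it only compiles when the includer happened to pull that in first. A one-line comment on `pkcs7_validate_trust` saying what `*_trusted` reports, and whether it is written on the error path, would spare callers a trip into pkcs7_trust.c, which is not part of this diff.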
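--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -98,4 +98,8 @@ struct key;
 extern int verify_signature(const struct key *key,
 const struct public_key_signature *sig);
 
+extern struct key *x509_request_asymmetric_key(struct key *keyring,
+ const char *issuer,
+ const char *key_id);
+
 #endif /* _LINUX_PUBLIC_KEY_H */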
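Review bot: `x509_request_asymmetric_key` returns a `struct key *` with no statement of ownership or error convention, and since callers on the signature-verification path will act on that key, an unreleased or dangling reference here is a real risk. Add a comment above the declaration such as `/* Returns a referenced key that the caller must key_put(), or an ERR_PTR() on failure */`, after checking the implementation, which is not in this diff, for which convention it actually follows. It would also help to say whether `issuer` and `key_id` are matched exactly or as a prefix, since that decides how narrowly a trust lookup can be constrained.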
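--- a/include/keys/big_key-type.h
+++ b/include/keys/big_key-type.h
@@ -16,7 +16,8 @@
 
 extern struct key_type key_type_big_key;
 
-extern int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep);
+extern int big_key_preparse(struct key_preparsed_payload *prep);
+extern void big_key_free_preparse(struct key_preparsed_payload *prep);
 extern void big_key_revoke(struct key *key);
 extern void big_key_destroy(struct key *key);
 extern void big_key_describe(const struct key *big_key, struct seq_file *m);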
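Review bot: The new `big_key_preparse`/`big_key_free_preparse` pair says nothing about who owns `prep->payload` between the two calls, and the same gap exists for the matching `user_preparse`/`user_free_preparse` pair in include/keys/user-type.h. Preparse runs on userspace-supplied payload bytes before any key object exists, so an unstated contract here is exactly where a leak or double free of the preparsed buffer would hide on the error path. I would put one comment above each pair, along the lines of `/* preparse allocates into prep->payload; free_preparse is the only release path when instantiate is never reached */`, adjusted to what the implementations actually do, since they are outside this diff.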
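--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -17,7 +17,15 @@
 #include <linux/key.h>
 
 extern struct key *system_trusted_keyring;
-
+static inline struct key *get_system_trusted_keyring(void)
+{
+ return system_trusted_keyring;
+}
+#else
+static inline struct key *get_system_trusted_keyring(void)
+{
+ return NULL;
+}
 #endif
 
 #endif /* _KEYS_SYSTEM_KEYRING_H */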
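Review bot: `get_system_trusted_keyring` hands back `system_trusted_keyring` without taking a reference and returns NULL in the `#else` branch, but neither fact is stated at the definition. A caller that does `key_put()` on the result, or that dereferences it without a NULL check when the keyring is configured out, will misbehave in a way this header could have prevented. Add `/* Borrowed pointer: do not key_put(); NULL when the system keyring is not configured */` above the first definition. The `#ifdef` that this `#else` pairs with sits above the hunk, so the exact config symbol should be named from there.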
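--- a/include/keys/user-type.h
+++ b/include/keys/user-type.h
@@ -37,7 +37,8 @@ extern struct key_type key_type_logon;
 
 struct key_preparsed_payload;
 
-extern int user_instantiate(struct key *key, struct key_preparsed_payload *prep);
+extern int user_preparse(struct key_preparsed_payload *prep);
+extern void user_free_preparse(struct key_preparsed_payload *prep);
 extern int user_update(struct key *key, struct key_preparsed_payload *prep);
 extern int user_match(const struct key *key, const void *criterion);
 extern void user_revoke(struct key *key);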
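--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -78,8 +78,11 @@ extern const kernel_cap_t __cap_init_eff_set;
 # error Fix up hand-coded capability macro initializers
 #else /* HAND-CODED capability initializers */
 
+#define CAP_LAST_U32 ((_KERNEL_CAPABILITY_U32S) - 1)
+#define CAP_LAST_U32_VALID_MASK (CAP_TO_MASK(CAP_LAST_CAP + 1) -1)
+
 # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
-# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
+# define CAP_FULL_SET ((kernel_cap_t){{ ~0, CAP_LAST_U32_VALID_MASK }})
 # define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
 | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
 CAP_FS_MASK_B1 } })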
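Review bot: `CAP_LAST_U32_VALID_MASK` collapses to 0 whenever `CAP_LAST_CAP + 1` is a multiple of 32, because `CAP_TO_MASK` takes the bit index modulo the word width, giving `1 - 1`; on that day `CAP_FULL_SET` would silently lose every capability in the last word rather than gaining the new one. The boundary is worth a compile-time check next to the definition rather than trust in the current value of `CAP_LAST_CAP`: `#if ((CAP_LAST_CAP + 1) % 32) == 0` / `# error CAP_LAST_U32_VALID_MASK cannot express a full last word` / `#endif`. The `#if` chain this `#else` belongs to starts above the hunk.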
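--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -19,6 +19,7 @@ extern int ima_file_check(struct file *file, int mask);
 extern void ima_file_free(struct file *file);
 extern int ima_file_mmap(struct file *file, unsigned long prot);
 extern int ima_module_check(struct file *file);
+extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
 
 #else
 static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -46,6 +47,11 @@ static inline int ima_module_check(struct file *file)
 return 0;
 }
 
+static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
+{
+ return 0;
+}
+
 #endif /* CONFIG_IMA */
 
 #ifdef CONFIG_IMA_APPRAISE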
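Review bot: The new `ima_fw_from_file` prototype gives no hint that `file` can be NULL, yet the `@kernel_fw_from_file` documentation added to include/linux/security.h in this same commit says it is NULL when firmware arrives through the CONFIG_FW_LOADER_USER_HELPER blob path. An IMA implementation that unconditionally dereferences `file` would therefore crash on that path, so carry the caveat here: `/* @file may be NULL (user-helper blob path); @buf/@size are then the only copy of the contents */`. The CONFIG_IMA-off stub returning 0 is consistent with the other stubs in this `#else` block.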
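--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -41,10 +41,11 @@ struct key_construction {
 struct key_preparsed_payload {
  char *description; /* Proposed key description (or NULL) */
  void *type_data[2]; /* Private key-type data */
- void *payload; /* Proposed payload */
+ void *payload[2]; /* Proposed payload */
  const void *data; /* Raw data */
  size_t datalen; /* Raw datalen */
  size_t quotalen; /* Quota length for proposed payload */
+ time_t expiry; /* Expiry time of key */
  bool trusted; /* True if key is trusted */
 };
 
@@ -159,5 +160,7 @@ static inline int key_negate_and_link(struct key *key,
  return key_reject_and_link(key, timeout, ENOKEY, keyring, instkey);
 }
 
+extern int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep);
+
 #endif /* CONFIG_KEYS */
 #endif /* _LINUX_KEY_TYPE_H */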
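Review bot: The new `expiry` field in `struct key_preparsed_payload` does not say which value means "no expiry", so every key type that leaves it untouched depends on the core treating the zeroed default that way, and a type that fills it wrongly would produce keys with the wrong lifetime. A comment such as `/* Expiry time of key (0 = never expires) */` pins that down, once checked against the code that consumes the field, which is outside this diff. Likewise `void *payload[2]` replaces a single pointer with no note on what each slot holds; the comment should name the slots or point at the per-type convention. `generic_key_instantiate` is declared bare; one line on what it moves from `prep` into the key would help implementers of the new preparse hooks.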
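--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -170,6 +170,8 @@ struct key {
 #define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
 #define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
 #define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */
+#define KEY_FLAG_BUILTIN 10 /* set if key is builtin */
+#define KEY_FLAG_ROOT_CAN_INVAL 11 /* set if key can be invalidated by root without permission */
 
  /* the key type and key description string
  * - the desc is used to match a key against search criteria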
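Review bot: `KEY_FLAG_ROOT_CAN_INVAL` is a permission-bypass flag, and its comment says only "by root without permission"; it should name the exact credential test that "root" stands for (uid 0 versus a capability check), because that decides who may invalidate keys carrying the flag. The check itself lives in the keyctl invalidate path, outside this diff, so the wording should be copied from there, e.g. `/* set if a caller passing <the privilege check used by keyctl invalidate> may invalidate the key without holding permission on it */` with the placeholder replaced. Stating in the same comment which code is allowed to set the flag would close the other half of the boundary.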
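--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -52,9 +52,15 @@ enum OID {
  OID_md4, /* 1.2.840.113549.2.4 */
  OID_md5, /* 1.2.840.113549.2.5 */
 
- OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
+ /* Microsoft Authenticode & Software Publishing */
+ OID_msIndirectData, /* 1.3.6.1.4.1.311.2.1.4 */
+ OID_msPeImageDataObjId, /* 1.3.6.1.4.1.311.2.1.15 */
+ OID_msIndividualSPKeyPurpose, /* 1.3.6.1.4.1.311.2.1.21 */
  OID_msOutlookExpress, /* 1.3.6.1.4.1.311.16.4 */
+
+ OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
  OID_sha1, /* 1.3.14.3.2.26 */
+ OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
 
  /* Distinguished Name attribute IDs [RFC 2256] */
  OID_commonName, /* 2.5.4.3 */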
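Review bot: Inserting `OID_msIndirectData` and the following entries ahead of `OID_msOutlookExpress`, and moving `OID_certAuthInfoAccess`, renumbers every later enumerator in `enum OID`, including `OID_sha1` and the DN attribute values. That is harmless only if the OID lookup table is regenerated from this header in the same build and nothing stores or compares these enumerator values across builds; the generator is not in this diff, so that assumption deserves a check. A short comment at the head of the enum, `/* Values are build-generated indices: never persist or compare them across kernel builds */`, would make the expectation explicit. The enum opens above the hunk.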
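--- /dev/null
+++ b/include/linux/pe.h
@@ -0,0 +1,448 @@
+/*
+ * Copyright 2011 Red Hat, Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author(s): Peter Jones <pjones@redhat.com>
+ */
+#ifndef __LINUX_PE_H
+#define __LINUX_PE_H
+
+#include <linux/types.h>
+
+#define MZ_MAGIC 0x5a4d /* "MZ" */
+
+struct mz_hdr {
+ uint16_t magic; /* MZ_MAGIC */
+ uint16_t lbsize; /* size of last used block */
+ uint16_t blocks; /* pages in file, 0x3 */
+ uint16_t relocs; /* relocations */
+ uint16_t hdrsize; /* header size in "paragraphs" */
+ uint16_t min_extra_pps; /* .bss */
+ uint16_t max_extra_pps; /* runtime limit for the arena size */
+ uint16_t ss; /* relative stack segment */
+ uint16_t sp; /* initial %sp register */
+ uint16_t checksum; /* word checksum */
+ uint16_t ip; /* initial %ip register */
+ uint16_t cs; /* initial %cs relative to load segment */
+ uint16_t reloc_table_offset; /* offset of the first relocation */
+ uint16_t overlay_num; /* overlay number. set to 0. */
+ uint16_t reserved0[4]; /* reserved */
+ uint16_t oem_id; /* oem identifier */
+ uint16_t oem_info; /* oem specific */
+ uint16_t reserved1[10]; /* reserved */
+ uint32_t peaddr; /* address of pe header */
+ char message[64]; /* message to print */
+};
+
+struct mz_reloc {
+ uint16_t offset;
+ uint16_t segment;
+};
+
+#define PE_MAGIC 0x00004550 /* "PE\0\0" */
+#define PE_OPT_MAGIC_PE32 0x010b
+#define PE_OPT_MAGIC_PE32_ROM 0x0107
+#define PE_OPT_MAGIC_PE32PLUS 0x020b
+
+/* machine type */
+#define IMAGE_FILE_MACHINE_UNKNOWN 0x0000
+#define IMAGE_FILE_MACHINE_AM33 0x01d3
+#define IMAGE_FILE_MACHINE_AMD64 0x8664
+#define IMAGE_FILE_MACHINE_ARM 0x01c0
+#define IMAGE_FILE_MACHINE_ARMV7 0x01c4
+#define IMAGE_FILE_MACHINE_EBC 0x0ebc
+#define IMAGE_FILE_MACHINE_I386 0x014c
+#define IMAGE_FILE_MACHINE_IA64 0x0200
+#define IMAGE_FILE_MACHINE_M32R 0x9041
+#define IMAGE_FILE_MACHINE_MIPS16 0x0266
+#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366
+#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466
+#define IMAGE_FILE_MACHINE_POWERPC 0x01f0
+#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
+#define IMAGE_FILE_MACHINE_R4000 0x0166
+#define IMAGE_FILE_MACHINE_SH3 0x01a2
+#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
+#define IMAGE_FILE_MACHINE_SH3E 0x01a4
+#define IMAGE_FILE_MACHINE_SH4 0x01a6
+#define IMAGE_FILE_MACHINE_SH5 0x01a8
+#define IMAGE_FILE_MACHINE_THUMB 0x01c2
+#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169
+
+/* flags */
+#define IMAGE_FILE_RELOCS_STRIPPED 0x0001
+#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002
+#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004
+#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008
+#define IMAGE_FILE_AGGRESSIVE_WS_TRIM 0x0010
+#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020
+#define IMAGE_FILE_16BIT_MACHINE 0x0040
+#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080
+#define IMAGE_FILE_32BIT_MACHINE 0x0100
+#define IMAGE_FILE_DEBUG_STRIPPED 0x0200
+#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400
+#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800
+#define IMAGE_FILE_SYSTEM 0x1000
+#define IMAGE_FILE_DLL 0x2000
+#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000
+#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000
+
+struct pe_hdr {
+ uint32_t magic; /* PE magic */
+ uint16_t machine; /* machine type */
+ uint16_t sections; /* number of sections */
+ uint32_t timestamp; /* time_t */
+ uint32_t symbol_table; /* symbol table offset */
+ uint32_t symbols; /* number of symbols */
+ uint16_t opt_hdr_size; /* size of optional header */
+ uint16_t flags; /* flags */
+};
+
+#define IMAGE_FILE_OPT_ROM_MAGIC 0x107
+#define IMAGE_FILE_OPT_PE32_MAGIC 0x10b
+#define IMAGE_FILE_OPT_PE32_PLUS_MAGIC 0x20b
+
+#define IMAGE_SUBSYSTEM_UNKNOWN 0
+#define IMAGE_SUBSYSTEM_NATIVE 1
+#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2
+#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3
+#define IMAGE_SUBSYSTEM_POSIX_CUI 7
+#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9
+#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10
+#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11
+#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12
+#define IMAGE_SUBSYSTEM_EFI_ROM_IMAGE 13
+#define IMAGE_SUBSYSTEM_XBOX 14
+
+#define IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE 0x0040
+#define IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY 0x0080
+#define IMAGE_DLL_CHARACTERISTICS_NX_COMPAT 0x0100
+#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200
+#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400
+#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800
+#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000
+#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
+
+/* the fact that pe32 isn't padded where pe32+ is 64-bit means union won't
+ * work right. vomit. */
+struct pe32_opt_hdr {
+ /* "standard" header */
+ uint16_t magic; /* file type */
+ uint8_t ld_major; /* linker major version */
+ uint8_t ld_minor; /* linker minor version */
+ uint32_t text_size; /* size of text section(s) */
+ uint32_t data_size; /* size of data section(s) */
+ uint32_t bss_size; /* size of bss section(s) */
+ uint32_t entry_point; /* file offset of entry point */
+ uint32_t code_base; /* relative code addr in ram */
+ uint32_t data_base; /* relative data addr in ram */
+ /* "windows" header */
+ uint32_t image_base; /* preferred load address */
+ uint32_t section_align; /* alignment in bytes */
+ uint32_t file_align; /* file alignment in bytes */
+ uint16_t os_major; /* major OS version */
+ uint16_t os_minor; /* minor OS version */
+ uint16_t image_major; /* major image version */
+ uint16_t image_minor; /* minor image version */
+ uint16_t subsys_major; /* major subsystem version */
+ uint16_t subsys_minor; /* minor subsystem version */
+ uint32_t win32_version; /* reserved, must be 0 */
+ uint32_t image_size; /* image size */
+ uint32_t header_size; /* header size rounded up to
+ file_align */
+ uint32_t csum; /* checksum */
+ uint16_t subsys; /* subsystem */
+ uint16_t dll_flags; /* more flags! */
+ uint32_t stack_size_req;/* amt of stack requested */
+ uint32_t stack_size; /* amt of stack required */
+ uint32_t heap_size_req; /* amt of heap requested */
+ uint32_t heap_size; /* amt of heap required */
+ uint32_t loader_flags; /* reserved, must be 0 */
+ uint32_t data_dirs; /* number of data dir entries */
+};
+
+struct pe32plus_opt_hdr {
+ uint16_t magic; /* file type */
+ uint8_t ld_major; /* linker major version */
+ uint8_t ld_minor; /* linker minor version */
+ uint32_t text_size; /* size of text section(s) */
+ uint32_t data_size; /* size of data section(s) */
+ uint32_t bss_size; /* size of bss section(s) */
+ uint32_t entry_point; /* file offset of entry point */
+ uint32_t code_base; /* relative code addr in ram */
+ /* "windows" header */
+ uint64_t image_base; /* preferred load address */
+ uint32_t section_align; /* alignment in bytes */
+ uint32_t file_align; /* file alignment in bytes */
+ uint16_t os_major; /* major OS version */
+ uint16_t os_minor; /* minor OS version */
+ uint16_t image_major; /* major image version */
+ uint16_t image_minor; /* minor image version */
+ uint16_t subsys_major; /* major subsystem version */
+ uint16_t subsys_minor; /* minor subsystem version */
+ uint32_t win32_version; /* reserved, must be 0 */
+ uint32_t image_size; /* image size */
+ uint32_t header_size; /* header size rounded up to
+ file_align */
+ uint32_t csum; /* checksum */
+ uint16_t subsys; /* subsystem */
+ uint16_t dll_flags; /* more flags! */
+ uint64_t stack_size_req;/* amt of stack requested */
+ uint64_t stack_size; /* amt of stack required */
+ uint64_t heap_size_req; /* amt of heap requested */
+ uint64_t heap_size; /* amt of heap required */
+ uint32_t loader_flags; /* reserved, must be 0 */
+ uint32_t data_dirs; /* number of data dir entries */
+};
+
+struct data_dirent {
+ uint32_t virtual_address; /* relative to load address */
+ uint32_t size;
+};
+
+struct data_directory {
+ struct data_dirent exports; /* .edata */
+ struct data_dirent imports; /* .idata */
+ struct data_dirent resources; /* .rsrc */
+ struct data_dirent exceptions; /* .pdata */
+ struct data_dirent certs; /* certs */
+ struct data_dirent base_relocations; /* .reloc */
+ struct data_dirent debug; /* .debug */
+ struct data_dirent arch; /* reservered */
+ struct data_dirent global_ptr; /* global pointer reg. Size=0 */
+ struct data_dirent tls; /* .tls */
+ struct data_dirent load_config; /* load configuration structure */
+ struct data_dirent bound_imports; /* no idea */
+ struct data_dirent import_addrs; /* import address table */
+ struct data_dirent delay_imports; /* delay-load import table */
+ struct data_dirent clr_runtime_hdr; /* .cor (object only) */
+ struct data_dirent reserved;
+};
+
+struct section_header {
+ char name[8]; /* name or "/12\0" string tbl offset */
+ uint32_t virtual_size; /* size of loaded section in ram */
+ uint32_t virtual_address; /* relative virtual address */
+ uint32_t raw_data_size; /* size of the section */
+ uint32_t data_addr; /* file pointer to first page of sec */
+ uint32_t relocs; /* file pointer to relocation entries */
+ uint32_t line_numbers; /* line numbers! */
+ uint16_t num_relocs; /* number of relocations */
+ uint16_t num_lin_numbers; /* srsly. */
+ uint32_t flags;
+};
+
+/* they actually defined 0x00000000 as well, but I think we'll skip that one. */
+#define IMAGE_SCN_RESERVED_0 0x00000001
+#define IMAGE_SCN_RESERVED_1 0x00000002
+#define IMAGE_SCN_RESERVED_2 0x00000004
+#define IMAGE_SCN_TYPE_NO_PAD 0x00000008 /* don't pad - obsolete */
+#define IMAGE_SCN_RESERVED_3 0x00000010
+#define IMAGE_SCN_CNT_CODE 0x00000020 /* .text */
+#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 /* .data */
+#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 /* .bss */
+#define IMAGE_SCN_LNK_OTHER 0x00000100 /* reserved */
+#define IMAGE_SCN_LNK_INFO 0x00000200 /* .drectve comments */
+#define IMAGE_SCN_RESERVED_4 0x00000400
+#define IMAGE_SCN_LNK_REMOVE 0x00000800 /* .o only - scn to be rm'd*/
+#define IMAGE_SCN_LNK_COMDAT 0x00001000 /* .o only - COMDAT data */
+#define IMAGE_SCN_RESERVED_5 0x00002000 /* spec omits this */
+#define IMAGE_SCN_RESERVED_6 0x00004000 /* spec omits this */
+#define IMAGE_SCN_GPREL 0x00008000 /* global pointer referenced data */
+/* spec lists 0x20000 twice, I suspect they meant 0x10000 for one of them */
+#define IMAGE_SCN_MEM_PURGEABLE 0x00010000 /* reserved for "future" use */
+#define IMAGE_SCN_16BIT 0x00020000 /* reserved for "future" use */
+#define IMAGE_SCN_LOCKED 0x00040000 /* reserved for "future" use */
+#define IMAGE_SCN_PRELOAD 0x00080000 /* reserved for "future" use */
+/* and here they just stuck a 1-byte integer in the middle of a bitfield */
+#define IMAGE_SCN_ALIGN_1BYTES 0x00100000 /* it does what it says on the box */
+#define IMAGE_SCN_ALIGN_2BYTES 0x00200000
+#define IMAGE_SCN_ALIGN_4BYTES 0x00300000
+#define IMAGE_SCN_ALIGN_8BYTES 0x00400000
+#define IMAGE_SCN_ALIGN_16BYTES 0x00500000
+#define IMAGE_SCN_ALIGN_32BYTES 0x00600000
+#define IMAGE_SCN_ALIGN_64BYTES 0x00700000
+#define IMAGE_SCN_ALIGN_128BYTES 0x00800000
+#define IMAGE_SCN_ALIGN_256BYTES 0x00900000
+#define IMAGE_SCN_ALIGN_512BYTES 0x00a00000
+#define IMAGE_SCN_ALIGN_1024BYTES 0x00b00000
+#define IMAGE_SCN_ALIGN_2048BYTES 0x00c00000
+#define IMAGE_SCN_ALIGN_4096BYTES 0x00d00000
+#define IMAGE_SCN_ALIGN_8192BYTES 0x00e00000
+#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 /* extended relocations */
+#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 /* scn can be discarded */
+#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 /* cannot be cached */
+#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 /* not pageable */
+#define IMAGE_SCN_MEM_SHARED 0x10000000 /* can be shared */
+#define IMAGE_SCN_MEM_EXECUTE 0x20000000 /* can be executed as code */
+#define IMAGE_SCN_MEM_READ 0x40000000 /* readable */
+#define IMAGE_SCN_MEM_WRITE 0x80000000 /* writeable */
+
+enum x64_coff_reloc_type {
+ IMAGE_REL_AMD64_ABSOLUTE = 0,
+ IMAGE_REL_AMD64_ADDR64,
+ IMAGE_REL_AMD64_ADDR32,
+ IMAGE_REL_AMD64_ADDR32N,
+ IMAGE_REL_AMD64_REL32,
+ IMAGE_REL_AMD64_REL32_1,
+ IMAGE_REL_AMD64_REL32_2,
+ IMAGE_REL_AMD64_REL32_3,
+ IMAGE_REL_AMD64_REL32_4,
+ IMAGE_REL_AMD64_REL32_5,
+ IMAGE_REL_AMD64_SECTION,
+ IMAGE_REL_AMD64_SECREL,
+ IMAGE_REL_AMD64_SECREL7,
+ IMAGE_REL_AMD64_TOKEN,
+ IMAGE_REL_AMD64_SREL32,
+ IMAGE_REL_AMD64_PAIR,
+ IMAGE_REL_AMD64_SSPAN32,
+};
+
+enum arm_coff_reloc_type {
+ IMAGE_REL_ARM_ABSOLUTE,
+ IMAGE_REL_ARM_ADDR32,
+ IMAGE_REL_ARM_ADDR32N,
+ IMAGE_REL_ARM_BRANCH2,
+ IMAGE_REL_ARM_BRANCH1,
+ IMAGE_REL_ARM_SECTION,
+ IMAGE_REL_ARM_SECREL,
+};
+
+enum sh_coff_reloc_type {
+ IMAGE_REL_SH3_ABSOLUTE,
+ IMAGE_REL_SH3_DIRECT16,
+ IMAGE_REL_SH3_DIRECT32,
+ IMAGE_REL_SH3_DIRECT8,
+ IMAGE_REL_SH3_DIRECT8_WORD,
+ IMAGE_REL_SH3_DIRECT8_LONG,
+ IMAGE_REL_SH3_DIRECT4,
+ IMAGE_REL_SH3_DIRECT4_WORD,
+ IMAGE_REL_SH3_DIRECT4_LONG,
+ IMAGE_REL_SH3_PCREL8_WORD,
+ IMAGE_REL_SH3_PCREL8_LONG,
+ IMAGE_REL_SH3_PCREL12_WORD,
+ IMAGE_REL_SH3_STARTOF_SECTION,
+ IMAGE_REL_SH3_SIZEOF_SECTION,
+ IMAGE_REL_SH3_SECTION,
+ IMAGE_REL_SH3_SECREL,
+ IMAGE_REL_SH3_DIRECT32_NB,
+ IMAGE_REL_SH3_GPREL4_LONG,
+ IMAGE_REL_SH3_TOKEN,
+ IMAGE_REL_SHM_PCRELPT,
+ IMAGE_REL_SHM_REFLO,
+ IMAGE_REL_SHM_REFHALF,
+ IMAGE_REL_SHM_RELLO,
+ IMAGE_REL_SHM_RELHALF,
+ IMAGE_REL_SHM_PAIR,
+ IMAGE_REL_SHM_NOMODE,
+};
+
+enum ppc_coff_reloc_type {
+ IMAGE_REL_PPC_ABSOLUTE,
+ IMAGE_REL_PPC_ADDR64,
+ IMAGE_REL_PPC_ADDR32,
+ IMAGE_REL_PPC_ADDR24,
+ IMAGE_REL_PPC_ADDR16,
+ IMAGE_REL_PPC_ADDR14,
+ IMAGE_REL_PPC_REL24,
+ IMAGE_REL_PPC_REL14,
+ IMAGE_REL_PPC_ADDR32N,
+ IMAGE_REL_PPC_SECREL,
+ IMAGE_REL_PPC_SECTION,
+ IMAGE_REL_PPC_SECREL16,
+ IMAGE_REL_PPC_REFHI,
+ IMAGE_REL_PPC_REFLO,
+ IMAGE_REL_PPC_PAIR,
+ IMAGE_REL_PPC_SECRELLO,
+ IMAGE_REL_PPC_GPREL,
+ IMAGE_REL_PPC_TOKEN,
+};
+
+enum x86_coff_reloc_type {
+ IMAGE_REL_I386_ABSOLUTE,
+ IMAGE_REL_I386_DIR16,
+ IMAGE_REL_I386_REL16,
+ IMAGE_REL_I386_DIR32,
+ IMAGE_REL_I386_DIR32NB,
+ IMAGE_REL_I386_SEG12,
+ IMAGE_REL_I386_SECTION,
+ IMAGE_REL_I386_SECREL,
+ IMAGE_REL_I386_TOKEN,
+ IMAGE_REL_I386_SECREL7,
+ IMAGE_REL_I386_REL32,
+};
+
+enum ia64_coff_reloc_type {
+ IMAGE_REL_IA64_ABSOLUTE,
+ IMAGE_REL_IA64_IMM14,
+ IMAGE_REL_IA64_IMM22,
+ IMAGE_REL_IA64_IMM64,
+ IMAGE_REL_IA64_DIR32,
+ IMAGE_REL_IA64_DIR64,
+ IMAGE_REL_IA64_PCREL21B,
+ IMAGE_REL_IA64_PCREL21M,
+ IMAGE_REL_IA64_PCREL21F,
+ IMAGE_REL_IA64_GPREL22,
+ IMAGE_REL_IA64_LTOFF22,
+ IMAGE_REL_IA64_SECTION,
+ IMAGE_REL_IA64_SECREL22,
+ IMAGE_REL_IA64_SECREL64I,
+ IMAGE_REL_IA64_SECREL32,
+ IMAGE_REL_IA64_DIR32NB,
+ IMAGE_REL_IA64_SREL14,
+ IMAGE_REL_IA64_SREL22,
+ IMAGE_REL_IA64_SREL32,
+ IMAGE_REL_IA64_UREL32,
+ IMAGE_REL_IA64_PCREL60X,
+ IMAGE_REL_IA64_PCREL60B,
+ IMAGE_REL_IA64_PCREL60F,
+ IMAGE_REL_IA64_PCREL60I,
+ IMAGE_REL_IA64_PCREL60M,
+ IMAGE_REL_IA64_IMMGPREL6,
+ IMAGE_REL_IA64_TOKEN,
+ IMAGE_REL_IA64_GPREL32,
+ IMAGE_REL_IA64_ADDEND,
+};
+
+struct coff_reloc {
+ uint32_t virtual_address;
+ uint32_t symbol_table_index;
+ union {
+ enum x64_coff_reloc_type x64_type;
+ enum arm_coff_reloc_type arm_type;
+ enum sh_coff_reloc_type sh_type;
+ enum ppc_coff_reloc_type ppc_type;
+ enum x86_coff_reloc_type x86_type;
+ enum ia64_coff_reloc_type ia64_type;
+ uint16_t data;
+ };
+};
+
+/*
+ * Definitions for the contents of the certs data block
+ */
+#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
+#define WIN_CERT_TYPE_EFI_OKCS115 0x0EF0
+#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
+
+#define WIN_CERT_REVISION_1_0 0x0100
+#define WIN_CERT_REVISION_2_0 0x0200
+
+struct win_certificate {
+ uint32_t length;
+ uint16_t revision;
+ uint16_t cert_type;
+};
+
+#endif /* __LINUX_PE_H */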
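Review bot: Every multi-byte field in `mz_hdr`, `pe_hdr`, the two optional headers, `section_header` and `win_certificate` is declared as native-endian `uint16_t`/`uint32_t`/`uint64_t`, although PE/COFF fixes them as little-endian on disk; `MZ_MAGIC 0x5a4d` is only "MZ" when the bytes are read little-endian. Declaring them `__le16`/`__le32`/`__le64` (available from the `<linux/types.h>` already included) lets sparse flag any parser that compares a raw field without `le16_to_cpu()`/`le32_to_cpu()`, which is exactly the bug a big-endian host would hit while verifying a signed image. Separately, the anonymous union in `struct coff_reloc` mixes `enum` members (int-sized on the usual ABIs) with `uint16_t data`, so the struct is typically larger than the 10-byte on-disk relocation entry and must not be used to overlay raw data; if it is only meant as an in-memory view, say so in a comment above it. `WIN_CERT_TYPE_EFI_OKCS115` looks like a typo for `WIN_CERT_TYPE_EFI_PKCS115`; renaming it before anything depends on the name is cheaper than carrying both later.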
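--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1304,13 +1304,12 @@ struct task_struct {
  * execve */
  unsigned in_iowait:1;
 
- /* task may not gain privileges */
- unsigned no_new_privs:1;
-
  /* Revert to default priority/policy when forking */
  unsigned sched_reset_on_fork:1;
  unsigned sched_contributes_to_load:1;
 
+ unsigned long atomic_flags; /* Flags needing atomic access. */
+
  pid_t pid;
  pid_t tgid;
 
@@ -1962,6 +1961,19 @@ static inline void memalloc_noio_restore(unsigned int flags)
  current->flags = (current->flags & ~PF_MEMALLOC_NOIO) | flags;
 }
 
+/* Per-process atomic flags. */
+#define PFA_NO_NEW_PRIVS 0x00000001 /* May not gain new privileges. */
+
+static inline bool task_no_new_privs(struct task_struct *p)
+{
+ return test_bit(PFA_NO_NEW_PRIVS, &p->atomic_flags);
+}
+
+static inline void task_set_no_new_privs(struct task_struct *p)
+{
+ set_bit(PFA_NO_NEW_PRIVS, &p->atomic_flags);
+}
+
 /*
  * task->jobctl flags
  */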
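Review bot: `PFA_NO_NEW_PRIVS` is spelled as a hex mask (`0x00000001`) but is consumed as a bit number by `test_bit()`/`set_bit()` in `task_no_new_privs`/`task_set_no_new_privs`, so it currently selects bit 1, and the mask-looking spelling invites the next flag to be added as `0x00000002` (bit 2) or combined with `|`, which these helpers cannot take. Spell it as an index and say so: `#define PFA_NO_NEW_PRIVS 1 /* bit number for test_bit()/set_bit(), not a mask */`, keeping the value so the bit position does not move. The absence of a `task_clear_no_new_privs` helper looks deliberate, since the old `no_new_privs` bit was meant to be irreversible for the task's lifetime; stating that in the comment on `atomic_flags` stops someone from "completing" the API later. `struct task_struct` begins and ends outside the first hunk.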
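--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -3,6 +3,8 @@
 
 #include <uapi/linux/seccomp.h>
 
+#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC)
+
 #ifdef CONFIG_SECCOMP
 
 #include <linux/thread_info.h>
@@ -14,11 +16,11 @@ struct seccomp_filter;
  *
  * @mode: indicates one of the valid values above for controlled
  * system calls available to a process.
- * @filter: The metadata and ruleset for determining what system calls
- * are allowed for a task.
+ * @filter: must always point to a valid seccomp-filter or NULL as it is
+ * accessed without locking during system call entry.
  *
  * @filter must only be accessed from the context of current as there
- * is no locking.
+ * is no read locking.
  */
 struct seccomp {
  int mode;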
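Review bot: `SECCOMP_FILTER_FLAG_MASK` is what lets the filter installer reject unknown flag bits from userspace, yet nothing ties it to the uapi flag list it must mirror, so a flag added in include/uapi/linux/seccomp.h without touching this line would be rejected with no hint why. Add `/* Must be kept in sync with the SECCOMP_FILTER_FLAG_* set in <uapi/linux/seccomp.h>; any bit outside this mask is refused */` above the define. In the `struct seccomp` doc block, "accessed without locking during system call entry" should also name what makes a filter-pointer change safe to publish to that lockless reader (presumably a barrier on the write side under the task's lock; the write path is outside this diff), since "no read locking" alone reads as "no locking". The enclosing `struct seccomp` continues below the hunk.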
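--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -702,6 +702,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  * @inode points to the inode to use as a reference.
  * The current task must be the one that nominated @inode.
  * Return 0 if successful.
+ * @kernel_fw_from_file:
+ * Load firmware from userspace (not called for built-in firmware).
+ * @file contains the file structure pointing to the file containing
+ * the firmware to load. This argument will be NULL if the firmware
+ * was loaded via the uevent-triggered blob-based interface exposed
+ * by CONFIG_FW_LOADER_USER_HELPER.
+ * @buf pointer to buffer containing firmware contents.
+ * @size length of the firmware contents.
+ * Return 0 if permission is granted.
  * @kernel_module_request:
  * Ability to trigger the kernel to automatically upcall to userspace for
  * userspace to load a kernel module with the given name.
@@ -1565,6 +1574,7 @@ struct security_operations {
  void (*cred_transfer)(struct cred *new, const struct cred *old);
  int (*kernel_act_as)(struct cred *new, u32 secid);
  int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
+ int (*kernel_fw_from_file)(struct file *file, char *buf, size_t size);
  int (*kernel_module_request)(char *kmod_name);
  int (*kernel_module_from_file)(struct file *file);
  int (*task_fix_setuid) (struct cred *new, const struct cred *old,
@@ -1837,6 +1847,7 @@ int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
 void security_transfer_creds(struct cred *new, const struct cred *old);
 int security_kernel_act_as(struct cred *new, u32 secid);
 int security_kernel_create_files_as(struct cred *new, struct inode *inode);
+int security_kernel_fw_from_file(struct file *file, char *buf, size_t size);
 int security_kernel_module_request(char *kmod_name);
 int security_kernel_module_from_file(struct file *file);
 int security_task_fix_setuid(struct cred *new, const struct cred *old,
@@ -2363,6 +2374,12 @@ static inline int security_kernel_create_files_as(struct cred *cred,
  return 0;
 }
 
+static inline int security_kernel_fw_from_file(struct file *file,
+ char *buf, size_t size)
+{
+ return 0;
+}
+
 static inline int security_kernel_module_request(char *kmod_name)
 {
  return 0;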
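Review bot: The new `kernel_fw_from_file` hook and the `security_kernel_fw_from_file` wrapper take `char *buf`, yet the kerneldoc added in the @@ -702 hunk describes @buf only as the firmware contents the hook inspects before granting permission; `const char *buf, size_t size` would state that the hook must not modify the blob and would let callers pass const data. The kerneldoc should also say what @buf and @size hold when @file is non-NULL — whether the buffer is populated in both cases or only for the CONFIG_FW_LOADER_USER_HELPER path is not visible here and is exactly what an LSM author needs to know. The !CONFIG_SECURITY stub in the @@ -2363 hunk returns 0 unconditionally, which is consistent with the "Return 0 if permission is granted" contract.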
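--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -866,4 +866,6 @@ asmlinkage long sys_process_vm_writev(pid_t pid,
 asmlinkage long sys_kcmp(pid_t pid1, pid_t pid2, int type,
  unsigned long idx1, unsigned long idx2);
 asmlinkage long sys_finit_module(int fd, const char __user *uargs, int flags);
+asmlinkage long sys_seccomp(unsigned int op, unsigned int flags,
+ const char __user *uargs);
 #endif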
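--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -39,6 +39,9 @@ struct tpm_class_ops {
  int (*send) (struct tpm_chip *chip, u8 *buf, size_t len);
  void (*cancel) (struct tpm_chip *chip);
  u8 (*status) (struct tpm_chip *chip);
+ bool (*update_timeouts)(struct tpm_chip *chip,
+ unsigned long *timeout_cap);
+
 };
 
 #if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE)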
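Review bot: The new `update_timeouts` member takes a bare `unsigned long *timeout_cap` with no element count, so a driver implementing it cannot tell from the prototype how many entries it may read or rewrite, nor what the bool return signals. Add a comment on the member along the lines of `/* @timeout_cap: caller-owned array of the chip's timeouts (presumably one entry per TPM timeout value — confirm against the caller); return true if any entry was adjusted */`, since the array length and the meaning of the return are not visible in this hunk. The blank line inserted between the new member and `};` is out of step with the rest of the struct and can be dropped.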
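--- /dev/null
+++ b/include/linux/verify_pefile.h
@@ -0,0 +1,18 @@
+/* Signed PE file verification
+ *
+ * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#ifndef _LINUX_VERIFY_PEFILE_H
+#define _LINUX_VERIFY_PEFILE_H
+
+extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
+ struct key *trusted_keyring, bool *_trusted);
+
+#endif /* _LINUX_VERIFY_PEFILE_H */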
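Review bot: The prototype of `verify_pefile_signature` uses `struct key *` and `bool` with no prior declaration in this header — there is no `struct key;` forward declaration and no `#include` — so a translation unit that includes it before any header declaring `struct key` gets a tag with prototype scope (the "declared inside parameter list" warning) that is incompatible with the real definition. Add `struct key;` after the include guard and include `<linux/types.h>` for `bool`. `pelen` is `unsigned` while the other buffer lengths in this series (`size_t size`, `size_t len`) are `size_t`; matching them avoids an implicit narrowing at call sites. A kerneldoc stating what `*_trusted` means on a 0 return versus a negative error, and whether `pebuf` may be untrusted input that the parser must bounds-check against `pelen`, would complete the interface.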
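--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -139,7 +139,7 @@ struct netlbl_lsm_cache {
 };
 
 /**
- * struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap
+ * struct netlbl_lsm_catmap - NetLabel LSM secattr category bitmap
  * @startbit: the value of the lowest order bit in the bitmap
  * @bitmap: the category bitmap
  * @next: pointer to the next bitmap "node" or NULL
@@ -162,10 +162,10 @@ struct netlbl_lsm_cache {
 #define NETLBL_CATMAP_SIZE (NETLBL_CATMAP_MAPSIZE * \
  NETLBL_CATMAP_MAPCNT)
 #define NETLBL_CATMAP_BIT (NETLBL_CATMAP_MAPTYPE)0x01
-struct netlbl_lsm_secattr_catmap {
+struct netlbl_lsm_catmap {
  u32 startbit;
  NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
- struct netlbl_lsm_secattr_catmap *next;
+ struct netlbl_lsm_catmap *next;
 };
 
 /**
@@ -209,7 +209,7 @@ struct netlbl_lsm_secattr {
  struct netlbl_lsm_cache *cache;
  struct {
  struct {
- struct netlbl_lsm_secattr_catmap *cat;
+ struct netlbl_lsm_catmap *cat;
  u32 lvl;
  } mls;
  u32 secid;
@@ -258,7 +258,7 @@ static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
 }
 
 /**
- * netlbl_secattr_catmap_alloc - Allocate a LSM secattr catmap
+ * netlbl_catmap_alloc - Allocate a LSM secattr catmap
  * @flags: memory allocation flags
  *
  * Description:
@@ -266,30 +266,28 @@ static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
  * on failure.
  *
  */
-static inline struct netlbl_lsm_secattr_catmap *netlbl_secattr_catmap_alloc(
- gfp_t flags)
+static inline struct netlbl_lsm_catmap *netlbl_catmap_alloc(gfp_t flags)
 {
- return kzalloc(sizeof(struct netlbl_lsm_secattr_catmap), flags);
+ return kzalloc(sizeof(struct netlbl_lsm_catmap), flags);
 }
 
 /**
- * netlbl_secattr_catmap_free - Free a LSM secattr catmap
+ * netlbl_catmap_free - Free a LSM secattr catmap
  * @catmap: the category bitmap
  *
  * Description:
  * Free a LSM secattr catmap.
  *
  */
-static inline void netlbl_secattr_catmap_free(
- struct netlbl_lsm_secattr_catmap *catmap)
+static inline void netlbl_catmap_free(struct netlbl_lsm_catmap *catmap)
 {
- struct netlbl_lsm_secattr_catmap *iter;
+ struct netlbl_lsm_catmap *iter;
 
- do {
+ while (catmap) {
  iter = catmap;
  catmap = catmap->next;
  kfree(iter);
- } while (catmap);
+ }
 }
 
 /**
@@ -321,7 +319,7 @@ static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
  if (secattr->flags & NETLBL_SECATTR_CACHE)
  netlbl_secattr_cache_free(secattr->cache);
  if (secattr->flags & NETLBL_SECATTR_MLS_CAT)
- netlbl_secattr_catmap_free(secattr->attr.mls.cat);
+ netlbl_catmap_free(secattr->attr.mls.cat);
 }
 
 /**
@@ -390,17 +388,22 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
 /*
  * LSM security attribute operations
  */
-int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
- u32 offset);
-int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
- u32 offset);
-int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap,
- u32 bit,
- gfp_t flags);
-int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
- u32 start,
- u32 end,
- gfp_t flags);
+int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap, u32 offset);
+int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap, u32 offset);
+int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
+ u32 *offset,
+ unsigned long *bitmap);
+int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
+ u32 bit,
+ gfp_t flags);
+int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
+ u32 start,
+ u32 end,
+ gfp_t flags);
+int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
+ u32 offset,
+ unsigned long bitmap,
+ gfp_t flags);
 
 /*
  * LSM protocol operations (NetLabel LSM/kernel API)
@@ -492,30 +495,39 @@ static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
 {
  return -ENOSYS;
 }
-static inline int netlbl_secattr_catmap_walk(
- struct netlbl_lsm_secattr_catmap *catmap,
- u32 offset)
+static inline int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap,
+ u32 offset)
 {
  return -ENOENT;
 }
-static inline int netlbl_secattr_catmap_walk_rng(
- struct netlbl_lsm_secattr_catmap *catmap,
- u32 offset)
+static inline int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap,
+ u32 offset)
 {
  return -ENOENT;
 }
-static inline int netlbl_secattr_catmap_setbit(
- struct netlbl_lsm_secattr_catmap *catmap,
- u32 bit,
- gfp_t flags)
+static inline int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
+ u32 *offset,
+ unsigned long *bitmap)
 {
  return 0;
 }
-static inline int netlbl_secattr_catmap_setrng(
- struct netlbl_lsm_secattr_catmap *catmap,
- u32 start,
- u32 end,
- gfp_t flags)
+static inline int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
+ u32 bit,
+ gfp_t flags)
+{
+ return 0;
+}
+static inline int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
+ u32 start,
+ u32 end,
+ gfp_t flags)
+{
+ return 0;
+}
+static int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
+ u32 offset,
+ unsigned long bitmap,
+ gfp_t flags)
 {
  return 0;
 }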
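Review bot: The `netlbl_catmap_setlong()` stub in the !CONFIG_NETLABEL branch (the @@ -492 hunk) is declared `static int` while every neighbouring stub is `static inline int`; a non-inline static function defined in a header is an unused-function warning, and an unused copy, in every translation unit that includes netlabel.h without calling it. Change that line to `static inline int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,`. Separately, `netlbl_catmap_setbit`, `setrng` and `setlong` now take `struct netlbl_lsm_catmap **catmap` in the @@ -390 prototype block with nothing saying why; a comment there such as `/* setbit/setrng/setlong take the address of the caller's catmap pointer, presumably so the implementation can replace or extend the list — confirm against netlabel_kapi.c */` would spare callers a trip to the implementation, which is not on this page.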
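--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -699,9 +699,11 @@ __SYSCALL(__NR_sched_setattr, sys_sched_setattr)
 __SYSCALL(__NR_sched_getattr, sys_sched_getattr)
 #define __NR_renameat2 276
 __SYSCALL(__NR_renameat2, sys_renameat2)
+#define __NR_seccomp 277
+__SYSCALL(__NR_seccomp, sys_seccomp)
 
 #undef __NR_syscalls
-#define __NR_syscalls 277
+#define __NR_syscalls 278
 
 /*
  * All syscalls below here should go away really,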
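--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -10,6 +10,13 @@
 #define SECCOMP_MODE_STRICT 1 /* uses hard-coded filter. */
 #define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
 
+/* Valid operations for seccomp syscall. */
+#define SECCOMP_SET_MODE_STRICT 0
+#define SECCOMP_SET_MODE_FILTER 1
+
+/* Valid flags for SECCOMP_SET_MODE_FILTER */
+#define SECCOMP_FILTER_FLAG_TSYNC 1
+
 /*
  * All BPF programs must return a 32-bit value.
  * The bottom 16-bits are for optional return data.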
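Review bot: `SECCOMP_FILTER_FLAG_TSYNC` is a bit in the `flags` word of `sys_seccomp` but is written as the plain literal `1`, directly under the operation values `SECCOMP_SET_MODE_STRICT 0` / `SECCOMP_SET_MODE_FILTER 1`, which are ordinals; `#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)` makes the bit position explicit for whoever adds the next flag and keeps the two kinds of constant visually distinct in a UAPI header that cannot be changed later. The comment above it could also say that the value is a bitmask, e.g. `/* Valid flags for SECCOMP_SET_MODE_FILTER (bitmask) */`, and whether the kernel rejects unknown flag bits belongs in the same comment once confirmed against the syscall implementation, which is not on this page.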