--- v22
+++ v28
@@ -26,28 +26,38 @@
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: <bpf@vger.kernel.org>
+Cc: linux-audit@redhat.com
+Cc: linux-security-module@vger.kernel.org
+Cc: selinux@vger.kernel.org
+To: Mimi Zohar <zohar@linux.ibm.com>
+To: Mickaël Salaün <mic@linux.microsoft.com>
---
include/linux/audit.h | 4 +-
include/linux/lsm_hooks.h | 12 ++++-
- include/linux/security.h | 67 +++++++++++++++++++++++++--
+ include/linux/security.h | 67 ++++++++++++++++++++++++--
kernel/auditfilter.c | 24 +++++-----
- kernel/auditsc.c | 12 ++---
+ kernel/auditsc.c | 13 +++--
security/apparmor/lsm.c | 7 ++-
security/bpf/hooks.c | 12 ++++-
security/commoncap.c | 7 ++-
security/integrity/ima/ima_policy.c | 40 +++++++++++-----
+ security/landlock/cred.c | 2 +-
+ security/landlock/fs.c | 2 +-
+ security/landlock/ptrace.c | 2 +-
+ security/landlock/setup.c | 5 ++
+ security/landlock/setup.h | 1 +
security/loadpin/loadpin.c | 8 +++-
security/lockdown/lockdown.c | 7 ++-
security/safesetid/lsm.c | 8 +++-
- security/security.c | 72 ++++++++++++++++++++++++-----
+ security/security.c | 74 ++++++++++++++++++++++++-----
security/selinux/hooks.c | 8 +++-
security/smack/smack_lsm.c | 7 ++-
security/tomoyo/tomoyo.c | 8 +++-
security/yama/yama_lsm.c | 7 ++-
- 17 files changed, 254 insertions(+), 56 deletions(-)
+ 22 files changed, 265 insertions(+), 60 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
-index b3d859831a31..ba1cd38d601b 100644
+index 82b7c1116a85..418a485af114 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -11,6 +11,7 @@
@@ -70,10 +80,10 @@
};
u32 op;
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index d8f492ed6ebf..fe9203f15993 100644
+index afd3b16875b0..c61a16f0a5bc 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
-@@ -1545,6 +1545,14 @@ struct security_hook_heads {
+@@ -1570,6 +1570,14 @@ struct security_hook_heads {
#undef LSM_HOOK
} __randomize_layout;
@@ -88,7 +98,7 @@
/*
* Security module hook list structure.
* For use with generic list macros for common operations.
-@@ -1553,7 +1561,7 @@ struct security_hook_list {
+@@ -1578,7 +1586,7 @@ struct security_hook_list {
struct hlist_node list;
struct hlist_head *head;
union security_list_options hook;
@@ -97,7 +107,7 @@
} __randomize_layout;
/*
-@@ -1588,7 +1596,7 @@ extern struct security_hook_heads security_hook_heads;
+@@ -1614,7 +1622,7 @@ extern struct security_hook_heads security_hook_heads;
extern char *lsm_names;
extern void security_add_hooks(struct security_hook_list *hooks, int count,
@@ -107,10 +117,10 @@
#define LSM_FLAG_LEGACY_MAJOR BIT(0)
#define LSM_FLAG_EXCLUSIVE BIT(1)
diff --git a/include/linux/security.h b/include/linux/security.h
-index bc2725491560..fdb6e95c98e8 100644
+index 24eda04221e9..7655bfce4b96 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
-@@ -132,6 +132,65 @@ enum lockdown_reason {
+@@ -133,6 +133,65 @@ enum lockdown_reason {
extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
@@ -134,7 +144,7 @@
+#define LSMBLOB_NOT_NEEDED -3 /* Slot not requested */
+
+/**
-+ * lsmblob_init - initialize an lsmblob structure.
++ * lsmblob_init - initialize an lsmblob structure
+ * @blob: Pointer to the data to initialize
+ * @secid: The initial secid value
+ *
@@ -176,7 +186,7 @@
/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, unsigned int opts);
-@@ -1833,8 +1892,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
+@@ -1881,8 +1940,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
#ifdef CONFIG_SECURITY
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
int security_audit_rule_known(struct audit_krule *krule);
@@ -187,7 +197,7 @@
#else
-@@ -1850,12 +1909,12 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
+@@ -1898,12 +1957,12 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
}
static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
@@ -203,7 +213,7 @@
#endif /* CONFIG_SECURITY */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
-index 333b3bcfc545..45da229f9f1f 100644
+index db2c6b59dfc3..a2340e81cfa7 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -74,7 +74,7 @@ static void audit_free_lsm_field(struct audit_field *f)
@@ -257,13 +267,14 @@
* the originals will all be freed when the old rule is freed. */
for (i = 0; i < fcount; i++) {
switch (new->fields[i].type) {
-@@ -1358,10 +1359,11 @@ int audit_filter(int msgtype, unsigned int listtype)
+@@ -1358,11 +1359,12 @@ int audit_filter(int msgtype, unsigned int listtype)
case AUDIT_SUBJ_TYPE:
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
- if (f->lsm_rule) {
+ if (f->lsm_isset) {
- security_task_getsecid(current, &sid);
+ security_task_getsecid_subj(current,
+ &sid);
result = security_audit_rule_match(sid,
- f->type, f->op, f->lsm_rule);
+ f->type, f->op,
@@ -271,7 +282,7 @@
}
break;
case AUDIT_EXE:
-@@ -1388,7 +1390,7 @@ int audit_filter(int msgtype, unsigned int listtype)
+@@ -1389,7 +1391,7 @@ int audit_filter(int msgtype, unsigned int listtype)
return ret;
}
@@ -280,7 +291,7 @@
{
struct audit_entry *entry = container_of(r, struct audit_entry, rule);
struct audit_entry *nentry;
-@@ -1420,7 +1422,7 @@ static int update_lsm_rule(struct audit_krule *r)
+@@ -1421,7 +1423,7 @@ static int update_lsm_rule(struct audit_krule *r)
return err;
}
@@ -289,7 +300,7 @@
* It will traverse the filter lists serarching for rules that contain LSM
* specific filter fields. When such a rule is found, it is copied, the
* LSM field is re-initialized, and the old rule is replaced with the
-@@ -1435,7 +1437,7 @@ int audit_update_lsm_rules(void)
+@@ -1436,7 +1438,7 @@ int audit_update_lsm_rules(void)
for (i = 0; i < AUDIT_NR_FILTERS; i++) {
list_for_each_entry_safe(r, n, &audit_rules_list[i], list) {
@@ -299,27 +310,27 @@
err = res;
}
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
-index 8dba8f0983b5..16e3430f7d07 100644
+index 8dd73a64f921..acbd896f54a5 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
-@@ -667,14 +667,14 @@ static int audit_filter_rules(struct task_struct *tsk,
+@@ -671,14 +671,13 @@ static int audit_filter_rules(struct task_struct *tsk,
match for now to avoid losing information that
may be wanted. An error message will also be
logged upon error */
- if (f->lsm_rule) {
+ if (f->lsm_isset) {
if (need_sid) {
- security_task_getsecid(tsk, &sid);
+ security_task_getsecid_subj(tsk, &sid);
need_sid = 0;
}
result = security_audit_rule_match(sid, f->type,
- f->op,
+- f->op,
- f->lsm_rule);
-+ f->lsm_rules);
++ f->op, f->lsm_rules);
}
break;
case AUDIT_OBJ_USER:
-@@ -684,21 +684,21 @@ static int audit_filter_rules(struct task_struct *tsk,
+@@ -688,21 +687,21 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_OBJ_LEV_HIGH:
/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
also applies here */
@@ -344,7 +355,7 @@
++result;
break;
}
-@@ -709,7 +709,7 @@ static int audit_filter_rules(struct task_struct *tsk,
+@@ -713,7 +712,7 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
if (security_audit_rule_match(ctx->ipc.osid,
f->type, f->op,
@@ -354,10 +365,10 @@
}
break;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index f1c365905d5e..432915c1d427 100644
+index 4113516fb62e..392e25940d1f 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
-@@ -1152,6 +1152,11 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
+@@ -1161,6 +1161,11 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
.lbs_sock = sizeof(struct aa_sk_ctx),
};
@@ -369,7 +380,7 @@
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
-@@ -1852,7 +1857,7 @@ static int __init apparmor_init(void)
+@@ -1862,7 +1867,7 @@ static int __init apparmor_init(void)
goto buffers_out;
}
security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
@@ -379,11 +390,11 @@
/* Report that AppArmor successfully initialized */
apparmor_initialized = 1;
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
-index 788667d582ae..a1a5032a4d87 100644
+index e5971fa74fd7..7a58fe9ab8c4 100644
--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
-@@ -14,9 +14,19 @@ static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
- LSM_HOOK_INIT(inode_free_security, bpf_inode_storage_free),
+@@ -15,9 +15,19 @@ static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
+ LSM_HOOK_INIT(task_free, bpf_task_storage_free),
};
+/*
@@ -404,10 +415,10 @@
return 0;
}
diff --git a/security/commoncap.c b/security/commoncap.c
-index 59bf3c1674c8..959a9f96b7f1 100644
+index 3f810d37b71b..628685cf20e3 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
-@@ -1341,6 +1341,11 @@ int cap_mmap_file(struct file *file, unsigned long reqprot,
+@@ -1443,6 +1443,11 @@ int cap_mmap_file(struct file *file, unsigned long reqprot,
#ifdef CONFIG_SECURITY
@@ -419,7 +430,7 @@
static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(capable, cap_capable),
LSM_HOOK_INIT(settime, cap_settime),
-@@ -1365,7 +1370,7 @@ static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
+@@ -1467,7 +1472,7 @@ static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
static int __init capability_init(void)
{
security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
@@ -429,10 +440,10 @@
}
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
-index 9b5adeaa47fc..cd393aaa17d5 100644
+index fd5d46e511f1..5c40677e881c 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
-@@ -79,7 +79,7 @@ struct ima_rule_entry {
+@@ -80,7 +80,7 @@ struct ima_rule_entry {
bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
int pcr;
struct {
@@ -441,13 +452,13 @@
char *args_p; /* audit value */
int type; /* audit type */
} lsm[MAX_LSM_RULES];
-@@ -88,6 +88,22 @@ struct ima_rule_entry {
+@@ -90,6 +90,22 @@ struct ima_rule_entry {
struct ima_template_desc *template;
};
+/**
+ * ima_lsm_isset - Is a rule set for any of the active security modules
-+ * @rules: The set of IMA rules to check.
++ * @rules: The set of IMA rules to check
+ *
+ * If a rule is set for any LSM return true, otherwise return false.
+ */
@@ -464,7 +475,7 @@
/*
* Without LSM specific knowledge, the default policy can only be
* written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
-@@ -326,9 +342,11 @@ static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list)
+@@ -335,9 +351,11 @@ static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list)
static void ima_lsm_free_rule(struct ima_rule_entry *entry)
{
int i;
@@ -477,7 +488,7 @@
kfree(entry->lsm[i].args_p);
}
}
-@@ -379,8 +397,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
+@@ -388,8 +406,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
nentry->lsm[i].args_p,
@@ -488,7 +499,7 @@
pr_warn("rule for LSM \'%s\' is undefined\n",
nentry->lsm[i].args_p);
}
-@@ -545,7 +563,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
+@@ -578,7 +596,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
int rc = 0;
u32 osid;
@@ -497,7 +508,7 @@
if (!rule->lsm[i].args_p)
continue;
else
-@@ -558,14 +576,14 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
+@@ -591,14 +609,14 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
security_inode_getsecid(inode, &osid);
rc = ima_filter_rule_match(osid, rule->lsm[i].type,
Audit_equal,
@@ -511,10 +522,10 @@
Audit_equal,
- rule->lsm[i].rule);
+ rule->lsm[i].rules);
+ break;
default:
break;
- }
-@@ -952,7 +970,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
+@@ -994,7 +1012,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
{
int result;
@@ -523,7 +534,7 @@
return -EINVAL;
entry->lsm[lsm_rule].args_p = match_strdup(args);
-@@ -962,8 +980,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
+@@ -1004,8 +1022,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
entry->lsm[lsm_rule].type = audit_type;
result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
entry->lsm[lsm_rule].args_p,
@@ -534,7 +545,7 @@
pr_warn("rule for LSM \'%s\' is undefined\n",
entry->lsm[lsm_rule].args_p);
-@@ -1733,7 +1751,7 @@ int ima_policy_show(struct seq_file *m, void *v)
+@@ -1812,7 +1830,7 @@ int ima_policy_show(struct seq_file *m, void *v)
}
for (i = 0; i < MAX_LSM_RULES; i++) {
@@ -543,6 +554,66 @@
switch (i) {
case LSM_OBJ_USER:
seq_printf(m, pt(Opt_obj_user),
+diff --git a/security/landlock/cred.c b/security/landlock/cred.c
+index 6725af24c684..56b121d65436 100644
+--- a/security/landlock/cred.c
++++ b/security/landlock/cred.c
+@@ -42,5 +42,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
+ __init void landlock_add_cred_hooks(void)
+ {
+ security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
+- LANDLOCK_NAME);
++ &landlock_lsmid);
+ }
+diff --git a/security/landlock/fs.c b/security/landlock/fs.c
+index 97b8e421f617..319e90e9290c 100644
+--- a/security/landlock/fs.c
++++ b/security/landlock/fs.c
+@@ -688,5 +688,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
+ __init void landlock_add_fs_hooks(void)
+ {
+ security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
+- LANDLOCK_NAME);
++ &landlock_lsmid);
+ }
+diff --git a/security/landlock/ptrace.c b/security/landlock/ptrace.c
+index f55b82446de2..54ccf55a077a 100644
+--- a/security/landlock/ptrace.c
++++ b/security/landlock/ptrace.c
+@@ -116,5 +116,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
+ __init void landlock_add_ptrace_hooks(void)
+ {
+ security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
+- LANDLOCK_NAME);
++ &landlock_lsmid);
+ }
+diff --git a/security/landlock/setup.c b/security/landlock/setup.c
+index f8e8e980454c..759e00b9436c 100644
+--- a/security/landlock/setup.c
++++ b/security/landlock/setup.c
+@@ -23,6 +23,11 @@ struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = {
+ .lbs_superblock = sizeof(struct landlock_superblock_security),
+ };
+
++struct lsm_id landlock_lsmid __lsm_ro_after_init = {
++ .lsm = LANDLOCK_NAME,
++ .slot = LSMBLOB_NOT_NEEDED,
++};
++
+ static int __init landlock_init(void)
+ {
+ landlock_add_cred_hooks();
+diff --git a/security/landlock/setup.h b/security/landlock/setup.h
+index 1daffab1ab4b..38bce5b172dc 100644
+--- a/security/landlock/setup.h
++++ b/security/landlock/setup.h
+@@ -14,5 +14,6 @@
+ extern bool landlock_initialized;
+
+ extern struct lsm_blob_sizes landlock_blob_sizes;
++extern struct lsm_id landlock_lsmid;
+
+ #endif /* _SECURITY_LANDLOCK_SETUP_H */
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index b12f7d986b1e..b569f3bc170b 100644
--- a/security/loadpin/loadpin.c
@@ -595,10 +666,10 @@
}
diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c
-index 8a176b6adbe5..7c7ac9bfe5cd 100644
+index 963f4ad9cb66..0c368950dc14 100644
--- a/security/safesetid/lsm.c
+++ b/security/safesetid/lsm.c
-@@ -244,6 +244,11 @@ static int safesetid_task_fix_setgid(struct cred *new,
+@@ -241,6 +241,11 @@ static int safesetid_task_fix_setgid(struct cred *new,
return -EACCES;
}
@@ -610,7 +681,7 @@
static struct security_hook_list safesetid_security_hooks[] = {
LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid),
LSM_HOOK_INIT(task_fix_setgid, safesetid_task_fix_setgid),
-@@ -253,7 +258,8 @@ static struct security_hook_list safesetid_security_hooks[] = {
+@@ -250,7 +255,8 @@ static struct security_hook_list safesetid_security_hooks[] = {
static int __init safesetid_security_init(void)
{
security_add_hooks(safesetid_security_hooks,
@@ -621,18 +692,18 @@
/* Report that SafeSetID successfully initialized */
safesetid_initialized = 1;
diff --git a/security/security.c b/security/security.c
-index 5da8b3643680..d01363cb0082 100644
+index 335c313a668d..5f1b281511f2 100644
--- a/security/security.c
+++ b/security/security.c
-@@ -341,6 +341,7 @@ static void __init ordered_lsm_init(void)
- init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);
- init_debug("sock blob size = %d\n", blob_sizes.lbs_sock);
- init_debug("task blob size = %d\n", blob_sizes.lbs_task);
-+ init_debug("lsmblob size = %zu\n", sizeof(struct lsmblob));
+@@ -344,6 +344,7 @@ static void __init ordered_lsm_init(void)
+ init_debug("sock blob size = %d\n", blob_sizes.lbs_sock);
+ init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock);
+ init_debug("task blob size = %d\n", blob_sizes.lbs_task);
++ init_debug("lsmblob size = %zu\n", sizeof(struct lsmblob));
/*
* Create any kmem_caches needed for blobs
-@@ -468,21 +469,36 @@ static int lsm_append(const char *new, char **result)
+@@ -471,21 +472,38 @@ static int lsm_append(const char *new, char **result)
return 0;
}
@@ -646,7 +717,7 @@
* @hooks: the hooks to add
* @count: the number of hooks to add
- * @lsm: the name of the security module
-+ * @lsmid: the the identification information for the security module
++ * @lsmid: the identification information for the security module
*
* Each LSM has to register its hooks with the infrastructure.
+ * If the LSM is using hooks that export secids allocate a slot
@@ -658,6 +729,8 @@
{
int i;
++ WARN_ON(!lsmid->slot || !lsmid->lsm);
++
+ if (lsmid->slot == LSMBLOB_NEEDED) {
+ if (lsm_slot >= LSMBLOB_ENTRIES)
+ panic("%s Too many LSMs registered.\n", __func__);
@@ -672,7 +745,7 @@
hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
}
-@@ -491,7 +507,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
+@@ -494,7 +512,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
* and fix this up afterwards.
*/
if (slab_is_available()) {
@@ -681,7 +754,7 @@
panic("%s - Cannot get early memory.\n", __func__);
}
}
-@@ -2005,7 +2021,7 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+@@ -2070,7 +2088,7 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
struct security_hook_list *hp;
hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
@@ -690,7 +763,7 @@
continue;
return hp->hook.getprocattr(p, name, value);
}
-@@ -2018,7 +2034,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
+@@ -2083,7 +2101,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
struct security_hook_list *hp;
hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
@@ -699,7 +772,7 @@
continue;
return hp->hook.setprocattr(name, value, size);
}
-@@ -2510,7 +2526,24 @@ int security_key_getsecurity(struct key *key, char **_buffer)
+@@ -2576,7 +2594,24 @@ int security_key_getsecurity(struct key *key, char **_buffer)
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
{
@@ -725,7 +798,7 @@
}
int security_audit_rule_known(struct audit_krule *krule)
-@@ -2518,14 +2551,31 @@ int security_audit_rule_known(struct audit_krule *krule)
+@@ -2584,14 +2619,31 @@ int security_audit_rule_known(struct audit_krule *krule)
return call_int_hook(audit_rule_known, 0, krule);
}
@@ -762,10 +835,10 @@
#endif /* CONFIG_AUDIT */
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 2748281a5cca..52a50d7ca534 100644
+index e2c4a1fd952f..f84b6c274a10 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
-@@ -6933,6 +6933,11 @@ static int selinux_perf_event_write(struct perf_event *event)
+@@ -7101,6 +7101,11 @@ static int selinux_perf_event_write(struct perf_event *event)
}
#endif
@@ -777,7 +850,7 @@
/*
* IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
* 1. any hooks that don't belong to (2.) or (3.) below,
-@@ -7244,7 +7249,8 @@ static __init int selinux_init(void)
+@@ -7414,7 +7419,8 @@ static __init int selinux_init(void)
hashtab_cache_init();
@@ -788,11 +861,11 @@
if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
panic("SELinux: Unable to register AVC netcache callback\n");
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index ca4a6c862732..f96be93d1a75 100644
+index 1ee0bf1493f6..5c10ad27be37 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
-@@ -4693,6 +4693,11 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
- .lbs_sock = sizeof(struct socket_smack),
+@@ -4694,6 +4694,11 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
+ .lbs_superblock = sizeof(struct superblock_smack),
};
+static struct lsm_id smack_lsmid __lsm_ro_after_init = {
@@ -803,7 +876,7 @@
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
-@@ -4892,7 +4897,7 @@ static __init int smack_init(void)
+@@ -4893,7 +4898,7 @@ static __init int smack_init(void)
/*
* Register with LSM
*/
@@ -813,10 +886,10 @@
pr_info("Smack: Initializing.\n");
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
-index 1f3cd432d830..22f62c67f2ec 100644
+index b6a31901f289..e8f6bb9782c1 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
-@@ -523,6 +523,11 @@ static void tomoyo_task_free(struct task_struct *task)
+@@ -521,6 +521,11 @@ static void tomoyo_task_free(struct task_struct *task)
}
}
@@ -828,7 +901,7 @@
/*
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
-@@ -575,7 +580,8 @@ static int __init tomoyo_init(void)
+@@ -573,7 +578,8 @@ static int __init tomoyo_init(void)
struct tomoyo_task *s = tomoyo_task(current);
/* register ourselves with the security framework */
@@ -864,5 +937,5 @@
return 0;
}
--
-2.24.1
+2.31.1