diff v29→v28 (patch 2) | series

Inter-revision diff: patch 2

Comparing v29 (message) to v28 (message)
--- v29
+++ v28
@@ -21,7 +21,7 @@
 Because IMA uses the audit rule functions it is
 affected as well.
 
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
 Acked-by: Paul Moore <paul@paul-moore.com>
 Acked-by: John Johansen <john.johansen@canonical.com>
 Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
@@ -117,10 +117,10 @@
  #define LSM_FLAG_LEGACY_MAJOR	BIT(0)
  #define LSM_FLAG_EXCLUSIVE	BIT(1)
 diff --git a/include/linux/security.h b/include/linux/security.h
-index 5b7288521300..1b05094468b7 100644
+index 24eda04221e9..7655bfce4b96 100644
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
-@@ -134,6 +134,65 @@ enum lockdown_reason {
+@@ -133,6 +133,65 @@ enum lockdown_reason {
  
  extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
  
@@ -186,7 +186,7 @@
  /* These functions are in security/commoncap.c */
  extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
  		       int cap, unsigned int opts);
-@@ -1882,8 +1941,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
+@@ -1881,8 +1940,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
  #ifdef CONFIG_SECURITY
  int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
  int security_audit_rule_known(struct audit_krule *krule);
@@ -197,7 +197,7 @@
  
  #else
  
-@@ -1899,12 +1958,12 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
+@@ -1898,12 +1957,12 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
  }
  
  static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
@@ -440,19 +440,19 @@
  }
  
 diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
-index 87b9b71cb820..cbe6f1244e31 100644
+index fd5d46e511f1..5c40677e881c 100644
 --- a/security/integrity/ima/ima_policy.c
 +++ b/security/integrity/ima/ima_policy.c
-@@ -84,7 +84,7 @@ struct ima_rule_entry {
+@@ -80,7 +80,7 @@ struct ima_rule_entry {
+ 	bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
  	int pcr;
- 	unsigned int allowed_algos; /* bitfield of allowed hash algorithms */
  	struct {
 -		void *rule;	/* LSM file metadata specific */
 +		void *rules[LSMBLOB_ENTRIES]; /* LSM file metadata specific */
  		char *args_p;	/* audit value */
  		int type;	/* audit type */
  	} lsm[MAX_LSM_RULES];
-@@ -94,6 +94,22 @@ struct ima_rule_entry {
+@@ -90,6 +90,22 @@ struct ima_rule_entry {
  	struct ima_template_desc *template;
  };
  
@@ -473,9 +473,9 @@
 +}
 +
  /*
-  * sanity check in case the kernels gains more hash algorithms that can
-  * fit in an unsigned int
-@@ -347,9 +363,11 @@ static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list)
+  * Without LSM specific knowledge, the default policy can only be
+  * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
+@@ -335,9 +351,11 @@ static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list)
  static void ima_lsm_free_rule(struct ima_rule_entry *entry)
  {
  	int i;
@@ -488,7 +488,7 @@
  		kfree(entry->lsm[i].args_p);
  	}
  }
-@@ -400,8 +418,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
+@@ -388,8 +406,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
  
  		ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
  				     nentry->lsm[i].args_p,
@@ -499,7 +499,7 @@
  			pr_warn("rule for LSM \'%s\' is undefined\n",
  				nentry->lsm[i].args_p);
  	}
-@@ -590,7 +608,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
+@@ -578,7 +596,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
  		int rc = 0;
  		u32 osid;
  
@@ -508,7 +508,7 @@
  			if (!rule->lsm[i].args_p)
  				continue;
  			else
-@@ -603,14 +621,14 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
+@@ -591,14 +609,14 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
  			security_inode_getsecid(inode, &osid);
  			rc = ima_filter_rule_match(osid, rule->lsm[i].type,
  						   Audit_equal,
@@ -525,7 +525,7 @@
  			break;
  		default:
  			break;
-@@ -1046,7 +1064,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
+@@ -994,7 +1012,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
  {
  	int result;
  
@@ -534,7 +534,7 @@
  		return -EINVAL;
  
  	entry->lsm[lsm_rule].args_p = match_strdup(args);
-@@ -1056,8 +1074,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
+@@ -1004,8 +1022,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
  	entry->lsm[lsm_rule].type = audit_type;
  	result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
  				      entry->lsm[lsm_rule].args_p,
@@ -545,7 +545,7 @@
  		pr_warn("rule for LSM \'%s\' is undefined\n",
  			entry->lsm[lsm_rule].args_p);
  
-@@ -1954,7 +1972,7 @@ int ima_policy_show(struct seq_file *m, void *v)
+@@ -1812,7 +1830,7 @@ int ima_policy_show(struct seq_file *m, void *v)
  	}
  
  	for (i = 0; i < MAX_LSM_RULES; i++) {
@@ -692,10 +692,10 @@
  	/* Report that SafeSetID successfully initialized */
  	safesetid_initialized = 1;
 diff --git a/security/security.c b/security/security.c
-index 26df1ff0b529..b4af710fbb90 100644
+index 335c313a668d..5f1b281511f2 100644
 --- a/security/security.c
 +++ b/security/security.c
-@@ -345,6 +345,7 @@ static void __init ordered_lsm_init(void)
+@@ -344,6 +344,7 @@ static void __init ordered_lsm_init(void)
  	init_debug("sock blob size       = %d\n", blob_sizes.lbs_sock);
  	init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock);
  	init_debug("task blob size       = %d\n", blob_sizes.lbs_task);
@@ -703,7 +703,7 @@
  
  	/*
  	 * Create any kmem_caches needed for blobs
-@@ -472,21 +473,38 @@ static int lsm_append(const char *new, char **result)
+@@ -471,21 +472,38 @@ static int lsm_append(const char *new, char **result)
  	return 0;
  }
  
@@ -745,7 +745,7 @@
  		hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
  	}
  
-@@ -495,7 +513,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
+@@ -494,7 +512,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
  	 * and fix this up afterwards.
  	 */
  	if (slab_is_available()) {
@@ -754,7 +754,7 @@
  			panic("%s - Cannot get early memory.\n", __func__);
  	}
  }
-@@ -2071,7 +2089,7 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+@@ -2070,7 +2088,7 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
  	struct security_hook_list *hp;
  
  	hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
@@ -763,7 +763,7 @@
  			continue;
  		return hp->hook.getprocattr(p, name, value);
  	}
-@@ -2084,7 +2102,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
+@@ -2083,7 +2101,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
  	struct security_hook_list *hp;
  
  	hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
@@ -772,7 +772,7 @@
  			continue;
  		return hp->hook.setprocattr(name, value, size);
  	}
-@@ -2577,7 +2595,24 @@ int security_key_getsecurity(struct key *key, char **_buffer)
+@@ -2576,7 +2594,24 @@ int security_key_getsecurity(struct key *key, char **_buffer)
  
  int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
  {
@@ -798,7 +798,7 @@
  }
  
  int security_audit_rule_known(struct audit_krule *krule)
-@@ -2585,14 +2620,31 @@ int security_audit_rule_known(struct audit_krule *krule)
+@@ -2584,14 +2619,31 @@ int security_audit_rule_known(struct audit_krule *krule)
  	return call_int_hook(audit_rule_known, 0, krule);
  }
  
@@ -835,10 +835,10 @@
  #endif /* CONFIG_AUDIT */
  
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 9f050bdefb17..824a0df03aca 100644
+index e2c4a1fd952f..f84b6c274a10 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -7107,6 +7107,11 @@ static int selinux_perf_event_write(struct perf_event *event)
+@@ -7101,6 +7101,11 @@ static int selinux_perf_event_write(struct perf_event *event)
  }
  #endif
  
@@ -850,7 +850,7 @@
  /*
   * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
   * 1. any hooks that don't belong to (2.) or (3.) below,
-@@ -7420,7 +7425,8 @@ static __init int selinux_init(void)
+@@ -7414,7 +7419,8 @@ static __init int selinux_init(void)
  
  	hashtab_cache_init();
  
@@ -861,7 +861,7 @@
  	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
  		panic("SELinux: Unable to register AVC netcache callback\n");
 diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index f9c6940e6991..9474fcdaf002 100644
+index 1ee0bf1493f6..5c10ad27be37 100644
 --- a/security/smack/smack_lsm.c
 +++ b/security/smack/smack_lsm.c
 @@ -4694,6 +4694,11 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help