diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2011-01-10 11:18:59 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-01-10 11:18:59 -0800 |
commit | e0e736fc0d33861335e2a132e4f688f7fd380c61 (patch) | |
tree | d9febe9ca1ef1e24efc5e6e1e34e412316d246bd /include | |
parent | a08948812b30653eb2c536ae613b635a989feb6f (diff) | |
parent | aeda4ac3efc29e4d55989abd0a73530453aa69ba (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (30 commits)
MAINTAINERS: Add tomoyo-dev-en ML.
SELinux: define permissions for DCB netlink messages
encrypted-keys: style and other cleanup
encrypted-keys: verify datablob size before converting to binary
trusted-keys: kzalloc and other cleanup
trusted-keys: additional TSS return code and other error handling
syslog: check cap_syslog when dmesg_restrict
Smack: Transmute labels on specified directories
selinux: cache sidtab_context_to_sid results
SELinux: do not compute transition labels on mountpoint labeled filesystems
This patch adds a new security attribute to Smack called SMACK64EXEC. It defines label that is used while task is running.
SELinux: merge policydb_index_classes and policydb_index_others
selinux: convert part of the sym_val_to_name array to use flex_array
selinux: convert type_val_to_struct to flex_array
flex_array: fix flex_array_put_ptr macro to be valid C
SELinux: do not set automatic i_ino in selinuxfs
selinux: rework security_netlbl_secattr_to_sid
SELinux: standardize return code handling in selinuxfs.c
SELinux: standardize return code handling in selinuxfs.c
SELinux: standardize return code handling in policydb.c
...
Diffstat (limited to 'include')
-rw-r--r-- | include/keys/encrypted-type.h | 29 | ||||
-rw-r--r-- | include/keys/trusted-type.h | 31 | ||||
-rw-r--r-- | include/linux/capability.h | 7 | ||||
-rw-r--r-- | include/linux/flex_array.h | 2 | ||||
-rw-r--r-- | include/linux/kernel.h | 3 | ||||
-rw-r--r-- | include/linux/security.h | 3 | ||||
-rw-r--r-- | include/linux/tpm.h | 4 | ||||
-rw-r--r-- | include/linux/tpm_command.h | 28 | ||||
-rw-r--r-- | include/linux/xattr.h | 4 |
9 files changed, 106 insertions, 5 deletions
diff --git a/include/keys/encrypted-type.h b/include/keys/encrypted-type.h new file mode 100644 index 00000000000..95855017a32 --- /dev/null +++ b/include/keys/encrypted-type.h @@ -0,0 +1,29 @@ +/* + * Copyright (C) 2010 IBM Corporation + * Author: Mimi Zohar <zohar@us.ibm.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2 of the License. + */ + +#ifndef _KEYS_ENCRYPTED_TYPE_H +#define _KEYS_ENCRYPTED_TYPE_H + +#include <linux/key.h> +#include <linux/rcupdate.h> + +struct encrypted_key_payload { + struct rcu_head rcu; + char *master_desc; /* datablob: master key name */ + char *datalen; /* datablob: decrypted key length */ + u8 *iv; /* datablob: iv */ + u8 *encrypted_data; /* datablob: encrypted data */ + unsigned short datablob_len; /* length of datablob */ + unsigned short decrypted_datalen; /* decrypted data length */ + u8 decrypted_data[0]; /* decrypted data + datablob + hmac */ +}; + +extern struct key_type key_type_encrypted; + +#endif /* _KEYS_ENCRYPTED_TYPE_H */ diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h new file mode 100644 index 00000000000..56f82e5c997 --- /dev/null +++ b/include/keys/trusted-type.h @@ -0,0 +1,31 @@ +/* + * Copyright (C) 2010 IBM Corporation + * Author: David Safford <safford@us.ibm.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2 of the License. + */ + +#ifndef _KEYS_TRUSTED_TYPE_H +#define _KEYS_TRUSTED_TYPE_H + +#include <linux/key.h> +#include <linux/rcupdate.h> + +#define MIN_KEY_SIZE 32 +#define MAX_KEY_SIZE 128 +#define MAX_BLOB_SIZE 320 + +struct trusted_key_payload { + struct rcu_head rcu; + unsigned int key_len; + unsigned int blob_len; + unsigned char migratable; + unsigned char key[MAX_KEY_SIZE + 1]; + unsigned char blob[MAX_BLOB_SIZE]; +}; + +extern struct key_type key_type_trusted; + +#endif /* _KEYS_TRUSTED_TYPE_H */ diff --git a/include/linux/capability.h b/include/linux/capability.h index 90012b9ddbf..fb16a3699b9 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -246,7 +246,6 @@ struct cpu_vfs_cap_data { /* Allow configuration of the secure attention key */ /* Allow administration of the random device */ /* Allow examination and configuration of disk quotas */ -/* Allow configuring the kernel's syslog (printk behaviour) */ /* Allow setting the domainname */ /* Allow setting the hostname */ /* Allow calling bdflush() */ @@ -352,7 +351,11 @@ struct cpu_vfs_cap_data { #define CAP_MAC_ADMIN 33 -#define CAP_LAST_CAP CAP_MAC_ADMIN +/* Allow configuring the kernel's syslog (printk behaviour) */ + +#define CAP_SYSLOG 34 + +#define CAP_LAST_CAP CAP_SYSLOG #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) diff --git a/include/linux/flex_array.h b/include/linux/flex_array.h index 631b77f2ac7..70e4efabe0f 100644 --- a/include/linux/flex_array.h +++ b/include/linux/flex_array.h @@ -71,7 +71,7 @@ void *flex_array_get(struct flex_array *fa, unsigned int element_nr); int flex_array_shrink(struct flex_array *fa); #define flex_array_put_ptr(fa, nr, src, gfp) \ - flex_array_put(fa, nr, &(void *)(src), gfp) + flex_array_put(fa, nr, (void *)&(src), gfp) void *flex_array_get_ptr(struct flex_array *fa, unsigned int element_nr); diff --git a/include/linux/kernel.h b/include/linux/kernel.h index b6de9a6f701..d0fbc043de6 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -56,6 +56,8 @@ #define FIELD_SIZEOF(t, f) (sizeof(((t*)0)->f)) #define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d)) + +/* The `const' in roundup() prevents gcc-3.3 from calling __divdi3 */ #define roundup(x, y) ( \ { \ const typeof(y) __y = y; \ @@ -263,6 +265,7 @@ static inline char *pack_hex_byte(char *buf, u8 byte) } extern int hex_to_bin(char ch); +extern void hex2bin(u8 *dst, const char *src, size_t count); /* * General tracing related utility functions - trace_printk(), diff --git a/include/linux/security.h b/include/linux/security.h index 1ac42475ea0..c642bb8b8f5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1058,8 +1058,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @cred points to the credentials to provide the context against which to * evaluate the security data on the key. * @perm describes the combination of permissions required of this key. - * Return 1 if permission granted, 0 if permission denied and -ve it the - * normal permissions model should be effected. + * Return 0 if permission is granted, -ve error otherwise. * @key_getsecurity: * Get a textual representation of the security context attached to a key * for the purposes of honouring KEYCTL_GETSECURITY. This function diff --git a/include/linux/tpm.h b/include/linux/tpm.h index ac5d1c1285d..fdc718abf83 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -31,6 +31,7 @@ extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf); extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash); +extern int tpm_send(u32 chip_num, void *cmd, size_t buflen); #else static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) { return -ENODEV; @@ -38,5 +39,8 @@ static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) { static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) { return -ENODEV; } +static inline int tpm_send(u32 chip_num, void *cmd, size_t buflen) { + return -ENODEV; +} #endif #endif diff --git a/include/linux/tpm_command.h b/include/linux/tpm_command.h new file mode 100644 index 00000000000..727512e249b --- /dev/null +++ b/include/linux/tpm_command.h @@ -0,0 +1,28 @@ +#ifndef __LINUX_TPM_COMMAND_H__ +#define __LINUX_TPM_COMMAND_H__ + +/* + * TPM Command constants from specifications at + * http://www.trustedcomputinggroup.org + */ + +/* Command TAGS */ +#define TPM_TAG_RQU_COMMAND 193 +#define TPM_TAG_RQU_AUTH1_COMMAND 194 +#define TPM_TAG_RQU_AUTH2_COMMAND 195 +#define TPM_TAG_RSP_COMMAND 196 +#define TPM_TAG_RSP_AUTH1_COMMAND 197 +#define TPM_TAG_RSP_AUTH2_COMMAND 198 + +/* Command Ordinals */ +#define TPM_ORD_GETRANDOM 70 +#define TPM_ORD_OSAP 11 +#define TPM_ORD_OIAP 10 +#define TPM_ORD_SEAL 23 +#define TPM_ORD_UNSEAL 24 + +/* Other constants */ +#define SRKHANDLE 0x40000000 +#define TPM_NONCE_SIZE 20 + +#endif diff --git a/include/linux/xattr.h b/include/linux/xattr.h index f1e5bde4b35..e6131ef98d8 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h @@ -40,9 +40,13 @@ #define XATTR_SMACK_SUFFIX "SMACK64" #define XATTR_SMACK_IPIN "SMACK64IPIN" #define XATTR_SMACK_IPOUT "SMACK64IPOUT" +#define XATTR_SMACK_EXEC "SMACK64EXEC" +#define XATTR_SMACK_TRANSMUTE "SMACK64TRANSMUTE" #define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX #define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN #define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT +#define XATTR_NAME_SMACKEXEC XATTR_SECURITY_PREFIX XATTR_SMACK_EXEC +#define XATTR_NAME_SMACKTRANSMUTE XATTR_SECURITY_PREFIX XATTR_SMACK_TRANSMUTE #define XATTR_CAPS_SUFFIX "capability" #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX |