diff options
author | Xinyu Chen <xinyu.chen@freescale.com> | 2012-07-25 16:54:33 +0800 |
---|---|---|
committer | Xinyu Chen <xinyu.chen@freescale.com> | 2012-07-25 16:54:33 +0800 |
commit | 10ca2f12149b8c3fde9af51da89736529892dc69 (patch) | |
tree | 1a5118db41796df0a40c20467f37542e957e87a0 /security | |
parent | 3fb99edfabe05a47803eba7f39109b5eb86e25df (diff) | |
parent | cf3095062b75f6e518c6ef8a25b47a5b2ced7668 (diff) |
Merge remote branch 'fsl-linux-sdk/imx_3.0.35' into imx_3.0.35_android
Conflicts:
arch/arm/configs/imx6_defconfig
arch/arm/configs/imx6_updater_defconfig
arch/arm/configs/imx6s_defconfig
arch/arm/include/asm/dma-mapping.h
arch/arm/kernel/smp.c
arch/arm/mach-mx6/Kconfig
arch/arm/mach-mx6/board-mx6dl_arm2.h
arch/arm/mach-mx6/board-mx6dl_sabresd.h
arch/arm/mach-mx6/board-mx6q_arm2.c
arch/arm/mach-mx6/board-mx6q_arm2.h
arch/arm/mach-mx6/board-mx6q_sabreauto.c
arch/arm/mach-mx6/board-mx6q_sabreauto.h
arch/arm/mach-mx6/board-mx6q_sabrelite.c
arch/arm/mach-mx6/board-mx6q_sabresd.c
arch/arm/mach-mx6/board-mx6q_sabresd.h
arch/arm/mach-mx6/board-mx6sl_arm2.c
arch/arm/mach-mx6/board-mx6sl_arm2.h
arch/arm/mach-mx6/board-mx6solo_sabreauto.h
arch/arm/mach-mx6/bus_freq.c
arch/arm/mach-mx6/clock.c
arch/arm/mach-mx6/clock_mx6sl.c
arch/arm/mach-mx6/cpu.c
arch/arm/mach-mx6/crm_regs.h
arch/arm/mach-mx6/devices-imx6q.h
arch/arm/mach-mx6/devices.c
arch/arm/mach-mx6/mx6_anatop_regulator.c
arch/arm/mach-mx6/pcie.c
arch/arm/mach-mx6/system.c
arch/arm/mm/dma-mapping.c
arch/arm/plat-mxc/devices/Makefile
arch/arm/plat-mxc/devices/platform-imx-dcp.c
arch/arm/plat-mxc/devices/platform-imx-ocotp.c
arch/arm/plat-mxc/devices/platform-imx-rngb.c
arch/arm/plat-mxc/devices/platform-mxc_hdmi.c
arch/arm/plat-mxc/include/mach/devices-common.h
arch/arm/plat-mxc/include/mach/esdhc.h
arch/arm/plat-mxc/include/mach/iomux-mx6dl.h
arch/arm/plat-mxc/include/mach/iomux-mx6q.h
arch/arm/plat-mxc/include/mach/memory.h
arch/arm/plat-mxc/include/mach/mx6.h
arch/arm/plat-mxc/include/mach/mxc_edid.h
arch/arm/plat-mxc/include/mach/mxc_hdmi.h
arch/arm/plat-mxc/system.c
drivers/Kconfig
drivers/char/hw_random/fsl-rngc.c
drivers/cpufreq/Makefile
drivers/cpufreq/cpufreq_interactive.c
drivers/crypto/Kconfig
drivers/crypto/caam/caamalg.c
drivers/crypto/caam/compat.h
drivers/crypto/caam/ctrl.c
drivers/crypto/caam/desc_constr.h
drivers/crypto/caam/intern.h
drivers/crypto/dcp.c
drivers/dma/pch_dma.c
drivers/input/keyboard/gpio_keys.c
drivers/input/touchscreen/egalax_ts.c
drivers/input/touchscreen/max11801_ts.c
drivers/media/video/mxc/capture/Kconfig
drivers/media/video/mxc/capture/adv7180.c
drivers/media/video/mxc/capture/ipu_csi_enc.c
drivers/media/video/mxc/capture/ipu_prp_vf_sdc.c
drivers/media/video/mxc/capture/ipu_prp_vf_sdc_bg.c
drivers/media/video/mxc/capture/mxc_v4l2_capture.c
drivers/media/video/mxc/capture/ov5640_mipi.c
drivers/media/video/mxc/output/mxc_vout.c
drivers/misc/Kconfig
drivers/misc/Makefile
drivers/mmc/card/block.c
drivers/mmc/core/mmc.c
drivers/mmc/host/mmci.c
drivers/mmc/host/sdhci-esdhc-imx.c
drivers/mmc/host/sdhci.c
drivers/mmc/host/sdhci.h
drivers/mxc/Kconfig
drivers/mxc/Makefile
drivers/mxc/asrc/mxc_asrc.c
drivers/mxc/gpu-viv/arch/XAQ2/hal/kernel/gc_hal_kernel_context.c
drivers/mxc/gpu-viv/arch/XAQ2/hal/kernel/gc_hal_kernel_hardware.c
drivers/mxc/gpu-viv/hal/kernel/gc_hal_kernel.c
drivers/mxc/gpu-viv/hal/kernel/gc_hal_kernel.h
drivers/mxc/gpu-viv/hal/kernel/gc_hal_kernel_command.c
drivers/mxc/gpu-viv/hal/kernel/gc_hal_kernel_event.c
drivers/mxc/gpu-viv/hal/kernel/inc/gc_hal.h
drivers/mxc/gpu-viv/hal/kernel/inc/gc_hal_base.h
drivers/mxc/gpu-viv/hal/kernel/inc/gc_hal_options.h
drivers/mxc/gpu-viv/hal/os/linux/kernel/gc_hal_kernel_os.c
drivers/mxc/ipu3/ipu_device.c
drivers/mxc/vpu/mxc_vpu.c
drivers/net/fec.c
drivers/net/wireless/Makefile
drivers/power/sabresd_battery.c
drivers/regulator/core.c
drivers/tty/serial/imx.c
drivers/usb/core/hub.c
drivers/usb/gadget/arcotg_udc.c
drivers/usb/gadget/fsl_updater.c
drivers/usb/gadget/inode.c
drivers/usb/host/ehci-hub.c
drivers/video/mxc/ldb.c
drivers/video/mxc/mipi_dsi.c
drivers/video/mxc/mxc_dispdrv.c
drivers/video/mxc/mxc_dispdrv.h
drivers/video/mxc/mxc_edid.c
drivers/video/mxc/mxc_elcdif_fb.c
drivers/video/mxc/mxc_ipuv3_fb.c
drivers/video/mxc/mxc_spdc_fb.c
drivers/video/mxc_hdmi.c
drivers/watchdog/imx2_wdt.c
fs/proc/base.c
include/linux/mmc/host.h
include/linux/mmc/sdhci.h
include/linux/mxc_v4l2.h
kernel/power/main.c
sound/soc/codecs/mxc_hdmi.c
sound/soc/codecs/mxc_spdif.c
sound/soc/codecs/wm8962.c
sound/soc/imx/Kconfig
sound/soc/imx/Makefile
sound/soc/imx/imx-cs42888.c
sound/soc/imx/imx-esai.c
sound/soc/imx/imx-wm8958.c
sound/soc/imx/imx-wm8962.c
Diffstat (limited to 'security')
-rw-r--r-- | security/commoncap.c | 6 | ||||
-rw-r--r-- | security/integrity/ima/ima_api.c | 4 | ||||
-rw-r--r-- | security/integrity/ima/ima_queue.c | 17 | ||||
-rw-r--r-- | security/selinux/netport.c | 4 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 1 | ||||
-rw-r--r-- | security/tomoyo/mount.c | 38 |
6 files changed, 44 insertions, 26 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 1322b6aa648d..ccfe568b396f 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -28,6 +28,7 @@ #include <linux/prctl.h> #include <linux/securebits.h> #include <linux/user_namespace.h> +#include <linux/personality.h> #ifdef CONFIG_ANDROID_PARANOID_NETWORK #include <linux/android_aid.h> @@ -519,6 +520,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) } skip: + /* if we have fs caps, clear dangerous personality flags */ + if (!cap_issubset(new->cap_permitted, old->cap_permitted)) + bprm->per_clear |= PER_CLEAR_ON_SETID; + + /* Don't let someone trace a set[ug]id/setpcap binary with the revised * credentials unless they have the appropriate permit */ diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index da36d2c085a4..5335605571fe 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -177,8 +177,8 @@ void ima_store_measurement(struct ima_iint_cache *iint, struct file *file, strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX); result = ima_store_template(entry, violation, inode); - if (!result) + if (!result || result == -EEXIST) iint->flags |= IMA_MEASURED; - else + if (result < 0) kfree(entry); } diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c index 8e28f04a5e2e..55a6271bce7a 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -23,6 +23,8 @@ #include <linux/slab.h> #include "ima.h" +#define AUDIT_CAUSE_LEN_MAX 32 + LIST_HEAD(ima_measurements); /* list of all measurements */ /* key: inode (before secure-hashing a file) */ @@ -94,7 +96,8 @@ static int ima_pcr_extend(const u8 *hash) result = tpm_pcr_extend(TPM_ANY_NUM, CONFIG_IMA_MEASURE_PCR_IDX, hash); if (result != 0) - pr_err("IMA: Error Communicating to TPM chip\n"); + pr_err("IMA: Error Communicating to TPM chip, result: %d\n", + result); return result; } @@ -106,14 +109,16 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, { u8 digest[IMA_DIGEST_SIZE]; const char *audit_cause = "hash_added"; + char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX]; int audit_info = 1; - int result = 0; + int result = 0, tpmresult = 0; mutex_lock(&ima_extend_list_mutex); if (!violation) { memcpy(digest, entry->digest, sizeof digest); if (ima_lookup_digest_entry(digest)) { audit_cause = "hash_exists"; + result = -EEXIST; goto out; } } @@ -128,9 +133,11 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, if (violation) /* invalidate pcr */ memset(digest, 0xff, sizeof digest); - result = ima_pcr_extend(digest); - if (result != 0) { - audit_cause = "TPM error"; + tpmresult = ima_pcr_extend(digest); + if (tpmresult != 0) { + snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)", + tpmresult); + audit_cause = tpm_audit_cause; audit_info = 0; } out: diff --git a/security/selinux/netport.c b/security/selinux/netport.c index cfe2d72d3fb7..e2b74ebdc383 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c @@ -139,7 +139,9 @@ static void sel_netport_insert(struct sel_netport *port) if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) { struct sel_netport *tail; tail = list_entry( - rcu_dereference(sel_netport_hash[idx].list.prev), + rcu_dereference_protected( + sel_netport_hash[idx].list.prev, + lockdep_is_held(&sel_netport_lock)), struct sel_netport, list); list_del_rcu(&tail->list); call_rcu(&tail->rcu, sel_netport_free); diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 35459340019e..27a96732b872 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -1241,6 +1241,7 @@ static int sel_make_bools(void) kfree(bool_pending_names[i]); kfree(bool_pending_names); kfree(bool_pending_values); + bool_num = 0; bool_pending_names = NULL; bool_pending_values = NULL; diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c index 9fc2e15841c9..892494ac58e2 100644 --- a/security/tomoyo/mount.c +++ b/security/tomoyo/mount.c @@ -205,30 +205,32 @@ int tomoyo_mount_permission(char *dev_name, struct path *path, char *type, if (flags & MS_REMOUNT) { type = TOMOYO_MOUNT_REMOUNT_KEYWORD; flags &= ~MS_REMOUNT; - } - if (flags & MS_MOVE) { - type = TOMOYO_MOUNT_MOVE_KEYWORD; - flags &= ~MS_MOVE; - } - if (flags & MS_BIND) { + } else if (flags & MS_BIND) { type = TOMOYO_MOUNT_BIND_KEYWORD; flags &= ~MS_BIND; - } - if (flags & MS_UNBINDABLE) { - type = TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD; - flags &= ~MS_UNBINDABLE; - } - if (flags & MS_PRIVATE) { + } else if (flags & MS_SHARED) { + if (flags & (MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE)) + return -EINVAL; + type = TOMOYO_MOUNT_MAKE_SHARED_KEYWORD; + flags &= ~MS_SHARED; + } else if (flags & MS_PRIVATE) { + if (flags & (MS_SHARED | MS_SLAVE | MS_UNBINDABLE)) + return -EINVAL; type = TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD; flags &= ~MS_PRIVATE; - } - if (flags & MS_SLAVE) { + } else if (flags & MS_SLAVE) { + if (flags & (MS_SHARED | MS_PRIVATE | MS_UNBINDABLE)) + return -EINVAL; type = TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD; flags &= ~MS_SLAVE; - } - if (flags & MS_SHARED) { - type = TOMOYO_MOUNT_MAKE_SHARED_KEYWORD; - flags &= ~MS_SHARED; + } else if (flags & MS_UNBINDABLE) { + if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE)) + return -EINVAL; + type = TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD; + flags &= ~MS_UNBINDABLE; + } else if (flags & MS_MOVE) { + type = TOMOYO_MOUNT_MOVE_KEYWORD; + flags &= ~MS_MOVE; } if (!type) type = "<NULL>"; |