Changes in 4.14.194
USB: serial: qcserial: add EM7305 QDL product ID
net/mlx5e: Don't support phys switch id if not in switchdev mode
USB: iowarrior: fix up report size handling for some devices
usb: xhci: define IDs for various ASMedia host controllers
usb: xhci: Fix ASMedia ASM1142 DMA addressing
ALSA: seq: oss: Serialize ioctls
staging: android: ashmem: Fix lockdep warning for write operation
Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
omapfb: dss: Fix max fclk divider for omap36xx
binder: Prevent context manager from incrementing ref 0
vgacon: Fix for missing check in scrollback handling
mtd: properly check all write ioctls for permissions
leds: wm831x-status: fix use-after-free on unbind
leds: da903x: fix use-after-free on unbind
leds: lm3533: fix use-after-free on unbind
leds: 88pm860x: fix use-after-free on unbind
net/9p: validate fds in p9_fd_open
drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason
drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
i2c: slave: improve sanity check when registering
i2c: slave: add sanity check when unregistering
cfg80211: check vendor command doit pointer before use
igb: reinit_locked() should be called with rtnl_lock
atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
tools lib traceevent: Fix memory leak in process_dynamic_array_len
Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
xattr: break delegations in {set,remove}xattr
ipv4: Silence suspicious RCU usage warning
ipv6: fix memory leaks on IPV6_ADDRFORM path
net: ethernet: mtk_eth_soc: fix MTU warnings
vxlan: Ensure FDB dump is performed under RCU
net: lan78xx: replace bogus endpoint lookup
hv_netvsc: do not use VF device if link is down
net: gre: recompute gre csum for sctp over gre tunnels
openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()
Revert "vxlan: fix tos value before xmit"
selftests/net: relax cpu affinity requirement in msg_zerocopy test
usb: hso: check for return value in hso_serial_common_create()
rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
Smack: fix use-after-free in smk_write_relabel_self()
tracepoint: Mark __tracepoint_string's __used
HID: input: Fix devices that return multiple bytes in battery report
cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
x86/mce/inject: Fix a wrong assignment of i_mce.status
sched: correct SD_flags returned by tl->sd_flags()
arm64: dts: rockchip: fix rk3399-puma vcc5v0-host gpio
arm64: dts: rockchip: fix rk3399-puma gmac reset gpio
EDAC: Fix reference count leaks
arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property
arm64: dts: exynos: Fix silent hang after boot on Espresso
m68k: mac: Don't send IOP message until channel is idle
m68k: mac: Fix IOP status/control register writes
platform/x86: intel-hid: Fix return value check in check_acpi_dev()
platform/x86: intel-vbtn: Fix return value check in check_acpi_dev()
ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()
spi: lantiq: fix: Rx overflow error in full duplex mode
ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh()
drm/tilcdc: fix leak & null ref in panel_connector_get_modes
Bluetooth: add a mutex lock to avoid UAF in do_enale_set
fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls
drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync
video: fbdev: neofb: fix memory leak in neo_scan_monitor()
md-cluster: fix wild pointer of unlock_all_bitmaps()
arm64: dts: hisilicon: hikey: fixes to comply with adi, adv7533 DT binding
drm/nouveau: fix multiple instances of reference count leaks
drm/debugfs: fix plain echo to connector "force" attribute
irqchip/irq-mtk-sysirq: Replace spinlock with raw_spinlock
mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls
brcmfmac: To fix Bss Info flag definition Bug
brcmfmac: set state of hanger slot to FREE when flushing PSQ
iwlegacy: Check the return value of pcie_capability_read_*()
gpu: host1x: debug: Fix multiple channels emitting messages simultaneously
usb: gadget: net2280: fix memory leak on probe error handling paths
bdc: Fix bug causing crash after multiple disconnects
usb: bdc: Halt controller on suspend
dyndbg: fix a BUG_ON in ddebug_describe_flags
bcache: fix super block seq numbers comparision in register_cache_set()
ACPICA: Do not increment operation_region reference counts for field units
agp/intel: Fix a memory leak on module initialisation failure
video: fbdev: sm712fb: fix an issue about iounmap for a wrong address
console: newport_con: fix an issue about leak related system resources
video: pxafb: Fix the function used to balance a 'dma_alloc_coherent()' call
iio: improve IIO_CONCENTRATION channel type description
drm/arm: fix unintentional integer overflow on left shift
leds: lm355x: avoid enum conversion warning
media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities()
ASoC: Intel: bxt_rt298: add missing .owner field
scsi: cumana_2: Fix different dev_id between request_irq() and free_irq()
drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline
cxl: Fix kobject memleak
drm/radeon: fix array out-of-bounds read and write issues
scsi: powertec: Fix different dev_id between request_irq() and free_irq()
scsi: eesox: Fix different dev_id between request_irq() and free_irq()
ipvs: allow connection reuse for unconfirmed conntrack
media: firewire: Using uninitialized values in node_probe()
media: exynos4-is: Add missed check for pinctrl_lookup_state()
xfs: fix reflink quota reservation accounting error
PCI: Fix pci_cfg_wait queue locking problem
leds: core: Flush scheduled work for system suspend
drm: panel: simple: Fix bpc for LG LB070WV8 panel
drm/bridge: sil_sii8620: initialize return of sii8620_readb
scsi: scsi_debug: Add check for sdebug_max_queue during module init
mwifiex: Prevent memory corruption handling keys
powerpc/vdso: Fix vdso cpu truncation
staging: rtl8192u: fix a dubious looking mask before a shift
PCI/ASPM: Add missing newline in sysfs 'policy'
drm/imx: tve: fix regulator_disable error path
USB: serial: iuu_phoenix: fix led-activity helpers
thermal: ti-soc-thermal: Fix reversed condition in ti_thermal_expose_sensor()
coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb()
MIPS: OCTEON: add missing put_device() call in dwc3_octeon_device_init()
usb: dwc2: Fix error path in gadget registration
scsi: mesh: Fix panic after host or bus reset
net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration
Smack: fix another vsscanf out of bounds
Smack: prevent underflow in smk_set_cipso()
power: supply: check if calc_soc succeeded in pm860x_init_battery
Bluetooth: hci_serdev: Only unregister device if it was registered
selftests/powerpc: Fix CPU affinity for child process
PCI: Release IVRS table in AMD ACS quirk
selftests/powerpc: Fix online CPU selection
s390/qeth: don't process empty bridge port events
wl1251: fix always return 0 error
tools, build: Propagate build failures from tools/build/Makefile.build
net: ethernet: aquantia: Fix wrong return value
liquidio: Fix wrong return value in cn23xx_get_pf_num()
net: spider_net: Fix the size used in a 'dma_free_coherent()' call
fsl/fman: use 32-bit unsigned integer
fsl/fman: fix dereference null return value
fsl/fman: fix unreachable code
fsl/fman: check dereferencing null pointer
fsl/fman: fix eth hash table allocation
dlm: Fix kobject memleak
pinctrl-single: fix pcs_parse_pinconf() return value
x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task
crypto: aesni - add compatibility with IAS
af_packet: TPACKET_V3: fix fill status rwlock imbalance
drivers/net/wan/lapbether: Added needed_headroom and a skb->len check
net/nfc/rawsock.c: add CAP_NET_RAW check.
net: refactor bind_bucket fastreuse into helper
net: Set fput_needed iff FDPUT_FPUT is set
USB: serial: cp210x: re-enable auto-RTS on open
USB: serial: cp210x: enable usb generic throttle/unthrottle
ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support
ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109
ALSA: usb-audio: add quirk for Pioneer DDJ-RB
crypto: qat - fix double free in qat_uclo_create_batch_init_list
crypto: ccp - Fix use of merged scatterlists
crypto: cpt - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified
bitfield.h: don't compile-time validate _val in FIELD_FIT
fs/minix: check return value of sb_getblk()
fs/minix: don't allow getting deleted inodes
fs/minix: reject too-large maximum file size
ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109
9p: Fix memory leak in v9fs_mount
spi: spidev: Align buffers for DMA
mtd: rawnand: qcom: avoid write to unavailable register
parisc: Implement __smp_store_release and __smp_load_acquire barriers
parisc: mask out enable and reserved bits from sba imask
ARM: 8992/1: Fix unwind_frame for clang-built kernels
irqdomain/treewide: Free firmware node after domain removal
xen/balloon: fix accounting in alloc_xenballooned_pages error path
xen/balloon: make the balloon wait interruptible
net: initialize fastreuse on inet_inherit_port
smb3: warn on confusing error scenario with sec=krb5
PCI: hotplug: ACPI: Fix context refcounting in acpiphp_grab_context()
btrfs: don't allocate anonymous block device for user invisible roots
btrfs: only search for left_info if there is no right_info in try_merge_free_space
btrfs: fix memory leaks after failure to lookup checksums during inode logging
dt-bindings: iio: io-channel-mux: Fix compatible string in example code
iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw()
xtensa: fix xtensa_pmu_setup prototype
powerpc: Fix circular dependency between percpu.h and mmu.h
net: ethernet: stmmac: Disable hardware multicast filter
net: stmmac: dwmac1000: provide multicast filter fallback
net/compat: Add missing sock updates for SCM_RIGHTS
md/raid5: Fix Force reconstruct-write io stuck in degraded raid5
bcache: allocate meta data pages as compound pages
mac80211: fix misplaced while instead of if
MIPS: CPU#0 is not hotpluggable
ext2: fix missing percpu_counter_inc
ocfs2: change slot number type s16 to u16
ftrace: Setup correct FTRACE_FL_REGS flags for module
kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler
tracing/hwlat: Honor the tracing_cpumask
tracing: Use trace_sched_process_free() instead of exit() for pid tracing
watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in watchdog_info.options
watchdog: f71808e_wdt: remove use of wrong watchdog_info option
watchdog: f71808e_wdt: clear watchdog timeout occurred flag
pseries: Fix 64 bit logical memory block panic
perf intel-pt: Fix FUP packet state
drm/imx: imx-ldb: Disable both channels for split mode in enc->disable()
mfd: arizona: Ensure 32k clock is put on driver unbind and error
RDMA/ipoib: Return void from ipoib_ib_dev_stop()
USB: serial: ftdi_sio: make process-packet buffer unsigned
USB: serial: ftdi_sio: clean up receive processing
gpu: ipu-v3: image-convert: Combine rotate/no-rotate irq handlers
dm rq: don't call blk_mq_queue_stopped() in dm_stop_queue()
iommu/omap: Check for failure of a call to omap_iommu_dump_ctx
iommu/vt-d: Enforce PASID devTLB field mask
i2c: rcar: slave: only send STOP event when we have been addressed
clk: clk-atlas6: fix return value check in atlas6_clk_init()
pwm: bcm-iproc: handle clk_get_rate() return
tools build feature: Use CC and CXX from parent
i2c: rcar: avoid race when unregistering slave
Input: sentelic - fix error return when fsp_reg_write fails
drm/vmwgfx: Use correct vmw_legacy_display_unit pointer
drm/vmwgfx: Fix two list_for_each loop exit tests
net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init
nfs: Fix getxattr kernel panic and memory overflow
fs/ufs: avoid potential u32 multiplication overflow
test_kmod: avoid potential double free in trigger_config_run_type()
mfd: dln2: Run event handler loop under spinlock
ALSA: echoaudio: Fix potential Oops in snd_echo_resume()
perf bench mem: Always memset source before memcpy
tools build feature: Quote CC and CXX for their arguments
sh: landisk: Add missing initialization of sh_io_port_base
khugepaged: retract_page_tables() remember to test exit
genirq/affinity: Handle affinity setting on inactive interrupts correctly
genirq/affinity: Make affinity setting if activated opt-in
dm cache: pass cache structure to mode functions
dm cache: submit writethrough writes in parallel to origin and cache
dm cache: remove all obsolete writethrough-specific code
Linux 4.14.194
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I0a759b837bffc0f5af5fe1b6a38ccdd465e41e6e
commit 08b5d5014a27e717826999ad20e394a8811aae92 upstream.
set/removexattr on an exported filesystem should break NFS delegations.
This is true in general, but also for the upcoming support for
RFC 8726 (NFSv4 extended attribute support). Make sure that they do.
Additionally, they need to grow a _locked variant, since callers might
call this with i_rwsem held (like the NFS server code).
Cc: stable@vger.kernel.org # v4.9+
Cc: linux-fsdevel@vger.kernel.org
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Add an optional __get xattr method that would be called, if set, only
in __vfs_getxattr instead of the regular get xattr method.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 133515582
Bug: 136124883
Bug: 129319403
Change-Id: If9f6cf3e0d964e77af769244bb1e8f6aee4f4445
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Right now, various places in the kernel check for the existence of
getxattr, setxattr, and removexattr inode operations and directly call
those operations. Switch to helper functions and test for the IOP_XATTR
flag instead.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
smack ->d_instantiate() uses ->setxattr(), so to be able to call it before
we'd hashed the new dentry and attached it to inode, we need ->setxattr()
instances getting the inode as an explicit argument rather than obtaining
it from dentry.
Similar change for ->getxattr() had been done in commit ce23e64. Unlike
->getxattr() (which is used by both selinux and smack instances of
->d_instantiate()) ->setxattr() is used only by smack one and unfortunately
it got missed back then.
Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Tested-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Change the list operation to only return whether or not an attribute
should be listed. Copying the attribute names into the buffer is moved
to the callers.
Since the result only depends on the dentry and not on the attribute
name, we do not pass the attribute name to list operations.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Use the VFS xattr handler infrastructure and get rid of similar code in
the filesystem. For implementing shmem_xattr_handler_set, we need a
version of simple_xattr_set which removes the attribute when value is
NULL. Use this to implement kernfs_iop_removexattr as well.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: linux-mm@kvack.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Add an additional "name" field to struct xattr_handler. When the name
is set, the handler matches attributes with exactly that name. When the
prefix is set instead, the handler matches attributes with the given
prefix and with a non-empty suffix.
This patch should avoid bugs like the one fixed in commit c361016a in
the future.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Now that the xattr handler is passed to the xattr handler operations, we
can use the same get and set operations for the user, trusted, and security
xattr namespaces. In those namespaces, we can access the full attribute
name by "reattaching" the name prefix the vfs has skipped for us. Add a
xattr_full_name helper to make this obvious in the code.
For the "system.posix_acl_access" and "system.posix_acl_default"
attributes, handler->prefix is the full attribute name; the suffix is the
empty string.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Cc: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Ron Minnich <rminnich@sandia.gov>
Cc: Latchesar Ionkov <lucho@ionkov.net>
Cc: v9fs-developer@lists.sourceforge.net
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Pull security subsystem updates from James Morris:
"Highlights:
- Integrity: add local fs integrity verification to detect offline
attacks
- Integrity: add digital signature verification
- Simple stacking of Yama with other LSMs (per LSS discussions)
- IBM vTPM support on ppc64
- Add new driver for Infineon I2C TIS TPM
- Smack: add rule revocation for subject labels"
Fixed conflicts with the user namespace support in kernel/auditsc.c and
security/integrity/ima/ima_policy.c.
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits)
Documentation: Update git repository URL for Smack userland tools
ima: change flags container data type
Smack: setprocattr memory leak fix
Smack: implement revoking all rules for a subject label
Smack: remove task_wait() hook.
ima: audit log hashes
ima: generic IMA action flag handling
ima: rename ima_must_appraise_or_measure
audit: export audit_log_task_info
tpm: fix tpm_acpi sparse warning on different address spaces
samples/seccomp: fix 31 bit build on s390
ima: digital signature verification support
ima: add support for different security.ima data types
ima: add ima_inode_setxattr/removexattr function and calls
ima: add inode_post_setattr call
ima: replace iint spinblock with rwlock/read_lock
ima: allocating iint improvements
ima: add appraise action keywords and default rules
ima: integrity appraisal extension
vfs: move ima_file_free before releasing the file
...
IMA currently maintains an integrity measurement list used to assert the
integrity of the running system to a third party. The IMA-appraisal
extension adds local integrity validation and enforcement of the
measurement against a "good" value stored as an extended attribute
'security.ima'. The initial methods for validating 'security.ima' are
hashed based, which provides file data integrity, and digital signature
based, which in addition to providing file data integrity, provides
authenticity.
This patch creates and maintains the 'security.ima' xattr, containing
the file data hash measurement. Protection of the xattr is provided by
EVM, if enabled and configured.
Based on policy, IMA calls evm_verifyxattr() to verify a file's metadata
integrity and, assuming success, compares the file's current hash value
with the one stored as an extended attribute in 'security.ima'.
Changelov v4:
- changed iint cache flags to hex values
Changelog v3:
- change appraisal default for filesystems without xattr support to fail
Changelog v2:
- fix audit msg 'res' value
- removed unused 'ima_appraise=' values
Changelog v1:
- removed unused iint mutex (Dmitry Kasatkin)
- setattr hook must not reset appraised (Dmitry Kasatkin)
- evm_verifyxattr() now differentiates between no 'security.evm' xattr
(INTEGRITY_NOLABEL) and no EVM 'protected' xattrs included in the
'security.evm' (INTEGRITY_NOXATTRS).
- replace hash_status with ima_status (Dmitry Kasatkin)
- re-initialize slab element ima_status on free (Dmitry Kasatkin)
- include 'security.ima' in EVM if CONFIG_IMA_APPRAISE, not CONFIG_IMA
- merged half "ima: ima_must_appraise_or_measure API change" (Dmitry Kasatkin)
- removed unnecessary error variable in process_measurement() (Dmitry Kasatkin)
- use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured
(moved ima_inode_post_setattr() to ima_appraise.c)
- make sure ima_collect_measurement() can read file
Changelog:
- add 'iint' to evm_verifyxattr() call (Dimitry Kasatkin)
- fix the race condition between chmod, which takes the i_mutex and then
iint->mutex, and ima_file_free() and process_measurement(), which take
the locks in the reverse order, by eliminating iint->mutex. (Dmitry Kasatkin)
- cleanup of ima_appraise_measurement() (Dmitry Kasatkin)
- changes as a result of the iint not allocated for all regular files, but
only for those measured/appraised.
- don't try to appraise new/empty files
- expanded ima_appraisal description in ima/Kconfig
- IMA appraise definitions required even if IMA_APPRAISE not enabled
- add return value to ima_must_appraise() stub
- unconditionally set status = INTEGRITY_PASS *after* testing status,
not before. (Found by Joe Perches)
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Extract in-memory xattr APIs from tmpfs. Will be used by cgroup.
$ size vmlinux.o
text data bss dec hex filename
4658782 880729 5195032 10734543 a3cbcf vmlinux.o
$ size vmlinux.o
text data bss dec hex filename
4658957 880729 5195032 10734718 a3cc7e vmlinux.o
v7:
- checkpatch warnings fixed
- Implement the changes requested by Hugh Dickins:
- make simple_xattrs_init and simple_xattrs_free inline
- get rid of locking and list reinitialization in simple_xattrs_free,
they're not needed
v6:
- no changes
v5:
- no changes
v4:
- move simple_xattrs_free() to fs/xattr.c
v3:
- in kmem_xattrs_free(), reinitialize the list
- use simple_xattr_* prefix
- introduce simple_xattr_add() to prevent direct list usage
Original-patch-by: Li Zefan <lizefan@huawei.com>
Cc: Li Zefan <lizefan@huawei.com>
Cc: Hillf Danton <dhillf@gmail.com>
Cc: Lennart Poettering <lpoetter@redhat.com>
Acked-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: Aristeu Rozanski <aris@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
The posix xattr acls are 'system' prefixed, which normally would not
affect security.evm. An interesting side affect of writing posix xattr
acls is their modifying of the i_mode, which is included in security.evm.
This patch updates security.evm when posix xattr acls are written.
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
EVM protects a file's security extended attributes(xattrs) against integrity
attacks. This patchset provides the framework and an initial method. The
initial method maintains an HMAC-sha1 value across the security extended
attributes, storing the HMAC value as the extended attribute 'security.evm'.
Other methods of validating the integrity of a file's metadata will be posted
separately (eg. EVM-digital-signatures).
While this patchset does authenticate the security xattrs, and
cryptographically binds them to the inode, coming extensions will bind other
directory and inode metadata for more complete protection. To help simplify
the review and upstreaming process, each extension will be posted separately
(eg. IMA-appraisal, IMA-appraisal-directory). For a general overview of the
proposed Linux integrity subsystem, refer to Dave Safford's whitepaper:
http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.
EVM depends on the Kernel Key Retention System to provide it with a
trusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto the
root's keyring using keyctl. Until EVM receives notification that the key has
been successfully loaded onto the keyring (echo 1 > <securityfs>/evm), EVM can
not create or validate the 'security.evm' xattr, but returns INTEGRITY_UNKNOWN.
Loading the key and signaling EVM should be done as early as possible. Normally
this is done in the initramfs, which has already been measured as part of the
trusted boot. For more information on creating and loading existing
trusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt. A
sample dracut patch, which loads the trusted/encrypted key and enables EVM, is
available from http://linux-ima.sourceforge.net/#EVM.
Based on the LSMs enabled, the set of EVM protected security xattrs is defined
at compile. EVM adds the following three calls to the existing security hooks:
evm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr. To
initialize and update the 'security.evm' extended attribute, EVM defines three
calls: evm_inode_post_init(), evm_inode_post_setattr() and
evm_inode_post_removexattr() hooks. To verify the integrity of a security
xattr, EVM exports evm_verifyxattr().
Changelog v7:
- Fixed URL in EVM ABI documentation
Changelog v6: (based on Serge Hallyn's review)
- fix URL in patch description
- remove evm_hmac_size definition
- use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size)
- moved linux include before other includes
- test for crypto_hash_setkey failure
- fail earlier for invalid key
- clear entire encrypted key, even on failure
- check xattr name length before comparing xattr names
Changelog:
- locking based on i_mutex, remove evm_mutex
- using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1
operation.
- replaced crypto hash with shash (Dmitry Kasatkin)
- support for additional methods of verifying the security xattrs
(Dmitry Kasatkin)
- iint not allocated for all regular files, but only for those appraised
- Use cap_sys_admin in lieu of cap_mac_admin
- Use __vfs_setxattr_noperm(), without permission checks, from EVM
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
vfs_getxattr_alloc() and vfs_xattr_cmp() are two new kernel xattr helper
functions. vfs_getxattr_alloc() first allocates memory for the requested
xattr and then retrieves it. vfs_xattr_cmp() compares a given value with
the contents of an extended attribute.
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This patch changes the security_inode_init_security API by adding a
filesystem specific callback to write security extended attributes.
This change is in preparation for supporting the initialization of
multiple LSM xattrs and the EVM xattr. Initially the callback function
walks an array of xattrs, writing each xattr separately, but could be
optimized to write multiple xattrs at once.
For existing security_inode_init_security() calls, which have not yet
been converted to use the new callback function, such as those in
reiserfs and ocfs2, this patch defines security_old_inode_init_security().
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
af4f136056 ("security: move LSM xattrnames to xattr.h") moved the
XATTR_CAPS_SUFFIX define from capability.h to xattr.h. This makes sense
except it was previously exports to userspace but xattr.h does not export
it to userspace. This patch exports these headers to userspace to fix the
ABI regression.
There is some slight possibility that this will cause problems in other
applications which used these #defines differently (wrongly) and I could
JUST export the capabilities xattr name that we broke. Does anyonehave an
idea how exposing these headers could cause a problem?
Below is what is being exposed to userspace, included here since it isn't
clear exactly what is going to be made available from the patch.
/* Namespaces */
#define XATTR_OS2_PREFIX "os2."
#define XATTR_OS2_PREFIX_LEN (sizeof (XATTR_OS2_PREFIX) - 1)
#define XATTR_SECURITY_PREFIX "security."
#define XATTR_SECURITY_PREFIX_LEN (sizeof (XATTR_SECURITY_PREFIX) - 1)
#define XATTR_SYSTEM_PREFIX "system."
#define XATTR_SYSTEM_PREFIX_LEN (sizeof (XATTR_SYSTEM_PREFIX) - 1)
#define XATTR_TRUSTED_PREFIX "trusted."
#define XATTR_TRUSTED_PREFIX_LEN (sizeof (XATTR_TRUSTED_PREFIX) - 1)
#define XATTR_USER_PREFIX "user."
#define XATTR_USER_PREFIX_LEN (sizeof (XATTR_USER_PREFIX) - 1)
/* Security namespace */
#define XATTR_SELINUX_SUFFIX "selinux"
#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
#define XATTR_SMACK_SUFFIX "SMACK64"
#define XATTR_SMACK_IPIN "SMACK64IPIN"
#define XATTR_SMACK_IPOUT "SMACK64IPOUT"
#define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX
#define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN
#define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT
#define XATTR_CAPS_SUFFIX "capability"
#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
Reported-by: Ozan Çaglayan <ozan@pardus.org.tr>
Signed-off-by: Eric Paris <eparis@redhat.com>
Cc: Mimi Zohar <zohar@us.ibm.com>
Cc: Serge Hallyn <serue@us.ibm.com>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
In the embedded world there are often situations
where libraries are updated from a variety of sources,
for a variety of reasons, and with any number of
security characteristics. These differences
might include privilege required for a given library
provided interface to function properly, as occurs
from time to time in graphics libraries. There are
also cases where it is important to limit use of
libraries based on the provider of the library and
the security aware application may make choices
based on that criteria.
These issues are addressed by providing an additional
Smack label that may optionally be assigned to an object,
the SMACK64MMAP attribute. An mmap operation is allowed
if there is no such attribute.
If there is a SMACK64MMAP attribute the mmap is permitted
only if a subject with that label has all of the access
permitted a subject with the current task label.
Security aware applications may from time to time
wish to reduce their "privilege" to avoid accidental use
of privilege. One case where this arises is the
environment in which multiple sources provide libraries
to perform the same functions. An application may know
that it should eschew services made available from a
particular vendor, or of a particular version.
In support of this a secondary list of Smack rules has
been added that is local to the task. This list is
consulted only in the case where the global list has
approved access. It can only further restrict access.
Unlike the global last, if no entry is found on the
local list access is granted. An application can add
entries to its own list by writing to /smack/load-self.
The changes appear large as they involve refactoring
the list handling to accomodate there being more
than one rule list.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
In a situation where Smack access rules allow processes
with multiple labels to write to a directory it is easy
to get into a situation where the directory gets cluttered
with files that the owner can't deal with because while
they could be written to the directory a process at the
label of the directory can't write them. This is generally
the desired behavior, but when it isn't it is a real
issue.
This patch introduces a new attribute SMACK64TRANSMUTE that
instructs Smack to create the file with the label of the directory
under certain circumstances.
A new access mode, "t" for transmute, is made available to
Smack access rules, which are expanded from "rwxa" to "rwxat".
If a file is created in a directory marked as transmutable
and if access was granted to perform the operation by a rule
that included the transmute mode, then the file gets the
Smack label of the directory instead of the Smack label of the
creating process.
Note that this is equivalent to creating an empty file at the
label of the directory and then having the other process write
to it. The transmute scheme requires that both the access rule
allows transmutation and that the directory be explicitly marked.
Signed-off-by: Jarkko Sakkinen <ext-jarkko.2.sakkinen@nokia.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
SMACK64EXEC. It defines label that is used while task is
running.
Exception: in smack_task_wait() child task is checked
for write access to parent task using label inherited
from the task that forked it.
Fixed issues from previous submit:
- SMACK64EXEC was not read when SMACK64 was not set.
- inode security blob was not updated after setting
SMACK64EXEC
- inode security blob was not updated when removing
SMACK64EXEC
The entries in xattr handler table should be immutable (ie const)
like other operation tables.
Later patches convert common filesystems. Uncoverted filesystems
will still work, but will generate a compiler warning.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Add a flags argument to struct xattr_handler and pass it to all xattr
handler methods. This allows using the same methods for multiple
handlers, e.g. for the ACL methods which perform exactly the same action
for the access and default ACLs, just using a different underlying
attribute. With a little more groundwork it'll also allow sharing the
methods for the regular user/trusted/secure handlers in extN, ocfs2 and
jffs2 like it's already done for xfs in this patch.
Also change the inode argument to the handlers to a dentry to allow
using the handlers mechnism for filesystems that require it later,
e.g. cifs.
[with GFS2 bits updated by Steven Whitehouse <swhiteho@redhat.com>]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: James Morris <jmorris@namei.org>
Acked-by: Joel Becker <joel.becker@oracle.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This factors out the part of the vfs_setxattr function that performs the
setting of the xattr and its notification. This is needed so the SELinux
implementation of inode_setsecctx can handle the setting of the xattr while
maintaining the proper separation of layers.
Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
This patch modifies the interface to inode_getsecurity to have the function
return a buffer containing the security blob and its length via parameters
instead of relying on the calling function to give it an appropriately sized
buffer.
Security blobs obtained with this function should be freed using the
release_secctx LSM hook. This alleviates the problem of the caller having to
guess a length and preallocate a buffer for this function allowing it to be
used elsewhere for Labeled NFS.
The patch also removed the unused err parameter. The conversion is similar to
the one performed by Al Viro for the security_getprocattr hook.
Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Chris Wright <chrisw@sous-sol.org>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This patch moves code out of fs/xattr.c:listxattr into a new function -
vfs_listxattr. The code for vfs_listxattr was originally submitted by Bill
Nottingham <notting@redhat.com> to Unionfs.
Sorry about that. The reason for this submission is to make the
listxattr code in fs/xattr.c a little cleaner (as well as to clean up
some code in Unionfs.)
Currently, Unionfs has vfs_listxattr defined in its code. I think
that's very ugly, and I'd like to see it (re)moved. The logical place
to put it, is along side of all the other vfs_*xattr functions.
Overall, I think this patch is benefitial for both kernel.org kernel and
Unionfs.
Signed-off-by: Josef "Jeff" Sipek <jsipek@cs.sunysb.edu>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
)
From: Christoph Hellwig <hch@lst.de>
The xattr code has rather complex permission checks because the rules are very
different for different attribute namespaces. This patch moves as much as we
can into the generic code. Currently all the major disk based filesystems
duplicate these checks, while many minor filesystems or network filesystems
lack some or all of them.
To do this we need defines for the extended attribute names in common code, I
moved them up from JFS which had the nicest defintions.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Dave Kleikamp <shaggy@austin.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Add vfs_getxattr, vfs_setxattr and vfs_removexattr helpers for common checks
around invocation of the xattr methods. NFSD already was missing some of the
checks and there will be more soon.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Cc: James Morris <jmorris@namei.org>
(James, I haven't touched selinux yet because it's doing various odd things
and I'm not sure how it would interact with the security attribute fallbacks
you added. Could you investigate whether it could use vfs_getxattr or if not
add a __vfs_getxattr helper to share the bits it is fine with?)
For NFSv4: instead of just converting it add an nfsd_getxattr helper for the
code shared by NFSv2/3 and NFSv4 ACLs. In fact that code isn't even
NFS-specific, but I'll wait for more users to pop up first before moving it to
common code.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Dave Kleikamp <shaggy@austin.ibm.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Neil Brown <neilb@suse.de>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.
Let it rip!
