Merge branch 'for-linus' of... (3296ca27) · Commits · 戴 / test

Documentation/Smack.txt

+18 −2

Original line number	Diff line number	Diff line
		@@ -184,8 +184,9 @@ length. Single character labels using special characters, that being anything
		other than a letter or digit, are reserved for use by the Smack development
		team. Smack labels are unstructured, case sensitive, and the only operation
		ever performed on them is comparison for equality. Smack labels cannot
		contain unprintable characters or the "/" (slash) character. Smack labels
		cannot begin with a '-', which is reserved for special options.
		contain unprintable characters, the "/" (slash), the "\" (backslash), the "'"
		(quote) and '"' (double-quote) characters.
		Smack labels cannot begin with a '-', which is reserved for special options.

		There are some predefined labels:

		@@ -523,3 +524,18 @@ Smack supports some mount options:

		These mount options apply to all file system types.

		Smack auditing

		If you want Smack auditing of security events, you need to set CONFIG_AUDIT
		in your kernel configuration.
		By default, all denied events will be audited. You can change this behavior by
		writing a single character to the /smack/logging file :
		0 : no logging
		1 : log denied (default)
		2 : log accepted
		3 : log denied & accepted

		Events are logged as 'key=value' pairs, for each event you at least will get
		the subjet, the object, the rights requested, the action, the kernel function
		that triggered the event, plus other pairs depending on the type of event
		audited.

+6 −0

Original line number	Diff line number	Diff line
		@@ -928,6 +928,12 @@ and is between 256 and 4096 characters. It is defined in the file
		Formt: { "sha1" \| "md5" }
		default: "sha1"

		ima_tcb [IMA]
		Load a policy which meets the needs of the Trusted
		Computing Base. This means IMA will measure all
		programs exec'd, files mmap'd for exec, and all files
		opened for read by uid=0.

		in2000= [HW,SCSI]
		See header of drivers/scsi/in2000.c.

+11 −0

Original line number	Diff line number	Diff line
		@@ -32,6 +32,7 @@ show up in /proc/sys/kernel:
		- kstack_depth_to_print [ X86 only ]
		- l2cr [ PPC only ]
		- modprobe ==> Documentation/debugging-modules.txt
		- modules_disabled
		- msgmax
		- msgmnb
		- msgmni
		@@ -184,6 +185,16 @@ kernel stack.

		==============================================================

		modules_disabled:

		A toggle value indicating if modules are allowed to be loaded
		in an otherwise modular kernel. This toggle defaults to off
		(0), but can be set true (1). Once true, modules can be
		neither loaded nor unloaded, and the toggle cannot be set back
		to false.

		==============================================================

		osrelease, ostype & version:

		# cat osrelease

+3 −3

Original line number	Diff line number	Diff line
		@@ -1488,7 +1488,7 @@ int compat_do_execve(char * filename,
		if (!bprm)
		goto out_files;

		retval = mutex_lock_interruptible(&current->cred_exec_mutex);
		retval = mutex_lock_interruptible(&current->cred_guard_mutex);
		if (retval < 0)
		goto out_free;
		current->in_execve = 1;
		@@ -1550,7 +1550,7 @@ int compat_do_execve(char * filename,
		/* execve succeeded */
		current->fs->in_exec = 0;
		current->in_execve = 0;
		mutex_unlock(&current->cred_exec_mutex);
		mutex_unlock(&current->cred_guard_mutex);
		acct_update_integrals(current);
		free_bprm(bprm);
		if (displaced)
		@@ -1573,7 +1573,7 @@ out_unmark:

		out_unlock:
		current->in_execve = 0;
		mutex_unlock(&current->cred_exec_mutex);
		mutex_unlock(&current->cred_guard_mutex);

		out_free:
		free_bprm(bprm);

+5 −5

Original line number	Diff line number	Diff line
		@@ -1016,7 +1016,7 @@ void install_exec_creds(struct linux_binprm *bprm)
		commit_creds(bprm->cred);
		bprm->cred = NULL;

		/* cred_exec_mutex must be held at least to this point to prevent
		/* cred_guard_mutex must be held at least to this point to prevent
		* ptrace_attach() from altering our determination of the task's
		* credentials; any time after this it may be unlocked */

		@@ -1026,7 +1026,7 @@ EXPORT_SYMBOL(install_exec_creds);

		/*
		* determine how safe it is to execute the proposed program
		* - the caller must hold current->cred_exec_mutex to protect against
		* - the caller must hold current->cred_guard_mutex to protect against
		* PTRACE_ATTACH
		*/
		int check_unsafe_exec(struct linux_binprm *bprm)
		@@ -1268,7 +1268,7 @@ int do_execve(char * filename,
		if (!bprm)
		goto out_files;

		retval = mutex_lock_interruptible(&current->cred_exec_mutex);
		retval = mutex_lock_interruptible(&current->cred_guard_mutex);
		if (retval < 0)
		goto out_free;
		current->in_execve = 1;
		@@ -1331,7 +1331,7 @@ int do_execve(char * filename,
		/* execve succeeded */
		current->fs->in_exec = 0;
		current->in_execve = 0;
		mutex_unlock(&current->cred_exec_mutex);
		mutex_unlock(&current->cred_guard_mutex);
		acct_update_integrals(current);
		free_bprm(bprm);
		if (displaced)
		@@ -1354,7 +1354,7 @@ out_unmark:

		out_unlock:
		current->in_execve = 0;
		mutex_unlock(&current->cred_exec_mutex);
		mutex_unlock(&current->cred_guard_mutex);

		out_free:
		free_bprm(bprm);