Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security (92d4a036) · Commits · 戴 / test

MAINTAINERS

+0 −5

Original line number	Diff line number	Diff line
		@@ -8342,11 +8342,6 @@ F: Documentation/core-api/atomic_ops.rst
		F: Documentation/core-api/refcount-vs-atomic.rst
		F: Documentation/memory-barriers.txt

		LINUX SECURITY MODULE (LSM) FRAMEWORK
		M: Chris Wright <chrisw@sous-sol.org>
		L: linux-security-module@vger.kernel.org
		S: Supported

		LIS3LV02D ACCELEROMETER DRIVER
		M: Eric Piel <eric.piel@tremplin-utc.net>
		S: Maintained

drivers/base/firmware_loader/fallback.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -651,6 +651,8 @@ static bool fw_force_sysfs_fallback(enum fw_opt opt_flags)

		static bool fw_run_sysfs_fallback(enum fw_opt opt_flags)
		{
		int ret;

		if (fw_fallback_config.ignore_sysfs_fallback) {
		pr_info_once("Ignoring firmware sysfs fallback due to sysctl knob\n");
		return false;
		@@ -659,6 +661,11 @@ static bool fw_run_sysfs_fallback(enum fw_opt opt_flags)
		if ((opt_flags & FW_OPT_NOFALLBACK))
		return false;

		/* Also permit LSMs and IMA to fail firmware sysfs fallback */
		ret = security_kernel_load_data(LOADING_FIRMWARE);
		if (ret < 0)
		return ret;

		return fw_force_sysfs_fallback(opt_flags);
		}

include/linux/ima.h

+7 −0

Original line number	Diff line number	Diff line
		@@ -11,6 +11,7 @@
		#define _LINUX_IMA_H

		#include <linux/fs.h>
		#include <linux/security.h>
		#include <linux/kexec.h>
		struct linux_binprm;

		@@ -19,6 +20,7 @@ extern int ima_bprm_check(struct linux_binprm *bprm);
		extern int ima_file_check(struct file *file, int mask);
		extern void ima_file_free(struct file *file);
		extern int ima_file_mmap(struct file *file, unsigned long prot);
		extern int ima_load_data(enum kernel_load_data_id id);
		extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
		extern int ima_post_read_file(struct file file, void buf, loff_t size,
		enum kernel_read_file_id id);
		@@ -49,6 +51,11 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
		return 0;
		}

		static inline int ima_load_data(enum kernel_load_data_id id)
		{
		return 0;
		}

		static inline int ima_read_file(struct file *file, enum kernel_read_file_id id)
		{
		return 0;

include/linux/lsm_hooks.h

+6 −0

Original line number	Diff line number	Diff line
		@@ -576,6 +576,10 @@
		* userspace to load a kernel module with the given name.
		* @kmod_name name of the module requested by the kernel
		* Return 0 if successful.
		* @kernel_load_data:
		* Load data provided by userspace.
		* @id kernel load data identifier
		* Return 0 if permission is granted.
		* @kernel_read_file:
		* Read a file specified by userspace.
		* @file contains the file structure pointing to the file being read
		@@ -1582,6 +1586,7 @@ union security_list_options {
		int (kernel_act_as)(struct cred new, u32 secid);
		int (kernel_create_files_as)(struct cred new, struct inode *inode);
		int (kernel_module_request)(char kmod_name);
		int (*kernel_load_data)(enum kernel_load_data_id id);
		int (kernel_read_file)(struct file file, enum kernel_read_file_id id);
		int (kernel_post_read_file)(struct file file, char *buf, loff_t size,
		enum kernel_read_file_id id);
		@@ -1872,6 +1877,7 @@ struct security_hook_heads {
		struct hlist_head cred_getsecid;
		struct hlist_head kernel_act_as;
		struct hlist_head kernel_create_files_as;
		struct hlist_head kernel_load_data;
		struct hlist_head kernel_read_file;
		struct hlist_head kernel_post_read_file;
		struct hlist_head kernel_module_request;

include/linux/security.h

+27 −0

Original line number	Diff line number	Diff line
		@@ -159,6 +159,27 @@ extern int mmap_min_addr_handler(struct ctl_table *table, int write,
		typedef int (initxattrs) (struct inode inode,
		const struct xattr xattr_array, void fs_data);


		/* Keep the kernel_load_data_id enum in sync with kernel_read_file_id */
		#define __data_id_enumify(ENUM, dummy) LOADING_ ## ENUM,
		#define __data_id_stringify(dummy, str) #str,

		enum kernel_load_data_id {
		__kernel_read_file_id(__data_id_enumify)
		};

		static const char * const kernel_load_data_str[] = {
		__kernel_read_file_id(__data_id_stringify)
		};

		static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
		{
		if ((unsigned)id >= LOADING_MAX_ID)
		return kernel_load_data_str[LOADING_UNKNOWN];

		return kernel_load_data_str[id];
		}

		#ifdef CONFIG_SECURITY

		struct security_mnt_opts {
		@@ -320,6 +341,7 @@ void security_cred_getsecid(const struct cred c, u32 secid);
		int security_kernel_act_as(struct cred *new, u32 secid);
		int security_kernel_create_files_as(struct cred new, struct inode inode);
		int security_kernel_module_request(char *kmod_name);
		int security_kernel_load_data(enum kernel_load_data_id id);
		int security_kernel_read_file(struct file *file, enum kernel_read_file_id id);
		int security_kernel_post_read_file(struct file file, char buf, loff_t size,
		enum kernel_read_file_id id);
		@@ -908,6 +930,11 @@ static inline int security_kernel_module_request(char *kmod_name)
		return 0;
		}

		static inline int security_kernel_load_data(enum kernel_load_data_id id)
		{
		return 0;
		}

		static inline int security_kernel_read_file(struct file *file,
		enum kernel_read_file_id id)
		{

Admin message