Loading Documentation/feature-removal-schedule.txt +12 −0 Original line number Diff line number Diff line Loading @@ -315,3 +315,15 @@ When: 2.6.29 (ideally) or 2.6.30 (more likely) Why: Deprecated by the new (standard) device driver binding model. Use i2c_driver->probe() and ->remove() instead. Who: Jean Delvare <khali@linux-fr.org> --------------------------- What: SELinux "compat_net" functionality When: 2.6.30 at the earliest Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net" network access control functionality of SELinux. Secmark offers both better performance and greater flexibility than the "compat_net" mechanism. Now that the major Linux distributions have moved to Secmark, it is time to deprecate the older mechanism and start the process of removing the old code. Who: Paul Moore <paul.moore@hp.com> include/linux/capability.h +15 −2 Original line number Diff line number Diff line Loading @@ -529,8 +529,21 @@ extern const kernel_cap_t __cap_init_eff_set; * * Note that this does not set PF_SUPERPRIV on the task. */ #define has_capability(t, cap) (security_capable((t), (cap)) == 0) #define has_capability_noaudit(t, cap) (security_capable_noaudit((t), (cap)) == 0) #define has_capability(t, cap) (security_real_capable((t), (cap)) == 0) /** * has_capability_noaudit - Determine if a task has a superior capability available (unaudited) * @t: The task in question * @cap: The capability to be tested for * * Return true if the specified task has the given superior capability * currently in effect, false if not, but don't write an audit message for the * check. * * Note that this does not set PF_SUPERPRIV on the task. */ #define has_capability_noaudit(t, cap) \ (security_real_capable_noaudit((t), (cap)) == 0) extern int capable(int cap); Loading include/linux/security.h +32 −9 Original line number Diff line number Diff line Loading @@ -48,7 +48,8 @@ struct audit_krule; * These functions are in security/capability.c and are used * as the default capabilities functions */ extern int cap_capable(struct task_struct *tsk, int cap, int audit); extern int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap, int audit); extern int cap_settime(struct timespec *ts, struct timezone *tz); extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); extern int cap_ptrace_traceme(struct task_struct *parent); Loading Loading @@ -1251,9 +1252,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @permitted contains the permitted capability set. * Return 0 and update @new if permission is granted. * @capable: * Check whether the @tsk process has the @cap capability. * Check whether the @tsk process has the @cap capability in the indicated * credentials. * @tsk contains the task_struct for the process. * @cred contains the credentials to use. * @cap contains the capability <include/linux/capability.h>. * @audit: Whether to write an audit message or not * Return 0 if the capability is granted for @tsk. * @acct: * Check permission before enabling or disabling process accounting. If Loading Loading @@ -1346,7 +1350,8 @@ struct security_operations { const kernel_cap_t *effective, const kernel_cap_t *inheritable, const kernel_cap_t *permitted); int (*capable) (struct task_struct *tsk, int cap, int audit); int (*capable) (struct task_struct *tsk, const struct cred *cred, int cap, int audit); int (*acct) (struct file *file); int (*sysctl) (struct ctl_table *table, int op); int (*quotactl) (int cmds, int type, int id, struct super_block *sb); Loading Loading @@ -1628,8 +1633,9 @@ int security_capset(struct cred *new, const struct cred *old, const kernel_cap_t *effective, const kernel_cap_t *inheritable, const kernel_cap_t *permitted); int security_capable(struct task_struct *tsk, int cap); int security_capable_noaudit(struct task_struct *tsk, int cap); int security_capable(int cap); int security_real_capable(struct task_struct *tsk, int cap); int security_real_capable_noaudit(struct task_struct *tsk, int cap); int security_acct(struct file *file); int security_sysctl(struct ctl_table *table, int op); int security_quotactl(int cmds, int type, int id, struct super_block *sb); Loading Loading @@ -1826,14 +1832,31 @@ static inline int security_capset(struct cred *new, return cap_capset(new, old, effective, inheritable, permitted); } static inline int security_capable(struct task_struct *tsk, int cap) static inline int security_capable(int cap) { return cap_capable(tsk, cap, SECURITY_CAP_AUDIT); return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT); } static inline int security_capable_noaudit(struct task_struct *tsk, int cap) static inline int security_real_capable(struct task_struct *tsk, int cap) { return cap_capable(tsk, cap, SECURITY_CAP_NOAUDIT); int ret; rcu_read_lock(); ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_AUDIT); rcu_read_unlock(); return ret; } static inline int security_real_capable_noaudit(struct task_struct *tsk, int cap) { int ret; rcu_read_lock(); ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_NOAUDIT); rcu_read_unlock(); return ret; } static inline int security_acct(struct file *file) Loading include/net/cipso_ipv4.h +4 −2 Original line number Diff line number Diff line Loading @@ -131,7 +131,8 @@ extern int cipso_v4_rbm_strictvalid; */ #ifdef CONFIG_NETLABEL int cipso_v4_doi_add(struct cipso_v4_doi *doi_def); int cipso_v4_doi_add(struct cipso_v4_doi *doi_def, struct netlbl_audit *audit_info); void cipso_v4_doi_free(struct cipso_v4_doi *doi_def); int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info); struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi); Loading @@ -140,7 +141,8 @@ int cipso_v4_doi_walk(u32 *skip_cnt, int (*callback) (struct cipso_v4_doi *doi_def, void *arg), void *cb_arg); #else static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def) static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def, struct netlbl_audit *audit_info) { return -ENOSYS; } Loading include/net/netlabel.h +80 −6 Original line number Diff line number Diff line Loading @@ -33,6 +33,8 @@ #include <linux/types.h> #include <linux/net.h> #include <linux/skbuff.h> #include <linux/in.h> #include <linux/in6.h> #include <net/netlink.h> #include <asm/atomic.h> Loading Loading @@ -353,13 +355,37 @@ static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr) /* * LSM configuration operations */ int netlbl_cfg_map_del(const char *domain, struct netlbl_audit *audit_info); int netlbl_cfg_unlbl_add_map(const char *domain, int netlbl_cfg_map_del(const char *domain, u16 family, const void *addr, const void *mask, struct netlbl_audit *audit_info); int netlbl_cfg_unlbl_map_add(const char *domain, u16 family, const void *addr, const void *mask, struct netlbl_audit *audit_info); int netlbl_cfg_unlbl_static_add(struct net *net, const char *dev_name, const void *addr, const void *mask, u16 family, u32 secid, struct netlbl_audit *audit_info); int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, int netlbl_cfg_unlbl_static_del(struct net *net, const char *dev_name, const void *addr, const void *mask, u16 family, struct netlbl_audit *audit_info); int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def, struct netlbl_audit *audit_info); void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info); int netlbl_cfg_cipsov4_map_add(u32 doi, const char *domain, const struct in_addr *addr, const struct in_addr *mask, struct netlbl_audit *audit_info); /* * LSM security attribute operations */ Loading Loading @@ -401,19 +427,62 @@ void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway); void netlbl_cache_invalidate(void); int netlbl_cache_add(const struct sk_buff *skb, const struct netlbl_lsm_secattr *secattr); /* * Protocol engine operations */ struct audit_buffer *netlbl_audit_start(int type, struct netlbl_audit *audit_info); #else static inline int netlbl_cfg_map_del(const char *domain, u16 family, const void *addr, const void *mask, struct netlbl_audit *audit_info) { return -ENOSYS; } static inline int netlbl_cfg_unlbl_map_add(const char *domain, u16 family, void *addr, void *mask, struct netlbl_audit *audit_info) { return -ENOSYS; } static inline int netlbl_cfg_unlbl_static_add(struct net *net, const char *dev_name, const void *addr, const void *mask, u16 family, u32 secid, struct netlbl_audit *audit_info) { return -ENOSYS; } static inline int netlbl_cfg_unlbl_static_del(struct net *net, const char *dev_name, const void *addr, const void *mask, u16 family, struct netlbl_audit *audit_info) { return -ENOSYS; } static inline int netlbl_cfg_unlbl_add_map(const char *domain, static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def, struct netlbl_audit *audit_info) { return -ENOSYS; } static inline int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, static inline void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info) { return; } static inline int netlbl_cfg_cipsov4_map_add(u32 doi, const char *domain, const struct in_addr *addr, const struct in_addr *mask, struct netlbl_audit *audit_info) { return -ENOSYS; Loading Loading @@ -495,6 +564,11 @@ static inline int netlbl_cache_add(const struct sk_buff *skb, { return 0; } static inline struct audit_buffer *netlbl_audit_start(int type, struct netlbl_audit *audit_info) { return NULL; } #endif /* CONFIG_NETLABEL */ #endif /* _NETLABEL_H */ Loading
Documentation/feature-removal-schedule.txt +12 −0 Original line number Diff line number Diff line Loading @@ -315,3 +315,15 @@ When: 2.6.29 (ideally) or 2.6.30 (more likely) Why: Deprecated by the new (standard) device driver binding model. Use i2c_driver->probe() and ->remove() instead. Who: Jean Delvare <khali@linux-fr.org> --------------------------- What: SELinux "compat_net" functionality When: 2.6.30 at the earliest Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net" network access control functionality of SELinux. Secmark offers both better performance and greater flexibility than the "compat_net" mechanism. Now that the major Linux distributions have moved to Secmark, it is time to deprecate the older mechanism and start the process of removing the old code. Who: Paul Moore <paul.moore@hp.com>
include/linux/capability.h +15 −2 Original line number Diff line number Diff line Loading @@ -529,8 +529,21 @@ extern const kernel_cap_t __cap_init_eff_set; * * Note that this does not set PF_SUPERPRIV on the task. */ #define has_capability(t, cap) (security_capable((t), (cap)) == 0) #define has_capability_noaudit(t, cap) (security_capable_noaudit((t), (cap)) == 0) #define has_capability(t, cap) (security_real_capable((t), (cap)) == 0) /** * has_capability_noaudit - Determine if a task has a superior capability available (unaudited) * @t: The task in question * @cap: The capability to be tested for * * Return true if the specified task has the given superior capability * currently in effect, false if not, but don't write an audit message for the * check. * * Note that this does not set PF_SUPERPRIV on the task. */ #define has_capability_noaudit(t, cap) \ (security_real_capable_noaudit((t), (cap)) == 0) extern int capable(int cap); Loading
include/linux/security.h +32 −9 Original line number Diff line number Diff line Loading @@ -48,7 +48,8 @@ struct audit_krule; * These functions are in security/capability.c and are used * as the default capabilities functions */ extern int cap_capable(struct task_struct *tsk, int cap, int audit); extern int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap, int audit); extern int cap_settime(struct timespec *ts, struct timezone *tz); extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); extern int cap_ptrace_traceme(struct task_struct *parent); Loading Loading @@ -1251,9 +1252,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @permitted contains the permitted capability set. * Return 0 and update @new if permission is granted. * @capable: * Check whether the @tsk process has the @cap capability. * Check whether the @tsk process has the @cap capability in the indicated * credentials. * @tsk contains the task_struct for the process. * @cred contains the credentials to use. * @cap contains the capability <include/linux/capability.h>. * @audit: Whether to write an audit message or not * Return 0 if the capability is granted for @tsk. * @acct: * Check permission before enabling or disabling process accounting. If Loading Loading @@ -1346,7 +1350,8 @@ struct security_operations { const kernel_cap_t *effective, const kernel_cap_t *inheritable, const kernel_cap_t *permitted); int (*capable) (struct task_struct *tsk, int cap, int audit); int (*capable) (struct task_struct *tsk, const struct cred *cred, int cap, int audit); int (*acct) (struct file *file); int (*sysctl) (struct ctl_table *table, int op); int (*quotactl) (int cmds, int type, int id, struct super_block *sb); Loading Loading @@ -1628,8 +1633,9 @@ int security_capset(struct cred *new, const struct cred *old, const kernel_cap_t *effective, const kernel_cap_t *inheritable, const kernel_cap_t *permitted); int security_capable(struct task_struct *tsk, int cap); int security_capable_noaudit(struct task_struct *tsk, int cap); int security_capable(int cap); int security_real_capable(struct task_struct *tsk, int cap); int security_real_capable_noaudit(struct task_struct *tsk, int cap); int security_acct(struct file *file); int security_sysctl(struct ctl_table *table, int op); int security_quotactl(int cmds, int type, int id, struct super_block *sb); Loading Loading @@ -1826,14 +1832,31 @@ static inline int security_capset(struct cred *new, return cap_capset(new, old, effective, inheritable, permitted); } static inline int security_capable(struct task_struct *tsk, int cap) static inline int security_capable(int cap) { return cap_capable(tsk, cap, SECURITY_CAP_AUDIT); return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT); } static inline int security_capable_noaudit(struct task_struct *tsk, int cap) static inline int security_real_capable(struct task_struct *tsk, int cap) { return cap_capable(tsk, cap, SECURITY_CAP_NOAUDIT); int ret; rcu_read_lock(); ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_AUDIT); rcu_read_unlock(); return ret; } static inline int security_real_capable_noaudit(struct task_struct *tsk, int cap) { int ret; rcu_read_lock(); ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_NOAUDIT); rcu_read_unlock(); return ret; } static inline int security_acct(struct file *file) Loading
include/net/cipso_ipv4.h +4 −2 Original line number Diff line number Diff line Loading @@ -131,7 +131,8 @@ extern int cipso_v4_rbm_strictvalid; */ #ifdef CONFIG_NETLABEL int cipso_v4_doi_add(struct cipso_v4_doi *doi_def); int cipso_v4_doi_add(struct cipso_v4_doi *doi_def, struct netlbl_audit *audit_info); void cipso_v4_doi_free(struct cipso_v4_doi *doi_def); int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info); struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi); Loading @@ -140,7 +141,8 @@ int cipso_v4_doi_walk(u32 *skip_cnt, int (*callback) (struct cipso_v4_doi *doi_def, void *arg), void *cb_arg); #else static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def) static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def, struct netlbl_audit *audit_info) { return -ENOSYS; } Loading
include/net/netlabel.h +80 −6 Original line number Diff line number Diff line Loading @@ -33,6 +33,8 @@ #include <linux/types.h> #include <linux/net.h> #include <linux/skbuff.h> #include <linux/in.h> #include <linux/in6.h> #include <net/netlink.h> #include <asm/atomic.h> Loading Loading @@ -353,13 +355,37 @@ static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr) /* * LSM configuration operations */ int netlbl_cfg_map_del(const char *domain, struct netlbl_audit *audit_info); int netlbl_cfg_unlbl_add_map(const char *domain, int netlbl_cfg_map_del(const char *domain, u16 family, const void *addr, const void *mask, struct netlbl_audit *audit_info); int netlbl_cfg_unlbl_map_add(const char *domain, u16 family, const void *addr, const void *mask, struct netlbl_audit *audit_info); int netlbl_cfg_unlbl_static_add(struct net *net, const char *dev_name, const void *addr, const void *mask, u16 family, u32 secid, struct netlbl_audit *audit_info); int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, int netlbl_cfg_unlbl_static_del(struct net *net, const char *dev_name, const void *addr, const void *mask, u16 family, struct netlbl_audit *audit_info); int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def, struct netlbl_audit *audit_info); void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info); int netlbl_cfg_cipsov4_map_add(u32 doi, const char *domain, const struct in_addr *addr, const struct in_addr *mask, struct netlbl_audit *audit_info); /* * LSM security attribute operations */ Loading Loading @@ -401,19 +427,62 @@ void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway); void netlbl_cache_invalidate(void); int netlbl_cache_add(const struct sk_buff *skb, const struct netlbl_lsm_secattr *secattr); /* * Protocol engine operations */ struct audit_buffer *netlbl_audit_start(int type, struct netlbl_audit *audit_info); #else static inline int netlbl_cfg_map_del(const char *domain, u16 family, const void *addr, const void *mask, struct netlbl_audit *audit_info) { return -ENOSYS; } static inline int netlbl_cfg_unlbl_map_add(const char *domain, u16 family, void *addr, void *mask, struct netlbl_audit *audit_info) { return -ENOSYS; } static inline int netlbl_cfg_unlbl_static_add(struct net *net, const char *dev_name, const void *addr, const void *mask, u16 family, u32 secid, struct netlbl_audit *audit_info) { return -ENOSYS; } static inline int netlbl_cfg_unlbl_static_del(struct net *net, const char *dev_name, const void *addr, const void *mask, u16 family, struct netlbl_audit *audit_info) { return -ENOSYS; } static inline int netlbl_cfg_unlbl_add_map(const char *domain, static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def, struct netlbl_audit *audit_info) { return -ENOSYS; } static inline int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, static inline void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info) { return; } static inline int netlbl_cfg_cipsov4_map_add(u32 doi, const char *domain, const struct in_addr *addr, const struct in_addr *mask, struct netlbl_audit *audit_info) { return -ENOSYS; Loading Loading @@ -495,6 +564,11 @@ static inline int netlbl_cache_add(const struct sk_buff *skb, { return 0; } static inline struct audit_buffer *netlbl_audit_start(int type, struct netlbl_audit *audit_info) { return NULL; } #endif /* CONFIG_NETLABEL */ #endif /* _NETLABEL_H */
