- 18 Jul, 2011 1 commit
-
-
Mimi Zohar authored
This patch changes the security_inode_init_security API by adding a filesystem specific callback to write security extended attributes. This change is in preparation for supporting the initialization of multiple LSM xattrs and the EVM xattr. Initially the callback function walks an array of xattrs, writing each xattr separately, but could be optimized to write multiple xattrs at once. For existing security_inode_init_security() calls, which have not yet been converted to use the new callback function, such as those in reiserfs and ocfs2, this patch defines security_old_inode_init_security(). Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-
- 14 Jul, 2011 1 commit
-
-
Tetsuo Handa authored
Update comments for scripts/kernel-doc and fix some of errors reported by scripts/checkpatch.pl . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
- 12 Jul, 2011 12 commits
-
-
Stefan Berger authored
This patch fixes a typo. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
-
Stefan Berger authored
This patch introduces a function for automatic probing for the Intel iTPM STS_DATA_EXPECT flaw. The patch splits the current tpm_tis_send function into 2 parts where the 1st part is now called tpm_tis_send_data() and merely sends the data to the TPM. This function is then used for probing. The new tpm_tis_send function now first calls tpm_tis_send_data and if that succeeds has the TPM process the command and waits until the response is there. The probing for the Intel iTPM is only invoked if the user has not passed itpm=1 as parameter for the module *or* if such a TPM was detected via ACPI. Previously it was necessary to pass itpm=1 when also passing force=1 to the module when doing a 'modprobe'. This function is more general than the ACPI test function and the function relying on ACPI could probably be removed. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
-
Stefan Berger authored
This patch fixes several aspects of the probing for interrupts. This patch reads the TPM's timeouts before probing for the interrupts. The tpm_get_timeouts() function is invoked in polling mode and gets the proper timeouts from the TPM so that we don't need to fall back to 2 minutes timeouts for short duration commands while the interrupt probing is happening. This patch introduces a variable probed_irq into the vendor structure that gets the irq number if an interrupt is received while the the tpm_gen_interrupt() function is run in polling mode during interrupt probing. Previously some parts of tpm_gen_interrupt() were run in polling mode, then the irq variable was set in the interrupt handler when an interrupt was received and execution of tpm_gen_interrupt() ended up switching over to interrupt mode. tpm_gen_interrupt() execution ended up on an event queue where it eventually timed out since the probing handler doesn't wake any queues. Before calling into free_irq() clear all interrupt flags that may have been set by the TPM. The reason is that free_irq() will call into the probing interrupt handler and may otherwise fool us into thinking that a real interrupt happened (because we see the flags as being set) while the TPM's interrupt line is not even connected to anything on the motherboard. This solves a problem on one machine I did testing on (Thinkpad T60). If a TPM claims to use a specifc interrupt, the probing is done as well to verify that the interrupt is actually working. If a TPM indicates that it does not use a specific interrupt (returns '0'), probe all interrupts from 3 to 15. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
-
Stefan Berger authored
This patch delays the (ACPI S3) suspend while the TPM is busy processing a command and the TPM TIS driver is run in interrupt mode. This is the same behavior as we already have it for the TPM TIS driver in polling mode. Reasoning: Some of the TPM's commands advance the internal state of the TPM. An example would be the extending of one of its PCR registers. Upper layers, such as IMA or TSS (TrouSerS), would certainly want to be sure that the command succeeded rather than getting an error code (-62 = -ETIME) that may not give a conclusive answer as for what reason the command failed. Reissuing such a command would put the TPM into the wrong state, so waiting for it to finish is really the only option. The downside is that some commands (key creation) can take a long time and actually prevent the machine from entering S3 at all before the 20 second timeout of the power management subsystem arrives. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
-
Stefan Berger authored
This patch makes sure that if the TPM TIS interface is run in interrupt mode (rather than polling mode) that all interrupts are enabled in the TPM's interrupt enable register after a resume from ACPI S3 suspend. The registers may either have been cleared by the TPM loosing its state during device sleep or by the BIOS leaving the TPM in polling mode (after sending a command to the TPM for starting it up again) You may want to check if your TPM runs with interrupts by doing cat /proc/interrupts | grep -i tpm and see whether there is an entry or otherwise for it to use interrupts: modprobe tpm_tis interrupts=1 [add 'itpm=1' for Intel TPM ] v2: - the patch was adapted to work with the pnp and platform driver implementations in tpm_tis.c Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
-
Stefan Berger authored
This patch fixes the TPM's pubek sysfs entry that is accessible as long as the TPM doesn't have an owner. It was necessary to shift the access to the data by -10 -- the first byte immediately follows the 10 byte header. The line data = tpm_cmd.params.readpubek_out_buffer; sets it at the offset '10' in the packet, so we can read the data array starting at offset '0'. Before: Algorithm: 00 0C 00 00 Encscheme: 08 00 Sigscheme: 00 00 Parameters: 00 00 00 00 01 00 AC E2 5E 3C A0 78 Modulus length: -563306801 Modulus: 28 21 08 0F 82 CD F2 B1 E7 49 F7 74 70 BE 59 8C 43 78 B1 24 EA 52 E2 FE 52 5C 3A 12 3B DC 61 71 [...] After: Algorithm: 00 00 00 01 Encscheme: 00 03 Sigscheme: 00 01 Parameters: 00 00 08 00 00 00 00 02 00 00 00 00 Modulus length: 256 Modulus: AC E2 5E 3C A0 78 DE 6C 9E CF 28 21 08 0F 82 CD F2 B1 E7 49 F7 74 70 BE 59 8C 43 78 B1 24 EA 52 [...] Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
-
Stefan Berger authored
Display the TPM's interface timeouts in a 'timeouts' sysfs entry. Display the entries as having been adjusted when they were scaled due to their values being reported in milliseconds rather than microseconds. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
-
Stefan Berger authored
Adjust the interface timeouts if they are found to be too small, i.e., if they are returned in milliseconds rather than microseconds as we heared from Infineon that some (old) Infineon TPMs do. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
-
Stefan Berger authored
The TPM driver currently discards the interface timeout values returned from the TPM. The check of the response packet needs to consider that the return_code field is 0 on success and the size of the expected packet is equivalent to the header size + u32 length indicator for the TPM_GetCapability() result + 4 interface timeout indicators of type u32. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
-
Stefan Berger authored
Display the TPM's command timeouts in a 'durations' sysfs entry. Display the entries as having been adjusted when they were scaled due to their values being reported in milliseconds rather than microseconds. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Tested-by: Guillaume Chazarain <guichaz@gmail.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
-
Stefan Berger authored
Adjust the durations if they are found to be too small, i.e., if they are returned in milliseconds rather than microseconds as some Infineon TPMs are reported to do. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
-
Stefan Berger authored
The TPM driver currently discards the durations values returned from the TPM. The check of the response packet needs to consider that the return_code field is 0 on success and the size of the expected packet is equivalent to the header size + u32 length indicator for the TPM_GetCapability() result + 3 timeout indicators of type u32. v4: - sysfs entry 'durations' is now a patch of its own - the work-around for TPMs reporting durations in milliseconds is now in a patch of its own v3: - sysfs entry now called 'durations' to resemble TPM-speak (previously was called 'timeouts') v2: - adjusting all timeouts for TPM devices reporting timeouts in msec rather than usec - also displaying in sysfs whether the timeouts are 'original' or 'adjusted' Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Tested-by: Guillaume Chazarain <guichaz@gmail.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
-
- 11 Jul, 2011 5 commits
-
-
Tetsuo Handa authored
Enable conditional ACL by passing object's pointers. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
This patch adds support for permission checks using argv[]/envp[] of execve() request. Hooks are in the last patch of this pathset. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
This patch adds support for permission checks using executable file's realpath upon execve() and symlink's target upon symlink(). Hooks are in the last patch of this pathset. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
This patch adds support for permission checks using file object's DAC attributes (e.g. owner/group) when checking file's pathnames. Hooks for passing file object's pointers are in the last patch of this pathset. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
This patch adds support for permission checks using current thread's UID/GID etc. in addition to pathnames. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
- 07 Jul, 2011 1 commit
-
-
Tetsuo Handa authored
/sys/kernel/security/tomoyo/.domain_status can be easily emulated using /sys/kernel/security/tomoyo/domain_policy . We can remove this interface by updating /usr/sbin/tomoyo-setprofile utility. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
- 30 Jun, 2011 7 commits
-
-
Tetsuo Handa authored
Commit eadd99cc "TOMOYO: Add auditing interface." by error replaced "struct tomoyo_request_info"->domain with tomoyo_domain(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Mimi Zohar authored
Move keys-ecryptfs.txt to Documentation/security. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
Sort by alphabetic order. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
I forgot to add #ifndef in commit 0e4ae0e0 "TOMOYO: Make several options configurable.", resulting security/built-in.o: In function `tomoyo_bprm_set_creds': tomoyo.c:(.text+0x4698e): undefined reference to `tomoyo_load_policy' error. Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
James Morris authored
Merge branch 'for-security' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev into next
-
James Morris authored
-
- 29 Jun, 2011 11 commits
-
-
git://git.kernel.org/pub/scm/virt/kvm/kvmLinus Torvalds authored
* 'kvm-updates/3.0' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86 emulator: fix %rip-relative addressing with immediate source operand
-
git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/stagingLinus Torvalds authored
* 'i2c-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging: i2c/pca954x: Initialize the mux to disconnected state i2c-taos-evm: Fix log messages
-
git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpcLinus Torvalds authored
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc: arch/powerpc: use printk_ratelimited instead of printk_ratelimit powerpc/rtas-rtc: remove sideeffects of printk_ratelimit powerpc/pseries: remove duplicate SCSI_BNX2_ISCSI in pseries_defconfig powerpc/e500: fix breakage with fsl_rio_mcheck_exception powerpc/p1022ds: fix audio-related properties in the device tree powerpc/85xx: fix NAND_CMD_READID read bytes number
-
Linus Torvalds authored
It's not so much an error as a warning about normal Marvell crazines. So don't use KERN_ERR that ends up spamming the console even in quiet mode, it's not _that_ critical. Explained by Jeff: "Long explanation, it's a mess: Marvell took standard AHCI, and bastardized it to include a weird mode whereby PATA devices appear inside the AHCI DMA and interrupt infrastructure you're familiar with. So, PATA devices appear via pata_marvell driver, using basic legacy IDE programming interface. But SATA devices, which might also be attached to this chip, either work in under-performing mode or simply don't work at all (e.g. newer 6 Gbps devices or port multiplier attachments, NCQ, ...) On the other hand, 'ahci' driver loads and works with the chip's attached SATA devices quite beautifully, but is completely unable to drive any attached PATA devices, due to the Marvell-specific PATA-under-AHCI interface. The "masking port_map 0x7 -> 0x3" message is the ahci driver "hiding" the PATA port(s) from itself, making sure it will only drive the SATA ports it knows how to drive." Acked-by: Jeff Garzik <jgarzik@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Petri Gynther authored
pca954x power-on default is channel 0 connected. If multiple pca954x muxes are connected to the same physical I2C bus, the parent bus will see channel 0 devices behind both muxes by default. This is bad. Scenario: -- pca954x @ 0x70 -- ch 0 (I2C-bus-101) -- EEPROM @ 0x50 | I2C-bus-1 --- | -- pca954x @ 0x71 -- ch 0 (I2C-bus-111) -- EEPROM @ 0x50 1. Load I2C bus driver: creates I2C-bus-1 2. Load pca954x driver: creates virtual I2C-bus-101 and I2C-bus-111 3. Load eeprom driver 4. Try to read EEPROM @ 0x50 on I2C-bus-101. The transaction will also bleed onto I2C-bus-111 because pca954x @ 0x71 channel 0 is connected by default. Fix: Initialize pca954x to disconnected state in pca954x_probe() Signed-off-by: Petri Gynther <pgynther@google.com> Signed-off-by: Jean Delvare <khali@linux-fr.org> Cc: stable@kernel.org
-
Jean Delvare authored
* Print all error and information messages even when debugging is disabled. * Don't use adapter device to log messages before it is ready. Signed-off-by: Jean Delvare <khali@linux-fr.org> Cc: stable@kernel.org
-
Avi Kivity authored
%rip-relative addressing is relative to the first byte of the next instruction, so we need to add %rip only after we've fetched any immediate bytes. Based on original patch by Li Xin <xin.li@intel.com>. Signed-off-by: Avi Kivity <avi@redhat.com> Acked-by: Li Xin <xin.li@intel.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
-
Christian Dietrich authored
Since printk_ratelimit() shouldn't be used anymore (see comment in include/linux/printk.h), replace it with printk_ratelimited. Signed-off-by: Christian Dietrich <christian.dietrich@informatik.uni-erlangen.de> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
-
Christian Dietrich authored
Don't use printk_ratelimit() as an additional condition for returning on an error. Because when the ratelimit is reached, printk_ratelimit will return 0 and e.g. in rtas_get_boot_time won't check for an error condition. Signed-off-by: Christian Dietrich <christian.dietrich@informatik.uni-erlangen.de> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
-
John Johansen authored
AppArmor is masking the capabilities returned by capget against the capabilities mask in the profile. This is wrong, in complain mode the profile has effectively all capabilities, as the profile restrictions are not being enforced, merely tested against to determine if an access is known by the profile. This can result in the wrong behavior of security conscience applications like sshd which examine their capability set, and change their behavior accordingly. In this case because of the masked capability set being returned sshd fails due to DAC checks, even when the profile is in complain mode. Kernels affected: 2.6.36 - 3.0. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
The pointer returned from tracehook_tracer_task() is only valid inside the rcu_read_lock. However the tracer pointer obtained is being passed to aa_may_ptrace outside of the rcu_read_lock critical section. Mover the aa_may_ptrace test into the rcu_read_lock critical section, to fix this. Kernels affected: 2.6.36 - 3.0 Reported-by: Oleg Nesterov <oleg@redhat.com> Cc: stable@kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com>
-
- 28 Jun, 2011 2 commits
-
-
Tetsuo Handa authored
To be able to start using enforcing mode from the early stage of boot sequence, this patch adds support for activating access control without calling external policy loader program. This will be useful for systems where operations which can lead to the hijacking of the boot sequence are needed before loading the policy. For example, you can activate immediately after loading the fixed part of policy which will allow only operations needed for mounting a partition which contains the variant part of policy and verifying (e.g. running GPG check) and loading the variant part of policy. Since you can start using enforcing mode from the beginning, you can reduce the possibility of hijacking the boot sequence. This patch makes several variables configurable on build time. This patch also adds TOMOYO_loader= and TOMOYO_trigger= kernel command line option to boot the same kernel in two different init systems (BSD-style init and systemd). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
To be able to start using enforcing mode from the early stage of boot sequence, this patch adds support for built-in policy configuration (and next patch adds support for activating access control without calling external policy loader program). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-