aboutsummaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/Kconfig2
-rw-r--r--security/keys/compat.c2
-rw-r--r--security/keys/encrypted-keys/encrypted.c2
-rw-r--r--security/keys/keyctl.c2
-rw-r--r--security/keys/trusted.c2
-rw-r--r--security/keys/user_defined.c3
-rw-r--r--security/security.c1
-rw-r--r--security/selinux/hooks.c1
-rw-r--r--security/selinux/netlink.c1
-rw-r--r--security/tomoyo/common.c42
10 files changed, 49 insertions, 9 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 19c053b8230..4f554f20dc9 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -9,7 +9,7 @@ config IMA
select CRYPTO_HMAC
select CRYPTO_MD5
select CRYPTO_SHA1
- select TCG_TPM if !S390
+ select TCG_TPM if !S390 && !UML
select TCG_TIS if TCG_TPM
help
The Trusted Computing Group(TCG) runtime Integrity
diff --git a/security/keys/compat.c b/security/keys/compat.c
index 338b510e902..4c48e13448f 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -38,7 +38,7 @@ long compat_keyctl_instantiate_key_iov(
ret = compat_rw_copy_check_uvector(WRITE, _payload_iov, ioc,
ARRAY_SIZE(iovstack),
- iovstack, &iov);
+ iovstack, &iov, 1);
if (ret < 0)
return ret;
if (ret == 0)
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index f33804c1b4c..dcc843cb0f8 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -293,7 +293,7 @@ static char *datablob_format(struct encrypted_key_payload *epayload,
/* convert the hex encoded iv, encrypted-data and HMAC to ascii */
bufp = &ascii_buf[len];
for (i = 0; i < (asciiblob_len - len) / 2; i++)
- bufp = pack_hex_byte(bufp, iv[i]);
+ bufp = hex_byte_pack(bufp, iv[i]);
out:
return ascii_buf;
}
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index eca51918c95..0b3f5d72af1 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1065,7 +1065,7 @@ long keyctl_instantiate_key_iov(key_serial_t id,
goto no_payload;
ret = rw_copy_check_uvector(WRITE, _payload_iov, ioc,
- ARRAY_SIZE(iovstack), iovstack, &iov);
+ ARRAY_SIZE(iovstack), iovstack, &iov, 1);
if (ret < 0)
return ret;
if (ret == 0)
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 0964fc23694..0ed5fdf238a 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -1098,7 +1098,7 @@ static long trusted_read(const struct key *key, char __user *buffer,
bufp = ascii_buf;
for (i = 0; i < p->blob_len; i++)
- bufp = pack_hex_byte(bufp, p->blob[i]);
+ bufp = hex_byte_pack(bufp, p->blob[i]);
if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) {
kfree(ascii_buf);
return -EFAULT;
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 5b366d7af3c..69ff52c08e9 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -102,7 +102,8 @@ int user_update(struct key *key, const void *data, size_t datalen)
key->expiry = 0;
}
- kfree_rcu(zap, rcu);
+ if (zap)
+ kfree_rcu(zap, rcu);
error:
return ret;
diff --git a/security/security.c b/security/security.c
index c1d69875db6..0c6cc69c8f8 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1151,6 +1151,7 @@ void security_sk_clone(const struct sock *sk, struct sock *newsk)
{
security_ops->sk_clone_security(sk, newsk);
}
+EXPORT_SYMBOL(security_sk_clone);
void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
{
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e545b9f6707..1126c10a5e8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -80,6 +80,7 @@
#include <linux/posix-timers.h>
#include <linux/syslog.h>
#include <linux/user_namespace.h>
+#include <linux/export.h>
#include "avc.h"
#include "objsec.h"
diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c
index ce3f481558d..161e01a6c7e 100644
--- a/security/selinux/netlink.c
+++ b/security/selinux/netlink.c
@@ -14,6 +14,7 @@
#include <linux/slab.h>
#include <linux/stddef.h>
#include <linux/kernel.h>
+#include <linux/export.h>
#include <linux/skbuff.h>
#include <linux/netlink.h>
#include <linux/selinux_netlink.h>
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 365f3bddee7..c47d3ce6c73 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -502,8 +502,10 @@ static struct tomoyo_profile *tomoyo_assign_profile
TOMOYO_CONFIG_WANT_REJECT_LOG;
memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT,
sizeof(ptr->config));
- ptr->pref[TOMOYO_PREF_MAX_AUDIT_LOG] = 1024;
- ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] = 2048;
+ ptr->pref[TOMOYO_PREF_MAX_AUDIT_LOG] =
+ CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG;
+ ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] =
+ CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY;
mb(); /* Avoid out-of-order execution. */
ns->profile_ptr[profile] = ptr;
entry = NULL;
@@ -746,8 +748,10 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
head->r.index++)
if (ns->profile_ptr[head->r.index])
break;
- if (head->r.index == TOMOYO_MAX_PROFILES)
+ if (head->r.index == TOMOYO_MAX_PROFILES) {
+ head->r.eof = true;
return;
+ }
head->r.step++;
break;
case 2:
@@ -759,6 +763,7 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
tomoyo_io_printf(head, "%u-COMMENT=", index);
tomoyo_set_string(head, comment ? comment->name : "");
tomoyo_set_lf(head);
+ tomoyo_print_namespace(head);
tomoyo_io_printf(head, "%u-PREFERENCE={ ", index);
for (i = 0; i < TOMOYO_MAX_PREF; i++)
tomoyo_io_printf(head, "%s=%u ",
@@ -961,6 +966,9 @@ static bool tomoyo_manager(void)
return found;
}
+static struct tomoyo_domain_info *tomoyo_find_domain_by_qid
+(unsigned int serial);
+
/**
* tomoyo_select_domain - Parse select command.
*
@@ -994,6 +1002,8 @@ static bool tomoyo_select_domain(struct tomoyo_io_buffer *head,
} else if (!strncmp(data, "domain=", 7)) {
if (tomoyo_domain_def(data + 7))
domain = tomoyo_find_domain(data + 7);
+ } else if (sscanf(data, "Q=%u", &pid) == 1) {
+ domain = tomoyo_find_domain_by_qid(pid);
} else
return false;
head->w.domain = domain;
@@ -1889,6 +1899,7 @@ static DECLARE_WAIT_QUEUE_HEAD(tomoyo_answer_wait);
/* Structure for query. */
struct tomoyo_query {
struct list_head list;
+ struct tomoyo_domain_info *domain;
char *query;
size_t query_len;
unsigned int serial;
@@ -2039,6 +2050,7 @@ int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)
goto out;
}
len = tomoyo_round2(entry.query_len);
+ entry.domain = r->domain;
spin_lock(&tomoyo_query_list_lock);
if (tomoyo_memory_quota[TOMOYO_MEMORY_QUERY] &&
tomoyo_memory_used[TOMOYO_MEMORY_QUERY] + len
@@ -2086,6 +2098,29 @@ out:
}
/**
+ * tomoyo_find_domain_by_qid - Get domain by query id.
+ *
+ * @serial: Query ID assigned by tomoyo_supervisor().
+ *
+ * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
+ */
+static struct tomoyo_domain_info *tomoyo_find_domain_by_qid
+(unsigned int serial)
+{
+ struct tomoyo_query *ptr;
+ struct tomoyo_domain_info *domain = NULL;
+ spin_lock(&tomoyo_query_list_lock);
+ list_for_each_entry(ptr, &tomoyo_query_list, list) {
+ if (ptr->serial != serial || ptr->answer)
+ continue;
+ domain = ptr->domain;
+ break;
+ }
+ spin_unlock(&tomoyo_query_list_lock);
+ return domain;
+}
+
+/**
* tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query.
*
* @file: Pointer to "struct file".
@@ -2589,6 +2624,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
return -EFAULT;
if (mutex_lock_interruptible(&head->io_sem))
return -EINTR;
+ head->read_user_buf_avail = 0;
idx = tomoyo_read_lock();
/* Read a line and dispatch it to the policy handler. */
while (avail_len > 0) {