summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2017-05-03 08:50:52 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2017-05-03 08:50:52 -0700
commit0302e28dee643932ee7b3c112ebccdbb9f8ec32c (patch)
tree405d4cb3f772ef069ed7f291adc4b74a4e73346e /security
parent89c9fea3c8034cdb2fd745f551cde0b507fd6893 (diff)
parent8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 (diff)
downloadlinux-0302e28dee643932ee7b3c112ebccdbb9f8ec32c.tar.gz
linux-0302e28dee643932ee7b3c112ebccdbb9f8ec32c.tar.bz2
linux-0302e28dee643932ee7b3c112ebccdbb9f8ec32c.zip
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris: "Highlights: IMA: - provide ">" and "<" operators for fowner/uid/euid rules KEYS: - add a system blacklist keyring - add KEYCTL_RESTRICT_KEYRING, exposes keyring link restriction functionality to userland via keyctl() LSM: - harden LSM API with __ro_after_init - add prlmit security hook, implement for SELinux - revive security_task_alloc hook TPM: - implement contextual TPM command 'spaces'" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (98 commits) tpm: Fix reference count to main device tpm_tis: convert to using locality callbacks tpm: fix handling of the TPM 2.0 event logs tpm_crb: remove a cruft constant keys: select CONFIG_CRYPTO when selecting DH / KDF apparmor: Make path_max parameter readonly apparmor: fix parameters so that the permission test is bypassed at boot apparmor: fix invalid reference to index variable of iterator line 836 apparmor: use SHASH_DESC_ON_STACK security/apparmor/lsm.c: set debug messages apparmor: fix boolreturn.cocci warnings Smack: Use GFP_KERNEL for smk_netlbl_mls(). smack: fix double free in smack_parse_opts_str() KEYS: add SP800-56A KDF support for DH KEYS: Keyring asymmetric key restrict method with chaining KEYS: Restrict asymmetric key linkage using a specific keychain KEYS: Add a lookup_restriction function for the asymmetric key type KEYS: Add KEYCTL_RESTRICT_KEYRING KEYS: Consistent ordering for __key_link_begin and restrict check KEYS: Add an optional lookup_restriction hook to key_type ...
Diffstat (limited to 'security')
-rw-r--r--security/Kconfig5
-rw-r--r--security/apparmor/crypto.c32
-rw-r--r--security/apparmor/include/lib.h2
-rw-r--r--security/apparmor/lib.c4
-rw-r--r--security/apparmor/lsm.c53
-rw-r--r--security/apparmor/policy.c6
-rw-r--r--security/commoncap.c2
-rw-r--r--security/integrity/digsig.c9
-rw-r--r--security/integrity/ima/ima_appraise.c5
-rw-r--r--security/integrity/ima/ima_mok.c11
-rw-r--r--security/integrity/ima/ima_policy.c123
-rw-r--r--security/keys/Kconfig2
-rw-r--r--security/keys/Makefile3
-rw-r--r--security/keys/compat.c9
-rw-r--r--security/keys/compat_dh.c38
-rw-r--r--security/keys/dh.c220
-rw-r--r--security/keys/gc.c13
-rw-r--r--security/keys/internal.h32
-rw-r--r--security/keys/key.c58
-rw-r--r--security/keys/keyctl.c60
-rw-r--r--security/keys/keyring.c187
-rw-r--r--security/keys/proc.c4
-rw-r--r--security/keys/process_keys.c2
-rw-r--r--security/keys/request_key_auth.c2
-rw-r--r--security/loadpin/loadpin.c2
-rw-r--r--security/security.c370
-rw-r--r--security/selinux/Kconfig6
-rw-r--r--security/selinux/hooks.c26
-rw-r--r--security/selinux/include/classmap.h2
-rw-r--r--security/selinux/nlmsgtab.c10
-rw-r--r--security/selinux/selinuxfs.c8
-rw-r--r--security/selinux/ss/conditional.c14
-rw-r--r--security/selinux/ss/hashtab.c10
-rw-r--r--security/selinux/ss/policydb.c59
-rw-r--r--security/selinux/ss/services.c2
-rw-r--r--security/selinux/ss/sidtab.c6
-rw-r--r--security/smack/smack_access.c2
-rw-r--r--security/smack/smack_lsm.c6
-rw-r--r--security/tomoyo/file.c12
-rw-r--r--security/tomoyo/tomoyo.c22
-rw-r--r--security/yama/yama_lsm.c2
41 files changed, 851 insertions, 590 deletions
diff --git a/security/Kconfig b/security/Kconfig
index 213df4d4f2c1..93027fdf47d1 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -31,6 +31,11 @@ config SECURITY
If you are unsure how to answer this question, answer N.
+config SECURITY_WRITABLE_HOOKS
+ depends on SECURITY
+ bool
+ default n
+
config SECURITYFS
bool "Enable the securityfs filesystem"
help
diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c
index de8dc78b6144..136f2a047836 100644
--- a/security/apparmor/crypto.c
+++ b/security/apparmor/crypto.c
@@ -31,10 +31,7 @@ unsigned int aa_hash_size(void)
char *aa_calc_hash(void *data, size_t len)
{
- struct {
- struct shash_desc shash;
- char ctx[crypto_shash_descsize(apparmor_tfm)];
- } desc;
+ SHASH_DESC_ON_STACK(desc, apparmor_tfm);
char *hash = NULL;
int error = -ENOMEM;
@@ -45,16 +42,16 @@ char *aa_calc_hash(void *data, size_t len)
if (!hash)
goto fail;
- desc.shash.tfm = apparmor_tfm;
- desc.shash.flags = 0;
+ desc->tfm = apparmor_tfm;
+ desc->flags = 0;
- error = crypto_shash_init(&desc.shash);
+ error = crypto_shash_init(desc);
if (error)
goto fail;
- error = crypto_shash_update(&desc.shash, (u8 *) data, len);
+ error = crypto_shash_update(desc, (u8 *) data, len);
if (error)
goto fail;
- error = crypto_shash_final(&desc.shash, hash);
+ error = crypto_shash_final(desc, hash);
if (error)
goto fail;
@@ -69,10 +66,7 @@ fail:
int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
size_t len)
{
- struct {
- struct shash_desc shash;
- char ctx[crypto_shash_descsize(apparmor_tfm)];
- } desc;
+ SHASH_DESC_ON_STACK(desc, apparmor_tfm);
int error = -ENOMEM;
__le32 le32_version = cpu_to_le32(version);
@@ -86,19 +80,19 @@ int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
if (!profile->hash)
goto fail;
- desc.shash.tfm = apparmor_tfm;
- desc.shash.flags = 0;
+ desc->tfm = apparmor_tfm;
+ desc->flags = 0;
- error = crypto_shash_init(&desc.shash);
+ error = crypto_shash_init(desc);
if (error)
goto fail;
- error = crypto_shash_update(&desc.shash, (u8 *) &le32_version, 4);
+ error = crypto_shash_update(desc, (u8 *) &le32_version, 4);
if (error)
goto fail;
- error = crypto_shash_update(&desc.shash, (u8 *) start, len);
+ error = crypto_shash_update(desc, (u8 *) start, len);
if (error)
goto fail;
- error = crypto_shash_final(&desc.shash, profile->hash);
+ error = crypto_shash_final(desc, profile->hash);
if (error)
goto fail;
diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index 65ff492a9807..0291ff3902f9 100644
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -57,7 +57,7 @@
pr_err_ratelimited("AppArmor: " fmt, ##args)
/* Flag indicating whether initialization completed */
-extern int apparmor_initialized __initdata;
+extern int apparmor_initialized;
/* fn's in lib */
char *aa_split_fqname(char *args, char **ns_name);
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 66475bda6f72..32cafc12593e 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -180,13 +180,13 @@ bool aa_policy_init(struct aa_policy *policy, const char *prefix,
} else
policy->hname = kstrdup(name, gfp);
if (!policy->hname)
- return 0;
+ return false;
/* base.name is a substring of fqname */
policy->name = basename(policy->hname);
INIT_LIST_HEAD(&policy->list);
INIT_LIST_HEAD(&policy->profiles);
- return 1;
+ return true;
}
/**
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 709eacd23909..8f3c0f7aca5a 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -39,7 +39,7 @@
#include "include/procattr.h"
/* Flag indicating whether initialization completed */
-int apparmor_initialized __initdata;
+int apparmor_initialized;
DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
@@ -587,7 +587,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
return error;
}
-static struct security_hook_list apparmor_hooks[] = {
+static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
LSM_HOOK_INIT(capget, apparmor_capget),
@@ -681,7 +681,7 @@ module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
#endif
/* Debug mode */
-bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_DEBUG_MESSAGES);
+bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
/* Audit mode */
@@ -710,7 +710,7 @@ module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
/* Maximum pathname length before accesses will start getting rejected */
unsigned int aa_g_path_max = 2 * PATH_MAX;
-module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
+module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
/* Determines how paranoid loading of policy is and how much verification
* on the loaded policy is done.
@@ -738,78 +738,77 @@ __setup("apparmor=", apparmor_enabled_setup);
/* set global flag turning off the ability to load policy */
static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
{
- if (!policy_admin_capable(NULL))
+ if (!apparmor_enabled)
+ return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
return -EPERM;
return param_set_bool(val, kp);
}
static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return param_get_bool(buffer, kp);
}
static int param_set_aabool(const char *val, const struct kernel_param *kp)
{
- if (!policy_admin_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
+ return -EPERM;
return param_set_bool(val, kp);
}
static int param_get_aabool(char *buffer, const struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return param_get_bool(buffer, kp);
}
static int param_set_aauint(const char *val, const struct kernel_param *kp)
{
- if (!policy_admin_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
+ return -EPERM;
return param_set_uint(val, kp);
}
static int param_get_aauint(char *buffer, const struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return param_get_uint(buffer, kp);
}
static int param_get_audit(char *buffer, struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
-
if (!apparmor_enabled)
return -EINVAL;
-
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
}
static int param_set_audit(const char *val, struct kernel_param *kp)
{
int i;
- if (!policy_admin_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
-
if (!val)
return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
+ return -EPERM;
for (i = 0; i < AUDIT_MAX_INDEX; i++) {
if (strcmp(val, audit_mode_names[i]) == 0) {
@@ -823,11 +822,10 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
static int param_get_mode(char *buffer, struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
-
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
}
@@ -835,14 +833,13 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
static int param_set_mode(const char *val, struct kernel_param *kp)
{
int i;
- if (!policy_admin_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
-
if (!val)
return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
+ return -EPERM;
for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
if (strcmp(val, aa_profile_mode_names[i]) == 0) {
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index def1fbd6bdfd..cf9d670dca94 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -876,9 +876,11 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
if (ns_name) {
ns = aa_prepare_ns(view, ns_name);
if (IS_ERR(ns)) {
+ op = OP_PROF_LOAD;
info = "failed to prepare namespace";
error = PTR_ERR(ns);
ns = NULL;
+ ent = NULL;
goto fail;
}
} else
@@ -1013,7 +1015,7 @@ fail_lock:
/* audit cause of failure */
op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
fail:
- audit_policy(profile, op, ns_name, ent->new->base.hname,
+ audit_policy(profile, op, ns_name, ent ? ent->new->base.hname : NULL,
info, error);
/* audit status that rest of profiles in the atomic set failed too */
info = "valid profile in failed atomic policy load";
@@ -1023,7 +1025,7 @@ fail:
/* skip entry that caused failure */
continue;
}
- op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
+ op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL;
audit_policy(profile, op, ns_name,
tmp->new->base.hname, info, error);
}
diff --git a/security/commoncap.c b/security/commoncap.c
index 78b37838a2d3..7abebd782d5e 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1071,7 +1071,7 @@ int cap_mmap_file(struct file *file, unsigned long reqprot,
#ifdef CONFIG_SECURITY
-struct security_hook_list capability_hooks[] = {
+struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(capable, cap_capable),
LSM_HOOK_INIT(settime, cap_settime),
LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 106e855e2d9d..06554c448dce 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -81,18 +81,25 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
int __init integrity_init_keyring(const unsigned int id)
{
const struct cred *cred = current_cred();
+ struct key_restriction *restriction;
int err = 0;
if (!init_keyring)
return 0;
+ restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
+ if (!restriction)
+ return -ENOMEM;
+
+ restriction->check = restrict_link_to_ima;
+
keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
KGIDT_INIT(0), cred,
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ |
KEY_USR_WRITE | KEY_USR_SEARCH),
KEY_ALLOC_NOT_IN_QUOTA,
- restrict_link_to_ima, NULL);
+ restriction, NULL);
if (IS_ERR(keyring[id])) {
err = PTR_ERR(keyring[id]);
pr_info("Can't allocate %s keyring (%d)\n",
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 1fd9539a969d..5d0785cfe063 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -207,10 +207,11 @@ int ima_appraise_measurement(enum ima_hooks func,
cause = "missing-hash";
status = INTEGRITY_NOLABEL;
- if (opened & FILE_CREATED) {
+ if (opened & FILE_CREATED)
iint->flags |= IMA_NEW_FILE;
+ if ((iint->flags & IMA_NEW_FILE) &&
+ !(iint->flags & IMA_DIGSIG_REQUIRED))
status = INTEGRITY_PASS;
- }
goto out;
}
diff --git a/security/integrity/ima/ima_mok.c b/security/integrity/ima/ima_mok.c
index 74a279957464..073ddc9bce5b 100644
--- a/security/integrity/ima/ima_mok.c
+++ b/security/integrity/ima/ima_mok.c
@@ -17,6 +17,7 @@
#include <linux/cred.h>
#include <linux/err.h>
#include <linux/init.h>
+#include <linux/slab.h>
#include <keys/system_keyring.h>
@@ -27,15 +28,23 @@ struct key *ima_blacklist_keyring;
*/
__init int ima_mok_init(void)
{
+ struct key_restriction *restriction;
+
pr_notice("Allocating IMA blacklist keyring.\n");
+ restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
+ if (!restriction)
+ panic("Can't allocate IMA blacklist restriction.");
+
+ restriction->check = restrict_link_by_builtin_trusted;
+
ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ |
KEY_USR_WRITE | KEY_USR_SEARCH,
KEY_ALLOC_NOT_IN_QUOTA,
- restrict_link_by_builtin_trusted, NULL);
+ restriction, NULL);
if (IS_ERR(ima_blacklist_keyring))
panic("Can't allocate IMA blacklist keyring.");
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index aed47b777a57..3ab1067db624 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -64,6 +64,8 @@ struct ima_rule_entry {
u8 fsuuid[16];
kuid_t uid;
kuid_t fowner;
+ bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */
+ bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
int pcr;
struct {
void *rule; /* LSM file metadata specific */
@@ -83,7 +85,7 @@ struct ima_rule_entry {
* normal users can easily run the machine out of memory simply building
* and running executables.
*/
-static struct ima_rule_entry dont_measure_rules[] = {
+static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
@@ -97,32 +99,35 @@ static struct ima_rule_entry dont_measure_rules[] = {
{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
};
-static struct ima_rule_entry original_measurement_rules[] = {
+static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
.flags = IMA_FUNC | IMA_MASK},
{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
.flags = IMA_FUNC | IMA_MASK},
{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
- .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_MASK | IMA_UID},
+ .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
+ .flags = IMA_FUNC | IMA_MASK | IMA_UID},
{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
};
-static struct ima_rule_entry default_measurement_rules[] = {
+static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
.flags = IMA_FUNC | IMA_MASK},
{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
.flags = IMA_FUNC | IMA_MASK},
{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
- .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
+ .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
+ .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
{.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
- .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
+ .uid = GLOBAL_ROOT_UID, .uid_op = &uid_eq,
+ .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
{.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
};
-static struct ima_rule_entry default_appraise_rules[] = {
+static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
@@ -139,10 +144,11 @@ static struct ima_rule_entry default_appraise_rules[] = {
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
#endif
#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
- {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
+ {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
+ .flags = IMA_FOWNER},
#else
/* force signature */
- {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID,
+ {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
.flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
#endif
};
@@ -240,19 +246,20 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
if ((rule->flags & IMA_FSUUID) &&
memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid)))
return false;
- if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
+ if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
return false;
if (rule->flags & IMA_EUID) {
if (has_capability_noaudit(current, CAP_SETUID)) {
- if (!uid_eq(rule->uid, cred->euid)
- && !uid_eq(rule->uid, cred->suid)
- && !uid_eq(rule->uid, cred->uid))
+ if (!rule->uid_op(cred->euid, rule->uid)
+ && !rule->uid_op(cred->suid, rule->uid)
+ && !rule->uid_op(cred->uid, rule->uid))
return false;
- } else if (!uid_eq(rule->uid, cred->euid))
+ } else if (!rule->uid_op(cred->euid, rule->uid))
return false;
}
- if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
+ if ((rule->flags & IMA_FOWNER) &&
+ !rule->fowner_op(inode->i_uid, rule->fowner))
return false;
for (i = 0; i < MAX_LSM_RULES; i++) {
int rc = 0;
@@ -486,7 +493,9 @@ enum {
Opt_obj_user, Opt_obj_role, Opt_obj_type,
Opt_subj_user, Opt_subj_role, Opt_subj_type,
Opt_func, Opt_mask, Opt_fsmagic,
- Opt_fsuuid, Opt_uid, Opt_euid, Opt_fowner,
+ Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
+ Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
+ Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
Opt_appraise_type, Opt_permit_directio,
Opt_pcr
};
@@ -507,9 +516,15 @@ static match_table_t policy_tokens = {
{Opt_mask, "mask=%s"},
{Opt_fsmagic, "fsmagic=%s"},
{Opt_fsuuid, "fsuuid=%s"},
- {Opt_uid, "uid=%s"},
- {Opt_euid, "euid=%s"},
- {Opt_fowner, "fowner=%s"},
+ {Opt_uid_eq, "uid=%s"},
+ {Opt_euid_eq, "euid=%s"},
+ {Opt_fowner_eq, "fowner=%s"},
+ {Opt_uid_gt, "uid>%s"},
+ {Opt_euid_gt, "euid>%s"},
+ {Opt_fowner_gt, "fowner>%s"},
+ {Opt_uid_lt, "uid<%s"},
+ {Opt_euid_lt, "euid<%s"},
+ {Opt_fowner_lt, "fowner<%s"},
{Opt_appraise_type, "appraise_type=%s"},
{Opt_permit_directio, "permit_directio"},
{Opt_pcr, "pcr=%s"},
@@ -541,24 +556,37 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
return result;
}
-static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
+static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
+ bool (*rule_operator)(kuid_t, kuid_t))
{
- audit_log_format(ab, "%s=", key);
+ if (rule_operator == &uid_gt)
+ audit_log_format(ab, "%s>", key);
+ else if (rule_operator == &uid_lt)
+ audit_log_format(ab, "%s<", key);
+ else
+ audit_log_format(ab, "%s=", key);
audit_log_untrustedstring(ab, value);
audit_log_format(ab, " ");
}
+static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
+{
+ ima_log_string_op(ab, key, value, NULL);
+}
static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
{
struct audit_buffer *ab;
char *from;
char *p;
+ bool uid_token;
int result = 0;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
entry->uid = INVALID_UID;
entry->fowner = INVALID_UID;
+ entry->uid_op = &uid_eq;
+ entry->fowner_op = &uid_eq;
entry->action = UNKNOWN;
while ((p = strsep(&rule, " \t")) != NULL) {
substring_t args[MAX_OPT_ARGS];
@@ -694,11 +722,21 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
if (!result)
entry->flags |= IMA_FSUUID;
break;
- case Opt_uid:
- ima_log_string(ab, "uid", args[0].from);
- case Opt_euid:
- if (token == Opt_euid)
- ima_log_string(ab, "euid", args[0].from);
+ case Opt_uid_gt:
+ case Opt_euid_gt:
+ entry->uid_op = &uid_gt;
+ case Opt_uid_lt:
+ case Opt_euid_lt:
+ if ((token == Opt_uid_lt) || (token == Opt_euid_lt))
+ entry->uid_op = &uid_lt;
+ case Opt_uid_eq:
+ case Opt_euid_eq:
+ uid_token = (token == Opt_uid_eq) ||
+ (token == Opt_uid_gt) ||
+ (token == Opt_uid_lt);
+
+ ima_log_string_op(ab, uid_token ? "uid" : "euid",
+ args[0].from, entry->uid_op);
if (uid_valid(entry->uid)) {
result = -EINVAL;
@@ -713,12 +751,18 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
(uid_t)lnum != lnum)
result = -EINVAL;
else
- entry->flags |= (token == Opt_uid)
+ entry->flags |= uid_token
? IMA_UID : IMA_EUID;
}
break;
- case Opt_fowner:
- ima_log_string(ab, "fowner", args[0].from);
+ case Opt_fowner_gt:
+ entry->fowner_op = &uid_gt;
+ case Opt_fowner_lt:
+ if (token == Opt_fowner_lt)
+ entry->fowner_op = &uid_lt;
+ case Opt_fowner_eq:
+ ima_log_string_op(ab, "fowner", args[0].from,
+ entry->fowner_op);
if (uid_valid(entry->fowner)) {
result = -EINVAL;
@@ -1049,19 +1093,34 @@ int ima_policy_show(struct seq_file *m, void *v)
if (entry->flags & IMA_UID) {
snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
- seq_printf(m, pt(Opt_uid), tbuf);
+ if (entry->uid_op == &uid_gt)
+ seq_printf(m, pt(Opt_uid_gt), tbuf);
+ else if (entry->uid_op == &uid_lt)
+ seq_printf(m, pt(Opt_uid_lt), tbuf);
+ else
+ seq_printf(m, pt(Opt_uid_eq), tbuf);
seq_puts(m, " ");
}
if (entry->flags & IMA_EUID) {
snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
- seq_printf(m, pt(Opt_euid), tbuf);
+ if (entry->uid_op == &uid_gt)
+ seq_printf(m, pt(Opt_euid_gt), tbuf);
+ else if (entry->uid_op == &uid_lt)
+ seq_printf(m, pt(Opt_euid_lt), tbuf);
+ else
+ seq_printf(m, pt(Opt_euid_eq), tbuf);
seq_puts(m, " ");
}
if (entry->flags & IMA_FOWNER) {
snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
- seq_printf(m, pt(Opt_fowner), tbuf);
+ if (entry->fowner_op == &uid_gt)
+ seq_printf(m, pt(Opt_fowner_gt), tbuf);
+ else if (entry->fowner_op == &uid_lt)
+ seq_printf(m, pt(Opt_fowner_lt), tbuf);
+ else
+ seq_printf(m, pt(Opt_fowner_eq), tbuf);
seq_puts(m, " ");
}
diff --git a/security/keys/Kconfig b/security/keys/Kconfig
index d942c7c2bc0a..6fd95f76bfae 100644
--- a/security/keys/Kconfig
+++ b/security/keys/Kconfig
@@ -90,6 +90,8 @@ config KEY_DH_OPERATIONS
bool "Diffie-Hellman operations on retained keys"
depends on KEYS
select MPILIB
+ select CRYPTO
+ select CRYPTO_HASH
help
This option provides support for calculating Diffie-Hellman
public keys and shared secrets using values stored as keys
diff --git a/security/keys/Makefile b/security/keys/Makefile
index 1fd4a16e6daf..57dff0c15809 100644
--- a/security/keys/Makefile
+++ b/security/keys/Makefile
@@ -15,7 +15,8 @@ obj-y := \
request_key.o \
request_key_auth.o \
user_defined.o
-obj-$(CONFIG_KEYS_COMPAT) += compat.o
+compat-obj-$(CONFIG_KEY_DH_OPERATIONS) += compat_dh.o
+obj-$(CONFIG_KEYS_COMPAT) += compat.o $(compat-obj-y)
obj-$(CONFIG_PROC_FS) += proc.o
obj-$(CONFIG_SYSCTL) += sysctl.o
obj-$(CONFIG_PERSISTENT_KEYRINGS) += persistent.o
diff --git a/security/keys/compat.c b/security/keys/compat.c
index 36c80bf5b89c..e87c89c0177c 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -133,8 +133,13 @@ COMPAT_SYSCALL_DEFINE5(keyctl, u32, option,
return keyctl_get_persistent(arg2, arg3);
case KEYCTL_DH_COMPUTE:
- return keyctl_dh_compute(compat_ptr(arg2), compat_ptr(arg3),
- arg4, compat_ptr(arg5));
+ return compat_keyctl_dh_compute(compat_ptr(arg2),
+ compat_ptr(arg3),
+ arg4, compat_ptr(arg5));
+
+ case KEYCTL_RESTRICT_KEYRING:
+ return keyctl_restrict_keyring(arg2, compat_ptr(arg3),
+ compat_ptr(arg4));
default:
return -EOPNOTSUPP;
diff --git a/security/keys/compat_dh.c b/security/keys/compat_dh.c
new file mode 100644
index 000000000000..a6a659b6bcb6
--- /dev/null
+++ b/security/keys/compat_dh.c
@@ -0,0 +1,38 @@
+/* 32-bit compatibility syscall for 64-bit systems for DH operations
+ *
+ * Copyright (C) 2016 Stephan Mueller <smueller@chronox.de>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ */
+
+#include <linux/uaccess.h>
+
+#include "internal.h"
+
+/*
+ * Perform the DH computation or DH based key derivation.
+ *
+ * If successful, 0 will be returned.
+ */
+long compat_keyctl_dh_compute(struct keyctl_dh_params __user *params,
+ char __user *buffer, size_t buflen,
+ struct compat_keyctl_kdf_params __user *kdf)
+{
+ struct keyctl_kdf_params kdfcopy;
+ struct compat_keyctl_kdf_params compat_kdfcopy;
+
+ if (!kdf)
+ return __keyctl_dh_compute(params, buffer, buflen, NULL);
+
+ if (copy_from_user(&compat_kdfcopy, kdf, sizeof(compat_kdfcopy)) != 0)
+ return -EFAULT;
+
+ kdfcopy.hashname = compat_ptr(compat_kdfcopy.hashname);
+ kdfcopy.otherinfo = compat_ptr(compat_kdfcopy.otherinfo);
+ kdfcopy.otherinfolen = compat_kdfcopy.otherinfolen;
+
+ return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
+}
diff --git a/security/keys/dh.c b/security/keys/dh.c
index 893af4c45038..e603bd912e4c 100644
--- a/security/keys/dh.c
+++ b/security/keys/dh.c
@@ -11,6 +11,8 @@
#include <linux/mpi.h>
#include <linux/slab.h>
#include <linux/uaccess.h>
+#include <linux/crypto.h>
+#include <crypto/hash.h>
#include <keys/user-type.h>
#include "internal.h"
@@ -77,9 +79,146 @@ error:
return ret;
}
-long keyctl_dh_compute(struct keyctl_dh_params __user *params,
- char __user *buffer, size_t buflen,
- void __user *reserved)
+struct kdf_sdesc {
+ struct shash_desc shash;
+ char ctx[];
+};
+
+static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname)
+{
+ struct crypto_shash *tfm;
+ struct kdf_sdesc *sdesc;
+ int size;
+
+ /* allocate synchronous hash */
+ tfm = crypto_alloc_shash(hashname, 0, 0);
+ if (IS_ERR(tfm)) {
+ pr_info("could not allocate digest TFM handle %s\n", hashname);
+ return PTR_ERR(tfm);
+ }
+
+ size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm);
+ sdesc = kmalloc(size, GFP_KERNEL);
+ if (!sdesc)
+ return -ENOMEM;
+ sdesc->shash.tfm = tfm;
+ sdesc->shash.flags = 0x0;
+
+ *sdesc_ret = sdesc;
+
+ return 0;
+}
+
+static void kdf_dealloc(struct kdf_sdesc *sdesc)
+{
+ if (!sdesc)
+ return;
+
+ if (sdesc->shash.tfm)
+ crypto_free_shash(sdesc->shash.tfm);
+
+ kzfree(sdesc);
+}
+
+/* convert 32 bit integer into its string representation */
+static inline void crypto_kw_cpu_to_be32(u32 val, u8 *buf)
+{
+ __be32 *a = (__be32 *)buf;
+
+ *a = cpu_to_be32(val);
+}
+
+/*
+ * Implementation of the KDF in counter mode according to SP800-108 section 5.1
+ * as well as SP800-56A section 5.8.1 (Single-step KDF).
+ *
+ * SP800-56A:
+ * The src pointer is defined as Z || other info where Z is the shared secret
+ * from DH and other info is an arbitrary string (see SP800-56A section
+ * 5.8.1.2).
+ */
+static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen,
+ u8 *dst, unsigned int dlen)
+{
+ struct shash_desc *desc = &sdesc->shash;
+ unsigned int h = crypto_shash_digestsize(desc->tfm);
+ int err = 0;
+ u8 *dst_orig = dst;
+ u32 i = 1;
+ u8 iteration[sizeof(u32)];
+
+ while (dlen) {
+ err = crypto_shash_init(desc);
+ if (err)
+ goto err;
+
+ crypto_kw_cpu_to_be32(i, iteration);
+ err = crypto_shash_update(desc, iteration, sizeof(u32));
+ if (err)
+ goto err;
+
+ if (src && slen) {
+ err = crypto_shash_update(desc, src, slen);
+ if (err)
+ goto err;
+ }
+
+ if (dlen < h) {
+ u8 tmpbuffer[h];
+
+ err = crypto_shash_final(desc, tmpbuffer);
+ if (err)
+ goto err;
+ memcpy(dst, tmpbuffer, dlen);
+ memzero_explicit(tmpbuffer, h);
+ return 0;
+ } else {
+ err = crypto_shash_final(desc, dst);
+ if (err)
+ goto err;
+
+ dlen -= h;
+ dst += h;
+ i++;
+ }
+ }
+
+ return 0;
+
+err:
+ memzero_explicit(dst_orig, dlen);
+ return err;
+}
+
+static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc,
+ char __user *buffer, size_t buflen,
+ uint8_t *kbuf, size_t kbuflen)
+{
+ uint8_t *outbuf = NULL;
+ int ret;
+
+ outbuf = kmalloc(buflen, GFP_KERNEL);
+ if (!outbuf) {
+ ret = -ENOMEM;
+ goto err;
+ }
+
+ ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, buflen);
+ if (ret)
+ goto err;
+
+ ret = buflen;
+ if (copy_to_user(buffer, outbuf, buflen) != 0)
+ ret = -EFAULT;
+
+err:
+ kzfree(outbuf);
+ return ret;
+}
+
+long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
+ char __user *buffer, size_t buflen,
+ struct keyctl_kdf_params *kdfcopy)
{
long ret;
MPI base, private, prime, result;
@@ -88,6 +227,7 @@ long keyctl_dh_compute(struct keyctl_dh_params __user *params,
uint8_t *kbuf;
ssize_t keylen;
size_t resultlen;
+ struct kdf_sdesc *sdesc = NULL;
if (!params || (!buffer && buflen)) {
ret = -EINVAL;
@@ -98,12 +238,34 @@ long keyctl_dh_compute(struct keyctl_dh_params __user *params,
goto out;
}
- if (reserved) {
- ret = -EINVAL;
- goto out;
+ if (kdfcopy) {
+ char *hashname;
+
+ if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
+ kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
+ ret = -EMSGSIZE;
+ goto out;
+ }
+
+ /* get KDF name string */
+ hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME);
+ if (IS_ERR(hashname)) {
+ ret = PTR_ERR(hashname);
+ goto out;
+ }
+
+ /* allocate KDF from the kernel crypto API */
+ ret = kdf_alloc(&sdesc, hashname);
+ kfree(hashname);
+ if (ret)
+ goto out;
}
- keylen = mpi_from_key(pcopy.prime, buflen, &prime);
+ /*
+ * If the caller requests postprocessing with a KDF, allow an
+ * arbitrary output buffer size since the KDF ensures proper truncation.
+ */
+ keylen = mpi_from_key(pcopy.prime, kdfcopy ? SIZE_MAX : buflen, &prime);
if (keylen < 0 || !prime) {
/* buflen == 0 may be used to query the required buffer size,
* which is the prime key length.
@@ -133,12 +295,25 @@ long keyctl_dh_compute(struct keyctl_dh_params __user *params,
goto error3;
}
- kbuf = kmalloc(resultlen, GFP_KERNEL);
+ /* allocate space for DH shared secret and SP800-56A otherinfo */
+ kbuf = kmalloc(kdfcopy ? (resultlen + kdfcopy->otherinfolen) : resultlen,
+ GFP_KERNEL);
if (!kbuf) {
ret = -ENOMEM;
goto error4;
}
+ /*
+ * Concatenate SP800-56A otherinfo past DH shared secret -- the
+ * input to the KDF is (DH shared secret || otherinfo)
+ */
+ if (kdfcopy && kdfcopy->otherinfo &&
+ copy_from_user(kbuf + resultlen, kdfcopy->otherinfo,
+ kdfcopy->otherinfolen) != 0) {
+ ret = -EFAULT;
+ goto error5;
+ }
+
ret = do_dh(result, base, private, prime);
if (ret)
goto error5;
@@ -147,12 +322,17 @@ long keyctl_dh_compute(struct keyctl_dh_params __user *params,
if (ret != 0)
goto error5;
- ret = nbytes;
- if (copy_to_user(buffer, kbuf, nbytes) != 0)
- ret = -EFAULT;
+ if (kdfcopy) {
+ ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, kbuf,
+ resultlen + kdfcopy->otherinfolen);
+ } else {
+ ret = nbytes;
+ if (copy_to_user(buffer, kbuf, nbytes) != 0)
+ ret = -EFAULT;
+ }
error5:
- kfree(kbuf);
+ kzfree(kbuf);
error4:
mpi_free(result);
error3:
@@ -162,5 +342,21 @@ error2:
error1:
mpi_free(prime);
out:
+ kdf_dealloc(sdesc);
return ret;
}
+
+long keyctl_dh_compute(struct keyctl_dh_params __user *params,
+ char __user *buffer, size_t buflen,
+ struct keyctl_kdf_params __user *kdf)
+{
+ struct keyctl_kdf_params kdfcopy;
+
+ if (!kdf)
+ return __keyctl_dh_compute(params, buffer, buflen, NULL);
+
+ if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0)
+ return -EFAULT;
+
+ return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
+}
diff --git a/security/keys/gc.c b/security/keys/gc.c
index 9cb4fe4478a1..595becc6d0d2 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -220,7 +220,7 @@ continue_scanning:
key = rb_entry(cursor, struct key, serial_node);
cursor = rb_next(cursor);
- if (atomic_read(&key->usage) == 0)
+ if (refcount_read(&key->usage) == 0)
goto found_unreferenced_key;
if (unlikely(gc_state & KEY_GC_REAPING_DEAD_1)) {
@@ -229,6 +229,9 @@ continue_scanning:
set_bit(KEY_FLAG_DEAD, &key->flags);
key->perm = 0;
goto skip_dead_key;
+ } else if (key->type == &key_type_keyring &&
+ key->restrict_link) {
+ goto found_restricted_keyring;
}
}
@@ -334,6 +337,14 @@ found_unreferenced_key:
gc_state |= KEY_GC_REAP_AGAIN;
goto maybe_resched;
+ /* We found a restricted keyring and need to update the restriction if
+ * it is associated with the dead key type.
+ */
+found_restricted_keyring:
+ spin_unlock(&key_serial_lock);
+ keyring_restriction_gc(key, key_gc_dead_keytype);
+ goto maybe_resched;
+
/* We found a keyring and we need to check the payload for links to
* dead or expired keys. We don't flag another reap immediately as we
* have to wait for the old payload to be destroyed by RCU before we
diff --git a/security/keys/internal.h b/security/keys/internal.h
index a2f4c0abb8d8..c0f8682eba69 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -17,6 +17,8 @@
#include <linux/key-type.h>
#include <linux/task_work.h>
#include <linux/keyctl.h>
+#include <linux/refcount.h>
+#include <linux/compat.h>
struct iovec;
@@ -53,7 +55,7 @@ struct key_user {
struct rb_node node;
struct mutex cons_lock; /* construction initiation lock */
spinlock_t lock;
- atomic_t usage; /* for accessing qnkeys & qnbytes */
+ refcount_t usage; /* for accessing qnkeys & qnbytes */
atomic_t nkeys; /* number of keys */
atomic_t nikeys; /* number of instantiated keys */
kuid_t uid;
@@ -167,6 +169,8 @@ extern void key_change_session_keyring(struct callback_head *twork);
extern struct work_struct key_gc_work;
extern unsigned key_gc_delay;
extern void keyring_gc(struct key *keyring, time_t limit);
+extern void keyring_restriction_gc(struct key *keyring,
+ struct key_type *dead_type);
extern void key_schedule_gc(time_t gc_at);
extern void key_schedule_gc_links(void);
extern void key_gc_keytype(struct key_type *ktype);
@@ -249,6 +253,9 @@ struct iov_iter;
extern long keyctl_instantiate_key_common(key_serial_t,
struct iov_iter *,
key_serial_t);
+extern long keyctl_restrict_keyring(key_serial_t id,
+ const char __user *_type,
+ const char __user *_restriction);
#ifdef CONFIG_PERSISTENT_KEYRINGS
extern long keyctl_get_persistent(uid_t, key_serial_t);
extern unsigned persistent_keyring_expiry;
@@ -261,15 +268,34 @@ static inline long keyctl_get_persistent(uid_t uid, key_serial_t destring)
#ifdef CONFIG_KEY_DH_OPERATIONS
extern long keyctl_dh_compute(struct keyctl_dh_params __user *, char __user *,
- size_t, void __user *);
+ size_t, struct keyctl_kdf_params __user *);
+extern long __keyctl_dh_compute(struct keyctl_dh_params __user *, char __user *,
+ size_t, struct keyctl_kdf_params *);
+#ifdef CONFIG_KEYS_COMPAT
+extern long compat_keyctl_dh_compute(struct keyctl_dh_params __user *params,
+ char __user *buffer, size_t buflen,
+ struct compat_keyctl_kdf_params __user *kdf);
+#endif
+#define KEYCTL_KDF_MAX_OUTPUT_LEN 1024 /* max length of KDF output */
+#define KEYCTL_KDF_MAX_OI_LEN 64 /* max length of otherinfo */
#else
static inline long keyctl_dh_compute(struct keyctl_dh_params __user *params,
char __user *buffer, size_t buflen,
- void __user *reserved)
+ struct keyctl_kdf_params __user *kdf)
+{
+ return -EOPNOTSUPP;
+}
+
+#ifdef CONFIG_KEYS_COMPAT
+static inline long compat_keyctl_dh_compute(
+ struct keyctl_dh_params __user *params,
+ char __user *buffer, size_t buflen,
+ struct keyctl_kdf_params __user *kdf)
{
return -EOPNOTSUPP;
}
#endif
+#endif
/*
* Debugging key validation
diff --git a/security/keys/key.c b/security/keys/key.c
index 346fbf201c22..455c04d80bbb 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -93,7 +93,7 @@ try_again:
/* if we get here, then the user record still hadn't appeared on the
* second pass - so we use the candidate record */
- atomic_set(&candidate->usage, 1);
+ refcount_set(&candidate->usage, 1);
atomic_set(&candidate->nkeys, 0);
atomic_set(&candidate->nikeys, 0);
candidate->uid = uid;
@@ -110,7 +110,7 @@ try_again:
/* okay - we found a user record for this UID */
found:
- atomic_inc(&user->usage);
+ refcount_inc(&user->usage);
spin_unlock(&key_user_lock);
kfree(candidate);
out:
@@ -122,7 +122,7 @@ out:
*/
void key_user_put(struct key_user *user)
{
- if (atomic_dec_and_lock(&user->usage, &key_user_lock)) {
+ if (refcount_dec_and_lock(&user->usage, &key_user_lock)) {
rb_erase(&user->node, &key_user_tree);
spin_unlock(&key_user_lock);
@@ -201,12 +201,15 @@ serial_exists:
* @cred: The credentials specifying UID namespace.
* @perm: The permissions mask of the new key.
* @flags: Flags specifying quota properties.
- * @restrict_link: Optional link restriction method for new keyrings.
+ * @restrict_link: Optional link restriction for new keyrings.
*
* Allocate a key of the specified type with the attributes given. The key is
* returned in an uninstantiated state and the caller needs to instantiate the
* key before returning.
*
+ * The restrict_link structure (if not NULL) will be freed when the
+ * keyring is destroyed, so it must be dynamically allocated.
+ *
* The user's key count quota is updated to reflect the creation of the key and
* the user's key data quota has the default for the key type reserved. The
* instantiation function should amend this as necessary. If insufficient
@@ -225,9 +228,7 @@ serial_exists:
struct key *key_alloc(struct key_type *type, const char *desc,
kuid_t uid, kgid_t gid, const struct cred *cred,
key_perm_t perm, unsigned long flags,
- int (*restrict_link)(struct key *,
- const struct key_type *,
- const union key_payload *))
+ struct key_restriction *restrict_link)
{
struct key_user *user = NULL;
struct key *key;
@@ -285,7 +286,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
if (!key->index_key.description)
goto no_memory_3;
- atomic_set(&key->usage, 1);
+ refcount_set(&key->usage, 1);
init_rwsem(&key->sem);
lockdep_set_class(&key->sem, &type->lock_class);
key->index_key.type = type;
@@ -499,19 +500,23 @@ int key_instantiate_and_link(struct key *key,
}
if (keyring) {
- if (keyring->restrict_link) {
- ret = keyring->restrict_link(keyring, key->type,
- &prep.payload);
- if (ret < 0)
- goto error;
- }
ret = __key_link_begin(keyring, &key->index_key, &edit);
if (ret < 0)
goto error;
+
+ if (keyring->restrict_link && keyring->restrict_link->check) {
+ struct key_restriction *keyres = keyring->restrict_link;
+
+ ret = keyres->check(keyring, key->type, &prep.payload,
+ keyres->key);
+ if (ret < 0)
+ goto error_link_end;
+ }
}
ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit);
+error_link_end:
if (keyring)
__key_link_end(keyring, &key->index_key, edit);
@@ -621,7 +626,7 @@ void key_put(struct key *key)
if (key) {
key_check(key);
- if (atomic_dec_and_test(&key->usage))
+ if (refcount_dec_and_test(&key->usage))
schedule_work(&key_gc_work);
}
}
@@ -656,7 +661,7 @@ not_found:
found:
/* pretend it doesn't exist if it is awaiting deletion */
- if (atomic_read(&key->usage) == 0)
+ if (refcount_read(&key->usage) == 0)
goto not_found;
/* this races with key_put(), but that doesn't matter since key_put()
@@ -806,9 +811,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
struct key *keyring, *key = NULL;
key_ref_t key_ref;
int ret;
- int (*restrict_link)(struct key *,
- const struct key_type *,
- const union key_payload *) = NULL;
+ struct key_restriction *restrict_link = NULL;
/* look up the key type to see if it's one of the registered kernel
* types */
@@ -854,20 +857,21 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
}
index_key.desc_len = strlen(index_key.description);
- if (restrict_link) {
- ret = restrict_link(keyring, index_key.type, &prep.payload);
- if (ret < 0) {
- key_ref = ERR_PTR(ret);
- goto error_free_prep;
- }
- }
-
ret = __key_link_begin(keyring, &index_key, &edit);
if (ret < 0) {
key_ref = ERR_PTR(ret);
goto error_free_prep;
}
+ if (restrict_link && restrict_link->check) {
+ ret = restrict_link->check(keyring, index_key.type,
+ &prep.payload, restrict_link->key);
+ if (ret < 0) {
+ key_ref = ERR_PTR(ret);
+ goto error_link_end;
+ }
+ }
+
/* if we're going to allocate a new key, we're going to have
* to modify the keyring */
ret = key_permission(keyring_ref, KEY_NEED_WRITE);
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 4ad3212adebe..82a9e1851108 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1585,6 +1585,59 @@ error_keyring:
}
/*
+ * Apply a restriction to a given keyring.
+ *
+ * The caller must have Setattr permission to change keyring restrictions.
+ *
+ * The requested type name may be a NULL pointer to reject all attempts
+ * to link to the keyring. If _type is non-NULL, _restriction can be
+ * NULL or a pointer to a string describing the restriction. If _type is
+ * NULL, _restriction must also be NULL.
+ *
+ * Returns 0 if successful.
+ */
+long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
+ const char __user *_restriction)
+{
+ key_ref_t key_ref;
+ bool link_reject = !_type;
+ char type[32];
+ char *restriction = NULL;
+ long ret;
+
+ key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR);
+ if (IS_ERR(key_ref))
+ return PTR_ERR(key_ref);
+
+ if (_type) {
+ ret = key_get_type_from_user(type, _type, sizeof(type));
+ if (ret < 0)
+ goto error;
+ }
+
+ if (_restriction) {
+ if (!_type) {
+ ret = -EINVAL;
+ goto error;
+ }
+
+ restriction = strndup_user(_restriction, PAGE_SIZE);
+ if (IS_ERR(restriction)) {
+ ret = PTR_ERR(restriction);
+ goto error;
+ }
+ }
+
+ ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction);
+ kfree(restriction);
+
+error:
+ key_ref_put(key_ref);
+
+ return ret;
+}
+
+/*
* The key control system call
*/
SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
@@ -1693,7 +1746,12 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
case KEYCTL_DH_COMPUTE:
return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2,
(char __user *) arg3, (size_t) arg4,
- (void __user *) arg5);
+ (struct keyctl_kdf_params __user *) arg5);
+
+ case KEYCTL_RESTRICT_KEYRING:
+ return keyctl_restrict_keyring((key_serial_t) arg2,
+ (const char __user *) arg3,
+ (const char __user *) arg4);
default:
return -EOPNOTSUPP;
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index c91e4e0cea08..4d1678e4586f 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -394,6 +394,13 @@ static void keyring_destroy(struct key *keyring)
write_unlock(&keyring_name_lock);
}
+ if (keyring->restrict_link) {
+ struct key_restriction *keyres = keyring->restrict_link;
+
+ key_put(keyres->key);
+ kfree(keyres);
+ }
+
assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops);
}
@@ -492,9 +499,7 @@ static long keyring_read(const struct key *keyring,
struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
const struct cred *cred, key_perm_t perm,
unsigned long flags,
- int (*restrict_link)(struct key *,
- const struct key_type *,
- const union key_payload *),
+ struct key_restriction *restrict_link,
struct key *dest)
{
struct key *keyring;
@@ -519,17 +524,19 @@ EXPORT_SYMBOL(keyring_alloc);
* @keyring: The keyring being added to.
* @type: The type of key being added.
* @payload: The payload of the key intended to be added.
+ * @data: Additional data for evaluating restriction.
*
* Reject the addition of any links to a keyring. It can be overridden by
* passing KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when
* adding a key to a keyring.
*
- * This is meant to be passed as the restrict_link parameter to
- * keyring_alloc().
+ * This is meant to be stored in a key_restriction structure which is passed
+ * in the restrict_link parameter to keyring_alloc().
*/
int restrict_link_reject(struct key *keyring,
const struct key_type *type,
- const union key_payload *payload)
+ const union key_payload *payload,
+ struct key *restriction_key)
{
return -EPERM;
}
@@ -940,6 +947,111 @@ key_ref_t keyring_search(key_ref_t keyring,
}
EXPORT_SYMBOL(keyring_search);
+static struct key_restriction *keyring_restriction_alloc(
+ key_restrict_link_func_t check)
+{
+ struct key_restriction *keyres =
+ kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
+
+ if (!keyres)
+ return ERR_PTR(-ENOMEM);
+
+ keyres->check = check;
+
+ return keyres;
+}
+
+/*
+ * Semaphore to serialise restriction setup to prevent reference count
+ * cycles through restriction key pointers.
+ */
+static DECLARE_RWSEM(keyring_serialise_restrict_sem);
+
+/*
+ * Check for restriction cycles that would prevent keyring garbage collection.
+ * keyring_serialise_restrict_sem must be held.
+ */
+static bool keyring_detect_restriction_cycle(const struct key *dest_keyring,
+ struct key_restriction *keyres)
+{
+ while (keyres && keyres->key &&
+ keyres->key->type == &key_type_keyring) {
+ if (keyres->key == dest_keyring)
+ return true;
+
+ keyres = keyres->key->restrict_link;
+ }
+
+ return false;
+}
+
+/**
+ * keyring_restrict - Look up and apply a restriction to a keyring
+ *
+ * @keyring: The keyring to be restricted
+ * @restriction: The restriction options to apply to the keyring
+ */
+int keyring_restrict(key_ref_t keyring_ref, const char *type,
+ const char *restriction)
+{
+ struct key *keyring;
+ struct key_type *restrict_type = NULL;
+ struct key_restriction *restrict_link;
+ int ret = 0;
+
+ keyring = key_ref_to_ptr(keyring_ref);
+ key_check(keyring);
+
+ if (keyring->type != &key_type_keyring)
+ return -ENOTDIR;
+
+ if (!type) {
+ restrict_link = keyring_restriction_alloc(restrict_link_reject);
+ } else {
+ restrict_type = key_type_lookup(type);
+
+ if (IS_ERR(restrict_type))
+ return PTR_ERR(restrict_type);
+
+ if (!restrict_type->lookup_restriction) {
+ ret = -ENOENT;
+ goto error;
+ }
+
+ restrict_link = restrict_type->lookup_restriction(restriction);
+ }
+
+ if (IS_ERR(restrict_link)) {
+ ret = PTR_ERR(restrict_link);
+ goto error;
+ }
+
+ down_write(&keyring->sem);
+ down_write(&keyring_serialise_restrict_sem);
+
+ if (keyring->restrict_link)
+ ret = -EEXIST;
+ else if (keyring_detect_restriction_cycle(keyring, restrict_link))
+ ret = -EDEADLK;
+ else
+ keyring->restrict_link = restrict_link;
+
+ up_write(&keyring_serialise_restrict_sem);
+ up_write(&keyring->sem);
+
+ if (ret < 0) {
+ key_put(restrict_link->key);
+ kfree(restrict_link);
+ }
+
+error:
+ if (restrict_type)
+ key_type_put(restrict_type);
+
+ return ret;
+}
+EXPORT_SYMBOL(keyring_restrict);
+
/*
* Search the given keyring for a key that might be updated.
*
@@ -1033,7 +1145,7 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
/* we've got a match but we might end up racing with
* key_cleanup() if the keyring is currently 'dead'
* (ie. it has a zero usage count) */
- if (!atomic_inc_not_zero(&keyring->usage))
+ if (!refcount_inc_not_zero(&keyring->usage))
continue;
keyring->last_used_at = current_kernel_time().tv_sec;
goto out;
@@ -1220,9 +1332,10 @@ void __key_link_end(struct key *keyring,
*/
static int __key_link_check_restriction(struct key *keyring, struct key *key)
{
- if (!keyring->restrict_link)
+ if (!keyring->restrict_link || !keyring->restrict_link->check)
return 0;
- return keyring->restrict_link(keyring, key->type, &key->payload);
+ return keyring->restrict_link->check(keyring, key->type, &key->payload,
+ keyring->restrict_link->key);
}
/**
@@ -1250,14 +1363,14 @@ int key_link(struct key *keyring, struct key *key)
struct assoc_array_edit *edit;
int ret;
- kenter("{%d,%d}", keyring->serial, atomic_read(&keyring->usage));
+ kenter("{%d,%d}", keyring->serial, refcount_read(&keyring->usage));
key_check(keyring);
key_check(key);
ret = __key_link_begin(keyring, &key->index_key, &edit);
if (ret == 0) {
- kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage));
+ kdebug("begun {%d,%d}", keyring->serial, refcount_read(&keyring->usage));
ret = __key_link_check_restriction(keyring, key);
if (ret == 0)
ret = __key_link_check_live_key(keyring, key);
@@ -1266,7 +1379,7 @@ int key_link(struct key *keyring, struct key *key)
__key_link_end(keyring, &key->index_key, edit);
}
- kleave(" = %d {%d,%d}", ret, keyring->serial, atomic_read(&keyring->usage));
+ kleave(" = %d {%d,%d}", ret, keyring->serial, refcount_read(&keyring->usage));
return ret;
}
EXPORT_SYMBOL(key_link);
@@ -1426,3 +1539,53 @@ do_gc:
up_write(&keyring->sem);
kleave(" [gc]");
}
+
+/*
+ * Garbage collect restriction pointers from a keyring.
+ *
+ * Keyring restrictions are associated with a key type, and must be cleaned
+ * up if the key type is unregistered. The restriction is altered to always
+ * reject additional keys so a keyring cannot be opened up by unregistering
+ * a key type.
+ *
+ * Not called with any keyring locks held. The keyring's key struct will not
+ * be deallocated under us as only our caller may deallocate it.
+ *
+ * The caller is required to hold key_types_sem and dead_type->sem. This is
+ * fulfilled by key_gc_keytype() holding the locks on behalf of
+ * key_garbage_collector(), which it invokes on a workqueue.
+ */
+void keyring_restriction_gc(struct key *keyring, struct key_type *dead_type)
+{
+ struct key_restriction *keyres;
+
+ kenter("%x{%s}", keyring->serial, keyring->description ?: "");
+
+ /*
+ * keyring->restrict_link is only assigned at key allocation time
+ * or with the key type locked, so the only values that could be
+ * concurrently assigned to keyring->restrict_link are for key
+ * types other than dead_type. Given this, it's ok to check
+ * the key type before acquiring keyring->sem.
+ */
+ if (!dead_type || !keyring->restrict_link ||
+ keyring->restrict_link->keytype != dead_type) {
+ kleave(" [no restriction gc]");
+ return;
+ }
+
+ /* Lock the keyring to ensure that a link is not in progress */
+ down_write(&keyring->sem);
+
+ keyres = keyring->restrict_link;
+
+ keyres->check = restrict_link_reject;
+
+ key_put(keyres->key);
+ keyres->key = NULL;
+ keyres->keytype = NULL;
+
+ up_write(&keyring->sem);
+
+ kleave(" [restriction gc]");
+}
diff --git a/security/keys/proc.c b/security/keys/proc.c
index b9f531c9e4fa..bf08d02b6646 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -252,7 +252,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT),
showflag(key, 'N', KEY_FLAG_NEGATIVE),
showflag(key, 'i', KEY_FLAG_INVALIDATED),
- atomic_read(&key->usage),
+ refcount_read(&key->usage),
xbuf,
key->perm,
from_kuid_munged(seq_user_ns(m), key->uid),
@@ -340,7 +340,7 @@ static int proc_key_users_show(struct seq_file *m, void *v)
seq_printf(m, "%5u: %5d %d/%d %d/%d %d/%d\n",
from_kuid_munged(seq_user_ns(m), user->uid),
- atomic_read(&user->usage),
+ refcount_read(&user->usage),
atomic_read(&user->nkeys),
atomic_read(&user->nikeys),
user->qnkeys,
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 9139b18fc863..2217dfec7996 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -30,7 +30,7 @@ static DEFINE_MUTEX(key_user_keyring_mutex);
/* The root user's tracking struct */
struct key_user root_key_user = {
- .usage = ATOMIC_INIT(3),
+ .usage = REFCOUNT_INIT(3),
.cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock),
.lock = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
.nkeys = ATOMIC_INIT(2),
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 6bbe2f535f08..0f062156dfb2 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -213,7 +213,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
if (ret < 0)
goto error_inst;
- kleave(" = {%d,%d}", authkey->serial, atomic_read(&authkey->usage));
+ kleave(" = {%d,%d}", authkey->serial, refcount_read(&authkey->usage));
return authkey;
auth_key_revoked:
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index 1d82eae3a5b8..dbe6efde77a0 100644
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -174,7 +174,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
return 0;
}
-static struct security_hook_list loadpin_hooks[] = {
+static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
};
diff --git a/security/security.c b/security/security.c
index 23555c5504f6..b9fea3999cf8 100644
--- a/security/security.c
+++ b/security/security.c
@@ -32,6 +32,7 @@
/* Maximum number of letters for an LSM name string */
#define SECURITY_NAME_MAX 10
+struct security_hook_heads security_hook_heads __lsm_ro_after_init;
char *lsm_names;
/* Boot-time LSM user choice */
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
@@ -54,6 +55,12 @@ static void __init do_security_initcalls(void)
*/
int __init security_init(void)
{
+ int i;
+ struct list_head *list = (struct list_head *) &security_hook_heads;
+
+ for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct list_head);
+ i++)
+ INIT_LIST_HEAD(&list[i]);
pr_info("Security Framework initialized\n");
/*
@@ -934,6 +941,11 @@ int security_task_create(unsigned long clone_flags)
return call_int_hook(task_create, 0, clone_flags);
}
+int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
+{
+ return call_int_hook(task_alloc, 0, task, clone_flags);
+}
+
void security_task_free(struct task_struct *task)
{
call_void_hook(task_free, task);
@@ -1040,6 +1052,12 @@ int security_task_getioprio(struct task_struct *p)
return call_int_hook(task_getioprio, 0, p);
}
+int security_task_prlimit(const struct cred *cred, const struct cred *tcred,
+ unsigned int flags)
+{
+ return call_int_hook(task_prlimit, 0, cred, tcred, flags);
+}
+
int security_task_setrlimit(struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim)
{
@@ -1625,355 +1643,3 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
actx);
}
#endif /* CONFIG_AUDIT */
-
-struct security_hook_heads security_hook_heads = {
- .binder_set_context_mgr =
- LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr),
- .binder_transaction =
- LIST_HEAD_INIT(security_hook_heads.binder_transaction),
- .binder_transfer_binder =
- LIST_HEAD_INIT(security_hook_heads.binder_transfer_binder),
- .binder_transfer_file =
- LIST_HEAD_INIT(security_hook_heads.binder_transfer_file),
-
- .ptrace_access_check =
- LIST_HEAD_INIT(security_hook_heads.ptrace_access_check),
- .ptrace_traceme =
- LIST_HEAD_INIT(security_hook_heads.ptrace_traceme),
- .capget = LIST_HEAD_INIT(security_hook_heads.capget),
- .capset = LIST_HEAD_INIT(security_hook_heads.capset),
- .capable = LIST_HEAD_INIT(security_hook_heads.capable),
- .quotactl = LIST_HEAD_INIT(security_hook_heads.quotactl),
- .quota_on = LIST_HEAD_INIT(security_hook_heads.quota_on),
- .syslog = LIST_HEAD_INIT(security_hook_heads.syslog),
- .settime = LIST_HEAD_INIT(security_hook_heads.settime),
- .vm_enough_memory =
- LIST_HEAD_INIT(security_hook_heads.vm_enough_memory),
- .bprm_set_creds =
- LIST_HEAD_INIT(security_hook_heads.bprm_set_creds),
- .bprm_check_security =
- LIST_HEAD_INIT(security_hook_heads.bprm_check_security),
- .bprm_secureexec =
- LIST_HEAD_INIT(security_hook_heads.bprm_secureexec),
- .bprm_committing_creds =
- LIST_HEAD_INIT(security_hook_heads.bprm_committing_creds),
- .bprm_committed_creds =
- LIST_HEAD_INIT(security_hook_heads.bprm_committed_creds),
- .sb_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.sb_alloc_security),
- .sb_free_security =
- LIST_HEAD_INIT(security_hook_heads.sb_free_security),
- .sb_copy_data = LIST_HEAD_INIT(security_hook_heads.sb_copy_data),
- .sb_remount = LIST_HEAD_INIT(security_hook_heads.sb_remount),
- .sb_kern_mount =
- LIST_HEAD_INIT(security_hook_heads.sb_kern_mount),
- .sb_show_options =
- LIST_HEAD_INIT(security_hook_heads.sb_show_options),
- .sb_statfs = LIST_HEAD_INIT(security_hook_heads.sb_statfs),
- .sb_mount = LIST_HEAD_INIT(security_hook_heads.sb_mount),
- .sb_umount = LIST_HEAD_INIT(security_hook_heads.sb_umount),
- .sb_pivotroot = LIST_HEAD_INIT(security_hook_heads.sb_pivotroot),
- .sb_set_mnt_opts =
- LIST_HEAD_INIT(security_hook_heads.sb_set_mnt_opts),
- .sb_clone_mnt_opts =
- LIST_HEAD_INIT(security_hook_heads.sb_clone_mnt_opts),
- .sb_parse_opts_str =
- LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
- .dentry_init_security =
- LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
- .dentry_create_files_as =
- LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
-#ifdef CONFIG_SECURITY_PATH
- .path_unlink = LIST_HEAD_INIT(security_hook_heads.path_unlink),
- .path_mkdir = LIST_HEAD_INIT(security_hook_heads.path_mkdir),
- .path_rmdir = LIST_HEAD_INIT(security_hook_heads.path_rmdir),
- .path_mknod = LIST_HEAD_INIT(security_hook_heads.path_mknod),
- .path_truncate =
- LIST_HEAD_INIT(security_hook_heads.path_truncate),
- .path_symlink = LIST_HEAD_INIT(security_hook_heads.path_symlink),
- .path_link = LIST_HEAD_INIT(security_hook_heads.path_link),
- .path_rename = LIST_HEAD_INIT(security_hook_heads.path_rename),
- .path_chmod = LIST_HEAD_INIT(security_hook_heads.path_chmod),
- .path_chown = LIST_HEAD_INIT(security_hook_heads.path_chown),
- .path_chroot = LIST_HEAD_INIT(security_hook_heads.path_chroot),
-#endif
- .inode_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.inode_alloc_security),
- .inode_free_security =
- LIST_HEAD_INIT(security_hook_heads.inode_free_security),
- .inode_init_security =
- LIST_HEAD_INIT(security_hook_heads.inode_init_security),
- .inode_create = LIST_HEAD_INIT(security_hook_heads.inode_create),
- .inode_link = LIST_HEAD_INIT(security_hook_heads.inode_link),
- .inode_unlink = LIST_HEAD_INIT(security_hook_heads.inode_unlink),
- .inode_symlink =
- LIST_HEAD_INIT(security_hook_heads.inode_symlink),
- .inode_mkdir = LIST_HEAD_INIT(security_hook_heads.inode_mkdir),
- .inode_rmdir = LIST_HEAD_INIT(security_hook_heads.inode_rmdir),
- .inode_mknod = LIST_HEAD_INIT(security_hook_heads.inode_mknod),
- .inode_rename = LIST_HEAD_INIT(security_hook_heads.inode_rename),
- .inode_readlink =
- LIST_HEAD_INIT(security_hook_heads.inode_readlink),
- .inode_follow_link =
- LIST_HEAD_INIT(security_hook_heads.inode_follow_link),
- .inode_permission =
- LIST_HEAD_INIT(security_hook_heads.inode_permission),
- .inode_setattr =
- LIST_HEAD_INIT(security_hook_heads.inode_setattr),
- .inode_getattr =
- LIST_HEAD_INIT(security_hook_heads.inode_getattr),
- .inode_setxattr =
- LIST_HEAD_INIT(security_hook_heads.inode_setxattr),
- .inode_post_setxattr =
- LIST_HEAD_INIT(security_hook_heads.inode_post_setxattr),
- .inode_getxattr =
- LIST_HEAD_INIT(security_hook_heads.inode_getxattr),
- .inode_listxattr =
- LIST_HEAD_INIT(security_hook_heads.inode_listxattr),
- .inode_removexattr =
- LIST_HEAD_INIT(security_hook_heads.inode_removexattr),
- .inode_need_killpriv =
- LIST_HEAD_INIT(security_hook_heads.inode_need_killpriv),
- .inode_killpriv =
- LIST_HEAD_INIT(security_hook_heads.inode_killpriv),
- .inode_getsecurity =
- LIST_HEAD_INIT(security_hook_heads.inode_getsecurity),
- .inode_setsecurity =
- LIST_HEAD_INIT(security_hook_heads.inode_setsecurity),
- .inode_listsecurity =
- LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
- .inode_getsecid =
- LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
- .inode_copy_up =
- LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
- .inode_copy_up_xattr =
- LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
- .file_permission =
- LIST_HEAD_INIT(security_hook_heads.file_permission),
- .file_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.file_alloc_security),
- .file_free_security =
- LIST_HEAD_INIT(security_hook_heads.file_free_security),
- .file_ioctl = LIST_HEAD_INIT(security_hook_heads.file_ioctl),
- .mmap_addr = LIST_HEAD_INIT(security_hook_heads.mmap_addr),
- .mmap_file = LIST_HEAD_INIT(security_hook_heads.mmap_file),
- .file_mprotect =
- LIST_HEAD_INIT(security_hook_heads.file_mprotect),
- .file_lock = LIST_HEAD_INIT(security_hook_heads.file_lock),
- .file_fcntl = LIST_HEAD_INIT(security_hook_heads.file_fcntl),
- .file_set_fowner =
- LIST_HEAD_INIT(security_hook_heads.file_set_fowner),
- .file_send_sigiotask =
- LIST_HEAD_INIT(security_hook_heads.file_send_sigiotask),
- .file_receive = LIST_HEAD_INIT(security_hook_heads.file_receive),
- .file_open = LIST_HEAD_INIT(security_hook_heads.file_open),
- .task_create = LIST_HEAD_INIT(security_hook_heads.task_create),
- .task_free = LIST_HEAD_INIT(security_hook_heads.task_free),
- .cred_alloc_blank =
- LIST_HEAD_INIT(security_hook_heads.cred_alloc_blank),
- .cred_free = LIST_HEAD_INIT(security_hook_heads.cred_free),
- .cred_prepare = LIST_HEAD_INIT(security_hook_heads.cred_prepare),
- .cred_transfer =
- LIST_HEAD_INIT(security_hook_heads.cred_transfer),
- .kernel_act_as =
- LIST_HEAD_INIT(security_hook_heads.kernel_act_as),
- .kernel_create_files_as =
- LIST_HEAD_INIT(security_hook_heads.kernel_create_files_as),
- .kernel_module_request =
- LIST_HEAD_INIT(security_hook_heads.kernel_module_request),
- .kernel_read_file =
- LIST_HEAD_INIT(security_hook_heads.kernel_read_file),
- .kernel_post_read_file =
- LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file),
- .task_fix_setuid =
- LIST_HEAD_INIT(security_hook_heads.task_fix_setuid),
- .task_setpgid = LIST_HEAD_INIT(security_hook_heads.task_setpgid),
- .task_getpgid = LIST_HEAD_INIT(security_hook_heads.task_getpgid),
- .task_getsid = LIST_HEAD_INIT(security_hook_heads.task_getsid),
- .task_getsecid =
- LIST_HEAD_INIT(security_hook_heads.task_getsecid),
- .task_setnice = LIST_HEAD_INIT(security_hook_heads.task_setnice),
- .task_setioprio =
- LIST_HEAD_INIT(security_hook_heads.task_setioprio),
- .task_getioprio =
- LIST_HEAD_INIT(security_hook_heads.task_getioprio),
- .task_setrlimit =
- LIST_HEAD_INIT(security_hook_heads.task_setrlimit),
- .task_setscheduler =
- LIST_HEAD_INIT(security_hook_heads.task_setscheduler),
- .task_getscheduler =
- LIST_HEAD_INIT(security_hook_heads.task_getscheduler),
- .task_movememory =
- LIST_HEAD_INIT(security_hook_heads.task_movememory),
- .task_kill = LIST_HEAD_INIT(security_hook_heads.task_kill),
- .task_prctl = LIST_HEAD_INIT(security_hook_heads.task_prctl),
- .task_to_inode =
- LIST_HEAD_INIT(security_hook_heads.task_to_inode),
- .ipc_permission =
- LIST_HEAD_INIT(security_hook_heads.ipc_permission),
- .ipc_getsecid = LIST_HEAD_INIT(security_hook_heads.ipc_getsecid),
- .msg_msg_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.msg_msg_alloc_security),
- .msg_msg_free_security =
- LIST_HEAD_INIT(security_hook_heads.msg_msg_free_security),
- .msg_queue_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_alloc_security),
- .msg_queue_free_security =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_free_security),
- .msg_queue_associate =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_associate),
- .msg_queue_msgctl =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_msgctl),
- .msg_queue_msgsnd =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_msgsnd),
- .msg_queue_msgrcv =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_msgrcv),
- .shm_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.shm_alloc_security),
- .shm_free_security =
- LIST_HEAD_INIT(security_hook_heads.shm_free_security),
- .shm_associate =
- LIST_HEAD_INIT(security_hook_heads.shm_associate),
- .shm_shmctl = LIST_HEAD_INIT(security_hook_heads.shm_shmctl),
- .shm_shmat = LIST_HEAD_INIT(security_hook_heads.shm_shmat),
- .sem_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.sem_alloc_security),
- .sem_free_security =
- LIST_HEAD_INIT(security_hook_heads.sem_free_security),
- .sem_associate =
- LIST_HEAD_INIT(security_hook_heads.sem_associate),
- .sem_semctl = LIST_HEAD_INIT(security_hook_heads.sem_semctl),
- .sem_semop = LIST_HEAD_INIT(security_hook_heads.sem_semop),
- .netlink_send = LIST_HEAD_INIT(security_hook_heads.netlink_send),
- .d_instantiate =
- LIST_HEAD_INIT(security_hook_heads.d_instantiate),
- .getprocattr = LIST_HEAD_INIT(security_hook_heads.getprocattr),
- .setprocattr = LIST_HEAD_INIT(security_hook_heads.setprocattr),
- .ismaclabel = LIST_HEAD_INIT(security_hook_heads.ismaclabel),
- .secid_to_secctx =
- LIST_HEAD_INIT(security_hook_heads.secid_to_secctx),
- .secctx_to_secid =
- LIST_HEAD_INIT(security_hook_heads.secctx_to_secid),
- .release_secctx =
- LIST_HEAD_INIT(security_hook_heads.release_secctx),
- .inode_invalidate_secctx =
- LIST_HEAD_INIT(security_hook_heads.inode_invalidate_secctx),
- .inode_notifysecctx =
- LIST_HEAD_INIT(security_hook_heads.inode_notifysecctx),
- .inode_setsecctx =
- LIST_HEAD_INIT(security_hook_heads.inode_setsecctx),
- .inode_getsecctx =
- LIST_HEAD_INIT(security_hook_heads.inode_getsecctx),
-#ifdef CONFIG_SECURITY_NETWORK
- .unix_stream_connect =
- LIST_HEAD_INIT(security_hook_heads.unix_stream_connect),
- .unix_may_send =
- LIST_HEAD_INIT(security_hook_heads.unix_may_send),
- .socket_create =
- LIST_HEAD_INIT(security_hook_heads.socket_create),
- .socket_post_create =
- LIST_HEAD_INIT(security_hook_heads.socket_post_create),
- .socket_bind = LIST_HEAD_INIT(security_hook_heads.socket_bind),
- .socket_connect =
- LIST_HEAD_INIT(security_hook_heads.socket_connect),
- .socket_listen =
- LIST_HEAD_INIT(security_hook_heads.socket_listen),
- .socket_accept =
- LIST_HEAD_INIT(security_hook_heads.socket_accept),
- .socket_sendmsg =
- LIST_HEAD_INIT(security_hook_heads.socket_sendmsg),
- .socket_recvmsg =
- LIST_HEAD_INIT(security_hook_heads.socket_recvmsg),
- .socket_getsockname =
- LIST_HEAD_INIT(security_hook_heads.socket_getsockname),
- .socket_getpeername =
- LIST_HEAD_INIT(security_hook_heads.socket_getpeername),
- .socket_getsockopt =
- LIST_HEAD_INIT(security_hook_heads.socket_getsockopt),
- .socket_setsockopt =
- LIST_HEAD_INIT(security_hook_heads.socket_setsockopt),
- .socket_shutdown =
- LIST_HEAD_INIT(security_hook_heads.socket_shutdown),
- .socket_sock_rcv_skb =
- LIST_HEAD_INIT(security_hook_heads.socket_sock_rcv_skb),
- .socket_getpeersec_stream =
- LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_stream),
- .socket_getpeersec_dgram =
- LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_dgram),
- .sk_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.sk_alloc_security),
- .sk_free_security =
- LIST_HEAD_INIT(security_hook_heads.sk_free_security),
- .sk_clone_security =
- LIST_HEAD_INIT(security_hook_heads.sk_clone_security),
- .sk_getsecid = LIST_HEAD_INIT(security_hook_heads.sk_getsecid),
- .sock_graft = LIST_HEAD_INIT(security_hook_heads.sock_graft),
- .inet_conn_request =
- LIST_HEAD_INIT(security_hook_heads.inet_conn_request),
- .inet_csk_clone =
- LIST_HEAD_INIT(security_hook_heads.inet_csk_clone),
- .inet_conn_established =
- LIST_HEAD_INIT(security_hook_heads.inet_conn_established),
- .secmark_relabel_packet =
- LIST_HEAD_INIT(security_hook_heads.secmark_relabel_packet),
- .secmark_refcount_inc =
- LIST_HEAD_INIT(security_hook_heads.secmark_refcount_inc),
- .secmark_refcount_dec =
- LIST_HEAD_INIT(security_hook_heads.secmark_refcount_dec),
- .req_classify_flow =
- LIST_HEAD_INIT(security_hook_heads.req_classify_flow),
- .tun_dev_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_alloc_security),
- .tun_dev_free_security =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_free_security),
- .tun_dev_create =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_create),
- .tun_dev_attach_queue =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_attach_queue),
- .tun_dev_attach =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_attach),
- .tun_dev_open = LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
-#endif /* CONFIG_SECURITY_NETWORK */
-#ifdef CONFIG_SECURITY_NETWORK_XFRM
- .xfrm_policy_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_alloc_security),
- .xfrm_policy_clone_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_clone_security),
- .xfrm_policy_free_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_free_security),
- .xfrm_policy_delete_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_delete_security),
- .xfrm_state_alloc =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc),
- .xfrm_state_alloc_acquire =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc_acquire),
- .xfrm_state_free_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_free_security),
- .xfrm_state_delete_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_delete_security),
- .xfrm_policy_lookup =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_lookup),
- .xfrm_state_pol_flow_match =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_pol_flow_match),
- .xfrm_decode_session =
- LIST_HEAD_INIT(security_hook_heads.xfrm_decode_session),
-#endif /* CONFIG_SECURITY_NETWORK_XFRM */
-#ifdef CONFIG_KEYS
- .key_alloc = LIST_HEAD_INIT(security_hook_heads.key_alloc),
- .key_free = LIST_HEAD_INIT(security_hook_heads.key_free),
- .key_permission =
- LIST_HEAD_INIT(security_hook_heads.key_permission),
- .key_getsecurity =
- LIST_HEAD_INIT(security_hook_heads.key_getsecurity),
-#endif /* CONFIG_KEYS */
-#ifdef CONFIG_AUDIT
- .audit_rule_init =
- LIST_HEAD_INIT(security_hook_heads.audit_rule_init),
- .audit_rule_known =
- LIST_HEAD_INIT(security_hook_heads.audit_rule_known),
- .audit_rule_match =
- LIST_HEAD_INIT(security_hook_heads.audit_rule_match),
- .audit_rule_free =
- LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
-#endif /* CONFIG_AUDIT */
-};
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index ea7e3efbe0f7..8af7a690eb40 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE
config SECURITY_SELINUX_DISABLE
bool "NSA SELinux runtime disable"
depends on SECURITY_SELINUX
+ select SECURITY_WRITABLE_HOOKS
default n
help
This option enables writing to a selinuxfs node 'disable', which
@@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE
portability across platforms where boot parameters are difficult
to employ.
+ NOTE: selecting this option will disable the '__ro_after_init'
+ kernel hardening feature for security hooks. Please consider
+ using the selinux=0 boot parameter instead of enabling this
+ option.
+
If you are unsure how to answer this question, answer N.
config SECURITY_SELINUX_DEVELOP
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0c2ac318aa7f..e67a526d1f30 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3920,6 +3920,21 @@ static int selinux_task_getioprio(struct task_struct *p)
PROCESS__GETSCHED, NULL);
}
+int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
+ unsigned int flags)
+{
+ u32 av = 0;
+
+ if (!flags)
+ return 0;
+ if (flags & LSM_PRLIMIT_WRITE)
+ av |= PROCESS__SETRLIMIT;
+ if (flags & LSM_PRLIMIT_READ)
+ av |= PROCESS__GETRLIMIT;
+ return avc_has_perm(cred_sid(cred), cred_sid(tcred),
+ SECCLASS_PROCESS, av, NULL);
+}
+
static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim)
{
@@ -4352,10 +4367,18 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
u32 sid, node_perm;
if (family == PF_INET) {
+ if (addrlen < sizeof(struct sockaddr_in)) {
+ err = -EINVAL;
+ goto out;
+ }
addr4 = (struct sockaddr_in *)address;
snum = ntohs(addr4->sin_port);
addrp = (char *)&addr4->sin_addr.s_addr;
} else {
+ if (addrlen < SIN6_LEN_RFC2133) {
+ err = -EINVAL;
+ goto out;
+ }
addr6 = (struct sockaddr_in6 *)address;
snum = ntohs(addr6->sin6_port);
addrp = (char *)&addr6->sin6_addr.s6_addr;
@@ -6108,7 +6131,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#endif
-static struct security_hook_list selinux_hooks[] = {
+static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
@@ -6206,6 +6229,7 @@ static struct security_hook_list selinux_hooks[] = {
LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
+ LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index d429c4a1c551..1e0cc9b5de20 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -47,7 +47,7 @@ struct security_class_mapping secclass_map[] = {
"getattr", "setexec", "setfscreate", "noatsecure", "siginh",
"setrlimit", "rlimitinh", "dyntransition", "setcurrent",
"execmem", "execstack", "execheap", "setkeycreate",
- "setsockcreate", NULL } },
+ "setsockcreate", "getrlimit", NULL } },
{ "system",
{ "ipc_info", "syslog_read", "syslog_mod",
"syslog_console", "module_request", "module_load", NULL } },
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 8e67bb4c9cab..5aeaf30b7a13 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -28,7 +28,7 @@ struct nlmsg_perm {
u32 perm;
};
-static struct nlmsg_perm nlmsg_route_perms[] =
+static const struct nlmsg_perm nlmsg_route_perms[] =
{
{ RTM_NEWLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
@@ -81,7 +81,7 @@ static struct nlmsg_perm nlmsg_route_perms[] =
{ RTM_GETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
};
-static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
+static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
{
{ TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
{ DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
@@ -89,7 +89,7 @@ static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
{ SOCK_DESTROY, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
};
-static struct nlmsg_perm nlmsg_xfrm_perms[] =
+static const struct nlmsg_perm nlmsg_xfrm_perms[] =
{
{ XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_DELSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
@@ -116,7 +116,7 @@ static struct nlmsg_perm nlmsg_xfrm_perms[] =
{ XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ },
};
-static struct nlmsg_perm nlmsg_audit_perms[] =
+static const struct nlmsg_perm nlmsg_audit_perms[] =
{
{ AUDIT_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
{ AUDIT_SET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
@@ -137,7 +137,7 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
};
-static int nlmsg_perm(u16 nlmsg_type, u32 *perm, struct nlmsg_perm *tab, size_t tabsize)
+static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
{
int i, err = -EINVAL;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index cb3fd98fb05a..ce7171884223 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1456,10 +1456,10 @@ static int sel_avc_stats_seq_show(struct seq_file *seq, void *v)
{
struct avc_cache_stats *st = v;
- if (v == SEQ_START_TOKEN)
- seq_printf(seq, "lookups hits misses allocations reclaims "
- "frees\n");
- else {
+ if (v == SEQ_START_TOKEN) {
+ seq_puts(seq,
+ "lookups hits misses allocations reclaims frees\n");
+ } else {
unsigned int lookups = st->lookups;
unsigned int misses = st->misses;
unsigned int hits = lookups - misses;
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 34afeadd9e73..771c96afe1d5 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -176,8 +176,9 @@ void cond_policydb_destroy(struct policydb *p)
int cond_init_bool_indexes(struct policydb *p)
{
kfree(p->bool_val_to_struct);
- p->bool_val_to_struct =
- kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
+ p->bool_val_to_struct = kmalloc_array(p->p_bools.nprim,
+ sizeof(*p->bool_val_to_struct),
+ GFP_KERNEL);
if (!p->bool_val_to_struct)
return -ENOMEM;
return 0;
@@ -226,7 +227,7 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
u32 len;
int rc;
- booldatum = kzalloc(sizeof(struct cond_bool_datum), GFP_KERNEL);
+ booldatum = kzalloc(sizeof(*booldatum), GFP_KERNEL);
if (!booldatum)
return -ENOMEM;
@@ -331,7 +332,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
goto err;
}
- list = kzalloc(sizeof(struct cond_av_list), GFP_KERNEL);
+ list = kzalloc(sizeof(*list), GFP_KERNEL);
if (!list) {
rc = -ENOMEM;
goto err;
@@ -420,7 +421,7 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
goto err;
rc = -ENOMEM;
- expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);
+ expr = kzalloc(sizeof(*expr), GFP_KERNEL);
if (!expr)
goto err;
@@ -471,7 +472,7 @@ int cond_read_list(struct policydb *p, void *fp)
for (i = 0; i < len; i++) {
rc = -ENOMEM;
- node = kzalloc(sizeof(struct cond_node), GFP_KERNEL);
+ node = kzalloc(sizeof(*node), GFP_KERNEL);
if (!node)
goto err;
@@ -663,5 +664,4 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
(node->key.specified & AVTAB_XPERMS))
services_compute_xperms_drivers(xperms, node);
}
- return;
}
diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c
index 2cc496149842..3858706a29fb 100644
--- a/security/selinux/ss/hashtab.c
+++ b/security/selinux/ss/hashtab.c
@@ -17,15 +17,15 @@ struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *
u32 i;
p = kzalloc(sizeof(*p), GFP_KERNEL);
- if (p == NULL)
+ if (!p)
return p;
p->size = size;
p->nel = 0;
p->hash_value = hash_value;
p->keycmp = keycmp;
- p->htable = kmalloc(sizeof(*(p->htable)) * size, GFP_KERNEL);
- if (p->htable == NULL) {
+ p->htable = kmalloc_array(size, sizeof(*p->htable), GFP_KERNEL);
+ if (!p->htable) {
kfree(p);
return NULL;
}
@@ -58,7 +58,7 @@ int hashtab_insert(struct hashtab *h, void *key, void *datum)
return -EEXIST;
newnode = kzalloc(sizeof(*newnode), GFP_KERNEL);
- if (newnode == NULL)
+ if (!newnode)
return -ENOMEM;
newnode->key = key;
newnode->datum = datum;
@@ -87,7 +87,7 @@ void *hashtab_search(struct hashtab *h, const void *key)
while (cur && h->keycmp(h, key, cur->key) > 0)
cur = cur->next;
- if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
+ if (!cur || (h->keycmp(h, key, cur->key) != 0))
return NULL;
return cur->datum;
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 9c92f29a38ea..0080122760ad 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -178,10 +178,9 @@ static int roles_init(struct policydb *p)
int rc;
struct role_datum *role;
- rc = -ENOMEM;
role = kzalloc(sizeof(*role), GFP_KERNEL);
if (!role)
- goto out;
+ return -ENOMEM;
rc = -EINVAL;
role->value = ++p->p_roles.nprim;
@@ -540,23 +539,23 @@ static int policydb_index(struct policydb *p)
#endif
rc = -ENOMEM;
- p->class_val_to_struct =
- kzalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)),
- GFP_KERNEL);
+ p->class_val_to_struct = kcalloc(p->p_classes.nprim,
+ sizeof(*p->class_val_to_struct),
+ GFP_KERNEL);
if (!p->class_val_to_struct)
goto out;
rc = -ENOMEM;
- p->role_val_to_struct =
- kzalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
- GFP_KERNEL);
+ p->role_val_to_struct = kcalloc(p->p_roles.nprim,
+ sizeof(*p->role_val_to_struct),
+ GFP_KERNEL);
if (!p->role_val_to_struct)
goto out;
rc = -ENOMEM;
- p->user_val_to_struct =
- kzalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
- GFP_KERNEL);
+ p->user_val_to_struct = kcalloc(p->p_users.nprim,
+ sizeof(*p->user_val_to_struct),
+ GFP_KERNEL);
if (!p->user_val_to_struct)
goto out;
@@ -880,8 +879,6 @@ void policydb_destroy(struct policydb *p)
ebitmap_destroy(&p->filename_trans_ttypes);
ebitmap_destroy(&p->policycaps);
ebitmap_destroy(&p->permissive_map);
-
- return;
}
/*
@@ -1120,10 +1117,9 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[2];
u32 len;
- rc = -ENOMEM;
perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL);
if (!perdatum)
- goto bad;
+ return -ENOMEM;
rc = next_entry(buf, fp, sizeof buf);
if (rc)
@@ -1154,10 +1150,9 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
u32 len, nel;
int i, rc;
- rc = -ENOMEM;
comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL);
if (!comdatum)
- goto bad;
+ return -ENOMEM;
rc = next_entry(buf, fp, sizeof buf);
if (rc)
@@ -1320,10 +1315,9 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
u32 len, len2, ncons, nel;
int i, rc;
- rc = -ENOMEM;
cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL);
if (!cladatum)
- goto bad;
+ return -ENOMEM;
rc = next_entry(buf, fp, sizeof(u32)*6);
if (rc)
@@ -1414,10 +1408,9 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[3];
u32 len;
- rc = -ENOMEM;
role = kzalloc(sizeof(*role), GFP_KERNEL);
if (!role)
- goto bad;
+ return -ENOMEM;
if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
to_read = 3;
@@ -1471,10 +1464,9 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[4];
u32 len;
- rc = -ENOMEM;
typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
if (!typdatum)
- goto bad;
+ return -ENOMEM;
if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
to_read = 4;
@@ -1546,10 +1538,9 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[3];
u32 len;
- rc = -ENOMEM;
usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL);
if (!usrdatum)
- goto bad;
+ return -ENOMEM;
if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
to_read = 3;
@@ -1597,10 +1588,9 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[2];
u32 len;
- rc = -ENOMEM;
levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC);
if (!levdatum)
- goto bad;
+ return -ENOMEM;
rc = next_entry(buf, fp, sizeof buf);
if (rc)
@@ -1614,7 +1604,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
goto bad;
rc = -ENOMEM;
- levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC);
+ levdatum->level = kmalloc(sizeof(*levdatum->level), GFP_ATOMIC);
if (!levdatum->level)
goto bad;
@@ -1639,10 +1629,9 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
__le32 buf[3];
u32 len;
- rc = -ENOMEM;
catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC);
if (!catdatum)
- goto bad;
+ return -ENOMEM;
rc = next_entry(buf, fp, sizeof buf);
if (rc)
@@ -1854,7 +1843,7 @@ static int range_read(struct policydb *p, void *fp)
rc = next_entry(buf, fp, sizeof(u32));
if (rc)
- goto out;
+ return rc;
nel = le32_to_cpu(buf[0]);
for (i = 0; i < nel; i++) {
@@ -1931,7 +1920,6 @@ static int filename_trans_read(struct policydb *p, void *fp)
nel = le32_to_cpu(buf[0]);
for (i = 0; i < nel; i++) {
- ft = NULL;
otype = NULL;
name = NULL;
@@ -2008,7 +1996,7 @@ static int genfs_read(struct policydb *p, void *fp)
rc = next_entry(buf, fp, sizeof(u32));
if (rc)
- goto out;
+ return rc;
nel = le32_to_cpu(buf[0]);
for (i = 0; i < nel; i++) {
@@ -2100,9 +2088,10 @@ static int genfs_read(struct policydb *p, void *fp)
}
rc = 0;
out:
- if (newgenfs)
+ if (newgenfs) {
kfree(newgenfs->fstype);
- kfree(newgenfs);
+ kfree(newgenfs);
+ }
ocontext_destroy(newc, OCON_FSUSE);
return rc;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b4aa491a0a23..60d9b0252321 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -157,7 +157,7 @@ static int selinux_set_mapping(struct policydb *pol,
}
k = 0;
- while (p_in->perms && p_in->perms[k]) {
+ while (p_in->perms[k]) {
/* An empty permission string skips ahead */
if (!*p_in->perms[k]) {
k++;
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index 5840a35155fc..f6915f257486 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -18,7 +18,7 @@ int sidtab_init(struct sidtab *s)
{
int i;
- s->htable = kmalloc(sizeof(*(s->htable)) * SIDTAB_SIZE, GFP_ATOMIC);
+ s->htable = kmalloc_array(SIDTAB_SIZE, sizeof(*s->htable), GFP_ATOMIC);
if (!s->htable)
return -ENOMEM;
for (i = 0; i < SIDTAB_SIZE; i++)
@@ -54,7 +54,7 @@ int sidtab_insert(struct sidtab *s, u32 sid, struct context *context)
}
newnode = kmalloc(sizeof(*newnode), GFP_ATOMIC);
- if (newnode == NULL) {
+ if (!newnode) {
rc = -ENOMEM;
goto out;
}
@@ -98,7 +98,7 @@ static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force)
if (force && cur && sid == cur->sid && cur->context.len)
return &cur->context;
- if (cur == NULL || sid != cur->sid || cur->context.len) {
+ if (!cur || sid != cur->sid || cur->context.len) {
/* Remap invalid SIDs to the unlabeled SID. */
sid = SECINITSID_UNLABELED;
hvalue = SIDTAB_HASH(sid);
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 356e3764cad9..a4b2e6b94abd 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -504,7 +504,7 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,
if ((m & *cp) == 0)
continue;
rc = netlbl_catmap_setbit(&sap->attr.mls.cat,
- cat, GFP_ATOMIC);
+ cat, GFP_KERNEL);
if (rc < 0) {
netlbl_catmap_free(sap->attr.mls.cat);
return rc;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index fc8fb31fc24f..658f5d8c7e76 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -695,10 +695,8 @@ static int smack_parse_opts_str(char *options,
opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int),
GFP_KERNEL);
- if (!opts->mnt_opts_flags) {
- kfree(opts->mnt_opts);
+ if (!opts->mnt_opts_flags)
goto out_err;
- }
if (fsdefault) {
opts->mnt_opts[num_mnt_opts] = fsdefault;
@@ -4633,7 +4631,7 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
return 0;
}
-static struct security_hook_list smack_hooks[] = {
+static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
LSM_HOOK_INIT(syslog, smack_syslog),
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index 7041a580019e..223f21ffa632 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -692,7 +692,7 @@ int tomoyo_path_number_perm(const u8 type, const struct path *path,
{
struct tomoyo_request_info r;
struct tomoyo_obj_info obj = {
- .path1 = *path,
+ .path1 = { .mnt = path->mnt, .dentry = path->dentry },
};
int error = -ENOMEM;
struct tomoyo_path_info buf;
@@ -740,7 +740,7 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
struct tomoyo_path_info buf;
struct tomoyo_request_info r;
struct tomoyo_obj_info obj = {
- .path1 = *path,
+ .path1 = { .mnt = path->mnt, .dentry = path->dentry },
};
int idx;
@@ -786,7 +786,7 @@ int tomoyo_path_perm(const u8 operation, const struct path *path, const char *ta
{
struct tomoyo_request_info r;
struct tomoyo_obj_info obj = {
- .path1 = *path,
+ .path1 = { .mnt = path->mnt, .dentry = path->dentry },
};
int error;
struct tomoyo_path_info buf;
@@ -843,7 +843,7 @@ int tomoyo_mkdev_perm(const u8 operation, const struct path *path,
{
struct tomoyo_request_info r;
struct tomoyo_obj_info obj = {
- .path1 = *path,
+ .path1 = { .mnt = path->mnt, .dentry = path->dentry },
};
int error = -ENOMEM;
struct tomoyo_path_info buf;
@@ -890,8 +890,8 @@ int tomoyo_path2_perm(const u8 operation, const struct path *path1,
struct tomoyo_path_info buf2;
struct tomoyo_request_info r;
struct tomoyo_obj_info obj = {
- .path1 = *path1,
- .path2 = *path2,
+ .path1 = { .mnt = path1->mnt, .dentry = path1->dentry },
+ .path2 = { .mnt = path2->mnt, .dentry = path2->dentry }
};
int idx;
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index edc52d620f29..130b4fa4f65f 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -165,7 +165,7 @@ static int tomoyo_path_truncate(const struct path *path)
*/
static int tomoyo_path_unlink(const struct path *parent, struct dentry *dentry)
{
- struct path path = { parent->mnt, dentry };
+ struct path path = { .mnt = parent->mnt, .dentry = dentry };
return tomoyo_path_perm(TOMOYO_TYPE_UNLINK, &path, NULL);
}
@@ -181,7 +181,7 @@ static int tomoyo_path_unlink(const struct path *parent, struct dentry *dentry)
static int tomoyo_path_mkdir(const struct path *parent, struct dentry *dentry,
umode_t mode)
{
- struct path path = { parent->mnt, dentry };
+ struct path path = { .mnt = parent->mnt, .dentry = dentry };
return tomoyo_path_number_perm(TOMOYO_TYPE_MKDIR, &path,
mode & S_IALLUGO);
}
@@ -196,7 +196,7 @@ static int tomoyo_path_mkdir(const struct path *parent, struct dentry *dentry,
*/
static int tomoyo_path_rmdir(const struct path *parent, struct dentry *dentry)
{
- struct path path = { parent->mnt, dentry };
+ struct path path = { .mnt = parent->mnt, .dentry = dentry };
return tomoyo_path_perm(TOMOYO_TYPE_RMDIR, &path, NULL);
}
@@ -212,7 +212,7 @@ static int tomoyo_path_rmdir(const struct path *parent, struct dentry *dentry)
static int tomoyo_path_symlink(const struct path *parent, struct dentry *dentry,
const char *old_name)
{
- struct path path = { parent->mnt, dentry };
+ struct path path = { .mnt = parent->mnt, .dentry = dentry };
return tomoyo_path_perm(TOMOYO_TYPE_SYMLINK, &path, old_name);
}
@@ -229,7 +229,7 @@ static int tomoyo_path_symlink(const struct path *parent, struct dentry *dentry,
static int tomoyo_path_mknod(const struct path *parent, struct dentry *dentry,
umode_t mode, unsigned int dev)
{
- struct path path = { parent->mnt, dentry };
+ struct path path = { .mnt = parent->mnt, .dentry = dentry };
int type = TOMOYO_TYPE_CREATE;
const unsigned int perm = mode & S_IALLUGO;
@@ -268,8 +268,8 @@ static int tomoyo_path_mknod(const struct path *parent, struct dentry *dentry,
static int tomoyo_path_link(struct dentry *old_dentry, const struct path *new_dir,
struct dentry *new_dentry)
{
- struct path path1 = { new_dir->mnt, old_dentry };
- struct path path2 = { new_dir->mnt, new_dentry };
+ struct path path1 = { .mnt = new_dir->mnt, .dentry = old_dentry };
+ struct path path2 = { .mnt = new_dir->mnt, .dentry = new_dentry };
return tomoyo_path2_perm(TOMOYO_TYPE_LINK, &path1, &path2);
}
@@ -288,8 +288,8 @@ static int tomoyo_path_rename(const struct path *old_parent,
const struct path *new_parent,
struct dentry *new_dentry)
{
- struct path path1 = { old_parent->mnt, old_dentry };
- struct path path2 = { new_parent->mnt, new_dentry };
+ struct path path1 = { .mnt = old_parent->mnt, .dentry = old_dentry };
+ struct path path2 = { .mnt = new_parent->mnt, .dentry = new_dentry };
return tomoyo_path2_perm(TOMOYO_TYPE_RENAME, &path1, &path2);
}
@@ -417,7 +417,7 @@ static int tomoyo_sb_mount(const char *dev_name, const struct path *path,
*/
static int tomoyo_sb_umount(struct vfsmount *mnt, int flags)
{
- struct path path = { mnt, mnt->mnt_root };
+ struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
return tomoyo_path_perm(TOMOYO_TYPE_UMOUNT, &path, NULL);
}
@@ -496,7 +496,7 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
*/
-static struct security_hook_list tomoyo_hooks[] = {
+static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(cred_alloc_blank, tomoyo_cred_alloc_blank),
LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare),
LSM_HOOK_INIT(cred_transfer, tomoyo_cred_transfer),
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 88271a3bf37f..8298e094f4f7 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -428,7 +428,7 @@ int yama_ptrace_traceme(struct task_struct *parent)
return rc;
}
-static struct security_hook_list yama_hooks[] = {
+static struct security_hook_list yama_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme),
LSM_HOOK_INIT(task_prctl, yama_task_prctl),