summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ima: fix up #endif commentsTycho Andersen2017-06-211-2/+2
| | | | | | | | While reading the code, I noticed that these #endif comments don't match how they're actually nested. This patch fixes that. Signed-off-by: Tycho Andersen <tycho@docker.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* IMA: Correct Kconfig dependencies for hash selectionBen Hutchings2017-06-211-4/+4
| | | | | | | | IMA uses the hash algorithm too early to be able to use a module. Require the selected hash algorithm to be built-in. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: define is_ima_appraise_enabled()Mimi Zohar2017-06-212-0/+16
| | | | | | | | | Only return enabled if in enforcing mode, not fix or log modes. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Changes: - Define is_ima_appraise_enabled() as a bool (Thiago Bauermann)
* ima: define Kconfig IMA_APPRAISE_BOOTPARAM optionMimi Zohar2017-06-212-0/+10
| | | | | | | Permit enabling the different "ima_appraise=" modes (eg. log, fix) from the boot command line. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: define a set of appraisal rules requiring file signaturesMimi Zohar2017-06-212-2/+30
| | | | | | | | | | | | | | | | | | | The builtin "ima_appraise_tcb" policy should require file signatures for at least a few of the hooks (eg. kernel modules, firmware, and the kexec kernel image), but changing it would break the existing userspace/kernel ABI. This patch defines a new builtin policy named "secure_boot", which can be specified on the "ima_policy=" boot command line, independently or in conjunction with the "ima_appraise_tcb" policy, by specifing ima_policy="appraise_tcb | secure_boot". The new appraisal rules requiring file signatures will be added prior to the "ima_appraise_tcb" rules. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Changelog: - Reference secure boot in the new builtin policy name. (Thiago Bauermann)
* ima: extend the "ima_policy" boot command line to support multiple policiesMimi Zohar2017-06-212-11/+21
| | | | | | | Add support for providing multiple builtin policies on the "ima_policy=" boot command line. Use "|" as the delimitor separating the policy names. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* Merge branch 'smack-for-4.13' of git://github.com/cschaufler/smack-next into ↵James Morris2017-06-214-18/+31
|\ | | | | | | next
| * Smack: Use cap_capable in privilege checkCasey Schaufler2017-06-012-9/+12
| | | | | | | | | | | | | | | | | | Use cap_capable() rather than capable() in the Smack privilege check as the former does not invoke other security module privilege check, while the later does. This becomes important when stacking. It may be a problem even with minor modules. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
| * Smack: Safer check for a socket in file_receiveCasey Schaufler2017-06-011-1/+1
| | | | | | | | | | | | | | | | The check of S_ISSOCK() in smack_file_receive() is not appropriate if the passed descriptor is a socket. Reported-by: Stephen Smalley <sds@tyco.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
| * smack: use pernet operations for hook registrationFlorian Westphal2017-06-011-8/+18
| | | | | | | | | | | | | | It will allow us to remove the old netfilter hook api in the near future. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
* | tpm/tpm_atmel: remove unnecessary NULL checkGustavo A. R. Silva2017-06-191-7/+5
| | | | | | | | | | | | | | | | | | | | Remove unnecessary NULL check. Pointer _chip_ cannot be NULL in this instance. Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com> (compilation) Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | tpm/st33zp24: Switch to devm_acpi_dev_add_driver_gpios()Andy Shevchenko2017-06-192-4/+2
| | | | | | | | | | | | | | | | | | | | Switch to use managed variant of acpi_dev_add_driver_gpios() to simplify error path and fix potentially wrong assignment if ->probe() fails. Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com> (compilation) Signed-off-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com>
* | tpm: vtpm_proxy: Prevent userspace from sending driver commandStefan Berger2017-06-131-0/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | To prevent userspace from sending the TPM driver command to set the locality, we need to check every command that is sent from user space. To distinguish user space commands from internally sent commands we introduce an additional state flag STATE_DRIVER_COMMAND that is set while the driver sends this command. Similar to the TPM 2 space commands we return an error code when this command is detected. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | tpm: vtpm_proxy: Implement request_locality function.Stefan Berger2017-06-133-0/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement the request_locality function. To set the locality on the backend we define vendor-specific TPM 1.2 and TPM 2 ordinals and send a command to the backend to set the locality for the next commands. To avoid recursing into requesting the locality, we set the TPM_TRANSMIT_RAW flag when calling tpm_transmit_cmd. To avoid recursing into TPM 2 space related commands, we set the space parameter to NULL. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | tpm: Introduce flag TPM_TRANSMIT_RAWStefan Berger2017-06-132-1/+3
| | | | | | | | | | | | | | | | | | Introduce the flag TPM_TRANSMIT_RAW that allows us to transmit a command without recursing into the requesting of locality. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | tpm: vtpm_proxy: Suppress error logging when in closed stateStefan Berger2017-06-132-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | Suppress the error logging when the core TPM driver sends commands to the VTPM proxy driver and -EPIPE is returned in case the VTPM proxy driver is 'closed' (closed anonymous file descriptor). This error code is only returned by the send function and by tpm_transmit when the VTPM proxy driver is being used. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | tpm, tpmrm: Mark tpmrm_write as staticPeter Huewe2017-06-131-1/+1
| | | | | | | | | | | | | | | | | | sparse complains that tpmrm_write can be made static, and since it is right we make it static. Signed-off-by: Peter Huewe <peterhuewe@gmx.de> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | tpm: remove struct tpm_pcrextend_inJarkko Sakkinen2017-06-131-6/+0
| | | | | | | | | | | | | | Removed struct tpm_pcrextend_in as it is not used for anything anymore. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
* | tpm, tpm_infineon: remove useless snprintf() callsJarkko Sakkinen2017-06-131-4/+4
| | | | | | | | | | | | | | The memory copy from rodata to stack is useless. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
* | tpm: fix byte order related arithmetic inconsistency in tpm_getcap()Jarkko Sakkinen2017-06-132-27/+16
| | | | | | | | | | | | | | | | | | | | You should not do arithmetic with __be32 or __le32 types because sometimes it results incorrect results. Calculations must be done only with integers that are in in the CPU byte order. This commit migrates tpm_getcap() to struct tpm_buf in order to sort out these issues. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
* | tpm: Apply a sane minimum adapterlimit value for retransmission.Bryan Freed2017-06-131-20/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the I2C Infineon part is attached to an I2C adapter that imposes a size limitation, large requests will fail with -EOPNOTSUPP. Retry them with a sane minimum size without re-issuing the 0x05 command as this appears to occasionally put the TPM in a bad state. Signed-off-by: Bryan Freed <bfreed@chromium.org> [rework the patch to adapt to the feedback received] Signed-off-by: Enric Balletbo i Serra <enric.balletbo@collabora.com> Acked-by: Andrew Lunn <andrew@lunn.ch> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | tpm_tis: Consolidate the platform and acpi probe flowJason Gunthorpe2017-06-131-113/+54
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now that the platform device was merged for OF support we can use the platform device to match ACPI devices as well and run everything through tpm_tis_init. pnp_acpi_device is replaced with ACPI_COMPANION, and ACPI_HANDLE is pushed further down. platform_get_resource is used instead of acpi_dev_get_resources. The itpm global module parameter is no longer changed during itpm detection, instead the phy specific bit is set directly. Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jerry Snitselaar <jsnitsel@redhat.com> (with TPM 2.0) Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (with TPM 1.2) Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | tpm_tis: Use platform_get_irqJason Gunthorpe2017-06-131-4/+2
| | | | | | | | | | | | | | | | | | | | | | | | Replace the open coded IORESOURCE_IRQ with platform_get_irq, which supports more cases. Fixes: 00194826e6be ("tpm_tis: Clean up the force=1 module parameter") Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jerry Snitselaar <jsnitsel@redhat.com> (with TPM 2.0) Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (with TPM 1.2) Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | tpm_tis: Fix IRQ autoprobing when using platform_deviceJason Gunthorpe2017-06-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The test was backwards, triggering IRQ autoprobing if the firmware did not specify an IRQ, instead of triggering it only when the module force parameter was specified. Since autoprobing is not enabled on !x86 and the platform device is currently only used on !x86, or with force, this has gone unnoticed. Fixes: 00194826e6be ("tpm_tis: Clean up the force=1 module parameter") Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jerry Snitselaar <jsnitsel@redhat.com> (with TPM 2.0) Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (with TPM 1.2) Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | tpm: move TPM 1.2 code of tpm_pcr_extend() to tpm1_pcr_extend()Roberto Sassu2017-06-131-17/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In preparation of the modifications to tpm_pcr_extend(), which will allow callers to supply a digest for each PCR bank of a TPM 2.0, the TPM 1.2 specific code has been moved to tpm1_pcr_extend(). tpm1_pcr_extend() uses tpm_buf_init() to prepare the command buffer, which offers protection against buffer overflow. It is called by tpm_pcr_extend() and tpm_pm_suspend(). Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | tpm: move endianness conversion of ordinals to tpm_input_headerRoberto Sassu2017-06-132-14/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Move CPU native value to big-endian conversion of ordinals to the tpm_input_header declarations. With the previous and this patch it will now be possible to modify TPM 1.2 functions to use tpm_buf_init(), which expects CPU native value for the tag and ordinal arguments. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | tpm: move endianness conversion of TPM_TAG_RQU_COMMAND to tpm_input_headerRoberto Sassu2017-06-133-9/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the long term, TPM 1.2 functions in the driver interface will be modified to use tpm_buf_init(). However, tag and ordinals cannot be passed directly to tpm_buf_init(), because this function performs CPU native to big-endian conversion of these arguments. Since TPM_TAG_RQU_COMMAND and TPM_ORD_ are already converted, passing them to the function will undo the previous conversion. This patch moves the conversion of TPM_TAG_RQU_COMMAND from the tpm.h header file in the driver directory to the tpm_input_header declarations in the driver interface and tpm-sysfs.c. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
* | apparmor: export that basic profile namespaces are supportedJohn Johansen2017-06-101-0/+7
| | | | | | | | | | | | | | Allow userspace to detect that basic profile policy namespaces are available. Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: add stacked domain labels interfaceJohn Johansen2017-06-102-0/+8
| | | | | | | | | | | | Update the user interface to support the stacked change_profile transition. Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: add domain label stacking info to apparmorfsJohn Johansen2017-06-103-0/+39
| | | | | | | | | | | | | | Now that the domain label transition is complete advertise it to userspace. Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: move change_profile mediation to using labelsJohn Johansen2017-06-101-68/+123
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: move change_hat mediation to using labelsJohn Johansen2017-06-101-102/+201
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: move exec domain mediation to using labelsJohn Johansen2017-06-102-259/+678
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: support v7 transition format compatible with label_parseJohn Johansen2017-06-102-7/+15
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: mediate files when they are receivedJohn Johansen2017-06-102-0/+7
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: rework file permission to cache file access in file->ctxJohn Johansen2017-06-101-6/+76
| | | | | | | | | | | | | | | | This is a temporary step, towards using the file->ctx for delegation, and also helps speed up file queries, until the permission lookup cache is introduced. Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: move path_link mediation to using labelsJohn Johansen2017-06-103-47/+59
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: refactor path name lookup and permission checks around labelsJohn Johansen2017-06-103-45/+85
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: update aa_audit_file() to use labelsJohn Johansen2017-06-103-9/+18
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: move aa_file_perm() to use labelsJohn Johansen2017-06-103-37/+64
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: allow ptrace checks to be finer grained than just capabilityJohn Johansen2017-06-103-0/+68
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: move ptrace checks to using labelsJohn Johansen2017-06-105-80/+58
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: add cross check permission helper macrosJohn Johansen2017-06-101-1/+41
| | | | | | | | | | | | | | The cross check permission helper macros will help simplify code that does cross task permission checks like ptrace. Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: move resource checks to using labelsJohn Johansen2017-06-103-42/+80
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: move capability checks to using labelsJohn Johansen2017-06-105-29/+58
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: update query interface to support label queriesJohn Johansen2017-06-101-7/+39
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: switch getprocattr to using label_print fns()John Johansen2017-06-103-37/+27
| | | | | | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: switch from profiles to using labels on contextsJohn Johansen2017-06-1020-529/+686
| | | | | | | | | | | | | | | | Begin the actual switch to using domain labels by storing them on the context and converting the label to a singular profile where possible. Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: add the base fns() for domain labelsJohn Johansen2017-06-102-0/+2561
| | | | | | | | | | | | | | | | Begin moving apparmor to using broader domain labels, that will allow run time computation of domain type splitting via "stacking" of profiles into a domain label vec. Signed-off-by: John Johansen <john.johansen@canonical.com>
* | apparmor: revalidate files during execJohn Johansen2017-06-104-0/+81
| | | | | | | | | | | | | | | | | | Instead of running file revalidation lazily when read/write are called copy selinux and revalidate the file table on exec. This avoids extra mediation overhead in read/write and also prevents file handles being passed through to a grand child unchecked. Signed-off-by: John Johansen <john.johansen@canonical.com>
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-22 23:32:03 +0000