Diffstat (limited to 'security')
-rw-r--r--security/apparmor/lsm.c4
-rw-r--r--security/capability.c4
-rw-r--r--security/device_cgroup.c2
-rw-r--r--security/inode.c2
-rw-r--r--security/integrity/ima/ima_crypto.c47
-rw-r--r--security/keys/gc.c11
-rw-r--r--security/keys/key.c4
-rw-r--r--security/keys/request_key.c23
-rw-r--r--security/security.c4
-rw-r--r--security/selinux/hooks.c6
-rw-r--r--security/selinux/netif.c4
-rw-r--r--security/selinux/netnode.c3
-rw-r--r--security/selinux/netport.c3
-rw-r--r--security/smack/smack_lsm.c3
-rw-r--r--security/tomoyo/audit.c8
-rw-r--r--security/tomoyo/common.c4
-rw-r--r--security/tomoyo/realpath.c5
17 files changed, 46 insertions, 91 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 9981000..65ca451 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -668,7 +668,7 @@ static int param_set_aabool(const char *val, const struct kernel_param *kp);
static int param_get_aabool(char *buffer, const struct kernel_param *kp);
#define param_check_aabool param_check_bool
static struct kernel_param_ops param_ops_aabool = {
- .flags = KERNEL_PARAM_FL_NOARG,
+ .flags = KERNEL_PARAM_OPS_FL_NOARG,
.set = param_set_aabool,
.get = param_get_aabool
};
@@ -685,7 +685,7 @@ static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp
static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
#define param_check_aalockpolicy param_check_bool
static struct kernel_param_ops param_ops_aalockpolicy = {
- .flags = KERNEL_PARAM_FL_NOARG,
+ .flags = KERNEL_PARAM_OPS_FL_NOARG,
.set = param_set_aalockpolicy,
.get = param_get_aalockpolicy
};
diff --git a/security/capability.c b/security/capability.c
index a74fde6..d68c57a 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -343,9 +343,9 @@ static int cap_file_fcntl(struct file *file, unsigned int cmd,
return 0;
}
-static int cap_file_set_fowner(struct file *file)
+static void cap_file_set_fowner(struct file *file)
{
- return 0;
+ return;
}
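Review bot: The bare `return;` that now forms the whole body of cap_file_set_fowner() is redundant — falling off the end of a void function is the normal idiom, so the body can simply be `{ }`. This is a style point only; behaviour is unchanged by the int-to-void conversion.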
static int cap_file_send_sigiotask(struct task_struct *tsk,
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index d9d69e6..188c1d2 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -796,7 +796,7 @@ struct cgroup_subsys devices_cgrp_subsys = {
.css_free = devcgroup_css_free,
.css_online = devcgroup_online,
.css_offline = devcgroup_offline,
- .base_cftypes = dev_cgroup_files,
+ .legacy_cftypes = dev_cgroup_files,
};
/**
diff --git a/security/inode.c b/security/inode.c
index 43ce6e1..8e7ca62 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -74,7 +74,7 @@ static struct file_system_type fs_type = {
* pointer must be passed to the securityfs_remove() function when the file is
* to be removed (no automatic cleanup happens if your module is unloaded,
* you are responsible here). If an error occurs, the function will return
- * the erorr value (via ERR_PTR).
+ * the error value (via ERR_PTR).
*
* If securityfs is not enabled in the kernel, the value %-ENODEV is
* returned.
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index d34e7df..78d66da 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -386,17 +386,14 @@ static int ima_calc_file_hash_tfm(struct file *file,
loff_t i_size, offset = 0;
char *rbuf;
int rc, read = 0;
- struct {
- struct shash_desc shash;
- char ctx[crypto_shash_descsize(tfm)];
- } desc;
+ SHASH_DESC_ON_STACK(shash, tfm);
- desc.shash.tfm = tfm;
- desc.shash.flags = 0;
+ shash->tfm = tfm;
+ shash->flags = 0;
hash->length = crypto_shash_digestsize(tfm);
- rc = crypto_shash_init(&desc.shash);
+ rc = crypto_shash_init(shash);
if (rc != 0)
return rc;
@@ -426,7 +423,7 @@ static int ima_calc_file_hash_tfm(struct file *file,
break;
offset += rbuf_len;
- rc = crypto_shash_update(&desc.shash, rbuf, rbuf_len);
+ rc = crypto_shash_update(shash, rbuf, rbuf_len);
if (rc)
break;
}
@@ -435,7 +432,7 @@ static int ima_calc_file_hash_tfm(struct file *file,
kfree(rbuf);
out:
if (!rc)
- rc = crypto_shash_final(&desc.shash, hash->digest);
+ rc = crypto_shash_final(shash, hash->digest);
return rc;
}
@@ -493,18 +490,15 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
struct ima_digest_data *hash,
struct crypto_shash *tfm)
{
- struct {
- struct shash_desc shash;
- char ctx[crypto_shash_descsize(tfm)];
- } desc;
+ SHASH_DESC_ON_STACK(shash, tfm);
int rc, i;
- desc.shash.tfm = tfm;
- desc.shash.flags = 0;
+ shash->tfm = tfm;
+ shash->flags = 0;
hash->length = crypto_shash_digestsize(tfm);
- rc = crypto_shash_init(&desc.shash);
+ rc = crypto_shash_init(shash);
if (rc != 0)
return rc;
@@ -514,7 +508,7 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
u32 datalen = field_data[i].len;
if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) {
- rc = crypto_shash_update(&desc.shash,
+ rc = crypto_shash_update(shash,
(const u8 *) &field_data[i].len,
sizeof(field_data[i].len));
if (rc)
@@ -524,13 +518,13 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
data_to_hash = buffer;
datalen = IMA_EVENT_NAME_LEN_MAX + 1;
}
- rc = crypto_shash_update(&desc.shash, data_to_hash, datalen);
+ rc = crypto_shash_update(shash, data_to_hash, datalen);
if (rc)
break;
}
if (!rc)
- rc = crypto_shash_final(&desc.shash, hash->digest);
+ rc = crypto_shash_final(shash, hash->digest);
return rc;
}
@@ -571,15 +565,12 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
{
u8 pcr_i[TPM_DIGEST_SIZE];
int rc, i;
- struct {
- struct shash_desc shash;
- char ctx[crypto_shash_descsize(tfm)];
- } desc;
+ SHASH_DESC_ON_STACK(shash, tfm);
- desc.shash.tfm = tfm;
- desc.shash.flags = 0;
+ shash->tfm = tfm;
+ shash->flags = 0;
- rc = crypto_shash_init(&desc.shash);
+ rc = crypto_shash_init(shash);
if (rc != 0)
return rc;
@@ -587,10 +578,10 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
for (i = TPM_PCR0; i < TPM_PCR8; i++) {
ima_pcrread(i, pcr_i);
/* now accumulate with current aggregate */
- rc = crypto_shash_update(&desc.shash, pcr_i, TPM_DIGEST_SIZE);
+ rc = crypto_shash_update(shash, pcr_i, TPM_DIGEST_SIZE);
}
if (!rc)
- crypto_shash_final(&desc.shash, digest);
+ crypto_shash_final(shash, digest);
return rc;
}
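Review bot: Errors are still lost in the PCR loop and at the final step of ima_calc_boot_aggregate_tfm(): `rc = crypto_shash_update(shash, pcr_i, TPM_DIGEST_SIZE);` is overwritten on every iteration with no `if (rc) break;`, so a failure on one PCR is masked by success on the next, and the converted `crypto_shash_final(shash, digest);` discards its return value, so a failed finalization reports success while `digest` is left in an undefined state. Given the function's role (a boot aggregate, per its name) a silently wrong digest weakens the measurement chain, so suggest `if (rc) break;` after the update and `rc = crypto_shash_final(shash, digest);`. The return of ima_pcrread() is also ignored, though whether it can fail is not visible in this hunk. The SHASH_DESC_ON_STACK conversion itself looks correct.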
diff --git a/security/keys/gc.c b/security/keys/gc.c
index d3222b6..9609a7f 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -92,15 +92,6 @@ static void key_gc_timer_func(unsigned long data)
}
/*
- * wait_on_bit() sleep function for uninterruptible waiting
- */
-static int key_gc_wait_bit(void *flags)
-{
- schedule();
- return 0;
-}
-
-/*
* Reap keys of dead type.
*
* We use three flags to make sure we see three complete cycles of the garbage
@@ -123,7 +114,7 @@ void key_gc_keytype(struct key_type *ktype)
schedule_work(&key_gc_work);
kdebug("sleep");
- wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE, key_gc_wait_bit,
+ wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE,
TASK_UNINTERRUPTIBLE);
key_gc_dead_keytype = NULL;
diff --git a/security/keys/key.c b/security/keys/key.c
index 8c0092c..e17ba6a 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -27,8 +27,8 @@ DEFINE_SPINLOCK(key_serial_lock);
struct rb_root key_user_tree; /* tree of quota records indexed by UID */
DEFINE_SPINLOCK(key_user_lock);
-unsigned int key_quota_root_maxkeys = 200; /* root's key count quota */
-unsigned int key_quota_root_maxbytes = 20000; /* root's key space quota */
+unsigned int key_quota_root_maxkeys = 1000000; /* root's key count quota */
+unsigned int key_quota_root_maxbytes = 25000000; /* root's key space quota */
unsigned int key_quota_maxkeys = 200; /* general key count quota */
unsigned int key_quota_maxbytes = 20000; /* general key space quota */
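Review bot: The new root quota values `1000000` and `25000000` raise the previous limits by 5000x and 1250x, yet the trailing comments still say only `root's key count quota` / `root's key space quota` and nothing in the code records why. Because these limits bound how much kernel memory root-owned keys may pin, the next reader should see the rationale here; suggest extending the comment along the lines of `/* root's key count quota; raised because in-kernel services creating keys as root exhausted the old limit */`, adjusted to the actual motivation from the commit message. If these remain runtime-tunable (presumably via the keys sysctls), saying so in the same comment would help too.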
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index dc6ed32..bb4337c 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -21,24 +21,6 @@
#define key_negative_timeout 60 /* default timeout on a negative key's existence */
-/*
- * wait_on_bit() sleep function for uninterruptible waiting
- */
-static int key_wait_bit(void *flags)
-{
- schedule();
- return 0;
-}
-
-/*
- * wait_on_bit() sleep function for interruptible waiting
- */
-static int key_wait_bit_intr(void *flags)
-{
- schedule();
- return signal_pending(current) ? -ERESTARTSYS : 0;
-}
-
/**
* complete_request_key - Complete the construction of a key.
* @cons: The key construction record.
@@ -603,10 +585,9 @@ int wait_for_key_construction(struct key *key, bool intr)
int ret;
ret = wait_on_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT,
- intr ? key_wait_bit_intr : key_wait_bit,
intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE);
- if (ret < 0)
- return ret;
+ if (ret)
+ return -ERESTARTSYS;
if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
smp_rmb();
return key->type_data.reject_error;
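Review bot: `if (ret) return -ERESTARTSYS;` collapses any non-zero result from wait_on_bit() into -ERESTARTSYS, whereas the removed key_wait_bit_intr() produced that code only for a pending signal. This is correct if the new wait_on_bit() can only fail because of a signal, but the translation is non-obvious and deserves a comment, e.g. `/* wait_on_bit() reports a pending signal as a non-zero error; keep the syscall restartable */`. In the TASK_UNINTERRUPTIBLE case wait_on_bit() presumably always returns 0, so the mapping is only reachable when intr is set; worth confirming against the wait_on_bit() definition.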
diff --git a/security/security.c b/security/security.c
index e41b1a8..18b35c6 100644
--- a/security/security.c
+++ b/security/security.c
@@ -775,9 +775,9 @@ int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
return security_ops->file_fcntl(file, cmd, arg);
}
-int security_file_set_fowner(struct file *file)
+void security_file_set_fowner(struct file *file)
{
- return security_ops->file_set_fowner(file);
+ security_ops->file_set_fowner(file);
}
int security_file_send_sigiotask(struct task_struct *tsk,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 29e64d4..e663141 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -481,6 +481,7 @@ next_inode:
list_entry(sbsec->isec_head.next,
struct inode_security_struct, list);
struct inode *inode = isec->inode;
+ list_del_init(&isec->list);
spin_unlock(&sbsec->isec_lock);
inode = igrab(inode);
if (inode) {
@@ -489,7 +490,6 @@ next_inode:
iput(inode);
}
spin_lock(&sbsec->isec_lock);
- list_del_init(&isec->list);
goto next_inode;
}
spin_unlock(&sbsec->isec_lock);
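Review bot: The reason `list_del_init(&isec->list)` now runs before `spin_unlock(&sbsec->isec_lock)` is not recorded in the code. Presumably once the lock is dropped the inode — and with it isec — can be freed by another path, so touching isec->list after re-acquiring the lock was a use-after-free; if that is the motivation, a one-line comment keeps the next reader from moving the unlink back: `/* unlink under isec_lock: isec may be freed once the lock is dropped */`. The enclosing function starts before this hunk.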
@@ -3381,14 +3381,12 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
return err;
}
-static int selinux_file_set_fowner(struct file *file)
+static void selinux_file_set_fowner(struct file *file)
{
struct file_security_struct *fsec;
fsec = file->f_security;
fsec->fown_sid = current_sid();
-
- return 0;
}
static int selinux_file_send_sigiotask(struct task_struct *tsk,
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index 485524c..e607b44 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -275,7 +275,7 @@ static struct notifier_block sel_netif_netdev_notifier = {
static __init int sel_netif_init(void)
{
- int i, err;
+ int i;
if (!selinux_enabled)
return 0;
@@ -285,7 +285,7 @@ static __init int sel_netif_init(void)
register_netdevice_notifier(&sel_netif_netdev_notifier);
- return err;
+ return 0;
}
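Review bot: `return 0;` now unconditionally reports success even though the result of `register_netdevice_notifier(&sel_netif_netdev_notifier);` on the line above is still discarded. If registration fails, the netif SID cache would presumably never be flushed on interface changes and could keep serving stale labels, so the failure should at least be propagated: `return register_netdevice_notifier(&sel_netif_netdev_notifier);`. The discarded return is pre-existing — this hunk only removes the uninitialised `err` — but it is worth fixing while the return path is being touched.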
__initcall(sel_netif_init);
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index ddf3152..da923f8 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -303,7 +303,6 @@ void sel_netnode_flush(void)
static __init int sel_netnode_init(void)
{
int iter;
- int ret;
if (!selinux_enabled)
return 0;
@@ -313,7 +312,7 @@ static __init int sel_netnode_init(void)
sel_netnode_hash[iter].size = 0;
}
- return ret;
+ return 0;
}
__initcall(sel_netnode_init);
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index 73ac678..3311cc3 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -237,7 +237,6 @@ void sel_netport_flush(void)
static __init int sel_netport_init(void)
{
int iter;
- int ret;
if (!selinux_enabled)
return 0;
@@ -247,7 +246,7 @@ static __init int sel_netport_init(void)
sel_netport_hash[iter].size = 0;
}
- return ret;
+ return 0;
}
__initcall(sel_netport_init);
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 93dc876..d515ec2 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1570,12 +1570,11 @@ static int smack_mmap_file(struct file *file,
* Returns 0
* Further research may be required on this one.
*/
-static int smack_file_set_fowner(struct file *file)
+static void smack_file_set_fowner(struct file *file)
{
struct smack_known *skp = smk_of_current();
file->f_security = skp;
- return 0;
}
/**
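Review bot: The kerneldoc above the new void smack_file_set_fowner() still says `Returns 0` (visible in the hunk's leading context), which is now false. Drop that line or replace it with the side effect the function actually has, e.g. ` * Stores the current task's Smack label in file->f_security.`. The code overwrites `file->f_security` with `skp` unconditionally, which is unchanged behaviour, so the existing "Further research may be required" caveat should stay.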
diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c
index c1b0037..3ffa4f5 100644
--- a/security/tomoyo/audit.c
+++ b/security/tomoyo/audit.c
@@ -155,11 +155,9 @@ static char *tomoyo_print_header(struct tomoyo_request_info *r)
u8 i;
if (!buffer)
return NULL;
- {
- struct timeval tv;
- do_gettimeofday(&tv);
- tomoyo_convert_time(tv.tv_sec, &stamp);
- }
+
+ tomoyo_convert_time(get_seconds(), &stamp);
+
pos = snprintf(buffer, tomoyo_buffer_len - 1,
"#%04u/%02u/%02u %02u:%02u:%02u# profile=%u mode=%s "
"granted=%s (global-pid=%u) task={ pid=%u ppid=%u "
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 283862a..e0fb750 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2267,13 +2267,11 @@ static unsigned int tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT];
*/
void tomoyo_update_stat(const u8 index)
{
- struct timeval tv;
- do_gettimeofday(&tv);
/*
* I don't use atomic operations because race condition is not fatal.
*/
tomoyo_stat_updated[index]++;
- tomoyo_stat_modified[index] = tv.tv_sec;
+ tomoyo_stat_modified[index] = get_seconds();
}
/**
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c
index a3386d1..bed745c 100644
--- a/security/tomoyo/realpath.c
+++ b/security/tomoyo/realpath.c
@@ -173,7 +173,7 @@ static char *tomoyo_get_local_path(struct dentry *dentry, char * const buffer,
* Use filesystem name if filesystem does not support rename()
* operation.
*/
- if (!inode->i_op->rename)
+ if (!inode->i_op->rename && !inode->i_op->rename2)
goto prepend_filesystem_name;
}
/* Prepend device name. */
@@ -282,7 +282,8 @@ char *tomoyo_realpath_from_path(struct path *path)
* Get local name for filesystems without rename() operation
* or dentry without vfsmount.
*/
- if (!path->mnt || !inode->i_op->rename)
+ if (!path->mnt ||
+ (!inode->i_op->rename && !inode->i_op->rename2))
pos = tomoyo_get_local_path(path->dentry, buf,
buf_len - 1);
/* Get absolute name for the rest. */
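Review bot: The predicate `!inode->i_op->rename && !inode->i_op->rename2` is now written out twice in this file (here and in tomoyo_get_local_path()), which invites the two copies falling out of step the next time the VFS rename interface changes — the very situation this commit is repairing. A small helper keeps one definition: `static inline bool tomoyo_inode_has_rename(const struct inode *inode) { return inode->i_op->rename || inode->i_op->rename2; }` and then `if (!path->mnt || !tomoyo_inode_has_rename(inode))` at both call sites. The enclosing function continues outside this hunk.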