uint state; /* mount/recovery state */
unsigned long flag; /* mount time flags */
uint p_state; /* state prior to going no integrity */
- uint uid; /* uid to override on-disk uid */
- uint gid; /* gid to override on-disk gid */
+ kuid_t uid; /* uid to override on-disk uid */
+ kgid_t gid; /* gid to override on-disk gid */
uint umask; /* umask to override on-disk umask */
+ uint minblks_trim; /* minimum blocks, for online trim */
};
/* jfs_sb_info commit_state */
case Opt_uid:
{
char *uid = args[0].from;
- sbi->uid = simple_strtoul(uid, &uid, 0);
+ uid_t val = simple_strtoul(uid, &uid, 0);
+ sbi->uid = make_kuid(current_user_ns(), val);
+ if (!uid_valid(sbi->uid))
+ goto cleanup;
break;
}
+
case Opt_gid:
{
char *gid = args[0].from;
- sbi->gid = simple_strtoul(gid, &gid, 0);
+ gid_t val = simple_strtoul(gid, &gid, 0);
+ sbi->gid = make_kgid(current_user_ns(), val);
+ if (!gid_valid(sbi->gid))
+ goto cleanup;
break;
}
+
case Opt_umask:
{
char *umask = args[0].from;
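Review bot: The Opt_uid and Opt_gid cases store the result of simple_strtoul() directly in a `uid_t`/`gid_t`, so on a 64-bit build a value above 32 bits is silently truncated before make_kuid()/make_kgid() sees it. An option such as uid=4294967296 would then pass the uid_valid() check as id 0. Parsing into a wide local and rejecting out-of-range input first closes that gap: `unsigned long val = simple_strtoul(uid, &uid, 0);` followed by `if (val > UINT_MAX) goto cleanup;`, and the same for gid. The `(uid_t)lnum != lnum` comparison in the IMA fowner parser in this change already does this kind of check, and JFS should match it.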
struct ubifs_dent_node *dent, *pdent = NULL;
int count = 2;
- printk(KERN_ERR "Dump in-memory inode:");
- printk(KERN_ERR "\tinode %lu\n", inode->i_ino);
- printk(KERN_ERR "\tsize %llu\n",
+ pr_err("Dump in-memory inode:");
+ pr_err("\tinode %lu\n", inode->i_ino);
+ pr_err("\tsize %llu\n",
(unsigned long long)i_size_read(inode));
- printk(KERN_ERR "\tnlink %u\n", inode->i_nlink);
- printk(KERN_ERR "\tuid %u\n", (unsigned int)i_uid_read(inode));
- printk(KERN_ERR "\tgid %u\n", (unsigned int)i_gid_read(inode));
- printk(KERN_ERR "\tatime %u.%u\n",
+ pr_err("\tnlink %u\n", inode->i_nlink);
- pr_err("\tuid %u\n", (unsigned int)inode->i_uid);
- pr_err("\tgid %u\n", (unsigned int)inode->i_gid);
++ pr_err("\tuid %u\n", (unsigned int)i_uid_read(inode));
++ pr_err("\tgid %u\n", (unsigned int)i_gid_read(inode));
+ pr_err("\tatime %u.%u\n",
(unsigned int)inode->i_atime.tv_sec,
(unsigned int)inode->i_atime.tv_nsec);
- printk(KERN_ERR "\tmtime %u.%u\n",
+ pr_err("\tmtime %u.%u\n",
(unsigned int)inode->i_mtime.tv_sec,
(unsigned int)inode->i_mtime.tv_nsec);
- printk(KERN_ERR "\tctime %u.%u\n",
+ pr_err("\tctime %u.%u\n",
(unsigned int)inode->i_ctime.tv_sec,
(unsigned int)inode->i_ctime.tv_nsec);
- printk(KERN_ERR "\tcreat_sqnum %llu\n", ui->creat_sqnum);
- printk(KERN_ERR "\txattr_size %u\n", ui->xattr_size);
- printk(KERN_ERR "\txattr_cnt %u\n", ui->xattr_cnt);
- printk(KERN_ERR "\txattr_names %u\n", ui->xattr_names);
- printk(KERN_ERR "\tdirty %u\n", ui->dirty);
- printk(KERN_ERR "\txattr %u\n", ui->xattr);
- printk(KERN_ERR "\tbulk_read %u\n", ui->xattr);
- printk(KERN_ERR "\tsynced_i_size %llu\n",
+ pr_err("\tcreat_sqnum %llu\n", ui->creat_sqnum);
+ pr_err("\txattr_size %u\n", ui->xattr_size);
+ pr_err("\txattr_cnt %u\n", ui->xattr_cnt);
+ pr_err("\txattr_names %u\n", ui->xattr_names);
+ pr_err("\tdirty %u\n", ui->dirty);
+ pr_err("\txattr %u\n", ui->xattr);
+ pr_err("\tbulk_read %u\n", ui->xattr);
+ pr_err("\tsynced_i_size %llu\n",
(unsigned long long)ui->synced_i_size);
- printk(KERN_ERR "\tui_size %llu\n",
+ pr_err("\tui_size %llu\n",
(unsigned long long)ui->ui_size);
- printk(KERN_ERR "\tflags %d\n", ui->flags);
- printk(KERN_ERR "\tcompr_type %d\n", ui->compr_type);
- printk(KERN_ERR "\tlast_page_read %lu\n", ui->last_page_read);
- printk(KERN_ERR "\tread_in_a_row %lu\n", ui->read_in_a_row);
- printk(KERN_ERR "\tdata_len %d\n", ui->data_len);
+ pr_err("\tflags %d\n", ui->flags);
+ pr_err("\tcompr_type %d\n", ui->compr_type);
+ pr_err("\tlast_page_read %lu\n", ui->last_page_read);
+ pr_err("\tread_in_a_row %lu\n", ui->read_in_a_row);
+ pr_err("\tdata_len %d\n", ui->data_len);
if (!S_ISDIR(inode->i_mode))
return;
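Review bot: The converted line `pr_err("\tbulk_read %u\n", ui->xattr);` still prints `ui->xattr` under the bulk_read label, a copy-paste slip carried over from the printk version, so the dump reports the xattr flag twice and never shows the bulk-read state. It should read `pr_err("\tbulk_read %u\n", ui->bulk_read);`. Separately, the first message `pr_err("Dump in-memory inode:");` has no trailing `\n`, which can make the following line run on in the log. The enclosing function starts and continues outside this hunk.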
#define audit_core_dumps(i) do { ; } while (0)
#define audit_seccomp(i,s,c) do { ; } while (0)
#define auditsc_get_stamp(c,t,s) (0)
- #define audit_get_loginuid(t) (-1)
+ #define audit_get_loginuid(t) (INVALID_UID)
#define audit_get_sessionid(t) (-1)
#define audit_log_task_context(b) do { ; } while (0)
+#define audit_log_task_info(b, t) do { ; } while (0)
#define audit_ipc_obj(i) ((void)0)
#define audit_ipc_set_perm(q,u,g,m) ((void)0)
#define audit_bprm(p) ({ 0; })
size--;
audit_log_n_untrustedstring(ab, data, size);
}
- audit_set_pid(ab, pid);
- audit_set_pid(ab, NETLINK_CB(skb).pid);
++ audit_set_pid(ab, NETLINK_CB(skb).portid);
audit_log_end(ab);
}
break;
}
/* fallthrough */
case AUDIT_LIST:
- err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
+ err = audit_receive_filter(msg_type, NETLINK_CB(skb).portid,
- uid, seq, data, nlmsg_len(nlh),
+ seq, data, nlmsg_len(nlh),
loginuid, sessionid, sid);
break;
case AUDIT_ADD_RULE:
}
/* fallthrough */
case AUDIT_LIST_RULES:
- err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
+ err = audit_receive_filter(msg_type, NETLINK_CB(skb).portid,
- uid, seq, data, nlmsg_len(nlh),
+ seq, data, nlmsg_len(nlh),
loginuid, sessionid, sid);
break;
case AUDIT_TRIM:
break;
case AUDIT_TTY_GET: {
struct audit_tty_status s;
- struct task_struct *tsk;
- unsigned long flags;
-
- rcu_read_lock();
- tsk = find_task_by_vpid(pid);
- if (tsk && lock_task_sighand(tsk, &flags)) {
- s.enabled = tsk->signal->audit_tty != 0;
- unlock_task_sighand(tsk, &flags);
- } else
- err = -ESRCH;
- rcu_read_unlock();
-
- if (!err)
- audit_send_reply(NETLINK_CB(skb).portid, seq,
- AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
+ struct task_struct *tsk = current;
+
+ spin_lock_irq(&tsk->sighand->siglock);
+ s.enabled = tsk->signal->audit_tty != 0;
+ spin_unlock_irq(&tsk->sighand->siglock);
+
- audit_send_reply(NETLINK_CB(skb).pid, seq,
++ audit_send_reply(NETLINK_CB(skb).portid, seq,
+ AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
break;
}
case AUDIT_TTY_SET: {
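Review bot: In the AUDIT_TTY_GET case the stack variable `s` is passed to audit_send_reply() with `sizeof(s)` after only `s.enabled` has been assigned. The definition of struct audit_tty_status is outside this hunk; if it has, or later gains, another member or padding, those bytes would reach userspace uninitialized. A `memset(&s, 0, sizeof(s));` before taking siglock makes the reply independent of the struct layout. The switch from the pid lookup to `current` also deserves a comment such as `/* netlink requests are handled in the sender's context, so current is the requester */`, assuming that is the invariant being relied on.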
char name[sizeof(tsk->comm)];
struct mm_struct *mm = tsk->mm;
struct vm_area_struct *vma;
+ char *tty;
+
+ if (!ab)
+ return;
/* tsk == current */
- tsk->loginuid, cred->uid, cred->gid,
- cred->euid, cred->suid, cred->fsuid,
- cred->egid, cred->sgid, cred->fsgid,
+ cred = current_cred();
+
+ spin_lock_irq(&tsk->sighand->siglock);
+ if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
+ tty = tsk->signal->tty->name;
+ else
+ tty = "(none)";
+ spin_unlock_irq(&tsk->sighand->siglock);
+
+
+ audit_log_format(ab,
+ " ppid=%ld pid=%d auid=%u uid=%u gid=%u"
+ " euid=%u suid=%u fsuid=%u"
+ " egid=%u sgid=%u fsgid=%u ses=%u tty=%s",
+ sys_getppid(),
+ tsk->pid,
++ from_kuid(&init_user_ns, tsk->loginuid),
++ from_kuid(&init_user_ns, cred->uid),
++ from_kgid(&init_user_ns, cred->gid),
++ from_kuid(&init_user_ns, cred->euid),
++ from_kuid(&init_user_ns, cred->suid),
++ from_kuid(&init_user_ns, cred->fsuid),
++ from_kgid(&init_user_ns, cred->egid),
++ from_kgid(&init_user_ns, cred->sgid),
++ from_kgid(&init_user_ns, cred->fsgid),
+ tsk->sessionid, tty);
get_task_comm(name, tsk);
audit_log_format(ab, " comm=");
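Review bot: The `tty` pointer is taken from `tsk->signal->tty->name` while siglock is held, but it is only dereferenced later, in the audit_log_format() call after spin_unlock_irq(). Nothing visible in this hunk keeps the tty alive across that gap, so the name may be read after the tty has been released. Copying the name into a local buffer while the lock is held, for example with `strlcpy(buf, tsk->signal->tty->name, sizeof(buf));`, or holding a tty reference until the record is formatted, would remove the window. Also, `tsk->signal` is tested for NULL only after `tsk->sighand` has been dereferenced to take the lock, so that test gives less protection than it suggests. The function begins and continues outside the hunk.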
audit_log_task_context(ab);
}
+EXPORT_SYMBOL(audit_log_task_info);
+
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
- uid_t auid, uid_t uid, unsigned int sessionid,
+ kuid_t auid, kuid_t uid, unsigned int sessionid,
u32 sid, char *comm)
{
struct audit_buffer *ab;
err = PTR_ERR(resp_skb);
} else {
err = nlmsg_unicast(net->xfrm.nlsk, resp_skb,
- NETLINK_CB(skb).pid);
+ NETLINK_CB(skb).portid);
}
} else {
- uid_t loginuid = audit_get_loginuid(current);
+ kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
u32 sid;
err = -EINVAL;
if (x->km.state != XFRM_STATE_VALID)
goto out;
- km_state_expired(x, ue->hard, current->pid);
+ km_state_expired(x, ue->hard, nlh->nlmsg_pid);
if (ue->hard) {
- uid_t loginuid = audit_get_loginuid(current);
+ kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
u32 sid;
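Review bot: `km_state_expired(x, ue->hard, nlh->nlmsg_pid);` takes its id from the netlink message header, a field the sending process fills in itself. The neighbouring hunks use the kernel-recorded `NETLINK_CB(skb).portid` for the same purpose. How km_state_expired() uses the value is not visible here, but if it ends up identifying the requester in a notification, the sender can put any number there. If `skb` is in scope in this function, `km_state_expired(x, ue->hard, NETLINK_CB(skb).portid);` would be consistent with the rest of the conversion; otherwise a short comment should say why the header field is acceptable.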
enum ima_hooks func;
int mask;
unsigned long fsmagic;
- uid_t uid;
- uid_t fowner;
+ kuid_t uid;
++ kuid_t fowner;
struct {
void *rule; /* LSM file metadata specific */
int type; /* audit type */
.flags = IMA_FUNC | IMA_MASK | IMA_UID},
};
-static LIST_HEAD(measure_default_rules);
-static LIST_HEAD(measure_policy_rules);
-static struct list_head *ima_measure;
+static struct ima_rule_entry default_appraise_rules[] = {
+ {.action = DONT_APPRAISE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = CGROUP_SUPER_MAGIC,.flags = IMA_FSMAGIC},
- {.action = APPRAISE,.fowner = 0,.flags = IMA_FOWNER},
++ {.action = APPRAISE,.fowner = GLOBAL_ROOT_UID,.flags = IMA_FOWNER},
+};
+
+static LIST_HEAD(ima_default_rules);
+static LIST_HEAD(ima_policy_rules);
+static struct list_head *ima_rules;
-static DEFINE_MUTEX(ima_measure_mutex);
+static DEFINE_MUTEX(ima_rules_mutex);
static bool ima_use_tcb __initdata;
-static int __init default_policy_setup(char *str)
+static int __init default_measure_policy_setup(char *str)
{
ima_use_tcb = 1;
return 1;
if ((rule->flags & IMA_FSMAGIC)
&& rule->fsmagic != inode->i_sb->s_magic)
return false;
- if ((rule->flags & IMA_UID) && rule->uid != cred->uid)
+ if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
return false;
- if ((rule->flags & IMA_FOWNER) && rule->fowner != inode->i_uid)
++ if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
+ return false;
for (i = 0; i < MAX_LSM_RULES; i++) {
int rc = 0;
u32 osid, sid;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
- entry->uid = -1;
- entry->fowner = -1;
+ entry->uid = INVALID_UID;
++ entry->fowner = INVALID_UID;
entry->action = UNKNOWN;
while ((p = strsep(&rule, " \t")) != NULL) {
substring_t args[MAX_OPT_ARGS];
entry->flags |= IMA_UID;
}
break;
- if (entry->fowner != -1) {
+ case Opt_fowner:
+ ima_log_string(ab, "fowner", args[0].from);
+
- entry->fowner = (uid_t) lnum;
- if (entry->fowner != lnum)
++ if (uid_valid(entry->fowner)) {
+ result = -EINVAL;
+ break;
+ }
+
+ result = strict_strtoul(args[0].from, 10, &lnum);
+ if (!result) {
++ entry->fowner = make_kuid(current_user_ns(), (uid_t) lnum);
++ if (!uid_valid(entry->fowner) || ((uid_t)lnum != lnum))
+ result = -EINVAL;
+ else
+ entry->flags |= IMA_FOWNER;
+ }
+ break;
case Opt_obj_user:
ima_log_string(ab, "obj_user", args[0].from);
result = ima_lsm_rule_init(entry, args[0].from,