From: Stephen Rothwell
Date: Wed, 26 Sep 2012 05:23:03 +0000 (+1000)
Subject: Merge remote-tracking branch 'userns/for-next'
X-Git-Tag: next-20120926~4
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=d4ea11d13a6d167baa35aec3ab527dba46b965b7;p=karo-tx-linux.git
Merge remote-tracking branch 'userns/for-next'
Conflicts:
fs/ubifs/debug.c
init/Kconfig
kernel/audit.c
kernel/auditsc.c
security/integrity/ima/ima_policy.c
---
d4ea11d13a6d167baa35aec3ab527dba46b965b7
diff --cc fs/jfs/jfs_incore.h
index 4fa958ae1986,680605d7bf15..cf47f09e8ac8
--- a/fs/jfs/jfs_incore.h
+++ b/fs/jfs/jfs_incore.h
@@@ -192,10 -192,9 +192,10 @@@ struct jfs_sb_info
uint state; /* mount/recovery state */
unsigned long flag; /* mount time flags */
uint p_state; /* state prior to going no integrity */
- uint uid; /* uid to override on-disk uid */
- uint gid; /* gid to override on-disk gid */
+ kuid_t uid; /* uid to override on-disk uid */
+ kgid_t gid; /* gid to override on-disk gid */
uint umask; /* umask to override on-disk umask */
+ uint minblks_trim; /* minimum blocks, for online trim */
};
/* jfs_sb_info commit_state */
diff --cc fs/jfs/super.c
index 6f4ac1c070f0,706692f24033..53b896446e6c
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@@ -322,17 -321,21 +322,23 @@@ static int parse_options(char *options
case Opt_uid:
{
char *uid = args[0].from;
- sbi->uid = simple_strtoul(uid, &uid, 0);
+ uid_t val = simple_strtoul(uid, &uid, 0);
+ sbi->uid = make_kuid(current_user_ns(), val);
+ if (!uid_valid(sbi->uid))
+ goto cleanup;
break;
}
+
case Opt_gid:
{
char *gid = args[0].from;
- sbi->gid = simple_strtoul(gid, &gid, 0);
+ gid_t val = simple_strtoul(gid, &gid, 0);
+ sbi->gid = make_kgid(current_user_ns(), val);
+ if (!gid_valid(sbi->gid))
+ goto cleanup;
break;
}
+
case Opt_umask:
{
char *umask = args[0].from;
diff --cc fs/ubifs/debug.c
index 2714e02093a4,340d1afc1302..62911637e12f
--- a/fs/ubifs/debug.c
+++ b/fs/ubifs/debug.c
@@@ -238,38 -238,38 +238,38 @@@ void ubifs_dump_inode(struct
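Review bot: In the `Opt_uid` and `Opt_gid` cases the `simple_strtoul()` result is assigned straight to a `uid_t`/`gid_t`, so a value wider than the type is silently truncated before `make_kuid()`/`make_kgid()` sees it, and the end pointer written back through `&uid`/`&gid` is never examined, so trailing non-numeric text is accepted. `uid_valid()`/`gid_valid()` only reject ids that have no mapping in the mounter's user namespace, so neither case is caught. The `Opt_fowner` hunk in security/integrity/ima/ima_policy.c of this same merge parses into an `unsigned long` and rejects `(uid_t)lnum != lnum`; the same shape fits here: `unsigned long val = simple_strtoul(uid, &uid, 0);` followed by `if (*uid != '\0' || (uid_t)val != val) goto cleanup;` (this assumes the option token is NUL-terminated at the end of the value, which the hunk does not show). `parse_options()` starts before and continues past the hunk.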
ubifs_inf
struct ubifs_dent_node *dent, *pdent = NULL;
int count = 2;
- printk(KERN_ERR "Dump in-memory inode:");
- printk(KERN_ERR "\tinode %lu\n", inode->i_ino);
- printk(KERN_ERR "\tsize %llu\n",
+ pr_err("Dump in-memory inode:");
+ pr_err("\tinode %lu\n", inode->i_ino);
+ pr_err("\tsize %llu\n",
(unsigned long long)i_size_read(inode));
- printk(KERN_ERR "\tnlink %u\n", inode->i_nlink);
- printk(KERN_ERR "\tuid %u\n", (unsigned int)i_uid_read(inode));
- printk(KERN_ERR "\tgid %u\n", (unsigned int)i_gid_read(inode));
- printk(KERN_ERR "\tatime %u.%u\n",
+ pr_err("\tnlink %u\n", inode->i_nlink);
- pr_err("\tuid %u\n", (unsigned int)inode->i_uid);
- pr_err("\tgid %u\n", (unsigned int)inode->i_gid);
++ pr_err("\tuid %u\n", (unsigned int)i_uid_read(inode));
++ pr_err("\tgid %u\n", (unsigned int)i_gid_read(inode));
+ pr_err("\tatime %u.%u\n",
(unsigned int)inode->i_atime.tv_sec,
(unsigned int)inode->i_atime.tv_nsec);
- printk(KERN_ERR "\tmtime %u.%u\n",
+ pr_err("\tmtime %u.%u\n",
(unsigned int)inode->i_mtime.tv_sec,
(unsigned int)inode->i_mtime.tv_nsec);
- printk(KERN_ERR "\tctime %u.%u\n",
+ pr_err("\tctime %u.%u\n",
(unsigned int)inode->i_ctime.tv_sec,
(unsigned int)inode->i_ctime.tv_nsec);
- printk(KERN_ERR "\tcreat_sqnum %llu\n", ui->creat_sqnum);
- printk(KERN_ERR "\txattr_size %u\n", ui->xattr_size);
- printk(KERN_ERR "\txattr_cnt %u\n", ui->xattr_cnt);
- printk(KERN_ERR "\txattr_names %u\n", ui->xattr_names);
- printk(KERN_ERR "\tdirty %u\n", ui->dirty);
- printk(KERN_ERR "\txattr %u\n", ui->xattr);
- printk(KERN_ERR "\tbulk_read %u\n", ui->xattr);
- printk(KERN_ERR "\tsynced_i_size %llu\n",
+ pr_err("\tcreat_sqnum %llu\n", ui->creat_sqnum);
+ pr_err("\txattr_size %u\n", ui->xattr_size);
+ pr_err("\txattr_cnt %u\n", ui->xattr_cnt);
+ pr_err("\txattr_names %u\n", ui->xattr_names);
+ pr_err("\tdirty %u\n", ui->dirty);
+ pr_err("\txattr %u\n", ui->xattr);
+ pr_err("\tbulk_read %u\n", ui->xattr);
+ pr_err("\tsynced_i_size %llu\n",
(unsigned long
long)ui->synced_i_size);
- printk(KERN_ERR "\tui_size %llu\n",
+ pr_err("\tui_size %llu\n",
(unsigned long long)ui->ui_size);
- printk(KERN_ERR "\tflags %d\n", ui->flags);
- printk(KERN_ERR "\tcompr_type %d\n", ui->compr_type);
- printk(KERN_ERR "\tlast_page_read %lu\n", ui->last_page_read);
- printk(KERN_ERR "\tread_in_a_row %lu\n", ui->read_in_a_row);
- printk(KERN_ERR "\tdata_len %d\n", ui->data_len);
+ pr_err("\tflags %d\n", ui->flags);
+ pr_err("\tcompr_type %d\n", ui->compr_type);
+ pr_err("\tlast_page_read %lu\n", ui->last_page_read);
+ pr_err("\tread_in_a_row %lu\n", ui->read_in_a_row);
+ pr_err("\tdata_len %d\n", ui->data_len);
if (!S_ISDIR(inode->i_mode))
return;
diff --cc include/linux/audit.h
index 77de570e9b1b,12367cbadfe1..a7a7db90a5a3
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@@ -639,10 -639,9 +641,10 @@@ extern int audit_signals
#define audit_core_dumps(i) do { ; } while (0)
#define audit_seccomp(i,s,c) do { ; } while (0)
#define auditsc_get_stamp(c,t,s) (0)
- #define audit_get_loginuid(t) (-1)
+ #define audit_get_loginuid(t) (INVALID_UID)
#define audit_get_sessionid(t) (-1)
#define audit_log_task_context(b) do { ; } while (0)
+#define audit_log_task_info(b, t) do { ; } while (0)
#define audit_ipc_obj(i) ((void)0)
#define audit_ipc_set_perm(q,u,g,m) ((void)0)
#define audit_bprm(p) ({ 0; })
diff --cc kernel/audit.c
index e0cf64a0ae2d,511488a7bc71..4d0ceede3319
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@@ -763,7 -750,7 +750,7 @@@ static int audit_receive_msg(struct sk_
size--;
audit_log_n_untrustedstring(ab, data, size);
}
- audit_set_pid(ab, pid);
- audit_set_pid(ab, NETLINK_CB(skb).pid);
++ audit_set_pid(ab, NETLINK_CB(skb).portid);
audit_log_end(ab);
}
break;
@@@ -782,8 -769,8 +769,8 @@@
}
/* fallthrough */
case AUDIT_LIST:
- err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
+ err = audit_receive_filter(msg_type, NETLINK_CB(skb).portid,
- uid, seq, data, nlmsg_len(nlh),
+ seq, data, nlmsg_len(nlh),
loginuid, sessionid, sid);
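Review bot: The converted line `pr_err("\tbulk_read %u\n", ui->xattr);` in the fs/ubifs/debug.c hunk still prints `ui->xattr` under the `bulk_read` label, so the dump repeats the xattr flag instead of showing the bulk-read state; the printk-to-pr_err conversion carried the slip over unchanged. Presumably the intended argument is `ui->bulk_read`, but the field is declared outside this hunk, so confirm against the structure definition. Separately, `pr_err("Dump in-memory inode:");` has no trailing `\n`, unlike every other line of the dump. `ubifs_dump_inode()` starts before and continues after the hunk.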
break;
case AUDIT_ADD_RULE:
@@@ -801,8 -788,8 +788,8 @@@
}
/* fallthrough */
case AUDIT_LIST_RULES:
- err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
+ err = audit_receive_filter(msg_type, NETLINK_CB(skb).portid,
- uid, seq, data, nlmsg_len(nlh),
+ seq, data, nlmsg_len(nlh),
loginuid, sessionid, sid);
break;
case AUDIT_TRIM:
@@@ -878,21 -865,14 +865,14 @@@
break;
case AUDIT_TTY_GET: {
struct audit_tty_status s;
- struct task_struct *tsk;
- unsigned long flags;
-
- rcu_read_lock();
- tsk = find_task_by_vpid(pid);
- if (tsk && lock_task_sighand(tsk, &flags)) {
- s.enabled = tsk->signal->audit_tty != 0;
- unlock_task_sighand(tsk, &flags);
- } else
- err = -ESRCH;
- rcu_read_unlock();
-
- if (!err)
- audit_send_reply(NETLINK_CB(skb).portid, seq,
- AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
+ struct task_struct *tsk = current;
+
+ spin_lock_irq(&tsk->sighand->siglock);
+ s.enabled = tsk->signal->audit_tty != 0;
+ spin_unlock_irq(&tsk->sighand->siglock);
+
- audit_send_reply(NETLINK_CB(skb).pid, seq,
++ audit_send_reply(NETLINK_CB(skb).portid, seq,
+ AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
break;
}
case AUDIT_TTY_SET: {
diff --cc kernel/auditsc.c
index 37f52f27828d,ff4798fcb488..29e090cc0e46
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@@ -1160,32 -1151,8 +1152,38 @@@ void audit_log_task_info(struct audit_b
char name[sizeof(tsk->comm)];
struct mm_struct *mm = tsk->mm;
struct vm_area_struct *vma;
+ char *tty;
+
+ if (!ab)
+ return;
/* tsk == current */
+ cred = current_cred();
+
+ spin_lock_irq(&tsk->sighand->siglock);
+ if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
+ tty = tsk->signal->tty->name;
+ else
+ tty = "(none)";
+ spin_unlock_irq(&tsk->sighand->siglock);
+
+
+ audit_log_format(ab,
+ " ppid=%ld pid=%d auid=%u uid=%u gid=%u"
+ " euid=%u suid=%u fsuid=%u"
+ " egid=%u sgid=%u fsgid=%u ses=%u tty=%s",
+ sys_getppid(),
+ tsk->pid,
- tsk->loginuid, cred->uid, cred->gid,
- cred->euid, cred->suid, cred->fsuid,
- cred->egid, cred->sgid, cred->fsgid,
++
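Review bot: In the `AUDIT_TTY_GET` case, `struct audit_tty_status s` has no initialiser, only `s.enabled` is assigned, and `audit_send_reply()` is then handed `&s, sizeof(s)`. The structure is declared outside this hunk; if it has, or later gains, another member or padding, those bytes reach user space as uninitialised kernel stack, so I would add `memset(&s, 0, sizeof(s));` before taking `siglock`. The new code also reads the flag from `current` instead of looking the task up, which is equivalent only if this handler always runs in the requesting task's context; a one-line comment stating that assumption would help the next reader. The enclosing switch in `audit_receive_msg()` starts and ends outside the hunk.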
from_kuid(&init_user_ns, tsk->loginuid),
++ from_kuid(&init_user_ns, cred->uid),
++ from_kgid(&init_user_ns, cred->gid),
++ from_kuid(&init_user_ns, cred->euid),
++ from_kuid(&init_user_ns, cred->suid),
++ from_kuid(&init_user_ns, cred->fsuid),
++ from_kgid(&init_user_ns, cred->egid),
++ from_kgid(&init_user_ns, cred->sgid),
++ from_kgid(&init_user_ns, cred->fsgid),
+ tsk->sessionid, tty);
get_task_comm(name, tsk);
audit_log_format(ab, " comm=");
@@@ -1208,10 -1175,8 +1206,10 @@@
audit_log_task_context(ab);
}
+EXPORT_SYMBOL(audit_log_task_info);
+
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
- uid_t auid, uid_t uid, unsigned int sessionid,
+ kuid_t auid, kuid_t uid, unsigned int sessionid,
u32 sid, char *comm)
{
struct audit_buffer *ab;
diff --cc net/xfrm/xfrm_user.c
index 94a2a1f726f9,9ea55db737b4..421f98444335
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@@ -1648,10 -1621,10 +1648,10 @@@ static int xfrm_get_policy(struct sk_bu
err = PTR_ERR(resp_skb);
} else {
err = nlmsg_unicast(net->xfrm.nlsk, resp_skb,
- NETLINK_CB(skb).pid);
+ NETLINK_CB(skb).portid);
}
} else {
- uid_t loginuid = audit_get_loginuid(current);
+ kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
u32 sid;
@@@ -1985,10 -1958,10 +1985,10 @@@ static int xfrm_add_sa_expire(struct sk
err = -EINVAL;
if (x->km.state != XFRM_STATE_VALID)
goto out;
- km_state_expired(x, ue->hard, current->pid);
+ km_state_expired(x, ue->hard, nlh->nlmsg_pid);
if (ue->hard) {
- uid_t loginuid = audit_get_loginuid(current);
+ kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
u32 sid;
diff --cc security/integrity/ima/ima_policy.c
index cda903131dbf,c84df05180cb..346fe8fe07f5
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@@ -45,8 -39,7 +45,8 @@@ struct ima_rule_entry
enum ima_hooks func;
int mask;
unsigned long fsmagic;
- uid_t uid;
- uid_t fowner;
+ kuid_t uid;
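Review bot: In the first kernel/auditsc.c hunk, `tty` is pointed at `tsk->signal->tty->name` while `siglock` is held, but it is only consumed by `audit_log_format(..., tty)` after `spin_unlock_irq()`; nothing visible in the hunk keeps the tty alive across that gap, so the string may be gone by the time it is formatted. I would either copy the name into a local array while the lock is held (sized the way `name` is sized from `tsk->comm` a few lines up) or hold a tty reference until the record has been written. The checks are also inconsistent: `tsk->sighand` is dereferenced unconditionally to take the lock, while `tsk->signal` is NULL-tested only afterwards. `audit_log_task_info()` begins before the hunk and continues after it.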
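Review bot: `EXPORT_SYMBOL(audit_log_task_info);` makes the function callable from modules with an arbitrary `tsk`, yet the body shown in the previous hunk takes credentials from `current_cred()` and the parent pid from `sys_getppid()` while reading `pid`, `loginuid` and `sessionid` from `tsk`. The only statement of that contract is the inline `/* tsk == current */`, so a caller passing another task would produce an audit record that mixes two identities. I would add a kernel-doc comment above the definition stating that `tsk` must be `current`, and consider `WARN_ON_ONCE(tsk != current);` at the top of the body. The definition itself starts outside this hunk.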
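Review bot: In `xfrm_add_sa_expire()`, `km_state_expired(x, ue->hard, nlh->nlmsg_pid);` passes the `nlmsg_pid` field of the request header, which is filled in by the sender, whereas the other call sites touched in this merge use the kernel-assigned `NETLINK_CB(skb).portid`. The callee is not visible here; if the value is used to attribute or address the expire notification, it should not come from a field the requester controls. `NETLINK_CB(skb).portid` would be the consistent choice, or a comment should say why the header field is wanted. The function begins and ends outside the hunk.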
++ kuid_t fowner;
struct {
void *rule; /* LSM file metadata specific */
int type; /* audit type */
@@@ -82,28 -75,14 +82,28 @@@ static struct ima_rule_entry default_ru
.flags = IMA_FUNC | IMA_MASK | IMA_UID},
};
-static LIST_HEAD(measure_default_rules);
-static LIST_HEAD(measure_policy_rules);
-static struct list_head *ima_measure;
+static struct ima_rule_entry default_appraise_rules[] = {
+ {.action = DONT_APPRAISE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE,.fsmagic = CGROUP_SUPER_MAGIC,.flags = IMA_FSMAGIC},
- {.action = APPRAISE,.fowner = 0,.flags = IMA_FOWNER},
++ {.action = APPRAISE,.fowner = GLOBAL_ROOT_UID,.flags = IMA_FOWNER},
+};
+
+static LIST_HEAD(ima_default_rules);
+static LIST_HEAD(ima_policy_rules);
+static struct list_head *ima_rules;
-static DEFINE_MUTEX(ima_measure_mutex);
+static DEFINE_MUTEX(ima_rules_mutex);
static bool ima_use_tcb __initdata;
-static int __init default_policy_setup(char *str)
+static int __init default_measure_policy_setup(char *str)
{
ima_use_tcb = 1;
return 1;
@@@ -141,10 -112,8 +141,10 @@@ static bool ima_match_rules(struct ima_
if ((rule->flags & IMA_FSMAGIC) && rule->fsmagic != inode->i_sb->s_magic)
return false;
- if ((rule->flags & IMA_UID) && rule->uid != cred->uid)
+ if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
return false;
- if ((rule->flags & IMA_FOWNER) && rule->fowner !=
inode->i_uid)
++ if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
+ return false;
for (i = 0; i < MAX_LSM_RULES; i++) {
int rc = 0;
u32 osid, sid;
@@@ -336,8 -277,7 +336,8 @@@ static int ima_parse_rule(char *rule, s
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
- entry->uid = -1;
- entry->fowner = -1;
+ entry->uid = INVALID_UID;
++ entry->fowner = INVALID_UID;
entry->action = UNKNOWN;
while ((p = strsep(&rule, " \t")) != NULL) {
substring_t args[MAX_OPT_ARGS];
@@@ -459,23 -375,6 +459,23 @@@
entry->flags |= IMA_UID;
}
break;
+ case Opt_fowner:
+ ima_log_string(ab, "fowner", args[0].from);
+
- if (entry->fowner != -1) {
++ if (uid_valid(entry->fowner)) {
+ result = -EINVAL;
+ break;
+ }
+
+ result = strict_strtoul(args[0].from, 10, &lnum);
+ if (!result) {
- entry->fowner = (uid_t) lnum;
- if (entry->fowner != lnum)
++ entry->fowner = make_kuid(current_user_ns(), (uid_t) lnum);
++ if (!uid_valid(entry->fowner) || ((uid_t)lnum != lnum))
+ result = -EINVAL;
+ else
+ entry->flags |= IMA_FOWNER;
+ }
+ break;
case Opt_obj_user:
ima_log_string(ab, "obj_user", args[0].from);
result = ima_lsm_rule_init(entry, args[0].from,