Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"Highlights:
- Integrity: add local fs integrity verification to detect offline
attacks
- Integrity: add digital signature verification
- Simple stacking of Yama with other LSMs (per LSS discussions)
- IBM vTPM support on ppc64
- Add new driver for Infineon I2C TIS TPM
- Smack: add rule revocation for subject labels"
Fixed conflicts with the user namespace support in kernel/auditsc.c and
security/integrity/ima/ima_policy.c.
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits)
Documentation: Update git repository URL for Smack userland tools
ima: change flags container data type
Smack: setprocattr memory leak fix
Smack: implement revoking all rules for a subject label
Smack: remove task_wait() hook.
ima: audit log hashes
ima: generic IMA action flag handling
ima: rename ima_must_appraise_or_measure
audit: export audit_log_task_info
tpm: fix tpm_acpi sparse warning on different address spaces
samples/seccomp: fix 31 bit build on s390
ima: digital signature verification support
ima: add support for different security.ima data types
ima: add ima_inode_setxattr/removexattr function and calls
ima: add inode_post_setattr call
ima: replace iint spinblock with rwlock/read_lock
ima: allocating iint improvements
ima: add appraise action keywords and default rules
ima: integrity appraisal extension
vfs: move ima_file_free before releasing the file
...
This commit is contained in:
Linus Torvalds
@@ -1146,13 +1146,44 @@ error_path:
|
||||
|
||||
EXPORT_SYMBOL(audit_log_task_context);
|
||||
|
||||
static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
|
||||
void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
|
||||
{
|
||||
const struct cred *cred;
|
||||
char name[sizeof(tsk->comm)];
|
||||
struct mm_struct *mm = tsk->mm;
|
||||
struct vm_area_struct *vma;
|
||||
char *tty;
|
||||
|
||||
if (!ab)
|
||||
return;
|
||||
|
||||
/* tsk == current */
|
||||
cred = current_cred();
|
||||
|
||||
spin_lock_irq(&tsk->sighand->siglock);
|
||||
if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
|
||||
tty = tsk->signal->tty->name;
|
||||
else
|
||||
tty = "(none)";
|
||||
spin_unlock_irq(&tsk->sighand->siglock);
|
||||
|
||||
|
||||
audit_log_format(ab,
|
||||
" ppid=%ld pid=%d auid=%u uid=%u gid=%u"
|
||||
" euid=%u suid=%u fsuid=%u"
|
||||
" egid=%u sgid=%u fsgid=%u ses=%u tty=%s",
|
||||
sys_getppid(),
|
||||
tsk->pid,
|
||||
from_kuid(&init_user_ns, tsk->loginuid),
|
||||
from_kuid(&init_user_ns, cred->uid),
|
||||
from_kgid(&init_user_ns, cred->gid),
|
||||
from_kuid(&init_user_ns, cred->euid),
|
||||
from_kuid(&init_user_ns, cred->suid),
|
||||
from_kuid(&init_user_ns, cred->fsuid),
|
||||
from_kgid(&init_user_ns, cred->egid),
|
||||
from_kgid(&init_user_ns, cred->sgid),
|
||||
from_kgid(&init_user_ns, cred->fsgid),
|
||||
tsk->sessionid, tty);
|
||||
|
||||
get_task_comm(name, tsk);
|
||||
audit_log_format(ab, " comm=");
|
||||
@@ -1175,6 +1206,8 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
|
||||
audit_log_task_context(ab);
|
||||
}
|
||||
|
||||
EXPORT_SYMBOL(audit_log_task_info);
|
||||
|
||||
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
|
||||
kuid_t auid, kuid_t uid, unsigned int sessionid,
|
||||
u32 sid, char *comm)
|
||||
@@ -1580,26 +1613,12 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
|
||||
|
||||
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
|
||||
{
|
||||
const struct cred *cred;
|
||||
int i, call_panic = 0;
|
||||
struct audit_buffer *ab;
|
||||
struct audit_aux_data *aux;
|
||||
const char *tty;
|
||||
struct audit_names *n;
|
||||
|
||||
/* tsk == current */
|
||||
context->pid = tsk->pid;
|
||||
if (!context->ppid)
|
||||
context->ppid = sys_getppid();
|
||||
cred = current_cred();
|
||||
context->uid = cred->uid;
|
||||
context->gid = cred->gid;
|
||||
context->euid = cred->euid;
|
||||
context->suid = cred->suid;
|
||||
context->fsuid = cred->fsuid;
|
||||
context->egid = cred->egid;
|
||||
context->sgid = cred->sgid;
|
||||
context->fsgid = cred->fsgid;
|
||||
context->personality = tsk->personality;
|
||||
|
||||
ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
|
||||
@@ -1614,37 +1633,13 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
|
||||
(context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
|
||||
context->return_code);
|
||||
|
||||
spin_lock_irq(&tsk->sighand->siglock);
|
||||
if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
|
||||
tty = tsk->signal->tty->name;
|
||||
else
|
||||
tty = "(none)";
|
||||
spin_unlock_irq(&tsk->sighand->siglock);
|
||||
|
||||
audit_log_format(ab,
|
||||
" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
|
||||
" ppid=%d pid=%d auid=%u uid=%u gid=%u"
|
||||
" euid=%u suid=%u fsuid=%u"
|
||||
" egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
|
||||
context->argv[0],
|
||||
context->argv[1],
|
||||
context->argv[2],
|
||||
context->argv[3],
|
||||
context->name_count,
|
||||
context->ppid,
|
||||
context->pid,
|
||||
from_kuid(&init_user_ns, tsk->loginuid),
|
||||
from_kuid(&init_user_ns, context->uid),
|
||||
from_kgid(&init_user_ns, context->gid),
|
||||
from_kuid(&init_user_ns, context->euid),
|
||||
from_kuid(&init_user_ns, context->suid),
|
||||
from_kuid(&init_user_ns, context->fsuid),
|
||||
from_kgid(&init_user_ns, context->egid),
|
||||
from_kgid(&init_user_ns, context->sgid),
|
||||
from_kgid(&init_user_ns, context->fsgid),
|
||||
tty,
|
||||
tsk->sessionid);
|
||||
|
||||
" a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
|
||||
context->argv[0],
|
||||
context->argv[1],
|
||||
context->argv[2],
|
||||
context->argv[3],
|
||||
context->name_count);
|
||||
|
||||
audit_log_task_info(ab, tsk);
|
||||
audit_log_key(ab, context->filterkey);
|
||||
|
||||
Reference in New Issue
Block a user