tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
"In this patchset, there are a couple of minor updates, as well as some
reworking of the LSM initialization code from Kees Cook (these prepare
the way for ordered stackable LSMs, but are a valuable cleanup on
their own)"

* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
LSM: Don't ignore initialization failures
LSM: Provide init debugging infrastructure
LSM: Record LSM name in struct lsm_info
LSM: Convert security_initcall() into DEFINE_LSM()
vmlinux.lds.h: Move LSM_TABLE into INIT_DATA
LSM: Convert from initcall to struct lsm_info
LSM: Remove initcall tracing
LSM: Rename .security_initcall section to .lsm_info
vmlinux.lds.h: Avoid copy/paste of security_init section
LSM: Correctly announce start of LSM initialization
security: fix LSM description location
keys: Fix the use of the C++ keyword "private" in uapi/linux/keyctl.h
seccomp: remove unnecessary unlikely()
security: tomoyo: Fix obsolete function
security/capabilities: remove check for -EINVAL

Linus Torvalds 638820d8 d5e4d81d

+85 -58
+2
Documentation/admin-guide/kernel-parameters.txt
··· 2284 2284 ltpc= [NET] 2285 2285 Format: <io>,<irq>,<dma> 2286 2286 2287 + lsm.debug [SECURITY] Enable LSM initialization debugging output. 2288 + 2287 2289 machvec= [IA-64] Force the use of a particular machine-vector 2288 2290 (machvec) in a generic kernel. 2289 2291 Example: machvec=hpzx1_swiotlb
+1 -1
Documentation/security/LSM.rst
··· 5 5 Based on https://lkml.org/lkml/2007/10/26/215, 6 6 a new LSM is accepted into the kernel when its intent (a description of 7 7 what it tries to protect against and in what cases one would expect to 8 - use it) has been appropriately documented in ``Documentation/security/LSM.rst``. 8 + use it) has been appropriately documented in ``Documentation/admin-guide/LSM/``. 9 9 This allows an LSM's code to be easily compared to its goals, and so 10 10 that end users and distros can make a more informed decision about which 11 11 LSMs suit their requirements.
-1
arch/arc/kernel/vmlinux.lds.S
··· 71 71 INIT_SETUP(L1_CACHE_BYTES) 72 72 INIT_CALLS 73 73 CON_INITCALL 74 - SECURITY_INITCALL 75 74 } 76 75 77 76 .init.arch.info : {
-1
arch/arm/kernel/vmlinux-xip.lds.S
··· 96 96 INIT_SETUP(16) 97 97 INIT_CALLS 98 98 CON_INITCALL 99 - SECURITY_INITCALL 100 99 INIT_RAM_FS 101 100 } 102 101
-1
arch/arm64/kernel/vmlinux.lds.S
··· 183 183 INIT_SETUP(16) 184 184 INIT_CALLS 185 185 CON_INITCALL 186 - SECURITY_INITCALL 187 186 INIT_RAM_FS 188 187 *(.init.rodata.* .init.bss) /* from the EFI stub */ 189 188 }
-1
arch/h8300/kernel/vmlinux.lds.S
··· 56 56 __init_begin = .; 57 57 INIT_TEXT_SECTION(4) 58 58 INIT_DATA_SECTION(4) 59 - SECURITY_INIT 60 59 __init_end = .; 61 60 _edata = . ; 62 61 _begin_data = LOADADDR(.data);
-2
arch/microblaze/kernel/vmlinux.lds.S
··· 117 117 CON_INITCALL 118 118 } 119 119 120 - SECURITY_INIT 121 - 122 120 __init_end_before_initramfs = .; 123 121 124 122 .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
-2
arch/powerpc/kernel/vmlinux.lds.S
··· 212 212 CON_INITCALL 213 213 } 214 214 215 - SECURITY_INIT 216 - 217 215 . = ALIGN(8); 218 216 __ftr_fixup : AT(ADDR(__ftr_fixup) - LOAD_OFFSET) { 219 217 __start___ftr_fixup = .;
-2
arch/um/include/asm/common.lds.S
··· 53 53 CON_INITCALL 54 54 } 55 55 56 - SECURITY_INIT 57 - 58 56 .exitcall : { 59 57 __exitcall_begin = .; 60 58 *(.exitcall.exit)
-1
arch/xtensa/kernel/vmlinux.lds.S
··· 197 197 INIT_SETUP(XCHAL_ICACHE_LINESIZE) 198 198 INIT_CALLS 199 199 CON_INITCALL 200 - SECURITY_INITCALL 201 200 INIT_RAM_FS 202 201 } 203 202
+11 -14
include/asm-generic/vmlinux.lds.h
··· 203 203 #define EARLYCON_TABLE() 204 204 #endif 205 205 206 + #ifdef CONFIG_SECURITY 207 + #define LSM_TABLE() . = ALIGN(8); \ 208 + __start_lsm_info = .; \ 209 + KEEP(*(.lsm_info.init)) \ 210 + __end_lsm_info = .; 211 + #else 212 + #define LSM_TABLE() 213 + #endif 214 + 206 215 #define ___OF_TABLE(cfg, name) _OF_TABLE_##cfg(name) 207 216 #define __OF_TABLE(cfg, name) ___OF_TABLE(cfg, name) 208 217 #define OF_TABLE(cfg, name) __OF_TABLE(IS_ENABLED(cfg), name) ··· 485 476 #define RODATA RO_DATA_SECTION(4096) 486 477 #define RO_DATA(align) RO_DATA_SECTION(align) 487 478 488 - #define SECURITY_INIT \ 489 - .security_initcall.init : AT(ADDR(.security_initcall.init) - LOAD_OFFSET) { \ 490 - __security_initcall_start = .; \ 491 - KEEP(*(.security_initcall.init)) \ 492 - __security_initcall_end = .; \ 493 - } 494 - 495 479 /* 496 480 * .text section. Map to function alignment to avoid address changes 497 481 * during second ld run in second ld pass when generating System.map ··· 609 607 IRQCHIP_OF_MATCH_TABLE() \ 610 608 ACPI_PROBE_TABLE(irqchip) \ 611 609 ACPI_PROBE_TABLE(timer) \ 612 - EARLYCON_TABLE() 610 + EARLYCON_TABLE() \ 611 + LSM_TABLE() 613 612 614 613 #define INIT_TEXT \ 615 614 *(.init.text .init.text.*) \ ··· 799 796 KEEP(*(.con_initcall.init)) \ 800 797 __con_initcall_end = .; 801 798 802 - #define SECURITY_INITCALL \ 803 - __security_initcall_start = .; \ 804 - KEEP(*(.security_initcall.init)) \ 805 - __security_initcall_end = .; 806 - 807 799 #ifdef CONFIG_BLK_DEV_INITRD 808 800 #define INIT_RAM_FS \ 809 801 . = ALIGN(4); \ ··· 965 967 INIT_SETUP(initsetup_align) \ 966 968 INIT_CALLS \ 967 969 CON_INITCALL \ 968 - SECURITY_INITCALL \ 969 970 INIT_RAM_FS \ 970 971 } 971 972
-2
include/linux/init.h
··· 133 133 #endif 134 134 135 135 extern initcall_entry_t __con_initcall_start[], __con_initcall_end[]; 136 - extern initcall_entry_t __security_initcall_start[], __security_initcall_end[]; 137 136 138 137 /* Used for contructor calls. */ 139 138 typedef void (*ctor_fn_t)(void); ··· 235 236 static exitcall_t __exitcall_##fn __exit_call = fn 236 237 237 238 #define console_initcall(fn) ___define_initcall(fn,, .con_initcall) 238 - #define security_initcall(fn) ___define_initcall(fn,, .security_initcall) 239 239 240 240 struct obs_kernel_param { 241 241 const char *str;
+12
include/linux/lsm_hooks.h
··· 2039 2039 extern void security_add_hooks(struct security_hook_list *hooks, int count, 2040 2040 char *lsm); 2041 2041 2042 + struct lsm_info { 2043 + const char *name; /* Required. */ 2044 + int (*init)(void); /* Required. */ 2045 + }; 2046 + 2047 + extern struct lsm_info __start_lsm_info[], __end_lsm_info[]; 2048 + 2049 + #define DEFINE_LSM(lsm) \ 2050 + static struct lsm_info __lsm_##lsm \ 2051 + __used __section(.lsm_info.init) \ 2052 + __aligned(sizeof(unsigned long)) 2053 + 2042 2054 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 2043 2055 /* 2044 2056 * Assuring the safety of deleting a security module is up to
-1
include/linux/module.h
··· 124 124 #define late_initcall_sync(fn) module_init(fn) 125 125 126 126 #define console_initcall(fn) module_init(fn) 127 - #define security_initcall(fn) module_init(fn) 128 127 129 128 /* Each module must use one module_init(). */ 130 129 #define module_init(initfn) \
+6 -1
include/uapi/linux/keyctl.h
··· 65 65 66 66 /* keyctl structures */ 67 67 struct keyctl_dh_params { 68 - __s32 private; 68 + union { 69 + #ifndef __cplusplus 70 + __s32 private; 71 + #endif 72 + __s32 priv; 73 + }; 69 74 __s32 prime; 70 75 __s32 base; 71 76 };
+2 -2
kernel/seccomp.c
··· 195 195 READ_ONCE(current->seccomp.filter); 196 196 197 197 /* Ensure unexpected behavior doesn't result in failing open. */ 198 - if (unlikely(WARN_ON(f == NULL))) 198 + if (WARN_ON(f == NULL)) 199 199 return SECCOMP_RET_KILL_PROCESS; 200 200 201 201 if (!sd) { ··· 297 297 /* Return the first thread that cannot be synchronized. */ 298 298 failed = task_pid_vnr(thread); 299 299 /* If the pid cannot be resolved, then return -ESRCH */ 300 - if (unlikely(WARN_ON(failed == 0))) 300 + if (WARN_ON(failed == 0)) 301 301 failed = -ESRCH; 302 302 return failed; 303 303 }
+4 -1
security/apparmor/lsm.c
··· 1606 1606 return error; 1607 1607 } 1608 1608 1609 - security_initcall(apparmor_init); 1609 + DEFINE_LSM(apparmor) = { 1610 + .name = "apparmor", 1611 + .init = apparmor_init, 1612 + };
-3
security/commoncap.c
··· 684 684 } 685 685 686 686 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_fcap); 687 - if (rc == -EINVAL) 688 - printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", 689 - __func__, rc, bprm->filename); 690 687 691 688 out: 692 689 if (rc)
+5 -1
security/integrity/iint.c
··· 22 22 #include <linux/file.h> 23 23 #include <linux/uaccess.h> 24 24 #include <linux/security.h> 25 + #include <linux/lsm_hooks.h> 25 26 #include "integrity.h" 26 27 27 28 static struct rb_root integrity_iint_tree = RB_ROOT; ··· 175 174 0, SLAB_PANIC, init_once); 176 175 return 0; 177 176 } 178 - security_initcall(integrity_iintcache_init); 177 + DEFINE_LSM(integrity) = { 178 + .name = "integrity", 179 + .init = integrity_iintcache_init, 180 + }; 179 181 180 182 181 183 /*
+28 -17
security/security.c
··· 12 12 * (at your option) any later version. 13 13 */ 14 14 15 + #define pr_fmt(fmt) "LSM: " fmt 16 + 15 17 #include <linux/bpf.h> 16 18 #include <linux/capability.h> 17 19 #include <linux/dcache.h> ··· 32 30 #include <linux/string.h> 33 31 #include <net/flow.h> 34 32 35 - #include <trace/events/initcall.h> 36 - 37 33 #define MAX_LSM_EVM_XATTR 2 38 34 39 35 /* Maximum number of letters for an LSM name string */ ··· 45 45 static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = 46 46 CONFIG_DEFAULT_SECURITY; 47 47 48 - static void __init do_security_initcalls(void) 49 - { 50 - int ret; 51 - initcall_t call; 52 - initcall_entry_t *ce; 48 + static __initdata bool debug; 49 + #define init_debug(...) \ 50 + do { \ 51 + if (debug) \ 52 + pr_info(__VA_ARGS__); \ 53 + } while (0) 53 54 54 - ce = __security_initcall_start; 55 - trace_initcall_level("security"); 56 - while (ce < __security_initcall_end) { 57 - call = initcall_from_entry(ce); 58 - trace_initcall_start(call); 59 - ret = call(); 60 - trace_initcall_finish(call, ret); 61 - ce++; 55 + static void __init major_lsm_init(void) 56 + { 57 + struct lsm_info *lsm; 58 + int ret; 59 + 60 + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { 61 + init_debug("initializing %s\n", lsm->name); 62 + ret = lsm->init(); 63 + WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); 62 64 } 63 65 } 64 66 ··· 74 72 int i; 75 73 struct hlist_head *list = (struct hlist_head *) &security_hook_heads; 76 74 75 + pr_info("Security Framework initializing\n"); 76 + 77 77 for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); 78 78 i++) 79 79 INIT_HLIST_HEAD(&list[i]); 80 - pr_info("Security Framework initialized\n"); 81 80 82 81 /* 83 82 * Load minor LSMs, with the capability module always first. ··· 90 87 /* 91 88 * Load all the remaining security modules. 92 89 */ 93 - do_security_initcalls(); 90 + major_lsm_init(); 94 91 95 92 return 0; 96 93 } ··· 102 99 return 1; 103 100 } 104 101 __setup("security=", choose_lsm); 102 + 103 + /* Enable LSM order debugging. */ 104 + static int __init enable_debug(char *str) 105 + { 106 + debug = true; 107 + return 1; 108 + } 109 + __setup("lsm.debug", enable_debug); 105 110 106 111 static bool match_last_lsm(const char *list, const char *lsm) 107 112 {
+4 -1
security/selinux/hooks.c
··· 7207 7207 7208 7208 /* SELinux requires early initialization in order to label 7209 7209 all processes and objects when they are created. */ 7210 - security_initcall(selinux_init); 7210 + DEFINE_LSM(selinux) = { 7211 + .name = "selinux", 7212 + .init = selinux_init, 7213 + }; 7211 7214 7212 7215 #if defined(CONFIG_NETFILTER) 7213 7216
+4 -1
security/smack/smack_lsm.c
··· 4882 4882 * Smack requires early initialization in order to label 4883 4883 * all processes and objects when they are created. 4884 4884 */ 4885 - security_initcall(smack_init); 4885 + DEFINE_LSM(smack) = { 4886 + .name = "smack", 4887 + .init = smack_init, 4888 + };
+2 -1
security/tomoyo/common.c
··· 1660 1660 head->r.eof = true; 1661 1661 if (tomoyo_str_starts(&buf, "global-pid ")) 1662 1662 global_pid = true; 1663 - pid = (unsigned int) simple_strtoul(buf, NULL, 10); 1663 + if (kstrtouint(buf, 10, &pid)) 1664 + return; 1664 1665 rcu_read_lock(); 1665 1666 if (global_pid) 1666 1667 p = find_task_by_pid_ns(pid, &init_pid_ns);
+4 -1
security/tomoyo/tomoyo.c
··· 550 550 return 0; 551 551 } 552 552 553 - security_initcall(tomoyo_init); 553 + DEFINE_LSM(tomoyo) = { 554 + .name = "tomoyo", 555 + .init = tomoyo_init, 556 + };