fix ima patch, and add xhci_hcd suspend resume backport

This commit is contained in:
Kyle McMartin 2010-10-18 13:40:37 -04:00
parent 52c02bb8d1
commit 9ecbc015d1
3 changed files with 1370 additions and 204 deletions


@ -1,137 +1,55 @@
From 6887ac55c66179ecd6191c21cf9c629cb2317ca4 Mon Sep 17 00:00:00 2001 From 785465d9cffd65b5a69dd2f465d2f7c917713220 Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@mcmartin.ca> From: Kyle McMartin <kyle@mcmartin.ca>
Date: Mon, 18 Oct 2010 02:08:35 -0400 Date: Mon, 18 Oct 2010 13:30:39 -0400
Subject: [PATCH] ima: allow it to be completely disabled (and default to off) Subject: [PATCH] ima: provide a toggle to disable it entirely
Allow IMA to be entirely disabled, don't even bother calling into
the provided hooks, and avoid initializing caches.
(A lot of the hooks will test iint_initialized, and so this doubly
disables them, since the iint cache won't be enabled. But hey, we
avoid a pointless branch...)
Signed-off-by: Kyle McMartin <kyle@redhat.com> Signed-off-by: Kyle McMartin <kyle@redhat.com>
--- ---
include/linux/ima.h | 66 +++++++++++++++++++++++++++++++++---- security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_iint.c | 13 +++++-- security/integrity/ima/ima_iint.c | 9 +++++++++
security/integrity/ima/ima_main.c | 34 +++++++++++++------ security/integrity/ima/ima_main.c | 24 +++++++++++++++++++++---
3 files changed, 91 insertions(+), 22 deletions(-) 3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 975837e..2fa456d 100644 index 3fbcd1d..65c3977 100644
--- a/include/linux/ima.h --- a/security/integrity/ima/ima.h
+++ b/include/linux/ima.h +++ b/security/integrity/ima/ima.h
@@ -14,13 +14,65 @@ @@ -37,6 +37,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
struct linux_binprm; /* set during initialization */
extern int iint_initialized;
#ifdef CONFIG_IMA extern int ima_initialized;
-extern int ima_bprm_check(struct linux_binprm *bprm);
-extern int ima_inode_alloc(struct inode *inode);
-extern void ima_inode_free(struct inode *inode);
-extern int ima_file_check(struct file *file, int mask);
-extern void ima_file_free(struct file *file);
-extern int ima_file_mmap(struct file *file, unsigned long prot);
-extern void ima_counts_get(struct file *file);
+
+extern int ima_enabled; +extern int ima_enabled;
+ extern int ima_used_chip;
+extern int __ima_bprm_check(struct linux_binprm *bprm); extern char *ima_hash;
+extern int __ima_inode_alloc(struct inode *inode);
+extern void __ima_inode_free(struct inode *inode);
+extern int __ima_file_check(struct file *file, int mask);
+extern void __ima_file_free(struct file *file);
+extern int __ima_file_mmap(struct file *file, unsigned long prot);
+extern void __ima_counts_get(struct file *file);
+
+static inline int ima_bprm_check(struct linux_binprm *bprm)
+{
+ if (ima_enabled)
+ return __ima_bprm_check(bprm);
+ return 0;
+}
+
+static inline int ima_inode_alloc(struct inode *inode)
+{
+ if (ima_enabled)
+ return __ima_inode_alloc(inode);
+ return 0;
+}
+
+static inline void ima_inode_free(struct inode *inode)
+{
+ if (ima_enabled)
+ __ima_inode_free(inode);
+ return;
+}
+
+static inline int ima_file_check(struct file *file, int mask)
+{
+ if (ima_enabled)
+ return __ima_file_check(file, mask);
+ return 0;
+}
+
+static inline void ima_file_free(struct file *file)
+{
+ if (ima_enabled)
+ __ima_file_free(file);
+ return;
+}
+
+static inline int ima_file_mmap(struct file *file, unsigned long prot)
+{
+ if (ima_enabled)
+ return __ima_file_mmap(file, prot);
+ return 0;
+}
+
+static inline void ima_counts_get(struct file *file)
+{
+ if (ima_enabled)
+ return __ima_counts_get(file);
+ return;
+}
#else
static inline int ima_bprm_check(struct linux_binprm *bprm)
diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c
index afba4ae..767f026 100644 index afba4ae..3d191ef 100644
--- a/security/integrity/ima/ima_iint.c --- a/security/integrity/ima/ima_iint.c
+++ b/security/integrity/ima/ima_iint.c +++ b/security/integrity/ima/ima_iint.c
@@ -46,10 +46,10 @@ out: @@ -54,6 +54,9 @@ int ima_inode_alloc(struct inode *inode)
}
/**
- * ima_inode_alloc - allocate an iint associated with an inode
+ * __ima_inode_alloc - allocate an iint associated with an inode
* @inode: pointer to the inode
*/
-int ima_inode_alloc(struct inode *inode)
+int __ima_inode_alloc(struct inode *inode)
{
struct ima_iint_cache *iint = NULL; struct ima_iint_cache *iint = NULL;
int rc = 0; int rc = 0;
@@ -107,12 +107,12 @@ void iint_rcu_free(struct rcu_head *rcu_head)
}
/** + if (!ima_enabled)
- * ima_inode_free - called on security_inode_free + return 0;
+ * __ima_inode_free - called on security_inode_free +
* @inode: pointer to the inode iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
* if (!iint)
* Free the integrity information(iint) associated with an inode. return -ENOMEM;
*/ @@ -116,6 +119,9 @@ void ima_inode_free(struct inode *inode)
-void ima_inode_free(struct inode *inode)
+void __ima_inode_free(struct inode *inode)
{ {
struct ima_iint_cache *iint; struct ima_iint_cache *iint;
@@ -139,6 +139,11 @@ static void init_once(void *foo) + if (!ima_enabled)
+ return;
+
spin_lock(&ima_iint_lock);
iint = radix_tree_delete(&ima_iint_store, (unsigned long)inode);
spin_unlock(&ima_iint_lock);
@@ -139,6 +145,9 @@ static void init_once(void *foo)
static int __init ima_iintcache_init(void) static int __init ima_iintcache_init(void)
{ {
+ extern int ima_enabled;
+
+ if (!ima_enabled) + if (!ima_enabled)
+ return 0; + return 0;
+ +
@ -139,14 +57,14 @@ index afba4ae..767f026 100644
kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0, kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0,
SLAB_PANIC, init_once); SLAB_PANIC, init_once);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index e662b89..92e084c 100644 index e662b89..6e91905 100644
--- a/security/integrity/ima/ima_main.c --- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c
@@ -26,6 +26,7 @@ @@ -26,6 +26,7 @@
#include "ima.h" #include "ima.h"
int ima_initialized; int ima_initialized;
+int ima_enabled = 0; +int ima_enabled;
char *ima_hash = "sha1"; char *ima_hash = "sha1";
static int __init hash_setup(char *str) static int __init hash_setup(char *str)
@ -165,102 +83,54 @@ index e662b89..92e084c 100644
struct ima_imbalance { struct ima_imbalance {
struct hlist_node node; struct hlist_node node;
unsigned long fsmagic; unsigned long fsmagic;
@@ -130,7 +139,7 @@ static void ima_inc_counts(struct ima_iint_cache *iint, fmode_t mode) @@ -148,7 +157,7 @@ void ima_counts_get(struct file *file)
} struct ima_iint_cache *iint;
int rc;
/* - if (!iint_initialized || !S_ISREG(inode->i_mode))
- * ima_counts_get - increment file counts + if (!ima_enabled || !iint_initialized || !S_ISREG(inode->i_mode))
+ * __ima_counts_get - increment file counts return;
* iint = ima_iint_find_get(inode);
* Maintain read/write counters for all files, but only if (!iint)
* invalidate the PCR for measured files: @@ -215,7 +224,7 @@ void ima_file_free(struct file *file)
@@ -140,7 +149,7 @@ static void ima_inc_counts(struct ima_iint_cache *iint, fmode_t mode)
* could result in a file measurement error.
*
*/
-void ima_counts_get(struct file *file)
+void __ima_counts_get(struct file *file)
{
struct dentry *dentry = file->f_path.dentry;
struct inode *inode = dentry->d_inode;
@@ -204,13 +213,13 @@ static void ima_dec_counts(struct ima_iint_cache *iint, struct inode *inode,
}
/**
- * ima_file_free - called on __fput()
+ * __ima_file_free - called on __fput()
* @file: pointer to file structure being freed
*
* Flag files that changed, based on i_version;
* and decrement the iint readcount/writecount.
*/
-void ima_file_free(struct file *file)
+void __ima_file_free(struct file *file)
{
struct inode *inode = file->f_dentry->d_inode; struct inode *inode = file->f_dentry->d_inode;
struct ima_iint_cache *iint; struct ima_iint_cache *iint;
@@ -255,7 +264,7 @@ out:
}
/** - if (!iint_initialized || !S_ISREG(inode->i_mode))
- * ima_file_mmap - based on policy, collect/store measurement. + if (!ima_enabled || !iint_initialized || !S_ISREG(inode->i_mode))
+ * __ima_file_mmap - based on policy, collect/store measurement. return;
* @file: pointer to the file to be measured (May be NULL) iint = ima_iint_find_get(inode);
* @prot: contains the protection that will be applied by the kernel. if (!iint)
* @@ -269,7 +278,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
@@ -265,7 +274,7 @@ out:
* Return 0 on success, an error code on failure.
* (Based on the results of appraise_measurement().)
*/
-int ima_file_mmap(struct file *file, unsigned long prot)
+int __ima_file_mmap(struct file *file, unsigned long prot)
{ {
int rc; int rc;
@@ -278,7 +287,7 @@ int ima_file_mmap(struct file *file, unsigned long prot) - if (!file)
} + if (!ima_enabled || !file)
/**
- * ima_bprm_check - based on policy, collect/store measurement.
+ * __ima_bprm_check - based on policy, collect/store measurement.
* @bprm: contains the linux_binprm structure
*
* The OS protects against an executable file, already open for write,
@@ -290,7 +299,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
* Return 0 on success, an error code on failure.
* (Based on the results of appraise_measurement().)
*/
-int ima_bprm_check(struct linux_binprm *bprm)
+int __ima_bprm_check(struct linux_binprm *bprm)
{
int rc;
@@ -300,7 +309,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
}
/**
- * ima_path_check - based on policy, collect/store measurement.
+ * __ima_path_check - based on policy, collect/store measurement.
* @file: pointer to the file to be measured
* @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
*
@@ -309,7 +318,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
* Always return 0 and audit dentry_open failures.
* (Return code will be based upon measurement appraisal.)
*/
-int ima_file_check(struct file *file, int mask)
+int __ima_file_check(struct file *file, int mask)
{
int rc;
@@ -318,12 +327,15 @@ int ima_file_check(struct file *file, int mask)
FILE_CHECK);
return 0; return 0;
} if (prot & PROT_EXEC)
-EXPORT_SYMBOL_GPL(ima_file_check); rc = process_measurement(file, file->f_dentry->d_name.name,
+EXPORT_SYMBOL_GPL(__ima_file_check); @@ -294,6 +303,9 @@ int ima_bprm_check(struct linux_binprm *bprm)
{
int rc;
static int __init init_ima(void) + if (!ima_enabled)
+ return 0;
+
rc = process_measurement(bprm->file, bprm->filename,
MAY_EXEC, BPRM_CHECK);
return 0;
@@ -313,6 +325,9 @@ int ima_file_check(struct file *file, int mask)
{
int rc;
+ if (!ima_enabled)
+ return 0;
+
rc = process_measurement(file, file->f_dentry->d_name.name,
mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
FILE_CHECK);
@@ -324,6 +339,9 @@ static int __init init_ima(void)
{ {
int error; int error;
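Review bot: The early `if (!ima_enabled) return;` added to ima_inode_free() in the ima_iint.c hunk skips the `radix_tree_delete` of the inode's iint, which is only correct if `ima_enabled` can never change once inodes start being allocated; an iint created while the flag was set would otherwise stay in `ima_iint_store` keyed by a freed inode address. The `ima=` handler that sets the flag is not in this diff, so I assume it is a boot-only `__setup` parameter; if so, state that contract where the flag is defined in ima_main.c, e.g. `int ima_enabled; /* boot-only (ima=on); must not change after init -- ima_inode_free() skips iint teardown when clear */`. Note also that ima_iintcache_init() now returns before `kmem_cache_create`, so the new guard in ima_inode_alloc() is the only thing keeping a disabled boot from calling kmem_cache_alloc() on a NULL `iint_cache` — another reason the flag must be settled before any of these paths run. Every function touched here begins or ends outside the hunks shown.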


@ -51,7 +51,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be prepended with "0.", so # For non-released -rc kernels, this will be prepended with "0.", so
# for example a 3 here will become 0.3 # for example a 3 here will become 0.3
# #
%global baserelease 39 %global baserelease 40
%global fedora_build %{baserelease} %global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching # base_sublevel is the kernel version we're starting with and patching
@ -617,6 +617,8 @@ Patch380: linux-2.6-defaults-pci_no_msi.patch
Patch381: linux-2.6-defaults-pci_use_crs.patch Patch381: linux-2.6-defaults-pci_use_crs.patch
Patch383: linux-2.6-defaults-aspm.patch Patch383: linux-2.6-defaults-aspm.patch
Patch385: ima-allow-it-to-be-completely-disabled-and-default-off.patch
Patch390: linux-2.6-defaults-acpi-video.patch Patch390: linux-2.6-defaults-acpi-video.patch
Patch391: linux-2.6-acpi-video-dos.patch Patch391: linux-2.6-acpi-video-dos.patch
Patch393: acpi-ec-add-delay-before-write.patch Patch393: acpi-ec-add-delay-before-write.patch
@ -727,7 +729,7 @@ Patch12302: pnpacpi-cope-with-invalid-device-ids.patch
Patch12303: dmar-disable-when-ricoh-multifunction.patch Patch12303: dmar-disable-when-ricoh-multifunction.patch
Patch12304: ima-allow-it-to-be-completely-disabled-and-default-off.patch Patch12305: xhci_hcd-suspend-resume.patch
%endif %endif
@ -1213,6 +1215,8 @@ ApplyPatch linux-2.6-defaults-pci_use_crs.patch
# enable ASPM by default on hardware we expect to work # enable ASPM by default on hardware we expect to work
ApplyPatch linux-2.6-defaults-aspm.patch ApplyPatch linux-2.6-defaults-aspm.patch
ApplyPatch ima-allow-it-to-be-completely-disabled-and-default-off.patch
# #
# SCSI Bits. # SCSI Bits.
# #
@ -1345,7 +1349,7 @@ ApplyPatch pnpacpi-cope-with-invalid-device-ids.patch
# rhbz#605888 # rhbz#605888
ApplyPatch dmar-disable-when-ricoh-multifunction.patch ApplyPatch dmar-disable-when-ricoh-multifunction.patch
ApplyPatch ima-allow-it-to-be-completely-disabled-and-default-off.patch ApplyPatch xhci_hcd-suspend-resume.patch
# END OF PATCH APPLICATIONS # END OF PATCH APPLICATIONS
@ -1954,6 +1958,9 @@ fi
# || || # || ||
%changelog %changelog
* Mon Oct 18 2010 Kyle McMartin <kyle@redhat.com> 2.6.36-0.40.rc8.git0
- Backport xHCI suspend/resume code from linux-next.
* Mon Oct 18 2010 Kyle McMartin <kyle@redhat.com> * Mon Oct 18 2010 Kyle McMartin <kyle@redhat.com>
- ima: Default it to off, pass ima=on to enable. Reduce impact of the option - ima: Default it to off, pass ima=on to enable. Reduce impact of the option
when disabled. when disabled.
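Review bot: The new `ApplyPatch xhci_hcd-suspend-resume.patch` line carries no provenance comment, unlike the neighbouring `# rhbz#605888` entry, and the changelog only says the code comes from linux-next; a backport that lands without its upstream commit ids is hard to audit and hard to drop once the fix reaches a released kernel. I would add above the ApplyPatch line `# xHCI suspend/resume backport from linux-next -- record the upstream commit ids here`, and put those ids in the patch header if they are not already there (the patch itself is collapsed on this page, so I cannot confirm). The 0.40 changelog entry also does not mention the IMA patch rework that the commit title announces, so a second bullet there would help anyone bisecting the package history.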
