authorKyle McMartin <kyle@mcmartin.ca>2010-10-18 13:40:37 -0400
committerKyle McMartin <kyle@mcmartin.ca>2010-10-18 13:40:37 -0400
commit9ecbc015d1e7cf485bc774f86c5e3362f69fe830 (patch)
treeeabe59835ebfe4db1565e71c45dea67e5ecdd8da /ima-allow-it-to-be-completely-disabled-and-default-off.patch
parent52c02bb8d14e4e9a8087e25cfb1e8482f3d6c8a4 (diff)
fix ima patch, and add xhci_hcd suspend resume backport
Diffstat (limited to 'ima-allow-it-to-be-completely-disabled-and-default-off.patch')
-rw-r--r--ima-allow-it-to-be-completely-disabled-and-default-off.patch268
1 files changed, 69 insertions, 199 deletions
diff --git a/ima-allow-it-to-be-completely-disabled-and-default-off.patch b/ima-allow-it-to-be-completely-disabled-and-default-off.patch
index 91bdb7528..4f8f1f180 100644
--- a/ima-allow-it-to-be-completely-disabled-and-default-off.patch
+++ b/ima-allow-it-to-be-completely-disabled-and-default-off.patch
@@ -1,137 +1,55 @@
-From 6887ac55c66179ecd6191c21cf9c629cb2317ca4 Mon Sep 17 00:00:00 2001
+From 785465d9cffd65b5a69dd2f465d2f7c917713220 Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@mcmartin.ca>
-Date: Mon, 18 Oct 2010 02:08:35 -0400
-Subject: [PATCH] ima: allow it to be completely disabled (and default to off)
-
-Allow IMA to be entirely disabled, don't even bother calling into
-the provided hooks, and avoid initializing caches.
-
-(A lot of the hooks will test iint_initialized, and so this doubly
- disables them, since the iint cache won't be enabled. But hey, we
- avoid a pointless branch...)
+Date: Mon, 18 Oct 2010 13:30:39 -0400
+Subject: [PATCH] ima: provide a toggle to disable it entirely
Signed-off-by: Kyle McMartin <kyle@redhat.com>
---
- include/linux/ima.h | 66 +++++++++++++++++++++++++++++++++----
- security/integrity/ima/ima_iint.c | 13 +++++--
- security/integrity/ima/ima_main.c | 34 +++++++++++++------
- 3 files changed, 91 insertions(+), 22 deletions(-)
+ security/integrity/ima/ima.h | 1 +
+ security/integrity/ima/ima_iint.c | 9 +++++++++
+ security/integrity/ima/ima_main.c | 24 +++++++++++++++++++++---
+ 3 files changed, 31 insertions(+), 3 deletions(-)
-diff --git a/include/linux/ima.h b/include/linux/ima.h
-index 975837e..2fa456d 100644
---- a/include/linux/ima.h
-+++ b/include/linux/ima.h
-@@ -14,13 +14,65 @@
- struct linux_binprm;
-
- #ifdef CONFIG_IMA
--extern int ima_bprm_check(struct linux_binprm *bprm);
--extern int ima_inode_alloc(struct inode *inode);
--extern void ima_inode_free(struct inode *inode);
--extern int ima_file_check(struct file *file, int mask);
--extern void ima_file_free(struct file *file);
--extern int ima_file_mmap(struct file *file, unsigned long prot);
--extern void ima_counts_get(struct file *file);
-+
+diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
+index 3fbcd1d..65c3977 100644
+--- a/security/integrity/ima/ima.h
++++ b/security/integrity/ima/ima.h
+@@ -37,6 +37,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
+ /* set during initialization */
+ extern int iint_initialized;
+ extern int ima_initialized;
+extern int ima_enabled;
-+
-+extern int __ima_bprm_check(struct linux_binprm *bprm);
-+extern int __ima_inode_alloc(struct inode *inode);
-+extern void __ima_inode_free(struct inode *inode);
-+extern int __ima_file_check(struct file *file, int mask);
-+extern void __ima_file_free(struct file *file);
-+extern int __ima_file_mmap(struct file *file, unsigned long prot);
-+extern void __ima_counts_get(struct file *file);
-+
-+static inline int ima_bprm_check(struct linux_binprm *bprm)
-+{
-+ if (ima_enabled)
-+ return __ima_bprm_check(bprm);
-+ return 0;
-+}
-+
-+static inline int ima_inode_alloc(struct inode *inode)
-+{
-+ if (ima_enabled)
-+ return __ima_inode_alloc(inode);
-+ return 0;
-+}
-+
-+static inline void ima_inode_free(struct inode *inode)
-+{
-+ if (ima_enabled)
-+ __ima_inode_free(inode);
-+ return;
-+}
-+
-+static inline int ima_file_check(struct file *file, int mask)
-+{
-+ if (ima_enabled)
-+ return __ima_file_check(file, mask);
-+ return 0;
-+}
-+
-+static inline void ima_file_free(struct file *file)
-+{
-+ if (ima_enabled)
-+ __ima_file_free(file);
-+ return;
-+}
-+
-+static inline int ima_file_mmap(struct file *file, unsigned long prot)
-+{
-+ if (ima_enabled)
-+ return __ima_file_mmap(file, prot);
-+ return 0;
-+}
-+
-+static inline void ima_counts_get(struct file *file)
-+{
-+ if (ima_enabled)
-+ return __ima_counts_get(file);
-+ return;
-+}
+ extern int ima_used_chip;
+ extern char *ima_hash;
- #else
- static inline int ima_bprm_check(struct linux_binprm *bprm)
diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c
-index afba4ae..767f026 100644
+index afba4ae..3d191ef 100644
--- a/security/integrity/ima/ima_iint.c
+++ b/security/integrity/ima/ima_iint.c
-@@ -46,10 +46,10 @@ out:
- }
-
- /**
-- * ima_inode_alloc - allocate an iint associated with an inode
-+ * __ima_inode_alloc - allocate an iint associated with an inode
- * @inode: pointer to the inode
- */
--int ima_inode_alloc(struct inode *inode)
-+int __ima_inode_alloc(struct inode *inode)
- {
+@@ -54,6 +54,9 @@ int ima_inode_alloc(struct inode *inode)
struct ima_iint_cache *iint = NULL;
int rc = 0;
-@@ -107,12 +107,12 @@ void iint_rcu_free(struct rcu_head *rcu_head)
- }
- /**
-- * ima_inode_free - called on security_inode_free
-+ * __ima_inode_free - called on security_inode_free
- * @inode: pointer to the inode
- *
- * Free the integrity information(iint) associated with an inode.
- */
--void ima_inode_free(struct inode *inode)
-+void __ima_inode_free(struct inode *inode)
++ if (!ima_enabled)
++ return 0;
++
+ iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
+ if (!iint)
+ return -ENOMEM;
+@@ -116,6 +119,9 @@ void ima_inode_free(struct inode *inode)
{
struct ima_iint_cache *iint;
-@@ -139,6 +139,11 @@ static void init_once(void *foo)
++ if (!ima_enabled)
++ return;
++
+ spin_lock(&ima_iint_lock);
+ iint = radix_tree_delete(&ima_iint_store, (unsigned long)inode);
+ spin_unlock(&ima_iint_lock);
+@@ -139,6 +145,9 @@ static void init_once(void *foo)
static int __init ima_iintcache_init(void)
{
-+ extern int ima_enabled;
-+
+ if (!ima_enabled)
+ return 0;
+
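Review bot: The early returns added to ima_inode_alloc and ima_inode_free (the `if (!ima_enabled)` blocks placed before kmem_cache_alloc and before spin_lock) are only correct if ima_enabled cannot change once inodes start being allocated: an iint allocated while the flag was set would leak if the flag were later cleared, because the free path now bails out before radix_tree_delete, and the reverse ordering would leave ima_inode_free deleting an entry that was never inserted. Nothing in this hunk shows how or when ima_enabled is set (the ima_main.c hunk that defines it runs past the end of the page), so that invariant should be stated where the flag is declared, e.g. above the new `extern int ima_enabled;` in ima.h: `/* boot-time toggle; must be fixed before the first inode is allocated, since the iint alloc/free paths both skip their work when it is clear */`. Since the toggle defaults to off, it would also help if ima_iintcache_init's new `if (!ima_enabled) return 0;` path emitted a single informational message, as an absent measurement list is otherwise indistinguishable from IMA not being built in.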
@@ -139,14 +57,14 @@ index afba4ae..767f026 100644
kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0,
SLAB_PANIC, init_once);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index e662b89..92e084c 100644
+index e662b89..6e91905 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -26,6 +26,7 @@
#include "ima.h"
int ima_initialized;
-+int ima_enabled = 0;
++int ima_enabled;
char *ima_hash = "sha1";
static int __init hash_setup(char *str)
@@ -165,102 +83,54 @@ index e662b89..92e084c 100644
struct ima_imbalance {
struct hlist_node node;
unsigned long fsmagic;
-@@ -130,7 +139,7 @@ static void ima_inc_counts(struct ima_iint_cache *iint, fmode_t mode)
- }
-
- /*
-- * ima_counts_get - increment file counts
-+ * __ima_counts_get - increment file counts
- *
- * Maintain read/write counters for all files, but only
- * invalidate the PCR for measured files:
-@@ -140,7 +149,7 @@ static void ima_inc_counts(struct ima_iint_cache *iint, fmode_t mode)
- * could result in a file measurement error.
- *
- */
--void ima_counts_get(struct file *file)
-+void __ima_counts_get(struct file *file)
- {
- struct dentry *dentry = file->f_path.dentry;
- struct inode *inode = dentry->d_inode;
-@@ -204,13 +213,13 @@ static void ima_dec_counts(struct ima_iint_cache *iint, struct inode *inode,
- }
+@@ -148,7 +157,7 @@ void ima_counts_get(struct file *file)
+ struct ima_iint_cache *iint;
+ int rc;
- /**
-- * ima_file_free - called on __fput()
-+ * __ima_file_free - called on __fput()
- * @file: pointer to file structure being freed
- *
- * Flag files that changed, based on i_version;
- * and decrement the iint readcount/writecount.
- */
--void ima_file_free(struct file *file)
-+void __ima_file_free(struct file *file)
- {
+- if (!iint_initialized || !S_ISREG(inode->i_mode))
++ if (!ima_enabled || !iint_initialized || !S_ISREG(inode->i_mode))
+ return;
+ iint = ima_iint_find_get(inode);
+ if (!iint)
+@@ -215,7 +224,7 @@ void ima_file_free(struct file *file)
struct inode *inode = file->f_dentry->d_inode;
struct ima_iint_cache *iint;
-@@ -255,7 +264,7 @@ out:
- }
- /**
-- * ima_file_mmap - based on policy, collect/store measurement.
-+ * __ima_file_mmap - based on policy, collect/store measurement.
- * @file: pointer to the file to be measured (May be NULL)
- * @prot: contains the protection that will be applied by the kernel.
- *
-@@ -265,7 +274,7 @@ out:
- * Return 0 on success, an error code on failure.
- * (Based on the results of appraise_measurement().)
- */
--int ima_file_mmap(struct file *file, unsigned long prot)
-+int __ima_file_mmap(struct file *file, unsigned long prot)
+- if (!iint_initialized || !S_ISREG(inode->i_mode))
++ if (!ima_enabled || !iint_initialized || !S_ISREG(inode->i_mode))
+ return;
+ iint = ima_iint_find_get(inode);
+ if (!iint)
+@@ -269,7 +278,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
{
int rc;
-@@ -278,7 +287,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
- }
-
- /**
-- * ima_bprm_check - based on policy, collect/store measurement.
-+ * __ima_bprm_check - based on policy, collect/store measurement.
- * @bprm: contains the linux_binprm structure
- *
- * The OS protects against an executable file, already open for write,
-@@ -290,7 +299,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
- * Return 0 on success, an error code on failure.
- * (Based on the results of appraise_measurement().)
- */
--int ima_bprm_check(struct linux_binprm *bprm)
-+int __ima_bprm_check(struct linux_binprm *bprm)
+- if (!file)
++ if (!ima_enabled || !file)
+ return 0;
+ if (prot & PROT_EXEC)
+ rc = process_measurement(file, file->f_dentry->d_name.name,
+@@ -294,6 +303,9 @@ int ima_bprm_check(struct linux_binprm *bprm)
{
int rc;
-@@ -300,7 +309,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
- }
-
- /**
-- * ima_path_check - based on policy, collect/store measurement.
-+ * __ima_path_check - based on policy, collect/store measurement.
- * @file: pointer to the file to be measured
- * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
- *
-@@ -309,7 +318,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
- * Always return 0 and audit dentry_open failures.
- * (Return code will be based upon measurement appraisal.)
- */
--int ima_file_check(struct file *file, int mask)
-+int __ima_file_check(struct file *file, int mask)
++ if (!ima_enabled)
++ return 0;
++
+ rc = process_measurement(bprm->file, bprm->filename,
+ MAY_EXEC, BPRM_CHECK);
+ return 0;
+@@ -313,6 +325,9 @@ int ima_file_check(struct file *file, int mask)
{
int rc;
-@@ -318,12 +327,15 @@ int ima_file_check(struct file *file, int mask)
++ if (!ima_enabled)
++ return 0;
++
+ rc = process_measurement(file, file->f_dentry->d_name.name,
+ mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
FILE_CHECK);
- return 0;
- }
--EXPORT_SYMBOL_GPL(ima_file_check);
-+EXPORT_SYMBOL_GPL(__ima_file_check);
-
- static int __init init_ima(void)
+@@ -324,6 +339,9 @@ static int __init init_ima(void)
{
int error;