
Commit 6339204e authored by Linus Torvalds's avatar Linus Torvalds
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
  Take ima_file_free() to proper place.
  ima: rename PATH_CHECK to FILE_CHECK
  ima: rename ima_path_check to ima_file_check
  ima: initialize ima before inodes can be allocated
  fix ima breakage
  Take ima_path_check() in nfsd past dentry_open() in nfsd_open()
  freeze_bdev: don't deactivate successfully frozen MS_RDONLY sb
  befs: fix leak
parents 80e1e823 89068c57
+6 −6
@@ -20,7 +20,7 @@ Description:
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
				 [obj_user=] [obj_role=] [obj_type=]]
				 [obj_user=] [obj_role=] [obj_type=]]


		base: 	func:= [BPRM_CHECK][FILE_MMAP][INODE_PERMISSION]
		base: 	func:= [BPRM_CHECK][FILE_MMAP][FILE_CHECK]
			mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
			mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
			fsmagic:= hex value
			fsmagic:= hex value
			uid:= decimal value
			uid:= decimal value
@@ -40,11 +40,11 @@ Description:


			measure func=BPRM_CHECK
			measure func=BPRM_CHECK
			measure func=FILE_MMAP mask=MAY_EXEC
			measure func=FILE_MMAP mask=MAY_EXEC
			measure func=INODE_PERM mask=MAY_READ uid=0
			measure func=FILE_CHECK mask=MAY_READ uid=0


		The default policy measures all executables in bprm_check,
		The default policy measures all executables in bprm_check,
		all files mmapped executable in file_mmap, and all files
		all files mmapped executable in file_mmap, and all files
		open for read by root in inode_permission.
		open for read by root in do_filp_open.


		Examples of LSM specific definitions:
		Examples of LSM specific definitions:


@@ -54,8 +54,8 @@ Description:


			dont_measure obj_type=var_log_t
			dont_measure obj_type=var_log_t
			dont_measure obj_type=auditd_log_t
			dont_measure obj_type=auditd_log_t
			measure subj_user=system_u func=INODE_PERM mask=MAY_READ
			measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
			measure subj_role=system_r func=INODE_PERM mask=MAY_READ
			measure subj_role=system_r func=FILE_CHECK mask=MAY_READ


		Smack:
		Smack:
			measure subj_user=_ func=INODE_PERM mask=MAY_READ
			measure subj_user=_ func=FILE_CHECK mask=MAY_READ
+1 −0
@@ -873,6 +873,7 @@ befs_fill_super(struct super_block *sb, void *data, int silent)
	brelse(bh);
	brelse(bh);


      unacquire_priv_sbp:
      unacquire_priv_sbp:
	kfree(befs_sb->mount_opts.iocharset);
	kfree(sb->s_fs_info);
	kfree(sb->s_fs_info);


      unacquire_none:
      unacquire_none:
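Review bot: The added `kfree(befs_sb->mount_opts.iocharset);` assumes that `befs_sb` is already assigned and that `iocharset` is either NULL or an owned allocation on every `goto unacquire_priv_sbp`; those jumps and the initialisation of `befs_sb` are outside the hunk. A short comment at the label, e.g. `/* iocharset is NULL or kmalloc'd here; kfree(NULL) is a no-op */`, would record that precondition. It is also worth confirming that the normal unmount path frees the same field, since this hunk covers only the mount-failure path.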
+4 −3
@@ -246,7 +246,8 @@ struct super_block *freeze_bdev(struct block_device *bdev)
	if (!sb)
	if (!sb)
		goto out;
		goto out;
	if (sb->s_flags & MS_RDONLY) {
	if (sb->s_flags & MS_RDONLY) {
		deactivate_locked_super(sb);
		sb->s_frozen = SB_FREEZE_TRANS;
		up_write(&sb->s_umount);
		mutex_unlock(&bdev->bd_fsfreeze_mutex);
		mutex_unlock(&bdev->bd_fsfreeze_mutex);
		return sb;
		return sb;
	}
	}
@@ -307,7 +308,7 @@ int thaw_bdev(struct block_device *bdev, struct super_block *sb)
	BUG_ON(sb->s_bdev != bdev);
	BUG_ON(sb->s_bdev != bdev);
	down_write(&sb->s_umount);
	down_write(&sb->s_umount);
	if (sb->s_flags & MS_RDONLY)
	if (sb->s_flags & MS_RDONLY)
		goto out_deactivate;
		goto out_unfrozen;


	if (sb->s_op->unfreeze_fs) {
	if (sb->s_op->unfreeze_fs) {
		error = sb->s_op->unfreeze_fs(sb);
		error = sb->s_op->unfreeze_fs(sb);
@@ -321,11 +322,11 @@ int thaw_bdev(struct block_device *bdev, struct super_block *sb)
		}
		}
	}
	}


out_unfrozen:
	sb->s_frozen = SB_UNFROZEN;
	sb->s_frozen = SB_UNFROZEN;
	smp_wmb();
	smp_wmb();
	wake_up(&sb->s_wait_unfrozen);
	wake_up(&sb->s_wait_unfrozen);


out_deactivate:
	if (sb)
	if (sb)
		deactivate_locked_super(sb);
		deactivate_locked_super(sb);
out_unlock:
out_unlock:
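Review bot: thaw_bdev re-tests `sb->s_flags & MS_RDONLY` to pick `out_unfrozen`, while freeze_bdev made the matching decision at freeze time. If the flag can change while `s_frozen` is `SB_FREEZE_TRANS` (whether a remount is refused in that state is not visible here), thaw could call `unfreeze_fs` for a superblock whose freeze hook never ran, or skip it for one whose hook did. A comment at the read-only branch in freeze_bdev, e.g. `/* read-only sb: nothing to flush; s_frozen keeps it from going rw until thaw */`, would document the invariant, if that is indeed the intent. Separately, `if (sb)` before `deactivate_locked_super(sb)` is dead code, because `sb->s_frozen = SB_UNFROZEN;` has already dereferenced `sb`; it can be reduced to `deactivate_locked_super(sb);`. Both function bodies continue outside the hunks.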
+1 −0
@@ -253,6 +253,7 @@ void __fput(struct file *file)
	if (file->f_op && file->f_op->release)
	if (file->f_op && file->f_op->release)
		file->f_op->release(inode, file);
		file->f_op->release(inode, file);
	security_file_free(file);
	security_file_free(file);
	ima_file_free(file);
	if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL))
	if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL))
		cdev_put(inode->i_cdev);
		cdev_put(inode->i_cdev);
	fops_put(file->f_op);
	fops_put(file->f_op);
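Review bot: `ima_file_free(file)` now runs after `file->f_op->release(inode, file)` and `security_file_free(file)`, so the IMA hook sees a file whose driver release has completed and whose LSM state has already been released. Whether ima_file_free reads either is not visible in this hunk; if it only touches inode-level accounting the order is harmless. That is worth stating in a comment such as `/* ima_file_free() must not touch f_security or driver state: both are gone here */`, or the call could be placed before `security_file_free(file);`. __fput's body continues outside the hunk.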
+2 −4
@@ -1736,8 +1736,7 @@ struct file *do_filp_open(int dfd, const char *pathname,
		if (nd.root.mnt)
		if (nd.root.mnt)
			path_put(&nd.root);
			path_put(&nd.root);
		if (!IS_ERR(filp)) {
		if (!IS_ERR(filp)) {
			error = ima_path_check(&filp->f_path, filp->f_mode &
			error = ima_file_check(filp, acc_mode);
				       (MAY_READ | MAY_WRITE | MAY_EXEC));
			if (error) {
			if (error) {
				fput(filp);
				fput(filp);
				filp = ERR_PTR(error);
				filp = ERR_PTR(error);
@@ -1797,8 +1796,7 @@ struct file *do_filp_open(int dfd, const char *pathname,
	}
	}
	filp = nameidata_to_filp(&nd);
	filp = nameidata_to_filp(&nd);
	if (!IS_ERR(filp)) {
	if (!IS_ERR(filp)) {
		error = ima_path_check(&filp->f_path, filp->f_mode &
		error = ima_file_check(filp, acc_mode);
			       (MAY_READ | MAY_WRITE | MAY_EXEC));
		if (error) {
		if (error) {
			fput(filp);
			fput(filp);
			filp = ERR_PTR(error);
			filp = ERR_PTR(error);
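Review bot: Both call sites now pass `acc_mode` to `ima_file_check()` unfiltered, where the old code restricted the mask to `MAY_READ | MAY_WRITE | MAY_EXEC` taken from `filp->f_mode`. If `acc_mode` can carry other bits at these points (its computation is outside the hunks), the callee has to mask it itself; otherwise keep the filter at the call, `error = ima_file_check(filp, acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));`. The failure path also goes through `fput(filp)`, which after the __fput change in this commit reaches `ima_file_free()`, so a failing ima_file_check must leave its accounting in a state the free hook can undo. The same five lines appear at both sites and could share a helper.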