Loading Documentation/Smack.txt +18 −2 Original line number Diff line number Diff line Loading @@ -184,8 +184,9 @@ length. Single character labels using special characters, that being anything other than a letter or digit, are reserved for use by the Smack development team. Smack labels are unstructured, case sensitive, and the only operation ever performed on them is comparison for equality. Smack labels cannot contain unprintable characters or the "/" (slash) character. Smack labels cannot begin with a '-', which is reserved for special options. contain unprintable characters, the "/" (slash), the "\" (backslash), the "'" (quote) and '"' (double-quote) characters. Smack labels cannot begin with a '-', which is reserved for special options. There are some predefined labels: Loading Loading @@ -523,3 +524,18 @@ Smack supports some mount options: These mount options apply to all file system types. Smack auditing If you want Smack auditing of security events, you need to set CONFIG_AUDIT in your kernel configuration. By default, all denied events will be audited. You can change this behavior by writing a single character to the /smack/logging file : 0 : no logging 1 : log denied (default) 2 : log accepted 3 : log denied & accepted Events are logged as 'key=value' pairs, for each event you at least will get the subjet, the object, the rights requested, the action, the kernel function that triggered the event, plus other pairs depending on the type of event audited. Documentation/kernel-parameters.txt +6 −0 Original line number Diff line number Diff line Loading @@ -916,6 +916,12 @@ and is between 256 and 4096 characters. It is defined in the file Formt: { "sha1" | "md5" } default: "sha1" ima_tcb [IMA] Load a policy which meets the needs of the Trusted Computing Base. This means IMA will measure all programs exec'd, files mmap'd for exec, and all files opened for read by uid=0. in2000= [HW,SCSI] See header of drivers/scsi/in2000.c. Loading Documentation/sysctl/kernel.txt +11 −0 Original line number Diff line number Diff line Loading @@ -32,6 +32,7 @@ show up in /proc/sys/kernel: - kstack_depth_to_print [ X86 only ] - l2cr [ PPC only ] - modprobe ==> Documentation/debugging-modules.txt - modules_disabled - msgmax - msgmnb - msgmni Loading Loading @@ -184,6 +185,16 @@ kernel stack. ============================================================== modules_disabled: A toggle value indicating if modules are allowed to be loaded in an otherwise modular kernel. This toggle defaults to off (0), but can be set true (1). Once true, modules can be neither loaded nor unloaded, and the toggle cannot be set back to false. ============================================================== osrelease, ostype & version: # cat osrelease Loading fs/compat.c +3 −3 Original line number Diff line number Diff line Loading @@ -1488,7 +1488,7 @@ int compat_do_execve(char * filename, if (!bprm) goto out_files; retval = mutex_lock_interruptible(¤t->cred_exec_mutex); retval = mutex_lock_interruptible(¤t->cred_guard_mutex); if (retval < 0) goto out_free; current->in_execve = 1; Loading Loading @@ -1550,7 +1550,7 @@ int compat_do_execve(char * filename, /* execve succeeded */ current->fs->in_exec = 0; current->in_execve = 0; mutex_unlock(¤t->cred_exec_mutex); mutex_unlock(¤t->cred_guard_mutex); acct_update_integrals(current); free_bprm(bprm); if (displaced) Loading @@ -1573,7 +1573,7 @@ int compat_do_execve(char * filename, out_unlock: current->in_execve = 0; mutex_unlock(¤t->cred_exec_mutex); mutex_unlock(¤t->cred_guard_mutex); out_free: free_bprm(bprm); Loading fs/exec.c +5 −5 Original line number Diff line number Diff line Loading @@ -1016,7 +1016,7 @@ void install_exec_creds(struct linux_binprm *bprm) commit_creds(bprm->cred); bprm->cred = NULL; /* cred_exec_mutex must be held at least to this point to prevent /* cred_guard_mutex must be held at least to this point to prevent * ptrace_attach() from altering our determination of the task's * credentials; any time after this it may be unlocked */ Loading @@ -1026,7 +1026,7 @@ EXPORT_SYMBOL(install_exec_creds); /* * determine how safe it is to execute the proposed program * - the caller must hold current->cred_exec_mutex to protect against * - the caller must hold current->cred_guard_mutex to protect against * PTRACE_ATTACH */ int check_unsafe_exec(struct linux_binprm *bprm) Loading Loading @@ -1268,7 +1268,7 @@ int do_execve(char * filename, if (!bprm) goto out_files; retval = mutex_lock_interruptible(¤t->cred_exec_mutex); retval = mutex_lock_interruptible(¤t->cred_guard_mutex); if (retval < 0) goto out_free; current->in_execve = 1; Loading Loading @@ -1331,7 +1331,7 @@ int do_execve(char * filename, /* execve succeeded */ current->fs->in_exec = 0; current->in_execve = 0; mutex_unlock(¤t->cred_exec_mutex); mutex_unlock(¤t->cred_guard_mutex); acct_update_integrals(current); free_bprm(bprm); if (displaced) Loading @@ -1354,7 +1354,7 @@ int do_execve(char * filename, out_unlock: current->in_execve = 0; mutex_unlock(¤t->cred_exec_mutex); mutex_unlock(¤t->cred_guard_mutex); out_free: free_bprm(bprm); Loading Loading
Documentation/Smack.txt +18 −2 Original line number Diff line number Diff line Loading @@ -184,8 +184,9 @@ length. Single character labels using special characters, that being anything other than a letter or digit, are reserved for use by the Smack development team. Smack labels are unstructured, case sensitive, and the only operation ever performed on them is comparison for equality. Smack labels cannot contain unprintable characters or the "/" (slash) character. Smack labels cannot begin with a '-', which is reserved for special options. contain unprintable characters, the "/" (slash), the "\" (backslash), the "'" (quote) and '"' (double-quote) characters. Smack labels cannot begin with a '-', which is reserved for special options. There are some predefined labels: Loading Loading @@ -523,3 +524,18 @@ Smack supports some mount options: These mount options apply to all file system types. Smack auditing If you want Smack auditing of security events, you need to set CONFIG_AUDIT in your kernel configuration. By default, all denied events will be audited. You can change this behavior by writing a single character to the /smack/logging file : 0 : no logging 1 : log denied (default) 2 : log accepted 3 : log denied & accepted Events are logged as 'key=value' pairs, for each event you at least will get the subjet, the object, the rights requested, the action, the kernel function that triggered the event, plus other pairs depending on the type of event audited.
Documentation/kernel-parameters.txt +6 −0 Original line number Diff line number Diff line Loading @@ -916,6 +916,12 @@ and is between 256 and 4096 characters. It is defined in the file Formt: { "sha1" | "md5" } default: "sha1" ima_tcb [IMA] Load a policy which meets the needs of the Trusted Computing Base. This means IMA will measure all programs exec'd, files mmap'd for exec, and all files opened for read by uid=0. in2000= [HW,SCSI] See header of drivers/scsi/in2000.c. Loading
Documentation/sysctl/kernel.txt +11 −0 Original line number Diff line number Diff line Loading @@ -32,6 +32,7 @@ show up in /proc/sys/kernel: - kstack_depth_to_print [ X86 only ] - l2cr [ PPC only ] - modprobe ==> Documentation/debugging-modules.txt - modules_disabled - msgmax - msgmnb - msgmni Loading Loading @@ -184,6 +185,16 @@ kernel stack. ============================================================== modules_disabled: A toggle value indicating if modules are allowed to be loaded in an otherwise modular kernel. This toggle defaults to off (0), but can be set true (1). Once true, modules can be neither loaded nor unloaded, and the toggle cannot be set back to false. ============================================================== osrelease, ostype & version: # cat osrelease Loading
fs/compat.c +3 −3 Original line number Diff line number Diff line Loading @@ -1488,7 +1488,7 @@ int compat_do_execve(char * filename, if (!bprm) goto out_files; retval = mutex_lock_interruptible(¤t->cred_exec_mutex); retval = mutex_lock_interruptible(¤t->cred_guard_mutex); if (retval < 0) goto out_free; current->in_execve = 1; Loading Loading @@ -1550,7 +1550,7 @@ int compat_do_execve(char * filename, /* execve succeeded */ current->fs->in_exec = 0; current->in_execve = 0; mutex_unlock(¤t->cred_exec_mutex); mutex_unlock(¤t->cred_guard_mutex); acct_update_integrals(current); free_bprm(bprm); if (displaced) Loading @@ -1573,7 +1573,7 @@ int compat_do_execve(char * filename, out_unlock: current->in_execve = 0; mutex_unlock(¤t->cred_exec_mutex); mutex_unlock(¤t->cred_guard_mutex); out_free: free_bprm(bprm); Loading
fs/exec.c +5 −5 Original line number Diff line number Diff line Loading @@ -1016,7 +1016,7 @@ void install_exec_creds(struct linux_binprm *bprm) commit_creds(bprm->cred); bprm->cred = NULL; /* cred_exec_mutex must be held at least to this point to prevent /* cred_guard_mutex must be held at least to this point to prevent * ptrace_attach() from altering our determination of the task's * credentials; any time after this it may be unlocked */ Loading @@ -1026,7 +1026,7 @@ EXPORT_SYMBOL(install_exec_creds); /* * determine how safe it is to execute the proposed program * - the caller must hold current->cred_exec_mutex to protect against * - the caller must hold current->cred_guard_mutex to protect against * PTRACE_ATTACH */ int check_unsafe_exec(struct linux_binprm *bprm) Loading Loading @@ -1268,7 +1268,7 @@ int do_execve(char * filename, if (!bprm) goto out_files; retval = mutex_lock_interruptible(¤t->cred_exec_mutex); retval = mutex_lock_interruptible(¤t->cred_guard_mutex); if (retval < 0) goto out_free; current->in_execve = 1; Loading Loading @@ -1331,7 +1331,7 @@ int do_execve(char * filename, /* execve succeeded */ current->fs->in_exec = 0; current->in_execve = 0; mutex_unlock(¤t->cred_exec_mutex); mutex_unlock(¤t->cred_guard_mutex); acct_update_integrals(current); free_bprm(bprm); if (displaced) Loading @@ -1354,7 +1354,7 @@ int do_execve(char * filename, out_unlock: current->in_execve = 0; mutex_unlock(¤t->cred_exec_mutex); mutex_unlock(¤t->cred_guard_mutex); out_free: free_bprm(bprm); Loading
