Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c9341ee0 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 

Pull security layer updates from James Morris:
 "Highlights:

   - major AppArmor update: policy namespaces & lots of fixes

   - add /sys/kernel/security/lsm node for easy detection of loaded LSMs

   - SELinux cgroupfs labeling support

   - SELinux context mounts on tmpfs, ramfs, devpts within user
     namespaces

   - improved TPM 2.0 support"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (117 commits)
  tpm: declare tpm2_get_pcr_allocation() as static
  tpm: Fix expected number of response bytes of TPM1.2 PCR Extend
  tpm xen: drop unneeded chip variable
  tpm: fix misspelled "facilitate" in module parameter description
  tpm_tis: fix the error handling of init_tis()
  KEYS: Use memzero_explicit() for secret data
  KEYS: Fix an error code in request_master_key()
  sign-file: fix build error in sign-file.c with libressl
  selinux: allow changing labels for cgroupfs
  selinux: fix off-by-one in setprocattr
  tpm: silence an array overflow warning
  tpm: fix the type of owned field in cap_t
  tpm: add securityfs support for TPM 2.0 firmware event log
  tpm: enhance read_log_of() to support Physical TPM event log
  tpm: enhance TPM 2.0 PCR extend to support multiple banks
  tpm: implement TPM 2.0 capability to get active PCR banks
  tpm: fix RC value check in tpm2_seal_trusted
  tpm_tis: fix iTPM probe via probe_itpm() function
  tpm: Begin the process to deprecate user_read_timer
  tpm: remove tpm_read_index and tpm_write_index from tpm.h
  ...
parents 7a771cea 61841be6

Documentation/security/LSM.txt

+7 −0
Original line number Diff line number Diff line
@@ -22,6 +22,13 @@ system, building their checks on top of the defined capability hooks. 
For more details on capabilities, see capabilities(7) in the Linux

man-pages project.



A list of the active security modules can be found by reading

/sys/kernel/security/lsm. This is a comma separated list, and

will always include the capability module. The list reflects the

order in which checks are made. The capability module will always

be first, followed by any "minor" modules (e.g. Yama) and then

the one "major" module (e.g. SELinux) if there is one configured.



Based on https://lkml.org/lkml/2007/10/26/215,

a new LSM is accepted into the kernel when its intent (a description of

what it tries to protect against and in what cases one would expect to

drivers/char/tpm/Kconfig

+1 −0
Original line number Diff line number Diff line
@@ -6,6 +6,7 @@ menuconfig TCG_TPM 
	tristate "TPM Hardware Support"

	depends on HAS_IOMEM

	select SECURITYFS

	select CRYPTO_HASH_INFO

	---help---

	  If you have a TPM security chip in your system, which

	  implements the Trusted Computing Group's specification,

drivers/char/tpm/Makefile

+1 −1
Original line number Diff line number Diff line
@@ -3,7 +3,7 @@ 
#

obj-$(CONFIG_TCG_TPM) += tpm.o

tpm-y := tpm-interface.o tpm-dev.o tpm-sysfs.o tpm-chip.o tpm2-cmd.o \

		tpm_eventlog.o

		tpm1_eventlog.o tpm2_eventlog.o

tpm-$(CONFIG_ACPI) += tpm_ppi.o tpm_acpi.o

tpm-$(CONFIG_OF) += tpm_of.o

obj-$(CONFIG_TCG_TIS_CORE) += tpm_tis_core.o

drivers/char/tpm/st33zp24/st33zp24.c

+0 −1
Original line number Diff line number Diff line
@@ -18,7 +18,6 @@ 


#include <linux/module.h>

#include <linux/fs.h>

#include <linux/miscdevice.h>

#include <linux/kernel.h>

#include <linux/delay.h>

#include <linux/wait.h>

drivers/char/tpm/tpm-chip.c

+4 −4
Original line number Diff line number Diff line
@@ -141,7 +141,7 @@ static void tpm_dev_release(struct device *dev) 
 * Allocates a new struct tpm_chip instance and assigns a free

 * device number for it. Must be paired with put_device(&chip->dev).

 */

struct tpm_chip *tpm_chip_alloc(struct device *dev,

struct tpm_chip *tpm_chip_alloc(struct device *pdev,

				const struct tpm_class_ops *ops)

{

	struct tpm_chip *chip;
@@ -160,7 +160,7 @@ struct tpm_chip *tpm_chip_alloc(struct device *dev, 
	rc = idr_alloc(&dev_nums_idr, NULL, 0, TPM_NUM_DEVICES, GFP_KERNEL);

	mutex_unlock(&idr_lock);

	if (rc < 0) {

		dev_err(dev, "No available tpm device numbers\n");

		dev_err(pdev, "No available tpm device numbers\n");

		kfree(chip);

		return ERR_PTR(rc);

	}
@@ -170,7 +170,7 @@ struct tpm_chip *tpm_chip_alloc(struct device *dev, 


	chip->dev.class = tpm_class;

	chip->dev.release = tpm_dev_release;

	chip->dev.parent = dev;

	chip->dev.parent = pdev;

	chip->dev.groups = chip->groups;



	if (chip->dev_num == 0)
@@ -182,7 +182,7 @@ struct tpm_chip *tpm_chip_alloc(struct device *dev, 
	if (rc)

		goto out;



	if (!dev)

	if (!pdev)

		chip->flags |= TPM_CHIP_FLAG_VIRTUAL;



	cdev_init(&chip->cdev, &tpm_fops);