CREDITS +1 −1 Original line number Diff line number Diff line Loading @@ -3738,7 +3738,7 @@ S: 93149 Nittenau S: Germany N: Gertjan van Wingerde E: gwingerde@home.nl E: gwingerde@gmail.com D: Ralink rt2x00 WLAN driver D: Minix V2 file-system D: Misc fixes Loading
Documentation/ABI/testing/ima_policy 0 → 100644 +61 −0 Original line number Diff line number Diff line What: security/ima/policy Date: May 2008 Contact: Mimi Zohar <zohar@us.ibm.com> Description: The Trusted Computing Group(TCG) runtime Integrity Measurement Architecture(IMA) maintains a list of hash values of executables and other sensitive system files loaded into the run-time of this system. At runtime, the policy can be constrained based on LSM specific data. Policies are loaded into the securityfs file ima/policy by opening the file, writing the rules one at a time and then closing the file. The new policy takes effect after the file ima/policy is closed. rule format: action [condition ...] action: measure | dont_measure condition:= base | lsm base: [[func=] [mask=] [fsmagic=] [uid=]] lsm: [[subj_user=] [subj_role=] [subj_type=] [obj_user=] [obj_role=] [obj_type=]] base: func:= [BPRM_CHECK][FILE_MMAP][INODE_PERMISSION] mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] fsmagic:= hex value uid:= decimal value lsm: are LSM specific default policy: # PROC_SUPER_MAGIC dont_measure fsmagic=0x9fa0 # SYSFS_MAGIC dont_measure fsmagic=0x62656572 # DEBUGFS_MAGIC dont_measure fsmagic=0x64626720 # TMPFS_MAGIC dont_measure fsmagic=0x01021994 # SECURITYFS_MAGIC dont_measure fsmagic=0x73636673 measure func=BPRM_CHECK measure func=FILE_MMAP mask=MAY_EXEC measure func=INODE_PERM mask=MAY_READ uid=0 The default policy measures all executables in bprm_check, all files mmapped executable in file_mmap, and all files open for read by root in inode_permission. Examples of LSM specific definitions: SELinux: # SELINUX_MAGIC dont_measure fsmagic=0xF97CFF8C dont_measure obj_type=var_log_t dont_measure obj_type=auditd_log_t measure subj_user=system_u func=INODE_PERM mask=MAY_READ measure subj_role=system_r func=INODE_PERM mask=MAY_READ Smack: measure subj_user=_ func=INODE_PERM mask=MAY_READ
Documentation/DocBook/Makefile +2 −1 Original line number Diff line number Diff line Loading @@ -12,7 +12,8 @@ DOCBOOKS := z8530book.xml mcabook.xml device-drivers.xml \ kernel-api.xml filesystems.xml lsm.xml usb.xml kgdb.xml \ gadget.xml libata.xml mtdnand.xml librs.xml rapidio.xml \ genericirq.xml s390-drivers.xml uio-howto.xml scsi.xml \ mac80211.xml debugobjects.xml sh.xml regulator.xml mac80211.xml debugobjects.xml sh.xml regulator.xml \ alsa-driver-api.xml writing-an-alsa-driver.xml ### # The build process is as follows (targets): Loading
Documentation/sound/alsa/DocBook/alsa-driver-api.tmpl→Documentation/DocBook/alsa-driver-api.tmpl +13 −4 Original line number Diff line number Diff line <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> <book> <?dbhtml filename="index.html"> <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" []> <!-- ****************************************************** --> <!-- Header --> <!-- ****************************************************** --> <book id="ALSA-Driver-API"> <bookinfo> <title>The ALSA Driver API</title> Loading Loading @@ -35,6 +35,8 @@ </bookinfo> <toc></toc> <chapter><title>Management of Cards and Devices</title> <sect1><title>Card Management</title> !Esound/core/init.c Loading Loading @@ -71,6 +73,10 @@ !Esound/pci/ac97/ac97_codec.c !Esound/pci/ac97/ac97_pcm.c </sect1> <sect1><title>Virtual Master Control API</title> !Esound/core/vmaster.c !Iinclude/sound/control.h </sect1> </chapter> <chapter><title>MIDI API</title> <sect1><title>Raw MIDI API</title> Loading @@ -88,6 +94,9 @@ <chapter><title>Miscellaneous Functions</title> <sect1><title>Hardware-Dependent Devices API</title> !Esound/core/hwdep.c </sect1> <sect1><title>Jack Abstraction Layer API</title> !Esound/core/jack.c </sect1> <sect1><title>ISA DMA Helpers</title> !Esound/core/isadma.c Loading
Documentation/DocBook/uio-howto.tmpl +25 −4 Original line number Diff line number Diff line Loading @@ -41,6 +41,13 @@ GPL version 2. </abstract> <revhistory> <revision> <revnumber>0.8</revnumber> <date>2008-12-24</date> <authorinitials>hjk</authorinitials> <revremark>Added name attributes in mem and portio sysfs directories. </revremark> </revision> <revision> <revnumber>0.7</revnumber> <date>2008-12-23</date> Loading Loading @@ -303,10 +310,17 @@ interested in translating it, please email me appear if the size of the mapping is not 0. </para> <para> Each <filename>mapX/</filename> directory contains two read-only files that show start address and size of the memory: Each <filename>mapX/</filename> directory contains four read-only files that show attributes of the memory: </para> <itemizedlist> <listitem> <para> <filename>name</filename>: A string identifier for this mapping. This is optional, the string can be empty. Drivers can set this to make it easier for userspace to find the correct mapping. </para> </listitem> <listitem> <para> <filename>addr</filename>: The address of memory that can be mapped. Loading Loading @@ -366,10 +380,17 @@ offset = N * getpagesize(); <filename>/sys/class/uio/uioX/portio/</filename>. </para> <para> Each <filename>portX/</filename> directory contains three read-only files that show start, size, and type of the port region: Each <filename>portX/</filename> directory contains four read-only files that show name, start, size, and type of the port region: </para> <itemizedlist> <listitem> <para> <filename>name</filename>: A string identifier for this port region. The string is optional and can be empty. Drivers can set it to make it easier for userspace to find a certain port region. </para> </listitem> <listitem> <para> <filename>start</filename>: The first port of this region. Loading
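Review bot: In Documentation/ABI/testing/ima_policy, the grammar spells the hook INODE_PERMISSION (func:= [BPRM_CHECK][FILE_MMAP][INODE_PERMISSION]), but the default policy and the SELinux and Smack examples all write func=INODE_PERM. A reader copying rules from this file cannot tell which token the policy parser accepts, so the func list and the sample rules should use one spelling. The same block defines "base:" twice (once as the condition list, once as the value list) and mixes "action:" with "condition:=", which is worth tidying in the same pass.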
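Review bot: In the mapX hunk of Documentation/DocBook/uio-howto.tmpl (@@ -303,10 +310,17 @@), the count goes from "two read-only files that show start address and size" to "four read-only files", yet the only list item added in the visible lines is name, which gives three. Please confirm that the itemizedlist under this paragraph really has four entries after the change, or correct the number. The new name item here reads "This is optional, the string can be empty.", while the matching item in the portX hunk reads "The string is optional and can be empty."; using the portX wording in both places would remove the comma splice and keep the two descriptions parallel.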