diff options
| author | Michael J. Chudobiak <mjc@avtechpulse.com> | 2016-04-25 10:00:44 -0400 |
|---|---|---|
| committer | Michael J. Chudobiak <mjc@avtechpulse.com> | 2016-04-25 10:00:44 -0400 |
| commit | a1df417e74aa6dae7352dc8cbb0ad471af5b7c69 (patch) | |
| tree | c34b2311e37ea31db153c90cb8f4570374d05e78 /linux/security/yama | |
initial Olimex linux tree from Daniel, originally Feb 3, 2016
Diffstat (limited to 'linux/security/yama')
| -rw-r--r-- | linux/security/yama/.built-in.o.cmd | 1 | ||||
| -rw-r--r-- | linux/security/yama/.yama.o.cmd | 1 | ||||
| -rw-r--r-- | linux/security/yama/.yama_lsm.o.cmd | 629 | ||||
| -rw-r--r-- | linux/security/yama/Kconfig | 19 | ||||
| -rw-r--r-- | linux/security/yama/Makefile | 3 | ||||
| -rw-r--r-- | linux/security/yama/built-in.o | bin | 0 -> 7404 bytes | |||
| -rw-r--r-- | linux/security/yama/yama.o | bin | 0 -> 7404 bytes | |||
| -rw-r--r-- | linux/security/yama/yama_lsm.c | 440 | ||||
| -rw-r--r-- | linux/security/yama/yama_lsm.o | bin | 0 -> 8704 bytes |
9 files changed, 1093 insertions, 0 deletions
diff --git a/linux/security/yama/.built-in.o.cmd b/linux/security/yama/.built-in.o.cmd new file mode 100644 index 00000000..8b42132d --- /dev/null +++ b/linux/security/yama/.built-in.o.cmd @@ -0,0 +1 @@ +cmd_security/yama/built-in.o := arm-linux-gnueabihf-ld -EL -r -o security/yama/built-in.o security/yama/yama.o diff --git a/linux/security/yama/.yama.o.cmd b/linux/security/yama/.yama.o.cmd new file mode 100644 index 00000000..e8e60bc2 --- /dev/null +++ b/linux/security/yama/.yama.o.cmd @@ -0,0 +1 @@ +cmd_security/yama/yama.o := arm-linux-gnueabihf-ld -EL -r -o security/yama/yama.o security/yama/yama_lsm.o diff --git a/linux/security/yama/.yama_lsm.o.cmd b/linux/security/yama/.yama_lsm.o.cmd new file mode 100644 index 00000000..3838f886 --- /dev/null +++ b/linux/security/yama/.yama_lsm.o.cmd @@ -0,0 +1,629 @@ +cmd_security/yama/yama_lsm.o := arm-linux-gnueabihf-gcc -Wp,-MD,security/yama/.yama_lsm.o.d -nostdinc -isystem /usr/lib/gcc-cross/arm-linux-gnueabihf/5/include -I./arch/arm/include -Iarch/arm/include/generated/uapi -Iarch/arm/include/generated -Iinclude -I./arch/arm/include/uapi -Iarch/arm/include/generated/uapi -I./include/uapi -Iinclude/generated/uapi -include ./include/linux/kconfig.h -D__KERNEL__ -mlittle-endian -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Werror-implicit-function-declaration -Wno-format-security -std=gnu89 -fno-dwarf2-cfi-asm -fno-ipa-sra -mabi=aapcs-linux -mno-thumb-interwork -mfpu=vfp -funwind-tables -mthumb -Wa,-mimplicit-it=always -Wa,-mno-warn-deprecated -D__LINUX_ARM_ARCH__=7 -march=armv7-a -msoft-float -Uarm -fno-delete-null-pointer-checks -O2 --param=allow-store-data-races=0 -Wframe-larger-than=1024 -fstack-protector -Wno-unused-but-set-variable -fno-var-tracking-assignments -pg -Wdeclaration-after-statement -Wno-pointer-sign -fno-strict-overflow -fconserve-stack -Werror=implicit-int -Werror=strict-prototypes -Werror=date-time -DCC_HAVE_ASM_GOTO -D"KBUILD_STR(s)=\#s" -D"KBUILD_BASENAME=KBUILD_STR(yama_lsm)" -D"KBUILD_MODNAME=KBUILD_STR(yama)" -c -o security/yama/.tmp_yama_lsm.o security/yama/yama_lsm.c + +source_security/yama/yama_lsm.o := security/yama/yama_lsm.c + +deps_security/yama/yama_lsm.o := \ + $(wildcard include/config/security/yama/stacked.h) \ + $(wildcard include/config/sysctl.h) \ + include/linux/security.h \ + $(wildcard include/config/mmu.h) \ + $(wildcard include/config/security.h) \ + $(wildcard include/config/fw/loader/user/helper.h) \ + $(wildcard include/config/security/path.h) \ + $(wildcard include/config/security/network.h) \ + $(wildcard include/config/security/network/xfrm.h) \ + $(wildcard include/config/keys.h) \ + $(wildcard include/config/audit.h) \ + $(wildcard include/config/securityfs.h) \ + $(wildcard include/config/security/yama.h) \ + include/linux/key.h \ + include/linux/types.h \ + $(wildcard include/config/uid16.h) \ + $(wildcard include/config/lbdaf.h) \ + $(wildcard include/config/arch/dma/addr/t/64bit.h) \ + $(wildcard include/config/phys/addr/t/64bit.h) \ + $(wildcard include/config/64bit.h) \ + include/uapi/linux/types.h \ + arch/arm/include/asm/types.h \ + include/asm-generic/int-ll64.h \ + include/uapi/asm-generic/int-ll64.h \ + arch/arm/include/generated/asm/bitsperlong.h \ + include/asm-generic/bitsperlong.h \ + include/uapi/asm-generic/bitsperlong.h \ + include/uapi/linux/posix_types.h \ + include/linux/stddef.h \ + include/uapi/linux/stddef.h \ + include/linux/compiler.h \ + $(wildcard include/config/sparse/rcu/pointer.h) \ + $(wildcard include/config/trace/branch/profiling.h) \ + $(wildcard include/config/profile/all/branches.h) \ + $(wildcard include/config/enable/must/check.h) \ + $(wildcard include/config/enable/warn/deprecated.h) \ + $(wildcard include/config/kprobes.h) \ + include/linux/compiler-gcc.h \ + $(wildcard include/config/arch/supports/optimized/inlining.h) \ + $(wildcard include/config/optimize/inlining.h) \ + include/linux/compiler-gcc5.h \ + $(wildcard include/config/arch/use/builtin/bswap.h) \ + arch/arm/include/uapi/asm/posix_types.h \ + include/uapi/asm-generic/posix_types.h \ + include/linux/list.h \ + $(wildcard include/config/debug/list.h) \ + include/linux/poison.h \ + $(wildcard include/config/illegal/pointer/value.h) \ + include/uapi/linux/const.h \ + include/linux/kernel.h \ + $(wildcard include/config/preempt/voluntary.h) \ + $(wildcard include/config/debug/atomic/sleep.h) \ + $(wildcard include/config/prove/locking.h) \ + $(wildcard include/config/panic/timeout.h) \ + $(wildcard include/config/ring/buffer.h) \ + $(wildcard include/config/tracing.h) \ + $(wildcard include/config/ftrace/mcount/record.h) \ + /usr/lib/gcc-cross/arm-linux-gnueabihf/5/include/stdarg.h \ + include/linux/linkage.h \ + include/linux/stringify.h \ + include/linux/export.h \ + $(wildcard include/config/have/underscore/symbol/prefix.h) \ + $(wildcard include/config/modules.h) \ + $(wildcard include/config/modversions.h) \ + $(wildcard include/config/unused/symbols.h) \ + arch/arm/include/asm/linkage.h \ + include/linux/bitops.h \ + arch/arm/include/asm/bitops.h \ + $(wildcard include/config/smp.h) \ + include/linux/irqflags.h \ + $(wildcard include/config/trace/irqflags.h) \ + $(wildcard include/config/preempt/rt/full.h) \ + $(wildcard include/config/irqsoff/tracer.h) \ + $(wildcard include/config/preempt/tracer.h) \ + $(wildcard include/config/trace/irqflags/support.h) \ + include/linux/typecheck.h \ + arch/arm/include/asm/irqflags.h \ + $(wildcard include/config/cpu/v7m.h) \ + arch/arm/include/asm/ptrace.h \ + $(wildcard include/config/arm/thumb.h) \ + $(wildcard include/config/thumb2/kernel.h) \ + arch/arm/include/uapi/asm/ptrace.h \ + $(wildcard include/config/cpu/endian/be8.h) \ + arch/arm/include/asm/hwcap.h \ + arch/arm/include/uapi/asm/hwcap.h \ + arch/arm/include/asm/barrier.h \ + $(wildcard include/config/cpu/32v6k.h) \ + $(wildcard include/config/cpu/xsc3.h) \ + $(wildcard include/config/cpu/fa526.h) \ + $(wildcard include/config/arm/heavy/mb.h) \ + $(wildcard include/config/arch/has/barriers.h) \ + $(wildcard include/config/arm/dma/mem/bufferable.h) \ + include/asm-generic/bitops/non-atomic.h \ + include/asm-generic/bitops/fls64.h \ + include/asm-generic/bitops/sched.h \ + include/asm-generic/bitops/hweight.h \ + include/asm-generic/bitops/arch_hweight.h \ + include/asm-generic/bitops/const_hweight.h \ + include/asm-generic/bitops/lock.h \ + include/asm-generic/bitops/le.h \ + arch/arm/include/uapi/asm/byteorder.h \ + include/linux/byteorder/little_endian.h \ + include/uapi/linux/byteorder/little_endian.h \ + include/linux/swab.h \ + include/uapi/linux/swab.h \ + arch/arm/include/asm/swab.h \ + arch/arm/include/uapi/asm/swab.h \ + include/linux/byteorder/generic.h \ + include/asm-generic/bitops/ext2-atomic-setbit.h \ + include/linux/log2.h \ + $(wildcard include/config/arch/has/ilog2/u32.h) \ + $(wildcard include/config/arch/has/ilog2/u64.h) \ + include/linux/printk.h \ + $(wildcard include/config/message/loglevel/default.h) \ + $(wildcard include/config/early/printk.h) \ + $(wildcard include/config/printk.h) \ + $(wildcard include/config/dynamic/debug.h) \ + include/linux/init.h \ + $(wildcard include/config/broken/rodata.h) \ + $(wildcard include/config/lto.h) \ + include/linux/kern_levels.h \ + include/linux/cache.h \ + $(wildcard include/config/arch/has/cache/line/size.h) \ + include/uapi/linux/kernel.h \ + include/uapi/linux/sysinfo.h \ + arch/arm/include/asm/cache.h \ + $(wildcard include/config/arm/l1/cache/shift.h) \ + $(wildcard include/config/aeabi.h) \ + include/linux/dynamic_debug.h \ + arch/arm/include/asm/div64.h \ + arch/arm/include/asm/compiler.h \ + arch/arm/include/asm/bug.h \ + $(wildcard include/config/bug.h) \ + $(wildcard include/config/debug/bugverbose.h) \ + $(wildcard include/config/arm/lpae.h) \ + arch/arm/include/asm/opcodes.h \ + $(wildcard include/config/cpu/endian/be32.h) \ + include/asm-generic/bug.h \ + $(wildcard include/config/generic/bug.h) \ + $(wildcard include/config/generic/bug/relative/pointers.h) \ + $(wildcard include/config/preempt/rt/base.h) \ + include/linux/rbtree.h \ + include/linux/rcupdate.h \ + $(wildcard include/config/tiny/rcu.h) \ + $(wildcard include/config/tree/rcu.h) \ + $(wildcard include/config/preempt/rcu.h) \ + $(wildcard include/config/rcu/trace.h) \ + $(wildcard include/config/rcu/stall/common.h) \ + $(wildcard include/config/rcu/user/qs.h) \ + $(wildcard include/config/rcu/nocb/cpu.h) \ + $(wildcard include/config/tasks/rcu.h) \ + $(wildcard include/config/debug/lock/alloc.h) \ + $(wildcard include/config/debug/objects/rcu/head.h) \ + $(wildcard include/config/hotplug/cpu.h) \ + $(wildcard include/config/prove/rcu.h) \ + $(wildcard include/config/preempt/count.h) \ + $(wildcard include/config/preempt.h) \ + $(wildcard include/config/rcu/boost.h) \ + $(wildcard include/config/rcu/nocb/cpu/all.h) \ + $(wildcard include/config/no/hz/full/sysidle.h) \ + include/linux/spinlock.h \ + $(wildcard include/config/debug/spinlock.h) \ + $(wildcard include/config/generic/lockbreak.h) \ + include/linux/preempt.h \ + $(wildcard include/config/debug/preempt.h) \ + $(wildcard include/config/preempt/lazy.h) \ + $(wildcard include/config/context/tracking.h) \ + $(wildcard include/config/preempt/notifiers.h) \ + arch/arm/include/generated/asm/preempt.h \ + include/asm-generic/preempt.h \ + include/linux/thread_info.h \ + $(wildcard include/config/compat.h) \ + $(wildcard include/config/debug/stack/usage.h) \ + include/linux/bug.h \ + arch/arm/include/asm/thread_info.h \ + $(wildcard include/config/crunch.h) \ + $(wildcard include/config/arm/thumbee.h) \ + arch/arm/include/asm/fpstate.h \ + $(wildcard include/config/vfpv3.h) \ + $(wildcard include/config/iwmmxt.h) \ + arch/arm/include/asm/page.h \ + $(wildcard include/config/cpu/copy/v4wt.h) \ + $(wildcard include/config/cpu/copy/v4wb.h) \ + $(wildcard include/config/cpu/copy/feroceon.h) \ + $(wildcard include/config/cpu/copy/fa.h) \ + $(wildcard include/config/cpu/sa1100.h) \ + $(wildcard include/config/cpu/xscale.h) \ + $(wildcard include/config/cpu/copy/v6.h) \ + $(wildcard include/config/kuser/helpers.h) \ + $(wildcard include/config/have/arch/pfn/valid.h) \ + arch/arm/include/asm/glue.h \ + arch/arm/include/asm/pgtable-2level-types.h \ + arch/arm/include/asm/memory.h \ + $(wildcard include/config/need/mach/memory/h.h) \ + $(wildcard include/config/page/offset.h) \ + $(wildcard include/config/highmem.h) \ + $(wildcard include/config/dram/base.h) \ + $(wildcard include/config/dram/size.h) \ + $(wildcard include/config/have/tcm.h) \ + $(wildcard include/config/arm/patch/phys/virt.h) \ + $(wildcard include/config/phys/offset.h) \ + $(wildcard include/config/virt/to/bus.h) \ + include/linux/sizes.h \ + include/asm-generic/memory_model.h \ + $(wildcard include/config/flatmem.h) \ + $(wildcard include/config/discontigmem.h) \ + $(wildcard include/config/sparsemem/vmemmap.h) \ + $(wildcard include/config/sparsemem.h) \ + include/asm-generic/getorder.h \ + arch/arm/include/asm/domain.h \ + $(wildcard include/config/io/36.h) \ + $(wildcard include/config/cpu/use/domains.h) \ + include/linux/bottom_half.h \ + include/linux/preempt_mask.h \ + include/linux/spinlock_types.h \ + include/linux/spinlock_types_raw.h \ + arch/arm/include/asm/spinlock_types.h \ + include/linux/lockdep.h \ + $(wildcard include/config/lockdep.h) \ + $(wildcard include/config/lock/stat.h) \ + include/linux/rtmutex.h \ + $(wildcard include/config/debug/mutexes.h) \ + $(wildcard include/config/debug/rt/mutexes.h) \ + include/linux/spinlock_types_rt.h \ + include/linux/rwlock_types_rt.h \ + arch/arm/include/asm/spinlock.h \ + include/linux/prefetch.h \ + arch/arm/include/asm/processor.h \ + $(wildcard include/config/have/hw/breakpoint.h) \ + $(wildcard include/config/arm/errata/754327.h) \ + arch/arm/include/asm/hw_breakpoint.h \ + arch/arm/include/asm/unified.h \ + $(wildcard include/config/arm/asm/unified.h) \ + include/linux/rwlock_rt.h \ + include/linux/spinlock_api_smp.h \ + $(wildcard include/config/inline/spin/lock.h) \ + $(wildcard include/config/inline/spin/lock/bh.h) \ + $(wildcard include/config/inline/spin/lock/irq.h) \ + $(wildcard include/config/inline/spin/lock/irqsave.h) \ + $(wildcard include/config/inline/spin/trylock.h) \ + $(wildcard include/config/inline/spin/trylock/bh.h) \ + $(wildcard include/config/uninline/spin/unlock.h) \ + $(wildcard include/config/inline/spin/unlock/bh.h) \ + $(wildcard include/config/inline/spin/unlock/irq.h) \ + $(wildcard include/config/inline/spin/unlock/irqrestore.h) \ + include/linux/spinlock_rt.h \ + include/linux/threads.h \ + $(wildcard include/config/nr/cpus.h) \ + $(wildcard include/config/base/small.h) \ + include/linux/cpumask.h \ + $(wildcard include/config/cpumask/offstack.h) \ + $(wildcard include/config/debug/per/cpu/maps.h) \ + include/linux/bitmap.h \ + include/linux/string.h \ + $(wildcard include/config/binary/printf.h) \ + include/uapi/linux/string.h \ + arch/arm/include/asm/string.h \ + include/linux/seqlock.h \ + include/linux/completion.h \ + include/linux/wait-simple.h \ + arch/arm/include/generated/asm/current.h \ + include/asm-generic/current.h \ + include/linux/debugobjects.h \ + $(wildcard include/config/debug/objects.h) \ + $(wildcard include/config/debug/objects/free.h) \ + include/linux/rcutree.h \ + include/linux/sysctl.h \ + include/linux/wait.h \ + include/uapi/linux/wait.h \ + include/linux/atomic.h \ + $(wildcard include/config/arch/has/atomic/or.h) \ + $(wildcard include/config/generic/atomic64.h) \ + arch/arm/include/asm/atomic.h \ + arch/arm/include/asm/cmpxchg.h \ + $(wildcard include/config/cpu/sa110.h) \ + $(wildcard include/config/cpu/v6.h) \ + include/asm-generic/cmpxchg-local.h \ + include/asm-generic/atomic-long.h \ + include/uapi/linux/sysctl.h \ + include/linux/rwsem.h \ + $(wildcard include/config/rwsem/spin/on/owner.h) \ + $(wildcard include/config/rwsem/generic/spinlock.h) \ + include/linux/rwsem_rt.h \ + include/linux/assoc_array.h \ + $(wildcard include/config/associative/array.h) \ + include/linux/uidgid.h \ + $(wildcard include/config/multiuser.h) \ + $(wildcard include/config/user/ns.h) \ + include/linux/highuid.h \ + include/linux/capability.h \ + include/uapi/linux/capability.h \ + include/linux/slab.h \ + $(wildcard include/config/debug/slab.h) \ + $(wildcard include/config/kmemcheck.h) \ + $(wildcard include/config/failslab.h) \ + $(wildcard include/config/slab.h) \ + $(wildcard include/config/slub.h) \ + $(wildcard include/config/slob.h) \ + $(wildcard include/config/zone/dma.h) \ + $(wildcard include/config/numa.h) \ + include/linux/gfp.h \ + $(wildcard include/config/zone/dma32.h) \ + $(wildcard include/config/pm/sleep.h) \ + $(wildcard include/config/cma.h) \ + include/linux/mmdebug.h \ + $(wildcard include/config/debug/vm.h) \ + $(wildcard include/config/debug/virtual.h) \ + include/linux/mmzone.h \ + $(wildcard include/config/force/max/zoneorder.h) \ + $(wildcard include/config/memory/isolation.h) \ + $(wildcard include/config/memcg.h) \ + $(wildcard include/config/memory/hotplug.h) \ + $(wildcard include/config/compaction.h) \ + $(wildcard include/config/have/memblock/node/map.h) \ + $(wildcard include/config/flat/node/mem/map.h) \ + $(wildcard include/config/page/extension.h) \ + $(wildcard include/config/no/bootmem.h) \ + $(wildcard include/config/numa/balancing.h) \ + $(wildcard include/config/have/memory/present.h) \ + $(wildcard include/config/have/memoryless/nodes.h) \ + $(wildcard include/config/need/node/memmap/size.h) \ + $(wildcard include/config/need/multiple/nodes.h) \ + $(wildcard include/config/have/arch/early/pfn/to/nid.h) \ + $(wildcard include/config/sparsemem/extreme.h) \ + $(wildcard include/config/nodes/span/other/nodes.h) \ + $(wildcard include/config/holes/in/zone.h) \ + $(wildcard include/config/arch/has/holes/memorymodel.h) \ + include/linux/numa.h \ + $(wildcard include/config/nodes/shift.h) \ + include/linux/nodemask.h \ + $(wildcard include/config/movable/node.h) \ + include/linux/pageblock-flags.h \ + $(wildcard include/config/hugetlb/page.h) \ + $(wildcard include/config/hugetlb/page/size/variable.h) \ + include/linux/page-flags-layout.h \ + include/generated/bounds.h \ + include/linux/memory_hotplug.h \ + $(wildcard include/config/memory/hotremove.h) \ + $(wildcard include/config/have/arch/nodedata/extension.h) \ + $(wildcard include/config/have/bootmem/info/node.h) \ + include/linux/notifier.h \ + include/linux/errno.h \ + include/uapi/linux/errno.h \ + arch/arm/include/generated/asm/errno.h \ + include/uapi/asm-generic/errno.h \ + include/uapi/asm-generic/errno-base.h \ + include/linux/mutex.h \ + $(wildcard include/config/mutex/spin/on/owner.h) \ + include/linux/osq_lock.h \ + include/linux/mutex_rt.h \ + include/linux/srcu.h \ + include/linux/workqueue.h \ + $(wildcard include/config/debug/objects/work.h) \ + $(wildcard include/config/freezer.h) \ + $(wildcard include/config/sysfs.h) \ + include/linux/timer.h \ + $(wildcard include/config/timer/stats.h) \ + $(wildcard include/config/debug/objects/timers.h) \ + include/linux/ktime.h \ + include/linux/time.h \ + $(wildcard include/config/arch/uses/gettimeoffset.h) \ + include/linux/math64.h \ + $(wildcard include/config/arch/supports/int128.h) \ + include/linux/time64.h \ + include/uapi/linux/time.h \ + include/linux/jiffies.h \ + include/linux/timex.h \ + include/uapi/linux/timex.h \ + include/uapi/linux/param.h \ + arch/arm/include/generated/asm/param.h \ + include/asm-generic/param.h \ + $(wildcard include/config/hz.h) \ + include/uapi/asm-generic/param.h \ + arch/arm/include/asm/timex.h \ + include/linux/timekeeping.h \ + include/linux/topology.h \ + $(wildcard include/config/use/percpu/numa/node/id.h) \ + $(wildcard include/config/sched/smt.h) \ + include/linux/smp.h \ + $(wildcard include/config/up/late/init.h) \ + include/linux/llist.h \ + $(wildcard include/config/arch/have/nmi/safe/cmpxchg.h) \ + arch/arm/include/asm/smp.h \ + include/linux/percpu.h \ + $(wildcard include/config/need/per/cpu/embed/first/chunk.h) \ + $(wildcard include/config/need/per/cpu/page/first/chunk.h) \ + $(wildcard include/config/have/setup/per/cpu/area.h) \ + include/linux/pfn.h \ + arch/arm/include/asm/percpu.h \ + include/asm-generic/percpu.h \ + include/linux/percpu-defs.h \ + $(wildcard include/config/debug/force/weak/per/cpu.h) \ + arch/arm/include/asm/topology.h \ + $(wildcard include/config/arm/cpu/topology.h) \ + include/asm-generic/topology.h \ + include/linux/kmemleak.h \ + $(wildcard include/config/debug/kmemleak.h) \ + include/linux/kasan.h \ + $(wildcard include/config/kasan.h) \ + $(wildcard include/config/kasan/shadow/offset.h) \ + include/linux/err.h \ + include/linux/ptrace.h \ + include/linux/sched.h \ + $(wildcard include/config/sched/debug.h) \ + $(wildcard include/config/no/hz/common.h) \ + $(wildcard include/config/lockup/detector.h) \ + $(wildcard include/config/detect/hung/task.h) \ + $(wildcard include/config/core/dump/default/elf/headers.h) \ + $(wildcard include/config/sched/autogroup.h) \ + $(wildcard include/config/virt/cpu/accounting/native.h) \ + $(wildcard include/config/bsd/process/acct.h) \ + $(wildcard include/config/taskstats.h) \ + $(wildcard include/config/cgroups.h) \ + $(wildcard include/config/inotify/user.h) \ + $(wildcard include/config/fanotify.h) \ + $(wildcard include/config/epoll.h) \ + $(wildcard include/config/posix/mqueue.h) \ + $(wildcard include/config/perf/events.h) \ + $(wildcard include/config/schedstats.h) \ + $(wildcard include/config/task/delay/acct.h) \ + $(wildcard include/config/sched/mc.h) \ + $(wildcard include/config/fair/group/sched.h) \ + $(wildcard include/config/rt/group/sched.h) \ + $(wildcard include/config/cgroup/sched.h) \ + $(wildcard include/config/blk/dev/io/trace.h) \ + $(wildcard include/config/compat/brk.h) \ + $(wildcard include/config/memcg/kmem.h) \ + $(wildcard include/config/cc/stackprotector.h) \ + $(wildcard include/config/virt/cpu/accounting/gen.h) \ + $(wildcard include/config/sysvipc.h) \ + $(wildcard include/config/auditsyscall.h) \ + $(wildcard include/config/rt/mutexes.h) \ + $(wildcard include/config/block.h) \ + $(wildcard include/config/task/xacct.h) \ + $(wildcard include/config/cpusets.h) \ + $(wildcard include/config/futex.h) \ + $(wildcard include/config/fault/injection.h) \ + $(wildcard include/config/latencytop.h) \ + $(wildcard include/config/function/graph/tracer.h) \ + $(wildcard include/config/wakeup/latency/hist.h) \ + $(wildcard include/config/missed/timer/offsets/hist.h) \ + $(wildcard include/config/uprobes.h) \ + $(wildcard include/config/bcache.h) \ + $(wildcard include/config/x86/32.h) \ + $(wildcard include/config/have/unstable/sched/clock.h) \ + $(wildcard include/config/irq/time/accounting.h) \ + $(wildcard include/config/no/hz/full.h) \ + $(wildcard include/config/proc/fs.h) \ + $(wildcard include/config/stack/growsup.h) \ + include/uapi/linux/sched.h \ + include/linux/sched/prio.h \ + include/linux/plist.h \ + $(wildcard include/config/debug/pi/list.h) \ + include/linux/mm_types.h \ + $(wildcard include/config/split/ptlock/cpus.h) \ + $(wildcard include/config/arch/enable/split/pmd/ptlock.h) \ + $(wildcard include/config/have/cmpxchg/double.h) \ + $(wildcard include/config/have/aligned/struct/page.h) \ + $(wildcard include/config/transparent/hugepage.h) \ + $(wildcard include/config/pgtable/levels.h) \ + $(wildcard include/config/aio.h) \ + $(wildcard include/config/mmu/notifier.h) \ + $(wildcard include/config/x86/intel/mpx.h) \ + include/linux/auxvec.h \ + include/uapi/linux/auxvec.h \ + arch/arm/include/asm/auxvec.h \ + arch/arm/include/uapi/asm/auxvec.h \ + include/linux/uprobes.h \ + arch/arm/include/asm/uprobes.h \ + arch/arm/include/asm/probes.h \ + arch/arm/include/asm/mmu.h \ + $(wildcard include/config/cpu/has/asid.h) \ + $(wildcard include/config/vdso.h) \ + arch/arm/include/asm/kmap_types.h \ + include/linux/cputime.h \ + arch/arm/include/generated/asm/cputime.h \ + include/asm-generic/cputime.h \ + $(wildcard include/config/virt/cpu/accounting.h) \ + include/asm-generic/cputime_jiffies.h \ + include/linux/sem.h \ + include/uapi/linux/sem.h \ + include/linux/ipc.h \ + include/uapi/linux/ipc.h \ + arch/arm/include/generated/asm/ipcbuf.h \ + include/uapi/asm-generic/ipcbuf.h \ + arch/arm/include/generated/asm/sembuf.h \ + include/uapi/asm-generic/sembuf.h \ + include/linux/shm.h \ + include/uapi/linux/shm.h \ + arch/arm/include/generated/asm/shmbuf.h \ + include/uapi/asm-generic/shmbuf.h \ + arch/arm/include/asm/shmparam.h \ + include/linux/signal.h \ + $(wildcard include/config/old/sigaction.h) \ + include/uapi/linux/signal.h \ + arch/arm/include/asm/signal.h \ + arch/arm/include/uapi/asm/signal.h \ + include/uapi/asm-generic/signal-defs.h \ + arch/arm/include/uapi/asm/sigcontext.h \ + arch/arm/include/generated/asm/siginfo.h \ + include/asm-generic/siginfo.h \ + include/uapi/asm-generic/siginfo.h \ + include/linux/pid.h \ + include/linux/proportions.h \ + include/linux/percpu_counter.h \ + include/linux/seccomp.h \ + $(wildcard include/config/seccomp.h) \ + $(wildcard include/config/have/arch/seccomp/filter.h) \ + $(wildcard include/config/seccomp/filter.h) \ + include/uapi/linux/seccomp.h \ + arch/arm/include/generated/asm/seccomp.h \ + include/asm-generic/seccomp.h \ + include/uapi/linux/unistd.h \ + arch/arm/include/asm/unistd.h \ + $(wildcard include/config/oabi/compat.h) \ + arch/arm/include/uapi/asm/unistd.h \ + include/linux/rculist.h \ + include/linux/resource.h \ + include/uapi/linux/resource.h \ + arch/arm/include/generated/asm/resource.h \ + include/asm-generic/resource.h \ + include/uapi/asm-generic/resource.h \ + include/linux/hrtimer.h \ + $(wildcard include/config/high/res/timers.h) \ + $(wildcard include/config/timerfd.h) \ + include/linux/timerqueue.h \ + include/linux/task_io_accounting.h \ + $(wildcard include/config/task/io/accounting.h) \ + include/linux/latencytop.h \ + include/linux/cred.h \ + $(wildcard include/config/debug/credentials.h) \ + include/linux/selinux.h \ + $(wildcard include/config/security/selinux.h) \ + include/uapi/linux/magic.h \ + include/linux/pid_namespace.h \ + $(wildcard include/config/pid/ns.h) \ + include/linux/mm.h \ + $(wildcard include/config/mem/soft/dirty.h) \ + $(wildcard include/config/x86.h) \ + $(wildcard include/config/ppc.h) \ + $(wildcard include/config/parisc.h) \ + $(wildcard include/config/metag.h) \ + $(wildcard include/config/ia64.h) \ + $(wildcard include/config/shmem.h) \ + $(wildcard include/config/debug/vm/rb.h) \ + $(wildcard include/config/debug/pagealloc.h) \ + $(wildcard include/config/hibernation.h) \ + $(wildcard include/config/hugetlbfs.h) \ + include/linux/debug_locks.h \ + $(wildcard include/config/debug/locking/api/selftests.h) \ + include/linux/range.h \ + include/linux/bit_spinlock.h \ + include/linux/shrinker.h \ + include/linux/page_ext.h \ + $(wildcard include/config/page/owner.h) \ + include/linux/stacktrace.h \ + $(wildcard include/config/stacktrace.h) \ + $(wildcard include/config/user/stacktrace/support.h) \ + arch/arm/include/asm/pgtable.h \ + $(wildcard include/config/highpte.h) \ + arch/arm/include/asm/proc-fns.h \ + arch/arm/include/asm/glue-proc.h \ + $(wildcard include/config/cpu/arm7tdmi.h) \ + $(wildcard include/config/cpu/arm720t.h) \ + $(wildcard include/config/cpu/arm740t.h) \ + $(wildcard include/config/cpu/arm9tdmi.h) \ + $(wildcard include/config/cpu/arm920t.h) \ + $(wildcard include/config/cpu/arm922t.h) \ + $(wildcard include/config/cpu/arm925t.h) \ + $(wildcard include/config/cpu/arm926t.h) \ + $(wildcard include/config/cpu/arm940t.h) \ + $(wildcard include/config/cpu/arm946e.h) \ + $(wildcard include/config/cpu/arm1020.h) \ + $(wildcard include/config/cpu/arm1020e.h) \ + $(wildcard include/config/cpu/arm1022.h) \ + $(wildcard include/config/cpu/arm1026.h) \ + $(wildcard include/config/cpu/mohawk.h) \ + $(wildcard include/config/cpu/feroceon.h) \ + $(wildcard include/config/cpu/v6k.h) \ + $(wildcard include/config/cpu/pj4b.h) \ + $(wildcard include/config/cpu/v7.h) \ + include/asm-generic/pgtable-nopud.h \ + arch/arm/include/asm/pgtable-hwdef.h \ + arch/arm/include/asm/pgtable-2level-hwdef.h \ + arch/arm/include/asm/tlbflush.h \ + $(wildcard include/config/smp/on/up.h) \ + $(wildcard include/config/cpu/tlb/v4wt.h) \ + $(wildcard include/config/cpu/tlb/fa.h) \ + $(wildcard include/config/cpu/tlb/v4wbi.h) \ + $(wildcard include/config/cpu/tlb/feroceon.h) \ + $(wildcard include/config/cpu/tlb/v4wb.h) \ + $(wildcard include/config/cpu/tlb/v6.h) \ + $(wildcard include/config/cpu/tlb/v7.h) \ + $(wildcard include/config/arm/errata/720789.h) \ + $(wildcard include/config/arm/errata/798181.h) \ + arch/arm/include/asm/pgtable-2level.h \ + include/asm-generic/pgtable.h \ + $(wildcard include/config/have/arch/soft/dirty.h) \ + $(wildcard include/config/have/arch/huge/vmap.h) \ + include/linux/page-flags.h \ + $(wildcard include/config/pageflags/extended.h) \ + $(wildcard include/config/arch/uses/pg/uncached.h) \ + $(wildcard include/config/memory/failure.h) \ + $(wildcard include/config/swap.h) \ + $(wildcard include/config/ksm.h) \ + include/linux/huge_mm.h \ + include/linux/vmstat.h \ + $(wildcard include/config/vm/event/counters.h) \ + $(wildcard include/config/debug/tlbflush.h) \ + $(wildcard include/config/debug/vm/vmacache.h) \ + include/linux/vm_event_item.h \ + $(wildcard include/config/migration.h) \ + $(wildcard include/config/memory/balloon.h) \ + $(wildcard include/config/balloon/compaction.h) \ + include/linux/nsproxy.h \ + include/linux/kref.h \ + include/linux/ns_common.h \ + include/uapi/linux/ptrace.h \ + include/uapi/linux/prctl.h \ + include/linux/ratelimit.h \ + +security/yama/yama_lsm.o: $(deps_security/yama/yama_lsm.o) + +$(deps_security/yama/yama_lsm.o): diff --git a/linux/security/yama/Kconfig b/linux/security/yama/Kconfig new file mode 100644 index 00000000..3123e1da --- /dev/null +++ b/linux/security/yama/Kconfig @@ -0,0 +1,19 @@ +config SECURITY_YAMA + bool "Yama support" + depends on SECURITY + default n + help + This selects Yama, which extends DAC support with additional + system-wide security settings beyond regular Linux discretionary + access controls. Currently available is ptrace scope restriction. + Further information can be found in Documentation/security/Yama.txt. + + If you are unsure how to answer this question, answer N. + +config SECURITY_YAMA_STACKED + bool "Yama stacked with other LSMs" + depends on SECURITY_YAMA + default n + help + When Yama is built into the kernel, force it to stack with the + selected primary LSM. diff --git a/linux/security/yama/Makefile b/linux/security/yama/Makefile new file mode 100644 index 00000000..8b5e0658 --- /dev/null +++ b/linux/security/yama/Makefile @@ -0,0 +1,3 @@ +obj-$(CONFIG_SECURITY_YAMA) := yama.o + +yama-y := yama_lsm.o diff --git a/linux/security/yama/built-in.o b/linux/security/yama/built-in.o Binary files differnew file mode 100644 index 00000000..5c35c01c --- /dev/null +++ b/linux/security/yama/built-in.o diff --git a/linux/security/yama/yama.o b/linux/security/yama/yama.o Binary files differnew file mode 100644 index 00000000..5c35c01c --- /dev/null +++ b/linux/security/yama/yama.o diff --git a/linux/security/yama/yama_lsm.c b/linux/security/yama/yama_lsm.c new file mode 100644 index 00000000..24aae2ae --- /dev/null +++ b/linux/security/yama/yama_lsm.c @@ -0,0 +1,440 @@ +/* + * Yama Linux Security Module + * + * Author: Kees Cook <keescook@chromium.org> + * + * Copyright (C) 2010 Canonical, Ltd. + * Copyright (C) 2011 The Chromium OS Authors. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, as + * published by the Free Software Foundation. + * + */ + +#include <linux/security.h> +#include <linux/sysctl.h> +#include <linux/ptrace.h> +#include <linux/prctl.h> +#include <linux/ratelimit.h> +#include <linux/workqueue.h> + +#define YAMA_SCOPE_DISABLED 0 +#define YAMA_SCOPE_RELATIONAL 1 +#define YAMA_SCOPE_CAPABILITY 2 +#define YAMA_SCOPE_NO_ATTACH 3 + +static int ptrace_scope = YAMA_SCOPE_RELATIONAL; + +/* describe a ptrace relationship for potential exception */ +struct ptrace_relation { + struct task_struct *tracer; + struct task_struct *tracee; + bool invalid; + struct list_head node; + struct rcu_head rcu; +}; + +static LIST_HEAD(ptracer_relations); +static DEFINE_SPINLOCK(ptracer_relations_lock); + +static void yama_relation_cleanup(struct work_struct *work); +static DECLARE_WORK(yama_relation_work, yama_relation_cleanup); + +/** + * yama_relation_cleanup - remove invalid entries from the relation list + * + */ +static void yama_relation_cleanup(struct work_struct *work) +{ + struct ptrace_relation *relation; + + spin_lock(&ptracer_relations_lock); + rcu_read_lock(); + list_for_each_entry_rcu(relation, &ptracer_relations, node) { + if (relation->invalid) { + list_del_rcu(&relation->node); + kfree_rcu(relation, rcu); + } + } + rcu_read_unlock(); + spin_unlock(&ptracer_relations_lock); +} + +/** + * yama_ptracer_add - add/replace an exception for this tracer/tracee pair + * @tracer: the task_struct of the process doing the ptrace + * @tracee: the task_struct of the process to be ptraced + * + * Each tracee can have, at most, one tracer registered. Each time this + * is called, the prior registered tracer will be replaced for the tracee. + * + * Returns 0 if relationship was added, -ve on error. + */ +static int yama_ptracer_add(struct task_struct *tracer, + struct task_struct *tracee) +{ + struct ptrace_relation *relation, *added; + + added = kmalloc(sizeof(*added), GFP_KERNEL); + if (!added) + return -ENOMEM; + + added->tracee = tracee; + added->tracer = tracer; + added->invalid = false; + + spin_lock(&ptracer_relations_lock); + rcu_read_lock(); + list_for_each_entry_rcu(relation, &ptracer_relations, node) { + if (relation->invalid) + continue; + if (relation->tracee == tracee) { + list_replace_rcu(&relation->node, &added->node); + kfree_rcu(relation, rcu); + goto out; + } + } + + list_add_rcu(&added->node, &ptracer_relations); + +out: + rcu_read_unlock(); + spin_unlock(&ptracer_relations_lock); + return 0; +} + +/** + * yama_ptracer_del - remove exceptions related to the given tasks + * @tracer: remove any relation where tracer task matches + * @tracee: remove any relation where tracee task matches + */ +static void yama_ptracer_del(struct task_struct *tracer, + struct task_struct *tracee) +{ + struct ptrace_relation *relation; + bool marked = false; + + rcu_read_lock(); + list_for_each_entry_rcu(relation, &ptracer_relations, node) { + if (relation->invalid) + continue; + if (relation->tracee == tracee || + (tracer && relation->tracer == tracer)) { + relation->invalid = true; + marked = true; + } + } + rcu_read_unlock(); + + if (marked) + schedule_work(&yama_relation_work); +} + +/** + * yama_task_free - check for task_pid to remove from exception list + * @task: task being removed + */ +void yama_task_free(struct task_struct *task) +{ + yama_ptracer_del(task, task); +} + +/** + * yama_task_prctl - check for Yama-specific prctl operations + * @option: operation + * @arg2: argument + * @arg3: argument + * @arg4: argument + * @arg5: argument + * + * Return 0 on success, -ve on error. -ENOSYS is returned when Yama + * does not handle the given option. + */ +int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3, + unsigned long arg4, unsigned long arg5) +{ + int rc; + struct task_struct *myself = current; + + rc = cap_task_prctl(option, arg2, arg3, arg4, arg5); + if (rc != -ENOSYS) + return rc; + + switch (option) { + case PR_SET_PTRACER: + /* Since a thread can call prctl(), find the group leader + * before calling _add() or _del() on it, since we want + * process-level granularity of control. The tracer group + * leader checking is handled later when walking the ancestry + * at the time of PTRACE_ATTACH check. + */ + rcu_read_lock(); + if (!thread_group_leader(myself)) + myself = rcu_dereference(myself->group_leader); + get_task_struct(myself); + rcu_read_unlock(); + + if (arg2 == 0) { + yama_ptracer_del(NULL, myself); + rc = 0; + } else if (arg2 == PR_SET_PTRACER_ANY || (int)arg2 == -1) { + rc = yama_ptracer_add(NULL, myself); + } else { + struct task_struct *tracer; + + rcu_read_lock(); + tracer = find_task_by_vpid(arg2); + if (tracer) + get_task_struct(tracer); + else + rc = -EINVAL; + rcu_read_unlock(); + + if (tracer) { + rc = yama_ptracer_add(tracer, myself); + put_task_struct(tracer); + } + } + + put_task_struct(myself); + break; + } + + return rc; +} + +/** + * task_is_descendant - walk up a process family tree looking for a match + * @parent: the process to compare against while walking up from child + * @child: the process to start from while looking upwards for parent + * + * Returns 1 if child is a descendant of parent, 0 if not. + */ +static int task_is_descendant(struct task_struct *parent, + struct task_struct *child) +{ + int rc = 0; + struct task_struct *walker = child; + + if (!parent || !child) + return 0; + + rcu_read_lock(); + if (!thread_group_leader(parent)) + parent = rcu_dereference(parent->group_leader); + while (walker->pid > 0) { + if (!thread_group_leader(walker)) + walker = rcu_dereference(walker->group_leader); + if (walker == parent) { + rc = 1; + break; + } + walker = rcu_dereference(walker->real_parent); + } + rcu_read_unlock(); + + return rc; +} + +/** + * ptracer_exception_found - tracer registered as exception for this tracee + * @tracer: the task_struct of the process attempting ptrace + * @tracee: the task_struct of the process to be ptraced + * + * Returns 1 if tracer has is ptracer exception ancestor for tracee. + */ +static int ptracer_exception_found(struct task_struct *tracer, + struct task_struct *tracee) +{ + int rc = 0; + struct ptrace_relation *relation; + struct task_struct *parent = NULL; + bool found = false; + + rcu_read_lock(); + if (!thread_group_leader(tracee)) + tracee = rcu_dereference(tracee->group_leader); + list_for_each_entry_rcu(relation, &ptracer_relations, node) { + if (relation->invalid) + continue; + if (relation->tracee == tracee) { + parent = relation->tracer; + found = true; + break; + } + } + + if (found && (parent == NULL || task_is_descendant(parent, tracer))) + rc = 1; + rcu_read_unlock(); + + return rc; +} + +/** + * yama_ptrace_access_check - validate PTRACE_ATTACH calls + * @child: task that current task is attempting to ptrace + * @mode: ptrace attach mode + * + * Returns 0 if following the ptrace is allowed, -ve on error. + */ +int yama_ptrace_access_check(struct task_struct *child, + unsigned int mode) +{ + int rc; + + /* If standard caps disallows it, so does Yama. We should + * only tighten restrictions further. + */ + rc = cap_ptrace_access_check(child, mode); + if (rc) + return rc; + + /* require ptrace target be a child of ptracer on attach */ + if (mode == PTRACE_MODE_ATTACH) { + switch (ptrace_scope) { + case YAMA_SCOPE_DISABLED: + /* No additional restrictions. */ + break; + case YAMA_SCOPE_RELATIONAL: + rcu_read_lock(); + if (!task_is_descendant(current, child) && + !ptracer_exception_found(current, child) && + !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) + rc = -EPERM; + rcu_read_unlock(); + break; + case YAMA_SCOPE_CAPABILITY: + rcu_read_lock(); + if (!ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) + rc = -EPERM; + rcu_read_unlock(); + break; + case YAMA_SCOPE_NO_ATTACH: + default: + rc = -EPERM; + break; + } + } + + if (rc) { + printk_ratelimited(KERN_NOTICE + "ptrace of pid %d was attempted by: %s (pid %d)\n", + child->pid, current->comm, current->pid); + } + + return rc; +} + +/** + * yama_ptrace_traceme - validate PTRACE_TRACEME calls + * @parent: task that will become the ptracer of the current task + * + * Returns 0 if following the ptrace is allowed, -ve on error. + */ +int yama_ptrace_traceme(struct task_struct *parent) +{ + int rc; + + /* If standard caps disallows it, so does Yama. We should + * only tighten restrictions further. + */ + rc = cap_ptrace_traceme(parent); + if (rc) + return rc; + + /* Only disallow PTRACE_TRACEME on more aggressive settings. */ + switch (ptrace_scope) { + case YAMA_SCOPE_CAPABILITY: + if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE)) + rc = -EPERM; + break; + case YAMA_SCOPE_NO_ATTACH: + rc = -EPERM; + break; + } + + if (rc) { + printk_ratelimited(KERN_NOTICE + "ptraceme of pid %d was attempted by: %s (pid %d)\n", + current->pid, parent->comm, parent->pid); + } + + return rc; +} + +#ifndef CONFIG_SECURITY_YAMA_STACKED +static struct security_operations yama_ops = { + .name = "yama", + + .ptrace_access_check = yama_ptrace_access_check, + .ptrace_traceme = yama_ptrace_traceme, + .task_prctl = yama_task_prctl, + .task_free = yama_task_free, +}; +#endif + +#ifdef CONFIG_SYSCTL +static int yama_dointvec_minmax(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) +{ + struct ctl_table table_copy; + + if (write && !capable(CAP_SYS_PTRACE)) + return -EPERM; + + /* Lock the max value if it ever gets set. */ + table_copy = *table; + if (*(int *)table_copy.data == *(int *)table_copy.extra2) + table_copy.extra1 = table_copy.extra2; + + return proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos); +} + +static int zero; +static int max_scope = YAMA_SCOPE_NO_ATTACH; + +struct ctl_path yama_sysctl_path[] = { + { .procname = "kernel", }, + { .procname = "yama", }, + { } +}; + +static struct ctl_table yama_sysctl_table[] = { + { + .procname = "ptrace_scope", + .data = &ptrace_scope, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = yama_dointvec_minmax, + .extra1 = &zero, + .extra2 = &max_scope, + }, + { } +}; +#endif /* CONFIG_SYSCTL */ + +static __init int yama_init(void) +{ +#ifndef CONFIG_SECURITY_YAMA_STACKED + if (!security_module_enable(&yama_ops)) + return 0; +#endif + + printk(KERN_INFO "Yama: becoming mindful.\n"); + +#ifndef CONFIG_SECURITY_YAMA_STACKED + if (register_security(&yama_ops)) + panic("Yama: kernel registration failed.\n"); +#endif + +#ifdef CONFIG_SYSCTL + if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table)) + panic("Yama: sysctl registration failed.\n"); +#endif + + return 0; +} + +security_initcall(yama_init); diff --git a/linux/security/yama/yama_lsm.o b/linux/security/yama/yama_lsm.o Binary files differnew file mode 100644 index 00000000..9c880bca --- /dev/null +++ b/linux/security/yama/yama_lsm.o |