Commit Graph

414388 Commits

Author SHA1 Message Date
Lukasz Pawelczyk
6686781852 Smack: adds smackfs/ptrace interface
This allows to limit ptrace beyond the regular smack access rules.
It adds a smackfs/ptrace interface that allows smack to be configured
to require equal smack labels for PTRACE_MODE_ATTACH access.
See the changes in Documentation/security/Smack.txt below for details.

Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
2014-04-11 14:34:35 -07:00
Lukasz Pawelczyk
5663884caa Smack: unify all ptrace accesses in the smack
The decision whether we can trace a process is made in the following
functions:
	smack_ptrace_traceme()
	smack_ptrace_access_check()
	smack_bprm_set_creds() (in case the proces is traced)

This patch unifies all those decisions by introducing one function that
checks whether ptrace is allowed: smk_ptrace_rule_check().

This makes possible to actually trace with TRACEME where first the
TRACEME itself must be allowed and then exec() on a traced process.

Additional bugs fixed:
- The decision is made according to the mode parameter that is now correctly
  translated from PTRACE_MODE_* to MAY_* instead of being treated 1:1.
  PTRACE_MODE_READ requires MAY_READ.
  PTRACE_MODE_ATTACH requires MAY_READWRITE.
- Add a smack audit log in case of exec() refused by bprm_set_creds().
- Honor the PTRACE_MODE_NOAUDIT flag and don't put smack audit info
  in case this flag is set.

Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
2014-04-11 14:34:26 -07:00
Lukasz Pawelczyk
959e6c7f1e Smack: fix the subject/object order in smack_ptrace_traceme()
The order of subject/object is currently reversed in
smack_ptrace_traceme(). It is currently checked if the tracee has a
capability to trace tracer and according to this rule a decision is made
whether the tracer will be allowed to trace tracee.

Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
2014-04-11 14:34:17 -07:00
José Bollo
55dfc5da1a Minor improvement of 'smack_sb_kern_mount'
Fix a possible memory access fault when transmute is true and isp is NULL.

Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
2014-04-11 14:33:59 -07:00
Paul Moore
f64410ec66 selinux: correctly label /proc inodes in use before the policy is loaded
This patch is based on an earlier patch by Eric Paris, he describes
the problem below:

  "If an inode is accessed before policy load it will get placed on a
   list of inodes to be initialized after policy load.  After policy
   load we call inode_doinit() which calls inode_doinit_with_dentry()
   on all inodes accessed before policy load.  In the case of inodes
   in procfs that means we'll end up at the bottom where it does:

     /* Default to the fs superblock SID. */
     isec->sid = sbsec->sid;

     if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
             if (opt_dentry) {
                     isec->sclass = inode_mode_to_security_class(...)
                     rc = selinux_proc_get_sid(opt_dentry,
                                               isec->sclass,
                                               &sid);
                     if (rc)
                             goto out_unlock;
                     isec->sid = sid;
             }
     }

   Since opt_dentry is null, we'll never call selinux_proc_get_sid()
   and will leave the inode labeled with the label on the superblock.
   I believe a fix would be to mimic the behavior of xattrs.  Look
   for an alias of the inode.  If it can't be found, just leave the
   inode uninitialized (and pick it up later) if it can be found, we
   should be able to call selinux_proc_get_sid() ..."

On a system exhibiting this problem, you will notice a lot of files in
/proc with the generic "proc_t" type (at least the ones that were
accessed early in the boot), for example:

   # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
   system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax

However, with this patch in place we see the expected result:

   # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
   system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax

Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
2014-03-19 16:46:18 -04:00
Paul Moore
98883bfd9d selinux: put the mmap() DAC controls before the MAC controls
It turns out that doing the SELinux MAC checks for mmap() before the
DAC checks was causing users and the SELinux policy folks headaches
as users were seeing a lot of SELinux AVC denials for the
memprotect:mmap_zero permission that would have also been denied by
the normal DAC capability checks (CAP_SYS_RAWIO).

Example:

 # cat mmap_test.c
  #include <stdlib.h>
  #include <stdio.h>
  #include <errno.h>
  #include <sys/mman.h>

  int main(int argc, char *argv[])
  {
        int rc;
        void *mem;

        mem = mmap(0x0, 4096,
                   PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
        if (mem == MAP_FAILED)
                return errno;
        printf("mem = %p\n", mem);
        munmap(mem, 4096);

        return 0;
  }
 # gcc -g -O0 -o mmap_test mmap_test.c
 # ./mmap_test
 mem = (nil)
 # ausearch -m AVC | grep mmap_zero
 type=AVC msg=audit(...): avc:  denied  { mmap_zero }
   for pid=1025 comm="mmap_test"
   scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   tclass=memprotect

This patch corrects things so that when the above example is run by a
user without CAP_SYS_RAWIO the SELinux AVC is no longer generated as
the DAC capability check fails before the SELinux permission check.

Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-19 16:46:11 -04:00
Paul Moore
2c5f5c9a1d selinux: fix the output of ./scripts/get_maintainer.pl for SELinux
Correctly tag the SELinux mailing list as moderated for non-subscribers
and do some shuffling of the SELinux maintainers to try and make things
more clear when the scripts/get_maintainer.pl script is used.

 # ./scripts/get_maintainer.pl -f security/selinux
 Paul Moore <paul@paul-moore.com> (supporter:SELINUX SECURITY...)
 Stephen Smalley <sds@tycho.nsa.gov> (supporter:SELINUX SECURITY...)
 Eric Paris <eparis@parisplace.org> (supporter:SELINUX SECURITY...)
 James Morris <james.l.morris@oracle.com> (supporter:SECURITY SUBSYSTEM)
 selinux@tycho.nsa.gov (moderated list:SELINUX SECURITY...)
 linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM)
 linux-kernel@vger.kernel.org (open list)

Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Cc: James Morris <james.l.morris@oracle.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
2014-03-19 16:46:04 -04:00
James Morris
33b2533518 Merge branch 'next-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next 2014-03-12 16:33:48 +11:00
Dmitry Kasatkin
a3aef94b31 evm: enable key retention service automatically
If keys are not enabled, EVM is not visible in the configuration menu.
It may be difficult to figure out what to do unless you really know.
Other subsystems as NFS, CIFS select keys automatically. This patch does
the same.

This patch also removes '(TRUSTED_KEYS=y || TRUSTED_KEYS=n)' dependency,
which is unnecessary. EVM does not depend on trusted keys, but on
encrypted keys. evm.h provides compile time dependency.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07 12:15:49 -05:00
Dmitry Kasatkin
1d91ac6213 ima: skip memory allocation for empty files
Memory allocation is unnecessary for empty files.
This patch calculates the hash without memory allocation.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07 12:15:48 -05:00
Dmitry Kasatkin
e0420039b6 evm: EVM does not use MD5
EVM does not use MD5 HMAC. Selection of CRYPTO_MD5 can be safely removed.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07 12:15:47 -05:00
Dmitry Kasatkin
61997c4383 ima: return d_name.name if d_path fails
This is a small refactoring so ima_d_path() returns dentry name
if path reconstruction fails. It simplifies callers actions
and removes code duplication.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07 12:15:46 -05:00
Dmitry Kasatkin
2bb930abcf integrity: fix checkpatch errors
Between checkpatch changes (eg. sizeof) and inconsistencies between
Lindent and checkpatch, unfixed checkpatch errors make it difficult
to see new errors. This patch fixes them. Some lines with over 80 chars
remained unchanged to improve code readability.

The "extern" keyword is removed from internal evm.h to make it consistent
with internal ima.h.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07 12:15:45 -05:00
Dmitry Kasatkin
09b1148ef5 ima: fix erroneous removal of security.ima xattr
ima_inode_post_setattr() calls ima_must_appraise() to check if the
file needs to be appraised. If it does not then it removes security.ima
xattr. With original policy matching code it might happen that even
file needs to be appraised with FILE_CHECK hook, it might not be
for POST_SETATTR hook. 'security.ima' might be erronously removed.

This patch treats POST_SETATTR as special wildcard function and will
cause ima_must_appraise() to be true if any of the hooks rules matches.
security.ima will not be removed if any of the hooks would require
appraisal.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07 12:15:44 -05:00
Joe Perches
20ee451f5a security: integrity: Use a more current logging style
Convert printks to pr_<level>.
Add pr_fmt.
Remove embedded prefixes.

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07 12:15:21 -05:00
Mimi Zohar
74dd744fd7 MAINTAINERS: email updates and other misc. changes
Changes for Trusted/Encrypted keys, EVM, and IMA.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07 11:32:31 -05:00
Roberto Sassu
e3b64c268b ima: reduce memory usage when a template containing the n field is used
Before this change, to correctly calculate the template digest for the
'ima' template, the event name field (id: 'n') length was set to the fixed
size of 256 bytes.

This patch reduces the length of the event name field to the string
length incremented of one (to make room for the termination character '\0')
and handles the specific case of the digest calculation for the 'ima'
template directly in ima_calc_field_array_hash_tfm().

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07 11:32:30 -05:00
Roberto Sassu
c019e307ad ima: restore the original behavior for sending data with ima template
With the new template mechanism introduced in IMA since kernel 3.13,
the format of data sent through the binary_runtime_measurements interface
is slightly changed. Now, for a generic measurement, the format of
template data (after the template name) is:

template_len | field1_len | field1 | ... | fieldN_len | fieldN

In addition, fields containing a string now include the '\0' termination
character.

Instead, the format for the 'ima' template should be:

SHA1 digest | event name length | event name

It must be noted that while in the IMA 3.13 code 'event name length' is
'IMA_EVENT_NAME_LEN_MAX + 1' (256 bytes), so that the template digest
is calculated correctly, and 'event name' contains '\0', in the pre 3.13
code 'event name length' is exactly the string length and 'event name'
does not contain the termination character.

The patch restores the behavior of the IMA code pre 3.13 for the 'ima'
template so that legacy userspace tools obtain a consistent behavior
when receiving data from the binary_runtime_measurements interface
regardless of which kernel version is used.

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Cc: <stable@vger.kernel.org> # 3.3.13: 3ce1217 ima: define template fields library
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07 11:32:29 -05:00
Tetsuo Handa
73a6b44a00 Integrity: Pass commname via get_task_comm()
When we pass task->comm to audit_log_untrustedstring(), we need to pass it
via get_task_comm() because task->comm can be changed to contain untrusted
string by other threads after audit_log_untrustedstring() confirmed that
task->comm does not contain untrusted string.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07 11:32:28 -05:00
Mimi Zohar
d984ea6049 fs: move i_readcount
On a 64-bit system, a hole exists in the 'inode' structure after
i_writecount.  This patch moves i_readcount to fill this hole.

Reported-by: David Howells <dhowells@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Howells <dhowells@redhat.com>
2014-03-07 11:31:55 -05:00
Mimi Zohar
52a1328484 ima: use static const char array definitions
A const char pointer allocates memory for a pointer as well as for
a string,  This patch replaces a number of the const char pointers
throughout IMA, with a static const char array.

Suggested-by: David Howells <dhowells@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Howells <dhowells@redhat.com>
2014-03-07 11:30:36 -05:00
Jeff Layton
d4a141c8e7 security: have cap_dentry_init_security return error
Currently, cap_dentry_init_security returns 0 without actually
initializing the security label. This confuses its only caller
(nfs4_label_init_security) which expects an error in that situation, and
causes it to end up sending out junk onto the wire instead of simply
suppressing the label in the attributes sent.

When CONFIG_SECURITY is disabled, security_dentry_init_security returns
-EOPNOTSUPP. Have cap_dentry_init_security do the same.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2014-03-07 11:50:01 +11:00
Libo Chen
31d4b76189 ima: new helper: file_inode(file)
Replace "file->f_dentry->d_inode" with the new file_inode() helper
function.

Signed-off-by: Libo Chen <clbchenlibo.chen@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-04 16:53:03 -05:00
Rashika Kheria
864f32a52b kernel: Mark function as static in kernel/seccomp.c
Mark function as static in kernel/seccomp.c because it is not used
outside this file.

This eliminates the following warning in kernel/seccomp.c:
kernel/seccomp.c:296:6: warning: no previous prototype for ?seccomp_attach_user_filter? [-Wmissing-prototypes]

Signed-off-by: Rashika Kheria <rashika.kheria@gmail.com>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Will Drewry <wad@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2014-02-28 13:54:27 +11:00
Joe Perches
f5645d3575 capability: Use current logging styles
Prefix logging output with "capability: " via pr_fmt.
Convert printks to pr_<level>.
Use pr_<level>_once instead of guard flags.
Coalesce formats.

Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2014-02-24 14:44:53 +11:00
Sam Ravnborg
e0c2de2b15 security: cleanup Makefiles to use standard syntax for specifying sub-directories
The Makefiles in security/ uses a non-standard way to
specify sub-directories for building.

Fix it up so the normal (and documented) approach is used.

Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Cc: Michal Marek <mmarek@suse.cz>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2014-02-17 11:08:04 +11:00
Paul Moore
e0238b4ced selinux: fix the output of ./scripts/get_maintainer.pl for SELinux
Correctly tag the SELinux mailing list as moderated for non-subscribers
and do some shuffling of the SELinux maintainers to try and make things
more clear when the scripts/get_maintainer.pl script is used.

 # ./scripts/get_maintainer.pl -f security/selinux
 Paul Moore <paul@paul-moore.com> (supporter:SELINUX SECURITY...)
 Stephen Smalley <sds@tycho.nsa.gov> (supporter:SELINUX SECURITY...)
 Eric Paris <eparis@parisplace.org> (supporter:SELINUX SECURITY...)
 James Morris <james.l.morris@oracle.com> (supporter:SECURITY SUBSYSTEM)
 selinux@tycho.nsa.gov (moderated list:SELINUX SECURITY...)
 linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM)
 linux-kernel@vger.kernel.org (open list)

Cc: Eric Paris <eparis@parisplace.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2014-02-07 10:54:35 +11:00
Jingoo Han
29707b206c security: replace strict_strto*() with kstrto*()
The usage of strict_strto*() is not preferred, because
strict_strto*() is obsolete. Thus, kstrto*() should be
used.

Signed-off-by: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2014-02-06 19:11:04 +11:00
James Morris
923b49ff69 Merge branch 'master' of git://git.infradead.org/users/pcmoore/selinux into next 2014-01-08 17:22:32 +11:00
Tetsuo Handa
8ed8146028 SELinux: Fix memory leak upon loading policy
Hello.

I got below leak with linux-3.10.0-54.0.1.el7.x86_64 .

[  681.903890] kmemleak: 5538 new suspected memory leaks (see /sys/kernel/debug/kmemleak)

Below is a patch, but I don't know whether we need special handing for undoing
ebitmap_set_bit() call.
----------
>>From fe97527a90fe95e2239dfbaa7558f0ed559c0992 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Mon, 6 Jan 2014 16:30:21 +0900
Subject: [PATCH] SELinux: Fix memory leak upon loading policy

Commit 2463c26d "SELinux: put name based create rules in a hashtable" did not
check return value from hashtab_insert() in filename_trans_read(). It leaks
memory if hashtab_insert() returns error.

  unreferenced object 0xffff88005c9160d0 (size 8):
    comm "systemd", pid 1, jiffies 4294688674 (age 235.265s)
    hex dump (first 8 bytes):
      57 0b 00 00 6b 6b 6b a5                          W...kkk.
    backtrace:
      [<ffffffff816604ae>] kmemleak_alloc+0x4e/0xb0
      [<ffffffff811cba5e>] kmem_cache_alloc_trace+0x12e/0x360
      [<ffffffff812aec5d>] policydb_read+0xd1d/0xf70
      [<ffffffff812b345c>] security_load_policy+0x6c/0x500
      [<ffffffff812a623c>] sel_write_load+0xac/0x750
      [<ffffffff811eb680>] vfs_write+0xc0/0x1f0
      [<ffffffff811ec08c>] SyS_write+0x4c/0xa0
      [<ffffffff81690419>] system_call_fastpath+0x16/0x1b
      [<ffffffffffffffff>] 0xffffffffffffffff

However, we should not return EEXIST error to the caller, or the systemd will
show below message and the boot sequence freezes.

  systemd[1]: Failed to load SELinux policy. Freezing.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Eric Paris <eparis@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <pmoore@redhat.com>
2014-01-07 10:21:44 -05:00
James Morris
d4a82a4a03 Merge branch 'master' of git://git.infradead.org/users/pcmoore/selinux into next
Conflicts:
	security/selinux/hooks.c

Resolved using request struct.

Signed-off-by: James Morris <james.l.morris@oracle.com>
2014-01-07 01:45:59 +11:00
Fengguang Wu
5f64822d63 tpm/tpm-sysfs: active_show() can be static
so we make it static

CC: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
CC: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:25 +01:00
Jason Gunthorpe
19b94d2df5 tpm: tpm_tis: Fix compile problems with CONFIG_PM_SLEEP/CONFIG_PNP
If CONFIG_PM_SLEEP=n, CONFIG_PNP=y we get this warning:

drivers/char/tpm/tpm_tis.c:706:13: warning: 'tpm_tis_reenable_interrupts' defined but not used [-Wunused-function]

This seems to have been introduced in a2fa3fb0d 'tpm: convert tpm_tis driver
to use dev_pm_ops from legacy pm_ops'

Also, unpon reviewing, the #ifdefs around tpm_tis_pm are not right, the first
reference is protected, the second is not. tpm_tis_pm is always defined so we
can drop the #ifdef.

Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:25 +01:00
Jason Gunthorpe
e3302e0d6d tpm: Make tpm-dev allocate a per-file structure
This consolidates everything that is only used within tpm-dev.c
into tpm-dev.c and out of the publicly visible struct tpm_chip.

The per-file allocation lays the ground work for someday fixing the
strange forced O_EXCL behaviour of the current code.

Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Joel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: Ashley Lai <adlai@linux.vnet.ibm.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:25 +01:00
Jason Gunthorpe
5f82e9f004 tpm: Use the ops structure instead of a copy in tpm_vendor_specific
This builds on the last commit to use the ops structure in the core
and reduce the size of tpm_vendor_specific.

Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Joel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: Ashley Lai <adlai@linux.vnet.ibm.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:25 +01:00
Jason Gunthorpe
01ad1fa75d tpm: Create a tpm_class_ops structure and use it in the drivers
This replaces the static initialization of a tpm_vendor_specific
structure in the drivers with the standard Linux idiom of providing
a const structure of function pointers.

Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Joel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: Ashley Lai <adlai@linux.vnet.ibm.com>
[phuewe: did apply manually due to commit
191ffc6bde3 tpm/tpm_i2c_atmel: fix coccinelle warnings]
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:25 +01:00
Jason Gunthorpe
1e3b73a957 tpm: Pull all driver sysfs code into tpm-sysfs.c
The tpm core now sets up and controls all sysfs attributes, instead
of having each driver have a unique take on it.

All drivers now now have a uniform set of attributes, and no sysfs
related entry points are exported from the tpm core module.

This also uses the new method used to declare sysfs attributes
with DEVICE_ATTR_RO and 'struct attribute *'

Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
[phuewe: had to apply the tpm_i2c_atmel part manually due to commit
191ffc6bde3fc tpm/tpm_i2c_atmel: fix coccinelle warnings]

Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:25 +01:00
Jason Gunthorpe
000a07b0aa tpm: Move sysfs functions from tpm-interface to tpm-sysfs
CLASS-sysfs.c is a common idiom for linux subsystems.

This is the first step to pulling all the sysfs support code from
the drivers into tpm-sysfs. This is a plain text copy from tpm-interface
with support changes to make it compile.

_tpm_pcr_read is made non-static and is called tpm_pcr_read_dev.

Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:24 +01:00
Jason Gunthorpe
afdba32e2a tpm: Pull everything related to /dev/tpmX into tpm-dev.c
CLASS-dev.c is a common idiom for Linux subsystems

This pulls all the code related to the miscdev into tpm-dev.c and makes it
static. The identical file_operation structs in the drivers are purged and the
tpm common code unconditionally creates the miscdev.

Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Joel Schopp <jschopp@linux.vnet.ibm.com>
Reviewed-by: Ashley Lai <adlai@linux.vnet.ibm.com>
[phuewe:
tpm_dev_release is now used only in this file, thus the EXPORT_SYMBOL
can be dropped and the function be marked as static.
It has no other in-kernel users]
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:24 +01:00
Michal Nazarewicz
d65e55d499 char: tpm: nuvoton: remove unused variable
“wait” wait queue is defined but never used in the function, thus
it can be removed.

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Acked-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:24 +01:00
Peter Huewe
383dec1fa3 tpm: MAINTAINERS: Cleanup TPM Maintainers file
- removing stale/inactive maintainers
- removing stale/outdated website
- regrouped maintainers

Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:24 +01:00
Fengguang Wu
ba6a09d7c0 tpm/tpm_i2c_atmel: fix coccinelle warnings
drivers/char/tpm/tpm_i2c_atmel.c:178:8-9: WARNING: return of 0/1 in function 'i2c_atmel_req_canceled' with return type bool

 Return statements in functions returning bool should use
 true/false instead of 1/0.
Generated by: coccinelle/misc/boolreturn.cocci

CC: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
CC: Peter Huewe <peterhuewe@gmx.de>
Acked-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:24 +01:00
Peter Huewe
37bd99d7cb tpm/tpm_ibmvtpm: fix unreachable code warning (smatch warning)
smatch complains:
drivers/char/tpm/tpm_ibmvtpm.c:510
ibmvtpm_crq_process() info: ignoring unreachable code.

-> The return is not necessary here, remove it

Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:24 +01:00
Peter Huewe
85c5e0d451 tpm/tpm_i2c_stm_st33: Check return code of get_burstcount
The 'get_burstcount' function can in some circumstances 'return -EBUSY' which
in tpm_stm_i2c_send is stored in an 'u32 burstcnt'
thus converting the signed value into an unsigned value, resulting
in 'burstcnt' being huge.
Changing the type to u32 only does not solve the problem as the signed
value is converted to an unsigned in I2C_WRITE_DATA, resulting in the
same effect.

Thus
-> Change type of burstcnt to u32 (the return type of get_burstcount)
-> Add a check for the return value of 'get_burstcount' and propagate a
potential error.

This makes also sense in the 'I2C_READ_DATA' case, where the there is no
signed/unsigned conversion.

found by coverity
Cc: stable@vger.kernel.org
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:24 +01:00
Peter Huewe
238b1eaa59 tpm/tpm_ppi: Check return value of acpi_get_name
If
 status = acpi_get_name(handle, ACPI_FULL_PATHNAME, &buffer);
fails for whatever reason and does not return AE_OK
 if (strstr(buffer.pointer, context) != NULL) {
does dereference a null pointer.

-> Check the return value and return the status to the caller

Found by coverity
Cc: stable@vger.kernel.org
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:23 +01:00
Peter Huewe
747d35bd9b tpm/tpm_ppi: Do not compare strcmp(a,b) == -1
Depending on the implementation strcmp might return the difference between
two strings not only -1,0,1 consequently
 if (strcmp (a,b) == -1)
might lead to taking the wrong branch

-> compare with < 0  instead,
which in any case is more canonical.

Cc: stable@vger.kernel.org
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
2014-01-06 14:37:23 +01:00
James Morris
38fd2c202a Merge to v3.13-rc7 for prerequisite changes in the Xen code for TPM 2014-01-06 22:23:01 +11:00
Linus Torvalds
d6e0a2dd12 Linux 3.13-rc7 2014-01-04 15:12:14 -08:00
Linus Torvalds
9a2f1aad2f Two fixes:
- Fix build error caused by max17042_battery conversion to the regmap API.
 
 - Fix kernel oops when booting with wakeup_source_activate enabled.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJSxnmOAAoJEGgI9fZJve1bWXkQAI+FwHDIVhrv14Inmpw0z8FE
 m3FFqqpiKpilP4lKxAuKLiRGIry8Gj5q7XPLt6PMaHjeD0tO6DNZETEDqyo1ey21
 lZSvOVqhJJakqZGxyp7gMnrVAdxXNj6umC3er9uQVpmKM1bVMBHUZS+FRezX1a8Q
 pz6DhgfKXNaHHdSnDTOQOfjY6wQmwkN9kT5I5Re89ZpPT2FrfgeyiPTDgchbXQ3N
 zSNN/iKhoDfR36gpnvAffLxAxCrg1ZuuL5qilPC4x3wzHmZZ9hJmNtoQu3u+1qQX
 YpbSUCBlmtzfXaUV6dXJ8ah+wqnPphCcxcnCKFTGl1jwhCTfwvcLTTJwkaHPK9Dc
 I4I602L4Qreeu6KC0Cj/RIkLQK1ry566+C3yDKx94TpP6VofMib7j17RE5YJCPlq
 KC1RlxQr/9CpDAsgWlEq/F+YI0Iekcj6cl0z8CuQ4AFEmv0DhuRAo2JyIhzgRWs3
 cROU6fbwsfH9W2ngSi4nR45VxqFzKtDnlWvboqTp51HSyXBCuBAATOL883fq/ouG
 svAM34k7YEZvdkG1/aSwg4FEGwetFsOIlPVxcNJa9FTQ35Lr+5OWHBS3llmdQQmC
 xRf2LIy+c8/h4kSfLDqr08CZnJYWrl6FheEWAof7XjR5j3XbUJQHbtEcHN0rp8jd
 q9MCoICz/dUm8VgpGm5H
 =SW7z
 -----END PGP SIGNATURE-----

Merge tag 'for-v3.13-fixes' of git://git.infradead.org/battery-2.6

Pull battery fixes from Anton Vorontsov:
 "Two fixes:

   - fix build error caused by max17042_battery conversion to the regmap
     API.

   - fix kernel oops when booting with wakeup_source_activate enabled"

* tag 'for-v3.13-fixes' of git://git.infradead.org/battery-2.6:
  max17042_battery: Fix build errors caused by missing REGMAP_I2C config
  power_supply: Fix Oops from NULL pointer dereference from wakeup_source_activate
2014-01-03 13:48:25 -08:00
Linus Torvalds
23e8e5901d ACPI and power management fixes and new device IDs for 3.13-rc7
- VGA switcheroo was broken for some users as a result of the ACPI-based
   PCI hotplug (ACPIPHP) changes in 3.12, because some previously ignored
   hotplug events started to be handled.  The fix causes them to be
   ignored again.
 
 - There are two more issues related to cpufreq's suspend/resume handling
   changes from the 3.12 cycle addressed by Viresh Kumar's fixes.
 
 - intel_pstate triggers a divide error in a timer function if the P-state
   information it needs is missing during initialization.  This leads to
   kernel panics on nested KVM clients and is fixed by failing the
   initialization cleanly in those cases.
 
 - PCI initalization code changes during the 3.9 cycle uncovered BIOS
   issues related to ACPI wakeup notifications (some BIOSes send them
   for devices that aren't supposed to support ACPI wakeup).  Work around
   them by installing an ACPI wakeup notify handler for all PCI devices
   with ACPI support.
 
 - The Calxeda cpuilde driver's probe function is tagged as __init, which
   is incorrect and causes a section mismatch to occur during build.  Fix
   from Andre Przywara removes the __init tag from there.
 
 - During the 3.12 cycle ACPIPHP started to print warnings about missing
   _ADR for devices that legitimately don't have it.  Fix from Toshi Kani
   makes it only print the warnings where they make sense.
 
 /
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
 iQIcBAABCAAGBQJSxrJgAAoJEILEb/54YlRxRPkP/ifzrrVhdzqXIEy44b93JeDx
 oSmZW6yTO51GZlDx2bjt6CGJcIUDC4ExYV6S2tB44/DL19CYdIxi7oBaXtUvzGRs
 oZ6B1wfvKOIxZ0RQguaGd1uerQU304CGwUXu/jpRZ/UuZZFKq5Uts6O3bilGzCfR
 Y+MUH+qECwdBXaFHUISdWFsa3lxj0U0kglszh+DsxwS4gy/pLbCu5fKLgHLuNNQC
 hhEEToQ6uF4o8hbkGJvgUPo3V3aUSXObgvJh4ntP09YE1AEJScLB4wKmqL0zN8Qj
 pbBf1WC5OpGXv8zGM9ErrY64YaKA36uhJvOi6RtBGLbG+pYM6E6IM9zNf4Ku+T79
 JNEulpq27aEx2JghNSgMFYQZEOGTH+q24iXZdZlOIvqWpMymATlqP/gAQQIpg3VC
 OIIdocMFRsbgwFXf41uyUqs458fg5xREz5k6geWZeyriM45wFShR+JnMopQWc5OB
 a3sbcWUShFBL1T0pqYR4SDLDvH4NdEP2NKO2jlqMXUewLXsVRRt/42etGoe0rI3C
 cMWPQq7z0GNN+NboUviqwHdxUKqONWGt+pd/3u8FI/Y1IlXEeXQYGawhSu81uCpT
 5gLaKDkwOrCSwOw68Msuod0Cce6TnoTowi6hP2aAEu8mDJwQY+toqA3+CPoO8nty
 DdhZjP1afEgsVVyjErX4
 =LXh0
 -----END PGP SIGNATURE-----

Merge tag 'pm+acpi-3.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI and PM fixes and new device IDs from Rafael Wysocki:
 "These commits, except for one, are regression fixes and the remaining
  one fixes a divide error leading to a kernel panic.  The majority of
  the regressions fixed here were introduced during the 3.12 cycle, one
  of them is from this cycle and one is older.

  Specifics:

   - VGA switcheroo was broken for some users as a result of the
     ACPI-based PCI hotplug (ACPIPHP) changes in 3.12, because some
     previously ignored hotplug events started to be handled.  The fix
     causes them to be ignored again.

   - There are two more issues related to cpufreq's suspend/resume
     handling changes from the 3.12 cycle addressed by Viresh Kumar's
     fixes.

   - intel_pstate triggers a divide error in a timer function if the
     P-state information it needs is missing during initialization.
     This leads to kernel panics on nested KVM clients and is fixed by
     failing the initialization cleanly in those cases.

   - PCI initalization code changes during the 3.9 cycle uncovered BIOS
     issues related to ACPI wakeup notifications (some BIOSes send them
     for devices that aren't supposed to support ACPI wakeup).  Work
     around them by installing an ACPI wakeup notify handler for all PCI
     devices with ACPI support.

   - The Calxeda cpuilde driver's probe function is tagged as __init,
     which is incorrect and causes a section mismatch to occur during
     build.  Fix from Andre Przywara removes the __init tag from there.

   - During the 3.12 cycle ACPIPHP started to print warnings about
     missing _ADR for devices that legitimately don't have it.  Fix from
     Toshi Kani makes it only print the warnings where they make sense"

* tag 'pm+acpi-3.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPIPHP / radeon / nouveau: Fix VGA switcheroo problem related to hotplug
  intel_pstate: Fail initialization if P-state information is missing
  ARM/cpuidle: remove __init tag from Calxeda cpuidle probe function
  PCI / ACPI: Install wakeup notify handlers for all PCI devs with ACPI
  cpufreq: preserve user_policy across suspend/resume
  cpufreq: Clean up after a failing light-weight initialization
  ACPI / PCI / hotplug: Avoid warning when _ADR not present
2014-01-03 13:44:41 -08:00