Diffstat (limited to 'security')
32 files changed, 45 insertions, 43 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 8963203319ea..3f80a684c232 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -15,7 +15,7 @@
 #include <linux/ctype.h>
 #include <linux/security.h>
 #include <linux/vmalloc.h>
-#include <linux/module.h>
+#include <linux/init.h>
 #include <linux/seq_file.h>
 #include <linux/uaccess.h>
 #include <linux/mount.h>
diff --git a/security/commoncap.c b/security/commoncap.c
index 18a4fdf6f6eb..232db019f051 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -9,7 +9,6 @@
 #include <linux/capability.h>
 #include <linux/audit.h>
-#include <linux/module.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/lsm_hooks.h>
diff --git a/security/inode.c b/security/inode.c
index 8dd9ca8848e4..b7772a9b315e 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -13,7 +13,8 @@
 */
 /* #define DEBUG */
-#include <linux/module.h>
+#include <linux/sysfs.h>
+#include <linux/kobject.h>
 #include <linux/fs.h>
 #include <linux/mount.h>
 #include <linux/pagemap.h>
@@ -341,7 +342,4 @@ static int __init securityfs_init(void)
 #endif
 return 0;
 }
-
 core_initcall(securityfs_init);
-MODULE_LICENSE("GPL");
-
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 6dc075144508..d775e03fbbcc 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -106,6 +106,7 @@ int asymmetric_verify(struct key *keyring, const char *sig,
 pks.pkey_algo = "rsa";
 pks.hash_algo = hash_algo_name[hdr->hash_algo];
+ pks.encoding = "pkcs1";
 pks.digest = (u8 *)data;
 pks.digest_size = datalen;
 pks.s = hdr->sig;
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 8c25f949ebdb..77ef210a8a6b 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
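Review bot: In security/integrity/digsig_asymmetric.c, the new `pks.encoding = "pkcs1";` in asymmetric_verify() is a second hard-coded string next to `pks.pkey_algo = "rsa";`, and nothing in the hunk says that the two describe one fixed signature format. A one-line comment above the assignments, such as `/* signature format: RSA with PKCS#1 encoding */`, would tell the next reader why the field is set here and what has to change together if another algorithm is ever added. The neighbouring context line indexes `hash_algo_name[]` with `hdr->hash_algo`; any range check on that value is outside the hunk, so it is worth confirming that one runs before this point. The body of asymmetric_verify() starts and ends outside the hunk.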
@@ -15,7 +15,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include <linux/module.h>
+#include <linux/export.h>
 #include <linux/crypto.h>
 #include <linux/xattr.h>
 #include <linux/evm.h>
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 7f3f54d89a6e..5ecaa3d6fe0b 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -16,7 +16,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include <linux/module.h>
+#include <linux/init.h>
 #include <linux/crypto.h>
 #include <linux/audit.h>
 #include <linux/xattr.h>
@@ -592,6 +592,3 @@ error:
 }
 late_initcall(init_evm);
-
-MODULE_DESCRIPTION("Extended Verification Module");
-MODULE_LICENSE("GPL");
diff --git a/security/integrity/evm/evm_posix_acl.c b/security/integrity/evm/evm_posix_acl.c
index 46408b9e62e8..7faf98c20373 100644
--- a/security/integrity/evm/evm_posix_acl.c
+++ b/security/integrity/evm/evm_posix_acl.c
@@ -9,7 +9,6 @@
 * the Free Software Foundation, version 2 of the License.
 */
-#include <linux/module.h>
 #include <linux/xattr.h>
 #include <linux/evm.h>
diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
index 77de71b7794c..015aea8fdf1e 100644
--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -17,7 +17,7 @@
 #include <linux/audit.h>
 #include <linux/uaccess.h>
-#include <linux/module.h>
+#include <linux/init.h>
 #include <linux/mutex.h>
 #include "evm.h"
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 1ea05da2323d..88f04b3380d4 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -16,7 +16,7 @@
 * using a rbtree tree.
 */
 #include <linux/slab.h>
-#include <linux/module.h>
+#include <linux/init.h>
 #include <linux/spinlock.h>
 #include <linux/rbtree.h>
 #include <linux/file.h>
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 99dd1d53fc35..67dfbd1af3ca 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -12,7 +12,6 @@
 * Implements must_appraise_or_measure, collect_measurement,
 * appraise_measurement, store_measurement and store_template.
 */
-#include <linux/module.h>
 #include <linux/slab.h>
 #include <linux/file.h>
 #include <linux/fs.h>
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index deec1804a00a..2e11e750a067 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -8,7 +8,7 @@
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 2 of the License.
 */
-#include <linux/module.h>
+#include <linux/init.h>
 #include <linux/file.h>
 #include <linux/fs.h>
 #include <linux/xattr.h>
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 3183cc23d0f8..0af792833f42 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -20,7 +20,7 @@
 #include <linux/fcntl.h>
 #include <linux/slab.h>
-#include <linux/module.h>
+#include <linux/init.h>
 #include <linux/seq_file.h>
 #include <linux/rculist.h>
 #include <linux/rcupdate.h>
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 59d834219cd6..6bb42a9c5e47 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -17,7 +17,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include <linux/module.h>
+#include <linux/init.h>
 #include <linux/scatterlist.h>
 #include <linux/slab.h>
 #include <linux/err.h>
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 1b88d58e1325..adaf96932237 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1,4 +1,6 @@
 /*
+ * Integrity Measurement Architecture
+ *
 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
 *
 * Authors:
@@ -19,7 +21,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include <linux/module.h>
+#include <linux/init.h>
 #include <linux/file.h>
 #include <linux/binfmts.h>
 #include <linux/mount.h>
@@ -560,6 +562,3 @@ static int __init init_ima(void)
 }
 late_initcall(init_ima); /* Start IMA after the TPM is available */
-
-MODULE_DESCRIPTION("Integrity Measurement Architecture");
-MODULE_LICENSE("GPL");
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 8c9499867c91..3778dc396193 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -10,7 +10,7 @@
 * - initialize default measure policy rules
 *
 */
-#include <linux/module.h>
+#include <linux/init.h>
 #include <linux/list.h>
 #include <linux/fs.h>
 #include <linux/security.h>
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index b186819bd5aa..0e41dc1df1d4 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -21,7 +21,6 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include <linux/module.h>
 #include <linux/rculist.h>
 #include <linux/slab.h>
 #include "ima.h"
diff --git a/security/keys/encrypted-keys/ecryptfs_format.c b/security/keys/encrypted-keys/ecryptfs_format.c
index 6daa3b6ff9ed..efac03047919 100644
--- a/security/keys/encrypted-keys/ecryptfs_format.c
+++ b/security/keys/encrypted-keys/ecryptfs_format.c
@@ -15,7 +15,8 @@
 * the Free Software Foundation, version 2 of the License.
 */
-#include <linux/module.h>
+#include <linux/export.h>
+#include <linux/string.h>
 #include "ecryptfs_format.h"
 u8 *ecryptfs_get_auth_tok_key(struct ecryptfs_auth_tok *auth_tok)
@@ -77,5 +78,3 @@ int ecryptfs_fill_auth_tok(struct ecryptfs_auth_tok *auth_tok,
 return 0;
 }
 EXPORT_SYMBOL(ecryptfs_fill_auth_tok);
-
-MODULE_LICENSE("GPL");
diff --git a/security/keys/encrypted-keys/masterkey_trusted.c b/security/keys/encrypted-keys/masterkey_trusted.c
index cbf0bc127a73..dc3d18cae642 100644
--- a/security/keys/encrypted-keys/masterkey_trusted.c
+++ b/security/keys/encrypted-keys/masterkey_trusted.c
@@ -15,7 +15,6 @@
 */
 #include <linux/uaccess.h>
-#include <linux/module.h>
 #include <linux/err.h>
 #include <keys/trusted-type.h>
 #include <keys/encrypted-type.h>
diff --git a/security/keys/gc.c b/security/keys/gc.c
index 7207e6094dc1..634e96b380e8 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -9,7 +9,6 @@
 * 2 of the Licence, or (at your option) any later version.
 */
-#include <linux/module.h>
 #include <linux/slab.h>
 #include <linux/security.h>
 #include <keys/keyring-type.h>
diff --git a/security/keys/key.c b/security/keys/key.c
index d97c9394b5dd..44a80d6741a1 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -9,7 +9,7 @@
 * 2 of the License, or (at your option) any later version.
 */
-#include <linux/module.h>
+#include <linux/export.h>
 #include <linux/init.h>
 #include <linux/poison.h>
 #include <linux/sched.h>
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 18619690ce77..e8093d025966 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -9,7 +9,6 @@
 * 2 of the License, or (at your option) any later version.
 */
-#include <linux/module.h>
 #include <linux/init.h>
 #include <linux/sched.h>
 #include <linux/sched/task.h>
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 41bcf57e96f2..eadebb92986a 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -9,7 +9,7 @@
 * 2 of the License, or (at your option) any later version.
 */
-#include <linux/module.h>
+#include <linux/export.h>
 #include <linux/init.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
diff --git a/security/keys/permission.c b/security/keys/permission.c
index f68dc04d614e..06df9d5e7572 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -9,7 +9,7 @@
 * 2 of the License, or (at your option) any later version.
 */
-#include <linux/module.h>
+#include <linux/export.h>
 #include <linux/security.h>
 #include "internal.h"
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 5af2934965d8..d2b802072693 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -9,7 +9,6 @@
 * 2 of the License, or (at your option) any later version.
 */
-#include <linux/module.h>
 #include <linux/init.h>
 #include <linux/sched.h>
 #include <linux/fs.h>
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index d5b25e535d3a..8b8994920620 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -9,7 +9,6 @@
 * 2 of the License, or (at your option) any later version.
 */
-#include <linux/module.h>
 #include <linux/init.h>
 #include <linux/sched.h>
 #include <linux/sched/user.h>
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 114f7408feee..301f0e300dbd 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -11,7 +11,7 @@
 * See Documentation/security/keys/request-key.rst
 */
-#include <linux/module.h>
+#include <linux/export.h>
 #include <linux/sched.h>
 #include <linux/kmod.h>
 #include <linux/err.h>
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 424e1d90412e..87ea2f54dedc 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -11,7 +11,6 @@
 * See Documentation/security/keys/request-key.rst
 */
-#include <linux/module.h>
 #include <linux/sched.h>
 #include <linux/err.h>
 #include <linux/seq_file.h>
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 9f558bedba23..5666fe0352f7 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -9,7 +9,7 @@
 * 2 of the License, or (at your option) any later version.
 */
-#include <linux/module.h>
+#include <linux/export.h>
 #include <linux/init.h>
 #include <linux/slab.h>
 #include <linux/seq_file.h>
diff --git a/security/security.c b/security/security.c
index 04d173eb93f6..d670136dda2c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -17,7 +17,7 @@
 #include <linux/bpf.h>
 #include <linux/capability.h>
 #include <linux/dcache.h>
-#include <linux/module.h>
+#include <linux/export.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/lsm_hooks.h>
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7ce683259357..a67459eb62d5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5318,6 +5318,9 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname,
 addr_buf = address;
 while (walk_size < addrlen) {
+ if (walk_size + sizeof(sa_family_t) > addrlen)
+ return -EINVAL;
+
 addr = addr_buf;
 switch (addr->sa_family) {
 case AF_UNSPEC:
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 74b951f55608..9cec81209617 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -80,6 +80,9 @@ static const struct nlmsg_perm nlmsg_route_perms[] =
 { RTM_NEWSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
 { RTM_GETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
 { RTM_NEWCACHEREPORT, NETLINK_ROUTE_SOCKET__NLMSG_READ },
+ { RTM_NEWCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+ { RTM_DELCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+ { RTM_GETCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
 };
 static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
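Review bot: In security/selinux/hooks.c, the check added at the top of the loop in selinux_sctp_bind_connect() only guarantees that the `sa_family` field lies inside the `addrlen` bytes supplied; it does not show that the whole address chosen by the `switch (addr->sa_family)` that follows also fits. Unless the part of the loop outside this hunk already does it, a second bound is needed after the switch and before the address is used, of the form `if (walk_size + <per-family address size> > addrlen) return -EINVAL;`. The function body starts and ends outside the hunk, so this should be confirmed against the full loop.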
@@ -158,7 +161,11 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
 switch (sclass) {
 case SECCLASS_NETLINK_ROUTE_SOCKET:
- /* RTM_MAX always point to RTM_SETxxxx, ie RTM_NEWxxx + 3 */
+ /* RTM_MAX always points to RTM_SETxxxx, ie RTM_NEWxxx + 3.
+ * If the BUILD_BUG_ON() below fails you must update the
+ * structures at the top of this file with the new mappings
+ * before updating the BUILD_BUG_ON() macro!
+ */
 BUILD_BUG_ON(RTM_MAX != (RTM_NEWCHAIN + 3));
 err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms, sizeof(nlmsg_route_perms));
@@ -170,6 +177,10 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
 break;
 case SECCLASS_NETLINK_XFRM_SOCKET:
+ /* If the BUILD_BUG_ON() below fails you must update the
+ * structures at the top of this file with the new mappings
+ * before updating the BUILD_BUG_ON() macro!
+ */
 BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_MAPPING);
 err = nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms, sizeof(nlmsg_xfrm_perms));
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 2fe459df3c85..b7efa2296969 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -245,9 +245,13 @@ int mls_context_to_sid(struct policydb *pol,
 char *rangep[2];
 if (!pol->mls_enabled) {
- if ((def_sid != SECSID_NULL && oldc) || (*scontext) == '\0')
- return 0;
- return -EINVAL;
+ /*
+ * With no MLS, only return -EINVAL if there is a MLS field
+ * and it did not come from an xattr.
+ */
+ if (oldc && def_sid == SECSID_NULL)
+ return -EINVAL;
+ return 0;
 }
 /* |
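Review bot: In security/selinux/nlmsgtab.c, the comment added above `BUILD_BUG_ON(RTM_MAX != (RTM_NEWCHAIN + 3))` refers to "the structures at the top of this file" without naming the table that belongs to this assertion. Naming it makes the instruction harder to misread: `* nlmsg_route_perms[] at the top of this file with the new mappings` here, and `nlmsg_xfrm_perms[]` in the matching comment added in the @@ -170 hunk. The assertion only notices a change to RTM_MAX and cannot tell whether the table has an entry for every message type, so this comment is the only guard against the two drifting apart. The body of selinux_nlmsg_lookup() extends beyond both hunks.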
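Review bot: In security/selinux/ss/mls.c, the new comment speaks of "a MLS field" and "an xattr", but the condition tests `oldc` and `def_sid`, and nothing in the hunk says which variable carries which meaning. Spelling the mapping out in the comment, e.g. `* (oldc is set when an MLS field follows; def_sid != SECSID_NULL means the context came from an xattr)`, would let a reader check the test against the sentence; that mapping is inferred from the old and new conditions and should be confirmed against the callers. The rewritten test also no longer looks at `*scontext`, so the result for an empty remainder now rests entirely on `oldc`. mls_context_to_sid() starts and ends outside the hunk.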