Re: [PATCH v3 5/5] firmware: add an extensible system data helpers

2015-12-24 Thread kbuild test robot
Hi Luis,

[auto build test WARNING on v4.4-rc6]
[also build test WARNING on next-20151223]

url:
https://github.com/0day-ci/linux/commits/Luis-R-Rodriguez/firmware_class-extensible-firmware-API/20151224-053852
reproduce: make htmldocs

All warnings (new ones prefixed by >>):

   include/linux/init.h:1: warning: no structured comments found
   kernel/sys.c:1: warning: no structured comments found
>> drivers/base/firmware_class.c:1336: warning: No description found for parameter 'sysdata'
>> drivers/base/firmware_class.c:1336: warning: Excess function parameter 'sysdata_file' description in 'release_sysdata_file'
   drivers/dma-buf/seqno-fence.c:1: warning: no structured comments found
   drivers/dma-buf/reservation.c:1: warning: no structured comments found
   include/linux/reservation.h:1: warning: no structured comments found
   include/linux/hsi/hsi.h:150: warning: Excess struct/union/enum/typedef member 'e_handler' description in 'hsi_client'
   include/linux/hsi/hsi.h:150: warning: Excess struct/union/enum/typedef member 'pclaimed' description in 'hsi_client'
   include/linux/hsi/hsi.h:150: warning: Excess struct/union/enum/typedef member 'nb' description in 'hsi_client'

vim +/sysdata +1336 drivers/base/firmware_class.c

  1320  __func__);
  1321  return -ENOMEM;
  1322  }
  1323  
  1324  ret = _request_firmware_prepare(&fw, name, device);
  1325  if (ret >= 0)
  1326  sysdata->priv = fw;
  1327  
  1328  return ret;
  1329  }
  1330  
  1331  /**
  1332   * release_sysdata_file: - release the resource associated with the sysdata file
  1333   * @sysdata_file: sysdata resource to release
  1334   **/
  1335  void release_sysdata_file(const struct sysdata_file *sysdata)
> 1336  {
  1337  struct firmware *fw;
  1338  
  1339  if (sysdata) {
  1340  if (sysdata->priv) {
  1341  fw = sysdata->priv;
  1342  release_firmware(fw);
  1343  }
  1344  }

---
0-DAY kernel test infrastructure            Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all   Intel Corporation


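The two warnings the robot flags come from a kernel-doc comment whose `@sysdata_file` tag no longer matches the parameter, which is now named `sysdata`. The following is an added example, not the kbuild robot's tooling and not kernel code: a small Python checker that parses kernel-doc blocks, compares the documented `@name:` tags against the C prototype that follows, and reports the same two classes of mismatch kernel-doc does ("No description found" and "Excess function parameter"). The sample text it runs over is constructed for illustration; `release_sysdata_file` is taken from the listing above, `good_func` is made up as a correctly documented contrast.

```python
import re

# Constructed sample: the first block reproduces the mismatch reported above
# (the kernel-doc tag still says @sysdata_file while the parameter is sysdata);
# the second block is a correctly documented function for contrast.
SAMPLE = """
/**
 * release_sysdata_file: - release the resource associated with the sysdata file
 * @sysdata_file: sysdata resource to release
 **/
void release_sysdata_file(const struct sysdata_file *sysdata)
{
}

/**
 * good_func - a correctly documented function (constructed)
 * @a: first argument
 * @b: second argument
 */
int good_func(int a, char *b)
{
}
"""

# A kernel-doc block ("/** ... */" or "... **/") immediately followed by a
# function prototype that ends at the opening brace of its body.
KDOC_RE = re.compile(
    r"/\*\*\s*\n(?P<body>.*?)\*\*?/\s*\n(?P<proto>[^{;]*?)\s*\{", re.S)


def parse_params(proto):
    """Return the parameter names of a C prototype such as 'int f(int a, char *b)'.

    Only plain declarators are handled (no function-pointer parameters); the
    name is the last identifier of each comma-separated declarator.
    """
    inner = proto[proto.index("(") + 1:proto.rindex(")")]
    names = []
    for decl in inner.split(","):
        decl = decl.strip()
        if not decl or decl == "void":
            continue
        m = re.search(r"([A-Za-z_]\w*)\s*(\[[^\]]*\])?$", decl)
        if m:
            names.append(m.group(1))
    return names


def check_kernel_doc(text):
    """Return (function, kind, name) tuples for every documented/actual mismatch.

    kind is 'missing' when a real parameter has no @name: line (kernel-doc's
    "No description found for parameter") and 'excess' when an @name: line
    names no real parameter ("Excess function parameter ... description").
    """
    issues = []
    for m in KDOC_RE.finditer(text):
        documented = re.findall(r"^\s*\*\s*@(\w+):", m.group("body"), re.M)
        proto = " ".join(m.group("proto").split())
        fname = re.search(r"([A-Za-z_]\w*)\s*\(", proto)
        if not fname:
            continue  # not a function prototype (e.g. a struct definition)
        actual = parse_params(proto)
        issues.extend((fname.group(1), "missing", p)
                      for p in actual if p not in documented)
        issues.extend((fname.group(1), "excess", p)
                      for p in documented if p not in actual)
    return issues


if __name__ == "__main__":
    for func, kind, name in check_kernel_doc(SAMPLE):
        print(f"{func}: {kind} parameter '{name}'")
```

To run it over a real file, pass the file's contents to `check_kernel_doc()`. The prototype parser deliberately handles only plain declarators, which is enough for the case above; `make htmldocs` remains the authoritative check.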


[GIT PULL] SELinux patches for 4.5

2015-12-24 Thread Paul Moore
Hi James,

Nine patches for v4.5; there are a handful of minor fixes (constify 
parameters, warning rate-limits, etc.) but there are a couple of significant 
patches that invalidate/revalidate inode labels (needed for gfs2) and make 
validate_trans decisions visible via selinuxfs.  All the patches pass the 
selinux-testsuite and have been included in the pcmoore/kernel-secnext Fedora 
COPR repository[1] for some time now, all looks good.

As of about five minutes ago, selinux#upstream applied cleanly on top of 
linux-security#next so I don't expect you should have any problems merging the 
code.

Happy holidays and merry merging,
-Paul

[1] https://copr.fedoraproject.org/coprs/pcmoore/kernel-secnext

---
The following changes since commit ebd68df3f24b318d391d15c458d6f43f340ba36a:

  Sync to Linus v4.4-rc2 for LSM developers. (2015-11-23 22:46:28 +1100)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/selinux upstream

for you to fetch changes up to 76319946f321e30872dd72af7de867cb26e7a373:

  selinux: rate-limit netlink message warnings in selinux_nlmsg_perm() 
(2015-12-24 11:09:41 -0500)


Andreas Gruenbacher (7):
  selinux: Remove unused variable in selinux_inode_init_security
  security: Make inode argument of inode_getsecurity non-const
  security: Make inode argument of inode_getsecid non-const
  selinux: Add accessor functions for inode->i_security
  security: Add hook to invalidate inode security labels
  selinux: Revalidate invalid inode security labels
  gfs2: Invalid security labels of inodes when they go invalid

Andrew Perepechko (1):
  selinux: export validatetrans decisions

Vladis Dronov (1):
  selinux: rate-limit netlink message warnings in selinux_nlmsg_perm()

 fs/gfs2/glops.c |   2 +
 include/linux/audit.h   |   8 +-
 include/linux/lsm_hooks.h   |  10 +-
 include/linux/security.h|  13 ++-
 kernel/audit.c  |   2 +-
 kernel/audit.h  |   2 +-
 kernel/auditsc.c|   6 +-
 security/security.c |  12 ++-
 security/selinux/hooks.c| 206 --
 security/selinux/include/classmap.h |   2 +-
 security/selinux/include/objsec.h   |   6 ++
 security/selinux/include/security.h |   3 +
 security/selinux/selinuxfs.c|  80 ++
 security/selinux/ss/services.c  |  34 --
 security/smack/smack_lsm.c  |   4 +-
 15 files changed, 302 insertions(+), 88 deletions(-)

-- 
paul moore
security @ redhat

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [Linux-ima-devel] [PATCH v2 4/7] ima: measure and appraise kexec image and initramfs

2015-12-24 Thread Dave Young
Hi, Mimi

CCing the kexec list, since not all kexec people are subscribed to the IMA list.
I just subscribed to it since Vivek CCed me last time about V1 of this
series.

On 12/23/15 at 06:55pm, Mimi Zohar wrote:
> This patch defines a new IMA hook ima_hash_and_process_file() for
> measuring and appraising files read by the kernel.  The caller loads
> the file into memory before calling this function, which calculates
> the hash followed by the normal IMA policy based processing.
> 
> Two new IMA policy functions named KEXEC_CHECK and INITRAMFS_CHECK
> are defined for measuring, appraising or auditing the kexec image
> and initramfs.

Could you first help us understand why we need it.

I think I do not really understand the purpose of the IMA handling
about kexec kernel and initramfs.

* Do the files on disk already contain some hash values, and when the
kernel loads them IMA functions will do some checking? But it seems I do not
see such handling..

* Does it try to calculate the hash of the file buffer after copying,
and IMA will avoid future modification based on the hash calculated?
If this is the purpose I think it should be wrong, because the kexec file buffers
will be freed at the end of the kexec_file_load syscall.

> 
> Changelog v2:
> - Calculate the file hash from the in memory buffer (suggested by Dave Young)
> - Rename ima_read_and_process_file() to ima_hash_and_process_file()
> - replace individual case statements with range:
>   KEXEC_CHECK ... IMA_MAX_READ_CHECK - 1
> v1:
> - Instead of ima_read_and_process_file() allocating memory, the caller
> allocates and frees the memory.
> - Moved the kexec measurement/appraisal call to copy_file_from_fd(). The
> same call now measures and appraises both the kexec image and initramfs.
> 
> Signed-off-by: Mimi Zohar 
> ---
>  Documentation/ABI/testing/ima_policy  |  2 +-
>  include/linux/ima.h   | 16 ++
>  kernel/kexec_file.c   | 24 
>  security/integrity/iint.c |  1 +
>  security/integrity/ima/ima.h  | 21 --
>  security/integrity/ima/ima_api.c  |  6 +++--
>  security/integrity/ima/ima_appraise.c | 11 --
>  security/integrity/ima/ima_main.c | 41 
> ---
>  security/integrity/ima/ima_policy.c   | 38 
>  security/integrity/integrity.h|  7 --
>  10 files changed, 127 insertions(+), 40 deletions(-)
> 
> diff --git a/Documentation/ABI/testing/ima_policy 
> b/Documentation/ABI/testing/ima_policy
> index 0a378a8..e80f767 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -26,7 +26,7 @@ Description:
>   option: [[appraise_type=]] [permit_directio]
>  
>   base:   func:= 
> [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
> - [FIRMWARE_CHECK]
> + [FIRMWARE_CHECK] [KEXEC_CHECK] [INITRAMFS_CHECK]
>   mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
>  [[^]MAY_EXEC]
>   fsmagic:= hex value
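Review bot: the ABI document now lists [KEXEC_CHECK] and [INITRAMFS_CHECK] as func values but says nothing about what each one applies to; since this file is the user-facing policy ABI, a short sentence under the func entry stating that KEXEC_CHECK covers the kexec image and INITRAMFS_CHECK the initramfs (as the patch description says) would let policy writers pick the right hook without reading ima_main.c.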
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 120ccc5..020de0f 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -13,6 +13,12 @@
>  #include 
>  struct linux_binprm;
>  
> +enum ima_read_hooks {
> + KEXEC_CHECK = 1,
> + INITRAMFS_CHECK,
> + IMA_MAX_READ_CHECK
> +};
> +
>  #ifdef CONFIG_IMA
>  extern int ima_bprm_check(struct linux_binprm *bprm);
>  extern int ima_file_check(struct file *file, int mask, int opened);
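Review bot: the enum starts at KEXEC_CHECK = 1 and ends with the IMA_MAX_READ_CHECK sentinel, and the changelog says the policy code now switches on the range KEXEC_CHECK ... IMA_MAX_READ_CHECK - 1; that only stays correct while the values remain contiguous and the sentinel stays last, so a comment on the enum saying that new read hooks must be added before IMA_MAX_READ_CHECK, and what the unused value 0 means, would guard the next addition.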
> @@ -20,6 +26,9 @@ extern void ima_file_free(struct file *file);
>  extern int ima_file_mmap(struct file *file, unsigned long prot);
>  extern int ima_module_check(struct file *file);
>  extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
> +extern int ima_hash_and_process_file(struct file *file,
> +  void *buf, size_t size,
> +  enum ima_read_hooks read_func);
>  
>  #else
>  static inline int ima_bprm_check(struct linux_binprm *bprm)
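Review bot: ima_hash_and_process_file() takes `void *buf` although, per the description, it only hashes a buffer the caller has already loaded; declaring it `const void *buf` would document that IMA does not modify the image and let callers pass const data, and the type should also be reconciled with the neighbouring ima_fw_from_file(), which spells the same argument `char *buf`.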
> @@ -52,6 +61,13 @@ static inline int ima_fw_from_file(struct file *file, char 
> *buf, size_t size)
>   return 0;
>  }
>  
> +static inline int ima_hash_and_process_file(struct file *file,
> + void *buf, size_t size,
> + enum ima_read_hooks read_func)
> +{
> + return 0;
> +}
> +
>  #endif /* CONFIG_IMA */
>  
>  #ifdef CONFIG_IMA_APPRAISE
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index b70ada0..1d0d998 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -18,6 +18,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 
> @@ -33,7 +34,8 @@ size_t __weak kexec_purgatory_size = 0;
>  
>  static int kexec_calculate_store_digests(struct kimage *image);
>  
> -static