linux-yocto: update recipe 15/31015/3
authorKévin THIERRY <kevin.thierry@open.eurogiciel.org>
Fri, 28 Nov 2014 14:12:43 +0000 (15:12 +0100)
committerRonan Le Martret <ronan@fridu.net>
Fri, 5 Dec 2014 14:10:47 +0000 (15:10 +0100)
* Add missing Tizen patches (mostly related to security).
* Update the defconfig files (use the ones from Tizen).
* Select the right defconfig based on the architecture instead of the
  machine.

Change-Id: Idab8996d77b3ac4f112634fc0fc21daae274b1ad
Signed-off-by: Kévin THIERRY <kevin.thierry@open.eurogiciel.org>
24 files changed:
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0001-Smack-Cgroup-filesystem-access.patch
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0002-SMACK-Fix-handling-value-NULL-in-post-setxattr.patch
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0003-Revert-x86-efi-Correct-EFI-boot-stub-use-of-code32_s.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0004-KEYS-Move-the-flags-representing-required-permission.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0005-smack-fix-key-permission-verification.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0006-Minor-improvement-of-smack_sb_kern_mount.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0007-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0008-Smack-unify-all-ptrace-accesses-in-the-smack.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0009-Smack-adds-smackfs-ptrace-interface.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0010-bugfix-patch-for-SMACK.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0011-Smack-Correctly-remove-SMACK64TRANSMUTE-attribute.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0012-Smack-bidirectional-UDS-connect-check.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0013-Smack-Verify-read-access-on-file-open-v3.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0014-Warning-in-scanf-string-typing.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0015-Smack-fix-behavior-of-smack_inode_listsecurity.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0016-Smack-handle-zero-length-security-labels-without-pan.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0017-Smack-remove-unneeded-NULL-termination-from-securtit.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0018-Smack-Fix-setting-label-on-successful-file-open.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0019-perf-tools-define-_DEFAULT_SOURCE-for-glibc_2.20.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0020-SMACK-Fix-wrong-copy-size.patch [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/arm/defconfig [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/i586/defconfig [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/x86-64/defconfig [new file with mode: 0644]
meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto_3.14.bbappend

index 5f47b83..3c5cf9f 100644 (file)
@@ -1,6 +1,7 @@
+From f029d2b6e4516c4ea5ecc9a740f4cafadb081330 Mon Sep 17 00:00:00 2001
 From: Casey Schaufler <casey@schaufler-ca.com>
 Date: Thu, 21 Nov 2013 10:55:10 +0200
-Subject: Smack: Cgroup filesystem access
+Subject: [PATCH 01/20] Smack: Cgroup filesystem access
 
 The cgroup filesystems are not mounted using conventional
 mechanisms. This prevents the use of mount options to
@@ -11,6 +12,7 @@ uses them.
 Change-Id: I1e0429f133db9e14117dc754d682dec08221354c
 Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
 Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Stephane Desneux <stephane.desneux@open.eurogiciel.org>
 ---
  security/smack/smack_lsm.c | 30 ++++++++++++++++++------------
  1 file changed, 18 insertions(+), 12 deletions(-)
@@ -75,3 +77,6 @@ index 14f52be..acd8574 100644
        case PROC_SUPER_MAGIC:
                /*
                 * Casey says procfs appears not to care.
+-- 
+1.8.1.4
+
index aa7f5da..1307495 100644 (file)
@@ -1,8 +1,9 @@
-From: =?utf-8?q?Jos=C3=A9_Bollo?= <jose.bollo@open.eurogiciel.org>
+From f7723d32c993ea1e00bc11d9ef1c4a9ba2050f31 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@open.eurogiciel.org>
 Date: Thu, 3 Apr 2014 09:51:07 +0200
-Subject: SMACK: Fix handling value==NULL in post setxattr
+Subject: [PATCH 02/20] SMACK: Fix handling value==NULL in post setxattr
 MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
+Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
 The function `smack_inode_post_setxattr` is called each
@@ -28,6 +29,7 @@ write.
 
 Change-Id: Iaf0039c2be9bccb6cee11c24a3b44d209101fe47
 Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
+Signed-off-by: Stephane Desneux <stephane.desneux@open.eurogiciel.org>
 ---
  security/smack/smack_lsm.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
@@ -58,3 +60,6 @@ index acd8574..f0ebcb0 100644
                if (skp != NULL)
                        isp->smk_mmap = skp;
                else
+-- 
+1.8.1.4
+
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0003-Revert-x86-efi-Correct-EFI-boot-stub-use-of-code32_s.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0003-Revert-x86-efi-Correct-EFI-boot-stub-use-of-code32_s.patch
new file mode 100644 (file)
index 0000000..8e6c827
--- /dev/null
@@ -0,0 +1,110 @@
+From da699868113882aae41dab690c98788abffe263a Mon Sep 17 00:00:00 2001
+From: Philippe Coval <philippe.coval@open.eurogiciel.org>
+Date: Fri, 22 Aug 2014 10:09:19 +0200
+Subject: [PATCH 03/20] Revert "x86/efi: Correct EFI boot stub use of
+ code32_start"
+
+This reverts commit 45ada9fae6d836aa8e3be5302d7aeb50c44e0629.
+
+With this change in , nexcom's vtc1010 does not boot anynore
+even rebased on latest version v3.14.17
+and with latest firmware :
+ftp://ftp.nexcom.com/pub/BIOS/VTC1010/x86_32bit/MV11A109.rom
+( md5=f5ccb5284ca5bd8668fa1031067dad27 )
+
+The bug is now tracked upstream.
+
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=82891
+Change-Id: I82bb1227dcbcbfe1371d685d241e985a6e58ddf3
+Bug-Tizen: TC-1513/part
+---
+ arch/x86/boot/compressed/eboot.c   |  5 ++---
+ arch/x86/boot/compressed/head_32.S | 14 ++++++--------
+ arch/x86/boot/compressed/head_64.S |  9 ++++++---
+ 3 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 78cbb2d..a7677ba 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -425,9 +425,6 @@ void setup_graphics(struct boot_params *boot_params)
+  * Because the x86 boot code expects to be passed a boot_params we
+  * need to create one ourselves (usually the bootloader would create
+  * one for us).
+- *
+- * The caller is responsible for filling out ->code32_start in the
+- * returned boot_params.
+  */
+ struct boot_params *make_boot_params(void *handle, efi_system_table_t *_table)
+ {
+@@ -486,6 +483,8 @@ struct boot_params *make_boot_params(void *handle, efi_system_table_t *_table)
+       hdr->vid_mode = 0xffff;
+       hdr->boot_flag = 0xAA55;
++      hdr->code32_start = (__u64)(unsigned long)image->image_base;
++
+       hdr->type_of_loader = 0x21;
+       /* Convert unicode cmdline to ascii */
+diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
+index c5b56ed..42cb93f 100644
+--- a/arch/x86/boot/compressed/head_32.S
++++ b/arch/x86/boot/compressed/head_32.S
+@@ -50,13 +50,6 @@ ENTRY(efi_pe_entry)
+       pushl   %eax
+       pushl   %esi
+       pushl   %ecx
+-
+-      call    reloc
+-reloc:
+-      popl    %ecx
+-      subl    reloc, %ecx
+-      movl    %ecx, BP_code32_start(%eax)
+-
+       sub     $0x4, %esp
+ ENTRY(efi_stub_entry)
+@@ -70,7 +63,12 @@ ENTRY(efi_stub_entry)
+       hlt
+       jmp     1b
+ 2:
+-      movl    BP_code32_start(%esi), %eax
++      call    3f
++3:
++      popl    %eax
++      subl    $3b, %eax
++      subl    BP_pref_address(%esi), %eax
++      add     BP_code32_start(%esi), %eax
+       leal    preferred_addr(%eax), %eax
+       jmp     *%eax
+diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
+index 34bbc09..036d37f 100644
+--- a/arch/x86/boot/compressed/head_64.S
++++ b/arch/x86/boot/compressed/head_64.S
+@@ -217,8 +217,6 @@ ENTRY(efi_pe_entry)
+       cmpq    $0,%rax
+       je      1f
+       mov     %rax, %rdx
+-      leaq    startup_32(%rip), %rax
+-      movl    %eax, BP_code32_start(%rdx)
+       popq    %rsi
+       popq    %rdi
+@@ -232,7 +230,12 @@ ENTRY(efi_stub_entry)
+       hlt
+       jmp     1b
+ 2:
+-      movl    BP_code32_start(%esi), %eax
++      call    3f
++3:
++      popq    %rax
++      subq    $3b, %rax
++      subq    BP_pref_address(%rsi), %rax
++      add     BP_code32_start(%esi), %eax
+       leaq    preferred_addr(%rax), %rax
+       jmp     *%rax
+-- 
+1.8.1.4
+
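Review bot: The sequence restored in `head_64.S` mixes register widths. `add BP_code32_start(%esi), %eax` reads boot_params through the low 32 bits of `%rsi` and writes `%eax`, which clears the upper half of the `%rax` value the preceding `subq` instructions computed, so the jump target is only correct while the image and boot_params sit below 4 GiB. The patch header should state that assumption, and a comment on that line such as `/* assumes boot_params and load address are below 4 GiB */` would keep it visible. The description says the revert works around a boot failure on one board, so it would be safer to apply it only for that machine; whether the recipe does so is not visible in this section. The patch also has no `Signed-off-by:` line, unlike the other patches visible in the series, and no status tag comparable to the `Origin: upstream` on patch 04, which makes it harder to audit when the workaround can be dropped.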
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0004-KEYS-Move-the-flags-representing-required-permission.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0004-KEYS-Move-the-flags-representing-required-permission.patch
new file mode 100644 (file)
index 0000000..9dd1db9
--- /dev/null
@@ -0,0 +1,499 @@
+From 5bcfdca5ba3685dff3b0b0de0cf4d0a0fd4e6567 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 14 Mar 2014 17:44:49 +0000
+Subject: [PATCH 04/20] KEYS: Move the flags representing required permission
+ to linux/key.h
+
+Move the flags representing required permission to linux/key.h as the perm
+parameter of security_key_permission() is in terms of them - and not the
+permissions mask flags used in key->perm.
+
+Whilst we're at it:
+
+ (1) Rename them to be KEY_NEED_xxx rather than KEY_xxx to avoid collisions
+     with symbols in uapi/linux/input.h.
+
+ (2) Don't use key_perm_t for a mask of required permissions, but rather limit
+     it to the permissions mask attached to the key and arguments related
+     directly to that.
+
+Change-Id: Id9de84f93e5dd668a3b8ba00fc2440c6d6c6f988
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+Origin: upstream
+---
+ include/linux/key.h        | 11 +++++++++++
+ include/linux/security.h   |  6 +++---
+ security/capability.c      |  2 +-
+ security/keys/internal.h   | 11 +----------
+ security/keys/key.c        |  6 +++---
+ security/keys/keyctl.c     | 44 ++++++++++++++++++++++----------------------
+ security/keys/keyring.c    |  8 ++++----
+ security/keys/permission.c |  4 ++--
+ security/keys/persistent.c |  4 ++--
+ security/keys/proc.c       |  2 +-
+ security/security.c        |  2 +-
+ security/selinux/hooks.c   |  2 +-
+ security/smack/smack_lsm.c |  2 +-
+ 13 files changed, 53 insertions(+), 51 deletions(-)
+
+diff --git a/include/linux/key.h b/include/linux/key.h
+index 80d6774..cd0abb8 100644
+--- a/include/linux/key.h
++++ b/include/linux/key.h
+@@ -309,6 +309,17 @@ static inline key_serial_t key_serial(const struct key *key)
+ extern void key_set_timeout(struct key *, unsigned);
++/*
++ * The permissions required on a key that we're looking up.
++ */
++#define       KEY_NEED_VIEW   0x01    /* Require permission to view attributes */
++#define       KEY_NEED_READ   0x02    /* Require permission to read content */
++#define       KEY_NEED_WRITE  0x04    /* Require permission to update / modify */
++#define       KEY_NEED_SEARCH 0x08    /* Require permission to search (keyring) or find (key) */
++#define       KEY_NEED_LINK   0x10    /* Require permission to link */
++#define       KEY_NEED_SETATTR 0x20   /* Require permission to change attributes */
++#define       KEY_NEED_ALL    0x3f    /* All the above permissions */
++
+ /**
+  * key_is_instantiated - Determine if a key has been positively instantiated
+  * @key: The key to check.
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 2fc42d1..6726006 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -1708,7 +1708,7 @@ struct security_operations {
+       void (*key_free) (struct key *key);
+       int (*key_permission) (key_ref_t key_ref,
+                              const struct cred *cred,
+-                             key_perm_t perm);
++                             unsigned perm);
+       int (*key_getsecurity)(struct key *key, char **_buffer);
+ #endif        /* CONFIG_KEYS */
+@@ -3030,7 +3030,7 @@ static inline int security_path_chroot(struct path *path)
+ int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags);
+ void security_key_free(struct key *key);
+ int security_key_permission(key_ref_t key_ref,
+-                          const struct cred *cred, key_perm_t perm);
++                          const struct cred *cred, unsigned perm);
+ int security_key_getsecurity(struct key *key, char **_buffer);
+ #else
+@@ -3048,7 +3048,7 @@ static inline void security_key_free(struct key *key)
+ static inline int security_key_permission(key_ref_t key_ref,
+                                         const struct cred *cred,
+-                                        key_perm_t perm)
++                                        unsigned perm)
+ {
+       return 0;
+ }
+diff --git a/security/capability.c b/security/capability.c
+index 21e2b9c..4a4bc41 100644
+--- a/security/capability.c
++++ b/security/capability.c
+@@ -879,7 +879,7 @@ static void cap_key_free(struct key *key)
+ }
+ static int cap_key_permission(key_ref_t key_ref, const struct cred *cred,
+-                            key_perm_t perm)
++                            unsigned perm)
+ {
+       return 0;
+ }
+diff --git a/security/keys/internal.h b/security/keys/internal.h
+index 80b2aac..5f20da0 100644
+--- a/security/keys/internal.h
++++ b/security/keys/internal.h
+@@ -176,20 +176,11 @@ extern int key_task_permission(const key_ref_t key_ref,
+ /*
+  * Check to see whether permission is granted to use a key in the desired way.
+  */
+-static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
++static inline int key_permission(const key_ref_t key_ref, unsigned perm)
+ {
+       return key_task_permission(key_ref, current_cred(), perm);
+ }
+-/* required permissions */
+-#define       KEY_VIEW        0x01    /* require permission to view attributes */
+-#define       KEY_READ        0x02    /* require permission to read content */
+-#define       KEY_WRITE       0x04    /* require permission to update / modify */
+-#define       KEY_SEARCH      0x08    /* require permission to search (keyring) or find (key) */
+-#define       KEY_LINK        0x10    /* require permission to link */
+-#define       KEY_SETATTR     0x20    /* require permission to change attributes */
+-#define       KEY_ALL         0x3f    /* all the above permissions */
+-
+ /*
+  * Authorisation record for request_key().
+  */
+diff --git a/security/keys/key.c b/security/keys/key.c
+index 6e21c11..2048a11 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -714,7 +714,7 @@ static inline key_ref_t __key_update(key_ref_t key_ref,
+       int ret;
+       /* need write permission on the key to update it */
+-      ret = key_permission(key_ref, KEY_WRITE);
++      ret = key_permission(key_ref, KEY_NEED_WRITE);
+       if (ret < 0)
+               goto error;
+@@ -838,7 +838,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
+       /* if we're going to allocate a new key, we're going to have
+        * to modify the keyring */
+-      ret = key_permission(keyring_ref, KEY_WRITE);
++      ret = key_permission(keyring_ref, KEY_NEED_WRITE);
+       if (ret < 0) {
+               key_ref = ERR_PTR(ret);
+               goto error_link_end;
+@@ -928,7 +928,7 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen)
+       key_check(key);
+       /* the key must be writable */
+-      ret = key_permission(key_ref, KEY_WRITE);
++      ret = key_permission(key_ref, KEY_NEED_WRITE);
+       if (ret < 0)
+               goto error;
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index cee72ce..cd5bd0c 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -111,7 +111,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
+       }
+       /* find the target keyring (which must be writable) */
+-      keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
++      keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
+       if (IS_ERR(keyring_ref)) {
+               ret = PTR_ERR(keyring_ref);
+               goto error3;
+@@ -195,7 +195,7 @@ SYSCALL_DEFINE4(request_key, const char __user *, _type,
+       dest_ref = NULL;
+       if (destringid) {
+               dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE,
+-                                         KEY_WRITE);
++                                         KEY_NEED_WRITE);
+               if (IS_ERR(dest_ref)) {
+                       ret = PTR_ERR(dest_ref);
+                       goto error3;
+@@ -253,7 +253,7 @@ long keyctl_get_keyring_ID(key_serial_t id, int create)
+       long ret;
+       lflags = create ? KEY_LOOKUP_CREATE : 0;
+-      key_ref = lookup_user_key(id, lflags, KEY_SEARCH);
++      key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH);
+       if (IS_ERR(key_ref)) {
+               ret = PTR_ERR(key_ref);
+               goto error;
+@@ -334,7 +334,7 @@ long keyctl_update_key(key_serial_t id,
+       }
+       /* find the target key (which must be writable) */
+-      key_ref = lookup_user_key(id, 0, KEY_WRITE);
++      key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE);
+       if (IS_ERR(key_ref)) {
+               ret = PTR_ERR(key_ref);
+               goto error2;
+@@ -365,12 +365,12 @@ long keyctl_revoke_key(key_serial_t id)
+       key_ref_t key_ref;
+       long ret;
+-      key_ref = lookup_user_key(id, 0, KEY_WRITE);
++      key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE);
+       if (IS_ERR(key_ref)) {
+               ret = PTR_ERR(key_ref);
+               if (ret != -EACCES)
+                       goto error;
+-              key_ref = lookup_user_key(id, 0, KEY_SETATTR);
++              key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR);
+               if (IS_ERR(key_ref)) {
+                       ret = PTR_ERR(key_ref);
+                       goto error;
+@@ -401,7 +401,7 @@ long keyctl_invalidate_key(key_serial_t id)
+       kenter("%d", id);
+-      key_ref = lookup_user_key(id, 0, KEY_SEARCH);
++      key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
+       if (IS_ERR(key_ref)) {
+               ret = PTR_ERR(key_ref);
+               goto error;
+@@ -428,7 +428,7 @@ long keyctl_keyring_clear(key_serial_t ringid)
+       key_ref_t keyring_ref;
+       long ret;
+-      keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
++      keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
+       if (IS_ERR(keyring_ref)) {
+               ret = PTR_ERR(keyring_ref);
+@@ -470,13 +470,13 @@ long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
+       key_ref_t keyring_ref, key_ref;
+       long ret;
+-      keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
++      keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
+       if (IS_ERR(keyring_ref)) {
+               ret = PTR_ERR(keyring_ref);
+               goto error;
+       }
+-      key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_LINK);
++      key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK);
+       if (IS_ERR(key_ref)) {
+               ret = PTR_ERR(key_ref);
+               goto error2;
+@@ -505,7 +505,7 @@ long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
+       key_ref_t keyring_ref, key_ref;
+       long ret;
+-      keyring_ref = lookup_user_key(ringid, 0, KEY_WRITE);
++      keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE);
+       if (IS_ERR(keyring_ref)) {
+               ret = PTR_ERR(keyring_ref);
+               goto error;
+@@ -548,7 +548,7 @@ long keyctl_describe_key(key_serial_t keyid,
+       char *tmpbuf;
+       long ret;
+-      key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_VIEW);
++      key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW);
+       if (IS_ERR(key_ref)) {
+               /* viewing a key under construction is permitted if we have the
+                * authorisation token handy */
+@@ -639,7 +639,7 @@ long keyctl_keyring_search(key_serial_t ringid,
+       }
+       /* get the keyring at which to begin the search */
+-      keyring_ref = lookup_user_key(ringid, 0, KEY_SEARCH);
++      keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH);
+       if (IS_ERR(keyring_ref)) {
+               ret = PTR_ERR(keyring_ref);
+               goto error2;
+@@ -649,7 +649,7 @@ long keyctl_keyring_search(key_serial_t ringid,
+       dest_ref = NULL;
+       if (destringid) {
+               dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE,
+-                                         KEY_WRITE);
++                                         KEY_NEED_WRITE);
+               if (IS_ERR(dest_ref)) {
+                       ret = PTR_ERR(dest_ref);
+                       goto error3;
+@@ -676,7 +676,7 @@ long keyctl_keyring_search(key_serial_t ringid,
+       /* link the resulting key to the destination keyring if we can */
+       if (dest_ref) {
+-              ret = key_permission(key_ref, KEY_LINK);
++              ret = key_permission(key_ref, KEY_NEED_LINK);
+               if (ret < 0)
+                       goto error6;
+@@ -727,7 +727,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
+       key = key_ref_to_ptr(key_ref);
+       /* see if we can read it directly */
+-      ret = key_permission(key_ref, KEY_READ);
++      ret = key_permission(key_ref, KEY_NEED_READ);
+       if (ret == 0)
+               goto can_read_key;
+       if (ret != -EACCES)
+@@ -799,7 +799,7 @@ long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group)
+               goto error;
+       key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
+-                                KEY_SETATTR);
++                                KEY_NEED_SETATTR);
+       if (IS_ERR(key_ref)) {
+               ret = PTR_ERR(key_ref);
+               goto error;
+@@ -905,7 +905,7 @@ long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
+               goto error;
+       key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
+-                                KEY_SETATTR);
++                                KEY_NEED_SETATTR);
+       if (IS_ERR(key_ref)) {
+               ret = PTR_ERR(key_ref);
+               goto error;
+@@ -947,7 +947,7 @@ static long get_instantiation_keyring(key_serial_t ringid,
+       /* if a specific keyring is nominated by ID, then use that */
+       if (ringid > 0) {
+-              dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
++              dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
+               if (IS_ERR(dkref))
+                       return PTR_ERR(dkref);
+               *_dest_keyring = key_ref_to_ptr(dkref);
+@@ -1315,7 +1315,7 @@ long keyctl_set_timeout(key_serial_t id, unsigned timeout)
+       long ret;
+       key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
+-                                KEY_SETATTR);
++                                KEY_NEED_SETATTR);
+       if (IS_ERR(key_ref)) {
+               /* setting the timeout on a key under construction is permitted
+                * if we have the authorisation token handy */
+@@ -1418,7 +1418,7 @@ long keyctl_get_security(key_serial_t keyid,
+       char *context;
+       long ret;
+-      key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_VIEW);
++      key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW);
+       if (IS_ERR(key_ref)) {
+               if (PTR_ERR(key_ref) != -EACCES)
+                       return PTR_ERR(key_ref);
+@@ -1482,7 +1482,7 @@ long keyctl_session_to_parent(void)
+       struct cred *cred;
+       int ret;
+-      keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_LINK);
++      keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK);
+       if (IS_ERR(keyring_r))
+               return PTR_ERR(keyring_r);
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index 2fb2576..9cf2575 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -541,7 +541,7 @@ static int keyring_search_iterator(const void *object, void *iterator_data)
+       /* key must have search permissions */
+       if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
+           key_task_permission(make_key_ref(key, ctx->possessed),
+-                              ctx->cred, KEY_SEARCH) < 0) {
++                              ctx->cred, KEY_NEED_SEARCH) < 0) {
+               ctx->result = ERR_PTR(-EACCES);
+               kleave(" = %d [!perm]", ctx->skipped_ret);
+               goto skipped;
+@@ -721,7 +721,7 @@ ascend_to_node:
+               /* Search a nested keyring */
+               if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
+                   key_task_permission(make_key_ref(key, ctx->possessed),
+-                                      ctx->cred, KEY_SEARCH) < 0)
++                                      ctx->cred, KEY_NEED_SEARCH) < 0)
+                       continue;
+               /* stack the current position */
+@@ -843,7 +843,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
+               return ERR_PTR(-ENOTDIR);
+       if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) {
+-              err = key_task_permission(keyring_ref, ctx->cred, KEY_SEARCH);
++              err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH);
+               if (err < 0)
+                       return ERR_PTR(err);
+       }
+@@ -973,7 +973,7 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
+                       if (!skip_perm_check &&
+                           key_permission(make_key_ref(keyring, 0),
+-                                         KEY_SEARCH) < 0)
++                                         KEY_NEED_SEARCH) < 0)
+                               continue;
+                       /* we've got a match but we might end up racing with
+diff --git a/security/keys/permission.c b/security/keys/permission.c
+index efcc0c8..732cc0b 100644
+--- a/security/keys/permission.c
++++ b/security/keys/permission.c
+@@ -28,7 +28,7 @@
+  * permissions bits or the LSM check.
+  */
+ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
+-                      key_perm_t perm)
++                      unsigned perm)
+ {
+       struct key *key;
+       key_perm_t kperm;
+@@ -68,7 +68,7 @@ use_these_perms:
+       if (is_key_possessed(key_ref))
+               kperm |= key->perm >> 24;
+-      kperm = kperm & perm & KEY_ALL;
++      kperm = kperm & perm & KEY_NEED_ALL;
+       if (kperm != perm)
+               return -EACCES;
+diff --git a/security/keys/persistent.c b/security/keys/persistent.c
+index 0ad3ee2..c9fae5e 100644
+--- a/security/keys/persistent.c
++++ b/security/keys/persistent.c
+@@ -108,7 +108,7 @@ static long key_get_persistent(struct user_namespace *ns, kuid_t uid,
+       return PTR_ERR(persistent_ref);
+ found:
+-      ret = key_task_permission(persistent_ref, current_cred(), KEY_LINK);
++      ret = key_task_permission(persistent_ref, current_cred(), KEY_NEED_LINK);
+       if (ret == 0) {
+               persistent = key_ref_to_ptr(persistent_ref);
+               ret = key_link(key_ref_to_ptr(dest_ref), persistent);
+@@ -151,7 +151,7 @@ long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
+       }
+       /* There must be a destination keyring */
+-      dest_ref = lookup_user_key(destid, KEY_LOOKUP_CREATE, KEY_WRITE);
++      dest_ref = lookup_user_key(destid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
+       if (IS_ERR(dest_ref))
+               return PTR_ERR(dest_ref);
+       if (key_ref_to_ptr(dest_ref)->type != &key_type_keyring) {
+diff --git a/security/keys/proc.c b/security/keys/proc.c
+index 88e9a46..d3f6f2f 100644
+--- a/security/keys/proc.c
++++ b/security/keys/proc.c
+@@ -218,7 +218,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
+        * - the caller holds a spinlock, and thus the RCU read lock, making our
+        *   access to __current_cred() safe
+        */
+-      rc = key_task_permission(key_ref, ctx.cred, KEY_VIEW);
++      rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW);
+       if (rc < 0)
+               return 0;
+diff --git a/security/security.c b/security/security.c
+index 919cad9..d91fec4 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -1407,7 +1407,7 @@ void security_key_free(struct key *key)
+ }
+ int security_key_permission(key_ref_t key_ref,
+-                          const struct cred *cred, key_perm_t perm)
++                          const struct cred *cred, unsigned perm)
+ {
+       return security_ops->key_permission(key_ref, cred, perm);
+ }
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 47b5c69..c8195b3 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -5723,7 +5723,7 @@ static void selinux_key_free(struct key *k)
+ static int selinux_key_permission(key_ref_t key_ref,
+                                 const struct cred *cred,
+-                                key_perm_t perm)
++                                unsigned perm)
+ {
+       struct key *key;
+       struct key_security_struct *ksec;
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index f0ebcb0..eabb97f 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -3514,7 +3514,7 @@ static void smack_key_free(struct key *key)
+  * an error code otherwise
+  */
+ static int smack_key_permission(key_ref_t key_ref,
+-                              const struct cred *cred, key_perm_t perm)
++                              const struct cred *cred, unsigned perm)
+ {
+       struct key *keyp;
+       struct smk_audit_info ad;
+-- 
+1.8.1.4
+
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0005-smack-fix-key-permission-verification.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0005-smack-fix-key-permission-verification.patch
new file mode 100644 (file)
index 0000000..d7b8b2d
--- /dev/null
@@ -0,0 +1,48 @@
+From 959c5046ea4ee48436d62d41f60c0ae70872deeb Mon Sep 17 00:00:00 2001
+From: Dmitry Kasatkin <d.kasatkin@samsung.com>
+Date: Fri, 14 Mar 2014 17:44:49 +0000
+Subject: [PATCH 05/20] smack: fix key permission verification
+
+For any keyring access type SMACK always used MAY_READWRITE access check.
+It prevents reading the key with label "_", which should be allowed for anyone.
+
+This patch changes default access check to MAY_READ and use MAY_READWRITE in only
+appropriate cases.
+
+Change-Id: Ie357956730df93058198e2df13ef307ce4e8f675
+Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smack_lsm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index eabb97f..c972a71 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -3519,6 +3519,7 @@ static int smack_key_permission(key_ref_t key_ref,
+       struct key *keyp;
+       struct smk_audit_info ad;
+       struct smack_known *tkp = smk_of_task(cred->security);
++      int request = 0;
+       keyp = key_ref_to_ptr(key_ref);
+       if (keyp == NULL)
+@@ -3539,7 +3540,11 @@ static int smack_key_permission(key_ref_t key_ref,
+       ad.a.u.key_struct.key = keyp->serial;
+       ad.a.u.key_struct.key_desc = keyp->description;
+ #endif
+-      return smk_access(tkp, keyp->security, MAY_READWRITE, &ad);
++      if (perm & KEY_NEED_READ)
++              request = MAY_READ;
++      if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
++              request = MAY_WRITE;
++      return smk_access(tkp, keyp->security, request, &ad);
+ }
+ #endif /* CONFIG_KEYS */
+-- 
+1.8.1.4
+
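Review bot: The two new `if` statements assign rather than accumulate, so a `perm` carrying `KEY_NEED_READ` together with a write-class bit ends up as `MAY_WRITE` only. A `perm` with none of the tested bits (for instance `KEY_NEED_VIEW`, used elsewhere in this series) leaves `request` at 0, although the description says the default becomes MAY_READ. What `smk_access()` does with a zero request is not visible here and should be confirmed. Using `request |= MAY_READ;` and `request |= MAY_WRITE;`, and deciding explicitly how view/search requests map, would make the check match the description. smack_key_permission() starts outside the inner hunk.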
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0006-Minor-improvement-of-smack_sb_kern_mount.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0006-Minor-improvement-of-smack_sb_kern_mount.patch
new file mode 100644 (file)
index 0000000..f518a3b
--- /dev/null
@@ -0,0 +1,39 @@
+From 0d2724a3b7e348b2e2de0bbcdc147d0cd190a35f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@open.eurogiciel.org>
+Date: Wed, 8 Jan 2014 15:53:05 +0100
+Subject: [PATCH 06/20] Minor improvement of 'smack_sb_kern_mount'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix a possible memory access fault when transmute is true and isp is NULL.
+
+Change-Id: I29708ce54b96b34b440cf349e2b1891ea8d9d34f
+Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smack_lsm.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index c972a71..816e785 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -413,9 +413,11 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
+        * Initialize the root inode.
+        */
+       isp = inode->i_security;
+-      if (inode->i_security == NULL) {
+-              inode->i_security = new_inode_smack(sp->smk_root);
+-              isp = inode->i_security;
++      if (isp == NULL) {
++              isp = new_inode_smack(sp->smk_root);
++              if (isp == NULL)
++                      return -ENOMEM;
++              inode->i_security = isp;
+       } else
+               isp->smk_inode = sp->smk_root;
+-- 
+1.8.1.4
+
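Review bot: The `} else` branch is left unbraced although the `if` branch now has a braced multi-line body; kernel coding style asks for braces on both branches in that case, i.e. `} else {` ... `}` around `isp->smk_inode = sp->smk_root;`. The new `return -ENOMEM` also leaves smack_sb_kern_mount() early. The start of the function is outside the hunk, so whether any superblock state set earlier needs undoing on that path should be confirmed there.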
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0007-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0007-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch
new file mode 100644 (file)
index 0000000..7284a3b
--- /dev/null
@@ -0,0 +1,119 @@
+From 78cb905ed59e8b3c7c37c0ab562549aa105502d6 Mon Sep 17 00:00:00 2001
+From: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
+Date: Tue, 11 Mar 2014 17:07:04 +0100
+Subject: [PATCH 07/20] Smack: fix the subject/object order in
+ smack_ptrace_traceme()
+
+The order of subject/object is currently reversed in
+smack_ptrace_traceme(). It is currently checked if the tracee has a
+capability to trace tracer and according to this rule a decision is made
+whether the tracer will be allowed to trace tracee.
+
+Change-Id: I70afd604b29e5d6515d042ab648b0513c1f77d7a
+Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smack.h        |  1 +
+ security/smack/smack_access.c | 33 ++++++++++++++++++++++++++-------
+ security/smack/smack_lsm.c    |  4 ++--
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index d072fd3..b9dfc4e 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -225,6 +225,7 @@ struct inode_smack *new_inode_smack(char *);
+  */
+ int smk_access_entry(char *, char *, struct list_head *);
+ int smk_access(struct smack_known *, char *, int, struct smk_audit_info *);
++int smk_tskacc(struct task_smack *, char *, u32, struct smk_audit_info *);
+ int smk_curacc(char *, u32, struct smk_audit_info *);
+ struct smack_known *smack_from_secid(const u32);
+ char *smk_parse_smack(const char *string, int len);
+diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
+index 14293cd..f161deb 100644
+--- a/security/smack/smack_access.c
++++ b/security/smack/smack_access.c
+@@ -192,20 +192,21 @@ out_audit:
+ }
+ /**
+- * smk_curacc - determine if current has a specific access to an object
++ * smk_tskacc - determine if a task has a specific access to an object
++ * @tsp: a pointer to the subject task
+  * @obj_label: a pointer to the object's Smack label
+  * @mode: the access requested, in "MAY" format
+  * @a : common audit data
+  *
+- * This function checks the current subject label/object label pair
++ * This function checks the subject task's label/object label pair
+  * in the access rule list and returns 0 if the access is permitted,
+- * non zero otherwise. It allows that current may have the capability
++ * non zero otherwise. It allows that the task may have the capability
+  * to override the rules.
+  */
+-int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
++int smk_tskacc(struct task_smack *subject, char *obj_label,
++             u32 mode, struct smk_audit_info *a)
+ {
+-      struct task_smack *tsp = current_security();
+-      struct smack_known *skp = smk_of_task(tsp);
++      struct smack_known *skp = smk_of_task(subject);
+       int may;
+       int rc;
+@@ -219,7 +220,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
+                * it can further restrict access.
+                */
+               may = smk_access_entry(skp->smk_known, obj_label,
+-                                      &tsp->smk_rules);
++                                      &subject->smk_rules);
+               if (may < 0)
+                       goto out_audit;
+               if ((mode & may) == mode)
+@@ -241,6 +242,24 @@ out_audit:
+       return rc;
+ }
++/**
++ * smk_curacc - determine if current has a specific access to an object
++ * @obj_label: a pointer to the object's Smack label
++ * @mode: the access requested, in "MAY" format
++ * @a : common audit data
++ *
++ * This function checks the current subject label/object label pair
++ * in the access rule list and returns 0 if the access is permitted,
++ * non zero otherwise. It allows that current may have the capability
++ * to override the rules.
++ */
++int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
++{
++      struct task_smack *tsp = current_security();
++
++      return smk_tskacc(tsp, obj_label, mode, a);
++}
++
+ #ifdef CONFIG_AUDIT
+ /**
+  * smack_str_from_perm : helper to transalate an int to a
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 816e785..3617a56 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -207,11 +207,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
+       if (rc != 0)
+               return rc;
+-      skp = smk_of_task(task_security(ptp));
++      skp = smk_of_task(current_security());
+       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+       smk_ad_setfield_u_tsk(&ad, ptp);
+-      rc = smk_curacc(skp->smk_known, MAY_READWRITE, &ad);
++      rc = smk_tskacc(ptp, skp->smk_known, MAY_READWRITE, &ad);
+       return rc;
+ }
+-- 
+1.8.1.4
+
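Review bot: In the smack_lsm.c hunk the new call `smk_tskacc(ptp, skp->smk_known, MAY_READWRITE, &ad)` passes `ptp`, a `struct task_struct *`, where the prototype added to smack.h in this same patch takes a `struct task_smack *`. The access check would therefore read the wrong structure as the subject's Smack data. Passing the task's security blob keeps the intended subject: `rc = smk_tskacc(task_security(ptp), skp->smk_known, MAY_READWRITE, &ad);`. Patch 0008 in this series replaces the call, but the tree is incorrect at this intermediate commit, which matters for bisection. The kernel-doc for smk_tskacc also documents `@tsp` while the parameter is named `subject`; one of the two should be renamed.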
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0008-Smack-unify-all-ptrace-accesses-in-the-smack.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0008-Smack-unify-all-ptrace-accesses-in-the-smack.patch
new file mode 100644 (file)
index 0000000..935a1a3
--- /dev/null
@@ -0,0 +1,186 @@
+From f9ddb212e091949c27b5461015e817455f40a1fc Mon Sep 17 00:00:00 2001
+From: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
+Date: Tue, 11 Mar 2014 17:07:05 +0100
+Subject: [PATCH 08/20] Smack: unify all ptrace accesses in the smack
+
+The decision whether we can trace a process is made in the following
+functions:
+       smack_ptrace_traceme()
+       smack_ptrace_access_check()
+       smack_bprm_set_creds() (in case the proces is traced)
+
+This patch unifies all those decisions by introducing one function that
+checks whether ptrace is allowed: smk_ptrace_rule_check().
+
+This makes possible to actually trace with TRACEME where first the
+TRACEME itself must be allowed and then exec() on a traced process.
+
+Additional bugs fixed:
+- The decision is made according to the mode parameter that is now correctly
+  translated from PTRACE_MODE_* to MAY_* instead of being treated 1:1.
+  PTRACE_MODE_READ requires MAY_READ.
+  PTRACE_MODE_ATTACH requires MAY_READWRITE.
+- Add a smack audit log in case of exec() refused by bprm_set_creds().
+- Honor the PTRACE_MODE_NOAUDIT flag and don't put smack audit info
+  in case this flag is set.
+
+Change-Id: I14d6de0c11ce190e53788a0b4fc096471506c736
+Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smack_lsm.c | 84 +++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 71 insertions(+), 13 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 3617a56..23d90cd 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -157,6 +157,54 @@ static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead,
+       return rc;
+ }
++/**
++ * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_*
++ * @mode - input mode in form of PTRACE_MODE_*
++ *
++ * Returns a converted MAY_* mode usable by smack rules
++ */
++static inline unsigned int smk_ptrace_mode(unsigned int mode)
++{
++      switch (mode) {
++      case PTRACE_MODE_READ:
++              return MAY_READ;
++      case PTRACE_MODE_ATTACH:
++              return MAY_READWRITE;
++      }
++
++      return 0;
++}
++
++/**
++ * smk_ptrace_rule_check - helper for ptrace access
++ * @tracer: tracer process
++ * @tracee_label: label of the process that's about to be traced
++ * @mode: ptrace attachment mode (PTRACE_MODE_*)
++ * @func: name of the function that called us, used for audit
++ *
++ * Returns 0 on access granted, -error on error
++ */
++static int smk_ptrace_rule_check(struct task_struct *tracer, char *tracee_label,
++                               unsigned int mode, const char *func)
++{
++      int rc;
++      struct smk_audit_info ad, *saip = NULL;
++      struct task_smack *tsp;
++      struct smack_known *skp;
++
++      if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
++              smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK);
++              smk_ad_setfield_u_tsk(&ad, tracer);
++              saip = &ad;
++      }
++
++      tsp = task_security(tracer);
++      skp = smk_of_task(tsp);
++
++      rc = smk_tskacc(tsp, tracee_label, smk_ptrace_mode(mode), saip);
++      return rc;
++}
++
+ /*
+  * LSM hooks.
+  * We he, that is fun!
+@@ -165,16 +213,15 @@ static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead,
+ /**
+  * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
+  * @ctp: child task pointer
+- * @mode: ptrace attachment mode
++ * @mode: ptrace attachment mode (PTRACE_MODE_*)
+  *
+  * Returns 0 if access is OK, an error code otherwise
+  *
+- * Do the capability checks, and require read and write.
++ * Do the capability checks.
+  */
+ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
+ {
+       int rc;
+-      struct smk_audit_info ad;
+       struct smack_known *skp;
+       rc = cap_ptrace_access_check(ctp, mode);
+@@ -182,10 +229,8 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
+               return rc;
+       skp = smk_of_task(task_security(ctp));
+-      smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+-      smk_ad_setfield_u_tsk(&ad, ctp);
+-      rc = smk_curacc(skp->smk_known, mode, &ad);
++      rc = smk_ptrace_rule_check(current, skp->smk_known, mode, __func__);
+       return rc;
+ }
+@@ -195,12 +240,11 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
+  *
+  * Returns 0 if access is OK, an error code otherwise
+  *
+- * Do the capability checks, and require read and write.
++ * Do the capability checks, and require PTRACE_MODE_ATTACH.
+  */
+ static int smack_ptrace_traceme(struct task_struct *ptp)
+ {
+       int rc;
+-      struct smk_audit_info ad;
+       struct smack_known *skp;
+       rc = cap_ptrace_traceme(ptp);
+@@ -208,10 +252,9 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
+               return rc;
+       skp = smk_of_task(current_security());
+-      smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+-      smk_ad_setfield_u_tsk(&ad, ptp);
+-      rc = smk_tskacc(ptp, skp->smk_known, MAY_READWRITE, &ad);
++      rc = smk_ptrace_rule_check(ptp, skp->smk_known,
++                                 PTRACE_MODE_ATTACH, __func__);
+       return rc;
+ }
+@@ -455,7 +498,7 @@ static int smack_sb_statfs(struct dentry *dentry)
+  * smack_bprm_set_creds - set creds for exec
+  * @bprm: the exec information
+  *
+- * Returns 0 if it gets a blob, -ENOMEM otherwise
++ * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise
+  */
+ static int smack_bprm_set_creds(struct linux_binprm *bprm)
+ {
+@@ -475,7 +518,22 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
+       if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
+               return 0;
+-      if (bprm->unsafe)
++      if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
++              struct task_struct *tracer;
++              rc = 0;
++
++              rcu_read_lock();
++              tracer = ptrace_parent(current);
++              if (likely(tracer != NULL))
++                      rc = smk_ptrace_rule_check(tracer,
++                                                 isp->smk_task->smk_known,
++                                                 PTRACE_MODE_ATTACH,
++                                                 __func__);
++              rcu_read_unlock();
++
++              if (rc != 0)
++                      return rc;
++      } else if (bprm->unsafe)
+               return -EPERM;
+       bsp->smk_task = isp->smk_task;
+-- 
+1.8.1.4
+
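Review bot: `smk_ptrace_mode()` switches on the exact value of `mode`, but `smk_ptrace_rule_check()` hands it the same `mode` it has just tested for `PTRACE_MODE_NOAUDIT`, so a request carrying that flag matches neither case and is converted to 0. A zero mode then reaches `smk_tskacc()`, whose `(mode & may) == mode` test (visible in patch 0007) appears to be satisfied by any existing rule entry, which would make the no-audit path weaker than the audited one. Masking the flag before the switch avoids that: `switch (mode & ~PTRACE_MODE_NOAUDIT) {`. Separately, `skp` in `smk_ptrace_rule_check()` is assigned but not used in this patch.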
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0009-Smack-adds-smackfs-ptrace-interface.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0009-Smack-adds-smackfs-ptrace-interface.patch
new file mode 100644 (file)
index 0000000..d0950ce
--- /dev/null
@@ -0,0 +1,234 @@
+From 60ba6997583de20f90e354b4dc795424c053cb42 Mon Sep 17 00:00:00 2001
+From: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
+Date: Tue, 11 Mar 2014 17:07:06 +0100
+Subject: [PATCH 09/20] Smack: adds smackfs/ptrace interface
+
+This allows to limit ptrace beyond the regular smack access rules.
+It adds a smackfs/ptrace interface that allows smack to be configured
+to require equal smack labels for PTRACE_MODE_ATTACH access.
+See the changes in Documentation/security/Smack.txt below for details.
+
+Change-Id: If5d887a86b8d05ac46c82e1e7e123b86a5d62ddb
+Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ Documentation/security/Smack.txt | 10 ++++++
+ security/smack/smack.h           |  9 +++++
+ security/smack/smack_access.c    |  5 ++-
+ security/smack/smack_lsm.c       | 22 +++++++++++-
+ security/smack/smackfs.c         | 74 ++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 118 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
+index 7a2d30c..5597917 100644
+--- a/Documentation/security/Smack.txt
++++ b/Documentation/security/Smack.txt
+@@ -204,6 +204,16 @@ onlycap
+       these capabilities are effective at for processes with any
+       label. The value is set by writing the desired label to the
+       file or cleared by writing "-" to the file.
++ptrace
++      This is used to define the current ptrace policy
++      0 - default: this is the policy that relies on smack access rules.
++          For the PTRACE_READ a subject needs to have a read access on
++          object. For the PTRACE_ATTACH a read-write access is required.
++      1 - exact: this is the policy that limits PTRACE_ATTACH. Attach is
++          only allowed when subject's and object's labels are equal.
++          PTRACE_READ is not affected. Can be overriden with CAP_SYS_PTRACE.
++      2 - draconian: this policy behaves like the 'exact' above with an
++          exception that it can't be overriden with CAP_SYS_PTRACE.
+ revoke-subject
+       Writing a Smack label here sets the access to '-' for all access
+       rules with that subject label.
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index b9dfc4e..fade085 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -177,6 +177,14 @@ struct smk_port_label {
+ #define SMACK_CIPSO_MAXCATNUM           184     /* 23 * 8 */
+ /*
++ * Ptrace rules
++ */
++#define SMACK_PTRACE_DEFAULT  0
++#define SMACK_PTRACE_EXACT    1
++#define SMACK_PTRACE_DRACONIAN        2
++#define SMACK_PTRACE_MAX      SMACK_PTRACE_DRACONIAN
++
++/*
+  * Flags for untraditional access modes.
+  * It shouldn't be necessary to avoid conflicts with definitions
+  * in fs.h, but do so anyway.
+@@ -245,6 +253,7 @@ extern struct smack_known *smack_net_ambient;
+ extern struct smack_known *smack_onlycap;
+ extern struct smack_known *smack_syslog_label;
+ extern const char *smack_cipso_option;
++extern int smack_ptrace_rule;
+ extern struct smack_known smack_known_floor;
+ extern struct smack_known smack_known_hat;
+diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
+index f161deb..c062e94 100644
+--- a/security/smack/smack_access.c
++++ b/security/smack/smack_access.c
+@@ -304,7 +304,10 @@ static void smack_log_callback(struct audit_buffer *ab, void *a)
+       audit_log_untrustedstring(ab, sad->subject);
+       audit_log_format(ab, " object=");
+       audit_log_untrustedstring(ab, sad->object);
+-      audit_log_format(ab, " requested=%s", sad->request);
++      if (sad->request[0] == '\0')
++              audit_log_format(ab, " labels_differ");
++      else
++              audit_log_format(ab, " requested=%s", sad->request);
+ }
+ /**
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 23d90cd..d430977 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -178,7 +178,8 @@ static inline unsigned int smk_ptrace_mode(unsigned int mode)
+ /**
+  * smk_ptrace_rule_check - helper for ptrace access
+  * @tracer: tracer process
+- * @tracee_label: label of the process that's about to be traced
++ * @tracee_label: label of the process that's about to be traced,
++ *                the pointer must originate from smack structures
+  * @mode: ptrace attachment mode (PTRACE_MODE_*)
+  * @func: name of the function that called us, used for audit
+  *
+@@ -201,6 +202,25 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, char *tracee_label,
+       tsp = task_security(tracer);
+       skp = smk_of_task(tsp);
++      if ((mode & PTRACE_MODE_ATTACH) &&
++          (smack_ptrace_rule == SMACK_PTRACE_EXACT ||
++           smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) {
++              if (skp->smk_known == tracee_label)
++                      rc = 0;
++              else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
++                      rc = -EACCES;
++              else if (capable(CAP_SYS_PTRACE))
++                      rc = 0;
++              else
++                      rc = -EACCES;
++
++              if (saip)
++                      smack_log(skp->smk_known, tracee_label, 0, rc, saip);
++
++              return rc;
++      }
++
++      /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */
+       rc = smk_tskacc(tsp, tracee_label, smk_ptrace_mode(mode), saip);
+       return rc;
+ }
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 3198cfe..177d878 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -53,6 +53,7 @@ enum smk_inos {
+       SMK_REVOKE_SUBJ = 18,   /* set rules with subject label to '-' */
+       SMK_CHANGE_RULE = 19,   /* change or add rules (long labels) */
+       SMK_SYSLOG      = 20,   /* change syslog label) */
++      SMK_PTRACE      = 21,   /* set ptrace rule */
+ };
+ /*
+@@ -101,6 +102,15 @@ struct smack_known *smack_onlycap;
+ struct smack_known *smack_syslog_label;
+ /*
++ * Ptrace current rule
++ * SMACK_PTRACE_DEFAULT    regular smack ptrace rules (/proc based)
++ * SMACK_PTRACE_EXACT      labels must match, but can be overriden with
++ *                       CAP_SYS_PTRACE
++ * SMACK_PTRACE_DRACONIAN  lables must match, CAP_SYS_PTRACE has no effect
++ */
++int smack_ptrace_rule = SMACK_PTRACE_DEFAULT;
++
++/*
+  * Certain IP addresses may be designated as single label hosts.
+  * Packets are sent there unlabeled, but only from tasks that
+  * can write to the specified label.
+@@ -2244,6 +2254,68 @@ static const struct file_operations smk_syslog_ops = {
+ /**
++ * smk_read_ptrace - read() for /smack/ptrace
++ * @filp: file pointer, not actually used
++ * @buf: where to put the result
++ * @count: maximum to send along
++ * @ppos: where to start
++ *
++ * Returns number of bytes read or error code, as appropriate
++ */
++static ssize_t smk_read_ptrace(struct file *filp, char __user *buf,
++                             size_t count, loff_t *ppos)
++{
++      char temp[32];
++      ssize_t rc;
++
++      if (*ppos != 0)
++              return 0;
++
++      sprintf(temp, "%d\n", smack_ptrace_rule);
++      rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
++      return rc;
++}
++
++/**
++ * smk_write_ptrace - write() for /smack/ptrace
++ * @file: file pointer
++ * @buf: data from user space
++ * @count: bytes sent
++ * @ppos: where to start - must be 0
++ */
++static ssize_t smk_write_ptrace(struct file *file, const char __user *buf,
++                              size_t count, loff_t *ppos)
++{
++      char temp[32];
++      int i;
++
++      if (!smack_privileged(CAP_MAC_ADMIN))
++              return -EPERM;
++
++      if (*ppos != 0 || count >= sizeof(temp) || count == 0)
++              return -EINVAL;
++
++      if (copy_from_user(temp, buf, count) != 0)
++              return -EFAULT;
++
++      temp[count] = '\0';
++
++      if (sscanf(temp, "%d", &i) != 1)
++              return -EINVAL;
++      if (i < SMACK_PTRACE_DEFAULT || i > SMACK_PTRACE_MAX)
++              return -EINVAL;
++      smack_ptrace_rule = i;
++
++      return count;
++}
++
++static const struct file_operations smk_ptrace_ops = {
++      .write          = smk_write_ptrace,
++      .read           = smk_read_ptrace,
++      .llseek         = default_llseek,
++};
++
++/**
+  * smk_fill_super - fill the smackfs superblock
+  * @sb: the empty superblock
+  * @data: unused
+@@ -2296,6 +2368,8 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
+                       "change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR},
+               [SMK_SYSLOG] = {
+                       "syslog", &smk_syslog_ops, S_IRUGO|S_IWUSR},
++              [SMK_PTRACE] = {
++                      "ptrace", &smk_ptrace_ops, S_IRUGO|S_IWUSR},
+               /* last one */
+                       {""}
+       };
+-- 
+1.8.1.4
+
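Review bot: In the smack_lsm.c hunk, the `SMACK_PTRACE_EXACT` branch calls `capable(CAP_SYS_PTRACE)`, which tests the calling task, while `smk_ptrace_rule_check()` is also reached with a `tracer` that is not `current` (`ptp` in smack_ptrace_traceme() and `ptrace_parent(current)` in smack_bprm_set_creds(), both from patch 0008). On those paths the tracee's own capability would decide whether the label mismatch is overridden. The check should be made against the tracer, for example `else if (has_capability(tracer, CAP_SYS_PTRACE))`, to be confirmed against how Smack's onlycap restriction is meant to apply. In smackfs.c, `sscanf(temp, "%d", &i)` accepts trailing characters after the number; `kstrtoint()` would reject them.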
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0010-bugfix-patch-for-SMACK.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0010-bugfix-patch-for-SMACK.patch
new file mode 100644 (file)
index 0000000..4fc2f9c
--- /dev/null
@@ -0,0 +1,45 @@
+From d162327c8181f3cefeb0dc9ed1e1399ab6637288 Mon Sep 17 00:00:00 2001
+From: Pankaj Kumar <pankaj.k2@samsung.com>
+Date: Fri, 13 Dec 2013 15:12:22 +0530
+Subject: [PATCH 10/20] bugfix patch for SMACK
+
+1. In order to remove any SMACK extended attribute from a file, a user
+should have CAP_MAC_ADMIN capability. But user without having this
+capability is able to remove SMACK64MMAP security attribute.
+
+2. While validating size and value of smack extended attribute in
+smack_inode_setsecurity hook, wrong error code is returned.
+
+Change-Id: Ib4b290150f4a003733f76cbb7ccc25d228310ecb
+Signed-off-by: Pankaj Kumar <pamkaj.k2@samsung.com>
+Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smack_lsm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index d430977..b86825b 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1020,7 +1020,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+           strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||
+           strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
+           strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 ||
+-          strcmp(name, XATTR_NAME_SMACKMMAP)) {
++          strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
+               if (!smack_privileged(CAP_MAC_ADMIN))
+                       rc = -EPERM;
+       } else
+@@ -2158,7 +2158,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
+       int rc = 0;
+       if (value == NULL || size > SMK_LONGLABEL || size == 0)
+-              return -EACCES;
++              return -EINVAL;
+       skp = smk_import_entry(value, size);
+       if (skp == NULL)
+-- 
+1.8.1.4
+
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0011-Smack-Correctly-remove-SMACK64TRANSMUTE-attribute.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0011-Smack-Correctly-remove-SMACK64TRANSMUTE-attribute.patch
new file mode 100644 (file)
index 0000000..4a3be50
--- /dev/null
@@ -0,0 +1,66 @@
+From a9aab799877935740562b588c00c74e7f092b626 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Thu, 10 Apr 2014 16:35:36 -0700
+Subject: [PATCH 11/20] Smack: Correctly remove SMACK64TRANSMUTE attribute
+
+Sam Henderson points out that removing the SMACK64TRANSMUTE
+attribute from a directory does not result in the directory
+transmuting. This is because the inode flag indicating that
+the directory is transmuting isn't cleared. The fix is a tad
+less than trivial because smk_task and smk_mmap should have
+been broken out, too.
+
+Targeted for git://git.gitorious.org/smack-next/kernel.git
+
+Change-Id: Iae25080bfd0ec247391c997a59f3e2327423e33d
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smack_lsm.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b86825b..1c05130 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1026,18 +1026,31 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+       } else
+               rc = cap_inode_removexattr(dentry, name);
++      if (rc != 0)
++              return rc;
++
+       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
+       smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
+-      if (rc == 0)
+-              rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
+-      if (rc == 0) {
+-              isp = dentry->d_inode->i_security;
++      rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
++      if (rc != 0)
++              return rc;
++
++      isp = dentry->d_inode->i_security;
++      /*
++       * Don't do anything special for these.
++       *      XATTR_NAME_SMACKIPIN
++       *      XATTR_NAME_SMACKIPOUT
++       *      XATTR_NAME_SMACKEXEC
++       */
++      if (strcmp(name, XATTR_NAME_SMACK) == 0)
+               isp->smk_task = NULL;
++      else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
+               isp->smk_mmap = NULL;
+-      }
++      else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0)
++              isp->smk_flags &= ~SMK_INODE_TRANSMUTE;
+-      return rc;
++      return 0;
+ }
+ /**
+-- 
+1.8.1.4
+
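Review bot: The new chain clears `isp->smk_task` when `XATTR_NAME_SMACK` is removed and lists `XATTR_NAME_SMACKEXEC` among the names that need nothing special. But `smk_task` is the field smack_bprm_set_creds() copies into the task on exec (visible in patch 0008), which suggests it tracks the exec attribute. If so, removing SMACK64EXEC leaves the cached exec label in effect, and removing SMACK64 clears an unrelated field. The branch guarding `isp->smk_task = NULL;` would then read `else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)`, with the handling of XATTR_NAME_SMACK decided separately. The start of smack_inode_removexattr() is outside the hunk.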
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0012-Smack-bidirectional-UDS-connect-check.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0012-Smack-bidirectional-UDS-connect-check.patch
new file mode 100644 (file)
index 0000000..5bb9f31
--- /dev/null
@@ -0,0 +1,206 @@
+From fe21a66f10ef0ce622fd71befe95eefab7648457 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Thu, 10 Apr 2014 16:37:08 -0700
+Subject: [PATCH 12/20] Smack: bidirectional UDS connect check
+
+Smack IPC policy requires that the sender have write access
+to the receiver. UDS streams don't do per-packet checks. The
+only check is done at connect time. The existing code checks
+if the connecting process can write to the other, but not the
+other way around. This change adds a check that the other end
+can write to the connecting process.
+
+Targeted for git://git.gitorious.org/smack-next/kernel.git
+
+Change-Id: I0dd9124261cb66a364322ed88e9dcb3213157cb6
+Signed-off-by: Casey Schuafler <casey@schaufler-ca.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smack.h     |  6 +++---
+ security/smack/smack_lsm.c | 44 ++++++++++++++++++++++++--------------------
+ 2 files changed, 27 insertions(+), 23 deletions(-)
+
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index fade085..020307e 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -80,8 +80,8 @@ struct superblock_smack {
+ struct socket_smack {
+       struct smack_known      *smk_out;       /* outbound label */
+-      char                    *smk_in;        /* inbound label */
+-      char                    *smk_packet;    /* TCP peer label */
++      struct smack_known      *smk_in;        /* inbound label */
++      struct smack_known      *smk_packet;    /* TCP peer label */
+ };
+ /*
+@@ -133,7 +133,7 @@ struct smk_port_label {
+       struct list_head        list;
+       struct sock             *smk_sock;      /* socket initialized on */
+       unsigned short          smk_port;       /* the port number */
+-      char                    *smk_in;        /* incoming label */
++      struct smack_known      *smk_in;        /* inbound label */
+       struct smack_known      *smk_out;       /* outgoing label */
+ };
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 1c05130..40f2681 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1095,7 +1095,7 @@ static int smack_inode_getsecurity(const struct inode *inode,
+       ssp = sock->sk->sk_security;
+       if (strcmp(name, XATTR_SMACK_IPIN) == 0)
+-              isp = ssp->smk_in;
++              isp = ssp->smk_in->smk_known;
+       else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
+               isp = ssp->smk_out->smk_known;
+       else
+@@ -1859,7 +1859,7 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
+       if (ssp == NULL)
+               return -ENOMEM;
+-      ssp->smk_in = skp->smk_known;
++      ssp->smk_in = skp;
+       ssp->smk_out = skp;
+       ssp->smk_packet = NULL;
+@@ -2099,7 +2099,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
+       if (act == SMK_RECEIVING) {
+               skp = smack_net_ambient;
+-              object = ssp->smk_in;
++              object = ssp->smk_in->smk_known;
+       } else {
+               skp = ssp->smk_out;
+               object = smack_net_ambient->smk_known;
+@@ -2129,9 +2129,9 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
+       list_for_each_entry(spp, &smk_ipv6_port_list, list) {
+               if (spp->smk_port != port)
+                       continue;
+-              object = spp->smk_in;
++              object = spp->smk_in->smk_known;
+               if (act == SMK_CONNECTING)
+-                      ssp->smk_packet = spp->smk_out->smk_known;
++                      ssp->smk_packet = spp->smk_out;
+               break;
+       }
+@@ -2195,7 +2195,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
+       ssp = sock->sk->sk_security;
+       if (strcmp(name, XATTR_SMACK_IPIN) == 0)
+-              ssp->smk_in = skp->smk_known;
++              ssp->smk_in = skp;
+       else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) {
+               ssp->smk_out = skp;
+               if (sock->sk->sk_family == PF_INET) {
+@@ -3060,30 +3060,34 @@ static int smack_unix_stream_connect(struct sock *sock,
+                                    struct sock *other, struct sock *newsk)
+ {
+       struct smack_known *skp;
++      struct smack_known *okp;
+       struct socket_smack *ssp = sock->sk_security;
+       struct socket_smack *osp = other->sk_security;
+       struct socket_smack *nsp = newsk->sk_security;
+       struct smk_audit_info ad;
+       int rc = 0;
+-
+ #ifdef CONFIG_AUDIT
+       struct lsm_network_audit net;
+-
+-      smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
+-      smk_ad_setfield_u_net_sk(&ad, other);
+ #endif
+       if (!smack_privileged(CAP_MAC_OVERRIDE)) {
+               skp = ssp->smk_out;
+-              rc = smk_access(skp, osp->smk_in, MAY_WRITE, &ad);
++              okp = osp->smk_out;
++#ifdef CONFIG_AUDIT
++              smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
++              smk_ad_setfield_u_net_sk(&ad, other);
++#endif
++              rc = smk_access(skp, okp->smk_known, MAY_WRITE, &ad);
++              if (rc == 0)
++                      rc = smk_access(okp, okp->smk_known, MAY_WRITE, NULL);
+       }
+       /*
+        * Cross reference the peer labels for SO_PEERSEC.
+        */
+       if (rc == 0) {
+-              nsp->smk_packet = ssp->smk_out->smk_known;
+-              ssp->smk_packet = osp->smk_out->smk_known;
++              nsp->smk_packet = ssp->smk_out;
++              ssp->smk_packet = osp->smk_out;
+       }
+       return rc;
+@@ -3115,7 +3119,7 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other)
+               return 0;
+       skp = ssp->smk_out;
+-      return smk_access(skp, osp->smk_in, MAY_WRITE, &ad);
++      return smk_access(skp, osp->smk_in->smk_known, MAY_WRITE, &ad);
+ }
+ /**
+@@ -3210,7 +3214,7 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
+               if (found)
+                       return skp;
+-              if (ssp != NULL && ssp->smk_in == smack_known_star.smk_known)
++              if (ssp != NULL && ssp->smk_in == &smack_known_star)
+                       return &smack_known_web;
+               return &smack_known_star;
+       }
+@@ -3329,7 +3333,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
+                * This is the simplist possible security model
+                * for networking.
+                */
+-              rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
++              rc = smk_access(skp, ssp->smk_in->smk_known, MAY_WRITE, &ad);
+               if (rc != 0)
+                       netlbl_skbuff_err(skb, rc, 0);
+               break;
+@@ -3364,7 +3368,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock,
+       ssp = sock->sk->sk_security;
+       if (ssp->smk_packet != NULL) {
+-              rcp = ssp->smk_packet;
++              rcp = ssp->smk_packet->smk_known;
+               slen = strlen(rcp) + 1;
+       }
+@@ -3449,7 +3453,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
+               return;
+       ssp = sk->sk_security;
+-      ssp->smk_in = skp->smk_known;
++      ssp->smk_in = skp;
+       ssp->smk_out = skp;
+       /* cssp->smk_packet is already set in smack_inet_csk_clone() */
+ }
+@@ -3509,7 +3513,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
+        * Receiving a packet requires that the other end be able to write
+        * here. Read access is not required.
+        */
+-      rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
++      rc = smk_access(skp, ssp->smk_in->smk_known, MAY_WRITE, &ad);
+       if (rc != 0)
+               return rc;
+@@ -3553,7 +3557,7 @@ static void smack_inet_csk_clone(struct sock *sk,
+       if (req->peer_secid != 0) {
+               skp = smack_from_secid(req->peer_secid);
+-              ssp->smk_packet = skp->smk_known;
++              ssp->smk_packet = skp;
+       } else
+               ssp->smk_packet = NULL;
+ }
+-- 
+1.8.1.4
+
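Review bot: The reverse-direction check added in smack_unix_stream_connect passes `okp` as both subject and object (`smk_access(okp, okp->smk_known, MAY_WRITE, NULL)`), so it asks whether the peer's label can write to itself rather than to the connecting process, which is what the patch description says it adds. It should read `rc = smk_access(okp, skp->smk_known, MAY_WRITE, NULL);`. The forward check now takes its object from `osp->smk_out` where the old code used `osp->smk_in`; the description does not mention that change, so it is worth confirming it is intended. Passing NULL as the audit argument presumably means a denial in the reverse direction leaves no audit record, since smk_access itself is outside this hunk.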
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0013-Smack-Verify-read-access-on-file-open-v3.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0013-Smack-Verify-read-access-on-file-open-v3.patch
new file mode 100644 (file)
index 0000000..5cf1737
--- /dev/null
@@ -0,0 +1,64 @@
+From 8bc0ffa8453714e928d548164560c52d2c7c4897 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Mon, 21 Apr 2014 11:10:26 -0700
+Subject: [PATCH 13/20] Smack: Verify read access on file open - v3
+
+Smack believes that many of the operatons that can
+be performed on an open file descriptor are read operations.
+The fstat and lseek system calls are examples.
+An implication of this is that files shouldn't be open
+if the task doesn't have read access even if it has
+write access and the file is being opened write only.
+
+Targeted for git://git.gitorious.org/smack-next/kernel.git
+
+Change-Id: Iefff38549f9f2e242fd21fce42db067c4c4d8a12
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smack_lsm.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 40f2681..f2c3080 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1462,19 +1462,32 @@ static int smack_file_receive(struct file *file)
+ /**
+  * smack_file_open - Smack dentry open processing
+  * @file: the object
+- * @cred: unused
++ * @cred: task credential
+  *
+  * Set the security blob in the file structure.
++ * Allow the open only if the task has read access. There are
++ * many read operations (e.g. fstat) that you can do with an
++ * fd even if you have the file open write-only.
+  *
+  * Returns 0
+  */
+ static int smack_file_open(struct file *file, const struct cred *cred)
+ {
++      struct task_smack *tsp = cred->security;
+       struct inode_smack *isp = file_inode(file)->i_security;
++      struct smk_audit_info ad;
++      int rc;
+-      file->f_security = isp->smk_inode;
++      if (smack_privileged(CAP_MAC_OVERRIDE))
++              return 0;
+-      return 0;
++      smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
++      smk_ad_setfield_u_fs_path(&ad, file->f_path);
++      rc = smk_access(tsp->smk_task, isp->smk_inode, MAY_READ, &ad);
++      if (rc == 0)
++              file->f_security = isp->smk_inode;
++
++      return rc;
+ }
+ /*
+-- 
+1.8.1.4
+
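Review bot: The kernel-doc for smack_file_open still ends with `Returns 0`, but the new body returns `rc` from smk_access, which is presumably non-zero when read access is denied. The comment should be updated to match, for example `Returns 0 if the task has read access, an error code otherwise`. The `@cred` line was already corrected in this hunk, so only the return description is stale.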
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0014-Warning-in-scanf-string-typing.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0014-Warning-in-scanf-string-typing.patch
new file mode 100644 (file)
index 0000000..3d9c4c3
--- /dev/null
@@ -0,0 +1,34 @@
+From 2feea04e966c9c32a9ae53931f5b54f5a830712c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Toralf=20F=C3=B6rster?= <toralf.foerster@gmx.de>
+Date: Sun, 27 Apr 2014 19:33:34 +0200
+Subject: [PATCH 14/20] Warning in scanf string typing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a warning about the mismatch of types between
+the declared unsigned and integer.
+
+Change-Id: Ie7170fa22c1f641b2990721b44059d399c92ffe6
+Signed-off-by: Toralf Förster <toralf.foerster@gmx.de>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smackfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 177d878..32b2488 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -1193,7 +1193,7 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
+       data[count] = '\0';
+-      rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%d %s",
++      rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%u %s",
+               &host[0], &host[1], &host[2], &host[3], &m, smack);
+       if (rc != 6) {
+               rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s",
+-- 
+1.8.1.4
+
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0015-Smack-fix-behavior-of-smack_inode_listsecurity.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0015-Smack-fix-behavior-of-smack_inode_listsecurity.patch
new file mode 100644 (file)
index 0000000..c7bf1af
--- /dev/null
@@ -0,0 +1,47 @@
+From f57b7f5bb1c2d7d1fa93a807f3290eae2514ab3f Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Date: Thu, 7 Aug 2014 20:52:33 +0400
+Subject: [PATCH 15/20] Smack: fix behavior of smack_inode_listsecurity
+
+Security operation ->inode_listsecurity is used for generating list of
+available extended attributes for syscall listxattr. Currently it's used
+only in nfs4 or if filesystem doesn't provide i_op->listxattr.
+
+The list is the set of NULL-terminated names, one after the other.
+This method must include zero byte at the and into result.
+
+Also this function must return length even if string does not fit into
+output buffer or it is NULL, see similar method in selinux and man listxattr.
+
+Change-Id: I3ba4524fead6ef6ab0c93238fa8d422e6b155efb
+Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smack_lsm.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index f2c3080..8473576 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1122,13 +1122,12 @@ static int smack_inode_getsecurity(const struct inode *inode,
+ static int smack_inode_listsecurity(struct inode *inode, char *buffer,
+                                   size_t buffer_size)
+ {
+-      int len = strlen(XATTR_NAME_SMACK);
++      int len = sizeof(XATTR_NAME_SMACK);
+-      if (buffer != NULL && len <= buffer_size) {
++      if (buffer != NULL && len <= buffer_size)
+               memcpy(buffer, XATTR_NAME_SMACK, len);
+-              return len;
+-      }
+-      return -EINVAL;
++
++      return len;
+ }
+ /**
+-- 
+1.8.1.4
+
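Review bot: `int len = sizeof(XATTR_NAME_SMACK);` needs a comment, because the switch from strlen to sizeof is what adds the terminating zero byte and is easy to mistake for an off-by-one. Something like `/* sizeof counts the trailing NUL that ends each name in the listxattr result */` would do. `len` is a signed int compared against the `size_t buffer_size`; declaring it `size_t` would avoid the mixed-sign comparison. The function's kernel-doc is outside the hunk and may need to say that the length is returned even when nothing is copied.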
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0016-Smack-handle-zero-length-security-labels-without-pan.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0016-Smack-handle-zero-length-security-labels-without-pan.patch
new file mode 100644 (file)
index 0000000..6bb276a
--- /dev/null
@@ -0,0 +1,62 @@
+From bc71ad29132e6774789de28eda50693be0beeef0 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Date: Thu, 7 Aug 2014 20:52:43 +0400
+Subject: [PATCH 16/20] Smack: handle zero-length security labels without panic
+
+Zero-length security labels are invalid but kernel should handle them.
+
+This patch fixes kernel panic after setting zero-length security labels:
+
+And after writing zero-length string into smackfs files syslog and onlycp:
+
+The problem is caused by brain-damaged logic in function smk_parse_smack()
+which takes pointer to buffer and its length but if length below or equal zero
+it thinks that the buffer is zero-terminated. Unfortunately callers of this
+function are widely used and proper fix requires serious refactoring.
+
+Change-Id: I931735ccfaea4d8d2f0a98eacf8467f0a8359bc6
+Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smack_lsm.c | 2 +-
+ security/smack/smackfs.c   | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 8473576..7bd0363 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -923,7 +923,7 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
+               rc = -EPERM;
+       if (rc == 0 && check_import) {
+-              skp = smk_import_entry(value, size);
++              skp = size ? smk_import_entry(value, size) : NULL;
+               if (skp == NULL || (check_star &&
+                   (skp == &smack_known_star || skp == &smack_known_web)))
+                       rc = -EINVAL;
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 32b2488..585bea0 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -1677,7 +1677,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
+       if (smack_onlycap != NULL && smack_onlycap != skp)
+               return -EPERM;
+-      data = kzalloc(count, GFP_KERNEL);
++      data = kzalloc(count + 1, GFP_KERNEL);
+       if (data == NULL)
+               return -ENOMEM;
+@@ -2228,7 +2228,7 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
+       if (!smack_privileged(CAP_MAC_ADMIN))
+               return -EPERM;
+-      data = kzalloc(count, GFP_KERNEL);
++      data = kzalloc(count + 1, GFP_KERNEL);
+       if (data == NULL)
+               return -ENOMEM;
+-- 
+1.8.1.4
+
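Review bot: The `count + 1` allocations in smk_write_onlycap and smk_write_syslog rely on kzalloc's zero fill to supply the string terminator, and nothing at either site says so. Add a comment such as `/* +1: the zeroed tail terminates the label even when count is 0 */` so the extra byte is not later "cleaned up". No upper bound on `count` is visible in either hunk before the allocation; if the surrounding code does not cap it, a check against the maximum label length would be worth adding. Both functions continue outside the hunks.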
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0017-Smack-remove-unneeded-NULL-termination-from-securtit.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0017-Smack-remove-unneeded-NULL-termination-from-securtit.patch
new file mode 100644 (file)
index 0000000..8473d95
--- /dev/null
@@ -0,0 +1,56 @@
+From 5cb34576acc99cf42232a14f4645c6a9fbc78c63 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Date: Thu, 7 Aug 2014 20:52:49 +0400
+Subject: [PATCH 17/20] Smack: remove unneeded NULL-termination from securtity
+ label
+
+Values of extended attributes are stored as binary blobs. NULL-termination
+of them isn't required. It just wastes disk space and confuses command-line
+tools like getfattr because they have to print that zero byte at the end.
+
+This patch removes terminating zero byte from initial security label in
+smack_inode_init_security and cuts it out in function smack_inode_getsecurity
+which is used by syscall getxattr. This change seems completely safe, because
+function smk_parse_smack ignores everything after first zero byte.
+
+Change-Id: I131879e36fc9e71b65857b46714ccd0e512fc83c
+Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smack_lsm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 7bd0363..d347b79 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -672,7 +672,7 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
+       }
+       if (len)
+-              *len = strlen(isp) + 1;
++              *len = strlen(isp);
+       return 0;
+ }
+@@ -1076,7 +1076,7 @@ static int smack_inode_getsecurity(const struct inode *inode,
+       if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
+               isp = smk_of_inode(inode);
+-              ilen = strlen(isp) + 1;
++              ilen = strlen(isp);
+               *buffer = isp;
+               return ilen;
+       }
+@@ -1101,7 +1101,7 @@ static int smack_inode_getsecurity(const struct inode *inode,
+       else
+               return -EOPNOTSUPP;
+-      ilen = strlen(isp) + 1;
++      ilen = strlen(isp);
+       if (rc == 0) {
+               *buffer = isp;
+               rc = ilen;
+-- 
+1.8.1.4
+
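Review bot: The three length computations (`*len = strlen(isp);` in smack_inode_init_security and both `ilen = strlen(isp);` in smack_inode_getsecurity) now deliberately exclude the terminator, but nothing in the code records that, and a dropped `+ 1` is an easy thing for a later change to put back. A short comment at each site, e.g. `/* xattr values are binary blobs: length excludes the NUL */`, would keep the intent visible. Any consumer that treats the returned buffer as a C string using only the returned length would need checking; those callers are outside these hunks.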
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0018-Smack-Fix-setting-label-on-successful-file-open.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0018-Smack-Fix-setting-label-on-successful-file-open.patch
new file mode 100644 (file)
index 0000000..10ce5da
--- /dev/null
@@ -0,0 +1,35 @@
+From 6bcb8f43991ad739edfb61f59359c2e9ea9fd159 Mon Sep 17 00:00:00 2001
+From: Marcin Niesluchowski <m.niesluchow@samsung.com>
+Date: Tue, 19 Aug 2014 14:26:32 +0200
+Subject: [PATCH 18/20] Smack: Fix setting label on successful file open
+
+While opening with CAP_MAC_OVERRIDE file label is not set.
+Other calls may access it after CAP_MAC_OVERRIDE is dropped from process.
+
+Change-Id: I937d070e1c0cb251f4a0dd3291efbc94be3ca548
+Signed-off-by: Marcin Niesluchowski <m.niesluchow@samsung.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+Origin: git://git.gitorious.org/smack-next/kernel.git# smack-for-3.18
+---
+ security/smack/smack_lsm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index d347b79..47ed6a4 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1477,8 +1477,10 @@ static int smack_file_open(struct file *file, const struct cred *cred)
+       struct smk_audit_info ad;
+       int rc;
+-      if (smack_privileged(CAP_MAC_OVERRIDE))
++      if (smack_privileged(CAP_MAC_OVERRIDE)) {
++              file->f_security = isp->smk_inode;
+               return 0;
++      }
+       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
+       smk_ad_setfield_u_fs_path(&ad, file->f_path);
+-- 
+1.8.1.4
+
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0019-perf-tools-define-_DEFAULT_SOURCE-for-glibc_2.20.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0019-perf-tools-define-_DEFAULT_SOURCE-for-glibc_2.20.patch
new file mode 100644 (file)
index 0000000..a24d246
--- /dev/null
@@ -0,0 +1,33 @@
+From bd0310a223ab0726327e59d4dfe52c5a138449aa Mon Sep 17 00:00:00 2001
+From: Chanho Park <chanho61.park@samsung.com>
+Date: Fri, 12 Sep 2014 11:03:01 +0900
+Subject: [PATCH 19/20] perf tools: define _DEFAULT_SOURCE for glibc_2.20
+
+_BSD_SOURCE was deprecated in favour of _DEFAULT_SOURCE since glibc
+2.20[1]. To avoid build warning on glibc2.20, _DEFAULT_SOURCE should
+also be defined.
+
+[1]: https://sourceware.org/glibc/wiki/Release/2.20
+
+Change-Id: I01a2849bb8642cbf5c875caf227ab05e6fa0fa41
+Signed-off-by: Chanho Park <chanho61.park@samsung.com>
+---
+ tools/perf/util/util.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/util/util.h b/tools/perf/util/util.h
+index 6995d66..3830f6d 100644
+--- a/tools/perf/util/util.h
++++ b/tools/perf/util/util.h
+@@ -39,6 +39,8 @@
+ #define _ALL_SOURCE 1
+ #define _BSD_SOURCE 1
++/* glibc 2.20 deprecates _BSD_SOURCE in favour of _DEFAULT_SOURCE */
++#define _DEFAULT_SOURCE 1
+ #define HAS_BOOL
+ #include <unistd.h>
+-- 
+1.8.1.4
+
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0020-SMACK-Fix-wrong-copy-size.patch b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/0020-SMACK-Fix-wrong-copy-size.patch
new file mode 100644 (file)
index 0000000..a16b20d
--- /dev/null
@@ -0,0 +1,33 @@
+From d686f81341ff627f841153f6ebe0a382f30a9f4f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@open.eurogiciel.org>
+Date: Mon, 15 Sep 2014 11:42:04 +0200
+Subject: [PATCH 20/20] SMACK: Fix wrong copy size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The function strncpy was copying an extra character    9
+when i == len (what is possible via revoke interface).
+
+Change-Id: Ic7452da05773e620a1d7bbc55e859c25a86c65f6
+Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
+---
+ security/smack/smack_access.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
+index c062e94..930e548 100644
+--- a/security/smack/smack_access.c
++++ b/security/smack/smack_access.c
+@@ -432,7 +432,7 @@ char *smk_parse_smack(const char *string, int len)
+       smack = kzalloc(i + 1, GFP_KERNEL);
+       if (smack != NULL) {
+-              strncpy(smack, string, i + 1);
++              strncpy(smack, string, i);
+               smack[i] = '\0';
+       }
+       return smack;
+-- 
+1.8.1.4
+
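Review bot: `strncpy(smack, string, i);` is being used as a bounded memcpy here, and the following `smack[i] = '\0';` duplicates what `kzalloc(i + 1, GFP_KERNEL)` already guarantees. If the loop that computes `i` (outside this hunk) stops at the first NUL, as it presumably does, `memcpy(smack, string, i);` does the same copy without strncpy's padding semantics and makes the copy size obvious. smk_parse_smack begins and ends outside the hunk.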
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/arm/defconfig b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/arm/defconfig
new file mode 100644 (file)
index 0000000..77de9a0
--- /dev/null
@@ -0,0 +1,153 @@
+# CONFIG_LOCALVERSION_AUTO is not set
+CONFIG_SYSVIPC=y
+CONFIG_FHANDLE=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_CGROUPS=y
+CONFIG_CPUSETS=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_PID_NS is not set
+CONFIG_NET_NS=y
+CONFIG_SYSFS_DEPRECATED=n
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_PROFILING=y
+CONFIG_OPROFILE=y
+CONFIG_MODULES=y
+CONFIG_MODULE_UNLOAD=y
+CONFIG_BLK_DEV_BSG=y
+CONFIG_EFI_PARTITION=y
+# CONFIG_IOSCHED_DEADLINE is not set
+# CONFIG_IOSCHED_CFQ is not set
+CONFIG_CMA=y
+CONFIG_SECCOMP=y
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_MULTIPLE_DRIVERS=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_INET=y
+CONFIG_IP_PNP=y
+CONFIG_IP_PNP_DHCP=y
+CONFIG_IP_PNP_BOOTP=y
+# CONFIG_INET_LRO is not set
+CONFIG_IPV6=m
+# CONFIG_WIRELESS is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+CONFIG_UEVENT_HELPER_PATH=""
+CONFIG_DEVTMPFS=y
+CONFIG_FW_LOADER_USER_HELPER=n
+CONFIG_MTD=y
+CONFIG_MTD_CMDLINE_PARTS=y
+CONFIG_MTD_BLOCK=y
+CONFIG_MTD_CFI=y
+CONFIG_MTD_CFI_INTELEXT=y
+CONFIG_MTD_CFI_AMDSTD=y
+CONFIG_MTD_PHYSMAP=y
+CONFIG_MTD_PLATRAM=y
+CONFIG_MTD_UBI=y
+CONFIG_VIRTIO_BLK=y
+# CONFIG_SCSI_PROC_FS is not set
+CONFIG_BLK_DEV_SD=y
+CONFIG_SCSI_VIRTIO=y
+CONFIG_ATA=y
+# CONFIG_SATA_PMP is not set
+CONFIG_NETDEVICES=y
+CONFIG_VIRTIO_NET=y
+CONFIG_SMSC911X=y
+# CONFIG_WLAN is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_SERIO_SERPORT is not set
+CONFIG_LEGACY_PTY_COUNT=16
+CONFIG_VIRTIO_CONSOLE=y
+CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM_VIRTIO=y
+CONFIG_I2C=y
+CONFIG_POWER_SUPPLY=y
+CONFIG_POWER_RESET=y
+CONFIG_THERMAL=y
+CONFIG_THERMAL_GOV_USER_SPACE=y
+CONFIG_REGULATOR=y
+CONFIG_REGULATOR_FIXED_VOLTAGE=y
+CONFIG_FB=y
+CONFIG_FRAMEBUFFER_CONSOLE=y
+CONFIG_LOGO=y
+# CONFIG_LOGO_LINUX_MONO is not set
+# CONFIG_LOGO_LINUX_VGA16 is not set
+CONFIG_SOUND=y
+CONFIG_SND=y
+CONFIG_SND_MIXER_OSS=y
+CONFIG_SND_PCM_OSS=y
+# CONFIG_SND_DRIVERS is not set
+CONFIG_HID_DRAGONRISE=y
+CONFIG_HID_GYRATION=y
+CONFIG_HID_TWINHAN=y
+CONFIG_HID_NTRIG=y
+CONFIG_HID_PANTHERLORD=y
+CONFIG_HID_PETALYNX=y
+CONFIG_HID_SAMSUNG=y
+CONFIG_HID_SONY=y
+CONFIG_HID_SUNPLUS=y
+CONFIG_HID_GREENASIA=y
+CONFIG_HID_SMARTJOYPLUS=y
+CONFIG_HID_TOPSEED=y
+CONFIG_HID_THRUSTMASTER=y
+CONFIG_HID_ZEROPLUS=y
+CONFIG_USB=y
+CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
+CONFIG_USB_MON=y
+CONFIG_USB_ISP1760_HCD=y
+CONFIG_USB_STORAGE=y
+CONFIG_MMC=y
+CONFIG_NEW_LEDS=y
+CONFIG_LEDS_CLASS=y
+CONFIG_LEDS_TRIGGERS=y
+CONFIG_LEDS_TRIGGER_HEARTBEAT=y
+CONFIG_LEDS_TRIGGER_CPU=y
+CONFIG_RTC_CLASS=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
+CONFIG_EXT2_FS=y
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+CONFIG_EXT4_FS=y
+CONFIG_INOTIFY_USER=y
+CONFIG_AUTOFS4_FS=y
+CONFIG_VFAT_FS=y
+CONFIG_PROC_FS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_TMPFS_XATTR=y
+CONFIG_JFFS2_FS=y
+CONFIG_UBIFS_FS=y
+CONFIG_CRAMFS=y
+CONFIG_SQUASHFS=y
+CONFIG_SQUASHFS_LZO=y
+# CONFIG_EFIVAR_FS is not set
+CONFIG_NFS_FS=y
+CONFIG_ROOT_NFS=y
+CONFIG_9P_FS=y
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_FS=y
+CONFIG_MAGIC_SYSRQ=y
+CONFIG_DEBUG_KERNEL=y
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_SCHED_DEBUG=y
+CONFIG_SCHEDSTATS=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_SMACK=y
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+# CONFIG_CRYPTO_HW is not set
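Review bot: The arm defconfig enables `CONFIG_SECURITY_SMACK=y` but has no `CONFIG_AUDIT=y` (the i586 file below sets it), and the Smack patches in this same commit build their audit setup under `#ifdef CONFIG_AUDIT`, so access denials on arm builds would presumably go unrecorded. `# CONFIG_EXT3_FS_XATTR is not set` also means filesystems mounted through the ext3 driver cannot carry the Smack xattr labels; `CONFIG_EXT3_FS_XATTR=y` would cover that if ext3 images are in use. `CONFIG_DEBUG_FS=y` and `CONFIG_MAGIC_SYSRQ=y` are worth a second look before this configuration is used for production images.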
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/i586/defconfig b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/i586/defconfig
new file mode 100644 (file)
index 0000000..a6a4452
--- /dev/null
@@ -0,0 +1,320 @@
+# CONFIG_64BIT is not set
+# CONFIG_LOCALVERSION_AUTO is not set
+CONFIG_SYSVIPC=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_FHANDLE=y
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+CONFIG_BSD_PROCESS_ACCT=y
+CONFIG_TASKSTATS=y
+CONFIG_TASK_DELAY_ACCT=y
+CONFIG_TASK_XACCT=y
+CONFIG_TASK_IO_ACCOUNTING=y
+CONFIG_LOG_BUF_SHIFT=18
+CONFIG_CGROUPS=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_RESOURCE_COUNTERS=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_NET_NS=y
+CONFIG_SYSFS_DEPRECATED=n
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+# CONFIG_COMPAT_BRK is not set
+CONFIG_PROFILING=y
+CONFIG_KPROBES=y
+CONFIG_MODULES=y
+CONFIG_MODULE_UNLOAD=y
+CONFIG_MODULE_FORCE_UNLOAD=y
+CONFIG_BLK_DEV_BSG=y
+CONFIG_PARTITION_ADVANCED=y
+CONFIG_OSF_PARTITION=y
+CONFIG_AMIGA_PARTITION=y
+CONFIG_MAC_PARTITION=y
+CONFIG_BSD_DISKLABEL=y
+CONFIG_MINIX_SUBPARTITION=y
+CONFIG_SOLARIS_X86_PARTITION=y
+CONFIG_UNIXWARE_DISKLABEL=y
+CONFIG_SGI_PARTITION=y
+CONFIG_SUN_PARTITION=y
+CONFIG_KARMA_PARTITION=y
+CONFIG_EFI_PARTITION=y
+CONFIG_SMP=y
+CONFIG_X86_GENERIC=y
+CONFIG_HPET_TIMER=y
+CONFIG_SCHED_SMT=y
+CONFIG_PREEMPT_VOLUNTARY=y
+CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
+CONFIG_X86_REBOOTFIXUPS=y
+CONFIG_MICROCODE=y
+CONFIG_MICROCODE_AMD=y
+CONFIG_X86_MSR=y
+CONFIG_X86_CPUID=y
+CONFIG_HIGHPTE=y
+CONFIG_X86_CHECK_BIOS_CORRUPTION=y
+# CONFIG_MTRR_SANITIZER is not set
+CONFIG_EFI=y
+CONFIG_EFI_STUB=y
+CONFIG_SECCOMP=y
+CONFIG_HZ_1000=y
+CONFIG_KEXEC=y
+CONFIG_CRASH_DUMP=y
+# CONFIG_COMPAT_VDSO is not set
+CONFIG_HIBERNATION=y
+CONFIG_PM_DEBUG=y
+CONFIG_PM_TRACE_RTC=y
+CONFIG_ACPI_PROCFS=y
+CONFIG_ACPI_DOCK=y
+CONFIG_CPU_FREQ=y
+# CONFIG_CPU_FREQ_STAT is not set
+CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE=y
+CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
+CONFIG_CPU_FREQ_GOV_ONDEMAND=y
+CONFIG_X86_ACPI_CPUFREQ=y
+CONFIG_PCIEPORTBUS=y
+CONFIG_PCI_MSI=y
+CONFIG_PCCARD=y
+CONFIG_YENTA=y
+CONFIG_HOTPLUG_PCI=y
+CONFIG_BINFMT_MISC=y
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_XFRM_USER=y
+CONFIG_INET=y
+CONFIG_IP_MULTICAST=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_IP_MULTIPLE_TABLES=y
+CONFIG_IP_ROUTE_MULTIPATH=y
+CONFIG_IP_ROUTE_VERBOSE=y
+CONFIG_IP_PNP=y
+CONFIG_IP_PNP_DHCP=y
+CONFIG_IP_PNP_BOOTP=y
+CONFIG_IP_PNP_RARP=y
+CONFIG_IP_MROUTE=y
+CONFIG_IP_PIMSM_V1=y
+CONFIG_IP_PIMSM_V2=y
+CONFIG_SYN_COOKIES=y
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
+# CONFIG_INET_DIAG is not set
+CONFIG_TCP_CONG_ADVANCED=y
+# CONFIG_TCP_CONG_BIC is not set
+# CONFIG_TCP_CONG_WESTWOOD is not set
+# CONFIG_TCP_CONG_HTCP is not set
+CONFIG_TCP_MD5SIG=y
+CONFIG_IPV6=m
+CONFIG_INET6_AH=m
+CONFIG_INET6_ESP=m
+CONFIG_NETWORK_SECMARK=y
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_ADVANCED is not set
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_FTP=y
+CONFIG_NF_CONNTRACK_IRC=y
+CONFIG_NF_CONNTRACK_SIP=y
+CONFIG_NF_CT_NETLINK=y
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_SECMARK=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_NET_SCHED=y
+CONFIG_NET_EMATCH=y
+CONFIG_NET_CLS_ACT=y
+CONFIG_HAMRADIO=y
+CONFIG_CFG80211=y
+CONFIG_MAC80211=y
+CONFIG_MAC80211_LEDS=y
+CONFIG_RFKILL=y
+CONFIG_UEVENT_HELPER_PATH=""
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_FW_LOADER_USER_HELPER=n
+CONFIG_DEBUG_DEVRES=y
+CONFIG_CONNECTOR=y
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_SD=y
+CONFIG_BLK_DEV_SR=y
+CONFIG_BLK_DEV_SR_VENDOR=y
+CONFIG_CHR_DEV_SG=y
+CONFIG_SCSI_CONSTANTS=y
+CONFIG_SCSI_SPI_ATTRS=y
+# CONFIG_SCSI_LOWLEVEL is not set
+CONFIG_ATA=y
+CONFIG_SATA_AHCI=y
+CONFIG_ATA_PIIX=y
+CONFIG_PATA_AMD=y
+CONFIG_PATA_OLDPIIX=y
+CONFIG_PATA_SCH=y
+CONFIG_PATA_MPIIX=y
+CONFIG_ATA_GENERIC=y
+CONFIG_MD=y
+CONFIG_BLK_DEV_MD=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_MIRROR=y
+CONFIG_DM_ZERO=y
+CONFIG_MACINTOSH_DRIVERS=y
+CONFIG_MAC_EMUMOUSEBTN=y
+CONFIG_NETDEVICES=y
+CONFIG_NETCONSOLE=y
+CONFIG_BNX2=y
+CONFIG_TIGON3=y
+CONFIG_NET_TULIP=y
+CONFIG_E100=y
+CONFIG_E1000=y
+CONFIG_E1000E=y
+CONFIG_SKY2=y
+CONFIG_NE2K_PCI=y
+CONFIG_FORCEDETH=y
+CONFIG_8139TOO=y
+# CONFIG_8139TOO_PIO is not set
+CONFIG_R8169=y
+CONFIG_FDDI=y
+CONFIG_INPUT_POLLDEV=y
+# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
+CONFIG_INPUT_EVDEV=y
+CONFIG_INPUT_JOYSTICK=y
+CONFIG_INPUT_TABLET=y
+CONFIG_INPUT_TOUCHSCREEN=y
+CONFIG_INPUT_MISC=y
+# CONFIG_LEGACY_PTYS is not set
+CONFIG_SERIAL_NONSTANDARD=y
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_8250_CONSOLE=y
+CONFIG_SERIAL_8250_NR_UARTS=32
+CONFIG_SERIAL_8250_EXTENDED=y
+CONFIG_SERIAL_8250_MANY_PORTS=y
+CONFIG_SERIAL_8250_SHARE_IRQ=y
+CONFIG_SERIAL_8250_DETECT_IRQ=y
+CONFIG_SERIAL_8250_RSA=y
+CONFIG_HW_RANDOM=y
+CONFIG_NVRAM=y
+CONFIG_HPET=y
+# CONFIG_HPET_MMAP is not set
+CONFIG_I2C_I801=y
+CONFIG_WATCHDOG=y
+CONFIG_AGP=y
+CONFIG_AGP_AMD64=y
+CONFIG_DRM=y
+CONFIG_DRM_I915=y
+CONFIG_FB_MODE_HELPERS=y
+CONFIG_FB_TILEBLITTING=y
+CONFIG_FB_EFI=y
+# CONFIG_LCD_CLASS_DEVICE is not set
+CONFIG_VGACON_SOFT_SCROLLBACK=y
+CONFIG_LOGO=y
+# CONFIG_LOGO_LINUX_MONO is not set
+# CONFIG_LOGO_LINUX_VGA16 is not set
+CONFIG_SOUND=y
+CONFIG_SND=y
+CONFIG_SND_SEQUENCER=y
+CONFIG_SND_SEQ_DUMMY=y
+CONFIG_SND_MIXER_OSS=y
+CONFIG_SND_PCM_OSS=y
+CONFIG_SND_SEQUENCER_OSS=y
+CONFIG_SND_HRTIMER=y
+CONFIG_SND_HDA_INTEL=y
+CONFIG_SND_HDA_HWDEP=y
+CONFIG_HIDRAW=y
+CONFIG_HID_GYRATION=y
+CONFIG_LOGITECH_FF=y
+CONFIG_HID_NTRIG=y
+CONFIG_HID_PANTHERLORD=y
+CONFIG_PANTHERLORD_FF=y
+CONFIG_HID_PETALYNX=y
+CONFIG_HID_SAMSUNG=y
+CONFIG_HID_SONY=y
+CONFIG_HID_SUNPLUS=y
+CONFIG_HID_TOPSEED=y
+CONFIG_HID_PID=y
+CONFIG_USB_HIDDEV=y
+CONFIG_USB=y
+CONFIG_USB_DEBUG=y
+CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
+CONFIG_USB_MON=y
+CONFIG_USB_EHCI_HCD=y
+# CONFIG_USB_EHCI_TT_NEWSCHED is not set
+CONFIG_USB_OHCI_HCD=y
+CONFIG_USB_UHCI_HCD=y
+CONFIG_USB_PRINTER=y
+CONFIG_USB_STORAGE=y
+CONFIG_EDAC=y
+CONFIG_RTC_CLASS=y
+# CONFIG_RTC_HCTOSYS is not set
+CONFIG_DMADEVICES=y
+CONFIG_EEEPC_LAPTOP=y
+CONFIG_EFI_VARS=y
+CONFIG_EXT4_FS=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_INOTIFY_USER=y
+CONFIG_QUOTA=y
+CONFIG_QUOTA_NETLINK_INTERFACE=y
+# CONFIG_PRINT_QUOTA_WARNING is not set
+CONFIG_QFMT_V2=y
+CONFIG_AUTOFS4_FS=y
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+CONFIG_ZISOFS=y
+CONFIG_MSDOS_FS=y
+CONFIG_VFAT_FS=y
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_TMPFS_XATTR=y
+CONFIG_HUGETLBFS=y
+CONFIG_EFIVAR_FS=y
+CONFIG_NFS_FS=y
+CONFIG_NFS_V3_ACL=y
+CONFIG_NFS_V4=y
+CONFIG_ROOT_NFS=y
+CONFIG_NLS_DEFAULT="utf8"
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ASCII=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
+CONFIG_PRINTK_TIME=y
+# CONFIG_ENABLE_WARN_DEPRECATED is not set
+CONFIG_FRAME_WARN=2048
+# CONFIG_UNUSED_SYMBOLS is not set
+CONFIG_MAGIC_SYSRQ=y
+CONFIG_DEBUG_KERNEL=y
+CONFIG_DEBUG_STACK_USAGE=y
+CONFIG_DEBUG_STACKOVERFLOW=y
+CONFIG_SCHED_DEBUG=y
+CONFIG_SCHEDSTATS=y
+CONFIG_TIMER_STATS=y
+CONFIG_BLK_DEV_IO_TRACE=y
+CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
+CONFIG_EARLY_PRINTK_DBGP=y
+# CONFIG_DEBUG_RODATA_TEST is not set
+CONFIG_DEBUG_BOOT_PARAMS=y
+CONFIG_OPTIMIZE_INLINING=y
+CONFIG_KEYS_DEBUG_PROC_KEYS=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_SMACK=y
+CONFIG_CRYPTO_AES_586=y
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
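Review bot: The debug block near the end of this defconfig enables kernel introspection and debugging facilities in the same image that turns on Smack: `CONFIG_PROVIDE_OHCI1394_DMA_INIT=y`, `CONFIG_KEYS_DEBUG_PROC_KEYS=y` and `CONFIG_PROC_KCORE=y`, plus `CONFIG_MODULE_FORCE_UNLOAD=y` further up. These widen what a privileged or physically present party can read or alter on a running kernel, and nothing in the file marks them as development-only. If this defconfig feeds product images, I would change them to `# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set`, `# CONFIG_KEYS_DEBUG_PROC_KEYS is not set` and `# CONFIG_MODULE_FORCE_UNLOAD is not set`, or move the debug options into a separate fragment applied only to debug builds. The x86-64 defconfig added by this commit carries the same lines.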
diff --git a/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/x86-64/defconfig b/meta-tizen-adaptation/meta/recipes-kernel/linux/linux-yocto/x86-64/defconfig
new file mode 100644 (file)
index 0000000..caea44f
--- /dev/null
@@ -0,0 +1,316 @@
+# CONFIG_LOCALVERSION_AUTO is not set
+CONFIG_SYSVIPC=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_FHANDLE=y
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+CONFIG_BSD_PROCESS_ACCT=y
+CONFIG_TASKSTATS=y
+CONFIG_TASK_DELAY_ACCT=y
+CONFIG_TASK_XACCT=y
+CONFIG_TASK_IO_ACCOUNTING=y
+CONFIG_LOG_BUF_SHIFT=18
+CONFIG_CGROUPS=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_RESOURCE_COUNTERS=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_NET_NS=y
+CONFIG_SYSFS_DEPRECATED=n
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+# CONFIG_COMPAT_BRK is not set
+CONFIG_PROFILING=y
+CONFIG_KPROBES=y
+CONFIG_MODULES=y
+CONFIG_MODULE_UNLOAD=y
+CONFIG_MODULE_FORCE_UNLOAD=y
+CONFIG_BLK_DEV_BSG=y
+CONFIG_PARTITION_ADVANCED=y
+CONFIG_OSF_PARTITION=y
+CONFIG_AMIGA_PARTITION=y
+CONFIG_MAC_PARTITION=y
+CONFIG_BSD_DISKLABEL=y
+CONFIG_MINIX_SUBPARTITION=y
+CONFIG_SOLARIS_X86_PARTITION=y
+CONFIG_UNIXWARE_DISKLABEL=y
+CONFIG_SGI_PARTITION=y
+CONFIG_SUN_PARTITION=y
+CONFIG_KARMA_PARTITION=y
+CONFIG_EFI_PARTITION=y
+CONFIG_SMP=y
+CONFIG_CALGARY_IOMMU=y
+CONFIG_NR_CPUS=64
+CONFIG_SCHED_SMT=y
+CONFIG_PREEMPT_VOLUNTARY=y
+CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
+CONFIG_MICROCODE=y
+CONFIG_MICROCODE_AMD=y
+CONFIG_X86_MSR=y
+CONFIG_X86_CPUID=y
+CONFIG_NUMA=y
+CONFIG_X86_CHECK_BIOS_CORRUPTION=y
+# CONFIG_MTRR_SANITIZER is not set
+CONFIG_EFI=y
+CONFIG_EFI_STUB=y
+CONFIG_SECCOMP=y
+CONFIG_HZ_1000=y
+CONFIG_KEXEC=y
+CONFIG_CRASH_DUMP=y
+# CONFIG_COMPAT_VDSO is not set
+CONFIG_HIBERNATION=y
+CONFIG_PM_DEBUG=y
+CONFIG_PM_TRACE_RTC=y
+CONFIG_ACPI_PROCFS=y
+CONFIG_ACPI_DOCK=y
+CONFIG_CPU_FREQ=y
+# CONFIG_CPU_FREQ_STAT is not set
+CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE=y
+CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
+CONFIG_CPU_FREQ_GOV_ONDEMAND=y
+CONFIG_X86_ACPI_CPUFREQ=y
+CONFIG_PCI_MMCONFIG=y
+CONFIG_PCIEPORTBUS=y
+CONFIG_PCCARD=y
+CONFIG_YENTA=y
+CONFIG_HOTPLUG_PCI=y
+CONFIG_BINFMT_MISC=y
+CONFIG_IA32_EMULATION=y
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_XFRM_USER=y
+CONFIG_INET=y
+CONFIG_IP_MULTICAST=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_IP_MULTIPLE_TABLES=y
+CONFIG_IP_ROUTE_MULTIPATH=y
+CONFIG_IP_ROUTE_VERBOSE=y
+CONFIG_IP_PNP=y
+CONFIG_IP_PNP_DHCP=y
+CONFIG_IP_PNP_BOOTP=y
+CONFIG_IP_PNP_RARP=y
+CONFIG_IP_MROUTE=y
+CONFIG_IP_PIMSM_V1=y
+CONFIG_IP_PIMSM_V2=y
+CONFIG_SYN_COOKIES=y
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
+# CONFIG_INET_DIAG is not set
+CONFIG_TCP_CONG_ADVANCED=y
+# CONFIG_TCP_CONG_BIC is not set
+# CONFIG_TCP_CONG_WESTWOOD is not set
+# CONFIG_TCP_CONG_HTCP is not set
+CONFIG_TCP_MD5SIG=y
+CONFIG_IPV6=m
+CONFIG_INET6_AH=m
+CONFIG_INET6_ESP=m
+CONFIG_NETWORK_SECMARK=y
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_ADVANCED is not set
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_FTP=y
+CONFIG_NF_CONNTRACK_IRC=y
+CONFIG_NF_CONNTRACK_SIP=y
+CONFIG_NF_CT_NETLINK=y
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_SECMARK=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_NET_SCHED=y
+CONFIG_NET_EMATCH=y
+CONFIG_NET_CLS_ACT=y
+CONFIG_HAMRADIO=y
+CONFIG_CFG80211=y
+CONFIG_MAC80211=y
+CONFIG_MAC80211_LEDS=y
+CONFIG_RFKILL=y
+CONFIG_UEVENT_HELPER_PATH=""
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_FW_LOADER_USER_HELPER=n
+CONFIG_DEBUG_DEVRES=y
+CONFIG_CONNECTOR=y
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_SD=y
+CONFIG_BLK_DEV_SR=y
+CONFIG_BLK_DEV_SR_VENDOR=y
+CONFIG_CHR_DEV_SG=y
+CONFIG_SCSI_CONSTANTS=y
+CONFIG_SCSI_SPI_ATTRS=y
+# CONFIG_SCSI_LOWLEVEL is not set
+CONFIG_ATA=y
+CONFIG_SATA_AHCI=y
+CONFIG_ATA_PIIX=y
+CONFIG_PATA_AMD=y
+CONFIG_PATA_OLDPIIX=y
+CONFIG_PATA_SCH=y
+CONFIG_MD=y
+CONFIG_BLK_DEV_MD=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_MIRROR=y
+CONFIG_DM_ZERO=y
+CONFIG_MACINTOSH_DRIVERS=y
+CONFIG_MAC_EMUMOUSEBTN=y
+CONFIG_NETDEVICES=y
+CONFIG_NETCONSOLE=y
+CONFIG_TIGON3=y
+CONFIG_NET_TULIP=y
+CONFIG_E100=y
+CONFIG_E1000=y
+CONFIG_SKY2=y
+CONFIG_FORCEDETH=y
+CONFIG_8139TOO=y
+CONFIG_FDDI=y
+CONFIG_INPUT_POLLDEV=y
+# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
+CONFIG_INPUT_EVDEV=y
+CONFIG_INPUT_JOYSTICK=y
+CONFIG_INPUT_TABLET=y
+CONFIG_INPUT_TOUCHSCREEN=y
+CONFIG_INPUT_MISC=y
+# CONFIG_LEGACY_PTYS is not set
+CONFIG_SERIAL_NONSTANDARD=y
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_8250_CONSOLE=y
+CONFIG_SERIAL_8250_NR_UARTS=32
+CONFIG_SERIAL_8250_EXTENDED=y
+CONFIG_SERIAL_8250_MANY_PORTS=y
+CONFIG_SERIAL_8250_SHARE_IRQ=y
+CONFIG_SERIAL_8250_DETECT_IRQ=y
+CONFIG_SERIAL_8250_RSA=y
+CONFIG_HW_RANDOM=y
+# CONFIG_HW_RANDOM_INTEL is not set
+# CONFIG_HW_RANDOM_AMD is not set
+CONFIG_NVRAM=y
+CONFIG_HPET=y
+# CONFIG_HPET_MMAP is not set
+CONFIG_I2C_I801=y
+CONFIG_WATCHDOG=y
+CONFIG_AGP=y
+CONFIG_AGP_AMD64=y
+CONFIG_DRM=y
+CONFIG_DRM_I915=y
+CONFIG_FB_MODE_HELPERS=y
+CONFIG_FB_TILEBLITTING=y
+CONFIG_FB_EFI=y
+# CONFIG_LCD_CLASS_DEVICE is not set
+CONFIG_VGACON_SOFT_SCROLLBACK=y
+CONFIG_LOGO=y
+# CONFIG_LOGO_LINUX_MONO is not set
+# CONFIG_LOGO_LINUX_VGA16 is not set
+CONFIG_SOUND=y
+CONFIG_SND=y
+CONFIG_SND_SEQUENCER=y
+CONFIG_SND_SEQ_DUMMY=y
+CONFIG_SND_MIXER_OSS=y
+CONFIG_SND_PCM_OSS=y
+CONFIG_SND_SEQUENCER_OSS=y
+CONFIG_SND_HRTIMER=y
+CONFIG_SND_HDA_INTEL=y
+CONFIG_SND_HDA_HWDEP=y
+CONFIG_HIDRAW=y
+CONFIG_HID_GYRATION=y
+CONFIG_LOGITECH_FF=y
+CONFIG_HID_NTRIG=y
+CONFIG_HID_PANTHERLORD=y
+CONFIG_PANTHERLORD_FF=y
+CONFIG_HID_PETALYNX=y
+CONFIG_HID_SAMSUNG=y
+CONFIG_HID_SONY=y
+CONFIG_HID_SUNPLUS=y
+CONFIG_HID_TOPSEED=y
+CONFIG_HID_PID=y
+CONFIG_USB_HIDDEV=y
+CONFIG_USB=y
+CONFIG_USB_DEBUG=y
+CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
+CONFIG_USB_MON=y
+CONFIG_USB_EHCI_HCD=y
+# CONFIG_USB_EHCI_TT_NEWSCHED is not set
+CONFIG_USB_OHCI_HCD=y
+CONFIG_USB_UHCI_HCD=y
+CONFIG_USB_PRINTER=y
+CONFIG_USB_STORAGE=y
+CONFIG_EDAC=y
+CONFIG_RTC_CLASS=y
+# CONFIG_RTC_HCTOSYS is not set
+CONFIG_DMADEVICES=y
+CONFIG_EEEPC_LAPTOP=y
+CONFIG_AMD_IOMMU=y
+CONFIG_AMD_IOMMU_STATS=y
+CONFIG_INTEL_IOMMU=y
+# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
+CONFIG_EFI_VARS=y
+CONFIG_EXT4_FS=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_INOTIFY_USER=y
+CONFIG_QUOTA=y
+CONFIG_QUOTA_NETLINK_INTERFACE=y
+# CONFIG_PRINT_QUOTA_WARNING is not set
+CONFIG_QFMT_V2=y
+CONFIG_AUTOFS4_FS=y
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+CONFIG_ZISOFS=y
+CONFIG_MSDOS_FS=y
+CONFIG_VFAT_FS=y
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_TMPFS_XATTR=y
+CONFIG_HUGETLBFS=y
+CONFIG_EFIVAR_FS=y
+CONFIG_NFS_FS=y
+CONFIG_NFS_V3_ACL=y
+CONFIG_NFS_V4=y
+CONFIG_ROOT_NFS=y
+CONFIG_NLS_DEFAULT="utf8"
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ASCII=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
+CONFIG_PRINTK_TIME=y
+# CONFIG_ENABLE_WARN_DEPRECATED is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+CONFIG_MAGIC_SYSRQ=y
+CONFIG_DEBUG_KERNEL=y
+CONFIG_DEBUG_STACK_USAGE=y
+CONFIG_DEBUG_STACKOVERFLOW=y
+CONFIG_SCHED_DEBUG=y
+CONFIG_SCHEDSTATS=y
+CONFIG_TIMER_STATS=y
+CONFIG_BLK_DEV_IO_TRACE=y
+CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
+CONFIG_EARLY_PRINTK_DBGP=y
+# CONFIG_DEBUG_RODATA_TEST is not set
+CONFIG_DEBUG_BOOT_PARAMS=y
+CONFIG_OPTIMIZE_INLINING=y
+CONFIG_KEYS_DEBUG_PROC_KEYS=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_SMACK=y
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
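Review bot: `# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set` next to `CONFIG_INTEL_IOMMU=y` means DMA remapping is compiled in but stays off unless the boot command line carries `intel_iommu=on`. If DMA isolation is meant to be part of the platform's protection, set `CONFIG_INTEL_IOMMU_DEFAULT_ON=y` or state in the recipe which boot configuration enables it. If it is left off on purpose, for example for graphics compatibility, the commit message or recipe should say so, because the defconfig alone reads as if the IOMMU were active.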
index 065c2c3..318eb25 100644 (file)
@@ -1,30 +1,40 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 
-SRC_URI += "file://defconfig"
-SRC_URI += "file://0001-Smack-Cgroup-filesystem-access.patch"
-SRC_URI += "file://0002-SMACK-Fix-handling-value-NULL-in-post-setxattr.patch"
+# Tizen defconfig
+SRC_URI += "${DEFCONFIG}"
+
 # TMP fix for error: "implicit declaration of function 'sk_run_filter'"
 SRC_URI += "file://0001-net-ptp-use-sk_unattached_filter_create-for-BPF.patch"
 SRC_URI += "file://0001-net-ptp-do-not-reimplement-PTP-BPF-classifier.patch"
 SRC_URI += "file://0001-net-ptp-move-PTP-classifier-in-its-own-file.patch"
 
+# Tizen patches
+SRC_URI += "file://0001-Smack-Cgroup-filesystem-access.patch"
+SRC_URI += "file://0002-SMACK-Fix-handling-value-NULL-in-post-setxattr.patch"
+SRC_URI += "file://0003-Revert-x86-efi-Correct-EFI-boot-stub-use-of-code32_s.patch"
+SRC_URI += "file://0004-KEYS-Move-the-flags-representing-required-permission.patch"
+SRC_URI += "file://0005-smack-fix-key-permission-verification.patch"
+SRC_URI += "file://0006-Minor-improvement-of-smack_sb_kern_mount.patch"
+SRC_URI += "file://0007-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch"
+SRC_URI += "file://0008-Smack-unify-all-ptrace-accesses-in-the-smack.patch"
+SRC_URI += "file://0009-Smack-adds-smackfs-ptrace-interface.patch"
+SRC_URI += "file://0010-bugfix-patch-for-SMACK.patch"
+SRC_URI += "file://0011-Smack-Correctly-remove-SMACK64TRANSMUTE-attribute.patch"
+SRC_URI += "file://0012-Smack-bidirectional-UDS-connect-check.patch"
+SRC_URI += "file://0013-Smack-Verify-read-access-on-file-open-v3.patch"
+SRC_URI += "file://0014-Warning-in-scanf-string-typing.patch"
+SRC_URI += "file://0015-Smack-fix-behavior-of-smack_inode_listsecurity.patch"
+SRC_URI += "file://0016-Smack-handle-zero-length-security-labels-without-pan.patch"
+SRC_URI += "file://0017-Smack-remove-unneeded-NULL-termination-from-securtit.patch"
+SRC_URI += "file://0018-Smack-Fix-setting-label-on-successful-file-open.patch"
+SRC_URI += "file://0019-perf-tools-define-_DEFAULT_SOURCE-for-glibc_2.20.patch"
+SRC_URI += "file://0020-SMACK-Fix-wrong-copy-size.patch"
+
+# Per architecture defconfig files.
+DEFCONFIG_i586 = "file://defconfig"
+DEFCONFIG_x86-64 = "file://defconfig"
+DEFCONFIG_arm= "file://defconfig"
+
 # Setting the KCONFIG_MODE variable prevents it to being set to
 # "--allnoconfig" which disable all kernel options.
 KCONFIG_MODE = "--reconfig"
-
-# Per MACHINE defconfig files.
-# Since only two different defconfig files exist, one for i586 arch and
-# the other one for x86_64 arch, there may be a better way to select the
-# right defconfig file so we don't have to add all the MACHINE.
-# arm defconfig
-COMPATIBLE_MACHINE_qemuarm = "(.*)"
-# i586 defconfig
-COMPATIBLE_MACHINE_valleyisland-32 = "(.*)"
-COMPATIBLE_MACHINE_genericx86 = "(.*)"
-COMPATIBLE_MACHINE_qemux86 = "(.*)"
-# x86_64 defconfig
-COMPATIBLE_MACHINE_valleyisland-64 = "(.*)"
-COMPATIBLE_MACHINE_romley-ivb = "(.*)"
-COMPATIBLE_MACHINE_haswell-wc = "(.*)"
-COMPATIBLE_MACHINE_genericx86-64 = "(.*)"
-COMPATIBLE_MACHINE_qemux86-64 = "(.*)"
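Review bot: `SRC_URI += "${DEFCONFIG}"` has no fallback. `DEFCONFIG` is only assigned through the `_i586`, `_x86-64` and `_arm` overrides, so on any other architecture the reference would presumably stay unexpanded in `SRC_URI` and the fetch would fail with an unhelpful message. All three overrides also hold the same value, `file://defconfig`, so the per-architecture choice seems to come from the `i586/` and `x86-64/` directories this commit adds (and presumably an `arm/` one) on the file search path, not from these variables. I would add `DEFCONFIG ?= "file://defconfig"` ahead of the `SRC_URI` line, or drop the variable and keep `SRC_URI += "file://defconfig"`, and fix the spacing in `DEFCONFIG_arm= "file://defconfig"`. The hunk also removes every `COMPATIBLE_MACHINE_*` line, which is safe only if those machines are matched elsewhere; that is not visible here.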