summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
Li Peng [Sun, 22 Sep 2013 03:10:50 +0000 (11:10 +0800)]
gfx: PM control through dpms interface
enable gfx device suspend/resume at dpms off/on to fit with Tizen PM framework
Signed-off-by: Li Peng <peng.li@intel.com>
Li Peng [Sun, 22 Sep 2013 06:49:08 +0000 (14:49 +0800)]
config: backlight control support
Signed-off-by: Li Peng <peng.li@intel.com>
Li Peng [Sun, 22 Sep 2013 02:35:25 +0000 (10:35 +0800)]
config: Disable ANDROID_PARANOID_NETWORK
For less strict security in socket creation
Signed-off-by: Li Peng <peng.li@intel.com>
Li Peng [Wed, 18 Sep 2013 08:43:39 +0000 (16:43 +0800)]
gfx: Don't change scale property and swapchain property in mode setting
Signed-off-by: Li Peng <peng.li@intel.com>
Li Peng [Tue, 17 Sep 2013 08:32:26 +0000 (16:32 +0800)]
gfx: Fix wrong attribute in device memory map
Signed-off-by: Li Peng <peng.li@intel.com>
Li Peng [Mon, 16 Sep 2013 13:58:23 +0000 (21:58 +0800)]
gfx: Fix DRI2 authenticate failure
Signed-off-by: Li Peng <peng.li@intel.com>
Li Peng [Thu, 12 Sep 2013 01:47:33 +0000 (09:47 +0800)]
gfx: Enable build config SUPPORT_PVRSRV_GET_DC_SYSTEM_BUFFER
Signed-off-by: Li Peng <peng.li@intel.com>
Yin Kangkai [Wed, 18 Sep 2013 00:53:34 +0000 (08:53 +0800)]
Enable sensors for ZTE Geek
Geek has these sensors:
Accel: lsm330d_a
Gyro: lsm330d_g
Compass: akm8963
Ambient light and proximity: tmd2771x
No pressure sensor.
Also removed don't needed sensors configs.
Change-Id: Idfef539e381b937d93026e14a966925c524d03e6
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Yin Kangkai [Tue, 10 Sep 2013 09:28:42 +0000 (17:28 +0800)]
Battery/charger/bq24192: add charger online sysfs interface
Add sysfs interface "online" to indicate whether charger is online or not.
Interface is here:
/sys/devices/pci0000:00/0000:00:00.5/i2c-2/2-006b/online
Or
/sys/class/power_supply/bq24192_charger/device/online
Pre-OS needs this flag to update the UI (charger is inserted or not).
Change-Id: I5dc683c22461d3b632fd983465b9282fb8b9d3a7
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Yin Kangkai [Mon, 9 Sep 2013 05:46:48 +0000 (13:46 +0800)]
Battery/charger/bq24192: fix charging status
Add the charger throttle logic for bq24192, and fix the charging status.
Before this fix, battery (max17047) is in state "Discharging" even after you
inserted AC charger or USB. e.g.:
-sh-4.1# pwd
/sys/class/power_supply
-sh-4.1# ls
ac bq24192_charger max17047_battery usb wireless
-sh-4.1# cat ac/online
1
-sh-4.1# cat max17047_battery/status
Discharging
Change-Id: I94e428cd023eb1d3d1d36471a16bffd7580c644d
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Yin Kangkai [Mon, 9 Sep 2013 02:29:45 +0000 (10:29 +0800)]
battery/charger/bq24192: indent only
Indent using the scripts/Lindent
Change-Id: I9a73915eb1438458c5312f8e62c5d3cd7da1d1de
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
vivian,zhang [Thu, 5 Sep 2013 08:22:13 +0000 (16:22 +0800)]
audio: export jack status through /sys/devices/platform/jack/earjack_online
Sound driver should set jack status: earjack_online, the status is
required for earjack type detecting in avsystem (Tizen audio middleware
project), which is used for enabling speaker & headset runtime switch feature
Change-Id: I1be3eb575b8d1af48f76e4d55bae9490c967fc32
Signed-off-by: Vivian Zhang <vivian.zhang@intel.com>
Yin Kangkai [Wed, 4 Sep 2013 03:25:16 +0000 (11:25 +0800)]
smack: enable smack in defconfig for Tizen
Change-Id: Ia1ab6aea69c0f8e58c44297126be9b3e1635d128
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Yan Yin [Tue, 21 Feb 2012 09:23:26 +0000 (17:23 +0800)]
Enable proc fs to print more than 32 groups entries
from security-server-0.0.1/include/SLP_security-server_PG.h:
"In kernel version 2.6, there is a file in proc file system
"/proc/[pid]/status" which describes various information about the
process as text, it has a line named "Groups:" and it lists the group
IDs that the process is belonged to. B
ut there is a drawback in this file, it only shows at most 32 group IDs,
if number of groups of the process is bigger than 32, it ignores
them.
To enable to show all the groups you have to patch the kernel source
code to show more groups than 32, but there is another drawback. All
files in the proc file system has size limit to 4k bytes because the
file buffer size is 4k bytes, so it's not possible to show all possible
groups of the process(64k), but currently number of all groups in the
LiMo platform is much lower than the size, so it's not a big problem.
But near future we need to apply this patch into kernel mainline source
code by any form.
Heikki Krogerus [Tue, 3 Sep 2013 10:59:23 +0000 (13:59 +0300)]
packaging: update changelog
Enabling Smack support.
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Heikki Krogerus [Tue, 3 Sep 2013 10:07:56 +0000 (13:07 +0300)]
x86: defconfig: enable smack on clovertrail
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Passion,Zhao [Mon, 3 Jun 2013 03:42:24 +0000 (11:42 +0800)]
Smack: Fix the bug smackcipso can't set CIPSO correctly
commit
0fcfee61d63b82c1eefb5b1a914240480f17d63f upstream
Bug report: https://tizendev.org/bugs/browse/TDIS-3891
The reason is userspace libsmack only use "smackfs/cipso2" long-label interface,
but the code's logical is still for orginal fixed length label. Now update
smack_cipso_apply() to support flexible label (<=256 including tailing '\0')
There is also a bug in kernel/security/smack/smackfs.c:
When smk_set_cipso() parsing the CIPSO setting from userspace, the offset of
CIPSO level should be "strlen(label)+1" instead of "strlen(label)"
Signed-off-by: Passion,Zhao <passion.zhao@intel.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Tetsuo Handa [Mon, 27 May 2013 11:11:27 +0000 (20:11 +0900)]
Smack: Fix possible NULL pointer dereference at smk_netlbl_mls()
commit
8cd77a0bd4b4a7d02c2a6926a69585d8088ee721 upstream
netlbl_secattr_catmap_alloc(GFP_ATOMIC) can return NULL.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Thu, 23 May 2013 01:43:07 +0000 (18:43 -0700)]
Smack: Add smkfstransmute mount option
commit
e830b39412ca2bbedd7508243f21c04d57ad543c upstream
Suppliment the smkfsroot mount option with another, smkfstransmute,
that does the same thing but also marks the root inode as
transmutting. This allows a freshly created filesystem to
be mounted with a transmutting heirarchy.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Thu, 23 May 2013 01:43:03 +0000 (18:43 -0700)]
Smack: Improve access check performance
commit
2f823ff8bec03a1e6f9e11fd0c4d54e4c7d09532 upstream
Each Smack label that the kernel has seen is added to a
list of labels. The list of access rules for a given subject
label hangs off of the label list entry for the label.
This patch changes the structures that contain subject
labels to point at the label list entry rather that the
label itself. Doing so removes a label list lookup in
smk_access() that was accounting for the largest single
chunk of Smack overhead.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Thu, 23 May 2013 01:42:56 +0000 (18:42 -0700)]
Smack: Local IPv6 port based controls
commit
c673944347edfd4362b10eea11ac384a582b1cf5 upstream
Smack does not provide access controls on IPv6 communications.
This patch introduces a mechanism for maintaining Smack lables
for local IPv6 communications. It is based on labeling local ports.
The behavior should be compatible with any future "real" IPv6
support as it provides no interfaces for users to manipulate
the labeling. Remote IPv6 connections use the ambient label
the same way that unlabeled IPv4 packets are treated.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Tue, 2 Apr 2013 18:41:18 +0000 (11:41 -0700)]
Smack: include magic.h in smackfs.c
commit
958d2c2f4ad905e3ffa1711d19184d21d9b00cc1 upstream
As reported for linux-next: Tree for Apr 2 (smack)
Add the required include for smackfs.c
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Igor Zhbanov [Tue, 19 Mar 2013 09:49:47 +0000 (13:49 +0400)]
Fix NULL pointer dereference in smack_inode_unlink() and smack_inode_rmdir()
commit
cdb56b60884c687ea396ae96a418554739b40129 upstream
This patch fixes kernel Oops because of wrong common_audit_data type
in smack_inode_unlink() and smack_inode_rmdir().
When SMACK security module is enabled and SMACK logging is on (/smack/logging
is not zero) and you try to delete the file which
1) you cannot delete due to SMACK rules and logging of failures is on
or
2) you can delete and logging of success is on,
you will see following:
Unable to handle kernel NULL pointer dereference at virtual address
000002d7
[<...>] (strlen+0x0/0x28)
[<...>] (audit_log_untrustedstring+0x14/0x28)
[<...>] (common_lsm_audit+0x108/0x6ac)
[<...>] (smack_log+0xc4/0xe4)
[<...>] (smk_curacc+0x80/0x10c)
[<...>] (smack_inode_unlink+0x74/0x80)
[<...>] (security_inode_unlink+0x2c/0x30)
[<...>] (vfs_unlink+0x7c/0x100)
[<...>] (do_unlinkat+0x144/0x16c)
The function smack_inode_unlink() (and smack_inode_rmdir()) need
to log two structures of different types. First of all it does:
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
This will set common audit data type to LSM_AUDIT_DATA_DENTRY
and store dentry for auditing (by function smk_curacc(), which in turn calls
dump_common_audit_data(), which is actually uses provided data and logs it).
/*
* You need write access to the thing you're unlinking
*/
rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad);
if (rc == 0) {
/*
* You also need write access to the containing directory
*/
Then this function wants to log anoter data:
smk_ad_setfield_u_fs_path_dentry(&ad, NULL);
smk_ad_setfield_u_fs_inode(&ad, dir);
The function sets inode field, but don't change common_audit_data type.
rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
}
So the dump_common_audit() function incorrectly interprets inode structure
as dentry, and Oops will happen.
This patch reinitializes common_audit_data structures with correct type.
Also I removed unneeded
smk_ad_setfield_u_fs_path_dentry(&ad, NULL);
initialization, because both dentry and inode pointers are stored
in the same union.
Signed-off-by: Igor Zhbanov <i.zhbanov@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Rafal Krypa [Thu, 10 Jan 2013 18:42:00 +0000 (19:42 +0100)]
Smack: add support for modification of existing rules
commit
e05b6f982a049113a88a1750e13fdb15298cbed4 upstream
Rule modifications are enabled via /smack/change-rule. Format is as follows:
"Subject Object rwaxt rwaxt"
First two strings are subject and object labels up to 255 characters.
Third string contains permissions to enable.
Fourth string contains permissions to disable.
All unmentioned permissions will be left unchanged.
If no rule previously existed, it will be created.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Rafal Krypa [Tue, 27 Nov 2012 15:29:07 +0000 (16:29 +0100)]
Smack: add missing support for transmute bit in smack_str_from_perm()
commit
a87d79ad7cfa299aa14bb22758313dec33909875 upstream
This fixes audit logs for granting or denial of permissions to show
information about transmute bit.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Rafal Krypa [Tue, 27 Nov 2012 15:28:11 +0000 (16:28 +0100)]
Smack: prevent revoke-subject from failing when unseen label is written to it
commit
d15d9fad16f6aa459cf4926a1d3aba36b004e9a2 upstream
Special file /smack/revoke-subject will silently accept labels that are not
present on the subject label list. Nothing has to be done for such labels,
as there are no rules for them to revoke.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Fri, 2 Nov 2012 01:14:32 +0000 (18:14 -0700)]
Smack: create a sysfs mount point for smackfs
commit
e93072374112db9dc86635934ee761249be28370 upstream
There are a number of "conventions" for where to put LSM filesystems.
Smack adheres to none of them. Create a mount point at /sys/fs/smackfs
for mounting smackfs so that Smack can be conventional.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Fri, 2 Nov 2012 18:28:11 +0000 (11:28 -0700)]
Smack: use select not depends in Kconfig
commit
111fe8bd65e473d5fc6a0478cf1e2c8c6a77489a upstream
The components NETLABEL and SECURITY_NETWORK are required by
Smack. Using "depends" in Kconfig hides the Smack option
if the user hasn't figured out that they need to be enabled
while using make menuconfig. Using select is a better choice.
Because select is not recursive depends on NET and SECURITY
are added. The reflects similar usage in TOMOYO and AppArmor.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Wed, 22 Aug 2012 18:44:03 +0000 (11:44 -0700)]
Smack: setprocattr memory leak fix
commit
46a2f3b9e99353cc63e15563e8abee71162330f7 upstream
The data structure allocations being done in prepare_creds
are duplicated in smack_setprocattr. This results in the
structure allocated in prepare_creds being orphaned and
never freed. The duplicate code is removed from
smack_setprocattr.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Rafal Krypa [Wed, 11 Jul 2012 15:49:30 +0000 (17:49 +0200)]
Smack: implement revoking all rules for a subject label
commit
449543b0436a9146b855aad39eab76ae4853e88d upstream
Add /smack/revoke-subject special file. Writing a SMACK label to this file will
set the access to '-' for all access rules with that subject label.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Fri, 10 Aug 2012 00:46:38 +0000 (17:46 -0700)]
Smack: remove task_wait() hook.
commit
c00bedb368ae02a066aed8a888afc286c1df2e60 upstream
On 12/20/2011 11:20 PM, Jarkko Sakkinen wrote:
> Allow SIGCHLD to be passed to child process without
> explicit policy. This will help to keep the access
> control policy simple and easily maintainable with
> complex applications that require use of multiple
> security contexts. It will also help to keep them
> as isolated as possible.
>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
I have a slightly different version that applies to the
current smack-next tree.
Allow SIGCHLD to be passed to child process without
explicit policy. This will help to keep the access
control policy simple and easily maintainable with
complex applications that require use of multiple
security contexts. It will also help to keep them
as isolated as possible.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
security/smack/smack_lsm.c | 37 ++++++++-----------------------------
1 files changed, 8 insertions(+), 29 deletions(-)
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Alan Cox [Thu, 26 Jul 2012 21:47:11 +0000 (14:47 -0700)]
smack: off by one error
commit
3b9fc37280c521b086943f9aedda767f5bf3b2d3 upstream
Consider the input case of a rule that consists entirely of non space
symbols followed by a \0. Say 64 + \0
In this case strlen(data) = 64
kzalloc of subject and object are 64 byte objects
sscanfdata, "%s %s %s", subject, ...)
will put 65 bytes into subject.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Rafal Krypa [Mon, 9 Jul 2012 17:36:34 +0000 (19:36 +0200)]
Smack: don't show empty rules when /smack/load or /smack/load2 is read
commit
65ee7f45cf075adcdd6b6ef365f5a5507f1ea5c5 upstream
This patch removes empty rules (i.e. with access set to '-') from the
rule list presented to user space.
Smack by design never removes labels nor rules from its lists. Access
for a rule may be set to '-' to effectively disable it. Such rules would
show up in the listing generated when /smack/load or /smack/load2 is
read. This may cause clutter if many rules were disabled.
As a rule with access set to '-' is equivalent to no rule at all, they
may be safely hidden from the listing.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Tue, 19 Jun 2012 02:01:36 +0000 (19:01 -0700)]
Smack: user access check bounds
commit
3518721a8932b2a243f415c374aef020380efc9d upstream
Some of the bounds checking used on the /smack/access
interface was lost when support for long labels was
added. No kernel access checks are affected, however
this is a case where /smack/access could be used
incorrectly and fail to detect the error. This patch
reintroduces the original checks.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Tue, 5 Jun 2012 22:28:30 +0000 (15:28 -0700)]
Smack: onlycap limits on CAP_MAC_ADMIN
commit
1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e upstream
Smack is integrated with the POSIX capabilities scheme,
using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to
determine if a process is allowed to ignore Smack checks or
change Smack related data respectively. Smack provides an
additional restriction that if an onlycap value is set
by writing to /smack/onlycap only tasks with that Smack
label are allowed to use CAP_MAC_OVERRIDE.
This change adds CAP_MAC_ADMIN as a capability that is affected
by the onlycap mechanism.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Thu, 24 May 2012 00:46:58 +0000 (17:46 -0700)]
Smack: fix smack_new_inode bogosities
commit
eb982cb4cf6405b97ea1f9e1d10864981f269d46 upstream
In January of 2012 Al Viro pointed out three bits of code that
he titled "new_inode_smack bogosities". This patch repairs these
errors.
1. smack_sb_kern_mount() included a NULL check that is impossible.
The check and NULL case are removed.
2. smack_kb_kern_mount() included pointless locking. The locking is
removed. Since this is the only place that lock was used the lock
is removed from the superblock_smack structure.
3. smk_fill_super() incorrectly and unnecessarily set the Smack label
for the smackfs root inode. The assignment has been removed.
Targeted for git://gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Al Viro [Wed, 30 May 2012 17:30:51 +0000 (13:30 -0400)]
split ->file_mmap() into ->mmap_addr()/->mmap_file()
commit
e5467859f7f79b69fc49004403009dfdba3bec53 upstream
... i.e. file-dependent and address-dependent checks.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Al Viro [Wed, 30 May 2012 17:11:37 +0000 (13:11 -0400)]
split cap_mmap_addr() out of cap_file_mmap()
commit
d007794a182bc072a7b7479909dbd0d67ba341be upstream
... switch callers.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Eric Paris [Wed, 4 Apr 2012 17:45:40 +0000 (13:45 -0400)]
SELinux: rename dentry_open to file_open
commit
83d498569e9a7a4b92c4c5d3566f2d6a604f28c9 upstream
dentry_open takes a file, rename it to file_open
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Sun, 6 May 2012 22:22:02 +0000 (15:22 -0700)]
Smack: allow for significantly longer Smack labels v4
commit
f7112e6c9abf1c70f001dcf097c1d6e218a93f5c upstream
V4 updated to current linux-security#next
Targeted for git://gitorious.org/smack-next/kernel.git
Modern application runtime environments like to use
naming schemes that are structured and generated without
human intervention. Even though the Smack limit of 23
characters for a label name is perfectly rational for
human use there have been complaints that the limit is
a problem in environments where names are composed from
a set or sources, including vendor, author, distribution
channel and application name. Names like
softwarehouse-pgwodehouse-coolappstore-mellowmuskrats
are becoming harder to avoid. This patch introduces long
label support in Smack. Labels are now limited to 255
characters instead of the old 23.
The primary reason for limiting the labels to 23 characters
was so they could be directly contained in CIPSO category sets.
This is still done were possible, but for labels that are too
large a mapping is required. This is perfectly safe for communication
that stays "on the box" and doesn't require much coordination
between boxes beyond what would have been required to keep label
names consistent.
The bulk of this patch is in smackfs, adding and updating
administrative interfaces. Because existing APIs can't be
changed new ones that do much the same things as old ones
have been introduced.
The Smack specific CIPSO data representation has been removed
and replaced with the data format used by netlabel. The CIPSO
header is now computed when a label is imported rather than
on use. This results in improved IP performance. The smack
label is now allocated separately from the containing structure,
allowing for larger strings.
Four new /smack interfaces have been introduced as four
of the old interfaces strictly required labels be specified
in fixed length arrays.
The access interface is supplemented with the check interface:
access "Subject Object rwxat"
access2 "Subject Object rwaxt"
The load interface is supplemented with the rules interface:
load "Subject Object rwxat"
load2 "Subject Object rwaxt"
The load-self interface is supplemented with the self-rules interface:
load-self "Subject Object rwxat"
load-self2 "Subject Object rwaxt"
The cipso interface is supplemented with the wire interface:
cipso "Subject lvl cnt c1 c2 ..."
cipso2 "Subject lvl cnt c1 c2 ..."
The old interfaces are maintained for compatibility.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Tetsuo Handa [Thu, 29 Mar 2012 07:19:05 +0000 (16:19 +0900)]
gfp flags for security_inode_alloc()?
commit
ceffec5541cc22486d3ff492e3d76a33a68fbfa3 upstream
Dave Chinner wrote:
> Yes, because you have no idea what the calling context is except
> for the fact that is from somewhere inside filesystem code and the
> filesystem could be holding locks. Therefore, GFP_NOFS is really the
> only really safe way to allocate memory here.
I see. Thank you.
I'm not sure, but can call trace happen where somewhere inside network
filesystem or stackable filesystem code with locks held invokes operations that
involves GFP_KENREL memory allocation outside that filesystem?
----------
[PATCH] SMACK: Fix incorrect GFP_KERNEL usage.
new_inode_smack() which can be called from smack_inode_alloc_security() needs
to use GFP_NOFS like SELinux's inode_alloc_security() does, for
security_inode_alloc() is called from inode_init_always() and
inode_init_always() is called from xfs_inode_alloc() which is using GFP_NOFS.
smack_inode_init_security() needs to use GFP_NOFS like
selinux_inode_init_security() does, for initxattrs() callback function (e.g.
btrfs_initxattrs()) which is called from security_inode_init_security() is
using GFP_NOFS.
smack_audit_rule_match() needs to use GFP_ATOMIC, for
security_audit_rule_match() can be called from audit_filter_user_rules() and
audit_filter_user_rules() is called from audit_filter_user() with RCU read lock
held.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Casey Schaufler <cschaufler@cschaufler-intel.(none)>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Casey Schaufler [Wed, 14 Mar 2012 02:14:19 +0000 (19:14 -0700)]
Smack: recursive tramsmute
commit
2267b13a7cad1f9dfe0073c1f902d45953f9faff upstream
The transmuting directory feature of Smack requires that
the transmuting attribute be explicitly set in all cases.
It seems the users of this facility would expect that the
transmuting attribute be inherited by subdirectories that
are created in a transmuting directory. This does not seem
to add any additional complexity to the understanding of
how the system works.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Austin Zhang [Mon, 26 Aug 2013 08:58:06 +0000 (16:58 +0800)]
Video: OV camera: Enable camera config for power investigation
Note: For performance reason, we should build-in those driver as
much as possible, but so far, we'd like to set them as module if
possible, the reason is that we can easily debug power issue for
finding culprit with those load/unload way so that we don't need
to compile and re-burn the kernel again and again.
Before product level release, we should revert such changes and
make them 'Y' as much as possible.
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Austin Zhang [Mon, 26 Aug 2013 08:34:05 +0000 (16:34 +0800)]
PM: input: touchscreen: synaptics: Added screen off notifier callback
Added screen off notifier callback so that 'touch' will not light
on the LCD during one pending suspend process which is being blocked
by wakeup count from one wakeup event.
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Austin Zhang [Tue, 16 Jul 2013 10:05:25 +0000 (18:05 +0800)]
PM: gfx: Added screen-off notifier.
Added notifier which would indicate the screen is being turned off,
then we should disable some devices from this stage, for example,
we should disable touch panel after screen off so that 'touch' will
not light on the LCD again when there is being pended suspend process
due to wakeup event, like insert USB cable.
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Austin Zhang [Mon, 26 Aug 2013 07:01:19 +0000 (15:01 +0800)]
NFC: Disable NFC due to we don't have it
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Austin Zhang [Wed, 28 Aug 2013 10:35:30 +0000 (18:35 +0800)]
PM: Reuse Android Macro for convinence.
Here, we reuse the same Macro like Android, so that we can still
use that original wakelock API interface even though the underlay
has been changed with new power managerment autosleep and wake locks.
Note:
Once possible, we should switch to actrul PM API in the future.
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Austin Zhang [Mon, 26 Aug 2013 06:03:23 +0000 (14:03 +0800)]
PM: Disable android earlysuspend and wakelock features.
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Austin Zhang [Mon, 26 Aug 2013 05:47:30 +0000 (13:47 +0800)]
Enable compass sensor
Note: For performance reason, we should build-in those driver as
much as possible, but so far, we'd like to set them as module if
possible, the reason is that we can easily debug power issue for
findinf culprit with those load/unload way so that we don't need
to compile and re-burn the kernel again and again.
Before product level release, we should revert such changes and
make them 'Y' as much as possible.
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Austin Zhang [Mon, 26 Aug 2013 05:18:02 +0000 (13:18 +0800)]
Enable Accel and Gyro sensors.
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Arron Wang [Tue, 20 Aug 2013 11:22:29 +0000 (19:22 +0800)]
defconfig: Enable bcmdhd wifi driver
Change-Id: I85b540dbac3a3e472c170eddbd2946288131e3c0
Yin Kangkai [Fri, 23 Aug 2013 07:54:34 +0000 (15:54 +0800)]
Revert "defconfig: Enable bcmdhd wifi driver"
This reverts commit
e40d9270d269c3702643746383328365dc1f701a.
Reason: build failure.
Arron Wang [Tue, 20 Aug 2013 11:22:29 +0000 (19:22 +0800)]
defconfig: Enable bcmdhd wifi driver
Change-Id: I1bf26b4b6525d2d1f04ce023d3cf82df217cec8f
Yin Kangkai [Thu, 22 Aug 2013 12:29:10 +0000 (20:29 +0800)]
defconfig: rename i386_tizen_defconfig to tizen_clovertrail_defconfig
Change-Id: Ie1c4c3619850205d2c8c10867ac79fc6d9199d60
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Austin Zhang [Thu, 22 Aug 2013 11:04:58 +0000 (19:04 +0800)]
Added packaging dir and spec files for building under OBS
Note:
[Fixme]Disable perf due to Tizen doesn't have flex
Change-Id: Ifaf924353e51b80a89dc65ccff98f61b83b74690
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Austin Zhang [Thu, 22 Aug 2013 10:59:59 +0000 (18:59 +0800)]
fix kernel compile error with old gcc version
Signed-off-by: Peng Li <peng.li@intel.com>
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Yin Kangkai [Thu, 22 Aug 2013 09:11:25 +0000 (17:11 +0800)]
touch/synaptics_i2c_rmi_ex: separate touchkey into different input device
Separate touch key as different input device, so that is more convenient for
user space X input driver(evdev/evdevmultitouch) to handle.
Change-Id: Ifba8d2c78f5aea66d11d73f8c6acbb1b8e185aea
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Yin Kangkai [Wed, 21 Aug 2013 06:27:25 +0000 (14:27 +0800)]
touch/synaptics_i2c_rmi_ex: indent only
./scripts/Lindent drivers/input/touchscreen/synaptics_i2c_rmi_ex.c
Change-Id: I3f2bee6908e2fa31afcc4ac93df6581c41b9dd4f
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Yin Kangkai [Thu, 15 Aug 2013 10:22:47 +0000 (18:22 +0800)]
touch/synaptics_i2c_rmi_ex: enable the touch driver
Give some quick and dirty work arounds to enable the touch driver, so that
touch does not block other components' bring up work.
FIXME: this driver needs heavily clean up for sure.
Change-Id: I8a15167e80e7ab122986cd3b60ef6455c530346b
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Yin Kangkai [Wed, 14 Aug 2013 09:32:32 +0000 (17:32 +0800)]
gfx/fb: another work around to enable X with frame buffer
Turns out we need this work around too to enable X/fb.
Change-Id: If624ec0124771959b124679884513a0afed66591
Signed-off-by: Li Peng <peng.li@intel.com>
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Yin Kangkai [Tue, 13 Aug 2013 06:03:46 +0000 (14:03 +0800)]
gfx/fb: work around to enable X with frame buffer
For unknown reason (yet), although X with fb driver launches successfully, but
there is nothing show up in the panel/screen, this is a temporary work around
to enable that.
Signed-off-by: Li Peng <peng.li@intel.com>
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Chengwei Yang [Thu, 13 Jun 2013 01:45:58 +0000 (09:45 +0800)]
Export usb connection status
There are several components depends on kernel export usb connection
status correctly. First, system-server check usb status by calling OEM
interface to launch usb-server; second, usb-server does the usb mode
setting work and launch syspopup. In addition, setting usb mode from UI
depends on usb-server too.
This also fix TZSP-3142.
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
[Port from mfld kernel and support CTP]
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
vivian, zhang [Thu, 13 Jun 2013 01:45:28 +0000 (09:45 +0800)]
Misc: import Jack Monitoring Interface from samsung
Jack monitor framework monitors jack events (e.g. earjack, usb) and then
export through /sys.
Both sound and usb driver has some dependency on this framework.
(FIXME: we should isolate this jack monitor framework, independent of sound or
usb patches)
For the sound driver, it is used to set jack status: earjack_online,
earkey_online; these status are required for earjack type detecting in
avsystem project.
Signed-off-by: Vivian Zhang <vivian.zhang@intel.com>
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
[Port to support CTP platform, and add FIXME]
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Yin Kangkai [Fri, 9 Aug 2013 03:43:19 +0000 (11:43 +0800)]
gfx: build in sgx.o and make sure sgx.o is load after gfx.o
Make sure sgx component is initialized after gfx component, otherwise there
will be a BUG:
[ 1.320399] BUG: unable to handle kernel NULL pointer dereference at
00000294
[ 1.327797] IP: [<
c17ecea9>] SYSPVRFillCallback+0x9/0xd0
[ 1.333315] *pdpt =
0000000000000000
[ 1.335913] sep_sec_driver 0000:00:01.5: Chaabi status from SCU
11112222
[ 1.343804] *pde =
20676e696c6c0a0d
[ 1.347570] Oops: 0000 [#1] PREEMPT SMP
[ 1.351667] Modules linked in:
[ 1.354809]
[ 1.356444] Pid: 1, comm: swapper/0 Not tainted 3.4.34-00004-g37403a5-dirty #27 Intel Corporation CloverTraill
[ 1.367590] EIP: 0060:[<
c17ecea9>] EFLAGS:
00010296 CPU: 3
[ 1.373221] EIP is at SYSPVRFillCallback+0x9/0xd0
[ 1.377970] EAX:
00000000 EBX:
00000006 ECX:
00001211 EDX:
00000000
[ 1.384379] ESI:
00000179 EDI:
c1e690bc EBP:
f2c83f60 ESP:
f2c83f5c
[ 1.390691] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[ 1.396133] CR0:
8005003b CR2:
00000294 CR3:
01e81000 CR4:
000007f0
[ 1.402541] DR0:
00000000 DR1:
00000000 DR2:
00000000 DR3:
00000000
[ 1.408849] DR6:
ffff0ff0 DR7:
00000400
[ 1.412729] Process swapper/0 (pid: 1, ti=
f2c82000 task=
f2c88000 task.ti=
f2c82000)
[ 1.420439] Stack:
[ 1.422488]
00000006 f2c83f70 c1e13f71 c1c85966 00000006 f2c83fa0 c1201034 00000000
[ 1.430746]
c1c1dde4 00060001 c1d4b230 f360a58d c1e13f56 00000000 00000006 00000179
[ 1.439003]
c1e690bc f2c83fc4 c1de97f8 00000179 00000006 00000006 c1de92bf c1e689f4
[ 1.447143] Call Trace:
[ 1.449749] [<
c1e13f71>] PVRSRVDrmInit+0x1b/0x5c
[ 1.454512] [<
c1201034>] do_one_initcall+0x34/0x170
[ 1.459536] [<
c1e13f56>] ? lowmem_init+0x11/0x11
[ 1.464398] [<
c1de97f8>] do_basic_setup+0x8a/0xa3
[ 1.469249] [<
c1de92bf>] ? do_early_param+0x74/0x74
[ 1.474371] [<
c1de98b0>] kernel_init+0x9f/0x123
[ 1.479049] [<
c1de9811>] ? do_basic_setup+0xa3/0xa3
[ 1.484172] [<
c19fce3a>] kernel_thread_helper+0x6/0x10
[ 1.489444] Code: 26 00 55 89 e5 3e 8d 74 26 00 e8 d3 d1 00 00 5d 83 f8 01 19 c0 f7 d0 83 e0 ea c3 8d b4 26 0
[ 1.5041[ 1.509336] ---[ end trace
e5fdc0f6bb87e119 ]---
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Chengwei Yang [Fri, 7 Jun 2013 02:56:44 +0000 (10:56 +0800)]
Support usb mode framework in Tizen
So far, we have a forked usb-server for PR3 to make sure the usb mode
framework works on PR3. However, we'd like to patch kernel now rather
than maintain another forked package.
This is the correct way because there maybe no way to work out without
patch kernel in future. So it's better to patch one rather than two.
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Chengwei Yang [Fri, 7 Jun 2013 02:55:23 +0000 (10:55 +0800)]
Change adb protocol to sdb protocol
Currently, we have a forked sdbd for our kernel so there was no need to
patch our kernel.
However, the forked sdbd will be merged to upstream sdbd and to make it
compatible with adb in userspace cost a large effort.
So the better way is patch our kernel to adopt sdb protocol, on the
other hand, no patch needed to sdbd user space server and client.
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Yin Kangkai [Thu, 8 Aug 2013 13:11:25 +0000 (21:11 +0800)]
configs: i386_tizen_defconfig
Add a basic functional (boot to cmdline, and fb ok) def config, that works for
P940F01 device.
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Yin Kangkai [Thu, 8 Aug 2013 10:36:53 +0000 (18:36 +0800)]
intel_mdf_battery.c: Fix build error section mismatch
WARNING: drivers/power/built-in.o(.text+0x80dc): Section mismatch in
reference from the function msic_battery_probe() to the function
.init.text:sfi_table_populate()
The function msic_battery_probe() references
the function __init sfi_table_populate().
This is often because msic_battery_probe lacks a __init
annotation or the annotation of sfi_table_populate is wrong.
Yin Kangkai [Thu, 26 Dec 2013 14:32:00 +0000 (22:32 +0800)]
initial import
Change-Id: I10a809ebfe35facab3592c6bdd87f6ccca8e2e68
projects / platform / kernel / kernel-clovertrail.git / log