123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197 |
- diff --git a/Pal/linux-3.14/Kconfig b/Pal/linux-3.14/Kconfig
- index c13f48d..e18713e 100644
- --- a/Pal/linux-3.14/Kconfig
- +++ b/Pal/linux-3.14/Kconfig
- @@ -9,3 +9,4 @@ config SRCARCH
- option env="SRCARCH"
-
- source "arch/$SRCARCH/Kconfig"
- +source "graphene/Kconfig"
- diff --git a/Pal/linux-3.14/Makefile b/Pal/linux-3.14/Makefile
- index e5ac8a6..116ac82 100644
- --- a/Pal/linux-3.14/Makefile
- +++ b/Pal/linux-3.14/Makefile
- @@ -779,7 +779,7 @@ export mod_sign_cmd
-
-
- ifeq ($(KBUILD_EXTMOD),)
- -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
- +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ graphene/
-
- vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
- $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
- diff --git a/Pal/linux-3.14/include/linux/miscdevice.h b/Pal/linux-3.14/include/linux/miscdevice.h
- index 3737f72..f7a4aba 100644
- --- a/Pal/linux-3.14/include/linux/miscdevice.h
- +++ b/Pal/linux-3.14/include/linux/miscdevice.h
- @@ -3,6 +3,7 @@
- #include <linux/major.h>
- #include <linux/list.h>
- #include <linux/types.h>
- +#include <../graphene/graphene.h>
-
- /*
- * These allocations are managed by device@lanana.org. If you use an
- diff --git a/Pal/linux-3.14/include/linux/sched.h b/Pal/linux-3.14/include/linux/sched.h
- index a781dec..3381137 100644
- --- a/Pal/linux-3.14/include/linux/sched.h
- +++ b/Pal/linux-3.14/include/linux/sched.h
- @@ -1161,6 +1161,11 @@ enum perf_event_task_context {
- perf_nr_task_contexts,
- };
-
- +#ifdef CONFIG_GRAPHENE
- +# include <../graphene/graphene.h>
- +struct graphene_struct;
- +#endif
- +
- struct task_struct {
- volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
- void *stack;
- @@ -1581,6 +1586,11 @@ struct task_struct {
- unsigned int sequential_io;
- unsigned int sequential_io_avg;
- #endif
- +
- +#ifdef CONFIG_GRAPHENE
- + /* for graphene tasks */
- + struct graphene_struct *graphene; /* structure to store graphene info */
- +#endif
- };
-
- /* Future-safe accessor for struct task_struct's cpus_allowed. */
- diff --git a/Pal/linux-3.14/kernel/fork.c b/Pal/linux-3.14/kernel/fork.c
- index a17621c..41d5958 100644
- --- a/Pal/linux-3.14/kernel/fork.c
- +++ b/Pal/linux-3.14/kernel/fork.c
- @@ -11,6 +11,7 @@
- * management can be a bitch. See 'mm/memory.c': 'copy_page_range()'
- */
-
- +#include <linux/version.h>
- #include <linux/slab.h>
- #include <linux/init.h>
- #include <linux/unistd.h>
- @@ -84,6 +85,10 @@
- #define CREATE_TRACE_POINTS
- #include <trace/events/task.h>
-
- +#ifdef CONFIG_GRAPHENE
- +# include <../graphene/graphene.h>
- +#endif
- +
- /*
- * Protected counters by write_lock_irq(&tasklist_lock)
- */
- @@ -242,6 +247,10 @@ void __put_task_struct(struct task_struct *tsk)
- delayacct_tsk_free(tsk);
- put_signal_struct(tsk->signal);
-
- +#ifdef CONFIG_GRAPHENE
- + put_graphene_struct(tsk);
- +#endif
- +
- if (!profile_handoff_task(tsk))
- free_task(tsk);
- }
- @@ -322,6 +331,16 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
- tsk->stack_canary = get_random_int();
- #endif
-
- +#ifdef CONFIG_GRAPHENE
- + err = dup_graphene_struct(tsk);
- + if (err)
- +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 6, 0)
- + goto free_ti;
- +#else
- + goto out;
- +#endif
- +#endif
- +
- /*
- * One for us, one for whoever does the "release_task()" (usually
- * parent)
- diff --git a/Pal/linux-3.14/security/apparmor/lsm.c b/Pal/linux-3.14/security/apparmor/lsm.c
- index 4257b7e..b21c19d 100644
- --- a/Pal/linux-3.14/security/apparmor/lsm.c
- +++ b/Pal/linux-3.14/security/apparmor/lsm.c
- @@ -36,6 +36,10 @@
- #include "include/policy.h"
- #include "include/procattr.h"
-
- +#ifdef CONFIG_GRAPHENE
- +# include <../graphene/graphene.h>
- +#endif
- +
- /* Flag indicating whether initialization completed */
- int apparmor_initialized __initdata;
-
- @@ -165,6 +169,12 @@ static int common_perm(int op, struct path *path, u32 mask,
- struct aa_profile *profile;
- int error = 0;
-
- +#ifdef CONFIG_GRAPHENE
- + if (GRAPHENE_ENABLED() &&
- + (error = graphene_common_perm(op, path, mask)))
- + return error;
- +#endif
- +
- profile = __aa_current_profile();
- if (!unconfined(profile))
- error = aa_path_perm(op, profile, path, 0, mask, cond);
- @@ -377,6 +387,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
- {
- struct aa_file_cxt *fcxt = file->f_security;
- struct aa_profile *profile;
- + u32 mask;
- int error = 0;
-
- if (!mediated_filesystem(file_inode(file)))
- @@ -388,10 +399,21 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
- * actually execute the image.
- */
- if (current->in_execve) {
- +#ifdef CONFIG_GRAPHENE
- + if (GRAPHENE_ENABLED() && (error = graphene_execve_open(file)))
- + return error;
- +#endif
- fcxt->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
- return 0;
- }
-
- +#ifdef CONFIG_GRAPHENE
- + mask = aa_map_file_to_perms(file);
- + if (GRAPHENE_ENABLED() &&
- + (error = graphene_common_perm(OP_OPEN, &file->f_path, mask)))
- + return error;
- +#endif
- +
- profile = aa_cred_profile(cred);
- if (!unconfined(profile)) {
- struct inode *inode = file_inode(file);
- @@ -647,6 +669,14 @@ static struct security_operations apparmor_ops = {
- .getprocattr = apparmor_getprocattr,
- .setprocattr = apparmor_setprocattr,
-
- +#ifdef CONFIG_GRAPHENE
- + .socket_bind = graphene_socket_bind,
- + .socket_listen = graphene_socket_listen,
- + .socket_connect = graphene_socket_connect,
- + .socket_sendmsg = graphene_socket_sendmsg,
- + .socket_recvmsg = graphene_socket_recvmsg,
- +#endif
- +
- .cred_alloc_blank = apparmor_cred_alloc_blank,
- .cred_free = apparmor_cred_free,
- .cred_prepare = apparmor_cred_prepare,
- @@ -658,6 +688,10 @@ static struct security_operations apparmor_ops = {
- .bprm_secureexec = apparmor_bprm_secureexec,
-
- .task_setrlimit = apparmor_task_setrlimit,
- +
- +#ifdef CONFIG_GRAPHENE
- + .task_kill = graphene_task_kill,
- +#endif
- };
-
- /*
|