PFT: moved to a new directory
QCOM security components were moved to security folder inside kernel which is more appropriate Change-Id: I4e450a23583ceac929a3980b1b5998f4e0c7cfa9 Signed-off-by: Andrey Markovytch <andreym@codeaurora.org> [gbroner@codeaurora.org: fix merge conflicts and updated ARCH_QCOM] Signed-off-by: Gilad Broner <gbroner@codeaurora.org>
This commit is contained in:
Andrey Markovytch
David Keitel
parent
ecc052ba4e
commit
eaf3acf0d2
7 changed files with 80 additions and 54 deletions
|
|
@ -134,16 +134,6 @@ config SSM
|
|||
This driver uses Secure Channel Manager interface for trustzone
|
||||
communication and communicates with modem over SMD channel.
|
||||
|
||||
config PFT
|
||||
bool "Per-File-Tagger driver"
|
||||
default n
|
||||
help
|
||||
This driver is used for tagging enterprise files.
|
||||
It is part of the Per-File-Encryption (PFE) feature.
|
||||
The driver is tagging files when created by
|
||||
registered application.
|
||||
Tagged files are encrypted using the dm-req-crypt driver.
|
||||
|
||||
config GPIO_USB_DETECT
|
||||
tristate "GPIO-based USB VBUS Detection"
|
||||
depends on POWER_SUPPLY
|
||||
|
|
|
|||
|
|
@ -1,8 +1,6 @@
|
|||
#
|
||||
# Makefile for the MSM specific device drivers.
|
||||
#
|
||||
ccflags-y += -Isecurity/selinux -Isecurity/selinux/include
|
||||
obj-$(CONFIG_PFT) += pft.o
|
||||
obj-$(CONFIG_QPNP_REVID) += qpnp-revid.o
|
||||
obj-$(CONFIG_QPNP_COINCELL) += qpnp-coincell.o
|
||||
obj-$(CONFIG_MSM_MHI) += mhi/
|
||||
|
|
|
|||
|
|
@ -6,6 +6,11 @@ menu "Security options"
|
|||
|
||||
source security/keys/Kconfig
|
||||
|
||||
if ARCH_QCOM
|
||||
source security/pfe/Kconfig
|
||||
endif
|
||||
|
||||
|
||||
config SECURITY_DMESG_RESTRICT
|
||||
bool "Restrict unprivileged access to the kernel syslog"
|
||||
default n
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack
|
|||
subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
|
||||
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
|
||||
subdir-$(CONFIG_SECURITY_YAMA) += yama
|
||||
subdir-$(CONFIG_ARCH_QCOM) += pfe
|
||||
|
||||
# always enable default capabilities
|
||||
obj-y += commoncap.o
|
||||
|
|
@ -22,6 +23,7 @@ obj-$(CONFIG_AUDIT) += lsm_audit.o
|
|||
obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
|
||||
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
|
||||
obj-$(CONFIG_SECURITY_YAMA) += yama/
|
||||
obj-$(CONFIG_ARCH_QCOM) += pfe/
|
||||
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
|
||||
|
||||
# Object integrity file lists
|
||||
|
|
|
|||
15
security/pfe/Kconfig
Normal file
15
security/pfe/Kconfig
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
menu "Qualcomm Technologies, Inc Per File Encryption security device drivers"
|
||||
depends on ARCH_QCOM
|
||||
|
||||
config PFT
|
||||
bool "Per-File-Tagger driver"
|
||||
depends on SECURITY
|
||||
default n
|
||||
help
|
||||
This driver is used for tagging enterprise files.
|
||||
It is part of the Per-File-Encryption (PFE) feature.
|
||||
The driver is tagging files when created by
|
||||
registered application.
|
||||
Tagged files are encrypted using the dm-req-crypt driver.
|
||||
|
||||
endmenu
|
||||
7
security/pfe/Makefile
Normal file
7
security/pfe/Makefile
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
#
|
||||
# Makefile for the MSM specific security device drivers.
|
||||
#
|
||||
|
||||
ccflags-y += -Isecurity/selinux -Isecurity/selinux/include -Ifs/ecryptfs
|
||||
|
||||
obj-$(CONFIG_PFT) += pft.o
|
||||
|
|
@ -165,7 +165,7 @@ struct pft_device {
|
|||
/* Device Driver State */
|
||||
static struct pft_device *pft_dev;
|
||||
|
||||
static struct inode *pft_bio_get_inode(struct bio *bio);
|
||||
static struct inode *pft_bio_get_inode(const struct bio *bio);
|
||||
|
||||
static int pft_inode_alloc_security(struct inode *inode)
|
||||
{
|
||||
|
|
@ -224,7 +224,7 @@ static int __init pft_lsm_init(struct pft_device *dev)
|
|||
*/
|
||||
static bool pft_is_ready(void)
|
||||
{
|
||||
return (pft_dev != NULL);
|
||||
return pft_dev != NULL;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -637,7 +637,7 @@ static bool pft_is_inplace_inode(struct inode *inode)
|
|||
if (!pft_dev->inplace_file || !pft_dev->inplace_file->f_path.dentry)
|
||||
return false;
|
||||
|
||||
return (pft_dev->inplace_file->f_path.dentry->d_inode == inode);
|
||||
return pft_dev->inplace_file->f_path.dentry->d_inode == inode;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -734,45 +734,6 @@ int pft_get_key_index(struct bio *bio, u32 *key_index,
|
|||
}
|
||||
EXPORT_SYMBOL(pft_get_key_index);
|
||||
|
||||
/**
|
||||
* pft_bio_get_inode() - get the inode from a bio.
|
||||
* @bio: Pointer to BIO structure.
|
||||
*
|
||||
* Walk the bio struct links to get the inode.
|
||||
*
|
||||
* Return: pointer to the inode struct if successful, or NULL otherwise.
|
||||
*/
|
||||
static struct inode *pft_bio_get_inode(struct bio *bio)
|
||||
{
|
||||
if (!bio)
|
||||
return NULL;
|
||||
/* check bio vec count > 0 before using the bio->bi_io_vec[] array */
|
||||
if (!bio->bi_vcnt)
|
||||
return NULL;
|
||||
if (!bio->bi_io_vec)
|
||||
return NULL;
|
||||
if (!bio->bi_io_vec->bv_page)
|
||||
return NULL;
|
||||
|
||||
if (PageAnon(bio->bi_io_vec->bv_page)) {
|
||||
struct inode *inode;
|
||||
|
||||
/* Using direct-io (O_DIRECT) without page cache */
|
||||
inode = dio_bio_get_inode(bio);
|
||||
pr_debug("inode on direct-io, inode = 0x%p.\n", inode);
|
||||
|
||||
return inode;
|
||||
}
|
||||
|
||||
if (!bio->bi_io_vec->bv_page->mapping)
|
||||
return NULL;
|
||||
|
||||
if (!bio->bi_io_vec->bv_page->mapping->host)
|
||||
return NULL;
|
||||
|
||||
return bio->bi_io_vec->bv_page->mapping->host;
|
||||
}
|
||||
|
||||
/**
|
||||
* pft_allow_merge_bio()- Check if 2 BIOs can be merged.
|
||||
* @bio1: Pointer to first BIO structure.
|
||||
|
|
@ -796,6 +757,9 @@ bool pft_allow_merge_bio(struct bio *bio1, struct bio *bio2)
|
|||
if (!pft_is_ready())
|
||||
return true;
|
||||
|
||||
if (!bio1 || !bio2)
|
||||
return -EPERM;
|
||||
|
||||
/*
|
||||
* Encrypted BIOs are created only when file encryption is enabled,
|
||||
* which happens only when key is loaded.
|
||||
|
|
@ -820,6 +784,51 @@ bool pft_allow_merge_bio(struct bio *bio1, struct bio *bio2)
|
|||
}
|
||||
EXPORT_SYMBOL(pft_allow_merge_bio);
|
||||
|
||||
/**
|
||||
* pft_bio_get_inode() - get the inode from a bio.
|
||||
* @bio: Pointer to BIO structure.
|
||||
*
|
||||
* Walk the bio struct links to get the inode.
|
||||
* Please note, that in general bio may consist of several pages from
|
||||
* several files, but in our case we always assume that all pages come
|
||||
* from the same file, since our logic ensures it. That is why we only
|
||||
* walk through the first page to look for inode.
|
||||
*
|
||||
* Return: pointer to the inode struct if successful, or NULL otherwise.
|
||||
*
|
||||
*/
|
||||
static struct inode *pft_bio_get_inode(const struct bio *bio)
|
||||
{
|
||||
if (!bio)
|
||||
return NULL;
|
||||
/* check bio vec count > 0 before using the bio->bi_io_vec[] array */
|
||||
if (!bio->bi_vcnt)
|
||||
return NULL;
|
||||
if (!bio->bi_io_vec)
|
||||
return NULL;
|
||||
if (!bio->bi_io_vec->bv_page)
|
||||
return NULL;
|
||||
|
||||
if (PageAnon(bio->bi_io_vec->bv_page)) {
|
||||
struct inode *inode;
|
||||
|
||||
/* Using direct-io (O_DIRECT) without page cache */
|
||||
inode = dio_bio_get_inode((struct bio *)bio);
|
||||
pr_debug("inode on direct-io, inode = 0x%p.\n", inode);
|
||||
|
||||
return inode;
|
||||
}
|
||||
|
||||
if (!bio->bi_io_vec->bv_page->mapping)
|
||||
return NULL;
|
||||
|
||||
if (!bio->bi_io_vec->bv_page->mapping->host)
|
||||
return NULL;
|
||||
|
||||
return bio->bi_io_vec->bv_page->mapping->host;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* pft_inode_create() - file creation callback.
|
||||
* @dir: directory inode pointer
|
||||
Loading…
Add table
Reference in a new issue