diff --git a/drivers/platform/msm/Kconfig b/drivers/platform/msm/Kconfig
index e5b95378a336..19510e5c2279 100644
--- a/drivers/platform/msm/Kconfig
+++ b/drivers/platform/msm/Kconfig
@@ -134,16 +134,6 @@ config SSM
 This driver uses Secure Channel Manager interface for trustzone communication and communicates with modem over SMD channel.
-config PFT
- bool "Per-File-Tagger driver"
- default n
- help
- This driver is used for tagging enterprise files.
- It is part of the Per-File-Encryption (PFE) feature.
- The driver is tagging files when created by
- registered application.
- Tagged files are encrypted using the dm-req-crypt driver.
-
 config GPIO_USB_DETECT
 tristate "GPIO-based USB VBUS Detection"
 depends on POWER_SUPPLY
diff --git a/drivers/platform/msm/Makefile b/drivers/platform/msm/Makefile
index 866338c39760..c33f5e53c1b3 100644
--- a/drivers/platform/msm/Makefile
+++ b/drivers/platform/msm/Makefile
@@ -1,8 +1,6 @@
 #
 # Makefile for the MSM specific device drivers.
 #
-ccflags-y += -Isecurity/selinux -Isecurity/selinux/include
-obj-$(CONFIG_PFT) += pft.o
 obj-$(CONFIG_QPNP_REVID) += qpnp-revid.o
 obj-$(CONFIG_QPNP_COINCELL) += qpnp-coincell.o
 obj-$(CONFIG_MSM_MHI) += mhi/
diff --git a/security/Kconfig b/security/Kconfig
index e45237897b43..18568c21e564 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -6,6 +6,11 @@ menu "Security options"
 source security/keys/Kconfig
+if ARCH_QCOM
+source security/pfe/Kconfig
+endif
+
+
 config SECURITY_DMESG_RESTRICT
 bool "Restrict unprivileged access to the kernel syslog"
 default n
diff --git a/security/Makefile b/security/Makefile
index c9bfbc84ff50..5256fe3fca5f 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -8,6 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack
 subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
 subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
 subdir-$(CONFIG_SECURITY_YAMA) += yama
+subdir-$(CONFIG_ARCH_QCOM) += pfe
 # always enable default capabilities
 obj-y += commoncap.o
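Review bot: The `if ARCH_QCOM` / `endif` wrapper added around `source security/pfe/Kconfig` in security/Kconfig repeats a condition the sourced file already carries, since its menu declares `depends on ARCH_QCOM`. One of the two guards is enough, and keeping the dependency inside security/pfe/Kconfig leaves the top-level file free of platform conditionals. The hunk also adds two consecutive blank lines after `endif` where a single one would match the rest of the file.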
@@ -22,6 +23,7 @@ obj-$(CONFIG_AUDIT) += lsm_audit.o
 obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
 obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
 obj-$(CONFIG_SECURITY_YAMA) += yama/
+obj-$(CONFIG_ARCH_QCOM) += pfe/
 obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
 # Object integrity file lists
diff --git a/security/pfe/Kconfig b/security/pfe/Kconfig
new file mode 100644
index 000000000000..12d0339835e3
--- /dev/null
+++ b/security/pfe/Kconfig
@@ -0,0 +1,15 @@
+menu "Qualcomm Technologies, Inc Per File Encryption security device drivers"
+ depends on ARCH_QCOM
+
+config PFT
+ bool "Per-File-Tagger driver"
+ depends on SECURITY
+ default n
+ help
+ This driver is used for tagging enterprise files.
+ It is part of the Per-File-Encryption (PFE) feature.
+ The driver is tagging files when created by
+ registered application.
+ Tagged files are encrypted using the dm-req-crypt driver.
+
+endmenu
diff --git a/security/pfe/Makefile b/security/pfe/Makefile
new file mode 100644
index 000000000000..da43f37d10cf
--- /dev/null
+++ b/security/pfe/Makefile
@@ -0,0 +1,7 @@
+#
+# Makefile for the MSM specific security device drivers.
+#
+
+ccflags-y += -Isecurity/selinux -Isecurity/selinux/include -Ifs/ecryptfs
+
+obj-$(CONFIG_PFT) += pft.o
diff --git a/drivers/platform/msm/pft.c b/security/pfe/pft.c
similarity index 98%
rename from drivers/platform/msm/pft.c
rename to security/pfe/pft.c
index 9884fd3366ac..e4bbba7b6295 100644
--- a/drivers/platform/msm/pft.c
+++ b/security/pfe/pft.c
@@ -165,7 +165,7 @@ struct pft_device {
 /* Device Driver State */
 static struct pft_device *pft_dev;
-static struct inode *pft_bio_get_inode(struct bio *bio);
+static struct inode *pft_bio_get_inode(const struct bio *bio);
 static int pft_inode_alloc_security(struct inode *inode)
 {
@@ -224,7 +224,7 @@ static int __init pft_lsm_init(struct pft_device *dev)
 */
 static bool pft_is_ready(void)
 {
- return (pft_dev != NULL);
+ return pft_dev != NULL;
 }
 /**
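Review bot: `config PFT` in the new security/pfe/Kconfig declares only `depends on SECURITY`, while the new security/pfe/Makefile adds `-Isecurity/selinux -Isecurity/selinux/include -Ifs/ecryptfs` to `ccflags-y`, which suggests pft.c includes private SELinux and eCryptfs headers. If that is the case, PFT can be selected in a configuration where those subsystems are disabled, and the driver would then build against structures that are not in use at runtime. Consider tightening the dependency, for example `depends on SECURITY_SELINUX`, plus the matching eCryptfs symbol once confirmed against pft.c's include list, which is not visible in this diff. Reaching into another subsystem's private headers through `-I` is also worth a one-line comment in the Makefile explaining why it is needed.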
@@ -637,7 +637,7 @@ static bool pft_is_inplace_inode(struct inode *inode)
 if (!pft_dev->inplace_file || !pft_dev->inplace_file->f_path.dentry)
 return false;
- return (pft_dev->inplace_file->f_path.dentry->d_inode == inode);
+ return pft_dev->inplace_file->f_path.dentry->d_inode == inode;
 }
 /**
@@ -734,45 +734,6 @@ int pft_get_key_index(struct bio *bio, u32 *key_index,
 }
 EXPORT_SYMBOL(pft_get_key_index);
-/**
- * pft_bio_get_inode() - get the inode from a bio.
- * @bio: Pointer to BIO structure.
- *
- * Walk the bio struct links to get the inode.
- *
- * Return: pointer to the inode struct if successful, or NULL otherwise.
- */
-static struct inode *pft_bio_get_inode(struct bio *bio)
-{
- if (!bio)
- return NULL;
- /* check bio vec count > 0 before using the bio->bi_io_vec[] array */
- if (!bio->bi_vcnt)
- return NULL;
- if (!bio->bi_io_vec)
- return NULL;
- if (!bio->bi_io_vec->bv_page)
- return NULL;
-
- if (PageAnon(bio->bi_io_vec->bv_page)) {
- struct inode *inode;
-
- /* Using direct-io (O_DIRECT) without page cache */
- inode = dio_bio_get_inode(bio);
- pr_debug("inode on direct-io, inode = 0x%p.\n", inode);
-
- return inode;
- }
-
- if (!bio->bi_io_vec->bv_page->mapping)
- return NULL;
-
- if (!bio->bi_io_vec->bv_page->mapping->host)
- return NULL;
-
- return bio->bi_io_vec->bv_page->mapping->host;
-}
-
 /**
 * pft_allow_merge_bio()- Check if 2 BIOs can be merged.
 * @bio1: Pointer to first BIO structure.
@@ -796,6 +757,9 @@ bool pft_allow_merge_bio(struct bio *bio1, struct bio *bio2)
 if (!pft_is_ready())
 return true;
+ if (!bio1 || !bio2)
+ return -EPERM;
+
 /*
 * Encrypted BIOs are created only when file encryption is enabled,
 * which happens only when key is loaded.
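Review bot: The NULL check added to pft_allow_merge_bio() returns `-EPERM` from a function declared `bool`, so the value converts to `true` and a NULL `bio1` or `bio2` is reported as mergeable, the opposite of what an error code suggests was intended. If the intent is to refuse the merge, the line should read `return false;`. Because this function appears to decide whether encrypted and plain requests may be combined (per the comment that follows), failing open here should be a deliberate, documented choice rather than a side effect of integer-to-bool conversion. The check also sits after the `pft_is_ready()` early return, so it is skipped while the driver is not initialised; the rest of the function lies outside the hunk.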
@@ -820,6 +784,51 @@ bool pft_allow_merge_bio(struct bio *bio1, struct bio *bio2)
 }
 EXPORT_SYMBOL(pft_allow_merge_bio);
+/**
+ * pft_bio_get_inode() - get the inode from a bio.
+ * @bio: Pointer to BIO structure.
+ *
+ * Walk the bio struct links to get the inode.
+ * Please note, that in general bio may consist of several pages from
+ * several files, but in our case we always assume that all pages come
+ * from the same file, since our logic ensures it. That is why we only
+ * walk through the first page to look for inode.
+ *
+ * Return: pointer to the inode struct if successful, or NULL otherwise.
+ *
+ */
+static struct inode *pft_bio_get_inode(const struct bio *bio)
+{
+ if (!bio)
+ return NULL;
+ /* check bio vec count > 0 before using the bio->bi_io_vec[] array */
+ if (!bio->bi_vcnt)
+ return NULL;
+ if (!bio->bi_io_vec)
+ return NULL;
+ if (!bio->bi_io_vec->bv_page)
+ return NULL;
+
+ if (PageAnon(bio->bi_io_vec->bv_page)) {
+ struct inode *inode;
+
+ /* Using direct-io (O_DIRECT) without page cache */
+ inode = dio_bio_get_inode((struct bio *)bio);
+ pr_debug("inode on direct-io, inode = 0x%p.\n", inode);
+
+ return inode;
+ }
+
+ if (!bio->bi_io_vec->bv_page->mapping)
+ return NULL;
+
+ if (!bio->bi_io_vec->bv_page->mapping->host)
+ return NULL;
+
+ return bio->bi_io_vec->bv_page->mapping->host;
+}
+
+
 /**
 * pft_inode_create() - file creation callback.
 * @dir: directory inode pointer
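Review bot: The call `dio_bio_get_inode((struct bio *)bio)` casts away the `const` that this change just added to the parameter, so the qualifier only holds if that helper never writes through the pointer, which is not visible here. Either change the helper's prototype to take `const struct bio *` or keep pft_bio_get_inode() non-const, so the compiler enforces the contract rather than a cast hiding it. The new kernel-doc text states that all pages of a bio are assumed to come from one file "since our logic ensures it"; because only `bi_io_vec[0]` is inspected and the result presumably feeds the encryption decision, the comment should name where that invariant is enforced, for example `* The single-file invariant is maintained by pft_allow_merge_bio().` if that is indeed the place. The moved `pr_debug` still formats the inode with `0x%p`; `%pK` would avoid exposing a kernel address when debug output is enabled.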