Simplify st33zp24_i2c_acpi_request_resources, st33zp24_i2c_of_request_resources
and st33zp24_i2c_request_resources to have the same prototype and using
i2c_get_clientdata.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Add support for acpi probing. SMO3324 is used for st33zp24.
It has been tested with the following acpi node on Minnowboard:

Device (TPM1)
{
	Name (_ADR, Zero)  // _ADR: Address
	Name (_HID, "SMO3324")  // _HID: Hardware ID
	Name (_CID, "SMO3324")  // _CID: Compatible ID
	Name (_DDN, "SMO TPM")  // _DDN: DOS Device Name
	Name (_UID, One)  // _UID: Unique ID
	Method (_CRS, 0, NotSerialized)  // _CRS: Current Resource Settings
	{
		Name (SBUF, ResourceTemplate ()
		{
			SpiSerialBus (0, PolarityLow, FourWireMode, 8,
				      ControllerInitiated, 4000000, ClockPolarityLow,
				      ClockPhaseFirst, "\\_SB.SPI1",
				      0x00, ResourceConsumer, ,)
			GpioInt (Edge, ActiveHigh, ExclusiveAndWake, PullNone, 0x0000,
				 "\\_SB.GPO2", 0x00, ResourceConsumer, ,)
			{       // Pin list
				0x0001
			}
			GpioIo (Exclusive, PullDefault, 0x0000, 0x0000, IoRestrictionOutputOnly,
				"\\_SB.GPO2", 0x00, ResourceConsumer, ,)
			{       // Pin list
				0x0002,
			}
		})
		Return (SBUF) /* \_SB_.SPI1.TPM1._CRS.SBUF */
	}
	Method (_STA, 0, NotSerialized)  // _STA: Status
	{
		Return (0x0F)
	}
}
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Add support for acpi probing. SMO3324 is used for st33zp24.
It has been tested with the following acpi node on Minnowboard:

Device (TPM1)
{
	Name (_ADR, Zero)  // _ADR: Address
	Name (_HID, "SMO3324")  // _HID: Hardware ID
	Name (_CID, "SMO3324")  // _CID: Compatible ID
	Name (_DDN, "SMO TPM")  // _DDN: DOS Device Name
	Name (_UID, One)  // _UID: Unique ID
	Method (_CRS, 0, NotSerialized)  // _CRS: Current Resource Settings
	{
		Name (SBUF, ResourceTemplate ()
		{
			I2cSerialBus (0x0013, ControllerInitiated, 400000,
				      AddressingMode7Bit, "\\_SB.I2C7",
				      0x00, ResourceConsumer, ,)
			GpioInt (Edge, ActiveHigh, ExclusiveAndWake, PullNone, 0x0000,
				 "\\_SB.GPO2", 0x00, ResourceConsumer, ,)
			{   	// Pin list
				0x0001
			}
			GpioIo (Exclusive, PullDefault, 0x0000, 0x0000, IoRestrictionOutputOnly,
				"\\_SB.GPO2", 0x00, ResourceConsumer, ,)
			{	// Pin list
				0x0002,
			}
		})
		Return (SBUF) /* \_SB_.I2C7.TPM1._CRS.SBUF */
	}

	Method (_STA, 0, NotSerialized)  // _STA: Status
	{
		Return (0x0F)
	}
}
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Extend copyright header to 2016
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Add check in st33zp24_spi_evaluate_latency helping to diagnose if the chip
is present or in a bad state.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

DT headers already define NOOP routines when CONFIG_OF is not defined.

[jarkko.sakkinen@linux.intel.com: I tested that the driver compiles
 without warnings and errors with and without CONFIG_OF flag.]
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Remove spi_xfer from st33zp24_spi_phy structure and declare local spi_xfer
when needed instead.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

An affectation is enough when copying 1 byte. Remove memcpy usage where
possible.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Make sure every function name use st33zp24_spi_ prefix.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

nbr_dummy_bytes variable could be easily replaced by phy->latency in
st33zp24_spi_send and st33zp24_spi_recv.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Simplify st33zp24_spi_acpi_request_resources, st33zp24_spi_of_request_resources
and st33zp24_spi_request_resources to have the same prototype and using
spi_get_drvdata.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Simplify st33zp24_i2c_acpi_request_resources, st33zp24_i2c_of_request_resources
and st33zp24_i2c_request_resources to have the same prototype and using
i2c_get_clientdata.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Add support for acpi probing. SMO3324 is used for st33zp24.
It has been tested with the following acpi node on Minnowboard:

Device (TPM1)
{
	Name (_ADR, Zero)  // _ADR: Address
	Name (_HID, "SMO3324")  // _HID: Hardware ID
	Name (_CID, "SMO3324")  // _CID: Compatible ID
	Name (_DDN, "SMO TPM")  // _DDN: DOS Device Name
	Name (_UID, One)  // _UID: Unique ID
	Method (_CRS, 0, NotSerialized)  // _CRS: Current Resource Settings
	{
		Name (SBUF, ResourceTemplate ()
		{
			SpiSerialBus (0, PolarityLow, FourWireMode, 8,
				      ControllerInitiated, 4000000, ClockPolarityLow,
				      ClockPhaseFirst, "\\_SB.SPI1",
				      0x00, ResourceConsumer, ,)
			GpioInt (Edge, ActiveHigh, ExclusiveAndWake, PullNone, 0x0000,
				 "\\_SB.GPO2", 0x00, ResourceConsumer, ,)
			{       // Pin list
				0x0001
			}
			GpioIo (Exclusive, PullDefault, 0x0000, 0x0000, IoRestrictionOutputOnly,
				"\\_SB.GPO2", 0x00, ResourceConsumer, ,)
			{       // Pin list
				0x0002,
			}
		})
		Return (SBUF) /* \_SB_.SPI1.TPM1._CRS.SBUF */
	}
	Method (_STA, 0, NotSerialized)  // _STA: Status
	{
		Return (0x0F)
	}
}
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Add support for acpi probing. SMO3324 is used for st33zp24.
It has been tested with the following acpi node on Minnowboard:

Device (TPM1)
{
	Name (_ADR, Zero)  // _ADR: Address
	Name (_HID, "SMO3324")  // _HID: Hardware ID
	Name (_CID, "SMO3324")  // _CID: Compatible ID
	Name (_DDN, "SMO TPM")  // _DDN: DOS Device Name
	Name (_UID, One)  // _UID: Unique ID
	Method (_CRS, 0, NotSerialized)  // _CRS: Current Resource Settings
	{
		Name (SBUF, ResourceTemplate ()
		{
			I2cSerialBus (0x0013, ControllerInitiated, 400000,
				      AddressingMode7Bit, "\\_SB.I2C7",
				      0x00, ResourceConsumer, ,)
			GpioInt (Edge, ActiveHigh, ExclusiveAndWake, PullNone, 0x0000,
				 "\\_SB.GPO2", 0x00, ResourceConsumer, ,)
			{   	// Pin list
				0x0001
			}
			GpioIo (Exclusive, PullDefault, 0x0000, 0x0000, IoRestrictionOutputOnly,
				"\\_SB.GPO2", 0x00, ResourceConsumer, ,)
			{	// Pin list
				0x0002,
			}
		})
		Return (SBUF) /* \_SB_.I2C7.TPM1._CRS.SBUF */
	}

	Method (_STA, 0, NotSerialized)  // _STA: Status
	{
		Return (0x0F)
	}
}
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Extend copyright header to 2016
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Add check in st33zp24_spi_evaluate_latency helping to diagnose if the chip
is present or in a bad state.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

The core st33zp24 module is useless without either the I2C or the
SPI access module. So hide NFC_ST_NCI and select it automatically
if either TCG_TIS_ST33ZP24_I2C or TCG_TIS_ST33ZP24_SPI is selected.

This avoids presenting TCG_TIS_ST33ZP24 when neither TCG_TIS_ST33ZP24_I2C
nor TCG_TIS_ST33ZP24_SPI can be selected.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

DT headers already define NOOP routines when CONFIG_OF is not defined.

[jarkko.sakkinen@linux.intel.com: I tested that the driver compiles
 without warnings and errors with and without CONFIG_OF flag.]
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Remove spi_xfer from st33zp24_spi_phy structure and declare local spi_xfer
when needed instead.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

An affectation is enough when copying 1 byte. Remove memcpy usage where
possible.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Make sure every function name use st33zp24_spi_ prefix.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

nbr_dummy_bytes variable could be easily replaced by phy->latency in
st33zp24_spi_send and st33zp24_spi_recv.
Signed-off-by: NChristophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: user-mode-linux-devel@lists.sourceforge.net

Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: Chris Metcalf <cmetcalf@mellanox.com>

Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: linuxppc-dev@lists.ozlabs.org

Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: linux-s390@vger.kernel.org

Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: "James E.J. Bottomley" <jejb@parisc-linux.org>
Cc: Helge Deller <deller@gmx.de>
Cc: linux-parisc@vger.kernel.org

Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: "Maciej W. Rozycki" <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org

Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: linux-arm-kernel@lists.infradead.org

Close the hole where ptrace can change a syscall out from under seccomp.
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: Russell King <linux@armlinux.org.uk>
Cc: linux-arm-kernel@lists.infradead.org

This moves seccomp after ptrace on x86 to that seccomp can catch changes
made by ptrace. Emulation should skip the rest of processing too.

We can get rid of test_thread_flag because there's no longer any
opportunity for seccomp to mess with ptrace state before invoking
ptrace.
Suggested-by: NAndy Lutomirski <luto@kernel.org>
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: x86@kernel.org
Cc: Andy Lutomirski <luto@kernel.org>

When RET_TRACE triggers, a tracer may change a syscall into something that
should be filtered by seccomp. This re-runs seccomp after a trace event
to make sure things continue to pass.
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>

Since nothing is using the 2-phase API, and it adds more complexity than
benefit, remove it.
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>

I added two-phase syscall entry work back when the entry slow path
was very slow.  Nowadays, the entry slow path is fast and two-phase
entry work serves no purpose.  Remove it.
Signed-off-by: NAndy Lutomirski <luto@kernel.org>
Signed-off-by: NKees Cook <keescook@chromium.org>

Currently, if arch code wants to supply seccomp_data directly to
seccomp (which is generally much faster than having seccomp do it
using the syscall_get_xyz() API), it has to use the two-phase
seccomp hooks. Add it to the easy hooks, too.

Cc: linux-arch@vger.kernel.org
Signed-off-by: NAndy Lutomirski <luto@kernel.org>
Signed-off-by: NKees Cook <keescook@chromium.org>

One problem with seccomp was that ptrace could be used to change a
syscall after seccomp filtering had completed. This was a well documented
limitation, and it was recommended to block ptrace when defining a filter
to avoid this problem. This can be quite a limitation for containers or
other places where ptrace is desired even under seccomp filters.

This adds tests for both SECCOMP_RET_TRACE and PTRACE_SYSCALL manipulations.
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>

The code is doing the equivalent of the kthread_run macro.
Signed-off-by: NMike Danese <mikedanese@google.com>
Acked-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

The capability check should not be audited since it is only being used
to determine the inode permissions. A failed check does not indicate a
violation of security policy but, when an LSM is enabled, a denial audit
message was being generated.

The denial audit message caused confusion for some application authors
because root-running Go applications always triggered the denial. To
prevent this confusion, the capability check in net_ctl_permissions() is
switched to the noaudit variant.

BugLink: https://launchpad.net/bugs/1465724Signed-off-by: NTyler Hicks <tyhicks@canonical.com>
Acked-by: NSerge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

When checking the current cred for a capability in a specific user
namespace, it isn't always desirable to have the LSMs audit the check.
This patch adds a noaudit variant of ns_capable() for when those
situations arise.

The common logic between ns_capable() and the new ns_capable_noaudit()
is moved into a single, shared function to keep duplicated code to a
minimum and ease maintainability.
Signed-off-by: NTyler Hicks <tyhicks@canonical.com>
Acked-by: NSerge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Serge Hallyn pointed out that the current implementation of
security_inode_getsecurity() works if there is only one hook
provided for it, but will fail if there is more than one and
the attribute requested isn't supplied by the first module.
This isn't a problem today, since only SELinux and Smack
provide this hook and there is (currently) no way to enable
both of those modules at the same time. Serge, however, wants
to introduce a capability attribute and an inode_getsecurity
hook in the capability security module to handle it. This
addresses that upcoming problem, will be required for "extreme
stacking" and is just a better implementation.
Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
Acked-by: NSerge Hallyn <serge@hallyn.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>