update to PKT lts-v4.19.18-base-190130T184924Z

Signed-off-by: Alek Du <alek.du@intel.com>

0087-LSM-Infrastructure-management-of-the-cred-.patch

@@ -33,24 +33,24 @@ Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
  security/tomoyo/tomoyo.c          |  56 +++++++++++++---
  17 files changed, 303 insertions(+), 143 deletions(-)
 
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 97a020c616ad..0bef312efd45 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -2024,6 +2024,13 @@ struct security_hook_list {
- 	char				*lsm;
+Index: kernel-lts2018/include/linux/lsm_hooks.h
+===================================================================
+--- kernel-lts2018.orig/include/linux/lsm_hooks.h
++++ kernel-lts2018/include/linux/lsm_hooks.h
+@@ -2025,6 +2025,13 @@ struct security_hook_list {
  } __randomize_layout;
  
-+/*
+ /*
 + * Security blob size or offset data.
 + */
 +struct lsm_blob_sizes {
 +	int	lbs_cred;
 +};
 +
- /*
++/*
   * Initializing a security_hook_list structure takes
   * up a lot of space in a source file. This macro takes
+  * care of the common case and reduces the amount of
 @@ -2036,6 +2043,7 @@ struct security_hook_list {
  extern struct security_hook_heads security_hook_heads;
  extern char *lsm_names;
@@ -70,11 +70,11 @@ index 97a020c616ad..0bef312efd45 100644
 +#endif
 +
  #endif /* ! __LINUX_LSM_HOOKS_H */
-diff --git a/kernel/cred.c b/kernel/cred.c
-index ecf03657e71c..fa2061ee4955 100644
---- a/kernel/cred.c
-+++ b/kernel/cred.c
-@@ -704,19 +704,6 @@ bool creds_are_invalid(const struct cred *cred)
+Index: kernel-lts2018/kernel/cred.c
+===================================================================
+--- kernel-lts2018.orig/kernel/cred.c
++++ kernel-lts2018/kernel/cred.c
+@@ -704,19 +704,6 @@ bool creds_are_invalid(const struct cred
  {
  	if (cred->magic != CRED_MAGIC)
  		return true;
@@ -94,10 +94,10 @@ index ecf03657e71c..fa2061ee4955 100644
  	return false;
  }
  EXPORT_SYMBOL(creds_are_invalid);
-diff --git a/security/Kconfig b/security/Kconfig
-index d9aa521b5206..0447d9d8c875 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
+Index: kernel-lts2018/security/Kconfig
+===================================================================
+--- kernel-lts2018.orig/security/Kconfig
++++ kernel-lts2018/security/Kconfig
 @@ -36,6 +36,17 @@ config SECURITY_WRITABLE_HOOKS
  	bool
  	default n
@@ -116,11 +116,11 @@ index d9aa521b5206..0447d9d8c875 100644
  config SECURITYFS
  	bool "Enable the securityfs filesystem"
  	help
-diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
-index 08c88de0ffda..726910bba84b 100644
---- a/security/apparmor/domain.c
-+++ b/security/apparmor/domain.c
-@@ -975,7 +975,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+Index: kernel-lts2018/security/apparmor/domain.c
+===================================================================
+--- kernel-lts2018.orig/security/apparmor/domain.c
++++ kernel-lts2018/security/apparmor/domain.c
+@@ -975,7 +975,7 @@ int apparmor_bprm_set_creds(struct linux
  	}
  	aa_put_label(cred_label(bprm->cred));
  	/* transfer reference, released when cred is freed */
@@ -129,10 +129,10 @@ index 08c88de0ffda..726910bba84b 100644
  
  done:
  	aa_put_label(label);
-diff --git a/security/apparmor/include/cred.h b/security/apparmor/include/cred.h
-index e287b7d0d4be..a90eae76d7c1 100644
---- a/security/apparmor/include/cred.h
-+++ b/security/apparmor/include/cred.h
+Index: kernel-lts2018/security/apparmor/include/cred.h
+===================================================================
+--- kernel-lts2018.orig/security/apparmor/include/cred.h
++++ kernel-lts2018/security/apparmor/include/cred.h
 @@ -23,8 +23,22 @@
  #include "policy_ns.h"
  #include "task.h"
@@ -141,11 +141,11 @@ index e287b7d0d4be..a90eae76d7c1 100644
 +static inline struct aa_label *cred_label(const struct cred *cred)
 +{
 +	struct aa_label **blob = cred->security;
-+
+ 
 +	AA_BUG(!blob);
 +	return *blob;
 +}
- 
++
 +static inline void set_cred_label(const struct cred *cred,
 +				  struct aa_label *label)
 +{
@@ -157,11 +157,11 @@ index e287b7d0d4be..a90eae76d7c1 100644
  
  /**
   * aa_cred_raw_label - obtain cred's label
-diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 8b8b70620bbe..c2566aaa138e 100644
---- a/security/apparmor/lsm.c
-+++ b/security/apparmor/lsm.c
-@@ -57,7 +57,7 @@ DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
+Index: kernel-lts2018/security/apparmor/lsm.c
+===================================================================
+--- kernel-lts2018.orig/security/apparmor/lsm.c
++++ kernel-lts2018/security/apparmor/lsm.c
+@@ -57,7 +57,7 @@ DEFINE_PER_CPU(struct aa_buffers, aa_buf
  static void apparmor_cred_free(struct cred *cred)
  {
  	aa_put_label(cred_label(cred));
@@ -170,7 +170,7 @@ index 8b8b70620bbe..c2566aaa138e 100644
  }
  
  /*
-@@ -65,7 +65,7 @@ static void apparmor_cred_free(struct cred *cred)
+@@ -65,7 +65,7 @@ static void apparmor_cred_free(struct cr
   */
  static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
  {
@@ -179,7 +179,7 @@ index 8b8b70620bbe..c2566aaa138e 100644
  	return 0;
  }
  
-@@ -75,7 +75,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
+@@ -75,7 +75,7 @@ static int apparmor_cred_alloc_blank(str
  static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
  				 gfp_t gfp)
  {
@@ -188,7 +188,7 @@ index 8b8b70620bbe..c2566aaa138e 100644
  	return 0;
  }
  
-@@ -84,7 +84,7 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
+@@ -84,7 +84,7 @@ static int apparmor_cred_prepare(struct
   */
  static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
  {
@@ -197,7 +197,7 @@ index 8b8b70620bbe..c2566aaa138e 100644
  }
  
  static void apparmor_task_free(struct task_struct *task)
-@@ -1126,6 +1126,13 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
+@@ -1126,6 +1126,13 @@ static void apparmor_sock_graft(struct s
  		ctx->label = aa_get_current_label();
  }
  
@@ -221,7 +221,7 @@ index 8b8b70620bbe..c2566aaa138e 100644
  	task_ctx(current) = ctx;
  
  	return 0;
-@@ -1540,8 +1548,18 @@ static inline int apparmor_init_sysctl(void)
+@@ -1540,8 +1548,18 @@ static inline int apparmor_init_sysctl(v
  
  static int __init apparmor_init(void)
  {
@@ -240,11 +240,11 @@ index 8b8b70620bbe..c2566aaa138e 100644
  	if (!apparmor_enabled || !security_module_enable("apparmor")) {
  		aa_info_message("AppArmor disabled by boot time parameter");
  		apparmor_enabled = false;
-diff --git a/security/apparmor/task.c b/security/apparmor/task.c
-index c6b78a14da91..4551110f0496 100644
---- a/security/apparmor/task.c
-+++ b/security/apparmor/task.c
-@@ -81,7 +81,7 @@ int aa_replace_current_label(struct aa_label *label)
+Index: kernel-lts2018/security/apparmor/task.c
+===================================================================
+--- kernel-lts2018.orig/security/apparmor/task.c
++++ kernel-lts2018/security/apparmor/task.c
+@@ -81,7 +81,7 @@ int aa_replace_current_label(struct aa_l
  	 */
  	aa_get_label(label);
  	aa_put_label(cred_label(new));
@@ -253,7 +253,7 @@ index c6b78a14da91..4551110f0496 100644
  
  	commit_creds(new);
  	return 0;
-@@ -138,7 +138,7 @@ int aa_set_current_hat(struct aa_label *label, u64 token)
+@@ -138,7 +138,7 @@ int aa_set_current_hat(struct aa_label *
  		return -EACCES;
  	}
  
@@ -271,11 +271,11 @@ index c6b78a14da91..4551110f0496 100644
  	AA_BUG(!cred_label(new));
  	/* clear exec && prev information when restoring to previous context */
  	aa_clear_task_ctx_trans(ctx);
-diff --git a/security/security.c b/security/security.c
-index 3dfe75d0d373..ff7df14f6db1 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -41,6 +41,8 @@ struct security_hook_heads security_hook_heads __lsm_ro_after_init;
+Index: kernel-lts2018/security/security.c
+===================================================================
+--- kernel-lts2018.orig/security/security.c
++++ kernel-lts2018/security/security.c
+@@ -41,6 +41,8 @@ struct security_hook_heads security_hook
  static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
  
  char *lsm_names;
@@ -308,7 +308,7 @@ index 3dfe75d0d373..ff7df14f6db1 100644
  	return 0;
  }
  
-@@ -198,6 +212,73 @@ int unregister_lsm_notifier(struct notifier_block *nb)
+@@ -198,6 +212,73 @@ int unregister_lsm_notifier(struct notif
  }
  EXPORT_SYMBOL(unregister_lsm_notifier);
  
@@ -382,7 +382,7 @@ index 3dfe75d0d373..ff7df14f6db1 100644
  /*
   * Hook list operation macros.
   *
-@@ -998,17 +1079,36 @@ void security_task_free(struct task_struct *task)
+@@ -998,7 +1079,15 @@ void security_task_free(struct task_stru
  
  int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
  {
@@ -399,7 +399,9 @@ index 3dfe75d0d373..ff7df14f6db1 100644
  }
  
  void security_cred_free(struct cred *cred)
- {
+@@ -1011,11 +1100,22 @@ void security_cred_free(struct cred *cre
+ 		return;
+ 
  	call_void_hook(cred_free, cred);
 +
 +	kfree(cred->security);
@@ -421,10 +423,10 @@ index 3dfe75d0d373..ff7df14f6db1 100644
  }
  
  void security_transfer_creds(struct cred *new, const struct cred *old)
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 9d6cdd21acb6..9b49698754a7 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
+Index: kernel-lts2018/security/selinux/hooks.c
+===================================================================
+--- kernel-lts2018.orig/security/selinux/hooks.c
++++ kernel-lts2018/security/selinux/hooks.c
 @@ -213,12 +213,9 @@ static void cred_init_security(void)
  	struct cred *cred = (struct cred *) current->real_cred;
  	struct task_security_struct *tsec;
@@ -440,11 +442,10 @@ index 9d6cdd21acb6..9b49698754a7 100644
  }
  
  /*
-@@ -3898,53 +3895,17 @@ static int selinux_task_alloc(struct task_struct *task,
- 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
+@@ -3904,52 +3901,16 @@ static int selinux_task_alloc(struct tas
  }
  
--/*
+ /*
 - * allocate the SELinux part of blank credentials
 - */
 -static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
@@ -475,7 +476,7 @@ index 9d6cdd21acb6..9b49698754a7 100644
 -	kfree(tsec);
 -}
 -
- /*
+-/*
   * prepare a new set of credentials for modification
   */
  static int selinux_cred_prepare(struct cred *new, const struct cred *old,
@@ -497,7 +498,7 @@ index 9d6cdd21acb6..9b49698754a7 100644
  	return 0;
  }
  
-@@ -6894,6 +6855,10 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
+@@ -6902,6 +6863,10 @@ static void selinux_bpf_prog_free(struct
  }
  #endif
  
@@ -508,7 +509,7 @@ index 9d6cdd21acb6..9b49698754a7 100644
  static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
  	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
  	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
-@@ -6976,8 +6941,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
+@@ -6984,8 +6949,6 @@ static struct security_hook_list selinux
  	LSM_HOOK_INIT(file_open, selinux_file_open),
  
  	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
@@ -517,7 +518,7 @@ index 9d6cdd21acb6..9b49698754a7 100644
  	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
  	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
  	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
-@@ -7133,11 +7096,19 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
+@@ -7141,11 +7104,19 @@ static struct security_hook_list selinux
  
  static __init int selinux_init(void)
  {
@@ -537,10 +538,10 @@ index 9d6cdd21acb6..9b49698754a7 100644
  	if (!selinux_enabled) {
  		pr_info("SELinux:  Disabled at boot.\n");
  		return 0;
-diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
-index 734b6833bdff..db1c7000ada3 100644
---- a/security/selinux/include/objsec.h
-+++ b/security/selinux/include/objsec.h
+Index: kernel-lts2018/security/selinux/include/objsec.h
+===================================================================
+--- kernel-lts2018.orig/security/selinux/include/objsec.h
++++ kernel-lts2018/security/selinux/include/objsec.h
 @@ -25,6 +25,9 @@
  #include <linux/binfmts.h>
  #include <linux/in.h>
@@ -559,10 +560,10 @@ index 734b6833bdff..db1c7000ada3 100644
  static inline struct task_security_struct *selinux_cred(const struct cred *cred)
  {
  	return cred->security;
-diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
-index f3a5a138a096..b5665bdc29fc 100644
---- a/security/selinux/selinuxfs.c
-+++ b/security/selinux/selinuxfs.c
+Index: kernel-lts2018/security/selinux/selinuxfs.c
+===================================================================
+--- kernel-lts2018.orig/security/selinux/selinuxfs.c
++++ kernel-lts2018/security/selinux/selinuxfs.c
 @@ -31,6 +31,7 @@
  #include <linux/uaccess.h>
  #include <linux/kobject.h>
@@ -571,10 +572,10 @@ index f3a5a138a096..b5665bdc29fc 100644
  
  /* selinuxfs pseudo filesystem for exporting the security policy API.
     Based on the proc code and the fs/nfsd/nfsctl.c code. */
-diff --git a/security/smack/smack.h b/security/smack/smack.h
-index 0b55d6a55b26..0c6dce446825 100644
---- a/security/smack/smack.h
-+++ b/security/smack/smack.h
+Index: kernel-lts2018/security/smack/smack.h
+===================================================================
+--- kernel-lts2018.orig/security/smack/smack.h
++++ kernel-lts2018/security/smack/smack.h
 @@ -24,6 +24,7 @@
  #include <linux/list.h>
  #include <linux/rculist.h>
@@ -583,11 +584,11 @@ index 0b55d6a55b26..0c6dce446825 100644
  
  /*
   * Use IPv6 port labeling if IPv6 is enabled and secmarks
-diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index 68ee3ae8f25c..a06ea8aa89c4 100644
---- a/security/smack/smack_lsm.c
-+++ b/security/smack/smack_lsm.c
-@@ -309,29 +309,20 @@ static struct inode_smack *new_inode_smack(struct smack_known *skp)
+Index: kernel-lts2018/security/smack/smack_lsm.c
+===================================================================
+--- kernel-lts2018.orig/security/smack/smack_lsm.c
++++ kernel-lts2018/security/smack/smack_lsm.c
+@@ -309,29 +309,20 @@ static struct inode_smack *new_inode_sma
  }
  
  /**
@@ -621,7 +622,7 @@ index 68ee3ae8f25c..a06ea8aa89c4 100644
  }
  
  /**
-@@ -1958,14 +1949,7 @@ static int smack_file_open(struct file *file)
+@@ -1965,14 +1956,7 @@ static int smack_file_open(struct file *
   */
  static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
  {
@@ -637,7 +638,7 @@ index 68ee3ae8f25c..a06ea8aa89c4 100644
  	return 0;
  }
  
-@@ -1982,10 +1966,6 @@ static void smack_cred_free(struct cred *cred)
+@@ -1989,10 +1973,6 @@ static void smack_cred_free(struct cred
  	struct list_head *l;
  	struct list_head *n;
  
@@ -648,7 +649,7 @@ index 68ee3ae8f25c..a06ea8aa89c4 100644
  	smk_destroy_label_list(&tsp->smk_relabel);
  
  	list_for_each_safe(l, n, &tsp->smk_rules) {
-@@ -1993,7 +1973,6 @@ static void smack_cred_free(struct cred *cred)
+@@ -2000,7 +1980,6 @@ static void smack_cred_free(struct cred
  		list_del(&rp->list);
  		kfree(rp);
  	}
@@ -656,7 +657,7 @@ index 68ee3ae8f25c..a06ea8aa89c4 100644
  }
  
  /**
-@@ -2008,14 +1987,10 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
+@@ -2015,14 +1994,10 @@ static int smack_cred_prepare(struct cre
  			      gfp_t gfp)
  {
  	struct task_smack *old_tsp = smack_cred(old);
@@ -673,7 +674,7 @@ index 68ee3ae8f25c..a06ea8aa89c4 100644
  
  	rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp);
  	if (rc != 0)
-@@ -2023,10 +1998,7 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
+@@ -2030,10 +2005,7 @@ static int smack_cred_prepare(struct cre
  
  	rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel,
  				gfp);
@@ -685,7 +686,7 @@ index 68ee3ae8f25c..a06ea8aa89c4 100644
  }
  
  /**
-@@ -4652,6 +4624,10 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
+@@ -4659,6 +4631,10 @@ static int smack_dentry_create_files_as(
  	return 0;
  }
  
@@ -696,7 +697,7 @@ index 68ee3ae8f25c..a06ea8aa89c4 100644
  static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
  	LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
  	LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
-@@ -4830,23 +4806,35 @@ static __init void init_smack_known_list(void)
+@@ -4837,23 +4813,35 @@ static __init void init_smack_known_list
   */
  static __init int smack_init(void)
  {
@@ -739,7 +740,7 @@ index 68ee3ae8f25c..a06ea8aa89c4 100644
  	smack_enabled = 1;
  
  	pr_info("Smack:  Initializing.\n");
-@@ -4860,20 +4848,9 @@ static __init int smack_init(void)
+@@ -4867,20 +4855,9 @@ static __init int smack_init(void)
  	pr_info("Smack:  IPv6 Netfilter enabled.\n");
  #endif
  
@@ -760,10 +761,10 @@ index 68ee3ae8f25c..a06ea8aa89c4 100644
  	return 0;
  }
  
-diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
-index 539bcdd30bb8..0110bebe86e2 100644
---- a/security/tomoyo/common.h
-+++ b/security/tomoyo/common.h
+Index: kernel-lts2018/security/tomoyo/common.h
+===================================================================
+--- kernel-lts2018.orig/security/tomoyo/common.h
++++ kernel-lts2018/security/tomoyo/common.h
 @@ -29,6 +29,7 @@
  #include <linux/in.h>
  #include <linux/in6.h>
@@ -772,7 +773,7 @@ index 539bcdd30bb8..0110bebe86e2 100644
  #include <net/sock.h>
  #include <net/af_unix.h>
  #include <net/ip.h>
-@@ -1062,6 +1063,7 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,
+@@ -1062,6 +1063,7 @@ void tomoyo_write_log2(struct tomoyo_req
  /********** External variable definitions. **********/
  
  extern bool tomoyo_policy_loaded;
@@ -780,11 +781,10 @@ index 539bcdd30bb8..0110bebe86e2 100644
  extern const char * const tomoyo_condition_keyword
  [TOMOYO_MAX_CONDITION_KEYWORD];
  extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
-@@ -1196,6 +1198,17 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
- 		atomic_dec(&group->head.users);
+@@ -1197,13 +1199,26 @@ static inline void tomoyo_put_group(stru
  }
  
-+/**
+ /**
 + * tomoyo_cred - Get a pointer to the tomoyo cred security blob
 + * @cred - the relevant cred
 + *
@@ -795,10 +795,10 @@ index 539bcdd30bb8..0110bebe86e2 100644
 +	return cred->security;
 +}
 +
- /**
++/**
   * tomoyo_domain - Get "struct tomoyo_domain_info" for current thread.
   *
-@@ -1203,7 +1216,9 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
+  * Returns pointer to "struct tomoyo_domain_info" for current thread.
   */
  static inline struct tomoyo_domain_info *tomoyo_domain(void)
  {
@@ -809,7 +809,7 @@ index 539bcdd30bb8..0110bebe86e2 100644
  }
  
  /**
-@@ -1216,7 +1231,9 @@ static inline struct tomoyo_domain_info *tomoyo_domain(void)
+@@ -1216,7 +1231,9 @@ static inline struct tomoyo_domain_info
  static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
  							    *task)
  {
@@ -820,11 +820,11 @@ index 539bcdd30bb8..0110bebe86e2 100644
  }
  
  /**
-diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
-index f6758dad981f..b7469fdbff01 100644
---- a/security/tomoyo/domain.c
-+++ b/security/tomoyo/domain.c
-@@ -678,6 +678,7 @@ static int tomoyo_environ(struct tomoyo_execve *ee)
+Index: kernel-lts2018/security/tomoyo/domain.c
+===================================================================
+--- kernel-lts2018.orig/security/tomoyo/domain.c
++++ kernel-lts2018/security/tomoyo/domain.c
+@@ -678,6 +678,7 @@ out:
   */
  int tomoyo_find_next_domain(struct linux_binprm *bprm)
  {
@@ -832,7 +832,7 @@ index f6758dad981f..b7469fdbff01 100644
  	struct tomoyo_domain_info *old_domain = tomoyo_domain();
  	struct tomoyo_domain_info *domain = NULL;
  	const char *original_name = bprm->filename;
-@@ -843,7 +844,8 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
+@@ -843,7 +844,8 @@ force_jump_domain:
  		domain = old_domain;
  	/* Update reference count on "struct tomoyo_domain_info". */
  	atomic_inc(&domain->users);
@@ -842,11 +842,11 @@ index f6758dad981f..b7469fdbff01 100644
  	kfree(exename.name);
  	if (!retval) {
  		ee->r.domain = domain;
-diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
-index 1d3d7e7a1f05..768dff9608b1 100644
---- a/security/tomoyo/securityfs_if.c
-+++ b/security/tomoyo/securityfs_if.c
-@@ -71,9 +71,12 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
+Index: kernel-lts2018/security/tomoyo/securityfs_if.c
+===================================================================
+--- kernel-lts2018.orig/security/tomoyo/securityfs_if.c
++++ kernel-lts2018/security/tomoyo/securityfs_if.c
+@@ -71,9 +71,12 @@ static ssize_t tomoyo_write_self(struct
  				if (!cred) {
  					error = -ENOMEM;
  				} else {
@@ -862,7 +862,7 @@ index 1d3d7e7a1f05..768dff9608b1 100644
  					atomic_inc(&new_domain->users);
  					atomic_dec(&old_domain->users);
  					commit_creds(cred);
-@@ -234,10 +237,14 @@ static void __init tomoyo_create_entry(const char *name, const umode_t mode,
+@@ -234,10 +237,14 @@ static void __init tomoyo_create_entry(c
   */
  static int __init tomoyo_initerface_init(void)
  {
@@ -878,10 +878,10 @@ index 1d3d7e7a1f05..768dff9608b1 100644
  		return 0;
  
  	tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
-diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
-index 9f932e2d6852..bb84e6ec3886 100644
---- a/security/tomoyo/tomoyo.c
-+++ b/security/tomoyo/tomoyo.c
+Index: kernel-lts2018/security/tomoyo/tomoyo.c
+===================================================================
+--- kernel-lts2018.orig/security/tomoyo/tomoyo.c
++++ kernel-lts2018/security/tomoyo/tomoyo.c
 @@ -18,7 +18,9 @@
   */
  static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
@@ -893,7 +893,7 @@ index 9f932e2d6852..bb84e6ec3886 100644
  	return 0;
  }
  
-@@ -34,8 +36,13 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
+@@ -34,8 +36,13 @@ static int tomoyo_cred_alloc_blank(struc
  static int tomoyo_cred_prepare(struct cred *new, const struct cred *old,
  			       gfp_t gfp)
  {
@@ -909,7 +909,7 @@ index 9f932e2d6852..bb84e6ec3886 100644
  	if (domain)
  		atomic_inc(&domain->users);
  	return 0;
-@@ -59,7 +66,9 @@ static void tomoyo_cred_transfer(struct cred *new, const struct cred *old)
+@@ -59,7 +66,9 @@ static void tomoyo_cred_transfer(struct
   */
  static void tomoyo_cred_free(struct cred *cred)
  {
@@ -920,7 +920,7 @@ index 9f932e2d6852..bb84e6ec3886 100644
  	if (domain)
  		atomic_dec(&domain->users);
  }
-@@ -73,6 +82,9 @@ static void tomoyo_cred_free(struct cred *cred)
+@@ -73,6 +82,9 @@ static void tomoyo_cred_free(struct cred
   */
  static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
  {
@@ -930,7 +930,7 @@ index 9f932e2d6852..bb84e6ec3886 100644
  	/*
  	 * Do only if this function is called for the first time of an execve
  	 * operation.
-@@ -93,13 +105,14 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
+@@ -93,13 +105,14 @@ static int tomoyo_bprm_set_creds(struct
  	 * stored inside "bprm->cred->security" will be acquired later inside
  	 * tomoyo_find_next_domain().
  	 */
@@ -948,7 +948,7 @@ index 9f932e2d6852..bb84e6ec3886 100644
  	return 0;
  }
  
-@@ -112,8 +125,11 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
+@@ -112,8 +125,11 @@ static int tomoyo_bprm_set_creds(struct
   */
  static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
  {
@@ -961,7 +961,7 @@ index 9f932e2d6852..bb84e6ec3886 100644
  	/*
  	 * Execute permission is checked against pathname passed to do_execve()
  	 * using current domain.
-@@ -493,6 +509,10 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
+@@ -493,6 +509,10 @@ static int tomoyo_socket_sendmsg(struct
  	return tomoyo_socket_sendmsg_permission(sock, msg, size);
  }
  
@@ -972,7 +972,7 @@ index 9f932e2d6852..bb84e6ec3886 100644
  /*
   * tomoyo_security_ops is a "struct security_operations" which is used for
   * registering TOMOYO.
-@@ -531,6 +551,8 @@ static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
+@@ -531,6 +551,8 @@ static struct security_hook_list tomoyo_
  /* Lock for GC. */
  DEFINE_SRCU(tomoyo_ss);
  
@@ -1012,6 +1012,3 @@ index 9f932e2d6852..bb84e6ec3886 100644
  	tomoyo_mm_init();
  	return 0;
  }
--- 
-2.19.1
-

0113-tpm-tpm_try_transmit-refactor-error-flow.patch

@@ -1,64 +0,0 @@
-From 6b6f5442b66c3e8f002810f33cf7ed446bca0cfa Mon Sep 17 00:00:00 2001
-From: Tomas Winkler <tomas.winkler@intel.com>
-Date: Mon, 15 Oct 2018 14:03:26 +0300
-Subject: [PATCH 37/97] tpm: tpm_try_transmit() refactor error flow.
-
-First, rename out_no_locality to out_locality for bailing out on
-both tpm_cmd_ready() and tpm_request_locality() failure.
-Second, ignore the return value of go_to_idle() as  it may override
-the return value of the actual tpm operation, the go_to_idle() error
-will be caught on any consequent command.
-Last, fix the wrong 'goto out', that jumped back instead of forward.
-
-Change-Id: Id7258267830705661f51ed6213b8405fc2d9ec77
-Cc: stable@vger.kernel.org
-Fixes: 627448e85c76 ("tpm: separate cmd_ready/go_idle from runtime_pm")
-Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
----
- drivers/char/tpm/tpm-interface.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
-index 129f640424b7..95db630dd722 100644
---- a/drivers/char/tpm/tpm-interface.c
-+++ b/drivers/char/tpm/tpm-interface.c
-@@ -477,13 +477,15 @@ static ssize_t tpm_try_transmit(struct tpm_chip *chip,
- 
- 	if (need_locality) {
- 		rc = tpm_request_locality(chip, flags);
--		if (rc < 0)
--			goto out_no_locality;
-+		if (rc < 0) {
-+			need_locality = false;
-+			goto out_locality;
-+		}
- 	}
- 
- 	rc = tpm_cmd_ready(chip, flags);
- 	if (rc)
--		goto out;
-+		goto out_locality;
- 
- 	rc = tpm2_prepare_space(chip, space, ordinal, buf);
- 	if (rc)
-@@ -547,14 +549,13 @@ static ssize_t tpm_try_transmit(struct tpm_chip *chip,
- 		dev_err(&chip->dev, "tpm2_commit_space: error %d\n", rc);
- 
- out:
--	rc = tpm_go_idle(chip, flags);
--	if (rc)
--		goto out;
-+	/* may fail but do not override previous error value in rc */
-+	tpm_go_idle(chip, flags);
- 
-+out_locality:
- 	if (need_locality)
- 		tpm_relinquish_locality(chip, flags);
- 
--out_no_locality:
- 	if (chip->ops->clk_enable != NULL)
- 		chip->ops->clk_enable(chip, false);
- 
--- 
-2.19.1
-

0114-tpm-tpm_i2c_nuvoton-use-correct-command-du.patch

@@ -1,52 +0,0 @@
-From 321108a27e95e79885db33946b685b0e74031ca1 Mon Sep 17 00:00:00 2001
-From: Tomas Winkler <tomas.winkler@intel.com>
-Date: Wed, 17 Oct 2018 19:23:18 +0300
-Subject: [PATCH 38/97] tpm: tpm_i2c_nuvoton: use correct command duration for
- TPM 2.x
-
-tpm_i2c_nuvoton calculated commands duration using TPM 1.x
-values via tpm_calc_ordinal_duration() also for TPM 2.x chips.
-Call tpm2_calc_ordinal_duration() for retrieving ordinal
-duration for TPM 2.X chips.
-
-Change-Id: If979415a7e21daad80c02b08e66ce652d0bc2b6c
-Cc: Nayna Jain <nayna@linux.vnet.ibm.com>
-Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
-Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
-Tested-by: Nayna Jain <nayna@linux.ibm.com> (For TPM 2.0)
----
- drivers/char/tpm/tpm_i2c_nuvoton.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c
-index caa86b19c76d..f74f451baf6a 100644
---- a/drivers/char/tpm/tpm_i2c_nuvoton.c
-+++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
-@@ -369,6 +369,7 @@ static int i2c_nuvoton_send(struct tpm_chip *chip, u8 *buf, size_t len)
- 	struct device *dev = chip->dev.parent;
- 	struct i2c_client *client = to_i2c_client(dev);
- 	u32 ordinal;
-+	unsigned long duration;
- 	size_t count = 0;
- 	int burst_count, bytes2write, retries, rc = -EIO;
- 
-@@ -455,10 +456,12 @@ static int i2c_nuvoton_send(struct tpm_chip *chip, u8 *buf, size_t len)
- 		return rc;
- 	}
- 	ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
--	rc = i2c_nuvoton_wait_for_data_avail(chip,
--					     tpm_calc_ordinal_duration(chip,
--								       ordinal),
--					     &priv->read_queue);
-+	if (chip->flags & TPM_CHIP_FLAG_TPM2)
-+		duration = tpm2_calc_ordinal_duration(chip, ordinal);
-+	else
-+		duration = tpm_calc_ordinal_duration(chip, ordinal);
-+
-+	rc = i2c_nuvoton_wait_for_data_avail(chip, duration, &priv->read_queue);
- 	if (rc) {
- 		dev_err(dev, "%s() timeout command duration\n", __func__);
- 		i2c_nuvoton_ready(chip);
--- 
-2.19.1
-