Add samsung specific changes

security/Kconfig

@@ -196,12 +196,6 @@ source "security/lockdown/Kconfig"
 source "security/landlock/Kconfig"
 
 source "security/integrity/Kconfig"
-source "security/samsung/kumiho/Kconfig"
-source "security/samsung/dsms/Kconfig"
-source "security/samsung/defex_lsm/Kconfig"
-source "security/samsung/five/Kconfig"
-source "security/samsung/proca/Kconfig"
-source "security/samsung/proca/gaf/Kconfig"
 
 choice
 	prompt "First legacy 'major LSM' to be initialized"
@@ -253,19 +247,6 @@ config LSM
 
 	  If unsure, leave this as the default.
 
-config DDAR
-	bool "Enables dual encryption"
-	default n
-	help
-	  Knox Dual-DAR (Data-At-Rest) protection
-
-config DDAR_KEY_DUMP
-	bool "DDAR KEY DUMP"
-	default n
-	help
-	  For dumping sensitive keying material for CC Certification test.
-	  Enabled only for eng and userdebug builds.
-
 source "security/Kconfig.hardening"
 
 endmenu

security/Makefile

@@ -27,14 +27,3 @@ obj-$(CONFIG_SECURITY_LANDLOCK)		+= landlock/
 
 # Object integrity file lists
 obj-$(CONFIG_INTEGRITY)			+= integrity/
-# FIVE
-obj-$(CONFIG_FIVE)			+= samsung/five/
-# PROCA
-obj-$(CONFIG_PROCA)			+= samsung/proca/
-obj-$(CONFIG_GAF)			+= samsung/proca/gaf/
-obj-$(CONFIG_SECURITY_DSMS)		+= samsung/dsms/
-# DEFEX
-obj-$(CONFIG_SECURITY_DEFEX)		+= samsung/defex_lsm/
-# KNOX DAR
-obj-$(CONFIG_DDAR) += ddar/
-obj-$(CONFIG_DDAR) += ddar/built-in.a

security/integrity/iint.c

@@ -19,9 +19,6 @@
 #include <linux/uaccess.h>
 #include <linux/security.h>
 #include <linux/lsm_hooks.h>
-#ifdef CONFIG_FIVE
-#include <uapi/linux/magic.h>
-#endif
 #include "integrity.h"
 
 static struct rb_root integrity_iint_tree = RB_ROOT;
@@ -112,13 +109,6 @@ static void iint_init_always(struct integrity_iint_cache *iint,
 
 static void iint_free(struct integrity_iint_cache *iint)
 {
-#ifdef CONFIG_FIVE
-	kfree(iint->five_label);
-	iint->five_label = NULL;
-	iint->five_flags = 0UL;
-	iint->five_status = FIVE_FILE_UNKNOWN;
-	iint->five_signing = false;
-#endif
 	kfree(iint->ima_hash);
 	mutex_destroy(&iint->mutex);
 	kmem_cache_free(iint_cache, iint);
@@ -190,10 +180,6 @@ void integrity_inode_free(struct inode *inode)
 
 	write_lock(&integrity_iint_lock);
 	iint = __integrity_iint_find(inode);
-	if (!iint) {
-		write_unlock(&integrity_iint_lock);
-		return;
-	}
 	rb_erase(&iint->rb_node, &integrity_iint_tree);
 	write_unlock(&integrity_iint_lock);
 
@@ -205,11 +191,6 @@ static void iint_init_once(void *foo)
 	struct integrity_iint_cache *iint = (struct integrity_iint_cache *) foo;
 
 	memset(iint, 0, sizeof(*iint));
-#ifdef CONFIG_FIVE
-	iint->five_flags = 0UL;
-	iint->five_status = FIVE_FILE_UNKNOWN;
-	iint->five_signing = false;
-#endif
 }
 
 static int __init integrity_iintcache_init(void)

security/integrity/integrity.h

@@ -18,17 +18,6 @@
 #include <crypto/hash.h>
 #include <linux/key.h>
 #include <linux/audit.h>
-#include <crypto/hash_info.h>
-
-struct integrity_label;
-enum five_file_integrity {
-	FIVE_FILE_UNKNOWN,
-	FIVE_FILE_FAIL,
-	FIVE_FILE_RSA,
-	FIVE_FILE_DMVERITY,
-	FIVE_FILE_FSVERITY,
-	FIVE_FILE_HMAC
-};
 
 /* iint action cache flags */
 #define IMA_MEASURE		0x00000001
@@ -70,10 +59,6 @@ enum five_file_integrity {
 #define IMA_READ_APPRAISED	0x00080000
 #define IMA_CREDS_APPRAISE	0x00100000
 #define IMA_CREDS_APPRAISED	0x00200000
-
-#define FIVE_DMVERITY_PROTECTED	0x00040000
-#define FIVE_TRUSTED_FILE	0x00080000
-
 #define IMA_APPRAISE_SUBMASK	(IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
 				 IMA_BPRM_APPRAISE | IMA_READ_APPRAISE | \
 				 IMA_CREDS_APPRAISE)
@@ -188,12 +173,6 @@ struct integrity_iint_cache {
 	enum integrity_status ima_creds_status:4;
 	enum integrity_status evm_status:4;
 	struct ima_digest_data *ima_hash;
-#ifdef CONFIG_FIVE
-	unsigned long five_flags;
-	enum five_file_integrity five_status;
-	struct integrity_label *five_label;
-	bool five_signing;
-#endif
 };
 
 /* rbtree tree calls to lookup, insert, delete
@@ -208,8 +187,7 @@ int integrity_kernel_read(struct file *file, loff_t offset,
 #define INTEGRITY_KEYRING_IMA		1
 #define INTEGRITY_KEYRING_PLATFORM	2
 #define INTEGRITY_KEYRING_MACHINE	3
-#define INTEGRITY_KEYRING_FIVE		4
-#define INTEGRITY_KEYRING_MAX		5
+#define INTEGRITY_KEYRING_MAX		4
 
 extern struct dentry *integrity_dir;
 
@@ -225,8 +203,6 @@ int __init integrity_init_keyring(const unsigned int id);
 int __init integrity_load_x509(const unsigned int id, const char *path);
 int __init integrity_load_cert(const unsigned int id, const char *source,
 			       const void *data, size_t len, key_perm_t perm);
-int __init integrity_load_x509_from_mem(const unsigned int id,
-					const char *data, size_t size);
 #else
 
 static inline int integrity_digsig_verify(const unsigned int id,

security/security.c

@@ -29,7 +29,6 @@
 #include <linux/backing-dev.h>
 #include <linux/string.h>
 #include <linux/msg.h>
-#include <linux/task_integrity.h>
 #include <net/flow.h>
 
 /* How many LSMs were built into the kernel? */
@@ -2196,9 +2195,6 @@ int security_inode_setxattr(struct mnt_idmap *idmap,
 
 	if (ret == 1)
 		ret = cap_inode_setxattr(dentry, name, value, size, flags);
-	if (ret)
-		return ret;
-	ret = five_inode_setxattr(dentry, name, value, size);
 	if (ret)
 		return ret;
 	ret = ima_inode_setxattr(dentry, name, value, size);
@@ -2360,9 +2356,6 @@ int security_inode_removexattr(struct mnt_idmap *idmap,
 	ret = call_int_hook(inode_removexattr, 1, idmap, dentry, name);
 	if (ret == 1)
 		ret = cap_inode_removexattr(idmap, dentry, name);
-	if (ret)
-		return ret;
-	ret = five_inode_removexattr(dentry, name);
 	if (ret)
 		return ret;
 	ret = ima_inode_removexattr(dentry, name);
@@ -2736,9 +2729,6 @@ int security_mmap_file(struct file *file, unsigned long prot,
 	int ret;
 
 	ret = call_int_hook(mmap_file, 0, file, prot, prot_adj, flags);
-	if (ret)
-		return ret;
-	ret = five_file_mmap(file, prot);
 	if (ret)
 		return ret;
 	return ima_file_mmap(file, prot, prot_adj, flags);
@@ -2877,11 +2867,7 @@ int security_file_open(struct file *file)
 	if (ret)
 		return ret;
 
-	ret = fsnotify_perm(file, MAY_OPEN);
-	if (ret)
-		return ret;
-
-	return five_file_open(file);
+	return fsnotify_perm(file, MAY_OPEN);
 }
 
 /**
@@ -2930,7 +2916,6 @@ int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
 void security_task_free(struct task_struct *task)
 {
 	call_void_hook(task_free, task);
-	five_task_free(task);
 
 	kfree(task->security);
 	task->security = NULL;