Re: linux-next: manual merge of the security tree with Linus' tree

2019-08-20 Thread Stephen Rothwell
Hi all,

Just adding a couple of more Cc's

On Wed, 21 Aug 2019 13:01:06 +1000 Stephen Rothwell wrote:
> 
> Today's linux-next merge of the security tree got conflicts in:
> 
>   arch/s390/configs/debug_defconfig
>   arch/s390/configs/defconfig
> 
> between commit:
> 
>   3361f3193c74 ("s390: update configs")
> 
> from Linus' tree and commit:
> 
>   99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")
> 
> from the security tree.
> 
> I fixed it up (the former removed the CONFIG option updated by the latter)
> and can carry the fix as necessary. This is now fixed as far as linux-next
> is concerned, but any non trivial conflicts should be mentioned to your
> upstream maintainer when your tree is submitted for merging.  You may
> also want to consider cooperating with the maintainer of the conflicting
> tree to minimise any particularly complex conflicts.

-- 
Cheers,
Stephen Rothwell




linux-next: manual merge of the security tree with Linus' tree

2019-08-20 Thread Stephen Rothwell
Hi all,

Today's linux-next merge of the security tree got a conflict in:

  arch/s390/configs/performance_defconfig

between commit:

  d1523a8f4b8b ("s390: replace defconfig with performance_defconfig")

from Linus' tree and commit:

  99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")

from the security tree.

I fixed it up (the former removed this file) and can carry the fix as
necessary. This is now fixed as far as linux-next is concerned, but any
non trivial conflicts should be mentioned to your upstream maintainer
when your tree is submitted for merging.  You may also want to consider
cooperating with the maintainer of the conflicting tree to minimise any
particularly complex conflicts.

-- 
Cheers,
Stephen Rothwell




linux-next: manual merge of the security tree with Linus' tree

2019-08-20 Thread Stephen Rothwell
Hi all,

Today's linux-next merge of the security tree got a conflict in:

  security/integrity/ima/Kconfig

between commit:

  9e1e5d4372d6 ("x86/ima: fix the Kconfig dependency for IMA_ARCH_POLICY")

from Linus' tree and commit:

  99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")

from the security tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

-- 
Cheers,
Stephen Rothwell

diff --cc security/integrity/ima/Kconfig
index 2ced99dde694,32cd25fa44a5..
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@@ -160,8 -160,7 +160,8 @@@ config IMA_APPRAIS
  
  config IMA_ARCH_POLICY
  bool "Enable loading an IMA architecture specific policy"
- depends on (KEXEC_VERIFY_SIG && IMA) || IMA_APPRAISE \
 -depends on KEXEC_SIG || IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
++depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
 + && INTEGRITY_ASYMMETRIC_KEYS
  default n
  help
This option enables loading an IMA architecture specific policy
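
Review bot: the merged `depends on` (the `++` line and its continuation) mixes `||` and `&&` with only the first arm parenthesised. Kconfig gives `&&` higher precedence than `||`, so INTEGRITY_ASYMMETRIC_KEYS gates only the IMA_APPRAISE arm, and `KEXEC_SIG && IMA` satisfies the dependency without it. Both parents read the same way, so the resolution is faithful, but writing the second arm as `(IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS)` would make the intent explicit.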




linux-next: manual merge of the security tree with Linus' tree

2019-08-20 Thread Stephen Rothwell
Hi all,

FIXME: Add owner of second tree to To:
   Add author(s)/SOB of conflicting commits.

Today's linux-next merge of the security tree got conflicts in:

  arch/s390/configs/debug_defconfig
  arch/s390/configs/defconfig

between commit:

  3361f3193c74 ("s390: update configs")

from Linus' tree and commit:

  99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")

from the security tree.

I fixed it up (the former removed the CONFIG option updated by the latter)
and can carry the fix as necessary. This is now fixed as far as linux-next
is concerned, but any non trivial conflicts should be mentioned to your
upstream maintainer when your tree is submitted for merging.  You may
also want to consider cooperating with the maintainer of the conflicting
tree to minimise any particularly complex conflicts.



-- 
Cheers,
Stephen Rothwell




linux-next: manual merge of the security tree with Linus' tree

2019-08-11 Thread Stephen Rothwell
Hi all,

Today's linux-next merge of the security tree got a conflict in:

  kernel/trace/trace_kprobe.c

between commit:

  715fa2fd4c6c ("tracing/kprobe: Check registered state using kprobe")

from Linus' tree and commit:

  e87402c063fd ("lockdown: Lock down tracing and perf kprobes when in confidentiality mode")

from the security tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

-- 
Cheers,
Stephen Rothwell

diff --cc kernel/trace/trace_kprobe.c
index 9d483ad9bb6c,fcb28b0702b2..
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@@ -11,9 -11,8 +11,10 @@@
  #include 
  #include 
  #include 
+ #include 
  
 +#include   /* for COMMAND_LINE_SIZE */
 +
  #include "trace_dynevent.h"
  #include "trace_kprobe_selftest.h"
  #include "trace_probe.h"
@@@ -389,7 -416,11 +390,11 @@@ static int __register_trace_kprobe(stru
  {
int i, ret;
  
+   ret = security_locked_down(LOCKDOWN_KPROBES);
+   if (ret)
+   return ret;
+ 
 -  if (trace_probe_is_registered(>tp))
 +  if (trace_kprobe_is_registered(tk))
return -EINVAL;
  
if (within_notrace_func(tk)) {
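
Review bot: the `security_locked_down(LOCKDOWN_KPROBES)` check in `__register_trace_kprobe()` has no comment, and the resolution places it ahead of the `trace_kprobe_is_registered(tk)` test taken from Linus' side. Under lockdown a caller therefore gets the lockdown error rather than -EINVAL for an already-registered probe. Deny-first is the safer order; a one-line comment above the call saying it must stay the first check would keep a later refactor from moving registration-state logic ahead of it.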




linux-next: manual merge of the security tree with Linus' tree

2015-08-03 Thread Stephen Rothwell
Hi James,

Today's linux-next merge of the security tree got a conflict in:

  security/yama/yama_lsm.c

between commit:

  5413fcdbe9e7 ("Adding YAMA hooks also when YAMA is not stacked.")

from Linus' tree and commit:

  730daa164e7c ("Yama: remove needless CONFIG_SECURITY_YAMA_STACKED")

from the security tree.

I fixed it up (the latter removed the code updated by the former, so I
just did that) and can carry the fix as necessary (no action is required).

-- 
Cheers,
Stephen Rothwell  s...@canb.auug.org.au
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


linux-next: manual merge of the security tree with Linus' tree

2013-02-03 Thread Stephen Rothwell
Hi James,

Today's linux-next merge of the security tree got a conflict in
lib/digsig.c between commit 7810cc1e7721 ("digsig: Fix memory leakage in
digsig_verify_rsa()") from Linus' tree and commit 26d438457ed1 ("digsig:
remove unnecessary memory allocation and copying") from the security tree.

I fixed it up (see below) and can carry the fix as necessary (no action
is required).

-- 
Cheers,
Stephen Rothwell  s...@canb.auug.org.au

diff --cc lib/digsig.c
index dc2be7e,0103c5b..000
--- a/lib/digsig.c
+++ b/lib/digsig.c
@@@ -162,13 -152,9 +152,11 @@@ static int digsig_verify_rsa(struct ke
memset(out1, 0, head);
memcpy(out1 + head, p, l);
  
 +  kfree(p);
 +
-   err = pkcs_1_v1_5_decode_emsa(out1, len, mblen, out2, );
-   if (err)
-   goto err;
+   m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, );
  
-   if (len != hlen || memcmp(out2, h, hlen))
+   if (!m || len != hlen || memcmp(m, h, hlen))
err = -EINVAL;
  
  err:
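
Review bot: after this resolution `err` is written only on the failure path (`err = -EINVAL`); the old `err = pkcs_1_v1_5_decode_emsa(...)` assignment that set it on every pass is on a `-` line. Confirm `err` is already 0 when control reaches the `m = pkcs_1_v1_5_decode_emsa(...)` line, otherwise a signature that verifies falls through to `err:` carrying a stale value. The `!m` test ahead of `memcmp(m, h, hlen)` is the right guard for the pointer-returning form.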




Re: linux-next: manual merge of the security tree with Linus' tree

2013-01-20 Thread Stephen Rothwell
Hi Mimi,

On Sun, 20 Jan 2013 22:10:23 -0500 Mimi Zohar wrote:
>
> Sorry Stephen, the merged result should look like what's contained in
> linux-integrity/next-upstreamed-patches:
> 
> int ima_module_check(struct file *file)
> {
> 	if (!file) {
> 		if ((ima_appraise & IMA_APPRAISE_MODULES) &&
> 		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> #ifndef CONFIG_MODULE_SIG_FORCE
> 			return -EACCES;	/* INTEGRITY_UNKNOWN */
> #endif
> 		}
> 		return 0;
> 	}
> 	return process_measurement(file, file->f_dentry->d_name.name,
> 				   MAY_EXEC, MODULE_CHECK);
> }

OK, I will use that version tomorrow.

-- 
Cheers,
Stephen Rothwell  s...@canb.auug.org.au




Re: linux-next: manual merge of the security tree with Linus' tree

2013-01-20 Thread Mimi Zohar
On Mon, 2013-01-21 at 13:12 +1100, Stephen Rothwell wrote:
> Hi James,
> 
> Today's linux-next merge of the security tree got a conflict in
> security/integrity/ima/ima_main.c between commit a7f2a366f623 ("ima:
> fallback to MODULE_SIG_ENFORCE for existing kernel module syscall") from
> Linus' tree and commit 750943a30714 ("ima: remove enforce checking
> duplication") from the security tree.
> 
> I think I fixed it up (see below).

Sorry Stephen, the merged result should look like what's contained in
linux-integrity/next-upstreamed-patches:

int ima_module_check(struct file *file)
{
	if (!file) {
		if ((ima_appraise & IMA_APPRAISE_MODULES) &&
		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
#ifndef CONFIG_MODULE_SIG_FORCE
			return -EACCES;	/* INTEGRITY_UNKNOWN */
#endif
		}
		return 0;
	}
	return process_measurement(file, file->f_dentry->d_name.name,
				   MAY_EXEC, MODULE_CHECK);
}

thanks,

Mimi
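
The difference between the first resolution posted in this thread and the version quoted above can be enumerated in user space. This is an added example, not code from the thread or the kernel: the flag values are constructed, CONFIG_MODULE_SIG_FORCE is modelled as a runtime argument, and process_measurement() is replaced by a passed-in result.

```c
#include <errno.h>
#include <stdio.h>

/* Bit values constructed for this model; not copied from kernel headers. */
#define IMA_APPRAISE_ENFORCE 0x01
#define IMA_APPRAISE_MODULES 0x04

/*
 * Model inputs (all assumptions of this example):
 *   has_file  - 0 models the call with file == NULL
 *   appraise  - stands in for the ima_appraise flag word
 *   sig_force - CONFIG_MODULE_SIG_FORCE, modelled as a runtime flag
 *   pm_result - what process_measurement() would have returned
 */

/* Control flow of the first resolution posted in the thread. */
static int check_first_merge(int has_file, int appraise, int sig_force,
			     int pm_result)
{
	if (!has_file) {
		if (appraise & IMA_APPRAISE_MODULES)
			return sig_force ? 0 : -EACCES;
		return -EACCES;		/* reached whenever MODULES is clear */
	}
	return pm_result;
}

/* Control flow of the linux-integrity/next-upstreamed-patches version. */
static int check_intended(int has_file, int appraise, int sig_force,
			  int pm_result)
{
	if (!has_file) {
		if ((appraise & IMA_APPRAISE_MODULES) &&
		    (appraise & IMA_APPRAISE_ENFORCE)) {
			if (!sig_force)
				return -EACCES;
		}
		return 0;
	}
	return pm_result;
}

struct divergence {
	int stricter;	/* first merge denies, intended version allows */
	int looser;	/* first merge allows, intended version denies */
};

/* Walk every input combination and count where the two versions disagree. */
static struct divergence compare_resolutions(int verbose)
{
	static const int masks[] = {
		0, IMA_APPRAISE_ENFORCE, IMA_APPRAISE_MODULES,
		IMA_APPRAISE_ENFORCE | IMA_APPRAISE_MODULES,
	};
	struct divergence d = { 0, 0 };

	for (int has_file = 0; has_file <= 1; has_file++) {
		for (unsigned int i = 0; i < 4; i++) {
			for (int force = 0; force <= 1; force++) {
				int a = check_first_merge(has_file, masks[i], force, 0);
				int b = check_intended(has_file, masks[i], force, 0);

				if (a == b)
					continue;
				if (a != 0)
					d.stricter++;
				else
					d.looser++;
				if (verbose)
					printf("file=%d appraise=0x%02x sig_force=%d: "
					       "first=%d intended=%d\n",
					       has_file, masks[i], force, a, b);
			}
		}
	}
	return d;
}

int main(void)
{
	struct divergence d = compare_resolutions(1);

	printf("stricter=%d looser=%d\n", d.stricter, d.looser);
	return 0;
}
```

In this model the two versions disagree only when no file is passed, and only in the direction of the first resolution returning -EACCES where the other returns 0.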



linux-next: manual merge of the security tree with Linus' tree

2013-01-20 Thread Stephen Rothwell
Hi James,

Today's linux-next merge of the security tree got a conflict in
security/integrity/ima/ima_main.c between commit a7f2a366f623 ("ima:
fallback to MODULE_SIG_ENFORCE for existing kernel module syscall") from
Linus' tree and commit 750943a30714 ("ima: remove enforce checking
duplication") from the security tree.

I think I fixed it up (see below).

-- 
Cheers,
Stephen Rothwell  s...@canb.auug.org.au

diff --cc security/integrity/ima/ima_main.c
index dba965d,cd00ba3..000
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@@ -291,18 -275,10 +275,18 @@@ EXPORT_SYMBOL_GPL(ima_file_check)
   */
  int ima_module_check(struct file *file)
  {
-   int rc = 0;
- 
 -  if (!file)
 +  if (!file) {
 +  if (ima_appraise & IMA_APPRAISE_MODULES) {
 +#ifndef CONFIG_MODULE_SIG_FORCE
-   rc = -EACCES;   /* INTEGRITY_UNKNOWN */
++  return -EACCES; /* INTEGRITY_UNKNOWN */
++#else
++  return 0;
 +#endif
 +  }
-   } else
-   rc = process_measurement(file, file->f_dentry->d_name.name,
-MAY_EXEC, MODULE_CHECK);
-   return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;
+   return -EACCES; /* INTEGRITY_UNKNOWN */
++  }
+   return process_measurement(file, file->f_dentry->d_name.name,
+  MAY_EXEC, MODULE_CHECK);
  }
  
  static int __init init_ima(void)
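
Review bot: the resolved `if (!file)` branch of ima_module_check() ends in an unconditional `return -EACCES;`, so a call with no file is refused whenever IMA_APPRAISE_MODULES is clear, and IMA_APPRAISE_ENFORCE is no longer consulted anywhere on that path (the only test of it is on a `-` line). The version Mimi Zohar posts in reply returns -EACCES only when both IMA_APPRAISE_MODULES and IMA_APPRAISE_ENFORCE are set and CONFIG_MODULE_SIG_FORCE is not defined, and returns 0 otherwise; the trailing `return -EACCES;` inside the branch should become `return 0;` and the inner condition should test both flags.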




Re: linux-next: manual merge of the security tree with Linus' tree

2012-10-16 Thread Stephen Rothwell
Hi James,

On Wed, 17 Oct 2012 11:41:57 +1100 Stephen Rothwell wrote:
>
> Today's linux-next merge of the security tree got a conflict in
> net/dns_resolver/dns_key.c between commit c6089735e724 ("userns: net:
> Call key_alloc with GLOBAL_ROOT_UID, GLOBAL_ROOT_GID instead of 0, 0")
> from Linus' tree and commit f8aa23a55f81 ("KEYS: Use keyring_alloc() to
> create special keyrings") from the security tree.
> 
> I fixed it up (see below) and can carry the fix as necessary (no action
> is required).
> 
> -- 
> Cheers,
> Stephen Rothwell  s...@canb.auug.org.au
> 
> diff --cc net/dns_resolver/dns_key.c
> index 8aa4b11,b53bb4a..000
> --- a/net/dns_resolver/dns_key.c
> +++ b/net/dns_resolver/dns_key.c
> @@@ -259,11 -259,10 +259,11 @@@ static int __init init_dns_resolver(voi
>   if (!cred)
>   return -ENOMEM;
>   
> - keyring = key_alloc(_type_keyring, ".dns_resolver",
>  -keyring = keyring_alloc(".dns_resolver", 0, 0, cred,
>  -(KEY_POS_ALL & ~KEY_POS_SETATTR) |
>  -KEY_USR_VIEW | KEY_USR_READ,
>  -KEY_ALLOC_NOT_IN_QUOTA, NULL);
> ++keyring = keyring_alloc(".dns_resolver",
>  +GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
>  +(KEY_POS_ALL & ~KEY_POS_SETATTR) |
>  +KEY_USR_VIEW | KEY_USR_READ,
>  +KEY_ALLOC_NOT_IN_QUOTA);
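
Review bot: the security-tree side of this call (the `-keyring = keyring_alloc(".dns_resolver", 0, 0, cred,` line) still passes literal `0, 0` for uid and gid, which the resolution replaces with `GLOBAL_ROOT_UID, GLOBAL_ROOT_GID`. Going by its title, f8aa23a55f81 converts more than one special keyring to keyring_alloc(), so the other call sites it touches should be checked for the same raw `0, 0` before the two trees meet.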

Oops, there should be a ", NULL" before the closing parenthesis above.  I
fixed that in my tree.

-- 
Cheers,
Stephen Rothwell  s...@canb.auug.org.au




linux-next: manual merge of the security tree with Linus' tree

2012-10-16 Thread Stephen Rothwell
Hi James,

Today's linux-next merge of the security tree got a conflict in
net/dns_resolver/dns_key.c between commit c6089735e724 ("userns: net:
Call key_alloc with GLOBAL_ROOT_UID, GLOBAL_ROOT_GID instead of 0, 0")
from Linus' tree and commit f8aa23a55f81 ("KEYS: Use keyring_alloc() to
create special keyrings") from the security tree.

I fixed it up (see below) and can carry the fix as necessary (no action
is required).

-- 
Cheers,
Stephen Rothwell  s...@canb.auug.org.au

diff --cc net/dns_resolver/dns_key.c
index 8aa4b11,b53bb4a..000
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@@ -259,11 -259,10 +259,11 @@@ static int __init init_dns_resolver(voi
if (!cred)
return -ENOMEM;
  
-   keyring = key_alloc(_type_keyring, ".dns_resolver",
 -  keyring = keyring_alloc(".dns_resolver", 0, 0, cred,
 -  (KEY_POS_ALL & ~KEY_POS_SETATTR) |
 -  KEY_USR_VIEW | KEY_USR_READ,
 -  KEY_ALLOC_NOT_IN_QUOTA, NULL);
++  keyring = keyring_alloc(".dns_resolver",
 +  GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
 +  (KEY_POS_ALL & ~KEY_POS_SETATTR) |
 +  KEY_USR_VIEW | KEY_USR_READ,
 +  KEY_ALLOC_NOT_IN_QUOTA);
if (IS_ERR(keyring)) {
ret = PTR_ERR(keyring);
goto failed_put_cred;
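
Review bot: the resolved keyring_alloc() call ends at `KEY_ALLOC_NOT_IN_QUOTA);`, while the security-tree side it replaces ends at `KEY_ALLOC_NOT_IN_QUOTA, NULL);`, so the trailing destination-keyring argument was dropped in the merge. Restore `, NULL` before the closing parenthesis so the call carries the same arguments as the security-tree form.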




linux-next: manual merge of the security tree with Linus' tree

2012-10-16 Thread Stephen Rothwell
Hi James,

Today's linux-next merge of the security tree got a conflict in
security/keys/keyctl.c between commit 9a56c2db49e7 ("userns: Convert
security/keys to the new userns infrastructure") from Linus' tree and
commit 3a50597de863 ("KEYS: Make the session and process keyrings
per-thread") from the security tree.

I fixed it up (see below) and can carry the fix as necessary (no action
is required).

-- 
Cheers,
Stephen Rothwell  s...@canb.auug.org.au

diff --cc security/keys/keyctl.c
index 5d34b4e,6d9d0c7..000
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@@ -1535,9 -1527,9 +1536,9 @@@ long keyctl_session_to_parent(void
goto unlock;
  
/* the keyrings must have the same UID */
-   if ((pcred->tgcred->session_keyring &&
-!uid_eq(pcred->tgcred->session_keyring->uid, mycred->euid)) ||
-   !uid_eq(mycred->tgcred->session_keyring->uid, mycred->euid))
+   if ((pcred->session_keyring &&
 -   pcred->session_keyring->uid != mycred->euid) ||
 -  mycred->session_keyring->uid != mycred->euid)
++   !uid_eq(pcred->session_keyring->uid, mycred->euid)) ||
++  !uid_eq(mycred->session_keyring->uid, mycred->euid))
goto unlock;
  
/* cancel an already pending keyring replacement */
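
Review bot: in the resolved condition `pcred->session_keyring` is tested for NULL before its `->uid` is read, but `mycred->session_keyring->uid` in the last clause is dereferenced with no such test. Both parents have the same shape, so the merge is faithful; still, confirm that code earlier in keyctl_session_to_parent() guarantees the caller has a session keyring at this point, and say so in the "the keyrings must have the same UID" comment.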




linux-next: manual merge of the security tree with Linus' tree

2012-10-16 Thread Stephen Rothwell
Hi James,

Today's linux-next merge of the security tree got conflicts in
security/keys/keyring.c and security/keys/process_keys.c between commit
9a56c2db49e7 ("userns: Convert security/keys to the new userns
infrastructure") from Linus' tree and commit 96b5c8fea6c0 ("KEYS: Reduce
initial permissions on keys") from the security tree.

I fixed it up (see below) and can carry the fix as necessary (no action
is required).

-- 
Cheers,
Stephen Rothwell  s...@canb.auug.org.au

diff --cc security/keys/keyring.c
index 6e42df1,9270ba0..000
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@@ -256,9 -256,9 +256,9 @@@ error
  /*
   * Allocate a keyring and link into the destination keyring.
   */
 -struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
 +struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
- const struct cred *cred, unsigned long flags,
- struct key *dest)
+ const struct cred *cred, key_perm_t perm,
+ unsigned long flags, struct key *dest)
  {
struct key *keyring;
int ret;
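
Review bot: the comment above keyring_alloc() still says only "Allocate a keyring and link into the destination keyring" although the resolved prototype now takes `key_perm_t perm` immediately before `unsigned long flags`. Both are integer bitmasks, so a caller that passes them in the wrong order compiles cleanly; a kernel-doc block naming each parameter in order would make that mistake easier to catch in review.
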
diff --cc security/keys/process_keys.c
index a58f712,b58d938..000
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@@ -45,15 -46,15 +45,17 @@@ int install_user_keyrings(void
struct user_struct *user;
const struct cred *cred;
struct key *uid_keyring, *session_keyring;
+   key_perm_t user_keyring_perm;
char buf[20];
int ret;
 +  uid_t uid;
  
+   user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
cred = current_cred();
user = cred->user;
 +  uid = from_kuid(cred->user_ns, user->uid);
  
 -  kenter("%p{%u}", user, user->uid);
 +  kenter("%p{%u}", user, uid);
  
if (user->uid_keyring) {
kleave(" = 0 [exist]");
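
Review bot: `user_keyring_perm` is set to `(KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL`, which is every user permission, in a change whose title is "KEYS: Reduce initial permissions on keys". A short comment at the assignment stating why the per-user keyrings keep KEY_USR_ALL would save the next reader from treating it as an oversight.
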
@@@ -72,9 -73,9 +74,9 @@@
  
uid_keyring = find_keyring_by_name(buf, true);
if (IS_ERR(uid_keyring)) {
 -  uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
 +  uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
-   cred, KEY_ALLOC_IN_QUOTA,
-   NULL);
+   cred, user_keyring_perm,
+   KEY_ALLOC_IN_QUOTA, NULL);
if (IS_ERR(uid_keyring)) {
ret = PTR_ERR(uid_keyring);
goto error;
@@@ -88,8 -89,9 +90,9 @@@
session_keyring = find_keyring_by_name(buf, true);
if (IS_ERR(session_keyring)) {
session_keyring =
 -  keyring_alloc(buf, user->uid, (gid_t) -1,
 +  keyring_alloc(buf, user->uid, INVALID_GID,
- cred, KEY_ALLOC_IN_QUOTA, NULL);
+ cred, user_keyring_perm,
+ KEY_ALLOC_IN_QUOTA, NULL);
if (IS_ERR(session_keyring)) {
ret = PTR_ERR(session_keyring);
goto error_release;



