28 Jul, 2011
1 commit
-
…s/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (54 commits)
tpm_nsc: Fix bug when loading multiple TPM drivers
tpm: Move tpm_tis_reenable_interrupts out of CONFIG_PNP block
tpm: Fix compilation warning when CONFIG_PNP is not defined
TOMOYO: Update kernel-doc.
tpm: Fix a typo
tpm_tis: Probing function for Intel iTPM bug
tpm_tis: Fix the probing for interrupts
tpm_tis: Delay ACPI S3 suspend while the TPM is busy
tpm_tis: Re-enable interrupts upon (S3) resume
tpm: Fix display of data in pubek sysfs entry
tpm_tis: Add timeouts sysfs entry
tpm: Adjust interface timeouts if they are too small
tpm: Use interface timeouts returned from the TPM
tpm_tis: Introduce durations sysfs entry
tpm: Adjust the durations if they are too small
tpm: Use durations returned from TPM
TOMOYO: Enable conditional ACL.
TOMOYO: Allow using argv[]/envp[] of execve() as conditions.
TOMOYO: Allow using executable's realpath and symlink's target as conditions.
TOMOYO: Allow using owner/group etc. of file objects as conditions.
...

Fix up trivial conflict in security/tomoyo/realpath.c
11 Jul, 2011
1 commit
-
Sync with Linus' tree to be able to apply pending patches that
are based on newer code already present upstream.
09 Jul, 2011
1 commit
-
Since ca5ecddf (rcu: define __rcu address space modifier for sparse)
rcu_dereference_check use rcu_read_lock_held as a part of condition
automatically so callers do not have to do that as well.

Signed-off-by: Michal Hocko
Acked-by: Paul E. McKenney
Signed-off-by: Jiri Kosina
30 Jun, 2011
1 commit
27 Jun, 2011
5 commits
-
The 'encrypted' key type defines its own payload format which contains a
randomly generated symmetric key that cannot be used directly to mount
an eCryptfs filesystem, because it expects an authentication token
structure.

This patch introduces the new format 'ecryptfs' that allows storing an
authentication token structure inside the encrypted key payload containing
a randomly generated symmetric key, the same as for the format 'default'.

More details about the usage of encrypted keys with the eCryptfs
filesystem can be found in the file 'Documentation/keys-ecryptfs.txt'.

Signed-off-by: Roberto Sassu
Acked-by: Gianluca Ramunno
Acked-by: Tyler Hicks
Signed-off-by: Mimi Zohar
-
This patch introduces a new parameter, called 'format', that defines the
format of data stored by encrypted keys. The 'default' format identifies
encrypted keys containing only the symmetric key, while other formats can
be defined to support additional information. The 'format' parameter is
written in the datablob produced by commands 'keyctl print' or
'keyctl pipe' and is integrity protected by the HMAC.

Signed-off-by: Roberto Sassu
Acked-by: Gianluca Ramunno
Acked-by: David Howells
Signed-off-by: Mimi Zohar
-
Some debug messages have been added in the function datablob_parse() in
order to better identify errors returned when dealing with 'encrypted'
keys.

Changelog from version v4:
- made the debug messages more understandable

Signed-off-by: Roberto Sassu
Acked-by: Gianluca Ramunno
Signed-off-by: Mimi Zohar
-
Valid key type prefixes for the parameter 'key-type' are: 'trusted' and
'user'.

Signed-off-by: Roberto Sassu
Acked-by: Gianluca Ramunno
Acked-by: David Howells
Signed-off-by: Mimi Zohar
-
Do not dump the master key if an error is encountered during the request.
Signed-off-by: Roberto Sassu
Acked-by: Gianluca Ramunno
Signed-off-by: Mimi Zohar
22 Jun, 2011
1 commit
-
Fix error handling in construct_key_and_link().
If construct_alloc_key() returns an error, it shouldn't pass out through
the normal path as the key_serial() called by the kleave() statement
will oops when it gets an error code in the pointer:

BUG: unable to handle kernel paging request at ffffffffffffff84
IP: [] request_key_and_link+0x4d7/0x52f
..
Call Trace:
[] request_key+0x41/0x75
[] cifs_get_spnego_key+0x206/0x226 [cifs]
[] CIFS_SessSetup+0x511/0x1234 [cifs]
[] cifs_setup_session+0x90/0x1ae [cifs]
[] cifs_get_smb_ses+0x34b/0x40f [cifs]
[] cifs_mount+0x13f/0x504 [cifs]
[] cifs_do_mount+0xc4/0x672 [cifs]
[] mount_fs+0x69/0x155
[] vfs_kern_mount+0x63/0xa0
[] do_kern_mount+0x4d/0xdf
[] do_mount+0x63c/0x69f
[] sys_mount+0x88/0xc2
[] system_call_fastpath+0x16/0x1b

Signed-off-by: David Howells
Acked-by: Jeff Layton
Signed-off-by: Linus Torvalds
18 Jun, 2011
1 commit
-
____call_usermodehelper() now erases any credentials set by the
subprocess_inf::init() function. The problem is that commit
17f60a7da150 ("capabilites: allow the application of capability limits
to usermode helpers") creates and commits new credentials with
prepare_kernel_cred() after the call to the init() function. This wipes
all keyrings after umh_keys_init() is called.

The best way to deal with this is to put the init() call just prior to
the commit_creds() call, and pass the cred pointer to init(). That
means that umh_keys_init() and suchlike can modify the credentials
_before_ they are published and potentially in use by the rest of the
system.

This prevents request_key() from working as it is prevented from passing
the session keyring it set up with the authorisation token to
/sbin/request-key, and so the latter can't assume the authority to
instantiate the key. This causes the in-kernel DNS resolver to fail
with ENOKEY unconditionally.

Signed-off-by: David Howells
Acked-by: Eric Paris
Tested-by: Jeff Layton
Signed-off-by: Linus Torvalds
14 Jun, 2011
1 commit
-
Don't return EAGAIN to keyctl_assume_authority() to indicate that a key could
not be found (ENOKEY is only returned if a negative key is found). Instead
return ENOKEY in both cases.

Signed-off-by: David Howells
Signed-off-by: James Morris
28 May, 2011
1 commit
-
* 'docs-move' of git://git.kernel.org/pub/scm/linux/kernel/git/rdunlap/linux-docs:
Create Documentation/security/, move LSM-, credentials-, and keys-related files from Documentation/ to Documentation/security/, add Documentation/security/00-INDEX, and update all occurrences of Documentation/ to Documentation/security/.
27 May, 2011
1 commit
-
Since this cred was not created with copy_creds(), it needs to get
initialized. Otherwise use of syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT);
can lead to a NULL deref. Thanks to Robert for finding this.

But introduced by commit 47a150edc2a ("Cache user_ns in struct cred").

Signed-off-by: Serge E. Hallyn
Reported-by: Robert Święcki
Cc: David Howells
Cc: stable@kernel.org (2.6.39)
Signed-off-by: Linus Torvalds
24 May, 2011
1 commit
20 May, 2011
1 commit
-
move LSM-, credentials-, and keys-related files from Documentation/
to Documentation/security/,
add Documentation/security/00-INDEX, and
update all occurrences of Documentation/
to Documentation/security/.
08 May, 2011
1 commit
-
The rcu callback user_update_rcu_disposal() just calls a kfree(),
so we use kfree_rcu() instead of the call_rcu(user_update_rcu_disposal).

Signed-off-by: Lai Jiangshan
Signed-off-by: Paul E. McKenney
Acked-by: David Howells
Reviewed-by: Josh Triplett
17 Mar, 2011
2 commits
-
Make request_key() and co. return an error for a negative or rejected key. If
the key was simply negated, then return ENOKEY, otherwise return the error
with which it was rejected.

Without this patch, the following command returns a key number (with the latest
keyutils):

[root@andromeda ~]# keyctl request2 user debug:foo rejected @s
586569904

Trying to print the key merely gets you a permission denied error:

[root@andromeda ~]# keyctl print 586569904
keyctl_read_alloc: Permission denied

Doing another request_key() call does get you the error, as long as it hasn't
expired yet:

[root@andromeda ~]# keyctl request user debug:foo
request_key: Key was rejected by service

Signed-off-by: David Howells
Signed-off-by: James Morris
-
Improve /proc/keys by:
(1) Don't attempt to summarise the payload of a negated key. It won't have
one. To this end, a helper function - key_is_instantiated() has been
added that allows the caller to find out whether the key is positively
instantiated (as opposed to being uninstantiated or negatively
instantiated).

(2) Do show keys that are negative, expired or revoked rather than hiding
them. This requires an override flag (no_state_check) to be passed to
search_my_process_keyrings() and keyring_search_aux() to suppress this
check.

Without this, keys that are possessed by the caller, but only grant
permissions to the caller if possessed are skipped as the possession check
fails.

Keys that are visible due to user, group or other checks are visible with
or without this patch.

Signed-off-by: David Howells
Signed-off-by: James Morris
08 Mar, 2011
4 commits
-
Add a keyctl op (KEYCTL_INSTANTIATE_IOV) that is like KEYCTL_INSTANTIATE, but
takes an iovec array and concatenates the data in-kernel into one buffer.
Since the KEYCTL_INSTANTIATE copies the data anyway, this isn't too much of a
problem.

Signed-off-by: David Howells
Signed-off-by: James Morris
-
Add a new keyctl op to reject a key with a specified error code. This works
much the same as negating a key, and so keyctl_negate_key() is made a special
case of keyctl_reject_key(). The difference is that keyctl_negate_key()
selects ENOKEY as the error to be reported.

Typically the key would be rejected with EKEYEXPIRED, EKEYREVOKED or
EKEYREJECTED, but this is not mandatory.

Signed-off-by: David Howells
Signed-off-by: James Morris
-
Add a key type operation to permit the key type to vet the description of a new
key that key_alloc() is about to allocate. The operation may reject the
description if it wishes with an error of its choosing. If it does this, the
key will not be allocated.

Signed-off-by: David Howells
Reviewed-by: Mimi Zohar
Signed-off-by: James Morris
-
Add an RCU payload dereference macro as this seems to be a common piece of code
amongst key types that use RCU referenced payloads.

Signed-off-by: David Howells
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
26 Jan, 2011
1 commit
-
Fix __key_link_end()'s attempt to fix up the quota if an error occurs.
There are two erroneous cases: Firstly, we always decrease the quota if
the preallocated replacement keyring needs cleaning up, irrespective of
whether or not we should (we may have replaced a pointer rather than
adding another pointer).

Secondly, we never clean up the quota if we added a pointer without the
keyring storage being extended (we allocate multiple pointers at a time,
even if we're not going to use them all immediately).

We handle this by setting the bottom bit of the preallocation pointer in
__key_link_begin() to indicate that the quota needs fixing up, which is
then passed to __key_link() (which clears the whole thing) and
__key_link_end().

Signed-off-by: David Howells
Signed-off-by: Linus Torvalds
24 Jan, 2011
3 commits
-
One failure path in security/keys/trusted.c::trusted_update() does
not free 'new_p' while the others do. This patch makes sure we also free
it in the remaining path (if datablob_parse() returns different from
Opt_update).

Signed-off-by: Jesper Juhl
Signed-off-by: James Morris
-
Rename encrypted_defined.c and encrypted_defined.h files to encrypted.c and
encrypted.h, respectively. Based on request from David Howells.

Signed-off-by: Mimi Zohar
Acked-by: David Howells
Signed-off-by: James Morris
-
Rename trusted_defined.c and trusted_defined.h files to trusted.c and
trusted.h, respectively. Based on request from David Howells.

Signed-off-by: Mimi Zohar
Acked-by: David Howells
Signed-off-by: James Morris
22 Jan, 2011
2 commits
-
Fix up comments in the key management code. No functional changes.
Signed-off-by: David Howells
Signed-off-by: Linus Torvalds
-
Do a bit of a style clean up in the key management code. No functional
changes.

Done using:

perl -p -i -e 's!^/[*]*/\n!!' security/keys/*.c
perl -p -i -e 's!} /[*] end [a-z0-9_]*[(][)] [*]/\n!}\n!' security/keys/*.c
sed -i -s -e ": next" -e N -e 's/^\n[}]$/}/' -e t -e P -e 's/^.*\n//' -e "b next" security/keys/*.c

To remove /*****/ lines, remove comments on the closing brace of a
function to name the function and remove blank lines before the closing
brace of a function.

Signed-off-by: David Howells
Signed-off-by: Linus Torvalds
19 Jan, 2011
3 commits
-
We can avoid scattering va_end() within the

va_start();
for (;;) {}
va_end();

loop, assuming that crypto_shash_init()/crypto_shash_update() return 0 on
success and negative value otherwise.

Make TSS_authhmac()/TSS_checkhmac1()/TSS_checkhmac2() similar to TSS_rawhmac()
by removing "va_end()/goto" from the loop.

Signed-off-by: Tetsuo Handa
Reviewed-by: Jesper Juhl
Acked-by: Mimi Zohar
Acked-by: David Howells
Signed-off-by: James Morris
-
TSS_rawhmac() checks for data != NULL before using it.
We should do the same thing for TSS_authhmac().

Signed-off-by: Tetsuo Handa
Reviewed-by: Jesper Juhl
Acked-by: Mimi Zohar
Acked-by: David Howells
Signed-off-by: James Morris
-
TSS_rawhmac() forgot to call va_end()/kfree() when data == NULL and
forgot to call va_end() when crypto_shash_update() < 0.
Fix these bugs by escaping from the loop using "break"
(rather than "return"/"goto") in order to make sure that
va_end()/kfree() are always called.

Signed-off-by: Tetsuo Handa
Reviewed-by: Jesper Juhl
Acked-by: Mimi Zohar
Acked-by: David Howells
Signed-off-by: James Morris
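The three commits above all address the same shape of bug in the variadic HMAC helpers: an early `return` or `goto` from inside the `va_start()` ... `va_end()` loop skips the `va_end()`/`kfree()` pair. The following C is an added example and is not kernel code: a toy FNV-style accumulator stands in for `crypto_shash`, and `rawhmac_leaky()` and `rawhmac_fixed()` (both hypothetical names) contrast the early-return shape with the `break`-and-single-exit shape the commits describe. Allocation counters make the leak observable; the sample inputs are constructed.

```c
#include <errno.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for the kernel's crypto_shash state (constructed for this example). */
struct toy_shash { uint32_t acc; };

static int toy_shash_init(struct toy_shash *h) { h->acc = 0x811c9dc5u; return 0; }

/* Returns 0 on success, negative errno on failure, like crypto_shash_update(). */
static int toy_shash_update(struct toy_shash *h, const unsigned char *data, size_t len)
{
	if (data == NULL)
		return -EINVAL;
	for (size_t i = 0; i < len; i++) {
		h->acc ^= data[i];
		h->acc *= 16777619u;
	}
	return 0;
}

/* Reference digest over one contiguous buffer; used as an oracle for the tests. */
uint32_t toy_digest_of(const unsigned char *data, size_t len)
{
	struct toy_shash h;
	toy_shash_init(&h);
	toy_shash_update(&h, data, len);
	return h.acc;
}

/* Allocation bookkeeping so a leak shows up as a non-zero outstanding count. */
static int g_allocs, g_frees;
static struct toy_shash *alloc_toy_shash(void) { struct toy_shash *h = malloc(sizeof(*h)); if (h) g_allocs++; return h; }
static void free_toy_shash(struct toy_shash *h) { free(h); g_frees++; }
int outstanding_allocs(void) { return g_allocs - g_frees; }

/* Buggy shape: 'return' from inside the loop skips va_end() and the free(). */
int rawhmac_leaky(uint32_t *digest, unsigned int count, ...)
{
	struct toy_shash *h = alloc_toy_shash();
	va_list argp;
	int ret;

	if (!h)
		return -ENOMEM;
	ret = toy_shash_init(h);
	va_start(argp, count);
	for (unsigned int i = 0; i < count; i++) {
		size_t len = va_arg(argp, size_t);
		const unsigned char *data = va_arg(argp, const unsigned char *);
		if (data == NULL)
			return -EINVAL;   /* leaks h and never reaches va_end() */
		ret = toy_shash_update(h, data, len);
		if (ret < 0)
			return ret;       /* same leak on update failure */
	}
	va_end(argp);
	*digest = h->acc;
	free_toy_shash(h);
	return ret;
}

/* Fixed shape: every failure 'break's out so the single va_end()/free() pair always runs. */
int rawhmac_fixed(uint32_t *digest, unsigned int count, ...)
{
	struct toy_shash *h = alloc_toy_shash();
	va_list argp;
	int ret;

	if (!h)
		return -ENOMEM;
	ret = toy_shash_init(h);
	va_start(argp, count);
	for (unsigned int i = 0; ret == 0 && i < count; i++) {
		size_t len = va_arg(argp, size_t);
		const unsigned char *data = va_arg(argp, const unsigned char *);
		if (data == NULL) {
			ret = -EINVAL;    /* record the error, but keep the one exit path */
			break;
		}
		ret = toy_shash_update(h, data, len);
	}
	va_end(argp);
	if (ret == 0)
		*digest = h->acc;
	free_toy_shash(h);
	return ret;
}

/* Constructed sample inputs. */
const unsigned char SAMPLE_A[2] = { 'a', 'b' };
const unsigned char SAMPLE_B[2] = { 'c', 'd' };
const unsigned char SAMPLE_AB[4] = { 'a', 'b', 'c', 'd' };

int main(void)
{
	uint32_t d = 0;
	int rc = rawhmac_fixed(&d, 2, (size_t)2, SAMPLE_A, (size_t)2, SAMPLE_B);
	printf("fixed: rc=%d digest=%08x outstanding=%d\n", rc, d, outstanding_allocs());
	rc = rawhmac_leaky(&d, 2, (size_t)2, SAMPLE_A, (size_t)0, (const unsigned char *)NULL);
	printf("leaky on NULL: rc=%d outstanding=%d\n", rc, outstanding_allocs());
	return 0;
}
```

The guard `ret == 0 && i < count` in the fixed loop also covers a failing `toy_shash_init()`: the loop body is skipped entirely, yet `va_end()` and the free still execute once.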
14 Jan, 2011
1 commit
-
Add missing kfree(td) in tpm_seal() before the return, freeing
td on error paths as well.

Reported-by: Dan Carpenter
Signed-off-by: Mimi Zohar
Acked-by: David Safford
Acked-by: David Howells
Signed-off-by: Serge Hallyn
Signed-off-by: James Morris
10 Jan, 2011
1 commit
-
Conflicts:
security/smack/smack_lsm.c

Verified and added fix by Stephen Rothwell
Ok'd by Casey Schaufler

Signed-off-by: James Morris
24 Dec, 2010
1 commit
-
In construct_alloc_key(), up_write() is called in the error path if
__key_link_begin() fails, but this is incorrect as __key_link_begin() only
returns with the nominated keyring locked if it returns successfully.

Without this patch, you might see the following in dmesg:

=====================================
[ BUG: bad unlock balance detected! ]
-------------------------------------
mount.cifs/5769 is trying to release lock (&key->sem) at:
[] request_key_and_link+0x263/0x3fc
but there are no more locks to release!

other info that might help us debug this:
3 locks held by mount.cifs/5769:
#0: (&type->s_umount_key#41/1){+.+.+.}, at: [] sget+0x278/0x3e7
#1: (&ret_buf->session_mutex){+.+.+.}, at: [] cifs_get_smb_ses+0x35a/0x443 [cifs]
#2: (root_key_user.cons_lock){+.+.+.}, at: [] request_key_and_link+0x10a/0x3fc

stack backtrace:
Pid: 5769, comm: mount.cifs Not tainted 2.6.37-rc6+ #1
Call Trace:
[] ? request_key_and_link+0x263/0x3fc
[] print_unlock_inbalance_bug+0xca/0xd5
[] lock_release_non_nested+0xc1/0x263
[] ? request_key_and_link+0x263/0x3fc
[] ? request_key_and_link+0x263/0x3fc
[] lock_release+0x17d/0x1a4
[] up_write+0x23/0x3b
[] request_key_and_link+0x263/0x3fc
[] ? cifs_get_spnego_key+0x61/0x21f [cifs]
[] request_key+0x41/0x74
[] cifs_get_spnego_key+0x200/0x21f [cifs]
[] CIFS_SessSetup+0x55d/0x1273 [cifs]
[] cifs_setup_session+0x90/0x1ae [cifs]
[] cifs_get_smb_ses+0x37f/0x443 [cifs]
[] cifs_mount+0x1aa1/0x23f3 [cifs]
[] ? alloc_debug_processing+0xdb/0x120
[] ? cifs_get_spnego_key+0x1ef/0x21f [cifs]
[] cifs_do_mount+0x165/0x2b3 [cifs]
[] vfs_kern_mount+0xaf/0x1dc
[] do_kern_mount+0x4d/0xef
[] do_mount+0x6f4/0x733
[] sys_mount+0x88/0xc2
[] system_call_fastpath+0x16/0x1b

Reported-by: Jeff Layton
Signed-off-by: David Howells
Reviewed-and-Tested-by: Jeff Layton
Signed-off-by: Linus Torvalds
15 Dec, 2010
4 commits
-
Cleanup based on David Howells suggestions:
- use static const char arrays instead of #define
- rename init_sdesc to alloc_sdesc
- convert 'unsigned int' definitions to 'size_t'
- revert remaining 'const unsigned int' definitions to 'unsigned int'

Signed-off-by: Mimi Zohar
Acked-by: David Howells
Signed-off-by: James Morris
-
Verify the hex ascii datablob length is correct before converting the IV,
encrypted data, and HMAC to binary.

Reported-by: David Howells
Signed-off-by: Mimi Zohar
Acked-by: David Howells
Signed-off-by: James Morris
-
Cleanup based on David Howells suggestions:
- replace kzalloc, where possible, with kmalloc
- revert 'const unsigned int' definitions to 'unsigned int'

Signed-off-by: David Safford
Acked-by: Mimi Zohar
Acked-by: David Howells
Signed-off-by: James Morris
-
Previously not all TSS return codes were tested, as they were all eventually
caught by the TPM. Now all returns are tested and handled immediately.

This patch also fixes memory leaks in error and non-error paths.

Signed-off-by: David Safford
Acked-by: Mimi Zohar
Acked-by: David Howells
Acked-by: Serge E. Hallyn
Signed-off-by: James Morris
30 Nov, 2010
1 commit
-
This patch fixes the linux-next powerpc build errors as reported by
Stephen Rothwell.

Reported-by: Stephen Rothwell
Signed-off-by: Mimi Zohar
Tested-by: Rajiv Andrade
Signed-off-by: James Morris