10 Sep, 2011
5 commits
-
Sparse fix: make selinux_secmark_refcount static.
Signed-off-by: James Morris
-
Sparse fix: make aa_create_aafs static.
Signed-off-by: James Morris
Acked-by: John Johansen -
Sparse fix: move iint_initialized to integrity.h
Signed-off-by: James Morris
-
Fix a typo.
Signed-off-by: Roy.Li
Signed-off-by: James Morris -
In tomoyo_get_mode() since 2.6.36, CONFIG::file::execute was by error used in
place of CONFIG::file if CONFIG::file::execute was set to other than default.
As a result, enforcing mode was not applied in a way documentation says.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
24 Aug, 2011
1 commit
-
Suppress the output in the 'durations' sysfs entry if they were not read
during driver initialization. This is similar to other sysfs entries
that return nothing if for some reason sending the commands to the TPM
fails.Signed-off-by: Stefan Berger
Signed-off-by: James Morris
23 Aug, 2011
9 commits
-
This patch adds CONFIG_KEYS guard for tgcred to fix below build error
if CONFIG_KEYS is not configured.CC kernel/cred.o
kernel/cred.c: In function 'prepare_kernel_cred':
kernel/cred.c:657: error: 'tgcred' undeclared (first use in this function)
kernel/cred.c:657: error: (Each undeclared identifier is reported only once
kernel/cred.c:657: error: for each function it appears in.)
make[1]: *** [kernel/cred.o] Error 1
make: *** [kernel] Error 2Signed-off-by: Axel Lin
Acked-by: David Howells
Signed-off-by: James Morris -
unregister_key_type() has code to mark a key as dead and make it unavailable in
one loop and then destroy all those unavailable key payloads in the next loop.
However, the loop to mark keys dead renders the key undetectable to the second
loop by changing the key type pointer also.Fix this by the following means:
(1) The key code has two garbage collectors: one deletes unreferenced keys and
the other alters keyrings to delete links to old dead, revoked and expired
keys. They can end up holding each other up as both want to scan the key
serial tree under spinlock. Combine these into a single routine.(2) Move the dead key marking, dead link removal and dead key removal into the
garbage collector as a three phase process running over the three cycles
of the normal garbage collection procedure. This is tracked by the
KEY_GC_REAPING_DEAD_1, _2 and _3 state flags.unregister_key_type() then just unlinks the key type from the list, wakes
up the garbage collector and waits for the third phase to complete.(3) Downgrade the key types sem in unregister_key_type() once it has deleted
the key type from the list so that it doesn't block the keyctl() syscall.(4) Dead keys that cannot be simply removed in the third phase have their
payloads destroyed with the key's semaphore write-locked to prevent
interference by the keyctl() syscall. There should be no in-kernel users
of dead keys of that type by the point of unregistration, though keyctl()
may be holding a reference.(5) Only perform timer recalculation in the GC if the timer actually expired.
If it didn't, we'll get another cycle when it goes off - and if the key
that actually triggered it has been removed, it's not a problem.(6) Only garbage collect link if the timer expired or if we're doing dead key
clean up phase 2.(7) As only key_garbage_collector() is permitted to use rb_erase() on the key
serial tree, it doesn't need to revalidate its cursor after dropping the
spinlock as the node the cursor points to must still exist in the tree.(8) Drop the spinlock in the GC if there is contention on it or if we need to
reschedule. After dealing with that, get the spinlock again and resume
scanning.This has been tested in the following ways:
(1) Run the keyutils testsuite against it.
(2) Using the AF_RXRPC and RxKAD modules to test keytype removal:
Load the rxrpc_s key type:
# insmod /tmp/af-rxrpc.ko
# insmod /tmp/rxkad.koCreate a key (http://people.redhat.com/~dhowells/rxrpc/listen.c):
# /tmp/listen &
[1] 8173Find the key:
# grep rxrpc_s /proc/keys
091086e1 I--Q-- 1 perm 39390000 0 0 rxrpc_s 52:2Link it to a session keyring, preferably one with a higher serial number:
# keyctl link 0x20e36251 @s
Kill the process (the key should remain as it's linked to another place):
# fg
/tmp/listen
^CRemove the key type:
rmmod rxkad
rmmod af-rxrpcThis can be made a more effective test by altering the following part of
the patch:if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) {
/* Make sure everyone revalidates their keys if we marked a
* bunch as being dead and make sure all keyring ex-payloads
* are destroyed.
*/
kdebug("dead sync");
synchronize_rcu();To call synchronize_rcu() in GC phase 1 instead. That causes that the
keyring's old payload content to hang around longer until it's RCU
destroyed - which usually happens after GC phase 3 is complete. This
allows the destroy_dead_key branch to be tested.Reported-by: Benjamin Coddington
Signed-off-by: David Howells
Signed-off-by: James Morris -
The dead key link reaper should be non-reentrant as it relies on global state
to keep track of where it's got to when it returns to the work queue manager to
give it some air.Signed-off-by: David Howells
Signed-off-by: James Morris -
Make the key reaper non-reentrant by sticking it on the appropriate system work
queue when we queue it. This will allow it to have global state and drop
locks. It should probably be non-reentrant already as it may spend a long time
holding the key serial spinlock, and so multiple entrants can spend long
periods of time just sitting there spinning, waiting to get the lock.Signed-off-by: David Howells
Signed-off-by: James Morris -
Move the unreferenced key reaper function to the keys garbage collector file
as that's a more appropriate place with the dead key link reaper.Signed-off-by: David Howells
Signed-off-by: James Morris -
Fix prepare_kernel_cred() to provide a new, separate thread_group_cred struct
otherwise when using request_key() ____call_usermodehelper() calls
umh_keys_init() with the new creds pointing to init_tgcred, which
umh_keys_init() then blithely alters.The problem can be demonstrated by:
# keyctl request2 user a debug:a @s
249681132
# grep req /proc/keys
079906a5 I--Q-- 1 perm 1f3f0000 0 0 keyring _req.249681132: 1/4
38ef1626 IR---- 1 expd 0b010000 0 0 .request_ key:ee1d4ec pid:4371 ci:1The keyring _req.XXXX should have gone away, but something (init_tgcred) is
pinning it.That key actually requested can then be removed and a new one created:
# keyctl unlink 249681132
1 links removed
[root@andromeda ~]# grep req /proc/keys
116cecac IR---- 1 expd 0b010000 0 0 .request_ key:eeb4911 pid:4379 ci:1
36d1cbf8 I--Q-- 1 perm 1f3f0000 0 0 keyring _req.250300689: 1/4which causes the old _req keyring to go away and a new one to take its place.
This is a consequence of the changes in:
commit 879669961b11e7f40b518784863a259f735a72bf
Author: David Howells
Date: Fri Jun 17 11:25:59 2011 +0100
KEYS/DNS: Fix ____call_usermodehelper() to not lose the session keyringand:
commit 17f60a7da150fdd0cfb9756f86a262daa72c835f
Author: Eric Paris
Date: Fri Apr 1 17:07:50 2011 -0400
capabilites: allow the application of capability limits to usermode helpersAfter this patch is applied, the _req keyring and the .request_key key are
cleaned up.Signed-off-by: David Howells
cc: Eric Paris
Signed-off-by: James Morris -
__key_link() should use the RCU deref wrapper rcu_dereference_locked_keyring()
for accessing keyring payloads rather than calling rcu_dereference_protected()
directly.Signed-off-by: David Howells
Signed-off-by: James Morris -
The keyctl call:
keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1)
should create a session keyring if the process doesn't have one of its own
because the create flag argument is set - rather than subscribing to and
returning the user-session keyring as:keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)
will do.
This can be tested by commenting out pam_keyinit in the /etc/pam.d files and
running the following program a couple of times in a row:#include
#include
#include
int main(int argc, char *argv[])
{
key_serial_t uk, usk, sk, nsk;
uk = keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);
usk = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
sk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
nsk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1);
printf("keys: %08x %08x %08x %08x\n", uk, usk, sk, nsk);
return 0;
}Without this patch, I see:
keys: 3975ddc7 119c0c66 119c0c66 119c0c66
keys: 3975ddc7 119c0c66 119c0c66 119c0c66With this patch, I see:
keys: 2cb4997b 34112878 34112878 17db2ce3
keys: 2cb4997b 34112878 34112878 39f3c73eAs can be seen, the session keyring starts off the same as the user-session
keyring each time, but with the patch a new session keyring is created when
the create flag is set.Reported-by: Greg Wettstein
Signed-off-by: David Howells
Tested-by: Greg Wettstein
Signed-off-by: James Morris -
If install_session_keyring() is given a keyring, it should install it rather
than just creating a new one anyway. This was accidentally broken in:commit d84f4f992cbd76e8f39c488cf0c5d123843923b1
Author: David Howells
Date: Fri Nov 14 10:39:23 2008 +1100
Subject: CRED: Inaugurate COW credentialsThe impact of that commit is that pam_keyinit no longer works correctly if
'force' isn't specified against a login process. This is because:keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)
now always creates a new session keyring and thus the check whether the session
keyring and the user-session keyring are the same is always false. This leads
pam_keyinit to conclude that a session keyring is installed and it shouldn't be
revoked by pam_keyinit here if 'revoke' is specified.Any system that specifies 'force' against pam_keyinit in the PAM configuration
files for login methods (login, ssh, su -l, kdm, etc.) is not affected since
that bypasses the broken check and forces the creation of a new session keyring
anyway (for which the revoke flag is not cleared) - and any subsequent call to
pam_keyinit really does have a session keyring already installed, and so the
check works correctly there.Reverting to the previous behaviour will cause the kernel to subscribe the
process to the user-session keyring as its session keyring if it doesn't have a
session keyring of its own. pam_keyinit will detect this and install a new
session keyring anyway (and won't clear the revert flag).This can be tested by commenting out pam_keyinit in the /etc/pam.d files and
running the following program a couple of times in a row:#include
#include
#include
int main(int argc, char *argv[])
{
key_serial_t uk, usk, sk;
uk = keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);
usk = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
sk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
printf("keys: %08x %08x %08x\n", uk, usk, sk);
return 0;
}Without the patch, I see:
keys: 3884e281 24c4dfcf 22825f8e
keys: 3884e281 24c4dfcf 068772beWith the patch, I see:
keys: 26be9c83 0e755ce0 0e755ce0
keys: 26be9c83 0e755ce0 0e755ce0As can be seen, with the patch, the session keyring is the same as the
user-session keyring each time; without the patch a new session keyring is
generated each time.Reported-by: Greg Wettstein
Signed-off-by: David Howells
Tested-by: Greg Wettstein
Signed-off-by: James Morris
18 Aug, 2011
2 commits
-
Update the MAINTAINERS file with an entry for EVM.
Reported-by: Randy Dunlap
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris -
Although the EVM encrypted-key should be encrypted/decrypted using a
trusted-key, a user-defined key could be used instead. When using a user-
defined key, a TCG_TPM dependency should not be required. Unfortunately,
the encrypted-key code needs to be refactored a bit in order to remove
this dependency.This patch adds the TCG_TPM dependency.
Reported-by: Stephen Rothwell ,
Randy Dunlap
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
17 Aug, 2011
1 commit
-
daemonize() is only needed when a user-space task does kernel_thread().
tomoyo_gc_thread() is kthread_create()'ed and thus it doesn't need
the soon-to-be-deprecated daemonize().Signed-off-by: Oleg Nesterov
Acked-by: Tejun Heo
Acked-by: Matt Fleming
Signed-off-by: James Morris
16 Aug, 2011
2 commits
-
- Make the previously missing security_old_inode_init_security() stub
function definition static inline.- The stub security_inode_init_security() function previously returned
-EOPNOTSUPP and relied on the callers to change it to 0. The stub
security/security_old_inode_init_security() functions now return 0.Reported-by: Stephen Rothwell
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris -
Initialize has_cap in cap_bprm_set_creds()
Reported-by: Andrew G. Morgan
Signed-off-by: Serge Hallyn
Signed-off-by: James Morris
12 Aug, 2011
2 commits
-
A task (when !SECURE_NOROOT) which executes a setuid-root binary will
obtain root privileges while executing that binary. If the binary also
has effective capabilities set, then only those capabilities will be
granted. The rationale is that the same binary can carry both setuid-root
and the minimal file capability set, so that on a filesystem not
supporting file caps the binary can still be executed with privilege,
while on a filesystem supporting file caps it will run with minimal
privilege.This special case currently does NOT happen if there are file capabilities
but no effective capabilities. Since capability-aware programs can very
well start with empty pE but populated pP and move those caps to pE when
needed. In other words, if the file has file capabilities but NOT
effective capabilities, then we should do the same thing as if there
were file capabilities, and not grant full root privileges.This patchset does that.
(Changelog by Serge Hallyn).
Signed-off-by: Zhi Li
Acked-by: Serge Hallyn
Signed-off-by: James Morris -
Local XATTR_TRUSTED_PREFIX_LEN and XATTR_SECURITY_PREFIX_LEN definitions
redefined ones in 'linux/xattr.h'. This was caused by commit 9d8f13ba3f48
("security: new security_inode_init_security API adds function callback")
including 'linux/xattr.h' in 'linux/security.h'.In file included from include/linux/security.h:39,
from include/net/sock.h:54,
from fs/cifs/cifspdu.h:25,
from fs/cifs/xattr.c:26:This patch removes the local definitions.
Reported-by: Stephen Rothwell
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
11 Aug, 2011
2 commits
-
evm_inode_init_security() should return 0, when EVM is not enabled.
(Returning an error is a remnant of evm_inode_post_init_security.)Signed-off-by: Mimi Zohar
Signed-off-by: James Morris -
- Missing 'inline' on evm_inode_setattr() definition.
Introduced by commit 817b54aa45db ("evm: add evm_inode_setattr to prevent
updating an invalid security.evm").- Missing security_old_inode_init_security() stub function definition.
Caused by commit 9d8f13ba3f48 ("security: new security_inode_init_security
API adds function callback").Reported-by: Stephen Rothwell
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
09 Aug, 2011
2 commits
-
Select trusted and encrypted keys if EVM is selected, to ensure
the requisite symbols are available. Otherwise, these can be
selected as modules while EVM is static, leading to a kernel
build failure.Signed-off-by: James Morris
-
Conflicts:
fs/attr.cResolve conflict manually.
Signed-off-by: James Morris
08 Aug, 2011
9 commits
-
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
sparc: Fix build with DEBUG_PAGEALLOC enabled. -
Commit d006199e72a9 ("serial: sh-sci: Regtype probing doesn't need to be
fatal.") made sci_init_single() return when sci_probe_regmap() succeeds,
although it should return when sci_probe_regmap() fails. This causes
systems using the serial sh-sci driver to crash during boot.Fix the problem by using the right return condition.
Signed-off-by: Rafael J. Wysocki
Signed-off-by: Linus Torvalds -
The generic library code already exports the generic function, this was
left-over from the ARM-specific version that just got removed.Signed-off-by: Linus Torvalds
-
Since commit 1eb19a12bd22 ("lib/sha1: use the git implementation of
SHA-1"), the ARM SHA1 routines no longer work. The reason? They
depended on the larger 320-byte workspace, and now the sha1 workspace is
just 16 words (64 bytes). So the assembly version would overwrite the
stack randomly.The optimized asm version is also probably slower than the new improved
C version, so there's no reason to keep it around. At least that was
the case in git, where what appears to be the same assembly language
version was removed two years ago because the optimized C BLK_SHA1 code
was faster.Reported-and-tested-by: Joachim Eastwood
Cc: Andreas Schwab
Cc: Nicolas Pitre
Signed-off-by: Linus Torvalds -
task->cred is declared as __rcu, and access to other tasks' ->cred is,
indeed, protected. Access to current->cred does not need rcu_dereference()
at all, since only the task itself can change its ->cred. sparse, of
course, has no way of knowing that...Add force-cast in current_cred(), make current_fsuid() et.al. use it.
Signed-off-by: Al Viro
Signed-off-by: Linus Torvalds -
Al points out that the do_follow_link() helper function really is
misnamed - it's about whether we should try to follow a symlink or not,
not about actually doing the following.Signed-off-by: Linus Torvalds
07 Aug, 2011
5 commits
-
After commit 3567866bf261: "RCUify freeing acls, let check_acl() go ahead in
RCU mode if acl is cached" posix_acl_permission is being called with an
unsupported flag and the permission check fails. This patch fixes the issue.Signed-off-by: Ari Savolainen
Signed-off-by: Al Viro -
* 'for-linus' of git://git.open-osd.org/linux-open-osd:
ore: Make ore its own module
exofs: Rename raid engine from exofs/ios.c => ore
exofs: ios: Move to a per inode components & device-table
exofs: Move exofs specific osd operations out of ios.c
exofs: Add offset/length to exofs_get_io_state
exofs: Fix truncate for the raid-groups case
exofs: Small cleanup of exofs_fill_super
exofs: BUG: Avoid sbi realloc
exofs: Remove pnfs-osd private definitions
nfs_xdr: Move nfs4_string definition out of #ifdef CONFIG_NFS_V4 -
The inode structure layout is largely random, and some of the vfs paths
really do care. The path lookup in particular is already quite D$
intensive, and profiles show that accessing the 'inode->i_op->xyz'
fields is quite costly.We already optimized the dcache to not unnecessarily load the d_op
structure for members that are often NULL using the DCACHE_OP_xyz bits
in dentry->d_flags, and this does something very similar for the inode
ops that are used during pathname lookup.It also re-orders the fields so that the fields accessed by 'stat' are
together at the beginning of the inode structure, and roughly in the
order accessed.The effect of this seems to be in the 1-2% range for an empty kernel
"make -j" run (which is fairly kernel-intensive, mostly in filename
lookup), so it's visible. The numbers are fairly noisy, though, and
likely depend a lot on exact microarchitecture. So there's more tuning
to be done.Signed-off-by: Linus Torvalds
-
Gcc tends to generate better code with small integers, including the
DCACHE_xyz flag tests - so move the common ones to be first in the list.
Also just remove the unused DCACHE_INOTIFY_PARENT_WATCHED and
DCACHE_AUTOFS_PENDING values, their users no longer exists in the source
tree.And add a "unlikely()" to the DCACHE_OP_COMPARE test, since we want the
common case to be a nice straight-line fall-through.Signed-off-by: Linus Torvalds
-
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
net: Compute protocol sequence numbers and fragment IDs using MD5.
crypto: Move md5_transform to lib/md5.c
