Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  integrity: digital signature config option name change
  lib: Removed MPILIB, MPILIB_EXTRA, and SIGNATURE prompts
  lib: MPILIB Kconfig description update
  lib: digital signature dependency fix
  lib: digital signature config option name change
  encrypted-keys: fix rcu and sparse messages
  keys: fix trusted/encrypted keys sparse rcu_assign_pointer messages
  KEYS: Add missing smp_rmb() primitives to the keyring search code
  TOMOYO: Accept \000 as a valid character.
  security: update MAINTAINERS file with new git repo
This commit is contained in:
Linus Torvalds 2012-01-17 16:43:39 -08:00
commit a25a2b8409
14 changed files with 50 additions and 36 deletions

View file

@ -5846,7 +5846,7 @@ F: drivers/mmc/host/sdhci-spear.c
SECURITY SUBSYSTEM
M: James Morris <jmorris@namei.org>
L: linux-security-module@vger.kernel.org (suggested Cc:)
T: git git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6.git
T: git git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
W: http://security.wiki.kernel.org/
S: Supported
F: security/

View file

@ -46,7 +46,7 @@ struct signature_hdr {
char mpi[0];
} __packed;
#if defined(CONFIG_DIGSIG) || defined(CONFIG_DIGSIG_MODULE)
#if defined(CONFIG_SIGNATURE) || defined(CONFIG_SIGNATURE_MODULE)
int digsig_verify(struct key *keyring, const char *sig, int siglen,
const char *digest, int digestlen);
@ -59,6 +59,6 @@ static inline int digsig_verify(struct key *keyring, const char *sig,
return -EOPNOTSUPP;
}
#endif /* CONFIG_DIGSIG */
#endif /* CONFIG_SIGNATURE */
#endif /* _DIGSIG_H */

View file

@ -293,6 +293,9 @@ static inline bool key_is_instantiated(const struct key *key)
(rcu_dereference_protected((KEY)->payload.rcudata, \
rwsem_is_locked(&((struct key *)(KEY))->sem)))
#define rcu_assign_keypointer(KEY, PAYLOAD) \
(rcu_assign_pointer((KEY)->payload.rcudata, PAYLOAD))
#ifdef CONFIG_SYSCTL
extern ctl_table key_sysctls[];
#endif

View file

@ -286,25 +286,24 @@ config CORDIC
calculations are in fixed point. Module will be called cordic.
config MPILIB
tristate "Multiprecision maths library"
tristate
help
Multiprecision maths library from GnuPG.
It is used to implement RSA digital signature verification,
which is used by IMA/EVM digital signature extension.
config MPILIB_EXTRA
bool "Multiprecision maths library - additional sources"
bool
depends on MPILIB
help
Multiprecision maths library from GnuPG.
It is used to implement RSA digital signature verification,
which is used by IMA/EVM digital signature extension.
This code in unnecessary for RSA digital signature verification,
and can be compiled if needed.
Additional sources of multiprecision maths library from GnuPG.
This code is unnecessary for RSA digital signature verification,
but can be compiled if needed.
config DIGSIG
tristate "In-kernel signature checker"
depends on KEYS
config SIGNATURE
tristate
depends on KEYS && CRYPTO
select CRYPTO_SHA1
select MPILIB
help
Digital signature verification. Currently only RSA is supported.

View file

@ -119,7 +119,7 @@ obj-$(CONFIG_CORDIC) += cordic.o
obj-$(CONFIG_DQL) += dynamic_queue_limits.o
obj-$(CONFIG_MPILIB) += mpi/
obj-$(CONFIG_DIGSIG) += digsig.o
obj-$(CONFIG_SIGNATURE) += digsig.o
hostprogs-y := gen_crc32table
clean-files := crc32table.h

View file

@ -3,11 +3,11 @@ config INTEGRITY
def_bool y
depends on IMA || EVM
config INTEGRITY_DIGSIG
config INTEGRITY_SIGNATURE
boolean "Digital signature verification using multiple keyrings"
depends on INTEGRITY && KEYS
default n
select DIGSIG
select SIGNATURE
help
This option enables digital signature verification support
using multiple keyrings. It defines separate keyrings for each

View file

@ -3,7 +3,7 @@
#
obj-$(CONFIG_INTEGRITY) += integrity.o
obj-$(CONFIG_INTEGRITY_DIGSIG) += digsig.o
obj-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
integrity-y := iint.o

View file

@ -51,7 +51,7 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
#define INTEGRITY_KEYRING_IMA 2
#define INTEGRITY_KEYRING_MAX 3
#ifdef CONFIG_INTEGRITY_DIGSIG
#ifdef CONFIG_INTEGRITY_SIGNATURE
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen);
@ -65,7 +65,7 @@ static inline int integrity_digsig_verify(const unsigned int id,
return -EOPNOTSUPP;
}
#endif /* CONFIG_INTEGRITY_DIGSIG */
#endif /* CONFIG_INTEGRITY_SIGNATURE */
/* set during initialization */
extern int iint_initialized;

View file

@ -314,7 +314,7 @@ static struct key *request_user_key(const char *master_desc, u8 **master_key,
goto error;
down_read(&ukey->sem);
upayload = rcu_dereference(ukey->payload.data);
upayload = ukey->payload.data;
*master_key = upayload->data;
*master_keylen = upayload->datalen;
error:
@ -810,7 +810,7 @@ static int encrypted_instantiate(struct key *key, const void *data,
goto out;
}
rcu_assign_pointer(key->payload.data, epayload);
rcu_assign_keypointer(key, epayload);
out:
kfree(datablob);
return ret;
@ -874,7 +874,7 @@ static int encrypted_update(struct key *key, const void *data, size_t datalen)
memcpy(new_epayload->payload_data, epayload->payload_data,
epayload->payload_datalen);
rcu_assign_pointer(key->payload.data, new_epayload);
rcu_assign_keypointer(key, new_epayload);
call_rcu(&epayload->rcu, encrypted_rcu_free);
out:
kfree(buf);

View file

@ -18,6 +18,8 @@
#include <linux/module.h>
#include <linux/err.h>
#include <keys/trusted-type.h>
#include <keys/encrypted-type.h>
#include "encrypted.h"
/*
* request_trusted_key - request the trusted key
@ -37,7 +39,7 @@ struct key *request_trusted_key(const char *trusted_desc,
goto error;
down_read(&tkey->sem);
tpayload = rcu_dereference(tkey->payload.data);
tpayload = tkey->payload.data;
*master_key = tpayload->key;
*master_keylen = tpayload->key_len;
error:

View file

@ -145,7 +145,9 @@ static void key_gc_keyring(struct key *keyring, time_t limit)
if (!klist)
goto unlock_dont_gc;
for (loop = klist->nkeys - 1; loop >= 0; loop--) {
loop = klist->nkeys;
smp_rmb();
for (loop--; loop >= 0; loop--) {
key = klist->keys[loop];
if (test_bit(KEY_FLAG_DEAD, &key->flags) ||
(key->expiry > 0 && key->expiry <= limit))

View file

@ -319,7 +319,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
struct key *keyring, *key;
key_ref_t key_ref;
long err;
int sp, kix;
int sp, nkeys, kix;
keyring = key_ref_to_ptr(keyring_ref);
possessed = is_key_possessed(keyring_ref);
@ -380,7 +380,9 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
goto not_this_keyring;
/* iterate through the keys in this keyring first */
for (kix = 0; kix < keylist->nkeys; kix++) {
nkeys = keylist->nkeys;
smp_rmb();
for (kix = 0; kix < nkeys; kix++) {
key = keylist->keys[kix];
kflags = key->flags;
@ -421,7 +423,9 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
/* search through the keyrings nested in this one */
kix = 0;
ascend:
for (; kix < keylist->nkeys; kix++) {
nkeys = keylist->nkeys;
smp_rmb();
for (; kix < nkeys; kix++) {
key = keylist->keys[kix];
if (key->type != &key_type_keyring)
continue;
@ -515,7 +519,7 @@ key_ref_t __keyring_search_one(key_ref_t keyring_ref,
struct keyring_list *klist;
unsigned long possessed;
struct key *keyring, *key;
int loop;
int nkeys, loop;
keyring = key_ref_to_ptr(keyring_ref);
possessed = is_key_possessed(keyring_ref);
@ -524,7 +528,9 @@ key_ref_t __keyring_search_one(key_ref_t keyring_ref,
klist = rcu_dereference(keyring->payload.subscriptions);
if (klist) {
for (loop = 0; loop < klist->nkeys; loop++) {
nkeys = klist->nkeys;
smp_rmb();
for (loop = 0; loop < nkeys ; loop++) {
key = klist->keys[loop];
if (key->type == ktype &&
@ -622,7 +628,7 @@ static int keyring_detect_cycle(struct key *A, struct key *B)
struct keyring_list *keylist;
struct key *subtree, *key;
int sp, kix, ret;
int sp, nkeys, kix, ret;
rcu_read_lock();
@ -645,7 +651,9 @@ static int keyring_detect_cycle(struct key *A, struct key *B)
ascend:
/* iterate through the remaining keys in this keyring */
for (; kix < keylist->nkeys; kix++) {
nkeys = keylist->nkeys;
smp_rmb();
for (; kix < nkeys; kix++) {
key = keylist->keys[kix];
if (key == A)

View file

@ -993,7 +993,7 @@ static int trusted_instantiate(struct key *key, const void *data,
kfree(datablob);
kfree(options);
if (!ret)
rcu_assign_pointer(key->payload.data, payload);
rcu_assign_keypointer(key, payload);
else
kfree(payload);
return ret;
@ -1067,7 +1067,7 @@ static int trusted_update(struct key *key, const void *data, size_t datalen)
goto out;
}
}
rcu_assign_pointer(key->payload.data, new_p);
rcu_assign_keypointer(key, new_p);
call_rcu(&p->rcu, trusted_rcu_free);
out:
kfree(datablob);

View file

@ -492,13 +492,13 @@ static bool tomoyo_correct_word2(const char *string, size_t len)
if (d < '0' || d > '7' || e < '0' || e > '7')
break;
c = tomoyo_make_byte(c, d, e);
if (tomoyo_invalid(c))
continue; /* pattern is not \000 */
if (c <= ' ' || c >= 127)
continue;
}
goto out;
} else if (in_repetition && c == '/') {
goto out;
} else if (tomoyo_invalid(c)) {
} else if (c <= ' ' || c >= 127) {
goto out;
}
}