Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...
authorLinus Torvalds <torvalds@linux-foundation.org>
Sun, 16 Dec 2012 23:40:50 +0000 (15:40 -0800)
committerLinus Torvalds <torvalds@linux-foundation.org>
Sun, 16 Dec 2012 23:40:50 +0000 (15:40 -0800)
Pull security subsystem updates from James Morris:
 "A quiet cycle for the security subsystem with just a few maintenance
  updates."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  Smack: create a sysfs mount point for smackfs
  Smack: use select not depends in Kconfig
  Yama: remove locking from delete path
  Yama: add RCU to drop read locking
  drivers/char/tpm: remove tasklet and cleanup
  KEYS: Use keyring_alloc() to create special keyrings
  KEYS: Reduce initial permissions on keys
  KEYS: Make the session and process keyrings per-thread
  seccomp: Make syscall skipping and nr changes more consistent
  key: Fix resource leak
  keys: Fix unreachable code
  KEYS: Add payload preparsing opportunity prior to key instantiate or update

12 files changed:
1  2 
arch/x86/kernel/vsyscall_64.c
drivers/char/tpm/tpm_ibmvtpm.c
fs/cifs/cifsacl.c
fs/nfs/idmap.c
include/linux/key.h
kernel/cred.c
net/dns_resolver/dns_key.c
security/keys/key.c
security/keys/keyctl.c
security/keys/keyring.c
security/keys/process_keys.c
security/keys/request_key.c

Simple merge
Simple merge
Simple merge
diff --cc fs/nfs/idmap.c
Simple merge
@@@ -263,8 -262,9 +263,9 @@@ extern int key_link(struct key *keyring
  extern int key_unlink(struct key *keyring,
                      struct key *key);
  
 -extern struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
 +extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
                                 const struct cred *cred,
+                                key_perm_t perm,
                                 unsigned long flags,
                                 struct key *dest);
  
diff --cc kernel/cred.c
Simple merge
@@@ -259,11 -259,10 +259,11 @@@ static int __init init_dns_resolver(voi
        if (!cred)
                return -ENOMEM;
  
-       keyring = key_alloc(&key_type_keyring, ".dns_resolver",
-                           GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
-                           (KEY_POS_ALL & ~KEY_POS_SETATTR) |
-                           KEY_USR_VIEW | KEY_USR_READ,
-                           KEY_ALLOC_NOT_IN_QUOTA);
 -      keyring = keyring_alloc(".dns_resolver", 0, 0, cred,
++      keyring = keyring_alloc(".dns_resolver",
++                              GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
+                               (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+                               KEY_USR_VIEW | KEY_USR_READ,
+                               KEY_ALLOC_NOT_IN_QUOTA, NULL);
        if (IS_ERR(keyring)) {
                ret = PTR_ERR(keyring);
                goto failed_put_cred;
Simple merge
@@@ -1535,9 -1527,9 +1536,9 @@@ long keyctl_session_to_parent(void
                goto unlock;
  
        /* the keyrings must have the same UID */
-       if ((pcred->tgcred->session_keyring &&
-            !uid_eq(pcred->tgcred->session_keyring->uid, mycred->euid)) ||
-           !uid_eq(mycred->tgcred->session_keyring->uid, mycred->euid))
+       if ((pcred->session_keyring &&
 -           pcred->session_keyring->uid != mycred->euid) ||
 -          mycred->session_keyring->uid != mycred->euid)
++           !uid_eq(pcred->session_keyring->uid, mycred->euid)) ||
++          !uid_eq(mycred->session_keyring->uid, mycred->euid))
                goto unlock;
  
        /* cancel an already pending keyring replacement */
@@@ -256,9 -256,9 +256,9 @@@ error
  /*
   * Allocate a keyring and link into the destination keyring.
   */
 -struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
 +struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
-                         const struct cred *cred, unsigned long flags,
-                         struct key *dest)
+                         const struct cred *cred, key_perm_t perm,
+                         unsigned long flags, struct key *dest)
  {
        struct key *keyring;
        int ret;
@@@ -45,15 -46,15 +45,17 @@@ int install_user_keyrings(void
        struct user_struct *user;
        const struct cred *cred;
        struct key *uid_keyring, *session_keyring;
+       key_perm_t user_keyring_perm;
        char buf[20];
        int ret;
 +      uid_t uid;
  
+       user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
        cred = current_cred();
        user = cred->user;
 +      uid = from_kuid(cred->user_ns, user->uid);
  
 -      kenter("%p{%u}", user, user->uid);
 +      kenter("%p{%u}", user, uid);
  
        if (user->uid_keyring) {
                kleave(" = 0 [exist]");
@@@ -72,9 -73,9 +74,9 @@@
  
                uid_keyring = find_keyring_by_name(buf, true);
                if (IS_ERR(uid_keyring)) {
 -                      uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
 +                      uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
-                                                   cred, KEY_ALLOC_IN_QUOTA,
-                                                   NULL);
+                                                   cred, user_keyring_perm,
+                                                   KEY_ALLOC_IN_QUOTA, NULL);
                        if (IS_ERR(uid_keyring)) {
                                ret = PTR_ERR(uid_keyring);
                                goto error;
@@@ -88,8 -89,9 +90,9 @@@
                session_keyring = find_keyring_by_name(buf, true);
                if (IS_ERR(session_keyring)) {
                        session_keyring =
 -                              keyring_alloc(buf, user->uid, (gid_t) -1,
 +                              keyring_alloc(buf, user->uid, INVALID_GID,
-                                             cred, KEY_ALLOC_IN_QUOTA, NULL);
+                                             cred, user_keyring_perm,
+                                             KEY_ALLOC_IN_QUOTA, NULL);
                        if (IS_ERR(session_keyring)) {
                                ret = PTR_ERR(session_keyring);
                                goto error_release;
Simple merge