From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun, 16 Dec 2012 23:40:50 +0000 (-0800)
Subject: Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris... 
X-Git-Tag: v3.8-rc1~90
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=2a74dbb9a86e8102dcd07d284135b4530a84826e;p=platform%2Fupstream%2Fkernel-adaptation-pc.git

Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
 "A quiet cycle for the security subsystem with just a few maintenance
  updates."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  Smack: create a sysfs mount point for smackfs
  Smack: use select not depends in Kconfig
  Yama: remove locking from delete path
  Yama: add RCU to drop read locking
  drivers/char/tpm: remove tasklet and cleanup
  KEYS: Use keyring_alloc() to create special keyrings
  KEYS: Reduce initial permissions on keys
  KEYS: Make the session and process keyrings per-thread
  seccomp: Make syscall skipping and nr changes more consistent
  key: Fix resource leak
  keys: Fix unreachable code
  KEYS: Add payload preparsing opportunity prior to key instantiate or update
---

2a74dbb9a86e8102dcd07d284135b4530a84826e
diff --cc include/linux/key.h
index 2393b1c,8906998..4dfde11
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@@ -263,8 -262,9 +263,9 @@@ extern int key_link(struct key *keyring
  extern int key_unlink(struct key *keyring,
  		      struct key *key);
  
 -extern struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
 +extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
  				 const struct cred *cred,
+ 				 key_perm_t perm,
  				 unsigned long flags,
  				 struct key *dest);
  
diff --cc net/dns_resolver/dns_key.c
index 8aa4b11,b53bb4a..0a69d07
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@@ -259,11 -259,10 +259,11 @@@ static int __init init_dns_resolver(voi
  	if (!cred)
  		return -ENOMEM;
  
- 	keyring = key_alloc(&key_type_keyring, ".dns_resolver",
- 			    GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
- 			    (KEY_POS_ALL & ~KEY_POS_SETATTR) |
- 			    KEY_USR_VIEW | KEY_USR_READ,
- 			    KEY_ALLOC_NOT_IN_QUOTA);
 -	keyring = keyring_alloc(".dns_resolver", 0, 0, cred,
++	keyring = keyring_alloc(".dns_resolver",
++				GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
+ 				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ 				KEY_USR_VIEW | KEY_USR_READ,
+ 				KEY_ALLOC_NOT_IN_QUOTA, NULL);
  	if (IS_ERR(keyring)) {
  		ret = PTR_ERR(keyring);
  		goto failed_put_cred;
diff --cc security/keys/keyctl.c
index 5d34b4e,6d9d0c7..4b5c948
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@@ -1535,9 -1527,9 +1536,9 @@@ long keyctl_session_to_parent(void
  		goto unlock;
  
  	/* the keyrings must have the same UID */
- 	if ((pcred->tgcred->session_keyring &&
- 	     !uid_eq(pcred->tgcred->session_keyring->uid, mycred->euid)) ||
- 	    !uid_eq(mycred->tgcred->session_keyring->uid, mycred->euid))
+ 	if ((pcred->session_keyring &&
 -	     pcred->session_keyring->uid != mycred->euid) ||
 -	    mycred->session_keyring->uid != mycred->euid)
++	     !uid_eq(pcred->session_keyring->uid, mycred->euid)) ||
++	    !uid_eq(mycred->session_keyring->uid, mycred->euid))
  		goto unlock;
  
  	/* cancel an already pending keyring replacement */
diff --cc security/keys/keyring.c
index 6e42df1,9270ba0..6ece7f2
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@@ -256,9 -256,9 +256,9 @@@ error
  /*
   * Allocate a keyring and link into the destination keyring.
   */
 -struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
 +struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
- 			  const struct cred *cred, unsigned long flags,
- 			  struct key *dest)
+ 			  const struct cred *cred, key_perm_t perm,
+ 			  unsigned long flags, struct key *dest)
  {
  	struct key *keyring;
  	int ret;
diff --cc security/keys/process_keys.c
index 86468f3,b58d938..58dfe08
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@@ -45,15 -46,15 +45,17 @@@ int install_user_keyrings(void
  	struct user_struct *user;
  	const struct cred *cred;
  	struct key *uid_keyring, *session_keyring;
+ 	key_perm_t user_keyring_perm;
  	char buf[20];
  	int ret;
 +	uid_t uid;
  
+ 	user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
  	cred = current_cred();
  	user = cred->user;
 +	uid = from_kuid(cred->user_ns, user->uid);
  
 -	kenter("%p{%u}", user, user->uid);
 +	kenter("%p{%u}", user, uid);
  
  	if (user->uid_keyring) {
  		kleave(" = 0 [exist]");
@@@ -72,9 -73,9 +74,9 @@@
  
  		uid_keyring = find_keyring_by_name(buf, true);
  		if (IS_ERR(uid_keyring)) {
 -			uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
 +			uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
- 						    cred, KEY_ALLOC_IN_QUOTA,
- 						    NULL);
+ 						    cred, user_keyring_perm,
+ 						    KEY_ALLOC_IN_QUOTA, NULL);
  			if (IS_ERR(uid_keyring)) {
  				ret = PTR_ERR(uid_keyring);
  				goto error;
@@@ -88,8 -89,9 +90,9 @@@
  		session_keyring = find_keyring_by_name(buf, true);
  		if (IS_ERR(session_keyring)) {
  			session_keyring =
 -				keyring_alloc(buf, user->uid, (gid_t) -1,
 +				keyring_alloc(buf, user->uid, INVALID_GID,
- 					      cred, KEY_ALLOC_IN_QUOTA, NULL);
+ 					      cred, user_keyring_perm,
+ 					      KEY_ALLOC_IN_QUOTA, NULL);
  			if (IS_ERR(session_keyring)) {
  				ret = PTR_ERR(session_keyring);
  				goto error_release;