diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2015-06-27 16:26:03 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-06-27 16:26:03 -0400 |
| commit | e22619a29fcdb513b7bc020e84225bb3b5914259 (patch) | |
| tree | 1d1d72a4c8cebad4f2d2bf738395ca4ececa95ec /crypto | |
| parent | 78c10e556ed904d5bfbd71e9cadd8ce8f25d6982 (diff) | |
| parent | b3bddffd35a0b77eee89760eb94cafa18dc431f5 (diff) | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"The main change in this kernel is Casey's generalized LSM stacking
work, which removes the hard-coding of Capabilities and Yama stacking,
allowing multiple arbitrary "small" LSMs to be stacked with a default
monolithic module (e.g. SELinux, Smack, AppArmor).
See
https://lwn.net/Articles/636056/
This will allow smaller, simpler LSMs to be incorporated into the
mainline kernel and arbitrarily stacked by users. Also, this is a
useful cleanup of the LSM code in its own right"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (38 commits)
tpm, tpm_crb: fix le64_to_cpu conversions in crb_acpi_add()
vTPM: set virtual device before passing to ibmvtpm_reset_crq
tpm_ibmvtpm: remove unneccessary message level.
ima: update builtin policies
ima: extend "mask" policy matching support
ima: add support for new "euid" policy condition
ima: fix ima_show_template_data_ascii()
Smack: freeing an error pointer in smk_write_revoke_subj()
selinux: fix setting of security labels on NFS
selinux: Remove unused permission definitions
selinux: enable genfscon labeling for sysfs and pstore files
selinux: enable per-file labeling for debugfs files.
selinux: update netlink socket classes
signals: don't abuse __flush_signals() in selinux_bprm_committed_creds()
selinux: Print 'sclass' as string when unrecognized netlink message occurs
Smack: allow multiple labels in onlycap
Smack: fix seq operations in smackfs
ima: pass iint to ima_add_violation()
ima: wrap event related data to the new ima_event_data structure
integrity: add validity checks for 'path' parameter
...
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/asymmetric_keys/asymmetric_keys.h | 3 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/asymmetric_type.c | 20 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/x509_public_key.c | 23 |
3 files changed, 35 insertions, 11 deletions
diff --git a/crypto/asymmetric_keys/asymmetric_keys.h b/crypto/asymmetric_keys/asymmetric_keys.h index f97330886d58..3f5b537ab33e 100644 --- a/crypto/asymmetric_keys/asymmetric_keys.h +++ b/crypto/asymmetric_keys/asymmetric_keys.h | |||
| @@ -11,6 +11,9 @@ | |||
| 11 | 11 | ||
| 12 | extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id); | 12 | extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id); |
| 13 | 13 | ||
| 14 | extern int __asymmetric_key_hex_to_key_id(const char *id, | ||
| 15 | struct asymmetric_key_id *match_id, | ||
| 16 | size_t hexlen); | ||
| 14 | static inline | 17 | static inline |
| 15 | const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key) | 18 | const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key) |
| 16 | { | 19 | { |
diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index bcbbbd794e1d..b0e4ed23d668 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c +++ b/crypto/asymmetric_keys/asymmetric_type.c | |||
| @@ -104,6 +104,15 @@ static bool asymmetric_match_key_ids( | |||
| 104 | return false; | 104 | return false; |
| 105 | } | 105 | } |
| 106 | 106 | ||
| 107 | /* helper function can be called directly with pre-allocated memory */ | ||
| 108 | inline int __asymmetric_key_hex_to_key_id(const char *id, | ||
| 109 | struct asymmetric_key_id *match_id, | ||
| 110 | size_t hexlen) | ||
| 111 | { | ||
| 112 | match_id->len = hexlen; | ||
| 113 | return hex2bin(match_id->data, id, hexlen); | ||
| 114 | } | ||
| 115 | |||
| 107 | /** | 116 | /** |
| 108 | * asymmetric_key_hex_to_key_id - Convert a hex string into a key ID. | 117 | * asymmetric_key_hex_to_key_id - Convert a hex string into a key ID. |
| 109 | * @id: The ID as a hex string. | 118 | * @id: The ID as a hex string. |
| @@ -111,21 +120,20 @@ static bool asymmetric_match_key_ids( | |||
| 111 | struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id) | 120 | struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id) |
| 112 | { | 121 | { |
| 113 | struct asymmetric_key_id *match_id; | 122 | struct asymmetric_key_id *match_id; |
| 114 | size_t hexlen; | 123 | size_t asciihexlen; |
| 115 | int ret; | 124 | int ret; |
| 116 | 125 | ||
| 117 | if (!*id) | 126 | if (!*id) |
| 118 | return ERR_PTR(-EINVAL); | 127 | return ERR_PTR(-EINVAL); |
| 119 | hexlen = strlen(id); | 128 | asciihexlen = strlen(id); |
| 120 | if (hexlen & 1) | 129 | if (asciihexlen & 1) |
| 121 | return ERR_PTR(-EINVAL); | 130 | return ERR_PTR(-EINVAL); |
| 122 | 131 | ||
| 123 | match_id = kmalloc(sizeof(struct asymmetric_key_id) + hexlen / 2, | 132 | match_id = kmalloc(sizeof(struct asymmetric_key_id) + asciihexlen / 2, |
| 124 | GFP_KERNEL); | 133 | GFP_KERNEL); |
| 125 | if (!match_id) | 134 | if (!match_id) |
| 126 | return ERR_PTR(-ENOMEM); | 135 | return ERR_PTR(-ENOMEM); |
| 127 | match_id->len = hexlen / 2; | 136 | ret = __asymmetric_key_hex_to_key_id(id, match_id, asciihexlen / 2); |
| 128 | ret = hex2bin(match_id->data, id, hexlen / 2); | ||
| 129 | if (ret < 0) { | 137 | if (ret < 0) { |
| 130 | kfree(match_id); | 138 | kfree(match_id); |
| 131 | return ERR_PTR(-EINVAL); | 139 | return ERR_PTR(-EINVAL); |
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index a6c42031628e..24f17e6c5904 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c | |||
| @@ -28,17 +28,30 @@ static bool use_builtin_keys; | |||
| 28 | static struct asymmetric_key_id *ca_keyid; | 28 | static struct asymmetric_key_id *ca_keyid; |
| 29 | 29 | ||
| 30 | #ifndef MODULE | 30 | #ifndef MODULE |
| 31 | static struct { | ||
| 32 | struct asymmetric_key_id id; | ||
| 33 | unsigned char data[10]; | ||
| 34 | } cakey; | ||
| 35 | |||
| 31 | static int __init ca_keys_setup(char *str) | 36 | static int __init ca_keys_setup(char *str) |
| 32 | { | 37 | { |
| 33 | if (!str) /* default system keyring */ | 38 | if (!str) /* default system keyring */ |
| 34 | return 1; | 39 | return 1; |
| 35 | 40 | ||
| 36 | if (strncmp(str, "id:", 3) == 0) { | 41 | if (strncmp(str, "id:", 3) == 0) { |
| 37 | struct asymmetric_key_id *p; | 42 | struct asymmetric_key_id *p = &cakey.id; |
| 38 | p = asymmetric_key_hex_to_key_id(str + 3); | 43 | size_t hexlen = (strlen(str) - 3) / 2; |
| 39 | if (p == ERR_PTR(-EINVAL)) | 44 | int ret; |
| 40 | pr_err("Unparsable hex string in ca_keys\n"); | 45 | |
| 41 | else if (!IS_ERR(p)) | 46 | if (hexlen == 0 || hexlen > sizeof(cakey.data)) { |
| 47 | pr_err("Missing or invalid ca_keys id\n"); | ||
| 48 | return 1; | ||
| 49 | } | ||
| 50 | |||
| 51 | ret = __asymmetric_key_hex_to_key_id(str + 3, p, hexlen); | ||
| 52 | if (ret < 0) | ||
| 53 | pr_err("Unparsable ca_keys id hex string\n"); | ||
| 54 | else | ||
| 42 | ca_keyid = p; /* owner key 'id:xxxxxx' */ | 55 | ca_keyid = p; /* owner key 'id:xxxxxx' */ |
| 43 | } else if (strcmp(str, "builtin") == 0) { | 56 | } else if (strcmp(str, "builtin") == 0) { |
| 44 | use_builtin_keys = true; | 57 | use_builtin_keys = true; |