Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
 "Highlights:

   - PKCS#7 support added to support signed kexec, also utilized for
     module signing.  See comments in 3f1e1bea.

     ** NOTE: this requires linking against the OpenSSL library, which
        must be installed, e.g.  the openssl-devel on Fedora **

   - Smack
      - add IPv6 host labeling; ignore labels on kernel threads
      - support smack labeling mounts which use binary mount data

   - SELinux:
      - add ioctl whitelisting (see
        http://kernsec.org/files/lss2015/vanderstoep.pdf)
      - fix mprotect PROT_EXEC regression caused by mm change

   - Seccomp:
      - add ptrace options for suspend/resume"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (57 commits)
  PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them
  Documentation/Changes: Now need OpenSSL devel packages for module signing
  scripts: add extract-cert and sign-file to .gitignore
  modsign: Handle signing key in source tree
  modsign: Use if_changed rule for extracting cert from module signing key
  Move certificate handling to its own directory
  sign-file: Fix warning about BIO_reset() return value
  PKCS#7: Add MODULE_LICENSE() to test module
  Smack - Fix build error with bringup unconfigured
  sign-file: Document dependency on OpenSSL devel libraries
  PKCS#7: Appropriately restrict authenticated attributes and content type
  KEYS: Add a name for PKEY_ID_PKCS7
  PKCS#7: Improve and export the X.509 ASN.1 time object decoder
  modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
  extract-cert: Cope with multiple X.509 certificates in a single file
  sign-file: Generate CMS message as signature instead of PKCS#7
  PKCS#7: Support CMS messages also [RFC5652]
  X.509: Change recorded SKID & AKID to not include Subject or Issuer
  PKCS#7: Check content type and versions
  MAINTAINERS: The keyrings mailing list has moved
  ...

11 files changed, 75 insertions, 14 deletions

diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
index 691c79172a26..441aff9b5aa7 100644
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -9,6 +9,11 @@
  * 2 of the Licence, or (at your option) any later version.
  */
 
+#ifndef _CRYPTO_PKCS7_H
+#define _CRYPTO_PKCS7_H
+
+#include <crypto/public_key.h>
+
 struct key;
 struct pkcs7_message;
 
@@ -33,4 +38,10 @@ extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
 /*
  * pkcs7_verify.c
  */
-extern int pkcs7_verify(struct pkcs7_message *pkcs7);
+extern int pkcs7_verify(struct pkcs7_message *pkcs7,
+                        enum key_being_used_for usage);
+
+extern int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
+                                      const void *data, size_t datalen);
+
+#endif /* _CRYPTO_PKCS7_H */
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 54add2069901..067c242b1e15 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -33,12 +33,27 @@ extern const struct public_key_algorithm *pkey_algo[PKEY_ALGO__LAST];
 enum pkey_id_type {
         PKEY_ID_PGP,            /* OpenPGP generated key ID */
         PKEY_ID_X509,           /* X.509 arbitrary subjectKeyIdentifier */
+        PKEY_ID_PKCS7,          /* Signature in PKCS#7 message */
         PKEY_ID_TYPE__LAST
 };
 
 extern const char *const pkey_id_type_name[PKEY_ID_TYPE__LAST];
 
 /*
+ * The use to which an asymmetric key is being put.
+ */
+enum key_being_used_for {
+        VERIFYING_MODULE_SIGNATURE,
+        VERIFYING_FIRMWARE_SIGNATURE,
+        VERIFYING_KEXEC_PE_SIGNATURE,
+        VERIFYING_KEY_SIGNATURE,
+        VERIFYING_KEY_SELF_SIGNATURE,
+        VERIFYING_UNSPECIFIED_SIGNATURE,
+        NR__KEY_BEING_USED_FOR
+};
+extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
+
+/*
  * Cryptographic data for the public-key subtype of the asymmetric key type.
  *
  * Note that this may include private part of the key as well as the public
@@ -101,7 +116,8 @@ extern int verify_signature(const struct key *key,
 
 struct asymmetric_key_id;
 extern struct key *x509_request_asymmetric_key(struct key *keyring,
-                                               const struct asymmetric_key_id *kid,
+                                               const struct asymmetric_key_id *id,
+                                               const struct asymmetric_key_id *skid,
                                                bool partial);
 
 #endif /* _LINUX_PUBLIC_KEY_H */
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 72665eb80692..b20cd885c1fd 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -15,6 +15,7 @@
 #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
 
 #include <linux/key.h>
+#include <crypto/public_key.h>
 
 extern struct key *system_trusted_keyring;
 static inline struct key *get_system_trusted_keyring(void)
@@ -28,4 +29,10 @@ static inline struct key *get_system_trusted_keyring(void)
 }
 #endif
 
+#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
+extern int system_verify_data(const void *data, unsigned long len,
+                              const void *raw_pkcs7, size_t pkcs7_len,
+                              enum key_being_used_for usage);
+#endif
+
 #endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/include/linux/asn1_ber_bytecode.h b/include/linux/asn1_ber_bytecode.h
index 945d44ae529c..ab3a6c002f7b 100644
--- a/include/linux/asn1_ber_bytecode.h
+++ b/include/linux/asn1_ber_bytecode.h
@@ -45,23 +45,27 @@ enum asn1_opcode {
         ASN1_OP_MATCH_JUMP              = 0x04,
         ASN1_OP_MATCH_JUMP_OR_SKIP      = 0x05,
         ASN1_OP_MATCH_ANY               = 0x08,
+        ASN1_OP_MATCH_ANY_OR_SKIP       = 0x09,
         ASN1_OP_MATCH_ANY_ACT           = 0x0a,
+        ASN1_OP_MATCH_ANY_ACT_OR_SKIP   = 0x0b,
         /* Everything before here matches unconditionally */
 
         ASN1_OP_COND_MATCH_OR_SKIP      = 0x11,
         ASN1_OP_COND_MATCH_ACT_OR_SKIP  = 0x13,
         ASN1_OP_COND_MATCH_JUMP_OR_SKIP = 0x15,
         ASN1_OP_COND_MATCH_ANY          = 0x18,
+        ASN1_OP_COND_MATCH_ANY_OR_SKIP  = 0x19,
         ASN1_OP_COND_MATCH_ANY_ACT      = 0x1a,
+        ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP = 0x1b,
 
         /* Everything before here will want a tag from the data */
-#define ASN1_OP__MATCHES_TAG ASN1_OP_COND_MATCH_ANY_ACT
+#define ASN1_OP__MATCHES_TAG ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP
 
         /* These are here to help fill up space */
-        ASN1_OP_COND_FAIL               = 0x1b,
-        ASN1_OP_COMPLETE                = 0x1c,
-        ASN1_OP_ACT                     = 0x1d,
-        ASN1_OP_RETURN                  = 0x1e,
+        ASN1_OP_COND_FAIL               = 0x1c,
+        ASN1_OP_COMPLETE                = 0x1d,
+        ASN1_OP_ACT                     = 0x1e,
+        ASN1_OP_MAYBE_ACT               = 0x1f,
 
         /* The following eight have bit 0 -> SET, 1 -> OF, 2 -> ACT */
         ASN1_OP_END_SEQ                 = 0x20,
@@ -76,6 +80,8 @@ enum asn1_opcode {
 #define ASN1_OP_END__OF                   0x02
 #define ASN1_OP_END__ACT                  0x04
 
+        ASN1_OP_RETURN                  = 0x28,
+
         ASN1_OP__NR
 };
 
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 1cc89e9df480..ffb9c9da4f39 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -40,6 +40,11 @@ struct lsm_network_audit {
         } fam;
 };
 
+struct lsm_ioctlop_audit {
+        struct path path;
+        u16 cmd;
+};
+
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
         char type;
@@ -53,6 +58,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_KMOD     8
 #define LSM_AUDIT_DATA_INODE    9
 #define LSM_AUDIT_DATA_DENTRY   10
+#define LSM_AUDIT_DATA_IOCTL_OP 11
         union   {
                 struct path path;
                 struct dentry *dentry;
@@ -68,6 +74,7 @@ struct common_audit_data {
                 } key_struct;
 #endif
                 char *kmod_name;
+                struct lsm_ioctlop_audit *op;
         } u;
         /* this union contains LSM specific data */
         union {
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 9429f054c323..ec3a6bab29de 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1881,8 +1881,10 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
 
 extern int __init security_module_enable(const char *module);
 extern void __init capability_add_hooks(void);
-#ifdef CONFIG_SECURITY_YAMA_STACKED
-void __init yama_add_hooks(void);
+#ifdef CONFIG_SECURITY_YAMA
+extern void __init yama_add_hooks(void);
+#else
+static inline void __init yama_add_hooks(void) { }
 #endif
 
 #endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index c2bbf672b84e..d2fa9ca42e9a 100644
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -41,7 +41,7 @@ enum OID {
         OID_signed_data,                /* 1.2.840.113549.1.7.2 */
         /* PKCS#9 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)} */
         OID_email_address,              /* 1.2.840.113549.1.9.1 */
-        OID_content_type,               /* 1.2.840.113549.1.9.3 */
+        OID_contentType,                /* 1.2.840.113549.1.9.3 */
         OID_messageDigest,              /* 1.2.840.113549.1.9.4 */
         OID_signingTime,                /* 1.2.840.113549.1.9.5 */
         OID_smimeCapabilites,           /* 1.2.840.113549.1.9.15 */
@@ -54,6 +54,8 @@ enum OID {
 
         /* Microsoft Authenticode & Software Publishing */
         OID_msIndirectData,             /* 1.3.6.1.4.1.311.2.1.4 */
+        OID_msStatementType,            /* 1.3.6.1.4.1.311.2.1.11 */
+        OID_msSpOpusInfo,               /* 1.3.6.1.4.1.311.2.1.12 */
         OID_msPeImageDataObjId,         /* 1.3.6.1.4.1.311.2.1.15 */
         OID_msIndividualSPKeyPurpose,   /* 1.3.6.1.4.1.311.2.1.21 */
         OID_msOutlookExpress,           /* 1.3.6.1.4.1.311.16.4 */
@@ -61,6 +63,9 @@ enum OID {
         OID_certAuthInfoAccess,         /* 1.3.6.1.5.5.7.1.1 */
         OID_sha1,                       /* 1.3.14.3.2.26 */
         OID_sha256,                     /* 2.16.840.1.101.3.4.2.1 */
+        OID_sha384,                     /* 2.16.840.1.101.3.4.2.2 */
+        OID_sha512,                     /* 2.16.840.1.101.3.4.2.3 */
+        OID_sha224,                     /* 2.16.840.1.101.3.4.2.4 */
 
         /* Distinguished Name attribute IDs [RFC 2256] */
         OID_commonName,                 /* 2.5.4.3 */
diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
index 987a73a40ef8..061265f92876 100644
--- a/include/linux/ptrace.h
+++ b/include/linux/ptrace.h
@@ -34,6 +34,7 @@
 #define PT_TRACE_SECCOMP        PT_EVENT_FLAG(PTRACE_EVENT_SECCOMP)
 
 #define PT_EXITKILL             (PTRACE_O_EXITKILL << PT_OPT_FLAG_SHIFT)
+#define PT_SUSPEND_SECCOMP      (PTRACE_O_SUSPEND_SECCOMP << PT_OPT_FLAG_SHIFT)
 
 /* single stepping state bits (used on ARM and PA-RISC) */
 #define PT_SINGLESTEP_BIT       31
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
index a19ddacdac30..f4265039a94c 100644
--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -78,7 +78,7 @@ static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
 
 static inline int seccomp_mode(struct seccomp *s)
 {
-        return 0;
+        return SECCOMP_MODE_DISABLED;
 }
 #endif /* CONFIG_SECCOMP */
 
diff --git a/include/linux/verify_pefile.h b/include/linux/verify_pefile.h
index ac34819214f9..da2049b5161c 100644
--- a/include/linux/verify_pefile.h
+++ b/include/linux/verify_pefile.h
@@ -12,7 +12,11 @@
 #ifndef _LINUX_VERIFY_PEFILE_H
 #define _LINUX_VERIFY_PEFILE_H
 
+#include <crypto/public_key.h>
+
 extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
-                                   struct key *trusted_keyring, bool *_trusted);
+                                   struct key *trusted_keyring,
+                                   enum key_being_used_for usage,
+                                   bool *_trusted);
 
 #endif /* _LINUX_VERIFY_PEFILE_H */
diff --git a/include/uapi/linux/ptrace.h b/include/uapi/linux/ptrace.h
index cf1019e15f5b..a7a697986614 100644
--- a/include/uapi/linux/ptrace.h
+++ b/include/uapi/linux/ptrace.h
@@ -89,9 +89,11 @@ struct ptrace_peeksiginfo_args {
 #define PTRACE_O_TRACESECCOMP   (1 << PTRACE_EVENT_SECCOMP)
 
 /* eventless options */
-#define PTRACE_O_EXITKILL       (1 << 20)
+#define PTRACE_O_EXITKILL               (1 << 20)
+#define PTRACE_O_SUSPEND_SECCOMP        (1 << 21)
 
-#define PTRACE_O_MASK           (0x000000ff | PTRACE_O_EXITKILL)
+#define PTRACE_O_MASK           (\
+        0x000000ff | PTRACE_O_EXITKILL | PTRACE_O_SUSPEND_SECCOMP)
 
 #include <asm/ptrace.h>