Merge branch 'fixes-v4.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem fixes from James Morris:

 - keys fixes via David Howells:
      "A collection of fixes for Linux keyrings, mostly thanks to Eric
       Biggers:

        - Fix some PKCS#7 verification issues.

        - Fix handling of unsupported crypto in X.509.

        - Fix too-large allocation in big_key"

 - Seccomp updates via Kees Cook:
      "These are fixes for the get_metadata interface that landed during
       -rc1. While the new selftest is strictly not a bug fix, I think
       it's in the same spirit of avoiding bugs"

 - an IMA build fix from Randy Dunlap

* 'fixes-v4.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  integrity/security: fix digsig.c build error with header file
  KEYS: Use individual pages in big_key for crypto buffers
  X.509: fix NULL dereference when restricting key with unsupported_sig
  X.509: fix BUG_ON() when hash algorithm is unsupported
  PKCS#7: fix direct verification of SignerInfo signature
  PKCS#7: fix certificate blacklisting
  PKCS#7: fix certificate chain verification
  seccomp: add a selftest for get_metadata
  ptrace, seccomp: tweak get_metadata behavior slightly
  seccomp, ptrace: switch get_metadata types to arch independent

1 files changed, 61 insertions, 0 deletions

diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 0b457e8e0f0c..5df609950a66 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -141,6 +141,15 @@ struct seccomp_data {
 #define SECCOMP_FILTER_FLAG_LOG 2
 #endif
 
+#ifndef PTRACE_SECCOMP_GET_METADATA
+#define PTRACE_SECCOMP_GET_METADATA     0x420d
+
+struct seccomp_metadata {
+        __u64 filter_off;       /* Input: which filter */
+        __u64 flags;             /* Output: filter's flags */
+};
+#endif
+
 #ifndef seccomp
 int seccomp(unsigned int op, unsigned int flags, void *args)
 {
@@ -2845,6 +2854,58 @@ TEST(get_action_avail)
         EXPECT_EQ(errno, EOPNOTSUPP);
 }
 
+TEST(get_metadata)
+{
+        pid_t pid;
+        int pipefd[2];
+        char buf;
+        struct seccomp_metadata md;
+
+        ASSERT_EQ(0, pipe(pipefd));
+
+        pid = fork();
+        ASSERT_GE(pid, 0);
+        if (pid == 0) {
+                struct sock_filter filter[] = {
+                        BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+                };
+                struct sock_fprog prog = {
+                        .len = (unsigned short)ARRAY_SIZE(filter),
+                        .filter = filter,
+                };
+
+                /* one with log, one without */
+                ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER,
+                                     SECCOMP_FILTER_FLAG_LOG, &prog));
+                ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog));
+
+                ASSERT_EQ(0, close(pipefd[0]));
+                ASSERT_EQ(1, write(pipefd[1], "1", 1));
+                ASSERT_EQ(0, close(pipefd[1]));
+
+                while (1)
+                        sleep(100);
+        }
+
+        ASSERT_EQ(0, close(pipefd[1]));
+        ASSERT_EQ(1, read(pipefd[0], &buf, 1));
+
+        ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid));
+        ASSERT_EQ(pid, waitpid(pid, NULL, 0));
+
+        md.filter_off = 0;
+        ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md));
+        EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG);
+        EXPECT_EQ(md.filter_off, 0);
+
+        md.filter_off = 1;
+        ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md));
+        EXPECT_EQ(md.flags, 0);
+        EXPECT_EQ(md.filter_off, 1);
+
+        ASSERT_EQ(0, kill(pid, SIGKILL));
+}
+
 /*
  * TODO:
  * - add microbenchmarks