Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris: "Highlights: IMA: - provide ">" and "<" operators for fowner/uid/euid rules KEYS: - add a system blacklist keyring - add KEYCTL_RESTRICT_KEYRING, exposes keyring link restriction functionality to userland via keyctl() LSM: - harden LSM API with __ro_after_init - add prlmit security hook, implement for SELinux - revive security_task_alloc hook TPM: - implement contextual TPM command 'spaces'" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (98 commits) tpm: Fix reference count to main device tpm_tis: convert to using locality callbacks tpm: fix handling of the TPM 2.0 event logs tpm_crb: remove a cruft constant keys: select CONFIG_CRYPTO when selecting DH / KDF apparmor: Make path_max parameter readonly apparmor: fix parameters so that the permission test is bypassed at boot apparmor: fix invalid reference to index variable of iterator line 836 apparmor: use SHASH_DESC_ON_STACK security/apparmor/lsm.c: set debug messages apparmor: fix boolreturn.cocci warnings Smack: Use GFP_KERNEL for smk_netlbl_mls(). smack: fix double free in smack_parse_opts_str() KEYS: add SP800-56A KDF support for DH KEYS: Keyring asymmetric key restrict method with chaining KEYS: Restrict asymmetric key linkage using a specific keychain KEYS: Add a lookup_restriction function for the asymmetric key type KEYS: Add KEYCTL_RESTRICT_KEYRING KEYS: Consistent ordering for __key_link_begin and restrict check KEYS: Add an optional lookup_restriction hook to key_type ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2017-05-03 11:50:52 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2017-05-03 11:50:52 -0400
commit: 0302e28dee643932ee7b3c112ebccdbb9f8ec32c (patch)
tree: 405d4cb3f772ef069ed7f291adc4b74a4e73346e /security/keys/internal.h
parent: 89c9fea3c8034cdb2fd745f551cde0b507fd6893 (diff)
parent: 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 (diff)
1 files changed, 29 insertions, 3 deletions
diff --git a/security/keys/internal.h b/security/keys/internal.h
index a2f4c0abb8d8..c0f8682eba69 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -17,6 +17,8 @@
 #include <linux/key-type.h>
 #include <linux/task_work.h>
 #include <linux/keyctl.h>
+#include <linux/refcount.h>
+#include <linux/compat.h>
 struct iovec;
@@ -53,7 +55,7 @@ struct key_user {
        struct rb_node          node;
        struct mutex            cons_lock;      /* construction initiation lock */
        spinlock_t              lock;
-        atomic_t                usage;          /* for accessing qnkeys & qnbytes */
+        refcount_t              usage;          /* for accessing qnkeys & qnbytes */
        atomic_t                nkeys;          /* number of keys */
        atomic_t                nikeys;         /* number of instantiated keys */
        kuid_t                  uid;
@@ -167,6 +169,8 @@ extern void key_change_session_keyring(struct callback_head *twork);
 extern struct work_struct key_gc_work;
 extern unsigned key_gc_delay;
 extern void keyring_gc(struct key *keyring, time_t limit);
+extern void keyring_restriction_gc(struct key *keyring,
+                                   struct key_type *dead_type);
 extern void key_schedule_gc(time_t gc_at);
 extern void key_schedule_gc_links(void);
 extern void key_gc_keytype(struct key_type *ktype);
@@ -249,6 +253,9 @@ struct iov_iter;
 extern long keyctl_instantiate_key_common(key_serial_t,
                                          struct iov_iter *,
                                          key_serial_t);
+extern long keyctl_restrict_keyring(key_serial_t id,
+                                    const char __user *_type,
+                                    const char __user *_restriction);
 #ifdef CONFIG_PERSISTENT_KEYRINGS
 extern long keyctl_get_persistent(uid_t, key_serial_t);
 extern unsigned persistent_keyring_expiry;
@@ -261,15 +268,34 @@ static inline long keyctl_get_persistent(uid_t uid, key_serial_t destring)
 #ifdef CONFIG_KEY_DH_OPERATIONS
 extern long keyctl_dh_compute(struct keyctl_dh_params __user *, char __user *,
-                              size_t, void __user *);
+                              size_t, struct keyctl_kdf_params __user *);
+extern long __keyctl_dh_compute(struct keyctl_dh_params __user *, char __user *,
+                                size_t, struct keyctl_kdf_params *);
+#ifdef CONFIG_KEYS_COMPAT
+extern long compat_keyctl_dh_compute(struct keyctl_dh_params __user *params,
+                                char __user *buffer, size_t buflen,
+                                struct compat_keyctl_kdf_params __user *kdf);
+#endif
+#define KEYCTL_KDF_MAX_OUTPUT_LEN       1024    /* max length of KDF output */
+#define KEYCTL_KDF_MAX_OI_LEN           64      /* max length of otherinfo */
 #else
 static inline long keyctl_dh_compute(struct keyctl_dh_params __user *params,
                                     char __user *buffer, size_t buflen,
-                                     void __user *reserved)
+                                     struct keyctl_kdf_params __user *kdf)
+{
+        return -EOPNOTSUPP;
+}
+#ifdef CONFIG_KEYS_COMPAT
+static inline long compat_keyctl_dh_compute(
+                                struct keyctl_dh_params __user *params,
+                                char __user *buffer, size_t buflen,
+                                struct keyctl_kdf_params __user *kdf)
 {
        return -EOPNOTSUPP;
 }
 #endif
+#endif
 /*
 * Debugging key validation
author	Linus Torvalds <torvalds@linux-foundation.org>	2017-05-03 11:50:52 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2017-05-03 11:50:52 -0400
commit	0302e28dee643932ee7b3c112ebccdbb9f8ec32c (patch)
tree	405d4cb3f772ef069ed7f291adc4b74a4e73346e /security/keys/internal.h
parent	89c9fea3c8034cdb2fd745f551cde0b507fd6893 (diff)
parent	8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 (diff)