author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-10-12 10:13:55 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-10-12 10:13:55 -0400 |
commit | 5e40d331bd72447197f26525f21711c4a265b6a6 (patch) | |
tree | cfbf5efba46b0c5c5b3c8149395f721eab839945 /security/keys | |
parent | d0ca47575ab3b41bb7f0fe5feec13c6cddb2913a (diff) | |
parent | 594081ee7145cc30a3977cb4e218f81213b63dc5 (diff) |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris.
Mostly ima, selinux, smack and key handling updates.
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (65 commits)
integrity: do zero padding of the key id
KEYS: output last portion of fingerprint in /proc/keys
KEYS: strip 'id:' from ca_keyid
KEYS: use swapped SKID for performing partial matching
KEYS: Restore partial ID matching functionality for asymmetric keys
X.509: If available, use the raw subjKeyId to form the key description
KEYS: handle error code encoded in pointer
selinux: normalize audit log formatting
selinux: cleanup error reporting in selinux_nlmsg_perm()
KEYS: Check hex2bin()'s return when generating an asymmetric key ID
ima: detect violations for mmaped files
ima: fix race condition on ima_rdwr_violation_check and process_measurement
ima: added ima_policy_flag variable
ima: return an error code from ima_add_boot_aggregate()
ima: provide 'ima_appraise=log' kernel option
ima: move keyring initialization to ima_init()
PKCS#7: Handle PKCS#7 messages that contain no X.509 certs
PKCS#7: Better handling of unsupported crypto
KEYS: Overhaul key identification when searching for asymmetric keys
KEYS: Implement binary asymmetric key ID handling
...
Diffstat (limited to 'security/keys')
-rw-r--r-- | security/keys/big_key.c | 2 | ||||
-rw-r--r-- | security/keys/encrypted-keys/encrypted.c | 1 | ||||
-rw-r--r-- | security/keys/internal.h | 21 | ||||
-rw-r--r-- | security/keys/key.c | 2 | ||||
-rw-r--r-- | security/keys/keyctl.c | 2 | ||||
-rw-r--r-- | security/keys/keyring.c | 58 | ||||
-rw-r--r-- | security/keys/proc.c | 8 | ||||
-rw-r--r-- | security/keys/process_keys.c | 13 | ||||
-rw-r--r-- | security/keys/request_key.c | 21 | ||||
-rw-r--r-- | security/keys/request_key_auth.c | 10 | ||||
-rw-r--r-- | security/keys/trusted.c | 1 | ||||
-rw-r--r-- | security/keys/user_defined.c | 14 |
12 files changed, 82 insertions, 71 deletions
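diff --git a/security/keys/big_key.c b/security/keys/big_key.c
index c2f91a0cf889..b6adb94f6d52 100644
--- a/security/keys/big_key.c
+++ b/security/keys/big_key.c
@@ -33,11 +33,9 @@ MODULE_LICENSE("GPL");
  */
 struct key_type key_type_big_key = {
 	.name = "big_key",
-	.def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
 	.preparse = big_key_preparse,
 	.free_preparse = big_key_free_preparse,
 	.instantiate = generic_key_instantiate,
-	.match = user_match,
 	.revoke = big_key_revoke,
 	.destroy = big_key_destroy,
 	.describe = big_key_describe,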
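diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index 5fe443d120af..db9675db1026 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -970,7 +970,6 @@ struct key_type key_type_encrypted = {
 	.name = "encrypted",
 	.instantiate = encrypted_instantiate,
 	.update = encrypted_update,
-	.match = user_match,
 	.destroy = encrypted_destroy,
 	.describe = user_describe,
 	.read = encrypted_read,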
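diff --git a/security/keys/internal.h b/security/keys/internal.h
index 5f20da01fd8d..b8960c4959a5 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -107,20 +107,16 @@ extern int iterate_over_keyring(const struct key *keyring,
 				int (*func)(const struct key *key, void *data),
 				void *data);
 
-typedef int (*key_match_func_t)(const struct key *, const void *);
-
 struct keyring_search_context {
 	struct keyring_index_key index_key;
 	const struct cred *cred;
-	key_match_func_t match;
-	const void *match_data;
+	struct key_match_data match_data;
 	unsigned flags;
-#define KEYRING_SEARCH_LOOKUP_TYPE 0x0001 /* [as type->def_lookup_type] */
-#define KEYRING_SEARCH_NO_STATE_CHECK 0x0002 /* Skip state checks */
-#define KEYRING_SEARCH_DO_STATE_CHECK 0x0004 /* Override NO_STATE_CHECK */
-#define KEYRING_SEARCH_NO_UPDATE_TIME 0x0008 /* Don't update times */
-#define KEYRING_SEARCH_NO_CHECK_PERM 0x0010 /* Don't check permissions */
-#define KEYRING_SEARCH_DETECT_TOO_DEEP 0x0020 /* Give an error on excessive depth */
+#define KEYRING_SEARCH_NO_STATE_CHECK 0x0001 /* Skip state checks */
+#define KEYRING_SEARCH_DO_STATE_CHECK 0x0002 /* Override NO_STATE_CHECK */
+#define KEYRING_SEARCH_NO_UPDATE_TIME 0x0004 /* Don't update times */
+#define KEYRING_SEARCH_NO_CHECK_PERM 0x0008 /* Don't check permissions */
+#define KEYRING_SEARCH_DETECT_TOO_DEEP 0x0010 /* Give an error on excessive depth */
 
 	int (*iterator)(const void *object, void *iterator_data);
 
@@ -131,6 +127,8 @@ struct keyring_search_context {
 	struct timespec now;
 };
 
+extern bool key_default_cmp(const struct key *key,
+			    const struct key_match_data *match_data);
 extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
 				    struct keyring_search_context *ctx);
 
@@ -152,7 +150,8 @@ extern struct key *request_key_and_link(struct key_type *type,
 					struct key *dest_keyring,
 					unsigned long flags);
 
-extern int lookup_user_key_possessed(const struct key *key, const void *target);
+extern bool lookup_user_key_possessed(const struct key *key,
+				      const struct key_match_data *match_data);
 extern key_ref_t lookup_user_key(key_serial_t id, unsigned long flags,
 				 key_perm_t perm);
 #define KEY_LOOKUP_CREATE 0x01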
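Review bot: The new `struct key_match_data match_data;` member of keyring_search_context (new line 113) has no comment on who fills it, while every flag macro beside it is annotated; suggest `/* cmp/raw_data/lookup_type: set by the caller, may be overridden by type->match_preparse() */`. Since search_keyring() and search_nested_keyrings() in keyring.c now dispatch on `match_data.lookup_type` rather than on a flag bit, the comment should also say that `flags` no longer carries the lookup mode, so nobody reintroduces a LOOKUP bit into this renumbered mask. Whether the KEYRING_SEARCH_LOOKUP_* values are still defined as bit flags or as plain enumerators is not visible in this hunk and should be checked where they are declared.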
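diff --git a/security/keys/key.c b/security/keys/key.c
index 6d0cad16f002..e17ba6aefdc0 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -799,7 +799,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
 	}
 
 	key_ref = ERR_PTR(-EINVAL);
-	if (!index_key.type->match || !index_key.type->instantiate ||
+	if (!index_key.type->instantiate ||
 	    (!index_key.description && !index_key.type->preparse))
 		goto error_put_type;
 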
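diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index e26f860e5f2e..eff88a5f5d40 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -37,6 +37,8 @@ static int key_get_type_from_user(char *type,
 		return ret;
 	if (ret == 0 || ret >= len)
 		return -EINVAL;
+	if (type[0] == '.')
+		return -EPERM;
 	type[len - 1] = '\0';
 	return 0;
 }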
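Review bot: The new `type[0] == '.'` check in key_get_type_from_user() carries no comment explaining why a user-supplied type name is refused with -EPERM rather than -EINVAL; suggest `/* A leading '.' marks a key type as kernel-internal; userspace may not name it via add_key()/request_key()/keyctl() */` above line 40. The ordering is sound, since the line above guarantees ret > 0 and so type[0] lies within the copied string. Whether every syscall that accepts a type name goes through this helper is not visible in the hunk; any path that copies the type string separately needs the same guard. key_get_type_from_user() begins outside the hunk.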
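diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 8314a7d2104d..8177010174f7 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -89,7 +89,6 @@ struct key_type key_type_keyring = {
 	.preparse = keyring_preparse,
 	.free_preparse = keyring_free_preparse,
 	.instantiate = keyring_instantiate,
-	.match = user_match,
 	.revoke = keyring_revoke,
 	.destroy = keyring_destroy,
 	.describe = keyring_describe,
@@ -512,6 +511,15 @@ struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
 EXPORT_SYMBOL(keyring_alloc);
 
 /*
+ * By default, we keys found by getting an exact match on their descriptions.
+ */
+bool key_default_cmp(const struct key *key,
+		     const struct key_match_data *match_data)
+{
+	return strcmp(key->description, match_data->raw_data) == 0;
+}
+
+/*
  * Iteration function to consider each key found.
  */
 static int keyring_search_iterator(const void *object, void *iterator_data)
@@ -545,7 +553,7 @@ static int keyring_search_iterator(const void *object, void *iterator_data)
 	}
 
 	/* keys that don't match */
-	if (!ctx->match(key, ctx->match_data)) {
+	if (!ctx->match_data.cmp(key, &ctx->match_data)) {
 		kleave(" = 0 [!match]");
 		return 0;
 	}
@@ -585,8 +593,7 @@ skipped:
  */
 static int search_keyring(struct key *keyring, struct keyring_search_context *ctx)
 {
-	if ((ctx->flags & KEYRING_SEARCH_LOOKUP_TYPE) ==
-	    KEYRING_SEARCH_LOOKUP_DIRECT) {
+	if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_DIRECT) {
 		const void *object;
 
 		object = assoc_array_find(&keyring->keys,
@@ -627,7 +634,7 @@ static bool search_nested_keyrings(struct key *keyring,
 	/* Check to see if this top-level keyring is what we are looking for
 	 * and whether it is valid or not.
 	 */
-	if (ctx->flags & KEYRING_SEARCH_LOOKUP_ITERATE ||
+	if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE ||
 	    keyring_compare_object(keyring, &ctx->index_key)) {
 		ctx->skipped_ret = 2;
 		ctx->flags |= KEYRING_SEARCH_DO_STATE_CHECK;
@@ -885,16 +892,25 @@ key_ref_t keyring_search(key_ref_t keyring,
 		.index_key.type = type,
 		.index_key.description = description,
 		.cred = current_cred(),
-		.match = type->match,
-		.match_data = description,
-		.flags = (type->def_lookup_type |
-			  KEYRING_SEARCH_DO_STATE_CHECK),
+		.match_data.cmp = key_default_cmp,
+		.match_data.raw_data = description,
+		.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
+		.flags = KEYRING_SEARCH_DO_STATE_CHECK,
 	};
+	key_ref_t key;
+	int ret;
 
-	if (!ctx.match)
-		return ERR_PTR(-ENOKEY);
+	if (type->match_preparse) {
+		ret = type->match_preparse(&ctx.match_data);
+		if (ret < 0)
+			return ERR_PTR(ret);
+	}
 
-	return keyring_search_aux(keyring, &ctx);
+	key = keyring_search_aux(keyring, &ctx);
+
+	if (type->match_free)
+		type->match_free(&ctx.match_data);
+	return key;
 }
 EXPORT_SYMBOL(keyring_search);
 
@@ -1014,7 +1030,7 @@ static int keyring_detect_cycle_iterator(const void *object,
 
 	/* We might get a keyring with matching index-key that is nonetheless a
 	 * different keyring. */
-	if (key != ctx->match_data)
+	if (key != ctx->match_data.raw_data)
 		return 0;
 
 	ctx->result = ERR_PTR(-EDEADLK);
@@ -1031,14 +1047,14 @@ static int keyring_detect_cycle_iterator(const void *object,
 static int keyring_detect_cycle(struct key *A, struct key *B)
 {
 	struct keyring_search_context ctx = {
 		.index_key = A->index_key,
-		.match_data = A,
-		.iterator = keyring_detect_cycle_iterator,
-		.flags = (KEYRING_SEARCH_LOOKUP_DIRECT |
-			  KEYRING_SEARCH_NO_STATE_CHECK |
+		.match_data.raw_data = A,
+		.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
+		.iterator = keyring_detect_cycle_iterator,
+		.flags = (KEYRING_SEARCH_NO_STATE_CHECK |
 			  KEYRING_SEARCH_NO_UPDATE_TIME |
 			  KEYRING_SEARCH_NO_CHECK_PERM |
 			  KEYRING_SEARCH_DETECT_TOO_DEEP),
 	};
 
 	rcu_read_lock();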
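Review bot: The header comment on the new key_default_cmp() (new lines 514–515) is missing a word — `* By default, we keys found by getting an exact match on their descriptions.` should read `* By default, keys are found by an exact match on their descriptions.`. Because key_default_cmp() is now the comparator that keyring_search() and request_key_and_link() install unless a type's match_preparse() replaces it, the comment should also state that `match_data->raw_data` must point at a NUL-terminated description string, as strcmp() is applied to it with no NULL check. keyring_detect_cycle() in the last hunk builds a context that never sets `match_data.cmp`; that is safe only because its own iterator compares key pointers and never calls cmp, which deserves a one-line comment such as `/* .cmp left unset: keyring_detect_cycle_iterator() compares key pointers directly */` so a future switch to keyring_search_iterator() does not dereference NULL.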
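diff --git a/security/keys/proc.c b/security/keys/proc.c
index d3f6f2fd21db..972eeb336b81 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -194,10 +194,10 @@ static int proc_keys_show(struct seq_file *m, void *v)
 		.index_key.type = key->type,
 		.index_key.description = key->description,
 		.cred = current_cred(),
-		.match = lookup_user_key_possessed,
-		.match_data = key,
-		.flags = (KEYRING_SEARCH_NO_STATE_CHECK |
-			  KEYRING_SEARCH_LOOKUP_DIRECT),
+		.match_data.cmp = lookup_user_key_possessed,
+		.match_data.raw_data = key,
+		.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
+		.flags = KEYRING_SEARCH_NO_STATE_CHECK,
 	};
 
 	key_ref = make_key_ref(key, 0);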
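diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 0cf8a130a267..bd536cb221e2 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -489,9 +489,10 @@ found:
 /*
  * See if the key we're looking at is the target key.
  */
-int lookup_user_key_possessed(const struct key *key, const void *target)
+bool lookup_user_key_possessed(const struct key *key,
+			       const struct key_match_data *match_data)
 {
-	return key == target;
+	return key == match_data->raw_data;
 }
 
 /*
@@ -516,9 +517,9 @@ key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
 			  key_perm_t perm)
 {
 	struct keyring_search_context ctx = {
-		.match = lookup_user_key_possessed,
-		.flags = (KEYRING_SEARCH_NO_STATE_CHECK |
-			  KEYRING_SEARCH_LOOKUP_DIRECT),
+		.match_data.cmp = lookup_user_key_possessed,
+		.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
+		.flags = KEYRING_SEARCH_NO_STATE_CHECK,
 	};
 	struct request_key_auth *rka;
 	struct key *key;
@@ -673,7 +674,7 @@ try_again:
 	ctx.index_key.type = key->type;
 	ctx.index_key.description = key->description;
 	ctx.index_key.desc_len = strlen(key->description);
-	ctx.match_data = key;
+	ctx.match_data.raw_data = key;
 	kdebug("check possessed");
 	skey_ref = search_process_keyrings(&ctx);
 	kdebug("possessed=%p", skey_ref);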
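diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 26a94f18af94..bb4337c7ae1b 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -513,9 +513,9 @@ struct key *request_key_and_link(struct key_type *type,
 		.index_key.type = type,
 		.index_key.description = description,
 		.cred = current_cred(),
-		.match = type->match,
-		.match_data = description,
-		.flags = KEYRING_SEARCH_LOOKUP_DIRECT,
+		.match_data.cmp = key_default_cmp,
+		.match_data.raw_data = description,
+		.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
 	};
 	struct key *key;
 	key_ref_t key_ref;
@@ -525,6 +525,14 @@ struct key *request_key_and_link(struct key_type *type,
 	       ctx.index_key.type->name, ctx.index_key.description,
 	       callout_info, callout_len, aux, dest_keyring, flags);
 
+	if (type->match_preparse) {
+		ret = type->match_preparse(&ctx.match_data);
+		if (ret < 0) {
+			key = ERR_PTR(ret);
+			goto error;
+		}
+	}
+
 	/* search all the process keyrings for a key */
 	key_ref = search_process_keyrings(&ctx);
 
@@ -537,7 +545,7 @@ struct key *request_key_and_link(struct key_type *type,
 			if (ret < 0) {
 				key_put(key);
 				key = ERR_PTR(ret);
-				goto error;
+				goto error_free;
 			}
 		}
 	} else if (PTR_ERR(key_ref) != -EAGAIN) {
@@ -547,12 +555,15 @@ struct key *request_key_and_link(struct key_type *type,
 	 * should consult userspace if we can */
 	key = ERR_PTR(-ENOKEY);
 	if (!callout_info)
-		goto error;
+		goto error_free;
 
 	key = construct_key_and_link(&ctx, callout_info, callout_len,
 				     aux, dest_keyring, flags);
 	}
 
+error_free:
+	if (type->match_free)
+		type->match_free(&ctx.match_data);
 error:
 	kleave(" = %p", key);
 	return key;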
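Review bot: Every exit between the new match_preparse() call (new line 529) and the `error_free:` label must now pass through match_free(), and the two `goto error` sites visible in these hunks were converted, but the code between the hunks is not shown; any `goto error` remaining in that stretch would leak whatever match_preparse() set up. A comment above the call would make the pairing explicit: `/* match_preparse() may override cmp/lookup_type; paired with match_free() at error_free, so every later failure must use goto error_free */`. It is also worth noting in that comment that the hook runs before the process keyrings are searched and before any callout to userspace, so a preparse failure surfaces to the caller as the type's own error code rather than -ENOKEY. request_key_and_link() begins outside these hunks.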
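diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 842e6f410d50..6639e2cb8853 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -44,12 +44,12 @@ struct key_type key_type_request_key_auth = {
 	.read = request_key_auth_read,
 };
 
-int request_key_auth_preparse(struct key_preparsed_payload *prep)
+static int request_key_auth_preparse(struct key_preparsed_payload *prep)
 {
 	return 0;
 }
 
-void request_key_auth_free_preparse(struct key_preparsed_payload *prep)
+static void request_key_auth_free_preparse(struct key_preparsed_payload *prep)
 {
 }
 
@@ -246,9 +246,9 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id)
 		.index_key.type = &key_type_request_key_auth,
 		.index_key.description = description,
 		.cred = current_cred(),
-		.match = user_match,
-		.match_data = description,
-		.flags = KEYRING_SEARCH_LOOKUP_DIRECT,
+		.match_data.cmp = key_default_cmp,
+		.match_data.raw_data = description,
+		.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
 	};
 	struct key *authkey;
 	key_ref_t authkey_ref;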
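diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 6b804aa4529a..c0594cb07ada 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -1096,7 +1096,6 @@ struct key_type key_type_trusted = {
 	.name = "trusted",
 	.instantiate = trusted_instantiate,
 	.update = trusted_update,
-	.match = user_match,
 	.destroy = trusted_destroy,
 	.describe = user_describe,
 	.read = trusted_read,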
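diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index eee340011f2b..36b47bbd3d8c 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -26,12 +26,10 @@ static int logon_vet_description(const char *desc);
  */
 struct key_type key_type_user = {
 	.name = "user",
-	.def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
 	.preparse = user_preparse,
 	.free_preparse = user_free_preparse,
 	.instantiate = generic_key_instantiate,
 	.update = user_update,
-	.match = user_match,
 	.revoke = user_revoke,
 	.destroy = user_destroy,
 	.describe = user_describe,
@@ -48,12 +46,10 @@ EXPORT_SYMBOL_GPL(key_type_user);
  */
 struct key_type key_type_logon = {
 	.name = "logon",
-	.def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
 	.preparse = user_preparse,
 	.free_preparse = user_free_preparse,
 	.instantiate = generic_key_instantiate,
 	.update = user_update,
-	.match = user_match,
 	.revoke = user_revoke,
 	.destroy = user_destroy,
 	.describe = user_describe,
@@ -139,16 +135,6 @@ error:
 EXPORT_SYMBOL_GPL(user_update);
 
 /*
- * match users on their name
- */
-int user_match(const struct key *key, const void *description)
-{
-	return strcmp(key->description, description) == 0;
-}
-
-EXPORT_SYMBOL_GPL(user_match);
-
-/*
  * dispose of the links from a revoked keyring
  * - called with the key sem write-locked
  */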