5 files changed, 20 insertions, 40 deletions

diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt
index 821c936e1a63..c9e7f4f223a5 100644
--- a/Documentation/security/keys.txt
+++ b/Documentation/security/keys.txt
@@ -323,8 +323,6 @@ about the status of the key service:
         U       Under construction by callback to userspace
         N       Negative key
 
-     This file must be enabled at kernel configuration time as it allows anyone
-     to list the keys database.
 
  (*) /proc/key-users
 
diff --git a/kernel/Makefile b/kernel/Makefile
index a59481a3fa6c..23e17a7e7a63 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -142,7 +142,7 @@ endif
 kernel/system_certificates.o: $(obj)/x509_certificate_list
 
 quiet_cmd_x509certs  = CERTS   $@
-      cmd_x509certs  = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; echo "  - Including cert $(X509)")
+      cmd_x509certs  = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; $(kecho) "  - Including cert $(X509)")
 
 targets += $(obj)/x509_certificate_list
 $(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
diff --git a/scripts/asn1_compiler.c b/scripts/asn1_compiler.c
index 91c4117637ae..7750e9c31483 100644
--- a/scripts/asn1_compiler.c
+++ b/scripts/asn1_compiler.c
@@ -311,6 +311,9 @@ struct token {
 
 static struct token *token_list;
 static unsigned nr_tokens;
+static _Bool verbose;
+
+#define debug(fmt, ...) do { if (verbose) printf(fmt, ## __VA_ARGS__); } while (0)
 
 static int directive_compare(const void *_key, const void *_pdir)
 {
@@ -322,21 +325,21 @@ static int directive_compare(const void *_key, const void *_pdir)
         dlen = strlen(dir);
         clen = (dlen < token->size) ? dlen : token->size;
 
-        //printf("cmp(%*.*s,%s) = ",
+        //debug("cmp(%*.*s,%s) = ",
         //       (int)token->size, (int)token->size, token->value,
         //       dir);
 
         val = memcmp(token->value, dir, clen);
         if (val != 0) {
-                //printf("%d [cmp]\n", val);
+                //debug("%d [cmp]\n", val);
                 return val;
         }
 
         if (dlen == token->size) {
-                //printf("0\n");
+                //debug("0\n");
                 return 0;
         }
-        //printf("%d\n", (int)dlen - (int)token->size);
+        //debug("%d\n", (int)dlen - (int)token->size);
         return dlen - token->size; /* shorter -> negative */
 }
 
@@ -515,13 +518,13 @@ static void tokenise(char *buffer, char *end)
         }
 
         nr_tokens = tix;
-        printf("Extracted %u tokens\n", nr_tokens);
+        debug("Extracted %u tokens\n", nr_tokens);
 
 #if 0
         {
                 int n;
                 for (n = 0; n < nr_tokens; n++)
-                        printf("Token %3u: '%*.*s'\n",
+                        debug("Token %3u: '%*.*s'\n",
                                n,
                                (int)token_list[n].size, (int)token_list[n].size,
                                token_list[n].value);
@@ -542,6 +545,7 @@ int main(int argc, char **argv)
         ssize_t readlen;
         FILE *out, *hdr;
         char *buffer, *p;
+        char *kbuild_verbose;
         int fd;
 
         if (argc != 4) {
@@ -550,6 +554,10 @@ int main(int argc, char **argv)
                 exit(2);
         }
 
+        kbuild_verbose = getenv("KBUILD_VERBOSE");
+        if (kbuild_verbose)
+                verbose = atoi(kbuild_verbose);
+
         filename = argv[1];
         outputname = argv[2];
         headername = argv[3];
@@ -748,11 +756,11 @@ static void build_type_list(void)
 
         qsort(type_index, nr, sizeof(type_index[0]), type_index_compare);
 
-        printf("Extracted %u types\n", nr_types);
+        debug("Extracted %u types\n", nr_types);
 #if 0
         for (n = 0; n < nr_types; n++) {
                 struct type *type = type_index[n];
-                printf("- %*.*s\n",
+                debug("- %*.*s\n",
                        (int)type->name->size,
                        (int)type->name->size,
                        type->name->value);
@@ -793,7 +801,7 @@ static void parse(void)
 
         } while (type++, !(type->flags & TYPE_STOP_MARKER));
 
-        printf("Extracted %u actions\n", nr_actions);
+        debug("Extracted %u actions\n", nr_actions);
 }
 
 static struct element *element_list;
@@ -1284,7 +1292,7 @@ static void render(FILE *out, FILE *hdr)
         }
 
         /* We do two passes - the first one calculates all the offsets */
-        printf("Pass 1\n");
+        debug("Pass 1\n");
         nr_entries = 0;
         root = &type_list[0];
         render_element(NULL, root->element, NULL);
@@ -1295,7 +1303,7 @@ static void render(FILE *out, FILE *hdr)
                 e->flags &= ~ELEMENT_RENDERED;
 
         /* And then we actually render */
-        printf("Pass 2\n");
+        debug("Pass 2\n");
         fprintf(out, "\n");
         fprintf(out, "static const unsigned char %s_machine[] = {\n",
                 grammar_name);
diff --git a/security/keys/Kconfig b/security/keys/Kconfig
index a4f3f8c48d6e..72483b8f1be5 100644
--- a/security/keys/Kconfig
+++ b/security/keys/Kconfig
@@ -80,21 +80,3 @@ config ENCRYPTED_KEYS
           Userspace only ever sees/stores encrypted blobs.
 
           If you are unsure as to whether this is required, answer N.
-
-config KEYS_DEBUG_PROC_KEYS
-        bool "Enable the /proc/keys file by which keys may be viewed"
-        depends on KEYS
-        help
-          This option turns on support for the /proc/keys file - through which
-          can be listed all the keys on the system that are viewable by the
-          reading process.
-
-          The only keys included in the list are those that grant View
-          permission to the reading process whether or not it possesses them.
-          Note that LSM security checks are still performed, and may further
-          filter out keys that the current process is not authorised to view.
-
-          Only key attributes are listed here; key payloads are not included in
-          the resulting table.
-
-          If you are unsure as to whether this is required, answer N.
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 972eeb336b81..f0611a6368cd 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -18,7 +18,6 @@
 #include <asm/errno.h>
 #include "internal.h"
 
-#ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
 static int proc_keys_open(struct inode *inode, struct file *file);
 static void *proc_keys_start(struct seq_file *p, loff_t *_pos);
 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos);
@@ -38,7 +37,6 @@ static const struct file_operations proc_keys_fops = {
         .llseek         = seq_lseek,
         .release        = seq_release,
 };
-#endif
 
 static int proc_key_users_open(struct inode *inode, struct file *file);
 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos);
@@ -67,11 +65,9 @@ static int __init key_proc_init(void)
 {
         struct proc_dir_entry *p;
 
-#ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
         p = proc_create("keys", 0, NULL, &proc_keys_fops);
         if (!p)
                 panic("Cannot create /proc/keys\n");
-#endif
 
         p = proc_create("key-users", 0, NULL, &proc_key_users_fops);
         if (!p)
@@ -86,8 +82,6 @@ __initcall(key_proc_init);
  * Implement "/proc/keys" to provide a list of the keys on the system that
  * grant View permission to the caller.
  */
-#ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
-
 static struct rb_node *key_serial_next(struct seq_file *p, struct rb_node *n)
 {
         struct user_namespace *user_ns = seq_user_ns(p);
@@ -275,8 +269,6 @@ static int proc_keys_show(struct seq_file *m, void *v)
         return 0;
 }
 
-#endif /* CONFIG_KEYS_DEBUG_PROC_KEYS */
-
 static struct rb_node *__key_user_next(struct user_namespace *user_ns, struct rb_node *n)
 {
         while (n) {