)]}' { "log": [ { "commit": "8aec0f5d4137532de14e6554fd5dd201ff3a3c49", "tree": "314f28e5ad96423c6983aec9270462d76c0bb343", "parents": [ "c39ac49f23424086b43aceeace243f7a8bcc3ad8" ], "author": { "name": "Mathieu Desnoyers", "email": "mathieu.desnoyers@efficios.com", "time": "Mon Feb 25 10:20:36 2013 -0500" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Mar 12 11:05:45 2013 -0700" }, "message": "Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys\n\nLooking at mm/process_vm_access.c:process_vm_rw() and comparing it to\ncompat_process_vm_rw() shows that the compatibility code requires an\nexplicit \"access_ok()\" check before calling\ncompat_rw_copy_check_uvector(). The same difference seems to appear when\nwe compare fs/read_write.c:do_readv_writev() to\nfs/compat.c:compat_do_readv_writev().\n\nThis subtle difference between the compat and non-compat requirements\nshould probably be debated, as it seems to be error-prone. In fact,\nthere are two others sites that use this function in the Linux kernel,\nand they both seem to get it wrong:\n\nNow shifting our attention to fs/aio.c, we see that aio_setup_iocb()\nalso ends up calling compat_rw_copy_check_uvector() through\naio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to\nbe missing. Same situation for\nsecurity/keys/compat.c:compat_keyctl_instantiate_key_iov().\n\nI propose that we add the access_ok() check directly into\ncompat_rw_copy_check_uvector(), so callers don\u0027t have to worry about it,\nand it therefore makes the compat call code similar to its non-compat\ncounterpart. Place the access_ok() check in the same location where\ncopy_from_user() can trigger a -EFAULT error in the non-compat code, so\nthe ABI behaviors are alike on both compat and non-compat.\n\nWhile we are here, fix compat_do_readv_writev() so it checks for\ncompat_rw_copy_check_uvector() negative return values.\n\nAnd also, fix a memory leak in compat_keyctl_instantiate_key_iov() error\nhandling.\n\nAcked-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nAcked-by: Al Viro \u003cviro@ZenIV.linux.org.uk\u003e\nSigned-off-by: Mathieu Desnoyers \u003cmathieu.desnoyers@efficios.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "0da9dfdd2cd9889201bc6f6f43580c99165cd087", "tree": "960a37da7bc3e35d9c598eff7b829ab5959e7027", "parents": [ "7c6baa304b841673d3a55ea4fcf9a5cbf7a1674b" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Mar 12 16:44:31 2013 +1100" }, "committer": { "name": "James Morris", "email": "james.l.morris@oracle.com", "time": "Tue Mar 12 16:44:31 2013 +1100" }, "message": "keys: fix race with concurrent install_user_keyrings()\n\nThis fixes CVE-2013-1792.\n\nThere is a race in install_user_keyrings() that can cause a NULL pointer\ndereference when called concurrently for the same user if the uid and\nuid-session keyrings are not yet created. It might be possible for an\nunprivileged user to trigger this by calling keyctl() from userspace in\nparallel immediately after logging in.\n\nAssume that we have two threads both executing lookup_user_key(), both\nlooking for KEY_SPEC_USER_SESSION_KEYRING.\n\n\tTHREAD A\t\t\tTHREAD B\n\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\t\t\t\t\t\u003d\u003d\u003ecall install_user_keyrings();\n\tif (!cred-\u003euser-\u003esession_keyring)\n\t\u003d\u003d\u003ecall install_user_keyrings()\n\t\t\t\t\t...\n\t\t\t\t\tuser-\u003euid_keyring \u003d uid_keyring;\n\tif (user-\u003euid_keyring)\n\t\treturn 0;\n\t\u003c\u003d\u003d\n\tkey \u003d cred-\u003euser-\u003esession_keyring [\u003d\u003d NULL]\n\t\t\t\t\tuser-\u003esession_keyring \u003d session_keyring;\n\tatomic_inc(\u0026key-\u003eusage); [oops]\n\nAt the point thread A dereferences cred-\u003euser-\u003esession_keyring, thread B\nhasn\u0027t updated user-\u003esession_keyring yet, but thread A assumes it is\npopulated because install_user_keyrings() returned ok.\n\nThe race window is really small but can be exploited if, for example,\nthread B is interrupted or preempted after initializing uid_keyring, but\nbefore doing setting session_keyring.\n\nThis couldn\u0027t be reproduced on a stock kernel. However, after placing\nsystemtap probe on \u0027user-\u003esession_keyring \u003d session_keyring;\u0027 that\nintroduced some delay, the kernel could be crashed reliably.\n\nFix this by checking both pointers before deciding whether to return.\nAlternatively, the test could be done away with entirely as it is checked\ninside the mutex - but since the mutex is global, that may not be the best\nway.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReported-by: Mateusz Guzik \u003cmguzik@redhat.com\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n" }, { "commit": "ba0e3427b03c3d1550239779eca5c1c5a53a2152", "tree": "bf73e476924c5a52249e99ce5f4c30978b581800", "parents": [ "6dbe51c251a327e012439c4772097a13df43c5b8" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Sat Mar 02 19:14:03 2013 -0800" }, "committer": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Sun Mar 03 19:35:38 2013 -0800" }, "message": "userns: Stop oopsing in key_change_session_keyring\n\nDave Jones \u003cdavej@redhat.com\u003e writes:\n\u003e Just hit this on Linus\u0027 current tree.\n\u003e\n\u003e [ 89.621770] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c8\n\u003e [ 89.623111] IP: [\u003cffffffff810784b0\u003e] commit_creds+0x250/0x2f0\n\u003e [ 89.624062] PGD 122bfd067 PUD 122bfe067 PMD 0\n\u003e [ 89.624901] Oops: 0000 [#1] PREEMPT SMP\n\u003e [ 89.625678] Modules linked in: caif_socket caif netrom bridge hidp 8021q garp stp mrp rose llc2 af_rxrpc phonet af_key binfmt_misc bnep l2tp_ppp can_bcm l2tp_core pppoe pppox can_raw scsi_transport_iscsi ppp_generic slhc nfnetlink can ipt_ULOG ax25 decnet irda nfc rds x25 crc_ccitt appletalk atm ipx p8023 psnap p8022 llc lockd sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables btusb bluetooth snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_pcm vhost_net snd_page_alloc snd_timer tun macvtap usb_debug snd rfkill microcode macvlan edac_core pcspkr serio_raw kvm_amd soundcore kvm r8169 mii\n\u003e [ 89.637846] CPU 2\n\u003e [ 89.638175] Pid: 782, comm: trinity-main Not tainted 3.8.0+ #63 Gigabyte Technology Co., Ltd. GA-MA78GM-S2H/GA-MA78GM-S2H\n\u003e [ 89.639850] RIP: 0010:[\u003cffffffff810784b0\u003e] [\u003cffffffff810784b0\u003e] commit_creds+0x250/0x2f0\n\u003e [ 89.641161] RSP: 0018:ffff880115657eb8 EFLAGS: 00010207\n\u003e [ 89.641984] RAX: 00000000000003e8 RBX: ffff88012688b000 RCX: 0000000000000000\n\u003e [ 89.643069] RDX: 0000000000000000 RSI: ffffffff81c32960 RDI: ffff880105839600\n\u003e [ 89.644167] RBP: ffff880115657ed8 R08: 0000000000000000 R09: 0000000000000000\n\u003e [ 89.645254] R10: 0000000000000001 R11: 0000000000000246 R12: ffff880105839600\n\u003e [ 89.646340] R13: ffff88011beea490 R14: ffff88011beea490 R15: 0000000000000000\n\u003e [ 89.647431] FS: 00007f3ac063b740(0000) GS:ffff88012b200000(0000) knlGS:0000000000000000\n\u003e [ 89.648660] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b\n\u003e [ 89.649548] CR2: 00000000000000c8 CR3: 0000000122bfc000 CR4: 00000000000007e0\n\u003e [ 89.650635] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n\u003e [ 89.651723] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\n\u003e [ 89.652812] Process trinity-main (pid: 782, threadinfo ffff880115656000, task ffff88011beea490)\n\u003e [ 89.654128] Stack:\n\u003e [ 89.654433] 0000000000000000 ffff8801058396a0 ffff880105839600 ffff88011beeaa78\n\u003e [ 89.655769] ffff880115657ef8 ffffffff812c7d9b ffffffff82079be0 0000000000000000\n\u003e [ 89.657073] ffff880115657f28 ffffffff8106c665 0000000000000002 ffff880115657f58\n\u003e [ 89.658399] Call Trace:\n\u003e [ 89.658822] [\u003cffffffff812c7d9b\u003e] key_change_session_keyring+0xfb/0x140\n\u003e [ 89.659845] [\u003cffffffff8106c665\u003e] task_work_run+0xa5/0xd0\n\u003e [ 89.660698] [\u003cffffffff81002911\u003e] do_notify_resume+0x71/0xb0\n\u003e [ 89.661581] [\u003cffffffff816c9a4a\u003e] int_signal+0x12/0x17\n\u003e [ 89.662385] Code: 24 90 00 00 00 48 8b b3 90 00 00 00 49 8b 4c 24 40 48 39 f2 75 08 e9 83 00 00 00 48 89 ca 48 81 fa 60 29 c3 81 0f 84 41 fe ff ff \u003c48\u003e 8b 8a c8 00 00 00 48 39 ce 75 e4 3b 82 d0 00 00 00 0f 84 4b\n\u003e [ 89.667778] RIP [\u003cffffffff810784b0\u003e] commit_creds+0x250/0x2f0\n\u003e [ 89.668733] RSP \u003cffff880115657eb8\u003e\n\u003e [ 89.669301] CR2: 00000000000000c8\n\u003e\n\u003e My fastest trinity induced oops yet!\n\u003e\n\u003e\n\u003e Appears to be..\n\u003e\n\u003e if ((set_ns \u003d\u003d subset_ns-\u003eparent) \u0026\u0026\n\u003e 850: 48 8b 8a c8 00 00 00 mov 0xc8(%rdx),%rcx\n\u003e\n\u003e from the inlined cred_cap_issubset\n\nBy historical accident we have been reading trying to set new-\u003euser_ns\nfrom new-\u003euser_ns. Which is totally silly as new-\u003euser_ns is NULL (as\nis every other field in new except session_keyring at that point).\n\nThe intent is clearly to copy all of the fields from old to new so copy\nold-\u003euser_ns into into new-\u003euser_ns.\n\nCc: stable@vger.kernel.org\nReported-by: Dave Jones \u003cdavej@redhat.com\u003e\nTested-by: Dave Jones \u003cdavej@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\n" }, { "commit": "fe9453a1dcb5fb146f9653267e78f4a558066f6f", "tree": "ba144f62734e9d89ed515466972c318de561ccb2", "parents": [ "a0b1c42951dd06ec83cc1bc2c9788131d9fefcd8" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Feb 21 12:00:25 2013 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Feb 21 07:56:25 2013 -0800" }, "message": "KEYS: Revert one application of \"Fix unreachable code\" patch\n\nA patch to fix some unreachable code in search_my_process_keyrings() got\napplied twice by two different routes upstream as commits e67eab39bee2\nand b010520ab3d2 (both \"fix unreachable code\").\n\nUnfortunately, the second application removed something it shouldn\u0027t\nhave and this wasn\u0027t detected by GIT. This is due to the patch not\nhaving sufficient lines of context to distinguish the two places of\napplication.\n\nThe effect of this is relatively minor: inside the kernel, the keyring\nsearch routines may search multiple keyrings and then prioritise the\nerrors if no keys or negative keys are found in any of them. With the\nextra deletion, the presence of a negative key in the thread keyring\n(causing ENOKEY) is incorrectly overridden by an error searching the\nprocess keyring.\n\nSo revert the second application of the patch.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Jiri Kosina \u003cjkosina@suse.cz\u003e\nCc: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "e67eab39bee26f509d38d00ca1a8f24b63f46a31", "tree": "252072ae63bd5ecb8186242ace12e7df3a1311ad", "parents": [ "a68c2f12b4b28994aaf622bbe5724b7258cc2fcf" ], "author": { "name": "Alan Cox", "email": "alan@linux.intel.com", "time": "Thu Dec 20 15:05:54 2012 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Dec 20 17:40:21 2012 -0800" }, "message": "keys: fix unreachable code\n\nWe set ret to NULL then test it. Remove the bogus test\n\nSigned-off-by: Alan Cox \u003calan@linux.intel.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2a74dbb9a86e8102dcd07d284135b4530a84826e", "tree": "a54403e312b6062dfb57bd904ba8b8ce3b11e720", "parents": [ "770b6cb4d21fb3e3df2a7a51e186a3c14db1ec30", "e93072374112db9dc86635934ee761249be28370" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Dec 16 15:40:50 2012 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Dec 16 15:40:50 2012 -0800" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security\n\nPull security subsystem updates from James Morris:\n \"A quiet cycle for the security subsystem with just a few maintenance\n updates.\"\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:\n Smack: create a sysfs mount point for smackfs\n Smack: use select not depends in Kconfig\n Yama: remove locking from delete path\n Yama: add RCU to drop read locking\n drivers/char/tpm: remove tasklet and cleanup\n KEYS: Use keyring_alloc() to create special keyrings\n KEYS: Reduce initial permissions on keys\n KEYS: Make the session and process keyrings per-thread\n seccomp: Make syscall skipping and nr changes more consistent\n key: Fix resource leak\n keys: Fix unreachable code\n KEYS: Add payload preparsing opportunity prior to key instantiate or update\n" }, { "commit": "3bd7bf1f0fe14f591c089ae61bbfa9bd356f178a", "tree": "0058693cc9e70b7461dae551f8a19aff2efd13ca", "parents": [ "f16f84937d769c893492160b1a8c3672e3992beb", "e657e078d3dfa9f96976db7a2b5fd7d7c9f1f1a6" ], "author": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Sun Oct 28 19:28:52 2012 +0100" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Sun Oct 28 19:29:19 2012 +0100" }, "message": "Merge branch \u0027master\u0027 into for-next\n\nSync up with Linus\u0027 tree to be able to apply Cesar\u0027s patch\nagainst newer version of the code.\n\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\n" }, { "commit": "b010520ab3d2c05eb444ed5e01fe6c33842f597a", "tree": "cf958deb54615a8ff5432bdbf3b70da2a76b9508", "parents": [ "6f7c962c0b8efc78aec4c5514865fb5be83f4d92" ], "author": { "name": "Alan Cox", "email": "alan@linux.intel.com", "time": "Thu Oct 25 15:23:35 2012 +0100" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Thu Oct 25 18:00:27 2012 +0200" }, "message": "keys: Fix unreachable code\n\nWe set ret to NULL then test it. Remove the bogus test\n\nSigned-off-by: Alan Cox \u003calan@linux.intel.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\n" }, { "commit": "d25282d1c9b9bc4cda7f9d3c0205108e99aa7a9d", "tree": "f414482d768b015a609924293b779b4ad0b8f764", "parents": [ "b6eea87fc6850d3531a64a27d2323a4498cd4e43", "dbadc17683e6c673a69b236c0f041b931cc55c42" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Oct 14 13:39:34 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Oct 14 13:39:34 2012 -0700" }, "message": "Merge branch \u0027modules-next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux\n\nPull module signing support from Rusty Russell:\n \"module signing is the highlight, but it\u0027s an all-over David Howells frenzy...\"\n\nHmm \"Magrathea: Glacier signing key\". Somebody has been reading too much HHGTTG.\n\n* \u0027modules-next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: (37 commits)\n X.509: Fix indefinite length element skip error handling\n X.509: Convert some printk calls to pr_devel\n asymmetric keys: fix printk format warning\n MODSIGN: Fix 32-bit overflow in X.509 certificate validity date checking\n MODSIGN: Make mrproper should remove generated files.\n MODSIGN: Use utf8 strings in signer\u0027s name in autogenerated X.509 certs\n MODSIGN: Use the same digest for the autogen key sig as for the module sig\n MODSIGN: Sign modules during the build process\n MODSIGN: Provide a script for generating a key ID from an X.509 cert\n MODSIGN: Implement module signature checking\n MODSIGN: Provide module signing public keys to the kernel\n MODSIGN: Automatically generate module signing keys if missing\n MODSIGN: Provide Kconfig options\n MODSIGN: Provide gitignore and make clean rules for extra files\n MODSIGN: Add FIPS policy\n module: signature checking hook\n X.509: Add a crypto key parser for binary (DER) X.509 certificates\n MPILIB: Provide a function to read raw data into an MPI\n X.509: Add an ASN.1 decoder\n X.509: Add simple ASN.1 grammar compiler\n ...\n" }, { "commit": "cf7f601c067994f371ba77721d1e45fce61a4569", "tree": "4ff5a12ae84cf47a9815c3e3979341a66360cb31", "parents": [ "9bb9c3be56834653878f766f471fa1c20e562f4c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Sep 13 13:06:29 2012 +0100" }, "committer": { "name": "Rusty Russell", "email": "rusty@rustcorp.com.au", "time": "Mon Oct 08 13:49:48 2012 +1030" }, "message": "KEYS: Add payload preparsing opportunity prior to key instantiate or update\n\nGive the key type the opportunity to preparse the payload prior to the\ninstantiation and update routines being called. This is done with the\nprovision of two new key type operations:\n\n\tint (*preparse)(struct key_preparsed_payload *prep);\n\tvoid (*free_preparse)(struct key_preparsed_payload *prep);\n\nIf the first operation is present, then it is called before key creation (in\nthe add/update case) or before the key semaphore is taken (in the update and\ninstantiate cases). The second operation is called to clean up if the first\nwas called.\n\npreparse() is given the opportunity to fill in the following structure:\n\n\tstruct key_preparsed_payload {\n\t\tchar\t\t*description;\n\t\tvoid\t\t*type_data[2];\n\t\tvoid\t\t*payload;\n\t\tconst void\t*data;\n\t\tsize_t\t\tdatalen;\n\t\tsize_t\t\tquotalen;\n\t};\n\nBefore the preparser is called, the first three fields will have been cleared,\nthe payload pointer and size will be stored in data and datalen and the default\nquota size from the key_type struct will be stored into quotalen.\n\nThe preparser may parse the payload in any way it likes and may store data in\nthe type_data[] and payload fields for use by the instantiate() and update()\nops.\n\nThe preparser may also propose a description for the key by attaching it as a\nstring to the description field. This can be used by passing a NULL or \"\"\ndescription to the add_key() system call or the key_create_or_update()\nfunction. This cannot work with request_key() as that required the description\nto tell the upcall about the key to be created.\n\nThis, for example permits keys that store PGP public keys to generate their own\nname from the user ID and public key fingerprint in the key.\n\nThe instantiate() and update() operations are then modified to look like this:\n\n\tint (*instantiate)(struct key *key, struct key_preparsed_payload *prep);\n\tint (*update)(struct key *key, struct key_preparsed_payload *prep);\n\nand the new payload data is passed in *prep, whether or not it was preparsed.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Rusty Russell \u003crusty@rustcorp.com.au\u003e\n" }, { "commit": "88265322c14cce39f7afbc416726ef4fac413298", "tree": "e4956f905ef617971f87788d8f8a09dbb66b70a3", "parents": [ "65b99c74fdd325d1ffa2e5663295888704712604", "bf5308344527d015ac9a6d2bda4ad4d40fd7d943" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 02 21:38:48 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 02 21:38:48 2012 -0700" }, "message": "Merge branch \u0027next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security\n\nPull security subsystem updates from James Morris:\n \"Highlights:\n\n - Integrity: add local fs integrity verification to detect offline\n attacks\n - Integrity: add digital signature verification\n - Simple stacking of Yama with other LSMs (per LSS discussions)\n - IBM vTPM support on ppc64\n - Add new driver for Infineon I2C TIS TPM\n - Smack: add rule revocation for subject labels\"\n\nFixed conflicts with the user namespace support in kernel/auditsc.c and\nsecurity/integrity/ima/ima_policy.c.\n\n* \u0027next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits)\n Documentation: Update git repository URL for Smack userland tools\n ima: change flags container data type\n Smack: setprocattr memory leak fix\n Smack: implement revoking all rules for a subject label\n Smack: remove task_wait() hook.\n ima: audit log hashes\n ima: generic IMA action flag handling\n ima: rename ima_must_appraise_or_measure\n audit: export audit_log_task_info\n tpm: fix tpm_acpi sparse warning on different address spaces\n samples/seccomp: fix 31 bit build on s390\n ima: digital signature verification support\n ima: add support for different security.ima data types\n ima: add ima_inode_setxattr/removexattr function and calls\n ima: add inode_post_setattr call\n ima: replace iint spinblock with rwlock/read_lock\n ima: allocating iint improvements\n ima: add appraise action keywords and default rules\n ima: integrity appraisal extension\n vfs: move ima_file_free before releasing the file\n ...\n" }, { "commit": "4442d7704c7311d1c42383d365e0b883e0075975", "tree": "ee80c095ea8b13c2ad62c9406ddc6166c5b09cb4", "parents": [ "f8aa23a55f813c9bddec2a6176e0e67274e6e7c1", "d4f65b5d2497b2fd9c45f06b71deb4ab084a5b66" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Oct 02 19:30:19 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Oct 02 19:30:19 2012 +0100" }, "message": "Merge branch \u0027modsign-keys-devel\u0027 into security-next-keys\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "f8aa23a55f813c9bddec2a6176e0e67274e6e7c1", "tree": "1b1927cedb4f1d769fac19242f3a365c84e40cec", "parents": [ "96b5c8fea6c0861621051290d705ec2e971963f1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Oct 02 19:24:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Oct 02 19:24:56 2012 +0100" }, "message": "KEYS: Use keyring_alloc() to create special keyrings\n\nUse keyring_alloc() to create special keyrings now that it has a permissions\nparameter rather than using key_alloc() + key_instantiate_and_link().\n\nAlso document and export keyring_alloc() so that modules can use it too.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "96b5c8fea6c0861621051290d705ec2e971963f1", "tree": "3e3812fb8eb9590b8dca812e916d16cfd53aa862", "parents": [ "3a50597de8635cd05133bd12c95681c82fe7b878" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Oct 02 19:24:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Oct 02 19:24:56 2012 +0100" }, "message": "KEYS: Reduce initial permissions on keys\n\nReduce the initial permissions on new keys to grant the possessor everything,\nview permission only to the user (so the keys can be seen in /proc/keys) and\nnothing else.\n\nThis gives the creator a chance to adjust the permissions mask before other\nprocesses can access the new key or create a link to it.\n\nTo aid with this, keyring_alloc() now takes a permission argument rather than\nsetting the permissions itself.\n\nThe following permissions are now set:\n\n (1) The user and user-session keyrings grant the user that owns them full\n permissions and grant a possessor everything bar SETATTR.\n\n (2) The process and thread keyrings grant the possessor full permissions but\n only grant the user VIEW. This permits the user to see them in\n /proc/keys, but not to do anything with them.\n\n (3) Anonymous session keyrings grant the possessor full permissions, but only\n grant the user VIEW and READ. This means that the user can see them in\n /proc/keys and can list them, but nothing else. Possibly READ shouldn\u0027t\n be provided either.\n\n (4) Named session keyrings grant everything an anonymous session keyring does,\n plus they grant the user LINK permission. The whole point of named\n session keyrings is that others can also subscribe to them. Possibly this\n should be a separate permission to LINK.\n\n (5) The temporary session keyring created by call_sbin_request_key() gets the\n same permissions as an anonymous session keyring.\n\n (6) Keys created by add_key() get VIEW, SEARCH, LINK and SETATTR for the\n possessor, plus READ and/or WRITE if the key type supports them. The used\n only gets VIEW now.\n\n (7) Keys created by request_key() now get the same as those created by\n add_key().\n\nReported-by: Lennart Poettering \u003clennart@poettering.net\u003e\nReported-by: Stef Walter \u003cstefw@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "3a50597de8635cd05133bd12c95681c82fe7b878", "tree": "d81c3e46dcef80fbaf84fdf1e8f43676625bab8e", "parents": [ "a84a921978b7d56e0e4b87ffaca6367429b4d8ff" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Oct 02 19:24:29 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Oct 02 19:24:29 2012 +0100" }, "message": "KEYS: Make the session and process keyrings per-thread\n\nMake the session keyring per-thread rather than per-process, but still\ninherited from the parent thread to solve a problem with PAM and gdm.\n\nThe problem is that join_session_keyring() will reject attempts to change the\nsession keyring of a multithreaded program but gdm is now multithreaded before\nit gets to the point of starting PAM and running pam_keyinit to create the\nsession keyring. See:\n\n\thttps://bugs.freedesktop.org/show_bug.cgi?id\u003d49211\n\nThe reason that join_session_keyring() will only change the session keyring\nunder a single-threaded environment is that it\u0027s hard to alter the other\nthread\u0027s credentials to effect the change in a multi-threaded program. The\nproblems are such as:\n\n (1) How to prevent two threads both running join_session_keyring() from\n racing.\n\n (2) Another thread\u0027s credentials may not be modified directly by this process.\n\n (3) The number of threads is uncertain whilst we\u0027re not holding the\n appropriate spinlock, making preallocation slightly tricky.\n\n (4) We could use TIF_NOTIFY_RESUME and key_replace_session_keyring() to get\n another thread to replace its keyring, but that means preallocating for\n each thread.\n\nA reasonable way around this is to make the session keyring per-thread rather\nthan per-process and just document that if you want a common session keyring,\nyou must get it before you spawn any threads - which is the current situation\nanyway.\n\nWhilst we\u0027re at it, we can the process keyring behave in the same way. This\nmeans we can clean up some of the ickyness in the creds code.\n\nBasically, after this patch, the session, process and thread keyrings are about\ninheritance rules only and not about sharing changes of keyring.\n\nReported-by: Mantas M. \u003cgrawity@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Ray Strode \u003crstrode@redhat.com\u003e\n" }, { "commit": "437589a74b6a590d175f86cf9f7b2efcee7765e7", "tree": "37bf8635b1356d80ef002b00e84f3faf3d555a63", "parents": [ "68d47a137c3bef754923bccf73fb639c9b0bbd5e", "72235465864d84cedb2d9f26f8e1de824ee20339" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 02 11:11:09 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 02 11:11:09 2012 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace\n\nPull user namespace changes from Eric Biederman:\n \"This is a mostly modest set of changes to enable basic user namespace\n support. This allows the code to code to compile with user namespaces\n enabled and removes the assumption there is only the initial user\n namespace. Everything is converted except for the most complex of the\n filesystems: autofs4, 9p, afs, ceph, cifs, coda, fuse, gfs2, ncpfs,\n nfs, ocfs2 and xfs as those patches need a bit more review.\n\n The strategy is to push kuid_t and kgid_t values are far down into\n subsystems and filesystems as reasonable. Leaving the make_kuid and\n from_kuid operations to happen at the edge of userspace, as the values\n come off the disk, and as the values come in from the network.\n Letting compile type incompatible compile errors (present when user\n namespaces are enabled) guide me to find the issues.\n\n The most tricky areas have been the places where we had an implicit\n union of uid and gid values and were storing them in an unsigned int.\n Those places were converted into explicit unions. I made certain to\n handle those places with simple trivial patches.\n\n Out of that work I discovered we have generic interfaces for storing\n quota by projid. I had never heard of the project identifiers before.\n Adding full user namespace support for project identifiers accounts\n for most of the code size growth in my git tree.\n\n Ultimately there will be work to relax privlige checks from\n \"capable(FOO)\" to \"ns_capable(user_ns, FOO)\" where it is safe allowing\n root in a user names to do those things that today we only forbid to\n non-root users because it will confuse suid root applications.\n\n While I was pushing kuid_t and kgid_t changes deep into the audit code\n I made a few other cleanups. I capitalized on the fact we process\n netlink messages in the context of the message sender. I removed\n usage of NETLINK_CRED, and started directly using current-\u003etty.\n\n Some of these patches have also made it into maintainer trees, with no\n problems from identical code from different trees showing up in\n linux-next.\n\n After reading through all of this code I feel like I might be able to\n win a game of kernel trivial pursuit.\"\n\nFix up some fairly trivial conflicts in netfilter uid/git logging code.\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (107 commits)\n userns: Convert the ufs filesystem to use kuid/kgid where appropriate\n userns: Convert the udf filesystem to use kuid/kgid where appropriate\n userns: Convert ubifs to use kuid/kgid\n userns: Convert squashfs to use kuid/kgid where appropriate\n userns: Convert reiserfs to use kuid and kgid where appropriate\n userns: Convert jfs to use kuid/kgid where appropriate\n userns: Convert jffs2 to use kuid and kgid where appropriate\n userns: Convert hpfs to use kuid and kgid where appropriate\n userns: Convert btrfs to use kuid/kgid where appropriate\n userns: Convert bfs to use kuid/kgid where appropriate\n userns: Convert affs to use kuid/kgid wherwe appropriate\n userns: On alpha modify linux_to_osf_stat to use convert from kuids and kgids\n userns: On ia64 deal with current_uid and current_gid being kuid and kgid\n userns: On ppc convert current_uid from a kuid before printing.\n userns: Convert s390 getting uid and gid system calls to use kuid and kgid\n userns: Convert s390 hypfs to use kuid and kgid where appropriate\n userns: Convert binder ipc to use kuids\n userns: Teach security_path_chown to take kuids and kgids\n userns: Add user namespace support to IMA\n userns: Convert EVM to deal with kuids and kgids in it\u0027s hmac computation\n ...\n" }, { "commit": "033d9959ed2dc1029217d4165f80a71702dc578e", "tree": "3d306316e44bdabce2e0bf2ef7e466e525f90b4c", "parents": [ "974a847e00cf3ff1695e62b276892137893706ab", "7c6e72e46c9ea4a88f3f8ba96edce9db4bd48726" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 02 09:54:49 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Oct 02 09:54:49 2012 -0700" }, "message": "Merge branch \u0027for-3.7\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq\n\nPull workqueue changes from Tejun Heo:\n \"This is workqueue updates for v3.7-rc1. A lot of activities this\n round including considerable API and behavior cleanups.\n\n * delayed_work combines a timer and a work item. The handling of the\n timer part has always been a bit clunky leading to confusing\n cancelation API with weird corner-case behaviors. delayed_work is\n updated to use new IRQ safe timer and cancelation now works as\n expected.\n\n * Another deficiency of delayed_work was lack of the counterpart of\n mod_timer() which led to cancel+queue combinations or open-coded\n timer+work usages. mod_delayed_work[_on]() are added.\n\n These two delayed_work changes make delayed_work provide interface\n and behave like timer which is executed with process context.\n\n * A work item could be executed concurrently on multiple CPUs, which\n is rather unintuitive and made flush_work() behavior confusing and\n half-broken under certain circumstances. This problem doesn\u0027t\n exist for non-reentrant workqueues. While non-reentrancy check\n isn\u0027t free, the overhead is incurred only when a work item bounces\n across different CPUs and even in simulated pathological scenario\n the overhead isn\u0027t too high.\n\n All workqueues are made non-reentrant. This removes the\n distinction between flush_[delayed_]work() and\n flush_[delayed_]_work_sync(). The former is now as strong as the\n latter and the specified work item is guaranteed to have finished\n execution of any previous queueing on return.\n\n * In addition to the various bug fixes, Lai redid and simplified CPU\n hotplug handling significantly.\n\n * Joonsoo introduced system_highpri_wq and used it during CPU\n hotplug.\n\n There are two merge commits - one to pull in IRQ safe timer from\n tip/timers/core and the other to pull in CPU hotplug fixes from\n wq/for-3.6-fixes as Lai\u0027s hotplug restructuring depended on them.\"\n\nFixed a number of trivial conflicts, but the more interesting conflicts\nwere silent ones where the deprecated interfaces had been used by new\ncode in the merge window, and thus didn\u0027t cause any real data conflicts.\n\nTejun pointed out a few of them, I fixed a couple more.\n\n* \u0027for-3.7\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq: (46 commits)\n workqueue: remove spurious WARN_ON_ONCE(in_irq()) from try_to_grab_pending()\n workqueue: use cwq_set_max_active() helper for workqueue_set_max_active()\n workqueue: introduce cwq_set_max_active() helper for thaw_workqueues()\n workqueue: remove @delayed from cwq_dec_nr_in_flight()\n workqueue: fix possible stall on try_to_grab_pending() of a delayed work item\n workqueue: use hotcpu_notifier() for workqueue_cpu_down_callback()\n workqueue: use __cpuinit instead of __devinit for cpu callbacks\n workqueue: rename manager_mutex to assoc_mutex\n workqueue: WORKER_REBIND is no longer necessary for idle rebinding\n workqueue: WORKER_REBIND is no longer necessary for busy rebinding\n workqueue: reimplement idle worker rebinding\n workqueue: deprecate __cancel_delayed_work()\n workqueue: reimplement cancel_delayed_work() using try_to_grab_pending()\n workqueue: use mod_delayed_work() instead of __cancel + queue\n workqueue: use irqsafe timer for delayed_work\n workqueue: clean up delayed_work initializers and add missing one\n workqueue: make deferrable delayed_work initializer names consistent\n workqueue: cosmetic whitespace updates for macro definitions\n workqueue: deprecate system_nrt[_freezable]_wq\n workqueue: deprecate flush[_delayed]_work_sync()\n ...\n" }, { "commit": "a84a921978b7d56e0e4b87ffaca6367429b4d8ff", "tree": "03edfc3a5039edd443078d7adc20d585be89022b", "parents": [ "631527703d1aa2f0c5dc2af0d998f4da95c83f0e" ], "author": { "name": "Alan Cox", "email": "alan@linux.intel.com", "time": "Fri Sep 28 12:20:02 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Sep 28 12:20:02 2012 +0100" }, "message": "key: Fix resource leak\n\nOn an error iov may still have been reallocated and need freeing\n\nSigned-off-by: Alan Cox \u003calan@linux.intel.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "631527703d1aa2f0c5dc2af0d998f4da95c83f0e", "tree": "a2aec36285e598c3f1c34aef166b242859bddb63", "parents": [ "bf5308344527d015ac9a6d2bda4ad4d40fd7d943" ], "author": { "name": "Alan Cox", "email": "alan@linux.intel.com", "time": "Fri Sep 28 12:20:02 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Sep 28 12:20:02 2012 +0100" }, "message": "keys: Fix unreachable code\n\nWe set ret to NULL then test it. Remove the bogus test\n\nSigned-off-by: Alan Cox \u003calan@linux.intel.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "9a56c2db49e7349c7963f0ce66c1ef578d44ebd3", "tree": "de29b56483bb00efabca3ba35c7001cab2aab7be", "parents": [ "5fce5e0bbd44263c36f58ad1113b599d06ed1978" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Wed Feb 08 07:53:04 2012 -0800" }, "committer": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Thu Sep 13 18:28:02 2012 -0700" }, "message": "userns: Convert security/keys to the new userns infrastructure\n\n- Replace key_user -\u003euser_ns equality checks with kuid_has_mapping checks.\n- Use from_kuid to generate key descriptions\n- Use kuid_t and kgid_t and the associated helpers instead of uid_t and gid_t\n- Avoid potential problems with file descriptor passing by displaying\n keys in the user namespace of the opener of key status proc files.\n\nCc: linux-security-module@vger.kernel.org\nCc: keyrings@linux-nfs.org\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n" }, { "commit": "b3f68f16dbcde6fcdf0fd27695391ff7e9d41233", "tree": "26833634b038b8fd9d18f109deb10770eb3f2a6e", "parents": [ "9da33de62431c7839f98156720862262272a8380" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Sun Aug 26 21:12:14 2012 +0200" }, "committer": { "name": "Ingo Molnar", "email": "mingo@kernel.org", "time": "Thu Sep 13 16:47:36 2012 +0200" }, "message": "task_work: Revert \"hold task_lock around checks in keyctl\"\n\nThis reverts commit d35abdb28824cf74f0a106a0f9c6f3ff700a35bf.\n\ntask_lock() was added to ensure exit_mm() and thus exit_task_work() is\nnot possible before task_work_add().\n\nThis is wrong, task_lock() must not be nested with write_lock(tasklist).\nAnd this is no longer needed, task_work_add() now fails if it is called\nafter exit_task_work().\n\nReported-by: Dave Jones \u003cdavej@redhat.com\u003e\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nSigned-off-by: Peter Zijlstra \u003ca.p.zijlstra@chello.nl\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nLink: http://lkml.kernel.org/r/20120826191214.GA4231@redhat.com\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\n" }, { "commit": "d4f65b5d2497b2fd9c45f06b71deb4ab084a5b66", "tree": "57128a75a755e2b4a6521408cc2eaf73c88e54aa", "parents": [ "eeea3ac912207dcf759b95b2b4c36f96bce583bf" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Sep 13 13:06:29 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Sep 13 13:06:29 2012 +0100" }, "message": "KEYS: Add payload preparsing opportunity prior to key instantiate or update\n\nGive the key type the opportunity to preparse the payload prior to the\ninstantiation and update routines being called. This is done with the\nprovision of two new key type operations:\n\n\tint (*preparse)(struct key_preparsed_payload *prep);\n\tvoid (*free_preparse)(struct key_preparsed_payload *prep);\n\nIf the first operation is present, then it is called before key creation (in\nthe add/update case) or before the key semaphore is taken (in the update and\ninstantiate cases). The second operation is called to clean up if the first\nwas called.\n\npreparse() is given the opportunity to fill in the following structure:\n\n\tstruct key_preparsed_payload {\n\t\tchar\t\t*description;\n\t\tvoid\t\t*type_data[2];\n\t\tvoid\t\t*payload;\n\t\tconst void\t*data;\n\t\tsize_t\t\tdatalen;\n\t\tsize_t\t\tquotalen;\n\t};\n\nBefore the preparser is called, the first three fields will have been cleared,\nthe payload pointer and size will be stored in data and datalen and the default\nquota size from the key_type struct will be stored into quotalen.\n\nThe preparser may parse the payload in any way it likes and may store data in\nthe type_data[] and payload fields for use by the instantiate() and update()\nops.\n\nThe preparser may also propose a description for the key by attaching it as a\nstring to the description field. This can be used by passing a NULL or \"\"\ndescription to the add_key() system call or the key_create_or_update()\nfunction. This cannot work with request_key() as that required the description\nto tell the upcall about the key to be created.\n\nThis, for example permits keys that store PGP public keys to generate their own\nname from the user ID and public key fingerprint in the key.\n\nThe instantiate() and update() operations are then modified to look like this:\n\n\tint (*instantiate)(struct key *key, struct key_preparsed_payload *prep);\n\tint (*update)(struct key *key, struct key_preparsed_payload *prep);\n\nand the new payload data is passed in *prep, whether or not it was preparsed.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "41ab999c80f1d368f32a2554ba8f44feff26f54d", "tree": "8d53970a210364e19ecbdc05f6d8c8f88e6aadbf", "parents": [ "e5dcd87fee12ed64a9ea911102025facc0c7d10c" ], "author": { "name": "Kent Yoder", "email": "key@linux.vnet.ibm.com", "time": "Thu Jun 07 13:47:14 2012 -0500" }, "committer": { "name": "Kent Yoder", "email": "key@linux.vnet.ibm.com", "time": "Wed Aug 22 11:11:33 2012 -0500" }, "message": "tpm: Move tpm_get_random api into the TPM device driver\n\nMove the tpm_get_random api from the trusted keys code into the TPM\ndevice driver itself so that other callers can make use of it. Also,\nchange the api slightly so that the number of bytes read is returned in\nthe call, since the TPM command can potentially return fewer bytes than\nrequested.\n\nAcked-by: David Safford \u003csafford@linux.vnet.ibm.com\u003e\nReviewed-by: H. Peter Anvin \u003chpa@linux.intel.com\u003e\nSigned-off-by: Kent Yoder \u003ckey@linux.vnet.ibm.com\u003e\n" }, { "commit": "3b07e9ca26866697616097044f25fbe53dbab693", "tree": "7621d076c91c05bc0fc3c63bdc54c279a487dfea", "parents": [ "43829731dd372d04d6706c51052b9dabab9ca356" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Mon Aug 20 14:51:24 2012 -0700" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Mon Aug 20 14:51:24 2012 -0700" }, "message": "workqueue: deprecate system_nrt[_freezable]_wq\n\nsystem_nrt[_freezable]_wq are now spurious. Mark them deprecated and\nconvert all users to system[_freezable]_wq.\n\nIf you\u0027re cc\u0027d and wondering what\u0027s going on: Now all workqueues are\nnon-reentrant, so there\u0027s no reason to use system_nrt[_freezable]_wq.\nPlease use system[_freezable]_wq instead.\n\nThis patch doesn\u0027t make any functional difference.\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nAcked-By: Lai Jiangshan \u003claijs@cn.fujitsu.com\u003e\n\nCc: Jens Axboe \u003caxboe@kernel.dk\u003e\nCc: David Airlie \u003cairlied@linux.ie\u003e\nCc: Jiri Kosina \u003cjkosina@suse.cz\u003e\nCc: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\nCc: Rusty Russell \u003crusty@rustcorp.com.au\u003e\nCc: \"Paul E. McKenney\" \u003cpaulmck@linux.vnet.ibm.com\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "e05644e17e744315bce12b0948cdc36910b9a76e", "tree": "92d62ff59c57f991ef6b5c3cc2c2dcd205946a11", "parents": [ "97e7292ab5ccd30a13c3612835535fc3f3e59715", "663728418e3494f8e4a82f5d1b2f23c22d11be35" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jul 23 18:49:06 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jul 23 18:49:06 2012 -0700" }, "message": "Merge branch \u0027next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security\n\nPull security subsystem updates from James Morris:\n \"Nothing groundbreaking for this kernel, just cleanups and fixes, and a\n couple of Smack enhancements.\"\n\n* \u0027next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (21 commits)\n Smack: Maintainer Record\n Smack: don\u0027t show empty rules when /smack/load or /smack/load2 is read\n Smack: user access check bounds\n Smack: onlycap limits on CAP_MAC_ADMIN\n Smack: fix smack_new_inode bogosities\n ima: audit is compiled only when enabled\n ima: ima_initialized is set only if successful\n ima: add policy for pseudo fs\n ima: remove unused cleanup functions\n ima: free securityfs violations file\n ima: use full pathnames in measurement list\n security: Fix nommu build.\n samples: seccomp: add .gitignore for untracked executables\n tpm: check the chip reference before using it\n TPM: fix memleak when register hardware fails\n TPM: chip disabled state erronously being reported as error\n MAINTAINERS: TPM maintainers\u0027 contacts update\n Merge branches \u0027next-queue\u0027 and \u0027next\u0027 into next\n Remove unused code from MPI library\n Revert \"crypto: GnuPG based MPI lib - additional sources (part 4)\"\n ...\n" }, { "commit": "d35abdb28824cf74f0a106a0f9c6f3ff700a35bf", "tree": "860bbe5c9e2d42293698cd93c32299b2c6dac5a2", "parents": [ "6120d3dbb1220792ebea88cd475e1ec8f8620a93" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Jun 30 11:55:24 2012 +0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jul 22 23:58:01 2012 +0400" }, "message": "hold task_lock around checks in keyctl\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "67d1214551e800f9fe7dc7c47a346d2df0fafed5", "tree": "ffcc93af9390339adda36668255e617073b724a1", "parents": [ "158e1645e07f3e9f7e4962d7a0997f5c3b98311b" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Jun 27 11:07:19 2012 +0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jul 22 23:57:56 2012 +0400" }, "message": "merge task_work and rcu_head, get rid of separate allocation for keyring case\n\ntask_work and rcu_head are identical now; merge them (calling the result\nstruct callback_head, rcu_head #define\u0027d to it), kill separate allocation\nin security/keys since we can just use cred-\u003ercu now.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "41f9d29f09ca0b22c3631e8a39676e74cda9bcc0", "tree": "7ab5ed25f14466471fb55536e1cf71c514fb7fe9", "parents": [ "7266702805f9d824f92ce5c4069eca65d0f21d28" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jun 26 22:10:04 2012 +0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jul 22 23:57:54 2012 +0400" }, "message": "trimming task_work: kill -\u003edata\n\nget rid of the only user of -\u003edata; this is _not_ the final variant - in the\nend we\u0027ll have task_work and rcu_head identical and just use cred-\u003ercu,\nat which point the separate allocation will be gone completely.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "66dd07b88a1c9d446f32253da606b87324fa620e", "tree": "4e0971bdd543585c7ab46716ae808a7fd82f9c35", "parents": [ "f52c44cd27b4a0be37ef97f0466e4095ebebef3f", "cfaf025112d3856637ff34a767ef785ef5cf2ca9" ], "author": { "name": "James Morris", "email": "james.l.morris@oracle.com", "time": "Sun Jun 10 22:52:10 2012 +1000" }, "committer": { "name": "James Morris", "email": "james.l.morris@oracle.com", "time": "Sun Jun 10 22:52:10 2012 +1000" }, "message": "Merge commit \u0027v3.5-rc2\u0027 into next\n" }, { "commit": "fb21affa49204acd409328415b49bfe90136653c", "tree": "3535dbe0c0aad049a38cadfcffe78409397a1b32", "parents": [ "a00b6151a2ae4c52576c35d3998e144a993d50b8", "f23ca335462e3c84f13270b9e65f83936068ec2c" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 31 18:47:30 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 31 18:47:30 2012 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/signal\n\nPull second pile of signal handling patches from Al Viro:\n \"This one is just task_work_add() series + remaining prereqs for it.\n\n There probably will be another pull request from that tree this\n cycle - at least for helpers, to get them out of the way for per-arch\n fixes remaining in the tree.\"\n\nFix trivial conflict in kernel/irq/manage.c: the merge of Andrew\u0027s pile\nhad brought in commit 97fd75b7b8e0 (\"kernel/irq/manage.c: use the\npr_foo() infrastructure to prefix printks\") which changed one of the\npr_err() calls that this merge moves around.\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/signal:\n keys: kill task_struct-\u003ereplacement_session_keyring\n keys: kill the dummy key_replace_session_keyring()\n keys: change keyctl_session_to_parent() to use task_work_add()\n genirq: reimplement exit_irq_thread() hook via task_work_add()\n task_work_add: generic process-context callbacks\n avr32: missed _TIF_NOTIFY_RESUME on one of do_notify_resume callers\n parisc: need to check NOTIFY_RESUME when exiting from syscall\n move key_repace_session_keyring() into tracehook_notify_resume()\n TIF_NOTIFY_RESUME is defined on all targets now\n" }, { "commit": "ac34ebb3a67e699edcb5ac72f19d31679369dfaa", "tree": "21785208005952128545c0d7804c2dddf177766f", "parents": [ "ee62c6b2dc93c09585b51fad18449dc5edb9977f" ], "author": { "name": "Christopher Yeoh", "email": "cyeoh@au1.ibm.com", "time": "Thu May 31 16:26:42 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 31 17:49:32 2012 -0700" }, "message": "aio/vfs: cleanup of rw_copy_check_uvector() and compat_rw_copy_check_uvector()\n\nA cleanup of rw_copy_check_uvector and compat_rw_copy_check_uvector after\nchanges made to support CMA in an earlier patch.\n\nRather than having an additional check_access parameter to these\nfunctions, the first paramater type is overloaded to allow the caller to\nspecify CHECK_IOVEC_ONLY which means check that the contents of the iovec\nare valid, but do not check the memory that they point to. This is used\nby process_vm_readv/writev where we need to validate that a iovec passed\nto the syscall is valid but do not want to check the memory that it points\nto at this point because it refers to an address space in another process.\n\nSigned-off-by: Chris Yeoh \u003cyeohc@au1.ibm.com\u003e\nReviewed-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "81ab6e7b26b453a795d46f2616ed0e31d97f05b9", "tree": "a8d50eb5b35ad93b793450bfef4d90df34494a2c", "parents": [ "ae3cef7300e9fddc35ad251dd5f27c5b88c8594a" ], "author": { "name": "Boaz Harrosh", "email": "bharrosh@panasas.com", "time": "Thu May 31 16:26:15 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 31 17:49:28 2012 -0700" }, "message": "kmod: convert two call sites to call_usermodehelper_fns()\n\nBoth kernel/sys.c \u0026\u0026 security/keys/request_key.c where inlining the exact\nsame code as call_usermodehelper_fns(); So simply convert these sites to\ndirectly use call_usermodehelper_fns().\n\nSigned-off-by: Boaz Harrosh \u003cbharrosh@panasas.com\u003e\nCc: Oleg Nesterov \u003coleg@redhat.com\u003e\nCc: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nCc: Peter Zijlstra \u003ca.p.zijlstra@chello.nl\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4f1c28d241d0882f25112d494885cd6084db225b", "tree": "4332c441b47b3ce6f29b424d24923aebdc44d7eb", "parents": [ "ecb41a77411358d385e3fde5b4e98a5f3d9cfdd5" ], "author": { "name": "Andrew Morton", "email": "akpm@linux-foundation.org", "time": "Thu May 31 16:26:02 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 31 17:49:26 2012 -0700" }, "message": "security/keys/keyctl.c: suppress memory allocation failure warning\n\nThis allocation may be large. The code is probing to see if it will\nsucceed and if not, it falls back to vmalloc(). We should suppress any\npage-allocation failure messages when the fallback happens.\n\nReported-by: Dave Jones \u003cdavej@redhat.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "423b9788023263364ea5de04189f02bd9b6a12db", "tree": "fc3ee4814aa8322fb2abb01c50d96568aa51bd9b", "parents": [ "ff2bb047c4bce9742e94911eeb44b4d6ff4734ab" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon May 21 12:32:13 2012 +0100" }, "committer": { "name": "James Morris", "email": "james.l.morris@oracle.com", "time": "Fri May 25 20:51:42 2012 +1000" }, "message": "KEYS: Fix some sparse warnings\n\nFix some sparse warnings in the keyrings code:\n\n (1) compat_keyctl_instantiate_key_iov() should be static.\n\n (2) There were a couple of places where a pointer was being compared against\n integer 0 rather than NULL.\n\n (3) keyctl_instantiate_key_common() should not take a __user-labelled iovec\n pointer as the caller must have copied the iovec to kernel space.\n\n (4) __key_link_begin() takes and __key_link_end() releases\n keyring_serialise_link_sem under some circumstances and so this should be\n declared.\n\n Note that adding __acquires() and __releases() for this doesn\u0027t help cure\n the warnings messages - something only commenting out both helps.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n" }, { "commit": "413cd3d9abeaef590e5ce00564f7a443165db238", "tree": "fc7d254053793a95d1470f7c9eafb782d8cf91d6", "parents": [ "4d1d61a6b203d957777d73fcebf19d90b038b5b2" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Fri May 11 10:59:08 2012 +1000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed May 23 22:11:23 2012 -0400" }, "message": "keys: change keyctl_session_to_parent() to use task_work_add()\n\nChange keyctl_session_to_parent() to use task_work_add() and move\nkey_replace_session_keyring() logic into task_work-\u003efunc().\n\nNote that we do task_work_cancel() before task_work_add() to ensure that\nonly one work can be pending at any time. This is important, we must not\nallow user-space to abuse the parent\u0027s -\u003etask_works list.\n\nThe callback, replace_session_keyring(), checks PF_EXITING. I guess this\nis not really needed but looks better.\n\nAs a side effect, this fixes the (unlikely) race. The callers of\nkey_replace_session_keyring() and keyctl_session_to_parent() lack the\nnecessary barriers, the parent can miss the request.\n\nNow we can remove task_struct-\u003ereplacement_session_keyring and related\ncode.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Richard Kuo \u003crkuo@codeaurora.org\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Alexander Gordeev \u003cagordeev@redhat.com\u003e\nCc: Chris Zankel \u003cchris@zankel.net\u003e\nCc: David Smith \u003cdsmith@redhat.com\u003e\nCc: \"Frank Ch. Eigler\" \u003cfche@redhat.com\u003e\nCc: Geert Uytterhoeven \u003cgeert@linux-m68k.org\u003e\nCc: Larry Woodman \u003clwoodman@redhat.com\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Tejun Heo \u003ctj@kernel.org\u003e\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "1227dd773d8d4e3983b4b751f9ffa0f41402fb7c", "tree": "8fb48e099710fa179c6ca7dd4c5298513dcd5659", "parents": [ "f9369910a6225b8d4892c3f20ae740a711cd5ace" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Apr 24 02:44:49 2012 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed May 23 22:09:19 2012 -0400" }, "message": "TIF_NOTIFY_RESUME is defined on all targets now\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "644473e9c60c1ff4f6351fed637a6e5551e3dce7", "tree": "10316518bedc735a2c6552886658d69dfd9f1eb0", "parents": [ "fb827ec68446c83e9e8754fa9b55aed27ecc4661", "4b06a81f1daee668fbd6de85557bfb36dd36078f" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 23 17:42:39 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 23 17:42:39 2012 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace\n\nPull user namespace enhancements from Eric Biederman:\n \"This is a course correction for the user namespace, so that we can\n reach an inexpensive, maintainable, and reasonably complete\n implementation.\n\n Highlights:\n - Config guards make it impossible to enable the user namespace and\n code that has not been converted to be user namespace safe.\n\n - Use of the new kuid_t type ensures the if you somehow get past the\n config guards the kernel will encounter type errors if you enable\n user namespaces and attempt to compile in code whose permission\n checks have not been updated to be user namespace safe.\n\n - All uids from child user namespaces are mapped into the initial\n user namespace before they are processed. Removing the need to add\n an additional check to see if the user namespace of the compared\n uids remains the same.\n\n - With the user namespaces compiled out the performance is as good or\n better than it is today.\n\n - For most operations absolutely nothing changes performance or\n operationally with the user namespace enabled.\n\n - The worst case performance I could come up with was timing 1\n billion cache cold stat operations with the user namespace code\n enabled. This went from 156s to 164s on my laptop (or 156ns to\n 164ns per stat operation).\n\n - (uid_t)-1 and (gid_t)-1 are reserved as an internal error value.\n Most uid/gid setting system calls treat these value specially\n anyway so attempting to use -1 as a uid would likely cause\n entertaining failures in userspace.\n\n - If setuid is called with a uid that can not be mapped setuid fails.\n I have looked at sendmail, login, ssh and every other program I\n could think of that would call setuid and they all check for and\n handle the case where setuid fails.\n\n - If stat or a similar system call is called from a context in which\n we can not map a uid we lie and return overflowuid. The LFS\n experience suggests not lying and returning an error code might be\n better, but the historical precedent with uids is different and I\n can not think of anything that would break by lying about a uid we\n can\u0027t map.\n\n - Capabilities are localized to the current user namespace making it\n safe to give the initial user in a user namespace all capabilities.\n\n My git tree covers all of the modifications needed to convert the core\n kernel and enough changes to make a system bootable to runlevel 1.\"\n\nFix up trivial conflicts due to nearby independent changes in fs/stat.c\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (46 commits)\n userns: Silence silly gcc warning.\n cred: use correct cred accessor with regards to rcu read lock\n userns: Convert the move_pages, and migrate_pages permission checks to use uid_eq\n userns: Convert cgroup permission checks to use uid_eq\n userns: Convert tmpfs to use kuid and kgid where appropriate\n userns: Convert sysfs to use kgid/kuid where appropriate\n userns: Convert sysctl permission checks to use kuid and kgids.\n userns: Convert proc to use kuid/kgid where appropriate\n userns: Convert ext4 to user kuid/kgid where appropriate\n userns: Convert ext3 to use kuid/kgid where appropriate\n userns: Convert ext2 to use kuid/kgid where appropriate.\n userns: Convert devpts to use kuid/kgid where appropriate\n userns: Convert binary formats to use kuid/kgid where appropriate\n userns: Add negative depends on entries to avoid building code that is userns unsafe\n userns: signal remove unnecessary map_cred_ns\n userns: Teach inode_capable to understand inodes whose uids map to other namespaces.\n userns: Fail exec for suid and sgid binaries with ids outside our user namespace.\n userns: Convert stat to return values mapped from kuids and kgids\n userns: Convert user specfied uids and gids in chown into kuids and kgid\n userns: Use uid_eq gid_eq helpers when comparing kuids and kgids in the vfs\n ...\n" }, { "commit": "b404aef72fdafb601c945c714164c0ee2b04c364", "tree": "46efed0307e7c208a254614361bbe08ed160ef52", "parents": [ "2cc8a71641b4460783ea3bd7a3476043fdf85397" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue May 15 14:11:11 2012 +0100" }, "committer": { "name": "James Morris", "email": "james.l.morris@oracle.com", "time": "Wed May 16 00:54:33 2012 +1000" }, "message": "KEYS: Don\u0027t check for NULL key pointer in key_validate()\n\nDon\u0027t bother checking for NULL key pointer in key_validate() as all of the\nplaces that call it will crash anyway if the relevant key pointer is NULL by\nthe time they call key_validate(). Therefore, the checking must be done prior\nto calling here.\n\nWhilst we\u0027re at it, simplify the key_validate() function a bit and mark its\nargument const.\n\nReported-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\ncc: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n" }, { "commit": "fd75815f727f157a05f4c96b5294a4617c0557da", "tree": "b2e76abf176d37b5d810b0c813b8c0219754b88c", "parents": [ "31d5a79d7f3d436da176a78ebc12d53c06da402e" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Add invalidation support\n\nAdd support for invalidating a key - which renders it immediately invisible to\nfurther searches and causes the garbage collector to immediately wake up,\nremove it from keyrings and then destroy it when it\u0027s no longer referenced.\n\nIt\u0027s better not to do this with keyctl_revoke() as that marks the key to start\nreturning -EKEYREVOKED to searches when what is actually desired is to have the\nkey refetched.\n\nTo invalidate a key the caller must be granted SEARCH permission by the key.\nThis may be too strict. It may be better to also permit invalidation if the\ncaller has any of READ, WRITE or SETATTR permission.\n\nThe primary use for this is to evict keys that are cached in special keyrings,\nsuch as the DNS resolver or an ID mapper.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "31d5a79d7f3d436da176a78ebc12d53c06da402e", "tree": "d39a75d7d0d0e85102ff8ce5e55e5d6ab7db7262", "parents": [ "233e4735f2a45d9e641c2488b8d7afeb1f377dac" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Do LRU discard in full keyrings\n\nDo an LRU discard in keyrings that are full rather than returning ENFILE. To\nperform this, a time_t is added to the key struct and updated by the creation\nof a link to a key and by a key being found as the result of a search. At the\ncompletion of a successful search, the keyrings in the path between the root of\nthe search and the first found link to it also have their last-used times\nupdated.\n\nNote that discarding a link to a key from a keyring does not necessarily\ndestroy the key as there may be references held by other places.\n\nAn alternate discard method that might suffice is to perform FIFO discard from\nthe keyring, using the spare 2-byte hole in the keylist header as the index of\nthe next link to be discarded.\n\nThis is useful when using a keyring as a cache for DNS results or foreign\nfilesystem IDs.\n\n\nThis can be tested by the following. As root do:\n\n\techo 1000 \u003e/proc/sys/kernel/keys/root_maxkeys\n\n\tkr\u003d`keyctl newring foo @s`\n\tfor ((i\u003d0; i\u003c2000; i++)); do keyctl add user a$i a $kr; done\n\nWithout this patch ENFILE should be reported when the keyring fills up. With\nthis patch, the keyring discards keys in an LRU fashion. Note that the stored\nLRU time has a granularity of 1s.\n\nAfter doing this, /proc/key-users can be observed and should show that most of\nthe 2000 keys have been discarded:\n\n\t[root@andromeda ~]# cat /proc/key-users\n\t 0: 517 516/516 513/1000 5249/20000\n\nThe \"513/1000\" here is the number of quota-accounted keys present for this user\nout of the maximum permitted.\n\nIn /proc/keys, the keyring shows the number of keys it has and the number of\nslots it has allocated:\n\n\t[root@andromeda ~]# grep foo /proc/keys\n\t200c64c4 I--Q-- 1 perm 3b3f0000 0 0 keyring foo: 509/509\n\nThe maximum is (PAGE_SIZE - header) / key pointer size. That\u0027s typically 509\non a 64-bit system and 1020 on a 32-bit system.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "233e4735f2a45d9e641c2488b8d7afeb1f377dac", "tree": "d273536aaea91cf4817dd305450f327ebb37059f", "parents": [ "65d87fe68abf2fc226a9e96be61160f65d6b4680" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Permit in-place link replacement in keyring list\n\nMake use of the previous patch that makes the garbage collector perform RCU\nsynchronisation before destroying defunct keys. Key pointers can now be\nreplaced in-place without creating a new keyring payload and replacing the\nwhole thing as the discarded keys will not be destroyed until all currently\nheld RCU read locks are released.\n\nIf the keyring payload space needs to be expanded or contracted, then a\nreplacement will still need allocating, and the original will still have to be\nfreed by RCU.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "65d87fe68abf2fc226a9e96be61160f65d6b4680", "tree": "23881b6daf54c7522178363f0ae32ddb6c836784", "parents": [ "1eb1bcf5bfad001128293b86d891c9d6f2f27333" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Perform RCU synchronisation on keys prior to key destruction\n\nMake the keys garbage collector invoke synchronize_rcu() prior to destroying\nkeys with a zero usage count. This means that a key can be examined under the\nRCU read lock in the safe knowledge that it won\u0027t get deallocated until after\nthe lock is released - even if its usage count becomes zero whilst we\u0027re\nlooking at it.\n\nThis is useful in keyring search vs key link. Consider a keyring containing a\nlink to a key. That link can be replaced in-place in the keyring without\nrequiring an RCU copy-and-replace on the keyring contents without breaking a\nsearch underway on that keyring when the displaced key is released, provided\nthe key is actually destroyed only after the RCU read lock held by the search\nalgorithm is released.\n\nThis permits __key_link() to replace a key without having to reallocate the key\npayload. A key gets replaced if a new key being linked into a keyring has the\nsame type and description.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\n" }, { "commit": "1eb1bcf5bfad001128293b86d891c9d6f2f27333", "tree": "af7fce4f0dae5bad37335b0fcf8b2e0d27342a9b", "parents": [ "9f7ce8e249ab761c7ed753059cb16319ede41762" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Announce key type (un)registration\n\nAnnounce the (un)registration of a key type in the core key code rather than\nin the callers.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "9f7ce8e249ab761c7ed753059cb16319ede41762", "tree": "2116852f541464dc8591fd201ae479c27b889bf3", "parents": [ "f0894940aed13b21f363a411c7ec57358827ad87" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Reorganise keys Makefile\n\nReorganise the keys directory Makefile to put all the core bits together and\nthe type-specific bits after.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "f0894940aed13b21f363a411c7ec57358827ad87", "tree": "43b1fcfc6e9ff2912943b2b2789559b36e7a192d", "parents": [ "45de6767dc51358a188f75dc4ad9dfddb7fb9480" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Move the key config into security/keys/Kconfig\n\nMove the key config into security/keys/Kconfig as there are going to be a lot\nof key-related options.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "ae2975bc3476243b45a1e2344236d7920c268f38", "tree": "e4b2a8472f6047734b6e7e2bdc994375b2790323", "parents": [ "22d917d80e842829d0ca0a561967d728eb1d6303" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Mon Nov 14 15:56:38 2011 -0800" }, "committer": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Thu May 03 03:27:21 2012 -0700" }, "message": "userns: Convert group_info values from gid_t to kgid_t.\n\nAs a first step to converting struct cred to be all kuid_t and kgid_t\nvalues convert the group values stored in group_info to always be\nkgid_t values. Unless user namespaces are used this change should\nhave no effect.\n\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n" }, { "commit": "0093ccb68f3753c0ba4d74c89d7e0f444b8d6123", "tree": "a6fc0ea2a6dfc338fa8fc7126005f40109ef8dce", "parents": [ "c4a4d603796c727b9555867571f89483be9c565e" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Wed Nov 16 21:52:53 2011 -0800" }, "committer": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Sat Apr 07 16:55:52 2012 -0700" }, "message": "cred: Refcount the user_ns pointed to by the cred.\n\nstruct user_struct will shortly loose it\u0027s user_ns reference\nso make the cred user_ns reference a proper reference complete\nwith reference counting.\n\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n" }, { "commit": "c4a4d603796c727b9555867571f89483be9c565e", "tree": "ae3b47a7b8b35c866df53cb4b4a051d49a28904a", "parents": [ "7e6bd8fadd1216f50468f965d0308f45e5109ced" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Wed Nov 16 23:15:31 2011 -0800" }, "committer": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Sat Apr 07 16:55:51 2012 -0700" }, "message": "userns: Use cred-\u003euser_ns instead of cred-\u003euser-\u003euser_ns\n\nOptimize performance and prepare for the removal of the user_ns reference\nfrom user_struct. Remove the slow long walk through cred-\u003euser-\u003euser_ns and\ninstead go straight to cred-\u003euser_ns.\n\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n" }, { "commit": "9d944ef32e83405a07376f112e9f02161d3e9731", "tree": "24170ff64fb83221da133e2afb53f58e840a6eee", "parents": [ "d0bd587a80960d7ba7e0c8396e154028c9045c54" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Fri Mar 23 15:02:48 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Mar 23 16:58:41 2012 -0700" }, "message": "usermodehelper: kill umh_wait, renumber UMH_* constants\n\nNo functional changes. It is not sane to use UMH_KILLABLE with enum\numh_wait, but obviously we do not want another argument in\ncall_usermodehelper_* helpers. Kill this enum, use the plain int.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nCc: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nCc: Rusty Russell \u003crusty@rustcorp.com.au\u003e\nCc: Tejun Heo \u003ctj@kernel.org\u003e\nCc: David Rientjes \u003crientjes@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "f63d395d47f37a4fe771e6d4b1db9d2cdae5ffc5", "tree": "3448a14ae965802adb963762cadeb9989ce4caa2", "parents": [ "643ac9fc5429e85b8b7f534544b80bcc4f34c367", "5a7c9eec9fde1da0e3adf0a4ddb64ff2a324a492" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Mar 23 08:53:47 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Mar 23 08:53:47 2012 -0700" }, "message": "Merge tag \u0027nfs-for-3.4-1\u0027 of git://git.linux-nfs.org/projects/trondmy/linux-nfs\n\nPull NFS client updates for Linux 3.4 from Trond Myklebust:\n \"New features include:\n - Add NFS client support for containers.\n\n This should enable most of the necessary functionality, including\n lockd support, and support for rpc.statd, NFSv4 idmapper and\n RPCSEC_GSS upcalls into the correct network namespace from which\n the mount system call was issued.\n\n - NFSv4 idmapper scalability improvements\n\n Base the idmapper cache on the keyring interface to allow\n concurrent access to idmapper entries. Start the process of\n migrating users from the single-threaded daemon-based approach to\n the multi-threaded request-key based approach.\n\n - NFSv4.1 implementation id.\n\n Allows the NFSv4.1 client and server to mutually identify each\n other for logging and debugging purposes.\n\n - Support the \u0027vers\u003d4.1\u0027 mount option for mounting NFSv4.1 instead of\n having to use the more counterintuitive \u0027vers\u003d4,minorversion\u003d1\u0027.\n\n - SUNRPC tracepoints.\n\n Start the process of adding tracepoints in order to improve\n debugging of the RPC layer.\n\n - pNFS object layout support for autologin.\n\n Important bugfixes include:\n\n - Fix a bug in rpc_wake_up/rpc_wake_up_status that caused them to\n fail to wake up all tasks when applied to priority waitqueues.\n\n - Ensure that we handle read delegations correctly, when we try to\n truncate a file.\n\n - A number of fixes for NFSv4 state manager loops (mostly to do with\n delegation recovery).\"\n\n* tag \u0027nfs-for-3.4-1\u0027 of git://git.linux-nfs.org/projects/trondmy/linux-nfs: (224 commits)\n NFS: fix sb-\u003es_id in nfs debug prints\n xprtrdma: Remove assumption that each segment is \u003c\u003d PAGE_SIZE\n xprtrdma: The transport should not bug-check when a dup reply is received\n pnfs-obj: autologin: Add support for protocol autologin\n NFS: Remove nfs4_setup_sequence from generic rename code\n NFS: Remove nfs4_setup_sequence from generic unlink code\n NFS: Remove nfs4_setup_sequence from generic read code\n NFS: Remove nfs4_setup_sequence from generic write code\n NFS: Fix more NFS debug related build warnings\n SUNRPC/LOCKD: Fix build warnings when CONFIG_SUNRPC_DEBUG is undefined\n nfs: non void functions must return a value\n SUNRPC: Kill compiler warning when RPC_DEBUG is unset\n SUNRPC/NFS: Add Kbuild dependencies for NFS_DEBUG/RPC_DEBUG\n NFS: Use cond_resched_lock() to reduce latencies in the commit scans\n NFSv4: It is not safe to dereference lsp-\u003els_state in release_lockowner\n NFS: ncommit count is being double decremented\n SUNRPC: We must not use list_for_each_entry_safe() in rpc_wake_up()\n Try using machine credentials for RENEW calls\n NFSv4.1: Fix a few issues in filelayout_commit_pagelist\n NFSv4.1: Clean ups and bugfixes for the pNFS read/writeback/commit code\n ...\n" }, { "commit": "f67dabbdde1fe112dfff05d02890f1e0d54117a8", "tree": "5cf73d686d39df4e9986194ff64e98fdcdd4e444", "parents": [ "df91e49477a9be15921cb2854e1d12a3bdb5e425" ], "author": { "name": "Dan Carpenter", "email": "dan.carpenter@oracle.com", "time": "Tue Mar 06 13:32:16 2012 +0000" }, "committer": { "name": "James Morris", "email": "james.l.morris@oracle.com", "time": "Wed Mar 07 11:12:06 2012 +1100" }, "message": "KEYS: testing wrong bit for KEY_FLAG_REVOKED\n\nThe test for \"if (cred-\u003erequest_key_auth-\u003eflags \u0026 KEY_FLAG_REVOKED) {\"\nshould actually testing that the (1 \u003c\u003c KEY_FLAG_REVOKED) bit is set.\nThe current code actually checks for KEY_FLAG_DEAD.\n\nSigned-off-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n" }, { "commit": "59e6b9c11341e3b8ac5925427c903d4eae435bd8", "tree": "68b39f847badedfca1476fbbf7ef6049a444f493", "parents": [ "0cb3284b535bd5eacc287632b55150c8e5d9edc7" ], "author": { "name": "Bryan Schumaker", "email": "bjschuma@netapp.com", "time": "Fri Feb 24 14:14:50 2012 -0500" }, "committer": { "name": "Trond Myklebust", "email": "Trond.Myklebust@netapp.com", "time": "Thu Mar 01 16:50:31 2012 -0500" }, "message": "Created a function for setting timeouts on keys\n\nThe keyctl_set_timeout function isn\u0027t exported to other parts of the\nkernel, but I want to use it for the NFS idmapper. I already have the\nkey, but I wanted a generic way to set the timeout.\n\nSigned-off-by: Bryan Schumaker \u003cbjschuma@netapp.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Trond Myklebust \u003cTrond.Myklebust@netapp.com\u003e\n" }, { "commit": "9e3ff38647a316e4f92d59b14c8f0eb13b33bb2c", "tree": "2750d9fc94b8fb78d9982ea4a62d586e7f0a7862", "parents": [ "2eb6038c51034bf7f9335b15ce9238a028fdd2d6", "4c2c392763a682354fac65b6a569adec4e4b5387" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Feb 09 17:02:34 2012 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Feb 09 17:02:34 2012 +1100" }, "message": "Merge branch \u0027next-queue\u0027 into next\n" }, { "commit": "7908b3ef6809e49c77d914342dfaa4b946476d7a", "tree": "44af103c5457b4c2286400158dcfc18846a7c4f0", "parents": [ "dcd6c92267155e70a94b3927bce681ce74b80d1f", "acbbb76a26648dfae6fed0989879e40d75692bfc" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 23 08:59:49 2012 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 23 08:59:49 2012 -0800" }, "message": "Merge git://git.samba.org/sfrench/cifs-2.6\n\n* git://git.samba.org/sfrench/cifs-2.6:\n CIFS: Rename *UCS* functions to *UTF16*\n [CIFS] ACL and FSCACHE support no longer EXPERIMENTAL\n [CIFS] Fix build break with multiuser patch when LANMAN disabled\n cifs: warn about impending deprecation of legacy MultiuserMount code\n cifs: fetch credentials out of keyring for non-krb5 auth multiuser mounts\n cifs: sanitize username handling\n keys: add a \"logon\" key type\n cifs: lower default wsize when unix extensions are not used\n cifs: better instrumentation for coalesce_t2\n cifs: integer overflow in parse_dacl()\n cifs: Fix sparse warning when calling cifs_strtoUCS\n CIFS: Add descriptions to the brlock cache functions\n" }, { "commit": "f6b24579d099ebb67f39cd7924a72a7eec0ce6ae", "tree": "a97004bb108138294b77e98466a4b9e76a9a198c", "parents": [ "3db59dd93309710c40aaf1571c607cb0feef3ecb" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Jan 18 10:03:14 2012 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 19 16:16:29 2012 +1100" }, "message": "keys: fix user_defined key sparse messages\n\nReplace the rcu_assign_pointer() calls with rcu_assign_keypointer().\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "700920eb5ba4de5417b446c9a8bb008df2b973e0", "tree": "8e2caa32a5cdcd47347ff84bc3e95915d000f537", "parents": [ "53999bf34d55981328f8ba9def558d3e104d6e36" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Jan 18 15:31:45 2012 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 19 14:38:51 2012 +1100" }, "message": "KEYS: Allow special keyrings to be cleared\n\nThe kernel contains some special internal keyrings, for instance the DNS\nresolver keyring :\n\n2a93faf1 I----- 1 perm 1f030000 0 0 keyring .dns_resolver: empty\n\nIt would occasionally be useful to allow the contents of such keyrings to be\nflushed by root (cache invalidation).\n\nAllow a flag to be set on a keyring to mark that someone possessing the\nsysadmin capability can clear the keyring, even without normal write access to\nthe keyring.\n\nSet this flag on the special keyrings created by the DNS resolver, the NFS\nidentity mapper and the CIFS identity mapper.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nAcked-by: Steve Dickson \u003csteved@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9f6ed2ca257fa8650b876377833e6f14e272848b", "tree": "8b664dced5415a6d463a56c2bc98756bd5ea5e44", "parents": [ "ce91acb3acae26f4163c5a6f1f695d1a1e8d9009" ], "author": { "name": "Jeff Layton", "email": "jlayton@redhat.com", "time": "Tue Jan 17 16:09:11 2012 -0500" }, "committer": { "name": "Steve French", "email": "smfrench@gmail.com", "time": "Tue Jan 17 22:39:40 2012 -0600" }, "message": "keys: add a \"logon\" key type\n\nFor CIFS, we want to be able to store NTLM credentials (aka username\nand password) in the keyring. We do not, however want to allow users\nto fetch those keys back out of the keyring since that would be a\nsecurity risk.\n\nUnfortunately, due to the nuances of key permission bits, it\u0027s not\npossible to do this. We need to grant search permissions so the kernel\ncan find these keys, but that also implies permissions to read the\npayload.\n\nResolve this by adding a new key_type. This key type is essentially\nthe same as key_type_user, but does not define a .read op. This\nprevents the payload from ever being visible from userspace. This\nkey type also vets the description to ensure that it\u0027s \"qualified\"\nby checking to ensure that it has a \u0027:\u0027 in it that is preceded by\nother characters.\n\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Steve French \u003csmfrench@gmail.com\u003e\n" }, { "commit": "6ac6172a935d1faf7ef259802267657bc0007a62", "tree": "034c1a79a3d401926f6b968eb270d34f561e50f1", "parents": [ "ee0b31a25a010116f44fca6c96f4516d417793dd" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Jan 17 20:40:02 2012 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 18 10:41:30 2012 +1100" }, "message": "encrypted-keys: fix rcu and sparse messages\n\nEnabling CONFIG_PROVE_RCU and CONFIG_SPARSE_RCU_POINTER resulted in\n\"suspicious rcu_dereference_check() usage!\" and \"incompatible types\nin comparison expression (different address spaces)\" messages.\n\nAccess the masterkey directly when holding the rwsem.\n\nChangelog v1:\n- Use either rcu_read_lock()/rcu_derefence_key()/rcu_read_unlock()\nor remove the unnecessary rcu_derefence() - David Howells\n\nReported-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ee0b31a25a010116f44fca6c96f4516d417793dd", "tree": "d7670d202d0f4888b5213ed73d88c9a80bd05b74", "parents": [ "efde8b6e16f11e7d1681c68d86c7fd51053cada7" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Jan 17 20:39:51 2012 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 18 10:41:29 2012 +1100" }, "message": "keys: fix trusted/encrypted keys sparse rcu_assign_pointer messages\n\nDefine rcu_assign_keypointer(), which uses the key payload.rcudata instead\nof payload.data, to resolve the CONFIG_SPARSE_RCU_POINTER message:\n\"incompatible types in comparison expression (different address spaces)\"\n\nReplace the rcu_assign_pointer() calls in encrypted/trusted keys with\nrcu_assign_keypointer().\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "efde8b6e16f11e7d1681c68d86c7fd51053cada7", "tree": "4fb5e80428c4f36c5da35ff3319cd71c1771451c", "parents": [ "25add8cf99c9ec8b8dc0acd8b9241e963fc0d29c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jan 17 20:39:40 2012 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 18 10:41:27 2012 +1100" }, "message": "KEYS: Add missing smp_rmb() primitives to the keyring search code\n\nAdd missing smp_rmb() primitives to the keyring search code.\n\nWhen keyring payloads are appended to without replacement (thus using up spare\nslots in the key pointer array), an smp_wmb() is issued between the pointer\nassignment and the increment of the key count (nkeys).\n\nThere should be corresponding read barriers between the read of nkeys and\ndereferences of keys[n] when n is dependent on the value of nkeys.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8fcc99549522fc7a0bbaeb5755855ab0d9a59ce8", "tree": "a118eaef15d4ba22247f45ee01537ecc906cd161", "parents": [ "805a6af8dba5dfdd35ec35dc52ec0122400b2610", "7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 09 12:16:48 2012 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 09 12:16:48 2012 +1100" }, "message": "Merge branch \u0027next\u0027 into for-linus\n\nConflicts:\n\tsecurity/integrity/evm/evm_crypto.c\n\nResolved upstream fix vs. next conflict manually.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7845bc3964756240863ae453ffe4f7ee27ddc954", "tree": "3a3b9bf568184a3ae82bc581b63e1576ce99d7c8", "parents": [ "24942c8e5cc8696064ee207ff29d4cf21f70dafc" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Nov 16 11:15:54 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 17 09:35:32 2011 +1100" }, "message": "KEYS: Give key types their own lockdep class for key-\u003esem\n\nGive keys their own lockdep class to differentiate them from each other in case\na key of one type has to refer to a key of another type.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9c69898783a0121399ec078d40d4ccc00e3cb0df", "tree": "7163913d680c3160918a466f92cacb473c2c91ec", "parents": [ "f4a0d5abef14562c37dee5a1d49180f494106230" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Sun Oct 16 19:17:48 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Nov 16 14:23:14 2011 -0500" }, "message": "encrypted-keys: module build fixes\n\nEncrypted keys are encrypted/decrypted using either a trusted or\nuser-defined key type, which is referred to as the \u0027master\u0027 key.\nThe master key may be of type trusted iff the trusted key is\nbuiltin or both the trusted key and encrypted keys are built as\nmodules. This patch resolves the build dependency problem.\n\n- Use \"masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS)\" construct\nto encapsulate the above logic. (Suggested by Dimtry Kasatkin.)\n- Fixing the encrypted-keys Makefile, results in a module name change\nfrom encrypted.ko to encrypted-keys.ko.\n- Add module dependency for request_trusted_key() definition\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "f4a0d5abef14562c37dee5a1d49180f494106230", "tree": "be3b35ecaf9a2372fae08ac83d006b21e1c43021", "parents": [ "ff0ff78068dd8a962358dbbdafa9d6f24540d3e5" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Oct 24 08:17:42 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Nov 16 14:23:13 2011 -0500" }, "message": "encrypted-keys: fix error return code\n\nFix request_master_key() error return code.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "9f35a33b8d06263a165efe3541d9aa0cdbd70b3b", "tree": "2825d1bf9ea73d22e4cab45bb2cdc021c6e09380", "parents": [ "cfcfc9eca2bcbd26a8e206baeb005b055dbf8e37" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Nov 15 22:09:45 2011 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Nov 15 22:32:38 2011 -0200" }, "message": "KEYS: Fix a NULL pointer deref in the user-defined key type\n\nFix a NULL pointer deref in the user-defined key type whereby updating a\nnegative key into a fully instantiated key will cause an oops to occur\nwhen the code attempts to free the non-existent old payload.\n\nThis results in an oops that looks something like the following:\n\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000008\n IP: [\u003cffffffff81085fa1\u003e] __call_rcu+0x11/0x13e\n PGD 3391d067 PUD 3894a067 PMD 0\n Oops: 0002 [#1] SMP\n CPU 1\n Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140 /DG965RY\n RIP: 0010:[\u003cffffffff81085fa1\u003e] [\u003cffffffff81085fa1\u003e] __call_rcu+0x11/0x13e\n RSP: 0018:ffff88003d591df8 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e\n RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c\n R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538\n R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908\n FS: 00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\n Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)\n Stack:\n ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50\n ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea\n ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0\n Call Trace:\n [\u003cffffffff810860f0\u003e] call_rcu_sched+0x10/0x12\n [\u003cffffffff8117bfea\u003e] user_update+0x8d/0xa2\n [\u003cffffffff8117723a\u003e] key_create_or_update+0x236/0x270\n [\u003cffffffff811789b1\u003e] sys_add_key+0x123/0x17e\n [\u003cffffffff813b84bb\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nAcked-by: Neil Horman \u003cnhorman@redhat.com\u003e\nAcked-by: Steve Dickson \u003csteved@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "02473119bc54b0b239c2501064c7a37314347f87", "tree": "e3f0cdfbe4ee67d089ab731f213b2e0f91a3daa1", "parents": [ "50e1499f468fd74c6db95deb2e1e6bfee578ae70" ], "author": { "name": "Andy Shevchenko", "email": "andriy.shevchenko@linux.intel.com", "time": "Mon Oct 31 17:12:55 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 31 17:30:56 2011 -0700" }, "message": "security: follow rename pack_hex_byte() to hex_byte_pack()\n\nThere is no functional change.\n\nSigned-off-by: Andy Shevchenko \u003candriy.shevchenko@linux.intel.com\u003e\nCc: Mimi Zohar \u003czohar@us.ibm.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "fcf634098c00dd9cd247447368495f0b79be12d1", "tree": "77fc98cd461bd52ba3b14e833d54a115ffbbd7bc", "parents": [ "32ea845d5bafc37b7406bea1aee3005407cb0900" ], "author": { "name": "Christopher Yeoh", "email": "cyeoh@au1.ibm.com", "time": "Mon Oct 31 17:06:39 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 31 17:30:44 2011 -0700" }, "message": "Cross Memory Attach\n\nThe basic idea behind cross memory attach is to allow MPI programs doing\nintra-node communication to do a single copy of the message rather than a\ndouble copy of the message via shared memory.\n\nThe following patch attempts to achieve this by allowing a destination\nprocess, given an address and size from a source process, to copy memory\ndirectly from the source process into its own address space via a system\ncall. There is also a symmetrical ability to copy from the current\nprocess\u0027s address space into a destination process\u0027s address space.\n\n- Use of /proc/pid/mem has been considered, but there are issues with\n using it:\n - Does not allow for specifying iovecs for both src and dest, assuming\n preadv or pwritev was implemented either the area read from or\n written to would need to be contiguous.\n - Currently mem_read allows only processes who are currently\n ptrace\u0027ing the target and are still able to ptrace the target to read\n from the target. This check could possibly be moved to the open call,\n but its not clear exactly what race this restriction is stopping\n (reason appears to have been lost)\n - Having to send the fd of /proc/self/mem via SCM_RIGHTS on unix\n domain socket is a bit ugly from a userspace point of view,\n especially when you may have hundreds if not (eventually) thousands\n of processes that all need to do this with each other\n - Doesn\u0027t allow for some future use of the interface we would like to\n consider adding in the future (see below)\n - Interestingly reading from /proc/pid/mem currently actually\n involves two copies! (But this could be fixed pretty easily)\n\nAs mentioned previously use of vmsplice instead was considered, but has\nproblems. Since you need the reader and writer working co-operatively if\nthe pipe is not drained then you block. Which requires some wrapping to\ndo non blocking on the send side or polling on the receive. In all to all\ncommunication it requires ordering otherwise you can deadlock. And in the\nexample of many MPI tasks writing to one MPI task vmsplice serialises the\ncopying.\n\nThere are some cases of MPI collectives where even a single copy interface\ndoes not get us the performance gain we could. For example in an\nMPI_Reduce rather than copy the data from the source we would like to\ninstead use it directly in a mathops (say the reduce is doing a sum) as\nthis would save us doing a copy. We don\u0027t need to keep a copy of the data\nfrom the source. I haven\u0027t implemented this, but I think this interface\ncould in the future do all this through the use of the flags - eg could\nspecify the math operation and type and the kernel rather than just\ncopying the data would apply the specified operation between the source\nand destination and store it in the destination.\n\nAlthough we don\u0027t have a \"second user\" of the interface (though I\u0027ve had\nsome nibbles from people who may be interested in using it for intra\nprocess messaging which is not MPI). This interface is something which\nhardware vendors are already doing for their custom drivers to implement\nfast local communication. And so in addition to this being useful for\nOpenMPI it would mean the driver maintainers don\u0027t have to fix things up\nwhen the mm changes.\n\nThere was some discussion about how much faster a true zero copy would\ngo. Here\u0027s a link back to the email with some testing I did on that:\n\nhttp://marc.info/?l\u003dlinux-mm\u0026m\u003d130105930902915\u0026w\u003d2\n\nThere is a basic man page for the proposed interface here:\n\nhttp://ozlabs.org/~cyeoh/cma/process_vm_readv.txt\n\nThis has been implemented for x86 and powerpc, other architecture should\nmainly (I think) just need to add syscall numbers for the process_vm_readv\nand process_vm_writev. There are 32 bit compatibility versions for\n64-bit kernels.\n\nFor arch maintainers there are some simple tests to be able to quickly\nverify that the syscalls are working correctly here:\n\nhttp://ozlabs.org/~cyeoh/cma/cma-test-20110718.tgz\n\nSigned-off-by: Chris Yeoh \u003cyeohc@au1.ibm.com\u003e\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nCc: \"H. Peter Anvin\" \u003chpa@zytor.com\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Arnd Bergmann \u003carnd@arndb.de\u003e\nCc: Paul Mackerras \u003cpaulus@samba.org\u003e\nCc: Benjamin Herrenschmidt \u003cbenh@kernel.crashing.org\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \u003clinux-man@vger.kernel.org\u003e\nCc: \u003clinux-arch@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2b3ff6319e2312656fbefe0209bef02d58b6836a", "tree": "43041b8a5e6fe31dadf2ad682d73fa873476b952", "parents": [ "2684bf7f29cfb13ef2c60f3b3a53ee47d0db7022" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Sep 20 11:23:55 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Sep 20 23:26:44 2011 -0400" }, "message": "encrypted-keys: check hex2bin result\n\nFor each hex2bin call in encrypted keys, check that the ascii hex string\nis valid. On failure, return -EINVAL.\n\nChangelog v1:\n- hex2bin now returns an int\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nAcked-by: Andy Shevchenko \u003candy.shevchenko@gmail.com\u003e\n" }, { "commit": "2684bf7f29cfb13ef2c60f3b3a53ee47d0db7022", "tree": "bbdc0709c643e58a22443ab086c6e4aa80329e17", "parents": [ "b78049831ffed65f0b4e61f69df14f3ab17922cb" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Sep 20 11:23:52 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Sep 20 23:26:05 2011 -0400" }, "message": "trusted-keys: check hex2bin result\n\nFor each hex2bin call in trusted keys, check that the ascii hex string is\nvalid. On failure, return -EINVAL.\n\nChangelog v1:\n- hex2bin now returns an int\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nAcked-by: Andy Shevchenko \u003candy.shevchenko@gmail.com\u003e\n" }, { "commit": "cc100551b4d92f47abebfa7c7918b2be71263b4a", "tree": "d603f15ff5ef28efd5f818817aca036045ac8a8b", "parents": [ "8de6ac7f58a22fdab399fbe97763e465ea49c735" ], "author": { "name": "Stephen Rothwell", "email": "sfr@canb.auug.org.au", "time": "Thu Sep 15 17:07:15 2011 +1000" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Thu Sep 15 17:37:24 2011 -0400" }, "message": "encrypted-keys: IS_ERR need include/err.h\n\nFixes this build error:\n\nsecurity/keys/encrypted-keys/masterkey_trusted.c: In function \u0027request_trusted_key\u0027:\nsecurity/keys/encrypted-keys/masterkey_trusted.c:35:2: error: implicit declaration of function \u0027IS_ERR\u0027\n\nSigned-off-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "982e617a313b57abee3bcfa53381c356d00fd64a", "tree": "ba23ab206aaff2331bca116cebd11ad4ef580c32", "parents": [ "61cf45d0199041df1a8ba334b6bf4a3a13b7f904" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Sat Aug 27 22:21:26 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Sep 14 15:23:49 2011 -0400" }, "message": "encrypted-keys: remove trusted-keys dependency\n\nEncrypted keys are decrypted/encrypted using either a trusted-key or,\nfor those systems without a TPM, a user-defined key. This patch\nremoves the trusted-keys and TCG_TPM dependencies.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "61cf45d0199041df1a8ba334b6bf4a3a13b7f904", "tree": "b287399eb3704b766d2ba3d9a36de0bb57f70139", "parents": [ "a8f7640963ada66c412314c3559c11ff6946c1a5" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Sep 14 15:06:00 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Sep 14 15:22:26 2011 -0400" }, "message": "encrypted-keys: create encrypted-keys directory\n\nMove all files associated with encrypted keys to keys/encrypted-keys.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "0c061b5707ab84ebfe8f18f1c9c3110ae5cd6073", "tree": "cb6e83458126f3cc9ef9f5504937c8445f790b0f", "parents": [ "d199798bdf969873f78d48140600ff0a98a87e69" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:09:36 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:37 2011 +1000" }, "message": "KEYS: Correctly destroy key payloads when their keytype is removed\n\nunregister_key_type() has code to mark a key as dead and make it unavailable in\none loop and then destroy all those unavailable key payloads in the next loop.\nHowever, the loop to mark keys dead renders the key undetectable to the second\nloop by changing the key type pointer also.\n\nFix this by the following means:\n\n (1) The key code has two garbage collectors: one deletes unreferenced keys and\n the other alters keyrings to delete links to old dead, revoked and expired\n keys. They can end up holding each other up as both want to scan the key\n serial tree under spinlock. Combine these into a single routine.\n\n (2) Move the dead key marking, dead link removal and dead key removal into the\n garbage collector as a three phase process running over the three cycles\n of the normal garbage collection procedure. This is tracked by the\n KEY_GC_REAPING_DEAD_1, _2 and _3 state flags.\n\n unregister_key_type() then just unlinks the key type from the list, wakes\n up the garbage collector and waits for the third phase to complete.\n\n (3) Downgrade the key types sem in unregister_key_type() once it has deleted\n the key type from the list so that it doesn\u0027t block the keyctl() syscall.\n\n (4) Dead keys that cannot be simply removed in the third phase have their\n payloads destroyed with the key\u0027s semaphore write-locked to prevent\n interference by the keyctl() syscall. There should be no in-kernel users\n of dead keys of that type by the point of unregistration, though keyctl()\n may be holding a reference.\n\n (5) Only perform timer recalculation in the GC if the timer actually expired.\n If it didn\u0027t, we\u0027ll get another cycle when it goes off - and if the key\n that actually triggered it has been removed, it\u0027s not a problem.\n\n (6) Only garbage collect link if the timer expired or if we\u0027re doing dead key\n clean up phase 2.\n\n (7) As only key_garbage_collector() is permitted to use rb_erase() on the key\n serial tree, it doesn\u0027t need to revalidate its cursor after dropping the\n spinlock as the node the cursor points to must still exist in the tree.\n\n (8) Drop the spinlock in the GC if there is contention on it or if we need to\n reschedule. After dealing with that, get the spinlock again and resume\n scanning.\n\nThis has been tested in the following ways:\n\n (1) Run the keyutils testsuite against it.\n\n (2) Using the AF_RXRPC and RxKAD modules to test keytype removal:\n\n Load the rxrpc_s key type:\n\n\t# insmod /tmp/af-rxrpc.ko\n\t# insmod /tmp/rxkad.ko\n\n Create a key (http://people.redhat.com/~dhowells/rxrpc/listen.c):\n\n\t# /tmp/listen \u0026\n\t[1] 8173\n\n Find the key:\n\n\t# grep rxrpc_s /proc/keys\n\t091086e1 I--Q-- 1 perm 39390000 0 0 rxrpc_s 52:2\n\n Link it to a session keyring, preferably one with a higher serial number:\n\n\t# keyctl link 0x20e36251 @s\n\n Kill the process (the key should remain as it\u0027s linked to another place):\n\n\t# fg\n\t/tmp/listen\n\t^C\n\n Remove the key type:\n\n\trmmod rxkad\n\trmmod af-rxrpc\n\n This can be made a more effective test by altering the following part of\n the patch:\n\n\tif (unlikely(gc_state \u0026 KEY_GC_REAPING_DEAD_2)) {\n\t\t/* Make sure everyone revalidates their keys if we marked a\n\t\t * bunch as being dead and make sure all keyring ex-payloads\n\t\t * are destroyed.\n\t\t */\n\t\tkdebug(\"dead sync\");\n\t\tsynchronize_rcu();\n\n To call synchronize_rcu() in GC phase 1 instead. That causes that the\n keyring\u0027s old payload content to hang around longer until it\u0027s RCU\n destroyed - which usually happens after GC phase 3 is complete. This\n allows the destroy_dead_key branch to be tested.\n\nReported-by: Benjamin Coddington \u003cbcodding@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d199798bdf969873f78d48140600ff0a98a87e69", "tree": "fb0fbfe0eda27054eae9c9efe0240ace297c3661", "parents": [ "b072e9bc2fe9aeff4e104e80e479160349f474a9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:09:28 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:36 2011 +1000" }, "message": "KEYS: The dead key link reaper should be non-reentrant\n\nThe dead key link reaper should be non-reentrant as it relies on global state\nto keep track of where it\u0027s got to when it returns to the work queue manager to\ngive it some air.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b072e9bc2fe9aeff4e104e80e479160349f474a9", "tree": "4f243698284aace64f4b5c9e5b9bee107c10e13b", "parents": [ "8bc16deabce7649e480e94b648c88d4e90c34352" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:09:20 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:36 2011 +1000" }, "message": "KEYS: Make the key reaper non-reentrant\n\nMake the key reaper non-reentrant by sticking it on the appropriate system work\nqueue when we queue it. This will allow it to have global state and drop\nlocks. It should probably be non-reentrant already as it may spend a long time\nholding the key serial spinlock, and so multiple entrants can spend long\nperiods of time just sitting there spinning, waiting to get the lock.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8bc16deabce7649e480e94b648c88d4e90c34352", "tree": "d9e28a921375e7448801b0b89ff43a7e0d2e61ff", "parents": [ "012146d0728f85f7a5c7c36fb84bba33e2760507" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:09:11 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:36 2011 +1000" }, "message": "KEYS: Move the unreferenced key reaper to the keys garbage collector file\n\nMove the unreferenced key reaper function to the keys garbage collector file\nas that\u0027s a more appropriate place with the dead key link reaper.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6d528b082294f0ddabd6368297546a2c0b67d4fe", "tree": "268bf5dbd454c689947c51867bf5b77e21c97eae", "parents": [ "3ecf1b4f347210e39b156177e5b8a26ff8d00279" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:08:51 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:34 2011 +1000" }, "message": "KEYS: __key_link() should use the RCU deref wrapper for keyring payloads\n\n__key_link() should use the RCU deref wrapper rcu_dereference_locked_keyring()\nfor accessing keyring payloads rather than calling rcu_dereference_protected()\ndirectly.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3ecf1b4f347210e39b156177e5b8a26ff8d00279", "tree": "ba3cf0155e5dd29c4963e6a8895d7262e0ef13d5", "parents": [ "995995378f996a8aa1cf4e4ddc0f79fbfd45496f" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:08:43 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:34 2011 +1000" }, "message": "KEYS: keyctl_get_keyring_ID() should create a session keyring if create flag set\n\nThe keyctl call:\n\n\tkeyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1)\n\nshould create a session keyring if the process doesn\u0027t have one of its own\nbecause the create flag argument is set - rather than subscribing to and\nreturning the user-session keyring as:\n\n\tkeyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)\n\nwill do.\n\nThis can be tested by commenting out pam_keyinit in the /etc/pam.d files and\nrunning the following program a couple of times in a row:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\tint main(int argc, char *argv[])\n\t{\n\t\tkey_serial_t uk, usk, sk, nsk;\n\t\tuk \u003d keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);\n\t\tusk \u003d keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);\n\t\tsk \u003d keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);\n\t\tnsk \u003d keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1);\n\t\tprintf(\"keys: %08x %08x %08x %08x\\n\", uk, usk, sk, nsk);\n\t\treturn 0;\n\t}\n\nWithout this patch, I see:\n\n\tkeys: 3975ddc7 119c0c66 119c0c66 119c0c66\n\tkeys: 3975ddc7 119c0c66 119c0c66 119c0c66\n\nWith this patch, I see:\n\n\tkeys: 2cb4997b 34112878 34112878 17db2ce3\n\tkeys: 2cb4997b 34112878 34112878 39f3c73e\n\nAs can be seen, the session keyring starts off the same as the user-session\nkeyring each time, but with the patch a new session keyring is created when\nthe create flag is set.\n\nReported-by: Greg Wettstein \u003cgreg@enjellic.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Greg Wettstein \u003cgreg@enjellic.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "995995378f996a8aa1cf4e4ddc0f79fbfd45496f", "tree": "ddc0c1305767e683535120361a5f5848b7ae3803", "parents": [ "c5532b09bf40c398f2acfdd8f100c796d1d3f881" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:08:33 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:33 2011 +1000" }, "message": "KEYS: If install_session_keyring() is given a keyring, it should install it\n\nIf install_session_keyring() is given a keyring, it should install it rather\nthan just creating a new one anyway. This was accidentally broken in:\n\n\tcommit d84f4f992cbd76e8f39c488cf0c5d123843923b1\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Fri Nov 14 10:39:23 2008 +1100\n\tSubject: CRED: Inaugurate COW credentials\n\nThe impact of that commit is that pam_keyinit no longer works correctly if\n\u0027force\u0027 isn\u0027t specified against a login process. This is because:\n\n\tkeyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)\n\nnow always creates a new session keyring and thus the check whether the session\nkeyring and the user-session keyring are the same is always false. This leads\npam_keyinit to conclude that a session keyring is installed and it shouldn\u0027t be\nrevoked by pam_keyinit here if \u0027revoke\u0027 is specified.\n\nAny system that specifies \u0027force\u0027 against pam_keyinit in the PAM configuration\nfiles for login methods (login, ssh, su -l, kdm, etc.) is not affected since\nthat bypasses the broken check and forces the creation of a new session keyring\nanyway (for which the revoke flag is not cleared) - and any subsequent call to\npam_keyinit really does have a session keyring already installed, and so the\ncheck works correctly there.\n\nReverting to the previous behaviour will cause the kernel to subscribe the\nprocess to the user-session keyring as its session keyring if it doesn\u0027t have a\nsession keyring of its own. pam_keyinit will detect this and install a new\nsession keyring anyway (and won\u0027t clear the revert flag).\n\nThis can be tested by commenting out pam_keyinit in the /etc/pam.d files and\nrunning the following program a couple of times in a row:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\tint main(int argc, char *argv[])\n\t{\n\t\tkey_serial_t uk, usk, sk;\n\t\tuk \u003d keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);\n\t\tusk \u003d keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);\n\t\tsk \u003d keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);\n\t\tprintf(\"keys: %08x %08x %08x\\n\", uk, usk, sk);\n\t\treturn 0;\n\t}\n\nWithout the patch, I see:\n\n\tkeys: 3884e281 24c4dfcf 22825f8e\n\tkeys: 3884e281 24c4dfcf 068772be\n\nWith the patch, I see:\n\n\tkeys: 26be9c83 0e755ce0 0e755ce0\n\tkeys: 26be9c83 0e755ce0 0e755ce0\n\nAs can be seen, with the patch, the session keyring is the same as the\nuser-session keyring each time; without the patch a new session keyring is\ngenerated each time.\n\nReported-by: Greg Wettstein \u003cgreg@enjellic.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Greg Wettstein \u003cgreg@enjellic.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "95b6886526bb510b8370b625a49bc0ab3b8ff10f", "tree": "2862606224820d200be12d2092dcd26df1654b80", "parents": [ "22712200e175e0df5c7f9edfe6c6bf5c94c23b83", "29412f0f6a19e34336368f13eab848091c343952" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jul 27 19:26:38 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jul 27 19:26:38 2011 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (54 commits)\n tpm_nsc: Fix bug when loading multiple TPM drivers\n tpm: Move tpm_tis_reenable_interrupts out of CONFIG_PNP block\n tpm: Fix compilation warning when CONFIG_PNP is not defined\n TOMOYO: Update kernel-doc.\n tpm: Fix a typo\n tpm_tis: Probing function for Intel iTPM bug\n tpm_tis: Fix the probing for interrupts\n tpm_tis: Delay ACPI S3 suspend while the TPM is busy\n tpm_tis: Re-enable interrupts upon (S3) resume\n tpm: Fix display of data in pubek sysfs entry\n tpm_tis: Add timeouts sysfs entry\n tpm: Adjust interface timeouts if they are too small\n tpm: Use interface timeouts returned from the TPM\n tpm_tis: Introduce durations sysfs entry\n tpm: Adjust the durations if they are too small\n tpm: Use durations returned from TPM\n TOMOYO: Enable conditional ACL.\n TOMOYO: Allow using argv[]/envp[] of execve() as conditions.\n TOMOYO: Allow using executable\u0027s realpath and symlink\u0027s target as conditions.\n TOMOYO: Allow using owner/group etc. of file objects as conditions.\n ...\n\nFix up trivial conflict in security/tomoyo/realpath.c\n" }, { "commit": "b7e9c223be8ce335e30f2cf6ba588e6a4092275c", "tree": "2d1e3b75606abc18df7ad65e51ac3f90cd68b38d", "parents": [ "c172d82500a6cf3c32d1e650722a1055d72ce858", "e3bbfa78bab125f58b831b5f7f45b5a305091d72" ], "author": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Mon Jul 11 14:15:48 2011 +0200" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Mon Jul 11 14:15:55 2011 +0200" }, "message": "Merge branch \u0027master\u0027 into for-next\n\nSync with Linus\u0027 tree to be able to apply pending patches that\nare based on newer code already present upstream.\n" }, { "commit": "d8bf4ca9ca9576548628344c9725edd3786e90b1", "tree": "df338f50a5af6bc3651bd863b79fa91e6b1e9e20", "parents": [ "eb032b9837a958e21ca000358a5bde5e17192ddb" ], "author": { "name": "Michal Hocko", "email": "mhocko@suse.cz", "time": "Fri Jul 08 14:39:41 2011 +0200" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Fri Jul 08 22:21:58 2011 +0200" }, "message": "rcu: treewide: Do not use rcu_read_lock_held when calling rcu_dereference_check\n\nSince ca5ecddf (rcu: define __rcu address space modifier for sparse)\nrcu_dereference_check use rcu_read_lock_held as a part of condition\nautomatically so callers do not have to do that as well.\n\nSigned-off-by: Michal Hocko \u003cmhocko@suse.cz\u003e\nAcked-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\n" }, { "commit": "5b944a71a192977c1c018bbcfa0c52dca48e2368", "tree": "9f234c4a93bb28890ad086c846d2bf0b35f7f7ae", "parents": [ "0e4ae0e0dec634b2ae53ac57d14141b140467dbe", "c017d0d1351f916c0ced3f358afc491fdcf490b4" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 30 18:43:56 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 30 18:43:56 2011 +1000" }, "message": "Merge branch \u0027linus\u0027 into next\n" }, { "commit": "79a73d188726b473ca3bf483244bc96096831905", "tree": "787ba050c91981cae2524b1e95e415424b067e64", "parents": [ "f8f8527103a264b5e4ab2ce5c1743b28f3219d90" ], "author": { "name": "Roberto Sassu", "email": "roberto.sassu@polito.it", "time": "Mon Jun 27 13:45:44 2011 +0200" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jun 27 09:11:17 2011 -0400" }, "message": "encrypted-keys: add ecryptfs format support\n\nThe \u0027encrypted\u0027 key type defines its own payload format which contains a\nsymmetric key randomly generated that cannot be used directly to mount\nan eCryptfs filesystem, because it expects an authentication token\nstructure.\n\nThis patch introduces the new format \u0027ecryptfs\u0027 that allows to store an\nauthentication token structure inside the encrypted key payload containing\na randomly generated symmetric key, as the same for the format \u0027default\u0027.\n\nMore details about the usage of encrypted keys with the eCryptfs\nfilesystem can be found in the file \u0027Documentation/keys-ecryptfs.txt\u0027.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nAcked-by: Tyler Hicks \u003ctyhicks@linux.vnet.ibm.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n" }, { "commit": "4e561d388feff18e4b798cef6a1a84a2cc7f20c2", "tree": "9208588c7d0e5e75766dd2c98e960840fdc8681e", "parents": [ "7103dff0e598cd634767f17a2958302c515700ca" ], "author": { "name": "Roberto Sassu", "email": "roberto.sassu@polito.it", "time": "Mon Jun 27 13:45:42 2011 +0200" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jun 27 09:10:45 2011 -0400" }, "message": "encrypted-keys: add key format support\n\nThis patch introduces a new parameter, called \u0027format\u0027, that defines the\nformat of data stored by encrypted keys. The \u0027default\u0027 format identifies\nencrypted keys containing only the symmetric key, while other formats can\nbe defined to support additional information. The \u0027format\u0027 parameter is\nwritten in the datablob produced by commands \u0027keyctl print\u0027 or\n\u0027keyctl pipe\u0027 and is integrity protected by the HMAC.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n" }, { "commit": "7103dff0e598cd634767f17a2958302c515700ca", "tree": "cbbacf38aee2ecd3ad6d004307197186dd35ab73", "parents": [ "08fa2aa54e72ddde8076cc77126bace8d4780e0f" ], "author": { "name": "Roberto Sassu", "email": "roberto.sassu@polito.it", "time": "Mon Jun 27 13:45:41 2011 +0200" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jun 27 09:10:34 2011 -0400" }, "message": "encrypted-keys: added additional debug messages\n\nSome debug messages have been added in the function datablob_parse() in\norder to better identify errors returned when dealing with \u0027encrypted\u0027\nkeys.\n\nChangelog from version v4:\n- made the debug messages more understandable \n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n" }, { "commit": "08fa2aa54e72ddde8076cc77126bace8d4780e0f", "tree": "5ced9b831123e37b6e91367ed5f56e4acd095a0c", "parents": [ "f91c2c5cfa2950a20265b45bcc13e49ed9e49aac" ], "author": { "name": "Roberto Sassu", "email": "roberto.sassu@polito.it", "time": "Mon Jun 27 13:45:40 2011 +0200" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jun 27 09:08:52 2011 -0400" }, "message": "encrypted-keys: fixed valid_master_desc() function description\n\nValid key type prefixes for the parameter \u0027key-type\u0027 are: \u0027trusted\u0027 and\n\u0027user\u0027.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n" }, { "commit": "f91c2c5cfa2950a20265b45bcc13e49ed9e49aac", "tree": "f5ed8f02cc44dfe9274440c8cdcd50b4345621e6", "parents": [ "4d67431f80b1b822f0286afc9123ee453eac7334" ], "author": { "name": "Roberto Sassu", "email": "roberto.sassu@polito.it", "time": "Mon Jun 27 13:45:39 2011 +0200" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jun 27 09:08:39 2011 -0400" }, "message": "encrypted_keys: avoid dumping the master key if the request fails\n\nDo not dump the master key if an error is encountered during the request.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n" }, { "commit": "b1d7dd80aadb9042e83f9778b484a2f92e0b04d4", "tree": "33044314f0a058724e9ee912cca6fe55c2284cf1", "parents": [ "35052cffe0081904f3362c05818db900dd9dc7de" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jun 21 14:32:05 2011 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jun 21 18:31:45 2011 -0700" }, "message": "KEYS: Fix error handling in construct_key_and_link()\n\nFix error handling in construct_key_and_link().\n\nIf construct_alloc_key() returns an error, it shouldn\u0027t pass out through\nthe normal path as the key_serial() called by the kleave() statement\nwill oops when it gets an error code in the pointer:\n\n BUG: unable to handle kernel paging request at ffffffffffffff84\n IP: [\u003cffffffff8120b401\u003e] request_key_and_link+0x4d7/0x52f\n ..\n Call Trace:\n [\u003cffffffff8120b52c\u003e] request_key+0x41/0x75\n [\u003cffffffffa00ed6e8\u003e] cifs_get_spnego_key+0x206/0x226 [cifs]\n [\u003cffffffffa00eb0c9\u003e] CIFS_SessSetup+0x511/0x1234 [cifs]\n [\u003cffffffffa00d9799\u003e] cifs_setup_session+0x90/0x1ae [cifs]\n [\u003cffffffffa00d9c02\u003e] cifs_get_smb_ses+0x34b/0x40f [cifs]\n [\u003cffffffffa00d9e05\u003e] cifs_mount+0x13f/0x504 [cifs]\n [\u003cffffffffa00caabb\u003e] cifs_do_mount+0xc4/0x672 [cifs]\n [\u003cffffffff8113ae8c\u003e] mount_fs+0x69/0x155\n [\u003cffffffff8114ff0e\u003e] vfs_kern_mount+0x63/0xa0\n [\u003cffffffff81150be2\u003e] do_kern_mount+0x4d/0xdf\n [\u003cffffffff81152278\u003e] do_mount+0x63c/0x69f\n [\u003cffffffff8115255c\u003e] sys_mount+0x88/0xc2\n [\u003cffffffff814fbdc2\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "879669961b11e7f40b518784863a259f735a72bf", "tree": "9bff5392e365caf656c9dd9be38f7471c182278c", "parents": [ "eb96c925152fc289311e5d7e956b919e9b60ab53" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Jun 17 11:25:59 2011 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jun 17 09:40:48 2011 -0700" }, "message": "KEYS/DNS: Fix ____call_usermodehelper() to not lose the session keyring\n\n____call_usermodehelper() now erases any credentials set by the\nsubprocess_inf::init() function. The problem is that commit\n17f60a7da150 (\"capabilites: allow the application of capability limits\nto usermode helpers\") creates and commits new credentials with\nprepare_kernel_cred() after the call to the init() function. This wipes\nall keyrings after umh_keys_init() is called.\n\nThe best way to deal with this is to put the init() call just prior to\nthe commit_creds() call, and pass the cred pointer to init(). That\nmeans that umh_keys_init() and suchlike can modify the credentials\n_before_ they are published and potentially in use by the rest of the\nsystem.\n\nThis prevents request_key() from working as it is prevented from passing\nthe session keyring it set up with the authorisation token to\n/sbin/request-key, and so the latter can\u0027t assume the authority to\ninstantiate the key. This causes the in-kernel DNS resolver to fail\nwith ENOKEY unconditionally.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nTested-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4d67431f80b1b822f0286afc9123ee453eac7334", "tree": "47ae7c273186e49a49440f95d0655cc538e2b829", "parents": [ "2ce9738bac1b386f46e8478fd2c263460e7c2b09" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Jun 13 22:33:52 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Jun 14 15:03:29 2011 +1000" }, "message": "KEYS: Don\u0027t return EAGAIN to keyctl_assume_authority()\n\nDon\u0027t return EAGAIN to keyctl_assume_authority() to indicate that a key could\nnot be found (ENOKEY is only returned if a negative key is found). Instead\nreturn ENOKEY in both cases.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e52e713ec30a31e9a4663d9aebbaae5ec07466a6", "tree": "68f9680577ae68f3972a5ed73afed5d1c2794310", "parents": [ "bdf7cf1c83872a0586ce4c4da6889103cc36dbd3", "2f3e4af471e38e0658e701973238ae4b5e50fcd6" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 27 10:25:02 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 27 10:25:02 2011 -0700" }, "message": "Merge branch \u0027docs-move\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rdunlap/linux-docs\n\n* \u0027docs-move\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rdunlap/linux-docs:\n Create Documentation/security/, move LSM-, credentials-, and keys-related files from Documentation/ to Documentation/security/, add Documentation/security/00-INDEX, and update all occurrences of Documentation/\u003cmoved_file\u003e to Documentation/security/\u003cmoved_file\u003e.\n" }, { "commit": "f7285b5d631fd6096b11c6af0058ed3a2b30ef4e", "tree": "956fff16b2327818eae72cfe47cf2260986e2fd2", "parents": [ "b7c2f036284452627d793af981877817b37d4351" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Thu May 26 15:25:05 2011 -0500" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 26 13:49:19 2011 -0700" }, "message": "Set cred-\u003euser_ns in key_replace_session_keyring\n\nSince this cred was not created with copy_creds(), it needs to get\ninitialized. Otherwise use of syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT);\ncan lead to a NULL deref. Thanks to Robert for finding this.\n\nBut introduced by commit 47a150edc2a (\"Cache user_ns in struct cred\").\n\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nReported-by: Robert Święcki \u003crobert@swiecki.net\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: stable@kernel.org (2.6.39)\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "434d42cfd05a7cc452457a81d2029540cba12150", "tree": "3a6b9b7f9ff2e1b7409dd66c15242b2a75aa4422", "parents": [ "d762f4383100c2a87b1a3f2d678cd3b5425655b4", "12a5a2621b1ee14d32beca35304d7c6076a58815" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 24 22:55:24 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 24 22:55:24 2011 +1000" }, "message": "Merge branch \u0027next\u0027 into for-linus\n" }, { "commit": "d410fa4ef99112386de5f218dd7df7b4fca910b4", "tree": "e29fbc3f6d27b20d73d8feb4ed73f6767f2e18fe", "parents": [ "61c4f2c81c61f73549928dfd9f3e8f26aa36a8cf" ], "author": { "name": "Randy Dunlap", "email": "randy.dunlap@oracle.com", "time": "Thu May 19 15:59:38 2011 -0700" }, "committer": { "name": "Randy Dunlap", "email": "randy.dunlap@oracle.com", "time": "Thu May 19 15:59:38 2011 -0700" }, "message": "Create Documentation/security/,\nmove LSM-, credentials-, and keys-related files from Documentation/\n to Documentation/security/,\nadd Documentation/security/00-INDEX, and\nupdate all occurrences of Documentation/\u003cmoved_file\u003e\n to Documentation/security/\u003cmoved_file\u003e.\n" }, { "commit": "3acb458c32293405cf68985b7b3ac5dc0a5e7929", "tree": "2943bc04adaedf25377c954087c7277118a4aae1", "parents": [ "75ef0368d182785c7c5c06ac11081e31257a313e" ], "author": { "name": "Lai Jiangshan", "email": "laijs@cn.fujitsu.com", "time": "Fri Mar 18 12:11:07 2011 +0800" }, "committer": { "name": "Paul E. McKenney", "email": "paulmck@linux.vnet.ibm.com", "time": "Sat May 07 22:50:54 2011 -0700" }, "message": "security,rcu: convert call_rcu(user_update_rcu_disposal) to kfree_rcu()\n\nThe rcu callback user_update_rcu_disposal() just calls a kfree(),\nso we use kfree_rcu() instead of the call_rcu(user_update_rcu_disposal).\n\nSigned-off-by: Lai Jiangshan \u003claijs@cn.fujitsu.com\u003e\nSigned-off-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: Josh Triplett \u003cjosh@joshtriplett.org\u003e\n" }, { "commit": "4aab1e896a0a9d57420ff2867caa5a369123d8cb", "tree": "92212870353a9493c10fb46a0dd9b6ce27230012", "parents": [ "78b7280cce23293f7570ad52c1ffe1485c6d9669" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Mar 11 17:57:33 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 17 11:59:49 2011 +1100" }, "message": "KEYS: Make request_key() and co. return an error for a negative key\n\nMake request_key() and co. return an error for a negative or rejected key. If\nthe key was simply negated, then return ENOKEY, otherwise return the error\nwith which it was rejected.\n\nWithout this patch, the following command returns a key number (with the latest\nkeyutils):\n\n\t[root@andromeda ~]# keyctl request2 user debug:foo rejected @s\n\t586569904\n\nTrying to print the key merely gets you a permission denied error:\n\n\t[root@andromeda ~]# keyctl print 586569904\n\tkeyctl_read_alloc: Permission denied\n\nDoing another request_key() call does get you the error, as long as it hasn\u0027t\nexpired yet:\n\n\t[root@andromeda ~]# keyctl request user debug:foo\n\trequest_key: Key was rejected by service\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "78b7280cce23293f7570ad52c1ffe1485c6d9669", "tree": "f3051c5fe69cb41e88f9470dead8534dda3e94e0", "parents": [ "c151694b2c48d956ac8c8c59c6927f89cc29ef70" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Mar 11 17:57:23 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 17 11:59:32 2011 +1100" }, "message": "KEYS: Improve /proc/keys\n\nImprove /proc/keys by:\n\n (1) Don\u0027t attempt to summarise the payload of a negated key. It won\u0027t have\n one. To this end, a helper function - key_is_instantiated() has been\n added that allows the caller to find out whether the key is positively\n instantiated (as opposed to being uninstantiated or negatively\n instantiated).\n\n (2) Do show keys that are negative, expired or revoked rather than hiding\n them. This requires an override flag (no_state_check) to be passed to\n search_my_process_keyrings() and keyring_search_aux() to suppress this\n check.\n\n Without this, keys that are possessed by the caller, but only grant\n permissions to the caller if possessed are skipped as the possession check\n fails.\n\n Keys that are visible due to user, group or other checks are visible with\n or without this patch.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ee009e4a0d4555ed522a631bae9896399674f064", "tree": "ee309fb4a98d9e7792cec99935c2d33652b3f440", "parents": [ "fdd1b94581782a2ddf9124414e5b7a5f48ce2f9c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Mar 07 15:06:20 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:17:22 2011 +1100" }, "message": "KEYS: Add an iovec version of KEYCTL_INSTANTIATE\n\nAdd a keyctl op (KEYCTL_INSTANTIATE_IOV) that is like KEYCTL_INSTANTIATE, but\ntakes an iovec array and concatenates the data in-kernel into one buffer.\nSince the KEYCTL_INSTANTIATE copies the data anyway, this isn\u0027t too much of a\nproblem.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "fdd1b94581782a2ddf9124414e5b7a5f48ce2f9c", "tree": "ce83bfd1f0b1a7d4b9521bdb3d6afef1bff1d4f2", "parents": [ "b9fffa3877a3ebbe0a5ad5a247358e2f7df15b24" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Mar 07 15:06:09 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:17:18 2011 +1100" }, "message": "KEYS: Add a new keyctl op to reject a key with a specified error code\n\nAdd a new keyctl op to reject a key with a specified error code. This works\nmuch the same as negating a key, and so keyctl_negate_key() is made a special\ncase of keyctl_reject_key(). The difference is that keyctl_negate_key()\nselects ENOKEY as the error to be reported.\n\nTypically the key would be rejected with EKEYEXPIRED, EKEYREVOKED or\nEKEYREJECTED, but this is not mandatory.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ], "next": "b9fffa3877a3ebbe0a5ad5a247358e2f7df15b24" }