)]}' { "log": [ { "commit": "644473e9c60c1ff4f6351fed637a6e5551e3dce7", "tree": "10316518bedc735a2c6552886658d69dfd9f1eb0", "parents": [ "fb827ec68446c83e9e8754fa9b55aed27ecc4661", "4b06a81f1daee668fbd6de85557bfb36dd36078f" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 23 17:42:39 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 23 17:42:39 2012 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace\n\nPull user namespace enhancements from Eric Biederman:\n \"This is a course correction for the user namespace, so that we can\n reach an inexpensive, maintainable, and reasonably complete\n implementation.\n\n Highlights:\n - Config guards make it impossible to enable the user namespace and\n code that has not been converted to be user namespace safe.\n\n - Use of the new kuid_t type ensures the if you somehow get past the\n config guards the kernel will encounter type errors if you enable\n user namespaces and attempt to compile in code whose permission\n checks have not been updated to be user namespace safe.\n\n - All uids from child user namespaces are mapped into the initial\n user namespace before they are processed. Removing the need to add\n an additional check to see if the user namespace of the compared\n uids remains the same.\n\n - With the user namespaces compiled out the performance is as good or\n better than it is today.\n\n - For most operations absolutely nothing changes performance or\n operationally with the user namespace enabled.\n\n - The worst case performance I could come up with was timing 1\n billion cache cold stat operations with the user namespace code\n enabled. This went from 156s to 164s on my laptop (or 156ns to\n 164ns per stat operation).\n\n - (uid_t)-1 and (gid_t)-1 are reserved as an internal error value.\n Most uid/gid setting system calls treat these value specially\n anyway so attempting to use -1 as a uid would likely cause\n entertaining failures in userspace.\n\n - If setuid is called with a uid that can not be mapped setuid fails.\n I have looked at sendmail, login, ssh and every other program I\n could think of that would call setuid and they all check for and\n handle the case where setuid fails.\n\n - If stat or a similar system call is called from a context in which\n we can not map a uid we lie and return overflowuid. The LFS\n experience suggests not lying and returning an error code might be\n better, but the historical precedent with uids is different and I\n can not think of anything that would break by lying about a uid we\n can\u0027t map.\n\n - Capabilities are localized to the current user namespace making it\n safe to give the initial user in a user namespace all capabilities.\n\n My git tree covers all of the modifications needed to convert the core\n kernel and enough changes to make a system bootable to runlevel 1.\"\n\nFix up trivial conflicts due to nearby independent changes in fs/stat.c\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (46 commits)\n userns: Silence silly gcc warning.\n cred: use correct cred accessor with regards to rcu read lock\n userns: Convert the move_pages, and migrate_pages permission checks to use uid_eq\n userns: Convert cgroup permission checks to use uid_eq\n userns: Convert tmpfs to use kuid and kgid where appropriate\n userns: Convert sysfs to use kgid/kuid where appropriate\n userns: Convert sysctl permission checks to use kuid and kgids.\n userns: Convert proc to use kuid/kgid where appropriate\n userns: Convert ext4 to user kuid/kgid where appropriate\n userns: Convert ext3 to use kuid/kgid where appropriate\n userns: Convert ext2 to use kuid/kgid where appropriate.\n userns: Convert devpts to use kuid/kgid where appropriate\n userns: Convert binary formats to use kuid/kgid where appropriate\n userns: Add negative depends on entries to avoid building code that is userns unsafe\n userns: signal remove unnecessary map_cred_ns\n userns: Teach inode_capable to understand inodes whose uids map to other namespaces.\n userns: Fail exec for suid and sgid binaries with ids outside our user namespace.\n userns: Convert stat to return values mapped from kuids and kgids\n userns: Convert user specfied uids and gids in chown into kuids and kgid\n userns: Use uid_eq gid_eq helpers when comparing kuids and kgids in the vfs\n ...\n" }, { "commit": "b404aef72fdafb601c945c714164c0ee2b04c364", "tree": "46efed0307e7c208a254614361bbe08ed160ef52", "parents": [ "2cc8a71641b4460783ea3bd7a3476043fdf85397" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue May 15 14:11:11 2012 +0100" }, "committer": { "name": "James Morris", "email": "james.l.morris@oracle.com", "time": "Wed May 16 00:54:33 2012 +1000" }, "message": "KEYS: Don\u0027t check for NULL key pointer in key_validate()\n\nDon\u0027t bother checking for NULL key pointer in key_validate() as all of the\nplaces that call it will crash anyway if the relevant key pointer is NULL by\nthe time they call key_validate(). Therefore, the checking must be done prior\nto calling here.\n\nWhilst we\u0027re at it, simplify the key_validate() function a bit and mark its\nargument const.\n\nReported-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\ncc: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n" }, { "commit": "fd75815f727f157a05f4c96b5294a4617c0557da", "tree": "b2e76abf176d37b5d810b0c813b8c0219754b88c", "parents": [ "31d5a79d7f3d436da176a78ebc12d53c06da402e" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Add invalidation support\n\nAdd support for invalidating a key - which renders it immediately invisible to\nfurther searches and causes the garbage collector to immediately wake up,\nremove it from keyrings and then destroy it when it\u0027s no longer referenced.\n\nIt\u0027s better not to do this with keyctl_revoke() as that marks the key to start\nreturning -EKEYREVOKED to searches when what is actually desired is to have the\nkey refetched.\n\nTo invalidate a key the caller must be granted SEARCH permission by the key.\nThis may be too strict. It may be better to also permit invalidation if the\ncaller has any of READ, WRITE or SETATTR permission.\n\nThe primary use for this is to evict keys that are cached in special keyrings,\nsuch as the DNS resolver or an ID mapper.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "31d5a79d7f3d436da176a78ebc12d53c06da402e", "tree": "d39a75d7d0d0e85102ff8ce5e55e5d6ab7db7262", "parents": [ "233e4735f2a45d9e641c2488b8d7afeb1f377dac" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Do LRU discard in full keyrings\n\nDo an LRU discard in keyrings that are full rather than returning ENFILE. To\nperform this, a time_t is added to the key struct and updated by the creation\nof a link to a key and by a key being found as the result of a search. At the\ncompletion of a successful search, the keyrings in the path between the root of\nthe search and the first found link to it also have their last-used times\nupdated.\n\nNote that discarding a link to a key from a keyring does not necessarily\ndestroy the key as there may be references held by other places.\n\nAn alternate discard method that might suffice is to perform FIFO discard from\nthe keyring, using the spare 2-byte hole in the keylist header as the index of\nthe next link to be discarded.\n\nThis is useful when using a keyring as a cache for DNS results or foreign\nfilesystem IDs.\n\n\nThis can be tested by the following. As root do:\n\n\techo 1000 \u003e/proc/sys/kernel/keys/root_maxkeys\n\n\tkr\u003d`keyctl newring foo @s`\n\tfor ((i\u003d0; i\u003c2000; i++)); do keyctl add user a$i a $kr; done\n\nWithout this patch ENFILE should be reported when the keyring fills up. With\nthis patch, the keyring discards keys in an LRU fashion. Note that the stored\nLRU time has a granularity of 1s.\n\nAfter doing this, /proc/key-users can be observed and should show that most of\nthe 2000 keys have been discarded:\n\n\t[root@andromeda ~]# cat /proc/key-users\n\t 0: 517 516/516 513/1000 5249/20000\n\nThe \"513/1000\" here is the number of quota-accounted keys present for this user\nout of the maximum permitted.\n\nIn /proc/keys, the keyring shows the number of keys it has and the number of\nslots it has allocated:\n\n\t[root@andromeda ~]# grep foo /proc/keys\n\t200c64c4 I--Q-- 1 perm 3b3f0000 0 0 keyring foo: 509/509\n\nThe maximum is (PAGE_SIZE - header) / key pointer size. That\u0027s typically 509\non a 64-bit system and 1020 on a 32-bit system.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "233e4735f2a45d9e641c2488b8d7afeb1f377dac", "tree": "d273536aaea91cf4817dd305450f327ebb37059f", "parents": [ "65d87fe68abf2fc226a9e96be61160f65d6b4680" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Permit in-place link replacement in keyring list\n\nMake use of the previous patch that makes the garbage collector perform RCU\nsynchronisation before destroying defunct keys. Key pointers can now be\nreplaced in-place without creating a new keyring payload and replacing the\nwhole thing as the discarded keys will not be destroyed until all currently\nheld RCU read locks are released.\n\nIf the keyring payload space needs to be expanded or contracted, then a\nreplacement will still need allocating, and the original will still have to be\nfreed by RCU.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n" }, { "commit": "65d87fe68abf2fc226a9e96be61160f65d6b4680", "tree": "23881b6daf54c7522178363f0ae32ddb6c836784", "parents": [ "1eb1bcf5bfad001128293b86d891c9d6f2f27333" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Perform RCU synchronisation on keys prior to key destruction\n\nMake the keys garbage collector invoke synchronize_rcu() prior to destroying\nkeys with a zero usage count. This means that a key can be examined under the\nRCU read lock in the safe knowledge that it won\u0027t get deallocated until after\nthe lock is released - even if its usage count becomes zero whilst we\u0027re\nlooking at it.\n\nThis is useful in keyring search vs key link. Consider a keyring containing a\nlink to a key. That link can be replaced in-place in the keyring without\nrequiring an RCU copy-and-replace on the keyring contents without breaking a\nsearch underway on that keyring when the displaced key is released, provided\nthe key is actually destroyed only after the RCU read lock held by the search\nalgorithm is released.\n\nThis permits __key_link() to replace a key without having to reallocate the key\npayload. A key gets replaced if a new key being linked into a keyring has the\nsame type and description.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\n" }, { "commit": "1eb1bcf5bfad001128293b86d891c9d6f2f27333", "tree": "af7fce4f0dae5bad37335b0fcf8b2e0d27342a9b", "parents": [ "9f7ce8e249ab761c7ed753059cb16319ede41762" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Announce key type (un)registration\n\nAnnounce the (un)registration of a key type in the core key code rather than\nin the callers.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "9f7ce8e249ab761c7ed753059cb16319ede41762", "tree": "2116852f541464dc8591fd201ae479c27b889bf3", "parents": [ "f0894940aed13b21f363a411c7ec57358827ad87" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Reorganise keys Makefile\n\nReorganise the keys directory Makefile to put all the core bits together and\nthe type-specific bits after.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "f0894940aed13b21f363a411c7ec57358827ad87", "tree": "43b1fcfc6e9ff2912943b2b2789559b36e7a192d", "parents": [ "45de6767dc51358a188f75dc4ad9dfddb7fb9480" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "committer": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri May 11 10:56:56 2012 +0100" }, "message": "KEYS: Move the key config into security/keys/Kconfig\n\nMove the key config into security/keys/Kconfig as there are going to be a lot\nof key-related options.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "ae2975bc3476243b45a1e2344236d7920c268f38", "tree": "e4b2a8472f6047734b6e7e2bdc994375b2790323", "parents": [ "22d917d80e842829d0ca0a561967d728eb1d6303" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Mon Nov 14 15:56:38 2011 -0800" }, "committer": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Thu May 03 03:27:21 2012 -0700" }, "message": "userns: Convert group_info values from gid_t to kgid_t.\n\nAs a first step to converting struct cred to be all kuid_t and kgid_t\nvalues convert the group values stored in group_info to always be\nkgid_t values. Unless user namespaces are used this change should\nhave no effect.\n\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n" }, { "commit": "0093ccb68f3753c0ba4d74c89d7e0f444b8d6123", "tree": "a6fc0ea2a6dfc338fa8fc7126005f40109ef8dce", "parents": [ "c4a4d603796c727b9555867571f89483be9c565e" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Wed Nov 16 21:52:53 2011 -0800" }, "committer": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Sat Apr 07 16:55:52 2012 -0700" }, "message": "cred: Refcount the user_ns pointed to by the cred.\n\nstruct user_struct will shortly loose it\u0027s user_ns reference\nso make the cred user_ns reference a proper reference complete\nwith reference counting.\n\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n" }, { "commit": "c4a4d603796c727b9555867571f89483be9c565e", "tree": "ae3b47a7b8b35c866df53cb4b4a051d49a28904a", "parents": [ "7e6bd8fadd1216f50468f965d0308f45e5109ced" ], "author": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Wed Nov 16 23:15:31 2011 -0800" }, "committer": { "name": "Eric W. Biederman", "email": "ebiederm@xmission.com", "time": "Sat Apr 07 16:55:51 2012 -0700" }, "message": "userns: Use cred-\u003euser_ns instead of cred-\u003euser-\u003euser_ns\n\nOptimize performance and prepare for the removal of the user_ns reference\nfrom user_struct. Remove the slow long walk through cred-\u003euser-\u003euser_ns and\ninstead go straight to cred-\u003euser_ns.\n\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n" }, { "commit": "9d944ef32e83405a07376f112e9f02161d3e9731", "tree": "24170ff64fb83221da133e2afb53f58e840a6eee", "parents": [ "d0bd587a80960d7ba7e0c8396e154028c9045c54" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Fri Mar 23 15:02:48 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Mar 23 16:58:41 2012 -0700" }, "message": "usermodehelper: kill umh_wait, renumber UMH_* constants\n\nNo functional changes. It is not sane to use UMH_KILLABLE with enum\numh_wait, but obviously we do not want another argument in\ncall_usermodehelper_* helpers. Kill this enum, use the plain int.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nCc: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nCc: Rusty Russell \u003crusty@rustcorp.com.au\u003e\nCc: Tejun Heo \u003ctj@kernel.org\u003e\nCc: David Rientjes \u003crientjes@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "f63d395d47f37a4fe771e6d4b1db9d2cdae5ffc5", "tree": "3448a14ae965802adb963762cadeb9989ce4caa2", "parents": [ "643ac9fc5429e85b8b7f534544b80bcc4f34c367", "5a7c9eec9fde1da0e3adf0a4ddb64ff2a324a492" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Mar 23 08:53:47 2012 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Mar 23 08:53:47 2012 -0700" }, "message": "Merge tag \u0027nfs-for-3.4-1\u0027 of git://git.linux-nfs.org/projects/trondmy/linux-nfs\n\nPull NFS client updates for Linux 3.4 from Trond Myklebust:\n \"New features include:\n - Add NFS client support for containers.\n\n This should enable most of the necessary functionality, including\n lockd support, and support for rpc.statd, NFSv4 idmapper and\n RPCSEC_GSS upcalls into the correct network namespace from which\n the mount system call was issued.\n\n - NFSv4 idmapper scalability improvements\n\n Base the idmapper cache on the keyring interface to allow\n concurrent access to idmapper entries. Start the process of\n migrating users from the single-threaded daemon-based approach to\n the multi-threaded request-key based approach.\n\n - NFSv4.1 implementation id.\n\n Allows the NFSv4.1 client and server to mutually identify each\n other for logging and debugging purposes.\n\n - Support the \u0027vers\u003d4.1\u0027 mount option for mounting NFSv4.1 instead of\n having to use the more counterintuitive \u0027vers\u003d4,minorversion\u003d1\u0027.\n\n - SUNRPC tracepoints.\n\n Start the process of adding tracepoints in order to improve\n debugging of the RPC layer.\n\n - pNFS object layout support for autologin.\n\n Important bugfixes include:\n\n - Fix a bug in rpc_wake_up/rpc_wake_up_status that caused them to\n fail to wake up all tasks when applied to priority waitqueues.\n\n - Ensure that we handle read delegations correctly, when we try to\n truncate a file.\n\n - A number of fixes for NFSv4 state manager loops (mostly to do with\n delegation recovery).\"\n\n* tag \u0027nfs-for-3.4-1\u0027 of git://git.linux-nfs.org/projects/trondmy/linux-nfs: (224 commits)\n NFS: fix sb-\u003es_id in nfs debug prints\n xprtrdma: Remove assumption that each segment is \u003c\u003d PAGE_SIZE\n xprtrdma: The transport should not bug-check when a dup reply is received\n pnfs-obj: autologin: Add support for protocol autologin\n NFS: Remove nfs4_setup_sequence from generic rename code\n NFS: Remove nfs4_setup_sequence from generic unlink code\n NFS: Remove nfs4_setup_sequence from generic read code\n NFS: Remove nfs4_setup_sequence from generic write code\n NFS: Fix more NFS debug related build warnings\n SUNRPC/LOCKD: Fix build warnings when CONFIG_SUNRPC_DEBUG is undefined\n nfs: non void functions must return a value\n SUNRPC: Kill compiler warning when RPC_DEBUG is unset\n SUNRPC/NFS: Add Kbuild dependencies for NFS_DEBUG/RPC_DEBUG\n NFS: Use cond_resched_lock() to reduce latencies in the commit scans\n NFSv4: It is not safe to dereference lsp-\u003els_state in release_lockowner\n NFS: ncommit count is being double decremented\n SUNRPC: We must not use list_for_each_entry_safe() in rpc_wake_up()\n Try using machine credentials for RENEW calls\n NFSv4.1: Fix a few issues in filelayout_commit_pagelist\n NFSv4.1: Clean ups and bugfixes for the pNFS read/writeback/commit code\n ...\n" }, { "commit": "f67dabbdde1fe112dfff05d02890f1e0d54117a8", "tree": "5cf73d686d39df4e9986194ff64e98fdcdd4e444", "parents": [ "df91e49477a9be15921cb2854e1d12a3bdb5e425" ], "author": { "name": "Dan Carpenter", "email": "dan.carpenter@oracle.com", "time": "Tue Mar 06 13:32:16 2012 +0000" }, "committer": { "name": "James Morris", "email": "james.l.morris@oracle.com", "time": "Wed Mar 07 11:12:06 2012 +1100" }, "message": "KEYS: testing wrong bit for KEY_FLAG_REVOKED\n\nThe test for \"if (cred-\u003erequest_key_auth-\u003eflags \u0026 KEY_FLAG_REVOKED) {\"\nshould actually testing that the (1 \u003c\u003c KEY_FLAG_REVOKED) bit is set.\nThe current code actually checks for KEY_FLAG_DEAD.\n\nSigned-off-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n" }, { "commit": "59e6b9c11341e3b8ac5925427c903d4eae435bd8", "tree": "68b39f847badedfca1476fbbf7ef6049a444f493", "parents": [ "0cb3284b535bd5eacc287632b55150c8e5d9edc7" ], "author": { "name": "Bryan Schumaker", "email": "bjschuma@netapp.com", "time": "Fri Feb 24 14:14:50 2012 -0500" }, "committer": { "name": "Trond Myklebust", "email": "Trond.Myklebust@netapp.com", "time": "Thu Mar 01 16:50:31 2012 -0500" }, "message": "Created a function for setting timeouts on keys\n\nThe keyctl_set_timeout function isn\u0027t exported to other parts of the\nkernel, but I want to use it for the NFS idmapper. I already have the\nkey, but I wanted a generic way to set the timeout.\n\nSigned-off-by: Bryan Schumaker \u003cbjschuma@netapp.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Trond Myklebust \u003cTrond.Myklebust@netapp.com\u003e\n" }, { "commit": "9e3ff38647a316e4f92d59b14c8f0eb13b33bb2c", "tree": "2750d9fc94b8fb78d9982ea4a62d586e7f0a7862", "parents": [ "2eb6038c51034bf7f9335b15ce9238a028fdd2d6", "4c2c392763a682354fac65b6a569adec4e4b5387" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Feb 09 17:02:34 2012 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Feb 09 17:02:34 2012 +1100" }, "message": "Merge branch \u0027next-queue\u0027 into next\n" }, { "commit": "7908b3ef6809e49c77d914342dfaa4b946476d7a", "tree": "44af103c5457b4c2286400158dcfc18846a7c4f0", "parents": [ "dcd6c92267155e70a94b3927bce681ce74b80d1f", "acbbb76a26648dfae6fed0989879e40d75692bfc" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 23 08:59:49 2012 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 23 08:59:49 2012 -0800" }, "message": "Merge git://git.samba.org/sfrench/cifs-2.6\n\n* git://git.samba.org/sfrench/cifs-2.6:\n CIFS: Rename *UCS* functions to *UTF16*\n [CIFS] ACL and FSCACHE support no longer EXPERIMENTAL\n [CIFS] Fix build break with multiuser patch when LANMAN disabled\n cifs: warn about impending deprecation of legacy MultiuserMount code\n cifs: fetch credentials out of keyring for non-krb5 auth multiuser mounts\n cifs: sanitize username handling\n keys: add a \"logon\" key type\n cifs: lower default wsize when unix extensions are not used\n cifs: better instrumentation for coalesce_t2\n cifs: integer overflow in parse_dacl()\n cifs: Fix sparse warning when calling cifs_strtoUCS\n CIFS: Add descriptions to the brlock cache functions\n" }, { "commit": "f6b24579d099ebb67f39cd7924a72a7eec0ce6ae", "tree": "a97004bb108138294b77e98466a4b9e76a9a198c", "parents": [ "3db59dd93309710c40aaf1571c607cb0feef3ecb" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Jan 18 10:03:14 2012 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 19 16:16:29 2012 +1100" }, "message": "keys: fix user_defined key sparse messages\n\nReplace the rcu_assign_pointer() calls with rcu_assign_keypointer().\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "700920eb5ba4de5417b446c9a8bb008df2b973e0", "tree": "8e2caa32a5cdcd47347ff84bc3e95915d000f537", "parents": [ "53999bf34d55981328f8ba9def558d3e104d6e36" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Jan 18 15:31:45 2012 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jan 19 14:38:51 2012 +1100" }, "message": "KEYS: Allow special keyrings to be cleared\n\nThe kernel contains some special internal keyrings, for instance the DNS\nresolver keyring :\n\n2a93faf1 I----- 1 perm 1f030000 0 0 keyring .dns_resolver: empty\n\nIt would occasionally be useful to allow the contents of such keyrings to be\nflushed by root (cache invalidation).\n\nAllow a flag to be set on a keyring to mark that someone possessing the\nsysadmin capability can clear the keyring, even without normal write access to\nthe keyring.\n\nSet this flag on the special keyrings created by the DNS resolver, the NFS\nidentity mapper and the CIFS identity mapper.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nAcked-by: Steve Dickson \u003csteved@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9f6ed2ca257fa8650b876377833e6f14e272848b", "tree": "8b664dced5415a6d463a56c2bc98756bd5ea5e44", "parents": [ "ce91acb3acae26f4163c5a6f1f695d1a1e8d9009" ], "author": { "name": "Jeff Layton", "email": "jlayton@redhat.com", "time": "Tue Jan 17 16:09:11 2012 -0500" }, "committer": { "name": "Steve French", "email": "smfrench@gmail.com", "time": "Tue Jan 17 22:39:40 2012 -0600" }, "message": "keys: add a \"logon\" key type\n\nFor CIFS, we want to be able to store NTLM credentials (aka username\nand password) in the keyring. We do not, however want to allow users\nto fetch those keys back out of the keyring since that would be a\nsecurity risk.\n\nUnfortunately, due to the nuances of key permission bits, it\u0027s not\npossible to do this. We need to grant search permissions so the kernel\ncan find these keys, but that also implies permissions to read the\npayload.\n\nResolve this by adding a new key_type. This key type is essentially\nthe same as key_type_user, but does not define a .read op. This\nprevents the payload from ever being visible from userspace. This\nkey type also vets the description to ensure that it\u0027s \"qualified\"\nby checking to ensure that it has a \u0027:\u0027 in it that is preceded by\nother characters.\n\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Steve French \u003csmfrench@gmail.com\u003e\n" }, { "commit": "6ac6172a935d1faf7ef259802267657bc0007a62", "tree": "034c1a79a3d401926f6b968eb270d34f561e50f1", "parents": [ "ee0b31a25a010116f44fca6c96f4516d417793dd" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Jan 17 20:40:02 2012 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 18 10:41:30 2012 +1100" }, "message": "encrypted-keys: fix rcu and sparse messages\n\nEnabling CONFIG_PROVE_RCU and CONFIG_SPARSE_RCU_POINTER resulted in\n\"suspicious rcu_dereference_check() usage!\" and \"incompatible types\nin comparison expression (different address spaces)\" messages.\n\nAccess the masterkey directly when holding the rwsem.\n\nChangelog v1:\n- Use either rcu_read_lock()/rcu_derefence_key()/rcu_read_unlock()\nor remove the unnecessary rcu_derefence() - David Howells\n\nReported-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ee0b31a25a010116f44fca6c96f4516d417793dd", "tree": "d7670d202d0f4888b5213ed73d88c9a80bd05b74", "parents": [ "efde8b6e16f11e7d1681c68d86c7fd51053cada7" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Jan 17 20:39:51 2012 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 18 10:41:29 2012 +1100" }, "message": "keys: fix trusted/encrypted keys sparse rcu_assign_pointer messages\n\nDefine rcu_assign_keypointer(), which uses the key payload.rcudata instead\nof payload.data, to resolve the CONFIG_SPARSE_RCU_POINTER message:\n\"incompatible types in comparison expression (different address spaces)\"\n\nReplace the rcu_assign_pointer() calls in encrypted/trusted keys with\nrcu_assign_keypointer().\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "efde8b6e16f11e7d1681c68d86c7fd51053cada7", "tree": "4fb5e80428c4f36c5da35ff3319cd71c1771451c", "parents": [ "25add8cf99c9ec8b8dc0acd8b9241e963fc0d29c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jan 17 20:39:40 2012 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 18 10:41:27 2012 +1100" }, "message": "KEYS: Add missing smp_rmb() primitives to the keyring search code\n\nAdd missing smp_rmb() primitives to the keyring search code.\n\nWhen keyring payloads are appended to without replacement (thus using up spare\nslots in the key pointer array), an smp_wmb() is issued between the pointer\nassignment and the increment of the key count (nkeys).\n\nThere should be corresponding read barriers between the read of nkeys and\ndereferences of keys[n] when n is dependent on the value of nkeys.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8fcc99549522fc7a0bbaeb5755855ab0d9a59ce8", "tree": "a118eaef15d4ba22247f45ee01537ecc906cd161", "parents": [ "805a6af8dba5dfdd35ec35dc52ec0122400b2610", "7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 09 12:16:48 2012 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 09 12:16:48 2012 +1100" }, "message": "Merge branch \u0027next\u0027 into for-linus\n\nConflicts:\n\tsecurity/integrity/evm/evm_crypto.c\n\nResolved upstream fix vs. next conflict manually.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7845bc3964756240863ae453ffe4f7ee27ddc954", "tree": "3a3b9bf568184a3ae82bc581b63e1576ce99d7c8", "parents": [ "24942c8e5cc8696064ee207ff29d4cf21f70dafc" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Nov 16 11:15:54 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Nov 17 09:35:32 2011 +1100" }, "message": "KEYS: Give key types their own lockdep class for key-\u003esem\n\nGive keys their own lockdep class to differentiate them from each other in case\na key of one type has to refer to a key of another type.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9c69898783a0121399ec078d40d4ccc00e3cb0df", "tree": "7163913d680c3160918a466f92cacb473c2c91ec", "parents": [ "f4a0d5abef14562c37dee5a1d49180f494106230" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Sun Oct 16 19:17:48 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Nov 16 14:23:14 2011 -0500" }, "message": "encrypted-keys: module build fixes\n\nEncrypted keys are encrypted/decrypted using either a trusted or\nuser-defined key type, which is referred to as the \u0027master\u0027 key.\nThe master key may be of type trusted iff the trusted key is\nbuiltin or both the trusted key and encrypted keys are built as\nmodules. This patch resolves the build dependency problem.\n\n- Use \"masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS)\" construct\nto encapsulate the above logic. (Suggested by Dimtry Kasatkin.)\n- Fixing the encrypted-keys Makefile, results in a module name change\nfrom encrypted.ko to encrypted-keys.ko.\n- Add module dependency for request_trusted_key() definition\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "f4a0d5abef14562c37dee5a1d49180f494106230", "tree": "be3b35ecaf9a2372fae08ac83d006b21e1c43021", "parents": [ "ff0ff78068dd8a962358dbbdafa9d6f24540d3e5" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Oct 24 08:17:42 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Nov 16 14:23:13 2011 -0500" }, "message": "encrypted-keys: fix error return code\n\nFix request_master_key() error return code.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "9f35a33b8d06263a165efe3541d9aa0cdbd70b3b", "tree": "2825d1bf9ea73d22e4cab45bb2cdc021c6e09380", "parents": [ "cfcfc9eca2bcbd26a8e206baeb005b055dbf8e37" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Nov 15 22:09:45 2011 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Nov 15 22:32:38 2011 -0200" }, "message": "KEYS: Fix a NULL pointer deref in the user-defined key type\n\nFix a NULL pointer deref in the user-defined key type whereby updating a\nnegative key into a fully instantiated key will cause an oops to occur\nwhen the code attempts to free the non-existent old payload.\n\nThis results in an oops that looks something like the following:\n\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000008\n IP: [\u003cffffffff81085fa1\u003e] __call_rcu+0x11/0x13e\n PGD 3391d067 PUD 3894a067 PMD 0\n Oops: 0002 [#1] SMP\n CPU 1\n Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140 /DG965RY\n RIP: 0010:[\u003cffffffff81085fa1\u003e] [\u003cffffffff81085fa1\u003e] __call_rcu+0x11/0x13e\n RSP: 0018:ffff88003d591df8 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e\n RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c\n R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538\n R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908\n FS: 00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\n Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)\n Stack:\n ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50\n ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea\n ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0\n Call Trace:\n [\u003cffffffff810860f0\u003e] call_rcu_sched+0x10/0x12\n [\u003cffffffff8117bfea\u003e] user_update+0x8d/0xa2\n [\u003cffffffff8117723a\u003e] key_create_or_update+0x236/0x270\n [\u003cffffffff811789b1\u003e] sys_add_key+0x123/0x17e\n [\u003cffffffff813b84bb\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nAcked-by: Neil Horman \u003cnhorman@redhat.com\u003e\nAcked-by: Steve Dickson \u003csteved@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "02473119bc54b0b239c2501064c7a37314347f87", "tree": "e3f0cdfbe4ee67d089ab731f213b2e0f91a3daa1", "parents": [ "50e1499f468fd74c6db95deb2e1e6bfee578ae70" ], "author": { "name": "Andy Shevchenko", "email": "andriy.shevchenko@linux.intel.com", "time": "Mon Oct 31 17:12:55 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 31 17:30:56 2011 -0700" }, "message": "security: follow rename pack_hex_byte() to hex_byte_pack()\n\nThere is no functional change.\n\nSigned-off-by: Andy Shevchenko \u003candriy.shevchenko@linux.intel.com\u003e\nCc: Mimi Zohar \u003czohar@us.ibm.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "fcf634098c00dd9cd247447368495f0b79be12d1", "tree": "77fc98cd461bd52ba3b14e833d54a115ffbbd7bc", "parents": [ "32ea845d5bafc37b7406bea1aee3005407cb0900" ], "author": { "name": "Christopher Yeoh", "email": "cyeoh@au1.ibm.com", "time": "Mon Oct 31 17:06:39 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Oct 31 17:30:44 2011 -0700" }, "message": "Cross Memory Attach\n\nThe basic idea behind cross memory attach is to allow MPI programs doing\nintra-node communication to do a single copy of the message rather than a\ndouble copy of the message via shared memory.\n\nThe following patch attempts to achieve this by allowing a destination\nprocess, given an address and size from a source process, to copy memory\ndirectly from the source process into its own address space via a system\ncall. There is also a symmetrical ability to copy from the current\nprocess\u0027s address space into a destination process\u0027s address space.\n\n- Use of /proc/pid/mem has been considered, but there are issues with\n using it:\n - Does not allow for specifying iovecs for both src and dest, assuming\n preadv or pwritev was implemented either the area read from or\n written to would need to be contiguous.\n - Currently mem_read allows only processes who are currently\n ptrace\u0027ing the target and are still able to ptrace the target to read\n from the target. This check could possibly be moved to the open call,\n but its not clear exactly what race this restriction is stopping\n (reason appears to have been lost)\n - Having to send the fd of /proc/self/mem via SCM_RIGHTS on unix\n domain socket is a bit ugly from a userspace point of view,\n especially when you may have hundreds if not (eventually) thousands\n of processes that all need to do this with each other\n - Doesn\u0027t allow for some future use of the interface we would like to\n consider adding in the future (see below)\n - Interestingly reading from /proc/pid/mem currently actually\n involves two copies! (But this could be fixed pretty easily)\n\nAs mentioned previously use of vmsplice instead was considered, but has\nproblems. Since you need the reader and writer working co-operatively if\nthe pipe is not drained then you block. Which requires some wrapping to\ndo non blocking on the send side or polling on the receive. In all to all\ncommunication it requires ordering otherwise you can deadlock. And in the\nexample of many MPI tasks writing to one MPI task vmsplice serialises the\ncopying.\n\nThere are some cases of MPI collectives where even a single copy interface\ndoes not get us the performance gain we could. For example in an\nMPI_Reduce rather than copy the data from the source we would like to\ninstead use it directly in a mathops (say the reduce is doing a sum) as\nthis would save us doing a copy. We don\u0027t need to keep a copy of the data\nfrom the source. I haven\u0027t implemented this, but I think this interface\ncould in the future do all this through the use of the flags - eg could\nspecify the math operation and type and the kernel rather than just\ncopying the data would apply the specified operation between the source\nand destination and store it in the destination.\n\nAlthough we don\u0027t have a \"second user\" of the interface (though I\u0027ve had\nsome nibbles from people who may be interested in using it for intra\nprocess messaging which is not MPI). This interface is something which\nhardware vendors are already doing for their custom drivers to implement\nfast local communication. And so in addition to this being useful for\nOpenMPI it would mean the driver maintainers don\u0027t have to fix things up\nwhen the mm changes.\n\nThere was some discussion about how much faster a true zero copy would\ngo. Here\u0027s a link back to the email with some testing I did on that:\n\nhttp://marc.info/?l\u003dlinux-mm\u0026m\u003d130105930902915\u0026w\u003d2\n\nThere is a basic man page for the proposed interface here:\n\nhttp://ozlabs.org/~cyeoh/cma/process_vm_readv.txt\n\nThis has been implemented for x86 and powerpc, other architecture should\nmainly (I think) just need to add syscall numbers for the process_vm_readv\nand process_vm_writev. There are 32 bit compatibility versions for\n64-bit kernels.\n\nFor arch maintainers there are some simple tests to be able to quickly\nverify that the syscalls are working correctly here:\n\nhttp://ozlabs.org/~cyeoh/cma/cma-test-20110718.tgz\n\nSigned-off-by: Chris Yeoh \u003cyeohc@au1.ibm.com\u003e\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nCc: \"H. Peter Anvin\" \u003chpa@zytor.com\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Arnd Bergmann \u003carnd@arndb.de\u003e\nCc: Paul Mackerras \u003cpaulus@samba.org\u003e\nCc: Benjamin Herrenschmidt \u003cbenh@kernel.crashing.org\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \u003clinux-man@vger.kernel.org\u003e\nCc: \u003clinux-arch@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "2b3ff6319e2312656fbefe0209bef02d58b6836a", "tree": "43041b8a5e6fe31dadf2ad682d73fa873476b952", "parents": [ "2684bf7f29cfb13ef2c60f3b3a53ee47d0db7022" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Sep 20 11:23:55 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Sep 20 23:26:44 2011 -0400" }, "message": "encrypted-keys: check hex2bin result\n\nFor each hex2bin call in encrypted keys, check that the ascii hex string\nis valid. On failure, return -EINVAL.\n\nChangelog v1:\n- hex2bin now returns an int\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nAcked-by: Andy Shevchenko \u003candy.shevchenko@gmail.com\u003e\n" }, { "commit": "2684bf7f29cfb13ef2c60f3b3a53ee47d0db7022", "tree": "bbdc0709c643e58a22443ab086c6e4aa80329e17", "parents": [ "b78049831ffed65f0b4e61f69df14f3ab17922cb" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Sep 20 11:23:52 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Sep 20 23:26:05 2011 -0400" }, "message": "trusted-keys: check hex2bin result\n\nFor each hex2bin call in trusted keys, check that the ascii hex string is\nvalid. On failure, return -EINVAL.\n\nChangelog v1:\n- hex2bin now returns an int\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nAcked-by: Andy Shevchenko \u003candy.shevchenko@gmail.com\u003e\n" }, { "commit": "cc100551b4d92f47abebfa7c7918b2be71263b4a", "tree": "d603f15ff5ef28efd5f818817aca036045ac8a8b", "parents": [ "8de6ac7f58a22fdab399fbe97763e465ea49c735" ], "author": { "name": "Stephen Rothwell", "email": "sfr@canb.auug.org.au", "time": "Thu Sep 15 17:07:15 2011 +1000" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Thu Sep 15 17:37:24 2011 -0400" }, "message": "encrypted-keys: IS_ERR need include/err.h\n\nFixes this build error:\n\nsecurity/keys/encrypted-keys/masterkey_trusted.c: In function \u0027request_trusted_key\u0027:\nsecurity/keys/encrypted-keys/masterkey_trusted.c:35:2: error: implicit declaration of function \u0027IS_ERR\u0027\n\nSigned-off-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "982e617a313b57abee3bcfa53381c356d00fd64a", "tree": "ba23ab206aaff2331bca116cebd11ad4ef580c32", "parents": [ "61cf45d0199041df1a8ba334b6bf4a3a13b7f904" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Sat Aug 27 22:21:26 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Sep 14 15:23:49 2011 -0400" }, "message": "encrypted-keys: remove trusted-keys dependency\n\nEncrypted keys are decrypted/encrypted using either a trusted-key or,\nfor those systems without a TPM, a user-defined key. This patch\nremoves the trusted-keys and TCG_TPM dependencies.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "61cf45d0199041df1a8ba334b6bf4a3a13b7f904", "tree": "b287399eb3704b766d2ba3d9a36de0bb57f70139", "parents": [ "a8f7640963ada66c412314c3559c11ff6946c1a5" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Sep 14 15:06:00 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Sep 14 15:22:26 2011 -0400" }, "message": "encrypted-keys: create encrypted-keys directory\n\nMove all files associated with encrypted keys to keys/encrypted-keys.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "0c061b5707ab84ebfe8f18f1c9c3110ae5cd6073", "tree": "cb6e83458126f3cc9ef9f5504937c8445f790b0f", "parents": [ "d199798bdf969873f78d48140600ff0a98a87e69" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:09:36 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:37 2011 +1000" }, "message": "KEYS: Correctly destroy key payloads when their keytype is removed\n\nunregister_key_type() has code to mark a key as dead and make it unavailable in\none loop and then destroy all those unavailable key payloads in the next loop.\nHowever, the loop to mark keys dead renders the key undetectable to the second\nloop by changing the key type pointer also.\n\nFix this by the following means:\n\n (1) The key code has two garbage collectors: one deletes unreferenced keys and\n the other alters keyrings to delete links to old dead, revoked and expired\n keys. They can end up holding each other up as both want to scan the key\n serial tree under spinlock. Combine these into a single routine.\n\n (2) Move the dead key marking, dead link removal and dead key removal into the\n garbage collector as a three phase process running over the three cycles\n of the normal garbage collection procedure. This is tracked by the\n KEY_GC_REAPING_DEAD_1, _2 and _3 state flags.\n\n unregister_key_type() then just unlinks the key type from the list, wakes\n up the garbage collector and waits for the third phase to complete.\n\n (3) Downgrade the key types sem in unregister_key_type() once it has deleted\n the key type from the list so that it doesn\u0027t block the keyctl() syscall.\n\n (4) Dead keys that cannot be simply removed in the third phase have their\n payloads destroyed with the key\u0027s semaphore write-locked to prevent\n interference by the keyctl() syscall. There should be no in-kernel users\n of dead keys of that type by the point of unregistration, though keyctl()\n may be holding a reference.\n\n (5) Only perform timer recalculation in the GC if the timer actually expired.\n If it didn\u0027t, we\u0027ll get another cycle when it goes off - and if the key\n that actually triggered it has been removed, it\u0027s not a problem.\n\n (6) Only garbage collect link if the timer expired or if we\u0027re doing dead key\n clean up phase 2.\n\n (7) As only key_garbage_collector() is permitted to use rb_erase() on the key\n serial tree, it doesn\u0027t need to revalidate its cursor after dropping the\n spinlock as the node the cursor points to must still exist in the tree.\n\n (8) Drop the spinlock in the GC if there is contention on it or if we need to\n reschedule. After dealing with that, get the spinlock again and resume\n scanning.\n\nThis has been tested in the following ways:\n\n (1) Run the keyutils testsuite against it.\n\n (2) Using the AF_RXRPC and RxKAD modules to test keytype removal:\n\n Load the rxrpc_s key type:\n\n\t# insmod /tmp/af-rxrpc.ko\n\t# insmod /tmp/rxkad.ko\n\n Create a key (http://people.redhat.com/~dhowells/rxrpc/listen.c):\n\n\t# /tmp/listen \u0026\n\t[1] 8173\n\n Find the key:\n\n\t# grep rxrpc_s /proc/keys\n\t091086e1 I--Q-- 1 perm 39390000 0 0 rxrpc_s 52:2\n\n Link it to a session keyring, preferably one with a higher serial number:\n\n\t# keyctl link 0x20e36251 @s\n\n Kill the process (the key should remain as it\u0027s linked to another place):\n\n\t# fg\n\t/tmp/listen\n\t^C\n\n Remove the key type:\n\n\trmmod rxkad\n\trmmod af-rxrpc\n\n This can be made a more effective test by altering the following part of\n the patch:\n\n\tif (unlikely(gc_state \u0026 KEY_GC_REAPING_DEAD_2)) {\n\t\t/* Make sure everyone revalidates their keys if we marked a\n\t\t * bunch as being dead and make sure all keyring ex-payloads\n\t\t * are destroyed.\n\t\t */\n\t\tkdebug(\"dead sync\");\n\t\tsynchronize_rcu();\n\n To call synchronize_rcu() in GC phase 1 instead. That causes that the\n keyring\u0027s old payload content to hang around longer until it\u0027s RCU\n destroyed - which usually happens after GC phase 3 is complete. This\n allows the destroy_dead_key branch to be tested.\n\nReported-by: Benjamin Coddington \u003cbcodding@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d199798bdf969873f78d48140600ff0a98a87e69", "tree": "fb0fbfe0eda27054eae9c9efe0240ace297c3661", "parents": [ "b072e9bc2fe9aeff4e104e80e479160349f474a9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:09:28 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:36 2011 +1000" }, "message": "KEYS: The dead key link reaper should be non-reentrant\n\nThe dead key link reaper should be non-reentrant as it relies on global state\nto keep track of where it\u0027s got to when it returns to the work queue manager to\ngive it some air.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b072e9bc2fe9aeff4e104e80e479160349f474a9", "tree": "4f243698284aace64f4b5c9e5b9bee107c10e13b", "parents": [ "8bc16deabce7649e480e94b648c88d4e90c34352" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:09:20 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:36 2011 +1000" }, "message": "KEYS: Make the key reaper non-reentrant\n\nMake the key reaper non-reentrant by sticking it on the appropriate system work\nqueue when we queue it. This will allow it to have global state and drop\nlocks. It should probably be non-reentrant already as it may spend a long time\nholding the key serial spinlock, and so multiple entrants can spend long\nperiods of time just sitting there spinning, waiting to get the lock.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8bc16deabce7649e480e94b648c88d4e90c34352", "tree": "d9e28a921375e7448801b0b89ff43a7e0d2e61ff", "parents": [ "012146d0728f85f7a5c7c36fb84bba33e2760507" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:09:11 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:36 2011 +1000" }, "message": "KEYS: Move the unreferenced key reaper to the keys garbage collector file\n\nMove the unreferenced key reaper function to the keys garbage collector file\nas that\u0027s a more appropriate place with the dead key link reaper.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6d528b082294f0ddabd6368297546a2c0b67d4fe", "tree": "268bf5dbd454c689947c51867bf5b77e21c97eae", "parents": [ "3ecf1b4f347210e39b156177e5b8a26ff8d00279" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:08:51 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:34 2011 +1000" }, "message": "KEYS: __key_link() should use the RCU deref wrapper for keyring payloads\n\n__key_link() should use the RCU deref wrapper rcu_dereference_locked_keyring()\nfor accessing keyring payloads rather than calling rcu_dereference_protected()\ndirectly.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3ecf1b4f347210e39b156177e5b8a26ff8d00279", "tree": "ba3cf0155e5dd29c4963e6a8895d7262e0ef13d5", "parents": [ "995995378f996a8aa1cf4e4ddc0f79fbfd45496f" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:08:43 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:34 2011 +1000" }, "message": "KEYS: keyctl_get_keyring_ID() should create a session keyring if create flag set\n\nThe keyctl call:\n\n\tkeyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1)\n\nshould create a session keyring if the process doesn\u0027t have one of its own\nbecause the create flag argument is set - rather than subscribing to and\nreturning the user-session keyring as:\n\n\tkeyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)\n\nwill do.\n\nThis can be tested by commenting out pam_keyinit in the /etc/pam.d files and\nrunning the following program a couple of times in a row:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\tint main(int argc, char *argv[])\n\t{\n\t\tkey_serial_t uk, usk, sk, nsk;\n\t\tuk \u003d keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);\n\t\tusk \u003d keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);\n\t\tsk \u003d keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);\n\t\tnsk \u003d keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1);\n\t\tprintf(\"keys: %08x %08x %08x %08x\\n\", uk, usk, sk, nsk);\n\t\treturn 0;\n\t}\n\nWithout this patch, I see:\n\n\tkeys: 3975ddc7 119c0c66 119c0c66 119c0c66\n\tkeys: 3975ddc7 119c0c66 119c0c66 119c0c66\n\nWith this patch, I see:\n\n\tkeys: 2cb4997b 34112878 34112878 17db2ce3\n\tkeys: 2cb4997b 34112878 34112878 39f3c73e\n\nAs can be seen, the session keyring starts off the same as the user-session\nkeyring each time, but with the patch a new session keyring is created when\nthe create flag is set.\n\nReported-by: Greg Wettstein \u003cgreg@enjellic.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Greg Wettstein \u003cgreg@enjellic.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "995995378f996a8aa1cf4e4ddc0f79fbfd45496f", "tree": "ddc0c1305767e683535120361a5f5848b7ae3803", "parents": [ "c5532b09bf40c398f2acfdd8f100c796d1d3f881" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Aug 22 14:08:33 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 23 09:57:33 2011 +1000" }, "message": "KEYS: If install_session_keyring() is given a keyring, it should install it\n\nIf install_session_keyring() is given a keyring, it should install it rather\nthan just creating a new one anyway. This was accidentally broken in:\n\n\tcommit d84f4f992cbd76e8f39c488cf0c5d123843923b1\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate: Fri Nov 14 10:39:23 2008 +1100\n\tSubject: CRED: Inaugurate COW credentials\n\nThe impact of that commit is that pam_keyinit no longer works correctly if\n\u0027force\u0027 isn\u0027t specified against a login process. This is because:\n\n\tkeyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)\n\nnow always creates a new session keyring and thus the check whether the session\nkeyring and the user-session keyring are the same is always false. This leads\npam_keyinit to conclude that a session keyring is installed and it shouldn\u0027t be\nrevoked by pam_keyinit here if \u0027revoke\u0027 is specified.\n\nAny system that specifies \u0027force\u0027 against pam_keyinit in the PAM configuration\nfiles for login methods (login, ssh, su -l, kdm, etc.) is not affected since\nthat bypasses the broken check and forces the creation of a new session keyring\nanyway (for which the revoke flag is not cleared) - and any subsequent call to\npam_keyinit really does have a session keyring already installed, and so the\ncheck works correctly there.\n\nReverting to the previous behaviour will cause the kernel to subscribe the\nprocess to the user-session keyring as its session keyring if it doesn\u0027t have a\nsession keyring of its own. pam_keyinit will detect this and install a new\nsession keyring anyway (and won\u0027t clear the revert flag).\n\nThis can be tested by commenting out pam_keyinit in the /etc/pam.d files and\nrunning the following program a couple of times in a row:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\tint main(int argc, char *argv[])\n\t{\n\t\tkey_serial_t uk, usk, sk;\n\t\tuk \u003d keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);\n\t\tusk \u003d keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);\n\t\tsk \u003d keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);\n\t\tprintf(\"keys: %08x %08x %08x\\n\", uk, usk, sk);\n\t\treturn 0;\n\t}\n\nWithout the patch, I see:\n\n\tkeys: 3884e281 24c4dfcf 22825f8e\n\tkeys: 3884e281 24c4dfcf 068772be\n\nWith the patch, I see:\n\n\tkeys: 26be9c83 0e755ce0 0e755ce0\n\tkeys: 26be9c83 0e755ce0 0e755ce0\n\nAs can be seen, with the patch, the session keyring is the same as the\nuser-session keyring each time; without the patch a new session keyring is\ngenerated each time.\n\nReported-by: Greg Wettstein \u003cgreg@enjellic.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Greg Wettstein \u003cgreg@enjellic.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "95b6886526bb510b8370b625a49bc0ab3b8ff10f", "tree": "2862606224820d200be12d2092dcd26df1654b80", "parents": [ "22712200e175e0df5c7f9edfe6c6bf5c94c23b83", "29412f0f6a19e34336368f13eab848091c343952" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jul 27 19:26:38 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jul 27 19:26:38 2011 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (54 commits)\n tpm_nsc: Fix bug when loading multiple TPM drivers\n tpm: Move tpm_tis_reenable_interrupts out of CONFIG_PNP block\n tpm: Fix compilation warning when CONFIG_PNP is not defined\n TOMOYO: Update kernel-doc.\n tpm: Fix a typo\n tpm_tis: Probing function for Intel iTPM bug\n tpm_tis: Fix the probing for interrupts\n tpm_tis: Delay ACPI S3 suspend while the TPM is busy\n tpm_tis: Re-enable interrupts upon (S3) resume\n tpm: Fix display of data in pubek sysfs entry\n tpm_tis: Add timeouts sysfs entry\n tpm: Adjust interface timeouts if they are too small\n tpm: Use interface timeouts returned from the TPM\n tpm_tis: Introduce durations sysfs entry\n tpm: Adjust the durations if they are too small\n tpm: Use durations returned from TPM\n TOMOYO: Enable conditional ACL.\n TOMOYO: Allow using argv[]/envp[] of execve() as conditions.\n TOMOYO: Allow using executable\u0027s realpath and symlink\u0027s target as conditions.\n TOMOYO: Allow using owner/group etc. of file objects as conditions.\n ...\n\nFix up trivial conflict in security/tomoyo/realpath.c\n" }, { "commit": "b7e9c223be8ce335e30f2cf6ba588e6a4092275c", "tree": "2d1e3b75606abc18df7ad65e51ac3f90cd68b38d", "parents": [ "c172d82500a6cf3c32d1e650722a1055d72ce858", "e3bbfa78bab125f58b831b5f7f45b5a305091d72" ], "author": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Mon Jul 11 14:15:48 2011 +0200" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Mon Jul 11 14:15:55 2011 +0200" }, "message": "Merge branch \u0027master\u0027 into for-next\n\nSync with Linus\u0027 tree to be able to apply pending patches that\nare based on newer code already present upstream.\n" }, { "commit": "d8bf4ca9ca9576548628344c9725edd3786e90b1", "tree": "df338f50a5af6bc3651bd863b79fa91e6b1e9e20", "parents": [ "eb032b9837a958e21ca000358a5bde5e17192ddb" ], "author": { "name": "Michal Hocko", "email": "mhocko@suse.cz", "time": "Fri Jul 08 14:39:41 2011 +0200" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Fri Jul 08 22:21:58 2011 +0200" }, "message": "rcu: treewide: Do not use rcu_read_lock_held when calling rcu_dereference_check\n\nSince ca5ecddf (rcu: define __rcu address space modifier for sparse)\nrcu_dereference_check use rcu_read_lock_held as a part of condition\nautomatically so callers do not have to do that as well.\n\nSigned-off-by: Michal Hocko \u003cmhocko@suse.cz\u003e\nAcked-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\n" }, { "commit": "5b944a71a192977c1c018bbcfa0c52dca48e2368", "tree": "9f234c4a93bb28890ad086c846d2bf0b35f7f7ae", "parents": [ "0e4ae0e0dec634b2ae53ac57d14141b140467dbe", "c017d0d1351f916c0ced3f358afc491fdcf490b4" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 30 18:43:56 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Jun 30 18:43:56 2011 +1000" }, "message": "Merge branch \u0027linus\u0027 into next\n" }, { "commit": "79a73d188726b473ca3bf483244bc96096831905", "tree": "787ba050c91981cae2524b1e95e415424b067e64", "parents": [ "f8f8527103a264b5e4ab2ce5c1743b28f3219d90" ], "author": { "name": "Roberto Sassu", "email": "roberto.sassu@polito.it", "time": "Mon Jun 27 13:45:44 2011 +0200" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jun 27 09:11:17 2011 -0400" }, "message": "encrypted-keys: add ecryptfs format support\n\nThe \u0027encrypted\u0027 key type defines its own payload format which contains a\nsymmetric key randomly generated that cannot be used directly to mount\nan eCryptfs filesystem, because it expects an authentication token\nstructure.\n\nThis patch introduces the new format \u0027ecryptfs\u0027 that allows to store an\nauthentication token structure inside the encrypted key payload containing\na randomly generated symmetric key, as the same for the format \u0027default\u0027.\n\nMore details about the usage of encrypted keys with the eCryptfs\nfilesystem can be found in the file \u0027Documentation/keys-ecryptfs.txt\u0027.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nAcked-by: Tyler Hicks \u003ctyhicks@linux.vnet.ibm.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n" }, { "commit": "4e561d388feff18e4b798cef6a1a84a2cc7f20c2", "tree": "9208588c7d0e5e75766dd2c98e960840fdc8681e", "parents": [ "7103dff0e598cd634767f17a2958302c515700ca" ], "author": { "name": "Roberto Sassu", "email": "roberto.sassu@polito.it", "time": "Mon Jun 27 13:45:42 2011 +0200" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jun 27 09:10:45 2011 -0400" }, "message": "encrypted-keys: add key format support\n\nThis patch introduces a new parameter, called \u0027format\u0027, that defines the\nformat of data stored by encrypted keys. The \u0027default\u0027 format identifies\nencrypted keys containing only the symmetric key, while other formats can\nbe defined to support additional information. The \u0027format\u0027 parameter is\nwritten in the datablob produced by commands \u0027keyctl print\u0027 or\n\u0027keyctl pipe\u0027 and is integrity protected by the HMAC.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n" }, { "commit": "7103dff0e598cd634767f17a2958302c515700ca", "tree": "cbbacf38aee2ecd3ad6d004307197186dd35ab73", "parents": [ "08fa2aa54e72ddde8076cc77126bace8d4780e0f" ], "author": { "name": "Roberto Sassu", "email": "roberto.sassu@polito.it", "time": "Mon Jun 27 13:45:41 2011 +0200" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jun 27 09:10:34 2011 -0400" }, "message": "encrypted-keys: added additional debug messages\n\nSome debug messages have been added in the function datablob_parse() in\norder to better identify errors returned when dealing with \u0027encrypted\u0027\nkeys.\n\nChangelog from version v4:\n- made the debug messages more understandable \n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n" }, { "commit": "08fa2aa54e72ddde8076cc77126bace8d4780e0f", "tree": "5ced9b831123e37b6e91367ed5f56e4acd095a0c", "parents": [ "f91c2c5cfa2950a20265b45bcc13e49ed9e49aac" ], "author": { "name": "Roberto Sassu", "email": "roberto.sassu@polito.it", "time": "Mon Jun 27 13:45:40 2011 +0200" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jun 27 09:08:52 2011 -0400" }, "message": "encrypted-keys: fixed valid_master_desc() function description\n\nValid key type prefixes for the parameter \u0027key-type\u0027 are: \u0027trusted\u0027 and\n\u0027user\u0027.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n" }, { "commit": "f91c2c5cfa2950a20265b45bcc13e49ed9e49aac", "tree": "f5ed8f02cc44dfe9274440c8cdcd50b4345621e6", "parents": [ "4d67431f80b1b822f0286afc9123ee453eac7334" ], "author": { "name": "Roberto Sassu", "email": "roberto.sassu@polito.it", "time": "Mon Jun 27 13:45:39 2011 +0200" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jun 27 09:08:39 2011 -0400" }, "message": "encrypted_keys: avoid dumping the master key if the request fails\n\nDo not dump the master key if an error is encountered during the request.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n" }, { "commit": "b1d7dd80aadb9042e83f9778b484a2f92e0b04d4", "tree": "33044314f0a058724e9ee912cca6fe55c2284cf1", "parents": [ "35052cffe0081904f3362c05818db900dd9dc7de" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jun 21 14:32:05 2011 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jun 21 18:31:45 2011 -0700" }, "message": "KEYS: Fix error handling in construct_key_and_link()\n\nFix error handling in construct_key_and_link().\n\nIf construct_alloc_key() returns an error, it shouldn\u0027t pass out through\nthe normal path as the key_serial() called by the kleave() statement\nwill oops when it gets an error code in the pointer:\n\n BUG: unable to handle kernel paging request at ffffffffffffff84\n IP: [\u003cffffffff8120b401\u003e] request_key_and_link+0x4d7/0x52f\n ..\n Call Trace:\n [\u003cffffffff8120b52c\u003e] request_key+0x41/0x75\n [\u003cffffffffa00ed6e8\u003e] cifs_get_spnego_key+0x206/0x226 [cifs]\n [\u003cffffffffa00eb0c9\u003e] CIFS_SessSetup+0x511/0x1234 [cifs]\n [\u003cffffffffa00d9799\u003e] cifs_setup_session+0x90/0x1ae [cifs]\n [\u003cffffffffa00d9c02\u003e] cifs_get_smb_ses+0x34b/0x40f [cifs]\n [\u003cffffffffa00d9e05\u003e] cifs_mount+0x13f/0x504 [cifs]\n [\u003cffffffffa00caabb\u003e] cifs_do_mount+0xc4/0x672 [cifs]\n [\u003cffffffff8113ae8c\u003e] mount_fs+0x69/0x155\n [\u003cffffffff8114ff0e\u003e] vfs_kern_mount+0x63/0xa0\n [\u003cffffffff81150be2\u003e] do_kern_mount+0x4d/0xdf\n [\u003cffffffff81152278\u003e] do_mount+0x63c/0x69f\n [\u003cffffffff8115255c\u003e] sys_mount+0x88/0xc2\n [\u003cffffffff814fbdc2\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "879669961b11e7f40b518784863a259f735a72bf", "tree": "9bff5392e365caf656c9dd9be38f7471c182278c", "parents": [ "eb96c925152fc289311e5d7e956b919e9b60ab53" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Jun 17 11:25:59 2011 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jun 17 09:40:48 2011 -0700" }, "message": "KEYS/DNS: Fix ____call_usermodehelper() to not lose the session keyring\n\n____call_usermodehelper() now erases any credentials set by the\nsubprocess_inf::init() function. The problem is that commit\n17f60a7da150 (\"capabilites: allow the application of capability limits\nto usermode helpers\") creates and commits new credentials with\nprepare_kernel_cred() after the call to the init() function. This wipes\nall keyrings after umh_keys_init() is called.\n\nThe best way to deal with this is to put the init() call just prior to\nthe commit_creds() call, and pass the cred pointer to init(). That\nmeans that umh_keys_init() and suchlike can modify the credentials\n_before_ they are published and potentially in use by the rest of the\nsystem.\n\nThis prevents request_key() from working as it is prevented from passing\nthe session keyring it set up with the authorisation token to\n/sbin/request-key, and so the latter can\u0027t assume the authority to\ninstantiate the key. This causes the in-kernel DNS resolver to fail\nwith ENOKEY unconditionally.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nTested-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4d67431f80b1b822f0286afc9123ee453eac7334", "tree": "47ae7c273186e49a49440f95d0655cc538e2b829", "parents": [ "2ce9738bac1b386f46e8478fd2c263460e7c2b09" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Jun 13 22:33:52 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Jun 14 15:03:29 2011 +1000" }, "message": "KEYS: Don\u0027t return EAGAIN to keyctl_assume_authority()\n\nDon\u0027t return EAGAIN to keyctl_assume_authority() to indicate that a key could\nnot be found (ENOKEY is only returned if a negative key is found). Instead\nreturn ENOKEY in both cases.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e52e713ec30a31e9a4663d9aebbaae5ec07466a6", "tree": "68f9680577ae68f3972a5ed73afed5d1c2794310", "parents": [ "bdf7cf1c83872a0586ce4c4da6889103cc36dbd3", "2f3e4af471e38e0658e701973238ae4b5e50fcd6" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 27 10:25:02 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri May 27 10:25:02 2011 -0700" }, "message": "Merge branch \u0027docs-move\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rdunlap/linux-docs\n\n* \u0027docs-move\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rdunlap/linux-docs:\n Create Documentation/security/, move LSM-, credentials-, and keys-related files from Documentation/ to Documentation/security/, add Documentation/security/00-INDEX, and update all occurrences of Documentation/\u003cmoved_file\u003e to Documentation/security/\u003cmoved_file\u003e.\n" }, { "commit": "f7285b5d631fd6096b11c6af0058ed3a2b30ef4e", "tree": "956fff16b2327818eae72cfe47cf2260986e2fd2", "parents": [ "b7c2f036284452627d793af981877817b37d4351" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Thu May 26 15:25:05 2011 -0500" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 26 13:49:19 2011 -0700" }, "message": "Set cred-\u003euser_ns in key_replace_session_keyring\n\nSince this cred was not created with copy_creds(), it needs to get\ninitialized. Otherwise use of syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT);\ncan lead to a NULL deref. Thanks to Robert for finding this.\n\nBut introduced by commit 47a150edc2a (\"Cache user_ns in struct cred\").\n\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nReported-by: Robert Święcki \u003crobert@swiecki.net\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: stable@kernel.org (2.6.39)\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "434d42cfd05a7cc452457a81d2029540cba12150", "tree": "3a6b9b7f9ff2e1b7409dd66c15242b2a75aa4422", "parents": [ "d762f4383100c2a87b1a3f2d678cd3b5425655b4", "12a5a2621b1ee14d32beca35304d7c6076a58815" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 24 22:55:24 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 24 22:55:24 2011 +1000" }, "message": "Merge branch \u0027next\u0027 into for-linus\n" }, { "commit": "d410fa4ef99112386de5f218dd7df7b4fca910b4", "tree": "e29fbc3f6d27b20d73d8feb4ed73f6767f2e18fe", "parents": [ "61c4f2c81c61f73549928dfd9f3e8f26aa36a8cf" ], "author": { "name": "Randy Dunlap", "email": "randy.dunlap@oracle.com", "time": "Thu May 19 15:59:38 2011 -0700" }, "committer": { "name": "Randy Dunlap", "email": "randy.dunlap@oracle.com", "time": "Thu May 19 15:59:38 2011 -0700" }, "message": "Create Documentation/security/,\nmove LSM-, credentials-, and keys-related files from Documentation/\n to Documentation/security/,\nadd Documentation/security/00-INDEX, and\nupdate all occurrences of Documentation/\u003cmoved_file\u003e\n to Documentation/security/\u003cmoved_file\u003e.\n" }, { "commit": "3acb458c32293405cf68985b7b3ac5dc0a5e7929", "tree": "2943bc04adaedf25377c954087c7277118a4aae1", "parents": [ "75ef0368d182785c7c5c06ac11081e31257a313e" ], "author": { "name": "Lai Jiangshan", "email": "laijs@cn.fujitsu.com", "time": "Fri Mar 18 12:11:07 2011 +0800" }, "committer": { "name": "Paul E. McKenney", "email": "paulmck@linux.vnet.ibm.com", "time": "Sat May 07 22:50:54 2011 -0700" }, "message": "security,rcu: convert call_rcu(user_update_rcu_disposal) to kfree_rcu()\n\nThe rcu callback user_update_rcu_disposal() just calls a kfree(),\nso we use kfree_rcu() instead of the call_rcu(user_update_rcu_disposal).\n\nSigned-off-by: Lai Jiangshan \u003claijs@cn.fujitsu.com\u003e\nSigned-off-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: Josh Triplett \u003cjosh@joshtriplett.org\u003e\n" }, { "commit": "4aab1e896a0a9d57420ff2867caa5a369123d8cb", "tree": "92212870353a9493c10fb46a0dd9b6ce27230012", "parents": [ "78b7280cce23293f7570ad52c1ffe1485c6d9669" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Mar 11 17:57:33 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 17 11:59:49 2011 +1100" }, "message": "KEYS: Make request_key() and co. return an error for a negative key\n\nMake request_key() and co. return an error for a negative or rejected key. If\nthe key was simply negated, then return ENOKEY, otherwise return the error\nwith which it was rejected.\n\nWithout this patch, the following command returns a key number (with the latest\nkeyutils):\n\n\t[root@andromeda ~]# keyctl request2 user debug:foo rejected @s\n\t586569904\n\nTrying to print the key merely gets you a permission denied error:\n\n\t[root@andromeda ~]# keyctl print 586569904\n\tkeyctl_read_alloc: Permission denied\n\nDoing another request_key() call does get you the error, as long as it hasn\u0027t\nexpired yet:\n\n\t[root@andromeda ~]# keyctl request user debug:foo\n\trequest_key: Key was rejected by service\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "78b7280cce23293f7570ad52c1ffe1485c6d9669", "tree": "f3051c5fe69cb41e88f9470dead8534dda3e94e0", "parents": [ "c151694b2c48d956ac8c8c59c6927f89cc29ef70" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Mar 11 17:57:23 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Mar 17 11:59:32 2011 +1100" }, "message": "KEYS: Improve /proc/keys\n\nImprove /proc/keys by:\n\n (1) Don\u0027t attempt to summarise the payload of a negated key. It won\u0027t have\n one. To this end, a helper function - key_is_instantiated() has been\n added that allows the caller to find out whether the key is positively\n instantiated (as opposed to being uninstantiated or negatively\n instantiated).\n\n (2) Do show keys that are negative, expired or revoked rather than hiding\n them. This requires an override flag (no_state_check) to be passed to\n search_my_process_keyrings() and keyring_search_aux() to suppress this\n check.\n\n Without this, keys that are possessed by the caller, but only grant\n permissions to the caller if possessed are skipped as the possession check\n fails.\n\n Keys that are visible due to user, group or other checks are visible with\n or without this patch.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ee009e4a0d4555ed522a631bae9896399674f064", "tree": "ee309fb4a98d9e7792cec99935c2d33652b3f440", "parents": [ "fdd1b94581782a2ddf9124414e5b7a5f48ce2f9c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Mar 07 15:06:20 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:17:22 2011 +1100" }, "message": "KEYS: Add an iovec version of KEYCTL_INSTANTIATE\n\nAdd a keyctl op (KEYCTL_INSTANTIATE_IOV) that is like KEYCTL_INSTANTIATE, but\ntakes an iovec array and concatenates the data in-kernel into one buffer.\nSince the KEYCTL_INSTANTIATE copies the data anyway, this isn\u0027t too much of a\nproblem.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "fdd1b94581782a2ddf9124414e5b7a5f48ce2f9c", "tree": "ce83bfd1f0b1a7d4b9521bdb3d6afef1bff1d4f2", "parents": [ "b9fffa3877a3ebbe0a5ad5a247358e2f7df15b24" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Mar 07 15:06:09 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:17:18 2011 +1100" }, "message": "KEYS: Add a new keyctl op to reject a key with a specified error code\n\nAdd a new keyctl op to reject a key with a specified error code. This works\nmuch the same as negating a key, and so keyctl_negate_key() is made a special\ncase of keyctl_reject_key(). The difference is that keyctl_negate_key()\nselects ENOKEY as the error to be reported.\n\nTypically the key would be rejected with EKEYEXPIRED, EKEYREVOKED or\nEKEYREJECTED, but this is not mandatory.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b9fffa3877a3ebbe0a5ad5a247358e2f7df15b24", "tree": "0f58a92c2616b3663f88935290d32a4c90d57025", "parents": [ "633e804e89464d3875e59de1959a53f9041d3094" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Mar 07 15:05:59 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:17:15 2011 +1100" }, "message": "KEYS: Add a key type op to permit the key description to be vetted\n\nAdd a key type operation to permit the key type to vet the description of a new\nkey that key_alloc() is about to allocate. The operation may reject the\ndescription if it wishes with an error of its choosing. If it does this, the\nkey will not be allocated.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "633e804e89464d3875e59de1959a53f9041d3094", "tree": "0a2464267c5f7a4e8166771fdc88e181a5b6219a", "parents": [ "1cc26bada9f6807814806db2f0d78792eecdac71" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Mar 07 15:05:51 2011 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:17:11 2011 +1100" }, "message": "KEYS: Add an RCU payload dereference macro\n\nAdd an RCU payload dereference macro as this seems to be a common piece of code\namongst key types that use RCU referenced payloads.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ceb73c12047b8d543570b23353e7848eb7c540a1", "tree": "a637dc88d418be1b705a66bea375af955bd14e22", "parents": [ "f5c66d70ac2a9016a7ad481bd37e39afd7dd7369" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jan 25 16:34:28 2011 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jan 26 08:58:20 2011 +1000" }, "message": "KEYS: Fix __key_link_end() quota fixup on error\n\nFix __key_link_end()\u0027s attempt to fix up the quota if an error occurs.\n\nThere are two erroneous cases: Firstly, we always decrease the quota if\nthe preallocated replacement keyring needs cleaning up, irrespective of\nwhether or not we should (we may have replaced a pointer rather than\nadding another pointer).\n\nSecondly, we never clean up the quota if we added a pointer without the\nkeyring storage being extended (we allocate multiple pointers at a time,\neven if we\u0027re not going to use them all immediately).\n\nWe handle this by setting the bottom bit of the preallocation pointer in\n__key_link_begin() to indicate that the quota needs fixing up, which is\nthen passed to __key_link() (which clears the whole thing) and\n__key_link_end().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "5403110943a2dcf1f96416d7a412a8b46895facd", "tree": "48e3501e71511200c911315b8bdffde4788d357d", "parents": [ "7f3c68bee977ab872827e44de017216736fe21d7" ], "author": { "name": "Jesper Juhl", "email": "jj@chaosbits.net", "time": "Sun Jan 23 22:40:42 2011 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 24 10:59:58 2011 +1100" }, "message": "trusted keys: Fix a memory leak in trusted_update().\n\nOne failure path in security/keys/trusted.c::trusted_update() does\nnot free \u0027new_p\u0027 while the others do. This patch makes sure we also free\nit in the remaining path (if datablob_parse() returns different from\nOpt_update).\n\nSigned-off-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b9703449347603289cac0bd04e574ac2e777275d", "tree": "287d7d8cccfad36f238d826f87e474afb8db424d", "parents": [ "4b174b6d281f5c87234fc65bafc02877f565c5cf" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Jan 18 09:07:12 2011 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 24 10:27:57 2011 +1100" }, "message": "encrypted-keys: rename encrypted_defined files to encrypted\n\nRename encrypted_defined.c and encrypted_defined.h files to encrypted.c and\nencrypted.h, respectively. Based on request from David Howells.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4b174b6d281f5c87234fc65bafc02877f565c5cf", "tree": "5c1f0519d2f4d642ac9ecec9a180019fe980958e", "parents": [ "1bae4ce27c9c90344f23c65ea6966c50ffeae2f5" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Jan 18 09:07:11 2011 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 24 10:14:22 2011 +1100" }, "message": "trusted-keys: rename trusted_defined files to trusted\n\nRename trusted_defined.c and trusted_defined.h files to trusted.c and\ntrusted.h, respectively. Based on request from David Howells.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "973c9f4f49ca96a53bcf6384c4c59ccd26c33906", "tree": "e3535a43c1e5cb5f0c06c040f58bc25c9b869fd1", "parents": [ "a8b17ed019bd40d3bfa20439d9c36a99f9be9180" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jan 20 16:38:33 2011 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 21 14:59:30 2011 -0800" }, "message": "KEYS: Fix up comments in key management code\n\nFix up comments in the key management code. No functional changes.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "a8b17ed019bd40d3bfa20439d9c36a99f9be9180", "tree": "beb3b08575aa01c7ebb24939b678d533b1f59adf", "parents": [ "9093ba53b7f26dbb5210de1157769e59e34bbe23" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jan 20 16:38:27 2011 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 21 14:59:29 2011 -0800" }, "message": "KEYS: Do some style cleanup in the key management code.\n\nDo a bit of a style clean up in the key management code. No functional\nchanges.\n\nDone using:\n\n perl -p -i -e \u0027s!^/[*]*/\\n!!\u0027 security/keys/*.c\n perl -p -i -e \u0027s!} /[*] end [a-z0-9_]*[(][)] [*]/\\n!}\\n!\u0027 security/keys/*.c\n sed -i -s -e \": next\" -e N -e \u0027s/^\\n[}]$/}/\u0027 -e t -e P -e \u0027s/^.*\\n//\u0027 -e \"b next\" security/keys/*.c\n\nTo remove /*****/ lines, remove comments on the closing brace of a\nfunction to name the function and remove blank lines before the closing\nbrace of a function.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "154a96bfcd53b8e5020718c64769e542c44788b9", "tree": "2fc7a4c8992fb4222a6fb47f22907a94da48eebd", "parents": [ "0e7491f685cbc962f2ef977f7b5f8ed0b3100e88" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Mon Jan 17 09:27:27 2011 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 19 09:53:59 2011 +1100" }, "message": "trusted-keys: avoid scattring va_end()\n\nWe can avoid scattering va_end() within the\n\n va_start();\n for (;;) {\n\n }\n va_end();\n\nloop, assuming that crypto_shash_init()/crypto_shash_update() return 0 on\nsuccess and negative value otherwise.\n\nMake TSS_authhmac()/TSS_checkhmac1()/TSS_checkhmac2() similar to TSS_rawhmac()\nby removing \"va_end()/goto\" from the loop.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nReviewed-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0e7491f685cbc962f2ef977f7b5f8ed0b3100e88", "tree": "44d27bf6f64b974eb8d177316c3fd77f66324b13", "parents": [ "35576eab390df313095306e2a8216134910e7014" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Mon Jan 17 09:25:34 2011 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 19 09:53:56 2011 +1100" }, "message": "trusted-keys: check for NULL before using it\n\nTSS_rawhmac() checks for data !\u003d NULL before using it.\nWe should do the same thing for TSS_authhmac().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nReviewed-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "35576eab390df313095306e2a8216134910e7014", "tree": "c35b52f6797ce69091c3e3bc596783f45e19496a", "parents": [ "40c1001792de63e0f90e977eb05393fd71f78692" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Mon Jan 17 09:22:47 2011 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 19 09:53:53 2011 +1100" }, "message": "trusted-keys: another free memory bugfix\n\nTSS_rawhmac() forgot to call va_end()/kfree() when data \u003d\u003d NULL and\nforgot to call va_end() when crypto_shash_update() \u003c 0.\nFix these bugs by escaping from the loop using \"break\"\n(rather than \"return\"/\"goto\") in order to make sure that\nva_end()/kfree() are always called.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nReviewed-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "40c1001792de63e0f90e977eb05393fd71f78692", "tree": "7172e92ccefd8f4b8ee42401901ddab5bec687b5", "parents": [ "581548db3b3c0f6e25b500329eb02e3c72e7acbe" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Dec 20 12:37:18 2010 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jan 14 10:27:46 2011 +1100" }, "message": "trusted-keys: free memory bugfix\n\nAdd missing kfree(td) in tpm_seal() before the return, freeing\ntd on error paths as well.\n\nReported-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Safford \u003csafford@watson.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Serge Hallyn \u003cserge@hallyn.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d2e7ad19229f982fc1eb731827d82ceac90abfb3", "tree": "98a3741b4d4b27a48b3c7ea9babe331e539416a8", "parents": [ "d03a5d888fb688c832d470b749acc5ed38e0bc1d", "0c21e3aaf6ae85bee804a325aa29c325209180fd" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 10 09:46:24 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 10 09:46:24 2011 +1100" }, "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tsecurity/smack/smack_lsm.c\n\nVerified and added fix by Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nOk\u0027d by Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3fc5e98d8cf85e0d77fc597b49e9268dff67400e", "tree": "acd7c7a2579f945ff856bd570988f48f652f93c1", "parents": [ "44658a11f312fb9217674cb90b1a11cbe17fd18d" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Dec 22 16:24:13 2010 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Dec 23 15:31:48 2010 -0800" }, "message": "KEYS: Don\u0027t call up_write() if __key_link_begin() returns an error\n\nIn construct_alloc_key(), up_write() is called in the error path if\n__key_link_begin() fails, but this is incorrect as __key_link_begin() only\nreturns with the nominated keyring locked if it returns successfully.\n\nWithout this patch, you might see the following in dmesg:\n\n\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\t[ BUG: bad unlock balance detected! ]\n\t-------------------------------------\n\tmount.cifs/5769 is trying to release lock (\u0026key-\u003esem) at:\n\t[\u003cffffffff81201159\u003e] request_key_and_link+0x263/0x3fc\n\tbut there are no more locks to release!\n\n\tother info that might help us debug this:\n\t3 locks held by mount.cifs/5769:\n\t #0: (\u0026type-\u003es_umount_key#41/1){+.+.+.}, at: [\u003cffffffff81131321\u003e] sget+0x278/0x3e7\n\t #1: (\u0026ret_buf-\u003esession_mutex){+.+.+.}, at: [\u003cffffffffa0258e59\u003e] cifs_get_smb_ses+0x35a/0x443 [cifs]\n\t #2: (root_key_user.cons_lock){+.+.+.}, at: [\u003cffffffff81201000\u003e] request_key_and_link+0x10a/0x3fc\n\n\tstack backtrace:\n\tPid: 5769, comm: mount.cifs Not tainted 2.6.37-rc6+ #1\n\tCall Trace:\n\t [\u003cffffffff81201159\u003e] ? request_key_and_link+0x263/0x3fc\n\t [\u003cffffffff81081601\u003e] print_unlock_inbalance_bug+0xca/0xd5\n\t [\u003cffffffff81083248\u003e] lock_release_non_nested+0xc1/0x263\n\t [\u003cffffffff81201159\u003e] ? request_key_and_link+0x263/0x3fc\n\t [\u003cffffffff81201159\u003e] ? request_key_and_link+0x263/0x3fc\n\t [\u003cffffffff81083567\u003e] lock_release+0x17d/0x1a4\n\t [\u003cffffffff81073f45\u003e] up_write+0x23/0x3b\n\t [\u003cffffffff81201159\u003e] request_key_and_link+0x263/0x3fc\n\t [\u003cffffffffa026fe9e\u003e] ? cifs_get_spnego_key+0x61/0x21f [cifs]\n\t [\u003cffffffff812013c5\u003e] request_key+0x41/0x74\n\t [\u003cffffffffa027003d\u003e] cifs_get_spnego_key+0x200/0x21f [cifs]\n\t [\u003cffffffffa026e296\u003e] CIFS_SessSetup+0x55d/0x1273 [cifs]\n\t [\u003cffffffffa02589e1\u003e] cifs_setup_session+0x90/0x1ae [cifs]\n\t [\u003cffffffffa0258e7e\u003e] cifs_get_smb_ses+0x37f/0x443 [cifs]\n\t [\u003cffffffffa025a9e3\u003e] cifs_mount+0x1aa1/0x23f3 [cifs]\n\t [\u003cffffffff8111fd94\u003e] ? alloc_debug_processing+0xdb/0x120\n\t [\u003cffffffffa027002c\u003e] ? cifs_get_spnego_key+0x1ef/0x21f [cifs]\n\t [\u003cffffffffa024cc71\u003e] cifs_do_mount+0x165/0x2b3 [cifs]\n\t [\u003cffffffff81130e72\u003e] vfs_kern_mount+0xaf/0x1dc\n\t [\u003cffffffff81131007\u003e] do_kern_mount+0x4d/0xef\n\t [\u003cffffffff811483b9\u003e] do_mount+0x6f4/0x733\n\t [\u003cffffffff8114861f\u003e] sys_mount+0x88/0xc2\n\t [\u003cffffffff8100ac42\u003e] system_call_fastpath+0x16/0x1b\n\nReported-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-and-Tested-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3b1826cebe1d534ec05417a29b9a9f82651a5cb5", "tree": "38fc352e647df90c86a0b03722eff8f66b7eb607", "parents": [ "1f35065a9e2573427ce3fd6c4a40b355c2ddfb92" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Dec 13 16:53:13 2010 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Dec 15 12:14:34 2010 +0530" }, "message": "encrypted-keys: style and other cleanup\n\nCleanup based on David Howells suggestions:\n- use static const char arrays instead of #define\n- rename init_sdesc to alloc_sdesc\n- convert \u0027unsigned int\u0027 definitions to \u0027size_t\u0027\n- revert remaining \u0027const unsigned int\u0027 definitions to \u0027unsigned int\u0027\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1f35065a9e2573427ce3fd6c4a40b355c2ddfb92", "tree": "9ee6990e21b34dda09efc625a8bca4fa6c4e5d67", "parents": [ "1bdbb4024c309e470711b434a24fb356fc92edea" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Dec 13 16:53:12 2010 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Dec 15 12:14:32 2010 +0530" }, "message": "encrypted-keys: verify datablob size before converting to binary\n\nVerify the hex ascii datablob length is correct before converting the IV,\nencrypted data, and HMAC to binary.\n\nReported-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1bdbb4024c309e470711b434a24fb356fc92edea", "tree": "129f4136a53e0133fcdff81065f2e15fb4aac374", "parents": [ "bc5e0af0b36b6cc9de301074426c279fc9b72675" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Dec 13 16:53:11 2010 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Dec 15 12:14:27 2010 +0530" }, "message": "trusted-keys: kzalloc and other cleanup\n\nCleanup based on David Howells suggestions:\n- replace kzalloc, where possible, with kmalloc\n- revert \u0027const unsigned int\u0027 definitions to \u0027unsigned int\u0027\n\nSigned-off-by: David Safford \u003csafford@watson.ibm.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bc5e0af0b36b6cc9de301074426c279fc9b72675", "tree": "116b20ec3e81f4a956ecf0fde2dfba11d43117dc", "parents": [ "38ef4c2e437d11b5922723504b62824e96761459" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Dec 13 16:53:10 2010 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Dec 15 12:14:25 2010 +0530" }, "message": "trusted-keys: additional TSS return code and other error handling\n\nPreviously not all TSS return codes were tested, as they were all eventually\ncaught by the TPM. Now all returns are tested and handled immediately.\n\nThis patch also fixes memory leaks in error and non-error paths.\n\nSigned-off-by: David Safford \u003csafford@watson.ibm.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge E. Hallyn \u003cserge@hallyn.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "93ae86e759299718c611bc543b9b1633bf32905a", "tree": "e8b054d9df2c2f9e935d656d5eb25c7c6231c940", "parents": [ "b4e0d5f0791bd6dd12a1c1edea0340969c7c1f90" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Nov 29 16:20:04 2010 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Nov 30 09:20:27 2010 +1100" }, "message": "keys: add missing include file for trusted and encrypted keys\n\nThis patch fixes the linux-next powerpc build errors as reported by\nStephen Rothwell.\n\nReported-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nTested-by: Rajiv Andrade \u003csrajiv@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7e70cb4978507cf31d76b90e4cfb4c28cad87f0c", "tree": "c5df493eef8d30dcb40d647b0528970eb4a391c6", "parents": [ "d00a1c72f7f4661212299e6cb132dfa58030bcdb" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Nov 23 18:55:35 2010 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Nov 29 08:55:29 2010 +1100" }, "message": "keys: add new key-type encrypted\n\nDefine a new kernel key-type called \u0027encrypted\u0027. Encrypted keys are kernel\ngenerated random numbers, which are encrypted/decrypted with a \u0027trusted\u0027\nsymmetric key. Encrypted keys are created/encrypted/decrypted in the kernel.\nUserspace only ever sees/stores encrypted blobs.\n\nChangelog:\n- bug fix: replaced master-key rcu based locking with semaphore\n (reported by David Howells)\n- Removed memset of crypto_shash_digest() digest output\n- Replaced verification of \u0027key-type:key-desc\u0027 using strcspn(), with\n one based on string constants.\n- Moved documentation to Documentation/keys-trusted-encrypted.txt\n- Replace hash with shash (based on comments by David Howells)\n- Make lengths/counts size_t where possible (based on comments by David Howells)\n Could not convert most lengths, as crypto expects \u0027unsigned int\u0027\n (size_t: on 32 bit is defined as unsigned int, but on 64 bit is unsigned long)\n- Add \u0027const\u0027 where possible (based on comments by David Howells)\n- allocate derived_buf dynamically to support arbitrary length master key\n (fixed by Roberto Sassu)\n- wait until late_initcall for crypto libraries to be registered\n- cleanup security/Kconfig\n- Add missing \u0027update\u0027 keyword (reported/fixed by Roberto Sassu)\n- Free epayload on failure to create key (reported/fixed by Roberto Sassu)\n- Increase the data size limit (requested by Roberto Sassu)\n- Crypto return codes are always 0 on success and negative on failure,\n remove unnecessary tests.\n- Replaced kzalloc() with kmalloc()\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: David Safford \u003csafford@watson.ibm.com\u003e\nReviewed-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d00a1c72f7f4661212299e6cb132dfa58030bcdb", "tree": "2c873e461f42bbf3aea03b7b2e59cea8f941d841", "parents": [ "c749ba912e87ccebd674ae24b97462176c63732e" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Nov 23 17:50:34 2010 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Nov 29 08:55:25 2010 +1100" }, "message": "keys: add new trusted key-type\n\nDefine a new kernel key-type called \u0027trusted\u0027. Trusted keys are random\nnumber symmetric keys, generated and RSA-sealed by the TPM. The TPM\nonly unseals the keys, if the boot PCRs and other criteria match.\nUserspace can only ever see encrypted blobs.\n\nBased on suggestions by Jason Gunthorpe, several new options have been\nadded to support additional usages.\n\nThe new options are:\nmigratable\u003d designates that the key may/may not ever be updated\n (resealed under a new key, new pcrinfo or new auth.)\n\npcrlock\u003dn extends the designated PCR \u0027n\u0027 with a random value,\n so that a key sealed to that PCR may not be unsealed\n again until after a reboot.\n\nkeyhandle\u003d specifies the sealing/unsealing key handle.\n\nkeyauth\u003d specifies the sealing/unsealing key auth.\n\nblobauth\u003d specifies the sealed data auth.\n\nImplementation of a kernel reserved locality for trusted keys will be\ninvestigated for a possible future extension.\n\nChangelog:\n- Updated and added examples to Documentation/keys-trusted-encrypted.txt\n- Moved generic TPM constants to include/linux/tpm_command.h\n (David Howell\u0027s suggestion.)\n- trusted_defined.c: replaced kzalloc with kmalloc, added pcrlock failure\n error handling, added const qualifiers where appropriate.\n- moved to late_initcall\n- updated from hash to shash (suggestion by David Howells)\n- reduced worst stack usage (tpm_seal) from 530 to 312 bytes\n- moved documentation to Documentation directory (suggestion by David Howells)\n- all the other code cleanups suggested by David Howells\n- Add pcrlock CAP_SYS_ADMIN dependency (based on comment by Jason Gunthorpe)\n- New options: migratable, pcrlock, keyhandle, keyauth, blobauth (based on\n discussions with Jason Gunthorpe)\n- Free payload on failure to create key(reported/fixed by Roberto Sassu)\n- Updated Kconfig and other descriptions (based on Serge Hallyn\u0027s suggestion)\n- Replaced kzalloc() with kmalloc() (reported by Serge Hallyn)\n\nSigned-off-by: David Safford \u003csafford@watson.ibm.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "27d6379894be4a81984da4d48002196a83939ca9", "tree": "1d5a7338b0fc66ba4c0b799eb60df44b8f0fc08a", "parents": [ "765aaafe38050790301e89745b991dbdf3dded4c" ], "author": { "name": "Andi Kleen", "email": "ak@linux.intel.com", "time": "Thu Oct 28 13:16:13 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Oct 28 09:02:15 2010 -0700" }, "message": "Fix install_process_keyring error handling\n\nFix an incorrect error check that returns 1 for error instead of the\nexpected error code.\n\nSigned-off-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3d96406c7da1ed5811ea52a3b0905f4f0e295376", "tree": "051e3a0ab6b0c9d9ac12b88fd244ff09766f8f50", "parents": [ "9d1ac65a9698513d00e5608d93fca0c53f536c14" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Sep 10 09:59:51 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Sep 10 07:30:00 2010 -0700" }, "message": "KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring\n\nFix a bug in keyctl_session_to_parent() whereby it tries to check the ownership\nof the parent process\u0027s session keyring whether or not the parent has a session\nkeyring [CVE-2010-2960].\n\nThis results in the following oops:\n\n BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0\n IP: [\u003cffffffff811ae4dd\u003e] keyctl_session_to_parent+0x251/0x443\n ...\n Call Trace:\n [\u003cffffffff811ae2f3\u003e] ? keyctl_session_to_parent+0x67/0x443\n [\u003cffffffff8109d286\u003e] ? __do_fault+0x24b/0x3d0\n [\u003cffffffff811af98c\u003e] sys_keyctl+0xb4/0xb8\n [\u003cffffffff81001eab\u003e] system_call_fastpath+0x16/0x1b\n\nif the parent process has no session keyring.\n\nIf the system is using pam_keyinit then it mostly protected against this as all\nprocesses derived from a login will have inherited the session keyring created\nby pam_keyinit during the log in procedure.\n\nTo test this, pam_keyinit calls need to be commented out in /etc/pam.d/.\n\nReported-by: Tavis Ormandy \u003ctaviso@cmpxchg8b.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Tavis Ormandy \u003ctaviso@cmpxchg8b.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "9d1ac65a9698513d00e5608d93fca0c53f536c14", "tree": "859809638bdf52f56b6b3890bedefcc1bae89b32", "parents": [ "ff3cb3fec3c5bbb5110e652bbdd410bc99a47e9f" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Sep 10 09:59:46 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Sep 10 07:30:00 2010 -0700" }, "message": "KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()\n\nThere\u0027s an protected access to the parent process\u0027s credentials in the middle\nof keyctl_session_to_parent(). This results in the following RCU warning:\n\n \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n [ INFO: suspicious rcu_dereference_check() usage. ]\n ---------------------------------------------------\n security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!\n\n other info that might help us debug this:\n\n rcu_scheduler_active \u003d 1, debug_locks \u003d 0\n 1 lock held by keyctl-session-/2137:\n #0: (tasklist_lock){.+.+..}, at: [\u003cffffffff811ae2ec\u003e] keyctl_session_to_parent+0x60/0x236\n\n stack backtrace:\n Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1\n Call Trace:\n [\u003cffffffff8105606a\u003e] lockdep_rcu_dereference+0xaa/0xb3\n [\u003cffffffff811ae379\u003e] keyctl_session_to_parent+0xed/0x236\n [\u003cffffffff811af77e\u003e] sys_keyctl+0xb4/0xb6\n [\u003cffffffff81001eab\u003e] system_call_fastpath+0x16/0x1b\n\nThe code should take the RCU read lock to make sure the parents credentials\ndon\u0027t go away, even though it\u0027s holding a spinlock and has IRQ disabled.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "12fdff3fc2483f906ae6404a6e8dcf2550310b6f", "tree": "a79fb1365fce7c7529655a8802d6d6bf8509b374", "parents": [ "1490cf5f0cb07dd49cdab4bceb769d7f711d7ca6" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Aug 12 16:54:57 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Aug 12 09:51:35 2010 -0700" }, "message": "Add a dummy printk function for the maintenance of unused printks\n\nAdd a dummy printk function for the maintenance of unused printks through gcc\nformat checking, and also so that side-effect checking is maintained too.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "1e456a124353a753e9d1fadfbf5cd459c2f197ae", "tree": "4977d4fa275faafc0ba99a635d4c853a1f0df2a1", "parents": [ "fc1caf6eafb30ea185720e29f7f5eccca61ecd60" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Aug 06 16:08:27 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Aug 06 09:17:02 2010 -0700" }, "message": "KEYS: request_key() should return -ENOKEY if the constructed key is negative\n\nrequest_key() should return -ENOKEY if the key it constructs has been\nnegatively instantiated.\n\nWithout this, request_key() can return an unusable key to its caller,\nand if the caller then does key_validate() that won\u0027t catch the problem.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "5ad18a0d59ba9e65b3c8b2b489fd23bc6b3daf94", "tree": "9de21bbe321012bd8e51d9d8ed09b81785cfcbec", "parents": [ "94fd8405ea62bd2d4a40f3013e8e6935b6643235" ], "author": { "name": "Justin P. Mattock", "email": "justinmattock@gmail.com", "time": "Wed Jun 30 10:39:11 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:56 2010 +1000" }, "message": "KEYS: Reinstate lost passing of process keyring ID in call_sbin_request_key()\n\nIn commit bb952bb98a7e479262c7eb25d5592545a3af147d there was the accidental\ndeletion of a statement from call_sbin_request_key() to render the process\nkeyring ID to a text string so that it can be passed to /sbin/request-key.\n\nWith gcc 4.6.0 this causes the following warning:\n\n CC security/keys/request_key.o\nsecurity/keys/request_key.c: In function \u0027call_sbin_request_key\u0027:\nsecurity/keys/request_key.c:102:15: warning: variable \u0027prkey\u0027 set but not used\n\nThis patch reinstates that statement.\n\nWithout this statement, /sbin/request-key will get some random rubbish from the\nstack as that parameter.\n\nSigned-off-by: Justin P. Mattock \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "94fd8405ea62bd2d4a40f3013e8e6935b6643235", "tree": "14bff044866db418ec7f84944fc80998df851a99", "parents": [ "0849e3ba53c3ef603dffa9758a73e07ed186a937" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Jun 28 14:05:04 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:56 2010 +1000" }, "message": "KEYS: Use the variable \u0027key\u0027 in keyctl_describe_key()\n\nkeyctl_describe_key() turns the key reference it gets into a usable key pointer\nand assigns that to a variable called \u0027key\u0027, which it then ignores in favour of\nrecomputing the key pointer each time it needs it. Make it use the precomputed\npointer instead.\n\nWithout this patch, gcc 4.6 reports that the variable key is set but not used:\n\n\tbuilding with gcc 4.6 I\u0027m getting a warning message:\n\t CC security/keys/keyctl.o\n\tsecurity/keys/keyctl.c: In function \u0027keyctl_describe_key\u0027:\n\tsecurity/keys/keyctl.c:472:14: warning: variable \u0027key\u0027 set but not used\n\nReported-by: Justin P. Mattock \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "927942aabbbe506bf9bc70a16dc5460ecc64c148", "tree": "2c53ccb405bd4afb03ff9f7acab892fafc7e9b0f", "parents": [ "9156235b3427d6f01c5c95022f72f381f07583f5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Jun 11 17:31:10 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:27 2010 +1000" }, "message": "KEYS: Make /proc/keys check to see if a key is possessed before security check\n\nMake /proc/keys check to see if the calling process possesses each key before\nperforming the security check. The possession check can be skipped if the key\ndoesn\u0027t have the possessor-view permission bit set.\n\nThis causes the keys a process possesses to show up in /proc/keys, even if they\ndon\u0027t have matching user/group/other view permissions.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9156235b3427d6f01c5c95022f72f381f07583f5", "tree": "16df30be93847e73a3b188b98f9ef2e034d82a90", "parents": [ "57c2590fb7fd38bd52708ff2716a577d0c2b3c5a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Jun 11 17:31:05 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 02 15:34:27 2010 +1000" }, "message": "KEYS: Authorise keyctl_set_timeout() on a key if we have its authorisation key\n\nAuthorise a process to perform keyctl_set_timeout() on an uninstantiated key if\nthat process has the authorisation key for it.\n\nThis allows the instantiator to set the timeout on a key it is instantiating -\nprovided it does it before instantiating the key.\n\nFor instance, the test upcall script provided with the keyutils package could\nbe modified to set the expiry to an hour hence before instantiating the key:\n\n\t[/usr/share/keyutils/request-key-debug.sh]\n\t if [ \"$3\" !\u003d \"neg\" ]\n\t then\n\t+ keyctl timeout $1 3600\n\t keyctl instantiate $1 \"Debug $3\" $4 || exit 1\n\t else\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4303ef19c6e6d16ea845c04b02b9cf086bcb8ed7", "tree": "83e649d3b9d3583c7576920a0feb08e38a19d1b5", "parents": [ "7e27d6e778cd87b6f2415515d7127eba53fe5d02" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Fri Jun 11 17:30:05 2010 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Jun 27 07:02:34 2010 -0700" }, "message": "KEYS: Propagate error code instead of returning -EINVAL\n\nThis is from a Smatch check I\u0027m writing.\n\nstrncpy_from_user() returns -EFAULT on error so the first change just\nsilences a warning but doesn\u0027t change how the code works.\n\nThe other change is a bug fix because install_thread_keyring_to_cred()\ncan return a variety of errors such as -EINVAL, -EEXIST, -ENOMEM or\n-EKEYREVOKED.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "dd98acf74762764fbc4382a1d9a244f11a2658cc", "tree": "e194cc516ccc8812a0424dfd2ca1c32bf1052cd4", "parents": [ "5089a9768041206c76fac299ccd82a528c24c254" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Wed May 26 14:43:23 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 27 09:12:47 2010 -0700" }, "message": "keyctl_session_to_parent(): use thread_group_empty() to check singlethreadness\n\nNo functional changes.\n\nkeyctl_session_to_parent() is the only user of signal-\u003ecount which needs\nthe correct value. Change it to use thread_group_empty() instead, this\nmust be strictly equivalent under tasklist, and imho looks better.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nAcked-by: Roland McGrath \u003croland@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "685bfd2c48bb3284d31e73ff3151c957d76deda9", "tree": "177210787515f48c0eaad5216bd012f4a2fb2149", "parents": [ "898b374af6f71041bd3bceebe257e564f3f1d458" ], "author": { "name": "Oleg Nesterov", "email": "oleg@redhat.com", "time": "Wed May 26 14:43:00 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 27 09:12:45 2010 -0700" }, "message": "umh: creds: convert call_usermodehelper_keys() to use subprocess_info-\u003einit()\n\ncall_usermodehelper_keys() uses call_usermodehelper_setkeys() to change\nsubprocess_info-\u003ecred in advance. Now that we have info-\u003einit() we can\nchange this code to set tgcred-\u003esession_keyring in context of execing\nkernel thread.\n\nNote: since currently call_usermodehelper_keys() is never called with\nUMH_NO_WAIT, call_usermodehelper_keys()-\u003ekey_get() and umh_keys_cleanup()\nare not really needed, we could rely on install_session_keyring_to_cred()\nwhich does key_get() on success.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: Neil Horman \u003cnhorman@tuxdriver.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4be929be34f9bdeffa40d815d32d7d60d2c7f03b", "tree": "4d2c6e2b8ef766e565e2e050ee151de2e02081d3", "parents": [ "940370fc86b920b51a34217a1facc3e9e97c2456" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Mon May 24 14:33:03 2010 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue May 25 08:07:02 2010 -0700" }, "message": "kernel-wide: replace USHORT_MAX, SHORT_MAX and SHORT_MIN with USHRT_MAX, SHRT_MAX and SHRT_MIN\n\n- C99 knows about USHRT_MAX/SHRT_MAX/SHRT_MIN, not\n USHORT_MAX/SHORT_MAX/SHORT_MIN.\n\n- Make SHRT_MIN of type s16, not int, for consistency.\n\n[akpm@linux-foundation.org: fix drivers/dma/timb_dma.c]\n[akpm@linux-foundation.org: fix security/keys/keyring.c]\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nAcked-by: WANG Cong \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4d09ec0f705cf88a12add029c058b53f288cfaa2", "tree": "d756921f5391953295404ccf3ba570ddaaca404f", "parents": [ "c80901f2755c582e3096e6708028a8daca59e6e2" ], "author": { "name": "Dan Carpenter", "email": "error27@gmail.com", "time": "Mon May 17 14:42:35 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 18 08:50:55 2010 +1000" }, "message": "KEYS: Return more accurate error codes\n\nWe were using the wrong variable here so the error codes weren\u0027t being returned\nproperly. The original code returns -ENOKEY.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f70e2e06196ad4c1c762037da2f75354f6c16b81", "tree": "9632a1e655efb684c87f8c7be6d091fbb1a430e7", "parents": [ "043b4d40f53131c5f72eca2a46555fe35328a930" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Apr 30 14:32:39 2010 +0100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 22:25:02 2010 +1000" }, "message": "KEYS: Do preallocation for __key_link()\n\nDo preallocation for __key_link() so that the various callers in request_key.c\ncan deal with any errors from this source before attempting to construct a key.\nThis allows them to assume that the actual linkage step is guaranteed to be\nsuccessful.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ], "next": "043b4d40f53131c5f72eca2a46555fe35328a930" }