diff options
author | Praneeth Bajjuri | 2017-08-28 18:03:19 -0500 |
---|---|---|
committer | Praneeth Bajjuri | 2017-08-28 18:03:19 -0500 |
commit | dda8acaf6f2d9bddce62c305edf6b3071f04c136 (patch) | |
tree | 612f8b7b18ff3a84184ddc0ce456b9b0287cace6 /security | |
parent | b22bbe0c5fa4fd5eb4609108a750b28a744a643e (diff) | |
parent | eabbcea7629d5f2ec91568f7bd104536614107db (diff) | |
download | kernel-omap-6AM.1.3-rvc-video.tar.gz kernel-omap-6AM.1.3-rvc-video.tar.xz kernel-omap-6AM.1.3-rvc-video.zip |
Merge branch 'p-ti-lsk-android-linux-4.4.y' of git://git.omapzoom.org/kernel/omap into 6AM.1.3-rvc-video6AM.1.3-rvc-video
* 'p-ti-lsk-android-linux-4.4.y' of git://git.omapzoom.org/kernel/omap: (2048 commits)
ARM: dts: dra7: Remove deprecated PCI compatible string
ARM: dts: dra76-evm: Enable x2 PCIe lanes
ARM: dts: DRA72x: Use PCIe compatible specific to dra72
ARM: dts: DRA74x: Use PCIe compatible specific to dra74
ARM: dts: dra7: Add properties to enable PCIe x2 lane mode
PCI: dwc: pci-dra7xx: Enable x2 mode support
PCI: dwc: dra7xx: Add support for SoC specific compatible strings
dt-bindings: PCI: dra7xx: Add properties to enable x2 lane in dra7
dt-bindings: PCI: dra7xx: Add SoC specific compatible strings
ARM: dts: dra7-evm: Move pcie RC node to common file
ARM: dts: dra76-evm: add higher speed MMC/SD modes
Linux 4.4.84
usb: qmi_wwan: add D-Link DWM-222 device ID
usb: optimize acpi companion search for usb port devices
perf/x86: Fix LBR related crashes on Intel Atom
pids: make task_tgid_nr_ns() safe
Sanitize 'move_pages()' permission checks
irqchip/atmel-aic: Fix unbalanced refcount in aic_common_rtc_irq_fixup()
irqchip/atmel-aic: Fix unbalanced of_node_put() in aic_common_irq_fixup()
x86/asm/64: Clear AC on NMI entries
...
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>
Conflicts:
arch/arm/boot/dts/Makefile
drivers/gpu/drm/omapdrm/dss/dispc.c
Diffstat (limited to 'security')
-rw-r--r-- | security/inode.c | 2 | ||||
-rw-r--r-- | security/integrity/ima/ima_appraise.c | 5 | ||||
-rw-r--r-- | security/keys/encrypted-keys/encrypted.c | 2 | ||||
-rw-r--r-- | security/keys/gc.c | 2 | ||||
-rw-r--r-- | security/keys/key.c | 5 | ||||
-rw-r--r-- | security/keys/keyctl.c | 24 | ||||
-rw-r--r-- | security/keys/process_keys.c | 44 | ||||
-rw-r--r-- | security/security.c | 1 | ||||
-rw-r--r-- | security/selinux/hooks.c | 2 |
9 files changed, 50 insertions, 37 deletions
diff --git a/security/inode.c b/security/inode.c index 16622aef9bde..0f1a041bf6cb 100644 --- a/security/inode.c +++ b/security/inode.c | |||
@@ -100,7 +100,7 @@ struct dentry *securityfs_create_file(const char *name, umode_t mode, | |||
100 | dir = d_inode(parent); | 100 | dir = d_inode(parent); |
101 | 101 | ||
102 | mutex_lock(&dir->i_mutex); | 102 | mutex_lock(&dir->i_mutex); |
103 | dentry = lookup_one_len(name, parent, strlen(name)); | 103 | dentry = lookup_one_len2(name, mount, parent, strlen(name)); |
104 | if (IS_ERR(dentry)) | 104 | if (IS_ERR(dentry)) |
105 | goto out; | 105 | goto out; |
106 | 106 | ||
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index ed5a9c110b3a..9ce9d5003dcc 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c | |||
@@ -203,10 +203,11 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, | |||
203 | 203 | ||
204 | cause = "missing-hash"; | 204 | cause = "missing-hash"; |
205 | status = INTEGRITY_NOLABEL; | 205 | status = INTEGRITY_NOLABEL; |
206 | if (opened & FILE_CREATED) { | 206 | if (opened & FILE_CREATED) |
207 | iint->flags |= IMA_NEW_FILE; | 207 | iint->flags |= IMA_NEW_FILE; |
208 | if ((iint->flags & IMA_NEW_FILE) && | ||
209 | !(iint->flags & IMA_DIGSIG_REQUIRED)) | ||
208 | status = INTEGRITY_PASS; | 210 | status = INTEGRITY_PASS; |
209 | } | ||
210 | goto out; | 211 | goto out; |
211 | } | 212 | } |
212 | 213 | ||
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c index 696ccfa08d10..31898856682e 100644 --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c | |||
@@ -428,7 +428,7 @@ static int init_blkcipher_desc(struct blkcipher_desc *desc, const u8 *key, | |||
428 | static struct key *request_master_key(struct encrypted_key_payload *epayload, | 428 | static struct key *request_master_key(struct encrypted_key_payload *epayload, |
429 | const u8 **master_key, size_t *master_keylen) | 429 | const u8 **master_key, size_t *master_keylen) |
430 | { | 430 | { |
431 | struct key *mkey = NULL; | 431 | struct key *mkey = ERR_PTR(-EINVAL); |
432 | 432 | ||
433 | if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX, | 433 | if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX, |
434 | KEY_TRUSTED_PREFIX_LEN)) { | 434 | KEY_TRUSTED_PREFIX_LEN)) { |
diff --git a/security/keys/gc.c b/security/keys/gc.c index addf060399e0..9cb4fe4478a1 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c | |||
@@ -46,7 +46,7 @@ static unsigned long key_gc_flags; | |||
46 | * immediately unlinked. | 46 | * immediately unlinked. |
47 | */ | 47 | */ |
48 | struct key_type key_type_dead = { | 48 | struct key_type key_type_dead = { |
49 | .name = "dead", | 49 | .name = ".dead", |
50 | }; | 50 | }; |
51 | 51 | ||
52 | /* | 52 | /* |
diff --git a/security/keys/key.c b/security/keys/key.c index 534808915371..09c10b181881 100644 --- a/security/keys/key.c +++ b/security/keys/key.c | |||
@@ -934,12 +934,11 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen) | |||
934 | /* the key must be writable */ | 934 | /* the key must be writable */ |
935 | ret = key_permission(key_ref, KEY_NEED_WRITE); | 935 | ret = key_permission(key_ref, KEY_NEED_WRITE); |
936 | if (ret < 0) | 936 | if (ret < 0) |
937 | goto error; | 937 | return ret; |
938 | 938 | ||
939 | /* attempt to update it if supported */ | 939 | /* attempt to update it if supported */ |
940 | ret = -EOPNOTSUPP; | ||
941 | if (!key->type->update) | 940 | if (!key->type->update) |
942 | goto error; | 941 | return -EOPNOTSUPP; |
943 | 942 | ||
944 | memset(&prep, 0, sizeof(prep)); | 943 | memset(&prep, 0, sizeof(prep)); |
945 | prep.data = payload; | 944 | prep.data = payload; |
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 1c3872aeed14..671709d8610d 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
@@ -97,7 +97,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type, | |||
97 | /* pull the payload in if one was supplied */ | 97 | /* pull the payload in if one was supplied */ |
98 | payload = NULL; | 98 | payload = NULL; |
99 | 99 | ||
100 | if (_payload) { | 100 | if (plen) { |
101 | ret = -ENOMEM; | 101 | ret = -ENOMEM; |
102 | payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN); | 102 | payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN); |
103 | if (!payload) { | 103 | if (!payload) { |
@@ -271,7 +271,8 @@ error: | |||
271 | * Create and join an anonymous session keyring or join a named session | 271 | * Create and join an anonymous session keyring or join a named session |
272 | * keyring, creating it if necessary. A named session keyring must have Search | 272 | * keyring, creating it if necessary. A named session keyring must have Search |
273 | * permission for it to be joined. Session keyrings without this permit will | 273 | * permission for it to be joined. Session keyrings without this permit will |
274 | * be skipped over. | 274 | * be skipped over. It is not permitted for userspace to create or join |
275 | * keyrings whose name begin with a dot. | ||
275 | * | 276 | * |
276 | * If successful, the ID of the joined session keyring will be returned. | 277 | * If successful, the ID of the joined session keyring will be returned. |
277 | */ | 278 | */ |
@@ -288,12 +289,16 @@ long keyctl_join_session_keyring(const char __user *_name) | |||
288 | ret = PTR_ERR(name); | 289 | ret = PTR_ERR(name); |
289 | goto error; | 290 | goto error; |
290 | } | 291 | } |
292 | |||
293 | ret = -EPERM; | ||
294 | if (name[0] == '.') | ||
295 | goto error_name; | ||
291 | } | 296 | } |
292 | 297 | ||
293 | /* join the session */ | 298 | /* join the session */ |
294 | ret = join_session_keyring(name); | 299 | ret = join_session_keyring(name); |
300 | error_name: | ||
295 | kfree(name); | 301 | kfree(name); |
296 | |||
297 | error: | 302 | error: |
298 | return ret; | 303 | return ret; |
299 | } | 304 | } |
@@ -322,7 +327,7 @@ long keyctl_update_key(key_serial_t id, | |||
322 | 327 | ||
323 | /* pull the payload in if one was supplied */ | 328 | /* pull the payload in if one was supplied */ |
324 | payload = NULL; | 329 | payload = NULL; |
325 | if (_payload) { | 330 | if (plen) { |
326 | ret = -ENOMEM; | 331 | ret = -ENOMEM; |
327 | payload = kmalloc(plen, GFP_KERNEL); | 332 | payload = kmalloc(plen, GFP_KERNEL); |
328 | if (!payload) | 333 | if (!payload) |
@@ -1223,8 +1228,8 @@ error: | |||
1223 | * Read or set the default keyring in which request_key() will cache keys and | 1228 | * Read or set the default keyring in which request_key() will cache keys and |
1224 | * return the old setting. | 1229 | * return the old setting. |
1225 | * | 1230 | * |
1226 | * If a process keyring is specified then this will be created if it doesn't | 1231 | * If a thread or process keyring is specified then it will be created if it |
1227 | * yet exist. The old setting will be returned if successful. | 1232 | * doesn't yet exist. The old setting will be returned if successful. |
1228 | */ | 1233 | */ |
1229 | long keyctl_set_reqkey_keyring(int reqkey_defl) | 1234 | long keyctl_set_reqkey_keyring(int reqkey_defl) |
1230 | { | 1235 | { |
@@ -1249,11 +1254,8 @@ long keyctl_set_reqkey_keyring(int reqkey_defl) | |||
1249 | 1254 | ||
1250 | case KEY_REQKEY_DEFL_PROCESS_KEYRING: | 1255 | case KEY_REQKEY_DEFL_PROCESS_KEYRING: |
1251 | ret = install_process_keyring_to_cred(new); | 1256 | ret = install_process_keyring_to_cred(new); |
1252 | if (ret < 0) { | 1257 | if (ret < 0) |
1253 | if (ret != -EEXIST) | 1258 | goto error; |
1254 | goto error; | ||
1255 | ret = 0; | ||
1256 | } | ||
1257 | goto set; | 1259 | goto set; |
1258 | 1260 | ||
1259 | case KEY_REQKEY_DEFL_DEFAULT: | 1261 | case KEY_REQKEY_DEFL_DEFAULT: |
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index e6d50172872f..4ed909142956 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c | |||
@@ -125,13 +125,18 @@ error: | |||
125 | } | 125 | } |
126 | 126 | ||
127 | /* | 127 | /* |
128 | * Install a fresh thread keyring directly to new credentials. This keyring is | 128 | * Install a thread keyring to the given credentials struct if it didn't have |
129 | * allowed to overrun the quota. | 129 | * one already. This is allowed to overrun the quota. |
130 | * | ||
131 | * Return: 0 if a thread keyring is now present; -errno on failure. | ||
130 | */ | 132 | */ |
131 | int install_thread_keyring_to_cred(struct cred *new) | 133 | int install_thread_keyring_to_cred(struct cred *new) |
132 | { | 134 | { |
133 | struct key *keyring; | 135 | struct key *keyring; |
134 | 136 | ||
137 | if (new->thread_keyring) | ||
138 | return 0; | ||
139 | |||
135 | keyring = keyring_alloc("_tid", new->uid, new->gid, new, | 140 | keyring = keyring_alloc("_tid", new->uid, new->gid, new, |
136 | KEY_POS_ALL | KEY_USR_VIEW, | 141 | KEY_POS_ALL | KEY_USR_VIEW, |
137 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | 142 | KEY_ALLOC_QUOTA_OVERRUN, NULL); |
@@ -143,7 +148,9 @@ int install_thread_keyring_to_cred(struct cred *new) | |||
143 | } | 148 | } |
144 | 149 | ||
145 | /* | 150 | /* |
146 | * Install a fresh thread keyring, discarding the old one. | 151 | * Install a thread keyring to the current task if it didn't have one already. |
152 | * | ||
153 | * Return: 0 if a thread keyring is now present; -errno on failure. | ||
147 | */ | 154 | */ |
148 | static int install_thread_keyring(void) | 155 | static int install_thread_keyring(void) |
149 | { | 156 | { |
@@ -154,8 +161,6 @@ static int install_thread_keyring(void) | |||
154 | if (!new) | 161 | if (!new) |
155 | return -ENOMEM; | 162 | return -ENOMEM; |
156 | 163 | ||
157 | BUG_ON(new->thread_keyring); | ||
158 | |||
159 | ret = install_thread_keyring_to_cred(new); | 164 | ret = install_thread_keyring_to_cred(new); |
160 | if (ret < 0) { | 165 | if (ret < 0) { |
161 | abort_creds(new); | 166 | abort_creds(new); |
@@ -166,17 +171,17 @@ static int install_thread_keyring(void) | |||
166 | } | 171 | } |
167 | 172 | ||
168 | /* | 173 | /* |
169 | * Install a process keyring directly to a credentials struct. | 174 | * Install a process keyring to the given credentials struct if it didn't have |
175 | * one already. This is allowed to overrun the quota. | ||
170 | * | 176 | * |
171 | * Returns -EEXIST if there was already a process keyring, 0 if one installed, | 177 | * Return: 0 if a process keyring is now present; -errno on failure. |
172 | * and other value on any other error | ||
173 | */ | 178 | */ |
174 | int install_process_keyring_to_cred(struct cred *new) | 179 | int install_process_keyring_to_cred(struct cred *new) |
175 | { | 180 | { |
176 | struct key *keyring; | 181 | struct key *keyring; |
177 | 182 | ||
178 | if (new->process_keyring) | 183 | if (new->process_keyring) |
179 | return -EEXIST; | 184 | return 0; |
180 | 185 | ||
181 | keyring = keyring_alloc("_pid", new->uid, new->gid, new, | 186 | keyring = keyring_alloc("_pid", new->uid, new->gid, new, |
182 | KEY_POS_ALL | KEY_USR_VIEW, | 187 | KEY_POS_ALL | KEY_USR_VIEW, |
@@ -189,11 +194,9 @@ int install_process_keyring_to_cred(struct cred *new) | |||
189 | } | 194 | } |
190 | 195 | ||
191 | /* | 196 | /* |
192 | * Make sure a process keyring is installed for the current process. The | 197 | * Install a process keyring to the current task if it didn't have one already. |
193 | * existing process keyring is not replaced. | ||
194 | * | 198 | * |
195 | * Returns 0 if there is a process keyring by the end of this function, some | 199 | * Return: 0 if a process keyring is now present; -errno on failure. |
196 | * error otherwise. | ||
197 | */ | 200 | */ |
198 | static int install_process_keyring(void) | 201 | static int install_process_keyring(void) |
199 | { | 202 | { |
@@ -207,14 +210,18 @@ static int install_process_keyring(void) | |||
207 | ret = install_process_keyring_to_cred(new); | 210 | ret = install_process_keyring_to_cred(new); |
208 | if (ret < 0) { | 211 | if (ret < 0) { |
209 | abort_creds(new); | 212 | abort_creds(new); |
210 | return ret != -EEXIST ? ret : 0; | 213 | return ret; |
211 | } | 214 | } |
212 | 215 | ||
213 | return commit_creds(new); | 216 | return commit_creds(new); |
214 | } | 217 | } |
215 | 218 | ||
216 | /* | 219 | /* |
217 | * Install a session keyring directly to a credentials struct. | 220 | * Install the given keyring as the session keyring of the given credentials |
221 | * struct, replacing the existing one if any. If the given keyring is NULL, | ||
222 | * then install a new anonymous session keyring. | ||
223 | * | ||
224 | * Return: 0 on success; -errno on failure. | ||
218 | */ | 225 | */ |
219 | int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) | 226 | int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) |
220 | { | 227 | { |
@@ -249,8 +256,11 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) | |||
249 | } | 256 | } |
250 | 257 | ||
251 | /* | 258 | /* |
252 | * Install a session keyring, discarding the old one. If a keyring is not | 259 | * Install the given keyring as the session keyring of the current task, |
253 | * supplied, an empty one is invented. | 260 | * replacing the existing one if any. If the given keyring is NULL, then |
261 | * install a new anonymous session keyring. | ||
262 | * | ||
263 | * Return: 0 on success; -errno on failure. | ||
254 | */ | 264 | */ |
255 | static int install_session_keyring(struct key *keyring) | 265 | static int install_session_keyring(struct key *keyring) |
256 | { | 266 | { |
diff --git a/security/security.c b/security/security.c index 46f405ce6b0f..ae05ab153c5a 100644 --- a/security/security.c +++ b/security/security.c | |||
@@ -498,6 +498,7 @@ int security_path_chown(struct path *path, kuid_t uid, kgid_t gid) | |||
498 | return 0; | 498 | return 0; |
499 | return call_int_hook(path_chown, 0, path, uid, gid); | 499 | return call_int_hook(path_chown, 0, path, uid, gid); |
500 | } | 500 | } |
501 | EXPORT_SYMBOL(security_path_chown); | ||
501 | 502 | ||
502 | int security_path_chroot(struct path *path) | 503 | int security_path_chroot(struct path *path) |
503 | { | 504 | { |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 94a0bfc748d1..2bc8b555bca9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -5673,7 +5673,7 @@ static int selinux_setprocattr(struct task_struct *p, | |||
5673 | return error; | 5673 | return error; |
5674 | 5674 | ||
5675 | /* Obtain a SID for the context, if one was specified. */ | 5675 | /* Obtain a SID for the context, if one was specified. */ |
5676 | if (size && str[1] && str[1] != '\n') { | 5676 | if (size && str[0] && str[0] != '\n') { |
5677 | if (str[size-1] == '\n') { | 5677 | if (str[size-1] == '\n') { |
5678 | str[size-1] = 0; | 5678 | str[size-1] = 0; |
5679 | size--; | 5679 | size--; |