aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/inode.c2
-rw-r--r--security/integrity/ima/ima_appraise.c5
-rw-r--r--security/keys/encrypted-keys/encrypted.c2
-rw-r--r--security/keys/gc.c2
-rw-r--r--security/keys/key.c5
-rw-r--r--security/keys/keyctl.c24
-rw-r--r--security/keys/process_keys.c44
-rw-r--r--security/security.c1
-rw-r--r--security/selinux/hooks.c2
9 files changed, 50 insertions, 37 deletions
diff --git a/security/inode.c b/security/inode.c
index 16622aef9bde..0f1a041bf6cb 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -100,7 +100,7 @@ struct dentry *securityfs_create_file(const char *name, umode_t mode,
100 dir = d_inode(parent); 100 dir = d_inode(parent);
101 101
102 mutex_lock(&dir->i_mutex); 102 mutex_lock(&dir->i_mutex);
103 dentry = lookup_one_len(name, parent, strlen(name)); 103 dentry = lookup_one_len2(name, mount, parent, strlen(name));
104 if (IS_ERR(dentry)) 104 if (IS_ERR(dentry))
105 goto out; 105 goto out;
106 106
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index ed5a9c110b3a..9ce9d5003dcc 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -203,10 +203,11 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
203 203
204 cause = "missing-hash"; 204 cause = "missing-hash";
205 status = INTEGRITY_NOLABEL; 205 status = INTEGRITY_NOLABEL;
206 if (opened & FILE_CREATED) { 206 if (opened & FILE_CREATED)
207 iint->flags |= IMA_NEW_FILE; 207 iint->flags |= IMA_NEW_FILE;
208 if ((iint->flags & IMA_NEW_FILE) &&
209 !(iint->flags & IMA_DIGSIG_REQUIRED))
208 status = INTEGRITY_PASS; 210 status = INTEGRITY_PASS;
209 }
210 goto out; 211 goto out;
211 } 212 }
212 213
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index 696ccfa08d10..31898856682e 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -428,7 +428,7 @@ static int init_blkcipher_desc(struct blkcipher_desc *desc, const u8 *key,
428static struct key *request_master_key(struct encrypted_key_payload *epayload, 428static struct key *request_master_key(struct encrypted_key_payload *epayload,
429 const u8 **master_key, size_t *master_keylen) 429 const u8 **master_key, size_t *master_keylen)
430{ 430{
431 struct key *mkey = NULL; 431 struct key *mkey = ERR_PTR(-EINVAL);
432 432
433 if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX, 433 if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX,
434 KEY_TRUSTED_PREFIX_LEN)) { 434 KEY_TRUSTED_PREFIX_LEN)) {
diff --git a/security/keys/gc.c b/security/keys/gc.c
index addf060399e0..9cb4fe4478a1 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -46,7 +46,7 @@ static unsigned long key_gc_flags;
46 * immediately unlinked. 46 * immediately unlinked.
47 */ 47 */
48struct key_type key_type_dead = { 48struct key_type key_type_dead = {
49 .name = "dead", 49 .name = ".dead",
50}; 50};
51 51
52/* 52/*
diff --git a/security/keys/key.c b/security/keys/key.c
index 534808915371..09c10b181881 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -934,12 +934,11 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen)
934 /* the key must be writable */ 934 /* the key must be writable */
935 ret = key_permission(key_ref, KEY_NEED_WRITE); 935 ret = key_permission(key_ref, KEY_NEED_WRITE);
936 if (ret < 0) 936 if (ret < 0)
937 goto error; 937 return ret;
938 938
939 /* attempt to update it if supported */ 939 /* attempt to update it if supported */
940 ret = -EOPNOTSUPP;
941 if (!key->type->update) 940 if (!key->type->update)
942 goto error; 941 return -EOPNOTSUPP;
943 942
944 memset(&prep, 0, sizeof(prep)); 943 memset(&prep, 0, sizeof(prep));
945 prep.data = payload; 944 prep.data = payload;
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 1c3872aeed14..671709d8610d 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -97,7 +97,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
97 /* pull the payload in if one was supplied */ 97 /* pull the payload in if one was supplied */
98 payload = NULL; 98 payload = NULL;
99 99
100 if (_payload) { 100 if (plen) {
101 ret = -ENOMEM; 101 ret = -ENOMEM;
102 payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN); 102 payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN);
103 if (!payload) { 103 if (!payload) {
@@ -271,7 +271,8 @@ error:
271 * Create and join an anonymous session keyring or join a named session 271 * Create and join an anonymous session keyring or join a named session
272 * keyring, creating it if necessary. A named session keyring must have Search 272 * keyring, creating it if necessary. A named session keyring must have Search
273 * permission for it to be joined. Session keyrings without this permit will 273 * permission for it to be joined. Session keyrings without this permit will
274 * be skipped over. 274 * be skipped over. It is not permitted for userspace to create or join
275 * keyrings whose name begin with a dot.
275 * 276 *
276 * If successful, the ID of the joined session keyring will be returned. 277 * If successful, the ID of the joined session keyring will be returned.
277 */ 278 */
@@ -288,12 +289,16 @@ long keyctl_join_session_keyring(const char __user *_name)
288 ret = PTR_ERR(name); 289 ret = PTR_ERR(name);
289 goto error; 290 goto error;
290 } 291 }
292
293 ret = -EPERM;
294 if (name[0] == '.')
295 goto error_name;
291 } 296 }
292 297
293 /* join the session */ 298 /* join the session */
294 ret = join_session_keyring(name); 299 ret = join_session_keyring(name);
300error_name:
295 kfree(name); 301 kfree(name);
296
297error: 302error:
298 return ret; 303 return ret;
299} 304}
@@ -322,7 +327,7 @@ long keyctl_update_key(key_serial_t id,
322 327
323 /* pull the payload in if one was supplied */ 328 /* pull the payload in if one was supplied */
324 payload = NULL; 329 payload = NULL;
325 if (_payload) { 330 if (plen) {
326 ret = -ENOMEM; 331 ret = -ENOMEM;
327 payload = kmalloc(plen, GFP_KERNEL); 332 payload = kmalloc(plen, GFP_KERNEL);
328 if (!payload) 333 if (!payload)
@@ -1223,8 +1228,8 @@ error:
1223 * Read or set the default keyring in which request_key() will cache keys and 1228 * Read or set the default keyring in which request_key() will cache keys and
1224 * return the old setting. 1229 * return the old setting.
1225 * 1230 *
1226 * If a process keyring is specified then this will be created if it doesn't 1231 * If a thread or process keyring is specified then it will be created if it
1227 * yet exist. The old setting will be returned if successful. 1232 * doesn't yet exist. The old setting will be returned if successful.
1228 */ 1233 */
1229long keyctl_set_reqkey_keyring(int reqkey_defl) 1234long keyctl_set_reqkey_keyring(int reqkey_defl)
1230{ 1235{
@@ -1249,11 +1254,8 @@ long keyctl_set_reqkey_keyring(int reqkey_defl)
1249 1254
1250 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1255 case KEY_REQKEY_DEFL_PROCESS_KEYRING:
1251 ret = install_process_keyring_to_cred(new); 1256 ret = install_process_keyring_to_cred(new);
1252 if (ret < 0) { 1257 if (ret < 0)
1253 if (ret != -EEXIST) 1258 goto error;
1254 goto error;
1255 ret = 0;
1256 }
1257 goto set; 1259 goto set;
1258 1260
1259 case KEY_REQKEY_DEFL_DEFAULT: 1261 case KEY_REQKEY_DEFL_DEFAULT:
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index e6d50172872f..4ed909142956 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -125,13 +125,18 @@ error:
125} 125}
126 126
127/* 127/*
128 * Install a fresh thread keyring directly to new credentials. This keyring is 128 * Install a thread keyring to the given credentials struct if it didn't have
129 * allowed to overrun the quota. 129 * one already. This is allowed to overrun the quota.
130 *
131 * Return: 0 if a thread keyring is now present; -errno on failure.
130 */ 132 */
131int install_thread_keyring_to_cred(struct cred *new) 133int install_thread_keyring_to_cred(struct cred *new)
132{ 134{
133 struct key *keyring; 135 struct key *keyring;
134 136
137 if (new->thread_keyring)
138 return 0;
139
135 keyring = keyring_alloc("_tid", new->uid, new->gid, new, 140 keyring = keyring_alloc("_tid", new->uid, new->gid, new,
136 KEY_POS_ALL | KEY_USR_VIEW, 141 KEY_POS_ALL | KEY_USR_VIEW,
137 KEY_ALLOC_QUOTA_OVERRUN, NULL); 142 KEY_ALLOC_QUOTA_OVERRUN, NULL);
@@ -143,7 +148,9 @@ int install_thread_keyring_to_cred(struct cred *new)
143} 148}
144 149
145/* 150/*
146 * Install a fresh thread keyring, discarding the old one. 151 * Install a thread keyring to the current task if it didn't have one already.
152 *
153 * Return: 0 if a thread keyring is now present; -errno on failure.
147 */ 154 */
148static int install_thread_keyring(void) 155static int install_thread_keyring(void)
149{ 156{
@@ -154,8 +161,6 @@ static int install_thread_keyring(void)
154 if (!new) 161 if (!new)
155 return -ENOMEM; 162 return -ENOMEM;
156 163
157 BUG_ON(new->thread_keyring);
158
159 ret = install_thread_keyring_to_cred(new); 164 ret = install_thread_keyring_to_cred(new);
160 if (ret < 0) { 165 if (ret < 0) {
161 abort_creds(new); 166 abort_creds(new);
@@ -166,17 +171,17 @@ static int install_thread_keyring(void)
166} 171}
167 172
168/* 173/*
169 * Install a process keyring directly to a credentials struct. 174 * Install a process keyring to the given credentials struct if it didn't have
175 * one already. This is allowed to overrun the quota.
170 * 176 *
171 * Returns -EEXIST if there was already a process keyring, 0 if one installed, 177 * Return: 0 if a process keyring is now present; -errno on failure.
172 * and other value on any other error
173 */ 178 */
174int install_process_keyring_to_cred(struct cred *new) 179int install_process_keyring_to_cred(struct cred *new)
175{ 180{
176 struct key *keyring; 181 struct key *keyring;
177 182
178 if (new->process_keyring) 183 if (new->process_keyring)
179 return -EEXIST; 184 return 0;
180 185
181 keyring = keyring_alloc("_pid", new->uid, new->gid, new, 186 keyring = keyring_alloc("_pid", new->uid, new->gid, new,
182 KEY_POS_ALL | KEY_USR_VIEW, 187 KEY_POS_ALL | KEY_USR_VIEW,
@@ -189,11 +194,9 @@ int install_process_keyring_to_cred(struct cred *new)
189} 194}
190 195
191/* 196/*
192 * Make sure a process keyring is installed for the current process. The 197 * Install a process keyring to the current task if it didn't have one already.
193 * existing process keyring is not replaced.
194 * 198 *
195 * Returns 0 if there is a process keyring by the end of this function, some 199 * Return: 0 if a process keyring is now present; -errno on failure.
196 * error otherwise.
197 */ 200 */
198static int install_process_keyring(void) 201static int install_process_keyring(void)
199{ 202{
@@ -207,14 +210,18 @@ static int install_process_keyring(void)
207 ret = install_process_keyring_to_cred(new); 210 ret = install_process_keyring_to_cred(new);
208 if (ret < 0) { 211 if (ret < 0) {
209 abort_creds(new); 212 abort_creds(new);
210 return ret != -EEXIST ? ret : 0; 213 return ret;
211 } 214 }
212 215
213 return commit_creds(new); 216 return commit_creds(new);
214} 217}
215 218
216/* 219/*
217 * Install a session keyring directly to a credentials struct. 220 * Install the given keyring as the session keyring of the given credentials
221 * struct, replacing the existing one if any. If the given keyring is NULL,
222 * then install a new anonymous session keyring.
223 *
224 * Return: 0 on success; -errno on failure.
218 */ 225 */
219int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) 226int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
220{ 227{
@@ -249,8 +256,11 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
249} 256}
250 257
251/* 258/*
252 * Install a session keyring, discarding the old one. If a keyring is not 259 * Install the given keyring as the session keyring of the current task,
253 * supplied, an empty one is invented. 260 * replacing the existing one if any. If the given keyring is NULL, then
261 * install a new anonymous session keyring.
262 *
263 * Return: 0 on success; -errno on failure.
254 */ 264 */
255static int install_session_keyring(struct key *keyring) 265static int install_session_keyring(struct key *keyring)
256{ 266{
diff --git a/security/security.c b/security/security.c
index 46f405ce6b0f..ae05ab153c5a 100644
--- a/security/security.c
+++ b/security/security.c
@@ -498,6 +498,7 @@ int security_path_chown(struct path *path, kuid_t uid, kgid_t gid)
498 return 0; 498 return 0;
499 return call_int_hook(path_chown, 0, path, uid, gid); 499 return call_int_hook(path_chown, 0, path, uid, gid);
500} 500}
501EXPORT_SYMBOL(security_path_chown);
501 502
502int security_path_chroot(struct path *path) 503int security_path_chroot(struct path *path)
503{ 504{
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 94a0bfc748d1..2bc8b555bca9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5673,7 +5673,7 @@ static int selinux_setprocattr(struct task_struct *p,
5673 return error; 5673 return error;
5674 5674
5675 /* Obtain a SID for the context, if one was specified. */ 5675 /* Obtain a SID for the context, if one was specified. */
5676 if (size && str[1] && str[1] != '\n') { 5676 if (size && str[0] && str[0] != '\n') {
5677 if (str[size-1] == '\n') { 5677 if (str[size-1] == '\n') {
5678 str[size-1] = 0; 5678 str[size-1] = 0;
5679 size--; 5679 size--;