aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Paris2014-03-07 10:41:32 -0600
committerEric Paris2014-03-07 10:41:32 -0600
commitb7d3622a39fde7658170b7f3cf6c6889bb8db30d (patch)
tree64f4e781ecb2a85d675e234072b988560bcd25f1 /security
parentf3411cb2b2e396a41ed3a439863f028db7140a34 (diff)
parentd8ec26d7f8287f5788a494f56e8814210f0e64be (diff)
downloadlinux-phy-b7d3622a39fde7658170b7f3cf6c6889bb8db30d.tar.gz
linux-phy-b7d3622a39fde7658170b7f3cf6c6889bb8db30d.tar.xz
linux-phy-b7d3622a39fde7658170b7f3cf6c6889bb8db30d.zip
Merge tag 'v3.13' into for-3.15
Linux 3.13 Conflicts: include/net/xfrm.h Simple merge where v3.13 removed 'extern' from definitions and the audit tree did s/u32/unsigned int/ to the same definitions.
Diffstat (limited to 'security')
-rw-r--r--security/Makefile1
-rw-r--r--security/apparmor/audit.c14
-rw-r--r--security/apparmor/capability.c15
-rw-r--r--security/apparmor/domain.c16
-rw-r--r--security/apparmor/include/audit.h1
-rw-r--r--security/apparmor/include/capability.h5
-rw-r--r--security/apparmor/include/ipc.h4
-rw-r--r--security/apparmor/ipc.c9
-rw-r--r--security/apparmor/lsm.c2
-rw-r--r--security/capability.c15
-rw-r--r--security/device_cgroup.c11
-rw-r--r--security/integrity/digsig.c7
-rw-r--r--security/integrity/digsig_asymmetric.c11
-rw-r--r--security/integrity/evm/evm_main.c4
-rw-r--r--security/integrity/evm/evm_posix_acl.c3
-rw-r--r--security/integrity/iint.c2
-rw-r--r--security/integrity/ima/Kconfig64
-rw-r--r--security/integrity/ima/Makefile2
-rw-r--r--security/integrity/ima/ima.h106
-rw-r--r--security/integrity/ima/ima_api.c154
-rw-r--r--security/integrity/ima/ima_appraise.c106
-rw-r--r--security/integrity/ima/ima_crypto.c141
-rw-r--r--security/integrity/ima/ima_fs.c75
-rw-r--r--security/integrity/ima/ima_init.c40
-rw-r--r--security/integrity/ima/ima_main.c63
-rw-r--r--security/integrity/ima/ima_policy.c1
-rw-r--r--security/integrity/ima/ima_queue.c10
-rw-r--r--security/integrity/ima/ima_template.c187
-rw-r--r--security/integrity/ima/ima_template_lib.c351
-rw-r--r--security/integrity/ima/ima_template_lib.h49
-rw-r--r--security/integrity/integrity.h40
-rw-r--r--security/keys/Kconfig29
-rw-r--r--security/keys/Makefile2
-rw-r--r--security/keys/big_key.c207
-rw-r--r--security/keys/compat.c3
-rw-r--r--security/keys/gc.c47
-rw-r--r--security/keys/internal.h74
-rw-r--r--security/keys/key.c110
-rw-r--r--security/keys/keyctl.c3
-rw-r--r--security/keys/keyring.c1535
-rw-r--r--security/keys/persistent.c167
-rw-r--r--security/keys/proc.c17
-rw-r--r--security/keys/process_keys.c141
-rw-r--r--security/keys/request_key.c60
-rw-r--r--security/keys/request_key_auth.c31
-rw-r--r--security/keys/sysctl.c11
-rw-r--r--security/keys/user_defined.c18
-rw-r--r--security/lsm_audit.c7
-rw-r--r--security/security.c13
-rw-r--r--security/selinux/hooks.c281
-rw-r--r--security/selinux/include/objsec.h9
-rw-r--r--security/selinux/include/security.h13
-rw-r--r--security/selinux/include/xfrm.h49
-rw-r--r--security/selinux/netlabel.c6
-rw-r--r--security/selinux/netnode.c2
-rw-r--r--security/selinux/selinuxfs.c4
-rw-r--r--security/selinux/ss/ebitmap.c20
-rw-r--r--security/selinux/ss/ebitmap.h10
-rw-r--r--security/selinux/ss/mls.c22
-rw-r--r--security/selinux/ss/mls_types.h2
-rw-r--r--security/selinux/ss/policydb.c3
-rw-r--r--security/selinux/ss/services.c24
-rw-r--r--security/selinux/xfrm.c481
-rw-r--r--security/smack/smack.h12
-rw-r--r--security/smack/smack_access.c10
-rw-r--r--security/smack/smack_lsm.c11
-rw-r--r--security/smack/smackfs.c10
67 files changed, 3320 insertions, 1633 deletions
diff --git a/security/Makefile b/security/Makefile
index c26c81e92571..a5918e01a4f7 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -16,7 +16,6 @@ obj-$(CONFIG_MMU) += min_addr.o
16# Object file lists 16# Object file lists
17obj-$(CONFIG_SECURITY) += security.o capability.o 17obj-$(CONFIG_SECURITY) += security.o capability.o
18obj-$(CONFIG_SECURITYFS) += inode.o 18obj-$(CONFIG_SECURITYFS) += inode.o
19# Must precede capability.o in order to stack properly.
20obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o 19obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
21obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o 20obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
22obj-$(CONFIG_AUDIT) += lsm_audit.o 21obj-$(CONFIG_AUDIT) += lsm_audit.o
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 031d2d9dd695..89c78658031f 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -111,7 +111,6 @@ static const char *const aa_audit_type[] = {
111static void audit_pre(struct audit_buffer *ab, void *ca) 111static void audit_pre(struct audit_buffer *ab, void *ca)
112{ 112{
113 struct common_audit_data *sa = ca; 113 struct common_audit_data *sa = ca;
114 struct task_struct *tsk = sa->aad->tsk ? sa->aad->tsk : current;
115 114
116 if (aa_g_audit_header) { 115 if (aa_g_audit_header) {
117 audit_log_format(ab, "apparmor="); 116 audit_log_format(ab, "apparmor=");
@@ -132,11 +131,6 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
132 131
133 if (sa->aad->profile) { 132 if (sa->aad->profile) {
134 struct aa_profile *profile = sa->aad->profile; 133 struct aa_profile *profile = sa->aad->profile;
135 pid_t pid;
136 rcu_read_lock();
137 pid = rcu_dereference(tsk->real_parent)->pid;
138 rcu_read_unlock();
139 audit_log_format(ab, " parent=%d", pid);
140 if (profile->ns != root_ns) { 134 if (profile->ns != root_ns) {
141 audit_log_format(ab, " namespace="); 135 audit_log_format(ab, " namespace=");
142 audit_log_untrustedstring(ab, profile->ns->base.hname); 136 audit_log_untrustedstring(ab, profile->ns->base.hname);
@@ -149,12 +143,6 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
149 audit_log_format(ab, " name="); 143 audit_log_format(ab, " name=");
150 audit_log_untrustedstring(ab, sa->aad->name); 144 audit_log_untrustedstring(ab, sa->aad->name);
151 } 145 }
152
153 if (sa->aad->tsk) {
154 audit_log_format(ab, " pid=%d comm=", tsk->pid);
155 audit_log_untrustedstring(ab, tsk->comm);
156 }
157
158} 146}
159 147
160/** 148/**
@@ -212,7 +200,7 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
212 200
213 if (sa->aad->type == AUDIT_APPARMOR_KILL) 201 if (sa->aad->type == AUDIT_APPARMOR_KILL)
214 (void)send_sig_info(SIGKILL, NULL, 202 (void)send_sig_info(SIGKILL, NULL,
215 sa->aad->tsk ? sa->aad->tsk : current); 203 sa->u.tsk ? sa->u.tsk : current);
216 204
217 if (sa->aad->type == AUDIT_APPARMOR_ALLOWED) 205 if (sa->aad->type == AUDIT_APPARMOR_ALLOWED)
218 return complain_error(sa->aad->error); 206 return complain_error(sa->aad->error);
diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index 84d1f5f53877..1101c6f64bb7 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -53,8 +53,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
53 53
54/** 54/**
55 * audit_caps - audit a capability 55 * audit_caps - audit a capability
56 * @profile: profile confining task (NOT NULL) 56 * @profile: profile being tested for confinement (NOT NULL)
57 * @task: task capability test was performed against (NOT NULL)
58 * @cap: capability tested 57 * @cap: capability tested
59 * @error: error code returned by test 58 * @error: error code returned by test
60 * 59 *
@@ -63,8 +62,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
63 * 62 *
64 * Returns: 0 or sa->error on success, error code on failure 63 * Returns: 0 or sa->error on success, error code on failure
65 */ 64 */
66static int audit_caps(struct aa_profile *profile, struct task_struct *task, 65static int audit_caps(struct aa_profile *profile, int cap, int error)
67 int cap, int error)
68{ 66{
69 struct audit_cache *ent; 67 struct audit_cache *ent;
70 int type = AUDIT_APPARMOR_AUTO; 68 int type = AUDIT_APPARMOR_AUTO;
@@ -73,7 +71,6 @@ static int audit_caps(struct aa_profile *profile, struct task_struct *task,
73 sa.type = LSM_AUDIT_DATA_CAP; 71 sa.type = LSM_AUDIT_DATA_CAP;
74 sa.aad = &aad; 72 sa.aad = &aad;
75 sa.u.cap = cap; 73 sa.u.cap = cap;
76 sa.aad->tsk = task;
77 sa.aad->op = OP_CAPABLE; 74 sa.aad->op = OP_CAPABLE;
78 sa.aad->error = error; 75 sa.aad->error = error;
79 76
@@ -124,8 +121,7 @@ static int profile_capable(struct aa_profile *profile, int cap)
124 121
125/** 122/**
126 * aa_capable - test permission to use capability 123 * aa_capable - test permission to use capability
127 * @task: task doing capability test against (NOT NULL) 124 * @profile: profile being tested against (NOT NULL)
128 * @profile: profile confining @task (NOT NULL)
129 * @cap: capability to be tested 125 * @cap: capability to be tested
130 * @audit: whether an audit record should be generated 126 * @audit: whether an audit record should be generated
131 * 127 *
@@ -133,8 +129,7 @@ static int profile_capable(struct aa_profile *profile, int cap)
133 * 129 *
134 * Returns: 0 on success, or else an error code. 130 * Returns: 0 on success, or else an error code.
135 */ 131 */
136int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap, 132int aa_capable(struct aa_profile *profile, int cap, int audit)
137 int audit)
138{ 133{
139 int error = profile_capable(profile, cap); 134 int error = profile_capable(profile, cap);
140 135
@@ -144,5 +139,5 @@ int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
144 return error; 139 return error;
145 } 140 }
146 141
147 return audit_caps(profile, task, cap, error); 142 return audit_caps(profile, cap, error);
148} 143}
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 26c607c971f5..452567d3a08e 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -50,23 +50,21 @@ void aa_free_domain_entries(struct aa_domain *domain)
50 50
51/** 51/**
52 * may_change_ptraced_domain - check if can change profile on ptraced task 52 * may_change_ptraced_domain - check if can change profile on ptraced task
53 * @task: task we want to change profile of (NOT NULL)
54 * @to_profile: profile to change to (NOT NULL) 53 * @to_profile: profile to change to (NOT NULL)
55 * 54 *
56 * Check if the task is ptraced and if so if the tracing task is allowed 55 * Check if current is ptraced and if so if the tracing task is allowed
57 * to trace the new domain 56 * to trace the new domain
58 * 57 *
59 * Returns: %0 or error if change not allowed 58 * Returns: %0 or error if change not allowed
60 */ 59 */
61static int may_change_ptraced_domain(struct task_struct *task, 60static int may_change_ptraced_domain(struct aa_profile *to_profile)
62 struct aa_profile *to_profile)
63{ 61{
64 struct task_struct *tracer; 62 struct task_struct *tracer;
65 struct aa_profile *tracerp = NULL; 63 struct aa_profile *tracerp = NULL;
66 int error = 0; 64 int error = 0;
67 65
68 rcu_read_lock(); 66 rcu_read_lock();
69 tracer = ptrace_parent(task); 67 tracer = ptrace_parent(current);
70 if (tracer) 68 if (tracer)
71 /* released below */ 69 /* released below */
72 tracerp = aa_get_task_profile(tracer); 70 tracerp = aa_get_task_profile(tracer);
@@ -75,7 +73,7 @@ static int may_change_ptraced_domain(struct task_struct *task,
75 if (!tracer || unconfined(tracerp)) 73 if (!tracer || unconfined(tracerp))
76 goto out; 74 goto out;
77 75
78 error = aa_may_ptrace(tracer, tracerp, to_profile, PTRACE_MODE_ATTACH); 76 error = aa_may_ptrace(tracerp, to_profile, PTRACE_MODE_ATTACH);
79 77
80out: 78out:
81 rcu_read_unlock(); 79 rcu_read_unlock();
@@ -477,7 +475,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
477 } 475 }
478 476
479 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 477 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
480 error = may_change_ptraced_domain(current, new_profile); 478 error = may_change_ptraced_domain(new_profile);
481 if (error) { 479 if (error) {
482 aa_put_profile(new_profile); 480 aa_put_profile(new_profile);
483 goto audit; 481 goto audit;
@@ -690,7 +688,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
690 } 688 }
691 } 689 }
692 690
693 error = may_change_ptraced_domain(current, hat); 691 error = may_change_ptraced_domain(hat);
694 if (error) { 692 if (error) {
695 info = "ptraced"; 693 info = "ptraced";
696 error = -EPERM; 694 error = -EPERM;
@@ -829,7 +827,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
829 } 827 }
830 828
831 /* check if tracing task is allowed to trace target domain */ 829 /* check if tracing task is allowed to trace target domain */
832 error = may_change_ptraced_domain(current, target); 830 error = may_change_ptraced_domain(target);
833 if (error) { 831 if (error) {
834 info = "ptrace prevents transition"; 832 info = "ptrace prevents transition";
835 goto audit; 833 goto audit;
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 30e8d7687259..ba3dfd17f23f 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -109,7 +109,6 @@ struct apparmor_audit_data {
109 void *profile; 109 void *profile;
110 const char *name; 110 const char *name;
111 const char *info; 111 const char *info;
112 struct task_struct *tsk;
113 union { 112 union {
114 void *target; 113 void *target;
115 struct { 114 struct {
diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h
index 2e7c9d6a2f3b..fc3fa381d850 100644
--- a/security/apparmor/include/capability.h
+++ b/security/apparmor/include/capability.h
@@ -4,7 +4,7 @@
4 * This file contains AppArmor capability mediation definitions. 4 * This file contains AppArmor capability mediation definitions.
5 * 5 *
6 * Copyright (C) 1998-2008 Novell/SUSE 6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd. 7 * Copyright 2009-2013 Canonical Ltd.
8 * 8 *
9 * This program is free software; you can redistribute it and/or 9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as 10 * modify it under the terms of the GNU General Public License as
@@ -38,8 +38,7 @@ struct aa_caps {
38 38
39extern struct aa_fs_entry aa_fs_entry_caps[]; 39extern struct aa_fs_entry aa_fs_entry_caps[];
40 40
41int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap, 41int aa_capable(struct aa_profile *profile, int cap, int audit);
42 int audit);
43 42
44static inline void aa_free_cap_rules(struct aa_caps *caps) 43static inline void aa_free_cap_rules(struct aa_caps *caps)
45{ 44{
diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h
index aeda0fbc8b2f..288ca76e2fb1 100644
--- a/security/apparmor/include/ipc.h
+++ b/security/apparmor/include/ipc.h
@@ -19,8 +19,8 @@
19 19
20struct aa_profile; 20struct aa_profile;
21 21
22int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer, 22int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee,
23 struct aa_profile *tracee, unsigned int mode); 23 unsigned int mode);
24 24
25int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee, 25int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
26 unsigned int mode); 26 unsigned int mode);
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
index c51d2266587e..777ac1c47253 100644
--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -54,15 +54,14 @@ static int aa_audit_ptrace(struct aa_profile *profile,
54 54
55/** 55/**
56 * aa_may_ptrace - test if tracer task can trace the tracee 56 * aa_may_ptrace - test if tracer task can trace the tracee
57 * @tracer_task: task who will do the tracing (NOT NULL)
58 * @tracer: profile of the task doing the tracing (NOT NULL) 57 * @tracer: profile of the task doing the tracing (NOT NULL)
59 * @tracee: task to be traced 58 * @tracee: task to be traced
60 * @mode: whether PTRACE_MODE_READ || PTRACE_MODE_ATTACH 59 * @mode: whether PTRACE_MODE_READ || PTRACE_MODE_ATTACH
61 * 60 *
62 * Returns: %0 else error code if permission denied or error 61 * Returns: %0 else error code if permission denied or error
63 */ 62 */
64int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer, 63int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee,
65 struct aa_profile *tracee, unsigned int mode) 64 unsigned int mode)
66{ 65{
67 /* TODO: currently only based on capability, not extended ptrace 66 /* TODO: currently only based on capability, not extended ptrace
68 * rules, 67 * rules,
@@ -72,7 +71,7 @@ int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer,
72 if (unconfined(tracer) || tracer == tracee) 71 if (unconfined(tracer) || tracer == tracee)
73 return 0; 72 return 0;
74 /* log this capability request */ 73 /* log this capability request */
75 return aa_capable(tracer_task, tracer, CAP_SYS_PTRACE, 1); 74 return aa_capable(tracer, CAP_SYS_PTRACE, 1);
76} 75}
77 76
78/** 77/**
@@ -101,7 +100,7 @@ int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
101 if (!unconfined(tracer_p)) { 100 if (!unconfined(tracer_p)) {
102 struct aa_profile *tracee_p = aa_get_task_profile(tracee); 101 struct aa_profile *tracee_p = aa_get_task_profile(tracee);
103 102
104 error = aa_may_ptrace(tracer, tracer_p, tracee_p, mode); 103 error = aa_may_ptrace(tracer_p, tracee_p, mode);
105 error = aa_audit_ptrace(tracer_p, tracee_p, error); 104 error = aa_audit_ptrace(tracer_p, tracee_p, error);
106 105
107 aa_put_profile(tracee_p); 106 aa_put_profile(tracee_p);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index fb99e18123b4..4257b7e2796b 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -145,7 +145,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
145 if (!error) { 145 if (!error) {
146 profile = aa_cred_profile(cred); 146 profile = aa_cred_profile(cred);
147 if (!unconfined(profile)) 147 if (!unconfined(profile))
148 error = aa_capable(current, profile, cap, audit); 148 error = aa_capable(profile, cap, audit);
149 } 149 }
150 return error; 150 return error;
151} 151}
diff --git a/security/capability.c b/security/capability.c
index dbeb9bc27b24..8b4f24ae4338 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -777,9 +777,15 @@ static int cap_xfrm_policy_delete_security(struct xfrm_sec_ctx *ctx)
777 return 0; 777 return 0;
778} 778}
779 779
780static int cap_xfrm_state_alloc_security(struct xfrm_state *x, 780static int cap_xfrm_state_alloc(struct xfrm_state *x,
781 struct xfrm_user_sec_ctx *sec_ctx, 781 struct xfrm_user_sec_ctx *sec_ctx)
782 u32 secid) 782{
783 return 0;
784}
785
786static int cap_xfrm_state_alloc_acquire(struct xfrm_state *x,
787 struct xfrm_sec_ctx *polsec,
788 u32 secid)
783{ 789{
784 return 0; 790 return 0;
785} 791}
@@ -1101,7 +1107,8 @@ void __init security_fixup_ops(struct security_operations *ops)
1101 set_to_cap_if_null(ops, xfrm_policy_clone_security); 1107 set_to_cap_if_null(ops, xfrm_policy_clone_security);
1102 set_to_cap_if_null(ops, xfrm_policy_free_security); 1108 set_to_cap_if_null(ops, xfrm_policy_free_security);
1103 set_to_cap_if_null(ops, xfrm_policy_delete_security); 1109 set_to_cap_if_null(ops, xfrm_policy_delete_security);
1104 set_to_cap_if_null(ops, xfrm_state_alloc_security); 1110 set_to_cap_if_null(ops, xfrm_state_alloc);
1111 set_to_cap_if_null(ops, xfrm_state_alloc_acquire);
1105 set_to_cap_if_null(ops, xfrm_state_free_security); 1112 set_to_cap_if_null(ops, xfrm_state_free_security);
1106 set_to_cap_if_null(ops, xfrm_state_delete_security); 1113 set_to_cap_if_null(ops, xfrm_state_delete_security);
1107 set_to_cap_if_null(ops, xfrm_policy_lookup); 1114 set_to_cap_if_null(ops, xfrm_policy_lookup);
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index c123628d3f84..7c2a0a71049e 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -63,16 +63,6 @@ static inline struct dev_cgroup *task_devcgroup(struct task_struct *task)
63 63
64struct cgroup_subsys devices_subsys; 64struct cgroup_subsys devices_subsys;
65 65
66static int devcgroup_can_attach(struct cgroup_subsys_state *new_css,
67 struct cgroup_taskset *set)
68{
69 struct task_struct *task = cgroup_taskset_first(set);
70
71 if (current != task && !capable(CAP_SYS_ADMIN))
72 return -EPERM;
73 return 0;
74}
75
76/* 66/*
77 * called under devcgroup_mutex 67 * called under devcgroup_mutex
78 */ 68 */
@@ -697,7 +687,6 @@ static struct cftype dev_cgroup_files[] = {
697 687
698struct cgroup_subsys devices_subsys = { 688struct cgroup_subsys devices_subsys = {
699 .name = "devices", 689 .name = "devices",
700 .can_attach = devcgroup_can_attach,
701 .css_alloc = devcgroup_css_alloc, 690 .css_alloc = devcgroup_css_alloc,
702 .css_free = devcgroup_css_free, 691 .css_free = devcgroup_css_free,
703 .css_online = devcgroup_online, 692 .css_online = devcgroup_online,
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 0b759e17a131..b4af4ebc5be2 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -28,7 +28,7 @@ static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
28}; 28};
29 29
30int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, 30int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
31 const char *digest, int digestlen) 31 const char *digest, int digestlen)
32{ 32{
33 if (id >= INTEGRITY_KEYRING_MAX) 33 if (id >= INTEGRITY_KEYRING_MAX)
34 return -EINVAL; 34 return -EINVAL;
@@ -44,9 +44,10 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
44 } 44 }
45 } 45 }
46 46
47 switch (sig[0]) { 47 switch (sig[1]) {
48 case 1: 48 case 1:
49 return digsig_verify(keyring[id], sig, siglen, 49 /* v1 API expect signature without xattr type */
50 return digsig_verify(keyring[id], sig + 1, siglen - 1,
50 digest, digestlen); 51 digest, digestlen);
51 case 2: 52 case 2:
52 return asymmetric_verify(keyring[id], sig, siglen, 53 return asymmetric_verify(keyring[id], sig, siglen,
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index b4754667659d..9eae4809006b 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -20,17 +20,6 @@
20#include "integrity.h" 20#include "integrity.h"
21 21
22/* 22/*
23 * signature format v2 - for using with asymmetric keys
24 */
25struct signature_v2_hdr {
26 uint8_t version; /* signature format version */
27 uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */
28 uint32_t keyid; /* IMA key identifier - not X509/PGP specific*/
29 uint16_t sig_size; /* signature size */
30 uint8_t sig[0]; /* signature payload */
31} __packed;
32
33/*
34 * Request an asymmetric key. 23 * Request an asymmetric key.
35 */ 24 */
36static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid) 25static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid)
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index af9b6852f4e1..336b3ddfe63f 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -123,7 +123,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
123 goto out; 123 goto out;
124 } 124 }
125 125
126 xattr_len = rc - 1; 126 xattr_len = rc;
127 127
128 /* check value type */ 128 /* check value type */
129 switch (xattr_data->type) { 129 switch (xattr_data->type) {
@@ -143,7 +143,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
143 if (rc) 143 if (rc)
144 break; 144 break;
145 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 145 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
146 xattr_data->digest, xattr_len, 146 (const char *)xattr_data, xattr_len,
147 calc.digest, sizeof(calc.digest)); 147 calc.digest, sizeof(calc.digest));
148 if (!rc) { 148 if (!rc) {
149 /* we probably want to replace rsa with hmac here */ 149 /* we probably want to replace rsa with hmac here */
diff --git a/security/integrity/evm/evm_posix_acl.c b/security/integrity/evm/evm_posix_acl.c
index b1753e98bf9a..46408b9e62e8 100644
--- a/security/integrity/evm/evm_posix_acl.c
+++ b/security/integrity/evm/evm_posix_acl.c
@@ -11,8 +11,9 @@
11 11
12#include <linux/module.h> 12#include <linux/module.h>
13#include <linux/xattr.h> 13#include <linux/xattr.h>
14#include <linux/evm.h>
14 15
15int posix_xattr_acl(char *xattr) 16int posix_xattr_acl(const char *xattr)
16{ 17{
17 int xattr_len = strlen(xattr); 18 int xattr_len = strlen(xattr);
18 19
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 74522dbd10a6..c49d3f14cbec 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -70,6 +70,8 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode)
70 70
71static void iint_free(struct integrity_iint_cache *iint) 71static void iint_free(struct integrity_iint_cache *iint)
72{ 72{
73 kfree(iint->ima_hash);
74 iint->ima_hash = NULL;
73 iint->version = 0; 75 iint->version = 0;
74 iint->flags = 0UL; 76 iint->flags = 0UL;
75 iint->ima_file_status = INTEGRITY_UNKNOWN; 77 iint->ima_file_status = INTEGRITY_UNKNOWN;
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 39196abaff0d..81a27971d884 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -9,6 +9,7 @@ config IMA
9 select CRYPTO_HMAC 9 select CRYPTO_HMAC
10 select CRYPTO_MD5 10 select CRYPTO_MD5
11 select CRYPTO_SHA1 11 select CRYPTO_SHA1
12 select CRYPTO_HASH_INFO
12 select TCG_TPM if HAS_IOMEM && !UML 13 select TCG_TPM if HAS_IOMEM && !UML
13 select TCG_TIS if TCG_TPM && X86 14 select TCG_TIS if TCG_TPM && X86
14 select TCG_IBMVTPM if TCG_TPM && PPC64 15 select TCG_IBMVTPM if TCG_TPM && PPC64
@@ -45,6 +46,69 @@ config IMA_LSM_RULES
45 help 46 help
46 Disabling this option will disregard LSM based policy rules. 47 Disabling this option will disregard LSM based policy rules.
47 48
49choice
50 prompt "Default template"
51 default IMA_NG_TEMPLATE
52 depends on IMA
53 help
54 Select the default IMA measurement template.
55
56 The original 'ima' measurement list template contains a
57 hash, defined as 20 bytes, and a null terminated pathname,
58 limited to 255 characters. The 'ima-ng' measurement list
59 template permits both larger hash digests and longer
60 pathnames.
61
62 config IMA_TEMPLATE
63 bool "ima"
64 config IMA_NG_TEMPLATE
65 bool "ima-ng (default)"
66 config IMA_SIG_TEMPLATE
67 bool "ima-sig"
68endchoice
69
70config IMA_DEFAULT_TEMPLATE
71 string
72 depends on IMA
73 default "ima" if IMA_TEMPLATE
74 default "ima-ng" if IMA_NG_TEMPLATE
75 default "ima-sig" if IMA_SIG_TEMPLATE
76
77choice
78 prompt "Default integrity hash algorithm"
79 default IMA_DEFAULT_HASH_SHA1
80 depends on IMA
81 help
82 Select the default hash algorithm used for the measurement
83 list, integrity appraisal and audit log. The compiled default
84 hash algorithm can be overwritten using the kernel command
85 line 'ima_hash=' option.
86
87 config IMA_DEFAULT_HASH_SHA1
88 bool "SHA1 (default)"
89 depends on CRYPTO_SHA1
90
91 config IMA_DEFAULT_HASH_SHA256
92 bool "SHA256"
93 depends on CRYPTO_SHA256 && !IMA_TEMPLATE
94
95 config IMA_DEFAULT_HASH_SHA512
96 bool "SHA512"
97 depends on CRYPTO_SHA512 && !IMA_TEMPLATE
98
99 config IMA_DEFAULT_HASH_WP512
100 bool "WP512"
101 depends on CRYPTO_WP512 && !IMA_TEMPLATE
102endchoice
103
104config IMA_DEFAULT_HASH
105 string
106 depends on IMA
107 default "sha1" if IMA_DEFAULT_HASH_SHA1
108 default "sha256" if IMA_DEFAULT_HASH_SHA256
109 default "sha512" if IMA_DEFAULT_HASH_SHA512
110 default "wp512" if IMA_DEFAULT_HASH_WP512
111
48config IMA_APPRAISE 112config IMA_APPRAISE
49 bool "Appraise integrity measurements" 113 bool "Appraise integrity measurements"
50 depends on IMA 114 depends on IMA
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index 56dfee7cbf61..d79263d2fdbf 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -6,5 +6,5 @@
6obj-$(CONFIG_IMA) += ima.o 6obj-$(CONFIG_IMA) += ima.o
7 7
8ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \ 8ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
9 ima_policy.o 9 ima_policy.o ima_template.o ima_template_lib.o
10ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o 10ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index b3dd616560f7..0356e1d437ca 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -26,7 +26,8 @@
26 26
27#include "../integrity.h" 27#include "../integrity.h"
28 28
29enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_ASCII }; 29enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
30 IMA_SHOW_ASCII };
30enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; 31enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
31 32
32/* digest size for IMA, fits SHA1 or MD5 */ 33/* digest size for IMA, fits SHA1 or MD5 */
@@ -36,23 +37,48 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
36#define IMA_HASH_BITS 9 37#define IMA_HASH_BITS 9
37#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS) 38#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)
38 39
40#define IMA_TEMPLATE_FIELD_ID_MAX_LEN 16
41#define IMA_TEMPLATE_NUM_FIELDS_MAX 15
42
43#define IMA_TEMPLATE_IMA_NAME "ima"
44#define IMA_TEMPLATE_IMA_FMT "d|n"
45
39/* set during initialization */ 46/* set during initialization */
40extern int ima_initialized; 47extern int ima_initialized;
41extern int ima_used_chip; 48extern int ima_used_chip;
42extern char *ima_hash; 49extern int ima_hash_algo;
43extern int ima_appraise; 50extern int ima_appraise;
44 51
45/* IMA inode template definition */ 52/* IMA template field data definition */
46struct ima_template_data { 53struct ima_field_data {
47 u8 digest[IMA_DIGEST_SIZE]; /* sha1/md5 measurement hash */ 54 u8 *data;
48 char file_name[IMA_EVENT_NAME_LEN_MAX + 1]; /* name + \0 */ 55 u32 len;
56};
57
58/* IMA template field definition */
59struct ima_template_field {
60 const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
61 int (*field_init) (struct integrity_iint_cache *iint, struct file *file,
62 const unsigned char *filename,
63 struct evm_ima_xattr_data *xattr_value,
64 int xattr_len, struct ima_field_data *field_data);
65 void (*field_show) (struct seq_file *m, enum ima_show_type show,
66 struct ima_field_data *field_data);
67};
68
69/* IMA template descriptor definition */
70struct ima_template_desc {
71 char *name;
72 char *fmt;
73 int num_fields;
74 struct ima_template_field **fields;
49}; 75};
50 76
51struct ima_template_entry { 77struct ima_template_entry {
52 u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */ 78 u8 digest[TPM_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
53 const char *template_name; 79 struct ima_template_desc *template_desc; /* template descriptor */
54 int template_len; 80 u32 template_data_len;
55 struct ima_template_data template; 81 struct ima_field_data template_data[0]; /* template related data */
56}; 82};
57 83
58struct ima_queue_entry { 84struct ima_queue_entry {
@@ -69,13 +95,22 @@ int ima_fs_init(void);
69void ima_fs_cleanup(void); 95void ima_fs_cleanup(void);
70int ima_inode_alloc(struct inode *inode); 96int ima_inode_alloc(struct inode *inode);
71int ima_add_template_entry(struct ima_template_entry *entry, int violation, 97int ima_add_template_entry(struct ima_template_entry *entry, int violation,
72 const char *op, struct inode *inode); 98 const char *op, struct inode *inode,
73int ima_calc_file_hash(struct file *file, char *digest); 99 const unsigned char *filename);
74int ima_calc_buffer_hash(const void *data, int len, char *digest); 100int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
75int ima_calc_boot_aggregate(char *digest); 101int ima_calc_field_array_hash(struct ima_field_data *field_data,
76void ima_add_violation(struct inode *inode, const unsigned char *filename, 102 struct ima_template_desc *desc, int num_fields,
103 struct ima_digest_data *hash);
104int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
105void ima_add_violation(struct file *file, const unsigned char *filename,
77 const char *op, const char *cause); 106 const char *op, const char *cause);
78int ima_init_crypto(void); 107int ima_init_crypto(void);
108void ima_putc(struct seq_file *m, void *data, int datalen);
109void ima_print_digest(struct seq_file *m, u8 *digest, int size);
110struct ima_template_desc *ima_template_desc_current(void);
111int ima_init_template(void);
112
113int ima_init_template(void);
79 114
80/* 115/*
81 * used to protect h_table and sha_table 116 * used to protect h_table and sha_table
@@ -98,14 +133,22 @@ static inline unsigned long ima_hash_key(u8 *digest)
98int ima_get_action(struct inode *inode, int mask, int function); 133int ima_get_action(struct inode *inode, int mask, int function);
99int ima_must_measure(struct inode *inode, int mask, int function); 134int ima_must_measure(struct inode *inode, int mask, int function);
100int ima_collect_measurement(struct integrity_iint_cache *iint, 135int ima_collect_measurement(struct integrity_iint_cache *iint,
101 struct file *file); 136 struct file *file,
137 struct evm_ima_xattr_data **xattr_value,
138 int *xattr_len);
102void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, 139void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
103 const unsigned char *filename); 140 const unsigned char *filename,
141 struct evm_ima_xattr_data *xattr_value,
142 int xattr_len);
104void ima_audit_measurement(struct integrity_iint_cache *iint, 143void ima_audit_measurement(struct integrity_iint_cache *iint,
105 const unsigned char *filename); 144 const unsigned char *filename);
145int ima_alloc_init_template(struct integrity_iint_cache *iint,
146 struct file *file, const unsigned char *filename,
147 struct evm_ima_xattr_data *xattr_value,
148 int xattr_len, struct ima_template_entry **entry);
106int ima_store_template(struct ima_template_entry *entry, int violation, 149int ima_store_template(struct ima_template_entry *entry, int violation,
107 struct inode *inode); 150 struct inode *inode, const unsigned char *filename);
108void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show); 151void ima_free_template_entry(struct ima_template_entry *entry);
109const char *ima_d_path(struct path *path, char **pathbuf); 152const char *ima_d_path(struct path *path, char **pathbuf);
110 153
111/* rbtree tree calls to lookup, insert, delete 154/* rbtree tree calls to lookup, insert, delete
@@ -131,17 +174,25 @@ void ima_delete_rules(void);
131 174
132#ifdef CONFIG_IMA_APPRAISE 175#ifdef CONFIG_IMA_APPRAISE
133int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, 176int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
134 struct file *file, const unsigned char *filename); 177 struct file *file, const unsigned char *filename,
178 struct evm_ima_xattr_data *xattr_value,
179 int xattr_len);
135int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func); 180int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
136void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); 181void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
137enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, 182enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
138 int func); 183 int func);
184void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
185 struct ima_digest_data *hash);
186int ima_read_xattr(struct dentry *dentry,
187 struct evm_ima_xattr_data **xattr_value);
139 188
140#else 189#else
141static inline int ima_appraise_measurement(int func, 190static inline int ima_appraise_measurement(int func,
142 struct integrity_iint_cache *iint, 191 struct integrity_iint_cache *iint,
143 struct file *file, 192 struct file *file,
144 const unsigned char *filename) 193 const unsigned char *filename,
194 struct evm_ima_xattr_data *xattr_value,
195 int xattr_len)
145{ 196{
146 return INTEGRITY_UNKNOWN; 197 return INTEGRITY_UNKNOWN;
147} 198}
@@ -162,6 +213,19 @@ static inline enum integrity_status ima_get_cache_status(struct integrity_iint_c
162{ 213{
163 return INTEGRITY_UNKNOWN; 214 return INTEGRITY_UNKNOWN;
164} 215}
216
217static inline void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
218 int xattr_len,
219 struct ima_digest_data *hash)
220{
221}
222
223static inline int ima_read_xattr(struct dentry *dentry,
224 struct evm_ima_xattr_data **xattr_value)
225{
226 return 0;
227}
228
165#endif 229#endif
166 230
167/* LSM based policy rules require audit */ 231/* LSM based policy rules require audit */
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 1c03e8f1e0e1..c38bbce8c6a6 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -18,9 +18,59 @@
18#include <linux/fs.h> 18#include <linux/fs.h>
19#include <linux/xattr.h> 19#include <linux/xattr.h>
20#include <linux/evm.h> 20#include <linux/evm.h>
21#include <crypto/hash_info.h>
21#include "ima.h" 22#include "ima.h"
22 23
23static const char *IMA_TEMPLATE_NAME = "ima"; 24/*
25 * ima_free_template_entry - free an existing template entry
26 */
27void ima_free_template_entry(struct ima_template_entry *entry)
28{
29 int i;
30
31 for (i = 0; i < entry->template_desc->num_fields; i++)
32 kfree(entry->template_data[i].data);
33
34 kfree(entry);
35}
36
37/*
38 * ima_alloc_init_template - create and initialize a new template entry
39 */
40int ima_alloc_init_template(struct integrity_iint_cache *iint,
41 struct file *file, const unsigned char *filename,
42 struct evm_ima_xattr_data *xattr_value,
43 int xattr_len, struct ima_template_entry **entry)
44{
45 struct ima_template_desc *template_desc = ima_template_desc_current();
46 int i, result = 0;
47
48 *entry = kzalloc(sizeof(**entry) + template_desc->num_fields *
49 sizeof(struct ima_field_data), GFP_NOFS);
50 if (!*entry)
51 return -ENOMEM;
52
53 (*entry)->template_desc = template_desc;
54 for (i = 0; i < template_desc->num_fields; i++) {
55 struct ima_template_field *field = template_desc->fields[i];
56 u32 len;
57
58 result = field->field_init(iint, file, filename,
59 xattr_value, xattr_len,
60 &((*entry)->template_data[i]));
61 if (result != 0)
62 goto out;
63
64 len = (*entry)->template_data[i].len;
65 (*entry)->template_data_len += sizeof(len);
66 (*entry)->template_data_len += len;
67 }
68 return 0;
69out:
70 ima_free_template_entry(*entry);
71 *entry = NULL;
72 return result;
73}
24 74
25/* 75/*
26 * ima_store_template - store ima template measurements 76 * ima_store_template - store ima template measurements
@@ -39,28 +89,35 @@ static const char *IMA_TEMPLATE_NAME = "ima";
39 * Returns 0 on success, error code otherwise 89 * Returns 0 on success, error code otherwise
40 */ 90 */
41int ima_store_template(struct ima_template_entry *entry, 91int ima_store_template(struct ima_template_entry *entry,
42 int violation, struct inode *inode) 92 int violation, struct inode *inode,
93 const unsigned char *filename)
43{ 94{
44 const char *op = "add_template_measure"; 95 const char *op = "add_template_measure";
45 const char *audit_cause = "hashing_error"; 96 const char *audit_cause = "hashing_error";
97 char *template_name = entry->template_desc->name;
46 int result; 98 int result;
47 99 struct {
48 memset(entry->digest, 0, sizeof(entry->digest)); 100 struct ima_digest_data hdr;
49 entry->template_name = IMA_TEMPLATE_NAME; 101 char digest[TPM_DIGEST_SIZE];
50 entry->template_len = sizeof(entry->template); 102 } hash;
51 103
52 if (!violation) { 104 if (!violation) {
53 result = ima_calc_buffer_hash(&entry->template, 105 int num_fields = entry->template_desc->num_fields;
54 entry->template_len, 106
55 entry->digest); 107 /* this function uses default algo */
108 hash.hdr.algo = HASH_ALGO_SHA1;
109 result = ima_calc_field_array_hash(&entry->template_data[0],
110 entry->template_desc,
111 num_fields, &hash.hdr);
56 if (result < 0) { 112 if (result < 0) {
57 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, 113 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
58 entry->template_name, op, 114 template_name, op,
59 audit_cause, result, 0); 115 audit_cause, result, 0);
60 return result; 116 return result;
61 } 117 }
118 memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
62 } 119 }
63 result = ima_add_template_entry(entry, violation, op, inode); 120 result = ima_add_template_entry(entry, violation, op, inode, filename);
64 return result; 121 return result;
65} 122}
66 123
@@ -71,26 +128,26 @@ int ima_store_template(struct ima_template_entry *entry,
71 * By extending the PCR with 0xFF's instead of with zeroes, the PCR 128 * By extending the PCR with 0xFF's instead of with zeroes, the PCR
72 * value is invalidated. 129 * value is invalidated.
73 */ 130 */
74void ima_add_violation(struct inode *inode, const unsigned char *filename, 131void ima_add_violation(struct file *file, const unsigned char *filename,
75 const char *op, const char *cause) 132 const char *op, const char *cause)
76{ 133{
77 struct ima_template_entry *entry; 134 struct ima_template_entry *entry;
135 struct inode *inode = file->f_dentry->d_inode;
78 int violation = 1; 136 int violation = 1;
79 int result; 137 int result;
80 138
81 /* can overflow, only indicator */ 139 /* can overflow, only indicator */
82 atomic_long_inc(&ima_htable.violations); 140 atomic_long_inc(&ima_htable.violations);
83 141
84 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 142 result = ima_alloc_init_template(NULL, file, filename,
85 if (!entry) { 143 NULL, 0, &entry);
144 if (result < 0) {
86 result = -ENOMEM; 145 result = -ENOMEM;
87 goto err_out; 146 goto err_out;
88 } 147 }
89 memset(&entry->template, 0, sizeof(entry->template)); 148 result = ima_store_template(entry, violation, inode, filename);
90 strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
91 result = ima_store_template(entry, violation, inode);
92 if (result < 0) 149 if (result < 0)
93 kfree(entry); 150 ima_free_template_entry(entry);
94err_out: 151err_out:
95 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 152 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
96 op, cause, result, 0); 153 op, cause, result, 0);
@@ -138,20 +195,42 @@ int ima_must_measure(struct inode *inode, int mask, int function)
138 * Return 0 on success, error code otherwise 195 * Return 0 on success, error code otherwise
139 */ 196 */
140int ima_collect_measurement(struct integrity_iint_cache *iint, 197int ima_collect_measurement(struct integrity_iint_cache *iint,
141 struct file *file) 198 struct file *file,
199 struct evm_ima_xattr_data **xattr_value,
200 int *xattr_len)
142{ 201{
143 struct inode *inode = file_inode(file); 202 struct inode *inode = file_inode(file);
144 const char *filename = file->f_dentry->d_name.name; 203 const char *filename = file->f_dentry->d_name.name;
145 int result = 0; 204 int result = 0;
205 struct {
206 struct ima_digest_data hdr;
207 char digest[IMA_MAX_DIGEST_SIZE];
208 } hash;
209
210 if (xattr_value)
211 *xattr_len = ima_read_xattr(file->f_dentry, xattr_value);
146 212
147 if (!(iint->flags & IMA_COLLECTED)) { 213 if (!(iint->flags & IMA_COLLECTED)) {
148 u64 i_version = file_inode(file)->i_version; 214 u64 i_version = file_inode(file)->i_version;
149 215
150 iint->ima_xattr.type = IMA_XATTR_DIGEST; 216 /* use default hash algorithm */
151 result = ima_calc_file_hash(file, iint->ima_xattr.digest); 217 hash.hdr.algo = ima_hash_algo;
218
219 if (xattr_value)
220 ima_get_hash_algo(*xattr_value, *xattr_len, &hash.hdr);
221
222 result = ima_calc_file_hash(file, &hash.hdr);
152 if (!result) { 223 if (!result) {
153 iint->version = i_version; 224 int length = sizeof(hash.hdr) + hash.hdr.length;
154 iint->flags |= IMA_COLLECTED; 225 void *tmpbuf = krealloc(iint->ima_hash, length,
226 GFP_NOFS);
227 if (tmpbuf) {
228 iint->ima_hash = tmpbuf;
229 memcpy(iint->ima_hash, &hash, length);
230 iint->version = i_version;
231 iint->flags |= IMA_COLLECTED;
232 } else
233 result = -ENOMEM;
155 } 234 }
156 } 235 }
157 if (result) 236 if (result)
@@ -177,7 +256,9 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
177 * Must be called with iint->mutex held. 256 * Must be called with iint->mutex held.
178 */ 257 */
179void ima_store_measurement(struct integrity_iint_cache *iint, 258void ima_store_measurement(struct integrity_iint_cache *iint,
180 struct file *file, const unsigned char *filename) 259 struct file *file, const unsigned char *filename,
260 struct evm_ima_xattr_data *xattr_value,
261 int xattr_len)
181{ 262{
182 const char *op = "add_template_measure"; 263 const char *op = "add_template_measure";
183 const char *audit_cause = "ENOMEM"; 264 const char *audit_cause = "ENOMEM";
@@ -189,37 +270,35 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
189 if (iint->flags & IMA_MEASURED) 270 if (iint->flags & IMA_MEASURED)
190 return; 271 return;
191 272
192 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 273 result = ima_alloc_init_template(iint, file, filename,
193 if (!entry) { 274 xattr_value, xattr_len, &entry);
275 if (result < 0) {
194 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 276 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
195 op, audit_cause, result, 0); 277 op, audit_cause, result, 0);
196 return; 278 return;
197 } 279 }
198 memset(&entry->template, 0, sizeof(entry->template));
199 memcpy(entry->template.digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE);
200 strcpy(entry->template.file_name,
201 (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
202 file->f_dentry->d_name.name : filename);
203 280
204 result = ima_store_template(entry, violation, inode); 281 result = ima_store_template(entry, violation, inode, filename);
205 if (!result || result == -EEXIST) 282 if (!result || result == -EEXIST)
206 iint->flags |= IMA_MEASURED; 283 iint->flags |= IMA_MEASURED;
207 if (result < 0) 284 if (result < 0)
208 kfree(entry); 285 ima_free_template_entry(entry);
209} 286}
210 287
211void ima_audit_measurement(struct integrity_iint_cache *iint, 288void ima_audit_measurement(struct integrity_iint_cache *iint,
212 const unsigned char *filename) 289 const unsigned char *filename)
213{ 290{
214 struct audit_buffer *ab; 291 struct audit_buffer *ab;
215 char hash[(IMA_DIGEST_SIZE * 2) + 1]; 292 char hash[(iint->ima_hash->length * 2) + 1];
293 const char *algo_name = hash_algo_name[iint->ima_hash->algo];
294 char algo_hash[sizeof(hash) + strlen(algo_name) + 2];
216 int i; 295 int i;
217 296
218 if (iint->flags & IMA_AUDITED) 297 if (iint->flags & IMA_AUDITED)
219 return; 298 return;
220 299
221 for (i = 0; i < IMA_DIGEST_SIZE; i++) 300 for (i = 0; i < iint->ima_hash->length; i++)
222 hex_byte_pack(hash + (i * 2), iint->ima_xattr.digest[i]); 301 hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]);
223 hash[i * 2] = '\0'; 302 hash[i * 2] = '\0';
224 303
225 ab = audit_log_start(current->audit_context, GFP_KERNEL, 304 ab = audit_log_start(current->audit_context, GFP_KERNEL,
@@ -230,7 +309,8 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
230 audit_log_format(ab, "file="); 309 audit_log_format(ab, "file=");
231 audit_log_untrustedstring(ab, filename); 310 audit_log_untrustedstring(ab, filename);
232 audit_log_format(ab, " hash="); 311 audit_log_format(ab, " hash=");
233 audit_log_untrustedstring(ab, hash); 312 snprintf(algo_hash, sizeof(algo_hash), "%s:%s", algo_name, hash);
313 audit_log_untrustedstring(ab, algo_hash);
234 314
235 audit_log_task_info(ab, current); 315 audit_log_task_info(ab, current);
236 audit_log_end(ab); 316 audit_log_end(ab);
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 2d4becab8918..734e9468aca0 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -15,6 +15,7 @@
15#include <linux/magic.h> 15#include <linux/magic.h>
16#include <linux/ima.h> 16#include <linux/ima.h>
17#include <linux/evm.h> 17#include <linux/evm.h>
18#include <crypto/hash_info.h>
18 19
19#include "ima.h" 20#include "ima.h"
20 21
@@ -43,19 +44,31 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
43} 44}
44 45
45static int ima_fix_xattr(struct dentry *dentry, 46static int ima_fix_xattr(struct dentry *dentry,
46 struct integrity_iint_cache *iint) 47 struct integrity_iint_cache *iint)
47{ 48{
48 iint->ima_xattr.type = IMA_XATTR_DIGEST; 49 int rc, offset;
49 return __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, 50 u8 algo = iint->ima_hash->algo;
50 (u8 *)&iint->ima_xattr, 51
51 sizeof(iint->ima_xattr), 0); 52 if (algo <= HASH_ALGO_SHA1) {
53 offset = 1;
54 iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
55 } else {
56 offset = 0;
57 iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
58 iint->ima_hash->xattr.ng.algo = algo;
59 }
60 rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
61 &iint->ima_hash->xattr.data[offset],
62 (sizeof(iint->ima_hash->xattr) - offset) +
63 iint->ima_hash->length, 0);
64 return rc;
52} 65}
53 66
54/* Return specific func appraised cached result */ 67/* Return specific func appraised cached result */
55enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, 68enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
56 int func) 69 int func)
57{ 70{
58 switch(func) { 71 switch (func) {
59 case MMAP_CHECK: 72 case MMAP_CHECK:
60 return iint->ima_mmap_status; 73 return iint->ima_mmap_status;
61 case BPRM_CHECK: 74 case BPRM_CHECK:
@@ -71,7 +84,7 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
71static void ima_set_cache_status(struct integrity_iint_cache *iint, 84static void ima_set_cache_status(struct integrity_iint_cache *iint,
72 int func, enum integrity_status status) 85 int func, enum integrity_status status)
73{ 86{
74 switch(func) { 87 switch (func) {
75 case MMAP_CHECK: 88 case MMAP_CHECK:
76 iint->ima_mmap_status = status; 89 iint->ima_mmap_status = status;
77 break; 90 break;
@@ -90,7 +103,7 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
90 103
91static void ima_cache_flags(struct integrity_iint_cache *iint, int func) 104static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
92{ 105{
93 switch(func) { 106 switch (func) {
94 case MMAP_CHECK: 107 case MMAP_CHECK:
95 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED); 108 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
96 break; 109 break;
@@ -107,6 +120,50 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
107 } 120 }
108} 121}
109 122
123void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
124 struct ima_digest_data *hash)
125{
126 struct signature_v2_hdr *sig;
127
128 if (!xattr_value || xattr_len < 2)
129 return;
130
131 switch (xattr_value->type) {
132 case EVM_IMA_XATTR_DIGSIG:
133 sig = (typeof(sig))xattr_value;
134 if (sig->version != 2 || xattr_len <= sizeof(*sig))
135 return;
136 hash->algo = sig->hash_algo;
137 break;
138 case IMA_XATTR_DIGEST_NG:
139 hash->algo = xattr_value->digest[0];
140 break;
141 case IMA_XATTR_DIGEST:
142 /* this is for backward compatibility */
143 if (xattr_len == 21) {
144 unsigned int zero = 0;
145 if (!memcmp(&xattr_value->digest[16], &zero, 4))
146 hash->algo = HASH_ALGO_MD5;
147 else
148 hash->algo = HASH_ALGO_SHA1;
149 } else if (xattr_len == 17)
150 hash->algo = HASH_ALGO_MD5;
151 break;
152 }
153}
154
155int ima_read_xattr(struct dentry *dentry,
156 struct evm_ima_xattr_data **xattr_value)
157{
158 struct inode *inode = dentry->d_inode;
159
160 if (!inode->i_op->getxattr)
161 return 0;
162
163 return vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)xattr_value,
164 0, GFP_NOFS);
165}
166
110/* 167/*
111 * ima_appraise_measurement - appraise file measurement 168 * ima_appraise_measurement - appraise file measurement
112 * 169 *
@@ -116,23 +173,22 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
116 * Return 0 on success, error code otherwise 173 * Return 0 on success, error code otherwise
117 */ 174 */
118int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, 175int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
119 struct file *file, const unsigned char *filename) 176 struct file *file, const unsigned char *filename,
177 struct evm_ima_xattr_data *xattr_value,
178 int xattr_len)
120{ 179{
121 struct dentry *dentry = file->f_dentry; 180 struct dentry *dentry = file->f_dentry;
122 struct inode *inode = dentry->d_inode; 181 struct inode *inode = dentry->d_inode;
123 struct evm_ima_xattr_data *xattr_value = NULL;
124 enum integrity_status status = INTEGRITY_UNKNOWN; 182 enum integrity_status status = INTEGRITY_UNKNOWN;
125 const char *op = "appraise_data"; 183 const char *op = "appraise_data";
126 char *cause = "unknown"; 184 char *cause = "unknown";
127 int rc; 185 int rc = xattr_len, hash_start = 0;
128 186
129 if (!ima_appraise) 187 if (!ima_appraise)
130 return 0; 188 return 0;
131 if (!inode->i_op->getxattr) 189 if (!inode->i_op->getxattr)
132 return INTEGRITY_UNKNOWN; 190 return INTEGRITY_UNKNOWN;
133 191
134 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)&xattr_value,
135 0, GFP_NOFS);
136 if (rc <= 0) { 192 if (rc <= 0) {
137 if (rc && rc != -ENODATA) 193 if (rc && rc != -ENODATA)
138 goto out; 194 goto out;
@@ -153,14 +209,25 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
153 goto out; 209 goto out;
154 } 210 }
155 switch (xattr_value->type) { 211 switch (xattr_value->type) {
212 case IMA_XATTR_DIGEST_NG:
213 /* first byte contains algorithm id */
214 hash_start = 1;
156 case IMA_XATTR_DIGEST: 215 case IMA_XATTR_DIGEST:
157 if (iint->flags & IMA_DIGSIG_REQUIRED) { 216 if (iint->flags & IMA_DIGSIG_REQUIRED) {
158 cause = "IMA signature required"; 217 cause = "IMA signature required";
159 status = INTEGRITY_FAIL; 218 status = INTEGRITY_FAIL;
160 break; 219 break;
161 } 220 }
162 rc = memcmp(xattr_value->digest, iint->ima_xattr.digest, 221 if (xattr_len - sizeof(xattr_value->type) - hash_start >=
163 IMA_DIGEST_SIZE); 222 iint->ima_hash->length)
223 /* xattr length may be longer. md5 hash in previous
224 version occupied 20 bytes in xattr, instead of 16
225 */
226 rc = memcmp(&xattr_value->digest[hash_start],
227 iint->ima_hash->digest,
228 iint->ima_hash->length);
229 else
230 rc = -EINVAL;
164 if (rc) { 231 if (rc) {
165 cause = "invalid-hash"; 232 cause = "invalid-hash";
166 status = INTEGRITY_FAIL; 233 status = INTEGRITY_FAIL;
@@ -171,9 +238,9 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
171 case EVM_IMA_XATTR_DIGSIG: 238 case EVM_IMA_XATTR_DIGSIG:
172 iint->flags |= IMA_DIGSIG; 239 iint->flags |= IMA_DIGSIG;
173 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, 240 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
174 xattr_value->digest, rc - 1, 241 (const char *)xattr_value, rc,
175 iint->ima_xattr.digest, 242 iint->ima_hash->digest,
176 IMA_DIGEST_SIZE); 243 iint->ima_hash->length);
177 if (rc == -EOPNOTSUPP) { 244 if (rc == -EOPNOTSUPP) {
178 status = INTEGRITY_UNKNOWN; 245 status = INTEGRITY_UNKNOWN;
179 } else if (rc) { 246 } else if (rc) {
@@ -203,7 +270,6 @@ out:
203 ima_cache_flags(iint, func); 270 ima_cache_flags(iint, func);
204 } 271 }
205 ima_set_cache_status(iint, func, status); 272 ima_set_cache_status(iint, func, status);
206 kfree(xattr_value);
207 return status; 273 return status;
208} 274}
209 275
@@ -219,7 +285,7 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
219 if (iint->flags & IMA_DIGSIG) 285 if (iint->flags & IMA_DIGSIG)
220 return; 286 return;
221 287
222 rc = ima_collect_measurement(iint, file); 288 rc = ima_collect_measurement(iint, file, NULL, NULL);
223 if (rc < 0) 289 if (rc < 0)
224 return; 290 return;
225 291
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index a02e0791cf15..fdf60def52e9 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -20,6 +20,7 @@
20#include <linux/err.h> 20#include <linux/err.h>
21#include <linux/slab.h> 21#include <linux/slab.h>
22#include <crypto/hash.h> 22#include <crypto/hash.h>
23#include <crypto/hash_info.h>
23#include "ima.h" 24#include "ima.h"
24 25
25static struct crypto_shash *ima_shash_tfm; 26static struct crypto_shash *ima_shash_tfm;
@@ -28,31 +29,58 @@ int ima_init_crypto(void)
28{ 29{
29 long rc; 30 long rc;
30 31
31 ima_shash_tfm = crypto_alloc_shash(ima_hash, 0, 0); 32 ima_shash_tfm = crypto_alloc_shash(hash_algo_name[ima_hash_algo], 0, 0);
32 if (IS_ERR(ima_shash_tfm)) { 33 if (IS_ERR(ima_shash_tfm)) {
33 rc = PTR_ERR(ima_shash_tfm); 34 rc = PTR_ERR(ima_shash_tfm);
34 pr_err("Can not allocate %s (reason: %ld)\n", ima_hash, rc); 35 pr_err("Can not allocate %s (reason: %ld)\n",
36 hash_algo_name[ima_hash_algo], rc);
35 return rc; 37 return rc;
36 } 38 }
37 return 0; 39 return 0;
38} 40}
39 41
42static struct crypto_shash *ima_alloc_tfm(enum hash_algo algo)
43{
44 struct crypto_shash *tfm = ima_shash_tfm;
45 int rc;
46
47 if (algo != ima_hash_algo && algo < HASH_ALGO__LAST) {
48 tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
49 if (IS_ERR(tfm)) {
50 rc = PTR_ERR(tfm);
51 pr_err("Can not allocate %s (reason: %d)\n",
52 hash_algo_name[algo], rc);
53 }
54 }
55 return tfm;
56}
57
58static void ima_free_tfm(struct crypto_shash *tfm)
59{
60 if (tfm != ima_shash_tfm)
61 crypto_free_shash(tfm);
62}
63
40/* 64/*
41 * Calculate the MD5/SHA1 file digest 65 * Calculate the MD5/SHA1 file digest
42 */ 66 */
43int ima_calc_file_hash(struct file *file, char *digest) 67static int ima_calc_file_hash_tfm(struct file *file,
68 struct ima_digest_data *hash,
69 struct crypto_shash *tfm)
44{ 70{
45 loff_t i_size, offset = 0; 71 loff_t i_size, offset = 0;
46 char *rbuf; 72 char *rbuf;
47 int rc, read = 0; 73 int rc, read = 0;
48 struct { 74 struct {
49 struct shash_desc shash; 75 struct shash_desc shash;
50 char ctx[crypto_shash_descsize(ima_shash_tfm)]; 76 char ctx[crypto_shash_descsize(tfm)];
51 } desc; 77 } desc;
52 78
53 desc.shash.tfm = ima_shash_tfm; 79 desc.shash.tfm = tfm;
54 desc.shash.flags = 0; 80 desc.shash.flags = 0;
55 81
82 hash->length = crypto_shash_digestsize(tfm);
83
56 rc = crypto_shash_init(&desc.shash); 84 rc = crypto_shash_init(&desc.shash);
57 if (rc != 0) 85 if (rc != 0)
58 return rc; 86 return rc;
@@ -85,27 +113,90 @@ int ima_calc_file_hash(struct file *file, char *digest)
85 } 113 }
86 kfree(rbuf); 114 kfree(rbuf);
87 if (!rc) 115 if (!rc)
88 rc = crypto_shash_final(&desc.shash, digest); 116 rc = crypto_shash_final(&desc.shash, hash->digest);
89 if (read) 117 if (read)
90 file->f_mode &= ~FMODE_READ; 118 file->f_mode &= ~FMODE_READ;
91out: 119out:
92 return rc; 120 return rc;
93} 121}
94 122
123int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
124{
125 struct crypto_shash *tfm;
126 int rc;
127
128 tfm = ima_alloc_tfm(hash->algo);
129 if (IS_ERR(tfm))
130 return PTR_ERR(tfm);
131
132 rc = ima_calc_file_hash_tfm(file, hash, tfm);
133
134 ima_free_tfm(tfm);
135
136 return rc;
137}
138
95/* 139/*
96 * Calculate the hash of a given buffer 140 * Calculate the hash of template data
97 */ 141 */
98int ima_calc_buffer_hash(const void *data, int len, char *digest) 142static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
143 struct ima_template_desc *td,
144 int num_fields,
145 struct ima_digest_data *hash,
146 struct crypto_shash *tfm)
99{ 147{
100 struct { 148 struct {
101 struct shash_desc shash; 149 struct shash_desc shash;
102 char ctx[crypto_shash_descsize(ima_shash_tfm)]; 150 char ctx[crypto_shash_descsize(tfm)];
103 } desc; 151 } desc;
152 int rc, i;
104 153
105 desc.shash.tfm = ima_shash_tfm; 154 desc.shash.tfm = tfm;
106 desc.shash.flags = 0; 155 desc.shash.flags = 0;
107 156
108 return crypto_shash_digest(&desc.shash, data, len, digest); 157 hash->length = crypto_shash_digestsize(tfm);
158
159 rc = crypto_shash_init(&desc.shash);
160 if (rc != 0)
161 return rc;
162
163 for (i = 0; i < num_fields; i++) {
164 if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) {
165 rc = crypto_shash_update(&desc.shash,
166 (const u8 *) &field_data[i].len,
167 sizeof(field_data[i].len));
168 if (rc)
169 break;
170 }
171 rc = crypto_shash_update(&desc.shash, field_data[i].data,
172 field_data[i].len);
173 if (rc)
174 break;
175 }
176
177 if (!rc)
178 rc = crypto_shash_final(&desc.shash, hash->digest);
179
180 return rc;
181}
182
183int ima_calc_field_array_hash(struct ima_field_data *field_data,
184 struct ima_template_desc *desc, int num_fields,
185 struct ima_digest_data *hash)
186{
187 struct crypto_shash *tfm;
188 int rc;
189
190 tfm = ima_alloc_tfm(hash->algo);
191 if (IS_ERR(tfm))
192 return PTR_ERR(tfm);
193
194 rc = ima_calc_field_array_hash_tfm(field_data, desc, num_fields,
195 hash, tfm);
196
197 ima_free_tfm(tfm);
198
199 return rc;
109} 200}
110 201
111static void __init ima_pcrread(int idx, u8 *pcr) 202static void __init ima_pcrread(int idx, u8 *pcr)
@@ -120,16 +211,17 @@ static void __init ima_pcrread(int idx, u8 *pcr)
120/* 211/*
121 * Calculate the boot aggregate hash 212 * Calculate the boot aggregate hash
122 */ 213 */
123int __init ima_calc_boot_aggregate(char *digest) 214static int __init ima_calc_boot_aggregate_tfm(char *digest,
215 struct crypto_shash *tfm)
124{ 216{
125 u8 pcr_i[IMA_DIGEST_SIZE]; 217 u8 pcr_i[TPM_DIGEST_SIZE];
126 int rc, i; 218 int rc, i;
127 struct { 219 struct {
128 struct shash_desc shash; 220 struct shash_desc shash;
129 char ctx[crypto_shash_descsize(ima_shash_tfm)]; 221 char ctx[crypto_shash_descsize(tfm)];
130 } desc; 222 } desc;
131 223
132 desc.shash.tfm = ima_shash_tfm; 224 desc.shash.tfm = tfm;
133 desc.shash.flags = 0; 225 desc.shash.flags = 0;
134 226
135 rc = crypto_shash_init(&desc.shash); 227 rc = crypto_shash_init(&desc.shash);
@@ -140,9 +232,26 @@ int __init ima_calc_boot_aggregate(char *digest)
140 for (i = TPM_PCR0; i < TPM_PCR8; i++) { 232 for (i = TPM_PCR0; i < TPM_PCR8; i++) {
141 ima_pcrread(i, pcr_i); 233 ima_pcrread(i, pcr_i);
142 /* now accumulate with current aggregate */ 234 /* now accumulate with current aggregate */
143 rc = crypto_shash_update(&desc.shash, pcr_i, IMA_DIGEST_SIZE); 235 rc = crypto_shash_update(&desc.shash, pcr_i, TPM_DIGEST_SIZE);
144 } 236 }
145 if (!rc) 237 if (!rc)
146 crypto_shash_final(&desc.shash, digest); 238 crypto_shash_final(&desc.shash, digest);
147 return rc; 239 return rc;
148} 240}
241
242int __init ima_calc_boot_aggregate(struct ima_digest_data *hash)
243{
244 struct crypto_shash *tfm;
245 int rc;
246
247 tfm = ima_alloc_tfm(hash->algo);
248 if (IS_ERR(tfm))
249 return PTR_ERR(tfm);
250
251 hash->length = crypto_shash_digestsize(tfm);
252 rc = ima_calc_boot_aggregate_tfm(hash->digest, tfm);
253
254 ima_free_tfm(tfm);
255
256 return rc;
257}
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 38477c9c3415..db01125926bd 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -88,8 +88,7 @@ static void *ima_measurements_next(struct seq_file *m, void *v, loff_t *pos)
88 * against concurrent list-extension 88 * against concurrent list-extension
89 */ 89 */
90 rcu_read_lock(); 90 rcu_read_lock();
91 qe = list_entry_rcu(qe->later.next, 91 qe = list_entry_rcu(qe->later.next, struct ima_queue_entry, later);
92 struct ima_queue_entry, later);
93 rcu_read_unlock(); 92 rcu_read_unlock();
94 (*pos)++; 93 (*pos)++;
95 94
@@ -100,7 +99,7 @@ static void ima_measurements_stop(struct seq_file *m, void *v)
100{ 99{
101} 100}
102 101
103static void ima_putc(struct seq_file *m, void *data, int datalen) 102void ima_putc(struct seq_file *m, void *data, int datalen)
104{ 103{
105 while (datalen--) 104 while (datalen--)
106 seq_putc(m, *(char *)data++); 105 seq_putc(m, *(char *)data++);
@@ -111,6 +110,7 @@ static void ima_putc(struct seq_file *m, void *data, int datalen)
111 * char[20]=template digest 110 * char[20]=template digest
112 * 32bit-le=template name size 111 * 32bit-le=template name size
113 * char[n]=template name 112 * char[n]=template name
113 * [eventdata length]
114 * eventdata[n]=template specific data 114 * eventdata[n]=template specific data
115 */ 115 */
116static int ima_measurements_show(struct seq_file *m, void *v) 116static int ima_measurements_show(struct seq_file *m, void *v)
@@ -120,6 +120,8 @@ static int ima_measurements_show(struct seq_file *m, void *v)
120 struct ima_template_entry *e; 120 struct ima_template_entry *e;
121 int namelen; 121 int namelen;
122 u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX; 122 u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX;
123 bool is_ima_template = false;
124 int i;
123 125
124 /* get entry */ 126 /* get entry */
125 e = qe->entry; 127 e = qe->entry;
@@ -134,18 +136,32 @@ static int ima_measurements_show(struct seq_file *m, void *v)
134 ima_putc(m, &pcr, sizeof pcr); 136 ima_putc(m, &pcr, sizeof pcr);
135 137
136 /* 2nd: template digest */ 138 /* 2nd: template digest */
137 ima_putc(m, e->digest, IMA_DIGEST_SIZE); 139 ima_putc(m, e->digest, TPM_DIGEST_SIZE);
138 140
139 /* 3rd: template name size */ 141 /* 3rd: template name size */
140 namelen = strlen(e->template_name); 142 namelen = strlen(e->template_desc->name);
141 ima_putc(m, &namelen, sizeof namelen); 143 ima_putc(m, &namelen, sizeof namelen);
142 144
143 /* 4th: template name */ 145 /* 4th: template name */
144 ima_putc(m, (void *)e->template_name, namelen); 146 ima_putc(m, e->template_desc->name, namelen);
147
148 /* 5th: template length (except for 'ima' template) */
149 if (strcmp(e->template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0)
150 is_ima_template = true;
151
152 if (!is_ima_template)
153 ima_putc(m, &e->template_data_len,
154 sizeof(e->template_data_len));
155
156 /* 6th: template specific data */
157 for (i = 0; i < e->template_desc->num_fields; i++) {
158 enum ima_show_type show = IMA_SHOW_BINARY;
159 struct ima_template_field *field = e->template_desc->fields[i];
145 160
146 /* 5th: template specific data */ 161 if (is_ima_template && strcmp(field->field_id, "d") == 0)
147 ima_template_show(m, (struct ima_template_data *)&e->template, 162 show = IMA_SHOW_BINARY_NO_FIELD_LEN;
148 IMA_SHOW_BINARY); 163 field->field_show(m, show, &e->template_data[i]);
164 }
149 return 0; 165 return 0;
150} 166}
151 167
@@ -168,41 +184,21 @@ static const struct file_operations ima_measurements_ops = {
168 .release = seq_release, 184 .release = seq_release,
169}; 185};
170 186
171static void ima_print_digest(struct seq_file *m, u8 *digest) 187void ima_print_digest(struct seq_file *m, u8 *digest, int size)
172{ 188{
173 int i; 189 int i;
174 190
175 for (i = 0; i < IMA_DIGEST_SIZE; i++) 191 for (i = 0; i < size; i++)
176 seq_printf(m, "%02x", *(digest + i)); 192 seq_printf(m, "%02x", *(digest + i));
177} 193}
178 194
179void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show)
180{
181 struct ima_template_data *entry = e;
182 int namelen;
183
184 switch (show) {
185 case IMA_SHOW_ASCII:
186 ima_print_digest(m, entry->digest);
187 seq_printf(m, " %s\n", entry->file_name);
188 break;
189 case IMA_SHOW_BINARY:
190 ima_putc(m, entry->digest, IMA_DIGEST_SIZE);
191
192 namelen = strlen(entry->file_name);
193 ima_putc(m, &namelen, sizeof namelen);
194 ima_putc(m, entry->file_name, namelen);
195 default:
196 break;
197 }
198}
199
200/* print in ascii */ 195/* print in ascii */
201static int ima_ascii_measurements_show(struct seq_file *m, void *v) 196static int ima_ascii_measurements_show(struct seq_file *m, void *v)
202{ 197{
203 /* the list never shrinks, so we don't need a lock here */ 198 /* the list never shrinks, so we don't need a lock here */
204 struct ima_queue_entry *qe = v; 199 struct ima_queue_entry *qe = v;
205 struct ima_template_entry *e; 200 struct ima_template_entry *e;
201 int i;
206 202
207 /* get entry */ 203 /* get entry */
208 e = qe->entry; 204 e = qe->entry;
@@ -213,14 +209,21 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
213 seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX); 209 seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX);
214 210
215 /* 2nd: SHA1 template hash */ 211 /* 2nd: SHA1 template hash */
216 ima_print_digest(m, e->digest); 212 ima_print_digest(m, e->digest, TPM_DIGEST_SIZE);
217 213
218 /* 3th: template name */ 214 /* 3th: template name */
219 seq_printf(m, " %s ", e->template_name); 215 seq_printf(m, " %s", e->template_desc->name);
220 216
221 /* 4th: template specific data */ 217 /* 4th: template specific data */
222 ima_template_show(m, (struct ima_template_data *)&e->template, 218 for (i = 0; i < e->template_desc->num_fields; i++) {
223 IMA_SHOW_ASCII); 219 seq_puts(m, " ");
220 if (e->template_data[i].len == 0)
221 continue;
222
223 e->template_desc->fields[i]->field_show(m, IMA_SHOW_ASCII,
224 &e->template_data[i]);
225 }
226 seq_puts(m, "\n");
224 return 0; 227 return 0;
225} 228}
226 229
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 162ea723db3d..37122768554a 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -18,6 +18,7 @@
18#include <linux/scatterlist.h> 18#include <linux/scatterlist.h>
19#include <linux/slab.h> 19#include <linux/slab.h>
20#include <linux/err.h> 20#include <linux/err.h>
21#include <crypto/hash_info.h>
21#include "ima.h" 22#include "ima.h"
22 23
23/* name for boot aggregate entry */ 24/* name for boot aggregate entry */
@@ -42,30 +43,39 @@ int ima_used_chip;
42static void __init ima_add_boot_aggregate(void) 43static void __init ima_add_boot_aggregate(void)
43{ 44{
44 struct ima_template_entry *entry; 45 struct ima_template_entry *entry;
46 struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
45 const char *op = "add_boot_aggregate"; 47 const char *op = "add_boot_aggregate";
46 const char *audit_cause = "ENOMEM"; 48 const char *audit_cause = "ENOMEM";
47 int result = -ENOMEM; 49 int result = -ENOMEM;
48 int violation = 1; 50 int violation = 0;
51 struct {
52 struct ima_digest_data hdr;
53 char digest[TPM_DIGEST_SIZE];
54 } hash;
49 55
50 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 56 memset(iint, 0, sizeof(*iint));
51 if (!entry) 57 memset(&hash, 0, sizeof(hash));
52 goto err_out; 58 iint->ima_hash = &hash.hdr;
59 iint->ima_hash->algo = HASH_ALGO_SHA1;
60 iint->ima_hash->length = SHA1_DIGEST_SIZE;
53 61
54 memset(&entry->template, 0, sizeof(entry->template));
55 strncpy(entry->template.file_name, boot_aggregate_name,
56 IMA_EVENT_NAME_LEN_MAX);
57 if (ima_used_chip) { 62 if (ima_used_chip) {
58 violation = 0; 63 result = ima_calc_boot_aggregate(&hash.hdr);
59 result = ima_calc_boot_aggregate(entry->template.digest);
60 if (result < 0) { 64 if (result < 0) {
61 audit_cause = "hashing_error"; 65 audit_cause = "hashing_error";
62 kfree(entry);
63 goto err_out; 66 goto err_out;
64 } 67 }
65 } 68 }
66 result = ima_store_template(entry, violation, NULL); 69
70 result = ima_alloc_init_template(iint, NULL, boot_aggregate_name,
71 NULL, 0, &entry);
72 if (result < 0)
73 return;
74
75 result = ima_store_template(entry, violation, NULL,
76 boot_aggregate_name);
67 if (result < 0) 77 if (result < 0)
68 kfree(entry); 78 ima_free_template_entry(entry);
69 return; 79 return;
70err_out: 80err_out:
71 integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, boot_aggregate_name, op, 81 integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, boot_aggregate_name, op,
@@ -74,7 +84,7 @@ err_out:
74 84
75int __init ima_init(void) 85int __init ima_init(void)
76{ 86{
77 u8 pcr_i[IMA_DIGEST_SIZE]; 87 u8 pcr_i[TPM_DIGEST_SIZE];
78 int rc; 88 int rc;
79 89
80 ima_used_chip = 0; 90 ima_used_chip = 0;
@@ -88,6 +98,10 @@ int __init ima_init(void)
88 rc = ima_init_crypto(); 98 rc = ima_init_crypto();
89 if (rc) 99 if (rc)
90 return rc; 100 return rc;
101 rc = ima_init_template();
102 if (rc != 0)
103 return rc;
104
91 ima_add_boot_aggregate(); /* boot aggregate must be first entry */ 105 ima_add_boot_aggregate(); /* boot aggregate must be first entry */
92 ima_init_policy(); 106 ima_init_policy();
93 107
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index e9508d5bbfcf..149ee1119f87 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -24,6 +24,7 @@
24#include <linux/slab.h> 24#include <linux/slab.h>
25#include <linux/xattr.h> 25#include <linux/xattr.h>
26#include <linux/ima.h> 26#include <linux/ima.h>
27#include <crypto/hash_info.h>
27 28
28#include "ima.h" 29#include "ima.h"
29 30
@@ -35,11 +36,33 @@ int ima_appraise = IMA_APPRAISE_ENFORCE;
35int ima_appraise; 36int ima_appraise;
36#endif 37#endif
37 38
38char *ima_hash = "sha1"; 39int ima_hash_algo = HASH_ALGO_SHA1;
40static int hash_setup_done;
41
39static int __init hash_setup(char *str) 42static int __init hash_setup(char *str)
40{ 43{
41 if (strncmp(str, "md5", 3) == 0) 44 struct ima_template_desc *template_desc = ima_template_desc_current();
42 ima_hash = "md5"; 45 int i;
46
47 if (hash_setup_done)
48 return 1;
49
50 if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
51 if (strncmp(str, "sha1", 4) == 0)
52 ima_hash_algo = HASH_ALGO_SHA1;
53 else if (strncmp(str, "md5", 3) == 0)
54 ima_hash_algo = HASH_ALGO_MD5;
55 goto out;
56 }
57
58 for (i = 0; i < HASH_ALGO__LAST; i++) {
59 if (strcmp(str, hash_algo_name[i]) == 0) {
60 ima_hash_algo = i;
61 break;
62 }
63 }
64out:
65 hash_setup_done = 1;
43 return 1; 66 return 1;
44} 67}
45__setup("ima_hash=", hash_setup); 68__setup("ima_hash=", hash_setup);
@@ -92,10 +115,9 @@ out:
92 pathname = dentry->d_name.name; 115 pathname = dentry->d_name.name;
93 116
94 if (send_tomtou) 117 if (send_tomtou)
95 ima_add_violation(inode, pathname, 118 ima_add_violation(file, pathname, "invalid_pcr", "ToMToU");
96 "invalid_pcr", "ToMToU");
97 if (send_writers) 119 if (send_writers)
98 ima_add_violation(inode, pathname, 120 ima_add_violation(file, pathname,
99 "invalid_pcr", "open_writers"); 121 "invalid_pcr", "open_writers");
100 kfree(pathbuf); 122 kfree(pathbuf);
101} 123}
@@ -144,9 +166,12 @@ static int process_measurement(struct file *file, const char *filename,
144{ 166{
145 struct inode *inode = file_inode(file); 167 struct inode *inode = file_inode(file);
146 struct integrity_iint_cache *iint; 168 struct integrity_iint_cache *iint;
169 struct ima_template_desc *template_desc = ima_template_desc_current();
147 char *pathbuf = NULL; 170 char *pathbuf = NULL;
148 const char *pathname = NULL; 171 const char *pathname = NULL;
149 int rc = -ENOMEM, action, must_appraise, _func; 172 int rc = -ENOMEM, action, must_appraise, _func;
173 struct evm_ima_xattr_data *xattr_value = NULL, **xattr_ptr = NULL;
174 int xattr_len = 0;
150 175
151 if (!ima_initialized || !S_ISREG(inode->i_mode)) 176 if (!ima_initialized || !S_ISREG(inode->i_mode))
152 return 0; 177 return 0;
@@ -185,7 +210,13 @@ static int process_measurement(struct file *file, const char *filename,
185 goto out_digsig; 210 goto out_digsig;
186 } 211 }
187 212
188 rc = ima_collect_measurement(iint, file); 213 if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
214 if (action & IMA_APPRAISE_SUBMASK)
215 xattr_ptr = &xattr_value;
216 } else
217 xattr_ptr = &xattr_value;
218
219 rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);
189 if (rc != 0) 220 if (rc != 0)
190 goto out_digsig; 221 goto out_digsig;
191 222
@@ -194,9 +225,11 @@ static int process_measurement(struct file *file, const char *filename,
194 pathname = (const char *)file->f_dentry->d_name.name; 225 pathname = (const char *)file->f_dentry->d_name.name;
195 226
196 if (action & IMA_MEASURE) 227 if (action & IMA_MEASURE)
197 ima_store_measurement(iint, file, pathname); 228 ima_store_measurement(iint, file, pathname,
229 xattr_value, xattr_len);
198 if (action & IMA_APPRAISE_SUBMASK) 230 if (action & IMA_APPRAISE_SUBMASK)
199 rc = ima_appraise_measurement(_func, iint, file, pathname); 231 rc = ima_appraise_measurement(_func, iint, file, pathname,
232 xattr_value, xattr_len);
200 if (action & IMA_AUDIT) 233 if (action & IMA_AUDIT)
201 ima_audit_measurement(iint, pathname); 234 ima_audit_measurement(iint, pathname);
202 kfree(pathbuf); 235 kfree(pathbuf);
@@ -205,6 +238,7 @@ out_digsig:
205 rc = -EACCES; 238 rc = -EACCES;
206out: 239out:
207 mutex_unlock(&inode->i_mutex); 240 mutex_unlock(&inode->i_mutex);
241 kfree(xattr_value);
208 if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) 242 if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
209 return -EACCES; 243 return -EACCES;
210 return 0; 244 return 0;
@@ -244,9 +278,9 @@ int ima_file_mmap(struct file *file, unsigned long prot)
244int ima_bprm_check(struct linux_binprm *bprm) 278int ima_bprm_check(struct linux_binprm *bprm)
245{ 279{
246 return process_measurement(bprm->file, 280 return process_measurement(bprm->file,
247 (strcmp(bprm->filename, bprm->interp) == 0) ? 281 (strcmp(bprm->filename, bprm->interp) == 0) ?
248 bprm->filename : bprm->interp, 282 bprm->filename : bprm->interp,
249 MAY_EXEC, BPRM_CHECK); 283 MAY_EXEC, BPRM_CHECK);
250} 284}
251 285
252/** 286/**
@@ -263,8 +297,8 @@ int ima_file_check(struct file *file, int mask)
263{ 297{
264 ima_rdwr_violation_check(file); 298 ima_rdwr_violation_check(file);
265 return process_measurement(file, NULL, 299 return process_measurement(file, NULL,
266 mask & (MAY_READ | MAY_WRITE | MAY_EXEC), 300 mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
267 FILE_CHECK); 301 FILE_CHECK);
268} 302}
269EXPORT_SYMBOL_GPL(ima_file_check); 303EXPORT_SYMBOL_GPL(ima_file_check);
270 304
@@ -294,6 +328,7 @@ static int __init init_ima(void)
294{ 328{
295 int error; 329 int error;
296 330
331 hash_setup(CONFIG_IMA_DEFAULT_HASH);
297 error = ima_init(); 332 error = ima_init();
298 if (!error) 333 if (!error)
299 ima_initialized = 1; 334 ima_initialized = 1;
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 399433ad614e..a9c3d3cd1990 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -73,7 +73,6 @@ static struct ima_rule_entry default_rules[] = {
73 {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC}, 73 {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
74 {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC}, 74 {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
75 {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC}, 75 {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
76 {.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
77 {.action = DONT_MEASURE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC}, 76 {.action = DONT_MEASURE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
78 {.action = DONT_MEASURE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC}, 77 {.action = DONT_MEASURE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
79 {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC}, 78 {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index ff63fe00c195..d85e99761f4f 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -50,7 +50,7 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value)
50 key = ima_hash_key(digest_value); 50 key = ima_hash_key(digest_value);
51 rcu_read_lock(); 51 rcu_read_lock();
52 hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) { 52 hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) {
53 rc = memcmp(qe->entry->digest, digest_value, IMA_DIGEST_SIZE); 53 rc = memcmp(qe->entry->digest, digest_value, TPM_DIGEST_SIZE);
54 if (rc == 0) { 54 if (rc == 0) {
55 ret = qe; 55 ret = qe;
56 break; 56 break;
@@ -104,9 +104,10 @@ static int ima_pcr_extend(const u8 *hash)
104 * and extend the pcr. 104 * and extend the pcr.
105 */ 105 */
106int ima_add_template_entry(struct ima_template_entry *entry, int violation, 106int ima_add_template_entry(struct ima_template_entry *entry, int violation,
107 const char *op, struct inode *inode) 107 const char *op, struct inode *inode,
108 const unsigned char *filename)
108{ 109{
109 u8 digest[IMA_DIGEST_SIZE]; 110 u8 digest[TPM_DIGEST_SIZE];
110 const char *audit_cause = "hash_added"; 111 const char *audit_cause = "hash_added";
111 char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX]; 112 char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
112 int audit_info = 1; 113 int audit_info = 1;
@@ -141,8 +142,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
141 } 142 }
142out: 143out:
143 mutex_unlock(&ima_extend_list_mutex); 144 mutex_unlock(&ima_extend_list_mutex);
144 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, 145 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
145 entry->template.file_name,
146 op, audit_cause, result, audit_info); 146 op, audit_cause, result, audit_info);
147 return result; 147 return result;
148} 148}
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
new file mode 100644
index 000000000000..635695f6a185
--- /dev/null
+++ b/security/integrity/ima/ima_template.c
@@ -0,0 +1,187 @@
1/*
2 * Copyright (C) 2013 Politecnico di Torino, Italy
3 * TORSEC group -- http://security.polito.it
4 *
5 * Author: Roberto Sassu <roberto.sassu@polito.it>
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation, version 2 of the
10 * License.
11 *
12 * File: ima_template.c
13 * Helpers to manage template descriptors.
14 */
15#include <crypto/hash_info.h>
16
17#include "ima.h"
18#include "ima_template_lib.h"
19
20static struct ima_template_desc defined_templates[] = {
21 {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
22 {.name = "ima-ng",.fmt = "d-ng|n-ng"},
23 {.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
24};
25
26static struct ima_template_field supported_fields[] = {
27 {.field_id = "d",.field_init = ima_eventdigest_init,
28 .field_show = ima_show_template_digest},
29 {.field_id = "n",.field_init = ima_eventname_init,
30 .field_show = ima_show_template_string},
31 {.field_id = "d-ng",.field_init = ima_eventdigest_ng_init,
32 .field_show = ima_show_template_digest_ng},
33 {.field_id = "n-ng",.field_init = ima_eventname_ng_init,
34 .field_show = ima_show_template_string},
35 {.field_id = "sig",.field_init = ima_eventsig_init,
36 .field_show = ima_show_template_sig},
37};
38
39static struct ima_template_desc *ima_template;
40static struct ima_template_desc *lookup_template_desc(const char *name);
41
42static int __init ima_template_setup(char *str)
43{
44 struct ima_template_desc *template_desc;
45 int template_len = strlen(str);
46
47 /*
48 * Verify that a template with the supplied name exists.
49 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
50 */
51 template_desc = lookup_template_desc(str);
52 if (!template_desc)
53 return 1;
54
55 /*
56 * Verify whether the current hash algorithm is supported
57 * by the 'ima' template.
58 */
59 if (template_len == 3 && strcmp(str, IMA_TEMPLATE_IMA_NAME) == 0 &&
60 ima_hash_algo != HASH_ALGO_SHA1 && ima_hash_algo != HASH_ALGO_MD5) {
61 pr_err("IMA: template does not support hash alg\n");
62 return 1;
63 }
64
65 ima_template = template_desc;
66 return 1;
67}
68__setup("ima_template=", ima_template_setup);
69
70static struct ima_template_desc *lookup_template_desc(const char *name)
71{
72 int i;
73
74 for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
75 if (strcmp(defined_templates[i].name, name) == 0)
76 return defined_templates + i;
77 }
78
79 return NULL;
80}
81
82static struct ima_template_field *lookup_template_field(const char *field_id)
83{
84 int i;
85
86 for (i = 0; i < ARRAY_SIZE(supported_fields); i++)
87 if (strncmp(supported_fields[i].field_id, field_id,
88 IMA_TEMPLATE_FIELD_ID_MAX_LEN) == 0)
89 return &supported_fields[i];
90 return NULL;
91}
92
93static int template_fmt_size(const char *template_fmt)
94{
95 char c;
96 int template_fmt_len = strlen(template_fmt);
97 int i = 0, j = 0;
98
99 while (i < template_fmt_len) {
100 c = template_fmt[i];
101 if (c == '|')
102 j++;
103 i++;
104 }
105
106 return j + 1;
107}
108
109static int template_desc_init_fields(const char *template_fmt,
110 struct ima_template_field ***fields,
111 int *num_fields)
112{
113 char *c, *template_fmt_copy, *template_fmt_ptr;
114 int template_num_fields = template_fmt_size(template_fmt);
115 int i, result = 0;
116
117 if (template_num_fields > IMA_TEMPLATE_NUM_FIELDS_MAX)
118 return -EINVAL;
119
120 /* copying is needed as strsep() modifies the original buffer */
121 template_fmt_copy = kstrdup(template_fmt, GFP_KERNEL);
122 if (template_fmt_copy == NULL)
123 return -ENOMEM;
124
125 *fields = kzalloc(template_num_fields * sizeof(*fields), GFP_KERNEL);
126 if (*fields == NULL) {
127 result = -ENOMEM;
128 goto out;
129 }
130
131 template_fmt_ptr = template_fmt_copy;
132 for (i = 0; (c = strsep(&template_fmt_ptr, "|")) != NULL &&
133 i < template_num_fields; i++) {
134 struct ima_template_field *f = lookup_template_field(c);
135
136 if (!f) {
137 result = -ENOENT;
138 goto out;
139 }
140 (*fields)[i] = f;
141 }
142 *num_fields = i;
143out:
144 if (result < 0) {
145 kfree(*fields);
146 *fields = NULL;
147 }
148 kfree(template_fmt_copy);
149 return result;
150}
151
152static int init_defined_templates(void)
153{
154 int i = 0;
155 int result = 0;
156
157 /* Init defined templates. */
158 for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
159 struct ima_template_desc *template = &defined_templates[i];
160
161 result = template_desc_init_fields(template->fmt,
162 &(template->fields),
163 &(template->num_fields));
164 if (result < 0)
165 return result;
166 }
167 return result;
168}
169
170struct ima_template_desc *ima_template_desc_current(void)
171{
172 if (!ima_template)
173 ima_template =
174 lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE);
175 return ima_template;
176}
177
178int ima_init_template(void)
179{
180 int result;
181
182 result = init_defined_templates();
183 if (result < 0)
184 return result;
185
186 return 0;
187}
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
new file mode 100644
index 000000000000..c38adcc910fb
--- /dev/null
+++ b/security/integrity/ima/ima_template_lib.c
@@ -0,0 +1,351 @@
1/*
2 * Copyright (C) 2013 Politecnico di Torino, Italy
3 * TORSEC group -- http://security.polito.it
4 *
5 * Author: Roberto Sassu <roberto.sassu@polito.it>
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation, version 2 of the
10 * License.
11 *
12 * File: ima_template_lib.c
13 * Library of supported template fields.
14 */
15#include <crypto/hash_info.h>
16
17#include "ima_template_lib.h"
18
19static bool ima_template_hash_algo_allowed(u8 algo)
20{
21 if (algo == HASH_ALGO_SHA1 || algo == HASH_ALGO_MD5)
22 return true;
23
24 return false;
25}
26
27enum data_formats {
28 DATA_FMT_DIGEST = 0,
29 DATA_FMT_DIGEST_WITH_ALGO,
30 DATA_FMT_EVENT_NAME,
31 DATA_FMT_STRING,
32 DATA_FMT_HEX
33};
34
35static int ima_write_template_field_data(const void *data, const u32 datalen,
36 enum data_formats datafmt,
37 struct ima_field_data *field_data)
38{
39 u8 *buf, *buf_ptr;
40 u32 buflen;
41
42 switch (datafmt) {
43 case DATA_FMT_EVENT_NAME:
44 buflen = IMA_EVENT_NAME_LEN_MAX + 1;
45 break;
46 case DATA_FMT_STRING:
47 buflen = datalen + 1;
48 break;
49 default:
50 buflen = datalen;
51 }
52
53 buf = kzalloc(buflen, GFP_KERNEL);
54 if (!buf)
55 return -ENOMEM;
56
57 memcpy(buf, data, datalen);
58
59 /*
60 * Replace all space characters with underscore for event names and
61 * strings. This avoid that, during the parsing of a measurements list,
62 * filenames with spaces or that end with the suffix ' (deleted)' are
63 * split into multiple template fields (the space is the delimitator
64 * character for measurements lists in ASCII format).
65 */
66 if (datafmt == DATA_FMT_EVENT_NAME || datafmt == DATA_FMT_STRING) {
67 for (buf_ptr = buf; buf_ptr - buf < datalen; buf_ptr++)
68 if (*buf_ptr == ' ')
69 *buf_ptr = '_';
70 }
71
72 field_data->data = buf;
73 field_data->len = buflen;
74 return 0;
75}
76
77static void ima_show_template_data_ascii(struct seq_file *m,
78 enum ima_show_type show,
79 enum data_formats datafmt,
80 struct ima_field_data *field_data)
81{
82 u8 *buf_ptr = field_data->data, buflen = field_data->len;
83
84 switch (datafmt) {
85 case DATA_FMT_DIGEST_WITH_ALGO:
86 buf_ptr = strnchr(field_data->data, buflen, ':');
87 if (buf_ptr != field_data->data)
88 seq_printf(m, "%s", field_data->data);
89
90 /* skip ':' and '\0' */
91 buf_ptr += 2;
92 buflen -= buf_ptr - field_data->data;
93 case DATA_FMT_DIGEST:
94 case DATA_FMT_HEX:
95 if (!buflen)
96 break;
97 ima_print_digest(m, buf_ptr, buflen);
98 break;
99 case DATA_FMT_STRING:
100 seq_printf(m, "%s", buf_ptr);
101 break;
102 default:
103 break;
104 }
105}
106
107static void ima_show_template_data_binary(struct seq_file *m,
108 enum ima_show_type show,
109 enum data_formats datafmt,
110 struct ima_field_data *field_data)
111{
112 if (show != IMA_SHOW_BINARY_NO_FIELD_LEN)
113 ima_putc(m, &field_data->len, sizeof(u32));
114
115 if (!field_data->len)
116 return;
117
118 ima_putc(m, field_data->data, field_data->len);
119}
120
121static void ima_show_template_field_data(struct seq_file *m,
122 enum ima_show_type show,
123 enum data_formats datafmt,
124 struct ima_field_data *field_data)
125{
126 switch (show) {
127 case IMA_SHOW_ASCII:
128 ima_show_template_data_ascii(m, show, datafmt, field_data);
129 break;
130 case IMA_SHOW_BINARY:
131 case IMA_SHOW_BINARY_NO_FIELD_LEN:
132 ima_show_template_data_binary(m, show, datafmt, field_data);
133 break;
134 default:
135 break;
136 }
137}
138
139void ima_show_template_digest(struct seq_file *m, enum ima_show_type show,
140 struct ima_field_data *field_data)
141{
142 ima_show_template_field_data(m, show, DATA_FMT_DIGEST, field_data);
143}
144
145void ima_show_template_digest_ng(struct seq_file *m, enum ima_show_type show,
146 struct ima_field_data *field_data)
147{
148 ima_show_template_field_data(m, show, DATA_FMT_DIGEST_WITH_ALGO,
149 field_data);
150}
151
152void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
153 struct ima_field_data *field_data)
154{
155 ima_show_template_field_data(m, show, DATA_FMT_STRING, field_data);
156}
157
158void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
159 struct ima_field_data *field_data)
160{
161 ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data);
162}
163
164static int ima_eventdigest_init_common(u8 *digest, u32 digestsize, u8 hash_algo,
165 struct ima_field_data *field_data,
166 bool size_limit)
167{
168 /*
169 * digest formats:
170 * - DATA_FMT_DIGEST: digest
171 * - DATA_FMT_DIGEST_WITH_ALGO: [<hash algo>] + ':' + '\0' + digest,
172 * where <hash algo> is provided if the hash algoritm is not
173 * SHA1 or MD5
174 */
175 u8 buffer[CRYPTO_MAX_ALG_NAME + 2 + IMA_MAX_DIGEST_SIZE] = { 0 };
176 enum data_formats fmt = DATA_FMT_DIGEST;
177 u32 offset = 0;
178
179 if (!size_limit) {
180 fmt = DATA_FMT_DIGEST_WITH_ALGO;
181 if (hash_algo < HASH_ALGO__LAST)
182 offset += snprintf(buffer, CRYPTO_MAX_ALG_NAME + 1,
183 "%s", hash_algo_name[hash_algo]);
184 buffer[offset] = ':';
185 offset += 2;
186 }
187
188 if (digest)
189 memcpy(buffer + offset, digest, digestsize);
190 else
191 /*
192 * If digest is NULL, the event being recorded is a violation.
193 * Make room for the digest by increasing the offset of
194 * IMA_DIGEST_SIZE.
195 */
196 offset += IMA_DIGEST_SIZE;
197
198 return ima_write_template_field_data(buffer, offset + digestsize,
199 fmt, field_data);
200}
201
202/*
203 * This function writes the digest of an event (with size limit).
204 */
205int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file,
206 const unsigned char *filename,
207 struct evm_ima_xattr_data *xattr_value, int xattr_len,
208 struct ima_field_data *field_data)
209{
210 struct {
211 struct ima_digest_data hdr;
212 char digest[IMA_MAX_DIGEST_SIZE];
213 } hash;
214 u8 *cur_digest = NULL;
215 u32 cur_digestsize = 0;
216 struct inode *inode;
217 int result;
218
219 memset(&hash, 0, sizeof(hash));
220
221 if (!iint) /* recording a violation. */
222 goto out;
223
224 if (ima_template_hash_algo_allowed(iint->ima_hash->algo)) {
225 cur_digest = iint->ima_hash->digest;
226 cur_digestsize = iint->ima_hash->length;
227 goto out;
228 }
229
230 if (!file) /* missing info to re-calculate the digest */
231 return -EINVAL;
232
233 inode = file_inode(file);
234 hash.hdr.algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
235 ima_hash_algo : HASH_ALGO_SHA1;
236 result = ima_calc_file_hash(file, &hash.hdr);
237 if (result) {
238 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
239 filename, "collect_data",
240 "failed", result, 0);
241 return result;
242 }
243 cur_digest = hash.hdr.digest;
244 cur_digestsize = hash.hdr.length;
245out:
246 return ima_eventdigest_init_common(cur_digest, cur_digestsize, -1,
247 field_data, true);
248}
249
250/*
251 * This function writes the digest of an event (without size limit).
252 */
253int ima_eventdigest_ng_init(struct integrity_iint_cache *iint,
254 struct file *file, const unsigned char *filename,
255 struct evm_ima_xattr_data *xattr_value,
256 int xattr_len, struct ima_field_data *field_data)
257{
258 u8 *cur_digest = NULL, hash_algo = HASH_ALGO__LAST;
259 u32 cur_digestsize = 0;
260
261 /* If iint is NULL, we are recording a violation. */
262 if (!iint)
263 goto out;
264
265 cur_digest = iint->ima_hash->digest;
266 cur_digestsize = iint->ima_hash->length;
267
268 hash_algo = iint->ima_hash->algo;
269out:
270 return ima_eventdigest_init_common(cur_digest, cur_digestsize,
271 hash_algo, field_data, false);
272}
273
274static int ima_eventname_init_common(struct integrity_iint_cache *iint,
275 struct file *file,
276 const unsigned char *filename,
277 struct ima_field_data *field_data,
278 bool size_limit)
279{
280 const char *cur_filename = NULL;
281 u32 cur_filename_len = 0;
282 enum data_formats fmt = size_limit ?
283 DATA_FMT_EVENT_NAME : DATA_FMT_STRING;
284
285 BUG_ON(filename == NULL && file == NULL);
286
287 if (filename) {
288 cur_filename = filename;
289 cur_filename_len = strlen(filename);
290
291 if (!size_limit || cur_filename_len <= IMA_EVENT_NAME_LEN_MAX)
292 goto out;
293 }
294
295 if (file) {
296 cur_filename = file->f_dentry->d_name.name;
297 cur_filename_len = strlen(cur_filename);
298 } else
299 /*
300 * Truncate filename if the latter is too long and
301 * the file descriptor is not available.
302 */
303 cur_filename_len = IMA_EVENT_NAME_LEN_MAX;
304out:
305 return ima_write_template_field_data(cur_filename, cur_filename_len,
306 fmt, field_data);
307}
308
309/*
310 * This function writes the name of an event (with size limit).
311 */
312int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file,
313 const unsigned char *filename,
314 struct evm_ima_xattr_data *xattr_value, int xattr_len,
315 struct ima_field_data *field_data)
316{
317 return ima_eventname_init_common(iint, file, filename,
318 field_data, true);
319}
320
321/*
322 * This function writes the name of an event (without size limit).
323 */
324int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file,
325 const unsigned char *filename,
326 struct evm_ima_xattr_data *xattr_value, int xattr_len,
327 struct ima_field_data *field_data)
328{
329 return ima_eventname_init_common(iint, file, filename,
330 field_data, false);
331}
332
333/*
334 * ima_eventsig_init - include the file signature as part of the template data
335 */
336int ima_eventsig_init(struct integrity_iint_cache *iint, struct file *file,
337 const unsigned char *filename,
338 struct evm_ima_xattr_data *xattr_value, int xattr_len,
339 struct ima_field_data *field_data)
340{
341 enum data_formats fmt = DATA_FMT_HEX;
342 int rc = 0;
343
344 if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
345 goto out;
346
347 rc = ima_write_template_field_data(xattr_value, xattr_len, fmt,
348 field_data);
349out:
350 return rc;
351}
diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h
new file mode 100644
index 000000000000..63f6b52cb1c2
--- /dev/null
+++ b/security/integrity/ima/ima_template_lib.h
@@ -0,0 +1,49 @@
1/*
2 * Copyright (C) 2013 Politecnico di Torino, Italy
3 * TORSEC group -- http://security.polito.it
4 *
5 * Author: Roberto Sassu <roberto.sassu@polito.it>
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation, version 2 of the
10 * License.
11 *
12 * File: ima_template_lib.h
13 * Header for the library of supported template fields.
14 */
15#ifndef __LINUX_IMA_TEMPLATE_LIB_H
16#define __LINUX_IMA_TEMPLATE_LIB_H
17
18#include <linux/seq_file.h>
19#include "ima.h"
20
21void ima_show_template_digest(struct seq_file *m, enum ima_show_type show,
22 struct ima_field_data *field_data);
23void ima_show_template_digest_ng(struct seq_file *m, enum ima_show_type show,
24 struct ima_field_data *field_data);
25void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
26 struct ima_field_data *field_data);
27void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
28 struct ima_field_data *field_data);
29int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file,
30 const unsigned char *filename,
31 struct evm_ima_xattr_data *xattr_value, int xattr_len,
32 struct ima_field_data *field_data);
33int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file,
34 const unsigned char *filename,
35 struct evm_ima_xattr_data *xattr_value, int xattr_len,
36 struct ima_field_data *field_data);
37int ima_eventdigest_ng_init(struct integrity_iint_cache *iint,
38 struct file *file, const unsigned char *filename,
39 struct evm_ima_xattr_data *xattr_value,
40 int xattr_len, struct ima_field_data *field_data);
41int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file,
42 const unsigned char *filename,
43 struct evm_ima_xattr_data *xattr_value, int xattr_len,
44 struct ima_field_data *field_data);
45int ima_eventsig_init(struct integrity_iint_cache *iint, struct file *file,
46 const unsigned char *filename,
47 struct evm_ima_xattr_data *xattr_value, int xattr_len,
48 struct ima_field_data *field_data);
49#endif /* __LINUX_IMA_TEMPLATE_LIB_H */
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index c42fb7a70dee..2fb5e53e927f 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -54,25 +54,57 @@ enum evm_ima_xattr_type {
54 IMA_XATTR_DIGEST = 0x01, 54 IMA_XATTR_DIGEST = 0x01,
55 EVM_XATTR_HMAC, 55 EVM_XATTR_HMAC,
56 EVM_IMA_XATTR_DIGSIG, 56 EVM_IMA_XATTR_DIGSIG,
57 IMA_XATTR_DIGEST_NG,
57}; 58};
58 59
59struct evm_ima_xattr_data { 60struct evm_ima_xattr_data {
60 u8 type; 61 u8 type;
61 u8 digest[SHA1_DIGEST_SIZE]; 62 u8 digest[SHA1_DIGEST_SIZE];
62} __attribute__((packed)); 63} __packed;
64
65#define IMA_MAX_DIGEST_SIZE 64
66
67struct ima_digest_data {
68 u8 algo;
69 u8 length;
70 union {
71 struct {
72 u8 unused;
73 u8 type;
74 } sha1;
75 struct {
76 u8 type;
77 u8 algo;
78 } ng;
79 u8 data[2];
80 } xattr;
81 u8 digest[0];
82} __packed;
83
84/*
85 * signature format v2 - for using with asymmetric keys
86 */
87struct signature_v2_hdr {
88 uint8_t type; /* xattr type */
89 uint8_t version; /* signature format version */
90 uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */
91 uint32_t keyid; /* IMA key identifier - not X509/PGP specific */
92 uint16_t sig_size; /* signature size */
93 uint8_t sig[0]; /* signature payload */
94} __packed;
63 95
64/* integrity data associated with an inode */ 96/* integrity data associated with an inode */
65struct integrity_iint_cache { 97struct integrity_iint_cache {
66 struct rb_node rb_node; /* rooted in integrity_iint_tree */ 98 struct rb_node rb_node; /* rooted in integrity_iint_tree */
67 struct inode *inode; /* back pointer to inode in question */ 99 struct inode *inode; /* back pointer to inode in question */
68 u64 version; /* track inode changes */ 100 u64 version; /* track inode changes */
69 unsigned long flags; 101 unsigned long flags;
70 struct evm_ima_xattr_data ima_xattr;
71 enum integrity_status ima_file_status:4; 102 enum integrity_status ima_file_status:4;
72 enum integrity_status ima_mmap_status:4; 103 enum integrity_status ima_mmap_status:4;
73 enum integrity_status ima_bprm_status:4; 104 enum integrity_status ima_bprm_status:4;
74 enum integrity_status ima_module_status:4; 105 enum integrity_status ima_module_status:4;
75 enum integrity_status evm_status:4; 106 enum integrity_status evm_status:4;
107 struct ima_digest_data *ima_hash;
76}; 108};
77 109
78/* rbtree tree calls to lookup, insert, delete 110/* rbtree tree calls to lookup, insert, delete
@@ -89,7 +121,7 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
89#ifdef CONFIG_INTEGRITY_SIGNATURE 121#ifdef CONFIG_INTEGRITY_SIGNATURE
90 122
91int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, 123int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
92 const char *digest, int digestlen); 124 const char *digest, int digestlen);
93 125
94#else 126#else
95 127
diff --git a/security/keys/Kconfig b/security/keys/Kconfig
index a90d6d300dbd..a4f3f8c48d6e 100644
--- a/security/keys/Kconfig
+++ b/security/keys/Kconfig
@@ -4,6 +4,7 @@
4 4
5config KEYS 5config KEYS
6 bool "Enable access key retention support" 6 bool "Enable access key retention support"
7 select ASSOCIATIVE_ARRAY
7 help 8 help
8 This option provides support for retaining authentication tokens and 9 This option provides support for retaining authentication tokens and
9 access keys in the kernel. 10 access keys in the kernel.
@@ -19,6 +20,34 @@ config KEYS
19 20
20 If you are unsure as to whether this is required, answer N. 21 If you are unsure as to whether this is required, answer N.
21 22
23config PERSISTENT_KEYRINGS
24 bool "Enable register of persistent per-UID keyrings"
25 depends on KEYS
26 help
27 This option provides a register of persistent per-UID keyrings,
28 primarily aimed at Kerberos key storage. The keyrings are persistent
29 in the sense that they stay around after all processes of that UID
30 have exited, not that they survive the machine being rebooted.
31
32 A particular keyring may be accessed by either the user whose keyring
33 it is or by a process with administrative privileges. The active
34 LSMs gets to rule on which admin-level processes get to access the
35 cache.
36
37 Keyrings are created and added into the register upon demand and get
38 removed if they expire (a default timeout is set upon creation).
39
40config BIG_KEYS
41 bool "Large payload keys"
42 depends on KEYS
43 depends on TMPFS
44 help
45 This option provides support for holding large keys within the kernel
46 (for example Kerberos ticket caches). The data may be stored out to
47 swapspace by tmpfs.
48
49 If you are unsure as to whether this is required, answer N.
50
22config TRUSTED_KEYS 51config TRUSTED_KEYS
23 tristate "TRUSTED KEYS" 52 tristate "TRUSTED KEYS"
24 depends on KEYS && TCG_TPM 53 depends on KEYS && TCG_TPM
diff --git a/security/keys/Makefile b/security/keys/Makefile
index 504aaa008388..dfb3a7bededf 100644
--- a/security/keys/Makefile
+++ b/security/keys/Makefile
@@ -18,9 +18,11 @@ obj-y := \
18obj-$(CONFIG_KEYS_COMPAT) += compat.o 18obj-$(CONFIG_KEYS_COMPAT) += compat.o
19obj-$(CONFIG_PROC_FS) += proc.o 19obj-$(CONFIG_PROC_FS) += proc.o
20obj-$(CONFIG_SYSCTL) += sysctl.o 20obj-$(CONFIG_SYSCTL) += sysctl.o
21obj-$(CONFIG_PERSISTENT_KEYRINGS) += persistent.o
21 22
22# 23#
23# Key types 24# Key types
24# 25#
26obj-$(CONFIG_BIG_KEYS) += big_key.o
25obj-$(CONFIG_TRUSTED_KEYS) += trusted.o 27obj-$(CONFIG_TRUSTED_KEYS) += trusted.o
26obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/ 28obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/
diff --git a/security/keys/big_key.c b/security/keys/big_key.c
new file mode 100644
index 000000000000..8137b27d641d
--- /dev/null
+++ b/security/keys/big_key.c
@@ -0,0 +1,207 @@
1/* Large capacity key type
2 *
3 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/seq_file.h>
15#include <linux/file.h>
16#include <linux/shmem_fs.h>
17#include <linux/err.h>
18#include <keys/user-type.h>
19#include <keys/big_key-type.h>
20
21MODULE_LICENSE("GPL");
22
23/*
24 * If the data is under this limit, there's no point creating a shm file to
25 * hold it as the permanently resident metadata for the shmem fs will be at
26 * least as large as the data.
27 */
28#define BIG_KEY_FILE_THRESHOLD (sizeof(struct inode) + sizeof(struct dentry))
29
30/*
31 * big_key defined keys take an arbitrary string as the description and an
32 * arbitrary blob of data as the payload
33 */
34struct key_type key_type_big_key = {
35 .name = "big_key",
36 .def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
37 .instantiate = big_key_instantiate,
38 .match = user_match,
39 .revoke = big_key_revoke,
40 .destroy = big_key_destroy,
41 .describe = big_key_describe,
42 .read = big_key_read,
43};
44
45/*
46 * Instantiate a big key
47 */
48int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
49{
50 struct path *path = (struct path *)&key->payload.data2;
51 struct file *file;
52 ssize_t written;
53 size_t datalen = prep->datalen;
54 int ret;
55
56 ret = -EINVAL;
57 if (datalen <= 0 || datalen > 1024 * 1024 || !prep->data)
58 goto error;
59
60 /* Set an arbitrary quota */
61 ret = key_payload_reserve(key, 16);
62 if (ret < 0)
63 goto error;
64
65 key->type_data.x[1] = datalen;
66
67 if (datalen > BIG_KEY_FILE_THRESHOLD) {
68 /* Create a shmem file to store the data in. This will permit the data
69 * to be swapped out if needed.
70 *
71 * TODO: Encrypt the stored data with a temporary key.
72 */
73 file = shmem_kernel_file_setup("", datalen, 0);
74 if (IS_ERR(file)) {
75 ret = PTR_ERR(file);
76 goto err_quota;
77 }
78
79 written = kernel_write(file, prep->data, prep->datalen, 0);
80 if (written != datalen) {
81 ret = written;
82 if (written >= 0)
83 ret = -ENOMEM;
84 goto err_fput;
85 }
86
87 /* Pin the mount and dentry to the key so that we can open it again
88 * later
89 */
90 *path = file->f_path;
91 path_get(path);
92 fput(file);
93 } else {
94 /* Just store the data in a buffer */
95 void *data = kmalloc(datalen, GFP_KERNEL);
96 if (!data) {
97 ret = -ENOMEM;
98 goto err_quota;
99 }
100
101 key->payload.data = memcpy(data, prep->data, prep->datalen);
102 }
103 return 0;
104
105err_fput:
106 fput(file);
107err_quota:
108 key_payload_reserve(key, 0);
109error:
110 return ret;
111}
112
113/*
114 * dispose of the links from a revoked keyring
115 * - called with the key sem write-locked
116 */
117void big_key_revoke(struct key *key)
118{
119 struct path *path = (struct path *)&key->payload.data2;
120
121 /* clear the quota */
122 key_payload_reserve(key, 0);
123 if (key_is_instantiated(key) && key->type_data.x[1] > BIG_KEY_FILE_THRESHOLD)
124 vfs_truncate(path, 0);
125}
126
127/*
128 * dispose of the data dangling from the corpse of a big_key key
129 */
130void big_key_destroy(struct key *key)
131{
132 if (key->type_data.x[1] > BIG_KEY_FILE_THRESHOLD) {
133 struct path *path = (struct path *)&key->payload.data2;
134 path_put(path);
135 path->mnt = NULL;
136 path->dentry = NULL;
137 } else {
138 kfree(key->payload.data);
139 key->payload.data = NULL;
140 }
141}
142
143/*
144 * describe the big_key key
145 */
146void big_key_describe(const struct key *key, struct seq_file *m)
147{
148 unsigned long datalen = key->type_data.x[1];
149
150 seq_puts(m, key->description);
151
152 if (key_is_instantiated(key))
153 seq_printf(m, ": %lu [%s]",
154 datalen,
155 datalen > BIG_KEY_FILE_THRESHOLD ? "file" : "buff");
156}
157
158/*
159 * read the key data
160 * - the key's semaphore is read-locked
161 */
162long big_key_read(const struct key *key, char __user *buffer, size_t buflen)
163{
164 unsigned long datalen = key->type_data.x[1];
165 long ret;
166
167 if (!buffer || buflen < datalen)
168 return datalen;
169
170 if (datalen > BIG_KEY_FILE_THRESHOLD) {
171 struct path *path = (struct path *)&key->payload.data2;
172 struct file *file;
173 loff_t pos;
174
175 file = dentry_open(path, O_RDONLY, current_cred());
176 if (IS_ERR(file))
177 return PTR_ERR(file);
178
179 pos = 0;
180 ret = vfs_read(file, buffer, datalen, &pos);
181 fput(file);
182 if (ret >= 0 && ret != datalen)
183 ret = -EIO;
184 } else {
185 ret = datalen;
186 if (copy_to_user(buffer, key->payload.data, datalen) != 0)
187 ret = -EFAULT;
188 }
189
190 return ret;
191}
192
193/*
194 * Module stuff
195 */
196static int __init big_key_init(void)
197{
198 return register_key_type(&key_type_big_key);
199}
200
201static void __exit big_key_cleanup(void)
202{
203 unregister_key_type(&key_type_big_key);
204}
205
206module_init(big_key_init);
207module_exit(big_key_cleanup);
diff --git a/security/keys/compat.c b/security/keys/compat.c
index d65fa7fa29ba..bbd32c729dbb 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -138,6 +138,9 @@ asmlinkage long compat_sys_keyctl(u32 option,
138 case KEYCTL_INVALIDATE: 138 case KEYCTL_INVALIDATE:
139 return keyctl_invalidate_key(arg2); 139 return keyctl_invalidate_key(arg2);
140 140
141 case KEYCTL_GET_PERSISTENT:
142 return keyctl_get_persistent(arg2, arg3);
143
141 default: 144 default:
142 return -EOPNOTSUPP; 145 return -EOPNOTSUPP;
143 } 146 }
diff --git a/security/keys/gc.c b/security/keys/gc.c
index d67c97bb1025..d3222b6d7d59 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -131,50 +131,6 @@ void key_gc_keytype(struct key_type *ktype)
131} 131}
132 132
133/* 133/*
134 * Garbage collect pointers from a keyring.
135 *
136 * Not called with any locks held. The keyring's key struct will not be
137 * deallocated under us as only our caller may deallocate it.
138 */
139static void key_gc_keyring(struct key *keyring, time_t limit)
140{
141 struct keyring_list *klist;
142 int loop;
143
144 kenter("%x", key_serial(keyring));
145
146 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
147 (1 << KEY_FLAG_REVOKED)))
148 goto dont_gc;
149
150 /* scan the keyring looking for dead keys */
151 rcu_read_lock();
152 klist = rcu_dereference(keyring->payload.subscriptions);
153 if (!klist)
154 goto unlock_dont_gc;
155
156 loop = klist->nkeys;
157 smp_rmb();
158 for (loop--; loop >= 0; loop--) {
159 struct key *key = rcu_dereference(klist->keys[loop]);
160 if (key_is_dead(key, limit))
161 goto do_gc;
162 }
163
164unlock_dont_gc:
165 rcu_read_unlock();
166dont_gc:
167 kleave(" [no gc]");
168 return;
169
170do_gc:
171 rcu_read_unlock();
172
173 keyring_gc(keyring, limit);
174 kleave(" [gc]");
175}
176
177/*
178 * Garbage collect a list of unreferenced, detached keys 134 * Garbage collect a list of unreferenced, detached keys
179 */ 135 */
180static noinline void key_gc_unused_keys(struct list_head *keys) 136static noinline void key_gc_unused_keys(struct list_head *keys)
@@ -392,8 +348,7 @@ found_unreferenced_key:
392 */ 348 */
393found_keyring: 349found_keyring:
394 spin_unlock(&key_serial_lock); 350 spin_unlock(&key_serial_lock);
395 kdebug("scan keyring %d", key->serial); 351 keyring_gc(key, limit);
396 key_gc_keyring(key, limit);
397 goto maybe_resched; 352 goto maybe_resched;
398 353
399 /* We found a dead key that is still referenced. Reset its type and 354 /* We found a dead key that is still referenced. Reset its type and
diff --git a/security/keys/internal.h b/security/keys/internal.h
index d4f1468b9b50..80b2aac4f50c 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -89,42 +89,53 @@ extern struct key_type *key_type_lookup(const char *type);
89extern void key_type_put(struct key_type *ktype); 89extern void key_type_put(struct key_type *ktype);
90 90
91extern int __key_link_begin(struct key *keyring, 91extern int __key_link_begin(struct key *keyring,
92 const struct key_type *type, 92 const struct keyring_index_key *index_key,
93 const char *description, 93 struct assoc_array_edit **_edit);
94 unsigned long *_prealloc);
95extern int __key_link_check_live_key(struct key *keyring, struct key *key); 94extern int __key_link_check_live_key(struct key *keyring, struct key *key);
96extern void __key_link(struct key *keyring, struct key *key, 95extern void __key_link(struct key *key, struct assoc_array_edit **_edit);
97 unsigned long *_prealloc);
98extern void __key_link_end(struct key *keyring, 96extern void __key_link_end(struct key *keyring,
99 struct key_type *type, 97 const struct keyring_index_key *index_key,
100 unsigned long prealloc); 98 struct assoc_array_edit *edit);
101 99
102extern key_ref_t __keyring_search_one(key_ref_t keyring_ref, 100extern key_ref_t find_key_to_update(key_ref_t keyring_ref,
103 const struct key_type *type, 101 const struct keyring_index_key *index_key);
104 const char *description,
105 key_perm_t perm);
106 102
107extern struct key *keyring_search_instkey(struct key *keyring, 103extern struct key *keyring_search_instkey(struct key *keyring,
108 key_serial_t target_id); 104 key_serial_t target_id);
109 105
106extern int iterate_over_keyring(const struct key *keyring,
107 int (*func)(const struct key *key, void *data),
108 void *data);
109
110typedef int (*key_match_func_t)(const struct key *, const void *); 110typedef int (*key_match_func_t)(const struct key *, const void *);
111 111
112struct keyring_search_context {
113 struct keyring_index_key index_key;
114 const struct cred *cred;
115 key_match_func_t match;
116 const void *match_data;
117 unsigned flags;
118#define KEYRING_SEARCH_LOOKUP_TYPE 0x0001 /* [as type->def_lookup_type] */
119#define KEYRING_SEARCH_NO_STATE_CHECK 0x0002 /* Skip state checks */
120#define KEYRING_SEARCH_DO_STATE_CHECK 0x0004 /* Override NO_STATE_CHECK */
121#define KEYRING_SEARCH_NO_UPDATE_TIME 0x0008 /* Don't update times */
122#define KEYRING_SEARCH_NO_CHECK_PERM 0x0010 /* Don't check permissions */
123#define KEYRING_SEARCH_DETECT_TOO_DEEP 0x0020 /* Give an error on excessive depth */
124
125 int (*iterator)(const void *object, void *iterator_data);
126
127 /* Internal stuff */
128 int skipped_ret;
129 bool possessed;
130 key_ref_t result;
131 struct timespec now;
132};
133
112extern key_ref_t keyring_search_aux(key_ref_t keyring_ref, 134extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
113 const struct cred *cred, 135 struct keyring_search_context *ctx);
114 struct key_type *type, 136
115 const void *description, 137extern key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx);
116 key_match_func_t match, 138extern key_ref_t search_process_keyrings(struct keyring_search_context *ctx);
117 bool no_state_check);
118
119extern key_ref_t search_my_process_keyrings(struct key_type *type,
120 const void *description,
121 key_match_func_t match,
122 bool no_state_check,
123 const struct cred *cred);
124extern key_ref_t search_process_keyrings(struct key_type *type,
125 const void *description,
126 key_match_func_t match,
127 const struct cred *cred);
128 139
129extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check); 140extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
130 141
@@ -202,7 +213,7 @@ extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
202/* 213/*
203 * Determine whether a key is dead. 214 * Determine whether a key is dead.
204 */ 215 */
205static inline bool key_is_dead(struct key *key, time_t limit) 216static inline bool key_is_dead(const struct key *key, time_t limit)
206{ 217{
207 return 218 return
208 key->flags & ((1 << KEY_FLAG_DEAD) | 219 key->flags & ((1 << KEY_FLAG_DEAD) |
@@ -244,6 +255,15 @@ extern long keyctl_invalidate_key(key_serial_t);
244extern long keyctl_instantiate_key_common(key_serial_t, 255extern long keyctl_instantiate_key_common(key_serial_t,
245 const struct iovec *, 256 const struct iovec *,
246 unsigned, size_t, key_serial_t); 257 unsigned, size_t, key_serial_t);
258#ifdef CONFIG_PERSISTENT_KEYRINGS
259extern long keyctl_get_persistent(uid_t, key_serial_t);
260extern unsigned persistent_keyring_expiry;
261#else
262static inline long keyctl_get_persistent(uid_t uid, key_serial_t destring)
263{
264 return -EOPNOTSUPP;
265}
266#endif
247 267
248/* 268/*
249 * Debugging key validation 269 * Debugging key validation
diff --git a/security/keys/key.c b/security/keys/key.c
index 8fb7c7bd4657..6e21c11e48bc 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -242,8 +242,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
242 } 242 }
243 } 243 }
244 244
245 desclen = strlen(desc) + 1; 245 desclen = strlen(desc);
246 quotalen = desclen + type->def_datalen; 246 quotalen = desclen + 1 + type->def_datalen;
247 247
248 /* get hold of the key tracking for this user */ 248 /* get hold of the key tracking for this user */
249 user = key_user_lookup(uid); 249 user = key_user_lookup(uid);
@@ -272,12 +272,13 @@ struct key *key_alloc(struct key_type *type, const char *desc,
272 } 272 }
273 273
274 /* allocate and initialise the key and its description */ 274 /* allocate and initialise the key and its description */
275 key = kmem_cache_alloc(key_jar, GFP_KERNEL); 275 key = kmem_cache_zalloc(key_jar, GFP_KERNEL);
276 if (!key) 276 if (!key)
277 goto no_memory_2; 277 goto no_memory_2;
278 278
279 if (desc) { 279 if (desc) {
280 key->description = kmemdup(desc, desclen, GFP_KERNEL); 280 key->index_key.desc_len = desclen;
281 key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL);
281 if (!key->description) 282 if (!key->description)
282 goto no_memory_3; 283 goto no_memory_3;
283 } 284 }
@@ -285,22 +286,18 @@ struct key *key_alloc(struct key_type *type, const char *desc,
285 atomic_set(&key->usage, 1); 286 atomic_set(&key->usage, 1);
286 init_rwsem(&key->sem); 287 init_rwsem(&key->sem);
287 lockdep_set_class(&key->sem, &type->lock_class); 288 lockdep_set_class(&key->sem, &type->lock_class);
288 key->type = type; 289 key->index_key.type = type;
289 key->user = user; 290 key->user = user;
290 key->quotalen = quotalen; 291 key->quotalen = quotalen;
291 key->datalen = type->def_datalen; 292 key->datalen = type->def_datalen;
292 key->uid = uid; 293 key->uid = uid;
293 key->gid = gid; 294 key->gid = gid;
294 key->perm = perm; 295 key->perm = perm;
295 key->flags = 0;
296 key->expiry = 0;
297 key->payload.data = NULL;
298 key->security = NULL;
299 296
300 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) 297 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
301 key->flags |= 1 << KEY_FLAG_IN_QUOTA; 298 key->flags |= 1 << KEY_FLAG_IN_QUOTA;
302 299 if (flags & KEY_ALLOC_TRUSTED)
303 memset(&key->type_data, 0, sizeof(key->type_data)); 300 key->flags |= 1 << KEY_FLAG_TRUSTED;
304 301
305#ifdef KEY_DEBUGGING 302#ifdef KEY_DEBUGGING
306 key->magic = KEY_DEBUG_MAGIC; 303 key->magic = KEY_DEBUG_MAGIC;
@@ -408,7 +405,7 @@ static int __key_instantiate_and_link(struct key *key,
408 struct key_preparsed_payload *prep, 405 struct key_preparsed_payload *prep,
409 struct key *keyring, 406 struct key *keyring,
410 struct key *authkey, 407 struct key *authkey,
411 unsigned long *_prealloc) 408 struct assoc_array_edit **_edit)
412{ 409{
413 int ret, awaken; 410 int ret, awaken;
414 411
@@ -435,7 +432,7 @@ static int __key_instantiate_and_link(struct key *key,
435 432
436 /* and link it into the destination keyring */ 433 /* and link it into the destination keyring */
437 if (keyring) 434 if (keyring)
438 __key_link(keyring, key, _prealloc); 435 __key_link(key, _edit);
439 436
440 /* disable the authorisation key */ 437 /* disable the authorisation key */
441 if (authkey) 438 if (authkey)
@@ -475,7 +472,7 @@ int key_instantiate_and_link(struct key *key,
475 struct key *authkey) 472 struct key *authkey)
476{ 473{
477 struct key_preparsed_payload prep; 474 struct key_preparsed_payload prep;
478 unsigned long prealloc; 475 struct assoc_array_edit *edit;
479 int ret; 476 int ret;
480 477
481 memset(&prep, 0, sizeof(prep)); 478 memset(&prep, 0, sizeof(prep));
@@ -489,17 +486,15 @@ int key_instantiate_and_link(struct key *key,
489 } 486 }
490 487
491 if (keyring) { 488 if (keyring) {
492 ret = __key_link_begin(keyring, key->type, key->description, 489 ret = __key_link_begin(keyring, &key->index_key, &edit);
493 &prealloc);
494 if (ret < 0) 490 if (ret < 0)
495 goto error_free_preparse; 491 goto error_free_preparse;
496 } 492 }
497 493
498 ret = __key_instantiate_and_link(key, &prep, keyring, authkey, 494 ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit);
499 &prealloc);
500 495
501 if (keyring) 496 if (keyring)
502 __key_link_end(keyring, key->type, prealloc); 497 __key_link_end(keyring, &key->index_key, edit);
503 498
504error_free_preparse: 499error_free_preparse:
505 if (key->type->preparse) 500 if (key->type->preparse)
@@ -537,7 +532,7 @@ int key_reject_and_link(struct key *key,
537 struct key *keyring, 532 struct key *keyring,
538 struct key *authkey) 533 struct key *authkey)
539{ 534{
540 unsigned long prealloc; 535 struct assoc_array_edit *edit;
541 struct timespec now; 536 struct timespec now;
542 int ret, awaken, link_ret = 0; 537 int ret, awaken, link_ret = 0;
543 538
@@ -548,8 +543,7 @@ int key_reject_and_link(struct key *key,
548 ret = -EBUSY; 543 ret = -EBUSY;
549 544
550 if (keyring) 545 if (keyring)
551 link_ret = __key_link_begin(keyring, key->type, 546 link_ret = __key_link_begin(keyring, &key->index_key, &edit);
552 key->description, &prealloc);
553 547
554 mutex_lock(&key_construction_mutex); 548 mutex_lock(&key_construction_mutex);
555 549
@@ -557,9 +551,10 @@ int key_reject_and_link(struct key *key,
557 if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 551 if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
558 /* mark the key as being negatively instantiated */ 552 /* mark the key as being negatively instantiated */
559 atomic_inc(&key->user->nikeys); 553 atomic_inc(&key->user->nikeys);
554 key->type_data.reject_error = -error;
555 smp_wmb();
560 set_bit(KEY_FLAG_NEGATIVE, &key->flags); 556 set_bit(KEY_FLAG_NEGATIVE, &key->flags);
561 set_bit(KEY_FLAG_INSTANTIATED, &key->flags); 557 set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
562 key->type_data.reject_error = -error;
563 now = current_kernel_time(); 558 now = current_kernel_time();
564 key->expiry = now.tv_sec + timeout; 559 key->expiry = now.tv_sec + timeout;
565 key_schedule_gc(key->expiry + key_gc_delay); 560 key_schedule_gc(key->expiry + key_gc_delay);
@@ -571,7 +566,7 @@ int key_reject_and_link(struct key *key,
571 566
572 /* and link it into the destination keyring */ 567 /* and link it into the destination keyring */
573 if (keyring && link_ret == 0) 568 if (keyring && link_ret == 0)
574 __key_link(keyring, key, &prealloc); 569 __key_link(key, &edit);
575 570
576 /* disable the authorisation key */ 571 /* disable the authorisation key */
577 if (authkey) 572 if (authkey)
@@ -581,7 +576,7 @@ int key_reject_and_link(struct key *key,
581 mutex_unlock(&key_construction_mutex); 576 mutex_unlock(&key_construction_mutex);
582 577
583 if (keyring) 578 if (keyring)
584 __key_link_end(keyring, key->type, prealloc); 579 __key_link_end(keyring, &key->index_key, edit);
585 580
586 /* wake up anyone waiting for a key to be constructed */ 581 /* wake up anyone waiting for a key to be constructed */
587 if (awaken) 582 if (awaken)
@@ -645,7 +640,7 @@ found:
645 /* this races with key_put(), but that doesn't matter since key_put() 640 /* this races with key_put(), but that doesn't matter since key_put()
646 * doesn't actually change the key 641 * doesn't actually change the key
647 */ 642 */
648 atomic_inc(&key->usage); 643 __key_get(key);
649 644
650error: 645error:
651 spin_unlock(&key_serial_lock); 646 spin_unlock(&key_serial_lock);
@@ -780,25 +775,27 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
780 key_perm_t perm, 775 key_perm_t perm,
781 unsigned long flags) 776 unsigned long flags)
782{ 777{
783 unsigned long prealloc; 778 struct keyring_index_key index_key = {
779 .description = description,
780 };
784 struct key_preparsed_payload prep; 781 struct key_preparsed_payload prep;
782 struct assoc_array_edit *edit;
785 const struct cred *cred = current_cred(); 783 const struct cred *cred = current_cred();
786 struct key_type *ktype;
787 struct key *keyring, *key = NULL; 784 struct key *keyring, *key = NULL;
788 key_ref_t key_ref; 785 key_ref_t key_ref;
789 int ret; 786 int ret;
790 787
791 /* look up the key type to see if it's one of the registered kernel 788 /* look up the key type to see if it's one of the registered kernel
792 * types */ 789 * types */
793 ktype = key_type_lookup(type); 790 index_key.type = key_type_lookup(type);
794 if (IS_ERR(ktype)) { 791 if (IS_ERR(index_key.type)) {
795 key_ref = ERR_PTR(-ENODEV); 792 key_ref = ERR_PTR(-ENODEV);
796 goto error; 793 goto error;
797 } 794 }
798 795
799 key_ref = ERR_PTR(-EINVAL); 796 key_ref = ERR_PTR(-EINVAL);
800 if (!ktype->match || !ktype->instantiate || 797 if (!index_key.type->match || !index_key.type->instantiate ||
801 (!description && !ktype->preparse)) 798 (!index_key.description && !index_key.type->preparse))
802 goto error_put_type; 799 goto error_put_type;
803 800
804 keyring = key_ref_to_ptr(keyring_ref); 801 keyring = key_ref_to_ptr(keyring_ref);
@@ -812,21 +809,28 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
812 memset(&prep, 0, sizeof(prep)); 809 memset(&prep, 0, sizeof(prep));
813 prep.data = payload; 810 prep.data = payload;
814 prep.datalen = plen; 811 prep.datalen = plen;
815 prep.quotalen = ktype->def_datalen; 812 prep.quotalen = index_key.type->def_datalen;
816 if (ktype->preparse) { 813 prep.trusted = flags & KEY_ALLOC_TRUSTED;
817 ret = ktype->preparse(&prep); 814 if (index_key.type->preparse) {
815 ret = index_key.type->preparse(&prep);
818 if (ret < 0) { 816 if (ret < 0) {
819 key_ref = ERR_PTR(ret); 817 key_ref = ERR_PTR(ret);
820 goto error_put_type; 818 goto error_put_type;
821 } 819 }
822 if (!description) 820 if (!index_key.description)
823 description = prep.description; 821 index_key.description = prep.description;
824 key_ref = ERR_PTR(-EINVAL); 822 key_ref = ERR_PTR(-EINVAL);
825 if (!description) 823 if (!index_key.description)
826 goto error_free_prep; 824 goto error_free_prep;
827 } 825 }
826 index_key.desc_len = strlen(index_key.description);
827
828 key_ref = ERR_PTR(-EPERM);
829 if (!prep.trusted && test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags))
830 goto error_free_prep;
831 flags |= prep.trusted ? KEY_ALLOC_TRUSTED : 0;
828 832
829 ret = __key_link_begin(keyring, ktype, description, &prealloc); 833 ret = __key_link_begin(keyring, &index_key, &edit);
830 if (ret < 0) { 834 if (ret < 0) {
831 key_ref = ERR_PTR(ret); 835 key_ref = ERR_PTR(ret);
832 goto error_free_prep; 836 goto error_free_prep;
@@ -844,10 +848,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
844 * key of the same type and description in the destination keyring and 848 * key of the same type and description in the destination keyring and
845 * update that instead if possible 849 * update that instead if possible
846 */ 850 */
847 if (ktype->update) { 851 if (index_key.type->update) {
848 key_ref = __keyring_search_one(keyring_ref, ktype, description, 852 key_ref = find_key_to_update(keyring_ref, &index_key);
849 0); 853 if (key_ref)
850 if (!IS_ERR(key_ref))
851 goto found_matching_key; 854 goto found_matching_key;
852 } 855 }
853 856
@@ -856,23 +859,24 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
856 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; 859 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
857 perm |= KEY_USR_VIEW; 860 perm |= KEY_USR_VIEW;
858 861
859 if (ktype->read) 862 if (index_key.type->read)
860 perm |= KEY_POS_READ; 863 perm |= KEY_POS_READ;
861 864
862 if (ktype == &key_type_keyring || ktype->update) 865 if (index_key.type == &key_type_keyring ||
866 index_key.type->update)
863 perm |= KEY_POS_WRITE; 867 perm |= KEY_POS_WRITE;
864 } 868 }
865 869
866 /* allocate a new key */ 870 /* allocate a new key */
867 key = key_alloc(ktype, description, cred->fsuid, cred->fsgid, cred, 871 key = key_alloc(index_key.type, index_key.description,
868 perm, flags); 872 cred->fsuid, cred->fsgid, cred, perm, flags);
869 if (IS_ERR(key)) { 873 if (IS_ERR(key)) {
870 key_ref = ERR_CAST(key); 874 key_ref = ERR_CAST(key);
871 goto error_link_end; 875 goto error_link_end;
872 } 876 }
873 877
874 /* instantiate it and link it into the target keyring */ 878 /* instantiate it and link it into the target keyring */
875 ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &prealloc); 879 ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &edit);
876 if (ret < 0) { 880 if (ret < 0) {
877 key_put(key); 881 key_put(key);
878 key_ref = ERR_PTR(ret); 882 key_ref = ERR_PTR(ret);
@@ -882,12 +886,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
882 key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); 886 key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
883 887
884error_link_end: 888error_link_end:
885 __key_link_end(keyring, ktype, prealloc); 889 __key_link_end(keyring, &index_key, edit);
886error_free_prep: 890error_free_prep:
887 if (ktype->preparse) 891 if (index_key.type->preparse)
888 ktype->free_preparse(&prep); 892 index_key.type->free_preparse(&prep);
889error_put_type: 893error_put_type:
890 key_type_put(ktype); 894 key_type_put(index_key.type);
891error: 895error:
892 return key_ref; 896 return key_ref;
893 897
@@ -895,7 +899,7 @@ error:
895 /* we found a matching key, so we're going to try to update it 899 /* we found a matching key, so we're going to try to update it
896 * - we can drop the locks first as we have the key pinned 900 * - we can drop the locks first as we have the key pinned
897 */ 901 */
898 __key_link_end(keyring, ktype, prealloc); 902 __key_link_end(keyring, &index_key, edit);
899 903
900 key_ref = __key_update(key_ref, &prep); 904 key_ref = __key_update(key_ref, &prep);
901 goto error_free_prep; 905 goto error_free_prep;
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 33cfd27b4de2..cee72ce64222 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1667,6 +1667,9 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1667 case KEYCTL_INVALIDATE: 1667 case KEYCTL_INVALIDATE:
1668 return keyctl_invalidate_key((key_serial_t) arg2); 1668 return keyctl_invalidate_key((key_serial_t) arg2);
1669 1669
1670 case KEYCTL_GET_PERSISTENT:
1671 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3);
1672
1670 default: 1673 default:
1671 return -EOPNOTSUPP; 1674 return -EOPNOTSUPP;
1672 } 1675 }
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 6ece7f2e5707..d46cbc5e335e 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -1,6 +1,6 @@
1/* Keyring handling 1/* Keyring handling
2 * 2 *
3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. 3 * Copyright (C) 2004-2005, 2008, 2013 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com) 4 * Written by David Howells (dhowells@redhat.com)
5 * 5 *
6 * This program is free software; you can redistribute it and/or 6 * This program is free software; you can redistribute it and/or
@@ -17,25 +17,11 @@
17#include <linux/seq_file.h> 17#include <linux/seq_file.h>
18#include <linux/err.h> 18#include <linux/err.h>
19#include <keys/keyring-type.h> 19#include <keys/keyring-type.h>
20#include <keys/user-type.h>
21#include <linux/assoc_array_priv.h>
20#include <linux/uaccess.h> 22#include <linux/uaccess.h>
21#include "internal.h" 23#include "internal.h"
22 24
23#define rcu_dereference_locked_keyring(keyring) \
24 (rcu_dereference_protected( \
25 (keyring)->payload.subscriptions, \
26 rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))
27
28#define rcu_deref_link_locked(klist, index, keyring) \
29 (rcu_dereference_protected( \
30 (klist)->keys[index], \
31 rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))
32
33#define MAX_KEYRING_LINKS \
34 min_t(size_t, USHRT_MAX - 1, \
35 ((PAGE_SIZE - sizeof(struct keyring_list)) / sizeof(struct key *)))
36
37#define KEY_LINK_FIXQUOTA 1UL
38
39/* 25/*
40 * When plumbing the depths of the key tree, this sets a hard limit 26 * When plumbing the depths of the key tree, this sets a hard limit
41 * set on how deep we're willing to go. 27 * set on how deep we're willing to go.
@@ -47,6 +33,28 @@
47 */ 33 */
48#define KEYRING_NAME_HASH_SIZE (1 << 5) 34#define KEYRING_NAME_HASH_SIZE (1 << 5)
49 35
36/*
37 * We mark pointers we pass to the associative array with bit 1 set if
38 * they're keyrings and clear otherwise.
39 */
40#define KEYRING_PTR_SUBTYPE 0x2UL
41
42static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x)
43{
44 return (unsigned long)x & KEYRING_PTR_SUBTYPE;
45}
46static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x)
47{
48 void *object = assoc_array_ptr_to_leaf(x);
49 return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE);
50}
51static inline void *keyring_key_to_ptr(struct key *key)
52{
53 if (key->type == &key_type_keyring)
54 return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE);
55 return key;
56}
57
50static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE]; 58static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE];
51static DEFINE_RWLOCK(keyring_name_lock); 59static DEFINE_RWLOCK(keyring_name_lock);
52 60
@@ -67,7 +75,6 @@ static inline unsigned keyring_hash(const char *desc)
67 */ 75 */
68static int keyring_instantiate(struct key *keyring, 76static int keyring_instantiate(struct key *keyring,
69 struct key_preparsed_payload *prep); 77 struct key_preparsed_payload *prep);
70static int keyring_match(const struct key *keyring, const void *criterion);
71static void keyring_revoke(struct key *keyring); 78static void keyring_revoke(struct key *keyring);
72static void keyring_destroy(struct key *keyring); 79static void keyring_destroy(struct key *keyring);
73static void keyring_describe(const struct key *keyring, struct seq_file *m); 80static void keyring_describe(const struct key *keyring, struct seq_file *m);
@@ -76,9 +83,9 @@ static long keyring_read(const struct key *keyring,
76 83
77struct key_type key_type_keyring = { 84struct key_type key_type_keyring = {
78 .name = "keyring", 85 .name = "keyring",
79 .def_datalen = sizeof(struct keyring_list), 86 .def_datalen = 0,
80 .instantiate = keyring_instantiate, 87 .instantiate = keyring_instantiate,
81 .match = keyring_match, 88 .match = user_match,
82 .revoke = keyring_revoke, 89 .revoke = keyring_revoke,
83 .destroy = keyring_destroy, 90 .destroy = keyring_destroy,
84 .describe = keyring_describe, 91 .describe = keyring_describe,
@@ -127,6 +134,7 @@ static int keyring_instantiate(struct key *keyring,
127 134
128 ret = -EINVAL; 135 ret = -EINVAL;
129 if (prep->datalen == 0) { 136 if (prep->datalen == 0) {
137 assoc_array_init(&keyring->keys);
130 /* make the keyring available by name if it has one */ 138 /* make the keyring available by name if it has one */
131 keyring_publish_name(keyring); 139 keyring_publish_name(keyring);
132 ret = 0; 140 ret = 0;
@@ -136,15 +144,225 @@ static int keyring_instantiate(struct key *keyring,
136} 144}
137 145
138/* 146/*
139 * Match keyrings on their name 147 * Multiply 64-bits by 32-bits to 96-bits and fold back to 64-bit. Ideally we'd
148 * fold the carry back too, but that requires inline asm.
149 */
150static u64 mult_64x32_and_fold(u64 x, u32 y)
151{
152 u64 hi = (u64)(u32)(x >> 32) * y;
153 u64 lo = (u64)(u32)(x) * y;
154 return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32);
155}
156
157/*
158 * Hash a key type and description.
159 */
160static unsigned long hash_key_type_and_desc(const struct keyring_index_key *index_key)
161{
162 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP;
163 const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK;
164 const char *description = index_key->description;
165 unsigned long hash, type;
166 u32 piece;
167 u64 acc;
168 int n, desc_len = index_key->desc_len;
169
170 type = (unsigned long)index_key->type;
171
172 acc = mult_64x32_and_fold(type, desc_len + 13);
173 acc = mult_64x32_and_fold(acc, 9207);
174 for (;;) {
175 n = desc_len;
176 if (n <= 0)
177 break;
178 if (n > 4)
179 n = 4;
180 piece = 0;
181 memcpy(&piece, description, n);
182 description += n;
183 desc_len -= n;
184 acc = mult_64x32_and_fold(acc, piece);
185 acc = mult_64x32_and_fold(acc, 9207);
186 }
187
188 /* Fold the hash down to 32 bits if need be. */
189 hash = acc;
190 if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32)
191 hash ^= acc >> 32;
192
193 /* Squidge all the keyrings into a separate part of the tree to
194 * ordinary keys by making sure the lowest level segment in the hash is
195 * zero for keyrings and non-zero otherwise.
196 */
197 if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0)
198 return hash | (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1;
199 if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0)
200 return (hash + (hash << level_shift)) & ~fan_mask;
201 return hash;
202}
203
204/*
205 * Build the next index key chunk.
206 *
207 * On 32-bit systems the index key is laid out as:
208 *
209 * 0 4 5 9...
210 * hash desclen typeptr desc[]
211 *
212 * On 64-bit systems:
213 *
214 * 0 8 9 17...
215 * hash desclen typeptr desc[]
216 *
217 * We return it one word-sized chunk at a time.
140 */ 218 */
141static int keyring_match(const struct key *keyring, const void *description) 219static unsigned long keyring_get_key_chunk(const void *data, int level)
220{
221 const struct keyring_index_key *index_key = data;
222 unsigned long chunk = 0;
223 long offset = 0;
224 int desc_len = index_key->desc_len, n = sizeof(chunk);
225
226 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE;
227 switch (level) {
228 case 0:
229 return hash_key_type_and_desc(index_key);
230 case 1:
231 return ((unsigned long)index_key->type << 8) | desc_len;
232 case 2:
233 if (desc_len == 0)
234 return (u8)((unsigned long)index_key->type >>
235 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8));
236 n--;
237 offset = 1;
238 default:
239 offset += sizeof(chunk) - 1;
240 offset += (level - 3) * sizeof(chunk);
241 if (offset >= desc_len)
242 return 0;
243 desc_len -= offset;
244 if (desc_len > n)
245 desc_len = n;
246 offset += desc_len;
247 do {
248 chunk <<= 8;
249 chunk |= ((u8*)index_key->description)[--offset];
250 } while (--desc_len > 0);
251
252 if (level == 2) {
253 chunk <<= 8;
254 chunk |= (u8)((unsigned long)index_key->type >>
255 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8));
256 }
257 return chunk;
258 }
259}
260
261static unsigned long keyring_get_object_key_chunk(const void *object, int level)
262{
263 const struct key *key = keyring_ptr_to_key(object);
264 return keyring_get_key_chunk(&key->index_key, level);
265}
266
267static bool keyring_compare_object(const void *object, const void *data)
142{ 268{
143 return keyring->description && 269 const struct keyring_index_key *index_key = data;
144 strcmp(keyring->description, description) == 0; 270 const struct key *key = keyring_ptr_to_key(object);
271
272 return key->index_key.type == index_key->type &&
273 key->index_key.desc_len == index_key->desc_len &&
274 memcmp(key->index_key.description, index_key->description,
275 index_key->desc_len) == 0;
145} 276}
146 277
147/* 278/*
279 * Compare the index keys of a pair of objects and determine the bit position
280 * at which they differ - if they differ.
281 */
282static int keyring_diff_objects(const void *object, const void *data)
283{
284 const struct key *key_a = keyring_ptr_to_key(object);
285 const struct keyring_index_key *a = &key_a->index_key;
286 const struct keyring_index_key *b = data;
287 unsigned long seg_a, seg_b;
288 int level, i;
289
290 level = 0;
291 seg_a = hash_key_type_and_desc(a);
292 seg_b = hash_key_type_and_desc(b);
293 if ((seg_a ^ seg_b) != 0)
294 goto differ;
295
296 /* The number of bits contributed by the hash is controlled by a
297 * constant in the assoc_array headers. Everything else thereafter we
298 * can deal with as being machine word-size dependent.
299 */
300 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8;
301 seg_a = a->desc_len;
302 seg_b = b->desc_len;
303 if ((seg_a ^ seg_b) != 0)
304 goto differ;
305
306 /* The next bit may not work on big endian */
307 level++;
308 seg_a = (unsigned long)a->type;
309 seg_b = (unsigned long)b->type;
310 if ((seg_a ^ seg_b) != 0)
311 goto differ;
312
313 level += sizeof(unsigned long);
314 if (a->desc_len == 0)
315 goto same;
316
317 i = 0;
318 if (((unsigned long)a->description | (unsigned long)b->description) &
319 (sizeof(unsigned long) - 1)) {
320 do {
321 seg_a = *(unsigned long *)(a->description + i);
322 seg_b = *(unsigned long *)(b->description + i);
323 if ((seg_a ^ seg_b) != 0)
324 goto differ_plus_i;
325 i += sizeof(unsigned long);
326 } while (i < (a->desc_len & (sizeof(unsigned long) - 1)));
327 }
328
329 for (; i < a->desc_len; i++) {
330 seg_a = *(unsigned char *)(a->description + i);
331 seg_b = *(unsigned char *)(b->description + i);
332 if ((seg_a ^ seg_b) != 0)
333 goto differ_plus_i;
334 }
335
336same:
337 return -1;
338
339differ_plus_i:
340 level += i;
341differ:
342 i = level * 8 + __ffs(seg_a ^ seg_b);
343 return i;
344}
345
346/*
347 * Free an object after stripping the keyring flag off of the pointer.
348 */
349static void keyring_free_object(void *object)
350{
351 key_put(keyring_ptr_to_key(object));
352}
353
354/*
355 * Operations for keyring management by the index-tree routines.
356 */
357static const struct assoc_array_ops keyring_assoc_array_ops = {
358 .get_key_chunk = keyring_get_key_chunk,
359 .get_object_key_chunk = keyring_get_object_key_chunk,
360 .compare_object = keyring_compare_object,
361 .diff_objects = keyring_diff_objects,
362 .free_object = keyring_free_object,
363};
364
365/*
148 * Clean up a keyring when it is destroyed. Unpublish its name if it had one 366 * Clean up a keyring when it is destroyed. Unpublish its name if it had one
149 * and dispose of its data. 367 * and dispose of its data.
150 * 368 *
@@ -155,9 +373,6 @@ static int keyring_match(const struct key *keyring, const void *description)
155 */ 373 */
156static void keyring_destroy(struct key *keyring) 374static void keyring_destroy(struct key *keyring)
157{ 375{
158 struct keyring_list *klist;
159 int loop;
160
161 if (keyring->description) { 376 if (keyring->description) {
162 write_lock(&keyring_name_lock); 377 write_lock(&keyring_name_lock);
163 378
@@ -168,12 +383,7 @@ static void keyring_destroy(struct key *keyring)
168 write_unlock(&keyring_name_lock); 383 write_unlock(&keyring_name_lock);
169 } 384 }
170 385
171 klist = rcu_access_pointer(keyring->payload.subscriptions); 386 assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops);
172 if (klist) {
173 for (loop = klist->nkeys - 1; loop >= 0; loop--)
174 key_put(rcu_access_pointer(klist->keys[loop]));
175 kfree(klist);
176 }
177} 387}
178 388
179/* 389/*
@@ -181,76 +391,88 @@ static void keyring_destroy(struct key *keyring)
181 */ 391 */
182static void keyring_describe(const struct key *keyring, struct seq_file *m) 392static void keyring_describe(const struct key *keyring, struct seq_file *m)
183{ 393{
184 struct keyring_list *klist;
185
186 if (keyring->description) 394 if (keyring->description)
187 seq_puts(m, keyring->description); 395 seq_puts(m, keyring->description);
188 else 396 else
189 seq_puts(m, "[anon]"); 397 seq_puts(m, "[anon]");
190 398
191 if (key_is_instantiated(keyring)) { 399 if (key_is_instantiated(keyring)) {
192 rcu_read_lock(); 400 if (keyring->keys.nr_leaves_on_tree != 0)
193 klist = rcu_dereference(keyring->payload.subscriptions); 401 seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree);
194 if (klist)
195 seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys);
196 else 402 else
197 seq_puts(m, ": empty"); 403 seq_puts(m, ": empty");
198 rcu_read_unlock();
199 } 404 }
200} 405}
201 406
407struct keyring_read_iterator_context {
408 size_t qty;
409 size_t count;
410 key_serial_t __user *buffer;
411};
412
413static int keyring_read_iterator(const void *object, void *data)
414{
415 struct keyring_read_iterator_context *ctx = data;
416 const struct key *key = keyring_ptr_to_key(object);
417 int ret;
418
419 kenter("{%s,%d},,{%zu/%zu}",
420 key->type->name, key->serial, ctx->count, ctx->qty);
421
422 if (ctx->count >= ctx->qty)
423 return 1;
424
425 ret = put_user(key->serial, ctx->buffer);
426 if (ret < 0)
427 return ret;
428 ctx->buffer++;
429 ctx->count += sizeof(key->serial);
430 return 0;
431}
432
202/* 433/*
203 * Read a list of key IDs from the keyring's contents in binary form 434 * Read a list of key IDs from the keyring's contents in binary form
204 * 435 *
205 * The keyring's semaphore is read-locked by the caller. 436 * The keyring's semaphore is read-locked by the caller. This prevents someone
437 * from modifying it under us - which could cause us to read key IDs multiple
438 * times.
206 */ 439 */
207static long keyring_read(const struct key *keyring, 440static long keyring_read(const struct key *keyring,
208 char __user *buffer, size_t buflen) 441 char __user *buffer, size_t buflen)
209{ 442{
210 struct keyring_list *klist; 443 struct keyring_read_iterator_context ctx;
211 struct key *key; 444 unsigned long nr_keys;
212 size_t qty, tmp; 445 int ret;
213 int loop, ret;
214 446
215 ret = 0; 447 kenter("{%d},,%zu", key_serial(keyring), buflen);
216 klist = rcu_dereference_locked_keyring(keyring); 448
217 if (klist) { 449 if (buflen & (sizeof(key_serial_t) - 1))
218 /* calculate how much data we could return */ 450 return -EINVAL;
219 qty = klist->nkeys * sizeof(key_serial_t); 451
220 452 nr_keys = keyring->keys.nr_leaves_on_tree;
221 if (buffer && buflen > 0) { 453 if (nr_keys == 0)
222 if (buflen > qty) 454 return 0;
223 buflen = qty;
224
225 /* copy the IDs of the subscribed keys into the
226 * buffer */
227 ret = -EFAULT;
228
229 for (loop = 0; loop < klist->nkeys; loop++) {
230 key = rcu_deref_link_locked(klist, loop,
231 keyring);
232
233 tmp = sizeof(key_serial_t);
234 if (tmp > buflen)
235 tmp = buflen;
236
237 if (copy_to_user(buffer,
238 &key->serial,
239 tmp) != 0)
240 goto error;
241
242 buflen -= tmp;
243 if (buflen == 0)
244 break;
245 buffer += tmp;
246 }
247 }
248 455
249 ret = qty; 456 /* Calculate how much data we could return */
457 ctx.qty = nr_keys * sizeof(key_serial_t);
458
459 if (!buffer || !buflen)
460 return ctx.qty;
461
462 if (buflen > ctx.qty)
463 ctx.qty = buflen;
464
465 /* Copy the IDs of the subscribed keys into the buffer */
466 ctx.buffer = (key_serial_t __user *)buffer;
467 ctx.count = 0;
468 ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
469 if (ret < 0) {
470 kleave(" = %d [iterate]", ret);
471 return ret;
250 } 472 }
251 473
252error: 474 kleave(" = %zu [ok]", ctx.count);
253 return ret; 475 return ctx.count;
254} 476}
255 477
256/* 478/*
@@ -277,227 +499,361 @@ struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
277} 499}
278EXPORT_SYMBOL(keyring_alloc); 500EXPORT_SYMBOL(keyring_alloc);
279 501
280/** 502/*
281 * keyring_search_aux - Search a keyring tree for a key matching some criteria 503 * Iteration function to consider each key found.
282 * @keyring_ref: A pointer to the keyring with possession indicator.
283 * @cred: The credentials to use for permissions checks.
284 * @type: The type of key to search for.
285 * @description: Parameter for @match.
286 * @match: Function to rule on whether or not a key is the one required.
287 * @no_state_check: Don't check if a matching key is bad
288 *
289 * Search the supplied keyring tree for a key that matches the criteria given.
290 * The root keyring and any linked keyrings must grant Search permission to the
291 * caller to be searchable and keys can only be found if they too grant Search
292 * to the caller. The possession flag on the root keyring pointer controls use
293 * of the possessor bits in permissions checking of the entire tree. In
294 * addition, the LSM gets to forbid keyring searches and key matches.
295 *
296 * The search is performed as a breadth-then-depth search up to the prescribed
297 * limit (KEYRING_SEARCH_MAX_DEPTH).
298 *
299 * Keys are matched to the type provided and are then filtered by the match
300 * function, which is given the description to use in any way it sees fit. The
301 * match function may use any attributes of a key that it wishes to to
302 * determine the match. Normally the match function from the key type would be
303 * used.
304 *
305 * RCU is used to prevent the keyring key lists from disappearing without the
306 * need to take lots of locks.
307 *
308 * Returns a pointer to the found key and increments the key usage count if
309 * successful; -EAGAIN if no matching keys were found, or if expired or revoked
310 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
311 * specified keyring wasn't a keyring.
312 *
313 * In the case of a successful return, the possession attribute from
314 * @keyring_ref is propagated to the returned key reference.
315 */ 504 */
316key_ref_t keyring_search_aux(key_ref_t keyring_ref, 505static int keyring_search_iterator(const void *object, void *iterator_data)
317 const struct cred *cred,
318 struct key_type *type,
319 const void *description,
320 key_match_func_t match,
321 bool no_state_check)
322{ 506{
323 struct { 507 struct keyring_search_context *ctx = iterator_data;
324 /* Need a separate keylist pointer for RCU purposes */ 508 const struct key *key = keyring_ptr_to_key(object);
325 struct key *keyring; 509 unsigned long kflags = key->flags;
326 struct keyring_list *keylist;
327 int kix;
328 } stack[KEYRING_SEARCH_MAX_DEPTH];
329
330 struct keyring_list *keylist;
331 struct timespec now;
332 unsigned long possessed, kflags;
333 struct key *keyring, *key;
334 key_ref_t key_ref;
335 long err;
336 int sp, nkeys, kix;
337 510
338 keyring = key_ref_to_ptr(keyring_ref); 511 kenter("{%d}", key->serial);
339 possessed = is_key_possessed(keyring_ref);
340 key_check(keyring);
341 512
342 /* top keyring must have search permission to begin the search */ 513 /* ignore keys not of this type */
343 err = key_task_permission(keyring_ref, cred, KEY_SEARCH); 514 if (key->type != ctx->index_key.type) {
344 if (err < 0) { 515 kleave(" = 0 [!type]");
345 key_ref = ERR_PTR(err); 516 return 0;
346 goto error;
347 } 517 }
348 518
349 key_ref = ERR_PTR(-ENOTDIR); 519 /* skip invalidated, revoked and expired keys */
350 if (keyring->type != &key_type_keyring) 520 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
351 goto error; 521 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
522 (1 << KEY_FLAG_REVOKED))) {
523 ctx->result = ERR_PTR(-EKEYREVOKED);
524 kleave(" = %d [invrev]", ctx->skipped_ret);
525 goto skipped;
526 }
352 527
353 rcu_read_lock(); 528 if (key->expiry && ctx->now.tv_sec >= key->expiry) {
529 ctx->result = ERR_PTR(-EKEYEXPIRED);
530 kleave(" = %d [expire]", ctx->skipped_ret);
531 goto skipped;
532 }
533 }
354 534
355 now = current_kernel_time(); 535 /* keys that don't match */
356 err = -EAGAIN; 536 if (!ctx->match(key, ctx->match_data)) {
357 sp = 0; 537 kleave(" = 0 [!match]");
358 538 return 0;
359 /* firstly we should check to see if this top-level keyring is what we 539 }
360 * are looking for */
361 key_ref = ERR_PTR(-EAGAIN);
362 kflags = keyring->flags;
363 if (keyring->type == type && match(keyring, description)) {
364 key = keyring;
365 if (no_state_check)
366 goto found;
367 540
368 /* check it isn't negative and hasn't expired or been 541 /* key must have search permissions */
369 * revoked */ 542 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
370 if (kflags & (1 << KEY_FLAG_REVOKED)) 543 key_task_permission(make_key_ref(key, ctx->possessed),
371 goto error_2; 544 ctx->cred, KEY_SEARCH) < 0) {
372 if (key->expiry && now.tv_sec >= key->expiry) 545 ctx->result = ERR_PTR(-EACCES);
373 goto error_2; 546 kleave(" = %d [!perm]", ctx->skipped_ret);
374 key_ref = ERR_PTR(key->type_data.reject_error); 547 goto skipped;
375 if (kflags & (1 << KEY_FLAG_NEGATIVE))
376 goto error_2;
377 goto found;
378 } 548 }
379 549
380 /* otherwise, the top keyring must not be revoked, expired, or 550 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
381 * negatively instantiated if we are to search it */ 551 /* we set a different error code if we pass a negative key */
382 key_ref = ERR_PTR(-EAGAIN); 552 if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
383 if (kflags & ((1 << KEY_FLAG_INVALIDATED) | 553 smp_rmb();
384 (1 << KEY_FLAG_REVOKED) | 554 ctx->result = ERR_PTR(key->type_data.reject_error);
385 (1 << KEY_FLAG_NEGATIVE)) || 555 kleave(" = %d [neg]", ctx->skipped_ret);
386 (keyring->expiry && now.tv_sec >= keyring->expiry)) 556 goto skipped;
387 goto error_2; 557 }
388 558 }
389 /* start processing a new keyring */
390descend:
391 kflags = keyring->flags;
392 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
393 (1 << KEY_FLAG_REVOKED)))
394 goto not_this_keyring;
395 559
396 keylist = rcu_dereference(keyring->payload.subscriptions); 560 /* Found */
397 if (!keylist) 561 ctx->result = make_key_ref(key, ctx->possessed);
398 goto not_this_keyring; 562 kleave(" = 1 [found]");
563 return 1;
399 564
400 /* iterate through the keys in this keyring first */ 565skipped:
401 nkeys = keylist->nkeys; 566 return ctx->skipped_ret;
402 smp_rmb(); 567}
403 for (kix = 0; kix < nkeys; kix++) {
404 key = rcu_dereference(keylist->keys[kix]);
405 kflags = key->flags;
406 568
407 /* ignore keys not of this type */ 569/*
408 if (key->type != type) 570 * Search inside a keyring for a key. We can search by walking to it
409 continue; 571 * directly based on its index-key or we can iterate over the entire
572 * tree looking for it, based on the match function.
573 */
574static int search_keyring(struct key *keyring, struct keyring_search_context *ctx)
575{
576 if ((ctx->flags & KEYRING_SEARCH_LOOKUP_TYPE) ==
577 KEYRING_SEARCH_LOOKUP_DIRECT) {
578 const void *object;
579
580 object = assoc_array_find(&keyring->keys,
581 &keyring_assoc_array_ops,
582 &ctx->index_key);
583 return object ? ctx->iterator(object, ctx) : 0;
584 }
585 return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx);
586}
410 587
411 /* skip invalidated, revoked and expired keys */ 588/*
412 if (!no_state_check) { 589 * Search a tree of keyrings that point to other keyrings up to the maximum
413 if (kflags & ((1 << KEY_FLAG_INVALIDATED) | 590 * depth.
414 (1 << KEY_FLAG_REVOKED))) 591 */
415 continue; 592static bool search_nested_keyrings(struct key *keyring,
593 struct keyring_search_context *ctx)
594{
595 struct {
596 struct key *keyring;
597 struct assoc_array_node *node;
598 int slot;
599 } stack[KEYRING_SEARCH_MAX_DEPTH];
416 600
417 if (key->expiry && now.tv_sec >= key->expiry) 601 struct assoc_array_shortcut *shortcut;
418 continue; 602 struct assoc_array_node *node;
419 } 603 struct assoc_array_ptr *ptr;
604 struct key *key;
605 int sp = 0, slot;
420 606
421 /* keys that don't match */ 607 kenter("{%d},{%s,%s}",
422 if (!match(key, description)) 608 keyring->serial,
423 continue; 609 ctx->index_key.type->name,
610 ctx->index_key.description);
424 611
425 /* key must have search permissions */ 612 if (ctx->index_key.description)
426 if (key_task_permission(make_key_ref(key, possessed), 613 ctx->index_key.desc_len = strlen(ctx->index_key.description);
427 cred, KEY_SEARCH) < 0)
428 continue;
429 614
430 if (no_state_check) 615 /* Check to see if this top-level keyring is what we are looking for
616 * and whether it is valid or not.
617 */
618 if (ctx->flags & KEYRING_SEARCH_LOOKUP_ITERATE ||
619 keyring_compare_object(keyring, &ctx->index_key)) {
620 ctx->skipped_ret = 2;
621 ctx->flags |= KEYRING_SEARCH_DO_STATE_CHECK;
622 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) {
623 case 1:
431 goto found; 624 goto found;
432 625 case 2:
433 /* we set a different error code if we pass a negative key */ 626 return false;
434 if (kflags & (1 << KEY_FLAG_NEGATIVE)) { 627 default:
435 err = key->type_data.reject_error; 628 break;
436 continue;
437 } 629 }
630 }
631
632 ctx->skipped_ret = 0;
633 if (ctx->flags & KEYRING_SEARCH_NO_STATE_CHECK)
634 ctx->flags &= ~KEYRING_SEARCH_DO_STATE_CHECK;
438 635
636 /* Start processing a new keyring */
637descend_to_keyring:
638 kdebug("descend to %d", keyring->serial);
639 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
640 (1 << KEY_FLAG_REVOKED)))
641 goto not_this_keyring;
642
643 /* Search through the keys in this keyring before its searching its
644 * subtrees.
645 */
646 if (search_keyring(keyring, ctx))
439 goto found; 647 goto found;
440 }
441 648
442 /* search through the keyrings nested in this one */ 649 /* Then manually iterate through the keyrings nested in this one.
443 kix = 0; 650 *
444ascend: 651 * Start from the root node of the index tree. Because of the way the
445 nkeys = keylist->nkeys; 652 * hash function has been set up, keyrings cluster on the leftmost
446 smp_rmb(); 653 * branch of the root node (root slot 0) or in the root node itself.
447 for (; kix < nkeys; kix++) { 654 * Non-keyrings avoid the leftmost branch of the root entirely (root
448 key = rcu_dereference(keylist->keys[kix]); 655 * slots 1-15).
449 if (key->type != &key_type_keyring) 656 */
450 continue; 657 ptr = ACCESS_ONCE(keyring->keys.root);
658 if (!ptr)
659 goto not_this_keyring;
451 660
452 /* recursively search nested keyrings 661 if (assoc_array_ptr_is_shortcut(ptr)) {
453 * - only search keyrings for which we have search permission 662 /* If the root is a shortcut, either the keyring only contains
663 * keyring pointers (everything clusters behind root slot 0) or
664 * doesn't contain any keyring pointers.
454 */ 665 */
455 if (sp >= KEYRING_SEARCH_MAX_DEPTH) 666 shortcut = assoc_array_ptr_to_shortcut(ptr);
667 smp_read_barrier_depends();
668 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0)
669 goto not_this_keyring;
670
671 ptr = ACCESS_ONCE(shortcut->next_node);
672 node = assoc_array_ptr_to_node(ptr);
673 goto begin_node;
674 }
675
676 node = assoc_array_ptr_to_node(ptr);
677 smp_read_barrier_depends();
678
679 ptr = node->slots[0];
680 if (!assoc_array_ptr_is_meta(ptr))
681 goto begin_node;
682
683descend_to_node:
684 /* Descend to a more distal node in this keyring's content tree and go
685 * through that.
686 */
687 kdebug("descend");
688 if (assoc_array_ptr_is_shortcut(ptr)) {
689 shortcut = assoc_array_ptr_to_shortcut(ptr);
690 smp_read_barrier_depends();
691 ptr = ACCESS_ONCE(shortcut->next_node);
692 BUG_ON(!assoc_array_ptr_is_node(ptr));
693 }
694 node = assoc_array_ptr_to_node(ptr);
695
696begin_node:
697 kdebug("begin_node");
698 smp_read_barrier_depends();
699 slot = 0;
700ascend_to_node:
701 /* Go through the slots in a node */
702 for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) {
703 ptr = ACCESS_ONCE(node->slots[slot]);
704
705 if (assoc_array_ptr_is_meta(ptr) && node->back_pointer)
706 goto descend_to_node;
707
708 if (!keyring_ptr_is_keyring(ptr))
456 continue; 709 continue;
457 710
458 if (key_task_permission(make_key_ref(key, possessed), 711 key = keyring_ptr_to_key(ptr);
459 cred, KEY_SEARCH) < 0) 712
713 if (sp >= KEYRING_SEARCH_MAX_DEPTH) {
714 if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) {
715 ctx->result = ERR_PTR(-ELOOP);
716 return false;
717 }
718 goto not_this_keyring;
719 }
720
721 /* Search a nested keyring */
722 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
723 key_task_permission(make_key_ref(key, ctx->possessed),
724 ctx->cred, KEY_SEARCH) < 0)
460 continue; 725 continue;
461 726
462 /* stack the current position */ 727 /* stack the current position */
463 stack[sp].keyring = keyring; 728 stack[sp].keyring = keyring;
464 stack[sp].keylist = keylist; 729 stack[sp].node = node;
465 stack[sp].kix = kix; 730 stack[sp].slot = slot;
466 sp++; 731 sp++;
467 732
468 /* begin again with the new keyring */ 733 /* begin again with the new keyring */
469 keyring = key; 734 keyring = key;
470 goto descend; 735 goto descend_to_keyring;
471 } 736 }
472 737
473 /* the keyring we're looking at was disqualified or didn't contain a 738 /* We've dealt with all the slots in the current node, so now we need
474 * matching key */ 739 * to ascend to the parent and continue processing there.
740 */
741 ptr = ACCESS_ONCE(node->back_pointer);
742 slot = node->parent_slot;
743
744 if (ptr && assoc_array_ptr_is_shortcut(ptr)) {
745 shortcut = assoc_array_ptr_to_shortcut(ptr);
746 smp_read_barrier_depends();
747 ptr = ACCESS_ONCE(shortcut->back_pointer);
748 slot = shortcut->parent_slot;
749 }
750 if (!ptr)
751 goto not_this_keyring;
752 node = assoc_array_ptr_to_node(ptr);
753 smp_read_barrier_depends();
754 slot++;
755
756 /* If we've ascended to the root (zero backpointer), we must have just
757 * finished processing the leftmost branch rather than the root slots -
758 * so there can't be any more keyrings for us to find.
759 */
760 if (node->back_pointer) {
761 kdebug("ascend %d", slot);
762 goto ascend_to_node;
763 }
764
765 /* The keyring we're looking at was disqualified or didn't contain a
766 * matching key.
767 */
475not_this_keyring: 768not_this_keyring:
476 if (sp > 0) { 769 kdebug("not_this_keyring %d", sp);
477 /* resume the processing of a keyring higher up in the tree */ 770 if (sp <= 0) {
478 sp--; 771 kleave(" = false");
479 keyring = stack[sp].keyring; 772 return false;
480 keylist = stack[sp].keylist;
481 kix = stack[sp].kix + 1;
482 goto ascend;
483 } 773 }
484 774
485 key_ref = ERR_PTR(err); 775 /* Resume the processing of a keyring higher up in the tree */
486 goto error_2; 776 sp--;
777 keyring = stack[sp].keyring;
778 node = stack[sp].node;
779 slot = stack[sp].slot + 1;
780 kdebug("ascend to %d [%d]", keyring->serial, slot);
781 goto ascend_to_node;
487 782
488 /* we found a viable match */ 783 /* We found a viable match */
489found: 784found:
490 atomic_inc(&key->usage); 785 key = key_ref_to_ptr(ctx->result);
491 key->last_used_at = now.tv_sec;
492 keyring->last_used_at = now.tv_sec;
493 while (sp > 0)
494 stack[--sp].keyring->last_used_at = now.tv_sec;
495 key_check(key); 786 key_check(key);
496 key_ref = make_key_ref(key, possessed); 787 if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) {
497error_2: 788 key->last_used_at = ctx->now.tv_sec;
789 keyring->last_used_at = ctx->now.tv_sec;
790 while (sp > 0)
791 stack[--sp].keyring->last_used_at = ctx->now.tv_sec;
792 }
793 kleave(" = true");
794 return true;
795}
796
797/**
798 * keyring_search_aux - Search a keyring tree for a key matching some criteria
799 * @keyring_ref: A pointer to the keyring with possession indicator.
800 * @ctx: The keyring search context.
801 *
802 * Search the supplied keyring tree for a key that matches the criteria given.
803 * The root keyring and any linked keyrings must grant Search permission to the
804 * caller to be searchable and keys can only be found if they too grant Search
805 * to the caller. The possession flag on the root keyring pointer controls use
806 * of the possessor bits in permissions checking of the entire tree. In
807 * addition, the LSM gets to forbid keyring searches and key matches.
808 *
809 * The search is performed as a breadth-then-depth search up to the prescribed
810 * limit (KEYRING_SEARCH_MAX_DEPTH).
811 *
812 * Keys are matched to the type provided and are then filtered by the match
813 * function, which is given the description to use in any way it sees fit. The
814 * match function may use any attributes of a key that it wishes to to
815 * determine the match. Normally the match function from the key type would be
816 * used.
817 *
818 * RCU can be used to prevent the keyring key lists from disappearing without
819 * the need to take lots of locks.
820 *
821 * Returns a pointer to the found key and increments the key usage count if
822 * successful; -EAGAIN if no matching keys were found, or if expired or revoked
823 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
824 * specified keyring wasn't a keyring.
825 *
826 * In the case of a successful return, the possession attribute from
827 * @keyring_ref is propagated to the returned key reference.
828 */
829key_ref_t keyring_search_aux(key_ref_t keyring_ref,
830 struct keyring_search_context *ctx)
831{
832 struct key *keyring;
833 long err;
834
835 ctx->iterator = keyring_search_iterator;
836 ctx->possessed = is_key_possessed(keyring_ref);
837 ctx->result = ERR_PTR(-EAGAIN);
838
839 keyring = key_ref_to_ptr(keyring_ref);
840 key_check(keyring);
841
842 if (keyring->type != &key_type_keyring)
843 return ERR_PTR(-ENOTDIR);
844
845 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) {
846 err = key_task_permission(keyring_ref, ctx->cred, KEY_SEARCH);
847 if (err < 0)
848 return ERR_PTR(err);
849 }
850
851 rcu_read_lock();
852 ctx->now = current_kernel_time();
853 if (search_nested_keyrings(keyring, ctx))
854 __key_get(key_ref_to_ptr(ctx->result));
498 rcu_read_unlock(); 855 rcu_read_unlock();
499error: 856 return ctx->result;
500 return key_ref;
501} 857}
502 858
503/** 859/**
@@ -507,77 +863,73 @@ error:
507 * @description: The name of the keyring we want to find. 863 * @description: The name of the keyring we want to find.
508 * 864 *
509 * As keyring_search_aux() above, but using the current task's credentials and 865 * As keyring_search_aux() above, but using the current task's credentials and
510 * type's default matching function. 866 * type's default matching function and preferred search method.
511 */ 867 */
512key_ref_t keyring_search(key_ref_t keyring, 868key_ref_t keyring_search(key_ref_t keyring,
513 struct key_type *type, 869 struct key_type *type,
514 const char *description) 870 const char *description)
515{ 871{
516 if (!type->match) 872 struct keyring_search_context ctx = {
873 .index_key.type = type,
874 .index_key.description = description,
875 .cred = current_cred(),
876 .match = type->match,
877 .match_data = description,
878 .flags = (type->def_lookup_type |
879 KEYRING_SEARCH_DO_STATE_CHECK),
880 };
881
882 if (!ctx.match)
517 return ERR_PTR(-ENOKEY); 883 return ERR_PTR(-ENOKEY);
518 884
519 return keyring_search_aux(keyring, current->cred, 885 return keyring_search_aux(keyring, &ctx);
520 type, description, type->match, false);
521} 886}
522EXPORT_SYMBOL(keyring_search); 887EXPORT_SYMBOL(keyring_search);
523 888
524/* 889/*
525 * Search the given keyring only (no recursion). 890 * Search the given keyring for a key that might be updated.
526 * 891 *
527 * The caller must guarantee that the keyring is a keyring and that the 892 * The caller must guarantee that the keyring is a keyring and that the
528 * permission is granted to search the keyring as no check is made here. 893 * permission is granted to modify the keyring as no check is made here. The
529 * 894 * caller must also hold a lock on the keyring semaphore.
530 * RCU is used to make it unnecessary to lock the keyring key list here.
531 * 895 *
532 * Returns a pointer to the found key with usage count incremented if 896 * Returns a pointer to the found key with usage count incremented if
533 * successful and returns -ENOKEY if not found. Revoked keys and keys not 897 * successful and returns NULL if not found. Revoked and invalidated keys are
534 * providing the requested permission are skipped over. 898 * skipped over.
535 * 899 *
536 * If successful, the possession indicator is propagated from the keyring ref 900 * If successful, the possession indicator is propagated from the keyring ref
537 * to the returned key reference. 901 * to the returned key reference.
538 */ 902 */
539key_ref_t __keyring_search_one(key_ref_t keyring_ref, 903key_ref_t find_key_to_update(key_ref_t keyring_ref,
540 const struct key_type *ktype, 904 const struct keyring_index_key *index_key)
541 const char *description,
542 key_perm_t perm)
543{ 905{
544 struct keyring_list *klist;
545 unsigned long possessed;
546 struct key *keyring, *key; 906 struct key *keyring, *key;
547 int nkeys, loop; 907 const void *object;
548 908
549 keyring = key_ref_to_ptr(keyring_ref); 909 keyring = key_ref_to_ptr(keyring_ref);
550 possessed = is_key_possessed(keyring_ref);
551 910
552 rcu_read_lock(); 911 kenter("{%d},{%s,%s}",
912 keyring->serial, index_key->type->name, index_key->description);
553 913
554 klist = rcu_dereference(keyring->payload.subscriptions); 914 object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops,
555 if (klist) { 915 index_key);
556 nkeys = klist->nkeys;
557 smp_rmb();
558 for (loop = 0; loop < nkeys ; loop++) {
559 key = rcu_dereference(klist->keys[loop]);
560 if (key->type == ktype &&
561 (!key->type->match ||
562 key->type->match(key, description)) &&
563 key_permission(make_key_ref(key, possessed),
564 perm) == 0 &&
565 !(key->flags & ((1 << KEY_FLAG_INVALIDATED) |
566 (1 << KEY_FLAG_REVOKED)))
567 )
568 goto found;
569 }
570 }
571 916
572 rcu_read_unlock(); 917 if (object)
573 return ERR_PTR(-ENOKEY); 918 goto found;
919
920 kleave(" = NULL");
921 return NULL;
574 922
575found: 923found:
576 atomic_inc(&key->usage); 924 key = keyring_ptr_to_key(object);
577 keyring->last_used_at = key->last_used_at = 925 if (key->flags & ((1 << KEY_FLAG_INVALIDATED) |
578 current_kernel_time().tv_sec; 926 (1 << KEY_FLAG_REVOKED))) {
579 rcu_read_unlock(); 927 kleave(" = NULL [x]");
580 return make_key_ref(key, possessed); 928 return NULL;
929 }
930 __key_get(key);
931 kleave(" = {%d}", key->serial);
932 return make_key_ref(key, is_key_possessed(keyring_ref));
581} 933}
582 934
583/* 935/*
@@ -640,6 +992,19 @@ out:
640 return keyring; 992 return keyring;
641} 993}
642 994
995static int keyring_detect_cycle_iterator(const void *object,
996 void *iterator_data)
997{
998 struct keyring_search_context *ctx = iterator_data;
999 const struct key *key = keyring_ptr_to_key(object);
1000
1001 kenter("{%d}", key->serial);
1002
1003 BUG_ON(key != ctx->match_data);
1004 ctx->result = ERR_PTR(-EDEADLK);
1005 return 1;
1006}
1007
643/* 1008/*
644 * See if a cycle will will be created by inserting acyclic tree B in acyclic 1009 * See if a cycle will will be created by inserting acyclic tree B in acyclic
645 * tree A at the topmost level (ie: as a direct child of A). 1010 * tree A at the topmost level (ie: as a direct child of A).
@@ -649,116 +1014,39 @@ out:
649 */ 1014 */
650static int keyring_detect_cycle(struct key *A, struct key *B) 1015static int keyring_detect_cycle(struct key *A, struct key *B)
651{ 1016{
652 struct { 1017 struct keyring_search_context ctx = {
653 struct keyring_list *keylist; 1018 .index_key = A->index_key,
654 int kix; 1019 .match_data = A,
655 } stack[KEYRING_SEARCH_MAX_DEPTH]; 1020 .iterator = keyring_detect_cycle_iterator,
656 1021 .flags = (KEYRING_SEARCH_LOOKUP_DIRECT |
657 struct keyring_list *keylist; 1022 KEYRING_SEARCH_NO_STATE_CHECK |
658 struct key *subtree, *key; 1023 KEYRING_SEARCH_NO_UPDATE_TIME |
659 int sp, nkeys, kix, ret; 1024 KEYRING_SEARCH_NO_CHECK_PERM |
1025 KEYRING_SEARCH_DETECT_TOO_DEEP),
1026 };
660 1027
661 rcu_read_lock(); 1028 rcu_read_lock();
662 1029 search_nested_keyrings(B, &ctx);
663 ret = -EDEADLK;
664 if (A == B)
665 goto cycle_detected;
666
667 subtree = B;
668 sp = 0;
669
670 /* start processing a new keyring */
671descend:
672 if (test_bit(KEY_FLAG_REVOKED, &subtree->flags))
673 goto not_this_keyring;
674
675 keylist = rcu_dereference(subtree->payload.subscriptions);
676 if (!keylist)
677 goto not_this_keyring;
678 kix = 0;
679
680ascend:
681 /* iterate through the remaining keys in this keyring */
682 nkeys = keylist->nkeys;
683 smp_rmb();
684 for (; kix < nkeys; kix++) {
685 key = rcu_dereference(keylist->keys[kix]);
686
687 if (key == A)
688 goto cycle_detected;
689
690 /* recursively check nested keyrings */
691 if (key->type == &key_type_keyring) {
692 if (sp >= KEYRING_SEARCH_MAX_DEPTH)
693 goto too_deep;
694
695 /* stack the current position */
696 stack[sp].keylist = keylist;
697 stack[sp].kix = kix;
698 sp++;
699
700 /* begin again with the new keyring */
701 subtree = key;
702 goto descend;
703 }
704 }
705
706 /* the keyring we're looking at was disqualified or didn't contain a
707 * matching key */
708not_this_keyring:
709 if (sp > 0) {
710 /* resume the checking of a keyring higher up in the tree */
711 sp--;
712 keylist = stack[sp].keylist;
713 kix = stack[sp].kix + 1;
714 goto ascend;
715 }
716
717 ret = 0; /* no cycles detected */
718
719error:
720 rcu_read_unlock(); 1030 rcu_read_unlock();
721 return ret; 1031 return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result);
722
723too_deep:
724 ret = -ELOOP;
725 goto error;
726
727cycle_detected:
728 ret = -EDEADLK;
729 goto error;
730}
731
732/*
733 * Dispose of a keyring list after the RCU grace period, freeing the unlinked
734 * key
735 */
736static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
737{
738 struct keyring_list *klist =
739 container_of(rcu, struct keyring_list, rcu);
740
741 if (klist->delkey != USHRT_MAX)
742 key_put(rcu_access_pointer(klist->keys[klist->delkey]));
743 kfree(klist);
744} 1032}
745 1033
746/* 1034/*
747 * Preallocate memory so that a key can be linked into to a keyring. 1035 * Preallocate memory so that a key can be linked into to a keyring.
748 */ 1036 */
749int __key_link_begin(struct key *keyring, const struct key_type *type, 1037int __key_link_begin(struct key *keyring,
750 const char *description, unsigned long *_prealloc) 1038 const struct keyring_index_key *index_key,
1039 struct assoc_array_edit **_edit)
751 __acquires(&keyring->sem) 1040 __acquires(&keyring->sem)
752 __acquires(&keyring_serialise_link_sem) 1041 __acquires(&keyring_serialise_link_sem)
753{ 1042{
754 struct keyring_list *klist, *nklist; 1043 struct assoc_array_edit *edit;
755 unsigned long prealloc; 1044 int ret;
756 unsigned max; 1045
757 time_t lowest_lru; 1046 kenter("%d,%s,%s,",
758 size_t size; 1047 keyring->serial, index_key->type->name, index_key->description);
759 int loop, lru, ret;
760 1048
761 kenter("%d,%s,%s,", key_serial(keyring), type->name, description); 1049 BUG_ON(index_key->desc_len == 0);
762 1050
763 if (keyring->type != &key_type_keyring) 1051 if (keyring->type != &key_type_keyring)
764 return -ENOTDIR; 1052 return -ENOTDIR;
@@ -771,100 +1059,39 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
771 1059
772 /* serialise link/link calls to prevent parallel calls causing a cycle 1060 /* serialise link/link calls to prevent parallel calls causing a cycle
773 * when linking two keyring in opposite orders */ 1061 * when linking two keyring in opposite orders */
774 if (type == &key_type_keyring) 1062 if (index_key->type == &key_type_keyring)
775 down_write(&keyring_serialise_link_sem); 1063 down_write(&keyring_serialise_link_sem);
776 1064
777 klist = rcu_dereference_locked_keyring(keyring); 1065 /* Create an edit script that will insert/replace the key in the
778 1066 * keyring tree.
779 /* see if there's a matching key we can displace */ 1067 */
780 lru = -1; 1068 edit = assoc_array_insert(&keyring->keys,
781 if (klist && klist->nkeys > 0) { 1069 &keyring_assoc_array_ops,
782 lowest_lru = TIME_T_MAX; 1070 index_key,
783 for (loop = klist->nkeys - 1; loop >= 0; loop--) { 1071 NULL);
784 struct key *key = rcu_deref_link_locked(klist, loop, 1072 if (IS_ERR(edit)) {
785 keyring); 1073 ret = PTR_ERR(edit);
786 if (key->type == type &&
787 strcmp(key->description, description) == 0) {
788 /* Found a match - we'll replace the link with
789 * one to the new key. We record the slot
790 * position.
791 */
792 klist->delkey = loop;
793 prealloc = 0;
794 goto done;
795 }
796 if (key->last_used_at < lowest_lru) {
797 lowest_lru = key->last_used_at;
798 lru = loop;
799 }
800 }
801 }
802
803 /* If the keyring is full then do an LRU discard */
804 if (klist &&
805 klist->nkeys == klist->maxkeys &&
806 klist->maxkeys >= MAX_KEYRING_LINKS) {
807 kdebug("LRU discard %d\n", lru);
808 klist->delkey = lru;
809 prealloc = 0;
810 goto done;
811 }
812
813 /* check that we aren't going to overrun the user's quota */
814 ret = key_payload_reserve(keyring,
815 keyring->datalen + KEYQUOTA_LINK_BYTES);
816 if (ret < 0)
817 goto error_sem; 1074 goto error_sem;
1075 }
818 1076
819 if (klist && klist->nkeys < klist->maxkeys) { 1077 /* If we're not replacing a link in-place then we're going to need some
820 /* there's sufficient slack space to append directly */ 1078 * extra quota.
821 klist->delkey = klist->nkeys; 1079 */
822 prealloc = KEY_LINK_FIXQUOTA; 1080 if (!edit->dead_leaf) {
823 } else { 1081 ret = key_payload_reserve(keyring,
824 /* grow the key list */ 1082 keyring->datalen + KEYQUOTA_LINK_BYTES);
825 max = 4; 1083 if (ret < 0)
826 if (klist) { 1084 goto error_cancel;
827 max += klist->maxkeys;
828 if (max > MAX_KEYRING_LINKS)
829 max = MAX_KEYRING_LINKS;
830 BUG_ON(max <= klist->maxkeys);
831 }
832
833 size = sizeof(*klist) + sizeof(struct key *) * max;
834
835 ret = -ENOMEM;
836 nklist = kmalloc(size, GFP_KERNEL);
837 if (!nklist)
838 goto error_quota;
839
840 nklist->maxkeys = max;
841 if (klist) {
842 memcpy(nklist->keys, klist->keys,
843 sizeof(struct key *) * klist->nkeys);
844 nklist->delkey = klist->nkeys;
845 nklist->nkeys = klist->nkeys + 1;
846 klist->delkey = USHRT_MAX;
847 } else {
848 nklist->nkeys = 1;
849 nklist->delkey = 0;
850 }
851
852 /* add the key into the new space */
853 RCU_INIT_POINTER(nklist->keys[nklist->delkey], NULL);
854 prealloc = (unsigned long)nklist | KEY_LINK_FIXQUOTA;
855 } 1085 }
856 1086
857done: 1087 *_edit = edit;
858 *_prealloc = prealloc;
859 kleave(" = 0"); 1088 kleave(" = 0");
860 return 0; 1089 return 0;
861 1090
862error_quota: 1091error_cancel:
863 /* undo the quota changes */ 1092 assoc_array_cancel_edit(edit);
864 key_payload_reserve(keyring,
865 keyring->datalen - KEYQUOTA_LINK_BYTES);
866error_sem: 1093error_sem:
867 if (type == &key_type_keyring) 1094 if (index_key->type == &key_type_keyring)
868 up_write(&keyring_serialise_link_sem); 1095 up_write(&keyring_serialise_link_sem);
869error_krsem: 1096error_krsem:
870 up_write(&keyring->sem); 1097 up_write(&keyring->sem);
@@ -895,60 +1122,12 @@ int __key_link_check_live_key(struct key *keyring, struct key *key)
895 * holds at most one link to any given key of a particular type+description 1122 * holds at most one link to any given key of a particular type+description
896 * combination. 1123 * combination.
897 */ 1124 */
898void __key_link(struct key *keyring, struct key *key, 1125void __key_link(struct key *key, struct assoc_array_edit **_edit)
899 unsigned long *_prealloc)
900{ 1126{
901 struct keyring_list *klist, *nklist; 1127 __key_get(key);
902 struct key *discard; 1128 assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key));
903 1129 assoc_array_apply_edit(*_edit);
904 nklist = (struct keyring_list *)(*_prealloc & ~KEY_LINK_FIXQUOTA); 1130 *_edit = NULL;
905 *_prealloc = 0;
906
907 kenter("%d,%d,%p", keyring->serial, key->serial, nklist);
908
909 klist = rcu_dereference_locked_keyring(keyring);
910
911 atomic_inc(&key->usage);
912 keyring->last_used_at = key->last_used_at =
913 current_kernel_time().tv_sec;
914
915 /* there's a matching key we can displace or an empty slot in a newly
916 * allocated list we can fill */
917 if (nklist) {
918 kdebug("reissue %hu/%hu/%hu",
919 nklist->delkey, nklist->nkeys, nklist->maxkeys);
920
921 RCU_INIT_POINTER(nklist->keys[nklist->delkey], key);
922
923 rcu_assign_pointer(keyring->payload.subscriptions, nklist);
924
925 /* dispose of the old keyring list and, if there was one, the
926 * displaced key */
927 if (klist) {
928 kdebug("dispose %hu/%hu/%hu",
929 klist->delkey, klist->nkeys, klist->maxkeys);
930 call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
931 }
932 } else if (klist->delkey < klist->nkeys) {
933 kdebug("replace %hu/%hu/%hu",
934 klist->delkey, klist->nkeys, klist->maxkeys);
935
936 discard = rcu_dereference_protected(
937 klist->keys[klist->delkey],
938 rwsem_is_locked(&keyring->sem));
939 rcu_assign_pointer(klist->keys[klist->delkey], key);
940 /* The garbage collector will take care of RCU
941 * synchronisation */
942 key_put(discard);
943 } else {
944 /* there's sufficient slack space to append directly */
945 kdebug("append %hu/%hu/%hu",
946 klist->delkey, klist->nkeys, klist->maxkeys);
947
948 RCU_INIT_POINTER(klist->keys[klist->delkey], key);
949 smp_wmb();
950 klist->nkeys++;
951 }
952} 1131}
953 1132
954/* 1133/*
@@ -956,24 +1135,22 @@ void __key_link(struct key *keyring, struct key *key,
956 * 1135 *
957 * Must be called with __key_link_begin() having being called. 1136 * Must be called with __key_link_begin() having being called.
958 */ 1137 */
959void __key_link_end(struct key *keyring, struct key_type *type, 1138void __key_link_end(struct key *keyring,
960 unsigned long prealloc) 1139 const struct keyring_index_key *index_key,
1140 struct assoc_array_edit *edit)
961 __releases(&keyring->sem) 1141 __releases(&keyring->sem)
962 __releases(&keyring_serialise_link_sem) 1142 __releases(&keyring_serialise_link_sem)
963{ 1143{
964 BUG_ON(type == NULL); 1144 BUG_ON(index_key->type == NULL);
965 BUG_ON(type->name == NULL); 1145 kenter("%d,%s,", keyring->serial, index_key->type->name);
966 kenter("%d,%s,%lx", keyring->serial, type->name, prealloc);
967 1146
968 if (type == &key_type_keyring) 1147 if (index_key->type == &key_type_keyring)
969 up_write(&keyring_serialise_link_sem); 1148 up_write(&keyring_serialise_link_sem);
970 1149
971 if (prealloc) { 1150 if (edit && !edit->dead_leaf) {
972 if (prealloc & KEY_LINK_FIXQUOTA) 1151 key_payload_reserve(keyring,
973 key_payload_reserve(keyring, 1152 keyring->datalen - KEYQUOTA_LINK_BYTES);
974 keyring->datalen - 1153 assoc_array_cancel_edit(edit);
975 KEYQUOTA_LINK_BYTES);
976 kfree((struct keyring_list *)(prealloc & ~KEY_LINK_FIXQUOTA));
977 } 1154 }
978 up_write(&keyring->sem); 1155 up_write(&keyring->sem);
979} 1156}
@@ -1000,20 +1177,28 @@ void __key_link_end(struct key *keyring, struct key_type *type,
1000 */ 1177 */
1001int key_link(struct key *keyring, struct key *key) 1178int key_link(struct key *keyring, struct key *key)
1002{ 1179{
1003 unsigned long prealloc; 1180 struct assoc_array_edit *edit;
1004 int ret; 1181 int ret;
1005 1182
1183 kenter("{%d,%d}", keyring->serial, atomic_read(&keyring->usage));
1184
1006 key_check(keyring); 1185 key_check(keyring);
1007 key_check(key); 1186 key_check(key);
1008 1187
1009 ret = __key_link_begin(keyring, key->type, key->description, &prealloc); 1188 if (test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags) &&
1189 !test_bit(KEY_FLAG_TRUSTED, &key->flags))
1190 return -EPERM;
1191
1192 ret = __key_link_begin(keyring, &key->index_key, &edit);
1010 if (ret == 0) { 1193 if (ret == 0) {
1194 kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage));
1011 ret = __key_link_check_live_key(keyring, key); 1195 ret = __key_link_check_live_key(keyring, key);
1012 if (ret == 0) 1196 if (ret == 0)
1013 __key_link(keyring, key, &prealloc); 1197 __key_link(key, &edit);
1014 __key_link_end(keyring, key->type, prealloc); 1198 __key_link_end(keyring, &key->index_key, edit);
1015 } 1199 }
1016 1200
1201 kleave(" = %d {%d,%d}", ret, keyring->serial, atomic_read(&keyring->usage));
1017 return ret; 1202 return ret;
1018} 1203}
1019EXPORT_SYMBOL(key_link); 1204EXPORT_SYMBOL(key_link);
@@ -1037,90 +1222,37 @@ EXPORT_SYMBOL(key_link);
1037 */ 1222 */
1038int key_unlink(struct key *keyring, struct key *key) 1223int key_unlink(struct key *keyring, struct key *key)
1039{ 1224{
1040 struct keyring_list *klist, *nklist; 1225 struct assoc_array_edit *edit;
1041 int loop, ret; 1226 int ret;
1042 1227
1043 key_check(keyring); 1228 key_check(keyring);
1044 key_check(key); 1229 key_check(key);
1045 1230
1046 ret = -ENOTDIR;
1047 if (keyring->type != &key_type_keyring) 1231 if (keyring->type != &key_type_keyring)
1048 goto error; 1232 return -ENOTDIR;
1049 1233
1050 down_write(&keyring->sem); 1234 down_write(&keyring->sem);
1051 1235
1052 klist = rcu_dereference_locked_keyring(keyring); 1236 edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops,
1053 if (klist) { 1237 &key->index_key);
1054 /* search the keyring for the key */ 1238 if (IS_ERR(edit)) {
1055 for (loop = 0; loop < klist->nkeys; loop++) 1239 ret = PTR_ERR(edit);
1056 if (rcu_access_pointer(klist->keys[loop]) == key) 1240 goto error;
1057 goto key_is_present;
1058 } 1241 }
1059
1060 up_write(&keyring->sem);
1061 ret = -ENOENT; 1242 ret = -ENOENT;
1062 goto error; 1243 if (edit == NULL)
1063 1244 goto error;
1064key_is_present:
1065 /* we need to copy the key list for RCU purposes */
1066 nklist = kmalloc(sizeof(*klist) +
1067 sizeof(struct key *) * klist->maxkeys,
1068 GFP_KERNEL);
1069 if (!nklist)
1070 goto nomem;
1071 nklist->maxkeys = klist->maxkeys;
1072 nklist->nkeys = klist->nkeys - 1;
1073
1074 if (loop > 0)
1075 memcpy(&nklist->keys[0],
1076 &klist->keys[0],
1077 loop * sizeof(struct key *));
1078
1079 if (loop < nklist->nkeys)
1080 memcpy(&nklist->keys[loop],
1081 &klist->keys[loop + 1],
1082 (nklist->nkeys - loop) * sizeof(struct key *));
1083
1084 /* adjust the user's quota */
1085 key_payload_reserve(keyring,
1086 keyring->datalen - KEYQUOTA_LINK_BYTES);
1087
1088 rcu_assign_pointer(keyring->payload.subscriptions, nklist);
1089
1090 up_write(&keyring->sem);
1091
1092 /* schedule for later cleanup */
1093 klist->delkey = loop;
1094 call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
1095 1245
1246 assoc_array_apply_edit(edit);
1247 key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES);
1096 ret = 0; 1248 ret = 0;
1097 1249
1098error: 1250error:
1099 return ret;
1100nomem:
1101 ret = -ENOMEM;
1102 up_write(&keyring->sem); 1251 up_write(&keyring->sem);
1103 goto error; 1252 return ret;
1104} 1253}
1105EXPORT_SYMBOL(key_unlink); 1254EXPORT_SYMBOL(key_unlink);
1106 1255
1107/*
1108 * Dispose of a keyring list after the RCU grace period, releasing the keys it
1109 * links to.
1110 */
1111static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
1112{
1113 struct keyring_list *klist;
1114 int loop;
1115
1116 klist = container_of(rcu, struct keyring_list, rcu);
1117
1118 for (loop = klist->nkeys - 1; loop >= 0; loop--)
1119 key_put(rcu_access_pointer(klist->keys[loop]));
1120
1121 kfree(klist);
1122}
1123
1124/** 1256/**
1125 * keyring_clear - Clear a keyring 1257 * keyring_clear - Clear a keyring
1126 * @keyring: The keyring to clear. 1258 * @keyring: The keyring to clear.
@@ -1131,33 +1263,25 @@ static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
1131 */ 1263 */
1132int keyring_clear(struct key *keyring) 1264int keyring_clear(struct key *keyring)
1133{ 1265{
1134 struct keyring_list *klist; 1266 struct assoc_array_edit *edit;
1135 int ret; 1267 int ret;
1136 1268
1137 ret = -ENOTDIR; 1269 if (keyring->type != &key_type_keyring)
1138 if (keyring->type == &key_type_keyring) { 1270 return -ENOTDIR;
1139 /* detach the pointer block with the locks held */
1140 down_write(&keyring->sem);
1141
1142 klist = rcu_dereference_locked_keyring(keyring);
1143 if (klist) {
1144 /* adjust the quota */
1145 key_payload_reserve(keyring,
1146 sizeof(struct keyring_list));
1147
1148 rcu_assign_pointer(keyring->payload.subscriptions,
1149 NULL);
1150 }
1151
1152 up_write(&keyring->sem);
1153 1271
1154 /* free the keys after the locks have been dropped */ 1272 down_write(&keyring->sem);
1155 if (klist)
1156 call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1157 1273
1274 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1275 if (IS_ERR(edit)) {
1276 ret = PTR_ERR(edit);
1277 } else {
1278 if (edit)
1279 assoc_array_apply_edit(edit);
1280 key_payload_reserve(keyring, 0);
1158 ret = 0; 1281 ret = 0;
1159 } 1282 }
1160 1283
1284 up_write(&keyring->sem);
1161 return ret; 1285 return ret;
1162} 1286}
1163EXPORT_SYMBOL(keyring_clear); 1287EXPORT_SYMBOL(keyring_clear);
@@ -1169,111 +1293,68 @@ EXPORT_SYMBOL(keyring_clear);
1169 */ 1293 */
1170static void keyring_revoke(struct key *keyring) 1294static void keyring_revoke(struct key *keyring)
1171{ 1295{
1172 struct keyring_list *klist; 1296 struct assoc_array_edit *edit;
1297
1298 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1299 if (!IS_ERR(edit)) {
1300 if (edit)
1301 assoc_array_apply_edit(edit);
1302 key_payload_reserve(keyring, 0);
1303 }
1304}
1305
1306static bool keyring_gc_select_iterator(void *object, void *iterator_data)
1307{
1308 struct key *key = keyring_ptr_to_key(object);
1309 time_t *limit = iterator_data;
1173 1310
1174 klist = rcu_dereference_locked_keyring(keyring); 1311 if (key_is_dead(key, *limit))
1312 return false;
1313 key_get(key);
1314 return true;
1315}
1175 1316
1176 /* adjust the quota */ 1317static int keyring_gc_check_iterator(const void *object, void *iterator_data)
1177 key_payload_reserve(keyring, 0); 1318{
1319 const struct key *key = keyring_ptr_to_key(object);
1320 time_t *limit = iterator_data;
1178 1321
1179 if (klist) { 1322 key_check(key);
1180 rcu_assign_pointer(keyring->payload.subscriptions, NULL); 1323 return key_is_dead(key, *limit);
1181 call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1182 }
1183} 1324}
1184 1325
1185/* 1326/*
1186 * Collect garbage from the contents of a keyring, replacing the old list with 1327 * Garbage collect pointers from a keyring.
1187 * a new one with the pointers all shuffled down.
1188 * 1328 *
1189 * Dead keys are classed as oned that are flagged as being dead or are revoked, 1329 * Not called with any locks held. The keyring's key struct will not be
1190 * expired or negative keys that were revoked or expired before the specified 1330 * deallocated under us as only our caller may deallocate it.
1191 * limit.
1192 */ 1331 */
1193void keyring_gc(struct key *keyring, time_t limit) 1332void keyring_gc(struct key *keyring, time_t limit)
1194{ 1333{
1195 struct keyring_list *klist, *new; 1334 int result;
1196 struct key *key;
1197 int loop, keep, max;
1198
1199 kenter("{%x,%s}", key_serial(keyring), keyring->description);
1200
1201 down_write(&keyring->sem);
1202
1203 klist = rcu_dereference_locked_keyring(keyring);
1204 if (!klist)
1205 goto no_klist;
1206
1207 /* work out how many subscriptions we're keeping */
1208 keep = 0;
1209 for (loop = klist->nkeys - 1; loop >= 0; loop--)
1210 if (!key_is_dead(rcu_deref_link_locked(klist, loop, keyring),
1211 limit))
1212 keep++;
1213
1214 if (keep == klist->nkeys)
1215 goto just_return;
1216
1217 /* allocate a new keyring payload */
1218 max = roundup(keep, 4);
1219 new = kmalloc(sizeof(struct keyring_list) + max * sizeof(struct key *),
1220 GFP_KERNEL);
1221 if (!new)
1222 goto nomem;
1223 new->maxkeys = max;
1224 new->nkeys = 0;
1225 new->delkey = 0;
1226
1227 /* install the live keys
1228 * - must take care as expired keys may be updated back to life
1229 */
1230 keep = 0;
1231 for (loop = klist->nkeys - 1; loop >= 0; loop--) {
1232 key = rcu_deref_link_locked(klist, loop, keyring);
1233 if (!key_is_dead(key, limit)) {
1234 if (keep >= max)
1235 goto discard_new;
1236 RCU_INIT_POINTER(new->keys[keep++], key_get(key));
1237 }
1238 }
1239 new->nkeys = keep;
1240
1241 /* adjust the quota */
1242 key_payload_reserve(keyring,
1243 sizeof(struct keyring_list) +
1244 KEYQUOTA_LINK_BYTES * keep);
1245 1335
1246 if (keep == 0) { 1336 kenter("%x{%s}", keyring->serial, keyring->description ?: "");
1247 rcu_assign_pointer(keyring->payload.subscriptions, NULL);
1248 kfree(new);
1249 } else {
1250 rcu_assign_pointer(keyring->payload.subscriptions, new);
1251 }
1252 1337
1253 up_write(&keyring->sem); 1338 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
1339 (1 << KEY_FLAG_REVOKED)))
1340 goto dont_gc;
1254 1341
1255 call_rcu(&klist->rcu, keyring_clear_rcu_disposal); 1342 /* scan the keyring looking for dead keys */
1256 kleave(" [yes]"); 1343 rcu_read_lock();
1257 return; 1344 result = assoc_array_iterate(&keyring->keys,
1258 1345 keyring_gc_check_iterator, &limit);
1259discard_new: 1346 rcu_read_unlock();
1260 new->nkeys = keep; 1347 if (result == true)
1261 keyring_clear_rcu_disposal(&new->rcu); 1348 goto do_gc;
1262 up_write(&keyring->sem);
1263 kleave(" [discard]");
1264 return;
1265
1266just_return:
1267 up_write(&keyring->sem);
1268 kleave(" [no dead]");
1269 return;
1270 1349
1271no_klist: 1350dont_gc:
1272 up_write(&keyring->sem); 1351 kleave(" [no gc]");
1273 kleave(" [no_klist]");
1274 return; 1352 return;
1275 1353
1276nomem: 1354do_gc:
1355 down_write(&keyring->sem);
1356 assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops,
1357 keyring_gc_select_iterator, &limit);
1277 up_write(&keyring->sem); 1358 up_write(&keyring->sem);
1278 kleave(" [oom]"); 1359 kleave(" [gc]");
1279} 1360}
diff --git a/security/keys/persistent.c b/security/keys/persistent.c
new file mode 100644
index 000000000000..0ad3ee283781
--- /dev/null
+++ b/security/keys/persistent.c
@@ -0,0 +1,167 @@
1/* General persistent per-UID keyrings register
2 *
3 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#include <linux/user_namespace.h>
13#include "internal.h"
14
15unsigned persistent_keyring_expiry = 3 * 24 * 3600; /* Expire after 3 days of non-use */
16
17/*
18 * Create the persistent keyring register for the current user namespace.
19 *
20 * Called with the namespace's sem locked for writing.
21 */
22static int key_create_persistent_register(struct user_namespace *ns)
23{
24 struct key *reg = keyring_alloc(".persistent_register",
25 KUIDT_INIT(0), KGIDT_INIT(0),
26 current_cred(),
27 ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
28 KEY_USR_VIEW | KEY_USR_READ),
29 KEY_ALLOC_NOT_IN_QUOTA, NULL);
30 if (IS_ERR(reg))
31 return PTR_ERR(reg);
32
33 ns->persistent_keyring_register = reg;
34 return 0;
35}
36
37/*
38 * Create the persistent keyring for the specified user.
39 *
40 * Called with the namespace's sem locked for writing.
41 */
42static key_ref_t key_create_persistent(struct user_namespace *ns, kuid_t uid,
43 struct keyring_index_key *index_key)
44{
45 struct key *persistent;
46 key_ref_t reg_ref, persistent_ref;
47
48 if (!ns->persistent_keyring_register) {
49 long err = key_create_persistent_register(ns);
50 if (err < 0)
51 return ERR_PTR(err);
52 } else {
53 reg_ref = make_key_ref(ns->persistent_keyring_register, true);
54 persistent_ref = find_key_to_update(reg_ref, index_key);
55 if (persistent_ref)
56 return persistent_ref;
57 }
58
59 persistent = keyring_alloc(index_key->description,
60 uid, INVALID_GID, current_cred(),
61 ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
62 KEY_USR_VIEW | KEY_USR_READ),
63 KEY_ALLOC_NOT_IN_QUOTA,
64 ns->persistent_keyring_register);
65 if (IS_ERR(persistent))
66 return ERR_CAST(persistent);
67
68 return make_key_ref(persistent, true);
69}
70
71/*
72 * Get the persistent keyring for a specific UID and link it to the nominated
73 * keyring.
74 */
75static long key_get_persistent(struct user_namespace *ns, kuid_t uid,
76 key_ref_t dest_ref)
77{
78 struct keyring_index_key index_key;
79 struct key *persistent;
80 key_ref_t reg_ref, persistent_ref;
81 char buf[32];
82 long ret;
83
84 /* Look in the register if it exists */
85 index_key.type = &key_type_keyring;
86 index_key.description = buf;
87 index_key.desc_len = sprintf(buf, "_persistent.%u", from_kuid(ns, uid));
88
89 if (ns->persistent_keyring_register) {
90 reg_ref = make_key_ref(ns->persistent_keyring_register, true);
91 down_read(&ns->persistent_keyring_register_sem);
92 persistent_ref = find_key_to_update(reg_ref, &index_key);
93 up_read(&ns->persistent_keyring_register_sem);
94
95 if (persistent_ref)
96 goto found;
97 }
98
99 /* It wasn't in the register, so we'll need to create it. We might
100 * also need to create the register.
101 */
102 down_write(&ns->persistent_keyring_register_sem);
103 persistent_ref = key_create_persistent(ns, uid, &index_key);
104 up_write(&ns->persistent_keyring_register_sem);
105 if (!IS_ERR(persistent_ref))
106 goto found;
107
108 return PTR_ERR(persistent_ref);
109
110found:
111 ret = key_task_permission(persistent_ref, current_cred(), KEY_LINK);
112 if (ret == 0) {
113 persistent = key_ref_to_ptr(persistent_ref);
114 ret = key_link(key_ref_to_ptr(dest_ref), persistent);
115 if (ret == 0) {
116 key_set_timeout(persistent, persistent_keyring_expiry);
117 ret = persistent->serial;
118 }
119 }
120
121 key_ref_put(persistent_ref);
122 return ret;
123}
124
125/*
126 * Get the persistent keyring for a specific UID and link it to the nominated
127 * keyring.
128 */
129long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
130{
131 struct user_namespace *ns = current_user_ns();
132 key_ref_t dest_ref;
133 kuid_t uid;
134 long ret;
135
136 /* -1 indicates the current user */
137 if (_uid == (uid_t)-1) {
138 uid = current_uid();
139 } else {
140 uid = make_kuid(ns, _uid);
141 if (!uid_valid(uid))
142 return -EINVAL;
143
144 /* You can only see your own persistent cache if you're not
145 * sufficiently privileged.
146 */
147 if (!uid_eq(uid, current_uid()) &&
148 !uid_eq(uid, current_euid()) &&
149 !ns_capable(ns, CAP_SETUID))
150 return -EPERM;
151 }
152
153 /* There must be a destination keyring */
154 dest_ref = lookup_user_key(destid, KEY_LOOKUP_CREATE, KEY_WRITE);
155 if (IS_ERR(dest_ref))
156 return PTR_ERR(dest_ref);
157 if (key_ref_to_ptr(dest_ref)->type != &key_type_keyring) {
158 ret = -ENOTDIR;
159 goto out_put_dest;
160 }
161
162 ret = key_get_persistent(ns, uid, dest_ref);
163
164out_put_dest:
165 key_ref_put(dest_ref);
166 return ret;
167}
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 217b6855e815..88e9a466940f 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -182,7 +182,6 @@ static void proc_keys_stop(struct seq_file *p, void *v)
182 182
183static int proc_keys_show(struct seq_file *m, void *v) 183static int proc_keys_show(struct seq_file *m, void *v)
184{ 184{
185 const struct cred *cred = current_cred();
186 struct rb_node *_p = v; 185 struct rb_node *_p = v;
187 struct key *key = rb_entry(_p, struct key, serial_node); 186 struct key *key = rb_entry(_p, struct key, serial_node);
188 struct timespec now; 187 struct timespec now;
@@ -191,15 +190,23 @@ static int proc_keys_show(struct seq_file *m, void *v)
191 char xbuf[12]; 190 char xbuf[12];
192 int rc; 191 int rc;
193 192
193 struct keyring_search_context ctx = {
194 .index_key.type = key->type,
195 .index_key.description = key->description,
196 .cred = current_cred(),
197 .match = lookup_user_key_possessed,
198 .match_data = key,
199 .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
200 KEYRING_SEARCH_LOOKUP_DIRECT),
201 };
202
194 key_ref = make_key_ref(key, 0); 203 key_ref = make_key_ref(key, 0);
195 204
196 /* determine if the key is possessed by this process (a test we can 205 /* determine if the key is possessed by this process (a test we can
197 * skip if the key does not indicate the possessor can view it 206 * skip if the key does not indicate the possessor can view it
198 */ 207 */
199 if (key->perm & KEY_POS_VIEW) { 208 if (key->perm & KEY_POS_VIEW) {
200 skey_ref = search_my_process_keyrings(key->type, key, 209 skey_ref = search_my_process_keyrings(&ctx);
201 lookup_user_key_possessed,
202 true, cred);
203 if (!IS_ERR(skey_ref)) { 210 if (!IS_ERR(skey_ref)) {
204 key_ref_put(skey_ref); 211 key_ref_put(skey_ref);
205 key_ref = make_key_ref(key, 1); 212 key_ref = make_key_ref(key, 1);
@@ -211,7 +218,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
211 * - the caller holds a spinlock, and thus the RCU read lock, making our 218 * - the caller holds a spinlock, and thus the RCU read lock, making our
212 * access to __current_cred() safe 219 * access to __current_cred() safe
213 */ 220 */
214 rc = key_task_permission(key_ref, cred, KEY_VIEW); 221 rc = key_task_permission(key_ref, ctx.cred, KEY_VIEW);
215 if (rc < 0) 222 if (rc < 0)
216 return 0; 223 return 0;
217 224
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 42defae1e161..0cf8a130a267 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -235,7 +235,7 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
235 if (IS_ERR(keyring)) 235 if (IS_ERR(keyring))
236 return PTR_ERR(keyring); 236 return PTR_ERR(keyring);
237 } else { 237 } else {
238 atomic_inc(&keyring->usage); 238 __key_get(keyring);
239 } 239 }
240 240
241 /* install the keyring */ 241 /* install the keyring */
@@ -319,11 +319,7 @@ void key_fsgid_changed(struct task_struct *tsk)
319 * In the case of a successful return, the possession attribute is set on the 319 * In the case of a successful return, the possession attribute is set on the
320 * returned key reference. 320 * returned key reference.
321 */ 321 */
322key_ref_t search_my_process_keyrings(struct key_type *type, 322key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx)
323 const void *description,
324 key_match_func_t match,
325 bool no_state_check,
326 const struct cred *cred)
327{ 323{
328 key_ref_t key_ref, ret, err; 324 key_ref_t key_ref, ret, err;
329 325
@@ -339,10 +335,9 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
339 err = ERR_PTR(-EAGAIN); 335 err = ERR_PTR(-EAGAIN);
340 336
341 /* search the thread keyring first */ 337 /* search the thread keyring first */
342 if (cred->thread_keyring) { 338 if (ctx->cred->thread_keyring) {
343 key_ref = keyring_search_aux( 339 key_ref = keyring_search_aux(
344 make_key_ref(cred->thread_keyring, 1), 340 make_key_ref(ctx->cred->thread_keyring, 1), ctx);
345 cred, type, description, match, no_state_check);
346 if (!IS_ERR(key_ref)) 341 if (!IS_ERR(key_ref))
347 goto found; 342 goto found;
348 343
@@ -358,10 +353,9 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
358 } 353 }
359 354
360 /* search the process keyring second */ 355 /* search the process keyring second */
361 if (cred->process_keyring) { 356 if (ctx->cred->process_keyring) {
362 key_ref = keyring_search_aux( 357 key_ref = keyring_search_aux(
363 make_key_ref(cred->process_keyring, 1), 358 make_key_ref(ctx->cred->process_keyring, 1), ctx);
364 cred, type, description, match, no_state_check);
365 if (!IS_ERR(key_ref)) 359 if (!IS_ERR(key_ref))
366 goto found; 360 goto found;
367 361
@@ -379,11 +373,11 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
379 } 373 }
380 374
381 /* search the session keyring */ 375 /* search the session keyring */
382 if (cred->session_keyring) { 376 if (ctx->cred->session_keyring) {
383 rcu_read_lock(); 377 rcu_read_lock();
384 key_ref = keyring_search_aux( 378 key_ref = keyring_search_aux(
385 make_key_ref(rcu_dereference(cred->session_keyring), 1), 379 make_key_ref(rcu_dereference(ctx->cred->session_keyring), 1),
386 cred, type, description, match, no_state_check); 380 ctx);
387 rcu_read_unlock(); 381 rcu_read_unlock();
388 382
389 if (!IS_ERR(key_ref)) 383 if (!IS_ERR(key_ref))
@@ -402,10 +396,10 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
402 } 396 }
403 } 397 }
404 /* or search the user-session keyring */ 398 /* or search the user-session keyring */
405 else if (cred->user->session_keyring) { 399 else if (ctx->cred->user->session_keyring) {
406 key_ref = keyring_search_aux( 400 key_ref = keyring_search_aux(
407 make_key_ref(cred->user->session_keyring, 1), 401 make_key_ref(ctx->cred->user->session_keyring, 1),
408 cred, type, description, match, no_state_check); 402 ctx);
409 if (!IS_ERR(key_ref)) 403 if (!IS_ERR(key_ref))
410 goto found; 404 goto found;
411 405
@@ -437,18 +431,14 @@ found:
437 * 431 *
438 * Return same as search_my_process_keyrings(). 432 * Return same as search_my_process_keyrings().
439 */ 433 */
440key_ref_t search_process_keyrings(struct key_type *type, 434key_ref_t search_process_keyrings(struct keyring_search_context *ctx)
441 const void *description,
442 key_match_func_t match,
443 const struct cred *cred)
444{ 435{
445 struct request_key_auth *rka; 436 struct request_key_auth *rka;
446 key_ref_t key_ref, ret = ERR_PTR(-EACCES), err; 437 key_ref_t key_ref, ret = ERR_PTR(-EACCES), err;
447 438
448 might_sleep(); 439 might_sleep();
449 440
450 key_ref = search_my_process_keyrings(type, description, match, 441 key_ref = search_my_process_keyrings(ctx);
451 false, cred);
452 if (!IS_ERR(key_ref)) 442 if (!IS_ERR(key_ref))
453 goto found; 443 goto found;
454 err = key_ref; 444 err = key_ref;
@@ -457,18 +447,21 @@ key_ref_t search_process_keyrings(struct key_type *type,
457 * search the keyrings of the process mentioned there 447 * search the keyrings of the process mentioned there
458 * - we don't permit access to request_key auth keys via this method 448 * - we don't permit access to request_key auth keys via this method
459 */ 449 */
460 if (cred->request_key_auth && 450 if (ctx->cred->request_key_auth &&
461 cred == current_cred() && 451 ctx->cred == current_cred() &&
462 type != &key_type_request_key_auth 452 ctx->index_key.type != &key_type_request_key_auth
463 ) { 453 ) {
454 const struct cred *cred = ctx->cred;
455
464 /* defend against the auth key being revoked */ 456 /* defend against the auth key being revoked */
465 down_read(&cred->request_key_auth->sem); 457 down_read(&cred->request_key_auth->sem);
466 458
467 if (key_validate(cred->request_key_auth) == 0) { 459 if (key_validate(ctx->cred->request_key_auth) == 0) {
468 rka = cred->request_key_auth->payload.data; 460 rka = ctx->cred->request_key_auth->payload.data;
469 461
470 key_ref = search_process_keyrings(type, description, 462 ctx->cred = rka->cred;
471 match, rka->cred); 463 key_ref = search_process_keyrings(ctx);
464 ctx->cred = cred;
472 465
473 up_read(&cred->request_key_auth->sem); 466 up_read(&cred->request_key_auth->sem);
474 467
@@ -522,19 +515,23 @@ int lookup_user_key_possessed(const struct key *key, const void *target)
522key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, 515key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
523 key_perm_t perm) 516 key_perm_t perm)
524{ 517{
518 struct keyring_search_context ctx = {
519 .match = lookup_user_key_possessed,
520 .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
521 KEYRING_SEARCH_LOOKUP_DIRECT),
522 };
525 struct request_key_auth *rka; 523 struct request_key_auth *rka;
526 const struct cred *cred;
527 struct key *key; 524 struct key *key;
528 key_ref_t key_ref, skey_ref; 525 key_ref_t key_ref, skey_ref;
529 int ret; 526 int ret;
530 527
531try_again: 528try_again:
532 cred = get_current_cred(); 529 ctx.cred = get_current_cred();
533 key_ref = ERR_PTR(-ENOKEY); 530 key_ref = ERR_PTR(-ENOKEY);
534 531
535 switch (id) { 532 switch (id) {
536 case KEY_SPEC_THREAD_KEYRING: 533 case KEY_SPEC_THREAD_KEYRING:
537 if (!cred->thread_keyring) { 534 if (!ctx.cred->thread_keyring) {
538 if (!(lflags & KEY_LOOKUP_CREATE)) 535 if (!(lflags & KEY_LOOKUP_CREATE))
539 goto error; 536 goto error;
540 537
@@ -546,13 +543,13 @@ try_again:
546 goto reget_creds; 543 goto reget_creds;
547 } 544 }
548 545
549 key = cred->thread_keyring; 546 key = ctx.cred->thread_keyring;
550 atomic_inc(&key->usage); 547 __key_get(key);
551 key_ref = make_key_ref(key, 1); 548 key_ref = make_key_ref(key, 1);
552 break; 549 break;
553 550
554 case KEY_SPEC_PROCESS_KEYRING: 551 case KEY_SPEC_PROCESS_KEYRING:
555 if (!cred->process_keyring) { 552 if (!ctx.cred->process_keyring) {
556 if (!(lflags & KEY_LOOKUP_CREATE)) 553 if (!(lflags & KEY_LOOKUP_CREATE))
557 goto error; 554 goto error;
558 555
@@ -564,13 +561,13 @@ try_again:
564 goto reget_creds; 561 goto reget_creds;
565 } 562 }
566 563
567 key = cred->process_keyring; 564 key = ctx.cred->process_keyring;
568 atomic_inc(&key->usage); 565 __key_get(key);
569 key_ref = make_key_ref(key, 1); 566 key_ref = make_key_ref(key, 1);
570 break; 567 break;
571 568
572 case KEY_SPEC_SESSION_KEYRING: 569 case KEY_SPEC_SESSION_KEYRING:
573 if (!cred->session_keyring) { 570 if (!ctx.cred->session_keyring) {
574 /* always install a session keyring upon access if one 571 /* always install a session keyring upon access if one
575 * doesn't exist yet */ 572 * doesn't exist yet */
576 ret = install_user_keyrings(); 573 ret = install_user_keyrings();
@@ -580,13 +577,13 @@ try_again:
580 ret = join_session_keyring(NULL); 577 ret = join_session_keyring(NULL);
581 else 578 else
582 ret = install_session_keyring( 579 ret = install_session_keyring(
583 cred->user->session_keyring); 580 ctx.cred->user->session_keyring);
584 581
585 if (ret < 0) 582 if (ret < 0)
586 goto error; 583 goto error;
587 goto reget_creds; 584 goto reget_creds;
588 } else if (cred->session_keyring == 585 } else if (ctx.cred->session_keyring ==
589 cred->user->session_keyring && 586 ctx.cred->user->session_keyring &&
590 lflags & KEY_LOOKUP_CREATE) { 587 lflags & KEY_LOOKUP_CREATE) {
591 ret = join_session_keyring(NULL); 588 ret = join_session_keyring(NULL);
592 if (ret < 0) 589 if (ret < 0)
@@ -595,33 +592,33 @@ try_again:
595 } 592 }
596 593
597 rcu_read_lock(); 594 rcu_read_lock();
598 key = rcu_dereference(cred->session_keyring); 595 key = rcu_dereference(ctx.cred->session_keyring);
599 atomic_inc(&key->usage); 596 __key_get(key);
600 rcu_read_unlock(); 597 rcu_read_unlock();
601 key_ref = make_key_ref(key, 1); 598 key_ref = make_key_ref(key, 1);
602 break; 599 break;
603 600
604 case KEY_SPEC_USER_KEYRING: 601 case KEY_SPEC_USER_KEYRING:
605 if (!cred->user->uid_keyring) { 602 if (!ctx.cred->user->uid_keyring) {
606 ret = install_user_keyrings(); 603 ret = install_user_keyrings();
607 if (ret < 0) 604 if (ret < 0)
608 goto error; 605 goto error;
609 } 606 }
610 607
611 key = cred->user->uid_keyring; 608 key = ctx.cred->user->uid_keyring;
612 atomic_inc(&key->usage); 609 __key_get(key);
613 key_ref = make_key_ref(key, 1); 610 key_ref = make_key_ref(key, 1);
614 break; 611 break;
615 612
616 case KEY_SPEC_USER_SESSION_KEYRING: 613 case KEY_SPEC_USER_SESSION_KEYRING:
617 if (!cred->user->session_keyring) { 614 if (!ctx.cred->user->session_keyring) {
618 ret = install_user_keyrings(); 615 ret = install_user_keyrings();
619 if (ret < 0) 616 if (ret < 0)
620 goto error; 617 goto error;
621 } 618 }
622 619
623 key = cred->user->session_keyring; 620 key = ctx.cred->user->session_keyring;
624 atomic_inc(&key->usage); 621 __key_get(key);
625 key_ref = make_key_ref(key, 1); 622 key_ref = make_key_ref(key, 1);
626 break; 623 break;
627 624
@@ -631,29 +628,29 @@ try_again:
631 goto error; 628 goto error;
632 629
633 case KEY_SPEC_REQKEY_AUTH_KEY: 630 case KEY_SPEC_REQKEY_AUTH_KEY:
634 key = cred->request_key_auth; 631 key = ctx.cred->request_key_auth;
635 if (!key) 632 if (!key)
636 goto error; 633 goto error;
637 634
638 atomic_inc(&key->usage); 635 __key_get(key);
639 key_ref = make_key_ref(key, 1); 636 key_ref = make_key_ref(key, 1);
640 break; 637 break;
641 638
642 case KEY_SPEC_REQUESTOR_KEYRING: 639 case KEY_SPEC_REQUESTOR_KEYRING:
643 if (!cred->request_key_auth) 640 if (!ctx.cred->request_key_auth)
644 goto error; 641 goto error;
645 642
646 down_read(&cred->request_key_auth->sem); 643 down_read(&ctx.cred->request_key_auth->sem);
647 if (test_bit(KEY_FLAG_REVOKED, 644 if (test_bit(KEY_FLAG_REVOKED,
648 &cred->request_key_auth->flags)) { 645 &ctx.cred->request_key_auth->flags)) {
649 key_ref = ERR_PTR(-EKEYREVOKED); 646 key_ref = ERR_PTR(-EKEYREVOKED);
650 key = NULL; 647 key = NULL;
651 } else { 648 } else {
652 rka = cred->request_key_auth->payload.data; 649 rka = ctx.cred->request_key_auth->payload.data;
653 key = rka->dest_keyring; 650 key = rka->dest_keyring;
654 atomic_inc(&key->usage); 651 __key_get(key);
655 } 652 }
656 up_read(&cred->request_key_auth->sem); 653 up_read(&ctx.cred->request_key_auth->sem);
657 if (!key) 654 if (!key)
658 goto error; 655 goto error;
659 key_ref = make_key_ref(key, 1); 656 key_ref = make_key_ref(key, 1);
@@ -673,9 +670,13 @@ try_again:
673 key_ref = make_key_ref(key, 0); 670 key_ref = make_key_ref(key, 0);
674 671
675 /* check to see if we possess the key */ 672 /* check to see if we possess the key */
676 skey_ref = search_process_keyrings(key->type, key, 673 ctx.index_key.type = key->type;
677 lookup_user_key_possessed, 674 ctx.index_key.description = key->description;
678 cred); 675 ctx.index_key.desc_len = strlen(key->description);
676 ctx.match_data = key;
677 kdebug("check possessed");
678 skey_ref = search_process_keyrings(&ctx);
679 kdebug("possessed=%p", skey_ref);
679 680
680 if (!IS_ERR(skey_ref)) { 681 if (!IS_ERR(skey_ref)) {
681 key_put(key); 682 key_put(key);
@@ -715,14 +716,14 @@ try_again:
715 goto invalid_key; 716 goto invalid_key;
716 717
717 /* check the permissions */ 718 /* check the permissions */
718 ret = key_task_permission(key_ref, cred, perm); 719 ret = key_task_permission(key_ref, ctx.cred, perm);
719 if (ret < 0) 720 if (ret < 0)
720 goto invalid_key; 721 goto invalid_key;
721 722
722 key->last_used_at = current_kernel_time().tv_sec; 723 key->last_used_at = current_kernel_time().tv_sec;
723 724
724error: 725error:
725 put_cred(cred); 726 put_cred(ctx.cred);
726 return key_ref; 727 return key_ref;
727 728
728invalid_key: 729invalid_key:
@@ -733,7 +734,7 @@ invalid_key:
733 /* if we attempted to install a keyring, then it may have caused new 734 /* if we attempted to install a keyring, then it may have caused new
734 * creds to be installed */ 735 * creds to be installed */
735reget_creds: 736reget_creds:
736 put_cred(cred); 737 put_cred(ctx.cred);
737 goto try_again; 738 goto try_again;
738} 739}
739 740
@@ -856,3 +857,13 @@ void key_change_session_keyring(struct callback_head *twork)
856 857
857 commit_creds(new); 858 commit_creds(new);
858} 859}
860
861/*
862 * Make sure that root's user and user-session keyrings exist.
863 */
864static int __init init_root_keyring(void)
865{
866 return install_user_keyrings();
867}
868
869late_initcall(init_root_keyring);
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index c411f9bb156b..381411941cc1 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -345,33 +345,34 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
345 * May return a key that's already under construction instead if there was a 345 * May return a key that's already under construction instead if there was a
346 * race between two thread calling request_key(). 346 * race between two thread calling request_key().
347 */ 347 */
348static int construct_alloc_key(struct key_type *type, 348static int construct_alloc_key(struct keyring_search_context *ctx,
349 const char *description,
350 struct key *dest_keyring, 349 struct key *dest_keyring,
351 unsigned long flags, 350 unsigned long flags,
352 struct key_user *user, 351 struct key_user *user,
353 struct key **_key) 352 struct key **_key)
354{ 353{
355 const struct cred *cred = current_cred(); 354 struct assoc_array_edit *edit;
356 unsigned long prealloc;
357 struct key *key; 355 struct key *key;
358 key_perm_t perm; 356 key_perm_t perm;
359 key_ref_t key_ref; 357 key_ref_t key_ref;
360 int ret; 358 int ret;
361 359
362 kenter("%s,%s,,,", type->name, description); 360 kenter("%s,%s,,,",
361 ctx->index_key.type->name, ctx->index_key.description);
363 362
364 *_key = NULL; 363 *_key = NULL;
365 mutex_lock(&user->cons_lock); 364 mutex_lock(&user->cons_lock);
366 365
367 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; 366 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
368 perm |= KEY_USR_VIEW; 367 perm |= KEY_USR_VIEW;
369 if (type->read) 368 if (ctx->index_key.type->read)
370 perm |= KEY_POS_READ; 369 perm |= KEY_POS_READ;
371 if (type == &key_type_keyring || type->update) 370 if (ctx->index_key.type == &key_type_keyring ||
371 ctx->index_key.type->update)
372 perm |= KEY_POS_WRITE; 372 perm |= KEY_POS_WRITE;
373 373
374 key = key_alloc(type, description, cred->fsuid, cred->fsgid, cred, 374 key = key_alloc(ctx->index_key.type, ctx->index_key.description,
375 ctx->cred->fsuid, ctx->cred->fsgid, ctx->cred,
375 perm, flags); 376 perm, flags);
376 if (IS_ERR(key)) 377 if (IS_ERR(key))
377 goto alloc_failed; 378 goto alloc_failed;
@@ -379,8 +380,7 @@ static int construct_alloc_key(struct key_type *type,
379 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); 380 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
380 381
381 if (dest_keyring) { 382 if (dest_keyring) {
382 ret = __key_link_begin(dest_keyring, type, description, 383 ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit);
383 &prealloc);
384 if (ret < 0) 384 if (ret < 0)
385 goto link_prealloc_failed; 385 goto link_prealloc_failed;
386 } 386 }
@@ -390,16 +390,16 @@ static int construct_alloc_key(struct key_type *type,
390 * waited for locks */ 390 * waited for locks */
391 mutex_lock(&key_construction_mutex); 391 mutex_lock(&key_construction_mutex);
392 392
393 key_ref = search_process_keyrings(type, description, type->match, cred); 393 key_ref = search_process_keyrings(ctx);
394 if (!IS_ERR(key_ref)) 394 if (!IS_ERR(key_ref))
395 goto key_already_present; 395 goto key_already_present;
396 396
397 if (dest_keyring) 397 if (dest_keyring)
398 __key_link(dest_keyring, key, &prealloc); 398 __key_link(key, &edit);
399 399
400 mutex_unlock(&key_construction_mutex); 400 mutex_unlock(&key_construction_mutex);
401 if (dest_keyring) 401 if (dest_keyring)
402 __key_link_end(dest_keyring, type, prealloc); 402 __key_link_end(dest_keyring, &ctx->index_key, edit);
403 mutex_unlock(&user->cons_lock); 403 mutex_unlock(&user->cons_lock);
404 *_key = key; 404 *_key = key;
405 kleave(" = 0 [%d]", key_serial(key)); 405 kleave(" = 0 [%d]", key_serial(key));
@@ -414,8 +414,8 @@ key_already_present:
414 if (dest_keyring) { 414 if (dest_keyring) {
415 ret = __key_link_check_live_key(dest_keyring, key); 415 ret = __key_link_check_live_key(dest_keyring, key);
416 if (ret == 0) 416 if (ret == 0)
417 __key_link(dest_keyring, key, &prealloc); 417 __key_link(key, &edit);
418 __key_link_end(dest_keyring, type, prealloc); 418 __key_link_end(dest_keyring, &ctx->index_key, edit);
419 if (ret < 0) 419 if (ret < 0)
420 goto link_check_failed; 420 goto link_check_failed;
421 } 421 }
@@ -444,8 +444,7 @@ alloc_failed:
444/* 444/*
445 * Commence key construction. 445 * Commence key construction.
446 */ 446 */
447static struct key *construct_key_and_link(struct key_type *type, 447static struct key *construct_key_and_link(struct keyring_search_context *ctx,
448 const char *description,
449 const char *callout_info, 448 const char *callout_info,
450 size_t callout_len, 449 size_t callout_len,
451 void *aux, 450 void *aux,
@@ -464,8 +463,7 @@ static struct key *construct_key_and_link(struct key_type *type,
464 463
465 construct_get_dest_keyring(&dest_keyring); 464 construct_get_dest_keyring(&dest_keyring);
466 465
467 ret = construct_alloc_key(type, description, dest_keyring, flags, user, 466 ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
468 &key);
469 key_user_put(user); 467 key_user_put(user);
470 468
471 if (ret == 0) { 469 if (ret == 0) {
@@ -529,17 +527,24 @@ struct key *request_key_and_link(struct key_type *type,
529 struct key *dest_keyring, 527 struct key *dest_keyring,
530 unsigned long flags) 528 unsigned long flags)
531{ 529{
532 const struct cred *cred = current_cred(); 530 struct keyring_search_context ctx = {
531 .index_key.type = type,
532 .index_key.description = description,
533 .cred = current_cred(),
534 .match = type->match,
535 .match_data = description,
536 .flags = KEYRING_SEARCH_LOOKUP_DIRECT,
537 };
533 struct key *key; 538 struct key *key;
534 key_ref_t key_ref; 539 key_ref_t key_ref;
535 int ret; 540 int ret;
536 541
537 kenter("%s,%s,%p,%zu,%p,%p,%lx", 542 kenter("%s,%s,%p,%zu,%p,%p,%lx",
538 type->name, description, callout_info, callout_len, aux, 543 ctx.index_key.type->name, ctx.index_key.description,
539 dest_keyring, flags); 544 callout_info, callout_len, aux, dest_keyring, flags);
540 545
541 /* search all the process keyrings for a key */ 546 /* search all the process keyrings for a key */
542 key_ref = search_process_keyrings(type, description, type->match, cred); 547 key_ref = search_process_keyrings(&ctx);
543 548
544 if (!IS_ERR(key_ref)) { 549 if (!IS_ERR(key_ref)) {
545 key = key_ref_to_ptr(key_ref); 550 key = key_ref_to_ptr(key_ref);
@@ -562,9 +567,8 @@ struct key *request_key_and_link(struct key_type *type,
562 if (!callout_info) 567 if (!callout_info)
563 goto error; 568 goto error;
564 569
565 key = construct_key_and_link(type, description, callout_info, 570 key = construct_key_and_link(&ctx, callout_info, callout_len,
566 callout_len, aux, dest_keyring, 571 aux, dest_keyring, flags);
567 flags);
568 } 572 }
569 573
570error: 574error:
@@ -592,8 +596,10 @@ int wait_for_key_construction(struct key *key, bool intr)
592 intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE); 596 intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE);
593 if (ret < 0) 597 if (ret < 0)
594 return ret; 598 return ret;
595 if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) 599 if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
600 smp_rmb();
596 return key->type_data.reject_error; 601 return key->type_data.reject_error;
602 }
597 return key_validate(key); 603 return key_validate(key);
598} 604}
599EXPORT_SYMBOL(wait_for_key_construction); 605EXPORT_SYMBOL(wait_for_key_construction);
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 85730d5a5a59..7495a93b4b90 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -18,6 +18,7 @@
18#include <linux/slab.h> 18#include <linux/slab.h>
19#include <asm/uaccess.h> 19#include <asm/uaccess.h>
20#include "internal.h" 20#include "internal.h"
21#include <keys/user-type.h>
21 22
22static int request_key_auth_instantiate(struct key *, 23static int request_key_auth_instantiate(struct key *,
23 struct key_preparsed_payload *); 24 struct key_preparsed_payload *);
@@ -222,32 +223,26 @@ error_alloc:
222} 223}
223 224
224/* 225/*
225 * See if an authorisation key is associated with a particular key.
226 */
227static int key_get_instantiation_authkey_match(const struct key *key,
228 const void *_id)
229{
230 struct request_key_auth *rka = key->payload.data;
231 key_serial_t id = (key_serial_t)(unsigned long) _id;
232
233 return rka->target_key->serial == id;
234}
235
236/*
237 * Search the current process's keyrings for the authorisation key for 226 * Search the current process's keyrings for the authorisation key for
238 * instantiation of a key. 227 * instantiation of a key.
239 */ 228 */
240struct key *key_get_instantiation_authkey(key_serial_t target_id) 229struct key *key_get_instantiation_authkey(key_serial_t target_id)
241{ 230{
242 const struct cred *cred = current_cred(); 231 char description[16];
232 struct keyring_search_context ctx = {
233 .index_key.type = &key_type_request_key_auth,
234 .index_key.description = description,
235 .cred = current_cred(),
236 .match = user_match,
237 .match_data = description,
238 .flags = KEYRING_SEARCH_LOOKUP_DIRECT,
239 };
243 struct key *authkey; 240 struct key *authkey;
244 key_ref_t authkey_ref; 241 key_ref_t authkey_ref;
245 242
246 authkey_ref = search_process_keyrings( 243 sprintf(description, "%x", target_id);
247 &key_type_request_key_auth, 244
248 (void *) (unsigned long) target_id, 245 authkey_ref = search_process_keyrings(&ctx);
249 key_get_instantiation_authkey_match,
250 cred);
251 246
252 if (IS_ERR(authkey_ref)) { 247 if (IS_ERR(authkey_ref)) {
253 authkey = ERR_CAST(authkey_ref); 248 authkey = ERR_CAST(authkey_ref);
diff --git a/security/keys/sysctl.c b/security/keys/sysctl.c
index ee32d181764a..8c0af08760c8 100644
--- a/security/keys/sysctl.c
+++ b/security/keys/sysctl.c
@@ -61,5 +61,16 @@ ctl_table key_sysctls[] = {
61 .extra1 = (void *) &zero, 61 .extra1 = (void *) &zero,
62 .extra2 = (void *) &max, 62 .extra2 = (void *) &max,
63 }, 63 },
64#ifdef CONFIG_PERSISTENT_KEYRINGS
65 {
66 .procname = "persistent_keyring_expiry",
67 .data = &persistent_keyring_expiry,
68 .maxlen = sizeof(unsigned),
69 .mode = 0644,
70 .proc_handler = proc_dointvec_minmax,
71 .extra1 = (void *) &zero,
72 .extra2 = (void *) &max,
73 },
74#endif
64 { } 75 { }
65}; 76};
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 55dc88939185..faa2caeb593f 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -25,14 +25,15 @@ static int logon_vet_description(const char *desc);
25 * arbitrary blob of data as the payload 25 * arbitrary blob of data as the payload
26 */ 26 */
27struct key_type key_type_user = { 27struct key_type key_type_user = {
28 .name = "user", 28 .name = "user",
29 .instantiate = user_instantiate, 29 .def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
30 .update = user_update, 30 .instantiate = user_instantiate,
31 .match = user_match, 31 .update = user_update,
32 .revoke = user_revoke, 32 .match = user_match,
33 .destroy = user_destroy, 33 .revoke = user_revoke,
34 .describe = user_describe, 34 .destroy = user_destroy,
35 .read = user_read, 35 .describe = user_describe,
36 .read = user_read,
36}; 37};
37 38
38EXPORT_SYMBOL_GPL(key_type_user); 39EXPORT_SYMBOL_GPL(key_type_user);
@@ -45,6 +46,7 @@ EXPORT_SYMBOL_GPL(key_type_user);
45 */ 46 */
46struct key_type key_type_logon = { 47struct key_type key_type_logon = {
47 .name = "logon", 48 .name = "logon",
49 .def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
48 .instantiate = user_instantiate, 50 .instantiate = user_instantiate,
49 .update = user_update, 51 .update = user_update,
50 .match = user_match, 52 .match = user_match,
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index b0f249d1a1ef..9a62045e6282 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -302,18 +302,19 @@ static void dump_common_audit_data(struct audit_buffer *ab,
302 "faddr", "fport"); 302 "faddr", "fport");
303 break; 303 break;
304 } 304 }
305#if IS_ENABLED(CONFIG_IPV6)
305 case AF_INET6: { 306 case AF_INET6: {
306 struct inet_sock *inet = inet_sk(sk); 307 struct inet_sock *inet = inet_sk(sk);
307 struct ipv6_pinfo *inet6 = inet6_sk(sk);
308 308
309 print_ipv6_addr(ab, &inet6->rcv_saddr, 309 print_ipv6_addr(ab, &sk->sk_v6_rcv_saddr,
310 inet->inet_sport, 310 inet->inet_sport,
311 "laddr", "lport"); 311 "laddr", "lport");
312 print_ipv6_addr(ab, &inet6->daddr, 312 print_ipv6_addr(ab, &sk->sk_v6_daddr,
313 inet->inet_dport, 313 inet->inet_dport,
314 "faddr", "fport"); 314 "faddr", "fport");
315 break; 315 break;
316 } 316 }
317#endif
317 case AF_UNIX: 318 case AF_UNIX:
318 u = unix_sk(sk); 319 u = unix_sk(sk);
319 if (u->path.dentry) { 320 if (u->path.dentry) {
diff --git a/security/security.c b/security/security.c
index 4dc31f4f2700..15b6928592ef 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1340,22 +1340,17 @@ int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
1340 return security_ops->xfrm_policy_delete_security(ctx); 1340 return security_ops->xfrm_policy_delete_security(ctx);
1341} 1341}
1342 1342
1343int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 1343int security_xfrm_state_alloc(struct xfrm_state *x,
1344 struct xfrm_user_sec_ctx *sec_ctx)
1344{ 1345{
1345 return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0); 1346 return security_ops->xfrm_state_alloc(x, sec_ctx);
1346} 1347}
1347EXPORT_SYMBOL(security_xfrm_state_alloc); 1348EXPORT_SYMBOL(security_xfrm_state_alloc);
1348 1349
1349int security_xfrm_state_alloc_acquire(struct xfrm_state *x, 1350int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
1350 struct xfrm_sec_ctx *polsec, u32 secid) 1351 struct xfrm_sec_ctx *polsec, u32 secid)
1351{ 1352{
1352 if (!polsec) 1353 return security_ops->xfrm_state_alloc_acquire(x, polsec, secid);
1353 return 0;
1354 /*
1355 * We want the context to be taken from secid which is usually
1356 * from the sock.
1357 */
1358 return security_ops->xfrm_state_alloc_security(x, NULL, secid);
1359} 1354}
1360 1355
1361int security_xfrm_state_delete(struct xfrm_state *x) 1356int security_xfrm_state_delete(struct xfrm_state *x)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5b5231068516..57b0b49f4e6e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -53,6 +53,7 @@
53#include <net/ip.h> /* for local_port_range[] */ 53#include <net/ip.h> /* for local_port_range[] */
54#include <net/sock.h> 54#include <net/sock.h>
55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56#include <net/inet_connection_sock.h>
56#include <net/net_namespace.h> 57#include <net/net_namespace.h>
57#include <net/netlabel.h> 58#include <net/netlabel.h>
58#include <linux/uaccess.h> 59#include <linux/uaccess.h>
@@ -95,8 +96,6 @@
95#include "audit.h" 96#include "audit.h"
96#include "avc_ss.h" 97#include "avc_ss.h"
97 98
98#define NUM_SEL_MNT_OPTS 5
99
100extern struct security_operations *security_ops; 99extern struct security_operations *security_ops;
101 100
102/* SECMARK reference count */ 101/* SECMARK reference count */
@@ -139,12 +138,28 @@ static struct kmem_cache *sel_inode_cache;
139 * This function checks the SECMARK reference counter to see if any SECMARK 138 * This function checks the SECMARK reference counter to see if any SECMARK
140 * targets are currently configured, if the reference counter is greater than 139 * targets are currently configured, if the reference counter is greater than
141 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
142 * enabled, false (0) if SECMARK is disabled. 141 * enabled, false (0) if SECMARK is disabled. If the always_check_network
142 * policy capability is enabled, SECMARK is always considered enabled.
143 * 143 *
144 */ 144 */
145static int selinux_secmark_enabled(void) 145static int selinux_secmark_enabled(void)
146{ 146{
147 return (atomic_read(&selinux_secmark_refcount) > 0); 147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148}
149
150/**
151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152 *
153 * Description:
154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
155 * (1) if any are enabled or false (0) if neither are enabled. If the
156 * always_check_network policy capability is enabled, peer labeling
157 * is always considered enabled.
158 *
159 */
160static int selinux_peerlbl_enabled(void)
161{
162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
148} 163}
149 164
150/* 165/*
@@ -219,6 +234,14 @@ static int inode_alloc_security(struct inode *inode)
219 return 0; 234 return 0;
220} 235}
221 236
237static void inode_free_rcu(struct rcu_head *head)
238{
239 struct inode_security_struct *isec;
240
241 isec = container_of(head, struct inode_security_struct, rcu);
242 kmem_cache_free(sel_inode_cache, isec);
243}
244
222static void inode_free_security(struct inode *inode) 245static void inode_free_security(struct inode *inode)
223{ 246{
224 struct inode_security_struct *isec = inode->i_security; 247 struct inode_security_struct *isec = inode->i_security;
@@ -229,8 +252,16 @@ static void inode_free_security(struct inode *inode)
229 list_del_init(&isec->list); 252 list_del_init(&isec->list);
230 spin_unlock(&sbsec->isec_lock); 253 spin_unlock(&sbsec->isec_lock);
231 254
232 inode->i_security = NULL; 255 /*
233 kmem_cache_free(sel_inode_cache, isec); 256 * The inode may still be referenced in a path walk and
257 * a call to selinux_inode_permission() can be made
258 * after inode_free_security() is called. Ideally, the VFS
259 * wouldn't do this, but fixing that is a much harder
260 * job. For now, simply free the i_security via RCU, and
261 * leave the current inode->i_security pointer intact.
262 * The inode will be freed after the RCU grace period too.
263 */
264 call_rcu(&isec->rcu, inode_free_rcu);
234} 265}
235 266
236static int file_alloc_security(struct file *file) 267static int file_alloc_security(struct file *file)
@@ -309,8 +340,11 @@ enum {
309 Opt_defcontext = 3, 340 Opt_defcontext = 3,
310 Opt_rootcontext = 4, 341 Opt_rootcontext = 4,
311 Opt_labelsupport = 5, 342 Opt_labelsupport = 5,
343 Opt_nextmntopt = 6,
312}; 344};
313 345
346#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
347
314static const match_table_t tokens = { 348static const match_table_t tokens = {
315 {Opt_context, CONTEXT_STR "%s"}, 349 {Opt_context, CONTEXT_STR "%s"},
316 {Opt_fscontext, FSCONTEXT_STR "%s"}, 350 {Opt_fscontext, FSCONTEXT_STR "%s"},
@@ -355,6 +389,29 @@ static int may_context_mount_inode_relabel(u32 sid,
355 return rc; 389 return rc;
356} 390}
357 391
392static int selinux_is_sblabel_mnt(struct super_block *sb)
393{
394 struct superblock_security_struct *sbsec = sb->s_security;
395
396 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
397 sbsec->behavior == SECURITY_FS_USE_TRANS ||
398 sbsec->behavior == SECURITY_FS_USE_TASK)
399 return 1;
400
401 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
402 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
403 return 1;
404
405 /*
406 * Special handling for rootfs. Is genfs but supports
407 * setting SELinux context on in-core inodes.
408 */
409 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
410 return 1;
411
412 return 0;
413}
414
358static int sb_finish_set_opts(struct super_block *sb) 415static int sb_finish_set_opts(struct super_block *sb)
359{ 416{
360 struct superblock_security_struct *sbsec = sb->s_security; 417 struct superblock_security_struct *sbsec = sb->s_security;
@@ -388,8 +445,6 @@ static int sb_finish_set_opts(struct super_block *sb)
388 } 445 }
389 } 446 }
390 447
391 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
392
393 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 448 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
394 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 449 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
395 sb->s_id, sb->s_type->name); 450 sb->s_id, sb->s_type->name);
@@ -398,15 +453,9 @@ static int sb_finish_set_opts(struct super_block *sb)
398 sb->s_id, sb->s_type->name, 453 sb->s_id, sb->s_type->name,
399 labeling_behaviors[sbsec->behavior-1]); 454 labeling_behaviors[sbsec->behavior-1]);
400 455
401 if (sbsec->behavior == SECURITY_FS_USE_GENFS || 456 sbsec->flags |= SE_SBINITIALIZED;
402 sbsec->behavior == SECURITY_FS_USE_MNTPOINT || 457 if (selinux_is_sblabel_mnt(sb))
403 sbsec->behavior == SECURITY_FS_USE_NONE || 458 sbsec->flags |= SBLABEL_MNT;
404 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
405 sbsec->flags &= ~SE_SBLABELSUPP;
406
407 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
408 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
409 sbsec->flags |= SE_SBLABELSUPP;
410 459
411 /* Initialize the root inode. */ 460 /* Initialize the root inode. */
412 rc = inode_doinit_with_dentry(root_inode, root); 461 rc = inode_doinit_with_dentry(root_inode, root);
@@ -460,15 +509,18 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
460 if (!ss_initialized) 509 if (!ss_initialized)
461 return -EINVAL; 510 return -EINVAL;
462 511
512 /* make sure we always check enough bits to cover the mask */
513 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
514
463 tmp = sbsec->flags & SE_MNTMASK; 515 tmp = sbsec->flags & SE_MNTMASK;
464 /* count the number of mount options for this sb */ 516 /* count the number of mount options for this sb */
465 for (i = 0; i < 8; i++) { 517 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
466 if (tmp & 0x01) 518 if (tmp & 0x01)
467 opts->num_mnt_opts++; 519 opts->num_mnt_opts++;
468 tmp >>= 1; 520 tmp >>= 1;
469 } 521 }
470 /* Check if the Label support flag is set */ 522 /* Check if the Label support flag is set */
471 if (sbsec->flags & SE_SBLABELSUPP) 523 if (sbsec->flags & SBLABEL_MNT)
472 opts->num_mnt_opts++; 524 opts->num_mnt_opts++;
473 525
474 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 526 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
@@ -515,9 +567,9 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
515 opts->mnt_opts[i] = context; 567 opts->mnt_opts[i] = context;
516 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 568 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517 } 569 }
518 if (sbsec->flags & SE_SBLABELSUPP) { 570 if (sbsec->flags & SBLABEL_MNT) {
519 opts->mnt_opts[i] = NULL; 571 opts->mnt_opts[i] = NULL;
520 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP; 572 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
521 } 573 }
522 574
523 BUG_ON(i != opts->num_mnt_opts); 575 BUG_ON(i != opts->num_mnt_opts);
@@ -614,7 +666,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
614 for (i = 0; i < num_opts; i++) { 666 for (i = 0; i < num_opts; i++) {
615 u32 sid; 667 u32 sid;
616 668
617 if (flags[i] == SE_SBLABELSUPP) 669 if (flags[i] == SBLABEL_MNT)
618 continue; 670 continue;
619 rc = security_context_to_sid(mount_options[i], 671 rc = security_context_to_sid(mount_options[i],
620 strlen(mount_options[i]), &sid); 672 strlen(mount_options[i]), &sid);
@@ -685,9 +737,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
685 * Determine the labeling behavior to use for this 737 * Determine the labeling behavior to use for this
686 * filesystem type. 738 * filesystem type.
687 */ 739 */
688 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? 740 rc = security_fs_use(sb);
689 "proc" : sb->s_type->name,
690 &sbsec->behavior, &sbsec->sid);
691 if (rc) { 741 if (rc) {
692 printk(KERN_WARNING 742 printk(KERN_WARNING
693 "%s: security_fs_use(%s) returned %d\n", 743 "%s: security_fs_use(%s) returned %d\n",
@@ -1037,7 +1087,7 @@ static void selinux_write_opts(struct seq_file *m,
1037 case DEFCONTEXT_MNT: 1087 case DEFCONTEXT_MNT:
1038 prefix = DEFCONTEXT_STR; 1088 prefix = DEFCONTEXT_STR;
1039 break; 1089 break;
1040 case SE_SBLABELSUPP: 1090 case SBLABEL_MNT:
1041 seq_putc(m, ','); 1091 seq_putc(m, ',');
1042 seq_puts(m, LABELSUPP_STR); 1092 seq_puts(m, LABELSUPP_STR);
1043 continue; 1093 continue;
@@ -1649,7 +1699,7 @@ static int may_create(struct inode *dir,
1649 if (rc) 1699 if (rc)
1650 return rc; 1700 return rc;
1651 1701
1652 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 1702 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1653 rc = security_transition_sid(sid, dsec->sid, tclass, 1703 rc = security_transition_sid(sid, dsec->sid, tclass,
1654 &dentry->d_name, &newsid); 1704 &dentry->d_name, &newsid);
1655 if (rc) 1705 if (rc)
@@ -2437,7 +2487,7 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
2437 u32 sid; 2487 u32 sid;
2438 size_t len; 2488 size_t len;
2439 2489
2440 if (flags[i] == SE_SBLABELSUPP) 2490 if (flags[i] == SBLABEL_MNT)
2441 continue; 2491 continue;
2442 len = strlen(mount_options[i]); 2492 len = strlen(mount_options[i]);
2443 rc = security_context_to_sid(mount_options[i], len, &sid); 2493 rc = security_context_to_sid(mount_options[i], len, &sid);
@@ -2606,7 +2656,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2606 if ((sbsec->flags & SE_SBINITIALIZED) && 2656 if ((sbsec->flags & SE_SBINITIALIZED) &&
2607 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) 2657 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2608 newsid = sbsec->mntpoint_sid; 2658 newsid = sbsec->mntpoint_sid;
2609 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 2659 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2610 rc = security_transition_sid(sid, dsec->sid, 2660 rc = security_transition_sid(sid, dsec->sid,
2611 inode_mode_to_security_class(inode->i_mode), 2661 inode_mode_to_security_class(inode->i_mode),
2612 qstr, &newsid); 2662 qstr, &newsid);
@@ -2628,7 +2678,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2628 isec->initialized = 1; 2678 isec->initialized = 1;
2629 } 2679 }
2630 2680
2631 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) 2681 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2632 return -EOPNOTSUPP; 2682 return -EOPNOTSUPP;
2633 2683
2634 if (name) 2684 if (name)
@@ -2830,7 +2880,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2830 return selinux_inode_setotherxattr(dentry, name); 2880 return selinux_inode_setotherxattr(dentry, name);
2831 2881
2832 sbsec = inode->i_sb->s_security; 2882 sbsec = inode->i_sb->s_security;
2833 if (!(sbsec->flags & SE_SBLABELSUPP)) 2883 if (!(sbsec->flags & SBLABEL_MNT))
2834 return -EOPNOTSUPP; 2884 return -EOPNOTSUPP;
2835 2885
2836 if (!inode_owner_or_capable(inode)) 2886 if (!inode_owner_or_capable(inode))
@@ -3791,8 +3841,12 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3791 u32 nlbl_sid; 3841 u32 nlbl_sid;
3792 u32 nlbl_type; 3842 u32 nlbl_type;
3793 3843
3794 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3844 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3795 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 3845 if (unlikely(err))
3846 return -EACCES;
3847 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3848 if (unlikely(err))
3849 return -EACCES;
3796 3850
3797 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 3851 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3798 if (unlikely(err)) { 3852 if (unlikely(err)) {
@@ -3805,6 +3859,30 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3805 return 0; 3859 return 0;
3806} 3860}
3807 3861
3862/**
3863 * selinux_conn_sid - Determine the child socket label for a connection
3864 * @sk_sid: the parent socket's SID
3865 * @skb_sid: the packet's SID
3866 * @conn_sid: the resulting connection SID
3867 *
3868 * If @skb_sid is valid then the user:role:type information from @sk_sid is
3869 * combined with the MLS information from @skb_sid in order to create
3870 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
3871 * of @sk_sid. Returns zero on success, negative values on failure.
3872 *
3873 */
3874static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3875{
3876 int err = 0;
3877
3878 if (skb_sid != SECSID_NULL)
3879 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3880 else
3881 *conn_sid = sk_sid;
3882
3883 return err;
3884}
3885
3808/* socket security operations */ 3886/* socket security operations */
3809 3887
3810static int socket_sockcreate_sid(const struct task_security_struct *tsec, 3888static int socket_sockcreate_sid(const struct task_security_struct *tsec,
@@ -3928,7 +4006,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3928 if (snum) { 4006 if (snum) {
3929 int low, high; 4007 int low, high;
3930 4008
3931 inet_get_local_port_range(&low, &high); 4009 inet_get_local_port_range(sock_net(sk), &low, &high);
3932 4010
3933 if (snum < max(PROT_SOCK, low) || snum > high) { 4011 if (snum < max(PROT_SOCK, low) || snum > high) {
3934 err = sel_netport_sid(sk->sk_protocol, 4012 err = sel_netport_sid(sk->sk_protocol,
@@ -4246,7 +4324,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4246 return selinux_sock_rcv_skb_compat(sk, skb, family); 4324 return selinux_sock_rcv_skb_compat(sk, skb, family);
4247 4325
4248 secmark_active = selinux_secmark_enabled(); 4326 secmark_active = selinux_secmark_enabled();
4249 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4327 peerlbl_active = selinux_peerlbl_enabled();
4250 if (!secmark_active && !peerlbl_active) 4328 if (!secmark_active && !peerlbl_active)
4251 return 0; 4329 return 0;
4252 4330
@@ -4272,8 +4350,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4272 } 4350 }
4273 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4351 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4274 PEER__RECV, &ad); 4352 PEER__RECV, &ad);
4275 if (err) 4353 if (err) {
4276 selinux_netlbl_err(skb, err, 0); 4354 selinux_netlbl_err(skb, err, 0);
4355 return err;
4356 }
4277 } 4357 }
4278 4358
4279 if (secmark_active) { 4359 if (secmark_active) {
@@ -4411,7 +4491,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4411 struct sk_security_struct *sksec = sk->sk_security; 4491 struct sk_security_struct *sksec = sk->sk_security;
4412 int err; 4492 int err;
4413 u16 family = sk->sk_family; 4493 u16 family = sk->sk_family;
4414 u32 newsid; 4494 u32 connsid;
4415 u32 peersid; 4495 u32 peersid;
4416 4496
4417 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4497 /* handle mapped IPv4 packets arriving via IPv6 sockets */
@@ -4421,16 +4501,11 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4421 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4501 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4422 if (err) 4502 if (err)
4423 return err; 4503 return err;
4424 if (peersid == SECSID_NULL) { 4504 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4425 req->secid = sksec->sid; 4505 if (err)
4426 req->peer_secid = SECSID_NULL; 4506 return err;
4427 } else { 4507 req->secid = connsid;
4428 err = security_sid_mls_copy(sksec->sid, peersid, &newsid); 4508 req->peer_secid = peersid;
4429 if (err)
4430 return err;
4431 req->secid = newsid;
4432 req->peer_secid = peersid;
4433 }
4434 4509
4435 return selinux_netlbl_inet_conn_request(req, family); 4510 return selinux_netlbl_inet_conn_request(req, family);
4436} 4511}
@@ -4628,7 +4703,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4628 4703
4629 secmark_active = selinux_secmark_enabled(); 4704 secmark_active = selinux_secmark_enabled();
4630 netlbl_active = netlbl_enabled(); 4705 netlbl_active = netlbl_enabled();
4631 peerlbl_active = netlbl_active || selinux_xfrm_enabled(); 4706 peerlbl_active = selinux_peerlbl_enabled();
4632 if (!secmark_active && !peerlbl_active) 4707 if (!secmark_active && !peerlbl_active)
4633 return NF_ACCEPT; 4708 return NF_ACCEPT;
4634 4709
@@ -4667,7 +4742,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4667 return NF_ACCEPT; 4742 return NF_ACCEPT;
4668} 4743}
4669 4744
4670static unsigned int selinux_ipv4_forward(unsigned int hooknum, 4745static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4671 struct sk_buff *skb, 4746 struct sk_buff *skb,
4672 const struct net_device *in, 4747 const struct net_device *in,
4673 const struct net_device *out, 4748 const struct net_device *out,
@@ -4677,7 +4752,7 @@ static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4677} 4752}
4678 4753
4679#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4754#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4680static unsigned int selinux_ipv6_forward(unsigned int hooknum, 4755static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4681 struct sk_buff *skb, 4756 struct sk_buff *skb,
4682 const struct net_device *in, 4757 const struct net_device *in,
4683 const struct net_device *out, 4758 const struct net_device *out,
@@ -4690,6 +4765,7 @@ static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4690static unsigned int selinux_ip_output(struct sk_buff *skb, 4765static unsigned int selinux_ip_output(struct sk_buff *skb,
4691 u16 family) 4766 u16 family)
4692{ 4767{
4768 struct sock *sk;
4693 u32 sid; 4769 u32 sid;
4694 4770
4695 if (!netlbl_enabled()) 4771 if (!netlbl_enabled())
@@ -4698,8 +4774,27 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
4698 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 4774 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4699 * because we want to make sure we apply the necessary labeling 4775 * because we want to make sure we apply the necessary labeling
4700 * before IPsec is applied so we can leverage AH protection */ 4776 * before IPsec is applied so we can leverage AH protection */
4701 if (skb->sk) { 4777 sk = skb->sk;
4702 struct sk_security_struct *sksec = skb->sk->sk_security; 4778 if (sk) {
4779 struct sk_security_struct *sksec;
4780
4781 if (sk->sk_state == TCP_LISTEN)
4782 /* if the socket is the listening state then this
4783 * packet is a SYN-ACK packet which means it needs to
4784 * be labeled based on the connection/request_sock and
4785 * not the parent socket. unfortunately, we can't
4786 * lookup the request_sock yet as it isn't queued on
4787 * the parent socket until after the SYN-ACK is sent.
4788 * the "solution" is to simply pass the packet as-is
4789 * as any IP option based labeling should be copied
4790 * from the initial connection request (in the IP
4791 * layer). it is far from ideal, but until we get a
4792 * security label in the packet itself this is the
4793 * best we can do. */
4794 return NF_ACCEPT;
4795
4796 /* standard practice, label using the parent socket */
4797 sksec = sk->sk_security;
4703 sid = sksec->sid; 4798 sid = sksec->sid;
4704 } else 4799 } else
4705 sid = SECINITSID_KERNEL; 4800 sid = SECINITSID_KERNEL;
@@ -4709,7 +4804,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
4709 return NF_ACCEPT; 4804 return NF_ACCEPT;
4710} 4805}
4711 4806
4712static unsigned int selinux_ipv4_output(unsigned int hooknum, 4807static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4713 struct sk_buff *skb, 4808 struct sk_buff *skb,
4714 const struct net_device *in, 4809 const struct net_device *in,
4715 const struct net_device *out, 4810 const struct net_device *out,
@@ -4769,27 +4864,36 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4769 * as fast and as clean as possible. */ 4864 * as fast and as clean as possible. */
4770 if (!selinux_policycap_netpeer) 4865 if (!selinux_policycap_netpeer)
4771 return selinux_ip_postroute_compat(skb, ifindex, family); 4866 return selinux_ip_postroute_compat(skb, ifindex, family);
4867
4868 secmark_active = selinux_secmark_enabled();
4869 peerlbl_active = selinux_peerlbl_enabled();
4870 if (!secmark_active && !peerlbl_active)
4871 return NF_ACCEPT;
4872
4873 sk = skb->sk;
4874
4772#ifdef CONFIG_XFRM 4875#ifdef CONFIG_XFRM
4773 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 4876 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4774 * packet transformation so allow the packet to pass without any checks 4877 * packet transformation so allow the packet to pass without any checks
4775 * since we'll have another chance to perform access control checks 4878 * since we'll have another chance to perform access control checks
4776 * when the packet is on it's final way out. 4879 * when the packet is on it's final way out.
4777 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 4880 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4778 * is NULL, in this case go ahead and apply access control. */ 4881 * is NULL, in this case go ahead and apply access control.
4779 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL) 4882 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4883 * TCP listening state we cannot wait until the XFRM processing
4884 * is done as we will miss out on the SA label if we do;
4885 * unfortunately, this means more work, but it is only once per
4886 * connection. */
4887 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4888 !(sk != NULL && sk->sk_state == TCP_LISTEN))
4780 return NF_ACCEPT; 4889 return NF_ACCEPT;
4781#endif 4890#endif
4782 secmark_active = selinux_secmark_enabled();
4783 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4784 if (!secmark_active && !peerlbl_active)
4785 return NF_ACCEPT;
4786 4891
4787 /* if the packet is being forwarded then get the peer label from the
4788 * packet itself; otherwise check to see if it is from a local
4789 * application or the kernel, if from an application get the peer label
4790 * from the sending socket, otherwise use the kernel's sid */
4791 sk = skb->sk;
4792 if (sk == NULL) { 4892 if (sk == NULL) {
4893 /* Without an associated socket the packet is either coming
4894 * from the kernel or it is being forwarded; check the packet
4895 * to determine which and if the packet is being forwarded
4896 * query the packet directly to determine the security label. */
4793 if (skb->skb_iif) { 4897 if (skb->skb_iif) {
4794 secmark_perm = PACKET__FORWARD_OUT; 4898 secmark_perm = PACKET__FORWARD_OUT;
4795 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 4899 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
@@ -4798,7 +4902,45 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4798 secmark_perm = PACKET__SEND; 4902 secmark_perm = PACKET__SEND;
4799 peer_sid = SECINITSID_KERNEL; 4903 peer_sid = SECINITSID_KERNEL;
4800 } 4904 }
4905 } else if (sk->sk_state == TCP_LISTEN) {
4906 /* Locally generated packet but the associated socket is in the
4907 * listening state which means this is a SYN-ACK packet. In
4908 * this particular case the correct security label is assigned
4909 * to the connection/request_sock but unfortunately we can't
4910 * query the request_sock as it isn't queued on the parent
4911 * socket until after the SYN-ACK packet is sent; the only
4912 * viable choice is to regenerate the label like we do in
4913 * selinux_inet_conn_request(). See also selinux_ip_output()
4914 * for similar problems. */
4915 u32 skb_sid;
4916 struct sk_security_struct *sksec = sk->sk_security;
4917 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4918 return NF_DROP;
4919 /* At this point, if the returned skb peerlbl is SECSID_NULL
4920 * and the packet has been through at least one XFRM
4921 * transformation then we must be dealing with the "final"
4922 * form of labeled IPsec packet; since we've already applied
4923 * all of our access controls on this packet we can safely
4924 * pass the packet. */
4925 if (skb_sid == SECSID_NULL) {
4926 switch (family) {
4927 case PF_INET:
4928 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4929 return NF_ACCEPT;
4930 break;
4931 case PF_INET6:
4932 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4933 return NF_ACCEPT;
4934 default:
4935 return NF_DROP_ERR(-ECONNREFUSED);
4936 }
4937 }
4938 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
4939 return NF_DROP;
4940 secmark_perm = PACKET__SEND;
4801 } else { 4941 } else {
4942 /* Locally generated packet, fetch the security label from the
4943 * associated socket. */
4802 struct sk_security_struct *sksec = sk->sk_security; 4944 struct sk_security_struct *sksec = sk->sk_security;
4803 peer_sid = sksec->sid; 4945 peer_sid = sksec->sid;
4804 secmark_perm = PACKET__SEND; 4946 secmark_perm = PACKET__SEND;
@@ -4836,7 +4978,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4836 return NF_ACCEPT; 4978 return NF_ACCEPT;
4837} 4979}
4838 4980
4839static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4981static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
4840 struct sk_buff *skb, 4982 struct sk_buff *skb,
4841 const struct net_device *in, 4983 const struct net_device *in,
4842 const struct net_device *out, 4984 const struct net_device *out,
@@ -4846,7 +4988,7 @@ static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4846} 4988}
4847 4989
4848#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4990#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4849static unsigned int selinux_ipv6_postroute(unsigned int hooknum, 4991static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
4850 struct sk_buff *skb, 4992 struct sk_buff *skb,
4851 const struct net_device *in, 4993 const struct net_device *in,
4852 const struct net_device *out, 4994 const struct net_device *out,
@@ -5462,11 +5604,11 @@ static int selinux_setprocattr(struct task_struct *p,
5462 /* Check for ptracing, and update the task SID if ok. 5604 /* Check for ptracing, and update the task SID if ok.
5463 Otherwise, leave SID unchanged and fail. */ 5605 Otherwise, leave SID unchanged and fail. */
5464 ptsid = 0; 5606 ptsid = 0;
5465 task_lock(p); 5607 rcu_read_lock();
5466 tracer = ptrace_parent(p); 5608 tracer = ptrace_parent(p);
5467 if (tracer) 5609 if (tracer)
5468 ptsid = task_sid(tracer); 5610 ptsid = task_sid(tracer);
5469 task_unlock(p); 5611 rcu_read_unlock();
5470 5612
5471 if (tracer) { 5613 if (tracer) {
5472 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 5614 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
@@ -5784,7 +5926,8 @@ static struct security_operations selinux_ops = {
5784 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5926 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5785 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5927 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5786 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5928 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5787 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5929 .xfrm_state_alloc = selinux_xfrm_state_alloc,
5930 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
5788 .xfrm_state_free_security = selinux_xfrm_state_free, 5931 .xfrm_state_free_security = selinux_xfrm_state_free,
5789 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5932 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5790 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5933 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index aa47bcabb5f6..078e553f52f2 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -38,7 +38,10 @@ struct task_security_struct {
38 38
39struct inode_security_struct { 39struct inode_security_struct {
40 struct inode *inode; /* back pointer to inode object */ 40 struct inode *inode; /* back pointer to inode object */
41 struct list_head list; /* list of inode_security_struct */ 41 union {
42 struct list_head list; /* list of inode_security_struct */
43 struct rcu_head rcu; /* for freeing the inode_security_struct */
44 };
42 u32 task_sid; /* SID of creating task */ 45 u32 task_sid; /* SID of creating task */
43 u32 sid; /* SID of this object */ 46 u32 sid; /* SID of this object */
44 u16 sclass; /* security class of this object */ 47 u16 sclass; /* security class of this object */
@@ -58,8 +61,8 @@ struct superblock_security_struct {
58 u32 sid; /* SID of file system superblock */ 61 u32 sid; /* SID of file system superblock */
59 u32 def_sid; /* default SID for labeling */ 62 u32 def_sid; /* default SID for labeling */
60 u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */ 63 u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
61 unsigned int behavior; /* labeling behavior */ 64 unsigned short behavior; /* labeling behavior */
62 unsigned char flags; /* which mount options were specified */ 65 unsigned short flags; /* which mount options were specified */
63 struct mutex lock; 66 struct mutex lock;
64 struct list_head isec_head; 67 struct list_head isec_head;
65 spinlock_t isec_lock; 68 spinlock_t isec_lock;
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 8fd8e18ea340..fe341ae37004 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -45,14 +45,15 @@
45/* Mask for just the mount related flags */ 45/* Mask for just the mount related flags */
46#define SE_MNTMASK 0x0f 46#define SE_MNTMASK 0x0f
47/* Super block security struct flags for mount options */ 47/* Super block security struct flags for mount options */
48/* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */
48#define CONTEXT_MNT 0x01 49#define CONTEXT_MNT 0x01
49#define FSCONTEXT_MNT 0x02 50#define FSCONTEXT_MNT 0x02
50#define ROOTCONTEXT_MNT 0x04 51#define ROOTCONTEXT_MNT 0x04
51#define DEFCONTEXT_MNT 0x08 52#define DEFCONTEXT_MNT 0x08
53#define SBLABEL_MNT 0x10
52/* Non-mount related flags */ 54/* Non-mount related flags */
53#define SE_SBINITIALIZED 0x10 55#define SE_SBINITIALIZED 0x0100
54#define SE_SBPROC 0x20 56#define SE_SBPROC 0x0200
55#define SE_SBLABELSUPP 0x40
56 57
57#define CONTEXT_STR "context=" 58#define CONTEXT_STR "context="
58#define FSCONTEXT_STR "fscontext=" 59#define FSCONTEXT_STR "fscontext="
@@ -68,12 +69,15 @@ extern int selinux_enabled;
68enum { 69enum {
69 POLICYDB_CAPABILITY_NETPEER, 70 POLICYDB_CAPABILITY_NETPEER,
70 POLICYDB_CAPABILITY_OPENPERM, 71 POLICYDB_CAPABILITY_OPENPERM,
72 POLICYDB_CAPABILITY_REDHAT1,
73 POLICYDB_CAPABILITY_ALWAYSNETWORK,
71 __POLICYDB_CAPABILITY_MAX 74 __POLICYDB_CAPABILITY_MAX
72}; 75};
73#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) 76#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
74 77
75extern int selinux_policycap_netpeer; 78extern int selinux_policycap_netpeer;
76extern int selinux_policycap_openperm; 79extern int selinux_policycap_openperm;
80extern int selinux_policycap_alwaysnetwork;
77 81
78/* 82/*
79 * type_datum properties 83 * type_datum properties
@@ -172,8 +176,7 @@ int security_get_allow_unknown(void);
172#define SECURITY_FS_USE_NATIVE 7 /* use native label support */ 176#define SECURITY_FS_USE_NATIVE 7 /* use native label support */
173#define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */ 177#define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */
174 178
175int security_fs_use(const char *fstype, unsigned int *behavior, 179int security_fs_use(struct super_block *sb);
176 u32 *sid);
177 180
178int security_genfs_sid(const char *fstype, char *name, u16 sclass, 181int security_genfs_sid(const char *fstype, char *name, u16 sclass,
179 u32 *sid); 182 u32 *sid);
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 6713f04e30ba..48c3cc94c168 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -10,29 +10,21 @@
10#include <net/flow.h> 10#include <net/flow.h>
11 11
12int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, 12int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
13 struct xfrm_user_sec_ctx *sec_ctx); 13 struct xfrm_user_sec_ctx *uctx);
14int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, 14int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
15 struct xfrm_sec_ctx **new_ctxp); 15 struct xfrm_sec_ctx **new_ctxp);
16void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx); 16void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
17int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx); 17int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
18int selinux_xfrm_state_alloc(struct xfrm_state *x, 18int selinux_xfrm_state_alloc(struct xfrm_state *x,
19 struct xfrm_user_sec_ctx *sec_ctx, u32 secid); 19 struct xfrm_user_sec_ctx *uctx);
20int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
21 struct xfrm_sec_ctx *polsec, u32 secid);
20void selinux_xfrm_state_free(struct xfrm_state *x); 22void selinux_xfrm_state_free(struct xfrm_state *x);
21int selinux_xfrm_state_delete(struct xfrm_state *x); 23int selinux_xfrm_state_delete(struct xfrm_state *x);
22int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); 24int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
23int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, 25int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
24 struct xfrm_policy *xp, const struct flowi *fl); 26 struct xfrm_policy *xp,
25 27 const struct flowi *fl);
26/*
27 * Extract the security blob from the sock (it's actually on the socket)
28 */
29static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
30{
31 if (!sk->sk_socket)
32 return NULL;
33
34 return SOCK_INODE(sk->sk_socket)->i_security;
35}
36 28
37#ifdef CONFIG_SECURITY_NETWORK_XFRM 29#ifdef CONFIG_SECURITY_NETWORK_XFRM
38extern atomic_t selinux_xfrm_refcount; 30extern atomic_t selinux_xfrm_refcount;
@@ -42,11 +34,12 @@ static inline int selinux_xfrm_enabled(void)
42 return (atomic_read(&selinux_xfrm_refcount) > 0); 34 return (atomic_read(&selinux_xfrm_refcount) > 0);
43} 35}
44 36
45int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, 37int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
46 struct common_audit_data *ad); 38 struct common_audit_data *ad);
47int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 39int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
48 struct common_audit_data *ad, u8 proto); 40 struct common_audit_data *ad, u8 proto);
49int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); 41int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
42int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid);
50 43
51static inline void selinux_xfrm_notify_policyload(void) 44static inline void selinux_xfrm_notify_policyload(void)
52{ 45{
@@ -64,19 +57,21 @@ static inline int selinux_xfrm_enabled(void)
64 return 0; 57 return 0;
65} 58}
66 59
67static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, 60static inline int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
68 struct common_audit_data *ad) 61 struct common_audit_data *ad)
69{ 62{
70 return 0; 63 return 0;
71} 64}
72 65
73static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 66static inline int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
74 struct common_audit_data *ad, u8 proto) 67 struct common_audit_data *ad,
68 u8 proto)
75{ 69{
76 return 0; 70 return 0;
77} 71}
78 72
79static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) 73static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid,
74 int ckall)
80{ 75{
81 *sid = SECSID_NULL; 76 *sid = SECSID_NULL;
82 return 0; 77 return 0;
@@ -85,12 +80,12 @@ static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int
85static inline void selinux_xfrm_notify_policyload(void) 80static inline void selinux_xfrm_notify_policyload(void)
86{ 81{
87} 82}
88#endif
89 83
90static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid) 84static inline int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
91{ 85{
92 int err = selinux_xfrm_decode_session(skb, sid, 0); 86 *sid = SECSID_NULL;
93 BUG_ON(err); 87 return 0;
94} 88}
89#endif
95 90
96#endif /* _SELINUX_XFRM_H_ */ 91#endif /* _SELINUX_XFRM_H_ */
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index da4b8b233280..6235d052338b 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -442,8 +442,7 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
442 sksec->nlbl_state != NLBL_CONNLABELED) 442 sksec->nlbl_state != NLBL_CONNLABELED)
443 return 0; 443 return 0;
444 444
445 local_bh_disable(); 445 lock_sock(sk);
446 bh_lock_sock_nested(sk);
447 446
448 /* connected sockets are allowed to disconnect when the address family 447 /* connected sockets are allowed to disconnect when the address family
449 * is set to AF_UNSPEC, if that is what is happening we want to reset 448 * is set to AF_UNSPEC, if that is what is happening we want to reset
@@ -464,7 +463,6 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
464 sksec->nlbl_state = NLBL_CONNLABELED; 463 sksec->nlbl_state = NLBL_CONNLABELED;
465 464
466socket_connect_return: 465socket_connect_return:
467 bh_unlock_sock(sk); 466 release_sock(sk);
468 local_bh_enable();
469 return rc; 467 return rc;
470} 468}
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index c5454c0477c3..03a72c32afd7 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -166,6 +166,7 @@ static void sel_netnode_insert(struct sel_netnode *node)
166 break; 166 break;
167 default: 167 default:
168 BUG(); 168 BUG();
169 return;
169 } 170 }
170 171
171 /* we need to impose a limit on the growth of the hash table so check 172 /* we need to impose a limit on the growth of the hash table so check
@@ -225,6 +226,7 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
225 break; 226 break;
226 default: 227 default:
227 BUG(); 228 BUG();
229 ret = -EINVAL;
228 } 230 }
229 if (ret != 0) 231 if (ret != 0)
230 goto out; 232 goto out;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index ff427733c290..5122affe06a8 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -44,7 +44,9 @@
44/* Policy capability filenames */ 44/* Policy capability filenames */
45static char *policycap_names[] = { 45static char *policycap_names[] = {
46 "network_peer_controls", 46 "network_peer_controls",
47 "open_perms" 47 "open_perms",
48 "redhat1",
49 "always_check_network"
48}; 50};
49 51
50unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 52unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index 30f119b1d1ec..820313a04d49 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -213,7 +213,12 @@ netlbl_import_failure:
213} 213}
214#endif /* CONFIG_NETLABEL */ 214#endif /* CONFIG_NETLABEL */
215 215
216int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2) 216/*
217 * Check to see if all the bits set in e2 are also set in e1. Optionally,
218 * if last_e2bit is non-zero, the highest set bit in e2 cannot exceed
219 * last_e2bit.
220 */
221int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit)
217{ 222{
218 struct ebitmap_node *n1, *n2; 223 struct ebitmap_node *n1, *n2;
219 int i; 224 int i;
@@ -223,14 +228,25 @@ int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2)
223 228
224 n1 = e1->node; 229 n1 = e1->node;
225 n2 = e2->node; 230 n2 = e2->node;
231
226 while (n1 && n2 && (n1->startbit <= n2->startbit)) { 232 while (n1 && n2 && (n1->startbit <= n2->startbit)) {
227 if (n1->startbit < n2->startbit) { 233 if (n1->startbit < n2->startbit) {
228 n1 = n1->next; 234 n1 = n1->next;
229 continue; 235 continue;
230 } 236 }
231 for (i = 0; i < EBITMAP_UNIT_NUMS; i++) { 237 for (i = EBITMAP_UNIT_NUMS - 1; (i >= 0) && !n2->maps[i]; )
238 i--; /* Skip trailing NULL map entries */
239 if (last_e2bit && (i >= 0)) {
240 u32 lastsetbit = n2->startbit + i * EBITMAP_UNIT_SIZE +
241 __fls(n2->maps[i]);
242 if (lastsetbit > last_e2bit)
243 return 0;
244 }
245
246 while (i >= 0) {
232 if ((n1->maps[i] & n2->maps[i]) != n2->maps[i]) 247 if ((n1->maps[i] & n2->maps[i]) != n2->maps[i])
233 return 0; 248 return 0;
249 i--;
234 } 250 }
235 251
236 n1 = n1->next; 252 n1 = n1->next;
diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
index 922f8afa89dd..712c8a7b8e8b 100644
--- a/security/selinux/ss/ebitmap.h
+++ b/security/selinux/ss/ebitmap.h
@@ -16,7 +16,13 @@
16 16
17#include <net/netlabel.h> 17#include <net/netlabel.h>
18 18
19#define EBITMAP_UNIT_NUMS ((32 - sizeof(void *) - sizeof(u32)) \ 19#ifdef CONFIG_64BIT
20#define EBITMAP_NODE_SIZE 64
21#else
22#define EBITMAP_NODE_SIZE 32
23#endif
24
25#define EBITMAP_UNIT_NUMS ((EBITMAP_NODE_SIZE-sizeof(void *)-sizeof(u32))\
20 / sizeof(unsigned long)) 26 / sizeof(unsigned long))
21#define EBITMAP_UNIT_SIZE BITS_PER_LONG 27#define EBITMAP_UNIT_SIZE BITS_PER_LONG
22#define EBITMAP_SIZE (EBITMAP_UNIT_NUMS * EBITMAP_UNIT_SIZE) 28#define EBITMAP_SIZE (EBITMAP_UNIT_NUMS * EBITMAP_UNIT_SIZE)
@@ -117,7 +123,7 @@ static inline void ebitmap_node_clr_bit(struct ebitmap_node *n,
117 123
118int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2); 124int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2);
119int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src); 125int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src);
120int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2); 126int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit);
121int ebitmap_get_bit(struct ebitmap *e, unsigned long bit); 127int ebitmap_get_bit(struct ebitmap *e, unsigned long bit);
122int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value); 128int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value);
123void ebitmap_destroy(struct ebitmap *e); 129void ebitmap_destroy(struct ebitmap *e);
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 40de8d3f208e..c85bc1ec040c 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -160,8 +160,6 @@ void mls_sid_to_context(struct context *context,
160int mls_level_isvalid(struct policydb *p, struct mls_level *l) 160int mls_level_isvalid(struct policydb *p, struct mls_level *l)
161{ 161{
162 struct level_datum *levdatum; 162 struct level_datum *levdatum;
163 struct ebitmap_node *node;
164 int i;
165 163
166 if (!l->sens || l->sens > p->p_levels.nprim) 164 if (!l->sens || l->sens > p->p_levels.nprim)
167 return 0; 165 return 0;
@@ -170,19 +168,13 @@ int mls_level_isvalid(struct policydb *p, struct mls_level *l)
170 if (!levdatum) 168 if (!levdatum)
171 return 0; 169 return 0;
172 170
173 ebitmap_for_each_positive_bit(&l->cat, node, i) { 171 /*
174 if (i > p->p_cats.nprim) 172 * Return 1 iff all the bits set in l->cat are also be set in
175 return 0; 173 * levdatum->level->cat and no bit in l->cat is larger than
176 if (!ebitmap_get_bit(&levdatum->level->cat, i)) { 174 * p->p_cats.nprim.
177 /* 175 */
178 * Category may not be associated with 176 return ebitmap_contains(&levdatum->level->cat, &l->cat,
179 * sensitivity. 177 p->p_cats.nprim);
180 */
181 return 0;
182 }
183 }
184
185 return 1;
186} 178}
187 179
188int mls_range_isvalid(struct policydb *p, struct mls_range *r) 180int mls_range_isvalid(struct policydb *p, struct mls_range *r)
diff --git a/security/selinux/ss/mls_types.h b/security/selinux/ss/mls_types.h
index 03bed52a8052..e93648774137 100644
--- a/security/selinux/ss/mls_types.h
+++ b/security/selinux/ss/mls_types.h
@@ -35,7 +35,7 @@ static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
35static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2) 35static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
36{ 36{
37 return ((l1->sens >= l2->sens) && 37 return ((l1->sens >= l2->sens) &&
38 ebitmap_contains(&l1->cat, &l2->cat)); 38 ebitmap_contains(&l1->cat, &l2->cat, 0));
39} 39}
40 40
41#define mls_level_incomp(l1, l2) \ 41#define mls_level_incomp(l1, l2) \
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index c8adde3aff8f..f6195ebde3c9 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -3203,9 +3203,8 @@ static int range_write_helper(void *key, void *data, void *ptr)
3203 3203
3204static int range_write(struct policydb *p, void *fp) 3204static int range_write(struct policydb *p, void *fp)
3205{ 3205{
3206 size_t nel;
3207 __le32 buf[1]; 3206 __le32 buf[1];
3208 int rc; 3207 int rc, nel;
3209 struct policy_data pd; 3208 struct policy_data pd;
3210 3209
3211 pd.p = p; 3210 pd.p = p;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index f4dda05d7db0..ba5bb9be9d92 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -72,6 +72,7 @@
72 72
73int selinux_policycap_netpeer; 73int selinux_policycap_netpeer;
74int selinux_policycap_openperm; 74int selinux_policycap_openperm;
75int selinux_policycap_alwaysnetwork;
75 76
76static DEFINE_RWLOCK(policy_rwlock); 77static DEFINE_RWLOCK(policy_rwlock);
77 78
@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void)
1812 POLICYDB_CAPABILITY_NETPEER); 1813 POLICYDB_CAPABILITY_NETPEER);
1813 selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps, 1814 selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
1814 POLICYDB_CAPABILITY_OPENPERM); 1815 POLICYDB_CAPABILITY_OPENPERM);
1816 selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
1817 POLICYDB_CAPABILITY_ALWAYSNETWORK);
1815} 1818}
1816 1819
1817static int security_preserve_bools(struct policydb *p); 1820static int security_preserve_bools(struct policydb *p);
@@ -2323,17 +2326,14 @@ out:
2323 2326
2324/** 2327/**
2325 * security_fs_use - Determine how to handle labeling for a filesystem. 2328 * security_fs_use - Determine how to handle labeling for a filesystem.
2326 * @fstype: filesystem type 2329 * @sb: superblock in question
2327 * @behavior: labeling behavior
2328 * @sid: SID for filesystem (superblock)
2329 */ 2330 */
2330int security_fs_use( 2331int security_fs_use(struct super_block *sb)
2331 const char *fstype,
2332 unsigned int *behavior,
2333 u32 *sid)
2334{ 2332{
2335 int rc = 0; 2333 int rc = 0;
2336 struct ocontext *c; 2334 struct ocontext *c;
2335 struct superblock_security_struct *sbsec = sb->s_security;
2336 const char *fstype = sb->s_type->name;
2337 2337
2338 read_lock(&policy_rwlock); 2338 read_lock(&policy_rwlock);
2339 2339
@@ -2345,21 +2345,21 @@ int security_fs_use(
2345 } 2345 }
2346 2346
2347 if (c) { 2347 if (c) {
2348 *behavior = c->v.behavior; 2348 sbsec->behavior = c->v.behavior;
2349 if (!c->sid[0]) { 2349 if (!c->sid[0]) {
2350 rc = sidtab_context_to_sid(&sidtab, &c->context[0], 2350 rc = sidtab_context_to_sid(&sidtab, &c->context[0],
2351 &c->sid[0]); 2351 &c->sid[0]);
2352 if (rc) 2352 if (rc)
2353 goto out; 2353 goto out;
2354 } 2354 }
2355 *sid = c->sid[0]; 2355 sbsec->sid = c->sid[0];
2356 } else { 2356 } else {
2357 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); 2357 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, &sbsec->sid);
2358 if (rc) { 2358 if (rc) {
2359 *behavior = SECURITY_FS_USE_NONE; 2359 sbsec->behavior = SECURITY_FS_USE_NONE;
2360 rc = 0; 2360 rc = 0;
2361 } else { 2361 } else {
2362 *behavior = SECURITY_FS_USE_GENFS; 2362 sbsec->behavior = SECURITY_FS_USE_GENFS;
2363 } 2363 }
2364 } 2364 }
2365 2365
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index d03081886214..0462cb3ff0a7 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -56,7 +56,7 @@
56atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0); 56atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0);
57 57
58/* 58/*
59 * Returns true if an LSM/SELinux context 59 * Returns true if the context is an LSM/SELinux context.
60 */ 60 */
61static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) 61static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
62{ 62{
@@ -66,7 +66,7 @@ static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
66} 66}
67 67
68/* 68/*
69 * Returns true if the xfrm contains a security blob for SELinux 69 * Returns true if the xfrm contains a security blob for SELinux.
70 */ 70 */
71static inline int selinux_authorizable_xfrm(struct xfrm_state *x) 71static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
72{ 72{
@@ -74,48 +74,111 @@ static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
74} 74}
75 75
76/* 76/*
77 * LSM hook implementation that authorizes that a flow can use 77 * Allocates a xfrm_sec_state and populates it using the supplied security
78 * a xfrm policy rule. 78 * xfrm_user_sec_ctx context.
79 */ 79 */
80int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) 80static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
81 struct xfrm_user_sec_ctx *uctx)
81{ 82{
82 int rc; 83 int rc;
83 u32 sel_sid; 84 const struct task_security_struct *tsec = current_security();
85 struct xfrm_sec_ctx *ctx = NULL;
86 u32 str_len;
84 87
85 /* Context sid is either set to label or ANY_ASSOC */ 88 if (ctxp == NULL || uctx == NULL ||
86 if (ctx) { 89 uctx->ctx_doi != XFRM_SC_DOI_LSM ||
87 if (!selinux_authorizable_ctx(ctx)) 90 uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
88 return -EINVAL; 91 return -EINVAL;
89 92
90 sel_sid = ctx->ctx_sid; 93 str_len = uctx->ctx_len;
91 } else 94 if (str_len >= PAGE_SIZE)
92 /* 95 return -ENOMEM;
93 * All flows should be treated as polmatch'ing an 96
94 * otherwise applicable "non-labeled" policy. This 97 ctx = kmalloc(sizeof(*ctx) + str_len + 1, GFP_KERNEL);
95 * would prevent inadvertent "leaks". 98 if (!ctx)
96 */ 99 return -ENOMEM;
97 return 0;
98 100
99 rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION, 101 ctx->ctx_doi = XFRM_SC_DOI_LSM;
100 ASSOCIATION__POLMATCH, 102 ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
101 NULL); 103 ctx->ctx_len = str_len;
104 memcpy(ctx->ctx_str, &uctx[1], str_len);
105 ctx->ctx_str[str_len] = '\0';
106 rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid);
107 if (rc)
108 goto err;
102 109
103 if (rc == -EACCES) 110 rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
104 return -ESRCH; 111 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
112 if (rc)
113 goto err;
105 114
115 *ctxp = ctx;
116 atomic_inc(&selinux_xfrm_refcount);
117 return 0;
118
119err:
120 kfree(ctx);
106 return rc; 121 return rc;
107} 122}
108 123
109/* 124/*
125 * Free the xfrm_sec_ctx structure.
126 */
127static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
128{
129 if (!ctx)
130 return;
131
132 atomic_dec(&selinux_xfrm_refcount);
133 kfree(ctx);
134}
135
136/*
137 * Authorize the deletion of a labeled SA or policy rule.
138 */
139static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
140{
141 const struct task_security_struct *tsec = current_security();
142
143 if (!ctx)
144 return 0;
145
146 return avc_has_perm(tsec->sid, ctx->ctx_sid,
147 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
148 NULL);
149}
150
151/*
152 * LSM hook implementation that authorizes that a flow can use a xfrm policy
153 * rule.
154 */
155int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
156{
157 int rc;
158
159 /* All flows should be treated as polmatch'ing an otherwise applicable
160 * "non-labeled" policy. This would prevent inadvertent "leaks". */
161 if (!ctx)
162 return 0;
163
164 /* Context sid is either set to label or ANY_ASSOC */
165 if (!selinux_authorizable_ctx(ctx))
166 return -EINVAL;
167
168 rc = avc_has_perm(fl_secid, ctx->ctx_sid,
169 SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
170 return (rc == -EACCES ? -ESRCH : rc);
171}
172
173/*
110 * LSM hook implementation that authorizes that a state matches 174 * LSM hook implementation that authorizes that a state matches
111 * the given policy, flow combo. 175 * the given policy, flow combo.
112 */ 176 */
113 177int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
114int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, 178 struct xfrm_policy *xp,
115 const struct flowi *fl) 179 const struct flowi *fl)
116{ 180{
117 u32 state_sid; 181 u32 state_sid;
118 int rc;
119 182
120 if (!xp->security) 183 if (!xp->security)
121 if (x->security) 184 if (x->security)
@@ -138,187 +201,111 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
138 if (fl->flowi_secid != state_sid) 201 if (fl->flowi_secid != state_sid)
139 return 0; 202 return 0;
140 203
141 rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION, 204 /* We don't need a separate SA Vs. policy polmatch check since the SA
142 ASSOCIATION__SENDTO, 205 * is now of the same label as the flow and a flow Vs. policy polmatch
143 NULL)? 0:1; 206 * check had already happened in selinux_xfrm_policy_lookup() above. */
144 207 return (avc_has_perm(fl->flowi_secid, state_sid,
145 /* 208 SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
146 * We don't need a separate SA Vs. policy polmatch check 209 NULL) ? 0 : 1);
147 * since the SA is now of the same label as the flow and
148 * a flow Vs. policy polmatch check had already happened
149 * in selinux_xfrm_policy_lookup() above.
150 */
151
152 return rc;
153} 210}
154 211
155/* 212static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb)
156 * LSM hook implementation that checks and/or returns the xfrm sid for the
157 * incoming packet.
158 */
159
160int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
161{ 213{
162 struct sec_path *sp; 214 struct dst_entry *dst = skb_dst(skb);
215 struct xfrm_state *x;
163 216
164 *sid = SECSID_NULL; 217 if (dst == NULL)
218 return SECSID_NULL;
219 x = dst->xfrm;
220 if (x == NULL || !selinux_authorizable_xfrm(x))
221 return SECSID_NULL;
165 222
166 if (skb == NULL) 223 return x->security->ctx_sid;
167 return 0; 224}
225
226static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb,
227 u32 *sid, int ckall)
228{
229 u32 sid_session = SECSID_NULL;
230 struct sec_path *sp = skb->sp;
168 231
169 sp = skb->sp;
170 if (sp) { 232 if (sp) {
171 int i, sid_set = 0; 233 int i;
172 234
173 for (i = sp->len-1; i >= 0; i--) { 235 for (i = sp->len - 1; i >= 0; i--) {
174 struct xfrm_state *x = sp->xvec[i]; 236 struct xfrm_state *x = sp->xvec[i];
175 if (selinux_authorizable_xfrm(x)) { 237 if (selinux_authorizable_xfrm(x)) {
176 struct xfrm_sec_ctx *ctx = x->security; 238 struct xfrm_sec_ctx *ctx = x->security;
177 239
178 if (!sid_set) { 240 if (sid_session == SECSID_NULL) {
179 *sid = ctx->ctx_sid; 241 sid_session = ctx->ctx_sid;
180 sid_set = 1;
181
182 if (!ckall) 242 if (!ckall)
183 break; 243 goto out;
184 } else if (*sid != ctx->ctx_sid) 244 } else if (sid_session != ctx->ctx_sid) {
245 *sid = SECSID_NULL;
185 return -EINVAL; 246 return -EINVAL;
247 }
186 } 248 }
187 } 249 }
188 } 250 }
189 251
252out:
253 *sid = sid_session;
190 return 0; 254 return 0;
191} 255}
192 256
193/* 257/*
194 * Security blob allocation for xfrm_policy and xfrm_state 258 * LSM hook implementation that checks and/or returns the xfrm sid for the
195 * CTX does not have a meaningful value on input 259 * incoming packet.
196 */ 260 */
197static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, 261int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
198 struct xfrm_user_sec_ctx *uctx, u32 sid)
199{ 262{
200 int rc = 0; 263 if (skb == NULL) {
201 const struct task_security_struct *tsec = current_security(); 264 *sid = SECSID_NULL;
202 struct xfrm_sec_ctx *ctx = NULL; 265 return 0;
203 char *ctx_str = NULL;
204 u32 str_len;
205
206 BUG_ON(uctx && sid);
207
208 if (!uctx)
209 goto not_from_user;
210
211 if (uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
212 return -EINVAL;
213
214 str_len = uctx->ctx_len;
215 if (str_len >= PAGE_SIZE)
216 return -ENOMEM;
217
218 *ctxp = ctx = kmalloc(sizeof(*ctx) +
219 str_len + 1,
220 GFP_KERNEL);
221
222 if (!ctx)
223 return -ENOMEM;
224
225 ctx->ctx_doi = uctx->ctx_doi;
226 ctx->ctx_len = str_len;
227 ctx->ctx_alg = uctx->ctx_alg;
228
229 memcpy(ctx->ctx_str,
230 uctx+1,
231 str_len);
232 ctx->ctx_str[str_len] = 0;
233 rc = security_context_to_sid(ctx->ctx_str,
234 str_len,
235 &ctx->ctx_sid);
236
237 if (rc)
238 goto out;
239
240 /*
241 * Does the subject have permission to set security context?
242 */
243 rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
244 SECCLASS_ASSOCIATION,
245 ASSOCIATION__SETCONTEXT, NULL);
246 if (rc)
247 goto out;
248
249 return rc;
250
251not_from_user:
252 rc = security_sid_to_context(sid, &ctx_str, &str_len);
253 if (rc)
254 goto out;
255
256 *ctxp = ctx = kmalloc(sizeof(*ctx) +
257 str_len,
258 GFP_ATOMIC);
259
260 if (!ctx) {
261 rc = -ENOMEM;
262 goto out;
263 } 266 }
267 return selinux_xfrm_skb_sid_ingress(skb, sid, ckall);
268}
264 269
265 ctx->ctx_doi = XFRM_SC_DOI_LSM; 270int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
266 ctx->ctx_alg = XFRM_SC_ALG_SELINUX; 271{
267 ctx->ctx_sid = sid; 272 int rc;
268 ctx->ctx_len = str_len;
269 memcpy(ctx->ctx_str,
270 ctx_str,
271 str_len);
272 273
273 goto out2; 274 rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0);
275 if (rc == 0 && *sid == SECSID_NULL)
276 *sid = selinux_xfrm_skb_sid_egress(skb);
274 277
275out:
276 *ctxp = NULL;
277 kfree(ctx);
278out2:
279 kfree(ctx_str);
280 return rc; 278 return rc;
281} 279}
282 280
283/* 281/*
284 * LSM hook implementation that allocs and transfers uctx spec to 282 * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy.
285 * xfrm_policy.
286 */ 283 */
287int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, 284int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
288 struct xfrm_user_sec_ctx *uctx) 285 struct xfrm_user_sec_ctx *uctx)
289{ 286{
290 int err; 287 return selinux_xfrm_alloc_user(ctxp, uctx);
291
292 BUG_ON(!uctx);
293
294 err = selinux_xfrm_sec_ctx_alloc(ctxp, uctx, 0);
295 if (err == 0)
296 atomic_inc(&selinux_xfrm_refcount);
297
298 return err;
299} 288}
300 289
301
302/* 290/*
303 * LSM hook implementation that copies security data structure from old to 291 * LSM hook implementation that copies security data structure from old to new
304 * new for policy cloning. 292 * for policy cloning.
305 */ 293 */
306int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, 294int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
307 struct xfrm_sec_ctx **new_ctxp) 295 struct xfrm_sec_ctx **new_ctxp)
308{ 296{
309 struct xfrm_sec_ctx *new_ctx; 297 struct xfrm_sec_ctx *new_ctx;
310 298
311 if (old_ctx) { 299 if (!old_ctx)
312 new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, 300 return 0;
313 GFP_ATOMIC); 301
314 if (!new_ctx) 302 new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len,
315 return -ENOMEM; 303 GFP_ATOMIC);
304 if (!new_ctx)
305 return -ENOMEM;
306 atomic_inc(&selinux_xfrm_refcount);
307 *new_ctxp = new_ctx;
316 308
317 memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
318 memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
319 atomic_inc(&selinux_xfrm_refcount);
320 *new_ctxp = new_ctx;
321 }
322 return 0; 309 return 0;
323} 310}
324 311
@@ -327,8 +314,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
327 */ 314 */
328void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) 315void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
329{ 316{
330 atomic_dec(&selinux_xfrm_refcount); 317 selinux_xfrm_free(ctx);
331 kfree(ctx);
332} 318}
333 319
334/* 320/*
@@ -336,31 +322,58 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
336 */ 322 */
337int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) 323int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
338{ 324{
339 const struct task_security_struct *tsec = current_security(); 325 return selinux_xfrm_delete(ctx);
340 326}
341 if (!ctx)
342 return 0;
343 327
344 return avc_has_perm(tsec->sid, ctx->ctx_sid, 328/*
345 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, 329 * LSM hook implementation that allocates a xfrm_sec_state, populates it using
346 NULL); 330 * the supplied security context, and assigns it to the xfrm_state.
331 */
332int selinux_xfrm_state_alloc(struct xfrm_state *x,
333 struct xfrm_user_sec_ctx *uctx)
334{
335 return selinux_xfrm_alloc_user(&x->security, uctx);
347} 336}
348 337
349/* 338/*
350 * LSM hook implementation that allocs and transfers sec_ctx spec to 339 * LSM hook implementation that allocates a xfrm_sec_state and populates based
351 * xfrm_state. 340 * on a secid.
352 */ 341 */
353int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx, 342int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
354 u32 secid) 343 struct xfrm_sec_ctx *polsec, u32 secid)
355{ 344{
356 int err; 345 int rc;
346 struct xfrm_sec_ctx *ctx;
347 char *ctx_str = NULL;
348 int str_len;
349
350 if (!polsec)
351 return 0;
352
353 if (secid == 0)
354 return -EINVAL;
355
356 rc = security_sid_to_context(secid, &ctx_str, &str_len);
357 if (rc)
358 return rc;
357 359
358 BUG_ON(!x); 360 ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC);
361 if (!ctx) {
362 rc = -ENOMEM;
363 goto out;
364 }
359 365
360 err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid); 366 ctx->ctx_doi = XFRM_SC_DOI_LSM;
361 if (err == 0) 367 ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
362 atomic_inc(&selinux_xfrm_refcount); 368 ctx->ctx_sid = secid;
363 return err; 369 ctx->ctx_len = str_len;
370 memcpy(ctx->ctx_str, ctx_str, str_len);
371
372 x->security = ctx;
373 atomic_inc(&selinux_xfrm_refcount);
374out:
375 kfree(ctx_str);
376 return rc;
364} 377}
365 378
366/* 379/*
@@ -368,24 +381,15 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct
368 */ 381 */
369void selinux_xfrm_state_free(struct xfrm_state *x) 382void selinux_xfrm_state_free(struct xfrm_state *x)
370{ 383{
371 atomic_dec(&selinux_xfrm_refcount); 384 selinux_xfrm_free(x->security);
372 kfree(x->security);
373} 385}
374 386
375 /* 387/*
376 * LSM hook implementation that authorizes deletion of labeled SAs. 388 * LSM hook implementation that authorizes deletion of labeled SAs.
377 */ 389 */
378int selinux_xfrm_state_delete(struct xfrm_state *x) 390int selinux_xfrm_state_delete(struct xfrm_state *x)
379{ 391{
380 const struct task_security_struct *tsec = current_security(); 392 return selinux_xfrm_delete(x->security);
381 struct xfrm_sec_ctx *ctx = x->security;
382
383 if (!ctx)
384 return 0;
385
386 return avc_has_perm(tsec->sid, ctx->ctx_sid,
387 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
388 NULL);
389} 393}
390 394
391/* 395/*
@@ -395,14 +399,12 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
395 * we need to check for unlabelled access since this may not have 399 * we need to check for unlabelled access since this may not have
396 * gone thru the IPSec process. 400 * gone thru the IPSec process.
397 */ 401 */
398int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, 402int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
399 struct common_audit_data *ad) 403 struct common_audit_data *ad)
400{ 404{
401 int i, rc = 0; 405 int i;
402 struct sec_path *sp; 406 struct sec_path *sp = skb->sp;
403 u32 sel_sid = SECINITSID_UNLABELED; 407 u32 peer_sid = SECINITSID_UNLABELED;
404
405 sp = skb->sp;
406 408
407 if (sp) { 409 if (sp) {
408 for (i = 0; i < sp->len; i++) { 410 for (i = 0; i < sp->len; i++) {
@@ -410,23 +412,17 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
410 412
411 if (x && selinux_authorizable_xfrm(x)) { 413 if (x && selinux_authorizable_xfrm(x)) {
412 struct xfrm_sec_ctx *ctx = x->security; 414 struct xfrm_sec_ctx *ctx = x->security;
413 sel_sid = ctx->ctx_sid; 415 peer_sid = ctx->ctx_sid;
414 break; 416 break;
415 } 417 }
416 } 418 }
417 } 419 }
418 420
419 /* 421 /* This check even when there's no association involved is intended,
420 * This check even when there's no association involved is 422 * according to Trent Jaeger, to make sure a process can't engage in
421 * intended, according to Trent Jaeger, to make sure a 423 * non-IPsec communication unless explicitly allowed by policy. */
422 * process can't engage in non-ipsec communication unless 424 return avc_has_perm(sk_sid, peer_sid,
423 * explicitly allowed by policy. 425 SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
424 */
425
426 rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
427 ASSOCIATION__RECVFROM, ad);
428
429 return rc;
430} 426}
431 427
432/* 428/*
@@ -436,49 +432,38 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
436 * If we do have a authorizable security association, then it has already been 432 * If we do have a authorizable security association, then it has already been
437 * checked in the selinux_xfrm_state_pol_flow_match hook above. 433 * checked in the selinux_xfrm_state_pol_flow_match hook above.
438 */ 434 */
439int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 435int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
440 struct common_audit_data *ad, u8 proto) 436 struct common_audit_data *ad, u8 proto)
441{ 437{
442 struct dst_entry *dst; 438 struct dst_entry *dst;
443 int rc = 0;
444
445 dst = skb_dst(skb);
446
447 if (dst) {
448 struct dst_entry *dst_test;
449
450 for (dst_test = dst; dst_test != NULL;
451 dst_test = dst_test->child) {
452 struct xfrm_state *x = dst_test->xfrm;
453
454 if (x && selinux_authorizable_xfrm(x))
455 goto out;
456 }
457 }
458 439
459 switch (proto) { 440 switch (proto) {
460 case IPPROTO_AH: 441 case IPPROTO_AH:
461 case IPPROTO_ESP: 442 case IPPROTO_ESP:
462 case IPPROTO_COMP: 443 case IPPROTO_COMP:
463 /* 444 /* We should have already seen this packet once before it
464 * We should have already seen this packet once before 445 * underwent xfrm(s). No need to subject it to the unlabeled
465 * it underwent xfrm(s). No need to subject it to the 446 * check. */
466 * unlabeled check. 447 return 0;
467 */
468 goto out;
469 default: 448 default:
470 break; 449 break;
471 } 450 }
472 451
473 /* 452 dst = skb_dst(skb);
474 * This check even when there's no association involved is 453 if (dst) {
475 * intended, according to Trent Jaeger, to make sure a 454 struct dst_entry *iter;
476 * process can't engage in non-ipsec communication unless
477 * explicitly allowed by policy.
478 */
479 455
480 rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, 456 for (iter = dst; iter != NULL; iter = iter->child) {
481 ASSOCIATION__SENDTO, ad); 457 struct xfrm_state *x = iter->xfrm;
482out: 458
483 return rc; 459 if (x && selinux_authorizable_xfrm(x))
460 return 0;
461 }
462 }
463
464 /* This check even when there's no association involved is intended,
465 * according to Trent Jaeger, to make sure a process can't engage in
466 * non-IPsec communication unless explicitly allowed by policy. */
467 return avc_has_perm(sk_sid, SECINITSID_UNLABELED,
468 SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
484} 469}
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 076b8e8a51ab..364cc64fce71 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -177,9 +177,13 @@ struct smk_port_label {
177#define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */ 177#define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */
178 178
179/* 179/*
180 * Flag for transmute access 180 * Flags for untraditional access modes.
181 * It shouldn't be necessary to avoid conflicts with definitions
182 * in fs.h, but do so anyway.
181 */ 183 */
182#define MAY_TRANSMUTE 64 184#define MAY_TRANSMUTE 0x00001000 /* Controls directory labeling */
185#define MAY_LOCK 0x00002000 /* Locks should be writes, but ... */
186
183/* 187/*
184 * Just to make the common cases easier to deal with 188 * Just to make the common cases easier to deal with
185 */ 189 */
@@ -188,9 +192,9 @@ struct smk_port_label {
188#define MAY_NOT 0 192#define MAY_NOT 0
189 193
190/* 194/*
191 * Number of access types used by Smack (rwxat) 195 * Number of access types used by Smack (rwxatl)
192 */ 196 */
193#define SMK_NUM_ACCESS_TYPE 5 197#define SMK_NUM_ACCESS_TYPE 6
194 198
195/* SMACK data */ 199/* SMACK data */
196struct smack_audit_data { 200struct smack_audit_data {
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index b3b59b1e93d6..14293cd9b1e5 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -84,6 +84,8 @@ int log_policy = SMACK_AUDIT_DENIED;
84 * 84 *
85 * Do the object check first because that is more 85 * Do the object check first because that is more
86 * likely to differ. 86 * likely to differ.
87 *
88 * Allowing write access implies allowing locking.
87 */ 89 */
88int smk_access_entry(char *subject_label, char *object_label, 90int smk_access_entry(char *subject_label, char *object_label,
89 struct list_head *rule_list) 91 struct list_head *rule_list)
@@ -99,6 +101,11 @@ int smk_access_entry(char *subject_label, char *object_label,
99 } 101 }
100 } 102 }
101 103
104 /*
105 * MAY_WRITE implies MAY_LOCK.
106 */
107 if ((may & MAY_WRITE) == MAY_WRITE)
108 may |= MAY_LOCK;
102 return may; 109 return may;
103} 110}
104 111
@@ -245,6 +252,7 @@ out_audit:
245static inline void smack_str_from_perm(char *string, int access) 252static inline void smack_str_from_perm(char *string, int access)
246{ 253{
247 int i = 0; 254 int i = 0;
255
248 if (access & MAY_READ) 256 if (access & MAY_READ)
249 string[i++] = 'r'; 257 string[i++] = 'r';
250 if (access & MAY_WRITE) 258 if (access & MAY_WRITE)
@@ -255,6 +263,8 @@ static inline void smack_str_from_perm(char *string, int access)
255 string[i++] = 'a'; 263 string[i++] = 'a';
256 if (access & MAY_TRANSMUTE) 264 if (access & MAY_TRANSMUTE)
257 string[i++] = 't'; 265 string[i++] = 't';
266 if (access & MAY_LOCK)
267 string[i++] = 'l';
258 string[i] = '\0'; 268 string[i] = '\0';
259} 269}
260/** 270/**
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 185e2e73cd33..aaf770159ebb 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -185,7 +185,7 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
186 smk_ad_setfield_u_tsk(&ad, ctp); 186 smk_ad_setfield_u_tsk(&ad, ctp);
187 187
188 rc = smk_curacc(skp->smk_known, MAY_READWRITE, &ad); 188 rc = smk_curacc(skp->smk_known, mode, &ad);
189 return rc; 189 return rc;
190} 190}
191 191
@@ -1146,7 +1146,7 @@ static int smack_file_ioctl(struct file *file, unsigned int cmd,
1146 * @file: the object 1146 * @file: the object
1147 * @cmd: unused 1147 * @cmd: unused
1148 * 1148 *
1149 * Returns 0 if current has write access, error code otherwise 1149 * Returns 0 if current has lock access, error code otherwise
1150 */ 1150 */
1151static int smack_file_lock(struct file *file, unsigned int cmd) 1151static int smack_file_lock(struct file *file, unsigned int cmd)
1152{ 1152{
@@ -1154,7 +1154,7 @@ static int smack_file_lock(struct file *file, unsigned int cmd)
1154 1154
1155 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1155 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1156 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1156 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1157 return smk_curacc(file->f_security, MAY_WRITE, &ad); 1157 return smk_curacc(file->f_security, MAY_LOCK, &ad);
1158} 1158}
1159 1159
1160/** 1160/**
@@ -1178,8 +1178,13 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
1178 1178
1179 switch (cmd) { 1179 switch (cmd) {
1180 case F_GETLK: 1180 case F_GETLK:
1181 break;
1181 case F_SETLK: 1182 case F_SETLK:
1182 case F_SETLKW: 1183 case F_SETLKW:
1184 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1185 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1186 rc = smk_curacc(file->f_security, MAY_LOCK, &ad);
1187 break;
1183 case F_SETOWN: 1188 case F_SETOWN:
1184 case F_SETSIG: 1189 case F_SETSIG:
1185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1190 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 80f4b4a45725..160aa08e3cd5 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -139,7 +139,7 @@ const char *smack_cipso_option = SMACK_CIPSO_OPTION;
139 * SMK_LOADLEN: Smack rule length 139 * SMK_LOADLEN: Smack rule length
140 */ 140 */
141#define SMK_OACCESS "rwxa" 141#define SMK_OACCESS "rwxa"
142#define SMK_ACCESS "rwxat" 142#define SMK_ACCESS "rwxatl"
143#define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1) 143#define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1)
144#define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1) 144#define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1)
145#define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN) 145#define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN)
@@ -282,6 +282,10 @@ static int smk_perm_from_str(const char *string)
282 case 'T': 282 case 'T':
283 perm |= MAY_TRANSMUTE; 283 perm |= MAY_TRANSMUTE;
284 break; 284 break;
285 case 'l':
286 case 'L':
287 perm |= MAY_LOCK;
288 break;
285 default: 289 default:
286 return perm; 290 return perm;
287 } 291 }
@@ -452,7 +456,7 @@ static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
452 /* 456 /*
453 * Minor hack for backward compatibility 457 * Minor hack for backward compatibility
454 */ 458 */
455 if (count != SMK_OLOADLEN && count != SMK_LOADLEN) 459 if (count < SMK_OLOADLEN || count > SMK_LOADLEN)
456 return -EINVAL; 460 return -EINVAL;
457 } else { 461 } else {
458 if (count >= PAGE_SIZE) { 462 if (count >= PAGE_SIZE) {
@@ -592,6 +596,8 @@ static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
592 seq_putc(s, 'a'); 596 seq_putc(s, 'a');
593 if (srp->smk_access & MAY_TRANSMUTE) 597 if (srp->smk_access & MAY_TRANSMUTE)
594 seq_putc(s, 't'); 598 seq_putc(s, 't');
599 if (srp->smk_access & MAY_LOCK)
600 seq_putc(s, 'l');
595 601
596 seq_putc(s, '\n'); 602 seq_putc(s, '\n');
597} 603}