author | Linus Torvalds <torvalds@linux-foundation.org> | |
Sun, 16 Dec 2012 23:40:50 +0000 (15:40 -0800) | ||
committer | Linus Torvalds <torvalds@linux-foundation.org> | |
Sun, 16 Dec 2012 23:40:50 +0000 (15:40 -0800) |
Pull security subsystem updates from James Morris:
"A quiet cycle for the security subsystem with just a few maintenance
updates."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
Smack: create a sysfs mount point for smackfs
Smack: use select not depends in Kconfig
Yama: remove locking from delete path
Yama: add RCU to drop read locking
drivers/char/tpm: remove tasklet and cleanup
KEYS: Use keyring_alloc() to create special keyrings
KEYS: Reduce initial permissions on keys
KEYS: Make the session and process keyrings per-thread
seccomp: Make syscall skipping and nr changes more consistent
key: Fix resource leak
keys: Fix unreachable code
KEYS: Add payload preparsing opportunity prior to key instantiate or update
"A quiet cycle for the security subsystem with just a few maintenance
updates."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
Smack: create a sysfs mount point for smackfs
Smack: use select not depends in Kconfig
Yama: remove locking from delete path
Yama: add RCU to drop read locking
drivers/char/tpm: remove tasklet and cleanup
KEYS: Use keyring_alloc() to create special keyrings
KEYS: Reduce initial permissions on keys
KEYS: Make the session and process keyrings per-thread
seccomp: Make syscall skipping and nr changes more consistent
key: Fix resource leak
keys: Fix unreachable code
KEYS: Add payload preparsing opportunity prior to key instantiate or update
12 files changed:
arch/x86/kernel/vsyscall_64.c | patch | | diff1 | | diff2 | | blob | history |
drivers/char/tpm/tpm_ibmvtpm.c | patch | | diff1 | | diff2 | | blob | history |
fs/cifs/cifsacl.c | patch | | diff1 | | diff2 | | blob | history |
fs/nfs/idmap.c | patch | | diff1 | | diff2 | | blob | history |
include/linux/key.h | patch | | diff1 | | diff2 | | blob | history |
kernel/cred.c | patch | | diff1 | | diff2 | | blob | history |
net/dns_resolver/dns_key.c | patch | | diff1 | | diff2 | | blob | history |
security/keys/key.c | patch | | diff1 | | diff2 | | blob | history |
security/keys/keyctl.c | patch | | diff1 | | diff2 | | blob | history |
security/keys/keyring.c | patch | | diff1 | | diff2 | | blob | history |
security/keys/process_keys.c | patch | | diff1 | | diff2 | | blob | history |
security/keys/request_key.c | patch | | diff1 | | diff2 | | blob | history |
diff --cc arch/x86/kernel/vsyscall_64.c
Simple merge
diff --cc drivers/char/tpm/tpm_ibmvtpm.c
Simple merge
diff --cc fs/cifs/cifsacl.c
Simple merge
diff --cc fs/nfs/idmap.c
Simple merge
diff --cc include/linux/key.h
index 2393b1c040b695d69d3a2f700300d3b4cec296c5,890699815212009a4ba7bf08cdb86f7128477408..4dfde1161c5e7878565d05ad7f5293e9e4d19cef
--- 1/include/linux/key.h
--- 2/include/linux/key.h
+++ b/include/linux/key.h
extern int key_unlink(struct key *keyring,
struct key *key);
-extern struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
+extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
const struct cred *cred,
+ key_perm_t perm,
unsigned long flags,
struct key *dest);
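Review bot: The new `key_perm_t perm` parameter in the keyring_alloc() prototype is not described anywhere in the header, and the matching definition in the security/keys/keyring.c section of this page carries only the one-line `Allocate a keyring and link into the destination keyring.` comment. The callers visible on this page pass quite different masks (`KEY_USR_VIEW | KEY_USR_READ` for the DNS resolver keyring, `KEY_USR_ALL` for the per-user keyrings) and pass `NULL` as `dest`, so a reader has to reverse-engineer the contract from call sites. A kernel-doc block on the definition would fix both hunks at once; it should state that `perm` is the permission mask applied to the newly allocated keyring, that `flags` is the `KEY_ALLOC_*` quota control seen at the call sites, and what a `NULL` `dest` means (hedged here, since the body is outside the hunk). The declaration in key.h can keep a one-line `/* perm: initial permission mask for the new keyring */` next to the parameter.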
diff --cc kernel/cred.c
Simple merge
diff --cc net/dns_resolver/dns_key.c
index 8aa4b1115384e3018b461ca153bd932a511c3fef,b53bb4a41daa6cf0b05dedfb5df9c1979af46bf8..0a69d075779556fa1f8093b2ba6816e7f7d5cb77
if (!cred)
return -ENOMEM;
- keyring = key_alloc(&key_type_keyring, ".dns_resolver",
- GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
- (KEY_POS_ALL & ~KEY_POS_SETATTR) |
- KEY_USR_VIEW | KEY_USR_READ,
- KEY_ALLOC_NOT_IN_QUOTA);
- keyring = keyring_alloc(".dns_resolver", 0, 0, cred,
++ keyring = keyring_alloc(".dns_resolver",
++ GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ,
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
if (IS_ERR(keyring)) {
ret = PTR_ERR(keyring);
goto failed_put_cred;
diff --cc security/keys/key.c
Simple merge
diff --cc security/keys/keyctl.c
index 5d34b4e827d6349a46f6b892573e129e500e49db,6d9d0c747525fe3dee3458d2f20c235d5126d623..4b5c948eb41426c76ef1810239cb0a98f9c4f918
+++ b/security/keys/keyctl.c
goto unlock;
/* the keyrings must have the same UID */
- if ((pcred->tgcred->session_keyring &&
- !uid_eq(pcred->tgcred->session_keyring->uid, mycred->euid)) ||
- !uid_eq(mycred->tgcred->session_keyring->uid, mycred->euid))
+ if ((pcred->session_keyring &&
- pcred->session_keyring->uid != mycred->euid) ||
- mycred->session_keyring->uid != mycred->euid)
++ !uid_eq(pcred->session_keyring->uid, mycred->euid)) ||
++ !uid_eq(mycred->session_keyring->uid, mycred->euid))
goto unlock;
/* cancel an already pending keyring replacement */
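Review bot: The merged condition guards `pcred->session_keyring` against NULL before dereferencing it, but `mycred->session_keyring->uid` on the second `++` line is dereferenced unconditionally; if the caller's session keyring could be NULL at this point the second uid_eq() would fault. The enclosing function begins and ends outside the hunk, so presumably an earlier step guarantees the caller's session keyring exists by the time this check runs. A one-line comment such as `/* mycred->session_keyring is non-NULL here: <earlier step that creates it> */` above the `if` would make the asymmetry read as deliberate rather than as a missed guard.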
diff --cc security/keys/keyring.c
index 6e42df15a24c3b3509455d8afedaed3dccf66662,9270ba054a1ea57096e7bce87e766704377bf825..6ece7f2e5707f45c2736ca4a05504c2dd391ea00
+++ b/security/keys/keyring.c
/*
* Allocate a keyring and link into the destination keyring.
*/
-struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
+struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
- const struct cred *cred, unsigned long flags,
- struct key *dest)
+ const struct cred *cred, key_perm_t perm,
+ unsigned long flags, struct key *dest)
{
struct key *keyring;
int ret;
diff --cc security/keys/process_keys.c
index 86468f385fc8ef1ac0422afb117114f8d81b6ba4,b58d93892740476ed115568167d3dac8a5b2db34..58dfe089094793030f56fdb895f6621e403e4157
struct user_struct *user;
const struct cred *cred;
struct key *uid_keyring, *session_keyring;
+ key_perm_t user_keyring_perm;
char buf[20];
int ret;
+ uid_t uid;
+ user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
cred = current_cred();
user = cred->user;
+ uid = from_kuid(cred->user_ns, user->uid);
- kenter("%p{%u}", user, user->uid);
+ kenter("%p{%u}", user, uid);
if (user->uid_keyring) {
kleave(" = 0 [exist]");
uid_keyring = find_keyring_by_name(buf, true);
if (IS_ERR(uid_keyring)) {
- uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
+ uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
- cred, KEY_ALLOC_IN_QUOTA,
- NULL);
+ cred, user_keyring_perm,
+ KEY_ALLOC_IN_QUOTA, NULL);
if (IS_ERR(uid_keyring)) {
ret = PTR_ERR(uid_keyring);
goto error;
session_keyring = find_keyring_by_name(buf, true);
if (IS_ERR(session_keyring)) {
session_keyring =
- keyring_alloc(buf, user->uid, (gid_t) -1,
+ keyring_alloc(buf, user->uid, INVALID_GID,
- cred, KEY_ALLOC_IN_QUOTA, NULL);
+ cred, user_keyring_perm,
+ KEY_ALLOC_IN_QUOTA, NULL);
if (IS_ERR(session_keyring)) {
ret = PTR_ERR(session_keyring);
goto error_release;
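Review bot: `uid = from_kuid(cred->user_ns, user->uid);` returns `(uid_t)-1` when the user has no mapping in the calling cred's user namespace, and nothing in the hunk checks for that. Within the hunk the value only feeds the `kenter()` trace, but if the same `uid` is what is later formatted into `buf` (outside the hunk) for the find_keyring_by_name() lookups, every unmapped user in a namespace would resolve to the same keyring name and so be handed the same uid and session keyrings. The keyring_alloc() calls themselves pass the kuid `user->uid`, so ownership is unaffected; only the name derivation would be namespace-dependent. If that is how `buf` is built, converting with `from_kuid(&init_user_ns, user->uid)` or returning an error when `uid == (uid_t)-1` would keep the name unique, and a comment stating why the caller's namespace is the right one should be added otherwise.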
diff --cc security/keys/request_key.c
Simple merge