linux-next: manual merge of the keys tree with the integrity tree

linux-next: manual merge of the keys tree with the integrity tree

[Stephen Rothwell]

[-- Attachment #1: Type: text/plain, Size: 1395 bytes --]

Hi all,

Today's linux-next merge of the keys tree got a conflict in:

  security/integrity/digsig.c

between commit:

  8c655784e2cf ("integrity: Fix __integrity_init_keyring() section mismatch")

from the integrity tree and commit:

  79512db59dc8 ("keys: Replace uid/gid/perm permissions checking with an ACL")

from the keys tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

-- 
Cheers,
Stephen Rothwell

diff --cc security/integrity/digsig.c
index 868ade3e8970,e432900c00b9..000000000000
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@@ -69,9 -70,8 +70,9 @@@ int integrity_digsig_verify(const unsig
  	return -EOPNOTSUPP;
  }
  
 -static int __integrity_init_keyring(const unsigned int id, struct key_acl *acl,
 -				    struct key_restriction *restriction)
 +static int __init __integrity_init_keyring(const unsigned int id,
- 					   key_perm_t perm,
++					   struct key_acl *acl,
 +					   struct key_restriction *restriction)
  {
  	const struct cred *cred = current_cred();
  	int err = 0;

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: linux-next: manual merge of the keys tree with the integrity tree

[Stephen Rothwell]

[-- Attachment #1: Type: text/plain, Size: 1730 bytes --]

Hi all,

On Wed, 26 Jun 2019 14:33:33 +1000 Stephen Rothwell <sfr@canb.auug.org.au> wrote:
> 
> Today's linux-next merge of the keys tree got a conflict in:
> 
>   security/integrity/digsig.c
> 
> between commit:
> 
>   8c655784e2cf ("integrity: Fix __integrity_init_keyring() section mismatch")
> 
> from the integrity tree and commit:
> 
>   79512db59dc8 ("keys: Replace uid/gid/perm permissions checking with an ACL")
> 
> from the keys tree.
> 
> I fixed it up (see below) and can carry the fix as necessary. This
> is now fixed as far as linux-next is concerned, but any non trivial
> conflicts should be mentioned to your upstream maintainer when your tree
> is submitted for merging.  You may also want to consider cooperating
> with the maintainer of the conflicting tree to minimise any particularly
> complex conflicts.
> 
> -- 
> Cheers,
> Stephen Rothwell
> 
> diff --cc security/integrity/digsig.c
> index 868ade3e8970,e432900c00b9..000000000000
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@@ -69,9 -70,8 +70,9 @@@ int integrity_digsig_verify(const unsig
>   	return -EOPNOTSUPP;
>   }
>   
>  -static int __integrity_init_keyring(const unsigned int id, struct key_acl *acl,
>  -				    struct key_restriction *restriction)
>  +static int __init __integrity_init_keyring(const unsigned int id,
> - 					   key_perm_t perm,
> ++					   struct key_acl *acl,
>  +					   struct key_restriction *restriction)
>   {
>   	const struct cred *cred = current_cred();
>   	int err = 0;

I am still getting this conflict (the commit ids may have changed).
Just a reminder in case you think Linus may need to know.

-- 
Cheers,
Stephen Rothwell

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: linux-next: manual merge of the keys tree with the integrity tree

[Mimi Zohar]

Hi Stephen,

On Tue, 2019-07-09 at 10:11 +1000, Stephen Rothwell wrote:
> > diff --cc security/integrity/digsig.c
> > index 868ade3e8970,e432900c00b9..000000000000
> > --- a/security/integrity/digsig.c
> > +++ b/security/integrity/digsig.c
> > @@@ -69,9 -70,8 +70,9 @@@ int integrity_digsig_verify(const unsig
> >   	return -EOPNOTSUPP;
> >   }
> >   
> >  -static int __integrity_init_keyring(const unsigned int id, struct key_acl *acl,
> >  -				    struct key_restriction *restriction)
> >  +static int __init __integrity_init_keyring(const unsigned int id,
> > - 					   key_perm_t perm,
> > ++					   struct key_acl *acl,
> >  +					   struct key_restriction *restriction)
> >   {
> >   	const struct cred *cred = current_cred();
> >   	int err = 0;
> 
> I am still getting this conflict (the commit ids may have changed).
> Just a reminder in case you think Linus may need to know.

Thank you for carrying the patch!  I did remember to mention it in the
pull request.  :)

Mimi

Re: linux-next: manual merge of the keys tree with the integrity tree

[Stephen Rothwell]

[-- Attachment #1: Type: text/plain, Size: 235 bytes --]

Hi Mimi,

On Mon, 08 Jul 2019 20:31:35 -0400 Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> Thank you for carrying the patch!  I did remember to mention it in the
> pull request.  :)

Excellent!

-- 
Cheers,
Stephen Rothwell

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

linux-next: manual merge of the keys tree with the integrity tree

[Stephen Rothwell]

[-- Attachment #1: Type: text/plain, Size: 3403 bytes --]

Hi all,

Today's linux-next merge of the keys tree got a conflict in:

  certs/system_keyring.c

between commit:

  df73a4001959 ("ima: enable loading of build time generated key on .ima keyring")

from the integrity tree and commit:

  9536390dcc8c ("certs: Move load_system_certificate_list to a common function")

from the keys tree.

I fixed it up (I think - see below) and can carry the fix as
necessary. This is now fixed as far as linux-next is concerned, but any
non trivial conflicts should be mentioned to your upstream maintainer
when your tree is submitted for merging.  You may also want to consider
cooperating with the maintainer of the conflicting tree to minimise any
particularly complex conflicts.

-- 
Cheers,
Stephen Rothwell

diff --cc certs/system_keyring.c
index bb122bf4cc17,0c9a4795e847..000000000000
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@@ -133,85 -133,15 +134,34 @@@ static __init int system_trusted_keyrin
   */
  device_initcall(system_trusted_keyring_init);
  
- static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring)
- {
- 	key_ref_t key;
- 	size_t plen;
- 
- 	while (p < end) {
- 		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
- 		 * than 256 bytes in size.
- 		 */
- 		if (end - p < 4)
- 			goto dodgy_cert;
- 		if (p[0] != 0x30 &&
- 		    p[1] != 0x82)
- 			goto dodgy_cert;
- 		plen = (p[2] << 8) | p[3];
- 		plen += 4;
- 		if (plen > end - p)
- 			goto dodgy_cert;
- 
- 		key = key_create_or_update(make_key_ref(keyring, 1),
- 					   "asymmetric",
- 					   NULL,
- 					   p,
- 					   plen,
- 					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
- 					   KEY_USR_VIEW | KEY_USR_READ),
- 					   KEY_ALLOC_NOT_IN_QUOTA |
- 					   KEY_ALLOC_BUILT_IN |
- 					   KEY_ALLOC_BYPASS_RESTRICTION);
- 		if (IS_ERR(key)) {
- 			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
- 			       PTR_ERR(key));
- 		} else {
- 			pr_notice("Loaded X.509 cert '%s'\n",
- 				  key_ref_to_ptr(key)->description);
- 			key_ref_put(key);
- 		}
- 		p += plen;
- 	}
- 
- 	return 0;
- 
- dodgy_cert:
- 	pr_err("Problem parsing in-kernel X.509 certificate list\n");
- 	return 0;
- }
- 
 +__init int load_module_cert(struct key *keyring)
 +{
- 	const u8 *p, *end;
- 
 +	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
 +		return 0;
 +
 +	pr_notice("Loading compiled-in module X.509 certificates\n");
 +
- 	p = system_certificate_list;
- 	end = p + module_cert_size;
- 
- 	return load_cert(p, end, keyring);
++	return load_certificate_list(system_certificate_list, module_cert_size,
++				     keyring);
 +}
 +
  /*
   * Load the compiled-in list of X.509 certificates.
   */
  static __init int load_system_certificate_list(void)
  {
- 	const u8 *p, *end;
++	const u8 *p;
 +
  	pr_notice("Loading compiled-in X.509 certificates\n");
  
 -	return load_certificate_list(system_certificate_list, system_certificate_list_size,
 +#ifdef CONFIG_MODULE_SIG
 +	p = system_certificate_list;
 +#else
 +	p = system_certificate_list + module_cert_size;
 +#endif
 +
- 	end = p + system_certificate_list_size;
- 	return load_cert(p, end, builtin_trusted_keys);
++	return load_certificate_list(p, system_certificate_list_size,
+ 				     builtin_trusted_keys);
  }
  late_initcall(load_system_certificate_list);
  

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

linux-next: manual merge of the keys tree with the integrity tree

[Stephen Rothwell]

[-- Attachment #1: Type: text/plain, Size: 3585 bytes --]

Hi all,

FIXME: Add owner of second tree to To:
       Add author(s)/SOB of conflicting commits.

Today's linux-next merge of the keys tree got a conflict in:

  certs/system_keyring.c

between commit:

  6cbdfb3d91ba ("ima: enable loading of build time generated key on .ima keyring")

from the integrity tree and commit:

  9536390dcc8c ("certs: Move load_system_certificate_list to a common function")

from the keys tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

-- 
Cheers,
Stephen Rothwell

diff --cc certs/system_keyring.c
index 2b3ad375ecc1,0c9a4795e847..000000000000
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@@ -133,88 -133,15 +134,36 @@@ static __init int system_trusted_keyrin
   */
  device_initcall(system_trusted_keyring_init);
  
- static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring)
- {
- 	key_ref_t key;
- 	size_t plen;
- 
- 	while (p < end) {
- 		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
- 		 * than 256 bytes in size.
- 		 */
- 		if (end - p < 4)
- 			goto dodgy_cert;
- 		if (p[0] != 0x30 &&
- 		    p[1] != 0x82)
- 			goto dodgy_cert;
- 		plen = (p[2] << 8) | p[3];
- 		plen += 4;
- 		if (plen > end - p)
- 			goto dodgy_cert;
- 
- 		key = key_create_or_update(make_key_ref(keyring, 1),
- 					   "asymmetric",
- 					   NULL,
- 					   p,
- 					   plen,
- 					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
- 					   KEY_USR_VIEW | KEY_USR_READ),
- 					   KEY_ALLOC_NOT_IN_QUOTA |
- 					   KEY_ALLOC_BUILT_IN |
- 					   KEY_ALLOC_BYPASS_RESTRICTION);
- 		if (IS_ERR(key)) {
- 			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
- 			       PTR_ERR(key));
- 		} else {
- 			pr_notice("Loaded X.509 cert '%s'\n",
- 				  key_ref_to_ptr(key)->description);
- 			key_ref_put(key);
- 		}
- 		p += plen;
- 	}
- 
- 	return 0;
- 
- dodgy_cert:
- 	pr_err("Problem parsing in-kernel X.509 certificate list\n");
- 	return 0;
- }
- 
 +__init int load_module_cert(struct key *keyring)
 +{
- 	const u8 *p, *end;
- 
 +	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
 +		return 0;
 +
 +	pr_notice("Loading compiled-in module X.509 certificates\n");
 +
- 	p = system_certificate_list;
- 	end = p + module_cert_size;
- 
- 	return load_cert(p, end, keyring);
++	return load_certificate_list(system_certificate_list, module_cert_size,
++				     keyring);
 +}
 +
  /*
   * Load the compiled-in list of X.509 certificates.
   */
  static __init int load_system_certificate_list(void)
  {
- 	const u8 *p, *end;
++	const u8 *p;
 +	unsigned long size;
 +
  	pr_notice("Loading compiled-in X.509 certificates\n");
  
 -	return load_certificate_list(system_certificate_list, system_certificate_list_size,
 -				     builtin_trusted_keys);
 +#ifdef CONFIG_MODULE_SIG
 +	p = system_certificate_list;
 +	size = system_certificate_list_size;
 +#else
 +	p = system_certificate_list + module_cert_size;
 +	size = system_certificate_list_size - module_cert_size;
 +#endif
 +
- 	end = p + size;
- 	return load_cert(p, end, builtin_trusted_keys);
++	return load_certificate_list(p, size, builtin_trusted_keys);
  }
  late_initcall(load_system_certificate_list);
  

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]