Linux-Next Archive on lore.kernel.org
 help / color / Atom feed
* linux-next: manual merge of the security tree with Linus' tree
@ 2019-08-12  4:48 Stephen Rothwell
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Rothwell @ 2019-08-12  4:48 UTC (permalink / raw)
  To: James Morris
  Cc: Linux Next Mailing List, Linux Kernel Mailing List,
	David Howells, Matthew Garrett, Masami Hiramatsu,
	Steven Rostedt (VMware)

[-- Attachment #1: Type: text/plain, Size: 1569 bytes --]

Hi all,

Today's linux-next merge of the security tree got a conflict in:

  kernel/trace/trace_kprobe.c

between commit:

  715fa2fd4c6c ("tracing/kprobe: Check registered state using kprobe")

from Linus' tree and commit:

  e87402c063fd ("lockdown: Lock down tracing and perf kprobes when in confidentiality mode")

from the security tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

-- 
Cheers,
Stephen Rothwell

diff --cc kernel/trace/trace_kprobe.c
index 9d483ad9bb6c,fcb28b0702b2..000000000000
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@@ -11,9 -11,8 +11,10 @@@
  #include <linux/uaccess.h>
  #include <linux/rculist.h>
  #include <linux/error-injection.h>
+ #include <linux/security.h>
  
 +#include <asm/setup.h>  /* for COMMAND_LINE_SIZE */
 +
  #include "trace_dynevent.h"
  #include "trace_kprobe_selftest.h"
  #include "trace_probe.h"
@@@ -389,7 -416,11 +390,11 @@@ static int __register_trace_kprobe(stru
  {
  	int i, ret;
  
+ 	ret = security_locked_down(LOCKDOWN_KPROBES);
+ 	if (ret)
+ 		return ret;
+ 
 -	if (trace_probe_is_registered(&tk->tp))
 +	if (trace_kprobe_is_registered(tk))
  		return -EINVAL;
  
  	if (within_notrace_func(tk)) {

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: linux-next: manual merge of the security tree with Linus' tree
  2019-08-21  3:01 Stephen Rothwell
@ 2019-08-21  3:18 ` Stephen Rothwell
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Rothwell @ 2019-08-21  3:18 UTC (permalink / raw)
  To: James Morris
  Cc: Linux Next Mailing List, Linux Kernel Mailing List, Jiri Bohac,
	Heiko Carstens, Vasily Gorbik, David Howells, Matthew Garrett

[-- Attachment #1: Type: text/plain, Size: 985 bytes --]

Hi all,

Just adding a couple of more Cc's

On Wed, 21 Aug 2019 13:01:06 +1000 Stephen Rothwell <sfr@canb.auug.org.au> wrote:
> 
> Today's linux-next merge of the security tree got conflicts in:
> 
>   arch/s390/configs/debug_defconfig
>   arch/s390/configs/defconfig
> 
> between commit:
> 
>   3361f3193c74 ("s390: update configs")
> 
> from Linus' tree and commit:
> 
>   99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")
> 
> from the security tree.
> 
> I fixed it up (the former removed the CONFIG option updated by the latter)
> and can carry the fix as necessary. This is now fixed as far as linux-next
> is concerned, but any non trivial conflicts should be mentioned to your
> upstream maintainer when your tree is submitted for merging.  You may
> also want to consider cooperating with the maintainer of the conflicting
> tree to minimise any particularly complex conflicts.

-- 
Cheers,
Stephen Rothwell

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* linux-next: manual merge of the security tree with Linus' tree
@ 2019-08-21  3:09 Stephen Rothwell
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Rothwell @ 2019-08-21  3:09 UTC (permalink / raw)
  To: James Morris
  Cc: Linux Next Mailing List, Linux Kernel Mailing List, Jiri Bohac,
	David Howells, Matthew Garrett, Heiko Carstens, Vasily Gorbik

[-- Attachment #1: Type: text/plain, Size: 795 bytes --]

Hi all,

Today's linux-next merge of the security tree got a conflict in:

  arch/s390/configs/performance_defconfig

between commit:

  d1523a8f4b8b ("s390: replace defconfig with performance_defconfig")

from Linus' tree and commit:

  99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")

from the security tree.

I fixed it up (the former removed this file) and can carry the fix as
necessary. This is now fixed as far as linux-next is concerned, but any
non trivial conflicts should be mentioned to your upstream maintainer
when your tree is submitted for merging.  You may also want to consider
cooperating with the maintainer of the conflicting tree to minimise any
particularly complex conflicts.

-- 
Cheers,
Stephen Rothwell

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* linux-next: manual merge of the security tree with Linus' tree
@ 2019-08-21  3:05 Stephen Rothwell
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Rothwell @ 2019-08-21  3:05 UTC (permalink / raw)
  To: James Morris
  Cc: Linux Next Mailing List, Linux Kernel Mailing List, Jiri Bohac,
	David Howells, Matthew Garrett, Nayna Jain, Mimi Zohar

[-- Attachment #1: Type: text/plain, Size: 1440 bytes --]

Hi all,

Today's linux-next merge of the security tree got a conflict in:

  security/integrity/ima/Kconfig

between commit:

  9e1e5d4372d6 ("x86/ima: fix the Kconfig dependency for IMA_ARCH_POLICY")

from Linus' tree and commit:

  99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")

from the security tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

-- 
Cheers,
Stephen Rothwell

diff --cc security/integrity/ima/Kconfig
index 2ced99dde694,32cd25fa44a5..000000000000
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@@ -160,8 -160,7 +160,8 @@@ config IMA_APPRAIS
  
  config IMA_ARCH_POLICY
          bool "Enable loading an IMA architecture specific policy"
-         depends on (KEXEC_VERIFY_SIG && IMA) || IMA_APPRAISE \
 -        depends on KEXEC_SIG || IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
++        depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
 +		   && INTEGRITY_ASYMMETRIC_KEYS
          default n
          help
            This option enables loading an IMA architecture specific policy

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* linux-next: manual merge of the security tree with Linus' tree
@ 2019-08-21  3:01 Stephen Rothwell
  2019-08-21  3:18 ` Stephen Rothwell
  0 siblings, 1 reply; 14+ messages in thread
From: Stephen Rothwell @ 2019-08-21  3:01 UTC (permalink / raw)
  To: James Morris
  Cc: Linux Next Mailing List, Linux Kernel Mailing List, Jiri Bohac,
	Heiko Carstens, Vasily Gorbik

[-- Attachment #1: Type: text/plain, Size: 915 bytes --]

Hi all,

FIXME: Add owner of second tree to To:
       Add author(s)/SOB of conflicting commits.

Today's linux-next merge of the security tree got conflicts in:

  arch/s390/configs/debug_defconfig
  arch/s390/configs/defconfig

between commit:

  3361f3193c74 ("s390: update configs")

from Linus' tree and commit:

  99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")

from the security tree.

I fixed it up (the former removed the CONFIG option updated by the latter)
and can carry the fix as necessary. This is now fixed as far as linux-next
is concerned, but any non trivial conflicts should be mentioned to your
upstream maintainer when your tree is submitted for merging.  You may
also want to consider cooperating with the maintainer of the conflicting
tree to minimise any particularly complex conflicts.



-- 
Cheers,
Stephen Rothwell

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* linux-next: manual merge of the security tree with Linus' tree
@ 2015-08-04  1:14 Stephen Rothwell
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Rothwell @ 2015-08-04  1:14 UTC (permalink / raw)
  To: James Morris; +Cc: linux-next, linux-kernel, Salvatore Mesoraca, Kees Cook

Hi James,

Today's linux-next merge of the security tree got a conflict in:

  security/yama/yama_lsm.c

between commit:

  5413fcdbe9e7 ("Adding YAMA hooks also when YAMA is not stacked.")

from Linus' tree and commit:

  730daa164e7c ("Yama: remove needless CONFIG_SECURITY_YAMA_STACKED")

from the security tree.

I fixed it up (the latter removed the code updated by the former, so I
just did that) and can carry the fix as necessary (no action is required).

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au

^ permalink raw reply	[flat|nested] 14+ messages in thread

* linux-next: manual merge of the security tree with Linus' tree
@ 2013-02-04  3:06 Stephen Rothwell
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Rothwell @ 2013-02-04  3:06 UTC (permalink / raw)
  To: James Morris; +Cc: linux-next, linux-kernel, YOSHIFUJI Hideaki, Dmitry Kasatkin

[-- Attachment #1: Type: text/plain, Size: 996 bytes --]

Hi James,

Today's linux-next merge of the security tree got a conflict in
lib/digsig.c between commit 7810cc1e7721 ("digsig: Fix memory leakage in
digsig_verify_rsa()") from Linus' tree and commit 26d438457ed1 ("digsig:
remove unnecessary memory allocation and copying") from the security tree.

I fixed it up (see below) and can carry the fix as necessary (no action
is required).

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au

diff --cc lib/digsig.c
index dc2be7e,0103c5b..0000000
--- a/lib/digsig.c
+++ b/lib/digsig.c
@@@ -162,13 -152,9 +152,11 @@@ static int digsig_verify_rsa(struct ke
  	memset(out1, 0, head);
  	memcpy(out1 + head, p, l);
  
 +	kfree(p);
 +
- 	err = pkcs_1_v1_5_decode_emsa(out1, len, mblen, out2, &len);
- 	if (err)
- 		goto err;
+ 	m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, &len);
  
- 	if (len != hlen || memcmp(out2, h, hlen))
+ 	if (!m || len != hlen || memcmp(m, h, hlen))
  		err = -EINVAL;
  
  err:

[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: linux-next: manual merge of the security tree with Linus' tree
  2013-01-21  3:10 ` Mimi Zohar
@ 2013-01-21  4:30   ` Stephen Rothwell
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Rothwell @ 2013-01-21  4:30 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: James Morris, linux-next, linux-kernel, Dmitry Kasatkin

[-- Attachment #1: Type: text/plain, Size: 848 bytes --]

Hi Mimi,

On Sun, 20 Jan 2013 22:10:23 -0500 Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> Sorry Stephen, the merged result should look like what's contained in
> linux-integrity/next-upstreamed-patches:
> 
> int ima_module_check(struct file *file)
> {
>         if (!file) {
>                 if ((ima_appraise & IMA_APPRAISE_MODULES) &&
>                     (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> #ifndef CONFIG_MODULE_SIG_FORCE
>                         return -EACCES; /* INTEGRITY_UNKNOWN */
> #endif
>                 }
>                 return 0;
>         }
>         return process_measurement(file, file->f_dentry->d_name.name,
>                                    MAY_EXEC, MODULE_CHECK);
> }

OK, I will use that version tomorrow.

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au

[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: linux-next: manual merge of the security tree with Linus' tree
  2013-01-21  2:12 Stephen Rothwell
@ 2013-01-21  3:10 ` Mimi Zohar
  2013-01-21  4:30   ` Stephen Rothwell
  0 siblings, 1 reply; 14+ messages in thread
From: Mimi Zohar @ 2013-01-21  3:10 UTC (permalink / raw)
  To: Stephen Rothwell; +Cc: James Morris, linux-next, linux-kernel, Dmitry Kasatkin

On Mon, 2013-01-21 at 13:12 +1100, Stephen Rothwell wrote:
> Hi James,
> 
> Today's linux-next merge of the security tree got a conflict in
> security/integrity/ima/ima_main.c between commit a7f2a366f623 ("ima:
> fallback to MODULE_SIG_ENFORCE for existing kernel module syscall") from
> Linus' tree and commit 750943a30714 ("ima: remove enforce checking
> duplication") from the security tree.
> 
> I think I fixed it up (see below).

Sorry Stephen, the merged result should look like what's contained in
linux-integrity/next-upstreamed-patches:

int ima_module_check(struct file *file)
{
        if (!file) {
                if ((ima_appraise & IMA_APPRAISE_MODULES) &&
                    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
#ifndef CONFIG_MODULE_SIG_FORCE
                        return -EACCES; /* INTEGRITY_UNKNOWN */
#endif
                }
                return 0;
        }
        return process_measurement(file, file->f_dentry->d_name.name,
                                   MAY_EXEC, MODULE_CHECK);
}

thanks,

Mimi

^ permalink raw reply	[flat|nested] 14+ messages in thread

* linux-next: manual merge of the security tree with Linus' tree
@ 2013-01-21  2:12 Stephen Rothwell
  2013-01-21  3:10 ` Mimi Zohar
  0 siblings, 1 reply; 14+ messages in thread
From: Stephen Rothwell @ 2013-01-21  2:12 UTC (permalink / raw)
  To: James Morris; +Cc: linux-next, linux-kernel, Mimi Zohar, Dmitry Kasatkin

[-- Attachment #1: Type: text/plain, Size: 1357 bytes --]

Hi James,

Today's linux-next merge of the security tree got a conflict in
security/integrity/ima/ima_main.c between commit a7f2a366f623 ("ima:
fallback to MODULE_SIG_ENFORCE for existing kernel module syscall") from
Linus' tree and commit 750943a30714 ("ima: remove enforce checking
duplication") from the security tree.

I think I fixed it up (see below).

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au

diff --cc security/integrity/ima/ima_main.c
index dba965d,cd00ba3..0000000
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@@ -291,18 -275,10 +275,18 @@@ EXPORT_SYMBOL_GPL(ima_file_check)
   */
  int ima_module_check(struct file *file)
  {
- 	int rc = 0;
- 
 -	if (!file)
 +	if (!file) {
 +		if (ima_appraise & IMA_APPRAISE_MODULES) {
 +#ifndef CONFIG_MODULE_SIG_FORCE
- 			rc = -EACCES;	/* INTEGRITY_UNKNOWN */
++			return -EACCES;	/* INTEGRITY_UNKNOWN */
++#else
++			return 0;
 +#endif
 +		}
- 	} else
- 		rc = process_measurement(file, file->f_dentry->d_name.name,
- 					 MAY_EXEC, MODULE_CHECK);
- 	return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;
+ 		return -EACCES;	/* INTEGRITY_UNKNOWN */
++	}
+ 	return process_measurement(file, file->f_dentry->d_name.name,
+ 				   MAY_EXEC, MODULE_CHECK);
  }
  
  static int __init init_ima(void)

[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: linux-next: manual merge of the security tree with Linus' tree
  2012-10-17  0:41 Stephen Rothwell
@ 2012-10-17  0:52 ` Stephen Rothwell
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Rothwell @ 2012-10-17  0:52 UTC (permalink / raw)
  To: James Morris; +Cc: linux-next, linux-kernel, David Howells, Eric W. Biederman

[-- Attachment #1: Type: text/plain, Size: 1532 bytes --]

Hi James,

On Wed, 17 Oct 2012 11:41:57 +1100 Stephen Rothwell <sfr@canb.auug.org.au> wrote:
>
> Today's linux-next merge of the security tree got a conflict in
> net/dns_resolver/dns_key.c between commit c6089735e724 ("userns: net:
> Call key_alloc with GLOBAL_ROOT_UID, GLOBAL_ROOT_GID instead of 0, 0")
> from Linus' tree and commit f8aa23a55f81 ("KEYS: Use keyring_alloc() to
> create special keyrings") from the security tree.
> 
> I fixed it up (see below) and can carry the fix as necessary (no action
> is required).
> 
> -- 
> Cheers,
> Stephen Rothwell                    sfr@canb.auug.org.au
> 
> diff --cc net/dns_resolver/dns_key.c
> index 8aa4b11,b53bb4a..0000000
> --- a/net/dns_resolver/dns_key.c
> +++ b/net/dns_resolver/dns_key.c
> @@@ -259,11 -259,10 +259,11 @@@ static int __init init_dns_resolver(voi
>   	if (!cred)
>   		return -ENOMEM;
>   
> - 	keyring = key_alloc(&key_type_keyring, ".dns_resolver",
>  -	keyring = keyring_alloc(".dns_resolver", 0, 0, cred,
>  -				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
>  -				KEY_USR_VIEW | KEY_USR_READ,
>  -				KEY_ALLOC_NOT_IN_QUOTA, NULL);
> ++	keyring = keyring_alloc(".dns_resolver",
>  +			    GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
>  +			    (KEY_POS_ALL & ~KEY_POS_SETATTR) |
>  +			    KEY_USR_VIEW | KEY_USR_READ,
>  +			    KEY_ALLOC_NOT_IN_QUOTA);

Oops, there should be a ", NULL" before the closing parenthesis above.  I
fixed that in my tree.

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au

[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* linux-next: manual merge of the security tree with Linus' tree
@ 2012-10-17  0:41 Stephen Rothwell
  2012-10-17  0:52 ` Stephen Rothwell
  0 siblings, 1 reply; 14+ messages in thread
From: Stephen Rothwell @ 2012-10-17  0:41 UTC (permalink / raw)
  To: James Morris; +Cc: linux-next, linux-kernel, David Howells, Eric W. Biederman

[-- Attachment #1: Type: text/plain, Size: 1292 bytes --]

Hi James,

Today's linux-next merge of the security tree got a conflict in
net/dns_resolver/dns_key.c between commit c6089735e724 ("userns: net:
Call key_alloc with GLOBAL_ROOT_UID, GLOBAL_ROOT_GID instead of 0, 0")
from Linus' tree and commit f8aa23a55f81 ("KEYS: Use keyring_alloc() to
create special keyrings") from the security tree.

I fixed it up (see below) and can carry the fix as necessary (no action
is required).

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au

diff --cc net/dns_resolver/dns_key.c
index 8aa4b11,b53bb4a..0000000
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@@ -259,11 -259,10 +259,11 @@@ static int __init init_dns_resolver(voi
  	if (!cred)
  		return -ENOMEM;
  
- 	keyring = key_alloc(&key_type_keyring, ".dns_resolver",
 -	keyring = keyring_alloc(".dns_resolver", 0, 0, cred,
 -				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
 -				KEY_USR_VIEW | KEY_USR_READ,
 -				KEY_ALLOC_NOT_IN_QUOTA, NULL);
++	keyring = keyring_alloc(".dns_resolver",
 +			    GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
 +			    (KEY_POS_ALL & ~KEY_POS_SETATTR) |
 +			    KEY_USR_VIEW | KEY_USR_READ,
 +			    KEY_ALLOC_NOT_IN_QUOTA);
  	if (IS_ERR(keyring)) {
  		ret = PTR_ERR(keyring);
  		goto failed_put_cred;

[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* linux-next: manual merge of the security tree with Linus' tree
@ 2012-10-17  0:41 Stephen Rothwell
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Rothwell @ 2012-10-17  0:41 UTC (permalink / raw)
  To: James Morris; +Cc: linux-next, linux-kernel, Eric W. Biederman, David Howells

[-- Attachment #1: Type: text/plain, Size: 1285 bytes --]

Hi James,

Today's linux-next merge of the security tree got a conflict in
security/keys/keyctl.c between commit 9a56c2db49e7 ("userns: Convert
security/keys to the new userns infrastructure") from Linus' tree and
commit 3a50597de863 ("KEYS: Make the session and process keyrings
per-thread") from the security tree.

I fixed it up (see below) and can carry the fix as necessary (no action
is required).

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au

diff --cc security/keys/keyctl.c
index 5d34b4e,6d9d0c7..0000000
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@@ -1535,9 -1527,9 +1536,9 @@@ long keyctl_session_to_parent(void
  		goto unlock;
  
  	/* the keyrings must have the same UID */
- 	if ((pcred->tgcred->session_keyring &&
- 	     !uid_eq(pcred->tgcred->session_keyring->uid, mycred->euid)) ||
- 	    !uid_eq(mycred->tgcred->session_keyring->uid, mycred->euid))
+ 	if ((pcred->session_keyring &&
 -	     pcred->session_keyring->uid != mycred->euid) ||
 -	    mycred->session_keyring->uid != mycred->euid)
++	     !uid_eq(pcred->session_keyring->uid, mycred->euid)) ||
++	    !uid_eq(mycred->session_keyring->uid, mycred->euid))
  		goto unlock;
  
  	/* cancel an already pending keyring replacement */

[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* linux-next: manual merge of the security tree with Linus' tree
@ 2012-10-17  0:41 Stephen Rothwell
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Rothwell @ 2012-10-17  0:41 UTC (permalink / raw)
  To: James Morris; +Cc: linux-next, linux-kernel, Eric W. Biederman, David Howells

[-- Attachment #1: Type: text/plain, Size: 2763 bytes --]

Hi James,

Today's linux-next merge of the security tree got conflicts in
security/keys/keyring.c and security/keys/process_keys.c between commit
9a56c2db49e7 ("userns: Convert security/keys to the new userns
infrastructure") from Linus' tree and commit 96b5c8fea6c0 ("KEYS: Reduce
initial permissions on keys") from the security tree.

I fixed it up (see below) and can carry the fix as necessary (no action
is required).

-- 
Cheers,
Stephen Rothwell                    sfr@canb.auug.org.au

diff --cc security/keys/keyring.c
index 6e42df1,9270ba0..0000000
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@@ -256,9 -256,9 +256,9 @@@ error
  /*
   * Allocate a keyring and link into the destination keyring.
   */
 -struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
 +struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
- 			  const struct cred *cred, unsigned long flags,
- 			  struct key *dest)
+ 			  const struct cred *cred, key_perm_t perm,
+ 			  unsigned long flags, struct key *dest)
  {
  	struct key *keyring;
  	int ret;
diff --cc security/keys/process_keys.c
index a58f712,b58d938..0000000
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@@ -45,15 -46,15 +45,17 @@@ int install_user_keyrings(void
  	struct user_struct *user;
  	const struct cred *cred;
  	struct key *uid_keyring, *session_keyring;
+ 	key_perm_t user_keyring_perm;
  	char buf[20];
  	int ret;
 +	uid_t uid;
  
+ 	user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
  	cred = current_cred();
  	user = cred->user;
 +	uid = from_kuid(cred->user_ns, user->uid);
  
 -	kenter("%p{%u}", user, user->uid);
 +	kenter("%p{%u}", user, uid);
  
  	if (user->uid_keyring) {
  		kleave(" = 0 [exist]");
@@@ -72,9 -73,9 +74,9 @@@
  
  		uid_keyring = find_keyring_by_name(buf, true);
  		if (IS_ERR(uid_keyring)) {
 -			uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
 +			uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
- 						    cred, KEY_ALLOC_IN_QUOTA,
- 						    NULL);
+ 						    cred, user_keyring_perm,
+ 						    KEY_ALLOC_IN_QUOTA, NULL);
  			if (IS_ERR(uid_keyring)) {
  				ret = PTR_ERR(uid_keyring);
  				goto error;
@@@ -88,8 -89,9 +90,9 @@@
  		session_keyring = find_keyring_by_name(buf, true);
  		if (IS_ERR(session_keyring)) {
  			session_keyring =
 -				keyring_alloc(buf, user->uid, (gid_t) -1,
 +				keyring_alloc(buf, user->uid, INVALID_GID,
- 					      cred, KEY_ALLOC_IN_QUOTA, NULL);
+ 					      cred, user_keyring_perm,
+ 					      KEY_ALLOC_IN_QUOTA, NULL);
  			if (IS_ERR(session_keyring)) {
  				ret = PTR_ERR(session_keyring);
  				goto error_release;

[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, back to index

Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-12  4:48 linux-next: manual merge of the security tree with Linus' tree Stephen Rothwell
  -- strict thread matches above, loose matches on Subject: below --
2019-08-21  3:09 Stephen Rothwell
2019-08-21  3:05 Stephen Rothwell
2019-08-21  3:01 Stephen Rothwell
2019-08-21  3:18 ` Stephen Rothwell
2015-08-04  1:14 Stephen Rothwell
2013-02-04  3:06 Stephen Rothwell
2013-01-21  2:12 Stephen Rothwell
2013-01-21  3:10 ` Mimi Zohar
2013-01-21  4:30   ` Stephen Rothwell
2012-10-17  0:41 Stephen Rothwell
2012-10-17  0:52 ` Stephen Rothwell
2012-10-17  0:41 Stephen Rothwell
2012-10-17  0:41 Stephen Rothwell

Linux-Next Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-next/0 linux-next/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-next linux-next/ https://lore.kernel.org/linux-next \
		linux-next@vger.kernel.org linux-next@archiver.kernel.org
	public-inbox-index linux-next


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-next


AGPL code for this site: git clone https://public-inbox.org/ public-inbox