Hi all, Today's linux-next merge of the keys tree got a conflict in: fs/crypto/keyinfo.c between commit: feed82586191 ("fscrypt: rename keyinfo.c to keysetup.c") from the fscrypt tree and commit: f802f2b3a991 ("keys: Replace uid/gid/perm permissions checking with an ACL") from the keys tree. I fixed it up (I removed the file and added the following merge resolution patch) and can carry the fix as necessary. This is now fixed as far as linux-next is concerned, but any non trivial conflicts should be mentioned to your upstream maintainer when your tree is submitted for merging. You may also want to consider cooperating with the maintainer of the conflicting tree to minimise any particularly complex conflicts. Thanks Eric for the heads up and instructions. From: Stephen Rothwell Date: Fri, 16 Aug 2019 14:45:08 +1000 Subject: [PATCH] fscrypt: merge resolution for "keys: Replace uid/gid/perm permissions checking with an ACL" Supplied by Eric Biggers Signed-off-by: Stephen Rothwell --- fs/crypto/keyring.c | 40 +++++++++++++++++++++++++++++++++------- fs/crypto/keysetup_v1.c | 2 +- 2 files changed, 34 insertions(+), 8 deletions(-) diff --git a/fs/crypto/keyring.c b/fs/crypto/keyring.c index c34fa7c61b43..fb4f6a44ffcd 100644 --- a/fs/crypto/keyring.c +++ b/fs/crypto/keyring.c @@ -127,6 +127,35 @@ static struct key_type key_type_fscrypt_user = { .describe = fscrypt_user_key_describe, }; +static struct key_acl fscrypt_keyring_acl = { + .usage = REFCOUNT_INIT(1), + .nr_ace = 2, + .aces = { + KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_INVAL | + KEY_ACE_JOIN), + KEY_OWNER_ACE(KEY_ACE_SEARCH | KEY_ACE_INVAL | KEY_ACE_JOIN | + KEY_ACE_READ | KEY_ACE_VIEW), + } +}; + +static struct key_acl fscrypt_key_acl = { + .usage = REFCOUNT_INIT(1), + .nr_ace = 2, + .aces = { + KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_INVAL), + KEY_OWNER_ACE(KEY_ACE_SEARCH | KEY_ACE_INVAL | KEY_ACE_VIEW), + } +}; + +static struct key_acl fscrypt_user_key_acl = { + .usage = REFCOUNT_INIT(1), + .nr_ace = 2, + .aces = { + KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_INVAL), + KEY_OWNER_ACE(KEY_ACE_VIEW), + } +}; + /* Search ->s_master_keys or ->mk_users */ static struct key *search_fscrypt_keyring(struct key *keyring, struct key_type *type, @@ -203,8 +232,7 @@ static int allocate_filesystem_keyring(struct super_block *sb) format_fs_keyring_description(description, sb); keyring = keyring_alloc(description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, - current_cred(), KEY_POS_SEARCH | - KEY_USR_SEARCH | KEY_USR_READ | KEY_USR_VIEW, + current_cred(), &fscrypt_keyring_acl, KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); if (IS_ERR(keyring)) return PTR_ERR(keyring); @@ -247,8 +275,7 @@ static int allocate_master_key_users_keyring(struct fscrypt_master_key *mk) format_mk_users_keyring_description(description, mk->mk_spec.u.identifier); keyring = keyring_alloc(description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, - current_cred(), KEY_POS_SEARCH | - KEY_USR_SEARCH | KEY_USR_READ | KEY_USR_VIEW, + current_cred(), &fscrypt_keyring_acl, KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); if (IS_ERR(keyring)) return PTR_ERR(keyring); @@ -285,7 +312,7 @@ static int add_master_key_user(struct fscrypt_master_key *mk) format_mk_user_description(description, mk->mk_spec.u.identifier); mk_user = key_alloc(&key_type_fscrypt_user, description, current_fsuid(), current_gid(), current_cred(), - KEY_POS_SEARCH | KEY_USR_VIEW, 0, NULL); + &fscrypt_user_key_acl, 0, NULL); if (IS_ERR(mk_user)) return PTR_ERR(mk_user); @@ -357,8 +384,7 @@ static int add_new_master_key(struct fscrypt_master_key_secret *secret, format_mk_description(description, mk_spec); key = key_alloc(&key_type_fscrypt, description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(), - KEY_POS_SEARCH | KEY_USR_SEARCH | KEY_USR_VIEW, - KEY_ALLOC_NOT_IN_QUOTA, NULL); + &fscrypt_key_acl, KEY_ALLOC_NOT_IN_QUOTA, NULL); if (IS_ERR(key)) { err = PTR_ERR(key); goto out_free_mk; diff --git a/fs/crypto/keysetup_v1.c b/fs/crypto/keysetup_v1.c index ad1a36c370c3..0727251be865 100644 --- a/fs/crypto/keysetup_v1.c +++ b/fs/crypto/keysetup_v1.c @@ -104,7 +104,7 @@ find_and_lock_process_key(const char *prefix, if (!description) return ERR_PTR(-ENOMEM); - key = request_key(&key_type_logon, description, NULL); + key = request_key(&key_type_logon, description, NULL, NULL); kfree(description); if (IS_ERR(key)) return key; -- 2.20.1 -- Cheers, Stephen Rothwell