hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'next-queue' into next

This commit is contained in:
James Morris 2012-02-09 17:02:34 +11:00
parent 2eb6038c51 4c2c392763
commit 9e3ff38647
10 changed files with 28 additions and 3 deletions
Documentation
networking
dns_resolver.txt
security
keys.txt
drivers/char/tpm
Kconfig
fs
cifs
cifsacl.c
nfs
idmap.c
include/linux
key.h
net/dns_resolver
dns_key.c
security
integrity/ima
Kconfigima_policy.c
keys
keyctl.c

4
Documentation/networking/dns_resolver.txt
View File

@ -102,6 +102,10 @@ implemented in the module can be called after doing:
If _expiry is non-NULL, the expiry time (TTL) of the result will be If _expiry is non-NULL, the expiry time (TTL) of the result will be
returned also. returned also.
The kernel maintains an internal keyring in which it caches looked up keys.
This can be cleared by any process that has the CAP_SYS_ADMIN capability by
the use of KEYCTL_KEYRING_CLEAR on the keyring ID.
=============================== ===============================
READING DNS KEYS FROM USERSPACE READING DNS KEYS FROM USERSPACE

4
Documentation/security/keys.txt
View File

@ -554,6 +554,10 @@ The keyctl syscall functions are:
process must have write permission on the keyring, and it must be a process must have write permission on the keyring, and it must be a
keyring (or else error ENOTDIR will result). keyring (or else error ENOTDIR will result).
This function can also be used to clear special kernel keyrings if they
are appropriately marked if the user has CAP_SYS_ADMIN capability. The
DNS resolver cache keyring is an example of this.
(*) Link a key into a keyring: (*) Link a key into a keyring:

1
drivers/char/tpm/Kconfig
View File

@ -5,7 +5,6 @@
menuconfig TCG_TPM menuconfig TCG_TPM
tristate "TPM Hardware Support" tristate "TPM Hardware Support"
depends on HAS_IOMEM depends on HAS_IOMEM
depends on EXPERIMENTAL
select SECURITYFS select SECURITYFS
---help--- ---help---
If you have a TPM security chip in your system, which If you have a TPM security chip in your system, which

1
fs/cifs/cifsacl.c
View File

@ -556,6 +556,7 @@ init_cifs_idmap(void)
/* instruct request_key() to use this special keyring as a cache for /* instruct request_key() to use this special keyring as a cache for
* the results it looks up */ * the results it looks up */
set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
cred->thread_keyring = keyring; cred->thread_keyring = keyring;
cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING; cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
root_cred = cred; root_cred = cred;

1
fs/nfs/idmap.c
View File

@ -198,6 +198,7 @@ int nfs_idmap_init(void)
if (ret < 0) if (ret < 0)
goto failed_put_key; goto failed_put_key;
set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
cred->thread_keyring = keyring; cred->thread_keyring = keyring;
cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING; cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
id_resolver_cache = cred; id_resolver_cache = cred;

1
include/linux/key.h
View File

@ -155,6 +155,7 @@ struct key {
#define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */ #define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */
#define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */ #define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */
#define KEY_FLAG_NEGATIVE 5 /* set if key is negative */ #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
/* the description string /* the description string
* - this is used to match a key against search criteria * - this is used to match a key against search criteria

1
net/dns_resolver/dns_key.c
View File

@ -281,6 +281,7 @@ static int __init init_dns_resolver(void)
/* instruct request_key() to use this special keyring as a cache for /* instruct request_key() to use this special keyring as a cache for
* the results it looks up */ * the results it looks up */
set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
cred->thread_keyring = keyring; cred->thread_keyring = keyring;
cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING; cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
dns_resolver_cache = cred; dns_resolver_cache = cred;

2
security/integrity/ima/Kconfig
View File

@ -9,7 +9,7 @@ config IMA
select CRYPTO_HMAC select CRYPTO_HMAC
select CRYPTO_MD5 select CRYPTO_MD5
select CRYPTO_SHA1 select CRYPTO_SHA1
select TCG_TPM if !S390 && !UML select TCG_TPM if HAS_IOMEM && !UML
select TCG_TIS if TCG_TPM select TCG_TIS if TCG_TPM
help help
The Trusted Computing Group(TCG) runtime Integrity The Trusted Computing Group(TCG) runtime Integrity

1
security/integrity/ima/ima_policy.c
View File

@ -62,6 +62,7 @@ static struct ima_measure_rule_entry default_rules[] = {
{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC}, {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
{.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC}, {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
{.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC}, {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
{.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
{.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC}, {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
{.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC}, {.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
{.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC, {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,

15
security/keys/keyctl.c
View File

@ -388,11 +388,24 @@ long keyctl_keyring_clear(key_serial_t ringid)
keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE); keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
if (IS_ERR(keyring_ref)) { if (IS_ERR(keyring_ref)) {
ret = PTR_ERR(keyring_ref); ret = PTR_ERR(keyring_ref);
/* Root is permitted to invalidate certain special keyrings */
if (capable(CAP_SYS_ADMIN)) {
keyring_ref = lookup_user_key(ringid, 0, 0);
if (IS_ERR(keyring_ref))
goto error;
if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,
&key_ref_to_ptr(keyring_ref)->flags))
goto clear;
goto error_put;
}
goto error; goto error;
} }
clear:
ret = keyring_clear(key_ref_to_ptr(keyring_ref)); ret = keyring_clear(key_ref_to_ptr(keyring_ref));
error_put:
key_ref_put(keyring_ref); key_ref_put(keyring_ref);
error: error:
return ret; return ret;