Commit 0f221a31 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 

Pull security subsystem fixes from James Morris:
 "Two fixes for the security subsystem:

   - keys: split both rcu_dereference_key() and user_key_payload() into
     versions which can be called with or without holding the key
     semaphore.

   - SELinux: fix Android init(8) breakage due to new cgroup security
     labeling support when using older policy"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  selinux: wrap cgroup seclabel support with its own policy capability
  KEYS: Differentiate uses of rcu_dereference_key() and user_key_payload()
parents 4f1f2b8f 2651225b

Documentation/security/keys.txt

+15 −2
Original line number Diff line number Diff line
@@ -1151,8 +1151,21 @@ access the data: 
     usage.  This is called key->payload.rcu_data0.  The following accessors

     wrap the RCU calls to this element:



     (a) Set or change the first payload pointer:



		rcu_assign_keypointer(struct key *key, void *data);

	void *rcu_dereference_key(struct key *key);



     (b) Read the first payload pointer with the key semaphore held:



		[const] void *dereference_key_locked([const] struct key *key);



	 Note that the return value will inherit its constness from the key

	 parameter.  Static analysis will give an error if it things the lock

	 isn't held.



     (c) Read the first payload pointer with the RCU read lock held:



		const void *dereference_key_rcu(const struct key *key);





===================

drivers/md/dm-crypt.c

+1 −1
Original line number Diff line number Diff line
@@ -1536,7 +1536,7 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string 


	down_read(&key->sem);



	ukp = user_key_payload(key);

	ukp = user_key_payload_locked(key);

	if (!ukp) {

		up_read(&key->sem);

		key_put(key);

fs/cifs/connect.c

+1 −1
Original line number Diff line number Diff line
@@ -2455,7 +2455,7 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) 
	}



	down_read(&key->sem);

	upayload = user_key_payload(key);

	upayload = user_key_payload_locked(key);

	if (IS_ERR_OR_NULL(upayload)) {

		rc = upayload ? PTR_ERR(upayload) : -EINVAL;

		goto out_key_put;

fs/crypto/keyinfo.c

+1 −1
Original line number Diff line number Diff line
@@ -103,7 +103,7 @@ static int validate_user_key(struct fscrypt_info *crypt_info, 
		goto out;

	}

	down_read(&keyring_key->sem);

	ukp = user_key_payload(keyring_key);

	ukp = user_key_payload_locked(keyring_key);

	if (ukp->datalen != sizeof(struct fscrypt_key)) {

		res = -EINVAL;

		up_read(&keyring_key->sem);

fs/ecryptfs/ecryptfs_kernel.h

+1 −1
Original line number Diff line number Diff line
@@ -117,7 +117,7 @@ ecryptfs_get_key_payload_data(struct key *key) 


	auth_tok = ecryptfs_get_encrypted_key_payload_data(key);

	if (!auth_tok)

		return (struct ecryptfs_auth_tok *)user_key_payload(key)->data;

		return (struct ecryptfs_auth_tok *)user_key_payload_locked(key)->data;

	else

		return auth_tok;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE