9e3ff386
Commit
9e3ff386
authored
Feb 09, 2012
by
James Morris
Merge branch 'next-queue' into next
parents
2eb6038c
4c2c3927
Showing
10 changed files
with
28 additions
and
3 deletions
+28
-3
Documentation/networking/dns_resolver.txt
Documentation/networking/dns_resolver.txt
+4
-0
Documentation/security/keys.txt
Documentation/security/keys.txt
+4
-0
drivers/char/tpm/Kconfig
drivers/char/tpm/Kconfig
+0
-1
fs/cifs/cifsacl.c
fs/cifs/cifsacl.c
+1
-0
fs/nfs/idmap.c
fs/nfs/idmap.c
+1
-0
include/linux/key.h
include/linux/key.h
+1
-0
net/dns_resolver/dns_key.c
net/dns_resolver/dns_key.c
+1
-0
security/integrity/ima/Kconfig
security/integrity/ima/Kconfig
+1
-1
security/integrity/ima/ima_policy.c
security/integrity/ima/ima_policy.c
+1
-0
security/keys/keyctl.c
security/keys/keyctl.c
+14
-1
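--- a/Documentation/networking/dns_resolver.txt
+++ b/Documentation/networking/dns_resolver.txt
@@ -102,6 +102,10 @@ implemented in the module can be called after doing:
 If _expiry is non-NULL, the expiry time (TTL) of the result will be
 returned also.
+The kernel maintains an internal keyring in which it caches looked up keys.
+This can be cleared by any process that has the CAP_SYS_ADMIN capability by
+the use of KEYCTL_KEYRING_CLEAR on the keyring ID.
 ===============================
 READING DNS KEYS FROM USERSPACE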
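--- a/Documentation/security/keys.txt
+++ b/Documentation/security/keys.txt
@@ -554,6 +554,10 @@ The keyctl syscall functions are:
 process must have write permission on the keyring, and it must be a
 keyring (or else error ENOTDIR will result).
+This function can also be used to clear special kernel keyrings if they
+are appropriately marked if the user has CAP_SYS_ADMIN capability. The
+DNS resolver cache keyring is an example of this.
 (*) Link a key into a keyring: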
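--- a/drivers/char/tpm/Kconfig
+++ b/drivers/char/tpm/Kconfig
@@ -5,7 +5,6 @@
 menuconfig TCG_TPM
 	tristate "TPM Hardware Support"
 	depends on HAS_IOMEM
-	depends on EXPERIMENTAL
 	select SECURITYFS
 	---help---
 	  If you have a TPM security chip in your system, which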
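--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -556,6 +556,7 @@ init_cifs_idmap(void)
 	/* instruct request_key() to use this special keyring as a cache for
 	 * the results it looks up */
+	set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
 	cred->thread_keyring = keyring;
 	cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
 	root_cred = cred;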
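Review bot: The new set_bit() is placed directly under the comment about using this keyring as a request_key() cache, but it does something different — it opts the keyring into the CAP_SYS_ADMIN clear path — so the existing comment no longer describes the whole block; I would add `/* allow CAP_SYS_ADMIN to flush this cache via KEYCTL_KEYRING_CLEAR */` above the new line. The capability check lives in keyctl.c, so without a pointer here a reader cannot tell what "root can clear" costs or permits. Ordering looks right: the bit is set before the keyring is published through cred and root_cred. init_cifs_idmap() starts before this hunk.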
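--- a/fs/nfs/idmap.c
+++ b/fs/nfs/idmap.c
@@ -198,6 +198,7 @@ int nfs_idmap_init(void)
 	if (ret < 0)
 		goto failed_put_key;
+	set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
 	cred->thread_keyring = keyring;
 	cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
 	id_resolver_cache = cred;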
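Review bot: The added set_bit() carries no comment, and unlike the cifs and dns_resolver call sites in this commit there is not even an adjacent remark that this keyring is only a cache, so nfs_idmap_init() now shows a bare flag flip whose security effect (any CAP_SYS_ADMIN process may empty it without KEY_WRITE) is invisible here; I'd add `/* cache only: let CAP_SYS_ADMIN flush it with KEYCTL_KEYRING_CLEAR */`. The flag is set before the keyring is handed to cred and id_resolver_cache, so a clear cannot race its publication. nfs_idmap_init() begins before the hunk.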
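--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -155,6 +155,7 @@ struct key {
 #define KEY_FLAG_IN_QUOTA	3	/* set if key consumes quota */
 #define KEY_FLAG_USER_CONSTRUCT	4	/* set if key is being constructed in userspace */
 #define KEY_FLAG_NEGATIVE	5	/* set if key is negative */
+#define KEY_FLAG_ROOT_CAN_CLEAR	6	/* set if key can be cleared by root without permission */
 	/* the description string
 	 * - this is used to match a key against search criteria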
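Review bot: The comment on KEY_FLAG_ROOT_CAN_CLEAR says "root" and "key", but the consumer added in keyctl_keyring_clear() in this same commit gates on capable(CAP_SYS_ADMIN) and only ever reaches keyring_clear(), so the wording understates the privilege model; `/* set if keyring may be cleared by CAP_SYS_ADMIN without KEY_WRITE permission */` is more accurate. It is also worth saying that the flag is honoured only by the clear operation, so nobody assumes it bypasses permission checks for link, unlink or read as well. struct key continues outside the hunk.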
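--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -281,6 +281,7 @@ static int __init init_dns_resolver(void)
 	/* instruct request_key() to use this special keyring as a cache for
 	 * the results it looks up */
+	set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
 	cred->thread_keyring = keyring;
 	cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
 	dns_resolver_cache = cred;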
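Review bot: The set_bit() is inserted under a comment that explains the cache role of the keyring, not the new clearability, so the reason a privileged process may now empty it without write permission is undocumented at the site that grants it; I'd add `/* CAP_SYS_ADMIN may clear this cache (see keyctl_keyring_clear) */` on the line above. A short note that clearing only discards cached results and forces fresh upcalls would also tell an operator that KEYCTL_KEYRING_CLEAR here is safe rather than destructive. init_dns_resolver() starts before this hunk.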
security/integrity/ima/Kconfig
...
@@ -9,7 +9,7 @@ config IMA
...
@@ -9,7 +9,7 @@ config IMA
select CRYPTO_HMAC
select CRYPTO_HMAC
select CRYPTO_MD5
select CRYPTO_MD5
select CRYPTO_SHA1
select CRYPTO_SHA1
select TCG_TPM if
!S390
&& !UML
select TCG_TPM if
HAS_IOMEM
&& !UML
select TCG_TIS if TCG_TPM
select TCG_TIS if TCG_TPM
help
help
The Trusted Computing Group(TCG) runtime Integrity
The Trusted Computing Group(TCG) runtime Integrity
...
...
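Review bot: The `select TCG_TPM if HAS_IOMEM && !UML` condition hand-copies TCG_TPM's own `depends on HAS_IOMEM` (the remaining dependency in drivers/char/tpm/Kconfig after this commit drops EXPERIMENTAL), which is necessary because select ignores the selected symbol's dependencies, but nothing marks it as a mirror that must be kept in sync; I'd add `# must mirror TCG_TPM's 'depends on': select bypasses dependency checks` above it. This page does not mark which of the two select lines is the new one; the HAS_IOMEM form is the one consistent with the TPM Kconfig change, and presumably subsumes the old !S390 test. The same caveat applies to the unchanged `select TCG_TIS if TCG_TPM`, whose dependencies, if it has any, are not checked here either.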
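--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -62,6 +62,7 @@ static struct ima_measure_rule_entry default_rules[] = {
 	{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
+	{.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
 	{.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,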
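Review bot: Adding RAMFS_MAGIC to the default DONT_MEASURE rules widens the set of files the default policy never measures, and unlike sysfs or securityfs a ramfs can hold real executables (an initramfs-style root, for instance), so an attestation verifier relying on the built-in policy loses coverage there without any visible rationale. I'd put a comment on the new rule stating why ramfs is exempted (presumably that it is volatile like tmpfs, but that is not in the hunk) and noting that a site policy loaded through securityfs can re-enable measurement. The default_rules[] array continues past the hunk.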
security/keys/keyctl.c
...
@@ -388,11 +388,24 @@ long keyctl_keyring_clear(key_serial_t ringid)
...
@@ -388,11 +388,24 @@ long keyctl_keyring_clear(key_serial_t ringid)
keyring_ref
=
lookup_user_key
(
ringid
,
KEY_LOOKUP_CREATE
,
KEY_WRITE
);
keyring_ref
=
lookup_user_key
(
ringid
,
KEY_LOOKUP_CREATE
,
KEY_WRITE
);
if
(
IS_ERR
(
keyring_ref
))
{
if
(
IS_ERR
(
keyring_ref
))
{
ret
=
PTR_ERR
(
keyring_ref
);
ret
=
PTR_ERR
(
keyring_ref
);
/* Root is permitted to invalidate certain special keyrings */
if
(
capable
(
CAP_SYS_ADMIN
))
{
keyring_ref
=
lookup_user_key
(
ringid
,
0
,
0
);
if
(
IS_ERR
(
keyring_ref
))
goto
error
;
if
(
test_bit
(
KEY_FLAG_ROOT_CAN_CLEAR
,
&
key_ref_to_ptr
(
keyring_ref
)
->
flags
))
goto
clear
;
goto
error_put
;
}
goto
error
;
goto
error
;
}
}
clear:
ret
=
keyring_clear
(
key_ref_to_ptr
(
keyring_ref
));
ret
=
keyring_clear
(
key_ref_to_ptr
(
keyring_ref
));
error_put:
key_ref_put
(
keyring_ref
);
key_ref_put
(
keyring_ref
);
error:
error:
return
ret
;
return
ret
;
...
...
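Review bot: On the privileged fallback the function reports the error of the first, permission-checked lookup even when it was the second `lookup_user_key(ringid, 0, 0)` that failed or the KEY_FLAG_ROOT_CAN_CLEAR test that rejected, because `ret` is never reassigned after `ret = PTR_ERR(keyring_ref);` — defensible, since it tells a CAP_SYS_ADMIN caller nothing the first lookup did not, but it reads like an oversight, so I'd mark it: `/* keep the original error: the privileged path only widens access for flagged keyrings */`. The new block comment should also say CAP_SYS_ADMIN rather than "Root", as that is what `capable()` checks and what the flag is gated on. Whether the unchecked lookup can hand a non-keyring key to keyring_clear() is presumably rejected inside keyring_clear(), which is outside this hunk. keyctl_keyring_clear() opens before the hunk, where `ret` is declared.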