[linux] 01/01: KEYS: Simplify KEYRING_SEARCH_{NO, DO}_STATE_CHECK flags

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Fri Oct 6 04:15:45 UTC 2017 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie
in repository linux.

commit b14f3533e5b11b48083bd27ec15b42a14fae675d
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Oct 5 17:16:34 2017 +0200

    KEYS: Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags
    
    Closes: #877760
---
 debian/changelog                                   |  6 ++
 ...fy-KEYRING_SEARCH_-NO-DO-_STATE_CHECK-fla.patch | 96 ++++++++++++++++++++++
 ...t_key-should-reget-expired-keys-rather-th.patch |  8 +-
 debian/patches/series                              |  1 +
 4 files changed, 107 insertions(+), 4 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 935d8a7..511bfa8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (3.16.48-2) UNRELEASED; urgency=medium
+
+  * KEYS: Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags (Closes: #877760)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Thu, 05 Oct 2017 21:54:27 +0200
+
 linux (3.16.48-1) jessie; urgency=medium
 
   * New upstream stable update:
diff --git a/debian/patches/bugfix/all/KEYS-Simplify-KEYRING_SEARCH_-NO-DO-_STATE_CHECK-fla.patch b/debian/patches/bugfix/all/KEYS-Simplify-KEYRING_SEARCH_-NO-DO-_STATE_CHECK-fla.patch
new file mode 100644
index 0000000..44f9cae
--- /dev/null
+++ b/debian/patches/bugfix/all/KEYS-Simplify-KEYRING_SEARCH_-NO-DO-_STATE_CHECK-fla.patch
@@ -0,0 +1,96 @@
+From: David Howells <dhowells at redhat.com>
+Date: Mon, 1 Dec 2014 22:52:50 +0000
+Subject: KEYS: Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags
+Origin: https://git.kernel.org/linus/054f6180d8b5602b431b5924976c956e760488b1
+
+Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags to be two variations of the
+same flag.  They are effectively mutually exclusive and one or the other
+should be provided, but not both.
+
+Keyring cycle detection and key possession determination are the only things
+that set NO_STATE_CHECK, except that neither flag really does anything there
+because neither purpose makes use of the keyring_search_iterator() function,
+but rather provides their own.
+
+For cycle detection we definitely want to check inside of expired keyrings,
+just so that we don't create a cycle we can't get rid of.  Revoked keyrings
+are cleared at revocation time and can't then be reused, so shouldn't be a
+problem either way.
+
+For possession determination, we *might* want to validate each keyring before
+searching it: do you possess a key that's hidden behind an expired or just
+plain inaccessible keyring?  Currently, the answer is yes.  Note that you
+cannot, however, possess a key behind a revoked keyring because they are
+cleared on revocation.
+
+keyring_search() sets DO_STATE_CHECK, which is correct.
+
+request_key_and_link() currently doesn't specify whether to check the key
+state or not - but it should set DO_STATE_CHECK.
+
+key_get_instantiation_authkey() also currently doesn't specify whether to
+check the key state or not - but it probably should also set DO_STATE_CHECK.
+
+Signed-off-by: David Howells <dhowells at redhat.com>
+Tested-by: Chuck Lever <chuck.lever at oracle.com>
+[carnil: Backported to 3.16: Adjust context]
+---
+ security/keys/keyring.c          | 7 ++++---
+ security/keys/request_key.c      | 1 +
+ security/keys/request_key_auth.c | 1 +
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -609,6 +609,10 @@ static bool search_nested_keyrings(struc
+ 	       ctx->index_key.type->name,
+ 	       ctx->index_key.description);
+ 
++#define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK)
++	BUG_ON((ctx->flags & STATE_CHECKS) == 0 ||
++	       (ctx->flags & STATE_CHECKS) == STATE_CHECKS);
++
+ 	if (ctx->index_key.description)
+ 		ctx->index_key.desc_len = strlen(ctx->index_key.description);
+ 
+@@ -618,7 +622,6 @@ static bool search_nested_keyrings(struc
+ 	if (ctx->flags & KEYRING_SEARCH_LOOKUP_ITERATE ||
+ 	    keyring_compare_object(keyring, &ctx->index_key)) {
+ 		ctx->skipped_ret = 2;
+-		ctx->flags |= KEYRING_SEARCH_DO_STATE_CHECK;
+ 		switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) {
+ 		case 1:
+ 			goto found;
+@@ -630,8 +633,6 @@ static bool search_nested_keyrings(struc
+ 	}
+ 
+ 	ctx->skipped_ret = 0;
+-	if (ctx->flags & KEYRING_SEARCH_NO_STATE_CHECK)
+-		ctx->flags &= ~KEYRING_SEARCH_DO_STATE_CHECK;
+ 
+ 	/* Start processing a new keyring */
+ descend_to_keyring:
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -536,7 +536,8 @@ struct key *request_key_and_link(struct
+ 		.cred			= current_cred(),
+ 		.match			= type->match,
+ 		.match_data		= description,
+-		.flags			= KEYRING_SEARCH_LOOKUP_DIRECT,
++		.flags			= (KEYRING_SEARCH_LOOKUP_DIRECT |
++					   KEYRING_SEARCH_DO_STATE_CHECK),
+ 	};
+ 	struct key *key;
+ 	key_ref_t key_ref;
+--- a/security/keys/request_key_auth.c
++++ b/security/keys/request_key_auth.c
+@@ -235,7 +235,8 @@ struct key *key_get_instantiation_authke
+ 		.cred			= current_cred(),
+ 		.match			= user_match,
+ 		.match_data		= description,
+-		.flags			= KEYRING_SEARCH_LOOKUP_DIRECT,
++		.flags			= (KEYRING_SEARCH_LOOKUP_DIRECT |
++					   KEYRING_SEARCH_DO_STATE_CHECK),
+ 	};
+ 	struct key *authkey;
+ 	key_ref_t authkey_ref;
diff --git a/debian/patches/bugfix/all/keys-request_key-should-reget-expired-keys-rather-th.patch b/debian/patches/bugfix/all/keys-request_key-should-reget-expired-keys-rather-th.patch
index 842c580..daf861c 100644
--- a/debian/patches/bugfix/all/keys-request_key-should-reget-expired-keys-rather-th.patch
+++ b/debian/patches/bugfix/all/keys-request_key-should-reget-expired-keys-rather-th.patch
@@ -90,12 +90,12 @@ Tested-by: Chuck Lever <chuck.lever at oracle.com>
  		}
 --- a/security/keys/request_key.c
 +++ b/security/keys/request_key.c
-@@ -533,7 +533,8 @@ struct key *request_key_and_link(struct
- 		.cred			= current_cred(),
+@@ -537,7 +537,8 @@ struct key *request_key_and_link(struct
  		.match			= type->match,
  		.match_data		= description,
--		.flags			= KEYRING_SEARCH_LOOKUP_DIRECT,
-+		.flags			= (KEYRING_SEARCH_LOOKUP_DIRECT |
+ 		.flags			= (KEYRING_SEARCH_LOOKUP_DIRECT |
+-					   KEYRING_SEARCH_DO_STATE_CHECK),
++					   KEYRING_SEARCH_DO_STATE_CHECK |
 +					   KEYRING_SEARCH_SKIP_EXPIRED),
  	};
  	struct key *key;
diff --git a/debian/patches/series b/debian/patches/series
index 14667b6..62acbe8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -222,6 +222,7 @@ bugfix/all/aufs-move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch
 bugfix/all/net-mv643xx-disable-tso-by-default.patch
 bugfix/all/xen-balloon-cancel-ballooning-if-adding-new-memory-f.patch
 bugfix/all/xen-balloon-Don-t-continue-ballooning-when-BP_ECANCE.patch
+bugfix/all/KEYS-Simplify-KEYRING_SEARCH_-NO-DO-_STATE_CHECK-fla.patch
 bugfix/all/keys-request_key-should-reget-expired-keys-rather-th.patch
 bugfix/all/hid-thingm-fix-workqueue-race-on-remove.patch
 debian/emmc-don-t-initialize-partitions-on-rpmb-flagged-areas.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list