1. 14 11月, 2008 3 次提交
    • D
      KEYS: Alter use of key instantiation link-to-keyring argument · 8bbf4976
      David Howells 提交于
      Alter the use of the key instantiation and negation functions' link-to-keyring
      arguments.  Currently this specifies a keyring in the target process to link
      the key into, creating the keyring if it doesn't exist.  This, however, can be
      a problem for copy-on-write credentials as it means that the instantiating
      process can alter the credentials of the requesting process.
      
      This patch alters the behaviour such that:
      
       (1) If keyctl_instantiate_key() or keyctl_negate_key() are given a specific
           keyring by ID (ringid >= 0), then that keyring will be used.
      
       (2) If keyctl_instantiate_key() or keyctl_negate_key() are given one of the
           special constants that refer to the requesting process's keyrings
           (KEY_SPEC_*_KEYRING, all <= 0), then:
      
           (a) If sys_request_key() was given a keyring to use (destringid) then the
           	 key will be attached to that keyring.
      
           (b) If sys_request_key() was given a NULL keyring, then the key being
           	 instantiated will be attached to the default keyring as set by
           	 keyctl_set_reqkey_keyring().
      
       (3) No extra link will be made.
      
      Decision point (1) follows current behaviour, and allows those instantiators
      who've searched for a specifically named keyring in the requestor's keyring so
      as to partition the keys by type to still have their named keyrings.
      
      Decision point (2) allows the requestor to make sure that the key or keys that
      get produced by request_key() go where they want, whilst allowing the
      instantiator to request that the key is retained.  This is mainly useful for
      situations where the instantiator makes a secondary request, the key for which
      should be retained by the initial requestor:
      
      	+-----------+        +--------------+        +--------------+
      	|           |        |              |        |              |
      	| Requestor |------->| Instantiator |------->| Instantiator |
      	|           |        |              |        |              |
      	+-----------+        +--------------+        +--------------+
      	           request_key()           request_key()
      
      This might be useful, for example, in Kerberos, where the requestor requests a
      ticket, and then the ticket instantiator requests the TGT, which someone else
      then has to go and fetch.  The TGT, however, should be retained in the
      keyrings of the requestor, not the first instantiator.  To make this explict
      an extra special keyring constant is also added.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Reviewed-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8bbf4976
    • D
      KEYS: Disperse linux/key_ui.h · e9e349b0
      David Howells 提交于
      Disperse the bits of linux/key_ui.h as the reason they were put here (keyfs)
      didn't get in.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Reviewed-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      e9e349b0
    • D
      CRED: Wrap task credential accesses in the key management code · 47d804bf
      David Howells 提交于
      Wrap access to task credentials so that they can be separated more easily from
      the task_struct during the introduction of COW creds.
      
      Change most current->(|e|s|fs)[ug]id to current_(|e|s|fs)[ug]id().
      
      Change some task->e?[ug]id to task_e?[ug]id().  In some places it makes more
      sense to use RCU directly rather than a convenient wrapper; these will be
      addressed by later patches.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Reviewed-by: NJames Morris <jmorris@namei.org>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      47d804bf
  2. 07 6月, 2008 1 次提交
  3. 29 4月, 2008 9 次提交
  4. 18 4月, 2008 1 次提交
  5. 08 2月, 2008 1 次提交
  6. 25 1月, 2008 1 次提交
  7. 17 10月, 2007 1 次提交
    • D
      KEYS: Make request_key() and co fundamentally asynchronous · 76181c13
      David Howells 提交于
      Make request_key() and co fundamentally asynchronous to make it easier for
      NFS to make use of them.  There are now accessor functions that do
      asynchronous constructions, a wait function to wait for construction to
      complete, and a completion function for the key type to indicate completion
      of construction.
      
      Note that the construction queue is now gone.  Instead, keys under
      construction are linked in to the appropriate keyring in advance, and that
      anyone encountering one must wait for it to be complete before they can use
      it.  This is done automatically for userspace.
      
      The following auxiliary changes are also made:
      
       (1) Key type implementation stuff is split from linux/key.h into
           linux/key-type.h.
      
       (2) AF_RXRPC provides a way to allocate null rxrpc-type keys so that AFS does
           not need to call key_instantiate_and_link() directly.
      
       (3) Adjust the debugging macros so that they're -Wformat checked even if
           they are disabled, and make it so they can be enabled simply by defining
           __KDEBUG to be consistent with other code of mine.
      
       (3) Documentation.
      
      [alan@lxorguk.ukuu.org.uk: keys: missing word in documentation]
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NAlan Cox <alan@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      76181c13
  8. 20 7月, 2007 1 次提交
    • P
      mm: Remove slab destructors from kmem_cache_create(). · 20c2df83
      Paul Mundt 提交于
      Slab destructors were no longer supported after Christoph's
      c59def9f change. They've been
      BUGs for both slab and slub, and slob never supported them
      either.
      
      This rips out support for the dtor pointer from kmem_cache_create()
      completely and fixes up every single callsite in the kernel (there were
      about 224, not including the slab allocator definitions themselves,
      or the documentation references).
      Signed-off-by: NPaul Mundt <lethal@linux-sh.org>
      20c2df83
  9. 18 7月, 2007 1 次提交
    • J
      usermodehelper: Tidy up waiting · 86313c48
      Jeremy Fitzhardinge 提交于
      Rather than using a tri-state integer for the wait flag in
      call_usermodehelper_exec, define a proper enum, and use that.  I've
      preserved the integer values so that any callers I've missed should
      still work OK.
      Signed-off-by: NJeremy Fitzhardinge <jeremy@xensource.com>
      Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
      Cc: Randy Dunlap <randy.dunlap@oracle.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Andi Kleen <ak@suse.de>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Johannes Berg <johannes@sipsolutions.net>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Bjorn Helgaas <bjorn.helgaas@hp.com>
      Cc: Joel Becker <joel.becker@oracle.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Kay Sievers <kay.sievers@vrfy.org>
      Cc: Srivatsa Vaddagiri <vatsa@in.ibm.com>
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Cc: David Howells <dhowells@redhat.com>
      86313c48
  10. 27 4月, 2007 1 次提交
  11. 15 2月, 2007 1 次提交
    • T
      [PATCH] remove many unneeded #includes of sched.h · cd354f1a
      Tim Schmielau 提交于
      After Al Viro (finally) succeeded in removing the sched.h #include in module.h
      recently, it makes sense again to remove other superfluous sched.h includes.
      There are quite a lot of files which include it but don't actually need
      anything defined in there.  Presumably these includes were once needed for
      macros that used to live in sched.h, but moved to other header files in the
      course of cleaning it up.
      
      To ease the pain, this time I did not fiddle with any header files and only
      removed #includes from .c-files, which tend to cause less trouble.
      
      Compile tested against 2.6.20-rc2 and 2.6.20-rc2-mm2 (with offsets) on alpha,
      arm, i386, ia64, mips, powerpc, and x86_64 with allnoconfig, defconfig,
      allmodconfig, and allyesconfig as well as a few randconfigs on x86_64 and all
      configs in arch/arm/configs on arm.  I also checked that no new warnings were
      introduced by the patch (actually, some warnings are removed that were emitted
      by unnecessarily included header files).
      Signed-off-by: NTim Schmielau <tim@physik3.uni-rostock.de>
      Acked-by: NRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      cd354f1a
  12. 13 2月, 2007 1 次提交
  13. 07 2月, 2007 1 次提交
    • D
      [PATCH] Keys: Fix key serial number collision handling · 9ad0830f
      David Howells 提交于
      Fix the key serial number collision avoidance code in key_alloc_serial().
      
      This didn't use to be so much of a problem as the key serial numbers were
      allocated from a simple incremental counter, and it would have to go through
      two billion keys before it could possibly encounter a collision.  However, now
      that random numbers are used instead, collisions are much more likely.
      
      This is fixed by finding a hole in the rbtree where the next unused serial
      number ought to be and using that by going almost back to the top of the
      insertion routine and redoing the insertion with the new serial number rather
      than trying to be clever and attempting to work out the insertion point
      pointer directly.
      
      This fixes kernel BZ #7727.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      9ad0830f
  14. 08 12月, 2006 4 次提交
  15. 22 11月, 2006 1 次提交
    • D
      WorkStruct: Pass the work_struct pointer instead of context data · 65f27f38
      David Howells 提交于
      Pass the work_struct pointer to the work function rather than context data.
      The work function can use container_of() to work out the data.
      
      For the cases where the container of the work_struct may go away the moment the
      pending bit is cleared, it is made possible to defer the release of the
      structure by deferring the clearing of the pending bit.
      
      To make this work, an extra flag is introduced into the management side of the
      work_struct.  This governs auto-release of the structure upon execution.
      
      Ordinarily, the work queue executor would release the work_struct for further
      scheduling or deallocation by clearing the pending bit prior to jumping to the
      work function.  This means that, unless the driver makes some guarantee itself
      that the work_struct won't go away, the work function may not access anything
      else in the work_struct or its container lest they be deallocated..  This is a
      problem if the auxiliary data is taken away (as done by the last patch).
      
      However, if the pending bit is *not* cleared before jumping to the work
      function, then the work function *may* access the work_struct and its container
      with no problems.  But then the work function must itself release the
      work_struct by calling work_release().
      
      In most cases, automatic release is fine, so this is the default.  Special
      initiators exist for the non-auto-release case (ending in _NAR).
      Signed-Off-By: NDavid Howells <dhowells@redhat.com>
      65f27f38
  16. 30 6月, 2006 1 次提交
  17. 28 6月, 2006 1 次提交
    • R
      [PATCH] poison: add & use more constants · a7807a32
      Randy Dunlap 提交于
      Add more poison values to include/linux/poison.h.  It's not clear to me
      whether some others should be added or not, so I haven't added any of
      these:
      
      ./include/linux/libata.h:#define ATA_TAG_POISON		0xfafbfcfdU
      ./arch/ppc/8260_io/fcc_enet.c:1918:	memset((char *)(&(immap->im_dprambase[(mem_addr+64)])), 0x88, 32);
      ./drivers/usb/mon/mon_text.c:429:	memset(mem, 0xe5, sizeof(struct mon_event_text));
      ./drivers/char/ftape/lowlevel/ftape-ctl.c:738:		memset(ft_buffer[i]->address, 0xAA, FT_BUFF_SIZE);
      ./drivers/block/sx8.c:/* 0xf is just arbitrary, non-zero noise; this is sorta like poisoning */
      Signed-off-by: NRandy Dunlap <rdunlap@xenotime.net>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      a7807a32
  18. 27 6月, 2006 5 次提交
  19. 23 6月, 2006 2 次提交
    • D
      [PATCH] Keys: Fix race between two instantiators of a key · 04c567d9
      David Howells 提交于
      Add a revocation notification method to the key type and calls it whilst
      the key's semaphore is still write-locked after setting the revocation
      flag.
      
      The patch then uses this to maintain a reference on the task_struct of the
      process that calls request_key() for as long as the authorisation key
      remains unrevoked.
      
      This fixes a potential race between two processes both of which have
      assumed the authority to instantiate a key (one may have forked the other
      for example).  The problem is that there's no locking around the check for
      revocation of the auth key and the use of the task_struct it points to, nor
      does the auth key keep a reference on the task_struct.
      
      Access to the "context" pointer in the auth key must thenceforth be done
      with the auth key semaphore held.  The revocation method is called with the
      target key semaphore held write-locked and the search of the context
      process's keyrings is done with the auth key semaphore read-locked.
      
      The check for the revocation state of the auth key just prior to searching
      it is done after the auth key is read-locked for the search.  This ensures
      that the auth key can't be revoked between the check and the search.
      
      The revocation notification method is added so that the context task_struct
      can be released as soon as instantiation happens rather than waiting for
      the auth key to be destroyed, thus avoiding the unnecessary pinning of the
      requesting process.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      04c567d9
    • M
      [PATCH] selinux: add hooks for key subsystem · d720024e
      Michael LeMay 提交于
      Introduce SELinux hooks to support the access key retention subsystem
      within the kernel.  Incorporate new flask headers from a modified version
      of the SELinux reference policy, with support for the new security class
      representing retained keys.  Extend the "key_alloc" security hook with a
      task parameter representing the intended ownership context for the key
      being allocated.  Attach security information to root's default keyrings
      within the SELinux initialization routine.
      
      Has passed David's testsuite.
      Signed-off-by: NMichael LeMay <mdlemay@epoch.ncsc.mil>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Acked-by: NChris Wright <chrisw@sous-sol.org>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      d720024e
  20. 21 4月, 2006 1 次提交
  21. 11 4月, 2006 2 次提交
    • D
      [PATCH] Keys: Improve usage of memory barriers and remove IRQ disablement · 1a26feb9
      David Howells 提交于
      Remove an unnecessary memory barrier (implicit in rcu_dereference()) from
      install_session_keyring().
      
      install_session_keyring() is also rearranged a little to make it slightly
      more efficient.
      
      As install_*_keyring() may schedule (in synchronize_rcu() or
      keyring_alloc()), they may not be entered with interrupts disabled - and so
      there's no point saving the interrupt disablement state over the critical
      section.
      
      exec_keys() will also be invoked with interrupts enabled, and so that doesn't
      need to save the interrupt state either.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      1a26feb9
    • D
      [Security] Keys: Fix oops when adding key to non-keyring · c3a9d654
      David Howells 提交于
      This fixes the problem of an oops occuring when a user attempts to add a
      key to a non-keyring key [CVE-2006-1522].
      
      The problem is that __keyring_search_one() doesn't check that the
      keyring it's been given is actually a keyring.
      
      I've fixed this problem by:
      
       (1) declaring that caller of __keyring_search_one() must guarantee that
           the keyring is a keyring; and
      
       (2) making key_create_or_update() check that the keyring is a keyring,
           and return -ENOTDIR if it isn't.
      
      This can be tested by:
      
      	keyctl add user b b `keyctl add user a a @s`
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      c3a9d654