<feed xmlns='http://www.w3.org/2005/Atom'>
<title>user/sven/linux.git/net/dns_resolver, branch v3.17</title>
<subtitle>Linux Kernel
</subtitle>
<id>https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.17</id>
<link rel='self' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.17'/>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/'/>
<updated>2014-08-06T15:06:39Z</updated>
<entry>
<title>Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security</title>
<updated>2014-08-06T15:06:39Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2014-08-06T15:06:39Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=bb2cbf5e9367d8598fecd0c48dead69560750223'/>
<id>urn:sha1:bb2cbf5e9367d8598fecd0c48dead69560750223</id>
<content type='text'>
Pull security subsystem updates from James Morris:
 "In this release:

   - PKCS#7 parser for the key management subsystem from David Howells
   - appoint Kees Cook as seccomp maintainer
   - bugfixes and general maintenance across the subsystem"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (94 commits)
  X.509: Need to export x509_request_asymmetric_key()
  netlabel: shorter names for the NetLabel catmap funcs/structs
  netlabel: fix the catmap walking functions
  netlabel: fix the horribly broken catmap functions
  netlabel: fix a problem when setting bits below the previously lowest bit
  PKCS#7: X.509 certificate issuer and subject are mandatory fields in the ASN.1
  tpm: simplify code by using %*phN specifier
  tpm: Provide a generic means to override the chip returned timeouts
  tpm: missing tpm_chip_put in tpm_get_random()
  tpm: Properly clean sysfs entries in error path
  tpm: Add missing tpm_do_selftest to ST33 I2C driver
  PKCS#7: Use x509_request_asymmetric_key()
  Revert "selinux: fix the default socket labeling in sock_graft()"
  X.509: x509_request_asymmetric_keys() doesn't need string length arguments
  PKCS#7: fix sparse non static symbol warning
  KEYS: revert encrypted key change
  ima: add support for measuring and appraising firmware
  firmware_class: perform new LSM checks
  security: introduce kernel_fw_from_file hook
  PKCS#7: Missing inclusion of linux/err.h
  ...
</content>
</entry>
<entry>
<title>Merge branch 'keys-fixes' into keys-next</title>
<updated>2014-07-22T20:55:45Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2014-07-22T20:55:45Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=633706a2ee81637be37b6bc02c5336950cc163b5'/>
<id>urn:sha1:633706a2ee81637be37b6bc02c5336950cc163b5</id>
<content type='text'>
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
</entry>
<entry>
<title>KEYS: DNS: Use key preparsing</title>
<updated>2014-07-22T20:46:36Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2014-07-18T17:56:36Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=d46d494214cabfd03eb836e3a8ff3768d4c51497'/>
<id>urn:sha1:d46d494214cabfd03eb836e3a8ff3768d4c51497</id>
<content type='text'>
Make use of key preparsing in the DNS resolver so that quota size determination
can take place prior to keyring locking when a key is being added.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Steve Dickson &lt;steved@redhat.com&gt;
Acked-by: Jeff Layton &lt;jlayton@primarydata.com&gt;
</content>
</entry>
<entry>
<title>dns_resolver: Null-terminate the right string</title>
<updated>2014-07-21T05:33:32Z</updated>
<author>
<name>Ben Hutchings</name>
<email>ben@decadent.org.uk</email>
</author>
<published>2014-07-20T23:06:48Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=640d7efe4c08f06c4ae5d31b79bd8740e7f6790a'/>
<id>urn:sha1:640d7efe4c08f06c4ae5d31b79bd8740e7f6790a</id>
<content type='text'>
*_result[len] is parsed as *(_result[len]) which is not at all what we
want to touch here.

Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Fixes: 84a7c0b1db1c ("dns_resolver: assure that dns_query() result is null-terminated")
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>KEYS: Allow special keys (eg. DNS results) to be invalidated by CAP_SYS_ADMIN</title>
<updated>2014-07-17T19:45:08Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2014-07-17T19:45:08Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=0c7774abb41bd00d5836d9ba098825a40fa94133'/>
<id>urn:sha1:0c7774abb41bd00d5836d9ba098825a40fa94133</id>
<content type='text'>
Special kernel keys, such as those used to hold DNS results for AFS, CIFS and
NFS and those used to hold idmapper results for NFS, used to be
'invalidateable' with key_revoke().  However, since the default permissions for
keys were reduced:

	Commit: 96b5c8fea6c0861621051290d705ec2e971963f1
	KEYS: Reduce initial permissions on keys

it has become impossible to do this.

Add a key flag (KEY_FLAG_ROOT_CAN_INVAL) that will permit a key to be
invalidated by root.  This should not be used for system keyrings as the
garbage collector will try and remove any invalidated key.  For system keyrings,
KEY_FLAG_ROOT_CAN_CLEAR can be used instead.

After this, from userspace, keyctl_invalidate() and "keyctl invalidate" can be
used by any possessor of CAP_SYS_ADMIN (typically root) to invalidate DNS and
idmapper keys.  Invalidated keys are immediately garbage collected and will be
immediately rerequested if needed again.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Tested-by: Steve Dickson &lt;steved@redhat.com&gt;
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net</title>
<updated>2014-06-11T23:02:55Z</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2014-06-11T23:02:55Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=902455e00720018d1dbd38327c3fd5bda6d844ee'/>
<id>urn:sha1:902455e00720018d1dbd38327c3fd5bda6d844ee</id>
<content type='text'>
Conflicts:
	net/core/rtnetlink.c
	net/core/skbuff.c

Both conflicts were very simple overlapping changes.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>dns_resolver: assure that dns_query() result is null-terminated</title>
<updated>2014-06-11T07:12:04Z</updated>
<author>
<name>Manuel Schölling</name>
<email>manuel.schoelling@gmx.de</email>
</author>
<published>2014-06-07T21:57:25Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=84a7c0b1db1c17d5ded8d3800228a608e1070b40'/>
<id>urn:sha1:84a7c0b1db1c17d5ded8d3800228a608e1070b40</id>
<content type='text'>
dns_query() credulously assumes that keys are null-terminated and
returns a copy of a memory block that is off by one.

Signed-off-by: Manuel Schölling &lt;manuel.schoelling@gmx.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>dns_resolver: Do not accept domain names longer than 255 chars</title>
<updated>2014-06-05T07:05:53Z</updated>
<author>
<name>Manuel Schölling</name>
<email>manuel.schoelling@gmx.de</email>
</author>
<published>2014-05-31T21:37:40Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=9638f6713ff556bdc34e9d18eeb7c1b25b35e5ce'/>
<id>urn:sha1:9638f6713ff556bdc34e9d18eeb7c1b25b35e5ce</id>
<content type='text'>
According to RFC1035 "[...] the total length of a domain name (i.e.,
label octets and label length octets) is restricted to 255 octets or
less."

Signed-off-by: Manuel Schölling &lt;manuel.schoelling@gmx.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net/*: Fix FSF address in file headers</title>
<updated>2013-12-06T17:37:57Z</updated>
<author>
<name>Jeff Kirsher</name>
<email>jeffrey.t.kirsher@intel.com</email>
</author>
<published>2013-12-06T17:13:44Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=c057b190b82063c57cb8b2b575a00520f9976e2b'/>
<id>urn:sha1:c057b190b82063c57cb8b2b575a00520f9976e2b</id>
<content type='text'>
Several files refer to an old address for the Free Software Foundation
in the file header comment.  Resolve by replacing the address with
the URL &lt;http://www.gnu.org/licenses/&gt; so that we do not have to keep
updating the header comments anytime the address changes.

CC: John Fastabend &lt;john.r.fastabend@intel.com&gt;
CC: Alex Duyck &lt;alexander.h.duyck@intel.com&gt;
CC: Marcel Holtmann &lt;marcel@holtmann.org&gt;
CC: Gustavo Padovan &lt;gustavo@padovan.org&gt;
CC: Johan Hedberg &lt;johan.hedberg@gmail.com&gt;
CC: Jamal Hadi Salim &lt;jhs@mojatatu.com&gt;
Signed-off-by: Jeff Kirsher &lt;jeffrey.t.kirsher@intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: strict_strtoul is obsolete, use kstrtoul instead</title>
<updated>2013-07-12T23:09:14Z</updated>
<author>
<name>Cosmin Stanescu</name>
<email>cosmin90stanescu@gmail.com</email>
</author>
<published>2013-07-12T06:33:33Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=92338dc2fb33c8526256a458a520af73d9ab2d14'/>
<id>urn:sha1:92338dc2fb33c8526256a458a520af73d9ab2d14</id>
<content type='text'>
patch found using checkpatch.pl

Signed-off-by: Cosmin Stanescu &lt;cosmin90stanescu@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
</feed>
