Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

 *	@type contains the requested communications type.

 *	@protocol contains the requested protocol.

 *	@kern set to 1 if a kernel socket.

 * @socket_socketpair:

 *	Check permissions before creating a fresh pair of sockets.

 *	@socka contains the first socket structure.

 *	@sockb contains the second socket structure.

 *	Return 0 if permission is granted and the connection was established.

 * @socket_bind:

 *	Check permission before socket protocol layer bind operation is

 *	performed and the socket @sock is bound to the address specified in the

	int (*socket_create)(int family, int type, int protocol, int kern);

	int (*socket_post_create)(struct socket *sock, int family, int type,

					int protocol, int kern);

	int (*socket_socketpair)(struct socket *socka, struct socket *sockb);

	int (*socket_bind)(struct socket *sock, struct sockaddr *address,

				int addrlen);

	int (*socket_connect)(struct socket *sock, struct sockaddr *address,

	struct hlist_head unix_may_send;

	struct hlist_head socket_create;

	struct hlist_head socket_post_create;

	struct hlist_head socket_socketpair;

	struct hlist_head socket_bind;

	struct hlist_head socket_connect;

	struct hlist_head socket_listen;

int security_quota_on(struct dentry *dentry);

int security_syslog(int type);

int security_settime64(const struct timespec64 *ts, const struct timezone *tz);

static inline int security_settime(const struct timespec *ts, const struct timezone *tz)

{

	struct timespec64 ts64 = timespec_to_timespec64(*ts);

	return security_settime64(&ts64, tz);

}

int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);

int security_bprm_set_creds(struct linux_binprm *bprm);

int security_bprm_check(struct linux_binprm *bprm);

	return cap_settime(ts, tz);

}

static inline int security_settime(const struct timespec *ts,

				   const struct timezone *tz)

{

	struct timespec64 ts64 = timespec_to_timespec64(*ts);

	return cap_settime(&ts64, tz);

}

static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)

{

	return __vm_enough_memory(mm, pages, cap_vm_enough_memory(mm, pages));

int security_socket_create(int family, int type, int protocol, int kern);

int security_socket_post_create(struct socket *sock, int family,

				int type, int protocol, int kern);

int security_socket_socketpair(struct socket *socka, struct socket *sockb);

int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen);

int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen);

int security_socket_listen(struct socket *sock, int backlog);

	return 0;

}

static inline int security_socket_socketpair(struct socket *socka,

					     struct socket *sockb)

{

	return 0;

}

static inline int security_socket_bind(struct socket *sock,

				       struct sockaddr *address,

				       int addrlen)

		goto out;

	}

	err = security_socket_socketpair(sock1, sock2);

	if (unlikely(err)) {

		sock_release(sock2);

		sock_release(sock1);

		goto out;

	}

	err = sock1->ops->socketpair(sock1, sock2);

	if (unlikely(err < 0)) {

		sock_release(sock2);

#include <keys/user-type.h>

#include <keys/big_key-type.h>

#include <crypto/aead.h>

#include <crypto/gcm.h>

struct big_key_buf {

	unsigned int		nr_pages;

 * Crypto names for big_key data authenticated encryption

 */

static const char big_key_alg_name[] = "gcm(aes)";

#define BIG_KEY_IV_SIZE		GCM_AES_IV_SIZE

/*

 * Crypto algorithms for big_key data authenticated encryption

	 * an .update function, so there's no chance we'll wind up reusing the

	 * key to encrypt updated data. Simply put: one key, one encryption.

	 */

	u8 zero_nonce[crypto_aead_ivsize(big_key_aead)];

	u8 zero_nonce[BIG_KEY_IV_SIZE];

	aead_req = aead_request_alloc(big_key_aead, GFP_KERNEL);

	if (!aead_req)

		pr_err("Can't alloc crypto: %d\n", ret);

		return ret;

	}

	if (unlikely(crypto_aead_ivsize(big_key_aead) != BIG_KEY_IV_SIZE)) {

		WARN(1, "big key algorithm changed?");

		ret = -EINVAL;

		goto free_aead;

	}

	ret = crypto_aead_setauthsize(big_key_aead, ENC_AUTHTAG_SIZE);

	if (ret < 0) {

		pr_err("Can't set crypto auth tag len: %d\n", ret);

			goto err;

		if (zlen && h) {

			u8 tmpbuffer[h];

			size_t chunk = min_t(size_t, zlen, h);

			u8 tmpbuffer[32];

			size_t chunk = min_t(size_t, zlen, sizeof(tmpbuffer));

			memset(tmpbuffer, 0, chunk);

			do {

					goto err;

				zlen -= chunk;

				chunk = min_t(size_t, zlen, h);

				chunk = min_t(size_t, zlen, sizeof(tmpbuffer));

			} while (zlen);

		}

				goto err;

		}

		if (dlen < h) {

			u8 tmpbuffer[h];

			err = crypto_shash_final(desc, tmpbuffer);

			if (err)

				goto err;

			memcpy(dst, tmpbuffer, dlen);

			memzero_explicit(tmpbuffer, h);

			return 0;

		} else {

		err = crypto_shash_final(desc, dst);

		if (err)

			goto err;

		dst += h;

		counter = cpu_to_be32(be32_to_cpu(counter) + 1);

	}

	}

	return 0;

{

	uint8_t *outbuf = NULL;

	int ret;

	size_t outbuf_len = round_up(buflen,

			             crypto_shash_digestsize(sdesc->shash.tfm));

	outbuf = kmalloc(buflen, GFP_KERNEL);

	outbuf = kmalloc(outbuf_len, GFP_KERNEL);

	if (!outbuf) {

		ret = -ENOMEM;

		goto err;

	}

	ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, buflen, lzero);

	ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, outbuf_len, lzero);

	if (ret)

		goto err;