Merge tag 'keys-fixes-20170419' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs (f205b5dc) · Commits · e / devices / android_kernel_fairphone_FP4

security/keys/gc.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -46,7 +46,7 @@ static unsigned long key_gc_flags;
		* immediately unlinked.
		*/
		struct key_type key_type_dead = {
		.name = "dead",
		.name = ".dead",
		};

		/*

security/keys/keyctl.c

+11 −9

Original line number	Diff line number	Diff line
		@@ -273,7 +273,8 @@ long keyctl_get_keyring_ID(key_serial_t id, int create)
		* Create and join an anonymous session keyring or join a named session
		* keyring, creating it if necessary. A named session keyring must have Search
		* permission for it to be joined. Session keyrings without this permit will
		* be skipped over.
		* be skipped over. It is not permitted for userspace to create or join
		* keyrings whose name begin with a dot.
		*
		* If successful, the ID of the joined session keyring will be returned.
		*/
		@@ -290,12 +291,16 @@ long keyctl_join_session_keyring(const char __user *_name)
		ret = PTR_ERR(name);
		goto error;
		}

		ret = -EPERM;
		if (name[0] == '.')
		goto error_name;
		}

		/* join the session */
		ret = join_session_keyring(name);
		error_name:
		kfree(name);

		error:
		return ret;
		}
		@@ -1253,8 +1258,8 @@ long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error,
		* Read or set the default keyring in which request_key() will cache keys and
		* return the old setting.
		*
		* If a process keyring is specified then this will be created if it doesn't
		* yet exist. The old setting will be returned if successful.
		* If a thread or process keyring is specified then it will be created if it
		* doesn't yet exist. The old setting will be returned if successful.
		*/
		long keyctl_set_reqkey_keyring(int reqkey_defl)
		{
		@@ -1279,11 +1284,8 @@ long keyctl_set_reqkey_keyring(int reqkey_defl)

		case KEY_REQKEY_DEFL_PROCESS_KEYRING:
		ret = install_process_keyring_to_cred(new);
		if (ret < 0) {
		if (ret != -EEXIST)
		if (ret < 0)
		goto error;
		ret = 0;
		}
		goto set;

		case KEY_REQKEY_DEFL_DEFAULT:

security/keys/process_keys.c

+27 −17

Original line number	Diff line number	Diff line
		@@ -128,13 +128,18 @@ int install_user_keyrings(void)
		}

		/*
		* Install a fresh thread keyring directly to new credentials. This keyring is
		* allowed to overrun the quota.
		* Install a thread keyring to the given credentials struct if it didn't have
		* one already. This is allowed to overrun the quota.
		*
		* Return: 0 if a thread keyring is now present; -errno on failure.
		*/
		int install_thread_keyring_to_cred(struct cred *new)
		{
		struct key *keyring;

		if (new->thread_keyring)
		return 0;

		keyring = keyring_alloc("_tid", new->uid, new->gid, new,
		KEY_POS_ALL \| KEY_USR_VIEW,
		KEY_ALLOC_QUOTA_OVERRUN,
		@@ -147,7 +152,9 @@ int install_thread_keyring_to_cred(struct cred *new)
		}

		/*
		* Install a fresh thread keyring, discarding the old one.
		* Install a thread keyring to the current task if it didn't have one already.
		*
		* Return: 0 if a thread keyring is now present; -errno on failure.
		*/
		static int install_thread_keyring(void)
		{
		@@ -158,8 +165,6 @@ static int install_thread_keyring(void)
		if (!new)
		return -ENOMEM;

		BUG_ON(new->thread_keyring);

		ret = install_thread_keyring_to_cred(new);
		if (ret < 0) {
		abort_creds(new);
		@@ -170,17 +175,17 @@ static int install_thread_keyring(void)
		}

		/*
		* Install a process keyring directly to a credentials struct.
		* Install a process keyring to the given credentials struct if it didn't have
		* one already. This is allowed to overrun the quota.
		*
		* Returns -EEXIST if there was already a process keyring, 0 if one installed,
		* and other value on any other error
		* Return: 0 if a process keyring is now present; -errno on failure.
		*/
		int install_process_keyring_to_cred(struct cred *new)
		{
		struct key *keyring;

		if (new->process_keyring)
		return -EEXIST;
		return 0;

		keyring = keyring_alloc("_pid", new->uid, new->gid, new,
		KEY_POS_ALL \| KEY_USR_VIEW,
		@@ -194,11 +199,9 @@ int install_process_keyring_to_cred(struct cred *new)
		}

		/*
		* Make sure a process keyring is installed for the current process. The
		* existing process keyring is not replaced.
		* Install a process keyring to the current task if it didn't have one already.
		*
		* Returns 0 if there is a process keyring by the end of this function, some
		* error otherwise.
		* Return: 0 if a process keyring is now present; -errno on failure.
		*/
		static int install_process_keyring(void)
		{
		@@ -212,14 +215,18 @@ static int install_process_keyring(void)
		ret = install_process_keyring_to_cred(new);
		if (ret < 0) {
		abort_creds(new);
		return ret != -EEXIST ? ret : 0;
		return ret;
		}

		return commit_creds(new);
		}

		/*
		* Install a session keyring directly to a credentials struct.
		* Install the given keyring as the session keyring of the given credentials
		* struct, replacing the existing one if any. If the given keyring is NULL,
		* then install a new anonymous session keyring.
		*
		* Return: 0 on success; -errno on failure.
		*/
		int install_session_keyring_to_cred(struct cred cred, struct key keyring)
		{
		@@ -254,8 +261,11 @@ int install_session_keyring_to_cred(struct cred cred, struct key keyring)
		}

		/*
		* Install a session keyring, discarding the old one. If a keyring is not
		* supplied, an empty one is invented.
		* Install the given keyring as the session keyring of the current task,
		* replacing the existing one if any. If the given keyring is NULL, then
		* install a new anonymous session keyring.
		*
		* Return: 0 on success; -errno on failure.
		*/
		static int install_session_keyring(struct key *keyring)
		{