
Merge branch 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security layer fixes from James Morris:
"A fix for SELinux policy processing (regression introduced by
commit fa1aa143ac4a: "selinux: extended permissions for ioctls"), as
well as a fix for the user-triggerable oops in the Keys code"

* 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
KEYS: Fix handling of stored error in a negatively instantiated user key
selinux: fix bug in conditional rules handling

+12 -4
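--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -845,6 +845,8 @@
 	size_t datalen = prep->datalen;
 	int ret = 0;
 
+	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+		return -ENOKEY;
 	if (datalen <= 0 || datalen > 32767 || !prep->data)
 		return -EINVAL;
 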
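Review bot: The new guard in encrypted_update (and the identical one in trusted_update in security/keys/trusted.c) carries no comment saying why a negative key must be rejected before its payload is touched; a reader without the merge description will not know that payload.data[0] of a negatively instantiated key holds a stored error rather than a payload. I would put `/* a negative key carries a stored error, not a payload */` above the test_bit line in both files. Note also that security/keys/user_defined.c takes the opposite approach, letting the update proceed and merely not freeing the old payload, so the three key types now disagree on whether updating a negative key is an error; if that is deliberate (a user key being instantiated by the update), a one-line comment at each site would make the intent explicit. encrypted_update begins and ends outside the hunk.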
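--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -1007,13 +1007,16 @@
  */
 static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
 {
-	struct trusted_key_payload *p = key->payload.data[0];
+	struct trusted_key_payload *p;
 	struct trusted_key_payload *new_p;
 	struct trusted_key_options *new_o;
 	size_t datalen = prep->datalen;
 	char *datablob;
 	int ret = 0;
 
+	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+		return -ENOKEY;
+	p = key->payload.data[0];
 	if (!p->migratable)
 		return -EPERM;
 	if (datalen <= 0 || datalen > 32767 || !prep->data)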
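--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -120,7 +120,10 @@
 
 	if (ret == 0) {
 		/* attach the new data, displacing the old */
-		zap = key->payload.data[0];
+		if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+			zap = key->payload.data[0];
+		else
+			zap = NULL;
 		rcu_assign_keypointer(key, upayload);
 		key->expiry = 0;
 	}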
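Review bot: The `else zap = NULL;` branch leaves `zap` NULL on the negative-key path, so whatever frees `zap` after this hunk (user_update continues past the hunk's end) must tolerate a NULL pointer; that looks like the intent but is not visible here and is worth confirming. The branch also needs a why-comment, since nothing in the hunk says what payload.data[0] holds for a negative key: `/* a negative key stores an error code in payload.data[0], not a payload to free */`. As a matter of style the `if`/`else` collapses to one assignment, `zap = test_bit(KEY_FLAG_NEGATIVE, &key->flags) ? NULL : key->payload.data[0];`, which reads more directly. user_update begins and ends outside the hunk.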
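--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -638,7 +638,7 @@
 {
 	struct avtab_node *node;
 
-	if (!ctab || !key || !avd || !xperms)
+	if (!ctab || !key || !avd)
 		return;
 
 	for (node = avtab_search_node(ctab, key); node;
@@ -657,7 +657,7 @@
 		if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
 		    (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
 			avd->auditallow |= node->datum.u.data;
-		if ((node->key.specified & AVTAB_ENABLED) &&
+		if (xperms && (node->key.specified & AVTAB_ENABLED) &&
 			(node->key.specified & AVTAB_XPERMS))
 			services_compute_xperms_drivers(xperms, node);
 	}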
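Review bot: The second hunk makes `xperms` optional by testing it on every loop iteration, but the function's contract is not updated: the header comment above line 638, outside the hunk, should state that xperms may be NULL and that extended-permission entries are then skipped, e.g. `/* xperms may be NULL: callers that only need avd skip the AVTAB_XPERMS entries */`. Without that, a future caller passing NULL for an avd-only lookup has to read the loop body to learn that xperms entries are silently dropped rather than reported. Since `xperms` does not change inside the loop, the NULL test could be hoisted ahead of it, though the cost is negligible. The enclosing function begins before the first hunk and its loop continues past the second.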