Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

2016-01-06 Thread David Howells
David Howells wrote: > Partially revert commit 41c89b64d7184a780f12f2cccdabe65cb2408893: > > Author: Petko Manolov > Date: Wed Dec 2 17:47:55 2015 +0200 > IMA: create machine owner and blacklist keyrings > > The problem is that prep->trusted is

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-06 Thread David Howells
Mimi Zohar wrote: > Once the builtin keys are loaded onto the system keyring, isn't the > system keyring locked? No. David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More ma

[PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

2016-01-06 Thread David Howells
I appreciate what the patch is trying to do, I don't think this is quite the right solution. Signed-off-by: David Howells cc: Petko Manolov cc: Mimi Zohar cc: keyri...@vger.kernel.org --- crypto/asymmetric_keys/x509_public_key.c |2 -- 1 file changed, 2 deletions(-) diff --git a/cryp

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-06 Thread David Howells
'trusted' is a boolean, a key in the IMA MOK keyring will permit addition to the system keyring. David

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-05 Thread David Howells
Mimi Zohar wrote: > You're missing Petko's patch: > 41c89b6 IMA: create machine owner and blacklist keyrings It should also be cc'd to the keyrings mailing list. David

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-05 Thread David Howells
Mimi Zohar wrote: > You're missing Petko's patch: > 41c89b6 IMA: create machine owner and blacklist keyrings Hmmm... This is wrong. x509_key_preparse() shouldn't be polling the IMA MOK keyring under all circumstances. David

[RFC PATCH] X.509: Don't treat self-signed keys specially

2016-01-05 Thread David Howells
bility check on a self-signed cert then succeeding. This is most likely to happen when a duplicate of the certificate is already on the trust keyring - in which case it shouldn't be a problem. Signed-off-by: David Howells cc: David Woodhouse cc: Mimi Zohar --- crypto/asymmetric_keys/x509

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-05 Thread David Howells
David Howells wrote: > If a certificate is self-signed, don't bother checking the validity of the > signature. The cert cannot be checked by validation against the next one > in the chain as this is the root of the chain. Trust for this certificate > can only be determi

[RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-05 Thread David Howells
e RSA module when the result of calculating "m = s^e mod n" is checked. Signed-off-by: David Howells cc: David Woodhouse cc: Mimi Zohar --- crypto/asymmetric_keys/x509_public_key.c | 25 - 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/crypto/

[RFC PATCH] X.509: Don't check the signature on apparently self-signed keys

2016-01-05 Thread David Howells
e RSA module when the result of calculating "m = s^e mod n" is checked. Signed-off-by: David Howells cc: David Woodhouse cc: Mimi Zohar --- crypto/asymmetric_keys/x509_public_key.c | 15 +-- 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/crypto/

[RFC PATCH 3/4] X.509: Support leap seconds

2016-01-04 Thread David Howells
Signed-off-by: David Howells cc: Arnd Bergmann cc: David Woodhouse cc: John Stultz --- crypto/asymmetric_keys/x509_cert_parser.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c ind

[RFC PATCH 2/4] Handle ISO 8601 leap seconds and encodings of midnight in mktime64()

2016-01-04 Thread David Howells
nt them as valid parameters. These facility will be used by the X.509 parser. Doing it in mktime64() makes the policy common to the whole kernel and easier to find. Signed-off-by: David Howells cc: Arnd Bergmann cc: John Stultz --- kernel/time/time.c |9 - 1 file changed, 8 insert

[RFC PATCH 4/4] X.509: Handle midnight alternative notation in GeneralizedTime

2016-01-04 Thread David Howells
udolf Polzer Signed-off-by: David Howells cc: David Woodhouse cc: John Stultz cc: Arnd Bergmann --- crypto/asymmetric_keys/x509_cert_parser.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_par

[RFC PATCH 1/4] X.509: Fix leap year handling again

2016-01-04 Thread David Howells
00". It's also easier to read. (2) The default month length for any February where the year doesn't divide by four exactly is obtained from the month_length[] array where the value is 29, not 28. This is fixed by altering the table. Reported-by: Rudolf Polzer Sig

[PATCH 0/4] X.509: Fix time handling

2016-01-04 Thread David Howells
Here's a set of patches that fix X.509 time handling in three ways: (1) Fix leap year handling. (2) Add leap second handling (where you get a time of 23:59:60). (3) Add end-of-day midnight encoding (where you get a time of 24:00:00). David --- David Howells (4): X.509: Fix leap

Re: [GIT PULL] Keys fixes

2015-12-18 Thread David Howells
> And you know what? If somebody decides that they want to have a key > that says it was done at some nonsensical time like 24:30:60, just let > it go. Just accept it. It's not your problem. I've been told that it's a security hole. David

Re: [GIT PULL] Keys fixes

2015-12-18 Thread David Howells
Linus Torvalds wrote: > > David Howells (7): > > Handle leap seconds in mktime64() > > This one is completely wrong. > > Leap seconds are inserted *at* the minute, not at the second before the > minute. > > So this code: > > + /* Handle

Re: [PATCH] X.509: Fix determination of self-signedness

2015-12-18 Thread David Howells
Josh Boyer wrote: > Should this also be Cc'd to stable? Argh. Probably. David

[PATCH] KEYS: Fix race between read and revoke

2015-12-17 Thread David Howells
h can be summarised as: BUG: unable to handle kernel NULL pointer dereference at 0010 IP: [] user_read+0x56/0xa3 ... Call Trace: [] keyctl_read_key+0xb6/0xd7 [] SyS_keyctl+0x83/0xe0 [] entry_SYSCALL_64_fastpath+0x12/0x6f Reported-

[PATCH 2/5] Handle leap seconds in mktime64()

2015-12-17 Thread David Howells
rkers from all the parameters since they don't really achieve anything and we do need to alter the sec parameter. Signed-off-by: David Howells cc: John Stultz cc: Arnd Bergmann cc: sta...@vger.kernel.org --- include/linux/time.h | 13 ++--- kernel/time/time.c | 14 +++--

[PATCH] X.509: Fix determination of self-signedness

2015-12-17 Thread David Howells
d if the Issuer and Subject names differ. Signed-off-by: David Howells cc: David Woodhouse --- crypto/asymmetric_keys/x509_public_key.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_pub

[PATCH 1/5] X.509: Fix leap year handling again

2015-12-17 Thread David Howells
00". It's also easier to read. (2) The default month length for any February where the year doesn't divide by four exactly is obtained from the month_length[] array where the value is 29, not 28. This is fixed by altering the table. Reported-by: Rudolf Polzer Sig

[PATCH 3/5] X.509: Support leap seconds

2015-12-17 Thread David Howells
Reported-by: Rudolf Polzer Signed-off-by: David Howells cc: David Woodhouse cc: John Stultz cc: Arnd Bergmann cc: sta...@vger.kernel.org --- crypto/asymmetric_keys/x509_cert_parser.c |6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/crypto/asymmetric_keys/x509_cer

[PATCH 4/5] Handle both ISO 8601 encodings of midnight in mktime64()

2015-12-17 Thread David Howells
8601 dates. Signed-off-by: David Howells cc: John Stultz cc: Arnd Bergmann cc: sta...@vger.kernel.org --- kernel/time/time.c |5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel/time/time.c b/kernel/time/time.c index 1858b10602f5..56e7ada38471 100644 --- a/kernel/t

[PATCH 5/5] X.509: Handle midnight alternative notation in GeneralizedTime

2015-12-17 Thread David Howells
(). Without this patch, certain X.509 certificates will be rejected and could lead to an unbootable kernel. Reported-by: Rudolf Polzer Signed-off-by: David Howells cc: David Woodhouse cc: John Stultz cc: Arnd Bergmann cc: sta...@vger.kernel.org --- crypto/asymmetric_keys/x509_cert_parser.c | 12

[PATCH 0/5] X.509: Fix time handling

2015-12-17 Thread David Howells
Here's a set of patches that fix X.509 time handling in three ways: (1) Fix leap year handling. (2) Add leap second handling (where you get a time of 23:59:60). (3) Add end-of-day midnight encoding (where you get a time of 24:00:00). David --- David Howells (5): X.509: Fix leap

Re: [PATCH] X.509: Fix the time validation [ver #3]

2015-12-11 Thread David Howells
Greg Kroah-Hartman wrote: > David, any reason you didn't put a cc: stable in the commit for it to be > picked up in the stable releases? I did cc it to stable. David

Re: [PATCH 0/2] security: clarify that some code is really non-modular

2015-12-10 Thread David Howells
Paul Gortmaker wrote: > Paul Gortmaker (2): > security/keys: make big_key.c explicitly non-modular > security/integrity: make ima/ima_mok.c explicitly non-modular Note that I only see patch 1. Note also that keyri...@linux-nfs.org should now be keyri...@vger.kernel.org. Da

Re: [PATCH] X.509: Fix leap year handling again and support leap seconds

2015-12-10 Thread David Howells
David Howells wrote: > > the leap second support still looks a bit suspect, as mktime64 will convert > > mm/dd/ HH/MM/60 and mm/dd/ HH/MM+1/00 to the same time64_t, > > essentially meaning that two different inputs can yield the same output, > > possibly violating

Re: [PATCH] X.509: Fix leap year handling again and support leap seconds

2015-12-10 Thread David Howells
lizedTime is ISO 8601 format. > > It's not entirely clear that ASN.1 expects it, but we can relax the > > seconds check slightly for GeneralizedTime. What I'm not sure of is whether other ASN.1 implementations will expect it. David

Re: keyring timestamps

2015-12-01 Thread David Howells
Petko Manolov wrote: > 0) does keyrings keep a timestamp when created or last updated? David? No. > 0) is crucial. If there is no such thing as "time of the last update" for > keyrings i guess we'll either have to implement it or use another mechanism >

Re: [PATCH] X.509: Fix leap year handling again and support leap seconds

2015-12-01 Thread David Howells
nd DER rules. That's a 'bug' in mktime64() not my parsing of the ASN.1. If it's valid ASN.1 then we should accept it. David

[PATCH] X.509: Fix leap year handling again and support leap seconds

2015-12-01 Thread David Howells
ly supports a seconds value in the range 00-59. Reported-by: Rudolf Polzer Signed-off-by: David Howells --- diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 021d39c0ba75..f57c3c1b5ae7 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.

Re: [PATCH 1/2] KEYS: Reserve an extra certificate symbol for inserting without recompiling

2015-11-26 Thread David Howells
Mehmet Kayaalp wrote: > Place a system_extra_cert buffer of configurable size, right after the > system_certificate_list, so that inserted keys can be readily processed by > the existing mechanism. Do you have a particular use case for this? David

Re: [PATCH] KEYS: Fix handling of stored error in a negatively instantiated user key

2015-11-25 Thread David Howells
James Morris wrote: > Is this triggerable by normal users? Yes. David

Re: [PATCH] KEYS: Fix handling of stored error in a negatively instantiated user key

2015-11-24 Thread David Howells
Hi James, Can this be passed straight to Linus please? Thanks, David

[PATCH] KEYS: Fix handling of stored error in a negatively instantiated user key

2015-11-24 Thread David Howells
d or it will fail with EINVAL before getting to the bit that will crash. Reported-by: Dmitry Vyukov Signed-off-by: David Howells Acked-by: Mimi Zohar --- security/keys/encrypted-keys/encrypted.c |2 ++ security/keys/trusted.c |5 - security/keys/user_defined.c

Re: [RFC] readlink()-related oddities

2015-11-20 Thread David Howells
u don't have an AFS file of that name and lookup of that non-existent file as an attempt to mount a destination volume encoded by the filename. David

[RFC] KEYS: Exposing {a,}symmetric key ops to userspace and other bits

2015-11-20 Thread David Howells
key, encrypting it with an asymmetric key inside the kernel. Again, how to parameterise is probably a tricky question. (*) Sort out the KEYCTL_UPDATE mess with trusted and encrypted keys. David

Re: [RFC] readlink()-related oddities

2015-11-20 Thread David Howells
ectory. Do those tools call readlink() > on every directory they spot on AFS volume? David? It has to be a directory so that you can mount on it. If you look in /afs on an OpenAFS client filesystem it appears as a symlink to somewhere under /afs/ because they can't do the in-kernel mountin

Re: [RFC] readlink()-related oddities

2015-11-20 Thread David Howells
re's an AFS userspace command that could be used to query a mountpoint that was going to use it. However, I suspect readlink() will now always trigger the automount. This is one of the things OpenAFS uses pioctl() for - but since I'm not allowed to add that to the kernel, I have to find s

[PATCH] X.509: Fix the time validation [ver #3]

2015-11-12 Thread David Howells
doing the following: cat < Signed-off-by: David Howells Tested-by: Mimi Zohar Acked-by: David Woodhouse --- crypto/asymmetric_keys/x509_cert_parser.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/cry

Re: [PATCH] X.509: Fix the time validation [ver #2]

2015-11-12 Thread Woodhouse, David
On Thu, 2015-11-12 at 09:36 +, David Howells wrote: > If it works, it emits a key ID; if it fails, it should give a bad > message error. In this sentence, failure is good, yes? This is a malformed key so we *expect* the failure? -- David Woodhouse Open

[PATCH] X.509: Fix the time validation [ver #2]

2015-11-12 Thread David Howells
doing the following: cat < Signed-off-by: David Howells Tested-by: Mimi Zohar Acked-by: David Woodhouse --- crypto/asymmetric_keys/x509_cert_parser.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/cry

[PATCH] X.509: Fix the time validation

2015-11-11 Thread David Howells
doing the following: cat < Signed-off-by: David Howells Tested-by: Mimi Zohar Acked-by: David Woodhouse --- crypto/asymmetric_keys/x509_cert_parser.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/cry

Re: [GIT PULL] KEYS: Miscellaneous patches for next

2015-10-23 Thread David Howells
James Morris wrote: > Have these been in next yet? No. David

[GIT PULL] KEYS: Miscellaneous patches for next

2015-10-22 Thread David Howells
eally make any sense to keep them separate. David --- The following changes since commit 09302fd19efbff9569eaad3f78ead8f411defd87: Merge branch 'smack-for-4.4' of https://github.com/cschaufler/smack-next into next (2015-10-21 10:49:29 +1100) are available in the git reposi

[PATCH 05/10] KEYS: Add identifier pointers to public_key_signature struct

2015-10-21 Thread David Howells
Add key identifier pointers to public_key_signature struct so that they can be used to retain the identifier of the key to be used to verify the signature in both PKCS#7 and X.509. Signed-off-by: David Howells --- crypto/asymmetric_keys/public_key.c |2 ++ include/crypto/public_key.h

[PATCH 06/10] X.509: Retain the key verification data

2015-10-21 Thread David Howells
Retain the key verification data (ie. the struct public_key_signature) including the digest and the key identifiers. Note that this means that we need to take a separate copy of the digest in x509_get_sig_params() rather than lumping it in with the crypto layer data. Signed-off-by: David Howells

[PATCH 03/10] KEYS: Add facility to check key trustworthiness upon link creation

2015-10-21 Thread David Howells
-only keyring being searched. (3) KEY_ALLOC_TRUSTED now acts as an override. If this is passed to key_create_or_update() then the ->verify_trust() method will be ignored and the key will be added anyway. Signed-off-by: David Howells --- Documentation/security/keys.txt

[PATCH 02/10] PKCS#7: Make trust determination dependent on contents of trust keyring

2015-10-21 Thread David Howells
Make the determination of the trustworthiness of a key dependent on whether a key that can verify it is present in the ring of trusted keys rather than whether or not the verifying key has KEY_FLAG_TRUSTED set. Signed-off-by: David Howells --- certs/system_keyring.c | 13

[PATCH 01/10] KEYS: Generalise system_verify_data() to provide access to internal content

2015-10-21 Thread David Howells
function. If the callback is not required, that can be set to NULL. The function is now called verify_pkcs7_signature() to contrast with verify_pefile_signature() and the definitions of both have been moved into linux/verification.h along with the key_being_used_for enum. Signed-off-by: David Howells

[PATCH 04/10] KEYS: Allow authentication data to be stored in an asymmetric key

2015-10-21 Thread David Howells
Allow authentication data to be stored in an asymmetric key in the 4th element of the key payload and provide a way for it to be destroyed. For the public key subtype, this will be a public_key_signature struct. Signed-off-by: David Howells --- crypto/asymmetric_keys/asymmetric_type.c |7

[PATCH 00/10] KEYS: Change how keys are determined to be trusted

2015-10-21 Thread David Howells
git/log/?h=keys-trust and are tagged with: keys-trust-20151021 David --- David Howells (10): KEYS: Generalise system_verify_data() to provide access to internal content PKCS#7: Make trust determination dependent on contents of trust keyring KEYS: Add facility to

[PATCH 07/10] X.509: Extract signature digest and make self-signed cert checks earlier

2015-10-21 Thread David Howells
We just can't add it to a ring of trusted keys or follow it further up the chain of trust. Making these checks earlier allows x509_check_signature() to be removed and replaced with direct calls to public_key_verify_signature(). Signed-off-by: David Howells --- crypto/asymmetric_

[PATCH 08/10] PKCS#7: Make the signature a pointer rather than embedding it

2015-10-21 Thread David Howells
means we can use public_key_free() to get rid of the signature record. Signed-off-by: David Howells --- crypto/asymmetric_keys/pkcs7_parser.c | 38 +++- crypto/asymmetric_keys/pkcs7_parser.h | 10 +++--- crypto/asymmetric_keys/pkcs7_trust.c |4 +-- crypto

[PATCH 09/10] X.509: Move the trust validation code out to its own file

2015-10-21 Thread David Howells
Move the X.509 trust validation code out to its own file so that it can be generalised. Signed-off-by: David Howells --- crypto/asymmetric_keys/Makefile |2 crypto/asymmetric_keys/public_key_trust.c | 192 + crypto/asymmetric_keys/x509_parser.h

[PATCH 10/10] KEYS: Move the point of trust determination to __key_link()

2015-10-21 Thread David Howells
ich it could be secondarily linked. To accomplish this, the authentication data associated with the key source must now be retained. For an X.509 cert, this means the contents of the AuthorityKeyIdentifier and the signature data. Signed-off-by: David Howells --- certs/s

Re: [PATCH 1/6] KEYS: use kvfree() in add_key

2015-10-21 Thread David Howells
These patches can be found here also: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-next And tagged with: keys-next-20151021 David

[PATCH 5/6] KEYS: Provide a script to extract a module signature

2015-10-21 Thread David Howells
e key identifier contents. (*) "-s". Dumps the cryptographic signature contents. In the case that the signature is a PKCS#7 (or CMS) message, -n and -k will print a warning to stderr and dump nothing to stdout, but will otherwise complete okay; the entire PKCS#7/CMS message will

[PATCH 3/6] keys: Be more consistent in selection of union members used

2015-10-21 Thread David Howells
From: Insu Yun key->description and key->index_key.description are the same because they are unioned. But, for readability, using the same name for duplication and validation seems better. Signed-off-by: Insu Yun Signed-off-by: David Howells --- security/keys/key.c |2 +- 1 file chan

[PATCH 4/6] KEYS: Provide a script to extract the sys cert list from a vmlinux file

2015-10-21 Thread David Howells
Certificate list at file offset 0x141c540 If vmlinux contains symbols then that is used rather than System.map - even if one is given. Signed-off-by: David Howells --- scripts/extract-sys-certs.pl | 144 ++ 1 file changed, 144 insertions(+) create mode 100755

[PATCH 2/6] certs: add .gitignore to stop git nagging about x509_certificate_list

2015-10-21 Thread David Howells
re entry at the same time. I didn't bother to dig through git history to see when it moved, since it is just a minor annoyance at most. Cc: David Woodhouse Cc: keyri...@linux-nfs.org Signed-off-by: Paul Gortmaker Signed-off-by: David Howells --- certs/.gitignore |4 kernel/.gi

[PATCH 6/6] KEYS: Merge the type-specific data with the payload data

2015-10-21 Thread David Howells
Merge the type-specific data with the payload data into one four-word chunk as it seems pointless to keep them separate. Use user_key_payload() for accessing the payloads of overloaded user-defined keys. Signed-off-by: David Howells cc: linux-c...@vger.kernel.org cc: ecryp...@vger.kernel.org cc

[PATCH 1/6] KEYS: use kvfree() in add_key

2015-10-21 Thread David Howells
From: Geliang Tang There is no need to make a flag to tell that this memory is allocated by kmalloc or vmalloc. Just use kvfree to free the memory. Signed-off-by: Geliang Tang Signed-off-by: David Howells --- security/keys/keyctl.c |8 +--- 1 file changed, 1 insertion(+), 7

Re: [PATCH v4 2/3] Create IMA machine owner keys (MOK) and blacklist keyrings;

2015-10-21 Thread David Howells
Petko Manolov wrote: > > > As far as i know there is no concept of write-once to a keyring in the > > > kernel. David will correct me if i am wrong. I wonder how hard would > > > it be to add such functionality, in case it is missing? > > > > Not hard,

Re: [PATCH v4 2/3] Create IMA machine owner keys (MOK) and blacklist keyrings;

2015-10-21 Thread David Howells
or -EKEYREVOKED (the key is blacklisted)? That might be getting too over-complicated though. David

Re: [PATCH v4 2/3] Create IMA machine owner keys (MOK) and blacklist keyrings;

2015-10-21 Thread David Howells
Petko Manolov wrote: > As far as i know there is no concept of write-once to a keyring in the > kernel. David will correct me if i am wrong. I wonder how hard would it be > to add such functionality, in case it is missing? Not hard, particularly if it's only an attribute that

Re: [PATCH v4 2/3] Create IMA machine owner keys (MOK) and blacklist keyrings;

2015-10-21 Thread David Howells
serspace, even by a privileged user, by dot prefixing the keyrings.) That doesn't stop keys being addressed directly for invalidation and revocation, but you can probably manage that with permissions. David

[PATCH 2/2] KEYS: Don't permit request_key() to construct a new keyring

2015-10-19 Thread David Howells
ioned with keyring metadata. Now the kernel gives an error: request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted) Signed-off-by: David Howells --- security/keys/request_key.c |3 ++

[PATCH 1/2] KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring

2015-10-19 Thread David Howells
m_fork+0x3f/0x70 [] ? kthread_create_on_node+0x1c2/0x1c2 Note the value in RAX. This is a 32-bit representation of -ENOKEY. The solution is to only call ->destroy() if the key was successfully instantiated. Reported-by: Dmitry Vyukov Signed-off-by: David Howells Tested-by: Dmitry Vyukov ---

[PATCH 0/2] KEYS: Fix crash in GC

2015-10-19 Thread David Howells
okay with patch (2) being deferred to the next merge window if we're only fixing security bugs at this time upstream. The patches can be found here also: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes David --- David Howells (2): KEYS:

Re: GPF in keyring_destroy

2015-10-19 Thread David Howells
Dmitry Vyukov wrote: > Do you mean in addition or instead of the previous one? From your > description, it sounds like it alone should prevent the crash. I'm going to submit them both, so if you could test them together. You're right, though, I think this should also prevent t

Re: GPF in keyring_destroy

2015-10-19 Thread David Howells
previous one also? Thanks, David --- commit 27874345bb8d2c39f3d493607a86ecbfcb100405 Author: David Howells Date: Mon Oct 19 11:20:28 2015 +0100 KEYS: Don't permit request_key() to construct a new keyring If request_key() is used to find a keyring, only do the search part -

Re: GPF in keyring_destroy

2015-10-19 Thread David Howells
Dmitry Vyukov wrote: > Yes, sure. Do I need to say something like: > > Tested-by: Dmitry Vyukov > > in future? That helps:-) David

Re: GPF in keyring_destroy

2015-10-19 Thread David Howells
Dmitry Vyukov wrote: > > Does the attached patch fix it for you? > > Yes, it fixes the crash for me. Can I put you down as a Tested-by? David

Re: [PATCH v2 0/4] Basic trusted keys support for TPM 2.0

2015-10-16 Thread David Howells
Hi Jarkko, For some reason I don't see patch 1. David

Re: [PATCH] keys: change member variable name

2015-10-15 Thread David Howells
ject line to: keys: Be more consistent in selection of union members used if you're okay with that. David

Re: [PATCH] keys: correctly check failed allocation for kmemdup

2015-10-15 Thread David Howells
Insu Yun wrote: > Thanks David. Then it is not a bug. > It's a pure question. > Why use different name for allocation and check? > For me, it is quite confusing. Either I didn't notice at the time, or the shorter variant is the original. If you want to give me a patc

Re: GPF in keyring_destroy

2015-10-15 Thread David Howells
Does the attached patch fix it for you? David --- commit a7609e0bb3973d6ee3c9f1ecd0b6a382d99d6248 Author: David Howells Date: Thu Oct 15 17:21:37 2015 +0100 KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring The following sequence of commands

Re: [PATCH] keys: correctly check failed allocation for kmemdup

2015-10-15 Thread David Howells
Insu Yun wrote: > kmemdup return value is saved in 'key->index_key.description', not > 'key->description' and kmemdup can fail under memory pressure. > Therefore, key->index_key.description should be checked. The fields are unioned. It makes no differen

Re: GPF in keyring_destroy

2015-10-15 Thread David Howells
Dmitry Vyukov wrote: > RAX: ff82 This is the value that matters. It would appear to be -ENOKEY and would be in key->type_data.reject_error, I think. David

Re: [PATCH] af_unix: introduce unix_sk_const helper

2015-10-08 Thread David Miller
From: Arnd Bergmann Date: Tue, 06 Oct 2015 22:52:46 +0200 > Commit 124613012db1 ("af_unix: Convert the unix_sk macro to an inline > function for type safety") was recently added to catch incorrect > uses of the unix_sk helper using compiler warnings. > > It has now caught one such case in lsm_au

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-26 Thread David Howells
he > 2) filesystem hosting the cache > > I think it is the second, but that is already double caching, which > has got to hurt. Actually, it is ideally: 1) NFS client page cache. But, because I can't do in-kernel O_DIRECT at the moment, with _CacheFiles_, it is: 1) NFS

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-25 Thread David Howells
Daniel Phillips <[EMAIL PROTECTED]> wrote: > On Monday 25 February 2008 15:19, David Howells wrote: > > So I guess there's a problem in cachefiles's efficiency - possibly due > > to the fact that it tries to be fully asynchronous. > > OK, not just my ima

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-25 Thread David Howells
desktop machine. The only way to guarantee that the memory is scrubbed is to reboot it:-( I'll look at setting up one of my other machines as an NFS server. David

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-22 Thread David Howells
s the file to get a list of vnode IDs that that directory points to. It could then do bulk status fetch operations to instantiate the inodes 50 at a time. I don't know whether NFS could use it. Someone like Trond or SteveD or Chuck would have to answer that. David

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-22 Thread David Howells
Chris Mason <[EMAIL PROTECTED]> wrote: > Thanks for trying this, of course I'll ask you to try again with the latest > v0.13 code, it has a number of optimizations especially for CPU usage. Here you go. The numbers are very similar. David = F

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-22 Thread David Howells
David Howells <[EMAIL PROTECTED]> wrote: > > > Have you got before/after benchmark results? > > > > See attached. > > Attached here are results using BTRFS (patched so that it'll work at all) > rather than Ext3 on the client on the partition backing the

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-22 Thread David Howells
to wait > for that defrag to finish. BTRFS might not be doing any writing at all here - apart from local atimes (used by cache culling), that is. What it does have to do is lots of lookups, reads and getxattrs, all of which are synchronous. David

Re: [PATCH 09/37] Security: Allow kernel services to override LSM settings for task actions

2008-02-22 Thread David Howells
new files created by CacheFiles should be created with. For smack_task_kernel_act_as(), it may be sufficient to set CAP_MAC_OVERRIDE in the task_security struct and leave it as that. It also may not be sufficient, as NFSd may end up using this to set the subjective security label supplied by the N

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-22 Thread David Howells
n-t-get-there-from-here is the round trip to the server to > determine whether you should read from the local cache. Got any ideas? I'm not sure what you mean. Your statement should probably read "... to determine _what_ you should read from the local cache". > And where is the Trond-meister in all of this? Keeping quiet as far as I can tell. David

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-21 Thread David Howells
y traffic. (2) It may help with slow connections (like doing NFS between the UK and Australia). (3) It could be used to do offline/disconnected operation. David

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-21 Thread David Howells
David Howells <[EMAIL PROTECTED]> wrote: > > Have you got before/after benchmark results? > > See attached. Attached here are results using BTRFS (patched so that it'll work at all) rather than Ext3 on the client on the partition backing the cache. Note that I didn

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-21 Thread David Howells
on various factors. Note that currently FS-Caching is disabled for individual NFS files opened for writing as there's no way to handle the coherency problems thereby introduced. David --- === FS-

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-21 Thread David Howells
lts. It does seem, however, that the I/O error handling capabilities of FS-Cache work properly:-) David

Re: [PATCH 00/37] Permit filesystem local caching

2008-02-20 Thread David Howells
y data. I'll try and get some though. > Oh, manually copied from patch 6, I see you have in the task_security > struct definition: > > kernel_cap_tcap_bset; /* ? */ > > That comment can be filled in with 'capability bounding set' (for this > task an

[PATCH 37/37] NFS: Add mount options to enable local caching on NFS

2008-02-20 Thread David Howells
ng and give a warning into the kernel log. Signed-off-by: David Howells <[EMAIL PROTECTED]> --- fs/nfs/client.c |2 ++ fs/nfs/internal.h |1 + fs/nfs/super.c| 25 + 3 files changed, 28 insertions(+), 0 deletions(-) diff --git a/fs/nfs/client.c

[PATCH 32/37] NFS: Add read context retention for FS-Cache to call back with

2008-02-20 Thread David Howells
Add read context retention so that FS-Cache can call back into NFS when a read operation on the cache fails EIO rather than reading data. This permits NFS to then fetch the data from the server instead using the appropriate security context. Signed-off-by: David Howells <[EMAIL PROTEC

[PATCH 30/37] NFS: Add some new I/O event counters for FS-Cache events

2008-02-20 Thread David Howells
Add some new NFS I/O event counters for FS-Cache events. They have to be added as byte counters because I may need to be able to increase the numbers by more than 1 at a time. Signed-off-by: David Howells <[EMAIL PROTECTED]> --- fs/nfs/iostat.h |7 +++ 1 files changed, 7 inse
