From: Linus Torvalds Date: Sun, 12 Oct 2014 14:13:55 +0000 (-0400) Subject: Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux... X-Git-Tag: v3.18-rc1~77 X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=5e40d331bd72447197f26525f21711c4a265b6a6;p=linux-2.6-block.git Merge branch 'next' of git://git./linux/kernel/git/jmorris/linux-security Pull security subsystem updates from James Morris. Mostly ima, selinux, smack and key handling updates. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (65 commits) integrity: do zero padding of the key id KEYS: output last portion of fingerprint in /proc/keys KEYS: strip 'id:' from ca_keyid KEYS: use swapped SKID for performing partial matching KEYS: Restore partial ID matching functionality for asymmetric keys X.509: If available, use the raw subjKeyId to form the key description KEYS: handle error code encoded in pointer selinux: normalize audit log formatting selinux: cleanup error reporting in selinux_nlmsg_perm() KEYS: Check hex2bin()'s return when generating an asymmetric key ID ima: detect violations for mmaped files ima: fix race condition on ima_rdwr_violation_check and process_measurement ima: added ima_policy_flag variable ima: return an error code from ima_add_boot_aggregate() ima: provide 'ima_appraise=log' kernel option ima: move keyring initialization to ima_init() PKCS#7: Handle PKCS#7 messages that contain no X.509 certs PKCS#7: Better handling of unsupported crypto KEYS: Overhaul key identification when searching for asymmetric keys KEYS: Implement binary asymmetric key ID handling ... --- 5e40d331bd72447197f26525f21711c4a265b6a6 diff --cc fs/nfsd/vfs.c index 965cffd17a0c,d49c778faecb..989129e2d6ea --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@@ -714,25 -704,19 +714,25 @@@ nfsd_open(struct svc_rqst *rqstp, struc else flags = O_WRONLY|O_LARGEFILE; } - *filp = dentry_open(&path, flags, current_cred()); - if (IS_ERR(*filp)) { - host_err = PTR_ERR(*filp); - *filp = NULL; - } else { - host_err = ima_file_check(*filp, may_flags, 0); - if (may_flags & NFSD_MAY_64BIT_COOKIE) - (*filp)->f_mode |= FMODE_64BITHASH; - else - (*filp)->f_mode |= FMODE_32BITHASH; + file = dentry_open(&path, flags, current_cred()); + if (IS_ERR(file)) { + host_err = PTR_ERR(file); + goto out_nfserr; } - host_err = ima_file_check(file, may_flags); ++ host_err = ima_file_check(file, may_flags, 0); + if (host_err) { + nfsd_close(file); + goto out_nfserr; + } + + if (may_flags & NFSD_MAY_64BIT_COOKIE) + file->f_mode |= FMODE_64BITHASH; + else + file->f_mode |= FMODE_32BITHASH; + + *filp = file; out_nfserr: err = nfserrno(host_err); out: diff --cc include/linux/kernel.h index e9e420b6d931,89a0b8e5a952..35c8ffb0136f --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@@ -494,10 -493,16 +494,11 @@@ static inline char *hex_byte_pack_upper return buf; } -static inline char * __deprecated pack_hex_byte(char *buf, u8 byte) -{ - return hex_byte_pack(buf, byte); -} - extern int hex_to_bin(char ch); extern int __must_check hex2bin(u8 *dst, const char *src, size_t count); + extern char *bin2hex(char *dst, const void *src, size_t count); -int mac_pton(const char *s, u8 *mac); +bool mac_pton(const char *s, u8 *mac); /* * General tracing related utility functions - trace_printk(), diff --cc security/smack/smack_lsm.c index 69e5635d89e5,93dc876734a4..d515ec25ae9f --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@@ -1394,7 -1574,8 +1574,7 @@@ static void smack_file_set_fowner(struc { struct smack_known *skp = smk_of_current(); - file->f_security = skp->smk_known; + file->f_security = skp; - return 0; } /**