From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu, 21 Feb 2013 16:18:12 +0000 (-0800)
Subject: Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux... 
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=33673dcb372b5d8179c22127ca71deb5f3dc7016;p=linux.git

Merge branch 'next' of git://git./linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
 "This is basically a maintenance update for the TPM driver and EVM/IMA"

Fix up conflicts in lib/digsig.c and security/integrity/ima/ima_main.c

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (45 commits)
  tpm/ibmvtpm: build only when IBM pseries is configured
  ima: digital signature verification using asymmetric keys
  ima: rename hash calculation functions
  ima: use new crypto_shash API instead of old crypto_hash
  ima: add policy support for file system uuid
  evm: add file system uuid to EVM hmac
  tpm_tis: check pnp_acpi_device return code
  char/tpm/tpm_i2c_stm_st33: drop temporary variable for return value
  char/tpm/tpm_i2c_stm_st33: remove dead assignment in tpm_st33_i2c_probe
  char/tpm/tpm_i2c_stm_st33: Remove __devexit attribute
  char/tpm/tpm_i2c_stm_st33: Don't use memcpy for one byte assignment
  tpm_i2c_stm_st33: removed unused variables/code
  TPM: Wait for TPM_ACCESS tpmRegValidSts to go high at startup
  tpm: Fix cancellation of TPM commands (interrupt mode)
  tpm: Fix cancellation of TPM commands (polling mode)
  tpm: Store TPM vendor ID
  TPM: Work around buggy TPMs that block during continue self test
  tpm_i2c_stm_st33: fix oops when i2c client is unavailable
  char/tpm: Use struct dev_pm_ops for power management
  TPM: STMicroelectronics ST33 I2C BUILD STUFF
  ...
---

33673dcb372b5d8179c22127ca71deb5f3dc7016
diff --cc lib/digsig.c
index dc2be7ed1765b,0103c5b9b8029..2f31e6a45f0af
--- a/lib/digsig.c
+++ b/lib/digsig.c
@@@ -162,13 -152,9 +152,11 @@@ static int digsig_verify_rsa(struct ke
  	memset(out1, 0, head);
  	memcpy(out1 + head, p, l);
  
 +	kfree(p);
 +
- 	err = pkcs_1_v1_5_decode_emsa(out1, len, mblen, out2, &len);
- 	if (err)
- 		goto err;
+ 	m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, &len);
  
- 	if (len != hlen || memcmp(out2, h, hlen))
+ 	if (!m || len != hlen || memcmp(m, h, hlen))
  		err = -EINVAL;
  
  err:
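Review bot: The merged call `m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, &len);` passes `len` as the input length and overwrites it with the decoded message length through `&len`, so from this line on `len` no longer means the size of `out1`; a comment such as `/* len is reused: on return it holds the decoded message length */` would stop a later edit from treating it as the buffer size. The result `m` appears to be a pointer into `out1` rather than a fresh allocation (nothing is freed for it here), which would mean `out1` must stay allocated until after the `memcmp` on the next lines — worth confirming against the cleanup at `err:`. Note that a NULL `m` now falls through to the comparison instead of the former `goto err`, which is correct only because `!m` is checked first in the same condition. digsig_verify_rsa starts before this hunk and its `err:` cleanup continues past it.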
diff --cc security/integrity/ima/ima.h
index 079a85dc37b2b,6e69697fd5300..a41c9c18e5e07
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@@ -139,10 -141,9 +141,10 @@@ void ima_delete_rules(void)
  /* Appraise integrity measurements */
  #define IMA_APPRAISE_ENFORCE	0x01
  #define IMA_APPRAISE_FIX	0x02
 +#define IMA_APPRAISE_MODULES	0x04
  
  #ifdef CONFIG_IMA_APPRAISE
- int ima_appraise_measurement(struct integrity_iint_cache *iint,
+ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
  			     struct file *file, const unsigned char *filename);
  int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
  void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
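Review bot: The new first parameter of `ima_appraise_measurement` is typed `int func` while the neighbouring prototype `ima_must_appraise` takes the same concept as `enum ima_hooks func`; if callers pass an `ima_hooks` value (as the `MODULE_CHECK` use in ima_main.c suggests), declaring it `int ima_appraise_measurement(enum ima_hooks func, struct integrity_iint_cache *iint,` keeps the two prototypes consistent and lets the compiler check the argument. The added `IMA_APPRAISE_MODULES 0x04` bit has no comment explaining what it enables, unlike the block comment above the group; a one-liner such as `/* appraise kernel modules loaded via init_module()/finit_module() */` next to it would document the new policy bit — hedged, since the exact hook it gates is not visible in this header.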
diff --cc security/integrity/ima/ima_main.c
index dba965de90d3f,3e751a9743a18..5127afcc4b898
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@@ -291,18 -282,10 +282,15 @@@ EXPORT_SYMBOL_GPL(ima_file_check)
   */
  int ima_module_check(struct file *file)
  {
- 	int rc = 0;
- 
 -	if (!file)
 -		return -EACCES;	/* INTEGRITY_UNKNOWN */
 +	if (!file) {
- 		if (ima_appraise & IMA_APPRAISE_MODULES) {
 +#ifndef CONFIG_MODULE_SIG_FORCE
- 			rc = -EACCES;	/* INTEGRITY_UNKNOWN */
++		if (ima_appraise & IMA_APPRAISE_MODULES)
++			return -EACCES;	/* INTEGRITY_UNKNOWN */
 +#endif
- 		}
- 	} else
- 		rc = process_measurement(file, file->f_dentry->d_name.name,
- 					 MAY_EXEC, MODULE_CHECK);
- 	return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;
++		return 0;	/* We rely on module signature checking */
++	}
+ 	return process_measurement(file, file->f_dentry->d_name.name,
+ 				   MAY_EXEC, MODULE_CHECK);
  }
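Review bot: The merge resolution drops the `IMA_APPRAISE_ENFORCE` gate that the mainline side applied: the removed line `return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;` turned the `-EACCES` into a permissive 0 when appraisal was not in enforce mode, but the new `if (ima_appraise & IMA_APPRAISE_MODULES) return -EACCES;` denies a NULL-file module load whenever the modules bit is set, including in fix or log-only mode. Restoring the gate on that branch is a one-line change, `if ((ima_appraise & IMA_APPRAISE_MODULES) && (ima_appraise & IMA_APPRAISE_ENFORCE))`. Whether `process_measurement` applies the enforce check itself for the non-NULL path cannot be seen from this hunk and should be confirmed, since the old `? rc : 0` also covered that return. The `#ifndef CONFIG_MODULE_SIG_FORCE` block would also benefit from a comment stating why the check is skipped when signatures are forced, e.g. `/* with MODULE_SIG_FORCE the module loader already rejects unsigned modules */`, hedged as an inference from the config name.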
  
  static int __init init_ima(void)