Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux...
Linus Torvalds [Thu, 21 Feb 2013 16:18:12 +0000 (08:18 -0800)]
Pull security subsystem updates from James Morris:
 "This is basically a maintenance update for the TPM driver and EVM/IMA"

Fix up conflicts in lib/digsig.c and security/integrity/ima/ima_main.c

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (45 commits)
  tpm/ibmvtpm: build only when IBM pseries is configured
  ima: digital signature verification using asymmetric keys
  ima: rename hash calculation functions
  ima: use new crypto_shash API instead of old crypto_hash
  ima: add policy support for file system uuid
  evm: add file system uuid to EVM hmac
  tpm_tis: check pnp_acpi_device return code
  char/tpm/tpm_i2c_stm_st33: drop temporary variable for return value
  char/tpm/tpm_i2c_stm_st33: remove dead assignment in tpm_st33_i2c_probe
  char/tpm/tpm_i2c_stm_st33: Remove __devexit attribute
  char/tpm/tpm_i2c_stm_st33: Don't use memcpy for one byte assignment
  tpm_i2c_stm_st33: removed unused variables/code
  TPM: Wait for TPM_ACCESS tpmRegValidSts to go high at startup
  tpm: Fix cancellation of TPM commands (interrupt mode)
  tpm: Fix cancellation of TPM commands (polling mode)
  tpm: Store TPM vendor ID
  TPM: Work around buggy TPMs that block during continue self test
  tpm_i2c_stm_st33: fix oops when i2c client is unavailable
  char/tpm: Use struct dev_pm_ops for power management
  TPM: STMicroelectronics ST33 I2C BUILD STUFF
  ...

1  2 
lib/digsig.c
security/integrity/evm/evm_crypto.c
security/integrity/ima/ima.h
security/integrity/ima/ima_main.c
security/integrity/ima/ima_policy.c

diff --cc lib/digsig.c
@@@ -162,13 -152,9 +152,11 @@@ static int digsig_verify_rsa(struct ke
        memset(out1, 0, head);
        memcpy(out1 + head, p, l);
  
 +      kfree(p);
 +
-       err = pkcs_1_v1_5_decode_emsa(out1, len, mblen, out2, &len);
-       if (err)
-               goto err;
+       m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, &len);
  
-       if (len != hlen || memcmp(out2, h, hlen))
+       if (!m || len != hlen || memcmp(m, h, hlen))
                err = -EINVAL;
  
  err:
Simple merge
@@@ -139,10 -141,9 +141,10 @@@ void ima_delete_rules(void)
  /* Appraise integrity measurements */
  #define IMA_APPRAISE_ENFORCE  0x01
  #define IMA_APPRAISE_FIX      0x02
 +#define IMA_APPRAISE_MODULES  0x04
  
  #ifdef CONFIG_IMA_APPRAISE
- int ima_appraise_measurement(struct integrity_iint_cache *iint,
+ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
                             struct file *file, const unsigned char *filename);
  int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
  void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
@@@ -291,18 -282,10 +282,15 @@@ EXPORT_SYMBOL_GPL(ima_file_check)
   */
  int ima_module_check(struct file *file)
  {
-       int rc = 0;
 -      if (!file)
 -              return -EACCES; /* INTEGRITY_UNKNOWN */
 +      if (!file) {
-               if (ima_appraise & IMA_APPRAISE_MODULES) {
 +#ifndef CONFIG_MODULE_SIG_FORCE
-                       rc = -EACCES;   /* INTEGRITY_UNKNOWN */
++              if (ima_appraise & IMA_APPRAISE_MODULES)
++                      return -EACCES; /* INTEGRITY_UNKNOWN */
 +#endif
-               }
-       } else
-               rc = process_measurement(file, file->f_dentry->d_name.name,
-                                        MAY_EXEC, MODULE_CHECK);
-       return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;
++              return 0;       /* We rely on module signature checking */
++      }
+       return process_measurement(file, file->f_dentry->d_name.name,
+                                  MAY_EXEC, MODULE_CHECK);
  }
  
  static int __init init_ima(void)
Simple merge