diff options
Diffstat (limited to 'modsign-20120510.patch')
| -rw-r--r-- | modsign-20120510.patch | 284 |
1 files changed, 0 insertions, 284 deletions
diff --git a/modsign-20120510.patch b/modsign-20120510.patch index d9aabf83..ee67a2a6 100644 --- a/modsign-20120510.patch +++ b/modsign-20120510.patch @@ -74,290 +74,6 @@ index 1f3219e..3d514b9 100644 1.7.10.2 -From 335abcad2d9fa26198c8e99bae2bb9b3185dce22 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Fri, 4 May 2012 15:55:50 +0100 -Subject: [PATCH 02/36] KEYS: Move the key config into security/keys/Kconfig - -Move the key config into security/keys/Kconfig as there are going to be a lot -of key-related options. - -Signed-off-by: David Howells <dhowells@redhat.com> ---- - security/Kconfig | 68 +--------------------------------------------- - security/keys/Kconfig | 71 +++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 72 insertions(+), 67 deletions(-) - create mode 100644 security/keys/Kconfig - -diff --git a/security/Kconfig b/security/Kconfig -index ccc61f8..e9c6ac7 100644 ---- a/security/Kconfig -+++ b/security/Kconfig -@@ -4,73 +4,7 @@ - - menu "Security options" - --config KEYS -- bool "Enable access key retention support" -- help -- This option provides support for retaining authentication tokens and -- access keys in the kernel. -- -- It also includes provision of methods by which such keys might be -- associated with a process so that network filesystems, encryption -- support and the like can find them. -- -- Furthermore, a special type of key is available that acts as keyring: -- a searchable sequence of keys. Each process is equipped with access -- to five standard keyrings: UID-specific, GID-specific, session, -- process and thread. -- -- If you are unsure as to whether this is required, answer N. -- --config TRUSTED_KEYS -- tristate "TRUSTED KEYS" -- depends on KEYS && TCG_TPM -- select CRYPTO -- select CRYPTO_HMAC -- select CRYPTO_SHA1 -- help -- This option provides support for creating, sealing, and unsealing -- keys in the kernel. Trusted keys are random number symmetric keys, -- generated and RSA-sealed by the TPM. The TPM only unseals the keys, -- if the boot PCRs and other criteria match. Userspace will only ever -- see encrypted blobs. -- -- If you are unsure as to whether this is required, answer N. -- --config ENCRYPTED_KEYS -- tristate "ENCRYPTED KEYS" -- depends on KEYS -- select CRYPTO -- select CRYPTO_HMAC -- select CRYPTO_AES -- select CRYPTO_CBC -- select CRYPTO_SHA256 -- select CRYPTO_RNG -- help -- This option provides support for create/encrypting/decrypting keys -- in the kernel. Encrypted keys are kernel generated random numbers, -- which are encrypted/decrypted with a 'master' symmetric key. The -- 'master' key can be either a trusted-key or user-key type. -- Userspace only ever sees/stores encrypted blobs. -- -- If you are unsure as to whether this is required, answer N. -- --config KEYS_DEBUG_PROC_KEYS -- bool "Enable the /proc/keys file by which keys may be viewed" -- depends on KEYS -- help -- This option turns on support for the /proc/keys file - through which -- can be listed all the keys on the system that are viewable by the -- reading process. -- -- The only keys included in the list are those that grant View -- permission to the reading process whether or not it possesses them. -- Note that LSM security checks are still performed, and may further -- filter out keys that the current process is not authorised to view. -- -- Only key attributes are listed here; key payloads are not included in -- the resulting table. -- -- If you are unsure as to whether this is required, answer N. -+source security/keys/Kconfig - - config SECURITY_DMESG_RESTRICT - bool "Restrict unprivileged access to the kernel syslog" -diff --git a/security/keys/Kconfig b/security/keys/Kconfig -new file mode 100644 -index 0000000..a90d6d3 ---- /dev/null -+++ b/security/keys/Kconfig -@@ -0,0 +1,71 @@ -+# -+# Key management configuration -+# -+ -+config KEYS -+ bool "Enable access key retention support" -+ help -+ This option provides support for retaining authentication tokens and -+ access keys in the kernel. -+ -+ It also includes provision of methods by which such keys might be -+ associated with a process so that network filesystems, encryption -+ support and the like can find them. -+ -+ Furthermore, a special type of key is available that acts as keyring: -+ a searchable sequence of keys. Each process is equipped with access -+ to five standard keyrings: UID-specific, GID-specific, session, -+ process and thread. -+ -+ If you are unsure as to whether this is required, answer N. -+ -+config TRUSTED_KEYS -+ tristate "TRUSTED KEYS" -+ depends on KEYS && TCG_TPM -+ select CRYPTO -+ select CRYPTO_HMAC -+ select CRYPTO_SHA1 -+ help -+ This option provides support for creating, sealing, and unsealing -+ keys in the kernel. Trusted keys are random number symmetric keys, -+ generated and RSA-sealed by the TPM. The TPM only unseals the keys, -+ if the boot PCRs and other criteria match. Userspace will only ever -+ see encrypted blobs. -+ -+ If you are unsure as to whether this is required, answer N. -+ -+config ENCRYPTED_KEYS -+ tristate "ENCRYPTED KEYS" -+ depends on KEYS -+ select CRYPTO -+ select CRYPTO_HMAC -+ select CRYPTO_AES -+ select CRYPTO_CBC -+ select CRYPTO_SHA256 -+ select CRYPTO_RNG -+ help -+ This option provides support for create/encrypting/decrypting keys -+ in the kernel. Encrypted keys are kernel generated random numbers, -+ which are encrypted/decrypted with a 'master' symmetric key. The -+ 'master' key can be either a trusted-key or user-key type. -+ Userspace only ever sees/stores encrypted blobs. -+ -+ If you are unsure as to whether this is required, answer N. -+ -+config KEYS_DEBUG_PROC_KEYS -+ bool "Enable the /proc/keys file by which keys may be viewed" -+ depends on KEYS -+ help -+ This option turns on support for the /proc/keys file - through which -+ can be listed all the keys on the system that are viewable by the -+ reading process. -+ -+ The only keys included in the list are those that grant View -+ permission to the reading process whether or not it possesses them. -+ Note that LSM security checks are still performed, and may further -+ filter out keys that the current process is not authorised to view. -+ -+ Only key attributes are listed here; key payloads are not included in -+ the resulting table. -+ -+ If you are unsure as to whether this is required, answer N. --- -1.7.10.2 - - -From 6569015cb5801f36324c76dee156a3e880fcf9be Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Fri, 4 May 2012 15:55:50 +0100 -Subject: [PATCH 03/36] KEYS: Announce key type (un)registration - -Announce the (un)registration of a key type in the core key code rather than -in the callers. - -Signed-off-by: David Howells <dhowells@redhat.com> ---- - net/dns_resolver/dns_key.c | 5 ----- - security/keys/key.c | 3 +++ - 2 files changed, 3 insertions(+), 5 deletions(-) - -diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c -index c73bba3..14b2c3d 100644 ---- a/net/dns_resolver/dns_key.c -+++ b/net/dns_resolver/dns_key.c -@@ -249,9 +249,6 @@ static int __init init_dns_resolver(void) - struct key *keyring; - int ret; - -- printk(KERN_NOTICE "Registering the %s key type\n", -- key_type_dns_resolver.name); -- - /* create an override credential set with a special thread keyring in - * which DNS requests are cached - * -@@ -301,8 +298,6 @@ static void __exit exit_dns_resolver(void) - key_revoke(dns_resolver_cache->thread_keyring); - unregister_key_type(&key_type_dns_resolver); - put_cred(dns_resolver_cache); -- printk(KERN_NOTICE "Unregistered %s key type\n", -- key_type_dns_resolver.name); - } - - module_init(init_dns_resolver) -diff --git a/security/keys/key.c b/security/keys/key.c -index 06783cf..dc62894 100644 ---- a/security/keys/key.c -+++ b/security/keys/key.c -@@ -980,6 +980,8 @@ int register_key_type(struct key_type *ktype) - - /* store the type */ - list_add(&ktype->link, &key_types_list); -+ -+ pr_notice("Key type %s registered\n", ktype->name); - ret = 0; - - out: -@@ -1002,6 +1004,7 @@ void unregister_key_type(struct key_type *ktype) - list_del_init(&ktype->link); - downgrade_write(&key_types_sem); - key_gc_keytype(ktype); -+ pr_notice("Key type %s unregistered\n", ktype->name); - up_read(&key_types_sem); - } - EXPORT_SYMBOL(unregister_key_type); --- -1.7.10.2 - - -From 13628af46a92a030fdb7dc33976b46cfcc4b3f31 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Fri, 4 May 2012 15:55:51 +0100 -Subject: [PATCH 04/36] KEYS: Reorganise keys Makefile - -Reorganise the keys directory Makefile to put all the core bits together and -the type-specific bits after. - -Signed-off-by: David Howells <dhowells@redhat.com> ---- - security/keys/Makefile | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/security/keys/Makefile b/security/keys/Makefile -index a56f1ff..504aaa0 100644 ---- a/security/keys/Makefile -+++ b/security/keys/Makefile -@@ -2,6 +2,9 @@ - # Makefile for key management - # - -+# -+# Core -+# - obj-y := \ - gc.o \ - key.o \ -@@ -12,9 +15,12 @@ obj-y := \ - request_key.o \ - request_key_auth.o \ - user_defined.o -- --obj-$(CONFIG_TRUSTED_KEYS) += trusted.o --obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/ - obj-$(CONFIG_KEYS_COMPAT) += compat.o - obj-$(CONFIG_PROC_FS) += proc.o - obj-$(CONFIG_SYSCTL) += sysctl.o -+ -+# -+# Key types -+# -+obj-$(CONFIG_TRUSTED_KEYS) += trusted.o -+obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/ --- -1.7.10.2 - - From 8c5366bc5c1c9ecaa1104d769f60c7b83ed342a9 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> Date: Fri, 4 May 2012 16:15:09 +0100 |