13 years ago · 9e3ff38647
--- a/Documentation/networking/dns_resolver.txt
+++ b/Documentation/networking/dns_resolver.txt
@@ -102,6 +102,10 @@ implemented in the module can be called after doing:
 
				      If _expiry is non-NULL, the expiry time (TTL) of the result will be
			
 
				      returned also.
			
 
				 
			
 
				+The kernel maintains an internal keyring in which it caches looked up keys.
			
 
				+This can be cleared by any process that has the CAP_SYS_ADMIN capability by
			
 
				+the use of KEYCTL_KEYRING_CLEAR on the keyring ID.
			
 
				+
			
 
				 
			
 
				 ===============================
			
 
				 READING DNS KEYS FROM USERSPACE
			
--- a/Documentation/security/keys.txt
+++ b/Documentation/security/keys.txt
@@ -554,6 +554,10 @@ The keyctl syscall functions are:
 
				      process must have write permission on the keyring, and it must be a
			
 
				      keyring (or else error ENOTDIR will result).
			
 
				 
			
 
				+     This function can also be used to clear special kernel keyrings if they
			
 
				+     are appropriately marked if the user has CAP_SYS_ADMIN capability.  The
			
 
				+     DNS resolver cache keyring is an example of this.
			
 
				+
			
 
				 
			
 
				  (*) Link a key into a keyring:
			
 
				 
			
--- a/drivers/char/tpm/Kconfig
+++ b/drivers/char/tpm/Kconfig
@@ -5,7 +5,6 @@
 
				 menuconfig TCG_TPM
			
 
				 	tristate "TPM Hardware Support"
			
 
				 	depends on HAS_IOMEM
			
 
				-	depends on EXPERIMENTAL
			
 
				 	select SECURITYFS
			
 
				 	---help---
			
 
				 	  If you have a TPM security chip in your system, which
			
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -556,6 +556,7 @@ init_cifs_idmap(void)
 
				 
			
 
				 	/* instruct request_key() to use this special keyring as a cache for
			
 
				 	 * the results it looks up */
			
 
				+	set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
			
 
				 	cred->thread_keyring = keyring;
			
 
				 	cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
			
 
				 	root_cred = cred;
			
--- a/fs/nfs/idmap.c
+++ b/fs/nfs/idmap.c
@@ -198,6 +198,7 @@ int nfs_idmap_init(void)
 
				 	if (ret < 0)
			
 
				 		goto failed_put_key;
			
 
				 
			
 
				+	set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
			
 
				 	cred->thread_keyring = keyring;
			
 
				 	cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
			
 
				 	id_resolver_cache = cred;
			
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -155,6 +155,7 @@ struct key {
 
				 #define KEY_FLAG_IN_QUOTA	3	/* set if key consumes quota */
			
 
				 #define KEY_FLAG_USER_CONSTRUCT	4	/* set if key is being constructed in userspace */
			
 
				 #define KEY_FLAG_NEGATIVE	5	/* set if key is negative */
			
 
				+#define KEY_FLAG_ROOT_CAN_CLEAR	6	/* set if key can be cleared by root without permission */
			
 
				 
			
 
				 	/* the description string
			
 
				 	 * - this is used to match a key against search criteria
			
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -281,6 +281,7 @@ static int __init init_dns_resolver(void)
 
				 
			
 
				 	/* instruct request_key() to use this special keyring as a cache for
			
 
				 	 * the results it looks up */
			
 
				+	set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
			
 
				 	cred->thread_keyring = keyring;
			
 
				 	cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
			
 
				 	dns_resolver_cache = cred;
			
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -9,7 +9,7 @@ config IMA
 
				 	select CRYPTO_HMAC
			
 
				 	select CRYPTO_MD5
			
 
				 	select CRYPTO_SHA1
			
 
				-	select TCG_TPM if !S390 && !UML
			
 
				+	select TCG_TPM if HAS_IOMEM && !UML
			
 
				 	select TCG_TIS if TCG_TPM
			
 
				 	help
			
 
				 	  The Trusted Computing Group(TCG) runtime Integrity
			
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -62,6 +62,7 @@ static struct ima_measure_rule_entry default_rules[] = {
 
				 	{.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
			
 
				 	{.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
			
 
				 	{.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
			
 
				+	{.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
			
 
				 	{.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
			
 
				 	{.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
			
 
				 	{.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
			
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -388,11 +388,24 @@ long keyctl_keyring_clear(key_serial_t ringid)
 
				 	keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
			
 
				 	if (IS_ERR(keyring_ref)) {
			
 
				 		ret = PTR_ERR(keyring_ref);
			
 
				+
			
 
				+		/* Root is permitted to invalidate certain special keyrings */
			
 
				+		if (capable(CAP_SYS_ADMIN)) {
			
 
				+			keyring_ref = lookup_user_key(ringid, 0, 0);
			
 
				+			if (IS_ERR(keyring_ref))
			
 
				+				goto error;
			
 
				+			if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,
			
 
				+				     &key_ref_to_ptr(keyring_ref)->flags))
			
 
				+				goto clear;
			
 
				+			goto error_put;
			
 
				+		}
			
 
				+
			
 
				 		goto error;
			
 
				 	}
			
 
				 
			
 
				+clear:
			
 
				 	ret = keyring_clear(key_ref_to_ptr(keyring_ref));
			
 
				-
			
 
				+error_put:
			
 
				 	key_ref_put(keyring_ref);
			
 
				 error:
			
 
				 	return ret;