Linux v3.11-9411-gc2d9572
parent
5f27adc0d3
commit
356f0cab41
@ -329,6 +329,7 @@ CONFIG_BLK_DEV_BSG=y
|
|||||||
CONFIG_BLK_DEV_BSGLIB=y
|
CONFIG_BLK_DEV_BSGLIB=y
|
||||||
CONFIG_BLK_DEV_INTEGRITY=y
|
CONFIG_BLK_DEV_INTEGRITY=y
|
||||||
CONFIG_BLK_DEV_THROTTLING=y
|
CONFIG_BLK_DEV_THROTTLING=y
|
||||||
|
# CONFIG_CMDLINE_PARSER is not set
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1333,7 +1334,7 @@ CONFIG_IXGBE_DCA=y
|
|||||||
CONFIG_IXGBE_DCB=y
|
CONFIG_IXGBE_DCB=y
|
||||||
CONFIG_IXGBE_HWMON=y
|
CONFIG_IXGBE_HWMON=y
|
||||||
CONFIG_IXGBE_PTP=y
|
CONFIG_IXGBE_PTP=y
|
||||||
|
CONFIG_I40E=m
|
||||||
|
|
||||||
# CONFIG_NET_VENDOR_I825XX is not set
|
# CONFIG_NET_VENDOR_I825XX is not set
|
||||||
CONFIG_NET_VENDOR_MARVELL=y
|
CONFIG_NET_VENDOR_MARVELL=y
|
||||||
@ -2611,6 +2612,7 @@ CONFIG_RTC_DRV_PCF50633=m
|
|||||||
CONFIG_RTC_DRV_DS3232=m
|
CONFIG_RTC_DRV_DS3232=m
|
||||||
CONFIG_RTC_DRV_ISL12022=m
|
CONFIG_RTC_DRV_ISL12022=m
|
||||||
# CONFIG_RTC_DRV_HID_SENSOR_TIME is not set
|
# CONFIG_RTC_DRV_HID_SENSOR_TIME is not set
|
||||||
|
# CONFIG_RTC_DRV_MOXART is not set
|
||||||
|
|
||||||
CONFIG_R3964=m
|
CONFIG_R3964=m
|
||||||
# CONFIG_APPLICOM is not set
|
# CONFIG_APPLICOM is not set
|
||||||
@ -3831,6 +3833,7 @@ CONFIG_ECRYPT_FS=m
|
|||||||
# CONFIG_ECRYPT_FS_MESSAGING is not set
|
# CONFIG_ECRYPT_FS_MESSAGING is not set
|
||||||
CONFIG_HFS_FS=m
|
CONFIG_HFS_FS=m
|
||||||
CONFIG_HFSPLUS_FS=m
|
CONFIG_HFSPLUS_FS=m
|
||||||
|
# CONFIG_HFSPLUS_FS_POSIX_ACL is not set
|
||||||
CONFIG_BEFS_FS=m
|
CONFIG_BEFS_FS=m
|
||||||
# CONFIG_BEFS_DEBUG is not set
|
# CONFIG_BEFS_DEBUG is not set
|
||||||
# CONFIG_BFS_FS is not set
|
# CONFIG_BFS_FS is not set
|
||||||
@ -3969,6 +3972,7 @@ CONFIG_SUN_PARTITION=y
|
|||||||
# CONFIG_SYSV68_PARTITION is not set
|
# CONFIG_SYSV68_PARTITION is not set
|
||||||
CONFIG_UNIXWARE_DISKLABEL=y
|
CONFIG_UNIXWARE_DISKLABEL=y
|
||||||
# CONFIG_ULTRIX_PARTITION is not set
|
# CONFIG_ULTRIX_PARTITION is not set
|
||||||
|
# CONFIG_CMDLINE_PARTITION is not set
|
||||||
|
|
||||||
CONFIG_NLS=y
|
CONFIG_NLS=y
|
||||||
|
|
||||||
@ -4577,6 +4581,7 @@ CONFIG_MEMSTICK=m
|
|||||||
# CONFIG_MEMSTICK_DEBUG is not set
|
# CONFIG_MEMSTICK_DEBUG is not set
|
||||||
# CONFIG_MEMSTICK_UNSAFE_RESUME is not set
|
# CONFIG_MEMSTICK_UNSAFE_RESUME is not set
|
||||||
CONFIG_MSPRO_BLOCK=m
|
CONFIG_MSPRO_BLOCK=m
|
||||||
|
# CONFIG_MS_BLOCK is not set
|
||||||
CONFIG_MEMSTICK_TIFM_MS=m
|
CONFIG_MEMSTICK_TIFM_MS=m
|
||||||
CONFIG_MEMSTICK_JMICRON_38X=m
|
CONFIG_MEMSTICK_JMICRON_38X=m
|
||||||
CONFIG_MEMSTICK_R592=m
|
CONFIG_MEMSTICK_R592=m
|
||||||
|
@ -1,76 +0,0 @@
|
|||||||
Allow threads other than the main thread to do introspection of files in
|
|
||||||
proc without relying on read permissions. proc_pid_follow_link() calls
|
|
||||||
proc_fd_access_allowed() which ultimately calls __ptrace_may_access().
|
|
||||||
|
|
||||||
Though this allows additional access to some proc files, we do not
|
|
||||||
believe that this has any unintended security implications. However it
|
|
||||||
probably needs to be looked at carefully.
|
|
||||||
|
|
||||||
The original problem was a thread of a process whose permissions were
|
|
||||||
111 couldn't open its own /proc/self/exe This was interfering with a
|
|
||||||
special purpose debugging tool. A simple reproducer is below.:
|
|
||||||
|
|
||||||
#include <pthread.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <errno.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <sys/types.h>
|
|
||||||
|
|
||||||
#define BUFSIZE 2048
|
|
||||||
|
|
||||||
void *thread_main(void *arg){
|
|
||||||
char *str=(char*)arg;
|
|
||||||
char buf[BUFSIZE];
|
|
||||||
ssize_t len=readlink("/proc/self/exe", buf, BUFSIZE);
|
|
||||||
if(len==-1)
|
|
||||||
printf("/proc/self/exe in %s: %s\n", str,sys_errlist[errno]);
|
|
||||||
else
|
|
||||||
printf("/proc/self/exe in %s: OK\n", str);
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
int main(){
|
|
||||||
pthread_t thread;
|
|
||||||
|
|
||||||
int retval=pthread_create( &thread, NULL, thread_main, "thread");
|
|
||||||
if(retval!=0)
|
|
||||||
exit(1);
|
|
||||||
|
|
||||||
thread_main("main");
|
|
||||||
pthread_join(thread, NULL);
|
|
||||||
|
|
||||||
exit(0);
|
|
||||||
}
|
|
||||||
|
|
||||||
Signed-off-by: Ben Woodard <woodard@redhat.com>
|
|
||||||
Signed-off-by: Mark Grondona <mgrondona@llnl.gov>
|
|
||||||
---
|
|
||||||
kernel/ptrace.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
|
|
||||||
index acbd284..347c4c7 100644
|
|
||||||
--- a/kernel/ptrace.c
|
|
||||||
+++ b/kernel/ptrace.c
|
|
||||||
diff -ruNp linux-3.8.4-103.fc17.noarch/kernel/ptrace.c linux-3.8.4-103.fc17.ptrace/kernel/ptrace.c
|
|
||||||
--- linux-3.8.4-103.fc17.noarch/kernel/ptrace.c 2013-02-18 17:58:34.000000000 -0600
|
|
||||||
+++ linux-3.8.4-103.fc17.ptrace/kernel/ptrace.c 2013-03-26 14:59:01.939396346 -0500
|
|
||||||
@@ -234,7 +234,7 @@ static int __ptrace_may_access(struct ta
|
|
||||||
*/
|
|
||||||
int dumpable = 0;
|
|
||||||
/* Don't let security modules deny introspection */
|
|
||||||
- if (task == current)
|
|
||||||
+ if (same_thread_group(task, current))
|
|
||||||
return 0;
|
|
||||||
rcu_read_lock();
|
|
||||||
tcred = __task_cred(task);
|
|
||||||
--
|
|
||||||
1.8.1.4
|
|
||||||
|
|
||||||
--
|
|
||||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
|
||||||
the body of a message to majordomo@vger.kernel.org
|
|
||||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
|
||||||
Please read the FAQ at http://www.tux.org/lkml/
|
|
11
kernel.spec
11
kernel.spec
@ -95,7 +95,7 @@ Summary: The Linux kernel
|
|||||||
# The rc snapshot level
|
# The rc snapshot level
|
||||||
%define rcrev 0
|
%define rcrev 0
|
||||||
# The git snapshot level
|
# The git snapshot level
|
||||||
%define gitrev 20
|
%define gitrev 21
|
||||||
# Set rpm version accordingly
|
# Set rpm version accordingly
|
||||||
%define rpmversion 3.%{upstream_sublevel}.0
|
%define rpmversion 3.%{upstream_sublevel}.0
|
||||||
%endif
|
%endif
|
||||||
@ -749,9 +749,6 @@ Patch22000: weird-root-dentry-name-debug.patch
|
|||||||
#selinux ptrace child permissions
|
#selinux ptrace child permissions
|
||||||
Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
|
Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
|
||||||
|
|
||||||
#rhbz 927469
|
|
||||||
Patch23006: fix-child-thread-introspection.patch
|
|
||||||
|
|
||||||
#CVE-2013-2147 rhbz 971242 971249
|
#CVE-2013-2147 rhbz 971242 971249
|
||||||
Patch25032: cve-2013-2147-ciss-info-leak.patch
|
Patch25032: cve-2013-2147-ciss-info-leak.patch
|
||||||
|
|
||||||
@ -1476,9 +1473,6 @@ ApplyPatch criu-no-expert.patch
|
|||||||
#rhbz 892811
|
#rhbz 892811
|
||||||
ApplyPatch ath9k_rx_dma_stop_check.patch
|
ApplyPatch ath9k_rx_dma_stop_check.patch
|
||||||
|
|
||||||
#rhbz 927469
|
|
||||||
ApplyPatch fix-child-thread-introspection.patch
|
|
||||||
|
|
||||||
#CVE-2013-2147 rhbz 971242 971249
|
#CVE-2013-2147 rhbz 971242 971249
|
||||||
ApplyPatch cve-2013-2147-ciss-info-leak.patch
|
ApplyPatch cve-2013-2147-ciss-info-leak.patch
|
||||||
|
|
||||||
@ -2295,6 +2289,9 @@ fi
|
|||||||
# ||----w |
|
# ||----w |
|
||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Sep 12 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.12.0-0.rc0.git21.1
|
||||||
|
- Linux v3.11-9411-gc2d9572
|
||||||
|
|
||||||
* Wed Sep 11 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.12.0-0.rc0.git20.1
|
* Wed Sep 11 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.12.0-0.rc0.git20.1
|
||||||
- Linux v3.11-9031-ga22a0fd
|
- Linux v3.11-9031-ga22a0fd
|
||||||
|
|
||||||
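Review bot: The new %changelog entry records only the rebase (`- Linux v3.11-9411-gc2d9572`) and does not mention that `Patch23006: fix-child-thread-introspection.patch` and its `ApplyPatch` line are dropped in this same section. That patch widened the early `return 0` in `__ptrace_may_access()` from `task == current` to `same_thread_group(task, current)`, and its own description says the change "probably needs to be looked at carefully", so anyone auditing /proc and ptrace access checks needs to know whether the behaviour is still present after this build. If the patch is removed because the new snapshot already carries the change (not visible on this page), a line such as `- Drop fix-child-thread-introspection.patch, now upstream (rhbz 927469)` would record that. If it is not upstream, rhbz 927469 comes back and the removal needs its own justification.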
|
@ -1,7 +1,7 @@
|
|||||||
From abaac4978b6719e7ae12babb6be5e35184b61cde Mon Sep 17 00:00:00 2001
|
From 7712dc43315febf4bce07a4c549787cf5c60a428 Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 16:07:13 +0100
|
Date: Fri, 30 Aug 2013 16:07:13 +0100
|
||||||
Subject: [PATCH 01/14] KEYS: Load *.x509 files into kernel keyring
|
Subject: [PATCH 01/13] KEYS: Load *.x509 files into kernel keyring
|
||||||
|
|
||||||
Load all the files matching the pattern "*.x509" that are to be found in kernel
|
Load all the files matching the pattern "*.x509" that are to be found in kernel
|
||||||
base source dir and base build dir into the module signing keyring.
|
base source dir and base build dir into the module signing keyring.
|
||||||
@ -15,10 +15,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
|||||||
2 files changed, 30 insertions(+), 8 deletions(-)
|
2 files changed, 30 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
diff --git a/kernel/Makefile b/kernel/Makefile
|
diff --git a/kernel/Makefile b/kernel/Makefile
|
||||||
index 470839d..4a2ee4e 100644
|
index 35ef118..ab231ac 100644
|
||||||
--- a/kernel/Makefile
|
--- a/kernel/Makefile
|
||||||
+++ b/kernel/Makefile
|
+++ b/kernel/Makefile
|
||||||
@@ -141,17 +141,40 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
|
@@ -142,17 +142,40 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
|
||||||
$(call if_changed,bc)
|
$(call if_changed,bc)
|
||||||
|
|
||||||
ifeq ($(CONFIG_MODULE_SIG),y)
|
ifeq ($(CONFIG_MODULE_SIG),y)
|
||||||
@ -81,11 +81,10 @@ index 4a9a86d..6fe03c7 100644
|
|||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
|
||||||
|
From d1bf7ed78a52477636cdcb5a1bff5b19352472f5 Mon Sep 17 00:00:00 2001
|
||||||
From 2d6ac2896c3b4b48be96b7dbdfda1668609e35aa Mon Sep 17 00:00:00 2001
|
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 16:07:30 +0100
|
Date: Fri, 30 Aug 2013 16:07:30 +0100
|
||||||
Subject: [PATCH 03/14] KEYS: Separate the kernel signature checking keyring
|
Subject: [PATCH 02/13] KEYS: Separate the kernel signature checking keyring
|
||||||
from module signing
|
from module signing
|
||||||
|
|
||||||
Separate the kernel signature checking keyring from module signing so that it
|
Separate the kernel signature checking keyring from module signing so that it
|
||||||
@ -139,10 +138,10 @@ index 0000000..8dabc39
|
|||||||
+
|
+
|
||||||
+#endif /* _KEYS_SYSTEM_KEYRING_H */
|
+#endif /* _KEYS_SYSTEM_KEYRING_H */
|
||||||
diff --git a/init/Kconfig b/init/Kconfig
|
diff --git a/init/Kconfig b/init/Kconfig
|
||||||
index 247084b..6abf0e0 100644
|
index 18bd9e3..cf14d07 100644
|
||||||
--- a/init/Kconfig
|
--- a/init/Kconfig
|
||||||
+++ b/init/Kconfig
|
+++ b/init/Kconfig
|
||||||
@@ -1664,6 +1664,18 @@ config BASE_SMALL
|
@@ -1668,6 +1668,18 @@ config BASE_SMALL
|
||||||
default 0 if BASE_FULL
|
default 0 if BASE_FULL
|
||||||
default 1 if !BASE_FULL
|
default 1 if !BASE_FULL
|
||||||
|
|
||||||
@ -160,8 +159,8 @@ index 247084b..6abf0e0 100644
|
|||||||
+
|
+
|
||||||
menuconfig MODULES
|
menuconfig MODULES
|
||||||
bool "Enable loadable module support"
|
bool "Enable loadable module support"
|
||||||
help
|
option modules
|
||||||
@@ -1736,6 +1748,7 @@ config MODULE_SRCVERSION_ALL
|
@@ -1741,6 +1753,7 @@ config MODULE_SRCVERSION_ALL
|
||||||
config MODULE_SIG
|
config MODULE_SIG
|
||||||
bool "Module signature verification"
|
bool "Module signature verification"
|
||||||
depends on MODULES
|
depends on MODULES
|
||||||
@ -170,10 +169,10 @@ index 247084b..6abf0e0 100644
|
|||||||
select CRYPTO
|
select CRYPTO
|
||||||
select ASYMMETRIC_KEY_TYPE
|
select ASYMMETRIC_KEY_TYPE
|
||||||
diff --git a/kernel/Makefile b/kernel/Makefile
|
diff --git a/kernel/Makefile b/kernel/Makefile
|
||||||
index 7bd1565..68f7182 100644
|
index ab231ac..1262c6d 100644
|
||||||
--- a/kernel/Makefile
|
--- a/kernel/Makefile
|
||||||
+++ b/kernel/Makefile
|
+++ b/kernel/Makefile
|
||||||
@@ -52,8 +52,9 @@ obj-$(CONFIG_SMP) += spinlock.o
|
@@ -53,8 +53,9 @@ obj-$(CONFIG_SMP) += spinlock.o
|
||||||
obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o
|
obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o
|
||||||
obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
|
obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
|
||||||
obj-$(CONFIG_UID16) += uid16.o
|
obj-$(CONFIG_UID16) += uid16.o
|
||||||
@ -184,7 +183,7 @@ index 7bd1565..68f7182 100644
|
|||||||
obj-$(CONFIG_KALLSYMS) += kallsyms.o
|
obj-$(CONFIG_KALLSYMS) += kallsyms.o
|
||||||
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
|
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
|
||||||
obj-$(CONFIG_KEXEC) += kexec.o
|
obj-$(CONFIG_KEXEC) += kexec.o
|
||||||
@@ -140,13 +141,14 @@ targets += timeconst.h
|
@@ -141,13 +142,14 @@ targets += timeconst.h
|
||||||
$(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
|
$(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
|
||||||
$(call if_changed,bc)
|
$(call if_changed,bc)
|
||||||
|
|
||||||
@ -201,8 +200,8 @@ index 7bd1565..68f7182 100644
|
|||||||
+ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
|
+ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
|
||||||
X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
|
X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
|
||||||
X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
|
X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
|
||||||
X509_CERTIFICATES := $(sort $(realpath $(X509_CERTIFICATES-y)))
|
X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))
|
||||||
@@ -162,10 +164,11 @@ $(shell rm $(obj)/.x509.list)
|
@@ -163,10 +165,11 @@ $(shell rm $(obj)/.x509.list)
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
@ -216,7 +215,7 @@ index 7bd1565..68f7182 100644
|
|||||||
targets += $(obj)/x509_certificate_list
|
targets += $(obj)/x509_certificate_list
|
||||||
$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
|
$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
|
||||||
$(call if_changed,x509certs)
|
$(call if_changed,x509certs)
|
||||||
@@ -175,7 +178,9 @@ $(obj)/.x509.list:
|
@@ -176,7 +179,9 @@ $(obj)/.x509.list:
|
||||||
@echo $(X509_CERTIFICATES) >$@
|
@echo $(X509_CERTIFICATES) >$@
|
||||||
|
|
||||||
clean-files := x509_certificate_list .x509.list
|
clean-files := x509_certificate_list .x509.list
|
||||||
@ -245,7 +244,7 @@ index 6fe03c7..0000000
|
|||||||
-GLOBAL(modsign_certificate_list_end)
|
-GLOBAL(modsign_certificate_list_end)
|
||||||
diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
|
diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
|
||||||
deleted file mode 100644
|
deleted file mode 100644
|
||||||
index 2b6e699..0000000
|
index 7cbd450..0000000
|
||||||
--- a/kernel/modsign_pubkey.c
|
--- a/kernel/modsign_pubkey.c
|
||||||
+++ /dev/null
|
+++ /dev/null
|
||||||
@@ -1,104 +0,0 @@
|
@@ -1,104 +0,0 @@
|
||||||
@ -269,14 +268,14 @@ index 2b6e699..0000000
|
|||||||
-
|
-
|
||||||
-struct key *modsign_keyring;
|
-struct key *modsign_keyring;
|
||||||
-
|
-
|
||||||
-extern __initdata const u8 modsign_certificate_list[];
|
-extern __initconst const u8 modsign_certificate_list[];
|
||||||
-extern __initdata const u8 modsign_certificate_list_end[];
|
-extern __initconst const u8 modsign_certificate_list_end[];
|
||||||
-
|
-
|
||||||
-/*
|
-/*
|
||||||
- * We need to make sure ccache doesn't cache the .o file as it doesn't notice
|
- * We need to make sure ccache doesn't cache the .o file as it doesn't notice
|
||||||
- * if modsign.pub changes.
|
- * if modsign.pub changes.
|
||||||
- */
|
- */
|
||||||
-static __initdata const char annoy_ccache[] = __TIME__ "foo";
|
-static __initconst const char annoy_ccache[] = __TIME__ "foo";
|
||||||
-
|
-
|
||||||
-/*
|
-/*
|
||||||
- * Load the compiled-in keys
|
- * Load the compiled-in keys
|
||||||
@ -404,7 +403,7 @@ index 0000000..5cffe86
|
|||||||
+GLOBAL(system_certificate_list_end)
|
+GLOBAL(system_certificate_list_end)
|
||||||
diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
|
diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..cd5cd3f
|
index 0000000..51c3514
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/kernel/system_keyring.c
|
+++ b/kernel/system_keyring.c
|
||||||
@@ -0,0 +1,103 @@
|
@@ -0,0 +1,103 @@
|
||||||
@ -431,8 +430,8 @@ index 0000000..cd5cd3f
|
|||||||
+struct key *system_trusted_keyring;
|
+struct key *system_trusted_keyring;
|
||||||
+EXPORT_SYMBOL_GPL(system_trusted_keyring);
|
+EXPORT_SYMBOL_GPL(system_trusted_keyring);
|
||||||
+
|
+
|
||||||
+extern __initdata const u8 system_certificate_list[];
|
+extern __initconst const u8 system_certificate_list[];
|
||||||
+extern __initdata const u8 system_certificate_list_end[];
|
+extern __initconst const u8 system_certificate_list_end[];
|
||||||
+
|
+
|
||||||
+/*
|
+/*
|
||||||
+ * Load the compiled-in keys
|
+ * Load the compiled-in keys
|
||||||
@ -515,10 +514,10 @@ index 0000000..cd5cd3f
|
|||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
|
||||||
From 6f90d07a776d7babf30a3322dafd66c8c25db681 Mon Sep 17 00:00:00 2001
|
From 209cfd7eda86173415d394a9ff868345197d7b3d Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 16:07:37 +0100
|
Date: Fri, 30 Aug 2013 16:07:37 +0100
|
||||||
Subject: [PATCH 04/14] KEYS: Add a 'trusted' flag and a 'trusted only' flag
|
Subject: [PATCH 03/13] KEYS: Add a 'trusted' flag and a 'trusted only' flag
|
||||||
|
|
||||||
Add KEY_FLAG_TRUSTED to indicate that a key either comes from a trusted source
|
Add KEY_FLAG_TRUSTED to indicate that a key either comes from a trusted source
|
||||||
or had a cryptographic signature chain that led back to a trusted key the
|
or had a cryptographic signature chain that led back to a trusted key the
|
||||||
@ -571,7 +570,7 @@ index 010dbb6..80d6774 100644
|
|||||||
extern void key_revoke(struct key *key);
|
extern void key_revoke(struct key *key);
|
||||||
extern void key_invalidate(struct key *key);
|
extern void key_invalidate(struct key *key);
|
||||||
diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
|
diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
|
||||||
index cd5cd3f..4ca7072 100644
|
index 51c3514..5296721 100644
|
||||||
--- a/kernel/system_keyring.c
|
--- a/kernel/system_keyring.c
|
||||||
+++ b/kernel/system_keyring.c
|
+++ b/kernel/system_keyring.c
|
||||||
@@ -40,6 +40,7 @@ static __init int system_trusted_keyring_init(void)
|
@@ -40,6 +40,7 @@ static __init int system_trusted_keyring_init(void)
|
||||||
@ -644,10 +643,10 @@ index f7cdea2..9b6f6e0 100644
|
|||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
|
||||||
From 559cc3ad765e1b443bc89965be9ef9ff3caabdcc Mon Sep 17 00:00:00 2001
|
From 6549cbca91abf561df8f501c763a8e7822936294 Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 16:15:10 +0100
|
Date: Fri, 30 Aug 2013 16:15:10 +0100
|
||||||
Subject: [PATCH 05/14] KEYS: Rename public key parameter name arrays
|
Subject: [PATCH 04/13] KEYS: Rename public key parameter name arrays
|
||||||
|
|
||||||
Rename the arrays of public key parameters (public key algorithm names, hash
|
Rename the arrays of public key parameters (public key algorithm names, hash
|
||||||
algorithm names and ID type names) so that the array name ends in "_name".
|
algorithm names and ID type names) so that the array name ends in "_name".
|
||||||
@ -799,10 +798,10 @@ index 0034e36..0b6b870 100644
|
|||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
|
||||||
From a0aab2065bbdd0bc56ae6d7767e1df7c58b8997f Mon Sep 17 00:00:00 2001
|
From b2c8f8924f17c25209d8fe55f74b9d5830ad191c Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 16:15:18 +0100
|
Date: Fri, 30 Aug 2013 16:15:18 +0100
|
||||||
Subject: [PATCH 06/14] KEYS: Move the algorithm pointer array from x509 to
|
Subject: [PATCH 05/13] KEYS: Move the algorithm pointer array from x509 to
|
||||||
public_key.c
|
public_key.c
|
||||||
|
|
||||||
Move the public-key algorithm pointer array from x509_public_key.c to
|
Move the public-key algorithm pointer array from x509_public_key.c to
|
||||||
@ -881,10 +880,10 @@ index 619d570..46bde25 100644
|
|||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
|
||||||
From 7009b65ddc1d8bf62dc017795265b9cf331a4d70 Mon Sep 17 00:00:00 2001
|
From 760486c4376aab8cd8ce9c7d2ad67a19d713b119 Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 16:15:24 +0100
|
Date: Fri, 30 Aug 2013 16:15:24 +0100
|
||||||
Subject: [PATCH 07/14] KEYS: Store public key algo ID in public_key struct
|
Subject: [PATCH 06/13] KEYS: Store public key algo ID in public_key struct
|
||||||
|
|
||||||
Store public key algo ID in public_key struct for reference purposes. This
|
Store public key algo ID in public_key struct for reference purposes. This
|
||||||
allows it to be removed from the x509_certificate struct and used to find a
|
allows it to be removed from the x509_certificate struct and used to find a
|
||||||
@ -966,10 +965,10 @@ index 46bde25..05778df 100644
|
|||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
|
||||||
From cad6ff6b429f31611ccb231cfe6adcb69d891352 Mon Sep 17 00:00:00 2001
|
From 37688af0338d8c521ffefce187b03a5fbaefa423 Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 16:15:30 +0100
|
Date: Fri, 30 Aug 2013 16:15:30 +0100
|
||||||
Subject: [PATCH 08/14] KEYS: Split public_key_verify_signature() and make
|
Subject: [PATCH 07/13] KEYS: Split public_key_verify_signature() and make
|
||||||
available
|
available
|
||||||
|
|
||||||
Modify public_key_verify_signature() so that it now takes a public_key struct
|
Modify public_key_verify_signature() so that it now takes a public_key struct
|
||||||
@ -1082,10 +1081,10 @@ index fac574c..8cb2f70 100644
|
|||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
|
||||||
From 87854340605a64fcc54109ea415d9e54c45e8533 Mon Sep 17 00:00:00 2001
|
From 49763042e968f7342711ecf28e9465f6d77c0ddd Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 16:15:37 +0100
|
Date: Fri, 30 Aug 2013 16:15:37 +0100
|
||||||
Subject: [PATCH 09/14] KEYS: Store public key algo ID in public_key_signature
|
Subject: [PATCH 08/13] KEYS: Store public key algo ID in public_key_signature
|
||||||
struct
|
struct
|
||||||
|
|
||||||
Store public key algorithm ID in public_key_signature struct for reference
|
Store public key algorithm ID in public_key_signature struct for reference
|
||||||
@ -1115,10 +1114,10 @@ index 05778df..b34fda4 100644
|
|||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
|
||||||
From ae4684a05d87123de310b69c616922dc993694ca Mon Sep 17 00:00:00 2001
|
From d759ad5c13364bc7dcd6dd66d1a63f29f3432f72 Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 16:16:34 +0100
|
Date: Fri, 30 Aug 2013 16:16:34 +0100
|
||||||
Subject: [PATCH 10/14] X.509: struct x509_certificate needs struct tm
|
Subject: [PATCH 09/13] X.509: struct x509_certificate needs struct tm
|
||||||
declaring
|
declaring
|
||||||
|
|
||||||
struct x509_certificate needs struct tm declaring by #inclusion of linux/time.h
|
struct x509_certificate needs struct tm declaring by #inclusion of linux/time.h
|
||||||
@ -1147,10 +1146,10 @@ index e583ad0..2d01182 100644
|
|||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
|
||||||
From dacde6f44ebe5a5c89bd1a25b35b1b63c139b375 Mon Sep 17 00:00:00 2001
|
From 779ecd05627f895cfd6970dcfbd3ed35092f7510 Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 16:18:02 +0100
|
Date: Fri, 30 Aug 2013 16:18:02 +0100
|
||||||
Subject: [PATCH 11/14] X.509: Embed public_key_signature struct and create
|
Subject: [PATCH 10/13] X.509: Embed public_key_signature struct and create
|
||||||
filler function
|
filler function
|
||||||
|
|
||||||
Embed a public_key_signature struct in struct x509_certificate, eliminating
|
Embed a public_key_signature struct in struct x509_certificate, eliminating
|
||||||
@ -1410,10 +1409,10 @@ index 8cb2f70..b7c81d8 100644
|
|||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
|
||||||
From 650fdcb141f65f3a03dc7eba1179c823fd1a3a54 Mon Sep 17 00:00:00 2001
|
From 81dc804bab8ac3703f237e74464054fae71c429e Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 16:18:15 +0100
|
Date: Fri, 30 Aug 2013 16:18:15 +0100
|
||||||
Subject: [PATCH 12/14] X.509: Check the algorithm IDs obtained from parsing an
|
Subject: [PATCH 11/13] X.509: Check the algorithm IDs obtained from parsing an
|
||||||
X.509 certificate
|
X.509 certificate
|
||||||
|
|
||||||
Check that the algorithm IDs obtained from the ASN.1 parse by OID lookup
|
Check that the algorithm IDs obtained from the ASN.1 parse by OID lookup
|
||||||
@ -1451,10 +1450,10 @@ index b7c81d8..eb368d4 100644
|
|||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
|
||||||
From 8671bdd55802c4b93b9205b6ecd02c7e351ac5c5 Mon Sep 17 00:00:00 2001
|
From 9d3c831f1409174fcda6a21ede05f3a3155b1671 Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 30 Aug 2013 16:18:31 +0100
|
Date: Fri, 30 Aug 2013 16:18:31 +0100
|
||||||
Subject: [PATCH 13/14] X.509: Handle certificates that lack an
|
Subject: [PATCH 12/13] X.509: Handle certificates that lack an
|
||||||
authorityKeyIdentifier field
|
authorityKeyIdentifier field
|
||||||
|
|
||||||
Handle certificates that lack an authorityKeyIdentifier field by assuming
|
Handle certificates that lack an authorityKeyIdentifier field by assuming
|
||||||
@ -1498,10 +1497,10 @@ index eb368d4..0f55e3b 100644
|
|||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
|
||||||
From e2d665556f4b60ce76e880a62f98c81622271e71 Mon Sep 17 00:00:00 2001
|
From 1a62a422d6b6e084ba88062d1d1f33e6a92dc35c Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Tue, 18 Jun 2013 17:40:44 +0100
|
Date: Tue, 18 Jun 2013 17:40:44 +0100
|
||||||
Subject: [PATCH 14/14] X.509: Remove certificate date checks
|
Subject: [PATCH 13/13] X.509: Remove certificate date checks
|
||||||
|
|
||||||
Remove the certificate date checks that are performed when a certificate is
|
Remove the certificate date checks that are performed when a certificate is
|
||||||
parsed. There are two checks: a valid from and a valid to. The first check is
|
parsed. There are two checks: a valid from and a valid to. The first check is
|
||||||
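Review bot: In the kernel/Makefile context of patch 02/13, `X509_CERTIFICATES := $(sort $(realpath $(X509_CERTIFICATES-y)))` has become `X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))`. `$(sort)` drops only textually identical words, and the line above it gathers both `$(wildcard *.x509)` and `$(wildcard $(srctree)/*.x509)`, so without `realpath` the same certificate file reached through two path spellings can be listed twice as a prerequisite of `$(obj)/x509_certificate_list`. The hunk of patch 01/13 that introduces this line is not shown on this page, so this is inferred from the changed context only. It is worth confirming that the refreshed series still canonicalises the paths before the certificates are built into the keyring, or stating in the patch header why that is no longer needed.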
|
@ -321,8 +321,8 @@ index 4ca7072..b19cc6e 100644
|
|||||||
+struct key *system_blacklist_keyring;
|
+struct key *system_blacklist_keyring;
|
||||||
+#endif
|
+#endif
|
||||||
|
|
||||||
extern __initdata const u8 system_certificate_list[];
|
extern __initconst const u8 system_certificate_list[];
|
||||||
extern __initdata const u8 system_certificate_list_end[];
|
extern __initconst const u8 system_certificate_list_end[];
|
||||||
@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
|
@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
|
||||||
panic("Can't allocate system trusted keyring\n");
|
panic("Can't allocate system trusted keyring\n");
|
||||||
|
|
||||||
|