diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt index 821c936e1a63..c9e7f4f223a5 100644 --- a/Documentation/security/keys.txt +++ b/Documentation/security/keys.txt @@ -323,8 +323,6 @@ about the status of the key service: U Under construction by callback to userspace N Negative key - This file must be enabled at kernel configuration time as it allows anyone - to list the keys database. (*) /proc/key-users diff --git a/kernel/Makefile b/kernel/Makefile index a59481a3fa6c..23e17a7e7a63 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -142,7 +142,7 @@ endif kernel/system_certificates.o: $(obj)/x509_certificate_list quiet_cmd_x509certs = CERTS $@ - cmd_x509certs = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; echo " - Including cert $(X509)") + cmd_x509certs = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; $(kecho) " - Including cert $(X509)") targets += $(obj)/x509_certificate_list $(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list diff --git a/scripts/asn1_compiler.c b/scripts/asn1_compiler.c index 91c4117637ae..7750e9c31483 100644 --- a/scripts/asn1_compiler.c +++ b/scripts/asn1_compiler.c @@ -311,6 +311,9 @@ struct token { static struct token *token_list; static unsigned nr_tokens; +static _Bool verbose; + +#define debug(fmt, ...) do { if (verbose) printf(fmt, ## __VA_ARGS__); } while (0) static int directive_compare(const void *_key, const void *_pdir) { @@ -322,21 +325,21 @@ static int directive_compare(const void *_key, const void *_pdir) dlen = strlen(dir); clen = (dlen < token->size) ? dlen : token->size; - //printf("cmp(%*.*s,%s) = ", + //debug("cmp(%*.*s,%s) = ", // (int)token->size, (int)token->size, token->value, // dir); val = memcmp(token->value, dir, clen); if (val != 0) { - //printf("%d [cmp]\n", val); + //debug("%d [cmp]\n", val); return val; } if (dlen == token->size) { - //printf("0\n"); + //debug("0\n"); return 0; } - //printf("%d\n", (int)dlen - (int)token->size); + //debug("%d\n", (int)dlen - (int)token->size); return dlen - token->size; /* shorter -> negative */ } @@ -515,13 +518,13 @@ static void tokenise(char *buffer, char *end) } nr_tokens = tix; - printf("Extracted %u tokens\n", nr_tokens); + debug("Extracted %u tokens\n", nr_tokens); #if 0 { int n; for (n = 0; n < nr_tokens; n++) - printf("Token %3u: '%*.*s'\n", + debug("Token %3u: '%*.*s'\n", n, (int)token_list[n].size, (int)token_list[n].size, token_list[n].value); @@ -542,6 +545,7 @@ int main(int argc, char **argv) ssize_t readlen; FILE *out, *hdr; char *buffer, *p; + char *kbuild_verbose; int fd; if (argc != 4) { @@ -550,6 +554,10 @@ int main(int argc, char **argv) exit(2); } + kbuild_verbose = getenv("KBUILD_VERBOSE"); + if (kbuild_verbose) + verbose = atoi(kbuild_verbose); + filename = argv[1]; outputname = argv[2]; headername = argv[3]; @@ -748,11 +756,11 @@ static void build_type_list(void) qsort(type_index, nr, sizeof(type_index[0]), type_index_compare); - printf("Extracted %u types\n", nr_types); + debug("Extracted %u types\n", nr_types); #if 0 for (n = 0; n < nr_types; n++) { struct type *type = type_index[n]; - printf("- %*.*s\n", + debug("- %*.*s\n", (int)type->name->size, (int)type->name->size, type->name->value); @@ -793,7 +801,7 @@ static void parse(void) } while (type++, !(type->flags & TYPE_STOP_MARKER)); - printf("Extracted %u actions\n", nr_actions); + debug("Extracted %u actions\n", nr_actions); } static struct element *element_list; @@ -1284,7 +1292,7 @@ static void render(FILE *out, FILE *hdr) } /* We do two passes - the first one calculates all the offsets */ - printf("Pass 1\n"); + debug("Pass 1\n"); nr_entries = 0; root = &type_list[0]; render_element(NULL, root->element, NULL); @@ -1295,7 +1303,7 @@ static void render(FILE *out, FILE *hdr) e->flags &= ~ELEMENT_RENDERED; /* And then we actually render */ - printf("Pass 2\n"); + debug("Pass 2\n"); fprintf(out, "\n"); fprintf(out, "static const unsigned char %s_machine[] = {\n", grammar_name); diff --git a/security/keys/Kconfig b/security/keys/Kconfig index a4f3f8c48d6e..72483b8f1be5 100644 --- a/security/keys/Kconfig +++ b/security/keys/Kconfig @@ -80,21 +80,3 @@ config ENCRYPTED_KEYS Userspace only ever sees/stores encrypted blobs. If you are unsure as to whether this is required, answer N. - -config KEYS_DEBUG_PROC_KEYS - bool "Enable the /proc/keys file by which keys may be viewed" - depends on KEYS - help - This option turns on support for the /proc/keys file - through which - can be listed all the keys on the system that are viewable by the - reading process. - - The only keys included in the list are those that grant View - permission to the reading process whether or not it possesses them. - Note that LSM security checks are still performed, and may further - filter out keys that the current process is not authorised to view. - - Only key attributes are listed here; key payloads are not included in - the resulting table. - - If you are unsure as to whether this is required, answer N. diff --git a/security/keys/proc.c b/security/keys/proc.c index 972eeb336b81..f0611a6368cd 100644 --- a/security/keys/proc.c +++ b/security/keys/proc.c @@ -18,7 +18,6 @@ #include #include "internal.h" -#ifdef CONFIG_KEYS_DEBUG_PROC_KEYS static int proc_keys_open(struct inode *inode, struct file *file); static void *proc_keys_start(struct seq_file *p, loff_t *_pos); static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos); @@ -38,7 +37,6 @@ static const struct file_operations proc_keys_fops = { .llseek = seq_lseek, .release = seq_release, }; -#endif static int proc_key_users_open(struct inode *inode, struct file *file); static void *proc_key_users_start(struct seq_file *p, loff_t *_pos); @@ -67,11 +65,9 @@ static int __init key_proc_init(void) { struct proc_dir_entry *p; -#ifdef CONFIG_KEYS_DEBUG_PROC_KEYS p = proc_create("keys", 0, NULL, &proc_keys_fops); if (!p) panic("Cannot create /proc/keys\n"); -#endif p = proc_create("key-users", 0, NULL, &proc_key_users_fops); if (!p) @@ -86,8 +82,6 @@ __initcall(key_proc_init); * Implement "/proc/keys" to provide a list of the keys on the system that * grant View permission to the caller. */ -#ifdef CONFIG_KEYS_DEBUG_PROC_KEYS - static struct rb_node *key_serial_next(struct seq_file *p, struct rb_node *n) { struct user_namespace *user_ns = seq_user_ns(p); @@ -275,8 +269,6 @@ static int proc_keys_show(struct seq_file *m, void *v) return 0; } -#endif /* CONFIG_KEYS_DEBUG_PROC_KEYS */ - static struct rb_node *__key_user_next(struct user_namespace *user_ns, struct rb_node *n) { while (n) {