Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
 "Highlights:

  IMA:
   - provide ">" and "<" operators for fowner/uid/euid rules

  KEYS:
   - add a system blacklist keyring

   - add KEYCTL_RESTRICT_KEYRING, exposes keyring link restriction
     functionality to userland via keyctl()

  LSM:
   - harden LSM API with __ro_after_init

   - add prlmit security hook, implement for SELinux

   - revive security_task_alloc hook

  TPM:
   - implement contextual TPM command 'spaces'"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (98 commits)
  tpm: Fix reference count to main device
  tpm_tis: convert to using locality callbacks
  tpm: fix handling of the TPM 2.0 event logs
  tpm_crb: remove a cruft constant
  keys: select CONFIG_CRYPTO when selecting DH / KDF
  apparmor: Make path_max parameter readonly
  apparmor: fix parameters so that the permission test is bypassed at boot
  apparmor: fix invalid reference to index variable of iterator line 836
  apparmor: use SHASH_DESC_ON_STACK
  security/apparmor/lsm.c: set debug messages
  apparmor: fix boolreturn.cocci warnings
  Smack: Use GFP_KERNEL for smk_netlbl_mls().
  smack: fix double free in smack_parse_opts_str()
  KEYS: add SP800-56A KDF support for DH
  KEYS: Keyring asymmetric key restrict method with chaining
  KEYS: Restrict asymmetric key linkage using a specific keychain
  KEYS: Add a lookup_restriction function for the asymmetric key type
  KEYS: Add KEYCTL_RESTRICT_KEYRING
  KEYS: Consistent ordering for __key_link_begin and restrict check
  KEYS: Add an optional lookup_restriction hook to key_type
  ...

1 files changed, 13 insertions, 19 deletions

diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c
index de8dc78b6144..136f2a047836 100644
--- a/security/apparmor/crypto.c
+++ b/security/apparmor/crypto.c
@@ -31,10 +31,7 @@ unsigned int aa_hash_size(void)
 
 char *aa_calc_hash(void *data, size_t len)
 {
-	struct {
-		struct shash_desc shash;
-		char ctx[crypto_shash_descsize(apparmor_tfm)];
-	} desc;
+	SHASH_DESC_ON_STACK(desc, apparmor_tfm);
 	char *hash = NULL;
 	int error = -ENOMEM;
 
@@ -45,16 +42,16 @@ char *aa_calc_hash(void *data, size_t len)
 	if (!hash)
 		goto fail;
 
-	desc.shash.tfm = apparmor_tfm;
-	desc.shash.flags = 0;
+	desc->tfm = apparmor_tfm;
+	desc->flags = 0;
 
-	error = crypto_shash_init(&desc.shash);
+	error = crypto_shash_init(desc);
 	if (error)
 		goto fail;
-	error = crypto_shash_update(&desc.shash, (u8 *) data, len);
+	error = crypto_shash_update(desc, (u8 *) data, len);
 	if (error)
 		goto fail;
-	error = crypto_shash_final(&desc.shash, hash);
+	error = crypto_shash_final(desc, hash);
 	if (error)
 		goto fail;
 
@@ -69,10 +66,7 @@ fail:
 int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
 			 size_t len)
 {
-	struct {
-		struct shash_desc shash;
-		char ctx[crypto_shash_descsize(apparmor_tfm)];
-	} desc;
+	SHASH_DESC_ON_STACK(desc, apparmor_tfm);
 	int error = -ENOMEM;
 	__le32 le32_version = cpu_to_le32(version);
 
@@ -86,19 +80,19 @@ int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
 	if (!profile->hash)
 		goto fail;
 
-	desc.shash.tfm = apparmor_tfm;
-	desc.shash.flags = 0;
+	desc->tfm = apparmor_tfm;
+	desc->flags = 0;
 
-	error = crypto_shash_init(&desc.shash);
+	error = crypto_shash_init(desc);
 	if (error)
 		goto fail;
-	error = crypto_shash_update(&desc.shash, (u8 *) &le32_version, 4);
+	error = crypto_shash_update(desc, (u8 *) &le32_version, 4);
 	if (error)
 		goto fail;
-	error = crypto_shash_update(&desc.shash, (u8 *) start, len);
+	error = crypto_shash_update(desc, (u8 *) start, len);
 	if (error)
 		goto fail;
-	error = crypto_shash_final(&desc.shash, profile->hash);
+	error = crypto_shash_final(desc, profile->hash);
 	if (error)
 		goto fail;