Merge branch 'keys-fixes' into keys-next

Signed-off-by: David Howells <dhowells@redhat.com>

6 files changed, 20 insertions, 3 deletions

diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index ca41be5631c7..4870f28403f5 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -22,7 +22,6 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
 
 config PUBLIC_KEY_ALGO_RSA
         tristate "RSA public-key algorithm"
-        select MPILIB_EXTRA
         select MPILIB
         help
           This option enables support for the RSA algorithm (PKCS#1, RFC3447).
diff --git a/fs/nfs/idmap.c b/fs/nfs/idmap.c
index 59b217a3266d..7dd55b745c4d 100644
--- a/fs/nfs/idmap.c
+++ b/fs/nfs/idmap.c
@@ -284,6 +284,8 @@ static struct key *nfs_idmap_request_key(const char *name, size_t namelen,
                                                 desc, "", 0, idmap);
                 mutex_unlock(&idmap->idmap_mutex);
         }
+        if (!IS_ERR(rkey))
+                set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
 
         kfree(desc);
         return rkey;
diff --git a/include/linux/key.h b/include/linux/key.h
index 65316f7ae794..e1d4715f3222 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -171,6 +171,7 @@ struct key {
 #define KEY_FLAG_TRUSTED        8       /* set if key is trusted */
 #define KEY_FLAG_TRUSTED_ONLY   9       /* set if keyring only accepts links to trusted keys */
 #define KEY_FLAG_BUILTIN        10      /* set if key is builtin */
+#define KEY_FLAG_ROOT_CAN_INVAL 11      /* set if key can be invalidated by root without permission */
 
         /* the key type and key description string
          * - the desc is used to match a key against search criteria
diff --git a/lib/Kconfig b/lib/Kconfig
index 334f7722a999..a8a775730c09 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -451,7 +451,8 @@ config MPILIB
 
 config SIGNATURE
         tristate
-        depends on KEYS && CRYPTO
+        depends on KEYS
+        select CRYPTO
         select CRYPTO_SHA1
         select MPILIB
         help
diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
index 9acec61f5433..9a32f55cf9b9 100644
--- a/net/dns_resolver/dns_query.c
+++ b/net/dns_resolver/dns_query.c
@@ -129,6 +129,7 @@ int dns_query(const char *type, const char *name, size_t namelen,
         }
 
         down_read(&rkey->sem);
+        set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
         rkey->perm |= KEY_USR_VIEW;
 
         ret = key_validate(rkey);
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 8a8c23357291..e26f860e5f2e 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -406,12 +406,25 @@ long keyctl_invalidate_key(key_serial_t id)
         key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
         if (IS_ERR(key_ref)) {
                 ret = PTR_ERR(key_ref);
+
+                /* Root is permitted to invalidate certain special keys */
+                if (capable(CAP_SYS_ADMIN)) {
+                        key_ref = lookup_user_key(id, 0, 0);
+                        if (IS_ERR(key_ref))
+                                goto error;
+                        if (test_bit(KEY_FLAG_ROOT_CAN_INVAL,
+                                     &key_ref_to_ptr(key_ref)->flags))
+                                goto invalidate;
+                        goto error_put;
+                }
+
                 goto error;
         }
 
+invalidate:
         key_invalidate(key_ref_to_ptr(key_ref));
         ret = 0;
-
+error_put:
         key_ref_put(key_ref);
 error:
         kleave(" = %ld", ret);