diff options
author | David Howells <dhowells@redhat.com> | 2008-11-13 18:39:16 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-11-13 18:39:16 -0500 |
commit | b6dff3ec5e116e3af6f537d4caedcad6b9e5082a (patch) | |
tree | 9e76f972eb7ce9b84e0146c8e4126a3f86acb428 /security/keys | |
parent | 15a2460ed0af7538ca8e6c610fe607a2cd9da142 (diff) |
CRED: Separate task security context from task_struct
Separate the task security context from task_struct. At this point, the
security data is temporarily embedded in the task_struct with two pointers
pointing to it.
Note that the Alpha arch is altered as it refers to (E)UID and (E)GID in
entry.S via asm-offsets.
With comment fixes Signed-off-by: Marc Dionne <marc.c.dionne@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/keys')
-rw-r--r-- | security/keys/keyctl.c | 25 | ||||
-rw-r--r-- | security/keys/permission.c | 11 | ||||
-rw-r--r-- | security/keys/process_keys.c | 98 | ||||
-rw-r--r-- | security/keys/request_key.c | 18 | ||||
-rw-r--r-- | security/keys/request_key_auth.c | 12 |
5 files changed, 86 insertions, 78 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index fcce331eca7..8833b447ade 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
@@ -889,7 +889,7 @@ long keyctl_instantiate_key(key_serial_t id, | |||
889 | /* the appropriate instantiation authorisation key must have been | 889 | /* the appropriate instantiation authorisation key must have been |
890 | * assumed before calling this */ | 890 | * assumed before calling this */ |
891 | ret = -EPERM; | 891 | ret = -EPERM; |
892 | instkey = current->request_key_auth; | 892 | instkey = current->cred->request_key_auth; |
893 | if (!instkey) | 893 | if (!instkey) |
894 | goto error; | 894 | goto error; |
895 | 895 | ||
@@ -932,8 +932,8 @@ long keyctl_instantiate_key(key_serial_t id, | |||
932 | /* discard the assumed authority if it's just been disabled by | 932 | /* discard the assumed authority if it's just been disabled by |
933 | * instantiation of the key */ | 933 | * instantiation of the key */ |
934 | if (ret == 0) { | 934 | if (ret == 0) { |
935 | key_put(current->request_key_auth); | 935 | key_put(current->cred->request_key_auth); |
936 | current->request_key_auth = NULL; | 936 | current->cred->request_key_auth = NULL; |
937 | } | 937 | } |
938 | 938 | ||
939 | error2: | 939 | error2: |
@@ -960,7 +960,7 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) | |||
960 | /* the appropriate instantiation authorisation key must have been | 960 | /* the appropriate instantiation authorisation key must have been |
961 | * assumed before calling this */ | 961 | * assumed before calling this */ |
962 | ret = -EPERM; | 962 | ret = -EPERM; |
963 | instkey = current->request_key_auth; | 963 | instkey = current->cred->request_key_auth; |
964 | if (!instkey) | 964 | if (!instkey) |
965 | goto error; | 965 | goto error; |
966 | 966 | ||
@@ -983,8 +983,8 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) | |||
983 | /* discard the assumed authority if it's just been disabled by | 983 | /* discard the assumed authority if it's just been disabled by |
984 | * instantiation of the key */ | 984 | * instantiation of the key */ |
985 | if (ret == 0) { | 985 | if (ret == 0) { |
986 | key_put(current->request_key_auth); | 986 | key_put(current->cred->request_key_auth); |
987 | current->request_key_auth = NULL; | 987 | current->cred->request_key_auth = NULL; |
988 | } | 988 | } |
989 | 989 | ||
990 | error: | 990 | error: |
@@ -999,6 +999,7 @@ error: | |||
999 | */ | 999 | */ |
1000 | long keyctl_set_reqkey_keyring(int reqkey_defl) | 1000 | long keyctl_set_reqkey_keyring(int reqkey_defl) |
1001 | { | 1001 | { |
1002 | struct cred *cred = current->cred; | ||
1002 | int ret; | 1003 | int ret; |
1003 | 1004 | ||
1004 | switch (reqkey_defl) { | 1005 | switch (reqkey_defl) { |
@@ -1018,10 +1019,10 @@ long keyctl_set_reqkey_keyring(int reqkey_defl) | |||
1018 | case KEY_REQKEY_DEFL_USER_KEYRING: | 1019 | case KEY_REQKEY_DEFL_USER_KEYRING: |
1019 | case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: | 1020 | case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: |
1020 | set: | 1021 | set: |
1021 | current->jit_keyring = reqkey_defl; | 1022 | cred->jit_keyring = reqkey_defl; |
1022 | 1023 | ||
1023 | case KEY_REQKEY_DEFL_NO_CHANGE: | 1024 | case KEY_REQKEY_DEFL_NO_CHANGE: |
1024 | return current->jit_keyring; | 1025 | return cred->jit_keyring; |
1025 | 1026 | ||
1026 | case KEY_REQKEY_DEFL_GROUP_KEYRING: | 1027 | case KEY_REQKEY_DEFL_GROUP_KEYRING: |
1027 | default: | 1028 | default: |
@@ -1086,8 +1087,8 @@ long keyctl_assume_authority(key_serial_t id) | |||
1086 | 1087 | ||
1087 | /* we divest ourselves of authority if given an ID of 0 */ | 1088 | /* we divest ourselves of authority if given an ID of 0 */ |
1088 | if (id == 0) { | 1089 | if (id == 0) { |
1089 | key_put(current->request_key_auth); | 1090 | key_put(current->cred->request_key_auth); |
1090 | current->request_key_auth = NULL; | 1091 | current->cred->request_key_auth = NULL; |
1091 | ret = 0; | 1092 | ret = 0; |
1092 | goto error; | 1093 | goto error; |
1093 | } | 1094 | } |
@@ -1103,8 +1104,8 @@ long keyctl_assume_authority(key_serial_t id) | |||
1103 | goto error; | 1104 | goto error; |
1104 | } | 1105 | } |
1105 | 1106 | ||
1106 | key_put(current->request_key_auth); | 1107 | key_put(current->cred->request_key_auth); |
1107 | current->request_key_auth = authkey; | 1108 | current->cred->request_key_auth = authkey; |
1108 | ret = authkey->serial; | 1109 | ret = authkey->serial; |
1109 | 1110 | ||
1110 | error: | 1111 | error: |
diff --git a/security/keys/permission.c b/security/keys/permission.c index 3b41f9b5253..baf3d5f31e7 100644 --- a/security/keys/permission.c +++ b/security/keys/permission.c | |||
@@ -22,6 +22,7 @@ int key_task_permission(const key_ref_t key_ref, | |||
22 | struct task_struct *context, | 22 | struct task_struct *context, |
23 | key_perm_t perm) | 23 | key_perm_t perm) |
24 | { | 24 | { |
25 | struct cred *cred = context->cred; | ||
25 | struct key *key; | 26 | struct key *key; |
26 | key_perm_t kperm; | 27 | key_perm_t kperm; |
27 | int ret; | 28 | int ret; |
@@ -29,7 +30,7 @@ int key_task_permission(const key_ref_t key_ref, | |||
29 | key = key_ref_to_ptr(key_ref); | 30 | key = key_ref_to_ptr(key_ref); |
30 | 31 | ||
31 | /* use the second 8-bits of permissions for keys the caller owns */ | 32 | /* use the second 8-bits of permissions for keys the caller owns */ |
32 | if (key->uid == context->fsuid) { | 33 | if (key->uid == cred->fsuid) { |
33 | kperm = key->perm >> 16; | 34 | kperm = key->perm >> 16; |
34 | goto use_these_perms; | 35 | goto use_these_perms; |
35 | } | 36 | } |
@@ -37,14 +38,14 @@ int key_task_permission(const key_ref_t key_ref, | |||
37 | /* use the third 8-bits of permissions for keys the caller has a group | 38 | /* use the third 8-bits of permissions for keys the caller has a group |
38 | * membership in common with */ | 39 | * membership in common with */ |
39 | if (key->gid != -1 && key->perm & KEY_GRP_ALL) { | 40 | if (key->gid != -1 && key->perm & KEY_GRP_ALL) { |
40 | if (key->gid == context->fsgid) { | 41 | if (key->gid == cred->fsgid) { |
41 | kperm = key->perm >> 8; | 42 | kperm = key->perm >> 8; |
42 | goto use_these_perms; | 43 | goto use_these_perms; |
43 | } | 44 | } |
44 | 45 | ||
45 | task_lock(context); | 46 | spin_lock(&cred->lock); |
46 | ret = groups_search(context->group_info, key->gid); | 47 | ret = groups_search(cred->group_info, key->gid); |
47 | task_unlock(context); | 48 | spin_unlock(&cred->lock); |
48 | 49 | ||
49 | if (ret) { | 50 | if (ret) { |
50 | kperm = key->perm >> 8; | 51 | kperm = key->perm >> 8; |
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index 1c793b7090a..b0904cdda2e 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c | |||
@@ -42,7 +42,7 @@ struct key_user root_key_user = { | |||
42 | */ | 42 | */ |
43 | int install_user_keyrings(void) | 43 | int install_user_keyrings(void) |
44 | { | 44 | { |
45 | struct user_struct *user = current->user; | 45 | struct user_struct *user = current->cred->user; |
46 | struct key *uid_keyring, *session_keyring; | 46 | struct key *uid_keyring, *session_keyring; |
47 | char buf[20]; | 47 | char buf[20]; |
48 | int ret; | 48 | int ret; |
@@ -156,7 +156,7 @@ int install_thread_keyring(void) | |||
156 | 156 | ||
157 | sprintf(buf, "_tid.%u", tsk->pid); | 157 | sprintf(buf, "_tid.%u", tsk->pid); |
158 | 158 | ||
159 | keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, | 159 | keyring = keyring_alloc(buf, tsk->cred->uid, tsk->cred->gid, tsk, |
160 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | 160 | KEY_ALLOC_QUOTA_OVERRUN, NULL); |
161 | if (IS_ERR(keyring)) { | 161 | if (IS_ERR(keyring)) { |
162 | ret = PTR_ERR(keyring); | 162 | ret = PTR_ERR(keyring); |
@@ -164,8 +164,8 @@ int install_thread_keyring(void) | |||
164 | } | 164 | } |
165 | 165 | ||
166 | task_lock(tsk); | 166 | task_lock(tsk); |
167 | old = tsk->thread_keyring; | 167 | old = tsk->cred->thread_keyring; |
168 | tsk->thread_keyring = keyring; | 168 | tsk->cred->thread_keyring = keyring; |
169 | task_unlock(tsk); | 169 | task_unlock(tsk); |
170 | 170 | ||
171 | ret = 0; | 171 | ret = 0; |
@@ -192,7 +192,7 @@ int install_process_keyring(void) | |||
192 | if (!tsk->signal->process_keyring) { | 192 | if (!tsk->signal->process_keyring) { |
193 | sprintf(buf, "_pid.%u", tsk->tgid); | 193 | sprintf(buf, "_pid.%u", tsk->tgid); |
194 | 194 | ||
195 | keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, | 195 | keyring = keyring_alloc(buf, tsk->cred->uid, tsk->cred->gid, tsk, |
196 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | 196 | KEY_ALLOC_QUOTA_OVERRUN, NULL); |
197 | if (IS_ERR(keyring)) { | 197 | if (IS_ERR(keyring)) { |
198 | ret = PTR_ERR(keyring); | 198 | ret = PTR_ERR(keyring); |
@@ -238,7 +238,7 @@ static int install_session_keyring(struct key *keyring) | |||
238 | if (tsk->signal->session_keyring) | 238 | if (tsk->signal->session_keyring) |
239 | flags = KEY_ALLOC_IN_QUOTA; | 239 | flags = KEY_ALLOC_IN_QUOTA; |
240 | 240 | ||
241 | keyring = keyring_alloc(buf, tsk->uid, tsk->gid, tsk, | 241 | keyring = keyring_alloc(buf, tsk->cred->uid, tsk->cred->gid, tsk, |
242 | flags, NULL); | 242 | flags, NULL); |
243 | if (IS_ERR(keyring)) | 243 | if (IS_ERR(keyring)) |
244 | return PTR_ERR(keyring); | 244 | return PTR_ERR(keyring); |
@@ -292,14 +292,14 @@ int copy_thread_group_keys(struct task_struct *tsk) | |||
292 | */ | 292 | */ |
293 | int copy_keys(unsigned long clone_flags, struct task_struct *tsk) | 293 | int copy_keys(unsigned long clone_flags, struct task_struct *tsk) |
294 | { | 294 | { |
295 | key_check(tsk->thread_keyring); | 295 | key_check(tsk->cred->thread_keyring); |
296 | key_check(tsk->request_key_auth); | 296 | key_check(tsk->cred->request_key_auth); |
297 | 297 | ||
298 | /* no thread keyring yet */ | 298 | /* no thread keyring yet */ |
299 | tsk->thread_keyring = NULL; | 299 | tsk->cred->thread_keyring = NULL; |
300 | 300 | ||
301 | /* copy the request_key() authorisation for this thread */ | 301 | /* copy the request_key() authorisation for this thread */ |
302 | key_get(tsk->request_key_auth); | 302 | key_get(tsk->cred->request_key_auth); |
303 | 303 | ||
304 | return 0; | 304 | return 0; |
305 | 305 | ||
@@ -322,8 +322,8 @@ void exit_thread_group_keys(struct signal_struct *tg) | |||
322 | */ | 322 | */ |
323 | void exit_keys(struct task_struct *tsk) | 323 | void exit_keys(struct task_struct *tsk) |
324 | { | 324 | { |
325 | key_put(tsk->thread_keyring); | 325 | key_put(tsk->cred->thread_keyring); |
326 | key_put(tsk->request_key_auth); | 326 | key_put(tsk->cred->request_key_auth); |
327 | 327 | ||
328 | } /* end exit_keys() */ | 328 | } /* end exit_keys() */ |
329 | 329 | ||
@@ -337,8 +337,8 @@ int exec_keys(struct task_struct *tsk) | |||
337 | 337 | ||
338 | /* newly exec'd tasks don't get a thread keyring */ | 338 | /* newly exec'd tasks don't get a thread keyring */ |
339 | task_lock(tsk); | 339 | task_lock(tsk); |
340 | old = tsk->thread_keyring; | 340 | old = tsk->cred->thread_keyring; |
341 | tsk->thread_keyring = NULL; | 341 | tsk->cred->thread_keyring = NULL; |
342 | task_unlock(tsk); | 342 | task_unlock(tsk); |
343 | 343 | ||
344 | key_put(old); | 344 | key_put(old); |
@@ -373,10 +373,11 @@ int suid_keys(struct task_struct *tsk) | |||
373 | void key_fsuid_changed(struct task_struct *tsk) | 373 | void key_fsuid_changed(struct task_struct *tsk) |
374 | { | 374 | { |
375 | /* update the ownership of the thread keyring */ | 375 | /* update the ownership of the thread keyring */ |
376 | if (tsk->thread_keyring) { | 376 | BUG_ON(!tsk->cred); |
377 | down_write(&tsk->thread_keyring->sem); | 377 | if (tsk->cred->thread_keyring) { |
378 | tsk->thread_keyring->uid = tsk->fsuid; | 378 | down_write(&tsk->cred->thread_keyring->sem); |
379 | up_write(&tsk->thread_keyring->sem); | 379 | tsk->cred->thread_keyring->uid = tsk->cred->fsuid; |
380 | up_write(&tsk->cred->thread_keyring->sem); | ||
380 | } | 381 | } |
381 | 382 | ||
382 | } /* end key_fsuid_changed() */ | 383 | } /* end key_fsuid_changed() */ |
@@ -388,10 +389,11 @@ void key_fsuid_changed(struct task_struct *tsk) | |||
388 | void key_fsgid_changed(struct task_struct *tsk) | 389 | void key_fsgid_changed(struct task_struct *tsk) |
389 | { | 390 | { |
390 | /* update the ownership of the thread keyring */ | 391 | /* update the ownership of the thread keyring */ |
391 | if (tsk->thread_keyring) { | 392 | BUG_ON(!tsk->cred); |
392 | down_write(&tsk->thread_keyring->sem); | 393 | if (tsk->cred->thread_keyring) { |
393 | tsk->thread_keyring->gid = tsk->fsgid; | 394 | down_write(&tsk->cred->thread_keyring->sem); |
394 | up_write(&tsk->thread_keyring->sem); | 395 | tsk->cred->thread_keyring->gid = tsk->cred->fsgid; |
396 | up_write(&tsk->cred->thread_keyring->sem); | ||
395 | } | 397 | } |
396 | 398 | ||
397 | } /* end key_fsgid_changed() */ | 399 | } /* end key_fsgid_changed() */ |
@@ -426,9 +428,9 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
426 | err = ERR_PTR(-EAGAIN); | 428 | err = ERR_PTR(-EAGAIN); |
427 | 429 | ||
428 | /* search the thread keyring first */ | 430 | /* search the thread keyring first */ |
429 | if (context->thread_keyring) { | 431 | if (context->cred->thread_keyring) { |
430 | key_ref = keyring_search_aux( | 432 | key_ref = keyring_search_aux( |
431 | make_key_ref(context->thread_keyring, 1), | 433 | make_key_ref(context->cred->thread_keyring, 1), |
432 | context, type, description, match); | 434 | context, type, description, match); |
433 | if (!IS_ERR(key_ref)) | 435 | if (!IS_ERR(key_ref)) |
434 | goto found; | 436 | goto found; |
@@ -493,9 +495,9 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
493 | } | 495 | } |
494 | } | 496 | } |
495 | /* or search the user-session keyring */ | 497 | /* or search the user-session keyring */ |
496 | else if (context->user->session_keyring) { | 498 | else if (context->cred->user->session_keyring) { |
497 | key_ref = keyring_search_aux( | 499 | key_ref = keyring_search_aux( |
498 | make_key_ref(context->user->session_keyring, 1), | 500 | make_key_ref(context->cred->user->session_keyring, 1), |
499 | context, type, description, match); | 501 | context, type, description, match); |
500 | if (!IS_ERR(key_ref)) | 502 | if (!IS_ERR(key_ref)) |
501 | goto found; | 503 | goto found; |
@@ -517,20 +519,20 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
517 | * search the keyrings of the process mentioned there | 519 | * search the keyrings of the process mentioned there |
518 | * - we don't permit access to request_key auth keys via this method | 520 | * - we don't permit access to request_key auth keys via this method |
519 | */ | 521 | */ |
520 | if (context->request_key_auth && | 522 | if (context->cred->request_key_auth && |
521 | context == current && | 523 | context == current && |
522 | type != &key_type_request_key_auth | 524 | type != &key_type_request_key_auth |
523 | ) { | 525 | ) { |
524 | /* defend against the auth key being revoked */ | 526 | /* defend against the auth key being revoked */ |
525 | down_read(&context->request_key_auth->sem); | 527 | down_read(&context->cred->request_key_auth->sem); |
526 | 528 | ||
527 | if (key_validate(context->request_key_auth) == 0) { | 529 | if (key_validate(context->cred->request_key_auth) == 0) { |
528 | rka = context->request_key_auth->payload.data; | 530 | rka = context->cred->request_key_auth->payload.data; |
529 | 531 | ||
530 | key_ref = search_process_keyrings(type, description, | 532 | key_ref = search_process_keyrings(type, description, |
531 | match, rka->context); | 533 | match, rka->context); |
532 | 534 | ||
533 | up_read(&context->request_key_auth->sem); | 535 | up_read(&context->cred->request_key_auth->sem); |
534 | 536 | ||
535 | if (!IS_ERR(key_ref)) | 537 | if (!IS_ERR(key_ref)) |
536 | goto found; | 538 | goto found; |
@@ -547,7 +549,7 @@ key_ref_t search_process_keyrings(struct key_type *type, | |||
547 | break; | 549 | break; |
548 | } | 550 | } |
549 | } else { | 551 | } else { |
550 | up_read(&context->request_key_auth->sem); | 552 | up_read(&context->cred->request_key_auth->sem); |
551 | } | 553 | } |
552 | } | 554 | } |
553 | 555 | ||
@@ -580,15 +582,16 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
580 | { | 582 | { |
581 | struct request_key_auth *rka; | 583 | struct request_key_auth *rka; |
582 | struct task_struct *t = current; | 584 | struct task_struct *t = current; |
583 | key_ref_t key_ref, skey_ref; | 585 | struct cred *cred = t->cred; |
584 | struct key *key; | 586 | struct key *key; |
587 | key_ref_t key_ref, skey_ref; | ||
585 | int ret; | 588 | int ret; |
586 | 589 | ||
587 | key_ref = ERR_PTR(-ENOKEY); | 590 | key_ref = ERR_PTR(-ENOKEY); |
588 | 591 | ||
589 | switch (id) { | 592 | switch (id) { |
590 | case KEY_SPEC_THREAD_KEYRING: | 593 | case KEY_SPEC_THREAD_KEYRING: |
591 | if (!t->thread_keyring) { | 594 | if (!cred->thread_keyring) { |
592 | if (!create) | 595 | if (!create) |
593 | goto error; | 596 | goto error; |
594 | 597 | ||
@@ -599,7 +602,7 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
599 | } | 602 | } |
600 | } | 603 | } |
601 | 604 | ||
602 | key = t->thread_keyring; | 605 | key = cred->thread_keyring; |
603 | atomic_inc(&key->usage); | 606 | atomic_inc(&key->usage); |
604 | key_ref = make_key_ref(key, 1); | 607 | key_ref = make_key_ref(key, 1); |
605 | break; | 608 | break; |
@@ -628,7 +631,8 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
628 | ret = install_user_keyrings(); | 631 | ret = install_user_keyrings(); |
629 | if (ret < 0) | 632 | if (ret < 0) |
630 | goto error; | 633 | goto error; |
631 | ret = install_session_keyring(t->user->session_keyring); | 634 | ret = install_session_keyring( |
635 | cred->user->session_keyring); | ||
632 | if (ret < 0) | 636 | if (ret < 0) |
633 | goto error; | 637 | goto error; |
634 | } | 638 | } |
@@ -641,25 +645,25 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
641 | break; | 645 | break; |
642 | 646 | ||
643 | case KEY_SPEC_USER_KEYRING: | 647 | case KEY_SPEC_USER_KEYRING: |
644 | if (!t->user->uid_keyring) { | 648 | if (!cred->user->uid_keyring) { |
645 | ret = install_user_keyrings(); | 649 | ret = install_user_keyrings(); |
646 | if (ret < 0) | 650 | if (ret < 0) |
647 | goto error; | 651 | goto error; |
648 | } | 652 | } |
649 | 653 | ||
650 | key = t->user->uid_keyring; | 654 | key = cred->user->uid_keyring; |
651 | atomic_inc(&key->usage); | 655 | atomic_inc(&key->usage); |
652 | key_ref = make_key_ref(key, 1); | 656 | key_ref = make_key_ref(key, 1); |
653 | break; | 657 | break; |
654 | 658 | ||
655 | case KEY_SPEC_USER_SESSION_KEYRING: | 659 | case KEY_SPEC_USER_SESSION_KEYRING: |
656 | if (!t->user->session_keyring) { | 660 | if (!cred->user->session_keyring) { |
657 | ret = install_user_keyrings(); | 661 | ret = install_user_keyrings(); |
658 | if (ret < 0) | 662 | if (ret < 0) |
659 | goto error; | 663 | goto error; |
660 | } | 664 | } |
661 | 665 | ||
662 | key = t->user->session_keyring; | 666 | key = cred->user->session_keyring; |
663 | atomic_inc(&key->usage); | 667 | atomic_inc(&key->usage); |
664 | key_ref = make_key_ref(key, 1); | 668 | key_ref = make_key_ref(key, 1); |
665 | break; | 669 | break; |
@@ -670,7 +674,7 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
670 | goto error; | 674 | goto error; |
671 | 675 | ||
672 | case KEY_SPEC_REQKEY_AUTH_KEY: | 676 | case KEY_SPEC_REQKEY_AUTH_KEY: |
673 | key = t->request_key_auth; | 677 | key = cred->request_key_auth; |
674 | if (!key) | 678 | if (!key) |
675 | goto error; | 679 | goto error; |
676 | 680 | ||
@@ -679,19 +683,19 @@ key_ref_t lookup_user_key(key_serial_t id, int create, int partial, | |||
679 | break; | 683 | break; |
680 | 684 | ||
681 | case KEY_SPEC_REQUESTOR_KEYRING: | 685 | case KEY_SPEC_REQUESTOR_KEYRING: |
682 | if (!t->request_key_auth) | 686 | if (!cred->request_key_auth) |
683 | goto error; | 687 | goto error; |
684 | 688 | ||
685 | down_read(&t->request_key_auth->sem); | 689 | down_read(&cred->request_key_auth->sem); |
686 | if (t->request_key_auth->flags & KEY_FLAG_REVOKED) { | 690 | if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) { |
687 | key_ref = ERR_PTR(-EKEYREVOKED); | 691 | key_ref = ERR_PTR(-EKEYREVOKED); |
688 | key = NULL; | 692 | key = NULL; |
689 | } else { | 693 | } else { |
690 | rka = t->request_key_auth->payload.data; | 694 | rka = cred->request_key_auth->payload.data; |
691 | key = rka->dest_keyring; | 695 | key = rka->dest_keyring; |
692 | atomic_inc(&key->usage); | 696 | atomic_inc(&key->usage); |
693 | } | 697 | } |
694 | up_read(&t->request_key_auth->sem); | 698 | up_read(&cred->request_key_auth->sem); |
695 | if (!key) | 699 | if (!key) |
696 | goto error; | 700 | goto error; |
697 | key_ref = make_key_ref(key, 1); | 701 | key_ref = make_key_ref(key, 1); |
@@ -791,7 +795,7 @@ long join_session_keyring(const char *name) | |||
791 | keyring = find_keyring_by_name(name, false); | 795 | keyring = find_keyring_by_name(name, false); |
792 | if (PTR_ERR(keyring) == -ENOKEY) { | 796 | if (PTR_ERR(keyring) == -ENOKEY) { |
793 | /* not found - try and create a new one */ | 797 | /* not found - try and create a new one */ |
794 | keyring = keyring_alloc(name, tsk->uid, tsk->gid, tsk, | 798 | keyring = keyring_alloc(name, tsk->cred->uid, tsk->cred->gid, tsk, |
795 | KEY_ALLOC_IN_QUOTA, NULL); | 799 | KEY_ALLOC_IN_QUOTA, NULL); |
796 | if (IS_ERR(keyring)) { | 800 | if (IS_ERR(keyring)) { |
797 | ret = PTR_ERR(keyring); | 801 | ret = PTR_ERR(keyring); |
diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 8e9d93b4a40..3e9b9eb1dd2 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c | |||
@@ -104,7 +104,8 @@ static int call_sbin_request_key(struct key_construction *cons, | |||
104 | 104 | ||
105 | /* we specify the process's default keyrings */ | 105 | /* we specify the process's default keyrings */ |
106 | sprintf(keyring_str[0], "%d", | 106 | sprintf(keyring_str[0], "%d", |
107 | tsk->thread_keyring ? tsk->thread_keyring->serial : 0); | 107 | tsk->cred->thread_keyring ? |
108 | tsk->cred->thread_keyring->serial : 0); | ||
108 | 109 | ||
109 | prkey = 0; | 110 | prkey = 0; |
110 | if (tsk->signal->process_keyring) | 111 | if (tsk->signal->process_keyring) |
@@ -117,7 +118,7 @@ static int call_sbin_request_key(struct key_construction *cons, | |||
117 | sskey = rcu_dereference(tsk->signal->session_keyring)->serial; | 118 | sskey = rcu_dereference(tsk->signal->session_keyring)->serial; |
118 | rcu_read_unlock(); | 119 | rcu_read_unlock(); |
119 | } else { | 120 | } else { |
120 | sskey = tsk->user->session_keyring->serial; | 121 | sskey = tsk->cred->user->session_keyring->serial; |
121 | } | 122 | } |
122 | 123 | ||
123 | sprintf(keyring_str[2], "%d", sskey); | 124 | sprintf(keyring_str[2], "%d", sskey); |
@@ -232,11 +233,11 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) | |||
232 | } else { | 233 | } else { |
233 | /* use a default keyring; falling through the cases until we | 234 | /* use a default keyring; falling through the cases until we |
234 | * find one that we actually have */ | 235 | * find one that we actually have */ |
235 | switch (tsk->jit_keyring) { | 236 | switch (tsk->cred->jit_keyring) { |
236 | case KEY_REQKEY_DEFL_DEFAULT: | 237 | case KEY_REQKEY_DEFL_DEFAULT: |
237 | case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: | 238 | case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: |
238 | if (tsk->request_key_auth) { | 239 | if (tsk->cred->request_key_auth) { |
239 | authkey = tsk->request_key_auth; | 240 | authkey = tsk->cred->request_key_auth; |
240 | down_read(&authkey->sem); | 241 | down_read(&authkey->sem); |
241 | rka = authkey->payload.data; | 242 | rka = authkey->payload.data; |
242 | if (!test_bit(KEY_FLAG_REVOKED, | 243 | if (!test_bit(KEY_FLAG_REVOKED, |
@@ -249,7 +250,7 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) | |||
249 | } | 250 | } |
250 | 251 | ||
251 | case KEY_REQKEY_DEFL_THREAD_KEYRING: | 252 | case KEY_REQKEY_DEFL_THREAD_KEYRING: |
252 | dest_keyring = key_get(tsk->thread_keyring); | 253 | dest_keyring = key_get(tsk->cred->thread_keyring); |
253 | if (dest_keyring) | 254 | if (dest_keyring) |
254 | break; | 255 | break; |
255 | 256 | ||
@@ -268,11 +269,12 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) | |||
268 | break; | 269 | break; |
269 | 270 | ||
270 | case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: | 271 | case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: |
271 | dest_keyring = key_get(tsk->user->session_keyring); | 272 | dest_keyring = |
273 | key_get(tsk->cred->user->session_keyring); | ||
272 | break; | 274 | break; |
273 | 275 | ||
274 | case KEY_REQKEY_DEFL_USER_KEYRING: | 276 | case KEY_REQKEY_DEFL_USER_KEYRING: |
275 | dest_keyring = key_get(tsk->user->uid_keyring); | 277 | dest_keyring = key_get(tsk->cred->user->uid_keyring); |
276 | break; | 278 | break; |
277 | 279 | ||
278 | case KEY_REQKEY_DEFL_GROUP_KEYRING: | 280 | case KEY_REQKEY_DEFL_GROUP_KEYRING: |
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c index 1762d44711d..2125579d5d7 100644 --- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c | |||
@@ -164,22 +164,22 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info, | |||
164 | 164 | ||
165 | /* see if the calling process is already servicing the key request of | 165 | /* see if the calling process is already servicing the key request of |
166 | * another process */ | 166 | * another process */ |
167 | if (current->request_key_auth) { | 167 | if (current->cred->request_key_auth) { |
168 | /* it is - use that instantiation context here too */ | 168 | /* it is - use that instantiation context here too */ |
169 | down_read(¤t->request_key_auth->sem); | 169 | down_read(¤t->cred->request_key_auth->sem); |
170 | 170 | ||
171 | /* if the auth key has been revoked, then the key we're | 171 | /* if the auth key has been revoked, then the key we're |
172 | * servicing is already instantiated */ | 172 | * servicing is already instantiated */ |
173 | if (test_bit(KEY_FLAG_REVOKED, | 173 | if (test_bit(KEY_FLAG_REVOKED, |
174 | ¤t->request_key_auth->flags)) | 174 | ¤t->cred->request_key_auth->flags)) |
175 | goto auth_key_revoked; | 175 | goto auth_key_revoked; |
176 | 176 | ||
177 | irka = current->request_key_auth->payload.data; | 177 | irka = current->cred->request_key_auth->payload.data; |
178 | rka->context = irka->context; | 178 | rka->context = irka->context; |
179 | rka->pid = irka->pid; | 179 | rka->pid = irka->pid; |
180 | get_task_struct(rka->context); | 180 | get_task_struct(rka->context); |
181 | 181 | ||
182 | up_read(¤t->request_key_auth->sem); | 182 | up_read(¤t->cred->request_key_auth->sem); |
183 | } | 183 | } |
184 | else { | 184 | else { |
185 | /* it isn't - use this process as the context */ | 185 | /* it isn't - use this process as the context */ |
@@ -214,7 +214,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info, | |||
214 | return authkey; | 214 | return authkey; |
215 | 215 | ||
216 | auth_key_revoked: | 216 | auth_key_revoked: |
217 | up_read(¤t->request_key_auth->sem); | 217 | up_read(¤t->cred->request_key_auth->sem); |
218 | kfree(rka->callout_info); | 218 | kfree(rka->callout_info); |
219 | kfree(rka); | 219 | kfree(rka); |
220 | kleave("= -EKEYREVOKED"); | 220 | kleave("= -EKEYREVOKED"); |