author | Serge E. Hallyn <serue@us.ibm.com> | 2009-02-26 19:28:04 -0500 |
committer | James Morris <jmorris@namei.org> | 2009-02-26 20:35:15 -0500 |
commit | 454804ab0302b354e35d992d08e53fe03313baaf (patch) | |
tree | e01a4928e19ac2e8318bc88d0b79970cccc60665 | |
parent | 2ea190d0a006ce5218baa6e798512652446a605a (diff) |
keys: make procfiles per-user-namespace
Restrict the /proc/keys and /proc/key-users output to keys
belonging to the same user namespace as the reading task.
We may want to make this more complicated - so that any
keys in a user-namespace which belongs to the reading
task are also shown. But let's see if anyone wants that
first.
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/keys/proc.c | 55 |
1 files changed, 49 insertions, 6 deletions
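--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -91,6 +91,28 @@ __initcall(key_proc_init);
 */
 #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
 
+static struct rb_node *__key_serial_next(struct rb_node *n)
+{
+while (n) {
+struct key *key = rb_entry(n, struct key, serial_node);
+if (key->user->user_ns == current_user_ns())
+break;
+n = rb_next(n);
+}
+return n;
+}
+
+static struct rb_node *key_serial_next(struct rb_node *n)
+{
+return __key_serial_next(rb_next(n));
+}
+
+static struct rb_node *key_serial_first(struct rb_root *r)
+{
+struct rb_node *n = rb_first(r);
+return __key_serial_next(n);
+}
+
 static int proc_keys_open(struct inode *inode, struct file *file)
 {
 return seq_open(file, &proc_keys_ops);
@@ -104,10 +126,10 @@ static void *proc_keys_start(struct seq_file *p, loff_t *_pos)
 
 spin_lock(&key_serial_lock);
 
-_p = rb_first(&key_serial_tree);
+_p = key_serial_first(&key_serial_tree);
 while (pos > 0 && _p) {
 pos--;
-_p = rb_next(_p);
+_p = key_serial_next(_p);
 }
 
 return _p;
@@ -117,7 +139,7 @@ static void *proc_keys_start(struct seq_file *p, loff_t *_pos)
 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos)
 {
 (*_pos)++;
-return rb_next((struct rb_node *) v);
+return key_serial_next((struct rb_node *) v);
 
 }
 
@@ -203,6 +225,27 @@ static int proc_keys_show(struct seq_file *m, void *v)
 
 #endif /* CONFIG_KEYS_DEBUG_PROC_KEYS */
 
+static struct rb_node *__key_user_next(struct rb_node *n)
+{
+while (n) {
+struct key_user *user = rb_entry(n, struct key_user, node);
+if (user->user_ns == current_user_ns())
+break;
+n = rb_next(n);
+}
+return n;
+}
+
+static struct rb_node *key_user_next(struct rb_node *n)
+{
+return __key_user_next(rb_next(n));
+}
+
+static struct rb_node *key_user_first(struct rb_root *r)
+{
+struct rb_node *n = rb_first(r);
+return __key_user_next(n);
+}
 /*****************************************************************************/
 /*
 * implement "/proc/key-users" to provides a list of the key users
@@ -220,10 +263,10 @@ static void *proc_key_users_start(struct seq_file *p, loff_t *_pos)
 
 spin_lock(&key_user_lock);
 
-_p = rb_first(&key_user_tree);
+_p = key_user_first(&key_user_tree);
 while (pos > 0 && _p) {
 pos--;
-_p = rb_next(_p);
+_p = key_user_next(_p);
 }
 
 return _p;
@@ -233,7 +276,7 @@ static void *proc_key_users_start(struct seq_file *p, loff_t *_pos)
 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos)
 {
 (*_pos)++;
-return rb_next((struct rb_node *) v);
+return key_user_next((struct rb_node *) v);
 
 }
 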
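Review bot: The namespace filter in `__key_serial_next` (first hunk) and `__key_user_next` (fourth hunk) is re-evaluated against `current_user_ns()` on every node, so the set of visible entries, and therefore what a given seq_file position means, is a property of whichever task performs the read, not of who opened the file; if the descriptor is inherited or passed to a task in a different user namespace, the `pos`-based skip loop in `proc_keys_start` and `proc_key_users_start` counts a different sequence of nodes and entries may be repeated or missed between reads. If that matters, capture the namespace once per walk and compare against it, which also avoids the per-iteration call: `struct user_namespace *ns = current_user_ns();` before `while (n) {` and `if (key->user->user_ns == ns)` in the loop (likewise `user->user_ns == ns` in the key_user helper). A short comment on each helper would also make the intent visible to the next reader, e.g. `/* skip forward to the first node owned by a user in the reading task's user namespace */`. The two `*_start` functions and `proc_keys_show` begin outside these hunks, so the locking held across `*_next` is not visible here.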