aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2005-06-24 01:00:51 -0400
committerLinus Torvalds <torvalds@ppc970.osdl.org>2005-06-24 03:05:18 -0400
commit7888e7ff4ee579442128d7d12a9c9dbf2cf7de6a (patch)
treeabe428ecb966e1dae07fce17f38e3e0c0ab4f134
parent76d8aeabfeb1c42641a81c44280177b9a08670d8 (diff)
[PATCH] Keys: Pass session keyring to call_usermodehelper()
The attached patch makes it possible to pass a session keyring through to the process spawned by call_usermodehelper(). This allows patch 3/3 to pass an authorisation key through to /sbin/request-key, thus permitting better access controls when doing just-in-time key creation. Signed-Off-By: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--include/linux/key.h10
-rw-r--r--include/linux/kmod.h13
-rw-r--r--kernel/kmod.c17
-rw-r--r--security/keys/request_key.c2
4 files changed, 35 insertions, 7 deletions
diff --git a/include/linux/key.h b/include/linux/key.h
index 2c24ffaca86f..2bfbf88d2740 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -273,14 +273,22 @@ extern void key_fsuid_changed(struct task_struct *tsk);
273extern void key_fsgid_changed(struct task_struct *tsk); 273extern void key_fsgid_changed(struct task_struct *tsk);
274extern void key_init(void); 274extern void key_init(void);
275 275
276#define __install_session_keyring(tsk, keyring) \
277({ \
278 struct key *old_session = tsk->signal->session_keyring; \
279 tsk->signal->session_keyring = keyring; \
280 old_session; \
281})
282
276#else /* CONFIG_KEYS */ 283#else /* CONFIG_KEYS */
277 284
278#define key_validate(k) 0 285#define key_validate(k) 0
279#define key_serial(k) 0 286#define key_serial(k) 0
280#define key_get(k) NULL 287#define key_get(k) ({ NULL; })
281#define key_put(k) do { } while(0) 288#define key_put(k) do { } while(0)
282#define alloc_uid_keyring(u) 0 289#define alloc_uid_keyring(u) 0
283#define switch_uid_keyring(u) do { } while(0) 290#define switch_uid_keyring(u) do { } while(0)
291#define __install_session_keyring(t, k) ({ NULL; })
284#define copy_keys(f,t) 0 292#define copy_keys(f,t) 0
285#define copy_thread_group_keys(t) 0 293#define copy_thread_group_keys(t) 0
286#define exit_keys(t) do { } while(0) 294#define exit_keys(t) do { } while(0)
diff --git a/include/linux/kmod.h b/include/linux/kmod.h
index 95d0e4b0814d..e4a231549407 100644
--- a/include/linux/kmod.h
+++ b/include/linux/kmod.h
@@ -19,6 +19,7 @@
19 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 19 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */ 20 */
21 21
22#include <linux/stddef.h>
22#include <linux/config.h> 23#include <linux/config.h>
23#include <linux/errno.h> 24#include <linux/errno.h>
24#include <linux/compiler.h> 25#include <linux/compiler.h>
@@ -34,7 +35,17 @@ static inline int request_module(const char * name, ...) { return -ENOSYS; }
34#endif 35#endif
35 36
36#define try_then_request_module(x, mod...) ((x) ?: (request_module(mod), (x))) 37#define try_then_request_module(x, mod...) ((x) ?: (request_module(mod), (x)))
37extern int call_usermodehelper(char *path, char *argv[], char *envp[], int wait); 38
39struct key;
40extern int call_usermodehelper_keys(char *path, char *argv[], char *envp[],
41 struct key *session_keyring, int wait);
42
43static inline int
44call_usermodehelper(char *path, char **argv, char **envp, int wait)
45{
46 return call_usermodehelper_keys(path, argv, envp, NULL, wait);
47}
48
38extern void usermodehelper_init(void); 49extern void usermodehelper_init(void);
39 50
40#endif /* __LINUX_KMOD_H__ */ 51#endif /* __LINUX_KMOD_H__ */
diff --git a/kernel/kmod.c b/kernel/kmod.c
index eed53d4f5230..44166e3bb8af 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -120,6 +120,7 @@ struct subprocess_info {
120 char *path; 120 char *path;
121 char **argv; 121 char **argv;
122 char **envp; 122 char **envp;
123 struct key *ring;
123 int wait; 124 int wait;
124 int retval; 125 int retval;
125}; 126};
@@ -130,16 +131,21 @@ struct subprocess_info {
130static int ____call_usermodehelper(void *data) 131static int ____call_usermodehelper(void *data)
131{ 132{
132 struct subprocess_info *sub_info = data; 133 struct subprocess_info *sub_info = data;
134 struct key *old_session;
133 int retval; 135 int retval;
134 136
135 /* Unblock all signals. */ 137 /* Unblock all signals and set the session keyring. */
138 key_get(sub_info->ring);
136 flush_signals(current); 139 flush_signals(current);
137 spin_lock_irq(&current->sighand->siglock); 140 spin_lock_irq(&current->sighand->siglock);
141 old_session = __install_session_keyring(current, sub_info->ring);
138 flush_signal_handlers(current, 1); 142 flush_signal_handlers(current, 1);
139 sigemptyset(&current->blocked); 143 sigemptyset(&current->blocked);
140 recalc_sigpending(); 144 recalc_sigpending();
141 spin_unlock_irq(&current->sighand->siglock); 145 spin_unlock_irq(&current->sighand->siglock);
142 146
147 key_put(old_session);
148
143 /* We can run anywhere, unlike our parent keventd(). */ 149 /* We can run anywhere, unlike our parent keventd(). */
144 set_cpus_allowed(current, CPU_MASK_ALL); 150 set_cpus_allowed(current, CPU_MASK_ALL);
145 151
@@ -211,10 +217,11 @@ static void __call_usermodehelper(void *data)
211} 217}
212 218
213/** 219/**
214 * call_usermodehelper - start a usermode application 220 * call_usermodehelper_keys - start a usermode application
215 * @path: pathname for the application 221 * @path: pathname for the application
216 * @argv: null-terminated argument list 222 * @argv: null-terminated argument list
217 * @envp: null-terminated environment list 223 * @envp: null-terminated environment list
224 * @session_keyring: session keyring for process (NULL for an empty keyring)
218 * @wait: wait for the application to finish and return status. 225 * @wait: wait for the application to finish and return status.
219 * 226 *
220 * Runs a user-space application. The application is started 227 * Runs a user-space application. The application is started
@@ -224,7 +231,8 @@ static void __call_usermodehelper(void *data)
224 * Must be called from process context. Returns a negative error code 231 * Must be called from process context. Returns a negative error code
225 * if program was not execed successfully, or 0. 232 * if program was not execed successfully, or 0.
226 */ 233 */
227int call_usermodehelper(char *path, char **argv, char **envp, int wait) 234int call_usermodehelper_keys(char *path, char **argv, char **envp,
235 struct key *session_keyring, int wait)
228{ 236{
229 DECLARE_COMPLETION(done); 237 DECLARE_COMPLETION(done);
230 struct subprocess_info sub_info = { 238 struct subprocess_info sub_info = {
@@ -232,6 +240,7 @@ int call_usermodehelper(char *path, char **argv, char **envp, int wait)
232 .path = path, 240 .path = path,
233 .argv = argv, 241 .argv = argv,
234 .envp = envp, 242 .envp = envp,
243 .ring = session_keyring,
235 .wait = wait, 244 .wait = wait,
236 .retval = 0, 245 .retval = 0,
237 }; 246 };
@@ -247,7 +256,7 @@ int call_usermodehelper(char *path, char **argv, char **envp, int wait)
247 wait_for_completion(&done); 256 wait_for_completion(&done);
248 return sub_info.retval; 257 return sub_info.retval;
249} 258}
250EXPORT_SYMBOL(call_usermodehelper); 259EXPORT_SYMBOL(call_usermodehelper_keys);
251 260
252void __init usermodehelper_init(void) 261void __init usermodehelper_init(void)
253{ 262{
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 1f6c0940297f..1919540f047d 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -88,7 +88,7 @@ static int call_request_key(struct key *key,
88 argv[i] = NULL; 88 argv[i] = NULL;
89 89
90 /* do it */ 90 /* do it */
91 return call_usermodehelper(argv[0], argv, envp, 1); 91 return call_usermodehelper_keys(argv[0], argv, envp, NULL, 1);
92 92
93} /* end call_request_key() */ 93} /* end call_request_key() */
94 94