aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2015-01-22 17:34:32 -0500
committerDavid Howells <dhowells@redhat.com>2015-01-22 17:34:32 -0500
commitdabd39cc2fb1b0e97313ebbe7309ea8e05b7cfb5 (patch)
tree0b3337728b5b9e607ef2b36d5c30f4267a5a343a
parent961be7ef6963806cb978ccd6acf6bf84b0c63346 (diff)
KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y
Now that /proc/keys is used by libkeyutils to look up a key by type and description, we should make it unconditional and remove CONFIG_DEBUG_PROC_KEYS. Reported-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Jiri Kosina <jkosina@suse.cz>
-rw-r--r--Documentation/security/keys.txt2
-rw-r--r--security/keys/Kconfig18
-rw-r--r--security/keys/proc.c8
3 files changed, 0 insertions, 28 deletions
diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt
index 821c936e1a63..c9e7f4f223a5 100644
--- a/Documentation/security/keys.txt
+++ b/Documentation/security/keys.txt
@@ -323,8 +323,6 @@ about the status of the key service:
323 U Under construction by callback to userspace 323 U Under construction by callback to userspace
324 N Negative key 324 N Negative key
325 325
326 This file must be enabled at kernel configuration time as it allows anyone
327 to list the keys database.
328 326
329 (*) /proc/key-users 327 (*) /proc/key-users
330 328
diff --git a/security/keys/Kconfig b/security/keys/Kconfig
index a4f3f8c48d6e..72483b8f1be5 100644
--- a/security/keys/Kconfig
+++ b/security/keys/Kconfig
@@ -80,21 +80,3 @@ config ENCRYPTED_KEYS
80 Userspace only ever sees/stores encrypted blobs. 80 Userspace only ever sees/stores encrypted blobs.
81 81
82 If you are unsure as to whether this is required, answer N. 82 If you are unsure as to whether this is required, answer N.
83
84config KEYS_DEBUG_PROC_KEYS
85 bool "Enable the /proc/keys file by which keys may be viewed"
86 depends on KEYS
87 help
88 This option turns on support for the /proc/keys file - through which
89 can be listed all the keys on the system that are viewable by the
90 reading process.
91
92 The only keys included in the list are those that grant View
93 permission to the reading process whether or not it possesses them.
94 Note that LSM security checks are still performed, and may further
95 filter out keys that the current process is not authorised to view.
96
97 Only key attributes are listed here; key payloads are not included in
98 the resulting table.
99
100 If you are unsure as to whether this is required, answer N.
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 972eeb336b81..f0611a6368cd 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -18,7 +18,6 @@
18#include <asm/errno.h> 18#include <asm/errno.h>
19#include "internal.h" 19#include "internal.h"
20 20
21#ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
22static int proc_keys_open(struct inode *inode, struct file *file); 21static int proc_keys_open(struct inode *inode, struct file *file);
23static void *proc_keys_start(struct seq_file *p, loff_t *_pos); 22static void *proc_keys_start(struct seq_file *p, loff_t *_pos);
24static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos); 23static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos);
@@ -38,7 +37,6 @@ static const struct file_operations proc_keys_fops = {
38 .llseek = seq_lseek, 37 .llseek = seq_lseek,
39 .release = seq_release, 38 .release = seq_release,
40}; 39};
41#endif
42 40
43static int proc_key_users_open(struct inode *inode, struct file *file); 41static int proc_key_users_open(struct inode *inode, struct file *file);
44static void *proc_key_users_start(struct seq_file *p, loff_t *_pos); 42static void *proc_key_users_start(struct seq_file *p, loff_t *_pos);
@@ -67,11 +65,9 @@ static int __init key_proc_init(void)
67{ 65{
68 struct proc_dir_entry *p; 66 struct proc_dir_entry *p;
69 67
70#ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
71 p = proc_create("keys", 0, NULL, &proc_keys_fops); 68 p = proc_create("keys", 0, NULL, &proc_keys_fops);
72 if (!p) 69 if (!p)
73 panic("Cannot create /proc/keys\n"); 70 panic("Cannot create /proc/keys\n");
74#endif
75 71
76 p = proc_create("key-users", 0, NULL, &proc_key_users_fops); 72 p = proc_create("key-users", 0, NULL, &proc_key_users_fops);
77 if (!p) 73 if (!p)
@@ -86,8 +82,6 @@ __initcall(key_proc_init);
86 * Implement "/proc/keys" to provide a list of the keys on the system that 82 * Implement "/proc/keys" to provide a list of the keys on the system that
87 * grant View permission to the caller. 83 * grant View permission to the caller.
88 */ 84 */
89#ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
90
91static struct rb_node *key_serial_next(struct seq_file *p, struct rb_node *n) 85static struct rb_node *key_serial_next(struct seq_file *p, struct rb_node *n)
92{ 86{
93 struct user_namespace *user_ns = seq_user_ns(p); 87 struct user_namespace *user_ns = seq_user_ns(p);
@@ -275,8 +269,6 @@ static int proc_keys_show(struct seq_file *m, void *v)
275 return 0; 269 return 0;
276} 270}
277 271
278#endif /* CONFIG_KEYS_DEBUG_PROC_KEYS */
279
280static struct rb_node *__key_user_next(struct user_namespace *user_ns, struct rb_node *n) 272static struct rb_node *__key_user_next(struct user_namespace *user_ns, struct rb_node *n)
281{ 273{
282 while (n) { 274 while (n) {