aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2010-06-11 12:31:05 -0400
committerJames Morris <jmorris@namei.org>2010-08-02 01:34:27 -0400
commit9156235b3427d6f01c5c95022f72f381f07583f5 (patch)
tree16df30be93847e73a3b188b98f9ef2e034d82a90
parent57c2590fb7fd38bd52708ff2716a577d0c2b3c5a (diff)
KEYS: Authorise keyctl_set_timeout() on a key if we have its authorisation key
Authorise a process to perform keyctl_set_timeout() on an uninstantiated key if that process has the authorisation key for it. This allows the instantiator to set the timeout on a key it is instantiating - provided it does it before instantiating the key. For instance, the test upcall script provided with the keyutils package could be modified to set the expiry to an hour hence before instantiating the key: [/usr/share/keyutils/request-key-debug.sh] if [ "$3" != "neg" ] then + keyctl timeout $1 3600 keyctl instantiate $1 "Debug $3" $4 || exit 1 else Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/keys/keyctl.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 6261745e4459..639226afd0db 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1091,7 +1091,7 @@ error:
1091long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1091long keyctl_set_timeout(key_serial_t id, unsigned timeout)
1092{ 1092{
1093 struct timespec now; 1093 struct timespec now;
1094 struct key *key; 1094 struct key *key, *instkey;
1095 key_ref_t key_ref; 1095 key_ref_t key_ref;
1096 time_t expiry; 1096 time_t expiry;
1097 long ret; 1097 long ret;
@@ -1099,10 +1099,25 @@ long keyctl_set_timeout(key_serial_t id, unsigned timeout)
1099 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1099 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
1100 KEY_SETATTR); 1100 KEY_SETATTR);
1101 if (IS_ERR(key_ref)) { 1101 if (IS_ERR(key_ref)) {
1102 /* setting the timeout on a key under construction is permitted
1103 * if we have the authorisation token handy */
1104 if (PTR_ERR(key_ref) == -EACCES) {
1105 instkey = key_get_instantiation_authkey(id);
1106 if (!IS_ERR(instkey)) {
1107 key_put(instkey);
1108 key_ref = lookup_user_key(id,
1109 KEY_LOOKUP_PARTIAL,
1110 0);
1111 if (!IS_ERR(key_ref))
1112 goto okay;
1113 }
1114 }
1115
1102 ret = PTR_ERR(key_ref); 1116 ret = PTR_ERR(key_ref);
1103 goto error; 1117 goto error;
1104 } 1118 }
1105 1119
1120okay:
1106 key = key_ref_to_ptr(key_ref); 1121 key = key_ref_to_ptr(key_ref);
1107 1122
1108 /* make the changes with the locks held to prevent races */ 1123 /* make the changes with the locks held to prevent races */