KEYS: Allow special keyrings to be cleared

The kernel contains some special internal keyrings, for instance the DNS
resolver keyring :

2a93faf1 I-----     1 perm 1f030000     0     0 keyring   .dns_resolver: empty

It would occasionally be useful to allow the contents of such keyrings to be
flushed by root (cache invalidation).

Allow a flag to be set on a keyring to mark that someone possessing the
sysadmin capability can clear the keyring, even without normal write access to
the keyring.

Set this flag on the special keyrings created by the DNS resolver, the NFS
identity mapper and the CIFS identity mapper.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve Dickson <steved@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

2 files changed, 2 insertions, 0 deletions

diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
index 72ddf23ef6f7..854749d21bb1 100644
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -556,6 +556,7 @@ init_cifs_idmap(void)
 
         /* instruct request_key() to use this special keyring as a cache for
          * the results it looks up */
+        set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
         cred->thread_keyring = keyring;
         cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
         root_cred = cred;
diff --git a/fs/nfs/idmap.c b/fs/nfs/idmap.c
index 2c05f1991e1e..a1bbf7780dfc 100644
--- a/fs/nfs/idmap.c
+++ b/fs/nfs/idmap.c
@@ -198,6 +198,7 @@ int nfs_idmap_init(void)
         if (ret < 0)
                 goto failed_put_key;
 
+        set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
         cred->thread_keyring = keyring;
         cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
         id_resolver_cache = cred;