diff options
| author | David Howells <dhowells@redhat.com> | 2008-04-29 04:01:31 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-04-29 11:06:17 -0400 |
| commit | 69664cf16af4f31cd54d77948a4baf9c7e0ca7b9 (patch) | |
| tree | 3ff4ecae21c140a2beed25cfa9e55b788f9814ac /include | |
| parent | 6b79ccb5144f9ffb4d4596c23e7570238dd12abc (diff) | |
keys: don't generate user and user session keyrings unless they're accessed
Don't generate the per-UID user and user session keyrings unless they're
explicitly accessed. This solves a problem during a login process whereby
set*uid() is called before the SELinux PAM module, resulting in the per-UID
keyrings having the wrong security labels.
This also cures the problem of multiple per-UID keyrings sometimes appearing
due to PAM modules (including pam_keyinit) setuiding and causing user_structs
to come into and go out of existence whilst the session keyring pins the user
keyring. This is achieved by first searching for extant per-UID keyrings
before inventing new ones.
The serial bound argument is also dropped from find_keyring_by_name() as it's
not currently made use of (setting it to 0 disables the feature).
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: <kwc@citi.umich.edu>
Cc: <arunsr@cse.iitk.ac.in>
Cc: <dwalsh@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/key.h | 8 |
1 files changed, 0 insertions, 8 deletions
diff --git a/include/linux/key.h b/include/linux/key.h index 8b0bd3393abc..2effd031a817 100644 --- a/include/linux/key.h +++ b/include/linux/key.h | |||
| @@ -268,9 +268,6 @@ extern struct key *key_lookup(key_serial_t id); | |||
| 268 | /* | 268 | /* |
| 269 | * the userspace interface | 269 | * the userspace interface |
| 270 | */ | 270 | */ |
| 271 | extern struct key root_user_keyring, root_session_keyring; | ||
| 272 | extern int alloc_uid_keyring(struct user_struct *user, | ||
| 273 | struct task_struct *ctx); | ||
| 274 | extern void switch_uid_keyring(struct user_struct *new_user); | 271 | extern void switch_uid_keyring(struct user_struct *new_user); |
| 275 | extern int copy_keys(unsigned long clone_flags, struct task_struct *tsk); | 272 | extern int copy_keys(unsigned long clone_flags, struct task_struct *tsk); |
| 276 | extern int copy_thread_group_keys(struct task_struct *tsk); | 273 | extern int copy_thread_group_keys(struct task_struct *tsk); |
| @@ -299,7 +296,6 @@ extern void key_init(void); | |||
| 299 | #define make_key_ref(k, p) ({ NULL; }) | 296 | #define make_key_ref(k, p) ({ NULL; }) |
| 300 | #define key_ref_to_ptr(k) ({ NULL; }) | 297 | #define key_ref_to_ptr(k) ({ NULL; }) |
| 301 | #define is_key_possessed(k) 0 | 298 | #define is_key_possessed(k) 0 |
| 302 | #define alloc_uid_keyring(u,c) 0 | ||
| 303 | #define switch_uid_keyring(u) do { } while(0) | 299 | #define switch_uid_keyring(u) do { } while(0) |
| 304 | #define __install_session_keyring(t, k) ({ NULL; }) | 300 | #define __install_session_keyring(t, k) ({ NULL; }) |
| 305 | #define copy_keys(f,t) 0 | 301 | #define copy_keys(f,t) 0 |
| @@ -312,10 +308,6 @@ extern void key_init(void); | |||
| 312 | #define key_fsgid_changed(t) do { } while(0) | 308 | #define key_fsgid_changed(t) do { } while(0) |
| 313 | #define key_init() do { } while(0) | 309 | #define key_init() do { } while(0) |
| 314 | 310 | ||
| 315 | /* Initial keyrings */ | ||
| 316 | extern struct key root_user_keyring; | ||
| 317 | extern struct key root_session_keyring; | ||
| 318 | |||
| 319 | #endif /* CONFIG_KEYS */ | 311 | #endif /* CONFIG_KEYS */ |
| 320 | #endif /* __KERNEL__ */ | 312 | #endif /* __KERNEL__ */ |
| 321 | #endif /* _LINUX_KEY_H */ | 313 | #endif /* _LINUX_KEY_H */ |