KEYS: Allow special keyrings to be cleared

The kernel contains some special internal keyrings, for instance the DNS
resolver keyring :

2a93faf1 I-----     1 perm 1f030000     0     0 keyring   .dns_resolver: empty

It would occasionally be useful to allow the contents of such keyrings to be
flushed by root (cache invalidation).

Allow a flag to be set on a keyring to mark that someone possessing the
sysadmin capability can clear the keyring, even without normal write access to
the keyring.

Set this flag on the special keyrings created by the DNS resolver, the NFS
identity mapper and the CIFS identity mapper.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve Dickson <steved@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 14 insertions, 1 deletions

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 0b3f5d72af1c..6523599e9ac0 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -388,11 +388,24 @@ long keyctl_keyring_clear(key_serial_t ringid)
         keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
         if (IS_ERR(keyring_ref)) {
                 ret = PTR_ERR(keyring_ref);
+
+                /* Root is permitted to invalidate certain special keyrings */
+                if (capable(CAP_SYS_ADMIN)) {
+                        keyring_ref = lookup_user_key(ringid, 0, 0);
+                        if (IS_ERR(keyring_ref))
+                                goto error;
+                        if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,
+                                     &key_ref_to_ptr(keyring_ref)->flags))
+                                goto clear;
+                        goto error_put;
+                }
+
                 goto error;
         }
 
+clear:
         ret = keyring_clear(key_ref_to_ptr(keyring_ref));
-
+error_put:
         key_ref_put(keyring_ref);
 error:
         return ret;