author | Eric W. Biederman <ebiederm@xmission.com> | 2012-02-08 10:53:04 -0500 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-09-13 21:28:02 -0400 |
commit | 9a56c2db49e7349c7963f0ce66c1ef578d44ebd3 (patch) | |
tree | de29b56483bb00efabca3ba35c7001cab2aab7be /security/keys/permission.c | |
parent | 5fce5e0bbd44263c36f58ad1113b599d06ed1978 (diff) |
userns: Convert security/keys to the new userns infrastructure
- Replace key_user ->user_ns equality checks with kuid_has_mapping checks.
- Use from_kuid to generate key descriptions
- Use kuid_t and kgid_t and the associated helpers instead of uid_t and gid_t
- Avoid potential problems with file descriptor passing by displaying
keys in the user namespace of the opener of key status proc files.
Cc: linux-security-module@vger.kernel.org
Cc: keyrings@linux-nfs.org
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'security/keys/permission.c')
-rw-r--r-- | security/keys/permission.c | 14 |
1 files changed, 4 insertions, 10 deletions
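--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -36,33 +36,27 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
 
 key = key_ref_to_ptr(key_ref);
 
-if (key->user->user_ns != cred->user_ns)
-goto use_other_perms;
-
 /* use the second 8-bits of permissions for keys the caller owns */
-if (key->uid == cred->fsuid) {
+if (uid_eq(key->uid, cred->fsuid)) {
 kperm = key->perm >> 16;
 goto use_these_perms;
 }
 
 /* use the third 8-bits of permissions for keys the caller has a group
 * membership in common with */
-if (key->gid != -1 && key->perm & KEY_GRP_ALL) {
-if (key->gid == cred->fsgid) {
+if (gid_valid(key->gid) && key->perm & KEY_GRP_ALL) {
+if (gid_eq(key->gid, cred->fsgid)) {
 kperm = key->perm >> 8;
 goto use_these_perms;
 }
 
-ret = groups_search(cred->group_info,
-make_kgid(current_user_ns(), key->gid));
+ret = groups_search(cred->group_info, key->gid);
 if (ret) {
 kperm = key->perm >> 8;
 goto use_these_perms;
 }
 }
 
-use_other_perms:
-
 /* otherwise use the least-significant 8-bits */
 kperm = key->perm;
 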
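Review bot: The owner and group checks in key_task_permission() no longer say why the explicit `key->user->user_ns != cred->user_ns` guard could be dropped, so a later reader may take `uid_eq(key->uid, cred->fsuid)` for a namespace-blind numeric match. The isolation between user namespaces now rests entirely on key->uid and key->gid holding kernel-global kuid_t/kgid_t values, which presumably are set where the key is allocated; that code is outside this hunk and should be confirmed. I would record this above the owner test, for example `/* kuid_t/kgid_t are kernel-global, so uid_eq()/gid_eq() cannot match an equal numeric id from another user namespace */`. As a style point on the rewritten group test, `gid_valid(key->gid) && (key->perm & KEY_GRP_ALL)` with explicit parentheses reads less ambiguously than relying on `&` binding tighter than `&&`. The function starts before and continues after the lines shown here.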