aboutsummaryrefslogtreecommitdiffstats
path: root/security/keys/process_keys.c
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2012-02-08 10:53:04 -0500
committerEric W. Biederman <ebiederm@xmission.com>2012-09-13 21:28:02 -0400
commit9a56c2db49e7349c7963f0ce66c1ef578d44ebd3 (patch)
treede29b56483bb00efabca3ba35c7001cab2aab7be /security/keys/process_keys.c
parent5fce5e0bbd44263c36f58ad1113b599d06ed1978 (diff)
userns: Convert security/keys to the new userns infrastructure
- Replace key_user ->user_ns equality checks with kuid_has_mapping checks. - Use from_kuid to generate key descriptions - Use kuid_t and kgid_t and the associated helpers instead of uid_t and gid_t - Avoid potential problems with file descriptor passing by displaying keys in the user namespace of the opener of key status proc files. Cc: linux-security-module@vger.kernel.org Cc: keyrings@linux-nfs.org Cc: David Howells <dhowells@redhat.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'security/keys/process_keys.c')
-rw-r--r--security/keys/process_keys.c15
1 files changed, 8 insertions, 7 deletions
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 54339cfd6734..a58f712605d8 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -34,8 +34,7 @@ struct key_user root_key_user = {
34 .lock = __SPIN_LOCK_UNLOCKED(root_key_user.lock), 34 .lock = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
35 .nkeys = ATOMIC_INIT(2), 35 .nkeys = ATOMIC_INIT(2),
36 .nikeys = ATOMIC_INIT(2), 36 .nikeys = ATOMIC_INIT(2),
37 .uid = 0, 37 .uid = GLOBAL_ROOT_UID,
38 .user_ns = &init_user_ns,
39}; 38};
40 39
41/* 40/*
@@ -48,11 +47,13 @@ int install_user_keyrings(void)
48 struct key *uid_keyring, *session_keyring; 47 struct key *uid_keyring, *session_keyring;
49 char buf[20]; 48 char buf[20];
50 int ret; 49 int ret;
50 uid_t uid;
51 51
52 cred = current_cred(); 52 cred = current_cred();
53 user = cred->user; 53 user = cred->user;
54 uid = from_kuid(cred->user_ns, user->uid);
54 55
55 kenter("%p{%u}", user, user->uid); 56 kenter("%p{%u}", user, uid);
56 57
57 if (user->uid_keyring) { 58 if (user->uid_keyring) {
58 kleave(" = 0 [exist]"); 59 kleave(" = 0 [exist]");
@@ -67,11 +68,11 @@ int install_user_keyrings(void)
67 * - there may be one in existence already as it may have been 68 * - there may be one in existence already as it may have been
68 * pinned by a session, but the user_struct pointing to it 69 * pinned by a session, but the user_struct pointing to it
69 * may have been destroyed by setuid */ 70 * may have been destroyed by setuid */
70 sprintf(buf, "_uid.%u", user->uid); 71 sprintf(buf, "_uid.%u", uid);
71 72
72 uid_keyring = find_keyring_by_name(buf, true); 73 uid_keyring = find_keyring_by_name(buf, true);
73 if (IS_ERR(uid_keyring)) { 74 if (IS_ERR(uid_keyring)) {
74 uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1, 75 uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
75 cred, KEY_ALLOC_IN_QUOTA, 76 cred, KEY_ALLOC_IN_QUOTA,
76 NULL); 77 NULL);
77 if (IS_ERR(uid_keyring)) { 78 if (IS_ERR(uid_keyring)) {
@@ -82,12 +83,12 @@ int install_user_keyrings(void)
82 83
83 /* get a default session keyring (which might also exist 84 /* get a default session keyring (which might also exist
84 * already) */ 85 * already) */
85 sprintf(buf, "_uid_ses.%u", user->uid); 86 sprintf(buf, "_uid_ses.%u", uid);
86 87
87 session_keyring = find_keyring_by_name(buf, true); 88 session_keyring = find_keyring_by_name(buf, true);
88 if (IS_ERR(session_keyring)) { 89 if (IS_ERR(session_keyring)) {
89 session_keyring = 90 session_keyring =
90 keyring_alloc(buf, user->uid, (gid_t) -1, 91 keyring_alloc(buf, user->uid, INVALID_GID,
91 cred, KEY_ALLOC_IN_QUOTA, NULL); 92 cred, KEY_ALLOC_IN_QUOTA, NULL);
92 if (IS_ERR(session_keyring)) { 93 if (IS_ERR(session_keyring)) {
93 ret = PTR_ERR(session_keyring); 94 ret = PTR_ERR(session_keyring);