author | David Howells <dhowells@redhat.com> | 2011-08-22 09:08:43 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-08-22 19:57:34 -0400 |
commit | 3ecf1b4f347210e39b156177e5b8a26ff8d00279 (patch) | |
tree | ba3cf0155e5dd29c4963e6a8895d7262e0ef13d5 /security | |
parent | 995995378f996a8aa1cf4e4ddc0f79fbfd45496f (diff) |
KEYS: keyctl_get_keyring_ID() should create a session keyring if create flag set
The keyctl call:
keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1)
should create a session keyring if the process doesn't have one of its own
because the create flag argument is set - rather than subscribing to and
returning the user-session keyring as:
keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)
will do.
This can be tested by commenting out pam_keyinit in the /etc/pam.d files and
running the following program a couple of times in a row:
#include <stdio.h>
#include <stdlib.h>
#include <keyutils.h>
int main(int argc, char *argv[])
{
key_serial_t uk, usk, sk, nsk;
uk = keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);
usk = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
sk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
nsk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1);
printf("keys: %08x %08x %08x %08x\n", uk, usk, sk, nsk);
return 0;
}
Without this patch, I see:
keys: 3975ddc7 119c0c66 119c0c66 119c0c66
keys: 3975ddc7 119c0c66 119c0c66 119c0c66
With this patch, I see:
keys: 2cb4997b 34112878 34112878 17db2ce3
keys: 2cb4997b 34112878 34112878 39f3c73e
As can be seen, the session keyring starts off the same as the user-session
keyring each time, but with the patch a new session keyring is created when
the create flag is set.
Reported-by: Greg Wettstein <greg@enjellic.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Greg Wettstein <greg@enjellic.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/keys/process_keys.c | 14 |
1 files changed, 12 insertions, 2 deletions
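--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -589,12 +589,22 @@ try_again:
 ret = install_user_keyrings();
 if (ret < 0)
 goto error;
-ret = install_session_keyring(
-cred->user->session_keyring);
+if (lflags & KEY_LOOKUP_CREATE)
+ret = join_session_keyring(NULL);
+else
+ret = install_session_keyring(
+cred->user->session_keyring);
 
 if (ret < 0)
 goto error;
 goto reget_creds;
+} else if (cred->tgcred->session_keyring ==
+cred->user->session_keyring &&
+lflags & KEY_LOOKUP_CREATE) {
+ret = join_session_keyring(NULL);
+if (ret < 0)
+goto error;
+goto reget_creds;
 }
 
 rcu_read_lock();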
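Review bot: The new `else if` condition at new lines 601-603 mixes `==`, `&` and `&&` with no parentheses around the flag test; it parses as intended (`==` binds tighter than `&`, which binds tighter than `&&`), but a bare bitwise mask inside a logical conjunction is the classic precedence trap and should read `(lflags & KEY_LOOKUP_CREATE)) {` so the next reader does not have to re-derive that. The second branch also deserves a comment, since the reason it exists is only stated in the commit message: `/* Being subscribed to the shared user-session keyring does not count as having a session keyring of our own; CREATE means make a fresh one. */`. Note that the two CREATE paths (new lines 593 and 604, each followed by the same error check and `goto reget_creds`) are now duplicated and could be folded into one fall-through test if this block is touched again. The enclosing function (the `try_again:` label in the hunk header) begins and ends outside the hunk, so whether `reget_creds` re-reads the credentials after `join_session_keyring()` commits the new cred cannot be confirmed from here.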