authorDavid Howells <dhowells@redhat.com>2011-08-22 09:08:43 -0400
committerJames Morris <jmorris@namei.org>2011-08-22 19:57:34 -0400
commit3ecf1b4f347210e39b156177e5b8a26ff8d00279 (patch)
treeba3cf0155e5dd29c4963e6a8895d7262e0ef13d5 /security
parent995995378f996a8aa1cf4e4ddc0f79fbfd45496f (diff)
KEYS: keyctl_get_keyring_ID() should create a session keyring if create flag set
The keyctl call: keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1) should create a session keyring if the process doesn't have one of its own because the create flag argument is set - rather than subscribing to and returning the user-session keyring as: keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0) will do. This can be tested by commenting out pam_keyinit in the /etc/pam.d files and running the following program a couple of times in a row: #include <stdio.h> #include <stdlib.h> #include <keyutils.h> int main(int argc, char *argv[]) { key_serial_t uk, usk, sk, nsk; uk = keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0); usk = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0); sk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0); nsk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1); printf("keys: %08x %08x %08x %08x\n", uk, usk, sk, nsk); return 0; } Without this patch, I see: keys: 3975ddc7 119c0c66 119c0c66 119c0c66 keys: 3975ddc7 119c0c66 119c0c66 119c0c66 With this patch, I see: keys: 2cb4997b 34112878 34112878 17db2ce3 keys: 2cb4997b 34112878 34112878 39f3c73e As can be seen, the session keyring starts off the same as the user-session keyring each time, but with the patch a new session keyring is created when the create flag is set. Reported-by: Greg Wettstein <greg@enjellic.com> Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Greg Wettstein <greg@enjellic.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/keys/process_keys.c14
1 files changed, 12 insertions, 2 deletions
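--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -589,12 +589,22 @@ try_again:
 ret = install_user_keyrings();
 if (ret < 0)
 goto error;
-ret = install_session_keyring(
-cred->user->session_keyring);
+if (lflags & KEY_LOOKUP_CREATE)
+ret = join_session_keyring(NULL);
+else
+ret = install_session_keyring(
+cred->user->session_keyring);
 
 if (ret < 0)
 goto error;
 goto reget_creds;
+} else if (cred->tgcred->session_keyring ==
+cred->user->session_keyring &&
+lflags & KEY_LOOKUP_CREATE) {
+ret = join_session_keyring(NULL);
+if (ret < 0)
+goto error;
+goto reget_creds;
 }
 
 rcu_read_lock();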
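Review bot: The new `else if` arm tests `cred->tgcred->session_keyring == cred->user->session_keyring` with a plain read, ahead of the `rcu_read_lock()` on the last line of the hunk, so the comparison is only a snapshot. If another thread sharing the thread-group credentials can change the session keyring in between (not visible here), `join_session_keyring(NULL)` would presumably replace whatever keyring is current by then. That looks harmless, but the arm deserves a comment such as `/* still on the user-session keyring and the caller asked to create: switch to a fresh session keyring (unlocked test, advisory only) */`. I would also write the flag test as `(lflags & KEY_LOOKUP_CREATE)` inside the `&&` chain so the reader does not have to work out the precedence. The enclosing function and the `try_again:` label start outside the hunk.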