| author | Serge E. Hallyn <serue@us.ibm.com> | 2009-02-26 19:28:04 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2009-02-26 20:35:15 -0500 |
| commit | 454804ab0302b354e35d992d08e53fe03313baaf (patch) | |
| tree | e01a4928e19ac2e8318bc88d0b79970cccc60665 /security | |
| parent | 2ea190d0a006ce5218baa6e798512652446a605a (diff) | |
keys: make procfiles per-user-namespace
Restrict the /proc/keys and /proc/key-users output to keys
belonging to the same user namespace as the reading task.
We may want to make this more complicated - so that any
keys in a user-namespace which belongs to the reading
task are also shown. But let's see if anyone wants that
first.
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/keys/proc.c | 55 |
1 files changed, 49 insertions, 6 deletions
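--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -91,6 +91,28 @@ __initcall(key_proc_init);
  */
 #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
 
+static struct rb_node *__key_serial_next(struct rb_node *n)
+{
+	while (n) {
+		struct key *key = rb_entry(n, struct key, serial_node);
+		if (key->user->user_ns == current_user_ns())
+			break;
+		n = rb_next(n);
+	}
+	return n;
+}
+
+static struct rb_node *key_serial_next(struct rb_node *n)
+{
+	return __key_serial_next(rb_next(n));
+}
+
+static struct rb_node *key_serial_first(struct rb_root *r)
+{
+	struct rb_node *n = rb_first(r);
+	return __key_serial_next(n);
+}
+
 static int proc_keys_open(struct inode *inode, struct file *file)
 {
 	return seq_open(file, &proc_keys_ops);
@@ -104,10 +126,10 @@ static void *proc_keys_start(struct seq_file *p, loff_t *_pos)
 
 	spin_lock(&key_serial_lock);
 
-	_p = rb_first(&key_serial_tree);
+	_p = key_serial_first(&key_serial_tree);
 	while (pos > 0 && _p) {
 		pos--;
-		_p = rb_next(_p);
+		_p = key_serial_next(_p);
 	}
 
 	return _p;
@@ -117,7 +139,7 @@ static void *proc_keys_start(struct seq_file *p, loff_t *_pos)
 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos)
 {
 	(*_pos)++;
-	return rb_next((struct rb_node *) v);
+	return key_serial_next((struct rb_node *) v);
 
 }
 
@@ -203,6 +225,27 @@ static int proc_keys_show(struct seq_file *m, void *v)
 
 #endif /* CONFIG_KEYS_DEBUG_PROC_KEYS */
 
+static struct rb_node *__key_user_next(struct rb_node *n)
+{
+	while (n) {
+		struct key_user *user = rb_entry(n, struct key_user, node);
+		if (user->user_ns == current_user_ns())
+			break;
+		n = rb_next(n);
+	}
+	return n;
+}
+
+static struct rb_node *key_user_next(struct rb_node *n)
+{
+	return __key_user_next(rb_next(n));
+}
+
+static struct rb_node *key_user_first(struct rb_root *r)
+{
+	struct rb_node *n = rb_first(r);
+	return __key_user_next(n);
+}
 /*****************************************************************************/
 /*
  * implement "/proc/key-users" to provides a list of the key users
@@ -220,10 +263,10 @@ static void *proc_key_users_start(struct seq_file *p, loff_t *_pos)
 
 	spin_lock(&key_user_lock);
 
-	_p = rb_first(&key_user_tree);
+	_p = key_user_first(&key_user_tree);
 	while (pos > 0 && _p) {
 		pos--;
-		_p = rb_next(_p);
+		_p = key_user_next(_p);
 	}
 
 	return _p;
@@ -233,7 +276,7 @@ static void *proc_key_users_start(struct seq_file *p, loff_t *_pos)
 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos)
 {
 	(*_pos)++;
-	return key_user_next((struct rb_node *) v);
 
 }
 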
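Review bot: The new filter helpers `__key_serial_next`, `key_serial_next` and `key_serial_first` in the first hunk (new lines 94-114) carry no comment stating the access-scoping rule they implement, and the same applies to the `__key_user_next` family added in the fourth hunk (new lines 228-248). I would put above `__key_serial_next`: `/* Advance from n to the first key whose owning user belongs to the reading task's user namespace, so /proc/keys only lists keys of that namespace. */` and the matching wording above `__key_user_next`. As a point of style, `current_user_ns()` is re-evaluated on every loop iteration in both `__*_next` helpers; reading it once into `struct user_namespace *ns = current_user_ns();` before the `while` and comparing against `ns` would make the invariant clearer. The callers in `proc_keys_start` and `proc_key_users_start` take `key_serial_lock` / `key_user_lock` before calling the `*_first` helper, which presumably is what keeps `key->user` stable during the walk — worth stating in the helper comment once confirmed, since `proc_keys_next` and `proc_key_users_next` call the same helpers and their locking is not visible in these hunks.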
