KEYS: Skip key state checks when checking for possession

Skip key state checks (invalidation, revocation and expiration) when checking for possession. Without this, keys that have been marked invalid, revoked keys and expired keys are not given a possession attribute - which means the possessor is not granted any possession permits and cannot do anything with them unless they also have one a user, group or other permit. This causes failures in the keyutils test suite's revocation and expiration tests now that commit 96b5c8fea6c0861621051290d705ec2e971963f1 reduced the initial permissions granted to a key. The failures are due to accesses to revoked and expired keys being given EACCES instead of EKEYREVOKED or EKEYEXPIRED. Signed-off-by: David Howells <dhowells@redhat.com>
author: David Howells <dhowells@redhat.com> 2013-09-24 05:35:13 -0400
committer: David Howells <dhowells@redhat.com> 2013-09-24 05:35:13 -0400
commit: 61ea0c0ba904a55f55317d850c1072ff7835ac92 (patch)
tree: 259f6872bc88d1cb4e94e405d5273c6dbc678175 /security
parent: 5a5f2acfd04269e2e0958067216b68ff461c285c (diff)
4 files changed, 11 insertions, 6 deletions
diff --git a/security/keys/internal.h b/security/keys/internal.h
index d4f1468b9b50..df971feceaf2 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -124,6 +124,7 @@ extern key_ref_t search_my_process_keyrings(struct key_type *type,
 extern key_ref_t search_process_keyrings(struct key_type *type,
                                         const void *description,
                                         key_match_func_t match,
+                                         bool no_state_check,
                                         const struct cred *cred);
 extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 42defae1e161..a3410d605849 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -440,6 +440,7 @@ found:
 key_ref_t search_process_keyrings(struct key_type *type,
                                  const void *description,
                                  key_match_func_t match,
+                                  bool no_state_check,
                                  const struct cred *cred)
 {
        struct request_key_auth *rka;
@@ -448,7 +449,7 @@ key_ref_t search_process_keyrings(struct key_type *type,
        might_sleep();
        key_ref = search_my_process_keyrings(type, description, match,
-                                             false, cred);
+                                             no_state_check, cred);
        if (!IS_ERR(key_ref))
                goto found;
        err = key_ref;
@@ -468,7 +469,8 @@ key_ref_t search_process_keyrings(struct key_type *type,
                        rka = cred->request_key_auth->payload.data;
                        key_ref = search_process_keyrings(type, description,
-                                                          match, rka->cred);
+                                                          match, no_state_check,
+                                                          rka->cred);
                        up_read(&cred->request_key_auth->sem);
@@ -675,7 +677,7 @@ try_again:
                /* check to see if we possess the key */
                skey_ref = search_process_keyrings(key->type, key,
                                                   lookup_user_key_possessed,
-                                                   cred);
+                                                   true, cred);
                if (!IS_ERR(skey_ref)) {
                        key_put(key);
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index c411f9bb156b..172115b38054 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -390,7 +390,8 @@ static int construct_alloc_key(struct key_type *type,
         * waited for locks */
        mutex_lock(&key_construction_mutex);
-        key_ref = search_process_keyrings(type, description, type->match, cred);
+        key_ref = search_process_keyrings(type, description, type->match,
+                                          false, cred);
        if (!IS_ERR(key_ref))
                goto key_already_present;
@@ -539,7 +540,8 @@ struct key *request_key_and_link(struct key_type *type,
               dest_keyring, flags);
        /* search all the process keyrings for a key */
-        key_ref = search_process_keyrings(type, description, type->match, cred);
+        key_ref = search_process_keyrings(type, description, type->match,
+                                          false, cred);
        if (!IS_ERR(key_ref)) {
                key = key_ref_to_ptr(key_ref);
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 85730d5a5a59..92077de555df 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -247,7 +247,7 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id)
                &key_type_request_key_auth,
                (void *) (unsigned long) target_id,
                key_get_instantiation_authkey_match,
-                cred);
+                false, cred);
        if (IS_ERR(authkey_ref)) {
                authkey = ERR_CAST(authkey_ref);
author	David Howells <dhowells@redhat.com>	2013-09-24 05:35:13 -0400
committer	David Howells <dhowells@redhat.com>	2013-09-24 05:35:13 -0400
commit	61ea0c0ba904a55f55317d850c1072ff7835ac92 (patch)
tree	259f6872bc88d1cb4e94e405d5273c6dbc678175 /security
parent	5a5f2acfd04269e2e0958067216b68ff461c285c (diff)