6 files changed, 20 insertions, 3 deletions
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index ca41be5631c7..4870f28403f5 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -22,7 +22,6 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
 config PUBLIC_KEY_ALGO_RSA
        tristate "RSA public-key algorithm"
-        select MPILIB_EXTRA
        select MPILIB
        help
          This option enables support for the RSA algorithm (PKCS#1, RFC3447).
diff --git a/fs/nfs/idmap.c b/fs/nfs/idmap.c
index 59b217a3266d..7dd55b745c4d 100644
--- a/fs/nfs/idmap.c
+++ b/fs/nfs/idmap.c
@@ -284,6 +284,8 @@ static struct key *nfs_idmap_request_key(const char *name, size_t namelen,
                                                desc, "", 0, idmap);
                mutex_unlock(&idmap->idmap_mutex);
        }
+        if (!IS_ERR(rkey))
+                set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
        kfree(desc);
        return rkey;
diff --git a/include/linux/key.h b/include/linux/key.h
index 65316f7ae794..e1d4715f3222 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -171,6 +171,7 @@ struct key {
 #define KEY_FLAG_TRUSTED        8       /* set if key is trusted */
 #define KEY_FLAG_TRUSTED_ONLY   9       /* set if keyring only accepts links to trusted keys */
 #define KEY_FLAG_BUILTIN        10      /* set if key is builtin */
+#define KEY_FLAG_ROOT_CAN_INVAL 11      /* set if key can be invalidated by root without permission */
        /* the key type and key description string
         * - the desc is used to match a key against search criteria
diff --git a/lib/Kconfig b/lib/Kconfig
index 334f7722a999..a8a775730c09 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -451,7 +451,8 @@ config MPILIB
 config SIGNATURE
        tristate
-        depends on KEYS && CRYPTO
+        depends on KEYS
+        select CRYPTO
        select CRYPTO_SHA1
        select MPILIB
        help
diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
index 9acec61f5433..9a32f55cf9b9 100644
--- a/net/dns_resolver/dns_query.c
+++ b/net/dns_resolver/dns_query.c
@@ -129,6 +129,7 @@ int dns_query(const char *type, const char *name, size_t namelen,
        }
        down_read(&rkey->sem);
+        set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
        rkey->perm |= KEY_USR_VIEW;
        ret = key_validate(rkey);
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 8a8c23357291..e26f860e5f2e 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -406,12 +406,25 @@ long keyctl_invalidate_key(key_serial_t id)
        key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
        if (IS_ERR(key_ref)) {
                ret = PTR_ERR(key_ref);
+                /* Root is permitted to invalidate certain special keys */
+                if (capable(CAP_SYS_ADMIN)) {
+                        key_ref = lookup_user_key(id, 0, 0);
+                        if (IS_ERR(key_ref))
+                                goto error;
+                        if (test_bit(KEY_FLAG_ROOT_CAN_INVAL,
+                                     &key_ref_to_ptr(key_ref)->flags))
+                                goto invalidate;
+                        goto error_put;
+                }
                goto error;
        }
+invalidate:
        key_invalidate(key_ref_to_ptr(key_ref));
        ret = 0;
+error_put:
        key_ref_put(key_ref);
 error:
        kleave(" = %ld", ret);

diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index ca41be5631c7..4870f28403f5 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig
@@ -22,7 +22,6 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
22		22
23	config PUBLIC_KEY_ALGO_RSA	23	config PUBLIC_KEY_ALGO_RSA
24	tristate "RSA public-key algorithm"	24	tristate "RSA public-key algorithm"
25	select MPILIB_EXTRA
26	select MPILIB	25	select MPILIB
27	help	26	help
28	This option enables support for the RSA algorithm (PKCS#1, RFC3447).	27	This option enables support for the RSA algorithm (PKCS#1, RFC3447).


diff --git a/fs/nfs/idmap.c b/fs/nfs/idmap.c index 59b217a3266d..7dd55b745c4d 100644 --- a/fs/nfs/idmap.c +++ b/fs/nfs/idmap.c
@@ -284,6 +284,8 @@ static struct key nfs_idmap_request_key(const char name, size_t namelen,
284	desc, "", 0, idmap);	284	desc, "", 0, idmap);
285	mutex_unlock(&idmap->idmap_mutex);	285	mutex_unlock(&idmap->idmap_mutex);
286	}	286	}
		287	if (!IS_ERR(rkey))
		288	set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
287		289
288	kfree(desc);	290	kfree(desc);
289	return rkey;	291	return rkey;


diff --git a/include/linux/key.h b/include/linux/key.h index 65316f7ae794..e1d4715f3222 100644 --- a/include/linux/key.h +++ b/include/linux/key.h
@@ -171,6 +171,7 @@ struct key {
171	#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */	171	#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
172	#define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */	172	#define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */
173	#define KEY_FLAG_BUILTIN 10 /* set if key is builtin */	173	#define KEY_FLAG_BUILTIN 10 /* set if key is builtin */
		174	#define KEY_FLAG_ROOT_CAN_INVAL 11 /* set if key can be invalidated by root without permission */
174		175
175	/* the key type and key description string	176	/* the key type and key description string
176	* - the desc is used to match a key against search criteria	177	* - the desc is used to match a key against search criteria


diff --git a/lib/Kconfig b/lib/Kconfig index 334f7722a999..a8a775730c09 100644 --- a/lib/Kconfig +++ b/lib/Kconfig
@@ -451,7 +451,8 @@ config MPILIB
451		451
452	config SIGNATURE	452	config SIGNATURE
453	tristate	453	tristate
454	depends on KEYS && CRYPTO	454	depends on KEYS
		455	select CRYPTO
455	select CRYPTO_SHA1	456	select CRYPTO_SHA1
456	select MPILIB	457	select MPILIB
457	help	458	help


diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c index 9acec61f5433..9a32f55cf9b9 100644 --- a/net/dns_resolver/dns_query.c +++ b/net/dns_resolver/dns_query.c
@@ -129,6 +129,7 @@ int dns_query(const char type, const char name, size_t namelen,
129	}	129	}
130		130
131	down_read(&rkey->sem);	131	down_read(&rkey->sem);
		132	set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
132	rkey->perm \|= KEY_USR_VIEW;	133	rkey->perm \|= KEY_USR_VIEW;
133		134
134	ret = key_validate(rkey);	135	ret = key_validate(rkey);


diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 8a8c23357291..e26f860e5f2e 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c
@@ -406,12 +406,25 @@ long keyctl_invalidate_key(key_serial_t id)
406	key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);	406	key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
407	if (IS_ERR(key_ref)) {	407	if (IS_ERR(key_ref)) {
408	ret = PTR_ERR(key_ref);	408	ret = PTR_ERR(key_ref);
		409
		410	/* Root is permitted to invalidate certain special keys */
		411	if (capable(CAP_SYS_ADMIN)) {
		412	key_ref = lookup_user_key(id, 0, 0);
		413	if (IS_ERR(key_ref))
		414	goto error;
		415	if (test_bit(KEY_FLAG_ROOT_CAN_INVAL,
		416	&key_ref_to_ptr(key_ref)->flags))
		417	goto invalidate;
		418	goto error_put;
		419	}
		420
409	goto error;	421	goto error;
410	}	422	}
411		423
		424	invalidate:
412	key_invalidate(key_ref_to_ptr(key_ref));	425	key_invalidate(key_ref_to_ptr(key_ref));
413	ret = 0;	426	ret = 0;
414		427	error_put:
415	key_ref_put(key_ref);	428	key_ref_put(key_ref);
416	error:	429	error:
417	kleave(" = %ld", ret);	430	kleave(" = %ld", ret);