1 files changed, 4 insertions, 5 deletions
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index d42d2158ce13..566b1cc0118a 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -39,7 +39,7 @@ struct key root_user_keyring = {
        .type           = &key_type_keyring,
        .user           = &root_key_user,
        .sem            = __RWSEM_INITIALIZER(root_user_keyring.sem),
-        .perm           = KEY_POS_ALL | KEY_USR_ALL,
+        .perm           = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,
        .flags          = 1 << KEY_FLAG_INSTANTIATED,
        .description    = "_uid.0",
 #ifdef KEY_DEBUGGING
@@ -54,7 +54,7 @@ struct key root_session_keyring = {
        .type           = &key_type_keyring,
        .user           = &root_key_user,
        .sem            = __RWSEM_INITIALIZER(root_session_keyring.sem),
-        .perm           = KEY_POS_ALL | KEY_USR_ALL,
+        .perm           = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,
        .flags          = 1 << KEY_FLAG_INSTANTIATED,
        .description    = "_uid_ses.0",
 #ifdef KEY_DEBUGGING
@@ -666,9 +666,8 @@ key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
                goto invalid_key;
        /* check the permissions */
-        ret = -EACCES;
+        ret = key_task_permission(key_ref, context, perm);
+        if (ret < 0)
-        if (!key_task_permission(key_ref, context, perm))
                goto invalid_key;
 error:

diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index d42d2158ce13..566b1cc0118a 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c
@@ -39,7 +39,7 @@ struct key root_user_keyring = {
39	.type = &key_type_keyring,	39	.type = &key_type_keyring,
40	.user = &root_key_user,	40	.user = &root_key_user,
41	.sem = __RWSEM_INITIALIZER(root_user_keyring.sem),	41	.sem = __RWSEM_INITIALIZER(root_user_keyring.sem),
42	.perm = KEY_POS_ALL \| KEY_USR_ALL,	42	.perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) \| KEY_USR_ALL,
43	.flags = 1 << KEY_FLAG_INSTANTIATED,	43	.flags = 1 << KEY_FLAG_INSTANTIATED,
44	.description = "_uid.0",	44	.description = "_uid.0",
45	#ifdef KEY_DEBUGGING	45	#ifdef KEY_DEBUGGING
@@ -54,7 +54,7 @@ struct key root_session_keyring = {
54	.type = &key_type_keyring,	54	.type = &key_type_keyring,
55	.user = &root_key_user,	55	.user = &root_key_user,
56	.sem = __RWSEM_INITIALIZER(root_session_keyring.sem),	56	.sem = __RWSEM_INITIALIZER(root_session_keyring.sem),
57	.perm = KEY_POS_ALL \| KEY_USR_ALL,	57	.perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) \| KEY_USR_ALL,
58	.flags = 1 << KEY_FLAG_INSTANTIATED,	58	.flags = 1 << KEY_FLAG_INSTANTIATED,
59	.description = "_uid_ses.0",	59	.description = "_uid_ses.0",
60	#ifdef KEY_DEBUGGING	60	#ifdef KEY_DEBUGGING
@@ -666,9 +666,8 @@ key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
666	goto invalid_key;	666	goto invalid_key;
667		667
668	/* check the permissions */	668	/* check the permissions */
669	ret = -EACCES;	669	ret = key_task_permission(key_ref, context, perm);
670		670	if (ret < 0)
671	if (!key_task_permission(key_ref, context, perm))
672	goto invalid_key;	671	goto invalid_key;
673		672
674	error:	673	error: