diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/keys/key.c | 6 | ||||
| -rw-r--r-- | security/keys/keyring.c | 9 | ||||
| -rw-r--r-- | security/keys/process_keys.c | 26 | ||||
| -rw-r--r-- | security/keys/request_key.c | 11 |
4 files changed, 33 insertions, 19 deletions
diff --git a/security/keys/key.c b/security/keys/key.c index 50d96d4e06f2..bebeca3a78e4 100644 --- a/security/keys/key.c +++ b/security/keys/key.c | |||
| @@ -826,13 +826,13 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, | |||
| 826 | /* if the client doesn't provide, decide on the permissions we want */ | 826 | /* if the client doesn't provide, decide on the permissions we want */ |
| 827 | if (perm == KEY_PERM_UNDEF) { | 827 | if (perm == KEY_PERM_UNDEF) { |
| 828 | perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; | 828 | perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; |
| 829 | perm |= KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK | KEY_USR_SETATTR; | 829 | perm |= KEY_USR_VIEW; |
| 830 | 830 | ||
| 831 | if (ktype->read) | 831 | if (ktype->read) |
| 832 | perm |= KEY_POS_READ | KEY_USR_READ; | 832 | perm |= KEY_POS_READ; |
| 833 | 833 | ||
| 834 | if (ktype == &key_type_keyring || ktype->update) | 834 | if (ktype == &key_type_keyring || ktype->update) |
| 835 | perm |= KEY_USR_WRITE; | 835 | perm |= KEY_POS_WRITE; |
| 836 | } | 836 | } |
| 837 | 837 | ||
| 838 | /* allocate a new key */ | 838 | /* allocate a new key */ |
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 81e7852d281d..cf704a92083f 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c | |||
| @@ -257,17 +257,14 @@ error: | |||
| 257 | * Allocate a keyring and link into the destination keyring. | 257 | * Allocate a keyring and link into the destination keyring. |
| 258 | */ | 258 | */ |
| 259 | struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, | 259 | struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, |
| 260 | const struct cred *cred, unsigned long flags, | 260 | const struct cred *cred, key_perm_t perm, |
| 261 | struct key *dest) | 261 | unsigned long flags, struct key *dest) |
| 262 | { | 262 | { |
| 263 | struct key *keyring; | 263 | struct key *keyring; |
| 264 | int ret; | 264 | int ret; |
| 265 | 265 | ||
| 266 | keyring = key_alloc(&key_type_keyring, description, | 266 | keyring = key_alloc(&key_type_keyring, description, |
| 267 | uid, gid, cred, | 267 | uid, gid, cred, perm, flags); |
| 268 | (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL, | ||
| 269 | flags); | ||
| 270 | |||
| 271 | if (!IS_ERR(keyring)) { | 268 | if (!IS_ERR(keyring)) { |
| 272 | ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); | 269 | ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); |
| 273 | if (ret < 0) { | 270 | if (ret < 0) { |
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index 9de5dc598276..b58d93892740 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c | |||
| @@ -46,9 +46,11 @@ int install_user_keyrings(void) | |||
| 46 | struct user_struct *user; | 46 | struct user_struct *user; |
| 47 | const struct cred *cred; | 47 | const struct cred *cred; |
| 48 | struct key *uid_keyring, *session_keyring; | 48 | struct key *uid_keyring, *session_keyring; |
| 49 | key_perm_t user_keyring_perm; | ||
| 49 | char buf[20]; | 50 | char buf[20]; |
| 50 | int ret; | 51 | int ret; |
| 51 | 52 | ||
| 53 | user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL; | ||
| 52 | cred = current_cred(); | 54 | cred = current_cred(); |
| 53 | user = cred->user; | 55 | user = cred->user; |
| 54 | 56 | ||
| @@ -72,8 +74,8 @@ int install_user_keyrings(void) | |||
| 72 | uid_keyring = find_keyring_by_name(buf, true); | 74 | uid_keyring = find_keyring_by_name(buf, true); |
| 73 | if (IS_ERR(uid_keyring)) { | 75 | if (IS_ERR(uid_keyring)) { |
| 74 | uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1, | 76 | uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1, |
| 75 | cred, KEY_ALLOC_IN_QUOTA, | 77 | cred, user_keyring_perm, |
| 76 | NULL); | 78 | KEY_ALLOC_IN_QUOTA, NULL); |
| 77 | if (IS_ERR(uid_keyring)) { | 79 | if (IS_ERR(uid_keyring)) { |
| 78 | ret = PTR_ERR(uid_keyring); | 80 | ret = PTR_ERR(uid_keyring); |
| 79 | goto error; | 81 | goto error; |
| @@ -88,7 +90,8 @@ int install_user_keyrings(void) | |||
| 88 | if (IS_ERR(session_keyring)) { | 90 | if (IS_ERR(session_keyring)) { |
| 89 | session_keyring = | 91 | session_keyring = |
| 90 | keyring_alloc(buf, user->uid, (gid_t) -1, | 92 | keyring_alloc(buf, user->uid, (gid_t) -1, |
| 91 | cred, KEY_ALLOC_IN_QUOTA, NULL); | 93 | cred, user_keyring_perm, |
| 94 | KEY_ALLOC_IN_QUOTA, NULL); | ||
| 92 | if (IS_ERR(session_keyring)) { | 95 | if (IS_ERR(session_keyring)) { |
| 93 | ret = PTR_ERR(session_keyring); | 96 | ret = PTR_ERR(session_keyring); |
| 94 | goto error_release; | 97 | goto error_release; |
| @@ -129,6 +132,7 @@ int install_thread_keyring_to_cred(struct cred *new) | |||
| 129 | struct key *keyring; | 132 | struct key *keyring; |
| 130 | 133 | ||
| 131 | keyring = keyring_alloc("_tid", new->uid, new->gid, new, | 134 | keyring = keyring_alloc("_tid", new->uid, new->gid, new, |
| 135 | KEY_POS_ALL | KEY_USR_VIEW, | ||
| 132 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | 136 | KEY_ALLOC_QUOTA_OVERRUN, NULL); |
| 133 | if (IS_ERR(keyring)) | 137 | if (IS_ERR(keyring)) |
| 134 | return PTR_ERR(keyring); | 138 | return PTR_ERR(keyring); |
| @@ -173,8 +177,9 @@ int install_process_keyring_to_cred(struct cred *new) | |||
| 173 | if (new->process_keyring) | 177 | if (new->process_keyring) |
| 174 | return -EEXIST; | 178 | return -EEXIST; |
| 175 | 179 | ||
| 176 | keyring = keyring_alloc("_pid", new->uid, new->gid, | 180 | keyring = keyring_alloc("_pid", new->uid, new->gid, new, |
| 177 | new, KEY_ALLOC_QUOTA_OVERRUN, NULL); | 181 | KEY_POS_ALL | KEY_USR_VIEW, |
| 182 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | ||
| 178 | if (IS_ERR(keyring)) | 183 | if (IS_ERR(keyring)) |
| 179 | return PTR_ERR(keyring); | 184 | return PTR_ERR(keyring); |
| 180 | 185 | ||
| @@ -223,8 +228,9 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) | |||
| 223 | if (cred->session_keyring) | 228 | if (cred->session_keyring) |
| 224 | flags = KEY_ALLOC_IN_QUOTA; | 229 | flags = KEY_ALLOC_IN_QUOTA; |
| 225 | 230 | ||
| 226 | keyring = keyring_alloc("_ses", cred->uid, cred->gid, | 231 | keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred, |
| 227 | cred, flags, NULL); | 232 | KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ, |
| 233 | flags, NULL); | ||
| 228 | if (IS_ERR(keyring)) | 234 | if (IS_ERR(keyring)) |
| 229 | return PTR_ERR(keyring); | 235 | return PTR_ERR(keyring); |
| 230 | } else { | 236 | } else { |
| @@ -773,8 +779,10 @@ long join_session_keyring(const char *name) | |||
| 773 | keyring = find_keyring_by_name(name, false); | 779 | keyring = find_keyring_by_name(name, false); |
| 774 | if (PTR_ERR(keyring) == -ENOKEY) { | 780 | if (PTR_ERR(keyring) == -ENOKEY) { |
| 775 | /* not found - try and create a new one */ | 781 | /* not found - try and create a new one */ |
| 776 | keyring = keyring_alloc(name, old->uid, old->gid, old, | 782 | keyring = keyring_alloc( |
| 777 | KEY_ALLOC_IN_QUOTA, NULL); | 783 | name, old->uid, old->gid, old, |
| 784 | KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK, | ||
| 785 | KEY_ALLOC_IN_QUOTA, NULL); | ||
| 778 | if (IS_ERR(keyring)) { | 786 | if (IS_ERR(keyring)) { |
| 779 | ret = PTR_ERR(keyring); | 787 | ret = PTR_ERR(keyring); |
| 780 | goto error2; | 788 | goto error2; |
diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 275c4f9e4b8c..0ae3a2202771 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c | |||
| @@ -126,6 +126,7 @@ static int call_sbin_request_key(struct key_construction *cons, | |||
| 126 | 126 | ||
| 127 | cred = get_current_cred(); | 127 | cred = get_current_cred(); |
| 128 | keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred, | 128 | keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred, |
| 129 | KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ, | ||
| 129 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | 130 | KEY_ALLOC_QUOTA_OVERRUN, NULL); |
| 130 | put_cred(cred); | 131 | put_cred(cred); |
| 131 | if (IS_ERR(keyring)) { | 132 | if (IS_ERR(keyring)) { |
| @@ -347,6 +348,7 @@ static int construct_alloc_key(struct key_type *type, | |||
| 347 | const struct cred *cred = current_cred(); | 348 | const struct cred *cred = current_cred(); |
| 348 | unsigned long prealloc; | 349 | unsigned long prealloc; |
| 349 | struct key *key; | 350 | struct key *key; |
| 351 | key_perm_t perm; | ||
| 350 | key_ref_t key_ref; | 352 | key_ref_t key_ref; |
| 351 | int ret; | 353 | int ret; |
| 352 | 354 | ||
| @@ -355,8 +357,15 @@ static int construct_alloc_key(struct key_type *type, | |||
| 355 | *_key = NULL; | 357 | *_key = NULL; |
| 356 | mutex_lock(&user->cons_lock); | 358 | mutex_lock(&user->cons_lock); |
| 357 | 359 | ||
| 360 | perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; | ||
| 361 | perm |= KEY_USR_VIEW; | ||
| 362 | if (type->read) | ||
| 363 | perm |= KEY_POS_READ; | ||
| 364 | if (type == &key_type_keyring || type->update) | ||
| 365 | perm |= KEY_POS_WRITE; | ||
| 366 | |||
| 358 | key = key_alloc(type, description, cred->fsuid, cred->fsgid, cred, | 367 | key = key_alloc(type, description, cred->fsuid, cred->fsgid, cred, |
| 359 | KEY_POS_ALL, flags); | 368 | perm, flags); |
| 360 | if (IS_ERR(key)) | 369 | if (IS_ERR(key)) |
| 361 | goto alloc_failed; | 370 | goto alloc_failed; |
| 362 | 371 | ||