diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/keys/internal.h | 1 | ||||
-rw-r--r-- | security/keys/key.c | 3 | ||||
-rw-r--r-- | security/keys/keyctl.c | 2 | ||||
-rw-r--r-- | security/keys/request_key.c | 44 | ||||
-rw-r--r-- | security/selinux/hooks.c | 6 |
5 files changed, 42 insertions, 14 deletions
diff --git a/security/keys/internal.h b/security/keys/internal.h index 3c2877f0663e..1bb416f4bbce 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h | |||
@@ -99,6 +99,7 @@ extern int install_process_keyring(struct task_struct *tsk); | |||
99 | extern struct key *request_key_and_link(struct key_type *type, | 99 | extern struct key *request_key_and_link(struct key_type *type, |
100 | const char *description, | 100 | const char *description, |
101 | const char *callout_info, | 101 | const char *callout_info, |
102 | void *aux, | ||
102 | struct key *dest_keyring, | 103 | struct key *dest_keyring, |
103 | unsigned long flags); | 104 | unsigned long flags); |
104 | 105 | ||
diff --git a/security/keys/key.c b/security/keys/key.c index 43295ca37b5d..80de8c3e9cc3 100644 --- a/security/keys/key.c +++ b/security/keys/key.c | |||
@@ -11,6 +11,7 @@ | |||
11 | 11 | ||
12 | #include <linux/module.h> | 12 | #include <linux/module.h> |
13 | #include <linux/init.h> | 13 | #include <linux/init.h> |
14 | #include <linux/poison.h> | ||
14 | #include <linux/sched.h> | 15 | #include <linux/sched.h> |
15 | #include <linux/slab.h> | 16 | #include <linux/slab.h> |
16 | #include <linux/security.h> | 17 | #include <linux/security.h> |
@@ -988,7 +989,7 @@ void unregister_key_type(struct key_type *ktype) | |||
988 | if (key->type == ktype) { | 989 | if (key->type == ktype) { |
989 | if (ktype->destroy) | 990 | if (ktype->destroy) |
990 | ktype->destroy(key); | 991 | ktype->destroy(key); |
991 | memset(&key->payload, 0xbd, sizeof(key->payload)); | 992 | memset(&key->payload, KEY_DESTROY, sizeof(key->payload)); |
992 | } | 993 | } |
993 | } | 994 | } |
994 | 995 | ||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 329411cf8768..d9ca15c109cc 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
@@ -183,7 +183,7 @@ asmlinkage long sys_request_key(const char __user *_type, | |||
183 | } | 183 | } |
184 | 184 | ||
185 | /* do the search */ | 185 | /* do the search */ |
186 | key = request_key_and_link(ktype, description, callout_info, | 186 | key = request_key_and_link(ktype, description, callout_info, NULL, |
187 | key_ref_to_ptr(dest_ref), | 187 | key_ref_to_ptr(dest_ref), |
188 | KEY_ALLOC_IN_QUOTA); | 188 | KEY_ALLOC_IN_QUOTA); |
189 | if (IS_ERR(key)) { | 189 | if (IS_ERR(key)) { |
diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 58d1efd4fc2c..f573ac189a0a 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c | |||
@@ -1,6 +1,6 @@ | |||
1 | /* request_key.c: request a key from userspace | 1 | /* request_key.c: request a key from userspace |
2 | * | 2 | * |
3 | * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. | 3 | * Copyright (C) 2004-6 Red Hat, Inc. All Rights Reserved. |
4 | * Written by David Howells (dhowells@redhat.com) | 4 | * Written by David Howells (dhowells@redhat.com) |
5 | * | 5 | * |
6 | * This program is free software; you can redistribute it and/or | 6 | * This program is free software; you can redistribute it and/or |
@@ -33,7 +33,8 @@ DECLARE_WAIT_QUEUE_HEAD(request_key_conswq); | |||
33 | */ | 33 | */ |
34 | static int call_sbin_request_key(struct key *key, | 34 | static int call_sbin_request_key(struct key *key, |
35 | struct key *authkey, | 35 | struct key *authkey, |
36 | const char *op) | 36 | const char *op, |
37 | void *aux) | ||
37 | { | 38 | { |
38 | struct task_struct *tsk = current; | 39 | struct task_struct *tsk = current; |
39 | key_serial_t prkey, sskey; | 40 | key_serial_t prkey, sskey; |
@@ -127,6 +128,7 @@ error_alloc: | |||
127 | static struct key *__request_key_construction(struct key_type *type, | 128 | static struct key *__request_key_construction(struct key_type *type, |
128 | const char *description, | 129 | const char *description, |
129 | const char *callout_info, | 130 | const char *callout_info, |
131 | void *aux, | ||
130 | unsigned long flags) | 132 | unsigned long flags) |
131 | { | 133 | { |
132 | request_key_actor_t actor; | 134 | request_key_actor_t actor; |
@@ -164,7 +166,7 @@ static struct key *__request_key_construction(struct key_type *type, | |||
164 | actor = call_sbin_request_key; | 166 | actor = call_sbin_request_key; |
165 | if (type->request_key) | 167 | if (type->request_key) |
166 | actor = type->request_key; | 168 | actor = type->request_key; |
167 | ret = actor(key, authkey, "create"); | 169 | ret = actor(key, authkey, "create", aux); |
168 | if (ret < 0) | 170 | if (ret < 0) |
169 | goto request_failed; | 171 | goto request_failed; |
170 | 172 | ||
@@ -258,8 +260,9 @@ alloc_failed: | |||
258 | */ | 260 | */ |
259 | static struct key *request_key_construction(struct key_type *type, | 261 | static struct key *request_key_construction(struct key_type *type, |
260 | const char *description, | 262 | const char *description, |
261 | struct key_user *user, | ||
262 | const char *callout_info, | 263 | const char *callout_info, |
264 | void *aux, | ||
265 | struct key_user *user, | ||
263 | unsigned long flags) | 266 | unsigned long flags) |
264 | { | 267 | { |
265 | struct key_construction *pcons; | 268 | struct key_construction *pcons; |
@@ -284,7 +287,7 @@ static struct key *request_key_construction(struct key_type *type, | |||
284 | } | 287 | } |
285 | 288 | ||
286 | /* see about getting userspace to construct the key */ | 289 | /* see about getting userspace to construct the key */ |
287 | key = __request_key_construction(type, description, callout_info, | 290 | key = __request_key_construction(type, description, callout_info, aux, |
288 | flags); | 291 | flags); |
289 | error: | 292 | error: |
290 | kleave(" = %p", key); | 293 | kleave(" = %p", key); |
@@ -392,6 +395,7 @@ static void request_key_link(struct key *key, struct key *dest_keyring) | |||
392 | struct key *request_key_and_link(struct key_type *type, | 395 | struct key *request_key_and_link(struct key_type *type, |
393 | const char *description, | 396 | const char *description, |
394 | const char *callout_info, | 397 | const char *callout_info, |
398 | void *aux, | ||
395 | struct key *dest_keyring, | 399 | struct key *dest_keyring, |
396 | unsigned long flags) | 400 | unsigned long flags) |
397 | { | 401 | { |
@@ -399,8 +403,9 @@ struct key *request_key_and_link(struct key_type *type, | |||
399 | struct key *key; | 403 | struct key *key; |
400 | key_ref_t key_ref; | 404 | key_ref_t key_ref; |
401 | 405 | ||
402 | kenter("%s,%s,%s,%p,%lx", | 406 | kenter("%s,%s,%s,%p,%p,%lx", |
403 | type->name, description, callout_info, dest_keyring, flags); | 407 | type->name, description, callout_info, aux, |
408 | dest_keyring, flags); | ||
404 | 409 | ||
405 | /* search all the process keyrings for a key */ | 410 | /* search all the process keyrings for a key */ |
406 | key_ref = search_process_keyrings(type, description, type->match, | 411 | key_ref = search_process_keyrings(type, description, type->match, |
@@ -433,8 +438,8 @@ struct key *request_key_and_link(struct key_type *type, | |||
433 | /* ask userspace (returns NULL if it waited on a key | 438 | /* ask userspace (returns NULL if it waited on a key |
434 | * being constructed) */ | 439 | * being constructed) */ |
435 | key = request_key_construction(type, description, | 440 | key = request_key_construction(type, description, |
436 | user, callout_info, | 441 | callout_info, aux, |
437 | flags); | 442 | user, flags); |
438 | if (key) | 443 | if (key) |
439 | break; | 444 | break; |
440 | 445 | ||
@@ -491,8 +496,27 @@ struct key *request_key(struct key_type *type, | |||
491 | const char *callout_info) | 496 | const char *callout_info) |
492 | { | 497 | { |
493 | return request_key_and_link(type, description, callout_info, NULL, | 498 | return request_key_and_link(type, description, callout_info, NULL, |
494 | KEY_ALLOC_IN_QUOTA); | 499 | NULL, KEY_ALLOC_IN_QUOTA); |
495 | 500 | ||
496 | } /* end request_key() */ | 501 | } /* end request_key() */ |
497 | 502 | ||
498 | EXPORT_SYMBOL(request_key); | 503 | EXPORT_SYMBOL(request_key); |
504 | |||
505 | /*****************************************************************************/ | ||
506 | /* | ||
507 | * request a key with auxiliary data for the upcaller | ||
508 | * - search the process's keyrings | ||
509 | * - check the list of keys being created or updated | ||
510 | * - call out to userspace for a key if supplementary info was provided | ||
511 | */ | ||
512 | struct key *request_key_with_auxdata(struct key_type *type, | ||
513 | const char *description, | ||
514 | const char *callout_info, | ||
515 | void *aux) | ||
516 | { | ||
517 | return request_key_and_link(type, description, callout_info, aux, | ||
518 | NULL, KEY_ALLOC_IN_QUOTA); | ||
519 | |||
520 | } /* end request_key_with_auxdata() */ | ||
521 | |||
522 | EXPORT_SYMBOL(request_key_with_auxdata); | ||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ac7f2b2e3924..28832e689800 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -1532,8 +1532,9 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) | |||
1532 | /* Default to the current task SID. */ | 1532 | /* Default to the current task SID. */ |
1533 | bsec->sid = tsec->sid; | 1533 | bsec->sid = tsec->sid; |
1534 | 1534 | ||
1535 | /* Reset create and sockcreate SID on execve. */ | 1535 | /* Reset fs, key, and sock SIDs on execve. */ |
1536 | tsec->create_sid = 0; | 1536 | tsec->create_sid = 0; |
1537 | tsec->keycreate_sid = 0; | ||
1537 | tsec->sockcreate_sid = 0; | 1538 | tsec->sockcreate_sid = 0; |
1538 | 1539 | ||
1539 | if (tsec->exec_sid) { | 1540 | if (tsec->exec_sid) { |
@@ -2586,9 +2587,10 @@ static int selinux_task_alloc_security(struct task_struct *tsk) | |||
2586 | tsec2->osid = tsec1->osid; | 2587 | tsec2->osid = tsec1->osid; |
2587 | tsec2->sid = tsec1->sid; | 2588 | tsec2->sid = tsec1->sid; |
2588 | 2589 | ||
2589 | /* Retain the exec, create, and sock SIDs across fork */ | 2590 | /* Retain the exec, fs, key, and sock SIDs across fork */ |
2590 | tsec2->exec_sid = tsec1->exec_sid; | 2591 | tsec2->exec_sid = tsec1->exec_sid; |
2591 | tsec2->create_sid = tsec1->create_sid; | 2592 | tsec2->create_sid = tsec1->create_sid; |
2593 | tsec2->keycreate_sid = tsec1->keycreate_sid; | ||
2592 | tsec2->sockcreate_sid = tsec1->sockcreate_sid; | 2594 | tsec2->sockcreate_sid = tsec1->sockcreate_sid; |
2593 | 2595 | ||
2594 | /* Retain ptracer SID across fork, if any. | 2596 | /* Retain ptracer SID across fork, if any. |