kernel/linux.git/security/keys/keyring.c, branch linux-2.6.18.y

[PATCH] keys: discard the contents of a key on revocation

2006-06-26T16:58:18+00:00

Cause the keys linked to a keyring to be unlinked from it when revoked and it causes the data attached to a user-defined key to be discarded when revoked. This frees up most of the quota a key occupied at that point, rather than waiting for the key to actually be destroyed. Signed-off-by: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] keys: sort out key quota system

2006-06-26T16:58:18+00:00

Add the ability for key creation to overrun the user's quota in some circumstances - notably when a session keyring is created and assigned to a process that didn't previously have one. This means it's still possible to log in, should PAM require the creation of a new session keyring, and fix an overburdened key quota. Signed-off-by: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] selinux: add hooks for key subsystem

2006-06-22T22:05:55+00:00

Introduce SELinux hooks to support the access key retention subsystem within the kernel. Incorporate new flask headers from a modified version of the SELinux reference policy, with support for the new security class representing retained keys. Extend the "key_alloc" security hook with a task parameter representing the intended ownership context for the key being allocated. Attach security information to root's default keyrings within the SELinux initialization routine. Has passed David's testsuite. Signed-off-by: Michael LeMay Signed-off-by: David Howells Signed-off-by: James Morris Acked-by: Chris Wright Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[Security] Keys: Fix oops when adding key to non-keyring

2006-04-10T16:33:46+00:00

This fixes the problem of an oops occuring when a user attempts to add a key to a non-keyring key [CVE-2006-1522]. The problem is that __keyring_search_one() doesn't check that the keyring it's been given is actually a keyring. I've fixed this problem by: (1) declaring that caller of __keyring_search_one() must guarantee that the keyring is a keyring; and (2) making key_create_or_update() check that the keyring is a keyring, and return -ENOTDIR if it isn't. This can be tested by: keyctl add user b b `keyctl add user a a @s` Signed-off-by: David Howells Signed-off-by: Linus Torvalds

[PATCH] keys: Permit running process to instantiate keys

2006-01-09T04:13:53+00:00

Make it possible for a running process (such as gssapid) to be able to instantiate a key, as was requested by Trond Myklebust for NFS4. The patch makes the following changes: (1) A new, optional key type method has been added. This permits a key type to intercept requests at the point /sbin/request-key is about to be spawned and do something else with them - passing them over the rpc_pipefs files or netlink sockets for instance. The uninstantiated key, the authorisation key and the intended operation name are passed to the method. (2) The callout_info is no longer passed as an argument to /sbin/request-key to prevent unauthorised viewing of this data using ps or by looking in /proc/pid/cmdline. This means that the old /sbin/request-key program will not work with the patched kernel as it will expect to see an extra argument that is no longer there. A revised keyutils package will be made available tomorrow. (3) The callout_info is now attached to the authorisation key. Reading this key will retrieve the information. (4) A new field has been added to the task_struct. This holds the authorisation key currently active for a thread. Searches now look here for the caller's set of keys rather than looking for an auth key in the lowest level of the session keyring. This permits a thread to be servicing multiple requests at once and to switch between them. Note that this is per-thread, not per-process, and so is usable in multithreaded programs. The setting of this field is inherited across fork and exec. (5) A new keyctl function (KEYCTL_ASSUME_AUTHORITY) has been added that permits a thread to assume the authority to deal with an uninstantiated key. Assumption is only permitted if the authorisation key associated with the uninstantiated key is somewhere in the thread's keyrings. This function can also clear the assumption. (6) A new magic key specifier has been added to refer to the currently assumed authorisation key (KEY_SPEC_REQKEY_AUTH_KEY). (7) Instantiation will only proceed if the appropriate authorisation key is assumed first. The assumed authorisation key is discarded if instantiation is successful. (8) key_validate() is moved from the file of request_key functions to the file of permissions functions. (9) The documentation is updated. From: Build fix. Signed-off-by: David Howells Cc: Trond Myklebust Cc: Alexander Zangerl Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] keys: Discard duplicate keys from a keyring on link

2006-01-09T04:13:53+00:00

Cause any links within a keyring to keys that match a key to be linked into that keyring to be discarded as a link to the new key is added. The match is contingent on the type and description strings being the same. This permits requests, adds and searches to displace negative, expired, revoked and dead keys easily. After some discussion it was concluded that duplicate valid keys should probably be discarded also as they would otherwise hide the new key. Since request_key() is intended to be the primary method by which keys are added to a keyring, duplicate valid keys wouldn't be an issue there as that function would return an existing match in preference to creating a new key. Signed-off-by: David Howells Cc: Trond Myklebust Cc: Alexander Zangerl Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] security/: possible cleanups

2006-01-06T16:33:30+00:00

make needlessly global code static Signed-off-by: Adrian Bunk Cc: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] Keys: Remove key duplication

2006-01-06T16:33:29+00:00

Remove the key duplication stuff since there's nothing that uses it, no way to get at it and it's awkward to deal with for LSM purposes. Signed-off-by: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] Keys: Fix permissions check for update vs add

2005-12-01T23:48:56+00:00

Permit add_key() to once again update a matching key rather than adding a new one if a matching key already exists in the target keyring. This bug causes add_key() to always add a new key, displacing the old from the target keyring. Signed-off-by: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] Keys: Remove incorrect and obsolete '!' operators

2005-11-07T15:53:37+00:00

The attached patch removes a couple of incorrect and obsolete '!' operators left over from the conversion of the key permission functions from true/false returns to zero/error returns. Signed-Off-By: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds