summaryrefslogtreecommitdiff
path: root/security/apparmor
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2013-11-14 17:02:31 +0400
committerDavid Howells <dhowells@redhat.com>2013-11-14 18:09:53 +0400
commit62fe318256befbd1b4a6765e71d9c997f768fe79 (patch)
treea24b4672750ceea1850f7b97131256f163554ea7 /security/apparmor
parent97826c821ec6724fc359d9b7840dc10af914c641 (diff)
downloadlinux-62fe318256befbd1b4a6765e71d9c997f768fe79.tar.xz
KEYS: Fix keyring content gc scanner
Key pointers stored in the keyring are marked in bit 1 to indicate if they point to a keyring. We need to strip off this bit before using the pointer when iterating over the keyring for the purpose of looking for links to garbage collect. This means that expirable keyrings aren't correctly expiring because the checker is seeing their key pointer with 2 added to it. Since the fix for this involves knowing about the internals of the keyring, key_gc_keyring() is moved to keyring.c and merged into keyring_gc(). This can be tested by: echo 2 >/proc/sys/kernel/keys/gc_delay keyctl timeout `keyctl add keyring qwerty "" @s` 2 cat /proc/keys sleep 5; cat /proc/keys which should see a keyring called "qwerty" appear in the session keyring and then disappear after it expires, and: echo 2 >/proc/sys/kernel/keys/gc_delay a=`keyctl get_persistent @s` b=`keyctl add keyring 0 "" $a` keyctl add user a a $b keyctl timeout $b 2 cat /proc/keys sleep 5; cat /proc/keys which should see a keyring called "0" with a key called "a" in it appear in the user's persistent keyring (which will be attached to the session keyring) and then both the "0" keyring and the "a" key should disappear when the "0" keyring expires. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'security/apparmor')
0 files changed, 0 insertions, 0 deletions