Re: In-kernel Authentication Tokens (PAGs)
From: David Howells
Date: Wed Jun 16 2004 - 09:42:17 EST
> > I've a sample aklog program (key submission) should you be interested.
>
> I'd be interested. BTW, I just took a brief look and had a quick
> question.

Please see attached files.

    key_afs.c   Rudimentary kAFS filesystem token handling
    afsutil.h   }
    kernel.c    } aklog program
    aklog.c     }

> > + if (bprm->e_uid != current->uid)
> > + suid_keys(current);
> > + exec_keys(current);
> > +
>
> Would the security module be expected to update/revoke keys if the thing changes
> security domains on exec?
I don't know. Currently this patch replaces the old session keyring in favour
of a new empty one upon SUID exec. I suspect that depends on the policy set by
the administrator.
If you've a better suggestion than what I've done, feel free to make it.
> > task_lock(current);
> > unsafe = unsafe_exec(current);
> > security_bprm_apply_creds(bprm, unsafe);
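
Review bot: The test bprm->e_uid != current->uid in front of suid_keys(current) only catches a change of effective UID, so a set-GID exec, or a security-domain change decided afterwards in security_bprm_apply_creds(bprm, unsafe), never reaches suid_keys(). Consider also comparing bprm->e_gid with current->gid, and either moving the keyring handling after security_bprm_apply_creds() or giving the security module a hook so that its decision can drive the replacement. Both key calls also run before task_lock(current) and are invoked as bare statements; if suid_keys() or exec_keys() can fail, the result should be checked before the exec proceeds.
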
David