[PATCH] KEYS: Skip key state checks when checking for possession

From: David Howells
Date: Tue Jun 18 2013 - 12:47:33 EST


Skip key state checks (invalidation, revocation and expiration) when checking
for possession. Without this, keys that have been marked invalid, revoked
keys and expired keys are not given a possession attribute - which means the
possessor is not granted any possession permits and cannot do anything with
them unless they also have one a user, group or other permit.

This causes failures in the keyutils test suite's revocation and expiration
tests now that commit 96b5c8fea6c0861621051290d705ec2e971963f1 reduced the
initial permissions granted to a key.

The failures are due to accesses to revoked and expired keys being given
EACCES instead of EKEYREVOKED or EKEYEXPIRED.

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
---

security/keys/internal.h | 1 +
security/keys/process_keys.c | 8 +++++---
security/keys/request_key.c | 6 ++++--
security/keys/request_key_auth.c | 2 +-
4 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/security/keys/internal.h b/security/keys/internal.h
index d4f1468..df971fe 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -124,6 +124,7 @@ extern key_ref_t search_my_process_keyrings(struct key_type *type,
extern key_ref_t search_process_keyrings(struct key_type *type,
const void *description,
key_match_func_t match,
+ bool no_state_check,
const struct cred *cred);

extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 42defae..a3410d6 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -440,6 +440,7 @@ found:
key_ref_t search_process_keyrings(struct key_type *type,
const void *description,
key_match_func_t match,
+ bool no_state_check,
const struct cred *cred)
{
struct request_key_auth *rka;
@@ -448,7 +449,7 @@ key_ref_t search_process_keyrings(struct key_type *type,
might_sleep();

key_ref = search_my_process_keyrings(type, description, match,
- false, cred);
+ no_state_check, cred);
if (!IS_ERR(key_ref))
goto found;
err = key_ref;
@@ -468,7 +469,8 @@ key_ref_t search_process_keyrings(struct key_type *type,
rka = cred->request_key_auth->payload.data;

key_ref = search_process_keyrings(type, description,
- match, rka->cred);
+ match, no_state_check,
+ rka->cred);

up_read(&cred->request_key_auth->sem);

@@ -675,7 +677,7 @@ try_again:
/* check to see if we possess the key */
skey_ref = search_process_keyrings(key->type, key,
lookup_user_key_possessed,
- cred);
+ true, cred);

if (!IS_ERR(skey_ref)) {
key_put(key);
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index c411f9b..172115b 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -390,7 +390,8 @@ static int construct_alloc_key(struct key_type *type,
* waited for locks */
mutex_lock(&key_construction_mutex);

- key_ref = search_process_keyrings(type, description, type->match, cred);
+ key_ref = search_process_keyrings(type, description, type->match,
+ false, cred);
if (!IS_ERR(key_ref))
goto key_already_present;

@@ -539,7 +540,8 @@ struct key *request_key_and_link(struct key_type *type,
dest_keyring, flags);

/* search all the process keyrings for a key */
- key_ref = search_process_keyrings(type, description, type->match, cred);
+ key_ref = search_process_keyrings(type, description, type->match,
+ false, cred);

if (!IS_ERR(key_ref)) {
key = key_ref_to_ptr(key_ref);
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 85730d5..92077de 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -247,7 +247,7 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id)
&key_type_request_key_auth,
(void *) (unsigned long) target_id,
key_get_instantiation_authkey_match,
- cred);
+ false, cred);

if (IS_ERR(authkey_ref)) {
authkey = ERR_CAST(authkey_ref);

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/