Re: [PATCH 2/6] KEYS: Reinstate EPERM for a key type name beginning with a '.'

From: Dmitry Kasatkin
Date: Thu Sep 11 2014 - 08:28:57 EST


On 11 September 2014 15:27, Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx> wrote:
> On 11 September 2014 15:09, David Howells <dhowells@xxxxxxxxxx> wrote:
>> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>>
>>> On Wed, 2014-09-10 at 19:36 -0400, Mimi Zohar wrote:
>>> > On Wed, 2014-09-10 at 22:22 +0100, David Howells wrote:
>>> > > Reinstate the generation of EPERM for a key type name beginning with a
>>> > > '.' in a userspace call. Types whose name begins with a '.' are
>>> > > internal only.
>>>
>>> After re-reading your comment and looking at the different types,
>>> testing for dot prefixed types now makes sense. Both dot prefixed types
>>> and keyring names are reserved for the kernel.
>>
>> Are you withdrawing your objection, then?
>>
>
> For me, the type test looks unrelated to "." prefixed key/keyring names...
>
> The rest of that patch does the following:
>
> + } else if ((description[0] == '.') &&
> + (strncmp(type, "keyring", 7) == 0)) {
> + ret = -EPERM;
> + goto error2;
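Review bot: the EPERM path is only reached when the type is a keyring, so a '.'-prefixed description on any other type (the `user` type in the keyctl output below, for instance) is still accepted; if '.'-prefixed descriptions are meant to be reserved for the kernel, the `description[0] == '.'` test should not be conditioned on `strncmp(type, "keyring", 7) == 0`. Separately, `strncmp(..., 7)` is a prefix match, so a type whose name merely begins with "keyring" would also satisfy it; `strcmp(type, "keyring") == 0` expresses the intended exact match.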
>
>
> I wonder why this test is only disallowing keyrings...
> Why not also keys?
>
> keyctl add user ".ring1" Hello @u
>
> keyctl show
> 50463278 --alswrv 0 0 \_ user: .ring1
>
>

sorry... it was a confusing name

keyctl newring ".ring1" @u
add_key: Operation not permitted

But for keys..

keyctl add user ".key1" Hello @u

keyctl show
50463298 --alswrv 0 0 \_ user: .key1

- Dmitry

> - Dmitry
>
>> David
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
>
>
> --
> Thanks,
> Dmitry



--
Thanks,
Dmitry
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/