* [PATCH] KEYS: allow searching of user-session keyring if session keyring exists
@ 2017-11-02 22:05 Marcho
From: Marcho @ 2017-11-02 22:05 UTC (permalink / raw)
To: keyrings
In search_my_process_keyrings(), if a session keyring exists, we will skip the search of a potential user-session keyring.
This is exhibited when using ecryptfs:
kernel: [ 27.441621] Could not find key with description: [3bea61015ca4c0e2]
kernel: [ 27.441653] process_request_key_err: No key
kernel: [ 27.441653] Could not find valid key in user session keyring for sig specified in mount option: [3bea61015ca4c0e2]
$ keyctl show # session keyring exists
Session Keyring
67329122 --alswrv 1000 1000 keyring: _ses
83033473 ----s-rv 0 0 \_ user: invocation_id
$ keyctl show @us # requested user-session key exists even though it is reported missing
Keyring
765040937 --alswrv 1000 65534 keyring: _uid_ses.1000
546860119 --alswrv 1000 65534 \_ keyring: _uid.1000
213500744 --alswrv 1000 1000 \_ user: 3bea61015ca4c0e2
This allows ecryptfs to see the key it needs.
--- a/security/keys/process_keys.c 2017-11-02 22:28:29.247550207 +0100
+++ b/security/keys/process_keys.c 2017-11-02 22:29:58.707095600 +0100
@@ -412,8 +412,9 @@ key_ref_t search_my_process_keyrings(str
break;
}
}
- /* or search the user-session keyring */
- else if (ctx->cred->user->session_keyring) {
+
+ /* search the user-session keyring */
+ if (ctx->cred->user->session_keyring) {
key_ref = keyring_search_aux(
make_key_ref(ctx->cred->user->session_keyring, 1),
ctx);
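Review bot: Turning `- else if (ctx->cred->user->session_keyring)` into a plain `if` changes the intended search precedence rather than fixing a defect: the comment being removed, `/* or search the user-session keyring */`, says the user-session keyring is only consulted when the process has no session keyring of its own, so after this hunk every process that owns a session keyring also gains visibility into keys held in the user-session keyring, which weakens the isolation a separate session keyring is meant to provide. The commit message should explain why the kernel's search order has to change instead of linking @us into the session keyring from userspace, and the submission also lacks a Signed-off-by line and is not generated against a git tree (the file headers carry timestamps instead of `diff --git` lines).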
* Re: [PATCH] KEYS: allow searching of user-session keyring if session keyring exists
From: David Howells @ 2017-11-02 22:29 UTC (permalink / raw)
To: keyrings
Marcho <marcho.markov@gmail.com> wrote:
> In search_my_process_keyrings(), if a session keyring exists, we will skip
> the search of a potential user-session keyring.
That is the correct behaviour.
You can fix this in userspace by adding a link into the session keyring that
points to the user-session keyring if you must. You may have noted that the
search algorithm also does not directly search the user keyring - pam_keyinit
adds the link, thereby explicitly adding the user keyring to the search tree.
You should not be using the user-session keyring like this. I would recommend
either using the user keyring or the newer persistent keyring.
David
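As an added example (not code from the thread), a small POSIX shell script that applies the userspace workaround David describes: link the user-session keyring into the session keyring so a search of @s reaches it through the link, the same way pam_keyinit links the user keyring. It assumes the keyutils `keyctl` tool is installed; the `KEYCTL` variable is an assumption added so the commands can be redirected to a stub.

```shell
#!/bin/sh
# Added example: make the user-session keyring (@us) reachable from a
# process's session keyring (@s) by linking it, instead of changing the
# kernel's search order. Assumes keyutils' keyctl is on PATH.
# KEYCTL (an assumption for this example) names the command to run.
: "${KEYCTL:=keyctl}"

# Return 0 if the session keyring already contains a link to the
# user-session keyring. "keyctl id" resolves a special id to a real key id;
# "keyctl rlist" prints the ids reachable from a keyring, space separated.
session_links_user_session() {
    us_id=$("$KEYCTL" id @us) || return 1
    "$KEYCTL" rlist @s | tr -s ' ' '\n' | grep -qx "$us_id"
}

# Add the link only when it is missing, so repeated runs are harmless.
# Prints a short status line and returns keyctl's exit status on failure.
link_user_session_into_session() {
    if session_links_user_session; then
        echo "session keyring already links the user-session keyring"
        return 0
    fi
    "$KEYCTL" link @us @s || return $?
    echo "linked @us into @s; keys in the user-session keyring are now searchable"
}

# Run with --apply to change the calling shell's session keyring.
case "${1:-}" in
    --apply) link_user_session_into_session ;;
esac
```

Run it as `. ./link-us.sh --apply` (or `keyctl link @us @s` directly); a subsequent `keyctl show` lists the `_uid_ses` keyring under `_ses`.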