* [PATCH] KEYS: Only apply KEY_FLAG_KEEP to a key if a parent keyring has it set
@ 2016-01-27  1:02 David Howells
  2016-01-27  1:05 ` David Howells
  0 siblings, 1 reply; 5+ messages in thread
From: David Howells @ 2016-01-27  1:02 UTC (permalink / raw)
  To: jmorris
  Cc: linux-kernel, stable, dhowells, linux-security-module, keyrings,
	sgallagh, Mimi Zohar

KEY_FLAG_KEEP should only be applied to a key if the keyring it is being
linked into has KEY_FLAG_KEEP set.

To this end, partially revert the following patch:

	commit 1d6d167c2efcfe9539d9cffb1a1be9c92e39c2c0
	Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
	Date:   Thu Jan 7 07:46:36 2016 -0500
	KEYS: refcount bug fix

to undo the change that made it unconditional (Mimi got it right the first
time).

Without undoing this change, it becomes impossible to delete, revoke or
invalidate keys added to keyrings through __key_instantiate_and_link()
where the keyring has itself been linked to.  To test this, run the
following command sequence:

    keyctl newring foo @s
    keyctl add user a a %:foo
    keyctl unlink %user:a %:foo
    keyctl clear %:foo

With the commit mentioned above the third and fourth commands fail with
EPERM when they should succeed.

Reported-by: Stephen Gallagher <sgallagh@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
cc: keyrings@vger.kernel.org
cc: stable@vger.kernel.org
---

 security/keys/key.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/keys/key.c b/security/keys/key.c
index 07a87311055c..09ef276c4bdc 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -430,7 +430,8 @@ static int __key_instantiate_and_link(struct key *key,
 
 			/* and link it into the destination keyring */
 			if (keyring) {
-				set_bit(KEY_FLAG_KEEP, &key->flags);
+				if (test_bit(KEY_FLAG_KEEP, &keyring->flags))
+					set_bit(KEY_FLAG_KEEP, &key->flags);
 
 				__key_link(key, _edit);
 			}
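
Review bot: the new `test_bit(KEY_FLAG_KEEP, &keyring->flags)` check inside `if (keyring)` consults only the destination keyring passed to __key_instantiate_and_link(), while the subject line speaks of "a parent keyring", and nothing in the code says which is meant. A one-line comment above the test stating that KEEP is inherited from the keyring the key is being linked into would make the intended scope explicit, since the existing comment only mentions the link. The keyctl sequence in the changelog (newring, add, unlink, clear) is also worth carrying as a regression test, because the unconditional `set_bit` removed here is what made the unlink and clear steps return EPERM.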


* Re: [PATCH] KEYS: Only apply KEY_FLAG_KEEP to a key if a parent keyring has it set
From: David Howells @ 2016-01-27  1:05 UTC (permalink / raw)
  To: jmorris
  Cc: dhowells, linux-kernel, stable, linux-security-module, keyrings,
	sgallagh, Mimi Zohar

Hi James,

Can you pass this onto Linus asap?  The thing it fixes breaks kerberos and
sssd.

Thanks,
David


* Re: [PATCH] KEYS: Only apply KEY_FLAG_KEEP to a key if a parent keyring has it set
From: James Morris @ 2016-01-27  5:18 UTC (permalink / raw)
  To: David Howells
  Cc: linux-kernel, stable, linux-security-module, keyrings, sgallagh,
	Mimi Zohar

On Wed, 27 Jan 2016, David Howells wrote:

> Hi James,
> 
> Can you pass this onto Linus asap?  The thing it fixes breaks kerberos and
> sssd.
> 

I'd like to see some acks on this.


-- 
James Morris
<jmorris@namei.org>


* Re: [PATCH] KEYS: Only apply KEY_FLAG_KEEP to a key if a parent keyring has it set
From: Mimi Zohar @ 2016-01-27 13:09 UTC (permalink / raw)
  To: James Morris
  Cc: David Howells, linux-kernel, stable, linux-security-module,
	keyrings, sgallagh

On Wed, 2016-01-27 at 16:18 +1100, James Morris wrote:
> On Wed, 27 Jan 2016, David Howells wrote:
> 
> > Hi James,
> > 
> > Can you pass this onto Linus asap?  The thing it fixes breaks kerberos and
> > sssd.
> > 
> 
> I'd like to see some acks on this.

Acked-by:  Mimi Zohar <zohar@linux.vnet.ibm.com>


* Re: [PATCH] KEYS: Only apply KEY_FLAG_KEEP to a key if a parent keyring has it set
From: Stephen Gallagher @ 2016-01-28 13:46 UTC (permalink / raw)
  To: Mimi Zohar, James Morris
  Cc: David Howells, linux-kernel, stable, linux-security-module, keyrings

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/27/2016 08:09 AM, Mimi Zohar wrote:
> On Wed, 2016-01-27 at 16:18 +1100, James Morris wrote:
>> On Wed, 27 Jan 2016, David Howells wrote:
>> 
>>> Hi James,
>>> 
>>> Can you pass this onto Linus asap?  The thing it fixes breaks kerberos
>>> and sssd.
>>> 
>> 
>> I'd like to see some acks on this.
> 
> Acked-by:  Mimi Zohar <zohar@linux.vnet.ibm.com>
> 

Tested-by: Stephen Gallagher <sgallagh@redhat.com>
Acked-by: Stephen Gallagher <sgallagh@redhat.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlaqG7QACgkQeiVVYja6o6OVKQCgkMqVRVWUovbVkXGSH4+5Myom
a9AAoKXvY/0RRPb8poYcVKvQ71HAqmsE
=jIRp
-----END PGP SIGNATURE-----
