In-Reply-To: <1457648428-34445-1-git-send-email-gwendal@chromium.org>
References: <1457648428-34445-1-git-send-email-gwendal@chromium.org>
From: Gwendal Grignou
Date: Thu, 17 Mar 2016 10:04:49 -0700
Subject: Re: [PATCH] keyrings: Allow searching the user session keyring
To: Gwendal Grignou, dhowells@redhat.com, james.l.morris@oracle.com, serge@hallyn.com
Cc: keyrings@vger.kernel.org, Linux Kernel, linux-security-module@vger.kernel.org, "Theodore Ts'o"

Resent to a larger audience.

On Thu, Mar 10, 2016 at 2:20 PM, Gwendal Grignou wrote:
> Currently, if a session keyring exists, we are not searching in the
> user session or user keyrings.
>
> This is a problem when a session keyring exists and we want to use
> ecryptfs, which adds the needed key only in the user keyring.
>
> TEST=Without this change, mounting an ecryptfs "partition" fails when a
> session keyring exists:
> ...
> [ 2686.047522] Could not find key with description: [dd6f92bd8660b36c]
> ...
> Although the key exists:
> keyctl show @us
> Keyring
>  549666721 --alswrv      0 65534  keyring: _uid_ses.0
>  346719914 --alswrv      0 65534   \_ keyring: _uid.0
>  235623693 --alswrv      0     0       \_ user: dd6f92bd8660b36c
>  747773852 --alswrv      0     0       \_ user: 7025717e50fd74a2
> With this change, ecryptfs can see the keys it needs.
>
> Note that 'keyctl show' still only shows the session keyring by default.
> We need to specify 'keyctl show @us' to see the user session keyring
> when the session keyring exists.
>
> Signed-off-by: Gwendal Grignou
> ---
>  security/keys/process_keys.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
> index e6d50172..a77d66e 100644
> --- a/security/keys/process_keys.c
> +++ b/security/keys/process_keys.c
> @@ -395,8 +395,8 @@ key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx) > break; > } > } > - /* or search the user-session keyring */ > - else if (ctx->cred->user->session_keyring) { > + /* finally search the user-session keyring */ > + if (ctx->cred->user->session_keyring) { > key_ref = keyring_search_aux( > make_key_ref(ctx->cred->user->session_keyring, 1), > ctx); > -- > 2.7.0.rc3.207.g0ac5344 >
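Review bot: Turning `else if (ctx->cred->user->session_keyring)` into a bare `if` makes the user-session search unconditional, and that changes lookup semantics for every caller of search_my_process_keyrings(), not just ecryptfs: a process that deliberately took a fresh session keyring to stay isolated from the user's keys will now still resolve keys from the user-session keyring and the user keyring linked under it (the `_uid_ses.0` -> `_uid.0` chain shown in the commit message). The commit message should say explicitly that this widening is intended for all callers and why, or the fix should be narrowed to the ecryptfs lookup (searching @us explicitly, or linking the user keyring into the session keyring at mount setup) so the isolation property of a private session keyring is preserved. Separately, the hunk keeps `key_ref = keyring_search_aux(...)` right after the session-keyring block's `break` cases, so please confirm in the surrounding code that a successful session-keyring hit leaves the function before reaching this assignment and that an error recorded from that block is not overwritten by a miss in the user-session keyring.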