From: David Howells <dhowells@redhat.com> To: ebiederm@xmission.com Cc: keyrings@vger.kernel.org, dhowells@redhat.com, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, dwalsh@redhat.com, vgoyal@redhat.com Subject: [PATCH 01/11] keys: Invalidate used request_key authentication keys Date: Wed, 24 Apr 2019 16:13:31 +0000 [thread overview] Message-ID: <155612241118.8564.13789880165583709711.stgit@warthog.procyon.org.uk> (raw) In-Reply-To: <155612240208.8564.13865046977065545591.stgit@warthog.procyon.org.uk> Invalidate used request_key authentication keys rather than revoking them so that they get cleaned up immediately rather than potentially hanging around. There doesn't seem any need to keep the revoked keys around. Signed-off-by: David Howells <dhowells@redhat.com> --- security/keys/key.c | 4 ++-- security/keys/request_key.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/security/keys/key.c b/security/keys/key.c index 696f1c092c50..d705b950ce2a 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -459,7 +459,7 @@ static int __key_instantiate_and_link(struct key *key, /* disable the authorisation key */ if (authkey) - key_revoke(authkey); + key_invalidate(authkey); if (prep->expiry != TIME64_MAX) { key->expiry = prep->expiry; @@ -607,7 +607,7 @@ int key_reject_and_link(struct key *key, /* disable the authorisation key */ if (authkey) - key_revoke(authkey); + key_invalidate(authkey); } mutex_unlock(&key_construction_mutex); diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 75d87f9e0f49..a7b698394257 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c @@ -222,7 +222,7 @@ static int construct_key(struct key *key, const void *callout_info, /* check that the actor called complete_request_key() prior to * returning an error */ WARN_ON(ret < 0 && - !test_bit(KEY_FLAG_REVOKED, &authkey->flags)); + !test_bit(KEY_FLAG_INVALIDATED, &authkey->flags)); key_put(authkey); kleave(" = %d", ret);
WARNING: multiple messages have this Message-ID (diff)
From: David Howells <dhowells@redhat.com> To: ebiederm@xmission.com Cc: keyrings@vger.kernel.org, dhowells@redhat.com, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, dwalsh@redhat.com, vgoyal@redhat.com Subject: [PATCH 01/11] keys: Invalidate used request_key authentication keys Date: Wed, 24 Apr 2019 17:13:31 +0100 [thread overview] Message-ID: <155612241118.8564.13789880165583709711.stgit@warthog.procyon.org.uk> (raw) In-Reply-To: <155612240208.8564.13865046977065545591.stgit@warthog.procyon.org.uk> Invalidate used request_key authentication keys rather than revoking them so that they get cleaned up immediately rather than potentially hanging around. There doesn't seem any need to keep the revoked keys around. Signed-off-by: David Howells <dhowells@redhat.com> --- security/keys/key.c | 4 ++-- security/keys/request_key.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/security/keys/key.c b/security/keys/key.c index 696f1c092c50..d705b950ce2a 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -459,7 +459,7 @@ static int __key_instantiate_and_link(struct key *key, /* disable the authorisation key */ if (authkey) - key_revoke(authkey); + key_invalidate(authkey); if (prep->expiry != TIME64_MAX) { key->expiry = prep->expiry; @@ -607,7 +607,7 @@ int key_reject_and_link(struct key *key, /* disable the authorisation key */ if (authkey) - key_revoke(authkey); + key_invalidate(authkey); } mutex_unlock(&key_construction_mutex); diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 75d87f9e0f49..a7b698394257 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c @@ -222,7 +222,7 @@ static int construct_key(struct key *key, const void *callout_info, /* check that the actor called complete_request_key() prior to * returning an error */ WARN_ON(ret < 0 && - !test_bit(KEY_FLAG_REVOKED, &authkey->flags)); + !test_bit(KEY_FLAG_INVALIDATED, &authkey->flags)); key_put(authkey); kleave(" = %d", ret);
next prev parent reply other threads:[~2019-04-24 16:13 UTC|newest] Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-04-24 16:13 [PATCH 00/11] keys: Namespacing David Howells 2019-04-24 16:13 ` David Howells 2019-04-24 16:13 ` David Howells [this message] 2019-04-24 16:13 ` [PATCH 01/11] keys: Invalidate used request_key authentication keys David Howells 2019-04-24 16:13 ` [PATCH 02/11] keys: Kill off request_key_async{,_with_auxdata} David Howells 2019-04-24 16:13 ` David Howells 2019-04-24 16:13 ` [PATCH 03/11] keys: Simplify key description management David Howells 2019-04-24 16:13 ` David Howells 2019-04-24 16:14 ` [PATCH 04/11] keys: Cache the hash value to avoid lots of recalculation David Howells 2019-04-24 16:14 ` David Howells 2019-04-24 16:14 ` [PATCH 05/11] keys: Add a 'recurse' flag for keyring searches David Howells 2019-04-24 16:14 ` David Howells 2019-04-25 4:27 ` Andrew Zaborowski 2019-04-25 4:27 ` Andrew Zaborowski 2019-04-25 11:02 ` David Howells 2019-04-25 11:02 ` David Howells 2019-04-24 16:14 ` [PATCH 06/11] keys: Namespace keyring names David Howells 2019-04-24 16:14 ` David Howells 2019-04-24 16:14 ` [PATCH 07/11] keys: Move the user and user-session keyrings to the user_namespace David Howells 2019-04-24 16:14 ` David Howells 2019-04-24 22:03 ` Jann Horn 2019-04-24 22:03 ` Jann Horn 2019-04-24 22:24 ` David Howells 2019-04-24 22:24 ` David Howells 2019-04-25 11:38 ` David Howells 2019-04-25 11:38 ` David Howells 2019-04-24 16:14 ` [PATCH 08/11] keys: Include target namespace in match criteria David Howells 2019-04-24 16:14 ` David Howells 2019-04-24 16:14 ` [PATCH 09/11] keys: Garbage collect keys for which the domain has been removed David Howells 2019-04-24 16:14 ` David Howells 2019-04-24 16:14 ` [PATCH 10/11] keys: Network namespace domain tag David Howells 2019-04-24 16:14 ` David Howells 2019-04-24 16:15 ` [PATCH 11/11] keys: Pass the network namespace into request_key mechanism David Howells 2019-04-24 16:15 ` David Howells 2019-04-24 21:54 ` [PATCH 10/11] keys: Network namespace domain tag David Howells 2019-04-24 21:54 ` David Howells
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=155612241118.8564.13789880165583709711.stgit@warthog.procyon.org.uk \ --to=dhowells@redhat.com \ --cc=dwalsh@redhat.com \ --cc=ebiederm@xmission.com \ --cc=keyrings@vger.kernel.org \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=vgoyal@redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.