diff options
author | Dave Jones <davej@redhat.com> | 2012-03-22 12:05:20 -0400 |
---|---|---|
committer | Dave Jones <davej@redhat.com> | 2012-03-22 12:05:20 -0400 |
commit | 7bd4dec4713c108dfe307272f1cfc22071d306a1 (patch) | |
tree | e15eef4a48831f55562f0d58a712782ccde1b6d9 /linux-3.1-keys-remove-special-keyring.patch | |
parent | 70f8133b7196205f2d5d745d69eb8e62027ff650 (diff) | |
download | kernel-7bd4dec4713c108dfe307272f1cfc22071d306a1.tar.gz kernel-7bd4dec4713c108dfe307272f1cfc22071d306a1.tar.xz kernel-7bd4dec4713c108dfe307272f1cfc22071d306a1.zip |
Linux v3.3-4074-g5375871
Diffstat (limited to 'linux-3.1-keys-remove-special-keyring.patch')
-rw-r--r-- | linux-3.1-keys-remove-special-keyring.patch | 110 |
1 files changed, 0 insertions, 110 deletions
diff --git a/linux-3.1-keys-remove-special-keyring.patch b/linux-3.1-keys-remove-special-keyring.patch deleted file mode 100644 index 4e7f1395b..000000000 --- a/linux-3.1-keys-remove-special-keyring.patch +++ /dev/null @@ -1,110 +0,0 @@ -diff -up linux-3.1.x86_64/Documentation/networking/dns_resolver.txt.orig linux-3.1.x86_64/Documentation/networking/dns_resolver.txt ---- linux-3.1.x86_64/Documentation/networking/dns_resolver.txt.orig 2011-10-24 03:10:05.000000000 -0400 -+++ linux-3.1.x86_64/Documentation/networking/dns_resolver.txt 2011-12-13 15:09:35.705766078 -0500 -@@ -102,6 +102,10 @@ implemented in the module can be called - If _expiry is non-NULL, the expiry time (TTL) of the result will be - returned also. - -+The kernel maintains an internal keyring in which it caches looked up keys. -+This can be cleared by any process that has the CAP_SYS_ADMIN capability by -+the use of KEYCTL_KEYRING_CLEAR on the keyring ID. -+ - - =============================== - READING DNS KEYS FROM USERSPACE -diff -up linux-3.1.x86_64/Documentation/security/keys.txt.orig linux-3.1.x86_64/Documentation/security/keys.txt ---- linux-3.1.x86_64/Documentation/security/keys.txt.orig 2011-10-24 03:10:05.000000000 -0400 -+++ linux-3.1.x86_64/Documentation/security/keys.txt 2011-12-13 15:09:35.706766099 -0500 -@@ -554,6 +554,10 @@ The keyctl syscall functions are: - process must have write permission on the keyring, and it must be a - keyring (or else error ENOTDIR will result). - -+ This function can also be used to clear special kernel keyrings if they -+ are appropriately marked if the user has CAP_SYS_ADMIN capability. The -+ DNS resolver cache keyring is an example of this. -+ - - (*) Link a key into a keyring: - -diff -up linux-3.1.x86_64/fs/cifs/cifsacl.c.orig linux-3.1.x86_64/fs/cifs/cifsacl.c ---- linux-3.1.x86_64/fs/cifs/cifsacl.c.orig 2011-12-13 12:54:12.221145867 -0500 -+++ linux-3.1.x86_64/fs/cifs/cifsacl.c 2011-12-13 15:09:35.707766122 -0500 -@@ -556,6 +556,7 @@ init_cifs_idmap(void) - - /* instruct request_key() to use this special keyring as a cache for - * the results it looks up */ -+ set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags); - cred->thread_keyring = keyring; - cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING; - root_cred = cred; -diff -up linux-3.1.x86_64/fs/nfs/idmap.c.orig linux-3.1.x86_64/fs/nfs/idmap.c ---- linux-3.1.x86_64/fs/nfs/idmap.c.orig 2011-12-13 12:54:14.657203507 -0500 -+++ linux-3.1.x86_64/fs/nfs/idmap.c 2011-12-13 15:10:14.731681691 -0500 -@@ -115,6 +115,7 @@ int nfs_idmap_init(void) - if (ret < 0) - goto failed_put_key; - -+ set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags); - cred->thread_keyring = keyring; - cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING; - id_resolver_cache = cred; -@@ -185,7 +186,7 @@ static ssize_t nfs_idmap_request_key(con - } - - rcu_read_lock(); -- rkey->perm |= KEY_USR_VIEW; -+ rkey->perm |= KEY_USR_VIEW|KEY_USR_WRITE; - - ret = key_validate(rkey); - if (ret < 0) -diff -up linux-3.1.x86_64/include/linux/key.h.orig linux-3.1.x86_64/include/linux/key.h ---- linux-3.1.x86_64/include/linux/key.h.orig 2011-10-24 03:10:05.000000000 -0400 -+++ linux-3.1.x86_64/include/linux/key.h 2011-12-13 15:09:35.748767078 -0500 -@@ -155,6 +155,7 @@ struct key { - #define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */ - #define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */ - #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */ -+#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */ - - /* the description string - * - this is used to match a key against search criteria -diff -up linux-3.1.x86_64/net/dns_resolver/dns_key.c.orig linux-3.1.x86_64/net/dns_resolver/dns_key.c ---- linux-3.1.x86_64/net/dns_resolver/dns_key.c.orig 2011-10-24 03:10:05.000000000 -0400 -+++ linux-3.1.x86_64/net/dns_resolver/dns_key.c 2011-12-13 15:09:35.748767078 -0500 -@@ -281,6 +281,7 @@ static int __init init_dns_resolver(void - - /* instruct request_key() to use this special keyring as a cache for - * the results it looks up */ -+ set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags); - cred->thread_keyring = keyring; - cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING; - dns_resolver_cache = cred; -diff -up linux-3.1.x86_64/security/keys/keyctl.c.orig linux-3.1.x86_64/security/keys/keyctl.c ---- linux-3.1.x86_64/security/keys/keyctl.c.orig 2011-12-13 12:54:30.322571289 -0500 -+++ linux-3.1.x86_64/security/keys/keyctl.c 2011-12-13 15:09:35.756767271 -0500 -@@ -388,11 +388,24 @@ long keyctl_keyring_clear(key_serial_t r - keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE); - if (IS_ERR(keyring_ref)) { - ret = PTR_ERR(keyring_ref); -+ -+ /* Root is permitted to invalidate certain special keyrings */ -+ if (capable(CAP_SYS_ADMIN)) { -+ keyring_ref = lookup_user_key(ringid, 0, 0); -+ if (IS_ERR(keyring_ref)) -+ goto error; -+ if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, -+ &key_ref_to_ptr(keyring_ref)->flags)) -+ goto clear; -+ goto error_put; -+ } -+ - goto error; - } - -+clear: - ret = keyring_clear(key_ref_to_ptr(keyring_ref)); -- -+error_put: - key_ref_put(keyring_ref); - error: - return ret; |