summaryrefslogtreecommitdiffstats
path: root/linux-3.1-keys-remove-special-keyring.patch
diff options
context:
space:
mode:
authorDave Jones <davej@redhat.com>2011-12-14 15:48:10 -0500
committerDave Jones <davej@redhat.com>2011-12-14 15:48:10 -0500
commitf3fbdcb713c55e0ae54b46e3af628d472df51c54 (patch)
tree3f67b082ab2b7a8b3afdb8da0743d7995e580ff7 /linux-3.1-keys-remove-special-keyring.patch
parent59806edb4d89586894ad7a52e4bc13656ff49a9c (diff)
downloadkernel-f3fbdcb713c55e0ae54b46e3af628d472df51c54.tar.gz
kernel-f3fbdcb713c55e0ae54b46e3af628d472df51c54.tar.xz
kernel-f3fbdcb713c55e0ae54b46e3af628d472df51c54.zip
Enabled the in-kernel idmapper.
keyring: allow special keyrings to be cleared
Diffstat (limited to 'linux-3.1-keys-remove-special-keyring.patch')
-rw-r--r--linux-3.1-keys-remove-special-keyring.patch110
1 files changed, 110 insertions, 0 deletions
diff --git a/linux-3.1-keys-remove-special-keyring.patch b/linux-3.1-keys-remove-special-keyring.patch
new file mode 100644
index 000000000..4e7f1395b
--- /dev/null
+++ b/linux-3.1-keys-remove-special-keyring.patch
@@ -0,0 +1,110 @@
+diff -up linux-3.1.x86_64/Documentation/networking/dns_resolver.txt.orig linux-3.1.x86_64/Documentation/networking/dns_resolver.txt
+--- linux-3.1.x86_64/Documentation/networking/dns_resolver.txt.orig 2011-10-24 03:10:05.000000000 -0400
++++ linux-3.1.x86_64/Documentation/networking/dns_resolver.txt 2011-12-13 15:09:35.705766078 -0500
+@@ -102,6 +102,10 @@ implemented in the module can be called
+ If _expiry is non-NULL, the expiry time (TTL) of the result will be
+ returned also.
+
++The kernel maintains an internal keyring in which it caches looked up keys.
++This can be cleared by any process that has the CAP_SYS_ADMIN capability by
++the use of KEYCTL_KEYRING_CLEAR on the keyring ID.
++
+
+ ===============================
+ READING DNS KEYS FROM USERSPACE
+diff -up linux-3.1.x86_64/Documentation/security/keys.txt.orig linux-3.1.x86_64/Documentation/security/keys.txt
+--- linux-3.1.x86_64/Documentation/security/keys.txt.orig 2011-10-24 03:10:05.000000000 -0400
++++ linux-3.1.x86_64/Documentation/security/keys.txt 2011-12-13 15:09:35.706766099 -0500
+@@ -554,6 +554,10 @@ The keyctl syscall functions are:
+ process must have write permission on the keyring, and it must be a
+ keyring (or else error ENOTDIR will result).
+
++ This function can also be used to clear special kernel keyrings if they
++ are appropriately marked if the user has CAP_SYS_ADMIN capability. The
++ DNS resolver cache keyring is an example of this.
++
+
+ (*) Link a key into a keyring:
+
+diff -up linux-3.1.x86_64/fs/cifs/cifsacl.c.orig linux-3.1.x86_64/fs/cifs/cifsacl.c
+--- linux-3.1.x86_64/fs/cifs/cifsacl.c.orig 2011-12-13 12:54:12.221145867 -0500
++++ linux-3.1.x86_64/fs/cifs/cifsacl.c 2011-12-13 15:09:35.707766122 -0500
+@@ -556,6 +556,7 @@ init_cifs_idmap(void)
+
+ /* instruct request_key() to use this special keyring as a cache for
+ * the results it looks up */
++ set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
+ cred->thread_keyring = keyring;
+ cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
+ root_cred = cred;
+diff -up linux-3.1.x86_64/fs/nfs/idmap.c.orig linux-3.1.x86_64/fs/nfs/idmap.c
+--- linux-3.1.x86_64/fs/nfs/idmap.c.orig 2011-12-13 12:54:14.657203507 -0500
++++ linux-3.1.x86_64/fs/nfs/idmap.c 2011-12-13 15:10:14.731681691 -0500
+@@ -115,6 +115,7 @@ int nfs_idmap_init(void)
+ if (ret < 0)
+ goto failed_put_key;
+
++ set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
+ cred->thread_keyring = keyring;
+ cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
+ id_resolver_cache = cred;
+@@ -185,7 +186,7 @@ static ssize_t nfs_idmap_request_key(con
+ }
+
+ rcu_read_lock();
+- rkey->perm |= KEY_USR_VIEW;
++ rkey->perm |= KEY_USR_VIEW|KEY_USR_WRITE;
+
+ ret = key_validate(rkey);
+ if (ret < 0)
+diff -up linux-3.1.x86_64/include/linux/key.h.orig linux-3.1.x86_64/include/linux/key.h
+--- linux-3.1.x86_64/include/linux/key.h.orig 2011-10-24 03:10:05.000000000 -0400
++++ linux-3.1.x86_64/include/linux/key.h 2011-12-13 15:09:35.748767078 -0500
+@@ -155,6 +155,7 @@ struct key {
+ #define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */
+ #define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */
+ #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
++#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
+
+ /* the description string
+ * - this is used to match a key against search criteria
+diff -up linux-3.1.x86_64/net/dns_resolver/dns_key.c.orig linux-3.1.x86_64/net/dns_resolver/dns_key.c
+--- linux-3.1.x86_64/net/dns_resolver/dns_key.c.orig 2011-10-24 03:10:05.000000000 -0400
++++ linux-3.1.x86_64/net/dns_resolver/dns_key.c 2011-12-13 15:09:35.748767078 -0500
+@@ -281,6 +281,7 @@ static int __init init_dns_resolver(void
+
+ /* instruct request_key() to use this special keyring as a cache for
+ * the results it looks up */
++ set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
+ cred->thread_keyring = keyring;
+ cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
+ dns_resolver_cache = cred;
+diff -up linux-3.1.x86_64/security/keys/keyctl.c.orig linux-3.1.x86_64/security/keys/keyctl.c
+--- linux-3.1.x86_64/security/keys/keyctl.c.orig 2011-12-13 12:54:30.322571289 -0500
++++ linux-3.1.x86_64/security/keys/keyctl.c 2011-12-13 15:09:35.756767271 -0500
+@@ -388,11 +388,24 @@ long keyctl_keyring_clear(key_serial_t r
+ keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
+ if (IS_ERR(keyring_ref)) {
+ ret = PTR_ERR(keyring_ref);
++
++ /* Root is permitted to invalidate certain special keyrings */
++ if (capable(CAP_SYS_ADMIN)) {
++ keyring_ref = lookup_user_key(ringid, 0, 0);
++ if (IS_ERR(keyring_ref))
++ goto error;
++ if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,
++ &key_ref_to_ptr(keyring_ref)->flags))
++ goto clear;
++ goto error_put;
++ }
++
+ goto error;
+ }
+
++clear:
+ ret = keyring_clear(key_ref_to_ptr(keyring_ref));
+-
++error_put:
+ key_ref_put(keyring_ref);
+ error:
+ return ret;