Commit 633706a2 authored by David Howells's avatar David Howells

Merge branch 'keys-fixes' into keys-next

Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parents 64724cfc 0d1f64f6
...@@ -22,7 +22,6 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE ...@@ -22,7 +22,6 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
config PUBLIC_KEY_ALGO_RSA config PUBLIC_KEY_ALGO_RSA
tristate "RSA public-key algorithm" tristate "RSA public-key algorithm"
select MPILIB_EXTRA
select MPILIB select MPILIB
help help
This option enables support for the RSA algorithm (PKCS#1, RFC3447). This option enables support for the RSA algorithm (PKCS#1, RFC3447).
......
...@@ -284,6 +284,8 @@ static struct key *nfs_idmap_request_key(const char *name, size_t namelen, ...@@ -284,6 +284,8 @@ static struct key *nfs_idmap_request_key(const char *name, size_t namelen,
desc, "", 0, idmap); desc, "", 0, idmap);
mutex_unlock(&idmap->idmap_mutex); mutex_unlock(&idmap->idmap_mutex);
} }
if (!IS_ERR(rkey))
set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
kfree(desc); kfree(desc);
return rkey; return rkey;
......
...@@ -171,6 +171,7 @@ struct key { ...@@ -171,6 +171,7 @@ struct key {
#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */ #define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
#define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */ #define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */
#define KEY_FLAG_BUILTIN 10 /* set if key is builtin */ #define KEY_FLAG_BUILTIN 10 /* set if key is builtin */
#define KEY_FLAG_ROOT_CAN_INVAL 11 /* set if key can be invalidated by root without permission */
/* the key type and key description string /* the key type and key description string
* - the desc is used to match a key against search criteria * - the desc is used to match a key against search criteria
......
...@@ -451,7 +451,8 @@ config MPILIB ...@@ -451,7 +451,8 @@ config MPILIB
config SIGNATURE config SIGNATURE
tristate tristate
depends on KEYS && CRYPTO depends on KEYS
select CRYPTO
select CRYPTO_SHA1 select CRYPTO_SHA1
select MPILIB select MPILIB
help help
......
...@@ -129,6 +129,7 @@ int dns_query(const char *type, const char *name, size_t namelen, ...@@ -129,6 +129,7 @@ int dns_query(const char *type, const char *name, size_t namelen,
} }
down_read(&rkey->sem); down_read(&rkey->sem);
set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
rkey->perm |= KEY_USR_VIEW; rkey->perm |= KEY_USR_VIEW;
ret = key_validate(rkey); ret = key_validate(rkey);
......
...@@ -406,12 +406,25 @@ long keyctl_invalidate_key(key_serial_t id) ...@@ -406,12 +406,25 @@ long keyctl_invalidate_key(key_serial_t id)
key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
if (IS_ERR(key_ref)) { if (IS_ERR(key_ref)) {
ret = PTR_ERR(key_ref); ret = PTR_ERR(key_ref);
/* Root is permitted to invalidate certain special keys */
if (capable(CAP_SYS_ADMIN)) {
key_ref = lookup_user_key(id, 0, 0);
if (IS_ERR(key_ref))
goto error; goto error;
if (test_bit(KEY_FLAG_ROOT_CAN_INVAL,
&key_ref_to_ptr(key_ref)->flags))
goto invalidate;
goto error_put;
} }
goto error;
}
invalidate:
key_invalidate(key_ref_to_ptr(key_ref)); key_invalidate(key_ref_to_ptr(key_ref));
ret = 0; ret = 0;
error_put:
key_ref_put(key_ref); key_ref_put(key_ref);
error: error:
kleave(" = %ld", ret); kleave(" = %ld", ret);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment