From d3600bcf9d64d88dc1d189a754dcfab960ce751f Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Tue, 10 Nov 2015 08:34:46 -0500 Subject: KEYS: prevent keys from being removed from specified keyrings Userspace should not be allowed to remove keys from certain keyrings (eg. blacklist), though the keys themselves can expire. This patch defines a new key flag named KEY_FLAG_KEEP to prevent userspace from being able to unlink, revoke, invalidate or timed out a key on a keyring. When this flag is set on the keyring, all keys subsequently added are flagged. In addition, when this flag is set, the keyring itself can not be cleared. Signed-off-by: Mimi Zohar Cc: David Howells --- security/keys/key.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'security/keys/key.c') diff --git a/security/keys/key.c b/security/keys/key.c index ab7997ded725..09ef276c4bdc 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -429,8 +429,12 @@ static int __key_instantiate_and_link(struct key *key, awaken = 1; /* and link it into the destination keyring */ - if (keyring) + if (keyring) { + if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) + set_bit(KEY_FLAG_KEEP, &key->flags); + __key_link(key, _edit); + } /* disable the authorisation key */ if (authkey) -- cgit v1.2.3 From 1d6d167c2efcfe9539d9cffb1a1be9c92e39c2c0 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Thu, 7 Jan 2016 07:46:36 -0500 Subject: KEYS: refcount bug fix This patch fixes the key_ref leak, removes the unnecessary KEY_FLAG_KEEP test before setting the flag, and cleans up the if/then brackets style introduced in commit: d3600bc KEYS: prevent keys from being removed from specified keyrings Reported-by: David Howells Signed-off-by: Mimi Zohar Acked-by: David Howells --- security/keys/key.c | 3 +-- security/keys/keyctl.c | 17 +++++++---------- 2 files changed, 8 insertions(+), 12 deletions(-) (limited to 'security/keys/key.c') diff --git a/security/keys/key.c b/security/keys/key.c index 09ef276c4bdc..07a87311055c 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -430,8 +430,7 @@ static int __key_instantiate_and_link(struct key *key, /* and link it into the destination keyring */ if (keyring) { - if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) - set_bit(KEY_FLAG_KEEP, &key->flags); + set_bit(KEY_FLAG_KEEP, &key->flags); __key_link(key, _edit); } diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index e83ec6b9eb9d..8f9f323f372b 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -381,12 +381,11 @@ long keyctl_revoke_key(key_serial_t id) } key = key_ref_to_ptr(key_ref); + ret = 0; if (test_bit(KEY_FLAG_KEEP, &key->flags)) - return -EPERM; - else { + ret = -EPERM; + else key_revoke(key); - ret = 0; - } key_ref_put(key_ref); error: @@ -432,12 +431,11 @@ long keyctl_invalidate_key(key_serial_t id) invalidate: key = key_ref_to_ptr(key_ref); + ret = 0; if (test_bit(KEY_FLAG_KEEP, &key->flags)) ret = -EPERM; - else { + else key_invalidate(key); - ret = 0; - } error_put: key_ref_put(key_ref); error: @@ -1352,12 +1350,11 @@ long keyctl_set_timeout(key_serial_t id, unsigned timeout) okay: key = key_ref_to_ptr(key_ref); + ret = 0; if (test_bit(KEY_FLAG_KEEP, &key->flags)) ret = -EPERM; - else { + else key_set_timeout(key, timeout); - ret = 0; - } key_put(key); error: -- cgit v1.2.3 From eee045021fb22aeac7f5d6f2092430b530c880ee Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 27 Jan 2016 01:02:03 +0000 Subject: KEYS: Only apply KEY_FLAG_KEEP to a key if a parent keyring has it set KEY_FLAG_KEEP should only be applied to a key if the keyring it is being linked into has KEY_FLAG_KEEP set. To this end, partially revert the following patch: commit 1d6d167c2efcfe9539d9cffb1a1be9c92e39c2c0 Author: Mimi Zohar Date: Thu Jan 7 07:46:36 2016 -0500 KEYS: refcount bug fix to undo the change that made it unconditional (Mimi got it right the first time). Without undoing this change, it becomes impossible to delete, revoke or invalidate keys added to keyrings through __key_instantiate_and_link() where the keyring has itself been linked to. To test this, run the following command sequence: keyctl newring foo @s keyctl add user a a %:foo keyctl unlink %user:a %:foo keyctl clear %:foo With the commit mentioned above the third and fourth commands fail with EPERM when they should succeed. Reported-by: Stephen Gallager Signed-off-by: David Howells Acked-by: Mimi Zohar cc: Mimi Zohar cc: keyrings@vger.kernel.org cc: stable@vger.kernel.org Signed-off-by: James Morris --- security/keys/key.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'security/keys/key.c') diff --git a/security/keys/key.c b/security/keys/key.c index 07a87311055c..09ef276c4bdc 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -430,7 +430,8 @@ static int __key_instantiate_and_link(struct key *key, /* and link it into the destination keyring */ if (keyring) { - set_bit(KEY_FLAG_KEEP, &key->flags); + if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) + set_bit(KEY_FLAG_KEEP, &key->flags); __key_link(key, _edit); } -- cgit v1.2.3