• Jeff Layton's avatar
    keys: add a "logon" key type · 9f6ed2ca
    Jeff Layton authored
    For CIFS, we want to be able to store NTLM credentials (aka username
    and password) in the keyring. We do not, however want to allow users
    to fetch those keys back out of the keyring since that would be a
    security risk.
    
    Unfortunately, due to the nuances of key permission bits, it's not
    possible to do this. We need to grant search permissions so the kernel
    can find these keys, but that also implies permissions to read the
    payload.
    
    Resolve this by adding a new key_type. This key type is essentially
    the same as key_type_user, but does not define a .read op. This
    prevents the payload from ever being visible from userspace. This
    key type also vets the description to ensure that it's "qualified"
    by checking to ensure that it has a ':' in it that is preceded by
    other characters.
    Acked-by: default avatarDavid Howells <dhowells@redhat.com>
    Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
    Signed-off-by: default avatarSteve French <smfrench@gmail.com>
    9f6ed2ca
key.c 25.9 KB