Commit 61ea0c0b authored by David Howells's avatar David Howells

KEYS: Skip key state checks when checking for possession

Skip key state checks (invalidation, revocation and expiration) when checking
for possession.  Without this, keys that have been marked invalid, revoked
keys and expired keys are not given a possession attribute - which means the
possessor is not granted any possession permits and cannot do anything with
them unless they also have one a user, group or other permit.

This causes failures in the keyutils test suite's revocation and expiration
tests now that commit 96b5c8fe reduced the
initial permissions granted to a key.

The failures are due to accesses to revoked and expired keys being given
EACCES instead of EKEYREVOKED or EKEYEXPIRED.
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent 5a5f2acf
...@@ -124,6 +124,7 @@ extern key_ref_t search_my_process_keyrings(struct key_type *type, ...@@ -124,6 +124,7 @@ extern key_ref_t search_my_process_keyrings(struct key_type *type,
extern key_ref_t search_process_keyrings(struct key_type *type, extern key_ref_t search_process_keyrings(struct key_type *type,
const void *description, const void *description,
key_match_func_t match, key_match_func_t match,
bool no_state_check,
const struct cred *cred); const struct cred *cred);
extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check); extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
......
...@@ -440,6 +440,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type, ...@@ -440,6 +440,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
key_ref_t search_process_keyrings(struct key_type *type, key_ref_t search_process_keyrings(struct key_type *type,
const void *description, const void *description,
key_match_func_t match, key_match_func_t match,
bool no_state_check,
const struct cred *cred) const struct cred *cred)
{ {
struct request_key_auth *rka; struct request_key_auth *rka;
...@@ -448,7 +449,7 @@ key_ref_t search_process_keyrings(struct key_type *type, ...@@ -448,7 +449,7 @@ key_ref_t search_process_keyrings(struct key_type *type,
might_sleep(); might_sleep();
key_ref = search_my_process_keyrings(type, description, match, key_ref = search_my_process_keyrings(type, description, match,
false, cred); no_state_check, cred);
if (!IS_ERR(key_ref)) if (!IS_ERR(key_ref))
goto found; goto found;
err = key_ref; err = key_ref;
...@@ -468,7 +469,8 @@ key_ref_t search_process_keyrings(struct key_type *type, ...@@ -468,7 +469,8 @@ key_ref_t search_process_keyrings(struct key_type *type,
rka = cred->request_key_auth->payload.data; rka = cred->request_key_auth->payload.data;
key_ref = search_process_keyrings(type, description, key_ref = search_process_keyrings(type, description,
match, rka->cred); match, no_state_check,
rka->cred);
up_read(&cred->request_key_auth->sem); up_read(&cred->request_key_auth->sem);
...@@ -675,7 +677,7 @@ key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, ...@@ -675,7 +677,7 @@ key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
/* check to see if we possess the key */ /* check to see if we possess the key */
skey_ref = search_process_keyrings(key->type, key, skey_ref = search_process_keyrings(key->type, key,
lookup_user_key_possessed, lookup_user_key_possessed,
cred); true, cred);
if (!IS_ERR(skey_ref)) { if (!IS_ERR(skey_ref)) {
key_put(key); key_put(key);
......
...@@ -390,7 +390,8 @@ static int construct_alloc_key(struct key_type *type, ...@@ -390,7 +390,8 @@ static int construct_alloc_key(struct key_type *type,
* waited for locks */ * waited for locks */
mutex_lock(&key_construction_mutex); mutex_lock(&key_construction_mutex);
key_ref = search_process_keyrings(type, description, type->match, cred); key_ref = search_process_keyrings(type, description, type->match,
false, cred);
if (!IS_ERR(key_ref)) if (!IS_ERR(key_ref))
goto key_already_present; goto key_already_present;
...@@ -539,7 +540,8 @@ struct key *request_key_and_link(struct key_type *type, ...@@ -539,7 +540,8 @@ struct key *request_key_and_link(struct key_type *type,
dest_keyring, flags); dest_keyring, flags);
/* search all the process keyrings for a key */ /* search all the process keyrings for a key */
key_ref = search_process_keyrings(type, description, type->match, cred); key_ref = search_process_keyrings(type, description, type->match,
false, cred);
if (!IS_ERR(key_ref)) { if (!IS_ERR(key_ref)) {
key = key_ref_to_ptr(key_ref); key = key_ref_to_ptr(key_ref);
......
...@@ -247,7 +247,7 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id) ...@@ -247,7 +247,7 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id)
&key_type_request_key_auth, &key_type_request_key_auth,
(void *) (unsigned long) target_id, (void *) (unsigned long) target_id,
key_get_instantiation_authkey_match, key_get_instantiation_authkey_match,
cred); false, cred);
if (IS_ERR(authkey_ref)) { if (IS_ERR(authkey_ref)) {
authkey = ERR_CAST(authkey_ref); authkey = ERR_CAST(authkey_ref);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment