LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: David Howells <dhowells@redhat.com>
To: Trond.Myklebust@netapp.com, chuck.lever@oracle.com,
	casey@schaufler-ca.com
Cc: nfsv4@linux-nfs.org, linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, selinux@tycho.nsa.gov,
	linux-security-module@vger.kernel.org, dhowells@redhat.com
Subject: [PATCH 02/37] KEYS: Check starting keyring as part of search [ver #34]
Date: Fri, 29 Feb 2008 00:43:44 +0000	[thread overview]
Message-ID: <20080229004343.4142.27423.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <20080229004332.4142.51771.stgit@warthog.procyon.org.uk>

Check the starting keyring as part of the search to (a) see if that is what
we're searching for, and (b) to check it is still valid for searching.

The scenario:  User in process A does things that cause things to be
created in its process session keyring.  The user then does an su to
another user and starts a new process, B.  The two processes now
share the same process session keyring.

Process B does an NFS access which results in an upcall to gssd.
When gssd attempts to instantiate the context key (to be linked
into the process session keyring), it is denied access even though it
has an authorization key.

The order of calls is:

   keyctl_instantiate_key()
      lookup_user_key()				    (the default: case)
         search_process_keyrings(current)
	    search_process_keyrings(rka->context)   (recursive call)
	       keyring_search_aux()

keyring_search_aux() verifies the keys and keyrings underneath the
top-level keyring it is given, but that top-level keyring is neither
fully validated nor checked to see if it is the thing being searched for.

This patch changes keyring_search_aux() to:
1) do more validation on the top keyring it is given and
2) check whether that top-level keyring is the thing being searched for


Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: David Howells <dhowells@redhat.com>
---

 security/keys/keyring.c |   35 +++++++++++++++++++++++++++++++----
 1 files changed, 31 insertions(+), 4 deletions(-)


diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 88292e3..76b89b2 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -292,7 +292,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
 
 	struct keyring_list *keylist;
 	struct timespec now;
-	unsigned long possessed;
+	unsigned long possessed, kflags;
 	struct key *keyring, *key;
 	key_ref_t key_ref;
 	long err;
@@ -318,6 +318,32 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
 	now = current_kernel_time();
 	err = -EAGAIN;
 	sp = 0;
+	
+	/* firstly we should check to see if this top-level keyring is what we
+	 * are looking for */
+	key_ref = ERR_PTR(-EAGAIN);
+	kflags = keyring->flags;
+	if (keyring->type == type && match(keyring, description)) {
+		key = keyring;
+
+		/* check it isn't negative and hasn't expired or been
+		 * revoked */
+		if (kflags & (1 << KEY_FLAG_REVOKED))
+			goto error_2;
+		if (key->expiry && now.tv_sec >= key->expiry)
+			goto error_2;
+		key_ref = ERR_PTR(-ENOKEY);
+		if (kflags & (1 << KEY_FLAG_NEGATIVE))
+			goto error_2;
+		goto found;
+	}
+
+	/* otherwise, the top keyring must not be revoked, expired, or
+	 * negatively instantiated if we are to search it */
+	key_ref = ERR_PTR(-EAGAIN);
+	if (kflags & ((1 << KEY_FLAG_REVOKED) | (1 << KEY_FLAG_NEGATIVE)) ||
+	    (keyring->expiry && now.tv_sec >= keyring->expiry))
+		goto error_2;
 
 	/* start processing a new keyring */
 descend:
@@ -331,13 +357,14 @@ descend:
 	/* iterate through the keys in this keyring first */
 	for (kix = 0; kix < keylist->nkeys; kix++) {
 		key = keylist->keys[kix];
+		kflags = key->flags;
 
 		/* ignore keys not of this type */
 		if (key->type != type)
 			continue;
 
 		/* skip revoked keys and expired keys */
-		if (test_bit(KEY_FLAG_REVOKED, &key->flags))
+		if (kflags & (1 << KEY_FLAG_REVOKED))
 			continue;
 
 		if (key->expiry && now.tv_sec >= key->expiry)
@@ -352,8 +379,8 @@ descend:
 					context, KEY_SEARCH) < 0)
 			continue;
 
-		/* we set a different error code if we find a negative key */
-		if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
+		/* we set a different error code if we pass a negative key */
+		if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
 			err = -ENOKEY;
 			continue;
 		}


  parent reply	other threads:[~2008-02-29  0:46 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-02-29  0:43 [PATCH 00/37] Permit filesystem local caching " David Howells
2008-02-29  0:43 ` [PATCH 01/37] KEYS: Increase the payload size when instantiating a key " David Howells
2008-02-29  0:43 ` David Howells [this message]
2008-02-29  0:43 ` [PATCH 03/37] KEYS: Allow the callout data to be passed as a blob rather than a string " David Howells
2008-02-29  0:43 ` [PATCH 04/37] KEYS: Add keyctl function to get a security label " David Howells
2008-02-29  0:44 ` [PATCH 05/37] Security: Change current->fs[ug]id to current_fs[ug]id() " David Howells
2008-02-29  0:44 ` [PATCH 06/37] Security: Separate task security context from task_struct " David Howells
2008-02-29  0:44 ` [PATCH 07/37] Security: De-embed task security record from task and use refcounting " David Howells
2008-02-29  0:44 ` [PATCH 08/37] Security: Add a kernel_service object class to SELinux " David Howells
2008-02-29  0:44 ` [PATCH 09/37] Security: Allow kernel services to override LSM settings for task actions " David Howells
2008-02-29  0:44 ` [PATCH 10/37] Security: Make NFSD work with detached security " David Howells
2008-02-29  0:44 ` [PATCH 11/37] FS-Cache: Release page->private after failed readahead " David Howells
2008-02-29  0:44 ` [PATCH 12/37] FS-Cache: Recruit a couple of page flags for cache management " David Howells
2008-02-29  0:44 ` [PATCH 13/37] FS-Cache: Provide an add_wait_queue_tail() function " David Howells
2008-02-29  0:44 ` [PATCH 14/37] FS-Cache: Generic filesystem caching facility " David Howells
2008-02-29  0:44 ` [PATCH 15/37] CacheFiles: Add missing copy_page export for ia64 " David Howells
2008-02-29  0:44 ` [PATCH 16/37] CacheFiles: Be consistent about the use of mapping vs file->f_mapping in Ext3 " David Howells
2008-02-29  0:45 ` [PATCH 17/37] CacheFiles: Add a hook to write a single page of data to an inode " David Howells
2008-02-29  0:45 ` [PATCH 18/37] CacheFiles: Permit the page lock state to be monitored " David Howells
2008-02-29  0:45 ` [PATCH 19/37] CacheFiles: Export things for CacheFiles " David Howells
2008-02-29  0:45 ` [PATCH 20/37] CacheFiles: A cache that backs onto a mounted filesystem " David Howells
2008-02-29  0:45 ` [PATCH 21/37] NFS: Add comment banners to some NFS functions " David Howells
2008-02-29  0:45 ` [PATCH 22/37] NFS: Add FS-Cache option bit and debug bit " David Howells
2008-02-29  0:45 ` [PATCH 23/37] NFS: Permit local filesystem caching to be enabled for NFS " David Howells
2008-02-29  0:45 ` [PATCH 24/37] NFS: Register NFS for caching and retrieve the top-level index " David Howells
2008-02-29  0:45 ` [PATCH 25/37] NFS: Define and create server-level objects " David Howells
2008-02-29  0:45 ` [PATCH 26/37] NFS: Define and create superblock-level " David Howells
2008-02-29  0:45 ` [PATCH 27/37] NFS: Define and create inode-level cache " David Howells
2008-02-29  0:46 ` [PATCH 28/37] NFS: Use local disk inode cache " David Howells
2008-02-29  0:46 ` [PATCH 29/37] NFS: Invalidate FsCache page flags when cache removed " David Howells
2008-02-29  0:46 ` [PATCH 30/37] NFS: Add some new I/O event counters for FS-Cache events " David Howells
2008-02-29  0:46 ` [PATCH 31/37] NFS: FS-Cache page management " David Howells
2008-02-29  0:46 ` [PATCH 32/37] NFS: Add read context retention for FS-Cache to call back with " David Howells
2008-02-29  0:46 ` [PATCH 33/37] NFS: nfs_readpage_async() needs to be accessible as a fallback for local caching " David Howells
2008-02-29  0:46 ` [PATCH 34/37] NFS: Read pages from FS-Cache into an NFS inode " David Howells
2008-02-29  0:46 ` [PATCH 35/37] NFS: Store pages from an NFS inode into a local cache " David Howells
2008-02-29  0:46 ` [PATCH 36/37] NFS: Display local caching state " David Howells
2008-02-29  0:46 ` [PATCH 37/37] NFS: Add mount options to enable local caching on NFS " David Howells
2008-03-19 17:12 ` Performance degradation measurement [was Re: [PATCH 06/37] Security: Separate task security context from task_struct [ver #34]] David Howells
2008-03-23  5:17   ` Valdis.Kletnieks
2008-03-23 12:40   ` David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080229004343.4142.27423.stgit@warthog.procyon.org.uk \
    --to=dhowells@redhat.com \
    --cc=Trond.Myklebust@netapp.com \
    --cc=casey@schaufler-ca.com \
    --cc=chuck.lever@oracle.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nfsv4@linux-nfs.org \
    --cc=selinux@tycho.nsa.gov \
    --subject='Re: [PATCH 02/37] KEYS: Check starting keyring as part of search [ver #34]' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).