linux/security/keys/keyctl.c, branch v2.6.19

[PATCH] Keys: Allow in-kernel key requestor to pass auxiliary data to upcaller

2006-06-29T17:26:20Z

The proposed NFS key type uses its own method of passing key requests to userspace (upcalling) rather than invoking /sbin/request-key. This is because the responsible userspace daemon should already be running and will be contacted through rpc_pipefs. This patch permits the NFS filesystem to pass auxiliary data to the upcall operation (struct key_type::request_key) so that the upcaller can use a pre-existing communications channel more easily. Signed-off-by: David Howells Acked-By: Kevin Coffman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] keys: let keyctl_chown() change a key's owner

2006-06-26T16:58:18Z

Let keyctl_chown() change a key's owner, including attempting to transfer the quota burden to the new user. Signed-off-by: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] keys: sort out key quota system

2006-06-26T16:58:18Z

Add the ability for key creation to overrun the user's quota in some circumstances - notably when a session keyring is created and assigned to a process that didn't previously have one. This means it's still possible to log in, should PAM require the creation of a new session keyring, and fix an overburdened key quota. Signed-off-by: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] strndup_user: convert keyctl

2006-03-24T15:33:31Z

Copies user-space string with strndup_user() and moves the type string duplication code to a function (thus fixing a wrong check on the length of the type.) Signed-off-by: Davi Arnaut Cc: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] Fix keyctl usage of strnlen_user()

2006-02-03T16:32:10Z

In the small window between strnlen_user() and copy_from_user() userspace could alter the terminating `\0' character. Signed-off-by: Davi Arnaut Cc: David Howells Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] move capable() to capability.h

2006-01-12T02:42:13Z

- Move capable() from sched.h to capability.h; - Use where capable() is used (in include/, block/, ipc/, kernel/, a few drivers/, mm/, security/, & sound/; many more drivers/ to go) Signed-off-by: Randy Dunlap Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] keys: Permit running process to instantiate keys

2006-01-09T04:13:53Z

Make it possible for a running process (such as gssapid) to be able to instantiate a key, as was requested by Trond Myklebust for NFS4. The patch makes the following changes: (1) A new, optional key type method has been added. This permits a key type to intercept requests at the point /sbin/request-key is about to be spawned and do something else with them - passing them over the rpc_pipefs files or netlink sockets for instance. The uninstantiated key, the authorisation key and the intended operation name are passed to the method. (2) The callout_info is no longer passed as an argument to /sbin/request-key to prevent unauthorised viewing of this data using ps or by looking in /proc/pid/cmdline. This means that the old /sbin/request-key program will not work with the patched kernel as it will expect to see an extra argument that is no longer there. A revised keyutils package will be made available tomorrow. (3) The callout_info is now attached to the authorisation key. Reading this key will retrieve the information. (4) A new field has been added to the task_struct. This holds the authorisation key currently active for a thread. Searches now look here for the caller's set of keys rather than looking for an auth key in the lowest level of the session keyring. This permits a thread to be servicing multiple requests at once and to switch between them. Note that this is per-thread, not per-process, and so is usable in multithreaded programs. The setting of this field is inherited across fork and exec. (5) A new keyctl function (KEYCTL_ASSUME_AUTHORITY) has been added that permits a thread to assume the authority to deal with an uninstantiated key. Assumption is only permitted if the authorisation key associated with the uninstantiated key is somewhere in the thread's keyrings. This function can also clear the assumption. (6) A new magic key specifier has been added to refer to the currently assumed authorisation key (KEY_SPEC_REQKEY_AUTH_KEY). (7) Instantiation will only proceed if the appropriate authorisation key is assumed first. The assumed authorisation key is discarded if instantiation is successful. (8) key_validate() is moved from the file of request_key functions to the file of permissions functions. (9) The documentation is updated. From: Build fix. Signed-off-by: David Howells Cc: Trond Myklebust Cc: Alexander Zangerl Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] keys: Permit key expiry time to be set

2006-01-09T04:13:53Z

Add a new keyctl function that allows the expiry time to be set on a key or removed from a key, provided the caller has attribute modification access. Signed-off-by: David Howells Cc: Trond Myklebust Cc: Alexander Zangerl Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] Keys: Add LSM hooks for key management [try #3]

2005-10-31T01:37:23Z

The attached patch adds LSM hooks for key management facilities. The notable changes are: (1) The key struct now supports a security pointer for the use of security modules. This will permit key labelling and restrictions on which programs may access a key. (2) Security modules get a chance to note (or abort) the allocation of a key. (3) The key permission checking can now be enhanced by the security modules; the permissions check consults LSM if all other checks bear out. (4) The key permissions checking functions now return an error code rather than a boolean value. (5) An extra permission has been added to govern the modification of attributes (UID, GID, permissions). Note that there isn't an LSM hook specifically for each keyctl() operation, but rather the permissions hook allows control of individual operations based on the permission request bits. Key management access control through LSM is enabled by automatically if both CONFIG_KEYS and CONFIG_SECURITY are enabled. This should be applied on top of the patch ensubjected: [PATCH] Keys: Possessor permissions should be additive Signed-Off-By: David Howells Signed-off-by: Chris Wright Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] Keys: Add possessor permissions to keys [try #3]

2005-09-28T16:10:47Z

The attached patch adds extra permission grants to keys for the possessor of a key in addition to the owner, group and other permissions bits. This makes SUID binaries easier to support without going as far as labelling keys and key targets using the LSM facilities. This patch adds a second "pointer type" to key structures (struct key_ref *) that can have the bottom bit of the address set to indicate the possession of a key. This is propagated through searches from the keyring to the discovered key. It has been made a separate type so that the compiler can spot attempts to dereference a potentially incorrect pointer. The "possession" attribute can't be attached to a key structure directly as it's not an intrinsic property of a key. Pointers to keys have been replaced with struct key_ref *'s wherever possession information needs to be passed through. This does assume that the bottom bit of the pointer will always be zero on return from kmem_cache_alloc(). The key reference type has been made into a typedef so that at least it can be located in the sources, even though it's basically a pointer to an undefined type. I've also renamed the accessor functions to be more useful, and all reference variables should now end in "_ref". Signed-Off-By: David Howells Signed-off-by: Linus Torvalds