From: Mimi Zohar <zohar@linux.ibm.com>
To: Linus Torvalds <torvalds@linux-foundation.org>,
David Howells <dhowells@redhat.com>,
James Morris <jmorris@namei.org>,
keyrings@vger.kernel.org, Netdev <netdev@vger.kernel.org>,
linux-nfs@vger.kernel.org, CIFS <linux-cifs@vger.kernel.org>,
linux-afs@lists.infradead.org,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
linux-integrity@vger.kernel.org,
LSM List <linux-security-module@vger.kernel.org>,
Linux List Kernel Mailing <linux-kernel@vger.kernel.org>
Subject: Re: [GIT PULL] Keys: Set 4 - Key ACLs for 5.3
Date: Thu, 11 Jul 2019 03:07:15 +0000
Message-ID: <1562814435.4014.11.camel@linux.ibm.com>
In-Reply-To: <CAHk-=wiFti6=K2fyAYhx-PSX9ovQPJUNp0FMdV0pDaO_pSx9MQ@mail.gmail.com>
Hi Linus,
On Wed, 2019-07-10 at 18:59 -0700, Linus Torvalds wrote:
> Anyway, since it does seem like David is offline, I've just reverted
> this from my tree, and will be continuing my normal merge window pull
> requests (the other issues I have seen have fixes in their respective
> trees).
Sorry for the delay. An exception is needed for loading builtin keys
"KEY_ALLOC_BUILT_IN" onto a keyring that is not writable by userspace.
The following works, but probably is not how David would handle the
exception.
diff --git a/security/keys/key.c b/security/keys/key.c
index 519211a996e7..a99332c1e014 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -896,7 +896,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
/* if we're going to allocate a new key, we're going to have
* to modify the keyring */
ret = key_permission(keyring_ref, KEY_NEED_WRITE);
- if (ret < 0) {
+ if (ret < 0 && !(flags & KEY_ALLOC_BUILT_IN)) {
key_ref = ERR_PTR(ret);
goto error_link_end;
}
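Review bot: the new condition on the changed `if` only suppresses the error path, so when `flags & KEY_ALLOC_BUILT_IN` is set and `key_permission()` fails, `ret` is still negative when execution continues past the `}`; anything downstream that inspects `ret` before it is reassigned will see a stale permission error. Safer to skip the permission check itself for built-in keys and keep `ret` clean, e.g. `if (!(flags & KEY_ALLOC_BUILT_IN)) { ret = key_permission(keyring_ref, KEY_NEED_WRITE); if (ret < 0) { ... } }`. The comment above ("we're going to have to modify the keyring") should also be extended to state why built-in keys are exempt from the KEY_NEED_WRITE check, since the exemption is otherwise unexplained at the point where the ACL is bypassed.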
Mimi