From: David Howells <dhowells@redhat.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: dhowells@redhat.com, keyrings <keyrings@linux-nfs.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
Josh Boyer <jwboyer@redhat.com>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [PATCH v6 1/6] KEYS: special dot prefixed keyring name bug fix
Date: Fri, 27 Jun 2014 14:24:20 +0100 [thread overview]
Message-ID: <7422.1403875460@warthog.procyon.org.uk> (raw)
In-Reply-To: <1403620852-16476-2-git-send-email-zohar@linux.vnet.ibm.com>
Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> Dot prefixed keyring names are supposed to be reserved for the
> kernel, but add_key() calls key_get_type_from_user(), which
> incorrectly verifies the 'type' field, not the 'description' field.
> This patch verifies the 'description' field isn't dot prefixed,
> when creating a new keyring, and removes the dot prefix test in
> key_get_type_from_user().
>
> Changelog v6:
> - whitespace and other cleanup
>
> Changelog v5:
> - Only prevent userspace from creating a dot prefixed keyring, not
> regular keys - Dmitry
>
> Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
> Cc: David Howells <dhowells@redhat.com>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Howells <dhowells@redhat.com>
next prev parent reply other threads:[~2014-06-27 13:24 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 14:40 [PATCH v6 0/6] ima: extending secure boot certificate chain of trust Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 1/6] KEYS: special dot prefixed keyring name bug fix Mimi Zohar
2014-06-27 13:24 ` David Howells [this message]
2014-06-24 14:40 ` [PATCH v6 2/6] KEYS: verify a certificate is signed by a 'trusted' key Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 3/6] KEYS: make partial key id matching as a dedicated function Mimi Zohar
2014-06-27 13:38 ` David Howells
2014-06-30 13:14 ` Dmitry Kasatkin
2014-06-30 19:20 ` Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 4/6] KEYS: validate certificate trust only with selected owner key Mimi Zohar
2014-06-27 13:55 ` David Howells
2014-06-27 17:44 ` Mimi Zohar
2014-06-30 13:47 ` Dmitry Kasatkin
2014-06-30 13:57 ` Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 5/6] KEYS: validate certificate trust only with builtin keys Mimi Zohar
2014-06-27 13:54 ` David Howells
2014-06-27 17:50 ` Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 6/6] ima: define '.ima' as a builtin 'trusted' keyring Mimi Zohar
2014-06-27 14:17 ` David Howells
2014-07-09 15:31 ` [PATCH v6 0/6] ima: extending secure boot certificate chain of trust David Howells
2014-07-09 16:40 ` Mimi Zohar
2014-07-09 18:56 ` David Howells
2014-07-09 21:29 ` Mimi Zohar
2014-07-10 14:47 ` Dmitry Kasatkin
2014-07-13 21:06 ` David Howells
2014-07-16 13:15 ` Mimi Zohar
2014-07-17 19:43 ` David Howells
2014-07-17 20:07 ` Mimi Zohar
2014-07-17 20:37 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7422.1403875460@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jwboyer@redhat.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.