From: Jarkko Sakkinen <jarkko@kernel.org>
To: Liu Mingyu <Edwardliu0214@outlook.com>
Cc: David Howells <dhowells@redhat.com>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Eric Biggers <ebiggers@kernel.org>, Kees Cook <kees@kernel.org>,
Mimi Zohar <zohar@linux.ibm.com>,
Randy Dunlap <rdunlap@infradead.org>
Subject: Re: [PATCH v2 1/2] keys: Enforce keep guard when moving keys
Date: Mon, 8 Jun 2026 06:45:00 +0300 [thread overview]
Message-ID: <aiY6vNLxs5y5YOPX@kernel.org> (raw)
In-Reply-To: <20260531205059.mliu-keyrings-v2-1@outlook.com>
On Sun, May 31, 2026 at 08:51:49PM +0000, Liu Mingyu wrote:
> KEYCTL_MOVE removes the source link as part of moving a key
> between keyrings. key_unlink() rejects removal of a
> KEY_FLAG_KEEP-protected key from a KEY_FLAG_KEEP-protected keyring,
> but key_move() did not enforce the same rule.
>
> Reject such moves with -EPERM when both the source keyring and key
"Enforce the same resriction in key_move() with -EPERM ..."?
> are protected. Leave same-keyring moves as a no-op so callers can
> continue to use KEYCTL_MOVE idempotently. Document the errno so
> callers can distinguish the protected removal case.
>
> Fixes: ed0ac5c7ec37 ("keys: Add a keyctl to move a key between keyrings")
> Cc: stable@vger.kernel.org
> Signed-off-by: Mingyu Liu <edwardliu0214@outlook.com>
> ---
> Documentation/security/keys/core.rst | 1 +
> security/keys/keyctl.c | 2 ++
> security/keys/keyring.c | 7 ++++++-
> 3 files changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/security/keys/core.rst b/Documentation/security/keys/core.rst
> index 326b8a973828..6096ce6c63da 100644
> --- a/Documentation/security/keys/core.rst
> +++ b/Documentation/security/keys/core.rst
> @@ -600,6 +600,7 @@ The keyctl syscall functions are:
> A process must have link permission on the key for this function to be
> successful and write permission on both keyrings. Any errors that can
> occur from KEYCTL_LINK also apply on the destination keyring here.
> + If the key and source keyring are protected, EPERM will be returned.
>
>
> * Unlink a key or keyring from another keyring::
> diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
> index ef855d69c97a..b37bf1505ec5 100644
> --- a/security/keys/keyctl.c
> +++ b/security/keys/keyctl.c
> @@ -590,6 +590,8 @@ long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
> * the caller Write permission. There must also be a link in the from keyring
> * to the key. If both keyrings are the same, nothing is done.
> *
> + * If the key and source keyring are protected, -EPERM will be returned.
> + *
> * If successful, 0 will be returned.
> */
> long keyctl_keyring_move(key_serial_t id, key_serial_t from_ringid,
> diff --git a/security/keys/keyring.c b/security/keys/keyring.c
> index 5a9887d6b7be..60c184bd9a8d 100644
> --- a/security/keys/keyring.c
> +++ b/security/keys/keyring.c
> @@ -1582,7 +1582,8 @@ EXPORT_SYMBOL(key_unlink);
> *
> * Returns 0 if successful, -ENOTDIR if either keyring isn't a keyring,
> * -EKEYREVOKED if either keyring has been revoked, -ENFILE if the second
> - * keyring is full, -EDQUOT if there is insufficient key data quota remaining
> + * keyring is full, -EPERM if this would remove a protected key from a
> + * protected keyring, -EDQUOT if there is insufficient key data quota remaining
> * to add another link or -ENOMEM if there's insufficient memory. If
> * KEYCTL_MOVE_EXCL is set, then -EEXIST will be returned if there's already a
> * matching key in @to_keyring.
> @@ -1608,6 +1609,10 @@ int key_move(struct key *key,
> key_check(from_keyring);
> key_check(to_keyring);
>
> + if (test_bit(KEY_FLAG_KEEP, &from_keyring->flags) &&
> + test_bit(KEY_FLAG_KEEP, &key->flags))
> + return -EPERM;
> +
> ret = __key_move_lock(from_keyring, to_keyring, &key->index_key);
> if (ret < 0)
> goto out;
> --
> 2.51.2.windows.1
>
That would makeobvious that something is missing here.
BR, Jarkko
next prev parent reply other threads:[~2026-06-08 3:45 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-31 20:51 [PATCH v2 0/2] keys: Enforce keep guard when moving keys Liu Mingyu
2026-05-31 20:51 ` [PATCH v2 1/2] " Liu Mingyu
2026-06-08 3:45 ` Jarkko Sakkinen [this message]
2026-05-31 20:51 ` [PATCH v2 2/2] keys: Add KUnit coverage for KEYCTL_MOVE keep guard Liu Mingyu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aiY6vNLxs5y5YOPX@kernel.org \
--to=jarkko@kernel.org \
--cc=Edwardliu0214@outlook.com \
--cc=dhowells@redhat.com \
--cc=ebiggers@kernel.org \
--cc=kees@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rdunlap@infradead.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox