Message-ID: <CACE9dm-2TB-CKkYB+p7ESSOKR-Bfjmy7nACowzsbK0nEexM=tA@mail.gmail.com>
Date: Thu, 11 Sep 2014 15:28:44 +0300
From: Dmitry Kasatkin <dmitry.kasatkin@...il.com>
To: David Howells <dhowells@...hat.com>
Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>,
James Morris <jmorris@...ei.org>,
keyrings <keyrings@...ux-nfs.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
linux-security-module <linux-security-module@...r.kernel.org>,
Vivek Goyal <vgoyal@...hat.com>
Subject: Re: [PATCH 2/6] KEYS: Reinstate EPERM for a key type name beginning
with a '.'
On 11 September 2014 15:27, Dmitry Kasatkin <dmitry.kasatkin@...il.com> wrote:
> On 11 September 2014 15:09, David Howells <dhowells@...hat.com> wrote:
>> Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
>>
>>> On Wed, 2014-09-10 at 19:36 -0400, Mimi Zohar wrote:
>>> > On Wed, 2014-09-10 at 22:22 +0100, David Howells wrote:
>>> > > Reinstate the generation of EPERM for a key type name beginning with a
>>> > > '.' in a userspace call. Types whose name begins with a '.' are
>>> > > internal only.
>>>
>>> After re-reading your comment and looking at the different types,
>>> testing for dot prefixed types now makes sense. Both dot prefixed types
>>> and keyring names are reserved for the kernel.
>>
>> Are you withdrawing your objection, then?
>>
>
> For me, the type test looks unrelated to "." prefixed key/keyring names...
>
> The rest of that patch does the following:
>
> + } else if ((description[0] == '.') &&
> + (strncmp(type, "keyring", 7) == 0)) {
> + ret = -EPERM;
> + goto error2;
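Review bot: The strncmp(type, "keyring", 7) == 0 test in the new else-if is a prefix match, so any type name that merely starts with "keyring" also takes the -EPERM path; if only the keyring type is meant, compare the whole string with strcmp(). The same condition ties the description[0] == '.' restriction to that one type, so a dot-prefixed description on any other key type falls through this branch. If dot-prefixed descriptions are meant to be reserved for keys in general, the description test should not depend on the type, and either way a comment stating the intended scope would help.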
>
>
> I wonder why this test is only disallowing keyrings...
> Why not also keys?
>
> keyctl add user ".ring1" Hello @u
>
> keyctl show
> 50463278 --alswrv 0 0 \_ user: .ring1
>
>
Sorry... it was a confusing name.

keyctl newring ".ring1" @u
add_key: Operation not permitted

But for keys...

keyctl add user ".key1" Hello @u

keyctl show
50463298 --alswrv 0 0 \_ user: .key1

- Dmitry
> - Dmitry
>
>> David
> --
> Thanks,
> Dmitry
--
Thanks,
Dmitry