| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMHSBOXGBC2skDB2KVsVJGB-W-j44gNWsVWv4H1-h2WXYENMMg@mail.gmail.com>
Date: Tue, 3 May 2016 11:34:09 -0700
From: Gwendal Grignou <gwendal@...gle.com>
To: Gwendal Grignou <gwendal@...omium.org>
Cc: dhowells@...hat.com, james.l.morris@...cle.com, serge@...lyn.com,
keyrings@...r.kernel.org,
Linux Kernel <linux-kernel@...r.kernel.org>,
linux-security-module@...r.kernel.org,
"Theodore Ts'o" <tytso@....edu>
Subject: Re: [PATCH] keyrings: Allow searching the user session keyring
Any feedback on this? It is mandatory if we want to mount a ecryptfs
directory while the session keyring is used.
Thanks,
Gwendal.
On Thu, Mar 17, 2016 at 10:04 AM, Gwendal Grignou <gwendal@...omium.org> wrote:
> Resent to a larger audience.
>
> On Thu, Mar 10, 2016 at 2:20 PM, Gwendal Grignou <gwendal@...omium.org> wrote:
>> Currently, if a session keyring exists, we are not searching in the
>> user session or user keyrings.
>>
>> This is a problem when a session keyring exists and we want to use
>> ecryptfs, who adds the needed key only in the user keyring.
>>
>> TEST=Without this change, mounting an ecryptfs "partition" fails when a
>> session keyring exists:
>> ...
>> [ 2686.047522] Could not find key with description: [dd6f92bd8660b36c]
>> ...
>> Although the key exits:
>> keyctl show @us
>> Keyring
>> 549666721 --alswrv 0 65534 keyring: _uid_ses.0
>> 346719914 --alswrv 0 65534 \_ keyring: _uid.0
>> 235623693 --alswrv 0 0 \_ user: dd6f92bd8660b36c
>> 747773852 --alswrv 0 0 \_ user: 7025717e50fd74a2
>> With this change, ecryptfs can see the keys it needs.
>>
>> Note that 'keyctl show' still only shows the session keyring by default.
>> We need to specify 'keyctl show @us' to see the user session keyring
>> when the session keyring exits.
>>
>> Signed-off-by: Gwendal Grignou <gwendal@...omium.org>
>> ---
>> security/keys/process_keys.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
>> index e6d50172..a77d66e 100644
>> --- a/security/keys/process_keys.c
>> +++ b/security/keys/process_keys.c
>> @@ -395,8 +395,8 @@ key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx)
>> break;
>> }
>> }
>> - /* or search the user-session keyring */
>> - else if (ctx->cred->user->session_keyring) {
>> + /* finally search the user-session keyring */
>> + if (ctx->cred->user->session_keyring) {
>> key_ref = keyring_search_aux(
>> make_key_ref(ctx->cred->user->session_keyring, 1),
>> ctx);
>> --
>> 2.7.0.rc3.207.g0ac5344
>>
Powered by blists - more mailing lists