KEYS: keyctl_get_keyring_ID() should create a session keyring if create flag set
authorDavid Howells <dhowells@redhat.com>
Mon, 22 Aug 2011 13:08:43 +0000 (14:08 +0100)
committerJames Morris <jmorris@namei.org>
Mon, 22 Aug 2011 23:57:34 +0000 (09:57 +1000)
The keyctl call:

keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1)

should create a session keyring if the process doesn't have one of its own
because the create flag argument is set - rather than subscribing to and
returning the user-session keyring as:

keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)

will do.

This can be tested by commenting out pam_keyinit in the /etc/pam.d files and
running the following program a couple of times in a row:

#include <stdio.h>
#include <stdlib.h>
#include <keyutils.h>
int main(int argc, char *argv[])
{
key_serial_t uk, usk, sk, nsk;
uk  = keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);
usk = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
sk  = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
nsk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1);
printf("keys: %08x %08x %08x %08x\n", uk, usk, sk, nsk);
return 0;
}

Without this patch, I see:

keys: 3975ddc7 119c0c66 119c0c66 119c0c66
keys: 3975ddc7 119c0c66 119c0c66 119c0c66

With this patch, I see:

keys: 2cb4997b 34112878 34112878 17db2ce3
keys: 2cb4997b 34112878 34112878 39f3c73e

As can be seen, the session keyring starts off the same as the user-session
keyring each time, but with the patch a new session keyring is created when
the create flag is set.

Reported-by: Greg Wettstein <greg@enjellic.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Greg Wettstein <greg@enjellic.com>
Signed-off-by: James Morris <jmorris@namei.org>
security/keys/process_keys.c

index 3bc6071ad63352bde81e28b4338463497859f028..1068cb1939b3122ca857b042ac0df9d304cda6a7 100644 (file)
@@ -589,12 +589,22 @@ try_again:
                        ret = install_user_keyrings();
                        if (ret < 0)
                                goto error;
-                       ret = install_session_keyring(
-                               cred->user->session_keyring);
+                       if (lflags & KEY_LOOKUP_CREATE)
+                               ret = join_session_keyring(NULL);
+                       else
+                               ret = install_session_keyring(
+                                       cred->user->session_keyring);
 
                        if (ret < 0)
                                goto error;
                        goto reget_creds;
+               } else if (cred->tgcred->session_keyring ==
+                          cred->user->session_keyring &&
+                          lflags & KEY_LOOKUP_CREATE) {
+                       ret = join_session_keyring(NULL);
+                       if (ret < 0)
+                               goto error;
+                       goto reget_creds;
                }
 
                rcu_read_lock();