[PATCH] Keys: Possessor permissions should be additive

This patch makes the possessor permissions on a key additive with
user/group/other permissions on the same key.

This permits extra rights to be granted to the possessor of a key without
taking away any rights conferred by them owning the key or having common group
membership.

Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/security/keys/permission.c b/security/keys/permission.c
index 1c3651670ce9add5b2f008bf07f58d20c3de03bc..03db073ba45c526ef82979babcc4abff47ea8438 100644 (file)
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -27,12 +27,6 @@ int key_task_permission(const key_ref_t key_ref,
 
        key = key_ref_to_ptr(key_ref);
 
-       /* use the top 8-bits of permissions for keys the caller possesses */
-       if (is_key_possessed(key_ref)) {
-               kperm = key->perm >> 24;
-               goto use_these_perms;
-       }
-
        /* use the second 8-bits of permissions for keys the caller owns */
        if (key->uid == context->fsuid) {
                kperm = key->perm >> 16;
@@ -61,6 +55,12 @@ int key_task_permission(const key_ref_t key_ref,
        kperm = key->perm;
 
 use_these_perms:
+       /* use the top 8-bits of permissions for keys the caller possesses
+        * - possessor permissions are additive with other permissions
+        */
+       if (is_key_possessed(key_ref))
+               kperm |= key->perm >> 24;
+
        kperm = kperm & perm & KEY_ALL;
 
        return kperm == perm;