KEYS: Make the system 'trusted' keyring viewable by userspace
authorMimi Zohar <zohar@linux.vnet.ibm.com>
Tue, 20 Aug 2013 18:36:26 +0000 (14:36 -0400)
committerDavid Howells <dhowells@redhat.com>
Wed, 25 Sep 2013 16:17:01 +0000 (17:17 +0100)
Give the root user the ability to read the system keyring and put read
permission on the trusted keys added during boot.  The latter is actually more
theoretical than real for the moment as asymmetric keys do not currently
provide a read operation.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: David Howells <dhowells@redhat.com>
kernel/system_keyring.c

index 5296721eca5bc165feef20aaef7920e537348d95..564dd93430a276b0ac7db03a59cbb5648a639c93 100644 (file)
@@ -35,7 +35,7 @@ static __init int system_trusted_keyring_init(void)
                keyring_alloc(".system_keyring",
                              KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
                              ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
-                              KEY_USR_VIEW | KEY_USR_READ),
+                             KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
                              KEY_ALLOC_NOT_IN_QUOTA, NULL);
        if (IS_ERR(system_trusted_keyring))
                panic("Can't allocate system trusted keyring\n");
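Review bot: The added bit on the new line is KEY_USR_SEARCH, while the commit description says it gives root the ability to read the keyring; the removed line shows KEY_USR_READ was already present, so what this hunk actually widens is search, not read. Either the description should say so or a short comment should state the intent at the mask, e.g. `/* root may view, read and search the keyring; it may not alter it */`. As a minor point of style, the new line sits one column left of the continuation it replaces and of `((KEY_POS_ALL` above it, so the bracketed mask no longer lines up. The enclosing system_trusted_keyring_init() begins before this hunk.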
@@ -81,8 +81,8 @@ static __init int load_system_certificate_list(void)
                                           NULL,
                                           p,
                                           plen,
-                                          (KEY_POS_ALL & ~KEY_POS_SETATTR) |
-                                          KEY_USR_VIEW,
+                                          ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+                                          KEY_USR_VIEW | KEY_USR_READ),
                                           KEY_ALLOC_NOT_IN_QUOTA |
                                           KEY_ALLOC_TRUSTED);
                if (IS_ERR(key)) {
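Review bot: KEY_USR_READ is now set on every key loaded from the certificate list, but the commit description itself says asymmetric keys provide no read operation yet, so the bit is being granted ahead of any code that honours it; nothing at the mask records that, and a later reader would reasonably assume the payload is already exported to userspace. A comment on the permission lines would keep that understanding attached to the code, e.g. `/* KEY_USR_READ is granted now; asymmetric keys have no read op yet */`. If a read operation is added later, the effect of this bit on the trusted keys should be re-reviewed at that point rather than inherited silently. The enclosing load_system_certificate_list() continues past this hunk.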