keys: Fix request_key() lack of Link perm check on found key
The request_key() syscall allows a process to gain access to the 'possessor' permits of any key that grants it Search permission by virtue of request_key() not checking whether a key it finds grants Link permission to the caller. Signed-off-by: David Howells <dhowells@redhat.com>
This commit is contained in:
David Howells
parent
45e0f30c30
commit
504b69eb3c
@ -433,6 +433,10 @@ The main syscalls are:
|
|||||||
/sbin/request-key will be invoked in an attempt to obtain a key. The
|
/sbin/request-key will be invoked in an attempt to obtain a key. The
|
||||||
callout_info string will be passed as an argument to the program.
|
callout_info string will be passed as an argument to the program.
|
||||||
|
|
||||||
|
To link a key into the destination keyring the key must grant link
|
||||||
|
permission on the key to the caller and the keyring must grant write
|
||||||
|
permission.
|
||||||
|
|
||||||
See also Documentation/security/keys/request-key.rst.
|
See also Documentation/security/keys/request-key.rst.
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -564,6 +564,16 @@ struct key *request_key_and_link(struct key_type *type,
|
|||||||
key_ref = search_process_keyrings(&ctx);
|
key_ref = search_process_keyrings(&ctx);
|
||||||
|
|
||||||
if (!IS_ERR(key_ref)) {
|
if (!IS_ERR(key_ref)) {
|
||||||
|
if (dest_keyring) {
|
||||||
|
ret = key_task_permission(key_ref, current_cred(),
|
||||||
|
KEY_NEED_LINK);
|
||||||
|
if (ret < 0) {
|
||||||
|
key_ref_put(key_ref);
|
||||||
|
key = ERR_PTR(ret);
|
||||||
|
goto error_free;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
key = key_ref_to_ptr(key_ref);
|
key = key_ref_to_ptr(key_ref);
|
||||||
if (dest_keyring) {
|
if (dest_keyring) {
|
||||||
ret = key_link(dest_keyring, key);
|
ret = key_link(dest_keyring, key);
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user