summaryrefslogtreecommitdiffstats
path: root/security/keys/internal.h
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2017-09-18 20:37:03 +0200
committerDavid Howells <dhowells@redhat.com>2017-09-25 16:19:57 +0200
commit237bbd29f7a049d310d907f4b2716a7feef9abf3 (patch)
treebc95e55675ae062350f77c9f6d8f8d0816b83207 /security/keys/internal.h
parentKEYS: fix writing past end of user-supplied buffer in keyring_read() (diff)
downloadlinux-237bbd29f7a049d310d907f4b2716a7feef9abf3.tar.xz
linux-237bbd29f7a049d310d907f4b2716a7feef9abf3.zip
KEYS: prevent creating a different user's keyrings
It was possible for an unprivileged user to create the user and user session keyrings for another user. For example: sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u keyctl add keyring _uid_ses.4000 "" @u sleep 15' & sleep 1 sudo -u '#4000' keyctl describe @u sudo -u '#4000' keyctl describe @us This is problematic because these "fake" keyrings won't have the right permissions. In particular, the user who created them first will own them and will have full access to them via the possessor permissions, which can be used to compromise the security of a user's keys: -4: alswrv-----v------------ 3000 0 keyring: _uid.4000 -5: alswrv-----v------------ 3000 0 keyring: _uid_ses.4000 Fix it by marking user and user session keyrings with a flag KEY_FLAG_UID_KEYRING. Then, when searching for a user or user session keyring by name, skip all keyrings that don't have the flag set. Fixes: 69664cf16af4 ("keys: don't generate user and user session keyrings unless they're accessed") Cc: <stable@vger.kernel.org> [v2.6.26+] Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'security/keys/internal.h')
-rw-r--r--security/keys/internal.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 1c02c6547038..503adbae7b0d 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -141,7 +141,7 @@ extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
extern key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx);
extern key_ref_t search_process_keyrings(struct keyring_search_context *ctx);
-extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
+extern struct key *find_keyring_by_name(const char *name, bool uid_keyring);
extern int install_user_keyrings(void);
extern int install_thread_keyring_to_cred(struct cred *);