summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2014-07-22 22:55:45 +0200
committerDavid Howells <dhowells@redhat.com>2014-07-22 22:55:45 +0200
commit633706a2ee81637be37b6bc02c5336950cc163b5 (patch)
tree5dad64c393d3b12276b35c5835c40c6d78f606a2 /security
parentMerge remote-tracking branch 'integrity/next-with-keys' into keys-next (diff)
parentdigsig: make crypto builtin if digsig selected as builtin (diff)
downloadlinux-633706a2ee81637be37b6bc02c5336950cc163b5.tar.xz
linux-633706a2ee81637be37b6bc02c5336950cc163b5.zip
Merge branch 'keys-fixes' into keys-next
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'security')
-rw-r--r--security/keys/keyctl.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 8a8c23357291..e26f860e5f2e 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -406,12 +406,25 @@ long keyctl_invalidate_key(key_serial_t id)
key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
if (IS_ERR(key_ref)) {
ret = PTR_ERR(key_ref);
+
+ /* Root is permitted to invalidate certain special keys */
+ if (capable(CAP_SYS_ADMIN)) {
+ key_ref = lookup_user_key(id, 0, 0);
+ if (IS_ERR(key_ref))
+ goto error;
+ if (test_bit(KEY_FLAG_ROOT_CAN_INVAL,
+ &key_ref_to_ptr(key_ref)->flags))
+ goto invalidate;
+ goto error_put;
+ }
+
goto error;
}
+invalidate:
key_invalidate(key_ref_to_ptr(key_ref));
ret = 0;
-
+error_put:
key_ref_put(key_ref);
error:
kleave(" = %ld", ret);