diff options
author | David Howells <dhowells@redhat.com> | 2014-07-22 22:55:45 +0200 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2014-07-22 22:55:45 +0200 |
commit | 633706a2ee81637be37b6bc02c5336950cc163b5 (patch) | |
tree | 5dad64c393d3b12276b35c5835c40c6d78f606a2 /security | |
parent | Merge remote-tracking branch 'integrity/next-with-keys' into keys-next (diff) | |
parent | digsig: make crypto builtin if digsig selected as builtin (diff) | |
download | linux-633706a2ee81637be37b6bc02c5336950cc163b5.tar.xz linux-633706a2ee81637be37b6bc02c5336950cc163b5.zip |
Merge branch 'keys-fixes' into keys-next
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/keys/keyctl.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 8a8c23357291..e26f860e5f2e 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -406,12 +406,25 @@ long keyctl_invalidate_key(key_serial_t id) key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); if (IS_ERR(key_ref)) { ret = PTR_ERR(key_ref); + + /* Root is permitted to invalidate certain special keys */ + if (capable(CAP_SYS_ADMIN)) { + key_ref = lookup_user_key(id, 0, 0); + if (IS_ERR(key_ref)) + goto error; + if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, + &key_ref_to_ptr(key_ref)->flags)) + goto invalidate; + goto error_put; + } + goto error; } +invalidate: key_invalidate(key_ref_to_ptr(key_ref)); ret = 0; - +error_put: key_ref_put(key_ref); error: kleave(" = %ld", ret); |