linux-hardened/security/keys
David Howells 69664cf16a keys: don't generate user and user session keyrings unless they're accessed
Don't generate the per-UID user and user session keyrings unless they're
explicitly accessed.  This solves a problem during a login process whereby
set*uid() is called before the SELinux PAM module, resulting in the per-UID
keyrings having the wrong security labels.

This also cures the problem of multiple per-UID keyrings sometimes appearing
due to PAM modules (including pam_keyinit) setuiding and causing user_structs
to come into and go out of existence whilst the session keyring pins the user
keyring.  This is achieved by first searching for extant per-UID keyrings
before inventing new ones.

The serial bound argument is also dropped from find_keyring_by_name() as it's
not currently made use of (setting it to 0 disables the feature).

Signed-off-by: David Howells <dhowells@redhat.com>
Cc: <kwc@citi.umich.edu>
Cc: <arunsr@cse.iitk.ac.in>
Cc: <dwalsh@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:06:17 -07:00
..
compat.c keys: add keyctl function to get a security label 2008-04-29 08:06:16 -07:00
internal.h keys: don't generate user and user session keyrings unless they're accessed 2008-04-29 08:06:17 -07:00
key.c keys: don't generate user and user session keyrings unless they're accessed 2008-04-29 08:06:17 -07:00
keyctl.c keys: allow clients to set key perms in key_create_or_update() 2008-04-29 08:06:16 -07:00
keyring.c keys: don't generate user and user session keyrings unless they're accessed 2008-04-29 08:06:17 -07:00
Makefile [PATCH] Keys: Split key permissions checking into a .c file 2005-10-08 14:53:31 -07:00
permission.c [PATCH] keys: Permit running process to instantiate keys 2006-01-08 20:13:53 -08:00
proc.c keys: switch to proc_create() 2008-04-29 08:06:16 -07:00
process_keys.c keys: don't generate user and user session keyrings unless they're accessed 2008-04-29 08:06:17 -07:00
request_key.c keys: allow the callout data to be passed as a blob rather than a string 2008-04-29 08:06:16 -07:00
request_key_auth.c keys: allow the callout data to be passed as a blob rather than a string 2008-04-29 08:06:16 -07:00
user_defined.c [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00