KEYS: Skip key state checks when checking for possession
Skip key state checks (invalidation, revocation and expiration) when checking
for possession. Without this, keys that have been marked invalid, revoked
keys and expired keys are not given a possession attribute - which means the
possessor is not granted any possession permits and cannot do anything with
them unless they also have one a user, group or other permit.
This causes failures in the keyutils test suite's revocation and expiration
tests now that commit 96b5c8fea6c0861621051290d705ec2e971963f1 reduced the
initial permissions granted to a key.
The failures are due to accesses to revoked and expired keys being given
EACCES instead of EKEYREVOKED or EKEYEXPIRED.
Signed-off-by: David Howells <dhowells@redhat.com>
diff --git a/security/keys/internal.h b/security/keys/internal.h
index d4f1468..df971fe 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -124,6 +124,7 @@
extern key_ref_t search_process_keyrings(struct key_type *type,
const void *description,
key_match_func_t match,
+ bool no_state_check,
const struct cred *cred);
extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 42defae..a3410d6 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -440,6 +440,7 @@
key_ref_t search_process_keyrings(struct key_type *type,
const void *description,
key_match_func_t match,
+ bool no_state_check,
const struct cred *cred)
{
struct request_key_auth *rka;
@@ -448,7 +449,7 @@
might_sleep();
key_ref = search_my_process_keyrings(type, description, match,
- false, cred);
+ no_state_check, cred);
if (!IS_ERR(key_ref))
goto found;
err = key_ref;
@@ -468,7 +469,8 @@
rka = cred->request_key_auth->payload.data;
key_ref = search_process_keyrings(type, description,
- match, rka->cred);
+ match, no_state_check,
+ rka->cred);
up_read(&cred->request_key_auth->sem);
@@ -675,7 +677,7 @@
/* check to see if we possess the key */
skey_ref = search_process_keyrings(key->type, key,
lookup_user_key_possessed,
- cred);
+ true, cred);
if (!IS_ERR(skey_ref)) {
key_put(key);
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index c411f9b..172115b 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -390,7 +390,8 @@
* waited for locks */
mutex_lock(&key_construction_mutex);
- key_ref = search_process_keyrings(type, description, type->match, cred);
+ key_ref = search_process_keyrings(type, description, type->match,
+ false, cred);
if (!IS_ERR(key_ref))
goto key_already_present;
@@ -539,7 +540,8 @@
dest_keyring, flags);
/* search all the process keyrings for a key */
- key_ref = search_process_keyrings(type, description, type->match, cred);
+ key_ref = search_process_keyrings(type, description, type->match,
+ false, cred);
if (!IS_ERR(key_ref)) {
key = key_ref_to_ptr(key_ref);
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 85730d5..92077de 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -247,7 +247,7 @@
&key_type_request_key_auth,
(void *) (unsigned long) target_id,
key_get_instantiation_authkey_match,
- cred);
+ false, cred);
if (IS_ERR(authkey_ref)) {
authkey = ERR_CAST(authkey_ref);