Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / af7cc7d59f3d54caca10e7b771b5683f327111e3^1..af7cc7d59f3d54caca10e7b771b5683f327111e3 / .
commitaf7cc7d59f3d54caca10e7b771b5683f327111e3[log] [tgz]
authorKarsten Tausche <karsten@fairphone.com>Thu Aug 16 14:15:09 2018 +0000
committerGerrit Code Review <gerrit@review>Thu Aug 16 14:15:09 2018 +0000
treec92691f914cb27fd50c9afcf4286cd4bdae9128e
parent8509e530af75ee86143665037988c7d0c88bc2b1 [diff]
parent8e86da9c26afab68d4c2e8efd4a2083314187ad4 [diff]
Merge "KEYS: add missing permission check for request_key() destination" into staging/n/fp2
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index cc37903..02cb0b4 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c

@@ -267,11 +267,12 @@
  * The keyring selected is returned with an extra reference upon it which the
  * caller must release.
  */
-static void construct_get_dest_keyring(struct key **_dest_keyring)
+static int construct_get_dest_keyring(struct key **_dest_keyring)
 {
 	struct request_key_auth *rka;
 	const struct cred *cred = current_cred();
 	struct key *dest_keyring = *_dest_keyring, *authkey;
+	int ret;
 
 	kenter("%p", dest_keyring);
 
@@ -280,6 +281,8 @@
 		/* the caller supplied one */
 		key_get(dest_keyring);
 	} else {
+		bool do_perm_check = true;
+
 		/* use a default keyring; falling through the cases until we
 		 * find one that we actually have */
 		switch (cred->jit_keyring) {
@@ -294,8 +297,10 @@
 					dest_keyring =
 						key_get(rka->dest_keyring);
 				up_read(&authkey->sem);
-				if (dest_keyring)
+				if (dest_keyring) {
+					do_perm_check = false;
 					break;
+				}
 			}
 
 		case KEY_REQKEY_DEFL_THREAD_KEYRING:
@@ -330,11 +335,29 @@
 		default:
 			BUG();
 		}
+
+		/*
+		 * Require Write permission on the keyring.  This is essential
+		 * because the default keyring may be the session keyring, and
+		 * joining a keyring only requires Search permission.
+		 *
+		 * However, this check is skipped for the "requestor keyring" so
+		 * that /sbin/request-key can itself use request_key() to add
+		 * keys to the original requestor's destination keyring.
+		 */
+		if (dest_keyring && do_perm_check) {
+			ret = key_permission(make_key_ref(dest_keyring, 1),
+					     KEY_WRITE);
+			if (ret) {
+				key_put(dest_keyring);
+				return ret;
+			}
+		}
 	}
 
 	*_dest_keyring = dest_keyring;
 	kleave(" [dk %d]", key_serial(dest_keyring));
-	return;
+	return 0;
 }
 
 /*
@@ -449,11 +472,16 @@
 
 	kenter("");
 
-	user = key_user_lookup(current_fsuid(), current_user_ns());
-	if (!user)
-		return ERR_PTR(-ENOMEM);
+	ret = construct_get_dest_keyring(&dest_keyring);
+	if (ret)
+		goto error;
 
-	construct_get_dest_keyring(&dest_keyring);
+	user = key_user_lookup(current_fsuid(), current_user_ns());
+	if (!user) {
+		ret = -ENOMEM;
+		goto error_put_dest_keyring;
+	}
+
 
 	ret = construct_alloc_key(type, description, dest_keyring, flags, user,
 				  &key);
@@ -469,7 +497,7 @@
 	} else if (ret == -EINPROGRESS) {
 		ret = 0;
 	} else {
-		goto couldnt_alloc_key;
+		goto error_put_dest_keyring;
 	}
 
 	key_put(dest_keyring);
@@ -479,8 +507,9 @@
 construction_failed:
 	key_negate_and_link(key, key_negative_timeout, NULL, NULL);
 	key_put(key);
-couldnt_alloc_key:
+error_put_dest_keyring:
 	key_put(dest_keyring);
+error:
 	kleave(" = %d", ret);
 	return ERR_PTR(ret);
 }