Commit 700920eb authored by David Howells's avatar David Howells Committed by James Morris

KEYS: Allow special keyrings to be cleared

The kernel contains some special internal keyrings, for instance the DNS
resolver keyring :

2a93faf1 I-----     1 perm 1f030000     0     0 keyring   .dns_resolver: empty

It would occasionally be useful to allow the contents of such keyrings to be
flushed by root (cache invalidation).

Allow a flag to be set on a keyring to mark that someone possessing the
sysadmin capability can clear the keyring, even without normal write access to
the keyring.

Set this flag on the special keyrings created by the DNS resolver, the NFS
identity mapper and the CIFS identity mapper.
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Acked-by: default avatarJeff Layton <jlayton@redhat.com>
Acked-by: default avatarSteve Dickson <steved@redhat.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 53999bf3
...@@ -102,6 +102,10 @@ implemented in the module can be called after doing: ...@@ -102,6 +102,10 @@ implemented in the module can be called after doing:
If _expiry is non-NULL, the expiry time (TTL) of the result will be If _expiry is non-NULL, the expiry time (TTL) of the result will be
returned also. returned also.
The kernel maintains an internal keyring in which it caches looked up keys.
This can be cleared by any process that has the CAP_SYS_ADMIN capability by
the use of KEYCTL_KEYRING_CLEAR on the keyring ID.
=============================== ===============================
READING DNS KEYS FROM USERSPACE READING DNS KEYS FROM USERSPACE
......
...@@ -554,6 +554,10 @@ The keyctl syscall functions are: ...@@ -554,6 +554,10 @@ The keyctl syscall functions are:
process must have write permission on the keyring, and it must be a process must have write permission on the keyring, and it must be a
keyring (or else error ENOTDIR will result). keyring (or else error ENOTDIR will result).
This function can also be used to clear special kernel keyrings if they
are appropriately marked if the user has CAP_SYS_ADMIN capability. The
DNS resolver cache keyring is an example of this.
(*) Link a key into a keyring: (*) Link a key into a keyring:
......
...@@ -556,6 +556,7 @@ init_cifs_idmap(void) ...@@ -556,6 +556,7 @@ init_cifs_idmap(void)
/* instruct request_key() to use this special keyring as a cache for /* instruct request_key() to use this special keyring as a cache for
* the results it looks up */ * the results it looks up */
set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
cred->thread_keyring = keyring; cred->thread_keyring = keyring;
cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING; cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
root_cred = cred; root_cred = cred;
......
...@@ -198,6 +198,7 @@ int nfs_idmap_init(void) ...@@ -198,6 +198,7 @@ int nfs_idmap_init(void)
if (ret < 0) if (ret < 0)
goto failed_put_key; goto failed_put_key;
set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
cred->thread_keyring = keyring; cred->thread_keyring = keyring;
cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING; cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
id_resolver_cache = cred; id_resolver_cache = cred;
......
...@@ -155,6 +155,7 @@ struct key { ...@@ -155,6 +155,7 @@ struct key {
#define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */ #define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */
#define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */ #define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */
#define KEY_FLAG_NEGATIVE 5 /* set if key is negative */ #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
/* the description string /* the description string
* - this is used to match a key against search criteria * - this is used to match a key against search criteria
......
...@@ -281,6 +281,7 @@ static int __init init_dns_resolver(void) ...@@ -281,6 +281,7 @@ static int __init init_dns_resolver(void)
/* instruct request_key() to use this special keyring as a cache for /* instruct request_key() to use this special keyring as a cache for
* the results it looks up */ * the results it looks up */
set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
cred->thread_keyring = keyring; cred->thread_keyring = keyring;
cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING; cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
dns_resolver_cache = cred; dns_resolver_cache = cred;
......
...@@ -388,11 +388,24 @@ long keyctl_keyring_clear(key_serial_t ringid) ...@@ -388,11 +388,24 @@ long keyctl_keyring_clear(key_serial_t ringid)
keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE); keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
if (IS_ERR(keyring_ref)) { if (IS_ERR(keyring_ref)) {
ret = PTR_ERR(keyring_ref); ret = PTR_ERR(keyring_ref);
/* Root is permitted to invalidate certain special keyrings */
if (capable(CAP_SYS_ADMIN)) {
keyring_ref = lookup_user_key(ringid, 0, 0);
if (IS_ERR(keyring_ref))
goto error; goto error;
if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,
&key_ref_to_ptr(keyring_ref)->flags))
goto clear;
goto error_put;
} }
ret = keyring_clear(key_ref_to_ptr(keyring_ref)); goto error;
}
clear:
ret = keyring_clear(key_ref_to_ptr(keyring_ref));
error_put:
key_ref_put(keyring_ref); key_ref_put(keyring_ref);
error: error:
return ret; return ret;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment