Commit af34cb0c authored by Mimi Zohar's avatar Mimi Zohar Committed by David Howells

KEYS: Make the system 'trusted' keyring viewable by userspace

Give the root user the ability to read the system keyring and put read
permission on the trusted keys added during boot.  The latter is actually more
theoretical than real for the moment as asymmetric keys do not currently
provide a read operation.
Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent cd0421dc
...@@ -35,7 +35,7 @@ static __init int system_trusted_keyring_init(void) ...@@ -35,7 +35,7 @@ static __init int system_trusted_keyring_init(void)
keyring_alloc(".system_keyring", keyring_alloc(".system_keyring",
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
((KEY_POS_ALL & ~KEY_POS_SETATTR) | ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ), KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
KEY_ALLOC_NOT_IN_QUOTA, NULL); KEY_ALLOC_NOT_IN_QUOTA, NULL);
if (IS_ERR(system_trusted_keyring)) if (IS_ERR(system_trusted_keyring))
panic("Can't allocate system trusted keyring\n"); panic("Can't allocate system trusted keyring\n");
...@@ -81,8 +81,8 @@ static __init int load_system_certificate_list(void) ...@@ -81,8 +81,8 @@ static __init int load_system_certificate_list(void)
NULL, NULL,
p, p,
plen, plen,
(KEY_POS_ALL & ~KEY_POS_SETATTR) | ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW, KEY_USR_VIEW | KEY_USR_READ),
KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_NOT_IN_QUOTA |
KEY_ALLOC_TRUSTED); KEY_ALLOC_TRUSTED);
if (IS_ERR(key)) { if (IS_ERR(key)) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment