    KEYS: keyctl_get_keyring_ID() should create a session keyring if create flag set · 3ecf1b4f
    David Howells authored
    The keyctl call:
    
    	keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1)
    
    should create a session keyring if the process doesn't have one of its own
    because the create flag argument is set - rather than subscribing to and
    returning the user-session keyring as:
    
    	keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)
    
    will do.
    
    This can be tested by commenting out pam_keyinit in the /etc/pam.d files and
    running the following program a couple of times in a row:
    
    	#include <stdio.h>
    	#include <stdlib.h>
    	#include <keyutils.h>
    	int main(int argc, char *argv[])
    	{
    		key_serial_t uk, usk, sk, nsk;
    		uk  = keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);
    		usk = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
    		sk  = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
    		nsk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1);
    		printf("keys: %08x %08x %08x %08x\n", uk, usk, sk, nsk);
    		return 0;
    	}
    
    Without this patch, I see:
    
    	keys: 3975ddc7 119c0c66 119c0c66 119c0c66
    	keys: 3975ddc7 119c0c66 119c0c66 119c0c66
    
    With this patch, I see:
    
    	keys: 2cb4997b 34112878 34112878 17db2ce3
    	keys: 2cb4997b 34112878 34112878 39f3c73e
    
    As can be seen, the session keyring starts off the same as the user-session
    keyring each time, but with the patch a new session keyring is created when
    the create flag is set.

    Reported-by: Greg Wettstein <greg@enjellic.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Tested-by: Greg Wettstein <greg@enjellic.com>
    Signed-off-by: James Morris <jmorris@namei.org>
process_keys.c 20.6 KB