1
linux/security/keys
David Howells 62fe318256 KEYS: Fix keyring content gc scanner
Key pointers stored in the keyring are marked in bit 1 to indicate if they
point to a keyring.  We need to strip off this bit before using the pointer
when iterating over the keyring for the purpose of looking for links to garbage
collect.

This means that expirable keyrings aren't correctly expiring because the
checker is seeing their key pointer with 2 added to it.

Since the fix for this involves knowing about the internals of the keyring,
key_gc_keyring() is moved to keyring.c and merged into keyring_gc().

This can be tested by:

	echo 2 >/proc/sys/kernel/keys/gc_delay
	keyctl timeout `keyctl add keyring qwerty "" @s` 2
	cat /proc/keys
	sleep 5; cat /proc/keys

which should see a keyring called "qwerty" appear in the session keyring and
then disappear after it expires, and:

	echo 2 >/proc/sys/kernel/keys/gc_delay
	a=`keyctl get_persistent @s`
	b=`keyctl add keyring 0 "" $a`
	keyctl add user a a $b
	keyctl timeout $b 2
	cat /proc/keys
	sleep 5; cat /proc/keys

which should see a keyring called "0" with a key called "a" in it appear in the
user's persistent keyring (which will be attached to the session keyring) and
then both the "0" keyring and the "a" key should disappear when the "0" keyring
expires.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Simo Sorce <simo@redhat.com>
2013-11-14 14:09:53 +00:00
..
encrypted-keys KEYS: Add payload preparsing opportunity prior to key instantiate or update 2012-10-08 13:49:48 +10:30
big_key.c KEYS: Fix error handling in big_key instantiation 2013-11-13 16:51:06 +00:00
compat.c KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches 2013-09-24 10:35:19 +01:00
gc.c KEYS: Fix keyring content gc scanner 2013-11-14 14:09:53 +00:00
internal.h KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches 2013-09-24 10:35:19 +01:00
Kconfig KEYS: Make BIG_KEYS boolean 2013-10-30 11:15:23 +00:00
key.c KEYS: Fix a race between negating a key and reading the error set 2013-10-30 11:15:24 +00:00
keyctl.c KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches 2013-09-24 10:35:19 +01:00
keyring.c KEYS: Fix keyring content gc scanner 2013-11-14 14:09:53 +00:00
Makefile KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches 2013-09-24 10:35:19 +01:00
permission.c userns: Convert security/keys to the new userns infrastructure 2012-09-13 18:28:02 -07:00
persistent.c KEYS: Fix UID check in keyctl_get_persistent() 2013-11-06 14:01:51 +00:00
proc.c KEYS: Introduce a search context structure 2013-09-24 10:35:15 +01:00
process_keys.c KEYS: initialize root uid and session keyrings early 2013-09-25 17:17:01 +01:00
request_key_auth.c KEYS: Search for auth-key by name rather than target key ID 2013-09-24 10:35:16 +01:00
request_key.c KEYS: Fix a race between negating a key and reading the error set 2013-10-30 11:15:24 +00:00
sysctl.c KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches 2013-09-24 10:35:19 +01:00
trusted.c Merge branch 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux 2012-10-14 13:39:34 -07:00
trusted.h trusted-keys: rename trusted_defined files to trusted 2011-01-24 10:14:22 +11:00
user_defined.c KEYS: Introduce a search context structure 2013-09-24 10:35:15 +01:00