)]}' { "log": [ { "commit": "aa84442d674ef83e1cbf2bce52a20ecff4ce515e", "tree": "79e2c846edd607a2dff678d31577552617011cb8", "parents": [ "21e5445928af0d80f7cf803a77f2b65e9e147890" ], "author": { "name": "Pekka Enberg", "email": "penberg@cs.helsinki.fi", "time": "Tue Mar 24 10:54:46 2009 +0200" }, "committer": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Fri Apr 03 12:21:12 2009 +0200" }, "message": "kmemtrace, security: fix linux/key.h header file dependencies\n\nImpact: cleanup\n\nWe want to remove percpu.h from rcupdate.h (for upcoming kmemtrace\nchanges), but this is not possible currently without breaking the\nbuild because key.h has an implicit include file dependency on\nrwsem.h:\n\n CC [M] fs/cifs/cifs_spnego.o\n In file included from include/keys/user-type.h:15,\n from fs/cifs/cifs_spnego.c:24:\n include/linux/key.h:128: error: field ‘sem’ has incomplete type\n make[2]: *** [fs/cifs/cifs_spnego.o] Error 1\n make[1]: *** [fs/cifs] Error 2\n make: *** [fs] Error 2\n\nFix it by making the dependency explicit.\n\nSigned-off-by: Pekka Enberg \u003cpenberg@cs.helsinki.fi\u003e\nCc: Eduard - Gabriel Munteanu \u003ceduard.munteanu@linux360.ro\u003e\nLKML-Reference: \u003c1237884886.25315.39.camel@penberg-laptop\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n" }, { "commit": "a6f76f23d297f70e2a6b3ec607f7aeeea9e37e8d", "tree": "8f95617996d0974507f176163459212a7def8b9a", "parents": [ "d84f4f992cbd76e8f39c488cf0c5d123843923b1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:24 2008 +1100" }, "message": "CRED: Make execve() take advantage of copy-on-write credentials\n\nMake execve() take advantage of copy-on-write credentials, allowing it to set\nup the credentials in advance, and then commit the whole lot after the point\nof no return.\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n The credential bits from struct linux_binprm are, for the most part,\n replaced with a single credentials pointer (bprm-\u003ecred). This means that\n all the creds can be calculated in advance and then applied at the point\n of no return with no possibility of failure.\n\n I would like to replace bprm-\u003ecap_effective with:\n\n\tcap_isclear(bprm-\u003ecap_effective)\n\n but this seems impossible due to special behaviour for processes of pid 1\n (they always retain their parent\u0027s capability masks where normally they\u0027d\n be changed - see cap_bprm_set_creds()).\n\n The following sequence of events now happens:\n\n (a) At the start of do_execve, the current task\u0027s cred_exec_mutex is\n \t locked to prevent PTRACE_ATTACH from obsoleting the calculation of\n \t creds that we make.\n\n (a) prepare_exec_creds() is then called to make a copy of the current\n \t task\u0027s credentials and prepare it. This copy is then assigned to\n \t bprm-\u003ecred.\n\n \t This renders security_bprm_alloc() and security_bprm_free()\n \t unnecessary, and so they\u0027ve been removed.\n\n (b) The determination of unsafe execution is now performed immediately\n \t after (a) rather than later on in the code. The result is stored in\n \t bprm-\u003eunsafe for future reference.\n\n (c) prepare_binprm() is called, possibly multiple times.\n\n \t (i) This applies the result of set[ug]id binaries to the new creds\n \t attached to bprm-\u003ecred. Personality bit clearance is recorded,\n \t but now deferred on the basis that the exec procedure may yet\n \t fail.\n\n (ii) This then calls the new security_bprm_set_creds(). This should\n\t calculate the new LSM and capability credentials into *bprm-\u003ecred.\n\n\t This folds together security_bprm_set() and parts of\n\t security_bprm_apply_creds() (these two have been removed).\n\t Anything that might fail must be done at this point.\n\n (iii) bprm-\u003ecred_prepared is set to 1.\n\n\t bprm-\u003ecred_prepared is 0 on the first pass of the security\n\t calculations, and 1 on all subsequent passes. This allows SELinux\n\t in (ii) to base its calculations only on the initial script and\n\t not on the interpreter.\n\n (d) flush_old_exec() is called to commit the task to execution. This\n \t performs the following steps with regard to credentials:\n\n\t (i) Clear pdeath_signal and set dumpable on certain circumstances that\n\t may not be covered by commit_creds().\n\n (ii) Clear any bits in current-\u003epersonality that were deferred from\n (c.i).\n\n (e) install_exec_creds() [compute_creds() as was] is called to install the\n \t new credentials. This performs the following steps with regard to\n \t credentials:\n\n (i) Calls security_bprm_committing_creds() to apply any security\n requirements, such as flushing unauthorised files in SELinux, that\n must be done before the credentials are changed.\n\n\t This is made up of bits of security_bprm_apply_creds() and\n\t security_bprm_post_apply_creds(), both of which have been removed.\n\t This function is not allowed to fail; anything that might fail\n\t must have been done in (c.ii).\n\n (ii) Calls commit_creds() to apply the new credentials in a single\n assignment (more or less). Possibly pdeath_signal and dumpable\n should be part of struct creds.\n\n\t (iii) Unlocks the task\u0027s cred_replace_mutex, thus allowing\n\t PTRACE_ATTACH to take place.\n\n (iv) Clears The bprm-\u003ecred pointer as the credentials it was holding\n are now immutable.\n\n (v) Calls security_bprm_committed_creds() to apply any security\n alterations that must be done after the creds have been changed.\n SELinux uses this to flush signals and signal handlers.\n\n (f) If an error occurs before (d.i), bprm_free() will call abort_creds()\n \t to destroy the proposed new credentials and will then unlock\n \t cred_replace_mutex. No changes to the credentials will have been\n \t made.\n\n (2) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_bprm_alloc(), -\u003ebprm_alloc_security()\n (*) security_bprm_free(), -\u003ebprm_free_security()\n\n \t Removed in favour of preparing new credentials and modifying those.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n (*) security_bprm_post_apply_creds(), -\u003ebprm_post_apply_creds()\n\n \t Removed; split between security_bprm_set_creds(),\n \t security_bprm_committing_creds() and security_bprm_committed_creds().\n\n (*) security_bprm_set(), -\u003ebprm_set_security()\n\n \t Removed; folded into security_bprm_set_creds().\n\n (*) security_bprm_set_creds(), -\u003ebprm_set_creds()\n\n \t New. The new credentials in bprm-\u003ecreds should be checked and set up\n \t as appropriate. bprm-\u003ecred_prepared is 0 on the first call, 1 on the\n \t second and subsequent calls.\n\n (*) security_bprm_committing_creds(), -\u003ebprm_committing_creds()\n (*) security_bprm_committed_creds(), -\u003ebprm_committed_creds()\n\n \t New. Apply the security effects of the new credentials. This\n \t includes closing unauthorised files in SELinux. This function may not\n \t fail. When the former is called, the creds haven\u0027t yet been applied\n \t to the process; when the latter is called, they have.\n\n \t The former may access bprm-\u003ecred, the latter may not.\n\n (3) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) The bprm_security_struct struct has been removed in favour of using\n \t the credentials-under-construction approach.\n\n (c) flush_unauthorized_files() now takes a cred pointer and passes it on\n \t to inode_has_perm(), file_has_perm() and dentry_open().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d84f4f992cbd76e8f39c488cf0c5d123843923b1", "tree": "fc4a0349c42995715b93d0f7a3c78e9ea9b3f36e", "parents": [ "745ca2475a6ac596e3d8d37c2759c0fbe2586227" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:23 2008 +1100" }, "message": "CRED: Inaugurate COW credentials\n\nInaugurate copy-on-write credentials management. This uses RCU to manage the\ncredentials pointer in the task_struct with respect to accesses by other tasks.\nA process may only modify its own credentials, and so does not need locking to\naccess or modify its own credentials.\n\nA mutex (cred_replace_mutex) is added to the task_struct to control the effect\nof PTRACE_ATTACHED on credential calculations, particularly with respect to\nexecve().\n\nWith this patch, the contents of an active credentials struct may not be\nchanged directly; rather a new set of credentials must be prepared, modified\nand committed using something like the following sequence of events:\n\n\tstruct cred *new \u003d prepare_creds();\n\tint ret \u003d blah(new);\n\tif (ret \u003c 0) {\n\t\tabort_creds(new);\n\t\treturn ret;\n\t}\n\treturn commit_creds(new);\n\nThere are some exceptions to this rule: the keyrings pointed to by the active\ncredentials may be instantiated - keyrings violate the COW rule as managing\nCOW keyrings is tricky, given that it is possible for a task to directly alter\nthe keys in a keyring in use by another task.\n\nTo help enforce this, various pointers to sets of credentials, such as those in\nthe task_struct, are declared const. The purpose of this is compile-time\ndiscouragement of altering credentials through those pointers. Once a set of\ncredentials has been made public through one of these pointers, it may not be\nmodified, except under special circumstances:\n\n (1) Its reference count may incremented and decremented.\n\n (2) The keyrings to which it points may be modified, but not replaced.\n\nThe only safe way to modify anything else is to create a replacement and commit\nusing the functions described in Documentation/credentials.txt (which will be\nadded by a later patch).\n\nThis patch and the preceding patches have been tested with the LTP SELinux\ntestsuite.\n\nThis patch makes several logical sets of alteration:\n\n (1) execve().\n\n This now prepares and commits credentials in various places in the\n security code rather than altering the current creds directly.\n\n (2) Temporary credential overrides.\n\n do_coredump() and sys_faccessat() now prepare their own credentials and\n temporarily override the ones currently on the acting thread, whilst\n preventing interference from other threads by holding cred_replace_mutex\n on the thread being dumped.\n\n This will be replaced in a future patch by something that hands down the\n credentials directly to the functions being called, rather than altering\n the task\u0027s objective credentials.\n\n (3) LSM interface.\n\n A number of functions have been changed, added or removed:\n\n (*) security_capset_check(), -\u003ecapset_check()\n (*) security_capset_set(), -\u003ecapset_set()\n\n \t Removed in favour of security_capset().\n\n (*) security_capset(), -\u003ecapset()\n\n \t New. This is passed a pointer to the new creds, a pointer to the old\n \t creds and the proposed capability sets. It should fill in the new\n \t creds or return an error. All pointers, barring the pointer to the\n \t new creds, are now const.\n\n (*) security_bprm_apply_creds(), -\u003ebprm_apply_creds()\n\n \t Changed; now returns a value, which will cause the process to be\n \t killed if it\u0027s an error.\n\n (*) security_task_alloc(), -\u003etask_alloc_security()\n\n \t Removed in favour of security_prepare_creds().\n\n (*) security_cred_free(), -\u003ecred_free()\n\n \t New. Free security data attached to cred-\u003esecurity.\n\n (*) security_prepare_creds(), -\u003ecred_prepare()\n\n \t New. Duplicate any security data attached to cred-\u003esecurity.\n\n (*) security_commit_creds(), -\u003ecred_commit()\n\n \t New. Apply any security effects for the upcoming installation of new\n \t security by commit_creds().\n\n (*) security_task_post_setuid(), -\u003etask_post_setuid()\n\n \t Removed in favour of security_task_fix_setuid().\n\n (*) security_task_fix_setuid(), -\u003etask_fix_setuid()\n\n \t Fix up the proposed new credentials for setuid(). This is used by\n \t cap_set_fix_setuid() to implicitly adjust capabilities in line with\n \t setuid() changes. Changes are made to the new credentials, rather\n \t than the task itself as in security_task_post_setuid().\n\n (*) security_task_reparent_to_init(), -\u003etask_reparent_to_init()\n\n \t Removed. Instead the task being reparented to init is referred\n \t directly to init\u0027s credentials.\n\n\t NOTE! This results in the loss of some state: SELinux\u0027s osid no\n\t longer records the sid of the thread that forked it.\n\n (*) security_key_alloc(), -\u003ekey_alloc()\n (*) security_key_permission(), -\u003ekey_permission()\n\n \t Changed. These now take cred pointers rather than task pointers to\n \t refer to the security context.\n\n (4) sys_capset().\n\n This has been simplified and uses less locking. The LSM functions it\n calls have been merged.\n\n (5) reparent_to_kthreadd().\n\n This gives the current thread the same credentials as init by simply using\n commit_thread() to point that way.\n\n (6) __sigqueue_alloc() and switch_uid()\n\n __sigqueue_alloc() can\u0027t stop the target task from changing its creds\n beneath it, so this function gets a reference to the currently applicable\n user_struct which it then passes into the sigqueue struct it returns if\n successful.\n\n switch_uid() is now called from commit_creds(), and possibly should be\n folded into that. commit_creds() should take care of protecting\n __sigqueue_alloc().\n\n (7) [sg]et[ug]id() and co and [sg]et_current_groups.\n\n The set functions now all use prepare_creds(), commit_creds() and\n abort_creds() to build and check a new set of credentials before applying\n it.\n\n security_task_set[ug]id() is called inside the prepared section. This\n guarantees that nothing else will affect the creds until we\u0027ve finished.\n\n The calling of set_dumpable() has been moved into commit_creds().\n\n Much of the functionality of set_user() has been moved into\n commit_creds().\n\n The get functions all simply access the data directly.\n\n (8) security_task_prctl() and cap_task_prctl().\n\n security_task_prctl() has been modified to return -ENOSYS if it doesn\u0027t\n want to handle a function, or otherwise return the return value directly\n rather than through an argument.\n\n Additionally, cap_task_prctl() now prepares a new set of credentials, even\n if it doesn\u0027t end up using it.\n\n (9) Keyrings.\n\n A number of changes have been made to the keyrings code:\n\n (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have\n \t all been dropped and built in to the credentials functions directly.\n \t They may want separating out again later.\n\n (b) key_alloc() and search_process_keyrings() now take a cred pointer\n \t rather than a task pointer to specify the security context.\n\n (c) copy_creds() gives a new thread within the same thread group a new\n \t thread keyring if its parent had one, otherwise it discards the thread\n \t keyring.\n\n (d) The authorisation key now points directly to the credentials to extend\n \t the search into rather pointing to the task that carries them.\n\n (e) Installing thread, process or session keyrings causes a new set of\n \t credentials to be created, even though it\u0027s not strictly necessary for\n \t process or session keyrings (they\u0027re shared).\n\n(10) Usermode helper.\n\n The usermode helper code now carries a cred struct pointer in its\n subprocess_info struct instead of a new session keyring pointer. This set\n of credentials is derived from init_cred and installed on the new process\n after it has been cloned.\n\n call_usermodehelper_setup() allocates the new credentials and\n call_usermodehelper_freeinfo() discards them if they haven\u0027t been used. A\n special cred function (prepare_usermodeinfo_creds()) is provided\n specifically for call_usermodehelper_setup() to call.\n\n call_usermodehelper_setkeys() adjusts the credentials to sport the\n supplied keyring as the new session keyring.\n\n(11) SELinux.\n\n SELinux has a number of changes, in addition to those to support the LSM\n interface changes mentioned above:\n\n (a) selinux_setprocattr() no longer does its check for whether the\n \t current ptracer can access processes with the new SID inside the lock\n \t that covers getting the ptracer\u0027s SID. Whilst this lock ensures that\n \t the check is done with the ptracer pinned, the result is only valid\n \t until the lock is released, so there\u0027s no point doing it inside the\n \t lock.\n\n(12) is_single_threaded().\n\n This function has been extracted from selinux_setprocattr() and put into\n a file of its own in the lib/ directory as join_session_keyring() now\n wants to use it too.\n\n The code in SELinux just checked to see whether a task shared mm_structs\n with other tasks (CLONE_VM), but that isn\u0027t good enough. We really want\n to know if they\u0027re part of the same thread group (CLONE_THREAD).\n\n(13) nfsd.\n\n The NFS server daemon now has to use the COW credentials to set the\n credentials it is going to use. It really needs to pass the credentials\n down to the functions it calls, but it can\u0027t do that until other patches\n in this series have been applied.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "bb952bb98a7e479262c7eb25d5592545a3af147d", "tree": "9a2158c07a22a5fbddcec412944d2e7534eecc8f", "parents": [ "275bb41e9d058fbb327e7642f077e1beaeac162e" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:20 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:20 2008 +1100" }, "message": "CRED: Separate per-task-group keyrings from signal_struct\n\nSeparate per-task-group keyrings from signal_struct and dangle their anchor\nfrom the cred struct rather than the signal_struct.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8bbf4976b59fc9fc2861e79cab7beb3f6d647640", "tree": "9bd621217cbdfcf94aca5b220de7363254d7fc23", "parents": [ "e9e349b051d98799b743ebf248cc2d986fedf090" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:14 2008 +1100" }, "message": "KEYS: Alter use of key instantiation link-to-keyring argument\n\nAlter the use of the key instantiation and negation functions\u0027 link-to-keyring\narguments. Currently this specifies a keyring in the target process to link\nthe key into, creating the keyring if it doesn\u0027t exist. This, however, can be\na problem for copy-on-write credentials as it means that the instantiating\nprocess can alter the credentials of the requesting process.\n\nThis patch alters the behaviour such that:\n\n (1) If keyctl_instantiate_key() or keyctl_negate_key() are given a specific\n keyring by ID (ringid \u003e\u003d 0), then that keyring will be used.\n\n (2) If keyctl_instantiate_key() or keyctl_negate_key() are given one of the\n special constants that refer to the requesting process\u0027s keyrings\n (KEY_SPEC_*_KEYRING, all \u003c\u003d 0), then:\n\n (a) If sys_request_key() was given a keyring to use (destringid) then the\n \t key will be attached to that keyring.\n\n (b) If sys_request_key() was given a NULL keyring, then the key being\n \t instantiated will be attached to the default keyring as set by\n \t keyctl_set_reqkey_keyring().\n\n (3) No extra link will be made.\n\nDecision point (1) follows current behaviour, and allows those instantiators\nwho\u0027ve searched for a specifically named keyring in the requestor\u0027s keyring so\nas to partition the keys by type to still have their named keyrings.\n\nDecision point (2) allows the requestor to make sure that the key or keys that\nget produced by request_key() go where they want, whilst allowing the\ninstantiator to request that the key is retained. This is mainly useful for\nsituations where the instantiator makes a secondary request, the key for which\nshould be retained by the initial requestor:\n\n\t+-----------+ +--------------+ +--------------+\n\t| | | | | |\n\t| Requestor |-------\u003e| Instantiator |-------\u003e| Instantiator |\n\t| | | | | |\n\t+-----------+ +--------------+ +--------------+\n\t request_key() request_key()\n\nThis might be useful, for example, in Kerberos, where the requestor requests a\nticket, and then the ticket instantiator requests the TGT, which someone else\nthen has to go and fetch. The TGT, however, should be retained in the\nkeyrings of the requestor, not the first instantiator. To make this explict\nan extra special keyring constant is also added.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0dab9cfa17179d1f5b067a32a3bca06cd31a3149", "tree": "e65e82135f688b9c9cc711d916912194f54ca13c", "parents": [ "07104839597803ccd9b2c4f543ee4651522b4aa1" ], "author": { "name": "Adrian Bunk", "email": "bunk@kernel.org", "time": "Sun Oct 12 07:10:50 2008 +0300" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Sun Oct 12 11:44:37 2008 -0700" }, "message": "add key_revoke() dummy for KEYS\u003dn\n\nThis fixes the following build error with CONFIG_KEYS\u003dn, caused by\ncommit dfd15c46a6c2cafb006183c0c14f07e59eee4ac0 (\"cifs: explicitly\nrevoke SPNEGO key after session setup\"):\n\n CC [M] fs/cifs/sess.o\n fs/cifs/sess.c: In function \u0027CIFS_SessSetup\u0027:\n fs/cifs/sess.c:628: error: implicit declaration of function \u0027key_revoke\u0027\n make[3]: *** [fs/cifs/sess.o] Error 1\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "7249db2c281ac688977ecc6862cdee9969d310e2", "tree": "7d0c42af5c2cb3724fd18aa3aff8de3c827bfe77", "parents": [ "fdb89bce6c9ccb17dae13ec43a25d2fdd405233f" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:34 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:17 2008 -0700" }, "message": "keys: make key_serial() a function if CONFIG_KEYS\u003dy\n\nMake key_serial() an inline function rather than a macro if CONFIG_KEYS\u003dy.\nThis prevents double evaluation of the key pointer and also provides better\ntype checking.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "0b77f5bfb45c13e1e5142374f9d6ca75292252a4", "tree": "cf62055536d267e9a4abe6518e5d9f683a1ceb75", "parents": [ "69664cf16af4f31cd54d77948a4baf9c7e0ca7b9" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:32 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:17 2008 -0700" }, "message": "keys: make the keyring quotas controllable through /proc/sys\n\nMake the keyring quotas controllable through /proc/sys files:\n\n (*) /proc/sys/kernel/keys/root_maxkeys\n /proc/sys/kernel/keys/root_maxbytes\n\n Maximum number of keys that root may have and the maximum total number of\n bytes of data that root may have stored in those keys.\n\n (*) /proc/sys/kernel/keys/maxkeys\n /proc/sys/kernel/keys/maxbytes\n\n Maximum number of keys that each non-root user may have and the maximum\n total number of bytes of data that each of those users may have stored in\n their keys.\n\nAlso increase the quotas as a number of people have been complaining that it\u0027s\nnot big enough. I\u0027m not sure that it\u0027s big enough now either, but on the\nother hand, it can now be set in /etc/sysctl.conf.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: \u003ckwc@citi.umich.edu\u003e\nCc: \u003carunsr@cse.iitk.ac.in\u003e\nCc: \u003cdwalsh@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "69664cf16af4f31cd54d77948a4baf9c7e0ca7b9", "tree": "3ff4ecae21c140a2beed25cfa9e55b788f9814ac", "parents": [ "6b79ccb5144f9ffb4d4596c23e7570238dd12abc" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:31 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:17 2008 -0700" }, "message": "keys: don\u0027t generate user and user session keyrings unless they\u0027re accessed\n\nDon\u0027t generate the per-UID user and user session keyrings unless they\u0027re\nexplicitly accessed. This solves a problem during a login process whereby\nset*uid() is called before the SELinux PAM module, resulting in the per-UID\nkeyrings having the wrong security labels.\n\nThis also cures the problem of multiple per-UID keyrings sometimes appearing\ndue to PAM modules (including pam_keyinit) setuiding and causing user_structs\nto come into and go out of existence whilst the session keyring pins the user\nkeyring. This is achieved by first searching for extant per-UID keyrings\nbefore inventing new ones.\n\nThe serial bound argument is also dropped from find_keyring_by_name() as it\u0027s\nnot currently made use of (setting it to 0 disables the feature).\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: \u003ckwc@citi.umich.edu\u003e\nCc: \u003carunsr@cse.iitk.ac.in\u003e\nCc: \u003cdwalsh@redhat.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "6b79ccb5144f9ffb4d4596c23e7570238dd12abc", "tree": "e674339e9f86c3607304496792b417b0ed66de6f", "parents": [ "da91d2ef9fe4fd84cc0a8a729201d38e40ac9f2e" ], "author": { "name": "Arun Raghavan", "email": "arunsr@cse.iitk.ac.in", "time": "Tue Apr 29 01:01:28 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: allow clients to set key perms in key_create_or_update()\n\nThe key_create_or_update() function provided by the keyring code has a default\nset of permissions that are always applied to the key when created. This\nmight not be desirable to all clients.\n\nHere\u0027s a patch that adds a \"perm\" parameter to the function to address this,\nwhich can be set to KEY_PERM_UNDEF to revert to the current behaviour.\n\nSigned-off-by: Arun Raghavan \u003carunsr@cse.iitk.ac.in\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Satyam Sharma \u003cssatyam@cse.iitk.ac.in\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4a38e122e2cc6294779021ff4ccc784a3997059e", "tree": "84b401b44e0550b04f831d98a91eacfd7cffb51d", "parents": [ "dceba9944181b1fd5993417b5c8fa0e3dda38f8d" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Apr 29 01:01:24 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:16 2008 -0700" }, "message": "keys: allow the callout data to be passed as a blob rather than a string\n\nAllow the callout data to be passed as a blob rather than a string for\ninternal kernel services that call any request_key_*() interface other than\nrequest_key(). request_key() itself still takes a NUL-terminated string.\n\nThe functions that change are:\n\n\trequest_key_with_auxdata()\n\trequest_key_async()\n\trequest_key_async_with_auxdata()\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nCc: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "5b7741b3325d0d94c88b2ad46657a536890aaa2f", "tree": "11bc16f7d9991f248652e60ec1ce8d6c528d8d8c", "parents": [ "9f966be8996f2829406324c68e4c67c2d64d864b" ], "author": { "name": "Sebastian Siewior", "email": "sebastian@breakpoint.cc", "time": "Tue Jan 08 15:32:47 2008 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Jan 08 16:10:35 2008 -0800" }, "message": "KEYS: fix macro\n\nCommit 664cceb0093b755739e56572b836a99104ee8a75 changed the parameters of\nthe function make_key_ref(). The macros that are used in case CONFIG_KEY\nis not defined did not change.\n\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Sebastian Siewior \u003csebastian@breakpoint.cc\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "76181c134f87479fa13bf2548ddf2999055d34d4", "tree": "34694341c190e7ecdd3111ee48e4b98602ff012f", "parents": [ "398c95bdf2c24d7866692a40ba04425aef238cdd" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Oct 16 23:29:46 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:42:57 2007 -0700" }, "message": "KEYS: Make request_key() and co fundamentally asynchronous\n\nMake request_key() and co fundamentally asynchronous to make it easier for\nNFS to make use of them. There are now accessor functions that do\nasynchronous constructions, a wait function to wait for construction to\ncomplete, and a completion function for the key type to indicate completion\nof construction.\n\nNote that the construction queue is now gone. Instead, keys under\nconstruction are linked in to the appropriate keyring in advance, and that\nanyone encountering one must wait for it to be complete before they can use\nit. This is done automatically for userspace.\n\nThe following auxiliary changes are also made:\n\n (1) Key type implementation stuff is split from linux/key.h into\n linux/key-type.h.\n\n (2) AF_RXRPC provides a way to allocate null rxrpc-type keys so that AFS does\n not need to call key_instantiate_and_link() directly.\n\n (3) Adjust the debugging macros so that they\u0027re -Wformat checked even if\n they are disabled, and make it so they can be enabled simply by defining\n __KDEBUG to be consistent with other code of mine.\n\n (3) Documentation.\n\n[alan@lxorguk.ukuu.org.uk: keys: missing word in documentation]\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Alan Cox \u003calan@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "7318226ea2931a627f3572e5f4804c91ca19ecbc", "tree": "d2492bb7e87a9c1740432c4dcde13e75ee46ad8d", "parents": [ "071b638689464c6b39407025eedd810d5b5e6f5d" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Apr 26 15:46:23 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Apr 26 15:46:23 2007 -0700" }, "message": "[AF_RXRPC]: Key facility changes for AF_RXRPC\n\nExport the keyring key type definition and document its availability.\n\nAdd alternative types into the key\u0027s type_data union to make it more useful.\nNot all users necessarily want to use it as a list_head (AF_RXRPC doesn\u0027t, for\nexample), so make it clear that it can be used in other ways.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "4e54f08543d05e519e601368571cc3787fefae96", "tree": "0cd9d982e5bb25abcb9251d26c36ff11e7dc81a5", "parents": [ "94583779e6625154e8d7fce33d097ae7d089e9de" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 29 02:24:28 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Thu Jun 29 10:26:20 2006 -0700" }, "message": "[PATCH] Keys: Allow in-kernel key requestor to pass auxiliary data to upcaller\n\nThe proposed NFS key type uses its own method of passing key requests to\nuserspace (upcalling) rather than invoking /sbin/request-key. This is\nbecause the responsible userspace daemon should already be running and will\nbe contacted through rpc_pipefs.\n\nThis patch permits the NFS filesystem to pass auxiliary data to the upcall\noperation (struct key_type::request_key) so that the upcaller can use a\npre-existing communications channel more easily.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-By: Kevin Coffman \u003ckwc@citi.umich.edu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "7e047ef5fe2d52e83020e856b1bf2556a6a2ce98", "tree": "97656e2c56a27be9d1da451dde627b693b8643f2", "parents": [ "f116629d03655adaf7832b93b03c99391d09d4a7" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Mon Jun 26 00:24:50 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Jun 26 09:58:18 2006 -0700" }, "message": "[PATCH] keys: sort out key quota system\n\nAdd the ability for key creation to overrun the user\u0027s quota in some\ncircumstances - notably when a session keyring is created and assigned to a\nprocess that didn\u0027t previously have one.\n\nThis means it\u0027s still possible to log in, should PAM require the creation of a\nnew session keyring, and fix an overburdened key quota.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "04c567d9313e4927b9835361d8ac0318ce65af6b", "tree": "d040ef59337342603f2cc30917493fb6a74a212a", "parents": [ "d720024e94de4e8b7f10ee83c532926f3ad5d708" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 22 14:47:18 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Thu Jun 22 15:05:56 2006 -0700" }, "message": "[PATCH] Keys: Fix race between two instantiators of a key\n\nAdd a revocation notification method to the key type and calls it whilst\nthe key\u0027s semaphore is still write-locked after setting the revocation\nflag.\n\nThe patch then uses this to maintain a reference on the task_struct of the\nprocess that calls request_key() for as long as the authorisation key\nremains unrevoked.\n\nThis fixes a potential race between two processes both of which have\nassumed the authority to instantiate a key (one may have forked the other\nfor example). The problem is that there\u0027s no locking around the check for\nrevocation of the auth key and the use of the task_struct it points to, nor\ndoes the auth key keep a reference on the task_struct.\n\nAccess to the \"context\" pointer in the auth key must thenceforth be done\nwith the auth key semaphore held. The revocation method is called with the\ntarget key semaphore held write-locked and the search of the context\nprocess\u0027s keyrings is done with the auth key semaphore read-locked.\n\nThe check for the revocation state of the auth key just prior to searching\nit is done after the auth key is read-locked for the search. This ensures\nthat the auth key can\u0027t be revoked between the check and the search.\n\nThe revocation notification method is added so that the context task_struct\ncan be released as soon as instantiation happens rather than waiting for\nthe auth key to be destroyed, thus avoiding the unnecessary pinning of the\nrequesting process.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "d720024e94de4e8b7f10ee83c532926f3ad5d708", "tree": "8f21613c29a26bfbeb334cb0104b8b998b09fbdc", "parents": [ "f893afbe1262e27e91234506f72e17716190dd2f" ], "author": { "name": "Michael LeMay", "email": "mdlemay@epoch.ncsc.mil", "time": "Thu Jun 22 14:47:17 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Thu Jun 22 15:05:55 2006 -0700" }, "message": "[PATCH] selinux: add hooks for key subsystem\n\nIntroduce SELinux hooks to support the access key retention subsystem\nwithin the kernel. Incorporate new flask headers from a modified version\nof the SELinux reference policy, with support for the new security class\nrepresenting retained keys. Extend the \"key_alloc\" security hook with a\ntask parameter representing the intended ownership context for the key\nbeing allocated. Attach security information to root\u0027s default keyrings\nwithin the SELinux initialization routine.\n\nHas passed David\u0027s testsuite.\n\nSigned-off-by: Michael LeMay \u003cmdlemay@epoch.ncsc.mil\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "b5f545c880a2a47947ba2118b2509644ab7a2969", "tree": "8720e02262b0ff6309ae79603f6c63965296d378", "parents": [ "cab8eb594e84b434d20412fc5a3985b0bee3ab9f" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Sun Jan 08 01:02:47 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun Jan 08 20:13:53 2006 -0800" }, "message": "[PATCH] keys: Permit running process to instantiate keys\n\nMake it possible for a running process (such as gssapid) to be able to\ninstantiate a key, as was requested by Trond Myklebust for NFS4.\n\nThe patch makes the following changes:\n\n (1) A new, optional key type method has been added. This permits a key type\n to intercept requests at the point /sbin/request-key is about to be\n spawned and do something else with them - passing them over the\n rpc_pipefs files or netlink sockets for instance.\n\n The uninstantiated key, the authorisation key and the intended operation\n name are passed to the method.\n\n (2) The callout_info is no longer passed as an argument to /sbin/request-key\n to prevent unauthorised viewing of this data using ps or by looking in\n /proc/pid/cmdline.\n\n This means that the old /sbin/request-key program will not work with the\n patched kernel as it will expect to see an extra argument that is no\n longer there.\n\n A revised keyutils package will be made available tomorrow.\n\n (3) The callout_info is now attached to the authorisation key. Reading this\n key will retrieve the information.\n\n (4) A new field has been added to the task_struct. This holds the\n authorisation key currently active for a thread. Searches now look here\n for the caller\u0027s set of keys rather than looking for an auth key in the\n lowest level of the session keyring.\n\n This permits a thread to be servicing multiple requests at once and to\n switch between them. Note that this is per-thread, not per-process, and\n so is usable in multithreaded programs.\n\n The setting of this field is inherited across fork and exec.\n\n (5) A new keyctl function (KEYCTL_ASSUME_AUTHORITY) has been added that\n permits a thread to assume the authority to deal with an uninstantiated\n key. Assumption is only permitted if the authorisation key associated\n with the uninstantiated key is somewhere in the thread\u0027s keyrings.\n\n This function can also clear the assumption.\n\n (6) A new magic key specifier has been added to refer to the currently\n assumed authorisation key (KEY_SPEC_REQKEY_AUTH_KEY).\n\n (7) Instantiation will only proceed if the appropriate authorisation key is\n assumed first. The assumed authorisation key is discarded if\n instantiation is successful.\n\n (8) key_validate() is moved from the file of request_key functions to the\n file of permissions functions.\n\n (9) The documentation is updated.\n\nFrom: \u003cValdis.Kletnieks@vt.edu\u003e\n\n Build fix.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Trond Myklebust \u003ctrond.myklebust@fys.uio.no\u003e\nCc: Alexander Zangerl \u003caz@bond.edu.au\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "8d9067bda99c68e1a17d93e78cf3a5a3f67e0c35", "tree": "6f3c7fe665012c456b57840c290eafd4deabbeb2", "parents": [ "32725ad8430b58e42c5d54757ce7871e680d05cb" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Jan 06 00:11:24 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Jan 06 08:33:29 2006 -0800" }, "message": "[PATCH] Keys: Remove key duplication\n\nRemove the key duplication stuff since there\u0027s nothing that uses it, no way\nto get at it and it\u0027s awkward to deal with for LSM purposes.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "29db9190634067c5a328ee5fcc2890251b836b4b", "tree": "07ec242789230824f1fa8bcbbe681fd5bf166fa8", "parents": [ "2aa349f6e37ce030060c994d3aebbff4ab703565" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Sun Oct 30 15:02:44 2005 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun Oct 30 17:37:23 2005 -0800" }, "message": "[PATCH] Keys: Add LSM hooks for key management [try #3]\n\nThe attached patch adds LSM hooks for key management facilities. The notable\nchanges are:\n\n (1) The key struct now supports a security pointer for the use of security\n modules. This will permit key labelling and restrictions on which\n programs may access a key.\n\n (2) Security modules get a chance to note (or abort) the allocation of a key.\n\n (3) The key permission checking can now be enhanced by the security modules;\n the permissions check consults LSM if all other checks bear out.\n\n (4) The key permissions checking functions now return an error code rather\n than a boolean value.\n\n (5) An extra permission has been added to govern the modification of\n attributes (UID, GID, permissions).\n\nNote that there isn\u0027t an LSM hook specifically for each keyctl() operation,\nbut rather the permissions hook allows control of individual operations based\non the permission request bits.\n\nKey management access control through LSM is enabled by automatically if both\nCONFIG_KEYS and CONFIG_SECURITY are enabled.\n\nThis should be applied on top of the patch ensubjected:\n\n\t[PATCH] Keys: Possessor permissions should be additive\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Chris Wright \u003cchrisw@osdl.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "664cceb0093b755739e56572b836a99104ee8a75", "tree": "dbaa3ab802803879f29532db4d8a91a54294cf88", "parents": [ "5134fc15b643dc36eb9aa77e4318b886844a9ac5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Wed Sep 28 17:03:15 2005 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Wed Sep 28 09:10:47 2005 -0700" }, "message": "[PATCH] Keys: Add possessor permissions to keys [try #3]\n\nThe attached patch adds extra permission grants to keys for the possessor of a\nkey in addition to the owner, group and other permissions bits. This makes\nSUID binaries easier to support without going as far as labelling keys and key\ntargets using the LSM facilities.\n\nThis patch adds a second \"pointer type\" to key structures (struct key_ref *)\nthat can have the bottom bit of the address set to indicate the possession of\na key. This is propagated through searches from the keyring to the discovered\nkey. It has been made a separate type so that the compiler can spot attempts\nto dereference a potentially incorrect pointer.\n\nThe \"possession\" attribute can\u0027t be attached to a key structure directly as\nit\u0027s not an intrinsic property of a key.\n\nPointers to keys have been replaced with struct key_ref *\u0027s wherever\npossession information needs to be passed through.\n\nThis does assume that the bottom bit of the pointer will always be zero on\nreturn from kmem_cache_alloc().\n\nThe key reference type has been made into a typedef so that at least it can be\nlocated in the sources, even though it\u0027s basically a pointer to an undefined\ntype. I\u0027ve also renamed the accessor functions to be more useful, and all\nreference variables should now end in \"_ref\".\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "3e30148c3d524a9c1c63ca28261bc24c457eb07a", "tree": "a2fcc46cc11fe871ad976c07476d934a07313576", "parents": [ "8589b4e00e352f983259140f25a262d973be6bc5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 23 22:00:56 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Fri Jun 24 00:05:19 2005 -0700" }, "message": "[PATCH] Keys: Make request-key create an authorisation key\n\nThe attached patch makes the following changes:\n\n (1) There\u0027s a new special key type called \".request_key_auth\".\n\n This is an authorisation key for when one process requests a key and\n another process is started to construct it. This type of key cannot be\n created by the user; nor can it be requested by kernel services.\n\n Authorisation keys hold two references:\n\n (a) Each refers to a key being constructed. When the key being\n \t constructed is instantiated the authorisation key is revoked,\n \t rendering it of no further use.\n\n (b) The \"authorising process\". This is either:\n\n \t (i) the process that called request_key(), or:\n\n \t (ii) if the process that called request_key() itself had an\n \t authorisation key in its session keyring, then the authorising\n \t process referred to by that authorisation key will also be\n \t referred to by the new authorisation key.\n\n\t This means that the process that initiated a chain of key requests\n\t will authorise the lot of them, and will, by default, wind up with\n\t the keys obtained from them in its keyrings.\n\n (2) request_key() creates an authorisation key which is then passed to\n /sbin/request-key in as part of a new session keyring.\n\n (3) When request_key() is searching for a key to hand back to the caller, if\n it comes across an authorisation key in the session keyring of the\n calling process, it will also search the keyrings of the process\n specified therein and it will use the specified process\u0027s credentials\n (fsuid, fsgid, groups) to do that rather than the calling process\u0027s\n credentials.\n\n This allows a process started by /sbin/request-key to find keys belonging\n to the authorising process.\n\n (4) A key can be read, even if the process executing KEYCTL_READ doesn\u0027t have\n direct read or search permission if that key is contained within the\n keyrings of a process specified by an authorisation key found within the\n calling process\u0027s session keyring, and is searchable using the\n credentials of the authorising process.\n\n This allows a process started by /sbin/request-key to read keys belonging\n to the authorising process.\n\n (5) The magic KEY_SPEC_*_KEYRING key IDs when passed to KEYCTL_INSTANTIATE or\n KEYCTL_NEGATE will specify a keyring of the authorising process, rather\n than the process doing the instantiation.\n\n (6) One of the process keyrings can be nominated as the default to which\n request_key() should attach new keys if not otherwise specified. This is\n done with KEYCTL_SET_REQKEY_KEYRING and one of the KEY_REQKEY_DEFL_*\n constants. The current setting can also be read using this call.\n\n (7) request_key() is partially interruptible. If it is waiting for another\n process to finish constructing a key, it can be interrupted. This permits\n a request-key cycle to be broken without recourse to rebooting.\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-Off-By: Benoit Boissinot \u003cbenoit.boissinot@ens-lyon.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "7888e7ff4ee579442128d7d12a9c9dbf2cf7de6a", "tree": "abe428ecb966e1dae07fce17f38e3e0c0ab4f134", "parents": [ "76d8aeabfeb1c42641a81c44280177b9a08670d8" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 23 22:00:51 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Fri Jun 24 00:05:18 2005 -0700" }, "message": "[PATCH] Keys: Pass session keyring to call_usermodehelper()\n\nThe attached patch makes it possible to pass a session keyring through to the\nprocess spawned by call_usermodehelper(). This allows patch 3/3 to pass an\nauthorisation key through to /sbin/request-key, thus permitting better access\ncontrols when doing just-in-time key creation.\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "76d8aeabfeb1c42641a81c44280177b9a08670d8", "tree": "0a584439bb44e440717aa77a1398ba9eea24a137", "parents": [ "7286aa9b9ab35f20b1ff16d867f4535701df99b5" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 23 22:00:49 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Fri Jun 24 00:05:18 2005 -0700" }, "message": "[PATCH] keys: Discard key spinlock and use RCU for key payload\n\nThe attached patch changes the key implementation in a number of ways:\n\n (1) It removes the spinlock from the key structure.\n\n (2) The key flags are now accessed using atomic bitops instead of\n write-locking the key spinlock and using C bitwise operators.\n\n The three instantiation flags are dealt with with the construction\n semaphore held during the request_key/instantiate/negate sequence, thus\n rendering the spinlock superfluous.\n\n The key flags are also now bit numbers not bit masks.\n\n (3) The key payload is now accessed using RCU. This permits the recursive\n keyring search algorithm to be simplified greatly since no locks need be\n taken other than the usual RCU preemption disablement. Searching now does\n not require any locks or semaphores to be held; merely that the starting\n keyring be pinned.\n\n (4) The keyring payload now includes an RCU head so that it can be disposed\n of by call_rcu(). This requires that the payload be copied on unlink to\n prevent introducing races in copy-down vs search-up.\n\n (5) The user key payload is now a structure with the data following it. It\n includes an RCU head like the keyring payload and for the same reason. It\n also contains a data length because the data length in the key may be\n changed on another CPU whilst an RCU protected read is in progress on the\n payload. This would then see the supposed RCU payload and the on-key data\n length getting out of sync.\n\n I\u0027m tempted to drop the key\u0027s datalen entirely, except that it\u0027s used in\n conjunction with quota management and so is a little tricky to get rid\n of.\n\n (6) Update the keys documentation.\n\nSigned-Off-By: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }