rpms/kernel
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Enabled the in-kernel idmapper.

Browse Source 
keyring: allow special keyrings to be cleared
This commit is contained in:
Dave Jones 2011-12-14 15:48:10 -05:00
parent 59806edb4d
commit f3fbdcb713
3 changed files with 118 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config-generic
View File

@ -3706,7 +3706,7 @@ CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y CONFIG_NFSD_V4=y
CONFIG_NFS_FSCACHE=y CONFIG_NFS_FSCACHE=y
# CONFIG_NFS_USE_LEGACY_DNS is not set # CONFIG_NFS_USE_LEGACY_DNS is not set
# CONFIG_NFS_USE_NEW_IDMAPPER is not set CONFIG_NFS_USE_NEW_IDMAPPER=y
CONFIG_PNFS_OBJLAYOUT=m CONFIG_PNFS_OBJLAYOUT=m
CONFIG_PNFS_BLOCK=m CONFIG_PNFS_BLOCK=m
CONFIG_LOCKD=m CONFIG_LOCKD=m

8
kernel.spec
View File

@ -464,7 +464,7 @@ Summary: The Linux kernel
# First the general kernel 2.6 required versions as per # First the general kernel 2.6 required versions as per
# Documentation/Changes # Documentation/Changes
# #
%define kernel_dot_org_conflicts ppp < 2.4.3-3, isdn4k-utils < 3.2-32, nfs-utils < 1.0.7-12, e2fsprogs < 1.37-4, util-linux < 2.12, jfsutils < 1.1.7-2, reiserfs-utils < 3.6.19-2, xfsprogs < 2.6.13-4, procps < 3.2.5-6.3, oprofile < 0.9.1-2, device-mapper-libs < 1.02.63-2, mdadm < 3.2.1-5 %define kernel_dot_org_conflicts ppp < 2.4.3-3, isdn4k-utils < 3.2-32, nfs-utils < 1.2.5-7.fc17, e2fsprogs < 1.37-4, util-linux < 2.12, jfsutils < 1.1.7-2, reiserfs-utils < 3.6.19-2, xfsprogs < 2.6.13-4, procps < 3.2.5-6.3, oprofile < 0.9.1-2, device-mapper-libs < 1.02.63-2, mdadm < 3.2.1-5
# #
# Then a series of requirements that are distribution specific, either # Then a series of requirements that are distribution specific, either
@ -697,6 +697,7 @@ Patch2901: linux-2.6-v4l-dvb-experimental.patch
# fs fixes # fs fixes
# NFSv4 # NFSv4
Patch1101: linux-3.1-keys-remove-special-keyring.patch
# patches headed upstream # patches headed upstream
Patch12016: disable-i8042-check-on-apple-mac.patch Patch12016: disable-i8042-check-on-apple-mac.patch
@ -1297,6 +1298,7 @@ ApplyPatch arm-smsc-support-reading-mac-address-from-device-tree.patch
# eCryptfs # eCryptfs
# NFSv4 # NFSv4
ApplyPatch linux-3.1-keys-remove-special-keyring.patch
# USB # USB
@ -2229,6 +2231,10 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Wed Dec 14 2011 Steve Dickson <steved@redhat.com>
- Enabled the in-kernel idmapper.
- keyring: allow special keyrings to be cleared
* Wed Dec 14 2011 Dave Jones <davej@redhat.com> - 3.2.0-0.rc5.git2.1 * Wed Dec 14 2011 Dave Jones <davej@redhat.com> - 3.2.0-0.rc5.git2.1
- Linux 3.2-rc5-git2 (373da0a2a33018d560afcb2c77f8842985d79594) - Linux 3.2-rc5-git2 (373da0a2a33018d560afcb2c77f8842985d79594)

110
linux-3.1-keys-remove-special-keyring.patch Normal file
View File

@ -0,0 +1,110 @@
diff -up linux-3.1.x86_64/Documentation/networking/dns_resolver.txt.orig linux-3.1.x86_64/Documentation/networking/dns_resolver.txt
--- linux-3.1.x86_64/Documentation/networking/dns_resolver.txt.orig 2011-10-24 03:10:05.000000000 -0400
+++ linux-3.1.x86_64/Documentation/networking/dns_resolver.txt 2011-12-13 15:09:35.705766078 -0500
@@ -102,6 +102,10 @@ implemented in the module can be called
If _expiry is non-NULL, the expiry time (TTL) of the result will be
returned also.
+The kernel maintains an internal keyring in which it caches looked up keys.
+This can be cleared by any process that has the CAP_SYS_ADMIN capability by
+the use of KEYCTL_KEYRING_CLEAR on the keyring ID.
+
===============================
READING DNS KEYS FROM USERSPACE
diff -up linux-3.1.x86_64/Documentation/security/keys.txt.orig linux-3.1.x86_64/Documentation/security/keys.txt
--- linux-3.1.x86_64/Documentation/security/keys.txt.orig 2011-10-24 03:10:05.000000000 -0400
+++ linux-3.1.x86_64/Documentation/security/keys.txt 2011-12-13 15:09:35.706766099 -0500
@@ -554,6 +554,10 @@ The keyctl syscall functions are:
process must have write permission on the keyring, and it must be a
keyring (or else error ENOTDIR will result).
+ This function can also be used to clear special kernel keyrings if they
+ are appropriately marked if the user has CAP_SYS_ADMIN capability. The
+ DNS resolver cache keyring is an example of this.
+
(*) Link a key into a keyring:
diff -up linux-3.1.x86_64/fs/cifs/cifsacl.c.orig linux-3.1.x86_64/fs/cifs/cifsacl.c
--- linux-3.1.x86_64/fs/cifs/cifsacl.c.orig 2011-12-13 12:54:12.221145867 -0500
+++ linux-3.1.x86_64/fs/cifs/cifsacl.c 2011-12-13 15:09:35.707766122 -0500
@@ -556,6 +556,7 @@ init_cifs_idmap(void)
/* instruct request_key() to use this special keyring as a cache for
* the results it looks up */
+ set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
cred->thread_keyring = keyring;
cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
root_cred = cred;
diff -up linux-3.1.x86_64/fs/nfs/idmap.c.orig linux-3.1.x86_64/fs/nfs/idmap.c
--- linux-3.1.x86_64/fs/nfs/idmap.c.orig 2011-12-13 12:54:14.657203507 -0500
+++ linux-3.1.x86_64/fs/nfs/idmap.c 2011-12-13 15:10:14.731681691 -0500
@@ -115,6 +115,7 @@ int nfs_idmap_init(void)
if (ret < 0)
goto failed_put_key;
+ set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
cred->thread_keyring = keyring;
cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
id_resolver_cache = cred;
@@ -185,7 +186,7 @@ static ssize_t nfs_idmap_request_key(con
}
rcu_read_lock();
- rkey->perm |= KEY_USR_VIEW;
+ rkey->perm |= KEY_USR_VIEW|KEY_USR_WRITE;
ret = key_validate(rkey);
if (ret < 0)
diff -up linux-3.1.x86_64/include/linux/key.h.orig linux-3.1.x86_64/include/linux/key.h
--- linux-3.1.x86_64/include/linux/key.h.orig 2011-10-24 03:10:05.000000000 -0400
+++ linux-3.1.x86_64/include/linux/key.h 2011-12-13 15:09:35.748767078 -0500
@@ -155,6 +155,7 @@ struct key {
#define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */
#define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */
#define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
+#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
/* the description string
* - this is used to match a key against search criteria
diff -up linux-3.1.x86_64/net/dns_resolver/dns_key.c.orig linux-3.1.x86_64/net/dns_resolver/dns_key.c
--- linux-3.1.x86_64/net/dns_resolver/dns_key.c.orig 2011-10-24 03:10:05.000000000 -0400
+++ linux-3.1.x86_64/net/dns_resolver/dns_key.c 2011-12-13 15:09:35.748767078 -0500
@@ -281,6 +281,7 @@ static int __init init_dns_resolver(void
/* instruct request_key() to use this special keyring as a cache for
* the results it looks up */
+ set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
cred->thread_keyring = keyring;
cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
dns_resolver_cache = cred;
diff -up linux-3.1.x86_64/security/keys/keyctl.c.orig linux-3.1.x86_64/security/keys/keyctl.c
--- linux-3.1.x86_64/security/keys/keyctl.c.orig 2011-12-13 12:54:30.322571289 -0500
+++ linux-3.1.x86_64/security/keys/keyctl.c 2011-12-13 15:09:35.756767271 -0500
@@ -388,11 +388,24 @@ long keyctl_keyring_clear(key_serial_t r
keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
if (IS_ERR(keyring_ref)) {
ret = PTR_ERR(keyring_ref);
+
+ /* Root is permitted to invalidate certain special keyrings */
+ if (capable(CAP_SYS_ADMIN)) {
+ keyring_ref = lookup_user_key(ringid, 0, 0);
+ if (IS_ERR(keyring_ref))
+ goto error;
+ if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,
+ &key_ref_to_ptr(keyring_ref)->flags))
+ goto clear;
+ goto error_put;
+ }
+
goto error;
}
+clear:
ret = keyring_clear(key_ref_to_ptr(keyring_ref));
-
+error_put:
key_ref_put(keyring_ref);
error:
return ret;