keys: Fix request_key() lack of Link perm check on found key
The request_key() syscall allows a process to gain access to the 'possessor' permits of any key that grants it Search permission by virtue of request_key() not checking whether a key it finds grants Link permission to the caller. Signed-off-by: David Howells <dhowells@redhat.com>
This commit is contained in:
David Howells
parent
45e0f30c30
commit
504b69eb3c
|
|
@ -433,6 +433,10 @@ The main syscalls are:
|
|||
/sbin/request-key will be invoked in an attempt to obtain a key. The
|
||||
callout_info string will be passed as an argument to the program.
|
||||
|
||||
To link a key into the destination keyring the key must grant link
|
||||
permission on the key to the caller and the keyring must grant write
|
||||
permission.
|
||||
|
||||
See also Documentation/security/keys/request-key.rst.
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -564,6 +564,16 @@ struct key *request_key_and_link(struct key_type *type,
|
|||
key_ref = search_process_keyrings(&ctx);
|
||||
|
||||
if (!IS_ERR(key_ref)) {
|
||||
if (dest_keyring) {
|
||||
ret = key_task_permission(key_ref, current_cred(),
|
||||
KEY_NEED_LINK);
|
||||
if (ret < 0) {
|
||||
key_ref_put(key_ref);
|
||||
key = ERR_PTR(ret);
|
||||
goto error_free;
|
||||
}
|
||||
}
|
||||
|
||||
key = key_ref_to_ptr(key_ref);
|
||||
if (dest_keyring) {
|
||||
ret = key_link(dest_keyring, key);
|
||||
|
|
|
|||
Loading…
Reference in New Issue