| Field | Value | | |
|---|---|---|---|
| author | David Howells <dhowells@redhat.com> | 2011-03-11 17:57:33 +0000 | |
| committer | James Morris <jmorris@namei.org> | 2011-03-17 11:59:49 +1100 | |
| commit | 4aab1e896a0a9d57420ff2867caa5a369123d8cb (patch) | | |
| tree | 92212870353a9493c10fb46a0dd9b6ce27230012 /security | | |
| parent | 78b7280cce23293f7570ad52c1ffe1485c6d9669 (diff) | | |
KEYS: Make request_key() and co. return an error for a negative key
Make request_key() and co. return an error for a negative or rejected key. If
the key was simply negated, then return ENOKEY, otherwise return the error
with which it was rejected.
Without this patch, the following command returns a key number (with the latest
keyutils):
[root@andromeda ~]# keyctl request2 user debug:foo rejected @s
586569904
Trying to print the key merely gets you a permission denied error:
[root@andromeda ~]# keyctl print 586569904
keyctl_read_alloc: Permission denied
Doing another request_key() call does get you the error, as long as it hasn't
expired yet:
[root@andromeda ~]# keyctl request user debug:foo
request_key: Key was rejected by service
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | security/keys/keyctl.c | 6 |

1 files changed, 6 insertions, 0 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 427fddcaeb19..eca51918c951 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -206,8 +206,14 @@ SYSCALL_DEFINE4(request_key, const char __user *, _type, goto error5; } + /* wait for the key to finish being constructed */ + ret = wait_for_key_construction(key, 1); + if (ret < 0) + goto error6; + ret = key->serial; +error6: key_put(key); error5: key_type_put(ktype); |
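Review bot: the new comment "wait for the key to finish being constructed" describes only half of why this call is here; per the commit message the point is that wait_for_key_construction() turns a negated or rejected key into an error (ENOKEY, or the error it was rejected with) instead of letting request_key() hand back a serial, so the comment at the call site should say so, e.g. `/* wait for construction to finish; a negative or rejected key yields an error, not a serial */`. The error handling itself looks right: the error6 label sits before key_put(key), so the reference taken on lookup is dropped before falling through to error5 and key_type_put(ktype), and ret = key->serial is only assigned once the wait has succeeded. Note that the second argument (1) makes the wait interruptible, so a signal arriving during construction now returns the interrupt error to userspace rather than a serial; that is the expected behaviour for a syscall but is worth a mention in the same comment.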