[kernel] Enabled the in-kernel idmapper. keyring: allow special keyrings to be cleared

Dave Jones davej at fedoraproject.org
Wed Dec 14 20:48:22 UTC 2011 

commit f3fbdcb713c55e0ae54b46e3af628d472df51c54
Author: Dave Jones <davej at redhat.com>
Date:   Wed Dec 14 15:48:10 2011 -0500

    Enabled the in-kernel idmapper.
    keyring: allow special keyrings to be cleared

 config-generic                              |    2 +-
 kernel.spec                                 |    8 ++-
 linux-3.1-keys-remove-special-keyring.patch |  110 +++++++++++++++++++++++++++
 3 files changed, 118 insertions(+), 2 deletions(-)
---
diff --git a/config-generic b/config-generic
index edec149..1fac1b6 100644
--- a/config-generic
+++ b/config-generic
@@ -3706,7 +3706,7 @@ CONFIG_NFSD_V3_ACL=y
 CONFIG_NFSD_V4=y
 CONFIG_NFS_FSCACHE=y
 # CONFIG_NFS_USE_LEGACY_DNS is not set
-# CONFIG_NFS_USE_NEW_IDMAPPER is not set
+CONFIG_NFS_USE_NEW_IDMAPPER=y
 CONFIG_PNFS_OBJLAYOUT=m
 CONFIG_PNFS_BLOCK=m
 CONFIG_LOCKD=m
diff --git a/kernel.spec b/kernel.spec
index d748722..9793c71 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -464,7 +464,7 @@ Summary: The Linux kernel
 # First the general kernel 2.6 required versions as per
 # Documentation/Changes
 #
-%define kernel_dot_org_conflicts  ppp < 2.4.3-3, isdn4k-utils < 3.2-32, nfs-utils < 1.0.7-12, e2fsprogs < 1.37-4, util-linux < 2.12, jfsutils < 1.1.7-2, reiserfs-utils < 3.6.19-2, xfsprogs < 2.6.13-4, procps < 3.2.5-6.3, oprofile < 0.9.1-2, device-mapper-libs < 1.02.63-2, mdadm < 3.2.1-5
+%define kernel_dot_org_conflicts  ppp < 2.4.3-3, isdn4k-utils < 3.2-32, nfs-utils < 1.2.5-7.fc17, e2fsprogs < 1.37-4, util-linux < 2.12, jfsutils < 1.1.7-2, reiserfs-utils < 3.6.19-2, xfsprogs < 2.6.13-4, procps < 3.2.5-6.3, oprofile < 0.9.1-2, device-mapper-libs < 1.02.63-2, mdadm < 3.2.1-5
 
 #
 # Then a series of requirements that are distribution specific, either
@@ -697,6 +697,7 @@ Patch2901: linux-2.6-v4l-dvb-experimental.patch
 # fs fixes
 
 # NFSv4
+Patch1101: linux-3.1-keys-remove-special-keyring.patch
 
 # patches headed upstream
 Patch12016: disable-i8042-check-on-apple-mac.patch
@@ -1297,6 +1298,7 @@ ApplyPatch arm-smsc-support-reading-mac-address-from-device-tree.patch
 # eCryptfs
 
 # NFSv4
+ApplyPatch linux-3.1-keys-remove-special-keyring.patch
 
 # USB
 
@@ -2229,6 +2231,10 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Wed Dec 14 2011 Steve Dickson <steved at redhat.com>
+- Enabled the in-kernel idmapper.
+- keyring: allow special keyrings to be cleared
+
 * Wed Dec 14 2011 Dave Jones <davej at redhat.com> - 3.2.0-0.rc5.git2.1
 - Linux 3.2-rc5-git2 (373da0a2a33018d560afcb2c77f8842985d79594)
 
diff --git a/linux-3.1-keys-remove-special-keyring.patch b/linux-3.1-keys-remove-special-keyring.patch
new file mode 100644
index 0000000..4e7f139
--- /dev/null
+++ b/linux-3.1-keys-remove-special-keyring.patch
@@ -0,0 +1,110 @@
+diff -up linux-3.1.x86_64/Documentation/networking/dns_resolver.txt.orig linux-3.1.x86_64/Documentation/networking/dns_resolver.txt
+--- linux-3.1.x86_64/Documentation/networking/dns_resolver.txt.orig	2011-10-24 03:10:05.000000000 -0400
++++ linux-3.1.x86_64/Documentation/networking/dns_resolver.txt	2011-12-13 15:09:35.705766078 -0500
+@@ -102,6 +102,10 @@ implemented in the module can be called
+      If _expiry is non-NULL, the expiry time (TTL) of the result will be
+      returned also.
+ 
++The kernel maintains an internal keyring in which it caches looked up keys.
++This can be cleared by any process that has the CAP_SYS_ADMIN capability by
++the use of KEYCTL_KEYRING_CLEAR on the keyring ID.
++
+ 
+ ===============================
+ READING DNS KEYS FROM USERSPACE
+diff -up linux-3.1.x86_64/Documentation/security/keys.txt.orig linux-3.1.x86_64/Documentation/security/keys.txt
+--- linux-3.1.x86_64/Documentation/security/keys.txt.orig	2011-10-24 03:10:05.000000000 -0400
++++ linux-3.1.x86_64/Documentation/security/keys.txt	2011-12-13 15:09:35.706766099 -0500
+@@ -554,6 +554,10 @@ The keyctl syscall functions are:
+      process must have write permission on the keyring, and it must be a
+      keyring (or else error ENOTDIR will result).
+ 
++     This function can also be used to clear special kernel keyrings if they
++     are appropriately marked if the user has CAP_SYS_ADMIN capability.  The
++     DNS resolver cache keyring is an example of this.
++
+ 
+  (*) Link a key into a keyring:
+ 
+diff -up linux-3.1.x86_64/fs/cifs/cifsacl.c.orig linux-3.1.x86_64/fs/cifs/cifsacl.c
+--- linux-3.1.x86_64/fs/cifs/cifsacl.c.orig	2011-12-13 12:54:12.221145867 -0500
++++ linux-3.1.x86_64/fs/cifs/cifsacl.c	2011-12-13 15:09:35.707766122 -0500
+@@ -556,6 +556,7 @@ init_cifs_idmap(void)
+ 
+ 	/* instruct request_key() to use this special keyring as a cache for
+ 	 * the results it looks up */
++	set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
+ 	cred->thread_keyring = keyring;
+ 	cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
+ 	root_cred = cred;
+diff -up linux-3.1.x86_64/fs/nfs/idmap.c.orig linux-3.1.x86_64/fs/nfs/idmap.c
+--- linux-3.1.x86_64/fs/nfs/idmap.c.orig	2011-12-13 12:54:14.657203507 -0500
++++ linux-3.1.x86_64/fs/nfs/idmap.c	2011-12-13 15:10:14.731681691 -0500
+@@ -115,6 +115,7 @@ int nfs_idmap_init(void)
+ 	if (ret < 0)
+ 		goto failed_put_key;
+ 
++	set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
+ 	cred->thread_keyring = keyring;
+ 	cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
+ 	id_resolver_cache = cred;
+@@ -185,7 +186,7 @@ static ssize_t nfs_idmap_request_key(con
+ 	}
+ 
+ 	rcu_read_lock();
+-	rkey->perm |= KEY_USR_VIEW;
++	rkey->perm |= KEY_USR_VIEW|KEY_USR_WRITE;
+ 
+ 	ret = key_validate(rkey);
+ 	if (ret < 0)
+diff -up linux-3.1.x86_64/include/linux/key.h.orig linux-3.1.x86_64/include/linux/key.h
+--- linux-3.1.x86_64/include/linux/key.h.orig	2011-10-24 03:10:05.000000000 -0400
++++ linux-3.1.x86_64/include/linux/key.h	2011-12-13 15:09:35.748767078 -0500
+@@ -155,6 +155,7 @@ struct key {
+ #define KEY_FLAG_IN_QUOTA	3	/* set if key consumes quota */
+ #define KEY_FLAG_USER_CONSTRUCT	4	/* set if key is being constructed in userspace */
+ #define KEY_FLAG_NEGATIVE	5	/* set if key is negative */
++#define KEY_FLAG_ROOT_CAN_CLEAR	6	/* set if key can be cleared by root without permission */
+ 
+ 	/* the description string
+ 	 * - this is used to match a key against search criteria
+diff -up linux-3.1.x86_64/net/dns_resolver/dns_key.c.orig linux-3.1.x86_64/net/dns_resolver/dns_key.c
+--- linux-3.1.x86_64/net/dns_resolver/dns_key.c.orig	2011-10-24 03:10:05.000000000 -0400
++++ linux-3.1.x86_64/net/dns_resolver/dns_key.c	2011-12-13 15:09:35.748767078 -0500
+@@ -281,6 +281,7 @@ static int __init init_dns_resolver(void
+ 
+ 	/* instruct request_key() to use this special keyring as a cache for
+ 	 * the results it looks up */
++	set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
+ 	cred->thread_keyring = keyring;
+ 	cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
+ 	dns_resolver_cache = cred;
+diff -up linux-3.1.x86_64/security/keys/keyctl.c.orig linux-3.1.x86_64/security/keys/keyctl.c
+--- linux-3.1.x86_64/security/keys/keyctl.c.orig	2011-12-13 12:54:30.322571289 -0500
++++ linux-3.1.x86_64/security/keys/keyctl.c	2011-12-13 15:09:35.756767271 -0500
+@@ -388,11 +388,24 @@ long keyctl_keyring_clear(key_serial_t r
+ 	keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
+ 	if (IS_ERR(keyring_ref)) {
+ 		ret = PTR_ERR(keyring_ref);
++
++		/* Root is permitted to invalidate certain special keyrings */
++		if (capable(CAP_SYS_ADMIN)) {
++			keyring_ref = lookup_user_key(ringid, 0, 0);
++			if (IS_ERR(keyring_ref))
++				goto error;
++			if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,
++				     &key_ref_to_ptr(keyring_ref)->flags))
++				goto clear;
++			goto error_put;
++		}
++
+ 		goto error;
+ 	}
+ 
++clear:
+ 	ret = keyring_clear(key_ref_to_ptr(keyring_ref));
+-
++error_put:
+ 	key_ref_put(keyring_ref);
+ error:
+ 	return ret;

More information about the scm-commits mailing list