Subject: [RFC PATCH 16/27] keys: Grant Link permission to possessers of request_key auth keys
From: David Howells
To: keyrings@vger.kernel.org, trond.myklebust@hammerspace.com, sfrench@samba.org
Cc: linux-security-module@vger.kernel.org, linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org, linux-fsdevel@vger.kernel.org, rgb@redhat.com, dhowells@redhat.com, linux-kernel@vger.kernel.org
Date: Fri, 15 Feb 2019 16:09:50 +0000
Message-ID: <155024699041.21651.17284583580026798362.stgit@warthog.procyon.org.uk>
In-Reply-To: <155024683432.21651.14153938339749694146.stgit@warthog.procyon.org.uk>

Grant Link permission to the possessers of request_key authentication keys, thereby allowing a daemon that is servicing upcalls to arrange things such that only the necessary auth key is passed to the actual service program and not all the daemon's pending auth keys.

Signed-off-by: David Howells
--- security/keys/request_key_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c index cd75173cadad..726555a0639c 100644 --- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c @@ -208,7 +208,7 @@ struct key *request_key_auth_new(struct key *target, const char *op, authkey = key_alloc(&key_type_request_key_auth, desc, cred->fsuid, cred->fsgid, cred, - KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | + KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | KEY_POS_LINK | KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA, NULL); if (IS_ERR(authkey)) { ret = PTR_ERR(authkey);
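Review bot: The commit message does not spell out what adding KEY_POS_LINK to the possessor mask in the key_alloc() call of request_key_auth_new() newly permits, and it should. With Link granted, any possessor of the auth key can attach it to another keyring it is able to write to, so the key becomes reachable from places other than where the kernel originally put it. Please state the intended flow (the daemon links the single relevant auth key into a keyring for the service program) and say whether anything still bounds the key's lifetime once it has been linked elsewhere, for example revocation when the request completes. A short comment above the permission mask explaining why possessors get Link while the user mask stays at KEY_USR_VIEW would help later readers. Minor style point: check that the lengthened "KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | KEY_POS_LINK |" line still fits the 80-column limit at its indentation, and wrap it if not.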