linux/security/keys
David Howells 39299bdd25 keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry
If a key has an expiration time, then when that time passes, the key is
left around for a certain amount of time before being collected (5 mins by
default) so that EKEYEXPIRED can be returned instead of ENOKEY.  This is a
problem for DNS keys because we want to redo the DNS lookup immediately at
that point.

Fix this by allowing key types to be marked such that keys of that type
don't have this extra period, but are reclaimed as soon as they expire and
turn this on for dns_resolver-type keys.  To make this easier to handle,
key->expiry is changed to be permanent if TIME64_MAX rather than 0.

Furthermore, give such new-style negative DNS results a 1s default expiry
if no other expiry time is set rather than allowing it to stick around
indefinitely.  This shouldn't be zero as ls will follow a failing stat call
immediately with a second with AT_SYMLINK_NOFOLLOW added.

Fixes: 1a4240f476 ("DNS: Separate out CIFS DNS Resolver code")
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
cc: Wang Lei <wang840925@gmail.com>
cc: Jeff Layton <jlayton@redhat.com>
cc: Steve French <smfrench@gmail.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: linux-afs@lists.infradead.org
cc: linux-cifs@vger.kernel.org
cc: linux-nfs@vger.kernel.org
cc: ceph-devel@vger.kernel.org
cc: keyrings@vger.kernel.org
cc: netdev@vger.kernel.org
2023-12-21 13:47:38 +00:00
..
encrypted-keys KEYS: encrypted: Do not include crypto/algapi.h 2023-09-15 18:30:43 +08:00
trusted-keys KEYS: trusted: tee: Refactor register SHM usage 2023-10-24 03:06:35 +03:00
big_key.c big_keys: Use struct for internal payload 2022-05-16 16:02:21 -07:00
compat_dh.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
compat.c security/keys: remove compat_keyctl_instantiate_key_iov 2020-10-03 00:02:16 -04:00
dh.c KEYS: DH: Use crypto_wait_req 2023-02-13 18:34:48 +08:00
gc.c keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry 2023-12-21 13:47:38 +00:00
internal.h keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry 2023-12-21 13:47:38 +00:00
Kconfig KEYS: trusted: allow use of TEE as backend without TCG_TPM support 2022-05-23 18:47:50 +03:00
key.c keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry 2023-12-21 13:47:38 +00:00
keyctl_pkey.c KEYS: fix length validation in keyctl_pkey_params_get_2() 2022-03-08 10:33:18 +02:00
keyctl.c security: keys: perform capable check only on privileged operations 2023-07-28 18:07:41 +00:00
keyring.c security/keys: Remove inconsistent __user annotation 2022-10-05 00:25:56 +03:00
Makefile KEYS: remove CONFIG_KEYS_COMPAT 2019-12-12 23:41:17 +02:00
permission.c keys: Make the KEY_NEED_* perms an enum rather than a mask 2020-05-19 15:42:22 +01:00
persistent.c Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs" 2019-07-10 18:43:43 -07:00
proc.c keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry 2023-12-21 13:47:38 +00:00
process_keys.c ucounts: Move get_ucounts from cred_alloc_blank to key_change_session_keyring 2021-10-20 10:34:20 -05:00
request_key_auth.c KEYS: Replace all non-returning strlcpy with strscpy 2023-08-17 20:12:35 +00:00
request_key.c keys: Fix linking a duplicate key to a keyring's assoc_array 2023-07-17 19:32:30 +00:00
sysctl.c sysctl: set variable key_sysctls storage-class-specifier to static 2023-08-07 17:55:54 +00:00
user_defined.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00