linux/security/keys
David Howells 96b5c8fea6 KEYS: Reduce initial permissions on keys
Reduce the initial permissions on new keys to grant the possessor everything,
view permission only to the user (so the keys can be seen in /proc/keys) and
nothing else.

This gives the creator a chance to adjust the permissions mask before other
processes can access the new key or create a link to it.

To aid with this, keyring_alloc() now takes a permission argument rather than
setting the permissions itself.

The following permissions are now set:

 (1) The user and user-session keyrings grant the user that owns them full
     permissions and grant a possessor everything bar SETATTR.

 (2) The process and thread keyrings grant the possessor full permissions but
     only grant the user VIEW.  This permits the user to see them in
     /proc/keys, but not to do anything with them.

 (3) Anonymous session keyrings grant the possessor full permissions, but only
     grant the user VIEW and READ.  This means that the user can see them in
     /proc/keys and can list them, but nothing else.  Possibly READ shouldn't
     be provided either.

 (4) Named session keyrings grant everything an anonymous session keyring does,
     plus they grant the user LINK permission.  The whole point of named
     session keyrings is that others can also subscribe to them.  Possibly this
     should be a separate permission to LINK.

 (5) The temporary session keyring created by call_sbin_request_key() gets the
     same permissions as an anonymous session keyring.

 (6) Keys created by add_key() get VIEW, SEARCH, LINK and SETATTR for the
     possessor, plus READ and/or WRITE if the key type supports them.  The used
     only gets VIEW now.

 (7) Keys created by request_key() now get the same as those created by
     add_key().

Reported-by: Lennart Poettering <lennart@poettering.net>
Reported-by: Stef Walter <stefw@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2012-10-02 19:24:56 +01:00
..
encrypted-keys encrypted-keys: fix rcu and sparse messages 2012-01-18 10:41:30 +11:00
compat.c Merge commit 'v3.5-rc2' into next 2012-06-10 22:52:10 +10:00
gc.c KEYS: Add invalidation support 2012-05-11 10:56:56 +01:00
internal.h Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-07-23 18:49:06 -07:00
Kconfig KEYS: Move the key config into security/keys/Kconfig 2012-05-11 10:56:56 +01:00
key.c KEYS: Reduce initial permissions on keys 2012-10-02 19:24:56 +01:00
keyctl.c KEYS: Make the session and process keyrings per-thread 2012-10-02 19:24:29 +01:00
keyring.c KEYS: Reduce initial permissions on keys 2012-10-02 19:24:56 +01:00
Makefile KEYS: Reorganise keys Makefile 2012-05-11 10:56:56 +01:00
permission.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-05-23 17:42:39 -07:00
proc.c KEYS: Add invalidation support 2012-05-11 10:56:56 +01:00
process_keys.c KEYS: Reduce initial permissions on keys 2012-10-02 19:24:56 +01:00
request_key_auth.c KEYS: Don't return EAGAIN to keyctl_assume_authority() 2011-06-14 15:03:29 +10:00
request_key.c KEYS: Reduce initial permissions on keys 2012-10-02 19:24:56 +01:00
sysctl.c sysctl: Drop & in front of every proc_handler. 2009-11-18 08:37:40 -08:00
trusted.c tpm: Move tpm_get_random api into the TPM device driver 2012-08-22 11:11:33 -05:00
trusted.h trusted-keys: rename trusted_defined files to trusted 2011-01-24 10:14:22 +11:00
user_defined.c Merge git://git.samba.org/sfrench/cifs-2.6 2012-01-23 08:59:49 -08:00