https://github.com/torvalds/linux
Revision 879669961b11e7f40b518784863a259f735a72bf authored by David Howells on 17 June 2011, 10:25:59 UTC, committed by Linus Torvalds on 17 June 2011, 16:40:48 UTC
____call_usermodehelper() now erases any credentials set by the subprocess_inf::init() function. The problem is that commit 17f60a7da150 ("capabilites: allow the application of capability limits to usermode helpers") creates and commits new credentials with prepare_kernel_cred() after the call to the init() function. This wipes all keyrings after umh_keys_init() is called.

The best way to deal with this is to put the init() call just prior to the commit_creds() call, and pass the cred pointer to init(). That means that umh_keys_init() and suchlike can modify the credentials _before_ they are published and potentially in use by the rest of the system.

This prevents request_key() from working as it is prevented from passing the session keyring it set up with the authorisation token to /sbin/request-key, and so the latter can't assume the authority to instantiate the key. This causes the in-kernel DNS resolver to fail with ENOKEY unconditionally.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
Tested-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent eb96c92
Tip revision: 879669961b11e7f40b518784863a259f735a72bf authored by David Howells on 17 June 2011, 10:25:59 UTC
KEYS/DNS: Fix ____call_usermodehelper() to not lose the session keyring
File | Mode | Size |
---|---|---|
apparmor | ||
integrity | ||
keys | ||
selinux | ||
smack | ||
tomoyo | ||
Kconfig | -rw-r--r-- | 7.8 KB |
Makefile | -rw-r--r-- | 938 bytes |
capability.c | -rw-r--r-- | 23.3 KB |
commoncap.c | -rw-r--r-- | 27.2 KB |
device_cgroup.c | -rw-r--r-- | 11.7 KB |
inode.c | -rw-r--r-- | 8.7 KB |
lsm_audit.c | -rw-r--r-- | 8.9 KB |
min_addr.c | -rw-r--r-- | 1.3 KB |
security.c | -rw-r--r-- | 32.5 KB |