Red Hat Bugzilla – Bug 171705
Kernel key management facility improvements
Last modified: 2007-11-30 17:07:21 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.2 (like Gecko)
Description of problem:
The attached patches are upstream improvements for the key management facility
that need incorporation into RHEL-4.
The patches in requisite order of application are:
(1) A patch to add supplementary rights to the mask for processes/threads
that possess a key in a keyring.
(2) A patch to export user-defined key type operations.
(3) A patch to move the permissions check function from a .h file into a .c
(4) A patch to improve the request-key documentation.
(5) A patch to make possessor permissions additive with normal UID/GID/Other
(6) A patch to remove the key duplication facility.
(7) A patch to add LSM hooks for key management.
(8) A patch to fix a warning in kmod.c if keys are disabled.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Created attachment 120354 [details]
Add supplementary rights for those in possession of a key
Created attachment 120355 [details]
Export user-defined key type operations
Created attachment 120356 [details]
Move permissions check function into a .c file
Created attachment 120357 [details]
Improve the request_key documentation
Created attachment 120359 [details]
Make possessor permissions additive
Created attachment 120361 [details]
Remove key duplication facility
Created attachment 120363 [details]
Add LSM hooks for key management
Created attachment 120365 [details]
Fix a warning in kmod.c if keys are disabled
Created attachment 120600 [details]
Remove incorrect obsolete logical-NOT operators
This patch removes a couple of incorrect and obsolete '!' operators
left over from the conversion of the key permission functions from true/false
returns to zero/error returns.
Created attachment 121673 [details]
Permission checking fix for key update vs add
This patch fixes a bug in the "Add LSM hooks for key management" patch in which
the wrong logic was applied to the tests when searching a keyring for a match
to determine whether add_key() should update an existing key or create a new
Without this patch, it'll always create a new key and discard the old one from
the keyring. With this patch it'll update an old key if it can.
This got into last night's 2.6.9-25 beta build. So setting state to modified.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.