171705 – Kernel key management facility improvements

Bug 171705 - Kernel key management facility improvements

Summary: Kernel key management facility improvements

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	4.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	David Howells
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	168429 172741 173386
TreeView+	depends on / blocked

Reported:	2005-10-25 13:55 UTC by David Howells
Modified:	2007-11-30 22:07 UTC (History)
CC List:	1 user (show)
Fixed In Version:	RHSA-2006-0132
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-03-07 20:32:45 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Add supplementary rights for those in possession of a key (55.16 KB, patch) 2005-10-25 14:03 UTC, David Howells	no flags	Details \| Diff
Export user-defined key type operations (6.58 KB, patch) 2005-10-25 14:04 UTC, David Howells	no flags	Details \| Diff
Move permissions check function into a .c file (4.77 KB, patch) 2005-10-25 14:05 UTC, David Howells	no flags	Details \| Diff
Improve the request_key documentation (9.46 KB, patch) 2005-10-25 14:05 UTC, David Howells	no flags	Details \| Diff
Make possessor permissions additive (925 bytes, patch) 2005-10-25 14:06 UTC, David Howells	no flags	Details \| Diff
Remove key duplication facility (8.60 KB, patch) 2005-10-25 14:07 UTC, David Howells	no flags	Details \| Diff
Add LSM hooks for key management (18.44 KB, patch) 2005-10-25 14:08 UTC, David Howells	no flags	Details \| Diff
Fix a warning in kmod.c if keys are disabled (780 bytes, patch) 2005-10-25 14:08 UTC, David Howells	no flags	Details \| Diff
Remove incorrect obsolete logical-NOT operators (949 bytes, patch) 2005-11-01 14:20 UTC, David Howells	no flags	Details \| Diff
Permission checking fix for key update vs add (470 bytes, patch) 2005-12-01 10:31 UTC, David Howells	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2005:808	0	normal	SHIPPED_LIVE	Important: kernel security update	2005-10-27 04:00:00 UTC
Red Hat Product Errata	RHSA-2006:0132	0	qe-ready	SHIPPED_LIVE	Moderate: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 3	2006-03-09 16:31:00 UTC

Description David Howells 2005-10-25 13:55:22 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.2 (like Gecko)

Description of problem:
The attached patches are upstream improvements for the key management facility  
that need incorporation into RHEL-4.  
 
The patches in requisite order of application are: 
 
 (1) A patch to add supplementary rights to the mask for processes/threads 
that possess a key in a keyring. 
 
 (2) A patch to export user-defined key type operations. 
 
 (3) A patch to move the permissions check function from a .h file into a .c 
file. 
 
 (4) A patch to improve the request-key documentation. 
 
 (5) A patch to make possessor permissions additive with normal UID/GID/Other 
permissions. 
 
 (6) A patch to remove the key duplication facility. 
 
 (7) A patch to add LSM hooks for key management. 
 
 (8) A patch to fix a warning in kmod.c if keys are disabled. 

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
N/A  

Additional info:

Comment 1 David Howells 2005-10-25 14:03:45 UTC

Created attachment 120354 [details]
Add supplementary rights for those in possession of a key

Comment 2 David Howells 2005-10-25 14:04:38 UTC

Created attachment 120355 [details]
Export user-defined key type operations

Comment 3 David Howells 2005-10-25 14:05:24 UTC

Created attachment 120356 [details]
Move permissions check function into a .c file

Comment 4 David Howells 2005-10-25 14:05:53 UTC

Created attachment 120357 [details]
Improve the request_key documentation

Comment 5 David Howells 2005-10-25 14:06:40 UTC

Created attachment 120359 [details]
Make possessor permissions additive

Comment 6 David Howells 2005-10-25 14:07:33 UTC

Created attachment 120361 [details]
Remove key duplication facility

Comment 7 David Howells 2005-10-25 14:08:04 UTC

Created attachment 120363 [details]
Add LSM hooks for key management

Comment 8 David Howells 2005-10-25 14:08:46 UTC

Created attachment 120365 [details]
Fix a warning in kmod.c if keys are disabled

Comment 9 David Howells 2005-11-01 14:20:59 UTC

Created attachment 120600 [details]
Remove incorrect obsolete logical-NOT operators

This patch removes a couple of incorrect and obsolete '!' operators
left over from the conversion of the key permission functions from true/false
returns to zero/error returns.

Comment 13 David Howells 2005-12-01 10:31:13 UTC

Created attachment 121673 [details]
Permission checking fix for key update vs add

This patch fixes a bug in the "Add LSM hooks for key management" patch in which
the wrong logic was applied to the tests when searching a keyring for a match
to determine whether add_key() should update an existing key or create a new
one.

Without this patch, it'll always create a new key and discard the old one from
the keyring. With this patch it'll update an old key if it can.

Comment 14 Tim Burke 2005-12-13 18:04:38 UTC

This got into last night's 2.6.9-25 beta build.  So setting state to modified.

Comment 16 Red Hat Bugzilla 2006-03-07 20:32:46 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0132.html

Note You need to log in before you can comment on or make changes to this bug.