Google Git
Sign in
chromium / chromiumos / third_party / kernel / 7d2731e2fe837b65d21a21122da9b940cd038058
commit7d2731e2fe837b65d21a21122da9b940cd038058[log] [tgz]
authorDavid Howells <dhowells@redhat.com>Mon Oct 19 10:20:28 2015
committerchrome-bot <chrome-bot@chromium.org>Tue Dec 08 01:15:12 2015
treeb9751b31b6d6ce13f85638ce50764ccbde70fed5
parentbaa1b69c3f518113a9ec06df0051b864474eb55b [diff]
BACKPORT: KEYS: Don't permit request_key() to construct a new keyring

If request_key() is used to find a keyring, only do the search part - don't
do the construction part if the keyring was not found by the search.  We
don't really want keyrings in the negative instantiated state since the
rejected/negative instantiation error value in the payload is unioned with
keyring metadata.

Now the kernel gives an error:

	request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted)

BUG=chromium:542341
TEST=build/boot amd64-generic

Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 911b79cde95c7da0ec02f48105358a36636b7a71)
Signed-off-by: Sonny Rao <sonnyrao@chromium.org>

Change-Id: Ifdf01a8910c56a8da6ad779e58746e1d1c20dd6e
Reviewed-on: https://chromium-review.googlesource.com/316444
Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
1 file changed
tree: b9751b31b6d6ce13f85638ce50764ccbde70fed5
  1. arch/
  2. block/
  3. chromeos/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .gitignore
  24. .mailmap
  25. .scmversion
  26. COMMIT-QUEUE.ini
  27. COPYING
  28. CREDITS
  29. Kbuild
  30. Kconfig
  31. MAINTAINERS
  32. Makefile
  33. PRESUBMIT.cfg
  34. README
  35. REPORTING-BUGS