author | David Howells <dhowells@redhat.com> | 2019-08-15 15:18:44 +0100 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2020-01-31 16:15:44 +0000 |
commit | 088dca0eebbfaa055d3d1ee3ba3262ef8c2088fb (patch) | |
tree | f468bafc18b3bd5956f5e0da3eba5283bfd3b3df | |
parent | 4bcc3b3bb97e7925a1e08553bbdfee9cfea2d5b5 (diff) | |
download | keyutils-088dca0eebbfaa055d3d1ee3ba3262ef8c2088fb.tar.gz |
Handle kernel having key/keyring ACLs
Handle the kernel using ACLs to store the list of permits for a key or
keyring:
(1) Make the "keyctl supports" command show it
(2) Change the behaviour of the keyctl/permitting/valid tests to take
account of the fact that 'Other' permits are replaced with 'Everyone'
permits and so are added to the other permits rather than being used
as a fallback instead of the other permits.
Signed-off-by: David Howells <dhowells@redhat.com>
-rw-r--r-- | keyctl.c | 1 | ||||
-rw-r--r-- | keyutils.h | 1 | ||||
-rw-r--r-- | man/keyctl.1 | 23 | ||||
-rw-r--r-- | man/keyctl_capabilities.3 | 10 | ||||
-rw-r--r-- | man/keyctl_describe.3 | 6 | ||||
-rw-r--r-- | man/keyctl_setperm.3 | 19 | ||||
-rw-r--r-- | tests/keyctl/dh_compute/bad-args/runtest.sh | 7 | ||||
-rw-r--r-- | tests/keyctl/permitting/valid/runtest.sh | 24 | ||||
-rw-r--r-- | tests/prepare.inc.sh | 1 |
9 files changed, 62 insertions, 30 deletions
@@ -2291,6 +2291,7 @@ static const struct capability_def capabilities[] = { { "ns_keyring_name", 1, KEYCTL_CAPS1_NS_KEYRING_NAME }, { "ns_key_tag", 1, KEYCTL_CAPS1_NS_KEY_TAG }, { "notify", 1, KEYCTL_CAPS1_NOTIFICATIONS }, + { "acl", 1, KEYCTL_CAPS1_ACL }, {} }; @@ -166,6 +166,7 @@ struct keyctl_pkey_params { #define KEYCTL_CAPS1_NS_KEYRING_NAME 0x01 /* Keyring names are per-user_namespace */ #define KEYCTL_CAPS1_NS_KEY_TAG 0x02 /* Key indexing can include a namespace tag */ #define KEYCTL_CAPS1_NOTIFICATIONS 0x04 /* Keys generate watchable notifications */ +#define KEYCTL_CAPS1_ACL 0x08 /* Keys have ACLs rather than a p-u-g-o bitmask */ /* * syscall wrappers diff --git a/man/keyctl.1 b/man/keyctl.1 index 2343762..634a141 100644 --- a/man/keyctl.1 +++ b/man/keyctl.1 @@ -265,6 +265,12 @@ keyrings are created. Keys can get tagged with namespace tags, allowing keys with the same type and description, but different namespaces to coexist in the same keyring. Tagging is done automatically according to the key type. +.TP +.B acl +Keys have ACLs rather than a permissions-bit mask. This means that the permits +granted are cumulative rather than alternative and that the 'Other' permits are +replaced with 'Everyone' permits. The permissions-bit mask shown when the +permissions are described are an approximation calculated on the fly. .SS Show actual key or keyring ID \fBkeyctl id [<key>]\fR 
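Review bot: The comment on the new `KEYCTL_CAPS1_ACL` define in the keyutils.h hunk says only that keys have ACLs, and leaves out the consequence a caller of `keyctl_setperm()` needs to know. According to the man-page hunks in this same commit, on such a kernel the grants built from the mask are cumulative and the 'Other' bits become 'Everyone' permits, so they reach the key's owner and group as well. A mask that relied on giving 'user' fewer bits than 'other' therefore no longer restricts the owner. I would widen the comment to something like `/* Keys have ACLs, not a p-u-g-o bitmask: grants are cumulative, OTH means everyone */` so the header alone carries the warning. The list of defines continues outside the hunk.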
@@ -564,9 +570,10 @@ keyring;4043;\-1;3f1f0000;_uid_ses.4043 .RE The raw string is "<type>;<uid>;<gid>;<perms>;<description>", where \fIuid\fR -and \fIgid\fR are the decimal user and group IDs, \fIperms\fR is the -permissions mask in hex, \fItype\fR and \fIdescription\fR are the type name and -description strings (neither of which will contain semicolons). +and \fIgid\fR are the decimal user and group IDs, \fIperms\fR is the ACL +approximated as a permissions mask in hex, \fItype\fR and \fIdescription\fR are +the type name and description strings (neither of which will contain +semicolons). .SS Change the access controls on a key \fBkeyctl chown\fR <key> <uid> .br @@ -591,9 +598,9 @@ $ sudo keyctl chgrp 27 0 .SS Set the permissions mask on a key \fBkeyctl setperm\fR <key> <mask> -This command changes the permission control mask on a key. The mask may be -specified as a hex number if it begins "0x", an octal number if it begins "0" -or a decimal number otherwise. +This command calculates a new ACL for a key according to a permissions mask and +then replaces the old ACL. The mask may be specified as a hex number if it +begins "0x", an octal number if it begins "0" or a decimal number otherwise. The hex numbers are a combination of: @@ -624,8 +631,8 @@ linked is searched. \fILink\fR permits a key to be linked to a keyring. -\fISet Attribute\fR permits a key to have its owner, group membership, -permissions mask and timeout changed. +\fISet\ Attribute\fR permits a key to have its owner, group membership, ACL and +timeout changed. .RS .nf diff --git a/man/keyctl_capabilities.3 b/man/keyctl_capabilities.3 index 63cee3c..43bb5c7 100644 --- a/man/keyctl_capabilities.3 +++ b/man/keyctl_capabilities.3 
@@ -87,6 +87,16 @@ This is set if a key or keyring may get tagged with a namespace, thereby allowing multiple keys with the same type and description, but different namespace tags, to coexist within the same keyring. Tagging may be automatic depending on the key type. Only network-namespace tagging is currently used. +.TP +.B KEYCTL_CAPS1_ACL +This is set if keys have an ACL rather than a permissions-bit mask. This means +that the permits granted are cumulative rather than alternative and that +the 'Other' permits are replaced with 'Everyone' permits. The permissions-bit +mask returned by +.BR keyctl_describe () +is an approximation calculated on the fly. +.BR keyctl_setperm () +replaces the ACL with one calculated from the supplied mask. .P .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .SH RETURN VALUE diff --git a/man/keyctl_describe.3 b/man/keyctl_describe.3 index b4f100e..29365dc 100644 --- a/man/keyctl_describe.3 +++ b/man/keyctl_describe.3 @@ -26,7 +26,7 @@ keyctl_describe \- describe a key describes the attributes of a key as a NUL-terminated string. .P The caller must have -.B view +.B VIEW permission on a key to be able to get a description of it. .P .I buffer @@ -49,8 +49,8 @@ The description will be a string of format: .IP .B "\*(lq%s;%d;%d;%08x;%s\*(rq" .P -where the arguments are: key type name, key UID, key GID, key permissions mask -and key description. +where the arguments are: key type name, key UID, key GID, old-style key +permissions mask approximated from the ACL and key description. .P .B NOTE! The key description will not contain any semicolons, so that should be diff --git a/man/keyctl_setperm.3 b/man/keyctl_setperm.3 index 0a4426d..e4134d9 100644 --- a/man/keyctl_setperm.3 +++ b/man/keyctl_setperm.3 
@@ -20,7 +20,7 @@ keyctl_setperm \- change the permissions mask on a key .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .SH DESCRIPTION .BR keyctl_setperm () -changes the permissions mask on a key. +overwrites the ACL on a key. .P A process that does not have the .B SysAdmin @@ -28,10 +28,11 @@ capability may not change the permissions mask on a key that doesn't have the same UID as the caller. .P The caller must have -.B setattr -permission on a key to be able change its permissions mask. +.B SETATTR +permission on a key to be able change its ACL. .P -The permissions mask is a bitwise-OR of the following flags: +The permissions mask is a bitwise-OR of the following flags, and from these a +new ACL will be calculated: .TP .B KEY_xxx_VIEW Grant permission to view the attributes of a key. @@ -71,18 +72,12 @@ Grant the permission to a process with the same GID as the key, or with a match for the key's GID amongst that process's Groups list. .TP .B OTH -Grant the permission to any other process. +Grant the permission to everyone. .P Examples include: .BR KEY_POS_VIEW ", " KEY_USR_READ ", " KEY_GRP_SEARCH " and " KEY_OTH_ALL . .P -User, group and other grants are exclusive: if a process qualifies in -the 'user' category, it will not qualify in the 'groups' category; and if a -process qualifies in either 'user' or 'groups' then it will not qualify in -the 'other' category. -.P -Possessor grants are cumulative with the grants from the 'user', 'groups' -and 'other' categories. +All grants are cumulative. .\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" .SH RETURN VALUE On success diff --git a/tests/keyctl/dh_compute/bad-args/runtest.sh b/tests/keyctl/dh_compute/bad-args/runtest.sh index 5c4c160..54facfd 100644 --- a/tests/keyctl/dh_compute/bad-args/runtest.sh +++ b/tests/keyctl/dh_compute/bad-args/runtest.sh 
@@ -65,7 +65,12 @@ create_key --new=logonid -x logon dh:logon "00" @s marker "CHECK WRONG KEY TYPE" dh_compute --fail $privateid $primeid $logonid -expect_error ENOKEY +if [ $have_acl == 1 ] +then + expect_error EOPNOTSUPP +else + expect_error ENOKEY +fi dh_compute --fail $privateid $primeid @s expect_error EOPNOTSUPP diff --git a/tests/keyctl/permitting/valid/runtest.sh b/tests/keyctl/permitting/valid/runtest.sh index d901164..83d282c 100644 --- a/tests/keyctl/permitting/valid/runtest.sh +++ b/tests/keyctl/permitting/valid/runtest.sh @@ -70,12 +70,24 @@ set_key_perm $keyid 0x00201f00 describe_key --fail $keyid expect_error EACCES -# check that we can't use other perms instead of user perms to view the key -# (our UID matches that of the key) -marker "VIEW OTHER PERMISSIONS" -set_key_perm $keyid 0x0020001f -describe_key --fail $keyid -expect_error EACCES +if [ $have_acl == 1 ] +then + # check that we can use "everyone" perms to view the key (our UID matches + # that of the key) + marker "VIEW EVERYONE PERMISSIONS" + set_key_perm $keyid 0x0020001e + describe_key --fail $keyid + expect_error EACCES + set_key_perm $keyid 0x0020001f + describe_key $keyid +else + # check that we can't use other perms instead of user perms to + # view the key (our UID matches that of the key) + marker "VIEW OTHER PERMISSIONS" + set_key_perm $keyid 0x0020001f + describe_key --fail $keyid + expect_error EACCES +fi # check that taking away setattr permission renders the key immune to setperm marker "REMOVE SETATTR" diff --git a/tests/prepare.inc.sh b/tests/prepare.inc.sh index 0b66237..9aa2187 100644 --- a/tests/prepare.inc.sh +++ b/tests/prepare.inc.sh @@ -97,6 +97,7 @@ have_big_key_type=0 have_dh_compute=0 have_restrict_keyring=0 have_notify=0 +have_acl=0 if keyctl supports capabilities >&/dev/null then |
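Review bot: The `have_acl` branch in tests/keyctl/dh_compute/bad-args/runtest.sh changes the errno expected for the wrong-key-type case from ENOKEY to EOPNOTSUPP without a comment, so a reader cannot tell whether that is the intended result on an ACL kernel or a regression the test now tolerates. A one-line comment above the `if` stating the reason would settle it. Separately, `if [ $have_acl == 1 ]` leaves the variable unquoted and uses `==`, which is a bash extension inside `[ ]`; `if [ "$have_acl" = 1 ]` behaves the same and does not turn into a syntax error if the variable is ever empty. The same test form appears in the tests/keyctl/permitting/valid/runtest.sh hunk.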
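Review bot: In the `have_acl` branch of tests/keyctl/permitting/valid/runtest.sh the comment describes only the positive case, although the first three commands are a negative check. With mask 0x0020001e the 'everyone' field holds every permit below SetAttr except View, and describe must still fail. I would give that step its own comment, e.g. `# everyone lacks View and user has only SetAttr: describe must fail`, and move the existing comment down to the 0x0020001f step. This branch is what pins the new rule that an 'Everyone' grant reaches the key's owner, so it is worth making both halves explicit. The rest of the script is outside the hunk, so I cannot tell whether later checks still assume the old exclusive user/group/other semantics.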