/lib64 directory.
The contents of a keyring aren't ordered, so we can't check ordering.
Signed-off-by: David Howells <dhowells@redhat.com>
The add_key() and keyctl_instantiate() calls can take a buffer of up to 1MB,
so grab_stdin() should be using a buffer capable of holding that rather than
one limited to 64KB.
Signed-off-by: David Howells <dhowells@redhat.com>
Fix the maximum depth of the key tree dump made by "keyctl show". The depth
increases in multiples of four because it is used to determine how many spaces
to prefix each printed line with - and not multiples of one.
Signed-off-by: David Howells <dhowells@redhat.com>
A search for a revoked key should return EKEYREVOKED if that key has not yet
been gc'd.
Signed-off-by: David Howells <dhowells@redhat.com>
Recent upstream kernel commit:
    commit 96b5c8fea6c0861621051290d705ec2e971963f1
    Author: David Howells <dhowells@redhat.com>
    Date:   Tue Oct 2 19:24:56 2012 +0100
        KEYS: Reduce initial permissions on keys
reduced initial permissions and some tests are now hitting EACCES
because they don't get to use the 'possessed' key permissions, but
must instead use the user/group/other permissions only.
This particularly affects the recursion test because the test for possession
hits the recursion limit and we don't see keys of that depth as being
possessed. To fix this, the keyrings in the recursion test are given full
user access and the eighth keyring is created elsewhere and linked in.
Signed-off-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Remove an incorrect word from request-key.conf.5.
Reported-by: Jiri Jaburek <jjaburek@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
The behaviour of how keys are deleted changed between RHEL6 and RHEL7.
In the following sequence, the key will go away only after the gc delay time,
which can take several minutes. The Documentation doesn't make any statements
about when the key will go away, so this most likely is not a bug.
    $ keyctl request2 user debug:lizard gizzard
    $ keyctl unlink 580084255 @s
    keyctl_unlink: No such file or directory
    ... after gc timeout ...
    $ keyctl unlink 580084255 @s
    keyctl_unlink: Required key not available
Signed-off-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Fix the Makefile to generate tarballs with correct pathname ('keyutils' rather
than 'cachefilesd'). This was code copied from another project.
Signed-off-by: David Howells <dhowells@redhat.com>
Suppress the output of pushd/popd in runtest.sh to reduce the overall amount
of output produced.
Signed-off-by: David Howells <dhowells@redhat.com>
Fix the expr command that extracts the keyutils version number from the keyctl
program output to handle spaces in the string produced by keyctl.
Signed-off-by: David Howells <dhowells@redhat.com>
Fix the test case for "keyctl show" as the root key ID is no longer printed as
the special key ID. Instead we need to check that it's the session keyring by
examining the keyring's description.
Signed-off-by: David Howells <dhowells@redhat.com>
Allow the recursive dump of a specified keyring rather than the session keyring
by doing:
    keyctl show <keyringID>
The following:
    keyctl show
still dumps the session keyring.
Also make some fixes to the show subcommand:
 (*) 31-bit decimal numbers can be up to 10 chars long, so allow for an extra
     char in the serial number when displaying it.
 (*) Permit numbers to be displayed in hex with a -x flag:
        keyctl show [-x] [<keyringID>]
 (*) Turn the special keyring ID of the root keyring into the real serial
     number and display that instead of the special ID.
Signed-off-by: David Howells <dhowells@redhat.com>
Fix complaints generated by rpmlint.
Signed-off-by: David Howells <dhowells@redhat.com>
Add a build ID facility to the specfile and the Makefile and add a make rule
to run rpmlint.
Signed-off-by: David Howells <dhowells@redhat.com>
Fix the keyctl padd, pinstantiate and pupdate commands to not use strlen() on
the data read from stdin as the data may be binary, but rather to have
grab_stdin() return the amount of data read.
Signed-off-by: David Howells <dhowells@redhat.com>
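The two commits on grab_stdin() (the 1MB buffer ceiling, and returning the byte count instead of calling strlen() on binary data) describe a reader with a specific contract. The following is an added example of such a reader; it is not keyutils' own code. MAX_PAYLOAD, grab_stream(), strlen_length(), grab_length() and grab_length_of_size() are names chosen for this example, and the payload with an embedded NUL byte is constructed. The 1MB figure comes from the commit message above.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L        /* for fmemopen() */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Payload ceiling of add_key()/keyctl_instantiate() as given in the commit
 * message (1MB). The macro name is this example's own, not keyutils'. */
#define MAX_PAYLOAD (1024 * 1024)

/* Read all of 'in' into a freshly allocated buffer, binary-safe.
 * Success: returns the buffer and stores the byte count in *len.
 * Failure: returns NULL with errno set; EMSGSIZE means the input was longer
 * than MAX_PAYLOAD. The caller frees the buffer. */
static unsigned char *grab_stream(FILE *in, size_t *len)
{
    /* One spare byte so that over-long input is detected, not truncated. */
    unsigned char *buf = malloc(MAX_PAYLOAD + 1);
    size_t n = 0;

    if (!buf)
        return NULL;
    while (n < MAX_PAYLOAD + 1) {
        size_t got = fread(buf + n, 1, MAX_PAYLOAD + 1 - n, in);
        if (got == 0)
            break;
        n += got;
    }
    if (ferror(in)) {
        free(buf);
        return NULL;
    }
    if (n > MAX_PAYLOAD) {
        free(buf);
        errno = EMSGSIZE;
        return NULL;
    }
    *len = n;
    return buf;
}

/* What the old strlen()-based code would report for the same bytes: it stops
 * at the first NUL, so a binary payload is silently truncated. */
static long strlen_length(const unsigned char *data)
{
    return (long)strlen((const char *)data);
}

/* Feed a constructed in-memory payload through grab_stream() and return the
 * length it reports (after checking the bytes match), or -1 if it refused. */
static long grab_length(const unsigned char *data, size_t data_len)
{
    FILE *f = fmemopen((void *)data, data_len, "r");
    unsigned char *buf;
    size_t len = 0;
    long ret;

    if (!f)
        return -1;
    buf = grab_stream(f, &len);
    fclose(f);
    if (!buf)
        return -1;
    ret = memcmp(buf, data, len) == 0 ? (long)len : -1;
    free(buf);
    return ret;
}

/* Build a constructed payload of 'size' bytes and report what grab_stream()
 * makes of it: the size on acceptance, -1 on rejection. */
static long grab_length_of_size(size_t size)
{
    unsigned char *data = malloc(size);
    long ret;

    if (!data)
        return -1;
    memset(data, 0x42, size);
    ret = grab_length(data, size);
    free(data);
    return ret;
}

int main(void)
{
    /* Constructed binary payload: 7 data bytes with a NUL in the middle. */
    static const unsigned char payload[] = "abc\0def";

    printf("strlen() sees %ld bytes, grab_stream() sees %ld\n",
           strlen_length(payload), grab_length(payload, sizeof(payload) - 1));
    printf("1MB: %ld, 1MB+1: %ld (-1 = rejected)\n",
           grab_length_of_size(MAX_PAYLOAD), grab_length_of_size(MAX_PAYLOAD + 1));
    return 0;
}
```

The spare byte in the allocation is the part worth copying: reading exactly MAX_PAYLOAD bytes cannot tell a payload that fits from one that was cut off, whereas reading one byte more turns over-long input into an error the caller can report.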
Make it possible to provide keytype-specific request key configs in userspace
as /etc/request-key.d/<keytype>.conf. If present, this will be used in
preference to /etc/request-key.conf.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Steve Dickson <steved@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Make will search link paths for "-lkeyutils" and if you already have
keyutils installed, then it won't wait around for the local keyutils
library to get built. This causes random parallel build failures.
So just change the dependency to use the local soname symlink.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Make sure that when we're waiting for a timeout to expire, we don't undersleep
- lest we start analysing the state too early and rule that a test is broken.
This can be seen just occasionally by the key timeout test when the sleep
command sleeps for less than the amount of time specified.
Reported-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Remove the unlink argument validity check that checks that just one argument
fails as it's now valid to pass a single argument.
Add a test for the unlink with single argument case (which searches the process
keyrings for all instances of the specified key and attempts to unlink them
all).
Signed-off-by: David Howells <dhowells@redhat.com>
Provide a way to test for the absence of a key in a keyring other than just
testing to see if the keyring is now empty.
Signed-off-by: David Howells <dhowells@redhat.com>
Allow non-root users to run the testsuite to completion successfully. In such
a case, check that chown and chgrp tests fail with EACCES rather than
completing successfully and warn the invoker that they should run this as root.
Signed-off-by: David Howells <dhowells@redhat.com>
Extract the version string from keyctl so that tests can be made contingent
upon it.
Signed-off-by: David Howells <dhowells@redhat.com>
Check to the end of the keyring description string in the valid-session test.
Signed-off-by: David Howells <dhowells@redhat.com>
Import the RHEL test suite and make it able to run without the RHTS testing
infrastructure available.
Signed-off-by: David Howells <dhowells@redhat.com>
The package version number and build date are stored in the library in:
    const char keyutils_version_string[];
    const char keyutils_build_string[];
And are displayable with the programs built as part of it:
    # keyctl --version
    keyctl from keyutils-1.5.3 (Built 2011-08-24)
    # request-key --version
    request-key from keyutils-1.5.3 (Built 2011-08-24)
The DNS query resolver gets extended version information as it already has its
own version number:
    # key.dns_resolver --version
    version: 1.0 from keyutils-1.5.3 (2011-08-24)
(the keyutils version is simply appended to the original).
Signed-off-by: David Howells <dhowells@redhat.com>
Fix the unlink entry in the keyctl.1 manual page command list to indicate that
the keyring is optional.
Signed-off-by: David Howells <dhowells@redhat.com>
Add the rpmbuild dir to .gitignore.
Signed-off-by: David Howells <dhowells@redhat.com>
The main keyutils rpm should depend on exactly the same version of the
keyutils-libs rpm so that they get updated together.
This should fix the following complaint from RHEL rpmdiff:
    Report from TEST_REQUIRES:
    [VERIFY] [keyutils] Subpackage keyutils on i686 ppc s390 consumes libraries libkeyutils.so.1 libkeyutils.so.1(KEYUTILS_0.3) libkeyutils.so.1(KEYUTILS_1.0) libkeyutils.so.1(KEYUTILS_1.3) from subpackage keyutils-libs but does not have explicit package version requirement.
    Please add Requires: keyutils-libs = %{version}-%{release} to keyutils in the specfile to avoid the need to test interoperability between the various combinations of old and new subpackages.
Signed-off-by: David Howells <dhowells@redhat.com>
Use ptrdiff_t format spec ("%td") in printf when displaying a pointer
subtraction result rather than a size_t ("%zu") or ssize_t ("%zd") format spec
as on something like the S390 pointers are not the same size as size_t,
resulting in the following warnings:
    request-key.c: In function 'execute_program':
    request-key.c:583:4: error: format '%zd' expects argument of type 'signed size_t', but argument 2 has type 'int' [-Werror=format]
    request-key.c: In function 'pipe_to_program':
    request-key.c:841:2: error: format '%zd' expects argument of type 'signed size_t', but argument 2 has type 'int' [-Werror=format]
Signed-off-by: David Howells <dhowells@redhat.com>
Fix the address of the FSF in the GPL licence file and add a URL to both
licence files whilst we're at it.
Signed-off-by: David Howells <dhowells@redhat.com>
Clean up variables that are set but not read, giving:
    keyutils.c: In function 'recursive_key_scan_aux':
    keyutils.c:353:46: error: variable 'is_keyring' set but not used [-Werror=unused-but-set-variable]
    key.dns_resolver.c: In function 'main':
    key.dns_resolver.c:643:7: error: variable 'hostbuf' set but not used [-Werror=unused-but-set-variable]
with the F16 compiler.
Signed-off-by: David Howells <dhowells@redhat.com>
Move to version 1.5.
Signed-off-by: David Howells <dhowells@redhat.com>
Allow multiple lines in the commands[] table with same name by setting the
action function pointer to NULL for the second and subsequent entries. This
prevents the partial matcher from proclaiming ambiguity for short versions of
commands that have multiple lines ('session' and 'purge').
Also alphabetically order the commands table.
Signed-off-by: David Howells <dhowells@redhat.com>
Add a purge command to keyctl to unlink all matching keys from the session
keyring tree that it can find. There are three cases:
 (1) keyctl purge <type>
     Perform a depth-first search to find all keys of this type and unlink
     them.
 (2) keyctl purge [-i] [-p] <type> <desc>
     Perform a depth-first search to find all keys of this type and unlink them
     if their description matches the specified description textually. The
     caller can request a case-independent match on the description by
     supplying the -i flag or a prefix match by supplying the -p flag.
 (3) keyctl purge -s <type> <desc>
     Repeat 'keyctl search' in all the searchable keyrings in the session
     keyring tree and unlink matching keys from those keyrings. The comparison
     is therefore done with the key type's comparator in the kernel and may
     thus match different keys to (2).
Signed-off-by: David Howells <dhowells@redhat.com>
Permit unlinking of all instances of a key in the session keyring tree by
electing not to provide a keyring ID to the unlink command. With this, the
unlink command becomes:
    keyctl unlink <key> [<keyring>]
If <keyring> is given, just the link to <key> in the nominated keyring is
removed.
If <keyring> is not given, all links to <key> in the session keyring are
removed.
Signed-off-by: David Howells <dhowells@redhat.com>
A new command:
    keyctl reap
will do a depth-first search of the session keyring tree looking for negative,
rejected, expired, revoked and dead keys and unlink them if possible (the
keyring containing the link has to grant Write permission to the caller).
Signed-off-by: David Howells <dhowells@redhat.com>
Add a pair of depth-first recursive key scanning functions to the library.
The first applies the named function to all the accessible keys in the keyring
tree rooted at key:
    int recursive_key_scan(key_serial_t key,
                           recursive_key_scanner_t func,
                           void *data);
The second is the same as the first, with the calling process's session
keyring as the root keyring:
    int recursive_key_session_scan(recursive_key_scanner_t func,
                                   void *data);
Both functions take a pointer to a callback function to be applied and a data
item to pass to it. The callback function should fit the following template:
    typedef int (*recursive_key_scanner_t)(
        key_serial_t parent, key_serial_t key,
        char *desc, int desc_len,
        void *data);
The parameters are: the keyring currently being scanned (parent); the key
linked to by the current slot in that keyring (key); the raw description of
that key (desc) as fetched by keyctl_describe or NULL if it couldn't be
fetched; the length of the raw description (desc_len) or -1 if
keyctl_describe_alloc() returned an error; and the data passed to whichever
scanning function was called.
Keyrings must grant View and Read permission to be iterated through. Target
keys need not grant any permissions to have the callback function applied.
The return value of the scanning functions is the sum of the return values of
the callback function applied to each key. Errors are ignored.
Signed-off-by: David Howells <dhowells@redhat.com>
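The recursive scan contract just described, and the purge command's matching cases (1) and (2) from the earlier commit, can be exercised without a kernel by walking an in-memory tree. The following is an added example, not the library's code: recursive_key_scan() and recursive_key_scanner_t keep the names and signatures quoted above but are reimplemented here over a constructed mock tree, so nothing is linked against libkeyutils. The names mock_key, mock_tree, find_key, scan_aux, purge_args, parse_raw_desc, purge_cb and purge_count belong to this example. The "type;uid;gid;perm;description" layout is the one keyctl_describe() returns; the serial numbers, uids and permission masks in the tree are constructed, and "iterable" stands in for a keyring granting the caller View and Read. The purge callback counts and reports the links it would remove rather than unlinking, since there is no kernel keyring to unlink from.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L        /* strdup(), strcasecmp() */
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

typedef int32_t key_serial_t;                        /* as in keyutils.h */

/* Callback template quoted in the commit message above (same signature). */
typedef int (*recursive_key_scanner_t)(key_serial_t parent, key_serial_t key,
                                       char *desc, int desc_len, void *data);

/* Constructed mock key standing in for the kernel: raw_desc uses the
 * keyctl_describe() layout "type;uid;gid;perm;description"; 'iterable' means
 * the keyring grants View and Read to the caller. Ids are 1..N in order. */
struct mock_key { key_serial_t id; const char *raw_desc; int iterable;
                  key_serial_t children[4]; int nchildren; };

static const struct mock_key mock_tree[] = {
    { 1, "keyring;1000;1000;3f010000;_ses",       1, {2, 3, 4}, 3 },
    { 2, "user;1000;1000;3f010000;debug:lizard",  0, {0}, 0 },
    { 3, "keyring;1000;1000;3f010000;sub",        1, {5, 6}, 2 },
    { 4, "keyring;0;0;3f010000;locked",           0, {7}, 1 }, /* not iterable */
    { 5, "user;1000;1000;3f010000;Debug:Gizzard", 0, {0}, 0 },
    { 6, "user;1000;1000;3f010000;debug:lizard",  0, {0}, 0 },
    { 7, "user;1000;1000;3f010000;debug:hidden",  0, {0}, 0 }, /* unreachable */
};

static const struct mock_key *find_key(key_serial_t id)
{
    size_t n = sizeof(mock_tree) / sizeof(mock_tree[0]);
    return id >= 1 && (size_t)id <= n ? &mock_tree[id - 1] : NULL;
}

/* Depth-first walk with the documented contract: every key reached goes to
 * the callback (desc NULL, desc_len -1 if it cannot be described), recursion
 * only enters iterable keyrings, errors are ignored, results are summed. */
static int scan_aux(key_serial_t parent, key_serial_t key,
                    recursive_key_scanner_t func, void *data)
{
    const struct mock_key *k = find_key(key);
    char *desc = k ? strdup(k->raw_desc) : NULL;
    int ret = func(parent, key, desc, desc ? (int)strlen(desc) : -1, data);
    free(desc);
    if (k && k->iterable)
        for (int i = 0; i < k->nchildren; i++)
            ret += scan_aux(key, k->children[i], func, data);
    return ret;
}

static int recursive_key_scan(key_serial_t key, recursive_key_scanner_t func,
                              void *data)
{
    return scan_aux(0, key, func, data);            /* root has no parent */
}

/* Purge selection: icase is -i, prefix is -p, desc NULL is "purge <type>". */
struct purge_args { const char *type, *desc; int icase, prefix; };

/* Split "type;uid;gid;perm;description" into its type and description. */
static int parse_raw_desc(const char *raw, char *type, size_t tlen,
                          const char **description)
{
    const char *p = strchr(raw, ';');
    if (!p || (size_t)(p - raw) >= tlen)
        return -1;
    memcpy(type, raw, p - raw);
    type[p - raw] = '\0';
    for (int i = 0; i < 3; i++)                     /* skip uid, gid, perm */
        if (!(p = strchr(p + 1, ';')))
            return -1;
    *description = p + 1;
    return 0;
}

static int purge_cb(key_serial_t parent, key_serial_t key, char *desc,
                    int desc_len, void *data)
{
    const struct purge_args *a = data;
    char type[32];
    const char *d;
    /* The root has no link to remove; an undescribable key cannot match. */
    if (parent == 0 || !desc || desc_len < 0 ||
        parse_raw_desc(desc, type, sizeof(type), &d) < 0 ||
        strcmp(type, a->type) != 0)
        return 0;
    if (a->desc && (a->prefix
            ? (a->icase ? strncasecmp(d, a->desc, strlen(a->desc))
                        : strncmp(d, a->desc, strlen(a->desc)))
            : (a->icase ? strcasecmp(d, a->desc) : strcmp(d, a->desc))))
        return 0;
    printf("would unlink key %d from keyring %d (%s)\n", key, parent, d);
    return 1;
}

/* Number of links a purge with these arguments would remove below keyring 1. */
static int purge_count(const char *type, const char *desc, int icase, int prefix)
{
    struct purge_args a = { type, desc, icase, prefix };
    return recursive_key_scan(1, purge_cb, &a);
}
```

Calling purge_count("user", NULL, 0, 0) walks the mock session keyring and reports three user keys; key 7 is never reached because keyring 4 is not iterable, which is the permission boundary the commit message describes. The -i and -p variants show why textual matching in case (2) differs from the kernel-side comparator of case (3): "Debug:Gizzard" is only found when -i is given.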