Commit message | Author | Age | Files | Lines
* test: Grant permissions [next] | David Howells | 2020-07-06 | 7 | -59/+40

  Test permission granting using the internal ACL.

  Signed-off-by: David Howells <dhowells@redhat.com>
* Add a keyctl command for granting a permit on a key | David Howells | 2020-07-06 | 16 | -3/+1301

  Add a keyctl command to allow permits to be granted or removed on a key for a specific subject. The kernel maintains the ACL internally from these alterations, but the ACL isn't directly accessible.

  The command looks like:

      keyctl grant <keyid> <subject> <permits>

  where subject can currently be one of

      pos - Permits available to a possessor of the key
      own - Permits available to key's owner
      grp - Permits available to key's group ID
      all - Permits available to everyone

  and permits can be any combination of the following letters:

      v - Permit the subject to view the key's attributes
      r - Permit the subject to read the key's payload
      w - Permit the subject to change the key's payload
      s - Permit the subject to find the key in a search
      l - Permit the subject to create a link to the key
      I - Permit the subject to invalidate the key
      R - Permit the subject to revoke the key
      S - Permit the subject to change the key's security
      j - Permit the subject to join the session keyring
      c - Permit the subject to clear the keyring

  For example:

      $ keyctl grant @s own j

  will grant the key's owner a permit to join the key as its session keyring, but will remove all other permits for the owner directly, such as view, read, etc.

  Signed-off-by: David Howells <dhowells@redhat.com>
* Handle kernel having key/keyring ACLs | David Howells | 2020-07-06 | 9 | -30/+62

  Handle the kernel using ACLs to store the list of permits for a key or keyring:

  (1) Make the "keyctl supports" command show it

  (2) Change the behaviour of the keyctl/permitting/valid tests to take account of the fact that 'Other' permits are replaced with 'Everyone' permits and so are added to the other permits rather than being used as a fallback instead of the other permits.

  Signed-off-by: David Howells <dhowells@redhat.com>
* Version 1.6.2 [v1.6.2] | David Howells | 2020-07-06 | 1 | -1/+13
* Build: Remove libkeyutils.pc on make clean | David Howells | 2020-07-06 | 1 | -1/+1

  Signed-off-by: David Howells <dhowells@redhat.com>
* Fix error when a C++ program is linked with libkeyutils | Christophe Vu-Brugier | 2020-07-06 | 1 | -0/+8

  Declare all the functions as extern "C" in keyutils.h to instruct a C++ compiler that these functions are not mangled.

  Signed-off-by: Christophe Vu-Brugier <cvubrugier@fastmail.fm>
  Signed-off-by: David Howells <dhowells@redhat.com>
* Check that keyutils.h has valid C++ syntax at build time | Christophe Vu-Brugier | 2020-07-06 | 1 | -1/+15

  Signed-off-by: Christophe Vu-Brugier <cvubrugier@fastmail.fm>
  Signed-off-by: David Howells <dhowells@redhat.com>
* Fix compilation error when keyutils.h is used in C++ | Christophe Vu-Brugier | 2020-07-06 | 2 | -3/+3

  The declaration of the keyctl_dh_compute_kdf() function contains a parameter named "private". Unfortunately, "private" is a C++ reserved keyword. As a consequence, compiling a C++ program that includes keyutils.h fails.

  This patch renames the "private" variable to "priv" since a similar parameter is named this way in the nearby keyctl_dh_compute() function.

  Signed-off-by: Christophe Vu-Brugier <cvubrugier@fastmail.fm>
  Signed-off-by: David Howells <dhowells@redhat.com>
* man: fix typos | Christophe Vu-Brugier | 2020-07-06 | 11 | -16/+12

  Signed-off-by: Christophe Vu-Brugier <cvubrugier@fastmail.fm>
  Signed-off-by: David Howells <dhowells@redhat.com>
* Add the ability to supply filters to watches set with keyctl | David Howells | 2020-07-06 | 6 | -23/+269

  Add the ability to supply filters to watches set with "keyctl watch" and "keyctl watch_session".

  Signed-off-by: David Howells <dhowells@redhat.com>
* test: Use notifications in testing | David Howells | 2020-07-06 | 2 | -20/+348

  Make the testing infrastructure do automatic checking for notifications as tests manipulate keys.

  Signed-off-by: David Howells <dhowells@redhat.com>
* Add a notification facility for watching for key changes | David Howells | 2020-07-06 | 12 | -9/+963

  Add keyctl commands and library functions to handle the setting and removal of watches on keys for notifications of change events.

  Five keyctl commands are defined:

  (1) keyctl watch <key>

      Watch the specified key for changes, logging notifications to stdout.

  (2) keyctl watch_session [-n <name>] <notifylog> <gclog> <fd> prog [<arg>...]

      Create a new session keyring and attach a watch to it that an auxiliary logging process monitors. The nominated program is run with the session program with the arguments given. The session keyring can be given a name.

      The logging process will log synchronous events to file notifylog and asynchronous events to file gclog.

      The specified file descriptor will be attached to the watch_queue and left open across the exec. This can be made use of by the next few commands.

  (3) keyctl watch_add <fd> <key>
  (4) keyctl watch_rm <fd> <key>

      Add/remove a watch on the specified key to/from the given watch_queue derived from watch_session.

  (5) keyctl watch_sync <fd>

      Wait for the logging process that's watching the given watch_queue to synchronise.

  Commands (2) to (5) are primarily provided for the testsuite's purposes.

  Signed-off-by: David Howells <dhowells@redhat.com>
* lib: Open version KEYUTILS_1.10 | David Howells | 2020-07-06 | 2 | -1/+5

  Open API version KEYUTILS_1.10 in the shared library.

  Signed-off-by: David Howells <dhowells@redhat.com>
* dns: Apply a default TTL to records obtained from getaddrinfo() | David Howells | 2020-07-06 | 6 | -25/+277

  Address records obtained from getaddrinfo() don't come with any TTL information, even if they're obtained from the DNS, with the result that key.dns_resolver upcall program doesn't set an expiry time on dns_resolver records unless they include a component obtained directly from the DNS, such as an SRV or AFSDB record.

  Fix this to apply a default TTL of 10mins in the event that we haven't got one. This can be configured in /etc/keyutils/key.dns_resolver.conf by adding the line:

      default_ttl = <number-of-seconds>

  to the file.

  Signed-off-by: David Howells <dhowells@redhat.com>
  Reviewed-by: Ben Boeckel <me@benboeckel.net>
  Reviewed-by: Jeff Layton <jlayton@kernel.org>
* Makefile: Use rpmspec to calculate package name | David Howells | 2020-05-18 | 1 | -6/+6

  Use the rpmspec program to calculate the package name rather than trying to substitute macros that keep changing.

  Signed-off-by: David Howells <dhowells@redhat.com>
* man: the info strings are actually space or tab separated | Ben Boeckel | 2020-05-18 | 3 | -5/+5

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* man: clarify that keyctl_set_reqkey_keyring(3) returns the old default | Ben Boeckel | 2020-05-18 | 1 | -2/+2

  The prose mentions this, but the return value section gave conflicting information.

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* keyctl: try to wipe keys from memory after use | Maciej S. Szmigiero | 2019-10-31 | 1 | -7/+41

  The key being added or updated likely contains secrets so it would be best not to leave it in memory or in a core dump when no longer needed.

  Glibc 2.25+ provides the explicit_bzero() function that can be used for this purpose, let's utilize it if it is present.

  Tested by redefining exit(n) to abort() and inspecting the resulting core file for key data.

  Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
  Signed-off-by: David Howells <dhowells@redhat.com>
* tests: Use hex input for keyctl/dh_compute/bad-args | David Howells | 2019-09-04 | 1 | -41/+41

  Use keyctl add's hex input capability for keyctl/dh_compute/bad-args rather than an "echo -e | keyctl padd" construct.

  Signed-off-by: David Howells <dhowells@redhat.com>
* tests/search: test a found key without search permissions | Ben Boeckel | 2019-09-04 | 1 | -5/+29

  These stanzas were essentially duplicates of the previous blocks. Fix them to test first disabling Search on the first keyring and then the second keyring.

  Also add disabling of Search on the target key and checking searches from the session keyring.

  [DH: Modified to fix the searches and add Ben's change as a separate test in its own right]

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* tests/search: test searching with a mismatched type | Ben Boeckel | 2019-09-04 | 1 | -0/+5

  This should fail because the actually found key has a type mismatch.

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* tests/reading: fix test comment | Ben Boeckel | 2019-09-04 | 1 | -1/+1

  This comment was copied from another test. This one actually fails because search permissions were also removed.

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* test/instantiating: test bad arguments for `keyctl reject` | Ben Boeckel | 2019-09-04 | 2 | -0/+36

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* tests/instantiating: test the unlinked keyid | Ben Boeckel | 2019-09-04 | 1 | -3/+3

  Testing the `0` ID just repeats the "BAD KEY" tests at the beginning of the file.

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* tests/timeout: test actions on an expired keyring as well | Ben Boeckel | 2019-09-04 | 1 | -0/+15

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* tests: fix typos in test comments | Ben Boeckel | 2019-09-04 | 9 | -11/+11

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* keyctl: unify spelling of "unparsable" | Ben Boeckel | 2019-09-04 | 1 | -3/+3

  Both spellings seem to be accepted, but the majority of uses agreed on the "unparsable" variant.

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* tests: remove some trailing whitespace | Ben Boeckel | 2019-09-04 | 4 | -15/+15

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* tests: fix some typos in marker lines | Ben Boeckel | 2019-09-04 | 1 | -1/+1

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* tests/toolbox: detect endianness with PIE executables | Ben Boeckel | 2019-09-04 | 1 | -2/+2

  Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
  Signed-off-by: David Howells <dhowells@redhat.com>
* test: Fold expect_keyid into create_key and suchlike | David Howells | 2019-09-04 | 51 | -468/+559

  Fold the use of expect_keyid into create_key and suchlike to make it easier to integrate notification checks into the existing superstructure, thereby making them happen automatically rather than having to manually code them.

  Signed-off-by: David Howells <dhowells@redhat.com>
* rpm: Fix version determination for "make rpm" | David Howells | 2019-09-04 | 1 | -5/+9

  Fix the determination of the version string for "make rpm" by making sure that all otherwise unhandled %{...} variable substitutions get deleted.

  Signed-off-by: David Howells <dhowells@redhat.com>
* Fix the guess for the default LIBDIR | David Howells | 2019-09-04 | 1 | -1/+1

  The guesser for the default LIBDIR examines the libraries used by make, looking for libc. Make uses libcrypt as well as libc, so if libcrypt happens to come first, that matches and the sed command to extract the library path fails.

  Fix this by looking for a match on "libc." instead of "libc".

  Signed-off-by: David Howells <dhowells@redhat.com>
* test: Test trusted keyring features | David Howells | 2019-08-19 | 1 | -0/+101

  Test kernel features like the builtin trusted keyring.

  Signed-off-by: David Howells <dhowells@redhat.com>
* test: Use hex-converting padd for dh_compute tests | David Howells | 2019-08-19 | 1 | -124/+124

  Use hex-converting padd to load data for dh_compute tests.

  Signed-off-by: David Howells <dhowells@redhat.com>
* keyctl: Allow add, padd and suchlike to take hex-encoded data | David Howells | 2019-08-19 | 8 | -36/+202

  Allow add, padd, update, pupdate, instantiate, pinstantiate and dh_compute_kdf_oi to take hex-encoded data which is then converted into binary before being passed to the kernel, e.g.:

      $ keyctl add -x user foo 686578 @s
      $ echo 686578 | keyctl padd -x user foo @s

  This makes it easier to stash data in scripts.

  Signed-off-by: David Howells <dhowells@redhat.com>
* test: Check that KEYCTL_SESSION_TO_PARENT works | David Howells | 2019-08-19 | 2 | -0/+68

  Check that the KEYCTL_SESSION_TO_PARENT keyctl function works.

  Signed-off-by: David Howells <dhowells@redhat.com>
* Allow keyctl new_session to name the session keyring | David Howells | 2019-08-19 | 2 | -6/+9

  Allow "keyctl new_session" to name the session keyring it creates and attaches to the parent:

      $ keyctl new_session fred
      52095209

  Signed-off-by: David Howells <dhowells@redhat.com>
* Add a symbolic ID to numeric ID keyctl command | David Howells | 2019-08-19 | 6 | -0/+176

  Add a keyctl command to look up a symbolic key ID (such as "@s") or a named reference (such as "%user:foo") and return the numeric ID for the key or keyring, eg:

      $ keyctl id @s
      259509209

  The command will also just convert numeric IDs to themselves.

  Signed-off-by: David Howells <dhowells@redhat.com>
* Put the keyctl get_persistent command in the right order | David Howells | 2019-08-19 | 1 | -1/+1

  Put the keyctl get_persistent command in the right place in the alphabetic command order.

  Signed-off-by: David Howells <dhowells@redhat.com>
* Allow retrieval of raw data with "keyctl supports" | David Howells | 2019-08-19 | 2 | -9/+31

  Allow "keyctl supports" to be given a "--raw" flag to request a hexdump of the data retrieved.

  Signed-off-by: David Howells <dhowells@redhat.com>
* Add namespace-related capability tags | David Howells | 2019-08-19 | 4 | -0/+27

  Add missing ns_keyring_name and ns_key_tag capability tags to "keyctl supports".

  Signed-off-by: David Howells <dhowells@redhat.com>
* test: Test all possible type, description and payload lengths to add_key | David Howells | 2019-08-19 | 5 | -20/+310

  Test all possible type, description and payload lengths to add_key() to make sure that the kernel doesn't crash when handling them.

  The bulk of this test is implemented in C in the keyctl command so that it completes in a reasonable amount of time (testing over a million different sizes of payload from shell script is just too slow).

  Signed-off-by: David Howells <dhowells@redhat.com>
* Move to version 1.6.1 [v1.6.1] | David Howells | 2019-08-02 | 1 | -1/+7
* test: Use capabilities query function in test scripts | David Howells | 2019-06-19 | 1 | -36/+42

  Signed-off-by: David Howells <dhowells@redhat.com>
* Provide the ability to query subsystem capabilities | David Howells | 2019-06-19 | 10 | -0/+355

  Provide the ability to query the capabilities of the keyrings subsystem.

  Signed-off-by: David Howells <dhowells@redhat.com>
* Add support for KEYCTL_MOVE | David Howells | 2019-06-19 | 13 | -2/+755

  Signed-off-by: David Howells <dhowells@redhat.com>
* Make key=value argument list optional for pkey_{encrypt,decrypt,sign} | Lennert Buytenhek | 2019-06-19 | 1 | -3/+3

  keyctl's help message suggests that including a key=value style list of arguments is optional for the pkey_* operations, and for pkey_query and pkey_verify it indeed seems to be optional, but the other three operations require that at least one key=value pair be passed in.

  This patch changes the logic to make key=value lists optional for all pkey_* operations.

  Signed-off-by: Lennert Buytenhek <buytenh@wantstofly.org>
  Signed-off-by: David Howells <dhowells@redhat.com>
* Fix syscall signature for KEYCTL_PKEY_QUERY | Lennert Buytenhek | 2019-06-19 | 1 | -1/+1

  Currently, running 'keyctl pkey_query' (or pkey_{encrypt,decrypt,sign}, due to those using pkey_query internally) will always return:

      keyctl_pkey_query: Invalid argument

  This is because we invoke KEYCTL_PKEY_QUERY as:

      return keyctl(KEYCTL_PKEY_QUERY, key_id, info, result);

  While the kernel code (security/keys/keyctl.c) does this:

      [...]
      case KEYCTL_PKEY_QUERY:
              if (arg3 != 0)
                      return -EINVAL;
              return keyctl_pkey_query((key_serial_t)arg2,
                                       (const char __user *)arg4,
                                       (struct keyctl_pkey_query __user *)arg5);
      [...]

  In other words, there is supposed to be an argument between 'key_id' and 'info' (presumably for the (currently unsupported) key password field?) which is supposed to be NULL. Adding a NULL argument seems to make things happy.

  Signed-off-by: Lennert Buytenhek <buytenh@wantstofly.org>
  Signed-off-by: David Howells <dhowells@redhat.com>
* Fix 'keyctl pkey_query' argument parsing | Lennert Buytenhek | 2019-06-19 | 1 | -1/+1

  keyctl's pkey_* operations each have an argument that allows specifying a key password, but since that feature isn't currently supported, it is supposed to always be passed in as "0":

      if (strcmp(argv[2], "0") != 0) {
              fprintf(stderr, "Password passing is not yet supported\n");
              exit(2);
      }

  However, act_keyctl_pkey_query() has an off-by-one that makes it start parsing key=value style option pairs at the password argument, which causes the following error if the password argument is not in key=value format:

      $ keyctl pkey_query 541826697 0
      Option not in key=val form
      $

  And this error if the password argument is in key=value format:

      $ keyctl pkey_query 541826697 a=b
      Password passing is not yet supported
      $

  This patch fixes act_keyctl_pkey_query() to start parsing key=value pairs from the right place in its argument list, which gets it a little further.

  Signed-off-by: Lennert Buytenhek <buytenh@wantstofly.org>
  Signed-off-by: David Howells <dhowells@redhat.com>