[PATCH] keys: Allow disabling read permissions for key possessor
Jarkko Sakkinen
jarkko at kernel.org
Tue Mar 23 02:02:15 UTC 2021
On Mon, Mar 22, 2021 at 12:57:26PM +0300, Andrey Ryabinin wrote:
> keyctl_read_key() has a strange code which allows possessor to read
> key's payload regardless of READ permission status:
>
> $ keyctl add user test test @u
> 196773443
> $ keyctl print 196773443
> test
> $ keyctl describe 196773443
> 196773443: alswrv-----v------------ 1000 1000 user: test
> $ keyctl rdescribe 196773443
> user;1000;1000;3f010000;test
> $ keyctl setperm 196773443 0x3d010000
> $ keyctl describe 196773443
> 196773443: alsw-v-----v------------ 1000 1000 user: test
> $ keyctl print 196773443
> test
>
> The last keyctl print should fail with -EACCESS instead of success.
> Fix this by removing weird possessor checks.
>
> Signed-off-by: Andrey Ryabinin <arbn at yandex-team.ru>
I wrote a new test. If you include a test into a commit please
describe it so that it can be easily executed. Otherwise, it is
somewhat useless.
Anyway,
https://gist.github.com/jarkk0sakkinen/7b417be20cb52ed971a90561192f0883
David, why all of these end up allowing to still print the payload?
/Jarkko
More information about the Linux-security-module-archive
mailing list