keys: Fix request_key() lack of Link perm check on found key

The request_key() syscall allows a process to gain access to the 'possessor'
permits of any key that grants it Search permission by virtue of request_key()
not checking whether a key it finds grants Link permission to the caller.

Signed-off-by: David Howells <dhowells@redhat.com>
This commit is contained in:
David Howells 2019-06-19 16:10:15 +01:00
parent 45e0f30c30
commit 504b69eb3c
2 changed files with 14 additions and 0 deletions

View File

@ -433,6 +433,10 @@ The main syscalls are:
/sbin/request-key will be invoked in an attempt to obtain a key. The
callout_info string will be passed as an argument to the program.
To link a key into the destination keyring the key must grant link
permission on the key to the caller and the keyring must grant write
permission.
See also Documentation/security/keys/request-key.rst.

View File

@ -564,6 +564,16 @@ struct key *request_key_and_link(struct key_type *type,
key_ref = search_process_keyrings(&ctx);
if (!IS_ERR(key_ref)) {
if (dest_keyring) {
ret = key_task_permission(key_ref, current_cred(),
KEY_NEED_LINK);
if (ret < 0) {
key_ref_put(key_ref);
key = ERR_PTR(ret);
goto error_free;
}
}
key = key_ref_to_ptr(key_ref);
if (dest_keyring) {
ret = key_link(dest_keyring, key);