Michael Kerrisk
c69490ae43
keyctl.2: Improve a KEYCTL_SET_REQKEY_KEYRING detail
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:23 +01:00
Michael Kerrisk
5e0d5def6c
request_key.2: Improve description of default keyring when dest_keyring is zero
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:23 +01:00
Michael Kerrisk
6dfb4dda6e
request_key.2: Minor wording fixes
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:23 +01:00
Eugene Syromyatnikov
2bcf858070
request_key.2: Add information regarding default keyring
...
Notes from Eugene:
Based on linux v4.9-rc6 (9c763584):
* security/keys/keyctl.c, SYSCALL_DEFINE4(request_key, ...), line 158:
* Assume that call is performed with destringid == 0:
* We skip check on line 196, so dest_ref remains NULL
* On line 213, request_key_and_link is called with key_ref_to_ptr(dest_ref)
* key_ref_to_ptr() itself just zeroes lower bit which is used for
indication that key reference in the possession of the current
context.
* security/keys/request_key.c, request_key_and_link, line 508:
* On line 543, we try to search process keyrings for the key (we
fill ctx at the beginning of the function and then pass it to
search_process_keyrings)
* If key is found (key_ref is not erroneous), we convert key_ref to
ptr on line 546 and skip the following block on line 547 since
dest_keyring is 0.
* If key is not found and error is not EAGAIN, then
construct_key_and_link is called on line 566 with dest_keyring ==
NULL.
* security/keys/request_key.c, construct_key_and_link, line 430:
* On line 450, construct_get_dest_keyring is called with dest_keyring
== NULL.
* security/keys/request_key.c, construct_get_dest_keyring, line 253:
* The argument here (which is pointer to pointer to struct key) is
named _dest_keyring, but on line 257 it is dereferenced to local
variable dest_keyring (so it stores NULL now).
* We're going to the "else" branch (starting from line 266) of check
on line 262
* Now we are switching against cred->jit_keyring with the behaviour
described in the patch.
* git grep jit_keyring security/keys reveals that it is assigned inside
keyctl_set_reqkey_keyring, security/keys/keyctl.c, line 1257.
* keyctl_set_reqkey_keyring is called from SYSCALL_DEFINE5(keyctl,
...), when option passed to keyctl is KEYCTL_SET_REQKEY_KEYRING (line
1652).
* Default value for jit_keyring is sort of difficult to find out, since
it is inherited, but overall it is explicitly set to
KEY_REQKEY_DEFL_THREAD_KEYRING or copied from zeroed-out structures
(so it is equal to KEY_REQKEY_DEFL_DEFAULT) which leads to the same
behaviour in case the process has not been upcalled by request_key
construction.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:23 +01:00
Michael Kerrisk
34795036d1
keyrings.7: Number the fields in /proc/keys for easy reference in discussion
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:23 +01:00
Michael Kerrisk
1704100353
keyrings.7: srcfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
8a141d6b8f
keyrings.7: wfix
...
Reported-by: David Howells <dhowells@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
b51c7752ea
keyrings.7: Fixes after feedback from David Howells
...
Reported-by: David Howells <dhowells@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
805aa46622
keyrings.7: wfix
...
Reported-by: David Howells <dhowells@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
7c5c6f2c9e
keyrings.7: Add a little more detail on the encryption of the big_key payload
...
Reported-by: Eugene Syromyatnikov <evgsyr@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
790ba8ccf8
keyrings.7: ff
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
e8722fc5a2
keyrings.7: Rework 'big_key' text a little
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
23e10faf7b
keyrings.7: Fixes after review by David Howells
...
Reported-by: David Howells <dhowells@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
9fd70ffaf6
keyrings.7: Reorder list of key types
...
Place "keyring" first.
Reported-by: David Howells <dhowells@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
1d452eeca3
add_key.2: Various fixes after review by David Howells
...
Reported-by: David Howells <dhowells@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
eebdcb80a8
add_key.2: Reorder list of key types (place keyrings first)
...
Reported-by: David Howells <dhowells@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
6cf27f3f8c
keyrings.7: Add a note on the unimplemented group keyring
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
dc26e4994b
keyrings.7: Note the special keyring IDs used in add_key()/request_key()/keyctl()
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
46d584ecbb
keyrings.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
ecf9a3e30b
keyrings.7: Extend SEE ALSO list
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
f5e0c167f4
add_key.2: srcfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
722772aa01
keyrings.7: Minor tweaks
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Eugene Syromyatnikov
efeccbf659
keyrings.7: Add info regarding pre-3.17 defaults in root_maxbytes/root_maxkeys
2016-12-27 09:36:22 +01:00
Eugene Syromyatnikov
f391cd5a93
keyrings.7: tfix
2016-12-27 09:36:22 +01:00
Eugene Syromyatnikov
be851e7e53
keyrings.7: Minor clarification on where big_key payload is stored
2016-12-27 09:36:22 +01:00
Eugene Syromyatnikov
d78255b88b
keyrings.7: tfix
2016-12-27 09:36:22 +01:00
Eugene Syromyatnikov
cd27ab965e
keyrings.7: Minor clarification regarding storage method used in keyrings
2016-12-27 09:36:22 +01:00
Eugene Syromyatnikov
87c6aeea76
keyctl.2: tfix
2016-12-27 09:36:22 +01:00
Michael Kerrisk
0b617a3a9c
request_key.2: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Michael Kerrisk
24fcf1d3e7
request_key.2: Tweaks to Eugene Syromyatnikov's patches
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Eugene Syromyatnikov
b58584686b
request_key.2: VERSIONS: Note kernel version that added key instantiation on request
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Eugene Syromyatnikov
f70b502db6
request_key.2: Document some additional errors
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:22 +01:00
Eugene Syromyatnikov
9b0ac3ef53
request_key.2: wfix
2016-12-27 09:36:22 +01:00
Eugene Syromyatnikov
1bf661a0d8
request_key.2: tfix
2016-12-27 09:36:21 +01:00
Michael Kerrisk
8880b194be
keyrings.7: Note key types and descriptions that are reserved to the implementation
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00
Michael Kerrisk
b67331f9b3
add_key.2: ERRORS: Note key types and descriptions that are reserved
...
Some key type names and keyring description names are
reserved to the implementation.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00
Michael Kerrisk
924ebcde51
add_key.2: Tweaks to Eugene Syromyatnikov's patches
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00
Eugene Syromyatnikov
62975dc234
add_key.2: Add information regarding EPERM
2016-12-27 09:36:21 +01:00
Eugene Syromyatnikov
c99809b93e
add_key.2: Add information regarding EFAULT
2016-12-27 09:36:21 +01:00
Eugene Syromyatnikov
94dd02f476
add_key.2: Change wording regarding storing of big_key payload
2016-12-27 09:36:21 +01:00
Eugene Syromyatnikov
89bcd51753
add_key.2: Wording change regarding the reasons of call failure
2016-12-27 09:36:21 +01:00
Michael Kerrisk
9d85c78908
user_namespaces.7: Change page cross reference: keyctl(2) ==> keyrings(7)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00
Michael Kerrisk
1f39876b88
request_key.2: Minor tweaks
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00
Michael Kerrisk
4051799cd8
request_key.2: Remove errExit() from example program
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00
Michael Kerrisk
6052344b05
add_key.2: Remove errExit() from example program
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00
Michael Kerrisk
d38d705386
add_key.2: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00
Michael Kerrisk
16dfd5cea1
keyrings.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00
Michael Kerrisk
e22cb0c493
keyrings.7, persistent-keyring.7, process-keyring.7, session-keyring.7, thread-keyring.7, user-keyring.7, user-session-keyring.7: srcfix: spfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00
Michael Kerrisk
51139f08f7
keyrings.7: /proc/keys also shows keys that are not possessed by reader
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00
Michael Kerrisk
c9630289cd
keyrings.7: /proc/keys permissions are determined by reading thread (not process)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00