Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y

Now that /proc/keys is used by libkeyutils to look up a key by type and
description, we should make it unconditional and remove
CONFIG_DEBUG_PROC_KEYS.

Reported-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Jiri Kosina <jkosina@suse.cz>
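The lookup the commit message refers to, as an added example that is neither the kernel's nor libkeyutils' own code: it parses constructed /proc/keys lines in the column layout proc_keys_show() emits (serial, flags, usage, timeout, perms, uid, gid, type, description) and returns the serial of the first live key matching a type and description. The sample lines, the prefix rule used to separate the description from the ": extra" suffix that key types append, and the choice to skip revoked, dead and negative keys are all this example's assumptions, not behaviour the page documents.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in the layout proc_keys_show() writes, one key per line:
 *   serial flags usage timeout perms uid gid type description
 * The flag column is I R D Q U N i (Instantiated, Revoked, Dead, in Quota,
 * Under construction, Negative, invalidated) with '-' for a clear bit.
 * These lines are made up for this example, not captured from a real host. */
static const char sample_proc_keys[] =
	"00000001 I--Q---     1 perm 1f3f0000     0     0 keyring   _uid_ses.0: 1/4\n"
	"0000000a I--Q---     3 perm 3f010000  1000  1000 user      backup-cred: 16\n"
	"0000000b I--Q---     2 perm 3f010000  1000  1000 user      backup-credentials: 32\n"
	"0000000c I--Q-N-     1  10s 1f010000  1000  1000 user      stale-lookup\n";

struct proc_key {
	unsigned long long serial;
	char flags[8];
	unsigned int perm;
	unsigned int uid, gid;
	char type[32];
	char desc[256];	/* text after the type column, as the key type printed it */
};

/* Parse one /proc/keys line. Returns 1 on success, 0 if the line does not
 * carry the expected fixed columns (for example a truncated read). */
static int parse_proc_keys_line(const char *line, struct proc_key *k)
{
	unsigned int usage;
	char timeout[16];
	int n = 0;
	size_t len;

	memset(k, 0, sizeof(*k));
	if (sscanf(line, "%llx %7s %u %15s %x %u %u %31s%n",
		   &k->serial, k->flags, &usage, timeout, &k->perm,
		   &k->uid, &k->gid, k->type, &n) != 8)
		return 0;
	line += n;
	while (*line == ' ')
		line++;
	len = strcspn(line, "\n");
	if (len >= sizeof(k->desc))
		len = sizeof(k->desc) - 1;
	memcpy(k->desc, line, len);
	k->desc[len] = '\0';
	return 1;
}

/* Key types append extra information after the description as ": ..."
 * (a keyring's "count/size", a user key's payload length), so match the
 * description as a prefix that is either the whole field or followed by
 * ": ". A description that itself contains ": " is ambiguous under this
 * rule (assumption); a real lookup should confirm the hit with
 * keyctl(KEYCTL_DESCRIBE) on the returned serial. */
static int desc_matches(const char *printed, const char *want)
{
	size_t n = strlen(want);

	if (strncmp(printed, want, n) != 0)
		return 0;
	return printed[n] == '\0' ||
	       (printed[n] == ':' && (printed[n + 1] == ' ' || printed[n + 1] == '\0'));
}

/* Return the serial of the first live key of the given type and description
 * in text, or -1 if there is none. Keys flagged R, D or N are skipped: a
 * revoked, dead or negative key cannot be used, so handing it back would
 * only move the failure to the caller's first keyctl() on it. */
static long long find_key_serial(const char *text, const char *type, const char *want)
{
	const char *p = text;

	while (*p) {
		char line[512];
		struct proc_key k;
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p + 1) : strlen(p);
		const char *next = nl ? nl + 1 : p + strlen(p);

		if (len >= sizeof(line))
			len = sizeof(line) - 1;
		memcpy(line, p, len);
		line[len] = '\0';
		p = next;

		if (!parse_proc_keys_line(line, &k))
			continue;
		if (strcmp(k.type, type) != 0 || !desc_matches(k.desc, want))
			continue;
		if (strchr(k.flags, 'R') || strchr(k.flags, 'D') || strchr(k.flags, 'N'))
			continue;
		return (long long)k.serial;
	}
	return -1;
}

int main(void)
{
	long long serial = find_key_serial(sample_proc_keys, "user", "backup-cred");

	printf("user key \"backup-cred\" has serial %llx\n", serial);
	return serial == 0xa ? 0 : 1;
}
```

Feeding the real file is a matter of reading /proc/keys into a buffer and passing it in place of sample_proc_keys; note that only keys granting View permission to the reading process appear there at all, so a -1 can mean either "no such key" or "not viewable by me", and the two cannot be told apart from this file alone.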

3 files changed, 28 deletions(-)

Documentation/security/keys.txt (-2)
··· 323 323 U Under construction by callback to userspace 324 324 N Negative key 325 325 326 - This file must be enabled at kernel configuration time as it allows anyone 327 - to list the keys database. 328 326 329 327 (*) /proc/key-users 330 328
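Review bot: deleting the sentence at old lines 326-327 leaves keys.txt with no statement of who can read /proc/keys at a time when the file becomes present on every CONFIG_KEYS=y kernel; replace the sentence rather than drop it, carrying over the access rule from the Kconfig help text this patch removes: only keys that grant View permission to the reading process are listed, LSM checks may filter the list further, and only key attributes appear, never payloads. The old wording ("allows anyone to list the keys database") was inaccurate for exactly that reason, so a corrected sentence here is better than silence.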
security/keys/Kconfig (-18)
··· 80 80 Userspace only ever sees/stores encrypted blobs. 81 81 82 82 If you are unsure as to whether this is required, answer N. 83 - 84 - config KEYS_DEBUG_PROC_KEYS 85 - bool "Enable the /proc/keys file by which keys may be viewed" 86 - depends on KEYS 87 - help 88 - This option turns on support for the /proc/keys file - through which 89 - can be listed all the keys on the system that are viewable by the 90 - reading process. 91 - 92 - The only keys included in the list are those that grant View 93 - permission to the reading process whether or not it possesses them. 94 - Note that LSM security checks are still performed, and may further 95 - filter out keys that the current process is not authorised to view. 96 - 97 - Only key attributes are listed here; key payloads are not included in 98 - the resulting table. 99 - 100 - If you are unsure as to whether this is required, answer N.
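Review bot: the symbol removed here is KEYS_DEBUG_PROC_KEYS, but the commit message says CONFIG_DEBUG_PROC_KEYS; fix the message so a later `git log --grep KEYS_DEBUG_PROC_KEYS` finds this change. Before merging, also `git grep KEYS_DEBUG_PROC_KEYS` across arch/*/configs and any other Kconfig or Makefile references, since any leftover mention becomes a silently ignored dead symbol once the option is gone.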
security/keys/proc.c (-8)
··· 18 18 #include <asm/errno.h> 19 19 #include "internal.h" 20 20 21 - #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS 22 21 static int proc_keys_open(struct inode *inode, struct file *file); 23 22 static void *proc_keys_start(struct seq_file *p, loff_t *_pos); 24 23 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos); ··· 37 38 .llseek = seq_lseek, 38 39 .release = seq_release, 39 40 }; 40 - #endif 41 41 42 42 static int proc_key_users_open(struct inode *inode, struct file *file); 43 43 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos); ··· 65 67 { 66 68 struct proc_dir_entry *p; 67 69 68 - #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS 69 70 p = proc_create("keys", 0, NULL, &proc_keys_fops); 70 71 if (!p) 71 72 panic("Cannot create /proc/keys\n"); 72 - #endif 73 73 74 74 p = proc_create("key-users", 0, NULL, &proc_key_users_fops); 75 75 if (!p) ··· 82 86 * Implement "/proc/keys" to provide a list of the keys on the system that 83 87 * grant View permission to the caller. 84 88 */ 85 - #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS 86 - 87 89 static struct rb_node *key_serial_next(struct seq_file *p, struct rb_node *n) 88 90 { 89 91 struct user_namespace *user_ns = seq_user_ns(p); ··· 268 274 rcu_read_unlock(); 269 275 return 0; 270 276 } 271 - 272 - #endif /* CONFIG_KEYS_DEBUG_PROC_KEYS */ 273 277 274 278 static struct rb_node *__key_user_next(struct user_namespace *user_ns, struct rb_node *n) 275 279 {
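Review bot: with the #ifdef around proc_create("keys", 0, NULL, &proc_keys_fops) removed, /proc/keys exists on every CONFIG_KEYS=y kernel, and a mode of 0 passed to proc_create() means the default 0444, so the file is world-readable; the only gate on what an unprivileged reader sees is the per-key View permission and LSM check described in the comment above key_serial_next(). That is the intended design, but the commit message should say so explicitly, because this turns a debug-only option into a default exposure of every viewable key's serial, flags, perms, owner, type and description to any local user, and distributions reviewing the change will want that stated rather than inferred from the hunk.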