Diffstat (limited to 'net')
-rw-r--r-- | net/ceph/ceph_common.c | 2 | ||||
-rw-r--r-- | net/dns_resolver/dns_key.c | 12 | ||||
-rw-r--r-- | net/dns_resolver/dns_query.c | 15 | ||||
-rw-r--r-- | net/rxrpc/key.c | 19 | ||||
-rw-r--r-- | net/wireless/reg.c | 6 |
5 files changed, 14 insertions, 40 deletions
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c index 38de80d01aae..1c811c74bfc0 100644 --- a/net/ceph/ceph_common.c +++ b/net/ceph/ceph_common.c @@ -306,7 +306,7 @@ static int get_secret(struct ceph_crypto_key *dst, const char *name) { int err = 0; struct ceph_crypto_key *ckey; - ukey = request_key(&key_type_ceph, name, NULL, NULL); + ukey = request_key(&key_type_ceph, name, NULL); if (IS_ERR(ukey)) { /* request_key errors don't map nicely to mount(2) errors; don't even try, but still printk */ diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c index 6b201531b165..3e1a90669006 100644 --- a/net/dns_resolver/dns_key.c +++ b/net/dns_resolver/dns_key.c @@ -46,15 +46,6 @@ const struct cred *dns_resolver_cache; #define DNS_ERRORNO_OPTION "dnserror" -static struct key_acl dns_keyring_acl = { - .usage = REFCOUNT_INIT(1), - .nr_ace = 2, - .aces = { - KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE), - KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_CLEAR), - } -}; - /* * Preparse instantiation data for a dns_resolver key. * @@ -352,7 +343,8 @@ static int __init init_dns_resolver(void) keyring = keyring_alloc(".dns_resolver", GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, - &dns_keyring_acl, + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ, KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); if (IS_ERR(keyring)) { ret = PTR_ERR(keyring); diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c index 236baf2bfa4c..cab4e0df924f 100644 --- a/net/dns_resolver/dns_query.c +++ b/net/dns_resolver/dns_query.c @@ -47,16 +47,6 @@ #include "internal.h" -static struct key_acl dns_key_acl = { - .usage = REFCOUNT_INIT(1), - .nr_ace = 2, - .possessor_viewable = true, - .aces = { - KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_SEARCH | KEY_ACE_READ), - KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_INVAL), - } -}; - /** * dns_query - Query the DNS * @net: The network namespace to operate in. 
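Review bot: The permission mask passed to keyring_alloc() in init_dns_resolver(), `(KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ`, carries no comment, although it decides who may modify the `.dns_resolver` cache keyring. It is also not a one-to-one translation of the removed dns_keyring_acl: that ACL gave the possessor only search and write, whereas this mask gives the possessor every right except setattr, and the owner no longer has clear. A comment above the argument such as `/* possessor: all but setattr; owner (root): view + read; no group/other bits */` would make the intent reviewable. The same unexplained expression is used in both net/wireless/reg.c hunks (with `KEY_USR_SEARCH` added for the keyring). init_dns_resolver() starts and ends outside the hunk.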
@@ -135,8 +125,7 @@ int dns_query(struct net *net, * add_key() to preinstall malicious redirections */ saved_cred = override_creds(dns_resolver_cache); - rkey = request_key_net(&key_type_dns_resolver, desc, net, options, - &dns_key_acl); + rkey = request_key_net(&key_type_dns_resolver, desc, net, options); revert_creds(saved_cred); kfree(desc); if (IS_ERR(rkey)) { @@ -146,6 +135,8 @@ int dns_query(struct net *net, down_read(&rkey->sem); set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags); + rkey->perm |= KEY_USR_VIEW; + ret = key_validate(rkey); if (ret < 0) goto put; diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index 2032f6a8225e..6c3f35fac42d 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -23,14 +23,6 @@ #include <keys/user-type.h> #include "ar-internal.h" -static struct key_acl rxrpc_null_key_acl = { - .usage = REFCOUNT_INIT(1), - .nr_ace = 1, - .aces = { - KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_READ), - } -}; - static int rxrpc_vet_description_s(const char *); static int rxrpc_preparse(struct key_preparsed_payload *); static int rxrpc_preparse_s(struct key_preparsed_payload *); @@ -918,8 +910,7 @@ int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen) if (IS_ERR(description)) return PTR_ERR(description); - key = request_key_net(&key_type_rxrpc, description, sock_net(&rx->sk), - NULL, NULL); + key = request_key_net(&key_type_rxrpc, description, sock_net(&rx->sk), NULL); if (IS_ERR(key)) { kfree(description); _leave(" = %ld", PTR_ERR(key)); @@ -950,8 +941,7 @@ int rxrpc_server_keyring(struct rxrpc_sock *rx, char __user *optval, if (IS_ERR(description)) return PTR_ERR(description); - key = request_key_net(&key_type_keyring, description, sock_net(&rx->sk), - NULL, NULL); + key = request_key_net(&key_type_keyring, description, sock_net(&rx->sk), NULL); if (IS_ERR(key)) { kfree(description); _leave(" = %ld", PTR_ERR(key)); 
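Review bot: `rkey->perm |= KEY_USR_VIEW;` in dns_query() (hunk at -146) is a plain read-modify-write performed while holding only `down_read(&rkey->sem)`, a shared lock, so two callers that obtain the same cached key can execute it concurrently. Both would set the same bit, so the outcome is presumably benign, but that reasoning is not written down, and the write also happens before `key_validate(rkey)` has accepted the key. I would add a comment along the lines of `/* owner view bit is set idempotently, so the shared lock is sufficient */` once that is confirmed to be the intent, or else move the update under the write side of the semaphore. dns_query() begins and ends outside the hunk.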
@@ -984,8 +974,7 @@ int rxrpc_get_server_data_key(struct rxrpc_connection *conn, _enter(""); key = key_alloc(&key_type_rxrpc, "x", - GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, - &internal_key_acl, + GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, 0, KEY_ALLOC_NOT_IN_QUOTA, NULL); if (IS_ERR(key)) { _leave(" = -ENOMEM [alloc %ld]", PTR_ERR(key)); @@ -1033,7 +1022,7 @@ struct key *rxrpc_get_null_key(const char *keyname) key = key_alloc(&key_type_rxrpc, keyname, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, - &rxrpc_null_key_acl, KEY_ALLOC_NOT_IN_QUOTA, NULL); + KEY_POS_SEARCH, KEY_ALLOC_NOT_IN_QUOTA, NULL); if (IS_ERR(key)) return key; diff --git a/net/wireless/reg.c b/net/wireless/reg.c index 298fe91557f7..4831ad745f91 100644 --- a/net/wireless/reg.c +++ b/net/wireless/reg.c @@ -741,7 +741,8 @@ static void __init load_keys_from_buffer(const u8 *p, unsigned int buflen) key = key_create_or_update(make_key_ref(builtin_regdb_keys, 1), "asymmetric", NULL, p, plen, - &internal_key_acl, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ), KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN | KEY_ALLOC_BYPASS_RESTRICTION); @@ -767,7 +768,8 @@ static int __init load_builtin_regdb_keys(void) builtin_regdb_keys = keyring_alloc(".builtin_regdb_keys", KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), - &internal_keyring_acl, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH), KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); if (IS_ERR(builtin_regdb_keys)) return PTR_ERR(builtin_regdb_keys); |
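Review bot: The literal `0` now passed as the permission argument of key_alloc() in rxrpc_get_server_data_key() reads like a forgotten value rather than a decision. A mask of zero grants no permission bit to possessor, owner, group or other, which looks intended for a key that is only reached through the returned pointer, but nothing in the hunk says so. A one-line comment above the call, for example `/* perm 0: no permission bits granted to possessor, owner, group or other */`, would settle it. The function body continues outside the hunk.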
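Review bot: `KEY_POS_SEARCH` in rxrpc_get_null_key() (hunk at -1033) is narrower than the removed rxrpc_null_key_acl, which granted the possessor `KEY_ACE_SEARCH | KEY_ACE_READ`. If any holder of this key relied on possessor read, it would now get a permission error; if none does, a short comment such as `/* possessor may find the key but not read its payload */` would record that dropping read is deliberate. The function starts and ends outside the hunk.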