From: Michael LeMay Restrict /proc/keys such that only those keys to which the current task is granted View permission are presented. The documentation is also updated to reflect these changes. Signed-off-by: Michael LeMay Signed-off-by: James Morris Signed-off-by: David Howells Signed-off-by: Andrew Morton --- Documentation/keys.txt | 16 ++++++++++++---- security/Kconfig | 20 +++++++++++++------- security/keys/proc.c | 7 +++++++ 3 files changed, 32 insertions(+), 11 deletions(-) diff -puN Documentation/keys.txt~keys-restrict-contents-of-proc-keys-to-viewable-keys Documentation/keys.txt --- 25/Documentation/keys.txt~keys-restrict-contents-of-proc-keys-to-viewable-keys Tue Jun 20 17:00:34 2006 +++ 25-akpm/Documentation/keys.txt Tue Jun 20 17:00:34 2006 @@ -270,9 +270,17 @@ about the status of the key service: (*) /proc/keys - This lists all the keys on the system, giving information about their - type, description and permissions. The payload of the key is not available - this way: + This lists the keys that are currently viewable by the task reading the + file, giving information about their type, description and permissions. + It is not possible to view the payload of the key this way, though some + information about it may be given. + + The only keys included in the list are those that grant View permission to + the reading process whether or not it possesses them. Note that LSM + security checks are still performed, and may further filter out keys that + the current process is not authorised to view. + + The contents of the file look like this: SERIAL FLAGS USAGE EXPY PERM UID GID TYPE DESCRIPTION: SUMMARY 00000001 I----- 39 perm 1f3f0000 0 0 keyring _uid_ses.0: 1/4 
@@ -300,7 +308,7 @@ about the status of the key service: (*) /proc/key-users This file lists the tracking data for each user that has at least one key - on the system. Such data includes quota information and statistics: + on the system. Such data includes quota information and statistics: [root@andromeda root]# cat /proc/key-users 0: 46 45/45 1/100 13/10000 diff -puN security/Kconfig~keys-restrict-contents-of-proc-keys-to-viewable-keys security/Kconfig --- 25/security/Kconfig~keys-restrict-contents-of-proc-keys-to-viewable-keys Tue Jun 20 17:00:34 2006 +++ 25-akpm/security/Kconfig Tue Jun 20 17:00:34 2006 
@@ -22,16 +22,22 @@ config KEYS If you are unsure as to whether this is required, answer N. config KEYS_DEBUG_PROC_KEYS - bool "Enable the /proc/keys file by which all keys may be viewed" + bool "Enable the /proc/keys file by which keys may be viewed" depends on KEYS help - This option turns on support for the /proc/keys file through which - all the keys on the system can be listed. + This option turns on support for the /proc/keys file - through which + can be listed all the keys on the system that are viewable by the + reading process. - This option is a slight security risk in that it makes it possible - for anyone to see all the keys on the system. Normally the manager - pretends keys that are inaccessible to a process don't exist as far - as that process is concerned. + The only keys included in the list are those that grant View + permission to the reading process whether or not it possesses them. + Note that LSM security checks are still performed, and may further + filter out keys that the current process is not authorised to view. + + Only key attributes are listed here; key payloads are not included in + the resulting table. + + If you are unsure as to whether this is required, answer N. config SECURITY bool "Enable different security models" diff -puN security/keys/proc.c~keys-restrict-contents-of-proc-keys-to-viewable-keys security/keys/proc.c --- 25/security/keys/proc.c~keys-restrict-contents-of-proc-keys-to-viewable-keys Tue Jun 20 17:00:34 2006 +++ 25-akpm/security/keys/proc.c Tue Jun 20 17:00:34 2006 @@ -137,6 +137,13 @@ static int proc_keys_show(struct seq_fil struct timespec now; unsigned long timo; char xbuf[12]; + int rc; + + /* check whether the current task is allowed to view the key (assuming + * non-possession) */ + rc = key_task_permission(make_key_ref(key, 0), current, KEY_VIEW); + if (rc < 0) + return 0; now = current_kernel_time(); _
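Review bot: In the Documentation/keys.txt hunk at @@ -270, the added sentence "those that grant View permission to the reading process whether or not it possesses them" is ambiguous. It can be read as saying that possession has no bearing on the result, while the comment added in security/keys/proc.c states that the check is made "assuming non-possession". Suggest stating outright that possessor permissions are not taken into account, so a key whose View right is granted only to its possessor is not listed.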
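Review bot: The /proc/key-users hunk at @@ -300 in Documentation/keys.txt replaces "on the system. Such data includes quota information and statistics:" with a line that differs only in whitespace. That is unrelated to restricting /proc/keys. Suggest dropping it from this patch or mentioning the cleanup in the changelog.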
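Review bot: In the security/Kconfig help text for KEYS_DEBUG_PROC_KEYS, the new opening sentence "turns on support for the /proc/keys file - through which can be listed all the keys on the system that are viewable by the reading process" carries a stray hyphen and an inverted clause that is hard to parse. Suggest "turns on support for the /proc/keys file, through which the keys viewable by the reading process can be listed". The second paragraph repeats the "whether or not it possesses them" wording from Documentation/keys.txt and would benefit from the same clarification about possession.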
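Review bot: In the security/keys/proc.c hunk, proc_keys_show() makes the check with make_key_ref(key, 0), so, as the comment says, non-possession is assumed, and a task that has View on a key only as its possessor will find that key missing from /proc/keys. If that is intended, the changelog should say so. Otherwise the possession flag needs to be worked out for the reading task before key_task_permission() is called. Two style points: the rc local is used for a single comparison and could be folded into the if, and the closing */ of the multi-line comment would normally sit on its own line.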