Merge branch 'keys-fixes' into keys-next

Signed-off-by: David Howells <dhowells@redhat.com>
author: David Howells <dhowells@redhat.com> 2014-07-22 21:55:45 +0100
committer: David Howells <dhowells@redhat.com> 2014-07-22 21:55:45 +0100
commit: 633706a2ee81637be37b6bc02c5336950cc163b5 (patch)
tree: 5dad64c393d3b12276b35c5835c40c6d78f606a2 /security/keys/keyctl.c
parent: 64724cfc6eea920dbaada14f0fb978b1dd31192d (diff)
parent: 0d1f64f60b4c50a8c604010ad3eef5cdfe9926bc (diff)
download: linux-633706a2ee81637be37b6bc02c5336950cc163b5.tar.gz
1 files changed, 14 insertions, 1 deletions
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 8a8c23357291..e26f860e5f2e 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -406,12 +406,25 @@ long keyctl_invalidate_key(key_serial_t id)
 	key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
 	if (IS_ERR(key_ref)) {
 		ret = PTR_ERR(key_ref);
+
+		/* Root is permitted to invalidate certain special keys */
+		if (capable(CAP_SYS_ADMIN)) {
+			key_ref = lookup_user_key(id, 0, 0);
+			if (IS_ERR(key_ref))
+				goto error;
+			if (test_bit(KEY_FLAG_ROOT_CAN_INVAL,
+				     &key_ref_to_ptr(key_ref)->flags))
+				goto invalidate;
+			goto error_put;
+		}
+
 		goto error;
 	}
 
+invalidate:
 	key_invalidate(key_ref_to_ptr(key_ref));
 	ret = 0;
-
+error_put:
 	key_ref_put(key_ref);
 error:
 	kleave(" = %ld", ret);
author	David Howells <dhowells@redhat.com>	2014-07-22 21:55:45 +0100
committer	David Howells <dhowells@redhat.com>	2014-07-22 21:55:45 +0100
commit	633706a2ee81637be37b6bc02c5336950cc163b5 (patch)
tree	5dad64c393d3b12276b35c5835c40c6d78f606a2 /security/keys/keyctl.c
parent	64724cfc6eea920dbaada14f0fb978b1dd31192d (diff)
parent	0d1f64f60b4c50a8c604010ad3eef5cdfe9926bc (diff)
download	linux-633706a2ee81637be37b6bc02c5336950cc163b5.tar.gz