linux/security/keys
David Howells 0b0a84154e KEYS: request_key() should reget expired keys rather than give EKEYEXPIRED
Since the keyring facility can be viewed as a cache (at least in some
applications), the local expiration time on the key should probably be viewed
as a 'needs updating after this time' property rather than an absolute 'anyone
now wanting to use this object is out of luck' property.

Since request_key() is the main interface for the usage of keys, this should
update or replace an expired key rather than issuing EKEYEXPIRED if the local
expiration has been reached (ie. it should refresh the cache).

For absolute conditions where refreshing the cache probably doesn't help, the
key can be negatively instantiated using KEYCTL_REJECT_KEY with EKEYEXPIRED
given as the error to issue.  This will still cause request_key() to return
EKEYEXPIRED as that was explicitly set.

In the future, if the key type has an update op available, we might want to
upcall with the expired key and allow the upcall to update it.  We would pass
a different operation name (the first column in /etc/request-key.conf) to the
request-key program.

request_key() returning EKEYEXPIRED is causing an NFS problem which Chuck
Lever describes thusly:

	After about 10 minutes, my NFSv4 functional tests fail because the
	ownership of the test files goes to "-2". Looking at /proc/keys
	shows that the id_resolv keys that map to my test user ID have
	expired. The ownership problem persists until the expired keys are
	purged from the keyring, and fresh keys are obtained.

	I bisected the problem to 3.13 commit b2a4df200d ("KEYS: Expand
	the capacity of a keyring"). This commit inadvertantly changes the
	API contract of the internal function keyring_search_aux().

	The root cause appears to be that b2a4df200d made "no state check"
	the default behavior. "No state check" means the keyring search
	iterator function skips checking the key's expiry timeout, and
	returns expired keys.  request_key_and_link() depends on getting
	an -EAGAIN result code to know when to perform an upcall to refresh
	an expired key.

This patch can be tested directly by:

	keyctl request2 user debug:fred a @s
	keyctl timeout %user:debug:fred 3
	sleep 4
	keyctl request2 user debug:fred a @s

Without the patch, the last command gives error EKEYEXPIRED, but with the
command it gives a new key.

Reported-by: Carl Hetherington <cth@carlh.net>
Reported-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Chuck Lever <chuck.lever@oracle.com>
2014-12-01 22:52:53 +00:00
..
encrypted-keys KEYS: Remove key_type::match in favour of overriding default by match_preparse 2014-09-16 17:36:06 +01:00
big_key.c KEYS: Remove key_type::match in favour of overriding default by match_preparse 2014-09-16 17:36:06 +01:00
compat.c security/compat: convert to COMPAT_SYSCALL_DEFINE 2014-03-06 16:30:42 +01:00
gc.c sched: Remove proliferation of wait_on_bit() action functions 2014-07-16 15:10:39 +02:00
internal.h KEYS: request_key() should reget expired keys rather than give EKEYEXPIRED 2014-12-01 22:52:53 +00:00
Kconfig
key.c Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2014-10-12 10:13:55 -04:00
keyctl.c KEYS: Fix the size of the key description passed to/from userspace 2014-12-01 22:52:45 +00:00
keyring.c KEYS: request_key() should reget expired keys rather than give EKEYEXPIRED 2014-12-01 22:52:53 +00:00
Makefile
permission.c KEYS: Move the flags representing required permission to linux/key.h 2014-03-14 17:44:49 +00:00
persistent.c KEYS: Move the flags representing required permission to linux/key.h 2014-03-14 17:44:49 +00:00
proc.c KEYS: Preparse match data 2014-09-16 17:36:02 +01:00
process_keys.c KEYS: Make the key matching functions return bool 2014-09-16 17:36:08 +01:00
request_key_auth.c KEYS: Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags 2014-12-01 22:52:50 +00:00
request_key.c KEYS: request_key() should reget expired keys rather than give EKEYEXPIRED 2014-12-01 22:52:53 +00:00
sysctl.c security: Convert use of typedef ctl_table to struct ctl_table 2014-04-15 13:39:58 +10:00
trusted.c KEYS: Remove key_type::match in favour of overriding default by match_preparse 2014-09-16 17:36:06 +01:00
trusted.h
user_defined.c KEYS: Remove key_type::match in favour of overriding default by match_preparse 2014-09-16 17:36:06 +01:00