Resent to a larger audience.
On Thu, Mar 10, 2016 at 2:20 PM, Gwendal Grignou <[email protected]> wrote: > Currently, if a session keyring exists, we are not searching in the > user session or user keyrings. > > This is a problem when a session keyring exists and we want to use > ecryptfs, who adds the needed key only in the user keyring. > > TEST=Without this change, mounting an ecryptfs "partition" fails when a > session keyring exists: > ... > [ 2686.047522] Could not find key with description: [dd6f92bd8660b36c] > ... > Although the key exits: > keyctl show @us > Keyring > 549666721 --alswrv 0 65534 keyring: _uid_ses.0 > 346719914 --alswrv 0 65534 \_ keyring: _uid.0 > 235623693 --alswrv 0 0 \_ user: dd6f92bd8660b36c > 747773852 --alswrv 0 0 \_ user: 7025717e50fd74a2 > With this change, ecryptfs can see the keys it needs. > > Note that 'keyctl show' still only shows the session keyring by default. > We need to specify 'keyctl show @us' to see the user session keyring > when the session keyring exits. > > Signed-off-by: Gwendal Grignou <[email protected]> > --- > security/keys/process_keys.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c > index e6d50172..a77d66e 100644 > --- a/security/keys/process_keys.c > +++ b/security/keys/process_keys.c > @@ -395,8 +395,8 @@ key_ref_t search_my_process_keyrings(struct > keyring_search_context *ctx) > break; > } > } > - /* or search the user-session keyring */ > - else if (ctx->cred->user->session_keyring) { > + /* finally search the user-session keyring */ > + if (ctx->cred->user->session_keyring) { > key_ref = keyring_search_aux( > make_key_ref(ctx->cred->user->session_keyring, 1), > ctx); > -- > 2.7.0.rc3.207.g0ac5344 >
