diff options
Diffstat (limited to 'net/dns_resolver')
-rw-r--r-- | net/dns_resolver/Kconfig | 1 | ||||
-rw-r--r-- | net/dns_resolver/Makefile | 1 | ||||
-rw-r--r-- | net/dns_resolver/dns_key.c | 13 | ||||
-rw-r--r-- | net/dns_resolver/dns_query.c | 26 |
4 files changed, 34 insertions, 7 deletions
diff --git a/net/dns_resolver/Kconfig b/net/dns_resolver/Kconfig index 50d49f7e0472..0a1c2238b4bd 100644 --- a/net/dns_resolver/Kconfig +++ b/net/dns_resolver/Kconfig @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: GPL-2.0-only # # Configuration for DNS Resolver # diff --git a/net/dns_resolver/Makefile b/net/dns_resolver/Makefile index d5c13c2eb36d..877532d662d0 100644 --- a/net/dns_resolver/Makefile +++ b/net/dns_resolver/Makefile @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: GPL-2.0-only # # Makefile for the Linux DNS Resolver. # diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c index a65d553e730d..6b201531b165 100644 --- a/net/dns_resolver/dns_key.c +++ b/net/dns_resolver/dns_key.c @@ -46,6 +46,15 @@ const struct cred *dns_resolver_cache; #define DNS_ERRORNO_OPTION "dnserror" +static struct key_acl dns_keyring_acl = { + .usage = REFCOUNT_INIT(1), + .nr_ace = 2, + .aces = { + KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE), + KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_CLEAR), + } +}; + /* * Preparse instantiation data for a dns_resolver key. * @@ -314,6 +323,7 @@ static long dns_resolver_read(const struct key *key, struct key_type key_type_dns_resolver = { .name = "dns_resolver", + .flags = KEY_TYPE_NET_DOMAIN, .preparse = dns_resolver_preparse, .free_preparse = dns_resolver_free_preparse, .instantiate = generic_key_instantiate, @@ -342,8 +352,7 @@ static int __init init_dns_resolver(void) keyring = keyring_alloc(".dns_resolver", GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, - (KEY_POS_ALL & ~KEY_POS_SETATTR) | - KEY_USR_VIEW | KEY_USR_READ, + &dns_keyring_acl, KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); if (IS_ERR(keyring)) { ret = PTR_ERR(keyring); diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c index 19aa32fc1802..236baf2bfa4c 100644 --- a/net/dns_resolver/dns_query.c +++ b/net/dns_resolver/dns_query.c @@ -40,20 +40,33 @@ #include <linux/cred.h> #include <linux/dns_resolver.h> #include <linux/err.h> +#include <net/net_namespace.h> #include <keys/dns_resolver-type.h> #include <keys/user-type.h> #include "internal.h" +static struct key_acl dns_key_acl = { + .usage = REFCOUNT_INIT(1), + .nr_ace = 2, + .possessor_viewable = true, + .aces = { + KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_SEARCH | KEY_ACE_READ), + KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_INVAL), + } +}; + /** * dns_query - Query the DNS + * @net: The network namespace to operate in. * @type: Query type (or NULL for straight host->IP lookup) * @name: Name to look up * @namelen: Length of name * @options: Request options (or NULL if no options) * @_result: Where to place the returned data (or NULL) * @_expiry: Where to store the result expiry time (or NULL) + * @invalidate: Always invalidate the key after use * * The data will be returned in the pointer at *result, if provided, and the * caller is responsible for freeing it. @@ -68,8 +81,10 @@ * * Returns the size of the result on success, -ve error code otherwise. */ -int dns_query(const char *type, const char *name, size_t namelen, - const char *options, char **_result, time64_t *_expiry) +int dns_query(struct net *net, + const char *type, const char *name, size_t namelen, + const char *options, char **_result, time64_t *_expiry, + bool invalidate) { struct key *rkey; struct user_key_payload *upayload; @@ -120,7 +135,8 @@ int dns_query(const char *type, const char *name, size_t namelen, * add_key() to preinstall malicious redirections */ saved_cred = override_creds(dns_resolver_cache); - rkey = request_key(&key_type_dns_resolver, desc, options); + rkey = request_key_net(&key_type_dns_resolver, desc, net, options, + &dns_key_acl); revert_creds(saved_cred); kfree(desc); if (IS_ERR(rkey)) { @@ -130,8 +146,6 @@ int dns_query(const char *type, const char *name, size_t namelen, down_read(&rkey->sem); set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags); - rkey->perm |= KEY_USR_VIEW; - ret = key_validate(rkey); if (ret < 0) goto put; @@ -157,6 +171,8 @@ int dns_query(const char *type, const char *name, size_t namelen, ret = len; put: up_read(&rkey->sem); + if (invalidate) + key_invalidate(rkey); key_put(rkey); out: kleave(" = %d", ret); |