From 0c2c9a3fc77e8b60d43d9bd2ca46eb4dddb0ff76 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 2 Sep 2009 09:13:50 +0100
Subject: KEYS: Allow keyctl_revoke() on keys that have SETATTR but not WRITE
 perm [try #6]

Allow keyctl_revoke() to operate on keys that have SETATTR but not WRITE
permission, rather than only on keys that have WRITE permission.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
 security/keys/keyctl.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'security/keys')

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index b85ace218395..1160b644dace 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -343,7 +343,13 @@ long keyctl_revoke_key(key_serial_t id)
 	key_ref = lookup_user_key(id, 0, KEY_WRITE);
 	if (IS_ERR(key_ref)) {
 		ret = PTR_ERR(key_ref);
-		goto error;
+		if (ret != -EACCES)
+			goto error;
+		key_ref = lookup_user_key(id, 0, KEY_SETATTR);
+		if (IS_ERR(key_ref)) {
+			ret = PTR_ERR(key_ref);
+			goto error;
+		}
 	}
 
 	key_revoke(key_ref_to_ptr(key_ref));
-- 
cgit v1.2.3-59-g8ed1b