Hello community,
here is the log from the commit of package keyutils for openSUSE:Factory
checked in at Thu Mar 18 22:56:40 CET 2010.
--------
--- keyutils/keyutils.changes 2009-12-14 16:33:57.000000000 +0100
+++ keyutils/keyutils.changes 2010-03-18 13:29:13.000000000 +0100
@@ -1,0 +2,8 @@
+Thu Mar 18 13:27:59 CET 2010 - meissner@suse.de
+
+- Upgraded to 1.3
+ - Expose the kernel function to get a key's security context.
+ - Expose the kernel function to set a processes keyring onto its parent.
+ - Move libkeyutils library version to 1.3.
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
keyutils-1.2.tar.bz2
New:
----
keyutils-1.3.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ keyutils.spec ++++++
--- /var/tmp/diff_new_pack.PxzHaQ/_old 2010-03-18 22:55:55.000000000 +0100
+++ /var/tmp/diff_new_pack.PxzHaQ/_new 2010-03-18 22:55:55.000000000 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package keyutils (Version 1.2)
+# spec file for package keyutils (Version 1.3)
#
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,8 +24,8 @@
Group: System/Kernel
AutoReqProv: on
Summary: Linux Key Management Utilities
-Version: 1.2
-Release: 108
+Version: 1.3
+Release: 1
Source0: http://people.redhat.com/~dhowells/keyutils/%name-%version.tar.bz2
Source1: baselibs.conf
Patch0: keyutils-1.2-strict-aliasing-punning.patch
++++++ keyutils-1.2.tar.bz2 -> keyutils-1.3.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/keyutils-1.2/Makefile new/keyutils-1.3/Makefile
--- old/keyutils-1.2/Makefile 2006-08-22 18:40:00.000000000 +0200
+++ new/keyutils-1.3/Makefile 2010-02-26 21:31:05.000000000 +0100
@@ -2,7 +2,7 @@
INSTALL := install
DESTDIR :=
MAJOR := 1
-MINOR := 2
+MINOR := 3
VERSION := $(MAJOR).$(MINOR)
NO_GLIBC_KEYERR := 0
NO_GLIBC_KEYSYS := 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/keyutils-1.2/keyctl.1 new/keyutils-1.3/keyctl.1
--- old/keyutils-1.2/keyctl.1 2005-11-29 22:13:04.000000000 +0100
+++ new/keyutils-1.3/keyctl.1 2010-02-26 21:31:05.000000000 +0100
@@ -72,6 +72,8 @@
\fBkeyctl\fR negate <key> <timeout> <keyring>
.br
\fBkeyctl\fR timeout <key> <timeout>
+.br
+\fBkeyctl\fR security <key>
.SH DESCRIPTION
This program is used to control the key management facility in various ways
using a variety of subcommands.
@@ -579,7 +581,55 @@
.P
.RS
testbox>keyctl timeout $1 45
-.RW
+.RE
+.P
+(*) \fBRetrieve a key's security context\fR
+.P
+\fBkeyctl security\fR <key>
+.P
+This command is used to retrieve a key's LSM security context. The label is
+printed on stdout.
+.P
+.RS
+testbox>keyctl security @s
+.br
+unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+.RE
+.P
+(*) \fBGive the parent process a new session keyring\fR
+.P
+\fBkeyctl new_session\fR
+.P
+This command is used to give the invoking process (typically a shell) a new
+session keyring, discarding its old session keyring.
+.P
+.RS
+testbox> keyctl session foo
+.br
+Joined session keyring: 723488146
+.br
+testbox> keyctl show
+.br
+Session Keyring
+.br
+ -3 --alswrv 0 0 keyring: foo
+.br
+testbox> keyctl new_session
+.br
+490511412
+.br
+testbox> keyctl show
+.br
+Session Keyring
+.br
+ -3 --alswrv 0 0 keyring: _ses
+.RE
+.P
+Note that this affects the \fIparent\fP of the process that invokes the system
+call, and so may only affect processes with matching credentials.
+Furthermore, the change does not take effect till the parent process next
+transitions from kernel space to user space - typically when the \fBwait\fP()
+system call returns.
.SH ERRORS
.P
There are a number of common errors returned by this program:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/keyutils-1.2/keyctl.c new/keyutils-1.3/keyctl.c
--- old/keyutils-1.2/keyctl.c 2005-11-29 22:14:39.000000000 +0100
+++ new/keyutils-1.3/keyctl.c 2010-02-26 21:31:05.000000000 +0100
@@ -55,6 +55,8 @@
static int act_keyctl_pinstantiate(int argc, char *argv[]);
static int act_keyctl_negate(int argc, char *argv[]);
static int act_keyctl_timeout(int argc, char *argv[]);
+static int act_keyctl_security(int argc, char *argv[]);
+static int act_keyctl_new_session(int argc, char *argv[]);
const struct command commands[] = {
{ act_keyctl_show, "show", "" },
@@ -88,6 +90,8 @@
{ act_keyctl_pinstantiate, "pinstantiate","<key> <keyring>" },
{ act_keyctl_negate, "negate", "<key> <timeout> <keyring>" },
{ act_keyctl_timeout, "timeout", "<key> <timeout>" },
+ { act_keyctl_security, "security", "<key>" },
+ { act_keyctl_new_session, "new_session", "" },
{ NULL, NULL, NULL }
};
@@ -1176,6 +1180,56 @@
/*****************************************************************************/
/*
+ * get a key's security label
+ */
+static int act_keyctl_security(int argc, char *argv[])
+{
+ key_serial_t key;
+ char *buffer;
+ int ret;
+
+ if (argc != 2)
+ format();
+
+ key = get_key_id(argv[1]);
+
+ /* get key description */
+ ret = keyctl_get_security_alloc(key, &buffer);
+ if (ret < 0)
+ error("keyctl_getsecurity");
+
+ printf("%s\n", buffer);
+ return 0;
+}
+
+/*****************************************************************************/
+/*
+ * install a new session keyring on the parent process
+ */
+static int act_keyctl_new_session(int argc, char *argv[])
+{
+ key_serial_t keyring;
+
+ if (argc != 1)
+ format();
+
+ if (keyctl_join_session_keyring(NULL) < 0)
+ error("keyctl_join_session_keyring");
+
+ if (keyctl_session_to_parent() < 0)
+ error("keyctl_session_to_parent");
+
+ keyring = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
+ if (keyring < 0)
+ error("keyctl_get_keyring_ID");
+
+ /* print the resulting key ID */
+ printf("%d\n", keyring);
+ return 0;
+}
+
+/*****************************************************************************/
+/*
* parse a key identifier
*/
static key_serial_t get_key_id(const char *arg)
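Review bot: In `act_keyctl_security` the buffer filled in by `keyctl_get_security_alloc()` is never released after the `printf`, although the keyctl_security.3 page added in this same update states that the caller must free it; add `free(buffer);` before `return 0;`. This is harmless in a one-shot command, but it keeps the tool consistent with the API contract it demonstrates. The comment `/* get key description */` does not describe this command and should read `/* get the key's security label */`. The tag passed to `error()` is `"keyctl_getsecurity"`, which names no function in the library; `error("keyctl_get_security_alloc");` would report the call that actually failed.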
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/keyutils-1.2/keyctl_security.3 new/keyutils-1.3/keyctl_security.3
--- old/keyutils-1.2/keyctl_security.3 1970-01-01 01:00:00.000000000 +0100
+++ new/keyutils-1.3/keyctl_security.3 2010-02-26 21:31:05.000000000 +0100
@@ -0,0 +1,136 @@
+.\"
+.\" Copyright (C) 2010 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_SECURITY 3 "26 Feb 2010" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_security \- Retrieve a key's security context
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include
+.sp
+.BI "long keyctl_security(key_serial_t " key ", char *" buffer ,
+.BI "size_t " buflen ");"
+.sp
+.BI "long keyctl_security_alloc(key_serial_t " key ", char **" _buffer ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_security ()
+retrieves the security context of a key as a NUL-terminated string. This will
+be rendered in a form appropriate to the LSM in force - for instance, with
+SELinux, it may look like
+.IP
+.B "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
+.P
+The caller must have
+.B view
+permission on a key to be able to get its security context.
+.P
+.I buffer
+and
+.I buflen
+specify the buffer into which the string will be placed. If the buffer is too
+small, the full size of the string will be returned, and no copy will take
+place.
+.P
+.BR keyctl_security_alloc ()
+is similar to
+.BR keyctl_security ()
+except that it allocates a buffer big enough to hold the string and copies the
+string into it. If successful, A pointer to the buffer is placed in
+.IR *_buffer .
+The caller must free the buffer.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_security ()
+returns the amount of data placed into the buffer. If the buffer was too
+small, then the size of buffer required will be returned, but no data will be
+transferred. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.P
+On success
+.BR keyctl_security_alloc ()
+returns the amount of data in the buffer, less the NUL terminator. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The key specified is invalid.
+.TP
+.B EKEYEXPIRED
+The key specified has expired.
+.TP
+.B EKEYREVOKED
+The key specified had been revoked.
+.TP
+.B EACCES
+The key exists, but is not
+.B viewable
+by the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/keyutils-1.2/keyctl_session_to_parent.3 new/keyutils-1.3/keyctl_session_to_parent.3
--- old/keyutils-1.2/keyctl_session_to_parent.3 1970-01-01 01:00:00.000000000 +0100
+++ new/keyutils-1.3/keyctl_session_to_parent.3 2010-02-26 21:31:05.000000000 +0100
@@ -0,0 +1,109 @@
+.\"
+.\" Copyright (C) 2010 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_SESSION_TO_PARENT 3 "26 Jun 2010" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_session_to_parent \- Set the parent process's session keyring
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include
+.sp
+.BI "long keyctl_session_to_parent();"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_session_to_parent ()
+changes the session keyring to which the calling process's parent subscribes
+to be the that of the calling process.
+.P
+The keyring must have
+.B link
+permission available to the calling process, the parent process must have the
+same UIDs/GIDs as the calling process, and the LSM must not reject the
+replacement. Furthermore, this may not be used to affect init or a kernel
+thread.
+.P
+Note that the replacement will not take immediate effect upon the parent
+process, but will rather be deferred to the next time it returns to userspace
+from kernel space.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_session_to_parent ()
+returns 0. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOMEM
+Insufficient memory to create a key.
+.TP
+.B EPERM
+The credentials of the parent don't match those of the caller.
+.TP
+.B EACCES
+The named keyring exists, but is not
+.B linkable
+by the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/keyutils-1.2/keyutils.c new/keyutils-1.3/keyutils.c
--- old/keyutils-1.2/keyutils.c 2005-11-28 13:45:08.000000000 +0100
+++ new/keyutils-1.3/keyutils.c 2010-02-26 21:31:05.000000000 +0100
@@ -165,6 +165,16 @@
return keyctl(KEYCTL_ASSUME_AUTHORITY, id);
}
+long keyctl_get_security(key_serial_t id, char *buffer, size_t buflen)
+{
+ return keyctl(KEYCTL_GET_SECURITY, id, buffer, buflen);
+}
+
+long keyctl_session_to_parent(void)
+{
+ return keyctl(KEYCTL_SESSION_TO_PARENT);
+}
+
/*****************************************************************************/
/*
* fetch key description into an allocated buffer
@@ -244,6 +254,44 @@
} /* end keyctl_read_alloc() */
+/*****************************************************************************/
+/*
+ * fetch key security label into an allocated buffer
+ * - resulting string is NUL terminated
+ * - returns count not including NUL
+ */
+int keyctl_get_security_alloc(key_serial_t id, char **_buffer)
+{
+ char *buf;
+ long buflen, ret;
+
+ ret = keyctl_get_security(id, NULL, 0);
+ if (ret < 0)
+ return -1;
+
+ buflen = ret;
+ buf = malloc(buflen);
+ if (!buf)
+ return -1;
+
+ for (;;) {
+ ret = keyctl_get_security(id, buf, buflen);
+ if (ret < 0)
+ return -1;
+
+ if (buflen >= ret)
+ break;
+
+ buflen = ret;
+ buf = realloc(buf, buflen);
+ if (!buf)
+ return -1;
+ }
+
+ *_buffer = buf;
+ return buflen - 1;
+}
+
#ifdef NO_GLIBC_KEYERR
/*****************************************************************************/
/*
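Review bot: `keyctl_get_security_alloc` leaks `buf` on two error paths inside the retry loop: the `return -1` after a failed `keyctl_get_security()` call, and `buf = realloc(buf, buflen)`, which overwrites the only pointer to the old block when realloc fails. Both paths should free the buffer before returning, with the realloc result going through a temporary. The function also returns `buflen - 1` rather than the last `ret - 1`, so if the label became shorter between the sizing call and the copy, the reported length would exceed the string actually stored. That looks unintended, given that the man page promises the amount of data less the NUL. The rewritten loop and return are below; the sizing call and initial `malloc` are unchanged.

```c
	char *buf, *tmp;
	long buflen, ret;

	/* … unchanged: sizing call and initial malloc … */

	for (;;) {
		ret = keyctl_get_security(id, buf, buflen);
		if (ret < 0) {
			free(buf);
			return -1;
		}

		if (buflen >= ret)
			break;

		/* label grew since it was sized: resize through a temporary
		 * so the old block is still reachable if realloc fails */
		tmp = realloc(buf, ret);
		if (!tmp) {
			free(buf);
			return -1;
		}
		buf = tmp;
		buflen = ret;
	}

	*_buffer = buf;
	return ret - 1;
```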
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/keyutils-1.2/keyutils.h new/keyutils-1.3/keyutils.h
--- old/keyutils-1.2/keyutils.h 2005-11-28 14:39:54.000000000 +0100
+++ new/keyutils-1.3/keyutils.h 2010-02-26 21:31:05.000000000 +0100
@@ -89,6 +89,8 @@
#define KEYCTL_SET_REQKEY_KEYRING 14 /* set default request-key keyring */
#define KEYCTL_SET_TIMEOUT 15 /* set timeout on a key */
#define KEYCTL_ASSUME_AUTHORITY 16 /* assume authority to instantiate key */
+#define KEYCTL_GET_SECURITY 17 /* get key security label */
+#define KEYCTL_SESSION_TO_PARENT 18 /* set my session keyring on my parent process */
/*
* syscall wrappers
@@ -132,12 +134,15 @@
extern long keyctl_set_reqkey_keyring(int reqkey_defl);
extern long keyctl_set_timeout(key_serial_t key, unsigned timeout);
extern long keyctl_assume_authority(key_serial_t key);
+extern long keyctl_get_security(key_serial_t key, char *buffer, size_t buflen);
+extern long keyctl_session_to_parent(void);
/*
* utilities
*/
extern int keyctl_describe_alloc(key_serial_t id, char **_buffer);
extern int keyctl_read_alloc(key_serial_t id, void **_buffer);
+extern int keyctl_get_security_alloc(key_serial_t id, char **_buffer);
#endif /* KEYUTILS_H */
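Review bot: The functions declared here are `keyctl_get_security()` and `keyctl_get_security_alloc()`, but the keyctl_security.3 page added in this update documents them as `keyctl_security()` and `keyctl_security_alloc()`. That page also gives `long` as the return type of the alloc variant, where this header says `int`. A caller working from the manual will use names that version.lds does not export, so either the page or the declarations should be brought into line. A short comment above the new prototypes, for example `/* fetch a key's LSM security label; needs view permission on the key */`, would also record the permission requirement where the API is declared.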
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/keyutils-1.2/keyutils.spec new/keyutils-1.3/keyutils.spec
--- old/keyutils-1.2/keyutils.spec 2006-08-22 18:43:47.000000000 +0200
+++ new/keyutils-1.3/keyutils.spec 2010-02-26 21:31:05.000000000 +0100
@@ -1,5 +1,5 @@
%define vermajor 1
-%define version %{vermajor}.2
+%define version %{vermajor}.3
%define libdir /%{_lib}
%define usrlibdir %{_prefix}/%{_lib}
@@ -89,6 +89,12 @@
%{_mandir}/man3/*
%changelog
+* Fri Feb 26 2010 David Howells - 1.3-1
+- Fix compiler warnings in request-key.
+- Expose the kernel function to get a key's security context.
+- Expose the kernel function to set a processes keyring onto its parent.
+- Move libkeyutils library version to 1.3.
+
* Tue Aug 22 2006 David Howells - 1.2-1
- Remove syscall manual pages (section 2) to man-pages package [BZ 203582]
- Don't write to serial port in debugging script
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/keyutils-1.2/request-key.c new/keyutils-1.3/request-key.c
--- old/keyutils-1.2/request-key.c 2005-11-29 21:52:05.000000000 +0100
+++ new/keyutils-1.3/request-key.c 2010-02-26 21:31:05.000000000 +0100
@@ -709,11 +709,6 @@
if (tmp < 0)
error("select failed: %m\n");
- debug("select -> %d r=%x w=%x\n",
- tmp,
- *(unsigned *) (void *) &rfds,
- *(unsigned *) (void *) &wfds);
-
if (TOSTDIN != -1 && FD_ISSET(TOSTDIN, &wfds)) {
tmp = write(TOSTDIN, pc, ninfo);
if (tmp < 0) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/keyutils-1.2/version.lds new/keyutils-1.3/version.lds
--- old/keyutils-1.2/version.lds 2005-11-28 13:52:38.000000000 +0100
+++ new/keyutils-1.3/version.lds 2010-02-26 21:31:05.000000000 +0100
@@ -32,3 +32,11 @@
keyctl_set_timeout;
} KEYUTILS_0.3;
+
+KEYUTILS_1.3 {
+ /* management functions */
+ keyctl_get_security;
+ keyctl_get_security_alloc;
+ keyctl_session_to_parent;
+
+} KEYUTILS_1.0;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++