Merge tag 'nfs-for-3.4-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
[~andy/linux] / security / keys / keyctl.c
index 0a4a21d73f6a44086026008f910f37106f5772f1..fb767c6cd99f6a92da8fa989999a18988bce1a19 100644 (file)
@@ -389,11 +389,24 @@ long keyctl_keyring_clear(key_serial_t ringid)
        keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
        if (IS_ERR(keyring_ref)) {
                ret = PTR_ERR(keyring_ref);
+
+               /* Root is permitted to invalidate certain special keyrings */
+               if (capable(CAP_SYS_ADMIN)) {
+                       keyring_ref = lookup_user_key(ringid, 0, 0);
+                       if (IS_ERR(keyring_ref))
+                               goto error;
+                       if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,
+                                    &key_ref_to_ptr(keyring_ref)->flags))
+                               goto clear;
+                       goto error_put;
+               }
+
                goto error;
        }
 
+clear:
        ret = keyring_clear(key_ref_to_ptr(keyring_ref));
-
+error_put:
        key_ref_put(keyring_ref);
 error:
        return ret;
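Review bot: The CAP_SYS_ADMIN override is attempted after any failure of the first `lookup_user_key()` call, not only a permission denial, so `capable()` is consulted (and may be audited by an LSM) even when the keyring is simply missing or unusable; if -EACCES is the only case meant to be overridden, gate it with `if (ret == -EACCES && capable(CAP_SYS_ADMIN)) {`. The retry passes a permission mask of 0, so on that path the capability and `KEY_FLAG_ROOT_CAN_CLEAR` appear to be the only checks between the caller and `keyring_clear()`. A comment should say so, and should also note that `ret` keeps the first lookup's error on both `goto error` and `goto error_put`, which looks intentional but is easy to misread. The added comment says "invalidate" where this function clears; `/* Root is permitted to clear certain special keyrings */` would match the flag name. keyctl_keyring_clear() begins and ends outside the hunk.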