author | David Howells <dhowells@redhat.com> | 2011-11-15 20:45:11 +0000 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2011-11-15 20:45:11 +0000 |
commit | d9f9beeaca6882563bf5085650d6d9ce6ca81398 (patch) | |
tree | 41d5102f5d21e17de211fdab20f42b2f79740fed | |
parent | 38604366dbe30f9ab3a57112c4b143df2dbd04a5 (diff) | |
download | keyutils-d9f9beeaca6882563bf5085650d6d9ce6ca81398.tar.gz |
Make it possible to provide keytype-specific request key configs
Make it possible to provide keytype-specific request key configs in userspace
as /etc/request-key.d/<keytype>.conf. If present, this will be used in
preference to /etc/request-key.conf.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Steve Dickson <steved@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
-rw-r--r-- | Makefile | 1 | ||||
-rw-r--r-- | keyutils.spec | 3 | ||||
-rw-r--r-- | request-key.8 | 7 | ||||
-rw-r--r-- | request-key.c | 81 | ||||
-rw-r--r-- | request-key.conf.5 | 21 |
5 files changed, 73 insertions, 40 deletions
@@ -156,6 +156,7 @@ endif $(INSTALL) -D request-key-debug.sh $(DESTDIR)$(SHAREDIR)/request-key-debug.sh $(INSTALL) -D key.dns_resolver $(DESTDIR)$(SBINDIR)/key.dns_resolver $(INSTALL) -D -m 0644 request-key.conf $(DESTDIR)$(ETCDIR)/request-key.conf + mkdir -p $(DESTDIR)$(ETCDIR)/request-key.d $(INSTALL) -D -m 0644 keyctl.1 $(DESTDIR)$(MAN1)/keyctl.1 $(INSTALL) -D -m 0644 keyctl_chown.3 $(DESTDIR)$(MAN3)/keyctl_chown.3 $(INSTALL) -D -m 0644 keyctl_clear.3 $(DESTDIR)$(MAN3)/keyctl_clear.3 diff --git a/keyutils.spec b/keyutils.spec index 6033af1..6dd8aea 100644 --- a/keyutils.spec +++ b/keyutils.spec @@ -93,6 +93,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/* %changelog +* Tue Nov 15 2011 David Howells <dhowells@redhat.com> +- Allow /sbin/request-key to have multiple config files. + * Wed Aug 14 2011 David Howells <dhowells@redhat.com> - Adjust the manual page for 'keyctl unlink' to show keyring is optional. - Add --version support for the keyutils version and build date. diff --git a/request-key.8 b/request-key.8 index 00b6ebb..8d4a880 100644 --- a/request-key.8 +++ b/request-key.8 @@ -7,7 +7,7 @@ .\" as published by the Free Software Foundation; either version .\" 2 of the License, or (at your option) any later version. .\" -.TH REQUEST-KEY 8 "17 Nov 2005" Linux "Linux Key Management Utilities" +.TH REQUEST-KEY 8 "15 Nov 2011" Linux "Linux Key Management Utilities" .SH NAME request-key - Handle key instantiation callback requests from the kernel .SH SYNOPSIS @@ -25,5 +25,10 @@ All errors will be logged to the syslog. /etc/request-key.conf .ul 0 Instantiation handler configuration file. +.P +.ul +/etc/request-key.d/<keytype>.conf +.ul 0 +Keytype specific configuration file. .SH SEE ALSO \fBkeyctl\fR(1), \fBrequest-key.conf\fR(5) diff --git a/request-key.c b/request-key.c index ade1cea..3762e9a 100644 --- a/request-key.c +++ b/request-key.c 
@@ -40,6 +40,7 @@ static char *xgid; static char *xthread_keyring; static char *xprocess_keyring; static char *xsession_keyring; +static char conffile[256]; static int confline; static int norecurse; @@ -115,6 +116,9 @@ static void error(const char *fmt, ...) exit(1); } +#define file_error(FMT, ...) error("%s: "FMT, conffile, ## __VA_ARGS__) +#define line_error(FMT, ...) error("%s:%d: "FMT, conffile, confline, ## __VA_ARGS__) + static void oops(int x) { error("Died on signal %d", x); @@ -262,21 +266,42 @@ static void lookup_action(char *op, cilen = strlen(callout_info); /* search the config file for a command to run */ - conf = fopen(xdebug < 2 ? "/etc/request-key.conf" : "request-key.conf", "r"); + if (strlen(ktype) <= sizeof(conffile) - 30) { + if (xdebug < 2) + snprintf(conffile, sizeof(conffile) - 1, + "/etc/request-key.d/%s.conf", ktype); + else + snprintf(conffile, sizeof(conffile) - 1, + "request-key.d/%s.conf", ktype); + conf = fopen(conffile, "r"); + if (conf) + goto opened_conf_file; + if (errno != ENOENT) + error("Cannot open %s: %m\n", conffile); + } + + if (xdebug < 2) + snprintf(conffile, sizeof(conffile) - 1, "/etc/request-key.conf"); + else + snprintf(conffile, sizeof(conffile) - 1, "request-key.conf"); + conf = fopen(conffile, "r"); if (!conf) - error("Cannot open /etc/request-key.conf: %m\n"); + error("Cannot open %s: %m\n", conffile); + +opened_conf_file: + debug("Opened config file '%s'\n", conffile); for (confline = 1;; confline++) { /* read the file line-by-line */ if (!fgets(buf, sizeof(buf), conf)) { if (feof(conf)) error("Cannot find command to construct key %d\n", key); - error("Error reading /etc/request-key.conf\n"); + file_error("error %m\n"); } len = strlen(buf); if (len >= sizeof(buf) - 2) - error("/etc/request-key.conf:%d: Line too long\n", confline); + line_error("Line too long\n"); /* ignore blank lines and comments */ if (len == 1 || buf[0] == '#' || isspace(buf[0])) 
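Review bot: The two macros added after error() rely on the GNU `, ## __VA_ARGS__` extension to swallow the comma when a caller passes only FMT, which is fine for this Linux-only program but is not standard C and deserves a note for the next reader; suggested comment above them: `/* GNU extension: ', ## __VA_ARGS__' drops the comma when no args follow FMT */`. Because FMT is pasted into the string literal, only literal formats can be passed, so the prefix cannot be separated from the format at runtime; a second short comment saying that the conffile/confline globals must already be set when these are used would make the ordering dependency on lookup_action explicit.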
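Review bot: The new path construction at the top of the `@@ -262` hunk interpolates ktype into "/etc/request-key.d/%s.conf" without checking that it is a plain file name, so a key type containing '/' would select a config file outside request-key.d; where ktype comes from is not visible here (presumably the kernel-supplied type name, though in the xdebug >= 2 mode it may well come from the command line), so a guard such as `if (strchr(ktype, '/')) error("Bad key type '%s'\n", ktype);` before the snprintf is cheap insurance. The `sizeof(conffile) - 30` pre-check hard-codes the length of the format's fixed part; checking the snprintf return instead (`int n = snprintf(conffile, sizeof(conffile), ...); if (n < 0 || (size_t)n >= sizeof(conffile)) error("Key type name too long\n");`) keeps the bound correct if the path is ever changed, and the `- 1` passed as the size is unnecessary since snprintf always NUL-terminates within the size it is given. A comment at the opened_conf_file label should also record that a present keytype file is authoritative: the fallback to /etc/request-key.conf happens only when the keytype file does not exist (ENOENT), not when it exists but contains no matching line. lookup_action starts and ends outside this hunk.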
@@ -345,7 +370,7 @@ static void lookup_action(char *op, p++; - debug("Line %d matches\n", confline); + debug("%s:%d: Line matches\n", conffile, confline); /* we've got an action */ while (isspace(*p)) p++; @@ -357,10 +382,10 @@ static void lookup_action(char *op, execute_program(op, key, ktype, kdesc, callout_info, p); } - error("/etc/request-key.conf: No matching action\n"); + file_error("No matching action\n"); syntax_error: - error("/etc/request-key.conf:%d: Syntax error\n", confline); + line_error("Syntax error\n"); } /* end lookup_action() */ @@ -457,7 +482,7 @@ static void execute_program(char *op, prog = p = cmdline; while (*p && !isspace(*p)) p++; // if (!*p) -// error("/etc/request-key.conf:%d: No command path\n", confline); +// line_error("No command path\n"); // *p++ = 0; if (*p) *p++ = 0; @@ -471,7 +496,7 @@ static void execute_program(char *op, break; if (argc >= 254) - error("/etc/request-key.conf:%d: Too many arguments\n", confline); + line_error("Too many arguments\n"); argv[argc] = q = p; while (*p && !isspace(*p)) p++; @@ -489,7 +514,7 @@ static void execute_program(char *op, /* it's a macro */ q++; if (!*q) - error("/etc/request-key.conf:%d: Missing macro name\n", confline); + line_error("Missing macro name\n"); if (*q == '%') { /* it's actually an anti-macro escape "%%..." -> "%..." */ @@ -511,7 +536,7 @@ static void execute_program(char *op, case 'P': argv[argc] = xprocess_keyring; continue; case 'S': argv[argc] = xsession_keyring; continue; default: - error("/etc/request-key.conf:%d: Unsupported macro\n", confline); + line_error("Unsupported macro\n"); } } 
@@ -526,50 +551,40 @@ static void execute_program(char *op, q++; ksdesc = strchr(q, ':'); if (!ksdesc) - error("/etc/request-key.conf:%d: Keysub macro lacks ':'\n", - confline); + line_error("Keysub macro lacks ':'\n"); *ksdesc++ = 0; end = strchr(ksdesc, '}'); if (!end) - error("/etc/request-key.conf:%d: Unterminated keysub macro\n", - confline); + line_error("Unterminated keysub macro\n"); *end++ = 0; if (*end) - error("/etc/request-key.conf:%d:" - " Keysub macro has trailing rubbish\n", - confline); + line_error("Keysub macro has trailing rubbish\n"); debug("Keysub: %s key \"%s\"\n", q, ksdesc); if (!q[0]) - error("/etc/request-key.conf:%d: Keysub type empty\n", confline); + line_error("Keysub type empty\n"); if (!ksdesc[0]) - error("/etc/request-key.conf:%d: Keysub description empty\n", - confline); + line_error("Keysub description empty\n"); /* look up the key in the requestor's keyrings, but fail immediately if the * key is not found rather than invoking /sbin/request-key again */ keysub = request_key(q, ksdesc, NULL, 0); if (keysub < 0) - error("/etc/request-key.conf:%d:" - " Keysub key not found: %m\n", - confline); + line_error("Keysub key not found: %m\n"); ret = keyctl_read_alloc(keysub, &tmp); if (ret < 0) - error("/etc/request-key.conf:%d:" - " Can't read keysub %d data: %m\n", - confline, keysub); + line_error("Can't read keysub %d data: %m\n", keysub); subdata = tmp; for (loop = 0; loop < ret; loop++) if (!isprint(subdata[loop])) - error("/etc/request-key.conf:%d:" - " keysub %d data not printable ('%02hhx')\n", - confline, keysub, subdata[loop]); + error("keysub %d data not printable ('%02hhx')\n", + keysub, subdata[loop]); argv[argc] = subdata; continue; @@ -577,7 +592,7 @@ static void execute_program(char *op, } if (argc == 0) - error("/etc/request-key.conf:%d: No arguments\n", confline); + line_error("No arguments\n"); argv[argc] = NULL; 
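Review bot: The conversion of the "keysub data not printable" diagnostic near the end of the hunk drops the file:line prefix — it now calls plain `error(...)` while every neighbouring message in the same hunk was switched to `line_error`, so this one failure no longer names the config file or the line that referenced the keysub. Use `line_error("keysub %d data not printable ('%02hhx')\n", keysub, subdata[loop]);` to match the rest of the conversion. execute_program starts and ends outside this hunk.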
@@ -602,7 +617,7 @@ static void execute_program(char *op, /* attempt to execute the command */ execv(prog, argv); - error("/etc/request-key.conf:%d: Failed to execute '%s': %m\n", confline, prog); + line_error("Failed to execute '%s': %m\n", prog); } /* end execute_program() */ @@ -646,7 +661,7 @@ static void pipe_to_program(char *op, close(epi[1]); execv(prog, argv); - error("/etc/request-key.conf:%d: Failed to execute '%s': %m\n", confline, prog); + line_error("Failed to execute '%s': %m\n", prog); } /* parent process */ diff --git a/request-key.conf.5 b/request-key.conf.5 index eb22c9e..9549d81 100644 --- a/request-key.conf.5 +++ b/request-key.conf.5 
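Review bot: In the `@@ -646` hunk the `line_error` after execv runs in the forked child (the "/* parent process */" comment follows it), and error() ends with `exit(1)` as shown in the `@@ -115` hunk, so a failed exec flushes any stdio buffers inherited from the parent and runs the parent's atexit handlers in the child; this predates the commit but the new call keeps it. If that is not intended, a comment such as `/* NOTE(review): error() calls exit(1), not _exit(), in the child — confirm no buffered output is duplicated */` at the call site would flag it for follow-up. pipe_to_program starts and ends outside this hunk.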
@@ -7,17 +7,22 @@ .\" as published by the Free Software Foundation; either version .\" 2 of the License, or (at your option) any later version. .\" -.TH REQUEST-KEY.CONF 5 "11 July 2005" Linux "Linux Key Management Utilities" +.TH REQUEST-KEY.CONF 5 "15 November 2011" Linux "Linux Key Management Utilities" .SH NAME request-key.conf - Instantiation handler configuration file .SH DESCRIPTION .P -This file is used by the /sbin/request-key program to determine which program -it should run to instantiate a key. +This file and its associated key-type specific variants are used by the +/sbin/request-key program to determine which program it should run to +instantiate a key. .P -request-key works scans through the file a line at a time until it finds a -match, which it will then use. If it doesn't find a match, it'll return an -error and the kernel will automatically negate the key. +request-key looks first in /etc/request-key.d/ for a file of the key type name +plus ".conf" that it can use. If that is not found, it will fall back to +/etc/request-key.conf. +.P +request-key works scans through the chosen file one line at a time until it +finds a match, which it will then use. If it doesn't find a match, it'll return +an error and the kernel will automatically negate the key. .P Any blank line or line beginning with a hash mark '#' is considered to be a comment and ignored. @@ -128,5 +133,9 @@ the payload. .ul /etc/request-key.conf .ul 0 +.br +.ul +/etc/request-key.d/<keytype>.conf +.ul 0 .SH SEE ALSO \fBkeyctl\fR(1), \fBrequest-key.conf\fR(5) |