KEYS: Add KEYCTL_RESTRICT_KEYRING (6563c91f) · Commits · 戴 / test

Documentation/security/keys.txt

+25 −0

Original line number	Diff line number	Diff line
		@@ -857,6 +857,31 @@ The keyctl syscall functions are:
		supported, error ENOKEY if the key could not be found, or error
		EACCES if the key is not readable by the caller.

		(*) Restrict keyring linkage

		long keyctl(KEYCTL_RESTRICT_KEYRING, key_serial_t keyring,
		const char type, const char restriction);

		An existing keyring can restrict linkage of additional keys by evaluating
		the contents of the key according to a restriction scheme.

		"keyring" is the key ID for an existing keyring to apply a restriction
		to. It may be empty or may already have keys linked. Existing linked keys
		will remain in the keyring even if the new restriction would reject them.

		"type" is a registered key type.

		"restriction" is a string describing how key linkage is to be restricted.
		The format varies depending on the key type, and the string is passed to
		the lookup_restriction() function for the requested type. It may specify
		a method and relevant data for the restriction such as signature
		verification or constraints on key payload. If the requested key type is
		later unregistered, no keys may be added to the keyring after the key type
		is removed.

		To apply a keyring restriction the process must have Set Attribute
		permission and the keyring must not be previously restricted.

		===============
		KERNEL SERVICES
		===============

+5 −1

Original line number	Diff line number	Diff line
		@@ -219,7 +219,8 @@ struct key {
		/* This is set on a keyring to restrict the addition of a link to a key
		* to it. If this structure isn't provided then it is assumed that the
		* keyring is open to any addition. It is ignored for non-keyring
		* keys.
		* keys. Only set this value using keyring_restrict(), keyring_alloc(),
		* or key_alloc().
		*
		* This is intended for use with rings of trusted keys whereby addition
		* to the keyring needs to be controlled. KEY_ALLOC_BYPASS_RESTRICTION
		@@ -328,6 +329,9 @@ extern key_ref_t keyring_search(key_ref_t keyring,
		extern int keyring_add_key(struct key *keyring,
		struct key *key);

		extern int keyring_restrict(key_ref_t keyring, const char *type,
		const char *restriction);

		extern struct key *key_lookup(key_serial_t id);

		static inline key_serial_t key_serial(const struct key *key)

+1 −0

Original line number	Diff line number	Diff line
		@@ -60,6 +60,7 @@
		#define KEYCTL_INVALIDATE 21 /* invalidate a key */
		#define KEYCTL_GET_PERSISTENT 22 /* get a user's persistent keyring */
		#define KEYCTL_DH_COMPUTE 23 /* Compute Diffie-Hellman values */
		#define KEYCTL_RESTRICT_KEYRING 29 /* Restrict keys allowed to link to a keyring */

		/* keyctl structures */
		struct keyctl_dh_params {

+4 −0

Original line number	Diff line number	Diff line
		@@ -136,6 +136,10 @@ COMPAT_SYSCALL_DEFINE5(keyctl, u32, option,
		return keyctl_dh_compute(compat_ptr(arg2), compat_ptr(arg3),
		arg4, compat_ptr(arg5));

		case KEYCTL_RESTRICT_KEYRING:
		return keyctl_restrict_keyring(arg2, compat_ptr(arg3),
		compat_ptr(arg4));

		default:
		return -EOPNOTSUPP;
		}

+3 −0

Original line number	Diff line number	Diff line
		@@ -252,6 +252,9 @@ struct iov_iter;
		extern long keyctl_instantiate_key_common(key_serial_t,
		struct iov_iter *,
		key_serial_t);
		extern long keyctl_restrict_keyring(key_serial_t id,
		const char __user *_type,
		const char __user *_restriction);
		#ifdef CONFIG_PERSISTENT_KEYRINGS
		extern long keyctl_get_persistent(uid_t, key_serial_t);
		extern unsigned persistent_keyring_expiry;