keys: add keyctl function to get a security label

     The assumed authoritative key is inherited across fork and exec.

 (*) Get the LSM security context attached to a key.

	long keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer,

		    size_t buflen)

     This function returns a string that represents the LSM security context

     attached to a key in the buffer provided.

     Unless there's an error, it always returns the amount of data it could

     produce, even if that's too big for the buffer, but it won't copy more

     than requested to userspace. If the buffer pointer is NULL then no copy

     will take place.

     A NUL character is included at the end of the string if the buffer is

     sufficiently big.  This is included in the returned count.  If no LSM is

     in force then an empty string will be returned.

     A process must have view permission on the key for this function to be

     successful.

===============

KERNEL SERVICES

===============

#define KEYCTL_SET_REQKEY_KEYRING	14	/* set default request-key keyring */

#define KEYCTL_SET_TIMEOUT		15	/* set key timeout */

#define KEYCTL_ASSUME_AUTHORITY		16	/* assume request_key() authorisation */

#define KEYCTL_GET_SECURITY		17	/* get key security label */

#endif /*  _LINUX_KEYCTL_H */

 *	@perm describes the combination of permissions required of this key.

 *	Return 1 if permission granted, 0 if permission denied and -ve it the

 *	normal permissions model should be effected.

 * @key_getsecurity:

 *	Get a textual representation of the security context attached to a key

 *	for the purposes of honouring KEYCTL_GETSECURITY.  This function

 *	allocates the storage for the NUL-terminated string and the caller

 *	should free it.

 *	@key points to the key to be queried.

 *	@_buffer points to a pointer that should be set to point to the

 *	 resulting string (if no label or an error occurs).

 *	Return the length of the string (including terminating NUL) or -ve if

 *      an error.

 *	May also return 0 (and a NULL buffer pointer) if there is no label.

 *

 * Security hooks affecting all System V IPC operations.

 *

	int (*key_permission) (key_ref_t key_ref,

			       struct task_struct *context,

			       key_perm_t perm);

	int (*key_getsecurity)(struct key *key, char **_buffer);

#endif	/* CONFIG_KEYS */

#ifdef CONFIG_AUDIT

void security_key_free(struct key *key);

int security_key_permission(key_ref_t key_ref,

			    struct task_struct *context, key_perm_t perm);

int security_key_getsecurity(struct key *key, char **_buffer);

#else

	return 0;

}

static inline int security_key_getsecurity(struct key *key, char **_buffer)

{

	*_buffer = NULL;

	return 0;

}

#endif

#endif /* CONFIG_KEYS */

{

	return 0;

}

static int dummy_key_getsecurity(struct key *key, char **_buffer)

{

	*_buffer = NULL;

	return 0;

}

#endif /* CONFIG_KEYS */

#ifdef CONFIG_AUDIT

	set_to_dummy_if_null(ops, key_alloc);

	set_to_dummy_if_null(ops, key_free);

	set_to_dummy_if_null(ops, key_permission);

	set_to_dummy_if_null(ops, key_getsecurity);

#endif	/* CONFIG_KEYS */

#ifdef CONFIG_AUDIT

	set_to_dummy_if_null(ops, audit_rule_init);

	case KEYCTL_ASSUME_AUTHORITY:

		return keyctl_assume_authority(arg2);

	case KEYCTL_GET_SECURITY:

		return keyctl_get_security(arg2, compat_ptr(arg3), arg4);

	default:

		return -EOPNOTSUPP;

	}