Commit f5895943 authored by David Howells's avatar David Howells
Browse files

KEYS: Move the flags representing required permission to linux/key.h 



Move the flags representing required permission to linux/key.h as the perm
parameter of security_key_permission() is in terms of them - and not the
permissions mask flags used in key->perm.

Whilst we're at it:

 (1) Rename them to be KEY_NEED_xxx rather than KEY_xxx to avoid collisions
     with symbols in uapi/linux/input.h.

 (2) Don't use key_perm_t for a mask of required permissions, but rather limit
     it to the permissions mask attached to the key and arguments related
     directly to that.

Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Tested-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
parent c60f7d5a

include/linux/key.h

+11 −0
Original line number Diff line number Diff line
@@ -309,6 +309,17 @@ static inline key_serial_t key_serial(const struct key *key) 


extern void key_set_timeout(struct key *, unsigned);



/*

 * The permissions required on a key that we're looking up.

 */

#define	KEY_NEED_VIEW	0x01	/* Require permission to view attributes */

#define	KEY_NEED_READ	0x02	/* Require permission to read content */

#define	KEY_NEED_WRITE	0x04	/* Require permission to update / modify */

#define	KEY_NEED_SEARCH	0x08	/* Require permission to search (keyring) or find (key) */

#define	KEY_NEED_LINK	0x10	/* Require permission to link */

#define	KEY_NEED_SETATTR 0x20	/* Require permission to change attributes */

#define	KEY_NEED_ALL	0x3f	/* All the above permissions */



/**

 * key_is_instantiated - Determine if a key has been positively instantiated

 * @key: The key to check.

include/linux/security.h

+3 −3
Original line number Diff line number Diff line
@@ -1707,7 +1707,7 @@ struct security_operations { 
	void (*key_free) (struct key *key);

	int (*key_permission) (key_ref_t key_ref,

			       const struct cred *cred,

			       key_perm_t perm);

			       unsigned perm);

	int (*key_getsecurity)(struct key *key, char **_buffer);

#endif	/* CONFIG_KEYS */
@@ -3026,7 +3026,7 @@ static inline int security_path_chroot(struct path *path) 
int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags);

void security_key_free(struct key *key);

int security_key_permission(key_ref_t key_ref,

			    const struct cred *cred, key_perm_t perm);

			    const struct cred *cred, unsigned perm);

int security_key_getsecurity(struct key *key, char **_buffer);



#else
@@ -3044,7 +3044,7 @@ static inline void security_key_free(struct key *key) 


static inline int security_key_permission(key_ref_t key_ref,

					  const struct cred *cred,

					  key_perm_t perm)

					  unsigned perm)

{

	return 0;

}

security/capability.c

+1 −1
Original line number Diff line number Diff line
@@ -878,7 +878,7 @@ static void cap_key_free(struct key *key) 
}



static int cap_key_permission(key_ref_t key_ref, const struct cred *cred,

			      key_perm_t perm)

			      unsigned perm)

{

	return 0;

}

security/keys/internal.h

+1 −10
Original line number Diff line number Diff line
@@ -176,20 +176,11 @@ extern int key_task_permission(const key_ref_t key_ref, 
/*

 * Check to see whether permission is granted to use a key in the desired way.

 */

static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)

static inline int key_permission(const key_ref_t key_ref, unsigned perm)

{

	return key_task_permission(key_ref, current_cred(), perm);

}



/* required permissions */

#define	KEY_VIEW	0x01	/* require permission to view attributes */

#define	KEY_READ	0x02	/* require permission to read content */

#define	KEY_WRITE	0x04	/* require permission to update / modify */

#define	KEY_SEARCH	0x08	/* require permission to search (keyring) or find (key) */

#define	KEY_LINK	0x10	/* require permission to link */

#define	KEY_SETATTR	0x20	/* require permission to change attributes */

#define	KEY_ALL		0x3f	/* all the above permissions */



/*

 * Authorisation record for request_key().

 */

security/keys/key.c

+3 −3
Original line number Diff line number Diff line
@@ -714,7 +714,7 @@ static inline key_ref_t __key_update(key_ref_t key_ref, 
	int ret;



	/* need write permission on the key to update it */

	ret = key_permission(key_ref, KEY_WRITE);

	ret = key_permission(key_ref, KEY_NEED_WRITE);

	if (ret < 0)

		goto error;
@@ -838,7 +838,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, 


	/* if we're going to allocate a new key, we're going to have

	 * to modify the keyring */

	ret = key_permission(keyring_ref, KEY_WRITE);

	ret = key_permission(keyring_ref, KEY_NEED_WRITE);

	if (ret < 0) {

		key_ref = ERR_PTR(ret);

		goto error_link_end;
@@ -928,7 +928,7 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen) 
	key_check(key);



	/* the key must be writable */

	ret = key_permission(key_ref, KEY_WRITE);

	ret = key_permission(key_ref, KEY_NEED_WRITE);

	if (ret < 0)

		goto error;

CRA Git | Maintained and supported by SUSTech CRA and CCSE