Commit 6b79ccb5144f9ffb4d4596c23e7570238dd12abc

Authored by Arun Raghavan
Committed by Linus Torvalds
1 parent da91d2ef9f

keys: allow clients to set key perms in key_create_or_update()

The key_create_or_update() function provided by the keyring code has a default
set of permissions that are always applied to the key when created.  This
might not be desirable to all clients.

Here's a patch that adds a "perm" parameter to the function to address this,
which can be set to KEY_PERM_UNDEF to revert to the current behaviour.

Signed-off-by: Arun Raghavan <arunsr@cse.iitk.ac.in>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Satyam Sharma <ssatyam@cse.iitk.ac.in>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Showing 3 changed files with 15 additions and 9 deletions

... ... @@ -67,6 +67,8 @@
67 67 #define KEY_OTH_SETATTR 0x00000020
68 68 #define KEY_OTH_ALL 0x0000003f
69 69  
  70 +#define KEY_PERM_UNDEF 0xffffffff
  71 +
70 72 struct seq_file;
71 73 struct user_struct;
72 74 struct signal_struct;
... ... @@ -232,6 +234,7 @@
232 234 const char *description,
233 235 const void *payload,
234 236 size_t plen,
  237 + key_perm_t perm,
235 238 unsigned long flags);
236 239  
237 240 extern int key_update(key_ref_t key,
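Review bot: The new `KEY_PERM_UNDEF` define at new line 70 has no comment saying it is a sentinel rather than a permission mask, and its value 0xffffffff reads like "every permission granted". A caller skimming the header could pass it expecting full access and instead get the defaults chosen inside key_create_or_update(). I would add `/* sentinel for key_create_or_update(): use the default permissions; not a valid mask */` above the define, and describe the new `perm` argument wherever the prototype at new line 237 is documented. The prototype begins above the hunk, so its opening line is not visible here.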
... ... @@ -757,11 +757,11 @@
757 757 const char *description,
758 758 const void *payload,
759 759 size_t plen,
  760 + key_perm_t perm,
760 761 unsigned long flags)
761 762 {
762 763 struct key_type *ktype;
763 764 struct key *keyring, *key = NULL;
764   - key_perm_t perm;
765 765 key_ref_t key_ref;
766 766 int ret;
767 767  
768 768  
769 769  
... ... @@ -806,15 +806,17 @@
806 806 goto found_matching_key;
807 807 }
808 808  
809   - /* decide on the permissions we want */
810   - perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
811   - perm |= KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK | KEY_USR_SETATTR;
  809 + /* if the client doesn't provide, decide on the permissions we want */
  810 + if (perm == KEY_PERM_UNDEF) {
  811 + perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
  812 + perm |= KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK | KEY_USR_SETATTR;
812 813  
813   - if (ktype->read)
814   - perm |= KEY_POS_READ | KEY_USR_READ;
  814 + if (ktype->read)
  815 + perm |= KEY_POS_READ | KEY_USR_READ;
815 816  
816   - if (ktype == &key_type_keyring || ktype->update)
817   - perm |= KEY_USR_WRITE;
  817 + if (ktype == &key_type_keyring || ktype->update)
  818 + perm |= KEY_USR_WRITE;
  819 + }
818 820  
819 821 /* allocate a new key */
820 822 key = key_alloc(ktype, description, current->fsuid, current->fsgid,
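Review bot: A caller-supplied `perm` is used unchecked from new line 810 onward: any value other than KEY_PERM_UNDEF skips the whole default block, including the `ktype->read` and `ktype->update` gating, and is never compared with the defined permission bits. The defaults grant nothing to group or other, so a caller that passes a wide mask widens access to the new key without any visible check, and bits outside the defined fields would presumably be carried through as given. Consider rejecting undefined bits early in the function, e.g. `if (perm != KEY_PERM_UNDEF && (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)))` returning `ERR_PTR(-EINVAL)`, and state in the function's comment that the caller owns the access policy when it passes an explicit mask. The only call site visible on this page passes KEY_PERM_UNDEF, so this is hardening for future in-kernel callers; the function body begins and ends outside the hunk.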
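--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -112,7 +112,8 @@
 /* create or update the requested key and add it to the target
 * keyring */
 key_ref = key_create_or_update(keyring_ref, type, description,
-payload, plen, KEY_ALLOC_IN_QUOTA);
+payload, plen, KEY_PERM_UNDEF,
+KEY_ALLOC_IN_QUOTA);
 if (!IS_ERR(key_ref)) {
 ret = key_ref_to_ptr(key_ref)->serial;
 key_ref_put(key_ref);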