Re: [RFC PATCH 01/20] KEYS: Add an alloc flag to convey the builtinness of a key [ver #2]

From: Mimi Zohar
Date: Wed Jan 20 2016 - 13:59:50 EST


On Tue, 2016-01-19 at 11:30 +0000, David Howells wrote:
> Add KEY_ALLOC_BUILT_IN to convey that a key should have KEY_FLAG_BUILTIN
> set rather than setting it after the fact.
>
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>

Acked-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>

> ---
>
> certs/system_keyring.c | 4 ++--
> include/linux/key.h | 1 +
> security/keys/key.c | 2 ++
> 3 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 2570598b784d..f4180326c2e1 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -84,12 +84,12 @@ static __init int load_system_certificate_list(void)
> ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
> KEY_USR_VIEW | KEY_USR_READ),
> KEY_ALLOC_NOT_IN_QUOTA |
> - KEY_ALLOC_TRUSTED);
> + KEY_ALLOC_TRUSTED |
> + KEY_ALLOC_BUILT_IN);
> if (IS_ERR(key)) {
> pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
> PTR_ERR(key));
> } else {
> - set_bit(KEY_FLAG_BUILTIN, &key_ref_to_ptr(key)->flags);
> pr_notice("Loaded X.509 cert '%s'\n",
> key_ref_to_ptr(key)->description);
> key_ref_put(key);
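Review bot: Moving the built-in marking into the allocation flags means it is applied only when a new key is allocated, whereas the removed `set_bit(KEY_FLAG_BUILTIN, ...)` marked whatever key the call returned. If the create-or-update call can take an update path for an already present key (its body is not visible here, so this is inferred), that key would keep its existing flags. That looks harmless at this call site, since everything loaded here is compiled in, but it is worth a comment above the flags argument such as `/* BUILT_IN is applied at allocation only; an updated key keeps its existing flags */`. On the positive side, the key no longer becomes visible without the flag for a short window. load_system_certificate_list() starts and ends outside the hunk.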
> diff --git a/include/linux/key.h b/include/linux/key.h
> index 7321ab8ef949..5f5b1129dc92 100644
> --- a/include/linux/key.h
> +++ b/include/linux/key.h
> @@ -219,6 +219,7 @@ extern struct key *key_alloc(struct key_type *type,
> #define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */
> #define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */
> #define KEY_ALLOC_TRUSTED 0x0004 /* Key should be flagged as trusted */
> +#define KEY_ALLOC_BUILT_IN 0x0008 /* Key is built into kernel */
>
> extern void key_revoke(struct key *key);
> extern void key_invalidate(struct key *key);
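Review bot: The comment on the new `KEY_ALLOC_BUILT_IN` define does not say which key flag it results in or who may pass it, and this bit feeds a trust-relevant property of the key. Wording parallel to the line above would help, for example `/* Key should be flagged as built in (KEY_FLAG_BUILTIN); for keys compiled into the kernel image only */`. That makes it clear to later callers that the flag must not be passed for keys from any other source.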
> diff --git a/security/keys/key.c b/security/keys/key.c
> index 07a87311055c..48dbfa543bcb 100644
> --- a/security/keys/key.c
> +++ b/security/keys/key.c
> @@ -296,6 +296,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
> key->flags |= 1 << KEY_FLAG_IN_QUOTA;
> if (flags & KEY_ALLOC_TRUSTED)
> key->flags |= 1 << KEY_FLAG_TRUSTED;
> + if (flags & KEY_ALLOC_BUILT_IN)
> + key->flags |= 1 << KEY_FLAG_BUILTIN;
>
> #ifdef KEY_DEBUGGING
> key->magic = KEY_DEBUG_MAGIC;
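Review bot: The added `key->flags |= 1 << KEY_FLAG_BUILTIN;` is a plain read-modify-write, while the call site it replaces used the atomic `set_bit()`. This matches the neighbouring IN_QUOTA and TRUSTED lines and is presumably safe because the key has not been published to any keyring at this point in key_alloc(). The function body starts and ends outside the hunk, so that cannot be confirmed from here. A short comment above the flag block, such as `/* key is not yet visible to other contexts, so non-atomic flag updates are fine */`, would record the assumption. As a style point, `1UL << KEY_FLAG_BUILTIN` would avoid an int-width shift if `flags` is an unsigned long.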