KEYS: Add a facility to restrict new links into a keyring
authorDavid Howells <dhowells@redhat.com>
Wed, 6 Apr 2016 15:14:24 +0000 (16:14 +0100)
committerDavid Howells <dhowells@redhat.com>
Mon, 11 Apr 2016 21:37:37 +0000 (22:37 +0100)
Add a facility whereby proposed new links to be added to a keyring can be
vetted, permitting them to be rejected if necessary.  This can be used to
block public keys from which the signature cannot be verified or for which
the signature verification fails.  It could also be used to provide
blacklisting.

This affects operations like add_key(), KEYCTL_LINK and KEYCTL_INSTANTIATE.

To this end:

 (1) A function pointer is added to the key struct that, if set, points to
     the vetting function.  This is called as:

int (*restrict_link)(struct key *keyring,
     const struct key_type *key_type,
     unsigned long key_flags,
     const union key_payload *key_payload),

     where 'keyring' will be the keyring being added to, key_type and
     key_payload will describe the key being added and key_flags[*] can be
     AND'ed with KEY_FLAG_TRUSTED.

     [*] This parameter will be removed in a later patch when
       KEY_FLAG_TRUSTED is removed.

     The function should return 0 to allow the link to take place or an
     error (typically -ENOKEY, -ENOPKG or -EKEYREJECTED) to reject the
     link.

     The pointer should not be set directly, but rather should be set
     through keyring_alloc().

     Note that if called during add_key(), preparse is called before this
     method, but a key isn't actually allocated until after this function
     is called.

 (2) KEY_ALLOC_BYPASS_RESTRICTION is added.  This can be passed to
     key_create_or_update() or key_instantiate_and_link() to bypass the
     restriction check.

 (3) KEY_FLAG_TRUSTED_ONLY is removed.  The entire contents of a keyring
     with this restriction emplaced can be considered 'trustworthy' by
     virtue of being in the keyring when that keyring is consulted.

 (4) key_alloc() and keyring_alloc() take an extra argument that will be
     used to set restrict_link in the new key.  This ensures that the
     pointer is set before the key is published, thus preventing a window
     of unrestrictedness.  Normally this argument will be NULL.

 (5) As a temporary affair, keyring_restrict_trusted_only() is added.  It
     should be passed to keyring_alloc() as the extra argument instead of
     setting KEY_FLAG_TRUSTED_ONLY on a keyring.  This will be replaced in
     a later patch with functions that look in the appropriate places for
     authoritative keys.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
15 files changed:
Documentation/security/keys.txt
certs/system_keyring.c
fs/cifs/cifsacl.c
fs/nfs/nfs4idmap.c
include/linux/key.h
net/dns_resolver/dns_key.c
net/rxrpc/ar-key.c
security/integrity/digsig.c
security/integrity/ima/ima_mok.c
security/keys/key.c
security/keys/keyring.c
security/keys/persistent.c
security/keys/process_keys.c
security/keys/request_key.c
security/keys/request_key_auth.c

index 8c183873b2b77f771deb13dd74c21c49e19ec5ed..a6a50b359025f76f51959a40c11a5bbe2e48f095 100644 (file)
@@ -999,6 +999,10 @@ payload contents" for more information.
        struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
                                  const struct cred *cred,
                                  key_perm_t perm,
+                                 int (*restrict_link)(struct key *,
+                                                      const struct key_type *,
+                                                      unsigned long,
+                                                      const union key_payload *),
                                  unsigned long flags,
                                  struct key *dest);
 
@@ -1010,6 +1014,24 @@ payload contents" for more information.
     KEY_ALLOC_NOT_IN_QUOTA in flags if the keyring shouldn't be accounted
     towards the user's quota).  Error ENOMEM can also be returned.
 
+    If restrict_link not NULL, it should point to a function that will be
+    called each time an attempt is made to link a key into the new keyring.
+    This function is called to check whether a key may be added into the keying
+    or not.  Callers of key_create_or_update() within the kernel can pass
+    KEY_ALLOC_BYPASS_RESTRICTION to suppress the check.  An example of using
+    this is to manage rings of cryptographic keys that are set up when the
+    kernel boots where userspace is also permitted to add keys - provided they
+    can be verified by a key the kernel already has.
+
+    When called, the restriction function will be passed the keyring being
+    added to, the key flags value and the type and payload of the key being
+    added.  Note that when a new key is being created, this is called between
+    payload preparsing and actual key creation.  The function should return 0
+    to allow the link or an error to reject it.
+
+    A convenience function, restrict_link_reject, exists to always return
+    -EPERM to in this case.
+
 
 (*) To check the validity of a key, this function can be called:
 
index dc18869ff680ab489dd6b1a54da69d5641a5cc8e..417d658828708e0ffc2a4fd6d36fedb9dcedb067 100644 (file)
@@ -36,11 +36,10 @@ static __init int system_trusted_keyring_init(void)
                              KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
                              ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
                              KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
-                             KEY_ALLOC_NOT_IN_QUOTA, NULL);
+                             KEY_ALLOC_NOT_IN_QUOTA,
+                             keyring_restrict_trusted_only, NULL);
        if (IS_ERR(system_trusted_keyring))
                panic("Can't allocate system trusted keyring\n");
-
-       set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
        return 0;
 }
 
@@ -85,7 +84,8 @@ static __init int load_system_certificate_list(void)
                                           KEY_USR_VIEW | KEY_USR_READ),
                                           KEY_ALLOC_NOT_IN_QUOTA |
                                           KEY_ALLOC_TRUSTED |
-                                          KEY_ALLOC_BUILT_IN);
+                                          KEY_ALLOC_BUILT_IN |
+                                          KEY_ALLOC_BYPASS_RESTRICTION);
                if (IS_ERR(key)) {
                        pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
                               PTR_ERR(key));
index 3f93125916bf041e824e0d98df07c7b8195abdf3..71e8a56e9479567e9f5ad0fb201a2ea3e91d6e99 100644 (file)
@@ -360,7 +360,7 @@ init_cifs_idmap(void)
                                GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
                                (KEY_POS_ALL & ~KEY_POS_SETATTR) |
                                KEY_USR_VIEW | KEY_USR_READ,
-                               KEY_ALLOC_NOT_IN_QUOTA, NULL);
+                               KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
        if (IS_ERR(keyring)) {
                ret = PTR_ERR(keyring);
                goto failed_put_cred;
index 5ba22c6b0ffa6d8bafb302c2660b56f1992fd792..c444285bb1b1698a985c1dd155ec83e12eb1cdd8 100644 (file)
@@ -201,7 +201,7 @@ int nfs_idmap_init(void)
                                GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
                                (KEY_POS_ALL & ~KEY_POS_SETATTR) |
                                KEY_USR_VIEW | KEY_USR_READ,
-                               KEY_ALLOC_NOT_IN_QUOTA, NULL);
+                               KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
        if (IS_ERR(keyring)) {
                ret = PTR_ERR(keyring);
                goto failed_put_cred;
index 5f5b1129dc92705edd5c1658571cffb6548453b7..83b603639d2e71d17cfa49e29a62adc87921d0a9 100644 (file)
@@ -174,10 +174,9 @@ struct key {
 #define KEY_FLAG_ROOT_CAN_CLEAR        6       /* set if key can be cleared by root without permission */
 #define KEY_FLAG_INVALIDATED   7       /* set if key has been invalidated */
 #define KEY_FLAG_TRUSTED       8       /* set if key is trusted */
-#define KEY_FLAG_TRUSTED_ONLY  9       /* set if keyring only accepts links to trusted keys */
-#define KEY_FLAG_BUILTIN       10      /* set if key is builtin */
-#define KEY_FLAG_ROOT_CAN_INVAL        11      /* set if key can be invalidated by root without permission */
-#define KEY_FLAG_KEEP          12      /* set if key should not be removed */
+#define KEY_FLAG_BUILTIN       9       /* set if key is built in to the kernel */
+#define KEY_FLAG_ROOT_CAN_INVAL        10      /* set if key can be invalidated by root without permission */
+#define KEY_FLAG_KEEP          11      /* set if key should not be removed */
 
        /* the key type and key description string
         * - the desc is used to match a key against search criteria
@@ -205,6 +204,21 @@ struct key {
                };
                int reject_error;
        };
+
+       /* This is set on a keyring to restrict the addition of a link to a key
+        * to it.  If this method isn't provided then it is assumed that the
+        * keyring is open to any addition.  It is ignored for non-keyring
+        * keys.
+        *
+        * This is intended for use with rings of trusted keys whereby addition
+        * to the keyring needs to be controlled.  KEY_ALLOC_BYPASS_RESTRICTION
+        * overrides this, allowing the kernel to add extra keys without
+        * restriction.
+        */
+       int (*restrict_link)(struct key *keyring,
+                            const struct key_type *type,
+                            unsigned long flags,
+                            const union key_payload *payload);
 };
 
 extern struct key *key_alloc(struct key_type *type,
@@ -212,14 +226,19 @@ extern struct key *key_alloc(struct key_type *type,
                             kuid_t uid, kgid_t gid,
                             const struct cred *cred,
                             key_perm_t perm,
-                            unsigned long flags);
+                            unsigned long flags,
+                            int (*restrict_link)(struct key *,
+                                                 const struct key_type *,
+                                                 unsigned long,
+                                                 const union key_payload *));
 
 
-#define KEY_ALLOC_IN_QUOTA     0x0000  /* add to quota, reject if would overrun */
-#define KEY_ALLOC_QUOTA_OVERRUN        0x0001  /* add to quota, permit even if overrun */
-#define KEY_ALLOC_NOT_IN_QUOTA 0x0002  /* not in quota */
-#define KEY_ALLOC_TRUSTED      0x0004  /* Key should be flagged as trusted */
-#define KEY_ALLOC_BUILT_IN     0x0008  /* Key is built into kernel */
+#define KEY_ALLOC_IN_QUOTA             0x0000  /* add to quota, reject if would overrun */
+#define KEY_ALLOC_QUOTA_OVERRUN                0x0001  /* add to quota, permit even if overrun */
+#define KEY_ALLOC_NOT_IN_QUOTA         0x0002  /* not in quota */
+#define KEY_ALLOC_TRUSTED              0x0004  /* Key should be flagged as trusted */
+#define KEY_ALLOC_BUILT_IN             0x0008  /* Key is built into kernel */
+#define KEY_ALLOC_BYPASS_RESTRICTION   0x0010  /* Override the check on restricted keyrings */
 
 extern void key_revoke(struct key *key);
 extern void key_invalidate(struct key *key);
@@ -288,8 +307,22 @@ extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid
                                 const struct cred *cred,
                                 key_perm_t perm,
                                 unsigned long flags,
+                                int (*restrict_link)(struct key *,
+                                                     const struct key_type *,
+                                                     unsigned long,
+                                                     const union key_payload *),
                                 struct key *dest);
 
+extern int keyring_restrict_trusted_only(struct key *keyring,
+                                        const struct key_type *type,
+                                        unsigned long,
+                                        const union key_payload *payload);
+
+extern int restrict_link_reject(struct key *keyring,
+                               const struct key_type *type,
+                               unsigned long flags,
+                               const union key_payload *payload);
+
 extern int keyring_clear(struct key *keyring);
 
 extern key_ref_t keyring_search(key_ref_t keyring,
index c79b85eb4d4ca4712465b6bbeda7ed74d2624344..8737412c7b27f33125c14c8aa6e64c4ce5cd2dc8 100644 (file)
@@ -281,7 +281,7 @@ static int __init init_dns_resolver(void)
                                GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
                                (KEY_POS_ALL & ~KEY_POS_SETATTR) |
                                KEY_USR_VIEW | KEY_USR_READ,
-                               KEY_ALLOC_NOT_IN_QUOTA, NULL);
+                               KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
        if (IS_ERR(keyring)) {
                ret = PTR_ERR(keyring);
                goto failed_put_cred;
index 3fb492eedeb98e3e7e97496e792f83ad61fa6436..1021b4c0bdd21e776481e771a4f3a1385e67f5a6 100644 (file)
@@ -965,7 +965,7 @@ int rxrpc_get_server_data_key(struct rxrpc_connection *conn,
 
        key = key_alloc(&key_type_rxrpc, "x",
                        GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, 0,
-                       KEY_ALLOC_NOT_IN_QUOTA);
+                       KEY_ALLOC_NOT_IN_QUOTA, NULL);
        if (IS_ERR(key)) {
                _leave(" = -ENOMEM [alloc %ld]", PTR_ERR(key));
                return -ENOMEM;
@@ -1012,7 +1012,7 @@ struct key *rxrpc_get_null_key(const char *keyname)
 
        key = key_alloc(&key_type_rxrpc, keyname,
                        GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
-                       KEY_POS_SEARCH, KEY_ALLOC_NOT_IN_QUOTA);
+                       KEY_POS_SEARCH, KEY_ALLOC_NOT_IN_QUOTA, NULL);
        if (IS_ERR(key))
                return key;
 
index 8ef15118cc78cfdb373c1962f3504e9364e0d453..659566c2200b2f93fd07fe990c57f8c8fd0f1fec 100644 (file)
@@ -83,10 +83,9 @@ int __init integrity_init_keyring(const unsigned int id)
                                    ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
                                     KEY_USR_VIEW | KEY_USR_READ |
                                     KEY_USR_WRITE | KEY_USR_SEARCH),
-                                   KEY_ALLOC_NOT_IN_QUOTA, NULL);
-       if (!IS_ERR(keyring[id]))
-               set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
-       else {
+                                   KEY_ALLOC_NOT_IN_QUOTA,
+                                   NULL, NULL);
+       if (IS_ERR(keyring[id])) {
                err = PTR_ERR(keyring[id]);
                pr_info("Can't allocate %s keyring (%d)\n",
                        keyring_name[id], err);
index 676885e4320e4314d6003490645bd74d256ebf92..ef91248cb9347d755a6da62acc042feb29e0c30c 100644 (file)
@@ -35,20 +35,20 @@ __init int ima_mok_init(void)
                              (KEY_POS_ALL & ~KEY_POS_SETATTR) |
                              KEY_USR_VIEW | KEY_USR_READ |
                              KEY_USR_WRITE | KEY_USR_SEARCH,
-                             KEY_ALLOC_NOT_IN_QUOTA, NULL);
+                             KEY_ALLOC_NOT_IN_QUOTA,
+                             keyring_restrict_trusted_only, NULL);
 
        ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
                                KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
                                (KEY_POS_ALL & ~KEY_POS_SETATTR) |
                                KEY_USR_VIEW | KEY_USR_READ |
                                KEY_USR_WRITE | KEY_USR_SEARCH,
-                               KEY_ALLOC_NOT_IN_QUOTA, NULL);
+                               KEY_ALLOC_NOT_IN_QUOTA,
+                               keyring_restrict_trusted_only, NULL);
 
        if (IS_ERR(ima_mok_keyring) || IS_ERR(ima_blacklist_keyring))
                panic("Can't allocate IMA MOK or blacklist keyrings.");
-       set_bit(KEY_FLAG_TRUSTED_ONLY, &ima_mok_keyring->flags);
 
-       set_bit(KEY_FLAG_TRUSTED_ONLY, &ima_blacklist_keyring->flags);
        set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags);
        return 0;
 }
index b28755131687ea89de81ff5813c3fa9eb4acee74..deb881754e03ae22fa165b7290ebee6550cf6dcd 100644 (file)
@@ -201,6 +201,7 @@ serial_exists:
  * @cred: The credentials specifying UID namespace.
  * @perm: The permissions mask of the new key.
  * @flags: Flags specifying quota properties.
+ * @restrict_link: Optional link restriction method for new keyrings.
  *
  * Allocate a key of the specified type with the attributes given.  The key is
  * returned in an uninstantiated state and the caller needs to instantiate the
@@ -223,7 +224,11 @@ serial_exists:
  */
 struct key *key_alloc(struct key_type *type, const char *desc,
                      kuid_t uid, kgid_t gid, const struct cred *cred,
-                     key_perm_t perm, unsigned long flags)
+                     key_perm_t perm, unsigned long flags,
+                     int (*restrict_link)(struct key *,
+                                          const struct key_type *,
+                                          unsigned long,
+                                          const union key_payload *))
 {
        struct key_user *user = NULL;
        struct key *key;
@@ -291,6 +296,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
        key->uid = uid;
        key->gid = gid;
        key->perm = perm;
+       key->restrict_link = restrict_link;
 
        if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
                key->flags |= 1 << KEY_FLAG_IN_QUOTA;
@@ -496,6 +502,12 @@ int key_instantiate_and_link(struct key *key,
        }
 
        if (keyring) {
+               if (keyring->restrict_link) {
+                       ret = keyring->restrict_link(keyring, key->type,
+                                                    key->flags, &prep.payload);
+                       if (ret < 0)
+                               goto error;
+               }
                ret = __key_link_begin(keyring, &key->index_key, &edit);
                if (ret < 0)
                        goto error;
@@ -551,8 +563,12 @@ int key_reject_and_link(struct key *key,
        awaken = 0;
        ret = -EBUSY;
 
-       if (keyring)
+       if (keyring) {
+               if (keyring->restrict_link)
+                       return -EPERM;
+
                link_ret = __key_link_begin(keyring, &key->index_key, &edit);
+       }
 
        mutex_lock(&key_construction_mutex);
 
@@ -793,6 +809,10 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
        struct key *keyring, *key = NULL;
        key_ref_t key_ref;
        int ret;
+       int (*restrict_link)(struct key *,
+                            const struct key_type *,
+                            unsigned long,
+                            const union key_payload *) = NULL;
 
        /* look up the key type to see if it's one of the registered kernel
         * types */
@@ -811,6 +831,10 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
 
        key_check(keyring);
 
+       key_ref = ERR_PTR(-EPERM);
+       if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION))
+               restrict_link = keyring->restrict_link;
+
        key_ref = ERR_PTR(-ENOTDIR);
        if (keyring->type != &key_type_keyring)
                goto error_put_type;
@@ -835,10 +859,15 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
        }
        index_key.desc_len = strlen(index_key.description);
 
-       key_ref = ERR_PTR(-EPERM);
-       if (!prep.trusted && test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags))
-               goto error_free_prep;
-       flags |= prep.trusted ? KEY_ALLOC_TRUSTED : 0;
+       if (restrict_link) {
+               unsigned long kflags = prep.trusted ? KEY_FLAG_TRUSTED : 0;
+               ret = restrict_link(keyring,
+                                   index_key.type, kflags, &prep.payload);
+               if (ret < 0) {
+                       key_ref = ERR_PTR(ret);
+                       goto error_free_prep;
+               }
+       }
 
        ret = __key_link_begin(keyring, &index_key, &edit);
        if (ret < 0) {
@@ -879,7 +908,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
 
        /* allocate a new key */
        key = key_alloc(index_key.type, index_key.description,
-                       cred->fsuid, cred->fsgid, cred, perm, flags);
+                       cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
        if (IS_ERR(key)) {
                key_ref = ERR_CAST(key);
                goto error_link_end;
index f931ccfeefb01b34b7067caa2fe58774d0274edc..d2d1f3378008b00e2b4b225b6a0a2be54af3bdac 100644 (file)
@@ -491,13 +491,18 @@ static long keyring_read(const struct key *keyring,
  */
 struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
                          const struct cred *cred, key_perm_t perm,
-                         unsigned long flags, struct key *dest)
+                         unsigned long flags,
+                         int (*restrict_link)(struct key *,
+                                              const struct key_type *,
+                                              unsigned long,
+                                              const union key_payload *),
+                         struct key *dest)
 {
        struct key *keyring;
        int ret;
 
        keyring = key_alloc(&key_type_keyring, description,
-                           uid, gid, cred, perm, flags);
+                           uid, gid, cred, perm, flags, restrict_link);
        if (!IS_ERR(keyring)) {
                ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
                if (ret < 0) {
@@ -510,6 +515,51 @@ struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
 }
 EXPORT_SYMBOL(keyring_alloc);
 
+/**
+ * keyring_restrict_trusted_only - Restrict additions to a keyring to trusted keys only
+ * @keyring: The keyring being added to.
+ * @type: The type of key being added.
+ * @flags: The key flags.
+ * @payload: The payload of the key intended to be added.
+ *
+ * Reject the addition of any links to a keyring that point to keys that aren't
+ * marked as being trusted.  It can be overridden by passing
+ * KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when adding a key
+ * to a keyring.
+ *
+ * This is meant to be passed as the restrict_link parameter to
+ * keyring_alloc().
+ */
+int keyring_restrict_trusted_only(struct key *keyring,
+                                 const struct key_type *type,
+                                 unsigned long flags,
+                                 const union key_payload *payload)
+{
+       return flags & KEY_FLAG_TRUSTED ? 0 : -EPERM;
+}
+
+/**
+ * restrict_link_reject - Give -EPERM to restrict link
+ * @keyring: The keyring being added to.
+ * @type: The type of key being added.
+ * @flags: The key flags.
+ * @payload: The payload of the key intended to be added.
+ *
+ * Reject the addition of any links to a keyring.  It can be overridden by
+ * passing KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when
+ * adding a key to a keyring.
+ *
+ * This is meant to be passed as the restrict_link parameter to
+ * keyring_alloc().
+ */
+int restrict_link_reject(struct key *keyring,
+                        const struct key_type *type,
+                        unsigned long flags,
+                        const union key_payload *payload)
+{
+       return -EPERM;
+}
+
 /*
  * By default, we keys found by getting an exact match on their descriptions.
  */
@@ -1191,6 +1241,17 @@ void __key_link_end(struct key *keyring,
        up_write(&keyring->sem);
 }
 
+/*
+ * Check addition of keys to restricted keyrings.
+ */
+static int __key_link_check_restriction(struct key *keyring, struct key *key)
+{
+       if (!keyring->restrict_link)
+               return 0;
+       return keyring->restrict_link(keyring,
+                                     key->type, key->flags, &key->payload);
+}
+
 /**
  * key_link - Link a key to a keyring
  * @keyring: The keyring to make the link in.
@@ -1221,14 +1282,12 @@ int key_link(struct key *keyring, struct key *key)
        key_check(keyring);
        key_check(key);
 
-       if (test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags) &&
-           !test_bit(KEY_FLAG_TRUSTED, &key->flags))
-               return -EPERM;
-
        ret = __key_link_begin(keyring, &key->index_key, &edit);
        if (ret == 0) {
                kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage));
-               ret = __key_link_check_live_key(keyring, key);
+               ret = __key_link_check_restriction(keyring, key);
+               if (ret == 0)
+                       ret = __key_link_check_live_key(keyring, key);
                if (ret == 0)
                        __key_link(key, &edit);
                __key_link_end(keyring, &key->index_key, edit);
index c9fae5ea89fe68b2dcaeed5a30acc9f47c54c6ad..2ef45b319dd9f07961840db9722325d2d7290f67 100644 (file)
@@ -26,7 +26,7 @@ static int key_create_persistent_register(struct user_namespace *ns)
                                        current_cred(),
                                        ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
                                         KEY_USR_VIEW | KEY_USR_READ),
-                                       KEY_ALLOC_NOT_IN_QUOTA, NULL);
+                                       KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
        if (IS_ERR(reg))
                return PTR_ERR(reg);
 
@@ -60,7 +60,7 @@ static key_ref_t key_create_persistent(struct user_namespace *ns, kuid_t uid,
                                   uid, INVALID_GID, current_cred(),
                                   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
                                    KEY_USR_VIEW | KEY_USR_READ),
-                                  KEY_ALLOC_NOT_IN_QUOTA,
+                                  KEY_ALLOC_NOT_IN_QUOTA, NULL,
                                   ns->persistent_keyring_register);
        if (IS_ERR(persistent))
                return ERR_CAST(persistent);
index e6d50172872fb2b516f7c88fa3e4ba3e814ffa1a..40a88523978256278e64ace2befc3e45f9868de9 100644 (file)
@@ -76,7 +76,8 @@ int install_user_keyrings(void)
                if (IS_ERR(uid_keyring)) {
                        uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
                                                    cred, user_keyring_perm,
-                                                   KEY_ALLOC_IN_QUOTA, NULL);
+                                                   KEY_ALLOC_IN_QUOTA,
+                                                   NULL, NULL);
                        if (IS_ERR(uid_keyring)) {
                                ret = PTR_ERR(uid_keyring);
                                goto error;
@@ -92,7 +93,8 @@ int install_user_keyrings(void)
                        session_keyring =
                                keyring_alloc(buf, user->uid, INVALID_GID,
                                              cred, user_keyring_perm,
-                                             KEY_ALLOC_IN_QUOTA, NULL);
+                                             KEY_ALLOC_IN_QUOTA,
+                                             NULL, NULL);
                        if (IS_ERR(session_keyring)) {
                                ret = PTR_ERR(session_keyring);
                                goto error_release;
@@ -134,7 +136,8 @@ int install_thread_keyring_to_cred(struct cred *new)
 
        keyring = keyring_alloc("_tid", new->uid, new->gid, new,
                                KEY_POS_ALL | KEY_USR_VIEW,
-                               KEY_ALLOC_QUOTA_OVERRUN, NULL);
+                               KEY_ALLOC_QUOTA_OVERRUN,
+                               NULL, NULL);
        if (IS_ERR(keyring))
                return PTR_ERR(keyring);
 
@@ -180,7 +183,8 @@ int install_process_keyring_to_cred(struct cred *new)
 
        keyring = keyring_alloc("_pid", new->uid, new->gid, new,
                                KEY_POS_ALL | KEY_USR_VIEW,
-                               KEY_ALLOC_QUOTA_OVERRUN, NULL);
+                               KEY_ALLOC_QUOTA_OVERRUN,
+                               NULL, NULL);
        if (IS_ERR(keyring))
                return PTR_ERR(keyring);
 
@@ -231,7 +235,7 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
 
                keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred,
                                        KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
-                                       flags, NULL);
+                                       flags, NULL, NULL);
                if (IS_ERR(keyring))
                        return PTR_ERR(keyring);
        } else {
@@ -785,7 +789,7 @@ long join_session_keyring(const char *name)
                keyring = keyring_alloc(
                        name, old->uid, old->gid, old,
                        KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK,
-                       KEY_ALLOC_IN_QUOTA, NULL);
+                       KEY_ALLOC_IN_QUOTA, NULL, NULL);
                if (IS_ERR(keyring)) {
                        ret = PTR_ERR(keyring);
                        goto error2;
index c7a117c9a8f3030d66afc6cbf5767ce5069c813b..a29e3554751e0862003b430ce116f52d182c27bb 100644 (file)
@@ -116,7 +116,7 @@ static int call_sbin_request_key(struct key_construction *cons,
        cred = get_current_cred();
        keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred,
                                KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
-                               KEY_ALLOC_QUOTA_OVERRUN, NULL);
+                               KEY_ALLOC_QUOTA_OVERRUN, NULL, NULL);
        put_cred(cred);
        if (IS_ERR(keyring)) {
                ret = PTR_ERR(keyring);
@@ -355,7 +355,7 @@ static int construct_alloc_key(struct keyring_search_context *ctx,
 
        key = key_alloc(ctx->index_key.type, ctx->index_key.description,
                        ctx->cred->fsuid, ctx->cred->fsgid, ctx->cred,
-                       perm, flags);
+                       perm, flags, NULL);
        if (IS_ERR(key))
                goto alloc_failed;
 
index 4f0f112fe276fd7da1714e65113753394b5453e0..9db8b4a8278711fdf5d157160bb08a19fdd276d2 100644 (file)
@@ -202,7 +202,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
        authkey = key_alloc(&key_type_request_key_auth, desc,
                            cred->fsuid, cred->fsgid, cred,
                            KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH |
-                           KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA);
+                           KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA, NULL);
        if (IS_ERR(authkey)) {
                ret = PTR_ERR(authkey);
                goto error_alloc;