KEYS: Allow expiry time to be set when preparsing a key

Allow a key type's preparsing routine to set the expiry time for a key.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Steve Dickson <steved@redhat.com>
Acked-by: Jeff Layton <jlayton@primarydata.com>
Reviewed-by: Sage Weil <sage@redhat.com>

diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt
index a4c33f1a7c6de5dc2207a21bab00846266668f90..315cf96a41a2ebd30e586bef2b81a87eb0cf5c8e 100644 (file)
--- a/Documentation/security/keys.txt
+++ b/Documentation/security/keys.txt
@@ -1150,20 +1150,24 @@ The structure has a number of fields, some of which are mandatory:
                const void      *data;
                size_t          datalen;
                size_t          quotalen;
+               time_t          expiry;
        };
 
      Before calling the method, the caller will fill in data and datalen with
      the payload blob parameters; quotalen will be filled in with the default
-     quota size from the key type and the rest will be cleared.
+     quota size from the key type; expiry will be set to TIME_T_MAX and the
+     rest will be cleared.
 
      If a description can be proposed from the payload contents, that should be
      attached as a string to the description field.  This will be used for the
      key description if the caller of add_key() passes NULL or "".
 
      The method can attach anything it likes to type_data[] and payload.  These
-     are merely passed along to the instantiate() or update() operations.
+     are merely passed along to the instantiate() or update() operations.  If
+     set, the expiry time will be applied to the key if it is instantiated from
+     this data.
 
-     The method should return 0 if success ful or a negative error code
+     The method should return 0 if successful or a negative error code
      otherwise.
 
      

diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index d2b4845d74bf1bccde14feb61f6c9e8980599e82..44792ee649de2513b8f5dba53d29758cacef2f24 100644 (file)
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -45,6 +45,7 @@ struct key_preparsed_payload {
        const void      *data;          /* Raw data */
        size_t          datalen;        /* Raw datalen */
        size_t          quotalen;       /* Quota length for proposed payload */
+       time_t          expiry;         /* Expiry time of key */
        bool            trusted;        /* True if key is trusted */
 };
 

diff --git a/security/keys/key.c b/security/keys/key.c
index 03620a35a4dcd29020a736eb925ab8ff99562a34..755fb02df5af47e99e2f143ae30b9e20bbf05f97 100644 (file)
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -437,6 +437,11 @@ static int __key_instantiate_and_link(struct key *key,
                        /* disable the authorisation key */
                        if (authkey)
                                key_revoke(authkey);
+
+                       if (prep->expiry != TIME_T_MAX) {
+                               key->expiry = prep->expiry;
+                               key_schedule_gc(prep->expiry + key_gc_delay);
+                       }
                }
        }
 
@@ -479,6 +484,7 @@ int key_instantiate_and_link(struct key *key,
        prep.data = data;
        prep.datalen = datalen;
        prep.quotalen = key->type->def_datalen;
+       prep.expiry = TIME_T_MAX;
        if (key->type->preparse) {
                ret = key->type->preparse(&prep);
                if (ret < 0)
@@ -811,6 +817,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
        prep.datalen = plen;
        prep.quotalen = index_key.type->def_datalen;
        prep.trusted = flags & KEY_ALLOC_TRUSTED;
+       prep.expiry = TIME_T_MAX;
        if (index_key.type->preparse) {
                ret = index_key.type->preparse(&prep);
                if (ret < 0) {
@@ -941,6 +948,7 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen)
        prep.data = payload;
        prep.datalen = plen;
        prep.quotalen = key->type->def_datalen;
+       prep.expiry = TIME_T_MAX;
        if (key->type->preparse) {
                ret = key->type->preparse(&prep);
                if (ret < 0)