summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2016-04-06 16:14:26 +0100
committerDavid Howells <dhowells@redhat.com>2016-04-11 22:44:15 +0100
commit77f68bac9481ad440f4f34dda3d28c2dce6eb87b (patch)
tree3366c0ab94b42cc67fdbe36a2af7ac6bc1a50467 /security
parenta511e1af8b12f44c6e55786c463c9f093c214fb6 (diff)
downloadop-kernel-dev-77f68bac9481ad440f4f34dda3d28c2dce6eb87b.zip
op-kernel-dev-77f68bac9481ad440f4f34dda3d28c2dce6eb87b.tar.gz
KEYS: Remove KEY_FLAG_TRUSTED and KEY_ALLOC_TRUSTED
Remove KEY_FLAG_TRUSTED and KEY_ALLOC_TRUSTED as they're no longer meaningful. Also we can drop the trusted flag from the preparse structure. Given this, we no longer need to pass the key flags through to restrict_link(). Further, we can now get rid of keyring_restrict_trusted_only() also. Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/digsig.c3
-rw-r--r--security/keys/key.c11
-rw-r--r--security/keys/keyring.c29
3 files changed, 4 insertions, 39 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index d647178..98ee4c7 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -51,12 +51,11 @@ static bool init_keyring __initdata;
*/
static int restrict_link_by_ima_mok(struct key *keyring,
const struct key_type *type,
- unsigned long flags,
const union key_payload *payload)
{
int ret;
- ret = restrict_link_by_builtin_trusted(keyring, type, flags, payload);
+ ret = restrict_link_by_builtin_trusted(keyring, type, payload);
if (ret != -ENOKEY)
return ret;
diff --git a/security/keys/key.c b/security/keys/key.c
index deb8817..bd5a272 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -227,7 +227,6 @@ struct key *key_alloc(struct key_type *type, const char *desc,
key_perm_t perm, unsigned long flags,
int (*restrict_link)(struct key *,
const struct key_type *,
- unsigned long,
const union key_payload *))
{
struct key_user *user = NULL;
@@ -300,8 +299,6 @@ struct key *key_alloc(struct key_type *type, const char *desc,
if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
key->flags |= 1 << KEY_FLAG_IN_QUOTA;
- if (flags & KEY_ALLOC_TRUSTED)
- key->flags |= 1 << KEY_FLAG_TRUSTED;
if (flags & KEY_ALLOC_BUILT_IN)
key->flags |= 1 << KEY_FLAG_BUILTIN;
@@ -504,7 +501,7 @@ int key_instantiate_and_link(struct key *key,
if (keyring) {
if (keyring->restrict_link) {
ret = keyring->restrict_link(keyring, key->type,
- key->flags, &prep.payload);
+ &prep.payload);
if (ret < 0)
goto error;
}
@@ -811,7 +808,6 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
int ret;
int (*restrict_link)(struct key *,
const struct key_type *,
- unsigned long,
const union key_payload *) = NULL;
/* look up the key type to see if it's one of the registered kernel
@@ -843,7 +839,6 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
prep.data = payload;
prep.datalen = plen;
prep.quotalen = index_key.type->def_datalen;
- prep.trusted = flags & KEY_ALLOC_TRUSTED;
prep.expiry = TIME_T_MAX;
if (index_key.type->preparse) {
ret = index_key.type->preparse(&prep);
@@ -860,9 +855,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
index_key.desc_len = strlen(index_key.description);
if (restrict_link) {
- unsigned long kflags = prep.trusted ? KEY_FLAG_TRUSTED : 0;
- ret = restrict_link(keyring,
- index_key.type, kflags, &prep.payload);
+ ret = restrict_link(keyring, index_key.type, &prep.payload);
if (ret < 0) {
key_ref = ERR_PTR(ret);
goto error_free_prep;
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index d2d1f33..c91e4e0 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -494,7 +494,6 @@ struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
unsigned long flags,
int (*restrict_link)(struct key *,
const struct key_type *,
- unsigned long,
const union key_payload *),
struct key *dest)
{
@@ -516,33 +515,9 @@ struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
EXPORT_SYMBOL(keyring_alloc);
/**
- * keyring_restrict_trusted_only - Restrict additions to a keyring to trusted keys only
- * @keyring: The keyring being added to.
- * @type: The type of key being added.
- * @flags: The key flags.
- * @payload: The payload of the key intended to be added.
- *
- * Reject the addition of any links to a keyring that point to keys that aren't
- * marked as being trusted. It can be overridden by passing
- * KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when adding a key
- * to a keyring.
- *
- * This is meant to be passed as the restrict_link parameter to
- * keyring_alloc().
- */
-int keyring_restrict_trusted_only(struct key *keyring,
- const struct key_type *type,
- unsigned long flags,
- const union key_payload *payload)
-{
- return flags & KEY_FLAG_TRUSTED ? 0 : -EPERM;
-}
-
-/**
* restrict_link_reject - Give -EPERM to restrict link
* @keyring: The keyring being added to.
* @type: The type of key being added.
- * @flags: The key flags.
* @payload: The payload of the key intended to be added.
*
* Reject the addition of any links to a keyring. It can be overridden by
@@ -554,7 +529,6 @@ int keyring_restrict_trusted_only(struct key *keyring,
*/
int restrict_link_reject(struct key *keyring,
const struct key_type *type,
- unsigned long flags,
const union key_payload *payload)
{
return -EPERM;
@@ -1248,8 +1222,7 @@ static int __key_link_check_restriction(struct key *keyring, struct key *key)
{
if (!keyring->restrict_link)
return 0;
- return keyring->restrict_link(keyring,
- key->type, key->flags, &key->payload);
+ return keyring->restrict_link(keyring, key->type, &key->payload);
}
/**
OpenPOWER on IntegriCloud