-rw-r--r--certs/system_keyring.c2
-rw-r--r--include/keys/system_keyring.h1
-rw-r--r--include/linux/key-type.h1
-rw-r--r--include/linux/key.h21
-rw-r--r--security/integrity/digsig.c3
-rw-r--r--security/keys/key.c11
-rw-r--r--security/keys/keyring.c29
7 files changed, 9 insertions, 59 deletions
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 4e2fa8a..e460d00 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -31,7 +31,6 @@ extern __initconst const unsigned long system_certificate_list_size;
*/
int restrict_link_by_builtin_trusted(struct key *keyring,
const struct key_type *type,
- unsigned long flags,
const union key_payload *payload)
{
return restrict_link_by_signature(system_trusted_keyring,
@@ -97,7 +96,6 @@ static __init int load_system_certificate_list(void)
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ),
KEY_ALLOC_NOT_IN_QUOTA |
- KEY_ALLOC_TRUSTED |
KEY_ALLOC_BUILT_IN |
KEY_ALLOC_BYPASS_RESTRICTION);
if (IS_ERR(key)) {
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 9371591..c72330a 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -18,7 +18,6 @@
extern int restrict_link_by_builtin_trusted(struct key *keyring,
const struct key_type *type,
- unsigned long flags,
const union key_payload *payload);
#else
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 7463355..eaee981 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -45,7 +45,6 @@ struct key_preparsed_payload {
size_t datalen; /* Raw datalen */
size_t quotalen; /* Quota length for proposed payload */
time_t expiry; /* Expiry time of key */
- bool trusted; /* True if key is trusted */
};
typedef int (*request_key_actor_t)(struct key_construction *key,
diff --git a/include/linux/key.h b/include/linux/key.h
index 83b6036..7229147 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -173,10 +173,9 @@ struct key {
#define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
-#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
-#define KEY_FLAG_BUILTIN 9 /* set if key is built in to the kernel */
-#define KEY_FLAG_ROOT_CAN_INVAL 10 /* set if key can be invalidated by root without permission */
-#define KEY_FLAG_KEEP 11 /* set if key should not be removed */
+#define KEY_FLAG_BUILTIN 8 /* set if key is built in to the kernel */
+#define KEY_FLAG_ROOT_CAN_INVAL 9 /* set if key can be invalidated by root without permission */
+#define KEY_FLAG_KEEP 10 /* set if key should not be removed */
/* the key type and key description string
* - the desc is used to match a key against search criteria
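Review bot: Renumbering KEY_FLAG_BUILTIN, KEY_FLAG_ROOT_CAN_INVAL and KEY_FLAG_KEEP to close the gap left by KEY_FLAG_TRUSTED changes the raw bit positions inside key->flags between kernel versions. That is harmless as long as the bit numbers are only consumed through these macros, which appears to be the case since they live in include/linux/key.h rather than a uapi header, but any tracing or debug output that printed key->flags as a raw number will decode differently across this commit. The later hunk in this file does the same to KEY_ALLOC_BUILT_IN (0x0008 to 0x0004) and KEY_ALLOC_BYPASS_RESTRICTION (0x0010 to 0x0008). A comment above the block, `/* in-kernel bit numbers only; may be renumbered, never persist or export them */`, would record that assumption for the next person who removes a flag.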
@@ -217,7 +216,6 @@ struct key {
*/
int (*restrict_link)(struct key *keyring,
const struct key_type *type,
- unsigned long flags,
const union key_payload *payload);
};
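Review bot: The `restrict_link` member now receives only the keyring, the key type and the payload, so the kernel-doc comment that closes at the top of this hunk should no longer describe a flags argument and should state that the callback has to derive trust from the payload itself (for example by checking a signature against the keyring, as `restrict_link_by_signature` does in certs/system_keyring.c), because no per-key trusted flag exists any more. Suggested wording: `Decide whether a key of @type carrying @payload may be linked into @keyring; no trust flag is passed, so the decision must be made from the payload alone.` The comment itself lies outside the hunk, so I cannot see whether it still mentions @flags.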
@@ -229,16 +227,14 @@ extern struct key *key_alloc(struct key_type *type,
unsigned long flags,
int (*restrict_link)(struct key *,
const struct key_type *,
- unsigned long,
const union key_payload *));
#define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */
#define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */
#define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */
-#define KEY_ALLOC_TRUSTED 0x0004 /* Key should be flagged as trusted */
-#define KEY_ALLOC_BUILT_IN 0x0008 /* Key is built into kernel */
-#define KEY_ALLOC_BYPASS_RESTRICTION 0x0010 /* Override the check on restricted keyrings */
+#define KEY_ALLOC_BUILT_IN 0x0004 /* Key is built into kernel */
+#define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */
extern void key_revoke(struct key *key);
extern void key_invalidate(struct key *key);
@@ -309,18 +305,11 @@ extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid
unsigned long flags,
int (*restrict_link)(struct key *,
const struct key_type *,
- unsigned long,
const union key_payload *),
struct key *dest);
-extern int keyring_restrict_trusted_only(struct key *keyring,
- const struct key_type *type,
- unsigned long,
- const union key_payload *payload);
-
extern int restrict_link_reject(struct key *keyring,
const struct key_type *type,
- unsigned long flags,
const union key_payload *payload);
extern int keyring_clear(struct key *keyring);
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index d647178..98ee4c7 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -51,12 +51,11 @@ static bool init_keyring __initdata;
*/
static int restrict_link_by_ima_mok(struct key *keyring,
const struct key_type *type,
- unsigned long flags,
const union key_payload *payload)
{
int ret;
- ret = restrict_link_by_builtin_trusted(keyring, type, flags, payload);
+ ret = restrict_link_by_builtin_trusted(keyring, type, payload);
if (ret != -ENOKEY)
return ret;
diff --git a/security/keys/key.c b/security/keys/key.c
index deb8817..bd5a272 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -227,7 +227,6 @@ struct key *key_alloc(struct key_type *type, const char *desc,
key_perm_t perm, unsigned long flags,
int (*restrict_link)(struct key *,
const struct key_type *,
- unsigned long,
const union key_payload *))
{
struct key_user *user = NULL;
@@ -300,8 +299,6 @@ struct key *key_alloc(struct key_type *type, const char *desc,
if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
key->flags |= 1 << KEY_FLAG_IN_QUOTA;
- if (flags & KEY_ALLOC_TRUSTED)
- key->flags |= 1 << KEY_FLAG_TRUSTED;
if (flags & KEY_ALLOC_BUILT_IN)
key->flags |= 1 << KEY_FLAG_BUILTIN;
@@ -504,7 +501,7 @@ int key_instantiate_and_link(struct key *key,
if (keyring) {
if (keyring->restrict_link) {
ret = keyring->restrict_link(keyring, key->type,
- key->flags, &prep.payload);
+ &prep.payload);
if (ret < 0)
goto error;
}
@@ -811,7 +808,6 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
int ret;
int (*restrict_link)(struct key *,
const struct key_type *,
- unsigned long,
const union key_payload *) = NULL;
/* look up the key type to see if it's one of the registered kernel
@@ -843,7 +839,6 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
prep.data = payload;
prep.datalen = plen;
prep.quotalen = index_key.type->def_datalen;
- prep.trusted = flags & KEY_ALLOC_TRUSTED;
prep.expiry = TIME_T_MAX;
if (index_key.type->preparse) {
ret = index_key.type->preparse(&prep);
@@ -860,9 +855,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
index_key.desc_len = strlen(index_key.description);
if (restrict_link) {
- unsigned long kflags = prep.trusted ? KEY_FLAG_TRUSTED : 0;
- ret = restrict_link(keyring,
- index_key.type, kflags, &prep.payload);
+ ret = restrict_link(keyring, index_key.type, &prep.payload);
if (ret < 0) {
key_ref = ERR_PTR(ret);
goto error_free_prep;
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index d2d1f33..c91e4e0 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -494,7 +494,6 @@ struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
unsigned long flags,
int (*restrict_link)(struct key *,
const struct key_type *,
- unsigned long,
const union key_payload *),
struct key *dest)
{
@@ -516,33 +515,9 @@ struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
EXPORT_SYMBOL(keyring_alloc);
/**
- * keyring_restrict_trusted_only - Restrict additions to a keyring to trusted keys only
- * @keyring: The keyring being added to.
- * @type: The type of key being added.
- * @flags: The key flags.
- * @payload: The payload of the key intended to be added.
- *
- * Reject the addition of any links to a keyring that point to keys that aren't
- * marked as being trusted. It can be overridden by passing
- * KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when adding a key
- * to a keyring.
- *
- * This is meant to be passed as the restrict_link parameter to
- * keyring_alloc().
- */
-int keyring_restrict_trusted_only(struct key *keyring,
- const struct key_type *type,
- unsigned long flags,
- const union key_payload *payload)
-{
- return flags & KEY_FLAG_TRUSTED ? 0 : -EPERM;
-}
-
-/**
* restrict_link_reject - Give -EPERM to restrict link
* @keyring: The keyring being added to.
* @type: The type of key being added.
- * @flags: The key flags.
* @payload: The payload of the key intended to be added.
*
* Reject the addition of any links to a keyring. It can be overridden by
@@ -554,7 +529,6 @@ int keyring_restrict_trusted_only(struct key *keyring,
*/
int restrict_link_reject(struct key *keyring,
const struct key_type *type,
- unsigned long flags,
const union key_payload *payload)
{
return -EPERM;
@@ -1248,8 +1222,7 @@ static int __key_link_check_restriction(struct key *keyring, struct key *key)
{
if (!keyring->restrict_link)
return 0;
- return keyring->restrict_link(keyring,
- key->type, key->flags, &key->payload);
+ return keyring->restrict_link(keyring, key->type, &key->payload);
}
/**
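Review bot: `__key_link_check_restriction` now hands `&key->payload` to the restriction callback, so the callback's decision is made from the payload of an existing key that is reached through a link operation rather than from the freshly preparsed payload used in `key_instantiate_and_link`. Whether the key is guaranteed to be instantiated at this point is not visible from the hunk, so callbacks such as `restrict_link_by_signature` should be checked to ensure they tolerate a payload whose data pointers are still NULL instead of dereferencing them; before this commit a callback could reject on `flags & KEY_FLAG_TRUSTED` without touching the payload, so this is a newly reachable path. If instantiation is relied upon, a comment above the call, `/* callbacks must cope with a not-yet-instantiated payload */`, would make that expectation explicit.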