Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowel...
[sfrench/cifs-2.6.git] / security / integrity / digsig.c
index 4582bc26770a34a71eb5c9b0c3d11501cc7f9d4e..ceb10553a6ba64a093a747bf1f5f1605ba9fecf6 100644 (file)
@@ -47,7 +47,8 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 
        if (!keyring[id]) {
                keyring[id] =
-                       request_key(&key_type_keyring, keyring_name[id], NULL);
+                       request_key(&key_type_keyring, keyring_name[id],
+                                   NULL, NULL);
                if (IS_ERR(keyring[id])) {
                        int err = PTR_ERR(keyring[id]);
                        pr_err("no %s keyring: %d\n", keyring_name[id], err);
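Review bot: The new trailing `NULL` handed to request_key() at the top of the hunk is unexplained at the call site; its meaning (presumably "use the key type's default ACL", to be confirmed against the new request_key() prototype) should be stated inline, e.g. `request_key(&key_type_keyring, keyring_name[id], NULL, NULL); /* no callout info, default ACL */`. Separately, within the hunk keyring[id] is still holding the ERR_PTR value after pr_err(); the body of integrity_digsig_verify() continues past the hunk, so this only matters if the lines that follow do not reset it, since a stale ERR_PTR is non-NULL and would pass the `!keyring[id]` check on the next call.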
@@ -69,14 +70,14 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
        return -EOPNOTSUPP;
 }
 
-static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
+static int __integrity_init_keyring(const unsigned int id, struct key_acl *acl,
                                    struct key_restriction *restriction)
 {
        const struct cred *cred = current_cred();
        int err = 0;
 
        keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
-                                   KGIDT_INIT(0), cred, perm,
+                                   KGIDT_INIT(0), cred, acl,
                                    KEY_ALLOC_NOT_IN_QUOTA, restriction, NULL);
        if (IS_ERR(keyring[id])) {
                err = PTR_ERR(keyring[id]);
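Review bot: __integrity_init_keyring() passes `acl` straight through to keyring_alloc() with no NULL fallback, whereas integrity_add_key() later in this commit substitutes `&internal_key_acl` when its `acl` is NULL, so the two helpers now have different contracts for the same parameter. Both call sites in integrity_init_keyring() supply a non-NULL ACL, so this is not a defect today, but the asymmetry should be recorded on the signature, e.g. `/* @acl must be non-NULL; callers pick internal_keyring_acl or internal_writable_keyring_acl */`. The function continues past the end of the hunk.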
@@ -94,10 +95,7 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
 int __init integrity_init_keyring(const unsigned int id)
 {
        struct key_restriction *restriction;
-       key_perm_t perm;
-
-       perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW
-               | KEY_USR_READ | KEY_USR_SEARCH;
+       struct key_acl *acl = &internal_keyring_acl;
 
        if (id == INTEGRITY_KEYRING_PLATFORM) {
                restriction = NULL;
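Review bot: The permission set granted on the integrity keyrings is no longer visible in this file: the explicit mask `(KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH` is replaced by a pointer to `internal_keyring_acl`, whose definition is not in the diff, so a reader cannot confirm from here that the grants are equivalent (in particular that no additional write or setattr permission is handed out). The same applies to `internal_writable_keyring_acl` in the next hunk, which stands in for the `perm |= KEY_USR_WRITE` case on the IMA keyring, and to `internal_key_acl` in the integrity_add_key() hunk, which replaces the X.509 key mask that deliberately omitted KEY_USR_SEARCH. Once checked against the ACL definitions, a comment at the declaration such as `/* internal_keyring_acl: possessor all-but-setattr, user view/read/search - same grants as the former key_perm_t mask */` would preserve that intent for the next reader. integrity_init_keyring() continues past the hunk.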
@@ -112,14 +110,14 @@ int __init integrity_init_keyring(const unsigned int id)
                return -ENOMEM;
 
        restriction->check = restrict_link_to_ima;
-       perm |= KEY_USR_WRITE;
+       acl = &internal_writable_keyring_acl;
 
 out:
-       return __integrity_init_keyring(id, perm, restriction);
+       return __integrity_init_keyring(id, acl, restriction);
 }
 
-int __init integrity_add_key(const unsigned int id, const void *data,
-                            off_t size, key_perm_t perm)
+static int __init integrity_add_key(const unsigned int id, const void *data,
+                                   off_t size, struct key_acl *acl)
 {
        key_ref_t key;
        int rc = 0;
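Review bot: integrity_add_key() becomes `static` here, so any prototype still exported from the integrity header would now conflict; assuming the commit removes it, that header change is not part of this diff and should be confirmed. The new `acl` parameter also accepts NULL (the `acl ?: &internal_key_acl` fallback is in the following hunk), but that contract is only discoverable by reading the body; a kernel-doc line such as `@acl: ACL for the new key, or NULL for the default internal key ACL` on this function, and likewise on the exported integrity_load_cert() in the last hunk which forwards its `acl` unchanged, would make it explicit for callers. The body of integrity_add_key() continues past the hunk.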
@@ -128,7 +126,7 @@ int __init integrity_add_key(const unsigned int id, const void *data,
                return -EINVAL;
 
        key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric",
-                                  NULL, data, size, perm,
+                                  NULL, data, size, acl ?: &internal_key_acl,
                                   KEY_ALLOC_NOT_IN_QUOTA);
        if (IS_ERR(key)) {
                rc = PTR_ERR(key);
@@ -148,7 +146,6 @@ int __init integrity_load_x509(const unsigned int id, const char *path)
        void *data;
        loff_t size;
        int rc;
-       key_perm_t perm;
 
        rc = kernel_read_file_from_path(path, &data, &size, 0,
                                        READING_X509_CERTIFICATE);
@@ -157,21 +154,19 @@ int __init integrity_load_x509(const unsigned int id, const char *path)
                return rc;
        }
 
-       perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ;
-
        pr_info("Loading X.509 certificate: %s\n", path);
-       rc = integrity_add_key(id, (const void *)data, size, perm);
+       rc = integrity_add_key(id, data, size, NULL);
 
        vfree(data);
        return rc;
 }
 
 int __init integrity_load_cert(const unsigned int id, const char *source,
-                              const void *data, size_t len, key_perm_t perm)
+                              const void *data, size_t len, struct key_acl *acl)
 {
        if (!data)
                return -EINVAL;
 
        pr_info("Loading X.509 certificate: %s\n", source);
-       return integrity_add_key(id, data, len, perm);
+       return integrity_add_key(id, data, len, acl);
 }