keys: Make the KEY_NEED_* perms an enum rather than a mask
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
index 4c037c2545c1613b2b517d583f8d696ae00452bf..196acaccbfddf56a8fe0135babb53478e0778506 100644 (file)
@@ -6561,20 +6561,43 @@ static void selinux_key_free(struct key *k)
 
 static int selinux_key_permission(key_ref_t key_ref,
                                  const struct cred *cred,
-                                 unsigned perm)
+                                 enum key_need_perm need_perm)
 {
        struct key *key;
        struct key_security_struct *ksec;
-       u32 sid;
+       u32 perm, sid;
 
-       /* if no specific permissions are requested, we skip the
-          permission check. No serious, additional covert channels
-          appear to be created. */
-       if (perm == 0)
+       switch (need_perm) {
+       case KEY_NEED_VIEW:
+               perm = KEY__VIEW;
+               break;
+       case KEY_NEED_READ:
+               perm = KEY__READ;
+               break;
+       case KEY_NEED_WRITE:
+               perm = KEY__WRITE;
+               break;
+       case KEY_NEED_SEARCH:
+               perm = KEY__SEARCH;
+               break;
+       case KEY_NEED_LINK:
+               perm = KEY__LINK;
+               break;
+       case KEY_NEED_SETATTR:
+               perm = KEY__SETATTR;
+               break;
+       case KEY_NEED_UNLINK:
+       case KEY_SYSADMIN_OVERRIDE:
+       case KEY_AUTHTOKEN_OVERRIDE:
+       case KEY_DEFER_PERM_CHECK:
                return 0;
+       default:
+               WARN_ON(1);
+               return -EPERM;
 
-       sid = cred_sid(cred);
+       }
 
+       sid = cred_sid(cred);
        key = key_ref_to_ptr(key_ref);
        ksec = key->security;
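Review bot: The four cases that share `return 0` in the new switch (`KEY_NEED_UNLINK`, `KEY_SYSADMIN_OVERRIDE`, `KEY_AUTHTOKEN_OVERRIDE`, `KEY_DEFER_PERM_CHECK`) skip the SELinux decision with no explanation, and the comment that justified the old `perm == 0` skip is removed without a replacement. A comment above `case KEY_NEED_UNLINK:` should record why each request is exempt, for example `/* Not mediated by SELinux: no KEY__* permission maps to these requests. */`, if that is indeed the reason, which the hunk does not show. The `default:` branch fails closed with `-EPERM`, which is the right direction, but `WARN_ON(1)` would fire on every call once an unhandled value reaches it, so `WARN_ON_ONCE(1)` would keep the log usable. The blank line between `return -EPERM;` and the closing brace of the switch can be dropped. The function body continues past the end of the hunk, so how `perm` is consumed after `ksec = key->security;` is not visible here.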