KEYS: Add invalidation support

Add support for invalidating a key - which renders it immediately invisible to
further searches and causes the garbage collector to immediately wake up,
remove it from keyrings and then destroy it when it's no longer referenced.

It's better not to do this with keyctl_revoke() as that marks the key to start
returning -EKEYREVOKED to searches when what is actually desired is to have the
key refetched.

To invalidate a key the caller must be granted SEARCH permission by the key.
This may be too strict.  It may be better to also permit invalidation if the
caller has any of READ, WRITE or SETATTR permission.

The primary use for this is to evict keys that are cached in special keyrings,
such as the DNS resolver or an ID mapper.

Signed-off-by: David Howells <dhowells@redhat.com>

1 files changed, 11 insertions, 14 deletions

diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 89d02cfb00c..7445875f681 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -382,13 +382,17 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
         /* otherwise, the top keyring must not be revoked, expired, or
          * negatively instantiated if we are to search it */
         key_ref = ERR_PTR(-EAGAIN);
-        if (kflags & ((1 << KEY_FLAG_REVOKED) | (1 << KEY_FLAG_NEGATIVE)) ||
+        if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
+                      (1 << KEY_FLAG_REVOKED) |
+                      (1 << KEY_FLAG_NEGATIVE)) ||
             (keyring->expiry && now.tv_sec >= keyring->expiry))
                 goto error_2;
 
         /* start processing a new keyring */
 descend:
-        if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
+        kflags = keyring->flags;
+        if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
+                      (1 << KEY_FLAG_REVOKED)))
                 goto not_this_keyring;
 
         keylist = rcu_dereference(keyring->payload.subscriptions);
@@ -406,9 +410,10 @@ descend:
                 if (key->type != type)
                         continue;
 
-                /* skip revoked keys and expired keys */
+                /* skip invalidated, revoked and expired keys */
                 if (!no_state_check) {
-                        if (kflags & (1 << KEY_FLAG_REVOKED))
+                        if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
+                                      (1 << KEY_FLAG_REVOKED)))
                                 continue;
 
                         if (key->expiry && now.tv_sec >= key->expiry)
@@ -559,7 +564,8 @@ key_ref_t __keyring_search_one(key_ref_t keyring_ref,
                              key->type->match(key, description)) &&
                             key_permission(make_key_ref(key, possessed),
                                            perm) == 0 &&
-                            !test_bit(KEY_FLAG_REVOKED, &key->flags)
+                            !(key->flags & ((1 << KEY_FLAG_INVALIDATED) |
+                                            (1 << KEY_FLAG_REVOKED)))
                             )
                                 goto found;
                 }
@@ -1177,15 +1183,6 @@ static void keyring_revoke(struct key *keyring)
 }
 
 /*
- * Determine whether a key is dead.
- */
-static bool key_is_dead(struct key *key, time_t limit)
-{
-        return test_bit(KEY_FLAG_DEAD, &key->flags) ||
-                (key->expiry > 0 && key->expiry <= limit);
-}
-
-/*
  * Collect garbage from the contents of a keyring, replacing the old list with
  * a new one with the pointers all shuffled down.
  *