authorDavid Howells <dhowells@redhat.com>2012-05-11 05:56:56 -0400
committerDavid Howells <dhowells@redhat.com>2012-05-11 05:56:56 -0400
commitfd75815f727f157a05f4c96b5294a4617c0557da (patch)
treeb2e76abf176d37b5d810b0c813b8c0219754b88c /include/linux/key.h
parent31d5a79d7f3d436da176a78ebc12d53c06da402e (diff)
KEYS: Add invalidation support
Add support for invalidating a key - which renders it immediately invisible to further searches and causes the garbage collector to immediately wake up, remove it from keyrings and then destroy it when it's no longer referenced. It's better not to do this with keyctl_revoke() as that marks the key to start returning -EKEYREVOKED to searches when what is actually desired is to have the key refetched. To invalidate a key the caller must be granted SEARCH permission by the key. This may be too strict. It may be better to also permit invalidation if the caller has any of READ, WRITE or SETATTR permission. The primary use for this is to evict keys that are cached in special keyrings, such as the DNS resolver or an ID mapper. Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'include/linux/key.h')
-rw-r--r--include/linux/key.h3
1 files changed, 3 insertions, 0 deletions
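--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -160,6 +160,7 @@ struct key {
 #define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */
 #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
 #define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
+#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
 
  /* the description string
  * - this is used to match a key against search criteria
@@ -203,6 +204,7 @@ extern struct key *key_alloc(struct key_type *type,
 #define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */
 
 extern void key_revoke(struct key *key);
+extern void key_invalidate(struct key *key);
 extern void key_put(struct key *key);
 
 static inline struct key *key_get(struct key *key)
@@ -323,6 +325,7 @@ extern void key_init(void);
 #define key_serial(k) 0
 #define key_get(k) ({ NULL; })
 #define key_revoke(k) do { } while(0)
+#define key_invalidate(k) do { } while(0)
 #define key_put(k) do { } while(0)
 #define key_ref_put(k) do { } while(0)
 #define make_key_ref(k, p) NULL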
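Review bot: The new `extern void key_invalidate(struct key *key);` in the second hunk carries no comment distinguishing it from `key_revoke()` on the line above, even though the commit message says the two have different visible effects (a revoked key makes searches fail with -EKEYREVOKED, an invalidated key disappears from searches and is unlinked and destroyed by the garbage collector). I would add above the declaration: `/* Invalidate a key: hide it from further searches and let the gc unlink and destroy it; unlike key_revoke(), lookups do not get -EKEYREVOKED. */`, and note in the same place that the caller must hold SEARCH permission on the key, since that requirement is stated only in the commit description and callers of a header API should not have to infer it. The `KEY_FLAG_INVALIDATED 7` comment in the first hunk could likewise say that searches skip keys with this flag set, as that is the effect a reader of the flag table needs. The `!CONFIG_KEYS` stub in the third hunk mirrors the existing `key_revoke` stub, which looks consistent. The `key_get` definition at the end of the second hunk continues outside the hunk.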