[PATCH] selinux: add hooks for key subsystem

Introduce SELinux hooks to support the access key retention subsystem
within the kernel.  Incorporate new flask headers from a modified version
of the SELinux reference policy, with support for the new security class
representing retained keys.  Extend the "key_alloc" security hook with a
task parameter representing the intended ownership context for the key
being allocated.  Attach security information to root's default keyrings
within the SELinux initialization routine.

Has passed David's testsuite.

Signed-off-by: Michael LeMay <mdlemay@epoch.ncsc.mil>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

1 files changed, 13 insertions, 5 deletions

diff --git a/include/linux/key.h b/include/linux/key.h
index cbf464ad9589..8c275d12ef63 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -241,8 +241,9 @@ extern void unregister_key_type(struct key_type *ktype);
 
 extern struct key *key_alloc(struct key_type *type,
                              const char *desc,
-                             uid_t uid, gid_t gid, key_perm_t perm,
-                             int not_in_quota);
+                             uid_t uid, gid_t gid,
+                             struct task_struct *ctx,
+                             key_perm_t perm, int not_in_quota);
 extern int key_payload_reserve(struct key *key, size_t datalen);
 extern int key_instantiate_and_link(struct key *key,
                                     const void *data,
@@ -292,7 +293,9 @@ extern int key_unlink(struct key *keyring,
                       struct key *key);
 
 extern struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
-                                 int not_in_quota, struct key *dest);
+                                 struct task_struct *ctx,
+                                 int not_in_quota,
+                                 struct key *dest);
 
 extern int keyring_clear(struct key *keyring);
 
@@ -313,7 +316,8 @@ extern void keyring_replace_payload(struct key *key, void *replacement);
  * the userspace interface
  */
 extern struct key root_user_keyring, root_session_keyring;
-extern int alloc_uid_keyring(struct user_struct *user);
+extern int alloc_uid_keyring(struct user_struct *user,
+                             struct task_struct *ctx);
 extern void switch_uid_keyring(struct user_struct *new_user);
 extern int copy_keys(unsigned long clone_flags, struct task_struct *tsk);
 extern int copy_thread_group_keys(struct task_struct *tsk);
@@ -342,7 +346,7 @@ extern void key_init(void);
 #define make_key_ref(k)                 ({ NULL; })
 #define key_ref_to_ptr(k)               ({ NULL; })
 #define is_key_possessed(k)             0
-#define alloc_uid_keyring(u)            0
+#define alloc_uid_keyring(u,c)          0
 #define switch_uid_keyring(u)           do { } while(0)
 #define __install_session_keyring(t, k) ({ NULL; })
 #define copy_keys(f,t)                  0
@@ -355,6 +359,10 @@ extern void key_init(void);
 #define key_fsgid_changed(t)            do { } while(0)
 #define key_init()                      do { } while(0)
 
+/* Initial keyrings */
+extern struct key root_user_keyring;
+extern struct key root_session_keyring;
+
 #endif /* CONFIG_KEYS */
 #endif /* __KERNEL__ */
 #endif /* _LINUX_KEY_H */