diff options
author | Michael LeMay <mdlemay@epoch.ncsc.mil> | 2006-06-22 17:47:17 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-06-22 18:05:55 -0400 |
commit | d720024e94de4e8b7f10ee83c532926f3ad5d708 (patch) | |
tree | 8f21613c29a26bfbeb334cb0104b8b998b09fbdc /include | |
parent | f893afbe1262e27e91234506f72e17716190dd2f (diff) |
[PATCH] selinux: add hooks for key subsystem
Introduce SELinux hooks to support the access key retention subsystem
within the kernel. Incorporate new flask headers from a modified version
of the SELinux reference policy, with support for the new security class
representing retained keys. Extend the "key_alloc" security hook with a
task parameter representing the intended ownership context for the key
being allocated. Attach security information to root's default keyrings
within the SELinux initialization routine.
Has passed David's testsuite.
Signed-off-by: Michael LeMay <mdlemay@epoch.ncsc.mil>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/key.h | 18 | ||||
-rw-r--r-- | include/linux/security.h | 10 |
2 files changed, 19 insertions, 9 deletions
diff --git a/include/linux/key.h b/include/linux/key.h index cbf464ad9589..8c275d12ef63 100644 --- a/include/linux/key.h +++ b/include/linux/key.h | |||
@@ -241,8 +241,9 @@ extern void unregister_key_type(struct key_type *ktype); | |||
241 | 241 | ||
242 | extern struct key *key_alloc(struct key_type *type, | 242 | extern struct key *key_alloc(struct key_type *type, |
243 | const char *desc, | 243 | const char *desc, |
244 | uid_t uid, gid_t gid, key_perm_t perm, | 244 | uid_t uid, gid_t gid, |
245 | int not_in_quota); | 245 | struct task_struct *ctx, |
246 | key_perm_t perm, int not_in_quota); | ||
246 | extern int key_payload_reserve(struct key *key, size_t datalen); | 247 | extern int key_payload_reserve(struct key *key, size_t datalen); |
247 | extern int key_instantiate_and_link(struct key *key, | 248 | extern int key_instantiate_and_link(struct key *key, |
248 | const void *data, | 249 | const void *data, |
@@ -292,7 +293,9 @@ extern int key_unlink(struct key *keyring, | |||
292 | struct key *key); | 293 | struct key *key); |
293 | 294 | ||
294 | extern struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, | 295 | extern struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, |
295 | int not_in_quota, struct key *dest); | 296 | struct task_struct *ctx, |
297 | int not_in_quota, | ||
298 | struct key *dest); | ||
296 | 299 | ||
297 | extern int keyring_clear(struct key *keyring); | 300 | extern int keyring_clear(struct key *keyring); |
298 | 301 | ||
@@ -313,7 +316,8 @@ extern void keyring_replace_payload(struct key *key, void *replacement); | |||
313 | * the userspace interface | 316 | * the userspace interface |
314 | */ | 317 | */ |
315 | extern struct key root_user_keyring, root_session_keyring; | 318 | extern struct key root_user_keyring, root_session_keyring; |
316 | extern int alloc_uid_keyring(struct user_struct *user); | 319 | extern int alloc_uid_keyring(struct user_struct *user, |
320 | struct task_struct *ctx); | ||
317 | extern void switch_uid_keyring(struct user_struct *new_user); | 321 | extern void switch_uid_keyring(struct user_struct *new_user); |
318 | extern int copy_keys(unsigned long clone_flags, struct task_struct *tsk); | 322 | extern int copy_keys(unsigned long clone_flags, struct task_struct *tsk); |
319 | extern int copy_thread_group_keys(struct task_struct *tsk); | 323 | extern int copy_thread_group_keys(struct task_struct *tsk); |
@@ -342,7 +346,7 @@ extern void key_init(void); | |||
342 | #define make_key_ref(k) ({ NULL; }) | 346 | #define make_key_ref(k) ({ NULL; }) |
343 | #define key_ref_to_ptr(k) ({ NULL; }) | 347 | #define key_ref_to_ptr(k) ({ NULL; }) |
344 | #define is_key_possessed(k) 0 | 348 | #define is_key_possessed(k) 0 |
345 | #define alloc_uid_keyring(u) 0 | 349 | #define alloc_uid_keyring(u,c) 0 |
346 | #define switch_uid_keyring(u) do { } while(0) | 350 | #define switch_uid_keyring(u) do { } while(0) |
347 | #define __install_session_keyring(t, k) ({ NULL; }) | 351 | #define __install_session_keyring(t, k) ({ NULL; }) |
348 | #define copy_keys(f,t) 0 | 352 | #define copy_keys(f,t) 0 |
@@ -355,6 +359,10 @@ extern void key_init(void); | |||
355 | #define key_fsgid_changed(t) do { } while(0) | 359 | #define key_fsgid_changed(t) do { } while(0) |
356 | #define key_init() do { } while(0) | 360 | #define key_init() do { } while(0) |
357 | 361 | ||
362 | /* Initial keyrings */ | ||
363 | extern struct key root_user_keyring; | ||
364 | extern struct key root_session_keyring; | ||
365 | |||
358 | #endif /* CONFIG_KEYS */ | 366 | #endif /* CONFIG_KEYS */ |
359 | #endif /* __KERNEL__ */ | 367 | #endif /* __KERNEL__ */ |
360 | #endif /* _LINUX_KEY_H */ | 368 | #endif /* _LINUX_KEY_H */ |
diff --git a/include/linux/security.h b/include/linux/security.h index 4dfb1b84a9b3..47722d355532 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -1313,7 +1313,7 @@ struct security_operations { | |||
1313 | 1313 | ||
1314 | /* key management security hooks */ | 1314 | /* key management security hooks */ |
1315 | #ifdef CONFIG_KEYS | 1315 | #ifdef CONFIG_KEYS |
1316 | int (*key_alloc)(struct key *key); | 1316 | int (*key_alloc)(struct key *key, struct task_struct *tsk); |
1317 | void (*key_free)(struct key *key); | 1317 | void (*key_free)(struct key *key); |
1318 | int (*key_permission)(key_ref_t key_ref, | 1318 | int (*key_permission)(key_ref_t key_ref, |
1319 | struct task_struct *context, | 1319 | struct task_struct *context, |
@@ -3008,9 +3008,10 @@ static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid | |||
3008 | 3008 | ||
3009 | #ifdef CONFIG_KEYS | 3009 | #ifdef CONFIG_KEYS |
3010 | #ifdef CONFIG_SECURITY | 3010 | #ifdef CONFIG_SECURITY |
3011 | static inline int security_key_alloc(struct key *key) | 3011 | static inline int security_key_alloc(struct key *key, |
3012 | struct task_struct *tsk) | ||
3012 | { | 3013 | { |
3013 | return security_ops->key_alloc(key); | 3014 | return security_ops->key_alloc(key, tsk); |
3014 | } | 3015 | } |
3015 | 3016 | ||
3016 | static inline void security_key_free(struct key *key) | 3017 | static inline void security_key_free(struct key *key) |
@@ -3027,7 +3028,8 @@ static inline int security_key_permission(key_ref_t key_ref, | |||
3027 | 3028 | ||
3028 | #else | 3029 | #else |
3029 | 3030 | ||
3030 | static inline int security_key_alloc(struct key *key) | 3031 | static inline int security_key_alloc(struct key *key, |
3032 | struct task_struct *tsk) | ||
3031 | { | 3033 | { |
3032 | return 0; | 3034 | return 0; |
3033 | } | 3035 | } |