diff options
author | David Howells <dhowells@redhat.com> | 2005-10-30 18:02:44 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-10-30 20:37:23 -0500 |
commit | 29db9190634067c5a328ee5fcc2890251b836b4b (patch) | |
tree | 07ec242789230824f1fa8bcbbe681fd5bf166fa8 /security/dummy.c | |
parent | 2aa349f6e37ce030060c994d3aebbff4ab703565 (diff) |
[PATCH] Keys: Add LSM hooks for key management [try #3]
The attached patch adds LSM hooks for key management facilities. The notable
changes are:
(1) The key struct now supports a security pointer for the use of security
modules. This will permit key labelling and restrictions on which
programs may access a key.
(2) Security modules get a chance to note (or abort) the allocation of a key.
(3) The key permission checking can now be enhanced by the security modules;
the permissions check consults LSM if all other checks bear out.
(4) The key permissions checking functions now return an error code rather
than a boolean value.
(5) An extra permission has been added to govern the modification of
attributes (UID, GID, permissions).
Note that there isn't an LSM hook specifically for each keyctl() operation,
but rather the permissions hook allows control of individual operations based
on the permission request bits.
Key management access control through LSM is enabled by automatically if both
CONFIG_KEYS and CONFIG_SECURITY are enabled.
This should be applied on top of the patch ensubjected:
[PATCH] Keys: Possessor permissions should be additive
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security/dummy.c')
-rw-r--r-- | security/dummy.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/security/dummy.c b/security/dummy.c index 2a0337a52d32..3ca5f2b828a0 100644 --- a/security/dummy.c +++ b/security/dummy.c | |||
@@ -803,6 +803,23 @@ static int dummy_setprocattr(struct task_struct *p, char *name, void *value, siz | |||
803 | return -EINVAL; | 803 | return -EINVAL; |
804 | } | 804 | } |
805 | 805 | ||
806 | #ifdef CONFIG_KEYS | ||
807 | static inline int dummy_key_alloc(struct key *key) | ||
808 | { | ||
809 | return 0; | ||
810 | } | ||
811 | |||
812 | static inline void dummy_key_free(struct key *key) | ||
813 | { | ||
814 | } | ||
815 | |||
816 | static inline int dummy_key_permission(key_ref_t key_ref, | ||
817 | struct task_struct *context, | ||
818 | key_perm_t perm) | ||
819 | { | ||
820 | return 0; | ||
821 | } | ||
822 | #endif /* CONFIG_KEYS */ | ||
806 | 823 | ||
807 | struct security_operations dummy_security_ops; | 824 | struct security_operations dummy_security_ops; |
808 | 825 | ||
@@ -954,5 +971,11 @@ void security_fixup_ops (struct security_operations *ops) | |||
954 | set_to_dummy_if_null(ops, sk_alloc_security); | 971 | set_to_dummy_if_null(ops, sk_alloc_security); |
955 | set_to_dummy_if_null(ops, sk_free_security); | 972 | set_to_dummy_if_null(ops, sk_free_security); |
956 | #endif /* CONFIG_SECURITY_NETWORK */ | 973 | #endif /* CONFIG_SECURITY_NETWORK */ |
974 | #ifdef CONFIG_KEYS | ||
975 | set_to_dummy_if_null(ops, key_alloc); | ||
976 | set_to_dummy_if_null(ops, key_free); | ||
977 | set_to_dummy_if_null(ops, key_permission); | ||
978 | #endif /* CONFIG_KEYS */ | ||
979 | |||
957 | } | 980 | } |
958 | 981 | ||