KEYS: Add a new keyctl op to reject a key with a specified error code

Add a new keyctl op to reject a key with a specified error code.  This works
much the same as negating a key, and so keyctl_negate_key() is made a special
case of keyctl_reject_key().  The difference is that keyctl_negate_key()
selects ENOKEY as the error to be reported.

Typically the key would be rejected with EKEYEXPIRED, EKEYREVOKED or
EKEYREJECTED, but this is not mandatory.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 2 insertions, 2 deletions

diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 5620f084dede..cdd2f3f88c88 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -352,7 +352,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
                         goto error_2;
                 if (key->expiry && now.tv_sec >= key->expiry)
                         goto error_2;
-                key_ref = ERR_PTR(-ENOKEY);
+                key_ref = ERR_PTR(key->type_data.reject_error);
                 if (kflags & (1 << KEY_FLAG_NEGATIVE))
                         goto error_2;
                 goto found;
@@ -401,7 +401,7 @@ descend:
 
                 /* we set a different error code if we pass a negative key */
                 if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
-                        err = -ENOKEY;
+                        err = key->type_data.reject_error;
                         continue;
                 }