KEYS: Add a new keyctl op to reject a key with a specified error code

Add a new keyctl op to reject a key with a specified error code. This works much the same as negating a key, and so keyctl_negate_key() is made a special case of keyctl_reject_key(). The difference is that keyctl_negate_key() selects ENOKEY as the error to be reported. Typically the key would be rejected with EKEYEXPIRED, EKEYREVOKED or EKEYREJECTED, but this is not mandatory. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
author: David Howells <dhowells@redhat.com> 2011-03-07 10:06:09 -0500
committer: James Morris <jmorris@namei.org> 2011-03-07 19:17:18 -0500
commit: fdd1b94581782a2ddf9124414e5b7a5f48ce2f9c (patch)
tree: ce83bfd1f0b1a7d4b9521bdb3d6afef1bff1d4f2 /security
parent: b9fffa3877a3ebbe0a5ad5a247358e2f7df15b24 (diff)
6 files changed, 56 insertions, 13 deletions
diff --git a/security/keys/compat.c b/security/keys/compat.c
index 07a5f35e3970..17c99d0149ec 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -85,6 +85,9 @@ asmlinkage long compat_sys_keyctl(u32 option,
        case KEYCTL_SESSION_TO_PARENT:
                return keyctl_session_to_parent();
+        case KEYCTL_REJECT:
+                return keyctl_reject_key(arg2, arg3, arg4, arg5);
        default:
                return -EOPNOTSUPP;
        }
diff --git a/security/keys/internal.h b/security/keys/internal.h
index a52aa7c88b41..286c0959ee51 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -214,6 +214,7 @@ extern long keyctl_assume_authority(key_serial_t);
 extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,
                                size_t buflen);
 extern long keyctl_session_to_parent(void);
+extern long keyctl_reject_key(key_serial_t, unsigned, unsigned, key_serial_t);
 /*
 * Debugging key validation
diff --git a/security/keys/key.c b/security/keys/key.c
index 8e315ef2e88e..f7f9d93f08d9 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -511,26 +511,29 @@ int key_instantiate_and_link(struct key *key,
 EXPORT_SYMBOL(key_instantiate_and_link);
 /**
- * key_negate_and_link - Negatively instantiate a key and link it into the keyring.
+ * key_reject_and_link - Negatively instantiate a key and link it into the keyring.
 * @key: The key to instantiate.
 * @timeout: The timeout on the negative key.
+ * @error: The error to return when the key is hit.
 * @keyring: Keyring to create a link in on success (or NULL).
 * @authkey: The authorisation token permitting instantiation.
 *
 * Negatively instantiate a key that's in the uninstantiated state and, if
- * successful, set its timeout and link it in to the destination keyring if one
+ * successful, set its timeout and stored error and link it in to the
- * is supplied.  The key and any links to the key will be automatically garbage
+ * destination keyring if one is supplied.  The key and any links to the key
- * collected after the timeout expires.
+ * will be automatically garbage collected after the timeout expires.
 *
 * Negative keys are used to rate limit repeated request_key() calls by causing
- * them to return -ENOKEY until the negative key expires.
+ * them to return the stored error code (typically ENOKEY) until the negative
+ * key expires.
 *
 * If successful, 0 is returned, the authorisation token is revoked and anyone
 * waiting for the key is woken up.  If the key was already instantiated,
 * -EBUSY will be returned.
 */
-int key_negate_and_link(struct key *key,
+int key_reject_and_link(struct key *key,
                        unsigned timeout,
+                        unsigned error,
                        struct key *keyring,
                        struct key *authkey)
 {
@@ -556,6 +559,7 @@ int key_negate_and_link(struct key *key,
                atomic_inc(&key->user->nikeys);
                set_bit(KEY_FLAG_NEGATIVE, &key->flags);
                set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
+                key->type_data.reject_error = -error;
                now = current_kernel_time();
                key->expiry = now.tv_sec + timeout;
                key_schedule_gc(key->expiry + key_gc_delay);
@@ -585,8 +589,7 @@ int key_negate_and_link(struct key *key,
        return ret == 0 ? link_ret : ret;
 }
+EXPORT_SYMBOL(key_reject_and_link);
-EXPORT_SYMBOL(key_negate_and_link);
 /*
 * Garbage collect keys in process context so that we don't have to disable
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 31a0fd8189f1..0d7b1946ff94 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1013,12 +1013,42 @@ error:
 */
 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
 {
+        return keyctl_reject_key(id, timeout, ENOKEY, ringid);
+}
+/*
+ * Negatively instantiate the key with the given timeout (in seconds) and error
+ * code and link the key into the destination keyring if one is given.
+ *
+ * The caller must have the appropriate instantiation permit set for this to
+ * work (see keyctl_assume_authority).  No other permissions are required.
+ *
+ * The key and any links to the key will be automatically garbage collected
+ * after the timeout expires.
+ *
+ * Negative keys are used to rate limit repeated request_key() calls by causing
+ * them to return the specified error code until the negative key expires.
+ *
+ * If successful, 0 will be returned.
+ */
+long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error,
+                       key_serial_t ringid)
+{
        const struct cred *cred = current_cred();
        struct request_key_auth *rka;
        struct key *instkey, *dest_keyring;
        long ret;
-        kenter("%d,%u,%d", id, timeout, ringid);
+        kenter("%d,%u,%u,%d", id, timeout, error, ringid);
+        /* must be a valid error code and mustn't be a kernel special */
+        if (error <= 0 ||
+            error >= MAX_ERRNO ||
+            error == ERESTARTSYS ||
+            error == ERESTARTNOINTR ||
+            error == ERESTARTNOHAND ||
+            error == ERESTART_RESTARTBLOCK)
+                return -EINVAL;
        /* the appropriate instantiation authorisation key must have been
         * assumed before calling this */
@@ -1038,7 +1068,7 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
                goto error;
        /* instantiate the key and link it into a keyring */
-        ret = key_negate_and_link(rka->target_key, timeout,
+        ret = key_reject_and_link(rka->target_key, timeout, error,
                                  dest_keyring, instkey);
        key_put(dest_keyring);
@@ -1492,6 +1522,12 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
        case KEYCTL_SESSION_TO_PARENT:
                return keyctl_session_to_parent();
+        case KEYCTL_REJECT:
+                return keyctl_reject_key((key_serial_t) arg2,
+                                         (unsigned) arg3,
+                                         (unsigned) arg4,
+                                         (key_serial_t) arg5);
        default:
                return -EOPNOTSUPP;
        }
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 5620f084dede..cdd2f3f88c88 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -352,7 +352,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
                        goto error_2;
                if (key->expiry && now.tv_sec >= key->expiry)
                        goto error_2;
-                key_ref = ERR_PTR(-ENOKEY);
+                key_ref = ERR_PTR(key->type_data.reject_error);
                if (kflags & (1 << KEY_FLAG_NEGATIVE))
                        goto error_2;
                goto found;
@@ -401,7 +401,7 @@ descend:
                /* we set a different error code if we pass a negative key */
                if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
-                        err = -ENOKEY;
+                        err = key->type_data.reject_error;
                        continue;
                }
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index a3dc0d460def..df3c0417ee40 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -585,7 +585,7 @@ int wait_for_key_construction(struct key *key, bool intr)
        if (ret < 0)
                return ret;
        if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
-                return -ENOKEY;
+                return key->type_data.reject_error;
        return key_validate(key);
 }
 EXPORT_SYMBOL(wait_for_key_construction);
author	David Howells <dhowells@redhat.com>	2011-03-07 10:06:09 -0500
committer	James Morris <jmorris@namei.org>	2011-03-07 19:17:18 -0500
commit	fdd1b94581782a2ddf9124414e5b7a5f48ce2f9c (patch)
tree	ce83bfd1f0b1a7d4b9521bdb3d6afef1bff1d4f2 /security
parent	b9fffa3877a3ebbe0a5ad5a247358e2f7df15b24 (diff)

diff --git a/security/keys/compat.c b/security/keys/compat.c index 07a5f35e3970..17c99d0149ec 100644 --- a/security/keys/compat.c +++ b/security/keys/compat.c
@@ -85,6 +85,9 @@ asmlinkage long compat_sys_keyctl(u32 option,
85	case KEYCTL_SESSION_TO_PARENT:	85	case KEYCTL_SESSION_TO_PARENT:
86	return keyctl_session_to_parent();	86	return keyctl_session_to_parent();
87		87
		88	case KEYCTL_REJECT:
		89	return keyctl_reject_key(arg2, arg3, arg4, arg5);
		90
88	default:	91	default:
89	return -EOPNOTSUPP;	92	return -EOPNOTSUPP;
90	}	93	}


diff --git a/security/keys/internal.h b/security/keys/internal.h index a52aa7c88b41..286c0959ee51 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h
@@ -214,6 +214,7 @@ extern long keyctl_assume_authority(key_serial_t);
214	extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,	214	extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,
215	size_t buflen);	215	size_t buflen);
216	extern long keyctl_session_to_parent(void);	216	extern long keyctl_session_to_parent(void);
		217	extern long keyctl_reject_key(key_serial_t, unsigned, unsigned, key_serial_t);
217		218
218	/*	219	/*
219	* Debugging key validation	220	* Debugging key validation


diff --git a/security/keys/key.c b/security/keys/key.c index 8e315ef2e88e..f7f9d93f08d9 100644 --- a/security/keys/key.c +++ b/security/keys/key.c
@@ -511,26 +511,29 @@ int key_instantiate_and_link(struct key *key,
511	EXPORT_SYMBOL(key_instantiate_and_link);	511	EXPORT_SYMBOL(key_instantiate_and_link);
512		512
513	/**	513	/**
514	* key_negate_and_link - Negatively instantiate a key and link it into the keyring.	514	* key_reject_and_link - Negatively instantiate a key and link it into the keyring.
515	* @key: The key to instantiate.	515	* @key: The key to instantiate.
516	* @timeout: The timeout on the negative key.	516	* @timeout: The timeout on the negative key.
		517	* @error: The error to return when the key is hit.
517	* @keyring: Keyring to create a link in on success (or NULL).	518	* @keyring: Keyring to create a link in on success (or NULL).
518	* @authkey: The authorisation token permitting instantiation.	519	* @authkey: The authorisation token permitting instantiation.
519	*	520	*
520	* Negatively instantiate a key that's in the uninstantiated state and, if	521	* Negatively instantiate a key that's in the uninstantiated state and, if
521	* successful, set its timeout and link it in to the destination keyring if one	522	* successful, set its timeout and stored error and link it in to the
522	* is supplied. The key and any links to the key will be automatically garbage	523	* destination keyring if one is supplied. The key and any links to the key
523	* collected after the timeout expires.	524	* will be automatically garbage collected after the timeout expires.
524	*	525	*
525	* Negative keys are used to rate limit repeated request_key() calls by causing	526	* Negative keys are used to rate limit repeated request_key() calls by causing
526	* them to return -ENOKEY until the negative key expires.	527	* them to return the stored error code (typically ENOKEY) until the negative
		528	* key expires.
527	*	529	*
528	* If successful, 0 is returned, the authorisation token is revoked and anyone	530	* If successful, 0 is returned, the authorisation token is revoked and anyone
529	* waiting for the key is woken up. If the key was already instantiated,	531	* waiting for the key is woken up. If the key was already instantiated,
530	* -EBUSY will be returned.	532	* -EBUSY will be returned.
531	*/	533	*/
532	int key_negate_and_link(struct key *key,	534	int key_reject_and_link(struct key *key,
533	unsigned timeout,	535	unsigned timeout,
		536	unsigned error,
534	struct key *keyring,	537	struct key *keyring,
535	struct key *authkey)	538	struct key *authkey)
536	{	539	{
@@ -556,6 +559,7 @@ int key_negate_and_link(struct key *key,
556	atomic_inc(&key->user->nikeys);	559	atomic_inc(&key->user->nikeys);
557	set_bit(KEY_FLAG_NEGATIVE, &key->flags);	560	set_bit(KEY_FLAG_NEGATIVE, &key->flags);
558	set_bit(KEY_FLAG_INSTANTIATED, &key->flags);	561	set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
		562	key->type_data.reject_error = -error;
559	now = current_kernel_time();	563	now = current_kernel_time();
560	key->expiry = now.tv_sec + timeout;	564	key->expiry = now.tv_sec + timeout;
561	key_schedule_gc(key->expiry + key_gc_delay);	565	key_schedule_gc(key->expiry + key_gc_delay);
@@ -585,8 +589,7 @@ int key_negate_and_link(struct key *key,
585		589
586	return ret == 0 ? link_ret : ret;	590	return ret == 0 ? link_ret : ret;
587	}	591	}
588		592	EXPORT_SYMBOL(key_reject_and_link);
589	EXPORT_SYMBOL(key_negate_and_link);
590		593
591	/*	594	/*
592	* Garbage collect keys in process context so that we don't have to disable	595	* Garbage collect keys in process context so that we don't have to disable


diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 31a0fd8189f1..0d7b1946ff94 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c
@@ -1013,12 +1013,42 @@ error:
1013	*/	1013	*/
1014	long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)	1014	long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
1015	{	1015	{
		1016	return keyctl_reject_key(id, timeout, ENOKEY, ringid);
		1017	}
		1018
		1019	/*
		1020	* Negatively instantiate the key with the given timeout (in seconds) and error
		1021	* code and link the key into the destination keyring if one is given.
		1022	*
		1023	* The caller must have the appropriate instantiation permit set for this to
		1024	* work (see keyctl_assume_authority). No other permissions are required.
		1025	*
		1026	* The key and any links to the key will be automatically garbage collected
		1027	* after the timeout expires.
		1028	*
		1029	* Negative keys are used to rate limit repeated request_key() calls by causing
		1030	* them to return the specified error code until the negative key expires.
		1031	*
		1032	* If successful, 0 will be returned.
		1033	*/
		1034	long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error,
		1035	key_serial_t ringid)
		1036	{
1016	const struct cred *cred = current_cred();	1037	const struct cred *cred = current_cred();
1017	struct request_key_auth *rka;	1038	struct request_key_auth *rka;
1018	struct key instkey, dest_keyring;	1039	struct key instkey, dest_keyring;
1019	long ret;	1040	long ret;
1020		1041
1021	kenter("%d,%u,%d", id, timeout, ringid);	1042	kenter("%d,%u,%u,%d", id, timeout, error, ringid);
		1043
		1044	/* must be a valid error code and mustn't be a kernel special */
		1045	if (error <= 0 \|\|
		1046	error >= MAX_ERRNO \|\|
		1047	error == ERESTARTSYS \|\|
		1048	error == ERESTARTNOINTR \|\|
		1049	error == ERESTARTNOHAND \|\|
		1050	error == ERESTART_RESTARTBLOCK)
		1051	return -EINVAL;
1022		1052
1023	/* the appropriate instantiation authorisation key must have been	1053	/* the appropriate instantiation authorisation key must have been
1024	* assumed before calling this */	1054	* assumed before calling this */
@@ -1038,7 +1068,7 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
1038	goto error;	1068	goto error;
1039		1069
1040	/* instantiate the key and link it into a keyring */	1070	/* instantiate the key and link it into a keyring */
1041	ret = key_negate_and_link(rka->target_key, timeout,	1071	ret = key_reject_and_link(rka->target_key, timeout, error,
1042	dest_keyring, instkey);	1072	dest_keyring, instkey);
1043		1073
1044	key_put(dest_keyring);	1074	key_put(dest_keyring);
@@ -1492,6 +1522,12 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1492	case KEYCTL_SESSION_TO_PARENT:	1522	case KEYCTL_SESSION_TO_PARENT:
1493	return keyctl_session_to_parent();	1523	return keyctl_session_to_parent();
1494		1524
		1525	case KEYCTL_REJECT:
		1526	return keyctl_reject_key((key_serial_t) arg2,
		1527	(unsigned) arg3,
		1528	(unsigned) arg4,
		1529	(key_serial_t) arg5);
		1530
1495	default:	1531	default:
1496	return -EOPNOTSUPP;	1532	return -EOPNOTSUPP;
1497	}	1533	}


diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 5620f084dede..cdd2f3f88c88 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c
@@ -352,7 +352,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
352	goto error_2;	352	goto error_2;
353	if (key->expiry && now.tv_sec >= key->expiry)	353	if (key->expiry && now.tv_sec >= key->expiry)
354	goto error_2;	354	goto error_2;
355	key_ref = ERR_PTR(-ENOKEY);	355	key_ref = ERR_PTR(key->type_data.reject_error);
356	if (kflags & (1 << KEY_FLAG_NEGATIVE))	356	if (kflags & (1 << KEY_FLAG_NEGATIVE))
357	goto error_2;	357	goto error_2;
358	goto found;	358	goto found;
@@ -401,7 +401,7 @@ descend:
401		401
402	/* we set a different error code if we pass a negative key */	402	/* we set a different error code if we pass a negative key */
403	if (kflags & (1 << KEY_FLAG_NEGATIVE)) {	403	if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
404	err = -ENOKEY;	404	err = key->type_data.reject_error;
405	continue;	405	continue;
406	}	406	}
407		407


diff --git a/security/keys/request_key.c b/security/keys/request_key.c index a3dc0d460def..df3c0417ee40 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c
@@ -585,7 +585,7 @@ int wait_for_key_construction(struct key *key, bool intr)
585	if (ret < 0)	585	if (ret < 0)
586	return ret;	586	return ret;
587	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))	587	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
588	return -ENOKEY;	588	return key->type_data.reject_error;
589	return key_validate(key);	589	return key_validate(key);
590	}	590	}
591	EXPORT_SYMBOL(wait_for_key_construction);	591	EXPORT_SYMBOL(wait_for_key_construction);