1 files changed, 73 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 607ee209ea3b..f7e0ae018712 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -30,6 +30,7 @@
 #include <linux/shm.h>
 #include <linux/msg.h>
 #include <linux/sched.h>
+#include <linux/key.h>
 struct ctl_table;
@@ -788,6 +789,27 @@ struct swap_info_struct;
 * @sk_free_security:
 *      Deallocate security structure.
 *
+ * Security hooks affecting all Key Management operations
+ *
+ * @key_alloc:
+ *      Permit allocation of a key and assign security data. Note that key does
+ *      not have a serial number assigned at this point.
+ *      @key points to the key.
+ *      Return 0 if permission is granted, -ve error otherwise.
+ * @key_free:
+ *      Notification of destruction; free security data.
+ *      @key points to the key.
+ *      No return value.
+ * @key_permission:
+ *      See whether a specific operational right is granted to a process on a
+ *      key.
+ *      @key_ref refers to the key (key pointer + possession attribute bit).
+ *      @context points to the process to provide the context against which to
+ *       evaluate the security data on the key.
+ *      @perm describes the combination of permissions required of this key.
+ *      Return 1 if permission granted, 0 if permission denied and -ve it the
+ *      normal permissions model should be effected.
+ *
 * Security hooks affecting all System V IPC operations.
 *
 * @ipc_permission:
@@ -1216,6 +1238,17 @@ struct security_operations {
        int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
        void (*sk_free_security) (struct sock *sk);
 #endif  /* CONFIG_SECURITY_NETWORK */
+        /* key management security hooks */
+#ifdef CONFIG_KEYS
+        int (*key_alloc)(struct key *key);
+        void (*key_free)(struct key *key);
+        int (*key_permission)(key_ref_t key_ref,
+                              struct task_struct *context,
+                              key_perm_t perm);
+#endif  /* CONFIG_KEYS */
 };
 /* global variables */
@@ -2764,5 +2797,45 @@ static inline void security_sk_free(struct sock *sk)
 }
 #endif  /* CONFIG_SECURITY_NETWORK */
+#ifdef CONFIG_KEYS
+#ifdef CONFIG_SECURITY
+static inline int security_key_alloc(struct key *key)
+{
+        return security_ops->key_alloc(key);
+}
+static inline void security_key_free(struct key *key)
+{
+        security_ops->key_free(key);
+}
+static inline int security_key_permission(key_ref_t key_ref,
+                                          struct task_struct *context,
+                                          key_perm_t perm)
+{
+        return security_ops->key_permission(key_ref, context, perm);
+}
+#else
+static inline int security_key_alloc(struct key *key)
+{
+        return 0;
+}
+static inline void security_key_free(struct key *key)
+{
+}
+static inline int security_key_permission(key_ref_t key_ref,
+                                          struct task_struct *context,
+                                          key_perm_t perm)
+{
+        return 0;
+}
+#endif
+#endif /* CONFIG_KEYS */
 #endif /* ! __LINUX_SECURITY_H */

diff --git a/include/linux/security.h b/include/linux/security.h index 607ee209ea3b..f7e0ae018712 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -30,6 +30,7 @@
30	#include <linux/shm.h>	30	#include <linux/shm.h>
31	#include <linux/msg.h>	31	#include <linux/msg.h>
32	#include <linux/sched.h>	32	#include <linux/sched.h>
		33	#include <linux/key.h>
33		34
34	struct ctl_table;	35	struct ctl_table;
35		36
@@ -788,6 +789,27 @@ struct swap_info_struct;
788	* @sk_free_security:	789	* @sk_free_security:
789	* Deallocate security structure.	790	* Deallocate security structure.
790	*	791	*
		792	* Security hooks affecting all Key Management operations
		793	*
		794	* @key_alloc:
		795	* Permit allocation of a key and assign security data. Note that key does
		796	* not have a serial number assigned at this point.
		797	* @key points to the key.
		798	* Return 0 if permission is granted, -ve error otherwise.
		799	* @key_free:
		800	* Notification of destruction; free security data.
		801	* @key points to the key.
		802	* No return value.
		803	* @key_permission:
		804	* See whether a specific operational right is granted to a process on a
		805	* key.
		806	* @key_ref refers to the key (key pointer + possession attribute bit).
		807	* @context points to the process to provide the context against which to
		808	* evaluate the security data on the key.
		809	* @perm describes the combination of permissions required of this key.
		810	* Return 1 if permission granted, 0 if permission denied and -ve it the
		811	* normal permissions model should be effected.
		812	*
791	* Security hooks affecting all System V IPC operations.	813	* Security hooks affecting all System V IPC operations.
792	*	814	*
793	* @ipc_permission:	815	* @ipc_permission:
@@ -1216,6 +1238,17 @@ struct security_operations {
1216	int (sk_alloc_security) (struct sock sk, int family, gfp_t priority);	1238	int (sk_alloc_security) (struct sock sk, int family, gfp_t priority);
1217	void (sk_free_security) (struct sock sk);	1239	void (sk_free_security) (struct sock sk);
1218	#endif /* CONFIG_SECURITY_NETWORK */	1240	#endif /* CONFIG_SECURITY_NETWORK */
		1241
		1242	/* key management security hooks */
		1243	#ifdef CONFIG_KEYS
		1244	int (key_alloc)(struct key key);
		1245	void (key_free)(struct key key);
		1246	int (*key_permission)(key_ref_t key_ref,
		1247	struct task_struct *context,
		1248	key_perm_t perm);
		1249
		1250	#endif /* CONFIG_KEYS */
		1251
1219	};	1252	};
1220		1253
1221	/* global variables */	1254	/* global variables */
@@ -2764,5 +2797,45 @@ static inline void security_sk_free(struct sock *sk)
2764	}	2797	}
2765	#endif /* CONFIG_SECURITY_NETWORK */	2798	#endif /* CONFIG_SECURITY_NETWORK */
2766		2799
		2800	#ifdef CONFIG_KEYS
		2801	#ifdef CONFIG_SECURITY
		2802	static inline int security_key_alloc(struct key *key)
		2803	{
		2804	return security_ops->key_alloc(key);
		2805	}
		2806
		2807	static inline void security_key_free(struct key *key)
		2808	{
		2809	security_ops->key_free(key);
		2810	}
		2811
		2812	static inline int security_key_permission(key_ref_t key_ref,
		2813	struct task_struct *context,
		2814	key_perm_t perm)
		2815	{
		2816	return security_ops->key_permission(key_ref, context, perm);
		2817	}
		2818
		2819	#else
		2820
		2821	static inline int security_key_alloc(struct key *key)
		2822	{
		2823	return 0;
		2824	}
		2825
		2826	static inline void security_key_free(struct key *key)
		2827	{
		2828	}
		2829
		2830	static inline int security_key_permission(key_ref_t key_ref,
		2831	struct task_struct *context,
		2832	key_perm_t perm)
		2833	{
		2834	return 0;
		2835	}
		2836
		2837	#endif
		2838	#endif /* CONFIG_KEYS */
		2839
2767	#endif /* ! __LINUX_SECURITY_H */	2840	#endif /* ! __LINUX_SECURITY_H */
2768		2841