2 files changed, 20 insertions, 1 deletions
diff --git a/include/linux/keyctl.h b/include/linux/keyctl.h
index 3365945640c9..656ee6b77a4a 100644
--- a/include/linux/keyctl.h
+++ b/include/linux/keyctl.h
@@ -49,5 +49,6 @@
 #define KEYCTL_SET_REQKEY_KEYRING       14      /* set default request-key keyring */
 #define KEYCTL_SET_TIMEOUT              15      /* set key timeout */
 #define KEYCTL_ASSUME_AUTHORITY         16      /* assume request_key() authorisation */
+#define KEYCTL_GET_SECURITY             17      /* get key security label */
 #endif /*  _LINUX_KEYCTL_H */
diff --git a/include/linux/security.h b/include/linux/security.h
index 3ebcdd00b17d..adb09d893ae0 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1009,6 +1009,17 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @perm describes the combination of permissions required of this key.
 *      Return 1 if permission granted, 0 if permission denied and -ve it the
 *      normal permissions model should be effected.
+ * @key_getsecurity:
+ *      Get a textual representation of the security context attached to a key
+ *      for the purposes of honouring KEYCTL_GETSECURITY.  This function
+ *      allocates the storage for the NUL-terminated string and the caller
+ *      should free it.
+ *      @key points to the key to be queried.
+ *      @_buffer points to a pointer that should be set to point to the
+ *       resulting string (if no label or an error occurs).
+ *      Return the length of the string (including terminating NUL) or -ve if
+ *      an error.
+ *      May also return 0 (and a NULL buffer pointer) if there is no label.
 *
 * Security hooks affecting all System V IPC operations.
 *
@@ -1538,7 +1549,7 @@ struct security_operations {
        int (*key_permission) (key_ref_t key_ref,
                               struct task_struct *context,
                               key_perm_t perm);
+        int (*key_getsecurity)(struct key *key, char **_buffer);
 #endif  /* CONFIG_KEYS */
 #ifdef CONFIG_AUDIT
@@ -2732,6 +2743,7 @@ int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long f
 void security_key_free(struct key *key);
 int security_key_permission(key_ref_t key_ref,
                            struct task_struct *context, key_perm_t perm);
+int security_key_getsecurity(struct key *key, char **_buffer);
 #else
@@ -2753,6 +2765,12 @@ static inline int security_key_permission(key_ref_t key_ref,
        return 0;
 }
+static inline int security_key_getsecurity(struct key *key, char **_buffer)
+{
+        *_buffer = NULL;
+        return 0;
+}
 #endif
 #endif /* CONFIG_KEYS */

diff --git a/include/linux/keyctl.h b/include/linux/keyctl.h index 3365945640c9..656ee6b77a4a 100644 --- a/include/linux/keyctl.h +++ b/include/linux/keyctl.h
@@ -49,5 +49,6 @@
49	#define KEYCTL_SET_REQKEY_KEYRING 14 /* set default request-key keyring */	49	#define KEYCTL_SET_REQKEY_KEYRING 14 /* set default request-key keyring */
50	#define KEYCTL_SET_TIMEOUT 15 /* set key timeout */	50	#define KEYCTL_SET_TIMEOUT 15 /* set key timeout */
51	#define KEYCTL_ASSUME_AUTHORITY 16 /* assume request_key() authorisation */	51	#define KEYCTL_ASSUME_AUTHORITY 16 /* assume request_key() authorisation */
		52	#define KEYCTL_GET_SECURITY 17 /* get key security label */
52		53
53	#endif /* _LINUX_KEYCTL_H */	54	#endif /* _LINUX_KEYCTL_H */


diff --git a/include/linux/security.h b/include/linux/security.h index 3ebcdd00b17d..adb09d893ae0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -1009,6 +1009,17 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
1009	* @perm describes the combination of permissions required of this key.	1009	* @perm describes the combination of permissions required of this key.
1010	* Return 1 if permission granted, 0 if permission denied and -ve it the	1010	* Return 1 if permission granted, 0 if permission denied and -ve it the
1011	* normal permissions model should be effected.	1011	* normal permissions model should be effected.
		1012	* @key_getsecurity:
		1013	* Get a textual representation of the security context attached to a key
		1014	* for the purposes of honouring KEYCTL_GETSECURITY. This function
		1015	* allocates the storage for the NUL-terminated string and the caller
		1016	* should free it.
		1017	* @key points to the key to be queried.
		1018	* @_buffer points to a pointer that should be set to point to the
		1019	* resulting string (if no label or an error occurs).
		1020	* Return the length of the string (including terminating NUL) or -ve if
		1021	* an error.
		1022	* May also return 0 (and a NULL buffer pointer) if there is no label.
1012	*	1023	*
1013	* Security hooks affecting all System V IPC operations.	1024	* Security hooks affecting all System V IPC operations.
1014	*	1025	*
@@ -1538,7 +1549,7 @@ struct security_operations {
1538	int (*key_permission) (key_ref_t key_ref,	1549	int (*key_permission) (key_ref_t key_ref,
1539	struct task_struct *context,	1550	struct task_struct *context,
1540	key_perm_t perm);	1551	key_perm_t perm);
1541		1552	int (key_getsecurity)(struct key key, char **_buffer);
1542	#endif /* CONFIG_KEYS */	1553	#endif /* CONFIG_KEYS */
1543		1554
1544	#ifdef CONFIG_AUDIT	1555	#ifdef CONFIG_AUDIT
@@ -2732,6 +2743,7 @@ int security_key_alloc(struct key key, struct task_struct tsk, unsigned long f
2732	void security_key_free(struct key *key);	2743	void security_key_free(struct key *key);
2733	int security_key_permission(key_ref_t key_ref,	2744	int security_key_permission(key_ref_t key_ref,
2734	struct task_struct *context, key_perm_t perm);	2745	struct task_struct *context, key_perm_t perm);
		2746	int security_key_getsecurity(struct key key, char *_buffer);
2735		2747
2736	#else	2748	#else
2737		2749
@@ -2753,6 +2765,12 @@ static inline int security_key_permission(key_ref_t key_ref,
2753	return 0;	2765	return 0;
2754	}	2766	}
2755		2767
		2768	static inline int security_key_getsecurity(struct key key, char *_buffer)
		2769	{
		2770	*_buffer = NULL;
		2771	return 0;
		2772	}
		2773
2756	#endif	2774	#endif
2757	#endif /* CONFIG_KEYS */	2775	#endif /* CONFIG_KEYS */
2758		2776