1 files changed, 11 insertions, 8 deletions
diff --git a/security/keys/key.c b/security/keys/key.c
index 8e315ef2e88e..f7f9d93f08d9 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -511,26 +511,29 @@ int key_instantiate_and_link(struct key *key,
 EXPORT_SYMBOL(key_instantiate_and_link);
 /**
- * key_negate_and_link - Negatively instantiate a key and link it into the keyring.
+ * key_reject_and_link - Negatively instantiate a key and link it into the keyring.
 * @key: The key to instantiate.
 * @timeout: The timeout on the negative key.
+ * @error: The error to return when the key is hit.
 * @keyring: Keyring to create a link in on success (or NULL).
 * @authkey: The authorisation token permitting instantiation.
 *
 * Negatively instantiate a key that's in the uninstantiated state and, if
- * successful, set its timeout and link it in to the destination keyring if one
+ * successful, set its timeout and stored error and link it in to the
- * is supplied.  The key and any links to the key will be automatically garbage
+ * destination keyring if one is supplied.  The key and any links to the key
- * collected after the timeout expires.
+ * will be automatically garbage collected after the timeout expires.
 *
 * Negative keys are used to rate limit repeated request_key() calls by causing
- * them to return -ENOKEY until the negative key expires.
+ * them to return the stored error code (typically ENOKEY) until the negative
+ * key expires.
 *
 * If successful, 0 is returned, the authorisation token is revoked and anyone
 * waiting for the key is woken up.  If the key was already instantiated,
 * -EBUSY will be returned.
 */
-int key_negate_and_link(struct key *key,
+int key_reject_and_link(struct key *key,
                        unsigned timeout,
+                        unsigned error,
                        struct key *keyring,
                        struct key *authkey)
 {
@@ -556,6 +559,7 @@ int key_negate_and_link(struct key *key,
                atomic_inc(&key->user->nikeys);
                set_bit(KEY_FLAG_NEGATIVE, &key->flags);
                set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
+                key->type_data.reject_error = -error;
                now = current_kernel_time();
                key->expiry = now.tv_sec + timeout;
                key_schedule_gc(key->expiry + key_gc_delay);
@@ -585,8 +589,7 @@ int key_negate_and_link(struct key *key,
        return ret == 0 ? link_ret : ret;
 }
+EXPORT_SYMBOL(key_reject_and_link);
-EXPORT_SYMBOL(key_negate_and_link);
 /*
 * Garbage collect keys in process context so that we don't have to disable

diff --git a/security/keys/key.c b/security/keys/key.c index 8e315ef2e88e..f7f9d93f08d9 100644 --- a/security/keys/key.c +++ b/security/keys/key.c
@@ -511,26 +511,29 @@ int key_instantiate_and_link(struct key *key,
511	EXPORT_SYMBOL(key_instantiate_and_link);	511	EXPORT_SYMBOL(key_instantiate_and_link);
512		512
513	/**	513	/**
514	* key_negate_and_link - Negatively instantiate a key and link it into the keyring.	514	* key_reject_and_link - Negatively instantiate a key and link it into the keyring.
515	* @key: The key to instantiate.	515	* @key: The key to instantiate.
516	* @timeout: The timeout on the negative key.	516	* @timeout: The timeout on the negative key.
		517	* @error: The error to return when the key is hit.
517	* @keyring: Keyring to create a link in on success (or NULL).	518	* @keyring: Keyring to create a link in on success (or NULL).
518	* @authkey: The authorisation token permitting instantiation.	519	* @authkey: The authorisation token permitting instantiation.
519	*	520	*
520	* Negatively instantiate a key that's in the uninstantiated state and, if	521	* Negatively instantiate a key that's in the uninstantiated state and, if
521	* successful, set its timeout and link it in to the destination keyring if one	522	* successful, set its timeout and stored error and link it in to the
522	* is supplied. The key and any links to the key will be automatically garbage	523	* destination keyring if one is supplied. The key and any links to the key
523	* collected after the timeout expires.	524	* will be automatically garbage collected after the timeout expires.
524	*	525	*
525	* Negative keys are used to rate limit repeated request_key() calls by causing	526	* Negative keys are used to rate limit repeated request_key() calls by causing
526	* them to return -ENOKEY until the negative key expires.	527	* them to return the stored error code (typically ENOKEY) until the negative
		528	* key expires.
527	*	529	*
528	* If successful, 0 is returned, the authorisation token is revoked and anyone	530	* If successful, 0 is returned, the authorisation token is revoked and anyone
529	* waiting for the key is woken up. If the key was already instantiated,	531	* waiting for the key is woken up. If the key was already instantiated,
530	* -EBUSY will be returned.	532	* -EBUSY will be returned.
531	*/	533	*/
532	int key_negate_and_link(struct key *key,	534	int key_reject_and_link(struct key *key,
533	unsigned timeout,	535	unsigned timeout,
		536	unsigned error,
534	struct key *keyring,	537	struct key *keyring,
535	struct key *authkey)	538	struct key *authkey)
536	{	539	{
@@ -556,6 +559,7 @@ int key_negate_and_link(struct key *key,
556	atomic_inc(&key->user->nikeys);	559	atomic_inc(&key->user->nikeys);
557	set_bit(KEY_FLAG_NEGATIVE, &key->flags);	560	set_bit(KEY_FLAG_NEGATIVE, &key->flags);
558	set_bit(KEY_FLAG_INSTANTIATED, &key->flags);	561	set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
		562	key->type_data.reject_error = -error;
559	now = current_kernel_time();	563	now = current_kernel_time();
560	key->expiry = now.tv_sec + timeout;	564	key->expiry = now.tv_sec + timeout;
561	key_schedule_gc(key->expiry + key_gc_delay);	565	key_schedule_gc(key->expiry + key_gc_delay);
@@ -585,8 +589,7 @@ int key_negate_and_link(struct key *key,
585		589
586	return ret == 0 ? link_ret : ret;	590	return ret == 0 ? link_ret : ret;
587	}	591	}
588		592	EXPORT_SYMBOL(key_reject_and_link);
589	EXPORT_SYMBOL(key_negate_and_link);
590		593
591	/*	594	/*
592	* Garbage collect keys in process context so that we don't have to disable	595	* Garbage collect keys in process context so that we don't have to disable