diff options
Diffstat (limited to 'security/keys/permission.c')
| -rw-r--r-- | security/keys/permission.c | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/security/keys/permission.c b/security/keys/permission.c index 3b41f9b52537..5d9fc7b93f2e 100644 --- a/security/keys/permission.c +++ b/security/keys/permission.c | |||
| @@ -14,12 +14,19 @@ | |||
| 14 | #include "internal.h" | 14 | #include "internal.h" |
| 15 | 15 | ||
| 16 | /*****************************************************************************/ | 16 | /*****************************************************************************/ |
| 17 | /* | 17 | /** |
| 18 | * check to see whether permission is granted to use a key in the desired way, | 18 | * key_task_permission - Check a key can be used |
| 19 | * but permit the security modules to override | 19 | * @key_ref: The key to check |
| 20 | * @cred: The credentials to use | ||
| 21 | * @perm: The permissions to check for | ||
| 22 | * | ||
| 23 | * Check to see whether permission is granted to use a key in the desired way, | ||
| 24 | * but permit the security modules to override. | ||
| 25 | * | ||
| 26 | * The caller must hold either a ref on cred or must hold the RCU readlock or a | ||
| 27 | * spinlock. | ||
| 20 | */ | 28 | */ |
| 21 | int key_task_permission(const key_ref_t key_ref, | 29 | int key_task_permission(const key_ref_t key_ref, const struct cred *cred, |
| 22 | struct task_struct *context, | ||
| 23 | key_perm_t perm) | 30 | key_perm_t perm) |
| 24 | { | 31 | { |
| 25 | struct key *key; | 32 | struct key *key; |
| @@ -29,7 +36,7 @@ int key_task_permission(const key_ref_t key_ref, | |||
| 29 | key = key_ref_to_ptr(key_ref); | 36 | key = key_ref_to_ptr(key_ref); |
| 30 | 37 | ||
| 31 | /* use the second 8-bits of permissions for keys the caller owns */ | 38 | /* use the second 8-bits of permissions for keys the caller owns */ |
| 32 | if (key->uid == context->fsuid) { | 39 | if (key->uid == cred->fsuid) { |
| 33 | kperm = key->perm >> 16; | 40 | kperm = key->perm >> 16; |
| 34 | goto use_these_perms; | 41 | goto use_these_perms; |
| 35 | } | 42 | } |
| @@ -37,15 +44,12 @@ int key_task_permission(const key_ref_t key_ref, | |||
| 37 | /* use the third 8-bits of permissions for keys the caller has a group | 44 | /* use the third 8-bits of permissions for keys the caller has a group |
| 38 | * membership in common with */ | 45 | * membership in common with */ |
| 39 | if (key->gid != -1 && key->perm & KEY_GRP_ALL) { | 46 | if (key->gid != -1 && key->perm & KEY_GRP_ALL) { |
| 40 | if (key->gid == context->fsgid) { | 47 | if (key->gid == cred->fsgid) { |
| 41 | kperm = key->perm >> 8; | 48 | kperm = key->perm >> 8; |
| 42 | goto use_these_perms; | 49 | goto use_these_perms; |
| 43 | } | 50 | } |
| 44 | 51 | ||
| 45 | task_lock(context); | 52 | ret = groups_search(cred->group_info, key->gid); |
| 46 | ret = groups_search(context->group_info, key->gid); | ||
| 47 | task_unlock(context); | ||
| 48 | |||
| 49 | if (ret) { | 53 | if (ret) { |
| 50 | kperm = key->perm >> 8; | 54 | kperm = key->perm >> 8; |
| 51 | goto use_these_perms; | 55 | goto use_these_perms; |
| @@ -56,6 +60,7 @@ int key_task_permission(const key_ref_t key_ref, | |||
| 56 | kperm = key->perm; | 60 | kperm = key->perm; |
| 57 | 61 | ||
| 58 | use_these_perms: | 62 | use_these_perms: |
| 63 | |||
| 59 | /* use the top 8-bits of permissions for keys the caller possesses | 64 | /* use the top 8-bits of permissions for keys the caller possesses |
| 60 | * - possessor permissions are additive with other permissions | 65 | * - possessor permissions are additive with other permissions |
| 61 | */ | 66 | */ |
| @@ -68,7 +73,7 @@ use_these_perms: | |||
| 68 | return -EACCES; | 73 | return -EACCES; |
| 69 | 74 | ||
| 70 | /* let LSM be the final arbiter */ | 75 | /* let LSM be the final arbiter */ |
| 71 | return security_key_permission(key_ref, context, perm); | 76 | return security_key_permission(key_ref, cred, perm); |
| 72 | 77 | ||
| 73 | } /* end key_task_permission() */ | 78 | } /* end key_task_permission() */ |
| 74 | 79 | ||