Root/
1 | /* Key permission checking |
2 | * |
3 | * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. |
4 | * Written by David Howells (dhowells@redhat.com) |
5 | * |
6 | * This program is free software; you can redistribute it and/or |
7 | * modify it under the terms of the GNU General Public License |
8 | * as published by the Free Software Foundation; either version |
9 | * 2 of the License, or (at your option) any later version. |
10 | */ |
11 | |
12 | #include <linux/module.h> |
13 | #include <linux/security.h> |
14 | #include "internal.h" |
15 | |
16 | /** |
17 | * key_task_permission - Check a key can be used |
18 | * @key_ref: The key to check. |
19 | * @cred: The credentials to use. |
20 | * @perm: The permissions to check for. |
21 | * |
22 | * Check to see whether permission is granted to use a key in the desired way, |
23 | * but permit the security modules to override. |
24 | * |
25 | * The caller must hold either a ref on cred or must hold the RCU readlock. |
26 | * |
27 | * Returns 0 if successful, -EACCES if access is denied based on the |
28 | * permissions bits or the LSM check. |
29 | */ |
30 | int key_task_permission(const key_ref_t key_ref, const struct cred *cred, |
31 | key_perm_t perm) |
32 | { |
33 | struct key *key; |
34 | key_perm_t kperm; |
35 | int ret; |
36 | |
37 | key = key_ref_to_ptr(key_ref); |
38 | |
39 | if (key->user->user_ns != cred->user_ns) |
40 | goto use_other_perms; |
41 | |
42 | /* use the second 8-bits of permissions for keys the caller owns */ |
43 | if (key->uid == cred->fsuid) { |
44 | kperm = key->perm >> 16; |
45 | goto use_these_perms; |
46 | } |
47 | |
48 | /* use the third 8-bits of permissions for keys the caller has a group |
49 | * membership in common with */ |
50 | if (key->gid != -1 && key->perm & KEY_GRP_ALL) { |
51 | if (key->gid == cred->fsgid) { |
52 | kperm = key->perm >> 8; |
53 | goto use_these_perms; |
54 | } |
55 | |
56 | ret = groups_search(cred->group_info, |
57 | make_kgid(current_user_ns(), key->gid)); |
58 | if (ret) { |
59 | kperm = key->perm >> 8; |
60 | goto use_these_perms; |
61 | } |
62 | } |
63 | |
64 | use_other_perms: |
65 | |
66 | /* otherwise use the least-significant 8-bits */ |
67 | kperm = key->perm; |
68 | |
69 | use_these_perms: |
70 | |
71 | /* use the top 8-bits of permissions for keys the caller possesses |
72 | * - possessor permissions are additive with other permissions |
73 | */ |
74 | if (is_key_possessed(key_ref)) |
75 | kperm |= key->perm >> 24; |
76 | |
77 | kperm = kperm & perm & KEY_ALL; |
78 | |
79 | if (kperm != perm) |
80 | return -EACCES; |
81 | |
82 | /* let LSM be the final arbiter */ |
83 | return security_key_permission(key_ref, cred, perm); |
84 | } |
85 | EXPORT_SYMBOL(key_task_permission); |
86 | |
87 | /** |
88 | * key_validate - Validate a key. |
89 | * @key: The key to be validated. |
90 | * |
91 | * Check that a key is valid, returning 0 if the key is okay, -ENOKEY if the |
92 | * key is invalidated, -EKEYREVOKED if the key's type has been removed or if |
93 | * the key has been revoked or -EKEYEXPIRED if the key has expired. |
94 | */ |
95 | int key_validate(const struct key *key) |
96 | { |
97 | unsigned long flags = key->flags; |
98 | |
99 | if (flags & (1 << KEY_FLAG_INVALIDATED)) |
100 | return -ENOKEY; |
101 | |
102 | /* check it's still accessible */ |
103 | if (flags & ((1 << KEY_FLAG_REVOKED) | |
104 | (1 << KEY_FLAG_DEAD))) |
105 | return -EKEYREVOKED; |
106 | |
107 | /* check it hasn't expired */ |
108 | if (key->expiry) { |
109 | struct timespec now = current_kernel_time(); |
110 | if (now.tv_sec >= key->expiry) |
111 | return -EKEYEXPIRED; |
112 | } |
113 | |
114 | return 0; |
115 | } |
116 | EXPORT_SYMBOL(key_validate); |
117 |
Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.11
jz-3.12
jz-3.13
jz-3.15
jz-3.16
jz-3.18-dt
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master
Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9