
[v11,04/11] KEYS: Add a key restriction struct

Message ID 20170303002559.8280-5-mathew.j.martineau@linux.intel.com (mailing list archive)
State New, archived

Commit Message

Mat Martineau March 3, 2017, 12:25 a.m. UTC
Key link restrictions require restriction-specific data as well as a
restriction-specific function pointer. As a first step toward replacing
the restrict_link pointer in struct key, define a more general
key_restriction structure that captures the function and data, as well
as a data freeing function and key type information for use in garbage
collection.

Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
---
 include/linux/key.h | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

David Howells March 3, 2017, 8:51 a.m. UTC | #1
Mat Martineau <mathew.j.martineau@linux.intel.com> wrote:

> +struct key_restriction {
> +	key_restrict_link_func_t check;
> +	void (*free_data)(void *data);
> +	void *data;
> +	struct key_type *keytype;
> +};

What happens if the key_type gets removed?

You may need to pin the module that implements the key_type.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
David Howells March 3, 2017, 8:53 a.m. UTC | #2
David Howells <dhowells@redhat.com> wrote:

> What happens if the key_type gets removed?
> 
> You may need to pin the module that implements the key_type.

This appears to be addressed in the next patch.  It might be worth a note in
the patch description to this effect.

David
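The commit message describes the new struct field by field and the thread asks what keeps `keytype` valid. As an added userspace model (not kernel code, not part of this series), the C below shows how a check callback, opaque `data`, a `free_data` destructor and a pinned key type fit together: a restriction that admits only one key type with a fixed description prefix, a pin count that refuses key-type removal while the restriction is alive, and the unpin happening only after `free_data` has run. Every `mock_*` name, `prefix_rule`, the pin count and the `-EOPNOTSUPP`/`-EPERM` return choices are assumptions of this model, not kernel APIs.

```c
/* Userspace model of the key_restriction pattern from the patch: a check
 * callback, restriction-specific data, its destructor, and a pinned key
 * type. Added example, not kernel code: every mock_* name, prefix_rule and
 * the pin count behind key_type_unregister() are assumptions of the model. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mock_key_type { const char *name; int pins; };	/* pins: module pinning */
struct mock_key { const struct mock_key_type *type; const char *description; };

/* Same shape as key_restrict_link_func_t in the patch; the payload is
 * modelled as the key's description string. */
typedef int (*mock_restrict_link_func_t)(struct mock_key *dest_keyring,
					 const struct mock_key_type *type,
					 const void *payload, void *data);

struct mock_key_restriction {
	mock_restrict_link_func_t check;
	void (*free_data)(void *data);
	void *data;
	struct mock_key_type *keytype;	/* pinned for the restriction's lifetime */
};

/* Restriction-specific data: one accepted key type and one description prefix. */
struct prefix_rule { const struct mock_key_type *allowed_type; char prefix[32]; };

static int check_type_and_prefix(struct mock_key *dest_keyring,
				 const struct mock_key_type *type,
				 const void *payload, void *data)
{
	const struct prefix_rule *rule = data;

	(void)dest_keyring;
	if (type != rule->allowed_type)
		return -EOPNOTSUPP;	/* not a type this restriction can judge */
	if (strncmp(payload, rule->prefix, strlen(rule->prefix)) != 0)
		return -EPERM;		/* right type, but outside the policy */
	return 0;
}

static struct mock_key_restriction *restriction_create(struct mock_key_type *kt,
						       const char *prefix)
{
	struct prefix_rule *rule = calloc(1, sizeof(*rule));
	struct mock_key_restriction *r = calloc(1, sizeof(*r));

	if (!rule || !r) {
		free(rule);
		free(r);
		return NULL;
	}
	rule->allowed_type = kt;
	snprintf(rule->prefix, sizeof(rule->prefix), "%s", prefix);
	r->check = check_type_and_prefix;
	r->free_data = free;	/* data is one calloc() block, so free() suffices */
	r->data = rule;
	r->keytype = kt;
	kt->pins++;		/* the type must outlive the restriction */
	return r;
}

static void restriction_destroy(struct mock_key_restriction *r)
{
	if (r->free_data)
		r->free_data(r->data);
	r->keytype->pins--;	/* unpin only once nothing refers to the type */
	free(r);
}

/* Models key type removal: refused (0) while any restriction still pins it. */
static int key_type_unregister(const struct mock_key_type *kt)
{
	return kt->pins == 0;
}

/* Links three candidate keys against a "ca:"-prefixed asymmetric-only
 * restriction, then tries to remove the type; returns failed expectations. */
static int demo(void)
{
	struct mock_key_type asym = { "asymmetric", 0 }, user = { "user", 0 };
	struct mock_key ca = { &asym, "ca:root" };
	struct mock_key wrong_type = { &user, "ca:root" };
	struct mock_key wrong_prefix = { &asym, "leaf:1" };
	struct mock_key_restriction *r = restriction_create(&asym, "ca:");
	int failures = 0;

	if (!r)
		return 1;
	failures += r->check(NULL, ca.type, ca.description, r->data) != 0;
	failures += r->check(NULL, wrong_type.type, wrong_type.description, r->data) != -EOPNOTSUPP;
	failures += r->check(NULL, wrong_prefix.type, wrong_prefix.description, r->data) != -EPERM;
	failures += key_type_unregister(&asym);		/* still pinned: refused */
	restriction_destroy(r);
	failures += !key_type_unregister(&asym);	/* unpinned: allowed */
	return failures;
}
```

The ordering in `restriction_destroy()` is the point of the model: `data` is released through the restriction's own `free_data` first, and the pin on the type is dropped last, so no path exists where the type can vanish while a live restriction still holds a pointer to it.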

Patch

diff --git a/include/linux/key.h b/include/linux/key.h
index c4016bc314f7..771eda3385e0 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -131,6 +131,13 @@  typedef int (*key_restrict_link_func_t)(struct key *dest_keyring,
 					const union key_payload *payload,
 					void *data);
 
+struct key_restriction {
+	key_restrict_link_func_t check;
+	void (*free_data)(void *data);
+	void *data;
+	struct key_type *keytype;
+};
+
 /*****************************************************************************/
 /*
  * authentication token / access credential / keyring
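Review bot: `keytype` in the new struct is a bare `struct key_type *` and nothing in this hunk takes a reference on, or pins, the module implementing that type, so a restriction can outlive its key type and dereference a stale pointer; the thread says the next patch handles the pinning, so this description should say so and state which side owns the lifetime. The struct also lands without a kerneldoc block: a comment above `struct key_restriction` saying that `check` receives `data` as its last argument (matching the `key_restrict_link_func_t` typedef immediately above), that `free_data` is invoked on `data` when the restriction is released, and what `keytype` is consulted for during garbage collection would make the ownership model clear to readers of key.h.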