[RFC,01/12] KEYS: Add KEY_ALLOC_BYPASS_RESTRICTION option to key_move

Message ID 20210707024403.1083977-2-eric.snowberg@oracle.com (mailing list archive)
State New, archived
Series Enroll kernel keys thru MOK

Commit Message

Eric Snowberg July 7, 2021, 2:43 a.m. UTC
Callers of key_create_or_update can pass KEY_ALLOC_BYPASS_RESTRICTION to
suppress the restrictions check. Add the same support to key_move to
bypass restrictions on the destination keyring.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 security/keys/keyring.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

Patch

diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 5e6a90760753..56ea2b78d2e5 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -1585,7 +1585,7 @@  EXPORT_SYMBOL(key_unlink);
  *
  * It is assumed that the caller has checked that it is permitted for a link to
  * be made (the keyring should have Write permission and the key Link
- * permission).
+ * permission). It can be overridden by passing KEY_ALLOC_BYPASS_RESTRICTION.
  */
 int key_move(struct key *key,
 	     struct key *from_keyring,
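Review bot: The added sentence in the key_move() comment is ambiguous about what is overridden. "It can be overridden" directly follows the statement that the caller has checked Write permission on the keyring and Link permission on the key, so it reads as if KEY_ALLOC_BYPASS_RESTRICTION waives those permission checks. The code change only skips __key_link_check_restriction() on the destination keyring. Suggest saying so explicitly, for example "If KEY_ALLOC_BYPASS_RESTRICTION is set in flags, the restriction check on the destination keyring is skipped", and keeping that separate from the permission sentence so the two are not conflated.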
@@ -1618,9 +1618,11 @@  int key_move(struct key *key,
 	if (to_edit->dead_leaf && (flags & KEYCTL_MOVE_EXCL))
 		goto error;
 
-	ret = __key_link_check_restriction(to_keyring, key);
-	if (ret < 0)
-		goto error;
+	if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION)) {
+		ret = __key_link_check_restriction(to_keyring, key);
+		if (ret < 0)
+			goto error;
+	}
 	ret = __key_link_check_live_key(to_keyring, key);
 	if (ret < 0)
 		goto error;
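Review bot: The same flags argument is now tested against two different flag families in key_move(): KEYCTL_MOVE_EXCL in the dead_leaf check and KEY_ALLOC_BYPASS_RESTRICTION in the new condition. Please confirm that the two bit values cannot overlap, and that any caller that forwards flags it did not construct itself masks this bit out before calling key_move(), because setting it skips __key_link_check_restriction(to_keyring, key) entirely and lets a key be linked into a restricted keyring. A compile-time assertion that the two constants are distinct, or a dedicated move-specific flag, would make that guarantee explicit. Minor style point: a blank line after the closing brace, before "ret = __key_link_check_live_key(to_keyring, key);", would keep the two checks visually separate as they were before.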