summaryrefslogtreecommitdiffstats
path: root/security/keys/internal.h
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2019-06-27 23:03:07 +0100
committerDavid Howells <dhowells@redhat.com>2019-07-03 13:05:22 +0100
commit7a1ade847596dadc94b37e49f8c03f167fd71748 (patch)
tree22ba37dfcac2fff9ad83c41bc1dd84e5d268ad35 /security/keys/internal.h
parent2e12256b9a76584fa3a6da19210509d4775aee36 (diff)
downloadlinux-7a1ade847596dadc94b37e49f8c03f167fd71748.tar.gz
linux-7a1ade847596dadc94b37e49f8c03f167fd71748.tar.bz2
linux-7a1ade847596dadc94b37e49f8c03f167fd71748.zip
keys: Provide KEYCTL_GRANT_PERMISSION
Provide a keyctl() operation to grant/remove permissions. The grant operation, wrapped by libkeyutils, looks like: int ret = keyctl_grant_permission(key_serial_t key, enum key_ace_subject_type type, unsigned int subject, unsigned int perm); Where key is the key to be modified, type and subject represent the subject to which permission is to be granted (or removed) and perm is the set of permissions to be granted. 0 is returned on success. SET_SECURITY permission is required for this. The subject type currently must be KEY_ACE_SUBJ_STANDARD for the moment (other subject types will come along later). For subject type KEY_ACE_SUBJ_STANDARD, the following subject values are available: KEY_ACE_POSSESSOR The possessor of the key KEY_ACE_OWNER The owner of the key KEY_ACE_GROUP The key's group KEY_ACE_EVERYONE Everyone perm lists the permissions to be granted: KEY_ACE_VIEW Can view the key metadata KEY_ACE_READ Can read the key content KEY_ACE_WRITE Can update/modify the key content KEY_ACE_SEARCH Can find the key by searching/requesting KEY_ACE_LINK Can make a link to the key KEY_ACE_SET_SECURITY Can set security KEY_ACE_INVAL Can invalidate KEY_ACE_REVOKE Can revoke KEY_ACE_JOIN Can join this keyring KEY_ACE_CLEAR Can clear this keyring If an ACE already exists for the subject, then the permissions mask will be overwritten; if perm is 0, it will be deleted. Currently, the internal ACL is limited to a maximum of 16 entries. For example: int ret = keyctl_grant_permission(key, KEY_ACE_SUBJ_STANDARD, KEY_ACE_OWNER, KEY_ACE_VIEW | KEY_ACE_READ); Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'security/keys/internal.h')
-rw-r--r--security/keys/internal.h5
1 files changed, 5 insertions, 0 deletions
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 9375d6289bb9..5e27ebdf1937 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -342,6 +342,11 @@ static inline long keyctl_pkey_e_d_s(int op,
extern long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen);
+extern long keyctl_grant_permission(key_serial_t keyid,
+ enum key_ace_subject_type type,
+ unsigned int subject,
+ unsigned int perm);
+
/*
* Debugging key validation
*/