From 6f51a6d00d1b4e13d053c94ee77df21640dab2d4 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 21 Jul 2017 11:07:55 +0000 Subject: [PATCH] keyctl: add support for KEYCTL_RESTRICT_KEYRING operation * keyctl.c (keyctl_restrict_keyring): New function. (SYS_FUNC(keyctl)): Use it to implement KEYCTL_RESTRICT_KEYRING support. * NEWS: Mention this. * tests/keyctl.c (main): Check KEYCTL_RESTRICT_KEYRING decoding. --- NEWS | 1 + keyctl.c | 17 +++++++++++++++++ tests/keyctl.c | 28 ++++++++++++++++++++++++++++ 3 files changed, 46 insertions(+) diff --git a/NEWS b/NEWS index 161a9418..88229fb7 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,7 @@ Noteworthy changes in release ?.?? (????-??-??) IPV6_ADD_MEMBERSHIP, IPV6_DROP_MEMBERSHIP, IPV6_JOIN_ANYCAST, IPV6_LEAVE_ANYCAST, MCAST_JOIN_GROUP, and MCAST_LEAVE_GROUP options of setsockopt syscall. + * Implemented decoding of KEYCTL_RESTRICT_KEYRING operation of keyctl syscall. * Enhanced decoding of UFFDIO_API ioctl command. * Implemented decoding of linux socket filter programs specified for SO_ATTACH_FILTER and SO_ATTACH_REUSEPORT_CBPF socket options. diff --git a/keyctl.c b/keyctl.c index 3165fcd7..a11bd3d3 100644 --- a/keyctl.c +++ b/keyctl.c @@ -263,6 +263,19 @@ keyctl_dh_compute(struct tcb *tcp, kernel_ulong_t params, kernel_ulong_t buf, } } +static void +keyctl_restrict_keyring(struct tcb *const tcp, + const key_serial_t id, + const kernel_ulong_t addr1, + const kernel_ulong_t addr2) +{ + print_keyring_serial_number(id); + tprints(", "); + printstr(tcp, addr1); + tprints(", "); + printstr(tcp, addr2); +} + #include "xlat/key_reqkeys.h" #include "xlat/keyctl_commands.h" @@ -363,6 +376,10 @@ SYS_FUNC(keyctl) keyctl_dh_compute(tcp, arg2, arg3, arg4); return 0; + case KEYCTL_RESTRICT_KEYRING: + keyctl_restrict_keyring(tcp, arg2, arg3, arg4); + break; + default: tprintf("%#" PRI_klx ", %#" PRI_klx ", %#" PRI_klx ", %#" PRI_klx, diff --git a/tests/keyctl.c b/tests/keyctl.c index bfc6d508..cb70e79c 100644 --- a/tests/keyctl.c 
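Review bot: The parameters `addr1` and `addr2` of the new `keyctl_restrict_keyring` in keyctl.c give no hint of what each tracee pointer holds. The kernel's handler for this operation takes them as the key type name and the restriction string, so `type` and `restriction` would read better here and at the `printstr` calls. A one-line comment above the function would record the contract, for example `/* id: keyring to restrict; type, restriction: NUL-terminated strings in tracee memory, may be NULL */`. As far as I know `printstr` abbreviates at the configured string-length limit, so a long restriction string is shown truncated; that is worth stating in the comment because this output may be read when auditing keyring policy changes.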
+++ b/tests/keyctl.c @@ -506,6 +506,34 @@ main(void) sizeof(long_type_str), long_desc, NULL, NULL, sizeof(kernel_ulong_t), bogus_key3, bogus_key3_str, NULL); + /* KEYCTL_RESTRICT_KEYRING */ + + do_keyctl(ARG_STR(KEYCTL_RESTRICT_KEYRING), + sizeof(int32_t), ARG_STR(KEY_SPEC_REQUESTOR_KEYRING), NULL, + sizeof(char *), ARG_STR(NULL), NULL, + sizeof(char *), ARG_STR(NULL), NULL, + NULL); + do_keyctl(ARG_STR(KEYCTL_RESTRICT_KEYRING), + sizeof(int32_t), bogus_key1, NULL, "%d", + sizeof(char *), (char *) 0xfffffacefffffeedULL, NULL, ptr_fmt, + sizeof(char *), (char *) 0xfffff00dfffff157ULL, NULL, ptr_fmt, + NULL); + do_keyctl(ARG_STR(KEYCTL_RESTRICT_KEYRING), + sizeof(int32_t), bogus_key2, NULL, "%d", + sizeof(char *), bogus_str, NULL, ptr_fmt, + sizeof(char *), bogus_desc, NULL, ptr_fmt, + NULL); + do_keyctl(ARG_STR(KEYCTL_RESTRICT_KEYRING), + sizeof(kernel_ulong_t), bogus_key3, bogus_key3_str, NULL, + sizeof(short_type_str), short_type, NULL, NULL, + sizeof(short_desc_str), short_desc, NULL, NULL, + NULL); + do_keyctl(ARG_STR(KEYCTL_RESTRICT_KEYRING), + sizeof(int32_t), 0, NULL, "%d", + sizeof(long_type_str), long_type, NULL, NULL, + sizeof(long_type_str), long_desc, NULL, NULL, + NULL); + buf_in_arg = false;