2005-10-07 15:07:38 +01:00
/* permission.c: key permission determination
*
* Copyright ( C ) 2005 Red Hat , Inc . All Rights Reserved .
* Written by David Howells ( dhowells @ redhat . com )
*
* This program is free software ; you can redistribute it and / or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation ; either version
* 2 of the License , or ( at your option ) any later version .
*/
# include <linux/module.h>
2005-10-30 15:02:44 -08:00
# include <linux/security.h>
2005-10-07 15:07:38 +01:00
# include "internal.h"
/*****************************************************************************/
/*
* check to see whether permission is granted to use a key in the desired way ,
* but permit the security modules to override
*/
int key_task_permission ( const key_ref_t key_ref ,
struct task_struct * context ,
key_perm_t perm )
{
2008-11-14 10:39:16 +11:00
struct cred * cred = context - > cred ;
2005-10-07 15:07:38 +01:00
struct key * key ;
key_perm_t kperm ;
int ret ;
key = key_ref_to_ptr ( key_ref ) ;
/* use the second 8-bits of permissions for keys the caller owns */
2008-11-14 10:39:16 +11:00
if ( key - > uid = = cred - > fsuid ) {
2005-10-07 15:07:38 +01:00
kperm = key - > perm > > 16 ;
goto use_these_perms ;
}
/* use the third 8-bits of permissions for keys the caller has a group
* membership in common with */
if ( key - > gid ! = - 1 & & key - > perm & KEY_GRP_ALL ) {
2008-11-14 10:39:16 +11:00
if ( key - > gid = = cred - > fsgid ) {
2005-10-07 15:07:38 +01:00
kperm = key - > perm > > 8 ;
goto use_these_perms ;
}
2008-11-14 10:39:16 +11:00
spin_lock ( & cred - > lock ) ;
ret = groups_search ( cred - > group_info , key - > gid ) ;
spin_unlock ( & cred - > lock ) ;
2005-10-07 15:07:38 +01:00
if ( ret ) {
kperm = key - > perm > > 8 ;
goto use_these_perms ;
}
}
/* otherwise use the least-significant 8-bits */
kperm = key - > perm ;
use_these_perms :
2005-10-07 16:41:24 +01:00
/* use the top 8-bits of permissions for keys the caller possesses
* - possessor permissions are additive with other permissions
*/
if ( is_key_possessed ( key_ref ) )
kperm | = key - > perm > > 24 ;
2005-10-07 15:07:38 +01:00
kperm = kperm & perm & KEY_ALL ;
2005-10-30 15:02:44 -08:00
if ( kperm ! = perm )
return - EACCES ;
/* let LSM be the final arbiter */
return security_key_permission ( key_ref , context , perm ) ;
2005-10-07 15:07:38 +01:00
} /* end key_task_permission() */
EXPORT_SYMBOL ( key_task_permission ) ;
2006-01-08 01:02:47 -08:00
/*****************************************************************************/
/*
* validate a key
*/
int key_validate ( struct key * key )
{
struct timespec now ;
int ret = 0 ;
if ( key ) {
/* check it's still accessible */
ret = - EKEYREVOKED ;
if ( test_bit ( KEY_FLAG_REVOKED , & key - > flags ) | |
test_bit ( KEY_FLAG_DEAD , & key - > flags ) )
goto error ;
/* check it hasn't expired */
ret = 0 ;
if ( key - > expiry ) {
now = current_kernel_time ( ) ;
if ( now . tv_sec > = key - > expiry )
ret = - EKEYEXPIRED ;
}
}
error :
return ret ;
} /* end key_validate() */
EXPORT_SYMBOL ( key_validate ) ;