linux/security/keys
David Howells 7a1ade8475 keys: Provide KEYCTL_GRANT_PERMISSION
Provide a keyctl() operation to grant/remove permissions.  The grant
operation, wrapped by libkeyutils, looks like:

	int ret = keyctl_grant_permission(key_serial_t key,
					  enum key_ace_subject_type type,
					  unsigned int subject,
					  unsigned int perm);

Where key is the key to be modified, type and subject represent the subject
to which permission is to be granted (or removed) and perm is the set of
permissions to be granted.  0 is returned on success.  SET_SECURITY
permission is required for this.

The subject type currently must be KEY_ACE_SUBJ_STANDARD for the moment
(other subject types will come along later).

For subject type KEY_ACE_SUBJ_STANDARD, the following subject values are
available:

	KEY_ACE_POSSESSOR	The possessor of the key
	KEY_ACE_OWNER		The owner of the key
	KEY_ACE_GROUP		The key's group
	KEY_ACE_EVERYONE	Everyone

perm lists the permissions to be granted:

	KEY_ACE_VIEW		Can view the key metadata
	KEY_ACE_READ		Can read the key content
	KEY_ACE_WRITE		Can update/modify the key content
	KEY_ACE_SEARCH		Can find the key by searching/requesting
	KEY_ACE_LINK		Can make a link to the key
	KEY_ACE_SET_SECURITY	Can set security
	KEY_ACE_INVAL		Can invalidate
	KEY_ACE_REVOKE		Can revoke
	KEY_ACE_JOIN		Can join this keyring
	KEY_ACE_CLEAR		Can clear this keyring

If an ACE already exists for the subject, then the permissions mask will be
overwritten; if perm is 0, it will be deleted.

Currently, the internal ACL is limited to a maximum of 16 entries.

For example:

	int ret = keyctl_grant_permission(key,
					  KEY_ACE_SUBJ_STANDARD,
					  KEY_ACE_OWNER,
					  KEY_ACE_VIEW | KEY_ACE_READ);

Signed-off-by: David Howells <dhowells@redhat.com>
2019-07-03 13:05:22 +01:00
..
encrypted-keys keys: Replace uid/gid/perm permissions checking with an ACL 2019-06-27 23:03:07 +01:00
big_key.c big key: get rid of stack array allocation 2018-05-11 13:07:45 -07:00
compat_dh.c KEYS: DH: validate __spare field 2017-07-14 11:01:38 +10:00
compat.c keys: Provide KEYCTL_GRANT_PERMISSION 2019-07-03 13:05:22 +01:00
dh.c crypto: shash - remove shash_desc::flags 2019-04-25 15:38:12 +08:00
gc.c keys: Replace uid/gid/perm permissions checking with an ACL 2019-06-27 23:03:07 +01:00
internal.h keys: Provide KEYCTL_GRANT_PERMISSION 2019-07-03 13:05:22 +01:00
Kconfig keys: Cache result of request_key*() temporarily in task_struct 2019-06-19 16:10:15 +01:00
key.c keys: Replace uid/gid/perm permissions checking with an ACL 2019-06-27 23:03:07 +01:00
keyctl_pkey.c KEYS: fix parsing invalid pkey info string 2019-01-01 13:13:19 -08:00
keyctl.c keys: Provide KEYCTL_GRANT_PERMISSION 2019-07-03 13:05:22 +01:00
keyring.c keys: Replace uid/gid/perm permissions checking with an ACL 2019-06-27 23:03:07 +01:00
Makefile KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2] 2018-10-26 09:30:46 +01:00
permission.c keys: Provide KEYCTL_GRANT_PERMISSION 2019-07-03 13:05:22 +01:00
persistent.c keys: Replace uid/gid/perm permissions checking with an ACL 2019-06-27 23:03:07 +01:00
proc.c keys: Replace uid/gid/perm permissions checking with an ACL 2019-06-27 23:03:07 +01:00
process_keys.c keys: Replace uid/gid/perm permissions checking with an ACL 2019-06-27 23:03:07 +01:00
request_key_auth.c keys: Replace uid/gid/perm permissions checking with an ACL 2019-06-27 23:03:07 +01:00
request_key.c keys: Replace uid/gid/perm permissions checking with an ACL 2019-06-27 23:03:07 +01:00
sysctl.c security: Convert use of typedef ctl_table to struct ctl_table 2014-04-15 13:39:58 +10:00
trusted.c Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-05-06 20:15:06 -07:00
user_defined.c security: audit and remove any unnecessary uses of module.h 2018-12-12 14:58:51 -08:00