[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200818154230.14016-15-krzysztof.struczynski@huawei.com>
Date: Tue, 18 Aug 2020 17:42:24 +0200
From: <krzysztof.struczynski@...wei.com>
To: <linux-integrity@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<containers@...ts.linux-foundation.org>,
<linux-security-module@...r.kernel.org>
CC: <zohar@...ux.ibm.com>, <stefanb@...ux.vnet.ibm.com>,
<sunyuqiong1988@...il.com>, <mkayaalp@...binghamton.edu>,
<dmitry.kasatkin@...il.com>, <serge@...lyn.com>,
<jmorris@...ei.org>, <christian@...uner.io>,
<silviu.vlasceanu@...wei.com>, <roberto.sassu@...wei.com>,
Krzysztof Struczynski <krzysztof.struczynski@...wei.com>
Subject: [RFC PATCH 24/30] keys: Include key domain tag in the iterative search
From: Krzysztof Struczynski <krzysztof.struczynski@...wei.com>
Add domain tag to the key_match_data. If set, check domain tag in the
default match function and asymmetric keys match functions.
This will allow to use the key domain tag in the search criteria for
the iterative search, not only for the direct lookup that is based on
the index key.
Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@...wei.com>
---
crypto/asymmetric_keys/asymmetric_type.c | 20 ++++++++++++++++----
include/linux/key-type.h | 1 +
security/keys/keyring.c | 10 +++++++++-
3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
index 33e77d846caa..177429bc5c7b 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -249,9 +249,15 @@ static bool asymmetric_key_cmp(const struct key *key,
{
const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
const struct asymmetric_key_id *match_id = match_data->preparsed;
+ bool match;
- return asymmetric_match_key_ids(kids, match_id,
- asymmetric_key_id_same);
+ match = asymmetric_match_key_ids(kids, match_id,
+ asymmetric_key_id_same);
+
+ if (match_data->domain_tag)
+ match &= key->index_key.domain_tag == match_data->domain_tag;
+
+ return match;
}
/*
@@ -262,9 +268,15 @@ static bool asymmetric_key_cmp_partial(const struct key *key,
{
const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
const struct asymmetric_key_id *match_id = match_data->preparsed;
+ bool match;
+
+ match = asymmetric_match_key_ids(kids, match_id,
+ asymmetric_key_id_partial);
+
+ if (match_data->domain_tag)
+ match &= key->index_key.domain_tag == match_data->domain_tag;
- return asymmetric_match_key_ids(kids, match_id,
- asymmetric_key_id_partial);
+ return match;
}
/*
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 2ab2d6d6aeab..c8ea26ab242c 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -55,6 +55,7 @@ struct key_match_data {
unsigned lookup_type; /* Type of lookup for this search. */
#define KEYRING_SEARCH_LOOKUP_DIRECT 0x0000 /* Direct lookup by description. */
#define KEYRING_SEARCH_LOOKUP_ITERATE 0x0001 /* Iterative search. */
+ struct key_tag *domain_tag; /* Key domain tag */
};
/*
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 12583241ff63..7e45e534035f 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -565,7 +565,13 @@ int restrict_link_reject(struct key *keyring,
bool key_default_cmp(const struct key *key,
const struct key_match_data *match_data)
{
- return strcmp(key->description, match_data->raw_data) == 0;
+ bool match;
+
+ match = strcmp(key->description, match_data->raw_data) == 0;
+ if (match_data->domain_tag)
+ match &= key->index_key.domain_tag == match_data->domain_tag;
+
+ return match;
}
/*
@@ -957,6 +963,8 @@ key_ref_t keyring_search_tag(key_ref_t keyring,
if (recurse)
ctx.flags |= KEYRING_SEARCH_RECURSE;
+ if (domain_tag)
+ ctx.match_data.domain_tag = domain_tag;
if (type->match_preparse) {
ret = type->match_preparse(&ctx.match_data);
if (ret < 0)
--
2.20.1
Powered by blists - more mailing lists