linux_dsm_epyc7002/security
David Howells 7a1ade8475 keys: Provide KEYCTL_GRANT_PERMISSION
Provide a keyctl() operation to grant/remove permissions.  The grant
operation, wrapped by libkeyutils, looks like:

	int ret = keyctl_grant_permission(key_serial_t key,
					  enum key_ace_subject_type type,
					  unsigned int subject,
					  unsigned int perm);

Where key is the key to be modified, type and subject represent the subject
to which permission is to be granted (or removed) and perm is the set of
permissions to be granted.  0 is returned on success.  SET_SECURITY
permission is required for this.

The subject type currently must be KEY_ACE_SUBJ_STANDARD for the moment
(other subject types will come along later).

For subject type KEY_ACE_SUBJ_STANDARD, the following subject values are
available:

	KEY_ACE_POSSESSOR	The possessor of the key
	KEY_ACE_OWNER		The owner of the key
	KEY_ACE_GROUP		The key's group
	KEY_ACE_EVERYONE	Everyone

perm lists the permissions to be granted:

	KEY_ACE_VIEW		Can view the key metadata
	KEY_ACE_READ		Can read the key content
	KEY_ACE_WRITE		Can update/modify the key content
	KEY_ACE_SEARCH		Can find the key by searching/requesting
	KEY_ACE_LINK		Can make a link to the key
	KEY_ACE_SET_SECURITY	Can set security
	KEY_ACE_INVAL		Can invalidate
	KEY_ACE_REVOKE		Can revoke
	KEY_ACE_JOIN		Can join this keyring
	KEY_ACE_CLEAR		Can clear this keyring

If an ACE already exists for the subject, then the permissions mask will be
overwritten; if perm is 0, it will be deleted.

Currently, the internal ACL is limited to a maximum of 16 entries.

For example:

	int ret = keyctl_grant_permission(key,
					  KEY_ACE_SUBJ_STANDARD,
					  KEY_ACE_OWNER,
					  KEY_ACE_VIEW | KEY_ACE_READ);

Signed-off-by: David Howells <dhowells@redhat.com>
2019-07-03 13:05:22 +01:00
..
apparmor Merge branch 'work.icache' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-05-07 10:57:05 -07:00
integrity keys: Replace uid/gid/perm permissions checking with an ACL 2019-06-27 23:03:07 +01:00
keys keys: Provide KEYCTL_GRANT_PERMISSION 2019-07-03 13:05:22 +01:00
loadpin LoadPin: Initialize as ordered LSM 2019-01-08 13:18:43 -08:00
safesetid LSM: fix return value check in safesetid_init_securityfs() 2019-02-12 10:59:22 -08:00
selinux keys: Replace uid/gid/perm permissions checking with an ACL 2019-06-27 23:03:07 +01:00
smack keys: Replace uid/gid/perm permissions checking with an ACL 2019-06-27 23:03:07 +01:00
tomoyo tomoyo: Don't emit WARNING: string while fuzzing testing. 2019-05-10 14:58:35 -07:00
yama Yama: mark function as static 2019-04-10 10:36:45 -07:00
commoncap.c audit/stable-5.1 PR 20190305 2019-03-07 12:20:11 -08:00
device_cgroup.c device_cgroup: fix RCU imbalance in error case 2019-03-19 10:46:15 -07:00
inode.c securityfs: switch to ->free_inode() 2019-05-01 22:43:26 -04:00
Kconfig compiler-based memory initialization 2019-05-07 12:44:49 -07:00
Kconfig.hardening security: Implement Clang's stack initialization 2019-04-24 14:00:56 -07:00
lsm_audit.c missing barriers in some of unix_sock ->addr and ->path accesses 2019-02-20 20:06:28 -08:00
Makefile LSM: add SafeSetID module that gates setid calls 2019-01-25 11:22:45 -08:00
min_addr.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
security.c Merge branch 'work.mount-syscalls' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-05-07 20:17:51 -07:00