| /linux-4.1.27/include/uapi/linux/ |
| H A D | keyctl.h | 15 /* special process keyring shortcut IDs */
16 #define KEY_SPEC_THREAD_KEYRING -1 /* - key ID for thread-specific keyring */
17 #define KEY_SPEC_PROCESS_KEYRING -2 /* - key ID for process-specific keyring */
18 #define KEY_SPEC_SESSION_KEYRING -3 /* - key ID for session-specific keyring */
19 #define KEY_SPEC_USER_KEYRING -4 /* - key ID for UID-specific keyring */
20 #define KEY_SPEC_USER_SESSION_KEYRING -5 /* - key ID for UID-session keyring */
21 #define KEY_SPEC_GROUP_KEYRING -6 /* - key ID for GID-specific keyring */
23 #define KEY_SPEC_REQUESTOR_KEYRING -8 /* - key ID for request_key() dest keyring */
37 #define KEYCTL_GET_KEYRING_ID 0 /* ask for a keyring's ID */
38 #define KEYCTL_JOIN_SESSION_KEYRING 1 /* join or start named session keyring */
44 #define KEYCTL_CLEAR 7 /* clear contents of a keyring */
45 #define KEYCTL_LINK 8 /* link a key into a keyring */
46 #define KEYCTL_UNLINK 9 /* unlink a key from a keyring */
47 #define KEYCTL_SEARCH 10 /* search for a key in a keyring */
48 #define KEYCTL_READ 11 /* read a key or keyring's contents */
51 #define KEYCTL_SET_REQKEY_KEYRING 14 /* set default request-key keyring */
55 #define KEYCTL_SESSION_TO_PARENT 18 /* apply session keyring to parent process */
59 #define KEYCTL_GET_PERSISTENT 22 /* get a user's persistent keyring */
|
| /linux-4.1.27/security/integrity/ |
| H A D | digsig.c | 24 static struct key *keyring[INTEGRITY_KEYRING_MAX]; variable in typeref:struct:key
42 if (!keyring[id]) { integrity_digsig_verify()
43 keyring[id] = integrity_digsig_verify()
45 if (IS_ERR(keyring[id])) { integrity_digsig_verify()
46 int err = PTR_ERR(keyring[id]); integrity_digsig_verify()
47 pr_err("no %s keyring: %d\n", keyring_name[id], err); integrity_digsig_verify()
48 keyring[id] = NULL; integrity_digsig_verify()
56 return digsig_verify(keyring[id], sig + 1, siglen - 1, integrity_digsig_verify()
59 return asymmetric_verify(keyring[id], sig, siglen, integrity_digsig_verify()
71 keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0), integrity_init_keyring()
77 if (!IS_ERR(keyring[id])) integrity_init_keyring()
78 set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags); integrity_init_keyring()
80 err = PTR_ERR(keyring[id]); integrity_init_keyring()
81 pr_info("Can't allocate %s keyring (%d)\n", integrity_init_keyring()
83 keyring[id] = NULL; integrity_init_keyring()
94 if (!keyring[id]) integrity_load_x509()
101 key = key_create_or_update(make_key_ref(keyring[id], 1), integrity_load_x509()
|
| H A D | digsig_asymmetric.c | 26 static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid) request_asymmetric_key() argument
35 if (keyring) { request_asymmetric_key()
36 /* search in specific keyring */ request_asymmetric_key()
38 kref = keyring_search(make_key_ref(keyring, 1), request_asymmetric_key()
67 int asymmetric_verify(struct key *keyring, const char *sig, asymmetric_verify() argument
86 key = request_asymmetric_key(keyring, __be32_to_cpu(hdr->keyid)); asymmetric_verify()
|
| H A D | integrity.h | 156 int asymmetric_verify(struct key *keyring, const char *sig,
159 static inline int asymmetric_verify(struct key *keyring, const char *sig, asymmetric_verify() argument
|
| /linux-4.1.27/security/keys/ |
| H A D | keyring.c | 19 #include <keys/keyring-type.h>
72 * The keyring key type definition. Keyrings are simply keys of this type and
78 static int keyring_instantiate(struct key *keyring,
80 static void keyring_revoke(struct key *keyring);
81 static void keyring_destroy(struct key *keyring);
82 static void keyring_describe(const struct key *keyring, struct seq_file *m);
83 static long keyring_read(const struct key *keyring,
87 .name = "keyring",
106 * Publish the name of a keyring so that it can be found by name (if it has
109 static void keyring_publish_name(struct key *keyring) keyring_publish_name() argument
113 if (keyring->description) { keyring_publish_name()
114 bucket = keyring_hash(keyring->description); keyring_publish_name()
121 list_add_tail(&keyring->type_data.link, keyring_publish_name()
129 * Preparse a keyring payload
144 * Initialise a keyring.
148 static int keyring_instantiate(struct key *keyring, keyring_instantiate() argument
151 assoc_array_init(&keyring->keys); keyring_instantiate()
152 /* make the keyring available by name if it has one */ keyring_instantiate()
153 keyring_publish_name(keyring); keyring_instantiate()
358 * Free an object after stripping the keyring flag off of the pointer.
366 * Operations for keyring management by the index-tree routines.
377 * Clean up a keyring when it is destroyed. Unpublish its name if it had one
380 * The garbage collector detects the final key_put(), removes the keyring from
385 static void keyring_destroy(struct key *keyring) keyring_destroy() argument
387 if (keyring->description) { keyring_destroy()
390 if (keyring->type_data.link.next != NULL && keyring_destroy()
391 !list_empty(&keyring->type_data.link)) keyring_destroy()
392 list_del(&keyring->type_data.link); keyring_destroy()
397 assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops); keyring_destroy()
401 * Describe a keyring for /proc.
403 static void keyring_describe(const struct key *keyring, struct seq_file *m) keyring_describe() argument
405 if (keyring->description) keyring_describe()
406 seq_puts(m, keyring->description); keyring_describe()
410 if (key_is_instantiated(keyring)) { keyring_describe()
411 if (keyring->keys.nr_leaves_on_tree != 0) keyring_describe()
412 seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree); keyring_describe()
445 * Read a list of key IDs from the keyring's contents in binary form
447 * The keyring's semaphore is read-locked by the caller. This prevents someone
451 static long keyring_read(const struct key *keyring, keyring_read() argument
458 kenter("{%d},,%zu", key_serial(keyring), buflen); keyring_read()
463 nr_keys = keyring->keys.nr_leaves_on_tree; keyring_read()
479 ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx); keyring_read()
490 * Allocate a keyring and link into the destination keyring.
496 struct key *keyring; keyring_alloc() local
499 keyring = key_alloc(&key_type_keyring, description, keyring_alloc()
501 if (!IS_ERR(keyring)) { keyring_alloc()
502 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); keyring_alloc()
504 key_put(keyring); keyring_alloc()
505 keyring = ERR_PTR(ret); keyring_alloc()
509 return keyring; keyring_alloc()
591 * Search inside a keyring for a key. We can search by walking to it
595 static int search_keyring(struct key *keyring, struct keyring_search_context *ctx) search_keyring() argument
600 object = assoc_array_find(&keyring->keys, search_keyring()
605 return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx); search_keyring()
612 static bool search_nested_keyrings(struct key *keyring, search_nested_keyrings() argument
616 struct key *keyring; search_nested_keyrings() member in struct:__anon14304
628 keyring->serial, search_nested_keyrings()
639 /* Check to see if this top-level keyring is what we are looking for search_nested_keyrings()
643 keyring_compare_object(keyring, &ctx->index_key)) { search_nested_keyrings()
645 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) { search_nested_keyrings()
657 /* Start processing a new keyring */ search_nested_keyrings()
659 kdebug("descend to %d", keyring->serial); search_nested_keyrings()
660 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | search_nested_keyrings()
664 /* Search through the keys in this keyring before its searching its search_nested_keyrings()
667 if (search_keyring(keyring, ctx)) search_nested_keyrings()
678 ptr = ACCESS_ONCE(keyring->keys.root); search_nested_keyrings()
683 /* If the root is a shortcut, either the keyring only contains search_nested_keyrings()
684 * keyring pointers (everything clusters behind root slot 0) or search_nested_keyrings()
685 * doesn't contain any keyring pointers. search_nested_keyrings()
705 /* Descend to a more distal node in this keyring's content tree and go search_nested_keyrings()
742 /* Search a nested keyring */ search_nested_keyrings()
749 stack[sp].keyring = keyring; search_nested_keyrings()
754 /* begin again with the new keyring */ search_nested_keyrings()
755 keyring = key; search_nested_keyrings()
786 /* The keyring we're looking at was disqualified or didn't contain a search_nested_keyrings()
796 /* Resume the processing of a keyring higher up in the tree */ search_nested_keyrings()
798 keyring = stack[sp].keyring; search_nested_keyrings()
801 kdebug("ascend to %d [%d]", keyring->serial, slot); search_nested_keyrings()
810 keyring->last_used_at = ctx->now.tv_sec; search_nested_keyrings()
812 stack[--sp].keyring->last_used_at = ctx->now.tv_sec; search_nested_keyrings()
819 * keyring_search_aux - Search a keyring tree for a key matching some criteria
820 * @keyring_ref: A pointer to the keyring with possession indicator.
821 * @ctx: The keyring search context.
823 * Search the supplied keyring tree for a key that matches the criteria given.
824 * The root keyring and any linked keyrings must grant Search permission to the
826 * to the caller. The possession flag on the root keyring pointer controls use
828 * addition, the LSM gets to forbid keyring searches and key matches.
839 * RCU can be used to prevent the keyring key lists from disappearing without
845 * specified keyring wasn't a keyring.
853 struct key *keyring; keyring_search_aux() local
860 keyring = key_ref_to_ptr(keyring_ref); keyring_search_aux()
861 key_check(keyring); keyring_search_aux()
863 if (keyring->type != &key_type_keyring) keyring_search_aux()
874 if (search_nested_keyrings(keyring, ctx)) keyring_search_aux()
881 * keyring_search - Search the supplied keyring tree for a matching key
882 * @keyring: The root of the keyring tree to be searched.
883 * @type: The type of keyring we want to find.
884 * @description: The name of the keyring we want to find.
889 key_ref_t keyring_search(key_ref_t keyring, keyring_search() argument
911 key = keyring_search_aux(keyring, &ctx); keyring_search()
920 * Search the given keyring for a key that might be updated.
922 * The caller must guarantee that the keyring is a keyring and that the
923 * permission is granted to modify the keyring as no check is made here. The
924 * caller must also hold a lock on the keyring semaphore.
930 * If successful, the possession indicator is propagated from the keyring ref
936 struct key *keyring, *key; find_key_to_update() local
939 keyring = key_ref_to_ptr(keyring_ref); find_key_to_update()
942 keyring->serial, index_key->type->name, index_key->description); find_key_to_update()
944 object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops, find_key_to_update()
966 * Find a keyring with the specified name.
973 * Returns a pointer to the keyring with the keyring's refcount having being
978 struct key *keyring; find_keyring_by_name() local
989 /* search this hash bucket for a keyring with a matching name find_keyring_by_name()
991 list_for_each_entry(keyring, find_keyring_by_name()
995 if (!kuid_has_mapping(current_user_ns(), keyring->user->uid)) find_keyring_by_name()
998 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) find_keyring_by_name()
1001 if (strcmp(keyring->description, name) != 0) find_keyring_by_name()
1005 key_permission(make_key_ref(keyring, 0), find_keyring_by_name()
1010 * key_cleanup() if the keyring is currently 'dead' find_keyring_by_name()
1012 if (!atomic_inc_not_zero(&keyring->usage)) find_keyring_by_name()
1014 keyring->last_used_at = current_kernel_time().tv_sec; find_keyring_by_name()
1019 keyring = ERR_PTR(-ENOKEY); find_keyring_by_name()
1022 return keyring; find_keyring_by_name()
1033 /* We might get a keyring with matching index-key that is nonetheless a keyring_detect_cycle_iterator()
1034 * different keyring. */ keyring_detect_cycle_iterator()
1069 * Preallocate memory so that a key can be linked into to a keyring.
1071 int __key_link_begin(struct key *keyring,
1074 __acquires(&keyring->sem)
1081 keyring->serial, index_key->type->name, index_key->description);
1085 if (keyring->type != &key_type_keyring)
1088 down_write(&keyring->sem);
1091 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
1095 * when linking two keyring in opposite orders */
1100 * keyring tree.
1102 edit = assoc_array_insert(&keyring->keys,
1115 ret = key_payload_reserve(keyring,
1116 keyring->datalen + KEYQUOTA_LINK_BYTES);
1131 up_write(&keyring->sem);
1142 int __key_link_check_live_key(struct key *keyring, struct key *key) __key_link_check_live_key() argument
1146 * keyring to another */ __key_link_check_live_key()
1147 return keyring_detect_cycle(keyring, key); __key_link_check_live_key()
1152 * Link a key into to a keyring.
1155 * already extant link to matching key if there is one, so that each keyring
1168 * Finish linking a key into to a keyring.
1172 void __key_link_end(struct key *keyring,
1175 __releases(&keyring->sem)
1179 kenter("%d,%s,", keyring->serial, index_key->type->name);
1186 key_payload_reserve(keyring,
1187 keyring->datalen - KEYQUOTA_LINK_BYTES);
1191 up_write(&keyring->sem);
1195 * key_link - Link a key to a keyring
1196 * @keyring: The keyring to make the link in.
1199 * Make a link in a keyring to a key, such that the keyring holds a reference
1200 * on that key and the key can potentially be found by searching that keyring.
1202 * This function will write-lock the keyring's semaphore and will consume some
1205 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring,
1206 * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is
1211 * be made (the keyring should have Write permission and the key Link
1214 int key_link(struct key *keyring, struct key *key) key_link() argument
1219 kenter("{%d,%d}", keyring->serial, atomic_read(&keyring->usage)); key_link()
1221 key_check(keyring); key_link()
1224 if (test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags) && key_link()
1228 ret = __key_link_begin(keyring, &key->index_key, &edit); key_link()
1230 kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage)); key_link()
1231 ret = __key_link_check_live_key(keyring, key); key_link()
1234 __key_link_end(keyring, &key->index_key, edit); key_link()
1237 kleave(" = %d {%d,%d}", ret, keyring->serial, atomic_read(&keyring->usage)); key_link()
1243 * key_unlink - Unlink the first link to a key from a keyring.
1244 * @keyring: The keyring to remove the link from.
1247 * Remove a link from a keyring to a key.
1249 * This function will write-lock the keyring's semaphore.
1251 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if
1252 * the key isn't linked to by the keyring or -ENOMEM if there's insufficient
1256 * be removed (the keyring should have Write permission; no permissions are
1259 int key_unlink(struct key *keyring, struct key *key) key_unlink() argument
1264 key_check(keyring); key_unlink()
1267 if (keyring->type != &key_type_keyring) key_unlink()
1270 down_write(&keyring->sem); key_unlink()
1272 edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops, key_unlink()
1283 key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES); key_unlink()
1287 up_write(&keyring->sem); key_unlink()
1293 * keyring_clear - Clear a keyring
1294 * @keyring: The keyring to clear.
1296 * Clear the contents of the specified keyring.
1298 * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring.
1300 int keyring_clear(struct key *keyring) keyring_clear() argument
1305 if (keyring->type != &key_type_keyring) keyring_clear()
1308 down_write(&keyring->sem); keyring_clear()
1310 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); keyring_clear()
1316 key_payload_reserve(keyring, 0); keyring_clear()
1320 up_write(&keyring->sem); keyring_clear()
1326 * Dispose of the links from a revoked keyring.
1330 static void keyring_revoke(struct key *keyring) keyring_revoke() argument
1334 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); keyring_revoke()
1338 key_payload_reserve(keyring, 0); keyring_revoke()
1363 * Garbage collect pointers from a keyring.
1365 * Not called with any locks held. The keyring's key struct will not be
1368 void keyring_gc(struct key *keyring, time_t limit) keyring_gc() argument
1372 kenter("%x{%s}", keyring->serial, keyring->description ?: ""); keyring_gc()
1374 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | keyring_gc()
1378 /* scan the keyring looking for dead keys */ keyring_gc()
1380 result = assoc_array_iterate(&keyring->keys, keyring_gc()
1391 down_write(&keyring->sem); keyring_gc()
1392 assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops, keyring_gc()
1394 up_write(&keyring->sem); keyring_gc()
|
| H A D | process_keys.c | 24 /* Session keyring create vs join semaphore */
27 /* User keyring creation semaphore */
69 /* get the UID-specific keyring install_user_keyrings()
86 /* get a default session keyring (which might also exist install_user_keyrings()
101 /* we install a link from the user session keyring to install_user_keyrings()
102 * the user keyring */ install_user_keyrings()
128 * Install a fresh thread keyring directly to new credentials. This keyring is
133 struct key *keyring; install_thread_keyring_to_cred() local
135 keyring = keyring_alloc("_tid", new->uid, new->gid, new, install_thread_keyring_to_cred()
138 if (IS_ERR(keyring)) install_thread_keyring_to_cred()
139 return PTR_ERR(keyring); install_thread_keyring_to_cred()
141 new->thread_keyring = keyring; install_thread_keyring_to_cred()
146 * Install a fresh thread keyring, discarding the old one.
169 * Install a process keyring directly to a credentials struct.
171 * Returns -EEXIST if there was already a process keyring, 0 if one installed,
176 struct key *keyring; install_process_keyring_to_cred() local
181 keyring = keyring_alloc("_pid", new->uid, new->gid, new, install_process_keyring_to_cred()
184 if (IS_ERR(keyring)) install_process_keyring_to_cred()
185 return PTR_ERR(keyring); install_process_keyring_to_cred()
187 new->process_keyring = keyring; install_process_keyring_to_cred()
192 * Make sure a process keyring is installed for the current process. The
193 * existing process keyring is not replaced.
195 * Returns 0 if there is a process keyring by the end of this function, some
217 * Install a session keyring directly to a credentials struct.
219 int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) install_session_keyring_to_cred() argument
226 /* create an empty session keyring */ install_session_keyring_to_cred()
227 if (!keyring) { install_session_keyring_to_cred()
232 keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred, install_session_keyring_to_cred()
235 if (IS_ERR(keyring)) install_session_keyring_to_cred()
236 return PTR_ERR(keyring); install_session_keyring_to_cred()
238 __key_get(keyring); install_session_keyring_to_cred()
241 /* install the keyring */ install_session_keyring_to_cred()
243 rcu_assign_pointer(cred->session_keyring, keyring); install_session_keyring_to_cred()
252 * Install a session keyring, discarding the old one. If a keyring is not
255 static int install_session_keyring(struct key *keyring) install_session_keyring() argument
264 ret = install_session_keyring_to_cred(new, keyring); install_session_keyring()
278 /* update the ownership of the thread keyring */ key_fsuid_changed()
292 /* update the ownership of the thread keyring */ key_fsgid_changed()
337 /* search the thread keyring first */ search_my_process_keyrings()
355 /* search the process keyring second */ search_my_process_keyrings()
375 /* search the session keyring */ search_my_process_keyrings()
398 /* or search the user-session keyring */ search_my_process_keyrings()
511 * or -ENOMEM if a special keyring couldn't be created.
572 /* always install a session keyring upon access if one lookup_user_key()
691 * the permission checks as it is only concerned with the keyring */ lookup_user_key()
735 /* if we attempted to install a keyring, then it may have caused new lookup_user_key()
743 * Join the named keyring as the session keyring if possible else attempt to
746 * If the name is NULL, an empty anonymous keyring will be installed as the
747 * session keyring.
757 struct key *keyring; join_session_keyring() local
765 /* if no name is provided, install an anonymous keyring */ join_session_keyring()
778 /* allow the user to join or create a named keyring */ join_session_keyring()
781 /* look for an existing keyring of this name */ join_session_keyring()
782 keyring = find_keyring_by_name(name, false); join_session_keyring()
783 if (PTR_ERR(keyring) == -ENOKEY) { join_session_keyring()
785 keyring = keyring_alloc( join_session_keyring()
789 if (IS_ERR(keyring)) { join_session_keyring()
790 ret = PTR_ERR(keyring); join_session_keyring()
793 } else if (IS_ERR(keyring)) { join_session_keyring()
794 ret = PTR_ERR(keyring); join_session_keyring()
796 } else if (keyring == new->session_keyring) { join_session_keyring()
797 key_put(keyring); join_session_keyring()
802 /* we've got a keyring - now to install it */ join_session_keyring()
803 ret = install_session_keyring_to_cred(new, keyring); join_session_keyring()
810 ret = keyring->serial; join_session_keyring()
811 key_put(keyring); join_session_keyring()
823 * Replace a process's session keyring on behalf of one of its children when
|
| H A D | Makefile | 11 keyring.o \
|
| H A D | request_key.c | 51 * keyring.
58 struct key *keyring = info->data; umh_keys_init() local
60 return install_session_keyring_to_cred(cred, keyring); umh_keys_init()
64 * Clean up a usermode helper with session keyring.
68 struct key *keyring = info->data; umh_keys_cleanup() local
69 key_put(keyring); umh_keys_cleanup()
73 * Call a usermode helper with a specific session keyring.
92 * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
100 struct key *key = cons->key, *authkey = cons->authkey, *keyring, call_sbin_request_key() local
113 /* allocate a new session keyring */ call_sbin_request_key()
117 keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred, call_sbin_request_key()
121 if (IS_ERR(keyring)) { call_sbin_request_key()
122 ret = PTR_ERR(keyring); call_sbin_request_key()
126 /* attach the auth key to the session keyring */ call_sbin_request_key()
127 ret = key_link(keyring, authkey); call_sbin_request_key()
175 ret = call_usermodehelper_keys(argv[0], argv, envp, keyring, call_sbin_request_key()
190 key_put(keyring); call_sbin_request_key()
248 * Get the appropriate destination keyring for the request.
250 * The keyring selected is returned with an extra reference upon it which the
261 /* find the appropriate keyring */ construct_get_dest_keyring()
266 /* use a default keyring; falling through the cases until we construct_get_dest_keyring()
325 * the requested keyring.
370 /* attach the key to the destination keyring under lock, but we do need construct_alloc_key()
479 * request_key_and_link - Request a key and cache it in a keyring.
494 * keyring if one is provided.
609 * to a keyring if found, new keys are always allocated in the user's quota,
648 * to a keyring if found and new keys are always allocated in the user's quota.
683 * to a keyring if found, new keys are always allocated in the user's quota and
709 * to a keyring if found and new keys are always allocated in the user's quota.
|
| H A D | key.c | 397 * Instantiate a key and link it into the target keyring atomically. Must be
398 * called with the target keyring's semaphore writelocked. The target key's
404 struct key *keyring, __key_instantiate_and_link()
411 key_check(keyring); __key_instantiate_and_link()
431 /* and link it into the destination keyring */ __key_instantiate_and_link()
432 if (keyring) __key_instantiate_and_link()
456 * key_instantiate_and_link - Instantiate a key and link it into the keyring.
458 * @data: The data to use to instantiate the keyring.
460 * @keyring: Keyring to create a link in on success (or NULL).
464 * and, if successful, link it in to the destination keyring if one is
474 struct key *keyring, key_instantiate_and_link()
492 if (keyring) { key_instantiate_and_link()
493 ret = __key_link_begin(keyring, &key->index_key, &edit); key_instantiate_and_link()
498 ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit); key_instantiate_and_link()
500 if (keyring) key_instantiate_and_link()
501 __key_link_end(keyring, &key->index_key, edit); key_instantiate_and_link()
512 * key_reject_and_link - Negatively instantiate a key and link it into the keyring.
516 * @keyring: Keyring to create a link in on success (or NULL).
521 * destination keyring if one is supplied. The key and any links to the key
535 struct key *keyring, key_reject_and_link()
543 key_check(keyring); key_reject_and_link()
548 if (keyring) key_reject_and_link()
549 link_ret = __key_link_begin(keyring, &key->index_key, &edit); key_reject_and_link()
570 /* and link it into the destination keyring */ key_reject_and_link()
571 if (keyring && link_ret == 0) key_reject_and_link()
581 if (keyring) key_reject_and_link()
582 __key_link_end(keyring, &key->index_key, edit); key_reject_and_link()
750 * @keyring_ref: A pointer to the destination keyring with possession flag.
758 * Search the destination keyring for a key of the same description and if one
760 * link to it from that keyring.
766 * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the
767 * caller isn't permitted to modify the keyring or the LSM did not permit
770 * On success, the possession flag from the keyring ref will be tacked on to
787 struct key *keyring, *key = NULL; key_create_or_update() local
804 keyring = key_ref_to_ptr(keyring_ref); key_create_or_update()
806 key_check(keyring); key_create_or_update()
809 if (keyring->type != &key_type_keyring) key_create_or_update()
833 if (!prep.trusted && test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags)) key_create_or_update()
837 ret = __key_link_begin(keyring, &index_key, &edit); key_create_or_update()
844 * to modify the keyring */ key_create_or_update()
852 * key of the same type and description in the destination keyring and key_create_or_update()
882 /* instantiate it and link it into the target keyring */ key_create_or_update()
883 ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &edit); key_create_or_update()
893 __key_link_end(keyring, &index_key, edit); key_create_or_update()
906 __key_link_end(keyring, &index_key, edit); key_create_or_update()
402 __key_instantiate_and_link(struct key *key, struct key_preparsed_payload *prep, struct key *keyring, struct key *authkey, struct assoc_array_edit **_edit) __key_instantiate_and_link() argument
471 key_instantiate_and_link(struct key *key, const void *data, size_t datalen, struct key *keyring, struct key *authkey) key_instantiate_and_link() argument
532 key_reject_and_link(struct key *key, unsigned timeout, unsigned error, struct key *keyring, struct key *authkey) key_reject_and_link() argument
|
| H A D | persistent.c | 18 * Create the persistent keyring register for the current user namespace.
38 * Create the persistent keyring for the specified user.
72 * Get the persistent keyring for a specific UID and link it to the nominated
73 * keyring.
126 * Get the persistent keyring for a specific UID and link it to the nominated
127 * keyring.
153 /* There must be a destination keyring */ keyctl_get_persistent()
|
| H A D | keyctl.c | 50 * new key to the specified keyring or update a matching key in that keyring.
55 * The keyring must be writable so that we can attach the key to it.
92 (strncmp(type, "keyring", 7) == 0)) { SYSCALL_DEFINE5()
119 /* find the target keyring (which must be writable) */ SYSCALL_DEFINE5()
127 * keyring */ SYSCALL_DEFINE5()
152 * Search the process keyrings and keyring trees linked from those for a
156 * If a key is found, it will be attached to the destination keyring if there's
200 /* get the destination keyring if specified */ SYSCALL_DEFINE4()
249 * Get the ID of the specified process keyring.
251 * The requested keyring must have search permission to be found.
253 * If successful, the ID of the requested keyring will be returned.
275 * Join a (named) session keyring.
277 * Create and join an anonymous session keyring or join a named session
278 * keyring, creating it if necessary. A named session keyring must have Search
282 * If successful, the ID of the joined session keyring will be returned.
439 * Clear the specified keyring, creating an empty process keyring if one of the
440 * special keyring IDs is used.
442 * The keyring must grant the caller Write permission for this to work. If
477 * Create a link from a keyring to a key if there's no matching key in the
478 * keyring, otherwise replace the link to the matching key with a link to the
481 * The key must grant the caller Link permission and the the keyring must grant
483 * the keyring's quota will be extended.
514 * Unlink a key from a keyring.
516 * The keyring must grant the caller Write permission for this to work; the key
624 * Search the specified keyring and any keyrings it links to for a matching
626 * (this includes the starting keyring). Only keys with Search permission can
629 * If successful, the found key will be linked to the destination keyring if
654 /* get the keyring at which to begin the search */ keyctl_keyring_search()
661 /* get the destination keyring if specified */ keyctl_keyring_search()
690 /* link the resulting key to the destination keyring if we can */ keyctl_keyring_search()
946 * Get the destination keyring for instantiation and check that the caller has
961 /* if a specific keyring is nominated by ID, then use that */ get_instantiation_keyring()
973 /* otherwise specify the destination keyring recorded in the get_instantiation_keyring()
1002 * destination keyring if one is given.
1059 /* find the destination keyring amongst those belonging to the keyctl_instantiate_key_common()
1065 /* instantiate the key and link it into a keyring */ keyctl_instantiate_key_common()
1084 * destination keyring if one is given.
1114 * the destination keyring if one is given.
1144 * the key into the destination keyring if one is given.
1164 * code and link the key into the destination keyring if one is given.
1207 /* find the destination keyring if present (which must also be keyctl_reject_key()
1213 /* instantiate the key and link it into a keyring */ keyctl_reject_key()
1229 * Read or set the default keyring in which request_key() will cache keys and
1232 * If a process keyring is specified then this will be created if it doesn't
1454 * Attempt to install the calling process's session keyring on the process's
1457 * The keyring must exist and must grant the caller LINK permission, and the
1461 * The keyring will be emplaced on the parent when it next resumes userspace.
1534 /* cancel an already pending keyring replacement */ keyctl_session_to_parent()
1537 /* the replacement session keyring is applied just prior to userspace keyctl_session_to_parent()
|
| H A D | internal.h | 78 #define KEYQUOTA_LINK_BYTES 4 /* a link in a keyring is worth 4 bytes */
91 extern int __key_link_begin(struct key *keyring,
94 extern int __key_link_check_live_key(struct key *keyring, struct key *key);
96 extern void __key_link_end(struct key *keyring,
103 extern struct key *keyring_search_instkey(struct key *keyring,
106 extern int iterate_over_keyring(const struct key *keyring,
167 extern void keyring_gc(struct key *keyring, time_t limit);
|
| H A D | user_defined.c | 44 * password pairs in the keyring that you do not want to be readable
141 * dispose of the links from a revoked keyring
|
| H A D | gc.c | 15 #include <keys/keyring-type.h>
285 /* Make sure that all pending keyring payload destructions are key_garbage_collector()
337 /* We found a keyring and we need to check the payload for links to key_garbage_collector()
|
| H A D | compat.c | 20 * link the key into the destination keyring if one is given.
|
| H A D | big_key.c | 121 * dispose of the links from a revoked keyring
|
| H A D | trusted.c | 894 * adding it to the specified keyring.
|
| /linux-4.1.27/include/linux/ |
| H A D | digsig.h | 51 int digsig_verify(struct key *keyring, const char *sig, int siglen,
56 static inline int digsig_verify(struct key *keyring, const char *sig, digsig_verify() argument
|
| H A D | key.h | 43 #define KEY_POS_READ 0x02000000 /* possessor can read key payload / view keyring */
44 #define KEY_POS_WRITE 0x04000000 /* possessor can update key payload / add link to keyring */
45 #define KEY_POS_SEARCH 0x08000000 /* possessor can find a key in search / search a keyring */
46 #define KEY_POS_LINK 0x10000000 /* possessor can create a link to a key/keyring */
126 * authentication token / access credential / keyring
146 time_t last_used_at; /* last time used for LRU keyring discard */
172 #define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */
190 * - this is used by the keyring type to index the name
272 extern key_ref_t key_create_or_update(key_ref_t keyring,
284 extern int key_link(struct key *keyring,
287 extern int key_unlink(struct key *keyring,
296 extern int keyring_clear(struct key *keyring);
298 extern key_ref_t keyring_search(key_ref_t keyring,
302 extern int keyring_add_key(struct key *keyring,
320 #define KEY_NEED_SEARCH 0x08 /* Require permission to search (keyring) or find (key) */
|
| H A D | key-type.h | 166 struct key *keyring,
171 struct key *keyring,
177 struct key *keyring, key_negate_and_link()
180 return key_reject_and_link(key, timeout, ENOKEY, keyring, instkey); key_negate_and_link()
175 key_negate_and_link(struct key *key, unsigned timeout, struct key *keyring, struct key *instkey) key_negate_and_link() argument
|
| H A D | cred.h | 141 unsigned char jit_keyring; /* default keyring to attach requested
143 struct key __rcu *session_keyring; /* keyring inherited over fork */
144 struct key *process_keyring; /* keyring private to this process */
145 struct key *thread_keyring; /* keyring private to this thread */
|
| H A D | sched.h | 808 struct key *uid_keyring; /* UID specific keyring */
809 struct key *session_keyring; /* UID's default session keyring */
2606 * Protects ->fs, ->files, ->mm, ->group_info, ->comm, keyring
|
| /linux-4.1.27/kernel/ |
| H A D | system_keyring.c | 1 /* System trusted keyring for trusted public keys
32 pr_notice("Initialise system trusted keyring\n"); system_trusted_keyring_init()
41 panic("Can't allocate system trusted keyring\n"); system_trusted_keyring_init()
48 * Must be initialised before we try and load the keys into the keyring.
|
| H A D | cred.c | 296 /* newly exec'd tasks don't get a thread keyring */ prepare_exec_creds()
300 /* inherit the session keyring; new process keyring */ prepare_exec_creds()
358 /* The process keyring is only shared between the threads in a process; copy_creds()
448 /* alter the thread keyring */ commit_creds()
|
| H A D | Makefile | 118 # the kernel so that they get loaded into the system trusted keyring during
|
| /linux-4.1.27/fs/cifs/ |
| H A D | cifs_spnego.c | 191 struct key *keyring; init_cifs_spnego() local
198 * Create an override credential set with special thread keyring for init_cifs_spnego()
206 keyring = keyring_alloc(".cifs_spnego", init_cifs_spnego()
211 if (IS_ERR(keyring)) { init_cifs_spnego()
212 ret = PTR_ERR(keyring); init_cifs_spnego()
221 * instruct request_key() to use this special keyring as a cache for init_cifs_spnego()
224 set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags); init_cifs_spnego()
225 cred->thread_keyring = keyring; init_cifs_spnego()
229 cifs_dbg(FYI, "cifs spnego keyring: %d\n", key_serial(keyring)); init_cifs_spnego()
233 key_put(keyring); init_cifs_spnego()
|
| H A D | cifsacl.c | 344 struct key *keyring; init_cifs_idmap() local
350 /* create an override credential set with a special thread keyring in init_cifs_idmap()
360 keyring = keyring_alloc(".cifs_idmap", init_cifs_idmap()
365 if (IS_ERR(keyring)) { init_cifs_idmap()
366 ret = PTR_ERR(keyring); init_cifs_idmap()
374 /* instruct request_key() to use this special keyring as a cache for init_cifs_idmap()
376 set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags); init_cifs_idmap()
377 cred->thread_keyring = keyring; init_cifs_idmap()
381 cifs_dbg(FYI, "cifs idmap keyring: %d\n", key_serial(keyring)); init_cifs_idmap()
385 key_put(keyring); init_cifs_idmap()
|
| H A D | connect.c | 2312 /* Populate username and pw fields from keyring if possible */
|
| /linux-4.1.27/net/dns_resolver/ |
| H A D | dns_key.c | 265 struct key *keyring; init_dns_resolver() local
268 /* create an override credential set with a special thread keyring in init_dns_resolver()
278 keyring = keyring_alloc(".dns_resolver", init_dns_resolver()
283 if (IS_ERR(keyring)) { init_dns_resolver()
284 ret = PTR_ERR(keyring); init_dns_resolver()
292 /* instruct request_key() to use this special keyring as a cache for init_dns_resolver()
294 set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags); init_dns_resolver()
295 cred->thread_keyring = keyring; init_dns_resolver()
299 kdebug("DNS resolver keyring: %d\n", key_serial(keyring)); init_dns_resolver()
303 key_put(keyring); init_dns_resolver()
|
| /linux-4.1.27/lib/ |
| H A D | digsig.c | 176 * @keyring: keyring to search key in
189 int digsig_verify(struct key *keyring, const char *sig, int siglen, digsig_verify() argument
207 if (keyring) { digsig_verify()
208 /* search in specific keyring */ digsig_verify()
210 kref = keyring_search(make_key_ref(keyring, 1UL), digsig_verify()
|
| /linux-4.1.27/include/keys/ |
| H A D | system_keyring.h | 1 /* System keyring containing trusted public keys.
|
| /linux-4.1.27/crypto/asymmetric_keys/ |
| H A D | x509_public_key.c | 38 if (!str) /* default system keyring */ ca_keys_setup()
67 * @keyring: The keys to search.
71 * Find a key in the given keyring by subject name and key ID. These might,
75 struct key *x509_request_asymmetric_key(struct key *keyring, x509_request_asymmetric_key() argument
100 key = keyring_search(make_key_ref(keyring, 1), x509_request_asymmetric_key()
213 * Check the new certificate against the ones in the trust keyring. If one of
|
| H A D | pkcs7_trust.c | 158 * keyring, or:
|
| H A D | pkcs7_verify.c | 158 * the trust keyring. pkcs7_find_key()
|
| H A D | verify_pefile.c | 409 * keyring, or:
|
| /linux-4.1.27/security/integrity/evm/ |
| H A D | evm_secfs.c | 12 * - Used to signal when key is on keyring
|
| /linux-4.1.27/include/crypto/ |
| H A D | public_key.h | 103 extern struct key *x509_request_asymmetric_key(struct key *keyring,
|
| /linux-4.1.27/fs/nfs/ |
| H A D | nfs4idmap.c | 190 struct key *keyring; nfs_idmap_init_keyring() local
200 keyring = keyring_alloc(".id_resolver", nfs_idmap_init_keyring()
205 if (IS_ERR(keyring)) { nfs_idmap_init_keyring()
206 ret = PTR_ERR(keyring); nfs_idmap_init_keyring()
218 set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags); nfs_idmap_init_keyring()
219 cred->thread_keyring = keyring; nfs_idmap_init_keyring()
227 key_put(keyring); nfs_idmap_init_keyring()
|
| /linux-4.1.27/net/rxrpc/ |
| H A D | ar-security.c | 203 /* look through the service's keyring */ rxrpc_init_server_conn_security()
|
| H A D | ar-key.c | 923 * grab the security keyring for a server socket
|
| /linux-4.1.27/fs/ecryptfs/ |
| H A D | ecryptfs_kernel.h | 278 * @global_auth_tok_key: The key from the user's keyring for the sig
283 * in the user keyring that apply to newly created files. A list of
|
| H A D | main.c | 214 "session keyring for sig specified in mount " ecryptfs_init_global_auth_toks()
252 * already in the keyring. Mounting will fail if the key can not be
|