Lines Matching defs:key
2 /* Userspace key control operations
13 #include <linux/key.h>
63 * Extract the description of a new key from userspace and either add it as a
64 * new key to the specified keyring or update a matching key in that keyring.
66 * If the description is NULL or an empty string, the key type is asked to
69 * The keyring must be writable so that we can attach the key to it.
71 * If successful, the new key's serial number is returned, otherwise an error
132 /* create or update the requested key and add it to the target
156 * matching key. Keyrings must have appropriate Search permission to be
159 * If a key is found, it will be attached to the destination keyring if there's
160 * one specified and the serial number of the key will be returned.
162 * If no key is found, /sbin/request-key will be invoked if _callout_info is
163 * non-NULL in an attempt to create a key. The _callout_info string will be
164 * passed to /sbin/request-key to aid with completing the request. If the
173 struct key *key;
214 /* find the key type */
222 key = request_key_and_link(ktype, description, NULL, callout_info,
225 if (IS_ERR(key)) {
226 ret = PTR_ERR(key);
230 /* wait for the key to finish being constructed */
231 ret = wait_for_key_construction(key, 1);
235 ret = key->serial;
238 key_put(key);
316 * Update a key's data payload from the given data.
318 * The key must grant the caller Write permission and the key type must support
319 * updating for this to work. A negative key can be positively instantiated
322 * If successful, 0 will be returned. If the key type does not support
350 /* find the target key (which must be writable) */
357 /* update the key */
368 * Revoke a key.
370 * The key must be grant the caller Write or Setattr permission for this to
371 * work. The key type should give up its quota claim when revoked. The key
372 * and any links to the key will be automatically garbage collected after a
382 struct key *key;
397 key = key_ref_to_ptr(key_ref);
399 if (test_bit(KEY_FLAG_KEEP, &key->flags))
402 key_revoke(key);
410 * Invalidate a key.
412 * The key must be grant the caller Invalidate permission for this to work.
413 * The key and any links to the key will be automatically garbage collected
423 struct key *key;
447 key = key_ref_to_ptr(key_ref);
449 if (test_bit(KEY_FLAG_KEEP, &key->flags))
452 key_invalidate(key);
470 struct key *keyring;
505 * Create a link from a keyring to a key if there's no matching key in the
506 * keyring, otherwise replace the link to the matching key with a link to the
507 * new key.
509 * The key must grant the caller Link permission and the the keyring must grant
542 * Unlink a key from a keyring.
544 * The keyring must grant the caller Write permission for this to work; the key
545 * itself need not grant the caller anything. If the last link to a key is
546 * removed then that key will be scheduled for destruction.
555 struct key *keyring, *key;
571 key = key_ref_to_ptr(key_ref);
573 test_bit(KEY_FLAG_KEEP, &key->flags))
576 ret = key_unlink(keyring, key);
586 * Move a link to a key from one keyring to another, displacing any matching
587 * key from the destination keyring.
589 * The key must grant the caller Link permission and both keyrings must grant
591 * to the key. If both keyrings are the same, nothing is done.
632 * Return a description of a key to userspace.
634 * The key must grant the caller View permission for this to work.
648 struct key *key, *instkey;
656 /* viewing a key under construction is permitted if we have the
675 key = key_ref_to_ptr(key_ref);
676 desclen = strlen(key->description);
682 key->type->name,
683 from_kuid_munged(current_user_ns(), key->uid),
684 from_kgid_munged(current_user_ns(), key->gid),
685 key->perm);
694 copy_to_user(buffer + infolen, key->description,
708 * key. Only keyrings that grant the caller Search permission will be searched
712 * If successful, the found key will be linked to the destination keyring if
713 * supplied and the key has Link permission, and the found key ID will be
755 /* find the key type */
767 /* treat lack or presence of a negative key the same */
773 /* link the resulting key to the destination keyring if we can */
803 static long __keyctl_read_key(struct key *key, char *buffer, size_t buflen)
807 down_read(&key->sem);
808 ret = key_validate(key);
810 ret = key->type->read(key, buffer, buflen);
811 up_read(&key->sem);
816 * Read a key's payload.
818 * The key must either grant the caller Read permission, or it must grant the
822 * is provided, and return the amount of data that is available in the key,
827 struct key *key;
833 /* find the key first */
840 key = key_ref_to_ptr(key_ref);
842 ret = key_read_state(key);
855 * dangling off an instantiation key
862 /* the key is probably readable - now try to read it */
864 if (!key->type->read) {
870 /* Get the key length from the read method */
871 ret = __keyctl_read_key(key, NULL, 0);
877 * to protect against the key being updated or revoked.
884 * ? buflen : actual length of key data
887 * be much larger than the actual key length. In the latter case,
900 ret = __keyctl_read_key(key, key_data, key_data_len);
910 * The key may change (unlikely) in between 2 consecutive
912 * a larger buffer and redo the key read when
929 key_put(key);
935 * Change the ownership of a key
937 * The key must grant the caller Setattr permission for this to work, though
938 * the key need not be fully instantiated yet. For the UID to be changed, or
944 * accept the key. The quota deduction will be removed from the old user to
952 struct key *key;
977 key = key_ref_to_ptr(key_ref);
981 down_write(&key->sem);
986 /* only the sysadmin can chown a key to some other UID */
987 if (user != (uid_t) -1 && !uid_eq(key->uid, uid))
990 /* only the sysadmin can set the key's GID to a group other
992 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid))
1000 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) {
1007 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
1015 newowner->qnbytes + key->quotalen > maxbytes ||
1016 newowner->qnbytes + key->quotalen <
1021 newowner->qnbytes += key->quotalen;
1024 spin_lock(&key->user->lock);
1025 key->user->qnkeys--;
1026 key->user->qnbytes -= key->quotalen;
1027 spin_unlock(&key->user->lock);
1030 atomic_dec(&key->user->nkeys);
1033 if (key->state != KEY_IS_UNINSTANTIATED) {
1034 atomic_dec(&key->user->nikeys);
1038 zapowner = key->user;
1039 key->user = newowner;
1040 key->uid = uid;
1045 key->gid = gid;
1047 notify_key(key, NOTIFY_KEY_SETATTR, 0);
1051 up_write(&key->sem);
1052 key_put(key);
1066 * Change the permission mask on a key.
1068 * The key must grant the caller Setattr permission for this to work, though
1069 * the key need not be fully instantiated yet. If the caller does not have
1074 struct key *key;
1089 key = key_ref_to_ptr(key_ref);
1093 down_write(&key->sem);
1095 /* if we're not the sysadmin, we can only change a key that we own */
1096 if (uid_eq(key->uid, current_fsuid()) || capable(CAP_SYS_ADMIN)) {
1097 key->perm = perm;
1098 notify_key(key, NOTIFY_KEY_SETATTR, 0);
1102 up_write(&key->sem);
1103 key_put(key);
1114 struct key **_dest_keyring)
1137 * authorisation key (any KEY_SPEC_*_KEYRING) */
1147 * Change the request_key authorisation key on the current process.
1149 static int keyctl_change_reqkey_auth(struct key *key)
1158 new->request_key_auth = key_get(key);
1164 * Instantiate a key with the specified payload and link the key into the
1178 struct key *instkey, *dest_keyring;
1192 /* the appropriate instantiation authorisation key must have been
1223 /* instantiate the key and link it into a keyring */
1230 * instantiation of the key */
1241 * Instantiate a key with the specified payload and link the key into the
1271 * Instantiate a key with the specified multipart payload and link the key into
1301 * Negatively instantiate the key with the given timeout (in seconds) and link
1302 * the key into the destination keyring if one is given.
1307 * The key and any links to the key will be automatically garbage collected
1311 * them to return -ENOKEY until the negative key expires.
1321 * Negatively instantiate the key with the given timeout (in seconds) and error
1322 * code and link the key into the destination keyring if one is given.
1327 * The key and any links to the key will be automatically garbage collected
1331 * them to return the specified error code until the negative key expires.
1340 struct key *instkey, *dest_keyring;
1354 /* the appropriate instantiation authorisation key must have been
1371 /* instantiate the key and link it into a keyring */
1378 * instantiation of the key */
1444 * Set or clear the timeout on a key.
1446 * Either the key must grant the caller Setattr permission or else the caller
1447 * must hold an instantiation authorisation token for the key.
1450 * the current time. The key and any links to the key will be automatically
1459 struct key *key, *instkey;
1466 /* setting the timeout on a key under construction is permitted
1485 key = key_ref_to_ptr(key_ref);
1487 if (test_bit(KEY_FLAG_KEEP, &key->flags)) {
1490 key_set_timeout(key, timeout);
1491 notify_key(key, NOTIFY_KEY_SETATTR, 0);
1493 key_put(key);
1500 * Assume (or clear) the authority to instantiate the specified key.
1502 * This sets the authoritative token currently in force for key instantiation.
1503 * This must be done for a key to be instantiated. It has the effect of making
1505 * key to request_key() calls made by the caller of this function.
1507 * The caller must have the instantiation key in their process keyrings with a
1512 * If the ID given has a matching an authorisation key, then that key will be
1513 * set and its ID will be returned. The authorisation key can be read to get
1518 struct key *authkey;
1521 /* special key IDs aren't permitted */
1533 * instantiate the specified key
1534 * - the authorisation key must be in the current task's keyrings
1552 * Get a key's the LSM security label.
1554 * The key must grant the caller View permission for this to work.
1565 struct key *key, *instkey;
1575 /* viewing a key under construction is also permitted if we
1588 key = key_ref_to_ptr(key_ref);
1589 ret = security_key_getsecurity(key, &context);
1769 * Watch for changes to a key.
1771 * The caller must have View permission to watch a key or keyring.
1778 struct key *key;
1788 key = key_ref_to_ptr(key_ref);
1798 if (!key->watchers) {
1810 watch->id = key->serial;
1813 ret = security_watch_key(key);
1817 down_write(&key->sem);
1818 if (!key->watchers) {
1819 key->watchers = wlist;
1823 ret = add_watch_to_object(watch, key->watchers);
1824 up_write(&key->sem);
1830 if (key->watchers) {
1831 down_write(&key->sem);
1832 ret = remove_watch_from_object(key->watchers,
1833 wqueue, key_serial(key),
1835 up_write(&key->sem);
1846 key_put(key);
1872 * The key control system call