KEYS: Add a 'trusted' flag and a 'trusted only' flag (008643b8) · Commits · e / devices / android_kernel_teracube_2e

include/linux/key-type.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -45,6 +45,7 @@ struct key_preparsed_payload {
		const void data; / Raw data */
		size_t datalen; /* Raw datalen */
		size_t quotalen; /* Quota length for proposed payload */
		bool trusted; /* True if key is trusted */
		};

		typedef int (request_key_actor_t)(struct key_construction key,

+3 −0

Original line number	Diff line number	Diff line
		@@ -168,6 +168,8 @@ struct key {
		#define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
		#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
		#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
		#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
		#define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */

		/* the key type and key description string
		* - the desc is used to match a key against search criteria
		@@ -218,6 +220,7 @@ extern struct key key_alloc(struct key_type type,
		#define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */
		#define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */
		#define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */
		#define KEY_ALLOC_TRUSTED 0x0004 /* Key should be flagged as trusted */

		extern void key_revoke(struct key *key);
		extern void key_invalidate(struct key *key);

+3 −1

Original line number	Diff line number	Diff line
		@@ -40,6 +40,7 @@ static __init int system_trusted_keyring_init(void)
		if (IS_ERR(system_trusted_keyring))
		panic("Can't allocate system trusted keyring\n");

		set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
		return 0;
		}

		@@ -82,7 +83,8 @@ static __init int load_system_certificate_list(void)
		plen,
		(KEY_POS_ALL & ~KEY_POS_SETATTR) \|
		KEY_USR_VIEW,
		KEY_ALLOC_NOT_IN_QUOTA);
		KEY_ALLOC_NOT_IN_QUOTA \|
		KEY_ALLOC_TRUSTED);
		if (IS_ERR(key)) {
		pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
		PTR_ERR(key));

+8 −0

Original line number	Diff line number	Diff line
		@@ -300,6 +300,8 @@ struct key key_alloc(struct key_type type, const char *desc,

		if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
		key->flags \|= 1 << KEY_FLAG_IN_QUOTA;
		if (flags & KEY_ALLOC_TRUSTED)
		key->flags \|= 1 << KEY_FLAG_TRUSTED;

		memset(&key->type_data, 0, sizeof(key->type_data));

		@@ -813,6 +815,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
		prep.data = payload;
		prep.datalen = plen;
		prep.quotalen = index_key.type->def_datalen;
		prep.trusted = flags & KEY_ALLOC_TRUSTED;
		if (index_key.type->preparse) {
		ret = index_key.type->preparse(&prep);
		if (ret < 0) {
		@@ -827,6 +830,11 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
		}
		index_key.desc_len = strlen(index_key.description);

		key_ref = ERR_PTR(-EPERM);
		if (!prep.trusted && test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags))
		goto error_free_prep;
		flags \|= prep.trusted ? KEY_ALLOC_TRUSTED : 0;

		ret = __key_link_begin(keyring, &index_key, &edit);
		if (ret < 0) {
		key_ref = ERR_PTR(ret);

+4 −0

Original line number	Diff line number	Diff line
		@@ -1183,6 +1183,10 @@ int key_link(struct key keyring, struct key key)
		key_check(keyring);
		key_check(key);

		if (test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags) &&
		!test_bit(KEY_FLAG_TRUSTED, &key->flags))
		return -EPERM;

		ret = __key_link_begin(keyring, &key->index_key, &edit);
		if (ret == 0) {
		kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage));