Commit 40482bb4 authored by David Howells's avatar David Howells

KEYS: Remove KEY_FLAG_TRUSTED

Remove KEY_FLAG_TRUSTED as it's no longer meaningful.

Given this, we no longer need to pass the key flags through to
restrict_link().

Further, we can now get rid of keyring_restrict_trusted_only() also.
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent cbf44a8c
......@@ -31,7 +31,6 @@ extern __initconst const unsigned long system_certificate_list_size;
*/
int restrict_link_by_system_trusted(struct key *keyring,
const struct key_type *type,
unsigned long flags,
const union key_payload *payload)
{
return public_key_restrict_link(system_trusted_keyring, type, payload);
......
......@@ -18,7 +18,6 @@
extern int restrict_link_by_system_trusted(struct key *keyring,
const struct key_type *type,
unsigned long flags,
const union key_payload *payload);
#endif
......
......@@ -173,10 +173,9 @@ struct key {
#define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
#define KEY_FLAG_BUILTIN 9 /* set if key is built in to the kernel */
#define KEY_FLAG_ROOT_CAN_INVAL 10 /* set if key can be invalidated by root without permission */
#define KEY_FLAG_KEEP 11 /* set if key should not be removed */
#define KEY_FLAG_BUILTIN 8 /* set if key is built in to the kernel */
#define KEY_FLAG_ROOT_CAN_INVAL 9 /* set if key can be invalidated by root without permission */
#define KEY_FLAG_KEEP 10 /* set if key should not be removed */
/* the key type and key description string
* - the desc is used to match a key against search criteria
......@@ -217,7 +216,6 @@ struct key {
*/
int (*restrict_link)(struct key *keyring,
const struct key_type *type,
unsigned long flags,
const union key_payload *payload);
};
......@@ -229,7 +227,6 @@ extern struct key *key_alloc(struct key_type *type,
unsigned long flags,
int (*restrict_link)(struct key *,
const struct key_type *,
unsigned long,
const union key_payload *));
......@@ -309,15 +306,9 @@ extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid
unsigned long flags,
int (*restrict_link)(struct key *,
const struct key_type *,
unsigned long,
const union key_payload *),
struct key *dest);
extern int keyring_restrict_trusted_only(struct key *keyring,
const struct key_type *type,
unsigned long,
const union key_payload *payload);
extern int keyring_clear(struct key *keyring);
extern key_ref_t keyring_search(key_ref_t keyring,
......
......@@ -50,12 +50,11 @@ static bool init_keyring __initdata;
*/
static int restrict_link_by_ima_mok(struct key *keyring,
const struct key_type *type,
unsigned long flags,
const union key_payload *payload)
{
int ret;
ret = restrict_link_by_system_trusted(keyring, type, flags, payload);
ret = restrict_link_by_system_trusted(keyring, type, payload);
if (ret != -ENOKEY)
return ret;
......@@ -96,7 +95,6 @@ int __init integrity_init_keyring(const unsigned int id)
{
int (*restrict_link)(struct key *,
const struct key_type *,
unsigned long,
const union key_payload *) = NULL;
const struct cred *cred = current_cred();
int err = 0;
......
......@@ -227,7 +227,6 @@ struct key *key_alloc(struct key_type *type, const char *desc,
key_perm_t perm, unsigned long flags,
int (*restrict_link)(struct key *,
const struct key_type *,
unsigned long,
const union key_payload *))
{
struct key_user *user = NULL;
......@@ -300,8 +299,6 @@ struct key *key_alloc(struct key_type *type, const char *desc,
if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
key->flags |= 1 << KEY_FLAG_IN_QUOTA;
if (flags & KEY_ALLOC_TRUSTED)
key->flags |= 1 << KEY_FLAG_TRUSTED;
if (flags & KEY_ALLOC_BUILT_IN)
key->flags |= 1 << KEY_FLAG_BUILTIN;
......@@ -504,7 +501,7 @@ int key_instantiate_and_link(struct key *key,
if (keyring) {
if (keyring->restrict_link) {
ret = keyring->restrict_link(keyring, key->type,
key->flags, &prep.payload);
&prep.payload);
if (ret < 0)
goto error;
}
......@@ -811,7 +808,6 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
int ret;
int (*restrict_link)(struct key *,
const struct key_type *,
unsigned long,
const union key_payload *) = NULL;
/* look up the key type to see if it's one of the registered kernel
......@@ -860,9 +856,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
index_key.desc_len = strlen(index_key.description);
if (restrict_link) {
unsigned long kflags = prep.trusted ? KEY_FLAG_TRUSTED : 0;
ret = restrict_link(keyring,
index_key.type, kflags, &prep.payload);
ret = restrict_link(keyring, index_key.type, &prep.payload);
if (ret < 0) {
key_ref = ERR_PTR(ret);
goto error_free_prep;
......
......@@ -494,7 +494,6 @@ struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
unsigned long flags,
int (*restrict_link)(struct key *,
const struct key_type *,
unsigned long,
const union key_payload *),
struct key *dest)
{
......@@ -515,30 +514,6 @@ struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
}
EXPORT_SYMBOL(keyring_alloc);
/**
* keyring_restrict_trusted_only - Restrict additions to a keyring to trusted keys only
* @keyring: The keyring being added to.
* @type: The type of key being added.
* @flags: The key flags.
* @payload: The payload of the key intended to be added.
*
* Reject the addition of any links to a keyring that point to keys that aren't
* marked as being trusted. It can be overridden by passing
* KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when adding a key
* to a keyring.
*
* This is meant to be passed as the restrict_link parameter to
* keyring_alloc().
*/
int keyring_restrict_trusted_only(struct key *keyring,
const struct key_type *type,
unsigned long flags,
const union key_payload *payload)
{
return flags & KEY_FLAG_TRUSTED ? 0 : -EPERM;
}
/*
* By default, we keys found by getting an exact match on their descriptions.
*/
......@@ -1227,8 +1202,7 @@ static int __key_link_check_restriction(struct key *keyring, struct key *key)
{
if (!keyring->restrict_link)
return 0;
return keyring->restrict_link(keyring,
key->type, key->flags, &key->payload);
return keyring->restrict_link(keyring, key->type, &key->payload);
}
/**
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment