[RFC PATCH 22/27] KEYS: Replace uid/gid/perm permissions checking with an ACL

[David Howells]

Stephen Smalley <sds at tycho.nsa.gov> wrote:

> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -6560,6 +6560,7 @@ static int selinux_key_permission(key_ref_t key_ref,
> >   {
> >   	struct key *key;
> >   	struct key_security_struct *ksec;
> > +	unsigned oldstyle_perm;
> >   	u32 sid;
> >     	/* if no specific permissions are requested, we skip the
> > @@ -6568,13 +6569,26 @@ static int selinux_key_permission(key_ref_t key_ref,
> >   	if (perm == 0)
> >   		return 0;
> >   +	oldstyle_perm = perm & (KEY_NEED_VIEW | KEY_NEED_READ | KEY_NEED_WRITE
> > |
> > +				KEY_NEED_SEARCH | KEY_NEED_LINK);
> > +	if (perm & KEY_NEED_SETSEC)
> > +		oldstyle_perm |= OLD_KEY_NEED_SETATTR;
> > +	if (perm & KEY_NEED_INVAL)
> > +		oldstyle_perm |= KEY_NEED_SEARCH;
> > +	if (perm & KEY_NEED_REVOKE && !(perm & OLD_KEY_NEED_SETATTR))
> > +		oldstyle_perm |= KEY_NEED_WRITE;
> > +	if (perm & KEY_NEED_JOIN)
> > +		oldstyle_perm |= KEY_NEED_SEARCH;
> > +	if (perm & KEY_NEED_CLEAR)
> > +		oldstyle_perm |= KEY_NEED_WRITE;
> > +
> >   	sid = cred_sid(cred);
> >     	key = key_ref_to_ptr(key_ref);
> >   	ksec = key->security;
> >     	return avc_has_perm(&selinux_state,
> > -			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
> > +			    sid, ksec->sid, SECCLASS_KEY, oldstyle_perm, NULL);
> 
> This might be ok temporarily for compatibility but we'll want to ultimately
> define the new permissions in SELinux and switch over to using them if a new
> policy capability bit is set to indicate that the policy supports them.  We
> should probably decouple the SELinux permission bits from the KEY_NEED_*
> values and explicitly map them all at the same time.

Sounds reasonable.  I should probably detach the first two ACL patches from
the set and push them separately.

David