[PATCH RFC 01/12] KEYS: Add KEY_ALLOC_BYPASS_RESTRICTION option to key_move

Eric Snowberg eric.snowberg at oracle.com
Wed Jul 7 02:43:52 UTC 2021


Callers of key_create_or_update can pass KEY_ALLOC_BYPASS_RESTRICTION to
suppress the restrictions check. Add the same support to key_move to
bypass restrictions on the destination keyring.

Signed-off-by: Eric Snowberg <eric.snowberg at oracle.com>
---
 security/keys/keyring.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 5e6a90760753..56ea2b78d2e5 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -1585,7 +1585,7 @@ EXPORT_SYMBOL(key_unlink);
  *
  * It is assumed that the caller has checked that it is permitted for a link to
  * be made (the keyring should have Write permission and the key Link
- * permission).
+ * permission). It can be overridden by passing KEY_ALLOC_BYPASS_RESTRICTION.
  */
 int key_move(struct key *key,
 	     struct key *from_keyring,
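Review bot: The sentence added to the comment above key_move() reads as if the caller's permission assumption (Write on the keyring, Link on the key) is what gets overridden, because "It" has no clear antecedent. What the flag actually skips in this patch is the destination keyring's restriction check. Suggest wording along the lines of "Passing KEY_ALLOC_BYPASS_RESTRICTION skips the restriction check on the destination keyring", so that nobody reads the flag as waiving the permission checks the caller is still expected to have done.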
@@ -1618,9 +1618,11 @@ int key_move(struct key *key,
 	if (to_edit->dead_leaf && (flags & KEYCTL_MOVE_EXCL))
 		goto error;
 
-	ret = __key_link_check_restriction(to_keyring, key);
-	if (ret < 0)
-		goto error;
+	if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION)) {
+		ret = __key_link_check_restriction(to_keyring, key);
+		if (ret < 0)
+			goto error;
+	}
 	ret = __key_link_check_live_key(to_keyring, key);
 	if (ret < 0)
 		goto error;
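Review bot: The new test "if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION))" reads a KEY_ALLOC_* bit out of the same flags argument that is tested against KEYCTL_MOVE_EXCL a few lines earlier, so two flag namespaces now share one word. Please confirm that the two values cannot overlap and that every path handing caller-supplied flags to key_move() rejects or masks this bit, since otherwise the restriction on to_keyring could be skipped by a caller that was never meant to have that ability. A dedicated move-specific internal flag, or a separate in-kernel entry point for the bypass case, would make the intent explicit. The commit message would also benefit from saying which caller needs the bypass and why.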
-- 
2.18.4


