Merge branch 'keyctl-restrict' of...
Merge branch 'keyctl-restrict' of git://git.kernel.org/pub/scm/linux/kernel/git/martineau/linux into keys-next To quote Mat Martineau: """ Keyrings recently acquired the ability to validate keys before they are linked using kernel internal APIs. This patch set enables configuration of restricted keyrings from userspace. These patches apply to linux-fs/keys-misc and are also available here: https://git.kernel.org/cgit/linux/kernel/git/martineau/linux.git/log/?h=keyctl-restrict v13: Detect and avoid cycles in restriction references, and change restrictions to store a single key pointer rather than arbitrary data. v12: Rework the KEYCTL_RESTRICT_KEYRING command to take an additional parameter, renamed some functions based on feedback, and dropped an unnecessary locking change (patch 1 in previous set). v11: Configure restrictions using KEYCTL_RESTRICT_KEYRING instead of using a keyring payload at creation time. Make the garbage collector aware of restrictions. v10: Fixups from maintainer feedback. Added some missing documentation. v9: Rebased on linux-fs/keys-misc (v4.9-rc5) v8: Add option to look for signing keys within the destination keyring. Fix a consistency issue with keyring locking and restriction checks. v7: Rework key restriction payload syntax. Move key-type-specific payload parsing to the key-type. Attach more restriction information to keyrings (restriction function, data, and data free) so future restrictions are not limited to storing a key ID to use for key validation. Validate key before using it to verify another key. Modify key type locking model to allow key type lookup during keyring creation. v6: Return error if only restrict_key is supplied, address misc. review comments. v5: Fixed signature bypass problem in patch 3/6 v4: Added userspace restriction options based on builtin keyrings. restrict_link_by_signature implementation is no longer modified. Split up v3's patch 2/5 to isolate the change to key.h. v3: Updated commit message for patch 2/5 (restrict_link_by_signature_indirect) v2: Payload is now preparsed """ Signed-off-by: David Howells <dhowells@redhat.com>
Showing
Please register or sign in to comment