@@ -1645,6 +1645,15 @@ The structure has a number of fields, some of which are mandatory:
If successful, 0 will be returned. If the key doesn't support this,
EOPNOTSUPP will be returned.
+ (*) struct key_restriction *(*lookup_restrict)(const char *params);
+
+ This optional method is used to enable userspace configuration of
+ keyring restrictions. The restriction parameter string (not including the
+ key type name) is passed in, and this method returns a pointer to a
+ key_restriction structure containing the relevant functions and data to
+ evaluate each attempted key link operation. If there is no match, -EINVAL
+ is returned.
+
============================
REQUEST-KEY CALLBACK SERVICE
@@ -158,6 +158,14 @@ struct key_type {
int (*asym_verify_signature)(struct kernel_pkey_params *params,
const void *in, const void *in2);
+ /* Look up a keyring access restriction (optional)
+ *
+ * - NULL is a valid return value (meaning the requested restriction
+ * is known but will never block addition of a key)
+ * - should return -EINVAL if the restriction is unknown
+ */
+ struct key_restriction *(*lookup_restrict)(char *params);
+
/* internal fields */
struct list_head link; /* link in types list */
struct lock_class_key lock_class; /* key->sem lock class */
The restrict_link functions used to validate keys as they are linked to a keyring can be associated with specific key types. Each key type may be loaded (or not) at runtime, so lookup of restrict_link functions needs to be part of the key type implementation to ensure that the requested keys can be examined. Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com> --- Documentation/security/keys.txt | 9 +++++++++ include/linux/key-type.h | 8 ++++++++ 2 files changed, 17 insertions(+)