Commit 973c9f4f authored by David Howells's avatar David Howells Committed by Linus Torvalds

KEYS: Fix up comments in key management code

Fix up comments in the key management code.  No functional changes.
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent a8b17ed0
/* compat.c: 32-bit compatibility syscall for 64-bit systems /* 32-bit compatibility syscall for 64-bit systems
* *
* Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com) * Written by David Howells (dhowells@redhat.com)
...@@ -15,11 +15,12 @@ ...@@ -15,11 +15,12 @@
#include "internal.h" #include "internal.h"
/* /*
* the key control system call, 32-bit compatibility version for 64-bit archs * The key control system call, 32-bit compatibility version for 64-bit archs
* - this should only be called if the 64-bit arch uses weird pointers in *
* 32-bit mode or doesn't guarantee that the top 32-bits of the argument * This should only be called if the 64-bit arch uses weird pointers in 32-bit
* registers on taking a 32-bit syscall are zero * mode or doesn't guarantee that the top 32-bits of the argument registers on
* - if you can, you should call sys_keyctl directly * taking a 32-bit syscall are zero. If you can, you should call sys_keyctl()
* directly.
*/ */
asmlinkage long compat_sys_keyctl(u32 option, asmlinkage long compat_sys_keyctl(u32 option,
u32 arg2, u32 arg3, u32 arg4, u32 arg5) u32 arg2, u32 arg3, u32 arg4, u32 arg5)
......
...@@ -32,8 +32,8 @@ static time_t key_gc_next_run = LONG_MAX; ...@@ -32,8 +32,8 @@ static time_t key_gc_next_run = LONG_MAX;
static time_t key_gc_new_timer; static time_t key_gc_new_timer;
/* /*
* Schedule a garbage collection run * Schedule a garbage collection run.
* - precision isn't particularly important * - time precision isn't particularly important
*/ */
void key_schedule_gc(time_t gc_at) void key_schedule_gc(time_t gc_at)
{ {
...@@ -61,8 +61,9 @@ static void key_gc_timer_func(unsigned long data) ...@@ -61,8 +61,9 @@ static void key_gc_timer_func(unsigned long data)
} }
/* /*
* Garbage collect pointers from a keyring * Garbage collect pointers from a keyring.
* - return true if we altered the keyring *
* Return true if we altered the keyring.
*/ */
static bool key_gc_keyring(struct key *keyring, time_t limit) static bool key_gc_keyring(struct key *keyring, time_t limit)
__releases(key_serial_lock) __releases(key_serial_lock)
...@@ -107,9 +108,8 @@ static bool key_gc_keyring(struct key *keyring, time_t limit) ...@@ -107,9 +108,8 @@ static bool key_gc_keyring(struct key *keyring, time_t limit)
} }
/* /*
* Garbage collector for keys * Garbage collector for keys. This involves scanning the keyrings for dead,
* - this involves scanning the keyrings for dead, expired and revoked keys * expired and revoked keys that have overstayed their welcome
* that have overstayed their welcome
*/ */
static void key_garbage_collector(struct work_struct *work) static void key_garbage_collector(struct work_struct *work)
{ {
......
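Review bot: The new key_gc_keyring() comment omits the locking contract that the `__releases(key_serial_lock)` annotation on the declaration states: the function is entered with key_serial_lock held and drops it before returning. Suggest adding a line after the return description, `* Called with key_serial_lock held; the lock is released before returning.`. The function body lies outside the hunk, so the exact point at which the lock is dropped cannot be confirmed from here.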
/* internal.h: authentication token and access key management internal defs /* Authentication token and access key management internal defs
* *
* Copyright (C) 2003-5, 2007 Red Hat, Inc. All Rights Reserved. * Copyright (C) 2003-5, 2007 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com) * Written by David Howells (dhowells@redhat.com)
...@@ -35,10 +35,12 @@ extern struct key_type key_type_user; ...@@ -35,10 +35,12 @@ extern struct key_type key_type_user;
/*****************************************************************************/ /*****************************************************************************/
/* /*
* keep track of keys for a user * Keep track of keys for a user.
* - this needs to be separate to user_struct to avoid a refcount-loop *
* (user_struct pins some keyrings which pin this struct) * This needs to be separate to user_struct to avoid a refcount-loop
* - this also keeps track of keys under request from userspace for this UID * (user_struct pins some keyrings which pin this struct).
*
* We also keep track of keys under request from userspace for this UID here.
*/ */
struct key_user { struct key_user {
struct rb_node node; struct rb_node node;
...@@ -62,7 +64,7 @@ extern struct key_user *key_user_lookup(uid_t uid, ...@@ -62,7 +64,7 @@ extern struct key_user *key_user_lookup(uid_t uid,
extern void key_user_put(struct key_user *user); extern void key_user_put(struct key_user *user);
/* /*
* key quota limits * Key quota limits.
* - root has its own separate limits to everyone else * - root has its own separate limits to everyone else
*/ */
extern unsigned key_quota_root_maxkeys; extern unsigned key_quota_root_maxkeys;
...@@ -146,13 +148,13 @@ extern unsigned key_gc_delay; ...@@ -146,13 +148,13 @@ extern unsigned key_gc_delay;
extern void keyring_gc(struct key *keyring, time_t limit); extern void keyring_gc(struct key *keyring, time_t limit);
extern void key_schedule_gc(time_t expiry_at); extern void key_schedule_gc(time_t expiry_at);
/*
* check to see whether permission is granted to use a key in the desired way
*/
extern int key_task_permission(const key_ref_t key_ref, extern int key_task_permission(const key_ref_t key_ref,
const struct cred *cred, const struct cred *cred,
key_perm_t perm); key_perm_t perm);
/*
* Check to see whether permission is granted to use a key in the desired way.
*/
static inline int key_permission(const key_ref_t key_ref, key_perm_t perm) static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
{ {
return key_task_permission(key_ref, current_cred(), perm); return key_task_permission(key_ref, current_cred(), perm);
...@@ -168,7 +170,7 @@ static inline int key_permission(const key_ref_t key_ref, key_perm_t perm) ...@@ -168,7 +170,7 @@ static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
#define KEY_ALL 0x3f /* all the above permissions */ #define KEY_ALL 0x3f /* all the above permissions */
/* /*
* request_key authorisation * Authorisation record for request_key().
*/ */
struct request_key_auth { struct request_key_auth {
struct key *target_key; struct key *target_key;
...@@ -188,7 +190,7 @@ extern struct key *request_key_auth_new(struct key *target, ...@@ -188,7 +190,7 @@ extern struct key *request_key_auth_new(struct key *target,
extern struct key *key_get_instantiation_authkey(key_serial_t target_id); extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
/* /*
* keyctl functions * keyctl() functions
*/ */
extern long keyctl_get_keyring_ID(key_serial_t, int); extern long keyctl_get_keyring_ID(key_serial_t, int);
extern long keyctl_join_session_keyring(const char __user *); extern long keyctl_join_session_keyring(const char __user *);
...@@ -214,7 +216,7 @@ extern long keyctl_get_security(key_serial_t keyid, char __user *buffer, ...@@ -214,7 +216,7 @@ extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,
extern long keyctl_session_to_parent(void); extern long keyctl_session_to_parent(void);
/* /*
* debugging key validation * Debugging key validation
*/ */
#ifdef KEY_DEBUGGING #ifdef KEY_DEBUGGING
extern void __key_check(const struct key *); extern void __key_check(const struct key *);
......
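Review bot: The comment moved onto key_permission() does not say how it differs from key_task_permission(), which is the one thing a reader of the header needs: the inline wrapper checks against the caller's own credentials via current_cred(), while key_task_permission() takes an explicit cred. Suggest `* Check whether the current task's credentials grant @perm on @key_ref; a wrapper around key_task_permission() using current_cred().`. The extern declaration of key_task_permission() is now left without any comment in the header; a one-line pointer to the kerneldoc in permission.c would help. The remaining `- root has its own separate limits to everyone else` bullet on the key quota comment is the only bulleted line left in this file after the rewrite and could be folded into prose like the others.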
/* permission.c: key permission determination /* Key permission checking
* *
* Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com) * Written by David Howells (dhowells@redhat.com)
...@@ -15,15 +15,17 @@ ...@@ -15,15 +15,17 @@
/** /**
* key_task_permission - Check a key can be used * key_task_permission - Check a key can be used
* @key_ref: The key to check * @key_ref: The key to check.
* @cred: The credentials to use * @cred: The credentials to use.
* @perm: The permissions to check for * @perm: The permissions to check for.
* *
* Check to see whether permission is granted to use a key in the desired way, * Check to see whether permission is granted to use a key in the desired way,
* but permit the security modules to override. * but permit the security modules to override.
* *
* The caller must hold either a ref on cred or must hold the RCU readlock or a * The caller must hold either a ref on cred or must hold the RCU readlock.
* spinlock. *
* Returns 0 if successful, -EACCES if access is denied based on the
* permissions bits or the LSM check.
*/ */
int key_task_permission(const key_ref_t key_ref, const struct cred *cred, int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
key_perm_t perm) key_perm_t perm)
...@@ -79,11 +81,15 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred, ...@@ -79,11 +81,15 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
/* let LSM be the final arbiter */ /* let LSM be the final arbiter */
return security_key_permission(key_ref, cred, perm); return security_key_permission(key_ref, cred, perm);
} }
EXPORT_SYMBOL(key_task_permission); EXPORT_SYMBOL(key_task_permission);
/* /**
* validate a key * key_validate - Validate a key.
* @key: The key to be validated.
*
* Check that a key is valid, returning 0 if the key is okay, -EKEYREVOKED if
* the key's type has been removed or if the key has been revoked or
* -EKEYEXPIRED if the key has expired.
*/ */
int key_validate(struct key *key) int key_validate(struct key *key)
{ {
...@@ -109,5 +115,4 @@ int key_validate(struct key *key) ...@@ -109,5 +115,4 @@ int key_validate(struct key *key)
error: error:
return ret; return ret;
} }
EXPORT_SYMBOL(key_validate); EXPORT_SYMBOL(key_validate);
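Review bot: The added return description for key_task_permission() promises `-EACCES` for an LSM denial, but the function returns `security_key_permission()`'s value unchanged (the `return security_key_permission(key_ref, cred, perm);` line in the second hunk), so an LSM can surface other error codes. Suggest wording it as `* Returns 0 if successful, -EACCES if access is denied based on the permissions bits, or whatever error the LSM check returns.`. Callers that special-case -EACCES would otherwise mis-handle an LSM-originated error; the middle of the function, where the permission bits are checked, is outside the hunk.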
/* proc.c: proc files for key database enumeration /* procfs files for key database enumeration
* *
* Copyright (C) 2004 Red Hat, Inc. All Rights Reserved. * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com) * Written by David Howells (dhowells@redhat.com)
...@@ -61,7 +61,7 @@ static const struct file_operations proc_key_users_fops = { ...@@ -61,7 +61,7 @@ static const struct file_operations proc_key_users_fops = {
}; };
/* /*
* declare the /proc files * Declare the /proc files.
*/ */
static int __init key_proc_init(void) static int __init key_proc_init(void)
{ {
...@@ -83,7 +83,8 @@ static int __init key_proc_init(void) ...@@ -83,7 +83,8 @@ static int __init key_proc_init(void)
__initcall(key_proc_init); __initcall(key_proc_init);
/* /*
* implement "/proc/keys" to provides a list of the keys on the system * Implement "/proc/keys" to provide a list of the keys on the system that
* grant View permission to the caller.
*/ */
#ifdef CONFIG_KEYS_DEBUG_PROC_KEYS #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
...@@ -291,7 +292,8 @@ static struct rb_node *key_user_first(struct rb_root *r) ...@@ -291,7 +292,8 @@ static struct rb_node *key_user_first(struct rb_root *r)
} }
/* /*
* implement "/proc/key-users" to provides a list of the key users * Implement "/proc/key-users" to provides a list of the key users and their
* quotas.
*/ */
static int proc_key_users_open(struct inode *inode, struct file *file) static int proc_key_users_open(struct inode *inode, struct file *file)
{ {
......
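Review bot: The rewritten /proc/key-users comment keeps the grammatical slip that the /proc/keys comment in the previous hunk fixes: `to provides a list` should read `to provide a list`. Suggest `* Implement "/proc/key-users" to provide a list of the key users and their` for the first line of that comment. The /proc/keys comment now states that only keys granting View permission to the caller are listed; that filter would live in the seq_file show callback outside this hunk, so it cannot be confirmed here.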
/* Management of a process's keyrings /* Manage a process's keyrings
* *
* Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com) * Written by David Howells (dhowells@redhat.com)
...@@ -21,13 +21,13 @@ ...@@ -21,13 +21,13 @@
#include <asm/uaccess.h> #include <asm/uaccess.h>
#include "internal.h" #include "internal.h"
/* session keyring create vs join semaphore */ /* Session keyring create vs join semaphore */
static DEFINE_MUTEX(key_session_mutex); static DEFINE_MUTEX(key_session_mutex);
/* user keyring creation semaphore */ /* User keyring creation semaphore */
static DEFINE_MUTEX(key_user_keyring_mutex); static DEFINE_MUTEX(key_user_keyring_mutex);
/* the root user's tracking struct */ /* The root user's tracking struct */
struct key_user root_key_user = { struct key_user root_key_user = {
.usage = ATOMIC_INIT(3), .usage = ATOMIC_INIT(3),
.cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock), .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock),
...@@ -39,7 +39,7 @@ struct key_user root_key_user = { ...@@ -39,7 +39,7 @@ struct key_user root_key_user = {
}; };
/* /*
* install user and user session keyrings for a particular UID * Install the user and user session keyrings for the current process's UID.
*/ */
int install_user_keyrings(void) int install_user_keyrings(void)
{ {
...@@ -121,7 +121,8 @@ int install_user_keyrings(void) ...@@ -121,7 +121,8 @@ int install_user_keyrings(void)
} }
/* /*
* install a fresh thread keyring directly to new credentials * Install a fresh thread keyring directly to new credentials. This keyring is
* allowed to overrun the quota.
*/ */
int install_thread_keyring_to_cred(struct cred *new) int install_thread_keyring_to_cred(struct cred *new)
{ {
...@@ -137,7 +138,7 @@ int install_thread_keyring_to_cred(struct cred *new) ...@@ -137,7 +138,7 @@ int install_thread_keyring_to_cred(struct cred *new)
} }
/* /*
* install a fresh thread keyring, discarding the old one * Install a fresh thread keyring, discarding the old one.
*/ */
static int install_thread_keyring(void) static int install_thread_keyring(void)
{ {
...@@ -160,9 +161,10 @@ static int install_thread_keyring(void) ...@@ -160,9 +161,10 @@ static int install_thread_keyring(void)
} }
/* /*
* install a process keyring directly to a credentials struct * Install a process keyring directly to a credentials struct.
* - returns -EEXIST if there was already a process keyring, 0 if one installed, *
* and other -ve on any other error * Returns -EEXIST if there was already a process keyring, 0 if one installed,
* and other value on any other error
*/ */
int install_process_keyring_to_cred(struct cred *new) int install_process_keyring_to_cred(struct cred *new)
{ {
...@@ -191,8 +193,11 @@ int install_process_keyring_to_cred(struct cred *new) ...@@ -191,8 +193,11 @@ int install_process_keyring_to_cred(struct cred *new)
} }
/* /*
* make sure a process keyring is installed * Make sure a process keyring is installed for the current process. The
* - we * existing process keyring is not replaced.
*
* Returns 0 if there is a process keyring by the end of this function, some
* error otherwise.
*/ */
static int install_process_keyring(void) static int install_process_keyring(void)
{ {
...@@ -213,7 +218,7 @@ static int install_process_keyring(void) ...@@ -213,7 +218,7 @@ static int install_process_keyring(void)
} }
/* /*
* install a session keyring directly to a credentials struct * Install a session keyring directly to a credentials struct.
*/ */
int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
{ {
...@@ -253,8 +258,8 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) ...@@ -253,8 +258,8 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
} }
/* /*
* install a session keyring, discarding the old one * Install a session keyring, discarding the old one. If a keyring is not
* - if a keyring is not supplied, an empty one is invented * supplied, an empty one is invented.
*/ */
static int install_session_keyring(struct key *keyring) static int install_session_keyring(struct key *keyring)
{ {
...@@ -275,7 +280,7 @@ static int install_session_keyring(struct key *keyring) ...@@ -275,7 +280,7 @@ static int install_session_keyring(struct key *keyring)
} }
/* /*
* the filesystem user ID changed * Handle the fsuid changing.
*/ */
void key_fsuid_changed(struct task_struct *tsk) void key_fsuid_changed(struct task_struct *tsk)
{ {
...@@ -289,7 +294,7 @@ void key_fsuid_changed(struct task_struct *tsk) ...@@ -289,7 +294,7 @@ void key_fsuid_changed(struct task_struct *tsk)
} }
/* /*
* the filesystem group ID changed * Handle the fsgid changing.
*/ */
void key_fsgid_changed(struct task_struct *tsk) void key_fsgid_changed(struct task_struct *tsk)
{ {
...@@ -303,11 +308,25 @@ void key_fsgid_changed(struct task_struct *tsk) ...@@ -303,11 +308,25 @@ void key_fsgid_changed(struct task_struct *tsk)
} }
/* /*
* search only my process keyrings for the first matching key * Search the process keyrings attached to the supplied cred for the first
* - we use the supplied match function to see if the description (or other * matching key.
* feature of interest) matches *
* - we return -EAGAIN if we didn't find any matching key * The search criteria are the type and the match function. The description is
* - we return -ENOKEY if we found only negative matching keys * given to the match function as a parameter, but doesn't otherwise influence
* the search. Typically the match function will compare the description
* parameter to the key's description.
*
* This can only search keyrings that grant Search permission to the supplied
* credentials. Keyrings linked to searched keyrings will also be searched if
* they grant Search permission too. Keys can only be found if they grant
* Search permission to the credentials.
*
* Returns a pointer to the key with the key usage count incremented if
* successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only
* matched negative keys.
*
* In the case of a successful return, the possession attribute is set on the
* returned key reference.
*/ */
key_ref_t search_my_process_keyrings(struct key_type *type, key_ref_t search_my_process_keyrings(struct key_type *type,
const void *description, const void *description,
...@@ -423,11 +442,12 @@ key_ref_t search_my_process_keyrings(struct key_type *type, ...@@ -423,11 +442,12 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
} }
/* /*
* search the process keyrings for the first matching key * Search the process keyrings attached to the supplied cred for the first
* - we use the supplied match function to see if the description (or other * matching key in the manner of search_my_process_keyrings(), but also search
* feature of interest) matches * the keys attached to the assumed authorisation key using its credentials if
* - we return -EAGAIN if we didn't find any matching key * one is available.
* - we return -ENOKEY if we found only negative matching keys *
* Return same as search_my_process_keyrings().
*/ */
key_ref_t search_process_keyrings(struct key_type *type, key_ref_t search_process_keyrings(struct key_type *type,
const void *description, const void *description,
...@@ -485,7 +505,7 @@ key_ref_t search_process_keyrings(struct key_type *type, ...@@ -485,7 +505,7 @@ key_ref_t search_process_keyrings(struct key_type *type,
} }
/* /*
* see if the key we're looking at is the target key * See if the key we're looking at is the target key.
*/ */
int lookup_user_key_possessed(const struct key *key, const void *target) int lookup_user_key_possessed(const struct key *key, const void *target)
{ {
...@@ -493,9 +513,22 @@ int lookup_user_key_possessed(const struct key *key, const void *target) ...@@ -493,9 +513,22 @@ int lookup_user_key_possessed(const struct key *key, const void *target)
} }
/* /*
* lookup a key given a key ID from userspace with a given permissions mask * Look up a key ID given us by userspace with a given permissions mask to get
* - don't create special keyrings unless so requested * the key it refers to.
* - partially constructed keys aren't found unless requested *
* Flags can be passed to request that special keyrings be created if referred
* to directly, to permit partially constructed keys to be found and to skip
* validity and permission checks on the found key.
*
* Returns a pointer to the key with an incremented usage count if successful;
* -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond
* to a key or the best found key was a negative key; -EKEYREVOKED or
* -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the
* found key doesn't grant the requested permit or the LSM denied access to it;
* or -ENOMEM if a special keyring couldn't be created.
*
* In the case of a successful return, the possession attribute is set on the
* returned key reference.
*/ */
key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
key_perm_t perm) key_perm_t perm)
...@@ -703,10 +736,15 @@ key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, ...@@ -703,10 +736,15 @@ key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
} }
/* /*
* join the named keyring as the session keyring if possible, or attempt to * Join the named keyring as the session keyring if possible else attempt to
* create a new one of that name if not * create a new one of that name and join that.
* - if the name is NULL, an empty anonymous keyring is installed instead *
* - named session keyring joining is done with a semaphore held * If the name is NULL, an empty anonymous keyring will be installed as the
* session keyring.
*
* Named session keyrings are joined with a semaphore held to prevent the
* keyrings from going away whilst the attempt is made to going them and also
* to prevent a race in creating compatible session keyrings.
*/ */
long join_session_keyring(const char *name) long join_session_keyring(const char *name)
{ {
...@@ -778,8 +816,8 @@ long join_session_keyring(const char *name) ...@@ -778,8 +816,8 @@ long join_session_keyring(const char *name)
} }
/* /*
* Replace a process's session keyring when that process resumes userspace on * Replace a process's session keyring on behalf of one of its children when
* behalf of one of its children * the target process is about to resume userspace execution.
*/ */
void key_replace_session_keyring(void) void key_replace_session_keyring(void)
{ {
......
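Review bot: The rewritten install_process_keyring_to_cred() comment drops a fact the old bullet carried: `other -ve on any other error` said the remaining returns are negative errno values, whereas `and other value on any other error` no longer says so. Suggest `* Returns -EEXIST if there was already a process keyring, 0 if one installed,` followed by `* and a negative error code on any other error.`. Two further wording slips in the same section: join_session_keyring()'s comment has `whilst the attempt is made to going them`, which should read `to join them`, and lookup_user_key()'s has `doesn't grant the requested permit`, which should read `permission`. The function bodies these comments describe are all outside the hunks.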
/* request_key_auth.c: request key authorisation controlling key def /* Request key authorisation token key definition.
* *
* Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com) * Written by David Howells (dhowells@redhat.com)
...@@ -26,7 +26,7 @@ static void request_key_auth_destroy(struct key *); ...@@ -26,7 +26,7 @@ static void request_key_auth_destroy(struct key *);
static long request_key_auth_read(const struct key *, char __user *, size_t); static long request_key_auth_read(const struct key *, char __user *, size_t);
/* /*
* the request-key authorisation key type definition * The request-key authorisation key type definition.
*/ */
struct key_type key_type_request_key_auth = { struct key_type key_type_request_key_auth = {
.name = ".request_key_auth", .name = ".request_key_auth",
...@@ -39,7 +39,7 @@ struct key_type key_type_request_key_auth = { ...@@ -39,7 +39,7 @@ struct key_type key_type_request_key_auth = {
}; };
/* /*
* instantiate a request-key authorisation key * Instantiate a request-key authorisation key.
*/ */
static int request_key_auth_instantiate(struct key *key, static int request_key_auth_instantiate(struct key *key,
const void *data, const void *data,
...@@ -50,7 +50,7 @@ static int request_key_auth_instantiate(struct key *key, ...@@ -50,7 +50,7 @@ static int request_key_auth_instantiate(struct key *key,
} }
/* /*
* reading a request-key authorisation key retrieves the callout information * Describe an authorisation token.
*/ */
static void request_key_auth_describe(const struct key *key, static void request_key_auth_describe(const struct key *key,
struct seq_file *m) struct seq_file *m)
...@@ -63,7 +63,7 @@ static void request_key_auth_describe(const struct key *key, ...@@ -63,7 +63,7 @@ static void request_key_auth_describe(const struct key *key,
} }
/* /*
* read the callout_info data * Read the callout_info data (retrieves the callout information).
* - the key's semaphore is read-locked * - the key's semaphore is read-locked
*/ */
static long request_key_auth_read(const struct key *key, static long request_key_auth_read(const struct key *key,
...@@ -89,8 +89,9 @@ static long request_key_auth_read(const struct key *key, ...@@ -89,8 +89,9 @@ static long request_key_auth_read(const struct key *key,
} }
/* /*
* handle revocation of an authorisation token key * Handle revocation of an authorisation token key.
* - called with the key sem write-locked *
* Called with the key sem write-locked.
*/ */
static void request_key_auth_revoke(struct key *key) static void request_key_auth_revoke(struct key *key)
{ {
...@@ -105,7 +106,7 @@ static void request_key_auth_revoke(struct key *key) ...@@ -105,7 +106,7 @@ static void request_key_auth_revoke(struct key *key)
} }
/* /*
* destroy an instantiation authorisation token key * Destroy an instantiation authorisation token key.
*/ */
static void request_key_auth_destroy(struct key *key) static void request_key_auth_destroy(struct key *key)
{ {
...@@ -125,8 +126,8 @@ static void request_key_auth_destroy(struct key *key) ...@@ -125,8 +126,8 @@ static void request_key_auth_destroy(struct key *key)
} }
/* /*
* create an authorisation token for /sbin/request-key or whoever to gain * Create an authorisation token for /sbin/request-key or whoever to gain
* access to the caller's security data * access to the caller's security data.
*/ */
struct key *request_key_auth_new(struct key *target, const void *callout_info, struct key *request_key_auth_new(struct key *target, const void *callout_info,
size_t callout_len, struct key *dest_keyring) size_t callout_len, struct key *dest_keyring)
...@@ -220,7 +221,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info, ...@@ -220,7 +221,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
} }
/* /*
* see if an authorisation key is associated with a particular key * See if an authorisation key is associated with a particular key.
*/ */
static int key_get_instantiation_authkey_match(const struct key *key, static int key_get_instantiation_authkey_match(const struct key *key,
const void *_id) const void *_id)
...@@ -232,11 +233,8 @@ static int key_get_instantiation_authkey_match(const struct key *key, ...@@ -232,11 +233,8 @@ static int key_get_instantiation_authkey_match(const struct key *key,
} }
/* /*
* get the authorisation key for instantiation of a specific key if attached to * Search the current process's keyrings for the authorisation key for
* the current process's keyrings * instantiation of a key.
* - this key is inserted into a keyring and that is set as /sbin/request-key's
* session keyring
* - a target_id of zero specifies any valid token
*/ */
struct key *key_get_instantiation_authkey(key_serial_t target_id) struct key *key_get_instantiation_authkey(key_serial_t target_id)
{ {
......
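Review bot: The rewritten key_get_instantiation_authkey() comment drops two facts the old one gave without replacing them: what a target_id of zero means (the old comment said it matched any valid token) and that the authorisation key is placed in a keyring used as /sbin/request-key's session keyring. If the zero-matches-any behaviour still holds in the body below the hunk, it should stay documented, e.g. `* A target_id of zero matches any valid token.`; if it was dropped on purpose, the commit message should say so. The request_key_auth_read() comment keeps the `- the key's semaphore is read-locked` bullet while request_key_auth_revoke() just below was converted to the prose form `Called with the key sem write-locked.`; the two should match. The function body is outside the hunk.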