• David Howells's avatar
    keys: Provide KEYCTL_GRANT_PERMISSION · 7a1ade84
    David Howells authored
    Provide a keyctl() operation to grant/remove permissions.  The grant
    operation, wrapped by libkeyutils, looks like:
    
    	int ret = keyctl_grant_permission(key_serial_t key,
    					  enum key_ace_subject_type type,
    					  unsigned int subject,
    					  unsigned int perm);
    
    Where key is the key to be modified, type and subject represent the subject
    to which permission is to be granted (or removed) and perm is the set of
    permissions to be granted.  0 is returned on success.  SET_SECURITY
    permission is required for this.
    
    The subject type currently must be KEY_ACE_SUBJ_STANDARD for the moment
    (other subject types will come along later).
    
    For subject type KEY_ACE_SUBJ_STANDARD, the following subject values are
    available:
    
    	KEY_ACE_POSSESSOR	The possessor of the key
    	KEY_ACE_OWNER		The owner of the key
    	KEY_ACE_GROUP		The key's group
    	KEY_ACE_EVERYONE	Everyone
    
    perm lists the permissions to be granted:
    
    	KEY_ACE_VIEW		Can view the key metadata
    	KEY_ACE_READ		Can read the key content
    	KEY_ACE_WRITE		Can update/modify the key content
    	KEY_ACE_SEARCH		Can find the key by searching/requesting
    	KEY_ACE_LINK		Can make a link to the key
    	KEY_ACE_SET_SECURITY	Can set security
    	KEY_ACE_INVAL		Can invalidate
    	KEY_ACE_REVOKE		Can revoke
    	KEY_ACE_JOIN		Can join this keyring
    	KEY_ACE_CLEAR		Can clear this keyring
    
    If an ACE already exists for the subject, then the permissions mask will be
    overwritten; if perm is 0, it will be deleted.
    
    Currently, the internal ACL is limited to a maximum of 16 entries.
    
    For example:
    
    	int ret = keyctl_grant_permission(key,
    					  KEY_ACE_SUBJ_STANDARD,
    					  KEY_ACE_OWNER,
    					  KEY_ACE_VIEW | KEY_ACE_READ);
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    7a1ade84
keyctl.c 46.9 KB