From: Paul Moore <paul@paul-moore.com>
To: linux-security-module@vger.kernel.org
Subject: [PATCH 14/22] lsm: move the key hook comments to security/security.c
Date: Thu, 16 Feb 2023 22:26:17 -0500 [thread overview]
Message-ID: <20230217032625.678457-15-paul@paul-moore.com> (raw)
In-Reply-To: <20230217032625.678457-1-paul@paul-moore.com>
This patch relocates the LSM hook function comments to the function
definitions, in keeping with the current kernel conventions. This
should make the hook descriptions more easily discoverable and easier
to maintain.
While formatting changes have been done to better fit the kernel-doc
style, content changes have been kept to a minimum and limited to
text which was obviously incorrect and/or outdated. It is expected
the future patches will improve the quality of the function header
comments.
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
include/linux/lsm_hooks.h | 32 -------------------------------
security/security.c | 40 +++++++++++++++++++++++++++++++++++++++
2 files changed, 40 insertions(+), 32 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 9c5254e4e9d1..2cfa56e3abc3 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -32,38 +32,6 @@
/**
* union security_list_options - Linux Security Module hook function list
*
- * Security hooks affecting all Key Management operations
- *
- * @key_alloc:
- * Permit allocation of a key and assign security data. Note that key does
- * not have a serial number assigned at this point.
- * @key points to the key.
- * @flags is the allocation flags.
- * Return 0 if permission is granted, -ve error otherwise.
- * @key_free:
- * Notification of destruction; free security data.
- * @key points to the key.
- * No return value.
- * @key_permission:
- * See whether a specific operational right is granted to a process on a
- * key.
- * @key_ref refers to the key (key pointer + possession attribute bit).
- * @cred points to the credentials to provide the context against which to
- * evaluate the security data on the key.
- * @perm describes the combination of permissions required of this key.
- * Return 0 if permission is granted, -ve error otherwise.
- * @key_getsecurity:
- * Get a textual representation of the security context attached to a key
- * for the purposes of honouring KEYCTL_GETSECURITY. This function
- * allocates the storage for the NUL-terminated string and the caller
- * should free it.
- * @key points to the key to be queried.
- * @_buffer points to a pointer that should be set to point to the
- * resulting string (if no label or an error occurs).
- * Return the length of the string (including terminating NUL) or -ve if
- * an error.
- * May also return 0 (and a NULL buffer pointer) if there is no label.
- *
* Security hooks affecting all System V IPC operations.
*
* @ipc_permission:
diff --git a/security/security.c b/security/security.c
index f06b95a9705c..cc2294e094ec 100644
--- a/security/security.c
+++ b/security/security.c
@@ -4467,23 +4467,63 @@ EXPORT_SYMBOL(security_skb_classify_flow);
#ifdef CONFIG_KEYS
+/**
+ * security_key_alloc() - Allocate and initialize a kernel key LSM blob
+ * @key: key
+ * @cred: credentials
+ * @flags: allocation flags
+ *
+ * Permit allocation of a key and assign security data. Note that key does not
+ * have a serial number assigned at this point.
+ *
+ * Return: Return 0 if permission is granted, -ve error otherwise.
+ */
int security_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
return call_int_hook(key_alloc, 0, key, cred, flags);
}
+/**
+ * security_key_free() - Free a kernel key LSM blob
+ * @key: key
+ *
+ * Notification of destruction; free security data.
+ */
void security_key_free(struct key *key)
{
call_void_hook(key_free, key);
}
+/**
+ * security_key_permission() - Check if a kernel key operation is allowed
+ * @key_ref: key reference
+ * @cred: credentials of actor requesting access
+ * @need_perm: requested permissions
+ *
+ * See whether a specific operational right is granted to a process on a key.
+ *
+ * Return: Return 0 if permission is granted, -ve error otherwise.
+ */
int security_key_permission(key_ref_t key_ref, const struct cred *cred,
enum key_need_perm need_perm)
{
return call_int_hook(key_permission, 0, key_ref, cred, need_perm);
}
+/**
+ * security_key_getsecurity() - Get the key's security label
+ * @key: key
+ * @buffer: security label buffer
+ *
+ * Get a textual representation of the security context attached to a key for
+ * the purposes of honouring KEYCTL_GETSECURITY. This function allocates the
+ * storage for the NUL-terminated string and the caller should free it.
+ *
+ * Return: Returns the length of @buffer (including terminating NUL) or -ve if
+ * an error occurs. May also return 0 (and a NULL buffer pointer) if
+ * there is no security label assigned to the key.
+ */
int security_key_getsecurity(struct key *key, char **_buffer)
{
*_buffer = NULL;
--
2.39.2
next prev parent reply other threads:[~2023-02-17 3:27 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-17 3:26 [PATCH 00/22] Move LSM hook comments into security/security.c Paul Moore
2023-02-17 3:26 ` [PATCH 01/22] lsm: move the program execution hook comments to security/security.c Paul Moore
2023-02-17 3:26 ` [PATCH 02/22] lsm: move the fs_context " Paul Moore
2023-02-17 3:26 ` [PATCH 03/22] lsm: move the filesystem " Paul Moore
2023-02-17 3:26 ` [PATCH 04/22] lsm: move the inode " Paul Moore
2023-02-17 3:26 ` [PATCH 05/22] lsm: move the kernfs " Paul Moore
2023-02-17 3:26 ` [PATCH 06/22] lsm: move the file " Paul Moore
2023-02-17 3:26 ` [PATCH 07/22] lsm: move the task " Paul Moore
2023-02-17 3:26 ` [PATCH 08/22] lsm: move the netlink " Paul Moore
2023-02-17 3:26 ` [PATCH 09/22] lsm: move the AF_UNIX " Paul Moore
2023-02-17 3:26 ` [PATCH 10/22] lsm: move the socket " Paul Moore
2023-02-17 3:26 ` [PATCH 11/22] lsm: move the SCTP " Paul Moore
2023-02-17 3:26 ` [PATCH 12/22] lsm: move the Infiniband " Paul Moore
2023-02-17 3:26 ` [PATCH 13/22] lsm: move the xfrm " Paul Moore
2023-02-17 3:26 ` Paul Moore [this message]
2023-02-17 3:26 ` [PATCH 15/22] lsm: move the sysv " Paul Moore
2023-02-17 3:26 ` [PATCH 16/22] lsm: move the binder " Paul Moore
2023-02-17 3:26 ` [PATCH 17/22] lsm: move the audit " Paul Moore
2023-02-17 3:26 ` [PATCH 18/22] lsm: move the bpf " Paul Moore
2023-02-17 3:26 ` [PATCH 19/22] lsm: move the perf " Paul Moore
2023-02-17 3:26 ` [PATCH 20/22] lsm: move the io_uring " Paul Moore
2023-02-17 3:26 ` [PATCH 21/22] lsm: move the remaining LSM " Paul Moore
2023-02-17 3:26 ` [PATCH 22/22] lsm: styling fixes " Paul Moore
2023-02-17 14:07 ` [PATCH 00/22] Move LSM hook comments into security/security.c Paul Moore
2023-02-17 17:22 ` Casey Schaufler
2023-02-17 19:04 ` Paul Moore
2023-03-06 18:49 ` Paul Moore
2023-03-07 8:08 ` Roberto Sassu
2023-03-07 16:33 ` Paul Moore
2023-03-07 16:38 ` Roberto Sassu
2023-03-08 17:09 ` Paul Moore
2023-03-08 17:14 ` Roberto Sassu
2023-03-08 17:20 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230217032625.678457-15-paul@paul-moore.com \
--to=paul@paul-moore.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).