David Howells <dhowells@xxxxxxxxxx> wrote:

> David Howells <dhowells@xxxxxxxxxx> wrote:
>
> > I've attached the patch I've come up with so far.
>
> Oops. One error - I forgot to connect up the new function.
>
> # LD_PRELOAD=/tmp/libkeyutils-1.2.so /tmp/keyctl add user a a @s
> 762693819
> # LD_PRELOAD=/tmp/libkeyutils-1.2.so /tmp/keyctl security 762693819
> root:system_r:unconfined_t:s0-s0:c0.c1023
>
> That what you want?
>
> New patch attached.
>
> David
> ---
> KEYS: Add keyctl function to get a security label
>
> From: David Howells <dhowells@xxxxxxxxxx>
>
> Add a keyctl() function to get the security label of a key.
>
> The following is added to Documentation/keys.txt:
>
>  (*) Get the LSM security context attached to a key.
>
>      long keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer,
>                  size_t buflen)
>
>      This function returns a string that represents the LSM security context
>      attached to a key in the buffer provided.
>
>      Unless there's an error, it always returns the amount of data it could
>      produce, even if that's too big for the buffer, but it won't copy more
>      than requested to userspace. If the buffer pointer is NULL then no copy
>      will take place.
>
>      A NUL character is included at the end of the string if the buffer is
>      sufficiently big. This is included in the returned count. If no LSM is
>      in force then an empty string will be returned.
>
>      A process must have view permission on the key for this function to be
>      successful.
>
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
> ---
>
>  Documentation/keys.txt   |   21 +++++++++++++++
>  include/linux/keyctl.h   |    1 +
>  include/linux/security.h |   20 +++++++++++++-
>  security/dummy.c         |    8 ++++++
>  security/keys/compat.c   |    3 ++
>  security/keys/keyctl.c   |   66 ++++++++++++++++++++++++++++++++++++++++++++++
>  security/security.c      |    5 +++
>  security/selinux/hooks.c |   21 +++++++++++++--
>  8 files changed, 141 insertions(+), 4 deletions(-)

If you're changing the LSM interface you should cross post this to the LSM list.

Casey Schaufler
casey@xxxxxxxxxxxxxxxx

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
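The return-value and truncation rules in the quoted Documentation/keys.txt text, as an added C example that is not part of the patch or of this thread: get_security_model() is a constructed user-space stand-in for the documented KEYCTL_GET_SECURITY behaviour (not the kernel implementation), and fetch_label() is the size-then-copy caller pattern those rules imply, including the case where the buffer is too small.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the documented semantics (hypothetical helper, not
 * kernel code): return the full length including the trailing NUL, copy at
 * most buflen bytes into buffer, copy nothing when buffer is NULL. A label
 * of "" models "no LSM in force". Errors would be negative, as with keyctl(). */
long get_security_model(const char *label, char *buffer, size_t buflen)
{
    size_t len = strlen(label) + 1;          /* NUL is part of the count */
    if (buffer != NULL && buflen > 0) {
        size_t n = len < buflen ? len : buflen;
        memcpy(buffer, label, n);            /* a short buffer gets no NUL */
    }
    return (long)len;
}

/* Caller pattern implied by the description: ask for the size with a NULL
 * buffer, allocate exactly that, fetch, and treat a result that no longer
 * fits as a failure instead of trusting a possibly unterminated buffer.
 * Returns a malloc'd NUL-terminated string, or NULL on error. */
char *fetch_label(const char *label)
{
    long need = get_security_model(label, NULL, 0);
    if (need <= 0)
        return NULL;
    char *buf = malloc((size_t)need);
    if (buf == NULL)
        return NULL;
    long got = get_security_model(label, buf, (size_t)need);
    if (got <= 0 || got > need) {            /* label grew between calls */
        free(buf);
        return NULL;
    }
    buf[need - 1] = '\0';                    /* defensive: always terminate */
    return buf;
}
```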