I see the 'keys-acl' [1] patch is now back in kernel.org's 'linux-next' tree. After some investigation, I have a query on this that I've attempted to explain below.

The keyutils tests work with this patch on standard Fedora policy because the policy gives most domains access to all key permissions. Also the policy is built using 'hide_broken_symptoms' that adds 'allow domain domain:key { link search };', therefore calls made by these always pass:

keys/keyring.c - find_keyring_by_name():
    Originally required: KEY_NEED_SEARCH
    Now requires: KEY_NEED_JOIN

keys/keyctl.c - keyctl_session_to_parent():
    Originally required: KEY_NEED_LINK
    Now requires: KEY_NEED_JOIN

However if (as in the selinux-testsuite - test/keys), 'domain' is replaced by a macro that excludes the { link search }, and allows each permission to be tested, two tests fail. This is because:

1) keyctl_session_to_parent() requires KEY_NEED_JOIN translated to KEY_NEED_LINK permission.
2) find_keyring_by_name() requires KEY_NEED_JOIN translated to KEY_NEED_SEARCH permission.

The patch always translates KEY_NEED_JOIN to KEY_NEED_SEARCH.

Any views on this, as it seems a regression?

[1] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/security/selinux?h=next-20200122&id=a862a799537490b74a81e14a62623af502bdb25d