On Thu, Feb 20, 2020 at 2:26 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > On 2/20/20 1:10 PM, Richard Haines wrote: > > Add a new 'key_perms' policy capability and support for the additional > > key permissions: inval, revoke, join, clear > > > > Also fixes JOIN -> LINK permission translation when policy > > capability 'keys_perms' = 0; > > > > The current "setattr" perm name remains and is used for KEY_NEED_SETSEC. > > This gives the following permissions for the 'key' class: > > > > create Create a key or keyring. > > view View attributes. > > read Read contents. > > write Update or modify. > > search Search (keyring) or find (key). > > link Link a key into the keyring. > > setattr kernel < current version: Change permissions on a keyring. > > kernel >= current version: Set owner, group, ACL. > > inval Invalidate key. > > revoke Revoke key. > > join Join keyring as session. > > clear Clear a keyring. > > > > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> > > Signed-off-by: David Howells <dhowells@xxxxxxxxxx> > > What is this relative to? Didn't apply for me on any of keys-acl or > keys-next or selinux-next. > > Regardless, we need to revert the original patch and create a new one > that addresses the KEY_NEED_PARENT_JOIN issue I mentioned and that adds > the key_perms capability in the right place in the first place, not > apply a fix on top. Yes, you really need to revert this patch David, I mentioned this some time ago when the linux-next conflict appeared. Also, future patches like this *really* need to go in via the SELinux tree, not the keys tree, as they affect the SELinux kernel ABI and if they aren't merged via the same tree lots of bad things can happen if we aren't careful. -- paul moore www.paul-moore.com
