KEYS: Add an alloc flag to convey the builtinness of a key

Add KEY_ALLOC_BUILT_IN to convey that a key should have KEY_FLAG_BUILTIN
set rather than setting it after the fact.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 2570598b784de05e9030d3e08aca1c199b2a8fc6..f4180326c2e158129ed7527224c3ab33cacb5503 100644 (file)
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -84,12 +84,12 @@ static __init int load_system_certificate_list(void)
                                           ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
                                           KEY_USR_VIEW | KEY_USR_READ),
                                           KEY_ALLOC_NOT_IN_QUOTA |
-                                          KEY_ALLOC_TRUSTED);
+                                          KEY_ALLOC_TRUSTED |
+                                          KEY_ALLOC_BUILT_IN);
                if (IS_ERR(key)) {
                        pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
                               PTR_ERR(key));
                } else {
-                       set_bit(KEY_FLAG_BUILTIN, &key_ref_to_ptr(key)->flags);
                        pr_notice("Loaded X.509 cert '%s'\n",
                                  key_ref_to_ptr(key)->description);
                        key_ref_put(key);

diff --git a/include/linux/key.h b/include/linux/key.h
index 7321ab8ef949c8fb73da592e75c3dacddf723b6f..5f5b1129dc92705edd5c1658571cffb6548453b7 100644 (file)
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -219,6 +219,7 @@ extern struct key *key_alloc(struct key_type *type,
 #define KEY_ALLOC_QUOTA_OVERRUN        0x0001  /* add to quota, permit even if overrun */
 #define KEY_ALLOC_NOT_IN_QUOTA 0x0002  /* not in quota */
 #define KEY_ALLOC_TRUSTED      0x0004  /* Key should be flagged as trusted */
+#define KEY_ALLOC_BUILT_IN     0x0008  /* Key is built into kernel */
 
 extern void key_revoke(struct key *key);
 extern void key_invalidate(struct key *key);

diff --git a/security/keys/key.c b/security/keys/key.c
index 09ef276c4bdcaf8e0c419df61d1cd7b07bf5253c..b28755131687ea89de81ff5813c3fa9eb4acee74 100644 (file)
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -296,6 +296,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
                key->flags |= 1 << KEY_FLAG_IN_QUOTA;
        if (flags & KEY_ALLOC_TRUSTED)
                key->flags |= 1 << KEY_FLAG_TRUSTED;
+       if (flags & KEY_ALLOC_BUILT_IN)
+               key->flags |= 1 << KEY_FLAG_BUILTIN;
 
 #ifdef KEY_DEBUGGING
        key->magic = KEY_DEBUG_MAGIC;