summaryrefslogtreecommitdiffstats
path: root/Documentation/security
diff options
context:
space:
mode:
authorMat Martineau <mathew.j.martineau@linux.intel.com>2016-08-30 20:33:13 +0200
committerMat Martineau <mathew.j.martineau@linux.intel.com>2017-04-03 19:24:56 +0200
commitaaf66c883813f0078e3dafe7d20d1461321ac14f (patch)
tree5198162cc55309f8653a0a333c2cbdffc64debad /Documentation/security
parentKEYS: Use a typedef for restrict_link function pointers (diff)
downloadlinux-aaf66c883813f0078e3dafe7d20d1461321ac14f.tar.xz
linux-aaf66c883813f0078e3dafe7d20d1461321ac14f.zip
KEYS: Split role of the keyring pointer for keyring restrict functions
The first argument to the restrict_link_func_t functions was a keyring pointer. These functions are called by the key subsystem with this argument set to the destination keyring, but restrict_link_by_signature expects a pointer to the relevant trusted keyring. Restrict functions may need something other than a single struct key pointer to allow or reject key linkage, so the data used to make that decision (such as the trust keyring) is moved to a new, fourth argument. The first argument is now always the destination keyring. Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r--Documentation/security/keys.txt8
1 files changed, 4 insertions, 4 deletions
diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt
index 4502237b12a7..bb575ab80207 100644
--- a/Documentation/security/keys.txt
+++ b/Documentation/security/keys.txt
@@ -1054,10 +1054,10 @@ payload contents" for more information.
can be verified by a key the kernel already has.
When called, the restriction function will be passed the keyring being
- added to, the key flags value and the type and payload of the key being
- added. Note that when a new key is being created, this is called between
- payload preparsing and actual key creation. The function should return 0
- to allow the link or an error to reject it.
+ added to, the key type, the payload of the key being added, and data to be
+ used in the restriction check. Note that when a new key is being created,
+ this is called between payload preparsing and actual key creation. The
+ function should return 0 to allow the link or an error to reject it.
A convenience function, restrict_link_reject, exists to always return
-EPERM to in this case.