Message-ID: <1459903039.3166.8.camel@linux.vnet.ibm.com>
Subject: Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #3]
From: Mimi Zohar
To: David Howells
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Tue, 05 Apr 2016 20:37:19 -0400
In-Reply-To: <20160309111932.28811.28906.stgit@warthog.procyon.org.uk>
References: <20160309111814.28811.95697.stgit@warthog.procyon.org.uk> <20160309111932.28811.28906.stgit@warthog.procyon.org.uk>

On Wed, 2016-03-09 at 11:19 +0000, David Howells wrote:
> +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING > +/** > + * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring > + * addition by both builtin and secondary keyrings > + * > + * Restrict the addition of keys into a keyring based on the key-to-be-added > + * being vouched for by a key in either the built-in or the secondary system > + * keyrings.
> + */ > +int restrict_link_by_builtin_and_secondary_trusted( > + struct key *keyring, > + const struct key_type *type, > + const union key_payload *payload) > +{ > + /* If we have a secondary trusted keyring, then that contains a link > + * through to the builtin keyring and the search will follow that link. > + */ > + if (type == &key_type_keyring && > + keyring == secondary_trusted_keys && > + payload == &builtin_trusted_keys->payload) > + /* Allow the builtin keyring to be added to the secondary */ > + return 0; > + > + return restrict_link_by_signature(builtin_trusted_keys, type, payload);

Shouldn't this be secondary_trusted_keys?

Mimi

> +} > +#endif
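
Review bot: the final return hands builtin_trusted_keys to restrict_link_by_signature(), which does not match the two comments in the same function. The kernel-doc says the new key may be vouched for by a key in either the built-in or the secondary keyring, and the inline comment says the search follows the link from the secondary keyring through to the builtin one; that link-following argument only holds if the keyring passed to the signature check is secondary_trusted_keys. Either pass secondary_trusted_keys in that call or correct both comments to say that only the built-in keyring vouches. The kernel-doc block also has no @keyring, @type or @payload descriptions and no statement of the return value; since a 0 return is what permits the link here, that is worth documenting.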