Date: Wed, 5 Oct 2005 13:40:58 -0500
From: serue@us.ibm.com
To: David Howells <dhowells@redhat.com>
Cc: torvalds@osdl.org, akpm@osdl.org, keyrings@linux-nfs.org,
       linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Keys: Add LSM hooks for key management
Message-ID: <20051005184058.GA12008@sergelap.austin.ibm.com>
References: <29942.1128529714@warthog.cambridge.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <29942.1128529714@warthog.cambridge.redhat.com>
User-Agent: Mutt/1.5.8i
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1185
Lines: 38

> +int key_task_permission(const key_ref_t key_ref,
> +			struct task_struct *context,
> +			key_perm_t perm)
> +{
> +	struct key *key;
> +	key_perm_t kperm;
> +	int ret;
> +
> +	/* let the security module have first say
> +	 * - it should return:
> +	 *	+ve to grant access
> +	 *	0   to deny access
> +	 *	-ve to fall back to normal permission checking
> +	 */
> +	ret = security_key_permission(key_ref, context, perm);
> +	if (ret >= 0)
> +		return ret;

Hmm, my only problem here is that this is nonstandard compared to
expected return values from other security_ authorization hooks.
Could this be switched to

	-ve : deny access (and return the error)
	0: grant access
	+ve: fall back to normal permission checking

Actually that's still nonstandard.  On the whole, LSM only
restricts, does not authorize, with capable() being the notable
exception.  Is there good reason to allow LSMs to fully authorize
in this case?

thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/