Subject: [PATCH 7/7] keys: Grant Link permission to possessers of request_key auth keys
From: David Howells
To: keyrings@vger.kernel.org
Cc: dhowells@redhat.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Wed, 22 May 2019 23:28:52 +0100

Grant Link permission to the possessers of request_key authentication keys, thereby allowing a daemon that is servicing upcalls to arrange things such that only the necessary auth key is passed to the actual service program and not all the daemon's pending auth keys.

Signed-off-by: David Howells

--- security/keys/request_key_auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c index 572c7a60473a..ec5226557023 100644 --- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c @@ -204,7 +204,7 @@ struct key *request_key_auth_new(struct key *target, const char *op, authkey = key_alloc(&key_type_request_key_auth, desc, cred->fsuid, cred->fsgid, cred, - KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | + KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | KEY_POS_LINK | KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA, NULL); if (IS_ERR(authkey)) { ret = PTR_ERR(authkey);
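Review bot: In the key_alloc() call in request_key_auth_new(), adding KEY_POS_LINK widens the permission mask for every possessor of a request_key auth key, not only for the upcall-servicing daemon the commit message describes, and nothing in the patch records why that is safe. The diffstat shows a single file changed, so the new possessor permission is not documented anywhere. Please add a short comment at the call site stating that Link is granted so a daemon can hand just this one auth key to the service program, and extend the commit message to say what bounds a link made this way, for example which keyrings the daemon is expected to link into and what happens to such a link once the request has been completed. That would let a reader confirm the change narrows what the service program sees, as intended, rather than giving auth keys a way to persist in keyrings beyond the upcall.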