From: Krzysztof Struczynski
Subject: [RFC PATCH 24/30] keys: Include key domain tag in the iterative search
Date: Tue, 18 Aug 2020 17:42:24 +0200
Message-ID: <20200818154230.14016-15-krzysztof.struczynski@huawei.com>
In-Reply-To: <20200818154230.14016-1-krzysztof.struczynski@huawei.com>
References: <20200818154230.14016-1-krzysztof.struczynski@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Krzysztof Struczynski

Add domain tag to the key_match_data. If set, check domain tag in the
default match function and asymmetric keys match functions.

This will allow using the key domain tag in the search criteria for
the iterative search, not only for the direct lookup that is based on
the index key.

Signed-off-by: Krzysztof Struczynski
---
 crypto/asymmetric_keys/asymmetric_type.c | 20 ++++++++++++++++----
 include/linux/key-type.h                 |  1 +
 security/keys/keyring.c                  | 10 +++++++++-
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index 33e77d846caa..177429bc5c7b 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c +++ b/crypto/asymmetric_keys/asymmetric_type.c 
@@ -249,9 +249,15 @@ static bool asymmetric_key_cmp(const struct key *key, { const struct asymmetric_key_ids *kids = asymmetric_key_ids(key); const struct asymmetric_key_id *match_id = match_data->preparsed; + bool match; - return asymmetric_match_key_ids(kids, match_id, - asymmetric_key_id_same); + match = asymmetric_match_key_ids(kids, match_id, + asymmetric_key_id_same); + + if (match_data->domain_tag) + match &= key->index_key.domain_tag == match_data->domain_tag; + + return match; } /* @@ -262,9 +268,15 @@ static bool asymmetric_key_cmp_partial(const struct key *key, { const struct asymmetric_key_ids *kids = asymmetric_key_ids(key); const struct asymmetric_key_id *match_id = match_data->preparsed; + bool match; + + match = asymmetric_match_key_ids(kids, match_id, + asymmetric_key_id_partial); + + if (match_data->domain_tag) + match &= key->index_key.domain_tag == match_data->domain_tag; - return asymmetric_match_key_ids(kids, match_id, - asymmetric_key_id_partial); + return match; } /* diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 2ab2d6d6aeab..c8ea26ab242c 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -55,6 +55,7 @@ struct key_match_data { unsigned lookup_type; /* Type of lookup for this search. */ #define KEYRING_SEARCH_LOOKUP_DIRECT 0x0000 /* Direct lookup by description. */ #define KEYRING_SEARCH_LOOKUP_ITERATE 0x0001 /* Iterative search. */ + struct key_tag *domain_tag; /* Key domain tag */ }; /* diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 12583241ff63..7e45e534035f 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c 
@@ -565,7 +565,13 @@ int restrict_link_reject(struct key *keyring, bool key_default_cmp(const struct key *key, const struct key_match_data *match_data) { - return strcmp(key->description, match_data->raw_data) == 0; + bool match; + + match = strcmp(key->description, match_data->raw_data) == 0; + if (match_data->domain_tag) + match &= key->index_key.domain_tag == match_data->domain_tag; + + return match; } /* @@ -957,6 +963,8 @@ key_ref_t keyring_search_tag(key_ref_t keyring, if (recurse) ctx.flags |= KEYRING_SEARCH_RECURSE; + if (domain_tag) + ctx.match_data.domain_tag = domain_tag; if (type->match_preparse) { ret = type->match_preparse(&ctx.match_data); if (ret < 0) -- 2.20.1
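
Review bot: in asymmetric_key_cmp() and asymmetric_key_cmp_partial() the domain tag is compared only after asymmetric_match_key_ids() has already run, and the result is folded in with a bitwise `match &=` on a bool. Testing the tag first and returning false on mismatch would skip the ID comparison for keys in other domains and read more clearly, for example `if (match_data->domain_tag && key->index_key.domain_tag != match_data->domain_tag) return false;` placed ahead of the original return statement, which could then stay unchanged.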
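
Review bot: the comment on the new `domain_tag` member of struct key_match_data in include/linux/key-type.h says only "Key domain tag" and does not state that NULL means "match keys in any domain", which is the rule all three comparison functions in this patch rely on. The comment should spell that out, and should also note that the field is honoured only by comparison functions that test it: this patch updates key_default_cmp() and the two asymmetric ones, so a key type that supplies a different comparison function would ignore the tag during an iterative search and return keys from other domains.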
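
Review bot: key_default_cmp() in security/keys/keyring.c now carries a third copy of the same two-line tag test that the asymmetric comparison functions gained. A small static inline helper declared next to struct key_match_data (a hypothetical name would be key_match_domain_tag(key, match_data)) would keep the NULL-means-any rule in one place and give other key types' comparison functions something to call instead of open-coding the pointer comparison.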
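
Review bot: in the keyring_search_tag() hunk the `if (domain_tag)` guard around `ctx.match_data.domain_tag = domain_tag;` is correct only if ctx.match_data is zero-initialised earlier in the function, which is not visible in this hunk. Assigning unconditionally gives the same result when domain_tag is NULL and removes that dependency, so the comparison functions can never see a stale or indeterminate tag pointer.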