diff options
author | David Howells <dhowells@redhat.com> | 2010-02-26 20:27:56 +0000 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2010-02-26 20:27:56 +0000 |
commit | 3a8cc353e0cc88a84f5425bfef1be82933f3646d (patch) | |
tree | 7f27338f2a2b865b0eaeccbac928bee8bc25945e | |
parent | c983bb36ffdb0ac6ad8e34f5446971a9be5d8eb1 (diff) | |
download | keyutils-3a8cc353e0cc88a84f5425bfef1be82933f3646d.tar.gz |
Add a keyctl command to get the security label on a key
Signed-off-by: David Howells <dhowells@redhat.com>
-rw-r--r-- | keyctl.1 | 17 | ||||
-rw-r--r-- | keyctl.c | 26 | ||||
-rw-r--r-- | keyctl_security.3 | 136 | ||||
-rw-r--r-- | keyutils.c | 43 | ||||
-rw-r--r-- | keyutils.h | 3 | ||||
-rw-r--r-- | keyutils.spec | 1 |
6 files changed, 225 insertions, 1 deletions
@@ -72,6 +72,8 @@ keyctl - Key management facility control \fBkeyctl\fR negate <key> <timeout> <keyring> .br \fBkeyctl\fR timeout <key> <timeout> +.br +\fBkeyctl\fR security <key> .SH DESCRIPTION This program is used to control the key management facility in various ways using a variety of subcommands. @@ -579,7 +581,20 @@ into the future. .P .RS testbox>keyctl timeout $1 45 -.RW +.RE +.P +(*) \fBRetrieve a key's security context\fR +.P +\fBkeyctl security\fR <key> +.P +This command is used to retrieve a key's LSM security context. The label is +printed on stdout. +.P +.RS +testbox>keyctl security @s +.br +unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 +.RE .SH ERRORS .P There are a number of common errors returned by this program: @@ -55,6 +55,7 @@ static int act_keyctl_instantiate(int argc, char *argv[]); static int act_keyctl_pinstantiate(int argc, char *argv[]); static int act_keyctl_negate(int argc, char *argv[]); static int act_keyctl_timeout(int argc, char *argv[]); +static int act_keyctl_security(int argc, char *argv[]); const struct command commands[] = { { act_keyctl_show, "show", "" }, @@ -88,6 +89,7 @@ const struct command commands[] = { { act_keyctl_pinstantiate, "pinstantiate","<key> <keyring>" }, { act_keyctl_negate, "negate", "<key> <timeout> <keyring>" }, { act_keyctl_timeout, "timeout", "<key> <timeout>" }, + { act_keyctl_security, "security", "<key>" }, { NULL, NULL, NULL } }; @@ -1176,6 +1178,30 @@ static int act_keyctl_timeout(int argc, char *argv[]) /*****************************************************************************/ /* + * get a key's security label + */ +static int act_keyctl_security(int argc, char *argv[]) +{ + key_serial_t key; + char *buffer; + int ret; + + if (argc != 2) + format(); + + key = get_key_id(argv[1]); + + /* get key description */ + ret = keyctl_get_security_alloc(key, &buffer); + if (ret < 0) + error("keyctl_getsecurity"); + + printf("%s\n", buffer); + return 0; +} + +/*****************************************************************************/ +/* * parse a key identifier */ static key_serial_t get_key_id(const char *arg) diff --git a/keyctl_security.3 b/keyctl_security.3 new file mode 100644 index 0000000..2da7ea8 --- /dev/null +++ b/keyctl_security.3 @@ -0,0 +1,136 @@ +.\" +.\" Copyright (C) 2010 Red Hat, Inc. All Rights Reserved. +.\" Written by David Howells (dhowells@redhat.com) +.\" +.\" This program is free software; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License +.\" as published by the Free Software Foundation; either version +.\" 2 of the License, or (at your option) any later version. +.\" +.TH KEYCTL_SECURITY 3 "26 Feb 2010" Linux "Linux Key Management Calls" +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.SH NAME +keyctl_security \- Retrieve a key's security context +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.SH SYNOPSIS +.nf +.B #include <keyutils.h> +.sp +.BI "long keyctl_security(key_serial_t " key ", char *" buffer , +.BI "size_t " buflen ");" +.sp +.BI "long keyctl_security_alloc(key_serial_t " key ", char **" _buffer ");" +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.SH DESCRIPTION +.BR keyctl_security () +retrieves the security context of a key as a NUL-terminated string. This will +be rendered in a form appropriate to the LSM in force - for instance, with +SELinux, it may look like +.IP +.B "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" +.P +The caller must have +.B view +permission on a key to be able to get its security context. +.P +.I buffer +and +.I buflen +specify the buffer into which the string will be placed. If the buffer is too +small, the full size of the string will be returned, and no copy will take +place. +.P +.BR keyctl_security_alloc () +is similar to +.BR keyctl_security () +except that it allocates a buffer big enough to hold the string and copies the +string into it. If successful, A pointer to the buffer is placed in +.IR *_buffer . +The caller must free the buffer. +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.SH RETURN VALUE +On success +.BR keyctl_security () +returns the amount of data placed into the buffer. If the buffer was too +small, then the size of buffer required will be returned, but no data will be +transferred. On error, the value +.B -1 +will be returned and errno will have been set to an appropriate error. +.P +On success +.BR keyctl_security_alloc () +returns the amount of data in the buffer, less the NUL terminator. On error, the value +.B -1 +will be returned and errno will have been set to an appropriate error. +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.SH ERRORS +.TP +.B ENOKEY +The key specified is invalid. +.TP +.B EKEYEXPIRED +The key specified has expired. +.TP +.B EKEYREVOKED +The key specified had been revoked. +.TP +.B EACCES +The key exists, but is not +.B viewable +by the calling process. +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.SH LINKING +This is a library function that can be found in +.IR libkeyutils . +When linking, +.B -lkeyutils +should be specified to the linker. +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.SH SEE ALSO +.BR keyctl (1), +.br +.BR add_key (2), +.br +.BR keyctl (2), +.br +.BR request_key (2), +.br +.BR keyctl_get_keyring_ID (3), +.br +.BR keyctl_join_session_keyring (3), +.br +.BR keyctl_update (3), +.br +.BR keyctl_revoke (3), +.br +.BR keyctl_chown (3), +.br +.BR keyctl_setperm (3), +.br +.BR keyctl_describe (3), +.br +.BR keyctl_clear (3), +.br +.BR keyctl_link (3), +.br +.BR keyctl_unlink (3), +.br +.BR keyctl_search (3), +.br +.BR keyctl_read (3), +.br +.BR keyctl_instantiate (3), +.br +.BR keyctl_negate (3), +.br +.BR keyctl_set_reqkey_keyring (3), +.br +.BR keyctl_set_timeout (3), +.br +.BR keyctl_assume_authority (3), +.br +.BR keyctl_describe_alloc (3), +.br +.BR keyctl_read_alloc (3), +.br +.BR request-key (8) @@ -165,6 +165,11 @@ long keyctl_assume_authority(key_serial_t id) return keyctl(KEYCTL_ASSUME_AUTHORITY, id); } +long keyctl_get_security(key_serial_t id, char *buffer, size_t buflen) +{ + return keyctl(KEYCTL_GET_SECURITY, id, buffer, buflen); +} + /*****************************************************************************/ /* * fetch key description into an allocated buffer @@ -244,6 +249,44 @@ int keyctl_read_alloc(key_serial_t id, void **_buffer) } /* end keyctl_read_alloc() */ +/*****************************************************************************/ +/* + * fetch key security label into an allocated buffer + * - resulting string is NUL terminated + * - returns count not including NUL + */ +int keyctl_get_security_alloc(key_serial_t id, char **_buffer) +{ + char *buf; + long buflen, ret; + + ret = keyctl_get_security(id, NULL, 0); + if (ret < 0) + return -1; + + buflen = ret; + buf = malloc(buflen); + if (!buf) + return -1; + + for (;;) { + ret = keyctl_get_security(id, buf, buflen); + if (ret < 0) + return -1; + + if (buflen >= ret) + break; + + buflen = ret; + buf = realloc(buf, buflen); + if (!buf) + return -1; + } + + *_buffer = buf; + return buflen - 1; +} + #ifdef NO_GLIBC_KEYERR /*****************************************************************************/ /* @@ -89,6 +89,7 @@ typedef uint32_t key_perm_t; #define KEYCTL_SET_REQKEY_KEYRING 14 /* set default request-key keyring */ #define KEYCTL_SET_TIMEOUT 15 /* set timeout on a key */ #define KEYCTL_ASSUME_AUTHORITY 16 /* assume authority to instantiate key */ +#define KEYCTL_GET_SECURITY 17 /* get key security label */ /* * syscall wrappers @@ -132,12 +133,14 @@ extern long keyctl_negate(key_serial_t id, unsigned timeout, key_serial_t ringid extern long keyctl_set_reqkey_keyring(int reqkey_defl); extern long keyctl_set_timeout(key_serial_t key, unsigned timeout); extern long keyctl_assume_authority(key_serial_t key); +extern long keyctl_get_security(key_serial_t key, char *buffer, size_t buflen); /* * utilities */ extern int keyctl_describe_alloc(key_serial_t id, char **_buffer); extern int keyctl_read_alloc(key_serial_t id, void **_buffer); +extern int keyctl_get_security_alloc(key_serial_t id, char **_buffer); #endif /* KEYUTILS_H */ diff --git a/keyutils.spec b/keyutils.spec index 361bf17..152a600 100644 --- a/keyutils.spec +++ b/keyutils.spec @@ -91,6 +91,7 @@ rm -rf $RPM_BUILD_ROOT %changelog * Fri Feb 26 2010 David Howells <dhowells@redhat.com> - Fix compiler warnings in request-key. +- Expose the kernel function to get a key's security context. * Tue Aug 22 2006 David Howells <dhowells@redhat.com> - 1.2-1 - Remove syscall manual pages (section 2) to man-pages package [BZ 203582] |