authorDavid Howells <dhowells@redhat.com>2019-08-15 15:18:44 +0100
committerDavid Howells <dhowells@redhat.com>2020-01-31 16:15:44 +0000
commit088dca0eebbfaa055d3d1ee3ba3262ef8c2088fb (patch)
treef468bafc18b3bd5956f5e0da3eba5283bfd3b3df
parent4bcc3b3bb97e7925a1e08553bbdfee9cfea2d5b5 (diff)
Handle kernel having key/keyring ACLs
Handle the kernel using ACLs to store the list of permits for a key or keyring: (1) Make the "keyctl supports" command show it (2) Change the behaviour of the keyctl/permitting/valid tests to take account of the fact that 'Other' permits are replaced with 'Everyone' permits and so are added to the other permits rather than being used as a fallback instead of the other permits. Signed-off-by: David Howells <dhowells@redhat.com>
-rw-r--r--keyctl.c1
-rw-r--r--keyutils.h1
-rw-r--r--man/keyctl.123
-rw-r--r--man/keyctl_capabilities.310
-rw-r--r--man/keyctl_describe.36
-rw-r--r--man/keyctl_setperm.319
-rw-r--r--tests/keyctl/dh_compute/bad-args/runtest.sh7
-rw-r--r--tests/keyctl/permitting/valid/runtest.sh24
-rw-r--r--tests/prepare.inc.sh1
9 files changed, 62 insertions, 30 deletions
diff --git a/keyctl.c b/keyctl.c
index b1e100e..f5fa3eb 100644
--- a/keyctl.c
+++ b/keyctl.c
@@ -2291,6 +2291,7 @@ static const struct capability_def capabilities[] = {
{ "ns_keyring_name", 1, KEYCTL_CAPS1_NS_KEYRING_NAME },
{ "ns_key_tag", 1, KEYCTL_CAPS1_NS_KEY_TAG },
{ "notify", 1, KEYCTL_CAPS1_NOTIFICATIONS },
+ { "acl", 1, KEYCTL_CAPS1_ACL },
{}
};
diff --git a/keyutils.h b/keyutils.h
index 8570045..5d46fff 100644
--- a/keyutils.h
+++ b/keyutils.h
@@ -166,6 +166,7 @@ struct keyctl_pkey_params {
#define KEYCTL_CAPS1_NS_KEYRING_NAME 0x01 /* Keyring names are per-user_namespace */
#define KEYCTL_CAPS1_NS_KEY_TAG 0x02 /* Key indexing can include a namespace tag */
#define KEYCTL_CAPS1_NOTIFICATIONS 0x04 /* Keys generate watchable notifications */
+#define KEYCTL_CAPS1_ACL 0x08 /* Keys have ACLs rather than a p-u-g-o bitmask */
/*
* syscall wrappers
diff --git a/man/keyctl.1 b/man/keyctl.1
index 2343762..634a141 100644
--- a/man/keyctl.1
+++ b/man/keyctl.1
@@ -265,6 +265,12 @@ keyrings are created.
Keys can get tagged with namespace tags, allowing keys with the same type and
description, but different namespaces to coexist in the same keyring. Tagging
is done automatically according to the key type.
+.TP
+.B acl
+Keys have ACLs rather than a permissions-bit mask. This means that the permits
+granted are cumulative rather than alternative and that the 'Other' permits are
+replaced with 'Everyone' permits. The permissions-bit mask shown when the
+permissions are described are an approximation calculated on the fly.
.SS Show actual key or keyring ID
\fBkeyctl id [<key>]\fR
@@ -564,9 +570,10 @@ keyring;4043;\-1;3f1f0000;_uid_ses.4043
.RE
The raw string is "<type>;<uid>;<gid>;<perms>;<description>", where \fIuid\fR
-and \fIgid\fR are the decimal user and group IDs, \fIperms\fR is the
-permissions mask in hex, \fItype\fR and \fIdescription\fR are the type name and
-description strings (neither of which will contain semicolons).
+and \fIgid\fR are the decimal user and group IDs, \fIperms\fR is the ACL
+approximated as a permissions mask in hex, \fItype\fR and \fIdescription\fR are
+the type name and description strings (neither of which will contain
+semicolons).
.SS Change the access controls on a key
\fBkeyctl chown\fR <key> <uid>
.br
@@ -591,9 +598,9 @@ $ sudo keyctl chgrp 27 0
.SS Set the permissions mask on a key
\fBkeyctl setperm\fR <key> <mask>
-This command changes the permission control mask on a key. The mask may be
-specified as a hex number if it begins "0x", an octal number if it begins "0"
-or a decimal number otherwise.
+This command calculates a new ACL for a key according to a permissions mask and
+then replaces the old ACL. The mask may be specified as a hex number if it
+begins "0x", an octal number if it begins "0" or a decimal number otherwise.
The hex numbers are a combination of:
@@ -624,8 +631,8 @@ linked is searched.
\fILink\fR permits a key to be linked to a keyring.
-\fISet Attribute\fR permits a key to have its owner, group membership,
-permissions mask and timeout changed.
+\fISet\ Attribute\fR permits a key to have its owner, group membership, ACL and
+timeout changed.
.RS
.nf
diff --git a/man/keyctl_capabilities.3 b/man/keyctl_capabilities.3
index 63cee3c..43bb5c7 100644
--- a/man/keyctl_capabilities.3
+++ b/man/keyctl_capabilities.3
@@ -87,6 +87,16 @@ This is set if a key or keyring may get tagged with a namespace, thereby
allowing multiple keys with the same type and description, but different
namespace tags, to coexist within the same keyring. Tagging may be automatic
depending on the key type. Only network-namespace tagging is currently used.
+.TP
+.B KEYCTL_CAPS1_ACL
+This is set if keys have an ACL rather than a permissions-bit mask. This means
+that the permits granted are cumulative rather than alternative and that
+the 'Other' permits are replaced with 'Everyone' permits. The permissions-bit
+mask returned by
+.BR keyctl_describe ()
+is an approximation calculated on the fly.
+.BR keyctl_setperm ()
+replaces the ACL with one calculated from the supplied mask.
.P
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH RETURN VALUE
diff --git a/man/keyctl_describe.3 b/man/keyctl_describe.3
index b4f100e..29365dc 100644
--- a/man/keyctl_describe.3
+++ b/man/keyctl_describe.3
@@ -26,7 +26,7 @@ keyctl_describe \- describe a key
describes the attributes of a key as a NUL-terminated string.
.P
The caller must have
-.B view
+.B VIEW
permission on a key to be able to get a description of it.
.P
.I buffer
@@ -49,8 +49,8 @@ The description will be a string of format:
.IP
.B "\*(lq%s;%d;%d;%08x;%s\*(rq"
.P
-where the arguments are: key type name, key UID, key GID, key permissions mask
-and key description.
+where the arguments are: key type name, key UID, key GID, old-style key
+permissions mask approximated from the ACL and key description.
.P
.B NOTE!
The key description will not contain any semicolons, so that should be
diff --git a/man/keyctl_setperm.3 b/man/keyctl_setperm.3
index 0a4426d..e4134d9 100644
--- a/man/keyctl_setperm.3
+++ b/man/keyctl_setperm.3
@@ -20,7 +20,7 @@ keyctl_setperm \- change the permissions mask on a key
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH DESCRIPTION
.BR keyctl_setperm ()
-changes the permissions mask on a key.
+overwrites the ACL on a key.
.P
A process that does not have the
.B SysAdmin
@@ -28,10 +28,11 @@ capability may not change the permissions mask on a key that doesn't have the
same UID as the caller.
.P
The caller must have
-.B setattr
-permission on a key to be able change its permissions mask.
+.B SETATTR
+permission on a key to be able change its ACL.
.P
-The permissions mask is a bitwise-OR of the following flags:
+The permissions mask is a bitwise-OR of the following flags, and from these a
+new ACL will be calculated:
.TP
.B KEY_xxx_VIEW
Grant permission to view the attributes of a key.
@@ -71,18 +72,12 @@ Grant the permission to a process with the same GID as the key, or with a
match for the key's GID amongst that process's Groups list.
.TP
.B OTH
-Grant the permission to any other process.
+Grant the permission to everyone.
.P
Examples include:
.BR KEY_POS_VIEW ", " KEY_USR_READ ", " KEY_GRP_SEARCH " and " KEY_OTH_ALL .
.P
-User, group and other grants are exclusive: if a process qualifies in
-the 'user' category, it will not qualify in the 'groups' category; and if a
-process qualifies in either 'user' or 'groups' then it will not qualify in
-the 'other' category.
-.P
-Possessor grants are cumulative with the grants from the 'user', 'groups'
-and 'other' categories.
+All grants are cumulative.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH RETURN VALUE
On success
diff --git a/tests/keyctl/dh_compute/bad-args/runtest.sh b/tests/keyctl/dh_compute/bad-args/runtest.sh
index 5c4c160..54facfd 100644
--- a/tests/keyctl/dh_compute/bad-args/runtest.sh
+++ b/tests/keyctl/dh_compute/bad-args/runtest.sh
@@ -65,7 +65,12 @@ create_key --new=logonid -x logon dh:logon "00" @s
marker "CHECK WRONG KEY TYPE"
dh_compute --fail $privateid $primeid $logonid
-expect_error ENOKEY
+if [ $have_acl == 1 ]
+then
+ expect_error EOPNOTSUPP
+else
+ expect_error ENOKEY
+fi
dh_compute --fail $privateid $primeid @s
expect_error EOPNOTSUPP
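Review bot: The new `if [ $have_acl == 1 ]` branch under "CHECK WRONG KEY TYPE" expects EOPNOTSUPP where the other branch expects ENOKEY, and nothing in the hunk says why the errno for a logon key differs when the kernel uses ACLs. A comment above the `if` would record that, for example `# with ACLs the kernel reports a wrong-type key as EOPNOTSUPP rather than ENOKEY`, once the actual reason is confirmed against the kernel. Without it, a later reader cannot tell an intended errno change from a regression being papered over. Quoting the variable, `[ "$have_acl" = 1 ]`, would also keep the test well-formed if it were ever empty.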
diff --git a/tests/keyctl/permitting/valid/runtest.sh b/tests/keyctl/permitting/valid/runtest.sh
index d901164..83d282c 100644
--- a/tests/keyctl/permitting/valid/runtest.sh
+++ b/tests/keyctl/permitting/valid/runtest.sh
@@ -70,12 +70,24 @@ set_key_perm $keyid 0x00201f00
describe_key --fail $keyid
expect_error EACCES
-# check that we can't use other perms instead of user perms to view the key
-# (our UID matches that of the key)
-marker "VIEW OTHER PERMISSIONS"
-set_key_perm $keyid 0x0020001f
-describe_key --fail $keyid
-expect_error EACCES
+if [ $have_acl == 1 ]
+then
+ # check that we can use "everyone" perms to view the key (our UID matches
+ # that of the key)
+ marker "VIEW EVERYONE PERMISSIONS"
+ set_key_perm $keyid 0x0020001e
+ describe_key --fail $keyid
+ expect_error EACCES
+ set_key_perm $keyid 0x0020001f
+ describe_key $keyid
+else
+ # check that we can't use other perms instead of user perms to
+ # view the key (our UID matches that of the key)
+ marker "VIEW OTHER PERMISSIONS"
+ set_key_perm $keyid 0x0020001f
+ describe_key --fail $keyid
+ expect_error EACCES
+fi
# check that taking away setattr permission renders the key immune to setperm
marker "REMOVE SETATTR"
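Review bot: In the ACL branch the single marker "VIEW EVERYONE PERMISSIONS" covers two checks with opposite outcomes, but the comment describes only the positive one. I would add `# 0x1e is 0x1f with the view bit cleared: no view permit anywhere, so describe must fail` before the first `set_key_perm`, and `# view granted to everyone is enough, even though our UID matches the key's` before the second. The mask 0x0020001f is refused for the owner in the `else` branch and accepted here, so a mask written for the old exclusive semantics grants more on an ACL kernel; the comment should say so explicitly. The "REMOVE SETATTR" section that follows continues outside the hunk.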
diff --git a/tests/prepare.inc.sh b/tests/prepare.inc.sh
index 0b66237..9aa2187 100644
--- a/tests/prepare.inc.sh
+++ b/tests/prepare.inc.sh
@@ -97,6 +97,7 @@ have_big_key_type=0
have_dh_compute=0
have_restrict_keyring=0
have_notify=0
+have_acl=0
if keyctl supports capabilities >&/dev/null
then