X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=security%2Fkeys%2Fpermission.c;h=e7f579c0eaf541e393df94815eecffc565dcde3d;hb=26205e026cf2b3bb039d6169978ae520973f4141;hp=1c3651670ce9add5b2f008bf07f58d20c3de03bc;hpb=468ed2b0c85ec4310b429e60358213b6d077289e;p=linux-2.6
diff --git a/security/keys/permission.c b/security/keys/permission.c
index 1c3651670c..e7f579c0ea 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -10,6 +10,7 @@
 */

 #include
+#include
 #include "internal.h"

 /*****************************************************************************/
@@ -27,12 +28,6 @@ int key_task_permission(const key_ref_t key_ref,

 key = key_ref_to_ptr(key_ref);

- /* use the top 8-bits of permissions for keys the caller possesses */
- if (is_key_possessed(key_ref)) {
- kperm = key->perm >> 24;
- goto use_these_perms;
- }
-
 /* use the second 8-bits of permissions for keys the caller owns */
 if (key->uid == context->fsuid) {
 kperm = key->perm >> 16;
@@ -61,9 +56,19 @@ int key_task_permission(const key_ref_t key_ref,
 kperm = key->perm;

 use_these_perms:
+ /* use the top 8-bits of permissions for keys the caller possesses
+ * - possessor permissions are additive with other permissions
+ */
+ if (is_key_possessed(key_ref))
+ kperm |= key->perm >> 24;
+
 kperm = kperm & perm & KEY_ALL;

- return kperm == perm;
+ if (kperm != perm)
+ return -EACCES;
+
+ /* let LSM be the final arbiter */
+ return security_key_permission(key_ref, context, perm);

 } /* end key_task_permission() */
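Review bot: Callers that still test the result of key_task_permission() as a truth value will read `-EACCES` as "allowed" and 0 as "denied", because the last hunk replaces `return kperm == perm;` with a 0-on-success / negative-errno return, and no call site is visible in this diff. Every caller and any wrapper around this function needs to be checked against the new convention before this lands. The function's header comment starts outside the hunk and should state the contract, e.g. `/* returns 0 if the caller has all of perm, -EACCES if not, or the error from security_key_permission() */`. It is also worth a line beside `kperm |= key->perm >> 24;` saying that, with additive possessor bits, a possessor can no longer be held to fewer rights than the owner/group/other class it also matches. The LSM hook is reached only after the mask check passes, so it presumably never sees requests the mask already denied.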