keys: Replace uid/gid/perm permissions checking with an ACL

[linux-2.6-block.git] / net / dns_resolver / dns_key.c

diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
index 3e1a906690063fab671e9d077cf500a190423157..6b201531b1655a90404630419503a81ae34aaf92 100644 (file)
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -46,6 +46,15 @@ const struct cred *dns_resolver_cache;
 
 #define        DNS_ERRORNO_OPTION      "dnserror"
 
+static struct key_acl dns_keyring_acl = {
+       .usage  = REFCOUNT_INIT(1),
+       .nr_ace = 2,
+       .aces = {
+               KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE),
+               KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_CLEAR),
+       }
+};
+
 /*
  * Preparse instantiation data for a dns_resolver key.
  *
@@ -343,8 +352,7 @@ static int __init init_dns_resolver(void)
 
        keyring = keyring_alloc(".dns_resolver",
                                GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
-                               (KEY_POS_ALL & ~KEY_POS_SETATTR) |
-                               KEY_USR_VIEW | KEY_USR_READ,
+                               &dns_keyring_acl,
                                KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
        if (IS_ERR(keyring)) {
                ret = PTR_ERR(keyring);