keys: Replace uid/gid/perm permissions checking with an ACL

[linux-2.6-block.git] / net / dns_resolver / dns_query.c

diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
index cab4e0df924f5c5f3ae9d67b22903ae8411b53ba..236baf2bfa4c6fc4e11a017ccca866666116d6fb 100644 (file)
--- a/net/dns_resolver/dns_query.c
+++ b/net/dns_resolver/dns_query.c
@@ -47,6 +47,16 @@
 
 #include "internal.h"
 
+static struct key_acl dns_key_acl = {
+       .usage  = REFCOUNT_INIT(1),
+       .nr_ace = 2,
+       .possessor_viewable = true,
+       .aces = {
+               KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_SEARCH | KEY_ACE_READ),
+               KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_INVAL),
+       }
+};
+
 /**
  * dns_query - Query the DNS
  * @net: The network namespace to operate in.
@@ -125,7 +135,8 @@ int dns_query(struct net *net,
         * add_key() to preinstall malicious redirections
         */
        saved_cred = override_creds(dns_resolver_cache);
-       rkey = request_key_net(&key_type_dns_resolver, desc, net, options);
+       rkey = request_key_net(&key_type_dns_resolver, desc, net, options,
+                              &dns_key_acl);
        revert_creds(saved_cred);
        kfree(desc);
        if (IS_ERR(rkey)) {
@@ -135,8 +146,6 @@ int dns_query(struct net *net,
 
        down_read(&rkey->sem);
        set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
-       rkey->perm |= KEY_USR_VIEW;
-
        ret = key_validate(rkey);
        if (ret < 0)
                goto put;