keys: Invalidate used request_key authentication keys

Invalidate used request_key authentication keys rather than revoking them
so that they get cleaned up immediately rather than potentially hanging
around.  There doesn't seem any need to keep the revoked keys around.

Signed-off-by: David Howells <dhowells@redhat.com>

diff --git a/security/keys/key.c b/security/keys/key.c
index bba71acec88666f438eaf28394eeb456d27d6c79..e792d65c0af80b554b57774a955e9a64b10d48f3 100644 (file)
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -459,7 +459,7 @@ static int __key_instantiate_and_link(struct key *key,
 
                        /* disable the authorisation key */
                        if (authkey)
-                               key_revoke(authkey);
+                               key_invalidate(authkey);
 
                        if (prep->expiry != TIME64_MAX) {
                                key->expiry = prep->expiry;
@@ -616,7 +616,7 @@ int key_reject_and_link(struct key *key,
 
                /* disable the authorisation key */
                if (authkey)
-                       key_revoke(authkey);
+                       key_invalidate(authkey);
        }
 
        mutex_unlock(&key_construction_mutex);

diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index a6543ed98b1f647462bc3dc06744701afaf81c93..244e538d113f983f2b0349616efb4aa239277bfe 100644 (file)
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -222,7 +222,7 @@ static int construct_key(struct key *key, const void *callout_info,
        /* check that the actor called complete_request_key() prior to
         * returning an error */
        WARN_ON(ret < 0 &&
-               !test_bit(KEY_FLAG_REVOKED, &authkey->flags));
+               !test_bit(KEY_FLAG_INVALIDATED, &authkey->flags));
 
        key_put(authkey);
        kleave(" = %d", ret);