Merge pull request #46 from mathstuf/support-key-restrictions

Support key restrictions

Author: mathstuf

keyutils-raw/src/functions.rs

@@ -378,3 +378,38 @@ pub fn keyctl_dh_compute(
     }
     .map(size)
 }
+
+pub enum Restriction<'a> {
+    AllLinks,
+    ByType {
+        type_: &'a str,
+        restriction: &'a str,
+    },
+}
+
+pub fn keyctl_restrict_keyring(keyring: KeyringSerial, restriction: Restriction) -> Result<()> {
+    let type_cstr;
+    let restriction_cstr;
+
+    let (type_ptr, restriction_ptr) = match restriction {
+        Restriction::AllLinks => (ptr::null(), ptr::null()),
+        Restriction::ByType {
+            type_,
+            restriction,
+        } => {
+            type_cstr = cstring(type_);
+            restriction_cstr = cstring(restriction);
+
+            (type_cstr.as_ptr(), restriction_cstr.as_ptr())
+        },
+    };
+    unsafe {
+        keyctl!(
+            libc::KEYCTL_RESTRICT_KEYRING,
+            keyring.get(),
+            type_ptr,
+            restriction_ptr,
+        )
+    }
+    .map(ignore)
+}

src/api.rs

@@ -101,7 +101,6 @@ impl Keyring {
         }
     }
 
-    #[cfg(test)]
     pub(crate) fn serial(&self) -> KeyringSerial {
         self.id
     }
@@ -403,6 +402,32 @@ impl Keyring {
         keyctl_setperm(self.id, perms)
     }
 
+    /// Restrict all links into the keyring.
+    ///
+    /// Requires the `setattr` permission on the keyring and the SysAdmin capability to change it to
+    /// anything other than the current user.
+    pub fn restrict_all(&mut self) -> Result<()> {
+        keyctl_restrict_keyring(self.id, Restriction::AllLinks)
+    }
+
+    /// Restrict links into the keyring.
+    ///
+    /// Requires the `setattr` permission on the keyring and the SysAdmin capability to change it to
+    /// anything other than the current user.
+    pub fn restrict_by_type<K, R>(&mut self, restriction: R) -> Result<()>
+    where
+        K: RestrictableKeyType,
+        R: Borrow<K::Restriction>,
+    {
+        keyctl_restrict_keyring(
+            self.id,
+            Restriction::ByType {
+                type_: K::name(),
+                restriction: &restriction.borrow().restriction(),
+            },
+        )
+    }
+
     fn description_raw(&self) -> Result<String> {
         // Get the size of the description.
         let mut sz = keyctl_describe(self.id, None)?;
@@ -504,7 +529,6 @@ impl Key {
         }
     }
 
-    #[cfg(test)]
     pub(crate) fn serial(&self) -> KeyringSerial {
         self.id
     }

src/keytype.rs

@@ -90,3 +90,27 @@ impl KeyPayload for Vec<u8> {
         Cow::Borrowed(&self)
     }
 }
+
+/// A key which may be restricted into being added to a keyring.
+pub trait RestrictableKeyType: KeyType {
+    /// The type for representing a restriction for adding keys of this type.
+    type Restriction: KeyRestriction + ?Sized;
+}
+
+/// A restriction for a key.
+pub trait KeyRestriction {
+    /// The restriction string of the key.
+    fn restriction(&self) -> Cow<str>;
+}
+
+impl KeyRestriction for str {
+    fn restriction(&self) -> Cow<str> {
+        Cow::Borrowed(&self)
+    }
+}
+
+impl KeyRestriction for String {
+    fn restriction(&self) -> Cow<str> {
+        Cow::Borrowed(&self)
+    }
+}

src/keytypes/asymmetric.rs

@@ -26,7 +26,10 @@
 
 //! Asymmetric keys
 
+use std::borrow::Cow;
+
 use crate::keytype::*;
+use crate::{Key, Keyring, KeyringSerial};
 
 /// Asymmetric keys support encrypting, decrypting, signing, and verifying data.
 ///
@@ -54,3 +57,62 @@ impl KeyType for Asymmetric {
         "asymmetric"
     }
 }
+
+/// A restriction that may be placed onto a keyring using an asymmetric key.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum AsymmetricRestriction {
+    /// Only allow keys which have been signed by a key on the builtin trusted keyring.
+    BuiltinTrusted,
+    /// Only allow keys which have been signed by a key on the builtin or secondary trusted
+    /// keyrings.
+    BuiltinAndSecondaryTrusted,
+    /// Only allow keys which have been signed by the given key.
+    Key {
+        /// The signing key.
+        key: Key,
+        /// Whether or not chaining should be used (see `Chained`).
+        chained: bool,
+    },
+    /// Only allow keys which have been signed by a key on the given keyring.
+    Keyring {
+        /// The keyring with permitted signing keys.
+        keyring: Keyring,
+        /// Whether or not chaining should be used (see `Chained`).
+        chained: bool,
+    },
+    /// When chaining the destination keyring is also searched for signing keys.
+    ///
+    /// This allows building up a chain of trust in the destination keyring.
+    Chained,
+}
+
+impl AsymmetricRestriction {
+    fn restriction_str(id: KeyringSerial, chained: bool) -> String {
+        let chain_suffix = if chained { ":chain" } else { "" };
+        format!("key_or_keyring:{}{}", id, chain_suffix)
+    }
+}
+
+impl KeyRestriction for AsymmetricRestriction {
+    fn restriction(&self) -> Cow<str> {
+        match self {
+            AsymmetricRestriction::BuiltinTrusted => "builtin_trusted".into(),
+            AsymmetricRestriction::BuiltinAndSecondaryTrusted => {
+                "builtin_and_secondary_trusted".into()
+            },
+            AsymmetricRestriction::Key {
+                key,
+                chained,
+            } => Self::restriction_str(key.serial(), *chained).into(),
+            AsymmetricRestriction::Keyring {
+                keyring,
+                chained,
+            } => Self::restriction_str(keyring.serial(), *chained).into(),
+            AsymmetricRestriction::Chained => "key_or_keyring:0:chain".into(),
+        }
+    }
+}
+
+impl RestrictableKeyType for Asymmetric {
+    type Restriction = AsymmetricRestriction;
+}