keyring: support restriction rules for keyrings

Fixes: #11

Author: mathstuf

keyutils-raw/src/functions.rs

@@ -378,3 +378,38 @@ pub fn keyctl_dh_compute(
     }
     .map(size)
 }
+
+pub enum Restriction<'a> {
+    AllLinks,
+    ByType {
+        type_: &'a str,
+        restriction: &'a str,
+    },
+}
+
+pub fn keyctl_restrict_keyring(keyring: KeyringSerial, restriction: Restriction) -> Result<()> {
+    let type_cstr;
+    let restriction_cstr;
+
+    let (type_ptr, restriction_ptr) = match restriction {
+        Restriction::AllLinks => (ptr::null(), ptr::null()),
+        Restriction::ByType {
+            type_,
+            restriction,
+        } => {
+            type_cstr = cstring(type_);
+            restriction_cstr = cstring(restriction);
+
+            (type_cstr.as_ptr(), restriction_cstr.as_ptr())
+        },
+    };
+    unsafe {
+        keyctl!(
+            libc::KEYCTL_RESTRICT_KEYRING,
+            keyring.get(),
+            type_ptr,
+            restriction_ptr,
+        )
+    }
+    .map(ignore)
+}

src/api.rs

@@ -403,6 +403,32 @@ impl Keyring {
         keyctl_setperm(self.id, perms)
     }
 
+    /// Restrict all links into the keyring.
+    ///
+    /// Requires the `setattr` permission on the keyring and the SysAdmin capability to change it to
+    /// anything other than the current user.
+    pub fn restrict_all(&mut self) -> Result<()> {
+        keyctl_restrict_keyring(self.id, Restriction::AllLinks)
+    }
+
+    /// Restrict links into the keyring.
+    ///
+    /// Requires the `setattr` permission on the keyring and the SysAdmin capability to change it to
+    /// anything other than the current user.
+    pub fn restrict_by_type<K, R>(&mut self, restriction: R) -> Result<()>
+    where
+        K: RestrictableKeyType,
+        R: Borrow<K::Restriction>,
+    {
+        keyctl_restrict_keyring(
+            self.id,
+            Restriction::ByType {
+                type_: K::name(),
+                restriction: &restriction.borrow().restriction(),
+            },
+        )
+    }
+
     fn description_raw(&self) -> Result<String> {
         // Get the size of the description.
         let mut sz = keyctl_describe(self.id, None)?;

src/keytype.rs

@@ -90,3 +90,27 @@ impl KeyPayload for Vec<u8> {
         Cow::Borrowed(&self)
     }
 }
+
+/// A key which may be restricted into being added to a keyring.
+pub trait RestrictableKeyType: KeyType {
+    /// The type for representing a restriction for adding keys of this type.
+    type Restriction: KeyRestriction + ?Sized;
+}
+
+/// A restriction for a key.
+pub trait KeyRestriction {
+    /// The restriction string of the key.
+    fn restriction(&self) -> Cow<str>;
+}
+
+impl KeyRestriction for str {
+    fn restriction(&self) -> Cow<str> {
+        Cow::Borrowed(&self)
+    }
+}
+
+impl KeyRestriction for String {
+    fn restriction(&self) -> Cow<str> {
+        Cow::Borrowed(&self)
+    }
+}