author: David Howells <dhowells@redhat.com> 2019-06-26 21:02:33 +0100
committer: David Howells <dhowells@redhat.com> 2019-06-27 23:02:12 +0100
commit: a58946c158a040068e7c94dc1d58bbd273258068
tree: e655258b700359cdfd9f762c099b7587dc0eed9b /Documentation/security/keys/core.rst
parent: 9b242610514fe387ef957bce05e1fdd3efd60359
keys: Pass the network namespace into request_key mechanism
Create a request_key_net() function and use it to pass the network namespace domain tag into DNS resolver keys and rxrpc/AFS keys so that keys for different domains can coexist in the same keyring.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: netdev@vger.kernel.org
cc: linux-nfs@vger.kernel.org
cc: linux-cifs@vger.kernel.org
cc: linux-afs@lists.infradead.org
Diffstat (limited to 'Documentation/security/keys/core.rst')
-rw-r--r-- Documentation/security/keys/core.rst 28
1 files changed, 22 insertions, 6 deletions
diff --git a/Documentation/security/keys/core.rst b/Documentation/security/keys/core.rst
index ae930ae9d590..0e74f372e58c 100644
--- a/Documentation/security/keys/core.rst
+++ b/Documentation/security/keys/core.rst
@@ -1102,26 +1102,42 @@ payload contents" for more information.
See also Documentation/security/keys/request-key.rst.
+ * To search for a key in a specific domain, call:
+
+ struct key *request_key_tag(const struct key_type *type,
+ const char *description,
+ struct key_tag *domain_tag,
+ const char *callout_info);
+
+ This is identical to request_key(), except that a domain tag may be
+ specifies that causes search algorithm to only match keys matching that
+ tag. The domain_tag may be NULL, specifying a global domain that is
+ separate from any nominated domain.
+
+
* To search for a key, passing auxiliary data to the upcaller, call::
struct key *request_key_with_auxdata(const struct key_type *type,
const char *description,
+ struct key_tag *domain_tag,
const void *callout_info,
size_t callout_len,
void *aux);
- This is identical to request_key(), except that the auxiliary data is
- passed to the key_type->request_key() op if it exists, and the callout_info
- is a blob of length callout_len, if given (the length may be 0).
+ This is identical to request_key_tag(), except that the auxiliary data is
+ passed to the key_type->request_key() op if it exists, and the
+ callout_info is a blob of length callout_len, if given (the length may be
+ 0).
* To search for a key under RCU conditions, call::
struct key *request_key_rcu(const struct key_type *type,
- const char *description);
+ const char *description,
+ struct key_tag *domain_tag);
- which is similar to request_key() except that it does not check for keys
- that are under construction and it will not call out to userspace to
+ which is similar to request_key_tag() except that it does not check for
+ keys that are under construction and it will not call out to userspace to
construct a key if it can't find a match.
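Review bot: In the added request_key_tag() entry the lead-in ends in "call:" with a single colon, while the request_key_with_auxdata() and request_key_rcu() entries use "call::", so the new prototype will be reflowed as ordinary text instead of rendering as a literal block; change it to "call::". The description in the same entry reads "a domain tag may be specifies that causes search algorithm", which should be "a domain tag may be specified that causes the search algorithm". The commit message says the change creates request_key_net() to pass the network namespace domain tag, but the documentation introduces only request_key_tag() and never says where a caller obtains a struct key_tag; a sentence naming the helper and the source of the tag would close that gap. Since the text states that a NULL domain_tag selects a global domain separate from any nominated domain, it is also worth saying explicitly, in the request_key_with_auxdata() and request_key_rcu() entries that gained the parameter, that a caller wanting per-domain isolation has to pass its own tag rather than NULL.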