KEYS: Add a new keyctl op to reject a key with a specified error code

Add a new keyctl op to reject a key with a specified error code.  This works
much the same as negating a key, and so keyctl_negate_key() is made a special
case of keyctl_reject_key().  The difference is that keyctl_negate_key()
selects ENOKEY as the error to be reported.

Typically the key would be rejected with EKEYEXPIRED, EKEYREVOKED or
EKEYREJECTED, but this is not mandatory.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

include/linux/key-type.h

@@ -105,11 +105,20 @@ extern int key_instantiate_and_link(struct key *key,
 				    size_t datalen,
 				    struct key *keyring,
 				    struct key *instkey);
-extern int key_negate_and_link(struct key *key,
+extern int key_reject_and_link(struct key *key,
 			       unsigned timeout,
+			       unsigned error,
 			       struct key *keyring,
 			       struct key *instkey);
 extern void complete_request_key(struct key_construction *cons, int error);
 
+static inline int key_negate_and_link(struct key *key,
+				      unsigned timeout,
+				      struct key *keyring,
+				      struct key *instkey)
+{
+	return key_reject_and_link(key, timeout, ENOKEY, keyring, instkey);
+}
+
 #endif /* CONFIG_KEYS */
 #endif /* _LINUX_KEY_TYPE_H */

include/linux/key.h

@@ -170,6 +170,7 @@ struct key {
 		struct list_head	link;
 		unsigned long		x[2];
 		void			*p[2];
+		int			reject_error;
 	} type_data;
 
 	/* key data

include/linux/keyctl.h

@@ -53,5 +53,6 @@
 #define KEYCTL_ASSUME_AUTHORITY		16	/* assume request_key() authorisation */
 #define KEYCTL_GET_SECURITY		17	/* get key security label */
 #define KEYCTL_SESSION_TO_PARENT	18	/* apply session keyring to parent process */
+#define KEYCTL_REJECT			19	/* reject a partially constructed key */
 
 #endif /*  _LINUX_KEYCTL_H */