Commit cfd68b33 authored by Juergen Christ, committed by Vasily Gorbik

s390/zcrypt: Filter admin CPRBs on custom devices



Add a filter for custom devices to check for allowed control domains of
admin CPRBs.  This filter only applies to custom devices and not to the
main device.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
parent 895ae58d
+24 −1
@@ -923,11 +923,22 @@ static long _zcrypt_send_cprb(bool userspace, struct ap_perms *perms,
	if (rc)
		goto out;

	tdom = *domain;
	if (perms != &ap_perms && tdom < AP_DOMAINS) {
		if (ap_msg.flags & AP_MSG_FLAG_ADMIN) {
			if (!test_bit_inv(tdom, perms->adm)) {
				rc = -ENODEV;
				goto out;
			}
		} else if ((ap_msg.flags & AP_MSG_FLAG_USAGE) == 0) {
			rc = -EOPNOTSUPP;
			goto out;
		}
	}
	/*
	 * If a valid target domain is set and this domain is NOT a usage
	 * domain but a control only domain, autoselect target domain.
	 */
	tdom = *domain;
	if (tdom < AP_DOMAINS &&
	    !ap_test_config_usage_domain(tdom) &&
	    ap_test_config_ctrl_domain(tdom))
@@ -1105,6 +1116,18 @@ static long _zcrypt_send_ep11_cprb(bool userspace, struct ap_perms *perms,
	if (rc)
		goto out_free;

	if (perms != &ap_perms && domain < AUTOSEL_DOM) {
		if (ap_msg.flags & AP_MSG_FLAG_ADMIN) {
			if (!test_bit_inv(domain, perms->adm)) {
				rc = -ENODEV;
				goto out_free;
			}
		} else if ((ap_msg.flags & AP_MSG_FLAG_USAGE) == 0) {
			rc = -EOPNOTSUPP;
			goto out_free;
		}
	}

	pref_zc = NULL;
	pref_zq = NULL;
	spin_lock(&zcrypt_list_lock);
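Review bot: The EP11 guard in the second hunk bounds the domain with `domain < AUTOSEL_DOM`, while the guard in the first hunk uses `tdom < AP_DOMAINS` before the same `test_bit_inv(..., perms->adm)` lookup. If AUTOSEL_DOM is larger than AP_DOMAINS and perms->adm holds only AP_DOMAINS bits (neither definition is visible on this page), a domain value in between would index past the end of the mask on a request path; `if (perms != &ap_perms && domain < AP_DOMAINS) {` would make the two paths agree, or out-of-range values could be rejected outright. Both guards also skip the filter entirely when no explicit domain is given, so a short comment such as `/* autoselected domains are filtered during queue selection below */` (if that is indeed the case) would document that an admin CPRB on a custom device cannot sidestep perms->adm that way. Both functions start and end outside the hunks shown, so the later queue-selection checks could not be confirmed here.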