b4d0d230 | 1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* General persistent per-UID keyrings register |
3 | * | |
4 | * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved. | |
5 | * Written by David Howells (dhowells@redhat.com) | |
6 | */ |
7 | ||
8 | #include <linux/user_namespace.h> | |
9 | #include <linux/cred.h> |
10 | ||
11 | #include "internal.h" |
12 | ||
/* Seconds of non-use after which a persistent keyring expires: three days. */
unsigned persistent_keyring_expiry = 3 * 24 * 60 * 60;
14 | ||
/*
 * Allocate the ".persistent_register" keyring that will hold every per-UID
 * persistent keyring of @ns and record it in @ns.
 *
 * The register is owned by kuid/kgid 0, is viewable and readable by that
 * owner (POS_ALL minus SETATTR, USR_VIEW, USR_READ) and is not charged
 * against any key quota.
 *
 * Called with the namespace's sem locked for writing.
 *
 * Returns 0 on success or the negative error from keyring_alloc().
 */
static int key_create_persistent_register(struct user_namespace *ns)
{
	unsigned int perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) |
			    KEY_USR_VIEW | KEY_USR_READ;
	struct key *reg;

	reg = keyring_alloc(".persistent_register",
			    KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
			    perm, KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
	if (IS_ERR(reg))
		return PTR_ERR(reg);

	ns->persistent_keyring_register = reg;
	return 0;
}
34 | ||
/*
 * Find or create the persistent keyring described by @index_key for @uid.
 *
 * If @ns has no register yet, one is created first.  Otherwise the register
 * is searched again under the write lock (the caller's probe was done under
 * the read lock) and an existing keyring is returned.  A newly allocated
 * keyring is owned by @uid with no group, is not quota-charged and is given
 * the register as its destination keyring so it is linked into it.
 *
 * Called with the namespace's sem locked for writing.
 *
 * Returns a possessed reference to the keyring, or an ERR_PTR().
 */
static key_ref_t key_create_persistent(struct user_namespace *ns, kuid_t uid,
				       struct keyring_index_key *index_key)
{
	struct key *keyring;

	if (ns->persistent_keyring_register) {
		/* Recheck before allocating: a racing creator may have won. */
		key_ref_t existing = find_key_to_update(
			make_key_ref(ns->persistent_keyring_register, true),
			index_key);
		if (existing)
			return existing;
	} else {
		long err = key_create_persistent_register(ns);
		if (err < 0)
			return ERR_PTR(err);
	}

	keyring = keyring_alloc(index_key->description,
				uid, INVALID_GID, current_cred(),
				((KEY_POS_ALL & ~KEY_POS_SETATTR) |
				 KEY_USR_VIEW | KEY_USR_READ),
				KEY_ALLOC_NOT_IN_QUOTA, NULL,
				ns->persistent_keyring_register);
	if (IS_ERR(keyring))
		return ERR_CAST(keyring);

	return make_key_ref(keyring, true);
}
68 | ||
/*
 * Get the persistent keyring for a specific UID and link it to the nominated
 * keyring.
 *
 * The register is probed under the read lock first; only when the keyring is
 * absent is the write lock taken and key_create_persistent() asked to create
 * it (and the register itself, if necessary).  The caller must be granted
 * KEY_NEED_LINK on the persistent keyring.  @dest_ref is expected to have
 * been looked up with write permission by the caller (see
 * keyctl_get_persistent()).
 *
 * Returns the serial number of the persistent keyring on success or a
 * negative error code.
 */
static long key_get_persistent(struct user_namespace *ns, kuid_t uid,
			       key_ref_t dest_ref)
{
	struct keyring_index_key index_key;
	key_ref_t persistent_ref = NULL;
	struct key *persistent;
	char buf[32];
	long ret;

	/* Persistent keyrings are named "_persistent.<uid>" in the register.
	 * The prefix (12 chars) plus at most 10 digits and the NUL fits in buf.
	 */
	index_key.type = &key_type_keyring;
	index_key.description = buf;
	index_key.desc_len = sprintf(buf, "_persistent.%u", from_kuid(ns, uid));

	/* Fast path: look in the register if it exists */
	if (ns->persistent_keyring_register) {
		key_ref_t reg_ref =
			make_key_ref(ns->persistent_keyring_register, true);

		down_read(&ns->persistent_keyring_register_sem);
		persistent_ref = find_key_to_update(reg_ref, &index_key);
		up_read(&ns->persistent_keyring_register_sem);
	}

	/* Slow path: not in the register, so create it (and maybe the
	 * register too) under the write lock.
	 */
	if (!persistent_ref) {
		down_write(&ns->persistent_keyring_register_sem);
		persistent_ref = key_create_persistent(ns, uid, &index_key);
		up_write(&ns->persistent_keyring_register_sem);
		if (IS_ERR(persistent_ref))
			return PTR_ERR(persistent_ref);
	}

	ret = key_task_permission(persistent_ref, current_cred(), KEY_NEED_LINK);
	if (ret == 0) {
		persistent = key_ref_to_ptr(persistent_ref);
		ret = key_link(key_ref_to_ptr(dest_ref), persistent);
		if (ret == 0) {
			/* Every successful use pushes the expiry out again */
			key_set_timeout(persistent, persistent_keyring_expiry);
			ret = persistent->serial;
		}
	}

	key_ref_put(persistent_ref);
	return ret;
}
122 | ||
/*
 * Get the persistent keyring for a specific UID and link it to the nominated
 * keyring.
 *
 * @_uid:   the user whose persistent keyring is wanted, or (uid_t)-1 for the
 *          caller's own UID.
 * @destid: ID of the keyring to link the persistent keyring into; it is
 *          looked up with KEY_LOOKUP_CREATE and must be writable.
 *
 * A caller may only request its own persistent keyring (real or effective
 * UID) unless it holds CAP_SETUID in the current user namespace.
 *
 * Returns the serial of the persistent keyring, -EINVAL if @_uid does not map
 * into the namespace, -EPERM if the caller may not see it, -ENOTDIR if
 * @destid is not a keyring, or another negative error code.
 */
long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
{
	struct user_namespace *ns = current_user_ns();
	key_ref_t dest_ref;
	kuid_t uid;
	long ret;

	if (_uid == (uid_t)-1) {
		/* -1 indicates the current user */
		uid = current_uid();
	} else {
		uid = make_kuid(ns, _uid);
		if (!uid_valid(uid))
			return -EINVAL;

		/* Only a sufficiently privileged caller may look at another
		 * user's persistent cache.
		 */
		if (!uid_eq(uid, current_uid()) &&
		    !uid_eq(uid, current_euid()) &&
		    !ns_capable(ns, CAP_SETUID))
			return -EPERM;
	}

	/* There must be a destination keyring */
	dest_ref = lookup_user_key(destid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
	if (IS_ERR(dest_ref))
		return PTR_ERR(dest_ref);

	if (key_ref_to_ptr(dest_ref)->type == &key_type_keyring)
		ret = key_get_persistent(ns, uid, dest_ref);
	else
		ret = -ENOTDIR;

	key_ref_put(dest_ref);
	return ret;
}