Commit | Line | Data |
---|---|---|
973c9f4f | 1 | /* Manage a process's keyrings |
1da177e4 | 2 | * |
69664cf1 | 3 | * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. |
1da177e4 LT |
4 | * Written by David Howells (dhowells@redhat.com) |
5 | * | |
6 | * This program is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU General Public License | |
8 | * as published by the Free Software Foundation; either version | |
9 | * 2 of the License, or (at your option) any later version. | |
10 | */ | |
11 | ||
12 | #include <linux/module.h> | |
13 | #include <linux/init.h> | |
14 | #include <linux/sched.h> | |
1da177e4 LT |
15 | #include <linux/keyctl.h> |
16 | #include <linux/fs.h> | |
17 | #include <linux/err.h> | |
bb003079 | 18 | #include <linux/mutex.h> |
ee18d64c | 19 | #include <linux/security.h> |
1d1e9756 | 20 | #include <linux/user_namespace.h> |
1da177e4 LT |
21 | #include <asm/uaccess.h> |
22 | #include "internal.h" | |
23 | ||
973c9f4f | 24 | /* Session keyring create vs join semaphore */ |
bb003079 | 25 | static DEFINE_MUTEX(key_session_mutex); |
1da177e4 | 26 | |
973c9f4f | 27 | /* User keyring creation semaphore */ |
69664cf1 DH |
28 | static DEFINE_MUTEX(key_user_keyring_mutex); |
29 | ||
973c9f4f | 30 | /* The root user's tracking struct */ |
1da177e4 LT |
31 | struct key_user root_key_user = { |
32 | .usage = ATOMIC_INIT(3), | |
76181c13 | 33 | .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock), |
6cfd76a2 | 34 | .lock = __SPIN_LOCK_UNLOCKED(root_key_user.lock), |
1da177e4 LT |
35 | .nkeys = ATOMIC_INIT(2), |
36 | .nikeys = ATOMIC_INIT(2), | |
9a56c2db | 37 | .uid = GLOBAL_ROOT_UID, |
1da177e4 LT |
38 | }; |
39 | ||
1da177e4 | 40 | /* |
973c9f4f | 41 | * Install the user and user session keyrings for the current process's UID. |
1da177e4 | 42 | */ |
8bbf4976 | 43 | int install_user_keyrings(void) |
1da177e4 | 44 | { |
d84f4f99 DH |
45 | struct user_struct *user; |
46 | const struct cred *cred; | |
1da177e4 | 47 | struct key *uid_keyring, *session_keyring; |
96b5c8fe | 48 | key_perm_t user_keyring_perm; |
1da177e4 LT |
49 | char buf[20]; |
50 | int ret; | |
9a56c2db | 51 | uid_t uid; |
1da177e4 | 52 | |
96b5c8fe | 53 | user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL; |
d84f4f99 DH |
54 | cred = current_cred(); |
55 | user = cred->user; | |
9a56c2db | 56 | uid = from_kuid(cred->user_ns, user->uid); |
d84f4f99 | 57 | |
9a56c2db | 58 | kenter("%p{%u}", user, uid); |
1da177e4 | 59 | |
0da9dfdd | 60 | if (user->uid_keyring && user->session_keyring) { |
69664cf1 DH |
61 | kleave(" = 0 [exist]"); |
62 | return 0; | |
1da177e4 LT |
63 | } |
64 | ||
69664cf1 DH |
65 | mutex_lock(&key_user_keyring_mutex); |
66 | ret = 0; | |
1da177e4 | 67 | |
69664cf1 DH |
68 | if (!user->uid_keyring) { |
69 | /* get the UID-specific keyring | |
70 | * - there may be one in existence already as it may have been | |
71 | * pinned by a session, but the user_struct pointing to it | |
72 | * may have been destroyed by setuid */ | |
9a56c2db | 73 | sprintf(buf, "_uid.%u", uid); |
69664cf1 DH |
74 | |
75 | uid_keyring = find_keyring_by_name(buf, true); | |
76 | if (IS_ERR(uid_keyring)) { | |
9a56c2db | 77 | uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID, |
96b5c8fe | 78 | cred, user_keyring_perm, |
5ac7eace DH |
79 | KEY_ALLOC_IN_QUOTA, |
80 | NULL, NULL); | |
69664cf1 DH |
81 | if (IS_ERR(uid_keyring)) { |
82 | ret = PTR_ERR(uid_keyring); | |
83 | goto error; | |
84 | } | |
85 | } | |
86 | ||
87 | /* get a default session keyring (which might also exist | |
88 | * already) */ | |
9a56c2db | 89 | sprintf(buf, "_uid_ses.%u", uid); |
69664cf1 DH |
90 | |
91 | session_keyring = find_keyring_by_name(buf, true); | |
92 | if (IS_ERR(session_keyring)) { | |
93 | session_keyring = | |
9a56c2db | 94 | keyring_alloc(buf, user->uid, INVALID_GID, |
96b5c8fe | 95 | cred, user_keyring_perm, |
5ac7eace DH |
96 | KEY_ALLOC_IN_QUOTA, |
97 | NULL, NULL); | |
69664cf1 DH |
98 | if (IS_ERR(session_keyring)) { |
99 | ret = PTR_ERR(session_keyring); | |
100 | goto error_release; | |
101 | } | |
102 | ||
103 | /* we install a link from the user session keyring to | |
104 | * the user keyring */ | |
105 | ret = key_link(session_keyring, uid_keyring); | |
106 | if (ret < 0) | |
107 | goto error_release_both; | |
108 | } | |
109 | ||
110 | /* install the keyrings */ | |
111 | user->uid_keyring = uid_keyring; | |
112 | user->session_keyring = session_keyring; | |
1da177e4 LT |
113 | } |
114 | ||
69664cf1 DH |
115 | mutex_unlock(&key_user_keyring_mutex); |
116 | kleave(" = 0"); | |
117 | return 0; | |
1da177e4 | 118 | |
69664cf1 DH |
119 | error_release_both: |
120 | key_put(session_keyring); | |
121 | error_release: | |
122 | key_put(uid_keyring); | |
664cceb0 | 123 | error: |
69664cf1 DH |
124 | mutex_unlock(&key_user_keyring_mutex); |
125 | kleave(" = %d", ret); | |
1da177e4 | 126 | return ret; |
69664cf1 | 127 | } |
1da177e4 | 128 | |
1da177e4 | 129 | /* |
973c9f4f DH |
130 | * Install a fresh thread keyring directly to new credentials. This keyring is |
131 | * allowed to overrun the quota. | |
1da177e4 | 132 | */ |
d84f4f99 | 133 | int install_thread_keyring_to_cred(struct cred *new) |
1da177e4 | 134 | { |
d84f4f99 | 135 | struct key *keyring; |
1da177e4 | 136 | |
d84f4f99 | 137 | keyring = keyring_alloc("_tid", new->uid, new->gid, new, |
96b5c8fe | 138 | KEY_POS_ALL | KEY_USR_VIEW, |
5ac7eace DH |
139 | KEY_ALLOC_QUOTA_OVERRUN, |
140 | NULL, NULL); | |
d84f4f99 DH |
141 | if (IS_ERR(keyring)) |
142 | return PTR_ERR(keyring); | |
1da177e4 | 143 | |
d84f4f99 DH |
144 | new->thread_keyring = keyring; |
145 | return 0; | |
146 | } | |
1da177e4 | 147 | |
1da177e4 | 148 | /* |
973c9f4f | 149 | * Install a fresh thread keyring, discarding the old one. |
1da177e4 | 150 | */ |
d84f4f99 | 151 | static int install_thread_keyring(void) |
1da177e4 | 152 | { |
d84f4f99 | 153 | struct cred *new; |
1da177e4 LT |
154 | int ret; |
155 | ||
d84f4f99 DH |
156 | new = prepare_creds(); |
157 | if (!new) | |
158 | return -ENOMEM; | |
1da177e4 | 159 | |
d84f4f99 DH |
160 | BUG_ON(new->thread_keyring); |
161 | ||
162 | ret = install_thread_keyring_to_cred(new); | |
163 | if (ret < 0) { | |
164 | abort_creds(new); | |
165 | return ret; | |
1da177e4 LT |
166 | } |
167 | ||
d84f4f99 DH |
168 | return commit_creds(new); |
169 | } | |
1da177e4 | 170 | |
d84f4f99 | 171 | /* |
973c9f4f DH |
172 | * Install a process keyring directly to a credentials struct. |
173 | * | |
174 | * Returns -EEXIST if there was already a process keyring, 0 if one installed, | |
175 | * and other value on any other error | |
d84f4f99 DH |
176 | */ |
177 | int install_process_keyring_to_cred(struct cred *new) | |
178 | { | |
179 | struct key *keyring; | |
1da177e4 | 180 | |
3a50597d | 181 | if (new->process_keyring) |
d84f4f99 DH |
182 | return -EEXIST; |
183 | ||
96b5c8fe DH |
184 | keyring = keyring_alloc("_pid", new->uid, new->gid, new, |
185 | KEY_POS_ALL | KEY_USR_VIEW, | |
5ac7eace DH |
186 | KEY_ALLOC_QUOTA_OVERRUN, |
187 | NULL, NULL); | |
d84f4f99 DH |
188 | if (IS_ERR(keyring)) |
189 | return PTR_ERR(keyring); | |
190 | ||
3a50597d DH |
191 | new->process_keyring = keyring; |
192 | return 0; | |
d84f4f99 | 193 | } |
1da177e4 | 194 | |
1da177e4 | 195 | /* |
973c9f4f DH |
196 | * Make sure a process keyring is installed for the current process. The |
197 | * existing process keyring is not replaced. | |
198 | * | |
199 | * Returns 0 if there is a process keyring by the end of this function, some | |
200 | * error otherwise. | |
1da177e4 | 201 | */ |
d84f4f99 | 202 | static int install_process_keyring(void) |
1da177e4 | 203 | { |
d84f4f99 | 204 | struct cred *new; |
1da177e4 LT |
205 | int ret; |
206 | ||
d84f4f99 DH |
207 | new = prepare_creds(); |
208 | if (!new) | |
209 | return -ENOMEM; | |
1da177e4 | 210 | |
d84f4f99 DH |
211 | ret = install_process_keyring_to_cred(new); |
212 | if (ret < 0) { | |
213 | abort_creds(new); | |
27d63798 | 214 | return ret != -EEXIST ? ret : 0; |
1da177e4 LT |
215 | } |
216 | ||
d84f4f99 DH |
217 | return commit_creds(new); |
218 | } | |
1da177e4 | 219 | |
1da177e4 | 220 | /* |
973c9f4f | 221 | * Install a session keyring directly to a credentials struct. |
1da177e4 | 222 | */ |
685bfd2c | 223 | int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) |
1da177e4 | 224 | { |
7e047ef5 | 225 | unsigned long flags; |
1da177e4 | 226 | struct key *old; |
1a26feb9 DH |
227 | |
228 | might_sleep(); | |
1da177e4 LT |
229 | |
230 | /* create an empty session keyring */ | |
231 | if (!keyring) { | |
7e047ef5 | 232 | flags = KEY_ALLOC_QUOTA_OVERRUN; |
3a50597d | 233 | if (cred->session_keyring) |
7e047ef5 DH |
234 | flags = KEY_ALLOC_IN_QUOTA; |
235 | ||
96b5c8fe DH |
236 | keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred, |
237 | KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ, | |
5ac7eace | 238 | flags, NULL, NULL); |
1a26feb9 DH |
239 | if (IS_ERR(keyring)) |
240 | return PTR_ERR(keyring); | |
d84f4f99 | 241 | } else { |
ccc3e6d9 | 242 | __key_get(keyring); |
1da177e4 LT |
243 | } |
244 | ||
245 | /* install the keyring */ | |
3a50597d DH |
246 | old = cred->session_keyring; |
247 | rcu_assign_pointer(cred->session_keyring, keyring); | |
248 | ||
249 | if (old) | |
1a26feb9 | 250 | key_put(old); |
1da177e4 | 251 | |
1a26feb9 | 252 | return 0; |
d84f4f99 | 253 | } |
1da177e4 | 254 | |
1da177e4 | 255 | /* |
973c9f4f DH |
256 | * Install a session keyring, discarding the old one. If a keyring is not |
257 | * supplied, an empty one is invented. | |
1da177e4 | 258 | */ |
d84f4f99 | 259 | static int install_session_keyring(struct key *keyring) |
1da177e4 | 260 | { |
d84f4f99 DH |
261 | struct cred *new; |
262 | int ret; | |
1da177e4 | 263 | |
d84f4f99 DH |
264 | new = prepare_creds(); |
265 | if (!new) | |
266 | return -ENOMEM; | |
1da177e4 | 267 | |
99599537 | 268 | ret = install_session_keyring_to_cred(new, keyring); |
d84f4f99 DH |
269 | if (ret < 0) { |
270 | abort_creds(new); | |
271 | return ret; | |
272 | } | |
1da177e4 | 273 | |
d84f4f99 DH |
274 | return commit_creds(new); |
275 | } | |
1da177e4 | 276 | |
1da177e4 | 277 | /* |
973c9f4f | 278 | * Handle the fsuid changing. |
1da177e4 LT |
279 | */ |
280 | void key_fsuid_changed(struct task_struct *tsk) | |
281 | { | |
282 | /* update the ownership of the thread keyring */ | |
b6dff3ec DH |
283 | BUG_ON(!tsk->cred); |
284 | if (tsk->cred->thread_keyring) { | |
285 | down_write(&tsk->cred->thread_keyring->sem); | |
286 | tsk->cred->thread_keyring->uid = tsk->cred->fsuid; | |
287 | up_write(&tsk->cred->thread_keyring->sem); | |
1da177e4 | 288 | } |
a8b17ed0 | 289 | } |
1da177e4 | 290 | |
1da177e4 | 291 | /* |
973c9f4f | 292 | * Handle the fsgid changing. |
1da177e4 LT |
293 | */ |
294 | void key_fsgid_changed(struct task_struct *tsk) | |
295 | { | |
296 | /* update the ownership of the thread keyring */ | |
b6dff3ec DH |
297 | BUG_ON(!tsk->cred); |
298 | if (tsk->cred->thread_keyring) { | |
299 | down_write(&tsk->cred->thread_keyring->sem); | |
300 | tsk->cred->thread_keyring->gid = tsk->cred->fsgid; | |
301 | up_write(&tsk->cred->thread_keyring->sem); | |
1da177e4 | 302 | } |
a8b17ed0 | 303 | } |
1da177e4 | 304 | |
1da177e4 | 305 | /* |
973c9f4f DH |
306 | * Search the process keyrings attached to the supplied cred for the first |
307 | * matching key. | |
308 | * | |
309 | * The search criteria are the type and the match function. The description is | |
310 | * given to the match function as a parameter, but doesn't otherwise influence | |
311 | * the search. Typically the match function will compare the description | |
312 | * parameter to the key's description. | |
313 | * | |
314 | * This can only search keyrings that grant Search permission to the supplied | |
315 | * credentials. Keyrings linked to searched keyrings will also be searched if | |
316 | * they grant Search permission too. Keys can only be found if they grant | |
317 | * Search permission to the credentials. | |
318 | * | |
319 | * Returns a pointer to the key with the key usage count incremented if | |
320 | * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only | |
321 | * matched negative keys. | |
322 | * | |
323 | * In the case of a successful return, the possession attribute is set on the | |
324 | * returned key reference. | |
1da177e4 | 325 | */ |
4bdf0bc3 | 326 | key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx) |
1da177e4 | 327 | { |
b5f545c8 | 328 | key_ref_t key_ref, ret, err; |
1da177e4 LT |
329 | |
330 | /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were | |
331 | * searchable, but we failed to find a key or we found a negative key; | |
332 | * otherwise we want to return a sample error (probably -EACCES) if | |
333 | * none of the keyrings were searchable | |
334 | * | |
335 | * in terms of priority: success > -ENOKEY > -EAGAIN > other error | |
336 | */ | |
664cceb0 | 337 | key_ref = NULL; |
1da177e4 LT |
338 | ret = NULL; |
339 | err = ERR_PTR(-EAGAIN); | |
340 | ||
341 | /* search the thread keyring first */ | |
4bdf0bc3 | 342 | if (ctx->cred->thread_keyring) { |
664cceb0 | 343 | key_ref = keyring_search_aux( |
4bdf0bc3 | 344 | make_key_ref(ctx->cred->thread_keyring, 1), ctx); |
664cceb0 | 345 | if (!IS_ERR(key_ref)) |
1da177e4 LT |
346 | goto found; |
347 | ||
664cceb0 | 348 | switch (PTR_ERR(key_ref)) { |
1da177e4 | 349 | case -EAGAIN: /* no key */ |
1da177e4 | 350 | case -ENOKEY: /* negative key */ |
664cceb0 | 351 | ret = key_ref; |
1da177e4 LT |
352 | break; |
353 | default: | |
664cceb0 | 354 | err = key_ref; |
1da177e4 LT |
355 | break; |
356 | } | |
357 | } | |
358 | ||
359 | /* search the process keyring second */ | |
4bdf0bc3 | 360 | if (ctx->cred->process_keyring) { |
664cceb0 | 361 | key_ref = keyring_search_aux( |
4bdf0bc3 | 362 | make_key_ref(ctx->cred->process_keyring, 1), ctx); |
664cceb0 | 363 | if (!IS_ERR(key_ref)) |
1da177e4 LT |
364 | goto found; |
365 | ||
664cceb0 | 366 | switch (PTR_ERR(key_ref)) { |
1da177e4 | 367 | case -EAGAIN: /* no key */ |
fe9453a1 DH |
368 | if (ret) |
369 | break; | |
1da177e4 | 370 | case -ENOKEY: /* negative key */ |
664cceb0 | 371 | ret = key_ref; |
1da177e4 LT |
372 | break; |
373 | default: | |
664cceb0 | 374 | err = key_ref; |
1da177e4 LT |
375 | break; |
376 | } | |
377 | } | |
378 | ||
3e30148c | 379 | /* search the session keyring */ |
4bdf0bc3 | 380 | if (ctx->cred->session_keyring) { |
8589b4e0 | 381 | rcu_read_lock(); |
664cceb0 | 382 | key_ref = keyring_search_aux( |
4bdf0bc3 DH |
383 | make_key_ref(rcu_dereference(ctx->cred->session_keyring), 1), |
384 | ctx); | |
8589b4e0 | 385 | rcu_read_unlock(); |
3e30148c | 386 | |
664cceb0 | 387 | if (!IS_ERR(key_ref)) |
3e30148c DH |
388 | goto found; |
389 | ||
664cceb0 | 390 | switch (PTR_ERR(key_ref)) { |
3e30148c DH |
391 | case -EAGAIN: /* no key */ |
392 | if (ret) | |
393 | break; | |
394 | case -ENOKEY: /* negative key */ | |
664cceb0 | 395 | ret = key_ref; |
3e30148c DH |
396 | break; |
397 | default: | |
664cceb0 | 398 | err = key_ref; |
3e30148c DH |
399 | break; |
400 | } | |
b5f545c8 DH |
401 | } |
402 | /* or search the user-session keyring */ | |
4bdf0bc3 | 403 | else if (ctx->cred->user->session_keyring) { |
b5f545c8 | 404 | key_ref = keyring_search_aux( |
4bdf0bc3 DH |
405 | make_key_ref(ctx->cred->user->session_keyring, 1), |
406 | ctx); | |
664cceb0 | 407 | if (!IS_ERR(key_ref)) |
3e30148c DH |
408 | goto found; |
409 | ||
664cceb0 | 410 | switch (PTR_ERR(key_ref)) { |
3e30148c DH |
411 | case -EAGAIN: /* no key */ |
412 | if (ret) | |
413 | break; | |
414 | case -ENOKEY: /* negative key */ | |
664cceb0 | 415 | ret = key_ref; |
3e30148c DH |
416 | break; |
417 | default: | |
664cceb0 | 418 | err = key_ref; |
3e30148c DH |
419 | break; |
420 | } | |
8589b4e0 | 421 | } |
b5f545c8 | 422 | |
927942aa DH |
423 | /* no key - decide on the error we're going to go for */ |
424 | key_ref = ret ? ret : err; | |
425 | ||
426 | found: | |
427 | return key_ref; | |
428 | } | |
429 | ||
927942aa | 430 | /* |
973c9f4f DH |
431 | * Search the process keyrings attached to the supplied cred for the first |
432 | * matching key in the manner of search_my_process_keyrings(), but also search | |
433 | * the keys attached to the assumed authorisation key using its credentials if | |
434 | * one is available. | |
435 | * | |
436 | * Return same as search_my_process_keyrings(). | |
927942aa | 437 | */ |
4bdf0bc3 | 438 | key_ref_t search_process_keyrings(struct keyring_search_context *ctx) |
927942aa DH |
439 | { |
440 | struct request_key_auth *rka; | |
441 | key_ref_t key_ref, ret = ERR_PTR(-EACCES), err; | |
442 | ||
443 | might_sleep(); | |
444 | ||
4bdf0bc3 | 445 | key_ref = search_my_process_keyrings(ctx); |
927942aa DH |
446 | if (!IS_ERR(key_ref)) |
447 | goto found; | |
448 | err = key_ref; | |
449 | ||
b5f545c8 DH |
450 | /* if this process has an instantiation authorisation key, then we also |
451 | * search the keyrings of the process mentioned there | |
452 | * - we don't permit access to request_key auth keys via this method | |
453 | */ | |
4bdf0bc3 DH |
454 | if (ctx->cred->request_key_auth && |
455 | ctx->cred == current_cred() && | |
456 | ctx->index_key.type != &key_type_request_key_auth | |
b5f545c8 | 457 | ) { |
4bdf0bc3 DH |
458 | const struct cred *cred = ctx->cred; |
459 | ||
04c567d9 | 460 | /* defend against the auth key being revoked */ |
c69e8d9c | 461 | down_read(&cred->request_key_auth->sem); |
b5f545c8 | 462 | |
4bdf0bc3 | 463 | if (key_validate(ctx->cred->request_key_auth) == 0) { |
146aa8b1 | 464 | rka = ctx->cred->request_key_auth->payload.data[0]; |
b5f545c8 | 465 | |
4bdf0bc3 DH |
466 | ctx->cred = rka->cred; |
467 | key_ref = search_process_keyrings(ctx); | |
468 | ctx->cred = cred; | |
1da177e4 | 469 | |
c69e8d9c | 470 | up_read(&cred->request_key_auth->sem); |
04c567d9 DH |
471 | |
472 | if (!IS_ERR(key_ref)) | |
473 | goto found; | |
474 | ||
927942aa | 475 | ret = key_ref; |
04c567d9 | 476 | } else { |
c69e8d9c | 477 | up_read(&cred->request_key_auth->sem); |
3e30148c | 478 | } |
1da177e4 LT |
479 | } |
480 | ||
481 | /* no key - decide on the error we're going to go for */ | |
927942aa DH |
482 | if (err == ERR_PTR(-ENOKEY) || ret == ERR_PTR(-ENOKEY)) |
483 | key_ref = ERR_PTR(-ENOKEY); | |
484 | else if (err == ERR_PTR(-EACCES)) | |
485 | key_ref = ret; | |
486 | else | |
487 | key_ref = err; | |
1da177e4 | 488 | |
3e30148c | 489 | found: |
664cceb0 | 490 | return key_ref; |
a8b17ed0 | 491 | } |
1da177e4 | 492 | |
664cceb0 | 493 | /* |
973c9f4f | 494 | * See if the key we're looking at is the target key. |
664cceb0 | 495 | */ |
0c903ab6 DH |
496 | bool lookup_user_key_possessed(const struct key *key, |
497 | const struct key_match_data *match_data) | |
664cceb0 | 498 | { |
46291959 | 499 | return key == match_data->raw_data; |
a8b17ed0 | 500 | } |
664cceb0 | 501 | |
1da177e4 | 502 | /* |
973c9f4f DH |
503 | * Look up a key ID given us by userspace with a given permissions mask to get |
504 | * the key it refers to. | |
505 | * | |
506 | * Flags can be passed to request that special keyrings be created if referred | |
507 | * to directly, to permit partially constructed keys to be found and to skip | |
508 | * validity and permission checks on the found key. | |
509 | * | |
510 | * Returns a pointer to the key with an incremented usage count if successful; | |
511 | * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond | |
512 | * to a key or the best found key was a negative key; -EKEYREVOKED or | |
513 | * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the | |
514 | * found key doesn't grant the requested permit or the LSM denied access to it; | |
515 | * or -ENOMEM if a special keyring couldn't be created. | |
516 | * | |
517 | * In the case of a successful return, the possession attribute is set on the | |
518 | * returned key reference. | |
1da177e4 | 519 | */ |
5593122e | 520 | key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, |
8bbf4976 | 521 | key_perm_t perm) |
1da177e4 | 522 | { |
4bdf0bc3 | 523 | struct keyring_search_context ctx = { |
46291959 DH |
524 | .match_data.cmp = lookup_user_key_possessed, |
525 | .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, | |
526 | .flags = KEYRING_SEARCH_NO_STATE_CHECK, | |
4bdf0bc3 | 527 | }; |
8bbf4976 | 528 | struct request_key_auth *rka; |
1da177e4 | 529 | struct key *key; |
b6dff3ec | 530 | key_ref_t key_ref, skey_ref; |
1da177e4 LT |
531 | int ret; |
532 | ||
bb952bb9 | 533 | try_again: |
4bdf0bc3 | 534 | ctx.cred = get_current_cred(); |
664cceb0 | 535 | key_ref = ERR_PTR(-ENOKEY); |
1da177e4 LT |
536 | |
537 | switch (id) { | |
538 | case KEY_SPEC_THREAD_KEYRING: | |
4bdf0bc3 | 539 | if (!ctx.cred->thread_keyring) { |
5593122e | 540 | if (!(lflags & KEY_LOOKUP_CREATE)) |
1da177e4 LT |
541 | goto error; |
542 | ||
8bbf4976 | 543 | ret = install_thread_keyring(); |
1da177e4 | 544 | if (ret < 0) { |
4d09ec0f | 545 | key_ref = ERR_PTR(ret); |
1da177e4 LT |
546 | goto error; |
547 | } | |
bb952bb9 | 548 | goto reget_creds; |
1da177e4 LT |
549 | } |
550 | ||
4bdf0bc3 | 551 | key = ctx.cred->thread_keyring; |
ccc3e6d9 | 552 | __key_get(key); |
664cceb0 | 553 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
554 | break; |
555 | ||
556 | case KEY_SPEC_PROCESS_KEYRING: | |
4bdf0bc3 | 557 | if (!ctx.cred->process_keyring) { |
5593122e | 558 | if (!(lflags & KEY_LOOKUP_CREATE)) |
1da177e4 LT |
559 | goto error; |
560 | ||
8bbf4976 | 561 | ret = install_process_keyring(); |
1da177e4 | 562 | if (ret < 0) { |
4d09ec0f | 563 | key_ref = ERR_PTR(ret); |
1da177e4 LT |
564 | goto error; |
565 | } | |
bb952bb9 | 566 | goto reget_creds; |
1da177e4 LT |
567 | } |
568 | ||
4bdf0bc3 | 569 | key = ctx.cred->process_keyring; |
ccc3e6d9 | 570 | __key_get(key); |
664cceb0 | 571 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
572 | break; |
573 | ||
574 | case KEY_SPEC_SESSION_KEYRING: | |
4bdf0bc3 | 575 | if (!ctx.cred->session_keyring) { |
1da177e4 LT |
576 | /* always install a session keyring upon access if one |
577 | * doesn't exist yet */ | |
8bbf4976 | 578 | ret = install_user_keyrings(); |
69664cf1 DH |
579 | if (ret < 0) |
580 | goto error; | |
3ecf1b4f DH |
581 | if (lflags & KEY_LOOKUP_CREATE) |
582 | ret = join_session_keyring(NULL); | |
583 | else | |
584 | ret = install_session_keyring( | |
4bdf0bc3 | 585 | ctx.cred->user->session_keyring); |
d84f4f99 | 586 | |
1da177e4 LT |
587 | if (ret < 0) |
588 | goto error; | |
bb952bb9 | 589 | goto reget_creds; |
4bdf0bc3 DH |
590 | } else if (ctx.cred->session_keyring == |
591 | ctx.cred->user->session_keyring && | |
3ecf1b4f DH |
592 | lflags & KEY_LOOKUP_CREATE) { |
593 | ret = join_session_keyring(NULL); | |
594 | if (ret < 0) | |
595 | goto error; | |
596 | goto reget_creds; | |
1da177e4 LT |
597 | } |
598 | ||
3e30148c | 599 | rcu_read_lock(); |
4bdf0bc3 | 600 | key = rcu_dereference(ctx.cred->session_keyring); |
ccc3e6d9 | 601 | __key_get(key); |
3e30148c | 602 | rcu_read_unlock(); |
664cceb0 | 603 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
604 | break; |
605 | ||
606 | case KEY_SPEC_USER_KEYRING: | |
4bdf0bc3 | 607 | if (!ctx.cred->user->uid_keyring) { |
8bbf4976 | 608 | ret = install_user_keyrings(); |
69664cf1 DH |
609 | if (ret < 0) |
610 | goto error; | |
611 | } | |
612 | ||
4bdf0bc3 | 613 | key = ctx.cred->user->uid_keyring; |
ccc3e6d9 | 614 | __key_get(key); |
664cceb0 | 615 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
616 | break; |
617 | ||
618 | case KEY_SPEC_USER_SESSION_KEYRING: | |
4bdf0bc3 | 619 | if (!ctx.cred->user->session_keyring) { |
8bbf4976 | 620 | ret = install_user_keyrings(); |
69664cf1 DH |
621 | if (ret < 0) |
622 | goto error; | |
623 | } | |
624 | ||
4bdf0bc3 | 625 | key = ctx.cred->user->session_keyring; |
ccc3e6d9 | 626 | __key_get(key); |
664cceb0 | 627 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
628 | break; |
629 | ||
630 | case KEY_SPEC_GROUP_KEYRING: | |
631 | /* group keyrings are not yet supported */ | |
4d09ec0f | 632 | key_ref = ERR_PTR(-EINVAL); |
1da177e4 LT |
633 | goto error; |
634 | ||
b5f545c8 | 635 | case KEY_SPEC_REQKEY_AUTH_KEY: |
4bdf0bc3 | 636 | key = ctx.cred->request_key_auth; |
b5f545c8 DH |
637 | if (!key) |
638 | goto error; | |
639 | ||
ccc3e6d9 | 640 | __key_get(key); |
b5f545c8 DH |
641 | key_ref = make_key_ref(key, 1); |
642 | break; | |
643 | ||
8bbf4976 | 644 | case KEY_SPEC_REQUESTOR_KEYRING: |
4bdf0bc3 | 645 | if (!ctx.cred->request_key_auth) |
8bbf4976 DH |
646 | goto error; |
647 | ||
4bdf0bc3 | 648 | down_read(&ctx.cred->request_key_auth->sem); |
f67dabbd | 649 | if (test_bit(KEY_FLAG_REVOKED, |
4bdf0bc3 | 650 | &ctx.cred->request_key_auth->flags)) { |
8bbf4976 DH |
651 | key_ref = ERR_PTR(-EKEYREVOKED); |
652 | key = NULL; | |
653 | } else { | |
146aa8b1 | 654 | rka = ctx.cred->request_key_auth->payload.data[0]; |
8bbf4976 | 655 | key = rka->dest_keyring; |
ccc3e6d9 | 656 | __key_get(key); |
8bbf4976 | 657 | } |
4bdf0bc3 | 658 | up_read(&ctx.cred->request_key_auth->sem); |
8bbf4976 DH |
659 | if (!key) |
660 | goto error; | |
661 | key_ref = make_key_ref(key, 1); | |
662 | break; | |
663 | ||
1da177e4 | 664 | default: |
664cceb0 | 665 | key_ref = ERR_PTR(-EINVAL); |
1da177e4 LT |
666 | if (id < 1) |
667 | goto error; | |
668 | ||
669 | key = key_lookup(id); | |
664cceb0 | 670 | if (IS_ERR(key)) { |
e231c2ee | 671 | key_ref = ERR_CAST(key); |
1da177e4 | 672 | goto error; |
664cceb0 DH |
673 | } |
674 | ||
675 | key_ref = make_key_ref(key, 0); | |
676 | ||
677 | /* check to see if we possess the key */ | |
4bdf0bc3 DH |
678 | ctx.index_key.type = key->type; |
679 | ctx.index_key.description = key->description; | |
680 | ctx.index_key.desc_len = strlen(key->description); | |
46291959 | 681 | ctx.match_data.raw_data = key; |
4bdf0bc3 DH |
682 | kdebug("check possessed"); |
683 | skey_ref = search_process_keyrings(&ctx); | |
684 | kdebug("possessed=%p", skey_ref); | |
664cceb0 DH |
685 | |
686 | if (!IS_ERR(skey_ref)) { | |
687 | key_put(key); | |
688 | key_ref = skey_ref; | |
689 | } | |
690 | ||
1da177e4 LT |
691 | break; |
692 | } | |
693 | ||
5593122e DH |
694 | /* unlink does not use the nominated key in any way, so can skip all |
695 | * the permission checks as it is only concerned with the keyring */ | |
696 | if (lflags & KEY_LOOKUP_FOR_UNLINK) { | |
697 | ret = 0; | |
698 | goto error; | |
699 | } | |
700 | ||
701 | if (!(lflags & KEY_LOOKUP_PARTIAL)) { | |
76181c13 DH |
702 | ret = wait_for_key_construction(key, true); |
703 | switch (ret) { | |
704 | case -ERESTARTSYS: | |
705 | goto invalid_key; | |
706 | default: | |
707 | if (perm) | |
708 | goto invalid_key; | |
709 | case 0: | |
710 | break; | |
711 | } | |
712 | } else if (perm) { | |
1da177e4 LT |
713 | ret = key_validate(key); |
714 | if (ret < 0) | |
715 | goto invalid_key; | |
716 | } | |
717 | ||
718 | ret = -EIO; | |
5593122e DH |
719 | if (!(lflags & KEY_LOOKUP_PARTIAL) && |
720 | !test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) | |
1da177e4 LT |
721 | goto invalid_key; |
722 | ||
3e30148c | 723 | /* check the permissions */ |
4bdf0bc3 | 724 | ret = key_task_permission(key_ref, ctx.cred, perm); |
29db9190 | 725 | if (ret < 0) |
1da177e4 LT |
726 | goto invalid_key; |
727 | ||
31d5a79d DH |
728 | key->last_used_at = current_kernel_time().tv_sec; |
729 | ||
664cceb0 | 730 | error: |
4bdf0bc3 | 731 | put_cred(ctx.cred); |
664cceb0 | 732 | return key_ref; |
1da177e4 | 733 | |
664cceb0 DH |
734 | invalid_key: |
735 | key_ref_put(key_ref); | |
736 | key_ref = ERR_PTR(ret); | |
1da177e4 LT |
737 | goto error; |
738 | ||
bb952bb9 DH |
739 | /* if we attempted to install a keyring, then it may have caused new |
740 | * creds to be installed */ | |
741 | reget_creds: | |
4bdf0bc3 | 742 | put_cred(ctx.cred); |
bb952bb9 | 743 | goto try_again; |
a8b17ed0 | 744 | } |
bb952bb9 | 745 | |
1da177e4 | 746 | /* |
973c9f4f DH |
747 | * Join the named keyring as the session keyring if possible else attempt to |
748 | * create a new one of that name and join that. | |
749 | * | |
750 | * If the name is NULL, an empty anonymous keyring will be installed as the | |
751 | * session keyring. | |
752 | * | |
753 | * Named session keyrings are joined with a semaphore held to prevent the | |
754 | * keyrings from going away whilst the attempt is made to going them and also | |
755 | * to prevent a race in creating compatible session keyrings. | |
1da177e4 LT |
756 | */ |
757 | long join_session_keyring(const char *name) | |
758 | { | |
d84f4f99 DH |
759 | const struct cred *old; |
760 | struct cred *new; | |
1da177e4 | 761 | struct key *keyring; |
d84f4f99 DH |
762 | long ret, serial; |
763 | ||
d84f4f99 DH |
764 | new = prepare_creds(); |
765 | if (!new) | |
766 | return -ENOMEM; | |
767 | old = current_cred(); | |
1da177e4 LT |
768 | |
769 | /* if no name is provided, install an anonymous keyring */ | |
770 | if (!name) { | |
d84f4f99 | 771 | ret = install_session_keyring_to_cred(new, NULL); |
1da177e4 LT |
772 | if (ret < 0) |
773 | goto error; | |
774 | ||
3a50597d | 775 | serial = new->session_keyring->serial; |
d84f4f99 DH |
776 | ret = commit_creds(new); |
777 | if (ret == 0) | |
778 | ret = serial; | |
779 | goto okay; | |
1da177e4 LT |
780 | } |
781 | ||
782 | /* allow the user to join or create a named keyring */ | |
bb003079 | 783 | mutex_lock(&key_session_mutex); |
1da177e4 LT |
784 | |
785 | /* look for an existing keyring of this name */ | |
69664cf1 | 786 | keyring = find_keyring_by_name(name, false); |
1da177e4 LT |
787 | if (PTR_ERR(keyring) == -ENOKEY) { |
788 | /* not found - try and create a new one */ | |
96b5c8fe DH |
789 | keyring = keyring_alloc( |
790 | name, old->uid, old->gid, old, | |
791 | KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK, | |
5ac7eace | 792 | KEY_ALLOC_IN_QUOTA, NULL, NULL); |
1da177e4 LT |
793 | if (IS_ERR(keyring)) { |
794 | ret = PTR_ERR(keyring); | |
bcf945d3 | 795 | goto error2; |
1da177e4 | 796 | } |
d84f4f99 | 797 | } else if (IS_ERR(keyring)) { |
1da177e4 LT |
798 | ret = PTR_ERR(keyring); |
799 | goto error2; | |
3a50597d | 800 | } else if (keyring == new->session_keyring) { |
23567fd0 | 801 | key_put(keyring); |
3a50597d DH |
802 | ret = 0; |
803 | goto error2; | |
1da177e4 LT |
804 | } |
805 | ||
806 | /* we've got a keyring - now to install it */ | |
d84f4f99 | 807 | ret = install_session_keyring_to_cred(new, keyring); |
1da177e4 LT |
808 | if (ret < 0) |
809 | goto error2; | |
810 | ||
d84f4f99 DH |
811 | commit_creds(new); |
812 | mutex_unlock(&key_session_mutex); | |
813 | ||
1da177e4 LT |
814 | ret = keyring->serial; |
815 | key_put(keyring); | |
d84f4f99 DH |
816 | okay: |
817 | return ret; | |
1da177e4 | 818 | |
664cceb0 | 819 | error2: |
bb003079 | 820 | mutex_unlock(&key_session_mutex); |
664cceb0 | 821 | error: |
d84f4f99 | 822 | abort_creds(new); |
1da177e4 | 823 | return ret; |
d84f4f99 | 824 | } |
ee18d64c DH |
825 | |
826 | /* | |
973c9f4f DH |
827 | * Replace a process's session keyring on behalf of one of its children when |
828 | * the target process is about to resume userspace execution. | |
ee18d64c | 829 | */ |
67d12145 | 830 | void key_change_session_keyring(struct callback_head *twork) |
ee18d64c | 831 | { |
413cd3d9 | 832 | const struct cred *old = current_cred(); |
67d12145 | 833 | struct cred *new = container_of(twork, struct cred, rcu); |
ee18d64c | 834 | |
413cd3d9 ON |
835 | if (unlikely(current->flags & PF_EXITING)) { |
836 | put_cred(new); | |
ee18d64c | 837 | return; |
413cd3d9 | 838 | } |
ee18d64c | 839 | |
ee18d64c DH |
840 | new-> uid = old-> uid; |
841 | new-> euid = old-> euid; | |
842 | new-> suid = old-> suid; | |
843 | new->fsuid = old->fsuid; | |
844 | new-> gid = old-> gid; | |
845 | new-> egid = old-> egid; | |
846 | new-> sgid = old-> sgid; | |
847 | new->fsgid = old->fsgid; | |
848 | new->user = get_uid(old->user); | |
ba0e3427 | 849 | new->user_ns = get_user_ns(old->user_ns); |
ee18d64c DH |
850 | new->group_info = get_group_info(old->group_info); |
851 | ||
852 | new->securebits = old->securebits; | |
853 | new->cap_inheritable = old->cap_inheritable; | |
854 | new->cap_permitted = old->cap_permitted; | |
855 | new->cap_effective = old->cap_effective; | |
58319057 | 856 | new->cap_ambient = old->cap_ambient; |
ee18d64c DH |
857 | new->cap_bset = old->cap_bset; |
858 | ||
859 | new->jit_keyring = old->jit_keyring; | |
860 | new->thread_keyring = key_get(old->thread_keyring); | |
3a50597d | 861 | new->process_keyring = key_get(old->process_keyring); |
ee18d64c DH |
862 | |
863 | security_transfer_creds(new, old); | |
864 | ||
865 | commit_creds(new); | |
866 | } | |
c124bde2 MZ |
867 | |
868 | /* | |
869 | * Make sure that root's user and user-session keyrings exist. | |
870 | */ | |
871 | static int __init init_root_keyring(void) | |
872 | { | |
873 | return install_user_keyrings(); | |
874 | } | |
875 | ||
876 | late_initcall(init_root_keyring); |