Commit | Line | Data |
---|---|---|
973c9f4f | 1 | /* Manage a process's keyrings |
1da177e4 | 2 | * |
69664cf1 | 3 | * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. |
1da177e4 LT |
4 | * Written by David Howells (dhowells@redhat.com) |
5 | * | |
6 | * This program is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU General Public License | |
8 | * as published by the Free Software Foundation; either version | |
9 | * 2 of the License, or (at your option) any later version. | |
10 | */ | |
11 | ||
1da177e4 LT |
12 | #include <linux/init.h> |
13 | #include <linux/sched.h> | |
8703e8a4 | 14 | #include <linux/sched/user.h> |
1da177e4 LT |
15 | #include <linux/keyctl.h> |
16 | #include <linux/fs.h> | |
17 | #include <linux/err.h> | |
bb003079 | 18 | #include <linux/mutex.h> |
ee18d64c | 19 | #include <linux/security.h> |
1d1e9756 | 20 | #include <linux/user_namespace.h> |
7c0f6ba6 | 21 | #include <linux/uaccess.h> |
822ad64d | 22 | #include <keys/request_key_auth-type.h> |
1da177e4 LT |
23 | #include "internal.h" |
24 | ||
973c9f4f | 25 | /* Session keyring create vs join semaphore */ |
bb003079 | 26 | static DEFINE_MUTEX(key_session_mutex); |
1da177e4 | 27 | |
973c9f4f | 28 | /* User keyring creation semaphore */ |
69664cf1 DH |
29 | static DEFINE_MUTEX(key_user_keyring_mutex); |
30 | ||
973c9f4f | 31 | /* The root user's tracking struct */ |
1da177e4 | 32 | struct key_user root_key_user = { |
ddb99e11 | 33 | .usage = REFCOUNT_INIT(3), |
76181c13 | 34 | .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock), |
6cfd76a2 | 35 | .lock = __SPIN_LOCK_UNLOCKED(root_key_user.lock), |
1da177e4 LT |
36 | .nkeys = ATOMIC_INIT(2), |
37 | .nikeys = ATOMIC_INIT(2), | |
9a56c2db | 38 | .uid = GLOBAL_ROOT_UID, |
1da177e4 LT |
39 | }; |
40 | ||
1da177e4 | 41 | /* |
973c9f4f | 42 | * Install the user and user session keyrings for the current process's UID. |
1da177e4 | 43 | */ |
8bbf4976 | 44 | int install_user_keyrings(void) |
1da177e4 | 45 | { |
d84f4f99 DH |
46 | struct user_struct *user; |
47 | const struct cred *cred; | |
1da177e4 | 48 | struct key *uid_keyring, *session_keyring; |
96b5c8fe | 49 | key_perm_t user_keyring_perm; |
1da177e4 LT |
50 | char buf[20]; |
51 | int ret; | |
9a56c2db | 52 | uid_t uid; |
1da177e4 | 53 | |
96b5c8fe | 54 | user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL; |
d84f4f99 DH |
55 | cred = current_cred(); |
56 | user = cred->user; | |
9a56c2db | 57 | uid = from_kuid(cred->user_ns, user->uid); |
d84f4f99 | 58 | |
9a56c2db | 59 | kenter("%p{%u}", user, uid); |
1da177e4 | 60 | |
0b9dc6c9 | 61 | if (READ_ONCE(user->uid_keyring) && READ_ONCE(user->session_keyring)) { |
69664cf1 DH |
62 | kleave(" = 0 [exist]"); |
63 | return 0; | |
1da177e4 LT |
64 | } |
65 | ||
69664cf1 DH |
66 | mutex_lock(&key_user_keyring_mutex); |
67 | ret = 0; | |
1da177e4 | 68 | |
69664cf1 DH |
69 | if (!user->uid_keyring) { |
70 | /* get the UID-specific keyring | |
71 | * - there may be one in existence already as it may have been | |
72 | * pinned by a session, but the user_struct pointing to it | |
73 | * may have been destroyed by setuid */ | |
9a56c2db | 74 | sprintf(buf, "_uid.%u", uid); |
69664cf1 DH |
75 | |
76 | uid_keyring = find_keyring_by_name(buf, true); | |
77 | if (IS_ERR(uid_keyring)) { | |
9a56c2db | 78 | uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID, |
96b5c8fe | 79 | cred, user_keyring_perm, |
237bbd29 EB |
80 | KEY_ALLOC_UID_KEYRING | |
81 | KEY_ALLOC_IN_QUOTA, | |
5ac7eace | 82 | NULL, NULL); |
69664cf1 DH |
83 | if (IS_ERR(uid_keyring)) { |
84 | ret = PTR_ERR(uid_keyring); | |
85 | goto error; | |
86 | } | |
87 | } | |
88 | ||
89 | /* get a default session keyring (which might also exist | |
90 | * already) */ | |
9a56c2db | 91 | sprintf(buf, "_uid_ses.%u", uid); |
69664cf1 DH |
92 | |
93 | session_keyring = find_keyring_by_name(buf, true); | |
94 | if (IS_ERR(session_keyring)) { | |
95 | session_keyring = | |
9a56c2db | 96 | keyring_alloc(buf, user->uid, INVALID_GID, |
96b5c8fe | 97 | cred, user_keyring_perm, |
237bbd29 EB |
98 | KEY_ALLOC_UID_KEYRING | |
99 | KEY_ALLOC_IN_QUOTA, | |
5ac7eace | 100 | NULL, NULL); |
69664cf1 DH |
101 | if (IS_ERR(session_keyring)) { |
102 | ret = PTR_ERR(session_keyring); | |
103 | goto error_release; | |
104 | } | |
105 | ||
106 | /* we install a link from the user session keyring to | |
107 | * the user keyring */ | |
108 | ret = key_link(session_keyring, uid_keyring); | |
109 | if (ret < 0) | |
110 | goto error_release_both; | |
111 | } | |
112 | ||
113 | /* install the keyrings */ | |
0b9dc6c9 JH |
114 | /* paired with READ_ONCE() */ |
115 | smp_store_release(&user->uid_keyring, uid_keyring); | |
116 | /* paired with READ_ONCE() */ | |
117 | smp_store_release(&user->session_keyring, session_keyring); | |
1da177e4 LT |
118 | } |
119 | ||
69664cf1 DH |
120 | mutex_unlock(&key_user_keyring_mutex); |
121 | kleave(" = 0"); | |
122 | return 0; | |
1da177e4 | 123 | |
69664cf1 DH |
124 | error_release_both: |
125 | key_put(session_keyring); | |
126 | error_release: | |
127 | key_put(uid_keyring); | |
664cceb0 | 128 | error: |
69664cf1 DH |
129 | mutex_unlock(&key_user_keyring_mutex); |
130 | kleave(" = %d", ret); | |
1da177e4 | 131 | return ret; |
69664cf1 | 132 | } |
1da177e4 | 133 | |
1da177e4 | 134 | /* |
c9f838d1 EB |
135 | * Install a thread keyring to the given credentials struct if it didn't have |
136 | * one already. This is allowed to overrun the quota. | |
137 | * | |
138 | * Return: 0 if a thread keyring is now present; -errno on failure. | |
1da177e4 | 139 | */ |
d84f4f99 | 140 | int install_thread_keyring_to_cred(struct cred *new) |
1da177e4 | 141 | { |
d84f4f99 | 142 | struct key *keyring; |
1da177e4 | 143 | |
c9f838d1 EB |
144 | if (new->thread_keyring) |
145 | return 0; | |
146 | ||
d84f4f99 | 147 | keyring = keyring_alloc("_tid", new->uid, new->gid, new, |
96b5c8fe | 148 | KEY_POS_ALL | KEY_USR_VIEW, |
5ac7eace DH |
149 | KEY_ALLOC_QUOTA_OVERRUN, |
150 | NULL, NULL); | |
d84f4f99 DH |
151 | if (IS_ERR(keyring)) |
152 | return PTR_ERR(keyring); | |
1da177e4 | 153 | |
d84f4f99 DH |
154 | new->thread_keyring = keyring; |
155 | return 0; | |
156 | } | |
1da177e4 | 157 | |
1da177e4 | 158 | /* |
c9f838d1 EB |
159 | * Install a thread keyring to the current task if it didn't have one already. |
160 | * | |
161 | * Return: 0 if a thread keyring is now present; -errno on failure. | |
1da177e4 | 162 | */ |
d84f4f99 | 163 | static int install_thread_keyring(void) |
1da177e4 | 164 | { |
d84f4f99 | 165 | struct cred *new; |
1da177e4 LT |
166 | int ret; |
167 | ||
d84f4f99 DH |
168 | new = prepare_creds(); |
169 | if (!new) | |
170 | return -ENOMEM; | |
1da177e4 | 171 | |
d84f4f99 DH |
172 | ret = install_thread_keyring_to_cred(new); |
173 | if (ret < 0) { | |
174 | abort_creds(new); | |
175 | return ret; | |
1da177e4 LT |
176 | } |
177 | ||
d84f4f99 DH |
178 | return commit_creds(new); |
179 | } | |
1da177e4 | 180 | |
d84f4f99 | 181 | /* |
c9f838d1 EB |
182 | * Install a process keyring to the given credentials struct if it didn't have |
183 | * one already. This is allowed to overrun the quota. | |
973c9f4f | 184 | * |
c9f838d1 | 185 | * Return: 0 if a process keyring is now present; -errno on failure. |
d84f4f99 DH |
186 | */ |
187 | int install_process_keyring_to_cred(struct cred *new) | |
188 | { | |
189 | struct key *keyring; | |
1da177e4 | 190 | |
3a50597d | 191 | if (new->process_keyring) |
c9f838d1 | 192 | return 0; |
d84f4f99 | 193 | |
96b5c8fe DH |
194 | keyring = keyring_alloc("_pid", new->uid, new->gid, new, |
195 | KEY_POS_ALL | KEY_USR_VIEW, | |
5ac7eace DH |
196 | KEY_ALLOC_QUOTA_OVERRUN, |
197 | NULL, NULL); | |
d84f4f99 DH |
198 | if (IS_ERR(keyring)) |
199 | return PTR_ERR(keyring); | |
200 | ||
3a50597d DH |
201 | new->process_keyring = keyring; |
202 | return 0; | |
d84f4f99 | 203 | } |
1da177e4 | 204 | |
1da177e4 | 205 | /* |
c9f838d1 | 206 | * Install a process keyring to the current task if it didn't have one already. |
973c9f4f | 207 | * |
c9f838d1 | 208 | * Return: 0 if a process keyring is now present; -errno on failure. |
1da177e4 | 209 | */ |
d84f4f99 | 210 | static int install_process_keyring(void) |
1da177e4 | 211 | { |
d84f4f99 | 212 | struct cred *new; |
1da177e4 LT |
213 | int ret; |
214 | ||
d84f4f99 DH |
215 | new = prepare_creds(); |
216 | if (!new) | |
217 | return -ENOMEM; | |
1da177e4 | 218 | |
d84f4f99 DH |
219 | ret = install_process_keyring_to_cred(new); |
220 | if (ret < 0) { | |
221 | abort_creds(new); | |
c9f838d1 | 222 | return ret; |
1da177e4 LT |
223 | } |
224 | ||
d84f4f99 DH |
225 | return commit_creds(new); |
226 | } | |
1da177e4 | 227 | |
1da177e4 | 228 | /* |
c9f838d1 EB |
229 | * Install the given keyring as the session keyring of the given credentials |
230 | * struct, replacing the existing one if any. If the given keyring is NULL, | |
231 | * then install a new anonymous session keyring. | |
5c7e372c | 232 | * @cred can not be in use by any task yet. |
c9f838d1 EB |
233 | * |
234 | * Return: 0 on success; -errno on failure. | |
1da177e4 | 235 | */ |
685bfd2c | 236 | int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) |
1da177e4 | 237 | { |
7e047ef5 | 238 | unsigned long flags; |
1da177e4 | 239 | struct key *old; |
1a26feb9 DH |
240 | |
241 | might_sleep(); | |
1da177e4 LT |
242 | |
243 | /* create an empty session keyring */ | |
244 | if (!keyring) { | |
7e047ef5 | 245 | flags = KEY_ALLOC_QUOTA_OVERRUN; |
3a50597d | 246 | if (cred->session_keyring) |
7e047ef5 DH |
247 | flags = KEY_ALLOC_IN_QUOTA; |
248 | ||
96b5c8fe DH |
249 | keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred, |
250 | KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ, | |
5ac7eace | 251 | flags, NULL, NULL); |
1a26feb9 DH |
252 | if (IS_ERR(keyring)) |
253 | return PTR_ERR(keyring); | |
d84f4f99 | 254 | } else { |
ccc3e6d9 | 255 | __key_get(keyring); |
1da177e4 LT |
256 | } |
257 | ||
258 | /* install the keyring */ | |
3a50597d | 259 | old = cred->session_keyring; |
5c7e372c | 260 | cred->session_keyring = keyring; |
3a50597d DH |
261 | |
262 | if (old) | |
1a26feb9 | 263 | key_put(old); |
1da177e4 | 264 | |
1a26feb9 | 265 | return 0; |
d84f4f99 | 266 | } |
1da177e4 | 267 | |
1da177e4 | 268 | /* |
c9f838d1 EB |
269 | * Install the given keyring as the session keyring of the current task, |
270 | * replacing the existing one if any. If the given keyring is NULL, then | |
271 | * install a new anonymous session keyring. | |
272 | * | |
273 | * Return: 0 on success; -errno on failure. | |
1da177e4 | 274 | */ |
d84f4f99 | 275 | static int install_session_keyring(struct key *keyring) |
1da177e4 | 276 | { |
d84f4f99 DH |
277 | struct cred *new; |
278 | int ret; | |
1da177e4 | 279 | |
d84f4f99 DH |
280 | new = prepare_creds(); |
281 | if (!new) | |
282 | return -ENOMEM; | |
1da177e4 | 283 | |
99599537 | 284 | ret = install_session_keyring_to_cred(new, keyring); |
d84f4f99 DH |
285 | if (ret < 0) { |
286 | abort_creds(new); | |
287 | return ret; | |
288 | } | |
1da177e4 | 289 | |
d84f4f99 DH |
290 | return commit_creds(new); |
291 | } | |
1da177e4 | 292 | |
1da177e4 | 293 | /* |
973c9f4f | 294 | * Handle the fsuid changing. |
1da177e4 | 295 | */ |
2e21865f | 296 | void key_fsuid_changed(struct cred *new_cred) |
1da177e4 LT |
297 | { |
298 | /* update the ownership of the thread keyring */ | |
2e21865f DH |
299 | if (new_cred->thread_keyring) { |
300 | down_write(&new_cred->thread_keyring->sem); | |
301 | new_cred->thread_keyring->uid = new_cred->fsuid; | |
302 | up_write(&new_cred->thread_keyring->sem); | |
1da177e4 | 303 | } |
a8b17ed0 | 304 | } |
1da177e4 | 305 | |
1da177e4 | 306 | /* |
973c9f4f | 307 | * Handle the fsgid changing. |
1da177e4 | 308 | */ |
2e21865f | 309 | void key_fsgid_changed(struct cred *new_cred) |
1da177e4 LT |
310 | { |
311 | /* update the ownership of the thread keyring */ | |
2e21865f DH |
312 | if (new_cred->thread_keyring) { |
313 | down_write(&new_cred->thread_keyring->sem); | |
314 | new_cred->thread_keyring->gid = new_cred->fsgid; | |
315 | up_write(&new_cred->thread_keyring->sem); | |
1da177e4 | 316 | } |
a8b17ed0 | 317 | } |
1da177e4 | 318 | |
1da177e4 | 319 | /* |
973c9f4f DH |
320 | * Search the process keyrings attached to the supplied cred for the first |
321 | * matching key. | |
322 | * | |
323 | * The search criteria are the type and the match function. The description is | |
324 | * given to the match function as a parameter, but doesn't otherwise influence | |
325 | * the search. Typically the match function will compare the description | |
326 | * parameter to the key's description. | |
327 | * | |
328 | * This can only search keyrings that grant Search permission to the supplied | |
329 | * credentials. Keyrings linked to searched keyrings will also be searched if | |
330 | * they grant Search permission too. Keys can only be found if they grant | |
331 | * Search permission to the credentials. | |
332 | * | |
333 | * Returns a pointer to the key with the key usage count incremented if | |
334 | * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only | |
335 | * matched negative keys. | |
336 | * | |
337 | * In the case of a successful return, the possession attribute is set on the | |
338 | * returned key reference. | |
1da177e4 | 339 | */ |
4bdf0bc3 | 340 | key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx) |
1da177e4 | 341 | { |
b5f545c8 | 342 | key_ref_t key_ref, ret, err; |
0b9dc6c9 | 343 | const struct cred *cred = ctx->cred; |
1da177e4 LT |
344 | |
345 | /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were | |
346 | * searchable, but we failed to find a key or we found a negative key; | |
347 | * otherwise we want to return a sample error (probably -EACCES) if | |
348 | * none of the keyrings were searchable | |
349 | * | |
350 | * in terms of priority: success > -ENOKEY > -EAGAIN > other error | |
351 | */ | |
664cceb0 | 352 | key_ref = NULL; |
1da177e4 LT |
353 | ret = NULL; |
354 | err = ERR_PTR(-EAGAIN); | |
355 | ||
356 | /* search the thread keyring first */ | |
0b9dc6c9 | 357 | if (cred->thread_keyring) { |
664cceb0 | 358 | key_ref = keyring_search_aux( |
0b9dc6c9 | 359 | make_key_ref(cred->thread_keyring, 1), ctx); |
664cceb0 | 360 | if (!IS_ERR(key_ref)) |
1da177e4 LT |
361 | goto found; |
362 | ||
664cceb0 | 363 | switch (PTR_ERR(key_ref)) { |
1da177e4 | 364 | case -EAGAIN: /* no key */ |
1da177e4 | 365 | case -ENOKEY: /* negative key */ |
664cceb0 | 366 | ret = key_ref; |
1da177e4 LT |
367 | break; |
368 | default: | |
664cceb0 | 369 | err = key_ref; |
1da177e4 LT |
370 | break; |
371 | } | |
372 | } | |
373 | ||
374 | /* search the process keyring second */ | |
0b9dc6c9 | 375 | if (cred->process_keyring) { |
664cceb0 | 376 | key_ref = keyring_search_aux( |
0b9dc6c9 | 377 | make_key_ref(cred->process_keyring, 1), ctx); |
664cceb0 | 378 | if (!IS_ERR(key_ref)) |
1da177e4 LT |
379 | goto found; |
380 | ||
664cceb0 | 381 | switch (PTR_ERR(key_ref)) { |
1da177e4 | 382 | case -EAGAIN: /* no key */ |
fe9453a1 DH |
383 | if (ret) |
384 | break; | |
0f949bcc | 385 | /* fall through */ |
1da177e4 | 386 | case -ENOKEY: /* negative key */ |
664cceb0 | 387 | ret = key_ref; |
1da177e4 LT |
388 | break; |
389 | default: | |
664cceb0 | 390 | err = key_ref; |
1da177e4 LT |
391 | break; |
392 | } | |
393 | } | |
394 | ||
3e30148c | 395 | /* search the session keyring */ |
0b9dc6c9 | 396 | if (cred->session_keyring) { |
664cceb0 | 397 | key_ref = keyring_search_aux( |
0b9dc6c9 | 398 | make_key_ref(cred->session_keyring, 1), ctx); |
3e30148c | 399 | |
664cceb0 | 400 | if (!IS_ERR(key_ref)) |
3e30148c DH |
401 | goto found; |
402 | ||
664cceb0 | 403 | switch (PTR_ERR(key_ref)) { |
3e30148c DH |
404 | case -EAGAIN: /* no key */ |
405 | if (ret) | |
406 | break; | |
0f949bcc | 407 | /* fall through */ |
3e30148c | 408 | case -ENOKEY: /* negative key */ |
664cceb0 | 409 | ret = key_ref; |
3e30148c DH |
410 | break; |
411 | default: | |
664cceb0 | 412 | err = key_ref; |
3e30148c DH |
413 | break; |
414 | } | |
b5f545c8 DH |
415 | } |
416 | /* or search the user-session keyring */ | |
0b9dc6c9 | 417 | else if (READ_ONCE(cred->user->session_keyring)) { |
b5f545c8 | 418 | key_ref = keyring_search_aux( |
0b9dc6c9 | 419 | make_key_ref(READ_ONCE(cred->user->session_keyring), 1), |
4bdf0bc3 | 420 | ctx); |
664cceb0 | 421 | if (!IS_ERR(key_ref)) |
3e30148c DH |
422 | goto found; |
423 | ||
664cceb0 | 424 | switch (PTR_ERR(key_ref)) { |
3e30148c DH |
425 | case -EAGAIN: /* no key */ |
426 | if (ret) | |
427 | break; | |
0f949bcc | 428 | /* fall through */ |
3e30148c | 429 | case -ENOKEY: /* negative key */ |
664cceb0 | 430 | ret = key_ref; |
3e30148c DH |
431 | break; |
432 | default: | |
664cceb0 | 433 | err = key_ref; |
3e30148c DH |
434 | break; |
435 | } | |
8589b4e0 | 436 | } |
b5f545c8 | 437 | |
927942aa DH |
438 | /* no key - decide on the error we're going to go for */ |
439 | key_ref = ret ? ret : err; | |
440 | ||
441 | found: | |
442 | return key_ref; | |
443 | } | |
444 | ||
927942aa | 445 | /* |
973c9f4f DH |
446 | * Search the process keyrings attached to the supplied cred for the first |
447 | * matching key in the manner of search_my_process_keyrings(), but also search | |
448 | * the keys attached to the assumed authorisation key using its credentials if | |
449 | * one is available. | |
450 | * | |
451 | * Return same as search_my_process_keyrings(). | |
927942aa | 452 | */ |
4bdf0bc3 | 453 | key_ref_t search_process_keyrings(struct keyring_search_context *ctx) |
927942aa DH |
454 | { |
455 | struct request_key_auth *rka; | |
456 | key_ref_t key_ref, ret = ERR_PTR(-EACCES), err; | |
457 | ||
458 | might_sleep(); | |
459 | ||
4bdf0bc3 | 460 | key_ref = search_my_process_keyrings(ctx); |
927942aa DH |
461 | if (!IS_ERR(key_ref)) |
462 | goto found; | |
463 | err = key_ref; | |
464 | ||
b5f545c8 DH |
465 | /* if this process has an instantiation authorisation key, then we also |
466 | * search the keyrings of the process mentioned there | |
467 | * - we don't permit access to request_key auth keys via this method | |
468 | */ | |
4bdf0bc3 DH |
469 | if (ctx->cred->request_key_auth && |
470 | ctx->cred == current_cred() && | |
471 | ctx->index_key.type != &key_type_request_key_auth | |
b5f545c8 | 472 | ) { |
4bdf0bc3 DH |
473 | const struct cred *cred = ctx->cred; |
474 | ||
04c567d9 | 475 | /* defend against the auth key being revoked */ |
c69e8d9c | 476 | down_read(&cred->request_key_auth->sem); |
b5f545c8 | 477 | |
4bdf0bc3 | 478 | if (key_validate(ctx->cred->request_key_auth) == 0) { |
146aa8b1 | 479 | rka = ctx->cred->request_key_auth->payload.data[0]; |
b5f545c8 | 480 | |
4bdf0bc3 DH |
481 | ctx->cred = rka->cred; |
482 | key_ref = search_process_keyrings(ctx); | |
483 | ctx->cred = cred; | |
1da177e4 | 484 | |
c69e8d9c | 485 | up_read(&cred->request_key_auth->sem); |
04c567d9 DH |
486 | |
487 | if (!IS_ERR(key_ref)) | |
488 | goto found; | |
489 | ||
927942aa | 490 | ret = key_ref; |
04c567d9 | 491 | } else { |
c69e8d9c | 492 | up_read(&cred->request_key_auth->sem); |
3e30148c | 493 | } |
1da177e4 LT |
494 | } |
495 | ||
496 | /* no key - decide on the error we're going to go for */ | |
927942aa DH |
497 | if (err == ERR_PTR(-ENOKEY) || ret == ERR_PTR(-ENOKEY)) |
498 | key_ref = ERR_PTR(-ENOKEY); | |
499 | else if (err == ERR_PTR(-EACCES)) | |
500 | key_ref = ret; | |
501 | else | |
502 | key_ref = err; | |
1da177e4 | 503 | |
3e30148c | 504 | found: |
664cceb0 | 505 | return key_ref; |
a8b17ed0 | 506 | } |
1da177e4 | 507 | |
664cceb0 | 508 | /* |
973c9f4f | 509 | * See if the key we're looking at is the target key. |
664cceb0 | 510 | */ |
0c903ab6 DH |
511 | bool lookup_user_key_possessed(const struct key *key, |
512 | const struct key_match_data *match_data) | |
664cceb0 | 513 | { |
46291959 | 514 | return key == match_data->raw_data; |
a8b17ed0 | 515 | } |
664cceb0 | 516 | |
1da177e4 | 517 | /* |
973c9f4f DH |
518 | * Look up a key ID given us by userspace with a given permissions mask to get |
519 | * the key it refers to. | |
520 | * | |
521 | * Flags can be passed to request that special keyrings be created if referred | |
522 | * to directly, to permit partially constructed keys to be found and to skip | |
523 | * validity and permission checks on the found key. | |
524 | * | |
525 | * Returns a pointer to the key with an incremented usage count if successful; | |
526 | * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond | |
527 | * to a key or the best found key was a negative key; -EKEYREVOKED or | |
528 | * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the | |
529 | * found key doesn't grant the requested permit or the LSM denied access to it; | |
530 | * or -ENOMEM if a special keyring couldn't be created. | |
531 | * | |
532 | * In the case of a successful return, the possession attribute is set on the | |
533 | * returned key reference. | |
1da177e4 | 534 | */ |
5593122e | 535 | key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, |
8bbf4976 | 536 | key_perm_t perm) |
1da177e4 | 537 | { |
4bdf0bc3 | 538 | struct keyring_search_context ctx = { |
46291959 DH |
539 | .match_data.cmp = lookup_user_key_possessed, |
540 | .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, | |
541 | .flags = KEYRING_SEARCH_NO_STATE_CHECK, | |
4bdf0bc3 | 542 | }; |
8bbf4976 | 543 | struct request_key_auth *rka; |
1da177e4 | 544 | struct key *key; |
b6dff3ec | 545 | key_ref_t key_ref, skey_ref; |
1da177e4 LT |
546 | int ret; |
547 | ||
bb952bb9 | 548 | try_again: |
4bdf0bc3 | 549 | ctx.cred = get_current_cred(); |
664cceb0 | 550 | key_ref = ERR_PTR(-ENOKEY); |
1da177e4 LT |
551 | |
552 | switch (id) { | |
553 | case KEY_SPEC_THREAD_KEYRING: | |
4bdf0bc3 | 554 | if (!ctx.cred->thread_keyring) { |
5593122e | 555 | if (!(lflags & KEY_LOOKUP_CREATE)) |
1da177e4 LT |
556 | goto error; |
557 | ||
8bbf4976 | 558 | ret = install_thread_keyring(); |
1da177e4 | 559 | if (ret < 0) { |
4d09ec0f | 560 | key_ref = ERR_PTR(ret); |
1da177e4 LT |
561 | goto error; |
562 | } | |
bb952bb9 | 563 | goto reget_creds; |
1da177e4 LT |
564 | } |
565 | ||
4bdf0bc3 | 566 | key = ctx.cred->thread_keyring; |
ccc3e6d9 | 567 | __key_get(key); |
664cceb0 | 568 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
569 | break; |
570 | ||
571 | case KEY_SPEC_PROCESS_KEYRING: | |
4bdf0bc3 | 572 | if (!ctx.cred->process_keyring) { |
5593122e | 573 | if (!(lflags & KEY_LOOKUP_CREATE)) |
1da177e4 LT |
574 | goto error; |
575 | ||
8bbf4976 | 576 | ret = install_process_keyring(); |
1da177e4 | 577 | if (ret < 0) { |
4d09ec0f | 578 | key_ref = ERR_PTR(ret); |
1da177e4 LT |
579 | goto error; |
580 | } | |
bb952bb9 | 581 | goto reget_creds; |
1da177e4 LT |
582 | } |
583 | ||
4bdf0bc3 | 584 | key = ctx.cred->process_keyring; |
ccc3e6d9 | 585 | __key_get(key); |
664cceb0 | 586 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
587 | break; |
588 | ||
589 | case KEY_SPEC_SESSION_KEYRING: | |
4bdf0bc3 | 590 | if (!ctx.cred->session_keyring) { |
1da177e4 LT |
591 | /* always install a session keyring upon access if one |
592 | * doesn't exist yet */ | |
8bbf4976 | 593 | ret = install_user_keyrings(); |
69664cf1 DH |
594 | if (ret < 0) |
595 | goto error; | |
3ecf1b4f DH |
596 | if (lflags & KEY_LOOKUP_CREATE) |
597 | ret = join_session_keyring(NULL); | |
598 | else | |
599 | ret = install_session_keyring( | |
4bdf0bc3 | 600 | ctx.cred->user->session_keyring); |
d84f4f99 | 601 | |
1da177e4 LT |
602 | if (ret < 0) |
603 | goto error; | |
bb952bb9 | 604 | goto reget_creds; |
4bdf0bc3 | 605 | } else if (ctx.cred->session_keyring == |
0b9dc6c9 | 606 | READ_ONCE(ctx.cred->user->session_keyring) && |
3ecf1b4f DH |
607 | lflags & KEY_LOOKUP_CREATE) { |
608 | ret = join_session_keyring(NULL); | |
609 | if (ret < 0) | |
610 | goto error; | |
611 | goto reget_creds; | |
1da177e4 LT |
612 | } |
613 | ||
5c7e372c | 614 | key = ctx.cred->session_keyring; |
ccc3e6d9 | 615 | __key_get(key); |
664cceb0 | 616 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
617 | break; |
618 | ||
619 | case KEY_SPEC_USER_KEYRING: | |
0b9dc6c9 | 620 | if (!READ_ONCE(ctx.cred->user->uid_keyring)) { |
8bbf4976 | 621 | ret = install_user_keyrings(); |
69664cf1 DH |
622 | if (ret < 0) |
623 | goto error; | |
624 | } | |
625 | ||
4bdf0bc3 | 626 | key = ctx.cred->user->uid_keyring; |
ccc3e6d9 | 627 | __key_get(key); |
664cceb0 | 628 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
629 | break; |
630 | ||
631 | case KEY_SPEC_USER_SESSION_KEYRING: | |
0b9dc6c9 | 632 | if (!READ_ONCE(ctx.cred->user->session_keyring)) { |
8bbf4976 | 633 | ret = install_user_keyrings(); |
69664cf1 DH |
634 | if (ret < 0) |
635 | goto error; | |
636 | } | |
637 | ||
4bdf0bc3 | 638 | key = ctx.cred->user->session_keyring; |
ccc3e6d9 | 639 | __key_get(key); |
664cceb0 | 640 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
641 | break; |
642 | ||
643 | case KEY_SPEC_GROUP_KEYRING: | |
644 | /* group keyrings are not yet supported */ | |
4d09ec0f | 645 | key_ref = ERR_PTR(-EINVAL); |
1da177e4 LT |
646 | goto error; |
647 | ||
b5f545c8 | 648 | case KEY_SPEC_REQKEY_AUTH_KEY: |
4bdf0bc3 | 649 | key = ctx.cred->request_key_auth; |
b5f545c8 DH |
650 | if (!key) |
651 | goto error; | |
652 | ||
ccc3e6d9 | 653 | __key_get(key); |
b5f545c8 DH |
654 | key_ref = make_key_ref(key, 1); |
655 | break; | |
656 | ||
8bbf4976 | 657 | case KEY_SPEC_REQUESTOR_KEYRING: |
4bdf0bc3 | 658 | if (!ctx.cred->request_key_auth) |
8bbf4976 DH |
659 | goto error; |
660 | ||
4bdf0bc3 | 661 | down_read(&ctx.cred->request_key_auth->sem); |
f67dabbd | 662 | if (test_bit(KEY_FLAG_REVOKED, |
4bdf0bc3 | 663 | &ctx.cred->request_key_auth->flags)) { |
8bbf4976 DH |
664 | key_ref = ERR_PTR(-EKEYREVOKED); |
665 | key = NULL; | |
666 | } else { | |
146aa8b1 | 667 | rka = ctx.cred->request_key_auth->payload.data[0]; |
8bbf4976 | 668 | key = rka->dest_keyring; |
ccc3e6d9 | 669 | __key_get(key); |
8bbf4976 | 670 | } |
4bdf0bc3 | 671 | up_read(&ctx.cred->request_key_auth->sem); |
8bbf4976 DH |
672 | if (!key) |
673 | goto error; | |
674 | key_ref = make_key_ref(key, 1); | |
675 | break; | |
676 | ||
1da177e4 | 677 | default: |
664cceb0 | 678 | key_ref = ERR_PTR(-EINVAL); |
1da177e4 LT |
679 | if (id < 1) |
680 | goto error; | |
681 | ||
682 | key = key_lookup(id); | |
664cceb0 | 683 | if (IS_ERR(key)) { |
e231c2ee | 684 | key_ref = ERR_CAST(key); |
1da177e4 | 685 | goto error; |
664cceb0 DH |
686 | } |
687 | ||
688 | key_ref = make_key_ref(key, 0); | |
689 | ||
690 | /* check to see if we possess the key */ | |
4bdf0bc3 DH |
691 | ctx.index_key.type = key->type; |
692 | ctx.index_key.description = key->description; | |
693 | ctx.index_key.desc_len = strlen(key->description); | |
46291959 | 694 | ctx.match_data.raw_data = key; |
4bdf0bc3 DH |
695 | kdebug("check possessed"); |
696 | skey_ref = search_process_keyrings(&ctx); | |
697 | kdebug("possessed=%p", skey_ref); | |
664cceb0 DH |
698 | |
699 | if (!IS_ERR(skey_ref)) { | |
700 | key_put(key); | |
701 | key_ref = skey_ref; | |
702 | } | |
703 | ||
1da177e4 LT |
704 | break; |
705 | } | |
706 | ||
5593122e DH |
707 | /* unlink does not use the nominated key in any way, so can skip all |
708 | * the permission checks as it is only concerned with the keyring */ | |
709 | if (lflags & KEY_LOOKUP_FOR_UNLINK) { | |
710 | ret = 0; | |
711 | goto error; | |
712 | } | |
713 | ||
714 | if (!(lflags & KEY_LOOKUP_PARTIAL)) { | |
76181c13 DH |
715 | ret = wait_for_key_construction(key, true); |
716 | switch (ret) { | |
717 | case -ERESTARTSYS: | |
718 | goto invalid_key; | |
719 | default: | |
720 | if (perm) | |
721 | goto invalid_key; | |
722 | case 0: | |
723 | break; | |
724 | } | |
725 | } else if (perm) { | |
1da177e4 LT |
726 | ret = key_validate(key); |
727 | if (ret < 0) | |
728 | goto invalid_key; | |
729 | } | |
730 | ||
731 | ret = -EIO; | |
5593122e | 732 | if (!(lflags & KEY_LOOKUP_PARTIAL) && |
363b02da | 733 | key_read_state(key) == KEY_IS_UNINSTANTIATED) |
1da177e4 LT |
734 | goto invalid_key; |
735 | ||
3e30148c | 736 | /* check the permissions */ |
4bdf0bc3 | 737 | ret = key_task_permission(key_ref, ctx.cred, perm); |
29db9190 | 738 | if (ret < 0) |
1da177e4 LT |
739 | goto invalid_key; |
740 | ||
074d5898 | 741 | key->last_used_at = ktime_get_real_seconds(); |
31d5a79d | 742 | |
664cceb0 | 743 | error: |
4bdf0bc3 | 744 | put_cred(ctx.cred); |
664cceb0 | 745 | return key_ref; |
1da177e4 | 746 | |
664cceb0 DH |
747 | invalid_key: |
748 | key_ref_put(key_ref); | |
749 | key_ref = ERR_PTR(ret); | |
1da177e4 LT |
750 | goto error; |
751 | ||
bb952bb9 DH |
752 | /* if we attempted to install a keyring, then it may have caused new |
753 | * creds to be installed */ | |
754 | reget_creds: | |
4bdf0bc3 | 755 | put_cred(ctx.cred); |
bb952bb9 | 756 | goto try_again; |
a8b17ed0 | 757 | } |
76ef5e17 | 758 | EXPORT_SYMBOL(lookup_user_key); |
bb952bb9 | 759 | |
1da177e4 | 760 | /* |
973c9f4f DH |
761 | * Join the named keyring as the session keyring if possible else attempt to |
762 | * create a new one of that name and join that. | |
763 | * | |
764 | * If the name is NULL, an empty anonymous keyring will be installed as the | |
765 | * session keyring. | |
766 | * | |
767 | * Named session keyrings are joined with a semaphore held to prevent the | |
768 | * keyrings from going away whilst the attempt is made to going them and also | |
769 | * to prevent a race in creating compatible session keyrings. | |
1da177e4 LT |
770 | */ |
771 | long join_session_keyring(const char *name) | |
772 | { | |
d84f4f99 DH |
773 | const struct cred *old; |
774 | struct cred *new; | |
1da177e4 | 775 | struct key *keyring; |
d84f4f99 DH |
776 | long ret, serial; |
777 | ||
d84f4f99 DH |
778 | new = prepare_creds(); |
779 | if (!new) | |
780 | return -ENOMEM; | |
781 | old = current_cred(); | |
1da177e4 LT |
782 | |
783 | /* if no name is provided, install an anonymous keyring */ | |
784 | if (!name) { | |
d84f4f99 | 785 | ret = install_session_keyring_to_cred(new, NULL); |
1da177e4 LT |
786 | if (ret < 0) |
787 | goto error; | |
788 | ||
3a50597d | 789 | serial = new->session_keyring->serial; |
d84f4f99 DH |
790 | ret = commit_creds(new); |
791 | if (ret == 0) | |
792 | ret = serial; | |
793 | goto okay; | |
1da177e4 LT |
794 | } |
795 | ||
796 | /* allow the user to join or create a named keyring */ | |
bb003079 | 797 | mutex_lock(&key_session_mutex); |
1da177e4 LT |
798 | |
799 | /* look for an existing keyring of this name */ | |
69664cf1 | 800 | keyring = find_keyring_by_name(name, false); |
1da177e4 LT |
801 | if (PTR_ERR(keyring) == -ENOKEY) { |
802 | /* not found - try and create a new one */ | |
96b5c8fe DH |
803 | keyring = keyring_alloc( |
804 | name, old->uid, old->gid, old, | |
805 | KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK, | |
5ac7eace | 806 | KEY_ALLOC_IN_QUOTA, NULL, NULL); |
1da177e4 LT |
807 | if (IS_ERR(keyring)) { |
808 | ret = PTR_ERR(keyring); | |
bcf945d3 | 809 | goto error2; |
1da177e4 | 810 | } |
d84f4f99 | 811 | } else if (IS_ERR(keyring)) { |
1da177e4 LT |
812 | ret = PTR_ERR(keyring); |
813 | goto error2; | |
3a50597d DH |
814 | } else if (keyring == new->session_keyring) { |
815 | ret = 0; | |
d636bd9f | 816 | goto error3; |
1da177e4 LT |
817 | } |
818 | ||
819 | /* we've got a keyring - now to install it */ | |
d84f4f99 | 820 | ret = install_session_keyring_to_cred(new, keyring); |
1da177e4 | 821 | if (ret < 0) |
d636bd9f | 822 | goto error3; |
1da177e4 | 823 | |
d84f4f99 DH |
824 | commit_creds(new); |
825 | mutex_unlock(&key_session_mutex); | |
826 | ||
1da177e4 LT |
827 | ret = keyring->serial; |
828 | key_put(keyring); | |
d84f4f99 DH |
829 | okay: |
830 | return ret; | |
1da177e4 | 831 | |
d636bd9f EB |
832 | error3: |
833 | key_put(keyring); | |
664cceb0 | 834 | error2: |
bb003079 | 835 | mutex_unlock(&key_session_mutex); |
664cceb0 | 836 | error: |
d84f4f99 | 837 | abort_creds(new); |
1da177e4 | 838 | return ret; |
d84f4f99 | 839 | } |
ee18d64c DH |
840 | |
841 | /* | |
973c9f4f DH |
842 | * Replace a process's session keyring on behalf of one of its children when |
843 | * the target process is about to resume userspace execution. | |
ee18d64c | 844 | */ |
67d12145 | 845 | void key_change_session_keyring(struct callback_head *twork) |
ee18d64c | 846 | { |
413cd3d9 | 847 | const struct cred *old = current_cred(); |
67d12145 | 848 | struct cred *new = container_of(twork, struct cred, rcu); |
ee18d64c | 849 | |
413cd3d9 ON |
850 | if (unlikely(current->flags & PF_EXITING)) { |
851 | put_cred(new); | |
ee18d64c | 852 | return; |
413cd3d9 | 853 | } |
ee18d64c | 854 | |
ee18d64c DH |
855 | new-> uid = old-> uid; |
856 | new-> euid = old-> euid; | |
857 | new-> suid = old-> suid; | |
858 | new->fsuid = old->fsuid; | |
859 | new-> gid = old-> gid; | |
860 | new-> egid = old-> egid; | |
861 | new-> sgid = old-> sgid; | |
862 | new->fsgid = old->fsgid; | |
863 | new->user = get_uid(old->user); | |
ba0e3427 | 864 | new->user_ns = get_user_ns(old->user_ns); |
ee18d64c DH |
865 | new->group_info = get_group_info(old->group_info); |
866 | ||
867 | new->securebits = old->securebits; | |
868 | new->cap_inheritable = old->cap_inheritable; | |
869 | new->cap_permitted = old->cap_permitted; | |
870 | new->cap_effective = old->cap_effective; | |
58319057 | 871 | new->cap_ambient = old->cap_ambient; |
ee18d64c DH |
872 | new->cap_bset = old->cap_bset; |
873 | ||
874 | new->jit_keyring = old->jit_keyring; | |
875 | new->thread_keyring = key_get(old->thread_keyring); | |
3a50597d | 876 | new->process_keyring = key_get(old->process_keyring); |
ee18d64c DH |
877 | |
878 | security_transfer_creds(new, old); | |
879 | ||
880 | commit_creds(new); | |
881 | } | |
c124bde2 MZ |
882 | |
883 | /* | |
884 | * Make sure that root's user and user-session keyrings exist. | |
885 | */ | |
886 | static int __init init_root_keyring(void) | |
887 | { | |
888 | return install_user_keyrings(); | |
889 | } | |
890 | ||
891 | late_initcall(init_root_keyring); |