| 1 | /* Manage a process's keyrings |
| 2 | * |
| 3 | * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. |
| 4 | * Written by David Howells (dhowells@redhat.com) |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU General Public License |
| 8 | * as published by the Free Software Foundation; either version |
| 9 | * 2 of the License, or (at your option) any later version. |
| 10 | */ |
| 11 | |
| 12 | #include <linux/module.h> |
| 13 | #include <linux/init.h> |
| 14 | #include <linux/sched.h> |
| 15 | #include <linux/keyctl.h> |
| 16 | #include <linux/fs.h> |
| 17 | #include <linux/err.h> |
| 18 | #include <linux/mutex.h> |
| 19 | #include <linux/security.h> |
| 20 | #include <linux/user_namespace.h> |
| 21 | #include <asm/uaccess.h> |
| 22 | #include "internal.h" |
| 23 | |
| 24 | /* Session keyring create vs join semaphore */ |
| 25 | static DEFINE_MUTEX(key_session_mutex); |
| 26 | |
| 27 | /* User keyring creation semaphore */ |
| 28 | static DEFINE_MUTEX(key_user_keyring_mutex); |
| 29 | |
| 30 | /* The root user's tracking struct */ |
| 31 | struct key_user root_key_user = { |
| 32 | .usage = ATOMIC_INIT(3), |
| 33 | .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock), |
| 34 | .lock = __SPIN_LOCK_UNLOCKED(root_key_user.lock), |
| 35 | .nkeys = ATOMIC_INIT(2), |
| 36 | .nikeys = ATOMIC_INIT(2), |
| 37 | .uid = GLOBAL_ROOT_UID, |
| 38 | }; |
| 39 | |
| 40 | /* |
| 41 | * Install the user and user session keyrings for the current process's UID. |
| 42 | */ |
| 43 | int install_user_keyrings(void) |
| 44 | { |
| 45 | struct user_struct *user; |
| 46 | const struct cred *cred; |
| 47 | struct key *uid_keyring, *session_keyring; |
| 48 | key_perm_t user_keyring_perm; |
| 49 | char buf[20]; |
| 50 | int ret; |
| 51 | uid_t uid; |
| 52 | |
| 53 | user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL; |
| 54 | cred = current_cred(); |
| 55 | user = cred->user; |
| 56 | uid = from_kuid(cred->user_ns, user->uid); |
| 57 | |
| 58 | kenter("%p{%u}", user, uid); |
| 59 | |
| 60 | if (user->uid_keyring && user->session_keyring) { |
| 61 | kleave(" = 0 [exist]"); |
| 62 | return 0; |
| 63 | } |
| 64 | |
| 65 | mutex_lock(&key_user_keyring_mutex); |
| 66 | ret = 0; |
| 67 | |
| 68 | if (!user->uid_keyring) { |
| 69 | /* get the UID-specific keyring |
| 70 | * - there may be one in existence already as it may have been |
| 71 | * pinned by a session, but the user_struct pointing to it |
| 72 | * may have been destroyed by setuid */ |
| 73 | sprintf(buf, "_uid.%u", uid); |
| 74 | |
| 75 | uid_keyring = find_keyring_by_name(buf, true); |
| 76 | if (IS_ERR(uid_keyring)) { |
| 77 | uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID, |
| 78 | cred, user_keyring_perm, |
| 79 | KEY_ALLOC_IN_QUOTA, |
| 80 | NULL, NULL); |
| 81 | if (IS_ERR(uid_keyring)) { |
| 82 | ret = PTR_ERR(uid_keyring); |
| 83 | goto error; |
| 84 | } |
| 85 | } |
| 86 | |
| 87 | /* get a default session keyring (which might also exist |
| 88 | * already) */ |
| 89 | sprintf(buf, "_uid_ses.%u", uid); |
| 90 | |
| 91 | session_keyring = find_keyring_by_name(buf, true); |
| 92 | if (IS_ERR(session_keyring)) { |
| 93 | session_keyring = |
| 94 | keyring_alloc(buf, user->uid, INVALID_GID, |
| 95 | cred, user_keyring_perm, |
| 96 | KEY_ALLOC_IN_QUOTA, |
| 97 | NULL, NULL); |
| 98 | if (IS_ERR(session_keyring)) { |
| 99 | ret = PTR_ERR(session_keyring); |
| 100 | goto error_release; |
| 101 | } |
| 102 | |
| 103 | /* we install a link from the user session keyring to |
| 104 | * the user keyring */ |
| 105 | ret = key_link(session_keyring, uid_keyring); |
| 106 | if (ret < 0) |
| 107 | goto error_release_both; |
| 108 | } |
| 109 | |
| 110 | /* install the keyrings */ |
| 111 | user->uid_keyring = uid_keyring; |
| 112 | user->session_keyring = session_keyring; |
| 113 | } |
| 114 | |
| 115 | mutex_unlock(&key_user_keyring_mutex); |
| 116 | kleave(" = 0"); |
| 117 | return 0; |
| 118 | |
| 119 | error_release_both: |
| 120 | key_put(session_keyring); |
| 121 | error_release: |
| 122 | key_put(uid_keyring); |
| 123 | error: |
| 124 | mutex_unlock(&key_user_keyring_mutex); |
| 125 | kleave(" = %d", ret); |
| 126 | return ret; |
| 127 | } |
| 128 | |
| 129 | /* |
| 130 | * Install a fresh thread keyring directly to new credentials. This keyring is |
| 131 | * allowed to overrun the quota. |
| 132 | */ |
| 133 | int install_thread_keyring_to_cred(struct cred *new) |
| 134 | { |
| 135 | struct key *keyring; |
| 136 | |
| 137 | keyring = keyring_alloc("_tid", new->uid, new->gid, new, |
| 138 | KEY_POS_ALL | KEY_USR_VIEW, |
| 139 | KEY_ALLOC_QUOTA_OVERRUN, |
| 140 | NULL, NULL); |
| 141 | if (IS_ERR(keyring)) |
| 142 | return PTR_ERR(keyring); |
| 143 | |
| 144 | new->thread_keyring = keyring; |
| 145 | return 0; |
| 146 | } |
| 147 | |
| 148 | /* |
| 149 | * Install a fresh thread keyring, discarding the old one. |
| 150 | */ |
| 151 | static int install_thread_keyring(void) |
| 152 | { |
| 153 | struct cred *new; |
| 154 | int ret; |
| 155 | |
| 156 | new = prepare_creds(); |
| 157 | if (!new) |
| 158 | return -ENOMEM; |
| 159 | |
| 160 | BUG_ON(new->thread_keyring); |
| 161 | |
| 162 | ret = install_thread_keyring_to_cred(new); |
| 163 | if (ret < 0) { |
| 164 | abort_creds(new); |
| 165 | return ret; |
| 166 | } |
| 167 | |
| 168 | return commit_creds(new); |
| 169 | } |
| 170 | |
| 171 | /* |
| 172 | * Install a process keyring directly to a credentials struct. |
| 173 | * |
| 174 | * Returns -EEXIST if there was already a process keyring, 0 if one installed, |
| 175 | * and other value on any other error |
| 176 | */ |
| 177 | int install_process_keyring_to_cred(struct cred *new) |
| 178 | { |
| 179 | struct key *keyring; |
| 180 | |
| 181 | if (new->process_keyring) |
| 182 | return -EEXIST; |
| 183 | |
| 184 | keyring = keyring_alloc("_pid", new->uid, new->gid, new, |
| 185 | KEY_POS_ALL | KEY_USR_VIEW, |
| 186 | KEY_ALLOC_QUOTA_OVERRUN, |
| 187 | NULL, NULL); |
| 188 | if (IS_ERR(keyring)) |
| 189 | return PTR_ERR(keyring); |
| 190 | |
| 191 | new->process_keyring = keyring; |
| 192 | return 0; |
| 193 | } |
| 194 | |
| 195 | /* |
| 196 | * Make sure a process keyring is installed for the current process. The |
| 197 | * existing process keyring is not replaced. |
| 198 | * |
| 199 | * Returns 0 if there is a process keyring by the end of this function, some |
| 200 | * error otherwise. |
| 201 | */ |
| 202 | static int install_process_keyring(void) |
| 203 | { |
| 204 | struct cred *new; |
| 205 | int ret; |
| 206 | |
| 207 | new = prepare_creds(); |
| 208 | if (!new) |
| 209 | return -ENOMEM; |
| 210 | |
| 211 | ret = install_process_keyring_to_cred(new); |
| 212 | if (ret < 0) { |
| 213 | abort_creds(new); |
| 214 | return ret != -EEXIST ? ret : 0; |
| 215 | } |
| 216 | |
| 217 | return commit_creds(new); |
| 218 | } |
| 219 | |
| 220 | /* |
| 221 | * Install a session keyring directly to a credentials struct. |
| 222 | */ |
| 223 | int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) |
| 224 | { |
| 225 | unsigned long flags; |
| 226 | struct key *old; |
| 227 | |
| 228 | might_sleep(); |
| 229 | |
| 230 | /* create an empty session keyring */ |
| 231 | if (!keyring) { |
| 232 | flags = KEY_ALLOC_QUOTA_OVERRUN; |
| 233 | if (cred->session_keyring) |
| 234 | flags = KEY_ALLOC_IN_QUOTA; |
| 235 | |
| 236 | keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred, |
| 237 | KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ, |
| 238 | flags, NULL, NULL); |
| 239 | if (IS_ERR(keyring)) |
| 240 | return PTR_ERR(keyring); |
| 241 | } else { |
| 242 | __key_get(keyring); |
| 243 | } |
| 244 | |
| 245 | /* install the keyring */ |
| 246 | old = cred->session_keyring; |
| 247 | rcu_assign_pointer(cred->session_keyring, keyring); |
| 248 | |
| 249 | if (old) |
| 250 | key_put(old); |
| 251 | |
| 252 | return 0; |
| 253 | } |
| 254 | |
| 255 | /* |
| 256 | * Install a session keyring, discarding the old one. If a keyring is not |
| 257 | * supplied, an empty one is invented. |
| 258 | */ |
| 259 | static int install_session_keyring(struct key *keyring) |
| 260 | { |
| 261 | struct cred *new; |
| 262 | int ret; |
| 263 | |
| 264 | new = prepare_creds(); |
| 265 | if (!new) |
| 266 | return -ENOMEM; |
| 267 | |
| 268 | ret = install_session_keyring_to_cred(new, keyring); |
| 269 | if (ret < 0) { |
| 270 | abort_creds(new); |
| 271 | return ret; |
| 272 | } |
| 273 | |
| 274 | return commit_creds(new); |
| 275 | } |
| 276 | |
| 277 | /* |
| 278 | * Handle the fsuid changing. |
| 279 | */ |
| 280 | void key_fsuid_changed(struct task_struct *tsk) |
| 281 | { |
| 282 | /* update the ownership of the thread keyring */ |
| 283 | BUG_ON(!tsk->cred); |
| 284 | if (tsk->cred->thread_keyring) { |
| 285 | down_write(&tsk->cred->thread_keyring->sem); |
| 286 | tsk->cred->thread_keyring->uid = tsk->cred->fsuid; |
| 287 | up_write(&tsk->cred->thread_keyring->sem); |
| 288 | } |
| 289 | } |
| 290 | |
| 291 | /* |
| 292 | * Handle the fsgid changing. |
| 293 | */ |
| 294 | void key_fsgid_changed(struct task_struct *tsk) |
| 295 | { |
| 296 | /* update the ownership of the thread keyring */ |
| 297 | BUG_ON(!tsk->cred); |
| 298 | if (tsk->cred->thread_keyring) { |
| 299 | down_write(&tsk->cred->thread_keyring->sem); |
| 300 | tsk->cred->thread_keyring->gid = tsk->cred->fsgid; |
| 301 | up_write(&tsk->cred->thread_keyring->sem); |
| 302 | } |
| 303 | } |
| 304 | |
| 305 | /* |
| 306 | * Search the process keyrings attached to the supplied cred for the first |
| 307 | * matching key. |
| 308 | * |
| 309 | * The search criteria are the type and the match function. The description is |
| 310 | * given to the match function as a parameter, but doesn't otherwise influence |
| 311 | * the search. Typically the match function will compare the description |
| 312 | * parameter to the key's description. |
| 313 | * |
| 314 | * This can only search keyrings that grant Search permission to the supplied |
| 315 | * credentials. Keyrings linked to searched keyrings will also be searched if |
| 316 | * they grant Search permission too. Keys can only be found if they grant |
| 317 | * Search permission to the credentials. |
| 318 | * |
| 319 | * Returns a pointer to the key with the key usage count incremented if |
| 320 | * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only |
| 321 | * matched negative keys. |
| 322 | * |
| 323 | * In the case of a successful return, the possession attribute is set on the |
| 324 | * returned key reference. |
| 325 | */ |
| 326 | key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx) |
| 327 | { |
| 328 | key_ref_t key_ref, ret, err; |
| 329 | |
| 330 | /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were |
| 331 | * searchable, but we failed to find a key or we found a negative key; |
| 332 | * otherwise we want to return a sample error (probably -EACCES) if |
| 333 | * none of the keyrings were searchable |
| 334 | * |
| 335 | * in terms of priority: success > -ENOKEY > -EAGAIN > other error |
| 336 | */ |
| 337 | key_ref = NULL; |
| 338 | ret = NULL; |
| 339 | err = ERR_PTR(-EAGAIN); |
| 340 | |
| 341 | /* search the thread keyring first */ |
| 342 | if (ctx->cred->thread_keyring) { |
| 343 | key_ref = keyring_search_aux( |
| 344 | make_key_ref(ctx->cred->thread_keyring, 1), ctx); |
| 345 | if (!IS_ERR(key_ref)) |
| 346 | goto found; |
| 347 | |
| 348 | switch (PTR_ERR(key_ref)) { |
| 349 | case -EAGAIN: /* no key */ |
| 350 | case -ENOKEY: /* negative key */ |
| 351 | ret = key_ref; |
| 352 | break; |
| 353 | default: |
| 354 | err = key_ref; |
| 355 | break; |
| 356 | } |
| 357 | } |
| 358 | |
| 359 | /* search the process keyring second */ |
| 360 | if (ctx->cred->process_keyring) { |
| 361 | key_ref = keyring_search_aux( |
| 362 | make_key_ref(ctx->cred->process_keyring, 1), ctx); |
| 363 | if (!IS_ERR(key_ref)) |
| 364 | goto found; |
| 365 | |
| 366 | switch (PTR_ERR(key_ref)) { |
| 367 | case -EAGAIN: /* no key */ |
| 368 | if (ret) |
| 369 | break; |
| 370 | case -ENOKEY: /* negative key */ |
| 371 | ret = key_ref; |
| 372 | break; |
| 373 | default: |
| 374 | err = key_ref; |
| 375 | break; |
| 376 | } |
| 377 | } |
| 378 | |
| 379 | /* search the session keyring */ |
| 380 | if (ctx->cred->session_keyring) { |
| 381 | rcu_read_lock(); |
| 382 | key_ref = keyring_search_aux( |
| 383 | make_key_ref(rcu_dereference(ctx->cred->session_keyring), 1), |
| 384 | ctx); |
| 385 | rcu_read_unlock(); |
| 386 | |
| 387 | if (!IS_ERR(key_ref)) |
| 388 | goto found; |
| 389 | |
| 390 | switch (PTR_ERR(key_ref)) { |
| 391 | case -EAGAIN: /* no key */ |
| 392 | if (ret) |
| 393 | break; |
| 394 | case -ENOKEY: /* negative key */ |
| 395 | ret = key_ref; |
| 396 | break; |
| 397 | default: |
| 398 | err = key_ref; |
| 399 | break; |
| 400 | } |
| 401 | } |
| 402 | /* or search the user-session keyring */ |
| 403 | else if (ctx->cred->user->session_keyring) { |
| 404 | key_ref = keyring_search_aux( |
| 405 | make_key_ref(ctx->cred->user->session_keyring, 1), |
| 406 | ctx); |
| 407 | if (!IS_ERR(key_ref)) |
| 408 | goto found; |
| 409 | |
| 410 | switch (PTR_ERR(key_ref)) { |
| 411 | case -EAGAIN: /* no key */ |
| 412 | if (ret) |
| 413 | break; |
| 414 | case -ENOKEY: /* negative key */ |
| 415 | ret = key_ref; |
| 416 | break; |
| 417 | default: |
| 418 | err = key_ref; |
| 419 | break; |
| 420 | } |
| 421 | } |
| 422 | |
| 423 | /* no key - decide on the error we're going to go for */ |
| 424 | key_ref = ret ? ret : err; |
| 425 | |
| 426 | found: |
| 427 | return key_ref; |
| 428 | } |
| 429 | |
| 430 | /* |
| 431 | * Search the process keyrings attached to the supplied cred for the first |
| 432 | * matching key in the manner of search_my_process_keyrings(), but also search |
| 433 | * the keys attached to the assumed authorisation key using its credentials if |
| 434 | * one is available. |
| 435 | * |
| 436 | * Return same as search_my_process_keyrings(). |
| 437 | */ |
| 438 | key_ref_t search_process_keyrings(struct keyring_search_context *ctx) |
| 439 | { |
| 440 | struct request_key_auth *rka; |
| 441 | key_ref_t key_ref, ret = ERR_PTR(-EACCES), err; |
| 442 | |
| 443 | might_sleep(); |
| 444 | |
| 445 | key_ref = search_my_process_keyrings(ctx); |
| 446 | if (!IS_ERR(key_ref)) |
| 447 | goto found; |
| 448 | err = key_ref; |
| 449 | |
| 450 | /* if this process has an instantiation authorisation key, then we also |
| 451 | * search the keyrings of the process mentioned there |
| 452 | * - we don't permit access to request_key auth keys via this method |
| 453 | */ |
| 454 | if (ctx->cred->request_key_auth && |
| 455 | ctx->cred == current_cred() && |
| 456 | ctx->index_key.type != &key_type_request_key_auth |
| 457 | ) { |
| 458 | const struct cred *cred = ctx->cred; |
| 459 | |
| 460 | /* defend against the auth key being revoked */ |
| 461 | down_read(&cred->request_key_auth->sem); |
| 462 | |
| 463 | if (key_validate(ctx->cred->request_key_auth) == 0) { |
| 464 | rka = ctx->cred->request_key_auth->payload.data[0]; |
| 465 | |
| 466 | ctx->cred = rka->cred; |
| 467 | key_ref = search_process_keyrings(ctx); |
| 468 | ctx->cred = cred; |
| 469 | |
| 470 | up_read(&cred->request_key_auth->sem); |
| 471 | |
| 472 | if (!IS_ERR(key_ref)) |
| 473 | goto found; |
| 474 | |
| 475 | ret = key_ref; |
| 476 | } else { |
| 477 | up_read(&cred->request_key_auth->sem); |
| 478 | } |
| 479 | } |
| 480 | |
| 481 | /* no key - decide on the error we're going to go for */ |
| 482 | if (err == ERR_PTR(-ENOKEY) || ret == ERR_PTR(-ENOKEY)) |
| 483 | key_ref = ERR_PTR(-ENOKEY); |
| 484 | else if (err == ERR_PTR(-EACCES)) |
| 485 | key_ref = ret; |
| 486 | else |
| 487 | key_ref = err; |
| 488 | |
| 489 | found: |
| 490 | return key_ref; |
| 491 | } |
| 492 | |
| 493 | /* |
| 494 | * See if the key we're looking at is the target key. |
| 495 | */ |
| 496 | bool lookup_user_key_possessed(const struct key *key, |
| 497 | const struct key_match_data *match_data) |
| 498 | { |
| 499 | return key == match_data->raw_data; |
| 500 | } |
| 501 | |
| 502 | /* |
| 503 | * Look up a key ID given us by userspace with a given permissions mask to get |
| 504 | * the key it refers to. |
| 505 | * |
| 506 | * Flags can be passed to request that special keyrings be created if referred |
| 507 | * to directly, to permit partially constructed keys to be found and to skip |
| 508 | * validity and permission checks on the found key. |
| 509 | * |
| 510 | * Returns a pointer to the key with an incremented usage count if successful; |
| 511 | * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond |
| 512 | * to a key or the best found key was a negative key; -EKEYREVOKED or |
| 513 | * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the |
| 514 | * found key doesn't grant the requested permit or the LSM denied access to it; |
| 515 | * or -ENOMEM if a special keyring couldn't be created. |
| 516 | * |
| 517 | * In the case of a successful return, the possession attribute is set on the |
| 518 | * returned key reference. |
| 519 | */ |
| 520 | key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, |
| 521 | key_perm_t perm) |
| 522 | { |
| 523 | struct keyring_search_context ctx = { |
| 524 | .match_data.cmp = lookup_user_key_possessed, |
| 525 | .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, |
| 526 | .flags = KEYRING_SEARCH_NO_STATE_CHECK, |
| 527 | }; |
| 528 | struct request_key_auth *rka; |
| 529 | struct key *key; |
| 530 | key_ref_t key_ref, skey_ref; |
| 531 | int ret; |
| 532 | |
| 533 | try_again: |
| 534 | ctx.cred = get_current_cred(); |
| 535 | key_ref = ERR_PTR(-ENOKEY); |
| 536 | |
| 537 | switch (id) { |
| 538 | case KEY_SPEC_THREAD_KEYRING: |
| 539 | if (!ctx.cred->thread_keyring) { |
| 540 | if (!(lflags & KEY_LOOKUP_CREATE)) |
| 541 | goto error; |
| 542 | |
| 543 | ret = install_thread_keyring(); |
| 544 | if (ret < 0) { |
| 545 | key_ref = ERR_PTR(ret); |
| 546 | goto error; |
| 547 | } |
| 548 | goto reget_creds; |
| 549 | } |
| 550 | |
| 551 | key = ctx.cred->thread_keyring; |
| 552 | __key_get(key); |
| 553 | key_ref = make_key_ref(key, 1); |
| 554 | break; |
| 555 | |
| 556 | case KEY_SPEC_PROCESS_KEYRING: |
| 557 | if (!ctx.cred->process_keyring) { |
| 558 | if (!(lflags & KEY_LOOKUP_CREATE)) |
| 559 | goto error; |
| 560 | |
| 561 | ret = install_process_keyring(); |
| 562 | if (ret < 0) { |
| 563 | key_ref = ERR_PTR(ret); |
| 564 | goto error; |
| 565 | } |
| 566 | goto reget_creds; |
| 567 | } |
| 568 | |
| 569 | key = ctx.cred->process_keyring; |
| 570 | __key_get(key); |
| 571 | key_ref = make_key_ref(key, 1); |
| 572 | break; |
| 573 | |
| 574 | case KEY_SPEC_SESSION_KEYRING: |
| 575 | if (!ctx.cred->session_keyring) { |
| 576 | /* always install a session keyring upon access if one |
| 577 | * doesn't exist yet */ |
| 578 | ret = install_user_keyrings(); |
| 579 | if (ret < 0) |
| 580 | goto error; |
| 581 | if (lflags & KEY_LOOKUP_CREATE) |
| 582 | ret = join_session_keyring(NULL); |
| 583 | else |
| 584 | ret = install_session_keyring( |
| 585 | ctx.cred->user->session_keyring); |
| 586 | |
| 587 | if (ret < 0) |
| 588 | goto error; |
| 589 | goto reget_creds; |
| 590 | } else if (ctx.cred->session_keyring == |
| 591 | ctx.cred->user->session_keyring && |
| 592 | lflags & KEY_LOOKUP_CREATE) { |
| 593 | ret = join_session_keyring(NULL); |
| 594 | if (ret < 0) |
| 595 | goto error; |
| 596 | goto reget_creds; |
| 597 | } |
| 598 | |
| 599 | rcu_read_lock(); |
| 600 | key = rcu_dereference(ctx.cred->session_keyring); |
| 601 | __key_get(key); |
| 602 | rcu_read_unlock(); |
| 603 | key_ref = make_key_ref(key, 1); |
| 604 | break; |
| 605 | |
| 606 | case KEY_SPEC_USER_KEYRING: |
| 607 | if (!ctx.cred->user->uid_keyring) { |
| 608 | ret = install_user_keyrings(); |
| 609 | if (ret < 0) |
| 610 | goto error; |
| 611 | } |
| 612 | |
| 613 | key = ctx.cred->user->uid_keyring; |
| 614 | __key_get(key); |
| 615 | key_ref = make_key_ref(key, 1); |
| 616 | break; |
| 617 | |
| 618 | case KEY_SPEC_USER_SESSION_KEYRING: |
| 619 | if (!ctx.cred->user->session_keyring) { |
| 620 | ret = install_user_keyrings(); |
| 621 | if (ret < 0) |
| 622 | goto error; |
| 623 | } |
| 624 | |
| 625 | key = ctx.cred->user->session_keyring; |
| 626 | __key_get(key); |
| 627 | key_ref = make_key_ref(key, 1); |
| 628 | break; |
| 629 | |
| 630 | case KEY_SPEC_GROUP_KEYRING: |
| 631 | /* group keyrings are not yet supported */ |
| 632 | key_ref = ERR_PTR(-EINVAL); |
| 633 | goto error; |
| 634 | |
| 635 | case KEY_SPEC_REQKEY_AUTH_KEY: |
| 636 | key = ctx.cred->request_key_auth; |
| 637 | if (!key) |
| 638 | goto error; |
| 639 | |
| 640 | __key_get(key); |
| 641 | key_ref = make_key_ref(key, 1); |
| 642 | break; |
| 643 | |
| 644 | case KEY_SPEC_REQUESTOR_KEYRING: |
| 645 | if (!ctx.cred->request_key_auth) |
| 646 | goto error; |
| 647 | |
| 648 | down_read(&ctx.cred->request_key_auth->sem); |
| 649 | if (test_bit(KEY_FLAG_REVOKED, |
| 650 | &ctx.cred->request_key_auth->flags)) { |
| 651 | key_ref = ERR_PTR(-EKEYREVOKED); |
| 652 | key = NULL; |
| 653 | } else { |
| 654 | rka = ctx.cred->request_key_auth->payload.data[0]; |
| 655 | key = rka->dest_keyring; |
| 656 | __key_get(key); |
| 657 | } |
| 658 | up_read(&ctx.cred->request_key_auth->sem); |
| 659 | if (!key) |
| 660 | goto error; |
| 661 | key_ref = make_key_ref(key, 1); |
| 662 | break; |
| 663 | |
| 664 | default: |
| 665 | key_ref = ERR_PTR(-EINVAL); |
| 666 | if (id < 1) |
| 667 | goto error; |
| 668 | |
| 669 | key = key_lookup(id); |
| 670 | if (IS_ERR(key)) { |
| 671 | key_ref = ERR_CAST(key); |
| 672 | goto error; |
| 673 | } |
| 674 | |
| 675 | key_ref = make_key_ref(key, 0); |
| 676 | |
| 677 | /* check to see if we possess the key */ |
| 678 | ctx.index_key.type = key->type; |
| 679 | ctx.index_key.description = key->description; |
| 680 | ctx.index_key.desc_len = strlen(key->description); |
| 681 | ctx.match_data.raw_data = key; |
| 682 | kdebug("check possessed"); |
| 683 | skey_ref = search_process_keyrings(&ctx); |
| 684 | kdebug("possessed=%p", skey_ref); |
| 685 | |
| 686 | if (!IS_ERR(skey_ref)) { |
| 687 | key_put(key); |
| 688 | key_ref = skey_ref; |
| 689 | } |
| 690 | |
| 691 | break; |
| 692 | } |
| 693 | |
| 694 | /* unlink does not use the nominated key in any way, so can skip all |
| 695 | * the permission checks as it is only concerned with the keyring */ |
| 696 | if (lflags & KEY_LOOKUP_FOR_UNLINK) { |
| 697 | ret = 0; |
| 698 | goto error; |
| 699 | } |
| 700 | |
| 701 | if (!(lflags & KEY_LOOKUP_PARTIAL)) { |
| 702 | ret = wait_for_key_construction(key, true); |
| 703 | switch (ret) { |
| 704 | case -ERESTARTSYS: |
| 705 | goto invalid_key; |
| 706 | default: |
| 707 | if (perm) |
| 708 | goto invalid_key; |
| 709 | case 0: |
| 710 | break; |
| 711 | } |
| 712 | } else if (perm) { |
| 713 | ret = key_validate(key); |
| 714 | if (ret < 0) |
| 715 | goto invalid_key; |
| 716 | } |
| 717 | |
| 718 | ret = -EIO; |
| 719 | if (!(lflags & KEY_LOOKUP_PARTIAL) && |
| 720 | !test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) |
| 721 | goto invalid_key; |
| 722 | |
| 723 | /* check the permissions */ |
| 724 | ret = key_task_permission(key_ref, ctx.cred, perm); |
| 725 | if (ret < 0) |
| 726 | goto invalid_key; |
| 727 | |
| 728 | key->last_used_at = current_kernel_time().tv_sec; |
| 729 | |
| 730 | error: |
| 731 | put_cred(ctx.cred); |
| 732 | return key_ref; |
| 733 | |
| 734 | invalid_key: |
| 735 | key_ref_put(key_ref); |
| 736 | key_ref = ERR_PTR(ret); |
| 737 | goto error; |
| 738 | |
| 739 | /* if we attempted to install a keyring, then it may have caused new |
| 740 | * creds to be installed */ |
| 741 | reget_creds: |
| 742 | put_cred(ctx.cred); |
| 743 | goto try_again; |
| 744 | } |
| 745 | |
| 746 | /* |
| 747 | * Join the named keyring as the session keyring if possible else attempt to |
| 748 | * create a new one of that name and join that. |
| 749 | * |
| 750 | * If the name is NULL, an empty anonymous keyring will be installed as the |
| 751 | * session keyring. |
| 752 | * |
| 753 | * Named session keyrings are joined with a semaphore held to prevent the |
| 754 | * keyrings from going away whilst the attempt is made to going them and also |
| 755 | * to prevent a race in creating compatible session keyrings. |
| 756 | */ |
| 757 | long join_session_keyring(const char *name) |
| 758 | { |
| 759 | const struct cred *old; |
| 760 | struct cred *new; |
| 761 | struct key *keyring; |
| 762 | long ret, serial; |
| 763 | |
| 764 | new = prepare_creds(); |
| 765 | if (!new) |
| 766 | return -ENOMEM; |
| 767 | old = current_cred(); |
| 768 | |
| 769 | /* if no name is provided, install an anonymous keyring */ |
| 770 | if (!name) { |
| 771 | ret = install_session_keyring_to_cred(new, NULL); |
| 772 | if (ret < 0) |
| 773 | goto error; |
| 774 | |
| 775 | serial = new->session_keyring->serial; |
| 776 | ret = commit_creds(new); |
| 777 | if (ret == 0) |
| 778 | ret = serial; |
| 779 | goto okay; |
| 780 | } |
| 781 | |
| 782 | /* allow the user to join or create a named keyring */ |
| 783 | mutex_lock(&key_session_mutex); |
| 784 | |
| 785 | /* look for an existing keyring of this name */ |
| 786 | keyring = find_keyring_by_name(name, false); |
| 787 | if (PTR_ERR(keyring) == -ENOKEY) { |
| 788 | /* not found - try and create a new one */ |
| 789 | keyring = keyring_alloc( |
| 790 | name, old->uid, old->gid, old, |
| 791 | KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK, |
| 792 | KEY_ALLOC_IN_QUOTA, NULL, NULL); |
| 793 | if (IS_ERR(keyring)) { |
| 794 | ret = PTR_ERR(keyring); |
| 795 | goto error2; |
| 796 | } |
| 797 | } else if (IS_ERR(keyring)) { |
| 798 | ret = PTR_ERR(keyring); |
| 799 | goto error2; |
| 800 | } else if (keyring == new->session_keyring) { |
| 801 | key_put(keyring); |
| 802 | ret = 0; |
| 803 | goto error2; |
| 804 | } |
| 805 | |
| 806 | /* we've got a keyring - now to install it */ |
| 807 | ret = install_session_keyring_to_cred(new, keyring); |
| 808 | if (ret < 0) |
| 809 | goto error2; |
| 810 | |
| 811 | commit_creds(new); |
| 812 | mutex_unlock(&key_session_mutex); |
| 813 | |
| 814 | ret = keyring->serial; |
| 815 | key_put(keyring); |
| 816 | okay: |
| 817 | return ret; |
| 818 | |
| 819 | error2: |
| 820 | mutex_unlock(&key_session_mutex); |
| 821 | error: |
| 822 | abort_creds(new); |
| 823 | return ret; |
| 824 | } |
| 825 | |
| 826 | /* |
| 827 | * Replace a process's session keyring on behalf of one of its children when |
| 828 | * the target process is about to resume userspace execution. |
| 829 | */ |
| 830 | void key_change_session_keyring(struct callback_head *twork) |
| 831 | { |
| 832 | const struct cred *old = current_cred(); |
| 833 | struct cred *new = container_of(twork, struct cred, rcu); |
| 834 | |
| 835 | if (unlikely(current->flags & PF_EXITING)) { |
| 836 | put_cred(new); |
| 837 | return; |
| 838 | } |
| 839 | |
| 840 | new-> uid = old-> uid; |
| 841 | new-> euid = old-> euid; |
| 842 | new-> suid = old-> suid; |
| 843 | new->fsuid = old->fsuid; |
| 844 | new-> gid = old-> gid; |
| 845 | new-> egid = old-> egid; |
| 846 | new-> sgid = old-> sgid; |
| 847 | new->fsgid = old->fsgid; |
| 848 | new->user = get_uid(old->user); |
| 849 | new->user_ns = get_user_ns(old->user_ns); |
| 850 | new->group_info = get_group_info(old->group_info); |
| 851 | |
| 852 | new->securebits = old->securebits; |
| 853 | new->cap_inheritable = old->cap_inheritable; |
| 854 | new->cap_permitted = old->cap_permitted; |
| 855 | new->cap_effective = old->cap_effective; |
| 856 | new->cap_ambient = old->cap_ambient; |
| 857 | new->cap_bset = old->cap_bset; |
| 858 | |
| 859 | new->jit_keyring = old->jit_keyring; |
| 860 | new->thread_keyring = key_get(old->thread_keyring); |
| 861 | new->process_keyring = key_get(old->process_keyring); |
| 862 | |
| 863 | security_transfer_creds(new, old); |
| 864 | |
| 865 | commit_creds(new); |
| 866 | } |
| 867 | |
| 868 | /* |
| 869 | * Make sure that root's user and user-session keyrings exist. |
| 870 | */ |
| 871 | static int __init init_root_keyring(void) |
| 872 | { |
| 873 | return install_user_keyrings(); |
| 874 | } |
| 875 | |
| 876 | late_initcall(init_root_keyring); |