1 /* keyctl.c: userspace keyctl operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/syscalls.h> 17 #include <linux/keyctl.h> 18 #include <linux/fs.h> 19 #include <linux/capability.h> 20 #include <linux/string.h> 21 #include <linux/err.h> 22 #include <linux/vmalloc.h> 23 #include <asm/uaccess.h> 24 #include "internal.h" 25 26 static int key_get_type_from_user(char *type, 27 const char __user *_type, 28 unsigned len) 29 { 30 int ret; 31 32 ret = strncpy_from_user(type, _type, len); 33 34 if (ret < 0) 35 return -EFAULT; 36 37 if (ret == 0 || ret >= len) 38 return -EINVAL; 39 40 if (type[0] == '.') 41 return -EPERM; 42 43 type[len - 1] = '\0'; 44 45 return 0; 46 } 47 48 /*****************************************************************************/ 49 /* 50 * extract the description of a new key from userspace and either add it as a 51 * new key to the specified keyring or update a matching key in that keyring 52 * - the keyring must be writable 53 * - returns the new key's serial number 54 * - implements add_key() 55 */ 56 asmlinkage long sys_add_key(const char __user *_type, 57 const char __user *_description, 58 const void __user *_payload, 59 size_t plen, 60 key_serial_t ringid) 61 { 62 key_ref_t keyring_ref, key_ref; 63 char type[32], *description; 64 void *payload; 65 long ret; 66 bool vm; 67 68 ret = -EINVAL; 69 if (plen > 1024 * 1024 - 1) 70 goto error; 71 72 /* draw all the data into kernel space */ 73 ret = key_get_type_from_user(type, _type, sizeof(type)); 74 if (ret < 0) 75 goto error; 76 77 description = strndup_user(_description, PAGE_SIZE); 78 if (IS_ERR(description)) { 79 ret = PTR_ERR(description); 80 goto error; 81 } 82 83 /* pull the payload in if one was supplied */ 84 payload = NULL; 85 86 vm = false; 87 if (_payload) { 88 ret = -ENOMEM; 89 payload = kmalloc(plen, GFP_KERNEL); 90 if (!payload) { 91 if (plen <= PAGE_SIZE) 92 goto error2; 93 vm = true; 94 payload = vmalloc(plen); 95 if (!payload) 96 goto error2; 97 } 98 99 ret = -EFAULT; 100 if (copy_from_user(payload, _payload, plen) != 0) 101 goto error3; 102 } 103 104 /* find the target keyring (which must be writable) */ 105 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 106 if (IS_ERR(keyring_ref)) { 107 ret = PTR_ERR(keyring_ref); 108 goto error3; 109 } 110 111 /* create or update the requested key and add it to the target 112 * keyring */ 113 key_ref = key_create_or_update(keyring_ref, type, description, 114 payload, plen, KEY_ALLOC_IN_QUOTA); 115 if (!IS_ERR(key_ref)) { 116 ret = key_ref_to_ptr(key_ref)->serial; 117 key_ref_put(key_ref); 118 } 119 else { 120 ret = PTR_ERR(key_ref); 121 } 122 123 key_ref_put(keyring_ref); 124 error3: 125 if (!vm) 126 kfree(payload); 127 else 128 vfree(payload); 129 error2: 130 kfree(description); 131 error: 132 return ret; 133 134 } /* end sys_add_key() */ 135 136 /*****************************************************************************/ 137 /* 138 * search the process keyrings for a matching key 139 * - nested keyrings may also be searched if they have Search permission 140 * - if a key is found, it will be attached to the destination keyring if 141 * there's one specified 142 * - /sbin/request-key will be invoked if _callout_info is non-NULL 143 * - the _callout_info string will be passed to /sbin/request-key 144 * - if the _callout_info string is empty, it will be rendered as "-" 145 * - implements request_key() 146 */ 147 asmlinkage long sys_request_key(const char __user *_type, 148 const char __user *_description, 149 const char __user *_callout_info, 150 key_serial_t destringid) 151 { 152 struct key_type *ktype; 153 struct key *key; 154 key_ref_t dest_ref; 155 size_t callout_len; 156 char type[32], *description, *callout_info; 157 long ret; 158 159 /* pull the type into kernel space */ 160 ret = key_get_type_from_user(type, _type, sizeof(type)); 161 if (ret < 0) 162 goto error; 163 164 /* pull the description into kernel space */ 165 description = strndup_user(_description, PAGE_SIZE); 166 if (IS_ERR(description)) { 167 ret = PTR_ERR(description); 168 goto error; 169 } 170 171 /* pull the callout info into kernel space */ 172 callout_info = NULL; 173 callout_len = 0; 174 if (_callout_info) { 175 callout_info = strndup_user(_callout_info, PAGE_SIZE); 176 if (IS_ERR(callout_info)) { 177 ret = PTR_ERR(callout_info); 178 goto error2; 179 } 180 callout_len = strlen(callout_info); 181 } 182 183 /* get the destination keyring if specified */ 184 dest_ref = NULL; 185 if (destringid) { 186 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 187 if (IS_ERR(dest_ref)) { 188 ret = PTR_ERR(dest_ref); 189 goto error3; 190 } 191 } 192 193 /* find the key type */ 194 ktype = key_type_lookup(type); 195 if (IS_ERR(ktype)) { 196 ret = PTR_ERR(ktype); 197 goto error4; 198 } 199 200 /* do the search */ 201 key = request_key_and_link(ktype, description, callout_info, 202 callout_len, NULL, key_ref_to_ptr(dest_ref), 203 KEY_ALLOC_IN_QUOTA); 204 if (IS_ERR(key)) { 205 ret = PTR_ERR(key); 206 goto error5; 207 } 208 209 ret = key->serial; 210 211 key_put(key); 212 error5: 213 key_type_put(ktype); 214 error4: 215 key_ref_put(dest_ref); 216 error3: 217 kfree(callout_info); 218 error2: 219 kfree(description); 220 error: 221 return ret; 222 223 } /* end sys_request_key() */ 224 225 /*****************************************************************************/ 226 /* 227 * get the ID of the specified process keyring 228 * - the keyring must have search permission to be found 229 * - implements keyctl(KEYCTL_GET_KEYRING_ID) 230 */ 231 long keyctl_get_keyring_ID(key_serial_t id, int create) 232 { 233 key_ref_t key_ref; 234 long ret; 235 236 key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); 237 if (IS_ERR(key_ref)) { 238 ret = PTR_ERR(key_ref); 239 goto error; 240 } 241 242 ret = key_ref_to_ptr(key_ref)->serial; 243 key_ref_put(key_ref); 244 error: 245 return ret; 246 247 } /* end keyctl_get_keyring_ID() */ 248 249 /*****************************************************************************/ 250 /* 251 * join the session keyring 252 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING) 253 */ 254 long keyctl_join_session_keyring(const char __user *_name) 255 { 256 char *name; 257 long ret; 258 259 /* fetch the name from userspace */ 260 name = NULL; 261 if (_name) { 262 name = strndup_user(_name, PAGE_SIZE); 263 if (IS_ERR(name)) { 264 ret = PTR_ERR(name); 265 goto error; 266 } 267 } 268 269 /* join the session */ 270 ret = join_session_keyring(name); 271 272 error: 273 return ret; 274 275 } /* end keyctl_join_session_keyring() */ 276 277 /*****************************************************************************/ 278 /* 279 * update a key's data payload 280 * - the key must be writable 281 * - implements keyctl(KEYCTL_UPDATE) 282 */ 283 long keyctl_update_key(key_serial_t id, 284 const void __user *_payload, 285 size_t plen) 286 { 287 key_ref_t key_ref; 288 void *payload; 289 long ret; 290 291 ret = -EINVAL; 292 if (plen > PAGE_SIZE) 293 goto error; 294 295 /* pull the payload in if one was supplied */ 296 payload = NULL; 297 if (_payload) { 298 ret = -ENOMEM; 299 payload = kmalloc(plen, GFP_KERNEL); 300 if (!payload) 301 goto error; 302 303 ret = -EFAULT; 304 if (copy_from_user(payload, _payload, plen) != 0) 305 goto error2; 306 } 307 308 /* find the target key (which must be writable) */ 309 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 310 if (IS_ERR(key_ref)) { 311 ret = PTR_ERR(key_ref); 312 goto error2; 313 } 314 315 /* update the key */ 316 ret = key_update(key_ref, payload, plen); 317 318 key_ref_put(key_ref); 319 error2: 320 kfree(payload); 321 error: 322 return ret; 323 324 } /* end keyctl_update_key() */ 325 326 /*****************************************************************************/ 327 /* 328 * revoke a key 329 * - the key must be writable 330 * - implements keyctl(KEYCTL_REVOKE) 331 */ 332 long keyctl_revoke_key(key_serial_t id) 333 { 334 key_ref_t key_ref; 335 long ret; 336 337 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 338 if (IS_ERR(key_ref)) { 339 ret = PTR_ERR(key_ref); 340 goto error; 341 } 342 343 key_revoke(key_ref_to_ptr(key_ref)); 344 ret = 0; 345 346 key_ref_put(key_ref); 347 error: 348 return ret; 349 350 } /* end keyctl_revoke_key() */ 351 352 /*****************************************************************************/ 353 /* 354 * clear the specified process keyring 355 * - the keyring must be writable 356 * - implements keyctl(KEYCTL_CLEAR) 357 */ 358 long keyctl_keyring_clear(key_serial_t ringid) 359 { 360 key_ref_t keyring_ref; 361 long ret; 362 363 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 364 if (IS_ERR(keyring_ref)) { 365 ret = PTR_ERR(keyring_ref); 366 goto error; 367 } 368 369 ret = keyring_clear(key_ref_to_ptr(keyring_ref)); 370 371 key_ref_put(keyring_ref); 372 error: 373 return ret; 374 375 } /* end keyctl_keyring_clear() */ 376 377 /*****************************************************************************/ 378 /* 379 * link a key into a keyring 380 * - the keyring must be writable 381 * - the key must be linkable 382 * - implements keyctl(KEYCTL_LINK) 383 */ 384 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 385 { 386 key_ref_t keyring_ref, key_ref; 387 long ret; 388 389 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 390 if (IS_ERR(keyring_ref)) { 391 ret = PTR_ERR(keyring_ref); 392 goto error; 393 } 394 395 key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK); 396 if (IS_ERR(key_ref)) { 397 ret = PTR_ERR(key_ref); 398 goto error2; 399 } 400 401 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 402 403 key_ref_put(key_ref); 404 error2: 405 key_ref_put(keyring_ref); 406 error: 407 return ret; 408 409 } /* end keyctl_keyring_link() */ 410 411 /*****************************************************************************/ 412 /* 413 * unlink the first attachment of a key from a keyring 414 * - the keyring must be writable 415 * - we don't need any permissions on the key 416 * - implements keyctl(KEYCTL_UNLINK) 417 */ 418 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 419 { 420 key_ref_t keyring_ref, key_ref; 421 long ret; 422 423 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); 424 if (IS_ERR(keyring_ref)) { 425 ret = PTR_ERR(keyring_ref); 426 goto error; 427 } 428 429 key_ref = lookup_user_key(NULL, id, 0, 0, 0); 430 if (IS_ERR(key_ref)) { 431 ret = PTR_ERR(key_ref); 432 goto error2; 433 } 434 435 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 436 437 key_ref_put(key_ref); 438 error2: 439 key_ref_put(keyring_ref); 440 error: 441 return ret; 442 443 } /* end keyctl_keyring_unlink() */ 444 445 /*****************************************************************************/ 446 /* 447 * describe a user key 448 * - the key must have view permission 449 * - if there's a buffer, we place up to buflen bytes of data into it 450 * - unless there's an error, we return the amount of description available, 451 * irrespective of how much we may have copied 452 * - the description is formatted thus: 453 * type;uid;gid;perm;description<NUL> 454 * - implements keyctl(KEYCTL_DESCRIBE) 455 */ 456 long keyctl_describe_key(key_serial_t keyid, 457 char __user *buffer, 458 size_t buflen) 459 { 460 struct key *key, *instkey; 461 key_ref_t key_ref; 462 char *tmpbuf; 463 long ret; 464 465 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 466 if (IS_ERR(key_ref)) { 467 /* viewing a key under construction is permitted if we have the 468 * authorisation token handy */ 469 if (PTR_ERR(key_ref) == -EACCES) { 470 instkey = key_get_instantiation_authkey(keyid); 471 if (!IS_ERR(instkey)) { 472 key_put(instkey); 473 key_ref = lookup_user_key(NULL, keyid, 474 0, 1, 0); 475 if (!IS_ERR(key_ref)) 476 goto okay; 477 } 478 } 479 480 ret = PTR_ERR(key_ref); 481 goto error; 482 } 483 484 okay: 485 /* calculate how much description we're going to return */ 486 ret = -ENOMEM; 487 tmpbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); 488 if (!tmpbuf) 489 goto error2; 490 491 key = key_ref_to_ptr(key_ref); 492 493 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 494 "%s;%d;%d;%08x;%s", 495 key_ref_to_ptr(key_ref)->type->name, 496 key_ref_to_ptr(key_ref)->uid, 497 key_ref_to_ptr(key_ref)->gid, 498 key_ref_to_ptr(key_ref)->perm, 499 key_ref_to_ptr(key_ref)->description ? 500 key_ref_to_ptr(key_ref)->description : "" 501 ); 502 503 /* include a NUL char at the end of the data */ 504 if (ret > PAGE_SIZE - 1) 505 ret = PAGE_SIZE - 1; 506 tmpbuf[ret] = 0; 507 ret++; 508 509 /* consider returning the data */ 510 if (buffer && buflen > 0) { 511 if (buflen > ret) 512 buflen = ret; 513 514 if (copy_to_user(buffer, tmpbuf, buflen) != 0) 515 ret = -EFAULT; 516 } 517 518 kfree(tmpbuf); 519 error2: 520 key_ref_put(key_ref); 521 error: 522 return ret; 523 524 } /* end keyctl_describe_key() */ 525 526 /*****************************************************************************/ 527 /* 528 * search the specified keyring for a matching key 529 * - the start keyring must be searchable 530 * - nested keyrings may also be searched if they are searchable 531 * - only keys with search permission may be found 532 * - if a key is found, it will be attached to the destination keyring if 533 * there's one specified 534 * - implements keyctl(KEYCTL_SEARCH) 535 */ 536 long keyctl_keyring_search(key_serial_t ringid, 537 const char __user *_type, 538 const char __user *_description, 539 key_serial_t destringid) 540 { 541 struct key_type *ktype; 542 key_ref_t keyring_ref, key_ref, dest_ref; 543 char type[32], *description; 544 long ret; 545 546 /* pull the type and description into kernel space */ 547 ret = key_get_type_from_user(type, _type, sizeof(type)); 548 if (ret < 0) 549 goto error; 550 551 description = strndup_user(_description, PAGE_SIZE); 552 if (IS_ERR(description)) { 553 ret = PTR_ERR(description); 554 goto error; 555 } 556 557 /* get the keyring at which to begin the search */ 558 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); 559 if (IS_ERR(keyring_ref)) { 560 ret = PTR_ERR(keyring_ref); 561 goto error2; 562 } 563 564 /* get the destination keyring if specified */ 565 dest_ref = NULL; 566 if (destringid) { 567 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 568 if (IS_ERR(dest_ref)) { 569 ret = PTR_ERR(dest_ref); 570 goto error3; 571 } 572 } 573 574 /* find the key type */ 575 ktype = key_type_lookup(type); 576 if (IS_ERR(ktype)) { 577 ret = PTR_ERR(ktype); 578 goto error4; 579 } 580 581 /* do the search */ 582 key_ref = keyring_search(keyring_ref, ktype, description); 583 if (IS_ERR(key_ref)) { 584 ret = PTR_ERR(key_ref); 585 586 /* treat lack or presence of a negative key the same */ 587 if (ret == -EAGAIN) 588 ret = -ENOKEY; 589 goto error5; 590 } 591 592 /* link the resulting key to the destination keyring if we can */ 593 if (dest_ref) { 594 ret = key_permission(key_ref, KEY_LINK); 595 if (ret < 0) 596 goto error6; 597 598 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 599 if (ret < 0) 600 goto error6; 601 } 602 603 ret = key_ref_to_ptr(key_ref)->serial; 604 605 error6: 606 key_ref_put(key_ref); 607 error5: 608 key_type_put(ktype); 609 error4: 610 key_ref_put(dest_ref); 611 error3: 612 key_ref_put(keyring_ref); 613 error2: 614 kfree(description); 615 error: 616 return ret; 617 618 } /* end keyctl_keyring_search() */ 619 620 /*****************************************************************************/ 621 /* 622 * read a user key's payload 623 * - the keyring must be readable or the key must be searchable from the 624 * process's keyrings 625 * - if there's a buffer, we place up to buflen bytes of data into it 626 * - unless there's an error, we return the amount of data in the key, 627 * irrespective of how much we may have copied 628 * - implements keyctl(KEYCTL_READ) 629 */ 630 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 631 { 632 struct key *key; 633 key_ref_t key_ref; 634 long ret; 635 636 /* find the key first */ 637 key_ref = lookup_user_key(NULL, keyid, 0, 0, 0); 638 if (IS_ERR(key_ref)) { 639 ret = -ENOKEY; 640 goto error; 641 } 642 643 key = key_ref_to_ptr(key_ref); 644 645 /* see if we can read it directly */ 646 ret = key_permission(key_ref, KEY_READ); 647 if (ret == 0) 648 goto can_read_key; 649 if (ret != -EACCES) 650 goto error; 651 652 /* we can't; see if it's searchable from this process's keyrings 653 * - we automatically take account of the fact that it may be 654 * dangling off an instantiation key 655 */ 656 if (!is_key_possessed(key_ref)) { 657 ret = -EACCES; 658 goto error2; 659 } 660 661 /* the key is probably readable - now try to read it */ 662 can_read_key: 663 ret = key_validate(key); 664 if (ret == 0) { 665 ret = -EOPNOTSUPP; 666 if (key->type->read) { 667 /* read the data with the semaphore held (since we 668 * might sleep) */ 669 down_read(&key->sem); 670 ret = key->type->read(key, buffer, buflen); 671 up_read(&key->sem); 672 } 673 } 674 675 error2: 676 key_put(key); 677 error: 678 return ret; 679 680 } /* end keyctl_read_key() */ 681 682 /*****************************************************************************/ 683 /* 684 * change the ownership of a key 685 * - the keyring owned by the changer 686 * - if the uid or gid is -1, then that parameter is not changed 687 * - implements keyctl(KEYCTL_CHOWN) 688 */ 689 long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 690 { 691 struct key_user *newowner, *zapowner = NULL; 692 struct key *key; 693 key_ref_t key_ref; 694 long ret; 695 696 ret = 0; 697 if (uid == (uid_t) -1 && gid == (gid_t) -1) 698 goto error; 699 700 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 701 if (IS_ERR(key_ref)) { 702 ret = PTR_ERR(key_ref); 703 goto error; 704 } 705 706 key = key_ref_to_ptr(key_ref); 707 708 /* make the changes with the locks held to prevent chown/chown races */ 709 ret = -EACCES; 710 down_write(&key->sem); 711 712 if (!capable(CAP_SYS_ADMIN)) { 713 /* only the sysadmin can chown a key to some other UID */ 714 if (uid != (uid_t) -1 && key->uid != uid) 715 goto error_put; 716 717 /* only the sysadmin can set the key's GID to a group other 718 * than one of those that the current process subscribes to */ 719 if (gid != (gid_t) -1 && gid != key->gid && !in_group_p(gid)) 720 goto error_put; 721 } 722 723 /* change the UID */ 724 if (uid != (uid_t) -1 && uid != key->uid) { 725 ret = -ENOMEM; 726 newowner = key_user_lookup(uid); 727 if (!newowner) 728 goto error_put; 729 730 /* transfer the quota burden to the new user */ 731 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 732 spin_lock(&newowner->lock); 733 if (newowner->qnkeys + 1 >= KEYQUOTA_MAX_KEYS || 734 newowner->qnbytes + key->quotalen >= 735 KEYQUOTA_MAX_BYTES) 736 goto quota_overrun; 737 738 newowner->qnkeys++; 739 newowner->qnbytes += key->quotalen; 740 spin_unlock(&newowner->lock); 741 742 spin_lock(&key->user->lock); 743 key->user->qnkeys--; 744 key->user->qnbytes -= key->quotalen; 745 spin_unlock(&key->user->lock); 746 } 747 748 atomic_dec(&key->user->nkeys); 749 atomic_inc(&newowner->nkeys); 750 751 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 752 atomic_dec(&key->user->nikeys); 753 atomic_inc(&newowner->nikeys); 754 } 755 756 zapowner = key->user; 757 key->user = newowner; 758 key->uid = uid; 759 } 760 761 /* change the GID */ 762 if (gid != (gid_t) -1) 763 key->gid = gid; 764 765 ret = 0; 766 767 error_put: 768 up_write(&key->sem); 769 key_put(key); 770 if (zapowner) 771 key_user_put(zapowner); 772 error: 773 return ret; 774 775 quota_overrun: 776 spin_unlock(&newowner->lock); 777 zapowner = newowner; 778 ret = -EDQUOT; 779 goto error_put; 780 781 } /* end keyctl_chown_key() */ 782 783 /*****************************************************************************/ 784 /* 785 * change the permission mask on a key 786 * - the keyring owned by the changer 787 * - implements keyctl(KEYCTL_SETPERM) 788 */ 789 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 790 { 791 struct key *key; 792 key_ref_t key_ref; 793 long ret; 794 795 ret = -EINVAL; 796 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 797 goto error; 798 799 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 800 if (IS_ERR(key_ref)) { 801 ret = PTR_ERR(key_ref); 802 goto error; 803 } 804 805 key = key_ref_to_ptr(key_ref); 806 807 /* make the changes with the locks held to prevent chown/chmod races */ 808 ret = -EACCES; 809 down_write(&key->sem); 810 811 /* if we're not the sysadmin, we can only change a key that we own */ 812 if (capable(CAP_SYS_ADMIN) || key->uid == current->fsuid) { 813 key->perm = perm; 814 ret = 0; 815 } 816 817 up_write(&key->sem); 818 key_put(key); 819 error: 820 return ret; 821 822 } /* end keyctl_setperm_key() */ 823 824 /*****************************************************************************/ 825 /* 826 * instantiate the key with the specified payload, and, if one is given, link 827 * the key into the keyring 828 */ 829 long keyctl_instantiate_key(key_serial_t id, 830 const void __user *_payload, 831 size_t plen, 832 key_serial_t ringid) 833 { 834 struct request_key_auth *rka; 835 struct key *instkey; 836 key_ref_t keyring_ref; 837 void *payload; 838 long ret; 839 bool vm = false; 840 841 ret = -EINVAL; 842 if (plen > 1024 * 1024 - 1) 843 goto error; 844 845 /* the appropriate instantiation authorisation key must have been 846 * assumed before calling this */ 847 ret = -EPERM; 848 instkey = current->request_key_auth; 849 if (!instkey) 850 goto error; 851 852 rka = instkey->payload.data; 853 if (rka->target_key->serial != id) 854 goto error; 855 856 /* pull the payload in if one was supplied */ 857 payload = NULL; 858 859 if (_payload) { 860 ret = -ENOMEM; 861 payload = kmalloc(plen, GFP_KERNEL); 862 if (!payload) { 863 if (plen <= PAGE_SIZE) 864 goto error; 865 vm = true; 866 payload = vmalloc(plen); 867 if (!payload) 868 goto error; 869 } 870 871 ret = -EFAULT; 872 if (copy_from_user(payload, _payload, plen) != 0) 873 goto error2; 874 } 875 876 /* find the destination keyring amongst those belonging to the 877 * requesting task */ 878 keyring_ref = NULL; 879 if (ringid) { 880 keyring_ref = lookup_user_key(rka->context, ringid, 1, 0, 881 KEY_WRITE); 882 if (IS_ERR(keyring_ref)) { 883 ret = PTR_ERR(keyring_ref); 884 goto error2; 885 } 886 } 887 888 /* instantiate the key and link it into a keyring */ 889 ret = key_instantiate_and_link(rka->target_key, payload, plen, 890 key_ref_to_ptr(keyring_ref), instkey); 891 892 key_ref_put(keyring_ref); 893 894 /* discard the assumed authority if it's just been disabled by 895 * instantiation of the key */ 896 if (ret == 0) { 897 key_put(current->request_key_auth); 898 current->request_key_auth = NULL; 899 } 900 901 error2: 902 if (!vm) 903 kfree(payload); 904 else 905 vfree(payload); 906 error: 907 return ret; 908 909 } /* end keyctl_instantiate_key() */ 910 911 /*****************************************************************************/ 912 /* 913 * negatively instantiate the key with the given timeout (in seconds), and, if 914 * one is given, link the key into the keyring 915 */ 916 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 917 { 918 struct request_key_auth *rka; 919 struct key *instkey; 920 key_ref_t keyring_ref; 921 long ret; 922 923 /* the appropriate instantiation authorisation key must have been 924 * assumed before calling this */ 925 ret = -EPERM; 926 instkey = current->request_key_auth; 927 if (!instkey) 928 goto error; 929 930 rka = instkey->payload.data; 931 if (rka->target_key->serial != id) 932 goto error; 933 934 /* find the destination keyring if present (which must also be 935 * writable) */ 936 keyring_ref = NULL; 937 if (ringid) { 938 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 939 if (IS_ERR(keyring_ref)) { 940 ret = PTR_ERR(keyring_ref); 941 goto error; 942 } 943 } 944 945 /* instantiate the key and link it into a keyring */ 946 ret = key_negate_and_link(rka->target_key, timeout, 947 key_ref_to_ptr(keyring_ref), instkey); 948 949 key_ref_put(keyring_ref); 950 951 /* discard the assumed authority if it's just been disabled by 952 * instantiation of the key */ 953 if (ret == 0) { 954 key_put(current->request_key_auth); 955 current->request_key_auth = NULL; 956 } 957 958 error: 959 return ret; 960 961 } /* end keyctl_negate_key() */ 962 963 /*****************************************************************************/ 964 /* 965 * set the default keyring in which request_key() will cache keys 966 * - return the old setting 967 */ 968 long keyctl_set_reqkey_keyring(int reqkey_defl) 969 { 970 int ret; 971 972 switch (reqkey_defl) { 973 case KEY_REQKEY_DEFL_THREAD_KEYRING: 974 ret = install_thread_keyring(current); 975 if (ret < 0) 976 return ret; 977 goto set; 978 979 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 980 ret = install_process_keyring(current); 981 if (ret < 0) 982 return ret; 983 984 case KEY_REQKEY_DEFL_DEFAULT: 985 case KEY_REQKEY_DEFL_SESSION_KEYRING: 986 case KEY_REQKEY_DEFL_USER_KEYRING: 987 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 988 set: 989 current->jit_keyring = reqkey_defl; 990 991 case KEY_REQKEY_DEFL_NO_CHANGE: 992 return current->jit_keyring; 993 994 case KEY_REQKEY_DEFL_GROUP_KEYRING: 995 default: 996 return -EINVAL; 997 } 998 999 } /* end keyctl_set_reqkey_keyring() */ 1000 1001 /*****************************************************************************/ 1002 /* 1003 * set or clear the timeout for a key 1004 */ 1005 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1006 { 1007 struct timespec now; 1008 struct key *key; 1009 key_ref_t key_ref; 1010 time_t expiry; 1011 long ret; 1012 1013 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 1014 if (IS_ERR(key_ref)) { 1015 ret = PTR_ERR(key_ref); 1016 goto error; 1017 } 1018 1019 key = key_ref_to_ptr(key_ref); 1020 1021 /* make the changes with the locks held to prevent races */ 1022 down_write(&key->sem); 1023 1024 expiry = 0; 1025 if (timeout > 0) { 1026 now = current_kernel_time(); 1027 expiry = now.tv_sec + timeout; 1028 } 1029 1030 key->expiry = expiry; 1031 1032 up_write(&key->sem); 1033 key_put(key); 1034 1035 ret = 0; 1036 error: 1037 return ret; 1038 1039 } /* end keyctl_set_timeout() */ 1040 1041 /*****************************************************************************/ 1042 /* 1043 * assume the authority to instantiate the specified key 1044 */ 1045 long keyctl_assume_authority(key_serial_t id) 1046 { 1047 struct key *authkey; 1048 long ret; 1049 1050 /* special key IDs aren't permitted */ 1051 ret = -EINVAL; 1052 if (id < 0) 1053 goto error; 1054 1055 /* we divest ourselves of authority if given an ID of 0 */ 1056 if (id == 0) { 1057 key_put(current->request_key_auth); 1058 current->request_key_auth = NULL; 1059 ret = 0; 1060 goto error; 1061 } 1062 1063 /* attempt to assume the authority temporarily granted to us whilst we 1064 * instantiate the specified key 1065 * - the authorisation key must be in the current task's keyrings 1066 * somewhere 1067 */ 1068 authkey = key_get_instantiation_authkey(id); 1069 if (IS_ERR(authkey)) { 1070 ret = PTR_ERR(authkey); 1071 goto error; 1072 } 1073 1074 key_put(current->request_key_auth); 1075 current->request_key_auth = authkey; 1076 ret = authkey->serial; 1077 1078 error: 1079 return ret; 1080 1081 } /* end keyctl_assume_authority() */ 1082 1083 /*****************************************************************************/ 1084 /* 1085 * the key control system call 1086 */ 1087 asmlinkage long sys_keyctl(int option, unsigned long arg2, unsigned long arg3, 1088 unsigned long arg4, unsigned long arg5) 1089 { 1090 switch (option) { 1091 case KEYCTL_GET_KEYRING_ID: 1092 return keyctl_get_keyring_ID((key_serial_t) arg2, 1093 (int) arg3); 1094 1095 case KEYCTL_JOIN_SESSION_KEYRING: 1096 return keyctl_join_session_keyring((const char __user *) arg2); 1097 1098 case KEYCTL_UPDATE: 1099 return keyctl_update_key((key_serial_t) arg2, 1100 (const void __user *) arg3, 1101 (size_t) arg4); 1102 1103 case KEYCTL_REVOKE: 1104 return keyctl_revoke_key((key_serial_t) arg2); 1105 1106 case KEYCTL_DESCRIBE: 1107 return keyctl_describe_key((key_serial_t) arg2, 1108 (char __user *) arg3, 1109 (unsigned) arg4); 1110 1111 case KEYCTL_CLEAR: 1112 return keyctl_keyring_clear((key_serial_t) arg2); 1113 1114 case KEYCTL_LINK: 1115 return keyctl_keyring_link((key_serial_t) arg2, 1116 (key_serial_t) arg3); 1117 1118 case KEYCTL_UNLINK: 1119 return keyctl_keyring_unlink((key_serial_t) arg2, 1120 (key_serial_t) arg3); 1121 1122 case KEYCTL_SEARCH: 1123 return keyctl_keyring_search((key_serial_t) arg2, 1124 (const char __user *) arg3, 1125 (const char __user *) arg4, 1126 (key_serial_t) arg5); 1127 1128 case KEYCTL_READ: 1129 return keyctl_read_key((key_serial_t) arg2, 1130 (char __user *) arg3, 1131 (size_t) arg4); 1132 1133 case KEYCTL_CHOWN: 1134 return keyctl_chown_key((key_serial_t) arg2, 1135 (uid_t) arg3, 1136 (gid_t) arg4); 1137 1138 case KEYCTL_SETPERM: 1139 return keyctl_setperm_key((key_serial_t) arg2, 1140 (key_perm_t) arg3); 1141 1142 case KEYCTL_INSTANTIATE: 1143 return keyctl_instantiate_key((key_serial_t) arg2, 1144 (const void __user *) arg3, 1145 (size_t) arg4, 1146 (key_serial_t) arg5); 1147 1148 case KEYCTL_NEGATE: 1149 return keyctl_negate_key((key_serial_t) arg2, 1150 (unsigned) arg3, 1151 (key_serial_t) arg4); 1152 1153 case KEYCTL_SET_REQKEY_KEYRING: 1154 return keyctl_set_reqkey_keyring(arg2); 1155 1156 case KEYCTL_SET_TIMEOUT: 1157 return keyctl_set_timeout((key_serial_t) arg2, 1158 (unsigned) arg3); 1159 1160 case KEYCTL_ASSUME_AUTHORITY: 1161 return keyctl_assume_authority((key_serial_t) arg2); 1162 1163 default: 1164 return -EOPNOTSUPP; 1165 } 1166 1167 } /* end sys_keyctl() */ 1168