1 /* keyctl.c: userspace keyctl operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/syscalls.h> 17 #include <linux/keyctl.h> 18 #include <linux/fs.h> 19 #include <linux/capability.h> 20 #include <linux/string.h> 21 #include <linux/err.h> 22 #include <linux/vmalloc.h> 23 #include <linux/security.h> 24 #include <asm/uaccess.h> 25 #include "internal.h" 26 27 static int key_get_type_from_user(char *type, 28 const char __user *_type, 29 unsigned len) 30 { 31 int ret; 32 33 ret = strncpy_from_user(type, _type, len); 34 35 if (ret < 0) 36 return -EFAULT; 37 38 if (ret == 0 || ret >= len) 39 return -EINVAL; 40 41 if (type[0] == '.') 42 return -EPERM; 43 44 type[len - 1] = '\0'; 45 46 return 0; 47 } 48 49 /*****************************************************************************/ 50 /* 51 * extract the description of a new key from userspace and either add it as a 52 * new key to the specified keyring or update a matching key in that keyring 53 * - the keyring must be writable 54 * - returns the new key's serial number 55 * - implements add_key() 56 */ 57 asmlinkage long sys_add_key(const char __user *_type, 58 const char __user *_description, 59 const void __user *_payload, 60 size_t plen, 61 key_serial_t ringid) 62 { 63 key_ref_t keyring_ref, key_ref; 64 char type[32], *description; 65 void *payload; 66 long ret; 67 bool vm; 68 69 ret = -EINVAL; 70 if (plen > 1024 * 1024 - 1) 71 goto error; 72 73 /* draw all the data into kernel space */ 74 ret = key_get_type_from_user(type, _type, sizeof(type)); 75 if (ret < 0) 76 goto error; 77 78 description = strndup_user(_description, PAGE_SIZE); 79 if (IS_ERR(description)) { 80 ret = PTR_ERR(description); 81 goto error; 82 } 83 84 /* pull the payload in if one was supplied */ 85 payload = NULL; 86 87 vm = false; 88 if (_payload) { 89 ret = -ENOMEM; 90 payload = kmalloc(plen, GFP_KERNEL); 91 if (!payload) { 92 if (plen <= PAGE_SIZE) 93 goto error2; 94 vm = true; 95 payload = vmalloc(plen); 96 if (!payload) 97 goto error2; 98 } 99 100 ret = -EFAULT; 101 if (copy_from_user(payload, _payload, plen) != 0) 102 goto error3; 103 } 104 105 /* find the target keyring (which must be writable) */ 106 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 107 if (IS_ERR(keyring_ref)) { 108 ret = PTR_ERR(keyring_ref); 109 goto error3; 110 } 111 112 /* create or update the requested key and add it to the target 113 * keyring */ 114 key_ref = key_create_or_update(keyring_ref, type, description, 115 payload, plen, KEY_ALLOC_IN_QUOTA); 116 if (!IS_ERR(key_ref)) { 117 ret = key_ref_to_ptr(key_ref)->serial; 118 key_ref_put(key_ref); 119 } 120 else { 121 ret = PTR_ERR(key_ref); 122 } 123 124 key_ref_put(keyring_ref); 125 error3: 126 if (!vm) 127 kfree(payload); 128 else 129 vfree(payload); 130 error2: 131 kfree(description); 132 error: 133 return ret; 134 135 } /* end sys_add_key() */ 136 137 /*****************************************************************************/ 138 /* 139 * search the process keyrings for a matching key 140 * - nested keyrings may also be searched if they have Search permission 141 * - if a key is found, it will be attached to the destination keyring if 142 * there's one specified 143 * - /sbin/request-key will be invoked if _callout_info is non-NULL 144 * - the _callout_info string will be passed to /sbin/request-key 145 * - if the _callout_info string is empty, it will be rendered as "-" 146 * - implements request_key() 147 */ 148 asmlinkage long sys_request_key(const char __user *_type, 149 const char __user *_description, 150 const char __user *_callout_info, 151 key_serial_t destringid) 152 { 153 struct key_type *ktype; 154 struct key *key; 155 key_ref_t dest_ref; 156 size_t callout_len; 157 char type[32], *description, *callout_info; 158 long ret; 159 160 /* pull the type into kernel space */ 161 ret = key_get_type_from_user(type, _type, sizeof(type)); 162 if (ret < 0) 163 goto error; 164 165 /* pull the description into kernel space */ 166 description = strndup_user(_description, PAGE_SIZE); 167 if (IS_ERR(description)) { 168 ret = PTR_ERR(description); 169 goto error; 170 } 171 172 /* pull the callout info into kernel space */ 173 callout_info = NULL; 174 callout_len = 0; 175 if (_callout_info) { 176 callout_info = strndup_user(_callout_info, PAGE_SIZE); 177 if (IS_ERR(callout_info)) { 178 ret = PTR_ERR(callout_info); 179 goto error2; 180 } 181 callout_len = strlen(callout_info); 182 } 183 184 /* get the destination keyring if specified */ 185 dest_ref = NULL; 186 if (destringid) { 187 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 188 if (IS_ERR(dest_ref)) { 189 ret = PTR_ERR(dest_ref); 190 goto error3; 191 } 192 } 193 194 /* find the key type */ 195 ktype = key_type_lookup(type); 196 if (IS_ERR(ktype)) { 197 ret = PTR_ERR(ktype); 198 goto error4; 199 } 200 201 /* do the search */ 202 key = request_key_and_link(ktype, description, callout_info, 203 callout_len, NULL, key_ref_to_ptr(dest_ref), 204 KEY_ALLOC_IN_QUOTA); 205 if (IS_ERR(key)) { 206 ret = PTR_ERR(key); 207 goto error5; 208 } 209 210 ret = key->serial; 211 212 key_put(key); 213 error5: 214 key_type_put(ktype); 215 error4: 216 key_ref_put(dest_ref); 217 error3: 218 kfree(callout_info); 219 error2: 220 kfree(description); 221 error: 222 return ret; 223 224 } /* end sys_request_key() */ 225 226 /*****************************************************************************/ 227 /* 228 * get the ID of the specified process keyring 229 * - the keyring must have search permission to be found 230 * - implements keyctl(KEYCTL_GET_KEYRING_ID) 231 */ 232 long keyctl_get_keyring_ID(key_serial_t id, int create) 233 { 234 key_ref_t key_ref; 235 long ret; 236 237 key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); 238 if (IS_ERR(key_ref)) { 239 ret = PTR_ERR(key_ref); 240 goto error; 241 } 242 243 ret = key_ref_to_ptr(key_ref)->serial; 244 key_ref_put(key_ref); 245 error: 246 return ret; 247 248 } /* end keyctl_get_keyring_ID() */ 249 250 /*****************************************************************************/ 251 /* 252 * join the session keyring 253 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING) 254 */ 255 long keyctl_join_session_keyring(const char __user *_name) 256 { 257 char *name; 258 long ret; 259 260 /* fetch the name from userspace */ 261 name = NULL; 262 if (_name) { 263 name = strndup_user(_name, PAGE_SIZE); 264 if (IS_ERR(name)) { 265 ret = PTR_ERR(name); 266 goto error; 267 } 268 } 269 270 /* join the session */ 271 ret = join_session_keyring(name); 272 273 error: 274 return ret; 275 276 } /* end keyctl_join_session_keyring() */ 277 278 /*****************************************************************************/ 279 /* 280 * update a key's data payload 281 * - the key must be writable 282 * - implements keyctl(KEYCTL_UPDATE) 283 */ 284 long keyctl_update_key(key_serial_t id, 285 const void __user *_payload, 286 size_t plen) 287 { 288 key_ref_t key_ref; 289 void *payload; 290 long ret; 291 292 ret = -EINVAL; 293 if (plen > PAGE_SIZE) 294 goto error; 295 296 /* pull the payload in if one was supplied */ 297 payload = NULL; 298 if (_payload) { 299 ret = -ENOMEM; 300 payload = kmalloc(plen, GFP_KERNEL); 301 if (!payload) 302 goto error; 303 304 ret = -EFAULT; 305 if (copy_from_user(payload, _payload, plen) != 0) 306 goto error2; 307 } 308 309 /* find the target key (which must be writable) */ 310 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 311 if (IS_ERR(key_ref)) { 312 ret = PTR_ERR(key_ref); 313 goto error2; 314 } 315 316 /* update the key */ 317 ret = key_update(key_ref, payload, plen); 318 319 key_ref_put(key_ref); 320 error2: 321 kfree(payload); 322 error: 323 return ret; 324 325 } /* end keyctl_update_key() */ 326 327 /*****************************************************************************/ 328 /* 329 * revoke a key 330 * - the key must be writable 331 * - implements keyctl(KEYCTL_REVOKE) 332 */ 333 long keyctl_revoke_key(key_serial_t id) 334 { 335 key_ref_t key_ref; 336 long ret; 337 338 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 339 if (IS_ERR(key_ref)) { 340 ret = PTR_ERR(key_ref); 341 goto error; 342 } 343 344 key_revoke(key_ref_to_ptr(key_ref)); 345 ret = 0; 346 347 key_ref_put(key_ref); 348 error: 349 return ret; 350 351 } /* end keyctl_revoke_key() */ 352 353 /*****************************************************************************/ 354 /* 355 * clear the specified process keyring 356 * - the keyring must be writable 357 * - implements keyctl(KEYCTL_CLEAR) 358 */ 359 long keyctl_keyring_clear(key_serial_t ringid) 360 { 361 key_ref_t keyring_ref; 362 long ret; 363 364 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 365 if (IS_ERR(keyring_ref)) { 366 ret = PTR_ERR(keyring_ref); 367 goto error; 368 } 369 370 ret = keyring_clear(key_ref_to_ptr(keyring_ref)); 371 372 key_ref_put(keyring_ref); 373 error: 374 return ret; 375 376 } /* end keyctl_keyring_clear() */ 377 378 /*****************************************************************************/ 379 /* 380 * link a key into a keyring 381 * - the keyring must be writable 382 * - the key must be linkable 383 * - implements keyctl(KEYCTL_LINK) 384 */ 385 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 386 { 387 key_ref_t keyring_ref, key_ref; 388 long ret; 389 390 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 391 if (IS_ERR(keyring_ref)) { 392 ret = PTR_ERR(keyring_ref); 393 goto error; 394 } 395 396 key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK); 397 if (IS_ERR(key_ref)) { 398 ret = PTR_ERR(key_ref); 399 goto error2; 400 } 401 402 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 403 404 key_ref_put(key_ref); 405 error2: 406 key_ref_put(keyring_ref); 407 error: 408 return ret; 409 410 } /* end keyctl_keyring_link() */ 411 412 /*****************************************************************************/ 413 /* 414 * unlink the first attachment of a key from a keyring 415 * - the keyring must be writable 416 * - we don't need any permissions on the key 417 * - implements keyctl(KEYCTL_UNLINK) 418 */ 419 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 420 { 421 key_ref_t keyring_ref, key_ref; 422 long ret; 423 424 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); 425 if (IS_ERR(keyring_ref)) { 426 ret = PTR_ERR(keyring_ref); 427 goto error; 428 } 429 430 key_ref = lookup_user_key(NULL, id, 0, 0, 0); 431 if (IS_ERR(key_ref)) { 432 ret = PTR_ERR(key_ref); 433 goto error2; 434 } 435 436 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 437 438 key_ref_put(key_ref); 439 error2: 440 key_ref_put(keyring_ref); 441 error: 442 return ret; 443 444 } /* end keyctl_keyring_unlink() */ 445 446 /*****************************************************************************/ 447 /* 448 * describe a user key 449 * - the key must have view permission 450 * - if there's a buffer, we place up to buflen bytes of data into it 451 * - unless there's an error, we return the amount of description available, 452 * irrespective of how much we may have copied 453 * - the description is formatted thus: 454 * type;uid;gid;perm;description<NUL> 455 * - implements keyctl(KEYCTL_DESCRIBE) 456 */ 457 long keyctl_describe_key(key_serial_t keyid, 458 char __user *buffer, 459 size_t buflen) 460 { 461 struct key *key, *instkey; 462 key_ref_t key_ref; 463 char *tmpbuf; 464 long ret; 465 466 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 467 if (IS_ERR(key_ref)) { 468 /* viewing a key under construction is permitted if we have the 469 * authorisation token handy */ 470 if (PTR_ERR(key_ref) == -EACCES) { 471 instkey = key_get_instantiation_authkey(keyid); 472 if (!IS_ERR(instkey)) { 473 key_put(instkey); 474 key_ref = lookup_user_key(NULL, keyid, 475 0, 1, 0); 476 if (!IS_ERR(key_ref)) 477 goto okay; 478 } 479 } 480 481 ret = PTR_ERR(key_ref); 482 goto error; 483 } 484 485 okay: 486 /* calculate how much description we're going to return */ 487 ret = -ENOMEM; 488 tmpbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); 489 if (!tmpbuf) 490 goto error2; 491 492 key = key_ref_to_ptr(key_ref); 493 494 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 495 "%s;%d;%d;%08x;%s", 496 key_ref_to_ptr(key_ref)->type->name, 497 key_ref_to_ptr(key_ref)->uid, 498 key_ref_to_ptr(key_ref)->gid, 499 key_ref_to_ptr(key_ref)->perm, 500 key_ref_to_ptr(key_ref)->description ? 501 key_ref_to_ptr(key_ref)->description : "" 502 ); 503 504 /* include a NUL char at the end of the data */ 505 if (ret > PAGE_SIZE - 1) 506 ret = PAGE_SIZE - 1; 507 tmpbuf[ret] = 0; 508 ret++; 509 510 /* consider returning the data */ 511 if (buffer && buflen > 0) { 512 if (buflen > ret) 513 buflen = ret; 514 515 if (copy_to_user(buffer, tmpbuf, buflen) != 0) 516 ret = -EFAULT; 517 } 518 519 kfree(tmpbuf); 520 error2: 521 key_ref_put(key_ref); 522 error: 523 return ret; 524 525 } /* end keyctl_describe_key() */ 526 527 /*****************************************************************************/ 528 /* 529 * search the specified keyring for a matching key 530 * - the start keyring must be searchable 531 * - nested keyrings may also be searched if they are searchable 532 * - only keys with search permission may be found 533 * - if a key is found, it will be attached to the destination keyring if 534 * there's one specified 535 * - implements keyctl(KEYCTL_SEARCH) 536 */ 537 long keyctl_keyring_search(key_serial_t ringid, 538 const char __user *_type, 539 const char __user *_description, 540 key_serial_t destringid) 541 { 542 struct key_type *ktype; 543 key_ref_t keyring_ref, key_ref, dest_ref; 544 char type[32], *description; 545 long ret; 546 547 /* pull the type and description into kernel space */ 548 ret = key_get_type_from_user(type, _type, sizeof(type)); 549 if (ret < 0) 550 goto error; 551 552 description = strndup_user(_description, PAGE_SIZE); 553 if (IS_ERR(description)) { 554 ret = PTR_ERR(description); 555 goto error; 556 } 557 558 /* get the keyring at which to begin the search */ 559 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); 560 if (IS_ERR(keyring_ref)) { 561 ret = PTR_ERR(keyring_ref); 562 goto error2; 563 } 564 565 /* get the destination keyring if specified */ 566 dest_ref = NULL; 567 if (destringid) { 568 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 569 if (IS_ERR(dest_ref)) { 570 ret = PTR_ERR(dest_ref); 571 goto error3; 572 } 573 } 574 575 /* find the key type */ 576 ktype = key_type_lookup(type); 577 if (IS_ERR(ktype)) { 578 ret = PTR_ERR(ktype); 579 goto error4; 580 } 581 582 /* do the search */ 583 key_ref = keyring_search(keyring_ref, ktype, description); 584 if (IS_ERR(key_ref)) { 585 ret = PTR_ERR(key_ref); 586 587 /* treat lack or presence of a negative key the same */ 588 if (ret == -EAGAIN) 589 ret = -ENOKEY; 590 goto error5; 591 } 592 593 /* link the resulting key to the destination keyring if we can */ 594 if (dest_ref) { 595 ret = key_permission(key_ref, KEY_LINK); 596 if (ret < 0) 597 goto error6; 598 599 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 600 if (ret < 0) 601 goto error6; 602 } 603 604 ret = key_ref_to_ptr(key_ref)->serial; 605 606 error6: 607 key_ref_put(key_ref); 608 error5: 609 key_type_put(ktype); 610 error4: 611 key_ref_put(dest_ref); 612 error3: 613 key_ref_put(keyring_ref); 614 error2: 615 kfree(description); 616 error: 617 return ret; 618 619 } /* end keyctl_keyring_search() */ 620 621 /*****************************************************************************/ 622 /* 623 * read a user key's payload 624 * - the keyring must be readable or the key must be searchable from the 625 * process's keyrings 626 * - if there's a buffer, we place up to buflen bytes of data into it 627 * - unless there's an error, we return the amount of data in the key, 628 * irrespective of how much we may have copied 629 * - implements keyctl(KEYCTL_READ) 630 */ 631 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 632 { 633 struct key *key; 634 key_ref_t key_ref; 635 long ret; 636 637 /* find the key first */ 638 key_ref = lookup_user_key(NULL, keyid, 0, 0, 0); 639 if (IS_ERR(key_ref)) { 640 ret = -ENOKEY; 641 goto error; 642 } 643 644 key = key_ref_to_ptr(key_ref); 645 646 /* see if we can read it directly */ 647 ret = key_permission(key_ref, KEY_READ); 648 if (ret == 0) 649 goto can_read_key; 650 if (ret != -EACCES) 651 goto error; 652 653 /* we can't; see if it's searchable from this process's keyrings 654 * - we automatically take account of the fact that it may be 655 * dangling off an instantiation key 656 */ 657 if (!is_key_possessed(key_ref)) { 658 ret = -EACCES; 659 goto error2; 660 } 661 662 /* the key is probably readable - now try to read it */ 663 can_read_key: 664 ret = key_validate(key); 665 if (ret == 0) { 666 ret = -EOPNOTSUPP; 667 if (key->type->read) { 668 /* read the data with the semaphore held (since we 669 * might sleep) */ 670 down_read(&key->sem); 671 ret = key->type->read(key, buffer, buflen); 672 up_read(&key->sem); 673 } 674 } 675 676 error2: 677 key_put(key); 678 error: 679 return ret; 680 681 } /* end keyctl_read_key() */ 682 683 /*****************************************************************************/ 684 /* 685 * change the ownership of a key 686 * - the keyring owned by the changer 687 * - if the uid or gid is -1, then that parameter is not changed 688 * - implements keyctl(KEYCTL_CHOWN) 689 */ 690 long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 691 { 692 struct key_user *newowner, *zapowner = NULL; 693 struct key *key; 694 key_ref_t key_ref; 695 long ret; 696 697 ret = 0; 698 if (uid == (uid_t) -1 && gid == (gid_t) -1) 699 goto error; 700 701 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 702 if (IS_ERR(key_ref)) { 703 ret = PTR_ERR(key_ref); 704 goto error; 705 } 706 707 key = key_ref_to_ptr(key_ref); 708 709 /* make the changes with the locks held to prevent chown/chown races */ 710 ret = -EACCES; 711 down_write(&key->sem); 712 713 if (!capable(CAP_SYS_ADMIN)) { 714 /* only the sysadmin can chown a key to some other UID */ 715 if (uid != (uid_t) -1 && key->uid != uid) 716 goto error_put; 717 718 /* only the sysadmin can set the key's GID to a group other 719 * than one of those that the current process subscribes to */ 720 if (gid != (gid_t) -1 && gid != key->gid && !in_group_p(gid)) 721 goto error_put; 722 } 723 724 /* change the UID */ 725 if (uid != (uid_t) -1 && uid != key->uid) { 726 ret = -ENOMEM; 727 newowner = key_user_lookup(uid); 728 if (!newowner) 729 goto error_put; 730 731 /* transfer the quota burden to the new user */ 732 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 733 spin_lock(&newowner->lock); 734 if (newowner->qnkeys + 1 >= KEYQUOTA_MAX_KEYS || 735 newowner->qnbytes + key->quotalen >= 736 KEYQUOTA_MAX_BYTES) 737 goto quota_overrun; 738 739 newowner->qnkeys++; 740 newowner->qnbytes += key->quotalen; 741 spin_unlock(&newowner->lock); 742 743 spin_lock(&key->user->lock); 744 key->user->qnkeys--; 745 key->user->qnbytes -= key->quotalen; 746 spin_unlock(&key->user->lock); 747 } 748 749 atomic_dec(&key->user->nkeys); 750 atomic_inc(&newowner->nkeys); 751 752 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 753 atomic_dec(&key->user->nikeys); 754 atomic_inc(&newowner->nikeys); 755 } 756 757 zapowner = key->user; 758 key->user = newowner; 759 key->uid = uid; 760 } 761 762 /* change the GID */ 763 if (gid != (gid_t) -1) 764 key->gid = gid; 765 766 ret = 0; 767 768 error_put: 769 up_write(&key->sem); 770 key_put(key); 771 if (zapowner) 772 key_user_put(zapowner); 773 error: 774 return ret; 775 776 quota_overrun: 777 spin_unlock(&newowner->lock); 778 zapowner = newowner; 779 ret = -EDQUOT; 780 goto error_put; 781 782 } /* end keyctl_chown_key() */ 783 784 /*****************************************************************************/ 785 /* 786 * change the permission mask on a key 787 * - the keyring owned by the changer 788 * - implements keyctl(KEYCTL_SETPERM) 789 */ 790 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 791 { 792 struct key *key; 793 key_ref_t key_ref; 794 long ret; 795 796 ret = -EINVAL; 797 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 798 goto error; 799 800 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 801 if (IS_ERR(key_ref)) { 802 ret = PTR_ERR(key_ref); 803 goto error; 804 } 805 806 key = key_ref_to_ptr(key_ref); 807 808 /* make the changes with the locks held to prevent chown/chmod races */ 809 ret = -EACCES; 810 down_write(&key->sem); 811 812 /* if we're not the sysadmin, we can only change a key that we own */ 813 if (capable(CAP_SYS_ADMIN) || key->uid == current->fsuid) { 814 key->perm = perm; 815 ret = 0; 816 } 817 818 up_write(&key->sem); 819 key_put(key); 820 error: 821 return ret; 822 823 } /* end keyctl_setperm_key() */ 824 825 /*****************************************************************************/ 826 /* 827 * instantiate the key with the specified payload, and, if one is given, link 828 * the key into the keyring 829 */ 830 long keyctl_instantiate_key(key_serial_t id, 831 const void __user *_payload, 832 size_t plen, 833 key_serial_t ringid) 834 { 835 struct request_key_auth *rka; 836 struct key *instkey; 837 key_ref_t keyring_ref; 838 void *payload; 839 long ret; 840 bool vm = false; 841 842 ret = -EINVAL; 843 if (plen > 1024 * 1024 - 1) 844 goto error; 845 846 /* the appropriate instantiation authorisation key must have been 847 * assumed before calling this */ 848 ret = -EPERM; 849 instkey = current->request_key_auth; 850 if (!instkey) 851 goto error; 852 853 rka = instkey->payload.data; 854 if (rka->target_key->serial != id) 855 goto error; 856 857 /* pull the payload in if one was supplied */ 858 payload = NULL; 859 860 if (_payload) { 861 ret = -ENOMEM; 862 payload = kmalloc(plen, GFP_KERNEL); 863 if (!payload) { 864 if (plen <= PAGE_SIZE) 865 goto error; 866 vm = true; 867 payload = vmalloc(plen); 868 if (!payload) 869 goto error; 870 } 871 872 ret = -EFAULT; 873 if (copy_from_user(payload, _payload, plen) != 0) 874 goto error2; 875 } 876 877 /* find the destination keyring amongst those belonging to the 878 * requesting task */ 879 keyring_ref = NULL; 880 if (ringid) { 881 keyring_ref = lookup_user_key(rka->context, ringid, 1, 0, 882 KEY_WRITE); 883 if (IS_ERR(keyring_ref)) { 884 ret = PTR_ERR(keyring_ref); 885 goto error2; 886 } 887 } 888 889 /* instantiate the key and link it into a keyring */ 890 ret = key_instantiate_and_link(rka->target_key, payload, plen, 891 key_ref_to_ptr(keyring_ref), instkey); 892 893 key_ref_put(keyring_ref); 894 895 /* discard the assumed authority if it's just been disabled by 896 * instantiation of the key */ 897 if (ret == 0) { 898 key_put(current->request_key_auth); 899 current->request_key_auth = NULL; 900 } 901 902 error2: 903 if (!vm) 904 kfree(payload); 905 else 906 vfree(payload); 907 error: 908 return ret; 909 910 } /* end keyctl_instantiate_key() */ 911 912 /*****************************************************************************/ 913 /* 914 * negatively instantiate the key with the given timeout (in seconds), and, if 915 * one is given, link the key into the keyring 916 */ 917 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 918 { 919 struct request_key_auth *rka; 920 struct key *instkey; 921 key_ref_t keyring_ref; 922 long ret; 923 924 /* the appropriate instantiation authorisation key must have been 925 * assumed before calling this */ 926 ret = -EPERM; 927 instkey = current->request_key_auth; 928 if (!instkey) 929 goto error; 930 931 rka = instkey->payload.data; 932 if (rka->target_key->serial != id) 933 goto error; 934 935 /* find the destination keyring if present (which must also be 936 * writable) */ 937 keyring_ref = NULL; 938 if (ringid) { 939 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 940 if (IS_ERR(keyring_ref)) { 941 ret = PTR_ERR(keyring_ref); 942 goto error; 943 } 944 } 945 946 /* instantiate the key and link it into a keyring */ 947 ret = key_negate_and_link(rka->target_key, timeout, 948 key_ref_to_ptr(keyring_ref), instkey); 949 950 key_ref_put(keyring_ref); 951 952 /* discard the assumed authority if it's just been disabled by 953 * instantiation of the key */ 954 if (ret == 0) { 955 key_put(current->request_key_auth); 956 current->request_key_auth = NULL; 957 } 958 959 error: 960 return ret; 961 962 } /* end keyctl_negate_key() */ 963 964 /*****************************************************************************/ 965 /* 966 * set the default keyring in which request_key() will cache keys 967 * - return the old setting 968 */ 969 long keyctl_set_reqkey_keyring(int reqkey_defl) 970 { 971 int ret; 972 973 switch (reqkey_defl) { 974 case KEY_REQKEY_DEFL_THREAD_KEYRING: 975 ret = install_thread_keyring(current); 976 if (ret < 0) 977 return ret; 978 goto set; 979 980 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 981 ret = install_process_keyring(current); 982 if (ret < 0) 983 return ret; 984 985 case KEY_REQKEY_DEFL_DEFAULT: 986 case KEY_REQKEY_DEFL_SESSION_KEYRING: 987 case KEY_REQKEY_DEFL_USER_KEYRING: 988 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 989 set: 990 current->jit_keyring = reqkey_defl; 991 992 case KEY_REQKEY_DEFL_NO_CHANGE: 993 return current->jit_keyring; 994 995 case KEY_REQKEY_DEFL_GROUP_KEYRING: 996 default: 997 return -EINVAL; 998 } 999 1000 } /* end keyctl_set_reqkey_keyring() */ 1001 1002 /*****************************************************************************/ 1003 /* 1004 * set or clear the timeout for a key 1005 */ 1006 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1007 { 1008 struct timespec now; 1009 struct key *key; 1010 key_ref_t key_ref; 1011 time_t expiry; 1012 long ret; 1013 1014 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 1015 if (IS_ERR(key_ref)) { 1016 ret = PTR_ERR(key_ref); 1017 goto error; 1018 } 1019 1020 key = key_ref_to_ptr(key_ref); 1021 1022 /* make the changes with the locks held to prevent races */ 1023 down_write(&key->sem); 1024 1025 expiry = 0; 1026 if (timeout > 0) { 1027 now = current_kernel_time(); 1028 expiry = now.tv_sec + timeout; 1029 } 1030 1031 key->expiry = expiry; 1032 1033 up_write(&key->sem); 1034 key_put(key); 1035 1036 ret = 0; 1037 error: 1038 return ret; 1039 1040 } /* end keyctl_set_timeout() */ 1041 1042 /*****************************************************************************/ 1043 /* 1044 * assume the authority to instantiate the specified key 1045 */ 1046 long keyctl_assume_authority(key_serial_t id) 1047 { 1048 struct key *authkey; 1049 long ret; 1050 1051 /* special key IDs aren't permitted */ 1052 ret = -EINVAL; 1053 if (id < 0) 1054 goto error; 1055 1056 /* we divest ourselves of authority if given an ID of 0 */ 1057 if (id == 0) { 1058 key_put(current->request_key_auth); 1059 current->request_key_auth = NULL; 1060 ret = 0; 1061 goto error; 1062 } 1063 1064 /* attempt to assume the authority temporarily granted to us whilst we 1065 * instantiate the specified key 1066 * - the authorisation key must be in the current task's keyrings 1067 * somewhere 1068 */ 1069 authkey = key_get_instantiation_authkey(id); 1070 if (IS_ERR(authkey)) { 1071 ret = PTR_ERR(authkey); 1072 goto error; 1073 } 1074 1075 key_put(current->request_key_auth); 1076 current->request_key_auth = authkey; 1077 ret = authkey->serial; 1078 1079 error: 1080 return ret; 1081 1082 } /* end keyctl_assume_authority() */ 1083 1084 /* 1085 * get the security label of a key 1086 * - the key must grant us view permission 1087 * - if there's a buffer, we place up to buflen bytes of data into it 1088 * - unless there's an error, we return the amount of information available, 1089 * irrespective of how much we may have copied (including the terminal NUL) 1090 * - implements keyctl(KEYCTL_GET_SECURITY) 1091 */ 1092 long keyctl_get_security(key_serial_t keyid, 1093 char __user *buffer, 1094 size_t buflen) 1095 { 1096 struct key *key, *instkey; 1097 key_ref_t key_ref; 1098 char *context; 1099 long ret; 1100 1101 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 1102 if (IS_ERR(key_ref)) { 1103 if (PTR_ERR(key_ref) != -EACCES) 1104 return PTR_ERR(key_ref); 1105 1106 /* viewing a key under construction is also permitted if we 1107 * have the authorisation token handy */ 1108 instkey = key_get_instantiation_authkey(keyid); 1109 if (IS_ERR(instkey)) 1110 return PTR_ERR(key_ref); 1111 key_put(instkey); 1112 1113 key_ref = lookup_user_key(NULL, keyid, 0, 1, 0); 1114 if (IS_ERR(key_ref)) 1115 return PTR_ERR(key_ref); 1116 } 1117 1118 key = key_ref_to_ptr(key_ref); 1119 ret = security_key_getsecurity(key, &context); 1120 if (ret == 0) { 1121 /* if no information was returned, give userspace an empty 1122 * string */ 1123 ret = 1; 1124 if (buffer && buflen > 0 && 1125 copy_to_user(buffer, "", 1) != 0) 1126 ret = -EFAULT; 1127 } else if (ret > 0) { 1128 /* return as much data as there's room for */ 1129 if (buffer && buflen > 0) { 1130 if (buflen > ret) 1131 buflen = ret; 1132 1133 if (copy_to_user(buffer, context, buflen) != 0) 1134 ret = -EFAULT; 1135 } 1136 1137 kfree(context); 1138 } 1139 1140 key_ref_put(key_ref); 1141 return ret; 1142 } 1143 1144 /*****************************************************************************/ 1145 /* 1146 * the key control system call 1147 */ 1148 asmlinkage long sys_keyctl(int option, unsigned long arg2, unsigned long arg3, 1149 unsigned long arg4, unsigned long arg5) 1150 { 1151 switch (option) { 1152 case KEYCTL_GET_KEYRING_ID: 1153 return keyctl_get_keyring_ID((key_serial_t) arg2, 1154 (int) arg3); 1155 1156 case KEYCTL_JOIN_SESSION_KEYRING: 1157 return keyctl_join_session_keyring((const char __user *) arg2); 1158 1159 case KEYCTL_UPDATE: 1160 return keyctl_update_key((key_serial_t) arg2, 1161 (const void __user *) arg3, 1162 (size_t) arg4); 1163 1164 case KEYCTL_REVOKE: 1165 return keyctl_revoke_key((key_serial_t) arg2); 1166 1167 case KEYCTL_DESCRIBE: 1168 return keyctl_describe_key((key_serial_t) arg2, 1169 (char __user *) arg3, 1170 (unsigned) arg4); 1171 1172 case KEYCTL_CLEAR: 1173 return keyctl_keyring_clear((key_serial_t) arg2); 1174 1175 case KEYCTL_LINK: 1176 return keyctl_keyring_link((key_serial_t) arg2, 1177 (key_serial_t) arg3); 1178 1179 case KEYCTL_UNLINK: 1180 return keyctl_keyring_unlink((key_serial_t) arg2, 1181 (key_serial_t) arg3); 1182 1183 case KEYCTL_SEARCH: 1184 return keyctl_keyring_search((key_serial_t) arg2, 1185 (const char __user *) arg3, 1186 (const char __user *) arg4, 1187 (key_serial_t) arg5); 1188 1189 case KEYCTL_READ: 1190 return keyctl_read_key((key_serial_t) arg2, 1191 (char __user *) arg3, 1192 (size_t) arg4); 1193 1194 case KEYCTL_CHOWN: 1195 return keyctl_chown_key((key_serial_t) arg2, 1196 (uid_t) arg3, 1197 (gid_t) arg4); 1198 1199 case KEYCTL_SETPERM: 1200 return keyctl_setperm_key((key_serial_t) arg2, 1201 (key_perm_t) arg3); 1202 1203 case KEYCTL_INSTANTIATE: 1204 return keyctl_instantiate_key((key_serial_t) arg2, 1205 (const void __user *) arg3, 1206 (size_t) arg4, 1207 (key_serial_t) arg5); 1208 1209 case KEYCTL_NEGATE: 1210 return keyctl_negate_key((key_serial_t) arg2, 1211 (unsigned) arg3, 1212 (key_serial_t) arg4); 1213 1214 case KEYCTL_SET_REQKEY_KEYRING: 1215 return keyctl_set_reqkey_keyring(arg2); 1216 1217 case KEYCTL_SET_TIMEOUT: 1218 return keyctl_set_timeout((key_serial_t) arg2, 1219 (unsigned) arg3); 1220 1221 case KEYCTL_ASSUME_AUTHORITY: 1222 return keyctl_assume_authority((key_serial_t) arg2); 1223 1224 case KEYCTL_GET_SECURITY: 1225 return keyctl_get_security((key_serial_t) arg2, 1226 (char *) arg3, 1227 (size_t) arg4); 1228 1229 default: 1230 return -EOPNOTSUPP; 1231 } 1232 1233 } /* end sys_keyctl() */ 1234