xref: /openbmc/linux/kernel/cred.c (revision a2cce7a9)
1 /* Task credentials management - see Documentation/security/credentials.txt
2  *
3  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public Licence
8  * as published by the Free Software Foundation; either version
9  * 2 of the Licence, or (at your option) any later version.
10  */
11 #include <linux/export.h>
12 #include <linux/cred.h>
13 #include <linux/slab.h>
14 #include <linux/sched.h>
15 #include <linux/key.h>
16 #include <linux/keyctl.h>
17 #include <linux/init_task.h>
18 #include <linux/security.h>
19 #include <linux/binfmts.h>
20 #include <linux/cn_proc.h>
21 
22 #if 0
23 #define kdebug(FMT, ...)						\
24 	printk("[%-5.5s%5u] " FMT "\n",					\
25 	       current->comm, current->pid, ##__VA_ARGS__)
26 #else
27 #define kdebug(FMT, ...)						\
28 do {									\
29 	if (0)								\
30 		no_printk("[%-5.5s%5u] " FMT "\n",			\
31 			  current->comm, current->pid, ##__VA_ARGS__);	\
32 } while (0)
33 #endif
34 
35 static struct kmem_cache *cred_jar;
36 
37 /* init to 2 - one for init_task, one to ensure it is never freed */
38 struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
39 
40 /*
41  * The initial credentials for the initial task
42  */
43 struct cred init_cred = {
44 	.usage			= ATOMIC_INIT(4),
45 #ifdef CONFIG_DEBUG_CREDENTIALS
46 	.subscribers		= ATOMIC_INIT(2),
47 	.magic			= CRED_MAGIC,
48 #endif
49 	.uid			= GLOBAL_ROOT_UID,
50 	.gid			= GLOBAL_ROOT_GID,
51 	.suid			= GLOBAL_ROOT_UID,
52 	.sgid			= GLOBAL_ROOT_GID,
53 	.euid			= GLOBAL_ROOT_UID,
54 	.egid			= GLOBAL_ROOT_GID,
55 	.fsuid			= GLOBAL_ROOT_UID,
56 	.fsgid			= GLOBAL_ROOT_GID,
57 	.securebits		= SECUREBITS_DEFAULT,
58 	.cap_inheritable	= CAP_EMPTY_SET,
59 	.cap_permitted		= CAP_FULL_SET,
60 	.cap_effective		= CAP_FULL_SET,
61 	.cap_bset		= CAP_FULL_SET,
62 	.user			= INIT_USER,
63 	.user_ns		= &init_user_ns,
64 	.group_info		= &init_groups,
65 };
66 
67 static inline void set_cred_subscribers(struct cred *cred, int n)
68 {
69 #ifdef CONFIG_DEBUG_CREDENTIALS
70 	atomic_set(&cred->subscribers, n);
71 #endif
72 }
73 
74 static inline int read_cred_subscribers(const struct cred *cred)
75 {
76 #ifdef CONFIG_DEBUG_CREDENTIALS
77 	return atomic_read(&cred->subscribers);
78 #else
79 	return 0;
80 #endif
81 }
82 
83 static inline void alter_cred_subscribers(const struct cred *_cred, int n)
84 {
85 #ifdef CONFIG_DEBUG_CREDENTIALS
86 	struct cred *cred = (struct cred *) _cred;
87 
88 	atomic_add(n, &cred->subscribers);
89 #endif
90 }
91 
92 /*
93  * The RCU callback to actually dispose of a set of credentials
94  */
95 static void put_cred_rcu(struct rcu_head *rcu)
96 {
97 	struct cred *cred = container_of(rcu, struct cred, rcu);
98 
99 	kdebug("put_cred_rcu(%p)", cred);
100 
101 #ifdef CONFIG_DEBUG_CREDENTIALS
102 	if (cred->magic != CRED_MAGIC_DEAD ||
103 	    atomic_read(&cred->usage) != 0 ||
104 	    read_cred_subscribers(cred) != 0)
105 		panic("CRED: put_cred_rcu() sees %p with"
106 		      " mag %x, put %p, usage %d, subscr %d\n",
107 		      cred, cred->magic, cred->put_addr,
108 		      atomic_read(&cred->usage),
109 		      read_cred_subscribers(cred));
110 #else
111 	if (atomic_read(&cred->usage) != 0)
112 		panic("CRED: put_cred_rcu() sees %p with usage %d\n",
113 		      cred, atomic_read(&cred->usage));
114 #endif
115 
116 	security_cred_free(cred);
117 	key_put(cred->session_keyring);
118 	key_put(cred->process_keyring);
119 	key_put(cred->thread_keyring);
120 	key_put(cred->request_key_auth);
121 	if (cred->group_info)
122 		put_group_info(cred->group_info);
123 	free_uid(cred->user);
124 	put_user_ns(cred->user_ns);
125 	kmem_cache_free(cred_jar, cred);
126 }
127 
128 /**
129  * __put_cred - Destroy a set of credentials
130  * @cred: The record to release
131  *
132  * Destroy a set of credentials on which no references remain.
133  */
134 void __put_cred(struct cred *cred)
135 {
136 	kdebug("__put_cred(%p{%d,%d})", cred,
137 	       atomic_read(&cred->usage),
138 	       read_cred_subscribers(cred));
139 
140 	BUG_ON(atomic_read(&cred->usage) != 0);
141 #ifdef CONFIG_DEBUG_CREDENTIALS
142 	BUG_ON(read_cred_subscribers(cred) != 0);
143 	cred->magic = CRED_MAGIC_DEAD;
144 	cred->put_addr = __builtin_return_address(0);
145 #endif
146 	BUG_ON(cred == current->cred);
147 	BUG_ON(cred == current->real_cred);
148 
149 	call_rcu(&cred->rcu, put_cred_rcu);
150 }
151 EXPORT_SYMBOL(__put_cred);
152 
153 /*
154  * Clean up a task's credentials when it exits
155  */
156 void exit_creds(struct task_struct *tsk)
157 {
158 	struct cred *cred;
159 
160 	kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
161 	       atomic_read(&tsk->cred->usage),
162 	       read_cred_subscribers(tsk->cred));
163 
164 	cred = (struct cred *) tsk->real_cred;
165 	tsk->real_cred = NULL;
166 	validate_creds(cred);
167 	alter_cred_subscribers(cred, -1);
168 	put_cred(cred);
169 
170 	cred = (struct cred *) tsk->cred;
171 	tsk->cred = NULL;
172 	validate_creds(cred);
173 	alter_cred_subscribers(cred, -1);
174 	put_cred(cred);
175 }
176 
177 /**
178  * get_task_cred - Get another task's objective credentials
179  * @task: The task to query
180  *
181  * Get the objective credentials of a task, pinning them so that they can't go
182  * away.  Accessing a task's credentials directly is not permitted.
183  *
184  * The caller must also make sure task doesn't get deleted, either by holding a
185  * ref on task or by holding tasklist_lock to prevent it from being unlinked.
186  */
187 const struct cred *get_task_cred(struct task_struct *task)
188 {
189 	const struct cred *cred;
190 
191 	rcu_read_lock();
192 
193 	do {
194 		cred = __task_cred((task));
195 		BUG_ON(!cred);
196 	} while (!atomic_inc_not_zero(&((struct cred *)cred)->usage));
197 
198 	rcu_read_unlock();
199 	return cred;
200 }
201 
202 /*
203  * Allocate blank credentials, such that the credentials can be filled in at a
204  * later date without risk of ENOMEM.
205  */
206 struct cred *cred_alloc_blank(void)
207 {
208 	struct cred *new;
209 
210 	new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
211 	if (!new)
212 		return NULL;
213 
214 	atomic_set(&new->usage, 1);
215 #ifdef CONFIG_DEBUG_CREDENTIALS
216 	new->magic = CRED_MAGIC;
217 #endif
218 
219 	if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
220 		goto error;
221 
222 	return new;
223 
224 error:
225 	abort_creds(new);
226 	return NULL;
227 }
228 
229 /**
230  * prepare_creds - Prepare a new set of credentials for modification
231  *
232  * Prepare a new set of task credentials for modification.  A task's creds
233  * shouldn't generally be modified directly, therefore this function is used to
234  * prepare a new copy, which the caller then modifies and then commits by
235  * calling commit_creds().
236  *
237  * Preparation involves making a copy of the objective creds for modification.
238  *
239  * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
240  *
241  * Call commit_creds() or abort_creds() to clean up.
242  */
243 struct cred *prepare_creds(void)
244 {
245 	struct task_struct *task = current;
246 	const struct cred *old;
247 	struct cred *new;
248 
249 	validate_process_creds();
250 
251 	new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
252 	if (!new)
253 		return NULL;
254 
255 	kdebug("prepare_creds() alloc %p", new);
256 
257 	old = task->cred;
258 	memcpy(new, old, sizeof(struct cred));
259 
260 	atomic_set(&new->usage, 1);
261 	set_cred_subscribers(new, 0);
262 	get_group_info(new->group_info);
263 	get_uid(new->user);
264 	get_user_ns(new->user_ns);
265 
266 #ifdef CONFIG_KEYS
267 	key_get(new->session_keyring);
268 	key_get(new->process_keyring);
269 	key_get(new->thread_keyring);
270 	key_get(new->request_key_auth);
271 #endif
272 
273 #ifdef CONFIG_SECURITY
274 	new->security = NULL;
275 #endif
276 
277 	if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
278 		goto error;
279 	validate_creds(new);
280 	return new;
281 
282 error:
283 	abort_creds(new);
284 	return NULL;
285 }
286 EXPORT_SYMBOL(prepare_creds);
287 
288 /*
289  * Prepare credentials for current to perform an execve()
290  * - The caller must hold ->cred_guard_mutex
291  */
292 struct cred *prepare_exec_creds(void)
293 {
294 	struct cred *new;
295 
296 	new = prepare_creds();
297 	if (!new)
298 		return new;
299 
300 #ifdef CONFIG_KEYS
301 	/* newly exec'd tasks don't get a thread keyring */
302 	key_put(new->thread_keyring);
303 	new->thread_keyring = NULL;
304 
305 	/* inherit the session keyring; new process keyring */
306 	key_put(new->process_keyring);
307 	new->process_keyring = NULL;
308 #endif
309 
310 	return new;
311 }
312 
313 /*
314  * Copy credentials for the new process created by fork()
315  *
316  * We share if we can, but under some circumstances we have to generate a new
317  * set.
318  *
319  * The new process gets the current process's subjective credentials as its
320  * objective and subjective credentials
321  */
322 int copy_creds(struct task_struct *p, unsigned long clone_flags)
323 {
324 	struct cred *new;
325 	int ret;
326 
327 	if (
328 #ifdef CONFIG_KEYS
329 		!p->cred->thread_keyring &&
330 #endif
331 		clone_flags & CLONE_THREAD
332 	    ) {
333 		p->real_cred = get_cred(p->cred);
334 		get_cred(p->cred);
335 		alter_cred_subscribers(p->cred, 2);
336 		kdebug("share_creds(%p{%d,%d})",
337 		       p->cred, atomic_read(&p->cred->usage),
338 		       read_cred_subscribers(p->cred));
339 		atomic_inc(&p->cred->user->processes);
340 		return 0;
341 	}
342 
343 	new = prepare_creds();
344 	if (!new)
345 		return -ENOMEM;
346 
347 	if (clone_flags & CLONE_NEWUSER) {
348 		ret = create_user_ns(new);
349 		if (ret < 0)
350 			goto error_put;
351 	}
352 
353 #ifdef CONFIG_KEYS
354 	/* new threads get their own thread keyrings if their parent already
355 	 * had one */
356 	if (new->thread_keyring) {
357 		key_put(new->thread_keyring);
358 		new->thread_keyring = NULL;
359 		if (clone_flags & CLONE_THREAD)
360 			install_thread_keyring_to_cred(new);
361 	}
362 
363 	/* The process keyring is only shared between the threads in a process;
364 	 * anything outside of those threads doesn't inherit.
365 	 */
366 	if (!(clone_flags & CLONE_THREAD)) {
367 		key_put(new->process_keyring);
368 		new->process_keyring = NULL;
369 	}
370 #endif
371 
372 	atomic_inc(&new->user->processes);
373 	p->cred = p->real_cred = get_cred(new);
374 	alter_cred_subscribers(new, 2);
375 	validate_creds(new);
376 	return 0;
377 
378 error_put:
379 	put_cred(new);
380 	return ret;
381 }
382 
383 static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
384 {
385 	const struct user_namespace *set_ns = set->user_ns;
386 	const struct user_namespace *subset_ns = subset->user_ns;
387 
388 	/* If the two credentials are in the same user namespace see if
389 	 * the capabilities of subset are a subset of set.
390 	 */
391 	if (set_ns == subset_ns)
392 		return cap_issubset(subset->cap_permitted, set->cap_permitted);
393 
394 	/* The credentials are in a different user namespaces
395 	 * therefore one is a subset of the other only if a set is an
396 	 * ancestor of subset and set->euid is owner of subset or one
397 	 * of subsets ancestors.
398 	 */
399 	for (;subset_ns != &init_user_ns; subset_ns = subset_ns->parent) {
400 		if ((set_ns == subset_ns->parent)  &&
401 		    uid_eq(subset_ns->owner, set->euid))
402 			return true;
403 	}
404 
405 	return false;
406 }
407 
408 /**
409  * commit_creds - Install new credentials upon the current task
410  * @new: The credentials to be assigned
411  *
412  * Install a new set of credentials to the current task, using RCU to replace
413  * the old set.  Both the objective and the subjective credentials pointers are
414  * updated.  This function may not be called if the subjective credentials are
415  * in an overridden state.
416  *
417  * This function eats the caller's reference to the new credentials.
418  *
419  * Always returns 0 thus allowing this function to be tail-called at the end
420  * of, say, sys_setgid().
421  */
422 int commit_creds(struct cred *new)
423 {
424 	struct task_struct *task = current;
425 	const struct cred *old = task->real_cred;
426 
427 	kdebug("commit_creds(%p{%d,%d})", new,
428 	       atomic_read(&new->usage),
429 	       read_cred_subscribers(new));
430 
431 	BUG_ON(task->cred != old);
432 #ifdef CONFIG_DEBUG_CREDENTIALS
433 	BUG_ON(read_cred_subscribers(old) < 2);
434 	validate_creds(old);
435 	validate_creds(new);
436 #endif
437 	BUG_ON(atomic_read(&new->usage) < 1);
438 
439 	get_cred(new); /* we will require a ref for the subj creds too */
440 
441 	/* dumpability changes */
442 	if (!uid_eq(old->euid, new->euid) ||
443 	    !gid_eq(old->egid, new->egid) ||
444 	    !uid_eq(old->fsuid, new->fsuid) ||
445 	    !gid_eq(old->fsgid, new->fsgid) ||
446 	    !cred_cap_issubset(old, new)) {
447 		if (task->mm)
448 			set_dumpable(task->mm, suid_dumpable);
449 		task->pdeath_signal = 0;
450 		smp_wmb();
451 	}
452 
453 	/* alter the thread keyring */
454 	if (!uid_eq(new->fsuid, old->fsuid))
455 		key_fsuid_changed(task);
456 	if (!gid_eq(new->fsgid, old->fsgid))
457 		key_fsgid_changed(task);
458 
459 	/* do it
460 	 * RLIMIT_NPROC limits on user->processes have already been checked
461 	 * in set_user().
462 	 */
463 	alter_cred_subscribers(new, 2);
464 	if (new->user != old->user)
465 		atomic_inc(&new->user->processes);
466 	rcu_assign_pointer(task->real_cred, new);
467 	rcu_assign_pointer(task->cred, new);
468 	if (new->user != old->user)
469 		atomic_dec(&old->user->processes);
470 	alter_cred_subscribers(old, -2);
471 
472 	/* send notifications */
473 	if (!uid_eq(new->uid,   old->uid)  ||
474 	    !uid_eq(new->euid,  old->euid) ||
475 	    !uid_eq(new->suid,  old->suid) ||
476 	    !uid_eq(new->fsuid, old->fsuid))
477 		proc_id_connector(task, PROC_EVENT_UID);
478 
479 	if (!gid_eq(new->gid,   old->gid)  ||
480 	    !gid_eq(new->egid,  old->egid) ||
481 	    !gid_eq(new->sgid,  old->sgid) ||
482 	    !gid_eq(new->fsgid, old->fsgid))
483 		proc_id_connector(task, PROC_EVENT_GID);
484 
485 	/* release the old obj and subj refs both */
486 	put_cred(old);
487 	put_cred(old);
488 	return 0;
489 }
490 EXPORT_SYMBOL(commit_creds);
491 
492 /**
493  * abort_creds - Discard a set of credentials and unlock the current task
494  * @new: The credentials that were going to be applied
495  *
496  * Discard a set of credentials that were under construction and unlock the
497  * current task.
498  */
499 void abort_creds(struct cred *new)
500 {
501 	kdebug("abort_creds(%p{%d,%d})", new,
502 	       atomic_read(&new->usage),
503 	       read_cred_subscribers(new));
504 
505 #ifdef CONFIG_DEBUG_CREDENTIALS
506 	BUG_ON(read_cred_subscribers(new) != 0);
507 #endif
508 	BUG_ON(atomic_read(&new->usage) < 1);
509 	put_cred(new);
510 }
511 EXPORT_SYMBOL(abort_creds);
512 
513 /**
514  * override_creds - Override the current process's subjective credentials
515  * @new: The credentials to be assigned
516  *
517  * Install a set of temporary override subjective credentials on the current
518  * process, returning the old set for later reversion.
519  */
520 const struct cred *override_creds(const struct cred *new)
521 {
522 	const struct cred *old = current->cred;
523 
524 	kdebug("override_creds(%p{%d,%d})", new,
525 	       atomic_read(&new->usage),
526 	       read_cred_subscribers(new));
527 
528 	validate_creds(old);
529 	validate_creds(new);
530 	get_cred(new);
531 	alter_cred_subscribers(new, 1);
532 	rcu_assign_pointer(current->cred, new);
533 	alter_cred_subscribers(old, -1);
534 
535 	kdebug("override_creds() = %p{%d,%d}", old,
536 	       atomic_read(&old->usage),
537 	       read_cred_subscribers(old));
538 	return old;
539 }
540 EXPORT_SYMBOL(override_creds);
541 
542 /**
543  * revert_creds - Revert a temporary subjective credentials override
544  * @old: The credentials to be restored
545  *
546  * Revert a temporary set of override subjective credentials to an old set,
547  * discarding the override set.
548  */
549 void revert_creds(const struct cred *old)
550 {
551 	const struct cred *override = current->cred;
552 
553 	kdebug("revert_creds(%p{%d,%d})", old,
554 	       atomic_read(&old->usage),
555 	       read_cred_subscribers(old));
556 
557 	validate_creds(old);
558 	validate_creds(override);
559 	alter_cred_subscribers(old, 1);
560 	rcu_assign_pointer(current->cred, old);
561 	alter_cred_subscribers(override, -1);
562 	put_cred(override);
563 }
564 EXPORT_SYMBOL(revert_creds);
565 
566 /*
567  * initialise the credentials stuff
568  */
569 void __init cred_init(void)
570 {
571 	/* allocate a slab in which we can store credentials */
572 	cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred),
573 				     0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
574 }
575 
576 /**
577  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
578  * @daemon: A userspace daemon to be used as a reference
579  *
580  * Prepare a set of credentials for a kernel service.  This can then be used to
581  * override a task's own credentials so that work can be done on behalf of that
582  * task that requires a different subjective context.
583  *
584  * @daemon is used to provide a base for the security record, but can be NULL.
585  * If @daemon is supplied, then the security data will be derived from that;
586  * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
587  *
588  * The caller may change these controls afterwards if desired.
589  *
590  * Returns the new credentials or NULL if out of memory.
591  *
592  * Does not take, and does not return holding current->cred_replace_mutex.
593  */
594 struct cred *prepare_kernel_cred(struct task_struct *daemon)
595 {
596 	const struct cred *old;
597 	struct cred *new;
598 
599 	new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
600 	if (!new)
601 		return NULL;
602 
603 	kdebug("prepare_kernel_cred() alloc %p", new);
604 
605 	if (daemon)
606 		old = get_task_cred(daemon);
607 	else
608 		old = get_cred(&init_cred);
609 
610 	validate_creds(old);
611 
612 	*new = *old;
613 	atomic_set(&new->usage, 1);
614 	set_cred_subscribers(new, 0);
615 	get_uid(new->user);
616 	get_user_ns(new->user_ns);
617 	get_group_info(new->group_info);
618 
619 #ifdef CONFIG_KEYS
620 	new->session_keyring = NULL;
621 	new->process_keyring = NULL;
622 	new->thread_keyring = NULL;
623 	new->request_key_auth = NULL;
624 	new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
625 #endif
626 
627 #ifdef CONFIG_SECURITY
628 	new->security = NULL;
629 #endif
630 	if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
631 		goto error;
632 
633 	put_cred(old);
634 	validate_creds(new);
635 	return new;
636 
637 error:
638 	put_cred(new);
639 	put_cred(old);
640 	return NULL;
641 }
642 EXPORT_SYMBOL(prepare_kernel_cred);
643 
644 /**
645  * set_security_override - Set the security ID in a set of credentials
646  * @new: The credentials to alter
647  * @secid: The LSM security ID to set
648  *
649  * Set the LSM security ID in a set of credentials so that the subjective
650  * security is overridden when an alternative set of credentials is used.
651  */
652 int set_security_override(struct cred *new, u32 secid)
653 {
654 	return security_kernel_act_as(new, secid);
655 }
656 EXPORT_SYMBOL(set_security_override);
657 
658 /**
659  * set_security_override_from_ctx - Set the security ID in a set of credentials
660  * @new: The credentials to alter
661  * @secctx: The LSM security context to generate the security ID from.
662  *
663  * Set the LSM security ID in a set of credentials so that the subjective
664  * security is overridden when an alternative set of credentials is used.  The
665  * security ID is specified in string form as a security context to be
666  * interpreted by the LSM.
667  */
668 int set_security_override_from_ctx(struct cred *new, const char *secctx)
669 {
670 	u32 secid;
671 	int ret;
672 
673 	ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
674 	if (ret < 0)
675 		return ret;
676 
677 	return set_security_override(new, secid);
678 }
679 EXPORT_SYMBOL(set_security_override_from_ctx);
680 
681 /**
682  * set_create_files_as - Set the LSM file create context in a set of credentials
683  * @new: The credentials to alter
684  * @inode: The inode to take the context from
685  *
686  * Change the LSM file creation context in a set of credentials to be the same
687  * as the object context of the specified inode, so that the new inodes have
688  * the same MAC context as that inode.
689  */
690 int set_create_files_as(struct cred *new, struct inode *inode)
691 {
692 	new->fsuid = inode->i_uid;
693 	new->fsgid = inode->i_gid;
694 	return security_kernel_create_files_as(new, inode);
695 }
696 EXPORT_SYMBOL(set_create_files_as);
697 
698 #ifdef CONFIG_DEBUG_CREDENTIALS
699 
700 bool creds_are_invalid(const struct cred *cred)
701 {
702 	if (cred->magic != CRED_MAGIC)
703 		return true;
704 #ifdef CONFIG_SECURITY_SELINUX
705 	/*
706 	 * cred->security == NULL if security_cred_alloc_blank() or
707 	 * security_prepare_creds() returned an error.
708 	 */
709 	if (selinux_is_enabled() && cred->security) {
710 		if ((unsigned long) cred->security < PAGE_SIZE)
711 			return true;
712 		if ((*(u32 *)cred->security & 0xffffff00) ==
713 		    (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
714 			return true;
715 	}
716 #endif
717 	return false;
718 }
719 EXPORT_SYMBOL(creds_are_invalid);
720 
721 /*
722  * dump invalid credentials
723  */
724 static void dump_invalid_creds(const struct cred *cred, const char *label,
725 			       const struct task_struct *tsk)
726 {
727 	printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
728 	       label, cred,
729 	       cred == &init_cred ? "[init]" : "",
730 	       cred == tsk->real_cred ? "[real]" : "",
731 	       cred == tsk->cred ? "[eff]" : "");
732 	printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
733 	       cred->magic, cred->put_addr);
734 	printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
735 	       atomic_read(&cred->usage),
736 	       read_cred_subscribers(cred));
737 	printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
738 		from_kuid_munged(&init_user_ns, cred->uid),
739 		from_kuid_munged(&init_user_ns, cred->euid),
740 		from_kuid_munged(&init_user_ns, cred->suid),
741 		from_kuid_munged(&init_user_ns, cred->fsuid));
742 	printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
743 		from_kgid_munged(&init_user_ns, cred->gid),
744 		from_kgid_munged(&init_user_ns, cred->egid),
745 		from_kgid_munged(&init_user_ns, cred->sgid),
746 		from_kgid_munged(&init_user_ns, cred->fsgid));
747 #ifdef CONFIG_SECURITY
748 	printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
749 	if ((unsigned long) cred->security >= PAGE_SIZE &&
750 	    (((unsigned long) cred->security & 0xffffff00) !=
751 	     (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
752 		printk(KERN_ERR "CRED: ->security {%x, %x}\n",
753 		       ((u32*)cred->security)[0],
754 		       ((u32*)cred->security)[1]);
755 #endif
756 }
757 
758 /*
759  * report use of invalid credentials
760  */
761 void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
762 {
763 	printk(KERN_ERR "CRED: Invalid credentials\n");
764 	printk(KERN_ERR "CRED: At %s:%u\n", file, line);
765 	dump_invalid_creds(cred, "Specified", current);
766 	BUG();
767 }
768 EXPORT_SYMBOL(__invalid_creds);
769 
770 /*
771  * check the credentials on a process
772  */
773 void __validate_process_creds(struct task_struct *tsk,
774 			      const char *file, unsigned line)
775 {
776 	if (tsk->cred == tsk->real_cred) {
777 		if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
778 			     creds_are_invalid(tsk->cred)))
779 			goto invalid_creds;
780 	} else {
781 		if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
782 			     read_cred_subscribers(tsk->cred) < 1 ||
783 			     creds_are_invalid(tsk->real_cred) ||
784 			     creds_are_invalid(tsk->cred)))
785 			goto invalid_creds;
786 	}
787 	return;
788 
789 invalid_creds:
790 	printk(KERN_ERR "CRED: Invalid process credentials\n");
791 	printk(KERN_ERR "CRED: At %s:%u\n", file, line);
792 
793 	dump_invalid_creds(tsk->real_cred, "Real", tsk);
794 	if (tsk->cred != tsk->real_cred)
795 		dump_invalid_creds(tsk->cred, "Effective", tsk);
796 	else
797 		printk(KERN_ERR "CRED: Effective creds == Real creds\n");
798 	BUG();
799 }
800 EXPORT_SYMBOL(__validate_process_creds);
801 
802 /*
803  * check creds for do_exit()
804  */
805 void validate_creds_for_do_exit(struct task_struct *tsk)
806 {
807 	kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
808 	       tsk->real_cred, tsk->cred,
809 	       atomic_read(&tsk->cred->usage),
810 	       read_cred_subscribers(tsk->cred));
811 
812 	__validate_process_creds(tsk, __FILE__, __LINE__);
813 }
814 
815 #endif /* CONFIG_DEBUG_CREDENTIALS */
816