1 /* Basic authentication token and access key management 2 * 3 * Copyright (C) 2004-2008 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/export.h> 13 #include <linux/init.h> 14 #include <linux/poison.h> 15 #include <linux/sched.h> 16 #include <linux/slab.h> 17 #include <linux/security.h> 18 #include <linux/workqueue.h> 19 #include <linux/random.h> 20 #include <linux/err.h> 21 #include "internal.h" 22 23 struct kmem_cache *key_jar; 24 struct rb_root key_serial_tree; /* tree of keys indexed by serial */ 25 DEFINE_SPINLOCK(key_serial_lock); 26 27 struct rb_root key_user_tree; /* tree of quota records indexed by UID */ 28 DEFINE_SPINLOCK(key_user_lock); 29 30 unsigned int key_quota_root_maxkeys = 1000000; /* root's key count quota */ 31 unsigned int key_quota_root_maxbytes = 25000000; /* root's key space quota */ 32 unsigned int key_quota_maxkeys = 200; /* general key count quota */ 33 unsigned int key_quota_maxbytes = 20000; /* general key space quota */ 34 35 static LIST_HEAD(key_types_list); 36 static DECLARE_RWSEM(key_types_sem); 37 38 /* We serialise key instantiation and link */ 39 DEFINE_MUTEX(key_construction_mutex); 40 41 #ifdef KEY_DEBUGGING 42 void __key_check(const struct key *key) 43 { 44 printk("__key_check: key %p {%08x} should be {%08x}\n", 45 key, key->magic, KEY_DEBUG_MAGIC); 46 BUG(); 47 } 48 #endif 49 50 /* 51 * Get the key quota record for a user, allocating a new record if one doesn't 52 * already exist. 53 */ 54 struct key_user *key_user_lookup(kuid_t uid) 55 { 56 struct key_user *candidate = NULL, *user; 57 struct rb_node *parent, **p; 58 59 try_again: 60 parent = NULL; 61 p = &key_user_tree.rb_node; 62 spin_lock(&key_user_lock); 63 64 /* search the tree for a user record with a matching UID */ 65 while (*p) { 66 parent = *p; 67 user = rb_entry(parent, struct key_user, node); 68 69 if (uid_lt(uid, user->uid)) 70 p = &(*p)->rb_left; 71 else if (uid_gt(uid, user->uid)) 72 p = &(*p)->rb_right; 73 else 74 goto found; 75 } 76 77 /* if we get here, we failed to find a match in the tree */ 78 if (!candidate) { 79 /* allocate a candidate user record if we don't already have 80 * one */ 81 spin_unlock(&key_user_lock); 82 83 user = NULL; 84 candidate = kmalloc(sizeof(struct key_user), GFP_KERNEL); 85 if (unlikely(!candidate)) 86 goto out; 87 88 /* the allocation may have scheduled, so we need to repeat the 89 * search lest someone else added the record whilst we were 90 * asleep */ 91 goto try_again; 92 } 93 94 /* if we get here, then the user record still hadn't appeared on the 95 * second pass - so we use the candidate record */ 96 refcount_set(&candidate->usage, 1); 97 atomic_set(&candidate->nkeys, 0); 98 atomic_set(&candidate->nikeys, 0); 99 candidate->uid = uid; 100 candidate->qnkeys = 0; 101 candidate->qnbytes = 0; 102 spin_lock_init(&candidate->lock); 103 mutex_init(&candidate->cons_lock); 104 105 rb_link_node(&candidate->node, parent, p); 106 rb_insert_color(&candidate->node, &key_user_tree); 107 spin_unlock(&key_user_lock); 108 user = candidate; 109 goto out; 110 111 /* okay - we found a user record for this UID */ 112 found: 113 refcount_inc(&user->usage); 114 spin_unlock(&key_user_lock); 115 kfree(candidate); 116 out: 117 return user; 118 } 119 120 /* 121 * Dispose of a user structure 122 */ 123 void key_user_put(struct key_user *user) 124 { 125 if (refcount_dec_and_lock(&user->usage, &key_user_lock)) { 126 rb_erase(&user->node, &key_user_tree); 127 spin_unlock(&key_user_lock); 128 129 kfree(user); 130 } 131 } 132 133 /* 134 * Allocate a serial number for a key. These are assigned randomly to avoid 135 * security issues through covert channel problems. 136 */ 137 static inline void key_alloc_serial(struct key *key) 138 { 139 struct rb_node *parent, **p; 140 struct key *xkey; 141 142 /* propose a random serial number and look for a hole for it in the 143 * serial number tree */ 144 do { 145 get_random_bytes(&key->serial, sizeof(key->serial)); 146 147 key->serial >>= 1; /* negative numbers are not permitted */ 148 } while (key->serial < 3); 149 150 spin_lock(&key_serial_lock); 151 152 attempt_insertion: 153 parent = NULL; 154 p = &key_serial_tree.rb_node; 155 156 while (*p) { 157 parent = *p; 158 xkey = rb_entry(parent, struct key, serial_node); 159 160 if (key->serial < xkey->serial) 161 p = &(*p)->rb_left; 162 else if (key->serial > xkey->serial) 163 p = &(*p)->rb_right; 164 else 165 goto serial_exists; 166 } 167 168 /* we've found a suitable hole - arrange for this key to occupy it */ 169 rb_link_node(&key->serial_node, parent, p); 170 rb_insert_color(&key->serial_node, &key_serial_tree); 171 172 spin_unlock(&key_serial_lock); 173 return; 174 175 /* we found a key with the proposed serial number - walk the tree from 176 * that point looking for the next unused serial number */ 177 serial_exists: 178 for (;;) { 179 key->serial++; 180 if (key->serial < 3) { 181 key->serial = 3; 182 goto attempt_insertion; 183 } 184 185 parent = rb_next(parent); 186 if (!parent) 187 goto attempt_insertion; 188 189 xkey = rb_entry(parent, struct key, serial_node); 190 if (key->serial < xkey->serial) 191 goto attempt_insertion; 192 } 193 } 194 195 /** 196 * key_alloc - Allocate a key of the specified type. 197 * @type: The type of key to allocate. 198 * @desc: The key description to allow the key to be searched out. 199 * @uid: The owner of the new key. 200 * @gid: The group ID for the new key's group permissions. 201 * @cred: The credentials specifying UID namespace. 202 * @perm: The permissions mask of the new key. 203 * @flags: Flags specifying quota properties. 204 * @restrict_link: Optional link restriction for new keyrings. 205 * 206 * Allocate a key of the specified type with the attributes given. The key is 207 * returned in an uninstantiated state and the caller needs to instantiate the 208 * key before returning. 209 * 210 * The restrict_link structure (if not NULL) will be freed when the 211 * keyring is destroyed, so it must be dynamically allocated. 212 * 213 * The user's key count quota is updated to reflect the creation of the key and 214 * the user's key data quota has the default for the key type reserved. The 215 * instantiation function should amend this as necessary. If insufficient 216 * quota is available, -EDQUOT will be returned. 217 * 218 * The LSM security modules can prevent a key being created, in which case 219 * -EACCES will be returned. 220 * 221 * Returns a pointer to the new key if successful and an error code otherwise. 222 * 223 * Note that the caller needs to ensure the key type isn't uninstantiated. 224 * Internally this can be done by locking key_types_sem. Externally, this can 225 * be done by either never unregistering the key type, or making sure 226 * key_alloc() calls don't race with module unloading. 227 */ 228 struct key *key_alloc(struct key_type *type, const char *desc, 229 kuid_t uid, kgid_t gid, const struct cred *cred, 230 key_perm_t perm, unsigned long flags, 231 struct key_restriction *restrict_link) 232 { 233 struct key_user *user = NULL; 234 struct key *key; 235 size_t desclen, quotalen; 236 int ret; 237 238 key = ERR_PTR(-EINVAL); 239 if (!desc || !*desc) 240 goto error; 241 242 if (type->vet_description) { 243 ret = type->vet_description(desc); 244 if (ret < 0) { 245 key = ERR_PTR(ret); 246 goto error; 247 } 248 } 249 250 desclen = strlen(desc); 251 quotalen = desclen + 1 + type->def_datalen; 252 253 /* get hold of the key tracking for this user */ 254 user = key_user_lookup(uid); 255 if (!user) 256 goto no_memory_1; 257 258 /* check that the user's quota permits allocation of another key and 259 * its description */ 260 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 261 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 262 key_quota_root_maxkeys : key_quota_maxkeys; 263 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 264 key_quota_root_maxbytes : key_quota_maxbytes; 265 266 spin_lock(&user->lock); 267 if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) { 268 if (user->qnkeys + 1 > maxkeys || 269 user->qnbytes + quotalen > maxbytes || 270 user->qnbytes + quotalen < user->qnbytes) 271 goto no_quota; 272 } 273 274 user->qnkeys++; 275 user->qnbytes += quotalen; 276 spin_unlock(&user->lock); 277 } 278 279 /* allocate and initialise the key and its description */ 280 key = kmem_cache_zalloc(key_jar, GFP_KERNEL); 281 if (!key) 282 goto no_memory_2; 283 284 key->index_key.desc_len = desclen; 285 key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL); 286 if (!key->index_key.description) 287 goto no_memory_3; 288 289 refcount_set(&key->usage, 1); 290 init_rwsem(&key->sem); 291 lockdep_set_class(&key->sem, &type->lock_class); 292 key->index_key.type = type; 293 key->user = user; 294 key->quotalen = quotalen; 295 key->datalen = type->def_datalen; 296 key->uid = uid; 297 key->gid = gid; 298 key->perm = perm; 299 key->restrict_link = restrict_link; 300 key->last_used_at = ktime_get_real_seconds(); 301 302 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) 303 key->flags |= 1 << KEY_FLAG_IN_QUOTA; 304 if (flags & KEY_ALLOC_BUILT_IN) 305 key->flags |= 1 << KEY_FLAG_BUILTIN; 306 if (flags & KEY_ALLOC_UID_KEYRING) 307 key->flags |= 1 << KEY_FLAG_UID_KEYRING; 308 309 #ifdef KEY_DEBUGGING 310 key->magic = KEY_DEBUG_MAGIC; 311 #endif 312 313 /* let the security module know about the key */ 314 ret = security_key_alloc(key, cred, flags); 315 if (ret < 0) 316 goto security_error; 317 318 /* publish the key by giving it a serial number */ 319 atomic_inc(&user->nkeys); 320 key_alloc_serial(key); 321 322 error: 323 return key; 324 325 security_error: 326 kfree(key->description); 327 kmem_cache_free(key_jar, key); 328 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 329 spin_lock(&user->lock); 330 user->qnkeys--; 331 user->qnbytes -= quotalen; 332 spin_unlock(&user->lock); 333 } 334 key_user_put(user); 335 key = ERR_PTR(ret); 336 goto error; 337 338 no_memory_3: 339 kmem_cache_free(key_jar, key); 340 no_memory_2: 341 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 342 spin_lock(&user->lock); 343 user->qnkeys--; 344 user->qnbytes -= quotalen; 345 spin_unlock(&user->lock); 346 } 347 key_user_put(user); 348 no_memory_1: 349 key = ERR_PTR(-ENOMEM); 350 goto error; 351 352 no_quota: 353 spin_unlock(&user->lock); 354 key_user_put(user); 355 key = ERR_PTR(-EDQUOT); 356 goto error; 357 } 358 EXPORT_SYMBOL(key_alloc); 359 360 /** 361 * key_payload_reserve - Adjust data quota reservation for the key's payload 362 * @key: The key to make the reservation for. 363 * @datalen: The amount of data payload the caller now wants. 364 * 365 * Adjust the amount of the owning user's key data quota that a key reserves. 366 * If the amount is increased, then -EDQUOT may be returned if there isn't 367 * enough free quota available. 368 * 369 * If successful, 0 is returned. 370 */ 371 int key_payload_reserve(struct key *key, size_t datalen) 372 { 373 int delta = (int)datalen - key->datalen; 374 int ret = 0; 375 376 key_check(key); 377 378 /* contemplate the quota adjustment */ 379 if (delta != 0 && test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 380 unsigned maxbytes = uid_eq(key->user->uid, GLOBAL_ROOT_UID) ? 381 key_quota_root_maxbytes : key_quota_maxbytes; 382 383 spin_lock(&key->user->lock); 384 385 if (delta > 0 && 386 (key->user->qnbytes + delta >= maxbytes || 387 key->user->qnbytes + delta < key->user->qnbytes)) { 388 ret = -EDQUOT; 389 } 390 else { 391 key->user->qnbytes += delta; 392 key->quotalen += delta; 393 } 394 spin_unlock(&key->user->lock); 395 } 396 397 /* change the recorded data length if that didn't generate an error */ 398 if (ret == 0) 399 key->datalen = datalen; 400 401 return ret; 402 } 403 EXPORT_SYMBOL(key_payload_reserve); 404 405 /* 406 * Change the key state to being instantiated. 407 */ 408 static void mark_key_instantiated(struct key *key, int reject_error) 409 { 410 /* Commit the payload before setting the state; barrier versus 411 * key_read_state(). 412 */ 413 smp_store_release(&key->state, 414 (reject_error < 0) ? reject_error : KEY_IS_POSITIVE); 415 } 416 417 /* 418 * Instantiate a key and link it into the target keyring atomically. Must be 419 * called with the target keyring's semaphore writelocked. The target key's 420 * semaphore need not be locked as instantiation is serialised by 421 * key_construction_mutex. 422 */ 423 static int __key_instantiate_and_link(struct key *key, 424 struct key_preparsed_payload *prep, 425 struct key *keyring, 426 struct key *authkey, 427 struct assoc_array_edit **_edit) 428 { 429 int ret, awaken; 430 431 key_check(key); 432 key_check(keyring); 433 434 awaken = 0; 435 ret = -EBUSY; 436 437 mutex_lock(&key_construction_mutex); 438 439 /* can't instantiate twice */ 440 if (key->state == KEY_IS_UNINSTANTIATED) { 441 /* instantiate the key */ 442 ret = key->type->instantiate(key, prep); 443 444 if (ret == 0) { 445 /* mark the key as being instantiated */ 446 atomic_inc(&key->user->nikeys); 447 mark_key_instantiated(key, 0); 448 449 if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) 450 awaken = 1; 451 452 /* and link it into the destination keyring */ 453 if (keyring) { 454 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 455 set_bit(KEY_FLAG_KEEP, &key->flags); 456 457 __key_link(key, _edit); 458 } 459 460 /* disable the authorisation key */ 461 if (authkey) 462 key_revoke(authkey); 463 464 if (prep->expiry != TIME64_MAX) { 465 key->expiry = prep->expiry; 466 key_schedule_gc(prep->expiry + key_gc_delay); 467 } 468 } 469 } 470 471 mutex_unlock(&key_construction_mutex); 472 473 /* wake up anyone waiting for a key to be constructed */ 474 if (awaken) 475 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); 476 477 return ret; 478 } 479 480 /** 481 * key_instantiate_and_link - Instantiate a key and link it into the keyring. 482 * @key: The key to instantiate. 483 * @data: The data to use to instantiate the keyring. 484 * @datalen: The length of @data. 485 * @keyring: Keyring to create a link in on success (or NULL). 486 * @authkey: The authorisation token permitting instantiation. 487 * 488 * Instantiate a key that's in the uninstantiated state using the provided data 489 * and, if successful, link it in to the destination keyring if one is 490 * supplied. 491 * 492 * If successful, 0 is returned, the authorisation token is revoked and anyone 493 * waiting for the key is woken up. If the key was already instantiated, 494 * -EBUSY will be returned. 495 */ 496 int key_instantiate_and_link(struct key *key, 497 const void *data, 498 size_t datalen, 499 struct key *keyring, 500 struct key *authkey) 501 { 502 struct key_preparsed_payload prep; 503 struct assoc_array_edit *edit; 504 int ret; 505 506 memset(&prep, 0, sizeof(prep)); 507 prep.data = data; 508 prep.datalen = datalen; 509 prep.quotalen = key->type->def_datalen; 510 prep.expiry = TIME64_MAX; 511 if (key->type->preparse) { 512 ret = key->type->preparse(&prep); 513 if (ret < 0) 514 goto error; 515 } 516 517 if (keyring) { 518 ret = __key_link_begin(keyring, &key->index_key, &edit); 519 if (ret < 0) 520 goto error; 521 522 if (keyring->restrict_link && keyring->restrict_link->check) { 523 struct key_restriction *keyres = keyring->restrict_link; 524 525 ret = keyres->check(keyring, key->type, &prep.payload, 526 keyres->key); 527 if (ret < 0) 528 goto error_link_end; 529 } 530 } 531 532 ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit); 533 534 error_link_end: 535 if (keyring) 536 __key_link_end(keyring, &key->index_key, edit); 537 538 error: 539 if (key->type->preparse) 540 key->type->free_preparse(&prep); 541 return ret; 542 } 543 544 EXPORT_SYMBOL(key_instantiate_and_link); 545 546 /** 547 * key_reject_and_link - Negatively instantiate a key and link it into the keyring. 548 * @key: The key to instantiate. 549 * @timeout: The timeout on the negative key. 550 * @error: The error to return when the key is hit. 551 * @keyring: Keyring to create a link in on success (or NULL). 552 * @authkey: The authorisation token permitting instantiation. 553 * 554 * Negatively instantiate a key that's in the uninstantiated state and, if 555 * successful, set its timeout and stored error and link it in to the 556 * destination keyring if one is supplied. The key and any links to the key 557 * will be automatically garbage collected after the timeout expires. 558 * 559 * Negative keys are used to rate limit repeated request_key() calls by causing 560 * them to return the stored error code (typically ENOKEY) until the negative 561 * key expires. 562 * 563 * If successful, 0 is returned, the authorisation token is revoked and anyone 564 * waiting for the key is woken up. If the key was already instantiated, 565 * -EBUSY will be returned. 566 */ 567 int key_reject_and_link(struct key *key, 568 unsigned timeout, 569 unsigned error, 570 struct key *keyring, 571 struct key *authkey) 572 { 573 struct assoc_array_edit *edit; 574 int ret, awaken, link_ret = 0; 575 576 key_check(key); 577 key_check(keyring); 578 579 awaken = 0; 580 ret = -EBUSY; 581 582 if (keyring) { 583 if (keyring->restrict_link) 584 return -EPERM; 585 586 link_ret = __key_link_begin(keyring, &key->index_key, &edit); 587 } 588 589 mutex_lock(&key_construction_mutex); 590 591 /* can't instantiate twice */ 592 if (key->state == KEY_IS_UNINSTANTIATED) { 593 /* mark the key as being negatively instantiated */ 594 atomic_inc(&key->user->nikeys); 595 mark_key_instantiated(key, -error); 596 key->expiry = ktime_get_real_seconds() + timeout; 597 key_schedule_gc(key->expiry + key_gc_delay); 598 599 if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) 600 awaken = 1; 601 602 ret = 0; 603 604 /* and link it into the destination keyring */ 605 if (keyring && link_ret == 0) 606 __key_link(key, &edit); 607 608 /* disable the authorisation key */ 609 if (authkey) 610 key_revoke(authkey); 611 } 612 613 mutex_unlock(&key_construction_mutex); 614 615 if (keyring && link_ret == 0) 616 __key_link_end(keyring, &key->index_key, edit); 617 618 /* wake up anyone waiting for a key to be constructed */ 619 if (awaken) 620 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); 621 622 return ret == 0 ? link_ret : ret; 623 } 624 EXPORT_SYMBOL(key_reject_and_link); 625 626 /** 627 * key_put - Discard a reference to a key. 628 * @key: The key to discard a reference from. 629 * 630 * Discard a reference to a key, and when all the references are gone, we 631 * schedule the cleanup task to come and pull it out of the tree in process 632 * context at some later time. 633 */ 634 void key_put(struct key *key) 635 { 636 if (key) { 637 key_check(key); 638 639 if (refcount_dec_and_test(&key->usage)) 640 schedule_work(&key_gc_work); 641 } 642 } 643 EXPORT_SYMBOL(key_put); 644 645 /* 646 * Find a key by its serial number. 647 */ 648 struct key *key_lookup(key_serial_t id) 649 { 650 struct rb_node *n; 651 struct key *key; 652 653 spin_lock(&key_serial_lock); 654 655 /* search the tree for the specified key */ 656 n = key_serial_tree.rb_node; 657 while (n) { 658 key = rb_entry(n, struct key, serial_node); 659 660 if (id < key->serial) 661 n = n->rb_left; 662 else if (id > key->serial) 663 n = n->rb_right; 664 else 665 goto found; 666 } 667 668 not_found: 669 key = ERR_PTR(-ENOKEY); 670 goto error; 671 672 found: 673 /* A key is allowed to be looked up only if someone still owns a 674 * reference to it - otherwise it's awaiting the gc. 675 */ 676 if (!refcount_inc_not_zero(&key->usage)) 677 goto not_found; 678 679 error: 680 spin_unlock(&key_serial_lock); 681 return key; 682 } 683 684 /* 685 * Find and lock the specified key type against removal. 686 * 687 * We return with the sem read-locked if successful. If the type wasn't 688 * available -ENOKEY is returned instead. 689 */ 690 struct key_type *key_type_lookup(const char *type) 691 { 692 struct key_type *ktype; 693 694 down_read(&key_types_sem); 695 696 /* look up the key type to see if it's one of the registered kernel 697 * types */ 698 list_for_each_entry(ktype, &key_types_list, link) { 699 if (strcmp(ktype->name, type) == 0) 700 goto found_kernel_type; 701 } 702 703 up_read(&key_types_sem); 704 ktype = ERR_PTR(-ENOKEY); 705 706 found_kernel_type: 707 return ktype; 708 } 709 710 void key_set_timeout(struct key *key, unsigned timeout) 711 { 712 time64_t expiry = 0; 713 714 /* make the changes with the locks held to prevent races */ 715 down_write(&key->sem); 716 717 if (timeout > 0) 718 expiry = ktime_get_real_seconds() + timeout; 719 720 key->expiry = expiry; 721 key_schedule_gc(key->expiry + key_gc_delay); 722 723 up_write(&key->sem); 724 } 725 EXPORT_SYMBOL_GPL(key_set_timeout); 726 727 /* 728 * Unlock a key type locked by key_type_lookup(). 729 */ 730 void key_type_put(struct key_type *ktype) 731 { 732 up_read(&key_types_sem); 733 } 734 735 /* 736 * Attempt to update an existing key. 737 * 738 * The key is given to us with an incremented refcount that we need to discard 739 * if we get an error. 740 */ 741 static inline key_ref_t __key_update(key_ref_t key_ref, 742 struct key_preparsed_payload *prep) 743 { 744 struct key *key = key_ref_to_ptr(key_ref); 745 int ret; 746 747 /* need write permission on the key to update it */ 748 ret = key_permission(key_ref, KEY_NEED_WRITE); 749 if (ret < 0) 750 goto error; 751 752 ret = -EEXIST; 753 if (!key->type->update) 754 goto error; 755 756 down_write(&key->sem); 757 758 ret = key->type->update(key, prep); 759 if (ret == 0) 760 /* Updating a negative key positively instantiates it */ 761 mark_key_instantiated(key, 0); 762 763 up_write(&key->sem); 764 765 if (ret < 0) 766 goto error; 767 out: 768 return key_ref; 769 770 error: 771 key_put(key); 772 key_ref = ERR_PTR(ret); 773 goto out; 774 } 775 776 /** 777 * key_create_or_update - Update or create and instantiate a key. 778 * @keyring_ref: A pointer to the destination keyring with possession flag. 779 * @type: The type of key. 780 * @description: The searchable description for the key. 781 * @payload: The data to use to instantiate or update the key. 782 * @plen: The length of @payload. 783 * @perm: The permissions mask for a new key. 784 * @flags: The quota flags for a new key. 785 * 786 * Search the destination keyring for a key of the same description and if one 787 * is found, update it, otherwise create and instantiate a new one and create a 788 * link to it from that keyring. 789 * 790 * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be 791 * concocted. 792 * 793 * Returns a pointer to the new key if successful, -ENODEV if the key type 794 * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the 795 * caller isn't permitted to modify the keyring or the LSM did not permit 796 * creation of the key. 797 * 798 * On success, the possession flag from the keyring ref will be tacked on to 799 * the key ref before it is returned. 800 */ 801 key_ref_t key_create_or_update(key_ref_t keyring_ref, 802 const char *type, 803 const char *description, 804 const void *payload, 805 size_t plen, 806 key_perm_t perm, 807 unsigned long flags) 808 { 809 struct keyring_index_key index_key = { 810 .description = description, 811 }; 812 struct key_preparsed_payload prep; 813 struct assoc_array_edit *edit; 814 const struct cred *cred = current_cred(); 815 struct key *keyring, *key = NULL; 816 key_ref_t key_ref; 817 int ret; 818 struct key_restriction *restrict_link = NULL; 819 820 /* look up the key type to see if it's one of the registered kernel 821 * types */ 822 index_key.type = key_type_lookup(type); 823 if (IS_ERR(index_key.type)) { 824 key_ref = ERR_PTR(-ENODEV); 825 goto error; 826 } 827 828 key_ref = ERR_PTR(-EINVAL); 829 if (!index_key.type->instantiate || 830 (!index_key.description && !index_key.type->preparse)) 831 goto error_put_type; 832 833 keyring = key_ref_to_ptr(keyring_ref); 834 835 key_check(keyring); 836 837 if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION)) 838 restrict_link = keyring->restrict_link; 839 840 key_ref = ERR_PTR(-ENOTDIR); 841 if (keyring->type != &key_type_keyring) 842 goto error_put_type; 843 844 memset(&prep, 0, sizeof(prep)); 845 prep.data = payload; 846 prep.datalen = plen; 847 prep.quotalen = index_key.type->def_datalen; 848 prep.expiry = TIME64_MAX; 849 if (index_key.type->preparse) { 850 ret = index_key.type->preparse(&prep); 851 if (ret < 0) { 852 key_ref = ERR_PTR(ret); 853 goto error_free_prep; 854 } 855 if (!index_key.description) 856 index_key.description = prep.description; 857 key_ref = ERR_PTR(-EINVAL); 858 if (!index_key.description) 859 goto error_free_prep; 860 } 861 index_key.desc_len = strlen(index_key.description); 862 863 ret = __key_link_begin(keyring, &index_key, &edit); 864 if (ret < 0) { 865 key_ref = ERR_PTR(ret); 866 goto error_free_prep; 867 } 868 869 if (restrict_link && restrict_link->check) { 870 ret = restrict_link->check(keyring, index_key.type, 871 &prep.payload, restrict_link->key); 872 if (ret < 0) { 873 key_ref = ERR_PTR(ret); 874 goto error_link_end; 875 } 876 } 877 878 /* if we're going to allocate a new key, we're going to have 879 * to modify the keyring */ 880 ret = key_permission(keyring_ref, KEY_NEED_WRITE); 881 if (ret < 0) { 882 key_ref = ERR_PTR(ret); 883 goto error_link_end; 884 } 885 886 /* if it's possible to update this type of key, search for an existing 887 * key of the same type and description in the destination keyring and 888 * update that instead if possible 889 */ 890 if (index_key.type->update) { 891 key_ref = find_key_to_update(keyring_ref, &index_key); 892 if (key_ref) 893 goto found_matching_key; 894 } 895 896 /* if the client doesn't provide, decide on the permissions we want */ 897 if (perm == KEY_PERM_UNDEF) { 898 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; 899 perm |= KEY_USR_VIEW; 900 901 if (index_key.type->read) 902 perm |= KEY_POS_READ; 903 904 if (index_key.type == &key_type_keyring || 905 index_key.type->update) 906 perm |= KEY_POS_WRITE; 907 } 908 909 /* allocate a new key */ 910 key = key_alloc(index_key.type, index_key.description, 911 cred->fsuid, cred->fsgid, cred, perm, flags, NULL); 912 if (IS_ERR(key)) { 913 key_ref = ERR_CAST(key); 914 goto error_link_end; 915 } 916 917 /* instantiate it and link it into the target keyring */ 918 ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &edit); 919 if (ret < 0) { 920 key_put(key); 921 key_ref = ERR_PTR(ret); 922 goto error_link_end; 923 } 924 925 key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); 926 927 error_link_end: 928 __key_link_end(keyring, &index_key, edit); 929 error_free_prep: 930 if (index_key.type->preparse) 931 index_key.type->free_preparse(&prep); 932 error_put_type: 933 key_type_put(index_key.type); 934 error: 935 return key_ref; 936 937 found_matching_key: 938 /* we found a matching key, so we're going to try to update it 939 * - we can drop the locks first as we have the key pinned 940 */ 941 __key_link_end(keyring, &index_key, edit); 942 943 key = key_ref_to_ptr(key_ref); 944 if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) { 945 ret = wait_for_key_construction(key, true); 946 if (ret < 0) { 947 key_ref_put(key_ref); 948 key_ref = ERR_PTR(ret); 949 goto error_free_prep; 950 } 951 } 952 953 key_ref = __key_update(key_ref, &prep); 954 goto error_free_prep; 955 } 956 EXPORT_SYMBOL(key_create_or_update); 957 958 /** 959 * key_update - Update a key's contents. 960 * @key_ref: The pointer (plus possession flag) to the key. 961 * @payload: The data to be used to update the key. 962 * @plen: The length of @payload. 963 * 964 * Attempt to update the contents of a key with the given payload data. The 965 * caller must be granted Write permission on the key. Negative keys can be 966 * instantiated by this method. 967 * 968 * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key 969 * type does not support updating. The key type may return other errors. 970 */ 971 int key_update(key_ref_t key_ref, const void *payload, size_t plen) 972 { 973 struct key_preparsed_payload prep; 974 struct key *key = key_ref_to_ptr(key_ref); 975 int ret; 976 977 key_check(key); 978 979 /* the key must be writable */ 980 ret = key_permission(key_ref, KEY_NEED_WRITE); 981 if (ret < 0) 982 return ret; 983 984 /* attempt to update it if supported */ 985 if (!key->type->update) 986 return -EOPNOTSUPP; 987 988 memset(&prep, 0, sizeof(prep)); 989 prep.data = payload; 990 prep.datalen = plen; 991 prep.quotalen = key->type->def_datalen; 992 prep.expiry = TIME64_MAX; 993 if (key->type->preparse) { 994 ret = key->type->preparse(&prep); 995 if (ret < 0) 996 goto error; 997 } 998 999 down_write(&key->sem); 1000 1001 ret = key->type->update(key, &prep); 1002 if (ret == 0) 1003 /* Updating a negative key positively instantiates it */ 1004 mark_key_instantiated(key, 0); 1005 1006 up_write(&key->sem); 1007 1008 error: 1009 if (key->type->preparse) 1010 key->type->free_preparse(&prep); 1011 return ret; 1012 } 1013 EXPORT_SYMBOL(key_update); 1014 1015 /** 1016 * key_revoke - Revoke a key. 1017 * @key: The key to be revoked. 1018 * 1019 * Mark a key as being revoked and ask the type to free up its resources. The 1020 * revocation timeout is set and the key and all its links will be 1021 * automatically garbage collected after key_gc_delay amount of time if they 1022 * are not manually dealt with first. 1023 */ 1024 void key_revoke(struct key *key) 1025 { 1026 time64_t time; 1027 1028 key_check(key); 1029 1030 /* make sure no one's trying to change or use the key when we mark it 1031 * - we tell lockdep that we might nest because we might be revoking an 1032 * authorisation key whilst holding the sem on a key we've just 1033 * instantiated 1034 */ 1035 down_write_nested(&key->sem, 1); 1036 if (!test_and_set_bit(KEY_FLAG_REVOKED, &key->flags) && 1037 key->type->revoke) 1038 key->type->revoke(key); 1039 1040 /* set the death time to no more than the expiry time */ 1041 time = ktime_get_real_seconds(); 1042 if (key->revoked_at == 0 || key->revoked_at > time) { 1043 key->revoked_at = time; 1044 key_schedule_gc(key->revoked_at + key_gc_delay); 1045 } 1046 1047 up_write(&key->sem); 1048 } 1049 EXPORT_SYMBOL(key_revoke); 1050 1051 /** 1052 * key_invalidate - Invalidate a key. 1053 * @key: The key to be invalidated. 1054 * 1055 * Mark a key as being invalidated and have it cleaned up immediately. The key 1056 * is ignored by all searches and other operations from this point. 1057 */ 1058 void key_invalidate(struct key *key) 1059 { 1060 kenter("%d", key_serial(key)); 1061 1062 key_check(key); 1063 1064 if (!test_bit(KEY_FLAG_INVALIDATED, &key->flags)) { 1065 down_write_nested(&key->sem, 1); 1066 if (!test_and_set_bit(KEY_FLAG_INVALIDATED, &key->flags)) 1067 key_schedule_gc_links(); 1068 up_write(&key->sem); 1069 } 1070 } 1071 EXPORT_SYMBOL(key_invalidate); 1072 1073 /** 1074 * generic_key_instantiate - Simple instantiation of a key from preparsed data 1075 * @key: The key to be instantiated 1076 * @prep: The preparsed data to load. 1077 * 1078 * Instantiate a key from preparsed data. We assume we can just copy the data 1079 * in directly and clear the old pointers. 1080 * 1081 * This can be pointed to directly by the key type instantiate op pointer. 1082 */ 1083 int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep) 1084 { 1085 int ret; 1086 1087 pr_devel("==>%s()\n", __func__); 1088 1089 ret = key_payload_reserve(key, prep->quotalen); 1090 if (ret == 0) { 1091 rcu_assign_keypointer(key, prep->payload.data[0]); 1092 key->payload.data[1] = prep->payload.data[1]; 1093 key->payload.data[2] = prep->payload.data[2]; 1094 key->payload.data[3] = prep->payload.data[3]; 1095 prep->payload.data[0] = NULL; 1096 prep->payload.data[1] = NULL; 1097 prep->payload.data[2] = NULL; 1098 prep->payload.data[3] = NULL; 1099 } 1100 pr_devel("<==%s() = %d\n", __func__, ret); 1101 return ret; 1102 } 1103 EXPORT_SYMBOL(generic_key_instantiate); 1104 1105 /** 1106 * register_key_type - Register a type of key. 1107 * @ktype: The new key type. 1108 * 1109 * Register a new key type. 1110 * 1111 * Returns 0 on success or -EEXIST if a type of this name already exists. 1112 */ 1113 int register_key_type(struct key_type *ktype) 1114 { 1115 struct key_type *p; 1116 int ret; 1117 1118 memset(&ktype->lock_class, 0, sizeof(ktype->lock_class)); 1119 1120 ret = -EEXIST; 1121 down_write(&key_types_sem); 1122 1123 /* disallow key types with the same name */ 1124 list_for_each_entry(p, &key_types_list, link) { 1125 if (strcmp(p->name, ktype->name) == 0) 1126 goto out; 1127 } 1128 1129 /* store the type */ 1130 list_add(&ktype->link, &key_types_list); 1131 1132 pr_notice("Key type %s registered\n", ktype->name); 1133 ret = 0; 1134 1135 out: 1136 up_write(&key_types_sem); 1137 return ret; 1138 } 1139 EXPORT_SYMBOL(register_key_type); 1140 1141 /** 1142 * unregister_key_type - Unregister a type of key. 1143 * @ktype: The key type. 1144 * 1145 * Unregister a key type and mark all the extant keys of this type as dead. 1146 * Those keys of this type are then destroyed to get rid of their payloads and 1147 * they and their links will be garbage collected as soon as possible. 1148 */ 1149 void unregister_key_type(struct key_type *ktype) 1150 { 1151 down_write(&key_types_sem); 1152 list_del_init(&ktype->link); 1153 downgrade_write(&key_types_sem); 1154 key_gc_keytype(ktype); 1155 pr_notice("Key type %s unregistered\n", ktype->name); 1156 up_read(&key_types_sem); 1157 } 1158 EXPORT_SYMBOL(unregister_key_type); 1159 1160 /* 1161 * Initialise the key management state. 1162 */ 1163 void __init key_init(void) 1164 { 1165 /* allocate a slab in which we can store keys */ 1166 key_jar = kmem_cache_create("key_jar", sizeof(struct key), 1167 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); 1168 1169 /* add the special key types */ 1170 list_add_tail(&key_type_keyring.link, &key_types_list); 1171 list_add_tail(&key_type_dead.link, &key_types_list); 1172 list_add_tail(&key_type_user.link, &key_types_list); 1173 list_add_tail(&key_type_logon.link, &key_types_list); 1174 1175 /* record the root user tracking */ 1176 rb_link_node(&root_key_user.node, 1177 NULL, 1178 &key_user_tree.rb_node); 1179 1180 rb_insert_color(&root_key_user.node, 1181 &key_user_tree); 1182 } 1183