1 /* Userspace key control operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/syscalls.h> 17 #include <linux/key.h> 18 #include <linux/keyctl.h> 19 #include <linux/fs.h> 20 #include <linux/capability.h> 21 #include <linux/cred.h> 22 #include <linux/string.h> 23 #include <linux/err.h> 24 #include <linux/vmalloc.h> 25 #include <linux/security.h> 26 #include <linux/uio.h> 27 #include <linux/uaccess.h> 28 #include "internal.h" 29 30 #define KEY_MAX_DESC_SIZE 4096 31 32 static int key_get_type_from_user(char *type, 33 const char __user *_type, 34 unsigned len) 35 { 36 int ret; 37 38 ret = strncpy_from_user(type, _type, len); 39 if (ret < 0) 40 return ret; 41 if (ret == 0 || ret >= len) 42 return -EINVAL; 43 if (type[0] == '.') 44 return -EPERM; 45 type[len - 1] = '\0'; 46 return 0; 47 } 48 49 /* 50 * Extract the description of a new key from userspace and either add it as a 51 * new key to the specified keyring or update a matching key in that keyring. 52 * 53 * If the description is NULL or an empty string, the key type is asked to 54 * generate one from the payload. 55 * 56 * The keyring must be writable so that we can attach the key to it. 57 * 58 * If successful, the new key's serial number is returned, otherwise an error 59 * code is returned. 60 */ 61 SYSCALL_DEFINE5(add_key, const char __user *, _type, 62 const char __user *, _description, 63 const void __user *, _payload, 64 size_t, plen, 65 key_serial_t, ringid) 66 { 67 key_ref_t keyring_ref, key_ref; 68 char type[32], *description; 69 void *payload; 70 long ret; 71 72 ret = -EINVAL; 73 if (plen > 1024 * 1024 - 1) 74 goto error; 75 76 /* draw all the data into kernel space */ 77 ret = key_get_type_from_user(type, _type, sizeof(type)); 78 if (ret < 0) 79 goto error; 80 81 description = NULL; 82 if (_description) { 83 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 84 if (IS_ERR(description)) { 85 ret = PTR_ERR(description); 86 goto error; 87 } 88 if (!*description) { 89 kfree(description); 90 description = NULL; 91 } else if ((description[0] == '.') && 92 (strncmp(type, "keyring", 7) == 0)) { 93 ret = -EPERM; 94 goto error2; 95 } 96 } 97 98 /* pull the payload in if one was supplied */ 99 payload = NULL; 100 101 if (_payload) { 102 ret = -ENOMEM; 103 payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN); 104 if (!payload) { 105 if (plen <= PAGE_SIZE) 106 goto error2; 107 payload = vmalloc(plen); 108 if (!payload) 109 goto error2; 110 } 111 112 ret = -EFAULT; 113 if (copy_from_user(payload, _payload, plen) != 0) 114 goto error3; 115 } 116 117 /* find the target keyring (which must be writable) */ 118 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 119 if (IS_ERR(keyring_ref)) { 120 ret = PTR_ERR(keyring_ref); 121 goto error3; 122 } 123 124 /* create or update the requested key and add it to the target 125 * keyring */ 126 key_ref = key_create_or_update(keyring_ref, type, description, 127 payload, plen, KEY_PERM_UNDEF, 128 KEY_ALLOC_IN_QUOTA); 129 if (!IS_ERR(key_ref)) { 130 ret = key_ref_to_ptr(key_ref)->serial; 131 key_ref_put(key_ref); 132 } 133 else { 134 ret = PTR_ERR(key_ref); 135 } 136 137 key_ref_put(keyring_ref); 138 error3: 139 kvfree(payload); 140 error2: 141 kfree(description); 142 error: 143 return ret; 144 } 145 146 /* 147 * Search the process keyrings and keyring trees linked from those for a 148 * matching key. Keyrings must have appropriate Search permission to be 149 * searched. 150 * 151 * If a key is found, it will be attached to the destination keyring if there's 152 * one specified and the serial number of the key will be returned. 153 * 154 * If no key is found, /sbin/request-key will be invoked if _callout_info is 155 * non-NULL in an attempt to create a key. The _callout_info string will be 156 * passed to /sbin/request-key to aid with completing the request. If the 157 * _callout_info string is "" then it will be changed to "-". 158 */ 159 SYSCALL_DEFINE4(request_key, const char __user *, _type, 160 const char __user *, _description, 161 const char __user *, _callout_info, 162 key_serial_t, destringid) 163 { 164 struct key_type *ktype; 165 struct key *key; 166 key_ref_t dest_ref; 167 size_t callout_len; 168 char type[32], *description, *callout_info; 169 long ret; 170 171 /* pull the type into kernel space */ 172 ret = key_get_type_from_user(type, _type, sizeof(type)); 173 if (ret < 0) 174 goto error; 175 176 /* pull the description into kernel space */ 177 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 178 if (IS_ERR(description)) { 179 ret = PTR_ERR(description); 180 goto error; 181 } 182 183 /* pull the callout info into kernel space */ 184 callout_info = NULL; 185 callout_len = 0; 186 if (_callout_info) { 187 callout_info = strndup_user(_callout_info, PAGE_SIZE); 188 if (IS_ERR(callout_info)) { 189 ret = PTR_ERR(callout_info); 190 goto error2; 191 } 192 callout_len = strlen(callout_info); 193 } 194 195 /* get the destination keyring if specified */ 196 dest_ref = NULL; 197 if (destringid) { 198 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 199 KEY_NEED_WRITE); 200 if (IS_ERR(dest_ref)) { 201 ret = PTR_ERR(dest_ref); 202 goto error3; 203 } 204 } 205 206 /* find the key type */ 207 ktype = key_type_lookup(type); 208 if (IS_ERR(ktype)) { 209 ret = PTR_ERR(ktype); 210 goto error4; 211 } 212 213 /* do the search */ 214 key = request_key_and_link(ktype, description, callout_info, 215 callout_len, NULL, key_ref_to_ptr(dest_ref), 216 KEY_ALLOC_IN_QUOTA); 217 if (IS_ERR(key)) { 218 ret = PTR_ERR(key); 219 goto error5; 220 } 221 222 /* wait for the key to finish being constructed */ 223 ret = wait_for_key_construction(key, 1); 224 if (ret < 0) 225 goto error6; 226 227 ret = key->serial; 228 229 error6: 230 key_put(key); 231 error5: 232 key_type_put(ktype); 233 error4: 234 key_ref_put(dest_ref); 235 error3: 236 kfree(callout_info); 237 error2: 238 kfree(description); 239 error: 240 return ret; 241 } 242 243 /* 244 * Get the ID of the specified process keyring. 245 * 246 * The requested keyring must have search permission to be found. 247 * 248 * If successful, the ID of the requested keyring will be returned. 249 */ 250 long keyctl_get_keyring_ID(key_serial_t id, int create) 251 { 252 key_ref_t key_ref; 253 unsigned long lflags; 254 long ret; 255 256 lflags = create ? KEY_LOOKUP_CREATE : 0; 257 key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH); 258 if (IS_ERR(key_ref)) { 259 ret = PTR_ERR(key_ref); 260 goto error; 261 } 262 263 ret = key_ref_to_ptr(key_ref)->serial; 264 key_ref_put(key_ref); 265 error: 266 return ret; 267 } 268 269 /* 270 * Join a (named) session keyring. 271 * 272 * Create and join an anonymous session keyring or join a named session 273 * keyring, creating it if necessary. A named session keyring must have Search 274 * permission for it to be joined. Session keyrings without this permit will 275 * be skipped over. 276 * 277 * If successful, the ID of the joined session keyring will be returned. 278 */ 279 long keyctl_join_session_keyring(const char __user *_name) 280 { 281 char *name; 282 long ret; 283 284 /* fetch the name from userspace */ 285 name = NULL; 286 if (_name) { 287 name = strndup_user(_name, KEY_MAX_DESC_SIZE); 288 if (IS_ERR(name)) { 289 ret = PTR_ERR(name); 290 goto error; 291 } 292 } 293 294 /* join the session */ 295 ret = join_session_keyring(name); 296 kfree(name); 297 298 error: 299 return ret; 300 } 301 302 /* 303 * Update a key's data payload from the given data. 304 * 305 * The key must grant the caller Write permission and the key type must support 306 * updating for this to work. A negative key can be positively instantiated 307 * with this call. 308 * 309 * If successful, 0 will be returned. If the key type does not support 310 * updating, then -EOPNOTSUPP will be returned. 311 */ 312 long keyctl_update_key(key_serial_t id, 313 const void __user *_payload, 314 size_t plen) 315 { 316 key_ref_t key_ref; 317 void *payload; 318 long ret; 319 320 ret = -EINVAL; 321 if (plen > PAGE_SIZE) 322 goto error; 323 324 /* pull the payload in if one was supplied */ 325 payload = NULL; 326 if (_payload) { 327 ret = -ENOMEM; 328 payload = kmalloc(plen, GFP_KERNEL); 329 if (!payload) 330 goto error; 331 332 ret = -EFAULT; 333 if (copy_from_user(payload, _payload, plen) != 0) 334 goto error2; 335 } 336 337 /* find the target key (which must be writable) */ 338 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 339 if (IS_ERR(key_ref)) { 340 ret = PTR_ERR(key_ref); 341 goto error2; 342 } 343 344 /* update the key */ 345 ret = key_update(key_ref, payload, plen); 346 347 key_ref_put(key_ref); 348 error2: 349 kfree(payload); 350 error: 351 return ret; 352 } 353 354 /* 355 * Revoke a key. 356 * 357 * The key must be grant the caller Write or Setattr permission for this to 358 * work. The key type should give up its quota claim when revoked. The key 359 * and any links to the key will be automatically garbage collected after a 360 * certain amount of time (/proc/sys/kernel/keys/gc_delay). 361 * 362 * Keys with KEY_FLAG_KEEP set should not be revoked. 363 * 364 * If successful, 0 is returned. 365 */ 366 long keyctl_revoke_key(key_serial_t id) 367 { 368 key_ref_t key_ref; 369 struct key *key; 370 long ret; 371 372 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 373 if (IS_ERR(key_ref)) { 374 ret = PTR_ERR(key_ref); 375 if (ret != -EACCES) 376 goto error; 377 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 378 if (IS_ERR(key_ref)) { 379 ret = PTR_ERR(key_ref); 380 goto error; 381 } 382 } 383 384 key = key_ref_to_ptr(key_ref); 385 ret = 0; 386 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 387 ret = -EPERM; 388 else 389 key_revoke(key); 390 391 key_ref_put(key_ref); 392 error: 393 return ret; 394 } 395 396 /* 397 * Invalidate a key. 398 * 399 * The key must be grant the caller Invalidate permission for this to work. 400 * The key and any links to the key will be automatically garbage collected 401 * immediately. 402 * 403 * Keys with KEY_FLAG_KEEP set should not be invalidated. 404 * 405 * If successful, 0 is returned. 406 */ 407 long keyctl_invalidate_key(key_serial_t id) 408 { 409 key_ref_t key_ref; 410 struct key *key; 411 long ret; 412 413 kenter("%d", id); 414 415 key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); 416 if (IS_ERR(key_ref)) { 417 ret = PTR_ERR(key_ref); 418 419 /* Root is permitted to invalidate certain special keys */ 420 if (capable(CAP_SYS_ADMIN)) { 421 key_ref = lookup_user_key(id, 0, 0); 422 if (IS_ERR(key_ref)) 423 goto error; 424 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, 425 &key_ref_to_ptr(key_ref)->flags)) 426 goto invalidate; 427 goto error_put; 428 } 429 430 goto error; 431 } 432 433 invalidate: 434 key = key_ref_to_ptr(key_ref); 435 ret = 0; 436 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 437 ret = -EPERM; 438 else 439 key_invalidate(key); 440 error_put: 441 key_ref_put(key_ref); 442 error: 443 kleave(" = %ld", ret); 444 return ret; 445 } 446 447 /* 448 * Clear the specified keyring, creating an empty process keyring if one of the 449 * special keyring IDs is used. 450 * 451 * The keyring must grant the caller Write permission and not have 452 * KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned. 453 */ 454 long keyctl_keyring_clear(key_serial_t ringid) 455 { 456 key_ref_t keyring_ref; 457 struct key *keyring; 458 long ret; 459 460 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 461 if (IS_ERR(keyring_ref)) { 462 ret = PTR_ERR(keyring_ref); 463 464 /* Root is permitted to invalidate certain special keyrings */ 465 if (capable(CAP_SYS_ADMIN)) { 466 keyring_ref = lookup_user_key(ringid, 0, 0); 467 if (IS_ERR(keyring_ref)) 468 goto error; 469 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, 470 &key_ref_to_ptr(keyring_ref)->flags)) 471 goto clear; 472 goto error_put; 473 } 474 475 goto error; 476 } 477 478 clear: 479 keyring = key_ref_to_ptr(keyring_ref); 480 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 481 ret = -EPERM; 482 else 483 ret = keyring_clear(keyring); 484 error_put: 485 key_ref_put(keyring_ref); 486 error: 487 return ret; 488 } 489 490 /* 491 * Create a link from a keyring to a key if there's no matching key in the 492 * keyring, otherwise replace the link to the matching key with a link to the 493 * new key. 494 * 495 * The key must grant the caller Link permission and the the keyring must grant 496 * the caller Write permission. Furthermore, if an additional link is created, 497 * the keyring's quota will be extended. 498 * 499 * If successful, 0 will be returned. 500 */ 501 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 502 { 503 key_ref_t keyring_ref, key_ref; 504 long ret; 505 506 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 507 if (IS_ERR(keyring_ref)) { 508 ret = PTR_ERR(keyring_ref); 509 goto error; 510 } 511 512 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 513 if (IS_ERR(key_ref)) { 514 ret = PTR_ERR(key_ref); 515 goto error2; 516 } 517 518 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 519 520 key_ref_put(key_ref); 521 error2: 522 key_ref_put(keyring_ref); 523 error: 524 return ret; 525 } 526 527 /* 528 * Unlink a key from a keyring. 529 * 530 * The keyring must grant the caller Write permission for this to work; the key 531 * itself need not grant the caller anything. If the last link to a key is 532 * removed then that key will be scheduled for destruction. 533 * 534 * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. 535 * 536 * If successful, 0 will be returned. 537 */ 538 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 539 { 540 key_ref_t keyring_ref, key_ref; 541 struct key *keyring, *key; 542 long ret; 543 544 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); 545 if (IS_ERR(keyring_ref)) { 546 ret = PTR_ERR(keyring_ref); 547 goto error; 548 } 549 550 key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0); 551 if (IS_ERR(key_ref)) { 552 ret = PTR_ERR(key_ref); 553 goto error2; 554 } 555 556 keyring = key_ref_to_ptr(keyring_ref); 557 key = key_ref_to_ptr(key_ref); 558 if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && 559 test_bit(KEY_FLAG_KEEP, &key->flags)) 560 ret = -EPERM; 561 else 562 ret = key_unlink(keyring, key); 563 564 key_ref_put(key_ref); 565 error2: 566 key_ref_put(keyring_ref); 567 error: 568 return ret; 569 } 570 571 /* 572 * Return a description of a key to userspace. 573 * 574 * The key must grant the caller View permission for this to work. 575 * 576 * If there's a buffer, we place up to buflen bytes of data into it formatted 577 * in the following way: 578 * 579 * type;uid;gid;perm;description<NUL> 580 * 581 * If successful, we return the amount of description available, irrespective 582 * of how much we may have copied into the buffer. 583 */ 584 long keyctl_describe_key(key_serial_t keyid, 585 char __user *buffer, 586 size_t buflen) 587 { 588 struct key *key, *instkey; 589 key_ref_t key_ref; 590 char *infobuf; 591 long ret; 592 int desclen, infolen; 593 594 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 595 if (IS_ERR(key_ref)) { 596 /* viewing a key under construction is permitted if we have the 597 * authorisation token handy */ 598 if (PTR_ERR(key_ref) == -EACCES) { 599 instkey = key_get_instantiation_authkey(keyid); 600 if (!IS_ERR(instkey)) { 601 key_put(instkey); 602 key_ref = lookup_user_key(keyid, 603 KEY_LOOKUP_PARTIAL, 604 0); 605 if (!IS_ERR(key_ref)) 606 goto okay; 607 } 608 } 609 610 ret = PTR_ERR(key_ref); 611 goto error; 612 } 613 614 okay: 615 key = key_ref_to_ptr(key_ref); 616 desclen = strlen(key->description); 617 618 /* calculate how much information we're going to return */ 619 ret = -ENOMEM; 620 infobuf = kasprintf(GFP_KERNEL, 621 "%s;%d;%d;%08x;", 622 key->type->name, 623 from_kuid_munged(current_user_ns(), key->uid), 624 from_kgid_munged(current_user_ns(), key->gid), 625 key->perm); 626 if (!infobuf) 627 goto error2; 628 infolen = strlen(infobuf); 629 ret = infolen + desclen + 1; 630 631 /* consider returning the data */ 632 if (buffer && buflen >= ret) { 633 if (copy_to_user(buffer, infobuf, infolen) != 0 || 634 copy_to_user(buffer + infolen, key->description, 635 desclen + 1) != 0) 636 ret = -EFAULT; 637 } 638 639 kfree(infobuf); 640 error2: 641 key_ref_put(key_ref); 642 error: 643 return ret; 644 } 645 646 /* 647 * Search the specified keyring and any keyrings it links to for a matching 648 * key. Only keyrings that grant the caller Search permission will be searched 649 * (this includes the starting keyring). Only keys with Search permission can 650 * be found. 651 * 652 * If successful, the found key will be linked to the destination keyring if 653 * supplied and the key has Link permission, and the found key ID will be 654 * returned. 655 */ 656 long keyctl_keyring_search(key_serial_t ringid, 657 const char __user *_type, 658 const char __user *_description, 659 key_serial_t destringid) 660 { 661 struct key_type *ktype; 662 key_ref_t keyring_ref, key_ref, dest_ref; 663 char type[32], *description; 664 long ret; 665 666 /* pull the type and description into kernel space */ 667 ret = key_get_type_from_user(type, _type, sizeof(type)); 668 if (ret < 0) 669 goto error; 670 671 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 672 if (IS_ERR(description)) { 673 ret = PTR_ERR(description); 674 goto error; 675 } 676 677 /* get the keyring at which to begin the search */ 678 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH); 679 if (IS_ERR(keyring_ref)) { 680 ret = PTR_ERR(keyring_ref); 681 goto error2; 682 } 683 684 /* get the destination keyring if specified */ 685 dest_ref = NULL; 686 if (destringid) { 687 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 688 KEY_NEED_WRITE); 689 if (IS_ERR(dest_ref)) { 690 ret = PTR_ERR(dest_ref); 691 goto error3; 692 } 693 } 694 695 /* find the key type */ 696 ktype = key_type_lookup(type); 697 if (IS_ERR(ktype)) { 698 ret = PTR_ERR(ktype); 699 goto error4; 700 } 701 702 /* do the search */ 703 key_ref = keyring_search(keyring_ref, ktype, description); 704 if (IS_ERR(key_ref)) { 705 ret = PTR_ERR(key_ref); 706 707 /* treat lack or presence of a negative key the same */ 708 if (ret == -EAGAIN) 709 ret = -ENOKEY; 710 goto error5; 711 } 712 713 /* link the resulting key to the destination keyring if we can */ 714 if (dest_ref) { 715 ret = key_permission(key_ref, KEY_NEED_LINK); 716 if (ret < 0) 717 goto error6; 718 719 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 720 if (ret < 0) 721 goto error6; 722 } 723 724 ret = key_ref_to_ptr(key_ref)->serial; 725 726 error6: 727 key_ref_put(key_ref); 728 error5: 729 key_type_put(ktype); 730 error4: 731 key_ref_put(dest_ref); 732 error3: 733 key_ref_put(keyring_ref); 734 error2: 735 kfree(description); 736 error: 737 return ret; 738 } 739 740 /* 741 * Read a key's payload. 742 * 743 * The key must either grant the caller Read permission, or it must grant the 744 * caller Search permission when searched for from the process keyrings. 745 * 746 * If successful, we place up to buflen bytes of data into the buffer, if one 747 * is provided, and return the amount of data that is available in the key, 748 * irrespective of how much we copied into the buffer. 749 */ 750 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 751 { 752 struct key *key; 753 key_ref_t key_ref; 754 long ret; 755 756 /* find the key first */ 757 key_ref = lookup_user_key(keyid, 0, 0); 758 if (IS_ERR(key_ref)) { 759 ret = -ENOKEY; 760 goto error; 761 } 762 763 key = key_ref_to_ptr(key_ref); 764 765 /* see if we can read it directly */ 766 ret = key_permission(key_ref, KEY_NEED_READ); 767 if (ret == 0) 768 goto can_read_key; 769 if (ret != -EACCES) 770 goto error; 771 772 /* we can't; see if it's searchable from this process's keyrings 773 * - we automatically take account of the fact that it may be 774 * dangling off an instantiation key 775 */ 776 if (!is_key_possessed(key_ref)) { 777 ret = -EACCES; 778 goto error2; 779 } 780 781 /* the key is probably readable - now try to read it */ 782 can_read_key: 783 ret = -EOPNOTSUPP; 784 if (key->type->read) { 785 /* Read the data with the semaphore held (since we might sleep) 786 * to protect against the key being updated or revoked. 787 */ 788 down_read(&key->sem); 789 ret = key_validate(key); 790 if (ret == 0) 791 ret = key->type->read(key, buffer, buflen); 792 up_read(&key->sem); 793 } 794 795 error2: 796 key_put(key); 797 error: 798 return ret; 799 } 800 801 /* 802 * Change the ownership of a key 803 * 804 * The key must grant the caller Setattr permission for this to work, though 805 * the key need not be fully instantiated yet. For the UID to be changed, or 806 * for the GID to be changed to a group the caller is not a member of, the 807 * caller must have sysadmin capability. If either uid or gid is -1 then that 808 * attribute is not changed. 809 * 810 * If the UID is to be changed, the new user must have sufficient quota to 811 * accept the key. The quota deduction will be removed from the old user to 812 * the new user should the attribute be changed. 813 * 814 * If successful, 0 will be returned. 815 */ 816 long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) 817 { 818 struct key_user *newowner, *zapowner = NULL; 819 struct key *key; 820 key_ref_t key_ref; 821 long ret; 822 kuid_t uid; 823 kgid_t gid; 824 825 uid = make_kuid(current_user_ns(), user); 826 gid = make_kgid(current_user_ns(), group); 827 ret = -EINVAL; 828 if ((user != (uid_t) -1) && !uid_valid(uid)) 829 goto error; 830 if ((group != (gid_t) -1) && !gid_valid(gid)) 831 goto error; 832 833 ret = 0; 834 if (user == (uid_t) -1 && group == (gid_t) -1) 835 goto error; 836 837 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 838 KEY_NEED_SETATTR); 839 if (IS_ERR(key_ref)) { 840 ret = PTR_ERR(key_ref); 841 goto error; 842 } 843 844 key = key_ref_to_ptr(key_ref); 845 846 /* make the changes with the locks held to prevent chown/chown races */ 847 ret = -EACCES; 848 down_write(&key->sem); 849 850 if (!capable(CAP_SYS_ADMIN)) { 851 /* only the sysadmin can chown a key to some other UID */ 852 if (user != (uid_t) -1 && !uid_eq(key->uid, uid)) 853 goto error_put; 854 855 /* only the sysadmin can set the key's GID to a group other 856 * than one of those that the current process subscribes to */ 857 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid)) 858 goto error_put; 859 } 860 861 /* change the UID */ 862 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) { 863 ret = -ENOMEM; 864 newowner = key_user_lookup(uid); 865 if (!newowner) 866 goto error_put; 867 868 /* transfer the quota burden to the new user */ 869 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 870 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 871 key_quota_root_maxkeys : key_quota_maxkeys; 872 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 873 key_quota_root_maxbytes : key_quota_maxbytes; 874 875 spin_lock(&newowner->lock); 876 if (newowner->qnkeys + 1 >= maxkeys || 877 newowner->qnbytes + key->quotalen >= maxbytes || 878 newowner->qnbytes + key->quotalen < 879 newowner->qnbytes) 880 goto quota_overrun; 881 882 newowner->qnkeys++; 883 newowner->qnbytes += key->quotalen; 884 spin_unlock(&newowner->lock); 885 886 spin_lock(&key->user->lock); 887 key->user->qnkeys--; 888 key->user->qnbytes -= key->quotalen; 889 spin_unlock(&key->user->lock); 890 } 891 892 atomic_dec(&key->user->nkeys); 893 atomic_inc(&newowner->nkeys); 894 895 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 896 atomic_dec(&key->user->nikeys); 897 atomic_inc(&newowner->nikeys); 898 } 899 900 zapowner = key->user; 901 key->user = newowner; 902 key->uid = uid; 903 } 904 905 /* change the GID */ 906 if (group != (gid_t) -1) 907 key->gid = gid; 908 909 ret = 0; 910 911 error_put: 912 up_write(&key->sem); 913 key_put(key); 914 if (zapowner) 915 key_user_put(zapowner); 916 error: 917 return ret; 918 919 quota_overrun: 920 spin_unlock(&newowner->lock); 921 zapowner = newowner; 922 ret = -EDQUOT; 923 goto error_put; 924 } 925 926 /* 927 * Change the permission mask on a key. 928 * 929 * The key must grant the caller Setattr permission for this to work, though 930 * the key need not be fully instantiated yet. If the caller does not have 931 * sysadmin capability, it may only change the permission on keys that it owns. 932 */ 933 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 934 { 935 struct key *key; 936 key_ref_t key_ref; 937 long ret; 938 939 ret = -EINVAL; 940 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 941 goto error; 942 943 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 944 KEY_NEED_SETATTR); 945 if (IS_ERR(key_ref)) { 946 ret = PTR_ERR(key_ref); 947 goto error; 948 } 949 950 key = key_ref_to_ptr(key_ref); 951 952 /* make the changes with the locks held to prevent chown/chmod races */ 953 ret = -EACCES; 954 down_write(&key->sem); 955 956 /* if we're not the sysadmin, we can only change a key that we own */ 957 if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) { 958 key->perm = perm; 959 ret = 0; 960 } 961 962 up_write(&key->sem); 963 key_put(key); 964 error: 965 return ret; 966 } 967 968 /* 969 * Get the destination keyring for instantiation and check that the caller has 970 * Write permission on it. 971 */ 972 static long get_instantiation_keyring(key_serial_t ringid, 973 struct request_key_auth *rka, 974 struct key **_dest_keyring) 975 { 976 key_ref_t dkref; 977 978 *_dest_keyring = NULL; 979 980 /* just return a NULL pointer if we weren't asked to make a link */ 981 if (ringid == 0) 982 return 0; 983 984 /* if a specific keyring is nominated by ID, then use that */ 985 if (ringid > 0) { 986 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 987 if (IS_ERR(dkref)) 988 return PTR_ERR(dkref); 989 *_dest_keyring = key_ref_to_ptr(dkref); 990 return 0; 991 } 992 993 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 994 return -EINVAL; 995 996 /* otherwise specify the destination keyring recorded in the 997 * authorisation key (any KEY_SPEC_*_KEYRING) */ 998 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 999 *_dest_keyring = key_get(rka->dest_keyring); 1000 return 0; 1001 } 1002 1003 return -ENOKEY; 1004 } 1005 1006 /* 1007 * Change the request_key authorisation key on the current process. 1008 */ 1009 static int keyctl_change_reqkey_auth(struct key *key) 1010 { 1011 struct cred *new; 1012 1013 new = prepare_creds(); 1014 if (!new) 1015 return -ENOMEM; 1016 1017 key_put(new->request_key_auth); 1018 new->request_key_auth = key_get(key); 1019 1020 return commit_creds(new); 1021 } 1022 1023 /* 1024 * Instantiate a key with the specified payload and link the key into the 1025 * destination keyring if one is given. 1026 * 1027 * The caller must have the appropriate instantiation permit set for this to 1028 * work (see keyctl_assume_authority). No other permissions are required. 1029 * 1030 * If successful, 0 will be returned. 1031 */ 1032 long keyctl_instantiate_key_common(key_serial_t id, 1033 struct iov_iter *from, 1034 key_serial_t ringid) 1035 { 1036 const struct cred *cred = current_cred(); 1037 struct request_key_auth *rka; 1038 struct key *instkey, *dest_keyring; 1039 size_t plen = from ? iov_iter_count(from) : 0; 1040 void *payload; 1041 long ret; 1042 1043 kenter("%d,,%zu,%d", id, plen, ringid); 1044 1045 if (!plen) 1046 from = NULL; 1047 1048 ret = -EINVAL; 1049 if (plen > 1024 * 1024 - 1) 1050 goto error; 1051 1052 /* the appropriate instantiation authorisation key must have been 1053 * assumed before calling this */ 1054 ret = -EPERM; 1055 instkey = cred->request_key_auth; 1056 if (!instkey) 1057 goto error; 1058 1059 rka = instkey->payload.data[0]; 1060 if (rka->target_key->serial != id) 1061 goto error; 1062 1063 /* pull the payload in if one was supplied */ 1064 payload = NULL; 1065 1066 if (from) { 1067 ret = -ENOMEM; 1068 payload = kmalloc(plen, GFP_KERNEL); 1069 if (!payload) { 1070 if (plen <= PAGE_SIZE) 1071 goto error; 1072 payload = vmalloc(plen); 1073 if (!payload) 1074 goto error; 1075 } 1076 1077 ret = -EFAULT; 1078 if (!copy_from_iter_full(payload, plen, from)) 1079 goto error2; 1080 } 1081 1082 /* find the destination keyring amongst those belonging to the 1083 * requesting task */ 1084 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1085 if (ret < 0) 1086 goto error2; 1087 1088 /* instantiate the key and link it into a keyring */ 1089 ret = key_instantiate_and_link(rka->target_key, payload, plen, 1090 dest_keyring, instkey); 1091 1092 key_put(dest_keyring); 1093 1094 /* discard the assumed authority if it's just been disabled by 1095 * instantiation of the key */ 1096 if (ret == 0) 1097 keyctl_change_reqkey_auth(NULL); 1098 1099 error2: 1100 kvfree(payload); 1101 error: 1102 return ret; 1103 } 1104 1105 /* 1106 * Instantiate a key with the specified payload and link the key into the 1107 * destination keyring if one is given. 1108 * 1109 * The caller must have the appropriate instantiation permit set for this to 1110 * work (see keyctl_assume_authority). No other permissions are required. 1111 * 1112 * If successful, 0 will be returned. 1113 */ 1114 long keyctl_instantiate_key(key_serial_t id, 1115 const void __user *_payload, 1116 size_t plen, 1117 key_serial_t ringid) 1118 { 1119 if (_payload && plen) { 1120 struct iovec iov; 1121 struct iov_iter from; 1122 int ret; 1123 1124 ret = import_single_range(WRITE, (void __user *)_payload, plen, 1125 &iov, &from); 1126 if (unlikely(ret)) 1127 return ret; 1128 1129 return keyctl_instantiate_key_common(id, &from, ringid); 1130 } 1131 1132 return keyctl_instantiate_key_common(id, NULL, ringid); 1133 } 1134 1135 /* 1136 * Instantiate a key with the specified multipart payload and link the key into 1137 * the destination keyring if one is given. 1138 * 1139 * The caller must have the appropriate instantiation permit set for this to 1140 * work (see keyctl_assume_authority). No other permissions are required. 1141 * 1142 * If successful, 0 will be returned. 1143 */ 1144 long keyctl_instantiate_key_iov(key_serial_t id, 1145 const struct iovec __user *_payload_iov, 1146 unsigned ioc, 1147 key_serial_t ringid) 1148 { 1149 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; 1150 struct iov_iter from; 1151 long ret; 1152 1153 if (!_payload_iov) 1154 ioc = 0; 1155 1156 ret = import_iovec(WRITE, _payload_iov, ioc, 1157 ARRAY_SIZE(iovstack), &iov, &from); 1158 if (ret < 0) 1159 return ret; 1160 ret = keyctl_instantiate_key_common(id, &from, ringid); 1161 kfree(iov); 1162 return ret; 1163 } 1164 1165 /* 1166 * Negatively instantiate the key with the given timeout (in seconds) and link 1167 * the key into the destination keyring if one is given. 1168 * 1169 * The caller must have the appropriate instantiation permit set for this to 1170 * work (see keyctl_assume_authority). No other permissions are required. 1171 * 1172 * The key and any links to the key will be automatically garbage collected 1173 * after the timeout expires. 1174 * 1175 * Negative keys are used to rate limit repeated request_key() calls by causing 1176 * them to return -ENOKEY until the negative key expires. 1177 * 1178 * If successful, 0 will be returned. 1179 */ 1180 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 1181 { 1182 return keyctl_reject_key(id, timeout, ENOKEY, ringid); 1183 } 1184 1185 /* 1186 * Negatively instantiate the key with the given timeout (in seconds) and error 1187 * code and link the key into the destination keyring if one is given. 1188 * 1189 * The caller must have the appropriate instantiation permit set for this to 1190 * work (see keyctl_assume_authority). No other permissions are required. 1191 * 1192 * The key and any links to the key will be automatically garbage collected 1193 * after the timeout expires. 1194 * 1195 * Negative keys are used to rate limit repeated request_key() calls by causing 1196 * them to return the specified error code until the negative key expires. 1197 * 1198 * If successful, 0 will be returned. 1199 */ 1200 long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, 1201 key_serial_t ringid) 1202 { 1203 const struct cred *cred = current_cred(); 1204 struct request_key_auth *rka; 1205 struct key *instkey, *dest_keyring; 1206 long ret; 1207 1208 kenter("%d,%u,%u,%d", id, timeout, error, ringid); 1209 1210 /* must be a valid error code and mustn't be a kernel special */ 1211 if (error <= 0 || 1212 error >= MAX_ERRNO || 1213 error == ERESTARTSYS || 1214 error == ERESTARTNOINTR || 1215 error == ERESTARTNOHAND || 1216 error == ERESTART_RESTARTBLOCK) 1217 return -EINVAL; 1218 1219 /* the appropriate instantiation authorisation key must have been 1220 * assumed before calling this */ 1221 ret = -EPERM; 1222 instkey = cred->request_key_auth; 1223 if (!instkey) 1224 goto error; 1225 1226 rka = instkey->payload.data[0]; 1227 if (rka->target_key->serial != id) 1228 goto error; 1229 1230 /* find the destination keyring if present (which must also be 1231 * writable) */ 1232 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1233 if (ret < 0) 1234 goto error; 1235 1236 /* instantiate the key and link it into a keyring */ 1237 ret = key_reject_and_link(rka->target_key, timeout, error, 1238 dest_keyring, instkey); 1239 1240 key_put(dest_keyring); 1241 1242 /* discard the assumed authority if it's just been disabled by 1243 * instantiation of the key */ 1244 if (ret == 0) 1245 keyctl_change_reqkey_auth(NULL); 1246 1247 error: 1248 return ret; 1249 } 1250 1251 /* 1252 * Read or set the default keyring in which request_key() will cache keys and 1253 * return the old setting. 1254 * 1255 * If a process keyring is specified then this will be created if it doesn't 1256 * yet exist. The old setting will be returned if successful. 1257 */ 1258 long keyctl_set_reqkey_keyring(int reqkey_defl) 1259 { 1260 struct cred *new; 1261 int ret, old_setting; 1262 1263 old_setting = current_cred_xxx(jit_keyring); 1264 1265 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1266 return old_setting; 1267 1268 new = prepare_creds(); 1269 if (!new) 1270 return -ENOMEM; 1271 1272 switch (reqkey_defl) { 1273 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1274 ret = install_thread_keyring_to_cred(new); 1275 if (ret < 0) 1276 goto error; 1277 goto set; 1278 1279 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1280 ret = install_process_keyring_to_cred(new); 1281 if (ret < 0) { 1282 if (ret != -EEXIST) 1283 goto error; 1284 ret = 0; 1285 } 1286 goto set; 1287 1288 case KEY_REQKEY_DEFL_DEFAULT: 1289 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1290 case KEY_REQKEY_DEFL_USER_KEYRING: 1291 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1292 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1293 goto set; 1294 1295 case KEY_REQKEY_DEFL_NO_CHANGE: 1296 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1297 default: 1298 ret = -EINVAL; 1299 goto error; 1300 } 1301 1302 set: 1303 new->jit_keyring = reqkey_defl; 1304 commit_creds(new); 1305 return old_setting; 1306 error: 1307 abort_creds(new); 1308 return ret; 1309 } 1310 1311 /* 1312 * Set or clear the timeout on a key. 1313 * 1314 * Either the key must grant the caller Setattr permission or else the caller 1315 * must hold an instantiation authorisation token for the key. 1316 * 1317 * The timeout is either 0 to clear the timeout, or a number of seconds from 1318 * the current time. The key and any links to the key will be automatically 1319 * garbage collected after the timeout expires. 1320 * 1321 * Keys with KEY_FLAG_KEEP set should not be timed out. 1322 * 1323 * If successful, 0 is returned. 1324 */ 1325 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1326 { 1327 struct key *key, *instkey; 1328 key_ref_t key_ref; 1329 long ret; 1330 1331 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1332 KEY_NEED_SETATTR); 1333 if (IS_ERR(key_ref)) { 1334 /* setting the timeout on a key under construction is permitted 1335 * if we have the authorisation token handy */ 1336 if (PTR_ERR(key_ref) == -EACCES) { 1337 instkey = key_get_instantiation_authkey(id); 1338 if (!IS_ERR(instkey)) { 1339 key_put(instkey); 1340 key_ref = lookup_user_key(id, 1341 KEY_LOOKUP_PARTIAL, 1342 0); 1343 if (!IS_ERR(key_ref)) 1344 goto okay; 1345 } 1346 } 1347 1348 ret = PTR_ERR(key_ref); 1349 goto error; 1350 } 1351 1352 okay: 1353 key = key_ref_to_ptr(key_ref); 1354 ret = 0; 1355 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 1356 ret = -EPERM; 1357 else 1358 key_set_timeout(key, timeout); 1359 key_put(key); 1360 1361 error: 1362 return ret; 1363 } 1364 1365 /* 1366 * Assume (or clear) the authority to instantiate the specified key. 1367 * 1368 * This sets the authoritative token currently in force for key instantiation. 1369 * This must be done for a key to be instantiated. It has the effect of making 1370 * available all the keys from the caller of the request_key() that created a 1371 * key to request_key() calls made by the caller of this function. 1372 * 1373 * The caller must have the instantiation key in their process keyrings with a 1374 * Search permission grant available to the caller. 1375 * 1376 * If the ID given is 0, then the setting will be cleared and 0 returned. 1377 * 1378 * If the ID given has a matching an authorisation key, then that key will be 1379 * set and its ID will be returned. The authorisation key can be read to get 1380 * the callout information passed to request_key(). 1381 */ 1382 long keyctl_assume_authority(key_serial_t id) 1383 { 1384 struct key *authkey; 1385 long ret; 1386 1387 /* special key IDs aren't permitted */ 1388 ret = -EINVAL; 1389 if (id < 0) 1390 goto error; 1391 1392 /* we divest ourselves of authority if given an ID of 0 */ 1393 if (id == 0) { 1394 ret = keyctl_change_reqkey_auth(NULL); 1395 goto error; 1396 } 1397 1398 /* attempt to assume the authority temporarily granted to us whilst we 1399 * instantiate the specified key 1400 * - the authorisation key must be in the current task's keyrings 1401 * somewhere 1402 */ 1403 authkey = key_get_instantiation_authkey(id); 1404 if (IS_ERR(authkey)) { 1405 ret = PTR_ERR(authkey); 1406 goto error; 1407 } 1408 1409 ret = keyctl_change_reqkey_auth(authkey); 1410 if (ret < 0) 1411 goto error; 1412 key_put(authkey); 1413 1414 ret = authkey->serial; 1415 error: 1416 return ret; 1417 } 1418 1419 /* 1420 * Get a key's the LSM security label. 1421 * 1422 * The key must grant the caller View permission for this to work. 1423 * 1424 * If there's a buffer, then up to buflen bytes of data will be placed into it. 1425 * 1426 * If successful, the amount of information available will be returned, 1427 * irrespective of how much was copied (including the terminal NUL). 1428 */ 1429 long keyctl_get_security(key_serial_t keyid, 1430 char __user *buffer, 1431 size_t buflen) 1432 { 1433 struct key *key, *instkey; 1434 key_ref_t key_ref; 1435 char *context; 1436 long ret; 1437 1438 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 1439 if (IS_ERR(key_ref)) { 1440 if (PTR_ERR(key_ref) != -EACCES) 1441 return PTR_ERR(key_ref); 1442 1443 /* viewing a key under construction is also permitted if we 1444 * have the authorisation token handy */ 1445 instkey = key_get_instantiation_authkey(keyid); 1446 if (IS_ERR(instkey)) 1447 return PTR_ERR(instkey); 1448 key_put(instkey); 1449 1450 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); 1451 if (IS_ERR(key_ref)) 1452 return PTR_ERR(key_ref); 1453 } 1454 1455 key = key_ref_to_ptr(key_ref); 1456 ret = security_key_getsecurity(key, &context); 1457 if (ret == 0) { 1458 /* if no information was returned, give userspace an empty 1459 * string */ 1460 ret = 1; 1461 if (buffer && buflen > 0 && 1462 copy_to_user(buffer, "", 1) != 0) 1463 ret = -EFAULT; 1464 } else if (ret > 0) { 1465 /* return as much data as there's room for */ 1466 if (buffer && buflen > 0) { 1467 if (buflen > ret) 1468 buflen = ret; 1469 1470 if (copy_to_user(buffer, context, buflen) != 0) 1471 ret = -EFAULT; 1472 } 1473 1474 kfree(context); 1475 } 1476 1477 key_ref_put(key_ref); 1478 return ret; 1479 } 1480 1481 /* 1482 * Attempt to install the calling process's session keyring on the process's 1483 * parent process. 1484 * 1485 * The keyring must exist and must grant the caller LINK permission, and the 1486 * parent process must be single-threaded and must have the same effective 1487 * ownership as this process and mustn't be SUID/SGID. 1488 * 1489 * The keyring will be emplaced on the parent when it next resumes userspace. 1490 * 1491 * If successful, 0 will be returned. 1492 */ 1493 long keyctl_session_to_parent(void) 1494 { 1495 struct task_struct *me, *parent; 1496 const struct cred *mycred, *pcred; 1497 struct callback_head *newwork, *oldwork; 1498 key_ref_t keyring_r; 1499 struct cred *cred; 1500 int ret; 1501 1502 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK); 1503 if (IS_ERR(keyring_r)) 1504 return PTR_ERR(keyring_r); 1505 1506 ret = -ENOMEM; 1507 1508 /* our parent is going to need a new cred struct, a new tgcred struct 1509 * and new security data, so we allocate them here to prevent ENOMEM in 1510 * our parent */ 1511 cred = cred_alloc_blank(); 1512 if (!cred) 1513 goto error_keyring; 1514 newwork = &cred->rcu; 1515 1516 cred->session_keyring = key_ref_to_ptr(keyring_r); 1517 keyring_r = NULL; 1518 init_task_work(newwork, key_change_session_keyring); 1519 1520 me = current; 1521 rcu_read_lock(); 1522 write_lock_irq(&tasklist_lock); 1523 1524 ret = -EPERM; 1525 oldwork = NULL; 1526 parent = me->real_parent; 1527 1528 /* the parent mustn't be init and mustn't be a kernel thread */ 1529 if (parent->pid <= 1 || !parent->mm) 1530 goto unlock; 1531 1532 /* the parent must be single threaded */ 1533 if (!thread_group_empty(parent)) 1534 goto unlock; 1535 1536 /* the parent and the child must have different session keyrings or 1537 * there's no point */ 1538 mycred = current_cred(); 1539 pcred = __task_cred(parent); 1540 if (mycred == pcred || 1541 mycred->session_keyring == pcred->session_keyring) { 1542 ret = 0; 1543 goto unlock; 1544 } 1545 1546 /* the parent must have the same effective ownership and mustn't be 1547 * SUID/SGID */ 1548 if (!uid_eq(pcred->uid, mycred->euid) || 1549 !uid_eq(pcred->euid, mycred->euid) || 1550 !uid_eq(pcred->suid, mycred->euid) || 1551 !gid_eq(pcred->gid, mycred->egid) || 1552 !gid_eq(pcred->egid, mycred->egid) || 1553 !gid_eq(pcred->sgid, mycred->egid)) 1554 goto unlock; 1555 1556 /* the keyrings must have the same UID */ 1557 if ((pcred->session_keyring && 1558 !uid_eq(pcred->session_keyring->uid, mycred->euid)) || 1559 !uid_eq(mycred->session_keyring->uid, mycred->euid)) 1560 goto unlock; 1561 1562 /* cancel an already pending keyring replacement */ 1563 oldwork = task_work_cancel(parent, key_change_session_keyring); 1564 1565 /* the replacement session keyring is applied just prior to userspace 1566 * restarting */ 1567 ret = task_work_add(parent, newwork, true); 1568 if (!ret) 1569 newwork = NULL; 1570 unlock: 1571 write_unlock_irq(&tasklist_lock); 1572 rcu_read_unlock(); 1573 if (oldwork) 1574 put_cred(container_of(oldwork, struct cred, rcu)); 1575 if (newwork) 1576 put_cred(cred); 1577 return ret; 1578 1579 error_keyring: 1580 key_ref_put(keyring_r); 1581 return ret; 1582 } 1583 1584 /* 1585 * The key control system call 1586 */ 1587 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1588 unsigned long, arg4, unsigned long, arg5) 1589 { 1590 switch (option) { 1591 case KEYCTL_GET_KEYRING_ID: 1592 return keyctl_get_keyring_ID((key_serial_t) arg2, 1593 (int) arg3); 1594 1595 case KEYCTL_JOIN_SESSION_KEYRING: 1596 return keyctl_join_session_keyring((const char __user *) arg2); 1597 1598 case KEYCTL_UPDATE: 1599 return keyctl_update_key((key_serial_t) arg2, 1600 (const void __user *) arg3, 1601 (size_t) arg4); 1602 1603 case KEYCTL_REVOKE: 1604 return keyctl_revoke_key((key_serial_t) arg2); 1605 1606 case KEYCTL_DESCRIBE: 1607 return keyctl_describe_key((key_serial_t) arg2, 1608 (char __user *) arg3, 1609 (unsigned) arg4); 1610 1611 case KEYCTL_CLEAR: 1612 return keyctl_keyring_clear((key_serial_t) arg2); 1613 1614 case KEYCTL_LINK: 1615 return keyctl_keyring_link((key_serial_t) arg2, 1616 (key_serial_t) arg3); 1617 1618 case KEYCTL_UNLINK: 1619 return keyctl_keyring_unlink((key_serial_t) arg2, 1620 (key_serial_t) arg3); 1621 1622 case KEYCTL_SEARCH: 1623 return keyctl_keyring_search((key_serial_t) arg2, 1624 (const char __user *) arg3, 1625 (const char __user *) arg4, 1626 (key_serial_t) arg5); 1627 1628 case KEYCTL_READ: 1629 return keyctl_read_key((key_serial_t) arg2, 1630 (char __user *) arg3, 1631 (size_t) arg4); 1632 1633 case KEYCTL_CHOWN: 1634 return keyctl_chown_key((key_serial_t) arg2, 1635 (uid_t) arg3, 1636 (gid_t) arg4); 1637 1638 case KEYCTL_SETPERM: 1639 return keyctl_setperm_key((key_serial_t) arg2, 1640 (key_perm_t) arg3); 1641 1642 case KEYCTL_INSTANTIATE: 1643 return keyctl_instantiate_key((key_serial_t) arg2, 1644 (const void __user *) arg3, 1645 (size_t) arg4, 1646 (key_serial_t) arg5); 1647 1648 case KEYCTL_NEGATE: 1649 return keyctl_negate_key((key_serial_t) arg2, 1650 (unsigned) arg3, 1651 (key_serial_t) arg4); 1652 1653 case KEYCTL_SET_REQKEY_KEYRING: 1654 return keyctl_set_reqkey_keyring(arg2); 1655 1656 case KEYCTL_SET_TIMEOUT: 1657 return keyctl_set_timeout((key_serial_t) arg2, 1658 (unsigned) arg3); 1659 1660 case KEYCTL_ASSUME_AUTHORITY: 1661 return keyctl_assume_authority((key_serial_t) arg2); 1662 1663 case KEYCTL_GET_SECURITY: 1664 return keyctl_get_security((key_serial_t) arg2, 1665 (char __user *) arg3, 1666 (size_t) arg4); 1667 1668 case KEYCTL_SESSION_TO_PARENT: 1669 return keyctl_session_to_parent(); 1670 1671 case KEYCTL_REJECT: 1672 return keyctl_reject_key((key_serial_t) arg2, 1673 (unsigned) arg3, 1674 (unsigned) arg4, 1675 (key_serial_t) arg5); 1676 1677 case KEYCTL_INSTANTIATE_IOV: 1678 return keyctl_instantiate_key_iov( 1679 (key_serial_t) arg2, 1680 (const struct iovec __user *) arg3, 1681 (unsigned) arg4, 1682 (key_serial_t) arg5); 1683 1684 case KEYCTL_INVALIDATE: 1685 return keyctl_invalidate_key((key_serial_t) arg2); 1686 1687 case KEYCTL_GET_PERSISTENT: 1688 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); 1689 1690 case KEYCTL_DH_COMPUTE: 1691 return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2, 1692 (char __user *) arg3, (size_t) arg4, 1693 (void __user *) arg5); 1694 1695 default: 1696 return -EOPNOTSUPP; 1697 } 1698 } 1699