1 /* Userspace key control operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/sched/task.h> 16 #include <linux/slab.h> 17 #include <linux/syscalls.h> 18 #include <linux/key.h> 19 #include <linux/keyctl.h> 20 #include <linux/fs.h> 21 #include <linux/capability.h> 22 #include <linux/cred.h> 23 #include <linux/string.h> 24 #include <linux/err.h> 25 #include <linux/vmalloc.h> 26 #include <linux/security.h> 27 #include <linux/uio.h> 28 #include <linux/uaccess.h> 29 #include "internal.h" 30 31 #define KEY_MAX_DESC_SIZE 4096 32 33 static int key_get_type_from_user(char *type, 34 const char __user *_type, 35 unsigned len) 36 { 37 int ret; 38 39 ret = strncpy_from_user(type, _type, len); 40 if (ret < 0) 41 return ret; 42 if (ret == 0 || ret >= len) 43 return -EINVAL; 44 if (type[0] == '.') 45 return -EPERM; 46 type[len - 1] = '\0'; 47 return 0; 48 } 49 50 /* 51 * Extract the description of a new key from userspace and either add it as a 52 * new key to the specified keyring or update a matching key in that keyring. 53 * 54 * If the description is NULL or an empty string, the key type is asked to 55 * generate one from the payload. 56 * 57 * The keyring must be writable so that we can attach the key to it. 58 * 59 * If successful, the new key's serial number is returned, otherwise an error 60 * code is returned. 61 */ 62 SYSCALL_DEFINE5(add_key, const char __user *, _type, 63 const char __user *, _description, 64 const void __user *, _payload, 65 size_t, plen, 66 key_serial_t, ringid) 67 { 68 key_ref_t keyring_ref, key_ref; 69 char type[32], *description; 70 void *payload; 71 long ret; 72 73 ret = -EINVAL; 74 if (plen > 1024 * 1024 - 1) 75 goto error; 76 77 /* draw all the data into kernel space */ 78 ret = key_get_type_from_user(type, _type, sizeof(type)); 79 if (ret < 0) 80 goto error; 81 82 description = NULL; 83 if (_description) { 84 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 85 if (IS_ERR(description)) { 86 ret = PTR_ERR(description); 87 goto error; 88 } 89 if (!*description) { 90 kfree(description); 91 description = NULL; 92 } else if ((description[0] == '.') && 93 (strncmp(type, "keyring", 7) == 0)) { 94 ret = -EPERM; 95 goto error2; 96 } 97 } 98 99 /* pull the payload in if one was supplied */ 100 payload = NULL; 101 102 if (_payload) { 103 ret = -ENOMEM; 104 payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN); 105 if (!payload) { 106 if (plen <= PAGE_SIZE) 107 goto error2; 108 payload = vmalloc(plen); 109 if (!payload) 110 goto error2; 111 } 112 113 ret = -EFAULT; 114 if (copy_from_user(payload, _payload, plen) != 0) 115 goto error3; 116 } 117 118 /* find the target keyring (which must be writable) */ 119 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 120 if (IS_ERR(keyring_ref)) { 121 ret = PTR_ERR(keyring_ref); 122 goto error3; 123 } 124 125 /* create or update the requested key and add it to the target 126 * keyring */ 127 key_ref = key_create_or_update(keyring_ref, type, description, 128 payload, plen, KEY_PERM_UNDEF, 129 KEY_ALLOC_IN_QUOTA); 130 if (!IS_ERR(key_ref)) { 131 ret = key_ref_to_ptr(key_ref)->serial; 132 key_ref_put(key_ref); 133 } 134 else { 135 ret = PTR_ERR(key_ref); 136 } 137 138 key_ref_put(keyring_ref); 139 error3: 140 kvfree(payload); 141 error2: 142 kfree(description); 143 error: 144 return ret; 145 } 146 147 /* 148 * Search the process keyrings and keyring trees linked from those for a 149 * matching key. Keyrings must have appropriate Search permission to be 150 * searched. 151 * 152 * If a key is found, it will be attached to the destination keyring if there's 153 * one specified and the serial number of the key will be returned. 154 * 155 * If no key is found, /sbin/request-key will be invoked if _callout_info is 156 * non-NULL in an attempt to create a key. The _callout_info string will be 157 * passed to /sbin/request-key to aid with completing the request. If the 158 * _callout_info string is "" then it will be changed to "-". 159 */ 160 SYSCALL_DEFINE4(request_key, const char __user *, _type, 161 const char __user *, _description, 162 const char __user *, _callout_info, 163 key_serial_t, destringid) 164 { 165 struct key_type *ktype; 166 struct key *key; 167 key_ref_t dest_ref; 168 size_t callout_len; 169 char type[32], *description, *callout_info; 170 long ret; 171 172 /* pull the type into kernel space */ 173 ret = key_get_type_from_user(type, _type, sizeof(type)); 174 if (ret < 0) 175 goto error; 176 177 /* pull the description into kernel space */ 178 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 179 if (IS_ERR(description)) { 180 ret = PTR_ERR(description); 181 goto error; 182 } 183 184 /* pull the callout info into kernel space */ 185 callout_info = NULL; 186 callout_len = 0; 187 if (_callout_info) { 188 callout_info = strndup_user(_callout_info, PAGE_SIZE); 189 if (IS_ERR(callout_info)) { 190 ret = PTR_ERR(callout_info); 191 goto error2; 192 } 193 callout_len = strlen(callout_info); 194 } 195 196 /* get the destination keyring if specified */ 197 dest_ref = NULL; 198 if (destringid) { 199 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 200 KEY_NEED_WRITE); 201 if (IS_ERR(dest_ref)) { 202 ret = PTR_ERR(dest_ref); 203 goto error3; 204 } 205 } 206 207 /* find the key type */ 208 ktype = key_type_lookup(type); 209 if (IS_ERR(ktype)) { 210 ret = PTR_ERR(ktype); 211 goto error4; 212 } 213 214 /* do the search */ 215 key = request_key_and_link(ktype, description, callout_info, 216 callout_len, NULL, key_ref_to_ptr(dest_ref), 217 KEY_ALLOC_IN_QUOTA); 218 if (IS_ERR(key)) { 219 ret = PTR_ERR(key); 220 goto error5; 221 } 222 223 /* wait for the key to finish being constructed */ 224 ret = wait_for_key_construction(key, 1); 225 if (ret < 0) 226 goto error6; 227 228 ret = key->serial; 229 230 error6: 231 key_put(key); 232 error5: 233 key_type_put(ktype); 234 error4: 235 key_ref_put(dest_ref); 236 error3: 237 kfree(callout_info); 238 error2: 239 kfree(description); 240 error: 241 return ret; 242 } 243 244 /* 245 * Get the ID of the specified process keyring. 246 * 247 * The requested keyring must have search permission to be found. 248 * 249 * If successful, the ID of the requested keyring will be returned. 250 */ 251 long keyctl_get_keyring_ID(key_serial_t id, int create) 252 { 253 key_ref_t key_ref; 254 unsigned long lflags; 255 long ret; 256 257 lflags = create ? KEY_LOOKUP_CREATE : 0; 258 key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH); 259 if (IS_ERR(key_ref)) { 260 ret = PTR_ERR(key_ref); 261 goto error; 262 } 263 264 ret = key_ref_to_ptr(key_ref)->serial; 265 key_ref_put(key_ref); 266 error: 267 return ret; 268 } 269 270 /* 271 * Join a (named) session keyring. 272 * 273 * Create and join an anonymous session keyring or join a named session 274 * keyring, creating it if necessary. A named session keyring must have Search 275 * permission for it to be joined. Session keyrings without this permit will 276 * be skipped over. It is not permitted for userspace to create or join 277 * keyrings whose name begin with a dot. 278 * 279 * If successful, the ID of the joined session keyring will be returned. 280 */ 281 long keyctl_join_session_keyring(const char __user *_name) 282 { 283 char *name; 284 long ret; 285 286 /* fetch the name from userspace */ 287 name = NULL; 288 if (_name) { 289 name = strndup_user(_name, KEY_MAX_DESC_SIZE); 290 if (IS_ERR(name)) { 291 ret = PTR_ERR(name); 292 goto error; 293 } 294 295 ret = -EPERM; 296 if (name[0] == '.') 297 goto error_name; 298 } 299 300 /* join the session */ 301 ret = join_session_keyring(name); 302 error_name: 303 kfree(name); 304 error: 305 return ret; 306 } 307 308 /* 309 * Update a key's data payload from the given data. 310 * 311 * The key must grant the caller Write permission and the key type must support 312 * updating for this to work. A negative key can be positively instantiated 313 * with this call. 314 * 315 * If successful, 0 will be returned. If the key type does not support 316 * updating, then -EOPNOTSUPP will be returned. 317 */ 318 long keyctl_update_key(key_serial_t id, 319 const void __user *_payload, 320 size_t plen) 321 { 322 key_ref_t key_ref; 323 void *payload; 324 long ret; 325 326 ret = -EINVAL; 327 if (plen > PAGE_SIZE) 328 goto error; 329 330 /* pull the payload in if one was supplied */ 331 payload = NULL; 332 if (_payload) { 333 ret = -ENOMEM; 334 payload = kmalloc(plen, GFP_KERNEL); 335 if (!payload) 336 goto error; 337 338 ret = -EFAULT; 339 if (copy_from_user(payload, _payload, plen) != 0) 340 goto error2; 341 } 342 343 /* find the target key (which must be writable) */ 344 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 345 if (IS_ERR(key_ref)) { 346 ret = PTR_ERR(key_ref); 347 goto error2; 348 } 349 350 /* update the key */ 351 ret = key_update(key_ref, payload, plen); 352 353 key_ref_put(key_ref); 354 error2: 355 kfree(payload); 356 error: 357 return ret; 358 } 359 360 /* 361 * Revoke a key. 362 * 363 * The key must be grant the caller Write or Setattr permission for this to 364 * work. The key type should give up its quota claim when revoked. The key 365 * and any links to the key will be automatically garbage collected after a 366 * certain amount of time (/proc/sys/kernel/keys/gc_delay). 367 * 368 * Keys with KEY_FLAG_KEEP set should not be revoked. 369 * 370 * If successful, 0 is returned. 371 */ 372 long keyctl_revoke_key(key_serial_t id) 373 { 374 key_ref_t key_ref; 375 struct key *key; 376 long ret; 377 378 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 379 if (IS_ERR(key_ref)) { 380 ret = PTR_ERR(key_ref); 381 if (ret != -EACCES) 382 goto error; 383 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 384 if (IS_ERR(key_ref)) { 385 ret = PTR_ERR(key_ref); 386 goto error; 387 } 388 } 389 390 key = key_ref_to_ptr(key_ref); 391 ret = 0; 392 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 393 ret = -EPERM; 394 else 395 key_revoke(key); 396 397 key_ref_put(key_ref); 398 error: 399 return ret; 400 } 401 402 /* 403 * Invalidate a key. 404 * 405 * The key must be grant the caller Invalidate permission for this to work. 406 * The key and any links to the key will be automatically garbage collected 407 * immediately. 408 * 409 * Keys with KEY_FLAG_KEEP set should not be invalidated. 410 * 411 * If successful, 0 is returned. 412 */ 413 long keyctl_invalidate_key(key_serial_t id) 414 { 415 key_ref_t key_ref; 416 struct key *key; 417 long ret; 418 419 kenter("%d", id); 420 421 key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); 422 if (IS_ERR(key_ref)) { 423 ret = PTR_ERR(key_ref); 424 425 /* Root is permitted to invalidate certain special keys */ 426 if (capable(CAP_SYS_ADMIN)) { 427 key_ref = lookup_user_key(id, 0, 0); 428 if (IS_ERR(key_ref)) 429 goto error; 430 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, 431 &key_ref_to_ptr(key_ref)->flags)) 432 goto invalidate; 433 goto error_put; 434 } 435 436 goto error; 437 } 438 439 invalidate: 440 key = key_ref_to_ptr(key_ref); 441 ret = 0; 442 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 443 ret = -EPERM; 444 else 445 key_invalidate(key); 446 error_put: 447 key_ref_put(key_ref); 448 error: 449 kleave(" = %ld", ret); 450 return ret; 451 } 452 453 /* 454 * Clear the specified keyring, creating an empty process keyring if one of the 455 * special keyring IDs is used. 456 * 457 * The keyring must grant the caller Write permission and not have 458 * KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned. 459 */ 460 long keyctl_keyring_clear(key_serial_t ringid) 461 { 462 key_ref_t keyring_ref; 463 struct key *keyring; 464 long ret; 465 466 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 467 if (IS_ERR(keyring_ref)) { 468 ret = PTR_ERR(keyring_ref); 469 470 /* Root is permitted to invalidate certain special keyrings */ 471 if (capable(CAP_SYS_ADMIN)) { 472 keyring_ref = lookup_user_key(ringid, 0, 0); 473 if (IS_ERR(keyring_ref)) 474 goto error; 475 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, 476 &key_ref_to_ptr(keyring_ref)->flags)) 477 goto clear; 478 goto error_put; 479 } 480 481 goto error; 482 } 483 484 clear: 485 keyring = key_ref_to_ptr(keyring_ref); 486 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 487 ret = -EPERM; 488 else 489 ret = keyring_clear(keyring); 490 error_put: 491 key_ref_put(keyring_ref); 492 error: 493 return ret; 494 } 495 496 /* 497 * Create a link from a keyring to a key if there's no matching key in the 498 * keyring, otherwise replace the link to the matching key with a link to the 499 * new key. 500 * 501 * The key must grant the caller Link permission and the the keyring must grant 502 * the caller Write permission. Furthermore, if an additional link is created, 503 * the keyring's quota will be extended. 504 * 505 * If successful, 0 will be returned. 506 */ 507 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 508 { 509 key_ref_t keyring_ref, key_ref; 510 long ret; 511 512 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 513 if (IS_ERR(keyring_ref)) { 514 ret = PTR_ERR(keyring_ref); 515 goto error; 516 } 517 518 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 519 if (IS_ERR(key_ref)) { 520 ret = PTR_ERR(key_ref); 521 goto error2; 522 } 523 524 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 525 526 key_ref_put(key_ref); 527 error2: 528 key_ref_put(keyring_ref); 529 error: 530 return ret; 531 } 532 533 /* 534 * Unlink a key from a keyring. 535 * 536 * The keyring must grant the caller Write permission for this to work; the key 537 * itself need not grant the caller anything. If the last link to a key is 538 * removed then that key will be scheduled for destruction. 539 * 540 * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. 541 * 542 * If successful, 0 will be returned. 543 */ 544 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 545 { 546 key_ref_t keyring_ref, key_ref; 547 struct key *keyring, *key; 548 long ret; 549 550 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); 551 if (IS_ERR(keyring_ref)) { 552 ret = PTR_ERR(keyring_ref); 553 goto error; 554 } 555 556 key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0); 557 if (IS_ERR(key_ref)) { 558 ret = PTR_ERR(key_ref); 559 goto error2; 560 } 561 562 keyring = key_ref_to_ptr(keyring_ref); 563 key = key_ref_to_ptr(key_ref); 564 if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && 565 test_bit(KEY_FLAG_KEEP, &key->flags)) 566 ret = -EPERM; 567 else 568 ret = key_unlink(keyring, key); 569 570 key_ref_put(key_ref); 571 error2: 572 key_ref_put(keyring_ref); 573 error: 574 return ret; 575 } 576 577 /* 578 * Return a description of a key to userspace. 579 * 580 * The key must grant the caller View permission for this to work. 581 * 582 * If there's a buffer, we place up to buflen bytes of data into it formatted 583 * in the following way: 584 * 585 * type;uid;gid;perm;description<NUL> 586 * 587 * If successful, we return the amount of description available, irrespective 588 * of how much we may have copied into the buffer. 589 */ 590 long keyctl_describe_key(key_serial_t keyid, 591 char __user *buffer, 592 size_t buflen) 593 { 594 struct key *key, *instkey; 595 key_ref_t key_ref; 596 char *infobuf; 597 long ret; 598 int desclen, infolen; 599 600 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 601 if (IS_ERR(key_ref)) { 602 /* viewing a key under construction is permitted if we have the 603 * authorisation token handy */ 604 if (PTR_ERR(key_ref) == -EACCES) { 605 instkey = key_get_instantiation_authkey(keyid); 606 if (!IS_ERR(instkey)) { 607 key_put(instkey); 608 key_ref = lookup_user_key(keyid, 609 KEY_LOOKUP_PARTIAL, 610 0); 611 if (!IS_ERR(key_ref)) 612 goto okay; 613 } 614 } 615 616 ret = PTR_ERR(key_ref); 617 goto error; 618 } 619 620 okay: 621 key = key_ref_to_ptr(key_ref); 622 desclen = strlen(key->description); 623 624 /* calculate how much information we're going to return */ 625 ret = -ENOMEM; 626 infobuf = kasprintf(GFP_KERNEL, 627 "%s;%d;%d;%08x;", 628 key->type->name, 629 from_kuid_munged(current_user_ns(), key->uid), 630 from_kgid_munged(current_user_ns(), key->gid), 631 key->perm); 632 if (!infobuf) 633 goto error2; 634 infolen = strlen(infobuf); 635 ret = infolen + desclen + 1; 636 637 /* consider returning the data */ 638 if (buffer && buflen >= ret) { 639 if (copy_to_user(buffer, infobuf, infolen) != 0 || 640 copy_to_user(buffer + infolen, key->description, 641 desclen + 1) != 0) 642 ret = -EFAULT; 643 } 644 645 kfree(infobuf); 646 error2: 647 key_ref_put(key_ref); 648 error: 649 return ret; 650 } 651 652 /* 653 * Search the specified keyring and any keyrings it links to for a matching 654 * key. Only keyrings that grant the caller Search permission will be searched 655 * (this includes the starting keyring). Only keys with Search permission can 656 * be found. 657 * 658 * If successful, the found key will be linked to the destination keyring if 659 * supplied and the key has Link permission, and the found key ID will be 660 * returned. 661 */ 662 long keyctl_keyring_search(key_serial_t ringid, 663 const char __user *_type, 664 const char __user *_description, 665 key_serial_t destringid) 666 { 667 struct key_type *ktype; 668 key_ref_t keyring_ref, key_ref, dest_ref; 669 char type[32], *description; 670 long ret; 671 672 /* pull the type and description into kernel space */ 673 ret = key_get_type_from_user(type, _type, sizeof(type)); 674 if (ret < 0) 675 goto error; 676 677 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 678 if (IS_ERR(description)) { 679 ret = PTR_ERR(description); 680 goto error; 681 } 682 683 /* get the keyring at which to begin the search */ 684 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH); 685 if (IS_ERR(keyring_ref)) { 686 ret = PTR_ERR(keyring_ref); 687 goto error2; 688 } 689 690 /* get the destination keyring if specified */ 691 dest_ref = NULL; 692 if (destringid) { 693 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 694 KEY_NEED_WRITE); 695 if (IS_ERR(dest_ref)) { 696 ret = PTR_ERR(dest_ref); 697 goto error3; 698 } 699 } 700 701 /* find the key type */ 702 ktype = key_type_lookup(type); 703 if (IS_ERR(ktype)) { 704 ret = PTR_ERR(ktype); 705 goto error4; 706 } 707 708 /* do the search */ 709 key_ref = keyring_search(keyring_ref, ktype, description); 710 if (IS_ERR(key_ref)) { 711 ret = PTR_ERR(key_ref); 712 713 /* treat lack or presence of a negative key the same */ 714 if (ret == -EAGAIN) 715 ret = -ENOKEY; 716 goto error5; 717 } 718 719 /* link the resulting key to the destination keyring if we can */ 720 if (dest_ref) { 721 ret = key_permission(key_ref, KEY_NEED_LINK); 722 if (ret < 0) 723 goto error6; 724 725 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 726 if (ret < 0) 727 goto error6; 728 } 729 730 ret = key_ref_to_ptr(key_ref)->serial; 731 732 error6: 733 key_ref_put(key_ref); 734 error5: 735 key_type_put(ktype); 736 error4: 737 key_ref_put(dest_ref); 738 error3: 739 key_ref_put(keyring_ref); 740 error2: 741 kfree(description); 742 error: 743 return ret; 744 } 745 746 /* 747 * Read a key's payload. 748 * 749 * The key must either grant the caller Read permission, or it must grant the 750 * caller Search permission when searched for from the process keyrings. 751 * 752 * If successful, we place up to buflen bytes of data into the buffer, if one 753 * is provided, and return the amount of data that is available in the key, 754 * irrespective of how much we copied into the buffer. 755 */ 756 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 757 { 758 struct key *key; 759 key_ref_t key_ref; 760 long ret; 761 762 /* find the key first */ 763 key_ref = lookup_user_key(keyid, 0, 0); 764 if (IS_ERR(key_ref)) { 765 ret = -ENOKEY; 766 goto error; 767 } 768 769 key = key_ref_to_ptr(key_ref); 770 771 /* see if we can read it directly */ 772 ret = key_permission(key_ref, KEY_NEED_READ); 773 if (ret == 0) 774 goto can_read_key; 775 if (ret != -EACCES) 776 goto error; 777 778 /* we can't; see if it's searchable from this process's keyrings 779 * - we automatically take account of the fact that it may be 780 * dangling off an instantiation key 781 */ 782 if (!is_key_possessed(key_ref)) { 783 ret = -EACCES; 784 goto error2; 785 } 786 787 /* the key is probably readable - now try to read it */ 788 can_read_key: 789 ret = -EOPNOTSUPP; 790 if (key->type->read) { 791 /* Read the data with the semaphore held (since we might sleep) 792 * to protect against the key being updated or revoked. 793 */ 794 down_read(&key->sem); 795 ret = key_validate(key); 796 if (ret == 0) 797 ret = key->type->read(key, buffer, buflen); 798 up_read(&key->sem); 799 } 800 801 error2: 802 key_put(key); 803 error: 804 return ret; 805 } 806 807 /* 808 * Change the ownership of a key 809 * 810 * The key must grant the caller Setattr permission for this to work, though 811 * the key need not be fully instantiated yet. For the UID to be changed, or 812 * for the GID to be changed to a group the caller is not a member of, the 813 * caller must have sysadmin capability. If either uid or gid is -1 then that 814 * attribute is not changed. 815 * 816 * If the UID is to be changed, the new user must have sufficient quota to 817 * accept the key. The quota deduction will be removed from the old user to 818 * the new user should the attribute be changed. 819 * 820 * If successful, 0 will be returned. 821 */ 822 long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) 823 { 824 struct key_user *newowner, *zapowner = NULL; 825 struct key *key; 826 key_ref_t key_ref; 827 long ret; 828 kuid_t uid; 829 kgid_t gid; 830 831 uid = make_kuid(current_user_ns(), user); 832 gid = make_kgid(current_user_ns(), group); 833 ret = -EINVAL; 834 if ((user != (uid_t) -1) && !uid_valid(uid)) 835 goto error; 836 if ((group != (gid_t) -1) && !gid_valid(gid)) 837 goto error; 838 839 ret = 0; 840 if (user == (uid_t) -1 && group == (gid_t) -1) 841 goto error; 842 843 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 844 KEY_NEED_SETATTR); 845 if (IS_ERR(key_ref)) { 846 ret = PTR_ERR(key_ref); 847 goto error; 848 } 849 850 key = key_ref_to_ptr(key_ref); 851 852 /* make the changes with the locks held to prevent chown/chown races */ 853 ret = -EACCES; 854 down_write(&key->sem); 855 856 if (!capable(CAP_SYS_ADMIN)) { 857 /* only the sysadmin can chown a key to some other UID */ 858 if (user != (uid_t) -1 && !uid_eq(key->uid, uid)) 859 goto error_put; 860 861 /* only the sysadmin can set the key's GID to a group other 862 * than one of those that the current process subscribes to */ 863 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid)) 864 goto error_put; 865 } 866 867 /* change the UID */ 868 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) { 869 ret = -ENOMEM; 870 newowner = key_user_lookup(uid); 871 if (!newowner) 872 goto error_put; 873 874 /* transfer the quota burden to the new user */ 875 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 876 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 877 key_quota_root_maxkeys : key_quota_maxkeys; 878 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 879 key_quota_root_maxbytes : key_quota_maxbytes; 880 881 spin_lock(&newowner->lock); 882 if (newowner->qnkeys + 1 >= maxkeys || 883 newowner->qnbytes + key->quotalen >= maxbytes || 884 newowner->qnbytes + key->quotalen < 885 newowner->qnbytes) 886 goto quota_overrun; 887 888 newowner->qnkeys++; 889 newowner->qnbytes += key->quotalen; 890 spin_unlock(&newowner->lock); 891 892 spin_lock(&key->user->lock); 893 key->user->qnkeys--; 894 key->user->qnbytes -= key->quotalen; 895 spin_unlock(&key->user->lock); 896 } 897 898 atomic_dec(&key->user->nkeys); 899 atomic_inc(&newowner->nkeys); 900 901 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 902 atomic_dec(&key->user->nikeys); 903 atomic_inc(&newowner->nikeys); 904 } 905 906 zapowner = key->user; 907 key->user = newowner; 908 key->uid = uid; 909 } 910 911 /* change the GID */ 912 if (group != (gid_t) -1) 913 key->gid = gid; 914 915 ret = 0; 916 917 error_put: 918 up_write(&key->sem); 919 key_put(key); 920 if (zapowner) 921 key_user_put(zapowner); 922 error: 923 return ret; 924 925 quota_overrun: 926 spin_unlock(&newowner->lock); 927 zapowner = newowner; 928 ret = -EDQUOT; 929 goto error_put; 930 } 931 932 /* 933 * Change the permission mask on a key. 934 * 935 * The key must grant the caller Setattr permission for this to work, though 936 * the key need not be fully instantiated yet. If the caller does not have 937 * sysadmin capability, it may only change the permission on keys that it owns. 938 */ 939 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 940 { 941 struct key *key; 942 key_ref_t key_ref; 943 long ret; 944 945 ret = -EINVAL; 946 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 947 goto error; 948 949 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 950 KEY_NEED_SETATTR); 951 if (IS_ERR(key_ref)) { 952 ret = PTR_ERR(key_ref); 953 goto error; 954 } 955 956 key = key_ref_to_ptr(key_ref); 957 958 /* make the changes with the locks held to prevent chown/chmod races */ 959 ret = -EACCES; 960 down_write(&key->sem); 961 962 /* if we're not the sysadmin, we can only change a key that we own */ 963 if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) { 964 key->perm = perm; 965 ret = 0; 966 } 967 968 up_write(&key->sem); 969 key_put(key); 970 error: 971 return ret; 972 } 973 974 /* 975 * Get the destination keyring for instantiation and check that the caller has 976 * Write permission on it. 977 */ 978 static long get_instantiation_keyring(key_serial_t ringid, 979 struct request_key_auth *rka, 980 struct key **_dest_keyring) 981 { 982 key_ref_t dkref; 983 984 *_dest_keyring = NULL; 985 986 /* just return a NULL pointer if we weren't asked to make a link */ 987 if (ringid == 0) 988 return 0; 989 990 /* if a specific keyring is nominated by ID, then use that */ 991 if (ringid > 0) { 992 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 993 if (IS_ERR(dkref)) 994 return PTR_ERR(dkref); 995 *_dest_keyring = key_ref_to_ptr(dkref); 996 return 0; 997 } 998 999 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 1000 return -EINVAL; 1001 1002 /* otherwise specify the destination keyring recorded in the 1003 * authorisation key (any KEY_SPEC_*_KEYRING) */ 1004 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 1005 *_dest_keyring = key_get(rka->dest_keyring); 1006 return 0; 1007 } 1008 1009 return -ENOKEY; 1010 } 1011 1012 /* 1013 * Change the request_key authorisation key on the current process. 1014 */ 1015 static int keyctl_change_reqkey_auth(struct key *key) 1016 { 1017 struct cred *new; 1018 1019 new = prepare_creds(); 1020 if (!new) 1021 return -ENOMEM; 1022 1023 key_put(new->request_key_auth); 1024 new->request_key_auth = key_get(key); 1025 1026 return commit_creds(new); 1027 } 1028 1029 /* 1030 * Instantiate a key with the specified payload and link the key into the 1031 * destination keyring if one is given. 1032 * 1033 * The caller must have the appropriate instantiation permit set for this to 1034 * work (see keyctl_assume_authority). No other permissions are required. 1035 * 1036 * If successful, 0 will be returned. 1037 */ 1038 long keyctl_instantiate_key_common(key_serial_t id, 1039 struct iov_iter *from, 1040 key_serial_t ringid) 1041 { 1042 const struct cred *cred = current_cred(); 1043 struct request_key_auth *rka; 1044 struct key *instkey, *dest_keyring; 1045 size_t plen = from ? iov_iter_count(from) : 0; 1046 void *payload; 1047 long ret; 1048 1049 kenter("%d,,%zu,%d", id, plen, ringid); 1050 1051 if (!plen) 1052 from = NULL; 1053 1054 ret = -EINVAL; 1055 if (plen > 1024 * 1024 - 1) 1056 goto error; 1057 1058 /* the appropriate instantiation authorisation key must have been 1059 * assumed before calling this */ 1060 ret = -EPERM; 1061 instkey = cred->request_key_auth; 1062 if (!instkey) 1063 goto error; 1064 1065 rka = instkey->payload.data[0]; 1066 if (rka->target_key->serial != id) 1067 goto error; 1068 1069 /* pull the payload in if one was supplied */ 1070 payload = NULL; 1071 1072 if (from) { 1073 ret = -ENOMEM; 1074 payload = kmalloc(plen, GFP_KERNEL); 1075 if (!payload) { 1076 if (plen <= PAGE_SIZE) 1077 goto error; 1078 payload = vmalloc(plen); 1079 if (!payload) 1080 goto error; 1081 } 1082 1083 ret = -EFAULT; 1084 if (!copy_from_iter_full(payload, plen, from)) 1085 goto error2; 1086 } 1087 1088 /* find the destination keyring amongst those belonging to the 1089 * requesting task */ 1090 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1091 if (ret < 0) 1092 goto error2; 1093 1094 /* instantiate the key and link it into a keyring */ 1095 ret = key_instantiate_and_link(rka->target_key, payload, plen, 1096 dest_keyring, instkey); 1097 1098 key_put(dest_keyring); 1099 1100 /* discard the assumed authority if it's just been disabled by 1101 * instantiation of the key */ 1102 if (ret == 0) 1103 keyctl_change_reqkey_auth(NULL); 1104 1105 error2: 1106 kvfree(payload); 1107 error: 1108 return ret; 1109 } 1110 1111 /* 1112 * Instantiate a key with the specified payload and link the key into the 1113 * destination keyring if one is given. 1114 * 1115 * The caller must have the appropriate instantiation permit set for this to 1116 * work (see keyctl_assume_authority). No other permissions are required. 1117 * 1118 * If successful, 0 will be returned. 1119 */ 1120 long keyctl_instantiate_key(key_serial_t id, 1121 const void __user *_payload, 1122 size_t plen, 1123 key_serial_t ringid) 1124 { 1125 if (_payload && plen) { 1126 struct iovec iov; 1127 struct iov_iter from; 1128 int ret; 1129 1130 ret = import_single_range(WRITE, (void __user *)_payload, plen, 1131 &iov, &from); 1132 if (unlikely(ret)) 1133 return ret; 1134 1135 return keyctl_instantiate_key_common(id, &from, ringid); 1136 } 1137 1138 return keyctl_instantiate_key_common(id, NULL, ringid); 1139 } 1140 1141 /* 1142 * Instantiate a key with the specified multipart payload and link the key into 1143 * the destination keyring if one is given. 1144 * 1145 * The caller must have the appropriate instantiation permit set for this to 1146 * work (see keyctl_assume_authority). No other permissions are required. 1147 * 1148 * If successful, 0 will be returned. 1149 */ 1150 long keyctl_instantiate_key_iov(key_serial_t id, 1151 const struct iovec __user *_payload_iov, 1152 unsigned ioc, 1153 key_serial_t ringid) 1154 { 1155 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; 1156 struct iov_iter from; 1157 long ret; 1158 1159 if (!_payload_iov) 1160 ioc = 0; 1161 1162 ret = import_iovec(WRITE, _payload_iov, ioc, 1163 ARRAY_SIZE(iovstack), &iov, &from); 1164 if (ret < 0) 1165 return ret; 1166 ret = keyctl_instantiate_key_common(id, &from, ringid); 1167 kfree(iov); 1168 return ret; 1169 } 1170 1171 /* 1172 * Negatively instantiate the key with the given timeout (in seconds) and link 1173 * the key into the destination keyring if one is given. 1174 * 1175 * The caller must have the appropriate instantiation permit set for this to 1176 * work (see keyctl_assume_authority). No other permissions are required. 1177 * 1178 * The key and any links to the key will be automatically garbage collected 1179 * after the timeout expires. 1180 * 1181 * Negative keys are used to rate limit repeated request_key() calls by causing 1182 * them to return -ENOKEY until the negative key expires. 1183 * 1184 * If successful, 0 will be returned. 1185 */ 1186 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 1187 { 1188 return keyctl_reject_key(id, timeout, ENOKEY, ringid); 1189 } 1190 1191 /* 1192 * Negatively instantiate the key with the given timeout (in seconds) and error 1193 * code and link the key into the destination keyring if one is given. 1194 * 1195 * The caller must have the appropriate instantiation permit set for this to 1196 * work (see keyctl_assume_authority). No other permissions are required. 1197 * 1198 * The key and any links to the key will be automatically garbage collected 1199 * after the timeout expires. 1200 * 1201 * Negative keys are used to rate limit repeated request_key() calls by causing 1202 * them to return the specified error code until the negative key expires. 1203 * 1204 * If successful, 0 will be returned. 1205 */ 1206 long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, 1207 key_serial_t ringid) 1208 { 1209 const struct cred *cred = current_cred(); 1210 struct request_key_auth *rka; 1211 struct key *instkey, *dest_keyring; 1212 long ret; 1213 1214 kenter("%d,%u,%u,%d", id, timeout, error, ringid); 1215 1216 /* must be a valid error code and mustn't be a kernel special */ 1217 if (error <= 0 || 1218 error >= MAX_ERRNO || 1219 error == ERESTARTSYS || 1220 error == ERESTARTNOINTR || 1221 error == ERESTARTNOHAND || 1222 error == ERESTART_RESTARTBLOCK) 1223 return -EINVAL; 1224 1225 /* the appropriate instantiation authorisation key must have been 1226 * assumed before calling this */ 1227 ret = -EPERM; 1228 instkey = cred->request_key_auth; 1229 if (!instkey) 1230 goto error; 1231 1232 rka = instkey->payload.data[0]; 1233 if (rka->target_key->serial != id) 1234 goto error; 1235 1236 /* find the destination keyring if present (which must also be 1237 * writable) */ 1238 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1239 if (ret < 0) 1240 goto error; 1241 1242 /* instantiate the key and link it into a keyring */ 1243 ret = key_reject_and_link(rka->target_key, timeout, error, 1244 dest_keyring, instkey); 1245 1246 key_put(dest_keyring); 1247 1248 /* discard the assumed authority if it's just been disabled by 1249 * instantiation of the key */ 1250 if (ret == 0) 1251 keyctl_change_reqkey_auth(NULL); 1252 1253 error: 1254 return ret; 1255 } 1256 1257 /* 1258 * Read or set the default keyring in which request_key() will cache keys and 1259 * return the old setting. 1260 * 1261 * If a thread or process keyring is specified then it will be created if it 1262 * doesn't yet exist. The old setting will be returned if successful. 1263 */ 1264 long keyctl_set_reqkey_keyring(int reqkey_defl) 1265 { 1266 struct cred *new; 1267 int ret, old_setting; 1268 1269 old_setting = current_cred_xxx(jit_keyring); 1270 1271 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1272 return old_setting; 1273 1274 new = prepare_creds(); 1275 if (!new) 1276 return -ENOMEM; 1277 1278 switch (reqkey_defl) { 1279 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1280 ret = install_thread_keyring_to_cred(new); 1281 if (ret < 0) 1282 goto error; 1283 goto set; 1284 1285 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1286 ret = install_process_keyring_to_cred(new); 1287 if (ret < 0) 1288 goto error; 1289 goto set; 1290 1291 case KEY_REQKEY_DEFL_DEFAULT: 1292 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1293 case KEY_REQKEY_DEFL_USER_KEYRING: 1294 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1295 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1296 goto set; 1297 1298 case KEY_REQKEY_DEFL_NO_CHANGE: 1299 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1300 default: 1301 ret = -EINVAL; 1302 goto error; 1303 } 1304 1305 set: 1306 new->jit_keyring = reqkey_defl; 1307 commit_creds(new); 1308 return old_setting; 1309 error: 1310 abort_creds(new); 1311 return ret; 1312 } 1313 1314 /* 1315 * Set or clear the timeout on a key. 1316 * 1317 * Either the key must grant the caller Setattr permission or else the caller 1318 * must hold an instantiation authorisation token for the key. 1319 * 1320 * The timeout is either 0 to clear the timeout, or a number of seconds from 1321 * the current time. The key and any links to the key will be automatically 1322 * garbage collected after the timeout expires. 1323 * 1324 * Keys with KEY_FLAG_KEEP set should not be timed out. 1325 * 1326 * If successful, 0 is returned. 1327 */ 1328 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1329 { 1330 struct key *key, *instkey; 1331 key_ref_t key_ref; 1332 long ret; 1333 1334 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1335 KEY_NEED_SETATTR); 1336 if (IS_ERR(key_ref)) { 1337 /* setting the timeout on a key under construction is permitted 1338 * if we have the authorisation token handy */ 1339 if (PTR_ERR(key_ref) == -EACCES) { 1340 instkey = key_get_instantiation_authkey(id); 1341 if (!IS_ERR(instkey)) { 1342 key_put(instkey); 1343 key_ref = lookup_user_key(id, 1344 KEY_LOOKUP_PARTIAL, 1345 0); 1346 if (!IS_ERR(key_ref)) 1347 goto okay; 1348 } 1349 } 1350 1351 ret = PTR_ERR(key_ref); 1352 goto error; 1353 } 1354 1355 okay: 1356 key = key_ref_to_ptr(key_ref); 1357 ret = 0; 1358 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 1359 ret = -EPERM; 1360 else 1361 key_set_timeout(key, timeout); 1362 key_put(key); 1363 1364 error: 1365 return ret; 1366 } 1367 1368 /* 1369 * Assume (or clear) the authority to instantiate the specified key. 1370 * 1371 * This sets the authoritative token currently in force for key instantiation. 1372 * This must be done for a key to be instantiated. It has the effect of making 1373 * available all the keys from the caller of the request_key() that created a 1374 * key to request_key() calls made by the caller of this function. 1375 * 1376 * The caller must have the instantiation key in their process keyrings with a 1377 * Search permission grant available to the caller. 1378 * 1379 * If the ID given is 0, then the setting will be cleared and 0 returned. 1380 * 1381 * If the ID given has a matching an authorisation key, then that key will be 1382 * set and its ID will be returned. The authorisation key can be read to get 1383 * the callout information passed to request_key(). 1384 */ 1385 long keyctl_assume_authority(key_serial_t id) 1386 { 1387 struct key *authkey; 1388 long ret; 1389 1390 /* special key IDs aren't permitted */ 1391 ret = -EINVAL; 1392 if (id < 0) 1393 goto error; 1394 1395 /* we divest ourselves of authority if given an ID of 0 */ 1396 if (id == 0) { 1397 ret = keyctl_change_reqkey_auth(NULL); 1398 goto error; 1399 } 1400 1401 /* attempt to assume the authority temporarily granted to us whilst we 1402 * instantiate the specified key 1403 * - the authorisation key must be in the current task's keyrings 1404 * somewhere 1405 */ 1406 authkey = key_get_instantiation_authkey(id); 1407 if (IS_ERR(authkey)) { 1408 ret = PTR_ERR(authkey); 1409 goto error; 1410 } 1411 1412 ret = keyctl_change_reqkey_auth(authkey); 1413 if (ret < 0) 1414 goto error; 1415 key_put(authkey); 1416 1417 ret = authkey->serial; 1418 error: 1419 return ret; 1420 } 1421 1422 /* 1423 * Get a key's the LSM security label. 1424 * 1425 * The key must grant the caller View permission for this to work. 1426 * 1427 * If there's a buffer, then up to buflen bytes of data will be placed into it. 1428 * 1429 * If successful, the amount of information available will be returned, 1430 * irrespective of how much was copied (including the terminal NUL). 1431 */ 1432 long keyctl_get_security(key_serial_t keyid, 1433 char __user *buffer, 1434 size_t buflen) 1435 { 1436 struct key *key, *instkey; 1437 key_ref_t key_ref; 1438 char *context; 1439 long ret; 1440 1441 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 1442 if (IS_ERR(key_ref)) { 1443 if (PTR_ERR(key_ref) != -EACCES) 1444 return PTR_ERR(key_ref); 1445 1446 /* viewing a key under construction is also permitted if we 1447 * have the authorisation token handy */ 1448 instkey = key_get_instantiation_authkey(keyid); 1449 if (IS_ERR(instkey)) 1450 return PTR_ERR(instkey); 1451 key_put(instkey); 1452 1453 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); 1454 if (IS_ERR(key_ref)) 1455 return PTR_ERR(key_ref); 1456 } 1457 1458 key = key_ref_to_ptr(key_ref); 1459 ret = security_key_getsecurity(key, &context); 1460 if (ret == 0) { 1461 /* if no information was returned, give userspace an empty 1462 * string */ 1463 ret = 1; 1464 if (buffer && buflen > 0 && 1465 copy_to_user(buffer, "", 1) != 0) 1466 ret = -EFAULT; 1467 } else if (ret > 0) { 1468 /* return as much data as there's room for */ 1469 if (buffer && buflen > 0) { 1470 if (buflen > ret) 1471 buflen = ret; 1472 1473 if (copy_to_user(buffer, context, buflen) != 0) 1474 ret = -EFAULT; 1475 } 1476 1477 kfree(context); 1478 } 1479 1480 key_ref_put(key_ref); 1481 return ret; 1482 } 1483 1484 /* 1485 * Attempt to install the calling process's session keyring on the process's 1486 * parent process. 1487 * 1488 * The keyring must exist and must grant the caller LINK permission, and the 1489 * parent process must be single-threaded and must have the same effective 1490 * ownership as this process and mustn't be SUID/SGID. 1491 * 1492 * The keyring will be emplaced on the parent when it next resumes userspace. 1493 * 1494 * If successful, 0 will be returned. 1495 */ 1496 long keyctl_session_to_parent(void) 1497 { 1498 struct task_struct *me, *parent; 1499 const struct cred *mycred, *pcred; 1500 struct callback_head *newwork, *oldwork; 1501 key_ref_t keyring_r; 1502 struct cred *cred; 1503 int ret; 1504 1505 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK); 1506 if (IS_ERR(keyring_r)) 1507 return PTR_ERR(keyring_r); 1508 1509 ret = -ENOMEM; 1510 1511 /* our parent is going to need a new cred struct, a new tgcred struct 1512 * and new security data, so we allocate them here to prevent ENOMEM in 1513 * our parent */ 1514 cred = cred_alloc_blank(); 1515 if (!cred) 1516 goto error_keyring; 1517 newwork = &cred->rcu; 1518 1519 cred->session_keyring = key_ref_to_ptr(keyring_r); 1520 keyring_r = NULL; 1521 init_task_work(newwork, key_change_session_keyring); 1522 1523 me = current; 1524 rcu_read_lock(); 1525 write_lock_irq(&tasklist_lock); 1526 1527 ret = -EPERM; 1528 oldwork = NULL; 1529 parent = me->real_parent; 1530 1531 /* the parent mustn't be init and mustn't be a kernel thread */ 1532 if (parent->pid <= 1 || !parent->mm) 1533 goto unlock; 1534 1535 /* the parent must be single threaded */ 1536 if (!thread_group_empty(parent)) 1537 goto unlock; 1538 1539 /* the parent and the child must have different session keyrings or 1540 * there's no point */ 1541 mycred = current_cred(); 1542 pcred = __task_cred(parent); 1543 if (mycred == pcred || 1544 mycred->session_keyring == pcred->session_keyring) { 1545 ret = 0; 1546 goto unlock; 1547 } 1548 1549 /* the parent must have the same effective ownership and mustn't be 1550 * SUID/SGID */ 1551 if (!uid_eq(pcred->uid, mycred->euid) || 1552 !uid_eq(pcred->euid, mycred->euid) || 1553 !uid_eq(pcred->suid, mycred->euid) || 1554 !gid_eq(pcred->gid, mycred->egid) || 1555 !gid_eq(pcred->egid, mycred->egid) || 1556 !gid_eq(pcred->sgid, mycred->egid)) 1557 goto unlock; 1558 1559 /* the keyrings must have the same UID */ 1560 if ((pcred->session_keyring && 1561 !uid_eq(pcred->session_keyring->uid, mycred->euid)) || 1562 !uid_eq(mycred->session_keyring->uid, mycred->euid)) 1563 goto unlock; 1564 1565 /* cancel an already pending keyring replacement */ 1566 oldwork = task_work_cancel(parent, key_change_session_keyring); 1567 1568 /* the replacement session keyring is applied just prior to userspace 1569 * restarting */ 1570 ret = task_work_add(parent, newwork, true); 1571 if (!ret) 1572 newwork = NULL; 1573 unlock: 1574 write_unlock_irq(&tasklist_lock); 1575 rcu_read_unlock(); 1576 if (oldwork) 1577 put_cred(container_of(oldwork, struct cred, rcu)); 1578 if (newwork) 1579 put_cred(cred); 1580 return ret; 1581 1582 error_keyring: 1583 key_ref_put(keyring_r); 1584 return ret; 1585 } 1586 1587 /* 1588 * The key control system call 1589 */ 1590 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1591 unsigned long, arg4, unsigned long, arg5) 1592 { 1593 switch (option) { 1594 case KEYCTL_GET_KEYRING_ID: 1595 return keyctl_get_keyring_ID((key_serial_t) arg2, 1596 (int) arg3); 1597 1598 case KEYCTL_JOIN_SESSION_KEYRING: 1599 return keyctl_join_session_keyring((const char __user *) arg2); 1600 1601 case KEYCTL_UPDATE: 1602 return keyctl_update_key((key_serial_t) arg2, 1603 (const void __user *) arg3, 1604 (size_t) arg4); 1605 1606 case KEYCTL_REVOKE: 1607 return keyctl_revoke_key((key_serial_t) arg2); 1608 1609 case KEYCTL_DESCRIBE: 1610 return keyctl_describe_key((key_serial_t) arg2, 1611 (char __user *) arg3, 1612 (unsigned) arg4); 1613 1614 case KEYCTL_CLEAR: 1615 return keyctl_keyring_clear((key_serial_t) arg2); 1616 1617 case KEYCTL_LINK: 1618 return keyctl_keyring_link((key_serial_t) arg2, 1619 (key_serial_t) arg3); 1620 1621 case KEYCTL_UNLINK: 1622 return keyctl_keyring_unlink((key_serial_t) arg2, 1623 (key_serial_t) arg3); 1624 1625 case KEYCTL_SEARCH: 1626 return keyctl_keyring_search((key_serial_t) arg2, 1627 (const char __user *) arg3, 1628 (const char __user *) arg4, 1629 (key_serial_t) arg5); 1630 1631 case KEYCTL_READ: 1632 return keyctl_read_key((key_serial_t) arg2, 1633 (char __user *) arg3, 1634 (size_t) arg4); 1635 1636 case KEYCTL_CHOWN: 1637 return keyctl_chown_key((key_serial_t) arg2, 1638 (uid_t) arg3, 1639 (gid_t) arg4); 1640 1641 case KEYCTL_SETPERM: 1642 return keyctl_setperm_key((key_serial_t) arg2, 1643 (key_perm_t) arg3); 1644 1645 case KEYCTL_INSTANTIATE: 1646 return keyctl_instantiate_key((key_serial_t) arg2, 1647 (const void __user *) arg3, 1648 (size_t) arg4, 1649 (key_serial_t) arg5); 1650 1651 case KEYCTL_NEGATE: 1652 return keyctl_negate_key((key_serial_t) arg2, 1653 (unsigned) arg3, 1654 (key_serial_t) arg4); 1655 1656 case KEYCTL_SET_REQKEY_KEYRING: 1657 return keyctl_set_reqkey_keyring(arg2); 1658 1659 case KEYCTL_SET_TIMEOUT: 1660 return keyctl_set_timeout((key_serial_t) arg2, 1661 (unsigned) arg3); 1662 1663 case KEYCTL_ASSUME_AUTHORITY: 1664 return keyctl_assume_authority((key_serial_t) arg2); 1665 1666 case KEYCTL_GET_SECURITY: 1667 return keyctl_get_security((key_serial_t) arg2, 1668 (char __user *) arg3, 1669 (size_t) arg4); 1670 1671 case KEYCTL_SESSION_TO_PARENT: 1672 return keyctl_session_to_parent(); 1673 1674 case KEYCTL_REJECT: 1675 return keyctl_reject_key((key_serial_t) arg2, 1676 (unsigned) arg3, 1677 (unsigned) arg4, 1678 (key_serial_t) arg5); 1679 1680 case KEYCTL_INSTANTIATE_IOV: 1681 return keyctl_instantiate_key_iov( 1682 (key_serial_t) arg2, 1683 (const struct iovec __user *) arg3, 1684 (unsigned) arg4, 1685 (key_serial_t) arg5); 1686 1687 case KEYCTL_INVALIDATE: 1688 return keyctl_invalidate_key((key_serial_t) arg2); 1689 1690 case KEYCTL_GET_PERSISTENT: 1691 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); 1692 1693 case KEYCTL_DH_COMPUTE: 1694 return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2, 1695 (char __user *) arg3, (size_t) arg4, 1696 (void __user *) arg5); 1697 1698 default: 1699 return -EOPNOTSUPP; 1700 } 1701 } 1702