1 /* Userspace key control operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/syscalls.h> 17 #include <linux/key.h> 18 #include <linux/keyctl.h> 19 #include <linux/fs.h> 20 #include <linux/capability.h> 21 #include <linux/string.h> 22 #include <linux/err.h> 23 #include <linux/vmalloc.h> 24 #include <linux/security.h> 25 #include <linux/uio.h> 26 #include <asm/uaccess.h> 27 #include "internal.h" 28 29 static int key_get_type_from_user(char *type, 30 const char __user *_type, 31 unsigned len) 32 { 33 int ret; 34 35 ret = strncpy_from_user(type, _type, len); 36 if (ret < 0) 37 return ret; 38 if (ret == 0 || ret >= len) 39 return -EINVAL; 40 type[len - 1] = '\0'; 41 return 0; 42 } 43 44 /* 45 * Extract the description of a new key from userspace and either add it as a 46 * new key to the specified keyring or update a matching key in that keyring. 47 * 48 * If the description is NULL or an empty string, the key type is asked to 49 * generate one from the payload. 50 * 51 * The keyring must be writable so that we can attach the key to it. 52 * 53 * If successful, the new key's serial number is returned, otherwise an error 54 * code is returned. 55 */ 56 SYSCALL_DEFINE5(add_key, const char __user *, _type, 57 const char __user *, _description, 58 const void __user *, _payload, 59 size_t, plen, 60 key_serial_t, ringid) 61 { 62 key_ref_t keyring_ref, key_ref; 63 char type[32], *description; 64 void *payload; 65 long ret; 66 bool vm; 67 68 ret = -EINVAL; 69 if (plen > 1024 * 1024 - 1) 70 goto error; 71 72 /* draw all the data into kernel space */ 73 ret = key_get_type_from_user(type, _type, sizeof(type)); 74 if (ret < 0) 75 goto error; 76 77 description = NULL; 78 if (_description) { 79 description = strndup_user(_description, PAGE_SIZE); 80 if (IS_ERR(description)) { 81 ret = PTR_ERR(description); 82 goto error; 83 } 84 if (!*description) { 85 kfree(description); 86 description = NULL; 87 } else if ((description[0] == '.') && 88 (strncmp(type, "keyring", 7) == 0)) { 89 ret = -EPERM; 90 goto error2; 91 } 92 } 93 94 /* pull the payload in if one was supplied */ 95 payload = NULL; 96 97 vm = false; 98 if (_payload) { 99 ret = -ENOMEM; 100 payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN); 101 if (!payload) { 102 if (plen <= PAGE_SIZE) 103 goto error2; 104 vm = true; 105 payload = vmalloc(plen); 106 if (!payload) 107 goto error2; 108 } 109 110 ret = -EFAULT; 111 if (copy_from_user(payload, _payload, plen) != 0) 112 goto error3; 113 } 114 115 /* find the target keyring (which must be writable) */ 116 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 117 if (IS_ERR(keyring_ref)) { 118 ret = PTR_ERR(keyring_ref); 119 goto error3; 120 } 121 122 /* create or update the requested key and add it to the target 123 * keyring */ 124 key_ref = key_create_or_update(keyring_ref, type, description, 125 payload, plen, KEY_PERM_UNDEF, 126 KEY_ALLOC_IN_QUOTA); 127 if (!IS_ERR(key_ref)) { 128 ret = key_ref_to_ptr(key_ref)->serial; 129 key_ref_put(key_ref); 130 } 131 else { 132 ret = PTR_ERR(key_ref); 133 } 134 135 key_ref_put(keyring_ref); 136 error3: 137 if (!vm) 138 kfree(payload); 139 else 140 vfree(payload); 141 error2: 142 kfree(description); 143 error: 144 return ret; 145 } 146 147 /* 148 * Search the process keyrings and keyring trees linked from those for a 149 * matching key. Keyrings must have appropriate Search permission to be 150 * searched. 151 * 152 * If a key is found, it will be attached to the destination keyring if there's 153 * one specified and the serial number of the key will be returned. 154 * 155 * If no key is found, /sbin/request-key will be invoked if _callout_info is 156 * non-NULL in an attempt to create a key. The _callout_info string will be 157 * passed to /sbin/request-key to aid with completing the request. If the 158 * _callout_info string is "" then it will be changed to "-". 159 */ 160 SYSCALL_DEFINE4(request_key, const char __user *, _type, 161 const char __user *, _description, 162 const char __user *, _callout_info, 163 key_serial_t, destringid) 164 { 165 struct key_type *ktype; 166 struct key *key; 167 key_ref_t dest_ref; 168 size_t callout_len; 169 char type[32], *description, *callout_info; 170 long ret; 171 172 /* pull the type into kernel space */ 173 ret = key_get_type_from_user(type, _type, sizeof(type)); 174 if (ret < 0) 175 goto error; 176 177 /* pull the description into kernel space */ 178 description = strndup_user(_description, PAGE_SIZE); 179 if (IS_ERR(description)) { 180 ret = PTR_ERR(description); 181 goto error; 182 } 183 184 /* pull the callout info into kernel space */ 185 callout_info = NULL; 186 callout_len = 0; 187 if (_callout_info) { 188 callout_info = strndup_user(_callout_info, PAGE_SIZE); 189 if (IS_ERR(callout_info)) { 190 ret = PTR_ERR(callout_info); 191 goto error2; 192 } 193 callout_len = strlen(callout_info); 194 } 195 196 /* get the destination keyring if specified */ 197 dest_ref = NULL; 198 if (destringid) { 199 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 200 KEY_NEED_WRITE); 201 if (IS_ERR(dest_ref)) { 202 ret = PTR_ERR(dest_ref); 203 goto error3; 204 } 205 } 206 207 /* find the key type */ 208 ktype = key_type_lookup(type); 209 if (IS_ERR(ktype)) { 210 ret = PTR_ERR(ktype); 211 goto error4; 212 } 213 214 /* do the search */ 215 key = request_key_and_link(ktype, description, callout_info, 216 callout_len, NULL, key_ref_to_ptr(dest_ref), 217 KEY_ALLOC_IN_QUOTA); 218 if (IS_ERR(key)) { 219 ret = PTR_ERR(key); 220 goto error5; 221 } 222 223 /* wait for the key to finish being constructed */ 224 ret = wait_for_key_construction(key, 1); 225 if (ret < 0) 226 goto error6; 227 228 ret = key->serial; 229 230 error6: 231 key_put(key); 232 error5: 233 key_type_put(ktype); 234 error4: 235 key_ref_put(dest_ref); 236 error3: 237 kfree(callout_info); 238 error2: 239 kfree(description); 240 error: 241 return ret; 242 } 243 244 /* 245 * Get the ID of the specified process keyring. 246 * 247 * The requested keyring must have search permission to be found. 248 * 249 * If successful, the ID of the requested keyring will be returned. 250 */ 251 long keyctl_get_keyring_ID(key_serial_t id, int create) 252 { 253 key_ref_t key_ref; 254 unsigned long lflags; 255 long ret; 256 257 lflags = create ? KEY_LOOKUP_CREATE : 0; 258 key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH); 259 if (IS_ERR(key_ref)) { 260 ret = PTR_ERR(key_ref); 261 goto error; 262 } 263 264 ret = key_ref_to_ptr(key_ref)->serial; 265 key_ref_put(key_ref); 266 error: 267 return ret; 268 } 269 270 /* 271 * Join a (named) session keyring. 272 * 273 * Create and join an anonymous session keyring or join a named session 274 * keyring, creating it if necessary. A named session keyring must have Search 275 * permission for it to be joined. Session keyrings without this permit will 276 * be skipped over. 277 * 278 * If successful, the ID of the joined session keyring will be returned. 279 */ 280 long keyctl_join_session_keyring(const char __user *_name) 281 { 282 char *name; 283 long ret; 284 285 /* fetch the name from userspace */ 286 name = NULL; 287 if (_name) { 288 name = strndup_user(_name, PAGE_SIZE); 289 if (IS_ERR(name)) { 290 ret = PTR_ERR(name); 291 goto error; 292 } 293 } 294 295 /* join the session */ 296 ret = join_session_keyring(name); 297 kfree(name); 298 299 error: 300 return ret; 301 } 302 303 /* 304 * Update a key's data payload from the given data. 305 * 306 * The key must grant the caller Write permission and the key type must support 307 * updating for this to work. A negative key can be positively instantiated 308 * with this call. 309 * 310 * If successful, 0 will be returned. If the key type does not support 311 * updating, then -EOPNOTSUPP will be returned. 312 */ 313 long keyctl_update_key(key_serial_t id, 314 const void __user *_payload, 315 size_t plen) 316 { 317 key_ref_t key_ref; 318 void *payload; 319 long ret; 320 321 ret = -EINVAL; 322 if (plen > PAGE_SIZE) 323 goto error; 324 325 /* pull the payload in if one was supplied */ 326 payload = NULL; 327 if (_payload) { 328 ret = -ENOMEM; 329 payload = kmalloc(plen, GFP_KERNEL); 330 if (!payload) 331 goto error; 332 333 ret = -EFAULT; 334 if (copy_from_user(payload, _payload, plen) != 0) 335 goto error2; 336 } 337 338 /* find the target key (which must be writable) */ 339 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 340 if (IS_ERR(key_ref)) { 341 ret = PTR_ERR(key_ref); 342 goto error2; 343 } 344 345 /* update the key */ 346 ret = key_update(key_ref, payload, plen); 347 348 key_ref_put(key_ref); 349 error2: 350 kfree(payload); 351 error: 352 return ret; 353 } 354 355 /* 356 * Revoke a key. 357 * 358 * The key must be grant the caller Write or Setattr permission for this to 359 * work. The key type should give up its quota claim when revoked. The key 360 * and any links to the key will be automatically garbage collected after a 361 * certain amount of time (/proc/sys/kernel/keys/gc_delay). 362 * 363 * If successful, 0 is returned. 364 */ 365 long keyctl_revoke_key(key_serial_t id) 366 { 367 key_ref_t key_ref; 368 long ret; 369 370 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 371 if (IS_ERR(key_ref)) { 372 ret = PTR_ERR(key_ref); 373 if (ret != -EACCES) 374 goto error; 375 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 376 if (IS_ERR(key_ref)) { 377 ret = PTR_ERR(key_ref); 378 goto error; 379 } 380 } 381 382 key_revoke(key_ref_to_ptr(key_ref)); 383 ret = 0; 384 385 key_ref_put(key_ref); 386 error: 387 return ret; 388 } 389 390 /* 391 * Invalidate a key. 392 * 393 * The key must be grant the caller Invalidate permission for this to work. 394 * The key and any links to the key will be automatically garbage collected 395 * immediately. 396 * 397 * If successful, 0 is returned. 398 */ 399 long keyctl_invalidate_key(key_serial_t id) 400 { 401 key_ref_t key_ref; 402 long ret; 403 404 kenter("%d", id); 405 406 key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); 407 if (IS_ERR(key_ref)) { 408 ret = PTR_ERR(key_ref); 409 410 /* Root is permitted to invalidate certain special keys */ 411 if (capable(CAP_SYS_ADMIN)) { 412 key_ref = lookup_user_key(id, 0, 0); 413 if (IS_ERR(key_ref)) 414 goto error; 415 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, 416 &key_ref_to_ptr(key_ref)->flags)) 417 goto invalidate; 418 goto error_put; 419 } 420 421 goto error; 422 } 423 424 invalidate: 425 key_invalidate(key_ref_to_ptr(key_ref)); 426 ret = 0; 427 error_put: 428 key_ref_put(key_ref); 429 error: 430 kleave(" = %ld", ret); 431 return ret; 432 } 433 434 /* 435 * Clear the specified keyring, creating an empty process keyring if one of the 436 * special keyring IDs is used. 437 * 438 * The keyring must grant the caller Write permission for this to work. If 439 * successful, 0 will be returned. 440 */ 441 long keyctl_keyring_clear(key_serial_t ringid) 442 { 443 key_ref_t keyring_ref; 444 long ret; 445 446 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 447 if (IS_ERR(keyring_ref)) { 448 ret = PTR_ERR(keyring_ref); 449 450 /* Root is permitted to invalidate certain special keyrings */ 451 if (capable(CAP_SYS_ADMIN)) { 452 keyring_ref = lookup_user_key(ringid, 0, 0); 453 if (IS_ERR(keyring_ref)) 454 goto error; 455 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, 456 &key_ref_to_ptr(keyring_ref)->flags)) 457 goto clear; 458 goto error_put; 459 } 460 461 goto error; 462 } 463 464 clear: 465 ret = keyring_clear(key_ref_to_ptr(keyring_ref)); 466 error_put: 467 key_ref_put(keyring_ref); 468 error: 469 return ret; 470 } 471 472 /* 473 * Create a link from a keyring to a key if there's no matching key in the 474 * keyring, otherwise replace the link to the matching key with a link to the 475 * new key. 476 * 477 * The key must grant the caller Link permission and the the keyring must grant 478 * the caller Write permission. Furthermore, if an additional link is created, 479 * the keyring's quota will be extended. 480 * 481 * If successful, 0 will be returned. 482 */ 483 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 484 { 485 key_ref_t keyring_ref, key_ref; 486 long ret; 487 488 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 489 if (IS_ERR(keyring_ref)) { 490 ret = PTR_ERR(keyring_ref); 491 goto error; 492 } 493 494 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 495 if (IS_ERR(key_ref)) { 496 ret = PTR_ERR(key_ref); 497 goto error2; 498 } 499 500 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 501 502 key_ref_put(key_ref); 503 error2: 504 key_ref_put(keyring_ref); 505 error: 506 return ret; 507 } 508 509 /* 510 * Unlink a key from a keyring. 511 * 512 * The keyring must grant the caller Write permission for this to work; the key 513 * itself need not grant the caller anything. If the last link to a key is 514 * removed then that key will be scheduled for destruction. 515 * 516 * If successful, 0 will be returned. 517 */ 518 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 519 { 520 key_ref_t keyring_ref, key_ref; 521 long ret; 522 523 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); 524 if (IS_ERR(keyring_ref)) { 525 ret = PTR_ERR(keyring_ref); 526 goto error; 527 } 528 529 key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0); 530 if (IS_ERR(key_ref)) { 531 ret = PTR_ERR(key_ref); 532 goto error2; 533 } 534 535 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 536 537 key_ref_put(key_ref); 538 error2: 539 key_ref_put(keyring_ref); 540 error: 541 return ret; 542 } 543 544 /* 545 * Return a description of a key to userspace. 546 * 547 * The key must grant the caller View permission for this to work. 548 * 549 * If there's a buffer, we place up to buflen bytes of data into it formatted 550 * in the following way: 551 * 552 * type;uid;gid;perm;description<NUL> 553 * 554 * If successful, we return the amount of description available, irrespective 555 * of how much we may have copied into the buffer. 556 */ 557 long keyctl_describe_key(key_serial_t keyid, 558 char __user *buffer, 559 size_t buflen) 560 { 561 struct key *key, *instkey; 562 key_ref_t key_ref; 563 char *tmpbuf; 564 long ret; 565 566 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 567 if (IS_ERR(key_ref)) { 568 /* viewing a key under construction is permitted if we have the 569 * authorisation token handy */ 570 if (PTR_ERR(key_ref) == -EACCES) { 571 instkey = key_get_instantiation_authkey(keyid); 572 if (!IS_ERR(instkey)) { 573 key_put(instkey); 574 key_ref = lookup_user_key(keyid, 575 KEY_LOOKUP_PARTIAL, 576 0); 577 if (!IS_ERR(key_ref)) 578 goto okay; 579 } 580 } 581 582 ret = PTR_ERR(key_ref); 583 goto error; 584 } 585 586 okay: 587 /* calculate how much description we're going to return */ 588 ret = -ENOMEM; 589 tmpbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); 590 if (!tmpbuf) 591 goto error2; 592 593 key = key_ref_to_ptr(key_ref); 594 595 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 596 "%s;%d;%d;%08x;%s", 597 key->type->name, 598 from_kuid_munged(current_user_ns(), key->uid), 599 from_kgid_munged(current_user_ns(), key->gid), 600 key->perm, 601 key->description ?: ""); 602 603 /* include a NUL char at the end of the data */ 604 if (ret > PAGE_SIZE - 1) 605 ret = PAGE_SIZE - 1; 606 tmpbuf[ret] = 0; 607 ret++; 608 609 /* consider returning the data */ 610 if (buffer && buflen > 0) { 611 if (buflen > ret) 612 buflen = ret; 613 614 if (copy_to_user(buffer, tmpbuf, buflen) != 0) 615 ret = -EFAULT; 616 } 617 618 kfree(tmpbuf); 619 error2: 620 key_ref_put(key_ref); 621 error: 622 return ret; 623 } 624 625 /* 626 * Search the specified keyring and any keyrings it links to for a matching 627 * key. Only keyrings that grant the caller Search permission will be searched 628 * (this includes the starting keyring). Only keys with Search permission can 629 * be found. 630 * 631 * If successful, the found key will be linked to the destination keyring if 632 * supplied and the key has Link permission, and the found key ID will be 633 * returned. 634 */ 635 long keyctl_keyring_search(key_serial_t ringid, 636 const char __user *_type, 637 const char __user *_description, 638 key_serial_t destringid) 639 { 640 struct key_type *ktype; 641 key_ref_t keyring_ref, key_ref, dest_ref; 642 char type[32], *description; 643 long ret; 644 645 /* pull the type and description into kernel space */ 646 ret = key_get_type_from_user(type, _type, sizeof(type)); 647 if (ret < 0) 648 goto error; 649 650 description = strndup_user(_description, PAGE_SIZE); 651 if (IS_ERR(description)) { 652 ret = PTR_ERR(description); 653 goto error; 654 } 655 656 /* get the keyring at which to begin the search */ 657 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH); 658 if (IS_ERR(keyring_ref)) { 659 ret = PTR_ERR(keyring_ref); 660 goto error2; 661 } 662 663 /* get the destination keyring if specified */ 664 dest_ref = NULL; 665 if (destringid) { 666 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 667 KEY_NEED_WRITE); 668 if (IS_ERR(dest_ref)) { 669 ret = PTR_ERR(dest_ref); 670 goto error3; 671 } 672 } 673 674 /* find the key type */ 675 ktype = key_type_lookup(type); 676 if (IS_ERR(ktype)) { 677 ret = PTR_ERR(ktype); 678 goto error4; 679 } 680 681 /* do the search */ 682 key_ref = keyring_search(keyring_ref, ktype, description); 683 if (IS_ERR(key_ref)) { 684 ret = PTR_ERR(key_ref); 685 686 /* treat lack or presence of a negative key the same */ 687 if (ret == -EAGAIN) 688 ret = -ENOKEY; 689 goto error5; 690 } 691 692 /* link the resulting key to the destination keyring if we can */ 693 if (dest_ref) { 694 ret = key_permission(key_ref, KEY_NEED_LINK); 695 if (ret < 0) 696 goto error6; 697 698 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 699 if (ret < 0) 700 goto error6; 701 } 702 703 ret = key_ref_to_ptr(key_ref)->serial; 704 705 error6: 706 key_ref_put(key_ref); 707 error5: 708 key_type_put(ktype); 709 error4: 710 key_ref_put(dest_ref); 711 error3: 712 key_ref_put(keyring_ref); 713 error2: 714 kfree(description); 715 error: 716 return ret; 717 } 718 719 /* 720 * Read a key's payload. 721 * 722 * The key must either grant the caller Read permission, or it must grant the 723 * caller Search permission when searched for from the process keyrings. 724 * 725 * If successful, we place up to buflen bytes of data into the buffer, if one 726 * is provided, and return the amount of data that is available in the key, 727 * irrespective of how much we copied into the buffer. 728 */ 729 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 730 { 731 struct key *key; 732 key_ref_t key_ref; 733 long ret; 734 735 /* find the key first */ 736 key_ref = lookup_user_key(keyid, 0, 0); 737 if (IS_ERR(key_ref)) { 738 ret = -ENOKEY; 739 goto error; 740 } 741 742 key = key_ref_to_ptr(key_ref); 743 744 /* see if we can read it directly */ 745 ret = key_permission(key_ref, KEY_NEED_READ); 746 if (ret == 0) 747 goto can_read_key; 748 if (ret != -EACCES) 749 goto error; 750 751 /* we can't; see if it's searchable from this process's keyrings 752 * - we automatically take account of the fact that it may be 753 * dangling off an instantiation key 754 */ 755 if (!is_key_possessed(key_ref)) { 756 ret = -EACCES; 757 goto error2; 758 } 759 760 /* the key is probably readable - now try to read it */ 761 can_read_key: 762 ret = key_validate(key); 763 if (ret == 0) { 764 ret = -EOPNOTSUPP; 765 if (key->type->read) { 766 /* read the data with the semaphore held (since we 767 * might sleep) */ 768 down_read(&key->sem); 769 ret = key->type->read(key, buffer, buflen); 770 up_read(&key->sem); 771 } 772 } 773 774 error2: 775 key_put(key); 776 error: 777 return ret; 778 } 779 780 /* 781 * Change the ownership of a key 782 * 783 * The key must grant the caller Setattr permission for this to work, though 784 * the key need not be fully instantiated yet. For the UID to be changed, or 785 * for the GID to be changed to a group the caller is not a member of, the 786 * caller must have sysadmin capability. If either uid or gid is -1 then that 787 * attribute is not changed. 788 * 789 * If the UID is to be changed, the new user must have sufficient quota to 790 * accept the key. The quota deduction will be removed from the old user to 791 * the new user should the attribute be changed. 792 * 793 * If successful, 0 will be returned. 794 */ 795 long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) 796 { 797 struct key_user *newowner, *zapowner = NULL; 798 struct key *key; 799 key_ref_t key_ref; 800 long ret; 801 kuid_t uid; 802 kgid_t gid; 803 804 uid = make_kuid(current_user_ns(), user); 805 gid = make_kgid(current_user_ns(), group); 806 ret = -EINVAL; 807 if ((user != (uid_t) -1) && !uid_valid(uid)) 808 goto error; 809 if ((group != (gid_t) -1) && !gid_valid(gid)) 810 goto error; 811 812 ret = 0; 813 if (user == (uid_t) -1 && group == (gid_t) -1) 814 goto error; 815 816 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 817 KEY_NEED_SETATTR); 818 if (IS_ERR(key_ref)) { 819 ret = PTR_ERR(key_ref); 820 goto error; 821 } 822 823 key = key_ref_to_ptr(key_ref); 824 825 /* make the changes with the locks held to prevent chown/chown races */ 826 ret = -EACCES; 827 down_write(&key->sem); 828 829 if (!capable(CAP_SYS_ADMIN)) { 830 /* only the sysadmin can chown a key to some other UID */ 831 if (user != (uid_t) -1 && !uid_eq(key->uid, uid)) 832 goto error_put; 833 834 /* only the sysadmin can set the key's GID to a group other 835 * than one of those that the current process subscribes to */ 836 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid)) 837 goto error_put; 838 } 839 840 /* change the UID */ 841 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) { 842 ret = -ENOMEM; 843 newowner = key_user_lookup(uid); 844 if (!newowner) 845 goto error_put; 846 847 /* transfer the quota burden to the new user */ 848 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 849 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 850 key_quota_root_maxkeys : key_quota_maxkeys; 851 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 852 key_quota_root_maxbytes : key_quota_maxbytes; 853 854 spin_lock(&newowner->lock); 855 if (newowner->qnkeys + 1 >= maxkeys || 856 newowner->qnbytes + key->quotalen >= maxbytes || 857 newowner->qnbytes + key->quotalen < 858 newowner->qnbytes) 859 goto quota_overrun; 860 861 newowner->qnkeys++; 862 newowner->qnbytes += key->quotalen; 863 spin_unlock(&newowner->lock); 864 865 spin_lock(&key->user->lock); 866 key->user->qnkeys--; 867 key->user->qnbytes -= key->quotalen; 868 spin_unlock(&key->user->lock); 869 } 870 871 atomic_dec(&key->user->nkeys); 872 atomic_inc(&newowner->nkeys); 873 874 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 875 atomic_dec(&key->user->nikeys); 876 atomic_inc(&newowner->nikeys); 877 } 878 879 zapowner = key->user; 880 key->user = newowner; 881 key->uid = uid; 882 } 883 884 /* change the GID */ 885 if (group != (gid_t) -1) 886 key->gid = gid; 887 888 ret = 0; 889 890 error_put: 891 up_write(&key->sem); 892 key_put(key); 893 if (zapowner) 894 key_user_put(zapowner); 895 error: 896 return ret; 897 898 quota_overrun: 899 spin_unlock(&newowner->lock); 900 zapowner = newowner; 901 ret = -EDQUOT; 902 goto error_put; 903 } 904 905 /* 906 * Change the permission mask on a key. 907 * 908 * The key must grant the caller Setattr permission for this to work, though 909 * the key need not be fully instantiated yet. If the caller does not have 910 * sysadmin capability, it may only change the permission on keys that it owns. 911 */ 912 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 913 { 914 struct key *key; 915 key_ref_t key_ref; 916 long ret; 917 918 ret = -EINVAL; 919 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 920 goto error; 921 922 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 923 KEY_NEED_SETATTR); 924 if (IS_ERR(key_ref)) { 925 ret = PTR_ERR(key_ref); 926 goto error; 927 } 928 929 key = key_ref_to_ptr(key_ref); 930 931 /* make the changes with the locks held to prevent chown/chmod races */ 932 ret = -EACCES; 933 down_write(&key->sem); 934 935 /* if we're not the sysadmin, we can only change a key that we own */ 936 if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) { 937 key->perm = perm; 938 ret = 0; 939 } 940 941 up_write(&key->sem); 942 key_put(key); 943 error: 944 return ret; 945 } 946 947 /* 948 * Get the destination keyring for instantiation and check that the caller has 949 * Write permission on it. 950 */ 951 static long get_instantiation_keyring(key_serial_t ringid, 952 struct request_key_auth *rka, 953 struct key **_dest_keyring) 954 { 955 key_ref_t dkref; 956 957 *_dest_keyring = NULL; 958 959 /* just return a NULL pointer if we weren't asked to make a link */ 960 if (ringid == 0) 961 return 0; 962 963 /* if a specific keyring is nominated by ID, then use that */ 964 if (ringid > 0) { 965 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 966 if (IS_ERR(dkref)) 967 return PTR_ERR(dkref); 968 *_dest_keyring = key_ref_to_ptr(dkref); 969 return 0; 970 } 971 972 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 973 return -EINVAL; 974 975 /* otherwise specify the destination keyring recorded in the 976 * authorisation key (any KEY_SPEC_*_KEYRING) */ 977 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 978 *_dest_keyring = key_get(rka->dest_keyring); 979 return 0; 980 } 981 982 return -ENOKEY; 983 } 984 985 /* 986 * Change the request_key authorisation key on the current process. 987 */ 988 static int keyctl_change_reqkey_auth(struct key *key) 989 { 990 struct cred *new; 991 992 new = prepare_creds(); 993 if (!new) 994 return -ENOMEM; 995 996 key_put(new->request_key_auth); 997 new->request_key_auth = key_get(key); 998 999 return commit_creds(new); 1000 } 1001 1002 /* 1003 * Copy the iovec data from userspace 1004 */ 1005 static long copy_from_user_iovec(void *buffer, const struct iovec *iov, 1006 unsigned ioc) 1007 { 1008 for (; ioc > 0; ioc--) { 1009 if (copy_from_user(buffer, iov->iov_base, iov->iov_len) != 0) 1010 return -EFAULT; 1011 buffer += iov->iov_len; 1012 iov++; 1013 } 1014 return 0; 1015 } 1016 1017 /* 1018 * Instantiate a key with the specified payload and link the key into the 1019 * destination keyring if one is given. 1020 * 1021 * The caller must have the appropriate instantiation permit set for this to 1022 * work (see keyctl_assume_authority). No other permissions are required. 1023 * 1024 * If successful, 0 will be returned. 1025 */ 1026 long keyctl_instantiate_key_common(key_serial_t id, 1027 const struct iovec *payload_iov, 1028 unsigned ioc, 1029 size_t plen, 1030 key_serial_t ringid) 1031 { 1032 const struct cred *cred = current_cred(); 1033 struct request_key_auth *rka; 1034 struct key *instkey, *dest_keyring; 1035 void *payload; 1036 long ret; 1037 bool vm = false; 1038 1039 kenter("%d,,%zu,%d", id, plen, ringid); 1040 1041 ret = -EINVAL; 1042 if (plen > 1024 * 1024 - 1) 1043 goto error; 1044 1045 /* the appropriate instantiation authorisation key must have been 1046 * assumed before calling this */ 1047 ret = -EPERM; 1048 instkey = cred->request_key_auth; 1049 if (!instkey) 1050 goto error; 1051 1052 rka = instkey->payload.data; 1053 if (rka->target_key->serial != id) 1054 goto error; 1055 1056 /* pull the payload in if one was supplied */ 1057 payload = NULL; 1058 1059 if (payload_iov) { 1060 ret = -ENOMEM; 1061 payload = kmalloc(plen, GFP_KERNEL); 1062 if (!payload) { 1063 if (plen <= PAGE_SIZE) 1064 goto error; 1065 vm = true; 1066 payload = vmalloc(plen); 1067 if (!payload) 1068 goto error; 1069 } 1070 1071 ret = copy_from_user_iovec(payload, payload_iov, ioc); 1072 if (ret < 0) 1073 goto error2; 1074 } 1075 1076 /* find the destination keyring amongst those belonging to the 1077 * requesting task */ 1078 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1079 if (ret < 0) 1080 goto error2; 1081 1082 /* instantiate the key and link it into a keyring */ 1083 ret = key_instantiate_and_link(rka->target_key, payload, plen, 1084 dest_keyring, instkey); 1085 1086 key_put(dest_keyring); 1087 1088 /* discard the assumed authority if it's just been disabled by 1089 * instantiation of the key */ 1090 if (ret == 0) 1091 keyctl_change_reqkey_auth(NULL); 1092 1093 error2: 1094 if (!vm) 1095 kfree(payload); 1096 else 1097 vfree(payload); 1098 error: 1099 return ret; 1100 } 1101 1102 /* 1103 * Instantiate a key with the specified payload and link the key into the 1104 * destination keyring if one is given. 1105 * 1106 * The caller must have the appropriate instantiation permit set for this to 1107 * work (see keyctl_assume_authority). No other permissions are required. 1108 * 1109 * If successful, 0 will be returned. 1110 */ 1111 long keyctl_instantiate_key(key_serial_t id, 1112 const void __user *_payload, 1113 size_t plen, 1114 key_serial_t ringid) 1115 { 1116 if (_payload && plen) { 1117 struct iovec iov[1] = { 1118 [0].iov_base = (void __user *)_payload, 1119 [0].iov_len = plen 1120 }; 1121 1122 return keyctl_instantiate_key_common(id, iov, 1, plen, ringid); 1123 } 1124 1125 return keyctl_instantiate_key_common(id, NULL, 0, 0, ringid); 1126 } 1127 1128 /* 1129 * Instantiate a key with the specified multipart payload and link the key into 1130 * the destination keyring if one is given. 1131 * 1132 * The caller must have the appropriate instantiation permit set for this to 1133 * work (see keyctl_assume_authority). No other permissions are required. 1134 * 1135 * If successful, 0 will be returned. 1136 */ 1137 long keyctl_instantiate_key_iov(key_serial_t id, 1138 const struct iovec __user *_payload_iov, 1139 unsigned ioc, 1140 key_serial_t ringid) 1141 { 1142 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; 1143 long ret; 1144 1145 if (!_payload_iov || !ioc) 1146 goto no_payload; 1147 1148 ret = rw_copy_check_uvector(WRITE, _payload_iov, ioc, 1149 ARRAY_SIZE(iovstack), iovstack, &iov); 1150 if (ret < 0) 1151 goto err; 1152 if (ret == 0) 1153 goto no_payload_free; 1154 1155 ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid); 1156 err: 1157 if (iov != iovstack) 1158 kfree(iov); 1159 return ret; 1160 1161 no_payload_free: 1162 if (iov != iovstack) 1163 kfree(iov); 1164 no_payload: 1165 return keyctl_instantiate_key_common(id, NULL, 0, 0, ringid); 1166 } 1167 1168 /* 1169 * Negatively instantiate the key with the given timeout (in seconds) and link 1170 * the key into the destination keyring if one is given. 1171 * 1172 * The caller must have the appropriate instantiation permit set for this to 1173 * work (see keyctl_assume_authority). No other permissions are required. 1174 * 1175 * The key and any links to the key will be automatically garbage collected 1176 * after the timeout expires. 1177 * 1178 * Negative keys are used to rate limit repeated request_key() calls by causing 1179 * them to return -ENOKEY until the negative key expires. 1180 * 1181 * If successful, 0 will be returned. 1182 */ 1183 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 1184 { 1185 return keyctl_reject_key(id, timeout, ENOKEY, ringid); 1186 } 1187 1188 /* 1189 * Negatively instantiate the key with the given timeout (in seconds) and error 1190 * code and link the key into the destination keyring if one is given. 1191 * 1192 * The caller must have the appropriate instantiation permit set for this to 1193 * work (see keyctl_assume_authority). No other permissions are required. 1194 * 1195 * The key and any links to the key will be automatically garbage collected 1196 * after the timeout expires. 1197 * 1198 * Negative keys are used to rate limit repeated request_key() calls by causing 1199 * them to return the specified error code until the negative key expires. 1200 * 1201 * If successful, 0 will be returned. 1202 */ 1203 long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, 1204 key_serial_t ringid) 1205 { 1206 const struct cred *cred = current_cred(); 1207 struct request_key_auth *rka; 1208 struct key *instkey, *dest_keyring; 1209 long ret; 1210 1211 kenter("%d,%u,%u,%d", id, timeout, error, ringid); 1212 1213 /* must be a valid error code and mustn't be a kernel special */ 1214 if (error <= 0 || 1215 error >= MAX_ERRNO || 1216 error == ERESTARTSYS || 1217 error == ERESTARTNOINTR || 1218 error == ERESTARTNOHAND || 1219 error == ERESTART_RESTARTBLOCK) 1220 return -EINVAL; 1221 1222 /* the appropriate instantiation authorisation key must have been 1223 * assumed before calling this */ 1224 ret = -EPERM; 1225 instkey = cred->request_key_auth; 1226 if (!instkey) 1227 goto error; 1228 1229 rka = instkey->payload.data; 1230 if (rka->target_key->serial != id) 1231 goto error; 1232 1233 /* find the destination keyring if present (which must also be 1234 * writable) */ 1235 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1236 if (ret < 0) 1237 goto error; 1238 1239 /* instantiate the key and link it into a keyring */ 1240 ret = key_reject_and_link(rka->target_key, timeout, error, 1241 dest_keyring, instkey); 1242 1243 key_put(dest_keyring); 1244 1245 /* discard the assumed authority if it's just been disabled by 1246 * instantiation of the key */ 1247 if (ret == 0) 1248 keyctl_change_reqkey_auth(NULL); 1249 1250 error: 1251 return ret; 1252 } 1253 1254 /* 1255 * Read or set the default keyring in which request_key() will cache keys and 1256 * return the old setting. 1257 * 1258 * If a process keyring is specified then this will be created if it doesn't 1259 * yet exist. The old setting will be returned if successful. 1260 */ 1261 long keyctl_set_reqkey_keyring(int reqkey_defl) 1262 { 1263 struct cred *new; 1264 int ret, old_setting; 1265 1266 old_setting = current_cred_xxx(jit_keyring); 1267 1268 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1269 return old_setting; 1270 1271 new = prepare_creds(); 1272 if (!new) 1273 return -ENOMEM; 1274 1275 switch (reqkey_defl) { 1276 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1277 ret = install_thread_keyring_to_cred(new); 1278 if (ret < 0) 1279 goto error; 1280 goto set; 1281 1282 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1283 ret = install_process_keyring_to_cred(new); 1284 if (ret < 0) { 1285 if (ret != -EEXIST) 1286 goto error; 1287 ret = 0; 1288 } 1289 goto set; 1290 1291 case KEY_REQKEY_DEFL_DEFAULT: 1292 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1293 case KEY_REQKEY_DEFL_USER_KEYRING: 1294 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1295 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1296 goto set; 1297 1298 case KEY_REQKEY_DEFL_NO_CHANGE: 1299 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1300 default: 1301 ret = -EINVAL; 1302 goto error; 1303 } 1304 1305 set: 1306 new->jit_keyring = reqkey_defl; 1307 commit_creds(new); 1308 return old_setting; 1309 error: 1310 abort_creds(new); 1311 return ret; 1312 } 1313 1314 /* 1315 * Set or clear the timeout on a key. 1316 * 1317 * Either the key must grant the caller Setattr permission or else the caller 1318 * must hold an instantiation authorisation token for the key. 1319 * 1320 * The timeout is either 0 to clear the timeout, or a number of seconds from 1321 * the current time. The key and any links to the key will be automatically 1322 * garbage collected after the timeout expires. 1323 * 1324 * If successful, 0 is returned. 1325 */ 1326 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1327 { 1328 struct key *key, *instkey; 1329 key_ref_t key_ref; 1330 long ret; 1331 1332 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1333 KEY_NEED_SETATTR); 1334 if (IS_ERR(key_ref)) { 1335 /* setting the timeout on a key under construction is permitted 1336 * if we have the authorisation token handy */ 1337 if (PTR_ERR(key_ref) == -EACCES) { 1338 instkey = key_get_instantiation_authkey(id); 1339 if (!IS_ERR(instkey)) { 1340 key_put(instkey); 1341 key_ref = lookup_user_key(id, 1342 KEY_LOOKUP_PARTIAL, 1343 0); 1344 if (!IS_ERR(key_ref)) 1345 goto okay; 1346 } 1347 } 1348 1349 ret = PTR_ERR(key_ref); 1350 goto error; 1351 } 1352 1353 okay: 1354 key = key_ref_to_ptr(key_ref); 1355 key_set_timeout(key, timeout); 1356 key_put(key); 1357 1358 ret = 0; 1359 error: 1360 return ret; 1361 } 1362 1363 /* 1364 * Assume (or clear) the authority to instantiate the specified key. 1365 * 1366 * This sets the authoritative token currently in force for key instantiation. 1367 * This must be done for a key to be instantiated. It has the effect of making 1368 * available all the keys from the caller of the request_key() that created a 1369 * key to request_key() calls made by the caller of this function. 1370 * 1371 * The caller must have the instantiation key in their process keyrings with a 1372 * Search permission grant available to the caller. 1373 * 1374 * If the ID given is 0, then the setting will be cleared and 0 returned. 1375 * 1376 * If the ID given has a matching an authorisation key, then that key will be 1377 * set and its ID will be returned. The authorisation key can be read to get 1378 * the callout information passed to request_key(). 1379 */ 1380 long keyctl_assume_authority(key_serial_t id) 1381 { 1382 struct key *authkey; 1383 long ret; 1384 1385 /* special key IDs aren't permitted */ 1386 ret = -EINVAL; 1387 if (id < 0) 1388 goto error; 1389 1390 /* we divest ourselves of authority if given an ID of 0 */ 1391 if (id == 0) { 1392 ret = keyctl_change_reqkey_auth(NULL); 1393 goto error; 1394 } 1395 1396 /* attempt to assume the authority temporarily granted to us whilst we 1397 * instantiate the specified key 1398 * - the authorisation key must be in the current task's keyrings 1399 * somewhere 1400 */ 1401 authkey = key_get_instantiation_authkey(id); 1402 if (IS_ERR(authkey)) { 1403 ret = PTR_ERR(authkey); 1404 goto error; 1405 } 1406 1407 ret = keyctl_change_reqkey_auth(authkey); 1408 if (ret < 0) 1409 goto error; 1410 key_put(authkey); 1411 1412 ret = authkey->serial; 1413 error: 1414 return ret; 1415 } 1416 1417 /* 1418 * Get a key's the LSM security label. 1419 * 1420 * The key must grant the caller View permission for this to work. 1421 * 1422 * If there's a buffer, then up to buflen bytes of data will be placed into it. 1423 * 1424 * If successful, the amount of information available will be returned, 1425 * irrespective of how much was copied (including the terminal NUL). 1426 */ 1427 long keyctl_get_security(key_serial_t keyid, 1428 char __user *buffer, 1429 size_t buflen) 1430 { 1431 struct key *key, *instkey; 1432 key_ref_t key_ref; 1433 char *context; 1434 long ret; 1435 1436 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 1437 if (IS_ERR(key_ref)) { 1438 if (PTR_ERR(key_ref) != -EACCES) 1439 return PTR_ERR(key_ref); 1440 1441 /* viewing a key under construction is also permitted if we 1442 * have the authorisation token handy */ 1443 instkey = key_get_instantiation_authkey(keyid); 1444 if (IS_ERR(instkey)) 1445 return PTR_ERR(instkey); 1446 key_put(instkey); 1447 1448 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); 1449 if (IS_ERR(key_ref)) 1450 return PTR_ERR(key_ref); 1451 } 1452 1453 key = key_ref_to_ptr(key_ref); 1454 ret = security_key_getsecurity(key, &context); 1455 if (ret == 0) { 1456 /* if no information was returned, give userspace an empty 1457 * string */ 1458 ret = 1; 1459 if (buffer && buflen > 0 && 1460 copy_to_user(buffer, "", 1) != 0) 1461 ret = -EFAULT; 1462 } else if (ret > 0) { 1463 /* return as much data as there's room for */ 1464 if (buffer && buflen > 0) { 1465 if (buflen > ret) 1466 buflen = ret; 1467 1468 if (copy_to_user(buffer, context, buflen) != 0) 1469 ret = -EFAULT; 1470 } 1471 1472 kfree(context); 1473 } 1474 1475 key_ref_put(key_ref); 1476 return ret; 1477 } 1478 1479 /* 1480 * Attempt to install the calling process's session keyring on the process's 1481 * parent process. 1482 * 1483 * The keyring must exist and must grant the caller LINK permission, and the 1484 * parent process must be single-threaded and must have the same effective 1485 * ownership as this process and mustn't be SUID/SGID. 1486 * 1487 * The keyring will be emplaced on the parent when it next resumes userspace. 1488 * 1489 * If successful, 0 will be returned. 1490 */ 1491 long keyctl_session_to_parent(void) 1492 { 1493 struct task_struct *me, *parent; 1494 const struct cred *mycred, *pcred; 1495 struct callback_head *newwork, *oldwork; 1496 key_ref_t keyring_r; 1497 struct cred *cred; 1498 int ret; 1499 1500 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK); 1501 if (IS_ERR(keyring_r)) 1502 return PTR_ERR(keyring_r); 1503 1504 ret = -ENOMEM; 1505 1506 /* our parent is going to need a new cred struct, a new tgcred struct 1507 * and new security data, so we allocate them here to prevent ENOMEM in 1508 * our parent */ 1509 cred = cred_alloc_blank(); 1510 if (!cred) 1511 goto error_keyring; 1512 newwork = &cred->rcu; 1513 1514 cred->session_keyring = key_ref_to_ptr(keyring_r); 1515 keyring_r = NULL; 1516 init_task_work(newwork, key_change_session_keyring); 1517 1518 me = current; 1519 rcu_read_lock(); 1520 write_lock_irq(&tasklist_lock); 1521 1522 ret = -EPERM; 1523 oldwork = NULL; 1524 parent = me->real_parent; 1525 1526 /* the parent mustn't be init and mustn't be a kernel thread */ 1527 if (parent->pid <= 1 || !parent->mm) 1528 goto unlock; 1529 1530 /* the parent must be single threaded */ 1531 if (!thread_group_empty(parent)) 1532 goto unlock; 1533 1534 /* the parent and the child must have different session keyrings or 1535 * there's no point */ 1536 mycred = current_cred(); 1537 pcred = __task_cred(parent); 1538 if (mycred == pcred || 1539 mycred->session_keyring == pcred->session_keyring) { 1540 ret = 0; 1541 goto unlock; 1542 } 1543 1544 /* the parent must have the same effective ownership and mustn't be 1545 * SUID/SGID */ 1546 if (!uid_eq(pcred->uid, mycred->euid) || 1547 !uid_eq(pcred->euid, mycred->euid) || 1548 !uid_eq(pcred->suid, mycred->euid) || 1549 !gid_eq(pcred->gid, mycred->egid) || 1550 !gid_eq(pcred->egid, mycred->egid) || 1551 !gid_eq(pcred->sgid, mycred->egid)) 1552 goto unlock; 1553 1554 /* the keyrings must have the same UID */ 1555 if ((pcred->session_keyring && 1556 !uid_eq(pcred->session_keyring->uid, mycred->euid)) || 1557 !uid_eq(mycred->session_keyring->uid, mycred->euid)) 1558 goto unlock; 1559 1560 /* cancel an already pending keyring replacement */ 1561 oldwork = task_work_cancel(parent, key_change_session_keyring); 1562 1563 /* the replacement session keyring is applied just prior to userspace 1564 * restarting */ 1565 ret = task_work_add(parent, newwork, true); 1566 if (!ret) 1567 newwork = NULL; 1568 unlock: 1569 write_unlock_irq(&tasklist_lock); 1570 rcu_read_unlock(); 1571 if (oldwork) 1572 put_cred(container_of(oldwork, struct cred, rcu)); 1573 if (newwork) 1574 put_cred(cred); 1575 return ret; 1576 1577 error_keyring: 1578 key_ref_put(keyring_r); 1579 return ret; 1580 } 1581 1582 /* 1583 * The key control system call 1584 */ 1585 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1586 unsigned long, arg4, unsigned long, arg5) 1587 { 1588 switch (option) { 1589 case KEYCTL_GET_KEYRING_ID: 1590 return keyctl_get_keyring_ID((key_serial_t) arg2, 1591 (int) arg3); 1592 1593 case KEYCTL_JOIN_SESSION_KEYRING: 1594 return keyctl_join_session_keyring((const char __user *) arg2); 1595 1596 case KEYCTL_UPDATE: 1597 return keyctl_update_key((key_serial_t) arg2, 1598 (const void __user *) arg3, 1599 (size_t) arg4); 1600 1601 case KEYCTL_REVOKE: 1602 return keyctl_revoke_key((key_serial_t) arg2); 1603 1604 case KEYCTL_DESCRIBE: 1605 return keyctl_describe_key((key_serial_t) arg2, 1606 (char __user *) arg3, 1607 (unsigned) arg4); 1608 1609 case KEYCTL_CLEAR: 1610 return keyctl_keyring_clear((key_serial_t) arg2); 1611 1612 case KEYCTL_LINK: 1613 return keyctl_keyring_link((key_serial_t) arg2, 1614 (key_serial_t) arg3); 1615 1616 case KEYCTL_UNLINK: 1617 return keyctl_keyring_unlink((key_serial_t) arg2, 1618 (key_serial_t) arg3); 1619 1620 case KEYCTL_SEARCH: 1621 return keyctl_keyring_search((key_serial_t) arg2, 1622 (const char __user *) arg3, 1623 (const char __user *) arg4, 1624 (key_serial_t) arg5); 1625 1626 case KEYCTL_READ: 1627 return keyctl_read_key((key_serial_t) arg2, 1628 (char __user *) arg3, 1629 (size_t) arg4); 1630 1631 case KEYCTL_CHOWN: 1632 return keyctl_chown_key((key_serial_t) arg2, 1633 (uid_t) arg3, 1634 (gid_t) arg4); 1635 1636 case KEYCTL_SETPERM: 1637 return keyctl_setperm_key((key_serial_t) arg2, 1638 (key_perm_t) arg3); 1639 1640 case KEYCTL_INSTANTIATE: 1641 return keyctl_instantiate_key((key_serial_t) arg2, 1642 (const void __user *) arg3, 1643 (size_t) arg4, 1644 (key_serial_t) arg5); 1645 1646 case KEYCTL_NEGATE: 1647 return keyctl_negate_key((key_serial_t) arg2, 1648 (unsigned) arg3, 1649 (key_serial_t) arg4); 1650 1651 case KEYCTL_SET_REQKEY_KEYRING: 1652 return keyctl_set_reqkey_keyring(arg2); 1653 1654 case KEYCTL_SET_TIMEOUT: 1655 return keyctl_set_timeout((key_serial_t) arg2, 1656 (unsigned) arg3); 1657 1658 case KEYCTL_ASSUME_AUTHORITY: 1659 return keyctl_assume_authority((key_serial_t) arg2); 1660 1661 case KEYCTL_GET_SECURITY: 1662 return keyctl_get_security((key_serial_t) arg2, 1663 (char __user *) arg3, 1664 (size_t) arg4); 1665 1666 case KEYCTL_SESSION_TO_PARENT: 1667 return keyctl_session_to_parent(); 1668 1669 case KEYCTL_REJECT: 1670 return keyctl_reject_key((key_serial_t) arg2, 1671 (unsigned) arg3, 1672 (unsigned) arg4, 1673 (key_serial_t) arg5); 1674 1675 case KEYCTL_INSTANTIATE_IOV: 1676 return keyctl_instantiate_key_iov( 1677 (key_serial_t) arg2, 1678 (const struct iovec __user *) arg3, 1679 (unsigned) arg4, 1680 (key_serial_t) arg5); 1681 1682 case KEYCTL_INVALIDATE: 1683 return keyctl_invalidate_key((key_serial_t) arg2); 1684 1685 case KEYCTL_GET_PERSISTENT: 1686 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); 1687 1688 default: 1689 return -EOPNOTSUPP; 1690 } 1691 } 1692