1 /* keyctl.c: userspace keyctl operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/syscalls.h> 17 #include <linux/keyctl.h> 18 #include <linux/fs.h> 19 #include <linux/capability.h> 20 #include <linux/string.h> 21 #include <linux/err.h> 22 #include <asm/uaccess.h> 23 #include "internal.h" 24 25 static int key_get_type_from_user(char *type, 26 const char __user *_type, 27 unsigned len) 28 { 29 int ret; 30 31 ret = strncpy_from_user(type, _type, len); 32 33 if (ret < 0) 34 return -EFAULT; 35 36 if (ret == 0 || ret >= len) 37 return -EINVAL; 38 39 if (type[0] == '.') 40 return -EPERM; 41 42 type[len - 1] = '\0'; 43 44 return 0; 45 } 46 47 /*****************************************************************************/ 48 /* 49 * extract the description of a new key from userspace and either add it as a 50 * new key to the specified keyring or update a matching key in that keyring 51 * - the keyring must be writable 52 * - returns the new key's serial number 53 * - implements add_key() 54 */ 55 asmlinkage long sys_add_key(const char __user *_type, 56 const char __user *_description, 57 const void __user *_payload, 58 size_t plen, 59 key_serial_t ringid) 60 { 61 key_ref_t keyring_ref, key_ref; 62 char type[32], *description; 63 void *payload; 64 long ret; 65 66 ret = -EINVAL; 67 if (plen > 32767) 68 goto error; 69 70 /* draw all the data into kernel space */ 71 ret = key_get_type_from_user(type, _type, sizeof(type)); 72 if (ret < 0) 73 goto error; 74 75 description = strndup_user(_description, PAGE_SIZE); 76 if (IS_ERR(description)) { 77 ret = PTR_ERR(description); 78 goto error; 79 } 80 81 /* pull the payload in if one was supplied */ 82 payload = NULL; 83 84 if (_payload) { 85 ret = -ENOMEM; 86 payload = kmalloc(plen, GFP_KERNEL); 87 if (!payload) 88 goto error2; 89 90 ret = -EFAULT; 91 if (copy_from_user(payload, _payload, plen) != 0) 92 goto error3; 93 } 94 95 /* find the target keyring (which must be writable) */ 96 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 97 if (IS_ERR(keyring_ref)) { 98 ret = PTR_ERR(keyring_ref); 99 goto error3; 100 } 101 102 /* create or update the requested key and add it to the target 103 * keyring */ 104 key_ref = key_create_or_update(keyring_ref, type, description, 105 payload, plen, KEY_ALLOC_IN_QUOTA); 106 if (!IS_ERR(key_ref)) { 107 ret = key_ref_to_ptr(key_ref)->serial; 108 key_ref_put(key_ref); 109 } 110 else { 111 ret = PTR_ERR(key_ref); 112 } 113 114 key_ref_put(keyring_ref); 115 error3: 116 kfree(payload); 117 error2: 118 kfree(description); 119 error: 120 return ret; 121 122 } /* end sys_add_key() */ 123 124 /*****************************************************************************/ 125 /* 126 * search the process keyrings for a matching key 127 * - nested keyrings may also be searched if they have Search permission 128 * - if a key is found, it will be attached to the destination keyring if 129 * there's one specified 130 * - /sbin/request-key will be invoked if _callout_info is non-NULL 131 * - the _callout_info string will be passed to /sbin/request-key 132 * - if the _callout_info string is empty, it will be rendered as "-" 133 * - implements request_key() 134 */ 135 asmlinkage long sys_request_key(const char __user *_type, 136 const char __user *_description, 137 const char __user *_callout_info, 138 key_serial_t destringid) 139 { 140 struct key_type *ktype; 141 struct key *key; 142 key_ref_t dest_ref; 143 char type[32], *description, *callout_info; 144 long ret; 145 146 /* pull the type into kernel space */ 147 ret = key_get_type_from_user(type, _type, sizeof(type)); 148 if (ret < 0) 149 goto error; 150 151 /* pull the description into kernel space */ 152 description = strndup_user(_description, PAGE_SIZE); 153 if (IS_ERR(description)) { 154 ret = PTR_ERR(description); 155 goto error; 156 } 157 158 /* pull the callout info into kernel space */ 159 callout_info = NULL; 160 if (_callout_info) { 161 callout_info = strndup_user(_callout_info, PAGE_SIZE); 162 if (IS_ERR(callout_info)) { 163 ret = PTR_ERR(callout_info); 164 goto error2; 165 } 166 } 167 168 /* get the destination keyring if specified */ 169 dest_ref = NULL; 170 if (destringid) { 171 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 172 if (IS_ERR(dest_ref)) { 173 ret = PTR_ERR(dest_ref); 174 goto error3; 175 } 176 } 177 178 /* find the key type */ 179 ktype = key_type_lookup(type); 180 if (IS_ERR(ktype)) { 181 ret = PTR_ERR(ktype); 182 goto error4; 183 } 184 185 /* do the search */ 186 key = request_key_and_link(ktype, description, callout_info, NULL, 187 key_ref_to_ptr(dest_ref), 188 KEY_ALLOC_IN_QUOTA); 189 if (IS_ERR(key)) { 190 ret = PTR_ERR(key); 191 goto error5; 192 } 193 194 ret = key->serial; 195 196 key_put(key); 197 error5: 198 key_type_put(ktype); 199 error4: 200 key_ref_put(dest_ref); 201 error3: 202 kfree(callout_info); 203 error2: 204 kfree(description); 205 error: 206 return ret; 207 208 } /* end sys_request_key() */ 209 210 /*****************************************************************************/ 211 /* 212 * get the ID of the specified process keyring 213 * - the keyring must have search permission to be found 214 * - implements keyctl(KEYCTL_GET_KEYRING_ID) 215 */ 216 long keyctl_get_keyring_ID(key_serial_t id, int create) 217 { 218 key_ref_t key_ref; 219 long ret; 220 221 key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); 222 if (IS_ERR(key_ref)) { 223 ret = PTR_ERR(key_ref); 224 goto error; 225 } 226 227 ret = key_ref_to_ptr(key_ref)->serial; 228 key_ref_put(key_ref); 229 error: 230 return ret; 231 232 } /* end keyctl_get_keyring_ID() */ 233 234 /*****************************************************************************/ 235 /* 236 * join the session keyring 237 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING) 238 */ 239 long keyctl_join_session_keyring(const char __user *_name) 240 { 241 char *name; 242 long ret; 243 244 /* fetch the name from userspace */ 245 name = NULL; 246 if (_name) { 247 name = strndup_user(_name, PAGE_SIZE); 248 if (IS_ERR(name)) { 249 ret = PTR_ERR(name); 250 goto error; 251 } 252 } 253 254 /* join the session */ 255 ret = join_session_keyring(name); 256 257 error: 258 return ret; 259 260 } /* end keyctl_join_session_keyring() */ 261 262 /*****************************************************************************/ 263 /* 264 * update a key's data payload 265 * - the key must be writable 266 * - implements keyctl(KEYCTL_UPDATE) 267 */ 268 long keyctl_update_key(key_serial_t id, 269 const void __user *_payload, 270 size_t plen) 271 { 272 key_ref_t key_ref; 273 void *payload; 274 long ret; 275 276 ret = -EINVAL; 277 if (plen > PAGE_SIZE) 278 goto error; 279 280 /* pull the payload in if one was supplied */ 281 payload = NULL; 282 if (_payload) { 283 ret = -ENOMEM; 284 payload = kmalloc(plen, GFP_KERNEL); 285 if (!payload) 286 goto error; 287 288 ret = -EFAULT; 289 if (copy_from_user(payload, _payload, plen) != 0) 290 goto error2; 291 } 292 293 /* find the target key (which must be writable) */ 294 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 295 if (IS_ERR(key_ref)) { 296 ret = PTR_ERR(key_ref); 297 goto error2; 298 } 299 300 /* update the key */ 301 ret = key_update(key_ref, payload, plen); 302 303 key_ref_put(key_ref); 304 error2: 305 kfree(payload); 306 error: 307 return ret; 308 309 } /* end keyctl_update_key() */ 310 311 /*****************************************************************************/ 312 /* 313 * revoke a key 314 * - the key must be writable 315 * - implements keyctl(KEYCTL_REVOKE) 316 */ 317 long keyctl_revoke_key(key_serial_t id) 318 { 319 key_ref_t key_ref; 320 long ret; 321 322 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 323 if (IS_ERR(key_ref)) { 324 ret = PTR_ERR(key_ref); 325 goto error; 326 } 327 328 key_revoke(key_ref_to_ptr(key_ref)); 329 ret = 0; 330 331 key_ref_put(key_ref); 332 error: 333 return ret; 334 335 } /* end keyctl_revoke_key() */ 336 337 /*****************************************************************************/ 338 /* 339 * clear the specified process keyring 340 * - the keyring must be writable 341 * - implements keyctl(KEYCTL_CLEAR) 342 */ 343 long keyctl_keyring_clear(key_serial_t ringid) 344 { 345 key_ref_t keyring_ref; 346 long ret; 347 348 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 349 if (IS_ERR(keyring_ref)) { 350 ret = PTR_ERR(keyring_ref); 351 goto error; 352 } 353 354 ret = keyring_clear(key_ref_to_ptr(keyring_ref)); 355 356 key_ref_put(keyring_ref); 357 error: 358 return ret; 359 360 } /* end keyctl_keyring_clear() */ 361 362 /*****************************************************************************/ 363 /* 364 * link a key into a keyring 365 * - the keyring must be writable 366 * - the key must be linkable 367 * - implements keyctl(KEYCTL_LINK) 368 */ 369 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 370 { 371 key_ref_t keyring_ref, key_ref; 372 long ret; 373 374 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 375 if (IS_ERR(keyring_ref)) { 376 ret = PTR_ERR(keyring_ref); 377 goto error; 378 } 379 380 key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK); 381 if (IS_ERR(key_ref)) { 382 ret = PTR_ERR(key_ref); 383 goto error2; 384 } 385 386 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 387 388 key_ref_put(key_ref); 389 error2: 390 key_ref_put(keyring_ref); 391 error: 392 return ret; 393 394 } /* end keyctl_keyring_link() */ 395 396 /*****************************************************************************/ 397 /* 398 * unlink the first attachment of a key from a keyring 399 * - the keyring must be writable 400 * - we don't need any permissions on the key 401 * - implements keyctl(KEYCTL_UNLINK) 402 */ 403 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 404 { 405 key_ref_t keyring_ref, key_ref; 406 long ret; 407 408 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); 409 if (IS_ERR(keyring_ref)) { 410 ret = PTR_ERR(keyring_ref); 411 goto error; 412 } 413 414 key_ref = lookup_user_key(NULL, id, 0, 0, 0); 415 if (IS_ERR(key_ref)) { 416 ret = PTR_ERR(key_ref); 417 goto error2; 418 } 419 420 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 421 422 key_ref_put(key_ref); 423 error2: 424 key_ref_put(keyring_ref); 425 error: 426 return ret; 427 428 } /* end keyctl_keyring_unlink() */ 429 430 /*****************************************************************************/ 431 /* 432 * describe a user key 433 * - the key must have view permission 434 * - if there's a buffer, we place up to buflen bytes of data into it 435 * - unless there's an error, we return the amount of description available, 436 * irrespective of how much we may have copied 437 * - the description is formatted thus: 438 * type;uid;gid;perm;description<NUL> 439 * - implements keyctl(KEYCTL_DESCRIBE) 440 */ 441 long keyctl_describe_key(key_serial_t keyid, 442 char __user *buffer, 443 size_t buflen) 444 { 445 struct key *key, *instkey; 446 key_ref_t key_ref; 447 char *tmpbuf; 448 long ret; 449 450 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 451 if (IS_ERR(key_ref)) { 452 /* viewing a key under construction is permitted if we have the 453 * authorisation token handy */ 454 if (PTR_ERR(key_ref) == -EACCES) { 455 instkey = key_get_instantiation_authkey(keyid); 456 if (!IS_ERR(instkey)) { 457 key_put(instkey); 458 key_ref = lookup_user_key(NULL, keyid, 459 0, 1, 0); 460 if (!IS_ERR(key_ref)) 461 goto okay; 462 } 463 } 464 465 ret = PTR_ERR(key_ref); 466 goto error; 467 } 468 469 okay: 470 /* calculate how much description we're going to return */ 471 ret = -ENOMEM; 472 tmpbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); 473 if (!tmpbuf) 474 goto error2; 475 476 key = key_ref_to_ptr(key_ref); 477 478 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 479 "%s;%d;%d;%08x;%s", 480 key_ref_to_ptr(key_ref)->type->name, 481 key_ref_to_ptr(key_ref)->uid, 482 key_ref_to_ptr(key_ref)->gid, 483 key_ref_to_ptr(key_ref)->perm, 484 key_ref_to_ptr(key_ref)->description ? 485 key_ref_to_ptr(key_ref)->description : "" 486 ); 487 488 /* include a NUL char at the end of the data */ 489 if (ret > PAGE_SIZE - 1) 490 ret = PAGE_SIZE - 1; 491 tmpbuf[ret] = 0; 492 ret++; 493 494 /* consider returning the data */ 495 if (buffer && buflen > 0) { 496 if (buflen > ret) 497 buflen = ret; 498 499 if (copy_to_user(buffer, tmpbuf, buflen) != 0) 500 ret = -EFAULT; 501 } 502 503 kfree(tmpbuf); 504 error2: 505 key_ref_put(key_ref); 506 error: 507 return ret; 508 509 } /* end keyctl_describe_key() */ 510 511 /*****************************************************************************/ 512 /* 513 * search the specified keyring for a matching key 514 * - the start keyring must be searchable 515 * - nested keyrings may also be searched if they are searchable 516 * - only keys with search permission may be found 517 * - if a key is found, it will be attached to the destination keyring if 518 * there's one specified 519 * - implements keyctl(KEYCTL_SEARCH) 520 */ 521 long keyctl_keyring_search(key_serial_t ringid, 522 const char __user *_type, 523 const char __user *_description, 524 key_serial_t destringid) 525 { 526 struct key_type *ktype; 527 key_ref_t keyring_ref, key_ref, dest_ref; 528 char type[32], *description; 529 long ret; 530 531 /* pull the type and description into kernel space */ 532 ret = key_get_type_from_user(type, _type, sizeof(type)); 533 if (ret < 0) 534 goto error; 535 536 description = strndup_user(_description, PAGE_SIZE); 537 if (IS_ERR(description)) { 538 ret = PTR_ERR(description); 539 goto error; 540 } 541 542 /* get the keyring at which to begin the search */ 543 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); 544 if (IS_ERR(keyring_ref)) { 545 ret = PTR_ERR(keyring_ref); 546 goto error2; 547 } 548 549 /* get the destination keyring if specified */ 550 dest_ref = NULL; 551 if (destringid) { 552 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 553 if (IS_ERR(dest_ref)) { 554 ret = PTR_ERR(dest_ref); 555 goto error3; 556 } 557 } 558 559 /* find the key type */ 560 ktype = key_type_lookup(type); 561 if (IS_ERR(ktype)) { 562 ret = PTR_ERR(ktype); 563 goto error4; 564 } 565 566 /* do the search */ 567 key_ref = keyring_search(keyring_ref, ktype, description); 568 if (IS_ERR(key_ref)) { 569 ret = PTR_ERR(key_ref); 570 571 /* treat lack or presence of a negative key the same */ 572 if (ret == -EAGAIN) 573 ret = -ENOKEY; 574 goto error5; 575 } 576 577 /* link the resulting key to the destination keyring if we can */ 578 if (dest_ref) { 579 ret = key_permission(key_ref, KEY_LINK); 580 if (ret < 0) 581 goto error6; 582 583 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 584 if (ret < 0) 585 goto error6; 586 } 587 588 ret = key_ref_to_ptr(key_ref)->serial; 589 590 error6: 591 key_ref_put(key_ref); 592 error5: 593 key_type_put(ktype); 594 error4: 595 key_ref_put(dest_ref); 596 error3: 597 key_ref_put(keyring_ref); 598 error2: 599 kfree(description); 600 error: 601 return ret; 602 603 } /* end keyctl_keyring_search() */ 604 605 /*****************************************************************************/ 606 /* 607 * read a user key's payload 608 * - the keyring must be readable or the key must be searchable from the 609 * process's keyrings 610 * - if there's a buffer, we place up to buflen bytes of data into it 611 * - unless there's an error, we return the amount of data in the key, 612 * irrespective of how much we may have copied 613 * - implements keyctl(KEYCTL_READ) 614 */ 615 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 616 { 617 struct key *key; 618 key_ref_t key_ref; 619 long ret; 620 621 /* find the key first */ 622 key_ref = lookup_user_key(NULL, keyid, 0, 0, 0); 623 if (IS_ERR(key_ref)) { 624 ret = -ENOKEY; 625 goto error; 626 } 627 628 key = key_ref_to_ptr(key_ref); 629 630 /* see if we can read it directly */ 631 ret = key_permission(key_ref, KEY_READ); 632 if (ret == 0) 633 goto can_read_key; 634 if (ret != -EACCES) 635 goto error; 636 637 /* we can't; see if it's searchable from this process's keyrings 638 * - we automatically take account of the fact that it may be 639 * dangling off an instantiation key 640 */ 641 if (!is_key_possessed(key_ref)) { 642 ret = -EACCES; 643 goto error2; 644 } 645 646 /* the key is probably readable - now try to read it */ 647 can_read_key: 648 ret = key_validate(key); 649 if (ret == 0) { 650 ret = -EOPNOTSUPP; 651 if (key->type->read) { 652 /* read the data with the semaphore held (since we 653 * might sleep) */ 654 down_read(&key->sem); 655 ret = key->type->read(key, buffer, buflen); 656 up_read(&key->sem); 657 } 658 } 659 660 error2: 661 key_put(key); 662 error: 663 return ret; 664 665 } /* end keyctl_read_key() */ 666 667 /*****************************************************************************/ 668 /* 669 * change the ownership of a key 670 * - the keyring owned by the changer 671 * - if the uid or gid is -1, then that parameter is not changed 672 * - implements keyctl(KEYCTL_CHOWN) 673 */ 674 long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 675 { 676 struct key_user *newowner, *zapowner = NULL; 677 struct key *key; 678 key_ref_t key_ref; 679 long ret; 680 681 ret = 0; 682 if (uid == (uid_t) -1 && gid == (gid_t) -1) 683 goto error; 684 685 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 686 if (IS_ERR(key_ref)) { 687 ret = PTR_ERR(key_ref); 688 goto error; 689 } 690 691 key = key_ref_to_ptr(key_ref); 692 693 /* make the changes with the locks held to prevent chown/chown races */ 694 ret = -EACCES; 695 down_write(&key->sem); 696 697 if (!capable(CAP_SYS_ADMIN)) { 698 /* only the sysadmin can chown a key to some other UID */ 699 if (uid != (uid_t) -1 && key->uid != uid) 700 goto error_put; 701 702 /* only the sysadmin can set the key's GID to a group other 703 * than one of those that the current process subscribes to */ 704 if (gid != (gid_t) -1 && gid != key->gid && !in_group_p(gid)) 705 goto error_put; 706 } 707 708 /* change the UID */ 709 if (uid != (uid_t) -1 && uid != key->uid) { 710 ret = -ENOMEM; 711 newowner = key_user_lookup(uid); 712 if (!newowner) 713 goto error_put; 714 715 /* transfer the quota burden to the new user */ 716 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 717 spin_lock(&newowner->lock); 718 if (newowner->qnkeys + 1 >= KEYQUOTA_MAX_KEYS || 719 newowner->qnbytes + key->quotalen >= 720 KEYQUOTA_MAX_BYTES) 721 goto quota_overrun; 722 723 newowner->qnkeys++; 724 newowner->qnbytes += key->quotalen; 725 spin_unlock(&newowner->lock); 726 727 spin_lock(&key->user->lock); 728 key->user->qnkeys--; 729 key->user->qnbytes -= key->quotalen; 730 spin_unlock(&key->user->lock); 731 } 732 733 atomic_dec(&key->user->nkeys); 734 atomic_inc(&newowner->nkeys); 735 736 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 737 atomic_dec(&key->user->nikeys); 738 atomic_inc(&newowner->nikeys); 739 } 740 741 zapowner = key->user; 742 key->user = newowner; 743 key->uid = uid; 744 } 745 746 /* change the GID */ 747 if (gid != (gid_t) -1) 748 key->gid = gid; 749 750 ret = 0; 751 752 error_put: 753 up_write(&key->sem); 754 key_put(key); 755 if (zapowner) 756 key_user_put(zapowner); 757 error: 758 return ret; 759 760 quota_overrun: 761 spin_unlock(&newowner->lock); 762 zapowner = newowner; 763 ret = -EDQUOT; 764 goto error_put; 765 766 } /* end keyctl_chown_key() */ 767 768 /*****************************************************************************/ 769 /* 770 * change the permission mask on a key 771 * - the keyring owned by the changer 772 * - implements keyctl(KEYCTL_SETPERM) 773 */ 774 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 775 { 776 struct key *key; 777 key_ref_t key_ref; 778 long ret; 779 780 ret = -EINVAL; 781 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 782 goto error; 783 784 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 785 if (IS_ERR(key_ref)) { 786 ret = PTR_ERR(key_ref); 787 goto error; 788 } 789 790 key = key_ref_to_ptr(key_ref); 791 792 /* make the changes with the locks held to prevent chown/chmod races */ 793 ret = -EACCES; 794 down_write(&key->sem); 795 796 /* if we're not the sysadmin, we can only change a key that we own */ 797 if (capable(CAP_SYS_ADMIN) || key->uid == current->fsuid) { 798 key->perm = perm; 799 ret = 0; 800 } 801 802 up_write(&key->sem); 803 key_put(key); 804 error: 805 return ret; 806 807 } /* end keyctl_setperm_key() */ 808 809 /*****************************************************************************/ 810 /* 811 * instantiate the key with the specified payload, and, if one is given, link 812 * the key into the keyring 813 */ 814 long keyctl_instantiate_key(key_serial_t id, 815 const void __user *_payload, 816 size_t plen, 817 key_serial_t ringid) 818 { 819 struct request_key_auth *rka; 820 struct key *instkey; 821 key_ref_t keyring_ref; 822 void *payload; 823 long ret; 824 825 ret = -EINVAL; 826 if (plen > 32767) 827 goto error; 828 829 /* the appropriate instantiation authorisation key must have been 830 * assumed before calling this */ 831 ret = -EPERM; 832 instkey = current->request_key_auth; 833 if (!instkey) 834 goto error; 835 836 rka = instkey->payload.data; 837 if (rka->target_key->serial != id) 838 goto error; 839 840 /* pull the payload in if one was supplied */ 841 payload = NULL; 842 843 if (_payload) { 844 ret = -ENOMEM; 845 payload = kmalloc(plen, GFP_KERNEL); 846 if (!payload) 847 goto error; 848 849 ret = -EFAULT; 850 if (copy_from_user(payload, _payload, plen) != 0) 851 goto error2; 852 } 853 854 /* find the destination keyring amongst those belonging to the 855 * requesting task */ 856 keyring_ref = NULL; 857 if (ringid) { 858 keyring_ref = lookup_user_key(rka->context, ringid, 1, 0, 859 KEY_WRITE); 860 if (IS_ERR(keyring_ref)) { 861 ret = PTR_ERR(keyring_ref); 862 goto error2; 863 } 864 } 865 866 /* instantiate the key and link it into a keyring */ 867 ret = key_instantiate_and_link(rka->target_key, payload, plen, 868 key_ref_to_ptr(keyring_ref), instkey); 869 870 key_ref_put(keyring_ref); 871 872 /* discard the assumed authority if it's just been disabled by 873 * instantiation of the key */ 874 if (ret == 0) { 875 key_put(current->request_key_auth); 876 current->request_key_auth = NULL; 877 } 878 879 error2: 880 kfree(payload); 881 error: 882 return ret; 883 884 } /* end keyctl_instantiate_key() */ 885 886 /*****************************************************************************/ 887 /* 888 * negatively instantiate the key with the given timeout (in seconds), and, if 889 * one is given, link the key into the keyring 890 */ 891 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 892 { 893 struct request_key_auth *rka; 894 struct key *instkey; 895 key_ref_t keyring_ref; 896 long ret; 897 898 /* the appropriate instantiation authorisation key must have been 899 * assumed before calling this */ 900 ret = -EPERM; 901 instkey = current->request_key_auth; 902 if (!instkey) 903 goto error; 904 905 rka = instkey->payload.data; 906 if (rka->target_key->serial != id) 907 goto error; 908 909 /* find the destination keyring if present (which must also be 910 * writable) */ 911 keyring_ref = NULL; 912 if (ringid) { 913 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 914 if (IS_ERR(keyring_ref)) { 915 ret = PTR_ERR(keyring_ref); 916 goto error; 917 } 918 } 919 920 /* instantiate the key and link it into a keyring */ 921 ret = key_negate_and_link(rka->target_key, timeout, 922 key_ref_to_ptr(keyring_ref), instkey); 923 924 key_ref_put(keyring_ref); 925 926 /* discard the assumed authority if it's just been disabled by 927 * instantiation of the key */ 928 if (ret == 0) { 929 key_put(current->request_key_auth); 930 current->request_key_auth = NULL; 931 } 932 933 error: 934 return ret; 935 936 } /* end keyctl_negate_key() */ 937 938 /*****************************************************************************/ 939 /* 940 * set the default keyring in which request_key() will cache keys 941 * - return the old setting 942 */ 943 long keyctl_set_reqkey_keyring(int reqkey_defl) 944 { 945 int ret; 946 947 switch (reqkey_defl) { 948 case KEY_REQKEY_DEFL_THREAD_KEYRING: 949 ret = install_thread_keyring(current); 950 if (ret < 0) 951 return ret; 952 goto set; 953 954 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 955 ret = install_process_keyring(current); 956 if (ret < 0) 957 return ret; 958 959 case KEY_REQKEY_DEFL_DEFAULT: 960 case KEY_REQKEY_DEFL_SESSION_KEYRING: 961 case KEY_REQKEY_DEFL_USER_KEYRING: 962 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 963 set: 964 current->jit_keyring = reqkey_defl; 965 966 case KEY_REQKEY_DEFL_NO_CHANGE: 967 return current->jit_keyring; 968 969 case KEY_REQKEY_DEFL_GROUP_KEYRING: 970 default: 971 return -EINVAL; 972 } 973 974 } /* end keyctl_set_reqkey_keyring() */ 975 976 /*****************************************************************************/ 977 /* 978 * set or clear the timeout for a key 979 */ 980 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 981 { 982 struct timespec now; 983 struct key *key; 984 key_ref_t key_ref; 985 time_t expiry; 986 long ret; 987 988 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 989 if (IS_ERR(key_ref)) { 990 ret = PTR_ERR(key_ref); 991 goto error; 992 } 993 994 key = key_ref_to_ptr(key_ref); 995 996 /* make the changes with the locks held to prevent races */ 997 down_write(&key->sem); 998 999 expiry = 0; 1000 if (timeout > 0) { 1001 now = current_kernel_time(); 1002 expiry = now.tv_sec + timeout; 1003 } 1004 1005 key->expiry = expiry; 1006 1007 up_write(&key->sem); 1008 key_put(key); 1009 1010 ret = 0; 1011 error: 1012 return ret; 1013 1014 } /* end keyctl_set_timeout() */ 1015 1016 /*****************************************************************************/ 1017 /* 1018 * assume the authority to instantiate the specified key 1019 */ 1020 long keyctl_assume_authority(key_serial_t id) 1021 { 1022 struct key *authkey; 1023 long ret; 1024 1025 /* special key IDs aren't permitted */ 1026 ret = -EINVAL; 1027 if (id < 0) 1028 goto error; 1029 1030 /* we divest ourselves of authority if given an ID of 0 */ 1031 if (id == 0) { 1032 key_put(current->request_key_auth); 1033 current->request_key_auth = NULL; 1034 ret = 0; 1035 goto error; 1036 } 1037 1038 /* attempt to assume the authority temporarily granted to us whilst we 1039 * instantiate the specified key 1040 * - the authorisation key must be in the current task's keyrings 1041 * somewhere 1042 */ 1043 authkey = key_get_instantiation_authkey(id); 1044 if (IS_ERR(authkey)) { 1045 ret = PTR_ERR(authkey); 1046 goto error; 1047 } 1048 1049 key_put(current->request_key_auth); 1050 current->request_key_auth = authkey; 1051 ret = authkey->serial; 1052 1053 error: 1054 return ret; 1055 1056 } /* end keyctl_assume_authority() */ 1057 1058 /*****************************************************************************/ 1059 /* 1060 * the key control system call 1061 */ 1062 asmlinkage long sys_keyctl(int option, unsigned long arg2, unsigned long arg3, 1063 unsigned long arg4, unsigned long arg5) 1064 { 1065 switch (option) { 1066 case KEYCTL_GET_KEYRING_ID: 1067 return keyctl_get_keyring_ID((key_serial_t) arg2, 1068 (int) arg3); 1069 1070 case KEYCTL_JOIN_SESSION_KEYRING: 1071 return keyctl_join_session_keyring((const char __user *) arg2); 1072 1073 case KEYCTL_UPDATE: 1074 return keyctl_update_key((key_serial_t) arg2, 1075 (const void __user *) arg3, 1076 (size_t) arg4); 1077 1078 case KEYCTL_REVOKE: 1079 return keyctl_revoke_key((key_serial_t) arg2); 1080 1081 case KEYCTL_DESCRIBE: 1082 return keyctl_describe_key((key_serial_t) arg2, 1083 (char __user *) arg3, 1084 (unsigned) arg4); 1085 1086 case KEYCTL_CLEAR: 1087 return keyctl_keyring_clear((key_serial_t) arg2); 1088 1089 case KEYCTL_LINK: 1090 return keyctl_keyring_link((key_serial_t) arg2, 1091 (key_serial_t) arg3); 1092 1093 case KEYCTL_UNLINK: 1094 return keyctl_keyring_unlink((key_serial_t) arg2, 1095 (key_serial_t) arg3); 1096 1097 case KEYCTL_SEARCH: 1098 return keyctl_keyring_search((key_serial_t) arg2, 1099 (const char __user *) arg3, 1100 (const char __user *) arg4, 1101 (key_serial_t) arg5); 1102 1103 case KEYCTL_READ: 1104 return keyctl_read_key((key_serial_t) arg2, 1105 (char __user *) arg3, 1106 (size_t) arg4); 1107 1108 case KEYCTL_CHOWN: 1109 return keyctl_chown_key((key_serial_t) arg2, 1110 (uid_t) arg3, 1111 (gid_t) arg4); 1112 1113 case KEYCTL_SETPERM: 1114 return keyctl_setperm_key((key_serial_t) arg2, 1115 (key_perm_t) arg3); 1116 1117 case KEYCTL_INSTANTIATE: 1118 return keyctl_instantiate_key((key_serial_t) arg2, 1119 (const void __user *) arg3, 1120 (size_t) arg4, 1121 (key_serial_t) arg5); 1122 1123 case KEYCTL_NEGATE: 1124 return keyctl_negate_key((key_serial_t) arg2, 1125 (unsigned) arg3, 1126 (key_serial_t) arg4); 1127 1128 case KEYCTL_SET_REQKEY_KEYRING: 1129 return keyctl_set_reqkey_keyring(arg2); 1130 1131 case KEYCTL_SET_TIMEOUT: 1132 return keyctl_set_timeout((key_serial_t) arg2, 1133 (unsigned) arg3); 1134 1135 case KEYCTL_ASSUME_AUTHORITY: 1136 return keyctl_assume_authority((key_serial_t) arg2); 1137 1138 default: 1139 return -EOPNOTSUPP; 1140 } 1141 1142 } /* end sys_keyctl() */ 1143