1 /* keyctl.c: userspace keyctl operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/syscalls.h> 17 #include <linux/keyctl.h> 18 #include <linux/fs.h> 19 #include <linux/capability.h> 20 #include <linux/string.h> 21 #include <linux/err.h> 22 #include <linux/vmalloc.h> 23 #include <linux/security.h> 24 #include <asm/uaccess.h> 25 #include "internal.h" 26 27 static int key_get_type_from_user(char *type, 28 const char __user *_type, 29 unsigned len) 30 { 31 int ret; 32 33 ret = strncpy_from_user(type, _type, len); 34 35 if (ret < 0) 36 return -EFAULT; 37 38 if (ret == 0 || ret >= len) 39 return -EINVAL; 40 41 if (type[0] == '.') 42 return -EPERM; 43 44 type[len - 1] = '\0'; 45 46 return 0; 47 } 48 49 /*****************************************************************************/ 50 /* 51 * extract the description of a new key from userspace and either add it as a 52 * new key to the specified keyring or update a matching key in that keyring 53 * - the keyring must be writable 54 * - returns the new key's serial number 55 * - implements add_key() 56 */ 57 SYSCALL_DEFINE5(add_key, const char __user *, _type, 58 const char __user *, _description, 59 const void __user *, _payload, 60 size_t, plen, 61 key_serial_t, ringid) 62 { 63 key_ref_t keyring_ref, key_ref; 64 char type[32], *description; 65 void *payload; 66 long ret; 67 bool vm; 68 69 ret = -EINVAL; 70 if (plen > 1024 * 1024 - 1) 71 goto error; 72 73 /* draw all the data into kernel space */ 74 ret = key_get_type_from_user(type, _type, sizeof(type)); 75 if (ret < 0) 76 goto error; 77 78 description = strndup_user(_description, PAGE_SIZE); 79 if (IS_ERR(description)) { 80 ret = PTR_ERR(description); 81 goto error; 82 } 83 84 /* pull the payload in if one was supplied */ 85 payload = NULL; 86 87 vm = false; 88 if (_payload) { 89 ret = -ENOMEM; 90 payload = kmalloc(plen, GFP_KERNEL); 91 if (!payload) { 92 if (plen <= PAGE_SIZE) 93 goto error2; 94 vm = true; 95 payload = vmalloc(plen); 96 if (!payload) 97 goto error2; 98 } 99 100 ret = -EFAULT; 101 if (copy_from_user(payload, _payload, plen) != 0) 102 goto error3; 103 } 104 105 /* find the target keyring (which must be writable) */ 106 keyring_ref = lookup_user_key(ringid, 1, 0, KEY_WRITE); 107 if (IS_ERR(keyring_ref)) { 108 ret = PTR_ERR(keyring_ref); 109 goto error3; 110 } 111 112 /* create or update the requested key and add it to the target 113 * keyring */ 114 key_ref = key_create_or_update(keyring_ref, type, description, 115 payload, plen, KEY_PERM_UNDEF, 116 KEY_ALLOC_IN_QUOTA); 117 if (!IS_ERR(key_ref)) { 118 ret = key_ref_to_ptr(key_ref)->serial; 119 key_ref_put(key_ref); 120 } 121 else { 122 ret = PTR_ERR(key_ref); 123 } 124 125 key_ref_put(keyring_ref); 126 error3: 127 if (!vm) 128 kfree(payload); 129 else 130 vfree(payload); 131 error2: 132 kfree(description); 133 error: 134 return ret; 135 136 } /* end sys_add_key() */ 137 138 /*****************************************************************************/ 139 /* 140 * search the process keyrings for a matching key 141 * - nested keyrings may also be searched if they have Search permission 142 * - if a key is found, it will be attached to the destination keyring if 143 * there's one specified 144 * - /sbin/request-key will be invoked if _callout_info is non-NULL 145 * - the _callout_info string will be passed to /sbin/request-key 146 * - if the _callout_info string is empty, it will be rendered as "-" 147 * - implements request_key() 148 */ 149 SYSCALL_DEFINE4(request_key, const char __user *, _type, 150 const char __user *, _description, 151 const char __user *, _callout_info, 152 key_serial_t, destringid) 153 { 154 struct key_type *ktype; 155 struct key *key; 156 key_ref_t dest_ref; 157 size_t callout_len; 158 char type[32], *description, *callout_info; 159 long ret; 160 161 /* pull the type into kernel space */ 162 ret = key_get_type_from_user(type, _type, sizeof(type)); 163 if (ret < 0) 164 goto error; 165 166 /* pull the description into kernel space */ 167 description = strndup_user(_description, PAGE_SIZE); 168 if (IS_ERR(description)) { 169 ret = PTR_ERR(description); 170 goto error; 171 } 172 173 /* pull the callout info into kernel space */ 174 callout_info = NULL; 175 callout_len = 0; 176 if (_callout_info) { 177 callout_info = strndup_user(_callout_info, PAGE_SIZE); 178 if (IS_ERR(callout_info)) { 179 ret = PTR_ERR(callout_info); 180 goto error2; 181 } 182 callout_len = strlen(callout_info); 183 } 184 185 /* get the destination keyring if specified */ 186 dest_ref = NULL; 187 if (destringid) { 188 dest_ref = lookup_user_key(destringid, 1, 0, KEY_WRITE); 189 if (IS_ERR(dest_ref)) { 190 ret = PTR_ERR(dest_ref); 191 goto error3; 192 } 193 } 194 195 /* find the key type */ 196 ktype = key_type_lookup(type); 197 if (IS_ERR(ktype)) { 198 ret = PTR_ERR(ktype); 199 goto error4; 200 } 201 202 /* do the search */ 203 key = request_key_and_link(ktype, description, callout_info, 204 callout_len, NULL, key_ref_to_ptr(dest_ref), 205 KEY_ALLOC_IN_QUOTA); 206 if (IS_ERR(key)) { 207 ret = PTR_ERR(key); 208 goto error5; 209 } 210 211 ret = key->serial; 212 213 key_put(key); 214 error5: 215 key_type_put(ktype); 216 error4: 217 key_ref_put(dest_ref); 218 error3: 219 kfree(callout_info); 220 error2: 221 kfree(description); 222 error: 223 return ret; 224 225 } /* end sys_request_key() */ 226 227 /*****************************************************************************/ 228 /* 229 * get the ID of the specified process keyring 230 * - the keyring must have search permission to be found 231 * - implements keyctl(KEYCTL_GET_KEYRING_ID) 232 */ 233 long keyctl_get_keyring_ID(key_serial_t id, int create) 234 { 235 key_ref_t key_ref; 236 long ret; 237 238 key_ref = lookup_user_key(id, create, 0, KEY_SEARCH); 239 if (IS_ERR(key_ref)) { 240 ret = PTR_ERR(key_ref); 241 goto error; 242 } 243 244 ret = key_ref_to_ptr(key_ref)->serial; 245 key_ref_put(key_ref); 246 error: 247 return ret; 248 249 } /* end keyctl_get_keyring_ID() */ 250 251 /*****************************************************************************/ 252 /* 253 * join the session keyring 254 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING) 255 */ 256 long keyctl_join_session_keyring(const char __user *_name) 257 { 258 char *name; 259 long ret; 260 261 /* fetch the name from userspace */ 262 name = NULL; 263 if (_name) { 264 name = strndup_user(_name, PAGE_SIZE); 265 if (IS_ERR(name)) { 266 ret = PTR_ERR(name); 267 goto error; 268 } 269 } 270 271 /* join the session */ 272 ret = join_session_keyring(name); 273 kfree(name); 274 275 error: 276 return ret; 277 278 } /* end keyctl_join_session_keyring() */ 279 280 /*****************************************************************************/ 281 /* 282 * update a key's data payload 283 * - the key must be writable 284 * - implements keyctl(KEYCTL_UPDATE) 285 */ 286 long keyctl_update_key(key_serial_t id, 287 const void __user *_payload, 288 size_t plen) 289 { 290 key_ref_t key_ref; 291 void *payload; 292 long ret; 293 294 ret = -EINVAL; 295 if (plen > PAGE_SIZE) 296 goto error; 297 298 /* pull the payload in if one was supplied */ 299 payload = NULL; 300 if (_payload) { 301 ret = -ENOMEM; 302 payload = kmalloc(plen, GFP_KERNEL); 303 if (!payload) 304 goto error; 305 306 ret = -EFAULT; 307 if (copy_from_user(payload, _payload, plen) != 0) 308 goto error2; 309 } 310 311 /* find the target key (which must be writable) */ 312 key_ref = lookup_user_key(id, 0, 0, KEY_WRITE); 313 if (IS_ERR(key_ref)) { 314 ret = PTR_ERR(key_ref); 315 goto error2; 316 } 317 318 /* update the key */ 319 ret = key_update(key_ref, payload, plen); 320 321 key_ref_put(key_ref); 322 error2: 323 kfree(payload); 324 error: 325 return ret; 326 327 } /* end keyctl_update_key() */ 328 329 /*****************************************************************************/ 330 /* 331 * revoke a key 332 * - the key must be writable 333 * - implements keyctl(KEYCTL_REVOKE) 334 */ 335 long keyctl_revoke_key(key_serial_t id) 336 { 337 key_ref_t key_ref; 338 long ret; 339 340 key_ref = lookup_user_key(id, 0, 0, KEY_WRITE); 341 if (IS_ERR(key_ref)) { 342 ret = PTR_ERR(key_ref); 343 goto error; 344 } 345 346 key_revoke(key_ref_to_ptr(key_ref)); 347 ret = 0; 348 349 key_ref_put(key_ref); 350 error: 351 return ret; 352 353 } /* end keyctl_revoke_key() */ 354 355 /*****************************************************************************/ 356 /* 357 * clear the specified process keyring 358 * - the keyring must be writable 359 * - implements keyctl(KEYCTL_CLEAR) 360 */ 361 long keyctl_keyring_clear(key_serial_t ringid) 362 { 363 key_ref_t keyring_ref; 364 long ret; 365 366 keyring_ref = lookup_user_key(ringid, 1, 0, KEY_WRITE); 367 if (IS_ERR(keyring_ref)) { 368 ret = PTR_ERR(keyring_ref); 369 goto error; 370 } 371 372 ret = keyring_clear(key_ref_to_ptr(keyring_ref)); 373 374 key_ref_put(keyring_ref); 375 error: 376 return ret; 377 378 } /* end keyctl_keyring_clear() */ 379 380 /*****************************************************************************/ 381 /* 382 * link a key into a keyring 383 * - the keyring must be writable 384 * - the key must be linkable 385 * - implements keyctl(KEYCTL_LINK) 386 */ 387 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 388 { 389 key_ref_t keyring_ref, key_ref; 390 long ret; 391 392 keyring_ref = lookup_user_key(ringid, 1, 0, KEY_WRITE); 393 if (IS_ERR(keyring_ref)) { 394 ret = PTR_ERR(keyring_ref); 395 goto error; 396 } 397 398 key_ref = lookup_user_key(id, 1, 0, KEY_LINK); 399 if (IS_ERR(key_ref)) { 400 ret = PTR_ERR(key_ref); 401 goto error2; 402 } 403 404 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 405 406 key_ref_put(key_ref); 407 error2: 408 key_ref_put(keyring_ref); 409 error: 410 return ret; 411 412 } /* end keyctl_keyring_link() */ 413 414 /*****************************************************************************/ 415 /* 416 * unlink the first attachment of a key from a keyring 417 * - the keyring must be writable 418 * - we don't need any permissions on the key 419 * - implements keyctl(KEYCTL_UNLINK) 420 */ 421 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 422 { 423 key_ref_t keyring_ref, key_ref; 424 long ret; 425 426 keyring_ref = lookup_user_key(ringid, 0, 0, KEY_WRITE); 427 if (IS_ERR(keyring_ref)) { 428 ret = PTR_ERR(keyring_ref); 429 goto error; 430 } 431 432 key_ref = lookup_user_key(id, 0, 0, 0); 433 if (IS_ERR(key_ref)) { 434 ret = PTR_ERR(key_ref); 435 goto error2; 436 } 437 438 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 439 440 key_ref_put(key_ref); 441 error2: 442 key_ref_put(keyring_ref); 443 error: 444 return ret; 445 446 } /* end keyctl_keyring_unlink() */ 447 448 /*****************************************************************************/ 449 /* 450 * describe a user key 451 * - the key must have view permission 452 * - if there's a buffer, we place up to buflen bytes of data into it 453 * - unless there's an error, we return the amount of description available, 454 * irrespective of how much we may have copied 455 * - the description is formatted thus: 456 * type;uid;gid;perm;description<NUL> 457 * - implements keyctl(KEYCTL_DESCRIBE) 458 */ 459 long keyctl_describe_key(key_serial_t keyid, 460 char __user *buffer, 461 size_t buflen) 462 { 463 struct key *key, *instkey; 464 key_ref_t key_ref; 465 char *tmpbuf; 466 long ret; 467 468 key_ref = lookup_user_key(keyid, 0, 1, KEY_VIEW); 469 if (IS_ERR(key_ref)) { 470 /* viewing a key under construction is permitted if we have the 471 * authorisation token handy */ 472 if (PTR_ERR(key_ref) == -EACCES) { 473 instkey = key_get_instantiation_authkey(keyid); 474 if (!IS_ERR(instkey)) { 475 key_put(instkey); 476 key_ref = lookup_user_key(keyid, 477 0, 1, 0); 478 if (!IS_ERR(key_ref)) 479 goto okay; 480 } 481 } 482 483 ret = PTR_ERR(key_ref); 484 goto error; 485 } 486 487 okay: 488 /* calculate how much description we're going to return */ 489 ret = -ENOMEM; 490 tmpbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); 491 if (!tmpbuf) 492 goto error2; 493 494 key = key_ref_to_ptr(key_ref); 495 496 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 497 "%s;%d;%d;%08x;%s", 498 key_ref_to_ptr(key_ref)->type->name, 499 key_ref_to_ptr(key_ref)->uid, 500 key_ref_to_ptr(key_ref)->gid, 501 key_ref_to_ptr(key_ref)->perm, 502 key_ref_to_ptr(key_ref)->description ? 503 key_ref_to_ptr(key_ref)->description : "" 504 ); 505 506 /* include a NUL char at the end of the data */ 507 if (ret > PAGE_SIZE - 1) 508 ret = PAGE_SIZE - 1; 509 tmpbuf[ret] = 0; 510 ret++; 511 512 /* consider returning the data */ 513 if (buffer && buflen > 0) { 514 if (buflen > ret) 515 buflen = ret; 516 517 if (copy_to_user(buffer, tmpbuf, buflen) != 0) 518 ret = -EFAULT; 519 } 520 521 kfree(tmpbuf); 522 error2: 523 key_ref_put(key_ref); 524 error: 525 return ret; 526 527 } /* end keyctl_describe_key() */ 528 529 /*****************************************************************************/ 530 /* 531 * search the specified keyring for a matching key 532 * - the start keyring must be searchable 533 * - nested keyrings may also be searched if they are searchable 534 * - only keys with search permission may be found 535 * - if a key is found, it will be attached to the destination keyring if 536 * there's one specified 537 * - implements keyctl(KEYCTL_SEARCH) 538 */ 539 long keyctl_keyring_search(key_serial_t ringid, 540 const char __user *_type, 541 const char __user *_description, 542 key_serial_t destringid) 543 { 544 struct key_type *ktype; 545 key_ref_t keyring_ref, key_ref, dest_ref; 546 char type[32], *description; 547 long ret; 548 549 /* pull the type and description into kernel space */ 550 ret = key_get_type_from_user(type, _type, sizeof(type)); 551 if (ret < 0) 552 goto error; 553 554 description = strndup_user(_description, PAGE_SIZE); 555 if (IS_ERR(description)) { 556 ret = PTR_ERR(description); 557 goto error; 558 } 559 560 /* get the keyring at which to begin the search */ 561 keyring_ref = lookup_user_key(ringid, 0, 0, KEY_SEARCH); 562 if (IS_ERR(keyring_ref)) { 563 ret = PTR_ERR(keyring_ref); 564 goto error2; 565 } 566 567 /* get the destination keyring if specified */ 568 dest_ref = NULL; 569 if (destringid) { 570 dest_ref = lookup_user_key(destringid, 1, 0, KEY_WRITE); 571 if (IS_ERR(dest_ref)) { 572 ret = PTR_ERR(dest_ref); 573 goto error3; 574 } 575 } 576 577 /* find the key type */ 578 ktype = key_type_lookup(type); 579 if (IS_ERR(ktype)) { 580 ret = PTR_ERR(ktype); 581 goto error4; 582 } 583 584 /* do the search */ 585 key_ref = keyring_search(keyring_ref, ktype, description); 586 if (IS_ERR(key_ref)) { 587 ret = PTR_ERR(key_ref); 588 589 /* treat lack or presence of a negative key the same */ 590 if (ret == -EAGAIN) 591 ret = -ENOKEY; 592 goto error5; 593 } 594 595 /* link the resulting key to the destination keyring if we can */ 596 if (dest_ref) { 597 ret = key_permission(key_ref, KEY_LINK); 598 if (ret < 0) 599 goto error6; 600 601 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 602 if (ret < 0) 603 goto error6; 604 } 605 606 ret = key_ref_to_ptr(key_ref)->serial; 607 608 error6: 609 key_ref_put(key_ref); 610 error5: 611 key_type_put(ktype); 612 error4: 613 key_ref_put(dest_ref); 614 error3: 615 key_ref_put(keyring_ref); 616 error2: 617 kfree(description); 618 error: 619 return ret; 620 621 } /* end keyctl_keyring_search() */ 622 623 /*****************************************************************************/ 624 /* 625 * read a user key's payload 626 * - the keyring must be readable or the key must be searchable from the 627 * process's keyrings 628 * - if there's a buffer, we place up to buflen bytes of data into it 629 * - unless there's an error, we return the amount of data in the key, 630 * irrespective of how much we may have copied 631 * - implements keyctl(KEYCTL_READ) 632 */ 633 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 634 { 635 struct key *key; 636 key_ref_t key_ref; 637 long ret; 638 639 /* find the key first */ 640 key_ref = lookup_user_key(keyid, 0, 0, 0); 641 if (IS_ERR(key_ref)) { 642 ret = -ENOKEY; 643 goto error; 644 } 645 646 key = key_ref_to_ptr(key_ref); 647 648 /* see if we can read it directly */ 649 ret = key_permission(key_ref, KEY_READ); 650 if (ret == 0) 651 goto can_read_key; 652 if (ret != -EACCES) 653 goto error; 654 655 /* we can't; see if it's searchable from this process's keyrings 656 * - we automatically take account of the fact that it may be 657 * dangling off an instantiation key 658 */ 659 if (!is_key_possessed(key_ref)) { 660 ret = -EACCES; 661 goto error2; 662 } 663 664 /* the key is probably readable - now try to read it */ 665 can_read_key: 666 ret = key_validate(key); 667 if (ret == 0) { 668 ret = -EOPNOTSUPP; 669 if (key->type->read) { 670 /* read the data with the semaphore held (since we 671 * might sleep) */ 672 down_read(&key->sem); 673 ret = key->type->read(key, buffer, buflen); 674 up_read(&key->sem); 675 } 676 } 677 678 error2: 679 key_put(key); 680 error: 681 return ret; 682 683 } /* end keyctl_read_key() */ 684 685 /*****************************************************************************/ 686 /* 687 * change the ownership of a key 688 * - the keyring owned by the changer 689 * - if the uid or gid is -1, then that parameter is not changed 690 * - implements keyctl(KEYCTL_CHOWN) 691 */ 692 long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 693 { 694 struct key_user *newowner, *zapowner = NULL; 695 struct key *key; 696 key_ref_t key_ref; 697 long ret; 698 699 ret = 0; 700 if (uid == (uid_t) -1 && gid == (gid_t) -1) 701 goto error; 702 703 key_ref = lookup_user_key(id, 1, 1, KEY_SETATTR); 704 if (IS_ERR(key_ref)) { 705 ret = PTR_ERR(key_ref); 706 goto error; 707 } 708 709 key = key_ref_to_ptr(key_ref); 710 711 /* make the changes with the locks held to prevent chown/chown races */ 712 ret = -EACCES; 713 down_write(&key->sem); 714 715 if (!capable(CAP_SYS_ADMIN)) { 716 /* only the sysadmin can chown a key to some other UID */ 717 if (uid != (uid_t) -1 && key->uid != uid) 718 goto error_put; 719 720 /* only the sysadmin can set the key's GID to a group other 721 * than one of those that the current process subscribes to */ 722 if (gid != (gid_t) -1 && gid != key->gid && !in_group_p(gid)) 723 goto error_put; 724 } 725 726 /* change the UID */ 727 if (uid != (uid_t) -1 && uid != key->uid) { 728 ret = -ENOMEM; 729 newowner = key_user_lookup(uid, current_user_ns()); 730 if (!newowner) 731 goto error_put; 732 733 /* transfer the quota burden to the new user */ 734 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 735 unsigned maxkeys = (uid == 0) ? 736 key_quota_root_maxkeys : key_quota_maxkeys; 737 unsigned maxbytes = (uid == 0) ? 738 key_quota_root_maxbytes : key_quota_maxbytes; 739 740 spin_lock(&newowner->lock); 741 if (newowner->qnkeys + 1 >= maxkeys || 742 newowner->qnbytes + key->quotalen >= maxbytes || 743 newowner->qnbytes + key->quotalen < 744 newowner->qnbytes) 745 goto quota_overrun; 746 747 newowner->qnkeys++; 748 newowner->qnbytes += key->quotalen; 749 spin_unlock(&newowner->lock); 750 751 spin_lock(&key->user->lock); 752 key->user->qnkeys--; 753 key->user->qnbytes -= key->quotalen; 754 spin_unlock(&key->user->lock); 755 } 756 757 atomic_dec(&key->user->nkeys); 758 atomic_inc(&newowner->nkeys); 759 760 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 761 atomic_dec(&key->user->nikeys); 762 atomic_inc(&newowner->nikeys); 763 } 764 765 zapowner = key->user; 766 key->user = newowner; 767 key->uid = uid; 768 } 769 770 /* change the GID */ 771 if (gid != (gid_t) -1) 772 key->gid = gid; 773 774 ret = 0; 775 776 error_put: 777 up_write(&key->sem); 778 key_put(key); 779 if (zapowner) 780 key_user_put(zapowner); 781 error: 782 return ret; 783 784 quota_overrun: 785 spin_unlock(&newowner->lock); 786 zapowner = newowner; 787 ret = -EDQUOT; 788 goto error_put; 789 790 } /* end keyctl_chown_key() */ 791 792 /*****************************************************************************/ 793 /* 794 * change the permission mask on a key 795 * - the keyring owned by the changer 796 * - implements keyctl(KEYCTL_SETPERM) 797 */ 798 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 799 { 800 struct key *key; 801 key_ref_t key_ref; 802 long ret; 803 804 ret = -EINVAL; 805 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 806 goto error; 807 808 key_ref = lookup_user_key(id, 1, 1, KEY_SETATTR); 809 if (IS_ERR(key_ref)) { 810 ret = PTR_ERR(key_ref); 811 goto error; 812 } 813 814 key = key_ref_to_ptr(key_ref); 815 816 /* make the changes with the locks held to prevent chown/chmod races */ 817 ret = -EACCES; 818 down_write(&key->sem); 819 820 /* if we're not the sysadmin, we can only change a key that we own */ 821 if (capable(CAP_SYS_ADMIN) || key->uid == current_fsuid()) { 822 key->perm = perm; 823 ret = 0; 824 } 825 826 up_write(&key->sem); 827 key_put(key); 828 error: 829 return ret; 830 831 } /* end keyctl_setperm_key() */ 832 833 /* 834 * get the destination keyring for instantiation 835 */ 836 static long get_instantiation_keyring(key_serial_t ringid, 837 struct request_key_auth *rka, 838 struct key **_dest_keyring) 839 { 840 key_ref_t dkref; 841 842 *_dest_keyring = NULL; 843 844 /* just return a NULL pointer if we weren't asked to make a link */ 845 if (ringid == 0) 846 return 0; 847 848 /* if a specific keyring is nominated by ID, then use that */ 849 if (ringid > 0) { 850 dkref = lookup_user_key(ringid, 1, 0, KEY_WRITE); 851 if (IS_ERR(dkref)) 852 return PTR_ERR(dkref); 853 *_dest_keyring = key_ref_to_ptr(dkref); 854 return 0; 855 } 856 857 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 858 return -EINVAL; 859 860 /* otherwise specify the destination keyring recorded in the 861 * authorisation key (any KEY_SPEC_*_KEYRING) */ 862 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 863 *_dest_keyring = rka->dest_keyring; 864 return 0; 865 } 866 867 return -ENOKEY; 868 } 869 870 /* 871 * change the request_key authorisation key on the current process 872 */ 873 static int keyctl_change_reqkey_auth(struct key *key) 874 { 875 struct cred *new; 876 877 new = prepare_creds(); 878 if (!new) 879 return -ENOMEM; 880 881 key_put(new->request_key_auth); 882 new->request_key_auth = key_get(key); 883 884 return commit_creds(new); 885 } 886 887 /*****************************************************************************/ 888 /* 889 * instantiate the key with the specified payload, and, if one is given, link 890 * the key into the keyring 891 */ 892 long keyctl_instantiate_key(key_serial_t id, 893 const void __user *_payload, 894 size_t plen, 895 key_serial_t ringid) 896 { 897 const struct cred *cred = current_cred(); 898 struct request_key_auth *rka; 899 struct key *instkey, *dest_keyring; 900 void *payload; 901 long ret; 902 bool vm = false; 903 904 kenter("%d,,%zu,%d", id, plen, ringid); 905 906 ret = -EINVAL; 907 if (plen > 1024 * 1024 - 1) 908 goto error; 909 910 /* the appropriate instantiation authorisation key must have been 911 * assumed before calling this */ 912 ret = -EPERM; 913 instkey = cred->request_key_auth; 914 if (!instkey) 915 goto error; 916 917 rka = instkey->payload.data; 918 if (rka->target_key->serial != id) 919 goto error; 920 921 /* pull the payload in if one was supplied */ 922 payload = NULL; 923 924 if (_payload) { 925 ret = -ENOMEM; 926 payload = kmalloc(plen, GFP_KERNEL); 927 if (!payload) { 928 if (plen <= PAGE_SIZE) 929 goto error; 930 vm = true; 931 payload = vmalloc(plen); 932 if (!payload) 933 goto error; 934 } 935 936 ret = -EFAULT; 937 if (copy_from_user(payload, _payload, plen) != 0) 938 goto error2; 939 } 940 941 /* find the destination keyring amongst those belonging to the 942 * requesting task */ 943 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 944 if (ret < 0) 945 goto error2; 946 947 /* instantiate the key and link it into a keyring */ 948 ret = key_instantiate_and_link(rka->target_key, payload, plen, 949 dest_keyring, instkey); 950 951 key_put(dest_keyring); 952 953 /* discard the assumed authority if it's just been disabled by 954 * instantiation of the key */ 955 if (ret == 0) 956 keyctl_change_reqkey_auth(NULL); 957 958 error2: 959 if (!vm) 960 kfree(payload); 961 else 962 vfree(payload); 963 error: 964 return ret; 965 966 } /* end keyctl_instantiate_key() */ 967 968 /*****************************************************************************/ 969 /* 970 * negatively instantiate the key with the given timeout (in seconds), and, if 971 * one is given, link the key into the keyring 972 */ 973 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 974 { 975 const struct cred *cred = current_cred(); 976 struct request_key_auth *rka; 977 struct key *instkey, *dest_keyring; 978 long ret; 979 980 kenter("%d,%u,%d", id, timeout, ringid); 981 982 /* the appropriate instantiation authorisation key must have been 983 * assumed before calling this */ 984 ret = -EPERM; 985 instkey = cred->request_key_auth; 986 if (!instkey) 987 goto error; 988 989 rka = instkey->payload.data; 990 if (rka->target_key->serial != id) 991 goto error; 992 993 /* find the destination keyring if present (which must also be 994 * writable) */ 995 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 996 if (ret < 0) 997 goto error; 998 999 /* instantiate the key and link it into a keyring */ 1000 ret = key_negate_and_link(rka->target_key, timeout, 1001 dest_keyring, instkey); 1002 1003 key_put(dest_keyring); 1004 1005 /* discard the assumed authority if it's just been disabled by 1006 * instantiation of the key */ 1007 if (ret == 0) 1008 keyctl_change_reqkey_auth(NULL); 1009 1010 error: 1011 return ret; 1012 1013 } /* end keyctl_negate_key() */ 1014 1015 /*****************************************************************************/ 1016 /* 1017 * set the default keyring in which request_key() will cache keys 1018 * - return the old setting 1019 */ 1020 long keyctl_set_reqkey_keyring(int reqkey_defl) 1021 { 1022 struct cred *new; 1023 int ret, old_setting; 1024 1025 old_setting = current_cred_xxx(jit_keyring); 1026 1027 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1028 return old_setting; 1029 1030 new = prepare_creds(); 1031 if (!new) 1032 return -ENOMEM; 1033 1034 switch (reqkey_defl) { 1035 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1036 ret = install_thread_keyring_to_cred(new); 1037 if (ret < 0) 1038 goto error; 1039 goto set; 1040 1041 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1042 ret = install_process_keyring_to_cred(new); 1043 if (ret < 0) { 1044 if (ret != -EEXIST) 1045 goto error; 1046 ret = 0; 1047 } 1048 goto set; 1049 1050 case KEY_REQKEY_DEFL_DEFAULT: 1051 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1052 case KEY_REQKEY_DEFL_USER_KEYRING: 1053 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1054 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1055 goto set; 1056 1057 case KEY_REQKEY_DEFL_NO_CHANGE: 1058 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1059 default: 1060 ret = -EINVAL; 1061 goto error; 1062 } 1063 1064 set: 1065 new->jit_keyring = reqkey_defl; 1066 commit_creds(new); 1067 return old_setting; 1068 error: 1069 abort_creds(new); 1070 return -EINVAL; 1071 1072 } /* end keyctl_set_reqkey_keyring() */ 1073 1074 /*****************************************************************************/ 1075 /* 1076 * set or clear the timeout for a key 1077 */ 1078 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1079 { 1080 struct timespec now; 1081 struct key *key; 1082 key_ref_t key_ref; 1083 time_t expiry; 1084 long ret; 1085 1086 key_ref = lookup_user_key(id, 1, 1, KEY_SETATTR); 1087 if (IS_ERR(key_ref)) { 1088 ret = PTR_ERR(key_ref); 1089 goto error; 1090 } 1091 1092 key = key_ref_to_ptr(key_ref); 1093 1094 /* make the changes with the locks held to prevent races */ 1095 down_write(&key->sem); 1096 1097 expiry = 0; 1098 if (timeout > 0) { 1099 now = current_kernel_time(); 1100 expiry = now.tv_sec + timeout; 1101 } 1102 1103 key->expiry = expiry; 1104 1105 up_write(&key->sem); 1106 key_put(key); 1107 1108 ret = 0; 1109 error: 1110 return ret; 1111 1112 } /* end keyctl_set_timeout() */ 1113 1114 /*****************************************************************************/ 1115 /* 1116 * assume the authority to instantiate the specified key 1117 */ 1118 long keyctl_assume_authority(key_serial_t id) 1119 { 1120 struct key *authkey; 1121 long ret; 1122 1123 /* special key IDs aren't permitted */ 1124 ret = -EINVAL; 1125 if (id < 0) 1126 goto error; 1127 1128 /* we divest ourselves of authority if given an ID of 0 */ 1129 if (id == 0) { 1130 ret = keyctl_change_reqkey_auth(NULL); 1131 goto error; 1132 } 1133 1134 /* attempt to assume the authority temporarily granted to us whilst we 1135 * instantiate the specified key 1136 * - the authorisation key must be in the current task's keyrings 1137 * somewhere 1138 */ 1139 authkey = key_get_instantiation_authkey(id); 1140 if (IS_ERR(authkey)) { 1141 ret = PTR_ERR(authkey); 1142 goto error; 1143 } 1144 1145 ret = keyctl_change_reqkey_auth(authkey); 1146 if (ret < 0) 1147 goto error; 1148 key_put(authkey); 1149 1150 ret = authkey->serial; 1151 error: 1152 return ret; 1153 1154 } /* end keyctl_assume_authority() */ 1155 1156 /* 1157 * get the security label of a key 1158 * - the key must grant us view permission 1159 * - if there's a buffer, we place up to buflen bytes of data into it 1160 * - unless there's an error, we return the amount of information available, 1161 * irrespective of how much we may have copied (including the terminal NUL) 1162 * - implements keyctl(KEYCTL_GET_SECURITY) 1163 */ 1164 long keyctl_get_security(key_serial_t keyid, 1165 char __user *buffer, 1166 size_t buflen) 1167 { 1168 struct key *key, *instkey; 1169 key_ref_t key_ref; 1170 char *context; 1171 long ret; 1172 1173 key_ref = lookup_user_key(keyid, 0, 1, KEY_VIEW); 1174 if (IS_ERR(key_ref)) { 1175 if (PTR_ERR(key_ref) != -EACCES) 1176 return PTR_ERR(key_ref); 1177 1178 /* viewing a key under construction is also permitted if we 1179 * have the authorisation token handy */ 1180 instkey = key_get_instantiation_authkey(keyid); 1181 if (IS_ERR(instkey)) 1182 return PTR_ERR(key_ref); 1183 key_put(instkey); 1184 1185 key_ref = lookup_user_key(keyid, 0, 1, 0); 1186 if (IS_ERR(key_ref)) 1187 return PTR_ERR(key_ref); 1188 } 1189 1190 key = key_ref_to_ptr(key_ref); 1191 ret = security_key_getsecurity(key, &context); 1192 if (ret == 0) { 1193 /* if no information was returned, give userspace an empty 1194 * string */ 1195 ret = 1; 1196 if (buffer && buflen > 0 && 1197 copy_to_user(buffer, "", 1) != 0) 1198 ret = -EFAULT; 1199 } else if (ret > 0) { 1200 /* return as much data as there's room for */ 1201 if (buffer && buflen > 0) { 1202 if (buflen > ret) 1203 buflen = ret; 1204 1205 if (copy_to_user(buffer, context, buflen) != 0) 1206 ret = -EFAULT; 1207 } 1208 1209 kfree(context); 1210 } 1211 1212 key_ref_put(key_ref); 1213 return ret; 1214 } 1215 1216 /*****************************************************************************/ 1217 /* 1218 * the key control system call 1219 */ 1220 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1221 unsigned long, arg4, unsigned long, arg5) 1222 { 1223 switch (option) { 1224 case KEYCTL_GET_KEYRING_ID: 1225 return keyctl_get_keyring_ID((key_serial_t) arg2, 1226 (int) arg3); 1227 1228 case KEYCTL_JOIN_SESSION_KEYRING: 1229 return keyctl_join_session_keyring((const char __user *) arg2); 1230 1231 case KEYCTL_UPDATE: 1232 return keyctl_update_key((key_serial_t) arg2, 1233 (const void __user *) arg3, 1234 (size_t) arg4); 1235 1236 case KEYCTL_REVOKE: 1237 return keyctl_revoke_key((key_serial_t) arg2); 1238 1239 case KEYCTL_DESCRIBE: 1240 return keyctl_describe_key((key_serial_t) arg2, 1241 (char __user *) arg3, 1242 (unsigned) arg4); 1243 1244 case KEYCTL_CLEAR: 1245 return keyctl_keyring_clear((key_serial_t) arg2); 1246 1247 case KEYCTL_LINK: 1248 return keyctl_keyring_link((key_serial_t) arg2, 1249 (key_serial_t) arg3); 1250 1251 case KEYCTL_UNLINK: 1252 return keyctl_keyring_unlink((key_serial_t) arg2, 1253 (key_serial_t) arg3); 1254 1255 case KEYCTL_SEARCH: 1256 return keyctl_keyring_search((key_serial_t) arg2, 1257 (const char __user *) arg3, 1258 (const char __user *) arg4, 1259 (key_serial_t) arg5); 1260 1261 case KEYCTL_READ: 1262 return keyctl_read_key((key_serial_t) arg2, 1263 (char __user *) arg3, 1264 (size_t) arg4); 1265 1266 case KEYCTL_CHOWN: 1267 return keyctl_chown_key((key_serial_t) arg2, 1268 (uid_t) arg3, 1269 (gid_t) arg4); 1270 1271 case KEYCTL_SETPERM: 1272 return keyctl_setperm_key((key_serial_t) arg2, 1273 (key_perm_t) arg3); 1274 1275 case KEYCTL_INSTANTIATE: 1276 return keyctl_instantiate_key((key_serial_t) arg2, 1277 (const void __user *) arg3, 1278 (size_t) arg4, 1279 (key_serial_t) arg5); 1280 1281 case KEYCTL_NEGATE: 1282 return keyctl_negate_key((key_serial_t) arg2, 1283 (unsigned) arg3, 1284 (key_serial_t) arg4); 1285 1286 case KEYCTL_SET_REQKEY_KEYRING: 1287 return keyctl_set_reqkey_keyring(arg2); 1288 1289 case KEYCTL_SET_TIMEOUT: 1290 return keyctl_set_timeout((key_serial_t) arg2, 1291 (unsigned) arg3); 1292 1293 case KEYCTL_ASSUME_AUTHORITY: 1294 return keyctl_assume_authority((key_serial_t) arg2); 1295 1296 case KEYCTL_GET_SECURITY: 1297 return keyctl_get_security((key_serial_t) arg2, 1298 (char __user *) arg3, 1299 (size_t) arg4); 1300 1301 default: 1302 return -EOPNOTSUPP; 1303 } 1304 1305 } /* end sys_keyctl() */ 1306