1 /* keyctl.c: userspace keyctl operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/syscalls.h> 17 #include <linux/keyctl.h> 18 #include <linux/fs.h> 19 #include <linux/err.h> 20 #include <asm/uaccess.h> 21 #include "internal.h" 22 23 /*****************************************************************************/ 24 /* 25 * extract the description of a new key from userspace and either add it as a 26 * new key to the specified keyring or update a matching key in that keyring 27 * - the keyring must be writable 28 * - returns the new key's serial number 29 * - implements add_key() 30 */ 31 asmlinkage long sys_add_key(const char __user *_type, 32 const char __user *_description, 33 const void __user *_payload, 34 size_t plen, 35 key_serial_t ringid) 36 { 37 key_ref_t keyring_ref, key_ref; 38 char type[32], *description; 39 void *payload; 40 long dlen, ret; 41 42 ret = -EINVAL; 43 if (plen > 32767) 44 goto error; 45 46 /* draw all the data into kernel space */ 47 ret = strncpy_from_user(type, _type, sizeof(type) - 1); 48 if (ret < 0) 49 goto error; 50 type[31] = '\0'; 51 52 ret = -EPERM; 53 if (type[0] == '.') 54 goto error; 55 56 ret = -EFAULT; 57 dlen = strnlen_user(_description, PAGE_SIZE - 1); 58 if (dlen <= 0) 59 goto error; 60 61 ret = -EINVAL; 62 if (dlen > PAGE_SIZE - 1) 63 goto error; 64 65 ret = -ENOMEM; 66 description = kmalloc(dlen + 1, GFP_KERNEL); 67 if (!description) 68 goto error; 69 70 ret = -EFAULT; 71 if (copy_from_user(description, _description, dlen + 1) != 0) 72 goto error2; 73 74 /* pull the payload in if one was supplied */ 75 payload = NULL; 76 77 if (_payload) { 78 ret = -ENOMEM; 79 payload = kmalloc(plen, GFP_KERNEL); 80 if (!payload) 81 goto error2; 82 83 ret = -EFAULT; 84 if (copy_from_user(payload, _payload, plen) != 0) 85 goto error3; 86 } 87 88 /* find the target keyring (which must be writable) */ 89 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 90 if (IS_ERR(keyring_ref)) { 91 ret = PTR_ERR(keyring_ref); 92 goto error3; 93 } 94 95 /* create or update the requested key and add it to the target 96 * keyring */ 97 key_ref = key_create_or_update(keyring_ref, type, description, 98 payload, plen, 0); 99 if (!IS_ERR(key_ref)) { 100 ret = key_ref_to_ptr(key_ref)->serial; 101 key_ref_put(key_ref); 102 } 103 else { 104 ret = PTR_ERR(key_ref); 105 } 106 107 key_ref_put(keyring_ref); 108 error3: 109 kfree(payload); 110 error2: 111 kfree(description); 112 error: 113 return ret; 114 115 } /* end sys_add_key() */ 116 117 /*****************************************************************************/ 118 /* 119 * search the process keyrings for a matching key 120 * - nested keyrings may also be searched if they have Search permission 121 * - if a key is found, it will be attached to the destination keyring if 122 * there's one specified 123 * - /sbin/request-key will be invoked if _callout_info is non-NULL 124 * - the _callout_info string will be passed to /sbin/request-key 125 * - if the _callout_info string is empty, it will be rendered as "-" 126 * - implements request_key() 127 */ 128 asmlinkage long sys_request_key(const char __user *_type, 129 const char __user *_description, 130 const char __user *_callout_info, 131 key_serial_t destringid) 132 { 133 struct key_type *ktype; 134 struct key *key; 135 key_ref_t dest_ref; 136 char type[32], *description, *callout_info; 137 long dlen, ret; 138 139 /* pull the type into kernel space */ 140 ret = strncpy_from_user(type, _type, sizeof(type) - 1); 141 if (ret < 0) 142 goto error; 143 type[31] = '\0'; 144 145 ret = -EPERM; 146 if (type[0] == '.') 147 goto error; 148 149 /* pull the description into kernel space */ 150 ret = -EFAULT; 151 dlen = strnlen_user(_description, PAGE_SIZE - 1); 152 if (dlen <= 0) 153 goto error; 154 155 ret = -EINVAL; 156 if (dlen > PAGE_SIZE - 1) 157 goto error; 158 159 ret = -ENOMEM; 160 description = kmalloc(dlen + 1, GFP_KERNEL); 161 if (!description) 162 goto error; 163 164 ret = -EFAULT; 165 if (copy_from_user(description, _description, dlen + 1) != 0) 166 goto error2; 167 168 /* pull the callout info into kernel space */ 169 callout_info = NULL; 170 if (_callout_info) { 171 ret = -EFAULT; 172 dlen = strnlen_user(_callout_info, PAGE_SIZE - 1); 173 if (dlen <= 0) 174 goto error2; 175 176 ret = -EINVAL; 177 if (dlen > PAGE_SIZE - 1) 178 goto error2; 179 180 ret = -ENOMEM; 181 callout_info = kmalloc(dlen + 1, GFP_KERNEL); 182 if (!callout_info) 183 goto error2; 184 185 ret = -EFAULT; 186 if (copy_from_user(callout_info, _callout_info, dlen + 1) != 0) 187 goto error3; 188 } 189 190 /* get the destination keyring if specified */ 191 dest_ref = NULL; 192 if (destringid) { 193 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 194 if (IS_ERR(dest_ref)) { 195 ret = PTR_ERR(dest_ref); 196 goto error3; 197 } 198 } 199 200 /* find the key type */ 201 ktype = key_type_lookup(type); 202 if (IS_ERR(ktype)) { 203 ret = PTR_ERR(ktype); 204 goto error4; 205 } 206 207 /* do the search */ 208 key = request_key_and_link(ktype, description, callout_info, 209 key_ref_to_ptr(dest_ref)); 210 if (IS_ERR(key)) { 211 ret = PTR_ERR(key); 212 goto error5; 213 } 214 215 ret = key->serial; 216 217 key_put(key); 218 error5: 219 key_type_put(ktype); 220 error4: 221 key_ref_put(dest_ref); 222 error3: 223 kfree(callout_info); 224 error2: 225 kfree(description); 226 error: 227 return ret; 228 229 } /* end sys_request_key() */ 230 231 /*****************************************************************************/ 232 /* 233 * get the ID of the specified process keyring 234 * - the keyring must have search permission to be found 235 * - implements keyctl(KEYCTL_GET_KEYRING_ID) 236 */ 237 long keyctl_get_keyring_ID(key_serial_t id, int create) 238 { 239 key_ref_t key_ref; 240 long ret; 241 242 key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); 243 if (IS_ERR(key_ref)) { 244 ret = PTR_ERR(key_ref); 245 goto error; 246 } 247 248 ret = key_ref_to_ptr(key_ref)->serial; 249 key_ref_put(key_ref); 250 error: 251 return ret; 252 253 } /* end keyctl_get_keyring_ID() */ 254 255 /*****************************************************************************/ 256 /* 257 * join the session keyring 258 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING) 259 */ 260 long keyctl_join_session_keyring(const char __user *_name) 261 { 262 char *name; 263 long nlen, ret; 264 265 /* fetch the name from userspace */ 266 name = NULL; 267 if (_name) { 268 ret = -EFAULT; 269 nlen = strnlen_user(_name, PAGE_SIZE - 1); 270 if (nlen <= 0) 271 goto error; 272 273 ret = -EINVAL; 274 if (nlen > PAGE_SIZE - 1) 275 goto error; 276 277 ret = -ENOMEM; 278 name = kmalloc(nlen + 1, GFP_KERNEL); 279 if (!name) 280 goto error; 281 282 ret = -EFAULT; 283 if (copy_from_user(name, _name, nlen + 1) != 0) 284 goto error2; 285 } 286 287 /* join the session */ 288 ret = join_session_keyring(name); 289 290 error2: 291 kfree(name); 292 error: 293 return ret; 294 295 } /* end keyctl_join_session_keyring() */ 296 297 /*****************************************************************************/ 298 /* 299 * update a key's data payload 300 * - the key must be writable 301 * - implements keyctl(KEYCTL_UPDATE) 302 */ 303 long keyctl_update_key(key_serial_t id, 304 const void __user *_payload, 305 size_t plen) 306 { 307 key_ref_t key_ref; 308 void *payload; 309 long ret; 310 311 ret = -EINVAL; 312 if (plen > PAGE_SIZE) 313 goto error; 314 315 /* pull the payload in if one was supplied */ 316 payload = NULL; 317 if (_payload) { 318 ret = -ENOMEM; 319 payload = kmalloc(plen, GFP_KERNEL); 320 if (!payload) 321 goto error; 322 323 ret = -EFAULT; 324 if (copy_from_user(payload, _payload, plen) != 0) 325 goto error2; 326 } 327 328 /* find the target key (which must be writable) */ 329 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 330 if (IS_ERR(key_ref)) { 331 ret = PTR_ERR(key_ref); 332 goto error2; 333 } 334 335 /* update the key */ 336 ret = key_update(key_ref, payload, plen); 337 338 key_ref_put(key_ref); 339 error2: 340 kfree(payload); 341 error: 342 return ret; 343 344 } /* end keyctl_update_key() */ 345 346 /*****************************************************************************/ 347 /* 348 * revoke a key 349 * - the key must be writable 350 * - implements keyctl(KEYCTL_REVOKE) 351 */ 352 long keyctl_revoke_key(key_serial_t id) 353 { 354 key_ref_t key_ref; 355 long ret; 356 357 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 358 if (IS_ERR(key_ref)) { 359 ret = PTR_ERR(key_ref); 360 goto error; 361 } 362 363 key_revoke(key_ref_to_ptr(key_ref)); 364 ret = 0; 365 366 key_ref_put(key_ref); 367 error: 368 return ret; 369 370 } /* end keyctl_revoke_key() */ 371 372 /*****************************************************************************/ 373 /* 374 * clear the specified process keyring 375 * - the keyring must be writable 376 * - implements keyctl(KEYCTL_CLEAR) 377 */ 378 long keyctl_keyring_clear(key_serial_t ringid) 379 { 380 key_ref_t keyring_ref; 381 long ret; 382 383 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 384 if (IS_ERR(keyring_ref)) { 385 ret = PTR_ERR(keyring_ref); 386 goto error; 387 } 388 389 ret = keyring_clear(key_ref_to_ptr(keyring_ref)); 390 391 key_ref_put(keyring_ref); 392 error: 393 return ret; 394 395 } /* end keyctl_keyring_clear() */ 396 397 /*****************************************************************************/ 398 /* 399 * link a key into a keyring 400 * - the keyring must be writable 401 * - the key must be linkable 402 * - implements keyctl(KEYCTL_LINK) 403 */ 404 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 405 { 406 key_ref_t keyring_ref, key_ref; 407 long ret; 408 409 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 410 if (IS_ERR(keyring_ref)) { 411 ret = PTR_ERR(keyring_ref); 412 goto error; 413 } 414 415 key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK); 416 if (IS_ERR(key_ref)) { 417 ret = PTR_ERR(key_ref); 418 goto error2; 419 } 420 421 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 422 423 key_ref_put(key_ref); 424 error2: 425 key_ref_put(keyring_ref); 426 error: 427 return ret; 428 429 } /* end keyctl_keyring_link() */ 430 431 /*****************************************************************************/ 432 /* 433 * unlink the first attachment of a key from a keyring 434 * - the keyring must be writable 435 * - we don't need any permissions on the key 436 * - implements keyctl(KEYCTL_UNLINK) 437 */ 438 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 439 { 440 key_ref_t keyring_ref, key_ref; 441 long ret; 442 443 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); 444 if (IS_ERR(keyring_ref)) { 445 ret = PTR_ERR(keyring_ref); 446 goto error; 447 } 448 449 key_ref = lookup_user_key(NULL, id, 0, 0, 0); 450 if (IS_ERR(key_ref)) { 451 ret = PTR_ERR(key_ref); 452 goto error2; 453 } 454 455 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 456 457 key_ref_put(key_ref); 458 error2: 459 key_ref_put(keyring_ref); 460 error: 461 return ret; 462 463 } /* end keyctl_keyring_unlink() */ 464 465 /*****************************************************************************/ 466 /* 467 * describe a user key 468 * - the key must have view permission 469 * - if there's a buffer, we place up to buflen bytes of data into it 470 * - unless there's an error, we return the amount of description available, 471 * irrespective of how much we may have copied 472 * - the description is formatted thus: 473 * type;uid;gid;perm;description<NUL> 474 * - implements keyctl(KEYCTL_DESCRIBE) 475 */ 476 long keyctl_describe_key(key_serial_t keyid, 477 char __user *buffer, 478 size_t buflen) 479 { 480 struct key *key, *instkey; 481 key_ref_t key_ref; 482 char *tmpbuf; 483 long ret; 484 485 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 486 if (IS_ERR(key_ref)) { 487 /* viewing a key under construction is permitted if we have the 488 * authorisation token handy */ 489 if (PTR_ERR(key_ref) == -EACCES) { 490 instkey = key_get_instantiation_authkey(keyid); 491 if (!IS_ERR(instkey)) { 492 key_put(instkey); 493 key_ref = lookup_user_key(NULL, keyid, 494 0, 1, 0); 495 if (!IS_ERR(key_ref)) 496 goto okay; 497 } 498 } 499 500 ret = PTR_ERR(key_ref); 501 goto error; 502 } 503 504 okay: 505 /* calculate how much description we're going to return */ 506 ret = -ENOMEM; 507 tmpbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); 508 if (!tmpbuf) 509 goto error2; 510 511 key = key_ref_to_ptr(key_ref); 512 513 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 514 "%s;%d;%d;%08x;%s", 515 key_ref_to_ptr(key_ref)->type->name, 516 key_ref_to_ptr(key_ref)->uid, 517 key_ref_to_ptr(key_ref)->gid, 518 key_ref_to_ptr(key_ref)->perm, 519 key_ref_to_ptr(key_ref)->description ? 520 key_ref_to_ptr(key_ref)->description : "" 521 ); 522 523 /* include a NUL char at the end of the data */ 524 if (ret > PAGE_SIZE - 1) 525 ret = PAGE_SIZE - 1; 526 tmpbuf[ret] = 0; 527 ret++; 528 529 /* consider returning the data */ 530 if (buffer && buflen > 0) { 531 if (buflen > ret) 532 buflen = ret; 533 534 if (copy_to_user(buffer, tmpbuf, buflen) != 0) 535 ret = -EFAULT; 536 } 537 538 kfree(tmpbuf); 539 error2: 540 key_ref_put(key_ref); 541 error: 542 return ret; 543 544 } /* end keyctl_describe_key() */ 545 546 /*****************************************************************************/ 547 /* 548 * search the specified keyring for a matching key 549 * - the start keyring must be searchable 550 * - nested keyrings may also be searched if they are searchable 551 * - only keys with search permission may be found 552 * - if a key is found, it will be attached to the destination keyring if 553 * there's one specified 554 * - implements keyctl(KEYCTL_SEARCH) 555 */ 556 long keyctl_keyring_search(key_serial_t ringid, 557 const char __user *_type, 558 const char __user *_description, 559 key_serial_t destringid) 560 { 561 struct key_type *ktype; 562 key_ref_t keyring_ref, key_ref, dest_ref; 563 char type[32], *description; 564 long dlen, ret; 565 566 /* pull the type and description into kernel space */ 567 ret = strncpy_from_user(type, _type, sizeof(type) - 1); 568 if (ret < 0) 569 goto error; 570 type[31] = '\0'; 571 572 ret = -EFAULT; 573 dlen = strnlen_user(_description, PAGE_SIZE - 1); 574 if (dlen <= 0) 575 goto error; 576 577 ret = -EINVAL; 578 if (dlen > PAGE_SIZE - 1) 579 goto error; 580 581 ret = -ENOMEM; 582 description = kmalloc(dlen + 1, GFP_KERNEL); 583 if (!description) 584 goto error; 585 586 ret = -EFAULT; 587 if (copy_from_user(description, _description, dlen + 1) != 0) 588 goto error2; 589 590 /* get the keyring at which to begin the search */ 591 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); 592 if (IS_ERR(keyring_ref)) { 593 ret = PTR_ERR(keyring_ref); 594 goto error2; 595 } 596 597 /* get the destination keyring if specified */ 598 dest_ref = NULL; 599 if (destringid) { 600 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 601 if (IS_ERR(dest_ref)) { 602 ret = PTR_ERR(dest_ref); 603 goto error3; 604 } 605 } 606 607 /* find the key type */ 608 ktype = key_type_lookup(type); 609 if (IS_ERR(ktype)) { 610 ret = PTR_ERR(ktype); 611 goto error4; 612 } 613 614 /* do the search */ 615 key_ref = keyring_search(keyring_ref, ktype, description); 616 if (IS_ERR(key_ref)) { 617 ret = PTR_ERR(key_ref); 618 619 /* treat lack or presence of a negative key the same */ 620 if (ret == -EAGAIN) 621 ret = -ENOKEY; 622 goto error5; 623 } 624 625 /* link the resulting key to the destination keyring if we can */ 626 if (dest_ref) { 627 ret = key_permission(key_ref, KEY_LINK); 628 if (ret < 0) 629 goto error6; 630 631 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 632 if (ret < 0) 633 goto error6; 634 } 635 636 ret = key_ref_to_ptr(key_ref)->serial; 637 638 error6: 639 key_ref_put(key_ref); 640 error5: 641 key_type_put(ktype); 642 error4: 643 key_ref_put(dest_ref); 644 error3: 645 key_ref_put(keyring_ref); 646 error2: 647 kfree(description); 648 error: 649 return ret; 650 651 } /* end keyctl_keyring_search() */ 652 653 /*****************************************************************************/ 654 /* 655 * read a user key's payload 656 * - the keyring must be readable or the key must be searchable from the 657 * process's keyrings 658 * - if there's a buffer, we place up to buflen bytes of data into it 659 * - unless there's an error, we return the amount of data in the key, 660 * irrespective of how much we may have copied 661 * - implements keyctl(KEYCTL_READ) 662 */ 663 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 664 { 665 struct key *key; 666 key_ref_t key_ref; 667 long ret; 668 669 /* find the key first */ 670 key_ref = lookup_user_key(NULL, keyid, 0, 0, 0); 671 if (IS_ERR(key_ref)) { 672 ret = -ENOKEY; 673 goto error; 674 } 675 676 key = key_ref_to_ptr(key_ref); 677 678 /* see if we can read it directly */ 679 ret = key_permission(key_ref, KEY_READ); 680 if (ret == 0) 681 goto can_read_key; 682 if (ret != -EACCES) 683 goto error; 684 685 /* we can't; see if it's searchable from this process's keyrings 686 * - we automatically take account of the fact that it may be 687 * dangling off an instantiation key 688 */ 689 if (!is_key_possessed(key_ref)) { 690 ret = -EACCES; 691 goto error2; 692 } 693 694 /* the key is probably readable - now try to read it */ 695 can_read_key: 696 ret = key_validate(key); 697 if (ret == 0) { 698 ret = -EOPNOTSUPP; 699 if (key->type->read) { 700 /* read the data with the semaphore held (since we 701 * might sleep) */ 702 down_read(&key->sem); 703 ret = key->type->read(key, buffer, buflen); 704 up_read(&key->sem); 705 } 706 } 707 708 error2: 709 key_put(key); 710 error: 711 return ret; 712 713 } /* end keyctl_read_key() */ 714 715 /*****************************************************************************/ 716 /* 717 * change the ownership of a key 718 * - the keyring owned by the changer 719 * - if the uid or gid is -1, then that parameter is not changed 720 * - implements keyctl(KEYCTL_CHOWN) 721 */ 722 long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 723 { 724 struct key *key; 725 key_ref_t key_ref; 726 long ret; 727 728 ret = 0; 729 if (uid == (uid_t) -1 && gid == (gid_t) -1) 730 goto error; 731 732 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 733 if (IS_ERR(key_ref)) { 734 ret = PTR_ERR(key_ref); 735 goto error; 736 } 737 738 key = key_ref_to_ptr(key_ref); 739 740 /* make the changes with the locks held to prevent chown/chown races */ 741 ret = -EACCES; 742 down_write(&key->sem); 743 744 if (!capable(CAP_SYS_ADMIN)) { 745 /* only the sysadmin can chown a key to some other UID */ 746 if (uid != (uid_t) -1 && key->uid != uid) 747 goto no_access; 748 749 /* only the sysadmin can set the key's GID to a group other 750 * than one of those that the current process subscribes to */ 751 if (gid != (gid_t) -1 && gid != key->gid && !in_group_p(gid)) 752 goto no_access; 753 } 754 755 /* change the UID (have to update the quotas) */ 756 if (uid != (uid_t) -1 && uid != key->uid) { 757 /* don't support UID changing yet */ 758 ret = -EOPNOTSUPP; 759 goto no_access; 760 } 761 762 /* change the GID */ 763 if (gid != (gid_t) -1) 764 key->gid = gid; 765 766 ret = 0; 767 768 no_access: 769 up_write(&key->sem); 770 key_put(key); 771 error: 772 return ret; 773 774 } /* end keyctl_chown_key() */ 775 776 /*****************************************************************************/ 777 /* 778 * change the permission mask on a key 779 * - the keyring owned by the changer 780 * - implements keyctl(KEYCTL_SETPERM) 781 */ 782 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 783 { 784 struct key *key; 785 key_ref_t key_ref; 786 long ret; 787 788 ret = -EINVAL; 789 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 790 goto error; 791 792 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 793 if (IS_ERR(key_ref)) { 794 ret = PTR_ERR(key_ref); 795 goto error; 796 } 797 798 key = key_ref_to_ptr(key_ref); 799 800 /* make the changes with the locks held to prevent chown/chmod races */ 801 ret = -EACCES; 802 down_write(&key->sem); 803 804 /* if we're not the sysadmin, we can only change a key that we own */ 805 if (capable(CAP_SYS_ADMIN) || key->uid == current->fsuid) { 806 key->perm = perm; 807 ret = 0; 808 } 809 810 up_write(&key->sem); 811 key_put(key); 812 error: 813 return ret; 814 815 } /* end keyctl_setperm_key() */ 816 817 /*****************************************************************************/ 818 /* 819 * instantiate the key with the specified payload, and, if one is given, link 820 * the key into the keyring 821 */ 822 long keyctl_instantiate_key(key_serial_t id, 823 const void __user *_payload, 824 size_t plen, 825 key_serial_t ringid) 826 { 827 struct request_key_auth *rka; 828 struct key *instkey; 829 key_ref_t keyring_ref; 830 void *payload; 831 long ret; 832 833 ret = -EINVAL; 834 if (plen > 32767) 835 goto error; 836 837 /* the appropriate instantiation authorisation key must have been 838 * assumed before calling this */ 839 ret = -EPERM; 840 instkey = current->request_key_auth; 841 if (!instkey) 842 goto error; 843 844 rka = instkey->payload.data; 845 if (rka->target_key->serial != id) 846 goto error; 847 848 /* pull the payload in if one was supplied */ 849 payload = NULL; 850 851 if (_payload) { 852 ret = -ENOMEM; 853 payload = kmalloc(plen, GFP_KERNEL); 854 if (!payload) 855 goto error; 856 857 ret = -EFAULT; 858 if (copy_from_user(payload, _payload, plen) != 0) 859 goto error2; 860 } 861 862 /* find the destination keyring amongst those belonging to the 863 * requesting task */ 864 keyring_ref = NULL; 865 if (ringid) { 866 keyring_ref = lookup_user_key(rka->context, ringid, 1, 0, 867 KEY_WRITE); 868 if (IS_ERR(keyring_ref)) { 869 ret = PTR_ERR(keyring_ref); 870 goto error2; 871 } 872 } 873 874 /* instantiate the key and link it into a keyring */ 875 ret = key_instantiate_and_link(rka->target_key, payload, plen, 876 key_ref_to_ptr(keyring_ref), instkey); 877 878 key_ref_put(keyring_ref); 879 880 /* discard the assumed authority if it's just been disabled by 881 * instantiation of the key */ 882 if (ret == 0) { 883 key_put(current->request_key_auth); 884 current->request_key_auth = NULL; 885 } 886 887 error2: 888 kfree(payload); 889 error: 890 return ret; 891 892 } /* end keyctl_instantiate_key() */ 893 894 /*****************************************************************************/ 895 /* 896 * negatively instantiate the key with the given timeout (in seconds), and, if 897 * one is given, link the key into the keyring 898 */ 899 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 900 { 901 struct request_key_auth *rka; 902 struct key *instkey; 903 key_ref_t keyring_ref; 904 long ret; 905 906 /* the appropriate instantiation authorisation key must have been 907 * assumed before calling this */ 908 ret = -EPERM; 909 instkey = current->request_key_auth; 910 if (!instkey) 911 goto error; 912 913 rka = instkey->payload.data; 914 if (rka->target_key->serial != id) 915 goto error; 916 917 /* find the destination keyring if present (which must also be 918 * writable) */ 919 keyring_ref = NULL; 920 if (ringid) { 921 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 922 if (IS_ERR(keyring_ref)) { 923 ret = PTR_ERR(keyring_ref); 924 goto error; 925 } 926 } 927 928 /* instantiate the key and link it into a keyring */ 929 ret = key_negate_and_link(rka->target_key, timeout, 930 key_ref_to_ptr(keyring_ref), instkey); 931 932 key_ref_put(keyring_ref); 933 934 /* discard the assumed authority if it's just been disabled by 935 * instantiation of the key */ 936 if (ret == 0) { 937 key_put(current->request_key_auth); 938 current->request_key_auth = NULL; 939 } 940 941 error: 942 return ret; 943 944 } /* end keyctl_negate_key() */ 945 946 /*****************************************************************************/ 947 /* 948 * set the default keyring in which request_key() will cache keys 949 * - return the old setting 950 */ 951 long keyctl_set_reqkey_keyring(int reqkey_defl) 952 { 953 int ret; 954 955 switch (reqkey_defl) { 956 case KEY_REQKEY_DEFL_THREAD_KEYRING: 957 ret = install_thread_keyring(current); 958 if (ret < 0) 959 return ret; 960 goto set; 961 962 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 963 ret = install_process_keyring(current); 964 if (ret < 0) 965 return ret; 966 967 case KEY_REQKEY_DEFL_DEFAULT: 968 case KEY_REQKEY_DEFL_SESSION_KEYRING: 969 case KEY_REQKEY_DEFL_USER_KEYRING: 970 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 971 set: 972 current->jit_keyring = reqkey_defl; 973 974 case KEY_REQKEY_DEFL_NO_CHANGE: 975 return current->jit_keyring; 976 977 case KEY_REQKEY_DEFL_GROUP_KEYRING: 978 default: 979 return -EINVAL; 980 } 981 982 } /* end keyctl_set_reqkey_keyring() */ 983 984 /*****************************************************************************/ 985 /* 986 * set or clear the timeout for a key 987 */ 988 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 989 { 990 struct timespec now; 991 struct key *key; 992 key_ref_t key_ref; 993 time_t expiry; 994 long ret; 995 996 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 997 if (IS_ERR(key_ref)) { 998 ret = PTR_ERR(key_ref); 999 goto error; 1000 } 1001 1002 key = key_ref_to_ptr(key_ref); 1003 1004 /* make the changes with the locks held to prevent races */ 1005 down_write(&key->sem); 1006 1007 expiry = 0; 1008 if (timeout > 0) { 1009 now = current_kernel_time(); 1010 expiry = now.tv_sec + timeout; 1011 } 1012 1013 key->expiry = expiry; 1014 1015 up_write(&key->sem); 1016 key_put(key); 1017 1018 ret = 0; 1019 error: 1020 return ret; 1021 1022 } /* end keyctl_set_timeout() */ 1023 1024 /*****************************************************************************/ 1025 /* 1026 * assume the authority to instantiate the specified key 1027 */ 1028 long keyctl_assume_authority(key_serial_t id) 1029 { 1030 struct key *authkey; 1031 long ret; 1032 1033 /* special key IDs aren't permitted */ 1034 ret = -EINVAL; 1035 if (id < 0) 1036 goto error; 1037 1038 /* we divest ourselves of authority if given an ID of 0 */ 1039 if (id == 0) { 1040 key_put(current->request_key_auth); 1041 current->request_key_auth = NULL; 1042 ret = 0; 1043 goto error; 1044 } 1045 1046 /* attempt to assume the authority temporarily granted to us whilst we 1047 * instantiate the specified key 1048 * - the authorisation key must be in the current task's keyrings 1049 * somewhere 1050 */ 1051 authkey = key_get_instantiation_authkey(id); 1052 if (IS_ERR(authkey)) { 1053 ret = PTR_ERR(authkey); 1054 goto error; 1055 } 1056 1057 key_put(current->request_key_auth); 1058 current->request_key_auth = authkey; 1059 ret = authkey->serial; 1060 1061 error: 1062 return ret; 1063 1064 } /* end keyctl_assume_authority() */ 1065 1066 /*****************************************************************************/ 1067 /* 1068 * the key control system call 1069 */ 1070 asmlinkage long sys_keyctl(int option, unsigned long arg2, unsigned long arg3, 1071 unsigned long arg4, unsigned long arg5) 1072 { 1073 switch (option) { 1074 case KEYCTL_GET_KEYRING_ID: 1075 return keyctl_get_keyring_ID((key_serial_t) arg2, 1076 (int) arg3); 1077 1078 case KEYCTL_JOIN_SESSION_KEYRING: 1079 return keyctl_join_session_keyring((const char __user *) arg2); 1080 1081 case KEYCTL_UPDATE: 1082 return keyctl_update_key((key_serial_t) arg2, 1083 (const void __user *) arg3, 1084 (size_t) arg4); 1085 1086 case KEYCTL_REVOKE: 1087 return keyctl_revoke_key((key_serial_t) arg2); 1088 1089 case KEYCTL_DESCRIBE: 1090 return keyctl_describe_key((key_serial_t) arg2, 1091 (char __user *) arg3, 1092 (unsigned) arg4); 1093 1094 case KEYCTL_CLEAR: 1095 return keyctl_keyring_clear((key_serial_t) arg2); 1096 1097 case KEYCTL_LINK: 1098 return keyctl_keyring_link((key_serial_t) arg2, 1099 (key_serial_t) arg3); 1100 1101 case KEYCTL_UNLINK: 1102 return keyctl_keyring_unlink((key_serial_t) arg2, 1103 (key_serial_t) arg3); 1104 1105 case KEYCTL_SEARCH: 1106 return keyctl_keyring_search((key_serial_t) arg2, 1107 (const char __user *) arg3, 1108 (const char __user *) arg4, 1109 (key_serial_t) arg5); 1110 1111 case KEYCTL_READ: 1112 return keyctl_read_key((key_serial_t) arg2, 1113 (char __user *) arg3, 1114 (size_t) arg4); 1115 1116 case KEYCTL_CHOWN: 1117 return keyctl_chown_key((key_serial_t) arg2, 1118 (uid_t) arg3, 1119 (gid_t) arg4); 1120 1121 case KEYCTL_SETPERM: 1122 return keyctl_setperm_key((key_serial_t) arg2, 1123 (key_perm_t) arg3); 1124 1125 case KEYCTL_INSTANTIATE: 1126 return keyctl_instantiate_key((key_serial_t) arg2, 1127 (const void __user *) arg3, 1128 (size_t) arg4, 1129 (key_serial_t) arg5); 1130 1131 case KEYCTL_NEGATE: 1132 return keyctl_negate_key((key_serial_t) arg2, 1133 (unsigned) arg3, 1134 (key_serial_t) arg4); 1135 1136 case KEYCTL_SET_REQKEY_KEYRING: 1137 return keyctl_set_reqkey_keyring(arg2); 1138 1139 case KEYCTL_SET_TIMEOUT: 1140 return keyctl_set_timeout((key_serial_t) arg2, 1141 (unsigned) arg3); 1142 1143 case KEYCTL_ASSUME_AUTHORITY: 1144 return keyctl_assume_authority((key_serial_t) arg2); 1145 1146 default: 1147 return -EOPNOTSUPP; 1148 } 1149 1150 } /* end sys_keyctl() */ 1151