1 /* Userspace key control operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/sched/task.h> 16 #include <linux/slab.h> 17 #include <linux/syscalls.h> 18 #include <linux/key.h> 19 #include <linux/keyctl.h> 20 #include <linux/fs.h> 21 #include <linux/capability.h> 22 #include <linux/cred.h> 23 #include <linux/string.h> 24 #include <linux/err.h> 25 #include <linux/vmalloc.h> 26 #include <linux/security.h> 27 #include <linux/uio.h> 28 #include <linux/uaccess.h> 29 #include "internal.h" 30 31 #define KEY_MAX_DESC_SIZE 4096 32 33 static int key_get_type_from_user(char *type, 34 const char __user *_type, 35 unsigned len) 36 { 37 int ret; 38 39 ret = strncpy_from_user(type, _type, len); 40 if (ret < 0) 41 return ret; 42 if (ret == 0 || ret >= len) 43 return -EINVAL; 44 if (type[0] == '.') 45 return -EPERM; 46 type[len - 1] = '\0'; 47 return 0; 48 } 49 50 /* 51 * Extract the description of a new key from userspace and either add it as a 52 * new key to the specified keyring or update a matching key in that keyring. 53 * 54 * If the description is NULL or an empty string, the key type is asked to 55 * generate one from the payload. 56 * 57 * The keyring must be writable so that we can attach the key to it. 58 * 59 * If successful, the new key's serial number is returned, otherwise an error 60 * code is returned. 61 */ 62 SYSCALL_DEFINE5(add_key, const char __user *, _type, 63 const char __user *, _description, 64 const void __user *, _payload, 65 size_t, plen, 66 key_serial_t, ringid) 67 { 68 key_ref_t keyring_ref, key_ref; 69 char type[32], *description; 70 void *payload; 71 long ret; 72 73 ret = -EINVAL; 74 if (plen > 1024 * 1024 - 1) 75 goto error; 76 77 /* draw all the data into kernel space */ 78 ret = key_get_type_from_user(type, _type, sizeof(type)); 79 if (ret < 0) 80 goto error; 81 82 description = NULL; 83 if (_description) { 84 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 85 if (IS_ERR(description)) { 86 ret = PTR_ERR(description); 87 goto error; 88 } 89 if (!*description) { 90 kfree(description); 91 description = NULL; 92 } else if ((description[0] == '.') && 93 (strncmp(type, "keyring", 7) == 0)) { 94 ret = -EPERM; 95 goto error2; 96 } 97 } 98 99 /* pull the payload in if one was supplied */ 100 payload = NULL; 101 102 if (plen) { 103 ret = -ENOMEM; 104 payload = kvmalloc(plen, GFP_KERNEL); 105 if (!payload) 106 goto error2; 107 108 ret = -EFAULT; 109 if (copy_from_user(payload, _payload, plen) != 0) 110 goto error3; 111 } 112 113 /* find the target keyring (which must be writable) */ 114 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 115 if (IS_ERR(keyring_ref)) { 116 ret = PTR_ERR(keyring_ref); 117 goto error3; 118 } 119 120 /* create or update the requested key and add it to the target 121 * keyring */ 122 key_ref = key_create_or_update(keyring_ref, type, description, 123 payload, plen, KEY_PERM_UNDEF, 124 KEY_ALLOC_IN_QUOTA); 125 if (!IS_ERR(key_ref)) { 126 ret = key_ref_to_ptr(key_ref)->serial; 127 key_ref_put(key_ref); 128 } 129 else { 130 ret = PTR_ERR(key_ref); 131 } 132 133 key_ref_put(keyring_ref); 134 error3: 135 if (payload) { 136 memzero_explicit(payload, plen); 137 kvfree(payload); 138 } 139 error2: 140 kfree(description); 141 error: 142 return ret; 143 } 144 145 /* 146 * Search the process keyrings and keyring trees linked from those for a 147 * matching key. Keyrings must have appropriate Search permission to be 148 * searched. 149 * 150 * If a key is found, it will be attached to the destination keyring if there's 151 * one specified and the serial number of the key will be returned. 152 * 153 * If no key is found, /sbin/request-key will be invoked if _callout_info is 154 * non-NULL in an attempt to create a key. The _callout_info string will be 155 * passed to /sbin/request-key to aid with completing the request. If the 156 * _callout_info string is "" then it will be changed to "-". 157 */ 158 SYSCALL_DEFINE4(request_key, const char __user *, _type, 159 const char __user *, _description, 160 const char __user *, _callout_info, 161 key_serial_t, destringid) 162 { 163 struct key_type *ktype; 164 struct key *key; 165 key_ref_t dest_ref; 166 size_t callout_len; 167 char type[32], *description, *callout_info; 168 long ret; 169 170 /* pull the type into kernel space */ 171 ret = key_get_type_from_user(type, _type, sizeof(type)); 172 if (ret < 0) 173 goto error; 174 175 /* pull the description into kernel space */ 176 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 177 if (IS_ERR(description)) { 178 ret = PTR_ERR(description); 179 goto error; 180 } 181 182 /* pull the callout info into kernel space */ 183 callout_info = NULL; 184 callout_len = 0; 185 if (_callout_info) { 186 callout_info = strndup_user(_callout_info, PAGE_SIZE); 187 if (IS_ERR(callout_info)) { 188 ret = PTR_ERR(callout_info); 189 goto error2; 190 } 191 callout_len = strlen(callout_info); 192 } 193 194 /* get the destination keyring if specified */ 195 dest_ref = NULL; 196 if (destringid) { 197 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 198 KEY_NEED_WRITE); 199 if (IS_ERR(dest_ref)) { 200 ret = PTR_ERR(dest_ref); 201 goto error3; 202 } 203 } 204 205 /* find the key type */ 206 ktype = key_type_lookup(type); 207 if (IS_ERR(ktype)) { 208 ret = PTR_ERR(ktype); 209 goto error4; 210 } 211 212 /* do the search */ 213 key = request_key_and_link(ktype, description, callout_info, 214 callout_len, NULL, key_ref_to_ptr(dest_ref), 215 KEY_ALLOC_IN_QUOTA); 216 if (IS_ERR(key)) { 217 ret = PTR_ERR(key); 218 goto error5; 219 } 220 221 /* wait for the key to finish being constructed */ 222 ret = wait_for_key_construction(key, 1); 223 if (ret < 0) 224 goto error6; 225 226 ret = key->serial; 227 228 error6: 229 key_put(key); 230 error5: 231 key_type_put(ktype); 232 error4: 233 key_ref_put(dest_ref); 234 error3: 235 kfree(callout_info); 236 error2: 237 kfree(description); 238 error: 239 return ret; 240 } 241 242 /* 243 * Get the ID of the specified process keyring. 244 * 245 * The requested keyring must have search permission to be found. 246 * 247 * If successful, the ID of the requested keyring will be returned. 248 */ 249 long keyctl_get_keyring_ID(key_serial_t id, int create) 250 { 251 key_ref_t key_ref; 252 unsigned long lflags; 253 long ret; 254 255 lflags = create ? KEY_LOOKUP_CREATE : 0; 256 key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH); 257 if (IS_ERR(key_ref)) { 258 ret = PTR_ERR(key_ref); 259 goto error; 260 } 261 262 ret = key_ref_to_ptr(key_ref)->serial; 263 key_ref_put(key_ref); 264 error: 265 return ret; 266 } 267 268 /* 269 * Join a (named) session keyring. 270 * 271 * Create and join an anonymous session keyring or join a named session 272 * keyring, creating it if necessary. A named session keyring must have Search 273 * permission for it to be joined. Session keyrings without this permit will 274 * be skipped over. It is not permitted for userspace to create or join 275 * keyrings whose name begin with a dot. 276 * 277 * If successful, the ID of the joined session keyring will be returned. 278 */ 279 long keyctl_join_session_keyring(const char __user *_name) 280 { 281 char *name; 282 long ret; 283 284 /* fetch the name from userspace */ 285 name = NULL; 286 if (_name) { 287 name = strndup_user(_name, KEY_MAX_DESC_SIZE); 288 if (IS_ERR(name)) { 289 ret = PTR_ERR(name); 290 goto error; 291 } 292 293 ret = -EPERM; 294 if (name[0] == '.') 295 goto error_name; 296 } 297 298 /* join the session */ 299 ret = join_session_keyring(name); 300 error_name: 301 kfree(name); 302 error: 303 return ret; 304 } 305 306 /* 307 * Update a key's data payload from the given data. 308 * 309 * The key must grant the caller Write permission and the key type must support 310 * updating for this to work. A negative key can be positively instantiated 311 * with this call. 312 * 313 * If successful, 0 will be returned. If the key type does not support 314 * updating, then -EOPNOTSUPP will be returned. 315 */ 316 long keyctl_update_key(key_serial_t id, 317 const void __user *_payload, 318 size_t plen) 319 { 320 key_ref_t key_ref; 321 void *payload; 322 long ret; 323 324 ret = -EINVAL; 325 if (plen > PAGE_SIZE) 326 goto error; 327 328 /* pull the payload in if one was supplied */ 329 payload = NULL; 330 if (plen) { 331 ret = -ENOMEM; 332 payload = kmalloc(plen, GFP_KERNEL); 333 if (!payload) 334 goto error; 335 336 ret = -EFAULT; 337 if (copy_from_user(payload, _payload, plen) != 0) 338 goto error2; 339 } 340 341 /* find the target key (which must be writable) */ 342 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 343 if (IS_ERR(key_ref)) { 344 ret = PTR_ERR(key_ref); 345 goto error2; 346 } 347 348 /* update the key */ 349 ret = key_update(key_ref, payload, plen); 350 351 key_ref_put(key_ref); 352 error2: 353 kzfree(payload); 354 error: 355 return ret; 356 } 357 358 /* 359 * Revoke a key. 360 * 361 * The key must be grant the caller Write or Setattr permission for this to 362 * work. The key type should give up its quota claim when revoked. The key 363 * and any links to the key will be automatically garbage collected after a 364 * certain amount of time (/proc/sys/kernel/keys/gc_delay). 365 * 366 * Keys with KEY_FLAG_KEEP set should not be revoked. 367 * 368 * If successful, 0 is returned. 369 */ 370 long keyctl_revoke_key(key_serial_t id) 371 { 372 key_ref_t key_ref; 373 struct key *key; 374 long ret; 375 376 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 377 if (IS_ERR(key_ref)) { 378 ret = PTR_ERR(key_ref); 379 if (ret != -EACCES) 380 goto error; 381 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 382 if (IS_ERR(key_ref)) { 383 ret = PTR_ERR(key_ref); 384 goto error; 385 } 386 } 387 388 key = key_ref_to_ptr(key_ref); 389 ret = 0; 390 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 391 ret = -EPERM; 392 else 393 key_revoke(key); 394 395 key_ref_put(key_ref); 396 error: 397 return ret; 398 } 399 400 /* 401 * Invalidate a key. 402 * 403 * The key must be grant the caller Invalidate permission for this to work. 404 * The key and any links to the key will be automatically garbage collected 405 * immediately. 406 * 407 * Keys with KEY_FLAG_KEEP set should not be invalidated. 408 * 409 * If successful, 0 is returned. 410 */ 411 long keyctl_invalidate_key(key_serial_t id) 412 { 413 key_ref_t key_ref; 414 struct key *key; 415 long ret; 416 417 kenter("%d", id); 418 419 key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); 420 if (IS_ERR(key_ref)) { 421 ret = PTR_ERR(key_ref); 422 423 /* Root is permitted to invalidate certain special keys */ 424 if (capable(CAP_SYS_ADMIN)) { 425 key_ref = lookup_user_key(id, 0, 0); 426 if (IS_ERR(key_ref)) 427 goto error; 428 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, 429 &key_ref_to_ptr(key_ref)->flags)) 430 goto invalidate; 431 goto error_put; 432 } 433 434 goto error; 435 } 436 437 invalidate: 438 key = key_ref_to_ptr(key_ref); 439 ret = 0; 440 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 441 ret = -EPERM; 442 else 443 key_invalidate(key); 444 error_put: 445 key_ref_put(key_ref); 446 error: 447 kleave(" = %ld", ret); 448 return ret; 449 } 450 451 /* 452 * Clear the specified keyring, creating an empty process keyring if one of the 453 * special keyring IDs is used. 454 * 455 * The keyring must grant the caller Write permission and not have 456 * KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned. 457 */ 458 long keyctl_keyring_clear(key_serial_t ringid) 459 { 460 key_ref_t keyring_ref; 461 struct key *keyring; 462 long ret; 463 464 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 465 if (IS_ERR(keyring_ref)) { 466 ret = PTR_ERR(keyring_ref); 467 468 /* Root is permitted to invalidate certain special keyrings */ 469 if (capable(CAP_SYS_ADMIN)) { 470 keyring_ref = lookup_user_key(ringid, 0, 0); 471 if (IS_ERR(keyring_ref)) 472 goto error; 473 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, 474 &key_ref_to_ptr(keyring_ref)->flags)) 475 goto clear; 476 goto error_put; 477 } 478 479 goto error; 480 } 481 482 clear: 483 keyring = key_ref_to_ptr(keyring_ref); 484 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 485 ret = -EPERM; 486 else 487 ret = keyring_clear(keyring); 488 error_put: 489 key_ref_put(keyring_ref); 490 error: 491 return ret; 492 } 493 494 /* 495 * Create a link from a keyring to a key if there's no matching key in the 496 * keyring, otherwise replace the link to the matching key with a link to the 497 * new key. 498 * 499 * The key must grant the caller Link permission and the the keyring must grant 500 * the caller Write permission. Furthermore, if an additional link is created, 501 * the keyring's quota will be extended. 502 * 503 * If successful, 0 will be returned. 504 */ 505 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 506 { 507 key_ref_t keyring_ref, key_ref; 508 long ret; 509 510 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 511 if (IS_ERR(keyring_ref)) { 512 ret = PTR_ERR(keyring_ref); 513 goto error; 514 } 515 516 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 517 if (IS_ERR(key_ref)) { 518 ret = PTR_ERR(key_ref); 519 goto error2; 520 } 521 522 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 523 524 key_ref_put(key_ref); 525 error2: 526 key_ref_put(keyring_ref); 527 error: 528 return ret; 529 } 530 531 /* 532 * Unlink a key from a keyring. 533 * 534 * The keyring must grant the caller Write permission for this to work; the key 535 * itself need not grant the caller anything. If the last link to a key is 536 * removed then that key will be scheduled for destruction. 537 * 538 * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. 539 * 540 * If successful, 0 will be returned. 541 */ 542 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 543 { 544 key_ref_t keyring_ref, key_ref; 545 struct key *keyring, *key; 546 long ret; 547 548 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); 549 if (IS_ERR(keyring_ref)) { 550 ret = PTR_ERR(keyring_ref); 551 goto error; 552 } 553 554 key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0); 555 if (IS_ERR(key_ref)) { 556 ret = PTR_ERR(key_ref); 557 goto error2; 558 } 559 560 keyring = key_ref_to_ptr(keyring_ref); 561 key = key_ref_to_ptr(key_ref); 562 if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && 563 test_bit(KEY_FLAG_KEEP, &key->flags)) 564 ret = -EPERM; 565 else 566 ret = key_unlink(keyring, key); 567 568 key_ref_put(key_ref); 569 error2: 570 key_ref_put(keyring_ref); 571 error: 572 return ret; 573 } 574 575 /* 576 * Return a description of a key to userspace. 577 * 578 * The key must grant the caller View permission for this to work. 579 * 580 * If there's a buffer, we place up to buflen bytes of data into it formatted 581 * in the following way: 582 * 583 * type;uid;gid;perm;description<NUL> 584 * 585 * If successful, we return the amount of description available, irrespective 586 * of how much we may have copied into the buffer. 587 */ 588 long keyctl_describe_key(key_serial_t keyid, 589 char __user *buffer, 590 size_t buflen) 591 { 592 struct key *key, *instkey; 593 key_ref_t key_ref; 594 char *infobuf; 595 long ret; 596 int desclen, infolen; 597 598 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 599 if (IS_ERR(key_ref)) { 600 /* viewing a key under construction is permitted if we have the 601 * authorisation token handy */ 602 if (PTR_ERR(key_ref) == -EACCES) { 603 instkey = key_get_instantiation_authkey(keyid); 604 if (!IS_ERR(instkey)) { 605 key_put(instkey); 606 key_ref = lookup_user_key(keyid, 607 KEY_LOOKUP_PARTIAL, 608 0); 609 if (!IS_ERR(key_ref)) 610 goto okay; 611 } 612 } 613 614 ret = PTR_ERR(key_ref); 615 goto error; 616 } 617 618 okay: 619 key = key_ref_to_ptr(key_ref); 620 desclen = strlen(key->description); 621 622 /* calculate how much information we're going to return */ 623 ret = -ENOMEM; 624 infobuf = kasprintf(GFP_KERNEL, 625 "%s;%d;%d;%08x;", 626 key->type->name, 627 from_kuid_munged(current_user_ns(), key->uid), 628 from_kgid_munged(current_user_ns(), key->gid), 629 key->perm); 630 if (!infobuf) 631 goto error2; 632 infolen = strlen(infobuf); 633 ret = infolen + desclen + 1; 634 635 /* consider returning the data */ 636 if (buffer && buflen >= ret) { 637 if (copy_to_user(buffer, infobuf, infolen) != 0 || 638 copy_to_user(buffer + infolen, key->description, 639 desclen + 1) != 0) 640 ret = -EFAULT; 641 } 642 643 kfree(infobuf); 644 error2: 645 key_ref_put(key_ref); 646 error: 647 return ret; 648 } 649 650 /* 651 * Search the specified keyring and any keyrings it links to for a matching 652 * key. Only keyrings that grant the caller Search permission will be searched 653 * (this includes the starting keyring). Only keys with Search permission can 654 * be found. 655 * 656 * If successful, the found key will be linked to the destination keyring if 657 * supplied and the key has Link permission, and the found key ID will be 658 * returned. 659 */ 660 long keyctl_keyring_search(key_serial_t ringid, 661 const char __user *_type, 662 const char __user *_description, 663 key_serial_t destringid) 664 { 665 struct key_type *ktype; 666 key_ref_t keyring_ref, key_ref, dest_ref; 667 char type[32], *description; 668 long ret; 669 670 /* pull the type and description into kernel space */ 671 ret = key_get_type_from_user(type, _type, sizeof(type)); 672 if (ret < 0) 673 goto error; 674 675 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 676 if (IS_ERR(description)) { 677 ret = PTR_ERR(description); 678 goto error; 679 } 680 681 /* get the keyring at which to begin the search */ 682 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH); 683 if (IS_ERR(keyring_ref)) { 684 ret = PTR_ERR(keyring_ref); 685 goto error2; 686 } 687 688 /* get the destination keyring if specified */ 689 dest_ref = NULL; 690 if (destringid) { 691 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 692 KEY_NEED_WRITE); 693 if (IS_ERR(dest_ref)) { 694 ret = PTR_ERR(dest_ref); 695 goto error3; 696 } 697 } 698 699 /* find the key type */ 700 ktype = key_type_lookup(type); 701 if (IS_ERR(ktype)) { 702 ret = PTR_ERR(ktype); 703 goto error4; 704 } 705 706 /* do the search */ 707 key_ref = keyring_search(keyring_ref, ktype, description); 708 if (IS_ERR(key_ref)) { 709 ret = PTR_ERR(key_ref); 710 711 /* treat lack or presence of a negative key the same */ 712 if (ret == -EAGAIN) 713 ret = -ENOKEY; 714 goto error5; 715 } 716 717 /* link the resulting key to the destination keyring if we can */ 718 if (dest_ref) { 719 ret = key_permission(key_ref, KEY_NEED_LINK); 720 if (ret < 0) 721 goto error6; 722 723 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 724 if (ret < 0) 725 goto error6; 726 } 727 728 ret = key_ref_to_ptr(key_ref)->serial; 729 730 error6: 731 key_ref_put(key_ref); 732 error5: 733 key_type_put(ktype); 734 error4: 735 key_ref_put(dest_ref); 736 error3: 737 key_ref_put(keyring_ref); 738 error2: 739 kfree(description); 740 error: 741 return ret; 742 } 743 744 /* 745 * Read a key's payload. 746 * 747 * The key must either grant the caller Read permission, or it must grant the 748 * caller Search permission when searched for from the process keyrings. 749 * 750 * If successful, we place up to buflen bytes of data into the buffer, if one 751 * is provided, and return the amount of data that is available in the key, 752 * irrespective of how much we copied into the buffer. 753 */ 754 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 755 { 756 struct key *key; 757 key_ref_t key_ref; 758 long ret; 759 760 /* find the key first */ 761 key_ref = lookup_user_key(keyid, 0, 0); 762 if (IS_ERR(key_ref)) { 763 ret = -ENOKEY; 764 goto error; 765 } 766 767 key = key_ref_to_ptr(key_ref); 768 769 if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) { 770 ret = -ENOKEY; 771 goto error2; 772 } 773 774 /* see if we can read it directly */ 775 ret = key_permission(key_ref, KEY_NEED_READ); 776 if (ret == 0) 777 goto can_read_key; 778 if (ret != -EACCES) 779 goto error2; 780 781 /* we can't; see if it's searchable from this process's keyrings 782 * - we automatically take account of the fact that it may be 783 * dangling off an instantiation key 784 */ 785 if (!is_key_possessed(key_ref)) { 786 ret = -EACCES; 787 goto error2; 788 } 789 790 /* the key is probably readable - now try to read it */ 791 can_read_key: 792 ret = -EOPNOTSUPP; 793 if (key->type->read) { 794 /* Read the data with the semaphore held (since we might sleep) 795 * to protect against the key being updated or revoked. 796 */ 797 down_read(&key->sem); 798 ret = key_validate(key); 799 if (ret == 0) 800 ret = key->type->read(key, buffer, buflen); 801 up_read(&key->sem); 802 } 803 804 error2: 805 key_put(key); 806 error: 807 return ret; 808 } 809 810 /* 811 * Change the ownership of a key 812 * 813 * The key must grant the caller Setattr permission for this to work, though 814 * the key need not be fully instantiated yet. For the UID to be changed, or 815 * for the GID to be changed to a group the caller is not a member of, the 816 * caller must have sysadmin capability. If either uid or gid is -1 then that 817 * attribute is not changed. 818 * 819 * If the UID is to be changed, the new user must have sufficient quota to 820 * accept the key. The quota deduction will be removed from the old user to 821 * the new user should the attribute be changed. 822 * 823 * If successful, 0 will be returned. 824 */ 825 long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) 826 { 827 struct key_user *newowner, *zapowner = NULL; 828 struct key *key; 829 key_ref_t key_ref; 830 long ret; 831 kuid_t uid; 832 kgid_t gid; 833 834 uid = make_kuid(current_user_ns(), user); 835 gid = make_kgid(current_user_ns(), group); 836 ret = -EINVAL; 837 if ((user != (uid_t) -1) && !uid_valid(uid)) 838 goto error; 839 if ((group != (gid_t) -1) && !gid_valid(gid)) 840 goto error; 841 842 ret = 0; 843 if (user == (uid_t) -1 && group == (gid_t) -1) 844 goto error; 845 846 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 847 KEY_NEED_SETATTR); 848 if (IS_ERR(key_ref)) { 849 ret = PTR_ERR(key_ref); 850 goto error; 851 } 852 853 key = key_ref_to_ptr(key_ref); 854 855 /* make the changes with the locks held to prevent chown/chown races */ 856 ret = -EACCES; 857 down_write(&key->sem); 858 859 if (!capable(CAP_SYS_ADMIN)) { 860 /* only the sysadmin can chown a key to some other UID */ 861 if (user != (uid_t) -1 && !uid_eq(key->uid, uid)) 862 goto error_put; 863 864 /* only the sysadmin can set the key's GID to a group other 865 * than one of those that the current process subscribes to */ 866 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid)) 867 goto error_put; 868 } 869 870 /* change the UID */ 871 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) { 872 ret = -ENOMEM; 873 newowner = key_user_lookup(uid); 874 if (!newowner) 875 goto error_put; 876 877 /* transfer the quota burden to the new user */ 878 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 879 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 880 key_quota_root_maxkeys : key_quota_maxkeys; 881 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 882 key_quota_root_maxbytes : key_quota_maxbytes; 883 884 spin_lock(&newowner->lock); 885 if (newowner->qnkeys + 1 >= maxkeys || 886 newowner->qnbytes + key->quotalen >= maxbytes || 887 newowner->qnbytes + key->quotalen < 888 newowner->qnbytes) 889 goto quota_overrun; 890 891 newowner->qnkeys++; 892 newowner->qnbytes += key->quotalen; 893 spin_unlock(&newowner->lock); 894 895 spin_lock(&key->user->lock); 896 key->user->qnkeys--; 897 key->user->qnbytes -= key->quotalen; 898 spin_unlock(&key->user->lock); 899 } 900 901 atomic_dec(&key->user->nkeys); 902 atomic_inc(&newowner->nkeys); 903 904 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 905 atomic_dec(&key->user->nikeys); 906 atomic_inc(&newowner->nikeys); 907 } 908 909 zapowner = key->user; 910 key->user = newowner; 911 key->uid = uid; 912 } 913 914 /* change the GID */ 915 if (group != (gid_t) -1) 916 key->gid = gid; 917 918 ret = 0; 919 920 error_put: 921 up_write(&key->sem); 922 key_put(key); 923 if (zapowner) 924 key_user_put(zapowner); 925 error: 926 return ret; 927 928 quota_overrun: 929 spin_unlock(&newowner->lock); 930 zapowner = newowner; 931 ret = -EDQUOT; 932 goto error_put; 933 } 934 935 /* 936 * Change the permission mask on a key. 937 * 938 * The key must grant the caller Setattr permission for this to work, though 939 * the key need not be fully instantiated yet. If the caller does not have 940 * sysadmin capability, it may only change the permission on keys that it owns. 941 */ 942 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 943 { 944 struct key *key; 945 key_ref_t key_ref; 946 long ret; 947 948 ret = -EINVAL; 949 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 950 goto error; 951 952 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 953 KEY_NEED_SETATTR); 954 if (IS_ERR(key_ref)) { 955 ret = PTR_ERR(key_ref); 956 goto error; 957 } 958 959 key = key_ref_to_ptr(key_ref); 960 961 /* make the changes with the locks held to prevent chown/chmod races */ 962 ret = -EACCES; 963 down_write(&key->sem); 964 965 /* if we're not the sysadmin, we can only change a key that we own */ 966 if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) { 967 key->perm = perm; 968 ret = 0; 969 } 970 971 up_write(&key->sem); 972 key_put(key); 973 error: 974 return ret; 975 } 976 977 /* 978 * Get the destination keyring for instantiation and check that the caller has 979 * Write permission on it. 980 */ 981 static long get_instantiation_keyring(key_serial_t ringid, 982 struct request_key_auth *rka, 983 struct key **_dest_keyring) 984 { 985 key_ref_t dkref; 986 987 *_dest_keyring = NULL; 988 989 /* just return a NULL pointer if we weren't asked to make a link */ 990 if (ringid == 0) 991 return 0; 992 993 /* if a specific keyring is nominated by ID, then use that */ 994 if (ringid > 0) { 995 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 996 if (IS_ERR(dkref)) 997 return PTR_ERR(dkref); 998 *_dest_keyring = key_ref_to_ptr(dkref); 999 return 0; 1000 } 1001 1002 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 1003 return -EINVAL; 1004 1005 /* otherwise specify the destination keyring recorded in the 1006 * authorisation key (any KEY_SPEC_*_KEYRING) */ 1007 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 1008 *_dest_keyring = key_get(rka->dest_keyring); 1009 return 0; 1010 } 1011 1012 return -ENOKEY; 1013 } 1014 1015 /* 1016 * Change the request_key authorisation key on the current process. 1017 */ 1018 static int keyctl_change_reqkey_auth(struct key *key) 1019 { 1020 struct cred *new; 1021 1022 new = prepare_creds(); 1023 if (!new) 1024 return -ENOMEM; 1025 1026 key_put(new->request_key_auth); 1027 new->request_key_auth = key_get(key); 1028 1029 return commit_creds(new); 1030 } 1031 1032 /* 1033 * Instantiate a key with the specified payload and link the key into the 1034 * destination keyring if one is given. 1035 * 1036 * The caller must have the appropriate instantiation permit set for this to 1037 * work (see keyctl_assume_authority). No other permissions are required. 1038 * 1039 * If successful, 0 will be returned. 1040 */ 1041 long keyctl_instantiate_key_common(key_serial_t id, 1042 struct iov_iter *from, 1043 key_serial_t ringid) 1044 { 1045 const struct cred *cred = current_cred(); 1046 struct request_key_auth *rka; 1047 struct key *instkey, *dest_keyring; 1048 size_t plen = from ? iov_iter_count(from) : 0; 1049 void *payload; 1050 long ret; 1051 1052 kenter("%d,,%zu,%d", id, plen, ringid); 1053 1054 if (!plen) 1055 from = NULL; 1056 1057 ret = -EINVAL; 1058 if (plen > 1024 * 1024 - 1) 1059 goto error; 1060 1061 /* the appropriate instantiation authorisation key must have been 1062 * assumed before calling this */ 1063 ret = -EPERM; 1064 instkey = cred->request_key_auth; 1065 if (!instkey) 1066 goto error; 1067 1068 rka = instkey->payload.data[0]; 1069 if (rka->target_key->serial != id) 1070 goto error; 1071 1072 /* pull the payload in if one was supplied */ 1073 payload = NULL; 1074 1075 if (from) { 1076 ret = -ENOMEM; 1077 payload = kvmalloc(plen, GFP_KERNEL); 1078 if (!payload) 1079 goto error; 1080 1081 ret = -EFAULT; 1082 if (!copy_from_iter_full(payload, plen, from)) 1083 goto error2; 1084 } 1085 1086 /* find the destination keyring amongst those belonging to the 1087 * requesting task */ 1088 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1089 if (ret < 0) 1090 goto error2; 1091 1092 /* instantiate the key and link it into a keyring */ 1093 ret = key_instantiate_and_link(rka->target_key, payload, plen, 1094 dest_keyring, instkey); 1095 1096 key_put(dest_keyring); 1097 1098 /* discard the assumed authority if it's just been disabled by 1099 * instantiation of the key */ 1100 if (ret == 0) 1101 keyctl_change_reqkey_auth(NULL); 1102 1103 error2: 1104 if (payload) { 1105 memzero_explicit(payload, plen); 1106 kvfree(payload); 1107 } 1108 error: 1109 return ret; 1110 } 1111 1112 /* 1113 * Instantiate a key with the specified payload and link the key into the 1114 * destination keyring if one is given. 1115 * 1116 * The caller must have the appropriate instantiation permit set for this to 1117 * work (see keyctl_assume_authority). No other permissions are required. 1118 * 1119 * If successful, 0 will be returned. 1120 */ 1121 long keyctl_instantiate_key(key_serial_t id, 1122 const void __user *_payload, 1123 size_t plen, 1124 key_serial_t ringid) 1125 { 1126 if (_payload && plen) { 1127 struct iovec iov; 1128 struct iov_iter from; 1129 int ret; 1130 1131 ret = import_single_range(WRITE, (void __user *)_payload, plen, 1132 &iov, &from); 1133 if (unlikely(ret)) 1134 return ret; 1135 1136 return keyctl_instantiate_key_common(id, &from, ringid); 1137 } 1138 1139 return keyctl_instantiate_key_common(id, NULL, ringid); 1140 } 1141 1142 /* 1143 * Instantiate a key with the specified multipart payload and link the key into 1144 * the destination keyring if one is given. 1145 * 1146 * The caller must have the appropriate instantiation permit set for this to 1147 * work (see keyctl_assume_authority). No other permissions are required. 1148 * 1149 * If successful, 0 will be returned. 1150 */ 1151 long keyctl_instantiate_key_iov(key_serial_t id, 1152 const struct iovec __user *_payload_iov, 1153 unsigned ioc, 1154 key_serial_t ringid) 1155 { 1156 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; 1157 struct iov_iter from; 1158 long ret; 1159 1160 if (!_payload_iov) 1161 ioc = 0; 1162 1163 ret = import_iovec(WRITE, _payload_iov, ioc, 1164 ARRAY_SIZE(iovstack), &iov, &from); 1165 if (ret < 0) 1166 return ret; 1167 ret = keyctl_instantiate_key_common(id, &from, ringid); 1168 kfree(iov); 1169 return ret; 1170 } 1171 1172 /* 1173 * Negatively instantiate the key with the given timeout (in seconds) and link 1174 * the key into the destination keyring if one is given. 1175 * 1176 * The caller must have the appropriate instantiation permit set for this to 1177 * work (see keyctl_assume_authority). No other permissions are required. 1178 * 1179 * The key and any links to the key will be automatically garbage collected 1180 * after the timeout expires. 1181 * 1182 * Negative keys are used to rate limit repeated request_key() calls by causing 1183 * them to return -ENOKEY until the negative key expires. 1184 * 1185 * If successful, 0 will be returned. 1186 */ 1187 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 1188 { 1189 return keyctl_reject_key(id, timeout, ENOKEY, ringid); 1190 } 1191 1192 /* 1193 * Negatively instantiate the key with the given timeout (in seconds) and error 1194 * code and link the key into the destination keyring if one is given. 1195 * 1196 * The caller must have the appropriate instantiation permit set for this to 1197 * work (see keyctl_assume_authority). No other permissions are required. 1198 * 1199 * The key and any links to the key will be automatically garbage collected 1200 * after the timeout expires. 1201 * 1202 * Negative keys are used to rate limit repeated request_key() calls by causing 1203 * them to return the specified error code until the negative key expires. 1204 * 1205 * If successful, 0 will be returned. 1206 */ 1207 long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, 1208 key_serial_t ringid) 1209 { 1210 const struct cred *cred = current_cred(); 1211 struct request_key_auth *rka; 1212 struct key *instkey, *dest_keyring; 1213 long ret; 1214 1215 kenter("%d,%u,%u,%d", id, timeout, error, ringid); 1216 1217 /* must be a valid error code and mustn't be a kernel special */ 1218 if (error <= 0 || 1219 error >= MAX_ERRNO || 1220 error == ERESTARTSYS || 1221 error == ERESTARTNOINTR || 1222 error == ERESTARTNOHAND || 1223 error == ERESTART_RESTARTBLOCK) 1224 return -EINVAL; 1225 1226 /* the appropriate instantiation authorisation key must have been 1227 * assumed before calling this */ 1228 ret = -EPERM; 1229 instkey = cred->request_key_auth; 1230 if (!instkey) 1231 goto error; 1232 1233 rka = instkey->payload.data[0]; 1234 if (rka->target_key->serial != id) 1235 goto error; 1236 1237 /* find the destination keyring if present (which must also be 1238 * writable) */ 1239 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1240 if (ret < 0) 1241 goto error; 1242 1243 /* instantiate the key and link it into a keyring */ 1244 ret = key_reject_and_link(rka->target_key, timeout, error, 1245 dest_keyring, instkey); 1246 1247 key_put(dest_keyring); 1248 1249 /* discard the assumed authority if it's just been disabled by 1250 * instantiation of the key */ 1251 if (ret == 0) 1252 keyctl_change_reqkey_auth(NULL); 1253 1254 error: 1255 return ret; 1256 } 1257 1258 /* 1259 * Read or set the default keyring in which request_key() will cache keys and 1260 * return the old setting. 1261 * 1262 * If a thread or process keyring is specified then it will be created if it 1263 * doesn't yet exist. The old setting will be returned if successful. 1264 */ 1265 long keyctl_set_reqkey_keyring(int reqkey_defl) 1266 { 1267 struct cred *new; 1268 int ret, old_setting; 1269 1270 old_setting = current_cred_xxx(jit_keyring); 1271 1272 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1273 return old_setting; 1274 1275 new = prepare_creds(); 1276 if (!new) 1277 return -ENOMEM; 1278 1279 switch (reqkey_defl) { 1280 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1281 ret = install_thread_keyring_to_cred(new); 1282 if (ret < 0) 1283 goto error; 1284 goto set; 1285 1286 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1287 ret = install_process_keyring_to_cred(new); 1288 if (ret < 0) 1289 goto error; 1290 goto set; 1291 1292 case KEY_REQKEY_DEFL_DEFAULT: 1293 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1294 case KEY_REQKEY_DEFL_USER_KEYRING: 1295 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1296 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1297 goto set; 1298 1299 case KEY_REQKEY_DEFL_NO_CHANGE: 1300 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1301 default: 1302 ret = -EINVAL; 1303 goto error; 1304 } 1305 1306 set: 1307 new->jit_keyring = reqkey_defl; 1308 commit_creds(new); 1309 return old_setting; 1310 error: 1311 abort_creds(new); 1312 return ret; 1313 } 1314 1315 /* 1316 * Set or clear the timeout on a key. 1317 * 1318 * Either the key must grant the caller Setattr permission or else the caller 1319 * must hold an instantiation authorisation token for the key. 1320 * 1321 * The timeout is either 0 to clear the timeout, or a number of seconds from 1322 * the current time. The key and any links to the key will be automatically 1323 * garbage collected after the timeout expires. 1324 * 1325 * Keys with KEY_FLAG_KEEP set should not be timed out. 1326 * 1327 * If successful, 0 is returned. 1328 */ 1329 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1330 { 1331 struct key *key, *instkey; 1332 key_ref_t key_ref; 1333 long ret; 1334 1335 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1336 KEY_NEED_SETATTR); 1337 if (IS_ERR(key_ref)) { 1338 /* setting the timeout on a key under construction is permitted 1339 * if we have the authorisation token handy */ 1340 if (PTR_ERR(key_ref) == -EACCES) { 1341 instkey = key_get_instantiation_authkey(id); 1342 if (!IS_ERR(instkey)) { 1343 key_put(instkey); 1344 key_ref = lookup_user_key(id, 1345 KEY_LOOKUP_PARTIAL, 1346 0); 1347 if (!IS_ERR(key_ref)) 1348 goto okay; 1349 } 1350 } 1351 1352 ret = PTR_ERR(key_ref); 1353 goto error; 1354 } 1355 1356 okay: 1357 key = key_ref_to_ptr(key_ref); 1358 ret = 0; 1359 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 1360 ret = -EPERM; 1361 else 1362 key_set_timeout(key, timeout); 1363 key_put(key); 1364 1365 error: 1366 return ret; 1367 } 1368 1369 /* 1370 * Assume (or clear) the authority to instantiate the specified key. 1371 * 1372 * This sets the authoritative token currently in force for key instantiation. 1373 * This must be done for a key to be instantiated. It has the effect of making 1374 * available all the keys from the caller of the request_key() that created a 1375 * key to request_key() calls made by the caller of this function. 1376 * 1377 * The caller must have the instantiation key in their process keyrings with a 1378 * Search permission grant available to the caller. 1379 * 1380 * If the ID given is 0, then the setting will be cleared and 0 returned. 1381 * 1382 * If the ID given has a matching an authorisation key, then that key will be 1383 * set and its ID will be returned. The authorisation key can be read to get 1384 * the callout information passed to request_key(). 1385 */ 1386 long keyctl_assume_authority(key_serial_t id) 1387 { 1388 struct key *authkey; 1389 long ret; 1390 1391 /* special key IDs aren't permitted */ 1392 ret = -EINVAL; 1393 if (id < 0) 1394 goto error; 1395 1396 /* we divest ourselves of authority if given an ID of 0 */ 1397 if (id == 0) { 1398 ret = keyctl_change_reqkey_auth(NULL); 1399 goto error; 1400 } 1401 1402 /* attempt to assume the authority temporarily granted to us whilst we 1403 * instantiate the specified key 1404 * - the authorisation key must be in the current task's keyrings 1405 * somewhere 1406 */ 1407 authkey = key_get_instantiation_authkey(id); 1408 if (IS_ERR(authkey)) { 1409 ret = PTR_ERR(authkey); 1410 goto error; 1411 } 1412 1413 ret = keyctl_change_reqkey_auth(authkey); 1414 if (ret == 0) 1415 ret = authkey->serial; 1416 key_put(authkey); 1417 error: 1418 return ret; 1419 } 1420 1421 /* 1422 * Get a key's the LSM security label. 1423 * 1424 * The key must grant the caller View permission for this to work. 1425 * 1426 * If there's a buffer, then up to buflen bytes of data will be placed into it. 1427 * 1428 * If successful, the amount of information available will be returned, 1429 * irrespective of how much was copied (including the terminal NUL). 1430 */ 1431 long keyctl_get_security(key_serial_t keyid, 1432 char __user *buffer, 1433 size_t buflen) 1434 { 1435 struct key *key, *instkey; 1436 key_ref_t key_ref; 1437 char *context; 1438 long ret; 1439 1440 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 1441 if (IS_ERR(key_ref)) { 1442 if (PTR_ERR(key_ref) != -EACCES) 1443 return PTR_ERR(key_ref); 1444 1445 /* viewing a key under construction is also permitted if we 1446 * have the authorisation token handy */ 1447 instkey = key_get_instantiation_authkey(keyid); 1448 if (IS_ERR(instkey)) 1449 return PTR_ERR(instkey); 1450 key_put(instkey); 1451 1452 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); 1453 if (IS_ERR(key_ref)) 1454 return PTR_ERR(key_ref); 1455 } 1456 1457 key = key_ref_to_ptr(key_ref); 1458 ret = security_key_getsecurity(key, &context); 1459 if (ret == 0) { 1460 /* if no information was returned, give userspace an empty 1461 * string */ 1462 ret = 1; 1463 if (buffer && buflen > 0 && 1464 copy_to_user(buffer, "", 1) != 0) 1465 ret = -EFAULT; 1466 } else if (ret > 0) { 1467 /* return as much data as there's room for */ 1468 if (buffer && buflen > 0) { 1469 if (buflen > ret) 1470 buflen = ret; 1471 1472 if (copy_to_user(buffer, context, buflen) != 0) 1473 ret = -EFAULT; 1474 } 1475 1476 kfree(context); 1477 } 1478 1479 key_ref_put(key_ref); 1480 return ret; 1481 } 1482 1483 /* 1484 * Attempt to install the calling process's session keyring on the process's 1485 * parent process. 1486 * 1487 * The keyring must exist and must grant the caller LINK permission, and the 1488 * parent process must be single-threaded and must have the same effective 1489 * ownership as this process and mustn't be SUID/SGID. 1490 * 1491 * The keyring will be emplaced on the parent when it next resumes userspace. 1492 * 1493 * If successful, 0 will be returned. 1494 */ 1495 long keyctl_session_to_parent(void) 1496 { 1497 struct task_struct *me, *parent; 1498 const struct cred *mycred, *pcred; 1499 struct callback_head *newwork, *oldwork; 1500 key_ref_t keyring_r; 1501 struct cred *cred; 1502 int ret; 1503 1504 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK); 1505 if (IS_ERR(keyring_r)) 1506 return PTR_ERR(keyring_r); 1507 1508 ret = -ENOMEM; 1509 1510 /* our parent is going to need a new cred struct, a new tgcred struct 1511 * and new security data, so we allocate them here to prevent ENOMEM in 1512 * our parent */ 1513 cred = cred_alloc_blank(); 1514 if (!cred) 1515 goto error_keyring; 1516 newwork = &cred->rcu; 1517 1518 cred->session_keyring = key_ref_to_ptr(keyring_r); 1519 keyring_r = NULL; 1520 init_task_work(newwork, key_change_session_keyring); 1521 1522 me = current; 1523 rcu_read_lock(); 1524 write_lock_irq(&tasklist_lock); 1525 1526 ret = -EPERM; 1527 oldwork = NULL; 1528 parent = me->real_parent; 1529 1530 /* the parent mustn't be init and mustn't be a kernel thread */ 1531 if (parent->pid <= 1 || !parent->mm) 1532 goto unlock; 1533 1534 /* the parent must be single threaded */ 1535 if (!thread_group_empty(parent)) 1536 goto unlock; 1537 1538 /* the parent and the child must have different session keyrings or 1539 * there's no point */ 1540 mycred = current_cred(); 1541 pcred = __task_cred(parent); 1542 if (mycred == pcred || 1543 mycred->session_keyring == pcred->session_keyring) { 1544 ret = 0; 1545 goto unlock; 1546 } 1547 1548 /* the parent must have the same effective ownership and mustn't be 1549 * SUID/SGID */ 1550 if (!uid_eq(pcred->uid, mycred->euid) || 1551 !uid_eq(pcred->euid, mycred->euid) || 1552 !uid_eq(pcred->suid, mycred->euid) || 1553 !gid_eq(pcred->gid, mycred->egid) || 1554 !gid_eq(pcred->egid, mycred->egid) || 1555 !gid_eq(pcred->sgid, mycred->egid)) 1556 goto unlock; 1557 1558 /* the keyrings must have the same UID */ 1559 if ((pcred->session_keyring && 1560 !uid_eq(pcred->session_keyring->uid, mycred->euid)) || 1561 !uid_eq(mycred->session_keyring->uid, mycred->euid)) 1562 goto unlock; 1563 1564 /* cancel an already pending keyring replacement */ 1565 oldwork = task_work_cancel(parent, key_change_session_keyring); 1566 1567 /* the replacement session keyring is applied just prior to userspace 1568 * restarting */ 1569 ret = task_work_add(parent, newwork, true); 1570 if (!ret) 1571 newwork = NULL; 1572 unlock: 1573 write_unlock_irq(&tasklist_lock); 1574 rcu_read_unlock(); 1575 if (oldwork) 1576 put_cred(container_of(oldwork, struct cred, rcu)); 1577 if (newwork) 1578 put_cred(cred); 1579 return ret; 1580 1581 error_keyring: 1582 key_ref_put(keyring_r); 1583 return ret; 1584 } 1585 1586 /* 1587 * Apply a restriction to a given keyring. 1588 * 1589 * The caller must have Setattr permission to change keyring restrictions. 1590 * 1591 * The requested type name may be a NULL pointer to reject all attempts 1592 * to link to the keyring. If _type is non-NULL, _restriction can be 1593 * NULL or a pointer to a string describing the restriction. If _type is 1594 * NULL, _restriction must also be NULL. 1595 * 1596 * Returns 0 if successful. 1597 */ 1598 long keyctl_restrict_keyring(key_serial_t id, const char __user *_type, 1599 const char __user *_restriction) 1600 { 1601 key_ref_t key_ref; 1602 bool link_reject = !_type; 1603 char type[32]; 1604 char *restriction = NULL; 1605 long ret; 1606 1607 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 1608 if (IS_ERR(key_ref)) 1609 return PTR_ERR(key_ref); 1610 1611 if (_type) { 1612 ret = key_get_type_from_user(type, _type, sizeof(type)); 1613 if (ret < 0) 1614 goto error; 1615 } 1616 1617 if (_restriction) { 1618 if (!_type) { 1619 ret = -EINVAL; 1620 goto error; 1621 } 1622 1623 restriction = strndup_user(_restriction, PAGE_SIZE); 1624 if (IS_ERR(restriction)) { 1625 ret = PTR_ERR(restriction); 1626 goto error; 1627 } 1628 } 1629 1630 ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction); 1631 kfree(restriction); 1632 1633 error: 1634 key_ref_put(key_ref); 1635 1636 return ret; 1637 } 1638 1639 /* 1640 * The key control system call 1641 */ 1642 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1643 unsigned long, arg4, unsigned long, arg5) 1644 { 1645 switch (option) { 1646 case KEYCTL_GET_KEYRING_ID: 1647 return keyctl_get_keyring_ID((key_serial_t) arg2, 1648 (int) arg3); 1649 1650 case KEYCTL_JOIN_SESSION_KEYRING: 1651 return keyctl_join_session_keyring((const char __user *) arg2); 1652 1653 case KEYCTL_UPDATE: 1654 return keyctl_update_key((key_serial_t) arg2, 1655 (const void __user *) arg3, 1656 (size_t) arg4); 1657 1658 case KEYCTL_REVOKE: 1659 return keyctl_revoke_key((key_serial_t) arg2); 1660 1661 case KEYCTL_DESCRIBE: 1662 return keyctl_describe_key((key_serial_t) arg2, 1663 (char __user *) arg3, 1664 (unsigned) arg4); 1665 1666 case KEYCTL_CLEAR: 1667 return keyctl_keyring_clear((key_serial_t) arg2); 1668 1669 case KEYCTL_LINK: 1670 return keyctl_keyring_link((key_serial_t) arg2, 1671 (key_serial_t) arg3); 1672 1673 case KEYCTL_UNLINK: 1674 return keyctl_keyring_unlink((key_serial_t) arg2, 1675 (key_serial_t) arg3); 1676 1677 case KEYCTL_SEARCH: 1678 return keyctl_keyring_search((key_serial_t) arg2, 1679 (const char __user *) arg3, 1680 (const char __user *) arg4, 1681 (key_serial_t) arg5); 1682 1683 case KEYCTL_READ: 1684 return keyctl_read_key((key_serial_t) arg2, 1685 (char __user *) arg3, 1686 (size_t) arg4); 1687 1688 case KEYCTL_CHOWN: 1689 return keyctl_chown_key((key_serial_t) arg2, 1690 (uid_t) arg3, 1691 (gid_t) arg4); 1692 1693 case KEYCTL_SETPERM: 1694 return keyctl_setperm_key((key_serial_t) arg2, 1695 (key_perm_t) arg3); 1696 1697 case KEYCTL_INSTANTIATE: 1698 return keyctl_instantiate_key((key_serial_t) arg2, 1699 (const void __user *) arg3, 1700 (size_t) arg4, 1701 (key_serial_t) arg5); 1702 1703 case KEYCTL_NEGATE: 1704 return keyctl_negate_key((key_serial_t) arg2, 1705 (unsigned) arg3, 1706 (key_serial_t) arg4); 1707 1708 case KEYCTL_SET_REQKEY_KEYRING: 1709 return keyctl_set_reqkey_keyring(arg2); 1710 1711 case KEYCTL_SET_TIMEOUT: 1712 return keyctl_set_timeout((key_serial_t) arg2, 1713 (unsigned) arg3); 1714 1715 case KEYCTL_ASSUME_AUTHORITY: 1716 return keyctl_assume_authority((key_serial_t) arg2); 1717 1718 case KEYCTL_GET_SECURITY: 1719 return keyctl_get_security((key_serial_t) arg2, 1720 (char __user *) arg3, 1721 (size_t) arg4); 1722 1723 case KEYCTL_SESSION_TO_PARENT: 1724 return keyctl_session_to_parent(); 1725 1726 case KEYCTL_REJECT: 1727 return keyctl_reject_key((key_serial_t) arg2, 1728 (unsigned) arg3, 1729 (unsigned) arg4, 1730 (key_serial_t) arg5); 1731 1732 case KEYCTL_INSTANTIATE_IOV: 1733 return keyctl_instantiate_key_iov( 1734 (key_serial_t) arg2, 1735 (const struct iovec __user *) arg3, 1736 (unsigned) arg4, 1737 (key_serial_t) arg5); 1738 1739 case KEYCTL_INVALIDATE: 1740 return keyctl_invalidate_key((key_serial_t) arg2); 1741 1742 case KEYCTL_GET_PERSISTENT: 1743 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); 1744 1745 case KEYCTL_DH_COMPUTE: 1746 return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2, 1747 (char __user *) arg3, (size_t) arg4, 1748 (struct keyctl_kdf_params __user *) arg5); 1749 1750 case KEYCTL_RESTRICT_KEYRING: 1751 return keyctl_restrict_keyring((key_serial_t) arg2, 1752 (const char __user *) arg3, 1753 (const char __user *) arg4); 1754 1755 default: 1756 return -EOPNOTSUPP; 1757 } 1758 } 1759