1 /* keyctl.c: userspace keyctl operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/syscalls.h> 17 #include <linux/keyctl.h> 18 #include <linux/fs.h> 19 #include <linux/capability.h> 20 #include <linux/string.h> 21 #include <linux/err.h> 22 #include <linux/vmalloc.h> 23 #include <linux/security.h> 24 #include <asm/uaccess.h> 25 #include "internal.h" 26 27 static int key_get_type_from_user(char *type, 28 const char __user *_type, 29 unsigned len) 30 { 31 int ret; 32 33 ret = strncpy_from_user(type, _type, len); 34 35 if (ret < 0) 36 return ret; 37 38 if (ret == 0 || ret >= len) 39 return -EINVAL; 40 41 if (type[0] == '.') 42 return -EPERM; 43 44 type[len - 1] = '\0'; 45 46 return 0; 47 } 48 49 /*****************************************************************************/ 50 /* 51 * extract the description of a new key from userspace and either add it as a 52 * new key to the specified keyring or update a matching key in that keyring 53 * - the keyring must be writable 54 * - returns the new key's serial number 55 * - implements add_key() 56 */ 57 SYSCALL_DEFINE5(add_key, const char __user *, _type, 58 const char __user *, _description, 59 const void __user *, _payload, 60 size_t, plen, 61 key_serial_t, ringid) 62 { 63 key_ref_t keyring_ref, key_ref; 64 char type[32], *description; 65 void *payload; 66 long ret; 67 bool vm; 68 69 ret = -EINVAL; 70 if (plen > 1024 * 1024 - 1) 71 goto error; 72 73 /* draw all the data into kernel space */ 74 ret = key_get_type_from_user(type, _type, sizeof(type)); 75 if (ret < 0) 76 goto error; 77 78 description = strndup_user(_description, PAGE_SIZE); 79 if (IS_ERR(description)) { 80 ret = PTR_ERR(description); 81 goto error; 82 } 83 84 /* pull the payload in if one was supplied */ 85 payload = NULL; 86 87 vm = false; 88 if (_payload) { 89 ret = -ENOMEM; 90 payload = kmalloc(plen, GFP_KERNEL); 91 if (!payload) { 92 if (plen <= PAGE_SIZE) 93 goto error2; 94 vm = true; 95 payload = vmalloc(plen); 96 if (!payload) 97 goto error2; 98 } 99 100 ret = -EFAULT; 101 if (copy_from_user(payload, _payload, plen) != 0) 102 goto error3; 103 } 104 105 /* find the target keyring (which must be writable) */ 106 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE); 107 if (IS_ERR(keyring_ref)) { 108 ret = PTR_ERR(keyring_ref); 109 goto error3; 110 } 111 112 /* create or update the requested key and add it to the target 113 * keyring */ 114 key_ref = key_create_or_update(keyring_ref, type, description, 115 payload, plen, KEY_PERM_UNDEF, 116 KEY_ALLOC_IN_QUOTA); 117 if (!IS_ERR(key_ref)) { 118 ret = key_ref_to_ptr(key_ref)->serial; 119 key_ref_put(key_ref); 120 } 121 else { 122 ret = PTR_ERR(key_ref); 123 } 124 125 key_ref_put(keyring_ref); 126 error3: 127 if (!vm) 128 kfree(payload); 129 else 130 vfree(payload); 131 error2: 132 kfree(description); 133 error: 134 return ret; 135 136 } /* end sys_add_key() */ 137 138 /*****************************************************************************/ 139 /* 140 * search the process keyrings for a matching key 141 * - nested keyrings may also be searched if they have Search permission 142 * - if a key is found, it will be attached to the destination keyring if 143 * there's one specified 144 * - /sbin/request-key will be invoked if _callout_info is non-NULL 145 * - the _callout_info string will be passed to /sbin/request-key 146 * - if the _callout_info string is empty, it will be rendered as "-" 147 * - implements request_key() 148 */ 149 SYSCALL_DEFINE4(request_key, const char __user *, _type, 150 const char __user *, _description, 151 const char __user *, _callout_info, 152 key_serial_t, destringid) 153 { 154 struct key_type *ktype; 155 struct key *key; 156 key_ref_t dest_ref; 157 size_t callout_len; 158 char type[32], *description, *callout_info; 159 long ret; 160 161 /* pull the type into kernel space */ 162 ret = key_get_type_from_user(type, _type, sizeof(type)); 163 if (ret < 0) 164 goto error; 165 166 /* pull the description into kernel space */ 167 description = strndup_user(_description, PAGE_SIZE); 168 if (IS_ERR(description)) { 169 ret = PTR_ERR(description); 170 goto error; 171 } 172 173 /* pull the callout info into kernel space */ 174 callout_info = NULL; 175 callout_len = 0; 176 if (_callout_info) { 177 callout_info = strndup_user(_callout_info, PAGE_SIZE); 178 if (IS_ERR(callout_info)) { 179 ret = PTR_ERR(callout_info); 180 goto error2; 181 } 182 callout_len = strlen(callout_info); 183 } 184 185 /* get the destination keyring if specified */ 186 dest_ref = NULL; 187 if (destringid) { 188 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 189 KEY_WRITE); 190 if (IS_ERR(dest_ref)) { 191 ret = PTR_ERR(dest_ref); 192 goto error3; 193 } 194 } 195 196 /* find the key type */ 197 ktype = key_type_lookup(type); 198 if (IS_ERR(ktype)) { 199 ret = PTR_ERR(ktype); 200 goto error4; 201 } 202 203 /* do the search */ 204 key = request_key_and_link(ktype, description, callout_info, 205 callout_len, NULL, key_ref_to_ptr(dest_ref), 206 KEY_ALLOC_IN_QUOTA); 207 if (IS_ERR(key)) { 208 ret = PTR_ERR(key); 209 goto error5; 210 } 211 212 ret = key->serial; 213 214 key_put(key); 215 error5: 216 key_type_put(ktype); 217 error4: 218 key_ref_put(dest_ref); 219 error3: 220 kfree(callout_info); 221 error2: 222 kfree(description); 223 error: 224 return ret; 225 226 } /* end sys_request_key() */ 227 228 /*****************************************************************************/ 229 /* 230 * get the ID of the specified process keyring 231 * - the keyring must have search permission to be found 232 * - implements keyctl(KEYCTL_GET_KEYRING_ID) 233 */ 234 long keyctl_get_keyring_ID(key_serial_t id, int create) 235 { 236 key_ref_t key_ref; 237 unsigned long lflags; 238 long ret; 239 240 lflags = create ? KEY_LOOKUP_CREATE : 0; 241 key_ref = lookup_user_key(id, lflags, KEY_SEARCH); 242 if (IS_ERR(key_ref)) { 243 ret = PTR_ERR(key_ref); 244 goto error; 245 } 246 247 ret = key_ref_to_ptr(key_ref)->serial; 248 key_ref_put(key_ref); 249 error: 250 return ret; 251 252 } /* end keyctl_get_keyring_ID() */ 253 254 /*****************************************************************************/ 255 /* 256 * join the session keyring 257 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING) 258 */ 259 long keyctl_join_session_keyring(const char __user *_name) 260 { 261 char *name; 262 long ret; 263 264 /* fetch the name from userspace */ 265 name = NULL; 266 if (_name) { 267 name = strndup_user(_name, PAGE_SIZE); 268 if (IS_ERR(name)) { 269 ret = PTR_ERR(name); 270 goto error; 271 } 272 } 273 274 /* join the session */ 275 ret = join_session_keyring(name); 276 kfree(name); 277 278 error: 279 return ret; 280 281 } /* end keyctl_join_session_keyring() */ 282 283 /*****************************************************************************/ 284 /* 285 * update a key's data payload 286 * - the key must be writable 287 * - implements keyctl(KEYCTL_UPDATE) 288 */ 289 long keyctl_update_key(key_serial_t id, 290 const void __user *_payload, 291 size_t plen) 292 { 293 key_ref_t key_ref; 294 void *payload; 295 long ret; 296 297 ret = -EINVAL; 298 if (plen > PAGE_SIZE) 299 goto error; 300 301 /* pull the payload in if one was supplied */ 302 payload = NULL; 303 if (_payload) { 304 ret = -ENOMEM; 305 payload = kmalloc(plen, GFP_KERNEL); 306 if (!payload) 307 goto error; 308 309 ret = -EFAULT; 310 if (copy_from_user(payload, _payload, plen) != 0) 311 goto error2; 312 } 313 314 /* find the target key (which must be writable) */ 315 key_ref = lookup_user_key(id, 0, KEY_WRITE); 316 if (IS_ERR(key_ref)) { 317 ret = PTR_ERR(key_ref); 318 goto error2; 319 } 320 321 /* update the key */ 322 ret = key_update(key_ref, payload, plen); 323 324 key_ref_put(key_ref); 325 error2: 326 kfree(payload); 327 error: 328 return ret; 329 330 } /* end keyctl_update_key() */ 331 332 /*****************************************************************************/ 333 /* 334 * revoke a key 335 * - the key must be writable 336 * - implements keyctl(KEYCTL_REVOKE) 337 */ 338 long keyctl_revoke_key(key_serial_t id) 339 { 340 key_ref_t key_ref; 341 long ret; 342 343 key_ref = lookup_user_key(id, 0, KEY_WRITE); 344 if (IS_ERR(key_ref)) { 345 ret = PTR_ERR(key_ref); 346 if (ret != -EACCES) 347 goto error; 348 key_ref = lookup_user_key(id, 0, KEY_SETATTR); 349 if (IS_ERR(key_ref)) { 350 ret = PTR_ERR(key_ref); 351 goto error; 352 } 353 } 354 355 key_revoke(key_ref_to_ptr(key_ref)); 356 ret = 0; 357 358 key_ref_put(key_ref); 359 error: 360 return ret; 361 362 } /* end keyctl_revoke_key() */ 363 364 /*****************************************************************************/ 365 /* 366 * clear the specified process keyring 367 * - the keyring must be writable 368 * - implements keyctl(KEYCTL_CLEAR) 369 */ 370 long keyctl_keyring_clear(key_serial_t ringid) 371 { 372 key_ref_t keyring_ref; 373 long ret; 374 375 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE); 376 if (IS_ERR(keyring_ref)) { 377 ret = PTR_ERR(keyring_ref); 378 goto error; 379 } 380 381 ret = keyring_clear(key_ref_to_ptr(keyring_ref)); 382 383 key_ref_put(keyring_ref); 384 error: 385 return ret; 386 387 } /* end keyctl_keyring_clear() */ 388 389 /*****************************************************************************/ 390 /* 391 * link a key into a keyring 392 * - the keyring must be writable 393 * - the key must be linkable 394 * - implements keyctl(KEYCTL_LINK) 395 */ 396 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 397 { 398 key_ref_t keyring_ref, key_ref; 399 long ret; 400 401 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE); 402 if (IS_ERR(keyring_ref)) { 403 ret = PTR_ERR(keyring_ref); 404 goto error; 405 } 406 407 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_LINK); 408 if (IS_ERR(key_ref)) { 409 ret = PTR_ERR(key_ref); 410 goto error2; 411 } 412 413 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 414 415 key_ref_put(key_ref); 416 error2: 417 key_ref_put(keyring_ref); 418 error: 419 return ret; 420 421 } /* end keyctl_keyring_link() */ 422 423 /*****************************************************************************/ 424 /* 425 * unlink the first attachment of a key from a keyring 426 * - the keyring must be writable 427 * - we don't need any permissions on the key 428 * - implements keyctl(KEYCTL_UNLINK) 429 */ 430 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 431 { 432 key_ref_t keyring_ref, key_ref; 433 long ret; 434 435 keyring_ref = lookup_user_key(ringid, 0, KEY_WRITE); 436 if (IS_ERR(keyring_ref)) { 437 ret = PTR_ERR(keyring_ref); 438 goto error; 439 } 440 441 key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0); 442 if (IS_ERR(key_ref)) { 443 ret = PTR_ERR(key_ref); 444 goto error2; 445 } 446 447 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 448 449 key_ref_put(key_ref); 450 error2: 451 key_ref_put(keyring_ref); 452 error: 453 return ret; 454 455 } /* end keyctl_keyring_unlink() */ 456 457 /*****************************************************************************/ 458 /* 459 * describe a user key 460 * - the key must have view permission 461 * - if there's a buffer, we place up to buflen bytes of data into it 462 * - unless there's an error, we return the amount of description available, 463 * irrespective of how much we may have copied 464 * - the description is formatted thus: 465 * type;uid;gid;perm;description<NUL> 466 * - implements keyctl(KEYCTL_DESCRIBE) 467 */ 468 long keyctl_describe_key(key_serial_t keyid, 469 char __user *buffer, 470 size_t buflen) 471 { 472 struct key *key, *instkey; 473 key_ref_t key_ref; 474 char *tmpbuf; 475 long ret; 476 477 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_VIEW); 478 if (IS_ERR(key_ref)) { 479 /* viewing a key under construction is permitted if we have the 480 * authorisation token handy */ 481 if (PTR_ERR(key_ref) == -EACCES) { 482 instkey = key_get_instantiation_authkey(keyid); 483 if (!IS_ERR(instkey)) { 484 key_put(instkey); 485 key_ref = lookup_user_key(keyid, 486 KEY_LOOKUP_PARTIAL, 487 0); 488 if (!IS_ERR(key_ref)) 489 goto okay; 490 } 491 } 492 493 ret = PTR_ERR(key_ref); 494 goto error; 495 } 496 497 okay: 498 /* calculate how much description we're going to return */ 499 ret = -ENOMEM; 500 tmpbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); 501 if (!tmpbuf) 502 goto error2; 503 504 key = key_ref_to_ptr(key_ref); 505 506 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 507 "%s;%d;%d;%08x;%s", 508 key->type->name, 509 key->uid, 510 key->gid, 511 key->perm, 512 key->description ?: ""); 513 514 /* include a NUL char at the end of the data */ 515 if (ret > PAGE_SIZE - 1) 516 ret = PAGE_SIZE - 1; 517 tmpbuf[ret] = 0; 518 ret++; 519 520 /* consider returning the data */ 521 if (buffer && buflen > 0) { 522 if (buflen > ret) 523 buflen = ret; 524 525 if (copy_to_user(buffer, tmpbuf, buflen) != 0) 526 ret = -EFAULT; 527 } 528 529 kfree(tmpbuf); 530 error2: 531 key_ref_put(key_ref); 532 error: 533 return ret; 534 535 } /* end keyctl_describe_key() */ 536 537 /*****************************************************************************/ 538 /* 539 * search the specified keyring for a matching key 540 * - the start keyring must be searchable 541 * - nested keyrings may also be searched if they are searchable 542 * - only keys with search permission may be found 543 * - if a key is found, it will be attached to the destination keyring if 544 * there's one specified 545 * - implements keyctl(KEYCTL_SEARCH) 546 */ 547 long keyctl_keyring_search(key_serial_t ringid, 548 const char __user *_type, 549 const char __user *_description, 550 key_serial_t destringid) 551 { 552 struct key_type *ktype; 553 key_ref_t keyring_ref, key_ref, dest_ref; 554 char type[32], *description; 555 long ret; 556 557 /* pull the type and description into kernel space */ 558 ret = key_get_type_from_user(type, _type, sizeof(type)); 559 if (ret < 0) 560 goto error; 561 562 description = strndup_user(_description, PAGE_SIZE); 563 if (IS_ERR(description)) { 564 ret = PTR_ERR(description); 565 goto error; 566 } 567 568 /* get the keyring at which to begin the search */ 569 keyring_ref = lookup_user_key(ringid, 0, KEY_SEARCH); 570 if (IS_ERR(keyring_ref)) { 571 ret = PTR_ERR(keyring_ref); 572 goto error2; 573 } 574 575 /* get the destination keyring if specified */ 576 dest_ref = NULL; 577 if (destringid) { 578 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 579 KEY_WRITE); 580 if (IS_ERR(dest_ref)) { 581 ret = PTR_ERR(dest_ref); 582 goto error3; 583 } 584 } 585 586 /* find the key type */ 587 ktype = key_type_lookup(type); 588 if (IS_ERR(ktype)) { 589 ret = PTR_ERR(ktype); 590 goto error4; 591 } 592 593 /* do the search */ 594 key_ref = keyring_search(keyring_ref, ktype, description); 595 if (IS_ERR(key_ref)) { 596 ret = PTR_ERR(key_ref); 597 598 /* treat lack or presence of a negative key the same */ 599 if (ret == -EAGAIN) 600 ret = -ENOKEY; 601 goto error5; 602 } 603 604 /* link the resulting key to the destination keyring if we can */ 605 if (dest_ref) { 606 ret = key_permission(key_ref, KEY_LINK); 607 if (ret < 0) 608 goto error6; 609 610 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 611 if (ret < 0) 612 goto error6; 613 } 614 615 ret = key_ref_to_ptr(key_ref)->serial; 616 617 error6: 618 key_ref_put(key_ref); 619 error5: 620 key_type_put(ktype); 621 error4: 622 key_ref_put(dest_ref); 623 error3: 624 key_ref_put(keyring_ref); 625 error2: 626 kfree(description); 627 error: 628 return ret; 629 630 } /* end keyctl_keyring_search() */ 631 632 /*****************************************************************************/ 633 /* 634 * read a user key's payload 635 * - the keyring must be readable or the key must be searchable from the 636 * process's keyrings 637 * - if there's a buffer, we place up to buflen bytes of data into it 638 * - unless there's an error, we return the amount of data in the key, 639 * irrespective of how much we may have copied 640 * - implements keyctl(KEYCTL_READ) 641 */ 642 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 643 { 644 struct key *key; 645 key_ref_t key_ref; 646 long ret; 647 648 /* find the key first */ 649 key_ref = lookup_user_key(keyid, 0, 0); 650 if (IS_ERR(key_ref)) { 651 ret = -ENOKEY; 652 goto error; 653 } 654 655 key = key_ref_to_ptr(key_ref); 656 657 /* see if we can read it directly */ 658 ret = key_permission(key_ref, KEY_READ); 659 if (ret == 0) 660 goto can_read_key; 661 if (ret != -EACCES) 662 goto error; 663 664 /* we can't; see if it's searchable from this process's keyrings 665 * - we automatically take account of the fact that it may be 666 * dangling off an instantiation key 667 */ 668 if (!is_key_possessed(key_ref)) { 669 ret = -EACCES; 670 goto error2; 671 } 672 673 /* the key is probably readable - now try to read it */ 674 can_read_key: 675 ret = key_validate(key); 676 if (ret == 0) { 677 ret = -EOPNOTSUPP; 678 if (key->type->read) { 679 /* read the data with the semaphore held (since we 680 * might sleep) */ 681 down_read(&key->sem); 682 ret = key->type->read(key, buffer, buflen); 683 up_read(&key->sem); 684 } 685 } 686 687 error2: 688 key_put(key); 689 error: 690 return ret; 691 692 } /* end keyctl_read_key() */ 693 694 /*****************************************************************************/ 695 /* 696 * change the ownership of a key 697 * - the keyring owned by the changer 698 * - if the uid or gid is -1, then that parameter is not changed 699 * - implements keyctl(KEYCTL_CHOWN) 700 */ 701 long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 702 { 703 struct key_user *newowner, *zapowner = NULL; 704 struct key *key; 705 key_ref_t key_ref; 706 long ret; 707 708 ret = 0; 709 if (uid == (uid_t) -1 && gid == (gid_t) -1) 710 goto error; 711 712 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 713 KEY_SETATTR); 714 if (IS_ERR(key_ref)) { 715 ret = PTR_ERR(key_ref); 716 goto error; 717 } 718 719 key = key_ref_to_ptr(key_ref); 720 721 /* make the changes with the locks held to prevent chown/chown races */ 722 ret = -EACCES; 723 down_write(&key->sem); 724 725 if (!capable(CAP_SYS_ADMIN)) { 726 /* only the sysadmin can chown a key to some other UID */ 727 if (uid != (uid_t) -1 && key->uid != uid) 728 goto error_put; 729 730 /* only the sysadmin can set the key's GID to a group other 731 * than one of those that the current process subscribes to */ 732 if (gid != (gid_t) -1 && gid != key->gid && !in_group_p(gid)) 733 goto error_put; 734 } 735 736 /* change the UID */ 737 if (uid != (uid_t) -1 && uid != key->uid) { 738 ret = -ENOMEM; 739 newowner = key_user_lookup(uid, current_user_ns()); 740 if (!newowner) 741 goto error_put; 742 743 /* transfer the quota burden to the new user */ 744 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 745 unsigned maxkeys = (uid == 0) ? 746 key_quota_root_maxkeys : key_quota_maxkeys; 747 unsigned maxbytes = (uid == 0) ? 748 key_quota_root_maxbytes : key_quota_maxbytes; 749 750 spin_lock(&newowner->lock); 751 if (newowner->qnkeys + 1 >= maxkeys || 752 newowner->qnbytes + key->quotalen >= maxbytes || 753 newowner->qnbytes + key->quotalen < 754 newowner->qnbytes) 755 goto quota_overrun; 756 757 newowner->qnkeys++; 758 newowner->qnbytes += key->quotalen; 759 spin_unlock(&newowner->lock); 760 761 spin_lock(&key->user->lock); 762 key->user->qnkeys--; 763 key->user->qnbytes -= key->quotalen; 764 spin_unlock(&key->user->lock); 765 } 766 767 atomic_dec(&key->user->nkeys); 768 atomic_inc(&newowner->nkeys); 769 770 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 771 atomic_dec(&key->user->nikeys); 772 atomic_inc(&newowner->nikeys); 773 } 774 775 zapowner = key->user; 776 key->user = newowner; 777 key->uid = uid; 778 } 779 780 /* change the GID */ 781 if (gid != (gid_t) -1) 782 key->gid = gid; 783 784 ret = 0; 785 786 error_put: 787 up_write(&key->sem); 788 key_put(key); 789 if (zapowner) 790 key_user_put(zapowner); 791 error: 792 return ret; 793 794 quota_overrun: 795 spin_unlock(&newowner->lock); 796 zapowner = newowner; 797 ret = -EDQUOT; 798 goto error_put; 799 800 } /* end keyctl_chown_key() */ 801 802 /*****************************************************************************/ 803 /* 804 * change the permission mask on a key 805 * - the keyring owned by the changer 806 * - implements keyctl(KEYCTL_SETPERM) 807 */ 808 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 809 { 810 struct key *key; 811 key_ref_t key_ref; 812 long ret; 813 814 ret = -EINVAL; 815 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 816 goto error; 817 818 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 819 KEY_SETATTR); 820 if (IS_ERR(key_ref)) { 821 ret = PTR_ERR(key_ref); 822 goto error; 823 } 824 825 key = key_ref_to_ptr(key_ref); 826 827 /* make the changes with the locks held to prevent chown/chmod races */ 828 ret = -EACCES; 829 down_write(&key->sem); 830 831 /* if we're not the sysadmin, we can only change a key that we own */ 832 if (capable(CAP_SYS_ADMIN) || key->uid == current_fsuid()) { 833 key->perm = perm; 834 ret = 0; 835 } 836 837 up_write(&key->sem); 838 key_put(key); 839 error: 840 return ret; 841 842 } /* end keyctl_setperm_key() */ 843 844 /* 845 * get the destination keyring for instantiation 846 */ 847 static long get_instantiation_keyring(key_serial_t ringid, 848 struct request_key_auth *rka, 849 struct key **_dest_keyring) 850 { 851 key_ref_t dkref; 852 853 *_dest_keyring = NULL; 854 855 /* just return a NULL pointer if we weren't asked to make a link */ 856 if (ringid == 0) 857 return 0; 858 859 /* if a specific keyring is nominated by ID, then use that */ 860 if (ringid > 0) { 861 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE); 862 if (IS_ERR(dkref)) 863 return PTR_ERR(dkref); 864 *_dest_keyring = key_ref_to_ptr(dkref); 865 return 0; 866 } 867 868 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 869 return -EINVAL; 870 871 /* otherwise specify the destination keyring recorded in the 872 * authorisation key (any KEY_SPEC_*_KEYRING) */ 873 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 874 *_dest_keyring = key_get(rka->dest_keyring); 875 return 0; 876 } 877 878 return -ENOKEY; 879 } 880 881 /* 882 * change the request_key authorisation key on the current process 883 */ 884 static int keyctl_change_reqkey_auth(struct key *key) 885 { 886 struct cred *new; 887 888 new = prepare_creds(); 889 if (!new) 890 return -ENOMEM; 891 892 key_put(new->request_key_auth); 893 new->request_key_auth = key_get(key); 894 895 return commit_creds(new); 896 } 897 898 /*****************************************************************************/ 899 /* 900 * instantiate the key with the specified payload, and, if one is given, link 901 * the key into the keyring 902 */ 903 long keyctl_instantiate_key(key_serial_t id, 904 const void __user *_payload, 905 size_t plen, 906 key_serial_t ringid) 907 { 908 const struct cred *cred = current_cred(); 909 struct request_key_auth *rka; 910 struct key *instkey, *dest_keyring; 911 void *payload; 912 long ret; 913 bool vm = false; 914 915 kenter("%d,,%zu,%d", id, plen, ringid); 916 917 ret = -EINVAL; 918 if (plen > 1024 * 1024 - 1) 919 goto error; 920 921 /* the appropriate instantiation authorisation key must have been 922 * assumed before calling this */ 923 ret = -EPERM; 924 instkey = cred->request_key_auth; 925 if (!instkey) 926 goto error; 927 928 rka = instkey->payload.data; 929 if (rka->target_key->serial != id) 930 goto error; 931 932 /* pull the payload in if one was supplied */ 933 payload = NULL; 934 935 if (_payload) { 936 ret = -ENOMEM; 937 payload = kmalloc(plen, GFP_KERNEL); 938 if (!payload) { 939 if (plen <= PAGE_SIZE) 940 goto error; 941 vm = true; 942 payload = vmalloc(plen); 943 if (!payload) 944 goto error; 945 } 946 947 ret = -EFAULT; 948 if (copy_from_user(payload, _payload, plen) != 0) 949 goto error2; 950 } 951 952 /* find the destination keyring amongst those belonging to the 953 * requesting task */ 954 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 955 if (ret < 0) 956 goto error2; 957 958 /* instantiate the key and link it into a keyring */ 959 ret = key_instantiate_and_link(rka->target_key, payload, plen, 960 dest_keyring, instkey); 961 962 key_put(dest_keyring); 963 964 /* discard the assumed authority if it's just been disabled by 965 * instantiation of the key */ 966 if (ret == 0) 967 keyctl_change_reqkey_auth(NULL); 968 969 error2: 970 if (!vm) 971 kfree(payload); 972 else 973 vfree(payload); 974 error: 975 return ret; 976 977 } /* end keyctl_instantiate_key() */ 978 979 /*****************************************************************************/ 980 /* 981 * negatively instantiate the key with the given timeout (in seconds), and, if 982 * one is given, link the key into the keyring 983 */ 984 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 985 { 986 const struct cred *cred = current_cred(); 987 struct request_key_auth *rka; 988 struct key *instkey, *dest_keyring; 989 long ret; 990 991 kenter("%d,%u,%d", id, timeout, ringid); 992 993 /* the appropriate instantiation authorisation key must have been 994 * assumed before calling this */ 995 ret = -EPERM; 996 instkey = cred->request_key_auth; 997 if (!instkey) 998 goto error; 999 1000 rka = instkey->payload.data; 1001 if (rka->target_key->serial != id) 1002 goto error; 1003 1004 /* find the destination keyring if present (which must also be 1005 * writable) */ 1006 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1007 if (ret < 0) 1008 goto error; 1009 1010 /* instantiate the key and link it into a keyring */ 1011 ret = key_negate_and_link(rka->target_key, timeout, 1012 dest_keyring, instkey); 1013 1014 key_put(dest_keyring); 1015 1016 /* discard the assumed authority if it's just been disabled by 1017 * instantiation of the key */ 1018 if (ret == 0) 1019 keyctl_change_reqkey_auth(NULL); 1020 1021 error: 1022 return ret; 1023 1024 } /* end keyctl_negate_key() */ 1025 1026 /*****************************************************************************/ 1027 /* 1028 * set the default keyring in which request_key() will cache keys 1029 * - return the old setting 1030 */ 1031 long keyctl_set_reqkey_keyring(int reqkey_defl) 1032 { 1033 struct cred *new; 1034 int ret, old_setting; 1035 1036 old_setting = current_cred_xxx(jit_keyring); 1037 1038 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1039 return old_setting; 1040 1041 new = prepare_creds(); 1042 if (!new) 1043 return -ENOMEM; 1044 1045 switch (reqkey_defl) { 1046 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1047 ret = install_thread_keyring_to_cred(new); 1048 if (ret < 0) 1049 goto error; 1050 goto set; 1051 1052 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1053 ret = install_process_keyring_to_cred(new); 1054 if (ret < 0) { 1055 if (ret != -EEXIST) 1056 goto error; 1057 ret = 0; 1058 } 1059 goto set; 1060 1061 case KEY_REQKEY_DEFL_DEFAULT: 1062 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1063 case KEY_REQKEY_DEFL_USER_KEYRING: 1064 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1065 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1066 goto set; 1067 1068 case KEY_REQKEY_DEFL_NO_CHANGE: 1069 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1070 default: 1071 ret = -EINVAL; 1072 goto error; 1073 } 1074 1075 set: 1076 new->jit_keyring = reqkey_defl; 1077 commit_creds(new); 1078 return old_setting; 1079 error: 1080 abort_creds(new); 1081 return ret; 1082 1083 } /* end keyctl_set_reqkey_keyring() */ 1084 1085 /*****************************************************************************/ 1086 /* 1087 * set or clear the timeout for a key 1088 */ 1089 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1090 { 1091 struct timespec now; 1092 struct key *key, *instkey; 1093 key_ref_t key_ref; 1094 time_t expiry; 1095 long ret; 1096 1097 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1098 KEY_SETATTR); 1099 if (IS_ERR(key_ref)) { 1100 /* setting the timeout on a key under construction is permitted 1101 * if we have the authorisation token handy */ 1102 if (PTR_ERR(key_ref) == -EACCES) { 1103 instkey = key_get_instantiation_authkey(id); 1104 if (!IS_ERR(instkey)) { 1105 key_put(instkey); 1106 key_ref = lookup_user_key(id, 1107 KEY_LOOKUP_PARTIAL, 1108 0); 1109 if (!IS_ERR(key_ref)) 1110 goto okay; 1111 } 1112 } 1113 1114 ret = PTR_ERR(key_ref); 1115 goto error; 1116 } 1117 1118 okay: 1119 key = key_ref_to_ptr(key_ref); 1120 1121 /* make the changes with the locks held to prevent races */ 1122 down_write(&key->sem); 1123 1124 expiry = 0; 1125 if (timeout > 0) { 1126 now = current_kernel_time(); 1127 expiry = now.tv_sec + timeout; 1128 } 1129 1130 key->expiry = expiry; 1131 key_schedule_gc(key->expiry + key_gc_delay); 1132 1133 up_write(&key->sem); 1134 key_put(key); 1135 1136 ret = 0; 1137 error: 1138 return ret; 1139 1140 } /* end keyctl_set_timeout() */ 1141 1142 /*****************************************************************************/ 1143 /* 1144 * assume the authority to instantiate the specified key 1145 */ 1146 long keyctl_assume_authority(key_serial_t id) 1147 { 1148 struct key *authkey; 1149 long ret; 1150 1151 /* special key IDs aren't permitted */ 1152 ret = -EINVAL; 1153 if (id < 0) 1154 goto error; 1155 1156 /* we divest ourselves of authority if given an ID of 0 */ 1157 if (id == 0) { 1158 ret = keyctl_change_reqkey_auth(NULL); 1159 goto error; 1160 } 1161 1162 /* attempt to assume the authority temporarily granted to us whilst we 1163 * instantiate the specified key 1164 * - the authorisation key must be in the current task's keyrings 1165 * somewhere 1166 */ 1167 authkey = key_get_instantiation_authkey(id); 1168 if (IS_ERR(authkey)) { 1169 ret = PTR_ERR(authkey); 1170 goto error; 1171 } 1172 1173 ret = keyctl_change_reqkey_auth(authkey); 1174 if (ret < 0) 1175 goto error; 1176 key_put(authkey); 1177 1178 ret = authkey->serial; 1179 error: 1180 return ret; 1181 1182 } /* end keyctl_assume_authority() */ 1183 1184 /* 1185 * get the security label of a key 1186 * - the key must grant us view permission 1187 * - if there's a buffer, we place up to buflen bytes of data into it 1188 * - unless there's an error, we return the amount of information available, 1189 * irrespective of how much we may have copied (including the terminal NUL) 1190 * - implements keyctl(KEYCTL_GET_SECURITY) 1191 */ 1192 long keyctl_get_security(key_serial_t keyid, 1193 char __user *buffer, 1194 size_t buflen) 1195 { 1196 struct key *key, *instkey; 1197 key_ref_t key_ref; 1198 char *context; 1199 long ret; 1200 1201 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_VIEW); 1202 if (IS_ERR(key_ref)) { 1203 if (PTR_ERR(key_ref) != -EACCES) 1204 return PTR_ERR(key_ref); 1205 1206 /* viewing a key under construction is also permitted if we 1207 * have the authorisation token handy */ 1208 instkey = key_get_instantiation_authkey(keyid); 1209 if (IS_ERR(instkey)) 1210 return PTR_ERR(instkey); 1211 key_put(instkey); 1212 1213 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); 1214 if (IS_ERR(key_ref)) 1215 return PTR_ERR(key_ref); 1216 } 1217 1218 key = key_ref_to_ptr(key_ref); 1219 ret = security_key_getsecurity(key, &context); 1220 if (ret == 0) { 1221 /* if no information was returned, give userspace an empty 1222 * string */ 1223 ret = 1; 1224 if (buffer && buflen > 0 && 1225 copy_to_user(buffer, "", 1) != 0) 1226 ret = -EFAULT; 1227 } else if (ret > 0) { 1228 /* return as much data as there's room for */ 1229 if (buffer && buflen > 0) { 1230 if (buflen > ret) 1231 buflen = ret; 1232 1233 if (copy_to_user(buffer, context, buflen) != 0) 1234 ret = -EFAULT; 1235 } 1236 1237 kfree(context); 1238 } 1239 1240 key_ref_put(key_ref); 1241 return ret; 1242 } 1243 1244 /* 1245 * attempt to install the calling process's session keyring on the process's 1246 * parent process 1247 * - the keyring must exist and must grant us LINK permission 1248 * - implements keyctl(KEYCTL_SESSION_TO_PARENT) 1249 */ 1250 long keyctl_session_to_parent(void) 1251 { 1252 #ifdef TIF_NOTIFY_RESUME 1253 struct task_struct *me, *parent; 1254 const struct cred *mycred, *pcred; 1255 struct cred *cred, *oldcred; 1256 key_ref_t keyring_r; 1257 int ret; 1258 1259 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_LINK); 1260 if (IS_ERR(keyring_r)) 1261 return PTR_ERR(keyring_r); 1262 1263 /* our parent is going to need a new cred struct, a new tgcred struct 1264 * and new security data, so we allocate them here to prevent ENOMEM in 1265 * our parent */ 1266 ret = -ENOMEM; 1267 cred = cred_alloc_blank(); 1268 if (!cred) 1269 goto error_keyring; 1270 1271 cred->tgcred->session_keyring = key_ref_to_ptr(keyring_r); 1272 keyring_r = NULL; 1273 1274 me = current; 1275 rcu_read_lock(); 1276 write_lock_irq(&tasklist_lock); 1277 1278 parent = me->real_parent; 1279 ret = -EPERM; 1280 1281 /* the parent mustn't be init and mustn't be a kernel thread */ 1282 if (parent->pid <= 1 || !parent->mm) 1283 goto not_permitted; 1284 1285 /* the parent must be single threaded */ 1286 if (!thread_group_empty(parent)) 1287 goto not_permitted; 1288 1289 /* the parent and the child must have different session keyrings or 1290 * there's no point */ 1291 mycred = current_cred(); 1292 pcred = __task_cred(parent); 1293 if (mycred == pcred || 1294 mycred->tgcred->session_keyring == pcred->tgcred->session_keyring) 1295 goto already_same; 1296 1297 /* the parent must have the same effective ownership and mustn't be 1298 * SUID/SGID */ 1299 if (pcred->uid != mycred->euid || 1300 pcred->euid != mycred->euid || 1301 pcred->suid != mycred->euid || 1302 pcred->gid != mycred->egid || 1303 pcred->egid != mycred->egid || 1304 pcred->sgid != mycred->egid) 1305 goto not_permitted; 1306 1307 /* the keyrings must have the same UID */ 1308 if ((pcred->tgcred->session_keyring && 1309 pcred->tgcred->session_keyring->uid != mycred->euid) || 1310 mycred->tgcred->session_keyring->uid != mycred->euid) 1311 goto not_permitted; 1312 1313 /* if there's an already pending keyring replacement, then we replace 1314 * that */ 1315 oldcred = parent->replacement_session_keyring; 1316 1317 /* the replacement session keyring is applied just prior to userspace 1318 * restarting */ 1319 parent->replacement_session_keyring = cred; 1320 cred = NULL; 1321 set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME); 1322 1323 write_unlock_irq(&tasklist_lock); 1324 rcu_read_unlock(); 1325 if (oldcred) 1326 put_cred(oldcred); 1327 return 0; 1328 1329 already_same: 1330 ret = 0; 1331 not_permitted: 1332 write_unlock_irq(&tasklist_lock); 1333 rcu_read_unlock(); 1334 put_cred(cred); 1335 return ret; 1336 1337 error_keyring: 1338 key_ref_put(keyring_r); 1339 return ret; 1340 1341 #else /* !TIF_NOTIFY_RESUME */ 1342 /* 1343 * To be removed when TIF_NOTIFY_RESUME has been implemented on 1344 * m68k/xtensa 1345 */ 1346 #warning TIF_NOTIFY_RESUME not implemented 1347 return -EOPNOTSUPP; 1348 #endif /* !TIF_NOTIFY_RESUME */ 1349 } 1350 1351 /*****************************************************************************/ 1352 /* 1353 * the key control system call 1354 */ 1355 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1356 unsigned long, arg4, unsigned long, arg5) 1357 { 1358 switch (option) { 1359 case KEYCTL_GET_KEYRING_ID: 1360 return keyctl_get_keyring_ID((key_serial_t) arg2, 1361 (int) arg3); 1362 1363 case KEYCTL_JOIN_SESSION_KEYRING: 1364 return keyctl_join_session_keyring((const char __user *) arg2); 1365 1366 case KEYCTL_UPDATE: 1367 return keyctl_update_key((key_serial_t) arg2, 1368 (const void __user *) arg3, 1369 (size_t) arg4); 1370 1371 case KEYCTL_REVOKE: 1372 return keyctl_revoke_key((key_serial_t) arg2); 1373 1374 case KEYCTL_DESCRIBE: 1375 return keyctl_describe_key((key_serial_t) arg2, 1376 (char __user *) arg3, 1377 (unsigned) arg4); 1378 1379 case KEYCTL_CLEAR: 1380 return keyctl_keyring_clear((key_serial_t) arg2); 1381 1382 case KEYCTL_LINK: 1383 return keyctl_keyring_link((key_serial_t) arg2, 1384 (key_serial_t) arg3); 1385 1386 case KEYCTL_UNLINK: 1387 return keyctl_keyring_unlink((key_serial_t) arg2, 1388 (key_serial_t) arg3); 1389 1390 case KEYCTL_SEARCH: 1391 return keyctl_keyring_search((key_serial_t) arg2, 1392 (const char __user *) arg3, 1393 (const char __user *) arg4, 1394 (key_serial_t) arg5); 1395 1396 case KEYCTL_READ: 1397 return keyctl_read_key((key_serial_t) arg2, 1398 (char __user *) arg3, 1399 (size_t) arg4); 1400 1401 case KEYCTL_CHOWN: 1402 return keyctl_chown_key((key_serial_t) arg2, 1403 (uid_t) arg3, 1404 (gid_t) arg4); 1405 1406 case KEYCTL_SETPERM: 1407 return keyctl_setperm_key((key_serial_t) arg2, 1408 (key_perm_t) arg3); 1409 1410 case KEYCTL_INSTANTIATE: 1411 return keyctl_instantiate_key((key_serial_t) arg2, 1412 (const void __user *) arg3, 1413 (size_t) arg4, 1414 (key_serial_t) arg5); 1415 1416 case KEYCTL_NEGATE: 1417 return keyctl_negate_key((key_serial_t) arg2, 1418 (unsigned) arg3, 1419 (key_serial_t) arg4); 1420 1421 case KEYCTL_SET_REQKEY_KEYRING: 1422 return keyctl_set_reqkey_keyring(arg2); 1423 1424 case KEYCTL_SET_TIMEOUT: 1425 return keyctl_set_timeout((key_serial_t) arg2, 1426 (unsigned) arg3); 1427 1428 case KEYCTL_ASSUME_AUTHORITY: 1429 return keyctl_assume_authority((key_serial_t) arg2); 1430 1431 case KEYCTL_GET_SECURITY: 1432 return keyctl_get_security((key_serial_t) arg2, 1433 (char __user *) arg3, 1434 (size_t) arg4); 1435 1436 case KEYCTL_SESSION_TO_PARENT: 1437 return keyctl_session_to_parent(); 1438 1439 default: 1440 return -EOPNOTSUPP; 1441 } 1442 1443 } /* end sys_keyctl() */ 1444