1 /* Userspace key control operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/sched/task.h> 16 #include <linux/slab.h> 17 #include <linux/syscalls.h> 18 #include <linux/key.h> 19 #include <linux/keyctl.h> 20 #include <linux/fs.h> 21 #include <linux/capability.h> 22 #include <linux/cred.h> 23 #include <linux/string.h> 24 #include <linux/err.h> 25 #include <linux/vmalloc.h> 26 #include <linux/security.h> 27 #include <linux/uio.h> 28 #include <linux/uaccess.h> 29 #include "internal.h" 30 31 #define KEY_MAX_DESC_SIZE 4096 32 33 static int key_get_type_from_user(char *type, 34 const char __user *_type, 35 unsigned len) 36 { 37 int ret; 38 39 ret = strncpy_from_user(type, _type, len); 40 if (ret < 0) 41 return ret; 42 if (ret == 0 || ret >= len) 43 return -EINVAL; 44 if (type[0] == '.') 45 return -EPERM; 46 type[len - 1] = '\0'; 47 return 0; 48 } 49 50 /* 51 * Extract the description of a new key from userspace and either add it as a 52 * new key to the specified keyring or update a matching key in that keyring. 53 * 54 * If the description is NULL or an empty string, the key type is asked to 55 * generate one from the payload. 56 * 57 * The keyring must be writable so that we can attach the key to it. 58 * 59 * If successful, the new key's serial number is returned, otherwise an error 60 * code is returned. 61 */ 62 SYSCALL_DEFINE5(add_key, const char __user *, _type, 63 const char __user *, _description, 64 const void __user *, _payload, 65 size_t, plen, 66 key_serial_t, ringid) 67 { 68 key_ref_t keyring_ref, key_ref; 69 char type[32], *description; 70 void *payload; 71 long ret; 72 73 ret = -EINVAL; 74 if (plen > 1024 * 1024 - 1) 75 goto error; 76 77 /* draw all the data into kernel space */ 78 ret = key_get_type_from_user(type, _type, sizeof(type)); 79 if (ret < 0) 80 goto error; 81 82 description = NULL; 83 if (_description) { 84 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 85 if (IS_ERR(description)) { 86 ret = PTR_ERR(description); 87 goto error; 88 } 89 if (!*description) { 90 kfree(description); 91 description = NULL; 92 } else if ((description[0] == '.') && 93 (strncmp(type, "keyring", 7) == 0)) { 94 ret = -EPERM; 95 goto error2; 96 } 97 } 98 99 /* pull the payload in if one was supplied */ 100 payload = NULL; 101 102 if (_payload) { 103 ret = -ENOMEM; 104 payload = kvmalloc(plen, GFP_KERNEL); 105 if (!payload) 106 goto error2; 107 108 ret = -EFAULT; 109 if (copy_from_user(payload, _payload, plen) != 0) 110 goto error3; 111 } 112 113 /* find the target keyring (which must be writable) */ 114 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 115 if (IS_ERR(keyring_ref)) { 116 ret = PTR_ERR(keyring_ref); 117 goto error3; 118 } 119 120 /* create or update the requested key and add it to the target 121 * keyring */ 122 key_ref = key_create_or_update(keyring_ref, type, description, 123 payload, plen, KEY_PERM_UNDEF, 124 KEY_ALLOC_IN_QUOTA); 125 if (!IS_ERR(key_ref)) { 126 ret = key_ref_to_ptr(key_ref)->serial; 127 key_ref_put(key_ref); 128 } 129 else { 130 ret = PTR_ERR(key_ref); 131 } 132 133 key_ref_put(keyring_ref); 134 error3: 135 kvfree(payload); 136 error2: 137 kfree(description); 138 error: 139 return ret; 140 } 141 142 /* 143 * Search the process keyrings and keyring trees linked from those for a 144 * matching key. Keyrings must have appropriate Search permission to be 145 * searched. 146 * 147 * If a key is found, it will be attached to the destination keyring if there's 148 * one specified and the serial number of the key will be returned. 149 * 150 * If no key is found, /sbin/request-key will be invoked if _callout_info is 151 * non-NULL in an attempt to create a key. The _callout_info string will be 152 * passed to /sbin/request-key to aid with completing the request. If the 153 * _callout_info string is "" then it will be changed to "-". 154 */ 155 SYSCALL_DEFINE4(request_key, const char __user *, _type, 156 const char __user *, _description, 157 const char __user *, _callout_info, 158 key_serial_t, destringid) 159 { 160 struct key_type *ktype; 161 struct key *key; 162 key_ref_t dest_ref; 163 size_t callout_len; 164 char type[32], *description, *callout_info; 165 long ret; 166 167 /* pull the type into kernel space */ 168 ret = key_get_type_from_user(type, _type, sizeof(type)); 169 if (ret < 0) 170 goto error; 171 172 /* pull the description into kernel space */ 173 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 174 if (IS_ERR(description)) { 175 ret = PTR_ERR(description); 176 goto error; 177 } 178 179 /* pull the callout info into kernel space */ 180 callout_info = NULL; 181 callout_len = 0; 182 if (_callout_info) { 183 callout_info = strndup_user(_callout_info, PAGE_SIZE); 184 if (IS_ERR(callout_info)) { 185 ret = PTR_ERR(callout_info); 186 goto error2; 187 } 188 callout_len = strlen(callout_info); 189 } 190 191 /* get the destination keyring if specified */ 192 dest_ref = NULL; 193 if (destringid) { 194 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 195 KEY_NEED_WRITE); 196 if (IS_ERR(dest_ref)) { 197 ret = PTR_ERR(dest_ref); 198 goto error3; 199 } 200 } 201 202 /* find the key type */ 203 ktype = key_type_lookup(type); 204 if (IS_ERR(ktype)) { 205 ret = PTR_ERR(ktype); 206 goto error4; 207 } 208 209 /* do the search */ 210 key = request_key_and_link(ktype, description, callout_info, 211 callout_len, NULL, key_ref_to_ptr(dest_ref), 212 KEY_ALLOC_IN_QUOTA); 213 if (IS_ERR(key)) { 214 ret = PTR_ERR(key); 215 goto error5; 216 } 217 218 /* wait for the key to finish being constructed */ 219 ret = wait_for_key_construction(key, 1); 220 if (ret < 0) 221 goto error6; 222 223 ret = key->serial; 224 225 error6: 226 key_put(key); 227 error5: 228 key_type_put(ktype); 229 error4: 230 key_ref_put(dest_ref); 231 error3: 232 kfree(callout_info); 233 error2: 234 kfree(description); 235 error: 236 return ret; 237 } 238 239 /* 240 * Get the ID of the specified process keyring. 241 * 242 * The requested keyring must have search permission to be found. 243 * 244 * If successful, the ID of the requested keyring will be returned. 245 */ 246 long keyctl_get_keyring_ID(key_serial_t id, int create) 247 { 248 key_ref_t key_ref; 249 unsigned long lflags; 250 long ret; 251 252 lflags = create ? KEY_LOOKUP_CREATE : 0; 253 key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH); 254 if (IS_ERR(key_ref)) { 255 ret = PTR_ERR(key_ref); 256 goto error; 257 } 258 259 ret = key_ref_to_ptr(key_ref)->serial; 260 key_ref_put(key_ref); 261 error: 262 return ret; 263 } 264 265 /* 266 * Join a (named) session keyring. 267 * 268 * Create and join an anonymous session keyring or join a named session 269 * keyring, creating it if necessary. A named session keyring must have Search 270 * permission for it to be joined. Session keyrings without this permit will 271 * be skipped over. It is not permitted for userspace to create or join 272 * keyrings whose name begin with a dot. 273 * 274 * If successful, the ID of the joined session keyring will be returned. 275 */ 276 long keyctl_join_session_keyring(const char __user *_name) 277 { 278 char *name; 279 long ret; 280 281 /* fetch the name from userspace */ 282 name = NULL; 283 if (_name) { 284 name = strndup_user(_name, KEY_MAX_DESC_SIZE); 285 if (IS_ERR(name)) { 286 ret = PTR_ERR(name); 287 goto error; 288 } 289 290 ret = -EPERM; 291 if (name[0] == '.') 292 goto error_name; 293 } 294 295 /* join the session */ 296 ret = join_session_keyring(name); 297 error_name: 298 kfree(name); 299 error: 300 return ret; 301 } 302 303 /* 304 * Update a key's data payload from the given data. 305 * 306 * The key must grant the caller Write permission and the key type must support 307 * updating for this to work. A negative key can be positively instantiated 308 * with this call. 309 * 310 * If successful, 0 will be returned. If the key type does not support 311 * updating, then -EOPNOTSUPP will be returned. 312 */ 313 long keyctl_update_key(key_serial_t id, 314 const void __user *_payload, 315 size_t plen) 316 { 317 key_ref_t key_ref; 318 void *payload; 319 long ret; 320 321 ret = -EINVAL; 322 if (plen > PAGE_SIZE) 323 goto error; 324 325 /* pull the payload in if one was supplied */ 326 payload = NULL; 327 if (_payload) { 328 ret = -ENOMEM; 329 payload = kmalloc(plen, GFP_KERNEL); 330 if (!payload) 331 goto error; 332 333 ret = -EFAULT; 334 if (copy_from_user(payload, _payload, plen) != 0) 335 goto error2; 336 } 337 338 /* find the target key (which must be writable) */ 339 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 340 if (IS_ERR(key_ref)) { 341 ret = PTR_ERR(key_ref); 342 goto error2; 343 } 344 345 /* update the key */ 346 ret = key_update(key_ref, payload, plen); 347 348 key_ref_put(key_ref); 349 error2: 350 kfree(payload); 351 error: 352 return ret; 353 } 354 355 /* 356 * Revoke a key. 357 * 358 * The key must be grant the caller Write or Setattr permission for this to 359 * work. The key type should give up its quota claim when revoked. The key 360 * and any links to the key will be automatically garbage collected after a 361 * certain amount of time (/proc/sys/kernel/keys/gc_delay). 362 * 363 * Keys with KEY_FLAG_KEEP set should not be revoked. 364 * 365 * If successful, 0 is returned. 366 */ 367 long keyctl_revoke_key(key_serial_t id) 368 { 369 key_ref_t key_ref; 370 struct key *key; 371 long ret; 372 373 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 374 if (IS_ERR(key_ref)) { 375 ret = PTR_ERR(key_ref); 376 if (ret != -EACCES) 377 goto error; 378 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 379 if (IS_ERR(key_ref)) { 380 ret = PTR_ERR(key_ref); 381 goto error; 382 } 383 } 384 385 key = key_ref_to_ptr(key_ref); 386 ret = 0; 387 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 388 ret = -EPERM; 389 else 390 key_revoke(key); 391 392 key_ref_put(key_ref); 393 error: 394 return ret; 395 } 396 397 /* 398 * Invalidate a key. 399 * 400 * The key must be grant the caller Invalidate permission for this to work. 401 * The key and any links to the key will be automatically garbage collected 402 * immediately. 403 * 404 * Keys with KEY_FLAG_KEEP set should not be invalidated. 405 * 406 * If successful, 0 is returned. 407 */ 408 long keyctl_invalidate_key(key_serial_t id) 409 { 410 key_ref_t key_ref; 411 struct key *key; 412 long ret; 413 414 kenter("%d", id); 415 416 key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); 417 if (IS_ERR(key_ref)) { 418 ret = PTR_ERR(key_ref); 419 420 /* Root is permitted to invalidate certain special keys */ 421 if (capable(CAP_SYS_ADMIN)) { 422 key_ref = lookup_user_key(id, 0, 0); 423 if (IS_ERR(key_ref)) 424 goto error; 425 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, 426 &key_ref_to_ptr(key_ref)->flags)) 427 goto invalidate; 428 goto error_put; 429 } 430 431 goto error; 432 } 433 434 invalidate: 435 key = key_ref_to_ptr(key_ref); 436 ret = 0; 437 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 438 ret = -EPERM; 439 else 440 key_invalidate(key); 441 error_put: 442 key_ref_put(key_ref); 443 error: 444 kleave(" = %ld", ret); 445 return ret; 446 } 447 448 /* 449 * Clear the specified keyring, creating an empty process keyring if one of the 450 * special keyring IDs is used. 451 * 452 * The keyring must grant the caller Write permission and not have 453 * KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned. 454 */ 455 long keyctl_keyring_clear(key_serial_t ringid) 456 { 457 key_ref_t keyring_ref; 458 struct key *keyring; 459 long ret; 460 461 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 462 if (IS_ERR(keyring_ref)) { 463 ret = PTR_ERR(keyring_ref); 464 465 /* Root is permitted to invalidate certain special keyrings */ 466 if (capable(CAP_SYS_ADMIN)) { 467 keyring_ref = lookup_user_key(ringid, 0, 0); 468 if (IS_ERR(keyring_ref)) 469 goto error; 470 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, 471 &key_ref_to_ptr(keyring_ref)->flags)) 472 goto clear; 473 goto error_put; 474 } 475 476 goto error; 477 } 478 479 clear: 480 keyring = key_ref_to_ptr(keyring_ref); 481 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 482 ret = -EPERM; 483 else 484 ret = keyring_clear(keyring); 485 error_put: 486 key_ref_put(keyring_ref); 487 error: 488 return ret; 489 } 490 491 /* 492 * Create a link from a keyring to a key if there's no matching key in the 493 * keyring, otherwise replace the link to the matching key with a link to the 494 * new key. 495 * 496 * The key must grant the caller Link permission and the the keyring must grant 497 * the caller Write permission. Furthermore, if an additional link is created, 498 * the keyring's quota will be extended. 499 * 500 * If successful, 0 will be returned. 501 */ 502 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 503 { 504 key_ref_t keyring_ref, key_ref; 505 long ret; 506 507 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 508 if (IS_ERR(keyring_ref)) { 509 ret = PTR_ERR(keyring_ref); 510 goto error; 511 } 512 513 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 514 if (IS_ERR(key_ref)) { 515 ret = PTR_ERR(key_ref); 516 goto error2; 517 } 518 519 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 520 521 key_ref_put(key_ref); 522 error2: 523 key_ref_put(keyring_ref); 524 error: 525 return ret; 526 } 527 528 /* 529 * Unlink a key from a keyring. 530 * 531 * The keyring must grant the caller Write permission for this to work; the key 532 * itself need not grant the caller anything. If the last link to a key is 533 * removed then that key will be scheduled for destruction. 534 * 535 * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. 536 * 537 * If successful, 0 will be returned. 538 */ 539 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 540 { 541 key_ref_t keyring_ref, key_ref; 542 struct key *keyring, *key; 543 long ret; 544 545 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); 546 if (IS_ERR(keyring_ref)) { 547 ret = PTR_ERR(keyring_ref); 548 goto error; 549 } 550 551 key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0); 552 if (IS_ERR(key_ref)) { 553 ret = PTR_ERR(key_ref); 554 goto error2; 555 } 556 557 keyring = key_ref_to_ptr(keyring_ref); 558 key = key_ref_to_ptr(key_ref); 559 if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && 560 test_bit(KEY_FLAG_KEEP, &key->flags)) 561 ret = -EPERM; 562 else 563 ret = key_unlink(keyring, key); 564 565 key_ref_put(key_ref); 566 error2: 567 key_ref_put(keyring_ref); 568 error: 569 return ret; 570 } 571 572 /* 573 * Return a description of a key to userspace. 574 * 575 * The key must grant the caller View permission for this to work. 576 * 577 * If there's a buffer, we place up to buflen bytes of data into it formatted 578 * in the following way: 579 * 580 * type;uid;gid;perm;description<NUL> 581 * 582 * If successful, we return the amount of description available, irrespective 583 * of how much we may have copied into the buffer. 584 */ 585 long keyctl_describe_key(key_serial_t keyid, 586 char __user *buffer, 587 size_t buflen) 588 { 589 struct key *key, *instkey; 590 key_ref_t key_ref; 591 char *infobuf; 592 long ret; 593 int desclen, infolen; 594 595 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 596 if (IS_ERR(key_ref)) { 597 /* viewing a key under construction is permitted if we have the 598 * authorisation token handy */ 599 if (PTR_ERR(key_ref) == -EACCES) { 600 instkey = key_get_instantiation_authkey(keyid); 601 if (!IS_ERR(instkey)) { 602 key_put(instkey); 603 key_ref = lookup_user_key(keyid, 604 KEY_LOOKUP_PARTIAL, 605 0); 606 if (!IS_ERR(key_ref)) 607 goto okay; 608 } 609 } 610 611 ret = PTR_ERR(key_ref); 612 goto error; 613 } 614 615 okay: 616 key = key_ref_to_ptr(key_ref); 617 desclen = strlen(key->description); 618 619 /* calculate how much information we're going to return */ 620 ret = -ENOMEM; 621 infobuf = kasprintf(GFP_KERNEL, 622 "%s;%d;%d;%08x;", 623 key->type->name, 624 from_kuid_munged(current_user_ns(), key->uid), 625 from_kgid_munged(current_user_ns(), key->gid), 626 key->perm); 627 if (!infobuf) 628 goto error2; 629 infolen = strlen(infobuf); 630 ret = infolen + desclen + 1; 631 632 /* consider returning the data */ 633 if (buffer && buflen >= ret) { 634 if (copy_to_user(buffer, infobuf, infolen) != 0 || 635 copy_to_user(buffer + infolen, key->description, 636 desclen + 1) != 0) 637 ret = -EFAULT; 638 } 639 640 kfree(infobuf); 641 error2: 642 key_ref_put(key_ref); 643 error: 644 return ret; 645 } 646 647 /* 648 * Search the specified keyring and any keyrings it links to for a matching 649 * key. Only keyrings that grant the caller Search permission will be searched 650 * (this includes the starting keyring). Only keys with Search permission can 651 * be found. 652 * 653 * If successful, the found key will be linked to the destination keyring if 654 * supplied and the key has Link permission, and the found key ID will be 655 * returned. 656 */ 657 long keyctl_keyring_search(key_serial_t ringid, 658 const char __user *_type, 659 const char __user *_description, 660 key_serial_t destringid) 661 { 662 struct key_type *ktype; 663 key_ref_t keyring_ref, key_ref, dest_ref; 664 char type[32], *description; 665 long ret; 666 667 /* pull the type and description into kernel space */ 668 ret = key_get_type_from_user(type, _type, sizeof(type)); 669 if (ret < 0) 670 goto error; 671 672 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 673 if (IS_ERR(description)) { 674 ret = PTR_ERR(description); 675 goto error; 676 } 677 678 /* get the keyring at which to begin the search */ 679 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH); 680 if (IS_ERR(keyring_ref)) { 681 ret = PTR_ERR(keyring_ref); 682 goto error2; 683 } 684 685 /* get the destination keyring if specified */ 686 dest_ref = NULL; 687 if (destringid) { 688 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 689 KEY_NEED_WRITE); 690 if (IS_ERR(dest_ref)) { 691 ret = PTR_ERR(dest_ref); 692 goto error3; 693 } 694 } 695 696 /* find the key type */ 697 ktype = key_type_lookup(type); 698 if (IS_ERR(ktype)) { 699 ret = PTR_ERR(ktype); 700 goto error4; 701 } 702 703 /* do the search */ 704 key_ref = keyring_search(keyring_ref, ktype, description); 705 if (IS_ERR(key_ref)) { 706 ret = PTR_ERR(key_ref); 707 708 /* treat lack or presence of a negative key the same */ 709 if (ret == -EAGAIN) 710 ret = -ENOKEY; 711 goto error5; 712 } 713 714 /* link the resulting key to the destination keyring if we can */ 715 if (dest_ref) { 716 ret = key_permission(key_ref, KEY_NEED_LINK); 717 if (ret < 0) 718 goto error6; 719 720 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 721 if (ret < 0) 722 goto error6; 723 } 724 725 ret = key_ref_to_ptr(key_ref)->serial; 726 727 error6: 728 key_ref_put(key_ref); 729 error5: 730 key_type_put(ktype); 731 error4: 732 key_ref_put(dest_ref); 733 error3: 734 key_ref_put(keyring_ref); 735 error2: 736 kfree(description); 737 error: 738 return ret; 739 } 740 741 /* 742 * Read a key's payload. 743 * 744 * The key must either grant the caller Read permission, or it must grant the 745 * caller Search permission when searched for from the process keyrings. 746 * 747 * If successful, we place up to buflen bytes of data into the buffer, if one 748 * is provided, and return the amount of data that is available in the key, 749 * irrespective of how much we copied into the buffer. 750 */ 751 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 752 { 753 struct key *key; 754 key_ref_t key_ref; 755 long ret; 756 757 /* find the key first */ 758 key_ref = lookup_user_key(keyid, 0, 0); 759 if (IS_ERR(key_ref)) { 760 ret = -ENOKEY; 761 goto error; 762 } 763 764 key = key_ref_to_ptr(key_ref); 765 766 /* see if we can read it directly */ 767 ret = key_permission(key_ref, KEY_NEED_READ); 768 if (ret == 0) 769 goto can_read_key; 770 if (ret != -EACCES) 771 goto error; 772 773 /* we can't; see if it's searchable from this process's keyrings 774 * - we automatically take account of the fact that it may be 775 * dangling off an instantiation key 776 */ 777 if (!is_key_possessed(key_ref)) { 778 ret = -EACCES; 779 goto error2; 780 } 781 782 /* the key is probably readable - now try to read it */ 783 can_read_key: 784 ret = -EOPNOTSUPP; 785 if (key->type->read) { 786 /* Read the data with the semaphore held (since we might sleep) 787 * to protect against the key being updated or revoked. 788 */ 789 down_read(&key->sem); 790 ret = key_validate(key); 791 if (ret == 0) 792 ret = key->type->read(key, buffer, buflen); 793 up_read(&key->sem); 794 } 795 796 error2: 797 key_put(key); 798 error: 799 return ret; 800 } 801 802 /* 803 * Change the ownership of a key 804 * 805 * The key must grant the caller Setattr permission for this to work, though 806 * the key need not be fully instantiated yet. For the UID to be changed, or 807 * for the GID to be changed to a group the caller is not a member of, the 808 * caller must have sysadmin capability. If either uid or gid is -1 then that 809 * attribute is not changed. 810 * 811 * If the UID is to be changed, the new user must have sufficient quota to 812 * accept the key. The quota deduction will be removed from the old user to 813 * the new user should the attribute be changed. 814 * 815 * If successful, 0 will be returned. 816 */ 817 long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) 818 { 819 struct key_user *newowner, *zapowner = NULL; 820 struct key *key; 821 key_ref_t key_ref; 822 long ret; 823 kuid_t uid; 824 kgid_t gid; 825 826 uid = make_kuid(current_user_ns(), user); 827 gid = make_kgid(current_user_ns(), group); 828 ret = -EINVAL; 829 if ((user != (uid_t) -1) && !uid_valid(uid)) 830 goto error; 831 if ((group != (gid_t) -1) && !gid_valid(gid)) 832 goto error; 833 834 ret = 0; 835 if (user == (uid_t) -1 && group == (gid_t) -1) 836 goto error; 837 838 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 839 KEY_NEED_SETATTR); 840 if (IS_ERR(key_ref)) { 841 ret = PTR_ERR(key_ref); 842 goto error; 843 } 844 845 key = key_ref_to_ptr(key_ref); 846 847 /* make the changes with the locks held to prevent chown/chown races */ 848 ret = -EACCES; 849 down_write(&key->sem); 850 851 if (!capable(CAP_SYS_ADMIN)) { 852 /* only the sysadmin can chown a key to some other UID */ 853 if (user != (uid_t) -1 && !uid_eq(key->uid, uid)) 854 goto error_put; 855 856 /* only the sysadmin can set the key's GID to a group other 857 * than one of those that the current process subscribes to */ 858 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid)) 859 goto error_put; 860 } 861 862 /* change the UID */ 863 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) { 864 ret = -ENOMEM; 865 newowner = key_user_lookup(uid); 866 if (!newowner) 867 goto error_put; 868 869 /* transfer the quota burden to the new user */ 870 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 871 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 872 key_quota_root_maxkeys : key_quota_maxkeys; 873 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 874 key_quota_root_maxbytes : key_quota_maxbytes; 875 876 spin_lock(&newowner->lock); 877 if (newowner->qnkeys + 1 >= maxkeys || 878 newowner->qnbytes + key->quotalen >= maxbytes || 879 newowner->qnbytes + key->quotalen < 880 newowner->qnbytes) 881 goto quota_overrun; 882 883 newowner->qnkeys++; 884 newowner->qnbytes += key->quotalen; 885 spin_unlock(&newowner->lock); 886 887 spin_lock(&key->user->lock); 888 key->user->qnkeys--; 889 key->user->qnbytes -= key->quotalen; 890 spin_unlock(&key->user->lock); 891 } 892 893 atomic_dec(&key->user->nkeys); 894 atomic_inc(&newowner->nkeys); 895 896 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 897 atomic_dec(&key->user->nikeys); 898 atomic_inc(&newowner->nikeys); 899 } 900 901 zapowner = key->user; 902 key->user = newowner; 903 key->uid = uid; 904 } 905 906 /* change the GID */ 907 if (group != (gid_t) -1) 908 key->gid = gid; 909 910 ret = 0; 911 912 error_put: 913 up_write(&key->sem); 914 key_put(key); 915 if (zapowner) 916 key_user_put(zapowner); 917 error: 918 return ret; 919 920 quota_overrun: 921 spin_unlock(&newowner->lock); 922 zapowner = newowner; 923 ret = -EDQUOT; 924 goto error_put; 925 } 926 927 /* 928 * Change the permission mask on a key. 929 * 930 * The key must grant the caller Setattr permission for this to work, though 931 * the key need not be fully instantiated yet. If the caller does not have 932 * sysadmin capability, it may only change the permission on keys that it owns. 933 */ 934 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 935 { 936 struct key *key; 937 key_ref_t key_ref; 938 long ret; 939 940 ret = -EINVAL; 941 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 942 goto error; 943 944 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 945 KEY_NEED_SETATTR); 946 if (IS_ERR(key_ref)) { 947 ret = PTR_ERR(key_ref); 948 goto error; 949 } 950 951 key = key_ref_to_ptr(key_ref); 952 953 /* make the changes with the locks held to prevent chown/chmod races */ 954 ret = -EACCES; 955 down_write(&key->sem); 956 957 /* if we're not the sysadmin, we can only change a key that we own */ 958 if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) { 959 key->perm = perm; 960 ret = 0; 961 } 962 963 up_write(&key->sem); 964 key_put(key); 965 error: 966 return ret; 967 } 968 969 /* 970 * Get the destination keyring for instantiation and check that the caller has 971 * Write permission on it. 972 */ 973 static long get_instantiation_keyring(key_serial_t ringid, 974 struct request_key_auth *rka, 975 struct key **_dest_keyring) 976 { 977 key_ref_t dkref; 978 979 *_dest_keyring = NULL; 980 981 /* just return a NULL pointer if we weren't asked to make a link */ 982 if (ringid == 0) 983 return 0; 984 985 /* if a specific keyring is nominated by ID, then use that */ 986 if (ringid > 0) { 987 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 988 if (IS_ERR(dkref)) 989 return PTR_ERR(dkref); 990 *_dest_keyring = key_ref_to_ptr(dkref); 991 return 0; 992 } 993 994 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 995 return -EINVAL; 996 997 /* otherwise specify the destination keyring recorded in the 998 * authorisation key (any KEY_SPEC_*_KEYRING) */ 999 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 1000 *_dest_keyring = key_get(rka->dest_keyring); 1001 return 0; 1002 } 1003 1004 return -ENOKEY; 1005 } 1006 1007 /* 1008 * Change the request_key authorisation key on the current process. 1009 */ 1010 static int keyctl_change_reqkey_auth(struct key *key) 1011 { 1012 struct cred *new; 1013 1014 new = prepare_creds(); 1015 if (!new) 1016 return -ENOMEM; 1017 1018 key_put(new->request_key_auth); 1019 new->request_key_auth = key_get(key); 1020 1021 return commit_creds(new); 1022 } 1023 1024 /* 1025 * Instantiate a key with the specified payload and link the key into the 1026 * destination keyring if one is given. 1027 * 1028 * The caller must have the appropriate instantiation permit set for this to 1029 * work (see keyctl_assume_authority). No other permissions are required. 1030 * 1031 * If successful, 0 will be returned. 1032 */ 1033 long keyctl_instantiate_key_common(key_serial_t id, 1034 struct iov_iter *from, 1035 key_serial_t ringid) 1036 { 1037 const struct cred *cred = current_cred(); 1038 struct request_key_auth *rka; 1039 struct key *instkey, *dest_keyring; 1040 size_t plen = from ? iov_iter_count(from) : 0; 1041 void *payload; 1042 long ret; 1043 1044 kenter("%d,,%zu,%d", id, plen, ringid); 1045 1046 if (!plen) 1047 from = NULL; 1048 1049 ret = -EINVAL; 1050 if (plen > 1024 * 1024 - 1) 1051 goto error; 1052 1053 /* the appropriate instantiation authorisation key must have been 1054 * assumed before calling this */ 1055 ret = -EPERM; 1056 instkey = cred->request_key_auth; 1057 if (!instkey) 1058 goto error; 1059 1060 rka = instkey->payload.data[0]; 1061 if (rka->target_key->serial != id) 1062 goto error; 1063 1064 /* pull the payload in if one was supplied */ 1065 payload = NULL; 1066 1067 if (from) { 1068 ret = -ENOMEM; 1069 payload = kvmalloc(plen, GFP_KERNEL); 1070 if (!payload) 1071 goto error; 1072 1073 ret = -EFAULT; 1074 if (!copy_from_iter_full(payload, plen, from)) 1075 goto error2; 1076 } 1077 1078 /* find the destination keyring amongst those belonging to the 1079 * requesting task */ 1080 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1081 if (ret < 0) 1082 goto error2; 1083 1084 /* instantiate the key and link it into a keyring */ 1085 ret = key_instantiate_and_link(rka->target_key, payload, plen, 1086 dest_keyring, instkey); 1087 1088 key_put(dest_keyring); 1089 1090 /* discard the assumed authority if it's just been disabled by 1091 * instantiation of the key */ 1092 if (ret == 0) 1093 keyctl_change_reqkey_auth(NULL); 1094 1095 error2: 1096 kvfree(payload); 1097 error: 1098 return ret; 1099 } 1100 1101 /* 1102 * Instantiate a key with the specified payload and link the key into the 1103 * destination keyring if one is given. 1104 * 1105 * The caller must have the appropriate instantiation permit set for this to 1106 * work (see keyctl_assume_authority). No other permissions are required. 1107 * 1108 * If successful, 0 will be returned. 1109 */ 1110 long keyctl_instantiate_key(key_serial_t id, 1111 const void __user *_payload, 1112 size_t plen, 1113 key_serial_t ringid) 1114 { 1115 if (_payload && plen) { 1116 struct iovec iov; 1117 struct iov_iter from; 1118 int ret; 1119 1120 ret = import_single_range(WRITE, (void __user *)_payload, plen, 1121 &iov, &from); 1122 if (unlikely(ret)) 1123 return ret; 1124 1125 return keyctl_instantiate_key_common(id, &from, ringid); 1126 } 1127 1128 return keyctl_instantiate_key_common(id, NULL, ringid); 1129 } 1130 1131 /* 1132 * Instantiate a key with the specified multipart payload and link the key into 1133 * the destination keyring if one is given. 1134 * 1135 * The caller must have the appropriate instantiation permit set for this to 1136 * work (see keyctl_assume_authority). No other permissions are required. 1137 * 1138 * If successful, 0 will be returned. 1139 */ 1140 long keyctl_instantiate_key_iov(key_serial_t id, 1141 const struct iovec __user *_payload_iov, 1142 unsigned ioc, 1143 key_serial_t ringid) 1144 { 1145 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; 1146 struct iov_iter from; 1147 long ret; 1148 1149 if (!_payload_iov) 1150 ioc = 0; 1151 1152 ret = import_iovec(WRITE, _payload_iov, ioc, 1153 ARRAY_SIZE(iovstack), &iov, &from); 1154 if (ret < 0) 1155 return ret; 1156 ret = keyctl_instantiate_key_common(id, &from, ringid); 1157 kfree(iov); 1158 return ret; 1159 } 1160 1161 /* 1162 * Negatively instantiate the key with the given timeout (in seconds) and link 1163 * the key into the destination keyring if one is given. 1164 * 1165 * The caller must have the appropriate instantiation permit set for this to 1166 * work (see keyctl_assume_authority). No other permissions are required. 1167 * 1168 * The key and any links to the key will be automatically garbage collected 1169 * after the timeout expires. 1170 * 1171 * Negative keys are used to rate limit repeated request_key() calls by causing 1172 * them to return -ENOKEY until the negative key expires. 1173 * 1174 * If successful, 0 will be returned. 1175 */ 1176 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 1177 { 1178 return keyctl_reject_key(id, timeout, ENOKEY, ringid); 1179 } 1180 1181 /* 1182 * Negatively instantiate the key with the given timeout (in seconds) and error 1183 * code and link the key into the destination keyring if one is given. 1184 * 1185 * The caller must have the appropriate instantiation permit set for this to 1186 * work (see keyctl_assume_authority). No other permissions are required. 1187 * 1188 * The key and any links to the key will be automatically garbage collected 1189 * after the timeout expires. 1190 * 1191 * Negative keys are used to rate limit repeated request_key() calls by causing 1192 * them to return the specified error code until the negative key expires. 1193 * 1194 * If successful, 0 will be returned. 1195 */ 1196 long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, 1197 key_serial_t ringid) 1198 { 1199 const struct cred *cred = current_cred(); 1200 struct request_key_auth *rka; 1201 struct key *instkey, *dest_keyring; 1202 long ret; 1203 1204 kenter("%d,%u,%u,%d", id, timeout, error, ringid); 1205 1206 /* must be a valid error code and mustn't be a kernel special */ 1207 if (error <= 0 || 1208 error >= MAX_ERRNO || 1209 error == ERESTARTSYS || 1210 error == ERESTARTNOINTR || 1211 error == ERESTARTNOHAND || 1212 error == ERESTART_RESTARTBLOCK) 1213 return -EINVAL; 1214 1215 /* the appropriate instantiation authorisation key must have been 1216 * assumed before calling this */ 1217 ret = -EPERM; 1218 instkey = cred->request_key_auth; 1219 if (!instkey) 1220 goto error; 1221 1222 rka = instkey->payload.data[0]; 1223 if (rka->target_key->serial != id) 1224 goto error; 1225 1226 /* find the destination keyring if present (which must also be 1227 * writable) */ 1228 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1229 if (ret < 0) 1230 goto error; 1231 1232 /* instantiate the key and link it into a keyring */ 1233 ret = key_reject_and_link(rka->target_key, timeout, error, 1234 dest_keyring, instkey); 1235 1236 key_put(dest_keyring); 1237 1238 /* discard the assumed authority if it's just been disabled by 1239 * instantiation of the key */ 1240 if (ret == 0) 1241 keyctl_change_reqkey_auth(NULL); 1242 1243 error: 1244 return ret; 1245 } 1246 1247 /* 1248 * Read or set the default keyring in which request_key() will cache keys and 1249 * return the old setting. 1250 * 1251 * If a thread or process keyring is specified then it will be created if it 1252 * doesn't yet exist. The old setting will be returned if successful. 1253 */ 1254 long keyctl_set_reqkey_keyring(int reqkey_defl) 1255 { 1256 struct cred *new; 1257 int ret, old_setting; 1258 1259 old_setting = current_cred_xxx(jit_keyring); 1260 1261 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1262 return old_setting; 1263 1264 new = prepare_creds(); 1265 if (!new) 1266 return -ENOMEM; 1267 1268 switch (reqkey_defl) { 1269 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1270 ret = install_thread_keyring_to_cred(new); 1271 if (ret < 0) 1272 goto error; 1273 goto set; 1274 1275 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1276 ret = install_process_keyring_to_cred(new); 1277 if (ret < 0) 1278 goto error; 1279 goto set; 1280 1281 case KEY_REQKEY_DEFL_DEFAULT: 1282 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1283 case KEY_REQKEY_DEFL_USER_KEYRING: 1284 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1285 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1286 goto set; 1287 1288 case KEY_REQKEY_DEFL_NO_CHANGE: 1289 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1290 default: 1291 ret = -EINVAL; 1292 goto error; 1293 } 1294 1295 set: 1296 new->jit_keyring = reqkey_defl; 1297 commit_creds(new); 1298 return old_setting; 1299 error: 1300 abort_creds(new); 1301 return ret; 1302 } 1303 1304 /* 1305 * Set or clear the timeout on a key. 1306 * 1307 * Either the key must grant the caller Setattr permission or else the caller 1308 * must hold an instantiation authorisation token for the key. 1309 * 1310 * The timeout is either 0 to clear the timeout, or a number of seconds from 1311 * the current time. The key and any links to the key will be automatically 1312 * garbage collected after the timeout expires. 1313 * 1314 * Keys with KEY_FLAG_KEEP set should not be timed out. 1315 * 1316 * If successful, 0 is returned. 1317 */ 1318 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1319 { 1320 struct key *key, *instkey; 1321 key_ref_t key_ref; 1322 long ret; 1323 1324 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1325 KEY_NEED_SETATTR); 1326 if (IS_ERR(key_ref)) { 1327 /* setting the timeout on a key under construction is permitted 1328 * if we have the authorisation token handy */ 1329 if (PTR_ERR(key_ref) == -EACCES) { 1330 instkey = key_get_instantiation_authkey(id); 1331 if (!IS_ERR(instkey)) { 1332 key_put(instkey); 1333 key_ref = lookup_user_key(id, 1334 KEY_LOOKUP_PARTIAL, 1335 0); 1336 if (!IS_ERR(key_ref)) 1337 goto okay; 1338 } 1339 } 1340 1341 ret = PTR_ERR(key_ref); 1342 goto error; 1343 } 1344 1345 okay: 1346 key = key_ref_to_ptr(key_ref); 1347 ret = 0; 1348 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 1349 ret = -EPERM; 1350 else 1351 key_set_timeout(key, timeout); 1352 key_put(key); 1353 1354 error: 1355 return ret; 1356 } 1357 1358 /* 1359 * Assume (or clear) the authority to instantiate the specified key. 1360 * 1361 * This sets the authoritative token currently in force for key instantiation. 1362 * This must be done for a key to be instantiated. It has the effect of making 1363 * available all the keys from the caller of the request_key() that created a 1364 * key to request_key() calls made by the caller of this function. 1365 * 1366 * The caller must have the instantiation key in their process keyrings with a 1367 * Search permission grant available to the caller. 1368 * 1369 * If the ID given is 0, then the setting will be cleared and 0 returned. 1370 * 1371 * If the ID given has a matching an authorisation key, then that key will be 1372 * set and its ID will be returned. The authorisation key can be read to get 1373 * the callout information passed to request_key(). 1374 */ 1375 long keyctl_assume_authority(key_serial_t id) 1376 { 1377 struct key *authkey; 1378 long ret; 1379 1380 /* special key IDs aren't permitted */ 1381 ret = -EINVAL; 1382 if (id < 0) 1383 goto error; 1384 1385 /* we divest ourselves of authority if given an ID of 0 */ 1386 if (id == 0) { 1387 ret = keyctl_change_reqkey_auth(NULL); 1388 goto error; 1389 } 1390 1391 /* attempt to assume the authority temporarily granted to us whilst we 1392 * instantiate the specified key 1393 * - the authorisation key must be in the current task's keyrings 1394 * somewhere 1395 */ 1396 authkey = key_get_instantiation_authkey(id); 1397 if (IS_ERR(authkey)) { 1398 ret = PTR_ERR(authkey); 1399 goto error; 1400 } 1401 1402 ret = keyctl_change_reqkey_auth(authkey); 1403 if (ret < 0) 1404 goto error; 1405 key_put(authkey); 1406 1407 ret = authkey->serial; 1408 error: 1409 return ret; 1410 } 1411 1412 /* 1413 * Get a key's the LSM security label. 1414 * 1415 * The key must grant the caller View permission for this to work. 1416 * 1417 * If there's a buffer, then up to buflen bytes of data will be placed into it. 1418 * 1419 * If successful, the amount of information available will be returned, 1420 * irrespective of how much was copied (including the terminal NUL). 1421 */ 1422 long keyctl_get_security(key_serial_t keyid, 1423 char __user *buffer, 1424 size_t buflen) 1425 { 1426 struct key *key, *instkey; 1427 key_ref_t key_ref; 1428 char *context; 1429 long ret; 1430 1431 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 1432 if (IS_ERR(key_ref)) { 1433 if (PTR_ERR(key_ref) != -EACCES) 1434 return PTR_ERR(key_ref); 1435 1436 /* viewing a key under construction is also permitted if we 1437 * have the authorisation token handy */ 1438 instkey = key_get_instantiation_authkey(keyid); 1439 if (IS_ERR(instkey)) 1440 return PTR_ERR(instkey); 1441 key_put(instkey); 1442 1443 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); 1444 if (IS_ERR(key_ref)) 1445 return PTR_ERR(key_ref); 1446 } 1447 1448 key = key_ref_to_ptr(key_ref); 1449 ret = security_key_getsecurity(key, &context); 1450 if (ret == 0) { 1451 /* if no information was returned, give userspace an empty 1452 * string */ 1453 ret = 1; 1454 if (buffer && buflen > 0 && 1455 copy_to_user(buffer, "", 1) != 0) 1456 ret = -EFAULT; 1457 } else if (ret > 0) { 1458 /* return as much data as there's room for */ 1459 if (buffer && buflen > 0) { 1460 if (buflen > ret) 1461 buflen = ret; 1462 1463 if (copy_to_user(buffer, context, buflen) != 0) 1464 ret = -EFAULT; 1465 } 1466 1467 kfree(context); 1468 } 1469 1470 key_ref_put(key_ref); 1471 return ret; 1472 } 1473 1474 /* 1475 * Attempt to install the calling process's session keyring on the process's 1476 * parent process. 1477 * 1478 * The keyring must exist and must grant the caller LINK permission, and the 1479 * parent process must be single-threaded and must have the same effective 1480 * ownership as this process and mustn't be SUID/SGID. 1481 * 1482 * The keyring will be emplaced on the parent when it next resumes userspace. 1483 * 1484 * If successful, 0 will be returned. 1485 */ 1486 long keyctl_session_to_parent(void) 1487 { 1488 struct task_struct *me, *parent; 1489 const struct cred *mycred, *pcred; 1490 struct callback_head *newwork, *oldwork; 1491 key_ref_t keyring_r; 1492 struct cred *cred; 1493 int ret; 1494 1495 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK); 1496 if (IS_ERR(keyring_r)) 1497 return PTR_ERR(keyring_r); 1498 1499 ret = -ENOMEM; 1500 1501 /* our parent is going to need a new cred struct, a new tgcred struct 1502 * and new security data, so we allocate them here to prevent ENOMEM in 1503 * our parent */ 1504 cred = cred_alloc_blank(); 1505 if (!cred) 1506 goto error_keyring; 1507 newwork = &cred->rcu; 1508 1509 cred->session_keyring = key_ref_to_ptr(keyring_r); 1510 keyring_r = NULL; 1511 init_task_work(newwork, key_change_session_keyring); 1512 1513 me = current; 1514 rcu_read_lock(); 1515 write_lock_irq(&tasklist_lock); 1516 1517 ret = -EPERM; 1518 oldwork = NULL; 1519 parent = me->real_parent; 1520 1521 /* the parent mustn't be init and mustn't be a kernel thread */ 1522 if (parent->pid <= 1 || !parent->mm) 1523 goto unlock; 1524 1525 /* the parent must be single threaded */ 1526 if (!thread_group_empty(parent)) 1527 goto unlock; 1528 1529 /* the parent and the child must have different session keyrings or 1530 * there's no point */ 1531 mycred = current_cred(); 1532 pcred = __task_cred(parent); 1533 if (mycred == pcred || 1534 mycred->session_keyring == pcred->session_keyring) { 1535 ret = 0; 1536 goto unlock; 1537 } 1538 1539 /* the parent must have the same effective ownership and mustn't be 1540 * SUID/SGID */ 1541 if (!uid_eq(pcred->uid, mycred->euid) || 1542 !uid_eq(pcred->euid, mycred->euid) || 1543 !uid_eq(pcred->suid, mycred->euid) || 1544 !gid_eq(pcred->gid, mycred->egid) || 1545 !gid_eq(pcred->egid, mycred->egid) || 1546 !gid_eq(pcred->sgid, mycred->egid)) 1547 goto unlock; 1548 1549 /* the keyrings must have the same UID */ 1550 if ((pcred->session_keyring && 1551 !uid_eq(pcred->session_keyring->uid, mycred->euid)) || 1552 !uid_eq(mycred->session_keyring->uid, mycred->euid)) 1553 goto unlock; 1554 1555 /* cancel an already pending keyring replacement */ 1556 oldwork = task_work_cancel(parent, key_change_session_keyring); 1557 1558 /* the replacement session keyring is applied just prior to userspace 1559 * restarting */ 1560 ret = task_work_add(parent, newwork, true); 1561 if (!ret) 1562 newwork = NULL; 1563 unlock: 1564 write_unlock_irq(&tasklist_lock); 1565 rcu_read_unlock(); 1566 if (oldwork) 1567 put_cred(container_of(oldwork, struct cred, rcu)); 1568 if (newwork) 1569 put_cred(cred); 1570 return ret; 1571 1572 error_keyring: 1573 key_ref_put(keyring_r); 1574 return ret; 1575 } 1576 1577 /* 1578 * Apply a restriction to a given keyring. 1579 * 1580 * The caller must have Setattr permission to change keyring restrictions. 1581 * 1582 * The requested type name may be a NULL pointer to reject all attempts 1583 * to link to the keyring. If _type is non-NULL, _restriction can be 1584 * NULL or a pointer to a string describing the restriction. If _type is 1585 * NULL, _restriction must also be NULL. 1586 * 1587 * Returns 0 if successful. 1588 */ 1589 long keyctl_restrict_keyring(key_serial_t id, const char __user *_type, 1590 const char __user *_restriction) 1591 { 1592 key_ref_t key_ref; 1593 bool link_reject = !_type; 1594 char type[32]; 1595 char *restriction = NULL; 1596 long ret; 1597 1598 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 1599 if (IS_ERR(key_ref)) 1600 return PTR_ERR(key_ref); 1601 1602 if (_type) { 1603 ret = key_get_type_from_user(type, _type, sizeof(type)); 1604 if (ret < 0) 1605 goto error; 1606 } 1607 1608 if (_restriction) { 1609 if (!_type) { 1610 ret = -EINVAL; 1611 goto error; 1612 } 1613 1614 restriction = strndup_user(_restriction, PAGE_SIZE); 1615 if (IS_ERR(restriction)) { 1616 ret = PTR_ERR(restriction); 1617 goto error; 1618 } 1619 } 1620 1621 ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction); 1622 kfree(restriction); 1623 1624 error: 1625 key_ref_put(key_ref); 1626 1627 return ret; 1628 } 1629 1630 /* 1631 * The key control system call 1632 */ 1633 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1634 unsigned long, arg4, unsigned long, arg5) 1635 { 1636 switch (option) { 1637 case KEYCTL_GET_KEYRING_ID: 1638 return keyctl_get_keyring_ID((key_serial_t) arg2, 1639 (int) arg3); 1640 1641 case KEYCTL_JOIN_SESSION_KEYRING: 1642 return keyctl_join_session_keyring((const char __user *) arg2); 1643 1644 case KEYCTL_UPDATE: 1645 return keyctl_update_key((key_serial_t) arg2, 1646 (const void __user *) arg3, 1647 (size_t) arg4); 1648 1649 case KEYCTL_REVOKE: 1650 return keyctl_revoke_key((key_serial_t) arg2); 1651 1652 case KEYCTL_DESCRIBE: 1653 return keyctl_describe_key((key_serial_t) arg2, 1654 (char __user *) arg3, 1655 (unsigned) arg4); 1656 1657 case KEYCTL_CLEAR: 1658 return keyctl_keyring_clear((key_serial_t) arg2); 1659 1660 case KEYCTL_LINK: 1661 return keyctl_keyring_link((key_serial_t) arg2, 1662 (key_serial_t) arg3); 1663 1664 case KEYCTL_UNLINK: 1665 return keyctl_keyring_unlink((key_serial_t) arg2, 1666 (key_serial_t) arg3); 1667 1668 case KEYCTL_SEARCH: 1669 return keyctl_keyring_search((key_serial_t) arg2, 1670 (const char __user *) arg3, 1671 (const char __user *) arg4, 1672 (key_serial_t) arg5); 1673 1674 case KEYCTL_READ: 1675 return keyctl_read_key((key_serial_t) arg2, 1676 (char __user *) arg3, 1677 (size_t) arg4); 1678 1679 case KEYCTL_CHOWN: 1680 return keyctl_chown_key((key_serial_t) arg2, 1681 (uid_t) arg3, 1682 (gid_t) arg4); 1683 1684 case KEYCTL_SETPERM: 1685 return keyctl_setperm_key((key_serial_t) arg2, 1686 (key_perm_t) arg3); 1687 1688 case KEYCTL_INSTANTIATE: 1689 return keyctl_instantiate_key((key_serial_t) arg2, 1690 (const void __user *) arg3, 1691 (size_t) arg4, 1692 (key_serial_t) arg5); 1693 1694 case KEYCTL_NEGATE: 1695 return keyctl_negate_key((key_serial_t) arg2, 1696 (unsigned) arg3, 1697 (key_serial_t) arg4); 1698 1699 case KEYCTL_SET_REQKEY_KEYRING: 1700 return keyctl_set_reqkey_keyring(arg2); 1701 1702 case KEYCTL_SET_TIMEOUT: 1703 return keyctl_set_timeout((key_serial_t) arg2, 1704 (unsigned) arg3); 1705 1706 case KEYCTL_ASSUME_AUTHORITY: 1707 return keyctl_assume_authority((key_serial_t) arg2); 1708 1709 case KEYCTL_GET_SECURITY: 1710 return keyctl_get_security((key_serial_t) arg2, 1711 (char __user *) arg3, 1712 (size_t) arg4); 1713 1714 case KEYCTL_SESSION_TO_PARENT: 1715 return keyctl_session_to_parent(); 1716 1717 case KEYCTL_REJECT: 1718 return keyctl_reject_key((key_serial_t) arg2, 1719 (unsigned) arg3, 1720 (unsigned) arg4, 1721 (key_serial_t) arg5); 1722 1723 case KEYCTL_INSTANTIATE_IOV: 1724 return keyctl_instantiate_key_iov( 1725 (key_serial_t) arg2, 1726 (const struct iovec __user *) arg3, 1727 (unsigned) arg4, 1728 (key_serial_t) arg5); 1729 1730 case KEYCTL_INVALIDATE: 1731 return keyctl_invalidate_key((key_serial_t) arg2); 1732 1733 case KEYCTL_GET_PERSISTENT: 1734 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); 1735 1736 case KEYCTL_DH_COMPUTE: 1737 return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2, 1738 (char __user *) arg3, (size_t) arg4, 1739 (struct keyctl_kdf_params __user *) arg5); 1740 1741 case KEYCTL_RESTRICT_KEYRING: 1742 return keyctl_restrict_keyring((key_serial_t) arg2, 1743 (const char __user *) arg3, 1744 (const char __user *) arg4); 1745 1746 default: 1747 return -EOPNOTSUPP; 1748 } 1749 } 1750