1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Userspace key control operations 3 * 4 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/init.h> 9 #include <linux/sched.h> 10 #include <linux/sched/task.h> 11 #include <linux/slab.h> 12 #include <linux/syscalls.h> 13 #include <linux/key.h> 14 #include <linux/keyctl.h> 15 #include <linux/fs.h> 16 #include <linux/capability.h> 17 #include <linux/cred.h> 18 #include <linux/string.h> 19 #include <linux/err.h> 20 #include <linux/vmalloc.h> 21 #include <linux/security.h> 22 #include <linux/uio.h> 23 #include <linux/uaccess.h> 24 #include <keys/request_key_auth-type.h> 25 #include "internal.h" 26 27 #define KEY_MAX_DESC_SIZE 4096 28 29 static const unsigned char keyrings_capabilities[2] = { 30 [0] = (KEYCTL_CAPS0_CAPABILITIES | 31 (IS_ENABLED(CONFIG_PERSISTENT_KEYRINGS) ? KEYCTL_CAPS0_PERSISTENT_KEYRINGS : 0) | 32 (IS_ENABLED(CONFIG_KEY_DH_OPERATIONS) ? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) | 33 (IS_ENABLED(CONFIG_ASYMMETRIC_KEY_TYPE) ? KEYCTL_CAPS0_PUBLIC_KEY : 0) | 34 (IS_ENABLED(CONFIG_BIG_KEYS) ? KEYCTL_CAPS0_BIG_KEY : 0) | 35 KEYCTL_CAPS0_INVALIDATE | 36 KEYCTL_CAPS0_RESTRICT_KEYRING | 37 KEYCTL_CAPS0_MOVE 38 ), 39 [1] = (KEYCTL_CAPS1_NS_KEYRING_NAME | 40 KEYCTL_CAPS1_NS_KEY_TAG), 41 }; 42 43 static int key_get_type_from_user(char *type, 44 const char __user *_type, 45 unsigned len) 46 { 47 int ret; 48 49 ret = strncpy_from_user(type, _type, len); 50 if (ret < 0) 51 return ret; 52 if (ret == 0 || ret >= len) 53 return -EINVAL; 54 if (type[0] == '.') 55 return -EPERM; 56 type[len - 1] = '\0'; 57 return 0; 58 } 59 60 /* 61 * Extract the description of a new key from userspace and either add it as a 62 * new key to the specified keyring or update a matching key in that keyring. 63 * 64 * If the description is NULL or an empty string, the key type is asked to 65 * generate one from the payload. 66 * 67 * The keyring must be writable so that we can attach the key to it. 68 * 69 * If successful, the new key's serial number is returned, otherwise an error 70 * code is returned. 71 */ 72 SYSCALL_DEFINE5(add_key, const char __user *, _type, 73 const char __user *, _description, 74 const void __user *, _payload, 75 size_t, plen, 76 key_serial_t, ringid) 77 { 78 key_ref_t keyring_ref, key_ref; 79 char type[32], *description; 80 void *payload; 81 long ret; 82 83 ret = -EINVAL; 84 if (plen > 1024 * 1024 - 1) 85 goto error; 86 87 /* draw all the data into kernel space */ 88 ret = key_get_type_from_user(type, _type, sizeof(type)); 89 if (ret < 0) 90 goto error; 91 92 description = NULL; 93 if (_description) { 94 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 95 if (IS_ERR(description)) { 96 ret = PTR_ERR(description); 97 goto error; 98 } 99 if (!*description) { 100 kfree(description); 101 description = NULL; 102 } else if ((description[0] == '.') && 103 (strncmp(type, "keyring", 7) == 0)) { 104 ret = -EPERM; 105 goto error2; 106 } 107 } 108 109 /* pull the payload in if one was supplied */ 110 payload = NULL; 111 112 if (plen) { 113 ret = -ENOMEM; 114 payload = kvmalloc(plen, GFP_KERNEL); 115 if (!payload) 116 goto error2; 117 118 ret = -EFAULT; 119 if (copy_from_user(payload, _payload, plen) != 0) 120 goto error3; 121 } 122 123 /* find the target keyring (which must be writable) */ 124 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 125 if (IS_ERR(keyring_ref)) { 126 ret = PTR_ERR(keyring_ref); 127 goto error3; 128 } 129 130 /* create or update the requested key and add it to the target 131 * keyring */ 132 key_ref = key_create_or_update(keyring_ref, type, description, 133 payload, plen, KEY_PERM_UNDEF, 134 KEY_ALLOC_IN_QUOTA); 135 if (!IS_ERR(key_ref)) { 136 ret = key_ref_to_ptr(key_ref)->serial; 137 key_ref_put(key_ref); 138 } 139 else { 140 ret = PTR_ERR(key_ref); 141 } 142 143 key_ref_put(keyring_ref); 144 error3: 145 if (payload) { 146 memzero_explicit(payload, plen); 147 kvfree(payload); 148 } 149 error2: 150 kfree(description); 151 error: 152 return ret; 153 } 154 155 /* 156 * Search the process keyrings and keyring trees linked from those for a 157 * matching key. Keyrings must have appropriate Search permission to be 158 * searched. 159 * 160 * If a key is found, it will be attached to the destination keyring if there's 161 * one specified and the serial number of the key will be returned. 162 * 163 * If no key is found, /sbin/request-key will be invoked if _callout_info is 164 * non-NULL in an attempt to create a key. The _callout_info string will be 165 * passed to /sbin/request-key to aid with completing the request. If the 166 * _callout_info string is "" then it will be changed to "-". 167 */ 168 SYSCALL_DEFINE4(request_key, const char __user *, _type, 169 const char __user *, _description, 170 const char __user *, _callout_info, 171 key_serial_t, destringid) 172 { 173 struct key_type *ktype; 174 struct key *key; 175 key_ref_t dest_ref; 176 size_t callout_len; 177 char type[32], *description, *callout_info; 178 long ret; 179 180 /* pull the type into kernel space */ 181 ret = key_get_type_from_user(type, _type, sizeof(type)); 182 if (ret < 0) 183 goto error; 184 185 /* pull the description into kernel space */ 186 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 187 if (IS_ERR(description)) { 188 ret = PTR_ERR(description); 189 goto error; 190 } 191 192 /* pull the callout info into kernel space */ 193 callout_info = NULL; 194 callout_len = 0; 195 if (_callout_info) { 196 callout_info = strndup_user(_callout_info, PAGE_SIZE); 197 if (IS_ERR(callout_info)) { 198 ret = PTR_ERR(callout_info); 199 goto error2; 200 } 201 callout_len = strlen(callout_info); 202 } 203 204 /* get the destination keyring if specified */ 205 dest_ref = NULL; 206 if (destringid) { 207 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 208 KEY_NEED_WRITE); 209 if (IS_ERR(dest_ref)) { 210 ret = PTR_ERR(dest_ref); 211 goto error3; 212 } 213 } 214 215 /* find the key type */ 216 ktype = key_type_lookup(type); 217 if (IS_ERR(ktype)) { 218 ret = PTR_ERR(ktype); 219 goto error4; 220 } 221 222 /* do the search */ 223 key = request_key_and_link(ktype, description, NULL, callout_info, 224 callout_len, NULL, key_ref_to_ptr(dest_ref), 225 KEY_ALLOC_IN_QUOTA); 226 if (IS_ERR(key)) { 227 ret = PTR_ERR(key); 228 goto error5; 229 } 230 231 /* wait for the key to finish being constructed */ 232 ret = wait_for_key_construction(key, 1); 233 if (ret < 0) 234 goto error6; 235 236 ret = key->serial; 237 238 error6: 239 key_put(key); 240 error5: 241 key_type_put(ktype); 242 error4: 243 key_ref_put(dest_ref); 244 error3: 245 kfree(callout_info); 246 error2: 247 kfree(description); 248 error: 249 return ret; 250 } 251 252 /* 253 * Get the ID of the specified process keyring. 254 * 255 * The requested keyring must have search permission to be found. 256 * 257 * If successful, the ID of the requested keyring will be returned. 258 */ 259 long keyctl_get_keyring_ID(key_serial_t id, int create) 260 { 261 key_ref_t key_ref; 262 unsigned long lflags; 263 long ret; 264 265 lflags = create ? KEY_LOOKUP_CREATE : 0; 266 key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH); 267 if (IS_ERR(key_ref)) { 268 ret = PTR_ERR(key_ref); 269 goto error; 270 } 271 272 ret = key_ref_to_ptr(key_ref)->serial; 273 key_ref_put(key_ref); 274 error: 275 return ret; 276 } 277 278 /* 279 * Join a (named) session keyring. 280 * 281 * Create and join an anonymous session keyring or join a named session 282 * keyring, creating it if necessary. A named session keyring must have Search 283 * permission for it to be joined. Session keyrings without this permit will 284 * be skipped over. It is not permitted for userspace to create or join 285 * keyrings whose name begin with a dot. 286 * 287 * If successful, the ID of the joined session keyring will be returned. 288 */ 289 long keyctl_join_session_keyring(const char __user *_name) 290 { 291 char *name; 292 long ret; 293 294 /* fetch the name from userspace */ 295 name = NULL; 296 if (_name) { 297 name = strndup_user(_name, KEY_MAX_DESC_SIZE); 298 if (IS_ERR(name)) { 299 ret = PTR_ERR(name); 300 goto error; 301 } 302 303 ret = -EPERM; 304 if (name[0] == '.') 305 goto error_name; 306 } 307 308 /* join the session */ 309 ret = join_session_keyring(name); 310 error_name: 311 kfree(name); 312 error: 313 return ret; 314 } 315 316 /* 317 * Update a key's data payload from the given data. 318 * 319 * The key must grant the caller Write permission and the key type must support 320 * updating for this to work. A negative key can be positively instantiated 321 * with this call. 322 * 323 * If successful, 0 will be returned. If the key type does not support 324 * updating, then -EOPNOTSUPP will be returned. 325 */ 326 long keyctl_update_key(key_serial_t id, 327 const void __user *_payload, 328 size_t plen) 329 { 330 key_ref_t key_ref; 331 void *payload; 332 long ret; 333 334 ret = -EINVAL; 335 if (plen > PAGE_SIZE) 336 goto error; 337 338 /* pull the payload in if one was supplied */ 339 payload = NULL; 340 if (plen) { 341 ret = -ENOMEM; 342 payload = kmalloc(plen, GFP_KERNEL); 343 if (!payload) 344 goto error; 345 346 ret = -EFAULT; 347 if (copy_from_user(payload, _payload, plen) != 0) 348 goto error2; 349 } 350 351 /* find the target key (which must be writable) */ 352 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 353 if (IS_ERR(key_ref)) { 354 ret = PTR_ERR(key_ref); 355 goto error2; 356 } 357 358 /* update the key */ 359 ret = key_update(key_ref, payload, plen); 360 361 key_ref_put(key_ref); 362 error2: 363 kzfree(payload); 364 error: 365 return ret; 366 } 367 368 /* 369 * Revoke a key. 370 * 371 * The key must be grant the caller Write or Setattr permission for this to 372 * work. The key type should give up its quota claim when revoked. The key 373 * and any links to the key will be automatically garbage collected after a 374 * certain amount of time (/proc/sys/kernel/keys/gc_delay). 375 * 376 * Keys with KEY_FLAG_KEEP set should not be revoked. 377 * 378 * If successful, 0 is returned. 379 */ 380 long keyctl_revoke_key(key_serial_t id) 381 { 382 key_ref_t key_ref; 383 struct key *key; 384 long ret; 385 386 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 387 if (IS_ERR(key_ref)) { 388 ret = PTR_ERR(key_ref); 389 if (ret != -EACCES) 390 goto error; 391 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 392 if (IS_ERR(key_ref)) { 393 ret = PTR_ERR(key_ref); 394 goto error; 395 } 396 } 397 398 key = key_ref_to_ptr(key_ref); 399 ret = 0; 400 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 401 ret = -EPERM; 402 else 403 key_revoke(key); 404 405 key_ref_put(key_ref); 406 error: 407 return ret; 408 } 409 410 /* 411 * Invalidate a key. 412 * 413 * The key must be grant the caller Invalidate permission for this to work. 414 * The key and any links to the key will be automatically garbage collected 415 * immediately. 416 * 417 * Keys with KEY_FLAG_KEEP set should not be invalidated. 418 * 419 * If successful, 0 is returned. 420 */ 421 long keyctl_invalidate_key(key_serial_t id) 422 { 423 key_ref_t key_ref; 424 struct key *key; 425 long ret; 426 427 kenter("%d", id); 428 429 key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); 430 if (IS_ERR(key_ref)) { 431 ret = PTR_ERR(key_ref); 432 433 /* Root is permitted to invalidate certain special keys */ 434 if (capable(CAP_SYS_ADMIN)) { 435 key_ref = lookup_user_key(id, 0, 0); 436 if (IS_ERR(key_ref)) 437 goto error; 438 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, 439 &key_ref_to_ptr(key_ref)->flags)) 440 goto invalidate; 441 goto error_put; 442 } 443 444 goto error; 445 } 446 447 invalidate: 448 key = key_ref_to_ptr(key_ref); 449 ret = 0; 450 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 451 ret = -EPERM; 452 else 453 key_invalidate(key); 454 error_put: 455 key_ref_put(key_ref); 456 error: 457 kleave(" = %ld", ret); 458 return ret; 459 } 460 461 /* 462 * Clear the specified keyring, creating an empty process keyring if one of the 463 * special keyring IDs is used. 464 * 465 * The keyring must grant the caller Write permission and not have 466 * KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned. 467 */ 468 long keyctl_keyring_clear(key_serial_t ringid) 469 { 470 key_ref_t keyring_ref; 471 struct key *keyring; 472 long ret; 473 474 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 475 if (IS_ERR(keyring_ref)) { 476 ret = PTR_ERR(keyring_ref); 477 478 /* Root is permitted to invalidate certain special keyrings */ 479 if (capable(CAP_SYS_ADMIN)) { 480 keyring_ref = lookup_user_key(ringid, 0, 0); 481 if (IS_ERR(keyring_ref)) 482 goto error; 483 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, 484 &key_ref_to_ptr(keyring_ref)->flags)) 485 goto clear; 486 goto error_put; 487 } 488 489 goto error; 490 } 491 492 clear: 493 keyring = key_ref_to_ptr(keyring_ref); 494 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 495 ret = -EPERM; 496 else 497 ret = keyring_clear(keyring); 498 error_put: 499 key_ref_put(keyring_ref); 500 error: 501 return ret; 502 } 503 504 /* 505 * Create a link from a keyring to a key if there's no matching key in the 506 * keyring, otherwise replace the link to the matching key with a link to the 507 * new key. 508 * 509 * The key must grant the caller Link permission and the the keyring must grant 510 * the caller Write permission. Furthermore, if an additional link is created, 511 * the keyring's quota will be extended. 512 * 513 * If successful, 0 will be returned. 514 */ 515 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 516 { 517 key_ref_t keyring_ref, key_ref; 518 long ret; 519 520 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 521 if (IS_ERR(keyring_ref)) { 522 ret = PTR_ERR(keyring_ref); 523 goto error; 524 } 525 526 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 527 if (IS_ERR(key_ref)) { 528 ret = PTR_ERR(key_ref); 529 goto error2; 530 } 531 532 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 533 534 key_ref_put(key_ref); 535 error2: 536 key_ref_put(keyring_ref); 537 error: 538 return ret; 539 } 540 541 /* 542 * Unlink a key from a keyring. 543 * 544 * The keyring must grant the caller Write permission for this to work; the key 545 * itself need not grant the caller anything. If the last link to a key is 546 * removed then that key will be scheduled for destruction. 547 * 548 * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. 549 * 550 * If successful, 0 will be returned. 551 */ 552 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 553 { 554 key_ref_t keyring_ref, key_ref; 555 struct key *keyring, *key; 556 long ret; 557 558 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); 559 if (IS_ERR(keyring_ref)) { 560 ret = PTR_ERR(keyring_ref); 561 goto error; 562 } 563 564 key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0); 565 if (IS_ERR(key_ref)) { 566 ret = PTR_ERR(key_ref); 567 goto error2; 568 } 569 570 keyring = key_ref_to_ptr(keyring_ref); 571 key = key_ref_to_ptr(key_ref); 572 if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && 573 test_bit(KEY_FLAG_KEEP, &key->flags)) 574 ret = -EPERM; 575 else 576 ret = key_unlink(keyring, key); 577 578 key_ref_put(key_ref); 579 error2: 580 key_ref_put(keyring_ref); 581 error: 582 return ret; 583 } 584 585 /* 586 * Move a link to a key from one keyring to another, displacing any matching 587 * key from the destination keyring. 588 * 589 * The key must grant the caller Link permission and both keyrings must grant 590 * the caller Write permission. There must also be a link in the from keyring 591 * to the key. If both keyrings are the same, nothing is done. 592 * 593 * If successful, 0 will be returned. 594 */ 595 long keyctl_keyring_move(key_serial_t id, key_serial_t from_ringid, 596 key_serial_t to_ringid, unsigned int flags) 597 { 598 key_ref_t key_ref, from_ref, to_ref; 599 long ret; 600 601 if (flags & ~KEYCTL_MOVE_EXCL) 602 return -EINVAL; 603 604 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 605 if (IS_ERR(key_ref)) 606 return PTR_ERR(key_ref); 607 608 from_ref = lookup_user_key(from_ringid, 0, KEY_NEED_WRITE); 609 if (IS_ERR(from_ref)) { 610 ret = PTR_ERR(from_ref); 611 goto error2; 612 } 613 614 to_ref = lookup_user_key(to_ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 615 if (IS_ERR(to_ref)) { 616 ret = PTR_ERR(to_ref); 617 goto error3; 618 } 619 620 ret = key_move(key_ref_to_ptr(key_ref), key_ref_to_ptr(from_ref), 621 key_ref_to_ptr(to_ref), flags); 622 623 key_ref_put(to_ref); 624 error3: 625 key_ref_put(from_ref); 626 error2: 627 key_ref_put(key_ref); 628 return ret; 629 } 630 631 /* 632 * Return a description of a key to userspace. 633 * 634 * The key must grant the caller View permission for this to work. 635 * 636 * If there's a buffer, we place up to buflen bytes of data into it formatted 637 * in the following way: 638 * 639 * type;uid;gid;perm;description<NUL> 640 * 641 * If successful, we return the amount of description available, irrespective 642 * of how much we may have copied into the buffer. 643 */ 644 long keyctl_describe_key(key_serial_t keyid, 645 char __user *buffer, 646 size_t buflen) 647 { 648 struct key *key, *instkey; 649 key_ref_t key_ref; 650 char *infobuf; 651 long ret; 652 int desclen, infolen; 653 654 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 655 if (IS_ERR(key_ref)) { 656 /* viewing a key under construction is permitted if we have the 657 * authorisation token handy */ 658 if (PTR_ERR(key_ref) == -EACCES) { 659 instkey = key_get_instantiation_authkey(keyid); 660 if (!IS_ERR(instkey)) { 661 key_put(instkey); 662 key_ref = lookup_user_key(keyid, 663 KEY_LOOKUP_PARTIAL, 664 0); 665 if (!IS_ERR(key_ref)) 666 goto okay; 667 } 668 } 669 670 ret = PTR_ERR(key_ref); 671 goto error; 672 } 673 674 okay: 675 key = key_ref_to_ptr(key_ref); 676 desclen = strlen(key->description); 677 678 /* calculate how much information we're going to return */ 679 ret = -ENOMEM; 680 infobuf = kasprintf(GFP_KERNEL, 681 "%s;%d;%d;%08x;", 682 key->type->name, 683 from_kuid_munged(current_user_ns(), key->uid), 684 from_kgid_munged(current_user_ns(), key->gid), 685 key->perm); 686 if (!infobuf) 687 goto error2; 688 infolen = strlen(infobuf); 689 ret = infolen + desclen + 1; 690 691 /* consider returning the data */ 692 if (buffer && buflen >= ret) { 693 if (copy_to_user(buffer, infobuf, infolen) != 0 || 694 copy_to_user(buffer + infolen, key->description, 695 desclen + 1) != 0) 696 ret = -EFAULT; 697 } 698 699 kfree(infobuf); 700 error2: 701 key_ref_put(key_ref); 702 error: 703 return ret; 704 } 705 706 /* 707 * Search the specified keyring and any keyrings it links to for a matching 708 * key. Only keyrings that grant the caller Search permission will be searched 709 * (this includes the starting keyring). Only keys with Search permission can 710 * be found. 711 * 712 * If successful, the found key will be linked to the destination keyring if 713 * supplied and the key has Link permission, and the found key ID will be 714 * returned. 715 */ 716 long keyctl_keyring_search(key_serial_t ringid, 717 const char __user *_type, 718 const char __user *_description, 719 key_serial_t destringid) 720 { 721 struct key_type *ktype; 722 key_ref_t keyring_ref, key_ref, dest_ref; 723 char type[32], *description; 724 long ret; 725 726 /* pull the type and description into kernel space */ 727 ret = key_get_type_from_user(type, _type, sizeof(type)); 728 if (ret < 0) 729 goto error; 730 731 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 732 if (IS_ERR(description)) { 733 ret = PTR_ERR(description); 734 goto error; 735 } 736 737 /* get the keyring at which to begin the search */ 738 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH); 739 if (IS_ERR(keyring_ref)) { 740 ret = PTR_ERR(keyring_ref); 741 goto error2; 742 } 743 744 /* get the destination keyring if specified */ 745 dest_ref = NULL; 746 if (destringid) { 747 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 748 KEY_NEED_WRITE); 749 if (IS_ERR(dest_ref)) { 750 ret = PTR_ERR(dest_ref); 751 goto error3; 752 } 753 } 754 755 /* find the key type */ 756 ktype = key_type_lookup(type); 757 if (IS_ERR(ktype)) { 758 ret = PTR_ERR(ktype); 759 goto error4; 760 } 761 762 /* do the search */ 763 key_ref = keyring_search(keyring_ref, ktype, description, true); 764 if (IS_ERR(key_ref)) { 765 ret = PTR_ERR(key_ref); 766 767 /* treat lack or presence of a negative key the same */ 768 if (ret == -EAGAIN) 769 ret = -ENOKEY; 770 goto error5; 771 } 772 773 /* link the resulting key to the destination keyring if we can */ 774 if (dest_ref) { 775 ret = key_permission(key_ref, KEY_NEED_LINK); 776 if (ret < 0) 777 goto error6; 778 779 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 780 if (ret < 0) 781 goto error6; 782 } 783 784 ret = key_ref_to_ptr(key_ref)->serial; 785 786 error6: 787 key_ref_put(key_ref); 788 error5: 789 key_type_put(ktype); 790 error4: 791 key_ref_put(dest_ref); 792 error3: 793 key_ref_put(keyring_ref); 794 error2: 795 kfree(description); 796 error: 797 return ret; 798 } 799 800 /* 801 * Read a key's payload. 802 * 803 * The key must either grant the caller Read permission, or it must grant the 804 * caller Search permission when searched for from the process keyrings. 805 * 806 * If successful, we place up to buflen bytes of data into the buffer, if one 807 * is provided, and return the amount of data that is available in the key, 808 * irrespective of how much we copied into the buffer. 809 */ 810 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 811 { 812 struct key *key; 813 key_ref_t key_ref; 814 long ret; 815 816 /* find the key first */ 817 key_ref = lookup_user_key(keyid, 0, 0); 818 if (IS_ERR(key_ref)) { 819 ret = -ENOKEY; 820 goto error; 821 } 822 823 key = key_ref_to_ptr(key_ref); 824 825 ret = key_read_state(key); 826 if (ret < 0) 827 goto error2; /* Negatively instantiated */ 828 829 /* see if we can read it directly */ 830 ret = key_permission(key_ref, KEY_NEED_READ); 831 if (ret == 0) 832 goto can_read_key; 833 if (ret != -EACCES) 834 goto error2; 835 836 /* we can't; see if it's searchable from this process's keyrings 837 * - we automatically take account of the fact that it may be 838 * dangling off an instantiation key 839 */ 840 if (!is_key_possessed(key_ref)) { 841 ret = -EACCES; 842 goto error2; 843 } 844 845 /* the key is probably readable - now try to read it */ 846 can_read_key: 847 ret = -EOPNOTSUPP; 848 if (key->type->read) { 849 /* Read the data with the semaphore held (since we might sleep) 850 * to protect against the key being updated or revoked. 851 */ 852 down_read(&key->sem); 853 ret = key_validate(key); 854 if (ret == 0) 855 ret = key->type->read(key, buffer, buflen); 856 up_read(&key->sem); 857 } 858 859 error2: 860 key_put(key); 861 error: 862 return ret; 863 } 864 865 /* 866 * Change the ownership of a key 867 * 868 * The key must grant the caller Setattr permission for this to work, though 869 * the key need not be fully instantiated yet. For the UID to be changed, or 870 * for the GID to be changed to a group the caller is not a member of, the 871 * caller must have sysadmin capability. If either uid or gid is -1 then that 872 * attribute is not changed. 873 * 874 * If the UID is to be changed, the new user must have sufficient quota to 875 * accept the key. The quota deduction will be removed from the old user to 876 * the new user should the attribute be changed. 877 * 878 * If successful, 0 will be returned. 879 */ 880 long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) 881 { 882 struct key_user *newowner, *zapowner = NULL; 883 struct key *key; 884 key_ref_t key_ref; 885 long ret; 886 kuid_t uid; 887 kgid_t gid; 888 889 uid = make_kuid(current_user_ns(), user); 890 gid = make_kgid(current_user_ns(), group); 891 ret = -EINVAL; 892 if ((user != (uid_t) -1) && !uid_valid(uid)) 893 goto error; 894 if ((group != (gid_t) -1) && !gid_valid(gid)) 895 goto error; 896 897 ret = 0; 898 if (user == (uid_t) -1 && group == (gid_t) -1) 899 goto error; 900 901 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 902 KEY_NEED_SETATTR); 903 if (IS_ERR(key_ref)) { 904 ret = PTR_ERR(key_ref); 905 goto error; 906 } 907 908 key = key_ref_to_ptr(key_ref); 909 910 /* make the changes with the locks held to prevent chown/chown races */ 911 ret = -EACCES; 912 down_write(&key->sem); 913 914 if (!capable(CAP_SYS_ADMIN)) { 915 /* only the sysadmin can chown a key to some other UID */ 916 if (user != (uid_t) -1 && !uid_eq(key->uid, uid)) 917 goto error_put; 918 919 /* only the sysadmin can set the key's GID to a group other 920 * than one of those that the current process subscribes to */ 921 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid)) 922 goto error_put; 923 } 924 925 /* change the UID */ 926 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) { 927 ret = -ENOMEM; 928 newowner = key_user_lookup(uid); 929 if (!newowner) 930 goto error_put; 931 932 /* transfer the quota burden to the new user */ 933 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 934 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 935 key_quota_root_maxkeys : key_quota_maxkeys; 936 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 937 key_quota_root_maxbytes : key_quota_maxbytes; 938 939 spin_lock(&newowner->lock); 940 if (newowner->qnkeys + 1 >= maxkeys || 941 newowner->qnbytes + key->quotalen >= maxbytes || 942 newowner->qnbytes + key->quotalen < 943 newowner->qnbytes) 944 goto quota_overrun; 945 946 newowner->qnkeys++; 947 newowner->qnbytes += key->quotalen; 948 spin_unlock(&newowner->lock); 949 950 spin_lock(&key->user->lock); 951 key->user->qnkeys--; 952 key->user->qnbytes -= key->quotalen; 953 spin_unlock(&key->user->lock); 954 } 955 956 atomic_dec(&key->user->nkeys); 957 atomic_inc(&newowner->nkeys); 958 959 if (key->state != KEY_IS_UNINSTANTIATED) { 960 atomic_dec(&key->user->nikeys); 961 atomic_inc(&newowner->nikeys); 962 } 963 964 zapowner = key->user; 965 key->user = newowner; 966 key->uid = uid; 967 } 968 969 /* change the GID */ 970 if (group != (gid_t) -1) 971 key->gid = gid; 972 973 ret = 0; 974 975 error_put: 976 up_write(&key->sem); 977 key_put(key); 978 if (zapowner) 979 key_user_put(zapowner); 980 error: 981 return ret; 982 983 quota_overrun: 984 spin_unlock(&newowner->lock); 985 zapowner = newowner; 986 ret = -EDQUOT; 987 goto error_put; 988 } 989 990 /* 991 * Change the permission mask on a key. 992 * 993 * The key must grant the caller Setattr permission for this to work, though 994 * the key need not be fully instantiated yet. If the caller does not have 995 * sysadmin capability, it may only change the permission on keys that it owns. 996 */ 997 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 998 { 999 struct key *key; 1000 key_ref_t key_ref; 1001 long ret; 1002 1003 ret = -EINVAL; 1004 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 1005 goto error; 1006 1007 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1008 KEY_NEED_SETATTR); 1009 if (IS_ERR(key_ref)) { 1010 ret = PTR_ERR(key_ref); 1011 goto error; 1012 } 1013 1014 key = key_ref_to_ptr(key_ref); 1015 1016 /* make the changes with the locks held to prevent chown/chmod races */ 1017 ret = -EACCES; 1018 down_write(&key->sem); 1019 1020 /* if we're not the sysadmin, we can only change a key that we own */ 1021 if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) { 1022 key->perm = perm; 1023 ret = 0; 1024 } 1025 1026 up_write(&key->sem); 1027 key_put(key); 1028 error: 1029 return ret; 1030 } 1031 1032 /* 1033 * Get the destination keyring for instantiation and check that the caller has 1034 * Write permission on it. 1035 */ 1036 static long get_instantiation_keyring(key_serial_t ringid, 1037 struct request_key_auth *rka, 1038 struct key **_dest_keyring) 1039 { 1040 key_ref_t dkref; 1041 1042 *_dest_keyring = NULL; 1043 1044 /* just return a NULL pointer if we weren't asked to make a link */ 1045 if (ringid == 0) 1046 return 0; 1047 1048 /* if a specific keyring is nominated by ID, then use that */ 1049 if (ringid > 0) { 1050 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 1051 if (IS_ERR(dkref)) 1052 return PTR_ERR(dkref); 1053 *_dest_keyring = key_ref_to_ptr(dkref); 1054 return 0; 1055 } 1056 1057 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 1058 return -EINVAL; 1059 1060 /* otherwise specify the destination keyring recorded in the 1061 * authorisation key (any KEY_SPEC_*_KEYRING) */ 1062 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 1063 *_dest_keyring = key_get(rka->dest_keyring); 1064 return 0; 1065 } 1066 1067 return -ENOKEY; 1068 } 1069 1070 /* 1071 * Change the request_key authorisation key on the current process. 1072 */ 1073 static int keyctl_change_reqkey_auth(struct key *key) 1074 { 1075 struct cred *new; 1076 1077 new = prepare_creds(); 1078 if (!new) 1079 return -ENOMEM; 1080 1081 key_put(new->request_key_auth); 1082 new->request_key_auth = key_get(key); 1083 1084 return commit_creds(new); 1085 } 1086 1087 /* 1088 * Instantiate a key with the specified payload and link the key into the 1089 * destination keyring if one is given. 1090 * 1091 * The caller must have the appropriate instantiation permit set for this to 1092 * work (see keyctl_assume_authority). No other permissions are required. 1093 * 1094 * If successful, 0 will be returned. 1095 */ 1096 long keyctl_instantiate_key_common(key_serial_t id, 1097 struct iov_iter *from, 1098 key_serial_t ringid) 1099 { 1100 const struct cred *cred = current_cred(); 1101 struct request_key_auth *rka; 1102 struct key *instkey, *dest_keyring; 1103 size_t plen = from ? iov_iter_count(from) : 0; 1104 void *payload; 1105 long ret; 1106 1107 kenter("%d,,%zu,%d", id, plen, ringid); 1108 1109 if (!plen) 1110 from = NULL; 1111 1112 ret = -EINVAL; 1113 if (plen > 1024 * 1024 - 1) 1114 goto error; 1115 1116 /* the appropriate instantiation authorisation key must have been 1117 * assumed before calling this */ 1118 ret = -EPERM; 1119 instkey = cred->request_key_auth; 1120 if (!instkey) 1121 goto error; 1122 1123 rka = instkey->payload.data[0]; 1124 if (rka->target_key->serial != id) 1125 goto error; 1126 1127 /* pull the payload in if one was supplied */ 1128 payload = NULL; 1129 1130 if (from) { 1131 ret = -ENOMEM; 1132 payload = kvmalloc(plen, GFP_KERNEL); 1133 if (!payload) 1134 goto error; 1135 1136 ret = -EFAULT; 1137 if (!copy_from_iter_full(payload, plen, from)) 1138 goto error2; 1139 } 1140 1141 /* find the destination keyring amongst those belonging to the 1142 * requesting task */ 1143 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1144 if (ret < 0) 1145 goto error2; 1146 1147 /* instantiate the key and link it into a keyring */ 1148 ret = key_instantiate_and_link(rka->target_key, payload, plen, 1149 dest_keyring, instkey); 1150 1151 key_put(dest_keyring); 1152 1153 /* discard the assumed authority if it's just been disabled by 1154 * instantiation of the key */ 1155 if (ret == 0) 1156 keyctl_change_reqkey_auth(NULL); 1157 1158 error2: 1159 if (payload) { 1160 memzero_explicit(payload, plen); 1161 kvfree(payload); 1162 } 1163 error: 1164 return ret; 1165 } 1166 1167 /* 1168 * Instantiate a key with the specified payload and link the key into the 1169 * destination keyring if one is given. 1170 * 1171 * The caller must have the appropriate instantiation permit set for this to 1172 * work (see keyctl_assume_authority). No other permissions are required. 1173 * 1174 * If successful, 0 will be returned. 1175 */ 1176 long keyctl_instantiate_key(key_serial_t id, 1177 const void __user *_payload, 1178 size_t plen, 1179 key_serial_t ringid) 1180 { 1181 if (_payload && plen) { 1182 struct iovec iov; 1183 struct iov_iter from; 1184 int ret; 1185 1186 ret = import_single_range(WRITE, (void __user *)_payload, plen, 1187 &iov, &from); 1188 if (unlikely(ret)) 1189 return ret; 1190 1191 return keyctl_instantiate_key_common(id, &from, ringid); 1192 } 1193 1194 return keyctl_instantiate_key_common(id, NULL, ringid); 1195 } 1196 1197 /* 1198 * Instantiate a key with the specified multipart payload and link the key into 1199 * the destination keyring if one is given. 1200 * 1201 * The caller must have the appropriate instantiation permit set for this to 1202 * work (see keyctl_assume_authority). No other permissions are required. 1203 * 1204 * If successful, 0 will be returned. 1205 */ 1206 long keyctl_instantiate_key_iov(key_serial_t id, 1207 const struct iovec __user *_payload_iov, 1208 unsigned ioc, 1209 key_serial_t ringid) 1210 { 1211 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; 1212 struct iov_iter from; 1213 long ret; 1214 1215 if (!_payload_iov) 1216 ioc = 0; 1217 1218 ret = import_iovec(WRITE, _payload_iov, ioc, 1219 ARRAY_SIZE(iovstack), &iov, &from); 1220 if (ret < 0) 1221 return ret; 1222 ret = keyctl_instantiate_key_common(id, &from, ringid); 1223 kfree(iov); 1224 return ret; 1225 } 1226 1227 /* 1228 * Negatively instantiate the key with the given timeout (in seconds) and link 1229 * the key into the destination keyring if one is given. 1230 * 1231 * The caller must have the appropriate instantiation permit set for this to 1232 * work (see keyctl_assume_authority). No other permissions are required. 1233 * 1234 * The key and any links to the key will be automatically garbage collected 1235 * after the timeout expires. 1236 * 1237 * Negative keys are used to rate limit repeated request_key() calls by causing 1238 * them to return -ENOKEY until the negative key expires. 1239 * 1240 * If successful, 0 will be returned. 1241 */ 1242 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 1243 { 1244 return keyctl_reject_key(id, timeout, ENOKEY, ringid); 1245 } 1246 1247 /* 1248 * Negatively instantiate the key with the given timeout (in seconds) and error 1249 * code and link the key into the destination keyring if one is given. 1250 * 1251 * The caller must have the appropriate instantiation permit set for this to 1252 * work (see keyctl_assume_authority). No other permissions are required. 1253 * 1254 * The key and any links to the key will be automatically garbage collected 1255 * after the timeout expires. 1256 * 1257 * Negative keys are used to rate limit repeated request_key() calls by causing 1258 * them to return the specified error code until the negative key expires. 1259 * 1260 * If successful, 0 will be returned. 1261 */ 1262 long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, 1263 key_serial_t ringid) 1264 { 1265 const struct cred *cred = current_cred(); 1266 struct request_key_auth *rka; 1267 struct key *instkey, *dest_keyring; 1268 long ret; 1269 1270 kenter("%d,%u,%u,%d", id, timeout, error, ringid); 1271 1272 /* must be a valid error code and mustn't be a kernel special */ 1273 if (error <= 0 || 1274 error >= MAX_ERRNO || 1275 error == ERESTARTSYS || 1276 error == ERESTARTNOINTR || 1277 error == ERESTARTNOHAND || 1278 error == ERESTART_RESTARTBLOCK) 1279 return -EINVAL; 1280 1281 /* the appropriate instantiation authorisation key must have been 1282 * assumed before calling this */ 1283 ret = -EPERM; 1284 instkey = cred->request_key_auth; 1285 if (!instkey) 1286 goto error; 1287 1288 rka = instkey->payload.data[0]; 1289 if (rka->target_key->serial != id) 1290 goto error; 1291 1292 /* find the destination keyring if present (which must also be 1293 * writable) */ 1294 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1295 if (ret < 0) 1296 goto error; 1297 1298 /* instantiate the key and link it into a keyring */ 1299 ret = key_reject_and_link(rka->target_key, timeout, error, 1300 dest_keyring, instkey); 1301 1302 key_put(dest_keyring); 1303 1304 /* discard the assumed authority if it's just been disabled by 1305 * instantiation of the key */ 1306 if (ret == 0) 1307 keyctl_change_reqkey_auth(NULL); 1308 1309 error: 1310 return ret; 1311 } 1312 1313 /* 1314 * Read or set the default keyring in which request_key() will cache keys and 1315 * return the old setting. 1316 * 1317 * If a thread or process keyring is specified then it will be created if it 1318 * doesn't yet exist. The old setting will be returned if successful. 1319 */ 1320 long keyctl_set_reqkey_keyring(int reqkey_defl) 1321 { 1322 struct cred *new; 1323 int ret, old_setting; 1324 1325 old_setting = current_cred_xxx(jit_keyring); 1326 1327 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1328 return old_setting; 1329 1330 new = prepare_creds(); 1331 if (!new) 1332 return -ENOMEM; 1333 1334 switch (reqkey_defl) { 1335 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1336 ret = install_thread_keyring_to_cred(new); 1337 if (ret < 0) 1338 goto error; 1339 goto set; 1340 1341 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1342 ret = install_process_keyring_to_cred(new); 1343 if (ret < 0) 1344 goto error; 1345 goto set; 1346 1347 case KEY_REQKEY_DEFL_DEFAULT: 1348 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1349 case KEY_REQKEY_DEFL_USER_KEYRING: 1350 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1351 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1352 goto set; 1353 1354 case KEY_REQKEY_DEFL_NO_CHANGE: 1355 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1356 default: 1357 ret = -EINVAL; 1358 goto error; 1359 } 1360 1361 set: 1362 new->jit_keyring = reqkey_defl; 1363 commit_creds(new); 1364 return old_setting; 1365 error: 1366 abort_creds(new); 1367 return ret; 1368 } 1369 1370 /* 1371 * Set or clear the timeout on a key. 1372 * 1373 * Either the key must grant the caller Setattr permission or else the caller 1374 * must hold an instantiation authorisation token for the key. 1375 * 1376 * The timeout is either 0 to clear the timeout, or a number of seconds from 1377 * the current time. The key and any links to the key will be automatically 1378 * garbage collected after the timeout expires. 1379 * 1380 * Keys with KEY_FLAG_KEEP set should not be timed out. 1381 * 1382 * If successful, 0 is returned. 1383 */ 1384 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1385 { 1386 struct key *key, *instkey; 1387 key_ref_t key_ref; 1388 long ret; 1389 1390 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1391 KEY_NEED_SETATTR); 1392 if (IS_ERR(key_ref)) { 1393 /* setting the timeout on a key under construction is permitted 1394 * if we have the authorisation token handy */ 1395 if (PTR_ERR(key_ref) == -EACCES) { 1396 instkey = key_get_instantiation_authkey(id); 1397 if (!IS_ERR(instkey)) { 1398 key_put(instkey); 1399 key_ref = lookup_user_key(id, 1400 KEY_LOOKUP_PARTIAL, 1401 0); 1402 if (!IS_ERR(key_ref)) 1403 goto okay; 1404 } 1405 } 1406 1407 ret = PTR_ERR(key_ref); 1408 goto error; 1409 } 1410 1411 okay: 1412 key = key_ref_to_ptr(key_ref); 1413 ret = 0; 1414 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 1415 ret = -EPERM; 1416 else 1417 key_set_timeout(key, timeout); 1418 key_put(key); 1419 1420 error: 1421 return ret; 1422 } 1423 1424 /* 1425 * Assume (or clear) the authority to instantiate the specified key. 1426 * 1427 * This sets the authoritative token currently in force for key instantiation. 1428 * This must be done for a key to be instantiated. It has the effect of making 1429 * available all the keys from the caller of the request_key() that created a 1430 * key to request_key() calls made by the caller of this function. 1431 * 1432 * The caller must have the instantiation key in their process keyrings with a 1433 * Search permission grant available to the caller. 1434 * 1435 * If the ID given is 0, then the setting will be cleared and 0 returned. 1436 * 1437 * If the ID given has a matching an authorisation key, then that key will be 1438 * set and its ID will be returned. The authorisation key can be read to get 1439 * the callout information passed to request_key(). 1440 */ 1441 long keyctl_assume_authority(key_serial_t id) 1442 { 1443 struct key *authkey; 1444 long ret; 1445 1446 /* special key IDs aren't permitted */ 1447 ret = -EINVAL; 1448 if (id < 0) 1449 goto error; 1450 1451 /* we divest ourselves of authority if given an ID of 0 */ 1452 if (id == 0) { 1453 ret = keyctl_change_reqkey_auth(NULL); 1454 goto error; 1455 } 1456 1457 /* attempt to assume the authority temporarily granted to us whilst we 1458 * instantiate the specified key 1459 * - the authorisation key must be in the current task's keyrings 1460 * somewhere 1461 */ 1462 authkey = key_get_instantiation_authkey(id); 1463 if (IS_ERR(authkey)) { 1464 ret = PTR_ERR(authkey); 1465 goto error; 1466 } 1467 1468 ret = keyctl_change_reqkey_auth(authkey); 1469 if (ret == 0) 1470 ret = authkey->serial; 1471 key_put(authkey); 1472 error: 1473 return ret; 1474 } 1475 1476 /* 1477 * Get a key's the LSM security label. 1478 * 1479 * The key must grant the caller View permission for this to work. 1480 * 1481 * If there's a buffer, then up to buflen bytes of data will be placed into it. 1482 * 1483 * If successful, the amount of information available will be returned, 1484 * irrespective of how much was copied (including the terminal NUL). 1485 */ 1486 long keyctl_get_security(key_serial_t keyid, 1487 char __user *buffer, 1488 size_t buflen) 1489 { 1490 struct key *key, *instkey; 1491 key_ref_t key_ref; 1492 char *context; 1493 long ret; 1494 1495 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 1496 if (IS_ERR(key_ref)) { 1497 if (PTR_ERR(key_ref) != -EACCES) 1498 return PTR_ERR(key_ref); 1499 1500 /* viewing a key under construction is also permitted if we 1501 * have the authorisation token handy */ 1502 instkey = key_get_instantiation_authkey(keyid); 1503 if (IS_ERR(instkey)) 1504 return PTR_ERR(instkey); 1505 key_put(instkey); 1506 1507 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); 1508 if (IS_ERR(key_ref)) 1509 return PTR_ERR(key_ref); 1510 } 1511 1512 key = key_ref_to_ptr(key_ref); 1513 ret = security_key_getsecurity(key, &context); 1514 if (ret == 0) { 1515 /* if no information was returned, give userspace an empty 1516 * string */ 1517 ret = 1; 1518 if (buffer && buflen > 0 && 1519 copy_to_user(buffer, "", 1) != 0) 1520 ret = -EFAULT; 1521 } else if (ret > 0) { 1522 /* return as much data as there's room for */ 1523 if (buffer && buflen > 0) { 1524 if (buflen > ret) 1525 buflen = ret; 1526 1527 if (copy_to_user(buffer, context, buflen) != 0) 1528 ret = -EFAULT; 1529 } 1530 1531 kfree(context); 1532 } 1533 1534 key_ref_put(key_ref); 1535 return ret; 1536 } 1537 1538 /* 1539 * Attempt to install the calling process's session keyring on the process's 1540 * parent process. 1541 * 1542 * The keyring must exist and must grant the caller LINK permission, and the 1543 * parent process must be single-threaded and must have the same effective 1544 * ownership as this process and mustn't be SUID/SGID. 1545 * 1546 * The keyring will be emplaced on the parent when it next resumes userspace. 1547 * 1548 * If successful, 0 will be returned. 1549 */ 1550 long keyctl_session_to_parent(void) 1551 { 1552 struct task_struct *me, *parent; 1553 const struct cred *mycred, *pcred; 1554 struct callback_head *newwork, *oldwork; 1555 key_ref_t keyring_r; 1556 struct cred *cred; 1557 int ret; 1558 1559 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK); 1560 if (IS_ERR(keyring_r)) 1561 return PTR_ERR(keyring_r); 1562 1563 ret = -ENOMEM; 1564 1565 /* our parent is going to need a new cred struct, a new tgcred struct 1566 * and new security data, so we allocate them here to prevent ENOMEM in 1567 * our parent */ 1568 cred = cred_alloc_blank(); 1569 if (!cred) 1570 goto error_keyring; 1571 newwork = &cred->rcu; 1572 1573 cred->session_keyring = key_ref_to_ptr(keyring_r); 1574 keyring_r = NULL; 1575 init_task_work(newwork, key_change_session_keyring); 1576 1577 me = current; 1578 rcu_read_lock(); 1579 write_lock_irq(&tasklist_lock); 1580 1581 ret = -EPERM; 1582 oldwork = NULL; 1583 parent = rcu_dereference_protected(me->real_parent, 1584 lockdep_is_held(&tasklist_lock)); 1585 1586 /* the parent mustn't be init and mustn't be a kernel thread */ 1587 if (parent->pid <= 1 || !parent->mm) 1588 goto unlock; 1589 1590 /* the parent must be single threaded */ 1591 if (!thread_group_empty(parent)) 1592 goto unlock; 1593 1594 /* the parent and the child must have different session keyrings or 1595 * there's no point */ 1596 mycred = current_cred(); 1597 pcred = __task_cred(parent); 1598 if (mycred == pcred || 1599 mycred->session_keyring == pcred->session_keyring) { 1600 ret = 0; 1601 goto unlock; 1602 } 1603 1604 /* the parent must have the same effective ownership and mustn't be 1605 * SUID/SGID */ 1606 if (!uid_eq(pcred->uid, mycred->euid) || 1607 !uid_eq(pcred->euid, mycred->euid) || 1608 !uid_eq(pcred->suid, mycred->euid) || 1609 !gid_eq(pcred->gid, mycred->egid) || 1610 !gid_eq(pcred->egid, mycred->egid) || 1611 !gid_eq(pcred->sgid, mycred->egid)) 1612 goto unlock; 1613 1614 /* the keyrings must have the same UID */ 1615 if ((pcred->session_keyring && 1616 !uid_eq(pcred->session_keyring->uid, mycred->euid)) || 1617 !uid_eq(mycred->session_keyring->uid, mycred->euid)) 1618 goto unlock; 1619 1620 /* cancel an already pending keyring replacement */ 1621 oldwork = task_work_cancel(parent, key_change_session_keyring); 1622 1623 /* the replacement session keyring is applied just prior to userspace 1624 * restarting */ 1625 ret = task_work_add(parent, newwork, true); 1626 if (!ret) 1627 newwork = NULL; 1628 unlock: 1629 write_unlock_irq(&tasklist_lock); 1630 rcu_read_unlock(); 1631 if (oldwork) 1632 put_cred(container_of(oldwork, struct cred, rcu)); 1633 if (newwork) 1634 put_cred(cred); 1635 return ret; 1636 1637 error_keyring: 1638 key_ref_put(keyring_r); 1639 return ret; 1640 } 1641 1642 /* 1643 * Apply a restriction to a given keyring. 1644 * 1645 * The caller must have Setattr permission to change keyring restrictions. 1646 * 1647 * The requested type name may be a NULL pointer to reject all attempts 1648 * to link to the keyring. In this case, _restriction must also be NULL. 1649 * Otherwise, both _type and _restriction must be non-NULL. 1650 * 1651 * Returns 0 if successful. 1652 */ 1653 long keyctl_restrict_keyring(key_serial_t id, const char __user *_type, 1654 const char __user *_restriction) 1655 { 1656 key_ref_t key_ref; 1657 char type[32]; 1658 char *restriction = NULL; 1659 long ret; 1660 1661 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 1662 if (IS_ERR(key_ref)) 1663 return PTR_ERR(key_ref); 1664 1665 ret = -EINVAL; 1666 if (_type) { 1667 if (!_restriction) 1668 goto error; 1669 1670 ret = key_get_type_from_user(type, _type, sizeof(type)); 1671 if (ret < 0) 1672 goto error; 1673 1674 restriction = strndup_user(_restriction, PAGE_SIZE); 1675 if (IS_ERR(restriction)) { 1676 ret = PTR_ERR(restriction); 1677 goto error; 1678 } 1679 } else { 1680 if (_restriction) 1681 goto error; 1682 } 1683 1684 ret = keyring_restrict(key_ref, _type ? type : NULL, restriction); 1685 kfree(restriction); 1686 error: 1687 key_ref_put(key_ref); 1688 return ret; 1689 } 1690 1691 /* 1692 * Get keyrings subsystem capabilities. 1693 */ 1694 long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen) 1695 { 1696 size_t size = buflen; 1697 1698 if (size > 0) { 1699 if (size > sizeof(keyrings_capabilities)) 1700 size = sizeof(keyrings_capabilities); 1701 if (copy_to_user(_buffer, keyrings_capabilities, size) != 0) 1702 return -EFAULT; 1703 if (size < buflen && 1704 clear_user(_buffer + size, buflen - size) != 0) 1705 return -EFAULT; 1706 } 1707 1708 return sizeof(keyrings_capabilities); 1709 } 1710 1711 /* 1712 * The key control system call 1713 */ 1714 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1715 unsigned long, arg4, unsigned long, arg5) 1716 { 1717 switch (option) { 1718 case KEYCTL_GET_KEYRING_ID: 1719 return keyctl_get_keyring_ID((key_serial_t) arg2, 1720 (int) arg3); 1721 1722 case KEYCTL_JOIN_SESSION_KEYRING: 1723 return keyctl_join_session_keyring((const char __user *) arg2); 1724 1725 case KEYCTL_UPDATE: 1726 return keyctl_update_key((key_serial_t) arg2, 1727 (const void __user *) arg3, 1728 (size_t) arg4); 1729 1730 case KEYCTL_REVOKE: 1731 return keyctl_revoke_key((key_serial_t) arg2); 1732 1733 case KEYCTL_DESCRIBE: 1734 return keyctl_describe_key((key_serial_t) arg2, 1735 (char __user *) arg3, 1736 (unsigned) arg4); 1737 1738 case KEYCTL_CLEAR: 1739 return keyctl_keyring_clear((key_serial_t) arg2); 1740 1741 case KEYCTL_LINK: 1742 return keyctl_keyring_link((key_serial_t) arg2, 1743 (key_serial_t) arg3); 1744 1745 case KEYCTL_UNLINK: 1746 return keyctl_keyring_unlink((key_serial_t) arg2, 1747 (key_serial_t) arg3); 1748 1749 case KEYCTL_SEARCH: 1750 return keyctl_keyring_search((key_serial_t) arg2, 1751 (const char __user *) arg3, 1752 (const char __user *) arg4, 1753 (key_serial_t) arg5); 1754 1755 case KEYCTL_READ: 1756 return keyctl_read_key((key_serial_t) arg2, 1757 (char __user *) arg3, 1758 (size_t) arg4); 1759 1760 case KEYCTL_CHOWN: 1761 return keyctl_chown_key((key_serial_t) arg2, 1762 (uid_t) arg3, 1763 (gid_t) arg4); 1764 1765 case KEYCTL_SETPERM: 1766 return keyctl_setperm_key((key_serial_t) arg2, 1767 (key_perm_t) arg3); 1768 1769 case KEYCTL_INSTANTIATE: 1770 return keyctl_instantiate_key((key_serial_t) arg2, 1771 (const void __user *) arg3, 1772 (size_t) arg4, 1773 (key_serial_t) arg5); 1774 1775 case KEYCTL_NEGATE: 1776 return keyctl_negate_key((key_serial_t) arg2, 1777 (unsigned) arg3, 1778 (key_serial_t) arg4); 1779 1780 case KEYCTL_SET_REQKEY_KEYRING: 1781 return keyctl_set_reqkey_keyring(arg2); 1782 1783 case KEYCTL_SET_TIMEOUT: 1784 return keyctl_set_timeout((key_serial_t) arg2, 1785 (unsigned) arg3); 1786 1787 case KEYCTL_ASSUME_AUTHORITY: 1788 return keyctl_assume_authority((key_serial_t) arg2); 1789 1790 case KEYCTL_GET_SECURITY: 1791 return keyctl_get_security((key_serial_t) arg2, 1792 (char __user *) arg3, 1793 (size_t) arg4); 1794 1795 case KEYCTL_SESSION_TO_PARENT: 1796 return keyctl_session_to_parent(); 1797 1798 case KEYCTL_REJECT: 1799 return keyctl_reject_key((key_serial_t) arg2, 1800 (unsigned) arg3, 1801 (unsigned) arg4, 1802 (key_serial_t) arg5); 1803 1804 case KEYCTL_INSTANTIATE_IOV: 1805 return keyctl_instantiate_key_iov( 1806 (key_serial_t) arg2, 1807 (const struct iovec __user *) arg3, 1808 (unsigned) arg4, 1809 (key_serial_t) arg5); 1810 1811 case KEYCTL_INVALIDATE: 1812 return keyctl_invalidate_key((key_serial_t) arg2); 1813 1814 case KEYCTL_GET_PERSISTENT: 1815 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); 1816 1817 case KEYCTL_DH_COMPUTE: 1818 return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2, 1819 (char __user *) arg3, (size_t) arg4, 1820 (struct keyctl_kdf_params __user *) arg5); 1821 1822 case KEYCTL_RESTRICT_KEYRING: 1823 return keyctl_restrict_keyring((key_serial_t) arg2, 1824 (const char __user *) arg3, 1825 (const char __user *) arg4); 1826 1827 case KEYCTL_PKEY_QUERY: 1828 if (arg3 != 0) 1829 return -EINVAL; 1830 return keyctl_pkey_query((key_serial_t)arg2, 1831 (const char __user *)arg4, 1832 (struct keyctl_pkey_query __user *)arg5); 1833 1834 case KEYCTL_PKEY_ENCRYPT: 1835 case KEYCTL_PKEY_DECRYPT: 1836 case KEYCTL_PKEY_SIGN: 1837 return keyctl_pkey_e_d_s( 1838 option, 1839 (const struct keyctl_pkey_params __user *)arg2, 1840 (const char __user *)arg3, 1841 (const void __user *)arg4, 1842 (void __user *)arg5); 1843 1844 case KEYCTL_PKEY_VERIFY: 1845 return keyctl_pkey_verify( 1846 (const struct keyctl_pkey_params __user *)arg2, 1847 (const char __user *)arg3, 1848 (const void __user *)arg4, 1849 (const void __user *)arg5); 1850 1851 case KEYCTL_MOVE: 1852 return keyctl_keyring_move((key_serial_t)arg2, 1853 (key_serial_t)arg3, 1854 (key_serial_t)arg4, 1855 (unsigned int)arg5); 1856 1857 case KEYCTL_CAPABILITIES: 1858 return keyctl_capabilities((unsigned char __user *)arg2, (size_t)arg3); 1859 1860 default: 1861 return -EOPNOTSUPP; 1862 } 1863 } 1864