1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Userspace key control operations 3 * 4 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/init.h> 9 #include <linux/sched.h> 10 #include <linux/sched/task.h> 11 #include <linux/slab.h> 12 #include <linux/syscalls.h> 13 #include <linux/key.h> 14 #include <linux/keyctl.h> 15 #include <linux/fs.h> 16 #include <linux/capability.h> 17 #include <linux/cred.h> 18 #include <linux/string.h> 19 #include <linux/err.h> 20 #include <linux/vmalloc.h> 21 #include <linux/security.h> 22 #include <linux/uio.h> 23 #include <linux/uaccess.h> 24 #include <keys/request_key_auth-type.h> 25 #include "internal.h" 26 27 #define KEY_MAX_DESC_SIZE 4096 28 29 static const unsigned char keyrings_capabilities[2] = { 30 [0] = (KEYCTL_CAPS0_CAPABILITIES | 31 (IS_ENABLED(CONFIG_PERSISTENT_KEYRINGS) ? KEYCTL_CAPS0_PERSISTENT_KEYRINGS : 0) | 32 (IS_ENABLED(CONFIG_KEY_DH_OPERATIONS) ? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) | 33 (IS_ENABLED(CONFIG_ASYMMETRIC_KEY_TYPE) ? KEYCTL_CAPS0_PUBLIC_KEY : 0) | 34 (IS_ENABLED(CONFIG_BIG_KEYS) ? KEYCTL_CAPS0_BIG_KEY : 0) | 35 KEYCTL_CAPS0_INVALIDATE | 36 KEYCTL_CAPS0_RESTRICT_KEYRING | 37 KEYCTL_CAPS0_MOVE 38 ), 39 [1] = (KEYCTL_CAPS1_NS_KEYRING_NAME | 40 KEYCTL_CAPS1_NS_KEY_TAG), 41 }; 42 43 static int key_get_type_from_user(char *type, 44 const char __user *_type, 45 unsigned len) 46 { 47 int ret; 48 49 ret = strncpy_from_user(type, _type, len); 50 if (ret < 0) 51 return ret; 52 if (ret == 0 || ret >= len) 53 return -EINVAL; 54 if (type[0] == '.') 55 return -EPERM; 56 type[len - 1] = '\0'; 57 return 0; 58 } 59 60 /* 61 * Extract the description of a new key from userspace and either add it as a 62 * new key to the specified keyring or update a matching key in that keyring. 63 * 64 * If the description is NULL or an empty string, the key type is asked to 65 * generate one from the payload. 66 * 67 * The keyring must be writable so that we can attach the key to it. 68 * 69 * If successful, the new key's serial number is returned, otherwise an error 70 * code is returned. 71 */ 72 SYSCALL_DEFINE5(add_key, const char __user *, _type, 73 const char __user *, _description, 74 const void __user *, _payload, 75 size_t, plen, 76 key_serial_t, ringid) 77 { 78 key_ref_t keyring_ref, key_ref; 79 char type[32], *description; 80 void *payload; 81 long ret; 82 83 ret = -EINVAL; 84 if (plen > 1024 * 1024 - 1) 85 goto error; 86 87 /* draw all the data into kernel space */ 88 ret = key_get_type_from_user(type, _type, sizeof(type)); 89 if (ret < 0) 90 goto error; 91 92 description = NULL; 93 if (_description) { 94 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 95 if (IS_ERR(description)) { 96 ret = PTR_ERR(description); 97 goto error; 98 } 99 if (!*description) { 100 kfree(description); 101 description = NULL; 102 } else if ((description[0] == '.') && 103 (strncmp(type, "keyring", 7) == 0)) { 104 ret = -EPERM; 105 goto error2; 106 } 107 } 108 109 /* pull the payload in if one was supplied */ 110 payload = NULL; 111 112 if (plen) { 113 ret = -ENOMEM; 114 payload = kvmalloc(plen, GFP_KERNEL); 115 if (!payload) 116 goto error2; 117 118 ret = -EFAULT; 119 if (copy_from_user(payload, _payload, plen) != 0) 120 goto error3; 121 } 122 123 /* find the target keyring (which must be writable) */ 124 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 125 if (IS_ERR(keyring_ref)) { 126 ret = PTR_ERR(keyring_ref); 127 goto error3; 128 } 129 130 /* create or update the requested key and add it to the target 131 * keyring */ 132 key_ref = key_create_or_update(keyring_ref, type, description, 133 payload, plen, KEY_PERM_UNDEF, 134 KEY_ALLOC_IN_QUOTA); 135 if (!IS_ERR(key_ref)) { 136 ret = key_ref_to_ptr(key_ref)->serial; 137 key_ref_put(key_ref); 138 } 139 else { 140 ret = PTR_ERR(key_ref); 141 } 142 143 key_ref_put(keyring_ref); 144 error3: 145 kvfree_sensitive(payload, plen); 146 error2: 147 kfree(description); 148 error: 149 return ret; 150 } 151 152 /* 153 * Search the process keyrings and keyring trees linked from those for a 154 * matching key. Keyrings must have appropriate Search permission to be 155 * searched. 156 * 157 * If a key is found, it will be attached to the destination keyring if there's 158 * one specified and the serial number of the key will be returned. 159 * 160 * If no key is found, /sbin/request-key will be invoked if _callout_info is 161 * non-NULL in an attempt to create a key. The _callout_info string will be 162 * passed to /sbin/request-key to aid with completing the request. If the 163 * _callout_info string is "" then it will be changed to "-". 164 */ 165 SYSCALL_DEFINE4(request_key, const char __user *, _type, 166 const char __user *, _description, 167 const char __user *, _callout_info, 168 key_serial_t, destringid) 169 { 170 struct key_type *ktype; 171 struct key *key; 172 key_ref_t dest_ref; 173 size_t callout_len; 174 char type[32], *description, *callout_info; 175 long ret; 176 177 /* pull the type into kernel space */ 178 ret = key_get_type_from_user(type, _type, sizeof(type)); 179 if (ret < 0) 180 goto error; 181 182 /* pull the description into kernel space */ 183 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 184 if (IS_ERR(description)) { 185 ret = PTR_ERR(description); 186 goto error; 187 } 188 189 /* pull the callout info into kernel space */ 190 callout_info = NULL; 191 callout_len = 0; 192 if (_callout_info) { 193 callout_info = strndup_user(_callout_info, PAGE_SIZE); 194 if (IS_ERR(callout_info)) { 195 ret = PTR_ERR(callout_info); 196 goto error2; 197 } 198 callout_len = strlen(callout_info); 199 } 200 201 /* get the destination keyring if specified */ 202 dest_ref = NULL; 203 if (destringid) { 204 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 205 KEY_NEED_WRITE); 206 if (IS_ERR(dest_ref)) { 207 ret = PTR_ERR(dest_ref); 208 goto error3; 209 } 210 } 211 212 /* find the key type */ 213 ktype = key_type_lookup(type); 214 if (IS_ERR(ktype)) { 215 ret = PTR_ERR(ktype); 216 goto error4; 217 } 218 219 /* do the search */ 220 key = request_key_and_link(ktype, description, NULL, callout_info, 221 callout_len, NULL, key_ref_to_ptr(dest_ref), 222 KEY_ALLOC_IN_QUOTA); 223 if (IS_ERR(key)) { 224 ret = PTR_ERR(key); 225 goto error5; 226 } 227 228 /* wait for the key to finish being constructed */ 229 ret = wait_for_key_construction(key, 1); 230 if (ret < 0) 231 goto error6; 232 233 ret = key->serial; 234 235 error6: 236 key_put(key); 237 error5: 238 key_type_put(ktype); 239 error4: 240 key_ref_put(dest_ref); 241 error3: 242 kfree(callout_info); 243 error2: 244 kfree(description); 245 error: 246 return ret; 247 } 248 249 /* 250 * Get the ID of the specified process keyring. 251 * 252 * The requested keyring must have search permission to be found. 253 * 254 * If successful, the ID of the requested keyring will be returned. 255 */ 256 long keyctl_get_keyring_ID(key_serial_t id, int create) 257 { 258 key_ref_t key_ref; 259 unsigned long lflags; 260 long ret; 261 262 lflags = create ? KEY_LOOKUP_CREATE : 0; 263 key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH); 264 if (IS_ERR(key_ref)) { 265 ret = PTR_ERR(key_ref); 266 goto error; 267 } 268 269 ret = key_ref_to_ptr(key_ref)->serial; 270 key_ref_put(key_ref); 271 error: 272 return ret; 273 } 274 275 /* 276 * Join a (named) session keyring. 277 * 278 * Create and join an anonymous session keyring or join a named session 279 * keyring, creating it if necessary. A named session keyring must have Search 280 * permission for it to be joined. Session keyrings without this permit will 281 * be skipped over. It is not permitted for userspace to create or join 282 * keyrings whose name begin with a dot. 283 * 284 * If successful, the ID of the joined session keyring will be returned. 285 */ 286 long keyctl_join_session_keyring(const char __user *_name) 287 { 288 char *name; 289 long ret; 290 291 /* fetch the name from userspace */ 292 name = NULL; 293 if (_name) { 294 name = strndup_user(_name, KEY_MAX_DESC_SIZE); 295 if (IS_ERR(name)) { 296 ret = PTR_ERR(name); 297 goto error; 298 } 299 300 ret = -EPERM; 301 if (name[0] == '.') 302 goto error_name; 303 } 304 305 /* join the session */ 306 ret = join_session_keyring(name); 307 error_name: 308 kfree(name); 309 error: 310 return ret; 311 } 312 313 /* 314 * Update a key's data payload from the given data. 315 * 316 * The key must grant the caller Write permission and the key type must support 317 * updating for this to work. A negative key can be positively instantiated 318 * with this call. 319 * 320 * If successful, 0 will be returned. If the key type does not support 321 * updating, then -EOPNOTSUPP will be returned. 322 */ 323 long keyctl_update_key(key_serial_t id, 324 const void __user *_payload, 325 size_t plen) 326 { 327 key_ref_t key_ref; 328 void *payload; 329 long ret; 330 331 ret = -EINVAL; 332 if (plen > PAGE_SIZE) 333 goto error; 334 335 /* pull the payload in if one was supplied */ 336 payload = NULL; 337 if (plen) { 338 ret = -ENOMEM; 339 payload = kvmalloc(plen, GFP_KERNEL); 340 if (!payload) 341 goto error; 342 343 ret = -EFAULT; 344 if (copy_from_user(payload, _payload, plen) != 0) 345 goto error2; 346 } 347 348 /* find the target key (which must be writable) */ 349 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 350 if (IS_ERR(key_ref)) { 351 ret = PTR_ERR(key_ref); 352 goto error2; 353 } 354 355 /* update the key */ 356 ret = key_update(key_ref, payload, plen); 357 358 key_ref_put(key_ref); 359 error2: 360 kvfree_sensitive(payload, plen); 361 error: 362 return ret; 363 } 364 365 /* 366 * Revoke a key. 367 * 368 * The key must be grant the caller Write or Setattr permission for this to 369 * work. The key type should give up its quota claim when revoked. The key 370 * and any links to the key will be automatically garbage collected after a 371 * certain amount of time (/proc/sys/kernel/keys/gc_delay). 372 * 373 * Keys with KEY_FLAG_KEEP set should not be revoked. 374 * 375 * If successful, 0 is returned. 376 */ 377 long keyctl_revoke_key(key_serial_t id) 378 { 379 key_ref_t key_ref; 380 struct key *key; 381 long ret; 382 383 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 384 if (IS_ERR(key_ref)) { 385 ret = PTR_ERR(key_ref); 386 if (ret != -EACCES) 387 goto error; 388 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 389 if (IS_ERR(key_ref)) { 390 ret = PTR_ERR(key_ref); 391 goto error; 392 } 393 } 394 395 key = key_ref_to_ptr(key_ref); 396 ret = 0; 397 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 398 ret = -EPERM; 399 else 400 key_revoke(key); 401 402 key_ref_put(key_ref); 403 error: 404 return ret; 405 } 406 407 /* 408 * Invalidate a key. 409 * 410 * The key must be grant the caller Invalidate permission for this to work. 411 * The key and any links to the key will be automatically garbage collected 412 * immediately. 413 * 414 * Keys with KEY_FLAG_KEEP set should not be invalidated. 415 * 416 * If successful, 0 is returned. 417 */ 418 long keyctl_invalidate_key(key_serial_t id) 419 { 420 key_ref_t key_ref; 421 struct key *key; 422 long ret; 423 424 kenter("%d", id); 425 426 key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); 427 if (IS_ERR(key_ref)) { 428 ret = PTR_ERR(key_ref); 429 430 /* Root is permitted to invalidate certain special keys */ 431 if (capable(CAP_SYS_ADMIN)) { 432 key_ref = lookup_user_key(id, 0, 0); 433 if (IS_ERR(key_ref)) 434 goto error; 435 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, 436 &key_ref_to_ptr(key_ref)->flags)) 437 goto invalidate; 438 goto error_put; 439 } 440 441 goto error; 442 } 443 444 invalidate: 445 key = key_ref_to_ptr(key_ref); 446 ret = 0; 447 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 448 ret = -EPERM; 449 else 450 key_invalidate(key); 451 error_put: 452 key_ref_put(key_ref); 453 error: 454 kleave(" = %ld", ret); 455 return ret; 456 } 457 458 /* 459 * Clear the specified keyring, creating an empty process keyring if one of the 460 * special keyring IDs is used. 461 * 462 * The keyring must grant the caller Write permission and not have 463 * KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned. 464 */ 465 long keyctl_keyring_clear(key_serial_t ringid) 466 { 467 key_ref_t keyring_ref; 468 struct key *keyring; 469 long ret; 470 471 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 472 if (IS_ERR(keyring_ref)) { 473 ret = PTR_ERR(keyring_ref); 474 475 /* Root is permitted to invalidate certain special keyrings */ 476 if (capable(CAP_SYS_ADMIN)) { 477 keyring_ref = lookup_user_key(ringid, 0, 0); 478 if (IS_ERR(keyring_ref)) 479 goto error; 480 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, 481 &key_ref_to_ptr(keyring_ref)->flags)) 482 goto clear; 483 goto error_put; 484 } 485 486 goto error; 487 } 488 489 clear: 490 keyring = key_ref_to_ptr(keyring_ref); 491 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 492 ret = -EPERM; 493 else 494 ret = keyring_clear(keyring); 495 error_put: 496 key_ref_put(keyring_ref); 497 error: 498 return ret; 499 } 500 501 /* 502 * Create a link from a keyring to a key if there's no matching key in the 503 * keyring, otherwise replace the link to the matching key with a link to the 504 * new key. 505 * 506 * The key must grant the caller Link permission and the the keyring must grant 507 * the caller Write permission. Furthermore, if an additional link is created, 508 * the keyring's quota will be extended. 509 * 510 * If successful, 0 will be returned. 511 */ 512 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 513 { 514 key_ref_t keyring_ref, key_ref; 515 long ret; 516 517 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 518 if (IS_ERR(keyring_ref)) { 519 ret = PTR_ERR(keyring_ref); 520 goto error; 521 } 522 523 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 524 if (IS_ERR(key_ref)) { 525 ret = PTR_ERR(key_ref); 526 goto error2; 527 } 528 529 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 530 531 key_ref_put(key_ref); 532 error2: 533 key_ref_put(keyring_ref); 534 error: 535 return ret; 536 } 537 538 /* 539 * Unlink a key from a keyring. 540 * 541 * The keyring must grant the caller Write permission for this to work; the key 542 * itself need not grant the caller anything. If the last link to a key is 543 * removed then that key will be scheduled for destruction. 544 * 545 * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. 546 * 547 * If successful, 0 will be returned. 548 */ 549 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 550 { 551 key_ref_t keyring_ref, key_ref; 552 struct key *keyring, *key; 553 long ret; 554 555 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); 556 if (IS_ERR(keyring_ref)) { 557 ret = PTR_ERR(keyring_ref); 558 goto error; 559 } 560 561 key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0); 562 if (IS_ERR(key_ref)) { 563 ret = PTR_ERR(key_ref); 564 goto error2; 565 } 566 567 keyring = key_ref_to_ptr(keyring_ref); 568 key = key_ref_to_ptr(key_ref); 569 if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && 570 test_bit(KEY_FLAG_KEEP, &key->flags)) 571 ret = -EPERM; 572 else 573 ret = key_unlink(keyring, key); 574 575 key_ref_put(key_ref); 576 error2: 577 key_ref_put(keyring_ref); 578 error: 579 return ret; 580 } 581 582 /* 583 * Move a link to a key from one keyring to another, displacing any matching 584 * key from the destination keyring. 585 * 586 * The key must grant the caller Link permission and both keyrings must grant 587 * the caller Write permission. There must also be a link in the from keyring 588 * to the key. If both keyrings are the same, nothing is done. 589 * 590 * If successful, 0 will be returned. 591 */ 592 long keyctl_keyring_move(key_serial_t id, key_serial_t from_ringid, 593 key_serial_t to_ringid, unsigned int flags) 594 { 595 key_ref_t key_ref, from_ref, to_ref; 596 long ret; 597 598 if (flags & ~KEYCTL_MOVE_EXCL) 599 return -EINVAL; 600 601 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 602 if (IS_ERR(key_ref)) 603 return PTR_ERR(key_ref); 604 605 from_ref = lookup_user_key(from_ringid, 0, KEY_NEED_WRITE); 606 if (IS_ERR(from_ref)) { 607 ret = PTR_ERR(from_ref); 608 goto error2; 609 } 610 611 to_ref = lookup_user_key(to_ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 612 if (IS_ERR(to_ref)) { 613 ret = PTR_ERR(to_ref); 614 goto error3; 615 } 616 617 ret = key_move(key_ref_to_ptr(key_ref), key_ref_to_ptr(from_ref), 618 key_ref_to_ptr(to_ref), flags); 619 620 key_ref_put(to_ref); 621 error3: 622 key_ref_put(from_ref); 623 error2: 624 key_ref_put(key_ref); 625 return ret; 626 } 627 628 /* 629 * Return a description of a key to userspace. 630 * 631 * The key must grant the caller View permission for this to work. 632 * 633 * If there's a buffer, we place up to buflen bytes of data into it formatted 634 * in the following way: 635 * 636 * type;uid;gid;perm;description<NUL> 637 * 638 * If successful, we return the amount of description available, irrespective 639 * of how much we may have copied into the buffer. 640 */ 641 long keyctl_describe_key(key_serial_t keyid, 642 char __user *buffer, 643 size_t buflen) 644 { 645 struct key *key, *instkey; 646 key_ref_t key_ref; 647 char *infobuf; 648 long ret; 649 int desclen, infolen; 650 651 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 652 if (IS_ERR(key_ref)) { 653 /* viewing a key under construction is permitted if we have the 654 * authorisation token handy */ 655 if (PTR_ERR(key_ref) == -EACCES) { 656 instkey = key_get_instantiation_authkey(keyid); 657 if (!IS_ERR(instkey)) { 658 key_put(instkey); 659 key_ref = lookup_user_key(keyid, 660 KEY_LOOKUP_PARTIAL, 661 0); 662 if (!IS_ERR(key_ref)) 663 goto okay; 664 } 665 } 666 667 ret = PTR_ERR(key_ref); 668 goto error; 669 } 670 671 okay: 672 key = key_ref_to_ptr(key_ref); 673 desclen = strlen(key->description); 674 675 /* calculate how much information we're going to return */ 676 ret = -ENOMEM; 677 infobuf = kasprintf(GFP_KERNEL, 678 "%s;%d;%d;%08x;", 679 key->type->name, 680 from_kuid_munged(current_user_ns(), key->uid), 681 from_kgid_munged(current_user_ns(), key->gid), 682 key->perm); 683 if (!infobuf) 684 goto error2; 685 infolen = strlen(infobuf); 686 ret = infolen + desclen + 1; 687 688 /* consider returning the data */ 689 if (buffer && buflen >= ret) { 690 if (copy_to_user(buffer, infobuf, infolen) != 0 || 691 copy_to_user(buffer + infolen, key->description, 692 desclen + 1) != 0) 693 ret = -EFAULT; 694 } 695 696 kfree(infobuf); 697 error2: 698 key_ref_put(key_ref); 699 error: 700 return ret; 701 } 702 703 /* 704 * Search the specified keyring and any keyrings it links to for a matching 705 * key. Only keyrings that grant the caller Search permission will be searched 706 * (this includes the starting keyring). Only keys with Search permission can 707 * be found. 708 * 709 * If successful, the found key will be linked to the destination keyring if 710 * supplied and the key has Link permission, and the found key ID will be 711 * returned. 712 */ 713 long keyctl_keyring_search(key_serial_t ringid, 714 const char __user *_type, 715 const char __user *_description, 716 key_serial_t destringid) 717 { 718 struct key_type *ktype; 719 key_ref_t keyring_ref, key_ref, dest_ref; 720 char type[32], *description; 721 long ret; 722 723 /* pull the type and description into kernel space */ 724 ret = key_get_type_from_user(type, _type, sizeof(type)); 725 if (ret < 0) 726 goto error; 727 728 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 729 if (IS_ERR(description)) { 730 ret = PTR_ERR(description); 731 goto error; 732 } 733 734 /* get the keyring at which to begin the search */ 735 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH); 736 if (IS_ERR(keyring_ref)) { 737 ret = PTR_ERR(keyring_ref); 738 goto error2; 739 } 740 741 /* get the destination keyring if specified */ 742 dest_ref = NULL; 743 if (destringid) { 744 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 745 KEY_NEED_WRITE); 746 if (IS_ERR(dest_ref)) { 747 ret = PTR_ERR(dest_ref); 748 goto error3; 749 } 750 } 751 752 /* find the key type */ 753 ktype = key_type_lookup(type); 754 if (IS_ERR(ktype)) { 755 ret = PTR_ERR(ktype); 756 goto error4; 757 } 758 759 /* do the search */ 760 key_ref = keyring_search(keyring_ref, ktype, description, true); 761 if (IS_ERR(key_ref)) { 762 ret = PTR_ERR(key_ref); 763 764 /* treat lack or presence of a negative key the same */ 765 if (ret == -EAGAIN) 766 ret = -ENOKEY; 767 goto error5; 768 } 769 770 /* link the resulting key to the destination keyring if we can */ 771 if (dest_ref) { 772 ret = key_permission(key_ref, KEY_NEED_LINK); 773 if (ret < 0) 774 goto error6; 775 776 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 777 if (ret < 0) 778 goto error6; 779 } 780 781 ret = key_ref_to_ptr(key_ref)->serial; 782 783 error6: 784 key_ref_put(key_ref); 785 error5: 786 key_type_put(ktype); 787 error4: 788 key_ref_put(dest_ref); 789 error3: 790 key_ref_put(keyring_ref); 791 error2: 792 kfree(description); 793 error: 794 return ret; 795 } 796 797 /* 798 * Call the read method 799 */ 800 static long __keyctl_read_key(struct key *key, char *buffer, size_t buflen) 801 { 802 long ret; 803 804 down_read(&key->sem); 805 ret = key_validate(key); 806 if (ret == 0) 807 ret = key->type->read(key, buffer, buflen); 808 up_read(&key->sem); 809 return ret; 810 } 811 812 /* 813 * Read a key's payload. 814 * 815 * The key must either grant the caller Read permission, or it must grant the 816 * caller Search permission when searched for from the process keyrings. 817 * 818 * If successful, we place up to buflen bytes of data into the buffer, if one 819 * is provided, and return the amount of data that is available in the key, 820 * irrespective of how much we copied into the buffer. 821 */ 822 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 823 { 824 struct key *key; 825 key_ref_t key_ref; 826 long ret; 827 char *key_data = NULL; 828 size_t key_data_len; 829 830 /* find the key first */ 831 key_ref = lookup_user_key(keyid, 0, 0); 832 if (IS_ERR(key_ref)) { 833 ret = -ENOKEY; 834 goto out; 835 } 836 837 key = key_ref_to_ptr(key_ref); 838 839 ret = key_read_state(key); 840 if (ret < 0) 841 goto key_put_out; /* Negatively instantiated */ 842 843 /* see if we can read it directly */ 844 ret = key_permission(key_ref, KEY_NEED_READ); 845 if (ret == 0) 846 goto can_read_key; 847 if (ret != -EACCES) 848 goto key_put_out; 849 850 /* we can't; see if it's searchable from this process's keyrings 851 * - we automatically take account of the fact that it may be 852 * dangling off an instantiation key 853 */ 854 if (!is_key_possessed(key_ref)) { 855 ret = -EACCES; 856 goto key_put_out; 857 } 858 859 /* the key is probably readable - now try to read it */ 860 can_read_key: 861 if (!key->type->read) { 862 ret = -EOPNOTSUPP; 863 goto key_put_out; 864 } 865 866 if (!buffer || !buflen) { 867 /* Get the key length from the read method */ 868 ret = __keyctl_read_key(key, NULL, 0); 869 goto key_put_out; 870 } 871 872 /* 873 * Read the data with the semaphore held (since we might sleep) 874 * to protect against the key being updated or revoked. 875 * 876 * Allocating a temporary buffer to hold the keys before 877 * transferring them to user buffer to avoid potential 878 * deadlock involving page fault and mmap_lock. 879 * 880 * key_data_len = (buflen <= PAGE_SIZE) 881 * ? buflen : actual length of key data 882 * 883 * This prevents allocating arbitrary large buffer which can 884 * be much larger than the actual key length. In the latter case, 885 * at least 2 passes of this loop is required. 886 */ 887 key_data_len = (buflen <= PAGE_SIZE) ? buflen : 0; 888 for (;;) { 889 if (key_data_len) { 890 key_data = kvmalloc(key_data_len, GFP_KERNEL); 891 if (!key_data) { 892 ret = -ENOMEM; 893 goto key_put_out; 894 } 895 } 896 897 ret = __keyctl_read_key(key, key_data, key_data_len); 898 899 /* 900 * Read methods will just return the required length without 901 * any copying if the provided length isn't large enough. 902 */ 903 if (ret <= 0 || ret > buflen) 904 break; 905 906 /* 907 * The key may change (unlikely) in between 2 consecutive 908 * __keyctl_read_key() calls. In this case, we reallocate 909 * a larger buffer and redo the key read when 910 * key_data_len < ret <= buflen. 911 */ 912 if (ret > key_data_len) { 913 if (unlikely(key_data)) 914 kvfree_sensitive(key_data, key_data_len); 915 key_data_len = ret; 916 continue; /* Allocate buffer */ 917 } 918 919 if (copy_to_user(buffer, key_data, ret)) 920 ret = -EFAULT; 921 break; 922 } 923 kvfree_sensitive(key_data, key_data_len); 924 925 key_put_out: 926 key_put(key); 927 out: 928 return ret; 929 } 930 931 /* 932 * Change the ownership of a key 933 * 934 * The key must grant the caller Setattr permission for this to work, though 935 * the key need not be fully instantiated yet. For the UID to be changed, or 936 * for the GID to be changed to a group the caller is not a member of, the 937 * caller must have sysadmin capability. If either uid or gid is -1 then that 938 * attribute is not changed. 939 * 940 * If the UID is to be changed, the new user must have sufficient quota to 941 * accept the key. The quota deduction will be removed from the old user to 942 * the new user should the attribute be changed. 943 * 944 * If successful, 0 will be returned. 945 */ 946 long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) 947 { 948 struct key_user *newowner, *zapowner = NULL; 949 struct key *key; 950 key_ref_t key_ref; 951 long ret; 952 kuid_t uid; 953 kgid_t gid; 954 955 uid = make_kuid(current_user_ns(), user); 956 gid = make_kgid(current_user_ns(), group); 957 ret = -EINVAL; 958 if ((user != (uid_t) -1) && !uid_valid(uid)) 959 goto error; 960 if ((group != (gid_t) -1) && !gid_valid(gid)) 961 goto error; 962 963 ret = 0; 964 if (user == (uid_t) -1 && group == (gid_t) -1) 965 goto error; 966 967 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 968 KEY_NEED_SETATTR); 969 if (IS_ERR(key_ref)) { 970 ret = PTR_ERR(key_ref); 971 goto error; 972 } 973 974 key = key_ref_to_ptr(key_ref); 975 976 /* make the changes with the locks held to prevent chown/chown races */ 977 ret = -EACCES; 978 down_write(&key->sem); 979 980 if (!capable(CAP_SYS_ADMIN)) { 981 /* only the sysadmin can chown a key to some other UID */ 982 if (user != (uid_t) -1 && !uid_eq(key->uid, uid)) 983 goto error_put; 984 985 /* only the sysadmin can set the key's GID to a group other 986 * than one of those that the current process subscribes to */ 987 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid)) 988 goto error_put; 989 } 990 991 /* change the UID */ 992 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) { 993 ret = -ENOMEM; 994 newowner = key_user_lookup(uid); 995 if (!newowner) 996 goto error_put; 997 998 /* transfer the quota burden to the new user */ 999 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 1000 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 1001 key_quota_root_maxkeys : key_quota_maxkeys; 1002 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 1003 key_quota_root_maxbytes : key_quota_maxbytes; 1004 1005 spin_lock(&newowner->lock); 1006 if (newowner->qnkeys + 1 > maxkeys || 1007 newowner->qnbytes + key->quotalen > maxbytes || 1008 newowner->qnbytes + key->quotalen < 1009 newowner->qnbytes) 1010 goto quota_overrun; 1011 1012 newowner->qnkeys++; 1013 newowner->qnbytes += key->quotalen; 1014 spin_unlock(&newowner->lock); 1015 1016 spin_lock(&key->user->lock); 1017 key->user->qnkeys--; 1018 key->user->qnbytes -= key->quotalen; 1019 spin_unlock(&key->user->lock); 1020 } 1021 1022 atomic_dec(&key->user->nkeys); 1023 atomic_inc(&newowner->nkeys); 1024 1025 if (key->state != KEY_IS_UNINSTANTIATED) { 1026 atomic_dec(&key->user->nikeys); 1027 atomic_inc(&newowner->nikeys); 1028 } 1029 1030 zapowner = key->user; 1031 key->user = newowner; 1032 key->uid = uid; 1033 } 1034 1035 /* change the GID */ 1036 if (group != (gid_t) -1) 1037 key->gid = gid; 1038 1039 ret = 0; 1040 1041 error_put: 1042 up_write(&key->sem); 1043 key_put(key); 1044 if (zapowner) 1045 key_user_put(zapowner); 1046 error: 1047 return ret; 1048 1049 quota_overrun: 1050 spin_unlock(&newowner->lock); 1051 zapowner = newowner; 1052 ret = -EDQUOT; 1053 goto error_put; 1054 } 1055 1056 /* 1057 * Change the permission mask on a key. 1058 * 1059 * The key must grant the caller Setattr permission for this to work, though 1060 * the key need not be fully instantiated yet. If the caller does not have 1061 * sysadmin capability, it may only change the permission on keys that it owns. 1062 */ 1063 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 1064 { 1065 struct key *key; 1066 key_ref_t key_ref; 1067 long ret; 1068 1069 ret = -EINVAL; 1070 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 1071 goto error; 1072 1073 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1074 KEY_NEED_SETATTR); 1075 if (IS_ERR(key_ref)) { 1076 ret = PTR_ERR(key_ref); 1077 goto error; 1078 } 1079 1080 key = key_ref_to_ptr(key_ref); 1081 1082 /* make the changes with the locks held to prevent chown/chmod races */ 1083 ret = -EACCES; 1084 down_write(&key->sem); 1085 1086 /* if we're not the sysadmin, we can only change a key that we own */ 1087 if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) { 1088 key->perm = perm; 1089 ret = 0; 1090 } 1091 1092 up_write(&key->sem); 1093 key_put(key); 1094 error: 1095 return ret; 1096 } 1097 1098 /* 1099 * Get the destination keyring for instantiation and check that the caller has 1100 * Write permission on it. 1101 */ 1102 static long get_instantiation_keyring(key_serial_t ringid, 1103 struct request_key_auth *rka, 1104 struct key **_dest_keyring) 1105 { 1106 key_ref_t dkref; 1107 1108 *_dest_keyring = NULL; 1109 1110 /* just return a NULL pointer if we weren't asked to make a link */ 1111 if (ringid == 0) 1112 return 0; 1113 1114 /* if a specific keyring is nominated by ID, then use that */ 1115 if (ringid > 0) { 1116 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 1117 if (IS_ERR(dkref)) 1118 return PTR_ERR(dkref); 1119 *_dest_keyring = key_ref_to_ptr(dkref); 1120 return 0; 1121 } 1122 1123 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 1124 return -EINVAL; 1125 1126 /* otherwise specify the destination keyring recorded in the 1127 * authorisation key (any KEY_SPEC_*_KEYRING) */ 1128 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 1129 *_dest_keyring = key_get(rka->dest_keyring); 1130 return 0; 1131 } 1132 1133 return -ENOKEY; 1134 } 1135 1136 /* 1137 * Change the request_key authorisation key on the current process. 1138 */ 1139 static int keyctl_change_reqkey_auth(struct key *key) 1140 { 1141 struct cred *new; 1142 1143 new = prepare_creds(); 1144 if (!new) 1145 return -ENOMEM; 1146 1147 key_put(new->request_key_auth); 1148 new->request_key_auth = key_get(key); 1149 1150 return commit_creds(new); 1151 } 1152 1153 /* 1154 * Instantiate a key with the specified payload and link the key into the 1155 * destination keyring if one is given. 1156 * 1157 * The caller must have the appropriate instantiation permit set for this to 1158 * work (see keyctl_assume_authority). No other permissions are required. 1159 * 1160 * If successful, 0 will be returned. 1161 */ 1162 long keyctl_instantiate_key_common(key_serial_t id, 1163 struct iov_iter *from, 1164 key_serial_t ringid) 1165 { 1166 const struct cred *cred = current_cred(); 1167 struct request_key_auth *rka; 1168 struct key *instkey, *dest_keyring; 1169 size_t plen = from ? iov_iter_count(from) : 0; 1170 void *payload; 1171 long ret; 1172 1173 kenter("%d,,%zu,%d", id, plen, ringid); 1174 1175 if (!plen) 1176 from = NULL; 1177 1178 ret = -EINVAL; 1179 if (plen > 1024 * 1024 - 1) 1180 goto error; 1181 1182 /* the appropriate instantiation authorisation key must have been 1183 * assumed before calling this */ 1184 ret = -EPERM; 1185 instkey = cred->request_key_auth; 1186 if (!instkey) 1187 goto error; 1188 1189 rka = instkey->payload.data[0]; 1190 if (rka->target_key->serial != id) 1191 goto error; 1192 1193 /* pull the payload in if one was supplied */ 1194 payload = NULL; 1195 1196 if (from) { 1197 ret = -ENOMEM; 1198 payload = kvmalloc(plen, GFP_KERNEL); 1199 if (!payload) 1200 goto error; 1201 1202 ret = -EFAULT; 1203 if (!copy_from_iter_full(payload, plen, from)) 1204 goto error2; 1205 } 1206 1207 /* find the destination keyring amongst those belonging to the 1208 * requesting task */ 1209 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1210 if (ret < 0) 1211 goto error2; 1212 1213 /* instantiate the key and link it into a keyring */ 1214 ret = key_instantiate_and_link(rka->target_key, payload, plen, 1215 dest_keyring, instkey); 1216 1217 key_put(dest_keyring); 1218 1219 /* discard the assumed authority if it's just been disabled by 1220 * instantiation of the key */ 1221 if (ret == 0) 1222 keyctl_change_reqkey_auth(NULL); 1223 1224 error2: 1225 kvfree_sensitive(payload, plen); 1226 error: 1227 return ret; 1228 } 1229 1230 /* 1231 * Instantiate a key with the specified payload and link the key into the 1232 * destination keyring if one is given. 1233 * 1234 * The caller must have the appropriate instantiation permit set for this to 1235 * work (see keyctl_assume_authority). No other permissions are required. 1236 * 1237 * If successful, 0 will be returned. 1238 */ 1239 long keyctl_instantiate_key(key_serial_t id, 1240 const void __user *_payload, 1241 size_t plen, 1242 key_serial_t ringid) 1243 { 1244 if (_payload && plen) { 1245 struct iovec iov; 1246 struct iov_iter from; 1247 int ret; 1248 1249 ret = import_single_range(WRITE, (void __user *)_payload, plen, 1250 &iov, &from); 1251 if (unlikely(ret)) 1252 return ret; 1253 1254 return keyctl_instantiate_key_common(id, &from, ringid); 1255 } 1256 1257 return keyctl_instantiate_key_common(id, NULL, ringid); 1258 } 1259 1260 /* 1261 * Instantiate a key with the specified multipart payload and link the key into 1262 * the destination keyring if one is given. 1263 * 1264 * The caller must have the appropriate instantiation permit set for this to 1265 * work (see keyctl_assume_authority). No other permissions are required. 1266 * 1267 * If successful, 0 will be returned. 1268 */ 1269 long keyctl_instantiate_key_iov(key_serial_t id, 1270 const struct iovec __user *_payload_iov, 1271 unsigned ioc, 1272 key_serial_t ringid) 1273 { 1274 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; 1275 struct iov_iter from; 1276 long ret; 1277 1278 if (!_payload_iov) 1279 ioc = 0; 1280 1281 ret = import_iovec(WRITE, _payload_iov, ioc, 1282 ARRAY_SIZE(iovstack), &iov, &from); 1283 if (ret < 0) 1284 return ret; 1285 ret = keyctl_instantiate_key_common(id, &from, ringid); 1286 kfree(iov); 1287 return ret; 1288 } 1289 1290 /* 1291 * Negatively instantiate the key with the given timeout (in seconds) and link 1292 * the key into the destination keyring if one is given. 1293 * 1294 * The caller must have the appropriate instantiation permit set for this to 1295 * work (see keyctl_assume_authority). No other permissions are required. 1296 * 1297 * The key and any links to the key will be automatically garbage collected 1298 * after the timeout expires. 1299 * 1300 * Negative keys are used to rate limit repeated request_key() calls by causing 1301 * them to return -ENOKEY until the negative key expires. 1302 * 1303 * If successful, 0 will be returned. 1304 */ 1305 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 1306 { 1307 return keyctl_reject_key(id, timeout, ENOKEY, ringid); 1308 } 1309 1310 /* 1311 * Negatively instantiate the key with the given timeout (in seconds) and error 1312 * code and link the key into the destination keyring if one is given. 1313 * 1314 * The caller must have the appropriate instantiation permit set for this to 1315 * work (see keyctl_assume_authority). No other permissions are required. 1316 * 1317 * The key and any links to the key will be automatically garbage collected 1318 * after the timeout expires. 1319 * 1320 * Negative keys are used to rate limit repeated request_key() calls by causing 1321 * them to return the specified error code until the negative key expires. 1322 * 1323 * If successful, 0 will be returned. 1324 */ 1325 long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, 1326 key_serial_t ringid) 1327 { 1328 const struct cred *cred = current_cred(); 1329 struct request_key_auth *rka; 1330 struct key *instkey, *dest_keyring; 1331 long ret; 1332 1333 kenter("%d,%u,%u,%d", id, timeout, error, ringid); 1334 1335 /* must be a valid error code and mustn't be a kernel special */ 1336 if (error <= 0 || 1337 error >= MAX_ERRNO || 1338 error == ERESTARTSYS || 1339 error == ERESTARTNOINTR || 1340 error == ERESTARTNOHAND || 1341 error == ERESTART_RESTARTBLOCK) 1342 return -EINVAL; 1343 1344 /* the appropriate instantiation authorisation key must have been 1345 * assumed before calling this */ 1346 ret = -EPERM; 1347 instkey = cred->request_key_auth; 1348 if (!instkey) 1349 goto error; 1350 1351 rka = instkey->payload.data[0]; 1352 if (rka->target_key->serial != id) 1353 goto error; 1354 1355 /* find the destination keyring if present (which must also be 1356 * writable) */ 1357 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1358 if (ret < 0) 1359 goto error; 1360 1361 /* instantiate the key and link it into a keyring */ 1362 ret = key_reject_and_link(rka->target_key, timeout, error, 1363 dest_keyring, instkey); 1364 1365 key_put(dest_keyring); 1366 1367 /* discard the assumed authority if it's just been disabled by 1368 * instantiation of the key */ 1369 if (ret == 0) 1370 keyctl_change_reqkey_auth(NULL); 1371 1372 error: 1373 return ret; 1374 } 1375 1376 /* 1377 * Read or set the default keyring in which request_key() will cache keys and 1378 * return the old setting. 1379 * 1380 * If a thread or process keyring is specified then it will be created if it 1381 * doesn't yet exist. The old setting will be returned if successful. 1382 */ 1383 long keyctl_set_reqkey_keyring(int reqkey_defl) 1384 { 1385 struct cred *new; 1386 int ret, old_setting; 1387 1388 old_setting = current_cred_xxx(jit_keyring); 1389 1390 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1391 return old_setting; 1392 1393 new = prepare_creds(); 1394 if (!new) 1395 return -ENOMEM; 1396 1397 switch (reqkey_defl) { 1398 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1399 ret = install_thread_keyring_to_cred(new); 1400 if (ret < 0) 1401 goto error; 1402 goto set; 1403 1404 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1405 ret = install_process_keyring_to_cred(new); 1406 if (ret < 0) 1407 goto error; 1408 goto set; 1409 1410 case KEY_REQKEY_DEFL_DEFAULT: 1411 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1412 case KEY_REQKEY_DEFL_USER_KEYRING: 1413 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1414 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1415 goto set; 1416 1417 case KEY_REQKEY_DEFL_NO_CHANGE: 1418 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1419 default: 1420 ret = -EINVAL; 1421 goto error; 1422 } 1423 1424 set: 1425 new->jit_keyring = reqkey_defl; 1426 commit_creds(new); 1427 return old_setting; 1428 error: 1429 abort_creds(new); 1430 return ret; 1431 } 1432 1433 /* 1434 * Set or clear the timeout on a key. 1435 * 1436 * Either the key must grant the caller Setattr permission or else the caller 1437 * must hold an instantiation authorisation token for the key. 1438 * 1439 * The timeout is either 0 to clear the timeout, or a number of seconds from 1440 * the current time. The key and any links to the key will be automatically 1441 * garbage collected after the timeout expires. 1442 * 1443 * Keys with KEY_FLAG_KEEP set should not be timed out. 1444 * 1445 * If successful, 0 is returned. 1446 */ 1447 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1448 { 1449 struct key *key, *instkey; 1450 key_ref_t key_ref; 1451 long ret; 1452 1453 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1454 KEY_NEED_SETATTR); 1455 if (IS_ERR(key_ref)) { 1456 /* setting the timeout on a key under construction is permitted 1457 * if we have the authorisation token handy */ 1458 if (PTR_ERR(key_ref) == -EACCES) { 1459 instkey = key_get_instantiation_authkey(id); 1460 if (!IS_ERR(instkey)) { 1461 key_put(instkey); 1462 key_ref = lookup_user_key(id, 1463 KEY_LOOKUP_PARTIAL, 1464 0); 1465 if (!IS_ERR(key_ref)) 1466 goto okay; 1467 } 1468 } 1469 1470 ret = PTR_ERR(key_ref); 1471 goto error; 1472 } 1473 1474 okay: 1475 key = key_ref_to_ptr(key_ref); 1476 ret = 0; 1477 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 1478 ret = -EPERM; 1479 else 1480 key_set_timeout(key, timeout); 1481 key_put(key); 1482 1483 error: 1484 return ret; 1485 } 1486 1487 /* 1488 * Assume (or clear) the authority to instantiate the specified key. 1489 * 1490 * This sets the authoritative token currently in force for key instantiation. 1491 * This must be done for a key to be instantiated. It has the effect of making 1492 * available all the keys from the caller of the request_key() that created a 1493 * key to request_key() calls made by the caller of this function. 1494 * 1495 * The caller must have the instantiation key in their process keyrings with a 1496 * Search permission grant available to the caller. 1497 * 1498 * If the ID given is 0, then the setting will be cleared and 0 returned. 1499 * 1500 * If the ID given has a matching an authorisation key, then that key will be 1501 * set and its ID will be returned. The authorisation key can be read to get 1502 * the callout information passed to request_key(). 1503 */ 1504 long keyctl_assume_authority(key_serial_t id) 1505 { 1506 struct key *authkey; 1507 long ret; 1508 1509 /* special key IDs aren't permitted */ 1510 ret = -EINVAL; 1511 if (id < 0) 1512 goto error; 1513 1514 /* we divest ourselves of authority if given an ID of 0 */ 1515 if (id == 0) { 1516 ret = keyctl_change_reqkey_auth(NULL); 1517 goto error; 1518 } 1519 1520 /* attempt to assume the authority temporarily granted to us whilst we 1521 * instantiate the specified key 1522 * - the authorisation key must be in the current task's keyrings 1523 * somewhere 1524 */ 1525 authkey = key_get_instantiation_authkey(id); 1526 if (IS_ERR(authkey)) { 1527 ret = PTR_ERR(authkey); 1528 goto error; 1529 } 1530 1531 ret = keyctl_change_reqkey_auth(authkey); 1532 if (ret == 0) 1533 ret = authkey->serial; 1534 key_put(authkey); 1535 error: 1536 return ret; 1537 } 1538 1539 /* 1540 * Get a key's the LSM security label. 1541 * 1542 * The key must grant the caller View permission for this to work. 1543 * 1544 * If there's a buffer, then up to buflen bytes of data will be placed into it. 1545 * 1546 * If successful, the amount of information available will be returned, 1547 * irrespective of how much was copied (including the terminal NUL). 1548 */ 1549 long keyctl_get_security(key_serial_t keyid, 1550 char __user *buffer, 1551 size_t buflen) 1552 { 1553 struct key *key, *instkey; 1554 key_ref_t key_ref; 1555 char *context; 1556 long ret; 1557 1558 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 1559 if (IS_ERR(key_ref)) { 1560 if (PTR_ERR(key_ref) != -EACCES) 1561 return PTR_ERR(key_ref); 1562 1563 /* viewing a key under construction is also permitted if we 1564 * have the authorisation token handy */ 1565 instkey = key_get_instantiation_authkey(keyid); 1566 if (IS_ERR(instkey)) 1567 return PTR_ERR(instkey); 1568 key_put(instkey); 1569 1570 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); 1571 if (IS_ERR(key_ref)) 1572 return PTR_ERR(key_ref); 1573 } 1574 1575 key = key_ref_to_ptr(key_ref); 1576 ret = security_key_getsecurity(key, &context); 1577 if (ret == 0) { 1578 /* if no information was returned, give userspace an empty 1579 * string */ 1580 ret = 1; 1581 if (buffer && buflen > 0 && 1582 copy_to_user(buffer, "", 1) != 0) 1583 ret = -EFAULT; 1584 } else if (ret > 0) { 1585 /* return as much data as there's room for */ 1586 if (buffer && buflen > 0) { 1587 if (buflen > ret) 1588 buflen = ret; 1589 1590 if (copy_to_user(buffer, context, buflen) != 0) 1591 ret = -EFAULT; 1592 } 1593 1594 kfree(context); 1595 } 1596 1597 key_ref_put(key_ref); 1598 return ret; 1599 } 1600 1601 /* 1602 * Attempt to install the calling process's session keyring on the process's 1603 * parent process. 1604 * 1605 * The keyring must exist and must grant the caller LINK permission, and the 1606 * parent process must be single-threaded and must have the same effective 1607 * ownership as this process and mustn't be SUID/SGID. 1608 * 1609 * The keyring will be emplaced on the parent when it next resumes userspace. 1610 * 1611 * If successful, 0 will be returned. 1612 */ 1613 long keyctl_session_to_parent(void) 1614 { 1615 struct task_struct *me, *parent; 1616 const struct cred *mycred, *pcred; 1617 struct callback_head *newwork, *oldwork; 1618 key_ref_t keyring_r; 1619 struct cred *cred; 1620 int ret; 1621 1622 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK); 1623 if (IS_ERR(keyring_r)) 1624 return PTR_ERR(keyring_r); 1625 1626 ret = -ENOMEM; 1627 1628 /* our parent is going to need a new cred struct, a new tgcred struct 1629 * and new security data, so we allocate them here to prevent ENOMEM in 1630 * our parent */ 1631 cred = cred_alloc_blank(); 1632 if (!cred) 1633 goto error_keyring; 1634 newwork = &cred->rcu; 1635 1636 cred->session_keyring = key_ref_to_ptr(keyring_r); 1637 keyring_r = NULL; 1638 init_task_work(newwork, key_change_session_keyring); 1639 1640 me = current; 1641 rcu_read_lock(); 1642 write_lock_irq(&tasklist_lock); 1643 1644 ret = -EPERM; 1645 oldwork = NULL; 1646 parent = rcu_dereference_protected(me->real_parent, 1647 lockdep_is_held(&tasklist_lock)); 1648 1649 /* the parent mustn't be init and mustn't be a kernel thread */ 1650 if (parent->pid <= 1 || !parent->mm) 1651 goto unlock; 1652 1653 /* the parent must be single threaded */ 1654 if (!thread_group_empty(parent)) 1655 goto unlock; 1656 1657 /* the parent and the child must have different session keyrings or 1658 * there's no point */ 1659 mycred = current_cred(); 1660 pcred = __task_cred(parent); 1661 if (mycred == pcred || 1662 mycred->session_keyring == pcred->session_keyring) { 1663 ret = 0; 1664 goto unlock; 1665 } 1666 1667 /* the parent must have the same effective ownership and mustn't be 1668 * SUID/SGID */ 1669 if (!uid_eq(pcred->uid, mycred->euid) || 1670 !uid_eq(pcred->euid, mycred->euid) || 1671 !uid_eq(pcred->suid, mycred->euid) || 1672 !gid_eq(pcred->gid, mycred->egid) || 1673 !gid_eq(pcred->egid, mycred->egid) || 1674 !gid_eq(pcred->sgid, mycred->egid)) 1675 goto unlock; 1676 1677 /* the keyrings must have the same UID */ 1678 if ((pcred->session_keyring && 1679 !uid_eq(pcred->session_keyring->uid, mycred->euid)) || 1680 !uid_eq(mycred->session_keyring->uid, mycred->euid)) 1681 goto unlock; 1682 1683 /* cancel an already pending keyring replacement */ 1684 oldwork = task_work_cancel(parent, key_change_session_keyring); 1685 1686 /* the replacement session keyring is applied just prior to userspace 1687 * restarting */ 1688 ret = task_work_add(parent, newwork, true); 1689 if (!ret) 1690 newwork = NULL; 1691 unlock: 1692 write_unlock_irq(&tasklist_lock); 1693 rcu_read_unlock(); 1694 if (oldwork) 1695 put_cred(container_of(oldwork, struct cred, rcu)); 1696 if (newwork) 1697 put_cred(cred); 1698 return ret; 1699 1700 error_keyring: 1701 key_ref_put(keyring_r); 1702 return ret; 1703 } 1704 1705 /* 1706 * Apply a restriction to a given keyring. 1707 * 1708 * The caller must have Setattr permission to change keyring restrictions. 1709 * 1710 * The requested type name may be a NULL pointer to reject all attempts 1711 * to link to the keyring. In this case, _restriction must also be NULL. 1712 * Otherwise, both _type and _restriction must be non-NULL. 1713 * 1714 * Returns 0 if successful. 1715 */ 1716 long keyctl_restrict_keyring(key_serial_t id, const char __user *_type, 1717 const char __user *_restriction) 1718 { 1719 key_ref_t key_ref; 1720 char type[32]; 1721 char *restriction = NULL; 1722 long ret; 1723 1724 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 1725 if (IS_ERR(key_ref)) 1726 return PTR_ERR(key_ref); 1727 1728 ret = -EINVAL; 1729 if (_type) { 1730 if (!_restriction) 1731 goto error; 1732 1733 ret = key_get_type_from_user(type, _type, sizeof(type)); 1734 if (ret < 0) 1735 goto error; 1736 1737 restriction = strndup_user(_restriction, PAGE_SIZE); 1738 if (IS_ERR(restriction)) { 1739 ret = PTR_ERR(restriction); 1740 goto error; 1741 } 1742 } else { 1743 if (_restriction) 1744 goto error; 1745 } 1746 1747 ret = keyring_restrict(key_ref, _type ? type : NULL, restriction); 1748 kfree(restriction); 1749 error: 1750 key_ref_put(key_ref); 1751 return ret; 1752 } 1753 1754 /* 1755 * Get keyrings subsystem capabilities. 1756 */ 1757 long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen) 1758 { 1759 size_t size = buflen; 1760 1761 if (size > 0) { 1762 if (size > sizeof(keyrings_capabilities)) 1763 size = sizeof(keyrings_capabilities); 1764 if (copy_to_user(_buffer, keyrings_capabilities, size) != 0) 1765 return -EFAULT; 1766 if (size < buflen && 1767 clear_user(_buffer + size, buflen - size) != 0) 1768 return -EFAULT; 1769 } 1770 1771 return sizeof(keyrings_capabilities); 1772 } 1773 1774 /* 1775 * The key control system call 1776 */ 1777 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1778 unsigned long, arg4, unsigned long, arg5) 1779 { 1780 switch (option) { 1781 case KEYCTL_GET_KEYRING_ID: 1782 return keyctl_get_keyring_ID((key_serial_t) arg2, 1783 (int) arg3); 1784 1785 case KEYCTL_JOIN_SESSION_KEYRING: 1786 return keyctl_join_session_keyring((const char __user *) arg2); 1787 1788 case KEYCTL_UPDATE: 1789 return keyctl_update_key((key_serial_t) arg2, 1790 (const void __user *) arg3, 1791 (size_t) arg4); 1792 1793 case KEYCTL_REVOKE: 1794 return keyctl_revoke_key((key_serial_t) arg2); 1795 1796 case KEYCTL_DESCRIBE: 1797 return keyctl_describe_key((key_serial_t) arg2, 1798 (char __user *) arg3, 1799 (unsigned) arg4); 1800 1801 case KEYCTL_CLEAR: 1802 return keyctl_keyring_clear((key_serial_t) arg2); 1803 1804 case KEYCTL_LINK: 1805 return keyctl_keyring_link((key_serial_t) arg2, 1806 (key_serial_t) arg3); 1807 1808 case KEYCTL_UNLINK: 1809 return keyctl_keyring_unlink((key_serial_t) arg2, 1810 (key_serial_t) arg3); 1811 1812 case KEYCTL_SEARCH: 1813 return keyctl_keyring_search((key_serial_t) arg2, 1814 (const char __user *) arg3, 1815 (const char __user *) arg4, 1816 (key_serial_t) arg5); 1817 1818 case KEYCTL_READ: 1819 return keyctl_read_key((key_serial_t) arg2, 1820 (char __user *) arg3, 1821 (size_t) arg4); 1822 1823 case KEYCTL_CHOWN: 1824 return keyctl_chown_key((key_serial_t) arg2, 1825 (uid_t) arg3, 1826 (gid_t) arg4); 1827 1828 case KEYCTL_SETPERM: 1829 return keyctl_setperm_key((key_serial_t) arg2, 1830 (key_perm_t) arg3); 1831 1832 case KEYCTL_INSTANTIATE: 1833 return keyctl_instantiate_key((key_serial_t) arg2, 1834 (const void __user *) arg3, 1835 (size_t) arg4, 1836 (key_serial_t) arg5); 1837 1838 case KEYCTL_NEGATE: 1839 return keyctl_negate_key((key_serial_t) arg2, 1840 (unsigned) arg3, 1841 (key_serial_t) arg4); 1842 1843 case KEYCTL_SET_REQKEY_KEYRING: 1844 return keyctl_set_reqkey_keyring(arg2); 1845 1846 case KEYCTL_SET_TIMEOUT: 1847 return keyctl_set_timeout((key_serial_t) arg2, 1848 (unsigned) arg3); 1849 1850 case KEYCTL_ASSUME_AUTHORITY: 1851 return keyctl_assume_authority((key_serial_t) arg2); 1852 1853 case KEYCTL_GET_SECURITY: 1854 return keyctl_get_security((key_serial_t) arg2, 1855 (char __user *) arg3, 1856 (size_t) arg4); 1857 1858 case KEYCTL_SESSION_TO_PARENT: 1859 return keyctl_session_to_parent(); 1860 1861 case KEYCTL_REJECT: 1862 return keyctl_reject_key((key_serial_t) arg2, 1863 (unsigned) arg3, 1864 (unsigned) arg4, 1865 (key_serial_t) arg5); 1866 1867 case KEYCTL_INSTANTIATE_IOV: 1868 return keyctl_instantiate_key_iov( 1869 (key_serial_t) arg2, 1870 (const struct iovec __user *) arg3, 1871 (unsigned) arg4, 1872 (key_serial_t) arg5); 1873 1874 case KEYCTL_INVALIDATE: 1875 return keyctl_invalidate_key((key_serial_t) arg2); 1876 1877 case KEYCTL_GET_PERSISTENT: 1878 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); 1879 1880 case KEYCTL_DH_COMPUTE: 1881 return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2, 1882 (char __user *) arg3, (size_t) arg4, 1883 (struct keyctl_kdf_params __user *) arg5); 1884 1885 case KEYCTL_RESTRICT_KEYRING: 1886 return keyctl_restrict_keyring((key_serial_t) arg2, 1887 (const char __user *) arg3, 1888 (const char __user *) arg4); 1889 1890 case KEYCTL_PKEY_QUERY: 1891 if (arg3 != 0) 1892 return -EINVAL; 1893 return keyctl_pkey_query((key_serial_t)arg2, 1894 (const char __user *)arg4, 1895 (struct keyctl_pkey_query __user *)arg5); 1896 1897 case KEYCTL_PKEY_ENCRYPT: 1898 case KEYCTL_PKEY_DECRYPT: 1899 case KEYCTL_PKEY_SIGN: 1900 return keyctl_pkey_e_d_s( 1901 option, 1902 (const struct keyctl_pkey_params __user *)arg2, 1903 (const char __user *)arg3, 1904 (const void __user *)arg4, 1905 (void __user *)arg5); 1906 1907 case KEYCTL_PKEY_VERIFY: 1908 return keyctl_pkey_verify( 1909 (const struct keyctl_pkey_params __user *)arg2, 1910 (const char __user *)arg3, 1911 (const void __user *)arg4, 1912 (const void __user *)arg5); 1913 1914 case KEYCTL_MOVE: 1915 return keyctl_keyring_move((key_serial_t)arg2, 1916 (key_serial_t)arg3, 1917 (key_serial_t)arg4, 1918 (unsigned int)arg5); 1919 1920 case KEYCTL_CAPABILITIES: 1921 return keyctl_capabilities((unsigned char __user *)arg2, (size_t)arg3); 1922 1923 default: 1924 return -EOPNOTSUPP; 1925 } 1926 } 1927