1 /* Keyring handling 2 * 3 * Copyright (C) 2004-2005, 2008, 2013 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/security.h> 17 #include <linux/seq_file.h> 18 #include <linux/err.h> 19 #include <keys/keyring-type.h> 20 #include <keys/user-type.h> 21 #include <linux/assoc_array_priv.h> 22 #include <linux/uaccess.h> 23 #include "internal.h" 24 25 /* 26 * When plumbing the depths of the key tree, this sets a hard limit 27 * set on how deep we're willing to go. 28 */ 29 #define KEYRING_SEARCH_MAX_DEPTH 6 30 31 /* 32 * We keep all named keyrings in a hash to speed looking them up. 33 */ 34 #define KEYRING_NAME_HASH_SIZE (1 << 5) 35 36 /* 37 * We mark pointers we pass to the associative array with bit 1 set if 38 * they're keyrings and clear otherwise. 39 */ 40 #define KEYRING_PTR_SUBTYPE 0x2UL 41 42 static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x) 43 { 44 return (unsigned long)x & KEYRING_PTR_SUBTYPE; 45 } 46 static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x) 47 { 48 void *object = assoc_array_ptr_to_leaf(x); 49 return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE); 50 } 51 static inline void *keyring_key_to_ptr(struct key *key) 52 { 53 if (key->type == &key_type_keyring) 54 return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE); 55 return key; 56 } 57 58 static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE]; 59 static DEFINE_RWLOCK(keyring_name_lock); 60 61 static inline unsigned keyring_hash(const char *desc) 62 { 63 unsigned bucket = 0; 64 65 for (; *desc; desc++) 66 bucket += (unsigned char)*desc; 67 68 return bucket & (KEYRING_NAME_HASH_SIZE - 1); 69 } 70 71 /* 72 * The keyring key type definition. Keyrings are simply keys of this type and 73 * can be treated as ordinary keys in addition to having their own special 74 * operations. 75 */ 76 static int keyring_preparse(struct key_preparsed_payload *prep); 77 static void keyring_free_preparse(struct key_preparsed_payload *prep); 78 static int keyring_instantiate(struct key *keyring, 79 struct key_preparsed_payload *prep); 80 static void keyring_revoke(struct key *keyring); 81 static void keyring_destroy(struct key *keyring); 82 static void keyring_describe(const struct key *keyring, struct seq_file *m); 83 static long keyring_read(const struct key *keyring, 84 char __user *buffer, size_t buflen); 85 86 struct key_type key_type_keyring = { 87 .name = "keyring", 88 .def_datalen = 0, 89 .preparse = keyring_preparse, 90 .free_preparse = keyring_free_preparse, 91 .instantiate = keyring_instantiate, 92 .match = user_match, 93 .revoke = keyring_revoke, 94 .destroy = keyring_destroy, 95 .describe = keyring_describe, 96 .read = keyring_read, 97 }; 98 EXPORT_SYMBOL(key_type_keyring); 99 100 /* 101 * Semaphore to serialise link/link calls to prevent two link calls in parallel 102 * introducing a cycle. 103 */ 104 static DECLARE_RWSEM(keyring_serialise_link_sem); 105 106 /* 107 * Publish the name of a keyring so that it can be found by name (if it has 108 * one). 109 */ 110 static void keyring_publish_name(struct key *keyring) 111 { 112 int bucket; 113 114 if (keyring->description) { 115 bucket = keyring_hash(keyring->description); 116 117 write_lock(&keyring_name_lock); 118 119 if (!keyring_name_hash[bucket].next) 120 INIT_LIST_HEAD(&keyring_name_hash[bucket]); 121 122 list_add_tail(&keyring->type_data.link, 123 &keyring_name_hash[bucket]); 124 125 write_unlock(&keyring_name_lock); 126 } 127 } 128 129 /* 130 * Preparse a keyring payload 131 */ 132 static int keyring_preparse(struct key_preparsed_payload *prep) 133 { 134 return prep->datalen != 0 ? -EINVAL : 0; 135 } 136 137 /* 138 * Free a preparse of a user defined key payload 139 */ 140 static void keyring_free_preparse(struct key_preparsed_payload *prep) 141 { 142 } 143 144 /* 145 * Initialise a keyring. 146 * 147 * Returns 0 on success, -EINVAL if given any data. 148 */ 149 static int keyring_instantiate(struct key *keyring, 150 struct key_preparsed_payload *prep) 151 { 152 assoc_array_init(&keyring->keys); 153 /* make the keyring available by name if it has one */ 154 keyring_publish_name(keyring); 155 return 0; 156 } 157 158 /* 159 * Multiply 64-bits by 32-bits to 96-bits and fold back to 64-bit. Ideally we'd 160 * fold the carry back too, but that requires inline asm. 161 */ 162 static u64 mult_64x32_and_fold(u64 x, u32 y) 163 { 164 u64 hi = (u64)(u32)(x >> 32) * y; 165 u64 lo = (u64)(u32)(x) * y; 166 return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32); 167 } 168 169 /* 170 * Hash a key type and description. 171 */ 172 static unsigned long hash_key_type_and_desc(const struct keyring_index_key *index_key) 173 { 174 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP; 175 const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK; 176 const char *description = index_key->description; 177 unsigned long hash, type; 178 u32 piece; 179 u64 acc; 180 int n, desc_len = index_key->desc_len; 181 182 type = (unsigned long)index_key->type; 183 184 acc = mult_64x32_and_fold(type, desc_len + 13); 185 acc = mult_64x32_and_fold(acc, 9207); 186 for (;;) { 187 n = desc_len; 188 if (n <= 0) 189 break; 190 if (n > 4) 191 n = 4; 192 piece = 0; 193 memcpy(&piece, description, n); 194 description += n; 195 desc_len -= n; 196 acc = mult_64x32_and_fold(acc, piece); 197 acc = mult_64x32_and_fold(acc, 9207); 198 } 199 200 /* Fold the hash down to 32 bits if need be. */ 201 hash = acc; 202 if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32) 203 hash ^= acc >> 32; 204 205 /* Squidge all the keyrings into a separate part of the tree to 206 * ordinary keys by making sure the lowest level segment in the hash is 207 * zero for keyrings and non-zero otherwise. 208 */ 209 if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0) 210 return hash | (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1; 211 if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0) 212 return (hash + (hash << level_shift)) & ~fan_mask; 213 return hash; 214 } 215 216 /* 217 * Build the next index key chunk. 218 * 219 * On 32-bit systems the index key is laid out as: 220 * 221 * 0 4 5 9... 222 * hash desclen typeptr desc[] 223 * 224 * On 64-bit systems: 225 * 226 * 0 8 9 17... 227 * hash desclen typeptr desc[] 228 * 229 * We return it one word-sized chunk at a time. 230 */ 231 static unsigned long keyring_get_key_chunk(const void *data, int level) 232 { 233 const struct keyring_index_key *index_key = data; 234 unsigned long chunk = 0; 235 long offset = 0; 236 int desc_len = index_key->desc_len, n = sizeof(chunk); 237 238 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE; 239 switch (level) { 240 case 0: 241 return hash_key_type_and_desc(index_key); 242 case 1: 243 return ((unsigned long)index_key->type << 8) | desc_len; 244 case 2: 245 if (desc_len == 0) 246 return (u8)((unsigned long)index_key->type >> 247 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8)); 248 n--; 249 offset = 1; 250 default: 251 offset += sizeof(chunk) - 1; 252 offset += (level - 3) * sizeof(chunk); 253 if (offset >= desc_len) 254 return 0; 255 desc_len -= offset; 256 if (desc_len > n) 257 desc_len = n; 258 offset += desc_len; 259 do { 260 chunk <<= 8; 261 chunk |= ((u8*)index_key->description)[--offset]; 262 } while (--desc_len > 0); 263 264 if (level == 2) { 265 chunk <<= 8; 266 chunk |= (u8)((unsigned long)index_key->type >> 267 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8)); 268 } 269 return chunk; 270 } 271 } 272 273 static unsigned long keyring_get_object_key_chunk(const void *object, int level) 274 { 275 const struct key *key = keyring_ptr_to_key(object); 276 return keyring_get_key_chunk(&key->index_key, level); 277 } 278 279 static bool keyring_compare_object(const void *object, const void *data) 280 { 281 const struct keyring_index_key *index_key = data; 282 const struct key *key = keyring_ptr_to_key(object); 283 284 return key->index_key.type == index_key->type && 285 key->index_key.desc_len == index_key->desc_len && 286 memcmp(key->index_key.description, index_key->description, 287 index_key->desc_len) == 0; 288 } 289 290 /* 291 * Compare the index keys of a pair of objects and determine the bit position 292 * at which they differ - if they differ. 293 */ 294 static int keyring_diff_objects(const void *object, const void *data) 295 { 296 const struct key *key_a = keyring_ptr_to_key(object); 297 const struct keyring_index_key *a = &key_a->index_key; 298 const struct keyring_index_key *b = data; 299 unsigned long seg_a, seg_b; 300 int level, i; 301 302 level = 0; 303 seg_a = hash_key_type_and_desc(a); 304 seg_b = hash_key_type_and_desc(b); 305 if ((seg_a ^ seg_b) != 0) 306 goto differ; 307 308 /* The number of bits contributed by the hash is controlled by a 309 * constant in the assoc_array headers. Everything else thereafter we 310 * can deal with as being machine word-size dependent. 311 */ 312 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8; 313 seg_a = a->desc_len; 314 seg_b = b->desc_len; 315 if ((seg_a ^ seg_b) != 0) 316 goto differ; 317 318 /* The next bit may not work on big endian */ 319 level++; 320 seg_a = (unsigned long)a->type; 321 seg_b = (unsigned long)b->type; 322 if ((seg_a ^ seg_b) != 0) 323 goto differ; 324 325 level += sizeof(unsigned long); 326 if (a->desc_len == 0) 327 goto same; 328 329 i = 0; 330 if (((unsigned long)a->description | (unsigned long)b->description) & 331 (sizeof(unsigned long) - 1)) { 332 do { 333 seg_a = *(unsigned long *)(a->description + i); 334 seg_b = *(unsigned long *)(b->description + i); 335 if ((seg_a ^ seg_b) != 0) 336 goto differ_plus_i; 337 i += sizeof(unsigned long); 338 } while (i < (a->desc_len & (sizeof(unsigned long) - 1))); 339 } 340 341 for (; i < a->desc_len; i++) { 342 seg_a = *(unsigned char *)(a->description + i); 343 seg_b = *(unsigned char *)(b->description + i); 344 if ((seg_a ^ seg_b) != 0) 345 goto differ_plus_i; 346 } 347 348 same: 349 return -1; 350 351 differ_plus_i: 352 level += i; 353 differ: 354 i = level * 8 + __ffs(seg_a ^ seg_b); 355 return i; 356 } 357 358 /* 359 * Free an object after stripping the keyring flag off of the pointer. 360 */ 361 static void keyring_free_object(void *object) 362 { 363 key_put(keyring_ptr_to_key(object)); 364 } 365 366 /* 367 * Operations for keyring management by the index-tree routines. 368 */ 369 static const struct assoc_array_ops keyring_assoc_array_ops = { 370 .get_key_chunk = keyring_get_key_chunk, 371 .get_object_key_chunk = keyring_get_object_key_chunk, 372 .compare_object = keyring_compare_object, 373 .diff_objects = keyring_diff_objects, 374 .free_object = keyring_free_object, 375 }; 376 377 /* 378 * Clean up a keyring when it is destroyed. Unpublish its name if it had one 379 * and dispose of its data. 380 * 381 * The garbage collector detects the final key_put(), removes the keyring from 382 * the serial number tree and then does RCU synchronisation before coming here, 383 * so we shouldn't need to worry about code poking around here with the RCU 384 * readlock held by this time. 385 */ 386 static void keyring_destroy(struct key *keyring) 387 { 388 if (keyring->description) { 389 write_lock(&keyring_name_lock); 390 391 if (keyring->type_data.link.next != NULL && 392 !list_empty(&keyring->type_data.link)) 393 list_del(&keyring->type_data.link); 394 395 write_unlock(&keyring_name_lock); 396 } 397 398 assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops); 399 } 400 401 /* 402 * Describe a keyring for /proc. 403 */ 404 static void keyring_describe(const struct key *keyring, struct seq_file *m) 405 { 406 if (keyring->description) 407 seq_puts(m, keyring->description); 408 else 409 seq_puts(m, "[anon]"); 410 411 if (key_is_instantiated(keyring)) { 412 if (keyring->keys.nr_leaves_on_tree != 0) 413 seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree); 414 else 415 seq_puts(m, ": empty"); 416 } 417 } 418 419 struct keyring_read_iterator_context { 420 size_t qty; 421 size_t count; 422 key_serial_t __user *buffer; 423 }; 424 425 static int keyring_read_iterator(const void *object, void *data) 426 { 427 struct keyring_read_iterator_context *ctx = data; 428 const struct key *key = keyring_ptr_to_key(object); 429 int ret; 430 431 kenter("{%s,%d},,{%zu/%zu}", 432 key->type->name, key->serial, ctx->count, ctx->qty); 433 434 if (ctx->count >= ctx->qty) 435 return 1; 436 437 ret = put_user(key->serial, ctx->buffer); 438 if (ret < 0) 439 return ret; 440 ctx->buffer++; 441 ctx->count += sizeof(key->serial); 442 return 0; 443 } 444 445 /* 446 * Read a list of key IDs from the keyring's contents in binary form 447 * 448 * The keyring's semaphore is read-locked by the caller. This prevents someone 449 * from modifying it under us - which could cause us to read key IDs multiple 450 * times. 451 */ 452 static long keyring_read(const struct key *keyring, 453 char __user *buffer, size_t buflen) 454 { 455 struct keyring_read_iterator_context ctx; 456 unsigned long nr_keys; 457 int ret; 458 459 kenter("{%d},,%zu", key_serial(keyring), buflen); 460 461 if (buflen & (sizeof(key_serial_t) - 1)) 462 return -EINVAL; 463 464 nr_keys = keyring->keys.nr_leaves_on_tree; 465 if (nr_keys == 0) 466 return 0; 467 468 /* Calculate how much data we could return */ 469 ctx.qty = nr_keys * sizeof(key_serial_t); 470 471 if (!buffer || !buflen) 472 return ctx.qty; 473 474 if (buflen > ctx.qty) 475 ctx.qty = buflen; 476 477 /* Copy the IDs of the subscribed keys into the buffer */ 478 ctx.buffer = (key_serial_t __user *)buffer; 479 ctx.count = 0; 480 ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx); 481 if (ret < 0) { 482 kleave(" = %d [iterate]", ret); 483 return ret; 484 } 485 486 kleave(" = %zu [ok]", ctx.count); 487 return ctx.count; 488 } 489 490 /* 491 * Allocate a keyring and link into the destination keyring. 492 */ 493 struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid, 494 const struct cred *cred, key_perm_t perm, 495 unsigned long flags, struct key *dest) 496 { 497 struct key *keyring; 498 int ret; 499 500 keyring = key_alloc(&key_type_keyring, description, 501 uid, gid, cred, perm, flags); 502 if (!IS_ERR(keyring)) { 503 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); 504 if (ret < 0) { 505 key_put(keyring); 506 keyring = ERR_PTR(ret); 507 } 508 } 509 510 return keyring; 511 } 512 EXPORT_SYMBOL(keyring_alloc); 513 514 /* 515 * Iteration function to consider each key found. 516 */ 517 static int keyring_search_iterator(const void *object, void *iterator_data) 518 { 519 struct keyring_search_context *ctx = iterator_data; 520 const struct key *key = keyring_ptr_to_key(object); 521 unsigned long kflags = key->flags; 522 523 kenter("{%d}", key->serial); 524 525 /* ignore keys not of this type */ 526 if (key->type != ctx->index_key.type) { 527 kleave(" = 0 [!type]"); 528 return 0; 529 } 530 531 /* skip invalidated, revoked and expired keys */ 532 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { 533 if (kflags & ((1 << KEY_FLAG_INVALIDATED) | 534 (1 << KEY_FLAG_REVOKED))) { 535 ctx->result = ERR_PTR(-EKEYREVOKED); 536 kleave(" = %d [invrev]", ctx->skipped_ret); 537 goto skipped; 538 } 539 540 if (key->expiry && ctx->now.tv_sec >= key->expiry) { 541 ctx->result = ERR_PTR(-EKEYEXPIRED); 542 kleave(" = %d [expire]", ctx->skipped_ret); 543 goto skipped; 544 } 545 } 546 547 /* keys that don't match */ 548 if (!ctx->match(key, ctx->match_data)) { 549 kleave(" = 0 [!match]"); 550 return 0; 551 } 552 553 /* key must have search permissions */ 554 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) && 555 key_task_permission(make_key_ref(key, ctx->possessed), 556 ctx->cred, KEY_NEED_SEARCH) < 0) { 557 ctx->result = ERR_PTR(-EACCES); 558 kleave(" = %d [!perm]", ctx->skipped_ret); 559 goto skipped; 560 } 561 562 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { 563 /* we set a different error code if we pass a negative key */ 564 if (kflags & (1 << KEY_FLAG_NEGATIVE)) { 565 smp_rmb(); 566 ctx->result = ERR_PTR(key->type_data.reject_error); 567 kleave(" = %d [neg]", ctx->skipped_ret); 568 goto skipped; 569 } 570 } 571 572 /* Found */ 573 ctx->result = make_key_ref(key, ctx->possessed); 574 kleave(" = 1 [found]"); 575 return 1; 576 577 skipped: 578 return ctx->skipped_ret; 579 } 580 581 /* 582 * Search inside a keyring for a key. We can search by walking to it 583 * directly based on its index-key or we can iterate over the entire 584 * tree looking for it, based on the match function. 585 */ 586 static int search_keyring(struct key *keyring, struct keyring_search_context *ctx) 587 { 588 if ((ctx->flags & KEYRING_SEARCH_LOOKUP_TYPE) == 589 KEYRING_SEARCH_LOOKUP_DIRECT) { 590 const void *object; 591 592 object = assoc_array_find(&keyring->keys, 593 &keyring_assoc_array_ops, 594 &ctx->index_key); 595 return object ? ctx->iterator(object, ctx) : 0; 596 } 597 return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx); 598 } 599 600 /* 601 * Search a tree of keyrings that point to other keyrings up to the maximum 602 * depth. 603 */ 604 static bool search_nested_keyrings(struct key *keyring, 605 struct keyring_search_context *ctx) 606 { 607 struct { 608 struct key *keyring; 609 struct assoc_array_node *node; 610 int slot; 611 } stack[KEYRING_SEARCH_MAX_DEPTH]; 612 613 struct assoc_array_shortcut *shortcut; 614 struct assoc_array_node *node; 615 struct assoc_array_ptr *ptr; 616 struct key *key; 617 int sp = 0, slot; 618 619 kenter("{%d},{%s,%s}", 620 keyring->serial, 621 ctx->index_key.type->name, 622 ctx->index_key.description); 623 624 if (ctx->index_key.description) 625 ctx->index_key.desc_len = strlen(ctx->index_key.description); 626 627 /* Check to see if this top-level keyring is what we are looking for 628 * and whether it is valid or not. 629 */ 630 if (ctx->flags & KEYRING_SEARCH_LOOKUP_ITERATE || 631 keyring_compare_object(keyring, &ctx->index_key)) { 632 ctx->skipped_ret = 2; 633 ctx->flags |= KEYRING_SEARCH_DO_STATE_CHECK; 634 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) { 635 case 1: 636 goto found; 637 case 2: 638 return false; 639 default: 640 break; 641 } 642 } 643 644 ctx->skipped_ret = 0; 645 if (ctx->flags & KEYRING_SEARCH_NO_STATE_CHECK) 646 ctx->flags &= ~KEYRING_SEARCH_DO_STATE_CHECK; 647 648 /* Start processing a new keyring */ 649 descend_to_keyring: 650 kdebug("descend to %d", keyring->serial); 651 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | 652 (1 << KEY_FLAG_REVOKED))) 653 goto not_this_keyring; 654 655 /* Search through the keys in this keyring before its searching its 656 * subtrees. 657 */ 658 if (search_keyring(keyring, ctx)) 659 goto found; 660 661 /* Then manually iterate through the keyrings nested in this one. 662 * 663 * Start from the root node of the index tree. Because of the way the 664 * hash function has been set up, keyrings cluster on the leftmost 665 * branch of the root node (root slot 0) or in the root node itself. 666 * Non-keyrings avoid the leftmost branch of the root entirely (root 667 * slots 1-15). 668 */ 669 ptr = ACCESS_ONCE(keyring->keys.root); 670 if (!ptr) 671 goto not_this_keyring; 672 673 if (assoc_array_ptr_is_shortcut(ptr)) { 674 /* If the root is a shortcut, either the keyring only contains 675 * keyring pointers (everything clusters behind root slot 0) or 676 * doesn't contain any keyring pointers. 677 */ 678 shortcut = assoc_array_ptr_to_shortcut(ptr); 679 smp_read_barrier_depends(); 680 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0) 681 goto not_this_keyring; 682 683 ptr = ACCESS_ONCE(shortcut->next_node); 684 node = assoc_array_ptr_to_node(ptr); 685 goto begin_node; 686 } 687 688 node = assoc_array_ptr_to_node(ptr); 689 smp_read_barrier_depends(); 690 691 ptr = node->slots[0]; 692 if (!assoc_array_ptr_is_meta(ptr)) 693 goto begin_node; 694 695 descend_to_node: 696 /* Descend to a more distal node in this keyring's content tree and go 697 * through that. 698 */ 699 kdebug("descend"); 700 if (assoc_array_ptr_is_shortcut(ptr)) { 701 shortcut = assoc_array_ptr_to_shortcut(ptr); 702 smp_read_barrier_depends(); 703 ptr = ACCESS_ONCE(shortcut->next_node); 704 BUG_ON(!assoc_array_ptr_is_node(ptr)); 705 } 706 node = assoc_array_ptr_to_node(ptr); 707 708 begin_node: 709 kdebug("begin_node"); 710 smp_read_barrier_depends(); 711 slot = 0; 712 ascend_to_node: 713 /* Go through the slots in a node */ 714 for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { 715 ptr = ACCESS_ONCE(node->slots[slot]); 716 717 if (assoc_array_ptr_is_meta(ptr) && node->back_pointer) 718 goto descend_to_node; 719 720 if (!keyring_ptr_is_keyring(ptr)) 721 continue; 722 723 key = keyring_ptr_to_key(ptr); 724 725 if (sp >= KEYRING_SEARCH_MAX_DEPTH) { 726 if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) { 727 ctx->result = ERR_PTR(-ELOOP); 728 return false; 729 } 730 goto not_this_keyring; 731 } 732 733 /* Search a nested keyring */ 734 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) && 735 key_task_permission(make_key_ref(key, ctx->possessed), 736 ctx->cred, KEY_NEED_SEARCH) < 0) 737 continue; 738 739 /* stack the current position */ 740 stack[sp].keyring = keyring; 741 stack[sp].node = node; 742 stack[sp].slot = slot; 743 sp++; 744 745 /* begin again with the new keyring */ 746 keyring = key; 747 goto descend_to_keyring; 748 } 749 750 /* We've dealt with all the slots in the current node, so now we need 751 * to ascend to the parent and continue processing there. 752 */ 753 ptr = ACCESS_ONCE(node->back_pointer); 754 slot = node->parent_slot; 755 756 if (ptr && assoc_array_ptr_is_shortcut(ptr)) { 757 shortcut = assoc_array_ptr_to_shortcut(ptr); 758 smp_read_barrier_depends(); 759 ptr = ACCESS_ONCE(shortcut->back_pointer); 760 slot = shortcut->parent_slot; 761 } 762 if (!ptr) 763 goto not_this_keyring; 764 node = assoc_array_ptr_to_node(ptr); 765 smp_read_barrier_depends(); 766 slot++; 767 768 /* If we've ascended to the root (zero backpointer), we must have just 769 * finished processing the leftmost branch rather than the root slots - 770 * so there can't be any more keyrings for us to find. 771 */ 772 if (node->back_pointer) { 773 kdebug("ascend %d", slot); 774 goto ascend_to_node; 775 } 776 777 /* The keyring we're looking at was disqualified or didn't contain a 778 * matching key. 779 */ 780 not_this_keyring: 781 kdebug("not_this_keyring %d", sp); 782 if (sp <= 0) { 783 kleave(" = false"); 784 return false; 785 } 786 787 /* Resume the processing of a keyring higher up in the tree */ 788 sp--; 789 keyring = stack[sp].keyring; 790 node = stack[sp].node; 791 slot = stack[sp].slot + 1; 792 kdebug("ascend to %d [%d]", keyring->serial, slot); 793 goto ascend_to_node; 794 795 /* We found a viable match */ 796 found: 797 key = key_ref_to_ptr(ctx->result); 798 key_check(key); 799 if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) { 800 key->last_used_at = ctx->now.tv_sec; 801 keyring->last_used_at = ctx->now.tv_sec; 802 while (sp > 0) 803 stack[--sp].keyring->last_used_at = ctx->now.tv_sec; 804 } 805 kleave(" = true"); 806 return true; 807 } 808 809 /** 810 * keyring_search_aux - Search a keyring tree for a key matching some criteria 811 * @keyring_ref: A pointer to the keyring with possession indicator. 812 * @ctx: The keyring search context. 813 * 814 * Search the supplied keyring tree for a key that matches the criteria given. 815 * The root keyring and any linked keyrings must grant Search permission to the 816 * caller to be searchable and keys can only be found if they too grant Search 817 * to the caller. The possession flag on the root keyring pointer controls use 818 * of the possessor bits in permissions checking of the entire tree. In 819 * addition, the LSM gets to forbid keyring searches and key matches. 820 * 821 * The search is performed as a breadth-then-depth search up to the prescribed 822 * limit (KEYRING_SEARCH_MAX_DEPTH). 823 * 824 * Keys are matched to the type provided and are then filtered by the match 825 * function, which is given the description to use in any way it sees fit. The 826 * match function may use any attributes of a key that it wishes to to 827 * determine the match. Normally the match function from the key type would be 828 * used. 829 * 830 * RCU can be used to prevent the keyring key lists from disappearing without 831 * the need to take lots of locks. 832 * 833 * Returns a pointer to the found key and increments the key usage count if 834 * successful; -EAGAIN if no matching keys were found, or if expired or revoked 835 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the 836 * specified keyring wasn't a keyring. 837 * 838 * In the case of a successful return, the possession attribute from 839 * @keyring_ref is propagated to the returned key reference. 840 */ 841 key_ref_t keyring_search_aux(key_ref_t keyring_ref, 842 struct keyring_search_context *ctx) 843 { 844 struct key *keyring; 845 long err; 846 847 ctx->iterator = keyring_search_iterator; 848 ctx->possessed = is_key_possessed(keyring_ref); 849 ctx->result = ERR_PTR(-EAGAIN); 850 851 keyring = key_ref_to_ptr(keyring_ref); 852 key_check(keyring); 853 854 if (keyring->type != &key_type_keyring) 855 return ERR_PTR(-ENOTDIR); 856 857 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) { 858 err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH); 859 if (err < 0) 860 return ERR_PTR(err); 861 } 862 863 rcu_read_lock(); 864 ctx->now = current_kernel_time(); 865 if (search_nested_keyrings(keyring, ctx)) 866 __key_get(key_ref_to_ptr(ctx->result)); 867 rcu_read_unlock(); 868 return ctx->result; 869 } 870 871 /** 872 * keyring_search - Search the supplied keyring tree for a matching key 873 * @keyring: The root of the keyring tree to be searched. 874 * @type: The type of keyring we want to find. 875 * @description: The name of the keyring we want to find. 876 * 877 * As keyring_search_aux() above, but using the current task's credentials and 878 * type's default matching function and preferred search method. 879 */ 880 key_ref_t keyring_search(key_ref_t keyring, 881 struct key_type *type, 882 const char *description) 883 { 884 struct keyring_search_context ctx = { 885 .index_key.type = type, 886 .index_key.description = description, 887 .cred = current_cred(), 888 .match = type->match, 889 .match_data = description, 890 .flags = (type->def_lookup_type | 891 KEYRING_SEARCH_DO_STATE_CHECK), 892 }; 893 894 if (!ctx.match) 895 return ERR_PTR(-ENOKEY); 896 897 return keyring_search_aux(keyring, &ctx); 898 } 899 EXPORT_SYMBOL(keyring_search); 900 901 /* 902 * Search the given keyring for a key that might be updated. 903 * 904 * The caller must guarantee that the keyring is a keyring and that the 905 * permission is granted to modify the keyring as no check is made here. The 906 * caller must also hold a lock on the keyring semaphore. 907 * 908 * Returns a pointer to the found key with usage count incremented if 909 * successful and returns NULL if not found. Revoked and invalidated keys are 910 * skipped over. 911 * 912 * If successful, the possession indicator is propagated from the keyring ref 913 * to the returned key reference. 914 */ 915 key_ref_t find_key_to_update(key_ref_t keyring_ref, 916 const struct keyring_index_key *index_key) 917 { 918 struct key *keyring, *key; 919 const void *object; 920 921 keyring = key_ref_to_ptr(keyring_ref); 922 923 kenter("{%d},{%s,%s}", 924 keyring->serial, index_key->type->name, index_key->description); 925 926 object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops, 927 index_key); 928 929 if (object) 930 goto found; 931 932 kleave(" = NULL"); 933 return NULL; 934 935 found: 936 key = keyring_ptr_to_key(object); 937 if (key->flags & ((1 << KEY_FLAG_INVALIDATED) | 938 (1 << KEY_FLAG_REVOKED))) { 939 kleave(" = NULL [x]"); 940 return NULL; 941 } 942 __key_get(key); 943 kleave(" = {%d}", key->serial); 944 return make_key_ref(key, is_key_possessed(keyring_ref)); 945 } 946 947 /* 948 * Find a keyring with the specified name. 949 * 950 * All named keyrings in the current user namespace are searched, provided they 951 * grant Search permission directly to the caller (unless this check is 952 * skipped). Keyrings whose usage points have reached zero or who have been 953 * revoked are skipped. 954 * 955 * Returns a pointer to the keyring with the keyring's refcount having being 956 * incremented on success. -ENOKEY is returned if a key could not be found. 957 */ 958 struct key *find_keyring_by_name(const char *name, bool skip_perm_check) 959 { 960 struct key *keyring; 961 int bucket; 962 963 if (!name) 964 return ERR_PTR(-EINVAL); 965 966 bucket = keyring_hash(name); 967 968 read_lock(&keyring_name_lock); 969 970 if (keyring_name_hash[bucket].next) { 971 /* search this hash bucket for a keyring with a matching name 972 * that's readable and that hasn't been revoked */ 973 list_for_each_entry(keyring, 974 &keyring_name_hash[bucket], 975 type_data.link 976 ) { 977 if (!kuid_has_mapping(current_user_ns(), keyring->user->uid)) 978 continue; 979 980 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 981 continue; 982 983 if (strcmp(keyring->description, name) != 0) 984 continue; 985 986 if (!skip_perm_check && 987 key_permission(make_key_ref(keyring, 0), 988 KEY_NEED_SEARCH) < 0) 989 continue; 990 991 /* we've got a match but we might end up racing with 992 * key_cleanup() if the keyring is currently 'dead' 993 * (ie. it has a zero usage count) */ 994 if (!atomic_inc_not_zero(&keyring->usage)) 995 continue; 996 keyring->last_used_at = current_kernel_time().tv_sec; 997 goto out; 998 } 999 } 1000 1001 keyring = ERR_PTR(-ENOKEY); 1002 out: 1003 read_unlock(&keyring_name_lock); 1004 return keyring; 1005 } 1006 1007 static int keyring_detect_cycle_iterator(const void *object, 1008 void *iterator_data) 1009 { 1010 struct keyring_search_context *ctx = iterator_data; 1011 const struct key *key = keyring_ptr_to_key(object); 1012 1013 kenter("{%d}", key->serial); 1014 1015 /* We might get a keyring with matching index-key that is nonetheless a 1016 * different keyring. */ 1017 if (key != ctx->match_data) 1018 return 0; 1019 1020 ctx->result = ERR_PTR(-EDEADLK); 1021 return 1; 1022 } 1023 1024 /* 1025 * See if a cycle will will be created by inserting acyclic tree B in acyclic 1026 * tree A at the topmost level (ie: as a direct child of A). 1027 * 1028 * Since we are adding B to A at the top level, checking for cycles should just 1029 * be a matter of seeing if node A is somewhere in tree B. 1030 */ 1031 static int keyring_detect_cycle(struct key *A, struct key *B) 1032 { 1033 struct keyring_search_context ctx = { 1034 .index_key = A->index_key, 1035 .match_data = A, 1036 .iterator = keyring_detect_cycle_iterator, 1037 .flags = (KEYRING_SEARCH_LOOKUP_DIRECT | 1038 KEYRING_SEARCH_NO_STATE_CHECK | 1039 KEYRING_SEARCH_NO_UPDATE_TIME | 1040 KEYRING_SEARCH_NO_CHECK_PERM | 1041 KEYRING_SEARCH_DETECT_TOO_DEEP), 1042 }; 1043 1044 rcu_read_lock(); 1045 search_nested_keyrings(B, &ctx); 1046 rcu_read_unlock(); 1047 return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result); 1048 } 1049 1050 /* 1051 * Preallocate memory so that a key can be linked into to a keyring. 1052 */ 1053 int __key_link_begin(struct key *keyring, 1054 const struct keyring_index_key *index_key, 1055 struct assoc_array_edit **_edit) 1056 __acquires(&keyring->sem) 1057 __acquires(&keyring_serialise_link_sem) 1058 { 1059 struct assoc_array_edit *edit; 1060 int ret; 1061 1062 kenter("%d,%s,%s,", 1063 keyring->serial, index_key->type->name, index_key->description); 1064 1065 BUG_ON(index_key->desc_len == 0); 1066 1067 if (keyring->type != &key_type_keyring) 1068 return -ENOTDIR; 1069 1070 down_write(&keyring->sem); 1071 1072 ret = -EKEYREVOKED; 1073 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 1074 goto error_krsem; 1075 1076 /* serialise link/link calls to prevent parallel calls causing a cycle 1077 * when linking two keyring in opposite orders */ 1078 if (index_key->type == &key_type_keyring) 1079 down_write(&keyring_serialise_link_sem); 1080 1081 /* Create an edit script that will insert/replace the key in the 1082 * keyring tree. 1083 */ 1084 edit = assoc_array_insert(&keyring->keys, 1085 &keyring_assoc_array_ops, 1086 index_key, 1087 NULL); 1088 if (IS_ERR(edit)) { 1089 ret = PTR_ERR(edit); 1090 goto error_sem; 1091 } 1092 1093 /* If we're not replacing a link in-place then we're going to need some 1094 * extra quota. 1095 */ 1096 if (!edit->dead_leaf) { 1097 ret = key_payload_reserve(keyring, 1098 keyring->datalen + KEYQUOTA_LINK_BYTES); 1099 if (ret < 0) 1100 goto error_cancel; 1101 } 1102 1103 *_edit = edit; 1104 kleave(" = 0"); 1105 return 0; 1106 1107 error_cancel: 1108 assoc_array_cancel_edit(edit); 1109 error_sem: 1110 if (index_key->type == &key_type_keyring) 1111 up_write(&keyring_serialise_link_sem); 1112 error_krsem: 1113 up_write(&keyring->sem); 1114 kleave(" = %d", ret); 1115 return ret; 1116 } 1117 1118 /* 1119 * Check already instantiated keys aren't going to be a problem. 1120 * 1121 * The caller must have called __key_link_begin(). Don't need to call this for 1122 * keys that were created since __key_link_begin() was called. 1123 */ 1124 int __key_link_check_live_key(struct key *keyring, struct key *key) 1125 { 1126 if (key->type == &key_type_keyring) 1127 /* check that we aren't going to create a cycle by linking one 1128 * keyring to another */ 1129 return keyring_detect_cycle(keyring, key); 1130 return 0; 1131 } 1132 1133 /* 1134 * Link a key into to a keyring. 1135 * 1136 * Must be called with __key_link_begin() having being called. Discards any 1137 * already extant link to matching key if there is one, so that each keyring 1138 * holds at most one link to any given key of a particular type+description 1139 * combination. 1140 */ 1141 void __key_link(struct key *key, struct assoc_array_edit **_edit) 1142 { 1143 __key_get(key); 1144 assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key)); 1145 assoc_array_apply_edit(*_edit); 1146 *_edit = NULL; 1147 } 1148 1149 /* 1150 * Finish linking a key into to a keyring. 1151 * 1152 * Must be called with __key_link_begin() having being called. 1153 */ 1154 void __key_link_end(struct key *keyring, 1155 const struct keyring_index_key *index_key, 1156 struct assoc_array_edit *edit) 1157 __releases(&keyring->sem) 1158 __releases(&keyring_serialise_link_sem) 1159 { 1160 BUG_ON(index_key->type == NULL); 1161 kenter("%d,%s,", keyring->serial, index_key->type->name); 1162 1163 if (index_key->type == &key_type_keyring) 1164 up_write(&keyring_serialise_link_sem); 1165 1166 if (edit && !edit->dead_leaf) { 1167 key_payload_reserve(keyring, 1168 keyring->datalen - KEYQUOTA_LINK_BYTES); 1169 assoc_array_cancel_edit(edit); 1170 } 1171 up_write(&keyring->sem); 1172 } 1173 1174 /** 1175 * key_link - Link a key to a keyring 1176 * @keyring: The keyring to make the link in. 1177 * @key: The key to link to. 1178 * 1179 * Make a link in a keyring to a key, such that the keyring holds a reference 1180 * on that key and the key can potentially be found by searching that keyring. 1181 * 1182 * This function will write-lock the keyring's semaphore and will consume some 1183 * of the user's key data quota to hold the link. 1184 * 1185 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, 1186 * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is 1187 * full, -EDQUOT if there is insufficient key data quota remaining to add 1188 * another link or -ENOMEM if there's insufficient memory. 1189 * 1190 * It is assumed that the caller has checked that it is permitted for a link to 1191 * be made (the keyring should have Write permission and the key Link 1192 * permission). 1193 */ 1194 int key_link(struct key *keyring, struct key *key) 1195 { 1196 struct assoc_array_edit *edit; 1197 int ret; 1198 1199 kenter("{%d,%d}", keyring->serial, atomic_read(&keyring->usage)); 1200 1201 key_check(keyring); 1202 key_check(key); 1203 1204 if (test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags) && 1205 !test_bit(KEY_FLAG_TRUSTED, &key->flags)) 1206 return -EPERM; 1207 1208 ret = __key_link_begin(keyring, &key->index_key, &edit); 1209 if (ret == 0) { 1210 kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage)); 1211 ret = __key_link_check_live_key(keyring, key); 1212 if (ret == 0) 1213 __key_link(key, &edit); 1214 __key_link_end(keyring, &key->index_key, edit); 1215 } 1216 1217 kleave(" = %d {%d,%d}", ret, keyring->serial, atomic_read(&keyring->usage)); 1218 return ret; 1219 } 1220 EXPORT_SYMBOL(key_link); 1221 1222 /** 1223 * key_unlink - Unlink the first link to a key from a keyring. 1224 * @keyring: The keyring to remove the link from. 1225 * @key: The key the link is to. 1226 * 1227 * Remove a link from a keyring to a key. 1228 * 1229 * This function will write-lock the keyring's semaphore. 1230 * 1231 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if 1232 * the key isn't linked to by the keyring or -ENOMEM if there's insufficient 1233 * memory. 1234 * 1235 * It is assumed that the caller has checked that it is permitted for a link to 1236 * be removed (the keyring should have Write permission; no permissions are 1237 * required on the key). 1238 */ 1239 int key_unlink(struct key *keyring, struct key *key) 1240 { 1241 struct assoc_array_edit *edit; 1242 int ret; 1243 1244 key_check(keyring); 1245 key_check(key); 1246 1247 if (keyring->type != &key_type_keyring) 1248 return -ENOTDIR; 1249 1250 down_write(&keyring->sem); 1251 1252 edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops, 1253 &key->index_key); 1254 if (IS_ERR(edit)) { 1255 ret = PTR_ERR(edit); 1256 goto error; 1257 } 1258 ret = -ENOENT; 1259 if (edit == NULL) 1260 goto error; 1261 1262 assoc_array_apply_edit(edit); 1263 key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES); 1264 ret = 0; 1265 1266 error: 1267 up_write(&keyring->sem); 1268 return ret; 1269 } 1270 EXPORT_SYMBOL(key_unlink); 1271 1272 /** 1273 * keyring_clear - Clear a keyring 1274 * @keyring: The keyring to clear. 1275 * 1276 * Clear the contents of the specified keyring. 1277 * 1278 * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring. 1279 */ 1280 int keyring_clear(struct key *keyring) 1281 { 1282 struct assoc_array_edit *edit; 1283 int ret; 1284 1285 if (keyring->type != &key_type_keyring) 1286 return -ENOTDIR; 1287 1288 down_write(&keyring->sem); 1289 1290 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); 1291 if (IS_ERR(edit)) { 1292 ret = PTR_ERR(edit); 1293 } else { 1294 if (edit) 1295 assoc_array_apply_edit(edit); 1296 key_payload_reserve(keyring, 0); 1297 ret = 0; 1298 } 1299 1300 up_write(&keyring->sem); 1301 return ret; 1302 } 1303 EXPORT_SYMBOL(keyring_clear); 1304 1305 /* 1306 * Dispose of the links from a revoked keyring. 1307 * 1308 * This is called with the key sem write-locked. 1309 */ 1310 static void keyring_revoke(struct key *keyring) 1311 { 1312 struct assoc_array_edit *edit; 1313 1314 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); 1315 if (!IS_ERR(edit)) { 1316 if (edit) 1317 assoc_array_apply_edit(edit); 1318 key_payload_reserve(keyring, 0); 1319 } 1320 } 1321 1322 static bool keyring_gc_select_iterator(void *object, void *iterator_data) 1323 { 1324 struct key *key = keyring_ptr_to_key(object); 1325 time_t *limit = iterator_data; 1326 1327 if (key_is_dead(key, *limit)) 1328 return false; 1329 key_get(key); 1330 return true; 1331 } 1332 1333 static int keyring_gc_check_iterator(const void *object, void *iterator_data) 1334 { 1335 const struct key *key = keyring_ptr_to_key(object); 1336 time_t *limit = iterator_data; 1337 1338 key_check(key); 1339 return key_is_dead(key, *limit); 1340 } 1341 1342 /* 1343 * Garbage collect pointers from a keyring. 1344 * 1345 * Not called with any locks held. The keyring's key struct will not be 1346 * deallocated under us as only our caller may deallocate it. 1347 */ 1348 void keyring_gc(struct key *keyring, time_t limit) 1349 { 1350 int result; 1351 1352 kenter("%x{%s}", keyring->serial, keyring->description ?: ""); 1353 1354 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | 1355 (1 << KEY_FLAG_REVOKED))) 1356 goto dont_gc; 1357 1358 /* scan the keyring looking for dead keys */ 1359 rcu_read_lock(); 1360 result = assoc_array_iterate(&keyring->keys, 1361 keyring_gc_check_iterator, &limit); 1362 rcu_read_unlock(); 1363 if (result == true) 1364 goto do_gc; 1365 1366 dont_gc: 1367 kleave(" [no gc]"); 1368 return; 1369 1370 do_gc: 1371 down_write(&keyring->sem); 1372 assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops, 1373 keyring_gc_select_iterator, &limit); 1374 up_write(&keyring->sem); 1375 kleave(" [gc]"); 1376 } 1377