1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Keyring handling 3 * 4 * Copyright (C) 2004-2005, 2008, 2013 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/export.h> 9 #include <linux/init.h> 10 #include <linux/sched.h> 11 #include <linux/slab.h> 12 #include <linux/security.h> 13 #include <linux/seq_file.h> 14 #include <linux/err.h> 15 #include <linux/user_namespace.h> 16 #include <linux/nsproxy.h> 17 #include <keys/keyring-type.h> 18 #include <keys/user-type.h> 19 #include <linux/assoc_array_priv.h> 20 #include <linux/uaccess.h> 21 #include <net/net_namespace.h> 22 #include "internal.h" 23 24 /* 25 * When plumbing the depths of the key tree, this sets a hard limit 26 * set on how deep we're willing to go. 27 */ 28 #define KEYRING_SEARCH_MAX_DEPTH 6 29 30 /* 31 * We mark pointers we pass to the associative array with bit 1 set if 32 * they're keyrings and clear otherwise. 33 */ 34 #define KEYRING_PTR_SUBTYPE 0x2UL 35 36 static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x) 37 { 38 return (unsigned long)x & KEYRING_PTR_SUBTYPE; 39 } 40 static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x) 41 { 42 void *object = assoc_array_ptr_to_leaf(x); 43 return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE); 44 } 45 static inline void *keyring_key_to_ptr(struct key *key) 46 { 47 if (key->type == &key_type_keyring) 48 return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE); 49 return key; 50 } 51 52 static DEFINE_RWLOCK(keyring_name_lock); 53 54 /* 55 * Clean up the bits of user_namespace that belong to us. 56 */ 57 void key_free_user_ns(struct user_namespace *ns) 58 { 59 write_lock(&keyring_name_lock); 60 list_del_init(&ns->keyring_name_list); 61 write_unlock(&keyring_name_lock); 62 63 key_put(ns->user_keyring_register); 64 #ifdef CONFIG_PERSISTENT_KEYRINGS 65 key_put(ns->persistent_keyring_register); 66 #endif 67 } 68 69 /* 70 * The keyring key type definition. Keyrings are simply keys of this type and 71 * can be treated as ordinary keys in addition to having their own special 72 * operations. 73 */ 74 static int keyring_preparse(struct key_preparsed_payload *prep); 75 static void keyring_free_preparse(struct key_preparsed_payload *prep); 76 static int keyring_instantiate(struct key *keyring, 77 struct key_preparsed_payload *prep); 78 static void keyring_revoke(struct key *keyring); 79 static void keyring_destroy(struct key *keyring); 80 static void keyring_describe(const struct key *keyring, struct seq_file *m); 81 static long keyring_read(const struct key *keyring, 82 char *buffer, size_t buflen); 83 84 struct key_type key_type_keyring = { 85 .name = "keyring", 86 .def_datalen = 0, 87 .preparse = keyring_preparse, 88 .free_preparse = keyring_free_preparse, 89 .instantiate = keyring_instantiate, 90 .revoke = keyring_revoke, 91 .destroy = keyring_destroy, 92 .describe = keyring_describe, 93 .read = keyring_read, 94 }; 95 EXPORT_SYMBOL(key_type_keyring); 96 97 /* 98 * Semaphore to serialise link/link calls to prevent two link calls in parallel 99 * introducing a cycle. 100 */ 101 static DEFINE_MUTEX(keyring_serialise_link_lock); 102 103 /* 104 * Publish the name of a keyring so that it can be found by name (if it has 105 * one and it doesn't begin with a dot). 106 */ 107 static void keyring_publish_name(struct key *keyring) 108 { 109 struct user_namespace *ns = current_user_ns(); 110 111 if (keyring->description && 112 keyring->description[0] && 113 keyring->description[0] != '.') { 114 write_lock(&keyring_name_lock); 115 list_add_tail(&keyring->name_link, &ns->keyring_name_list); 116 write_unlock(&keyring_name_lock); 117 } 118 } 119 120 /* 121 * Preparse a keyring payload 122 */ 123 static int keyring_preparse(struct key_preparsed_payload *prep) 124 { 125 return prep->datalen != 0 ? -EINVAL : 0; 126 } 127 128 /* 129 * Free a preparse of a user defined key payload 130 */ 131 static void keyring_free_preparse(struct key_preparsed_payload *prep) 132 { 133 } 134 135 /* 136 * Initialise a keyring. 137 * 138 * Returns 0 on success, -EINVAL if given any data. 139 */ 140 static int keyring_instantiate(struct key *keyring, 141 struct key_preparsed_payload *prep) 142 { 143 assoc_array_init(&keyring->keys); 144 /* make the keyring available by name if it has one */ 145 keyring_publish_name(keyring); 146 return 0; 147 } 148 149 /* 150 * Multiply 64-bits by 32-bits to 96-bits and fold back to 64-bit. Ideally we'd 151 * fold the carry back too, but that requires inline asm. 152 */ 153 static u64 mult_64x32_and_fold(u64 x, u32 y) 154 { 155 u64 hi = (u64)(u32)(x >> 32) * y; 156 u64 lo = (u64)(u32)(x) * y; 157 return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32); 158 } 159 160 /* 161 * Hash a key type and description. 162 */ 163 static void hash_key_type_and_desc(struct keyring_index_key *index_key) 164 { 165 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP; 166 const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK; 167 const char *description = index_key->description; 168 unsigned long hash, type; 169 u32 piece; 170 u64 acc; 171 int n, desc_len = index_key->desc_len; 172 173 type = (unsigned long)index_key->type; 174 acc = mult_64x32_and_fold(type, desc_len + 13); 175 acc = mult_64x32_and_fold(acc, 9207); 176 piece = (unsigned long)index_key->domain_tag; 177 acc = mult_64x32_and_fold(acc, piece); 178 acc = mult_64x32_and_fold(acc, 9207); 179 180 for (;;) { 181 n = desc_len; 182 if (n <= 0) 183 break; 184 if (n > 4) 185 n = 4; 186 piece = 0; 187 memcpy(&piece, description, n); 188 description += n; 189 desc_len -= n; 190 acc = mult_64x32_and_fold(acc, piece); 191 acc = mult_64x32_and_fold(acc, 9207); 192 } 193 194 /* Fold the hash down to 32 bits if need be. */ 195 hash = acc; 196 if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32) 197 hash ^= acc >> 32; 198 199 /* Squidge all the keyrings into a separate part of the tree to 200 * ordinary keys by making sure the lowest level segment in the hash is 201 * zero for keyrings and non-zero otherwise. 202 */ 203 if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0) 204 hash |= (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1; 205 else if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0) 206 hash = (hash + (hash << level_shift)) & ~fan_mask; 207 index_key->hash = hash; 208 } 209 210 /* 211 * Finalise an index key to include a part of the description actually in the 212 * index key, to set the domain tag and to calculate the hash. 213 */ 214 void key_set_index_key(struct keyring_index_key *index_key) 215 { 216 static struct key_tag default_domain_tag = { .usage = REFCOUNT_INIT(1), }; 217 size_t n = min_t(size_t, index_key->desc_len, sizeof(index_key->desc)); 218 219 memcpy(index_key->desc, index_key->description, n); 220 221 if (!index_key->domain_tag) { 222 if (index_key->type->flags & KEY_TYPE_NET_DOMAIN) 223 index_key->domain_tag = current->nsproxy->net_ns->key_domain; 224 else 225 index_key->domain_tag = &default_domain_tag; 226 } 227 228 hash_key_type_and_desc(index_key); 229 } 230 231 /** 232 * key_put_tag - Release a ref on a tag. 233 * @tag: The tag to release. 234 * 235 * This releases a reference the given tag and returns true if that ref was the 236 * last one. 237 */ 238 bool key_put_tag(struct key_tag *tag) 239 { 240 if (refcount_dec_and_test(&tag->usage)) { 241 kfree_rcu(tag, rcu); 242 return true; 243 } 244 245 return false; 246 } 247 248 /** 249 * key_remove_domain - Kill off a key domain and gc its keys 250 * @domain_tag: The domain tag to release. 251 * 252 * This marks a domain tag as being dead and releases a ref on it. If that 253 * wasn't the last reference, the garbage collector is poked to try and delete 254 * all keys that were in the domain. 255 */ 256 void key_remove_domain(struct key_tag *domain_tag) 257 { 258 domain_tag->removed = true; 259 if (!key_put_tag(domain_tag)) 260 key_schedule_gc_links(); 261 } 262 263 /* 264 * Build the next index key chunk. 265 * 266 * We return it one word-sized chunk at a time. 267 */ 268 static unsigned long keyring_get_key_chunk(const void *data, int level) 269 { 270 const struct keyring_index_key *index_key = data; 271 unsigned long chunk = 0; 272 const u8 *d; 273 int desc_len = index_key->desc_len, n = sizeof(chunk); 274 275 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE; 276 switch (level) { 277 case 0: 278 return index_key->hash; 279 case 1: 280 return index_key->x; 281 case 2: 282 return (unsigned long)index_key->type; 283 case 3: 284 return (unsigned long)index_key->domain_tag; 285 default: 286 level -= 4; 287 if (desc_len <= sizeof(index_key->desc)) 288 return 0; 289 290 d = index_key->description + sizeof(index_key->desc); 291 d += level * sizeof(long); 292 desc_len -= sizeof(index_key->desc); 293 if (desc_len > n) 294 desc_len = n; 295 do { 296 chunk <<= 8; 297 chunk |= *d++; 298 } while (--desc_len > 0); 299 return chunk; 300 } 301 } 302 303 static unsigned long keyring_get_object_key_chunk(const void *object, int level) 304 { 305 const struct key *key = keyring_ptr_to_key(object); 306 return keyring_get_key_chunk(&key->index_key, level); 307 } 308 309 static bool keyring_compare_object(const void *object, const void *data) 310 { 311 const struct keyring_index_key *index_key = data; 312 const struct key *key = keyring_ptr_to_key(object); 313 314 return key->index_key.type == index_key->type && 315 key->index_key.domain_tag == index_key->domain_tag && 316 key->index_key.desc_len == index_key->desc_len && 317 memcmp(key->index_key.description, index_key->description, 318 index_key->desc_len) == 0; 319 } 320 321 /* 322 * Compare the index keys of a pair of objects and determine the bit position 323 * at which they differ - if they differ. 324 */ 325 static int keyring_diff_objects(const void *object, const void *data) 326 { 327 const struct key *key_a = keyring_ptr_to_key(object); 328 const struct keyring_index_key *a = &key_a->index_key; 329 const struct keyring_index_key *b = data; 330 unsigned long seg_a, seg_b; 331 int level, i; 332 333 level = 0; 334 seg_a = a->hash; 335 seg_b = b->hash; 336 if ((seg_a ^ seg_b) != 0) 337 goto differ; 338 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8; 339 340 /* The number of bits contributed by the hash is controlled by a 341 * constant in the assoc_array headers. Everything else thereafter we 342 * can deal with as being machine word-size dependent. 343 */ 344 seg_a = a->x; 345 seg_b = b->x; 346 if ((seg_a ^ seg_b) != 0) 347 goto differ; 348 level += sizeof(unsigned long); 349 350 /* The next bit may not work on big endian */ 351 seg_a = (unsigned long)a->type; 352 seg_b = (unsigned long)b->type; 353 if ((seg_a ^ seg_b) != 0) 354 goto differ; 355 level += sizeof(unsigned long); 356 357 seg_a = (unsigned long)a->domain_tag; 358 seg_b = (unsigned long)b->domain_tag; 359 if ((seg_a ^ seg_b) != 0) 360 goto differ; 361 level += sizeof(unsigned long); 362 363 i = sizeof(a->desc); 364 if (a->desc_len <= i) 365 goto same; 366 367 for (; i < a->desc_len; i++) { 368 seg_a = *(unsigned char *)(a->description + i); 369 seg_b = *(unsigned char *)(b->description + i); 370 if ((seg_a ^ seg_b) != 0) 371 goto differ_plus_i; 372 } 373 374 same: 375 return -1; 376 377 differ_plus_i: 378 level += i; 379 differ: 380 i = level * 8 + __ffs(seg_a ^ seg_b); 381 return i; 382 } 383 384 /* 385 * Free an object after stripping the keyring flag off of the pointer. 386 */ 387 static void keyring_free_object(void *object) 388 { 389 key_put(keyring_ptr_to_key(object)); 390 } 391 392 /* 393 * Operations for keyring management by the index-tree routines. 394 */ 395 static const struct assoc_array_ops keyring_assoc_array_ops = { 396 .get_key_chunk = keyring_get_key_chunk, 397 .get_object_key_chunk = keyring_get_object_key_chunk, 398 .compare_object = keyring_compare_object, 399 .diff_objects = keyring_diff_objects, 400 .free_object = keyring_free_object, 401 }; 402 403 /* 404 * Clean up a keyring when it is destroyed. Unpublish its name if it had one 405 * and dispose of its data. 406 * 407 * The garbage collector detects the final key_put(), removes the keyring from 408 * the serial number tree and then does RCU synchronisation before coming here, 409 * so we shouldn't need to worry about code poking around here with the RCU 410 * readlock held by this time. 411 */ 412 static void keyring_destroy(struct key *keyring) 413 { 414 if (keyring->description) { 415 write_lock(&keyring_name_lock); 416 417 if (keyring->name_link.next != NULL && 418 !list_empty(&keyring->name_link)) 419 list_del(&keyring->name_link); 420 421 write_unlock(&keyring_name_lock); 422 } 423 424 if (keyring->restrict_link) { 425 struct key_restriction *keyres = keyring->restrict_link; 426 427 key_put(keyres->key); 428 kfree(keyres); 429 } 430 431 assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops); 432 } 433 434 /* 435 * Describe a keyring for /proc. 436 */ 437 static void keyring_describe(const struct key *keyring, struct seq_file *m) 438 { 439 if (keyring->description) 440 seq_puts(m, keyring->description); 441 else 442 seq_puts(m, "[anon]"); 443 444 if (key_is_positive(keyring)) { 445 if (keyring->keys.nr_leaves_on_tree != 0) 446 seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree); 447 else 448 seq_puts(m, ": empty"); 449 } 450 } 451 452 struct keyring_read_iterator_context { 453 size_t buflen; 454 size_t count; 455 key_serial_t *buffer; 456 }; 457 458 static int keyring_read_iterator(const void *object, void *data) 459 { 460 struct keyring_read_iterator_context *ctx = data; 461 const struct key *key = keyring_ptr_to_key(object); 462 463 kenter("{%s,%d},,{%zu/%zu}", 464 key->type->name, key->serial, ctx->count, ctx->buflen); 465 466 if (ctx->count >= ctx->buflen) 467 return 1; 468 469 *ctx->buffer++ = key->serial; 470 ctx->count += sizeof(key->serial); 471 return 0; 472 } 473 474 /* 475 * Read a list of key IDs from the keyring's contents in binary form 476 * 477 * The keyring's semaphore is read-locked by the caller. This prevents someone 478 * from modifying it under us - which could cause us to read key IDs multiple 479 * times. 480 */ 481 static long keyring_read(const struct key *keyring, 482 char *buffer, size_t buflen) 483 { 484 struct keyring_read_iterator_context ctx; 485 long ret; 486 487 kenter("{%d},,%zu", key_serial(keyring), buflen); 488 489 if (buflen & (sizeof(key_serial_t) - 1)) 490 return -EINVAL; 491 492 /* Copy as many key IDs as fit into the buffer */ 493 if (buffer && buflen) { 494 ctx.buffer = (key_serial_t *)buffer; 495 ctx.buflen = buflen; 496 ctx.count = 0; 497 ret = assoc_array_iterate(&keyring->keys, 498 keyring_read_iterator, &ctx); 499 if (ret < 0) { 500 kleave(" = %ld [iterate]", ret); 501 return ret; 502 } 503 } 504 505 /* Return the size of the buffer needed */ 506 ret = keyring->keys.nr_leaves_on_tree * sizeof(key_serial_t); 507 if (ret <= buflen) 508 kleave("= %ld [ok]", ret); 509 else 510 kleave("= %ld [buffer too small]", ret); 511 return ret; 512 } 513 514 /* 515 * Allocate a keyring and link into the destination keyring. 516 */ 517 struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid, 518 const struct cred *cred, key_perm_t perm, 519 unsigned long flags, 520 struct key_restriction *restrict_link, 521 struct key *dest) 522 { 523 struct key *keyring; 524 int ret; 525 526 keyring = key_alloc(&key_type_keyring, description, 527 uid, gid, cred, perm, flags, restrict_link); 528 if (!IS_ERR(keyring)) { 529 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); 530 if (ret < 0) { 531 key_put(keyring); 532 keyring = ERR_PTR(ret); 533 } 534 } 535 536 return keyring; 537 } 538 EXPORT_SYMBOL(keyring_alloc); 539 540 /** 541 * restrict_link_reject - Give -EPERM to restrict link 542 * @keyring: The keyring being added to. 543 * @type: The type of key being added. 544 * @payload: The payload of the key intended to be added. 545 * @restriction_key: Keys providing additional data for evaluating restriction. 546 * 547 * Reject the addition of any links to a keyring. It can be overridden by 548 * passing KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when 549 * adding a key to a keyring. 550 * 551 * This is meant to be stored in a key_restriction structure which is passed 552 * in the restrict_link parameter to keyring_alloc(). 553 */ 554 int restrict_link_reject(struct key *keyring, 555 const struct key_type *type, 556 const union key_payload *payload, 557 struct key *restriction_key) 558 { 559 return -EPERM; 560 } 561 562 /* 563 * By default, we keys found by getting an exact match on their descriptions. 564 */ 565 bool key_default_cmp(const struct key *key, 566 const struct key_match_data *match_data) 567 { 568 return strcmp(key->description, match_data->raw_data) == 0; 569 } 570 571 /* 572 * Iteration function to consider each key found. 573 */ 574 static int keyring_search_iterator(const void *object, void *iterator_data) 575 { 576 struct keyring_search_context *ctx = iterator_data; 577 const struct key *key = keyring_ptr_to_key(object); 578 unsigned long kflags = READ_ONCE(key->flags); 579 short state = READ_ONCE(key->state); 580 581 kenter("{%d}", key->serial); 582 583 /* ignore keys not of this type */ 584 if (key->type != ctx->index_key.type) { 585 kleave(" = 0 [!type]"); 586 return 0; 587 } 588 589 /* skip invalidated, revoked and expired keys */ 590 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { 591 time64_t expiry = READ_ONCE(key->expiry); 592 593 if (kflags & ((1 << KEY_FLAG_INVALIDATED) | 594 (1 << KEY_FLAG_REVOKED))) { 595 ctx->result = ERR_PTR(-EKEYREVOKED); 596 kleave(" = %d [invrev]", ctx->skipped_ret); 597 goto skipped; 598 } 599 600 if (expiry && ctx->now >= expiry) { 601 if (!(ctx->flags & KEYRING_SEARCH_SKIP_EXPIRED)) 602 ctx->result = ERR_PTR(-EKEYEXPIRED); 603 kleave(" = %d [expire]", ctx->skipped_ret); 604 goto skipped; 605 } 606 } 607 608 /* keys that don't match */ 609 if (!ctx->match_data.cmp(key, &ctx->match_data)) { 610 kleave(" = 0 [!match]"); 611 return 0; 612 } 613 614 /* key must have search permissions */ 615 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) && 616 key_task_permission(make_key_ref(key, ctx->possessed), 617 ctx->cred, KEY_NEED_SEARCH) < 0) { 618 ctx->result = ERR_PTR(-EACCES); 619 kleave(" = %d [!perm]", ctx->skipped_ret); 620 goto skipped; 621 } 622 623 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { 624 /* we set a different error code if we pass a negative key */ 625 if (state < 0) { 626 ctx->result = ERR_PTR(state); 627 kleave(" = %d [neg]", ctx->skipped_ret); 628 goto skipped; 629 } 630 } 631 632 /* Found */ 633 ctx->result = make_key_ref(key, ctx->possessed); 634 kleave(" = 1 [found]"); 635 return 1; 636 637 skipped: 638 return ctx->skipped_ret; 639 } 640 641 /* 642 * Search inside a keyring for a key. We can search by walking to it 643 * directly based on its index-key or we can iterate over the entire 644 * tree looking for it, based on the match function. 645 */ 646 static int search_keyring(struct key *keyring, struct keyring_search_context *ctx) 647 { 648 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_DIRECT) { 649 const void *object; 650 651 object = assoc_array_find(&keyring->keys, 652 &keyring_assoc_array_ops, 653 &ctx->index_key); 654 return object ? ctx->iterator(object, ctx) : 0; 655 } 656 return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx); 657 } 658 659 /* 660 * Search a tree of keyrings that point to other keyrings up to the maximum 661 * depth. 662 */ 663 static bool search_nested_keyrings(struct key *keyring, 664 struct keyring_search_context *ctx) 665 { 666 struct { 667 struct key *keyring; 668 struct assoc_array_node *node; 669 int slot; 670 } stack[KEYRING_SEARCH_MAX_DEPTH]; 671 672 struct assoc_array_shortcut *shortcut; 673 struct assoc_array_node *node; 674 struct assoc_array_ptr *ptr; 675 struct key *key; 676 int sp = 0, slot; 677 678 kenter("{%d},{%s,%s}", 679 keyring->serial, 680 ctx->index_key.type->name, 681 ctx->index_key.description); 682 683 #define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK) 684 BUG_ON((ctx->flags & STATE_CHECKS) == 0 || 685 (ctx->flags & STATE_CHECKS) == STATE_CHECKS); 686 687 if (ctx->index_key.description) 688 key_set_index_key(&ctx->index_key); 689 690 /* Check to see if this top-level keyring is what we are looking for 691 * and whether it is valid or not. 692 */ 693 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE || 694 keyring_compare_object(keyring, &ctx->index_key)) { 695 ctx->skipped_ret = 2; 696 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) { 697 case 1: 698 goto found; 699 case 2: 700 return false; 701 default: 702 break; 703 } 704 } 705 706 ctx->skipped_ret = 0; 707 708 /* Start processing a new keyring */ 709 descend_to_keyring: 710 kdebug("descend to %d", keyring->serial); 711 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | 712 (1 << KEY_FLAG_REVOKED))) 713 goto not_this_keyring; 714 715 /* Search through the keys in this keyring before its searching its 716 * subtrees. 717 */ 718 if (search_keyring(keyring, ctx)) 719 goto found; 720 721 /* Then manually iterate through the keyrings nested in this one. 722 * 723 * Start from the root node of the index tree. Because of the way the 724 * hash function has been set up, keyrings cluster on the leftmost 725 * branch of the root node (root slot 0) or in the root node itself. 726 * Non-keyrings avoid the leftmost branch of the root entirely (root 727 * slots 1-15). 728 */ 729 if (!(ctx->flags & KEYRING_SEARCH_RECURSE)) 730 goto not_this_keyring; 731 732 ptr = READ_ONCE(keyring->keys.root); 733 if (!ptr) 734 goto not_this_keyring; 735 736 if (assoc_array_ptr_is_shortcut(ptr)) { 737 /* If the root is a shortcut, either the keyring only contains 738 * keyring pointers (everything clusters behind root slot 0) or 739 * doesn't contain any keyring pointers. 740 */ 741 shortcut = assoc_array_ptr_to_shortcut(ptr); 742 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0) 743 goto not_this_keyring; 744 745 ptr = READ_ONCE(shortcut->next_node); 746 node = assoc_array_ptr_to_node(ptr); 747 goto begin_node; 748 } 749 750 node = assoc_array_ptr_to_node(ptr); 751 ptr = node->slots[0]; 752 if (!assoc_array_ptr_is_meta(ptr)) 753 goto begin_node; 754 755 descend_to_node: 756 /* Descend to a more distal node in this keyring's content tree and go 757 * through that. 758 */ 759 kdebug("descend"); 760 if (assoc_array_ptr_is_shortcut(ptr)) { 761 shortcut = assoc_array_ptr_to_shortcut(ptr); 762 ptr = READ_ONCE(shortcut->next_node); 763 BUG_ON(!assoc_array_ptr_is_node(ptr)); 764 } 765 node = assoc_array_ptr_to_node(ptr); 766 767 begin_node: 768 kdebug("begin_node"); 769 slot = 0; 770 ascend_to_node: 771 /* Go through the slots in a node */ 772 for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { 773 ptr = READ_ONCE(node->slots[slot]); 774 775 if (assoc_array_ptr_is_meta(ptr)) { 776 if (node->back_pointer || 777 assoc_array_ptr_is_shortcut(ptr)) 778 goto descend_to_node; 779 } 780 781 if (!keyring_ptr_is_keyring(ptr)) 782 continue; 783 784 key = keyring_ptr_to_key(ptr); 785 786 if (sp >= KEYRING_SEARCH_MAX_DEPTH) { 787 if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) { 788 ctx->result = ERR_PTR(-ELOOP); 789 return false; 790 } 791 goto not_this_keyring; 792 } 793 794 /* Search a nested keyring */ 795 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) && 796 key_task_permission(make_key_ref(key, ctx->possessed), 797 ctx->cred, KEY_NEED_SEARCH) < 0) 798 continue; 799 800 /* stack the current position */ 801 stack[sp].keyring = keyring; 802 stack[sp].node = node; 803 stack[sp].slot = slot; 804 sp++; 805 806 /* begin again with the new keyring */ 807 keyring = key; 808 goto descend_to_keyring; 809 } 810 811 /* We've dealt with all the slots in the current node, so now we need 812 * to ascend to the parent and continue processing there. 813 */ 814 ptr = READ_ONCE(node->back_pointer); 815 slot = node->parent_slot; 816 817 if (ptr && assoc_array_ptr_is_shortcut(ptr)) { 818 shortcut = assoc_array_ptr_to_shortcut(ptr); 819 ptr = READ_ONCE(shortcut->back_pointer); 820 slot = shortcut->parent_slot; 821 } 822 if (!ptr) 823 goto not_this_keyring; 824 node = assoc_array_ptr_to_node(ptr); 825 slot++; 826 827 /* If we've ascended to the root (zero backpointer), we must have just 828 * finished processing the leftmost branch rather than the root slots - 829 * so there can't be any more keyrings for us to find. 830 */ 831 if (node->back_pointer) { 832 kdebug("ascend %d", slot); 833 goto ascend_to_node; 834 } 835 836 /* The keyring we're looking at was disqualified or didn't contain a 837 * matching key. 838 */ 839 not_this_keyring: 840 kdebug("not_this_keyring %d", sp); 841 if (sp <= 0) { 842 kleave(" = false"); 843 return false; 844 } 845 846 /* Resume the processing of a keyring higher up in the tree */ 847 sp--; 848 keyring = stack[sp].keyring; 849 node = stack[sp].node; 850 slot = stack[sp].slot + 1; 851 kdebug("ascend to %d [%d]", keyring->serial, slot); 852 goto ascend_to_node; 853 854 /* We found a viable match */ 855 found: 856 key = key_ref_to_ptr(ctx->result); 857 key_check(key); 858 if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) { 859 key->last_used_at = ctx->now; 860 keyring->last_used_at = ctx->now; 861 while (sp > 0) 862 stack[--sp].keyring->last_used_at = ctx->now; 863 } 864 kleave(" = true"); 865 return true; 866 } 867 868 /** 869 * keyring_search_rcu - Search a keyring tree for a matching key under RCU 870 * @keyring_ref: A pointer to the keyring with possession indicator. 871 * @ctx: The keyring search context. 872 * 873 * Search the supplied keyring tree for a key that matches the criteria given. 874 * The root keyring and any linked keyrings must grant Search permission to the 875 * caller to be searchable and keys can only be found if they too grant Search 876 * to the caller. The possession flag on the root keyring pointer controls use 877 * of the possessor bits in permissions checking of the entire tree. In 878 * addition, the LSM gets to forbid keyring searches and key matches. 879 * 880 * The search is performed as a breadth-then-depth search up to the prescribed 881 * limit (KEYRING_SEARCH_MAX_DEPTH). The caller must hold the RCU read lock to 882 * prevent keyrings from being destroyed or rearranged whilst they are being 883 * searched. 884 * 885 * Keys are matched to the type provided and are then filtered by the match 886 * function, which is given the description to use in any way it sees fit. The 887 * match function may use any attributes of a key that it wishes to 888 * determine the match. Normally the match function from the key type would be 889 * used. 890 * 891 * RCU can be used to prevent the keyring key lists from disappearing without 892 * the need to take lots of locks. 893 * 894 * Returns a pointer to the found key and increments the key usage count if 895 * successful; -EAGAIN if no matching keys were found, or if expired or revoked 896 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the 897 * specified keyring wasn't a keyring. 898 * 899 * In the case of a successful return, the possession attribute from 900 * @keyring_ref is propagated to the returned key reference. 901 */ 902 key_ref_t keyring_search_rcu(key_ref_t keyring_ref, 903 struct keyring_search_context *ctx) 904 { 905 struct key *keyring; 906 long err; 907 908 ctx->iterator = keyring_search_iterator; 909 ctx->possessed = is_key_possessed(keyring_ref); 910 ctx->result = ERR_PTR(-EAGAIN); 911 912 keyring = key_ref_to_ptr(keyring_ref); 913 key_check(keyring); 914 915 if (keyring->type != &key_type_keyring) 916 return ERR_PTR(-ENOTDIR); 917 918 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) { 919 err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH); 920 if (err < 0) 921 return ERR_PTR(err); 922 } 923 924 ctx->now = ktime_get_real_seconds(); 925 if (search_nested_keyrings(keyring, ctx)) 926 __key_get(key_ref_to_ptr(ctx->result)); 927 return ctx->result; 928 } 929 930 /** 931 * keyring_search - Search the supplied keyring tree for a matching key 932 * @keyring: The root of the keyring tree to be searched. 933 * @type: The type of keyring we want to find. 934 * @description: The name of the keyring we want to find. 935 * @recurse: True to search the children of @keyring also 936 * 937 * As keyring_search_rcu() above, but using the current task's credentials and 938 * type's default matching function and preferred search method. 939 */ 940 key_ref_t keyring_search(key_ref_t keyring, 941 struct key_type *type, 942 const char *description, 943 bool recurse) 944 { 945 struct keyring_search_context ctx = { 946 .index_key.type = type, 947 .index_key.description = description, 948 .index_key.desc_len = strlen(description), 949 .cred = current_cred(), 950 .match_data.cmp = key_default_cmp, 951 .match_data.raw_data = description, 952 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 953 .flags = KEYRING_SEARCH_DO_STATE_CHECK, 954 }; 955 key_ref_t key; 956 int ret; 957 958 if (recurse) 959 ctx.flags |= KEYRING_SEARCH_RECURSE; 960 if (type->match_preparse) { 961 ret = type->match_preparse(&ctx.match_data); 962 if (ret < 0) 963 return ERR_PTR(ret); 964 } 965 966 rcu_read_lock(); 967 key = keyring_search_rcu(keyring, &ctx); 968 rcu_read_unlock(); 969 970 if (type->match_free) 971 type->match_free(&ctx.match_data); 972 return key; 973 } 974 EXPORT_SYMBOL(keyring_search); 975 976 static struct key_restriction *keyring_restriction_alloc( 977 key_restrict_link_func_t check) 978 { 979 struct key_restriction *keyres = 980 kzalloc(sizeof(struct key_restriction), GFP_KERNEL); 981 982 if (!keyres) 983 return ERR_PTR(-ENOMEM); 984 985 keyres->check = check; 986 987 return keyres; 988 } 989 990 /* 991 * Semaphore to serialise restriction setup to prevent reference count 992 * cycles through restriction key pointers. 993 */ 994 static DECLARE_RWSEM(keyring_serialise_restrict_sem); 995 996 /* 997 * Check for restriction cycles that would prevent keyring garbage collection. 998 * keyring_serialise_restrict_sem must be held. 999 */ 1000 static bool keyring_detect_restriction_cycle(const struct key *dest_keyring, 1001 struct key_restriction *keyres) 1002 { 1003 while (keyres && keyres->key && 1004 keyres->key->type == &key_type_keyring) { 1005 if (keyres->key == dest_keyring) 1006 return true; 1007 1008 keyres = keyres->key->restrict_link; 1009 } 1010 1011 return false; 1012 } 1013 1014 /** 1015 * keyring_restrict - Look up and apply a restriction to a keyring 1016 * @keyring_ref: The keyring to be restricted 1017 * @type: The key type that will provide the restriction checker. 1018 * @restriction: The restriction options to apply to the keyring 1019 * 1020 * Look up a keyring and apply a restriction to it. The restriction is managed 1021 * by the specific key type, but can be configured by the options specified in 1022 * the restriction string. 1023 */ 1024 int keyring_restrict(key_ref_t keyring_ref, const char *type, 1025 const char *restriction) 1026 { 1027 struct key *keyring; 1028 struct key_type *restrict_type = NULL; 1029 struct key_restriction *restrict_link; 1030 int ret = 0; 1031 1032 keyring = key_ref_to_ptr(keyring_ref); 1033 key_check(keyring); 1034 1035 if (keyring->type != &key_type_keyring) 1036 return -ENOTDIR; 1037 1038 if (!type) { 1039 restrict_link = keyring_restriction_alloc(restrict_link_reject); 1040 } else { 1041 restrict_type = key_type_lookup(type); 1042 1043 if (IS_ERR(restrict_type)) 1044 return PTR_ERR(restrict_type); 1045 1046 if (!restrict_type->lookup_restriction) { 1047 ret = -ENOENT; 1048 goto error; 1049 } 1050 1051 restrict_link = restrict_type->lookup_restriction(restriction); 1052 } 1053 1054 if (IS_ERR(restrict_link)) { 1055 ret = PTR_ERR(restrict_link); 1056 goto error; 1057 } 1058 1059 down_write(&keyring->sem); 1060 down_write(&keyring_serialise_restrict_sem); 1061 1062 if (keyring->restrict_link) { 1063 ret = -EEXIST; 1064 } else if (keyring_detect_restriction_cycle(keyring, restrict_link)) { 1065 ret = -EDEADLK; 1066 } else { 1067 keyring->restrict_link = restrict_link; 1068 notify_key(keyring, NOTIFY_KEY_SETATTR, 0); 1069 } 1070 1071 up_write(&keyring_serialise_restrict_sem); 1072 up_write(&keyring->sem); 1073 1074 if (ret < 0) { 1075 key_put(restrict_link->key); 1076 kfree(restrict_link); 1077 } 1078 1079 error: 1080 if (restrict_type) 1081 key_type_put(restrict_type); 1082 1083 return ret; 1084 } 1085 EXPORT_SYMBOL(keyring_restrict); 1086 1087 /* 1088 * Search the given keyring for a key that might be updated. 1089 * 1090 * The caller must guarantee that the keyring is a keyring and that the 1091 * permission is granted to modify the keyring as no check is made here. The 1092 * caller must also hold a lock on the keyring semaphore. 1093 * 1094 * Returns a pointer to the found key with usage count incremented if 1095 * successful and returns NULL if not found. Revoked and invalidated keys are 1096 * skipped over. 1097 * 1098 * If successful, the possession indicator is propagated from the keyring ref 1099 * to the returned key reference. 1100 */ 1101 key_ref_t find_key_to_update(key_ref_t keyring_ref, 1102 const struct keyring_index_key *index_key) 1103 { 1104 struct key *keyring, *key; 1105 const void *object; 1106 1107 keyring = key_ref_to_ptr(keyring_ref); 1108 1109 kenter("{%d},{%s,%s}", 1110 keyring->serial, index_key->type->name, index_key->description); 1111 1112 object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops, 1113 index_key); 1114 1115 if (object) 1116 goto found; 1117 1118 kleave(" = NULL"); 1119 return NULL; 1120 1121 found: 1122 key = keyring_ptr_to_key(object); 1123 if (key->flags & ((1 << KEY_FLAG_INVALIDATED) | 1124 (1 << KEY_FLAG_REVOKED))) { 1125 kleave(" = NULL [x]"); 1126 return NULL; 1127 } 1128 __key_get(key); 1129 kleave(" = {%d}", key->serial); 1130 return make_key_ref(key, is_key_possessed(keyring_ref)); 1131 } 1132 1133 /* 1134 * Find a keyring with the specified name. 1135 * 1136 * Only keyrings that have nonzero refcount, are not revoked, and are owned by a 1137 * user in the current user namespace are considered. If @uid_keyring is %true, 1138 * the keyring additionally must have been allocated as a user or user session 1139 * keyring; otherwise, it must grant Search permission directly to the caller. 1140 * 1141 * Returns a pointer to the keyring with the keyring's refcount having being 1142 * incremented on success. -ENOKEY is returned if a key could not be found. 1143 */ 1144 struct key *find_keyring_by_name(const char *name, bool uid_keyring) 1145 { 1146 struct user_namespace *ns = current_user_ns(); 1147 struct key *keyring; 1148 1149 if (!name) 1150 return ERR_PTR(-EINVAL); 1151 1152 read_lock(&keyring_name_lock); 1153 1154 /* Search this hash bucket for a keyring with a matching name that 1155 * grants Search permission and that hasn't been revoked 1156 */ 1157 list_for_each_entry(keyring, &ns->keyring_name_list, name_link) { 1158 if (!kuid_has_mapping(ns, keyring->user->uid)) 1159 continue; 1160 1161 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 1162 continue; 1163 1164 if (strcmp(keyring->description, name) != 0) 1165 continue; 1166 1167 if (uid_keyring) { 1168 if (!test_bit(KEY_FLAG_UID_KEYRING, 1169 &keyring->flags)) 1170 continue; 1171 } else { 1172 if (key_permission(make_key_ref(keyring, 0), 1173 KEY_NEED_SEARCH) < 0) 1174 continue; 1175 } 1176 1177 /* we've got a match but we might end up racing with 1178 * key_cleanup() if the keyring is currently 'dead' 1179 * (ie. it has a zero usage count) */ 1180 if (!refcount_inc_not_zero(&keyring->usage)) 1181 continue; 1182 keyring->last_used_at = ktime_get_real_seconds(); 1183 goto out; 1184 } 1185 1186 keyring = ERR_PTR(-ENOKEY); 1187 out: 1188 read_unlock(&keyring_name_lock); 1189 return keyring; 1190 } 1191 1192 static int keyring_detect_cycle_iterator(const void *object, 1193 void *iterator_data) 1194 { 1195 struct keyring_search_context *ctx = iterator_data; 1196 const struct key *key = keyring_ptr_to_key(object); 1197 1198 kenter("{%d}", key->serial); 1199 1200 /* We might get a keyring with matching index-key that is nonetheless a 1201 * different keyring. */ 1202 if (key != ctx->match_data.raw_data) 1203 return 0; 1204 1205 ctx->result = ERR_PTR(-EDEADLK); 1206 return 1; 1207 } 1208 1209 /* 1210 * See if a cycle will be created by inserting acyclic tree B in acyclic 1211 * tree A at the topmost level (ie: as a direct child of A). 1212 * 1213 * Since we are adding B to A at the top level, checking for cycles should just 1214 * be a matter of seeing if node A is somewhere in tree B. 1215 */ 1216 static int keyring_detect_cycle(struct key *A, struct key *B) 1217 { 1218 struct keyring_search_context ctx = { 1219 .index_key = A->index_key, 1220 .match_data.raw_data = A, 1221 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 1222 .iterator = keyring_detect_cycle_iterator, 1223 .flags = (KEYRING_SEARCH_NO_STATE_CHECK | 1224 KEYRING_SEARCH_NO_UPDATE_TIME | 1225 KEYRING_SEARCH_NO_CHECK_PERM | 1226 KEYRING_SEARCH_DETECT_TOO_DEEP | 1227 KEYRING_SEARCH_RECURSE), 1228 }; 1229 1230 rcu_read_lock(); 1231 search_nested_keyrings(B, &ctx); 1232 rcu_read_unlock(); 1233 return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result); 1234 } 1235 1236 /* 1237 * Lock keyring for link. 1238 */ 1239 int __key_link_lock(struct key *keyring, 1240 const struct keyring_index_key *index_key) 1241 __acquires(&keyring->sem) 1242 __acquires(&keyring_serialise_link_lock) 1243 { 1244 if (keyring->type != &key_type_keyring) 1245 return -ENOTDIR; 1246 1247 down_write(&keyring->sem); 1248 1249 /* Serialise link/link calls to prevent parallel calls causing a cycle 1250 * when linking two keyring in opposite orders. 1251 */ 1252 if (index_key->type == &key_type_keyring) 1253 mutex_lock(&keyring_serialise_link_lock); 1254 1255 return 0; 1256 } 1257 1258 /* 1259 * Lock keyrings for move (link/unlink combination). 1260 */ 1261 int __key_move_lock(struct key *l_keyring, struct key *u_keyring, 1262 const struct keyring_index_key *index_key) 1263 __acquires(&l_keyring->sem) 1264 __acquires(&u_keyring->sem) 1265 __acquires(&keyring_serialise_link_lock) 1266 { 1267 if (l_keyring->type != &key_type_keyring || 1268 u_keyring->type != &key_type_keyring) 1269 return -ENOTDIR; 1270 1271 /* We have to be very careful here to take the keyring locks in the 1272 * right order, lest we open ourselves to deadlocking against another 1273 * move operation. 1274 */ 1275 if (l_keyring < u_keyring) { 1276 down_write(&l_keyring->sem); 1277 down_write_nested(&u_keyring->sem, 1); 1278 } else { 1279 down_write(&u_keyring->sem); 1280 down_write_nested(&l_keyring->sem, 1); 1281 } 1282 1283 /* Serialise link/link calls to prevent parallel calls causing a cycle 1284 * when linking two keyring in opposite orders. 1285 */ 1286 if (index_key->type == &key_type_keyring) 1287 mutex_lock(&keyring_serialise_link_lock); 1288 1289 return 0; 1290 } 1291 1292 /* 1293 * Preallocate memory so that a key can be linked into to a keyring. 1294 */ 1295 int __key_link_begin(struct key *keyring, 1296 const struct keyring_index_key *index_key, 1297 struct assoc_array_edit **_edit) 1298 { 1299 struct assoc_array_edit *edit; 1300 int ret; 1301 1302 kenter("%d,%s,%s,", 1303 keyring->serial, index_key->type->name, index_key->description); 1304 1305 BUG_ON(index_key->desc_len == 0); 1306 BUG_ON(*_edit != NULL); 1307 1308 *_edit = NULL; 1309 1310 ret = -EKEYREVOKED; 1311 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 1312 goto error; 1313 1314 /* Create an edit script that will insert/replace the key in the 1315 * keyring tree. 1316 */ 1317 edit = assoc_array_insert(&keyring->keys, 1318 &keyring_assoc_array_ops, 1319 index_key, 1320 NULL); 1321 if (IS_ERR(edit)) { 1322 ret = PTR_ERR(edit); 1323 goto error; 1324 } 1325 1326 /* If we're not replacing a link in-place then we're going to need some 1327 * extra quota. 1328 */ 1329 if (!edit->dead_leaf) { 1330 ret = key_payload_reserve(keyring, 1331 keyring->datalen + KEYQUOTA_LINK_BYTES); 1332 if (ret < 0) 1333 goto error_cancel; 1334 } 1335 1336 *_edit = edit; 1337 kleave(" = 0"); 1338 return 0; 1339 1340 error_cancel: 1341 assoc_array_cancel_edit(edit); 1342 error: 1343 kleave(" = %d", ret); 1344 return ret; 1345 } 1346 1347 /* 1348 * Check already instantiated keys aren't going to be a problem. 1349 * 1350 * The caller must have called __key_link_begin(). Don't need to call this for 1351 * keys that were created since __key_link_begin() was called. 1352 */ 1353 int __key_link_check_live_key(struct key *keyring, struct key *key) 1354 { 1355 if (key->type == &key_type_keyring) 1356 /* check that we aren't going to create a cycle by linking one 1357 * keyring to another */ 1358 return keyring_detect_cycle(keyring, key); 1359 return 0; 1360 } 1361 1362 /* 1363 * Link a key into to a keyring. 1364 * 1365 * Must be called with __key_link_begin() having being called. Discards any 1366 * already extant link to matching key if there is one, so that each keyring 1367 * holds at most one link to any given key of a particular type+description 1368 * combination. 1369 */ 1370 void __key_link(struct key *keyring, struct key *key, 1371 struct assoc_array_edit **_edit) 1372 { 1373 __key_get(key); 1374 assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key)); 1375 assoc_array_apply_edit(*_edit); 1376 *_edit = NULL; 1377 notify_key(keyring, NOTIFY_KEY_LINKED, key_serial(key)); 1378 } 1379 1380 /* 1381 * Finish linking a key into to a keyring. 1382 * 1383 * Must be called with __key_link_begin() having being called. 1384 */ 1385 void __key_link_end(struct key *keyring, 1386 const struct keyring_index_key *index_key, 1387 struct assoc_array_edit *edit) 1388 __releases(&keyring->sem) 1389 __releases(&keyring_serialise_link_lock) 1390 { 1391 BUG_ON(index_key->type == NULL); 1392 kenter("%d,%s,", keyring->serial, index_key->type->name); 1393 1394 if (edit) { 1395 if (!edit->dead_leaf) { 1396 key_payload_reserve(keyring, 1397 keyring->datalen - KEYQUOTA_LINK_BYTES); 1398 } 1399 assoc_array_cancel_edit(edit); 1400 } 1401 up_write(&keyring->sem); 1402 1403 if (index_key->type == &key_type_keyring) 1404 mutex_unlock(&keyring_serialise_link_lock); 1405 } 1406 1407 /* 1408 * Check addition of keys to restricted keyrings. 1409 */ 1410 static int __key_link_check_restriction(struct key *keyring, struct key *key) 1411 { 1412 if (!keyring->restrict_link || !keyring->restrict_link->check) 1413 return 0; 1414 return keyring->restrict_link->check(keyring, key->type, &key->payload, 1415 keyring->restrict_link->key); 1416 } 1417 1418 /** 1419 * key_link - Link a key to a keyring 1420 * @keyring: The keyring to make the link in. 1421 * @key: The key to link to. 1422 * 1423 * Make a link in a keyring to a key, such that the keyring holds a reference 1424 * on that key and the key can potentially be found by searching that keyring. 1425 * 1426 * This function will write-lock the keyring's semaphore and will consume some 1427 * of the user's key data quota to hold the link. 1428 * 1429 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, 1430 * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is 1431 * full, -EDQUOT if there is insufficient key data quota remaining to add 1432 * another link or -ENOMEM if there's insufficient memory. 1433 * 1434 * It is assumed that the caller has checked that it is permitted for a link to 1435 * be made (the keyring should have Write permission and the key Link 1436 * permission). 1437 */ 1438 int key_link(struct key *keyring, struct key *key) 1439 { 1440 struct assoc_array_edit *edit = NULL; 1441 int ret; 1442 1443 kenter("{%d,%d}", keyring->serial, refcount_read(&keyring->usage)); 1444 1445 key_check(keyring); 1446 key_check(key); 1447 1448 ret = __key_link_lock(keyring, &key->index_key); 1449 if (ret < 0) 1450 goto error; 1451 1452 ret = __key_link_begin(keyring, &key->index_key, &edit); 1453 if (ret < 0) 1454 goto error_end; 1455 1456 kdebug("begun {%d,%d}", keyring->serial, refcount_read(&keyring->usage)); 1457 ret = __key_link_check_restriction(keyring, key); 1458 if (ret == 0) 1459 ret = __key_link_check_live_key(keyring, key); 1460 if (ret == 0) 1461 __key_link(keyring, key, &edit); 1462 1463 error_end: 1464 __key_link_end(keyring, &key->index_key, edit); 1465 error: 1466 kleave(" = %d {%d,%d}", ret, keyring->serial, refcount_read(&keyring->usage)); 1467 return ret; 1468 } 1469 EXPORT_SYMBOL(key_link); 1470 1471 /* 1472 * Lock a keyring for unlink. 1473 */ 1474 static int __key_unlink_lock(struct key *keyring) 1475 __acquires(&keyring->sem) 1476 { 1477 if (keyring->type != &key_type_keyring) 1478 return -ENOTDIR; 1479 1480 down_write(&keyring->sem); 1481 return 0; 1482 } 1483 1484 /* 1485 * Begin the process of unlinking a key from a keyring. 1486 */ 1487 static int __key_unlink_begin(struct key *keyring, struct key *key, 1488 struct assoc_array_edit **_edit) 1489 { 1490 struct assoc_array_edit *edit; 1491 1492 BUG_ON(*_edit != NULL); 1493 1494 edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops, 1495 &key->index_key); 1496 if (IS_ERR(edit)) 1497 return PTR_ERR(edit); 1498 1499 if (!edit) 1500 return -ENOENT; 1501 1502 *_edit = edit; 1503 return 0; 1504 } 1505 1506 /* 1507 * Apply an unlink change. 1508 */ 1509 static void __key_unlink(struct key *keyring, struct key *key, 1510 struct assoc_array_edit **_edit) 1511 { 1512 assoc_array_apply_edit(*_edit); 1513 notify_key(keyring, NOTIFY_KEY_UNLINKED, key_serial(key)); 1514 *_edit = NULL; 1515 key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES); 1516 } 1517 1518 /* 1519 * Finish unlinking a key from to a keyring. 1520 */ 1521 static void __key_unlink_end(struct key *keyring, 1522 struct key *key, 1523 struct assoc_array_edit *edit) 1524 __releases(&keyring->sem) 1525 { 1526 if (edit) 1527 assoc_array_cancel_edit(edit); 1528 up_write(&keyring->sem); 1529 } 1530 1531 /** 1532 * key_unlink - Unlink the first link to a key from a keyring. 1533 * @keyring: The keyring to remove the link from. 1534 * @key: The key the link is to. 1535 * 1536 * Remove a link from a keyring to a key. 1537 * 1538 * This function will write-lock the keyring's semaphore. 1539 * 1540 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if 1541 * the key isn't linked to by the keyring or -ENOMEM if there's insufficient 1542 * memory. 1543 * 1544 * It is assumed that the caller has checked that it is permitted for a link to 1545 * be removed (the keyring should have Write permission; no permissions are 1546 * required on the key). 1547 */ 1548 int key_unlink(struct key *keyring, struct key *key) 1549 { 1550 struct assoc_array_edit *edit = NULL; 1551 int ret; 1552 1553 key_check(keyring); 1554 key_check(key); 1555 1556 ret = __key_unlink_lock(keyring); 1557 if (ret < 0) 1558 return ret; 1559 1560 ret = __key_unlink_begin(keyring, key, &edit); 1561 if (ret == 0) 1562 __key_unlink(keyring, key, &edit); 1563 __key_unlink_end(keyring, key, edit); 1564 return ret; 1565 } 1566 EXPORT_SYMBOL(key_unlink); 1567 1568 /** 1569 * key_move - Move a key from one keyring to another 1570 * @key: The key to move 1571 * @from_keyring: The keyring to remove the link from. 1572 * @to_keyring: The keyring to make the link in. 1573 * @flags: Qualifying flags, such as KEYCTL_MOVE_EXCL. 1574 * 1575 * Make a link in @to_keyring to a key, such that the keyring holds a reference 1576 * on that key and the key can potentially be found by searching that keyring 1577 * whilst simultaneously removing a link to the key from @from_keyring. 1578 * 1579 * This function will write-lock both keyring's semaphores and will consume 1580 * some of the user's key data quota to hold the link on @to_keyring. 1581 * 1582 * Returns 0 if successful, -ENOTDIR if either keyring isn't a keyring, 1583 * -EKEYREVOKED if either keyring has been revoked, -ENFILE if the second 1584 * keyring is full, -EDQUOT if there is insufficient key data quota remaining 1585 * to add another link or -ENOMEM if there's insufficient memory. If 1586 * KEYCTL_MOVE_EXCL is set, then -EEXIST will be returned if there's already a 1587 * matching key in @to_keyring. 1588 * 1589 * It is assumed that the caller has checked that it is permitted for a link to 1590 * be made (the keyring should have Write permission and the key Link 1591 * permission). 1592 */ 1593 int key_move(struct key *key, 1594 struct key *from_keyring, 1595 struct key *to_keyring, 1596 unsigned int flags) 1597 { 1598 struct assoc_array_edit *from_edit = NULL, *to_edit = NULL; 1599 int ret; 1600 1601 kenter("%d,%d,%d", key->serial, from_keyring->serial, to_keyring->serial); 1602 1603 if (from_keyring == to_keyring) 1604 return 0; 1605 1606 key_check(key); 1607 key_check(from_keyring); 1608 key_check(to_keyring); 1609 1610 ret = __key_move_lock(from_keyring, to_keyring, &key->index_key); 1611 if (ret < 0) 1612 goto out; 1613 ret = __key_unlink_begin(from_keyring, key, &from_edit); 1614 if (ret < 0) 1615 goto error; 1616 ret = __key_link_begin(to_keyring, &key->index_key, &to_edit); 1617 if (ret < 0) 1618 goto error; 1619 1620 ret = -EEXIST; 1621 if (to_edit->dead_leaf && (flags & KEYCTL_MOVE_EXCL)) 1622 goto error; 1623 1624 ret = __key_link_check_restriction(to_keyring, key); 1625 if (ret < 0) 1626 goto error; 1627 ret = __key_link_check_live_key(to_keyring, key); 1628 if (ret < 0) 1629 goto error; 1630 1631 __key_unlink(from_keyring, key, &from_edit); 1632 __key_link(to_keyring, key, &to_edit); 1633 error: 1634 __key_link_end(to_keyring, &key->index_key, to_edit); 1635 __key_unlink_end(from_keyring, key, from_edit); 1636 out: 1637 kleave(" = %d", ret); 1638 return ret; 1639 } 1640 EXPORT_SYMBOL(key_move); 1641 1642 /** 1643 * keyring_clear - Clear a keyring 1644 * @keyring: The keyring to clear. 1645 * 1646 * Clear the contents of the specified keyring. 1647 * 1648 * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring. 1649 */ 1650 int keyring_clear(struct key *keyring) 1651 { 1652 struct assoc_array_edit *edit; 1653 int ret; 1654 1655 if (keyring->type != &key_type_keyring) 1656 return -ENOTDIR; 1657 1658 down_write(&keyring->sem); 1659 1660 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); 1661 if (IS_ERR(edit)) { 1662 ret = PTR_ERR(edit); 1663 } else { 1664 if (edit) 1665 assoc_array_apply_edit(edit); 1666 notify_key(keyring, NOTIFY_KEY_CLEARED, 0); 1667 key_payload_reserve(keyring, 0); 1668 ret = 0; 1669 } 1670 1671 up_write(&keyring->sem); 1672 return ret; 1673 } 1674 EXPORT_SYMBOL(keyring_clear); 1675 1676 /* 1677 * Dispose of the links from a revoked keyring. 1678 * 1679 * This is called with the key sem write-locked. 1680 */ 1681 static void keyring_revoke(struct key *keyring) 1682 { 1683 struct assoc_array_edit *edit; 1684 1685 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); 1686 if (!IS_ERR(edit)) { 1687 if (edit) 1688 assoc_array_apply_edit(edit); 1689 key_payload_reserve(keyring, 0); 1690 } 1691 } 1692 1693 static bool keyring_gc_select_iterator(void *object, void *iterator_data) 1694 { 1695 struct key *key = keyring_ptr_to_key(object); 1696 time64_t *limit = iterator_data; 1697 1698 if (key_is_dead(key, *limit)) 1699 return false; 1700 key_get(key); 1701 return true; 1702 } 1703 1704 static int keyring_gc_check_iterator(const void *object, void *iterator_data) 1705 { 1706 const struct key *key = keyring_ptr_to_key(object); 1707 time64_t *limit = iterator_data; 1708 1709 key_check(key); 1710 return key_is_dead(key, *limit); 1711 } 1712 1713 /* 1714 * Garbage collect pointers from a keyring. 1715 * 1716 * Not called with any locks held. The keyring's key struct will not be 1717 * deallocated under us as only our caller may deallocate it. 1718 */ 1719 void keyring_gc(struct key *keyring, time64_t limit) 1720 { 1721 int result; 1722 1723 kenter("%x{%s}", keyring->serial, keyring->description ?: ""); 1724 1725 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | 1726 (1 << KEY_FLAG_REVOKED))) 1727 goto dont_gc; 1728 1729 /* scan the keyring looking for dead keys */ 1730 rcu_read_lock(); 1731 result = assoc_array_iterate(&keyring->keys, 1732 keyring_gc_check_iterator, &limit); 1733 rcu_read_unlock(); 1734 if (result == true) 1735 goto do_gc; 1736 1737 dont_gc: 1738 kleave(" [no gc]"); 1739 return; 1740 1741 do_gc: 1742 down_write(&keyring->sem); 1743 assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops, 1744 keyring_gc_select_iterator, &limit); 1745 up_write(&keyring->sem); 1746 kleave(" [gc]"); 1747 } 1748 1749 /* 1750 * Garbage collect restriction pointers from a keyring. 1751 * 1752 * Keyring restrictions are associated with a key type, and must be cleaned 1753 * up if the key type is unregistered. The restriction is altered to always 1754 * reject additional keys so a keyring cannot be opened up by unregistering 1755 * a key type. 1756 * 1757 * Not called with any keyring locks held. The keyring's key struct will not 1758 * be deallocated under us as only our caller may deallocate it. 1759 * 1760 * The caller is required to hold key_types_sem and dead_type->sem. This is 1761 * fulfilled by key_gc_keytype() holding the locks on behalf of 1762 * key_garbage_collector(), which it invokes on a workqueue. 1763 */ 1764 void keyring_restriction_gc(struct key *keyring, struct key_type *dead_type) 1765 { 1766 struct key_restriction *keyres; 1767 1768 kenter("%x{%s}", keyring->serial, keyring->description ?: ""); 1769 1770 /* 1771 * keyring->restrict_link is only assigned at key allocation time 1772 * or with the key type locked, so the only values that could be 1773 * concurrently assigned to keyring->restrict_link are for key 1774 * types other than dead_type. Given this, it's ok to check 1775 * the key type before acquiring keyring->sem. 1776 */ 1777 if (!dead_type || !keyring->restrict_link || 1778 keyring->restrict_link->keytype != dead_type) { 1779 kleave(" [no restriction gc]"); 1780 return; 1781 } 1782 1783 /* Lock the keyring to ensure that a link is not in progress */ 1784 down_write(&keyring->sem); 1785 1786 keyres = keyring->restrict_link; 1787 1788 keyres->check = restrict_link_reject; 1789 1790 key_put(keyres->key); 1791 keyres->key = NULL; 1792 keyres->keytype = NULL; 1793 1794 up_write(&keyring->sem); 1795 1796 kleave(" [restriction gc]"); 1797 } 1798