1 /* procfs files for key database enumeration 2 * 3 * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/fs.h> 16 #include <linux/proc_fs.h> 17 #include <linux/seq_file.h> 18 #include <asm/errno.h> 19 #include "internal.h" 20 21 static int proc_keys_open(struct inode *inode, struct file *file); 22 static void *proc_keys_start(struct seq_file *p, loff_t *_pos); 23 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos); 24 static void proc_keys_stop(struct seq_file *p, void *v); 25 static int proc_keys_show(struct seq_file *m, void *v); 26 27 static const struct seq_operations proc_keys_ops = { 28 .start = proc_keys_start, 29 .next = proc_keys_next, 30 .stop = proc_keys_stop, 31 .show = proc_keys_show, 32 }; 33 34 static const struct file_operations proc_keys_fops = { 35 .open = proc_keys_open, 36 .read = seq_read, 37 .llseek = seq_lseek, 38 .release = seq_release, 39 }; 40 41 static int proc_key_users_open(struct inode *inode, struct file *file); 42 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos); 43 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos); 44 static void proc_key_users_stop(struct seq_file *p, void *v); 45 static int proc_key_users_show(struct seq_file *m, void *v); 46 47 static const struct seq_operations proc_key_users_ops = { 48 .start = proc_key_users_start, 49 .next = proc_key_users_next, 50 .stop = proc_key_users_stop, 51 .show = proc_key_users_show, 52 }; 53 54 static const struct file_operations proc_key_users_fops = { 55 .open = proc_key_users_open, 56 .read = seq_read, 57 .llseek = seq_lseek, 58 .release = seq_release, 59 }; 60 61 /* 62 * Declare the /proc files. 63 */ 64 static int __init key_proc_init(void) 65 { 66 struct proc_dir_entry *p; 67 68 p = proc_create("keys", 0, NULL, &proc_keys_fops); 69 if (!p) 70 panic("Cannot create /proc/keys\n"); 71 72 p = proc_create("key-users", 0, NULL, &proc_key_users_fops); 73 if (!p) 74 panic("Cannot create /proc/key-users\n"); 75 76 return 0; 77 } 78 79 __initcall(key_proc_init); 80 81 /* 82 * Implement "/proc/keys" to provide a list of the keys on the system that 83 * grant View permission to the caller. 84 */ 85 static struct rb_node *key_serial_next(struct seq_file *p, struct rb_node *n) 86 { 87 struct user_namespace *user_ns = seq_user_ns(p); 88 89 n = rb_next(n); 90 while (n) { 91 struct key *key = rb_entry(n, struct key, serial_node); 92 if (kuid_has_mapping(user_ns, key->user->uid)) 93 break; 94 n = rb_next(n); 95 } 96 return n; 97 } 98 99 static int proc_keys_open(struct inode *inode, struct file *file) 100 { 101 return seq_open(file, &proc_keys_ops); 102 } 103 104 static struct key *find_ge_key(struct seq_file *p, key_serial_t id) 105 { 106 struct user_namespace *user_ns = seq_user_ns(p); 107 struct rb_node *n = key_serial_tree.rb_node; 108 struct key *minkey = NULL; 109 110 while (n) { 111 struct key *key = rb_entry(n, struct key, serial_node); 112 if (id < key->serial) { 113 if (!minkey || minkey->serial > key->serial) 114 minkey = key; 115 n = n->rb_left; 116 } else if (id > key->serial) { 117 n = n->rb_right; 118 } else { 119 minkey = key; 120 break; 121 } 122 key = NULL; 123 } 124 125 if (!minkey) 126 return NULL; 127 128 for (;;) { 129 if (kuid_has_mapping(user_ns, minkey->user->uid)) 130 return minkey; 131 n = rb_next(&minkey->serial_node); 132 if (!n) 133 return NULL; 134 minkey = rb_entry(n, struct key, serial_node); 135 } 136 } 137 138 static void *proc_keys_start(struct seq_file *p, loff_t *_pos) 139 __acquires(key_serial_lock) 140 { 141 key_serial_t pos = *_pos; 142 struct key *key; 143 144 spin_lock(&key_serial_lock); 145 146 if (*_pos > INT_MAX) 147 return NULL; 148 key = find_ge_key(p, pos); 149 if (!key) 150 return NULL; 151 *_pos = key->serial; 152 return &key->serial_node; 153 } 154 155 static inline key_serial_t key_node_serial(struct rb_node *n) 156 { 157 struct key *key = rb_entry(n, struct key, serial_node); 158 return key->serial; 159 } 160 161 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos) 162 { 163 struct rb_node *n; 164 165 n = key_serial_next(p, v); 166 if (n) 167 *_pos = key_node_serial(n); 168 return n; 169 } 170 171 static void proc_keys_stop(struct seq_file *p, void *v) 172 __releases(key_serial_lock) 173 { 174 spin_unlock(&key_serial_lock); 175 } 176 177 static int proc_keys_show(struct seq_file *m, void *v) 178 { 179 struct rb_node *_p = v; 180 struct key *key = rb_entry(_p, struct key, serial_node); 181 struct timespec now; 182 unsigned long timo; 183 key_ref_t key_ref, skey_ref; 184 char xbuf[16]; 185 int rc; 186 187 struct keyring_search_context ctx = { 188 .index_key.type = key->type, 189 .index_key.description = key->description, 190 .cred = current_cred(), 191 .match_data.cmp = lookup_user_key_possessed, 192 .match_data.raw_data = key, 193 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 194 .flags = KEYRING_SEARCH_NO_STATE_CHECK, 195 }; 196 197 key_ref = make_key_ref(key, 0); 198 199 /* determine if the key is possessed by this process (a test we can 200 * skip if the key does not indicate the possessor can view it 201 */ 202 if (key->perm & KEY_POS_VIEW) { 203 skey_ref = search_my_process_keyrings(&ctx); 204 if (!IS_ERR(skey_ref)) { 205 key_ref_put(skey_ref); 206 key_ref = make_key_ref(key, 1); 207 } 208 } 209 210 /* check whether the current task is allowed to view the key (assuming 211 * non-possession) 212 * - the caller holds a spinlock, and thus the RCU read lock, making our 213 * access to __current_cred() safe 214 */ 215 rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW); 216 if (rc < 0) 217 return 0; 218 219 now = current_kernel_time(); 220 221 rcu_read_lock(); 222 223 /* come up with a suitable timeout value */ 224 if (key->expiry == 0) { 225 memcpy(xbuf, "perm", 5); 226 } else if (now.tv_sec >= key->expiry) { 227 memcpy(xbuf, "expd", 5); 228 } else { 229 timo = key->expiry - now.tv_sec; 230 231 if (timo < 60) 232 sprintf(xbuf, "%lus", timo); 233 else if (timo < 60*60) 234 sprintf(xbuf, "%lum", timo / 60); 235 else if (timo < 60*60*24) 236 sprintf(xbuf, "%luh", timo / (60*60)); 237 else if (timo < 60*60*24*7) 238 sprintf(xbuf, "%lud", timo / (60*60*24)); 239 else 240 sprintf(xbuf, "%luw", timo / (60*60*24*7)); 241 } 242 243 #define showflag(KEY, LETTER, FLAG) \ 244 (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-') 245 246 seq_printf(m, "%08x %c%c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ", 247 key->serial, 248 showflag(key, 'I', KEY_FLAG_INSTANTIATED), 249 showflag(key, 'R', KEY_FLAG_REVOKED), 250 showflag(key, 'D', KEY_FLAG_DEAD), 251 showflag(key, 'Q', KEY_FLAG_IN_QUOTA), 252 showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT), 253 showflag(key, 'N', KEY_FLAG_NEGATIVE), 254 showflag(key, 'i', KEY_FLAG_INVALIDATED), 255 atomic_read(&key->usage), 256 xbuf, 257 key->perm, 258 from_kuid_munged(seq_user_ns(m), key->uid), 259 from_kgid_munged(seq_user_ns(m), key->gid), 260 key->type->name); 261 262 #undef showflag 263 264 if (key->type->describe) 265 key->type->describe(key, m); 266 seq_putc(m, '\n'); 267 268 rcu_read_unlock(); 269 return 0; 270 } 271 272 static struct rb_node *__key_user_next(struct user_namespace *user_ns, struct rb_node *n) 273 { 274 while (n) { 275 struct key_user *user = rb_entry(n, struct key_user, node); 276 if (kuid_has_mapping(user_ns, user->uid)) 277 break; 278 n = rb_next(n); 279 } 280 return n; 281 } 282 283 static struct rb_node *key_user_next(struct user_namespace *user_ns, struct rb_node *n) 284 { 285 return __key_user_next(user_ns, rb_next(n)); 286 } 287 288 static struct rb_node *key_user_first(struct user_namespace *user_ns, struct rb_root *r) 289 { 290 struct rb_node *n = rb_first(r); 291 return __key_user_next(user_ns, n); 292 } 293 294 /* 295 * Implement "/proc/key-users" to provides a list of the key users and their 296 * quotas. 297 */ 298 static int proc_key_users_open(struct inode *inode, struct file *file) 299 { 300 return seq_open(file, &proc_key_users_ops); 301 } 302 303 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos) 304 __acquires(key_user_lock) 305 { 306 struct rb_node *_p; 307 loff_t pos = *_pos; 308 309 spin_lock(&key_user_lock); 310 311 _p = key_user_first(seq_user_ns(p), &key_user_tree); 312 while (pos > 0 && _p) { 313 pos--; 314 _p = key_user_next(seq_user_ns(p), _p); 315 } 316 317 return _p; 318 } 319 320 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos) 321 { 322 (*_pos)++; 323 return key_user_next(seq_user_ns(p), (struct rb_node *)v); 324 } 325 326 static void proc_key_users_stop(struct seq_file *p, void *v) 327 __releases(key_user_lock) 328 { 329 spin_unlock(&key_user_lock); 330 } 331 332 static int proc_key_users_show(struct seq_file *m, void *v) 333 { 334 struct rb_node *_p = v; 335 struct key_user *user = rb_entry(_p, struct key_user, node); 336 unsigned maxkeys = uid_eq(user->uid, GLOBAL_ROOT_UID) ? 337 key_quota_root_maxkeys : key_quota_maxkeys; 338 unsigned maxbytes = uid_eq(user->uid, GLOBAL_ROOT_UID) ? 339 key_quota_root_maxbytes : key_quota_maxbytes; 340 341 seq_printf(m, "%5u: %5d %d/%d %d/%d %d/%d\n", 342 from_kuid_munged(seq_user_ns(m), user->uid), 343 atomic_read(&user->usage), 344 atomic_read(&user->nkeys), 345 atomic_read(&user->nikeys), 346 user->qnkeys, 347 maxkeys, 348 user->qnbytes, 349 maxbytes); 350 351 return 0; 352 } 353