xref: /openbmc/linux/security/keys/proc.c (revision 5a244f48)
1 /* procfs files for key database enumeration
2  *
3  * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11 
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/fs.h>
16 #include <linux/proc_fs.h>
17 #include <linux/seq_file.h>
18 #include <asm/errno.h>
19 #include "internal.h"
20 
21 static int proc_keys_open(struct inode *inode, struct file *file);
22 static void *proc_keys_start(struct seq_file *p, loff_t *_pos);
23 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos);
24 static void proc_keys_stop(struct seq_file *p, void *v);
25 static int proc_keys_show(struct seq_file *m, void *v);
26 
27 static const struct seq_operations proc_keys_ops = {
28 	.start	= proc_keys_start,
29 	.next	= proc_keys_next,
30 	.stop	= proc_keys_stop,
31 	.show	= proc_keys_show,
32 };
33 
34 static const struct file_operations proc_keys_fops = {
35 	.open		= proc_keys_open,
36 	.read		= seq_read,
37 	.llseek		= seq_lseek,
38 	.release	= seq_release,
39 };
40 
41 static int proc_key_users_open(struct inode *inode, struct file *file);
42 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos);
43 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos);
44 static void proc_key_users_stop(struct seq_file *p, void *v);
45 static int proc_key_users_show(struct seq_file *m, void *v);
46 
47 static const struct seq_operations proc_key_users_ops = {
48 	.start	= proc_key_users_start,
49 	.next	= proc_key_users_next,
50 	.stop	= proc_key_users_stop,
51 	.show	= proc_key_users_show,
52 };
53 
54 static const struct file_operations proc_key_users_fops = {
55 	.open		= proc_key_users_open,
56 	.read		= seq_read,
57 	.llseek		= seq_lseek,
58 	.release	= seq_release,
59 };
60 
61 /*
62  * Declare the /proc files.
63  */
64 static int __init key_proc_init(void)
65 {
66 	struct proc_dir_entry *p;
67 
68 	p = proc_create("keys", 0, NULL, &proc_keys_fops);
69 	if (!p)
70 		panic("Cannot create /proc/keys\n");
71 
72 	p = proc_create("key-users", 0, NULL, &proc_key_users_fops);
73 	if (!p)
74 		panic("Cannot create /proc/key-users\n");
75 
76 	return 0;
77 }
78 
79 __initcall(key_proc_init);
80 
81 /*
82  * Implement "/proc/keys" to provide a list of the keys on the system that
83  * grant View permission to the caller.
84  */
85 static struct rb_node *key_serial_next(struct seq_file *p, struct rb_node *n)
86 {
87 	struct user_namespace *user_ns = seq_user_ns(p);
88 
89 	n = rb_next(n);
90 	while (n) {
91 		struct key *key = rb_entry(n, struct key, serial_node);
92 		if (kuid_has_mapping(user_ns, key->user->uid))
93 			break;
94 		n = rb_next(n);
95 	}
96 	return n;
97 }
98 
99 static int proc_keys_open(struct inode *inode, struct file *file)
100 {
101 	return seq_open(file, &proc_keys_ops);
102 }
103 
104 static struct key *find_ge_key(struct seq_file *p, key_serial_t id)
105 {
106 	struct user_namespace *user_ns = seq_user_ns(p);
107 	struct rb_node *n = key_serial_tree.rb_node;
108 	struct key *minkey = NULL;
109 
110 	while (n) {
111 		struct key *key = rb_entry(n, struct key, serial_node);
112 		if (id < key->serial) {
113 			if (!minkey || minkey->serial > key->serial)
114 				minkey = key;
115 			n = n->rb_left;
116 		} else if (id > key->serial) {
117 			n = n->rb_right;
118 		} else {
119 			minkey = key;
120 			break;
121 		}
122 		key = NULL;
123 	}
124 
125 	if (!minkey)
126 		return NULL;
127 
128 	for (;;) {
129 		if (kuid_has_mapping(user_ns, minkey->user->uid))
130 			return minkey;
131 		n = rb_next(&minkey->serial_node);
132 		if (!n)
133 			return NULL;
134 		minkey = rb_entry(n, struct key, serial_node);
135 	}
136 }
137 
138 static void *proc_keys_start(struct seq_file *p, loff_t *_pos)
139 	__acquires(key_serial_lock)
140 {
141 	key_serial_t pos = *_pos;
142 	struct key *key;
143 
144 	spin_lock(&key_serial_lock);
145 
146 	if (*_pos > INT_MAX)
147 		return NULL;
148 	key = find_ge_key(p, pos);
149 	if (!key)
150 		return NULL;
151 	*_pos = key->serial;
152 	return &key->serial_node;
153 }
154 
155 static inline key_serial_t key_node_serial(struct rb_node *n)
156 {
157 	struct key *key = rb_entry(n, struct key, serial_node);
158 	return key->serial;
159 }
160 
161 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos)
162 {
163 	struct rb_node *n;
164 
165 	n = key_serial_next(p, v);
166 	if (n)
167 		*_pos = key_node_serial(n);
168 	return n;
169 }
170 
171 static void proc_keys_stop(struct seq_file *p, void *v)
172 	__releases(key_serial_lock)
173 {
174 	spin_unlock(&key_serial_lock);
175 }
176 
177 static int proc_keys_show(struct seq_file *m, void *v)
178 {
179 	struct rb_node *_p = v;
180 	struct key *key = rb_entry(_p, struct key, serial_node);
181 	struct timespec now;
182 	unsigned long timo;
183 	key_ref_t key_ref, skey_ref;
184 	char xbuf[16];
185 	int rc;
186 
187 	struct keyring_search_context ctx = {
188 		.index_key.type		= key->type,
189 		.index_key.description	= key->description,
190 		.cred			= m->file->f_cred,
191 		.match_data.cmp		= lookup_user_key_possessed,
192 		.match_data.raw_data	= key,
193 		.match_data.lookup_type	= KEYRING_SEARCH_LOOKUP_DIRECT,
194 		.flags			= KEYRING_SEARCH_NO_STATE_CHECK,
195 	};
196 
197 	key_ref = make_key_ref(key, 0);
198 
199 	/* determine if the key is possessed by this process (a test we can
200 	 * skip if the key does not indicate the possessor can view it
201 	 */
202 	if (key->perm & KEY_POS_VIEW) {
203 		skey_ref = search_my_process_keyrings(&ctx);
204 		if (!IS_ERR(skey_ref)) {
205 			key_ref_put(skey_ref);
206 			key_ref = make_key_ref(key, 1);
207 		}
208 	}
209 
210 	/* check whether the current task is allowed to view the key */
211 	rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW);
212 	if (rc < 0)
213 		return 0;
214 
215 	now = current_kernel_time();
216 
217 	rcu_read_lock();
218 
219 	/* come up with a suitable timeout value */
220 	if (key->expiry == 0) {
221 		memcpy(xbuf, "perm", 5);
222 	} else if (now.tv_sec >= key->expiry) {
223 		memcpy(xbuf, "expd", 5);
224 	} else {
225 		timo = key->expiry - now.tv_sec;
226 
227 		if (timo < 60)
228 			sprintf(xbuf, "%lus", timo);
229 		else if (timo < 60*60)
230 			sprintf(xbuf, "%lum", timo / 60);
231 		else if (timo < 60*60*24)
232 			sprintf(xbuf, "%luh", timo / (60*60));
233 		else if (timo < 60*60*24*7)
234 			sprintf(xbuf, "%lud", timo / (60*60*24));
235 		else
236 			sprintf(xbuf, "%luw", timo / (60*60*24*7));
237 	}
238 
239 #define showflag(KEY, LETTER, FLAG) \
240 	(test_bit(FLAG,	&(KEY)->flags) ? LETTER : '-')
241 
242 	seq_printf(m, "%08x %c%c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ",
243 		   key->serial,
244 		   showflag(key, 'I', KEY_FLAG_INSTANTIATED),
245 		   showflag(key, 'R', KEY_FLAG_REVOKED),
246 		   showflag(key, 'D', KEY_FLAG_DEAD),
247 		   showflag(key, 'Q', KEY_FLAG_IN_QUOTA),
248 		   showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT),
249 		   showflag(key, 'N', KEY_FLAG_NEGATIVE),
250 		   showflag(key, 'i', KEY_FLAG_INVALIDATED),
251 		   refcount_read(&key->usage),
252 		   xbuf,
253 		   key->perm,
254 		   from_kuid_munged(seq_user_ns(m), key->uid),
255 		   from_kgid_munged(seq_user_ns(m), key->gid),
256 		   key->type->name);
257 
258 #undef showflag
259 
260 	if (key->type->describe)
261 		key->type->describe(key, m);
262 	seq_putc(m, '\n');
263 
264 	rcu_read_unlock();
265 	return 0;
266 }
267 
268 static struct rb_node *__key_user_next(struct user_namespace *user_ns, struct rb_node *n)
269 {
270 	while (n) {
271 		struct key_user *user = rb_entry(n, struct key_user, node);
272 		if (kuid_has_mapping(user_ns, user->uid))
273 			break;
274 		n = rb_next(n);
275 	}
276 	return n;
277 }
278 
279 static struct rb_node *key_user_next(struct user_namespace *user_ns, struct rb_node *n)
280 {
281 	return __key_user_next(user_ns, rb_next(n));
282 }
283 
284 static struct rb_node *key_user_first(struct user_namespace *user_ns, struct rb_root *r)
285 {
286 	struct rb_node *n = rb_first(r);
287 	return __key_user_next(user_ns, n);
288 }
289 
290 /*
291  * Implement "/proc/key-users" to provides a list of the key users and their
292  * quotas.
293  */
294 static int proc_key_users_open(struct inode *inode, struct file *file)
295 {
296 	return seq_open(file, &proc_key_users_ops);
297 }
298 
299 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos)
300 	__acquires(key_user_lock)
301 {
302 	struct rb_node *_p;
303 	loff_t pos = *_pos;
304 
305 	spin_lock(&key_user_lock);
306 
307 	_p = key_user_first(seq_user_ns(p), &key_user_tree);
308 	while (pos > 0 && _p) {
309 		pos--;
310 		_p = key_user_next(seq_user_ns(p), _p);
311 	}
312 
313 	return _p;
314 }
315 
316 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos)
317 {
318 	(*_pos)++;
319 	return key_user_next(seq_user_ns(p), (struct rb_node *)v);
320 }
321 
322 static void proc_key_users_stop(struct seq_file *p, void *v)
323 	__releases(key_user_lock)
324 {
325 	spin_unlock(&key_user_lock);
326 }
327 
328 static int proc_key_users_show(struct seq_file *m, void *v)
329 {
330 	struct rb_node *_p = v;
331 	struct key_user *user = rb_entry(_p, struct key_user, node);
332 	unsigned maxkeys = uid_eq(user->uid, GLOBAL_ROOT_UID) ?
333 		key_quota_root_maxkeys : key_quota_maxkeys;
334 	unsigned maxbytes = uid_eq(user->uid, GLOBAL_ROOT_UID) ?
335 		key_quota_root_maxbytes : key_quota_maxbytes;
336 
337 	seq_printf(m, "%5u: %5d %d/%d %d/%d %d/%d\n",
338 		   from_kuid_munged(seq_user_ns(m), user->uid),
339 		   refcount_read(&user->usage),
340 		   atomic_read(&user->nkeys),
341 		   atomic_read(&user->nikeys),
342 		   user->qnkeys,
343 		   maxkeys,
344 		   user->qnbytes,
345 		   maxbytes);
346 
347 	return 0;
348 }
349