1 /* procfs files for key database enumeration 2 * 3 * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/fs.h> 16 #include <linux/proc_fs.h> 17 #include <linux/seq_file.h> 18 #include <asm/errno.h> 19 #include "internal.h" 20 21 static int proc_keys_open(struct inode *inode, struct file *file); 22 static void *proc_keys_start(struct seq_file *p, loff_t *_pos); 23 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos); 24 static void proc_keys_stop(struct seq_file *p, void *v); 25 static int proc_keys_show(struct seq_file *m, void *v); 26 27 static const struct seq_operations proc_keys_ops = { 28 .start = proc_keys_start, 29 .next = proc_keys_next, 30 .stop = proc_keys_stop, 31 .show = proc_keys_show, 32 }; 33 34 static const struct file_operations proc_keys_fops = { 35 .open = proc_keys_open, 36 .read = seq_read, 37 .llseek = seq_lseek, 38 .release = seq_release, 39 }; 40 41 static int proc_key_users_open(struct inode *inode, struct file *file); 42 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos); 43 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos); 44 static void proc_key_users_stop(struct seq_file *p, void *v); 45 static int proc_key_users_show(struct seq_file *m, void *v); 46 47 static const struct seq_operations proc_key_users_ops = { 48 .start = proc_key_users_start, 49 .next = proc_key_users_next, 50 .stop = proc_key_users_stop, 51 .show = proc_key_users_show, 52 }; 53 54 static const struct file_operations proc_key_users_fops = { 55 .open = proc_key_users_open, 56 .read = seq_read, 57 .llseek = seq_lseek, 58 .release = seq_release, 59 }; 60 61 /* 62 * Declare the /proc files. 63 */ 64 static int __init key_proc_init(void) 65 { 66 struct proc_dir_entry *p; 67 68 p = proc_create("keys", 0, NULL, &proc_keys_fops); 69 if (!p) 70 panic("Cannot create /proc/keys\n"); 71 72 p = proc_create("key-users", 0, NULL, &proc_key_users_fops); 73 if (!p) 74 panic("Cannot create /proc/key-users\n"); 75 76 return 0; 77 } 78 79 __initcall(key_proc_init); 80 81 /* 82 * Implement "/proc/keys" to provide a list of the keys on the system that 83 * grant View permission to the caller. 84 */ 85 static struct rb_node *key_serial_next(struct seq_file *p, struct rb_node *n) 86 { 87 struct user_namespace *user_ns = seq_user_ns(p); 88 89 n = rb_next(n); 90 while (n) { 91 struct key *key = rb_entry(n, struct key, serial_node); 92 if (kuid_has_mapping(user_ns, key->user->uid)) 93 break; 94 n = rb_next(n); 95 } 96 return n; 97 } 98 99 static int proc_keys_open(struct inode *inode, struct file *file) 100 { 101 return seq_open(file, &proc_keys_ops); 102 } 103 104 static struct key *find_ge_key(struct seq_file *p, key_serial_t id) 105 { 106 struct user_namespace *user_ns = seq_user_ns(p); 107 struct rb_node *n = key_serial_tree.rb_node; 108 struct key *minkey = NULL; 109 110 while (n) { 111 struct key *key = rb_entry(n, struct key, serial_node); 112 if (id < key->serial) { 113 if (!minkey || minkey->serial > key->serial) 114 minkey = key; 115 n = n->rb_left; 116 } else if (id > key->serial) { 117 n = n->rb_right; 118 } else { 119 minkey = key; 120 break; 121 } 122 key = NULL; 123 } 124 125 if (!minkey) 126 return NULL; 127 128 for (;;) { 129 if (kuid_has_mapping(user_ns, minkey->user->uid)) 130 return minkey; 131 n = rb_next(&minkey->serial_node); 132 if (!n) 133 return NULL; 134 minkey = rb_entry(n, struct key, serial_node); 135 } 136 } 137 138 static void *proc_keys_start(struct seq_file *p, loff_t *_pos) 139 __acquires(key_serial_lock) 140 { 141 key_serial_t pos = *_pos; 142 struct key *key; 143 144 spin_lock(&key_serial_lock); 145 146 if (*_pos > INT_MAX) 147 return NULL; 148 key = find_ge_key(p, pos); 149 if (!key) 150 return NULL; 151 *_pos = key->serial; 152 return &key->serial_node; 153 } 154 155 static inline key_serial_t key_node_serial(struct rb_node *n) 156 { 157 struct key *key = rb_entry(n, struct key, serial_node); 158 return key->serial; 159 } 160 161 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos) 162 { 163 struct rb_node *n; 164 165 n = key_serial_next(p, v); 166 if (n) 167 *_pos = key_node_serial(n); 168 return n; 169 } 170 171 static void proc_keys_stop(struct seq_file *p, void *v) 172 __releases(key_serial_lock) 173 { 174 spin_unlock(&key_serial_lock); 175 } 176 177 static int proc_keys_show(struct seq_file *m, void *v) 178 { 179 struct rb_node *_p = v; 180 struct key *key = rb_entry(_p, struct key, serial_node); 181 unsigned long flags; 182 key_ref_t key_ref, skey_ref; 183 time64_t now, expiry; 184 char xbuf[16]; 185 short state; 186 u64 timo; 187 int rc; 188 189 struct keyring_search_context ctx = { 190 .index_key.type = key->type, 191 .index_key.description = key->description, 192 .cred = m->file->f_cred, 193 .match_data.cmp = lookup_user_key_possessed, 194 .match_data.raw_data = key, 195 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 196 .flags = KEYRING_SEARCH_NO_STATE_CHECK, 197 }; 198 199 key_ref = make_key_ref(key, 0); 200 201 /* determine if the key is possessed by this process (a test we can 202 * skip if the key does not indicate the possessor can view it 203 */ 204 if (key->perm & KEY_POS_VIEW) { 205 skey_ref = search_my_process_keyrings(&ctx); 206 if (!IS_ERR(skey_ref)) { 207 key_ref_put(skey_ref); 208 key_ref = make_key_ref(key, 1); 209 } 210 } 211 212 /* check whether the current task is allowed to view the key */ 213 rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW); 214 if (rc < 0) 215 return 0; 216 217 now = ktime_get_real_seconds(); 218 219 rcu_read_lock(); 220 221 /* come up with a suitable timeout value */ 222 expiry = READ_ONCE(key->expiry); 223 if (expiry == 0) { 224 memcpy(xbuf, "perm", 5); 225 } else if (now >= expiry) { 226 memcpy(xbuf, "expd", 5); 227 } else { 228 timo = expiry - now; 229 230 if (timo < 60) 231 sprintf(xbuf, "%llus", timo); 232 else if (timo < 60*60) 233 sprintf(xbuf, "%llum", div_u64(timo, 60)); 234 else if (timo < 60*60*24) 235 sprintf(xbuf, "%lluh", div_u64(timo, 60 * 60)); 236 else if (timo < 60*60*24*7) 237 sprintf(xbuf, "%llud", div_u64(timo, 60 * 60 * 24)); 238 else 239 sprintf(xbuf, "%lluw", div_u64(timo, 60 * 60 * 24 * 7)); 240 } 241 242 state = key_read_state(key); 243 244 #define showflag(FLAGS, LETTER, FLAG) \ 245 ((FLAGS & (1 << FLAG)) ? LETTER : '-') 246 247 flags = READ_ONCE(key->flags); 248 seq_printf(m, "%08x %c%c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ", 249 key->serial, 250 state != KEY_IS_UNINSTANTIATED ? 'I' : '-', 251 showflag(flags, 'R', KEY_FLAG_REVOKED), 252 showflag(flags, 'D', KEY_FLAG_DEAD), 253 showflag(flags, 'Q', KEY_FLAG_IN_QUOTA), 254 showflag(flags, 'U', KEY_FLAG_USER_CONSTRUCT), 255 state < 0 ? 'N' : '-', 256 showflag(flags, 'i', KEY_FLAG_INVALIDATED), 257 refcount_read(&key->usage), 258 xbuf, 259 key->perm, 260 from_kuid_munged(seq_user_ns(m), key->uid), 261 from_kgid_munged(seq_user_ns(m), key->gid), 262 key->type->name); 263 264 #undef showflag 265 266 if (key->type->describe) 267 key->type->describe(key, m); 268 seq_putc(m, '\n'); 269 270 rcu_read_unlock(); 271 return 0; 272 } 273 274 static struct rb_node *__key_user_next(struct user_namespace *user_ns, struct rb_node *n) 275 { 276 while (n) { 277 struct key_user *user = rb_entry(n, struct key_user, node); 278 if (kuid_has_mapping(user_ns, user->uid)) 279 break; 280 n = rb_next(n); 281 } 282 return n; 283 } 284 285 static struct rb_node *key_user_next(struct user_namespace *user_ns, struct rb_node *n) 286 { 287 return __key_user_next(user_ns, rb_next(n)); 288 } 289 290 static struct rb_node *key_user_first(struct user_namespace *user_ns, struct rb_root *r) 291 { 292 struct rb_node *n = rb_first(r); 293 return __key_user_next(user_ns, n); 294 } 295 296 /* 297 * Implement "/proc/key-users" to provides a list of the key users and their 298 * quotas. 299 */ 300 static int proc_key_users_open(struct inode *inode, struct file *file) 301 { 302 return seq_open(file, &proc_key_users_ops); 303 } 304 305 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos) 306 __acquires(key_user_lock) 307 { 308 struct rb_node *_p; 309 loff_t pos = *_pos; 310 311 spin_lock(&key_user_lock); 312 313 _p = key_user_first(seq_user_ns(p), &key_user_tree); 314 while (pos > 0 && _p) { 315 pos--; 316 _p = key_user_next(seq_user_ns(p), _p); 317 } 318 319 return _p; 320 } 321 322 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos) 323 { 324 (*_pos)++; 325 return key_user_next(seq_user_ns(p), (struct rb_node *)v); 326 } 327 328 static void proc_key_users_stop(struct seq_file *p, void *v) 329 __releases(key_user_lock) 330 { 331 spin_unlock(&key_user_lock); 332 } 333 334 static int proc_key_users_show(struct seq_file *m, void *v) 335 { 336 struct rb_node *_p = v; 337 struct key_user *user = rb_entry(_p, struct key_user, node); 338 unsigned maxkeys = uid_eq(user->uid, GLOBAL_ROOT_UID) ? 339 key_quota_root_maxkeys : key_quota_maxkeys; 340 unsigned maxbytes = uid_eq(user->uid, GLOBAL_ROOT_UID) ? 341 key_quota_root_maxbytes : key_quota_maxbytes; 342 343 seq_printf(m, "%5u: %5d %d/%d %d/%d %d/%d\n", 344 from_kuid_munged(seq_user_ns(m), user->uid), 345 refcount_read(&user->usage), 346 atomic_read(&user->nkeys), 347 atomic_read(&user->nikeys), 348 user->qnkeys, 349 maxkeys, 350 user->qnbytes, 351 maxbytes); 352 353 return 0; 354 } 355