1 /* Management of a process's keyrings 2 * 3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/keyctl.h> 16 #include <linux/fs.h> 17 #include <linux/err.h> 18 #include <linux/mutex.h> 19 #include <linux/security.h> 20 #include <linux/user_namespace.h> 21 #include <asm/uaccess.h> 22 #include "internal.h" 23 24 /* session keyring create vs join semaphore */ 25 static DEFINE_MUTEX(key_session_mutex); 26 27 /* user keyring creation semaphore */ 28 static DEFINE_MUTEX(key_user_keyring_mutex); 29 30 /* the root user's tracking struct */ 31 struct key_user root_key_user = { 32 .usage = ATOMIC_INIT(3), 33 .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock), 34 .lock = __SPIN_LOCK_UNLOCKED(root_key_user.lock), 35 .nkeys = ATOMIC_INIT(2), 36 .nikeys = ATOMIC_INIT(2), 37 .uid = 0, 38 .user_ns = &init_user_ns, 39 }; 40 41 /*****************************************************************************/ 42 /* 43 * install user and user session keyrings for a particular UID 44 */ 45 int install_user_keyrings(void) 46 { 47 struct user_struct *user; 48 const struct cred *cred; 49 struct key *uid_keyring, *session_keyring; 50 char buf[20]; 51 int ret; 52 53 cred = current_cred(); 54 user = cred->user; 55 56 kenter("%p{%u}", user, user->uid); 57 58 if (user->uid_keyring) { 59 kleave(" = 0 [exist]"); 60 return 0; 61 } 62 63 mutex_lock(&key_user_keyring_mutex); 64 ret = 0; 65 66 if (!user->uid_keyring) { 67 /* get the UID-specific keyring 68 * - there may be one in existence already as it may have been 69 * pinned by a session, but the user_struct pointing to it 70 * may have been destroyed by setuid */ 71 sprintf(buf, "_uid.%u", user->uid); 72 73 uid_keyring = find_keyring_by_name(buf, true); 74 if (IS_ERR(uid_keyring)) { 75 uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1, 76 cred, KEY_ALLOC_IN_QUOTA, 77 NULL); 78 if (IS_ERR(uid_keyring)) { 79 ret = PTR_ERR(uid_keyring); 80 goto error; 81 } 82 } 83 84 /* get a default session keyring (which might also exist 85 * already) */ 86 sprintf(buf, "_uid_ses.%u", user->uid); 87 88 session_keyring = find_keyring_by_name(buf, true); 89 if (IS_ERR(session_keyring)) { 90 session_keyring = 91 keyring_alloc(buf, user->uid, (gid_t) -1, 92 cred, KEY_ALLOC_IN_QUOTA, NULL); 93 if (IS_ERR(session_keyring)) { 94 ret = PTR_ERR(session_keyring); 95 goto error_release; 96 } 97 98 /* we install a link from the user session keyring to 99 * the user keyring */ 100 ret = key_link(session_keyring, uid_keyring); 101 if (ret < 0) 102 goto error_release_both; 103 } 104 105 /* install the keyrings */ 106 user->uid_keyring = uid_keyring; 107 user->session_keyring = session_keyring; 108 } 109 110 mutex_unlock(&key_user_keyring_mutex); 111 kleave(" = 0"); 112 return 0; 113 114 error_release_both: 115 key_put(session_keyring); 116 error_release: 117 key_put(uid_keyring); 118 error: 119 mutex_unlock(&key_user_keyring_mutex); 120 kleave(" = %d", ret); 121 return ret; 122 } 123 124 /* 125 * install a fresh thread keyring directly to new credentials 126 */ 127 int install_thread_keyring_to_cred(struct cred *new) 128 { 129 struct key *keyring; 130 131 keyring = keyring_alloc("_tid", new->uid, new->gid, new, 132 KEY_ALLOC_QUOTA_OVERRUN, NULL); 133 if (IS_ERR(keyring)) 134 return PTR_ERR(keyring); 135 136 new->thread_keyring = keyring; 137 return 0; 138 } 139 140 /* 141 * install a fresh thread keyring, discarding the old one 142 */ 143 static int install_thread_keyring(void) 144 { 145 struct cred *new; 146 int ret; 147 148 new = prepare_creds(); 149 if (!new) 150 return -ENOMEM; 151 152 BUG_ON(new->thread_keyring); 153 154 ret = install_thread_keyring_to_cred(new); 155 if (ret < 0) { 156 abort_creds(new); 157 return ret; 158 } 159 160 return commit_creds(new); 161 } 162 163 /* 164 * install a process keyring directly to a credentials struct 165 * - returns -EEXIST if there was already a process keyring, 0 if one installed, 166 * and other -ve on any other error 167 */ 168 int install_process_keyring_to_cred(struct cred *new) 169 { 170 struct key *keyring; 171 int ret; 172 173 if (new->tgcred->process_keyring) 174 return -EEXIST; 175 176 keyring = keyring_alloc("_pid", new->uid, new->gid, 177 new, KEY_ALLOC_QUOTA_OVERRUN, NULL); 178 if (IS_ERR(keyring)) 179 return PTR_ERR(keyring); 180 181 spin_lock_irq(&new->tgcred->lock); 182 if (!new->tgcred->process_keyring) { 183 new->tgcred->process_keyring = keyring; 184 keyring = NULL; 185 ret = 0; 186 } else { 187 ret = -EEXIST; 188 } 189 spin_unlock_irq(&new->tgcred->lock); 190 key_put(keyring); 191 return ret; 192 } 193 194 /* 195 * make sure a process keyring is installed 196 * - we 197 */ 198 static int install_process_keyring(void) 199 { 200 struct cred *new; 201 int ret; 202 203 new = prepare_creds(); 204 if (!new) 205 return -ENOMEM; 206 207 ret = install_process_keyring_to_cred(new); 208 if (ret < 0) { 209 abort_creds(new); 210 return ret != -EEXIST ?: 0; 211 } 212 213 return commit_creds(new); 214 } 215 216 /* 217 * install a session keyring directly to a credentials struct 218 */ 219 int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) 220 { 221 unsigned long flags; 222 struct key *old; 223 224 might_sleep(); 225 226 /* create an empty session keyring */ 227 if (!keyring) { 228 flags = KEY_ALLOC_QUOTA_OVERRUN; 229 if (cred->tgcred->session_keyring) 230 flags = KEY_ALLOC_IN_QUOTA; 231 232 keyring = keyring_alloc("_ses", cred->uid, cred->gid, 233 cred, flags, NULL); 234 if (IS_ERR(keyring)) 235 return PTR_ERR(keyring); 236 } else { 237 atomic_inc(&keyring->usage); 238 } 239 240 /* install the keyring */ 241 spin_lock_irq(&cred->tgcred->lock); 242 old = cred->tgcred->session_keyring; 243 rcu_assign_pointer(cred->tgcred->session_keyring, keyring); 244 spin_unlock_irq(&cred->tgcred->lock); 245 246 /* we're using RCU on the pointer, but there's no point synchronising 247 * on it if it didn't previously point to anything */ 248 if (old) { 249 synchronize_rcu(); 250 key_put(old); 251 } 252 253 return 0; 254 } 255 256 /* 257 * install a session keyring, discarding the old one 258 * - if a keyring is not supplied, an empty one is invented 259 */ 260 static int install_session_keyring(struct key *keyring) 261 { 262 struct cred *new; 263 int ret; 264 265 new = prepare_creds(); 266 if (!new) 267 return -ENOMEM; 268 269 ret = install_session_keyring_to_cred(new, NULL); 270 if (ret < 0) { 271 abort_creds(new); 272 return ret; 273 } 274 275 return commit_creds(new); 276 } 277 278 /*****************************************************************************/ 279 /* 280 * the filesystem user ID changed 281 */ 282 void key_fsuid_changed(struct task_struct *tsk) 283 { 284 /* update the ownership of the thread keyring */ 285 BUG_ON(!tsk->cred); 286 if (tsk->cred->thread_keyring) { 287 down_write(&tsk->cred->thread_keyring->sem); 288 tsk->cred->thread_keyring->uid = tsk->cred->fsuid; 289 up_write(&tsk->cred->thread_keyring->sem); 290 } 291 292 } /* end key_fsuid_changed() */ 293 294 /*****************************************************************************/ 295 /* 296 * the filesystem group ID changed 297 */ 298 void key_fsgid_changed(struct task_struct *tsk) 299 { 300 /* update the ownership of the thread keyring */ 301 BUG_ON(!tsk->cred); 302 if (tsk->cred->thread_keyring) { 303 down_write(&tsk->cred->thread_keyring->sem); 304 tsk->cred->thread_keyring->gid = tsk->cred->fsgid; 305 up_write(&tsk->cred->thread_keyring->sem); 306 } 307 308 } /* end key_fsgid_changed() */ 309 310 /*****************************************************************************/ 311 /* 312 * search the process keyrings for the first matching key 313 * - we use the supplied match function to see if the description (or other 314 * feature of interest) matches 315 * - we return -EAGAIN if we didn't find any matching key 316 * - we return -ENOKEY if we found only negative matching keys 317 */ 318 key_ref_t search_process_keyrings(struct key_type *type, 319 const void *description, 320 key_match_func_t match, 321 const struct cred *cred) 322 { 323 struct request_key_auth *rka; 324 key_ref_t key_ref, ret, err; 325 326 might_sleep(); 327 328 /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were 329 * searchable, but we failed to find a key or we found a negative key; 330 * otherwise we want to return a sample error (probably -EACCES) if 331 * none of the keyrings were searchable 332 * 333 * in terms of priority: success > -ENOKEY > -EAGAIN > other error 334 */ 335 key_ref = NULL; 336 ret = NULL; 337 err = ERR_PTR(-EAGAIN); 338 339 /* search the thread keyring first */ 340 if (cred->thread_keyring) { 341 key_ref = keyring_search_aux( 342 make_key_ref(cred->thread_keyring, 1), 343 cred, type, description, match); 344 if (!IS_ERR(key_ref)) 345 goto found; 346 347 switch (PTR_ERR(key_ref)) { 348 case -EAGAIN: /* no key */ 349 if (ret) 350 break; 351 case -ENOKEY: /* negative key */ 352 ret = key_ref; 353 break; 354 default: 355 err = key_ref; 356 break; 357 } 358 } 359 360 /* search the process keyring second */ 361 if (cred->tgcred->process_keyring) { 362 key_ref = keyring_search_aux( 363 make_key_ref(cred->tgcred->process_keyring, 1), 364 cred, type, description, match); 365 if (!IS_ERR(key_ref)) 366 goto found; 367 368 switch (PTR_ERR(key_ref)) { 369 case -EAGAIN: /* no key */ 370 if (ret) 371 break; 372 case -ENOKEY: /* negative key */ 373 ret = key_ref; 374 break; 375 default: 376 err = key_ref; 377 break; 378 } 379 } 380 381 /* search the session keyring */ 382 if (cred->tgcred->session_keyring) { 383 rcu_read_lock(); 384 key_ref = keyring_search_aux( 385 make_key_ref(rcu_dereference( 386 cred->tgcred->session_keyring), 387 1), 388 cred, type, description, match); 389 rcu_read_unlock(); 390 391 if (!IS_ERR(key_ref)) 392 goto found; 393 394 switch (PTR_ERR(key_ref)) { 395 case -EAGAIN: /* no key */ 396 if (ret) 397 break; 398 case -ENOKEY: /* negative key */ 399 ret = key_ref; 400 break; 401 default: 402 err = key_ref; 403 break; 404 } 405 } 406 /* or search the user-session keyring */ 407 else if (cred->user->session_keyring) { 408 key_ref = keyring_search_aux( 409 make_key_ref(cred->user->session_keyring, 1), 410 cred, type, description, match); 411 if (!IS_ERR(key_ref)) 412 goto found; 413 414 switch (PTR_ERR(key_ref)) { 415 case -EAGAIN: /* no key */ 416 if (ret) 417 break; 418 case -ENOKEY: /* negative key */ 419 ret = key_ref; 420 break; 421 default: 422 err = key_ref; 423 break; 424 } 425 } 426 427 /* if this process has an instantiation authorisation key, then we also 428 * search the keyrings of the process mentioned there 429 * - we don't permit access to request_key auth keys via this method 430 */ 431 if (cred->request_key_auth && 432 cred == current_cred() && 433 type != &key_type_request_key_auth 434 ) { 435 /* defend against the auth key being revoked */ 436 down_read(&cred->request_key_auth->sem); 437 438 if (key_validate(cred->request_key_auth) == 0) { 439 rka = cred->request_key_auth->payload.data; 440 441 key_ref = search_process_keyrings(type, description, 442 match, rka->cred); 443 444 up_read(&cred->request_key_auth->sem); 445 446 if (!IS_ERR(key_ref)) 447 goto found; 448 449 switch (PTR_ERR(key_ref)) { 450 case -EAGAIN: /* no key */ 451 if (ret) 452 break; 453 case -ENOKEY: /* negative key */ 454 ret = key_ref; 455 break; 456 default: 457 err = key_ref; 458 break; 459 } 460 } else { 461 up_read(&cred->request_key_auth->sem); 462 } 463 } 464 465 /* no key - decide on the error we're going to go for */ 466 key_ref = ret ? ret : err; 467 468 found: 469 return key_ref; 470 471 } /* end search_process_keyrings() */ 472 473 /*****************************************************************************/ 474 /* 475 * see if the key we're looking at is the target key 476 */ 477 static int lookup_user_key_possessed(const struct key *key, const void *target) 478 { 479 return key == target; 480 481 } /* end lookup_user_key_possessed() */ 482 483 /*****************************************************************************/ 484 /* 485 * lookup a key given a key ID from userspace with a given permissions mask 486 * - don't create special keyrings unless so requested 487 * - partially constructed keys aren't found unless requested 488 */ 489 key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, 490 key_perm_t perm) 491 { 492 struct request_key_auth *rka; 493 const struct cred *cred; 494 struct key *key; 495 key_ref_t key_ref, skey_ref; 496 int ret; 497 498 try_again: 499 cred = get_current_cred(); 500 key_ref = ERR_PTR(-ENOKEY); 501 502 switch (id) { 503 case KEY_SPEC_THREAD_KEYRING: 504 if (!cred->thread_keyring) { 505 if (!(lflags & KEY_LOOKUP_CREATE)) 506 goto error; 507 508 ret = install_thread_keyring(); 509 if (ret < 0) { 510 key_ref = ERR_PTR(ret); 511 goto error; 512 } 513 goto reget_creds; 514 } 515 516 key = cred->thread_keyring; 517 atomic_inc(&key->usage); 518 key_ref = make_key_ref(key, 1); 519 break; 520 521 case KEY_SPEC_PROCESS_KEYRING: 522 if (!cred->tgcred->process_keyring) { 523 if (!(lflags & KEY_LOOKUP_CREATE)) 524 goto error; 525 526 ret = install_process_keyring(); 527 if (ret < 0) { 528 key_ref = ERR_PTR(ret); 529 goto error; 530 } 531 goto reget_creds; 532 } 533 534 key = cred->tgcred->process_keyring; 535 atomic_inc(&key->usage); 536 key_ref = make_key_ref(key, 1); 537 break; 538 539 case KEY_SPEC_SESSION_KEYRING: 540 if (!cred->tgcred->session_keyring) { 541 /* always install a session keyring upon access if one 542 * doesn't exist yet */ 543 ret = install_user_keyrings(); 544 if (ret < 0) 545 goto error; 546 ret = install_session_keyring( 547 cred->user->session_keyring); 548 549 if (ret < 0) 550 goto error; 551 goto reget_creds; 552 } 553 554 rcu_read_lock(); 555 key = rcu_dereference(cred->tgcred->session_keyring); 556 atomic_inc(&key->usage); 557 rcu_read_unlock(); 558 key_ref = make_key_ref(key, 1); 559 break; 560 561 case KEY_SPEC_USER_KEYRING: 562 if (!cred->user->uid_keyring) { 563 ret = install_user_keyrings(); 564 if (ret < 0) 565 goto error; 566 } 567 568 key = cred->user->uid_keyring; 569 atomic_inc(&key->usage); 570 key_ref = make_key_ref(key, 1); 571 break; 572 573 case KEY_SPEC_USER_SESSION_KEYRING: 574 if (!cred->user->session_keyring) { 575 ret = install_user_keyrings(); 576 if (ret < 0) 577 goto error; 578 } 579 580 key = cred->user->session_keyring; 581 atomic_inc(&key->usage); 582 key_ref = make_key_ref(key, 1); 583 break; 584 585 case KEY_SPEC_GROUP_KEYRING: 586 /* group keyrings are not yet supported */ 587 key_ref = ERR_PTR(-EINVAL); 588 goto error; 589 590 case KEY_SPEC_REQKEY_AUTH_KEY: 591 key = cred->request_key_auth; 592 if (!key) 593 goto error; 594 595 atomic_inc(&key->usage); 596 key_ref = make_key_ref(key, 1); 597 break; 598 599 case KEY_SPEC_REQUESTOR_KEYRING: 600 if (!cred->request_key_auth) 601 goto error; 602 603 down_read(&cred->request_key_auth->sem); 604 if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) { 605 key_ref = ERR_PTR(-EKEYREVOKED); 606 key = NULL; 607 } else { 608 rka = cred->request_key_auth->payload.data; 609 key = rka->dest_keyring; 610 atomic_inc(&key->usage); 611 } 612 up_read(&cred->request_key_auth->sem); 613 if (!key) 614 goto error; 615 key_ref = make_key_ref(key, 1); 616 break; 617 618 default: 619 key_ref = ERR_PTR(-EINVAL); 620 if (id < 1) 621 goto error; 622 623 key = key_lookup(id); 624 if (IS_ERR(key)) { 625 key_ref = ERR_CAST(key); 626 goto error; 627 } 628 629 key_ref = make_key_ref(key, 0); 630 631 /* check to see if we possess the key */ 632 skey_ref = search_process_keyrings(key->type, key, 633 lookup_user_key_possessed, 634 cred); 635 636 if (!IS_ERR(skey_ref)) { 637 key_put(key); 638 key_ref = skey_ref; 639 } 640 641 break; 642 } 643 644 /* unlink does not use the nominated key in any way, so can skip all 645 * the permission checks as it is only concerned with the keyring */ 646 if (lflags & KEY_LOOKUP_FOR_UNLINK) { 647 ret = 0; 648 goto error; 649 } 650 651 if (!(lflags & KEY_LOOKUP_PARTIAL)) { 652 ret = wait_for_key_construction(key, true); 653 switch (ret) { 654 case -ERESTARTSYS: 655 goto invalid_key; 656 default: 657 if (perm) 658 goto invalid_key; 659 case 0: 660 break; 661 } 662 } else if (perm) { 663 ret = key_validate(key); 664 if (ret < 0) 665 goto invalid_key; 666 } 667 668 ret = -EIO; 669 if (!(lflags & KEY_LOOKUP_PARTIAL) && 670 !test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) 671 goto invalid_key; 672 673 /* check the permissions */ 674 ret = key_task_permission(key_ref, cred, perm); 675 if (ret < 0) 676 goto invalid_key; 677 678 error: 679 put_cred(cred); 680 return key_ref; 681 682 invalid_key: 683 key_ref_put(key_ref); 684 key_ref = ERR_PTR(ret); 685 goto error; 686 687 /* if we attempted to install a keyring, then it may have caused new 688 * creds to be installed */ 689 reget_creds: 690 put_cred(cred); 691 goto try_again; 692 693 } /* end lookup_user_key() */ 694 695 /*****************************************************************************/ 696 /* 697 * join the named keyring as the session keyring if possible, or attempt to 698 * create a new one of that name if not 699 * - if the name is NULL, an empty anonymous keyring is installed instead 700 * - named session keyring joining is done with a semaphore held 701 */ 702 long join_session_keyring(const char *name) 703 { 704 const struct cred *old; 705 struct cred *new; 706 struct key *keyring; 707 long ret, serial; 708 709 /* only permit this if there's a single thread in the thread group - 710 * this avoids us having to adjust the creds on all threads and risking 711 * ENOMEM */ 712 if (!current_is_single_threaded()) 713 return -EMLINK; 714 715 new = prepare_creds(); 716 if (!new) 717 return -ENOMEM; 718 old = current_cred(); 719 720 /* if no name is provided, install an anonymous keyring */ 721 if (!name) { 722 ret = install_session_keyring_to_cred(new, NULL); 723 if (ret < 0) 724 goto error; 725 726 serial = new->tgcred->session_keyring->serial; 727 ret = commit_creds(new); 728 if (ret == 0) 729 ret = serial; 730 goto okay; 731 } 732 733 /* allow the user to join or create a named keyring */ 734 mutex_lock(&key_session_mutex); 735 736 /* look for an existing keyring of this name */ 737 keyring = find_keyring_by_name(name, false); 738 if (PTR_ERR(keyring) == -ENOKEY) { 739 /* not found - try and create a new one */ 740 keyring = keyring_alloc(name, old->uid, old->gid, old, 741 KEY_ALLOC_IN_QUOTA, NULL); 742 if (IS_ERR(keyring)) { 743 ret = PTR_ERR(keyring); 744 goto error2; 745 } 746 } else if (IS_ERR(keyring)) { 747 ret = PTR_ERR(keyring); 748 goto error2; 749 } 750 751 /* we've got a keyring - now to install it */ 752 ret = install_session_keyring_to_cred(new, keyring); 753 if (ret < 0) 754 goto error2; 755 756 commit_creds(new); 757 mutex_unlock(&key_session_mutex); 758 759 ret = keyring->serial; 760 key_put(keyring); 761 okay: 762 return ret; 763 764 error2: 765 mutex_unlock(&key_session_mutex); 766 error: 767 abort_creds(new); 768 return ret; 769 } 770 771 /* 772 * Replace a process's session keyring when that process resumes userspace on 773 * behalf of one of its children 774 */ 775 void key_replace_session_keyring(void) 776 { 777 const struct cred *old; 778 struct cred *new; 779 780 if (!current->replacement_session_keyring) 781 return; 782 783 write_lock_irq(&tasklist_lock); 784 new = current->replacement_session_keyring; 785 current->replacement_session_keyring = NULL; 786 write_unlock_irq(&tasklist_lock); 787 788 if (!new) 789 return; 790 791 old = current_cred(); 792 new-> uid = old-> uid; 793 new-> euid = old-> euid; 794 new-> suid = old-> suid; 795 new->fsuid = old->fsuid; 796 new-> gid = old-> gid; 797 new-> egid = old-> egid; 798 new-> sgid = old-> sgid; 799 new->fsgid = old->fsgid; 800 new->user = get_uid(old->user); 801 new->group_info = get_group_info(old->group_info); 802 803 new->securebits = old->securebits; 804 new->cap_inheritable = old->cap_inheritable; 805 new->cap_permitted = old->cap_permitted; 806 new->cap_effective = old->cap_effective; 807 new->cap_bset = old->cap_bset; 808 809 new->jit_keyring = old->jit_keyring; 810 new->thread_keyring = key_get(old->thread_keyring); 811 new->tgcred->tgid = old->tgcred->tgid; 812 new->tgcred->process_keyring = key_get(old->tgcred->process_keyring); 813 814 security_transfer_creds(new, old); 815 816 commit_creds(new); 817 } 818