1 /* Manage a process's keyrings 2 * 3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/init.h> 13 #include <linux/sched.h> 14 #include <linux/sched/user.h> 15 #include <linux/keyctl.h> 16 #include <linux/fs.h> 17 #include <linux/err.h> 18 #include <linux/mutex.h> 19 #include <linux/security.h> 20 #include <linux/user_namespace.h> 21 #include <linux/uaccess.h> 22 #include <linux/init_task.h> 23 #include <keys/request_key_auth-type.h> 24 #include "internal.h" 25 26 /* Session keyring create vs join semaphore */ 27 static DEFINE_MUTEX(key_session_mutex); 28 29 /* The root user's tracking struct */ 30 struct key_user root_key_user = { 31 .usage = REFCOUNT_INIT(3), 32 .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock), 33 .lock = __SPIN_LOCK_UNLOCKED(root_key_user.lock), 34 .nkeys = ATOMIC_INIT(2), 35 .nikeys = ATOMIC_INIT(2), 36 .uid = GLOBAL_ROOT_UID, 37 }; 38 39 static struct key_acl user_reg_keyring_acl = { 40 .usage = REFCOUNT_INIT(1), 41 .possessor_viewable = true, 42 .nr_ace = 2, 43 .aces = { 44 KEY_POSSESSOR_ACE(KEY_ACE_WRITE | KEY_ACE_SEARCH), 45 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ), 46 } 47 }; 48 49 static struct key_acl user_keyring_acl = { 50 .usage = REFCOUNT_INIT(1), 51 .possessor_viewable = true, 52 .nr_ace = 2, 53 .aces = { 54 KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_WRITE | 55 KEY_ACE_SEARCH | KEY_ACE_LINK), 56 KEY_OWNER_ACE(KEY_ACE__PERMS & ~(KEY_ACE_JOIN | KEY_ACE_SET_SECURITY)), 57 } 58 }; 59 60 static struct key_acl session_keyring_acl = { 61 .usage = REFCOUNT_INIT(1), 62 .possessor_viewable = true, 63 .nr_ace = 2, 64 .aces = { 65 KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN), 66 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ), 67 } 68 }; 69 70 static struct key_acl thread_and_process_keyring_acl = { 71 .usage = REFCOUNT_INIT(1), 72 .possessor_viewable = true, 73 .nr_ace = 2, 74 .aces = { 75 KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~(KEY_ACE_JOIN | KEY_ACE_SET_SECURITY)), 76 KEY_OWNER_ACE(KEY_ACE_VIEW), 77 } 78 }; 79 80 /* 81 * Get or create a user register keyring. 82 */ 83 static struct key *get_user_register(struct user_namespace *user_ns) 84 { 85 struct key *reg_keyring = READ_ONCE(user_ns->user_keyring_register); 86 87 if (reg_keyring) 88 return reg_keyring; 89 90 down_write(&user_ns->keyring_sem); 91 92 /* Make sure there's a register keyring. It gets owned by the 93 * user_namespace's owner. 94 */ 95 reg_keyring = user_ns->user_keyring_register; 96 if (!reg_keyring) { 97 reg_keyring = keyring_alloc(".user_reg", 98 user_ns->owner, INVALID_GID, 99 &init_cred, &user_reg_keyring_acl, 100 0, NULL, NULL); 101 if (!IS_ERR(reg_keyring)) 102 smp_store_release(&user_ns->user_keyring_register, 103 reg_keyring); 104 } 105 106 up_write(&user_ns->keyring_sem); 107 108 /* We don't return a ref since the keyring is pinned by the user_ns */ 109 return reg_keyring; 110 } 111 112 /* 113 * Look up the user and user session keyrings for the current process's UID, 114 * creating them if they don't exist. 115 */ 116 int look_up_user_keyrings(struct key **_user_keyring, 117 struct key **_user_session_keyring) 118 { 119 const struct cred *cred = current_cred(); 120 struct user_namespace *user_ns = current_user_ns(); 121 struct key *reg_keyring, *uid_keyring, *session_keyring; 122 key_ref_t uid_keyring_r, session_keyring_r; 123 uid_t uid = from_kuid(user_ns, cred->user->uid); 124 char buf[20]; 125 int ret; 126 127 kenter("%u", uid); 128 129 reg_keyring = get_user_register(user_ns); 130 if (IS_ERR(reg_keyring)) 131 return PTR_ERR(reg_keyring); 132 133 down_write(&user_ns->keyring_sem); 134 ret = 0; 135 136 /* Get the user keyring. Note that there may be one in existence 137 * already as it may have been pinned by a session, but the user_struct 138 * pointing to it may have been destroyed by setuid. 139 */ 140 snprintf(buf, sizeof(buf), "_uid.%u", uid); 141 uid_keyring_r = keyring_search(make_key_ref(reg_keyring, true), 142 &key_type_keyring, buf, false); 143 kdebug("_uid %p", uid_keyring_r); 144 if (uid_keyring_r == ERR_PTR(-EAGAIN)) { 145 uid_keyring = keyring_alloc(buf, cred->user->uid, INVALID_GID, 146 cred, &user_keyring_acl, 147 KEY_ALLOC_UID_KEYRING | 148 KEY_ALLOC_IN_QUOTA, 149 NULL, reg_keyring); 150 if (IS_ERR(uid_keyring)) { 151 ret = PTR_ERR(uid_keyring); 152 goto error; 153 } 154 } else if (IS_ERR(uid_keyring_r)) { 155 ret = PTR_ERR(uid_keyring_r); 156 goto error; 157 } else { 158 uid_keyring = key_ref_to_ptr(uid_keyring_r); 159 } 160 161 /* Get a default session keyring (which might also exist already) */ 162 snprintf(buf, sizeof(buf), "_uid_ses.%u", uid); 163 session_keyring_r = keyring_search(make_key_ref(reg_keyring, true), 164 &key_type_keyring, buf, false); 165 kdebug("_uid_ses %p", session_keyring_r); 166 if (session_keyring_r == ERR_PTR(-EAGAIN)) { 167 session_keyring = keyring_alloc(buf, cred->user->uid, INVALID_GID, 168 cred, &user_keyring_acl, 169 KEY_ALLOC_UID_KEYRING | 170 KEY_ALLOC_IN_QUOTA, 171 NULL, NULL); 172 if (IS_ERR(session_keyring)) { 173 ret = PTR_ERR(session_keyring); 174 goto error_release; 175 } 176 177 /* We install a link from the user session keyring to 178 * the user keyring. 179 */ 180 ret = key_link(session_keyring, uid_keyring); 181 if (ret < 0) 182 goto error_release_session; 183 184 /* And only then link the user-session keyring to the 185 * register. 186 */ 187 ret = key_link(reg_keyring, session_keyring); 188 if (ret < 0) 189 goto error_release_session; 190 } else if (IS_ERR(session_keyring_r)) { 191 ret = PTR_ERR(session_keyring_r); 192 goto error_release; 193 } else { 194 session_keyring = key_ref_to_ptr(session_keyring_r); 195 } 196 197 up_write(&user_ns->keyring_sem); 198 199 if (_user_session_keyring) 200 *_user_session_keyring = session_keyring; 201 else 202 key_put(session_keyring); 203 if (_user_keyring) 204 *_user_keyring = uid_keyring; 205 else 206 key_put(uid_keyring); 207 kleave(" = 0"); 208 return 0; 209 210 error_release_session: 211 key_put(session_keyring); 212 error_release: 213 key_put(uid_keyring); 214 error: 215 up_write(&user_ns->keyring_sem); 216 kleave(" = %d", ret); 217 return ret; 218 } 219 220 /* 221 * Get the user session keyring if it exists, but don't create it if it 222 * doesn't. 223 */ 224 struct key *get_user_session_keyring_rcu(const struct cred *cred) 225 { 226 struct key *reg_keyring = READ_ONCE(cred->user_ns->user_keyring_register); 227 key_ref_t session_keyring_r; 228 char buf[20]; 229 230 struct keyring_search_context ctx = { 231 .index_key.type = &key_type_keyring, 232 .index_key.description = buf, 233 .cred = cred, 234 .match_data.cmp = key_default_cmp, 235 .match_data.raw_data = buf, 236 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 237 .flags = KEYRING_SEARCH_DO_STATE_CHECK, 238 }; 239 240 if (!reg_keyring) 241 return NULL; 242 243 ctx.index_key.desc_len = snprintf(buf, sizeof(buf), "_uid_ses.%u", 244 from_kuid(cred->user_ns, 245 cred->user->uid)); 246 247 session_keyring_r = keyring_search_rcu(make_key_ref(reg_keyring, true), 248 &ctx); 249 if (IS_ERR(session_keyring_r)) 250 return NULL; 251 return key_ref_to_ptr(session_keyring_r); 252 } 253 254 /* 255 * Install a thread keyring to the given credentials struct if it didn't have 256 * one already. This is allowed to overrun the quota. 257 * 258 * Return: 0 if a thread keyring is now present; -errno on failure. 259 */ 260 int install_thread_keyring_to_cred(struct cred *new) 261 { 262 struct key *keyring; 263 264 if (new->thread_keyring) 265 return 0; 266 267 keyring = keyring_alloc("_tid", new->uid, new->gid, new, 268 &thread_and_process_keyring_acl, 269 KEY_ALLOC_QUOTA_OVERRUN, 270 NULL, NULL); 271 if (IS_ERR(keyring)) 272 return PTR_ERR(keyring); 273 274 new->thread_keyring = keyring; 275 return 0; 276 } 277 278 /* 279 * Install a thread keyring to the current task if it didn't have one already. 280 * 281 * Return: 0 if a thread keyring is now present; -errno on failure. 282 */ 283 static int install_thread_keyring(void) 284 { 285 struct cred *new; 286 int ret; 287 288 new = prepare_creds(); 289 if (!new) 290 return -ENOMEM; 291 292 ret = install_thread_keyring_to_cred(new); 293 if (ret < 0) { 294 abort_creds(new); 295 return ret; 296 } 297 298 return commit_creds(new); 299 } 300 301 /* 302 * Install a process keyring to the given credentials struct if it didn't have 303 * one already. This is allowed to overrun the quota. 304 * 305 * Return: 0 if a process keyring is now present; -errno on failure. 306 */ 307 int install_process_keyring_to_cred(struct cred *new) 308 { 309 struct key *keyring; 310 311 if (new->process_keyring) 312 return 0; 313 314 keyring = keyring_alloc("_pid", new->uid, new->gid, new, 315 &thread_and_process_keyring_acl, 316 KEY_ALLOC_QUOTA_OVERRUN, 317 NULL, NULL); 318 if (IS_ERR(keyring)) 319 return PTR_ERR(keyring); 320 321 new->process_keyring = keyring; 322 return 0; 323 } 324 325 /* 326 * Install a process keyring to the current task if it didn't have one already. 327 * 328 * Return: 0 if a process keyring is now present; -errno on failure. 329 */ 330 static int install_process_keyring(void) 331 { 332 struct cred *new; 333 int ret; 334 335 new = prepare_creds(); 336 if (!new) 337 return -ENOMEM; 338 339 ret = install_process_keyring_to_cred(new); 340 if (ret < 0) { 341 abort_creds(new); 342 return ret; 343 } 344 345 return commit_creds(new); 346 } 347 348 /* 349 * Install the given keyring as the session keyring of the given credentials 350 * struct, replacing the existing one if any. If the given keyring is NULL, 351 * then install a new anonymous session keyring. 352 * @cred can not be in use by any task yet. 353 * 354 * Return: 0 on success; -errno on failure. 355 */ 356 int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) 357 { 358 unsigned long flags; 359 struct key *old; 360 361 might_sleep(); 362 363 /* create an empty session keyring */ 364 if (!keyring) { 365 flags = KEY_ALLOC_QUOTA_OVERRUN; 366 if (cred->session_keyring) 367 flags = KEY_ALLOC_IN_QUOTA; 368 369 keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred, 370 &session_keyring_acl, flags, NULL, NULL); 371 if (IS_ERR(keyring)) 372 return PTR_ERR(keyring); 373 } else { 374 __key_get(keyring); 375 } 376 377 /* install the keyring */ 378 old = cred->session_keyring; 379 cred->session_keyring = keyring; 380 381 if (old) 382 key_put(old); 383 384 return 0; 385 } 386 387 /* 388 * Install the given keyring as the session keyring of the current task, 389 * replacing the existing one if any. If the given keyring is NULL, then 390 * install a new anonymous session keyring. 391 * 392 * Return: 0 on success; -errno on failure. 393 */ 394 static int install_session_keyring(struct key *keyring) 395 { 396 struct cred *new; 397 int ret; 398 399 new = prepare_creds(); 400 if (!new) 401 return -ENOMEM; 402 403 ret = install_session_keyring_to_cred(new, keyring); 404 if (ret < 0) { 405 abort_creds(new); 406 return ret; 407 } 408 409 return commit_creds(new); 410 } 411 412 /* 413 * Handle the fsuid changing. 414 */ 415 void key_fsuid_changed(struct cred *new_cred) 416 { 417 /* update the ownership of the thread keyring */ 418 if (new_cred->thread_keyring) { 419 down_write(&new_cred->thread_keyring->sem); 420 new_cred->thread_keyring->uid = new_cred->fsuid; 421 up_write(&new_cred->thread_keyring->sem); 422 } 423 } 424 425 /* 426 * Handle the fsgid changing. 427 */ 428 void key_fsgid_changed(struct cred *new_cred) 429 { 430 /* update the ownership of the thread keyring */ 431 if (new_cred->thread_keyring) { 432 down_write(&new_cred->thread_keyring->sem); 433 new_cred->thread_keyring->gid = new_cred->fsgid; 434 up_write(&new_cred->thread_keyring->sem); 435 } 436 } 437 438 /* 439 * Search the process keyrings attached to the supplied cred for the first 440 * matching key under RCU conditions (the caller must be holding the RCU read 441 * lock). 442 * 443 * The search criteria are the type and the match function. The description is 444 * given to the match function as a parameter, but doesn't otherwise influence 445 * the search. Typically the match function will compare the description 446 * parameter to the key's description. 447 * 448 * This can only search keyrings that grant Search permission to the supplied 449 * credentials. Keyrings linked to searched keyrings will also be searched if 450 * they grant Search permission too. Keys can only be found if they grant 451 * Search permission to the credentials. 452 * 453 * Returns a pointer to the key with the key usage count incremented if 454 * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only 455 * matched negative keys. 456 * 457 * In the case of a successful return, the possession attribute is set on the 458 * returned key reference. 459 */ 460 key_ref_t search_cred_keyrings_rcu(struct keyring_search_context *ctx) 461 { 462 struct key *user_session; 463 key_ref_t key_ref, ret, err; 464 const struct cred *cred = ctx->cred; 465 466 /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were 467 * searchable, but we failed to find a key or we found a negative key; 468 * otherwise we want to return a sample error (probably -EACCES) if 469 * none of the keyrings were searchable 470 * 471 * in terms of priority: success > -ENOKEY > -EAGAIN > other error 472 */ 473 key_ref = NULL; 474 ret = NULL; 475 err = ERR_PTR(-EAGAIN); 476 477 /* search the thread keyring first */ 478 if (cred->thread_keyring) { 479 key_ref = keyring_search_rcu( 480 make_key_ref(cred->thread_keyring, 1), ctx); 481 if (!IS_ERR(key_ref)) 482 goto found; 483 484 switch (PTR_ERR(key_ref)) { 485 case -EAGAIN: /* no key */ 486 case -ENOKEY: /* negative key */ 487 ret = key_ref; 488 break; 489 default: 490 err = key_ref; 491 break; 492 } 493 } 494 495 /* search the process keyring second */ 496 if (cred->process_keyring) { 497 key_ref = keyring_search_rcu( 498 make_key_ref(cred->process_keyring, 1), ctx); 499 if (!IS_ERR(key_ref)) 500 goto found; 501 502 switch (PTR_ERR(key_ref)) { 503 case -EAGAIN: /* no key */ 504 if (ret) 505 break; 506 /* fall through */ 507 case -ENOKEY: /* negative key */ 508 ret = key_ref; 509 break; 510 default: 511 err = key_ref; 512 break; 513 } 514 } 515 516 /* search the session keyring */ 517 if (cred->session_keyring) { 518 key_ref = keyring_search_rcu( 519 make_key_ref(cred->session_keyring, 1), ctx); 520 521 if (!IS_ERR(key_ref)) 522 goto found; 523 524 switch (PTR_ERR(key_ref)) { 525 case -EAGAIN: /* no key */ 526 if (ret) 527 break; 528 /* fall through */ 529 case -ENOKEY: /* negative key */ 530 ret = key_ref; 531 break; 532 default: 533 err = key_ref; 534 break; 535 } 536 } 537 /* or search the user-session keyring */ 538 else if ((user_session = get_user_session_keyring_rcu(cred))) { 539 key_ref = keyring_search_rcu(make_key_ref(user_session, 1), 540 ctx); 541 key_put(user_session); 542 543 if (!IS_ERR(key_ref)) 544 goto found; 545 546 switch (PTR_ERR(key_ref)) { 547 case -EAGAIN: /* no key */ 548 if (ret) 549 break; 550 /* fall through */ 551 case -ENOKEY: /* negative key */ 552 ret = key_ref; 553 break; 554 default: 555 err = key_ref; 556 break; 557 } 558 } 559 560 /* no key - decide on the error we're going to go for */ 561 key_ref = ret ? ret : err; 562 563 found: 564 return key_ref; 565 } 566 567 /* 568 * Search the process keyrings attached to the supplied cred for the first 569 * matching key in the manner of search_my_process_keyrings(), but also search 570 * the keys attached to the assumed authorisation key using its credentials if 571 * one is available. 572 * 573 * The caller must be holding the RCU read lock. 574 * 575 * Return same as search_cred_keyrings_rcu(). 576 */ 577 key_ref_t search_process_keyrings_rcu(struct keyring_search_context *ctx) 578 { 579 struct request_key_auth *rka; 580 key_ref_t key_ref, ret = ERR_PTR(-EACCES), err; 581 582 key_ref = search_cred_keyrings_rcu(ctx); 583 if (!IS_ERR(key_ref)) 584 goto found; 585 err = key_ref; 586 587 /* if this process has an instantiation authorisation key, then we also 588 * search the keyrings of the process mentioned there 589 * - we don't permit access to request_key auth keys via this method 590 */ 591 if (ctx->cred->request_key_auth && 592 ctx->cred == current_cred() && 593 ctx->index_key.type != &key_type_request_key_auth 594 ) { 595 const struct cred *cred = ctx->cred; 596 597 if (key_validate(cred->request_key_auth) == 0) { 598 rka = ctx->cred->request_key_auth->payload.data[0]; 599 600 //// was search_process_keyrings() [ie. recursive] 601 ctx->cred = rka->cred; 602 key_ref = search_cred_keyrings_rcu(ctx); 603 ctx->cred = cred; 604 605 if (!IS_ERR(key_ref)) 606 goto found; 607 ret = key_ref; 608 } 609 } 610 611 /* no key - decide on the error we're going to go for */ 612 if (err == ERR_PTR(-ENOKEY) || ret == ERR_PTR(-ENOKEY)) 613 key_ref = ERR_PTR(-ENOKEY); 614 else if (err == ERR_PTR(-EACCES)) 615 key_ref = ret; 616 else 617 key_ref = err; 618 619 found: 620 return key_ref; 621 } 622 /* 623 * See if the key we're looking at is the target key. 624 */ 625 bool lookup_user_key_possessed(const struct key *key, 626 const struct key_match_data *match_data) 627 { 628 return key == match_data->raw_data; 629 } 630 631 /* 632 * Look up a key ID given us by userspace with a given permissions mask to get 633 * the key it refers to. 634 * 635 * Flags can be passed to request that special keyrings be created if referred 636 * to directly, to permit partially constructed keys to be found and to skip 637 * validity and permission checks on the found key. 638 * 639 * Returns a pointer to the key with an incremented usage count if successful; 640 * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond 641 * to a key or the best found key was a negative key; -EKEYREVOKED or 642 * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the 643 * found key doesn't grant the requested permit or the LSM denied access to it; 644 * or -ENOMEM if a special keyring couldn't be created. 645 * 646 * In the case of a successful return, the possession attribute is set on the 647 * returned key reference. 648 */ 649 key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, 650 unsigned int desired_perm) 651 { 652 struct keyring_search_context ctx = { 653 .match_data.cmp = lookup_user_key_possessed, 654 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 655 .flags = (KEYRING_SEARCH_NO_STATE_CHECK | 656 KEYRING_SEARCH_RECURSE), 657 }; 658 struct request_key_auth *rka; 659 struct key *key, *user_session; 660 key_ref_t key_ref, skey_ref; 661 int ret; 662 663 try_again: 664 ctx.cred = get_current_cred(); 665 key_ref = ERR_PTR(-ENOKEY); 666 667 switch (id) { 668 case KEY_SPEC_THREAD_KEYRING: 669 if (!ctx.cred->thread_keyring) { 670 if (!(lflags & KEY_LOOKUP_CREATE)) 671 goto error; 672 673 ret = install_thread_keyring(); 674 if (ret < 0) { 675 key_ref = ERR_PTR(ret); 676 goto error; 677 } 678 goto reget_creds; 679 } 680 681 key = ctx.cred->thread_keyring; 682 __key_get(key); 683 key_ref = make_key_ref(key, 1); 684 break; 685 686 case KEY_SPEC_PROCESS_KEYRING: 687 if (!ctx.cred->process_keyring) { 688 if (!(lflags & KEY_LOOKUP_CREATE)) 689 goto error; 690 691 ret = install_process_keyring(); 692 if (ret < 0) { 693 key_ref = ERR_PTR(ret); 694 goto error; 695 } 696 goto reget_creds; 697 } 698 699 key = ctx.cred->process_keyring; 700 __key_get(key); 701 key_ref = make_key_ref(key, 1); 702 break; 703 704 case KEY_SPEC_SESSION_KEYRING: 705 if (!ctx.cred->session_keyring) { 706 /* always install a session keyring upon access if one 707 * doesn't exist yet */ 708 ret = look_up_user_keyrings(NULL, &user_session); 709 if (ret < 0) 710 goto error; 711 if (lflags & KEY_LOOKUP_CREATE) 712 ret = join_session_keyring(NULL); 713 else 714 ret = install_session_keyring(user_session); 715 716 key_put(user_session); 717 if (ret < 0) 718 goto error; 719 goto reget_creds; 720 } else if (test_bit(KEY_FLAG_UID_KEYRING, 721 &ctx.cred->session_keyring->flags) && 722 lflags & KEY_LOOKUP_CREATE) { 723 ret = join_session_keyring(NULL); 724 if (ret < 0) 725 goto error; 726 goto reget_creds; 727 } 728 729 key = ctx.cred->session_keyring; 730 __key_get(key); 731 key_ref = make_key_ref(key, 1); 732 break; 733 734 case KEY_SPEC_USER_KEYRING: 735 ret = look_up_user_keyrings(&key, NULL); 736 if (ret < 0) 737 goto error; 738 key_ref = make_key_ref(key, 1); 739 break; 740 741 case KEY_SPEC_USER_SESSION_KEYRING: 742 ret = look_up_user_keyrings(NULL, &key); 743 if (ret < 0) 744 goto error; 745 key_ref = make_key_ref(key, 1); 746 break; 747 748 case KEY_SPEC_GROUP_KEYRING: 749 /* group keyrings are not yet supported */ 750 key_ref = ERR_PTR(-EINVAL); 751 goto error; 752 753 case KEY_SPEC_REQKEY_AUTH_KEY: 754 key = ctx.cred->request_key_auth; 755 if (!key) 756 goto error; 757 758 __key_get(key); 759 key_ref = make_key_ref(key, 1); 760 break; 761 762 case KEY_SPEC_REQUESTOR_KEYRING: 763 if (!ctx.cred->request_key_auth) 764 goto error; 765 766 down_read(&ctx.cred->request_key_auth->sem); 767 if (test_bit(KEY_FLAG_REVOKED, 768 &ctx.cred->request_key_auth->flags)) { 769 key_ref = ERR_PTR(-EKEYREVOKED); 770 key = NULL; 771 } else { 772 rka = ctx.cred->request_key_auth->payload.data[0]; 773 key = rka->dest_keyring; 774 __key_get(key); 775 } 776 up_read(&ctx.cred->request_key_auth->sem); 777 if (!key) 778 goto error; 779 key_ref = make_key_ref(key, 1); 780 break; 781 782 default: 783 key_ref = ERR_PTR(-EINVAL); 784 if (id < 1) 785 goto error; 786 787 key = key_lookup(id); 788 if (IS_ERR(key)) { 789 key_ref = ERR_CAST(key); 790 goto error; 791 } 792 793 key_ref = make_key_ref(key, 0); 794 795 /* check to see if we possess the key */ 796 ctx.index_key = key->index_key; 797 ctx.match_data.raw_data = key; 798 kdebug("check possessed"); 799 rcu_read_lock(); 800 skey_ref = search_process_keyrings_rcu(&ctx); 801 rcu_read_unlock(); 802 kdebug("possessed=%p", skey_ref); 803 804 if (!IS_ERR(skey_ref)) { 805 key_put(key); 806 key_ref = skey_ref; 807 } 808 809 break; 810 } 811 812 /* unlink does not use the nominated key in any way, so can skip all 813 * the permission checks as it is only concerned with the keyring */ 814 if (lflags & KEY_LOOKUP_FOR_UNLINK) { 815 ret = 0; 816 goto error; 817 } 818 819 if (!(lflags & KEY_LOOKUP_PARTIAL)) { 820 ret = wait_for_key_construction(key, true); 821 switch (ret) { 822 case -ERESTARTSYS: 823 goto invalid_key; 824 default: 825 if (desired_perm) 826 goto invalid_key; 827 case 0: 828 break; 829 } 830 } else if (desired_perm) { 831 ret = key_validate(key); 832 if (ret < 0) 833 goto invalid_key; 834 } 835 836 ret = -EIO; 837 if (!(lflags & KEY_LOOKUP_PARTIAL) && 838 key_read_state(key) == KEY_IS_UNINSTANTIATED) 839 goto invalid_key; 840 841 /* check the permissions */ 842 if (desired_perm) { 843 ret = key_task_permission(key_ref, ctx.cred, desired_perm); 844 if (ret < 0) 845 goto invalid_key; 846 } 847 848 key->last_used_at = ktime_get_real_seconds(); 849 850 error: 851 put_cred(ctx.cred); 852 return key_ref; 853 854 invalid_key: 855 key_ref_put(key_ref); 856 key_ref = ERR_PTR(ret); 857 goto error; 858 859 /* if we attempted to install a keyring, then it may have caused new 860 * creds to be installed */ 861 reget_creds: 862 put_cred(ctx.cred); 863 goto try_again; 864 } 865 EXPORT_SYMBOL(lookup_user_key); 866 867 /* 868 * Join the named keyring as the session keyring if possible else attempt to 869 * create a new one of that name and join that. 870 * 871 * If the name is NULL, an empty anonymous keyring will be installed as the 872 * session keyring. 873 * 874 * Named session keyrings are joined with a semaphore held to prevent the 875 * keyrings from going away whilst the attempt is made to going them and also 876 * to prevent a race in creating compatible session keyrings. 877 */ 878 long join_session_keyring(const char *name) 879 { 880 const struct cred *old; 881 struct cred *new; 882 struct key *keyring; 883 long ret, serial; 884 885 new = prepare_creds(); 886 if (!new) 887 return -ENOMEM; 888 old = current_cred(); 889 890 /* if no name is provided, install an anonymous keyring */ 891 if (!name) { 892 ret = install_session_keyring_to_cred(new, NULL); 893 if (ret < 0) 894 goto error; 895 896 serial = new->session_keyring->serial; 897 ret = commit_creds(new); 898 if (ret == 0) 899 ret = serial; 900 goto okay; 901 } 902 903 /* allow the user to join or create a named keyring */ 904 mutex_lock(&key_session_mutex); 905 906 /* look for an existing keyring of this name */ 907 keyring = find_keyring_by_name(name, false); 908 if (PTR_ERR(keyring) == -ENOKEY) { 909 /* not found - try and create a new one */ 910 keyring = keyring_alloc( 911 name, old->uid, old->gid, old, &joinable_keyring_acl, 912 KEY_ALLOC_IN_QUOTA, NULL, NULL); 913 if (IS_ERR(keyring)) { 914 ret = PTR_ERR(keyring); 915 goto error2; 916 } 917 goto no_perm_test; 918 } else if (IS_ERR(keyring)) { 919 ret = PTR_ERR(keyring); 920 goto error2; 921 } else if (keyring == new->session_keyring) { 922 ret = 0; 923 goto error3; 924 } 925 926 ret = key_task_permission(make_key_ref(keyring, false), old, 927 KEY_NEED_JOIN); 928 if (ret < 0) 929 goto error3; 930 931 no_perm_test: 932 /* we've got a keyring - now to install it */ 933 ret = install_session_keyring_to_cred(new, keyring); 934 if (ret < 0) 935 goto error3; 936 937 commit_creds(new); 938 mutex_unlock(&key_session_mutex); 939 940 ret = keyring->serial; 941 key_put(keyring); 942 okay: 943 return ret; 944 945 error3: 946 key_put(keyring); 947 error2: 948 mutex_unlock(&key_session_mutex); 949 error: 950 abort_creds(new); 951 return ret; 952 } 953 954 /* 955 * Replace a process's session keyring on behalf of one of its children when 956 * the target process is about to resume userspace execution. 957 */ 958 void key_change_session_keyring(struct callback_head *twork) 959 { 960 const struct cred *old = current_cred(); 961 struct cred *new = container_of(twork, struct cred, rcu); 962 963 if (unlikely(current->flags & PF_EXITING)) { 964 put_cred(new); 965 return; 966 } 967 968 new-> uid = old-> uid; 969 new-> euid = old-> euid; 970 new-> suid = old-> suid; 971 new->fsuid = old->fsuid; 972 new-> gid = old-> gid; 973 new-> egid = old-> egid; 974 new-> sgid = old-> sgid; 975 new->fsgid = old->fsgid; 976 new->user = get_uid(old->user); 977 new->user_ns = get_user_ns(old->user_ns); 978 new->group_info = get_group_info(old->group_info); 979 980 new->securebits = old->securebits; 981 new->cap_inheritable = old->cap_inheritable; 982 new->cap_permitted = old->cap_permitted; 983 new->cap_effective = old->cap_effective; 984 new->cap_ambient = old->cap_ambient; 985 new->cap_bset = old->cap_bset; 986 987 new->jit_keyring = old->jit_keyring; 988 new->thread_keyring = key_get(old->thread_keyring); 989 new->process_keyring = key_get(old->process_keyring); 990 991 security_transfer_creds(new, old); 992 993 commit_creds(new); 994 } 995 996 /* 997 * Make sure that root's user and user-session keyrings exist. 998 */ 999 static int __init init_root_keyring(void) 1000 { 1001 return look_up_user_keyrings(NULL, NULL); 1002 } 1003 1004 late_initcall(init_root_keyring); 1005