xref: /openbmc/linux/security/keys/process_keys.c (revision ae40e94f)
1 /* Manage a process's keyrings
2  *
3  * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11 
12 #include <linux/init.h>
13 #include <linux/sched.h>
14 #include <linux/sched/user.h>
15 #include <linux/keyctl.h>
16 #include <linux/fs.h>
17 #include <linux/err.h>
18 #include <linux/mutex.h>
19 #include <linux/security.h>
20 #include <linux/user_namespace.h>
21 #include <linux/uaccess.h>
22 #include <keys/request_key_auth-type.h>
23 #include "internal.h"
24 
25 /* Session keyring create vs join semaphore */
26 static DEFINE_MUTEX(key_session_mutex);
27 
28 /* User keyring creation semaphore */
29 static DEFINE_MUTEX(key_user_keyring_mutex);
30 
31 /* The root user's tracking struct */
32 struct key_user root_key_user = {
33 	.usage		= REFCOUNT_INIT(3),
34 	.cons_lock	= __MUTEX_INITIALIZER(root_key_user.cons_lock),
35 	.lock		= __SPIN_LOCK_UNLOCKED(root_key_user.lock),
36 	.nkeys		= ATOMIC_INIT(2),
37 	.nikeys		= ATOMIC_INIT(2),
38 	.uid		= GLOBAL_ROOT_UID,
39 };
40 
41 /*
42  * Install the user and user session keyrings for the current process's UID.
43  */
44 int install_user_keyrings(void)
45 {
46 	struct user_struct *user;
47 	const struct cred *cred;
48 	struct key *uid_keyring, *session_keyring;
49 	key_perm_t user_keyring_perm;
50 	char buf[20];
51 	int ret;
52 	uid_t uid;
53 
54 	user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
55 	cred = current_cred();
56 	user = cred->user;
57 	uid = from_kuid(cred->user_ns, user->uid);
58 
59 	kenter("%p{%u}", user, uid);
60 
61 	if (user->uid_keyring && user->session_keyring) {
62 		kleave(" = 0 [exist]");
63 		return 0;
64 	}
65 
66 	mutex_lock(&key_user_keyring_mutex);
67 	ret = 0;
68 
69 	if (!user->uid_keyring) {
70 		/* get the UID-specific keyring
71 		 * - there may be one in existence already as it may have been
72 		 *   pinned by a session, but the user_struct pointing to it
73 		 *   may have been destroyed by setuid */
74 		sprintf(buf, "_uid.%u", uid);
75 
76 		uid_keyring = find_keyring_by_name(buf, true);
77 		if (IS_ERR(uid_keyring)) {
78 			uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
79 						    cred, user_keyring_perm,
80 						    KEY_ALLOC_UID_KEYRING |
81 							KEY_ALLOC_IN_QUOTA,
82 						    NULL, NULL);
83 			if (IS_ERR(uid_keyring)) {
84 				ret = PTR_ERR(uid_keyring);
85 				goto error;
86 			}
87 		}
88 
89 		/* get a default session keyring (which might also exist
90 		 * already) */
91 		sprintf(buf, "_uid_ses.%u", uid);
92 
93 		session_keyring = find_keyring_by_name(buf, true);
94 		if (IS_ERR(session_keyring)) {
95 			session_keyring =
96 				keyring_alloc(buf, user->uid, INVALID_GID,
97 					      cred, user_keyring_perm,
98 					      KEY_ALLOC_UID_KEYRING |
99 						  KEY_ALLOC_IN_QUOTA,
100 					      NULL, NULL);
101 			if (IS_ERR(session_keyring)) {
102 				ret = PTR_ERR(session_keyring);
103 				goto error_release;
104 			}
105 
106 			/* we install a link from the user session keyring to
107 			 * the user keyring */
108 			ret = key_link(session_keyring, uid_keyring);
109 			if (ret < 0)
110 				goto error_release_both;
111 		}
112 
113 		/* install the keyrings */
114 		user->uid_keyring = uid_keyring;
115 		user->session_keyring = session_keyring;
116 	}
117 
118 	mutex_unlock(&key_user_keyring_mutex);
119 	kleave(" = 0");
120 	return 0;
121 
122 error_release_both:
123 	key_put(session_keyring);
124 error_release:
125 	key_put(uid_keyring);
126 error:
127 	mutex_unlock(&key_user_keyring_mutex);
128 	kleave(" = %d", ret);
129 	return ret;
130 }
131 
132 /*
133  * Install a thread keyring to the given credentials struct if it didn't have
134  * one already.  This is allowed to overrun the quota.
135  *
136  * Return: 0 if a thread keyring is now present; -errno on failure.
137  */
138 int install_thread_keyring_to_cred(struct cred *new)
139 {
140 	struct key *keyring;
141 
142 	if (new->thread_keyring)
143 		return 0;
144 
145 	keyring = keyring_alloc("_tid", new->uid, new->gid, new,
146 				KEY_POS_ALL | KEY_USR_VIEW,
147 				KEY_ALLOC_QUOTA_OVERRUN,
148 				NULL, NULL);
149 	if (IS_ERR(keyring))
150 		return PTR_ERR(keyring);
151 
152 	new->thread_keyring = keyring;
153 	return 0;
154 }
155 
156 /*
157  * Install a thread keyring to the current task if it didn't have one already.
158  *
159  * Return: 0 if a thread keyring is now present; -errno on failure.
160  */
161 static int install_thread_keyring(void)
162 {
163 	struct cred *new;
164 	int ret;
165 
166 	new = prepare_creds();
167 	if (!new)
168 		return -ENOMEM;
169 
170 	ret = install_thread_keyring_to_cred(new);
171 	if (ret < 0) {
172 		abort_creds(new);
173 		return ret;
174 	}
175 
176 	return commit_creds(new);
177 }
178 
179 /*
180  * Install a process keyring to the given credentials struct if it didn't have
181  * one already.  This is allowed to overrun the quota.
182  *
183  * Return: 0 if a process keyring is now present; -errno on failure.
184  */
185 int install_process_keyring_to_cred(struct cred *new)
186 {
187 	struct key *keyring;
188 
189 	if (new->process_keyring)
190 		return 0;
191 
192 	keyring = keyring_alloc("_pid", new->uid, new->gid, new,
193 				KEY_POS_ALL | KEY_USR_VIEW,
194 				KEY_ALLOC_QUOTA_OVERRUN,
195 				NULL, NULL);
196 	if (IS_ERR(keyring))
197 		return PTR_ERR(keyring);
198 
199 	new->process_keyring = keyring;
200 	return 0;
201 }
202 
203 /*
204  * Install a process keyring to the current task if it didn't have one already.
205  *
206  * Return: 0 if a process keyring is now present; -errno on failure.
207  */
208 static int install_process_keyring(void)
209 {
210 	struct cred *new;
211 	int ret;
212 
213 	new = prepare_creds();
214 	if (!new)
215 		return -ENOMEM;
216 
217 	ret = install_process_keyring_to_cred(new);
218 	if (ret < 0) {
219 		abort_creds(new);
220 		return ret;
221 	}
222 
223 	return commit_creds(new);
224 }
225 
226 /*
227  * Install the given keyring as the session keyring of the given credentials
228  * struct, replacing the existing one if any.  If the given keyring is NULL,
229  * then install a new anonymous session keyring.
230  *
231  * Return: 0 on success; -errno on failure.
232  */
233 int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
234 {
235 	unsigned long flags;
236 	struct key *old;
237 
238 	might_sleep();
239 
240 	/* create an empty session keyring */
241 	if (!keyring) {
242 		flags = KEY_ALLOC_QUOTA_OVERRUN;
243 		if (cred->session_keyring)
244 			flags = KEY_ALLOC_IN_QUOTA;
245 
246 		keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred,
247 					KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
248 					flags, NULL, NULL);
249 		if (IS_ERR(keyring))
250 			return PTR_ERR(keyring);
251 	} else {
252 		__key_get(keyring);
253 	}
254 
255 	/* install the keyring */
256 	old = cred->session_keyring;
257 	rcu_assign_pointer(cred->session_keyring, keyring);
258 
259 	if (old)
260 		key_put(old);
261 
262 	return 0;
263 }
264 
265 /*
266  * Install the given keyring as the session keyring of the current task,
267  * replacing the existing one if any.  If the given keyring is NULL, then
268  * install a new anonymous session keyring.
269  *
270  * Return: 0 on success; -errno on failure.
271  */
272 static int install_session_keyring(struct key *keyring)
273 {
274 	struct cred *new;
275 	int ret;
276 
277 	new = prepare_creds();
278 	if (!new)
279 		return -ENOMEM;
280 
281 	ret = install_session_keyring_to_cred(new, keyring);
282 	if (ret < 0) {
283 		abort_creds(new);
284 		return ret;
285 	}
286 
287 	return commit_creds(new);
288 }
289 
290 /*
291  * Handle the fsuid changing.
292  */
293 void key_fsuid_changed(struct task_struct *tsk)
294 {
295 	/* update the ownership of the thread keyring */
296 	BUG_ON(!tsk->cred);
297 	if (tsk->cred->thread_keyring) {
298 		down_write(&tsk->cred->thread_keyring->sem);
299 		tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
300 		up_write(&tsk->cred->thread_keyring->sem);
301 	}
302 }
303 
304 /*
305  * Handle the fsgid changing.
306  */
307 void key_fsgid_changed(struct task_struct *tsk)
308 {
309 	/* update the ownership of the thread keyring */
310 	BUG_ON(!tsk->cred);
311 	if (tsk->cred->thread_keyring) {
312 		down_write(&tsk->cred->thread_keyring->sem);
313 		tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
314 		up_write(&tsk->cred->thread_keyring->sem);
315 	}
316 }
317 
318 /*
319  * Search the process keyrings attached to the supplied cred for the first
320  * matching key.
321  *
322  * The search criteria are the type and the match function.  The description is
323  * given to the match function as a parameter, but doesn't otherwise influence
324  * the search.  Typically the match function will compare the description
325  * parameter to the key's description.
326  *
327  * This can only search keyrings that grant Search permission to the supplied
328  * credentials.  Keyrings linked to searched keyrings will also be searched if
329  * they grant Search permission too.  Keys can only be found if they grant
330  * Search permission to the credentials.
331  *
332  * Returns a pointer to the key with the key usage count incremented if
333  * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only
334  * matched negative keys.
335  *
336  * In the case of a successful return, the possession attribute is set on the
337  * returned key reference.
338  */
339 key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx)
340 {
341 	key_ref_t key_ref, ret, err;
342 
343 	/* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
344 	 * searchable, but we failed to find a key or we found a negative key;
345 	 * otherwise we want to return a sample error (probably -EACCES) if
346 	 * none of the keyrings were searchable
347 	 *
348 	 * in terms of priority: success > -ENOKEY > -EAGAIN > other error
349 	 */
350 	key_ref = NULL;
351 	ret = NULL;
352 	err = ERR_PTR(-EAGAIN);
353 
354 	/* search the thread keyring first */
355 	if (ctx->cred->thread_keyring) {
356 		key_ref = keyring_search_aux(
357 			make_key_ref(ctx->cred->thread_keyring, 1), ctx);
358 		if (!IS_ERR(key_ref))
359 			goto found;
360 
361 		switch (PTR_ERR(key_ref)) {
362 		case -EAGAIN: /* no key */
363 		case -ENOKEY: /* negative key */
364 			ret = key_ref;
365 			break;
366 		default:
367 			err = key_ref;
368 			break;
369 		}
370 	}
371 
372 	/* search the process keyring second */
373 	if (ctx->cred->process_keyring) {
374 		key_ref = keyring_search_aux(
375 			make_key_ref(ctx->cred->process_keyring, 1), ctx);
376 		if (!IS_ERR(key_ref))
377 			goto found;
378 
379 		switch (PTR_ERR(key_ref)) {
380 		case -EAGAIN: /* no key */
381 			if (ret)
382 				break;
383 			/* fall through */
384 		case -ENOKEY: /* negative key */
385 			ret = key_ref;
386 			break;
387 		default:
388 			err = key_ref;
389 			break;
390 		}
391 	}
392 
393 	/* search the session keyring */
394 	if (ctx->cred->session_keyring) {
395 		rcu_read_lock();
396 		key_ref = keyring_search_aux(
397 			make_key_ref(rcu_dereference(ctx->cred->session_keyring), 1),
398 			ctx);
399 		rcu_read_unlock();
400 
401 		if (!IS_ERR(key_ref))
402 			goto found;
403 
404 		switch (PTR_ERR(key_ref)) {
405 		case -EAGAIN: /* no key */
406 			if (ret)
407 				break;
408 			/* fall through */
409 		case -ENOKEY: /* negative key */
410 			ret = key_ref;
411 			break;
412 		default:
413 			err = key_ref;
414 			break;
415 		}
416 	}
417 	/* or search the user-session keyring */
418 	else if (ctx->cred->user->session_keyring) {
419 		key_ref = keyring_search_aux(
420 			make_key_ref(ctx->cred->user->session_keyring, 1),
421 			ctx);
422 		if (!IS_ERR(key_ref))
423 			goto found;
424 
425 		switch (PTR_ERR(key_ref)) {
426 		case -EAGAIN: /* no key */
427 			if (ret)
428 				break;
429 			/* fall through */
430 		case -ENOKEY: /* negative key */
431 			ret = key_ref;
432 			break;
433 		default:
434 			err = key_ref;
435 			break;
436 		}
437 	}
438 
439 	/* no key - decide on the error we're going to go for */
440 	key_ref = ret ? ret : err;
441 
442 found:
443 	return key_ref;
444 }
445 
446 /*
447  * Search the process keyrings attached to the supplied cred for the first
448  * matching key in the manner of search_my_process_keyrings(), but also search
449  * the keys attached to the assumed authorisation key using its credentials if
450  * one is available.
451  *
452  * Return same as search_my_process_keyrings().
453  */
454 key_ref_t search_process_keyrings(struct keyring_search_context *ctx)
455 {
456 	struct request_key_auth *rka;
457 	key_ref_t key_ref, ret = ERR_PTR(-EACCES), err;
458 
459 	might_sleep();
460 
461 	key_ref = search_my_process_keyrings(ctx);
462 	if (!IS_ERR(key_ref))
463 		goto found;
464 	err = key_ref;
465 
466 	/* if this process has an instantiation authorisation key, then we also
467 	 * search the keyrings of the process mentioned there
468 	 * - we don't permit access to request_key auth keys via this method
469 	 */
470 	if (ctx->cred->request_key_auth &&
471 	    ctx->cred == current_cred() &&
472 	    ctx->index_key.type != &key_type_request_key_auth
473 	    ) {
474 		const struct cred *cred = ctx->cred;
475 
476 		/* defend against the auth key being revoked */
477 		down_read(&cred->request_key_auth->sem);
478 
479 		if (key_validate(ctx->cred->request_key_auth) == 0) {
480 			rka = ctx->cred->request_key_auth->payload.data[0];
481 
482 			ctx->cred = rka->cred;
483 			key_ref = search_process_keyrings(ctx);
484 			ctx->cred = cred;
485 
486 			up_read(&cred->request_key_auth->sem);
487 
488 			if (!IS_ERR(key_ref))
489 				goto found;
490 
491 			ret = key_ref;
492 		} else {
493 			up_read(&cred->request_key_auth->sem);
494 		}
495 	}
496 
497 	/* no key - decide on the error we're going to go for */
498 	if (err == ERR_PTR(-ENOKEY) || ret == ERR_PTR(-ENOKEY))
499 		key_ref = ERR_PTR(-ENOKEY);
500 	else if (err == ERR_PTR(-EACCES))
501 		key_ref = ret;
502 	else
503 		key_ref = err;
504 
505 found:
506 	return key_ref;
507 }
508 
509 /*
510  * See if the key we're looking at is the target key.
511  */
512 bool lookup_user_key_possessed(const struct key *key,
513 			       const struct key_match_data *match_data)
514 {
515 	return key == match_data->raw_data;
516 }
517 
518 /*
519  * Look up a key ID given us by userspace with a given permissions mask to get
520  * the key it refers to.
521  *
522  * Flags can be passed to request that special keyrings be created if referred
523  * to directly, to permit partially constructed keys to be found and to skip
524  * validity and permission checks on the found key.
525  *
526  * Returns a pointer to the key with an incremented usage count if successful;
527  * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond
528  * to a key or the best found key was a negative key; -EKEYREVOKED or
529  * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the
530  * found key doesn't grant the requested permit or the LSM denied access to it;
531  * or -ENOMEM if a special keyring couldn't be created.
532  *
533  * In the case of a successful return, the possession attribute is set on the
534  * returned key reference.
535  */
536 key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
537 			  key_perm_t perm)
538 {
539 	struct keyring_search_context ctx = {
540 		.match_data.cmp		= lookup_user_key_possessed,
541 		.match_data.lookup_type	= KEYRING_SEARCH_LOOKUP_DIRECT,
542 		.flags			= KEYRING_SEARCH_NO_STATE_CHECK,
543 	};
544 	struct request_key_auth *rka;
545 	struct key *key;
546 	key_ref_t key_ref, skey_ref;
547 	int ret;
548 
549 try_again:
550 	ctx.cred = get_current_cred();
551 	key_ref = ERR_PTR(-ENOKEY);
552 
553 	switch (id) {
554 	case KEY_SPEC_THREAD_KEYRING:
555 		if (!ctx.cred->thread_keyring) {
556 			if (!(lflags & KEY_LOOKUP_CREATE))
557 				goto error;
558 
559 			ret = install_thread_keyring();
560 			if (ret < 0) {
561 				key_ref = ERR_PTR(ret);
562 				goto error;
563 			}
564 			goto reget_creds;
565 		}
566 
567 		key = ctx.cred->thread_keyring;
568 		__key_get(key);
569 		key_ref = make_key_ref(key, 1);
570 		break;
571 
572 	case KEY_SPEC_PROCESS_KEYRING:
573 		if (!ctx.cred->process_keyring) {
574 			if (!(lflags & KEY_LOOKUP_CREATE))
575 				goto error;
576 
577 			ret = install_process_keyring();
578 			if (ret < 0) {
579 				key_ref = ERR_PTR(ret);
580 				goto error;
581 			}
582 			goto reget_creds;
583 		}
584 
585 		key = ctx.cred->process_keyring;
586 		__key_get(key);
587 		key_ref = make_key_ref(key, 1);
588 		break;
589 
590 	case KEY_SPEC_SESSION_KEYRING:
591 		if (!ctx.cred->session_keyring) {
592 			/* always install a session keyring upon access if one
593 			 * doesn't exist yet */
594 			ret = install_user_keyrings();
595 			if (ret < 0)
596 				goto error;
597 			if (lflags & KEY_LOOKUP_CREATE)
598 				ret = join_session_keyring(NULL);
599 			else
600 				ret = install_session_keyring(
601 					ctx.cred->user->session_keyring);
602 
603 			if (ret < 0)
604 				goto error;
605 			goto reget_creds;
606 		} else if (ctx.cred->session_keyring ==
607 			   ctx.cred->user->session_keyring &&
608 			   lflags & KEY_LOOKUP_CREATE) {
609 			ret = join_session_keyring(NULL);
610 			if (ret < 0)
611 				goto error;
612 			goto reget_creds;
613 		}
614 
615 		rcu_read_lock();
616 		key = rcu_dereference(ctx.cred->session_keyring);
617 		__key_get(key);
618 		rcu_read_unlock();
619 		key_ref = make_key_ref(key, 1);
620 		break;
621 
622 	case KEY_SPEC_USER_KEYRING:
623 		if (!ctx.cred->user->uid_keyring) {
624 			ret = install_user_keyrings();
625 			if (ret < 0)
626 				goto error;
627 		}
628 
629 		key = ctx.cred->user->uid_keyring;
630 		__key_get(key);
631 		key_ref = make_key_ref(key, 1);
632 		break;
633 
634 	case KEY_SPEC_USER_SESSION_KEYRING:
635 		if (!ctx.cred->user->session_keyring) {
636 			ret = install_user_keyrings();
637 			if (ret < 0)
638 				goto error;
639 		}
640 
641 		key = ctx.cred->user->session_keyring;
642 		__key_get(key);
643 		key_ref = make_key_ref(key, 1);
644 		break;
645 
646 	case KEY_SPEC_GROUP_KEYRING:
647 		/* group keyrings are not yet supported */
648 		key_ref = ERR_PTR(-EINVAL);
649 		goto error;
650 
651 	case KEY_SPEC_REQKEY_AUTH_KEY:
652 		key = ctx.cred->request_key_auth;
653 		if (!key)
654 			goto error;
655 
656 		__key_get(key);
657 		key_ref = make_key_ref(key, 1);
658 		break;
659 
660 	case KEY_SPEC_REQUESTOR_KEYRING:
661 		if (!ctx.cred->request_key_auth)
662 			goto error;
663 
664 		down_read(&ctx.cred->request_key_auth->sem);
665 		if (test_bit(KEY_FLAG_REVOKED,
666 			     &ctx.cred->request_key_auth->flags)) {
667 			key_ref = ERR_PTR(-EKEYREVOKED);
668 			key = NULL;
669 		} else {
670 			rka = ctx.cred->request_key_auth->payload.data[0];
671 			key = rka->dest_keyring;
672 			__key_get(key);
673 		}
674 		up_read(&ctx.cred->request_key_auth->sem);
675 		if (!key)
676 			goto error;
677 		key_ref = make_key_ref(key, 1);
678 		break;
679 
680 	default:
681 		key_ref = ERR_PTR(-EINVAL);
682 		if (id < 1)
683 			goto error;
684 
685 		key = key_lookup(id);
686 		if (IS_ERR(key)) {
687 			key_ref = ERR_CAST(key);
688 			goto error;
689 		}
690 
691 		key_ref = make_key_ref(key, 0);
692 
693 		/* check to see if we possess the key */
694 		ctx.index_key.type		= key->type;
695 		ctx.index_key.description	= key->description;
696 		ctx.index_key.desc_len		= strlen(key->description);
697 		ctx.match_data.raw_data		= key;
698 		kdebug("check possessed");
699 		skey_ref = search_process_keyrings(&ctx);
700 		kdebug("possessed=%p", skey_ref);
701 
702 		if (!IS_ERR(skey_ref)) {
703 			key_put(key);
704 			key_ref = skey_ref;
705 		}
706 
707 		break;
708 	}
709 
710 	/* unlink does not use the nominated key in any way, so can skip all
711 	 * the permission checks as it is only concerned with the keyring */
712 	if (lflags & KEY_LOOKUP_FOR_UNLINK) {
713 		ret = 0;
714 		goto error;
715 	}
716 
717 	if (!(lflags & KEY_LOOKUP_PARTIAL)) {
718 		ret = wait_for_key_construction(key, true);
719 		switch (ret) {
720 		case -ERESTARTSYS:
721 			goto invalid_key;
722 		default:
723 			if (perm)
724 				goto invalid_key;
725 		case 0:
726 			break;
727 		}
728 	} else if (perm) {
729 		ret = key_validate(key);
730 		if (ret < 0)
731 			goto invalid_key;
732 	}
733 
734 	ret = -EIO;
735 	if (!(lflags & KEY_LOOKUP_PARTIAL) &&
736 	    key_read_state(key) == KEY_IS_UNINSTANTIATED)
737 		goto invalid_key;
738 
739 	/* check the permissions */
740 	ret = key_task_permission(key_ref, ctx.cred, perm);
741 	if (ret < 0)
742 		goto invalid_key;
743 
744 	key->last_used_at = ktime_get_real_seconds();
745 
746 error:
747 	put_cred(ctx.cred);
748 	return key_ref;
749 
750 invalid_key:
751 	key_ref_put(key_ref);
752 	key_ref = ERR_PTR(ret);
753 	goto error;
754 
755 	/* if we attempted to install a keyring, then it may have caused new
756 	 * creds to be installed */
757 reget_creds:
758 	put_cred(ctx.cred);
759 	goto try_again;
760 }
761 EXPORT_SYMBOL(lookup_user_key);
762 
763 /*
764  * Join the named keyring as the session keyring if possible else attempt to
765  * create a new one of that name and join that.
766  *
767  * If the name is NULL, an empty anonymous keyring will be installed as the
768  * session keyring.
769  *
770  * Named session keyrings are joined with a semaphore held to prevent the
771  * keyrings from going away whilst the attempt is made to going them and also
772  * to prevent a race in creating compatible session keyrings.
773  */
774 long join_session_keyring(const char *name)
775 {
776 	const struct cred *old;
777 	struct cred *new;
778 	struct key *keyring;
779 	long ret, serial;
780 
781 	new = prepare_creds();
782 	if (!new)
783 		return -ENOMEM;
784 	old = current_cred();
785 
786 	/* if no name is provided, install an anonymous keyring */
787 	if (!name) {
788 		ret = install_session_keyring_to_cred(new, NULL);
789 		if (ret < 0)
790 			goto error;
791 
792 		serial = new->session_keyring->serial;
793 		ret = commit_creds(new);
794 		if (ret == 0)
795 			ret = serial;
796 		goto okay;
797 	}
798 
799 	/* allow the user to join or create a named keyring */
800 	mutex_lock(&key_session_mutex);
801 
802 	/* look for an existing keyring of this name */
803 	keyring = find_keyring_by_name(name, false);
804 	if (PTR_ERR(keyring) == -ENOKEY) {
805 		/* not found - try and create a new one */
806 		keyring = keyring_alloc(
807 			name, old->uid, old->gid, old,
808 			KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK,
809 			KEY_ALLOC_IN_QUOTA, NULL, NULL);
810 		if (IS_ERR(keyring)) {
811 			ret = PTR_ERR(keyring);
812 			goto error2;
813 		}
814 	} else if (IS_ERR(keyring)) {
815 		ret = PTR_ERR(keyring);
816 		goto error2;
817 	} else if (keyring == new->session_keyring) {
818 		ret = 0;
819 		goto error3;
820 	}
821 
822 	/* we've got a keyring - now to install it */
823 	ret = install_session_keyring_to_cred(new, keyring);
824 	if (ret < 0)
825 		goto error3;
826 
827 	commit_creds(new);
828 	mutex_unlock(&key_session_mutex);
829 
830 	ret = keyring->serial;
831 	key_put(keyring);
832 okay:
833 	return ret;
834 
835 error3:
836 	key_put(keyring);
837 error2:
838 	mutex_unlock(&key_session_mutex);
839 error:
840 	abort_creds(new);
841 	return ret;
842 }
843 
844 /*
845  * Replace a process's session keyring on behalf of one of its children when
846  * the target  process is about to resume userspace execution.
847  */
848 void key_change_session_keyring(struct callback_head *twork)
849 {
850 	const struct cred *old = current_cred();
851 	struct cred *new = container_of(twork, struct cred, rcu);
852 
853 	if (unlikely(current->flags & PF_EXITING)) {
854 		put_cred(new);
855 		return;
856 	}
857 
858 	new->  uid	= old->  uid;
859 	new-> euid	= old-> euid;
860 	new-> suid	= old-> suid;
861 	new->fsuid	= old->fsuid;
862 	new->  gid	= old->  gid;
863 	new-> egid	= old-> egid;
864 	new-> sgid	= old-> sgid;
865 	new->fsgid	= old->fsgid;
866 	new->user	= get_uid(old->user);
867 	new->user_ns	= get_user_ns(old->user_ns);
868 	new->group_info	= get_group_info(old->group_info);
869 
870 	new->securebits	= old->securebits;
871 	new->cap_inheritable	= old->cap_inheritable;
872 	new->cap_permitted	= old->cap_permitted;
873 	new->cap_effective	= old->cap_effective;
874 	new->cap_ambient	= old->cap_ambient;
875 	new->cap_bset		= old->cap_bset;
876 
877 	new->jit_keyring	= old->jit_keyring;
878 	new->thread_keyring	= key_get(old->thread_keyring);
879 	new->process_keyring	= key_get(old->process_keyring);
880 
881 	security_transfer_creds(new, old);
882 
883 	commit_creds(new);
884 }
885 
886 /*
887  * Make sure that root's user and user-session keyrings exist.
888  */
889 static int __init init_root_keyring(void)
890 {
891 	return install_user_keyrings();
892 }
893 
894 late_initcall(init_root_keyring);
895