1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0-or-later
2*4882a593Smuzhiyun /* Manage a process's keyrings
3*4882a593Smuzhiyun *
4*4882a593Smuzhiyun * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
5*4882a593Smuzhiyun * Written by David Howells (dhowells@redhat.com)
6*4882a593Smuzhiyun */
7*4882a593Smuzhiyun
8*4882a593Smuzhiyun #include <linux/init.h>
9*4882a593Smuzhiyun #include <linux/sched.h>
10*4882a593Smuzhiyun #include <linux/sched/user.h>
11*4882a593Smuzhiyun #include <linux/keyctl.h>
12*4882a593Smuzhiyun #include <linux/fs.h>
13*4882a593Smuzhiyun #include <linux/err.h>
14*4882a593Smuzhiyun #include <linux/mutex.h>
15*4882a593Smuzhiyun #include <linux/security.h>
16*4882a593Smuzhiyun #include <linux/user_namespace.h>
17*4882a593Smuzhiyun #include <linux/uaccess.h>
18*4882a593Smuzhiyun #include <linux/init_task.h>
19*4882a593Smuzhiyun #include <keys/request_key_auth-type.h>
20*4882a593Smuzhiyun #include "internal.h"
21*4882a593Smuzhiyun
/* Mutex serialising session keyring creation against joining */
static DEFINE_MUTEX(key_session_mutex);

/*
 * The root user's key tracking record.
 *
 * It is statically initialised with a non-zero reference count and non-zero
 * key counts; the objects that account for those counts are set up outside
 * this block.
 */
struct key_user root_key_user = {
	.uid		= GLOBAL_ROOT_UID,
	.usage		= REFCOUNT_INIT(3),
	.nkeys		= ATOMIC_INIT(2),
	.nikeys		= ATOMIC_INIT(2),
	.cons_lock	= __MUTEX_INITIALIZER(root_key_user.cons_lock),
	.lock		= __SPIN_LOCK_UNLOCKED(root_key_user.lock),
};
34*4882a593Smuzhiyun
/*
 * Get the register keyring of a user namespace, creating it on first use.
 *
 * Returns the keyring or an ERR_PTR() from keyring_alloc().  No reference is
 * taken for the caller: the keyring is pinned by @user_ns.
 */
static struct key *get_user_register(struct user_namespace *user_ns)
{
	const key_perm_t perm = KEY_POS_WRITE | KEY_POS_SEARCH |
				KEY_USR_VIEW | KEY_USR_READ;
	struct key *reg;

	/* Fast path: the register already exists, so no lock is needed. */
	reg = READ_ONCE(user_ns->user_keyring_register);
	if (reg)
		return reg;

	down_write(&user_ns->keyring_sem);

	/* Recheck under the semaphore in case another task created it while
	 * we were waiting.
	 */
	reg = user_ns->user_keyring_register;
	if (reg)
		goto unlock;

	/* The register is owned by the user_namespace's owner and has no
	 * group.  Only a successfully allocated keyring is published; the
	 * release store is what the unlocked READ_ONCE() above reads.
	 */
	reg = keyring_alloc(".user_reg", user_ns->owner, INVALID_GID,
			    &init_cred, perm, 0, NULL, NULL);
	if (!IS_ERR(reg))
		smp_store_release(&user_ns->user_keyring_register, reg);

unlock:
	up_write(&user_ns->keyring_sem);
	return reg;
}
69*4882a593Smuzhiyun
/*
 * Find the user keyring ("_uid.<uid>") and the user session keyring
 * ("_uid_ses.<uid>") for the current credentials in the user namespace's
 * register keyring, creating whichever of them does not exist yet.
 *
 * Each non-NULL output pointer receives the corresponding keyring and the
 * caller then owns that reference; where an output pointer is NULL the
 * reference is dropped here instead.
 *
 * Return: 0 on success; -errno on failure.
 */
int look_up_user_keyrings(struct key **_user_keyring,
			  struct key **_user_session_keyring)
{
	const key_perm_t perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
	const struct cred *cred = current_cred();
	struct user_namespace *user_ns = current_user_ns();
	uid_t uid = from_kuid(user_ns, cred->user->uid);
	struct key *reg, *user_kr, *session_kr;
	key_ref_t user_ref, session_ref;
	char name[20];	/* "_uid_ses." + a 10-digit %u + NUL fits exactly */
	int ret = 0;

	kenter("%u", uid);

	reg = get_user_register(user_ns);
	if (IS_ERR(reg))
		return PTR_ERR(reg);

	/* Lookup and creation are done under the namespace's keyring
	 * semaphore so that two tasks cannot both create the same keyring.
	 */
	down_write(&user_ns->keyring_sem);

	/* User keyring.  One may already exist: it can have been pinned by a
	 * session even though the user_struct pointing to it was destroyed
	 * by setuid.
	 */
	snprintf(name, sizeof(name), "_uid.%u", uid);
	user_ref = keyring_search(make_key_ref(reg, true),
				  &key_type_keyring, name, false);
	kdebug("_uid %p", user_ref);
	if (!IS_ERR(user_ref)) {
		user_kr = key_ref_to_ptr(user_ref);
	} else if (user_ref != ERR_PTR(-EAGAIN)) {
		ret = PTR_ERR(user_ref);
		goto error;
	} else {
		/* -EAGAIN: not found, so create it linked into the register */
		user_kr = keyring_alloc(name, cred->user->uid, INVALID_GID,
					cred, perm,
					KEY_ALLOC_UID_KEYRING |
					KEY_ALLOC_IN_QUOTA,
					NULL, reg);
		if (IS_ERR(user_kr)) {
			ret = PTR_ERR(user_kr);
			goto error;
		}
	}

	/* Default session keyring, which might also exist already. */
	snprintf(name, sizeof(name), "_uid_ses.%u", uid);
	session_ref = keyring_search(make_key_ref(reg, true),
				     &key_type_keyring, name, false);
	kdebug("_uid_ses %p", session_ref);
	if (!IS_ERR(session_ref)) {
		session_kr = key_ref_to_ptr(session_ref);
	} else if (session_ref != ERR_PTR(-EAGAIN)) {
		ret = PTR_ERR(session_ref);
		goto error_release;
	} else {
		/* Allocated without a destination keyring: the new keyring
		 * is not reachable through the register until the final
		 * key_link() below.
		 */
		session_kr = keyring_alloc(name, cred->user->uid, INVALID_GID,
					   cred, perm,
					   KEY_ALLOC_UID_KEYRING |
					   KEY_ALLOC_IN_QUOTA,
					   NULL, NULL);
		if (IS_ERR(session_kr)) {
			ret = PTR_ERR(session_kr);
			goto error_release;
		}

		/* First link the user keyring into the user session
		 * keyring...
		 */
		ret = key_link(session_kr, user_kr);
		if (ret < 0)
			goto error_release_session;

		/* ...and only then make the user session keyring findable
		 * via the register.
		 */
		ret = key_link(reg, session_kr);
		if (ret < 0)
			goto error_release_session;
	}

	up_write(&user_ns->keyring_sem);

	/* Hand each reference to the caller, or drop it if not wanted. */
	if (_user_session_keyring)
		*_user_session_keyring = session_kr;
	else
		key_put(session_kr);
	if (_user_keyring)
		*_user_keyring = user_kr;
	else
		key_put(user_kr);
	kleave(" = 0");
	return 0;

error_release_session:
	key_put(session_kr);
error_release:
	key_put(user_kr);
error:
	up_write(&user_ns->keyring_sem);
	kleave(" = %d", ret);
	return ret;
}
180*4882a593Smuzhiyun
/*
 * Get the user session keyring for @cred if it already exists; never create
 * it.
 *
 * Returns the keyring, or NULL if the namespace has no register keyring yet
 * or the search fails for any reason.  A keyring returned here is released
 * by the caller with key_put().
 */
struct key *get_user_session_keyring_rcu(const struct cred *cred)
{
	struct key *reg = READ_ONCE(cred->user_ns->user_keyring_register);
	/* Sized for the 9-character "_uid_ses." prefix, a 10-digit %u value
	 * and the terminating NUL; snprintf() bounds the write regardless.
	 */
	char name[20];
	key_ref_t found;
	uid_t uid;

	/* Direct lookup by description, searching with @cred's credentials
	 * and with the key state check enabled.
	 */
	struct keyring_search_context ctx = {
		.index_key.type		= &key_type_keyring,
		.index_key.description	= name,
		.cred			= cred,
		.match_data.cmp		= key_default_cmp,
		.match_data.raw_data	= name,
		.match_data.lookup_type	= KEYRING_SEARCH_LOOKUP_DIRECT,
		.flags			= KEYRING_SEARCH_DO_STATE_CHECK,
	};

	if (!reg)
		return NULL;

	uid = from_kuid(cred->user_ns, cred->user->uid);
	ctx.index_key.desc_len = snprintf(name, sizeof(name),
					  "_uid_ses.%u", uid);

	found = keyring_search_rcu(make_key_ref(reg, true), &ctx);

	/* Every failure is reported the same way: no keyring. */
	return IS_ERR(found) ? NULL : key_ref_to_ptr(found);
}
214*4882a593Smuzhiyun
/*
 * Give the credentials struct @new a thread keyring ("_tid") unless it has
 * one already.  The allocation is allowed to overrun the key quota.
 *
 * Return: 0 if a thread keyring is now present; -errno on failure.
 */
int install_thread_keyring_to_cred(struct cred *new)
{
	struct key *tid_keyring;

	if (!new->thread_keyring) {
		/* Possessor gets everything; the owning user may only view. */
		tid_keyring = keyring_alloc("_tid", new->uid, new->gid, new,
					    KEY_POS_ALL | KEY_USR_VIEW,
					    KEY_ALLOC_QUOTA_OVERRUN,
					    NULL, NULL);
		if (IS_ERR(tid_keyring))
			return PTR_ERR(tid_keyring);

		new->thread_keyring = tid_keyring;
	}

	return 0;
}
238*4882a593Smuzhiyun
/*
 * Give the current task a thread keyring unless it has one already, by
 * preparing a new set of credentials and committing them.
 *
 * Return: 0 if a thread keyring is now present; -errno on failure.
 */
static int install_thread_keyring(void)
{
	struct cred *new = prepare_creds();
	int ret;

	if (!new)
		return -ENOMEM;

	ret = install_thread_keyring_to_cred(new);
	if (ret >= 0)
		return commit_creds(new);

	/* Nothing was installed: discard the prepared credentials. */
	abort_creds(new);
	return ret;
}
261*4882a593Smuzhiyun
/*
 * Give the credentials struct @new a process keyring ("_pid") unless it has
 * one already.  The allocation is allowed to overrun the key quota.
 *
 * Return: 0 if a process keyring is now present; -errno on failure.
 */
int install_process_keyring_to_cred(struct cred *new)
{
	struct key *pid_keyring;

	if (!new->process_keyring) {
		/* Possessor gets everything; the owning user may only view. */
		pid_keyring = keyring_alloc("_pid", new->uid, new->gid, new,
					    KEY_POS_ALL | KEY_USR_VIEW,
					    KEY_ALLOC_QUOTA_OVERRUN,
					    NULL, NULL);
		if (IS_ERR(pid_keyring))
			return PTR_ERR(pid_keyring);

		new->process_keyring = pid_keyring;
	}

	return 0;
}
285*4882a593Smuzhiyun
/*
 * Give the current task a process keyring unless it has one already, by
 * preparing a new set of credentials and committing them.
 *
 * Return: 0 if a process keyring is now present; -errno on failure.
 */
static int install_process_keyring(void)
{
	struct cred *new = prepare_creds();
	int ret;

	if (!new)
		return -ENOMEM;

	ret = install_process_keyring_to_cred(new);
	if (ret >= 0)
		return commit_creds(new);

	/* Nothing was installed: discard the prepared credentials. */
	abort_creds(new);
	return ret;
}
308*4882a593Smuzhiyun
/*
 * Make @keyring the session keyring of the credentials struct @cred,
 * replacing and releasing any existing one.  If @keyring is NULL, a new
 * anonymous session keyring ("_ses") is allocated and installed instead.
 * @cred can not be in use by any task yet.
 *
 * Return: 0 on success; -errno on failure.
 */
int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
{
	unsigned long flags;
	struct key *old;

	might_sleep();

	if (keyring) {
		/* @cred holds its own reference on a supplied keyring. */
		__key_get(keyring);
	} else {
		/* Replacing an existing session keyring is charged against
		 * the quota; a first session keyring may overrun it.
		 */
		flags = cred->session_keyring ? KEY_ALLOC_IN_QUOTA
					      : KEY_ALLOC_QUOTA_OVERRUN;

		keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred,
					KEY_POS_ALL | KEY_USR_VIEW |
					KEY_USR_READ,
					flags, NULL, NULL);
		if (IS_ERR(keyring))
			return PTR_ERR(keyring);
	}

	/* Swap the new keyring in and drop the one it displaces. */
	old = cred->session_keyring;
	cred->session_keyring = keyring;

	if (old)
		key_put(old);

	return 0;
}
348*4882a593Smuzhiyun
/*
 * Make @keyring the session keyring of the current task, replacing the
 * existing one if any, by preparing a new set of credentials and committing
 * them.  If @keyring is NULL, a new anonymous session keyring is installed.
 *
 * Return: 0 on success; -errno on failure.
 */
static int install_session_keyring(struct key *keyring)
{
	struct cred *new = prepare_creds();
	int ret;

	if (!new)
		return -ENOMEM;

	ret = install_session_keyring_to_cred(new, keyring);
	if (ret >= 0)
		return commit_creds(new);

	/* Nothing was installed: discard the prepared credentials. */
	abort_creds(new);
	return ret;
}
373*4882a593Smuzhiyun
/*
 * Handle the fsuid changing: the thread keyring, if there is one, is
 * re-owned to the new fsuid.
 */
void key_fsuid_changed(struct cred *new_cred)
{
	struct key *thread_keyring = new_cred->thread_keyring;

	if (!thread_keyring)
		return;

	/* The owner is changed with the keyring's semaphore write-held. */
	down_write(&thread_keyring->sem);
	thread_keyring->uid = new_cred->fsuid;
	up_write(&thread_keyring->sem);
}
386*4882a593Smuzhiyun
/*
 * Handle the fsgid changing: the thread keyring, if there is one, has its
 * group set to the new fsgid.
 */
void key_fsgid_changed(struct cred *new_cred)
{
	struct key *thread_keyring = new_cred->thread_keyring;

	if (!thread_keyring)
		return;

	/* The group is changed with the keyring's semaphore write-held. */
	down_write(&thread_keyring->sem);
	thread_keyring->gid = new_cred->fsgid;
	up_write(&thread_keyring->sem);
}
399*4882a593Smuzhiyun
/*
 * Search the process keyrings attached to the supplied cred for the first
 * matching key under RCU conditions (the caller must be holding the RCU read
 * lock).
 *
 * The keyrings are tried in order: thread, process, then the session keyring
 * or, if the cred has no session keyring, the user session keyring.
 *
 * The search criteria are the type and the match function.  The description
 * is given to the match function as a parameter, but doesn't otherwise
 * influence the search.  Typically the match function will compare the
 * description parameter to the key's description.
 *
 * Only keyrings that grant Search permission to the supplied credentials can
 * be searched.  Keyrings linked to searched keyrings are searched too if
 * they also grant Search permission, and a key can only be found if it
 * grants Search permission to the credentials.
 *
 * Returns a pointer to the key with the key usage count incremented if
 * successful, -EAGAIN if no matching key was found or -ENOKEY if only
 * negative keys matched.
 *
 * In the case of a successful return, the possession attribute is set on the
 * returned key reference.
 */
key_ref_t search_cred_keyrings_rcu(struct keyring_search_context *ctx)
{
	const struct cred *cred = ctx->cred;
	struct key *user_session;
	key_ref_t key_ref = NULL;
	key_ref_t miss = NULL;			/* best -ENOKEY/-EAGAIN seen */
	key_ref_t failure = ERR_PTR(-EAGAIN);	/* last other error seen */
	long rc;

	/* If any keyring was searchable but held no key, or only a negative
	 * key, the result is -EAGAIN or -ENOKEY; if none was searchable the
	 * result is a sample error (probably -EACCES).
	 *
	 * In terms of priority: success > -ENOKEY > -EAGAIN > other error
	 */

	/* The thread keyring is searched first. */
	if (cred->thread_keyring) {
		key_ref = keyring_search_rcu(
			make_key_ref(cred->thread_keyring, 1), ctx);
		if (!IS_ERR(key_ref))
			return key_ref;

		rc = PTR_ERR(key_ref);
		if (rc == -EAGAIN || rc == -ENOKEY)
			miss = key_ref;
		else
			failure = key_ref;
	}

	/* The process keyring is searched second. */
	if (cred->process_keyring) {
		key_ref = keyring_search_rcu(
			make_key_ref(cred->process_keyring, 1), ctx);
		if (!IS_ERR(key_ref))
			return key_ref;

		/* -ENOKEY always replaces the recorded miss; -EAGAIN only
		 * fills an empty slot.
		 */
		rc = PTR_ERR(key_ref);
		if (rc == -ENOKEY || (rc == -EAGAIN && !miss))
			miss = key_ref;
		else if (rc != -EAGAIN)
			failure = key_ref;
	}

	/* Last comes the session keyring or, failing that, the user-session
	 * keyring if one exists.
	 */
	if (cred->session_keyring) {
		key_ref = keyring_search_rcu(
			make_key_ref(cred->session_keyring, 1), ctx);
	} else {
		user_session = get_user_session_keyring_rcu(cred);
		if (!user_session)
			goto no_key;

		key_ref = keyring_search_rcu(make_key_ref(user_session, 1),
					     ctx);
		/* The user-session keyring itself is no longer needed. */
		key_put(user_session);
	}

	if (!IS_ERR(key_ref))
		return key_ref;

	rc = PTR_ERR(key_ref);
	if (rc == -ENOKEY || (rc == -EAGAIN && !miss))
		miss = key_ref;
	else if (rc != -EAGAIN)
		failure = key_ref;

no_key:
	/* no key - decide on the error we're going to go for */
	return miss ? miss : failure;
}
528*4882a593Smuzhiyun
/*
 * Search the process keyrings attached to the supplied cred for the first
 * matching key in the manner of search_cred_keyrings_rcu(), but also search
 * the keyrings of the credentials recorded in the assumed authorisation key
 * if one is available.
 *
 * The caller must be holding the RCU read lock.
 *
 * Return same as search_cred_keyrings_rcu().
 */
key_ref_t search_process_keyrings_rcu(struct keyring_search_context *ctx)
{
	struct request_key_auth *rka;
	const struct cred *cred;
	key_ref_t key_ref;
	key_ref_t own_err;			/* error from ctx->cred */
	key_ref_t auth_err = ERR_PTR(-EACCES);	/* error from rka->cred */

	key_ref = search_cred_keyrings_rcu(ctx);
	if (!IS_ERR(key_ref))
		return key_ref;
	own_err = key_ref;

	/* If this process has an instantiation authorisation key, the
	 * keyrings of the process mentioned there are searched as well.
	 * That only happens when the search is being done with the current
	 * task's own credentials, and request_key auth keys themselves are
	 * never made accessible through this path.
	 */
	cred = ctx->cred;
	if (cred->request_key_auth &&
	    cred == current_cred() &&
	    ctx->index_key.type != &key_type_request_key_auth &&
	    key_validate(cred->request_key_auth) == 0) {
		rka = cred->request_key_auth->payload.data[0];

		/* One non-recursive pass with the credentials from the
		 * authorisation key; the context's own credentials are put
		 * back straight afterwards.
		 */
		ctx->cred = rka->cred;
		key_ref = search_cred_keyrings_rcu(ctx);
		ctx->cred = cred;

		if (!IS_ERR(key_ref))
			return key_ref;
		auth_err = key_ref;
	}

	/* no key - decide on the error we're going to go for */
	if (own_err == ERR_PTR(-ENOKEY) || auth_err == ERR_PTR(-ENOKEY))
		return ERR_PTR(-ENOKEY);

	return own_err == ERR_PTR(-EACCES) ? auth_err : own_err;
}
/*
 * Match function: a candidate key matches only if it is the very key object
 * that the match data's raw_data points at (pointer identity).
 */
bool lookup_user_key_possessed(const struct key *key,
			       const struct key_match_data *match_data)
{
	return match_data->raw_data == key;
}
592*4882a593Smuzhiyun
593*4882a593Smuzhiyun /*
594*4882a593Smuzhiyun * Look up a key ID given us by userspace with a given permissions mask to get
595*4882a593Smuzhiyun * the key it refers to.
596*4882a593Smuzhiyun *
597*4882a593Smuzhiyun * Flags can be passed to request that special keyrings be created if referred
598*4882a593Smuzhiyun * to directly, to permit partially constructed keys to be found and to skip
599*4882a593Smuzhiyun * validity and permission checks on the found key.
600*4882a593Smuzhiyun *
601*4882a593Smuzhiyun * Returns a pointer to the key with an incremented usage count if successful;
602*4882a593Smuzhiyun * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond
603*4882a593Smuzhiyun * to a key or the best found key was a negative key; -EKEYREVOKED or
604*4882a593Smuzhiyun * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the
605*4882a593Smuzhiyun * found key doesn't grant the requested permit or the LSM denied access to it;
606*4882a593Smuzhiyun * or -ENOMEM if a special keyring couldn't be created.
607*4882a593Smuzhiyun *
608*4882a593Smuzhiyun * In the case of a successful return, the possession attribute is set on the
609*4882a593Smuzhiyun * returned key reference.
610*4882a593Smuzhiyun */
lookup_user_key(key_serial_t id,unsigned long lflags,enum key_need_perm need_perm)611*4882a593Smuzhiyun key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
612*4882a593Smuzhiyun enum key_need_perm need_perm)
613*4882a593Smuzhiyun {
614*4882a593Smuzhiyun struct keyring_search_context ctx = {
615*4882a593Smuzhiyun .match_data.cmp = lookup_user_key_possessed,
616*4882a593Smuzhiyun .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
617*4882a593Smuzhiyun .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
618*4882a593Smuzhiyun KEYRING_SEARCH_RECURSE),
619*4882a593Smuzhiyun };
620*4882a593Smuzhiyun struct request_key_auth *rka;
621*4882a593Smuzhiyun struct key *key, *user_session;
622*4882a593Smuzhiyun key_ref_t key_ref, skey_ref;
623*4882a593Smuzhiyun int ret;
624*4882a593Smuzhiyun
625*4882a593Smuzhiyun try_again:
626*4882a593Smuzhiyun ctx.cred = get_current_cred();
627*4882a593Smuzhiyun key_ref = ERR_PTR(-ENOKEY);
628*4882a593Smuzhiyun
629*4882a593Smuzhiyun switch (id) {
630*4882a593Smuzhiyun case KEY_SPEC_THREAD_KEYRING:
631*4882a593Smuzhiyun if (!ctx.cred->thread_keyring) {
632*4882a593Smuzhiyun if (!(lflags & KEY_LOOKUP_CREATE))
633*4882a593Smuzhiyun goto error;
634*4882a593Smuzhiyun
635*4882a593Smuzhiyun ret = install_thread_keyring();
636*4882a593Smuzhiyun if (ret < 0) {
637*4882a593Smuzhiyun key_ref = ERR_PTR(ret);
638*4882a593Smuzhiyun goto error;
639*4882a593Smuzhiyun }
640*4882a593Smuzhiyun goto reget_creds;
641*4882a593Smuzhiyun }
642*4882a593Smuzhiyun
643*4882a593Smuzhiyun key = ctx.cred->thread_keyring;
644*4882a593Smuzhiyun __key_get(key);
645*4882a593Smuzhiyun key_ref = make_key_ref(key, 1);
646*4882a593Smuzhiyun break;
647*4882a593Smuzhiyun
648*4882a593Smuzhiyun case KEY_SPEC_PROCESS_KEYRING:
649*4882a593Smuzhiyun if (!ctx.cred->process_keyring) {
650*4882a593Smuzhiyun if (!(lflags & KEY_LOOKUP_CREATE))
651*4882a593Smuzhiyun goto error;
652*4882a593Smuzhiyun
653*4882a593Smuzhiyun ret = install_process_keyring();
654*4882a593Smuzhiyun if (ret < 0) {
655*4882a593Smuzhiyun key_ref = ERR_PTR(ret);
656*4882a593Smuzhiyun goto error;
657*4882a593Smuzhiyun }
658*4882a593Smuzhiyun goto reget_creds;
659*4882a593Smuzhiyun }
660*4882a593Smuzhiyun
661*4882a593Smuzhiyun key = ctx.cred->process_keyring;
662*4882a593Smuzhiyun __key_get(key);
663*4882a593Smuzhiyun key_ref = make_key_ref(key, 1);
664*4882a593Smuzhiyun break;
665*4882a593Smuzhiyun
666*4882a593Smuzhiyun case KEY_SPEC_SESSION_KEYRING:
667*4882a593Smuzhiyun if (!ctx.cred->session_keyring) {
668*4882a593Smuzhiyun /* always install a session keyring upon access if one
669*4882a593Smuzhiyun * doesn't exist yet */
670*4882a593Smuzhiyun ret = look_up_user_keyrings(NULL, &user_session);
671*4882a593Smuzhiyun if (ret < 0)
672*4882a593Smuzhiyun goto error;
673*4882a593Smuzhiyun if (lflags & KEY_LOOKUP_CREATE)
674*4882a593Smuzhiyun ret = join_session_keyring(NULL);
675*4882a593Smuzhiyun else
676*4882a593Smuzhiyun ret = install_session_keyring(user_session);
677*4882a593Smuzhiyun
678*4882a593Smuzhiyun key_put(user_session);
679*4882a593Smuzhiyun if (ret < 0)
680*4882a593Smuzhiyun goto error;
681*4882a593Smuzhiyun goto reget_creds;
682*4882a593Smuzhiyun } else if (test_bit(KEY_FLAG_UID_KEYRING,
683*4882a593Smuzhiyun &ctx.cred->session_keyring->flags) &&
684*4882a593Smuzhiyun lflags & KEY_LOOKUP_CREATE) {
685*4882a593Smuzhiyun ret = join_session_keyring(NULL);
686*4882a593Smuzhiyun if (ret < 0)
687*4882a593Smuzhiyun goto error;
688*4882a593Smuzhiyun goto reget_creds;
689*4882a593Smuzhiyun }
690*4882a593Smuzhiyun
691*4882a593Smuzhiyun key = ctx.cred->session_keyring;
692*4882a593Smuzhiyun __key_get(key);
693*4882a593Smuzhiyun key_ref = make_key_ref(key, 1);
694*4882a593Smuzhiyun break;
695*4882a593Smuzhiyun
696*4882a593Smuzhiyun case KEY_SPEC_USER_KEYRING:
697*4882a593Smuzhiyun ret = look_up_user_keyrings(&key, NULL);
698*4882a593Smuzhiyun if (ret < 0)
699*4882a593Smuzhiyun goto error;
700*4882a593Smuzhiyun key_ref = make_key_ref(key, 1);
701*4882a593Smuzhiyun break;
702*4882a593Smuzhiyun
703*4882a593Smuzhiyun case KEY_SPEC_USER_SESSION_KEYRING:
704*4882a593Smuzhiyun ret = look_up_user_keyrings(NULL, &key);
705*4882a593Smuzhiyun if (ret < 0)
706*4882a593Smuzhiyun goto error;
707*4882a593Smuzhiyun key_ref = make_key_ref(key, 1);
708*4882a593Smuzhiyun break;
709*4882a593Smuzhiyun
710*4882a593Smuzhiyun case KEY_SPEC_GROUP_KEYRING:
711*4882a593Smuzhiyun /* group keyrings are not yet supported */
712*4882a593Smuzhiyun key_ref = ERR_PTR(-EINVAL);
713*4882a593Smuzhiyun goto error;
714*4882a593Smuzhiyun
715*4882a593Smuzhiyun case KEY_SPEC_REQKEY_AUTH_KEY:
716*4882a593Smuzhiyun key = ctx.cred->request_key_auth;
717*4882a593Smuzhiyun if (!key)
718*4882a593Smuzhiyun goto error;
719*4882a593Smuzhiyun
720*4882a593Smuzhiyun __key_get(key);
721*4882a593Smuzhiyun key_ref = make_key_ref(key, 1);
722*4882a593Smuzhiyun break;
723*4882a593Smuzhiyun
724*4882a593Smuzhiyun case KEY_SPEC_REQUESTOR_KEYRING:
725*4882a593Smuzhiyun if (!ctx.cred->request_key_auth)
726*4882a593Smuzhiyun goto error;
727*4882a593Smuzhiyun
728*4882a593Smuzhiyun down_read(&ctx.cred->request_key_auth->sem);
729*4882a593Smuzhiyun if (test_bit(KEY_FLAG_REVOKED,
730*4882a593Smuzhiyun &ctx.cred->request_key_auth->flags)) {
731*4882a593Smuzhiyun key_ref = ERR_PTR(-EKEYREVOKED);
732*4882a593Smuzhiyun key = NULL;
733*4882a593Smuzhiyun } else {
734*4882a593Smuzhiyun rka = ctx.cred->request_key_auth->payload.data[0];
735*4882a593Smuzhiyun key = rka->dest_keyring;
736*4882a593Smuzhiyun __key_get(key);
737*4882a593Smuzhiyun }
738*4882a593Smuzhiyun up_read(&ctx.cred->request_key_auth->sem);
739*4882a593Smuzhiyun if (!key)
740*4882a593Smuzhiyun goto error;
741*4882a593Smuzhiyun key_ref = make_key_ref(key, 1);
742*4882a593Smuzhiyun break;
743*4882a593Smuzhiyun
744*4882a593Smuzhiyun default:
745*4882a593Smuzhiyun key_ref = ERR_PTR(-EINVAL);
746*4882a593Smuzhiyun if (id < 1)
747*4882a593Smuzhiyun goto error;
748*4882a593Smuzhiyun
749*4882a593Smuzhiyun key = key_lookup(id);
750*4882a593Smuzhiyun if (IS_ERR(key)) {
751*4882a593Smuzhiyun key_ref = ERR_CAST(key);
752*4882a593Smuzhiyun goto error;
753*4882a593Smuzhiyun }
754*4882a593Smuzhiyun
755*4882a593Smuzhiyun key_ref = make_key_ref(key, 0);
756*4882a593Smuzhiyun
757*4882a593Smuzhiyun /* check to see if we possess the key */
758*4882a593Smuzhiyun ctx.index_key = key->index_key;
759*4882a593Smuzhiyun ctx.match_data.raw_data = key;
760*4882a593Smuzhiyun kdebug("check possessed");
761*4882a593Smuzhiyun rcu_read_lock();
762*4882a593Smuzhiyun skey_ref = search_process_keyrings_rcu(&ctx);
763*4882a593Smuzhiyun rcu_read_unlock();
764*4882a593Smuzhiyun kdebug("possessed=%p", skey_ref);
765*4882a593Smuzhiyun
766*4882a593Smuzhiyun if (!IS_ERR(skey_ref)) {
767*4882a593Smuzhiyun key_put(key);
768*4882a593Smuzhiyun key_ref = skey_ref;
769*4882a593Smuzhiyun }
770*4882a593Smuzhiyun
771*4882a593Smuzhiyun break;
772*4882a593Smuzhiyun }
773*4882a593Smuzhiyun
774*4882a593Smuzhiyun /* unlink does not use the nominated key in any way, so can skip all
775*4882a593Smuzhiyun * the permission checks as it is only concerned with the keyring */
776*4882a593Smuzhiyun if (need_perm != KEY_NEED_UNLINK) {
777*4882a593Smuzhiyun if (!(lflags & KEY_LOOKUP_PARTIAL)) {
778*4882a593Smuzhiyun ret = wait_for_key_construction(key, true);
779*4882a593Smuzhiyun switch (ret) {
780*4882a593Smuzhiyun case -ERESTARTSYS:
781*4882a593Smuzhiyun goto invalid_key;
782*4882a593Smuzhiyun default:
783*4882a593Smuzhiyun if (need_perm != KEY_AUTHTOKEN_OVERRIDE &&
784*4882a593Smuzhiyun need_perm != KEY_DEFER_PERM_CHECK)
785*4882a593Smuzhiyun goto invalid_key;
786*4882a593Smuzhiyun case 0:
787*4882a593Smuzhiyun break;
788*4882a593Smuzhiyun }
789*4882a593Smuzhiyun } else if (need_perm != KEY_DEFER_PERM_CHECK) {
790*4882a593Smuzhiyun ret = key_validate(key);
791*4882a593Smuzhiyun if (ret < 0)
792*4882a593Smuzhiyun goto invalid_key;
793*4882a593Smuzhiyun }
794*4882a593Smuzhiyun
795*4882a593Smuzhiyun ret = -EIO;
796*4882a593Smuzhiyun if (!(lflags & KEY_LOOKUP_PARTIAL) &&
797*4882a593Smuzhiyun key_read_state(key) == KEY_IS_UNINSTANTIATED)
798*4882a593Smuzhiyun goto invalid_key;
799*4882a593Smuzhiyun }
800*4882a593Smuzhiyun
801*4882a593Smuzhiyun /* check the permissions */
802*4882a593Smuzhiyun ret = key_task_permission(key_ref, ctx.cred, need_perm);
803*4882a593Smuzhiyun if (ret < 0)
804*4882a593Smuzhiyun goto invalid_key;
805*4882a593Smuzhiyun
806*4882a593Smuzhiyun key->last_used_at = ktime_get_real_seconds();
807*4882a593Smuzhiyun
808*4882a593Smuzhiyun error:
809*4882a593Smuzhiyun put_cred(ctx.cred);
810*4882a593Smuzhiyun return key_ref;
811*4882a593Smuzhiyun
812*4882a593Smuzhiyun invalid_key:
813*4882a593Smuzhiyun key_ref_put(key_ref);
814*4882a593Smuzhiyun key_ref = ERR_PTR(ret);
815*4882a593Smuzhiyun goto error;
816*4882a593Smuzhiyun
817*4882a593Smuzhiyun /* if we attempted to install a keyring, then it may have caused new
818*4882a593Smuzhiyun * creds to be installed */
819*4882a593Smuzhiyun reget_creds:
820*4882a593Smuzhiyun put_cred(ctx.cred);
821*4882a593Smuzhiyun goto try_again;
822*4882a593Smuzhiyun }
823*4882a593Smuzhiyun EXPORT_SYMBOL(lookup_user_key);
824*4882a593Smuzhiyun
825*4882a593Smuzhiyun /*
826*4882a593Smuzhiyun * Join the named keyring as the session keyring if possible else attempt to
827*4882a593Smuzhiyun * create a new one of that name and join that.
828*4882a593Smuzhiyun *
829*4882a593Smuzhiyun * If the name is NULL, an empty anonymous keyring will be installed as the
830*4882a593Smuzhiyun * session keyring.
831*4882a593Smuzhiyun *
832*4882a593Smuzhiyun * Named session keyrings are joined with a semaphore held to prevent the
833*4882a593Smuzhiyun * keyrings from going away whilst the attempt is made to join them and also
834*4882a593Smuzhiyun * to prevent a race in creating compatible session keyrings.
835*4882a593Smuzhiyun */
/*
 * Return contract, as visible in the body:
 *   - name == NULL: serial of the freshly installed anonymous keyring, or a
 *     negative errno.
 *   - name != NULL: serial of the keyring that was joined or created, 0 if the
 *     named keyring is already this task's session keyring, or a negative
 *     errno.
 *
 * All changes are staged on a new cred and are either committed or aborted
 * before returning.
 *
 * NOTE(review): no permission check on joining an existing named keyring is
 * visible in this function; presumably find_keyring_by_name() enforces it -
 * confirm there before relying on it.
 */
long join_session_keyring(const char *name)
{
	const struct cred *cur;
	struct cred *pending;
	struct key *session;
	long rc;

	pending = prepare_creds();
	if (!pending)
		return -ENOMEM;
	cur = current_cred();

	/* No name given: install an anonymous keyring and report its serial. */
	if (!name) {
		long new_serial;

		rc = install_session_keyring_to_cred(pending, NULL);
		if (rc < 0)
			goto abort;

		/* Capture the serial before the cred is handed to commit_creds(). */
		new_serial = pending->session_keyring->serial;
		rc = commit_creds(pending);
		return rc == 0 ? new_serial : rc;
	}

	/*
	 * Named keyring: the find-or-create sequence runs under
	 * key_session_mutex so that two joiners cannot race to create a
	 * keyring of the same name.
	 */
	mutex_lock(&key_session_mutex);

	session = find_keyring_by_name(name, false);
	if (PTR_ERR(session) == -ENOKEY) {
		/*
		 * Nothing of that name: create one with the caller's uid/gid.
		 * The mask grants the possessor everything and the owning
		 * user view, read and link; no group or other bits are set.
		 */
		session = keyring_alloc(name, cur->uid, cur->gid, cur,
					KEY_POS_ALL | KEY_USR_VIEW |
					KEY_USR_READ | KEY_USR_LINK,
					KEY_ALLOC_IN_QUOTA, NULL, NULL);
		if (IS_ERR(session)) {
			rc = PTR_ERR(session);
			goto unlock;
		}
	} else {
		if (IS_ERR(session)) {
			rc = PTR_ERR(session);
			goto unlock;
		}
		if (session == pending->session_keyring) {
			/*
			 * Already the session keyring: report 0, but still go
			 * through key_put() so the lookup's reference is not
			 * left behind (presumably find_keyring_by_name()
			 * returns a referenced key - confirm).
			 */
			rc = 0;
			goto put_keyring;
		}
	}

	/* A keyring is in hand - stage it on the new cred and commit. */
	rc = install_session_keyring_to_cred(pending, session);
	if (rc < 0)
		goto put_keyring;

	commit_creds(pending);
	mutex_unlock(&key_session_mutex);

	rc = session->serial;
	key_put(session);
	return rc;

put_keyring:
	key_put(session);
unlock:
	mutex_unlock(&key_session_mutex);
abort:
	abort_creds(pending);
	return rc;
}
905*4882a593Smuzhiyun
906*4882a593Smuzhiyun /*
907*4882a593Smuzhiyun * Replace a process's session keyring on behalf of one of its children when
908*4882a593Smuzhiyun * the target process is about to resume userspace execution.
909*4882a593Smuzhiyun */
/*
 * @twork is the 'rcu' member of a prepared struct cred; the enclosing cred is
 * recovered with container_of() and committed to the current task.
 *
 * Every identity, group, capability and thread/process keyring field assigned
 * below is taken from the task's current cred.  session_keyring is not
 * assigned here, so whatever the cred passed in already holds for it is what
 * gets committed.
 */
void key_change_session_keyring(struct callback_head *twork)
{
	const struct cred *cur = current_cred();
	struct cred *incoming = container_of(twork, struct cred, rcu);

	/* The task is exiting: release the prepared cred without installing it. */
	if (unlikely(current->flags & PF_EXITING)) {
		put_cred(incoming);
		return;
	}

	/* User and group identities come from the current cred. */
	incoming->uid = cur->uid;
	incoming->euid = cur->euid;
	incoming->suid = cur->suid;
	incoming->fsuid = cur->fsuid;
	incoming->gid = cur->gid;
	incoming->egid = cur->egid;
	incoming->sgid = cur->sgid;
	incoming->fsgid = cur->fsgid;

	/* Shared objects are taken through their get_*() helpers. */
	incoming->user = get_uid(cur->user);
	incoming->user_ns = get_user_ns(cur->user_ns);
	incoming->group_info = get_group_info(cur->group_info);

	/* Securebits and all capability sets are likewise carried over. */
	incoming->securebits = cur->securebits;
	incoming->cap_inheritable = cur->cap_inheritable;
	incoming->cap_permitted = cur->cap_permitted;
	incoming->cap_effective = cur->cap_effective;
	incoming->cap_ambient = cur->cap_ambient;
	incoming->cap_bset = cur->cap_bset;

	/* Thread and process keyrings stay as they are in the current cred. */
	incoming->jit_keyring = cur->jit_keyring;
	incoming->thread_keyring = key_get(cur->thread_keyring);
	incoming->process_keyring = key_get(cur->process_keyring);

	/* Let the security module carry its state across before the commit. */
	security_transfer_creds(incoming, cur);

	commit_creds(incoming);
}
947*4882a593Smuzhiyun
948*4882a593Smuzhiyun /*
949*4882a593Smuzhiyun * Make sure that root's user and user-session keyrings exist.
950*4882a593Smuzhiyun */
/*
 * Boot-time hook: calls look_up_user_keyrings() with both output pointers
 * NULL, so only its return code is used.
 */
static int __init init_root_keyring(void)
{
	int rc = look_up_user_keyrings(NULL, NULL);

	return rc;
}

/* Registered to run as a late initcall. */
late_initcall(init_root_keyring);