linux/security/keys/keyctl.c
<<
>>
Prefs
   1/* keyctl.c: userspace keyctl operations
   2 *
   3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
   4 * Written by David Howells (dhowells@redhat.com)
   5 *
   6 * This program is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU General Public License
   8 * as published by the Free Software Foundation; either version
   9 * 2 of the License, or (at your option) any later version.
  10 */
  11
  12#include <linux/module.h>
  13#include <linux/init.h>
  14#include <linux/sched.h>
  15#include <linux/slab.h>
  16#include <linux/syscalls.h>
  17#include <linux/keyctl.h>
  18#include <linux/fs.h>
  19#include <linux/capability.h>
  20#include <linux/string.h>
  21#include <linux/err.h>
  22#include <linux/vmalloc.h>
  23#include <linux/security.h>
  24#include <asm/uaccess.h>
  25#include "internal.h"
  26
  27static int key_get_type_from_user(char *type,
  28                                  const char __user *_type,
  29                                  unsigned len)
  30{
  31        int ret;
  32
  33        ret = strncpy_from_user(type, _type, len);
  34
  35        if (ret < 0)
  36                return -EFAULT;
  37
  38        if (ret == 0 || ret >= len)
  39                return -EINVAL;
  40
  41        if (type[0] == '.')
  42                return -EPERM;
  43
  44        type[len - 1] = '\0';
  45
  46        return 0;
  47}
  48
  49/*****************************************************************************/
  50/*
  51 * extract the description of a new key from userspace and either add it as a
  52 * new key to the specified keyring or update a matching key in that keyring
  53 * - the keyring must be writable
  54 * - returns the new key's serial number
  55 * - implements add_key()
  56 */
  57SYSCALL_DEFINE5(add_key, const char __user *, _type,
  58                const char __user *, _description,
  59                const void __user *, _payload,
  60                size_t, plen,
  61                key_serial_t, ringid)
  62{
  63        key_ref_t keyring_ref, key_ref;
  64        char type[32], *description;
  65        void *payload;
  66        long ret;
  67        bool vm;
  68
  69        ret = -EINVAL;
  70        if (plen > 1024 * 1024 - 1)
  71                goto error;
  72
  73        /* draw all the data into kernel space */
  74        ret = key_get_type_from_user(type, _type, sizeof(type));
  75        if (ret < 0)
  76                goto error;
  77
  78        description = strndup_user(_description, PAGE_SIZE);
  79        if (IS_ERR(description)) {
  80                ret = PTR_ERR(description);
  81                goto error;
  82        }
  83
  84        /* pull the payload in if one was supplied */
  85        payload = NULL;
  86
  87        vm = false;
  88        if (_payload) {
  89                ret = -ENOMEM;
  90                payload = kmalloc(plen, GFP_KERNEL);
  91                if (!payload) {
  92                        if (plen <= PAGE_SIZE)
  93                                goto error2;
  94                        vm = true;
  95                        payload = vmalloc(plen);
  96                        if (!payload)
  97                                goto error2;
  98                }
  99
 100                ret = -EFAULT;
 101                if (copy_from_user(payload, _payload, plen) != 0)
 102                        goto error3;
 103        }
 104
 105        /* find the target keyring (which must be writable) */
 106        keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
 107        if (IS_ERR(keyring_ref)) {
 108                ret = PTR_ERR(keyring_ref);
 109                goto error3;
 110        }
 111
 112        /* create or update the requested key and add it to the target
 113         * keyring */
 114        key_ref = key_create_or_update(keyring_ref, type, description,
 115                                       payload, plen, KEY_PERM_UNDEF,
 116                                       KEY_ALLOC_IN_QUOTA);
 117        if (!IS_ERR(key_ref)) {
 118                ret = key_ref_to_ptr(key_ref)->serial;
 119                key_ref_put(key_ref);
 120        }
 121        else {
 122                ret = PTR_ERR(key_ref);
 123        }
 124
 125        key_ref_put(keyring_ref);
 126 error3:
 127        if (!vm)
 128                kfree(payload);
 129        else
 130                vfree(payload);
 131 error2:
 132        kfree(description);
 133 error:
 134        return ret;
 135
 136} /* end sys_add_key() */
 137
 138/*****************************************************************************/
 139/*
 140 * search the process keyrings for a matching key
 141 * - nested keyrings may also be searched if they have Search permission
 142 * - if a key is found, it will be attached to the destination keyring if
 143 *   there's one specified
 144 * - /sbin/request-key will be invoked if _callout_info is non-NULL
 145 *   - the _callout_info string will be passed to /sbin/request-key
 146 *   - if the _callout_info string is empty, it will be rendered as "-"
 147 * - implements request_key()
 148 */
 149SYSCALL_DEFINE4(request_key, const char __user *, _type,
 150                const char __user *, _description,
 151                const char __user *, _callout_info,
 152                key_serial_t, destringid)
 153{
 154        struct key_type *ktype;
 155        struct key *key;
 156        key_ref_t dest_ref;
 157        size_t callout_len;
 158        char type[32], *description, *callout_info;
 159        long ret;
 160
 161        /* pull the type into kernel space */
 162        ret = key_get_type_from_user(type, _type, sizeof(type));
 163        if (ret < 0)
 164                goto error;
 165
 166        /* pull the description into kernel space */
 167        description = strndup_user(_description, PAGE_SIZE);
 168        if (IS_ERR(description)) {
 169                ret = PTR_ERR(description);
 170                goto error;
 171        }
 172
 173        /* pull the callout info into kernel space */
 174        callout_info = NULL;
 175        callout_len = 0;
 176        if (_callout_info) {
 177                callout_info = strndup_user(_callout_info, PAGE_SIZE);
 178                if (IS_ERR(callout_info)) {
 179                        ret = PTR_ERR(callout_info);
 180                        goto error2;
 181                }
 182                callout_len = strlen(callout_info);
 183        }
 184
 185        /* get the destination keyring if specified */
 186        dest_ref = NULL;
 187        if (destringid) {
 188                dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE,
 189                                           KEY_WRITE);
 190                if (IS_ERR(dest_ref)) {
 191                        ret = PTR_ERR(dest_ref);
 192                        goto error3;
 193                }
 194        }
 195
 196        /* find the key type */
 197        ktype = key_type_lookup(type);
 198        if (IS_ERR(ktype)) {
 199                ret = PTR_ERR(ktype);
 200                goto error4;
 201        }
 202
 203        /* do the search */
 204        key = request_key_and_link(ktype, description, callout_info,
 205                                   callout_len, NULL, key_ref_to_ptr(dest_ref),
 206                                   KEY_ALLOC_IN_QUOTA);
 207        if (IS_ERR(key)) {
 208                ret = PTR_ERR(key);
 209                goto error5;
 210        }
 211
 212        ret = key->serial;
 213
 214        key_put(key);
 215 error5:
 216        key_type_put(ktype);
 217 error4:
 218        key_ref_put(dest_ref);
 219 error3:
 220        kfree(callout_info);
 221 error2:
 222        kfree(description);
 223 error:
 224        return ret;
 225
 226} /* end sys_request_key() */
 227
 228/*****************************************************************************/
 229/*
 230 * get the ID of the specified process keyring
 231 * - the keyring must have search permission to be found
 232 * - implements keyctl(KEYCTL_GET_KEYRING_ID)
 233 */
 234long keyctl_get_keyring_ID(key_serial_t id, int create)
 235{
 236        key_ref_t key_ref;
 237        unsigned long lflags;
 238        long ret;
 239
 240        lflags = create ? KEY_LOOKUP_CREATE : 0;
 241        key_ref = lookup_user_key(id, lflags, KEY_SEARCH);
 242        if (IS_ERR(key_ref)) {
 243                ret = PTR_ERR(key_ref);
 244                goto error;
 245        }
 246
 247        ret = key_ref_to_ptr(key_ref)->serial;
 248        key_ref_put(key_ref);
 249 error:
 250        return ret;
 251
 252} /* end keyctl_get_keyring_ID() */
 253
 254/*****************************************************************************/
 255/*
 256 * join the session keyring
 257 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING)
 258 */
 259long keyctl_join_session_keyring(const char __user *_name)
 260{
 261        char *name;
 262        long ret;
 263
 264        /* fetch the name from userspace */
 265        name = NULL;
 266        if (_name) {
 267                name = strndup_user(_name, PAGE_SIZE);
 268                if (IS_ERR(name)) {
 269                        ret = PTR_ERR(name);
 270                        goto error;
 271                }
 272        }
 273
 274        /* join the session */
 275        ret = join_session_keyring(name);
 276        kfree(name);
 277
 278 error:
 279        return ret;
 280
 281} /* end keyctl_join_session_keyring() */
 282
 283/*****************************************************************************/
 284/*
 285 * update a key's data payload
 286 * - the key must be writable
 287 * - implements keyctl(KEYCTL_UPDATE)
 288 */
 289long keyctl_update_key(key_serial_t id,
 290                       const void __user *_payload,
 291                       size_t plen)
 292{
 293        key_ref_t key_ref;
 294        void *payload;
 295        long ret;
 296
 297        ret = -EINVAL;
 298        if (plen > PAGE_SIZE)
 299                goto error;
 300
 301        /* pull the payload in if one was supplied */
 302        payload = NULL;
 303        if (_payload) {
 304                ret = -ENOMEM;
 305                payload = kmalloc(plen, GFP_KERNEL);
 306                if (!payload)
 307                        goto error;
 308
 309                ret = -EFAULT;
 310                if (copy_from_user(payload, _payload, plen) != 0)
 311                        goto error2;
 312        }
 313
 314        /* find the target key (which must be writable) */
 315        key_ref = lookup_user_key(id, 0, KEY_WRITE);
 316        if (IS_ERR(key_ref)) {
 317                ret = PTR_ERR(key_ref);
 318                goto error2;
 319        }
 320
 321        /* update the key */
 322        ret = key_update(key_ref, payload, plen);
 323
 324        key_ref_put(key_ref);
 325 error2:
 326        kfree(payload);
 327 error:
 328        return ret;
 329
 330} /* end keyctl_update_key() */
 331
 332/*****************************************************************************/
 333/*
 334 * revoke a key
 335 * - the key must be writable
 336 * - implements keyctl(KEYCTL_REVOKE)
 337 */
 338long keyctl_revoke_key(key_serial_t id)
 339{
 340        key_ref_t key_ref;
 341        long ret;
 342
 343        key_ref = lookup_user_key(id, 0, KEY_WRITE);
 344        if (IS_ERR(key_ref)) {
 345                ret = PTR_ERR(key_ref);
 346                if (ret != -EACCES)
 347                        goto error;
 348                key_ref = lookup_user_key(id, 0, KEY_SETATTR);
 349                if (IS_ERR(key_ref)) {
 350                        ret = PTR_ERR(key_ref);
 351                        goto error;
 352                }
 353        }
 354
 355        key_revoke(key_ref_to_ptr(key_ref));
 356        ret = 0;
 357
 358        key_ref_put(key_ref);
 359 error:
 360        return ret;
 361
 362} /* end keyctl_revoke_key() */
 363
 364/*****************************************************************************/
 365/*
 366 * clear the specified process keyring
 367 * - the keyring must be writable
 368 * - implements keyctl(KEYCTL_CLEAR)
 369 */
 370long keyctl_keyring_clear(key_serial_t ringid)
 371{
 372        key_ref_t keyring_ref;
 373        long ret;
 374
 375        keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
 376        if (IS_ERR(keyring_ref)) {
 377                ret = PTR_ERR(keyring_ref);
 378                goto error;
 379        }
 380
 381        ret = keyring_clear(key_ref_to_ptr(keyring_ref));
 382
 383        key_ref_put(keyring_ref);
 384 error:
 385        return ret;
 386
 387} /* end keyctl_keyring_clear() */
 388
 389/*****************************************************************************/
 390/*
 391 * link a key into a keyring
 392 * - the keyring must be writable
 393 * - the key must be linkable
 394 * - implements keyctl(KEYCTL_LINK)
 395 */
 396long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
 397{
 398        key_ref_t keyring_ref, key_ref;
 399        long ret;
 400
 401        keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
 402        if (IS_ERR(keyring_ref)) {
 403                ret = PTR_ERR(keyring_ref);
 404                goto error;
 405        }
 406
 407        key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_LINK);
 408        if (IS_ERR(key_ref)) {
 409                ret = PTR_ERR(key_ref);
 410                goto error2;
 411        }
 412
 413        ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
 414
 415        key_ref_put(key_ref);
 416 error2:
 417        key_ref_put(keyring_ref);
 418 error:
 419        return ret;
 420
 421} /* end keyctl_keyring_link() */
 422
 423/*****************************************************************************/
 424/*
 425 * unlink the first attachment of a key from a keyring
 426 * - the keyring must be writable
 427 * - we don't need any permissions on the key
 428 * - implements keyctl(KEYCTL_UNLINK)
 429 */
 430long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
 431{
 432        key_ref_t keyring_ref, key_ref;
 433        long ret;
 434
 435        keyring_ref = lookup_user_key(ringid, 0, KEY_WRITE);
 436        if (IS_ERR(keyring_ref)) {
 437                ret = PTR_ERR(keyring_ref);
 438                goto error;
 439        }
 440
 441        key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0);
 442        if (IS_ERR(key_ref)) {
 443                ret = PTR_ERR(key_ref);
 444                goto error2;
 445        }
 446
 447        ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
 448
 449        key_ref_put(key_ref);
 450 error2:
 451        key_ref_put(keyring_ref);
 452 error:
 453        return ret;
 454
 455} /* end keyctl_keyring_unlink() */
 456
 457/*****************************************************************************/
 458/*
 459 * describe a user key
 460 * - the key must have view permission
 461 * - if there's a buffer, we place up to buflen bytes of data into it
 462 * - unless there's an error, we return the amount of description available,
 463 *   irrespective of how much we may have copied
 464 * - the description is formatted thus:
 465 *      type;uid;gid;perm;description<NUL>
 466 * - implements keyctl(KEYCTL_DESCRIBE)
 467 */
 468long keyctl_describe_key(key_serial_t keyid,
 469                         char __user *buffer,
 470                         size_t buflen)
 471{
 472        struct key *key, *instkey;
 473        key_ref_t key_ref;
 474        char *tmpbuf;
 475        long ret;
 476
 477        key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_VIEW);
 478        if (IS_ERR(key_ref)) {
 479                /* viewing a key under construction is permitted if we have the
 480                 * authorisation token handy */
 481                if (PTR_ERR(key_ref) == -EACCES) {
 482                        instkey = key_get_instantiation_authkey(keyid);
 483                        if (!IS_ERR(instkey)) {
 484                                key_put(instkey);
 485                                key_ref = lookup_user_key(keyid,
 486                                                          KEY_LOOKUP_PARTIAL,
 487                                                          0);
 488                                if (!IS_ERR(key_ref))
 489                                        goto okay;
 490                        }
 491                }
 492
 493                ret = PTR_ERR(key_ref);
 494                goto error;
 495        }
 496
 497okay:
 498        /* calculate how much description we're going to return */
 499        ret = -ENOMEM;
 500        tmpbuf = kmalloc(PAGE_SIZE, GFP_KERNEL);
 501        if (!tmpbuf)
 502                goto error2;
 503
 504        key = key_ref_to_ptr(key_ref);
 505
 506        ret = snprintf(tmpbuf, PAGE_SIZE - 1,
 507                       "%s;%d;%d;%08x;%s",
 508                       key_ref_to_ptr(key_ref)->type->name,
 509                       key_ref_to_ptr(key_ref)->uid,
 510                       key_ref_to_ptr(key_ref)->gid,
 511                       key_ref_to_ptr(key_ref)->perm,
 512                       key_ref_to_ptr(key_ref)->description ?
 513                       key_ref_to_ptr(key_ref)->description : ""
 514                       );
 515
 516        /* include a NUL char at the end of the data */
 517        if (ret > PAGE_SIZE - 1)
 518                ret = PAGE_SIZE - 1;
 519        tmpbuf[ret] = 0;
 520        ret++;
 521
 522        /* consider returning the data */
 523        if (buffer && buflen > 0) {
 524                if (buflen > ret)
 525                        buflen = ret;
 526
 527                if (copy_to_user(buffer, tmpbuf, buflen) != 0)
 528                        ret = -EFAULT;
 529        }
 530
 531        kfree(tmpbuf);
 532 error2:
 533        key_ref_put(key_ref);
 534 error:
 535        return ret;
 536
 537} /* end keyctl_describe_key() */
 538
 539/*****************************************************************************/
 540/*
 541 * search the specified keyring for a matching key
 542 * - the start keyring must be searchable
 543 * - nested keyrings may also be searched if they are searchable
 544 * - only keys with search permission may be found
 545 * - if a key is found, it will be attached to the destination keyring if
 546 *   there's one specified
 547 * - implements keyctl(KEYCTL_SEARCH)
 548 */
 549long keyctl_keyring_search(key_serial_t ringid,
 550                           const char __user *_type,
 551                           const char __user *_description,
 552                           key_serial_t destringid)
 553{
 554        struct key_type *ktype;
 555        key_ref_t keyring_ref, key_ref, dest_ref;
 556        char type[32], *description;
 557        long ret;
 558
 559        /* pull the type and description into kernel space */
 560        ret = key_get_type_from_user(type, _type, sizeof(type));
 561        if (ret < 0)
 562                goto error;
 563
 564        description = strndup_user(_description, PAGE_SIZE);
 565        if (IS_ERR(description)) {
 566                ret = PTR_ERR(description);
 567                goto error;
 568        }
 569
 570        /* get the keyring at which to begin the search */
 571        keyring_ref = lookup_user_key(ringid, 0, KEY_SEARCH);
 572        if (IS_ERR(keyring_ref)) {
 573                ret = PTR_ERR(keyring_ref);
 574                goto error2;
 575        }
 576
 577        /* get the destination keyring if specified */
 578        dest_ref = NULL;
 579        if (destringid) {
 580                dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE,
 581                                           KEY_WRITE);
 582                if (IS_ERR(dest_ref)) {
 583                        ret = PTR_ERR(dest_ref);
 584                        goto error3;
 585                }
 586        }
 587
 588        /* find the key type */
 589        ktype = key_type_lookup(type);
 590        if (IS_ERR(ktype)) {
 591                ret = PTR_ERR(ktype);
 592                goto error4;
 593        }
 594
 595        /* do the search */
 596        key_ref = keyring_search(keyring_ref, ktype, description);
 597        if (IS_ERR(key_ref)) {
 598                ret = PTR_ERR(key_ref);
 599
 600                /* treat lack or presence of a negative key the same */
 601                if (ret == -EAGAIN)
 602                        ret = -ENOKEY;
 603                goto error5;
 604        }
 605
 606        /* link the resulting key to the destination keyring if we can */
 607        if (dest_ref) {
 608                ret = key_permission(key_ref, KEY_LINK);
 609                if (ret < 0)
 610                        goto error6;
 611
 612                ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref));
 613                if (ret < 0)
 614                        goto error6;
 615        }
 616
 617        ret = key_ref_to_ptr(key_ref)->serial;
 618
 619 error6:
 620        key_ref_put(key_ref);
 621 error5:
 622        key_type_put(ktype);
 623 error4:
 624        key_ref_put(dest_ref);
 625 error3:
 626        key_ref_put(keyring_ref);
 627 error2:
 628        kfree(description);
 629 error:
 630        return ret;
 631
 632} /* end keyctl_keyring_search() */
 633
 634/*****************************************************************************/
 635/*
 636 * read a user key's payload
 637 * - the keyring must be readable or the key must be searchable from the
 638 *   process's keyrings
 639 * - if there's a buffer, we place up to buflen bytes of data into it
 640 * - unless there's an error, we return the amount of data in the key,
 641 *   irrespective of how much we may have copied
 642 * - implements keyctl(KEYCTL_READ)
 643 */
 644long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
 645{
 646        struct key *key;
 647        key_ref_t key_ref;
 648        long ret;
 649
 650        /* find the key first */
 651        key_ref = lookup_user_key(keyid, 0, 0);
 652        if (IS_ERR(key_ref)) {
 653                ret = -ENOKEY;
 654                goto error;
 655        }
 656
 657        key = key_ref_to_ptr(key_ref);
 658
 659        /* see if we can read it directly */
 660        ret = key_permission(key_ref, KEY_READ);
 661        if (ret == 0)
 662                goto can_read_key;
 663        if (ret != -EACCES)
 664                goto error;
 665
 666        /* we can't; see if it's searchable from this process's keyrings
 667         * - we automatically take account of the fact that it may be
 668         *   dangling off an instantiation key
 669         */
 670        if (!is_key_possessed(key_ref)) {
 671                ret = -EACCES;
 672                goto error2;
 673        }
 674
 675        /* the key is probably readable - now try to read it */
 676 can_read_key:
 677        ret = key_validate(key);
 678        if (ret == 0) {
 679                ret = -EOPNOTSUPP;
 680                if (key->type->read) {
 681                        /* read the data with the semaphore held (since we
 682                         * might sleep) */
 683                        down_read(&key->sem);
 684                        ret = key->type->read(key, buffer, buflen);
 685                        up_read(&key->sem);
 686                }
 687        }
 688
 689 error2:
 690        key_put(key);
 691 error:
 692        return ret;
 693
 694} /* end keyctl_read_key() */
 695
 696/*****************************************************************************/
 697/*
 698 * change the ownership of a key
 699 * - the keyring owned by the changer
 700 * - if the uid or gid is -1, then that parameter is not changed
 701 * - implements keyctl(KEYCTL_CHOWN)
 702 */
 703long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
 704{
 705        struct key_user *newowner, *zapowner = NULL;
 706        struct key *key;
 707        key_ref_t key_ref;
 708        long ret;
 709
 710        ret = 0;
 711        if (uid == (uid_t) -1 && gid == (gid_t) -1)
 712                goto error;
 713
 714        key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
 715                                  KEY_SETATTR);
 716        if (IS_ERR(key_ref)) {
 717                ret = PTR_ERR(key_ref);
 718                goto error;
 719        }
 720
 721        key = key_ref_to_ptr(key_ref);
 722
 723        /* make the changes with the locks held to prevent chown/chown races */
 724        ret = -EACCES;
 725        down_write(&key->sem);
 726
 727        if (!capable(CAP_SYS_ADMIN)) {
 728                /* only the sysadmin can chown a key to some other UID */
 729                if (uid != (uid_t) -1 && key->uid != uid)
 730                        goto error_put;
 731
 732                /* only the sysadmin can set the key's GID to a group other
 733                 * than one of those that the current process subscribes to */
 734                if (gid != (gid_t) -1 && gid != key->gid && !in_group_p(gid))
 735                        goto error_put;
 736        }
 737
 738        /* change the UID */
 739        if (uid != (uid_t) -1 && uid != key->uid) {
 740                ret = -ENOMEM;
 741                newowner = key_user_lookup(uid, current_user_ns());
 742                if (!newowner)
 743                        goto error_put;
 744
 745                /* transfer the quota burden to the new user */
 746                if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
 747                        unsigned maxkeys = (uid == 0) ?
 748                                key_quota_root_maxkeys : key_quota_maxkeys;
 749                        unsigned maxbytes = (uid == 0) ?
 750                                key_quota_root_maxbytes : key_quota_maxbytes;
 751
 752                        spin_lock(&newowner->lock);
 753                        if (newowner->qnkeys + 1 >= maxkeys ||
 754                            newowner->qnbytes + key->quotalen >= maxbytes ||
 755                            newowner->qnbytes + key->quotalen <
 756                            newowner->qnbytes)
 757                                goto quota_overrun;
 758
 759                        newowner->qnkeys++;
 760                        newowner->qnbytes += key->quotalen;
 761                        spin_unlock(&newowner->lock);
 762
 763                        spin_lock(&key->user->lock);
 764                        key->user->qnkeys--;
 765                        key->user->qnbytes -= key->quotalen;
 766                        spin_unlock(&key->user->lock);
 767                }
 768
 769                atomic_dec(&key->user->nkeys);
 770                atomic_inc(&newowner->nkeys);
 771
 772                if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
 773                        atomic_dec(&key->user->nikeys);
 774                        atomic_inc(&newowner->nikeys);
 775                }
 776
 777                zapowner = key->user;
 778                key->user = newowner;
 779                key->uid = uid;
 780        }
 781
 782        /* change the GID */
 783        if (gid != (gid_t) -1)
 784                key->gid = gid;
 785
 786        ret = 0;
 787
 788error_put:
 789        up_write(&key->sem);
 790        key_put(key);
 791        if (zapowner)
 792                key_user_put(zapowner);
 793error:
 794        return ret;
 795
 796quota_overrun:
 797        spin_unlock(&newowner->lock);
 798        zapowner = newowner;
 799        ret = -EDQUOT;
 800        goto error_put;
 801
 802} /* end keyctl_chown_key() */
 803
 804/*****************************************************************************/
 805/*
 806 * change the permission mask on a key
 807 * - the keyring owned by the changer
 808 * - implements keyctl(KEYCTL_SETPERM)
 809 */
 810long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
 811{
 812        struct key *key;
 813        key_ref_t key_ref;
 814        long ret;
 815
 816        ret = -EINVAL;
 817        if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
 818                goto error;
 819
 820        key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
 821                                  KEY_SETATTR);
 822        if (IS_ERR(key_ref)) {
 823                ret = PTR_ERR(key_ref);
 824                goto error;
 825        }
 826
 827        key = key_ref_to_ptr(key_ref);
 828
 829        /* make the changes with the locks held to prevent chown/chmod races */
 830        ret = -EACCES;
 831        down_write(&key->sem);
 832
 833        /* if we're not the sysadmin, we can only change a key that we own */
 834        if (capable(CAP_SYS_ADMIN) || key->uid == current_fsuid()) {
 835                key->perm = perm;
 836                ret = 0;
 837        }
 838
 839        up_write(&key->sem);
 840        key_put(key);
 841error:
 842        return ret;
 843
 844} /* end keyctl_setperm_key() */
 845
 846/*
 847 * get the destination keyring for instantiation
 848 */
 849static long get_instantiation_keyring(key_serial_t ringid,
 850                                      struct request_key_auth *rka,
 851                                      struct key **_dest_keyring)
 852{
 853        key_ref_t dkref;
 854
 855        *_dest_keyring = NULL;
 856
 857        /* just return a NULL pointer if we weren't asked to make a link */
 858        if (ringid == 0)
 859                return 0;
 860
 861        /* if a specific keyring is nominated by ID, then use that */
 862        if (ringid > 0) {
 863                dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
 864                if (IS_ERR(dkref))
 865                        return PTR_ERR(dkref);
 866                *_dest_keyring = key_ref_to_ptr(dkref);
 867                return 0;
 868        }
 869
 870        if (ringid == KEY_SPEC_REQKEY_AUTH_KEY)
 871                return -EINVAL;
 872
 873        /* otherwise specify the destination keyring recorded in the
 874         * authorisation key (any KEY_SPEC_*_KEYRING) */
 875        if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) {
 876                *_dest_keyring = key_get(rka->dest_keyring);
 877                return 0;
 878        }
 879
 880        return -ENOKEY;
 881}
 882
 883/*
 884 * change the request_key authorisation key on the current process
 885 */
 886static int keyctl_change_reqkey_auth(struct key *key)
 887{
 888        struct cred *new;
 889
 890        new = prepare_creds();
 891        if (!new)
 892                return -ENOMEM;
 893
 894        key_put(new->request_key_auth);
 895        new->request_key_auth = key_get(key);
 896
 897        return commit_creds(new);
 898}
 899
 900/*****************************************************************************/
 901/*
 902 * instantiate the key with the specified payload, and, if one is given, link
 903 * the key into the keyring
 904 */
 905long keyctl_instantiate_key(key_serial_t id,
 906                            const void __user *_payload,
 907                            size_t plen,
 908                            key_serial_t ringid)
 909{
 910        const struct cred *cred = current_cred();
 911        struct request_key_auth *rka;
 912        struct key *instkey, *dest_keyring;
 913        void *payload;
 914        long ret;
 915        bool vm = false;
 916
 917        kenter("%d,,%zu,%d", id, plen, ringid);
 918
 919        ret = -EINVAL;
 920        if (plen > 1024 * 1024 - 1)
 921                goto error;
 922
 923        /* the appropriate instantiation authorisation key must have been
 924         * assumed before calling this */
 925        ret = -EPERM;
 926        instkey = cred->request_key_auth;
 927        if (!instkey)
 928                goto error;
 929
 930        rka = instkey->payload.data;
 931        if (rka->target_key->serial != id)
 932                goto error;
 933
 934        /* pull the payload in if one was supplied */
 935        payload = NULL;
 936
 937        if (_payload) {
 938                ret = -ENOMEM;
 939                payload = kmalloc(plen, GFP_KERNEL);
 940                if (!payload) {
 941                        if (plen <= PAGE_SIZE)
 942                                goto error;
 943                        vm = true;
 944                        payload = vmalloc(plen);
 945                        if (!payload)
 946                                goto error;
 947                }
 948
 949                ret = -EFAULT;
 950                if (copy_from_user(payload, _payload, plen) != 0)
 951                        goto error2;
 952        }
 953
 954        /* find the destination keyring amongst those belonging to the
 955         * requesting task */
 956        ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
 957        if (ret < 0)
 958                goto error2;
 959
 960        /* instantiate the key and link it into a keyring */
 961        ret = key_instantiate_and_link(rka->target_key, payload, plen,
 962                                       dest_keyring, instkey);
 963
 964        key_put(dest_keyring);
 965
 966        /* discard the assumed authority if it's just been disabled by
 967         * instantiation of the key */
 968        if (ret == 0)
 969                keyctl_change_reqkey_auth(NULL);
 970
 971error2:
 972        if (!vm)
 973                kfree(payload);
 974        else
 975                vfree(payload);
 976error:
 977        return ret;
 978
 979} /* end keyctl_instantiate_key() */
 980
 981/*****************************************************************************/
 982/*
 983 * negatively instantiate the key with the given timeout (in seconds), and, if
 984 * one is given, link the key into the keyring
 985 */
 986long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
 987{
 988        const struct cred *cred = current_cred();
 989        struct request_key_auth *rka;
 990        struct key *instkey, *dest_keyring;
 991        long ret;
 992
 993        kenter("%d,%u,%d", id, timeout, ringid);
 994
 995        /* the appropriate instantiation authorisation key must have been
 996         * assumed before calling this */
 997        ret = -EPERM;
 998        instkey = cred->request_key_auth;
 999        if (!instkey)
1000                goto error;
1001
1002        rka = instkey->payload.data;
1003        if (rka->target_key->serial != id)
1004                goto error;
1005
1006        /* find the destination keyring if present (which must also be
1007         * writable) */
1008        ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
1009        if (ret < 0)
1010                goto error;
1011
1012        /* instantiate the key and link it into a keyring */
1013        ret = key_negate_and_link(rka->target_key, timeout,
1014                                  dest_keyring, instkey);
1015
1016        key_put(dest_keyring);
1017
1018        /* discard the assumed authority if it's just been disabled by
1019         * instantiation of the key */
1020        if (ret == 0)
1021                keyctl_change_reqkey_auth(NULL);
1022
1023error:
1024        return ret;
1025
1026} /* end keyctl_negate_key() */
1027
1028/*****************************************************************************/
1029/*
1030 * set the default keyring in which request_key() will cache keys
1031 * - return the old setting
1032 */
1033long keyctl_set_reqkey_keyring(int reqkey_defl)
1034{
1035        struct cred *new;
1036        int ret, old_setting;
1037
1038        old_setting = current_cred_xxx(jit_keyring);
1039
1040        if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE)
1041                return old_setting;
1042
1043        new = prepare_creds();
1044        if (!new)
1045                return -ENOMEM;
1046
1047        switch (reqkey_defl) {
1048        case KEY_REQKEY_DEFL_THREAD_KEYRING:
1049                ret = install_thread_keyring_to_cred(new);
1050                if (ret < 0)
1051                        goto error;
1052                goto set;
1053
1054        case KEY_REQKEY_DEFL_PROCESS_KEYRING:
1055                ret = install_process_keyring_to_cred(new);
1056                if (ret < 0) {
1057                        if (ret != -EEXIST)
1058                                goto error;
1059                        ret = 0;
1060                }
1061                goto set;
1062
1063        case KEY_REQKEY_DEFL_DEFAULT:
1064        case KEY_REQKEY_DEFL_SESSION_KEYRING:
1065        case KEY_REQKEY_DEFL_USER_KEYRING:
1066        case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
1067        case KEY_REQKEY_DEFL_REQUESTOR_KEYRING:
1068                goto set;
1069
1070        case KEY_REQKEY_DEFL_NO_CHANGE:
1071        case KEY_REQKEY_DEFL_GROUP_KEYRING:
1072        default:
1073                ret = -EINVAL;
1074                goto error;
1075        }
1076
1077set:
1078        new->jit_keyring = reqkey_defl;
1079        commit_creds(new);
1080        return old_setting;
1081error:
1082        abort_creds(new);
1083        return -EINVAL;
1084
1085} /* end keyctl_set_reqkey_keyring() */
1086
1087/*****************************************************************************/
1088/*
1089 * set or clear the timeout for a key
1090 */
1091long keyctl_set_timeout(key_serial_t id, unsigned timeout)
1092{
1093        struct timespec now;
1094        struct key *key;
1095        key_ref_t key_ref;
1096        time_t expiry;
1097        long ret;
1098
1099        key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
1100                                  KEY_SETATTR);
1101        if (IS_ERR(key_ref)) {
1102                ret = PTR_ERR(key_ref);
1103                goto error;
1104        }
1105
1106        key = key_ref_to_ptr(key_ref);
1107
1108        /* make the changes with the locks held to prevent races */
1109        down_write(&key->sem);
1110
1111        expiry = 0;
1112        if (timeout > 0) {
1113                now = current_kernel_time();
1114                expiry = now.tv_sec + timeout;
1115        }
1116
1117        key->expiry = expiry;
1118        key_schedule_gc(key->expiry + key_gc_delay);
1119
1120        up_write(&key->sem);
1121        key_put(key);
1122
1123        ret = 0;
1124error:
1125        return ret;
1126
1127} /* end keyctl_set_timeout() */
1128
1129/*****************************************************************************/
1130/*
1131 * assume the authority to instantiate the specified key
1132 */
1133long keyctl_assume_authority(key_serial_t id)
1134{
1135        struct key *authkey;
1136        long ret;
1137
1138        /* special key IDs aren't permitted */
1139        ret = -EINVAL;
1140        if (id < 0)
1141                goto error;
1142
1143        /* we divest ourselves of authority if given an ID of 0 */
1144        if (id == 0) {
1145                ret = keyctl_change_reqkey_auth(NULL);
1146                goto error;
1147        }
1148
1149        /* attempt to assume the authority temporarily granted to us whilst we
1150         * instantiate the specified key
1151         * - the authorisation key must be in the current task's keyrings
1152         *   somewhere
1153         */
1154        authkey = key_get_instantiation_authkey(id);
1155        if (IS_ERR(authkey)) {
1156                ret = PTR_ERR(authkey);
1157                goto error;
1158        }
1159
1160        ret = keyctl_change_reqkey_auth(authkey);
1161        if (ret < 0)
1162                goto error;
1163        key_put(authkey);
1164
1165        ret = authkey->serial;
1166error:
1167        return ret;
1168
1169} /* end keyctl_assume_authority() */
1170
1171/*
1172 * get the security label of a key
1173 * - the key must grant us view permission
1174 * - if there's a buffer, we place up to buflen bytes of data into it
1175 * - unless there's an error, we return the amount of information available,
1176 *   irrespective of how much we may have copied (including the terminal NUL)
1177 * - implements keyctl(KEYCTL_GET_SECURITY)
1178 */
1179long keyctl_get_security(key_serial_t keyid,
1180                         char __user *buffer,
1181                         size_t buflen)
1182{
1183        struct key *key, *instkey;
1184        key_ref_t key_ref;
1185        char *context;
1186        long ret;
1187
1188        key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_VIEW);
1189        if (IS_ERR(key_ref)) {
1190                if (PTR_ERR(key_ref) != -EACCES)
1191                        return PTR_ERR(key_ref);
1192
1193                /* viewing a key under construction is also permitted if we
1194                 * have the authorisation token handy */
1195                instkey = key_get_instantiation_authkey(keyid);
1196                if (IS_ERR(instkey))
1197                        return PTR_ERR(key_ref);
1198                key_put(instkey);
1199
1200                key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0);
1201                if (IS_ERR(key_ref))
1202                        return PTR_ERR(key_ref);
1203        }
1204
1205        key = key_ref_to_ptr(key_ref);
1206        ret = security_key_getsecurity(key, &context);
1207        if (ret == 0) {
1208                /* if no information was returned, give userspace an empty
1209                 * string */
1210                ret = 1;
1211                if (buffer && buflen > 0 &&
1212                    copy_to_user(buffer, "", 1) != 0)
1213                        ret = -EFAULT;
1214        } else if (ret > 0) {
1215                /* return as much data as there's room for */
1216                if (buffer && buflen > 0) {
1217                        if (buflen > ret)
1218                                buflen = ret;
1219
1220                        if (copy_to_user(buffer, context, buflen) != 0)
1221                                ret = -EFAULT;
1222                }
1223
1224                kfree(context);
1225        }
1226
1227        key_ref_put(key_ref);
1228        return ret;
1229}
1230
1231/*
1232 * attempt to install the calling process's session keyring on the process's
1233 * parent process
1234 * - the keyring must exist and must grant us LINK permission
1235 * - implements keyctl(KEYCTL_SESSION_TO_PARENT)
1236 */
1237long keyctl_session_to_parent(void)
1238{
1239        struct task_struct *me, *parent;
1240        const struct cred *mycred, *pcred;
1241        struct cred *cred, *oldcred;
1242        key_ref_t keyring_r;
1243        int ret;
1244
1245        keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_LINK);
1246        if (IS_ERR(keyring_r))
1247                return PTR_ERR(keyring_r);
1248
1249        /* our parent is going to need a new cred struct, a new tgcred struct
1250         * and new security data, so we allocate them here to prevent ENOMEM in
1251         * our parent */
1252        ret = -ENOMEM;
1253        cred = cred_alloc_blank();
1254        if (!cred)
1255                goto error_keyring;
1256
1257        cred->tgcred->session_keyring = key_ref_to_ptr(keyring_r);
1258        keyring_r = NULL;
1259
1260        me = current;
1261        write_lock_irq(&tasklist_lock);
1262
1263        parent = me->real_parent;
1264        ret = -EPERM;
1265
1266        /* the parent mustn't be init and mustn't be a kernel thread */
1267        if (parent->pid <= 1 || !parent->mm)
1268                goto not_permitted;
1269
1270        /* the parent must be single threaded */
1271        if (atomic_read(&parent->signal->count) != 1)
1272                goto not_permitted;
1273
1274        /* the parent and the child must have different session keyrings or
1275         * there's no point */
1276        mycred = current_cred();
1277        pcred = __task_cred(parent);
1278        if (mycred == pcred ||
1279            mycred->tgcred->session_keyring == pcred->tgcred->session_keyring)
1280                goto already_same;
1281
1282        /* the parent must have the same effective ownership and mustn't be
1283         * SUID/SGID */
1284        if (pcred-> uid != mycred->euid ||
1285            pcred->euid != mycred->euid ||
1286            pcred->suid != mycred->euid ||
1287            pcred-> gid != mycred->egid ||
1288            pcred->egid != mycred->egid ||
1289            pcred->sgid != mycred->egid)
1290                goto not_permitted;
1291
1292        /* the keyrings must have the same UID */
1293        if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
1294            mycred->tgcred->session_keyring->uid != mycred->euid)
1295                goto not_permitted;
1296
1297        /* the LSM must permit the replacement of the parent's keyring with the
1298         * keyring from this process */
1299        ret = security_key_session_to_parent(mycred, pcred,
1300                                             key_ref_to_ptr(keyring_r));
1301        if (ret < 0)
1302                goto not_permitted;
1303
1304        /* if there's an already pending keyring replacement, then we replace
1305         * that */
1306        oldcred = parent->replacement_session_keyring;
1307
1308        /* the replacement session keyring is applied just prior to userspace
1309         * restarting */
1310        parent->replacement_session_keyring = cred;
1311        cred = NULL;
1312        set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
1313
1314        write_unlock_irq(&tasklist_lock);
1315        if (oldcred)
1316                put_cred(oldcred);
1317        return 0;
1318
1319already_same:
1320        ret = 0;
1321not_permitted:
1322        write_unlock_irq(&tasklist_lock);
1323        put_cred(cred);
1324        return ret;
1325
1326error_keyring:
1327        key_ref_put(keyring_r);
1328        return ret;
1329}
1330
1331/*****************************************************************************/
1332/*
1333 * the key control system call
1334 */
1335SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1336                unsigned long, arg4, unsigned long, arg5)
1337{
1338        switch (option) {
1339        case KEYCTL_GET_KEYRING_ID:
1340                return keyctl_get_keyring_ID((key_serial_t) arg2,
1341                                             (int) arg3);
1342
1343        case KEYCTL_JOIN_SESSION_KEYRING:
1344                return keyctl_join_session_keyring((const char __user *) arg2);
1345
1346        case KEYCTL_UPDATE:
1347                return keyctl_update_key((key_serial_t) arg2,
1348                                         (const void __user *) arg3,
1349                                         (size_t) arg4);
1350
1351        case KEYCTL_REVOKE:
1352                return keyctl_revoke_key((key_serial_t) arg2);
1353
1354        case KEYCTL_DESCRIBE:
1355                return keyctl_describe_key((key_serial_t) arg2,
1356                                           (char __user *) arg3,
1357                                           (unsigned) arg4);
1358
1359        case KEYCTL_CLEAR:
1360                return keyctl_keyring_clear((key_serial_t) arg2);
1361
1362        case KEYCTL_LINK:
1363                return keyctl_keyring_link((key_serial_t) arg2,
1364                                           (key_serial_t) arg3);
1365
1366        case KEYCTL_UNLINK:
1367                return keyctl_keyring_unlink((key_serial_t) arg2,
1368                                             (key_serial_t) arg3);
1369
1370        case KEYCTL_SEARCH:
1371                return keyctl_keyring_search((key_serial_t) arg2,
1372                                             (const char __user *) arg3,
1373                                             (const char __user *) arg4,
1374                                             (key_serial_t) arg5);
1375
1376        case KEYCTL_READ:
1377                return keyctl_read_key((key_serial_t) arg2,
1378                                       (char __user *) arg3,
1379                                       (size_t) arg4);
1380
1381        case KEYCTL_CHOWN:
1382                return keyctl_chown_key((key_serial_t) arg2,
1383                                        (uid_t) arg3,
1384                                        (gid_t) arg4);
1385
1386        case KEYCTL_SETPERM:
1387                return keyctl_setperm_key((key_serial_t) arg2,
1388                                          (key_perm_t) arg3);
1389
1390        case KEYCTL_INSTANTIATE:
1391                return keyctl_instantiate_key((key_serial_t) arg2,
1392                                              (const void __user *) arg3,
1393                                              (size_t) arg4,
1394                                              (key_serial_t) arg5);
1395
1396        case KEYCTL_NEGATE:
1397                return keyctl_negate_key((key_serial_t) arg2,
1398                                         (unsigned) arg3,
1399                                         (key_serial_t) arg4);
1400
1401        case KEYCTL_SET_REQKEY_KEYRING:
1402                return keyctl_set_reqkey_keyring(arg2);
1403
1404        case KEYCTL_SET_TIMEOUT:
1405                return keyctl_set_timeout((key_serial_t) arg2,
1406                                          (unsigned) arg3);
1407
1408        case KEYCTL_ASSUME_AUTHORITY:
1409                return keyctl_assume_authority((key_serial_t) arg2);
1410
1411        case KEYCTL_GET_SECURITY:
1412                return keyctl_get_security((key_serial_t) arg2,
1413                                           (char __user *) arg3,
1414                                           (size_t) arg4);
1415
1416        case KEYCTL_SESSION_TO_PARENT:
1417                return keyctl_session_to_parent();
1418
1419        default:
1420                return -EOPNOTSUPP;
1421        }
1422
1423} /* end sys_keyctl() */
1424