1
2
3
4
5
6
7
8
9
10
11
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/sched.h>
15#include <linux/slab.h>
16#include <linux/security.h>
17#include <linux/seq_file.h>
18#include <linux/err.h>
19#include <keys/keyring-type.h>
20#include <keys/user-type.h>
21#include <linux/assoc_array_priv.h>
22#include <linux/uaccess.h>
23#include "internal.h"
24
25
26
27
28
29#define KEYRING_SEARCH_MAX_DEPTH 6
30
31
32
33
34#define KEYRING_NAME_HASH_SIZE (1 << 5)
35
36
37
38
39
40#define KEYRING_PTR_SUBTYPE 0x2UL
41
42static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x)
43{
44 return (unsigned long)x & KEYRING_PTR_SUBTYPE;
45}
46static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x)
47{
48 void *object = assoc_array_ptr_to_leaf(x);
49 return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE);
50}
51static inline void *keyring_key_to_ptr(struct key *key)
52{
53 if (key->type == &key_type_keyring)
54 return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE);
55 return key;
56}
57
58static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE];
59static DEFINE_RWLOCK(keyring_name_lock);
60
61static inline unsigned keyring_hash(const char *desc)
62{
63 unsigned bucket = 0;
64
65 for (; *desc; desc++)
66 bucket += (unsigned char)*desc;
67
68 return bucket & (KEYRING_NAME_HASH_SIZE - 1);
69}
70
71
72
73
74
75
76static int keyring_preparse(struct key_preparsed_payload *prep);
77static void keyring_free_preparse(struct key_preparsed_payload *prep);
78static int keyring_instantiate(struct key *keyring,
79 struct key_preparsed_payload *prep);
80static void keyring_revoke(struct key *keyring);
81static void keyring_destroy(struct key *keyring);
82static void keyring_describe(const struct key *keyring, struct seq_file *m);
83static long keyring_read(const struct key *keyring,
84 char __user *buffer, size_t buflen);
85
86struct key_type key_type_keyring = {
87 .name = "keyring",
88 .def_datalen = 0,
89 .preparse = keyring_preparse,
90 .free_preparse = keyring_free_preparse,
91 .instantiate = keyring_instantiate,
92 .revoke = keyring_revoke,
93 .destroy = keyring_destroy,
94 .describe = keyring_describe,
95 .read = keyring_read,
96};
97EXPORT_SYMBOL(key_type_keyring);
98
99
100
101
102
103static DECLARE_RWSEM(keyring_serialise_link_sem);
104
105
106
107
108
109static void keyring_publish_name(struct key *keyring)
110{
111 int bucket;
112
113 if (keyring->description) {
114 bucket = keyring_hash(keyring->description);
115
116 write_lock(&keyring_name_lock);
117
118 if (!keyring_name_hash[bucket].next)
119 INIT_LIST_HEAD(&keyring_name_hash[bucket]);
120
121 list_add_tail(&keyring->name_link,
122 &keyring_name_hash[bucket]);
123
124 write_unlock(&keyring_name_lock);
125 }
126}
127
128
129
130
131static int keyring_preparse(struct key_preparsed_payload *prep)
132{
133 return prep->datalen != 0 ? -EINVAL : 0;
134}
135
136
137
138
139static void keyring_free_preparse(struct key_preparsed_payload *prep)
140{
141}
142
143
144
145
146
147
148static int keyring_instantiate(struct key *keyring,
149 struct key_preparsed_payload *prep)
150{
151 assoc_array_init(&keyring->keys);
152
153 keyring_publish_name(keyring);
154 return 0;
155}
156
157
158
159
160
161static u64 mult_64x32_and_fold(u64 x, u32 y)
162{
163 u64 hi = (u64)(u32)(x >> 32) * y;
164 u64 lo = (u64)(u32)(x) * y;
165 return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32);
166}
167
168
169
170
171static unsigned long hash_key_type_and_desc(const struct keyring_index_key *index_key)
172{
173 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP;
174 const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK;
175 const char *description = index_key->description;
176 unsigned long hash, type;
177 u32 piece;
178 u64 acc;
179 int n, desc_len = index_key->desc_len;
180
181 type = (unsigned long)index_key->type;
182
183 acc = mult_64x32_and_fold(type, desc_len + 13);
184 acc = mult_64x32_and_fold(acc, 9207);
185 for (;;) {
186 n = desc_len;
187 if (n <= 0)
188 break;
189 if (n > 4)
190 n = 4;
191 piece = 0;
192 memcpy(&piece, description, n);
193 description += n;
194 desc_len -= n;
195 acc = mult_64x32_and_fold(acc, piece);
196 acc = mult_64x32_and_fold(acc, 9207);
197 }
198
199
200 hash = acc;
201 if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32)
202 hash ^= acc >> 32;
203
204
205
206
207
208 if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0)
209 return hash | (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1;
210 if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0)
211 return (hash + (hash << level_shift)) & ~fan_mask;
212 return hash;
213}
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230static unsigned long keyring_get_key_chunk(const void *data, int level)
231{
232 const struct keyring_index_key *index_key = data;
233 unsigned long chunk = 0;
234 long offset = 0;
235 int desc_len = index_key->desc_len, n = sizeof(chunk);
236
237 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE;
238 switch (level) {
239 case 0:
240 return hash_key_type_and_desc(index_key);
241 case 1:
242 return ((unsigned long)index_key->type << 8) | desc_len;
243 case 2:
244 if (desc_len == 0)
245 return (u8)((unsigned long)index_key->type >>
246 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8));
247 n--;
248 offset = 1;
249 default:
250 offset += sizeof(chunk) - 1;
251 offset += (level - 3) * sizeof(chunk);
252 if (offset >= desc_len)
253 return 0;
254 desc_len -= offset;
255 if (desc_len > n)
256 desc_len = n;
257 offset += desc_len;
258 do {
259 chunk <<= 8;
260 chunk |= ((u8*)index_key->description)[--offset];
261 } while (--desc_len > 0);
262
263 if (level == 2) {
264 chunk <<= 8;
265 chunk |= (u8)((unsigned long)index_key->type >>
266 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8));
267 }
268 return chunk;
269 }
270}
271
272static unsigned long keyring_get_object_key_chunk(const void *object, int level)
273{
274 const struct key *key = keyring_ptr_to_key(object);
275 return keyring_get_key_chunk(&key->index_key, level);
276}
277
278static bool keyring_compare_object(const void *object, const void *data)
279{
280 const struct keyring_index_key *index_key = data;
281 const struct key *key = keyring_ptr_to_key(object);
282
283 return key->index_key.type == index_key->type &&
284 key->index_key.desc_len == index_key->desc_len &&
285 memcmp(key->index_key.description, index_key->description,
286 index_key->desc_len) == 0;
287}
288
289
290
291
292
293static int keyring_diff_objects(const void *object, const void *data)
294{
295 const struct key *key_a = keyring_ptr_to_key(object);
296 const struct keyring_index_key *a = &key_a->index_key;
297 const struct keyring_index_key *b = data;
298 unsigned long seg_a, seg_b;
299 int level, i;
300
301 level = 0;
302 seg_a = hash_key_type_and_desc(a);
303 seg_b = hash_key_type_and_desc(b);
304 if ((seg_a ^ seg_b) != 0)
305 goto differ;
306
307
308
309
310
311 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8;
312 seg_a = a->desc_len;
313 seg_b = b->desc_len;
314 if ((seg_a ^ seg_b) != 0)
315 goto differ;
316
317
318 level++;
319 seg_a = (unsigned long)a->type;
320 seg_b = (unsigned long)b->type;
321 if ((seg_a ^ seg_b) != 0)
322 goto differ;
323
324 level += sizeof(unsigned long);
325 if (a->desc_len == 0)
326 goto same;
327
328 i = 0;
329 if (((unsigned long)a->description | (unsigned long)b->description) &
330 (sizeof(unsigned long) - 1)) {
331 do {
332 seg_a = *(unsigned long *)(a->description + i);
333 seg_b = *(unsigned long *)(b->description + i);
334 if ((seg_a ^ seg_b) != 0)
335 goto differ_plus_i;
336 i += sizeof(unsigned long);
337 } while (i < (a->desc_len & (sizeof(unsigned long) - 1)));
338 }
339
340 for (; i < a->desc_len; i++) {
341 seg_a = *(unsigned char *)(a->description + i);
342 seg_b = *(unsigned char *)(b->description + i);
343 if ((seg_a ^ seg_b) != 0)
344 goto differ_plus_i;
345 }
346
347same:
348 return -1;
349
350differ_plus_i:
351 level += i;
352differ:
353 i = level * 8 + __ffs(seg_a ^ seg_b);
354 return i;
355}
356
357
358
359
360static void keyring_free_object(void *object)
361{
362 key_put(keyring_ptr_to_key(object));
363}
364
365
366
367
368static const struct assoc_array_ops keyring_assoc_array_ops = {
369 .get_key_chunk = keyring_get_key_chunk,
370 .get_object_key_chunk = keyring_get_object_key_chunk,
371 .compare_object = keyring_compare_object,
372 .diff_objects = keyring_diff_objects,
373 .free_object = keyring_free_object,
374};
375
376
377
378
379
380
381
382
383
384
385static void keyring_destroy(struct key *keyring)
386{
387 if (keyring->description) {
388 write_lock(&keyring_name_lock);
389
390 if (keyring->name_link.next != NULL &&
391 !list_empty(&keyring->name_link))
392 list_del(&keyring->name_link);
393
394 write_unlock(&keyring_name_lock);
395 }
396
397 if (keyring->restrict_link) {
398 struct key_restriction *keyres = keyring->restrict_link;
399
400 key_put(keyres->key);
401 kfree(keyres);
402 }
403
404 assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops);
405}
406
407
408
409
410static void keyring_describe(const struct key *keyring, struct seq_file *m)
411{
412 if (keyring->description)
413 seq_puts(m, keyring->description);
414 else
415 seq_puts(m, "[anon]");
416
417 if (key_is_positive(keyring)) {
418 if (keyring->keys.nr_leaves_on_tree != 0)
419 seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree);
420 else
421 seq_puts(m, ": empty");
422 }
423}
424
425struct keyring_read_iterator_context {
426 size_t buflen;
427 size_t count;
428 key_serial_t __user *buffer;
429};
430
431static int keyring_read_iterator(const void *object, void *data)
432{
433 struct keyring_read_iterator_context *ctx = data;
434 const struct key *key = keyring_ptr_to_key(object);
435 int ret;
436
437 kenter("{%s,%d},,{%zu/%zu}",
438 key->type->name, key->serial, ctx->count, ctx->buflen);
439
440 if (ctx->count >= ctx->buflen)
441 return 1;
442
443 ret = put_user(key->serial, ctx->buffer);
444 if (ret < 0)
445 return ret;
446 ctx->buffer++;
447 ctx->count += sizeof(key->serial);
448 return 0;
449}
450
451
452
453
454
455
456
457
458static long keyring_read(const struct key *keyring,
459 char __user *buffer, size_t buflen)
460{
461 struct keyring_read_iterator_context ctx;
462 long ret;
463
464 kenter("{%d},,%zu", key_serial(keyring), buflen);
465
466 if (buflen & (sizeof(key_serial_t) - 1))
467 return -EINVAL;
468
469
470 if (buffer && buflen) {
471 ctx.buffer = (key_serial_t __user *)buffer;
472 ctx.buflen = buflen;
473 ctx.count = 0;
474 ret = assoc_array_iterate(&keyring->keys,
475 keyring_read_iterator, &ctx);
476 if (ret < 0) {
477 kleave(" = %ld [iterate]", ret);
478 return ret;
479 }
480 }
481
482
483 ret = keyring->keys.nr_leaves_on_tree * sizeof(key_serial_t);
484 if (ret <= buflen)
485 kleave("= %ld [ok]", ret);
486 else
487 kleave("= %ld [buffer too small]", ret);
488 return ret;
489}
490
491
492
493
494struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
495 const struct cred *cred, key_perm_t perm,
496 unsigned long flags,
497 struct key_restriction *restrict_link,
498 struct key *dest)
499{
500 struct key *keyring;
501 int ret;
502
503 keyring = key_alloc(&key_type_keyring, description,
504 uid, gid, cred, perm, flags, restrict_link);
505 if (!IS_ERR(keyring)) {
506 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
507 if (ret < 0) {
508 key_put(keyring);
509 keyring = ERR_PTR(ret);
510 }
511 }
512
513 return keyring;
514}
515EXPORT_SYMBOL(keyring_alloc);
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531int restrict_link_reject(struct key *keyring,
532 const struct key_type *type,
533 const union key_payload *payload,
534 struct key *restriction_key)
535{
536 return -EPERM;
537}
538
539
540
541
542bool key_default_cmp(const struct key *key,
543 const struct key_match_data *match_data)
544{
545 return strcmp(key->description, match_data->raw_data) == 0;
546}
547
548
549
550
551static int keyring_search_iterator(const void *object, void *iterator_data)
552{
553 struct keyring_search_context *ctx = iterator_data;
554 const struct key *key = keyring_ptr_to_key(object);
555 unsigned long kflags = READ_ONCE(key->flags);
556 short state = READ_ONCE(key->state);
557
558 kenter("{%d}", key->serial);
559
560
561 if (key->type != ctx->index_key.type) {
562 kleave(" = 0 [!type]");
563 return 0;
564 }
565
566
567 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
568 time64_t expiry = READ_ONCE(key->expiry);
569
570 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
571 (1 << KEY_FLAG_REVOKED))) {
572 ctx->result = ERR_PTR(-EKEYREVOKED);
573 kleave(" = %d [invrev]", ctx->skipped_ret);
574 goto skipped;
575 }
576
577 if (expiry && ctx->now >= expiry) {
578 if (!(ctx->flags & KEYRING_SEARCH_SKIP_EXPIRED))
579 ctx->result = ERR_PTR(-EKEYEXPIRED);
580 kleave(" = %d [expire]", ctx->skipped_ret);
581 goto skipped;
582 }
583 }
584
585
586 if (!ctx->match_data.cmp(key, &ctx->match_data)) {
587 kleave(" = 0 [!match]");
588 return 0;
589 }
590
591
592 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
593 key_task_permission(make_key_ref(key, ctx->possessed),
594 ctx->cred, KEY_NEED_SEARCH) < 0) {
595 ctx->result = ERR_PTR(-EACCES);
596 kleave(" = %d [!perm]", ctx->skipped_ret);
597 goto skipped;
598 }
599
600 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
601
602 if (state < 0) {
603 ctx->result = ERR_PTR(state);
604 kleave(" = %d [neg]", ctx->skipped_ret);
605 goto skipped;
606 }
607 }
608
609
610 ctx->result = make_key_ref(key, ctx->possessed);
611 kleave(" = 1 [found]");
612 return 1;
613
614skipped:
615 return ctx->skipped_ret;
616}
617
618
619
620
621
622
623static int search_keyring(struct key *keyring, struct keyring_search_context *ctx)
624{
625 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_DIRECT) {
626 const void *object;
627
628 object = assoc_array_find(&keyring->keys,
629 &keyring_assoc_array_ops,
630 &ctx->index_key);
631 return object ? ctx->iterator(object, ctx) : 0;
632 }
633 return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx);
634}
635
636
637
638
639
640static bool search_nested_keyrings(struct key *keyring,
641 struct keyring_search_context *ctx)
642{
643 struct {
644 struct key *keyring;
645 struct assoc_array_node *node;
646 int slot;
647 } stack[KEYRING_SEARCH_MAX_DEPTH];
648
649 struct assoc_array_shortcut *shortcut;
650 struct assoc_array_node *node;
651 struct assoc_array_ptr *ptr;
652 struct key *key;
653 int sp = 0, slot;
654
655 kenter("{%d},{%s,%s}",
656 keyring->serial,
657 ctx->index_key.type->name,
658 ctx->index_key.description);
659
660#define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK)
661 BUG_ON((ctx->flags & STATE_CHECKS) == 0 ||
662 (ctx->flags & STATE_CHECKS) == STATE_CHECKS);
663
664 if (ctx->index_key.description)
665 ctx->index_key.desc_len = strlen(ctx->index_key.description);
666
667
668
669
670 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE ||
671 keyring_compare_object(keyring, &ctx->index_key)) {
672 ctx->skipped_ret = 2;
673 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) {
674 case 1:
675 goto found;
676 case 2:
677 return false;
678 default:
679 break;
680 }
681 }
682
683 ctx->skipped_ret = 0;
684
685
686descend_to_keyring:
687 kdebug("descend to %d", keyring->serial);
688 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
689 (1 << KEY_FLAG_REVOKED)))
690 goto not_this_keyring;
691
692
693
694
695 if (search_keyring(keyring, ctx))
696 goto found;
697
698
699
700
701
702
703
704
705
706 ptr = READ_ONCE(keyring->keys.root);
707 if (!ptr)
708 goto not_this_keyring;
709
710 if (assoc_array_ptr_is_shortcut(ptr)) {
711
712
713
714
715 shortcut = assoc_array_ptr_to_shortcut(ptr);
716 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0)
717 goto not_this_keyring;
718
719 ptr = READ_ONCE(shortcut->next_node);
720 node = assoc_array_ptr_to_node(ptr);
721 goto begin_node;
722 }
723
724 node = assoc_array_ptr_to_node(ptr);
725 ptr = node->slots[0];
726 if (!assoc_array_ptr_is_meta(ptr))
727 goto begin_node;
728
729descend_to_node:
730
731
732
733 kdebug("descend");
734 if (assoc_array_ptr_is_shortcut(ptr)) {
735 shortcut = assoc_array_ptr_to_shortcut(ptr);
736 ptr = READ_ONCE(shortcut->next_node);
737 BUG_ON(!assoc_array_ptr_is_node(ptr));
738 }
739 node = assoc_array_ptr_to_node(ptr);
740
741begin_node:
742 kdebug("begin_node");
743 slot = 0;
744ascend_to_node:
745
746 for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) {
747 ptr = READ_ONCE(node->slots[slot]);
748
749 if (assoc_array_ptr_is_meta(ptr) && node->back_pointer)
750 goto descend_to_node;
751
752 if (!keyring_ptr_is_keyring(ptr))
753 continue;
754
755 key = keyring_ptr_to_key(ptr);
756
757 if (sp >= KEYRING_SEARCH_MAX_DEPTH) {
758 if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) {
759 ctx->result = ERR_PTR(-ELOOP);
760 return false;
761 }
762 goto not_this_keyring;
763 }
764
765
766 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
767 key_task_permission(make_key_ref(key, ctx->possessed),
768 ctx->cred, KEY_NEED_SEARCH) < 0)
769 continue;
770
771
772 stack[sp].keyring = keyring;
773 stack[sp].node = node;
774 stack[sp].slot = slot;
775 sp++;
776
777
778 keyring = key;
779 goto descend_to_keyring;
780 }
781
782
783
784
785 ptr = READ_ONCE(node->back_pointer);
786 slot = node->parent_slot;
787
788 if (ptr && assoc_array_ptr_is_shortcut(ptr)) {
789 shortcut = assoc_array_ptr_to_shortcut(ptr);
790 ptr = READ_ONCE(shortcut->back_pointer);
791 slot = shortcut->parent_slot;
792 }
793 if (!ptr)
794 goto not_this_keyring;
795 node = assoc_array_ptr_to_node(ptr);
796 slot++;
797
798
799
800
801
802 if (node->back_pointer) {
803 kdebug("ascend %d", slot);
804 goto ascend_to_node;
805 }
806
807
808
809
810not_this_keyring:
811 kdebug("not_this_keyring %d", sp);
812 if (sp <= 0) {
813 kleave(" = false");
814 return false;
815 }
816
817
818 sp--;
819 keyring = stack[sp].keyring;
820 node = stack[sp].node;
821 slot = stack[sp].slot + 1;
822 kdebug("ascend to %d [%d]", keyring->serial, slot);
823 goto ascend_to_node;
824
825
826found:
827 key = key_ref_to_ptr(ctx->result);
828 key_check(key);
829 if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) {
830 key->last_used_at = ctx->now;
831 keyring->last_used_at = ctx->now;
832 while (sp > 0)
833 stack[--sp].keyring->last_used_at = ctx->now;
834 }
835 kleave(" = true");
836 return true;
837}
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871key_ref_t keyring_search_aux(key_ref_t keyring_ref,
872 struct keyring_search_context *ctx)
873{
874 struct key *keyring;
875 long err;
876
877 ctx->iterator = keyring_search_iterator;
878 ctx->possessed = is_key_possessed(keyring_ref);
879 ctx->result = ERR_PTR(-EAGAIN);
880
881 keyring = key_ref_to_ptr(keyring_ref);
882 key_check(keyring);
883
884 if (keyring->type != &key_type_keyring)
885 return ERR_PTR(-ENOTDIR);
886
887 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) {
888 err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH);
889 if (err < 0)
890 return ERR_PTR(err);
891 }
892
893 rcu_read_lock();
894 ctx->now = ktime_get_real_seconds();
895 if (search_nested_keyrings(keyring, ctx))
896 __key_get(key_ref_to_ptr(ctx->result));
897 rcu_read_unlock();
898 return ctx->result;
899}
900
901
902
903
904
905
906
907
908
909
910key_ref_t keyring_search(key_ref_t keyring,
911 struct key_type *type,
912 const char *description)
913{
914 struct keyring_search_context ctx = {
915 .index_key.type = type,
916 .index_key.description = description,
917 .cred = current_cred(),
918 .match_data.cmp = key_default_cmp,
919 .match_data.raw_data = description,
920 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
921 .flags = KEYRING_SEARCH_DO_STATE_CHECK,
922 };
923 key_ref_t key;
924 int ret;
925
926 if (type->match_preparse) {
927 ret = type->match_preparse(&ctx.match_data);
928 if (ret < 0)
929 return ERR_PTR(ret);
930 }
931
932 key = keyring_search_aux(keyring, &ctx);
933
934 if (type->match_free)
935 type->match_free(&ctx.match_data);
936 return key;
937}
938EXPORT_SYMBOL(keyring_search);
939
940static struct key_restriction *keyring_restriction_alloc(
941 key_restrict_link_func_t check)
942{
943 struct key_restriction *keyres =
944 kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
945
946 if (!keyres)
947 return ERR_PTR(-ENOMEM);
948
949 keyres->check = check;
950
951 return keyres;
952}
953
954
955
956
957
958static DECLARE_RWSEM(keyring_serialise_restrict_sem);
959
960
961
962
963
964static bool keyring_detect_restriction_cycle(const struct key *dest_keyring,
965 struct key_restriction *keyres)
966{
967 while (keyres && keyres->key &&
968 keyres->key->type == &key_type_keyring) {
969 if (keyres->key == dest_keyring)
970 return true;
971
972 keyres = keyres->key->restrict_link;
973 }
974
975 return false;
976}
977
978
979
980
981
982
983
984int keyring_restrict(key_ref_t keyring_ref, const char *type,
985 const char *restriction)
986{
987 struct key *keyring;
988 struct key_type *restrict_type = NULL;
989 struct key_restriction *restrict_link;
990 int ret = 0;
991
992 keyring = key_ref_to_ptr(keyring_ref);
993 key_check(keyring);
994
995 if (keyring->type != &key_type_keyring)
996 return -ENOTDIR;
997
998 if (!type) {
999 restrict_link = keyring_restriction_alloc(restrict_link_reject);
1000 } else {
1001 restrict_type = key_type_lookup(type);
1002
1003 if (IS_ERR(restrict_type))
1004 return PTR_ERR(restrict_type);
1005
1006 if (!restrict_type->lookup_restriction) {
1007 ret = -ENOENT;
1008 goto error;
1009 }
1010
1011 restrict_link = restrict_type->lookup_restriction(restriction);
1012 }
1013
1014 if (IS_ERR(restrict_link)) {
1015 ret = PTR_ERR(restrict_link);
1016 goto error;
1017 }
1018
1019 down_write(&keyring->sem);
1020 down_write(&keyring_serialise_restrict_sem);
1021
1022 if (keyring->restrict_link)
1023 ret = -EEXIST;
1024 else if (keyring_detect_restriction_cycle(keyring, restrict_link))
1025 ret = -EDEADLK;
1026 else
1027 keyring->restrict_link = restrict_link;
1028
1029 up_write(&keyring_serialise_restrict_sem);
1030 up_write(&keyring->sem);
1031
1032 if (ret < 0) {
1033 key_put(restrict_link->key);
1034 kfree(restrict_link);
1035 }
1036
1037error:
1038 if (restrict_type)
1039 key_type_put(restrict_type);
1040
1041 return ret;
1042}
1043EXPORT_SYMBOL(keyring_restrict);
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059key_ref_t find_key_to_update(key_ref_t keyring_ref,
1060 const struct keyring_index_key *index_key)
1061{
1062 struct key *keyring, *key;
1063 const void *object;
1064
1065 keyring = key_ref_to_ptr(keyring_ref);
1066
1067 kenter("{%d},{%s,%s}",
1068 keyring->serial, index_key->type->name, index_key->description);
1069
1070 object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops,
1071 index_key);
1072
1073 if (object)
1074 goto found;
1075
1076 kleave(" = NULL");
1077 return NULL;
1078
1079found:
1080 key = keyring_ptr_to_key(object);
1081 if (key->flags & ((1 << KEY_FLAG_INVALIDATED) |
1082 (1 << KEY_FLAG_REVOKED))) {
1083 kleave(" = NULL [x]");
1084 return NULL;
1085 }
1086 __key_get(key);
1087 kleave(" = {%d}", key->serial);
1088 return make_key_ref(key, is_key_possessed(keyring_ref));
1089}
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102struct key *find_keyring_by_name(const char *name, bool uid_keyring)
1103{
1104 struct key *keyring;
1105 int bucket;
1106
1107 if (!name)
1108 return ERR_PTR(-EINVAL);
1109
1110 bucket = keyring_hash(name);
1111
1112 read_lock(&keyring_name_lock);
1113
1114 if (keyring_name_hash[bucket].next) {
1115
1116
1117 list_for_each_entry(keyring,
1118 &keyring_name_hash[bucket],
1119 name_link
1120 ) {
1121 if (!kuid_has_mapping(current_user_ns(), keyring->user->uid))
1122 continue;
1123
1124 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
1125 continue;
1126
1127 if (strcmp(keyring->description, name) != 0)
1128 continue;
1129
1130 if (uid_keyring) {
1131 if (!test_bit(KEY_FLAG_UID_KEYRING,
1132 &keyring->flags))
1133 continue;
1134 } else {
1135 if (key_permission(make_key_ref(keyring, 0),
1136 KEY_NEED_SEARCH) < 0)
1137 continue;
1138 }
1139
1140
1141
1142
1143 if (!refcount_inc_not_zero(&keyring->usage))
1144 continue;
1145 keyring->last_used_at = ktime_get_real_seconds();
1146 goto out;
1147 }
1148 }
1149
1150 keyring = ERR_PTR(-ENOKEY);
1151out:
1152 read_unlock(&keyring_name_lock);
1153 return keyring;
1154}
1155
1156static int keyring_detect_cycle_iterator(const void *object,
1157 void *iterator_data)
1158{
1159 struct keyring_search_context *ctx = iterator_data;
1160 const struct key *key = keyring_ptr_to_key(object);
1161
1162 kenter("{%d}", key->serial);
1163
1164
1165
1166 if (key != ctx->match_data.raw_data)
1167 return 0;
1168
1169 ctx->result = ERR_PTR(-EDEADLK);
1170 return 1;
1171}
1172
1173
1174
1175
1176
1177
1178
1179
1180static int keyring_detect_cycle(struct key *A, struct key *B)
1181{
1182 struct keyring_search_context ctx = {
1183 .index_key = A->index_key,
1184 .match_data.raw_data = A,
1185 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
1186 .iterator = keyring_detect_cycle_iterator,
1187 .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
1188 KEYRING_SEARCH_NO_UPDATE_TIME |
1189 KEYRING_SEARCH_NO_CHECK_PERM |
1190 KEYRING_SEARCH_DETECT_TOO_DEEP),
1191 };
1192
1193 rcu_read_lock();
1194 search_nested_keyrings(B, &ctx);
1195 rcu_read_unlock();
1196 return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result);
1197}
1198
1199
1200
1201
1202int __key_link_begin(struct key *keyring,
1203 const struct keyring_index_key *index_key,
1204 struct assoc_array_edit **_edit)
1205 __acquires(&keyring->sem)
1206 __acquires(&keyring_serialise_link_sem)
1207{
1208 struct assoc_array_edit *edit;
1209 int ret;
1210
1211 kenter("%d,%s,%s,",
1212 keyring->serial, index_key->type->name, index_key->description);
1213
1214 BUG_ON(index_key->desc_len == 0);
1215
1216 if (keyring->type != &key_type_keyring)
1217 return -ENOTDIR;
1218
1219 down_write(&keyring->sem);
1220
1221 ret = -EKEYREVOKED;
1222 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
1223 goto error_krsem;
1224
1225
1226
1227 if (index_key->type == &key_type_keyring)
1228 down_write(&keyring_serialise_link_sem);
1229
1230
1231
1232
1233 edit = assoc_array_insert(&keyring->keys,
1234 &keyring_assoc_array_ops,
1235 index_key,
1236 NULL);
1237 if (IS_ERR(edit)) {
1238 ret = PTR_ERR(edit);
1239 goto error_sem;
1240 }
1241
1242
1243
1244
1245 if (!edit->dead_leaf) {
1246 ret = key_payload_reserve(keyring,
1247 keyring->datalen + KEYQUOTA_LINK_BYTES);
1248 if (ret < 0)
1249 goto error_cancel;
1250 }
1251
1252 *_edit = edit;
1253 kleave(" = 0");
1254 return 0;
1255
1256error_cancel:
1257 assoc_array_cancel_edit(edit);
1258error_sem:
1259 if (index_key->type == &key_type_keyring)
1260 up_write(&keyring_serialise_link_sem);
1261error_krsem:
1262 up_write(&keyring->sem);
1263 kleave(" = %d", ret);
1264 return ret;
1265}
1266
1267
1268
1269
1270
1271
1272
1273int __key_link_check_live_key(struct key *keyring, struct key *key)
1274{
1275 if (key->type == &key_type_keyring)
1276
1277
1278 return keyring_detect_cycle(keyring, key);
1279 return 0;
1280}
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290void __key_link(struct key *key, struct assoc_array_edit **_edit)
1291{
1292 __key_get(key);
1293 assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key));
1294 assoc_array_apply_edit(*_edit);
1295 *_edit = NULL;
1296}
1297
1298
1299
1300
1301
1302
1303void __key_link_end(struct key *keyring,
1304 const struct keyring_index_key *index_key,
1305 struct assoc_array_edit *edit)
1306 __releases(&keyring->sem)
1307 __releases(&keyring_serialise_link_sem)
1308{
1309 BUG_ON(index_key->type == NULL);
1310 kenter("%d,%s,", keyring->serial, index_key->type->name);
1311
1312 if (index_key->type == &key_type_keyring)
1313 up_write(&keyring_serialise_link_sem);
1314
1315 if (edit) {
1316 if (!edit->dead_leaf) {
1317 key_payload_reserve(keyring,
1318 keyring->datalen - KEYQUOTA_LINK_BYTES);
1319 }
1320 assoc_array_cancel_edit(edit);
1321 }
1322 up_write(&keyring->sem);
1323}
1324
1325
1326
1327
1328static int __key_link_check_restriction(struct key *keyring, struct key *key)
1329{
1330 if (!keyring->restrict_link || !keyring->restrict_link->check)
1331 return 0;
1332 return keyring->restrict_link->check(keyring, key->type, &key->payload,
1333 keyring->restrict_link->key);
1334}
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356int key_link(struct key *keyring, struct key *key)
1357{
1358 struct assoc_array_edit *edit;
1359 int ret;
1360
1361 kenter("{%d,%d}", keyring->serial, refcount_read(&keyring->usage));
1362
1363 key_check(keyring);
1364 key_check(key);
1365
1366 ret = __key_link_begin(keyring, &key->index_key, &edit);
1367 if (ret == 0) {
1368 kdebug("begun {%d,%d}", keyring->serial, refcount_read(&keyring->usage));
1369 ret = __key_link_check_restriction(keyring, key);
1370 if (ret == 0)
1371 ret = __key_link_check_live_key(keyring, key);
1372 if (ret == 0)
1373 __key_link(key, &edit);
1374 __key_link_end(keyring, &key->index_key, edit);
1375 }
1376
1377 kleave(" = %d {%d,%d}", ret, keyring->serial, refcount_read(&keyring->usage));
1378 return ret;
1379}
1380EXPORT_SYMBOL(key_link);
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399int key_unlink(struct key *keyring, struct key *key)
1400{
1401 struct assoc_array_edit *edit;
1402 int ret;
1403
1404 key_check(keyring);
1405 key_check(key);
1406
1407 if (keyring->type != &key_type_keyring)
1408 return -ENOTDIR;
1409
1410 down_write(&keyring->sem);
1411
1412 edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops,
1413 &key->index_key);
1414 if (IS_ERR(edit)) {
1415 ret = PTR_ERR(edit);
1416 goto error;
1417 }
1418 ret = -ENOENT;
1419 if (edit == NULL)
1420 goto error;
1421
1422 assoc_array_apply_edit(edit);
1423 key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES);
1424 ret = 0;
1425
1426error:
1427 up_write(&keyring->sem);
1428 return ret;
1429}
1430EXPORT_SYMBOL(key_unlink);
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440int keyring_clear(struct key *keyring)
1441{
1442 struct assoc_array_edit *edit;
1443 int ret;
1444
1445 if (keyring->type != &key_type_keyring)
1446 return -ENOTDIR;
1447
1448 down_write(&keyring->sem);
1449
1450 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1451 if (IS_ERR(edit)) {
1452 ret = PTR_ERR(edit);
1453 } else {
1454 if (edit)
1455 assoc_array_apply_edit(edit);
1456 key_payload_reserve(keyring, 0);
1457 ret = 0;
1458 }
1459
1460 up_write(&keyring->sem);
1461 return ret;
1462}
1463EXPORT_SYMBOL(keyring_clear);
1464
1465
1466
1467
1468
1469
1470static void keyring_revoke(struct key *keyring)
1471{
1472 struct assoc_array_edit *edit;
1473
1474 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1475 if (!IS_ERR(edit)) {
1476 if (edit)
1477 assoc_array_apply_edit(edit);
1478 key_payload_reserve(keyring, 0);
1479 }
1480}
1481
1482static bool keyring_gc_select_iterator(void *object, void *iterator_data)
1483{
1484 struct key *key = keyring_ptr_to_key(object);
1485 time64_t *limit = iterator_data;
1486
1487 if (key_is_dead(key, *limit))
1488 return false;
1489 key_get(key);
1490 return true;
1491}
1492
1493static int keyring_gc_check_iterator(const void *object, void *iterator_data)
1494{
1495 const struct key *key = keyring_ptr_to_key(object);
1496 time64_t *limit = iterator_data;
1497
1498 key_check(key);
1499 return key_is_dead(key, *limit);
1500}
1501
1502
1503
1504
1505
1506
1507
1508void keyring_gc(struct key *keyring, time64_t limit)
1509{
1510 int result;
1511
1512 kenter("%x{%s}", keyring->serial, keyring->description ?: "");
1513
1514 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
1515 (1 << KEY_FLAG_REVOKED)))
1516 goto dont_gc;
1517
1518
1519 rcu_read_lock();
1520 result = assoc_array_iterate(&keyring->keys,
1521 keyring_gc_check_iterator, &limit);
1522 rcu_read_unlock();
1523 if (result == true)
1524 goto do_gc;
1525
1526dont_gc:
1527 kleave(" [no gc]");
1528 return;
1529
1530do_gc:
1531 down_write(&keyring->sem);
1532 assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops,
1533 keyring_gc_select_iterator, &limit);
1534 up_write(&keyring->sem);
1535 kleave(" [gc]");
1536}
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553void keyring_restriction_gc(struct key *keyring, struct key_type *dead_type)
1554{
1555 struct key_restriction *keyres;
1556
1557 kenter("%x{%s}", keyring->serial, keyring->description ?: "");
1558
1559
1560
1561
1562
1563
1564
1565
1566 if (!dead_type || !keyring->restrict_link ||
1567 keyring->restrict_link->keytype != dead_type) {
1568 kleave(" [no restriction gc]");
1569 return;
1570 }
1571
1572
1573 down_write(&keyring->sem);
1574
1575 keyres = keyring->restrict_link;
1576
1577 keyres->check = restrict_link_reject;
1578
1579 key_put(keyres->key);
1580 keyres->key = NULL;
1581 keyres->keytype = NULL;
1582
1583 up_write(&keyring->sem);
1584
1585 kleave(" [restriction gc]");
1586}
1587