LXR linux/security/keys/process

   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/* Manage a process's keyrings
   3 *
   4 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
   5 * Written by David Howells (dhowells@redhat.com)
   6 */
   7
   8#include <linux/init.h>
   9#include <linux/sched.h>
  10#include <linux/sched/user.h>
  11#include <linux/keyctl.h>
  12#include <linux/fs.h>
  13#include <linux/err.h>
  14#include <linux/mutex.h>
  15#include <linux/security.h>
  16#include <linux/user_namespace.h>
  17#include <linux/uaccess.h>
  18#include <linux/init_task.h>
  19#include <keys/request_key_auth-type.h>
  20#include "internal.h"
  21
  22/* Session keyring create vs join semaphore */
  23static DEFINE_MUTEX(key_session_mutex);
  24
  25/* The root user's tracking struct */
  26struct key_user root_key_user = {
  27        .usage          = REFCOUNT_INIT(3),
  28        .cons_lock      = __MUTEX_INITIALIZER(root_key_user.cons_lock),
  29        .lock           = __SPIN_LOCK_UNLOCKED(root_key_user.lock),
  30        .nkeys          = ATOMIC_INIT(2),
  31        .nikeys         = ATOMIC_INIT(2),
  32        .uid            = GLOBAL_ROOT_UID,
  33};
  34
  35/*
  36 * Get or create a user register keyring.
  37 */
  38static struct key *get_user_register(struct user_namespace *user_ns)
  39{
  40        struct key *reg_keyring = READ_ONCE(user_ns->user_keyring_register);
  41
  42        if (reg_keyring)
  43                return reg_keyring;
  44
  45        down_write(&user_ns->keyring_sem);
  46
  47        /* Make sure there's a register keyring.  It gets owned by the
  48         * user_namespace's owner.
  49         */
  50        reg_keyring = user_ns->user_keyring_register;
  51        if (!reg_keyring) {
  52                reg_keyring = keyring_alloc(".user_reg",
  53                                            user_ns->owner, INVALID_GID,
  54                                            &init_cred,
  55                                            KEY_POS_WRITE | KEY_POS_SEARCH |
  56                                            KEY_USR_VIEW | KEY_USR_READ,
  57                                            0,
  58                                            NULL, NULL);
  59                if (!IS_ERR(reg_keyring))
  60                        smp_store_release(&user_ns->user_keyring_register,
  61                                          reg_keyring);
  62        }
  63
  64        up_write(&user_ns->keyring_sem);
  65
  66        /* We don't return a ref since the keyring is pinned by the user_ns */
  67        return reg_keyring;
  68}
  69
  70/*
  71 * Look up the user and user session keyrings for the current process's UID,
  72 * creating them if they don't exist.
  73 */
  74int look_up_user_keyrings(struct key **_user_keyring,
  75                          struct key **_user_session_keyring)
  76{
  77        const struct cred *cred = current_cred();
  78        struct user_namespace *user_ns = current_user_ns();
  79        struct key *reg_keyring, *uid_keyring, *session_keyring;
  80        key_perm_t user_keyring_perm;
  81        key_ref_t uid_keyring_r, session_keyring_r;
  82        uid_t uid = from_kuid(user_ns, cred->user->uid);
  83        char buf[20];
  84        int ret;
  85
  86        user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
  87
  88        kenter("%u", uid);
  89
  90        reg_keyring = get_user_register(user_ns);
  91        if (IS_ERR(reg_keyring))
  92                return PTR_ERR(reg_keyring);
  93
  94        down_write(&user_ns->keyring_sem);
  95        ret = 0;
  96
  97        /* Get the user keyring.  Note that there may be one in existence
  98         * already as it may have been pinned by a session, but the user_struct
  99         * pointing to it may have been destroyed by setuid.
 100         */
 101        snprintf(buf, sizeof(buf), "_uid.%u", uid);
 102        uid_keyring_r = keyring_search(make_key_ref(reg_keyring, true),
 103                                       &key_type_keyring, buf, false);
 104        kdebug("_uid %p", uid_keyring_r);
 105        if (uid_keyring_r == ERR_PTR(-EAGAIN)) {
 106                uid_keyring = keyring_alloc(buf, cred->user->uid, INVALID_GID,
 107                                            cred, user_keyring_perm,
 108                                            KEY_ALLOC_UID_KEYRING |
 109                                            KEY_ALLOC_IN_QUOTA,
 110                                            NULL, reg_keyring);
 111                if (IS_ERR(uid_keyring)) {
 112                        ret = PTR_ERR(uid_keyring);
 113                        goto error;
 114                }
 115        } else if (IS_ERR(uid_keyring_r)) {
 116                ret = PTR_ERR(uid_keyring_r);
 117                goto error;
 118        } else {
 119                uid_keyring = key_ref_to_ptr(uid_keyring_r);
 120        }
 121
 122        /* Get a default session keyring (which might also exist already) */
 123        snprintf(buf, sizeof(buf), "_uid_ses.%u", uid);
 124        session_keyring_r = keyring_search(make_key_ref(reg_keyring, true),
 125                                           &key_type_keyring, buf, false);
 126        kdebug("_uid_ses %p", session_keyring_r);
 127        if (session_keyring_r == ERR_PTR(-EAGAIN)) {
 128                session_keyring = keyring_alloc(buf, cred->user->uid, INVALID_GID,
 129                                                cred, user_keyring_perm,
 130                                                KEY_ALLOC_UID_KEYRING |
 131                                                KEY_ALLOC_IN_QUOTA,
 132                                                NULL, NULL);
 133                if (IS_ERR(session_keyring)) {
 134                        ret = PTR_ERR(session_keyring);
 135                        goto error_release;
 136                }
 137
 138                /* We install a link from the user session keyring to
 139                 * the user keyring.
 140                 */
 141                ret = key_link(session_keyring, uid_keyring);
 142                if (ret < 0)
 143                        goto error_release_session;
 144
 145                /* And only then link the user-session keyring to the
 146                 * register.
 147                 */
 148                ret = key_link(reg_keyring, session_keyring);
 149                if (ret < 0)
 150                        goto error_release_session;
 151        } else if (IS_ERR(session_keyring_r)) {
 152                ret = PTR_ERR(session_keyring_r);
 153                goto error_release;
 154        } else {
 155                session_keyring = key_ref_to_ptr(session_keyring_r);
 156        }
 157
 158        up_write(&user_ns->keyring_sem);
 159
 160        if (_user_session_keyring)
 161                *_user_session_keyring = session_keyring;
 162        else
 163                key_put(session_keyring);
 164        if (_user_keyring)
 165                *_user_keyring = uid_keyring;
 166        else
 167                key_put(uid_keyring);
 168        kleave(" = 0");
 169        return 0;
 170
 171error_release_session:
 172        key_put(session_keyring);
 173error_release:
 174        key_put(uid_keyring);
 175error:
 176        up_write(&user_ns->keyring_sem);
 177        kleave(" = %d", ret);
 178        return ret;
 179}
 180
 181/*
 182 * Get the user session keyring if it exists, but don't create it if it
 183 * doesn't.
 184 */
 185struct key *get_user_session_keyring_rcu(const struct cred *cred)
 186{
 187        struct key *reg_keyring = READ_ONCE(cred->user_ns->user_keyring_register);
 188        key_ref_t session_keyring_r;
 189        char buf[20];
 190
 191        struct keyring_search_context ctx = {
 192                .index_key.type         = &key_type_keyring,
 193                .index_key.description  = buf,
 194                .cred                   = cred,
 195                .match_data.cmp         = key_default_cmp,
 196                .match_data.raw_data    = buf,
 197                .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
 198                .flags                  = KEYRING_SEARCH_DO_STATE_CHECK,
 199        };
 200
 201        if (!reg_keyring)
 202                return NULL;
 203
 204        ctx.index_key.desc_len = snprintf(buf, sizeof(buf), "_uid_ses.%u",
 205                                          from_kuid(cred->user_ns,
 206                                                    cred->user->uid));
 207
 208        session_keyring_r = keyring_search_rcu(make_key_ref(reg_keyring, true),
 209                                               &ctx);
 210        if (IS_ERR(session_keyring_r))
 211                return NULL;
 212        return key_ref_to_ptr(session_keyring_r);
 213}
 214
 215/*
 216 * Install a thread keyring to the given credentials struct if it didn't have
 217 * one already.  This is allowed to overrun the quota.
 218 *
 219 * Return: 0 if a thread keyring is now present; -errno on failure.
 220 */
 221int install_thread_keyring_to_cred(struct cred *new)
 222{
 223        struct key *keyring;
 224
 225        if (new->thread_keyring)
 226                return 0;
 227
 228        keyring = keyring_alloc("_tid", new->uid, new->gid, new,
 229                                KEY_POS_ALL | KEY_USR_VIEW,
 230                                KEY_ALLOC_QUOTA_OVERRUN,
 231                                NULL, NULL);
 232        if (IS_ERR(keyring))
 233                return PTR_ERR(keyring);
 234
 235        new->thread_keyring = keyring;
 236        return 0;
 237}
 238
 239/*
 240 * Install a thread keyring to the current task if it didn't have one already.
 241 *
 242 * Return: 0 if a thread keyring is now present; -errno on failure.
 243 */
 244static int install_thread_keyring(void)
 245{
 246        struct cred *new;
 247        int ret;
 248
 249        new = prepare_creds();
 250        if (!new)
 251                return -ENOMEM;
 252
 253        ret = install_thread_keyring_to_cred(new);
 254        if (ret < 0) {
 255                abort_creds(new);
 256                return ret;
 257        }
 258
 259        return commit_creds(new);
 260}
 261
 262/*
 263 * Install a process keyring to the given credentials struct if it didn't have
 264 * one already.  This is allowed to overrun the quota.
 265 *
 266 * Return: 0 if a process keyring is now present; -errno on failure.
 267 */
 268int install_process_keyring_to_cred(struct cred *new)
 269{
 270        struct key *keyring;
 271
 272        if (new->process_keyring)
 273                return 0;
 274
 275        keyring = keyring_alloc("_pid", new->uid, new->gid, new,
 276                                KEY_POS_ALL | KEY_USR_VIEW,
 277                                KEY_ALLOC_QUOTA_OVERRUN,
 278                                NULL, NULL);
 279        if (IS_ERR(keyring))
 280                return PTR_ERR(keyring);
 281
 282        new->process_keyring = keyring;
 283        return 0;
 284}
 285
 286/*
 287 * Install a process keyring to the current task if it didn't have one already.
 288 *
 289 * Return: 0 if a process keyring is now present; -errno on failure.
 290 */
 291static int install_process_keyring(void)
 292{
 293        struct cred *new;
 294        int ret;
 295
 296        new = prepare_creds();
 297        if (!new)
 298                return -ENOMEM;
 299
 300        ret = install_process_keyring_to_cred(new);
 301        if (ret < 0) {
 302                abort_creds(new);
 303                return ret;
 304        }
 305
 306        return commit_creds(new);
 307}
 308
 309/*
 310 * Install the given keyring as the session keyring of the given credentials
 311 * struct, replacing the existing one if any.  If the given keyring is NULL,
 312 * then install a new anonymous session keyring.
 313 * @cred can not be in use by any task yet.
 314 *
 315 * Return: 0 on success; -errno on failure.
 316 */
 317int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
 318{
 319        unsigned long flags;
 320        struct key *old;
 321
 322        might_sleep();
 323
 324        /* create an empty session keyring */
 325        if (!keyring) {
 326                flags = KEY_ALLOC_QUOTA_OVERRUN;
 327                if (cred->session_keyring)
 328                        flags = KEY_ALLOC_IN_QUOTA;
 329
 330                keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred,
 331                                        KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
 332                                        flags, NULL, NULL);
 333                if (IS_ERR(keyring))
 334                        return PTR_ERR(keyring);
 335        } else {
 336                __key_get(keyring);
 337        }
 338
 339        /* install the keyring */
 340        old = cred->session_keyring;
 341        cred->session_keyring = keyring;
 342
 343        if (old)
 344                key_put(old);
 345
 346        return 0;
 347}
 348
 349/*
 350 * Install the given keyring as the session keyring of the current task,
 351 * replacing the existing one if any.  If the given keyring is NULL, then
 352 * install a new anonymous session keyring.
 353 *
 354 * Return: 0 on success; -errno on failure.
 355 */
 356static int install_session_keyring(struct key *keyring)
 357{
 358        struct cred *new;
 359        int ret;
 360
 361        new = prepare_creds();
 362        if (!new)
 363                return -ENOMEM;
 364
 365        ret = install_session_keyring_to_cred(new, keyring);
 366        if (ret < 0) {
 367                abort_creds(new);
 368                return ret;
 369        }
 370
 371        return commit_creds(new);
 372}
 373
 374/*
 375 * Handle the fsuid changing.
 376 */
 377void key_fsuid_changed(struct cred *new_cred)
 378{
 379        /* update the ownership of the thread keyring */
 380        if (new_cred->thread_keyring) {
 381                down_write(&new_cred->thread_keyring->sem);
 382                new_cred->thread_keyring->uid = new_cred->fsuid;
 383                up_write(&new_cred->thread_keyring->sem);
 384        }
 385}
 386
 387/*
 388 * Handle the fsgid changing.
 389 */
 390void key_fsgid_changed(struct cred *new_cred)
 391{
 392        /* update the ownership of the thread keyring */
 393        if (new_cred->thread_keyring) {
 394                down_write(&new_cred->thread_keyring->sem);
 395                new_cred->thread_keyring->gid = new_cred->fsgid;
 396                up_write(&new_cred->thread_keyring->sem);
 397        }
 398}
 399
 400/*
 401 * Search the process keyrings attached to the supplied cred for the first
 402 * matching key under RCU conditions (the caller must be holding the RCU read
 403 * lock).
 404 *
 405 * The search criteria are the type and the match function.  The description is
 406 * given to the match function as a parameter, but doesn't otherwise influence
 407 * the search.  Typically the match function will compare the description
 408 * parameter to the key's description.
 409 *
 410 * This can only search keyrings that grant Search permission to the supplied
 411 * credentials.  Keyrings linked to searched keyrings will also be searched if
 412 * they grant Search permission too.  Keys can only be found if they grant
 413 * Search permission to the credentials.
 414 *
 415 * Returns a pointer to the key with the key usage count incremented if
 416 * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only
 417 * matched negative keys.
 418 *
 419 * In the case of a successful return, the possession attribute is set on the
 420 * returned key reference.
 421 */
 422key_ref_t search_cred_keyrings_rcu(struct keyring_search_context *ctx)
 423{
 424        struct key *user_session;
 425        key_ref_t key_ref, ret, err;
 426        const struct cred *cred = ctx->cred;
 427
 428        /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
 429         * searchable, but we failed to find a key or we found a negative key;
 430         * otherwise we want to return a sample error (probably -EACCES) if
 431         * none of the keyrings were searchable
 432         *
 433         * in terms of priority: success > -ENOKEY > -EAGAIN > other error
 434         */
 435        key_ref = NULL;
 436        ret = NULL;
 437        err = ERR_PTR(-EAGAIN);
 438
 439        /* search the thread keyring first */
 440        if (cred->thread_keyring) {
 441                key_ref = keyring_search_rcu(
 442                        make_key_ref(cred->thread_keyring, 1), ctx);
 443                if (!IS_ERR(key_ref))
 444                        goto found;
 445
 446                switch (PTR_ERR(key_ref)) {
 447                case -EAGAIN: /* no key */
 448                case -ENOKEY: /* negative key */
 449                        ret = key_ref;
 450                        break;
 451                default:
 452                        err = key_ref;
 453                        break;
 454                }
 455        }
 456
 457        /* search the process keyring second */
 458        if (cred->process_keyring) {
 459                key_ref = keyring_search_rcu(
 460                        make_key_ref(cred->process_keyring, 1), ctx);
 461                if (!IS_ERR(key_ref))
 462                        goto found;
 463
 464                switch (PTR_ERR(key_ref)) {
 465                case -EAGAIN: /* no key */
 466                        if (ret)
 467                                break;
 468                        fallthrough;
 469                case -ENOKEY: /* negative key */
 470                        ret = key_ref;
 471                        break;
 472                default:
 473                        err = key_ref;
 474                        break;
 475                }
 476        }
 477
 478        /* search the session keyring */
 479        if (cred->session_keyring) {
 480                key_ref = keyring_search_rcu(
 481                        make_key_ref(cred->session_keyring, 1), ctx);
 482
 483                if (!IS_ERR(key_ref))
 484                        goto found;
 485
 486                switch (PTR_ERR(key_ref)) {
 487                case -EAGAIN: /* no key */
 488                        if (ret)
 489                                break;
 490                        fallthrough;
 491                case -ENOKEY: /* negative key */
 492                        ret = key_ref;
 493                        break;
 494                default:
 495                        err = key_ref;
 496                        break;
 497                }
 498        }
 499        /* or search the user-session keyring */
 500        else if ((user_session = get_user_session_keyring_rcu(cred))) {
 501                key_ref = keyring_search_rcu(make_key_ref(user_session, 1),
 502                                             ctx);
 503                key_put(user_session);
 504
 505                if (!IS_ERR(key_ref))
 506                        goto found;
 507
 508                switch (PTR_ERR(key_ref)) {
 509                case -EAGAIN: /* no key */
 510                        if (ret)
 511                                break;
 512                        fallthrough;
 513                case -ENOKEY: /* negative key */
 514                        ret = key_ref;
 515                        break;
 516                default:
 517                        err = key_ref;
 518                        break;
 519                }
 520        }
 521
 522        /* no key - decide on the error we're going to go for */
 523        key_ref = ret ? ret : err;
 524
 525found:
 526        return key_ref;
 527}
 528
 529/*
 530 * Search the process keyrings attached to the supplied cred for the first
 531 * matching key in the manner of search_my_process_keyrings(), but also search
 532 * the keys attached to the assumed authorisation key using its credentials if
 533 * one is available.
 534 *
 535 * The caller must be holding the RCU read lock.
 536 *
 537 * Return same as search_cred_keyrings_rcu().
 538 */
 539key_ref_t search_process_keyrings_rcu(struct keyring_search_context *ctx)
 540{
 541        struct request_key_auth *rka;
 542        key_ref_t key_ref, ret = ERR_PTR(-EACCES), err;
 543
 544        key_ref = search_cred_keyrings_rcu(ctx);
 545        if (!IS_ERR(key_ref))
 546                goto found;
 547        err = key_ref;
 548
 549        /* if this process has an instantiation authorisation key, then we also
 550         * search the keyrings of the process mentioned there
 551         * - we don't permit access to request_key auth keys via this method
 552         */
 553        if (ctx->cred->request_key_auth &&
 554            ctx->cred == current_cred() &&
 555            ctx->index_key.type != &key_type_request_key_auth
 556            ) {
 557                const struct cred *cred = ctx->cred;
 558
 559                if (key_validate(cred->request_key_auth) == 0) {
 560                        rka = ctx->cred->request_key_auth->payload.data[0];
 561
 562                        //// was search_process_keyrings() [ie. recursive]
 563                        ctx->cred = rka->cred;
 564                        key_ref = search_cred_keyrings_rcu(ctx);
 565                        ctx->cred = cred;
 566
 567                        if (!IS_ERR(key_ref))
 568                                goto found;
 569                        ret = key_ref;
 570                }
 571        }
 572
 573        /* no key - decide on the error we're going to go for */
 574        if (err == ERR_PTR(-ENOKEY) || ret == ERR_PTR(-ENOKEY))
 575                key_ref = ERR_PTR(-ENOKEY);
 576        else if (err == ERR_PTR(-EACCES))
 577                key_ref = ret;
 578        else
 579                key_ref = err;
 580
 581found:
 582        return key_ref;
 583}
 584/*
 585 * See if the key we're looking at is the target key.
 586 */
 587bool lookup_user_key_possessed(const struct key *key,
 588                               const struct key_match_data *match_data)
 589{
 590        return key == match_data->raw_data;
 591}
 592
 593/*
 594 * Look up a key ID given us by userspace with a given permissions mask to get
 595 * the key it refers to.
 596 *
 597 * Flags can be passed to request that special keyrings be created if referred
 598 * to directly, to permit partially constructed keys to be found and to skip
 599 * validity and permission checks on the found key.
 600 *
 601 * Returns a pointer to the key with an incremented usage count if successful;
 602 * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond
 603 * to a key or the best found key was a negative key; -EKEYREVOKED or
 604 * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the
 605 * found key doesn't grant the requested permit or the LSM denied access to it;
 606 * or -ENOMEM if a special keyring couldn't be created.
 607 *
 608 * In the case of a successful return, the possession attribute is set on the
 609 * returned key reference.
 610 */
 611key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
 612                          enum key_need_perm need_perm)
 613{
 614        struct keyring_search_context ctx = {
 615                .match_data.cmp         = lookup_user_key_possessed,
 616                .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
 617                .flags                  = (KEYRING_SEARCH_NO_STATE_CHECK |
 618                                           KEYRING_SEARCH_RECURSE),
 619        };
 620        struct request_key_auth *rka;
 621        struct key *key, *user_session;
 622        key_ref_t key_ref, skey_ref;
 623        int ret;
 624
 625try_again:
 626        ctx.cred = get_current_cred();
 627        key_ref = ERR_PTR(-ENOKEY);
 628
 629        switch (id) {
 630        case KEY_SPEC_THREAD_KEYRING:
 631                if (!ctx.cred->thread_keyring) {
 632                        if (!(lflags & KEY_LOOKUP_CREATE))
 633                                goto error;
 634
 635                        ret = install_thread_keyring();
 636                        if (ret < 0) {
 637                                key_ref = ERR_PTR(ret);
 638                                goto error;
 639                        }
 640                        goto reget_creds;
 641                }
 642
 643                key = ctx.cred->thread_keyring;
 644                __key_get(key);
 645                key_ref = make_key_ref(key, 1);
 646                break;
 647
 648        case KEY_SPEC_PROCESS_KEYRING:
 649                if (!ctx.cred->process_keyring) {
 650                        if (!(lflags & KEY_LOOKUP_CREATE))
 651                                goto error;
 652
 653                        ret = install_process_keyring();
 654                        if (ret < 0) {
 655                                key_ref = ERR_PTR(ret);
 656                                goto error;
 657                        }
 658                        goto reget_creds;
 659                }
 660
 661                key = ctx.cred->process_keyring;
 662                __key_get(key);
 663                key_ref = make_key_ref(key, 1);
 664                break;
 665
 666        case KEY_SPEC_SESSION_KEYRING:
 667                if (!ctx.cred->session_keyring) {
 668                        /* always install a session keyring upon access if one
 669                         * doesn't exist yet */
 670                        ret = look_up_user_keyrings(NULL, &user_session);
 671                        if (ret < 0)
 672                                goto error;
 673                        if (lflags & KEY_LOOKUP_CREATE)
 674                                ret = join_session_keyring(NULL);
 675                        else
 676                                ret = install_session_keyring(user_session);
 677
 678                        key_put(user_session);
 679                        if (ret < 0)
 680                                goto error;
 681                        goto reget_creds;
 682                } else if (test_bit(KEY_FLAG_UID_KEYRING,
 683                                    &ctx.cred->session_keyring->flags) &&
 684                           lflags & KEY_LOOKUP_CREATE) {
 685                        ret = join_session_keyring(NULL);
 686                        if (ret < 0)
 687                                goto error;
 688                        goto reget_creds;
 689                }
 690
 691                key = ctx.cred->session_keyring;
 692                __key_get(key);
 693                key_ref = make_key_ref(key, 1);
 694                break;
 695
 696        case KEY_SPEC_USER_KEYRING:
 697                ret = look_up_user_keyrings(&key, NULL);
 698                if (ret < 0)
 699                        goto error;
 700                key_ref = make_key_ref(key, 1);
 701                break;
 702
 703        case KEY_SPEC_USER_SESSION_KEYRING:
 704                ret = look_up_user_keyrings(NULL, &key);
 705                if (ret < 0)
 706                        goto error;
 707                key_ref = make_key_ref(key, 1);
 708                break;
 709
 710        case KEY_SPEC_GROUP_KEYRING:
 711                /* group keyrings are not yet supported */
 712                key_ref = ERR_PTR(-EINVAL);
 713                goto error;
 714
 715        case KEY_SPEC_REQKEY_AUTH_KEY:
 716                key = ctx.cred->request_key_auth;
 717                if (!key)
 718                        goto error;
 719
 720                __key_get(key);
 721                key_ref = make_key_ref(key, 1);
 722                break;
 723
 724        case KEY_SPEC_REQUESTOR_KEYRING:
 725                if (!ctx.cred->request_key_auth)
 726                        goto error;
 727
 728                down_read(&ctx.cred->request_key_auth->sem);
 729                if (test_bit(KEY_FLAG_REVOKED,
 730                             &ctx.cred->request_key_auth->flags)) {
 731                        key_ref = ERR_PTR(-EKEYREVOKED);
 732                        key = NULL;
 733                } else {
 734                        rka = ctx.cred->request_key_auth->payload.data[0];
 735                        key = rka->dest_keyring;
 736                        __key_get(key);
 737                }
 738                up_read(&ctx.cred->request_key_auth->sem);
 739                if (!key)
 740                        goto error;
 741                key_ref = make_key_ref(key, 1);
 742                break;
 743
 744        default:
 745                key_ref = ERR_PTR(-EINVAL);
 746                if (id < 1)
 747                        goto error;
 748
 749                key = key_lookup(id);
 750                if (IS_ERR(key)) {
 751                        key_ref = ERR_CAST(key);
 752                        goto error;
 753                }
 754
 755                key_ref = make_key_ref(key, 0);
 756
 757                /* check to see if we possess the key */
 758                ctx.index_key                   = key->index_key;
 759                ctx.match_data.raw_data         = key;
 760                kdebug("check possessed");
 761                rcu_read_lock();
 762                skey_ref = search_process_keyrings_rcu(&ctx);
 763                rcu_read_unlock();
 764                kdebug("possessed=%p", skey_ref);
 765
 766                if (!IS_ERR(skey_ref)) {
 767                        key_put(key);
 768                        key_ref = skey_ref;
 769                }
 770
 771                break;
 772        }
 773
 774        /* unlink does not use the nominated key in any way, so can skip all
 775         * the permission checks as it is only concerned with the keyring */
 776        if (need_perm != KEY_NEED_UNLINK) {
 777                if (!(lflags & KEY_LOOKUP_PARTIAL)) {
 778                        ret = wait_for_key_construction(key, true);
 779                        switch (ret) {
 780                        case -ERESTARTSYS:
 781                                goto invalid_key;
 782                        default:
 783                                if (need_perm != KEY_AUTHTOKEN_OVERRIDE &&
 784                                    need_perm != KEY_DEFER_PERM_CHECK)
 785                                        goto invalid_key;
 786                                break;
 787                        case 0:
 788                                break;
 789                        }
 790                } else if (need_perm != KEY_DEFER_PERM_CHECK) {
 791                        ret = key_validate(key);
 792                        if (ret < 0)
 793                                goto invalid_key;
 794                }
 795
 796                ret = -EIO;
 797                if (!(lflags & KEY_LOOKUP_PARTIAL) &&
 798                    key_read_state(key) == KEY_IS_UNINSTANTIATED)
 799                        goto invalid_key;
 800        }
 801
 802        /* check the permissions */
 803        ret = key_task_permission(key_ref, ctx.cred, need_perm);
 804        if (ret < 0)
 805                goto invalid_key;
 806
 807        key->last_used_at = ktime_get_real_seconds();
 808
 809error:
 810        put_cred(ctx.cred);
 811        return key_ref;
 812
 813invalid_key:
 814        key_ref_put(key_ref);
 815        key_ref = ERR_PTR(ret);
 816        goto error;
 817
 818        /* if we attempted to install a keyring, then it may have caused new
 819         * creds to be installed */
 820reget_creds:
 821        put_cred(ctx.cred);
 822        goto try_again;
 823}
 824EXPORT_SYMBOL(lookup_user_key);
 825
 826/*
 827 * Join the named keyring as the session keyring if possible else attempt to
 828 * create a new one of that name and join that.
 829 *
 830 * If the name is NULL, an empty anonymous keyring will be installed as the
 831 * session keyring.
 832 *
 833 * Named session keyrings are joined with a semaphore held to prevent the
 834 * keyrings from going away whilst the attempt is made to going them and also
 835 * to prevent a race in creating compatible session keyrings.
 836 */
 837long join_session_keyring(const char *name)
 838{
 839        const struct cred *old;
 840        struct cred *new;
 841        struct key *keyring;
 842        long ret, serial;
 843
 844        new = prepare_creds();
 845        if (!new)
 846                return -ENOMEM;
 847        old = current_cred();
 848
 849        /* if no name is provided, install an anonymous keyring */
 850        if (!name) {
 851                ret = install_session_keyring_to_cred(new, NULL);
 852                if (ret < 0)
 853                        goto error;
 854
 855                serial = new->session_keyring->serial;
 856                ret = commit_creds(new);
 857                if (ret == 0)
 858                        ret = serial;
 859                goto okay;
 860        }
 861
 862        /* allow the user to join or create a named keyring */
 863        mutex_lock(&key_session_mutex);
 864
 865        /* look for an existing keyring of this name */
 866        keyring = find_keyring_by_name(name, false);
 867        if (PTR_ERR(keyring) == -ENOKEY) {
 868                /* not found - try and create a new one */
 869                keyring = keyring_alloc(
 870                        name, old->uid, old->gid, old,
 871                        KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK,
 872                        KEY_ALLOC_IN_QUOTA, NULL, NULL);
 873                if (IS_ERR(keyring)) {
 874                        ret = PTR_ERR(keyring);
 875                        goto error2;
 876                }
 877        } else if (IS_ERR(keyring)) {
 878                ret = PTR_ERR(keyring);
 879                goto error2;
 880        } else if (keyring == new->session_keyring) {
 881                ret = 0;
 882                goto error3;
 883        }
 884
 885        /* we've got a keyring - now to install it */
 886        ret = install_session_keyring_to_cred(new, keyring);
 887        if (ret < 0)
 888                goto error3;
 889
 890        commit_creds(new);
 891        mutex_unlock(&key_session_mutex);
 892
 893        ret = keyring->serial;
 894        key_put(keyring);
 895okay:
 896        return ret;
 897
 898error3:
 899        key_put(keyring);
 900error2:
 901        mutex_unlock(&key_session_mutex);
 902error:
 903        abort_creds(new);
 904        return ret;
 905}
 906
 907/*
 908 * Replace a process's session keyring on behalf of one of its children when
 909 * the target  process is about to resume userspace execution.
 910 */
 911void key_change_session_keyring(struct callback_head *twork)
 912{
 913        const struct cred *old = current_cred();
 914        struct cred *new = container_of(twork, struct cred, rcu);
 915
 916        if (unlikely(current->flags & PF_EXITING)) {
 917                put_cred(new);
 918                return;
 919        }
 920
 921        new->  uid      = old->  uid;
 922        new-> euid      = old-> euid;
 923        new-> suid      = old-> suid;
 924        new->fsuid      = old->fsuid;
 925        new->  gid      = old->  gid;
 926        new-> egid      = old-> egid;
 927        new-> sgid      = old-> sgid;
 928        new->fsgid      = old->fsgid;
 929        new->user       = get_uid(old->user);
 930        new->user_ns    = get_user_ns(old->user_ns);
 931        new->group_info = get_group_info(old->group_info);
 932
 933        new->securebits = old->securebits;
 934        new->cap_inheritable    = old->cap_inheritable;
 935        new->cap_permitted      = old->cap_permitted;
 936        new->cap_effective      = old->cap_effective;
 937        new->cap_ambient        = old->cap_ambient;
 938        new->cap_bset           = old->cap_bset;
 939
 940        new->jit_keyring        = old->jit_keyring;
 941        new->thread_keyring     = key_get(old->thread_keyring);
 942        new->process_keyring    = key_get(old->process_keyring);
 943
 944        security_transfer_creds(new, old);
 945
 946        commit_creds(new);
 947}
 948
 949/*
 950 * Make sure that root's user and user-session keyrings exist.
 951 */
 952static int __init init_root_keyring(void)
 953{
 954        return look_up_user_keyrings(NULL, NULL);
 955}
 956
 957late_initcall(init_root_keyring);
 958