1
2
3
4
5
6
7
8#include <linux/export.h>
9#include <linux/init.h>
10#include <linux/sched.h>
11#include <linux/slab.h>
12#include <linux/security.h>
13#include <linux/seq_file.h>
14#include <linux/err.h>
15#include <linux/user_namespace.h>
16#include <linux/nsproxy.h>
17#include <keys/keyring-type.h>
18#include <keys/user-type.h>
19#include <linux/assoc_array_priv.h>
20#include <linux/uaccess.h>
21#include <net/net_namespace.h>
22#include "internal.h"
23
24
25
26
27
28#define KEYRING_SEARCH_MAX_DEPTH 6
29
30
31
32
33
34#define KEYRING_PTR_SUBTYPE 0x2UL
35
36static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x)
37{
38 return (unsigned long)x & KEYRING_PTR_SUBTYPE;
39}
40static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x)
41{
42 void *object = assoc_array_ptr_to_leaf(x);
43 return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE);
44}
45static inline void *keyring_key_to_ptr(struct key *key)
46{
47 if (key->type == &key_type_keyring)
48 return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE);
49 return key;
50}
51
52static DEFINE_RWLOCK(keyring_name_lock);
53
54
55
56
57void key_free_user_ns(struct user_namespace *ns)
58{
59 write_lock(&keyring_name_lock);
60 list_del_init(&ns->keyring_name_list);
61 write_unlock(&keyring_name_lock);
62
63 key_put(ns->user_keyring_register);
64#ifdef CONFIG_PERSISTENT_KEYRINGS
65 key_put(ns->persistent_keyring_register);
66#endif
67}
68
69
70
71
72
73
74static int keyring_preparse(struct key_preparsed_payload *prep);
75static void keyring_free_preparse(struct key_preparsed_payload *prep);
76static int keyring_instantiate(struct key *keyring,
77 struct key_preparsed_payload *prep);
78static void keyring_revoke(struct key *keyring);
79static void keyring_destroy(struct key *keyring);
80static void keyring_describe(const struct key *keyring, struct seq_file *m);
81static long keyring_read(const struct key *keyring,
82 char __user *buffer, size_t buflen);
83
84struct key_type key_type_keyring = {
85 .name = "keyring",
86 .def_datalen = 0,
87 .preparse = keyring_preparse,
88 .free_preparse = keyring_free_preparse,
89 .instantiate = keyring_instantiate,
90 .revoke = keyring_revoke,
91 .destroy = keyring_destroy,
92 .describe = keyring_describe,
93 .read = keyring_read,
94};
95EXPORT_SYMBOL(key_type_keyring);
96
97
98
99
100
101static DEFINE_MUTEX(keyring_serialise_link_lock);
102
103
104
105
106
107static void keyring_publish_name(struct key *keyring)
108{
109 struct user_namespace *ns = current_user_ns();
110
111 if (keyring->description &&
112 keyring->description[0] &&
113 keyring->description[0] != '.') {
114 write_lock(&keyring_name_lock);
115 list_add_tail(&keyring->name_link, &ns->keyring_name_list);
116 write_unlock(&keyring_name_lock);
117 }
118}
119
120
121
122
123static int keyring_preparse(struct key_preparsed_payload *prep)
124{
125 return prep->datalen != 0 ? -EINVAL : 0;
126}
127
128
129
130
131static void keyring_free_preparse(struct key_preparsed_payload *prep)
132{
133}
134
135
136
137
138
139
140static int keyring_instantiate(struct key *keyring,
141 struct key_preparsed_payload *prep)
142{
143 assoc_array_init(&keyring->keys);
144
145 keyring_publish_name(keyring);
146 return 0;
147}
148
149
150
151
152
153static u64 mult_64x32_and_fold(u64 x, u32 y)
154{
155 u64 hi = (u64)(u32)(x >> 32) * y;
156 u64 lo = (u64)(u32)(x) * y;
157 return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32);
158}
159
160
161
162
163static void hash_key_type_and_desc(struct keyring_index_key *index_key)
164{
165 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP;
166 const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK;
167 const char *description = index_key->description;
168 unsigned long hash, type;
169 u32 piece;
170 u64 acc;
171 int n, desc_len = index_key->desc_len;
172
173 type = (unsigned long)index_key->type;
174 acc = mult_64x32_and_fold(type, desc_len + 13);
175 acc = mult_64x32_and_fold(acc, 9207);
176 piece = (unsigned long)index_key->domain_tag;
177 acc = mult_64x32_and_fold(acc, piece);
178 acc = mult_64x32_and_fold(acc, 9207);
179
180 for (;;) {
181 n = desc_len;
182 if (n <= 0)
183 break;
184 if (n > 4)
185 n = 4;
186 piece = 0;
187 memcpy(&piece, description, n);
188 description += n;
189 desc_len -= n;
190 acc = mult_64x32_and_fold(acc, piece);
191 acc = mult_64x32_and_fold(acc, 9207);
192 }
193
194
195 hash = acc;
196 if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32)
197 hash ^= acc >> 32;
198
199
200
201
202
203 if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0)
204 hash |= (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1;
205 else if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0)
206 hash = (hash + (hash << level_shift)) & ~fan_mask;
207 index_key->hash = hash;
208}
209
210
211
212
213
214void key_set_index_key(struct keyring_index_key *index_key)
215{
216 static struct key_tag default_domain_tag = { .usage = REFCOUNT_INIT(1), };
217 size_t n = min_t(size_t, index_key->desc_len, sizeof(index_key->desc));
218
219 memcpy(index_key->desc, index_key->description, n);
220
221 if (!index_key->domain_tag) {
222 if (index_key->type->flags & KEY_TYPE_NET_DOMAIN)
223 index_key->domain_tag = current->nsproxy->net_ns->key_domain;
224 else
225 index_key->domain_tag = &default_domain_tag;
226 }
227
228 hash_key_type_and_desc(index_key);
229}
230
231
232
233
234
235
236
237
238bool key_put_tag(struct key_tag *tag)
239{
240 if (refcount_dec_and_test(&tag->usage)) {
241 kfree_rcu(tag, rcu);
242 return true;
243 }
244
245 return false;
246}
247
248
249
250
251
252
253
254
255
256void key_remove_domain(struct key_tag *domain_tag)
257{
258 domain_tag->removed = true;
259 if (!key_put_tag(domain_tag))
260 key_schedule_gc_links();
261}
262
263
264
265
266
267
268static unsigned long keyring_get_key_chunk(const void *data, int level)
269{
270 const struct keyring_index_key *index_key = data;
271 unsigned long chunk = 0;
272 const u8 *d;
273 int desc_len = index_key->desc_len, n = sizeof(chunk);
274
275 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE;
276 switch (level) {
277 case 0:
278 return index_key->hash;
279 case 1:
280 return index_key->x;
281 case 2:
282 return (unsigned long)index_key->type;
283 case 3:
284 return (unsigned long)index_key->domain_tag;
285 default:
286 level -= 4;
287 if (desc_len <= sizeof(index_key->desc))
288 return 0;
289
290 d = index_key->description + sizeof(index_key->desc);
291 d += level * sizeof(long);
292 desc_len -= sizeof(index_key->desc);
293 if (desc_len > n)
294 desc_len = n;
295 do {
296 chunk <<= 8;
297 chunk |= *d++;
298 } while (--desc_len > 0);
299 return chunk;
300 }
301}
302
303static unsigned long keyring_get_object_key_chunk(const void *object, int level)
304{
305 const struct key *key = keyring_ptr_to_key(object);
306 return keyring_get_key_chunk(&key->index_key, level);
307}
308
309static bool keyring_compare_object(const void *object, const void *data)
310{
311 const struct keyring_index_key *index_key = data;
312 const struct key *key = keyring_ptr_to_key(object);
313
314 return key->index_key.type == index_key->type &&
315 key->index_key.domain_tag == index_key->domain_tag &&
316 key->index_key.desc_len == index_key->desc_len &&
317 memcmp(key->index_key.description, index_key->description,
318 index_key->desc_len) == 0;
319}
320
321
322
323
324
325static int keyring_diff_objects(const void *object, const void *data)
326{
327 const struct key *key_a = keyring_ptr_to_key(object);
328 const struct keyring_index_key *a = &key_a->index_key;
329 const struct keyring_index_key *b = data;
330 unsigned long seg_a, seg_b;
331 int level, i;
332
333 level = 0;
334 seg_a = a->hash;
335 seg_b = b->hash;
336 if ((seg_a ^ seg_b) != 0)
337 goto differ;
338 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8;
339
340
341
342
343
344 seg_a = a->x;
345 seg_b = b->x;
346 if ((seg_a ^ seg_b) != 0)
347 goto differ;
348 level += sizeof(unsigned long);
349
350
351 seg_a = (unsigned long)a->type;
352 seg_b = (unsigned long)b->type;
353 if ((seg_a ^ seg_b) != 0)
354 goto differ;
355 level += sizeof(unsigned long);
356
357 seg_a = (unsigned long)a->domain_tag;
358 seg_b = (unsigned long)b->domain_tag;
359 if ((seg_a ^ seg_b) != 0)
360 goto differ;
361 level += sizeof(unsigned long);
362
363 i = sizeof(a->desc);
364 if (a->desc_len <= i)
365 goto same;
366
367 for (; i < a->desc_len; i++) {
368 seg_a = *(unsigned char *)(a->description + i);
369 seg_b = *(unsigned char *)(b->description + i);
370 if ((seg_a ^ seg_b) != 0)
371 goto differ_plus_i;
372 }
373
374same:
375 return -1;
376
377differ_plus_i:
378 level += i;
379differ:
380 i = level * 8 + __ffs(seg_a ^ seg_b);
381 return i;
382}
383
384
385
386
387static void keyring_free_object(void *object)
388{
389 key_put(keyring_ptr_to_key(object));
390}
391
392
393
394
395static const struct assoc_array_ops keyring_assoc_array_ops = {
396 .get_key_chunk = keyring_get_key_chunk,
397 .get_object_key_chunk = keyring_get_object_key_chunk,
398 .compare_object = keyring_compare_object,
399 .diff_objects = keyring_diff_objects,
400 .free_object = keyring_free_object,
401};
402
403
404
405
406
407
408
409
410
411
412static void keyring_destroy(struct key *keyring)
413{
414 if (keyring->description) {
415 write_lock(&keyring_name_lock);
416
417 if (keyring->name_link.next != NULL &&
418 !list_empty(&keyring->name_link))
419 list_del(&keyring->name_link);
420
421 write_unlock(&keyring_name_lock);
422 }
423
424 if (keyring->restrict_link) {
425 struct key_restriction *keyres = keyring->restrict_link;
426
427 key_put(keyres->key);
428 kfree(keyres);
429 }
430
431 assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops);
432}
433
434
435
436
437static void keyring_describe(const struct key *keyring, struct seq_file *m)
438{
439 if (keyring->description)
440 seq_puts(m, keyring->description);
441 else
442 seq_puts(m, "[anon]");
443
444 if (key_is_positive(keyring)) {
445 if (keyring->keys.nr_leaves_on_tree != 0)
446 seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree);
447 else
448 seq_puts(m, ": empty");
449 }
450}
451
452struct keyring_read_iterator_context {
453 size_t buflen;
454 size_t count;
455 key_serial_t __user *buffer;
456};
457
458static int keyring_read_iterator(const void *object, void *data)
459{
460 struct keyring_read_iterator_context *ctx = data;
461 const struct key *key = keyring_ptr_to_key(object);
462 int ret;
463
464 kenter("{%s,%d},,{%zu/%zu}",
465 key->type->name, key->serial, ctx->count, ctx->buflen);
466
467 if (ctx->count >= ctx->buflen)
468 return 1;
469
470 ret = put_user(key->serial, ctx->buffer);
471 if (ret < 0)
472 return ret;
473 ctx->buffer++;
474 ctx->count += sizeof(key->serial);
475 return 0;
476}
477
478
479
480
481
482
483
484
485static long keyring_read(const struct key *keyring,
486 char __user *buffer, size_t buflen)
487{
488 struct keyring_read_iterator_context ctx;
489 long ret;
490
491 kenter("{%d},,%zu", key_serial(keyring), buflen);
492
493 if (buflen & (sizeof(key_serial_t) - 1))
494 return -EINVAL;
495
496
497 if (buffer && buflen) {
498 ctx.buffer = (key_serial_t __user *)buffer;
499 ctx.buflen = buflen;
500 ctx.count = 0;
501 ret = assoc_array_iterate(&keyring->keys,
502 keyring_read_iterator, &ctx);
503 if (ret < 0) {
504 kleave(" = %ld [iterate]", ret);
505 return ret;
506 }
507 }
508
509
510 ret = keyring->keys.nr_leaves_on_tree * sizeof(key_serial_t);
511 if (ret <= buflen)
512 kleave("= %ld [ok]", ret);
513 else
514 kleave("= %ld [buffer too small]", ret);
515 return ret;
516}
517
518
519
520
521struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
522 const struct cred *cred, key_perm_t perm,
523 unsigned long flags,
524 struct key_restriction *restrict_link,
525 struct key *dest)
526{
527 struct key *keyring;
528 int ret;
529
530 keyring = key_alloc(&key_type_keyring, description,
531 uid, gid, cred, perm, flags, restrict_link);
532 if (!IS_ERR(keyring)) {
533 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
534 if (ret < 0) {
535 key_put(keyring);
536 keyring = ERR_PTR(ret);
537 }
538 }
539
540 return keyring;
541}
542EXPORT_SYMBOL(keyring_alloc);
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558int restrict_link_reject(struct key *keyring,
559 const struct key_type *type,
560 const union key_payload *payload,
561 struct key *restriction_key)
562{
563 return -EPERM;
564}
565
566
567
568
569bool key_default_cmp(const struct key *key,
570 const struct key_match_data *match_data)
571{
572 return strcmp(key->description, match_data->raw_data) == 0;
573}
574
575
576
577
578static int keyring_search_iterator(const void *object, void *iterator_data)
579{
580 struct keyring_search_context *ctx = iterator_data;
581 const struct key *key = keyring_ptr_to_key(object);
582 unsigned long kflags = READ_ONCE(key->flags);
583 short state = READ_ONCE(key->state);
584
585 kenter("{%d}", key->serial);
586
587
588 if (key->type != ctx->index_key.type) {
589 kleave(" = 0 [!type]");
590 return 0;
591 }
592
593
594 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
595 time64_t expiry = READ_ONCE(key->expiry);
596
597 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
598 (1 << KEY_FLAG_REVOKED))) {
599 ctx->result = ERR_PTR(-EKEYREVOKED);
600 kleave(" = %d [invrev]", ctx->skipped_ret);
601 goto skipped;
602 }
603
604 if (expiry && ctx->now >= expiry) {
605 if (!(ctx->flags & KEYRING_SEARCH_SKIP_EXPIRED))
606 ctx->result = ERR_PTR(-EKEYEXPIRED);
607 kleave(" = %d [expire]", ctx->skipped_ret);
608 goto skipped;
609 }
610 }
611
612
613 if (!ctx->match_data.cmp(key, &ctx->match_data)) {
614 kleave(" = 0 [!match]");
615 return 0;
616 }
617
618
619 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
620 key_task_permission(make_key_ref(key, ctx->possessed),
621 ctx->cred, KEY_NEED_SEARCH) < 0) {
622 ctx->result = ERR_PTR(-EACCES);
623 kleave(" = %d [!perm]", ctx->skipped_ret);
624 goto skipped;
625 }
626
627 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
628
629 if (state < 0) {
630 ctx->result = ERR_PTR(state);
631 kleave(" = %d [neg]", ctx->skipped_ret);
632 goto skipped;
633 }
634 }
635
636
637 ctx->result = make_key_ref(key, ctx->possessed);
638 kleave(" = 1 [found]");
639 return 1;
640
641skipped:
642 return ctx->skipped_ret;
643}
644
645
646
647
648
649
650static int search_keyring(struct key *keyring, struct keyring_search_context *ctx)
651{
652 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_DIRECT) {
653 const void *object;
654
655 object = assoc_array_find(&keyring->keys,
656 &keyring_assoc_array_ops,
657 &ctx->index_key);
658 return object ? ctx->iterator(object, ctx) : 0;
659 }
660 return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx);
661}
662
663
664
665
666
667static bool search_nested_keyrings(struct key *keyring,
668 struct keyring_search_context *ctx)
669{
670 struct {
671 struct key *keyring;
672 struct assoc_array_node *node;
673 int slot;
674 } stack[KEYRING_SEARCH_MAX_DEPTH];
675
676 struct assoc_array_shortcut *shortcut;
677 struct assoc_array_node *node;
678 struct assoc_array_ptr *ptr;
679 struct key *key;
680 int sp = 0, slot;
681
682 kenter("{%d},{%s,%s}",
683 keyring->serial,
684 ctx->index_key.type->name,
685 ctx->index_key.description);
686
687#define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK)
688 BUG_ON((ctx->flags & STATE_CHECKS) == 0 ||
689 (ctx->flags & STATE_CHECKS) == STATE_CHECKS);
690
691 if (ctx->index_key.description)
692 key_set_index_key(&ctx->index_key);
693
694
695
696
697 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE ||
698 keyring_compare_object(keyring, &ctx->index_key)) {
699 ctx->skipped_ret = 2;
700 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) {
701 case 1:
702 goto found;
703 case 2:
704 return false;
705 default:
706 break;
707 }
708 }
709
710 ctx->skipped_ret = 0;
711
712
713descend_to_keyring:
714 kdebug("descend to %d", keyring->serial);
715 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
716 (1 << KEY_FLAG_REVOKED)))
717 goto not_this_keyring;
718
719
720
721
722 if (search_keyring(keyring, ctx))
723 goto found;
724
725
726
727
728
729
730
731
732
733 if (!(ctx->flags & KEYRING_SEARCH_RECURSE))
734 goto not_this_keyring;
735
736 ptr = READ_ONCE(keyring->keys.root);
737 if (!ptr)
738 goto not_this_keyring;
739
740 if (assoc_array_ptr_is_shortcut(ptr)) {
741
742
743
744
745 shortcut = assoc_array_ptr_to_shortcut(ptr);
746 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0)
747 goto not_this_keyring;
748
749 ptr = READ_ONCE(shortcut->next_node);
750 node = assoc_array_ptr_to_node(ptr);
751 goto begin_node;
752 }
753
754 node = assoc_array_ptr_to_node(ptr);
755 ptr = node->slots[0];
756 if (!assoc_array_ptr_is_meta(ptr))
757 goto begin_node;
758
759descend_to_node:
760
761
762
763 kdebug("descend");
764 if (assoc_array_ptr_is_shortcut(ptr)) {
765 shortcut = assoc_array_ptr_to_shortcut(ptr);
766 ptr = READ_ONCE(shortcut->next_node);
767 BUG_ON(!assoc_array_ptr_is_node(ptr));
768 }
769 node = assoc_array_ptr_to_node(ptr);
770
771begin_node:
772 kdebug("begin_node");
773 slot = 0;
774ascend_to_node:
775
776 for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) {
777 ptr = READ_ONCE(node->slots[slot]);
778
779 if (assoc_array_ptr_is_meta(ptr) && node->back_pointer)
780 goto descend_to_node;
781
782 if (!keyring_ptr_is_keyring(ptr))
783 continue;
784
785 key = keyring_ptr_to_key(ptr);
786
787 if (sp >= KEYRING_SEARCH_MAX_DEPTH) {
788 if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) {
789 ctx->result = ERR_PTR(-ELOOP);
790 return false;
791 }
792 goto not_this_keyring;
793 }
794
795
796 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
797 key_task_permission(make_key_ref(key, ctx->possessed),
798 ctx->cred, KEY_NEED_SEARCH) < 0)
799 continue;
800
801
802 stack[sp].keyring = keyring;
803 stack[sp].node = node;
804 stack[sp].slot = slot;
805 sp++;
806
807
808 keyring = key;
809 goto descend_to_keyring;
810 }
811
812
813
814
815 ptr = READ_ONCE(node->back_pointer);
816 slot = node->parent_slot;
817
818 if (ptr && assoc_array_ptr_is_shortcut(ptr)) {
819 shortcut = assoc_array_ptr_to_shortcut(ptr);
820 ptr = READ_ONCE(shortcut->back_pointer);
821 slot = shortcut->parent_slot;
822 }
823 if (!ptr)
824 goto not_this_keyring;
825 node = assoc_array_ptr_to_node(ptr);
826 slot++;
827
828
829
830
831
832 if (node->back_pointer) {
833 kdebug("ascend %d", slot);
834 goto ascend_to_node;
835 }
836
837
838
839
840not_this_keyring:
841 kdebug("not_this_keyring %d", sp);
842 if (sp <= 0) {
843 kleave(" = false");
844 return false;
845 }
846
847
848 sp--;
849 keyring = stack[sp].keyring;
850 node = stack[sp].node;
851 slot = stack[sp].slot + 1;
852 kdebug("ascend to %d [%d]", keyring->serial, slot);
853 goto ascend_to_node;
854
855
856found:
857 key = key_ref_to_ptr(ctx->result);
858 key_check(key);
859 if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) {
860 key->last_used_at = ctx->now;
861 keyring->last_used_at = ctx->now;
862 while (sp > 0)
863 stack[--sp].keyring->last_used_at = ctx->now;
864 }
865 kleave(" = true");
866 return true;
867}
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903key_ref_t keyring_search_rcu(key_ref_t keyring_ref,
904 struct keyring_search_context *ctx)
905{
906 struct key *keyring;
907 long err;
908
909 ctx->iterator = keyring_search_iterator;
910 ctx->possessed = is_key_possessed(keyring_ref);
911 ctx->result = ERR_PTR(-EAGAIN);
912
913 keyring = key_ref_to_ptr(keyring_ref);
914 key_check(keyring);
915
916 if (keyring->type != &key_type_keyring)
917 return ERR_PTR(-ENOTDIR);
918
919 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) {
920 err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH);
921 if (err < 0)
922 return ERR_PTR(err);
923 }
924
925 ctx->now = ktime_get_real_seconds();
926 if (search_nested_keyrings(keyring, ctx))
927 __key_get(key_ref_to_ptr(ctx->result));
928 return ctx->result;
929}
930
931
932
933
934
935
936
937
938
939
940
941key_ref_t keyring_search(key_ref_t keyring,
942 struct key_type *type,
943 const char *description,
944 bool recurse)
945{
946 struct keyring_search_context ctx = {
947 .index_key.type = type,
948 .index_key.description = description,
949 .index_key.desc_len = strlen(description),
950 .cred = current_cred(),
951 .match_data.cmp = key_default_cmp,
952 .match_data.raw_data = description,
953 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
954 .flags = KEYRING_SEARCH_DO_STATE_CHECK,
955 };
956 key_ref_t key;
957 int ret;
958
959 if (recurse)
960 ctx.flags |= KEYRING_SEARCH_RECURSE;
961 if (type->match_preparse) {
962 ret = type->match_preparse(&ctx.match_data);
963 if (ret < 0)
964 return ERR_PTR(ret);
965 }
966
967 rcu_read_lock();
968 key = keyring_search_rcu(keyring, &ctx);
969 rcu_read_unlock();
970
971 if (type->match_free)
972 type->match_free(&ctx.match_data);
973 return key;
974}
975EXPORT_SYMBOL(keyring_search);
976
977static struct key_restriction *keyring_restriction_alloc(
978 key_restrict_link_func_t check)
979{
980 struct key_restriction *keyres =
981 kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
982
983 if (!keyres)
984 return ERR_PTR(-ENOMEM);
985
986 keyres->check = check;
987
988 return keyres;
989}
990
991
992
993
994
995static DECLARE_RWSEM(keyring_serialise_restrict_sem);
996
997
998
999
1000
1001static bool keyring_detect_restriction_cycle(const struct key *dest_keyring,
1002 struct key_restriction *keyres)
1003{
1004 while (keyres && keyres->key &&
1005 keyres->key->type == &key_type_keyring) {
1006 if (keyres->key == dest_keyring)
1007 return true;
1008
1009 keyres = keyres->key->restrict_link;
1010 }
1011
1012 return false;
1013}
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025int keyring_restrict(key_ref_t keyring_ref, const char *type,
1026 const char *restriction)
1027{
1028 struct key *keyring;
1029 struct key_type *restrict_type = NULL;
1030 struct key_restriction *restrict_link;
1031 int ret = 0;
1032
1033 keyring = key_ref_to_ptr(keyring_ref);
1034 key_check(keyring);
1035
1036 if (keyring->type != &key_type_keyring)
1037 return -ENOTDIR;
1038
1039 if (!type) {
1040 restrict_link = keyring_restriction_alloc(restrict_link_reject);
1041 } else {
1042 restrict_type = key_type_lookup(type);
1043
1044 if (IS_ERR(restrict_type))
1045 return PTR_ERR(restrict_type);
1046
1047 if (!restrict_type->lookup_restriction) {
1048 ret = -ENOENT;
1049 goto error;
1050 }
1051
1052 restrict_link = restrict_type->lookup_restriction(restriction);
1053 }
1054
1055 if (IS_ERR(restrict_link)) {
1056 ret = PTR_ERR(restrict_link);
1057 goto error;
1058 }
1059
1060 down_write(&keyring->sem);
1061 down_write(&keyring_serialise_restrict_sem);
1062
1063 if (keyring->restrict_link)
1064 ret = -EEXIST;
1065 else if (keyring_detect_restriction_cycle(keyring, restrict_link))
1066 ret = -EDEADLK;
1067 else
1068 keyring->restrict_link = restrict_link;
1069
1070 up_write(&keyring_serialise_restrict_sem);
1071 up_write(&keyring->sem);
1072
1073 if (ret < 0) {
1074 key_put(restrict_link->key);
1075 kfree(restrict_link);
1076 }
1077
1078error:
1079 if (restrict_type)
1080 key_type_put(restrict_type);
1081
1082 return ret;
1083}
1084EXPORT_SYMBOL(keyring_restrict);
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100key_ref_t find_key_to_update(key_ref_t keyring_ref,
1101 const struct keyring_index_key *index_key)
1102{
1103 struct key *keyring, *key;
1104 const void *object;
1105
1106 keyring = key_ref_to_ptr(keyring_ref);
1107
1108 kenter("{%d},{%s,%s}",
1109 keyring->serial, index_key->type->name, index_key->description);
1110
1111 object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops,
1112 index_key);
1113
1114 if (object)
1115 goto found;
1116
1117 kleave(" = NULL");
1118 return NULL;
1119
1120found:
1121 key = keyring_ptr_to_key(object);
1122 if (key->flags & ((1 << KEY_FLAG_INVALIDATED) |
1123 (1 << KEY_FLAG_REVOKED))) {
1124 kleave(" = NULL [x]");
1125 return NULL;
1126 }
1127 __key_get(key);
1128 kleave(" = {%d}", key->serial);
1129 return make_key_ref(key, is_key_possessed(keyring_ref));
1130}
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143struct key *find_keyring_by_name(const char *name, bool uid_keyring)
1144{
1145 struct user_namespace *ns = current_user_ns();
1146 struct key *keyring;
1147
1148 if (!name)
1149 return ERR_PTR(-EINVAL);
1150
1151 read_lock(&keyring_name_lock);
1152
1153
1154
1155
1156 list_for_each_entry(keyring, &ns->keyring_name_list, name_link) {
1157 if (!kuid_has_mapping(ns, keyring->user->uid))
1158 continue;
1159
1160 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
1161 continue;
1162
1163 if (strcmp(keyring->description, name) != 0)
1164 continue;
1165
1166 if (uid_keyring) {
1167 if (!test_bit(KEY_FLAG_UID_KEYRING,
1168 &keyring->flags))
1169 continue;
1170 } else {
1171 if (key_permission(make_key_ref(keyring, 0),
1172 KEY_NEED_SEARCH) < 0)
1173 continue;
1174 }
1175
1176
1177
1178
1179 if (!refcount_inc_not_zero(&keyring->usage))
1180 continue;
1181 keyring->last_used_at = ktime_get_real_seconds();
1182 goto out;
1183 }
1184
1185 keyring = ERR_PTR(-ENOKEY);
1186out:
1187 read_unlock(&keyring_name_lock);
1188 return keyring;
1189}
1190
1191static int keyring_detect_cycle_iterator(const void *object,
1192 void *iterator_data)
1193{
1194 struct keyring_search_context *ctx = iterator_data;
1195 const struct key *key = keyring_ptr_to_key(object);
1196
1197 kenter("{%d}", key->serial);
1198
1199
1200
1201 if (key != ctx->match_data.raw_data)
1202 return 0;
1203
1204 ctx->result = ERR_PTR(-EDEADLK);
1205 return 1;
1206}
1207
1208
1209
1210
1211
1212
1213
1214
1215static int keyring_detect_cycle(struct key *A, struct key *B)
1216{
1217 struct keyring_search_context ctx = {
1218 .index_key = A->index_key,
1219 .match_data.raw_data = A,
1220 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
1221 .iterator = keyring_detect_cycle_iterator,
1222 .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
1223 KEYRING_SEARCH_NO_UPDATE_TIME |
1224 KEYRING_SEARCH_NO_CHECK_PERM |
1225 KEYRING_SEARCH_DETECT_TOO_DEEP |
1226 KEYRING_SEARCH_RECURSE),
1227 };
1228
1229 rcu_read_lock();
1230 search_nested_keyrings(B, &ctx);
1231 rcu_read_unlock();
1232 return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result);
1233}
1234
1235
1236
1237
1238int __key_link_lock(struct key *keyring,
1239 const struct keyring_index_key *index_key)
1240 __acquires(&keyring->sem)
1241 __acquires(&keyring_serialise_link_lock)
1242{
1243 if (keyring->type != &key_type_keyring)
1244 return -ENOTDIR;
1245
1246 down_write(&keyring->sem);
1247
1248
1249
1250
1251 if (index_key->type == &key_type_keyring)
1252 mutex_lock(&keyring_serialise_link_lock);
1253
1254 return 0;
1255}
1256
1257
1258
1259
1260int __key_move_lock(struct key *l_keyring, struct key *u_keyring,
1261 const struct keyring_index_key *index_key)
1262 __acquires(&l_keyring->sem)
1263 __acquires(&u_keyring->sem)
1264 __acquires(&keyring_serialise_link_lock)
1265{
1266 if (l_keyring->type != &key_type_keyring ||
1267 u_keyring->type != &key_type_keyring)
1268 return -ENOTDIR;
1269
1270
1271
1272
1273
1274 if (l_keyring < u_keyring) {
1275 down_write(&l_keyring->sem);
1276 down_write_nested(&u_keyring->sem, 1);
1277 } else {
1278 down_write(&u_keyring->sem);
1279 down_write_nested(&l_keyring->sem, 1);
1280 }
1281
1282
1283
1284
1285 if (index_key->type == &key_type_keyring)
1286 mutex_lock(&keyring_serialise_link_lock);
1287
1288 return 0;
1289}
1290
1291
1292
1293
1294int __key_link_begin(struct key *keyring,
1295 const struct keyring_index_key *index_key,
1296 struct assoc_array_edit **_edit)
1297{
1298 struct assoc_array_edit *edit;
1299 int ret;
1300
1301 kenter("%d,%s,%s,",
1302 keyring->serial, index_key->type->name, index_key->description);
1303
1304 BUG_ON(index_key->desc_len == 0);
1305 BUG_ON(*_edit != NULL);
1306
1307 *_edit = NULL;
1308
1309 ret = -EKEYREVOKED;
1310 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
1311 goto error;
1312
1313
1314
1315
1316 edit = assoc_array_insert(&keyring->keys,
1317 &keyring_assoc_array_ops,
1318 index_key,
1319 NULL);
1320 if (IS_ERR(edit)) {
1321 ret = PTR_ERR(edit);
1322 goto error;
1323 }
1324
1325
1326
1327
1328 if (!edit->dead_leaf) {
1329 ret = key_payload_reserve(keyring,
1330 keyring->datalen + KEYQUOTA_LINK_BYTES);
1331 if (ret < 0)
1332 goto error_cancel;
1333 }
1334
1335 *_edit = edit;
1336 kleave(" = 0");
1337 return 0;
1338
1339error_cancel:
1340 assoc_array_cancel_edit(edit);
1341error:
1342 kleave(" = %d", ret);
1343 return ret;
1344}
1345
1346
1347
1348
1349
1350
1351
1352int __key_link_check_live_key(struct key *keyring, struct key *key)
1353{
1354 if (key->type == &key_type_keyring)
1355
1356
1357 return keyring_detect_cycle(keyring, key);
1358 return 0;
1359}
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369void __key_link(struct key *key, struct assoc_array_edit **_edit)
1370{
1371 __key_get(key);
1372 assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key));
1373 assoc_array_apply_edit(*_edit);
1374 *_edit = NULL;
1375}
1376
1377
1378
1379
1380
1381
1382void __key_link_end(struct key *keyring,
1383 const struct keyring_index_key *index_key,
1384 struct assoc_array_edit *edit)
1385 __releases(&keyring->sem)
1386 __releases(&keyring_serialise_link_lock)
1387{
1388 BUG_ON(index_key->type == NULL);
1389 kenter("%d,%s,", keyring->serial, index_key->type->name);
1390
1391 if (edit) {
1392 if (!edit->dead_leaf) {
1393 key_payload_reserve(keyring,
1394 keyring->datalen - KEYQUOTA_LINK_BYTES);
1395 }
1396 assoc_array_cancel_edit(edit);
1397 }
1398 up_write(&keyring->sem);
1399
1400 if (index_key->type == &key_type_keyring)
1401 mutex_unlock(&keyring_serialise_link_lock);
1402}
1403
1404
1405
1406
1407static int __key_link_check_restriction(struct key *keyring, struct key *key)
1408{
1409 if (!keyring->restrict_link || !keyring->restrict_link->check)
1410 return 0;
1411 return keyring->restrict_link->check(keyring, key->type, &key->payload,
1412 keyring->restrict_link->key);
1413}
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435int key_link(struct key *keyring, struct key *key)
1436{
1437 struct assoc_array_edit *edit = NULL;
1438 int ret;
1439
1440 kenter("{%d,%d}", keyring->serial, refcount_read(&keyring->usage));
1441
1442 key_check(keyring);
1443 key_check(key);
1444
1445 ret = __key_link_lock(keyring, &key->index_key);
1446 if (ret < 0)
1447 goto error;
1448
1449 ret = __key_link_begin(keyring, &key->index_key, &edit);
1450 if (ret < 0)
1451 goto error_end;
1452
1453 kdebug("begun {%d,%d}", keyring->serial, refcount_read(&keyring->usage));
1454 ret = __key_link_check_restriction(keyring, key);
1455 if (ret == 0)
1456 ret = __key_link_check_live_key(keyring, key);
1457 if (ret == 0)
1458 __key_link(key, &edit);
1459
1460error_end:
1461 __key_link_end(keyring, &key->index_key, edit);
1462error:
1463 kleave(" = %d {%d,%d}", ret, keyring->serial, refcount_read(&keyring->usage));
1464 return ret;
1465}
1466EXPORT_SYMBOL(key_link);
1467
1468
1469
1470
1471static int __key_unlink_lock(struct key *keyring)
1472 __acquires(&keyring->sem)
1473{
1474 if (keyring->type != &key_type_keyring)
1475 return -ENOTDIR;
1476
1477 down_write(&keyring->sem);
1478 return 0;
1479}
1480
1481
1482
1483
1484static int __key_unlink_begin(struct key *keyring, struct key *key,
1485 struct assoc_array_edit **_edit)
1486{
1487 struct assoc_array_edit *edit;
1488
1489 BUG_ON(*_edit != NULL);
1490
1491 edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops,
1492 &key->index_key);
1493 if (IS_ERR(edit))
1494 return PTR_ERR(edit);
1495
1496 if (!edit)
1497 return -ENOENT;
1498
1499 *_edit = edit;
1500 return 0;
1501}
1502
1503
1504
1505
1506static void __key_unlink(struct key *keyring, struct key *key,
1507 struct assoc_array_edit **_edit)
1508{
1509 assoc_array_apply_edit(*_edit);
1510 *_edit = NULL;
1511 key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES);
1512}
1513
1514
1515
1516
1517static void __key_unlink_end(struct key *keyring,
1518 struct key *key,
1519 struct assoc_array_edit *edit)
1520 __releases(&keyring->sem)
1521{
1522 if (edit)
1523 assoc_array_cancel_edit(edit);
1524 up_write(&keyring->sem);
1525}
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544int key_unlink(struct key *keyring, struct key *key)
1545{
1546 struct assoc_array_edit *edit = NULL;
1547 int ret;
1548
1549 key_check(keyring);
1550 key_check(key);
1551
1552 ret = __key_unlink_lock(keyring);
1553 if (ret < 0)
1554 return ret;
1555
1556 ret = __key_unlink_begin(keyring, key, &edit);
1557 if (ret == 0)
1558 __key_unlink(keyring, key, &edit);
1559 __key_unlink_end(keyring, key, edit);
1560 return ret;
1561}
1562EXPORT_SYMBOL(key_unlink);
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589int key_move(struct key *key,
1590 struct key *from_keyring,
1591 struct key *to_keyring,
1592 unsigned int flags)
1593{
1594 struct assoc_array_edit *from_edit = NULL, *to_edit = NULL;
1595 int ret;
1596
1597 kenter("%d,%d,%d", key->serial, from_keyring->serial, to_keyring->serial);
1598
1599 if (from_keyring == to_keyring)
1600 return 0;
1601
1602 key_check(key);
1603 key_check(from_keyring);
1604 key_check(to_keyring);
1605
1606 ret = __key_move_lock(from_keyring, to_keyring, &key->index_key);
1607 if (ret < 0)
1608 goto out;
1609 ret = __key_unlink_begin(from_keyring, key, &from_edit);
1610 if (ret < 0)
1611 goto error;
1612 ret = __key_link_begin(to_keyring, &key->index_key, &to_edit);
1613 if (ret < 0)
1614 goto error;
1615
1616 ret = -EEXIST;
1617 if (to_edit->dead_leaf && (flags & KEYCTL_MOVE_EXCL))
1618 goto error;
1619
1620 ret = __key_link_check_restriction(to_keyring, key);
1621 if (ret < 0)
1622 goto error;
1623 ret = __key_link_check_live_key(to_keyring, key);
1624 if (ret < 0)
1625 goto error;
1626
1627 __key_unlink(from_keyring, key, &from_edit);
1628 __key_link(key, &to_edit);
1629error:
1630 __key_link_end(to_keyring, &key->index_key, to_edit);
1631 __key_unlink_end(from_keyring, key, from_edit);
1632out:
1633 kleave(" = %d", ret);
1634 return ret;
1635}
1636EXPORT_SYMBOL(key_move);
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646int keyring_clear(struct key *keyring)
1647{
1648 struct assoc_array_edit *edit;
1649 int ret;
1650
1651 if (keyring->type != &key_type_keyring)
1652 return -ENOTDIR;
1653
1654 down_write(&keyring->sem);
1655
1656 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1657 if (IS_ERR(edit)) {
1658 ret = PTR_ERR(edit);
1659 } else {
1660 if (edit)
1661 assoc_array_apply_edit(edit);
1662 key_payload_reserve(keyring, 0);
1663 ret = 0;
1664 }
1665
1666 up_write(&keyring->sem);
1667 return ret;
1668}
1669EXPORT_SYMBOL(keyring_clear);
1670
1671
1672
1673
1674
1675
1676static void keyring_revoke(struct key *keyring)
1677{
1678 struct assoc_array_edit *edit;
1679
1680 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1681 if (!IS_ERR(edit)) {
1682 if (edit)
1683 assoc_array_apply_edit(edit);
1684 key_payload_reserve(keyring, 0);
1685 }
1686}
1687
1688static bool keyring_gc_select_iterator(void *object, void *iterator_data)
1689{
1690 struct key *key = keyring_ptr_to_key(object);
1691 time64_t *limit = iterator_data;
1692
1693 if (key_is_dead(key, *limit))
1694 return false;
1695 key_get(key);
1696 return true;
1697}
1698
1699static int keyring_gc_check_iterator(const void *object, void *iterator_data)
1700{
1701 const struct key *key = keyring_ptr_to_key(object);
1702 time64_t *limit = iterator_data;
1703
1704 key_check(key);
1705 return key_is_dead(key, *limit);
1706}
1707
1708
1709
1710
1711
1712
1713
1714void keyring_gc(struct key *keyring, time64_t limit)
1715{
1716 int result;
1717
1718 kenter("%x{%s}", keyring->serial, keyring->description ?: "");
1719
1720 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
1721 (1 << KEY_FLAG_REVOKED)))
1722 goto dont_gc;
1723
1724
1725 rcu_read_lock();
1726 result = assoc_array_iterate(&keyring->keys,
1727 keyring_gc_check_iterator, &limit);
1728 rcu_read_unlock();
1729 if (result == true)
1730 goto do_gc;
1731
1732dont_gc:
1733 kleave(" [no gc]");
1734 return;
1735
1736do_gc:
1737 down_write(&keyring->sem);
1738 assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops,
1739 keyring_gc_select_iterator, &limit);
1740 up_write(&keyring->sem);
1741 kleave(" [gc]");
1742}
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759void keyring_restriction_gc(struct key *keyring, struct key_type *dead_type)
1760{
1761 struct key_restriction *keyres;
1762
1763 kenter("%x{%s}", keyring->serial, keyring->description ?: "");
1764
1765
1766
1767
1768
1769
1770
1771
1772 if (!dead_type || !keyring->restrict_link ||
1773 keyring->restrict_link->keytype != dead_type) {
1774 kleave(" [no restriction gc]");
1775 return;
1776 }
1777
1778
1779 down_write(&keyring->sem);
1780
1781 keyres = keyring->restrict_link;
1782
1783 keyres->check = restrict_link_reject;
1784
1785 key_put(keyres->key);
1786 keyres->key = NULL;
1787 keyres->keytype = NULL;
1788
1789 up_write(&keyring->sem);
1790
1791 kleave(" [restriction gc]");
1792}
1793