linux/security/keys/keyctl.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/* Userspace key control operations
   3 *
   4 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
   5 * Written by David Howells (dhowells@redhat.com)
   6 */
   7
   8#include <linux/init.h>
   9#include <linux/sched.h>
  10#include <linux/sched/task.h>
  11#include <linux/slab.h>
  12#include <linux/syscalls.h>
  13#include <linux/key.h>
  14#include <linux/keyctl.h>
  15#include <linux/fs.h>
  16#include <linux/capability.h>
  17#include <linux/cred.h>
  18#include <linux/string.h>
  19#include <linux/err.h>
  20#include <linux/vmalloc.h>
  21#include <linux/security.h>
  22#include <linux/uio.h>
  23#include <linux/uaccess.h>
  24#include <keys/request_key_auth-type.h>
  25#include "internal.h"
  26
  27#define KEY_MAX_DESC_SIZE 4096
  28
  29static const unsigned char keyrings_capabilities[2] = {
  30        [0] = (KEYCTL_CAPS0_CAPABILITIES |
  31               (IS_ENABLED(CONFIG_PERSISTENT_KEYRINGS)  ? KEYCTL_CAPS0_PERSISTENT_KEYRINGS : 0) |
  32               (IS_ENABLED(CONFIG_KEY_DH_OPERATIONS)    ? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) |
  33               (IS_ENABLED(CONFIG_ASYMMETRIC_KEY_TYPE)  ? KEYCTL_CAPS0_PUBLIC_KEY : 0) |
  34               (IS_ENABLED(CONFIG_BIG_KEYS)             ? KEYCTL_CAPS0_BIG_KEY : 0) |
  35               KEYCTL_CAPS0_INVALIDATE |
  36               KEYCTL_CAPS0_RESTRICT_KEYRING |
  37               KEYCTL_CAPS0_MOVE
  38               ),
  39        [1] = (KEYCTL_CAPS1_NS_KEYRING_NAME |
  40               KEYCTL_CAPS1_NS_KEY_TAG),
  41};
  42
  43static int key_get_type_from_user(char *type,
  44                                  const char __user *_type,
  45                                  unsigned len)
  46{
  47        int ret;
  48
  49        ret = strncpy_from_user(type, _type, len);
  50        if (ret < 0)
  51                return ret;
  52        if (ret == 0 || ret >= len)
  53                return -EINVAL;
  54        if (type[0] == '.')
  55                return -EPERM;
  56        type[len - 1] = '\0';
  57        return 0;
  58}
  59
  60/*
  61 * Extract the description of a new key from userspace and either add it as a
  62 * new key to the specified keyring or update a matching key in that keyring.
  63 *
  64 * If the description is NULL or an empty string, the key type is asked to
  65 * generate one from the payload.
  66 *
  67 * The keyring must be writable so that we can attach the key to it.
  68 *
  69 * If successful, the new key's serial number is returned, otherwise an error
  70 * code is returned.
  71 */
  72SYSCALL_DEFINE5(add_key, const char __user *, _type,
  73                const char __user *, _description,
  74                const void __user *, _payload,
  75                size_t, plen,
  76                key_serial_t, ringid)
  77{
  78        key_ref_t keyring_ref, key_ref;
  79        char type[32], *description;
  80        void *payload;
  81        long ret;
  82
  83        ret = -EINVAL;
  84        if (plen > 1024 * 1024 - 1)
  85                goto error;
  86
  87        /* draw all the data into kernel space */
  88        ret = key_get_type_from_user(type, _type, sizeof(type));
  89        if (ret < 0)
  90                goto error;
  91
  92        description = NULL;
  93        if (_description) {
  94                description = strndup_user(_description, KEY_MAX_DESC_SIZE);
  95                if (IS_ERR(description)) {
  96                        ret = PTR_ERR(description);
  97                        goto error;
  98                }
  99                if (!*description) {
 100                        kfree(description);
 101                        description = NULL;
 102                } else if ((description[0] == '.') &&
 103                           (strncmp(type, "keyring", 7) == 0)) {
 104                        ret = -EPERM;
 105                        goto error2;
 106                }
 107        }
 108
 109        /* pull the payload in if one was supplied */
 110        payload = NULL;
 111
 112        if (plen) {
 113                ret = -ENOMEM;
 114                payload = kvmalloc(plen, GFP_KERNEL);
 115                if (!payload)
 116                        goto error2;
 117
 118                ret = -EFAULT;
 119                if (copy_from_user(payload, _payload, plen) != 0)
 120                        goto error3;
 121        }
 122
 123        /* find the target keyring (which must be writable) */
 124        keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
 125        if (IS_ERR(keyring_ref)) {
 126                ret = PTR_ERR(keyring_ref);
 127                goto error3;
 128        }
 129
 130        /* create or update the requested key and add it to the target
 131         * keyring */
 132        key_ref = key_create_or_update(keyring_ref, type, description,
 133                                       payload, plen, KEY_PERM_UNDEF,
 134                                       KEY_ALLOC_IN_QUOTA);
 135        if (!IS_ERR(key_ref)) {
 136                ret = key_ref_to_ptr(key_ref)->serial;
 137                key_ref_put(key_ref);
 138        }
 139        else {
 140                ret = PTR_ERR(key_ref);
 141        }
 142
 143        key_ref_put(keyring_ref);
 144 error3:
 145        if (payload) {
 146                memzero_explicit(payload, plen);
 147                kvfree(payload);
 148        }
 149 error2:
 150        kfree(description);
 151 error:
 152        return ret;
 153}
 154
 155/*
 156 * Search the process keyrings and keyring trees linked from those for a
 157 * matching key.  Keyrings must have appropriate Search permission to be
 158 * searched.
 159 *
 160 * If a key is found, it will be attached to the destination keyring if there's
 161 * one specified and the serial number of the key will be returned.
 162 *
 163 * If no key is found, /sbin/request-key will be invoked if _callout_info is
 164 * non-NULL in an attempt to create a key.  The _callout_info string will be
 165 * passed to /sbin/request-key to aid with completing the request.  If the
 166 * _callout_info string is "" then it will be changed to "-".
 167 */
 168SYSCALL_DEFINE4(request_key, const char __user *, _type,
 169                const char __user *, _description,
 170                const char __user *, _callout_info,
 171                key_serial_t, destringid)
 172{
 173        struct key_type *ktype;
 174        struct key *key;
 175        key_ref_t dest_ref;
 176        size_t callout_len;
 177        char type[32], *description, *callout_info;
 178        long ret;
 179
 180        /* pull the type into kernel space */
 181        ret = key_get_type_from_user(type, _type, sizeof(type));
 182        if (ret < 0)
 183                goto error;
 184
 185        /* pull the description into kernel space */
 186        description = strndup_user(_description, KEY_MAX_DESC_SIZE);
 187        if (IS_ERR(description)) {
 188                ret = PTR_ERR(description);
 189                goto error;
 190        }
 191
 192        /* pull the callout info into kernel space */
 193        callout_info = NULL;
 194        callout_len = 0;
 195        if (_callout_info) {
 196                callout_info = strndup_user(_callout_info, PAGE_SIZE);
 197                if (IS_ERR(callout_info)) {
 198                        ret = PTR_ERR(callout_info);
 199                        goto error2;
 200                }
 201                callout_len = strlen(callout_info);
 202        }
 203
 204        /* get the destination keyring if specified */
 205        dest_ref = NULL;
 206        if (destringid) {
 207                dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE,
 208                                           KEY_NEED_WRITE);
 209                if (IS_ERR(dest_ref)) {
 210                        ret = PTR_ERR(dest_ref);
 211                        goto error3;
 212                }
 213        }
 214
 215        /* find the key type */
 216        ktype = key_type_lookup(type);
 217        if (IS_ERR(ktype)) {
 218                ret = PTR_ERR(ktype);
 219                goto error4;
 220        }
 221
 222        /* do the search */
 223        key = request_key_and_link(ktype, description, NULL, callout_info,
 224                                   callout_len, NULL, key_ref_to_ptr(dest_ref),
 225                                   KEY_ALLOC_IN_QUOTA);
 226        if (IS_ERR(key)) {
 227                ret = PTR_ERR(key);
 228                goto error5;
 229        }
 230
 231        /* wait for the key to finish being constructed */
 232        ret = wait_for_key_construction(key, 1);
 233        if (ret < 0)
 234                goto error6;
 235
 236        ret = key->serial;
 237
 238error6:
 239        key_put(key);
 240error5:
 241        key_type_put(ktype);
 242error4:
 243        key_ref_put(dest_ref);
 244error3:
 245        kfree(callout_info);
 246error2:
 247        kfree(description);
 248error:
 249        return ret;
 250}
 251
 252/*
 253 * Get the ID of the specified process keyring.
 254 *
 255 * The requested keyring must have search permission to be found.
 256 *
 257 * If successful, the ID of the requested keyring will be returned.
 258 */
 259long keyctl_get_keyring_ID(key_serial_t id, int create)
 260{
 261        key_ref_t key_ref;
 262        unsigned long lflags;
 263        long ret;
 264
 265        lflags = create ? KEY_LOOKUP_CREATE : 0;
 266        key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH);
 267        if (IS_ERR(key_ref)) {
 268                ret = PTR_ERR(key_ref);
 269                goto error;
 270        }
 271
 272        ret = key_ref_to_ptr(key_ref)->serial;
 273        key_ref_put(key_ref);
 274error:
 275        return ret;
 276}
 277
 278/*
 279 * Join a (named) session keyring.
 280 *
 281 * Create and join an anonymous session keyring or join a named session
 282 * keyring, creating it if necessary.  A named session keyring must have Search
 283 * permission for it to be joined.  Session keyrings without this permit will
 284 * be skipped over.  It is not permitted for userspace to create or join
 285 * keyrings whose name begin with a dot.
 286 *
 287 * If successful, the ID of the joined session keyring will be returned.
 288 */
 289long keyctl_join_session_keyring(const char __user *_name)
 290{
 291        char *name;
 292        long ret;
 293
 294        /* fetch the name from userspace */
 295        name = NULL;
 296        if (_name) {
 297                name = strndup_user(_name, KEY_MAX_DESC_SIZE);
 298                if (IS_ERR(name)) {
 299                        ret = PTR_ERR(name);
 300                        goto error;
 301                }
 302
 303                ret = -EPERM;
 304                if (name[0] == '.')
 305                        goto error_name;
 306        }
 307
 308        /* join the session */
 309        ret = join_session_keyring(name);
 310error_name:
 311        kfree(name);
 312error:
 313        return ret;
 314}
 315
 316/*
 317 * Update a key's data payload from the given data.
 318 *
 319 * The key must grant the caller Write permission and the key type must support
 320 * updating for this to work.  A negative key can be positively instantiated
 321 * with this call.
 322 *
 323 * If successful, 0 will be returned.  If the key type does not support
 324 * updating, then -EOPNOTSUPP will be returned.
 325 */
 326long keyctl_update_key(key_serial_t id,
 327                       const void __user *_payload,
 328                       size_t plen)
 329{
 330        key_ref_t key_ref;
 331        void *payload;
 332        long ret;
 333
 334        ret = -EINVAL;
 335        if (plen > PAGE_SIZE)
 336                goto error;
 337
 338        /* pull the payload in if one was supplied */
 339        payload = NULL;
 340        if (plen) {
 341                ret = -ENOMEM;
 342                payload = kvmalloc(plen, GFP_KERNEL);
 343                if (!payload)
 344                        goto error;
 345
 346                ret = -EFAULT;
 347                if (copy_from_user(payload, _payload, plen) != 0)
 348                        goto error2;
 349        }
 350
 351        /* find the target key (which must be writable) */
 352        key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE);
 353        if (IS_ERR(key_ref)) {
 354                ret = PTR_ERR(key_ref);
 355                goto error2;
 356        }
 357
 358        /* update the key */
 359        ret = key_update(key_ref, payload, plen);
 360
 361        key_ref_put(key_ref);
 362error2:
 363        __kvzfree(payload, plen);
 364error:
 365        return ret;
 366}
 367
 368/*
 369 * Revoke a key.
 370 *
 371 * The key must be grant the caller Write or Setattr permission for this to
 372 * work.  The key type should give up its quota claim when revoked.  The key
 373 * and any links to the key will be automatically garbage collected after a
 374 * certain amount of time (/proc/sys/kernel/keys/gc_delay).
 375 *
 376 * Keys with KEY_FLAG_KEEP set should not be revoked.
 377 *
 378 * If successful, 0 is returned.
 379 */
 380long keyctl_revoke_key(key_serial_t id)
 381{
 382        key_ref_t key_ref;
 383        struct key *key;
 384        long ret;
 385
 386        key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE);
 387        if (IS_ERR(key_ref)) {
 388                ret = PTR_ERR(key_ref);
 389                if (ret != -EACCES)
 390                        goto error;
 391                key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR);
 392                if (IS_ERR(key_ref)) {
 393                        ret = PTR_ERR(key_ref);
 394                        goto error;
 395                }
 396        }
 397
 398        key = key_ref_to_ptr(key_ref);
 399        ret = 0;
 400        if (test_bit(KEY_FLAG_KEEP, &key->flags))
 401                ret = -EPERM;
 402        else
 403                key_revoke(key);
 404
 405        key_ref_put(key_ref);
 406error:
 407        return ret;
 408}
 409
 410/*
 411 * Invalidate a key.
 412 *
 413 * The key must be grant the caller Invalidate permission for this to work.
 414 * The key and any links to the key will be automatically garbage collected
 415 * immediately.
 416 *
 417 * Keys with KEY_FLAG_KEEP set should not be invalidated.
 418 *
 419 * If successful, 0 is returned.
 420 */
 421long keyctl_invalidate_key(key_serial_t id)
 422{
 423        key_ref_t key_ref;
 424        struct key *key;
 425        long ret;
 426
 427        kenter("%d", id);
 428
 429        key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
 430        if (IS_ERR(key_ref)) {
 431                ret = PTR_ERR(key_ref);
 432
 433                /* Root is permitted to invalidate certain special keys */
 434                if (capable(CAP_SYS_ADMIN)) {
 435                        key_ref = lookup_user_key(id, 0, 0);
 436                        if (IS_ERR(key_ref))
 437                                goto error;
 438                        if (test_bit(KEY_FLAG_ROOT_CAN_INVAL,
 439                                     &key_ref_to_ptr(key_ref)->flags))
 440                                goto invalidate;
 441                        goto error_put;
 442                }
 443
 444                goto error;
 445        }
 446
 447invalidate:
 448        key = key_ref_to_ptr(key_ref);
 449        ret = 0;
 450        if (test_bit(KEY_FLAG_KEEP, &key->flags))
 451                ret = -EPERM;
 452        else
 453                key_invalidate(key);
 454error_put:
 455        key_ref_put(key_ref);
 456error:
 457        kleave(" = %ld", ret);
 458        return ret;
 459}
 460
 461/*
 462 * Clear the specified keyring, creating an empty process keyring if one of the
 463 * special keyring IDs is used.
 464 *
 465 * The keyring must grant the caller Write permission and not have
 466 * KEY_FLAG_KEEP set for this to work.  If successful, 0 will be returned.
 467 */
 468long keyctl_keyring_clear(key_serial_t ringid)
 469{
 470        key_ref_t keyring_ref;
 471        struct key *keyring;
 472        long ret;
 473
 474        keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
 475        if (IS_ERR(keyring_ref)) {
 476                ret = PTR_ERR(keyring_ref);
 477
 478                /* Root is permitted to invalidate certain special keyrings */
 479                if (capable(CAP_SYS_ADMIN)) {
 480                        keyring_ref = lookup_user_key(ringid, 0, 0);
 481                        if (IS_ERR(keyring_ref))
 482                                goto error;
 483                        if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,
 484                                     &key_ref_to_ptr(keyring_ref)->flags))
 485                                goto clear;
 486                        goto error_put;
 487                }
 488
 489                goto error;
 490        }
 491
 492clear:
 493        keyring = key_ref_to_ptr(keyring_ref);
 494        if (test_bit(KEY_FLAG_KEEP, &keyring->flags))
 495                ret = -EPERM;
 496        else
 497                ret = keyring_clear(keyring);
 498error_put:
 499        key_ref_put(keyring_ref);
 500error:
 501        return ret;
 502}
 503
 504/*
 505 * Create a link from a keyring to a key if there's no matching key in the
 506 * keyring, otherwise replace the link to the matching key with a link to the
 507 * new key.
 508 *
 509 * The key must grant the caller Link permission and the the keyring must grant
 510 * the caller Write permission.  Furthermore, if an additional link is created,
 511 * the keyring's quota will be extended.
 512 *
 513 * If successful, 0 will be returned.
 514 */
 515long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
 516{
 517        key_ref_t keyring_ref, key_ref;
 518        long ret;
 519
 520        keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
 521        if (IS_ERR(keyring_ref)) {
 522                ret = PTR_ERR(keyring_ref);
 523                goto error;
 524        }
 525
 526        key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK);
 527        if (IS_ERR(key_ref)) {
 528                ret = PTR_ERR(key_ref);
 529                goto error2;
 530        }
 531
 532        ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
 533
 534        key_ref_put(key_ref);
 535error2:
 536        key_ref_put(keyring_ref);
 537error:
 538        return ret;
 539}
 540
 541/*
 542 * Unlink a key from a keyring.
 543 *
 544 * The keyring must grant the caller Write permission for this to work; the key
 545 * itself need not grant the caller anything.  If the last link to a key is
 546 * removed then that key will be scheduled for destruction.
 547 *
 548 * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked.
 549 *
 550 * If successful, 0 will be returned.
 551 */
 552long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
 553{
 554        key_ref_t keyring_ref, key_ref;
 555        struct key *keyring, *key;
 556        long ret;
 557
 558        keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE);
 559        if (IS_ERR(keyring_ref)) {
 560                ret = PTR_ERR(keyring_ref);
 561                goto error;
 562        }
 563
 564        key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0);
 565        if (IS_ERR(key_ref)) {
 566                ret = PTR_ERR(key_ref);
 567                goto error2;
 568        }
 569
 570        keyring = key_ref_to_ptr(keyring_ref);
 571        key = key_ref_to_ptr(key_ref);
 572        if (test_bit(KEY_FLAG_KEEP, &keyring->flags) &&
 573            test_bit(KEY_FLAG_KEEP, &key->flags))
 574                ret = -EPERM;
 575        else
 576                ret = key_unlink(keyring, key);
 577
 578        key_ref_put(key_ref);
 579error2:
 580        key_ref_put(keyring_ref);
 581error:
 582        return ret;
 583}
 584
 585/*
 586 * Move a link to a key from one keyring to another, displacing any matching
 587 * key from the destination keyring.
 588 *
 589 * The key must grant the caller Link permission and both keyrings must grant
 590 * the caller Write permission.  There must also be a link in the from keyring
 591 * to the key.  If both keyrings are the same, nothing is done.
 592 *
 593 * If successful, 0 will be returned.
 594 */
 595long keyctl_keyring_move(key_serial_t id, key_serial_t from_ringid,
 596                         key_serial_t to_ringid, unsigned int flags)
 597{
 598        key_ref_t key_ref, from_ref, to_ref;
 599        long ret;
 600
 601        if (flags & ~KEYCTL_MOVE_EXCL)
 602                return -EINVAL;
 603
 604        key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK);
 605        if (IS_ERR(key_ref))
 606                return PTR_ERR(key_ref);
 607
 608        from_ref = lookup_user_key(from_ringid, 0, KEY_NEED_WRITE);
 609        if (IS_ERR(from_ref)) {
 610                ret = PTR_ERR(from_ref);
 611                goto error2;
 612        }
 613
 614        to_ref = lookup_user_key(to_ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
 615        if (IS_ERR(to_ref)) {
 616                ret = PTR_ERR(to_ref);
 617                goto error3;
 618        }
 619
 620        ret = key_move(key_ref_to_ptr(key_ref), key_ref_to_ptr(from_ref),
 621                       key_ref_to_ptr(to_ref), flags);
 622
 623        key_ref_put(to_ref);
 624error3:
 625        key_ref_put(from_ref);
 626error2:
 627        key_ref_put(key_ref);
 628        return ret;
 629}
 630
 631/*
 632 * Return a description of a key to userspace.
 633 *
 634 * The key must grant the caller View permission for this to work.
 635 *
 636 * If there's a buffer, we place up to buflen bytes of data into it formatted
 637 * in the following way:
 638 *
 639 *      type;uid;gid;perm;description<NUL>
 640 *
 641 * If successful, we return the amount of description available, irrespective
 642 * of how much we may have copied into the buffer.
 643 */
 644long keyctl_describe_key(key_serial_t keyid,
 645                         char __user *buffer,
 646                         size_t buflen)
 647{
 648        struct key *key, *instkey;
 649        key_ref_t key_ref;
 650        char *infobuf;
 651        long ret;
 652        int desclen, infolen;
 653
 654        key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW);
 655        if (IS_ERR(key_ref)) {
 656                /* viewing a key under construction is permitted if we have the
 657                 * authorisation token handy */
 658                if (PTR_ERR(key_ref) == -EACCES) {
 659                        instkey = key_get_instantiation_authkey(keyid);
 660                        if (!IS_ERR(instkey)) {
 661                                key_put(instkey);
 662                                key_ref = lookup_user_key(keyid,
 663                                                          KEY_LOOKUP_PARTIAL,
 664                                                          0);
 665                                if (!IS_ERR(key_ref))
 666                                        goto okay;
 667                        }
 668                }
 669
 670                ret = PTR_ERR(key_ref);
 671                goto error;
 672        }
 673
 674okay:
 675        key = key_ref_to_ptr(key_ref);
 676        desclen = strlen(key->description);
 677
 678        /* calculate how much information we're going to return */
 679        ret = -ENOMEM;
 680        infobuf = kasprintf(GFP_KERNEL,
 681                            "%s;%d;%d;%08x;",
 682                            key->type->name,
 683                            from_kuid_munged(current_user_ns(), key->uid),
 684                            from_kgid_munged(current_user_ns(), key->gid),
 685                            key->perm);
 686        if (!infobuf)
 687                goto error2;
 688        infolen = strlen(infobuf);
 689        ret = infolen + desclen + 1;
 690
 691        /* consider returning the data */
 692        if (buffer && buflen >= ret) {
 693                if (copy_to_user(buffer, infobuf, infolen) != 0 ||
 694                    copy_to_user(buffer + infolen, key->description,
 695                                 desclen + 1) != 0)
 696                        ret = -EFAULT;
 697        }
 698
 699        kfree(infobuf);
 700error2:
 701        key_ref_put(key_ref);
 702error:
 703        return ret;
 704}
 705
 706/*
 707 * Search the specified keyring and any keyrings it links to for a matching
 708 * key.  Only keyrings that grant the caller Search permission will be searched
 709 * (this includes the starting keyring).  Only keys with Search permission can
 710 * be found.
 711 *
 712 * If successful, the found key will be linked to the destination keyring if
 713 * supplied and the key has Link permission, and the found key ID will be
 714 * returned.
 715 */
 716long keyctl_keyring_search(key_serial_t ringid,
 717                           const char __user *_type,
 718                           const char __user *_description,
 719                           key_serial_t destringid)
 720{
 721        struct key_type *ktype;
 722        key_ref_t keyring_ref, key_ref, dest_ref;
 723        char type[32], *description;
 724        long ret;
 725
 726        /* pull the type and description into kernel space */
 727        ret = key_get_type_from_user(type, _type, sizeof(type));
 728        if (ret < 0)
 729                goto error;
 730
 731        description = strndup_user(_description, KEY_MAX_DESC_SIZE);
 732        if (IS_ERR(description)) {
 733                ret = PTR_ERR(description);
 734                goto error;
 735        }
 736
 737        /* get the keyring at which to begin the search */
 738        keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH);
 739        if (IS_ERR(keyring_ref)) {
 740                ret = PTR_ERR(keyring_ref);
 741                goto error2;
 742        }
 743
 744        /* get the destination keyring if specified */
 745        dest_ref = NULL;
 746        if (destringid) {
 747                dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE,
 748                                           KEY_NEED_WRITE);
 749                if (IS_ERR(dest_ref)) {
 750                        ret = PTR_ERR(dest_ref);
 751                        goto error3;
 752                }
 753        }
 754
 755        /* find the key type */
 756        ktype = key_type_lookup(type);
 757        if (IS_ERR(ktype)) {
 758                ret = PTR_ERR(ktype);
 759                goto error4;
 760        }
 761
 762        /* do the search */
 763        key_ref = keyring_search(keyring_ref, ktype, description, true);
 764        if (IS_ERR(key_ref)) {
 765                ret = PTR_ERR(key_ref);
 766
 767                /* treat lack or presence of a negative key the same */
 768                if (ret == -EAGAIN)
 769                        ret = -ENOKEY;
 770                goto error5;
 771        }
 772
 773        /* link the resulting key to the destination keyring if we can */
 774        if (dest_ref) {
 775                ret = key_permission(key_ref, KEY_NEED_LINK);
 776                if (ret < 0)
 777                        goto error6;
 778
 779                ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref));
 780                if (ret < 0)
 781                        goto error6;
 782        }
 783
 784        ret = key_ref_to_ptr(key_ref)->serial;
 785
 786error6:
 787        key_ref_put(key_ref);
 788error5:
 789        key_type_put(ktype);
 790error4:
 791        key_ref_put(dest_ref);
 792error3:
 793        key_ref_put(keyring_ref);
 794error2:
 795        kfree(description);
 796error:
 797        return ret;
 798}
 799
 800/*
 801 * Call the read method
 802 */
 803static long __keyctl_read_key(struct key *key, char *buffer, size_t buflen)
 804{
 805        long ret;
 806
 807        down_read(&key->sem);
 808        ret = key_validate(key);
 809        if (ret == 0)
 810                ret = key->type->read(key, buffer, buflen);
 811        up_read(&key->sem);
 812        return ret;
 813}
 814
 815/*
 816 * Read a key's payload.
 817 *
 818 * The key must either grant the caller Read permission, or it must grant the
 819 * caller Search permission when searched for from the process keyrings.
 820 *
 821 * If successful, we place up to buflen bytes of data into the buffer, if one
 822 * is provided, and return the amount of data that is available in the key,
 823 * irrespective of how much we copied into the buffer.
 824 */
 825long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
 826{
 827        struct key *key;
 828        key_ref_t key_ref;
 829        long ret;
 830        char *key_data = NULL;
 831        size_t key_data_len;
 832
 833        /* find the key first */
 834        key_ref = lookup_user_key(keyid, 0, 0);
 835        if (IS_ERR(key_ref)) {
 836                ret = -ENOKEY;
 837                goto out;
 838        }
 839
 840        key = key_ref_to_ptr(key_ref);
 841
 842        ret = key_read_state(key);
 843        if (ret < 0)
 844                goto key_put_out; /* Negatively instantiated */
 845
 846        /* see if we can read it directly */
 847        ret = key_permission(key_ref, KEY_NEED_READ);
 848        if (ret == 0)
 849                goto can_read_key;
 850        if (ret != -EACCES)
 851                goto key_put_out;
 852
 853        /* we can't; see if it's searchable from this process's keyrings
 854         * - we automatically take account of the fact that it may be
 855         *   dangling off an instantiation key
 856         */
 857        if (!is_key_possessed(key_ref)) {
 858                ret = -EACCES;
 859                goto key_put_out;
 860        }
 861
 862        /* the key is probably readable - now try to read it */
 863can_read_key:
 864        if (!key->type->read) {
 865                ret = -EOPNOTSUPP;
 866                goto key_put_out;
 867        }
 868
 869        if (!buffer || !buflen) {
 870                /* Get the key length from the read method */
 871                ret = __keyctl_read_key(key, NULL, 0);
 872                goto key_put_out;
 873        }
 874
 875        /*
 876         * Read the data with the semaphore held (since we might sleep)
 877         * to protect against the key being updated or revoked.
 878         *
 879         * Allocating a temporary buffer to hold the keys before
 880         * transferring them to user buffer to avoid potential
 881         * deadlock involving page fault and mmap_sem.
 882         *
 883         * key_data_len = (buflen <= PAGE_SIZE)
 884         *              ? buflen : actual length of key data
 885         *
 886         * This prevents allocating arbitrary large buffer which can
 887         * be much larger than the actual key length. In the latter case,
 888         * at least 2 passes of this loop is required.
 889         */
 890        key_data_len = (buflen <= PAGE_SIZE) ? buflen : 0;
 891        for (;;) {
 892                if (key_data_len) {
 893                        key_data = kvmalloc(key_data_len, GFP_KERNEL);
 894                        if (!key_data) {
 895                                ret = -ENOMEM;
 896                                goto key_put_out;
 897                        }
 898                }
 899
 900                ret = __keyctl_read_key(key, key_data, key_data_len);
 901
 902                /*
 903                 * Read methods will just return the required length without
 904                 * any copying if the provided length isn't large enough.
 905                 */
 906                if (ret <= 0 || ret > buflen)
 907                        break;
 908
 909                /*
 910                 * The key may change (unlikely) in between 2 consecutive
 911                 * __keyctl_read_key() calls. In this case, we reallocate
 912                 * a larger buffer and redo the key read when
 913                 * key_data_len < ret <= buflen.
 914                 */
 915                if (ret > key_data_len) {
 916                        if (unlikely(key_data))
 917                                __kvzfree(key_data, key_data_len);
 918                        key_data_len = ret;
 919                        continue;       /* Allocate buffer */
 920                }
 921
 922                if (copy_to_user(buffer, key_data, ret))
 923                        ret = -EFAULT;
 924                break;
 925        }
 926        __kvzfree(key_data, key_data_len);
 927
 928key_put_out:
 929        key_put(key);
 930out:
 931        return ret;
 932}
 933
 934/*
 935 * Change the ownership of a key
 936 *
 937 * The key must grant the caller Setattr permission for this to work, though
 938 * the key need not be fully instantiated yet.  For the UID to be changed, or
 939 * for the GID to be changed to a group the caller is not a member of, the
 940 * caller must have sysadmin capability.  If either uid or gid is -1 then that
 941 * attribute is not changed.
 942 *
 943 * If the UID is to be changed, the new user must have sufficient quota to
 944 * accept the key.  The quota deduction will be removed from the old user to
 945 * the new user should the attribute be changed.
 946 *
 947 * If successful, 0 will be returned.
 948 */
 949long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group)
 950{
 951        struct key_user *newowner, *zapowner = NULL;
 952        struct key *key;
 953        key_ref_t key_ref;
 954        long ret;
 955        kuid_t uid;
 956        kgid_t gid;
 957
 958        uid = make_kuid(current_user_ns(), user);
 959        gid = make_kgid(current_user_ns(), group);
 960        ret = -EINVAL;
 961        if ((user != (uid_t) -1) && !uid_valid(uid))
 962                goto error;
 963        if ((group != (gid_t) -1) && !gid_valid(gid))
 964                goto error;
 965
 966        ret = 0;
 967        if (user == (uid_t) -1 && group == (gid_t) -1)
 968                goto error;
 969
 970        key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
 971                                  KEY_NEED_SETATTR);
 972        if (IS_ERR(key_ref)) {
 973                ret = PTR_ERR(key_ref);
 974                goto error;
 975        }
 976
 977        key = key_ref_to_ptr(key_ref);
 978
 979        /* make the changes with the locks held to prevent chown/chown races */
 980        ret = -EACCES;
 981        down_write(&key->sem);
 982
 983        if (!capable(CAP_SYS_ADMIN)) {
 984                /* only the sysadmin can chown a key to some other UID */
 985                if (user != (uid_t) -1 && !uid_eq(key->uid, uid))
 986                        goto error_put;
 987
 988                /* only the sysadmin can set the key's GID to a group other
 989                 * than one of those that the current process subscribes to */
 990                if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid))
 991                        goto error_put;
 992        }
 993
 994        /* change the UID */
 995        if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) {
 996                ret = -ENOMEM;
 997                newowner = key_user_lookup(uid);
 998                if (!newowner)
 999                        goto error_put;
1000
1001                /* transfer the quota burden to the new user */
1002                if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
1003                        unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ?
1004                                key_quota_root_maxkeys : key_quota_maxkeys;
1005                        unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ?
1006                                key_quota_root_maxbytes : key_quota_maxbytes;
1007
1008                        spin_lock(&newowner->lock);
1009                        if (newowner->qnkeys + 1 > maxkeys ||
1010                            newowner->qnbytes + key->quotalen > maxbytes ||
1011                            newowner->qnbytes + key->quotalen <
1012                            newowner->qnbytes)
1013                                goto quota_overrun;
1014
1015                        newowner->qnkeys++;
1016                        newowner->qnbytes += key->quotalen;
1017                        spin_unlock(&newowner->lock);
1018
1019                        spin_lock(&key->user->lock);
1020                        key->user->qnkeys--;
1021                        key->user->qnbytes -= key->quotalen;
1022                        spin_unlock(&key->user->lock);
1023                }
1024
1025                atomic_dec(&key->user->nkeys);
1026                atomic_inc(&newowner->nkeys);
1027
1028                if (key->state != KEY_IS_UNINSTANTIATED) {
1029                        atomic_dec(&key->user->nikeys);
1030                        atomic_inc(&newowner->nikeys);
1031                }
1032
1033                zapowner = key->user;
1034                key->user = newowner;
1035                key->uid = uid;
1036        }
1037
1038        /* change the GID */
1039        if (group != (gid_t) -1)
1040                key->gid = gid;
1041
1042        ret = 0;
1043
1044error_put:
1045        up_write(&key->sem);
1046        key_put(key);
1047        if (zapowner)
1048                key_user_put(zapowner);
1049error:
1050        return ret;
1051
1052quota_overrun:
1053        spin_unlock(&newowner->lock);
1054        zapowner = newowner;
1055        ret = -EDQUOT;
1056        goto error_put;
1057}
1058
1059/*
1060 * Change the permission mask on a key.
1061 *
1062 * The key must grant the caller Setattr permission for this to work, though
1063 * the key need not be fully instantiated yet.  If the caller does not have
1064 * sysadmin capability, it may only change the permission on keys that it owns.
1065 */
1066long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
1067{
1068        struct key *key;
1069        key_ref_t key_ref;
1070        long ret;
1071
1072        ret = -EINVAL;
1073        if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
1074                goto error;
1075
1076        key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
1077                                  KEY_NEED_SETATTR);
1078        if (IS_ERR(key_ref)) {
1079                ret = PTR_ERR(key_ref);
1080                goto error;
1081        }
1082
1083        key = key_ref_to_ptr(key_ref);
1084
1085        /* make the changes with the locks held to prevent chown/chmod races */
1086        ret = -EACCES;
1087        down_write(&key->sem);
1088
1089        /* if we're not the sysadmin, we can only change a key that we own */
1090        if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) {
1091                key->perm = perm;
1092                ret = 0;
1093        }
1094
1095        up_write(&key->sem);
1096        key_put(key);
1097error:
1098        return ret;
1099}
1100
1101/*
1102 * Get the destination keyring for instantiation and check that the caller has
1103 * Write permission on it.
1104 */
1105static long get_instantiation_keyring(key_serial_t ringid,
1106                                      struct request_key_auth *rka,
1107                                      struct key **_dest_keyring)
1108{
1109        key_ref_t dkref;
1110
1111        *_dest_keyring = NULL;
1112
1113        /* just return a NULL pointer if we weren't asked to make a link */
1114        if (ringid == 0)
1115                return 0;
1116
1117        /* if a specific keyring is nominated by ID, then use that */
1118        if (ringid > 0) {
1119                dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
1120                if (IS_ERR(dkref))
1121                        return PTR_ERR(dkref);
1122                *_dest_keyring = key_ref_to_ptr(dkref);
1123                return 0;
1124        }
1125
1126        if (ringid == KEY_SPEC_REQKEY_AUTH_KEY)
1127                return -EINVAL;
1128
1129        /* otherwise specify the destination keyring recorded in the
1130         * authorisation key (any KEY_SPEC_*_KEYRING) */
1131        if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) {
1132                *_dest_keyring = key_get(rka->dest_keyring);
1133                return 0;
1134        }
1135
1136        return -ENOKEY;
1137}
1138
1139/*
1140 * Change the request_key authorisation key on the current process.
1141 */
1142static int keyctl_change_reqkey_auth(struct key *key)
1143{
1144        struct cred *new;
1145
1146        new = prepare_creds();
1147        if (!new)
1148                return -ENOMEM;
1149
1150        key_put(new->request_key_auth);
1151        new->request_key_auth = key_get(key);
1152
1153        return commit_creds(new);
1154}
1155
1156/*
1157 * Instantiate a key with the specified payload and link the key into the
1158 * destination keyring if one is given.
1159 *
1160 * The caller must have the appropriate instantiation permit set for this to
1161 * work (see keyctl_assume_authority).  No other permissions are required.
1162 *
1163 * If successful, 0 will be returned.
1164 */
1165long keyctl_instantiate_key_common(key_serial_t id,
1166                                   struct iov_iter *from,
1167                                   key_serial_t ringid)
1168{
1169        const struct cred *cred = current_cred();
1170        struct request_key_auth *rka;
1171        struct key *instkey, *dest_keyring;
1172        size_t plen = from ? iov_iter_count(from) : 0;
1173        void *payload;
1174        long ret;
1175
1176        kenter("%d,,%zu,%d", id, plen, ringid);
1177
1178        if (!plen)
1179                from = NULL;
1180
1181        ret = -EINVAL;
1182        if (plen > 1024 * 1024 - 1)
1183                goto error;
1184
1185        /* the appropriate instantiation authorisation key must have been
1186         * assumed before calling this */
1187        ret = -EPERM;
1188        instkey = cred->request_key_auth;
1189        if (!instkey)
1190                goto error;
1191
1192        rka = instkey->payload.data[0];
1193        if (rka->target_key->serial != id)
1194                goto error;
1195
1196        /* pull the payload in if one was supplied */
1197        payload = NULL;
1198
1199        if (from) {
1200                ret = -ENOMEM;
1201                payload = kvmalloc(plen, GFP_KERNEL);
1202                if (!payload)
1203                        goto error;
1204
1205                ret = -EFAULT;
1206                if (!copy_from_iter_full(payload, plen, from))
1207                        goto error2;
1208        }
1209
1210        /* find the destination keyring amongst those belonging to the
1211         * requesting task */
1212        ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
1213        if (ret < 0)
1214                goto error2;
1215
1216        /* instantiate the key and link it into a keyring */
1217        ret = key_instantiate_and_link(rka->target_key, payload, plen,
1218                                       dest_keyring, instkey);
1219
1220        key_put(dest_keyring);
1221
1222        /* discard the assumed authority if it's just been disabled by
1223         * instantiation of the key */
1224        if (ret == 0)
1225                keyctl_change_reqkey_auth(NULL);
1226
1227error2:
1228        if (payload) {
1229                memzero_explicit(payload, plen);
1230                kvfree(payload);
1231        }
1232error:
1233        return ret;
1234}
1235
1236/*
1237 * Instantiate a key with the specified payload and link the key into the
1238 * destination keyring if one is given.
1239 *
1240 * The caller must have the appropriate instantiation permit set for this to
1241 * work (see keyctl_assume_authority).  No other permissions are required.
1242 *
1243 * If successful, 0 will be returned.
1244 */
1245long keyctl_instantiate_key(key_serial_t id,
1246                            const void __user *_payload,
1247                            size_t plen,
1248                            key_serial_t ringid)
1249{
1250        if (_payload && plen) {
1251                struct iovec iov;
1252                struct iov_iter from;
1253                int ret;
1254
1255                ret = import_single_range(WRITE, (void __user *)_payload, plen,
1256                                          &iov, &from);
1257                if (unlikely(ret))
1258                        return ret;
1259
1260                return keyctl_instantiate_key_common(id, &from, ringid);
1261        }
1262
1263        return keyctl_instantiate_key_common(id, NULL, ringid);
1264}
1265
1266/*
1267 * Instantiate a key with the specified multipart payload and link the key into
1268 * the destination keyring if one is given.
1269 *
1270 * The caller must have the appropriate instantiation permit set for this to
1271 * work (see keyctl_assume_authority).  No other permissions are required.
1272 *
1273 * If successful, 0 will be returned.
1274 */
1275long keyctl_instantiate_key_iov(key_serial_t id,
1276                                const struct iovec __user *_payload_iov,
1277                                unsigned ioc,
1278                                key_serial_t ringid)
1279{
1280        struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
1281        struct iov_iter from;
1282        long ret;
1283
1284        if (!_payload_iov)
1285                ioc = 0;
1286
1287        ret = import_iovec(WRITE, _payload_iov, ioc,
1288                                    ARRAY_SIZE(iovstack), &iov, &from);
1289        if (ret < 0)
1290                return ret;
1291        ret = keyctl_instantiate_key_common(id, &from, ringid);
1292        kfree(iov);
1293        return ret;
1294}
1295
1296/*
1297 * Negatively instantiate the key with the given timeout (in seconds) and link
1298 * the key into the destination keyring if one is given.
1299 *
1300 * The caller must have the appropriate instantiation permit set for this to
1301 * work (see keyctl_assume_authority).  No other permissions are required.
1302 *
1303 * The key and any links to the key will be automatically garbage collected
1304 * after the timeout expires.
1305 *
1306 * Negative keys are used to rate limit repeated request_key() calls by causing
1307 * them to return -ENOKEY until the negative key expires.
1308 *
1309 * If successful, 0 will be returned.
1310 */
1311long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
1312{
1313        return keyctl_reject_key(id, timeout, ENOKEY, ringid);
1314}
1315
1316/*
1317 * Negatively instantiate the key with the given timeout (in seconds) and error
1318 * code and link the key into the destination keyring if one is given.
1319 *
1320 * The caller must have the appropriate instantiation permit set for this to
1321 * work (see keyctl_assume_authority).  No other permissions are required.
1322 *
1323 * The key and any links to the key will be automatically garbage collected
1324 * after the timeout expires.
1325 *
1326 * Negative keys are used to rate limit repeated request_key() calls by causing
1327 * them to return the specified error code until the negative key expires.
1328 *
1329 * If successful, 0 will be returned.
1330 */
1331long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error,
1332                       key_serial_t ringid)
1333{
1334        const struct cred *cred = current_cred();
1335        struct request_key_auth *rka;
1336        struct key *instkey, *dest_keyring;
1337        long ret;
1338
1339        kenter("%d,%u,%u,%d", id, timeout, error, ringid);
1340
1341        /* must be a valid error code and mustn't be a kernel special */
1342        if (error <= 0 ||
1343            error >= MAX_ERRNO ||
1344            error == ERESTARTSYS ||
1345            error == ERESTARTNOINTR ||
1346            error == ERESTARTNOHAND ||
1347            error == ERESTART_RESTARTBLOCK)
1348                return -EINVAL;
1349
1350        /* the appropriate instantiation authorisation key must have been
1351         * assumed before calling this */
1352        ret = -EPERM;
1353        instkey = cred->request_key_auth;
1354        if (!instkey)
1355                goto error;
1356
1357        rka = instkey->payload.data[0];
1358        if (rka->target_key->serial != id)
1359                goto error;
1360
1361        /* find the destination keyring if present (which must also be
1362         * writable) */
1363        ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
1364        if (ret < 0)
1365                goto error;
1366
1367        /* instantiate the key and link it into a keyring */
1368        ret = key_reject_and_link(rka->target_key, timeout, error,
1369                                  dest_keyring, instkey);
1370
1371        key_put(dest_keyring);
1372
1373        /* discard the assumed authority if it's just been disabled by
1374         * instantiation of the key */
1375        if (ret == 0)
1376                keyctl_change_reqkey_auth(NULL);
1377
1378error:
1379        return ret;
1380}
1381
1382/*
1383 * Read or set the default keyring in which request_key() will cache keys and
1384 * return the old setting.
1385 *
1386 * If a thread or process keyring is specified then it will be created if it
1387 * doesn't yet exist.  The old setting will be returned if successful.
1388 */
1389long keyctl_set_reqkey_keyring(int reqkey_defl)
1390{
1391        struct cred *new;
1392        int ret, old_setting;
1393
1394        old_setting = current_cred_xxx(jit_keyring);
1395
1396        if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE)
1397                return old_setting;
1398
1399        new = prepare_creds();
1400        if (!new)
1401                return -ENOMEM;
1402
1403        switch (reqkey_defl) {
1404        case KEY_REQKEY_DEFL_THREAD_KEYRING:
1405                ret = install_thread_keyring_to_cred(new);
1406                if (ret < 0)
1407                        goto error;
1408                goto set;
1409
1410        case KEY_REQKEY_DEFL_PROCESS_KEYRING:
1411                ret = install_process_keyring_to_cred(new);
1412                if (ret < 0)
1413                        goto error;
1414                goto set;
1415
1416        case KEY_REQKEY_DEFL_DEFAULT:
1417        case KEY_REQKEY_DEFL_SESSION_KEYRING:
1418        case KEY_REQKEY_DEFL_USER_KEYRING:
1419        case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
1420        case KEY_REQKEY_DEFL_REQUESTOR_KEYRING:
1421                goto set;
1422
1423        case KEY_REQKEY_DEFL_NO_CHANGE:
1424        case KEY_REQKEY_DEFL_GROUP_KEYRING:
1425        default:
1426                ret = -EINVAL;
1427                goto error;
1428        }
1429
1430set:
1431        new->jit_keyring = reqkey_defl;
1432        commit_creds(new);
1433        return old_setting;
1434error:
1435        abort_creds(new);
1436        return ret;
1437}
1438
1439/*
1440 * Set or clear the timeout on a key.
1441 *
1442 * Either the key must grant the caller Setattr permission or else the caller
1443 * must hold an instantiation authorisation token for the key.
1444 *
1445 * The timeout is either 0 to clear the timeout, or a number of seconds from
1446 * the current time.  The key and any links to the key will be automatically
1447 * garbage collected after the timeout expires.
1448 *
1449 * Keys with KEY_FLAG_KEEP set should not be timed out.
1450 *
1451 * If successful, 0 is returned.
1452 */
1453long keyctl_set_timeout(key_serial_t id, unsigned timeout)
1454{
1455        struct key *key, *instkey;
1456        key_ref_t key_ref;
1457        long ret;
1458
1459        key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
1460                                  KEY_NEED_SETATTR);
1461        if (IS_ERR(key_ref)) {
1462                /* setting the timeout on a key under construction is permitted
1463                 * if we have the authorisation token handy */
1464                if (PTR_ERR(key_ref) == -EACCES) {
1465                        instkey = key_get_instantiation_authkey(id);
1466                        if (!IS_ERR(instkey)) {
1467                                key_put(instkey);
1468                                key_ref = lookup_user_key(id,
1469                                                          KEY_LOOKUP_PARTIAL,
1470                                                          0);
1471                                if (!IS_ERR(key_ref))
1472                                        goto okay;
1473                        }
1474                }
1475
1476                ret = PTR_ERR(key_ref);
1477                goto error;
1478        }
1479
1480okay:
1481        key = key_ref_to_ptr(key_ref);
1482        ret = 0;
1483        if (test_bit(KEY_FLAG_KEEP, &key->flags))
1484                ret = -EPERM;
1485        else
1486                key_set_timeout(key, timeout);
1487        key_put(key);
1488
1489error:
1490        return ret;
1491}
1492
1493/*
1494 * Assume (or clear) the authority to instantiate the specified key.
1495 *
1496 * This sets the authoritative token currently in force for key instantiation.
1497 * This must be done for a key to be instantiated.  It has the effect of making
1498 * available all the keys from the caller of the request_key() that created a
1499 * key to request_key() calls made by the caller of this function.
1500 *
1501 * The caller must have the instantiation key in their process keyrings with a
1502 * Search permission grant available to the caller.
1503 *
1504 * If the ID given is 0, then the setting will be cleared and 0 returned.
1505 *
1506 * If the ID given has a matching an authorisation key, then that key will be
1507 * set and its ID will be returned.  The authorisation key can be read to get
1508 * the callout information passed to request_key().
1509 */
1510long keyctl_assume_authority(key_serial_t id)
1511{
1512        struct key *authkey;
1513        long ret;
1514
1515        /* special key IDs aren't permitted */
1516        ret = -EINVAL;
1517        if (id < 0)
1518                goto error;
1519
1520        /* we divest ourselves of authority if given an ID of 0 */
1521        if (id == 0) {
1522                ret = keyctl_change_reqkey_auth(NULL);
1523                goto error;
1524        }
1525
1526        /* attempt to assume the authority temporarily granted to us whilst we
1527         * instantiate the specified key
1528         * - the authorisation key must be in the current task's keyrings
1529         *   somewhere
1530         */
1531        authkey = key_get_instantiation_authkey(id);
1532        if (IS_ERR(authkey)) {
1533                ret = PTR_ERR(authkey);
1534                goto error;
1535        }
1536
1537        ret = keyctl_change_reqkey_auth(authkey);
1538        if (ret == 0)
1539                ret = authkey->serial;
1540        key_put(authkey);
1541error:
1542        return ret;
1543}
1544
1545/*
1546 * Get a key's the LSM security label.
1547 *
1548 * The key must grant the caller View permission for this to work.
1549 *
1550 * If there's a buffer, then up to buflen bytes of data will be placed into it.
1551 *
1552 * If successful, the amount of information available will be returned,
1553 * irrespective of how much was copied (including the terminal NUL).
1554 */
1555long keyctl_get_security(key_serial_t keyid,
1556                         char __user *buffer,
1557                         size_t buflen)
1558{
1559        struct key *key, *instkey;
1560        key_ref_t key_ref;
1561        char *context;
1562        long ret;
1563
1564        key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW);
1565        if (IS_ERR(key_ref)) {
1566                if (PTR_ERR(key_ref) != -EACCES)
1567                        return PTR_ERR(key_ref);
1568
1569                /* viewing a key under construction is also permitted if we
1570                 * have the authorisation token handy */
1571                instkey = key_get_instantiation_authkey(keyid);
1572                if (IS_ERR(instkey))
1573                        return PTR_ERR(instkey);
1574                key_put(instkey);
1575
1576                key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0);
1577                if (IS_ERR(key_ref))
1578                        return PTR_ERR(key_ref);
1579        }
1580
1581        key = key_ref_to_ptr(key_ref);
1582        ret = security_key_getsecurity(key, &context);
1583        if (ret == 0) {
1584                /* if no information was returned, give userspace an empty
1585                 * string */
1586                ret = 1;
1587                if (buffer && buflen > 0 &&
1588                    copy_to_user(buffer, "", 1) != 0)
1589                        ret = -EFAULT;
1590        } else if (ret > 0) {
1591                /* return as much data as there's room for */
1592                if (buffer && buflen > 0) {
1593                        if (buflen > ret)
1594                                buflen = ret;
1595
1596                        if (copy_to_user(buffer, context, buflen) != 0)
1597                                ret = -EFAULT;
1598                }
1599
1600                kfree(context);
1601        }
1602
1603        key_ref_put(key_ref);
1604        return ret;
1605}
1606
1607/*
1608 * Attempt to install the calling process's session keyring on the process's
1609 * parent process.
1610 *
1611 * The keyring must exist and must grant the caller LINK permission, and the
1612 * parent process must be single-threaded and must have the same effective
1613 * ownership as this process and mustn't be SUID/SGID.
1614 *
1615 * The keyring will be emplaced on the parent when it next resumes userspace.
1616 *
1617 * If successful, 0 will be returned.
1618 */
1619long keyctl_session_to_parent(void)
1620{
1621        struct task_struct *me, *parent;
1622        const struct cred *mycred, *pcred;
1623        struct callback_head *newwork, *oldwork;
1624        key_ref_t keyring_r;
1625        struct cred *cred;
1626        int ret;
1627
1628        keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK);
1629        if (IS_ERR(keyring_r))
1630                return PTR_ERR(keyring_r);
1631
1632        ret = -ENOMEM;
1633
1634        /* our parent is going to need a new cred struct, a new tgcred struct
1635         * and new security data, so we allocate them here to prevent ENOMEM in
1636         * our parent */
1637        cred = cred_alloc_blank();
1638        if (!cred)
1639                goto error_keyring;
1640        newwork = &cred->rcu;
1641
1642        cred->session_keyring = key_ref_to_ptr(keyring_r);
1643        keyring_r = NULL;
1644        init_task_work(newwork, key_change_session_keyring);
1645
1646        me = current;
1647        rcu_read_lock();
1648        write_lock_irq(&tasklist_lock);
1649
1650        ret = -EPERM;
1651        oldwork = NULL;
1652        parent = rcu_dereference_protected(me->real_parent,
1653                                           lockdep_is_held(&tasklist_lock));
1654
1655        /* the parent mustn't be init and mustn't be a kernel thread */
1656        if (parent->pid <= 1 || !parent->mm)
1657                goto unlock;
1658
1659        /* the parent must be single threaded */
1660        if (!thread_group_empty(parent))
1661                goto unlock;
1662
1663        /* the parent and the child must have different session keyrings or
1664         * there's no point */
1665        mycred = current_cred();
1666        pcred = __task_cred(parent);
1667        if (mycred == pcred ||
1668            mycred->session_keyring == pcred->session_keyring) {
1669                ret = 0;
1670                goto unlock;
1671        }
1672
1673        /* the parent must have the same effective ownership and mustn't be
1674         * SUID/SGID */
1675        if (!uid_eq(pcred->uid,  mycred->euid) ||
1676            !uid_eq(pcred->euid, mycred->euid) ||
1677            !uid_eq(pcred->suid, mycred->euid) ||
1678            !gid_eq(pcred->gid,  mycred->egid) ||
1679            !gid_eq(pcred->egid, mycred->egid) ||
1680            !gid_eq(pcred->sgid, mycred->egid))
1681                goto unlock;
1682
1683        /* the keyrings must have the same UID */
1684        if ((pcred->session_keyring &&
1685             !uid_eq(pcred->session_keyring->uid, mycred->euid)) ||
1686            !uid_eq(mycred->session_keyring->uid, mycred->euid))
1687                goto unlock;
1688
1689        /* cancel an already pending keyring replacement */
1690        oldwork = task_work_cancel(parent, key_change_session_keyring);
1691
1692        /* the replacement session keyring is applied just prior to userspace
1693         * restarting */
1694        ret = task_work_add(parent, newwork, true);
1695        if (!ret)
1696                newwork = NULL;
1697unlock:
1698        write_unlock_irq(&tasklist_lock);
1699        rcu_read_unlock();
1700        if (oldwork)
1701                put_cred(container_of(oldwork, struct cred, rcu));
1702        if (newwork)
1703                put_cred(cred);
1704        return ret;
1705
1706error_keyring:
1707        key_ref_put(keyring_r);
1708        return ret;
1709}
1710
1711/*
1712 * Apply a restriction to a given keyring.
1713 *
1714 * The caller must have Setattr permission to change keyring restrictions.
1715 *
1716 * The requested type name may be a NULL pointer to reject all attempts
1717 * to link to the keyring.  In this case, _restriction must also be NULL.
1718 * Otherwise, both _type and _restriction must be non-NULL.
1719 *
1720 * Returns 0 if successful.
1721 */
1722long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
1723                             const char __user *_restriction)
1724{
1725        key_ref_t key_ref;
1726        char type[32];
1727        char *restriction = NULL;
1728        long ret;
1729
1730        key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR);
1731        if (IS_ERR(key_ref))
1732                return PTR_ERR(key_ref);
1733
1734        ret = -EINVAL;
1735        if (_type) {
1736                if (!_restriction)
1737                        goto error;
1738
1739                ret = key_get_type_from_user(type, _type, sizeof(type));
1740                if (ret < 0)
1741                        goto error;
1742
1743                restriction = strndup_user(_restriction, PAGE_SIZE);
1744                if (IS_ERR(restriction)) {
1745                        ret = PTR_ERR(restriction);
1746                        goto error;
1747                }
1748        } else {
1749                if (_restriction)
1750                        goto error;
1751        }
1752
1753        ret = keyring_restrict(key_ref, _type ? type : NULL, restriction);
1754        kfree(restriction);
1755error:
1756        key_ref_put(key_ref);
1757        return ret;
1758}
1759
1760/*
1761 * Get keyrings subsystem capabilities.
1762 */
1763long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen)
1764{
1765        size_t size = buflen;
1766
1767        if (size > 0) {
1768                if (size > sizeof(keyrings_capabilities))
1769                        size = sizeof(keyrings_capabilities);
1770                if (copy_to_user(_buffer, keyrings_capabilities, size) != 0)
1771                        return -EFAULT;
1772                if (size < buflen &&
1773                    clear_user(_buffer + size, buflen - size) != 0)
1774                        return -EFAULT;
1775        }
1776
1777        return sizeof(keyrings_capabilities);
1778}
1779
1780/*
1781 * The key control system call
1782 */
1783SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1784                unsigned long, arg4, unsigned long, arg5)
1785{
1786        switch (option) {
1787        case KEYCTL_GET_KEYRING_ID:
1788                return keyctl_get_keyring_ID((key_serial_t) arg2,
1789                                             (int) arg3);
1790
1791        case KEYCTL_JOIN_SESSION_KEYRING:
1792                return keyctl_join_session_keyring((const char __user *) arg2);
1793
1794        case KEYCTL_UPDATE:
1795                return keyctl_update_key((key_serial_t) arg2,
1796                                         (const void __user *) arg3,
1797                                         (size_t) arg4);
1798
1799        case KEYCTL_REVOKE:
1800                return keyctl_revoke_key((key_serial_t) arg2);
1801
1802        case KEYCTL_DESCRIBE:
1803                return keyctl_describe_key((key_serial_t) arg2,
1804                                           (char __user *) arg3,
1805                                           (unsigned) arg4);
1806
1807        case KEYCTL_CLEAR:
1808                return keyctl_keyring_clear((key_serial_t) arg2);
1809
1810        case KEYCTL_LINK:
1811                return keyctl_keyring_link((key_serial_t) arg2,
1812                                           (key_serial_t) arg3);
1813
1814        case KEYCTL_UNLINK:
1815                return keyctl_keyring_unlink((key_serial_t) arg2,
1816                                             (key_serial_t) arg3);
1817
1818        case KEYCTL_SEARCH:
1819                return keyctl_keyring_search((key_serial_t) arg2,
1820                                             (const char __user *) arg3,
1821                                             (const char __user *) arg4,
1822                                             (key_serial_t) arg5);
1823
1824        case KEYCTL_READ:
1825                return keyctl_read_key((key_serial_t) arg2,
1826                                       (char __user *) arg3,
1827                                       (size_t) arg4);
1828
1829        case KEYCTL_CHOWN:
1830                return keyctl_chown_key((key_serial_t) arg2,
1831                                        (uid_t) arg3,
1832                                        (gid_t) arg4);
1833
1834        case KEYCTL_SETPERM:
1835                return keyctl_setperm_key((key_serial_t) arg2,
1836                                          (key_perm_t) arg3);
1837
1838        case KEYCTL_INSTANTIATE:
1839                return keyctl_instantiate_key((key_serial_t) arg2,
1840                                              (const void __user *) arg3,
1841                                              (size_t) arg4,
1842                                              (key_serial_t) arg5);
1843
1844        case KEYCTL_NEGATE:
1845                return keyctl_negate_key((key_serial_t) arg2,
1846                                         (unsigned) arg3,
1847                                         (key_serial_t) arg4);
1848
1849        case KEYCTL_SET_REQKEY_KEYRING:
1850                return keyctl_set_reqkey_keyring(arg2);
1851
1852        case KEYCTL_SET_TIMEOUT:
1853                return keyctl_set_timeout((key_serial_t) arg2,
1854                                          (unsigned) arg3);
1855
1856        case KEYCTL_ASSUME_AUTHORITY:
1857                return keyctl_assume_authority((key_serial_t) arg2);
1858
1859        case KEYCTL_GET_SECURITY:
1860                return keyctl_get_security((key_serial_t) arg2,
1861                                           (char __user *) arg3,
1862                                           (size_t) arg4);
1863
1864        case KEYCTL_SESSION_TO_PARENT:
1865                return keyctl_session_to_parent();
1866
1867        case KEYCTL_REJECT:
1868                return keyctl_reject_key((key_serial_t) arg2,
1869                                         (unsigned) arg3,
1870                                         (unsigned) arg4,
1871                                         (key_serial_t) arg5);
1872
1873        case KEYCTL_INSTANTIATE_IOV:
1874                return keyctl_instantiate_key_iov(
1875                        (key_serial_t) arg2,
1876                        (const struct iovec __user *) arg3,
1877                        (unsigned) arg4,
1878                        (key_serial_t) arg5);
1879
1880        case KEYCTL_INVALIDATE:
1881                return keyctl_invalidate_key((key_serial_t) arg2);
1882
1883        case KEYCTL_GET_PERSISTENT:
1884                return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3);
1885
1886        case KEYCTL_DH_COMPUTE:
1887                return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2,
1888                                         (char __user *) arg3, (size_t) arg4,
1889                                         (struct keyctl_kdf_params __user *) arg5);
1890
1891        case KEYCTL_RESTRICT_KEYRING:
1892                return keyctl_restrict_keyring((key_serial_t) arg2,
1893                                               (const char __user *) arg3,
1894                                               (const char __user *) arg4);
1895
1896        case KEYCTL_PKEY_QUERY:
1897                if (arg3 != 0)
1898                        return -EINVAL;
1899                return keyctl_pkey_query((key_serial_t)arg2,
1900                                         (const char __user *)arg4,
1901                                         (struct keyctl_pkey_query __user *)arg5);
1902
1903        case KEYCTL_PKEY_ENCRYPT:
1904        case KEYCTL_PKEY_DECRYPT:
1905        case KEYCTL_PKEY_SIGN:
1906                return keyctl_pkey_e_d_s(
1907                        option,
1908                        (const struct keyctl_pkey_params __user *)arg2,
1909                        (const char __user *)arg3,
1910                        (const void __user *)arg4,
1911                        (void __user *)arg5);
1912
1913        case KEYCTL_PKEY_VERIFY:
1914                return keyctl_pkey_verify(
1915                        (const struct keyctl_pkey_params __user *)arg2,
1916                        (const char __user *)arg3,
1917                        (const void __user *)arg4,
1918                        (const void __user *)arg5);
1919
1920        case KEYCTL_MOVE:
1921                return keyctl_keyring_move((key_serial_t)arg2,
1922                                           (key_serial_t)arg3,
1923                                           (key_serial_t)arg4,
1924                                           (unsigned int)arg5);
1925
1926        case KEYCTL_CAPABILITIES:
1927                return keyctl_capabilities((unsigned char __user *)arg2, (size_t)arg3);
1928
1929        default:
1930                return -EOPNOTSUPP;
1931        }
1932}
1933