include/linux/key.h at v2.6.14 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / include / linux / key.h
at v2.6.14 11 kB view raw
  1/* key.h: authentication token and access key management
  2 *
  3 * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
  4 * Written by David Howells (dhowells@redhat.com)
  5 *
  6 * This program is free software; you can redistribute it and/or
  7 * modify it under the terms of the GNU General Public License
  8 * as published by the Free Software Foundation; either version
  9 * 2 of the License, or (at your option) any later version.
 10 *
 11 *
 12 * See Documentation/keys.txt for information on keys/keyrings.
 13 */
 14
 15#ifndef _LINUX_KEY_H
 16#define _LINUX_KEY_H
 17
 18#include <linux/types.h>
 19#include <linux/list.h>
 20#include <linux/rbtree.h>
 21#include <linux/rcupdate.h>
 22#include <asm/atomic.h>
 23
 24#ifdef __KERNEL__
 25
 26/* key handle serial number */
 27typedef int32_t key_serial_t;
 28
 29/* key handle permissions mask */
 30typedef uint32_t key_perm_t;
 31
 32struct key;
 33
 34#ifdef CONFIG_KEYS
 35
 36#undef KEY_DEBUGGING
 37
 38#define KEY_POS_VIEW	0x01000000	/* possessor can view a key's attributes */
 39#define KEY_POS_READ	0x02000000	/* possessor can read key payload / view keyring */
 40#define KEY_POS_WRITE	0x04000000	/* possessor can update key payload / add link to keyring */
 41#define KEY_POS_SEARCH	0x08000000	/* possessor can find a key in search / search a keyring */
 42#define KEY_POS_LINK	0x10000000	/* possessor can create a link to a key/keyring */
 43#define KEY_POS_ALL	0x1f000000
 44
 45#define KEY_USR_VIEW	0x00010000	/* user permissions... */
 46#define KEY_USR_READ	0x00020000
 47#define KEY_USR_WRITE	0x00040000
 48#define KEY_USR_SEARCH	0x00080000
 49#define KEY_USR_LINK	0x00100000
 50#define KEY_USR_ALL	0x001f0000
 51
 52#define KEY_GRP_VIEW	0x00000100	/* group permissions... */
 53#define KEY_GRP_READ	0x00000200
 54#define KEY_GRP_WRITE	0x00000400
 55#define KEY_GRP_SEARCH	0x00000800
 56#define KEY_GRP_LINK	0x00001000
 57#define KEY_GRP_ALL	0x00001f00
 58
 59#define KEY_OTH_VIEW	0x00000001	/* third party permissions... */
 60#define KEY_OTH_READ	0x00000002
 61#define KEY_OTH_WRITE	0x00000004
 62#define KEY_OTH_SEARCH	0x00000008
 63#define KEY_OTH_LINK	0x00000010
 64#define KEY_OTH_ALL	0x0000001f
 65
 66struct seq_file;
 67struct user_struct;
 68struct signal_struct;
 69
 70struct key_type;
 71struct key_owner;
 72struct keyring_list;
 73struct keyring_name;
 74
 75/*****************************************************************************/
 76/*
 77 * key reference with possession attribute handling
 78 *
 79 * NOTE! key_ref_t is a typedef'd pointer to a type that is not actually
 80 * defined. This is because we abuse the bottom bit of the reference to carry a
 81 * flag to indicate whether the calling process possesses that key in one of
 82 * its keyrings.
 83 *
 84 * the key_ref_t has been made a separate type so that the compiler can reject
 85 * attempts to dereference it without proper conversion.
 86 *
 87 * the three functions are used to assemble and disassemble references
 88 */
 89typedef struct __key_reference_with_attributes *key_ref_t;
 90
 91static inline key_ref_t make_key_ref(const struct key *key,
 92				     unsigned long possession)
 93{
 94	return (key_ref_t) ((unsigned long) key | possession);
 95}
 96
 97static inline struct key *key_ref_to_ptr(const key_ref_t key_ref)
 98{
 99	return (struct key *) ((unsigned long) key_ref & ~1UL);
100}
101
102static inline unsigned long is_key_possessed(const key_ref_t key_ref)
103{
104	return (unsigned long) key_ref & 1UL;
105}
106
107/*****************************************************************************/
108/*
109 * authentication token / access credential / keyring
110 * - types of key include:
111 *   - keyrings
112 *   - disk encryption IDs
113 *   - Kerberos TGTs and tickets
114 */
115struct key {
116	atomic_t		usage;		/* number of references */
117	key_serial_t		serial;		/* key serial number */
118	struct rb_node		serial_node;
119	struct key_type		*type;		/* type of key */
120	struct rw_semaphore	sem;		/* change vs change sem */
121	struct key_user		*user;		/* owner of this key */
122	time_t			expiry;		/* time at which key expires (or 0) */
123	uid_t			uid;
124	gid_t			gid;
125	key_perm_t		perm;		/* access permissions */
126	unsigned short		quotalen;	/* length added to quota */
127	unsigned short		datalen;	/* payload data length
128						 * - may not match RCU dereferenced payload
129						 * - payload should contain own length
130						 */
131
132#ifdef KEY_DEBUGGING
133	unsigned		magic;
134#define KEY_DEBUG_MAGIC		0x18273645u
135#define KEY_DEBUG_MAGIC_X	0xf8e9dacbu
136#endif
137
138	unsigned long		flags;		/* status flags (change with bitops) */
139#define KEY_FLAG_INSTANTIATED	0	/* set if key has been instantiated */
140#define KEY_FLAG_DEAD		1	/* set if key type has been deleted */
141#define KEY_FLAG_REVOKED	2	/* set if key had been revoked */
142#define KEY_FLAG_IN_QUOTA	3	/* set if key consumes quota */
143#define KEY_FLAG_USER_CONSTRUCT	4	/* set if key is being constructed in userspace */
144#define KEY_FLAG_NEGATIVE	5	/* set if key is negative */
145
146	/* the description string
147	 * - this is used to match a key against search criteria
148	 * - this should be a printable string
149	 * - eg: for krb5 AFS, this might be "afs@REDHAT.COM"
150	 */
151	char			*description;
152
153	/* type specific data
154	 * - this is used by the keyring type to index the name
155	 */
156	union {
157		struct list_head	link;
158	} type_data;
159
160	/* key data
161	 * - this is used to hold the data actually used in cryptography or
162	 *   whatever
163	 */
164	union {
165		unsigned long		value;
166		void			*data;
167		struct keyring_list	*subscriptions;
168	} payload;
169};
170
171/*****************************************************************************/
172/*
173 * kernel managed key type definition
174 */
175struct key_type {
176	/* name of the type */
177	const char *name;
178
179	/* default payload length for quota precalculation (optional)
180	 * - this can be used instead of calling key_payload_reserve(), that
181	 *   function only needs to be called if the real datalen is different
182	 */
183	size_t def_datalen;
184
185	/* instantiate a key of this type
186	 * - this method should call key_payload_reserve() to determine if the
187	 *   user's quota will hold the payload
188	 */
189	int (*instantiate)(struct key *key, const void *data, size_t datalen);
190
191	/* duplicate a key of this type (optional)
192	 * - the source key will be locked against change
193	 * - the new description will be attached
194	 * - the quota will have been adjusted automatically from
195	 *   source->quotalen
196	 */
197	int (*duplicate)(struct key *key, const struct key *source);
198
199	/* update a key of this type (optional)
200	 * - this method should call key_payload_reserve() to recalculate the
201	 *   quota consumption
202	 * - the key must be locked against read when modifying
203	 */
204	int (*update)(struct key *key, const void *data, size_t datalen);
205
206	/* match a key against a description */
207	int (*match)(const struct key *key, const void *desc);
208
209	/* clear the data from a key (optional) */
210	void (*destroy)(struct key *key);
211
212	/* describe a key */
213	void (*describe)(const struct key *key, struct seq_file *p);
214
215	/* read a key's data (optional)
216	 * - permission checks will be done by the caller
217	 * - the key's semaphore will be readlocked by the caller
218	 * - should return the amount of data that could be read, no matter how
219	 *   much is copied into the buffer
220	 * - shouldn't do the copy if the buffer is NULL
221	 */
222	long (*read)(const struct key *key, char __user *buffer, size_t buflen);
223
224	/* internal fields */
225	struct list_head	link;		/* link in types list */
226};
227
228extern struct key_type key_type_keyring;
229
230extern int register_key_type(struct key_type *ktype);
231extern void unregister_key_type(struct key_type *ktype);
232
233extern struct key *key_alloc(struct key_type *type,
234			     const char *desc,
235			     uid_t uid, gid_t gid, key_perm_t perm,
236			     int not_in_quota);
237extern int key_payload_reserve(struct key *key, size_t datalen);
238extern int key_instantiate_and_link(struct key *key,
239				    const void *data,
240				    size_t datalen,
241				    struct key *keyring,
242				    struct key *instkey);
243extern int key_negate_and_link(struct key *key,
244			       unsigned timeout,
245			       struct key *keyring,
246			       struct key *instkey);
247extern void key_revoke(struct key *key);
248extern void key_put(struct key *key);
249
250static inline struct key *key_get(struct key *key)
251{
252	if (key)
253		atomic_inc(&key->usage);
254	return key;
255}
256
257static inline void key_ref_put(key_ref_t key_ref)
258{
259	key_put(key_ref_to_ptr(key_ref));
260}
261
262extern struct key *request_key(struct key_type *type,
263			       const char *description,
264			       const char *callout_info);
265
266extern int key_validate(struct key *key);
267
268extern key_ref_t key_create_or_update(key_ref_t keyring,
269				      const char *type,
270				      const char *description,
271				      const void *payload,
272				      size_t plen,
273				      int not_in_quota);
274
275extern int key_update(key_ref_t key,
276		      const void *payload,
277		      size_t plen);
278
279extern int key_link(struct key *keyring,
280		    struct key *key);
281
282extern int key_unlink(struct key *keyring,
283		      struct key *key);
284
285extern struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
286				 int not_in_quota, struct key *dest);
287
288extern int keyring_clear(struct key *keyring);
289
290extern key_ref_t keyring_search(key_ref_t keyring,
291				struct key_type *type,
292				const char *description);
293
294extern int keyring_add_key(struct key *keyring,
295			   struct key *key);
296
297extern struct key *key_lookup(key_serial_t id);
298
299extern void keyring_replace_payload(struct key *key, void *replacement);
300
301#define key_serial(key) ((key) ? (key)->serial : 0)
302
303/*
304 * the userspace interface
305 */
306extern struct key root_user_keyring, root_session_keyring;
307extern int alloc_uid_keyring(struct user_struct *user);
308extern void switch_uid_keyring(struct user_struct *new_user);
309extern int copy_keys(unsigned long clone_flags, struct task_struct *tsk);
310extern int copy_thread_group_keys(struct task_struct *tsk);
311extern void exit_keys(struct task_struct *tsk);
312extern void exit_thread_group_keys(struct signal_struct *tg);
313extern int suid_keys(struct task_struct *tsk);
314extern int exec_keys(struct task_struct *tsk);
315extern void key_fsuid_changed(struct task_struct *tsk);
316extern void key_fsgid_changed(struct task_struct *tsk);
317extern void key_init(void);
318
319#define __install_session_keyring(tsk, keyring)			\
320({								\
321	struct key *old_session = tsk->signal->session_keyring;	\
322	tsk->signal->session_keyring = keyring;			\
323	old_session;						\
324})
325
326#else /* CONFIG_KEYS */
327
328#define key_validate(k)			0
329#define key_serial(k)			0
330#define key_get(k) 			({ NULL; })
331#define key_put(k)			do { } while(0)
332#define key_ref_put(k)			do { } while(0)
333#define make_key_ref(k)			({ NULL; })
334#define key_ref_to_ptr(k)		({ NULL; })
335#define is_key_possessed(k)		0
336#define alloc_uid_keyring(u)		0
337#define switch_uid_keyring(u)		do { } while(0)
338#define __install_session_keyring(t, k)	({ NULL; })
339#define copy_keys(f,t)			0
340#define copy_thread_group_keys(t)	0
341#define exit_keys(t)			do { } while(0)
342#define exit_thread_group_keys(tg)	do { } while(0)
343#define suid_keys(t)			do { } while(0)
344#define exec_keys(t)			do { } while(0)
345#define key_fsuid_changed(t)		do { } while(0)
346#define key_fsgid_changed(t)		do { } while(0)
347#define key_init()			do { } while(0)
348
349#endif /* CONFIG_KEYS */
350#endif /* __KERNEL__ */
351#endif /* _LINUX_KEY_H */