tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / security / keys / keyctl.c
at v2.6.29-rc2 1304 lines 30 kB view raw
1/* keyctl.c: userspace keyctl operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12#include <linux/module.h> 13#include <linux/init.h> 14#include <linux/sched.h> 15#include <linux/slab.h> 16#include <linux/syscalls.h> 17#include <linux/keyctl.h> 18#include <linux/fs.h> 19#include <linux/capability.h> 20#include <linux/string.h> 21#include <linux/err.h> 22#include <linux/vmalloc.h> 23#include <linux/security.h> 24#include <asm/uaccess.h> 25#include "internal.h" 26 27static int key_get_type_from_user(char *type, 28 const char __user *_type, 29 unsigned len) 30{ 31 int ret; 32 33 ret = strncpy_from_user(type, _type, len); 34 35 if (ret < 0) 36 return -EFAULT; 37 38 if (ret == 0 || ret >= len) 39 return -EINVAL; 40 41 if (type[0] == '.') 42 return -EPERM; 43 44 type[len - 1] = '\0'; 45 46 return 0; 47} 48 49/*****************************************************************************/ 50/* 51 * extract the description of a new key from userspace and either add it as a 52 * new key to the specified keyring or update a matching key in that keyring 53 * - the keyring must be writable 54 * - returns the new key's serial number 55 * - implements add_key() 56 */ 57SYSCALL_DEFINE5(add_key, const char __user *, _type, 58 const char __user *, _description, 59 const void __user *, _payload, 60 size_t, plen, 61 key_serial_t, ringid) 62{ 63 key_ref_t keyring_ref, key_ref; 64 char type[32], *description; 65 void *payload; 66 long ret; 67 bool vm; 68 69 ret = -EINVAL; 70 if (plen > 1024 * 1024 - 1) 71 goto error; 72 73 /* draw all the data into kernel space */ 74 ret = key_get_type_from_user(type, _type, sizeof(type)); 75 if (ret < 0) 76 goto error; 77 78 description = strndup_user(_description, PAGE_SIZE); 79 if (IS_ERR(description)) { 80 ret = PTR_ERR(description); 81 goto error; 82 } 83 84 /* pull the payload in if one was supplied */ 85 payload = NULL; 86 87 vm = false; 88 if (_payload) { 89 ret = -ENOMEM; 90 payload = kmalloc(plen, GFP_KERNEL); 91 if (!payload) { 92 if (plen <= PAGE_SIZE) 93 goto error2; 94 vm = true; 95 payload = vmalloc(plen); 96 if (!payload) 97 goto error2; 98 } 99 100 ret = -EFAULT; 101 if (copy_from_user(payload, _payload, plen) != 0) 102 goto error3; 103 } 104 105 /* find the target keyring (which must be writable) */ 106 keyring_ref = lookup_user_key(ringid, 1, 0, KEY_WRITE); 107 if (IS_ERR(keyring_ref)) { 108 ret = PTR_ERR(keyring_ref); 109 goto error3; 110 } 111 112 /* create or update the requested key and add it to the target 113 * keyring */ 114 key_ref = key_create_or_update(keyring_ref, type, description, 115 payload, plen, KEY_PERM_UNDEF, 116 KEY_ALLOC_IN_QUOTA); 117 if (!IS_ERR(key_ref)) { 118 ret = key_ref_to_ptr(key_ref)->serial; 119 key_ref_put(key_ref); 120 } 121 else { 122 ret = PTR_ERR(key_ref); 123 } 124 125 key_ref_put(keyring_ref); 126 error3: 127 if (!vm) 128 kfree(payload); 129 else 130 vfree(payload); 131 error2: 132 kfree(description); 133 error: 134 return ret; 135 136} /* end sys_add_key() */ 137 138/*****************************************************************************/ 139/* 140 * search the process keyrings for a matching key 141 * - nested keyrings may also be searched if they have Search permission 142 * - if a key is found, it will be attached to the destination keyring if 143 * there's one specified 144 * - /sbin/request-key will be invoked if _callout_info is non-NULL 145 * - the _callout_info string will be passed to /sbin/request-key 146 * - if the _callout_info string is empty, it will be rendered as "-" 147 * - implements request_key() 148 */ 149SYSCALL_DEFINE4(request_key, const char __user *, _type, 150 const char __user *, _description, 151 const char __user *, _callout_info, 152 key_serial_t, destringid) 153{ 154 struct key_type *ktype; 155 struct key *key; 156 key_ref_t dest_ref; 157 size_t callout_len; 158 char type[32], *description, *callout_info; 159 long ret; 160 161 /* pull the type into kernel space */ 162 ret = key_get_type_from_user(type, _type, sizeof(type)); 163 if (ret < 0) 164 goto error; 165 166 /* pull the description into kernel space */ 167 description = strndup_user(_description, PAGE_SIZE); 168 if (IS_ERR(description)) { 169 ret = PTR_ERR(description); 170 goto error; 171 } 172 173 /* pull the callout info into kernel space */ 174 callout_info = NULL; 175 callout_len = 0; 176 if (_callout_info) { 177 callout_info = strndup_user(_callout_info, PAGE_SIZE); 178 if (IS_ERR(callout_info)) { 179 ret = PTR_ERR(callout_info); 180 goto error2; 181 } 182 callout_len = strlen(callout_info); 183 } 184 185 /* get the destination keyring if specified */ 186 dest_ref = NULL; 187 if (destringid) { 188 dest_ref = lookup_user_key(destringid, 1, 0, KEY_WRITE); 189 if (IS_ERR(dest_ref)) { 190 ret = PTR_ERR(dest_ref); 191 goto error3; 192 } 193 } 194 195 /* find the key type */ 196 ktype = key_type_lookup(type); 197 if (IS_ERR(ktype)) { 198 ret = PTR_ERR(ktype); 199 goto error4; 200 } 201 202 /* do the search */ 203 key = request_key_and_link(ktype, description, callout_info, 204 callout_len, NULL, key_ref_to_ptr(dest_ref), 205 KEY_ALLOC_IN_QUOTA); 206 if (IS_ERR(key)) { 207 ret = PTR_ERR(key); 208 goto error5; 209 } 210 211 ret = key->serial; 212 213 key_put(key); 214 error5: 215 key_type_put(ktype); 216 error4: 217 key_ref_put(dest_ref); 218 error3: 219 kfree(callout_info); 220 error2: 221 kfree(description); 222 error: 223 return ret; 224 225} /* end sys_request_key() */ 226 227/*****************************************************************************/ 228/* 229 * get the ID of the specified process keyring 230 * - the keyring must have search permission to be found 231 * - implements keyctl(KEYCTL_GET_KEYRING_ID) 232 */ 233long keyctl_get_keyring_ID(key_serial_t id, int create) 234{ 235 key_ref_t key_ref; 236 long ret; 237 238 key_ref = lookup_user_key(id, create, 0, KEY_SEARCH); 239 if (IS_ERR(key_ref)) { 240 ret = PTR_ERR(key_ref); 241 goto error; 242 } 243 244 ret = key_ref_to_ptr(key_ref)->serial; 245 key_ref_put(key_ref); 246 error: 247 return ret; 248 249} /* end keyctl_get_keyring_ID() */ 250 251/*****************************************************************************/ 252/* 253 * join the session keyring 254 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING) 255 */ 256long keyctl_join_session_keyring(const char __user *_name) 257{ 258 char *name; 259 long ret; 260 261 /* fetch the name from userspace */ 262 name = NULL; 263 if (_name) { 264 name = strndup_user(_name, PAGE_SIZE); 265 if (IS_ERR(name)) { 266 ret = PTR_ERR(name); 267 goto error; 268 } 269 } 270 271 /* join the session */ 272 ret = join_session_keyring(name); 273 274 error: 275 return ret; 276 277} /* end keyctl_join_session_keyring() */ 278 279/*****************************************************************************/ 280/* 281 * update a key's data payload 282 * - the key must be writable 283 * - implements keyctl(KEYCTL_UPDATE) 284 */ 285long keyctl_update_key(key_serial_t id, 286 const void __user *_payload, 287 size_t plen) 288{ 289 key_ref_t key_ref; 290 void *payload; 291 long ret; 292 293 ret = -EINVAL; 294 if (plen > PAGE_SIZE) 295 goto error; 296 297 /* pull the payload in if one was supplied */ 298 payload = NULL; 299 if (_payload) { 300 ret = -ENOMEM; 301 payload = kmalloc(plen, GFP_KERNEL); 302 if (!payload) 303 goto error; 304 305 ret = -EFAULT; 306 if (copy_from_user(payload, _payload, plen) != 0) 307 goto error2; 308 } 309 310 /* find the target key (which must be writable) */ 311 key_ref = lookup_user_key(id, 0, 0, KEY_WRITE); 312 if (IS_ERR(key_ref)) { 313 ret = PTR_ERR(key_ref); 314 goto error2; 315 } 316 317 /* update the key */ 318 ret = key_update(key_ref, payload, plen); 319 320 key_ref_put(key_ref); 321 error2: 322 kfree(payload); 323 error: 324 return ret; 325 326} /* end keyctl_update_key() */ 327 328/*****************************************************************************/ 329/* 330 * revoke a key 331 * - the key must be writable 332 * - implements keyctl(KEYCTL_REVOKE) 333 */ 334long keyctl_revoke_key(key_serial_t id) 335{ 336 key_ref_t key_ref; 337 long ret; 338 339 key_ref = lookup_user_key(id, 0, 0, KEY_WRITE); 340 if (IS_ERR(key_ref)) { 341 ret = PTR_ERR(key_ref); 342 goto error; 343 } 344 345 key_revoke(key_ref_to_ptr(key_ref)); 346 ret = 0; 347 348 key_ref_put(key_ref); 349 error: 350 return ret; 351 352} /* end keyctl_revoke_key() */ 353 354/*****************************************************************************/ 355/* 356 * clear the specified process keyring 357 * - the keyring must be writable 358 * - implements keyctl(KEYCTL_CLEAR) 359 */ 360long keyctl_keyring_clear(key_serial_t ringid) 361{ 362 key_ref_t keyring_ref; 363 long ret; 364 365 keyring_ref = lookup_user_key(ringid, 1, 0, KEY_WRITE); 366 if (IS_ERR(keyring_ref)) { 367 ret = PTR_ERR(keyring_ref); 368 goto error; 369 } 370 371 ret = keyring_clear(key_ref_to_ptr(keyring_ref)); 372 373 key_ref_put(keyring_ref); 374 error: 375 return ret; 376 377} /* end keyctl_keyring_clear() */ 378 379/*****************************************************************************/ 380/* 381 * link a key into a keyring 382 * - the keyring must be writable 383 * - the key must be linkable 384 * - implements keyctl(KEYCTL_LINK) 385 */ 386long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 387{ 388 key_ref_t keyring_ref, key_ref; 389 long ret; 390 391 keyring_ref = lookup_user_key(ringid, 1, 0, KEY_WRITE); 392 if (IS_ERR(keyring_ref)) { 393 ret = PTR_ERR(keyring_ref); 394 goto error; 395 } 396 397 key_ref = lookup_user_key(id, 1, 0, KEY_LINK); 398 if (IS_ERR(key_ref)) { 399 ret = PTR_ERR(key_ref); 400 goto error2; 401 } 402 403 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 404 405 key_ref_put(key_ref); 406 error2: 407 key_ref_put(keyring_ref); 408 error: 409 return ret; 410 411} /* end keyctl_keyring_link() */ 412 413/*****************************************************************************/ 414/* 415 * unlink the first attachment of a key from a keyring 416 * - the keyring must be writable 417 * - we don't need any permissions on the key 418 * - implements keyctl(KEYCTL_UNLINK) 419 */ 420long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 421{ 422 key_ref_t keyring_ref, key_ref; 423 long ret; 424 425 keyring_ref = lookup_user_key(ringid, 0, 0, KEY_WRITE); 426 if (IS_ERR(keyring_ref)) { 427 ret = PTR_ERR(keyring_ref); 428 goto error; 429 } 430 431 key_ref = lookup_user_key(id, 0, 0, 0); 432 if (IS_ERR(key_ref)) { 433 ret = PTR_ERR(key_ref); 434 goto error2; 435 } 436 437 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 438 439 key_ref_put(key_ref); 440 error2: 441 key_ref_put(keyring_ref); 442 error: 443 return ret; 444 445} /* end keyctl_keyring_unlink() */ 446 447/*****************************************************************************/ 448/* 449 * describe a user key 450 * - the key must have view permission 451 * - if there's a buffer, we place up to buflen bytes of data into it 452 * - unless there's an error, we return the amount of description available, 453 * irrespective of how much we may have copied 454 * - the description is formatted thus: 455 * type;uid;gid;perm;description<NUL> 456 * - implements keyctl(KEYCTL_DESCRIBE) 457 */ 458long keyctl_describe_key(key_serial_t keyid, 459 char __user *buffer, 460 size_t buflen) 461{ 462 struct key *key, *instkey; 463 key_ref_t key_ref; 464 char *tmpbuf; 465 long ret; 466 467 key_ref = lookup_user_key(keyid, 0, 1, KEY_VIEW); 468 if (IS_ERR(key_ref)) { 469 /* viewing a key under construction is permitted if we have the 470 * authorisation token handy */ 471 if (PTR_ERR(key_ref) == -EACCES) { 472 instkey = key_get_instantiation_authkey(keyid); 473 if (!IS_ERR(instkey)) { 474 key_put(instkey); 475 key_ref = lookup_user_key(keyid, 476 0, 1, 0); 477 if (!IS_ERR(key_ref)) 478 goto okay; 479 } 480 } 481 482 ret = PTR_ERR(key_ref); 483 goto error; 484 } 485 486okay: 487 /* calculate how much description we're going to return */ 488 ret = -ENOMEM; 489 tmpbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); 490 if (!tmpbuf) 491 goto error2; 492 493 key = key_ref_to_ptr(key_ref); 494 495 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 496 "%s;%d;%d;%08x;%s", 497 key_ref_to_ptr(key_ref)->type->name, 498 key_ref_to_ptr(key_ref)->uid, 499 key_ref_to_ptr(key_ref)->gid, 500 key_ref_to_ptr(key_ref)->perm, 501 key_ref_to_ptr(key_ref)->description ? 502 key_ref_to_ptr(key_ref)->description : "" 503 ); 504 505 /* include a NUL char at the end of the data */ 506 if (ret > PAGE_SIZE - 1) 507 ret = PAGE_SIZE - 1; 508 tmpbuf[ret] = 0; 509 ret++; 510 511 /* consider returning the data */ 512 if (buffer && buflen > 0) { 513 if (buflen > ret) 514 buflen = ret; 515 516 if (copy_to_user(buffer, tmpbuf, buflen) != 0) 517 ret = -EFAULT; 518 } 519 520 kfree(tmpbuf); 521 error2: 522 key_ref_put(key_ref); 523 error: 524 return ret; 525 526} /* end keyctl_describe_key() */ 527 528/*****************************************************************************/ 529/* 530 * search the specified keyring for a matching key 531 * - the start keyring must be searchable 532 * - nested keyrings may also be searched if they are searchable 533 * - only keys with search permission may be found 534 * - if a key is found, it will be attached to the destination keyring if 535 * there's one specified 536 * - implements keyctl(KEYCTL_SEARCH) 537 */ 538long keyctl_keyring_search(key_serial_t ringid, 539 const char __user *_type, 540 const char __user *_description, 541 key_serial_t destringid) 542{ 543 struct key_type *ktype; 544 key_ref_t keyring_ref, key_ref, dest_ref; 545 char type[32], *description; 546 long ret; 547 548 /* pull the type and description into kernel space */ 549 ret = key_get_type_from_user(type, _type, sizeof(type)); 550 if (ret < 0) 551 goto error; 552 553 description = strndup_user(_description, PAGE_SIZE); 554 if (IS_ERR(description)) { 555 ret = PTR_ERR(description); 556 goto error; 557 } 558 559 /* get the keyring at which to begin the search */ 560 keyring_ref = lookup_user_key(ringid, 0, 0, KEY_SEARCH); 561 if (IS_ERR(keyring_ref)) { 562 ret = PTR_ERR(keyring_ref); 563 goto error2; 564 } 565 566 /* get the destination keyring if specified */ 567 dest_ref = NULL; 568 if (destringid) { 569 dest_ref = lookup_user_key(destringid, 1, 0, KEY_WRITE); 570 if (IS_ERR(dest_ref)) { 571 ret = PTR_ERR(dest_ref); 572 goto error3; 573 } 574 } 575 576 /* find the key type */ 577 ktype = key_type_lookup(type); 578 if (IS_ERR(ktype)) { 579 ret = PTR_ERR(ktype); 580 goto error4; 581 } 582 583 /* do the search */ 584 key_ref = keyring_search(keyring_ref, ktype, description); 585 if (IS_ERR(key_ref)) { 586 ret = PTR_ERR(key_ref); 587 588 /* treat lack or presence of a negative key the same */ 589 if (ret == -EAGAIN) 590 ret = -ENOKEY; 591 goto error5; 592 } 593 594 /* link the resulting key to the destination keyring if we can */ 595 if (dest_ref) { 596 ret = key_permission(key_ref, KEY_LINK); 597 if (ret < 0) 598 goto error6; 599 600 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 601 if (ret < 0) 602 goto error6; 603 } 604 605 ret = key_ref_to_ptr(key_ref)->serial; 606 607 error6: 608 key_ref_put(key_ref); 609 error5: 610 key_type_put(ktype); 611 error4: 612 key_ref_put(dest_ref); 613 error3: 614 key_ref_put(keyring_ref); 615 error2: 616 kfree(description); 617 error: 618 return ret; 619 620} /* end keyctl_keyring_search() */ 621 622/*****************************************************************************/ 623/* 624 * read a user key's payload 625 * - the keyring must be readable or the key must be searchable from the 626 * process's keyrings 627 * - if there's a buffer, we place up to buflen bytes of data into it 628 * - unless there's an error, we return the amount of data in the key, 629 * irrespective of how much we may have copied 630 * - implements keyctl(KEYCTL_READ) 631 */ 632long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 633{ 634 struct key *key; 635 key_ref_t key_ref; 636 long ret; 637 638 /* find the key first */ 639 key_ref = lookup_user_key(keyid, 0, 0, 0); 640 if (IS_ERR(key_ref)) { 641 ret = -ENOKEY; 642 goto error; 643 } 644 645 key = key_ref_to_ptr(key_ref); 646 647 /* see if we can read it directly */ 648 ret = key_permission(key_ref, KEY_READ); 649 if (ret == 0) 650 goto can_read_key; 651 if (ret != -EACCES) 652 goto error; 653 654 /* we can't; see if it's searchable from this process's keyrings 655 * - we automatically take account of the fact that it may be 656 * dangling off an instantiation key 657 */ 658 if (!is_key_possessed(key_ref)) { 659 ret = -EACCES; 660 goto error2; 661 } 662 663 /* the key is probably readable - now try to read it */ 664 can_read_key: 665 ret = key_validate(key); 666 if (ret == 0) { 667 ret = -EOPNOTSUPP; 668 if (key->type->read) { 669 /* read the data with the semaphore held (since we 670 * might sleep) */ 671 down_read(&key->sem); 672 ret = key->type->read(key, buffer, buflen); 673 up_read(&key->sem); 674 } 675 } 676 677 error2: 678 key_put(key); 679 error: 680 return ret; 681 682} /* end keyctl_read_key() */ 683 684/*****************************************************************************/ 685/* 686 * change the ownership of a key 687 * - the keyring owned by the changer 688 * - if the uid or gid is -1, then that parameter is not changed 689 * - implements keyctl(KEYCTL_CHOWN) 690 */ 691long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 692{ 693 struct key_user *newowner, *zapowner = NULL; 694 struct key *key; 695 key_ref_t key_ref; 696 long ret; 697 698 ret = 0; 699 if (uid == (uid_t) -1 && gid == (gid_t) -1) 700 goto error; 701 702 key_ref = lookup_user_key(id, 1, 1, KEY_SETATTR); 703 if (IS_ERR(key_ref)) { 704 ret = PTR_ERR(key_ref); 705 goto error; 706 } 707 708 key = key_ref_to_ptr(key_ref); 709 710 /* make the changes with the locks held to prevent chown/chown races */ 711 ret = -EACCES; 712 down_write(&key->sem); 713 714 if (!capable(CAP_SYS_ADMIN)) { 715 /* only the sysadmin can chown a key to some other UID */ 716 if (uid != (uid_t) -1 && key->uid != uid) 717 goto error_put; 718 719 /* only the sysadmin can set the key's GID to a group other 720 * than one of those that the current process subscribes to */ 721 if (gid != (gid_t) -1 && gid != key->gid && !in_group_p(gid)) 722 goto error_put; 723 } 724 725 /* change the UID */ 726 if (uid != (uid_t) -1 && uid != key->uid) { 727 ret = -ENOMEM; 728 newowner = key_user_lookup(uid); 729 if (!newowner) 730 goto error_put; 731 732 /* transfer the quota burden to the new user */ 733 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 734 unsigned maxkeys = (uid == 0) ? 735 key_quota_root_maxkeys : key_quota_maxkeys; 736 unsigned maxbytes = (uid == 0) ? 737 key_quota_root_maxbytes : key_quota_maxbytes; 738 739 spin_lock(&newowner->lock); 740 if (newowner->qnkeys + 1 >= maxkeys || 741 newowner->qnbytes + key->quotalen >= maxbytes || 742 newowner->qnbytes + key->quotalen < 743 newowner->qnbytes) 744 goto quota_overrun; 745 746 newowner->qnkeys++; 747 newowner->qnbytes += key->quotalen; 748 spin_unlock(&newowner->lock); 749 750 spin_lock(&key->user->lock); 751 key->user->qnkeys--; 752 key->user->qnbytes -= key->quotalen; 753 spin_unlock(&key->user->lock); 754 } 755 756 atomic_dec(&key->user->nkeys); 757 atomic_inc(&newowner->nkeys); 758 759 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 760 atomic_dec(&key->user->nikeys); 761 atomic_inc(&newowner->nikeys); 762 } 763 764 zapowner = key->user; 765 key->user = newowner; 766 key->uid = uid; 767 } 768 769 /* change the GID */ 770 if (gid != (gid_t) -1) 771 key->gid = gid; 772 773 ret = 0; 774 775error_put: 776 up_write(&key->sem); 777 key_put(key); 778 if (zapowner) 779 key_user_put(zapowner); 780error: 781 return ret; 782 783quota_overrun: 784 spin_unlock(&newowner->lock); 785 zapowner = newowner; 786 ret = -EDQUOT; 787 goto error_put; 788 789} /* end keyctl_chown_key() */ 790 791/*****************************************************************************/ 792/* 793 * change the permission mask on a key 794 * - the keyring owned by the changer 795 * - implements keyctl(KEYCTL_SETPERM) 796 */ 797long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 798{ 799 struct key *key; 800 key_ref_t key_ref; 801 long ret; 802 803 ret = -EINVAL; 804 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 805 goto error; 806 807 key_ref = lookup_user_key(id, 1, 1, KEY_SETATTR); 808 if (IS_ERR(key_ref)) { 809 ret = PTR_ERR(key_ref); 810 goto error; 811 } 812 813 key = key_ref_to_ptr(key_ref); 814 815 /* make the changes with the locks held to prevent chown/chmod races */ 816 ret = -EACCES; 817 down_write(&key->sem); 818 819 /* if we're not the sysadmin, we can only change a key that we own */ 820 if (capable(CAP_SYS_ADMIN) || key->uid == current_fsuid()) { 821 key->perm = perm; 822 ret = 0; 823 } 824 825 up_write(&key->sem); 826 key_put(key); 827error: 828 return ret; 829 830} /* end keyctl_setperm_key() */ 831 832/* 833 * get the destination keyring for instantiation 834 */ 835static long get_instantiation_keyring(key_serial_t ringid, 836 struct request_key_auth *rka, 837 struct key **_dest_keyring) 838{ 839 key_ref_t dkref; 840 841 *_dest_keyring = NULL; 842 843 /* just return a NULL pointer if we weren't asked to make a link */ 844 if (ringid == 0) 845 return 0; 846 847 /* if a specific keyring is nominated by ID, then use that */ 848 if (ringid > 0) { 849 dkref = lookup_user_key(ringid, 1, 0, KEY_WRITE); 850 if (IS_ERR(dkref)) 851 return PTR_ERR(dkref); 852 *_dest_keyring = key_ref_to_ptr(dkref); 853 return 0; 854 } 855 856 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 857 return -EINVAL; 858 859 /* otherwise specify the destination keyring recorded in the 860 * authorisation key (any KEY_SPEC_*_KEYRING) */ 861 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 862 *_dest_keyring = rka->dest_keyring; 863 return 0; 864 } 865 866 return -ENOKEY; 867} 868 869/* 870 * change the request_key authorisation key on the current process 871 */ 872static int keyctl_change_reqkey_auth(struct key *key) 873{ 874 struct cred *new; 875 876 new = prepare_creds(); 877 if (!new) 878 return -ENOMEM; 879 880 key_put(new->request_key_auth); 881 new->request_key_auth = key_get(key); 882 883 return commit_creds(new); 884} 885 886/*****************************************************************************/ 887/* 888 * instantiate the key with the specified payload, and, if one is given, link 889 * the key into the keyring 890 */ 891long keyctl_instantiate_key(key_serial_t id, 892 const void __user *_payload, 893 size_t plen, 894 key_serial_t ringid) 895{ 896 const struct cred *cred = current_cred(); 897 struct request_key_auth *rka; 898 struct key *instkey, *dest_keyring; 899 void *payload; 900 long ret; 901 bool vm = false; 902 903 kenter("%d,,%zu,%d", id, plen, ringid); 904 905 ret = -EINVAL; 906 if (plen > 1024 * 1024 - 1) 907 goto error; 908 909 /* the appropriate instantiation authorisation key must have been 910 * assumed before calling this */ 911 ret = -EPERM; 912 instkey = cred->request_key_auth; 913 if (!instkey) 914 goto error; 915 916 rka = instkey->payload.data; 917 if (rka->target_key->serial != id) 918 goto error; 919 920 /* pull the payload in if one was supplied */ 921 payload = NULL; 922 923 if (_payload) { 924 ret = -ENOMEM; 925 payload = kmalloc(plen, GFP_KERNEL); 926 if (!payload) { 927 if (plen <= PAGE_SIZE) 928 goto error; 929 vm = true; 930 payload = vmalloc(plen); 931 if (!payload) 932 goto error; 933 } 934 935 ret = -EFAULT; 936 if (copy_from_user(payload, _payload, plen) != 0) 937 goto error2; 938 } 939 940 /* find the destination keyring amongst those belonging to the 941 * requesting task */ 942 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 943 if (ret < 0) 944 goto error2; 945 946 /* instantiate the key and link it into a keyring */ 947 ret = key_instantiate_and_link(rka->target_key, payload, plen, 948 dest_keyring, instkey); 949 950 key_put(dest_keyring); 951 952 /* discard the assumed authority if it's just been disabled by 953 * instantiation of the key */ 954 if (ret == 0) 955 keyctl_change_reqkey_auth(NULL); 956 957error2: 958 if (!vm) 959 kfree(payload); 960 else 961 vfree(payload); 962error: 963 return ret; 964 965} /* end keyctl_instantiate_key() */ 966 967/*****************************************************************************/ 968/* 969 * negatively instantiate the key with the given timeout (in seconds), and, if 970 * one is given, link the key into the keyring 971 */ 972long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 973{ 974 const struct cred *cred = current_cred(); 975 struct request_key_auth *rka; 976 struct key *instkey, *dest_keyring; 977 long ret; 978 979 kenter("%d,%u,%d", id, timeout, ringid); 980 981 /* the appropriate instantiation authorisation key must have been 982 * assumed before calling this */ 983 ret = -EPERM; 984 instkey = cred->request_key_auth; 985 if (!instkey) 986 goto error; 987 988 rka = instkey->payload.data; 989 if (rka->target_key->serial != id) 990 goto error; 991 992 /* find the destination keyring if present (which must also be 993 * writable) */ 994 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 995 if (ret < 0) 996 goto error; 997 998 /* instantiate the key and link it into a keyring */ 999 ret = key_negate_and_link(rka->target_key, timeout, 1000 dest_keyring, instkey); 1001 1002 key_put(dest_keyring); 1003 1004 /* discard the assumed authority if it's just been disabled by 1005 * instantiation of the key */ 1006 if (ret == 0) 1007 keyctl_change_reqkey_auth(NULL); 1008 1009error: 1010 return ret; 1011 1012} /* end keyctl_negate_key() */ 1013 1014/*****************************************************************************/ 1015/* 1016 * set the default keyring in which request_key() will cache keys 1017 * - return the old setting 1018 */ 1019long keyctl_set_reqkey_keyring(int reqkey_defl) 1020{ 1021 struct cred *new; 1022 int ret, old_setting; 1023 1024 old_setting = current_cred_xxx(jit_keyring); 1025 1026 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1027 return old_setting; 1028 1029 new = prepare_creds(); 1030 if (!new) 1031 return -ENOMEM; 1032 1033 switch (reqkey_defl) { 1034 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1035 ret = install_thread_keyring_to_cred(new); 1036 if (ret < 0) 1037 goto error; 1038 goto set; 1039 1040 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1041 ret = install_process_keyring_to_cred(new); 1042 if (ret < 0) { 1043 if (ret != -EEXIST) 1044 goto error; 1045 ret = 0; 1046 } 1047 goto set; 1048 1049 case KEY_REQKEY_DEFL_DEFAULT: 1050 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1051 case KEY_REQKEY_DEFL_USER_KEYRING: 1052 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1053 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1054 goto set; 1055 1056 case KEY_REQKEY_DEFL_NO_CHANGE: 1057 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1058 default: 1059 ret = -EINVAL; 1060 goto error; 1061 } 1062 1063set: 1064 new->jit_keyring = reqkey_defl; 1065 commit_creds(new); 1066 return old_setting; 1067error: 1068 abort_creds(new); 1069 return -EINVAL; 1070 1071} /* end keyctl_set_reqkey_keyring() */ 1072 1073/*****************************************************************************/ 1074/* 1075 * set or clear the timeout for a key 1076 */ 1077long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1078{ 1079 struct timespec now; 1080 struct key *key; 1081 key_ref_t key_ref; 1082 time_t expiry; 1083 long ret; 1084 1085 key_ref = lookup_user_key(id, 1, 1, KEY_SETATTR); 1086 if (IS_ERR(key_ref)) { 1087 ret = PTR_ERR(key_ref); 1088 goto error; 1089 } 1090 1091 key = key_ref_to_ptr(key_ref); 1092 1093 /* make the changes with the locks held to prevent races */ 1094 down_write(&key->sem); 1095 1096 expiry = 0; 1097 if (timeout > 0) { 1098 now = current_kernel_time(); 1099 expiry = now.tv_sec + timeout; 1100 } 1101 1102 key->expiry = expiry; 1103 1104 up_write(&key->sem); 1105 key_put(key); 1106 1107 ret = 0; 1108error: 1109 return ret; 1110 1111} /* end keyctl_set_timeout() */ 1112 1113/*****************************************************************************/ 1114/* 1115 * assume the authority to instantiate the specified key 1116 */ 1117long keyctl_assume_authority(key_serial_t id) 1118{ 1119 struct key *authkey; 1120 long ret; 1121 1122 /* special key IDs aren't permitted */ 1123 ret = -EINVAL; 1124 if (id < 0) 1125 goto error; 1126 1127 /* we divest ourselves of authority if given an ID of 0 */ 1128 if (id == 0) { 1129 ret = keyctl_change_reqkey_auth(NULL); 1130 goto error; 1131 } 1132 1133 /* attempt to assume the authority temporarily granted to us whilst we 1134 * instantiate the specified key 1135 * - the authorisation key must be in the current task's keyrings 1136 * somewhere 1137 */ 1138 authkey = key_get_instantiation_authkey(id); 1139 if (IS_ERR(authkey)) { 1140 ret = PTR_ERR(authkey); 1141 goto error; 1142 } 1143 1144 ret = keyctl_change_reqkey_auth(authkey); 1145 if (ret < 0) 1146 goto error; 1147 key_put(authkey); 1148 1149 ret = authkey->serial; 1150error: 1151 return ret; 1152 1153} /* end keyctl_assume_authority() */ 1154 1155/* 1156 * get the security label of a key 1157 * - the key must grant us view permission 1158 * - if there's a buffer, we place up to buflen bytes of data into it 1159 * - unless there's an error, we return the amount of information available, 1160 * irrespective of how much we may have copied (including the terminal NUL) 1161 * - implements keyctl(KEYCTL_GET_SECURITY) 1162 */ 1163long keyctl_get_security(key_serial_t keyid, 1164 char __user *buffer, 1165 size_t buflen) 1166{ 1167 struct key *key, *instkey; 1168 key_ref_t key_ref; 1169 char *context; 1170 long ret; 1171 1172 key_ref = lookup_user_key(keyid, 0, 1, KEY_VIEW); 1173 if (IS_ERR(key_ref)) { 1174 if (PTR_ERR(key_ref) != -EACCES) 1175 return PTR_ERR(key_ref); 1176 1177 /* viewing a key under construction is also permitted if we 1178 * have the authorisation token handy */ 1179 instkey = key_get_instantiation_authkey(keyid); 1180 if (IS_ERR(instkey)) 1181 return PTR_ERR(key_ref); 1182 key_put(instkey); 1183 1184 key_ref = lookup_user_key(keyid, 0, 1, 0); 1185 if (IS_ERR(key_ref)) 1186 return PTR_ERR(key_ref); 1187 } 1188 1189 key = key_ref_to_ptr(key_ref); 1190 ret = security_key_getsecurity(key, &context); 1191 if (ret == 0) { 1192 /* if no information was returned, give userspace an empty 1193 * string */ 1194 ret = 1; 1195 if (buffer && buflen > 0 && 1196 copy_to_user(buffer, "", 1) != 0) 1197 ret = -EFAULT; 1198 } else if (ret > 0) { 1199 /* return as much data as there's room for */ 1200 if (buffer && buflen > 0) { 1201 if (buflen > ret) 1202 buflen = ret; 1203 1204 if (copy_to_user(buffer, context, buflen) != 0) 1205 ret = -EFAULT; 1206 } 1207 1208 kfree(context); 1209 } 1210 1211 key_ref_put(key_ref); 1212 return ret; 1213} 1214 1215/*****************************************************************************/ 1216/* 1217 * the key control system call 1218 */ 1219SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1220 unsigned long, arg4, unsigned long, arg5) 1221{ 1222 switch (option) { 1223 case KEYCTL_GET_KEYRING_ID: 1224 return keyctl_get_keyring_ID((key_serial_t) arg2, 1225 (int) arg3); 1226 1227 case KEYCTL_JOIN_SESSION_KEYRING: 1228 return keyctl_join_session_keyring((const char __user *) arg2); 1229 1230 case KEYCTL_UPDATE: 1231 return keyctl_update_key((key_serial_t) arg2, 1232 (const void __user *) arg3, 1233 (size_t) arg4); 1234 1235 case KEYCTL_REVOKE: 1236 return keyctl_revoke_key((key_serial_t) arg2); 1237 1238 case KEYCTL_DESCRIBE: 1239 return keyctl_describe_key((key_serial_t) arg2, 1240 (char __user *) arg3, 1241 (unsigned) arg4); 1242 1243 case KEYCTL_CLEAR: 1244 return keyctl_keyring_clear((key_serial_t) arg2); 1245 1246 case KEYCTL_LINK: 1247 return keyctl_keyring_link((key_serial_t) arg2, 1248 (key_serial_t) arg3); 1249 1250 case KEYCTL_UNLINK: 1251 return keyctl_keyring_unlink((key_serial_t) arg2, 1252 (key_serial_t) arg3); 1253 1254 case KEYCTL_SEARCH: 1255 return keyctl_keyring_search((key_serial_t) arg2, 1256 (const char __user *) arg3, 1257 (const char __user *) arg4, 1258 (key_serial_t) arg5); 1259 1260 case KEYCTL_READ: 1261 return keyctl_read_key((key_serial_t) arg2, 1262 (char __user *) arg3, 1263 (size_t) arg4); 1264 1265 case KEYCTL_CHOWN: 1266 return keyctl_chown_key((key_serial_t) arg2, 1267 (uid_t) arg3, 1268 (gid_t) arg4); 1269 1270 case KEYCTL_SETPERM: 1271 return keyctl_setperm_key((key_serial_t) arg2, 1272 (key_perm_t) arg3); 1273 1274 case KEYCTL_INSTANTIATE: 1275 return keyctl_instantiate_key((key_serial_t) arg2, 1276 (const void __user *) arg3, 1277 (size_t) arg4, 1278 (key_serial_t) arg5); 1279 1280 case KEYCTL_NEGATE: 1281 return keyctl_negate_key((key_serial_t) arg2, 1282 (unsigned) arg3, 1283 (key_serial_t) arg4); 1284 1285 case KEYCTL_SET_REQKEY_KEYRING: 1286 return keyctl_set_reqkey_keyring(arg2); 1287 1288 case KEYCTL_SET_TIMEOUT: 1289 return keyctl_set_timeout((key_serial_t) arg2, 1290 (unsigned) arg3); 1291 1292 case KEYCTL_ASSUME_AUTHORITY: 1293 return keyctl_assume_authority((key_serial_t) arg2); 1294 1295 case KEYCTL_GET_SECURITY: 1296 return keyctl_get_security((key_serial_t) arg2, 1297 (char __user *) arg3, 1298 (size_t) arg4); 1299 1300 default: 1301 return -EOPNOTSUPP; 1302 } 1303 1304} /* end sys_keyctl() */