security/keys/process_keys.c at v3.8-rc3 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / security / keys / process_keys.c
at v3.8-rc3 856 lines 21 kB view raw
  1/* Manage a process's keyrings
  2 *
  3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
  4 * Written by David Howells (dhowells@redhat.com)
  5 *
  6 * This program is free software; you can redistribute it and/or
  7 * modify it under the terms of the GNU General Public License
  8 * as published by the Free Software Foundation; either version
  9 * 2 of the License, or (at your option) any later version.
 10 */
 11
 12#include <linux/module.h>
 13#include <linux/init.h>
 14#include <linux/sched.h>
 15#include <linux/keyctl.h>
 16#include <linux/fs.h>
 17#include <linux/err.h>
 18#include <linux/mutex.h>
 19#include <linux/security.h>
 20#include <linux/user_namespace.h>
 21#include <asm/uaccess.h>
 22#include "internal.h"
 23
 24/* Session keyring create vs join semaphore */
 25static DEFINE_MUTEX(key_session_mutex);
 26
 27/* User keyring creation semaphore */
 28static DEFINE_MUTEX(key_user_keyring_mutex);
 29
 30/* The root user's tracking struct */
 31struct key_user root_key_user = {
 32	.usage		= ATOMIC_INIT(3),
 33	.cons_lock	= __MUTEX_INITIALIZER(root_key_user.cons_lock),
 34	.lock		= __SPIN_LOCK_UNLOCKED(root_key_user.lock),
 35	.nkeys		= ATOMIC_INIT(2),
 36	.nikeys		= ATOMIC_INIT(2),
 37	.uid		= GLOBAL_ROOT_UID,
 38};
 39
 40/*
 41 * Install the user and user session keyrings for the current process's UID.
 42 */
 43int install_user_keyrings(void)
 44{
 45	struct user_struct *user;
 46	const struct cred *cred;
 47	struct key *uid_keyring, *session_keyring;
 48	key_perm_t user_keyring_perm;
 49	char buf[20];
 50	int ret;
 51	uid_t uid;
 52
 53	user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
 54	cred = current_cred();
 55	user = cred->user;
 56	uid = from_kuid(cred->user_ns, user->uid);
 57
 58	kenter("%p{%u}", user, uid);
 59
 60	if (user->uid_keyring) {
 61		kleave(" = 0 [exist]");
 62		return 0;
 63	}
 64
 65	mutex_lock(&key_user_keyring_mutex);
 66	ret = 0;
 67
 68	if (!user->uid_keyring) {
 69		/* get the UID-specific keyring
 70		 * - there may be one in existence already as it may have been
 71		 *   pinned by a session, but the user_struct pointing to it
 72		 *   may have been destroyed by setuid */
 73		sprintf(buf, "_uid.%u", uid);
 74
 75		uid_keyring = find_keyring_by_name(buf, true);
 76		if (IS_ERR(uid_keyring)) {
 77			uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
 78						    cred, user_keyring_perm,
 79						    KEY_ALLOC_IN_QUOTA, NULL);
 80			if (IS_ERR(uid_keyring)) {
 81				ret = PTR_ERR(uid_keyring);
 82				goto error;
 83			}
 84		}
 85
 86		/* get a default session keyring (which might also exist
 87		 * already) */
 88		sprintf(buf, "_uid_ses.%u", uid);
 89
 90		session_keyring = find_keyring_by_name(buf, true);
 91		if (IS_ERR(session_keyring)) {
 92			session_keyring =
 93				keyring_alloc(buf, user->uid, INVALID_GID,
 94					      cred, user_keyring_perm,
 95					      KEY_ALLOC_IN_QUOTA, NULL);
 96			if (IS_ERR(session_keyring)) {
 97				ret = PTR_ERR(session_keyring);
 98				goto error_release;
 99			}
100
101			/* we install a link from the user session keyring to
102			 * the user keyring */
103			ret = key_link(session_keyring, uid_keyring);
104			if (ret < 0)
105				goto error_release_both;
106		}
107
108		/* install the keyrings */
109		user->uid_keyring = uid_keyring;
110		user->session_keyring = session_keyring;
111	}
112
113	mutex_unlock(&key_user_keyring_mutex);
114	kleave(" = 0");
115	return 0;
116
117error_release_both:
118	key_put(session_keyring);
119error_release:
120	key_put(uid_keyring);
121error:
122	mutex_unlock(&key_user_keyring_mutex);
123	kleave(" = %d", ret);
124	return ret;
125}
126
127/*
128 * Install a fresh thread keyring directly to new credentials.  This keyring is
129 * allowed to overrun the quota.
130 */
131int install_thread_keyring_to_cred(struct cred *new)
132{
133	struct key *keyring;
134
135	keyring = keyring_alloc("_tid", new->uid, new->gid, new,
136				KEY_POS_ALL | KEY_USR_VIEW,
137				KEY_ALLOC_QUOTA_OVERRUN, NULL);
138	if (IS_ERR(keyring))
139		return PTR_ERR(keyring);
140
141	new->thread_keyring = keyring;
142	return 0;
143}
144
145/*
146 * Install a fresh thread keyring, discarding the old one.
147 */
148static int install_thread_keyring(void)
149{
150	struct cred *new;
151	int ret;
152
153	new = prepare_creds();
154	if (!new)
155		return -ENOMEM;
156
157	BUG_ON(new->thread_keyring);
158
159	ret = install_thread_keyring_to_cred(new);
160	if (ret < 0) {
161		abort_creds(new);
162		return ret;
163	}
164
165	return commit_creds(new);
166}
167
168/*
169 * Install a process keyring directly to a credentials struct.
170 *
171 * Returns -EEXIST if there was already a process keyring, 0 if one installed,
172 * and other value on any other error
173 */
174int install_process_keyring_to_cred(struct cred *new)
175{
176	struct key *keyring;
177
178	if (new->process_keyring)
179		return -EEXIST;
180
181	keyring = keyring_alloc("_pid", new->uid, new->gid, new,
182				KEY_POS_ALL | KEY_USR_VIEW,
183				KEY_ALLOC_QUOTA_OVERRUN, NULL);
184	if (IS_ERR(keyring))
185		return PTR_ERR(keyring);
186
187	new->process_keyring = keyring;
188	return 0;
189}
190
191/*
192 * Make sure a process keyring is installed for the current process.  The
193 * existing process keyring is not replaced.
194 *
195 * Returns 0 if there is a process keyring by the end of this function, some
196 * error otherwise.
197 */
198static int install_process_keyring(void)
199{
200	struct cred *new;
201	int ret;
202
203	new = prepare_creds();
204	if (!new)
205		return -ENOMEM;
206
207	ret = install_process_keyring_to_cred(new);
208	if (ret < 0) {
209		abort_creds(new);
210		return ret != -EEXIST ? ret : 0;
211	}
212
213	return commit_creds(new);
214}
215
216/*
217 * Install a session keyring directly to a credentials struct.
218 */
219int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
220{
221	unsigned long flags;
222	struct key *old;
223
224	might_sleep();
225
226	/* create an empty session keyring */
227	if (!keyring) {
228		flags = KEY_ALLOC_QUOTA_OVERRUN;
229		if (cred->session_keyring)
230			flags = KEY_ALLOC_IN_QUOTA;
231
232		keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred,
233					KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
234					flags, NULL);
235		if (IS_ERR(keyring))
236			return PTR_ERR(keyring);
237	} else {
238		atomic_inc(&keyring->usage);
239	}
240
241	/* install the keyring */
242	old = cred->session_keyring;
243	rcu_assign_pointer(cred->session_keyring, keyring);
244
245	if (old)
246		key_put(old);
247
248	return 0;
249}
250
251/*
252 * Install a session keyring, discarding the old one.  If a keyring is not
253 * supplied, an empty one is invented.
254 */
255static int install_session_keyring(struct key *keyring)
256{
257	struct cred *new;
258	int ret;
259
260	new = prepare_creds();
261	if (!new)
262		return -ENOMEM;
263
264	ret = install_session_keyring_to_cred(new, keyring);
265	if (ret < 0) {
266		abort_creds(new);
267		return ret;
268	}
269
270	return commit_creds(new);
271}
272
273/*
274 * Handle the fsuid changing.
275 */
276void key_fsuid_changed(struct task_struct *tsk)
277{
278	/* update the ownership of the thread keyring */
279	BUG_ON(!tsk->cred);
280	if (tsk->cred->thread_keyring) {
281		down_write(&tsk->cred->thread_keyring->sem);
282		tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
283		up_write(&tsk->cred->thread_keyring->sem);
284	}
285}
286
287/*
288 * Handle the fsgid changing.
289 */
290void key_fsgid_changed(struct task_struct *tsk)
291{
292	/* update the ownership of the thread keyring */
293	BUG_ON(!tsk->cred);
294	if (tsk->cred->thread_keyring) {
295		down_write(&tsk->cred->thread_keyring->sem);
296		tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
297		up_write(&tsk->cred->thread_keyring->sem);
298	}
299}
300
301/*
302 * Search the process keyrings attached to the supplied cred for the first
303 * matching key.
304 *
305 * The search criteria are the type and the match function.  The description is
306 * given to the match function as a parameter, but doesn't otherwise influence
307 * the search.  Typically the match function will compare the description
308 * parameter to the key's description.
309 *
310 * This can only search keyrings that grant Search permission to the supplied
311 * credentials.  Keyrings linked to searched keyrings will also be searched if
312 * they grant Search permission too.  Keys can only be found if they grant
313 * Search permission to the credentials.
314 *
315 * Returns a pointer to the key with the key usage count incremented if
316 * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only
317 * matched negative keys.
318 *
319 * In the case of a successful return, the possession attribute is set on the
320 * returned key reference.
321 */
322key_ref_t search_my_process_keyrings(struct key_type *type,
323				     const void *description,
324				     key_match_func_t match,
325				     bool no_state_check,
326				     const struct cred *cred)
327{
328	key_ref_t key_ref, ret, err;
329
330	/* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
331	 * searchable, but we failed to find a key or we found a negative key;
332	 * otherwise we want to return a sample error (probably -EACCES) if
333	 * none of the keyrings were searchable
334	 *
335	 * in terms of priority: success > -ENOKEY > -EAGAIN > other error
336	 */
337	key_ref = NULL;
338	ret = NULL;
339	err = ERR_PTR(-EAGAIN);
340
341	/* search the thread keyring first */
342	if (cred->thread_keyring) {
343		key_ref = keyring_search_aux(
344			make_key_ref(cred->thread_keyring, 1),
345			cred, type, description, match, no_state_check);
346		if (!IS_ERR(key_ref))
347			goto found;
348
349		switch (PTR_ERR(key_ref)) {
350		case -EAGAIN: /* no key */
351		case -ENOKEY: /* negative key */
352			ret = key_ref;
353			break;
354		default:
355			err = key_ref;
356			break;
357		}
358	}
359
360	/* search the process keyring second */
361	if (cred->process_keyring) {
362		key_ref = keyring_search_aux(
363			make_key_ref(cred->process_keyring, 1),
364			cred, type, description, match, no_state_check);
365		if (!IS_ERR(key_ref))
366			goto found;
367
368		switch (PTR_ERR(key_ref)) {
369		case -EAGAIN: /* no key */
370		case -ENOKEY: /* negative key */
371			ret = key_ref;
372			break;
373		default:
374			err = key_ref;
375			break;
376		}
377	}
378
379	/* search the session keyring */
380	if (cred->session_keyring) {
381		rcu_read_lock();
382		key_ref = keyring_search_aux(
383			make_key_ref(rcu_dereference(cred->session_keyring), 1),
384			cred, type, description, match, no_state_check);
385		rcu_read_unlock();
386
387		if (!IS_ERR(key_ref))
388			goto found;
389
390		switch (PTR_ERR(key_ref)) {
391		case -EAGAIN: /* no key */
392			if (ret)
393				break;
394		case -ENOKEY: /* negative key */
395			ret = key_ref;
396			break;
397		default:
398			err = key_ref;
399			break;
400		}
401	}
402	/* or search the user-session keyring */
403	else if (cred->user->session_keyring) {
404		key_ref = keyring_search_aux(
405			make_key_ref(cred->user->session_keyring, 1),
406			cred, type, description, match, no_state_check);
407		if (!IS_ERR(key_ref))
408			goto found;
409
410		switch (PTR_ERR(key_ref)) {
411		case -EAGAIN: /* no key */
412			if (ret)
413				break;
414		case -ENOKEY: /* negative key */
415			ret = key_ref;
416			break;
417		default:
418			err = key_ref;
419			break;
420		}
421	}
422
423	/* no key - decide on the error we're going to go for */
424	key_ref = ret ? ret : err;
425
426found:
427	return key_ref;
428}
429
430/*
431 * Search the process keyrings attached to the supplied cred for the first
432 * matching key in the manner of search_my_process_keyrings(), but also search
433 * the keys attached to the assumed authorisation key using its credentials if
434 * one is available.
435 *
436 * Return same as search_my_process_keyrings().
437 */
438key_ref_t search_process_keyrings(struct key_type *type,
439				  const void *description,
440				  key_match_func_t match,
441				  const struct cred *cred)
442{
443	struct request_key_auth *rka;
444	key_ref_t key_ref, ret = ERR_PTR(-EACCES), err;
445
446	might_sleep();
447
448	key_ref = search_my_process_keyrings(type, description, match,
449					     false, cred);
450	if (!IS_ERR(key_ref))
451		goto found;
452	err = key_ref;
453
454	/* if this process has an instantiation authorisation key, then we also
455	 * search the keyrings of the process mentioned there
456	 * - we don't permit access to request_key auth keys via this method
457	 */
458	if (cred->request_key_auth &&
459	    cred == current_cred() &&
460	    type != &key_type_request_key_auth
461	    ) {
462		/* defend against the auth key being revoked */
463		down_read(&cred->request_key_auth->sem);
464
465		if (key_validate(cred->request_key_auth) == 0) {
466			rka = cred->request_key_auth->payload.data;
467
468			key_ref = search_process_keyrings(type, description,
469							  match, rka->cred);
470
471			up_read(&cred->request_key_auth->sem);
472
473			if (!IS_ERR(key_ref))
474				goto found;
475
476			ret = key_ref;
477		} else {
478			up_read(&cred->request_key_auth->sem);
479		}
480	}
481
482	/* no key - decide on the error we're going to go for */
483	if (err == ERR_PTR(-ENOKEY) || ret == ERR_PTR(-ENOKEY))
484		key_ref = ERR_PTR(-ENOKEY);
485	else if (err == ERR_PTR(-EACCES))
486		key_ref = ret;
487	else
488		key_ref = err;
489
490found:
491	return key_ref;
492}
493
494/*
495 * See if the key we're looking at is the target key.
496 */
497int lookup_user_key_possessed(const struct key *key, const void *target)
498{
499	return key == target;
500}
501
502/*
503 * Look up a key ID given us by userspace with a given permissions mask to get
504 * the key it refers to.
505 *
506 * Flags can be passed to request that special keyrings be created if referred
507 * to directly, to permit partially constructed keys to be found and to skip
508 * validity and permission checks on the found key.
509 *
510 * Returns a pointer to the key with an incremented usage count if successful;
511 * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond
512 * to a key or the best found key was a negative key; -EKEYREVOKED or
513 * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the
514 * found key doesn't grant the requested permit or the LSM denied access to it;
515 * or -ENOMEM if a special keyring couldn't be created.
516 *
517 * In the case of a successful return, the possession attribute is set on the
518 * returned key reference.
519 */
520key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
521			  key_perm_t perm)
522{
523	struct request_key_auth *rka;
524	const struct cred *cred;
525	struct key *key;
526	key_ref_t key_ref, skey_ref;
527	int ret;
528
529try_again:
530	cred = get_current_cred();
531	key_ref = ERR_PTR(-ENOKEY);
532
533	switch (id) {
534	case KEY_SPEC_THREAD_KEYRING:
535		if (!cred->thread_keyring) {
536			if (!(lflags & KEY_LOOKUP_CREATE))
537				goto error;
538
539			ret = install_thread_keyring();
540			if (ret < 0) {
541				key_ref = ERR_PTR(ret);
542				goto error;
543			}
544			goto reget_creds;
545		}
546
547		key = cred->thread_keyring;
548		atomic_inc(&key->usage);
549		key_ref = make_key_ref(key, 1);
550		break;
551
552	case KEY_SPEC_PROCESS_KEYRING:
553		if (!cred->process_keyring) {
554			if (!(lflags & KEY_LOOKUP_CREATE))
555				goto error;
556
557			ret = install_process_keyring();
558			if (ret < 0) {
559				key_ref = ERR_PTR(ret);
560				goto error;
561			}
562			goto reget_creds;
563		}
564
565		key = cred->process_keyring;
566		atomic_inc(&key->usage);
567		key_ref = make_key_ref(key, 1);
568		break;
569
570	case KEY_SPEC_SESSION_KEYRING:
571		if (!cred->session_keyring) {
572			/* always install a session keyring upon access if one
573			 * doesn't exist yet */
574			ret = install_user_keyrings();
575			if (ret < 0)
576				goto error;
577			if (lflags & KEY_LOOKUP_CREATE)
578				ret = join_session_keyring(NULL);
579			else
580				ret = install_session_keyring(
581					cred->user->session_keyring);
582
583			if (ret < 0)
584				goto error;
585			goto reget_creds;
586		} else if (cred->session_keyring ==
587			   cred->user->session_keyring &&
588			   lflags & KEY_LOOKUP_CREATE) {
589			ret = join_session_keyring(NULL);
590			if (ret < 0)
591				goto error;
592			goto reget_creds;
593		}
594
595		rcu_read_lock();
596		key = rcu_dereference(cred->session_keyring);
597		atomic_inc(&key->usage);
598		rcu_read_unlock();
599		key_ref = make_key_ref(key, 1);
600		break;
601
602	case KEY_SPEC_USER_KEYRING:
603		if (!cred->user->uid_keyring) {
604			ret = install_user_keyrings();
605			if (ret < 0)
606				goto error;
607		}
608
609		key = cred->user->uid_keyring;
610		atomic_inc(&key->usage);
611		key_ref = make_key_ref(key, 1);
612		break;
613
614	case KEY_SPEC_USER_SESSION_KEYRING:
615		if (!cred->user->session_keyring) {
616			ret = install_user_keyrings();
617			if (ret < 0)
618				goto error;
619		}
620
621		key = cred->user->session_keyring;
622		atomic_inc(&key->usage);
623		key_ref = make_key_ref(key, 1);
624		break;
625
626	case KEY_SPEC_GROUP_KEYRING:
627		/* group keyrings are not yet supported */
628		key_ref = ERR_PTR(-EINVAL);
629		goto error;
630
631	case KEY_SPEC_REQKEY_AUTH_KEY:
632		key = cred->request_key_auth;
633		if (!key)
634			goto error;
635
636		atomic_inc(&key->usage);
637		key_ref = make_key_ref(key, 1);
638		break;
639
640	case KEY_SPEC_REQUESTOR_KEYRING:
641		if (!cred->request_key_auth)
642			goto error;
643
644		down_read(&cred->request_key_auth->sem);
645		if (test_bit(KEY_FLAG_REVOKED,
646			     &cred->request_key_auth->flags)) {
647			key_ref = ERR_PTR(-EKEYREVOKED);
648			key = NULL;
649		} else {
650			rka = cred->request_key_auth->payload.data;
651			key = rka->dest_keyring;
652			atomic_inc(&key->usage);
653		}
654		up_read(&cred->request_key_auth->sem);
655		if (!key)
656			goto error;
657		key_ref = make_key_ref(key, 1);
658		break;
659
660	default:
661		key_ref = ERR_PTR(-EINVAL);
662		if (id < 1)
663			goto error;
664
665		key = key_lookup(id);
666		if (IS_ERR(key)) {
667			key_ref = ERR_CAST(key);
668			goto error;
669		}
670
671		key_ref = make_key_ref(key, 0);
672
673		/* check to see if we possess the key */
674		skey_ref = search_process_keyrings(key->type, key,
675						   lookup_user_key_possessed,
676						   cred);
677
678		if (!IS_ERR(skey_ref)) {
679			key_put(key);
680			key_ref = skey_ref;
681		}
682
683		break;
684	}
685
686	/* unlink does not use the nominated key in any way, so can skip all
687	 * the permission checks as it is only concerned with the keyring */
688	if (lflags & KEY_LOOKUP_FOR_UNLINK) {
689		ret = 0;
690		goto error;
691	}
692
693	if (!(lflags & KEY_LOOKUP_PARTIAL)) {
694		ret = wait_for_key_construction(key, true);
695		switch (ret) {
696		case -ERESTARTSYS:
697			goto invalid_key;
698		default:
699			if (perm)
700				goto invalid_key;
701		case 0:
702			break;
703		}
704	} else if (perm) {
705		ret = key_validate(key);
706		if (ret < 0)
707			goto invalid_key;
708	}
709
710	ret = -EIO;
711	if (!(lflags & KEY_LOOKUP_PARTIAL) &&
712	    !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
713		goto invalid_key;
714
715	/* check the permissions */
716	ret = key_task_permission(key_ref, cred, perm);
717	if (ret < 0)
718		goto invalid_key;
719
720	key->last_used_at = current_kernel_time().tv_sec;
721
722error:
723	put_cred(cred);
724	return key_ref;
725
726invalid_key:
727	key_ref_put(key_ref);
728	key_ref = ERR_PTR(ret);
729	goto error;
730
731	/* if we attempted to install a keyring, then it may have caused new
732	 * creds to be installed */
733reget_creds:
734	put_cred(cred);
735	goto try_again;
736}
737
738/*
739 * Join the named keyring as the session keyring if possible else attempt to
740 * create a new one of that name and join that.
741 *
742 * If the name is NULL, an empty anonymous keyring will be installed as the
743 * session keyring.
744 *
745 * Named session keyrings are joined with a semaphore held to prevent the
746 * keyrings from going away whilst the attempt is made to going them and also
747 * to prevent a race in creating compatible session keyrings.
748 */
749long join_session_keyring(const char *name)
750{
751	const struct cred *old;
752	struct cred *new;
753	struct key *keyring;
754	long ret, serial;
755
756	new = prepare_creds();
757	if (!new)
758		return -ENOMEM;
759	old = current_cred();
760
761	/* if no name is provided, install an anonymous keyring */
762	if (!name) {
763		ret = install_session_keyring_to_cred(new, NULL);
764		if (ret < 0)
765			goto error;
766
767		serial = new->session_keyring->serial;
768		ret = commit_creds(new);
769		if (ret == 0)
770			ret = serial;
771		goto okay;
772	}
773
774	/* allow the user to join or create a named keyring */
775	mutex_lock(&key_session_mutex);
776
777	/* look for an existing keyring of this name */
778	keyring = find_keyring_by_name(name, false);
779	if (PTR_ERR(keyring) == -ENOKEY) {
780		/* not found - try and create a new one */
781		keyring = keyring_alloc(
782			name, old->uid, old->gid, old,
783			KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK,
784			KEY_ALLOC_IN_QUOTA, NULL);
785		if (IS_ERR(keyring)) {
786			ret = PTR_ERR(keyring);
787			goto error2;
788		}
789	} else if (IS_ERR(keyring)) {
790		ret = PTR_ERR(keyring);
791		goto error2;
792	} else if (keyring == new->session_keyring) {
793		ret = 0;
794		goto error2;
795	}
796
797	/* we've got a keyring - now to install it */
798	ret = install_session_keyring_to_cred(new, keyring);
799	if (ret < 0)
800		goto error2;
801
802	commit_creds(new);
803	mutex_unlock(&key_session_mutex);
804
805	ret = keyring->serial;
806	key_put(keyring);
807okay:
808	return ret;
809
810error2:
811	mutex_unlock(&key_session_mutex);
812error:
813	abort_creds(new);
814	return ret;
815}
816
817/*
818 * Replace a process's session keyring on behalf of one of its children when
819 * the target  process is about to resume userspace execution.
820 */
821void key_change_session_keyring(struct callback_head *twork)
822{
823	const struct cred *old = current_cred();
824	struct cred *new = container_of(twork, struct cred, rcu);
825
826	if (unlikely(current->flags & PF_EXITING)) {
827		put_cred(new);
828		return;
829	}
830
831	new->  uid	= old->  uid;
832	new-> euid	= old-> euid;
833	new-> suid	= old-> suid;
834	new->fsuid	= old->fsuid;
835	new->  gid	= old->  gid;
836	new-> egid	= old-> egid;
837	new-> sgid	= old-> sgid;
838	new->fsgid	= old->fsgid;
839	new->user	= get_uid(old->user);
840	new->user_ns	= get_user_ns(new->user_ns);
841	new->group_info	= get_group_info(old->group_info);
842
843	new->securebits	= old->securebits;
844	new->cap_inheritable	= old->cap_inheritable;
845	new->cap_permitted	= old->cap_permitted;
846	new->cap_effective	= old->cap_effective;
847	new->cap_bset		= old->cap_bset;
848
849	new->jit_keyring	= old->jit_keyring;
850	new->thread_keyring	= key_get(old->thread_keyring);
851	new->process_keyring	= key_get(old->process_keyring);
852
853	security_transfer_creds(new, old);
854
855	commit_creds(new);
856}