tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
Pull keyring ACL support from David Howells:
"This changes the permissions model used by keys and keyrings to be
based on an internal ACL by the following means:
- Replace the permissions mask internally with an ACL that contains a
list of ACEs, each with a specific subject with a permissions mask.
Potted default ACLs are available for new keys and keyrings.
ACE subjects can be macroised to indicate the UID and GID specified
on the key (which remain). Future commits will be able to add
additional subject types, such as specific UIDs or domain
tags/namespaces.
Also split a number of permissions to give finer control. Examples
include splitting the revocation permit from the change-attributes
permit, thereby allowing someone to be granted permission to revoke
a key without allowing them to change the owner; also the ability
to join a keyring is split from the ability to link to it, thereby
stopping a process accessing a keyring by joining it and thus
acquiring use of possessor permits.
- Provide a keyctl to allow the granting or denial of one or more
permits to a specific subject. Direct access to the ACL is not
granted, and the ACL cannot be viewed"
* tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
keys: Provide KEYCTL_GRANT_PERMISSION
keys: Replace uid/gid/perm permissions checking with an ACL
+995
-328
+100
-28
Documentation/security/keys/core.rst
+100
-28
Documentation/security/keys/core.rst
···
57
57
type provides an operation to perform a match between the description on a
58
58
key and a criterion string.
59
59
60
-
* Each key has an owner user ID, a group ID and a permissions mask. These
61
-
are used to control what a process may do to a key from userspace, and
62
-
whether a kernel service will be able to find the key.
60
+
* Each key has an owner user ID, a group ID and an ACL. These are used to
61
+
control what a process may do to a key from userspace, and whether a
62
+
kernel service will be able to find the key.
63
63
64
64
* Each key can be set to expire at a specific time by the key type's
65
65
instantiation function. Keys can also be immortal.
···
198
198
Key Access Permissions
199
199
======================
200
200
201
-
Keys have an owner user ID, a group access ID, and a permissions mask. The mask
202
-
has up to eight bits each for possessor, user, group and other access. Only
203
-
six of each set of eight bits are defined. These permissions granted are:
201
+
Keys have an owner user ID, a group ID and an ACL. The ACL is made up of a
202
+
sequence of ACEs that each contain three elements:
204
203
205
-
* View
204
+
* The type of subject.
205
+
* The subject.
206
206
207
-
This permits a key or keyring's attributes to be viewed - including key
208
-
type and description.
207
+
These two together indicate the subject to whom the permits are granted.
208
+
The type can be one of:
209
209
210
-
* Read
210
+
* ``KEY_ACE_SUBJ_STANDARD``
211
211
212
-
This permits a key's payload to be viewed or a keyring's list of linked
213
-
keys.
212
+
The subject is a standard 'macro' type. The subject can be one of:
214
213
215
-
* Write
214
+
* ``KEY_ACE_EVERYONE``
216
215
217
-
This permits a key's payload to be instantiated or updated, or it allows a
218
-
link to be added to or removed from a keyring.
216
+
The permits are granted to everyone. It replaces the old 'other'
217
+
type on the assumption that you wouldn't grant a permission to other
218
+
that you you wouldn't grant to everyone else.
219
219
220
-
* Search
220
+
* ``KEY_ACE_OWNER``
221
221
222
-
This permits keyrings to be searched and keys to be found. Searches can
223
-
only recurse into nested keyrings that have search permission set.
222
+
The permits are granted to the owner of the key (key->uid).
224
223
225
-
* Link
224
+
* ``KEY_ACE_GROUP``
226
225
227
-
This permits a key or keyring to be linked to. To create a link from a
228
-
keyring to a key, a process must have Write permission on the keyring and
229
-
Link permission on the key.
226
+
The permits are granted to the key's group (key->gid).
230
227
231
-
* Set Attribute
228
+
* ``KEY_ACE_POSSESSOR``
232
229
233
-
This permits a key's UID, GID and permissions mask to be changed.
230
+
The permits are granted to anyone who possesses the key.
231
+
232
+
* The set of permits granted to the subject. These include:
233
+
234
+
* ``KEY_ACE_VIEW``
235
+
236
+
This permits a key or keyring's attributes to be viewed - including the
237
+
key type and description.
238
+
239
+
* ``KEY_ACE_READ``
240
+
241
+
This permits a key's payload to be viewed or a keyring's list of linked
242
+
keys.
243
+
244
+
* ``KEY_ACE_WRITE``
245
+
246
+
This permits a key's payload to be instantiated or updated, or it allows
247
+
a link to be added to or removed from a keyring.
248
+
249
+
* ``KEY_ACE_SEARCH``
250
+
251
+
This permits keyrings to be searched and keys to be found. Searches can
252
+
only recurse into nested keyrings that have search permission set.
253
+
254
+
* ``KEY_ACE_LINK``
255
+
256
+
This permits a key or keyring to be linked to. To create a link from a
257
+
keyring to a key, a process must have Write permission on the keyring
258
+
and Link permission on the key.
259
+
260
+
* ``KEY_ACE_SET_SECURITY``
261
+
262
+
This permits a key's UID, GID and permissions mask to be changed.
263
+
264
+
* ``KEY_ACE_INVAL``
265
+
266
+
This permits a key to be invalidated with KEYCTL_INVALIDATE.
267
+
268
+
* ``KEY_ACE_REVOKE``
269
+
270
+
This permits a key to be revoked with KEYCTL_REVOKE.
271
+
272
+
* ``KEY_ACE_JOIN``
273
+
274
+
This permits a keyring to be joined as a session by
275
+
KEYCTL_JOIN_SESSION_KEYRING or KEYCTL_SESSION_TO_PARENT.
276
+
277
+
* ``KEY_ACE_CLEAR``
278
+
279
+
This permits a keyring to be cleared.
234
280
235
281
For changing the ownership, group ID or permissions mask, being the owner of
236
282
the key or having the sysadmin capability is sufficient.
283
+
284
+
The legacy KEYCTL_SETPERM and KEYCTL_DESCRIBE functions can only see/generate
285
+
View, Read, Write, Search, Link and SetAttr permits, and do this for each of
286
+
possessor, user, group and other permission sets as a 32-bit flag mask. These
287
+
will be approximated/inferred:
288
+
289
+
SETPERM Permit Implied ACE Permit
290
+
=============== =======================
291
+
Search Inval, Join
292
+
Write Revoke, Clear
293
+
Setattr Set Security, Revoke
294
+
295
+
ACE Permit Described as
296
+
=============== =======================
297
+
Inval Search
298
+
Join Search
299
+
Revoke Write (unless Setattr)
300
+
Clear write
301
+
Set Security Setattr
302
+
303
+
'Other' will be approximated as/inferred from the 'Everyone' subject.
237
304
238
305
239
306
SELinux Support
···
1151
1084
1152
1085
struct key *request_key(const struct key_type *type,
1153
1086
const char *description,
1154
-
const char *callout_info);
1087
+
const char *callout_info,
1088
+
struct key_acl *acl);
1155
1089
1156
1090
This is used to request a key or keyring with a description that matches
1157
1091
the description specified according to the key type's match_preparse()
···
1167
1099
If successful, the key will have been attached to the default keyring for
1168
1100
implicitly obtained request-key keys, as set by KEYCTL_SET_REQKEY_KEYRING.
1169
1101
1102
+
If a key is created, it will be given the specified ACL.
1103
+
1170
1104
See also Documentation/security/keys/request-key.rst.
1171
1105
1172
1106
···
1177
1107
struct key *request_key_tag(const struct key_type *type,
1178
1108
const char *description,
1179
1109
struct key_tag *domain_tag,
1180
-
const char *callout_info);
1110
+
const char *callout_info,
1111
+
struct key_acl *acl);
1181
1112
1182
1113
This is identical to request_key(), except that a domain tag may be
1183
1114
specifies that causes search algorithm to only match keys matching that
···
1193
1122
struct key_tag *domain_tag,
1194
1123
const void *callout_info,
1195
1124
size_t callout_len,
1196
-
void *aux);
1125
+
void *aux,
1126
+
struct key_acl *acl);
1197
1127
1198
1128
This is identical to request_key_tag(), except that the auxiliary data is
1199
1129
passed to the key_type->request_key() op if it exists, and the
···
1267
1195
1268
1196
struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
1269
1197
const struct cred *cred,
1270
-
key_perm_t perm,
1198
+
struct key_acl *acl,
1271
1199
struct key_restriction *restrict_link,
1272
1200
unsigned long flags,
1273
1201
struct key *dest);
+6
-3
Documentation/security/keys/request-key.rst
+6
-3
Documentation/security/keys/request-key.rst
···
11
11
12
12
struct key *request_key(const struct key_type *type,
13
13
const char *description,
14
-
const char *callout_info);
14
+
const char *callout_info,
15
+
struct key_acl *acl);
15
16
16
17
or::
17
18
18
19
struct key *request_key_tag(const struct key_type *type,
19
20
const char *description,
20
21
const struct key_tag *domain_tag,
21
-
const char *callout_info);
22
+
const char *callout_info,
23
+
struct key_acl *acl);
22
24
23
25
or::
24
26
···
29
27
const struct key_tag *domain_tag,
30
28
const char *callout_info,
31
29
size_t callout_len,
32
-
void *aux);
30
+
void *aux,
31
+
struct key_acl *acl);
33
32
34
33
or::
35
34
+2
-5
certs/blacklist.c
+2
-5
certs/blacklist.c
···
89
89
hash,
90
90
NULL,
91
91
0,
92
-
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
93
-
KEY_USR_VIEW),
92
+
&internal_key_acl,
94
93
KEY_ALLOC_NOT_IN_QUOTA |
95
94
KEY_ALLOC_BUILT_IN);
96
95
if (IS_ERR(key)) {
···
148
149
keyring_alloc(".blacklist",
149
150
KUIDT_INIT(0), KGIDT_INIT(0),
150
151
current_cred(),
151
-
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
152
-
KEY_USR_VIEW | KEY_USR_READ |
153
-
KEY_USR_SEARCH,
152
+
&internal_keyring_acl,
154
153
KEY_ALLOC_NOT_IN_QUOTA |
155
154
KEY_FLAG_KEEP,
156
155
NULL, NULL);
+3
-9
certs/system_keyring.c
+3
-9
certs/system_keyring.c
···
99
99
builtin_trusted_keys =
100
100
keyring_alloc(".builtin_trusted_keys",
101
101
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
102
-
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
103
-
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
104
-
KEY_ALLOC_NOT_IN_QUOTA,
102
+
&internal_key_acl, KEY_ALLOC_NOT_IN_QUOTA,
105
103
NULL, NULL);
106
104
if (IS_ERR(builtin_trusted_keys))
107
105
panic("Can't allocate builtin trusted keyring\n");
···
108
110
secondary_trusted_keys =
109
111
keyring_alloc(".secondary_trusted_keys",
110
112
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
111
-
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
112
-
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |
113
-
KEY_USR_WRITE),
114
-
KEY_ALLOC_NOT_IN_QUOTA,
113
+
&internal_writable_keyring_acl, KEY_ALLOC_NOT_IN_QUOTA,
115
114
get_builtin_and_secondary_restriction(),
116
115
NULL);
117
116
if (IS_ERR(secondary_trusted_keys))
···
158
163
NULL,
159
164
p,
160
165
plen,
161
-
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
162
-
KEY_USR_VIEW | KEY_USR_READ),
166
+
&internal_key_acl,
163
167
KEY_ALLOC_NOT_IN_QUOTA |
164
168
KEY_ALLOC_BUILT_IN |
165
169
KEY_ALLOC_BYPASS_RESTRICTION);
+1
-1
drivers/md/dm-crypt.c
+1
-1
drivers/md/dm-crypt.c
+1
-1
drivers/nvdimm/security.c
+1
-1
drivers/nvdimm/security.c
···
55
55
struct device *dev = &nvdimm->dev;
56
56
57
57
sprintf(desc, "%s%s", NVDIMM_PREFIX, nvdimm->dimm_id);
58
-
key = request_key(&key_type_encrypted, desc, "");
58
+
key = request_key(&key_type_encrypted, desc, "", NULL);
59
59
if (IS_ERR(key)) {
60
60
if (PTR_ERR(key) == -ENOKEY)
61
61
dev_dbg(dev, "request_key() found no key\n");
+1
-1
fs/afs/security.c
+1
-1
fs/afs/security.c
+22
-3
fs/cifs/cifs_spnego.c
+22
-3
fs/cifs/cifs_spnego.c
···
32
32
#include "cifsproto.h"
33
33
static const struct cred *spnego_cred;
34
34
35
+
static struct key_acl cifs_spnego_key_acl = {
36
+
.usage = REFCOUNT_INIT(1),
37
+
.nr_ace = 2,
38
+
.possessor_viewable = true,
39
+
.aces = {
40
+
KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_SEARCH | KEY_ACE_READ),
41
+
KEY_OWNER_ACE(KEY_ACE_VIEW),
42
+
}
43
+
};
44
+
45
+
static struct key_acl cifs_spnego_keyring_acl = {
46
+
.usage = REFCOUNT_INIT(1),
47
+
.nr_ace = 2,
48
+
.aces = {
49
+
KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE),
50
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_CLEAR),
51
+
}
52
+
};
53
+
35
54
/* create a new cifs key */
36
55
static int
37
56
cifs_spnego_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
···
189
170
190
171
cifs_dbg(FYI, "key description = %s\n", description);
191
172
saved_cred = override_creds(spnego_cred);
192
-
spnego_key = request_key(&cifs_spnego_key_type, description, "");
173
+
spnego_key = request_key(&cifs_spnego_key_type, description, "",
174
+
&cifs_spnego_key_acl);
193
175
revert_creds(saved_cred);
194
176
195
177
#ifdef CONFIG_CIFS_DEBUG2
···
227
207
228
208
keyring = keyring_alloc(".cifs_spnego",
229
209
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
230
-
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
231
-
KEY_USR_VIEW | KEY_USR_READ,
210
+
&cifs_spnego_keyring_acl,
232
211
KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
233
212
if (IS_ERR(keyring)) {
234
213
ret = PTR_ERR(keyring);
+24
-4
fs/cifs/cifsacl.c
+24
-4
fs/cifs/cifsacl.c
···
33
33
#include "cifsproto.h"
34
34
#include "cifs_debug.h"
35
35
36
+
static struct key_acl cifs_idmap_key_acl = {
37
+
.usage = REFCOUNT_INIT(1),
38
+
.nr_ace = 2,
39
+
.possessor_viewable = true,
40
+
.aces = {
41
+
KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_SEARCH | KEY_ACE_READ),
42
+
KEY_OWNER_ACE(KEY_ACE_VIEW),
43
+
}
44
+
};
45
+
46
+
static struct key_acl cifs_idmap_keyring_acl = {
47
+
.usage = REFCOUNT_INIT(1),
48
+
.nr_ace = 2,
49
+
.aces = {
50
+
KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE),
51
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ),
52
+
}
53
+
};
54
+
36
55
/* security id for everyone/world system group */
37
56
static const struct cifs_sid sid_everyone = {
38
57
1, 1, {0, 0, 0, 0, 0, 1}, {0} };
···
317
298
318
299
rc = 0;
319
300
saved_cred = override_creds(root_cred);
320
-
sidkey = request_key(&cifs_idmap_key_type, desc, "");
301
+
sidkey = request_key(&cifs_idmap_key_type, desc, "",
302
+
&cifs_idmap_key_acl);
321
303
if (IS_ERR(sidkey)) {
322
304
rc = -EINVAL;
323
305
cifs_dbg(FYI, "%s: Can't map %cid %u to a SID\n",
···
423
403
return -ENOMEM;
424
404
425
405
saved_cred = override_creds(root_cred);
426
-
sidkey = request_key(&cifs_idmap_key_type, sidstr, "");
406
+
sidkey = request_key(&cifs_idmap_key_type, sidstr, "",
407
+
&cifs_idmap_key_acl);
427
408
if (IS_ERR(sidkey)) {
428
409
rc = -EINVAL;
429
410
cifs_dbg(FYI, "%s: Can't map SID %s to a %cid\n",
···
502
481
503
482
keyring = keyring_alloc(".cifs_idmap",
504
483
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
505
-
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
506
-
KEY_USR_VIEW | KEY_USR_READ,
484
+
&cifs_idmap_keyring_acl,
507
485
KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
508
486
if (IS_ERR(keyring)) {
509
487
ret = PTR_ERR(keyring);
+2
-2
fs/cifs/connect.c
+2
-2
fs/cifs/connect.c
···
2992
2992
}
2993
2993
2994
2994
cifs_dbg(FYI, "%s: desc=%s\n", __func__, desc);
2995
-
key = request_key(&key_type_logon, desc, "");
2995
+
key = request_key(&key_type_logon, desc, "", NULL);
2996
2996
if (IS_ERR(key)) {
2997
2997
if (!ses->domainName) {
2998
2998
cifs_dbg(FYI, "domainName is NULL\n");
···
3003
3003
/* didn't work, try to find a domain key */
3004
3004
sprintf(desc, "cifs:d:%s", ses->domainName);
3005
3005
cifs_dbg(FYI, "%s: desc=%s\n", __func__, desc);
3006
-
key = request_key(&key_type_logon, desc, "");
3006
+
key = request_key(&key_type_logon, desc, "", NULL);
3007
3007
if (IS_ERR(key)) {
3008
3008
rc = PTR_ERR(key);
3009
3009
goto out_err;
+1
-1
fs/crypto/keyinfo.c
+1
-1
fs/crypto/keyinfo.c
+1
-1
fs/ecryptfs/ecryptfs_kernel.h
+1
-1
fs/ecryptfs/ecryptfs_kernel.h
+1
-1
fs/ecryptfs/keystore.c
+1
-1
fs/ecryptfs/keystore.c
···
1610
1610
{
1611
1611
int rc = 0;
1612
1612
1613
-
(*auth_tok_key) = request_key(&key_type_user, sig, NULL);
1613
+
(*auth_tok_key) = request_key(&key_type_user, sig, NULL, NULL);
1614
1614
if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) {
1615
1615
(*auth_tok_key) = ecryptfs_get_encrypted_key(sig);
1616
1616
if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) {
+1
-1
fs/fscache/object-list.c
+1
-1
fs/fscache/object-list.c
+24
-6
fs/nfs/nfs4idmap.c
+24
-6
fs/nfs/nfs4idmap.c
···
72
72
const struct cred *cred;
73
73
};
74
74
75
+
static struct key_acl nfs_idmap_key_acl = {
76
+
.usage = REFCOUNT_INIT(1),
77
+
.nr_ace = 2,
78
+
.possessor_viewable = true,
79
+
.aces = {
80
+
KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_SEARCH | KEY_ACE_READ),
81
+
KEY_OWNER_ACE(KEY_ACE_VIEW),
82
+
}
83
+
};
84
+
85
+
static struct key_acl nfs_idmap_keyring_acl = {
86
+
.usage = REFCOUNT_INIT(1),
87
+
.nr_ace = 2,
88
+
.aces = {
89
+
KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE),
90
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ),
91
+
}
92
+
};
93
+
75
94
static struct user_namespace *idmap_userns(const struct idmap *idmap)
76
95
{
77
96
if (idmap && idmap->cred)
···
227
208
228
209
keyring = keyring_alloc(".id_resolver",
229
210
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
230
-
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
231
-
KEY_USR_VIEW | KEY_USR_READ,
211
+
&nfs_idmap_keyring_acl,
232
212
KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
233
213
if (IS_ERR(keyring)) {
234
214
ret = PTR_ERR(keyring);
···
305
287
return ERR_PTR(ret);
306
288
307
289
if (!idmap->cred || idmap->cred->user_ns == &init_user_ns)
308
-
rkey = request_key(&key_type_id_resolver, desc, "");
290
+
rkey = request_key(&key_type_id_resolver, desc, "",
291
+
&nfs_idmap_key_acl);
309
292
if (IS_ERR(rkey)) {
310
293
mutex_lock(&idmap->idmap_mutex);
311
294
rkey = request_key_with_auxdata(&key_type_id_resolver_legacy,
312
-
desc, NULL, "", 0, idmap);
295
+
desc, NULL, "", 0, idmap,
296
+
&nfs_idmap_key_acl);
313
297
mutex_unlock(&idmap->idmap_mutex);
314
298
}
315
299
if (!IS_ERR(rkey))
···
340
320
}
341
321
342
322
rcu_read_lock();
343
-
rkey->perm |= KEY_USR_VIEW;
344
-
345
323
ret = key_validate(rkey);
346
324
if (ret < 0)
347
325
goto out_up;
+1
-1
fs/ubifs/auth.c
+1
-1
fs/ubifs/auth.c
···
227
227
snprintf(hmac_name, CRYPTO_MAX_ALG_NAME, "hmac(%s)",
228
228
c->auth_hash_name);
229
229
230
-
keyring_key = request_key(&key_type_logon, c->auth_key_name, NULL);
230
+
keyring_key = request_key(&key_type_logon, c->auth_key_name, NULL, NULL);
231
231
232
232
if (IS_ERR(keyring_key)) {
233
233
ubifs_err(c, "Failed to request key: %ld",
+66
-55
include/linux/key.h
+66
-55
include/linux/key.h
···
27
27
/* key handle serial number */
28
28
typedef int32_t key_serial_t;
29
29
30
-
/* key handle permissions mask */
31
-
typedef uint32_t key_perm_t;
32
-
33
30
struct key;
34
31
struct net;
35
32
36
33
#ifdef CONFIG_KEYS
37
34
35
+
#include <linux/keyctl.h>
36
+
38
37
#undef KEY_DEBUGGING
39
-
40
-
#define KEY_POS_VIEW 0x01000000 /* possessor can view a key's attributes */
41
-
#define KEY_POS_READ 0x02000000 /* possessor can read key payload / view keyring */
42
-
#define KEY_POS_WRITE 0x04000000 /* possessor can update key payload / add link to keyring */
43
-
#define KEY_POS_SEARCH 0x08000000 /* possessor can find a key in search / search a keyring */
44
-
#define KEY_POS_LINK 0x10000000 /* possessor can create a link to a key/keyring */
45
-
#define KEY_POS_SETATTR 0x20000000 /* possessor can set key attributes */
46
-
#define KEY_POS_ALL 0x3f000000
47
-
48
-
#define KEY_USR_VIEW 0x00010000 /* user permissions... */
49
-
#define KEY_USR_READ 0x00020000
50
-
#define KEY_USR_WRITE 0x00040000
51
-
#define KEY_USR_SEARCH 0x00080000
52
-
#define KEY_USR_LINK 0x00100000
53
-
#define KEY_USR_SETATTR 0x00200000
54
-
#define KEY_USR_ALL 0x003f0000
55
-
56
-
#define KEY_GRP_VIEW 0x00000100 /* group permissions... */
57
-
#define KEY_GRP_READ 0x00000200
58
-
#define KEY_GRP_WRITE 0x00000400
59
-
#define KEY_GRP_SEARCH 0x00000800
60
-
#define KEY_GRP_LINK 0x00001000
61
-
#define KEY_GRP_SETATTR 0x00002000
62
-
#define KEY_GRP_ALL 0x00003f00
63
-
64
-
#define KEY_OTH_VIEW 0x00000001 /* third party permissions... */
65
-
#define KEY_OTH_READ 0x00000002
66
-
#define KEY_OTH_WRITE 0x00000004
67
-
#define KEY_OTH_SEARCH 0x00000008
68
-
#define KEY_OTH_LINK 0x00000010
69
-
#define KEY_OTH_SETATTR 0x00000020
70
-
#define KEY_OTH_ALL 0x0000003f
71
-
72
-
#define KEY_PERM_UNDEF 0xffffffff
73
38
74
39
struct seq_file;
75
40
struct user_struct;
···
77
112
void __rcu *rcu_data0;
78
113
void *data[4];
79
114
};
115
+
116
+
struct key_ace {
117
+
unsigned int type;
118
+
unsigned int perm;
119
+
union {
120
+
kuid_t uid;
121
+
kgid_t gid;
122
+
unsigned int subject_id;
123
+
};
124
+
};
125
+
126
+
struct key_acl {
127
+
refcount_t usage;
128
+
unsigned short nr_ace;
129
+
bool possessor_viewable;
130
+
struct rcu_head rcu;
131
+
struct key_ace aces[];
132
+
};
133
+
134
+
#define KEY_POSSESSOR_ACE(perms) { \
135
+
.type = KEY_ACE_SUBJ_STANDARD, \
136
+
.perm = perms, \
137
+
.subject_id = KEY_ACE_POSSESSOR \
138
+
}
139
+
140
+
#define KEY_OWNER_ACE(perms) { \
141
+
.type = KEY_ACE_SUBJ_STANDARD, \
142
+
.perm = perms, \
143
+
.subject_id = KEY_ACE_OWNER \
144
+
}
80
145
81
146
/*****************************************************************************/
82
147
/*
···
174
179
struct rw_semaphore sem; /* change vs change sem */
175
180
struct key_user *user; /* owner of this key */
176
181
void *security; /* security data for this key */
182
+
struct key_acl __rcu *acl;
177
183
union {
178
184
time64_t expiry; /* time at which key expires (or 0) */
179
185
time64_t revoked_at; /* time at which key was revoked */
···
182
186
time64_t last_used_at; /* last time used for LRU keyring discard */
183
187
kuid_t uid;
184
188
kgid_t gid;
185
-
key_perm_t perm; /* access permissions */
186
189
unsigned short quotalen; /* length added to quota */
187
190
unsigned short datalen; /* payload data length
188
191
* - may not match RCU dereferenced payload
···
205
210
#define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */
206
211
#define KEY_FLAG_KEEP 8 /* set if key should not be removed */
207
212
#define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */
213
+
#define KEY_FLAG_HAS_ACL 10 /* Set if KEYCTL_SETACL called on key */
208
214
209
215
/* the key type and key description string
210
216
* - the desc is used to match a key against search criteria
···
254
258
const char *desc,
255
259
kuid_t uid, kgid_t gid,
256
260
const struct cred *cred,
257
-
key_perm_t perm,
261
+
struct key_acl *acl,
258
262
unsigned long flags,
259
263
struct key_restriction *restrict_link);
260
264
···
291
295
extern struct key *request_key_tag(struct key_type *type,
292
296
const char *description,
293
297
struct key_tag *domain_tag,
294
-
const char *callout_info);
298
+
const char *callout_info,
299
+
struct key_acl *acl);
295
300
296
301
extern struct key *request_key_rcu(struct key_type *type,
297
302
const char *description,
···
303
306
struct key_tag *domain_tag,
304
307
const void *callout_info,
305
308
size_t callout_len,
306
-
void *aux);
309
+
void *aux,
310
+
struct key_acl *acl);
307
311
308
312
/**
309
313
* request_key - Request a key and wait for construction
310
314
* @type: Type of key.
311
315
* @description: The searchable description of the key.
312
316
* @callout_info: The data to pass to the instantiation upcall (or NULL).
317
+
* @acl: The ACL to attach to a new key (or NULL).
313
318
*
314
319
* As for request_key_tag(), but with the default global domain tag.
315
320
*/
316
321
static inline struct key *request_key(struct key_type *type,
317
322
const char *description,
318
-
const char *callout_info)
323
+
const char *callout_info,
324
+
struct key_acl *acl)
319
325
{
320
-
return request_key_tag(type, description, NULL, callout_info);
326
+
return request_key_tag(type, description, NULL, callout_info, acl);
321
327
}
322
328
323
329
#ifdef CONFIG_NET
···
330
330
* @description: The searchable description of the key.
331
331
* @net: The network namespace that is the key's domain of operation.
332
332
* @callout_info: The data to pass to the instantiation upcall (or NULL).
333
+
* @acl: The ACL to attach to a new key (or NULL).
333
334
*
334
335
* As for request_key() except that it does not add the returned key to a
335
336
* keyring if found, new keys are always allocated in the user's quota, the
···
340
339
* Furthermore, it then works as wait_for_key_construction() to wait for the
341
340
* completion of keys undergoing construction with a non-interruptible wait.
342
341
*/
343
-
#define request_key_net(type, description, net, callout_info) \
344
-
request_key_tag(type, description, net->key_domain, callout_info);
342
+
#define request_key_net(type, description, net, callout_info, acl) \
343
+
request_key_tag(type, description, net->key_domain, callout_info, acl);
345
344
#endif /* CONFIG_NET */
346
345
347
346
extern int wait_for_key_construction(struct key *key, bool intr);
···
353
352
const char *description,
354
353
const void *payload,
355
354
size_t plen,
356
-
key_perm_t perm,
355
+
struct key_acl *acl,
357
356
unsigned long flags);
358
357
359
358
extern int key_update(key_ref_t key,
···
373
372
374
373
extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
375
374
const struct cred *cred,
376
-
key_perm_t perm,
375
+
struct key_acl *acl,
377
376
unsigned long flags,
378
377
struct key_restriction *restrict_link,
379
378
struct key *dest);
···
406
405
extern void key_set_timeout(struct key *, unsigned);
407
406
408
407
extern key_ref_t lookup_user_key(key_serial_t id, unsigned long flags,
409
-
key_perm_t perm);
408
+
u32 desired_perm);
410
409
extern void key_free_user_ns(struct user_namespace *);
411
410
412
411
/*
413
412
* The permissions required on a key that we're looking up.
414
413
*/
415
-
#define KEY_NEED_VIEW 0x01 /* Require permission to view attributes */
416
-
#define KEY_NEED_READ 0x02 /* Require permission to read content */
417
-
#define KEY_NEED_WRITE 0x04 /* Require permission to update / modify */
418
-
#define KEY_NEED_SEARCH 0x08 /* Require permission to search (keyring) or find (key) */
419
-
#define KEY_NEED_LINK 0x10 /* Require permission to link */
420
-
#define KEY_NEED_SETATTR 0x20 /* Require permission to change attributes */
421
-
#define KEY_NEED_ALL 0x3f /* All the above permissions */
414
+
#define KEY_NEED_VIEW 0x001 /* Require permission to view attributes */
415
+
#define KEY_NEED_READ 0x002 /* Require permission to read content */
416
+
#define KEY_NEED_WRITE 0x004 /* Require permission to update / modify */
417
+
#define KEY_NEED_SEARCH 0x008 /* Require permission to search (keyring) or find (key) */
418
+
#define KEY_NEED_LINK 0x010 /* Require permission to link */
419
+
#define KEY_NEED_SETSEC 0x020 /* Require permission to set owner, group, ACL */
420
+
#define KEY_NEED_INVAL 0x040 /* Require permission to invalidate key */
421
+
#define KEY_NEED_REVOKE 0x080 /* Require permission to revoke key */
422
+
#define KEY_NEED_JOIN 0x100 /* Require permission to join keyring as session */
423
+
#define KEY_NEED_CLEAR 0x200 /* Require permission to clear a keyring */
424
+
#define KEY_NEED_ALL 0x3ff
425
+
426
+
#define OLD_KEY_NEED_SETATTR 0x20 /* Used to be Require permission to change attributes */
427
+
428
+
extern struct key_acl internal_key_acl;
429
+
extern struct key_acl internal_keyring_acl;
430
+
extern struct key_acl internal_writable_keyring_acl;
422
431
423
432
static inline short key_read_state(const struct key *key)
424
433
{
+65
include/uapi/linux/keyctl.h
+65
include/uapi/linux/keyctl.h
···
15
15
16
16
#include <linux/types.h>
17
17
18
+
/*
19
+
* Keyring permission grant definitions
20
+
*/
21
+
enum key_ace_subject_type {
22
+
KEY_ACE_SUBJ_STANDARD = 0, /* subject is one of key_ace_standard_subject */
23
+
nr__key_ace_subject_type
24
+
};
25
+
26
+
enum key_ace_standard_subject {
27
+
KEY_ACE_EVERYONE = 0, /* Everyone, including owner and group */
28
+
KEY_ACE_GROUP = 1, /* The key's group */
29
+
KEY_ACE_OWNER = 2, /* The owner of the key */
30
+
KEY_ACE_POSSESSOR = 3, /* Any process that possesses of the key */
31
+
nr__key_ace_standard_subject
32
+
};
33
+
34
+
#define KEY_ACE_VIEW 0x00000001 /* Can describe the key */
35
+
#define KEY_ACE_READ 0x00000002 /* Can read the key content */
36
+
#define KEY_ACE_WRITE 0x00000004 /* Can update/modify the key content */
37
+
#define KEY_ACE_SEARCH 0x00000008 /* Can find the key by search */
38
+
#define KEY_ACE_LINK 0x00000010 /* Can make a link to the key */
39
+
#define KEY_ACE_SET_SECURITY 0x00000020 /* Can set owner, group, ACL */
40
+
#define KEY_ACE_INVAL 0x00000040 /* Can invalidate the key */
41
+
#define KEY_ACE_REVOKE 0x00000080 /* Can revoke the key */
42
+
#define KEY_ACE_JOIN 0x00000100 /* Can join keyring */
43
+
#define KEY_ACE_CLEAR 0x00000200 /* Can clear keyring */
44
+
#define KEY_ACE__PERMS 0xffffffff
45
+
46
+
/*
47
+
* Old-style permissions mask, deprecated in favour of ACL.
48
+
*/
49
+
#define KEY_POS_VIEW 0x01000000 /* possessor can view a key's attributes */
50
+
#define KEY_POS_READ 0x02000000 /* possessor can read key payload / view keyring */
51
+
#define KEY_POS_WRITE 0x04000000 /* possessor can update key payload / add link to keyring */
52
+
#define KEY_POS_SEARCH 0x08000000 /* possessor can find a key in search / search a keyring */
53
+
#define KEY_POS_LINK 0x10000000 /* possessor can create a link to a key/keyring */
54
+
#define KEY_POS_SETATTR 0x20000000 /* possessor can set key attributes */
55
+
#define KEY_POS_ALL 0x3f000000
56
+
57
+
#define KEY_USR_VIEW 0x00010000 /* user permissions... */
58
+
#define KEY_USR_READ 0x00020000
59
+
#define KEY_USR_WRITE 0x00040000
60
+
#define KEY_USR_SEARCH 0x00080000
61
+
#define KEY_USR_LINK 0x00100000
62
+
#define KEY_USR_SETATTR 0x00200000
63
+
#define KEY_USR_ALL 0x003f0000
64
+
65
+
#define KEY_GRP_VIEW 0x00000100 /* group permissions... */
66
+
#define KEY_GRP_READ 0x00000200
67
+
#define KEY_GRP_WRITE 0x00000400
68
+
#define KEY_GRP_SEARCH 0x00000800
69
+
#define KEY_GRP_LINK 0x00001000
70
+
#define KEY_GRP_SETATTR 0x00002000
71
+
#define KEY_GRP_ALL 0x00003f00
72
+
73
+
#define KEY_OTH_VIEW 0x00000001 /* third party permissions... */
74
+
#define KEY_OTH_READ 0x00000002
75
+
#define KEY_OTH_WRITE 0x00000004
76
+
#define KEY_OTH_SEARCH 0x00000008
77
+
#define KEY_OTH_LINK 0x00000010
78
+
#define KEY_OTH_SETATTR 0x00000020
79
+
#define KEY_OTH_ALL 0x0000003f
80
+
18
81
/* special process keyring shortcut IDs */
19
82
#define KEY_SPEC_THREAD_KEYRING -1 /* - key ID for thread-specific keyring */
20
83
#define KEY_SPEC_PROCESS_KEYRING -2 /* - key ID for process-specific keyring */
···
132
69
#define KEYCTL_RESTRICT_KEYRING 29 /* Restrict keys allowed to link to a keyring */
133
70
#define KEYCTL_MOVE 30 /* Move keys between keyrings */
134
71
#define KEYCTL_CAPABILITIES 31 /* Find capabilities of keyrings subsystem */
72
+
#define KEYCTL_GRANT_PERMISSION 32 /* Grant a permit to a key */
135
73
136
74
/* keyctl structures */
137
75
struct keyctl_dh_params {
···
194
130
#define KEYCTL_CAPS0_MOVE 0x80 /* KEYCTL_MOVE supported */
195
131
#define KEYCTL_CAPS1_NS_KEYRING_NAME 0x01 /* Keyring names are per-user_namespace */
196
132
#define KEYCTL_CAPS1_NS_KEY_TAG 0x02 /* Key indexing can include a namespace tag */
133
+
#define KEYCTL_CAPS1_ACL_ALTERABLE 0x04 /* Keys have internal ACL that can be altered */
197
134
198
135
#endif /* _LINUX_KEYCTL_H */
+1
-1
lib/digsig.c
+1
-1
lib/digsig.c
+1
-1
net/ceph/ceph_common.c
+1
-1
net/ceph/ceph_common.c
···
306
306
int err = 0;
307
307
struct ceph_crypto_key *ckey;
308
308
309
-
ukey = request_key(&key_type_ceph, name, NULL);
309
+
ukey = request_key(&key_type_ceph, name, NULL, NULL);
310
310
if (IS_ERR(ukey)) {
311
311
/* request_key errors don't map nicely to mount(2)
312
312
errors; don't even try, but still printk */
+10
-2
net/dns_resolver/dns_key.c
+10
-2
net/dns_resolver/dns_key.c
···
46
46
47
47
#define DNS_ERRORNO_OPTION "dnserror"
48
48
49
+
static struct key_acl dns_keyring_acl = {
50
+
.usage = REFCOUNT_INIT(1),
51
+
.nr_ace = 2,
52
+
.aces = {
53
+
KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE),
54
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_CLEAR),
55
+
}
56
+
};
57
+
49
58
/*
50
59
* Preparse instantiation data for a dns_resolver key.
51
60
*
···
352
343
353
344
keyring = keyring_alloc(".dns_resolver",
354
345
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
355
-
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
356
-
KEY_USR_VIEW | KEY_USR_READ,
346
+
&dns_keyring_acl,
357
347
KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
358
348
if (IS_ERR(keyring)) {
359
349
ret = PTR_ERR(keyring);
+12
-3
net/dns_resolver/dns_query.c
+12
-3
net/dns_resolver/dns_query.c
···
47
47
48
48
#include "internal.h"
49
49
50
+
static struct key_acl dns_key_acl = {
51
+
.usage = REFCOUNT_INIT(1),
52
+
.nr_ace = 2,
53
+
.possessor_viewable = true,
54
+
.aces = {
55
+
KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_SEARCH | KEY_ACE_READ),
56
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_INVAL),
57
+
}
58
+
};
59
+
50
60
/**
51
61
* dns_query - Query the DNS
52
62
* @net: The network namespace to operate in.
···
135
125
* add_key() to preinstall malicious redirections
136
126
*/
137
127
saved_cred = override_creds(dns_resolver_cache);
138
-
rkey = request_key_net(&key_type_dns_resolver, desc, net, options);
128
+
rkey = request_key_net(&key_type_dns_resolver, desc, net, options,
129
+
&dns_key_acl);
139
130
revert_creds(saved_cred);
140
131
kfree(desc);
141
132
if (IS_ERR(rkey)) {
···
146
135
147
136
down_read(&rkey->sem);
148
137
set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
149
-
rkey->perm |= KEY_USR_VIEW;
150
-
151
138
ret = key_validate(rkey);
152
139
if (ret < 0)
153
140
goto put;
+15
-4
net/rxrpc/key.c
+15
-4
net/rxrpc/key.c
···
23
23
#include <keys/user-type.h>
24
24
#include "ar-internal.h"
25
25
26
+
static struct key_acl rxrpc_null_key_acl = {
27
+
.usage = REFCOUNT_INIT(1),
28
+
.nr_ace = 1,
29
+
.aces = {
30
+
KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_READ),
31
+
}
32
+
};
33
+
26
34
static int rxrpc_vet_description_s(const char *);
27
35
static int rxrpc_preparse(struct key_preparsed_payload *);
28
36
static int rxrpc_preparse_s(struct key_preparsed_payload *);
···
918
910
if (IS_ERR(description))
919
911
return PTR_ERR(description);
920
912
921
-
key = request_key_net(&key_type_rxrpc, description, sock_net(&rx->sk), NULL);
913
+
key = request_key_net(&key_type_rxrpc, description, sock_net(&rx->sk),
914
+
NULL, NULL);
922
915
if (IS_ERR(key)) {
923
916
kfree(description);
924
917
_leave(" = %ld", PTR_ERR(key));
···
950
941
if (IS_ERR(description))
951
942
return PTR_ERR(description);
952
943
953
-
key = request_key_net(&key_type_keyring, description, sock_net(&rx->sk), NULL);
944
+
key = request_key_net(&key_type_keyring, description, sock_net(&rx->sk),
945
+
NULL, NULL);
954
946
if (IS_ERR(key)) {
955
947
kfree(description);
956
948
_leave(" = %ld", PTR_ERR(key));
···
984
974
_enter("");
985
975
986
976
key = key_alloc(&key_type_rxrpc, "x",
987
-
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, 0,
977
+
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
978
+
&internal_key_acl,
988
979
KEY_ALLOC_NOT_IN_QUOTA, NULL);
989
980
if (IS_ERR(key)) {
990
981
_leave(" = -ENOMEM [alloc %ld]", PTR_ERR(key));
···
1033
1022
1034
1023
key = key_alloc(&key_type_rxrpc, keyname,
1035
1024
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
1036
-
KEY_POS_SEARCH, KEY_ALLOC_NOT_IN_QUOTA, NULL);
1025
+
&rxrpc_null_key_acl, KEY_ALLOC_NOT_IN_QUOTA, NULL);
1037
1026
if (IS_ERR(key))
1038
1027
return key;
1039
1028
+2
-4
net/wireless/reg.c
+2
-4
net/wireless/reg.c
···
741
741
742
742
key = key_create_or_update(make_key_ref(builtin_regdb_keys, 1),
743
743
"asymmetric", NULL, p, plen,
744
-
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
745
-
KEY_USR_VIEW | KEY_USR_READ),
744
+
&internal_key_acl,
746
745
KEY_ALLOC_NOT_IN_QUOTA |
747
746
KEY_ALLOC_BUILT_IN |
748
747
KEY_ALLOC_BYPASS_RESTRICTION);
···
767
768
builtin_regdb_keys =
768
769
keyring_alloc(".builtin_regdb_keys",
769
770
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
770
-
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
771
-
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
771
+
&internal_keyring_acl,
772
772
KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
773
773
if (IS_ERR(builtin_regdb_keys))
774
774
return PTR_ERR(builtin_regdb_keys);
+13
-18
security/integrity/digsig.c
+13
-18
security/integrity/digsig.c
···
47
47
48
48
if (!keyring[id]) {
49
49
keyring[id] =
50
-
request_key(&key_type_keyring, keyring_name[id], NULL);
50
+
request_key(&key_type_keyring, keyring_name[id],
51
+
NULL, NULL);
51
52
if (IS_ERR(keyring[id])) {
52
53
int err = PTR_ERR(keyring[id]);
53
54
pr_err("no %s keyring: %d\n", keyring_name[id], err);
···
70
69
return -EOPNOTSUPP;
71
70
}
72
71
73
-
static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
72
+
static int __integrity_init_keyring(const unsigned int id, struct key_acl *acl,
74
73
struct key_restriction *restriction)
75
74
{
76
75
const struct cred *cred = current_cred();
77
76
int err = 0;
78
77
79
78
keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
80
-
KGIDT_INIT(0), cred, perm,
79
+
KGIDT_INIT(0), cred, acl,
81
80
KEY_ALLOC_NOT_IN_QUOTA, restriction, NULL);
82
81
if (IS_ERR(keyring[id])) {
83
82
err = PTR_ERR(keyring[id]);
···
95
94
int __init integrity_init_keyring(const unsigned int id)
96
95
{
97
96
struct key_restriction *restriction;
98
-
key_perm_t perm;
99
-
100
-
perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW
101
-
| KEY_USR_READ | KEY_USR_SEARCH;
97
+
struct key_acl *acl = &internal_keyring_acl;
102
98
103
99
if (id == INTEGRITY_KEYRING_PLATFORM) {
104
100
restriction = NULL;
···
110
112
return -ENOMEM;
111
113
112
114
restriction->check = restrict_link_to_ima;
113
-
perm |= KEY_USR_WRITE;
115
+
acl = &internal_writable_keyring_acl;
114
116
115
117
out:
116
-
return __integrity_init_keyring(id, perm, restriction);
118
+
return __integrity_init_keyring(id, acl, restriction);
117
119
}
118
120
119
-
int __init integrity_add_key(const unsigned int id, const void *data,
120
-
off_t size, key_perm_t perm)
121
+
static int __init integrity_add_key(const unsigned int id, const void *data,
122
+
off_t size, struct key_acl *acl)
121
123
{
122
124
key_ref_t key;
123
125
int rc = 0;
···
126
128
return -EINVAL;
127
129
128
130
key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric",
129
-
NULL, data, size, perm,
131
+
NULL, data, size, acl ?: &internal_key_acl,
130
132
KEY_ALLOC_NOT_IN_QUOTA);
131
133
if (IS_ERR(key)) {
132
134
rc = PTR_ERR(key);
···
146
148
void *data;
147
149
loff_t size;
148
150
int rc;
149
-
key_perm_t perm;
150
151
151
152
rc = kernel_read_file_from_path(path, &data, &size, 0,
152
153
READING_X509_CERTIFICATE);
···
154
157
return rc;
155
158
}
156
159
157
-
perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ;
158
-
159
160
pr_info("Loading X.509 certificate: %s\n", path);
160
-
rc = integrity_add_key(id, (const void *)data, size, perm);
161
+
rc = integrity_add_key(id, data, size, NULL);
161
162
162
163
vfree(data);
163
164
return rc;
164
165
}
165
166
166
167
int __init integrity_load_cert(const unsigned int id, const char *source,
167
-
const void *data, size_t len, key_perm_t perm)
168
+
const void *data, size_t len, struct key_acl *acl)
168
169
{
169
170
if (!data)
170
171
return -EINVAL;
171
172
172
173
pr_info("Loading X.509 certificate: %s\n", source);
173
-
return integrity_add_key(id, data, len, perm);
174
+
return integrity_add_key(id, data, len, acl);
174
175
}
+1
-1
security/integrity/digsig_asymmetric.c
+1
-1
security/integrity/digsig_asymmetric.c
+1
-1
security/integrity/evm/evm_crypto.c
+1
-1
security/integrity/evm/evm_crypto.c
+10
-3
security/integrity/ima/ima_mok.c
+10
-3
security/integrity/ima/ima_mok.c
···
16
16
#include <keys/system_keyring.h>
17
17
18
18
19
+
static struct key_acl integrity_blacklist_keyring_acl = {
20
+
.usage = REFCOUNT_INIT(1),
21
+
.nr_ace = 2,
22
+
.aces = {
23
+
KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE),
24
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_WRITE | KEY_ACE_SEARCH),
25
+
}
26
+
};
27
+
19
28
struct key *ima_blacklist_keyring;
20
29
21
30
/*
···
44
35
45
36
ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
46
37
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
47
-
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
48
-
KEY_USR_VIEW | KEY_USR_READ |
49
-
KEY_USR_WRITE | KEY_USR_SEARCH,
38
+
&integrity_blacklist_keyring_acl,
50
39
KEY_ALLOC_NOT_IN_QUOTA,
51
40
restriction, NULL);
52
41
+4
-2
security/integrity/integrity.h
+4
-2
security/integrity/integrity.h
···
12
12
#include <linux/key.h>
13
13
#include <linux/audit.h>
14
14
15
+
struct key_acl;
16
+
15
17
/* iint action cache flags */
16
18
#define IMA_MEASURE 0x00000001
17
19
#define IMA_MEASURED 0x00000002
···
151
149
int __init integrity_init_keyring(const unsigned int id);
152
150
int __init integrity_load_x509(const unsigned int id, const char *path);
153
151
int __init integrity_load_cert(const unsigned int id, const char *source,
154
-
const void *data, size_t len, key_perm_t perm);
152
+
const void *data, size_t len, struct key_acl *acl);
155
153
#else
156
154
157
155
static inline int integrity_digsig_verify(const unsigned int id,
···
169
167
static inline int __init integrity_load_cert(const unsigned int id,
170
168
const char *source,
171
169
const void *data, size_t len,
172
-
key_perm_t perm)
170
+
struct key_acl *acl)
173
171
{
174
172
return 0;
175
173
}
+10
-4
security/integrity/platform_certs/platform_keyring.c
+10
-4
security/integrity/platform_certs/platform_keyring.c
···
14
14
#include <linux/slab.h>
15
15
#include "../integrity.h"
16
16
17
+
static struct key_acl platform_key_acl = {
18
+
.usage = REFCOUNT_INIT(1),
19
+
.nr_ace = 2,
20
+
.aces = {
21
+
KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_READ),
22
+
KEY_OWNER_ACE(KEY_ACE_VIEW),
23
+
}
24
+
};
25
+
17
26
/**
18
27
* add_to_platform_keyring - Add to platform keyring without validation.
19
28
* @source: Source of key
···
35
26
void __init add_to_platform_keyring(const char *source, const void *data,
36
27
size_t len)
37
28
{
38
-
key_perm_t perm;
39
29
int rc;
40
30
41
-
perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
42
-
43
31
rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, data, len,
44
-
perm);
32
+
&platform_key_acl);
45
33
if (rc)
46
34
pr_info("Error adding keys to platform keyring %s\n", source);
47
35
}
+2
security/keys/compat.c
+2
security/keys/compat.c
+1
-1
security/keys/encrypted-keys/encrypted.c
+1
-1
security/keys/encrypted-keys/encrypted.c
+1
-1
security/keys/encrypted-keys/masterkey_trusted.c
+1
-1
security/keys/encrypted-keys/masterkey_trusted.c
+1
-1
security/keys/gc.c
+1
-1
security/keys/gc.c
···
151
151
152
152
key_user_put(key->user);
153
153
key_put_tag(key->domain_tag);
154
+
key_put_acl(rcu_access_pointer(key->acl));
154
155
kfree(key->description);
155
156
156
157
memzero_explicit(key, sizeof(*key));
···
221
220
if (key->type == key_gc_dead_keytype) {
222
221
gc_state |= KEY_GC_FOUND_DEAD_KEY;
223
222
set_bit(KEY_FLAG_DEAD, &key->flags);
224
-
key->perm = 0;
225
223
goto skip_dead_key;
226
224
} else if (key->type == &key_type_keyring &&
227
225
key->restrict_link) {
+14
-2
security/keys/internal.h
+14
-2
security/keys/internal.h
···
84
84
extern spinlock_t key_serial_lock;
85
85
extern struct mutex key_construction_mutex;
86
86
extern wait_queue_head_t request_key_conswq;
87
+
extern struct key_acl default_key_acl;
88
+
extern struct key_acl joinable_keyring_acl;
87
89
88
90
extern void key_set_index_key(struct keyring_index_key *index_key);
91
+
89
92
extern struct key_type *key_type_lookup(const char *type);
90
93
extern void key_type_put(struct key_type *ktype);
91
94
···
159
156
const void *callout_info,
160
157
size_t callout_len,
161
158
void *aux,
159
+
struct key_acl *acl,
162
160
struct key *dest_keyring,
163
161
unsigned long flags);
164
162
···
183
179
184
180
extern int key_task_permission(const key_ref_t key_ref,
185
181
const struct cred *cred,
186
-
key_perm_t perm);
182
+
u32 desired_perm);
183
+
extern unsigned int key_acl_to_perm(const struct key_acl *acl);
184
+
extern long key_set_acl(struct key *key, struct key_acl *acl);
185
+
extern void key_put_acl(struct key_acl *acl);
187
186
188
187
/*
189
188
* Check to see whether permission is granted to use a key in the desired way.
···
233
226
const char __user *, key_serial_t);
234
227
extern long keyctl_read_key(key_serial_t, char __user *, size_t);
235
228
extern long keyctl_chown_key(key_serial_t, uid_t, gid_t);
236
-
extern long keyctl_setperm_key(key_serial_t, key_perm_t);
229
+
extern long keyctl_setperm_key(key_serial_t, unsigned int);
237
230
extern long keyctl_instantiate_key(key_serial_t, const void __user *,
238
231
size_t, key_serial_t);
239
232
extern long keyctl_negate_key(key_serial_t, unsigned, key_serial_t);
···
337
330
#endif
338
331
339
332
extern long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen);
333
+
334
+
extern long keyctl_grant_permission(key_serial_t keyid,
335
+
enum key_ace_subject_type type,
336
+
unsigned int subject,
337
+
unsigned int perm);
340
338
341
339
/*
342
340
* Debugging key validation
+10
-19
security/keys/key.c
+10
-19
security/keys/key.c
···
195
195
* @uid: The owner of the new key.
196
196
* @gid: The group ID for the new key's group permissions.
197
197
* @cred: The credentials specifying UID namespace.
198
-
* @perm: The permissions mask of the new key.
198
+
* @acl: The ACL to attach to the new key.
199
199
* @flags: Flags specifying quota properties.
200
200
* @restrict_link: Optional link restriction for new keyrings.
201
201
*
···
223
223
*/
224
224
struct key *key_alloc(struct key_type *type, const char *desc,
225
225
kuid_t uid, kgid_t gid, const struct cred *cred,
226
-
key_perm_t perm, unsigned long flags,
226
+
struct key_acl *acl, unsigned long flags,
227
227
struct key_restriction *restrict_link)
228
228
{
229
229
struct key_user *user = NULL;
···
245
245
246
246
desclen = strlen(desc);
247
247
quotalen = desclen + 1 + type->def_datalen;
248
+
249
+
if (!acl)
250
+
acl = &default_key_acl;
248
251
249
252
/* get hold of the key tracking for this user */
250
253
user = key_user_lookup(uid);
···
295
292
key->datalen = type->def_datalen;
296
293
key->uid = uid;
297
294
key->gid = gid;
298
-
key->perm = perm;
295
+
refcount_inc(&acl->usage);
296
+
rcu_assign_pointer(key->acl, acl);
299
297
key->restrict_link = restrict_link;
300
298
key->last_used_at = ktime_get_real_seconds();
301
299
···
791
787
* @description: The searchable description for the key.
792
788
* @payload: The data to use to instantiate or update the key.
793
789
* @plen: The length of @payload.
794
-
* @perm: The permissions mask for a new key.
790
+
* @acl: The ACL to attach if a key is created.
795
791
* @flags: The quota flags for a new key.
796
792
*
797
793
* Search the destination keyring for a key of the same description and if one
···
814
810
const char *description,
815
811
const void *payload,
816
812
size_t plen,
817
-
key_perm_t perm,
813
+
struct key_acl *acl,
818
814
unsigned long flags)
819
815
{
820
816
struct keyring_index_key index_key = {
···
911
907
goto found_matching_key;
912
908
}
913
909
914
-
/* if the client doesn't provide, decide on the permissions we want */
915
-
if (perm == KEY_PERM_UNDEF) {
916
-
perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
917
-
perm |= KEY_USR_VIEW;
918
-
919
-
if (index_key.type->read)
920
-
perm |= KEY_POS_READ;
921
-
922
-
if (index_key.type == &key_type_keyring ||
923
-
index_key.type->update)
924
-
perm |= KEY_POS_WRITE;
925
-
}
926
-
927
910
/* allocate a new key */
928
911
key = key_alloc(index_key.type, index_key.description,
929
-
cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
912
+
cred->fsuid, cred->fsgid, cred, acl, flags, NULL);
930
913
if (IS_ERR(key)) {
931
914
key_ref = ERR_CAST(key);
932
915
goto error_link_end;
+72
-32
security/keys/keyctl.c
+72
-32
security/keys/keyctl.c
···
37
37
KEYCTL_CAPS0_MOVE
38
38
),
39
39
[1] = (KEYCTL_CAPS1_NS_KEYRING_NAME |
40
-
KEYCTL_CAPS1_NS_KEY_TAG),
40
+
KEYCTL_CAPS1_NS_KEY_TAG |
41
+
KEYCTL_CAPS1_ACL_ALTERABLE),
41
42
};
42
43
43
44
static int key_get_type_from_user(char *type,
···
131
130
/* create or update the requested key and add it to the target
132
131
* keyring */
133
132
key_ref = key_create_or_update(keyring_ref, type, description,
134
-
payload, plen, KEY_PERM_UNDEF,
135
-
KEY_ALLOC_IN_QUOTA);
133
+
payload, plen, NULL, KEY_ALLOC_IN_QUOTA);
136
134
if (!IS_ERR(key_ref)) {
137
135
ret = key_ref_to_ptr(key_ref)->serial;
138
136
key_ref_put(key_ref);
···
221
221
222
222
/* do the search */
223
223
key = request_key_and_link(ktype, description, NULL, callout_info,
224
-
callout_len, NULL, key_ref_to_ptr(dest_ref),
224
+
callout_len, NULL, NULL,
225
+
key_ref_to_ptr(dest_ref),
225
226
KEY_ALLOC_IN_QUOTA);
226
227
if (IS_ERR(key)) {
227
228
ret = PTR_ERR(key);
···
384
383
struct key *key;
385
384
long ret;
386
385
387
-
key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE);
386
+
key_ref = lookup_user_key(id, 0, KEY_NEED_REVOKE);
388
387
if (IS_ERR(key_ref)) {
389
388
ret = PTR_ERR(key_ref);
390
-
if (ret != -EACCES)
391
-
goto error;
392
-
key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR);
393
-
if (IS_ERR(key_ref)) {
394
-
ret = PTR_ERR(key_ref);
395
-
goto error;
396
-
}
389
+
goto error;
397
390
}
398
391
399
392
key = key_ref_to_ptr(key_ref);
···
421
426
422
427
kenter("%d", id);
423
428
424
-
key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
429
+
key_ref = lookup_user_key(id, 0, KEY_NEED_INVAL);
425
430
if (IS_ERR(key_ref)) {
426
431
ret = PTR_ERR(key_ref);
427
432
···
466
471
struct key *keyring;
467
472
long ret;
468
473
469
-
keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
474
+
keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_CLEAR);
470
475
if (IS_ERR(keyring_ref)) {
471
476
ret = PTR_ERR(keyring_ref);
472
477
···
641
646
size_t buflen)
642
647
{
643
648
struct key *key, *instkey;
649
+
unsigned int perm;
644
650
key_ref_t key_ref;
645
651
char *infobuf;
646
652
long ret;
···
671
675
key = key_ref_to_ptr(key_ref);
672
676
desclen = strlen(key->description);
673
677
678
+
rcu_read_lock();
679
+
perm = key_acl_to_perm(rcu_dereference(key->acl));
680
+
rcu_read_unlock();
681
+
674
682
/* calculate how much information we're going to return */
675
683
ret = -ENOMEM;
676
684
infobuf = kasprintf(GFP_KERNEL,
···
682
682
key->type->name,
683
683
from_kuid_munged(current_user_ns(), key->uid),
684
684
from_kgid_munged(current_user_ns(), key->gid),
685
-
key->perm);
685
+
perm);
686
686
if (!infobuf)
687
687
goto error2;
688
688
infolen = strlen(infobuf);
···
899
899
goto error;
900
900
901
901
key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
902
-
KEY_NEED_SETATTR);
902
+
KEY_NEED_SETSEC);
903
903
if (IS_ERR(key_ref)) {
904
904
ret = PTR_ERR(key_ref);
905
905
goto error;
···
994
994
* the key need not be fully instantiated yet. If the caller does not have
995
995
* sysadmin capability, it may only change the permission on keys that it owns.
996
996
*/
997
-
long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
997
+
long keyctl_setperm_key(key_serial_t id, unsigned int perm)
998
998
{
999
+
struct key_acl *acl;
999
1000
struct key *key;
1000
1001
key_ref_t key_ref;
1001
1002
long ret;
1003
+
int nr, i, j;
1002
1004
1003
-
ret = -EINVAL;
1004
1005
if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
1005
-
goto error;
1006
+
return -EINVAL;
1007
+
1008
+
nr = 0;
1009
+
if (perm & KEY_POS_ALL) nr++;
1010
+
if (perm & KEY_USR_ALL) nr++;
1011
+
if (perm & KEY_GRP_ALL) nr++;
1012
+
if (perm & KEY_OTH_ALL) nr++;
1006
1013
1007
1014
key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
1008
-
KEY_NEED_SETATTR);
1015
+
KEY_NEED_SETSEC);
1009
1016
if (IS_ERR(key_ref)) {
1010
1017
ret = PTR_ERR(key_ref);
1011
1018
goto error;
···
1020
1013
1021
1014
key = key_ref_to_ptr(key_ref);
1022
1015
1023
-
/* make the changes with the locks held to prevent chown/chmod races */
1024
-
ret = -EACCES;
1025
-
down_write(&key->sem);
1016
+
ret = -EOPNOTSUPP;
1017
+
if (test_bit(KEY_FLAG_HAS_ACL, &key->flags))
1018
+
goto error_key;
1026
1019
1027
-
/* if we're not the sysadmin, we can only change a key that we own */
1028
-
if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) {
1029
-
key->perm = perm;
1030
-
ret = 0;
1020
+
ret = -ENOMEM;
1021
+
acl = kzalloc(struct_size(acl, aces, nr), GFP_KERNEL);
1022
+
if (!acl)
1023
+
goto error_key;
1024
+
1025
+
refcount_set(&acl->usage, 1);
1026
+
acl->nr_ace = nr;
1027
+
j = 0;
1028
+
for (i = 0; i < 4; i++) {
1029
+
struct key_ace *ace = &acl->aces[j];
1030
+
unsigned int subset = (perm >> (i * 8)) & KEY_OTH_ALL;
1031
+
1032
+
if (!subset)
1033
+
continue;
1034
+
ace->type = KEY_ACE_SUBJ_STANDARD;
1035
+
ace->subject_id = KEY_ACE_EVERYONE + i;
1036
+
ace->perm = subset;
1037
+
if (subset & (KEY_OTH_WRITE | KEY_OTH_SETATTR))
1038
+
ace->perm |= KEY_ACE_REVOKE;
1039
+
if (subset & KEY_OTH_SEARCH)
1040
+
ace->perm |= KEY_ACE_INVAL;
1041
+
if (key->type == &key_type_keyring) {
1042
+
if (subset & KEY_OTH_SEARCH)
1043
+
ace->perm |= KEY_ACE_JOIN;
1044
+
if (subset & KEY_OTH_WRITE)
1045
+
ace->perm |= KEY_ACE_CLEAR;
1046
+
}
1047
+
j++;
1031
1048
}
1032
1049
1050
+
/* make the changes with the locks held to prevent chown/chmod races */
1051
+
down_write(&key->sem);
1052
+
ret = key_set_acl(key, acl);
1033
1053
up_write(&key->sem);
1054
+
error_key:
1034
1055
key_put(key);
1035
1056
error:
1036
1057
return ret;
···
1423
1388
long ret;
1424
1389
1425
1390
key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
1426
-
KEY_NEED_SETATTR);
1391
+
KEY_NEED_SETSEC);
1427
1392
if (IS_ERR(key_ref)) {
1428
1393
/* setting the timeout on a key under construction is permitted
1429
1394
* if we have the authorisation token handy */
···
1574
1539
* Attempt to install the calling process's session keyring on the process's
1575
1540
* parent process.
1576
1541
*
1577
-
* The keyring must exist and must grant the caller LINK permission, and the
1542
+
* The keyring must exist and must grant the caller JOIN permission, and the
1578
1543
* parent process must be single-threaded and must have the same effective
1579
1544
* ownership as this process and mustn't be SUID/SGID.
1580
1545
*
···
1591
1556
struct cred *cred;
1592
1557
int ret;
1593
1558
1594
-
keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK);
1559
+
keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_JOIN);
1595
1560
if (IS_ERR(keyring_r))
1596
1561
return PTR_ERR(keyring_r);
1597
1562
···
1693
1658
char *restriction = NULL;
1694
1659
long ret;
1695
1660
1696
-
key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR);
1661
+
key_ref = lookup_user_key(id, 0, KEY_NEED_SETSEC);
1697
1662
if (IS_ERR(key_ref))
1698
1663
return PTR_ERR(key_ref);
1699
1664
···
1799
1764
1800
1765
case KEYCTL_SETPERM:
1801
1766
return keyctl_setperm_key((key_serial_t) arg2,
1802
-
(key_perm_t) arg3);
1767
+
(unsigned int)arg3);
1803
1768
1804
1769
case KEYCTL_INSTANTIATE:
1805
1770
return keyctl_instantiate_key((key_serial_t) arg2,
···
1888
1853
(key_serial_t)arg3,
1889
1854
(key_serial_t)arg4,
1890
1855
(unsigned int)arg5);
1856
+
case KEYCTL_GRANT_PERMISSION:
1857
+
return keyctl_grant_permission((key_serial_t)arg2,
1858
+
(enum key_ace_subject_type)arg3,
1859
+
(unsigned int)arg4,
1860
+
(unsigned int)arg5);
1891
1861
1892
1862
case KEYCTL_CAPABILITIES:
1893
1863
return keyctl_capabilities((unsigned char __user *)arg2, (size_t)arg3);
+18
-9
security/keys/keyring.c
+18
-9
security/keys/keyring.c
···
515
515
return ret;
516
516
}
517
517
518
-
/*
519
-
* Allocate a keyring and link into the destination keyring.
518
+
/**
519
+
* keyring_alloc - Allocate a keyring and link into the destination
520
+
* @description: The key description to allow the key to be searched out.
521
+
* @uid: The owner of the new key.
522
+
* @gid: The group ID for the new key's group permissions.
523
+
* @cred: The credentials specifying UID namespace.
524
+
* @acl: The ACL to attach to the new key.
525
+
* @flags: Flags specifying quota properties.
526
+
* @restrict_link: Optional link restriction for new keyrings.
527
+
* @dest: Destination keyring.
520
528
*/
521
529
struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
522
-
const struct cred *cred, key_perm_t perm,
530
+
const struct cred *cred, struct key_acl *acl,
523
531
unsigned long flags,
524
532
struct key_restriction *restrict_link,
525
533
struct key *dest)
···
536
528
int ret;
537
529
538
530
keyring = key_alloc(&key_type_keyring, description,
539
-
uid, gid, cred, perm, flags, restrict_link);
531
+
uid, gid, cred, acl, flags, restrict_link);
540
532
if (!IS_ERR(keyring)) {
541
533
ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
542
534
if (ret < 0) {
···
1140
1132
/*
1141
1133
* Find a keyring with the specified name.
1142
1134
*
1143
-
* Only keyrings that have nonzero refcount, are not revoked, and are owned by a
1144
-
* user in the current user namespace are considered. If @uid_keyring is %true,
1145
-
* the keyring additionally must have been allocated as a user or user session
1146
-
* keyring; otherwise, it must grant Search permission directly to the caller.
1135
+
* Only keyrings that have nonzero refcount, are not revoked, and are owned by
1136
+
* a user in the current user namespace are considered. If @uid_keyring is
1137
+
* %true, the keyring additionally must have been allocated as a user or user
1138
+
* session keyring; otherwise, it must grant JOIN permission directly to the
1139
+
* caller (ie. not through possession).
1147
1140
*
1148
1141
* Returns a pointer to the keyring with the keyring's refcount having being
1149
1142
* incremented on success. -ENOKEY is returned if a key could not be found.
···
1178
1169
continue;
1179
1170
} else {
1180
1171
if (key_permission(make_key_ref(keyring, 0),
1181
-
KEY_NEED_SEARCH) < 0)
1172
+
KEY_NEED_JOIN) < 0)
1182
1173
continue;
1183
1174
}
1184
1175
+328
-39
security/keys/permission.c
+328
-39
security/keys/permission.c
···
7
7
8
8
#include <linux/export.h>
9
9
#include <linux/security.h>
10
+
#include <linux/user_namespace.h>
11
+
#include <linux/uaccess.h>
10
12
#include "internal.h"
13
+
14
+
struct key_acl default_key_acl = {
15
+
.usage = REFCOUNT_INIT(1),
16
+
.nr_ace = 2,
17
+
.possessor_viewable = true,
18
+
.aces = {
19
+
KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN),
20
+
KEY_OWNER_ACE(KEY_ACE_VIEW),
21
+
}
22
+
};
23
+
EXPORT_SYMBOL(default_key_acl);
24
+
25
+
struct key_acl joinable_keyring_acl = {
26
+
.usage = REFCOUNT_INIT(1),
27
+
.nr_ace = 2,
28
+
.possessor_viewable = true,
29
+
.aces = {
30
+
KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN),
31
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_LINK | KEY_ACE_JOIN),
32
+
}
33
+
};
34
+
EXPORT_SYMBOL(joinable_keyring_acl);
35
+
36
+
struct key_acl internal_key_acl = {
37
+
.usage = REFCOUNT_INIT(1),
38
+
.nr_ace = 2,
39
+
.aces = {
40
+
KEY_POSSESSOR_ACE(KEY_ACE_SEARCH),
41
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_SEARCH),
42
+
}
43
+
};
44
+
EXPORT_SYMBOL(internal_key_acl);
45
+
46
+
struct key_acl internal_keyring_acl = {
47
+
.usage = REFCOUNT_INIT(1),
48
+
.nr_ace = 2,
49
+
.aces = {
50
+
KEY_POSSESSOR_ACE(KEY_ACE_SEARCH),
51
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_SEARCH),
52
+
}
53
+
};
54
+
EXPORT_SYMBOL(internal_keyring_acl);
55
+
56
+
struct key_acl internal_writable_keyring_acl = {
57
+
.usage = REFCOUNT_INIT(1),
58
+
.nr_ace = 2,
59
+
.aces = {
60
+
KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE),
61
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_WRITE | KEY_ACE_SEARCH),
62
+
}
63
+
};
64
+
EXPORT_SYMBOL(internal_writable_keyring_acl);
11
65
12
66
/**
13
67
* key_task_permission - Check a key can be used
14
68
* @key_ref: The key to check.
15
69
* @cred: The credentials to use.
16
-
* @perm: The permissions to check for.
70
+
* @desired_perm: The permission to check for.
17
71
*
18
72
* Check to see whether permission is granted to use a key in the desired way,
19
73
* but permit the security modules to override.
···
78
24
* permissions bits or the LSM check.
79
25
*/
80
26
int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
81
-
unsigned perm)
27
+
unsigned int desired_perm)
82
28
{
83
-
struct key *key;
84
-
key_perm_t kperm;
85
-
int ret;
29
+
const struct key_acl *acl;
30
+
const struct key *key;
31
+
unsigned int allow = 0;
32
+
int i;
33
+
34
+
BUILD_BUG_ON(KEY_NEED_VIEW != KEY_ACE_VIEW ||
35
+
KEY_NEED_READ != KEY_ACE_READ ||
36
+
KEY_NEED_WRITE != KEY_ACE_WRITE ||
37
+
KEY_NEED_SEARCH != KEY_ACE_SEARCH ||
38
+
KEY_NEED_LINK != KEY_ACE_LINK ||
39
+
KEY_NEED_SETSEC != KEY_ACE_SET_SECURITY ||
40
+
KEY_NEED_INVAL != KEY_ACE_INVAL ||
41
+
KEY_NEED_REVOKE != KEY_ACE_REVOKE ||
42
+
KEY_NEED_JOIN != KEY_ACE_JOIN ||
43
+
KEY_NEED_CLEAR != KEY_ACE_CLEAR);
86
44
87
45
key = key_ref_to_ptr(key_ref);
88
46
89
-
/* use the second 8-bits of permissions for keys the caller owns */
90
-
if (uid_eq(key->uid, cred->fsuid)) {
91
-
kperm = key->perm >> 16;
92
-
goto use_these_perms;
47
+
rcu_read_lock();
48
+
49
+
acl = rcu_dereference(key->acl);
50
+
if (!acl || acl->nr_ace == 0)
51
+
goto no_access_rcu;
52
+
53
+
for (i = 0; i < acl->nr_ace; i++) {
54
+
const struct key_ace *ace = &acl->aces[i];
55
+
56
+
switch (ace->type) {
57
+
case KEY_ACE_SUBJ_STANDARD:
58
+
switch (ace->subject_id) {
59
+
case KEY_ACE_POSSESSOR:
60
+
if (is_key_possessed(key_ref))
61
+
allow |= ace->perm;
62
+
break;
63
+
case KEY_ACE_OWNER:
64
+
if (uid_eq(key->uid, cred->fsuid))
65
+
allow |= ace->perm;
66
+
break;
67
+
case KEY_ACE_GROUP:
68
+
if (gid_valid(key->gid)) {
69
+
if (gid_eq(key->gid, cred->fsgid))
70
+
allow |= ace->perm;
71
+
else if (groups_search(cred->group_info, key->gid))
72
+
allow |= ace->perm;
73
+
}
74
+
break;
75
+
case KEY_ACE_EVERYONE:
76
+
allow |= ace->perm;
77
+
break;
78
+
}
79
+
break;
80
+
}
93
81
}
94
82
95
-
/* use the third 8-bits of permissions for keys the caller has a group
96
-
* membership in common with */
97
-
if (gid_valid(key->gid) && key->perm & KEY_GRP_ALL) {
98
-
if (gid_eq(key->gid, cred->fsgid)) {
99
-
kperm = key->perm >> 8;
100
-
goto use_these_perms;
101
-
}
83
+
rcu_read_unlock();
102
84
103
-
ret = groups_search(cred->group_info, key->gid);
104
-
if (ret) {
105
-
kperm = key->perm >> 8;
106
-
goto use_these_perms;
107
-
}
108
-
}
85
+
if (!(allow & desired_perm))
86
+
goto no_access;
109
87
110
-
/* otherwise use the least-significant 8-bits */
111
-
kperm = key->perm;
88
+
return security_key_permission(key_ref, cred, desired_perm);
112
89
113
-
use_these_perms:
114
-
115
-
/* use the top 8-bits of permissions for keys the caller possesses
116
-
* - possessor permissions are additive with other permissions
117
-
*/
118
-
if (is_key_possessed(key_ref))
119
-
kperm |= key->perm >> 24;
120
-
121
-
kperm = kperm & perm & KEY_NEED_ALL;
122
-
123
-
if (kperm != perm)
124
-
return -EACCES;
125
-
126
-
/* let LSM be the final arbiter */
127
-
return security_key_permission(key_ref, cred, perm);
90
+
no_access_rcu:
91
+
rcu_read_unlock();
92
+
no_access:
93
+
return -EACCES;
128
94
}
129
95
EXPORT_SYMBOL(key_task_permission);
130
96
···
178
104
return 0;
179
105
}
180
106
EXPORT_SYMBOL(key_validate);
107
+
108
+
/*
109
+
* Roughly render an ACL to an old-style permissions mask. We cannot
110
+
* accurately render what the ACL, particularly if it has ACEs that represent
111
+
* subjects outside of { poss, user, group, other }.
112
+
*/
113
+
unsigned int key_acl_to_perm(const struct key_acl *acl)
114
+
{
115
+
unsigned int perm = 0, tperm;
116
+
int i;
117
+
118
+
BUILD_BUG_ON(KEY_OTH_VIEW != KEY_ACE_VIEW ||
119
+
KEY_OTH_READ != KEY_ACE_READ ||
120
+
KEY_OTH_WRITE != KEY_ACE_WRITE ||
121
+
KEY_OTH_SEARCH != KEY_ACE_SEARCH ||
122
+
KEY_OTH_LINK != KEY_ACE_LINK ||
123
+
KEY_OTH_SETATTR != KEY_ACE_SET_SECURITY);
124
+
125
+
if (!acl || acl->nr_ace == 0)
126
+
return 0;
127
+
128
+
for (i = 0; i < acl->nr_ace; i++) {
129
+
const struct key_ace *ace = &acl->aces[i];
130
+
131
+
switch (ace->type) {
132
+
case KEY_ACE_SUBJ_STANDARD:
133
+
tperm = ace->perm & KEY_OTH_ALL;
134
+
135
+
/* Invalidation and joining were allowed by SEARCH */
136
+
if (ace->perm & (KEY_ACE_INVAL | KEY_ACE_JOIN))
137
+
tperm |= KEY_OTH_SEARCH;
138
+
139
+
/* Revocation was allowed by either SETATTR or WRITE */
140
+
if ((ace->perm & KEY_ACE_REVOKE) && !(tperm & KEY_OTH_SETATTR))
141
+
tperm |= KEY_OTH_WRITE;
142
+
143
+
/* Clearing was allowed by WRITE */
144
+
if (ace->perm & KEY_ACE_CLEAR)
145
+
tperm |= KEY_OTH_WRITE;
146
+
147
+
switch (ace->subject_id) {
148
+
case KEY_ACE_POSSESSOR:
149
+
perm |= tperm << 24;
150
+
break;
151
+
case KEY_ACE_OWNER:
152
+
perm |= tperm << 16;
153
+
break;
154
+
case KEY_ACE_GROUP:
155
+
perm |= tperm << 8;
156
+
break;
157
+
case KEY_ACE_EVERYONE:
158
+
perm |= tperm << 0;
159
+
break;
160
+
}
161
+
}
162
+
}
163
+
164
+
return perm;
165
+
}
166
+
167
+
/*
168
+
* Destroy a key's ACL.
169
+
*/
170
+
void key_put_acl(struct key_acl *acl)
171
+
{
172
+
if (acl && refcount_dec_and_test(&acl->usage))
173
+
kfree_rcu(acl, rcu);
174
+
}
175
+
176
+
/*
177
+
* Try to set the ACL. This either attaches or discards the proposed ACL.
178
+
*/
179
+
long key_set_acl(struct key *key, struct key_acl *acl)
180
+
{
181
+
int i;
182
+
183
+
/* If we're not the sysadmin, we can only change a key that we own. */
184
+
if (!capable(CAP_SYS_ADMIN) && !uid_eq(key->uid, current_fsuid())) {
185
+
key_put_acl(acl);
186
+
return -EACCES;
187
+
}
188
+
189
+
for (i = 0; i < acl->nr_ace; i++) {
190
+
const struct key_ace *ace = &acl->aces[i];
191
+
if (ace->type == KEY_ACE_SUBJ_STANDARD &&
192
+
ace->subject_id == KEY_ACE_POSSESSOR) {
193
+
if (ace->perm & KEY_ACE_VIEW)
194
+
acl->possessor_viewable = true;
195
+
break;
196
+
}
197
+
}
198
+
199
+
rcu_swap_protected(key->acl, acl, lockdep_is_held(&key->sem));
200
+
key_put_acl(acl);
201
+
return 0;
202
+
}
203
+
204
+
/*
205
+
* Allocate a new ACL with an extra ACE slot.
206
+
*/
207
+
static struct key_acl *key_alloc_acl(const struct key_acl *old_acl, int nr, int skip)
208
+
{
209
+
struct key_acl *acl;
210
+
int nr_ace, i, j = 0;
211
+
212
+
nr_ace = old_acl->nr_ace + nr;
213
+
if (nr_ace > 16)
214
+
return ERR_PTR(-EINVAL);
215
+
216
+
acl = kzalloc(struct_size(acl, aces, nr_ace), GFP_KERNEL);
217
+
if (!acl)
218
+
return ERR_PTR(-ENOMEM);
219
+
220
+
refcount_set(&acl->usage, 1);
221
+
acl->nr_ace = nr_ace;
222
+
for (i = 0; i < old_acl->nr_ace; i++) {
223
+
if (i == skip)
224
+
continue;
225
+
acl->aces[j] = old_acl->aces[i];
226
+
j++;
227
+
}
228
+
return acl;
229
+
}
230
+
231
+
/*
232
+
* Generate the revised ACL.
233
+
*/
234
+
static long key_change_acl(struct key *key, struct key_ace *new_ace)
235
+
{
236
+
struct key_acl *acl, *old;
237
+
int i;
238
+
239
+
old = rcu_dereference_protected(key->acl, lockdep_is_held(&key->sem));
240
+
241
+
for (i = 0; i < old->nr_ace; i++)
242
+
if (old->aces[i].type == new_ace->type &&
243
+
old->aces[i].subject_id == new_ace->subject_id)
244
+
goto found_match;
245
+
246
+
if (new_ace->perm == 0)
247
+
return 0; /* No permissions to remove. Add deny record? */
248
+
249
+
acl = key_alloc_acl(old, 1, -1);
250
+
if (IS_ERR(acl))
251
+
return PTR_ERR(acl);
252
+
acl->aces[i] = *new_ace;
253
+
goto change;
254
+
255
+
found_match:
256
+
if (new_ace->perm == 0)
257
+
goto delete_ace;
258
+
if (new_ace->perm == old->aces[i].perm)
259
+
return 0;
260
+
acl = key_alloc_acl(old, 0, -1);
261
+
if (IS_ERR(acl))
262
+
return PTR_ERR(acl);
263
+
acl->aces[i].perm = new_ace->perm;
264
+
goto change;
265
+
266
+
delete_ace:
267
+
acl = key_alloc_acl(old, -1, i);
268
+
if (IS_ERR(acl))
269
+
return PTR_ERR(acl);
270
+
goto change;
271
+
272
+
change:
273
+
return key_set_acl(key, acl);
274
+
}
275
+
276
+
/*
277
+
* Add, alter or remove (if perm == 0) an ACE in a key's ACL.
278
+
*/
279
+
long keyctl_grant_permission(key_serial_t keyid,
280
+
enum key_ace_subject_type type,
281
+
unsigned int subject,
282
+
unsigned int perm)
283
+
{
284
+
struct key_ace new_ace;
285
+
struct key *key;
286
+
key_ref_t key_ref;
287
+
long ret;
288
+
289
+
new_ace.type = type;
290
+
new_ace.perm = perm;
291
+
292
+
switch (type) {
293
+
case KEY_ACE_SUBJ_STANDARD:
294
+
if (subject >= nr__key_ace_standard_subject)
295
+
return -ENOENT;
296
+
new_ace.subject_id = subject;
297
+
break;
298
+
299
+
default:
300
+
return -ENOENT;
301
+
}
302
+
303
+
key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_SETSEC);
304
+
if (IS_ERR(key_ref)) {
305
+
ret = PTR_ERR(key_ref);
306
+
goto error;
307
+
}
308
+
309
+
key = key_ref_to_ptr(key_ref);
310
+
311
+
down_write(&key->sem);
312
+
313
+
/* If we're not the sysadmin, we can only change a key that we own */
314
+
ret = -EACCES;
315
+
if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid()))
316
+
ret = key_change_acl(key, &new_ace);
317
+
up_write(&key->sem);
318
+
key_put(key);
319
+
error:
320
+
return ret;
321
+
}
+23
-4
security/keys/persistent.c
+23
-4
security/keys/persistent.c
···
12
12
13
13
unsigned persistent_keyring_expiry = 3 * 24 * 3600; /* Expire after 3 days of non-use */
14
14
15
+
static struct key_acl persistent_register_keyring_acl = {
16
+
.usage = REFCOUNT_INIT(1),
17
+
.nr_ace = 2,
18
+
.aces = {
19
+
KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE),
20
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ),
21
+
}
22
+
};
23
+
24
+
static struct key_acl persistent_keyring_acl = {
25
+
.usage = REFCOUNT_INIT(1),
26
+
.nr_ace = 2,
27
+
.possessor_viewable = true,
28
+
.aces = {
29
+
KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_WRITE |
30
+
KEY_ACE_SEARCH | KEY_ACE_LINK |
31
+
KEY_ACE_CLEAR | KEY_ACE_INVAL),
32
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ),
33
+
}
34
+
};
35
+
15
36
/*
16
37
* Create the persistent keyring register for the current user namespace.
17
38
*
···
43
22
struct key *reg = keyring_alloc(".persistent_register",
44
23
KUIDT_INIT(0), KGIDT_INIT(0),
45
24
current_cred(),
46
-
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
47
-
KEY_USR_VIEW | KEY_USR_READ),
25
+
&persistent_register_keyring_acl,
48
26
KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
49
27
if (IS_ERR(reg))
50
28
return PTR_ERR(reg);
···
76
56
77
57
persistent = keyring_alloc(index_key->description,
78
58
uid, INVALID_GID, current_cred(),
79
-
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
80
-
KEY_USR_VIEW | KEY_USR_READ),
59
+
&persistent_keyring_acl,
81
60
KEY_ALLOC_NOT_IN_QUOTA, NULL,
82
61
ns->persistent_keyring_register);
83
62
if (IS_ERR(persistent))
+13
-9
security/keys/proc.c
+13
-9
security/keys/proc.c
···
110
110
}
111
111
112
112
static void *proc_keys_start(struct seq_file *p, loff_t *_pos)
113
+
__acquires(rcu)
113
114
__acquires(key_serial_lock)
114
115
{
115
116
key_serial_t pos = *_pos;
116
117
struct key *key;
117
118
119
+
rcu_read_lock();
118
120
spin_lock(&key_serial_lock);
119
121
120
122
if (*_pos > INT_MAX)
···
146
144
147
145
static void proc_keys_stop(struct seq_file *p, void *v)
148
146
__releases(key_serial_lock)
147
+
__releases(rcu)
149
148
{
150
149
spin_unlock(&key_serial_lock);
150
+
rcu_read_unlock();
151
151
}
152
152
153
153
static int proc_keys_show(struct seq_file *m, void *v)
154
154
{
155
+
const struct key_acl *acl;
155
156
struct rb_node *_p = v;
156
157
struct key *key = rb_entry(_p, struct key, serial_node);
157
158
unsigned long flags;
···
162
157
time64_t now, expiry;
163
158
char xbuf[16];
164
159
short state;
160
+
bool check_pos;
165
161
u64 timo;
166
162
int rc;
167
163
···
176
170
KEYRING_SEARCH_RECURSE),
177
171
};
178
172
179
-
key_ref = make_key_ref(key, 0);
173
+
acl = rcu_dereference(key->acl);
174
+
check_pos = acl->possessor_viewable;
180
175
181
176
/* determine if the key is possessed by this process (a test we can
182
177
* skip if the key does not indicate the possessor can view it
183
178
*/
184
-
if (key->perm & KEY_POS_VIEW) {
185
-
rcu_read_lock();
179
+
key_ref = make_key_ref(key, 0);
180
+
if (check_pos) {
186
181
skey_ref = search_cred_keyrings_rcu(&ctx);
187
-
rcu_read_unlock();
188
182
if (!IS_ERR(skey_ref)) {
189
183
key_ref_put(skey_ref);
190
184
key_ref = make_key_ref(key, 1);
···
194
188
/* check whether the current task is allowed to view the key */
195
189
rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW);
196
190
if (rc < 0)
197
-
return 0;
191
+
goto out;
198
192
199
193
now = ktime_get_real_seconds();
200
-
201
-
rcu_read_lock();
202
194
203
195
/* come up with a suitable timeout value */
204
196
expiry = READ_ONCE(key->expiry);
···
236
232
showflag(flags, 'i', KEY_FLAG_INVALIDATED),
237
233
refcount_read(&key->usage),
238
234
xbuf,
239
-
key->perm,
235
+
key_acl_to_perm(acl),
240
236
from_kuid_munged(seq_user_ns(m), key->uid),
241
237
from_kgid_munged(seq_user_ns(m), key->gid),
242
238
key->type->name);
···
247
243
key->type->describe(key, m);
248
244
seq_putc(m, '\n');
249
245
250
-
rcu_read_unlock();
246
+
out:
251
247
return 0;
252
248
}
253
249
+64
-22
security/keys/process_keys.c
+64
-22
security/keys/process_keys.c
···
32
32
.uid = GLOBAL_ROOT_UID,
33
33
};
34
34
35
+
static struct key_acl user_reg_keyring_acl = {
36
+
.usage = REFCOUNT_INIT(1),
37
+
.possessor_viewable = true,
38
+
.nr_ace = 2,
39
+
.aces = {
40
+
KEY_POSSESSOR_ACE(KEY_ACE_WRITE | KEY_ACE_SEARCH),
41
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ),
42
+
}
43
+
};
44
+
45
+
static struct key_acl user_keyring_acl = {
46
+
.usage = REFCOUNT_INIT(1),
47
+
.possessor_viewable = true,
48
+
.nr_ace = 2,
49
+
.aces = {
50
+
KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_WRITE |
51
+
KEY_ACE_SEARCH | KEY_ACE_LINK),
52
+
KEY_OWNER_ACE(KEY_ACE__PERMS & ~(KEY_ACE_JOIN | KEY_ACE_SET_SECURITY)),
53
+
}
54
+
};
55
+
56
+
static struct key_acl session_keyring_acl = {
57
+
.usage = REFCOUNT_INIT(1),
58
+
.possessor_viewable = true,
59
+
.nr_ace = 2,
60
+
.aces = {
61
+
KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN),
62
+
KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ),
63
+
}
64
+
};
65
+
66
+
static struct key_acl thread_and_process_keyring_acl = {
67
+
.usage = REFCOUNT_INIT(1),
68
+
.possessor_viewable = true,
69
+
.nr_ace = 2,
70
+
.aces = {
71
+
KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~(KEY_ACE_JOIN | KEY_ACE_SET_SECURITY)),
72
+
KEY_OWNER_ACE(KEY_ACE_VIEW),
73
+
}
74
+
};
75
+
35
76
/*
36
77
* Get or create a user register keyring.
37
78
*/
···
92
51
if (!reg_keyring) {
93
52
reg_keyring = keyring_alloc(".user_reg",
94
53
user_ns->owner, INVALID_GID,
95
-
&init_cred,
96
-
KEY_POS_WRITE | KEY_POS_SEARCH |
97
-
KEY_USR_VIEW | KEY_USR_READ,
98
-
0,
99
-
NULL, NULL);
54
+
&init_cred, &user_reg_keyring_acl,
55
+
0, NULL, NULL);
100
56
if (!IS_ERR(reg_keyring))
101
57
smp_store_release(&user_ns->user_keyring_register,
102
58
reg_keyring);
···
115
77
const struct cred *cred = current_cred();
116
78
struct user_namespace *user_ns = current_user_ns();
117
79
struct key *reg_keyring, *uid_keyring, *session_keyring;
118
-
key_perm_t user_keyring_perm;
119
80
key_ref_t uid_keyring_r, session_keyring_r;
120
81
uid_t uid = from_kuid(user_ns, cred->user->uid);
121
82
char buf[20];
122
83
int ret;
123
-
124
-
user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
125
84
126
85
kenter("%u", uid);
127
86
···
139
104
kdebug("_uid %p", uid_keyring_r);
140
105
if (uid_keyring_r == ERR_PTR(-EAGAIN)) {
141
106
uid_keyring = keyring_alloc(buf, cred->user->uid, INVALID_GID,
142
-
cred, user_keyring_perm,
107
+
cred, &user_keyring_acl,
143
108
KEY_ALLOC_UID_KEYRING |
144
109
KEY_ALLOC_IN_QUOTA,
145
110
NULL, reg_keyring);
···
161
126
kdebug("_uid_ses %p", session_keyring_r);
162
127
if (session_keyring_r == ERR_PTR(-EAGAIN)) {
163
128
session_keyring = keyring_alloc(buf, cred->user->uid, INVALID_GID,
164
-
cred, user_keyring_perm,
129
+
cred, &user_keyring_acl,
165
130
KEY_ALLOC_UID_KEYRING |
166
131
KEY_ALLOC_IN_QUOTA,
167
132
NULL, NULL);
···
261
226
return 0;
262
227
263
228
keyring = keyring_alloc("_tid", new->uid, new->gid, new,
264
-
KEY_POS_ALL | KEY_USR_VIEW,
229
+
&thread_and_process_keyring_acl,
265
230
KEY_ALLOC_QUOTA_OVERRUN,
266
231
NULL, NULL);
267
232
if (IS_ERR(keyring))
···
308
273
return 0;
309
274
310
275
keyring = keyring_alloc("_pid", new->uid, new->gid, new,
311
-
KEY_POS_ALL | KEY_USR_VIEW,
276
+
&thread_and_process_keyring_acl,
312
277
KEY_ALLOC_QUOTA_OVERRUN,
313
278
NULL, NULL);
314
279
if (IS_ERR(keyring))
···
363
328
flags = KEY_ALLOC_IN_QUOTA;
364
329
365
330
keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred,
366
-
KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
367
-
flags, NULL, NULL);
331
+
&session_keyring_acl, flags, NULL, NULL);
368
332
if (IS_ERR(keyring))
369
333
return PTR_ERR(keyring);
370
334
} else {
···
643
609
* returned key reference.
644
610
*/
645
611
key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
646
-
key_perm_t perm)
612
+
unsigned int desired_perm)
647
613
{
648
614
struct keyring_search_context ctx = {
649
615
.match_data.cmp = lookup_user_key_possessed,
···
818
784
case -ERESTARTSYS:
819
785
goto invalid_key;
820
786
default:
821
-
if (perm)
787
+
if (desired_perm)
822
788
goto invalid_key;
823
789
case 0:
824
790
break;
825
791
}
826
-
} else if (perm) {
792
+
} else if (desired_perm) {
827
793
ret = key_validate(key);
828
794
if (ret < 0)
829
795
goto invalid_key;
···
835
801
goto invalid_key;
836
802
837
803
/* check the permissions */
838
-
ret = key_task_permission(key_ref, ctx.cred, perm);
839
-
if (ret < 0)
840
-
goto invalid_key;
804
+
if (desired_perm) {
805
+
ret = key_task_permission(key_ref, ctx.cred, desired_perm);
806
+
if (ret < 0)
807
+
goto invalid_key;
808
+
}
841
809
842
810
key->last_used_at = ktime_get_real_seconds();
843
811
···
904
868
if (PTR_ERR(keyring) == -ENOKEY) {
905
869
/* not found - try and create a new one */
906
870
keyring = keyring_alloc(
907
-
name, old->uid, old->gid, old,
908
-
KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK,
871
+
name, old->uid, old->gid, old, &joinable_keyring_acl,
909
872
KEY_ALLOC_IN_QUOTA, NULL, NULL);
910
873
if (IS_ERR(keyring)) {
911
874
ret = PTR_ERR(keyring);
912
875
goto error2;
913
876
}
877
+
goto no_perm_test;
914
878
} else if (IS_ERR(keyring)) {
915
879
ret = PTR_ERR(keyring);
916
880
goto error2;
···
919
883
goto error3;
920
884
}
921
885
886
+
ret = key_task_permission(make_key_ref(keyring, false), old,
887
+
KEY_NEED_JOIN);
888
+
if (ret < 0)
889
+
goto error3;
890
+
891
+
no_perm_test:
922
892
/* we've got a keyring - now to install it */
923
893
ret = install_session_keyring_to_cred(new, keyring);
924
894
if (ret < 0)
+16
-18
security/keys/request_key.c
+16
-18
security/keys/request_key.c
···
135
135
136
136
cred = get_current_cred();
137
137
keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred,
138
-
KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
139
-
KEY_ALLOC_QUOTA_OVERRUN, NULL, NULL);
138
+
NULL, KEY_ALLOC_QUOTA_OVERRUN, NULL, NULL);
140
139
put_cred(cred);
141
140
if (IS_ERR(keyring)) {
142
141
ret = PTR_ERR(keyring);
···
366
367
struct key *dest_keyring,
367
368
unsigned long flags,
368
369
struct key_user *user,
370
+
struct key_acl *acl,
369
371
struct key **_key)
370
372
{
371
373
struct assoc_array_edit *edit = NULL;
372
374
struct key *key;
373
-
key_perm_t perm;
374
375
key_ref_t key_ref;
375
376
int ret;
376
377
···
380
381
*_key = NULL;
381
382
mutex_lock(&user->cons_lock);
382
383
383
-
perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
384
-
perm |= KEY_USR_VIEW;
385
-
if (ctx->index_key.type->read)
386
-
perm |= KEY_POS_READ;
387
-
if (ctx->index_key.type == &key_type_keyring ||
388
-
ctx->index_key.type->update)
389
-
perm |= KEY_POS_WRITE;
390
-
391
384
key = key_alloc(ctx->index_key.type, ctx->index_key.description,
392
385
ctx->cred->fsuid, ctx->cred->fsgid, ctx->cred,
393
-
perm, flags, NULL);
386
+
acl, flags, NULL);
394
387
if (IS_ERR(key))
395
388
goto alloc_failed;
396
389
···
465
474
const char *callout_info,
466
475
size_t callout_len,
467
476
void *aux,
477
+
struct key_acl *acl,
468
478
struct key *dest_keyring,
469
479
unsigned long flags)
470
480
{
···
488
496
goto error_put_dest_keyring;
489
497
}
490
498
491
-
ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
499
+
ret = construct_alloc_key(ctx, dest_keyring, flags, user, acl, &key);
492
500
key_user_put(user);
493
501
494
502
if (ret == 0) {
···
526
534
* @callout_info: The data to pass to the instantiation upcall (or NULL).
527
535
* @callout_len: The length of callout_info.
528
536
* @aux: Auxiliary data for the upcall.
537
+
* @acl: The ACL to attach if a new key is created.
529
538
* @dest_keyring: Where to cache the key.
530
539
* @flags: Flags to key_alloc().
531
540
*
···
554
561
const void *callout_info,
555
562
size_t callout_len,
556
563
void *aux,
564
+
struct key_acl *acl,
557
565
struct key *dest_keyring,
558
566
unsigned long flags)
559
567
{
···
629
635
goto error_free;
630
636
631
637
key = construct_key_and_link(&ctx, callout_info, callout_len,
632
-
aux, dest_keyring, flags);
638
+
aux, acl, dest_keyring, flags);
633
639
}
634
640
635
641
error_free:
···
672
678
* @description: The searchable description of the key.
673
679
* @domain_tag: The domain in which the key operates.
674
680
* @callout_info: The data to pass to the instantiation upcall (or NULL).
681
+
* @acl: The ACL to attach if a new key is created.
675
682
*
676
683
* As for request_key_and_link() except that it does not add the returned key
677
684
* to a keyring if found, new keys are always allocated in the user's quota,
···
685
690
struct key *request_key_tag(struct key_type *type,
686
691
const char *description,
687
692
struct key_tag *domain_tag,
688
-
const char *callout_info)
693
+
const char *callout_info,
694
+
struct key_acl *acl)
689
695
{
690
696
struct key *key;
691
697
size_t callout_len = 0;
···
696
700
callout_len = strlen(callout_info);
697
701
key = request_key_and_link(type, description, domain_tag,
698
702
callout_info, callout_len,
699
-
NULL, NULL, KEY_ALLOC_IN_QUOTA);
703
+
NULL, acl, NULL, KEY_ALLOC_IN_QUOTA);
700
704
if (!IS_ERR(key)) {
701
705
ret = wait_for_key_construction(key, false);
702
706
if (ret < 0) {
···
716
720
* @callout_info: The data to pass to the instantiation upcall (or NULL).
717
721
* @callout_len: The length of callout_info.
718
722
* @aux: Auxiliary data for the upcall.
723
+
* @acl: The ACL to attach if a new key is created.
719
724
*
720
725
* As for request_key_and_link() except that it does not add the returned key
721
726
* to a keyring if found and new keys are always allocated in the user's quota.
···
729
732
struct key_tag *domain_tag,
730
733
const void *callout_info,
731
734
size_t callout_len,
732
-
void *aux)
735
+
void *aux,
736
+
struct key_acl *acl)
733
737
{
734
738
struct key *key;
735
739
int ret;
736
740
737
741
key = request_key_and_link(type, description, domain_tag,
738
742
callout_info, callout_len,
739
-
aux, NULL, KEY_ALLOC_IN_QUOTA);
743
+
aux, acl, NULL, KEY_ALLOC_IN_QUOTA);
740
744
if (!IS_ERR(key)) {
741
745
ret = wait_for_key_construction(key, false);
742
746
if (ret < 0) {
+13
-2
security/keys/request_key_auth.c
+13
-2
security/keys/request_key_auth.c
···
24
24
static void request_key_auth_destroy(struct key *);
25
25
static long request_key_auth_read(const struct key *, char __user *, size_t);
26
26
27
+
static struct key_acl request_key_auth_acl = {
28
+
.usage = REFCOUNT_INIT(1),
29
+
.nr_ace = 2,
30
+
.possessor_viewable = true,
31
+
.aces = {
32
+
KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_SEARCH |
33
+
KEY_ACE_LINK),
34
+
KEY_OWNER_ACE(KEY_ACE_VIEW),
35
+
}
36
+
};
37
+
27
38
/*
28
39
* The request-key authorisation key type definition.
29
40
*/
···
221
210
222
211
authkey = key_alloc(&key_type_request_key_auth, desc,
223
212
cred->fsuid, cred->fsgid, cred,
224
-
KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | KEY_POS_LINK |
225
-
KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA, NULL);
213
+
&request_key_auth_acl,
214
+
KEY_ALLOC_NOT_IN_QUOTA, NULL);
226
215
if (IS_ERR(authkey)) {
227
216
ret = PTR_ERR(authkey);
228
217
goto error_free_rka;
+15
-1
security/selinux/hooks.c
+15
-1
security/selinux/hooks.c
···
6502
6502
{
6503
6503
struct key *key;
6504
6504
struct key_security_struct *ksec;
6505
+
unsigned oldstyle_perm;
6505
6506
u32 sid;
6506
6507
6507
6508
/* if no specific permissions are requested, we skip the
···
6511
6510
if (perm == 0)
6512
6511
return 0;
6513
6512
6513
+
oldstyle_perm = perm & (KEY_NEED_VIEW | KEY_NEED_READ | KEY_NEED_WRITE |
6514
+
KEY_NEED_SEARCH | KEY_NEED_LINK);
6515
+
if (perm & KEY_NEED_SETSEC)
6516
+
oldstyle_perm |= OLD_KEY_NEED_SETATTR;
6517
+
if (perm & KEY_NEED_INVAL)
6518
+
oldstyle_perm |= KEY_NEED_SEARCH;
6519
+
if (perm & KEY_NEED_REVOKE && !(perm & OLD_KEY_NEED_SETATTR))
6520
+
oldstyle_perm |= KEY_NEED_WRITE;
6521
+
if (perm & KEY_NEED_JOIN)
6522
+
oldstyle_perm |= KEY_NEED_SEARCH;
6523
+
if (perm & KEY_NEED_CLEAR)
6524
+
oldstyle_perm |= KEY_NEED_WRITE;
6525
+
6514
6526
sid = cred_sid(cred);
6515
6527
6516
6528
key = key_ref_to_ptr(key_ref);
6517
6529
ksec = key->security;
6518
6530
6519
6531
return avc_has_perm(&selinux_state,
6520
-
sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6532
+
sid, ksec->sid, SECCLASS_KEY, oldstyle_perm, NULL);
6521
6533
}
6522
6534
6523
6535
static int selinux_key_getsecurity(struct key *key, char **_buffer)
+2
-1
security/smack/smack_lsm.c
+2
-1
security/smack/smack_lsm.c
···
4284
4284
#endif
4285
4285
if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))
4286
4286
request |= MAY_READ;
4287
-
if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
4287
+
if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETSEC |
4288
+
KEY_NEED_INVAL | KEY_NEED_REVOKE | KEY_NEED_CLEAR))
4288
4289
request |= MAY_WRITE;
4289
4290
rc = smk_access(tkp, keyp->security, request, &ad);
4290
4291
rc = smk_bu_note("key access", tkp, keyp->security, request, rc);