Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
[PATCH] Keys: Add possessor permissions to keys [try #3]
The attached patch adds extra permission grants to keys for the possessor of a
key in addition to the owner, group and other permissions bits. This makes
SUID binaries easier to support without going as far as labelling keys and key
targets using the LSM facilities.
This patch adds a second "pointer type" to key structures (struct key_ref *)
that can have the bottom bit of the address set to indicate the possession of
a key. This is propagated through searches from the keyring to the discovered
key. It has been made a separate type so that the compiler can spot attempts
to dereference a potentially incorrect pointer.
The "possession" attribute can't be attached to a key structure directly as
it's not an intrinsic property of a key.
Pointers to keys have been replaced with struct key_ref *'s wherever
possession information needs to be passed through.
This does assume that the bottom bit of the pointer will always be zero on
return from kmem_cache_alloc().
The key reference type has been made into a typedef so that at least it can be
located in the sources, even though it's basically a pointer to an undefined
type. I've also renamed the accessor functions to be more useful, and all
reference variables should now end in "_ref".
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
authored by
David Howells
and committed by
Linus Torvalds
664cceb0
5134fc15
+55
-19
Documentation/keys.txt
+55
-19
Documentation/keys.txt
···
195
======================
196
197
Keys have an owner user ID, a group access ID, and a permissions mask. The mask
198
-
has up to eight bits each for user, group and other access. Only five of each
199
-
set of eight bits are defined. These permissions granted are:
200
201
(*) View
202
···
241
type, description and permissions. The payload of the key is not available
242
this way:
243
244
-
SERIAL FLAGS USAGE EXPY PERM UID GID TYPE DESCRIPTION: SUMMARY
245
-
00000001 I----- 39 perm 1f0000 0 0 keyring _uid_ses.0: 1/4
246
-
00000002 I----- 2 perm 1f0000 0 0 keyring _uid.0: empty
247
-
00000007 I----- 1 perm 1f0000 0 0 keyring _pid.1: empty
248
-
0000018d I----- 1 perm 1f0000 0 0 keyring _pid.412: empty
249
-
000004d2 I--Q-- 1 perm 1f0000 32 -1 keyring _uid.32: 1/4
250
-
000004d3 I--Q-- 3 perm 1f0000 32 -1 keyring _uid_ses.32: empty
251
-
00000892 I--QU- 1 perm 1f0000 0 0 user metal:copper: 0
252
-
00000893 I--Q-N 1 35s 1f0000 0 0 user metal:silver: 0
253
-
00000894 I--Q-- 1 10h 1f0000 0 0 user metal:gold: 0
254
255
The flags are:
256
···
637
two different users opening the same file is left to the filesystem author to
638
solve.
639
640
When accessing a key's payload contents, certain precautions must be taken to
641
prevent access vs modification races. See the section "Notes on accessing
642
payload contents" for more information.
···
693
694
void key_put(struct key *key);
695
696
-
This can be called from interrupt context. If CONFIG_KEYS is not set then
697
the argument will not be parsed.
698
699
···
721
722
(*) If a keyring was found in the search, this can be further searched by:
723
724
-
struct key *keyring_search(struct key *keyring,
725
-
const struct key_type *type,
726
-
const char *description)
727
728
This searches the keyring tree specified for a matching key. Error ENOKEY
729
-
is returned upon failure. If successful, the returned key will need to be
730
-
released.
731
732
733
(*) To check the validity of a key, this function can be called:
···
768
key->payload.data. One of the following ways must be selected to access the
769
data:
770
771
-
(1) Unmodifyable key type.
772
773
If the key type does not have a modify method, then the key's payload can
774
be accessed without any form of locking, provided that it's known to be
···
195
======================
196
197
Keys have an owner user ID, a group access ID, and a permissions mask. The mask
198
+
has up to eight bits each for possessor, user, group and other access. Only
199
+
five of each set of eight bits are defined. These permissions granted are:
200
201
(*) View
202
···
241
type, description and permissions. The payload of the key is not available
242
this way:
243
244
+
SERIAL FLAGS USAGE EXPY PERM UID GID TYPE DESCRIPTION: SUMMARY
245
+
00000001 I----- 39 perm 1f1f0000 0 0 keyring _uid_ses.0: 1/4
246
+
00000002 I----- 2 perm 1f1f0000 0 0 keyring _uid.0: empty
247
+
00000007 I----- 1 perm 1f1f0000 0 0 keyring _pid.1: empty
248
+
0000018d I----- 1 perm 1f1f0000 0 0 keyring _pid.412: empty
249
+
000004d2 I--Q-- 1 perm 1f1f0000 32 -1 keyring _uid.32: 1/4
250
+
000004d3 I--Q-- 3 perm 1f1f0000 32 -1 keyring _uid_ses.32: empty
251
+
00000892 I--QU- 1 perm 1f000000 0 0 user metal:copper: 0
252
+
00000893 I--Q-N 1 35s 1f1f0000 0 0 user metal:silver: 0
253
+
00000894 I--Q-- 1 10h 001f0000 0 0 user metal:gold: 0
254
255
The flags are:
256
···
637
two different users opening the same file is left to the filesystem author to
638
solve.
639
640
+
Note that there are two different types of pointers to keys that may be
641
+
encountered:
642
+
643
+
(*) struct key *
644
+
645
+
This simply points to the key structure itself. Key structures will be at
646
+
least four-byte aligned.
647
+
648
+
(*) key_ref_t
649
+
650
+
This is equivalent to a struct key *, but the least significant bit is set
651
+
if the caller "possesses" the key. By "possession" it is meant that the
652
+
calling processes has a searchable link to the key from one of its
653
+
keyrings. There are three functions for dealing with these:
654
+
655
+
key_ref_t make_key_ref(const struct key *key,
656
+
unsigned long possession);
657
+
658
+
struct key *key_ref_to_ptr(const key_ref_t key_ref);
659
+
660
+
unsigned long is_key_possessed(const key_ref_t key_ref);
661
+
662
+
The first function constructs a key reference from a key pointer and
663
+
possession information (which must be 0 or 1 and not any other value).
664
+
665
+
The second function retrieves the key pointer from a reference and the
666
+
third retrieves the possession flag.
667
+
668
When accessing a key's payload contents, certain precautions must be taken to
669
prevent access vs modification races. See the section "Notes on accessing
670
payload contents" for more information.
···
665
666
void key_put(struct key *key);
667
668
+
Or:
669
+
670
+
void key_ref_put(key_ref_t key_ref);
671
+
672
+
These can be called from interrupt context. If CONFIG_KEYS is not set then
673
the argument will not be parsed.
674
675
···
689
690
(*) If a keyring was found in the search, this can be further searched by:
691
692
+
key_ref_t keyring_search(key_ref_t keyring_ref,
693
+
const struct key_type *type,
694
+
const char *description)
695
696
This searches the keyring tree specified for a matching key. Error ENOKEY
697
+
is returned upon failure (use IS_ERR/PTR_ERR to determine). If successful,
698
+
the returned key will need to be released.
699
+
700
+
The possession attribute from the keyring reference is used to control
701
+
access through the permissions mask and is propagated to the returned key
702
+
reference pointer if successful.
703
704
705
(*) To check the validity of a key, this function can be called:
···
732
key->payload.data. One of the following ways must be selected to access the
733
data:
734
735
+
(1) Unmodifiable key type.
736
737
If the key type does not have a modify method, then the key's payload can
738
be accessed without any form of locking, provided that it's known to be
+19
-9
include/linux/key-ui.h
+19
-9
include/linux/key-ui.h
···
42
/*
43
* check to see whether permission is granted to use a key in the desired way
44
*/
45
-
static inline int key_permission(const struct key *key, key_perm_t perm)
46
{
47
key_perm_t kperm;
48
49
-
if (key->uid == current->fsuid)
50
kperm = key->perm >> 16;
51
else if (key->gid != -1 &&
52
key->perm & KEY_GRP_ALL &&
···
68
* check to see whether permission is granted to use a key in at least one of
69
* the desired ways
70
*/
71
-
static inline int key_any_permission(const struct key *key, key_perm_t perm)
72
{
73
key_perm_t kperm;
74
75
-
if (key->uid == current->fsuid)
76
kperm = key->perm >> 16;
77
else if (key->gid != -1 &&
78
key->perm & KEY_GRP_ALL &&
···
100
return ret;
101
}
102
103
-
static inline int key_task_permission(const struct key *key,
104
struct task_struct *context,
105
key_perm_t perm)
106
{
107
key_perm_t kperm;
108
109
-
if (key->uid == context->fsuid) {
110
kperm = key->perm >> 16;
111
}
112
else if (key->gid != -1 &&
···
131
132
}
133
134
-
extern struct key *lookup_user_key(struct task_struct *context,
135
-
key_serial_t id, int create, int partial,
136
-
key_perm_t perm);
137
138
extern long join_session_keyring(const char *name);
139
···
42
/*
43
* check to see whether permission is granted to use a key in the desired way
44
*/
45
+
static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
46
{
47
+
struct key *key = key_ref_to_ptr(key_ref);
48
key_perm_t kperm;
49
50
+
if (is_key_possessed(key_ref))
51
+
kperm = key->perm >> 24;
52
+
else if (key->uid == current->fsuid)
53
kperm = key->perm >> 16;
54
else if (key->gid != -1 &&
55
key->perm & KEY_GRP_ALL &&
···
65
* check to see whether permission is granted to use a key in at least one of
66
* the desired ways
67
*/
68
+
static inline int key_any_permission(const key_ref_t key_ref, key_perm_t perm)
69
{
70
+
struct key *key = key_ref_to_ptr(key_ref);
71
key_perm_t kperm;
72
73
+
if (is_key_possessed(key_ref))
74
+
kperm = key->perm >> 24;
75
+
else if (key->uid == current->fsuid)
76
kperm = key->perm >> 16;
77
else if (key->gid != -1 &&
78
key->perm & KEY_GRP_ALL &&
···
94
return ret;
95
}
96
97
+
static inline int key_task_permission(const key_ref_t key_ref,
98
struct task_struct *context,
99
key_perm_t perm)
100
{
101
+
struct key *key = key_ref_to_ptr(key_ref);
102
key_perm_t kperm;
103
104
+
if (is_key_possessed(key_ref)) {
105
+
kperm = key->perm >> 24;
106
+
}
107
+
else if (key->uid == context->fsuid) {
108
kperm = key->perm >> 16;
109
}
110
else if (key->gid != -1 &&
···
121
122
}
123
124
+
extern key_ref_t lookup_user_key(struct task_struct *context,
125
+
key_serial_t id, int create, int partial,
126
+
key_perm_t perm);
127
128
extern long join_session_keyring(const char *name);
129
+63
-15
include/linux/key.h
+63
-15
include/linux/key.h
···
35
36
#undef KEY_DEBUGGING
37
38
-
#define KEY_USR_VIEW 0x00010000 /* user can view a key's attributes */
39
-
#define KEY_USR_READ 0x00020000 /* user can read key payload / view keyring */
40
-
#define KEY_USR_WRITE 0x00040000 /* user can update key payload / add link to keyring */
41
-
#define KEY_USR_SEARCH 0x00080000 /* user can find a key in search / search a keyring */
42
-
#define KEY_USR_LINK 0x00100000 /* user can create a link to a key/keyring */
43
#define KEY_USR_ALL 0x001f0000
44
45
#define KEY_GRP_VIEW 0x00000100 /* group permissions... */
···
71
struct key_owner;
72
struct keyring_list;
73
struct keyring_name;
74
75
/*****************************************************************************/
76
/*
···
254
return key;
255
}
256
257
extern struct key *request_key(struct key_type *type,
258
const char *description,
259
const char *callout_info);
260
261
extern int key_validate(struct key *key);
262
263
-
extern struct key *key_create_or_update(struct key *keyring,
264
-
const char *type,
265
-
const char *description,
266
-
const void *payload,
267
-
size_t plen,
268
-
int not_in_quota);
269
270
-
extern int key_update(struct key *key,
271
const void *payload,
272
size_t plen);
273
···
287
288
extern int keyring_clear(struct key *keyring);
289
290
-
extern struct key *keyring_search(struct key *keyring,
291
-
struct key_type *type,
292
-
const char *description);
293
294
extern int keyring_add_key(struct key *keyring,
295
struct key *key);
···
329
#define key_serial(k) 0
330
#define key_get(k) ({ NULL; })
331
#define key_put(k) do { } while(0)
332
#define alloc_uid_keyring(u) 0
333
#define switch_uid_keyring(u) do { } while(0)
334
#define __install_session_keyring(t, k) ({ NULL; })
···
35
36
#undef KEY_DEBUGGING
37
38
+
#define KEY_POS_VIEW 0x01000000 /* possessor can view a key's attributes */
39
+
#define KEY_POS_READ 0x02000000 /* possessor can read key payload / view keyring */
40
+
#define KEY_POS_WRITE 0x04000000 /* possessor can update key payload / add link to keyring */
41
+
#define KEY_POS_SEARCH 0x08000000 /* possessor can find a key in search / search a keyring */
42
+
#define KEY_POS_LINK 0x10000000 /* possessor can create a link to a key/keyring */
43
+
#define KEY_POS_ALL 0x1f000000
44
+
45
+
#define KEY_USR_VIEW 0x00010000 /* user permissions... */
46
+
#define KEY_USR_READ 0x00020000
47
+
#define KEY_USR_WRITE 0x00040000
48
+
#define KEY_USR_SEARCH 0x00080000
49
+
#define KEY_USR_LINK 0x00100000
50
#define KEY_USR_ALL 0x001f0000
51
52
#define KEY_GRP_VIEW 0x00000100 /* group permissions... */
···
64
struct key_owner;
65
struct keyring_list;
66
struct keyring_name;
67
+
68
+
/*****************************************************************************/
69
+
/*
70
+
* key reference with possession attribute handling
71
+
*
72
+
* NOTE! key_ref_t is a typedef'd pointer to a type that is not actually
73
+
* defined. This is because we abuse the bottom bit of the reference to carry a
74
+
* flag to indicate whether the calling process possesses that key in one of
75
+
* its keyrings.
76
+
*
77
+
* the key_ref_t has been made a separate type so that the compiler can reject
78
+
* attempts to dereference it without proper conversion.
79
+
*
80
+
* the three functions are used to assemble and disassemble references
81
+
*/
82
+
typedef struct __key_reference_with_attributes *key_ref_t;
83
+
84
+
static inline key_ref_t make_key_ref(const struct key *key,
85
+
unsigned long possession)
86
+
{
87
+
return (key_ref_t) ((unsigned long) key | possession);
88
+
}
89
+
90
+
static inline struct key *key_ref_to_ptr(const key_ref_t key_ref)
91
+
{
92
+
return (struct key *) ((unsigned long) key_ref & ~1UL);
93
+
}
94
+
95
+
static inline unsigned long is_key_possessed(const key_ref_t key_ref)
96
+
{
97
+
return (unsigned long) key_ref & 1UL;
98
+
}
99
100
/*****************************************************************************/
101
/*
···
215
return key;
216
}
217
218
+
static inline void key_ref_put(key_ref_t key_ref)
219
+
{
220
+
key_put(key_ref_to_ptr(key_ref));
221
+
}
222
+
223
extern struct key *request_key(struct key_type *type,
224
const char *description,
225
const char *callout_info);
226
227
extern int key_validate(struct key *key);
228
229
+
extern key_ref_t key_create_or_update(key_ref_t keyring,
230
+
const char *type,
231
+
const char *description,
232
+
const void *payload,
233
+
size_t plen,
234
+
int not_in_quota);
235
236
+
extern int key_update(key_ref_t key,
237
const void *payload,
238
size_t plen);
239
···
243
244
extern int keyring_clear(struct key *keyring);
245
246
+
extern key_ref_t keyring_search(key_ref_t keyring,
247
+
struct key_type *type,
248
+
const char *description);
249
250
extern int keyring_add_key(struct key *keyring,
251
struct key *key);
···
285
#define key_serial(k) 0
286
#define key_get(k) ({ NULL; })
287
#define key_put(k) do { } while(0)
288
+
#define key_ref_put(k) do { } while(0)
289
+
#define make_key_ref(k) ({ NULL; })
290
+
#define key_ref_to_ptr(k) ({ NULL; })
291
+
#define is_key_possessed(k) 0
292
#define alloc_uid_keyring(u) 0
293
#define switch_uid_keyring(u) do { } while(0)
294
#define __install_session_keyring(t, k) ({ NULL; })
+13
-13
security/keys/internal.h
+13
-13
security/keys/internal.h
···
71
72
extern int __key_link(struct key *keyring, struct key *key);
73
74
-
extern struct key *__keyring_search_one(struct key *keyring,
75
-
const struct key_type *type,
76
-
const char *description,
77
-
key_perm_t perm);
78
79
extern struct key *keyring_search_instkey(struct key *keyring,
80
key_serial_t target_id);
81
82
typedef int (*key_match_func_t)(const struct key *, const void *);
83
84
-
extern struct key *keyring_search_aux(struct key *keyring,
85
-
struct task_struct *tsk,
86
-
struct key_type *type,
87
-
const void *description,
88
-
key_match_func_t match);
89
90
-
extern struct key *search_process_keyrings(struct key_type *type,
91
-
const void *description,
92
-
key_match_func_t match,
93
-
struct task_struct *tsk);
94
95
extern struct key *find_keyring_by_name(const char *name, key_serial_t bound);
96
···
71
72
extern int __key_link(struct key *keyring, struct key *key);
73
74
+
extern key_ref_t __keyring_search_one(key_ref_t keyring_ref,
75
+
const struct key_type *type,
76
+
const char *description,
77
+
key_perm_t perm);
78
79
extern struct key *keyring_search_instkey(struct key *keyring,
80
key_serial_t target_id);
81
82
typedef int (*key_match_func_t)(const struct key *, const void *);
83
84
+
extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
85
+
struct task_struct *tsk,
86
+
struct key_type *type,
87
+
const void *description,
88
+
key_match_func_t match);
89
90
+
extern key_ref_t search_process_keyrings(struct key_type *type,
91
+
const void *description,
92
+
key_match_func_t match,
93
+
struct task_struct *tsk);
94
95
extern struct key *find_keyring_by_name(const char *name, key_serial_t bound);
96
+45
-36
security/keys/key.c
+45
-36
security/keys/key.c
···
693
* - the key has an incremented refcount
694
* - we need to put the key if we get an error
695
*/
696
-
static inline struct key *__key_update(struct key *key, const void *payload,
697
-
size_t plen)
698
{
699
int ret;
700
701
/* need write permission on the key to update it */
702
ret = -EACCES;
703
-
if (!key_permission(key, KEY_WRITE))
704
goto error;
705
706
ret = -EEXIST;
···
720
721
if (ret < 0)
722
goto error;
723
-
out:
724
-
return key;
725
726
-
error:
727
key_put(key);
728
-
key = ERR_PTR(ret);
729
goto out;
730
731
} /* end __key_update() */
···
735
* search the specified keyring for a key of the same description; if one is
736
* found, update it, otherwise add a new one
737
*/
738
-
struct key *key_create_or_update(struct key *keyring,
739
-
const char *type,
740
-
const char *description,
741
-
const void *payload,
742
-
size_t plen,
743
-
int not_in_quota)
744
{
745
struct key_type *ktype;
746
-
struct key *key = NULL;
747
key_perm_t perm;
748
int ret;
749
-
750
-
key_check(keyring);
751
752
/* look up the key type to see if it's one of the registered kernel
753
* types */
754
ktype = key_type_lookup(type);
755
if (IS_ERR(ktype)) {
756
-
key = ERR_PTR(-ENODEV);
757
goto error;
758
}
759
760
-
ret = -EINVAL;
761
if (!ktype->match || !ktype->instantiate)
762
goto error_2;
763
764
/* search for an existing key of the same type and description in the
765
* destination keyring
766
*/
767
-
down_write(&keyring->sem);
768
-
769
-
key = __keyring_search_one(keyring, ktype, description, 0);
770
-
if (!IS_ERR(key))
771
goto found_matching_key;
772
773
-
/* if we're going to allocate a new key, we're going to have to modify
774
-
* the keyring */
775
-
ret = -EACCES;
776
-
if (!key_permission(keyring, KEY_WRITE))
777
-
goto error_3;
778
-
779
/* decide on the permissions we want */
780
-
perm = KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK;
781
782
if (ktype->read)
783
-
perm |= KEY_USR_READ;
784
785
if (ktype == &key_type_keyring || ktype->update)
786
perm |= KEY_USR_WRITE;
···
793
key = key_alloc(ktype, description, current->fsuid, current->fsgid,
794
perm, not_in_quota);
795
if (IS_ERR(key)) {
796
-
ret = PTR_ERR(key);
797
goto error_3;
798
}
799
···
801
ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL);
802
if (ret < 0) {
803
key_put(key);
804
-
key = ERR_PTR(ret);
805
}
806
807
error_3:
808
up_write(&keyring->sem);
809
error_2:
810
key_type_put(ktype);
811
error:
812
-
return key;
813
814
found_matching_key:
815
/* we found a matching key, so we're going to try to update it
···
821
up_write(&keyring->sem);
822
key_type_put(ktype);
823
824
-
key = __key_update(key, payload, plen);
825
goto error;
826
827
} /* end key_create_or_update() */
···
832
/*
833
* update a key
834
*/
835
-
int key_update(struct key *key, const void *payload, size_t plen)
836
{
837
int ret;
838
839
key_check(key);
840
841
/* the key must be writable */
842
ret = -EACCES;
843
-
if (!key_permission(key, KEY_WRITE))
844
goto error;
845
846
/* attempt to update it if supported */
···
693
* - the key has an incremented refcount
694
* - we need to put the key if we get an error
695
*/
696
+
static inline key_ref_t __key_update(key_ref_t key_ref,
697
+
const void *payload, size_t plen)
698
{
699
+
struct key *key = key_ref_to_ptr(key_ref);
700
int ret;
701
702
/* need write permission on the key to update it */
703
ret = -EACCES;
704
+
if (!key_permission(key_ref, KEY_WRITE))
705
goto error;
706
707
ret = -EEXIST;
···
719
720
if (ret < 0)
721
goto error;
722
+
out:
723
+
return key_ref;
724
725
+
error:
726
key_put(key);
727
+
key_ref = ERR_PTR(ret);
728
goto out;
729
730
} /* end __key_update() */
···
734
* search the specified keyring for a key of the same description; if one is
735
* found, update it, otherwise add a new one
736
*/
737
+
key_ref_t key_create_or_update(key_ref_t keyring_ref,
738
+
const char *type,
739
+
const char *description,
740
+
const void *payload,
741
+
size_t plen,
742
+
int not_in_quota)
743
{
744
struct key_type *ktype;
745
+
struct key *keyring, *key = NULL;
746
key_perm_t perm;
747
+
key_ref_t key_ref;
748
int ret;
749
750
/* look up the key type to see if it's one of the registered kernel
751
* types */
752
ktype = key_type_lookup(type);
753
if (IS_ERR(ktype)) {
754
+
key_ref = ERR_PTR(-ENODEV);
755
goto error;
756
}
757
758
+
key_ref = ERR_PTR(-EINVAL);
759
if (!ktype->match || !ktype->instantiate)
760
goto error_2;
761
+
762
+
keyring = key_ref_to_ptr(keyring_ref);
763
+
764
+
key_check(keyring);
765
+
766
+
down_write(&keyring->sem);
767
+
768
+
/* if we're going to allocate a new key, we're going to have
769
+
* to modify the keyring */
770
+
key_ref = ERR_PTR(-EACCES);
771
+
if (!key_permission(keyring_ref, KEY_WRITE))
772
+
goto error_3;
773
774
/* search for an existing key of the same type and description in the
775
* destination keyring
776
*/
777
+
key_ref = __keyring_search_one(keyring_ref, ktype, description, 0);
778
+
if (!IS_ERR(key_ref))
779
goto found_matching_key;
780
781
/* decide on the permissions we want */
782
+
perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK;
783
+
perm |= KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK;
784
785
if (ktype->read)
786
+
perm |= KEY_POS_READ | KEY_USR_READ;
787
788
if (ktype == &key_type_keyring || ktype->update)
789
perm |= KEY_USR_WRITE;
···
788
key = key_alloc(ktype, description, current->fsuid, current->fsgid,
789
perm, not_in_quota);
790
if (IS_ERR(key)) {
791
+
key_ref = ERR_PTR(PTR_ERR(key));
792
goto error_3;
793
}
794
···
796
ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL);
797
if (ret < 0) {
798
key_put(key);
799
+
key_ref = ERR_PTR(ret);
800
+
goto error_3;
801
}
802
+
803
+
key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
804
805
error_3:
806
up_write(&keyring->sem);
807
error_2:
808
key_type_put(ktype);
809
error:
810
+
return key_ref;
811
812
found_matching_key:
813
/* we found a matching key, so we're going to try to update it
···
813
up_write(&keyring->sem);
814
key_type_put(ktype);
815
816
+
key_ref = __key_update(key_ref, payload, plen);
817
goto error;
818
819
} /* end key_create_or_update() */
···
824
/*
825
* update a key
826
*/
827
+
int key_update(key_ref_t key_ref, const void *payload, size_t plen)
828
{
829
+
struct key *key = key_ref_to_ptr(key_ref);
830
int ret;
831
832
key_check(key);
833
834
/* the key must be writable */
835
ret = -EACCES;
836
+
if (!key_permission(key_ref, KEY_WRITE))
837
goto error;
838
839
/* attempt to update it if supported */
+149
-148
security/keys/keyctl.c
+149
-148
security/keys/keyctl.c
···
34
size_t plen,
35
key_serial_t ringid)
36
{
37
-
struct key *keyring, *key;
38
char type[32], *description;
39
void *payload;
40
long dlen, ret;
···
86
}
87
88
/* find the target keyring (which must be writable) */
89
-
keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
90
-
if (IS_ERR(keyring)) {
91
-
ret = PTR_ERR(keyring);
92
goto error3;
93
}
94
95
/* create or update the requested key and add it to the target
96
* keyring */
97
-
key = key_create_or_update(keyring, type, description,
98
-
payload, plen, 0);
99
-
if (!IS_ERR(key)) {
100
-
ret = key->serial;
101
-
key_put(key);
102
}
103
else {
104
-
ret = PTR_ERR(key);
105
}
106
107
-
key_put(keyring);
108
error3:
109
kfree(payload);
110
error2:
···
131
key_serial_t destringid)
132
{
133
struct key_type *ktype;
134
-
struct key *key, *dest;
135
char type[32], *description, *callout_info;
136
long dlen, ret;
137
···
188
}
189
190
/* get the destination keyring if specified */
191
-
dest = NULL;
192
if (destringid) {
193
-
dest = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE);
194
-
if (IS_ERR(dest)) {
195
-
ret = PTR_ERR(dest);
196
goto error3;
197
}
198
}
···
205
}
206
207
/* do the search */
208
-
key = request_key_and_link(ktype, description, callout_info, dest);
209
if (IS_ERR(key)) {
210
ret = PTR_ERR(key);
211
goto error5;
···
218
error5:
219
key_type_put(ktype);
220
error4:
221
-
key_put(dest);
222
error3:
223
kfree(callout_info);
224
error2:
···
236
*/
237
long keyctl_get_keyring_ID(key_serial_t id, int create)
238
{
239
-
struct key *key;
240
long ret;
241
242
-
key = lookup_user_key(NULL, id, create, 0, KEY_SEARCH);
243
-
if (IS_ERR(key)) {
244
-
ret = PTR_ERR(key);
245
goto error;
246
}
247
248
-
ret = key->serial;
249
-
key_put(key);
250
error:
251
return ret;
252
···
304
const void __user *_payload,
305
size_t plen)
306
{
307
-
struct key *key;
308
void *payload;
309
long ret;
310
···
326
}
327
328
/* find the target key (which must be writable) */
329
-
key = lookup_user_key(NULL, id, 0, 0, KEY_WRITE);
330
-
if (IS_ERR(key)) {
331
-
ret = PTR_ERR(key);
332
goto error2;
333
}
334
335
/* update the key */
336
-
ret = key_update(key, payload, plen);
337
338
-
key_put(key);
339
error2:
340
kfree(payload);
341
error:
···
351
*/
352
long keyctl_revoke_key(key_serial_t id)
353
{
354
-
struct key *key;
355
long ret;
356
357
-
key = lookup_user_key(NULL, id, 0, 0, KEY_WRITE);
358
-
if (IS_ERR(key)) {
359
-
ret = PTR_ERR(key);
360
goto error;
361
}
362
363
-
key_revoke(key);
364
ret = 0;
365
366
-
key_put(key);
367
error:
368
return ret;
369
···
377
*/
378
long keyctl_keyring_clear(key_serial_t ringid)
379
{
380
-
struct key *keyring;
381
long ret;
382
383
-
keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
384
-
if (IS_ERR(keyring)) {
385
-
ret = PTR_ERR(keyring);
386
goto error;
387
}
388
389
-
ret = keyring_clear(keyring);
390
391
-
key_put(keyring);
392
error:
393
return ret;
394
···
403
*/
404
long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
405
{
406
-
struct key *keyring, *key;
407
long ret;
408
409
-
keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
410
-
if (IS_ERR(keyring)) {
411
-
ret = PTR_ERR(keyring);
412
goto error;
413
}
414
415
-
key = lookup_user_key(NULL, id, 1, 0, KEY_LINK);
416
-
if (IS_ERR(key)) {
417
-
ret = PTR_ERR(key);
418
goto error2;
419
}
420
421
-
ret = key_link(keyring, key);
422
423
-
key_put(key);
424
error2:
425
-
key_put(keyring);
426
error:
427
return ret;
428
···
437
*/
438
long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
439
{
440
-
struct key *keyring, *key;
441
long ret;
442
443
-
keyring = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE);
444
-
if (IS_ERR(keyring)) {
445
-
ret = PTR_ERR(keyring);
446
goto error;
447
}
448
449
-
key = lookup_user_key(NULL, id, 0, 0, 0);
450
-
if (IS_ERR(key)) {
451
-
ret = PTR_ERR(key);
452
goto error2;
453
}
454
455
-
ret = key_unlink(keyring, key);
456
457
-
key_put(key);
458
error2:
459
-
key_put(keyring);
460
error:
461
return ret;
462
···
478
size_t buflen)
479
{
480
struct key *key, *instkey;
481
char *tmpbuf;
482
long ret;
483
484
-
key = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW);
485
-
if (IS_ERR(key)) {
486
/* viewing a key under construction is permitted if we have the
487
* authorisation token handy */
488
-
if (PTR_ERR(key) == -EACCES) {
489
instkey = key_get_instantiation_authkey(keyid);
490
if (!IS_ERR(instkey)) {
491
key_put(instkey);
492
-
key = lookup_user_key(NULL, keyid, 0, 1, 0);
493
-
if (!IS_ERR(key))
494
goto okay;
495
}
496
}
497
498
-
ret = PTR_ERR(key);
499
goto error;
500
}
501
···
508
if (!tmpbuf)
509
goto error2;
510
511
ret = snprintf(tmpbuf, PAGE_SIZE - 1,
512
-
"%s;%d;%d;%06x;%s",
513
-
key->type->name,
514
-
key->uid,
515
-
key->gid,
516
-
key->perm,
517
-
key->description ? key->description :""
518
);
519
520
/* include a NUL char at the end of the data */
···
537
538
kfree(tmpbuf);
539
error2:
540
-
key_put(key);
541
error:
542
return ret;
543
···
559
key_serial_t destringid)
560
{
561
struct key_type *ktype;
562
-
struct key *keyring, *key, *dest;
563
char type[32], *description;
564
long dlen, ret;
565
···
588
goto error2;
589
590
/* get the keyring at which to begin the search */
591
-
keyring = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH);
592
-
if (IS_ERR(keyring)) {
593
-
ret = PTR_ERR(keyring);
594
goto error2;
595
}
596
597
/* get the destination keyring if specified */
598
-
dest = NULL;
599
if (destringid) {
600
-
dest = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE);
601
-
if (IS_ERR(dest)) {
602
-
ret = PTR_ERR(dest);
603
goto error3;
604
}
605
}
···
612
}
613
614
/* do the search */
615
-
key = keyring_search(keyring, ktype, description);
616
-
if (IS_ERR(key)) {
617
-
ret = PTR_ERR(key);
618
619
/* treat lack or presence of a negative key the same */
620
if (ret == -EAGAIN)
···
623
}
624
625
/* link the resulting key to the destination keyring if we can */
626
-
if (dest) {
627
ret = -EACCES;
628
-
if (!key_permission(key, KEY_LINK))
629
goto error6;
630
631
-
ret = key_link(dest, key);
632
if (ret < 0)
633
goto error6;
634
}
635
636
-
ret = key->serial;
637
638
error6:
639
-
key_put(key);
640
error5:
641
key_type_put(ktype);
642
error4:
643
-
key_put(dest);
644
error3:
645
-
key_put(keyring);
646
error2:
647
kfree(description);
648
error:
649
return ret;
650
651
} /* end keyctl_keyring_search() */
652
-
653
-
/*****************************************************************************/
654
-
/*
655
-
* see if the key we're looking at is the target key
656
-
*/
657
-
static int keyctl_read_key_same(const struct key *key, const void *target)
658
-
{
659
-
return key == target;
660
-
661
-
} /* end keyctl_read_key_same() */
662
663
/*****************************************************************************/
664
/*
···
662
*/
663
long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
664
{
665
-
struct key *key, *skey;
666
long ret;
667
668
/* find the key first */
669
-
key = lookup_user_key(NULL, keyid, 0, 0, 0);
670
-
if (!IS_ERR(key)) {
671
-
/* see if we can read it directly */
672
-
if (key_permission(key, KEY_READ))
673
-
goto can_read_key;
674
675
-
/* we can't; see if it's searchable from this process's
676
-
* keyrings
677
-
* - we automatically take account of the fact that it may be
678
-
* dangling off an instantiation key
679
-
*/
680
-
skey = search_process_keyrings(key->type, key,
681
-
keyctl_read_key_same, current);
682
-
if (!IS_ERR(skey))
683
-
goto can_read_key2;
684
685
-
ret = PTR_ERR(skey);
686
-
if (ret == -EAGAIN)
687
-
ret = -EACCES;
688
goto error2;
689
}
690
691
-
ret = -ENOKEY;
692
-
goto error;
693
-
694
/* the key is probably readable - now try to read it */
695
-
can_read_key2:
696
-
key_put(skey);
697
can_read_key:
698
ret = key_validate(key);
699
if (ret == 0) {
···
719
long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
720
{
721
struct key *key;
722
long ret;
723
724
ret = 0;
725
if (uid == (uid_t) -1 && gid == (gid_t) -1)
726
goto error;
727
728
-
key = lookup_user_key(NULL, id, 1, 1, 0);
729
-
if (IS_ERR(key)) {
730
-
ret = PTR_ERR(key);
731
goto error;
732
}
733
734
/* make the changes with the locks held to prevent chown/chown races */
735
ret = -EACCES;
···
779
long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
780
{
781
struct key *key;
782
long ret;
783
784
ret = -EINVAL;
785
-
if (perm & ~(KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
786
goto error;
787
788
-
key = lookup_user_key(NULL, id, 1, 1, 0);
789
-
if (IS_ERR(key)) {
790
-
ret = PTR_ERR(key);
791
goto error;
792
}
793
794
/* make the changes with the locks held to prevent chown/chmod races */
795
ret = -EACCES;
···
822
key_serial_t ringid)
823
{
824
struct request_key_auth *rka;
825
-
struct key *instkey, *keyring;
826
void *payload;
827
long ret;
828
···
856
857
/* find the destination keyring amongst those belonging to the
858
* requesting task */
859
-
keyring = NULL;
860
if (ringid) {
861
-
keyring = lookup_user_key(rka->context, ringid, 1, 0,
862
-
KEY_WRITE);
863
-
if (IS_ERR(keyring)) {
864
-
ret = PTR_ERR(keyring);
865
goto error3;
866
}
867
}
868
869
/* instantiate the key and link it into a keyring */
870
ret = key_instantiate_and_link(rka->target_key, payload, plen,
871
-
keyring, instkey);
872
873
-
key_put(keyring);
874
error3:
875
key_put(instkey);
876
error2:
···
888
long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
889
{
890
struct request_key_auth *rka;
891
-
struct key *instkey, *keyring;
892
long ret;
893
894
/* find the instantiation authorisation key */
···
903
904
/* find the destination keyring if present (which must also be
905
* writable) */
906
-
keyring = NULL;
907
if (ringid) {
908
-
keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
909
-
if (IS_ERR(keyring)) {
910
-
ret = PTR_ERR(keyring);
911
goto error2;
912
}
913
}
914
915
/* instantiate the key and link it into a keyring */
916
-
ret = key_negate_and_link(rka->target_key, timeout, keyring, instkey);
917
918
-
key_put(keyring);
919
error2:
920
key_put(instkey);
921
error:
···
34
size_t plen,
35
key_serial_t ringid)
36
{
37
+
key_ref_t keyring_ref, key_ref;
38
char type[32], *description;
39
void *payload;
40
long dlen, ret;
···
86
}
87
88
/* find the target keyring (which must be writable) */
89
+
keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
90
+
if (IS_ERR(keyring_ref)) {
91
+
ret = PTR_ERR(keyring_ref);
92
goto error3;
93
}
94
95
/* create or update the requested key and add it to the target
96
* keyring */
97
+
key_ref = key_create_or_update(keyring_ref, type, description,
98
+
payload, plen, 0);
99
+
if (!IS_ERR(key_ref)) {
100
+
ret = key_ref_to_ptr(key_ref)->serial;
101
+
key_ref_put(key_ref);
102
}
103
else {
104
+
ret = PTR_ERR(key_ref);
105
}
106
107
+
key_ref_put(keyring_ref);
108
error3:
109
kfree(payload);
110
error2:
···
131
key_serial_t destringid)
132
{
133
struct key_type *ktype;
134
+
struct key *key;
135
+
key_ref_t dest_ref;
136
char type[32], *description, *callout_info;
137
long dlen, ret;
138
···
187
}
188
189
/* get the destination keyring if specified */
190
+
dest_ref = NULL;
191
if (destringid) {
192
+
dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE);
193
+
if (IS_ERR(dest_ref)) {
194
+
ret = PTR_ERR(dest_ref);
195
goto error3;
196
}
197
}
···
204
}
205
206
/* do the search */
207
+
key = request_key_and_link(ktype, description, callout_info,
208
+
key_ref_to_ptr(dest_ref));
209
if (IS_ERR(key)) {
210
ret = PTR_ERR(key);
211
goto error5;
···
216
error5:
217
key_type_put(ktype);
218
error4:
219
+
key_ref_put(dest_ref);
220
error3:
221
kfree(callout_info);
222
error2:
···
234
*/
235
long keyctl_get_keyring_ID(key_serial_t id, int create)
236
{
237
+
key_ref_t key_ref;
238
long ret;
239
240
+
key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH);
241
+
if (IS_ERR(key_ref)) {
242
+
ret = PTR_ERR(key_ref);
243
goto error;
244
}
245
246
+
ret = key_ref_to_ptr(key_ref)->serial;
247
+
key_ref_put(key_ref);
248
error:
249
return ret;
250
···
302
const void __user *_payload,
303
size_t plen)
304
{
305
+
key_ref_t key_ref;
306
void *payload;
307
long ret;
308
···
324
}
325
326
/* find the target key (which must be writable) */
327
+
key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE);
328
+
if (IS_ERR(key_ref)) {
329
+
ret = PTR_ERR(key_ref);
330
goto error2;
331
}
332
333
/* update the key */
334
+
ret = key_update(key_ref, payload, plen);
335
336
+
key_ref_put(key_ref);
337
error2:
338
kfree(payload);
339
error:
···
349
*/
350
long keyctl_revoke_key(key_serial_t id)
351
{
352
+
key_ref_t key_ref;
353
long ret;
354
355
+
key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE);
356
+
if (IS_ERR(key_ref)) {
357
+
ret = PTR_ERR(key_ref);
358
goto error;
359
}
360
361
+
key_revoke(key_ref_to_ptr(key_ref));
362
ret = 0;
363
364
+
key_ref_put(key_ref);
365
error:
366
return ret;
367
···
375
*/
376
long keyctl_keyring_clear(key_serial_t ringid)
377
{
378
+
key_ref_t keyring_ref;
379
long ret;
380
381
+
keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
382
+
if (IS_ERR(keyring_ref)) {
383
+
ret = PTR_ERR(keyring_ref);
384
goto error;
385
}
386
387
+
ret = keyring_clear(key_ref_to_ptr(keyring_ref));
388
389
+
key_ref_put(keyring_ref);
390
error:
391
return ret;
392
···
401
*/
402
long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
403
{
404
+
key_ref_t keyring_ref, key_ref;
405
long ret;
406
407
+
keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
408
+
if (IS_ERR(keyring_ref)) {
409
+
ret = PTR_ERR(keyring_ref);
410
goto error;
411
}
412
413
+
key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK);
414
+
if (IS_ERR(key_ref)) {
415
+
ret = PTR_ERR(key_ref);
416
goto error2;
417
}
418
419
+
ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
420
421
+
key_ref_put(key_ref);
422
error2:
423
+
key_ref_put(keyring_ref);
424
error:
425
return ret;
426
···
435
*/
436
long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
437
{
438
+
key_ref_t keyring_ref, key_ref;
439
long ret;
440
441
+
keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE);
442
+
if (IS_ERR(keyring_ref)) {
443
+
ret = PTR_ERR(keyring_ref);
444
goto error;
445
}
446
447
+
key_ref = lookup_user_key(NULL, id, 0, 0, 0);
448
+
if (IS_ERR(key_ref)) {
449
+
ret = PTR_ERR(key_ref);
450
goto error2;
451
}
452
453
+
ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref));
454
455
+
key_ref_put(key_ref);
456
error2:
457
+
key_ref_put(keyring_ref);
458
error:
459
return ret;
460
···
476
size_t buflen)
477
{
478
struct key *key, *instkey;
479
+
key_ref_t key_ref;
480
char *tmpbuf;
481
long ret;
482
483
+
key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW);
484
+
if (IS_ERR(key_ref)) {
485
/* viewing a key under construction is permitted if we have the
486
* authorisation token handy */
487
+
if (PTR_ERR(key_ref) == -EACCES) {
488
instkey = key_get_instantiation_authkey(keyid);
489
if (!IS_ERR(instkey)) {
490
key_put(instkey);
491
+
key_ref = lookup_user_key(NULL, keyid,
492
+
0, 1, 0);
493
+
if (!IS_ERR(key_ref))
494
goto okay;
495
}
496
}
497
498
+
ret = PTR_ERR(key_ref);
499
goto error;
500
}
501
···
504
if (!tmpbuf)
505
goto error2;
506
507
+
key = key_ref_to_ptr(key_ref);
508
+
509
ret = snprintf(tmpbuf, PAGE_SIZE - 1,
510
+
"%s;%d;%d;%08x;%s",
511
+
key_ref_to_ptr(key_ref)->type->name,
512
+
key_ref_to_ptr(key_ref)->uid,
513
+
key_ref_to_ptr(key_ref)->gid,
514
+
key_ref_to_ptr(key_ref)->perm,
515
+
key_ref_to_ptr(key_ref)->description ?
516
+
key_ref_to_ptr(key_ref)->description : ""
517
);
518
519
/* include a NUL char at the end of the data */
···
530
531
kfree(tmpbuf);
532
error2:
533
+
key_ref_put(key_ref);
534
error:
535
return ret;
536
···
552
key_serial_t destringid)
553
{
554
struct key_type *ktype;
555
+
key_ref_t keyring_ref, key_ref, dest_ref;
556
char type[32], *description;
557
long dlen, ret;
558
···
581
goto error2;
582
583
/* get the keyring at which to begin the search */
584
+
keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH);
585
+
if (IS_ERR(keyring_ref)) {
586
+
ret = PTR_ERR(keyring_ref);
587
goto error2;
588
}
589
590
/* get the destination keyring if specified */
591
+
dest_ref = NULL;
592
if (destringid) {
593
+
dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE);
594
+
if (IS_ERR(dest_ref)) {
595
+
ret = PTR_ERR(dest_ref);
596
goto error3;
597
}
598
}
···
605
}
606
607
/* do the search */
608
+
key_ref = keyring_search(keyring_ref, ktype, description);
609
+
if (IS_ERR(key_ref)) {
610
+
ret = PTR_ERR(key_ref);
611
612
/* treat lack or presence of a negative key the same */
613
if (ret == -EAGAIN)
···
616
}
617
618
/* link the resulting key to the destination keyring if we can */
619
+
if (dest_ref) {
620
ret = -EACCES;
621
+
if (!key_permission(key_ref, KEY_LINK))
622
goto error6;
623
624
+
ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref));
625
if (ret < 0)
626
goto error6;
627
}
628
629
+
ret = key_ref_to_ptr(key_ref)->serial;
630
631
error6:
632
+
key_ref_put(key_ref);
633
error5:
634
key_type_put(ktype);
635
error4:
636
+
key_ref_put(dest_ref);
637
error3:
638
+
key_ref_put(keyring_ref);
639
error2:
640
kfree(description);
641
error:
642
return ret;
643
644
} /* end keyctl_keyring_search() */
645
646
/*****************************************************************************/
647
/*
···
665
*/
666
long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
667
{
668
+
struct key *key;
669
+
key_ref_t key_ref;
670
long ret;
671
672
/* find the key first */
673
+
key_ref = lookup_user_key(NULL, keyid, 0, 0, 0);
674
+
if (IS_ERR(key_ref)) {
675
+
ret = -ENOKEY;
676
+
goto error;
677
+
}
678
679
+
key = key_ref_to_ptr(key_ref);
680
681
+
/* see if we can read it directly */
682
+
if (key_permission(key_ref, KEY_READ))
683
+
goto can_read_key;
684
+
685
+
/* we can't; see if it's searchable from this process's keyrings
686
+
* - we automatically take account of the fact that it may be
687
+
* dangling off an instantiation key
688
+
*/
689
+
if (!is_key_possessed(key_ref)) {
690
+
ret = -EACCES;
691
goto error2;
692
}
693
694
/* the key is probably readable - now try to read it */
695
can_read_key:
696
ret = key_validate(key);
697
if (ret == 0) {
···
727
long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
728
{
729
struct key *key;
730
+
key_ref_t key_ref;
731
long ret;
732
733
ret = 0;
734
if (uid == (uid_t) -1 && gid == (gid_t) -1)
735
goto error;
736
737
+
key_ref = lookup_user_key(NULL, id, 1, 1, 0);
738
+
if (IS_ERR(key_ref)) {
739
+
ret = PTR_ERR(key_ref);
740
goto error;
741
}
742
+
743
+
key = key_ref_to_ptr(key_ref);
744
745
/* make the changes with the locks held to prevent chown/chown races */
746
ret = -EACCES;
···
784
long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
785
{
786
struct key *key;
787
+
key_ref_t key_ref;
788
long ret;
789
790
ret = -EINVAL;
791
+
if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
792
goto error;
793
794
+
key_ref = lookup_user_key(NULL, id, 1, 1, 0);
795
+
if (IS_ERR(key_ref)) {
796
+
ret = PTR_ERR(key_ref);
797
goto error;
798
}
799
+
800
+
key = key_ref_to_ptr(key_ref);
801
802
/* make the changes with the locks held to prevent chown/chmod races */
803
ret = -EACCES;
···
824
key_serial_t ringid)
825
{
826
struct request_key_auth *rka;
827
+
struct key *instkey;
828
+
key_ref_t keyring_ref;
829
void *payload;
830
long ret;
831
···
857
858
/* find the destination keyring amongst those belonging to the
859
* requesting task */
860
+
keyring_ref = NULL;
861
if (ringid) {
862
+
keyring_ref = lookup_user_key(rka->context, ringid, 1, 0,
863
+
KEY_WRITE);
864
+
if (IS_ERR(keyring_ref)) {
865
+
ret = PTR_ERR(keyring_ref);
866
goto error3;
867
}
868
}
869
870
/* instantiate the key and link it into a keyring */
871
ret = key_instantiate_and_link(rka->target_key, payload, plen,
872
+
key_ref_to_ptr(keyring_ref), instkey);
873
874
+
key_ref_put(keyring_ref);
875
error3:
876
key_put(instkey);
877
error2:
···
889
long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
890
{
891
struct request_key_auth *rka;
892
+
struct key *instkey;
893
+
key_ref_t keyring_ref;
894
long ret;
895
896
/* find the instantiation authorisation key */
···
903
904
/* find the destination keyring if present (which must also be
905
* writable) */
906
+
keyring_ref = NULL;
907
if (ringid) {
908
+
keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE);
909
+
if (IS_ERR(keyring_ref)) {
910
+
ret = PTR_ERR(keyring_ref);
911
goto error2;
912
}
913
}
914
915
/* instantiate the key and link it into a keyring */
916
+
ret = key_negate_and_link(rka->target_key, timeout,
917
+
key_ref_to_ptr(keyring_ref), instkey);
918
919
+
key_ref_put(keyring_ref);
920
error2:
921
key_put(instkey);
922
error:
+50
-36
security/keys/keyring.c
+50
-36
security/keys/keyring.c
···
309
int ret;
310
311
keyring = key_alloc(&key_type_keyring, description,
312
-
uid, gid, KEY_USR_ALL, not_in_quota);
313
314
if (!IS_ERR(keyring)) {
315
ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
···
333
* - we rely on RCU to prevent the keyring lists from disappearing on us
334
* - we return -EAGAIN if we didn't find any matching key
335
* - we return -ENOKEY if we only found negative matching keys
336
*/
337
-
struct key *keyring_search_aux(struct key *keyring,
338
-
struct task_struct *context,
339
-
struct key_type *type,
340
-
const void *description,
341
-
key_match_func_t match)
342
{
343
struct {
344
struct keyring_list *keylist;
···
348
349
struct keyring_list *keylist;
350
struct timespec now;
351
-
struct key *key;
352
long err;
353
int sp, kix;
354
355
key_check(keyring);
356
357
-
rcu_read_lock();
358
-
359
/* top keyring must have search permission to begin the search */
360
-
key = ERR_PTR(-EACCES);
361
-
if (!key_task_permission(keyring, context, KEY_SEARCH))
362
goto error;
363
364
-
key = ERR_PTR(-ENOTDIR);
365
if (keyring->type != &key_type_keyring)
366
goto error;
367
368
now = current_kernel_time();
369
err = -EAGAIN;
370
sp = 0;
371
372
/* start processing a new keyring */
373
-
descend:
374
if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
375
goto not_this_keyring;
376
···
402
continue;
403
404
/* key must have search permissions */
405
-
if (!key_task_permission(key, context, KEY_SEARCH))
406
continue;
407
408
/* we set a different error code if we find a negative key */
···
417
418
/* search through the keyrings nested in this one */
419
kix = 0;
420
-
ascend:
421
for (; kix < keylist->nkeys; kix++) {
422
key = keylist->keys[kix];
423
if (key->type != &key_type_keyring)
···
429
if (sp >= KEYRING_SEARCH_MAX_DEPTH)
430
continue;
431
432
-
if (!key_task_permission(key, context, KEY_SEARCH))
433
continue;
434
435
/* stack the current position */
···
445
446
/* the keyring we're looking at was disqualified or didn't contain a
447
* matching key */
448
-
not_this_keyring:
449
if (sp > 0) {
450
/* resume the processing of a keyring higher up in the tree */
451
sp--;
···
454
goto ascend;
455
}
456
457
-
key = ERR_PTR(err);
458
-
goto error;
459
460
/* we found a viable match */
461
-
found:
462
atomic_inc(&key->usage);
463
key_check(key);
464
-
error:
465
rcu_read_unlock();
466
-
return key;
467
468
} /* end keyring_search_aux() */
469
···
478
* - we return -EAGAIN if we didn't find any matching key
479
* - we return -ENOKEY if we only found negative matching keys
480
*/
481
-
struct key *keyring_search(struct key *keyring,
482
-
struct key_type *type,
483
-
const char *description)
484
{
485
if (!type->match)
486
return ERR_PTR(-ENOKEY);
···
497
* search the given keyring only (no recursion)
498
* - keyring must be locked by caller
499
*/
500
-
struct key *__keyring_search_one(struct key *keyring,
501
-
const struct key_type *ktype,
502
-
const char *description,
503
-
key_perm_t perm)
504
{
505
struct keyring_list *klist;
506
-
struct key *key;
507
int loop;
508
509
rcu_read_lock();
510
···
520
if (key->type == ktype &&
521
(!key->type->match ||
522
key->type->match(key, description)) &&
523
-
key_permission(key, perm) &&
524
!test_bit(KEY_FLAG_REVOKED, &key->flags)
525
)
526
goto found;
527
}
528
}
529
530
-
key = ERR_PTR(-ENOKEY);
531
-
goto error;
532
533
found:
534
atomic_inc(&key->usage);
535
-
error:
536
rcu_read_unlock();
537
-
return key;
538
539
} /* end __keyring_search_one() */
540
···
616
if (strcmp(keyring->description, name) != 0)
617
continue;
618
619
-
if (!key_permission(keyring, KEY_SEARCH))
620
continue;
621
622
/* found a potential candidate, but we still need to
···
309
int ret;
310
311
keyring = key_alloc(&key_type_keyring, description,
312
+
uid, gid, KEY_POS_ALL | KEY_USR_ALL, not_in_quota);
313
314
if (!IS_ERR(keyring)) {
315
ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
···
333
* - we rely on RCU to prevent the keyring lists from disappearing on us
334
* - we return -EAGAIN if we didn't find any matching key
335
* - we return -ENOKEY if we only found negative matching keys
336
+
* - we propagate the possession attribute from the keyring ref to the key ref
337
*/
338
+
key_ref_t keyring_search_aux(key_ref_t keyring_ref,
339
+
struct task_struct *context,
340
+
struct key_type *type,
341
+
const void *description,
342
+
key_match_func_t match)
343
{
344
struct {
345
struct keyring_list *keylist;
···
347
348
struct keyring_list *keylist;
349
struct timespec now;
350
+
unsigned long possessed;
351
+
struct key *keyring, *key;
352
+
key_ref_t key_ref;
353
long err;
354
int sp, kix;
355
356
+
keyring = key_ref_to_ptr(keyring_ref);
357
+
possessed = is_key_possessed(keyring_ref);
358
key_check(keyring);
359
360
/* top keyring must have search permission to begin the search */
361
+
key_ref = ERR_PTR(-EACCES);
362
+
if (!key_task_permission(keyring_ref, context, KEY_SEARCH))
363
goto error;
364
365
+
key_ref = ERR_PTR(-ENOTDIR);
366
if (keyring->type != &key_type_keyring)
367
goto error;
368
+
369
+
rcu_read_lock();
370
371
now = current_kernel_time();
372
err = -EAGAIN;
373
sp = 0;
374
375
/* start processing a new keyring */
376
+
descend:
377
if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
378
goto not_this_keyring;
379
···
397
continue;
398
399
/* key must have search permissions */
400
+
if (!key_task_permission(make_key_ref(key, possessed),
401
+
context, KEY_SEARCH))
402
continue;
403
404
/* we set a different error code if we find a negative key */
···
411
412
/* search through the keyrings nested in this one */
413
kix = 0;
414
+
ascend:
415
for (; kix < keylist->nkeys; kix++) {
416
key = keylist->keys[kix];
417
if (key->type != &key_type_keyring)
···
423
if (sp >= KEYRING_SEARCH_MAX_DEPTH)
424
continue;
425
426
+
if (!key_task_permission(make_key_ref(key, possessed),
427
+
context, KEY_SEARCH))
428
continue;
429
430
/* stack the current position */
···
438
439
/* the keyring we're looking at was disqualified or didn't contain a
440
* matching key */
441
+
not_this_keyring:
442
if (sp > 0) {
443
/* resume the processing of a keyring higher up in the tree */
444
sp--;
···
447
goto ascend;
448
}
449
450
+
key_ref = ERR_PTR(err);
451
+
goto error_2;
452
453
/* we found a viable match */
454
+
found:
455
atomic_inc(&key->usage);
456
key_check(key);
457
+
key_ref = make_key_ref(key, possessed);
458
+
error_2:
459
rcu_read_unlock();
460
+
error:
461
+
return key_ref;
462
463
} /* end keyring_search_aux() */
464
···
469
* - we return -EAGAIN if we didn't find any matching key
470
* - we return -ENOKEY if we only found negative matching keys
471
*/
472
+
key_ref_t keyring_search(key_ref_t keyring,
473
+
struct key_type *type,
474
+
const char *description)
475
{
476
if (!type->match)
477
return ERR_PTR(-ENOKEY);
···
488
* search the given keyring only (no recursion)
489
* - keyring must be locked by caller
490
*/
491
+
key_ref_t __keyring_search_one(key_ref_t keyring_ref,
492
+
const struct key_type *ktype,
493
+
const char *description,
494
+
key_perm_t perm)
495
{
496
struct keyring_list *klist;
497
+
unsigned long possessed;
498
+
struct key *keyring, *key;
499
int loop;
500
+
501
+
keyring = key_ref_to_ptr(keyring_ref);
502
+
possessed = is_key_possessed(keyring_ref);
503
504
rcu_read_lock();
505
···
507
if (key->type == ktype &&
508
(!key->type->match ||
509
key->type->match(key, description)) &&
510
+
key_permission(make_key_ref(key, possessed),
511
+
perm) &&
512
!test_bit(KEY_FLAG_REVOKED, &key->flags)
513
)
514
goto found;
515
}
516
}
517
518
+
rcu_read_unlock();
519
+
return ERR_PTR(-ENOKEY);
520
521
found:
522
atomic_inc(&key->usage);
523
rcu_read_unlock();
524
+
return make_key_ref(key, possessed);
525
526
} /* end __keyring_search_one() */
527
···
603
if (strcmp(keyring->description, name) != 0)
604
continue;
605
606
+
if (!key_permission(make_key_ref(keyring, 0),
607
+
KEY_SEARCH))
608
continue;
609
610
/* found a potential candidate, but we still need to
+1
-1
security/keys/proc.c
+1
-1
security/keys/proc.c
+101
-63
security/keys/process_keys.c
+101
-63
security/keys/process_keys.c
···
39
.type = &key_type_keyring,
40
.user = &root_key_user,
41
.sem = __RWSEM_INITIALIZER(root_user_keyring.sem),
42
-
.perm = KEY_USR_ALL,
43
.flags = 1 << KEY_FLAG_INSTANTIATED,
44
.description = "_uid.0",
45
#ifdef KEY_DEBUGGING
···
54
.type = &key_type_keyring,
55
.user = &root_key_user,
56
.sem = __RWSEM_INITIALIZER(root_session_keyring.sem),
57
-
.perm = KEY_USR_ALL,
58
.flags = 1 << KEY_FLAG_INSTANTIATED,
59
.description = "_uid_ses.0",
60
#ifdef KEY_DEBUGGING
···
98
user->session_keyring = session_keyring;
99
ret = 0;
100
101
-
error:
102
return ret;
103
104
} /* end alloc_uid_keyring() */
···
156
ret = 0;
157
158
key_put(old);
159
-
error:
160
return ret;
161
162
} /* end install_thread_keyring() */
···
193
}
194
195
ret = 0;
196
-
error:
197
return ret;
198
199
} /* end install_process_keyring() */
···
236
/* we're using RCU on the pointer */
237
synchronize_rcu();
238
key_put(old);
239
-
error:
240
return ret;
241
242
} /* end install_session_keyring() */
···
376
* - we return -EAGAIN if we didn't find any matching key
377
* - we return -ENOKEY if we found only negative matching keys
378
*/
379
-
struct key *search_process_keyrings(struct key_type *type,
380
-
const void *description,
381
-
key_match_func_t match,
382
-
struct task_struct *context)
383
{
384
struct request_key_auth *rka;
385
-
struct key *key, *ret, *err, *instkey;
386
387
/* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
388
* searchable, but we failed to find a key or we found a negative key;
···
391
*
392
* in terms of priority: success > -ENOKEY > -EAGAIN > other error
393
*/
394
-
key = NULL;
395
ret = NULL;
396
err = ERR_PTR(-EAGAIN);
397
398
/* search the thread keyring first */
399
if (context->thread_keyring) {
400
-
key = keyring_search_aux(context->thread_keyring,
401
-
context, type, description, match);
402
-
if (!IS_ERR(key))
403
goto found;
404
405
-
switch (PTR_ERR(key)) {
406
case -EAGAIN: /* no key */
407
if (ret)
408
break;
409
case -ENOKEY: /* negative key */
410
-
ret = key;
411
break;
412
default:
413
-
err = key;
414
break;
415
}
416
}
417
418
/* search the process keyring second */
419
if (context->signal->process_keyring) {
420
-
key = keyring_search_aux(context->signal->process_keyring,
421
-
context, type, description, match);
422
-
if (!IS_ERR(key))
423
goto found;
424
425
-
switch (PTR_ERR(key)) {
426
case -EAGAIN: /* no key */
427
if (ret)
428
break;
429
case -ENOKEY: /* negative key */
430
-
ret = key;
431
break;
432
default:
433
-
err = key;
434
break;
435
}
436
}
···
440
/* search the session keyring */
441
if (context->signal->session_keyring) {
442
rcu_read_lock();
443
-
key = keyring_search_aux(
444
-
rcu_dereference(context->signal->session_keyring),
445
context, type, description, match);
446
rcu_read_unlock();
447
448
-
if (!IS_ERR(key))
449
goto found;
450
451
-
switch (PTR_ERR(key)) {
452
case -EAGAIN: /* no key */
453
if (ret)
454
break;
455
case -ENOKEY: /* negative key */
456
-
ret = key;
457
break;
458
default:
459
-
err = key;
460
break;
461
}
462
···
469
goto no_key;
470
471
rcu_read_lock();
472
-
instkey = __keyring_search_one(
473
-
rcu_dereference(context->signal->session_keyring),
474
&key_type_request_key_auth, NULL, 0);
475
rcu_read_unlock();
476
477
-
if (IS_ERR(instkey))
478
goto no_key;
479
480
-
rka = instkey->payload.data;
481
482
-
key = search_process_keyrings(type, description, match,
483
-
rka->context);
484
-
key_put(instkey);
485
486
-
if (!IS_ERR(key))
487
goto found;
488
489
-
switch (PTR_ERR(key)) {
490
case -EAGAIN: /* no key */
491
if (ret)
492
break;
493
case -ENOKEY: /* negative key */
494
-
ret = key;
495
break;
496
default:
497
-
err = key;
498
break;
499
}
500
}
501
/* or search the user-session keyring */
502
else {
503
-
key = keyring_search_aux(context->user->session_keyring,
504
-
context, type, description, match);
505
-
if (!IS_ERR(key))
506
goto found;
507
508
-
switch (PTR_ERR(key)) {
509
case -EAGAIN: /* no key */
510
if (ret)
511
break;
512
case -ENOKEY: /* negative key */
513
-
ret = key;
514
break;
515
default:
516
-
err = key;
517
break;
518
}
519
}
···
524
525
no_key:
526
/* no key - decide on the error we're going to go for */
527
-
key = ret ? ret : err;
528
529
found:
530
-
return key;
531
532
} /* end search_process_keyrings() */
533
534
/*****************************************************************************/
535
/*
···
547
* - don't create special keyrings unless so requested
548
* - partially constructed keys aren't found unless requested
549
*/
550
-
struct key *lookup_user_key(struct task_struct *context, key_serial_t id,
551
-
int create, int partial, key_perm_t perm)
552
{
553
struct key *key;
554
int ret;
555
556
if (!context)
557
context = current;
558
559
-
key = ERR_PTR(-ENOKEY);
560
561
switch (id) {
562
case KEY_SPEC_THREAD_KEYRING:
···
574
575
key = context->thread_keyring;
576
atomic_inc(&key->usage);
577
break;
578
579
case KEY_SPEC_PROCESS_KEYRING:
···
591
592
key = context->signal->process_keyring;
593
atomic_inc(&key->usage);
594
break;
595
596
case KEY_SPEC_SESSION_KEYRING:
···
599
/* always install a session keyring upon access if one
600
* doesn't exist yet */
601
ret = install_session_keyring(
602
-
context, context->user->session_keyring);
603
if (ret < 0)
604
goto error;
605
}
···
608
key = rcu_dereference(context->signal->session_keyring);
609
atomic_inc(&key->usage);
610
rcu_read_unlock();
611
break;
612
613
case KEY_SPEC_USER_KEYRING:
614
key = context->user->uid_keyring;
615
atomic_inc(&key->usage);
616
break;
617
618
case KEY_SPEC_USER_SESSION_KEYRING:
619
key = context->user->session_keyring;
620
atomic_inc(&key->usage);
621
break;
622
623
case KEY_SPEC_GROUP_KEYRING:
···
629
goto error;
630
631
default:
632
-
key = ERR_PTR(-EINVAL);
633
if (id < 1)
634
goto error;
635
636
key = key_lookup(id);
637
-
if (IS_ERR(key))
638
goto error;
639
break;
640
}
641
···
668
/* check the permissions */
669
ret = -EACCES;
670
671
-
if (!key_task_permission(key, context, perm))
672
goto invalid_key;
673
674
-
error:
675
-
return key;
676
677
-
invalid_key:
678
-
key_put(key);
679
-
key = ERR_PTR(ret);
680
goto error;
681
682
} /* end lookup_user_key() */
···
732
ret = keyring->serial;
733
key_put(keyring);
734
735
-
error2:
736
up(&key_session_sem);
737
-
error:
738
return ret;
739
740
} /* end join_session_keyring() */
···
39
.type = &key_type_keyring,
40
.user = &root_key_user,
41
.sem = __RWSEM_INITIALIZER(root_user_keyring.sem),
42
+
.perm = KEY_POS_ALL | KEY_USR_ALL,
43
.flags = 1 << KEY_FLAG_INSTANTIATED,
44
.description = "_uid.0",
45
#ifdef KEY_DEBUGGING
···
54
.type = &key_type_keyring,
55
.user = &root_key_user,
56
.sem = __RWSEM_INITIALIZER(root_session_keyring.sem),
57
+
.perm = KEY_POS_ALL | KEY_USR_ALL,
58
.flags = 1 << KEY_FLAG_INSTANTIATED,
59
.description = "_uid_ses.0",
60
#ifdef KEY_DEBUGGING
···
98
user->session_keyring = session_keyring;
99
ret = 0;
100
101
+
error:
102
return ret;
103
104
} /* end alloc_uid_keyring() */
···
156
ret = 0;
157
158
key_put(old);
159
+
error:
160
return ret;
161
162
} /* end install_thread_keyring() */
···
193
}
194
195
ret = 0;
196
+
error:
197
return ret;
198
199
} /* end install_process_keyring() */
···
236
/* we're using RCU on the pointer */
237
synchronize_rcu();
238
key_put(old);
239
+
error:
240
return ret;
241
242
} /* end install_session_keyring() */
···
376
* - we return -EAGAIN if we didn't find any matching key
377
* - we return -ENOKEY if we found only negative matching keys
378
*/
379
+
key_ref_t search_process_keyrings(struct key_type *type,
380
+
const void *description,
381
+
key_match_func_t match,
382
+
struct task_struct *context)
383
{
384
struct request_key_auth *rka;
385
+
key_ref_t key_ref, ret, err, instkey_ref;
386
387
/* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
388
* searchable, but we failed to find a key or we found a negative key;
···
391
*
392
* in terms of priority: success > -ENOKEY > -EAGAIN > other error
393
*/
394
+
key_ref = NULL;
395
ret = NULL;
396
err = ERR_PTR(-EAGAIN);
397
398
/* search the thread keyring first */
399
if (context->thread_keyring) {
400
+
key_ref = keyring_search_aux(
401
+
make_key_ref(context->thread_keyring, 1),
402
+
context, type, description, match);
403
+
if (!IS_ERR(key_ref))
404
goto found;
405
406
+
switch (PTR_ERR(key_ref)) {
407
case -EAGAIN: /* no key */
408
if (ret)
409
break;
410
case -ENOKEY: /* negative key */
411
+
ret = key_ref;
412
break;
413
default:
414
+
err = key_ref;
415
break;
416
}
417
}
418
419
/* search the process keyring second */
420
if (context->signal->process_keyring) {
421
+
key_ref = keyring_search_aux(
422
+
make_key_ref(context->signal->process_keyring, 1),
423
+
context, type, description, match);
424
+
if (!IS_ERR(key_ref))
425
goto found;
426
427
+
switch (PTR_ERR(key_ref)) {
428
case -EAGAIN: /* no key */
429
if (ret)
430
break;
431
case -ENOKEY: /* negative key */
432
+
ret = key_ref;
433
break;
434
default:
435
+
err = key_ref;
436
break;
437
}
438
}
···
438
/* search the session keyring */
439
if (context->signal->session_keyring) {
440
rcu_read_lock();
441
+
key_ref = keyring_search_aux(
442
+
make_key_ref(rcu_dereference(
443
+
context->signal->session_keyring),
444
+
1),
445
context, type, description, match);
446
rcu_read_unlock();
447
448
+
if (!IS_ERR(key_ref))
449
goto found;
450
451
+
switch (PTR_ERR(key_ref)) {
452
case -EAGAIN: /* no key */
453
if (ret)
454
break;
455
case -ENOKEY: /* negative key */
456
+
ret = key_ref;
457
break;
458
default:
459
+
err = key_ref;
460
break;
461
}
462
···
465
goto no_key;
466
467
rcu_read_lock();
468
+
instkey_ref = __keyring_search_one(
469
+
make_key_ref(rcu_dereference(
470
+
context->signal->session_keyring),
471
+
1),
472
&key_type_request_key_auth, NULL, 0);
473
rcu_read_unlock();
474
475
+
if (IS_ERR(instkey_ref))
476
goto no_key;
477
478
+
rka = key_ref_to_ptr(instkey_ref)->payload.data;
479
480
+
key_ref = search_process_keyrings(type, description, match,
481
+
rka->context);
482
+
key_ref_put(instkey_ref);
483
484
+
if (!IS_ERR(key_ref))
485
goto found;
486
487
+
switch (PTR_ERR(key_ref)) {
488
case -EAGAIN: /* no key */
489
if (ret)
490
break;
491
case -ENOKEY: /* negative key */
492
+
ret = key_ref;
493
break;
494
default:
495
+
err = key_ref;
496
break;
497
}
498
}
499
/* or search the user-session keyring */
500
else {
501
+
key_ref = keyring_search_aux(
502
+
make_key_ref(context->user->session_keyring, 1),
503
+
context, type, description, match);
504
+
if (!IS_ERR(key_ref))
505
goto found;
506
507
+
switch (PTR_ERR(key_ref)) {
508
case -EAGAIN: /* no key */
509
if (ret)
510
break;
511
case -ENOKEY: /* negative key */
512
+
ret = key_ref;
513
break;
514
default:
515
+
err = key_ref;
516
break;
517
}
518
}
···
517
518
no_key:
519
/* no key - decide on the error we're going to go for */
520
+
key_ref = ret ? ret : err;
521
522
found:
523
+
return key_ref;
524
525
} /* end search_process_keyrings() */
526
+
527
+
/*****************************************************************************/
528
+
/*
529
+
* see if the key we're looking at is the target key
530
+
*/
531
+
static int lookup_user_key_possessed(const struct key *key, const void *target)
532
+
{
533
+
return key == target;
534
+
535
+
} /* end lookup_user_key_possessed() */
536
537
/*****************************************************************************/
538
/*
···
530
* - don't create special keyrings unless so requested
531
* - partially constructed keys aren't found unless requested
532
*/
533
+
key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id,
534
+
int create, int partial, key_perm_t perm)
535
{
536
+
key_ref_t key_ref, skey_ref;
537
struct key *key;
538
int ret;
539
540
if (!context)
541
context = current;
542
543
+
key_ref = ERR_PTR(-ENOKEY);
544
545
switch (id) {
546
case KEY_SPEC_THREAD_KEYRING:
···
556
557
key = context->thread_keyring;
558
atomic_inc(&key->usage);
559
+
key_ref = make_key_ref(key, 1);
560
break;
561
562
case KEY_SPEC_PROCESS_KEYRING:
···
572
573
key = context->signal->process_keyring;
574
atomic_inc(&key->usage);
575
+
key_ref = make_key_ref(key, 1);
576
break;
577
578
case KEY_SPEC_SESSION_KEYRING:
···
579
/* always install a session keyring upon access if one
580
* doesn't exist yet */
581
ret = install_session_keyring(
582
+
context, context->user->session_keyring);
583
if (ret < 0)
584
goto error;
585
}
···
588
key = rcu_dereference(context->signal->session_keyring);
589
atomic_inc(&key->usage);
590
rcu_read_unlock();
591
+
key_ref = make_key_ref(key, 1);
592
break;
593
594
case KEY_SPEC_USER_KEYRING:
595
key = context->user->uid_keyring;
596
atomic_inc(&key->usage);
597
+
key_ref = make_key_ref(key, 1);
598
break;
599
600
case KEY_SPEC_USER_SESSION_KEYRING:
601
key = context->user->session_keyring;
602
atomic_inc(&key->usage);
603
+
key_ref = make_key_ref(key, 1);
604
break;
605
606
case KEY_SPEC_GROUP_KEYRING:
···
606
goto error;
607
608
default:
609
+
key_ref = ERR_PTR(-EINVAL);
610
if (id < 1)
611
goto error;
612
613
key = key_lookup(id);
614
+
if (IS_ERR(key)) {
615
+
key_ref = ERR_PTR(PTR_ERR(key));
616
goto error;
617
+
}
618
+
619
+
key_ref = make_key_ref(key, 0);
620
+
621
+
/* check to see if we possess the key */
622
+
skey_ref = search_process_keyrings(key->type, key,
623
+
lookup_user_key_possessed,
624
+
current);
625
+
626
+
if (!IS_ERR(skey_ref)) {
627
+
key_put(key);
628
+
key_ref = skey_ref;
629
+
}
630
+
631
break;
632
}
633
···
630
/* check the permissions */
631
ret = -EACCES;
632
633
+
if (!key_task_permission(key_ref, context, perm))
634
goto invalid_key;
635
636
+
error:
637
+
return key_ref;
638
639
+
invalid_key:
640
+
key_ref_put(key_ref);
641
+
key_ref = ERR_PTR(ret);
642
goto error;
643
644
} /* end lookup_user_key() */
···
694
ret = keyring->serial;
695
key_put(keyring);
696
697
+
error2:
698
up(&key_session_sem);
699
+
error:
700
return ret;
701
702
} /* end join_session_keyring() */
+29
-7
security/keys/request_key.c
+29
-7
security/keys/request_key.c
···
129
130
/* create a key and add it to the queue */
131
key = key_alloc(type, description,
132
-
current->fsuid, current->fsgid, KEY_USR_ALL, 0);
133
if (IS_ERR(key))
134
goto alloc_failed;
135
···
365
{
366
struct key_user *user;
367
struct key *key;
368
369
kenter("%s,%s,%s,%p",
370
type->name, description, callout_info, dest_keyring);
371
372
/* search all the process keyrings for a key */
373
-
key = search_process_keyrings(type, description, type->match, current);
374
375
-
if (PTR_ERR(key) == -EAGAIN) {
376
/* the search failed, but the keyrings were searchable, so we
377
* should consult userspace if we can */
378
key = ERR_PTR(-ENOKEY);
···
394
if (!user)
395
goto nomem;
396
397
-
do {
398
if (signal_pending(current))
399
goto interrupted;
400
···
407
408
/* someone else made the key we want, so we need to
409
* search again as it might now be available to us */
410
-
key = search_process_keyrings(type, description,
411
-
type->match, current);
412
413
-
} while (PTR_ERR(key) == -EAGAIN);
414
415
key_user_put(user);
416
···
129
130
/* create a key and add it to the queue */
131
key = key_alloc(type, description,
132
+
current->fsuid, current->fsgid, KEY_POS_ALL, 0);
133
if (IS_ERR(key))
134
goto alloc_failed;
135
···
365
{
366
struct key_user *user;
367
struct key *key;
368
+
key_ref_t key_ref;
369
370
kenter("%s,%s,%s,%p",
371
type->name, description, callout_info, dest_keyring);
372
373
/* search all the process keyrings for a key */
374
+
key_ref = search_process_keyrings(type, description, type->match,
375
+
current);
376
377
+
kdebug("search 1: %p", key_ref);
378
+
379
+
if (!IS_ERR(key_ref)) {
380
+
key = key_ref_to_ptr(key_ref);
381
+
}
382
+
else if (PTR_ERR(key_ref) != -EAGAIN) {
383
+
key = ERR_PTR(PTR_ERR(key_ref));
384
+
}
385
+
else {
386
/* the search failed, but the keyrings were searchable, so we
387
* should consult userspace if we can */
388
key = ERR_PTR(-ENOKEY);
···
384
if (!user)
385
goto nomem;
386
387
+
for (;;) {
388
if (signal_pending(current))
389
goto interrupted;
390
···
397
398
/* someone else made the key we want, so we need to
399
* search again as it might now be available to us */
400
+
key_ref = search_process_keyrings(type, description,
401
+
type->match,
402
+
current);
403
404
+
kdebug("search 2: %p", key_ref);
405
+
406
+
if (!IS_ERR(key_ref)) {
407
+
key = key_ref_to_ptr(key_ref);
408
+
break;
409
+
}
410
+
411
+
if (PTR_ERR(key_ref) != -EAGAIN) {
412
+
key = ERR_PTR(PTR_ERR(key_ref));
413
+
break;
414
+
}
415
+
}
416
417
key_user_put(user);
418
+1
-1
security/keys/request_key_auth.c
+1
-1
security/keys/request_key_auth.c