1 /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 /* Credentials management - see Documentation/security/credentials.rst 3 * 4 * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #ifndef _LINUX_CRED_H 9 #define _LINUX_CRED_H 10 11 #include <linux/capability.h> 12 #include <linux/init.h> 13 #include <linux/key.h> 14 #include <linux/atomic.h> 15 #include <linux/refcount.h> 16 #include <linux/uidgid.h> 17 #include <linux/sched.h> 18 #include <linux/sched/user.h> 19 20 struct cred; 21 struct inode; 22 23 extern struct task_struct init_task; 24 25 /* 26 * COW Supplementary groups list 27 */ 28 struct group_info { 29 refcount_t usage; 30 int ngroups; 31 kgid_t gid[]; 32 } __randomize_layout; 33 34 /** 35 * get_group_info - Get a reference to a group info structure 36 * @group_info: The group info to reference 37 * 38 * This gets a reference to a set of supplementary groups. 39 * 40 * If the caller is accessing a task's credentials, they must hold the RCU read 41 * lock when reading. 42 */ 43 static inline struct group_info *get_group_info(struct group_info *gi) 44 { 45 refcount_inc(&gi->usage); 46 return gi; 47 } 48 49 /** 50 * put_group_info - Release a reference to a group info structure 51 * @group_info: The group info to release 52 */ 53 #define put_group_info(group_info) \ 54 do { \ 55 if (refcount_dec_and_test(&(group_info)->usage)) \ 56 groups_free(group_info); \ 57 } while (0) 58 59 #ifdef CONFIG_MULTIUSER 60 extern struct group_info *groups_alloc(int); 61 extern void groups_free(struct group_info *); 62 63 extern int in_group_p(kgid_t); 64 extern int in_egroup_p(kgid_t); 65 extern int groups_search(const struct group_info *, kgid_t); 66 67 extern int set_current_groups(struct group_info *); 68 extern void set_groups(struct cred *, struct group_info *); 69 extern bool may_setgroups(void); 70 extern void groups_sort(struct group_info *); 71 #else 72 static inline void groups_free(struct group_info *group_info) 73 { 74 } 75 76 static inline int in_group_p(kgid_t grp) 77 { 78 return 1; 79 } 80 static inline int in_egroup_p(kgid_t grp) 81 { 82 return 1; 83 } 84 static inline int groups_search(const struct group_info *group_info, kgid_t grp) 85 { 86 return 1; 87 } 88 #endif 89 90 /* 91 * The security context of a task 92 * 93 * The parts of the context break down into two categories: 94 * 95 * (1) The objective context of a task. These parts are used when some other 96 * task is attempting to affect this one. 97 * 98 * (2) The subjective context. These details are used when the task is acting 99 * upon another object, be that a file, a task, a key or whatever. 100 * 101 * Note that some members of this structure belong to both categories - the 102 * LSM security pointer for instance. 103 * 104 * A task has two security pointers. task->real_cred points to the objective 105 * context that defines that task's actual details. The objective part of this 106 * context is used whenever that task is acted upon. 107 * 108 * task->cred points to the subjective context that defines the details of how 109 * that task is going to act upon another object. This may be overridden 110 * temporarily to point to another security context, but normally points to the 111 * same context as task->real_cred. 112 */ 113 struct cred { 114 atomic_long_t usage; 115 kuid_t uid; /* real UID of the task */ 116 kgid_t gid; /* real GID of the task */ 117 kuid_t suid; /* saved UID of the task */ 118 kgid_t sgid; /* saved GID of the task */ 119 kuid_t euid; /* effective UID of the task */ 120 kgid_t egid; /* effective GID of the task */ 121 kuid_t fsuid; /* UID for VFS ops */ 122 kgid_t fsgid; /* GID for VFS ops */ 123 unsigned securebits; /* SUID-less security management */ 124 kernel_cap_t cap_inheritable; /* caps our children can inherit */ 125 kernel_cap_t cap_permitted; /* caps we're permitted */ 126 kernel_cap_t cap_effective; /* caps we can actually use */ 127 kernel_cap_t cap_bset; /* capability bounding set */ 128 kernel_cap_t cap_ambient; /* Ambient capability set */ 129 #ifdef CONFIG_KEYS 130 unsigned char jit_keyring; /* default keyring to attach requested 131 * keys to */ 132 struct key *session_keyring; /* keyring inherited over fork */ 133 struct key *process_keyring; /* keyring private to this process */ 134 struct key *thread_keyring; /* keyring private to this thread */ 135 struct key *request_key_auth; /* assumed request_key authority */ 136 #endif 137 #ifdef CONFIG_SECURITY 138 void *security; /* LSM security */ 139 #endif 140 struct user_struct *user; /* real user ID subscription */ 141 struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */ 142 struct ucounts *ucounts; 143 struct group_info *group_info; /* supplementary groups for euid/fsgid */ 144 /* RCU deletion */ 145 union { 146 int non_rcu; /* Can we skip RCU deletion? */ 147 struct rcu_head rcu; /* RCU deletion hook */ 148 }; 149 } __randomize_layout; 150 151 extern void __put_cred(struct cred *); 152 extern void exit_creds(struct task_struct *); 153 extern int copy_creds(struct task_struct *, u64); 154 extern const struct cred *get_task_cred(struct task_struct *); 155 extern struct cred *cred_alloc_blank(void); 156 extern struct cred *prepare_creds(void); 157 extern struct cred *prepare_exec_creds(void); 158 extern int commit_creds(struct cred *); 159 extern void abort_creds(struct cred *); 160 extern struct cred *prepare_kernel_cred(struct task_struct *); 161 static inline const struct cred *kernel_cred(void) 162 { 163 /* shut up sparse */ 164 return rcu_dereference_raw(init_task.cred); 165 } 166 extern int set_security_override(struct cred *, u32); 167 extern int set_create_files_as(struct cred *, struct inode *); 168 extern int cred_fscmp(const struct cred *, const struct cred *); 169 extern void __init cred_init(void); 170 extern int set_cred_ucounts(struct cred *); 171 172 static inline bool cap_ambient_invariant_ok(const struct cred *cred) 173 { 174 return cap_issubset(cred->cap_ambient, 175 cap_intersect(cred->cap_permitted, 176 cred->cap_inheritable)); 177 } 178 179 static inline const struct cred *override_creds(const struct cred *override_cred) 180 { 181 return rcu_replace_pointer(current->cred, override_cred, 1); 182 } 183 184 static inline const struct cred *revert_creds(const struct cred *revert_cred) 185 { 186 return rcu_replace_pointer(current->cred, revert_cred, 1); 187 } 188 189 DEFINE_CLASS(override_creds, 190 const struct cred *, 191 revert_creds(_T), 192 override_creds(override_cred), const struct cred *override_cred) 193 194 #define scoped_with_creds(cred) \ 195 scoped_class(override_creds, __UNIQUE_ID(label), cred) 196 197 #define scoped_with_kernel_creds() scoped_with_creds(kernel_cred()) 198 199 /** 200 * get_cred_many - Get references on a set of credentials 201 * @cred: The credentials to reference 202 * @nr: Number of references to acquire 203 * 204 * Get references on the specified set of credentials. The caller must release 205 * all acquired reference. If %NULL is passed, it is returned with no action. 206 * 207 * This is used to deal with a committed set of credentials. Although the 208 * pointer is const, this will temporarily discard the const and increment the 209 * usage count. The purpose of this is to attempt to catch at compile time the 210 * accidental alteration of a set of credentials that should be considered 211 * immutable. 212 */ 213 static inline const struct cred *get_cred_many(const struct cred *cred, int nr) 214 { 215 struct cred *nonconst_cred = (struct cred *) cred; 216 if (!cred) 217 return cred; 218 nonconst_cred->non_rcu = 0; 219 atomic_long_add(nr, &nonconst_cred->usage); 220 return cred; 221 } 222 223 /* 224 * get_cred - Get a reference on a set of credentials 225 * @cred: The credentials to reference 226 * 227 * Get a reference on the specified set of credentials. The caller must 228 * release the reference. If %NULL is passed, it is returned with no action. 229 * 230 * This is used to deal with a committed set of credentials. 231 */ 232 static inline const struct cred *get_cred(const struct cred *cred) 233 { 234 return get_cred_many(cred, 1); 235 } 236 237 static inline const struct cred *get_cred_rcu(const struct cred *cred) 238 { 239 struct cred *nonconst_cred = (struct cred *) cred; 240 if (!cred) 241 return NULL; 242 if (!atomic_long_inc_not_zero(&nonconst_cred->usage)) 243 return NULL; 244 nonconst_cred->non_rcu = 0; 245 return cred; 246 } 247 248 /** 249 * put_cred - Release a reference to a set of credentials 250 * @cred: The credentials to release 251 * @nr: Number of references to release 252 * 253 * Release a reference to a set of credentials, deleting them when the last ref 254 * is released. If %NULL is passed, nothing is done. 255 * 256 * This takes a const pointer to a set of credentials because the credentials 257 * on task_struct are attached by const pointers to prevent accidental 258 * alteration of otherwise immutable credential sets. 259 */ 260 static inline void put_cred_many(const struct cred *_cred, int nr) 261 { 262 struct cred *cred = (struct cred *) _cred; 263 264 if (cred) { 265 if (atomic_long_sub_and_test(nr, &cred->usage)) 266 __put_cred(cred); 267 } 268 } 269 270 /* 271 * put_cred - Release a reference to a set of credentials 272 * @cred: The credentials to release 273 * 274 * Release a reference to a set of credentials, deleting them when the last ref 275 * is released. If %NULL is passed, nothing is done. 276 */ 277 static inline void put_cred(const struct cred *cred) 278 { 279 put_cred_many(cred, 1); 280 } 281 282 DEFINE_CLASS(prepare_creds, 283 struct cred *, 284 if (_T) put_cred(_T), 285 prepare_creds(), void) 286 287 DEFINE_FREE(put_cred, struct cred *, if (!IS_ERR_OR_NULL(_T)) put_cred(_T)) 288 289 /** 290 * current_cred - Access the current task's subjective credentials 291 * 292 * Access the subjective credentials of the current task. RCU-safe, 293 * since nobody else can modify it. 294 */ 295 #define current_cred() \ 296 rcu_dereference_protected(current->cred, 1) 297 298 /** 299 * current_real_cred - Access the current task's objective credentials 300 * 301 * Access the objective credentials of the current task. RCU-safe, 302 * since nobody else can modify it. 303 */ 304 #define current_real_cred() \ 305 rcu_dereference_protected(current->real_cred, 1) 306 307 /** 308 * __task_cred - Access a task's objective credentials 309 * @task: The task to query 310 * 311 * Access the objective credentials of a task. The caller must hold the RCU 312 * readlock. 313 * 314 * The result of this function should not be passed directly to get_cred(); 315 * rather get_task_cred() should be used instead. 316 */ 317 #define __task_cred(task) \ 318 rcu_dereference((task)->real_cred) 319 320 /** 321 * get_current_cred - Get the current task's subjective credentials 322 * 323 * Get the subjective credentials of the current task, pinning them so that 324 * they can't go away. Accessing the current task's credentials directly is 325 * not permitted. 326 */ 327 #define get_current_cred() \ 328 (get_cred(current_cred())) 329 330 /** 331 * get_current_user - Get the current task's user_struct 332 * 333 * Get the user record of the current task, pinning it so that it can't go 334 * away. 335 */ 336 #define get_current_user() \ 337 ({ \ 338 struct user_struct *__u; \ 339 const struct cred *__cred; \ 340 __cred = current_cred(); \ 341 __u = get_uid(__cred->user); \ 342 __u; \ 343 }) 344 345 /** 346 * get_current_groups - Get the current task's supplementary group list 347 * 348 * Get the supplementary group list of the current task, pinning it so that it 349 * can't go away. 350 */ 351 #define get_current_groups() \ 352 ({ \ 353 struct group_info *__groups; \ 354 const struct cred *__cred; \ 355 __cred = current_cred(); \ 356 __groups = get_group_info(__cred->group_info); \ 357 __groups; \ 358 }) 359 360 #define task_cred_xxx(task, xxx) \ 361 ({ \ 362 __typeof__(((struct cred *)NULL)->xxx) ___val; \ 363 rcu_read_lock(); \ 364 ___val = __task_cred((task))->xxx; \ 365 rcu_read_unlock(); \ 366 ___val; \ 367 }) 368 369 #define task_uid(task) (task_cred_xxx((task), uid)) 370 #define task_euid(task) (task_cred_xxx((task), euid)) 371 #define task_ucounts(task) (task_cred_xxx((task), ucounts)) 372 373 #define current_cred_xxx(xxx) \ 374 ({ \ 375 current_cred()->xxx; \ 376 }) 377 378 #define current_uid() (current_cred_xxx(uid)) 379 #define current_gid() (current_cred_xxx(gid)) 380 #define current_euid() (current_cred_xxx(euid)) 381 #define current_egid() (current_cred_xxx(egid)) 382 #define current_suid() (current_cred_xxx(suid)) 383 #define current_sgid() (current_cred_xxx(sgid)) 384 #define current_fsuid() (current_cred_xxx(fsuid)) 385 #define current_fsgid() (current_cred_xxx(fsgid)) 386 #define current_cap() (current_cred_xxx(cap_effective)) 387 #define current_user() (current_cred_xxx(user)) 388 #define current_ucounts() (current_cred_xxx(ucounts)) 389 390 extern struct user_namespace init_user_ns; 391 #ifdef CONFIG_USER_NS 392 #define current_user_ns() (current_cred_xxx(user_ns)) 393 #else 394 static inline struct user_namespace *current_user_ns(void) 395 { 396 return &init_user_ns; 397 } 398 #endif 399 400 401 #define current_uid_gid(_uid, _gid) \ 402 do { \ 403 const struct cred *__cred; \ 404 __cred = current_cred(); \ 405 *(_uid) = __cred->uid; \ 406 *(_gid) = __cred->gid; \ 407 } while(0) 408 409 #define current_euid_egid(_euid, _egid) \ 410 do { \ 411 const struct cred *__cred; \ 412 __cred = current_cred(); \ 413 *(_euid) = __cred->euid; \ 414 *(_egid) = __cred->egid; \ 415 } while(0) 416 417 #define current_fsuid_fsgid(_fsuid, _fsgid) \ 418 do { \ 419 const struct cred *__cred; \ 420 __cred = current_cred(); \ 421 *(_fsuid) = __cred->fsuid; \ 422 *(_fsgid) = __cred->fsgid; \ 423 } while(0) 424 425 #endif /* _LINUX_CRED_H */ 426