1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Userspace key control operations 3 * 4 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/init.h> 9 #include <linux/sched.h> 10 #include <linux/sched/task.h> 11 #include <linux/slab.h> 12 #include <linux/syscalls.h> 13 #include <linux/key.h> 14 #include <linux/keyctl.h> 15 #include <linux/fs.h> 16 #include <linux/capability.h> 17 #include <linux/cred.h> 18 #include <linux/string.h> 19 #include <linux/err.h> 20 #include <linux/vmalloc.h> 21 #include <linux/security.h> 22 #include <linux/uio.h> 23 #include <linux/uaccess.h> 24 #include <keys/request_key_auth-type.h> 25 #include "internal.h" 26 27 #define KEY_MAX_DESC_SIZE 4096 28 29 static const unsigned char keyrings_capabilities[2] = { 30 [0] = (KEYCTL_CAPS0_CAPABILITIES | 31 (IS_ENABLED(CONFIG_PERSISTENT_KEYRINGS) ? KEYCTL_CAPS0_PERSISTENT_KEYRINGS : 0) | 32 (IS_ENABLED(CONFIG_KEY_DH_OPERATIONS) ? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) | 33 (IS_ENABLED(CONFIG_ASYMMETRIC_KEY_TYPE) ? KEYCTL_CAPS0_PUBLIC_KEY : 0) | 34 (IS_ENABLED(CONFIG_BIG_KEYS) ? KEYCTL_CAPS0_BIG_KEY : 0) | 35 KEYCTL_CAPS0_INVALIDATE | 36 KEYCTL_CAPS0_RESTRICT_KEYRING | 37 KEYCTL_CAPS0_MOVE 38 ), 39 [1] = (KEYCTL_CAPS1_NS_KEYRING_NAME | 40 KEYCTL_CAPS1_NS_KEY_TAG | 41 (IS_ENABLED(CONFIG_KEY_NOTIFICATIONS) ? KEYCTL_CAPS1_NOTIFICATIONS : 0) 42 ), 43 }; 44 45 static int key_get_type_from_user(char *type, 46 const char __user *_type, 47 unsigned len) 48 { 49 int ret; 50 51 ret = strncpy_from_user(type, _type, len); 52 if (ret < 0) 53 return ret; 54 if (ret == 0 || ret >= len) 55 return -EINVAL; 56 if (type[0] == '.') 57 return -EPERM; 58 type[len - 1] = '\0'; 59 return 0; 60 } 61 62 /* 63 * Extract the description of a new key from userspace and either add it as a 64 * new key to the specified keyring or update a matching key in that keyring. 65 * 66 * If the description is NULL or an empty string, the key type is asked to 67 * generate one from the payload. 68 * 69 * The keyring must be writable so that we can attach the key to it. 70 * 71 * If successful, the new key's serial number is returned, otherwise an error 72 * code is returned. 73 */ 74 SYSCALL_DEFINE5(add_key, const char __user *, _type, 75 const char __user *, _description, 76 const void __user *, _payload, 77 size_t, plen, 78 key_serial_t, ringid) 79 { 80 key_ref_t keyring_ref, key_ref; 81 char type[32], *description; 82 void *payload; 83 long ret; 84 85 ret = -EINVAL; 86 if (plen > 1024 * 1024 - 1) 87 goto error; 88 89 /* draw all the data into kernel space */ 90 ret = key_get_type_from_user(type, _type, sizeof(type)); 91 if (ret < 0) 92 goto error; 93 94 description = NULL; 95 if (_description) { 96 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 97 if (IS_ERR(description)) { 98 ret = PTR_ERR(description); 99 goto error; 100 } 101 if (!*description) { 102 kfree(description); 103 description = NULL; 104 } else if ((description[0] == '.') && 105 (strncmp(type, "keyring", 7) == 0)) { 106 ret = -EPERM; 107 goto error2; 108 } 109 } 110 111 /* pull the payload in if one was supplied */ 112 payload = NULL; 113 114 if (plen) { 115 ret = -ENOMEM; 116 payload = kvmalloc(plen, GFP_KERNEL); 117 if (!payload) 118 goto error2; 119 120 ret = -EFAULT; 121 if (copy_from_user(payload, _payload, plen) != 0) 122 goto error3; 123 } 124 125 /* find the target keyring (which must be writable) */ 126 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 127 if (IS_ERR(keyring_ref)) { 128 ret = PTR_ERR(keyring_ref); 129 goto error3; 130 } 131 132 /* create or update the requested key and add it to the target 133 * keyring */ 134 key_ref = key_create_or_update(keyring_ref, type, description, 135 payload, plen, KEY_PERM_UNDEF, 136 KEY_ALLOC_IN_QUOTA); 137 if (!IS_ERR(key_ref)) { 138 ret = key_ref_to_ptr(key_ref)->serial; 139 key_ref_put(key_ref); 140 } 141 else { 142 ret = PTR_ERR(key_ref); 143 } 144 145 key_ref_put(keyring_ref); 146 error3: 147 kvfree_sensitive(payload, plen); 148 error2: 149 kfree(description); 150 error: 151 return ret; 152 } 153 154 /* 155 * Search the process keyrings and keyring trees linked from those for a 156 * matching key. Keyrings must have appropriate Search permission to be 157 * searched. 158 * 159 * If a key is found, it will be attached to the destination keyring if there's 160 * one specified and the serial number of the key will be returned. 161 * 162 * If no key is found, /sbin/request-key will be invoked if _callout_info is 163 * non-NULL in an attempt to create a key. The _callout_info string will be 164 * passed to /sbin/request-key to aid with completing the request. If the 165 * _callout_info string is "" then it will be changed to "-". 166 */ 167 SYSCALL_DEFINE4(request_key, const char __user *, _type, 168 const char __user *, _description, 169 const char __user *, _callout_info, 170 key_serial_t, destringid) 171 { 172 struct key_type *ktype; 173 struct key *key; 174 key_ref_t dest_ref; 175 size_t callout_len; 176 char type[32], *description, *callout_info; 177 long ret; 178 179 /* pull the type into kernel space */ 180 ret = key_get_type_from_user(type, _type, sizeof(type)); 181 if (ret < 0) 182 goto error; 183 184 /* pull the description into kernel space */ 185 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 186 if (IS_ERR(description)) { 187 ret = PTR_ERR(description); 188 goto error; 189 } 190 191 /* pull the callout info into kernel space */ 192 callout_info = NULL; 193 callout_len = 0; 194 if (_callout_info) { 195 callout_info = strndup_user(_callout_info, PAGE_SIZE); 196 if (IS_ERR(callout_info)) { 197 ret = PTR_ERR(callout_info); 198 goto error2; 199 } 200 callout_len = strlen(callout_info); 201 } 202 203 /* get the destination keyring if specified */ 204 dest_ref = NULL; 205 if (destringid) { 206 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 207 KEY_NEED_WRITE); 208 if (IS_ERR(dest_ref)) { 209 ret = PTR_ERR(dest_ref); 210 goto error3; 211 } 212 } 213 214 /* find the key type */ 215 ktype = key_type_lookup(type); 216 if (IS_ERR(ktype)) { 217 ret = PTR_ERR(ktype); 218 goto error4; 219 } 220 221 /* do the search */ 222 key = request_key_and_link(ktype, description, NULL, callout_info, 223 callout_len, NULL, key_ref_to_ptr(dest_ref), 224 KEY_ALLOC_IN_QUOTA); 225 if (IS_ERR(key)) { 226 ret = PTR_ERR(key); 227 goto error5; 228 } 229 230 /* wait for the key to finish being constructed */ 231 ret = wait_for_key_construction(key, 1); 232 if (ret < 0) 233 goto error6; 234 235 ret = key->serial; 236 237 error6: 238 key_put(key); 239 error5: 240 key_type_put(ktype); 241 error4: 242 key_ref_put(dest_ref); 243 error3: 244 kfree(callout_info); 245 error2: 246 kfree(description); 247 error: 248 return ret; 249 } 250 251 /* 252 * Get the ID of the specified process keyring. 253 * 254 * The requested keyring must have search permission to be found. 255 * 256 * If successful, the ID of the requested keyring will be returned. 257 */ 258 long keyctl_get_keyring_ID(key_serial_t id, int create) 259 { 260 key_ref_t key_ref; 261 unsigned long lflags; 262 long ret; 263 264 lflags = create ? KEY_LOOKUP_CREATE : 0; 265 key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH); 266 if (IS_ERR(key_ref)) { 267 ret = PTR_ERR(key_ref); 268 goto error; 269 } 270 271 ret = key_ref_to_ptr(key_ref)->serial; 272 key_ref_put(key_ref); 273 error: 274 return ret; 275 } 276 277 /* 278 * Join a (named) session keyring. 279 * 280 * Create and join an anonymous session keyring or join a named session 281 * keyring, creating it if necessary. A named session keyring must have Search 282 * permission for it to be joined. Session keyrings without this permit will 283 * be skipped over. It is not permitted for userspace to create or join 284 * keyrings whose name begin with a dot. 285 * 286 * If successful, the ID of the joined session keyring will be returned. 287 */ 288 long keyctl_join_session_keyring(const char __user *_name) 289 { 290 char *name; 291 long ret; 292 293 /* fetch the name from userspace */ 294 name = NULL; 295 if (_name) { 296 name = strndup_user(_name, KEY_MAX_DESC_SIZE); 297 if (IS_ERR(name)) { 298 ret = PTR_ERR(name); 299 goto error; 300 } 301 302 ret = -EPERM; 303 if (name[0] == '.') 304 goto error_name; 305 } 306 307 /* join the session */ 308 ret = join_session_keyring(name); 309 error_name: 310 kfree(name); 311 error: 312 return ret; 313 } 314 315 /* 316 * Update a key's data payload from the given data. 317 * 318 * The key must grant the caller Write permission and the key type must support 319 * updating for this to work. A negative key can be positively instantiated 320 * with this call. 321 * 322 * If successful, 0 will be returned. If the key type does not support 323 * updating, then -EOPNOTSUPP will be returned. 324 */ 325 long keyctl_update_key(key_serial_t id, 326 const void __user *_payload, 327 size_t plen) 328 { 329 key_ref_t key_ref; 330 void *payload; 331 long ret; 332 333 ret = -EINVAL; 334 if (plen > PAGE_SIZE) 335 goto error; 336 337 /* pull the payload in if one was supplied */ 338 payload = NULL; 339 if (plen) { 340 ret = -ENOMEM; 341 payload = kvmalloc(plen, GFP_KERNEL); 342 if (!payload) 343 goto error; 344 345 ret = -EFAULT; 346 if (copy_from_user(payload, _payload, plen) != 0) 347 goto error2; 348 } 349 350 /* find the target key (which must be writable) */ 351 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 352 if (IS_ERR(key_ref)) { 353 ret = PTR_ERR(key_ref); 354 goto error2; 355 } 356 357 /* update the key */ 358 ret = key_update(key_ref, payload, plen); 359 360 key_ref_put(key_ref); 361 error2: 362 kvfree_sensitive(payload, plen); 363 error: 364 return ret; 365 } 366 367 /* 368 * Revoke a key. 369 * 370 * The key must be grant the caller Write or Setattr permission for this to 371 * work. The key type should give up its quota claim when revoked. The key 372 * and any links to the key will be automatically garbage collected after a 373 * certain amount of time (/proc/sys/kernel/keys/gc_delay). 374 * 375 * Keys with KEY_FLAG_KEEP set should not be revoked. 376 * 377 * If successful, 0 is returned. 378 */ 379 long keyctl_revoke_key(key_serial_t id) 380 { 381 key_ref_t key_ref; 382 struct key *key; 383 long ret; 384 385 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 386 if (IS_ERR(key_ref)) { 387 ret = PTR_ERR(key_ref); 388 if (ret != -EACCES) 389 goto error; 390 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 391 if (IS_ERR(key_ref)) { 392 ret = PTR_ERR(key_ref); 393 goto error; 394 } 395 } 396 397 key = key_ref_to_ptr(key_ref); 398 ret = 0; 399 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 400 ret = -EPERM; 401 else 402 key_revoke(key); 403 404 key_ref_put(key_ref); 405 error: 406 return ret; 407 } 408 409 /* 410 * Invalidate a key. 411 * 412 * The key must be grant the caller Invalidate permission for this to work. 413 * The key and any links to the key will be automatically garbage collected 414 * immediately. 415 * 416 * Keys with KEY_FLAG_KEEP set should not be invalidated. 417 * 418 * If successful, 0 is returned. 419 */ 420 long keyctl_invalidate_key(key_serial_t id) 421 { 422 key_ref_t key_ref; 423 struct key *key; 424 long ret; 425 426 kenter("%d", id); 427 428 key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); 429 if (IS_ERR(key_ref)) { 430 ret = PTR_ERR(key_ref); 431 432 /* Root is permitted to invalidate certain special keys */ 433 if (capable(CAP_SYS_ADMIN)) { 434 key_ref = lookup_user_key(id, 0, KEY_SYSADMIN_OVERRIDE); 435 if (IS_ERR(key_ref)) 436 goto error; 437 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, 438 &key_ref_to_ptr(key_ref)->flags)) 439 goto invalidate; 440 goto error_put; 441 } 442 443 goto error; 444 } 445 446 invalidate: 447 key = key_ref_to_ptr(key_ref); 448 ret = 0; 449 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 450 ret = -EPERM; 451 else 452 key_invalidate(key); 453 error_put: 454 key_ref_put(key_ref); 455 error: 456 kleave(" = %ld", ret); 457 return ret; 458 } 459 460 /* 461 * Clear the specified keyring, creating an empty process keyring if one of the 462 * special keyring IDs is used. 463 * 464 * The keyring must grant the caller Write permission and not have 465 * KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned. 466 */ 467 long keyctl_keyring_clear(key_serial_t ringid) 468 { 469 key_ref_t keyring_ref; 470 struct key *keyring; 471 long ret; 472 473 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 474 if (IS_ERR(keyring_ref)) { 475 ret = PTR_ERR(keyring_ref); 476 477 /* Root is permitted to invalidate certain special keyrings */ 478 if (capable(CAP_SYS_ADMIN)) { 479 keyring_ref = lookup_user_key(ringid, 0, 480 KEY_SYSADMIN_OVERRIDE); 481 if (IS_ERR(keyring_ref)) 482 goto error; 483 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, 484 &key_ref_to_ptr(keyring_ref)->flags)) 485 goto clear; 486 goto error_put; 487 } 488 489 goto error; 490 } 491 492 clear: 493 keyring = key_ref_to_ptr(keyring_ref); 494 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 495 ret = -EPERM; 496 else 497 ret = keyring_clear(keyring); 498 error_put: 499 key_ref_put(keyring_ref); 500 error: 501 return ret; 502 } 503 504 /* 505 * Create a link from a keyring to a key if there's no matching key in the 506 * keyring, otherwise replace the link to the matching key with a link to the 507 * new key. 508 * 509 * The key must grant the caller Link permission and the keyring must grant 510 * the caller Write permission. Furthermore, if an additional link is created, 511 * the keyring's quota will be extended. 512 * 513 * If successful, 0 will be returned. 514 */ 515 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 516 { 517 key_ref_t keyring_ref, key_ref; 518 long ret; 519 520 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 521 if (IS_ERR(keyring_ref)) { 522 ret = PTR_ERR(keyring_ref); 523 goto error; 524 } 525 526 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 527 if (IS_ERR(key_ref)) { 528 ret = PTR_ERR(key_ref); 529 goto error2; 530 } 531 532 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 533 534 key_ref_put(key_ref); 535 error2: 536 key_ref_put(keyring_ref); 537 error: 538 return ret; 539 } 540 541 /* 542 * Unlink a key from a keyring. 543 * 544 * The keyring must grant the caller Write permission for this to work; the key 545 * itself need not grant the caller anything. If the last link to a key is 546 * removed then that key will be scheduled for destruction. 547 * 548 * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. 549 * 550 * If successful, 0 will be returned. 551 */ 552 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 553 { 554 key_ref_t keyring_ref, key_ref; 555 struct key *keyring, *key; 556 long ret; 557 558 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); 559 if (IS_ERR(keyring_ref)) { 560 ret = PTR_ERR(keyring_ref); 561 goto error; 562 } 563 564 key_ref = lookup_user_key(id, KEY_LOOKUP_PARTIAL, KEY_NEED_UNLINK); 565 if (IS_ERR(key_ref)) { 566 ret = PTR_ERR(key_ref); 567 goto error2; 568 } 569 570 keyring = key_ref_to_ptr(keyring_ref); 571 key = key_ref_to_ptr(key_ref); 572 if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && 573 test_bit(KEY_FLAG_KEEP, &key->flags)) 574 ret = -EPERM; 575 else 576 ret = key_unlink(keyring, key); 577 578 key_ref_put(key_ref); 579 error2: 580 key_ref_put(keyring_ref); 581 error: 582 return ret; 583 } 584 585 /* 586 * Move a link to a key from one keyring to another, displacing any matching 587 * key from the destination keyring. 588 * 589 * The key must grant the caller Link permission and both keyrings must grant 590 * the caller Write permission. There must also be a link in the from keyring 591 * to the key. If both keyrings are the same, nothing is done. 592 * 593 * If successful, 0 will be returned. 594 */ 595 long keyctl_keyring_move(key_serial_t id, key_serial_t from_ringid, 596 key_serial_t to_ringid, unsigned int flags) 597 { 598 key_ref_t key_ref, from_ref, to_ref; 599 long ret; 600 601 if (flags & ~KEYCTL_MOVE_EXCL) 602 return -EINVAL; 603 604 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 605 if (IS_ERR(key_ref)) 606 return PTR_ERR(key_ref); 607 608 from_ref = lookup_user_key(from_ringid, 0, KEY_NEED_WRITE); 609 if (IS_ERR(from_ref)) { 610 ret = PTR_ERR(from_ref); 611 goto error2; 612 } 613 614 to_ref = lookup_user_key(to_ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 615 if (IS_ERR(to_ref)) { 616 ret = PTR_ERR(to_ref); 617 goto error3; 618 } 619 620 ret = key_move(key_ref_to_ptr(key_ref), key_ref_to_ptr(from_ref), 621 key_ref_to_ptr(to_ref), flags); 622 623 key_ref_put(to_ref); 624 error3: 625 key_ref_put(from_ref); 626 error2: 627 key_ref_put(key_ref); 628 return ret; 629 } 630 631 /* 632 * Return a description of a key to userspace. 633 * 634 * The key must grant the caller View permission for this to work. 635 * 636 * If there's a buffer, we place up to buflen bytes of data into it formatted 637 * in the following way: 638 * 639 * type;uid;gid;perm;description<NUL> 640 * 641 * If successful, we return the amount of description available, irrespective 642 * of how much we may have copied into the buffer. 643 */ 644 long keyctl_describe_key(key_serial_t keyid, 645 char __user *buffer, 646 size_t buflen) 647 { 648 struct key *key, *instkey; 649 key_ref_t key_ref; 650 char *infobuf; 651 long ret; 652 int desclen, infolen; 653 654 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 655 if (IS_ERR(key_ref)) { 656 /* viewing a key under construction is permitted if we have the 657 * authorisation token handy */ 658 if (PTR_ERR(key_ref) == -EACCES) { 659 instkey = key_get_instantiation_authkey(keyid); 660 if (!IS_ERR(instkey)) { 661 key_put(instkey); 662 key_ref = lookup_user_key(keyid, 663 KEY_LOOKUP_PARTIAL, 664 KEY_AUTHTOKEN_OVERRIDE); 665 if (!IS_ERR(key_ref)) 666 goto okay; 667 } 668 } 669 670 ret = PTR_ERR(key_ref); 671 goto error; 672 } 673 674 okay: 675 key = key_ref_to_ptr(key_ref); 676 desclen = strlen(key->description); 677 678 /* calculate how much information we're going to return */ 679 ret = -ENOMEM; 680 infobuf = kasprintf(GFP_KERNEL, 681 "%s;%d;%d;%08x;", 682 key->type->name, 683 from_kuid_munged(current_user_ns(), key->uid), 684 from_kgid_munged(current_user_ns(), key->gid), 685 key->perm); 686 if (!infobuf) 687 goto error2; 688 infolen = strlen(infobuf); 689 ret = infolen + desclen + 1; 690 691 /* consider returning the data */ 692 if (buffer && buflen >= ret) { 693 if (copy_to_user(buffer, infobuf, infolen) != 0 || 694 copy_to_user(buffer + infolen, key->description, 695 desclen + 1) != 0) 696 ret = -EFAULT; 697 } 698 699 kfree(infobuf); 700 error2: 701 key_ref_put(key_ref); 702 error: 703 return ret; 704 } 705 706 /* 707 * Search the specified keyring and any keyrings it links to for a matching 708 * key. Only keyrings that grant the caller Search permission will be searched 709 * (this includes the starting keyring). Only keys with Search permission can 710 * be found. 711 * 712 * If successful, the found key will be linked to the destination keyring if 713 * supplied and the key has Link permission, and the found key ID will be 714 * returned. 715 */ 716 long keyctl_keyring_search(key_serial_t ringid, 717 const char __user *_type, 718 const char __user *_description, 719 key_serial_t destringid) 720 { 721 struct key_type *ktype; 722 key_ref_t keyring_ref, key_ref, dest_ref; 723 char type[32], *description; 724 long ret; 725 726 /* pull the type and description into kernel space */ 727 ret = key_get_type_from_user(type, _type, sizeof(type)); 728 if (ret < 0) 729 goto error; 730 731 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 732 if (IS_ERR(description)) { 733 ret = PTR_ERR(description); 734 goto error; 735 } 736 737 /* get the keyring at which to begin the search */ 738 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH); 739 if (IS_ERR(keyring_ref)) { 740 ret = PTR_ERR(keyring_ref); 741 goto error2; 742 } 743 744 /* get the destination keyring if specified */ 745 dest_ref = NULL; 746 if (destringid) { 747 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 748 KEY_NEED_WRITE); 749 if (IS_ERR(dest_ref)) { 750 ret = PTR_ERR(dest_ref); 751 goto error3; 752 } 753 } 754 755 /* find the key type */ 756 ktype = key_type_lookup(type); 757 if (IS_ERR(ktype)) { 758 ret = PTR_ERR(ktype); 759 goto error4; 760 } 761 762 /* do the search */ 763 key_ref = keyring_search(keyring_ref, ktype, description, true); 764 if (IS_ERR(key_ref)) { 765 ret = PTR_ERR(key_ref); 766 767 /* treat lack or presence of a negative key the same */ 768 if (ret == -EAGAIN) 769 ret = -ENOKEY; 770 goto error5; 771 } 772 773 /* link the resulting key to the destination keyring if we can */ 774 if (dest_ref) { 775 ret = key_permission(key_ref, KEY_NEED_LINK); 776 if (ret < 0) 777 goto error6; 778 779 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 780 if (ret < 0) 781 goto error6; 782 } 783 784 ret = key_ref_to_ptr(key_ref)->serial; 785 786 error6: 787 key_ref_put(key_ref); 788 error5: 789 key_type_put(ktype); 790 error4: 791 key_ref_put(dest_ref); 792 error3: 793 key_ref_put(keyring_ref); 794 error2: 795 kfree(description); 796 error: 797 return ret; 798 } 799 800 /* 801 * Call the read method 802 */ 803 static long __keyctl_read_key(struct key *key, char *buffer, size_t buflen) 804 { 805 long ret; 806 807 down_read(&key->sem); 808 ret = key_validate(key); 809 if (ret == 0) 810 ret = key->type->read(key, buffer, buflen); 811 up_read(&key->sem); 812 return ret; 813 } 814 815 /* 816 * Read a key's payload. 817 * 818 * The key must either grant the caller Read permission, or it must grant the 819 * caller Search permission when searched for from the process keyrings. 820 * 821 * If successful, we place up to buflen bytes of data into the buffer, if one 822 * is provided, and return the amount of data that is available in the key, 823 * irrespective of how much we copied into the buffer. 824 */ 825 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 826 { 827 struct key *key; 828 key_ref_t key_ref; 829 long ret; 830 char *key_data = NULL; 831 size_t key_data_len; 832 833 /* find the key first */ 834 key_ref = lookup_user_key(keyid, 0, KEY_DEFER_PERM_CHECK); 835 if (IS_ERR(key_ref)) { 836 ret = -ENOKEY; 837 goto out; 838 } 839 840 key = key_ref_to_ptr(key_ref); 841 842 ret = key_read_state(key); 843 if (ret < 0) 844 goto key_put_out; /* Negatively instantiated */ 845 846 /* see if we can read it directly */ 847 ret = key_permission(key_ref, KEY_NEED_READ); 848 if (ret == 0) 849 goto can_read_key; 850 if (ret != -EACCES) 851 goto key_put_out; 852 853 /* we can't; see if it's searchable from this process's keyrings 854 * - we automatically take account of the fact that it may be 855 * dangling off an instantiation key 856 */ 857 if (!is_key_possessed(key_ref)) { 858 ret = -EACCES; 859 goto key_put_out; 860 } 861 862 /* the key is probably readable - now try to read it */ 863 can_read_key: 864 if (!key->type->read) { 865 ret = -EOPNOTSUPP; 866 goto key_put_out; 867 } 868 869 if (!buffer || !buflen) { 870 /* Get the key length from the read method */ 871 ret = __keyctl_read_key(key, NULL, 0); 872 goto key_put_out; 873 } 874 875 /* 876 * Read the data with the semaphore held (since we might sleep) 877 * to protect against the key being updated or revoked. 878 * 879 * Allocating a temporary buffer to hold the keys before 880 * transferring them to user buffer to avoid potential 881 * deadlock involving page fault and mmap_lock. 882 * 883 * key_data_len = (buflen <= PAGE_SIZE) 884 * ? buflen : actual length of key data 885 * 886 * This prevents allocating arbitrary large buffer which can 887 * be much larger than the actual key length. In the latter case, 888 * at least 2 passes of this loop is required. 889 */ 890 key_data_len = (buflen <= PAGE_SIZE) ? buflen : 0; 891 for (;;) { 892 if (key_data_len) { 893 key_data = kvmalloc(key_data_len, GFP_KERNEL); 894 if (!key_data) { 895 ret = -ENOMEM; 896 goto key_put_out; 897 } 898 } 899 900 ret = __keyctl_read_key(key, key_data, key_data_len); 901 902 /* 903 * Read methods will just return the required length without 904 * any copying if the provided length isn't large enough. 905 */ 906 if (ret <= 0 || ret > buflen) 907 break; 908 909 /* 910 * The key may change (unlikely) in between 2 consecutive 911 * __keyctl_read_key() calls. In this case, we reallocate 912 * a larger buffer and redo the key read when 913 * key_data_len < ret <= buflen. 914 */ 915 if (ret > key_data_len) { 916 if (unlikely(key_data)) 917 kvfree_sensitive(key_data, key_data_len); 918 key_data_len = ret; 919 continue; /* Allocate buffer */ 920 } 921 922 if (copy_to_user(buffer, key_data, ret)) 923 ret = -EFAULT; 924 break; 925 } 926 kvfree_sensitive(key_data, key_data_len); 927 928 key_put_out: 929 key_put(key); 930 out: 931 return ret; 932 } 933 934 /* 935 * Change the ownership of a key 936 * 937 * The key must grant the caller Setattr permission for this to work, though 938 * the key need not be fully instantiated yet. For the UID to be changed, or 939 * for the GID to be changed to a group the caller is not a member of, the 940 * caller must have sysadmin capability. If either uid or gid is -1 then that 941 * attribute is not changed. 942 * 943 * If the UID is to be changed, the new user must have sufficient quota to 944 * accept the key. The quota deduction will be removed from the old user to 945 * the new user should the attribute be changed. 946 * 947 * If successful, 0 will be returned. 948 */ 949 long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) 950 { 951 struct key_user *newowner, *zapowner = NULL; 952 struct key *key; 953 key_ref_t key_ref; 954 long ret; 955 kuid_t uid; 956 kgid_t gid; 957 unsigned long flags; 958 959 uid = make_kuid(current_user_ns(), user); 960 gid = make_kgid(current_user_ns(), group); 961 ret = -EINVAL; 962 if ((user != (uid_t) -1) && !uid_valid(uid)) 963 goto error; 964 if ((group != (gid_t) -1) && !gid_valid(gid)) 965 goto error; 966 967 ret = 0; 968 if (user == (uid_t) -1 && group == (gid_t) -1) 969 goto error; 970 971 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 972 KEY_NEED_SETATTR); 973 if (IS_ERR(key_ref)) { 974 ret = PTR_ERR(key_ref); 975 goto error; 976 } 977 978 key = key_ref_to_ptr(key_ref); 979 980 /* make the changes with the locks held to prevent chown/chown races */ 981 ret = -EACCES; 982 down_write(&key->sem); 983 984 { 985 bool is_privileged_op = false; 986 987 /* only the sysadmin can chown a key to some other UID */ 988 if (user != (uid_t) -1 && !uid_eq(key->uid, uid)) 989 is_privileged_op = true; 990 991 /* only the sysadmin can set the key's GID to a group other 992 * than one of those that the current process subscribes to */ 993 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid)) 994 is_privileged_op = true; 995 996 if (is_privileged_op && !capable(CAP_SYS_ADMIN)) 997 goto error_put; 998 } 999 1000 /* change the UID */ 1001 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) { 1002 ret = -ENOMEM; 1003 newowner = key_user_lookup(uid); 1004 if (!newowner) 1005 goto error_put; 1006 1007 /* transfer the quota burden to the new user */ 1008 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 1009 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 1010 key_quota_root_maxkeys : key_quota_maxkeys; 1011 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 1012 key_quota_root_maxbytes : key_quota_maxbytes; 1013 1014 spin_lock_irqsave(&newowner->lock, flags); 1015 if (newowner->qnkeys + 1 > maxkeys || 1016 newowner->qnbytes + key->quotalen > maxbytes || 1017 newowner->qnbytes + key->quotalen < 1018 newowner->qnbytes) 1019 goto quota_overrun; 1020 1021 newowner->qnkeys++; 1022 newowner->qnbytes += key->quotalen; 1023 spin_unlock_irqrestore(&newowner->lock, flags); 1024 1025 spin_lock_irqsave(&key->user->lock, flags); 1026 key->user->qnkeys--; 1027 key->user->qnbytes -= key->quotalen; 1028 spin_unlock_irqrestore(&key->user->lock, flags); 1029 } 1030 1031 atomic_dec(&key->user->nkeys); 1032 atomic_inc(&newowner->nkeys); 1033 1034 if (key->state != KEY_IS_UNINSTANTIATED) { 1035 atomic_dec(&key->user->nikeys); 1036 atomic_inc(&newowner->nikeys); 1037 } 1038 1039 zapowner = key->user; 1040 key->user = newowner; 1041 key->uid = uid; 1042 } 1043 1044 /* change the GID */ 1045 if (group != (gid_t) -1) 1046 key->gid = gid; 1047 1048 notify_key(key, NOTIFY_KEY_SETATTR, 0); 1049 ret = 0; 1050 1051 error_put: 1052 up_write(&key->sem); 1053 key_put(key); 1054 if (zapowner) 1055 key_user_put(zapowner); 1056 error: 1057 return ret; 1058 1059 quota_overrun: 1060 spin_unlock_irqrestore(&newowner->lock, flags); 1061 zapowner = newowner; 1062 ret = -EDQUOT; 1063 goto error_put; 1064 } 1065 1066 /* 1067 * Change the permission mask on a key. 1068 * 1069 * The key must grant the caller Setattr permission for this to work, though 1070 * the key need not be fully instantiated yet. If the caller does not have 1071 * sysadmin capability, it may only change the permission on keys that it owns. 1072 */ 1073 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 1074 { 1075 struct key *key; 1076 key_ref_t key_ref; 1077 long ret; 1078 1079 ret = -EINVAL; 1080 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 1081 goto error; 1082 1083 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1084 KEY_NEED_SETATTR); 1085 if (IS_ERR(key_ref)) { 1086 ret = PTR_ERR(key_ref); 1087 goto error; 1088 } 1089 1090 key = key_ref_to_ptr(key_ref); 1091 1092 /* make the changes with the locks held to prevent chown/chmod races */ 1093 ret = -EACCES; 1094 down_write(&key->sem); 1095 1096 /* if we're not the sysadmin, we can only change a key that we own */ 1097 if (uid_eq(key->uid, current_fsuid()) || capable(CAP_SYS_ADMIN)) { 1098 key->perm = perm; 1099 notify_key(key, NOTIFY_KEY_SETATTR, 0); 1100 ret = 0; 1101 } 1102 1103 up_write(&key->sem); 1104 key_put(key); 1105 error: 1106 return ret; 1107 } 1108 1109 /* 1110 * Get the destination keyring for instantiation and check that the caller has 1111 * Write permission on it. 1112 */ 1113 static long get_instantiation_keyring(key_serial_t ringid, 1114 struct request_key_auth *rka, 1115 struct key **_dest_keyring) 1116 { 1117 key_ref_t dkref; 1118 1119 *_dest_keyring = NULL; 1120 1121 /* just return a NULL pointer if we weren't asked to make a link */ 1122 if (ringid == 0) 1123 return 0; 1124 1125 /* if a specific keyring is nominated by ID, then use that */ 1126 if (ringid > 0) { 1127 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 1128 if (IS_ERR(dkref)) 1129 return PTR_ERR(dkref); 1130 *_dest_keyring = key_ref_to_ptr(dkref); 1131 return 0; 1132 } 1133 1134 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 1135 return -EINVAL; 1136 1137 /* otherwise specify the destination keyring recorded in the 1138 * authorisation key (any KEY_SPEC_*_KEYRING) */ 1139 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 1140 *_dest_keyring = key_get(rka->dest_keyring); 1141 return 0; 1142 } 1143 1144 return -ENOKEY; 1145 } 1146 1147 /* 1148 * Change the request_key authorisation key on the current process. 1149 */ 1150 static int keyctl_change_reqkey_auth(struct key *key) 1151 { 1152 struct cred *new; 1153 1154 new = prepare_creds(); 1155 if (!new) 1156 return -ENOMEM; 1157 1158 key_put(new->request_key_auth); 1159 new->request_key_auth = key_get(key); 1160 1161 return commit_creds(new); 1162 } 1163 1164 /* 1165 * Instantiate a key with the specified payload and link the key into the 1166 * destination keyring if one is given. 1167 * 1168 * The caller must have the appropriate instantiation permit set for this to 1169 * work (see keyctl_assume_authority). No other permissions are required. 1170 * 1171 * If successful, 0 will be returned. 1172 */ 1173 static long keyctl_instantiate_key_common(key_serial_t id, 1174 struct iov_iter *from, 1175 key_serial_t ringid) 1176 { 1177 const struct cred *cred = current_cred(); 1178 struct request_key_auth *rka; 1179 struct key *instkey, *dest_keyring; 1180 size_t plen = from ? iov_iter_count(from) : 0; 1181 void *payload; 1182 long ret; 1183 1184 kenter("%d,,%zu,%d", id, plen, ringid); 1185 1186 if (!plen) 1187 from = NULL; 1188 1189 ret = -EINVAL; 1190 if (plen > 1024 * 1024 - 1) 1191 goto error; 1192 1193 /* the appropriate instantiation authorisation key must have been 1194 * assumed before calling this */ 1195 ret = -EPERM; 1196 instkey = cred->request_key_auth; 1197 if (!instkey) 1198 goto error; 1199 1200 rka = request_key_auth_get(instkey); 1201 if (!rka) { 1202 ret = -EKEYREVOKED; 1203 goto error; 1204 } 1205 if (rka->target_key->serial != id) 1206 goto error_put_rka; 1207 1208 /* pull the payload in if one was supplied */ 1209 payload = NULL; 1210 1211 if (from) { 1212 ret = -ENOMEM; 1213 payload = kvmalloc(plen, GFP_KERNEL); 1214 if (!payload) 1215 goto error_put_rka; 1216 1217 ret = -EFAULT; 1218 if (!copy_from_iter_full(payload, plen, from)) 1219 goto error2; 1220 } 1221 1222 /* find the destination keyring amongst those belonging to the 1223 * requesting task */ 1224 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1225 if (ret < 0) 1226 goto error2; 1227 1228 /* instantiate the key and link it into a keyring */ 1229 ret = key_instantiate_and_link(rka->target_key, payload, plen, 1230 dest_keyring, instkey); 1231 1232 key_put(dest_keyring); 1233 1234 /* discard the assumed authority if it's just been disabled by 1235 * instantiation of the key */ 1236 if (ret == 0) 1237 keyctl_change_reqkey_auth(NULL); 1238 1239 error2: 1240 kvfree_sensitive(payload, plen); 1241 error_put_rka: 1242 request_key_auth_put(rka); 1243 error: 1244 return ret; 1245 } 1246 1247 /* 1248 * Instantiate a key with the specified payload and link the key into the 1249 * destination keyring if one is given. 1250 * 1251 * The caller must have the appropriate instantiation permit set for this to 1252 * work (see keyctl_assume_authority). No other permissions are required. 1253 * 1254 * If successful, 0 will be returned. 1255 */ 1256 long keyctl_instantiate_key(key_serial_t id, 1257 const void __user *_payload, 1258 size_t plen, 1259 key_serial_t ringid) 1260 { 1261 if (_payload && plen) { 1262 struct iov_iter from; 1263 int ret; 1264 1265 ret = import_ubuf(ITER_SOURCE, (void __user *)_payload, plen, 1266 &from); 1267 if (unlikely(ret)) 1268 return ret; 1269 1270 return keyctl_instantiate_key_common(id, &from, ringid); 1271 } 1272 1273 return keyctl_instantiate_key_common(id, NULL, ringid); 1274 } 1275 1276 /* 1277 * Instantiate a key with the specified multipart payload and link the key into 1278 * the destination keyring if one is given. 1279 * 1280 * The caller must have the appropriate instantiation permit set for this to 1281 * work (see keyctl_assume_authority). No other permissions are required. 1282 * 1283 * If successful, 0 will be returned. 1284 */ 1285 long keyctl_instantiate_key_iov(key_serial_t id, 1286 const struct iovec __user *_payload_iov, 1287 unsigned ioc, 1288 key_serial_t ringid) 1289 { 1290 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; 1291 struct iov_iter from; 1292 long ret; 1293 1294 if (!_payload_iov) 1295 ioc = 0; 1296 1297 ret = import_iovec(ITER_SOURCE, _payload_iov, ioc, 1298 ARRAY_SIZE(iovstack), &iov, &from); 1299 if (ret < 0) 1300 return ret; 1301 ret = keyctl_instantiate_key_common(id, &from, ringid); 1302 kfree(iov); 1303 return ret; 1304 } 1305 1306 /* 1307 * Negatively instantiate the key with the given timeout (in seconds) and link 1308 * the key into the destination keyring if one is given. 1309 * 1310 * The caller must have the appropriate instantiation permit set for this to 1311 * work (see keyctl_assume_authority). No other permissions are required. 1312 * 1313 * The key and any links to the key will be automatically garbage collected 1314 * after the timeout expires. 1315 * 1316 * Negative keys are used to rate limit repeated request_key() calls by causing 1317 * them to return -ENOKEY until the negative key expires. 1318 * 1319 * If successful, 0 will be returned. 1320 */ 1321 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 1322 { 1323 return keyctl_reject_key(id, timeout, ENOKEY, ringid); 1324 } 1325 1326 /* 1327 * Negatively instantiate the key with the given timeout (in seconds) and error 1328 * code and link the key into the destination keyring if one is given. 1329 * 1330 * The caller must have the appropriate instantiation permit set for this to 1331 * work (see keyctl_assume_authority). No other permissions are required. 1332 * 1333 * The key and any links to the key will be automatically garbage collected 1334 * after the timeout expires. 1335 * 1336 * Negative keys are used to rate limit repeated request_key() calls by causing 1337 * them to return the specified error code until the negative key expires. 1338 * 1339 * If successful, 0 will be returned. 1340 */ 1341 long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, 1342 key_serial_t ringid) 1343 { 1344 const struct cred *cred = current_cred(); 1345 struct request_key_auth *rka; 1346 struct key *instkey, *dest_keyring; 1347 long ret; 1348 1349 kenter("%d,%u,%u,%d", id, timeout, error, ringid); 1350 1351 /* must be a valid error code and mustn't be a kernel special */ 1352 if (error <= 0 || 1353 error >= MAX_ERRNO || 1354 error == ERESTARTSYS || 1355 error == ERESTARTNOINTR || 1356 error == ERESTARTNOHAND || 1357 error == ERESTART_RESTARTBLOCK) 1358 return -EINVAL; 1359 1360 /* the appropriate instantiation authorisation key must have been 1361 * assumed before calling this */ 1362 ret = -EPERM; 1363 instkey = cred->request_key_auth; 1364 if (!instkey) 1365 goto error; 1366 1367 rka = request_key_auth_get(instkey); 1368 if (!rka) { 1369 ret = -EKEYREVOKED; 1370 goto error; 1371 } 1372 if (rka->target_key->serial != id) 1373 goto error_put_rka; 1374 1375 /* find the destination keyring if present (which must also be 1376 * writable) */ 1377 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1378 if (ret < 0) 1379 goto error_put_rka; 1380 1381 /* instantiate the key and link it into a keyring */ 1382 ret = key_reject_and_link(rka->target_key, timeout, error, 1383 dest_keyring, instkey); 1384 1385 key_put(dest_keyring); 1386 1387 /* discard the assumed authority if it's just been disabled by 1388 * instantiation of the key */ 1389 if (ret == 0) 1390 keyctl_change_reqkey_auth(NULL); 1391 1392 error_put_rka: 1393 request_key_auth_put(rka); 1394 error: 1395 return ret; 1396 } 1397 1398 /* 1399 * Read or set the default keyring in which request_key() will cache keys and 1400 * return the old setting. 1401 * 1402 * If a thread or process keyring is specified then it will be created if it 1403 * doesn't yet exist. The old setting will be returned if successful. 1404 */ 1405 long keyctl_set_reqkey_keyring(int reqkey_defl) 1406 { 1407 struct cred *new; 1408 int ret, old_setting; 1409 1410 old_setting = current_cred_xxx(jit_keyring); 1411 1412 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1413 return old_setting; 1414 1415 new = prepare_creds(); 1416 if (!new) 1417 return -ENOMEM; 1418 1419 switch (reqkey_defl) { 1420 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1421 ret = install_thread_keyring_to_cred(new); 1422 if (ret < 0) 1423 goto error; 1424 goto set; 1425 1426 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1427 ret = install_process_keyring_to_cred(new); 1428 if (ret < 0) 1429 goto error; 1430 goto set; 1431 1432 case KEY_REQKEY_DEFL_DEFAULT: 1433 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1434 case KEY_REQKEY_DEFL_USER_KEYRING: 1435 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1436 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1437 goto set; 1438 1439 case KEY_REQKEY_DEFL_NO_CHANGE: 1440 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1441 default: 1442 ret = -EINVAL; 1443 goto error; 1444 } 1445 1446 set: 1447 new->jit_keyring = reqkey_defl; 1448 commit_creds(new); 1449 return old_setting; 1450 error: 1451 abort_creds(new); 1452 return ret; 1453 } 1454 1455 /* 1456 * Set or clear the timeout on a key. 1457 * 1458 * Either the key must grant the caller Setattr permission or else the caller 1459 * must hold an instantiation authorisation token for the key. 1460 * 1461 * The timeout is either 0 to clear the timeout, or a number of seconds from 1462 * the current time. The key and any links to the key will be automatically 1463 * garbage collected after the timeout expires. 1464 * 1465 * Keys with KEY_FLAG_KEEP set should not be timed out. 1466 * 1467 * If successful, 0 is returned. 1468 */ 1469 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1470 { 1471 struct key *key, *instkey; 1472 key_ref_t key_ref; 1473 long ret; 1474 1475 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1476 KEY_NEED_SETATTR); 1477 if (IS_ERR(key_ref)) { 1478 /* setting the timeout on a key under construction is permitted 1479 * if we have the authorisation token handy */ 1480 if (PTR_ERR(key_ref) == -EACCES) { 1481 instkey = key_get_instantiation_authkey(id); 1482 if (!IS_ERR(instkey)) { 1483 key_put(instkey); 1484 key_ref = lookup_user_key(id, 1485 KEY_LOOKUP_PARTIAL, 1486 KEY_AUTHTOKEN_OVERRIDE); 1487 if (!IS_ERR(key_ref)) 1488 goto okay; 1489 } 1490 } 1491 1492 ret = PTR_ERR(key_ref); 1493 goto error; 1494 } 1495 1496 okay: 1497 key = key_ref_to_ptr(key_ref); 1498 ret = 0; 1499 if (test_bit(KEY_FLAG_KEEP, &key->flags)) { 1500 ret = -EPERM; 1501 } else { 1502 key_set_timeout(key, timeout); 1503 notify_key(key, NOTIFY_KEY_SETATTR, 0); 1504 } 1505 key_put(key); 1506 1507 error: 1508 return ret; 1509 } 1510 1511 /* 1512 * Assume (or clear) the authority to instantiate the specified key. 1513 * 1514 * This sets the authoritative token currently in force for key instantiation. 1515 * This must be done for a key to be instantiated. It has the effect of making 1516 * available all the keys from the caller of the request_key() that created a 1517 * key to request_key() calls made by the caller of this function. 1518 * 1519 * The caller must have the instantiation key in their process keyrings with a 1520 * Search permission grant available to the caller. 1521 * 1522 * If the ID given is 0, then the setting will be cleared and 0 returned. 1523 * 1524 * If the ID given has a matching an authorisation key, then that key will be 1525 * set and its ID will be returned. The authorisation key can be read to get 1526 * the callout information passed to request_key(). 1527 */ 1528 long keyctl_assume_authority(key_serial_t id) 1529 { 1530 struct key *authkey; 1531 long ret; 1532 1533 /* special key IDs aren't permitted */ 1534 ret = -EINVAL; 1535 if (id < 0) 1536 goto error; 1537 1538 /* we divest ourselves of authority if given an ID of 0 */ 1539 if (id == 0) { 1540 ret = keyctl_change_reqkey_auth(NULL); 1541 goto error; 1542 } 1543 1544 /* attempt to assume the authority temporarily granted to us whilst we 1545 * instantiate the specified key 1546 * - the authorisation key must be in the current task's keyrings 1547 * somewhere 1548 */ 1549 authkey = key_get_instantiation_authkey(id); 1550 if (IS_ERR(authkey)) { 1551 ret = PTR_ERR(authkey); 1552 goto error; 1553 } 1554 1555 ret = keyctl_change_reqkey_auth(authkey); 1556 if (ret == 0) 1557 ret = authkey->serial; 1558 key_put(authkey); 1559 error: 1560 return ret; 1561 } 1562 1563 /* 1564 * Get a key's the LSM security label. 1565 * 1566 * The key must grant the caller View permission for this to work. 1567 * 1568 * If there's a buffer, then up to buflen bytes of data will be placed into it. 1569 * 1570 * If successful, the amount of information available will be returned, 1571 * irrespective of how much was copied (including the terminal NUL). 1572 */ 1573 long keyctl_get_security(key_serial_t keyid, 1574 char __user *buffer, 1575 size_t buflen) 1576 { 1577 struct key *key, *instkey; 1578 key_ref_t key_ref; 1579 char *context; 1580 long ret; 1581 1582 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 1583 if (IS_ERR(key_ref)) { 1584 if (PTR_ERR(key_ref) != -EACCES) 1585 return PTR_ERR(key_ref); 1586 1587 /* viewing a key under construction is also permitted if we 1588 * have the authorisation token handy */ 1589 instkey = key_get_instantiation_authkey(keyid); 1590 if (IS_ERR(instkey)) 1591 return PTR_ERR(instkey); 1592 key_put(instkey); 1593 1594 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 1595 KEY_AUTHTOKEN_OVERRIDE); 1596 if (IS_ERR(key_ref)) 1597 return PTR_ERR(key_ref); 1598 } 1599 1600 key = key_ref_to_ptr(key_ref); 1601 ret = security_key_getsecurity(key, &context); 1602 if (ret == 0) { 1603 /* if no information was returned, give userspace an empty 1604 * string */ 1605 ret = 1; 1606 if (buffer && buflen > 0 && 1607 copy_to_user(buffer, "", 1) != 0) 1608 ret = -EFAULT; 1609 } else if (ret > 0) { 1610 /* return as much data as there's room for */ 1611 if (buffer && buflen > 0) { 1612 if (buflen > ret) 1613 buflen = ret; 1614 1615 if (copy_to_user(buffer, context, buflen) != 0) 1616 ret = -EFAULT; 1617 } 1618 1619 kfree(context); 1620 } 1621 1622 key_ref_put(key_ref); 1623 return ret; 1624 } 1625 1626 /* 1627 * Attempt to install the calling process's session keyring on the process's 1628 * parent process. 1629 * 1630 * The keyring must exist and must grant the caller LINK permission, and the 1631 * parent process must be single-threaded and must have the same effective 1632 * ownership as this process and mustn't be SUID/SGID. 1633 * 1634 * The keyring will be emplaced on the parent when it next resumes userspace. 1635 * 1636 * If successful, 0 will be returned. 1637 */ 1638 long keyctl_session_to_parent(void) 1639 { 1640 struct task_struct *me, *parent; 1641 const struct cred *mycred, *pcred; 1642 struct callback_head *newwork, *oldwork; 1643 key_ref_t keyring_r; 1644 struct cred *cred; 1645 int ret; 1646 1647 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK); 1648 if (IS_ERR(keyring_r)) 1649 return PTR_ERR(keyring_r); 1650 1651 ret = -ENOMEM; 1652 1653 /* our parent is going to need a new cred struct, a new tgcred struct 1654 * and new security data, so we allocate them here to prevent ENOMEM in 1655 * our parent */ 1656 cred = cred_alloc_blank(); 1657 if (!cred) 1658 goto error_keyring; 1659 newwork = &cred->rcu; 1660 1661 cred->session_keyring = key_ref_to_ptr(keyring_r); 1662 keyring_r = NULL; 1663 init_task_work(newwork, key_change_session_keyring); 1664 1665 me = current; 1666 rcu_read_lock(); 1667 write_lock_irq(&tasklist_lock); 1668 1669 ret = -EPERM; 1670 oldwork = NULL; 1671 parent = rcu_dereference_protected(me->real_parent, 1672 lockdep_is_held(&tasklist_lock)); 1673 1674 /* the parent mustn't be init and mustn't be a kernel thread */ 1675 if (parent->pid <= 1 || !parent->mm) 1676 goto unlock; 1677 1678 /* the parent must be single threaded */ 1679 if (!thread_group_empty(parent)) 1680 goto unlock; 1681 1682 /* the parent and the child must have different session keyrings or 1683 * there's no point */ 1684 mycred = current_cred(); 1685 pcred = __task_cred(parent); 1686 if (mycred == pcred || 1687 mycred->session_keyring == pcred->session_keyring) { 1688 ret = 0; 1689 goto unlock; 1690 } 1691 1692 /* the parent must have the same effective ownership and mustn't be 1693 * SUID/SGID */ 1694 if (!uid_eq(pcred->uid, mycred->euid) || 1695 !uid_eq(pcred->euid, mycred->euid) || 1696 !uid_eq(pcred->suid, mycred->euid) || 1697 !gid_eq(pcred->gid, mycred->egid) || 1698 !gid_eq(pcred->egid, mycred->egid) || 1699 !gid_eq(pcred->sgid, mycred->egid)) 1700 goto unlock; 1701 1702 /* the keyrings must have the same UID */ 1703 if ((pcred->session_keyring && 1704 !uid_eq(pcred->session_keyring->uid, mycred->euid)) || 1705 !uid_eq(mycred->session_keyring->uid, mycred->euid)) 1706 goto unlock; 1707 1708 /* cancel an already pending keyring replacement */ 1709 oldwork = task_work_cancel_func(parent, key_change_session_keyring); 1710 1711 /* the replacement session keyring is applied just prior to userspace 1712 * restarting */ 1713 ret = task_work_add(parent, newwork, TWA_RESUME); 1714 if (!ret) 1715 newwork = NULL; 1716 unlock: 1717 write_unlock_irq(&tasklist_lock); 1718 rcu_read_unlock(); 1719 if (oldwork) 1720 put_cred(container_of(oldwork, struct cred, rcu)); 1721 if (newwork) 1722 put_cred(cred); 1723 return ret; 1724 1725 error_keyring: 1726 key_ref_put(keyring_r); 1727 return ret; 1728 } 1729 1730 /* 1731 * Apply a restriction to a given keyring. 1732 * 1733 * The caller must have Setattr permission to change keyring restrictions. 1734 * 1735 * The requested type name may be a NULL pointer to reject all attempts 1736 * to link to the keyring. In this case, _restriction must also be NULL. 1737 * Otherwise, both _type and _restriction must be non-NULL. 1738 * 1739 * Returns 0 if successful. 1740 */ 1741 long keyctl_restrict_keyring(key_serial_t id, const char __user *_type, 1742 const char __user *_restriction) 1743 { 1744 key_ref_t key_ref; 1745 char type[32]; 1746 char *restriction = NULL; 1747 long ret; 1748 1749 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 1750 if (IS_ERR(key_ref)) 1751 return PTR_ERR(key_ref); 1752 1753 ret = -EINVAL; 1754 if (_type) { 1755 if (!_restriction) 1756 goto error; 1757 1758 ret = key_get_type_from_user(type, _type, sizeof(type)); 1759 if (ret < 0) 1760 goto error; 1761 1762 restriction = strndup_user(_restriction, PAGE_SIZE); 1763 if (IS_ERR(restriction)) { 1764 ret = PTR_ERR(restriction); 1765 goto error; 1766 } 1767 } else { 1768 if (_restriction) 1769 goto error; 1770 } 1771 1772 ret = keyring_restrict(key_ref, _type ? type : NULL, restriction); 1773 kfree(restriction); 1774 error: 1775 key_ref_put(key_ref); 1776 return ret; 1777 } 1778 1779 #ifdef CONFIG_KEY_NOTIFICATIONS 1780 /* 1781 * Watch for changes to a key. 1782 * 1783 * The caller must have View permission to watch a key or keyring. 1784 */ 1785 long keyctl_watch_key(key_serial_t id, int watch_queue_fd, int watch_id) 1786 { 1787 struct watch_queue *wqueue; 1788 struct watch_list *wlist = NULL; 1789 struct watch *watch = NULL; 1790 struct key *key; 1791 key_ref_t key_ref; 1792 long ret; 1793 1794 if (watch_id < -1 || watch_id > 0xff) 1795 return -EINVAL; 1796 1797 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_VIEW); 1798 if (IS_ERR(key_ref)) 1799 return PTR_ERR(key_ref); 1800 key = key_ref_to_ptr(key_ref); 1801 1802 wqueue = get_watch_queue(watch_queue_fd); 1803 if (IS_ERR(wqueue)) { 1804 ret = PTR_ERR(wqueue); 1805 goto err_key; 1806 } 1807 1808 if (watch_id >= 0) { 1809 ret = -ENOMEM; 1810 if (!key->watchers) { 1811 wlist = kzalloc_obj(*wlist); 1812 if (!wlist) 1813 goto err_wqueue; 1814 init_watch_list(wlist, NULL); 1815 } 1816 1817 watch = kzalloc_obj(*watch); 1818 if (!watch) 1819 goto err_wlist; 1820 1821 init_watch(watch, wqueue); 1822 watch->id = key->serial; 1823 watch->info_id = (u32)watch_id << WATCH_INFO_ID__SHIFT; 1824 1825 ret = security_watch_key(key); 1826 if (ret < 0) 1827 goto err_watch; 1828 1829 down_write(&key->sem); 1830 if (!key->watchers) { 1831 key->watchers = wlist; 1832 wlist = NULL; 1833 } 1834 1835 ret = add_watch_to_object(watch, key->watchers); 1836 up_write(&key->sem); 1837 1838 if (ret == 0) 1839 watch = NULL; 1840 } else { 1841 ret = -EBADSLT; 1842 if (key->watchers) { 1843 down_write(&key->sem); 1844 ret = remove_watch_from_object(key->watchers, 1845 wqueue, key_serial(key), 1846 false); 1847 up_write(&key->sem); 1848 } 1849 } 1850 1851 err_watch: 1852 kfree(watch); 1853 err_wlist: 1854 kfree(wlist); 1855 err_wqueue: 1856 put_watch_queue(wqueue); 1857 err_key: 1858 key_put(key); 1859 return ret; 1860 } 1861 #endif /* CONFIG_KEY_NOTIFICATIONS */ 1862 1863 /* 1864 * Get keyrings subsystem capabilities. 1865 */ 1866 long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen) 1867 { 1868 size_t size = buflen; 1869 1870 if (size > 0) { 1871 if (size > sizeof(keyrings_capabilities)) 1872 size = sizeof(keyrings_capabilities); 1873 if (copy_to_user(_buffer, keyrings_capabilities, size) != 0) 1874 return -EFAULT; 1875 if (size < buflen && 1876 clear_user(_buffer + size, buflen - size) != 0) 1877 return -EFAULT; 1878 } 1879 1880 return sizeof(keyrings_capabilities); 1881 } 1882 1883 /* 1884 * The key control system call 1885 */ 1886 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1887 unsigned long, arg4, unsigned long, arg5) 1888 { 1889 switch (option) { 1890 case KEYCTL_GET_KEYRING_ID: 1891 return keyctl_get_keyring_ID((key_serial_t) arg2, 1892 (int) arg3); 1893 1894 case KEYCTL_JOIN_SESSION_KEYRING: 1895 return keyctl_join_session_keyring((const char __user *) arg2); 1896 1897 case KEYCTL_UPDATE: 1898 return keyctl_update_key((key_serial_t) arg2, 1899 (const void __user *) arg3, 1900 (size_t) arg4); 1901 1902 case KEYCTL_REVOKE: 1903 return keyctl_revoke_key((key_serial_t) arg2); 1904 1905 case KEYCTL_DESCRIBE: 1906 return keyctl_describe_key((key_serial_t) arg2, 1907 (char __user *) arg3, 1908 (unsigned) arg4); 1909 1910 case KEYCTL_CLEAR: 1911 return keyctl_keyring_clear((key_serial_t) arg2); 1912 1913 case KEYCTL_LINK: 1914 return keyctl_keyring_link((key_serial_t) arg2, 1915 (key_serial_t) arg3); 1916 1917 case KEYCTL_UNLINK: 1918 return keyctl_keyring_unlink((key_serial_t) arg2, 1919 (key_serial_t) arg3); 1920 1921 case KEYCTL_SEARCH: 1922 return keyctl_keyring_search((key_serial_t) arg2, 1923 (const char __user *) arg3, 1924 (const char __user *) arg4, 1925 (key_serial_t) arg5); 1926 1927 case KEYCTL_READ: 1928 return keyctl_read_key((key_serial_t) arg2, 1929 (char __user *) arg3, 1930 (size_t) arg4); 1931 1932 case KEYCTL_CHOWN: 1933 return keyctl_chown_key((key_serial_t) arg2, 1934 (uid_t) arg3, 1935 (gid_t) arg4); 1936 1937 case KEYCTL_SETPERM: 1938 return keyctl_setperm_key((key_serial_t) arg2, 1939 (key_perm_t) arg3); 1940 1941 case KEYCTL_INSTANTIATE: 1942 return keyctl_instantiate_key((key_serial_t) arg2, 1943 (const void __user *) arg3, 1944 (size_t) arg4, 1945 (key_serial_t) arg5); 1946 1947 case KEYCTL_NEGATE: 1948 return keyctl_negate_key((key_serial_t) arg2, 1949 (unsigned) arg3, 1950 (key_serial_t) arg4); 1951 1952 case KEYCTL_SET_REQKEY_KEYRING: 1953 return keyctl_set_reqkey_keyring(arg2); 1954 1955 case KEYCTL_SET_TIMEOUT: 1956 return keyctl_set_timeout((key_serial_t) arg2, 1957 (unsigned) arg3); 1958 1959 case KEYCTL_ASSUME_AUTHORITY: 1960 return keyctl_assume_authority((key_serial_t) arg2); 1961 1962 case KEYCTL_GET_SECURITY: 1963 return keyctl_get_security((key_serial_t) arg2, 1964 (char __user *) arg3, 1965 (size_t) arg4); 1966 1967 case KEYCTL_SESSION_TO_PARENT: 1968 return keyctl_session_to_parent(); 1969 1970 case KEYCTL_REJECT: 1971 return keyctl_reject_key((key_serial_t) arg2, 1972 (unsigned) arg3, 1973 (unsigned) arg4, 1974 (key_serial_t) arg5); 1975 1976 case KEYCTL_INSTANTIATE_IOV: 1977 return keyctl_instantiate_key_iov( 1978 (key_serial_t) arg2, 1979 (const struct iovec __user *) arg3, 1980 (unsigned) arg4, 1981 (key_serial_t) arg5); 1982 1983 case KEYCTL_INVALIDATE: 1984 return keyctl_invalidate_key((key_serial_t) arg2); 1985 1986 case KEYCTL_GET_PERSISTENT: 1987 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); 1988 1989 case KEYCTL_DH_COMPUTE: 1990 return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2, 1991 (char __user *) arg3, (size_t) arg4, 1992 (struct keyctl_kdf_params __user *) arg5); 1993 1994 case KEYCTL_RESTRICT_KEYRING: 1995 return keyctl_restrict_keyring((key_serial_t) arg2, 1996 (const char __user *) arg3, 1997 (const char __user *) arg4); 1998 1999 case KEYCTL_PKEY_QUERY: 2000 if (arg3 != 0) 2001 return -EINVAL; 2002 return keyctl_pkey_query((key_serial_t)arg2, 2003 (const char __user *)arg4, 2004 (struct keyctl_pkey_query __user *)arg5); 2005 2006 case KEYCTL_PKEY_ENCRYPT: 2007 case KEYCTL_PKEY_DECRYPT: 2008 case KEYCTL_PKEY_SIGN: 2009 return keyctl_pkey_e_d_s( 2010 option, 2011 (const struct keyctl_pkey_params __user *)arg2, 2012 (const char __user *)arg3, 2013 (const void __user *)arg4, 2014 (void __user *)arg5); 2015 2016 case KEYCTL_PKEY_VERIFY: 2017 return keyctl_pkey_verify( 2018 (const struct keyctl_pkey_params __user *)arg2, 2019 (const char __user *)arg3, 2020 (const void __user *)arg4, 2021 (const void __user *)arg5); 2022 2023 case KEYCTL_MOVE: 2024 return keyctl_keyring_move((key_serial_t)arg2, 2025 (key_serial_t)arg3, 2026 (key_serial_t)arg4, 2027 (unsigned int)arg5); 2028 2029 case KEYCTL_CAPABILITIES: 2030 return keyctl_capabilities((unsigned char __user *)arg2, (size_t)arg3); 2031 2032 case KEYCTL_WATCH_KEY: 2033 return keyctl_watch_key((key_serial_t)arg2, (int)arg3, (int)arg4); 2034 2035 default: 2036 return -EOPNOTSUPP; 2037 } 2038 } 2039