xref: /linux/kernel/cred.c (revision 8b8eed05a1c650c27e78bc47d07f7d6c9ba779e8)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Task credentials management - see Documentation/security/credentials.rst
3  *
4  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #define pr_fmt(fmt) "CRED: " fmt
9 
10 #include <linux/export.h>
11 #include <linux/cred.h>
12 #include <linux/slab.h>
13 #include <linux/sched.h>
14 #include <linux/sched/coredump.h>
15 #include <linux/key.h>
16 #include <linux/keyctl.h>
17 #include <linux/init_task.h>
18 #include <linux/security.h>
19 #include <linux/binfmts.h>
20 #include <linux/cn_proc.h>
21 #include <linux/uidgid.h>
22 
23 #if 0
24 #define kdebug(FMT, ...)						\
25 	printk("[%-5.5s%5u] " FMT "\n",					\
26 	       current->comm, current->pid, ##__VA_ARGS__)
27 #else
28 #define kdebug(FMT, ...)						\
29 do {									\
30 	if (0)								\
31 		no_printk("[%-5.5s%5u] " FMT "\n",			\
32 			  current->comm, current->pid, ##__VA_ARGS__);	\
33 } while (0)
34 #endif
35 
36 static struct kmem_cache *cred_jar;
37 
38 /* init to 2 - one for init_task, one to ensure it is never freed */
39 static struct group_info init_groups = { .usage = REFCOUNT_INIT(2) };
40 
41 /*
42  * The initial credentials for the initial task
43  */
44 struct cred init_cred = {
45 	.usage			= ATOMIC_INIT(4),
46 #ifdef CONFIG_DEBUG_CREDENTIALS
47 	.subscribers		= ATOMIC_INIT(2),
48 	.magic			= CRED_MAGIC,
49 #endif
50 	.uid			= GLOBAL_ROOT_UID,
51 	.gid			= GLOBAL_ROOT_GID,
52 	.suid			= GLOBAL_ROOT_UID,
53 	.sgid			= GLOBAL_ROOT_GID,
54 	.euid			= GLOBAL_ROOT_UID,
55 	.egid			= GLOBAL_ROOT_GID,
56 	.fsuid			= GLOBAL_ROOT_UID,
57 	.fsgid			= GLOBAL_ROOT_GID,
58 	.securebits		= SECUREBITS_DEFAULT,
59 	.cap_inheritable	= CAP_EMPTY_SET,
60 	.cap_permitted		= CAP_FULL_SET,
61 	.cap_effective		= CAP_FULL_SET,
62 	.cap_bset		= CAP_FULL_SET,
63 	.user			= INIT_USER,
64 	.user_ns		= &init_user_ns,
65 	.group_info		= &init_groups,
66 	.ucounts		= &init_ucounts,
67 };
68 
69 static inline void set_cred_subscribers(struct cred *cred, int n)
70 {
71 #ifdef CONFIG_DEBUG_CREDENTIALS
72 	atomic_set(&cred->subscribers, n);
73 #endif
74 }
75 
76 static inline int read_cred_subscribers(const struct cred *cred)
77 {
78 #ifdef CONFIG_DEBUG_CREDENTIALS
79 	return atomic_read(&cred->subscribers);
80 #else
81 	return 0;
82 #endif
83 }
84 
85 static inline void alter_cred_subscribers(const struct cred *_cred, int n)
86 {
87 #ifdef CONFIG_DEBUG_CREDENTIALS
88 	struct cred *cred = (struct cred *) _cred;
89 
90 	atomic_add(n, &cred->subscribers);
91 #endif
92 }
93 
94 /*
95  * The RCU callback to actually dispose of a set of credentials
96  */
97 static void put_cred_rcu(struct rcu_head *rcu)
98 {
99 	struct cred *cred = container_of(rcu, struct cred, rcu);
100 
101 	kdebug("put_cred_rcu(%p)", cred);
102 
103 #ifdef CONFIG_DEBUG_CREDENTIALS
104 	if (cred->magic != CRED_MAGIC_DEAD ||
105 	    atomic_read(&cred->usage) != 0 ||
106 	    read_cred_subscribers(cred) != 0)
107 		panic("CRED: put_cred_rcu() sees %p with"
108 		      " mag %x, put %p, usage %d, subscr %d\n",
109 		      cred, cred->magic, cred->put_addr,
110 		      atomic_read(&cred->usage),
111 		      read_cred_subscribers(cred));
112 #else
113 	if (atomic_read(&cred->usage) != 0)
114 		panic("CRED: put_cred_rcu() sees %p with usage %d\n",
115 		      cred, atomic_read(&cred->usage));
116 #endif
117 
118 	security_cred_free(cred);
119 	key_put(cred->session_keyring);
120 	key_put(cred->process_keyring);
121 	key_put(cred->thread_keyring);
122 	key_put(cred->request_key_auth);
123 	if (cred->group_info)
124 		put_group_info(cred->group_info);
125 	free_uid(cred->user);
126 	if (cred->ucounts)
127 		put_ucounts(cred->ucounts);
128 	put_user_ns(cred->user_ns);
129 	kmem_cache_free(cred_jar, cred);
130 }
131 
132 /**
133  * __put_cred - Destroy a set of credentials
134  * @cred: The record to release
135  *
136  * Destroy a set of credentials on which no references remain.
137  */
138 void __put_cred(struct cred *cred)
139 {
140 	kdebug("__put_cred(%p{%d,%d})", cred,
141 	       atomic_read(&cred->usage),
142 	       read_cred_subscribers(cred));
143 
144 	BUG_ON(atomic_read(&cred->usage) != 0);
145 #ifdef CONFIG_DEBUG_CREDENTIALS
146 	BUG_ON(read_cred_subscribers(cred) != 0);
147 	cred->magic = CRED_MAGIC_DEAD;
148 	cred->put_addr = __builtin_return_address(0);
149 #endif
150 	BUG_ON(cred == current->cred);
151 	BUG_ON(cred == current->real_cred);
152 
153 	if (cred->non_rcu)
154 		put_cred_rcu(&cred->rcu);
155 	else
156 		call_rcu(&cred->rcu, put_cred_rcu);
157 }
158 EXPORT_SYMBOL(__put_cred);
159 
160 /*
161  * Clean up a task's credentials when it exits
162  */
163 void exit_creds(struct task_struct *tsk)
164 {
165 	struct cred *real_cred, *cred;
166 
167 	kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
168 	       atomic_read(&tsk->cred->usage),
169 	       read_cred_subscribers(tsk->cred));
170 
171 	real_cred = (struct cred *) tsk->real_cred;
172 	tsk->real_cred = NULL;
173 
174 	cred = (struct cred *) tsk->cred;
175 	tsk->cred = NULL;
176 
177 	validate_creds(cred);
178 	if (real_cred == cred) {
179 		alter_cred_subscribers(cred, -2);
180 		put_cred_many(cred, 2);
181 	} else {
182 		validate_creds(real_cred);
183 		alter_cred_subscribers(real_cred, -1);
184 		put_cred(real_cred);
185 		alter_cred_subscribers(cred, -1);
186 		put_cred(cred);
187 	}
188 
189 #ifdef CONFIG_KEYS_REQUEST_CACHE
190 	key_put(tsk->cached_requested_key);
191 	tsk->cached_requested_key = NULL;
192 #endif
193 }
194 
195 /**
196  * get_task_cred - Get another task's objective credentials
197  * @task: The task to query
198  *
199  * Get the objective credentials of a task, pinning them so that they can't go
200  * away.  Accessing a task's credentials directly is not permitted.
201  *
202  * The caller must also make sure task doesn't get deleted, either by holding a
203  * ref on task or by holding tasklist_lock to prevent it from being unlinked.
204  */
205 const struct cred *get_task_cred(struct task_struct *task)
206 {
207 	const struct cred *cred;
208 
209 	rcu_read_lock();
210 
211 	do {
212 		cred = __task_cred((task));
213 		BUG_ON(!cred);
214 	} while (!get_cred_rcu(cred));
215 
216 	rcu_read_unlock();
217 	return cred;
218 }
219 EXPORT_SYMBOL(get_task_cred);
220 
221 /*
222  * Allocate blank credentials, such that the credentials can be filled in at a
223  * later date without risk of ENOMEM.
224  */
225 struct cred *cred_alloc_blank(void)
226 {
227 	struct cred *new;
228 
229 	new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
230 	if (!new)
231 		return NULL;
232 
233 	atomic_set(&new->usage, 1);
234 #ifdef CONFIG_DEBUG_CREDENTIALS
235 	new->magic = CRED_MAGIC;
236 #endif
237 	if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
238 		goto error;
239 
240 	return new;
241 
242 error:
243 	abort_creds(new);
244 	return NULL;
245 }
246 
247 /**
248  * prepare_creds - Prepare a new set of credentials for modification
249  *
250  * Prepare a new set of task credentials for modification.  A task's creds
251  * shouldn't generally be modified directly, therefore this function is used to
252  * prepare a new copy, which the caller then modifies and then commits by
253  * calling commit_creds().
254  *
255  * Preparation involves making a copy of the objective creds for modification.
256  *
257  * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
258  *
259  * Call commit_creds() or abort_creds() to clean up.
260  */
261 struct cred *prepare_creds(void)
262 {
263 	struct task_struct *task = current;
264 	const struct cred *old;
265 	struct cred *new;
266 
267 	validate_process_creds();
268 
269 	new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
270 	if (!new)
271 		return NULL;
272 
273 	kdebug("prepare_creds() alloc %p", new);
274 
275 	old = task->cred;
276 	memcpy(new, old, sizeof(struct cred));
277 
278 	new->non_rcu = 0;
279 	atomic_set(&new->usage, 1);
280 	set_cred_subscribers(new, 0);
281 	get_group_info(new->group_info);
282 	get_uid(new->user);
283 	get_user_ns(new->user_ns);
284 
285 #ifdef CONFIG_KEYS
286 	key_get(new->session_keyring);
287 	key_get(new->process_keyring);
288 	key_get(new->thread_keyring);
289 	key_get(new->request_key_auth);
290 #endif
291 
292 #ifdef CONFIG_SECURITY
293 	new->security = NULL;
294 #endif
295 
296 	new->ucounts = get_ucounts(new->ucounts);
297 	if (!new->ucounts)
298 		goto error;
299 
300 	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
301 		goto error;
302 
303 	validate_creds(new);
304 	return new;
305 
306 error:
307 	abort_creds(new);
308 	return NULL;
309 }
310 EXPORT_SYMBOL(prepare_creds);
311 
312 /*
313  * Prepare credentials for current to perform an execve()
314  * - The caller must hold ->cred_guard_mutex
315  */
316 struct cred *prepare_exec_creds(void)
317 {
318 	struct cred *new;
319 
320 	new = prepare_creds();
321 	if (!new)
322 		return new;
323 
324 #ifdef CONFIG_KEYS
325 	/* newly exec'd tasks don't get a thread keyring */
326 	key_put(new->thread_keyring);
327 	new->thread_keyring = NULL;
328 
329 	/* inherit the session keyring; new process keyring */
330 	key_put(new->process_keyring);
331 	new->process_keyring = NULL;
332 #endif
333 
334 	new->suid = new->fsuid = new->euid;
335 	new->sgid = new->fsgid = new->egid;
336 
337 	return new;
338 }
339 
340 /*
341  * Copy credentials for the new process created by fork()
342  *
343  * We share if we can, but under some circumstances we have to generate a new
344  * set.
345  *
346  * The new process gets the current process's subjective credentials as its
347  * objective and subjective credentials
348  */
349 int copy_creds(struct task_struct *p, unsigned long clone_flags)
350 {
351 	struct cred *new;
352 	int ret;
353 
354 #ifdef CONFIG_KEYS_REQUEST_CACHE
355 	p->cached_requested_key = NULL;
356 #endif
357 
358 	if (
359 #ifdef CONFIG_KEYS
360 		!p->cred->thread_keyring &&
361 #endif
362 		clone_flags & CLONE_THREAD
363 	    ) {
364 		p->real_cred = get_cred_many(p->cred, 2);
365 		alter_cred_subscribers(p->cred, 2);
366 		kdebug("share_creds(%p{%d,%d})",
367 		       p->cred, atomic_read(&p->cred->usage),
368 		       read_cred_subscribers(p->cred));
369 		inc_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
370 		return 0;
371 	}
372 
373 	new = prepare_creds();
374 	if (!new)
375 		return -ENOMEM;
376 
377 	if (clone_flags & CLONE_NEWUSER) {
378 		ret = create_user_ns(new);
379 		if (ret < 0)
380 			goto error_put;
381 		ret = set_cred_ucounts(new);
382 		if (ret < 0)
383 			goto error_put;
384 	}
385 
386 #ifdef CONFIG_KEYS
387 	/* new threads get their own thread keyrings if their parent already
388 	 * had one */
389 	if (new->thread_keyring) {
390 		key_put(new->thread_keyring);
391 		new->thread_keyring = NULL;
392 		if (clone_flags & CLONE_THREAD)
393 			install_thread_keyring_to_cred(new);
394 	}
395 
396 	/* The process keyring is only shared between the threads in a process;
397 	 * anything outside of those threads doesn't inherit.
398 	 */
399 	if (!(clone_flags & CLONE_THREAD)) {
400 		key_put(new->process_keyring);
401 		new->process_keyring = NULL;
402 	}
403 #endif
404 
405 	p->cred = p->real_cred = get_cred(new);
406 	inc_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
407 	alter_cred_subscribers(new, 2);
408 	validate_creds(new);
409 	return 0;
410 
411 error_put:
412 	put_cred(new);
413 	return ret;
414 }
415 
416 static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
417 {
418 	const struct user_namespace *set_ns = set->user_ns;
419 	const struct user_namespace *subset_ns = subset->user_ns;
420 
421 	/* If the two credentials are in the same user namespace see if
422 	 * the capabilities of subset are a subset of set.
423 	 */
424 	if (set_ns == subset_ns)
425 		return cap_issubset(subset->cap_permitted, set->cap_permitted);
426 
427 	/* The credentials are in a different user namespaces
428 	 * therefore one is a subset of the other only if a set is an
429 	 * ancestor of subset and set->euid is owner of subset or one
430 	 * of subsets ancestors.
431 	 */
432 	for (;subset_ns != &init_user_ns; subset_ns = subset_ns->parent) {
433 		if ((set_ns == subset_ns->parent)  &&
434 		    uid_eq(subset_ns->owner, set->euid))
435 			return true;
436 	}
437 
438 	return false;
439 }
440 
441 /**
442  * commit_creds - Install new credentials upon the current task
443  * @new: The credentials to be assigned
444  *
445  * Install a new set of credentials to the current task, using RCU to replace
446  * the old set.  Both the objective and the subjective credentials pointers are
447  * updated.  This function may not be called if the subjective credentials are
448  * in an overridden state.
449  *
450  * This function eats the caller's reference to the new credentials.
451  *
452  * Always returns 0 thus allowing this function to be tail-called at the end
453  * of, say, sys_setgid().
454  */
455 int commit_creds(struct cred *new)
456 {
457 	struct task_struct *task = current;
458 	const struct cred *old = task->real_cred;
459 
460 	kdebug("commit_creds(%p{%d,%d})", new,
461 	       atomic_read(&new->usage),
462 	       read_cred_subscribers(new));
463 
464 	BUG_ON(task->cred != old);
465 #ifdef CONFIG_DEBUG_CREDENTIALS
466 	BUG_ON(read_cred_subscribers(old) < 2);
467 	validate_creds(old);
468 	validate_creds(new);
469 #endif
470 	BUG_ON(atomic_read(&new->usage) < 1);
471 
472 	get_cred(new); /* we will require a ref for the subj creds too */
473 
474 	/* dumpability changes */
475 	if (!uid_eq(old->euid, new->euid) ||
476 	    !gid_eq(old->egid, new->egid) ||
477 	    !uid_eq(old->fsuid, new->fsuid) ||
478 	    !gid_eq(old->fsgid, new->fsgid) ||
479 	    !cred_cap_issubset(old, new)) {
480 		if (task->mm)
481 			set_dumpable(task->mm, suid_dumpable);
482 		task->pdeath_signal = 0;
483 		/*
484 		 * If a task drops privileges and becomes nondumpable,
485 		 * the dumpability change must become visible before
486 		 * the credential change; otherwise, a __ptrace_may_access()
487 		 * racing with this change may be able to attach to a task it
488 		 * shouldn't be able to attach to (as if the task had dropped
489 		 * privileges without becoming nondumpable).
490 		 * Pairs with a read barrier in __ptrace_may_access().
491 		 */
492 		smp_wmb();
493 	}
494 
495 	/* alter the thread keyring */
496 	if (!uid_eq(new->fsuid, old->fsuid))
497 		key_fsuid_changed(new);
498 	if (!gid_eq(new->fsgid, old->fsgid))
499 		key_fsgid_changed(new);
500 
501 	/* do it
502 	 * RLIMIT_NPROC limits on user->processes have already been checked
503 	 * in set_user().
504 	 */
505 	alter_cred_subscribers(new, 2);
506 	if (new->user != old->user || new->user_ns != old->user_ns)
507 		inc_rlimit_ucounts(new->ucounts, UCOUNT_RLIMIT_NPROC, 1);
508 	rcu_assign_pointer(task->real_cred, new);
509 	rcu_assign_pointer(task->cred, new);
510 	if (new->user != old->user || new->user_ns != old->user_ns)
511 		dec_rlimit_ucounts(old->ucounts, UCOUNT_RLIMIT_NPROC, 1);
512 	alter_cred_subscribers(old, -2);
513 
514 	/* send notifications */
515 	if (!uid_eq(new->uid,   old->uid)  ||
516 	    !uid_eq(new->euid,  old->euid) ||
517 	    !uid_eq(new->suid,  old->suid) ||
518 	    !uid_eq(new->fsuid, old->fsuid))
519 		proc_id_connector(task, PROC_EVENT_UID);
520 
521 	if (!gid_eq(new->gid,   old->gid)  ||
522 	    !gid_eq(new->egid,  old->egid) ||
523 	    !gid_eq(new->sgid,  old->sgid) ||
524 	    !gid_eq(new->fsgid, old->fsgid))
525 		proc_id_connector(task, PROC_EVENT_GID);
526 
527 	/* release the old obj and subj refs both */
528 	put_cred_many(old, 2);
529 	return 0;
530 }
531 EXPORT_SYMBOL(commit_creds);
532 
533 /**
534  * abort_creds - Discard a set of credentials and unlock the current task
535  * @new: The credentials that were going to be applied
536  *
537  * Discard a set of credentials that were under construction and unlock the
538  * current task.
539  */
540 void abort_creds(struct cred *new)
541 {
542 	kdebug("abort_creds(%p{%d,%d})", new,
543 	       atomic_read(&new->usage),
544 	       read_cred_subscribers(new));
545 
546 #ifdef CONFIG_DEBUG_CREDENTIALS
547 	BUG_ON(read_cred_subscribers(new) != 0);
548 #endif
549 	BUG_ON(atomic_read(&new->usage) < 1);
550 	put_cred(new);
551 }
552 EXPORT_SYMBOL(abort_creds);
553 
554 /**
555  * override_creds - Override the current process's subjective credentials
556  * @new: The credentials to be assigned
557  *
558  * Install a set of temporary override subjective credentials on the current
559  * process, returning the old set for later reversion.
560  */
561 const struct cred *override_creds(const struct cred *new)
562 {
563 	const struct cred *old = current->cred;
564 
565 	kdebug("override_creds(%p{%d,%d})", new,
566 	       atomic_read(&new->usage),
567 	       read_cred_subscribers(new));
568 
569 	validate_creds(old);
570 	validate_creds(new);
571 
572 	/*
573 	 * NOTE! This uses 'get_new_cred()' rather than 'get_cred()'.
574 	 *
575 	 * That means that we do not clear the 'non_rcu' flag, since
576 	 * we are only installing the cred into the thread-synchronous
577 	 * '->cred' pointer, not the '->real_cred' pointer that is
578 	 * visible to other threads under RCU.
579 	 *
580 	 * Also note that we did validate_creds() manually, not depending
581 	 * on the validation in 'get_cred()'.
582 	 */
583 	get_new_cred((struct cred *)new);
584 	alter_cred_subscribers(new, 1);
585 	rcu_assign_pointer(current->cred, new);
586 	alter_cred_subscribers(old, -1);
587 
588 	kdebug("override_creds() = %p{%d,%d}", old,
589 	       atomic_read(&old->usage),
590 	       read_cred_subscribers(old));
591 	return old;
592 }
593 EXPORT_SYMBOL(override_creds);
594 
595 /**
596  * revert_creds - Revert a temporary subjective credentials override
597  * @old: The credentials to be restored
598  *
599  * Revert a temporary set of override subjective credentials to an old set,
600  * discarding the override set.
601  */
602 void revert_creds(const struct cred *old)
603 {
604 	const struct cred *override = current->cred;
605 
606 	kdebug("revert_creds(%p{%d,%d})", old,
607 	       atomic_read(&old->usage),
608 	       read_cred_subscribers(old));
609 
610 	validate_creds(old);
611 	validate_creds(override);
612 	alter_cred_subscribers(old, 1);
613 	rcu_assign_pointer(current->cred, old);
614 	alter_cred_subscribers(override, -1);
615 	put_cred(override);
616 }
617 EXPORT_SYMBOL(revert_creds);
618 
619 /**
620  * cred_fscmp - Compare two credentials with respect to filesystem access.
621  * @a: The first credential
622  * @b: The second credential
623  *
624  * cred_cmp() will return zero if both credentials have the same
625  * fsuid, fsgid, and supplementary groups.  That is, if they will both
626  * provide the same access to files based on mode/uid/gid.
627  * If the credentials are different, then either -1 or 1 will
628  * be returned depending on whether @a comes before or after @b
629  * respectively in an arbitrary, but stable, ordering of credentials.
630  *
631  * Return: -1, 0, or 1 depending on comparison
632  */
633 int cred_fscmp(const struct cred *a, const struct cred *b)
634 {
635 	struct group_info *ga, *gb;
636 	int g;
637 
638 	if (a == b)
639 		return 0;
640 	if (uid_lt(a->fsuid, b->fsuid))
641 		return -1;
642 	if (uid_gt(a->fsuid, b->fsuid))
643 		return 1;
644 
645 	if (gid_lt(a->fsgid, b->fsgid))
646 		return -1;
647 	if (gid_gt(a->fsgid, b->fsgid))
648 		return 1;
649 
650 	ga = a->group_info;
651 	gb = b->group_info;
652 	if (ga == gb)
653 		return 0;
654 	if (ga == NULL)
655 		return -1;
656 	if (gb == NULL)
657 		return 1;
658 	if (ga->ngroups < gb->ngroups)
659 		return -1;
660 	if (ga->ngroups > gb->ngroups)
661 		return 1;
662 
663 	for (g = 0; g < ga->ngroups; g++) {
664 		if (gid_lt(ga->gid[g], gb->gid[g]))
665 			return -1;
666 		if (gid_gt(ga->gid[g], gb->gid[g]))
667 			return 1;
668 	}
669 	return 0;
670 }
671 EXPORT_SYMBOL(cred_fscmp);
672 
673 int set_cred_ucounts(struct cred *new)
674 {
675 	struct ucounts *new_ucounts, *old_ucounts = new->ucounts;
676 
677 	/*
678 	 * This optimization is needed because alloc_ucounts() uses locks
679 	 * for table lookups.
680 	 */
681 	if (old_ucounts->ns == new->user_ns && uid_eq(old_ucounts->uid, new->uid))
682 		return 0;
683 
684 	if (!(new_ucounts = alloc_ucounts(new->user_ns, new->uid)))
685 		return -EAGAIN;
686 
687 	new->ucounts = new_ucounts;
688 	put_ucounts(old_ucounts);
689 
690 	return 0;
691 }
692 
693 /*
694  * initialise the credentials stuff
695  */
696 void __init cred_init(void)
697 {
698 	/* allocate a slab in which we can store credentials */
699 	cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred), 0,
700 			SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
701 }
702 
703 /**
704  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
705  * @daemon: A userspace daemon to be used as a reference
706  *
707  * Prepare a set of credentials for a kernel service.  This can then be used to
708  * override a task's own credentials so that work can be done on behalf of that
709  * task that requires a different subjective context.
710  *
711  * @daemon is used to provide a base cred, with the security data derived from
712  * that; if this is "&init_task", they'll be set to 0, no groups, full
713  * capabilities, and no keys.
714  *
715  * The caller may change these controls afterwards if desired.
716  *
717  * Returns the new credentials or NULL if out of memory.
718  */
719 struct cred *prepare_kernel_cred(struct task_struct *daemon)
720 {
721 	const struct cred *old;
722 	struct cred *new;
723 
724 	if (WARN_ON_ONCE(!daemon))
725 		return NULL;
726 
727 	new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
728 	if (!new)
729 		return NULL;
730 
731 	kdebug("prepare_kernel_cred() alloc %p", new);
732 
733 	old = get_task_cred(daemon);
734 	validate_creds(old);
735 
736 	*new = *old;
737 	new->non_rcu = 0;
738 	atomic_set(&new->usage, 1);
739 	set_cred_subscribers(new, 0);
740 	get_uid(new->user);
741 	get_user_ns(new->user_ns);
742 	get_group_info(new->group_info);
743 
744 #ifdef CONFIG_KEYS
745 	new->session_keyring = NULL;
746 	new->process_keyring = NULL;
747 	new->thread_keyring = NULL;
748 	new->request_key_auth = NULL;
749 	new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
750 #endif
751 
752 #ifdef CONFIG_SECURITY
753 	new->security = NULL;
754 #endif
755 	new->ucounts = get_ucounts(new->ucounts);
756 	if (!new->ucounts)
757 		goto error;
758 
759 	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
760 		goto error;
761 
762 	put_cred(old);
763 	validate_creds(new);
764 	return new;
765 
766 error:
767 	put_cred(new);
768 	put_cred(old);
769 	return NULL;
770 }
771 EXPORT_SYMBOL(prepare_kernel_cred);
772 
773 /**
774  * set_security_override - Set the security ID in a set of credentials
775  * @new: The credentials to alter
776  * @secid: The LSM security ID to set
777  *
778  * Set the LSM security ID in a set of credentials so that the subjective
779  * security is overridden when an alternative set of credentials is used.
780  */
781 int set_security_override(struct cred *new, u32 secid)
782 {
783 	return security_kernel_act_as(new, secid);
784 }
785 EXPORT_SYMBOL(set_security_override);
786 
787 /**
788  * set_security_override_from_ctx - Set the security ID in a set of credentials
789  * @new: The credentials to alter
790  * @secctx: The LSM security context to generate the security ID from.
791  *
792  * Set the LSM security ID in a set of credentials so that the subjective
793  * security is overridden when an alternative set of credentials is used.  The
794  * security ID is specified in string form as a security context to be
795  * interpreted by the LSM.
796  */
797 int set_security_override_from_ctx(struct cred *new, const char *secctx)
798 {
799 	u32 secid;
800 	int ret;
801 
802 	ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
803 	if (ret < 0)
804 		return ret;
805 
806 	return set_security_override(new, secid);
807 }
808 EXPORT_SYMBOL(set_security_override_from_ctx);
809 
810 /**
811  * set_create_files_as - Set the LSM file create context in a set of credentials
812  * @new: The credentials to alter
813  * @inode: The inode to take the context from
814  *
815  * Change the LSM file creation context in a set of credentials to be the same
816  * as the object context of the specified inode, so that the new inodes have
817  * the same MAC context as that inode.
818  */
819 int set_create_files_as(struct cred *new, struct inode *inode)
820 {
821 	if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))
822 		return -EINVAL;
823 	new->fsuid = inode->i_uid;
824 	new->fsgid = inode->i_gid;
825 	return security_kernel_create_files_as(new, inode);
826 }
827 EXPORT_SYMBOL(set_create_files_as);
828 
829 #ifdef CONFIG_DEBUG_CREDENTIALS
830 
831 bool creds_are_invalid(const struct cred *cred)
832 {
833 	if (cred->magic != CRED_MAGIC)
834 		return true;
835 	return false;
836 }
837 EXPORT_SYMBOL(creds_are_invalid);
838 
839 /*
840  * dump invalid credentials
841  */
842 static void dump_invalid_creds(const struct cred *cred, const char *label,
843 			       const struct task_struct *tsk)
844 {
845 	pr_err("%s credentials: %p %s%s%s\n",
846 	       label, cred,
847 	       cred == &init_cred ? "[init]" : "",
848 	       cred == tsk->real_cred ? "[real]" : "",
849 	       cred == tsk->cred ? "[eff]" : "");
850 	pr_err("->magic=%x, put_addr=%p\n",
851 	       cred->magic, cred->put_addr);
852 	pr_err("->usage=%d, subscr=%d\n",
853 	       atomic_read(&cred->usage),
854 	       read_cred_subscribers(cred));
855 	pr_err("->*uid = { %d,%d,%d,%d }\n",
856 		from_kuid_munged(&init_user_ns, cred->uid),
857 		from_kuid_munged(&init_user_ns, cred->euid),
858 		from_kuid_munged(&init_user_ns, cred->suid),
859 		from_kuid_munged(&init_user_ns, cred->fsuid));
860 	pr_err("->*gid = { %d,%d,%d,%d }\n",
861 		from_kgid_munged(&init_user_ns, cred->gid),
862 		from_kgid_munged(&init_user_ns, cred->egid),
863 		from_kgid_munged(&init_user_ns, cred->sgid),
864 		from_kgid_munged(&init_user_ns, cred->fsgid));
865 #ifdef CONFIG_SECURITY
866 	pr_err("->security is %p\n", cred->security);
867 	if ((unsigned long) cred->security >= PAGE_SIZE &&
868 	    (((unsigned long) cred->security & 0xffffff00) !=
869 	     (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
870 		pr_err("->security {%x, %x}\n",
871 		       ((u32*)cred->security)[0],
872 		       ((u32*)cred->security)[1]);
873 #endif
874 }
875 
876 /*
877  * report use of invalid credentials
878  */
879 void __noreturn __invalid_creds(const struct cred *cred, const char *file, unsigned line)
880 {
881 	pr_err("Invalid credentials\n");
882 	pr_err("At %s:%u\n", file, line);
883 	dump_invalid_creds(cred, "Specified", current);
884 	BUG();
885 }
886 EXPORT_SYMBOL(__invalid_creds);
887 
888 /*
889  * check the credentials on a process
890  */
891 void __validate_process_creds(struct task_struct *tsk,
892 			      const char *file, unsigned line)
893 {
894 	if (tsk->cred == tsk->real_cred) {
895 		if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
896 			     creds_are_invalid(tsk->cred)))
897 			goto invalid_creds;
898 	} else {
899 		if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
900 			     read_cred_subscribers(tsk->cred) < 1 ||
901 			     creds_are_invalid(tsk->real_cred) ||
902 			     creds_are_invalid(tsk->cred)))
903 			goto invalid_creds;
904 	}
905 	return;
906 
907 invalid_creds:
908 	pr_err("Invalid process credentials\n");
909 	pr_err("At %s:%u\n", file, line);
910 
911 	dump_invalid_creds(tsk->real_cred, "Real", tsk);
912 	if (tsk->cred != tsk->real_cred)
913 		dump_invalid_creds(tsk->cred, "Effective", tsk);
914 	else
915 		pr_err("Effective creds == Real creds\n");
916 	BUG();
917 }
918 EXPORT_SYMBOL(__validate_process_creds);
919 
920 /*
921  * check creds for do_exit()
922  */
923 void validate_creds_for_do_exit(struct task_struct *tsk)
924 {
925 	kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
926 	       tsk->real_cred, tsk->cred,
927 	       atomic_read(&tsk->cred->usage),
928 	       read_cred_subscribers(tsk->cred));
929 
930 	__validate_process_creds(tsk, __FILE__, __LINE__);
931 }
932 
933 #endif /* CONFIG_DEBUG_CREDENTIALS */
934