1 /* Basic authentication token and access key management 2 * 3 * Copyright (C) 2004-2008 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/poison.h> 15 #include <linux/sched.h> 16 #include <linux/slab.h> 17 #include <linux/security.h> 18 #include <linux/workqueue.h> 19 #include <linux/random.h> 20 #include <linux/err.h> 21 #include <linux/user_namespace.h> 22 #include "internal.h" 23 24 static struct kmem_cache *key_jar; 25 struct rb_root key_serial_tree; /* tree of keys indexed by serial */ 26 DEFINE_SPINLOCK(key_serial_lock); 27 28 struct rb_root key_user_tree; /* tree of quota records indexed by UID */ 29 DEFINE_SPINLOCK(key_user_lock); 30 31 unsigned int key_quota_root_maxkeys = 200; /* root's key count quota */ 32 unsigned int key_quota_root_maxbytes = 20000; /* root's key space quota */ 33 unsigned int key_quota_maxkeys = 200; /* general key count quota */ 34 unsigned int key_quota_maxbytes = 20000; /* general key space quota */ 35 36 static LIST_HEAD(key_types_list); 37 static DECLARE_RWSEM(key_types_sem); 38 39 static void key_cleanup(struct work_struct *work); 40 static DECLARE_WORK(key_cleanup_task, key_cleanup); 41 42 /* We serialise key instantiation and link */ 43 DEFINE_MUTEX(key_construction_mutex); 44 45 /* Any key who's type gets unegistered will be re-typed to this */ 46 static struct key_type key_type_dead = { 47 .name = "dead", 48 }; 49 50 #ifdef KEY_DEBUGGING 51 void __key_check(const struct key *key) 52 { 53 printk("__key_check: key %p {%08x} should be {%08x}\n", 54 key, key->magic, KEY_DEBUG_MAGIC); 55 BUG(); 56 } 57 #endif 58 59 /* 60 * Get the key quota record for a user, allocating a new record if one doesn't 61 * already exist. 62 */ 63 struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns) 64 { 65 struct key_user *candidate = NULL, *user; 66 struct rb_node *parent = NULL; 67 struct rb_node **p; 68 69 try_again: 70 p = &key_user_tree.rb_node; 71 spin_lock(&key_user_lock); 72 73 /* search the tree for a user record with a matching UID */ 74 while (*p) { 75 parent = *p; 76 user = rb_entry(parent, struct key_user, node); 77 78 if (uid < user->uid) 79 p = &(*p)->rb_left; 80 else if (uid > user->uid) 81 p = &(*p)->rb_right; 82 else if (user_ns < user->user_ns) 83 p = &(*p)->rb_left; 84 else if (user_ns > user->user_ns) 85 p = &(*p)->rb_right; 86 else 87 goto found; 88 } 89 90 /* if we get here, we failed to find a match in the tree */ 91 if (!candidate) { 92 /* allocate a candidate user record if we don't already have 93 * one */ 94 spin_unlock(&key_user_lock); 95 96 user = NULL; 97 candidate = kmalloc(sizeof(struct key_user), GFP_KERNEL); 98 if (unlikely(!candidate)) 99 goto out; 100 101 /* the allocation may have scheduled, so we need to repeat the 102 * search lest someone else added the record whilst we were 103 * asleep */ 104 goto try_again; 105 } 106 107 /* if we get here, then the user record still hadn't appeared on the 108 * second pass - so we use the candidate record */ 109 atomic_set(&candidate->usage, 1); 110 atomic_set(&candidate->nkeys, 0); 111 atomic_set(&candidate->nikeys, 0); 112 candidate->uid = uid; 113 candidate->user_ns = get_user_ns(user_ns); 114 candidate->qnkeys = 0; 115 candidate->qnbytes = 0; 116 spin_lock_init(&candidate->lock); 117 mutex_init(&candidate->cons_lock); 118 119 rb_link_node(&candidate->node, parent, p); 120 rb_insert_color(&candidate->node, &key_user_tree); 121 spin_unlock(&key_user_lock); 122 user = candidate; 123 goto out; 124 125 /* okay - we found a user record for this UID */ 126 found: 127 atomic_inc(&user->usage); 128 spin_unlock(&key_user_lock); 129 kfree(candidate); 130 out: 131 return user; 132 } 133 134 /* 135 * Dispose of a user structure 136 */ 137 void key_user_put(struct key_user *user) 138 { 139 if (atomic_dec_and_lock(&user->usage, &key_user_lock)) { 140 rb_erase(&user->node, &key_user_tree); 141 spin_unlock(&key_user_lock); 142 put_user_ns(user->user_ns); 143 144 kfree(user); 145 } 146 } 147 148 /* 149 * Allocate a serial number for a key. These are assigned randomly to avoid 150 * security issues through covert channel problems. 151 */ 152 static inline void key_alloc_serial(struct key *key) 153 { 154 struct rb_node *parent, **p; 155 struct key *xkey; 156 157 /* propose a random serial number and look for a hole for it in the 158 * serial number tree */ 159 do { 160 get_random_bytes(&key->serial, sizeof(key->serial)); 161 162 key->serial >>= 1; /* negative numbers are not permitted */ 163 } while (key->serial < 3); 164 165 spin_lock(&key_serial_lock); 166 167 attempt_insertion: 168 parent = NULL; 169 p = &key_serial_tree.rb_node; 170 171 while (*p) { 172 parent = *p; 173 xkey = rb_entry(parent, struct key, serial_node); 174 175 if (key->serial < xkey->serial) 176 p = &(*p)->rb_left; 177 else if (key->serial > xkey->serial) 178 p = &(*p)->rb_right; 179 else 180 goto serial_exists; 181 } 182 183 /* we've found a suitable hole - arrange for this key to occupy it */ 184 rb_link_node(&key->serial_node, parent, p); 185 rb_insert_color(&key->serial_node, &key_serial_tree); 186 187 spin_unlock(&key_serial_lock); 188 return; 189 190 /* we found a key with the proposed serial number - walk the tree from 191 * that point looking for the next unused serial number */ 192 serial_exists: 193 for (;;) { 194 key->serial++; 195 if (key->serial < 3) { 196 key->serial = 3; 197 goto attempt_insertion; 198 } 199 200 parent = rb_next(parent); 201 if (!parent) 202 goto attempt_insertion; 203 204 xkey = rb_entry(parent, struct key, serial_node); 205 if (key->serial < xkey->serial) 206 goto attempt_insertion; 207 } 208 } 209 210 /** 211 * key_alloc - Allocate a key of the specified type. 212 * @type: The type of key to allocate. 213 * @desc: The key description to allow the key to be searched out. 214 * @uid: The owner of the new key. 215 * @gid: The group ID for the new key's group permissions. 216 * @cred: The credentials specifying UID namespace. 217 * @perm: The permissions mask of the new key. 218 * @flags: Flags specifying quota properties. 219 * 220 * Allocate a key of the specified type with the attributes given. The key is 221 * returned in an uninstantiated state and the caller needs to instantiate the 222 * key before returning. 223 * 224 * The user's key count quota is updated to reflect the creation of the key and 225 * the user's key data quota has the default for the key type reserved. The 226 * instantiation function should amend this as necessary. If insufficient 227 * quota is available, -EDQUOT will be returned. 228 * 229 * The LSM security modules can prevent a key being created, in which case 230 * -EACCES will be returned. 231 * 232 * Returns a pointer to the new key if successful and an error code otherwise. 233 * 234 * Note that the caller needs to ensure the key type isn't uninstantiated. 235 * Internally this can be done by locking key_types_sem. Externally, this can 236 * be done by either never unregistering the key type, or making sure 237 * key_alloc() calls don't race with module unloading. 238 */ 239 struct key *key_alloc(struct key_type *type, const char *desc, 240 uid_t uid, gid_t gid, const struct cred *cred, 241 key_perm_t perm, unsigned long flags) 242 { 243 struct key_user *user = NULL; 244 struct key *key; 245 size_t desclen, quotalen; 246 int ret; 247 248 key = ERR_PTR(-EINVAL); 249 if (!desc || !*desc) 250 goto error; 251 252 if (type->vet_description) { 253 ret = type->vet_description(desc); 254 if (ret < 0) { 255 key = ERR_PTR(ret); 256 goto error; 257 } 258 } 259 260 desclen = strlen(desc) + 1; 261 quotalen = desclen + type->def_datalen; 262 263 /* get hold of the key tracking for this user */ 264 user = key_user_lookup(uid, cred->user->user_ns); 265 if (!user) 266 goto no_memory_1; 267 268 /* check that the user's quota permits allocation of another key and 269 * its description */ 270 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 271 unsigned maxkeys = (uid == 0) ? 272 key_quota_root_maxkeys : key_quota_maxkeys; 273 unsigned maxbytes = (uid == 0) ? 274 key_quota_root_maxbytes : key_quota_maxbytes; 275 276 spin_lock(&user->lock); 277 if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) { 278 if (user->qnkeys + 1 >= maxkeys || 279 user->qnbytes + quotalen >= maxbytes || 280 user->qnbytes + quotalen < user->qnbytes) 281 goto no_quota; 282 } 283 284 user->qnkeys++; 285 user->qnbytes += quotalen; 286 spin_unlock(&user->lock); 287 } 288 289 /* allocate and initialise the key and its description */ 290 key = kmem_cache_alloc(key_jar, GFP_KERNEL); 291 if (!key) 292 goto no_memory_2; 293 294 if (desc) { 295 key->description = kmemdup(desc, desclen, GFP_KERNEL); 296 if (!key->description) 297 goto no_memory_3; 298 } 299 300 atomic_set(&key->usage, 1); 301 init_rwsem(&key->sem); 302 key->type = type; 303 key->user = user; 304 key->quotalen = quotalen; 305 key->datalen = type->def_datalen; 306 key->uid = uid; 307 key->gid = gid; 308 key->perm = perm; 309 key->flags = 0; 310 key->expiry = 0; 311 key->payload.data = NULL; 312 key->security = NULL; 313 314 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) 315 key->flags |= 1 << KEY_FLAG_IN_QUOTA; 316 317 memset(&key->type_data, 0, sizeof(key->type_data)); 318 319 #ifdef KEY_DEBUGGING 320 key->magic = KEY_DEBUG_MAGIC; 321 #endif 322 323 /* let the security module know about the key */ 324 ret = security_key_alloc(key, cred, flags); 325 if (ret < 0) 326 goto security_error; 327 328 /* publish the key by giving it a serial number */ 329 atomic_inc(&user->nkeys); 330 key_alloc_serial(key); 331 332 error: 333 return key; 334 335 security_error: 336 kfree(key->description); 337 kmem_cache_free(key_jar, key); 338 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 339 spin_lock(&user->lock); 340 user->qnkeys--; 341 user->qnbytes -= quotalen; 342 spin_unlock(&user->lock); 343 } 344 key_user_put(user); 345 key = ERR_PTR(ret); 346 goto error; 347 348 no_memory_3: 349 kmem_cache_free(key_jar, key); 350 no_memory_2: 351 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 352 spin_lock(&user->lock); 353 user->qnkeys--; 354 user->qnbytes -= quotalen; 355 spin_unlock(&user->lock); 356 } 357 key_user_put(user); 358 no_memory_1: 359 key = ERR_PTR(-ENOMEM); 360 goto error; 361 362 no_quota: 363 spin_unlock(&user->lock); 364 key_user_put(user); 365 key = ERR_PTR(-EDQUOT); 366 goto error; 367 } 368 EXPORT_SYMBOL(key_alloc); 369 370 /** 371 * key_payload_reserve - Adjust data quota reservation for the key's payload 372 * @key: The key to make the reservation for. 373 * @datalen: The amount of data payload the caller now wants. 374 * 375 * Adjust the amount of the owning user's key data quota that a key reserves. 376 * If the amount is increased, then -EDQUOT may be returned if there isn't 377 * enough free quota available. 378 * 379 * If successful, 0 is returned. 380 */ 381 int key_payload_reserve(struct key *key, size_t datalen) 382 { 383 int delta = (int)datalen - key->datalen; 384 int ret = 0; 385 386 key_check(key); 387 388 /* contemplate the quota adjustment */ 389 if (delta != 0 && test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 390 unsigned maxbytes = (key->user->uid == 0) ? 391 key_quota_root_maxbytes : key_quota_maxbytes; 392 393 spin_lock(&key->user->lock); 394 395 if (delta > 0 && 396 (key->user->qnbytes + delta >= maxbytes || 397 key->user->qnbytes + delta < key->user->qnbytes)) { 398 ret = -EDQUOT; 399 } 400 else { 401 key->user->qnbytes += delta; 402 key->quotalen += delta; 403 } 404 spin_unlock(&key->user->lock); 405 } 406 407 /* change the recorded data length if that didn't generate an error */ 408 if (ret == 0) 409 key->datalen = datalen; 410 411 return ret; 412 } 413 EXPORT_SYMBOL(key_payload_reserve); 414 415 /* 416 * Instantiate a key and link it into the target keyring atomically. Must be 417 * called with the target keyring's semaphore writelocked. The target key's 418 * semaphore need not be locked as instantiation is serialised by 419 * key_construction_mutex. 420 */ 421 static int __key_instantiate_and_link(struct key *key, 422 const void *data, 423 size_t datalen, 424 struct key *keyring, 425 struct key *authkey, 426 unsigned long *_prealloc) 427 { 428 int ret, awaken; 429 430 key_check(key); 431 key_check(keyring); 432 433 awaken = 0; 434 ret = -EBUSY; 435 436 mutex_lock(&key_construction_mutex); 437 438 /* can't instantiate twice */ 439 if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 440 /* instantiate the key */ 441 ret = key->type->instantiate(key, data, datalen); 442 443 if (ret == 0) { 444 /* mark the key as being instantiated */ 445 atomic_inc(&key->user->nikeys); 446 set_bit(KEY_FLAG_INSTANTIATED, &key->flags); 447 448 if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) 449 awaken = 1; 450 451 /* and link it into the destination keyring */ 452 if (keyring) 453 __key_link(keyring, key, _prealloc); 454 455 /* disable the authorisation key */ 456 if (authkey) 457 key_revoke(authkey); 458 } 459 } 460 461 mutex_unlock(&key_construction_mutex); 462 463 /* wake up anyone waiting for a key to be constructed */ 464 if (awaken) 465 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); 466 467 return ret; 468 } 469 470 /** 471 * key_instantiate_and_link - Instantiate a key and link it into the keyring. 472 * @key: The key to instantiate. 473 * @data: The data to use to instantiate the keyring. 474 * @datalen: The length of @data. 475 * @keyring: Keyring to create a link in on success (or NULL). 476 * @authkey: The authorisation token permitting instantiation. 477 * 478 * Instantiate a key that's in the uninstantiated state using the provided data 479 * and, if successful, link it in to the destination keyring if one is 480 * supplied. 481 * 482 * If successful, 0 is returned, the authorisation token is revoked and anyone 483 * waiting for the key is woken up. If the key was already instantiated, 484 * -EBUSY will be returned. 485 */ 486 int key_instantiate_and_link(struct key *key, 487 const void *data, 488 size_t datalen, 489 struct key *keyring, 490 struct key *authkey) 491 { 492 unsigned long prealloc; 493 int ret; 494 495 if (keyring) { 496 ret = __key_link_begin(keyring, key->type, key->description, 497 &prealloc); 498 if (ret < 0) 499 return ret; 500 } 501 502 ret = __key_instantiate_and_link(key, data, datalen, keyring, authkey, 503 &prealloc); 504 505 if (keyring) 506 __key_link_end(keyring, key->type, prealloc); 507 508 return ret; 509 } 510 511 EXPORT_SYMBOL(key_instantiate_and_link); 512 513 /** 514 * key_reject_and_link - Negatively instantiate a key and link it into the keyring. 515 * @key: The key to instantiate. 516 * @timeout: The timeout on the negative key. 517 * @error: The error to return when the key is hit. 518 * @keyring: Keyring to create a link in on success (or NULL). 519 * @authkey: The authorisation token permitting instantiation. 520 * 521 * Negatively instantiate a key that's in the uninstantiated state and, if 522 * successful, set its timeout and stored error and link it in to the 523 * destination keyring if one is supplied. The key and any links to the key 524 * will be automatically garbage collected after the timeout expires. 525 * 526 * Negative keys are used to rate limit repeated request_key() calls by causing 527 * them to return the stored error code (typically ENOKEY) until the negative 528 * key expires. 529 * 530 * If successful, 0 is returned, the authorisation token is revoked and anyone 531 * waiting for the key is woken up. If the key was already instantiated, 532 * -EBUSY will be returned. 533 */ 534 int key_reject_and_link(struct key *key, 535 unsigned timeout, 536 unsigned error, 537 struct key *keyring, 538 struct key *authkey) 539 { 540 unsigned long prealloc; 541 struct timespec now; 542 int ret, awaken, link_ret = 0; 543 544 key_check(key); 545 key_check(keyring); 546 547 awaken = 0; 548 ret = -EBUSY; 549 550 if (keyring) 551 link_ret = __key_link_begin(keyring, key->type, 552 key->description, &prealloc); 553 554 mutex_lock(&key_construction_mutex); 555 556 /* can't instantiate twice */ 557 if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 558 /* mark the key as being negatively instantiated */ 559 atomic_inc(&key->user->nikeys); 560 set_bit(KEY_FLAG_NEGATIVE, &key->flags); 561 set_bit(KEY_FLAG_INSTANTIATED, &key->flags); 562 key->type_data.reject_error = -error; 563 now = current_kernel_time(); 564 key->expiry = now.tv_sec + timeout; 565 key_schedule_gc(key->expiry + key_gc_delay); 566 567 if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) 568 awaken = 1; 569 570 ret = 0; 571 572 /* and link it into the destination keyring */ 573 if (keyring && link_ret == 0) 574 __key_link(keyring, key, &prealloc); 575 576 /* disable the authorisation key */ 577 if (authkey) 578 key_revoke(authkey); 579 } 580 581 mutex_unlock(&key_construction_mutex); 582 583 if (keyring) 584 __key_link_end(keyring, key->type, prealloc); 585 586 /* wake up anyone waiting for a key to be constructed */ 587 if (awaken) 588 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); 589 590 return ret == 0 ? link_ret : ret; 591 } 592 EXPORT_SYMBOL(key_reject_and_link); 593 594 /* 595 * Garbage collect keys in process context so that we don't have to disable 596 * interrupts all over the place. 597 * 598 * key_put() schedules this rather than trying to do the cleanup itself, which 599 * means key_put() doesn't have to sleep. 600 */ 601 static void key_cleanup(struct work_struct *work) 602 { 603 struct rb_node *_n; 604 struct key *key; 605 606 go_again: 607 /* look for a dead key in the tree */ 608 spin_lock(&key_serial_lock); 609 610 for (_n = rb_first(&key_serial_tree); _n; _n = rb_next(_n)) { 611 key = rb_entry(_n, struct key, serial_node); 612 613 if (atomic_read(&key->usage) == 0) 614 goto found_dead_key; 615 } 616 617 spin_unlock(&key_serial_lock); 618 return; 619 620 found_dead_key: 621 /* we found a dead key - once we've removed it from the tree, we can 622 * drop the lock */ 623 rb_erase(&key->serial_node, &key_serial_tree); 624 spin_unlock(&key_serial_lock); 625 626 key_check(key); 627 628 security_key_free(key); 629 630 /* deal with the user's key tracking and quota */ 631 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 632 spin_lock(&key->user->lock); 633 key->user->qnkeys--; 634 key->user->qnbytes -= key->quotalen; 635 spin_unlock(&key->user->lock); 636 } 637 638 atomic_dec(&key->user->nkeys); 639 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) 640 atomic_dec(&key->user->nikeys); 641 642 key_user_put(key->user); 643 644 /* now throw away the key memory */ 645 if (key->type->destroy) 646 key->type->destroy(key); 647 648 kfree(key->description); 649 650 #ifdef KEY_DEBUGGING 651 key->magic = KEY_DEBUG_MAGIC_X; 652 #endif 653 kmem_cache_free(key_jar, key); 654 655 /* there may, of course, be more than one key to destroy */ 656 goto go_again; 657 } 658 659 /** 660 * key_put - Discard a reference to a key. 661 * @key: The key to discard a reference from. 662 * 663 * Discard a reference to a key, and when all the references are gone, we 664 * schedule the cleanup task to come and pull it out of the tree in process 665 * context at some later time. 666 */ 667 void key_put(struct key *key) 668 { 669 if (key) { 670 key_check(key); 671 672 if (atomic_dec_and_test(&key->usage)) 673 schedule_work(&key_cleanup_task); 674 } 675 } 676 EXPORT_SYMBOL(key_put); 677 678 /* 679 * Find a key by its serial number. 680 */ 681 struct key *key_lookup(key_serial_t id) 682 { 683 struct rb_node *n; 684 struct key *key; 685 686 spin_lock(&key_serial_lock); 687 688 /* search the tree for the specified key */ 689 n = key_serial_tree.rb_node; 690 while (n) { 691 key = rb_entry(n, struct key, serial_node); 692 693 if (id < key->serial) 694 n = n->rb_left; 695 else if (id > key->serial) 696 n = n->rb_right; 697 else 698 goto found; 699 } 700 701 not_found: 702 key = ERR_PTR(-ENOKEY); 703 goto error; 704 705 found: 706 /* pretend it doesn't exist if it is awaiting deletion */ 707 if (atomic_read(&key->usage) == 0) 708 goto not_found; 709 710 /* this races with key_put(), but that doesn't matter since key_put() 711 * doesn't actually change the key 712 */ 713 atomic_inc(&key->usage); 714 715 error: 716 spin_unlock(&key_serial_lock); 717 return key; 718 } 719 720 /* 721 * Find and lock the specified key type against removal. 722 * 723 * We return with the sem read-locked if successful. If the type wasn't 724 * available -ENOKEY is returned instead. 725 */ 726 struct key_type *key_type_lookup(const char *type) 727 { 728 struct key_type *ktype; 729 730 down_read(&key_types_sem); 731 732 /* look up the key type to see if it's one of the registered kernel 733 * types */ 734 list_for_each_entry(ktype, &key_types_list, link) { 735 if (strcmp(ktype->name, type) == 0) 736 goto found_kernel_type; 737 } 738 739 up_read(&key_types_sem); 740 ktype = ERR_PTR(-ENOKEY); 741 742 found_kernel_type: 743 return ktype; 744 } 745 746 /* 747 * Unlock a key type locked by key_type_lookup(). 748 */ 749 void key_type_put(struct key_type *ktype) 750 { 751 up_read(&key_types_sem); 752 } 753 754 /* 755 * Attempt to update an existing key. 756 * 757 * The key is given to us with an incremented refcount that we need to discard 758 * if we get an error. 759 */ 760 static inline key_ref_t __key_update(key_ref_t key_ref, 761 const void *payload, size_t plen) 762 { 763 struct key *key = key_ref_to_ptr(key_ref); 764 int ret; 765 766 /* need write permission on the key to update it */ 767 ret = key_permission(key_ref, KEY_WRITE); 768 if (ret < 0) 769 goto error; 770 771 ret = -EEXIST; 772 if (!key->type->update) 773 goto error; 774 775 down_write(&key->sem); 776 777 ret = key->type->update(key, payload, plen); 778 if (ret == 0) 779 /* updating a negative key instantiates it */ 780 clear_bit(KEY_FLAG_NEGATIVE, &key->flags); 781 782 up_write(&key->sem); 783 784 if (ret < 0) 785 goto error; 786 out: 787 return key_ref; 788 789 error: 790 key_put(key); 791 key_ref = ERR_PTR(ret); 792 goto out; 793 } 794 795 /** 796 * key_create_or_update - Update or create and instantiate a key. 797 * @keyring_ref: A pointer to the destination keyring with possession flag. 798 * @type: The type of key. 799 * @description: The searchable description for the key. 800 * @payload: The data to use to instantiate or update the key. 801 * @plen: The length of @payload. 802 * @perm: The permissions mask for a new key. 803 * @flags: The quota flags for a new key. 804 * 805 * Search the destination keyring for a key of the same description and if one 806 * is found, update it, otherwise create and instantiate a new one and create a 807 * link to it from that keyring. 808 * 809 * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be 810 * concocted. 811 * 812 * Returns a pointer to the new key if successful, -ENODEV if the key type 813 * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the 814 * caller isn't permitted to modify the keyring or the LSM did not permit 815 * creation of the key. 816 * 817 * On success, the possession flag from the keyring ref will be tacked on to 818 * the key ref before it is returned. 819 */ 820 key_ref_t key_create_or_update(key_ref_t keyring_ref, 821 const char *type, 822 const char *description, 823 const void *payload, 824 size_t plen, 825 key_perm_t perm, 826 unsigned long flags) 827 { 828 unsigned long prealloc; 829 const struct cred *cred = current_cred(); 830 struct key_type *ktype; 831 struct key *keyring, *key = NULL; 832 key_ref_t key_ref; 833 int ret; 834 835 /* look up the key type to see if it's one of the registered kernel 836 * types */ 837 ktype = key_type_lookup(type); 838 if (IS_ERR(ktype)) { 839 key_ref = ERR_PTR(-ENODEV); 840 goto error; 841 } 842 843 key_ref = ERR_PTR(-EINVAL); 844 if (!ktype->match || !ktype->instantiate) 845 goto error_2; 846 847 keyring = key_ref_to_ptr(keyring_ref); 848 849 key_check(keyring); 850 851 key_ref = ERR_PTR(-ENOTDIR); 852 if (keyring->type != &key_type_keyring) 853 goto error_2; 854 855 ret = __key_link_begin(keyring, ktype, description, &prealloc); 856 if (ret < 0) 857 goto error_2; 858 859 /* if we're going to allocate a new key, we're going to have 860 * to modify the keyring */ 861 ret = key_permission(keyring_ref, KEY_WRITE); 862 if (ret < 0) { 863 key_ref = ERR_PTR(ret); 864 goto error_3; 865 } 866 867 /* if it's possible to update this type of key, search for an existing 868 * key of the same type and description in the destination keyring and 869 * update that instead if possible 870 */ 871 if (ktype->update) { 872 key_ref = __keyring_search_one(keyring_ref, ktype, description, 873 0); 874 if (!IS_ERR(key_ref)) 875 goto found_matching_key; 876 } 877 878 /* if the client doesn't provide, decide on the permissions we want */ 879 if (perm == KEY_PERM_UNDEF) { 880 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; 881 perm |= KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK | KEY_USR_SETATTR; 882 883 if (ktype->read) 884 perm |= KEY_POS_READ | KEY_USR_READ; 885 886 if (ktype == &key_type_keyring || ktype->update) 887 perm |= KEY_USR_WRITE; 888 } 889 890 /* allocate a new key */ 891 key = key_alloc(ktype, description, cred->fsuid, cred->fsgid, cred, 892 perm, flags); 893 if (IS_ERR(key)) { 894 key_ref = ERR_CAST(key); 895 goto error_3; 896 } 897 898 /* instantiate it and link it into the target keyring */ 899 ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL, 900 &prealloc); 901 if (ret < 0) { 902 key_put(key); 903 key_ref = ERR_PTR(ret); 904 goto error_3; 905 } 906 907 key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); 908 909 error_3: 910 __key_link_end(keyring, ktype, prealloc); 911 error_2: 912 key_type_put(ktype); 913 error: 914 return key_ref; 915 916 found_matching_key: 917 /* we found a matching key, so we're going to try to update it 918 * - we can drop the locks first as we have the key pinned 919 */ 920 __key_link_end(keyring, ktype, prealloc); 921 key_type_put(ktype); 922 923 key_ref = __key_update(key_ref, payload, plen); 924 goto error; 925 } 926 EXPORT_SYMBOL(key_create_or_update); 927 928 /** 929 * key_update - Update a key's contents. 930 * @key_ref: The pointer (plus possession flag) to the key. 931 * @payload: The data to be used to update the key. 932 * @plen: The length of @payload. 933 * 934 * Attempt to update the contents of a key with the given payload data. The 935 * caller must be granted Write permission on the key. Negative keys can be 936 * instantiated by this method. 937 * 938 * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key 939 * type does not support updating. The key type may return other errors. 940 */ 941 int key_update(key_ref_t key_ref, const void *payload, size_t plen) 942 { 943 struct key *key = key_ref_to_ptr(key_ref); 944 int ret; 945 946 key_check(key); 947 948 /* the key must be writable */ 949 ret = key_permission(key_ref, KEY_WRITE); 950 if (ret < 0) 951 goto error; 952 953 /* attempt to update it if supported */ 954 ret = -EOPNOTSUPP; 955 if (key->type->update) { 956 down_write(&key->sem); 957 958 ret = key->type->update(key, payload, plen); 959 if (ret == 0) 960 /* updating a negative key instantiates it */ 961 clear_bit(KEY_FLAG_NEGATIVE, &key->flags); 962 963 up_write(&key->sem); 964 } 965 966 error: 967 return ret; 968 } 969 EXPORT_SYMBOL(key_update); 970 971 /** 972 * key_revoke - Revoke a key. 973 * @key: The key to be revoked. 974 * 975 * Mark a key as being revoked and ask the type to free up its resources. The 976 * revocation timeout is set and the key and all its links will be 977 * automatically garbage collected after key_gc_delay amount of time if they 978 * are not manually dealt with first. 979 */ 980 void key_revoke(struct key *key) 981 { 982 struct timespec now; 983 time_t time; 984 985 key_check(key); 986 987 /* make sure no one's trying to change or use the key when we mark it 988 * - we tell lockdep that we might nest because we might be revoking an 989 * authorisation key whilst holding the sem on a key we've just 990 * instantiated 991 */ 992 down_write_nested(&key->sem, 1); 993 if (!test_and_set_bit(KEY_FLAG_REVOKED, &key->flags) && 994 key->type->revoke) 995 key->type->revoke(key); 996 997 /* set the death time to no more than the expiry time */ 998 now = current_kernel_time(); 999 time = now.tv_sec; 1000 if (key->revoked_at == 0 || key->revoked_at > time) { 1001 key->revoked_at = time; 1002 key_schedule_gc(key->revoked_at + key_gc_delay); 1003 } 1004 1005 up_write(&key->sem); 1006 } 1007 EXPORT_SYMBOL(key_revoke); 1008 1009 /** 1010 * register_key_type - Register a type of key. 1011 * @ktype: The new key type. 1012 * 1013 * Register a new key type. 1014 * 1015 * Returns 0 on success or -EEXIST if a type of this name already exists. 1016 */ 1017 int register_key_type(struct key_type *ktype) 1018 { 1019 struct key_type *p; 1020 int ret; 1021 1022 ret = -EEXIST; 1023 down_write(&key_types_sem); 1024 1025 /* disallow key types with the same name */ 1026 list_for_each_entry(p, &key_types_list, link) { 1027 if (strcmp(p->name, ktype->name) == 0) 1028 goto out; 1029 } 1030 1031 /* store the type */ 1032 list_add(&ktype->link, &key_types_list); 1033 ret = 0; 1034 1035 out: 1036 up_write(&key_types_sem); 1037 return ret; 1038 } 1039 EXPORT_SYMBOL(register_key_type); 1040 1041 /** 1042 * unregister_key_type - Unregister a type of key. 1043 * @ktype: The key type. 1044 * 1045 * Unregister a key type and mark all the extant keys of this type as dead. 1046 * Those keys of this type are then destroyed to get rid of their payloads and 1047 * they and their links will be garbage collected as soon as possible. 1048 */ 1049 void unregister_key_type(struct key_type *ktype) 1050 { 1051 struct rb_node *_n; 1052 struct key *key; 1053 1054 down_write(&key_types_sem); 1055 1056 /* withdraw the key type */ 1057 list_del_init(&ktype->link); 1058 1059 /* mark all the keys of this type dead */ 1060 spin_lock(&key_serial_lock); 1061 1062 for (_n = rb_first(&key_serial_tree); _n; _n = rb_next(_n)) { 1063 key = rb_entry(_n, struct key, serial_node); 1064 1065 if (key->type == ktype) { 1066 key->type = &key_type_dead; 1067 set_bit(KEY_FLAG_DEAD, &key->flags); 1068 } 1069 } 1070 1071 spin_unlock(&key_serial_lock); 1072 1073 /* make sure everyone revalidates their keys */ 1074 synchronize_rcu(); 1075 1076 /* we should now be able to destroy the payloads of all the keys of 1077 * this type with impunity */ 1078 spin_lock(&key_serial_lock); 1079 1080 for (_n = rb_first(&key_serial_tree); _n; _n = rb_next(_n)) { 1081 key = rb_entry(_n, struct key, serial_node); 1082 1083 if (key->type == ktype) { 1084 if (ktype->destroy) 1085 ktype->destroy(key); 1086 memset(&key->payload, KEY_DESTROY, sizeof(key->payload)); 1087 } 1088 } 1089 1090 spin_unlock(&key_serial_lock); 1091 up_write(&key_types_sem); 1092 1093 key_schedule_gc(0); 1094 } 1095 EXPORT_SYMBOL(unregister_key_type); 1096 1097 /* 1098 * Initialise the key management state. 1099 */ 1100 void __init key_init(void) 1101 { 1102 /* allocate a slab in which we can store keys */ 1103 key_jar = kmem_cache_create("key_jar", sizeof(struct key), 1104 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); 1105 1106 /* add the special key types */ 1107 list_add_tail(&key_type_keyring.link, &key_types_list); 1108 list_add_tail(&key_type_dead.link, &key_types_list); 1109 list_add_tail(&key_type_user.link, &key_types_list); 1110 1111 /* record the root user tracking */ 1112 rb_link_node(&root_key_user.node, 1113 NULL, 1114 &key_user_tree.rb_node); 1115 1116 rb_insert_color(&root_key_user.node, 1117 &key_user_tree); 1118 } 1119