1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Basic authentication token and access key management 3 * 4 * Copyright (C) 2004-2008 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/export.h> 9 #include <linux/init.h> 10 #include <linux/poison.h> 11 #include <linux/sched.h> 12 #include <linux/slab.h> 13 #include <linux/security.h> 14 #include <linux/workqueue.h> 15 #include <linux/random.h> 16 #include <linux/err.h> 17 #include "internal.h" 18 19 struct kmem_cache *key_jar; 20 struct rb_root key_serial_tree; /* tree of keys indexed by serial */ 21 DEFINE_SPINLOCK(key_serial_lock); 22 23 struct rb_root key_user_tree; /* tree of quota records indexed by UID */ 24 DEFINE_SPINLOCK(key_user_lock); 25 26 unsigned int key_quota_root_maxkeys = 1000000; /* root's key count quota */ 27 unsigned int key_quota_root_maxbytes = 25000000; /* root's key space quota */ 28 unsigned int key_quota_maxkeys = 200; /* general key count quota */ 29 unsigned int key_quota_maxbytes = 20000; /* general key space quota */ 30 31 static LIST_HEAD(key_types_list); 32 static DECLARE_RWSEM(key_types_sem); 33 34 /* We serialise key instantiation and link */ 35 DEFINE_MUTEX(key_construction_mutex); 36 37 #ifdef KEY_DEBUGGING 38 void __key_check(const struct key *key) 39 { 40 printk("__key_check: key %p {%08x} should be {%08x}\n", 41 key, key->magic, KEY_DEBUG_MAGIC); 42 BUG(); 43 } 44 #endif 45 46 /* 47 * Get the key quota record for a user, allocating a new record if one doesn't 48 * already exist. 49 */ 50 struct key_user *key_user_lookup(kuid_t uid) 51 { 52 struct key_user *candidate = NULL, *user; 53 struct rb_node *parent, **p; 54 55 try_again: 56 parent = NULL; 57 p = &key_user_tree.rb_node; 58 spin_lock(&key_user_lock); 59 60 /* search the tree for a user record with a matching UID */ 61 while (*p) { 62 parent = *p; 63 user = rb_entry(parent, struct key_user, node); 64 65 if (uid_lt(uid, user->uid)) 66 p = &(*p)->rb_left; 67 else if (uid_gt(uid, user->uid)) 68 p = &(*p)->rb_right; 69 else 70 goto found; 71 } 72 73 /* if we get here, we failed to find a match in the tree */ 74 if (!candidate) { 75 /* allocate a candidate user record if we don't already have 76 * one */ 77 spin_unlock(&key_user_lock); 78 79 user = NULL; 80 candidate = kmalloc(sizeof(struct key_user), GFP_KERNEL); 81 if (unlikely(!candidate)) 82 goto out; 83 84 /* the allocation may have scheduled, so we need to repeat the 85 * search lest someone else added the record whilst we were 86 * asleep */ 87 goto try_again; 88 } 89 90 /* if we get here, then the user record still hadn't appeared on the 91 * second pass - so we use the candidate record */ 92 refcount_set(&candidate->usage, 1); 93 atomic_set(&candidate->nkeys, 0); 94 atomic_set(&candidate->nikeys, 0); 95 candidate->uid = uid; 96 candidate->qnkeys = 0; 97 candidate->qnbytes = 0; 98 spin_lock_init(&candidate->lock); 99 mutex_init(&candidate->cons_lock); 100 101 rb_link_node(&candidate->node, parent, p); 102 rb_insert_color(&candidate->node, &key_user_tree); 103 spin_unlock(&key_user_lock); 104 user = candidate; 105 goto out; 106 107 /* okay - we found a user record for this UID */ 108 found: 109 refcount_inc(&user->usage); 110 spin_unlock(&key_user_lock); 111 kfree(candidate); 112 out: 113 return user; 114 } 115 116 /* 117 * Dispose of a user structure 118 */ 119 void key_user_put(struct key_user *user) 120 { 121 if (refcount_dec_and_lock(&user->usage, &key_user_lock)) { 122 rb_erase(&user->node, &key_user_tree); 123 spin_unlock(&key_user_lock); 124 125 kfree(user); 126 } 127 } 128 129 /* 130 * Allocate a serial number for a key. These are assigned randomly to avoid 131 * security issues through covert channel problems. 132 */ 133 static inline void key_alloc_serial(struct key *key) 134 { 135 struct rb_node *parent, **p; 136 struct key *xkey; 137 138 /* propose a random serial number and look for a hole for it in the 139 * serial number tree */ 140 do { 141 get_random_bytes(&key->serial, sizeof(key->serial)); 142 143 key->serial >>= 1; /* negative numbers are not permitted */ 144 } while (key->serial < 3); 145 146 spin_lock(&key_serial_lock); 147 148 attempt_insertion: 149 parent = NULL; 150 p = &key_serial_tree.rb_node; 151 152 while (*p) { 153 parent = *p; 154 xkey = rb_entry(parent, struct key, serial_node); 155 156 if (key->serial < xkey->serial) 157 p = &(*p)->rb_left; 158 else if (key->serial > xkey->serial) 159 p = &(*p)->rb_right; 160 else 161 goto serial_exists; 162 } 163 164 /* we've found a suitable hole - arrange for this key to occupy it */ 165 rb_link_node(&key->serial_node, parent, p); 166 rb_insert_color(&key->serial_node, &key_serial_tree); 167 168 spin_unlock(&key_serial_lock); 169 return; 170 171 /* we found a key with the proposed serial number - walk the tree from 172 * that point looking for the next unused serial number */ 173 serial_exists: 174 for (;;) { 175 key->serial++; 176 if (key->serial < 3) { 177 key->serial = 3; 178 goto attempt_insertion; 179 } 180 181 parent = rb_next(parent); 182 if (!parent) 183 goto attempt_insertion; 184 185 xkey = rb_entry(parent, struct key, serial_node); 186 if (key->serial < xkey->serial) 187 goto attempt_insertion; 188 } 189 } 190 191 /** 192 * key_alloc - Allocate a key of the specified type. 193 * @type: The type of key to allocate. 194 * @desc: The key description to allow the key to be searched out. 195 * @uid: The owner of the new key. 196 * @gid: The group ID for the new key's group permissions. 197 * @cred: The credentials specifying UID namespace. 198 * @perm: The permissions mask of the new key. 199 * @flags: Flags specifying quota properties. 200 * @restrict_link: Optional link restriction for new keyrings. 201 * 202 * Allocate a key of the specified type with the attributes given. The key is 203 * returned in an uninstantiated state and the caller needs to instantiate the 204 * key before returning. 205 * 206 * The restrict_link structure (if not NULL) will be freed when the 207 * keyring is destroyed, so it must be dynamically allocated. 208 * 209 * The user's key count quota is updated to reflect the creation of the key and 210 * the user's key data quota has the default for the key type reserved. The 211 * instantiation function should amend this as necessary. If insufficient 212 * quota is available, -EDQUOT will be returned. 213 * 214 * The LSM security modules can prevent a key being created, in which case 215 * -EACCES will be returned. 216 * 217 * Returns a pointer to the new key if successful and an error code otherwise. 218 * 219 * Note that the caller needs to ensure the key type isn't uninstantiated. 220 * Internally this can be done by locking key_types_sem. Externally, this can 221 * be done by either never unregistering the key type, or making sure 222 * key_alloc() calls don't race with module unloading. 223 */ 224 struct key *key_alloc(struct key_type *type, const char *desc, 225 kuid_t uid, kgid_t gid, const struct cred *cred, 226 key_perm_t perm, unsigned long flags, 227 struct key_restriction *restrict_link) 228 { 229 struct key_user *user = NULL; 230 struct key *key; 231 size_t desclen, quotalen; 232 int ret; 233 234 key = ERR_PTR(-EINVAL); 235 if (!desc || !*desc) 236 goto error; 237 238 if (type->vet_description) { 239 ret = type->vet_description(desc); 240 if (ret < 0) { 241 key = ERR_PTR(ret); 242 goto error; 243 } 244 } 245 246 desclen = strlen(desc); 247 quotalen = desclen + 1 + type->def_datalen; 248 249 /* get hold of the key tracking for this user */ 250 user = key_user_lookup(uid); 251 if (!user) 252 goto no_memory_1; 253 254 /* check that the user's quota permits allocation of another key and 255 * its description */ 256 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 257 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 258 key_quota_root_maxkeys : key_quota_maxkeys; 259 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 260 key_quota_root_maxbytes : key_quota_maxbytes; 261 262 spin_lock(&user->lock); 263 if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) { 264 if (user->qnkeys + 1 > maxkeys || 265 user->qnbytes + quotalen > maxbytes || 266 user->qnbytes + quotalen < user->qnbytes) 267 goto no_quota; 268 } 269 270 user->qnkeys++; 271 user->qnbytes += quotalen; 272 spin_unlock(&user->lock); 273 } 274 275 /* allocate and initialise the key and its description */ 276 key = kmem_cache_zalloc(key_jar, GFP_KERNEL); 277 if (!key) 278 goto no_memory_2; 279 280 key->index_key.desc_len = desclen; 281 key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL); 282 if (!key->index_key.description) 283 goto no_memory_3; 284 key->index_key.type = type; 285 key_set_index_key(&key->index_key); 286 287 refcount_set(&key->usage, 1); 288 init_rwsem(&key->sem); 289 lockdep_set_class(&key->sem, &type->lock_class); 290 key->user = user; 291 key->quotalen = quotalen; 292 key->datalen = type->def_datalen; 293 key->uid = uid; 294 key->gid = gid; 295 key->perm = perm; 296 key->expiry = TIME64_MAX; 297 key->restrict_link = restrict_link; 298 key->last_used_at = ktime_get_real_seconds(); 299 300 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) 301 key->flags |= 1 << KEY_FLAG_IN_QUOTA; 302 if (flags & KEY_ALLOC_BUILT_IN) 303 key->flags |= 1 << KEY_FLAG_BUILTIN; 304 if (flags & KEY_ALLOC_UID_KEYRING) 305 key->flags |= 1 << KEY_FLAG_UID_KEYRING; 306 if (flags & KEY_ALLOC_SET_KEEP) 307 key->flags |= 1 << KEY_FLAG_KEEP; 308 309 #ifdef KEY_DEBUGGING 310 key->magic = KEY_DEBUG_MAGIC; 311 #endif 312 313 /* let the security module know about the key */ 314 ret = security_key_alloc(key, cred, flags); 315 if (ret < 0) 316 goto security_error; 317 318 /* publish the key by giving it a serial number */ 319 refcount_inc(&key->domain_tag->usage); 320 atomic_inc(&user->nkeys); 321 key_alloc_serial(key); 322 323 error: 324 return key; 325 326 security_error: 327 kfree(key->description); 328 kmem_cache_free(key_jar, key); 329 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 330 spin_lock(&user->lock); 331 user->qnkeys--; 332 user->qnbytes -= quotalen; 333 spin_unlock(&user->lock); 334 } 335 key_user_put(user); 336 key = ERR_PTR(ret); 337 goto error; 338 339 no_memory_3: 340 kmem_cache_free(key_jar, key); 341 no_memory_2: 342 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 343 spin_lock(&user->lock); 344 user->qnkeys--; 345 user->qnbytes -= quotalen; 346 spin_unlock(&user->lock); 347 } 348 key_user_put(user); 349 no_memory_1: 350 key = ERR_PTR(-ENOMEM); 351 goto error; 352 353 no_quota: 354 spin_unlock(&user->lock); 355 key_user_put(user); 356 key = ERR_PTR(-EDQUOT); 357 goto error; 358 } 359 EXPORT_SYMBOL(key_alloc); 360 361 /** 362 * key_payload_reserve - Adjust data quota reservation for the key's payload 363 * @key: The key to make the reservation for. 364 * @datalen: The amount of data payload the caller now wants. 365 * 366 * Adjust the amount of the owning user's key data quota that a key reserves. 367 * If the amount is increased, then -EDQUOT may be returned if there isn't 368 * enough free quota available. 369 * 370 * If successful, 0 is returned. 371 */ 372 int key_payload_reserve(struct key *key, size_t datalen) 373 { 374 int delta = (int)datalen - key->datalen; 375 int ret = 0; 376 377 key_check(key); 378 379 /* contemplate the quota adjustment */ 380 if (delta != 0 && test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 381 unsigned maxbytes = uid_eq(key->user->uid, GLOBAL_ROOT_UID) ? 382 key_quota_root_maxbytes : key_quota_maxbytes; 383 384 spin_lock(&key->user->lock); 385 386 if (delta > 0 && 387 (key->user->qnbytes + delta > maxbytes || 388 key->user->qnbytes + delta < key->user->qnbytes)) { 389 ret = -EDQUOT; 390 } 391 else { 392 key->user->qnbytes += delta; 393 key->quotalen += delta; 394 } 395 spin_unlock(&key->user->lock); 396 } 397 398 /* change the recorded data length if that didn't generate an error */ 399 if (ret == 0) 400 key->datalen = datalen; 401 402 return ret; 403 } 404 EXPORT_SYMBOL(key_payload_reserve); 405 406 /* 407 * Change the key state to being instantiated. 408 */ 409 static void mark_key_instantiated(struct key *key, int reject_error) 410 { 411 /* Commit the payload before setting the state; barrier versus 412 * key_read_state(). 413 */ 414 smp_store_release(&key->state, 415 (reject_error < 0) ? reject_error : KEY_IS_POSITIVE); 416 } 417 418 /* 419 * Instantiate a key and link it into the target keyring atomically. Must be 420 * called with the target keyring's semaphore writelocked. The target key's 421 * semaphore need not be locked as instantiation is serialised by 422 * key_construction_mutex. 423 */ 424 static int __key_instantiate_and_link(struct key *key, 425 struct key_preparsed_payload *prep, 426 struct key *keyring, 427 struct key *authkey, 428 struct assoc_array_edit **_edit) 429 { 430 int ret, awaken; 431 432 key_check(key); 433 key_check(keyring); 434 435 awaken = 0; 436 ret = -EBUSY; 437 438 mutex_lock(&key_construction_mutex); 439 440 /* can't instantiate twice */ 441 if (key->state == KEY_IS_UNINSTANTIATED) { 442 /* instantiate the key */ 443 ret = key->type->instantiate(key, prep); 444 445 if (ret == 0) { 446 /* mark the key as being instantiated */ 447 atomic_inc(&key->user->nikeys); 448 mark_key_instantiated(key, 0); 449 notify_key(key, NOTIFY_KEY_INSTANTIATED, 0); 450 451 if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) 452 awaken = 1; 453 454 /* and link it into the destination keyring */ 455 if (keyring) { 456 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 457 set_bit(KEY_FLAG_KEEP, &key->flags); 458 459 __key_link(keyring, key, _edit); 460 } 461 462 /* disable the authorisation key */ 463 if (authkey) 464 key_invalidate(authkey); 465 466 key_set_expiry(key, prep->expiry); 467 } 468 } 469 470 mutex_unlock(&key_construction_mutex); 471 472 /* wake up anyone waiting for a key to be constructed */ 473 if (awaken) 474 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); 475 476 return ret; 477 } 478 479 /** 480 * key_instantiate_and_link - Instantiate a key and link it into the keyring. 481 * @key: The key to instantiate. 482 * @data: The data to use to instantiate the keyring. 483 * @datalen: The length of @data. 484 * @keyring: Keyring to create a link in on success (or NULL). 485 * @authkey: The authorisation token permitting instantiation. 486 * 487 * Instantiate a key that's in the uninstantiated state using the provided data 488 * and, if successful, link it in to the destination keyring if one is 489 * supplied. 490 * 491 * If successful, 0 is returned, the authorisation token is revoked and anyone 492 * waiting for the key is woken up. If the key was already instantiated, 493 * -EBUSY will be returned. 494 */ 495 int key_instantiate_and_link(struct key *key, 496 const void *data, 497 size_t datalen, 498 struct key *keyring, 499 struct key *authkey) 500 { 501 struct key_preparsed_payload prep; 502 struct assoc_array_edit *edit = NULL; 503 int ret; 504 505 memset(&prep, 0, sizeof(prep)); 506 prep.orig_description = key->description; 507 prep.data = data; 508 prep.datalen = datalen; 509 prep.quotalen = key->type->def_datalen; 510 prep.expiry = TIME64_MAX; 511 if (key->type->preparse) { 512 ret = key->type->preparse(&prep); 513 if (ret < 0) 514 goto error; 515 } 516 517 if (keyring) { 518 ret = __key_link_lock(keyring, &key->index_key); 519 if (ret < 0) 520 goto error; 521 522 ret = __key_link_begin(keyring, &key->index_key, &edit); 523 if (ret < 0) 524 goto error_link_end; 525 526 if (keyring->restrict_link && keyring->restrict_link->check) { 527 struct key_restriction *keyres = keyring->restrict_link; 528 529 ret = keyres->check(keyring, key->type, &prep.payload, 530 keyres->key); 531 if (ret < 0) 532 goto error_link_end; 533 } 534 } 535 536 ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit); 537 538 error_link_end: 539 if (keyring) 540 __key_link_end(keyring, &key->index_key, edit); 541 542 error: 543 if (key->type->preparse) 544 key->type->free_preparse(&prep); 545 return ret; 546 } 547 548 EXPORT_SYMBOL(key_instantiate_and_link); 549 550 /** 551 * key_reject_and_link - Negatively instantiate a key and link it into the keyring. 552 * @key: The key to instantiate. 553 * @timeout: The timeout on the negative key. 554 * @error: The error to return when the key is hit. 555 * @keyring: Keyring to create a link in on success (or NULL). 556 * @authkey: The authorisation token permitting instantiation. 557 * 558 * Negatively instantiate a key that's in the uninstantiated state and, if 559 * successful, set its timeout and stored error and link it in to the 560 * destination keyring if one is supplied. The key and any links to the key 561 * will be automatically garbage collected after the timeout expires. 562 * 563 * Negative keys are used to rate limit repeated request_key() calls by causing 564 * them to return the stored error code (typically ENOKEY) until the negative 565 * key expires. 566 * 567 * If successful, 0 is returned, the authorisation token is revoked and anyone 568 * waiting for the key is woken up. If the key was already instantiated, 569 * -EBUSY will be returned. 570 */ 571 int key_reject_and_link(struct key *key, 572 unsigned timeout, 573 unsigned error, 574 struct key *keyring, 575 struct key *authkey) 576 { 577 struct assoc_array_edit *edit = NULL; 578 int ret, awaken, link_ret = 0; 579 580 key_check(key); 581 key_check(keyring); 582 583 awaken = 0; 584 ret = -EBUSY; 585 586 if (keyring) { 587 if (keyring->restrict_link) 588 return -EPERM; 589 590 link_ret = __key_link_lock(keyring, &key->index_key); 591 if (link_ret == 0) { 592 link_ret = __key_link_begin(keyring, &key->index_key, &edit); 593 if (link_ret < 0) 594 __key_link_end(keyring, &key->index_key, edit); 595 } 596 } 597 598 mutex_lock(&key_construction_mutex); 599 600 /* can't instantiate twice */ 601 if (key->state == KEY_IS_UNINSTANTIATED) { 602 /* mark the key as being negatively instantiated */ 603 atomic_inc(&key->user->nikeys); 604 mark_key_instantiated(key, -error); 605 notify_key(key, NOTIFY_KEY_INSTANTIATED, -error); 606 key_set_expiry(key, ktime_get_real_seconds() + timeout); 607 608 if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) 609 awaken = 1; 610 611 ret = 0; 612 613 /* and link it into the destination keyring */ 614 if (keyring && link_ret == 0) 615 __key_link(keyring, key, &edit); 616 617 /* disable the authorisation key */ 618 if (authkey) 619 key_invalidate(authkey); 620 } 621 622 mutex_unlock(&key_construction_mutex); 623 624 if (keyring && link_ret == 0) 625 __key_link_end(keyring, &key->index_key, edit); 626 627 /* wake up anyone waiting for a key to be constructed */ 628 if (awaken) 629 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); 630 631 return ret == 0 ? link_ret : ret; 632 } 633 EXPORT_SYMBOL(key_reject_and_link); 634 635 /** 636 * key_put - Discard a reference to a key. 637 * @key: The key to discard a reference from. 638 * 639 * Discard a reference to a key, and when all the references are gone, we 640 * schedule the cleanup task to come and pull it out of the tree in process 641 * context at some later time. 642 */ 643 void key_put(struct key *key) 644 { 645 if (key) { 646 key_check(key); 647 648 if (refcount_dec_and_test(&key->usage)) 649 schedule_work(&key_gc_work); 650 } 651 } 652 EXPORT_SYMBOL(key_put); 653 654 /* 655 * Find a key by its serial number. 656 */ 657 struct key *key_lookup(key_serial_t id) 658 { 659 struct rb_node *n; 660 struct key *key; 661 662 spin_lock(&key_serial_lock); 663 664 /* search the tree for the specified key */ 665 n = key_serial_tree.rb_node; 666 while (n) { 667 key = rb_entry(n, struct key, serial_node); 668 669 if (id < key->serial) 670 n = n->rb_left; 671 else if (id > key->serial) 672 n = n->rb_right; 673 else 674 goto found; 675 } 676 677 not_found: 678 key = ERR_PTR(-ENOKEY); 679 goto error; 680 681 found: 682 /* A key is allowed to be looked up only if someone still owns a 683 * reference to it - otherwise it's awaiting the gc. 684 */ 685 if (!refcount_inc_not_zero(&key->usage)) 686 goto not_found; 687 688 error: 689 spin_unlock(&key_serial_lock); 690 return key; 691 } 692 EXPORT_SYMBOL(key_lookup); 693 694 /* 695 * Find and lock the specified key type against removal. 696 * 697 * We return with the sem read-locked if successful. If the type wasn't 698 * available -ENOKEY is returned instead. 699 */ 700 struct key_type *key_type_lookup(const char *type) 701 { 702 struct key_type *ktype; 703 704 down_read(&key_types_sem); 705 706 /* look up the key type to see if it's one of the registered kernel 707 * types */ 708 list_for_each_entry(ktype, &key_types_list, link) { 709 if (strcmp(ktype->name, type) == 0) 710 goto found_kernel_type; 711 } 712 713 up_read(&key_types_sem); 714 ktype = ERR_PTR(-ENOKEY); 715 716 found_kernel_type: 717 return ktype; 718 } 719 720 void key_set_timeout(struct key *key, unsigned timeout) 721 { 722 time64_t expiry = TIME64_MAX; 723 724 /* make the changes with the locks held to prevent races */ 725 down_write(&key->sem); 726 727 if (timeout > 0) 728 expiry = ktime_get_real_seconds() + timeout; 729 key_set_expiry(key, expiry); 730 731 up_write(&key->sem); 732 } 733 EXPORT_SYMBOL_GPL(key_set_timeout); 734 735 /* 736 * Unlock a key type locked by key_type_lookup(). 737 */ 738 void key_type_put(struct key_type *ktype) 739 { 740 up_read(&key_types_sem); 741 } 742 743 /* 744 * Attempt to update an existing key. 745 * 746 * The key is given to us with an incremented refcount that we need to discard 747 * if we get an error. 748 */ 749 static inline key_ref_t __key_update(key_ref_t key_ref, 750 struct key_preparsed_payload *prep) 751 { 752 struct key *key = key_ref_to_ptr(key_ref); 753 int ret; 754 755 /* need write permission on the key to update it */ 756 ret = key_permission(key_ref, KEY_NEED_WRITE); 757 if (ret < 0) 758 goto error; 759 760 ret = -EEXIST; 761 if (!key->type->update) 762 goto error; 763 764 down_write(&key->sem); 765 766 ret = key->type->update(key, prep); 767 if (ret == 0) { 768 /* Updating a negative key positively instantiates it */ 769 mark_key_instantiated(key, 0); 770 notify_key(key, NOTIFY_KEY_UPDATED, 0); 771 } 772 773 up_write(&key->sem); 774 775 if (ret < 0) 776 goto error; 777 out: 778 return key_ref; 779 780 error: 781 key_put(key); 782 key_ref = ERR_PTR(ret); 783 goto out; 784 } 785 786 /* 787 * Create or potentially update a key. The combined logic behind 788 * key_create_or_update() and key_create() 789 */ 790 static key_ref_t __key_create_or_update(key_ref_t keyring_ref, 791 const char *type, 792 const char *description, 793 const void *payload, 794 size_t plen, 795 key_perm_t perm, 796 unsigned long flags, 797 bool allow_update) 798 { 799 struct keyring_index_key index_key = { 800 .description = description, 801 }; 802 struct key_preparsed_payload prep; 803 struct assoc_array_edit *edit = NULL; 804 const struct cred *cred = current_cred(); 805 struct key *keyring, *key = NULL; 806 key_ref_t key_ref; 807 int ret; 808 struct key_restriction *restrict_link = NULL; 809 810 /* look up the key type to see if it's one of the registered kernel 811 * types */ 812 index_key.type = key_type_lookup(type); 813 if (IS_ERR(index_key.type)) { 814 key_ref = ERR_PTR(-ENODEV); 815 goto error; 816 } 817 818 key_ref = ERR_PTR(-EINVAL); 819 if (!index_key.type->instantiate || 820 (!index_key.description && !index_key.type->preparse)) 821 goto error_put_type; 822 823 keyring = key_ref_to_ptr(keyring_ref); 824 825 key_check(keyring); 826 827 if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION)) 828 restrict_link = keyring->restrict_link; 829 830 key_ref = ERR_PTR(-ENOTDIR); 831 if (keyring->type != &key_type_keyring) 832 goto error_put_type; 833 834 memset(&prep, 0, sizeof(prep)); 835 prep.orig_description = description; 836 prep.data = payload; 837 prep.datalen = plen; 838 prep.quotalen = index_key.type->def_datalen; 839 prep.expiry = TIME64_MAX; 840 if (index_key.type->preparse) { 841 ret = index_key.type->preparse(&prep); 842 if (ret < 0) { 843 key_ref = ERR_PTR(ret); 844 goto error_free_prep; 845 } 846 if (!index_key.description) 847 index_key.description = prep.description; 848 key_ref = ERR_PTR(-EINVAL); 849 if (!index_key.description) 850 goto error_free_prep; 851 } 852 index_key.desc_len = strlen(index_key.description); 853 key_set_index_key(&index_key); 854 855 ret = __key_link_lock(keyring, &index_key); 856 if (ret < 0) { 857 key_ref = ERR_PTR(ret); 858 goto error_free_prep; 859 } 860 861 ret = __key_link_begin(keyring, &index_key, &edit); 862 if (ret < 0) { 863 key_ref = ERR_PTR(ret); 864 goto error_link_end; 865 } 866 867 if (restrict_link && restrict_link->check) { 868 ret = restrict_link->check(keyring, index_key.type, 869 &prep.payload, restrict_link->key); 870 if (ret < 0) { 871 key_ref = ERR_PTR(ret); 872 goto error_link_end; 873 } 874 } 875 876 /* if we're going to allocate a new key, we're going to have 877 * to modify the keyring */ 878 ret = key_permission(keyring_ref, KEY_NEED_WRITE); 879 if (ret < 0) { 880 key_ref = ERR_PTR(ret); 881 goto error_link_end; 882 } 883 884 /* if it's requested and possible to update this type of key, search 885 * for an existing key of the same type and description in the 886 * destination keyring and update that instead if possible 887 */ 888 if (allow_update) { 889 if (index_key.type->update) { 890 key_ref = find_key_to_update(keyring_ref, &index_key); 891 if (key_ref) 892 goto found_matching_key; 893 } 894 } else { 895 key_ref = find_key_to_update(keyring_ref, &index_key); 896 if (key_ref) { 897 key_ref_put(key_ref); 898 key_ref = ERR_PTR(-EEXIST); 899 goto error_link_end; 900 } 901 } 902 903 /* if the client doesn't provide, decide on the permissions we want */ 904 if (perm == KEY_PERM_UNDEF) { 905 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; 906 perm |= KEY_USR_VIEW; 907 908 if (index_key.type->read) 909 perm |= KEY_POS_READ; 910 911 if (index_key.type == &key_type_keyring || 912 index_key.type->update) 913 perm |= KEY_POS_WRITE; 914 } 915 916 /* allocate a new key */ 917 key = key_alloc(index_key.type, index_key.description, 918 cred->fsuid, cred->fsgid, cred, perm, flags, NULL); 919 if (IS_ERR(key)) { 920 key_ref = ERR_CAST(key); 921 goto error_link_end; 922 } 923 924 /* instantiate it and link it into the target keyring */ 925 ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &edit); 926 if (ret < 0) { 927 key_put(key); 928 key_ref = ERR_PTR(ret); 929 goto error_link_end; 930 } 931 932 security_key_post_create_or_update(keyring, key, payload, plen, flags, 933 true); 934 935 key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); 936 937 error_link_end: 938 __key_link_end(keyring, &index_key, edit); 939 error_free_prep: 940 if (index_key.type->preparse) 941 index_key.type->free_preparse(&prep); 942 error_put_type: 943 key_type_put(index_key.type); 944 error: 945 return key_ref; 946 947 found_matching_key: 948 /* we found a matching key, so we're going to try to update it 949 * - we can drop the locks first as we have the key pinned 950 */ 951 __key_link_end(keyring, &index_key, edit); 952 953 key = key_ref_to_ptr(key_ref); 954 if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) { 955 ret = wait_for_key_construction(key, true); 956 if (ret < 0) { 957 key_ref_put(key_ref); 958 key_ref = ERR_PTR(ret); 959 goto error_free_prep; 960 } 961 } 962 963 key_ref = __key_update(key_ref, &prep); 964 965 if (!IS_ERR(key_ref)) 966 security_key_post_create_or_update(keyring, key, payload, plen, 967 flags, false); 968 969 goto error_free_prep; 970 } 971 972 /** 973 * key_create_or_update - Update or create and instantiate a key. 974 * @keyring_ref: A pointer to the destination keyring with possession flag. 975 * @type: The type of key. 976 * @description: The searchable description for the key. 977 * @payload: The data to use to instantiate or update the key. 978 * @plen: The length of @payload. 979 * @perm: The permissions mask for a new key. 980 * @flags: The quota flags for a new key. 981 * 982 * Search the destination keyring for a key of the same description and if one 983 * is found, update it, otherwise create and instantiate a new one and create a 984 * link to it from that keyring. 985 * 986 * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be 987 * concocted. 988 * 989 * Returns a pointer to the new key if successful, -ENODEV if the key type 990 * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the 991 * caller isn't permitted to modify the keyring or the LSM did not permit 992 * creation of the key. 993 * 994 * On success, the possession flag from the keyring ref will be tacked on to 995 * the key ref before it is returned. 996 */ 997 key_ref_t key_create_or_update(key_ref_t keyring_ref, 998 const char *type, 999 const char *description, 1000 const void *payload, 1001 size_t plen, 1002 key_perm_t perm, 1003 unsigned long flags) 1004 { 1005 return __key_create_or_update(keyring_ref, type, description, payload, 1006 plen, perm, flags, true); 1007 } 1008 EXPORT_SYMBOL(key_create_or_update); 1009 1010 /** 1011 * key_create - Create and instantiate a key. 1012 * @keyring_ref: A pointer to the destination keyring with possession flag. 1013 * @type: The type of key. 1014 * @description: The searchable description for the key. 1015 * @payload: The data to use to instantiate or update the key. 1016 * @plen: The length of @payload. 1017 * @perm: The permissions mask for a new key. 1018 * @flags: The quota flags for a new key. 1019 * 1020 * Create and instantiate a new key and link to it from the destination keyring. 1021 * 1022 * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be 1023 * concocted. 1024 * 1025 * Returns a pointer to the new key if successful, -EEXIST if a key with the 1026 * same description already exists, -ENODEV if the key type wasn't available, 1027 * -ENOTDIR if the keyring wasn't a keyring, -EACCES if the caller isn't 1028 * permitted to modify the keyring or the LSM did not permit creation of the 1029 * key. 1030 * 1031 * On success, the possession flag from the keyring ref will be tacked on to 1032 * the key ref before it is returned. 1033 */ 1034 key_ref_t key_create(key_ref_t keyring_ref, 1035 const char *type, 1036 const char *description, 1037 const void *payload, 1038 size_t plen, 1039 key_perm_t perm, 1040 unsigned long flags) 1041 { 1042 return __key_create_or_update(keyring_ref, type, description, payload, 1043 plen, perm, flags, false); 1044 } 1045 EXPORT_SYMBOL(key_create); 1046 1047 /** 1048 * key_update - Update a key's contents. 1049 * @key_ref: The pointer (plus possession flag) to the key. 1050 * @payload: The data to be used to update the key. 1051 * @plen: The length of @payload. 1052 * 1053 * Attempt to update the contents of a key with the given payload data. The 1054 * caller must be granted Write permission on the key. Negative keys can be 1055 * instantiated by this method. 1056 * 1057 * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key 1058 * type does not support updating. The key type may return other errors. 1059 */ 1060 int key_update(key_ref_t key_ref, const void *payload, size_t plen) 1061 { 1062 struct key_preparsed_payload prep; 1063 struct key *key = key_ref_to_ptr(key_ref); 1064 int ret; 1065 1066 key_check(key); 1067 1068 /* the key must be writable */ 1069 ret = key_permission(key_ref, KEY_NEED_WRITE); 1070 if (ret < 0) 1071 return ret; 1072 1073 /* attempt to update it if supported */ 1074 if (!key->type->update) 1075 return -EOPNOTSUPP; 1076 1077 memset(&prep, 0, sizeof(prep)); 1078 prep.data = payload; 1079 prep.datalen = plen; 1080 prep.quotalen = key->type->def_datalen; 1081 prep.expiry = TIME64_MAX; 1082 if (key->type->preparse) { 1083 ret = key->type->preparse(&prep); 1084 if (ret < 0) 1085 goto error; 1086 } 1087 1088 down_write(&key->sem); 1089 1090 ret = key->type->update(key, &prep); 1091 if (ret == 0) { 1092 /* Updating a negative key positively instantiates it */ 1093 mark_key_instantiated(key, 0); 1094 notify_key(key, NOTIFY_KEY_UPDATED, 0); 1095 } 1096 1097 up_write(&key->sem); 1098 1099 error: 1100 if (key->type->preparse) 1101 key->type->free_preparse(&prep); 1102 return ret; 1103 } 1104 EXPORT_SYMBOL(key_update); 1105 1106 /** 1107 * key_revoke - Revoke a key. 1108 * @key: The key to be revoked. 1109 * 1110 * Mark a key as being revoked and ask the type to free up its resources. The 1111 * revocation timeout is set and the key and all its links will be 1112 * automatically garbage collected after key_gc_delay amount of time if they 1113 * are not manually dealt with first. 1114 */ 1115 void key_revoke(struct key *key) 1116 { 1117 time64_t time; 1118 1119 key_check(key); 1120 1121 /* make sure no one's trying to change or use the key when we mark it 1122 * - we tell lockdep that we might nest because we might be revoking an 1123 * authorisation key whilst holding the sem on a key we've just 1124 * instantiated 1125 */ 1126 down_write_nested(&key->sem, 1); 1127 if (!test_and_set_bit(KEY_FLAG_REVOKED, &key->flags)) { 1128 notify_key(key, NOTIFY_KEY_REVOKED, 0); 1129 if (key->type->revoke) 1130 key->type->revoke(key); 1131 1132 /* set the death time to no more than the expiry time */ 1133 time = ktime_get_real_seconds(); 1134 if (key->revoked_at == 0 || key->revoked_at > time) { 1135 key->revoked_at = time; 1136 key_schedule_gc(key->revoked_at + key_gc_delay); 1137 } 1138 } 1139 1140 up_write(&key->sem); 1141 } 1142 EXPORT_SYMBOL(key_revoke); 1143 1144 /** 1145 * key_invalidate - Invalidate a key. 1146 * @key: The key to be invalidated. 1147 * 1148 * Mark a key as being invalidated and have it cleaned up immediately. The key 1149 * is ignored by all searches and other operations from this point. 1150 */ 1151 void key_invalidate(struct key *key) 1152 { 1153 kenter("%d", key_serial(key)); 1154 1155 key_check(key); 1156 1157 if (!test_bit(KEY_FLAG_INVALIDATED, &key->flags)) { 1158 down_write_nested(&key->sem, 1); 1159 if (!test_and_set_bit(KEY_FLAG_INVALIDATED, &key->flags)) { 1160 notify_key(key, NOTIFY_KEY_INVALIDATED, 0); 1161 key_schedule_gc_links(); 1162 } 1163 up_write(&key->sem); 1164 } 1165 } 1166 EXPORT_SYMBOL(key_invalidate); 1167 1168 /** 1169 * generic_key_instantiate - Simple instantiation of a key from preparsed data 1170 * @key: The key to be instantiated 1171 * @prep: The preparsed data to load. 1172 * 1173 * Instantiate a key from preparsed data. We assume we can just copy the data 1174 * in directly and clear the old pointers. 1175 * 1176 * This can be pointed to directly by the key type instantiate op pointer. 1177 */ 1178 int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep) 1179 { 1180 int ret; 1181 1182 pr_devel("==>%s()\n", __func__); 1183 1184 ret = key_payload_reserve(key, prep->quotalen); 1185 if (ret == 0) { 1186 rcu_assign_keypointer(key, prep->payload.data[0]); 1187 key->payload.data[1] = prep->payload.data[1]; 1188 key->payload.data[2] = prep->payload.data[2]; 1189 key->payload.data[3] = prep->payload.data[3]; 1190 prep->payload.data[0] = NULL; 1191 prep->payload.data[1] = NULL; 1192 prep->payload.data[2] = NULL; 1193 prep->payload.data[3] = NULL; 1194 } 1195 pr_devel("<==%s() = %d\n", __func__, ret); 1196 return ret; 1197 } 1198 EXPORT_SYMBOL(generic_key_instantiate); 1199 1200 /** 1201 * register_key_type - Register a type of key. 1202 * @ktype: The new key type. 1203 * 1204 * Register a new key type. 1205 * 1206 * Returns 0 on success or -EEXIST if a type of this name already exists. 1207 */ 1208 int register_key_type(struct key_type *ktype) 1209 { 1210 struct key_type *p; 1211 int ret; 1212 1213 memset(&ktype->lock_class, 0, sizeof(ktype->lock_class)); 1214 1215 ret = -EEXIST; 1216 down_write(&key_types_sem); 1217 1218 /* disallow key types with the same name */ 1219 list_for_each_entry(p, &key_types_list, link) { 1220 if (strcmp(p->name, ktype->name) == 0) 1221 goto out; 1222 } 1223 1224 /* store the type */ 1225 list_add(&ktype->link, &key_types_list); 1226 1227 pr_notice("Key type %s registered\n", ktype->name); 1228 ret = 0; 1229 1230 out: 1231 up_write(&key_types_sem); 1232 return ret; 1233 } 1234 EXPORT_SYMBOL(register_key_type); 1235 1236 /** 1237 * unregister_key_type - Unregister a type of key. 1238 * @ktype: The key type. 1239 * 1240 * Unregister a key type and mark all the extant keys of this type as dead. 1241 * Those keys of this type are then destroyed to get rid of their payloads and 1242 * they and their links will be garbage collected as soon as possible. 1243 */ 1244 void unregister_key_type(struct key_type *ktype) 1245 { 1246 down_write(&key_types_sem); 1247 list_del_init(&ktype->link); 1248 downgrade_write(&key_types_sem); 1249 key_gc_keytype(ktype); 1250 pr_notice("Key type %s unregistered\n", ktype->name); 1251 up_read(&key_types_sem); 1252 } 1253 EXPORT_SYMBOL(unregister_key_type); 1254 1255 /* 1256 * Initialise the key management state. 1257 */ 1258 void __init key_init(void) 1259 { 1260 /* allocate a slab in which we can store keys */ 1261 key_jar = kmem_cache_create("key_jar", sizeof(struct key), 1262 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); 1263 1264 /* add the special key types */ 1265 list_add_tail(&key_type_keyring.link, &key_types_list); 1266 list_add_tail(&key_type_dead.link, &key_types_list); 1267 list_add_tail(&key_type_user.link, &key_types_list); 1268 list_add_tail(&key_type_logon.link, &key_types_list); 1269 1270 /* record the root user tracking */ 1271 rb_link_node(&root_key_user.node, 1272 NULL, 1273 &key_user_tree.rb_node); 1274 1275 rb_insert_color(&root_key_user.node, 1276 &key_user_tree); 1277 } 1278