1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Basic authentication token and access key management 3 * 4 * Copyright (C) 2004-2008 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/export.h> 9 #include <linux/init.h> 10 #include <linux/poison.h> 11 #include <linux/sched.h> 12 #include <linux/slab.h> 13 #include <linux/security.h> 14 #include <linux/workqueue.h> 15 #include <linux/random.h> 16 #include <linux/err.h> 17 #include "internal.h" 18 19 struct kmem_cache *key_jar; 20 struct rb_root key_serial_tree; /* tree of keys indexed by serial */ 21 DEFINE_SPINLOCK(key_serial_lock); 22 23 struct rb_root key_user_tree; /* tree of quota records indexed by UID */ 24 DEFINE_SPINLOCK(key_user_lock); 25 26 unsigned int key_quota_root_maxkeys = 1000000; /* root's key count quota */ 27 unsigned int key_quota_root_maxbytes = 25000000; /* root's key space quota */ 28 unsigned int key_quota_maxkeys = 200; /* general key count quota */ 29 unsigned int key_quota_maxbytes = 20000; /* general key space quota */ 30 31 static LIST_HEAD(key_types_list); 32 static DECLARE_RWSEM(key_types_sem); 33 34 /* We serialise key instantiation and link */ 35 DEFINE_MUTEX(key_construction_mutex); 36 37 #ifdef KEY_DEBUGGING 38 void __key_check(const struct key *key) 39 { 40 printk("__key_check: key %p {%08x} should be {%08x}\n", 41 key, key->magic, KEY_DEBUG_MAGIC); 42 BUG(); 43 } 44 #endif 45 46 /* 47 * Get the key quota record for a user, allocating a new record if one doesn't 48 * already exist. 49 */ 50 struct key_user *key_user_lookup(kuid_t uid) 51 { 52 struct key_user *candidate = NULL, *user; 53 struct rb_node *parent, **p; 54 55 try_again: 56 parent = NULL; 57 p = &key_user_tree.rb_node; 58 spin_lock(&key_user_lock); 59 60 /* search the tree for a user record with a matching UID */ 61 while (*p) { 62 parent = *p; 63 user = rb_entry(parent, struct key_user, node); 64 65 if (uid_lt(uid, user->uid)) 66 p = &(*p)->rb_left; 67 else if (uid_gt(uid, user->uid)) 68 p = &(*p)->rb_right; 69 else 70 goto found; 71 } 72 73 /* if we get here, we failed to find a match in the tree */ 74 if (!candidate) { 75 /* allocate a candidate user record if we don't already have 76 * one */ 77 spin_unlock(&key_user_lock); 78 79 user = NULL; 80 candidate = kmalloc(sizeof(struct key_user), GFP_KERNEL); 81 if (unlikely(!candidate)) 82 goto out; 83 84 /* the allocation may have scheduled, so we need to repeat the 85 * search lest someone else added the record whilst we were 86 * asleep */ 87 goto try_again; 88 } 89 90 /* if we get here, then the user record still hadn't appeared on the 91 * second pass - so we use the candidate record */ 92 refcount_set(&candidate->usage, 1); 93 atomic_set(&candidate->nkeys, 0); 94 atomic_set(&candidate->nikeys, 0); 95 candidate->uid = uid; 96 candidate->qnkeys = 0; 97 candidate->qnbytes = 0; 98 spin_lock_init(&candidate->lock); 99 mutex_init(&candidate->cons_lock); 100 101 rb_link_node(&candidate->node, parent, p); 102 rb_insert_color(&candidate->node, &key_user_tree); 103 spin_unlock(&key_user_lock); 104 user = candidate; 105 goto out; 106 107 /* okay - we found a user record for this UID */ 108 found: 109 refcount_inc(&user->usage); 110 spin_unlock(&key_user_lock); 111 kfree(candidate); 112 out: 113 return user; 114 } 115 116 /* 117 * Dispose of a user structure 118 */ 119 void key_user_put(struct key_user *user) 120 { 121 if (refcount_dec_and_lock(&user->usage, &key_user_lock)) { 122 rb_erase(&user->node, &key_user_tree); 123 spin_unlock(&key_user_lock); 124 125 kfree(user); 126 } 127 } 128 129 /* 130 * Allocate a serial number for a key. These are assigned randomly to avoid 131 * security issues through covert channel problems. 132 */ 133 static inline void key_alloc_serial(struct key *key) 134 { 135 struct rb_node *parent, **p; 136 struct key *xkey; 137 138 /* propose a random serial number and look for a hole for it in the 139 * serial number tree */ 140 do { 141 get_random_bytes(&key->serial, sizeof(key->serial)); 142 143 key->serial >>= 1; /* negative numbers are not permitted */ 144 } while (key->serial < 3); 145 146 spin_lock(&key_serial_lock); 147 148 attempt_insertion: 149 parent = NULL; 150 p = &key_serial_tree.rb_node; 151 152 while (*p) { 153 parent = *p; 154 xkey = rb_entry(parent, struct key, serial_node); 155 156 if (key->serial < xkey->serial) 157 p = &(*p)->rb_left; 158 else if (key->serial > xkey->serial) 159 p = &(*p)->rb_right; 160 else 161 goto serial_exists; 162 } 163 164 /* we've found a suitable hole - arrange for this key to occupy it */ 165 rb_link_node(&key->serial_node, parent, p); 166 rb_insert_color(&key->serial_node, &key_serial_tree); 167 168 spin_unlock(&key_serial_lock); 169 return; 170 171 /* we found a key with the proposed serial number - walk the tree from 172 * that point looking for the next unused serial number */ 173 serial_exists: 174 for (;;) { 175 key->serial++; 176 if (key->serial < 3) { 177 key->serial = 3; 178 goto attempt_insertion; 179 } 180 181 parent = rb_next(parent); 182 if (!parent) 183 goto attempt_insertion; 184 185 xkey = rb_entry(parent, struct key, serial_node); 186 if (key->serial < xkey->serial) 187 goto attempt_insertion; 188 } 189 } 190 191 /** 192 * key_alloc - Allocate a key of the specified type. 193 * @type: The type of key to allocate. 194 * @desc: The key description to allow the key to be searched out. 195 * @uid: The owner of the new key. 196 * @gid: The group ID for the new key's group permissions. 197 * @cred: The credentials specifying UID namespace. 198 * @perm: The permissions mask of the new key. 199 * @flags: Flags specifying quota properties. 200 * @restrict_link: Optional link restriction for new keyrings. 201 * 202 * Allocate a key of the specified type with the attributes given. The key is 203 * returned in an uninstantiated state and the caller needs to instantiate the 204 * key before returning. 205 * 206 * The restrict_link structure (if not NULL) will be freed when the 207 * keyring is destroyed, so it must be dynamically allocated. 208 * 209 * The user's key count quota is updated to reflect the creation of the key and 210 * the user's key data quota has the default for the key type reserved. The 211 * instantiation function should amend this as necessary. If insufficient 212 * quota is available, -EDQUOT will be returned. 213 * 214 * The LSM security modules can prevent a key being created, in which case 215 * -EACCES will be returned. 216 * 217 * Returns a pointer to the new key if successful and an error code otherwise. 218 * 219 * Note that the caller needs to ensure the key type isn't uninstantiated. 220 * Internally this can be done by locking key_types_sem. Externally, this can 221 * be done by either never unregistering the key type, or making sure 222 * key_alloc() calls don't race with module unloading. 223 */ 224 struct key *key_alloc(struct key_type *type, const char *desc, 225 kuid_t uid, kgid_t gid, const struct cred *cred, 226 key_perm_t perm, unsigned long flags, 227 struct key_restriction *restrict_link) 228 { 229 struct key_user *user = NULL; 230 struct key *key; 231 size_t desclen, quotalen; 232 int ret; 233 unsigned long irqflags; 234 235 key = ERR_PTR(-EINVAL); 236 if (!desc || !*desc) 237 goto error; 238 239 if (type->vet_description) { 240 ret = type->vet_description(desc); 241 if (ret < 0) { 242 key = ERR_PTR(ret); 243 goto error; 244 } 245 } 246 247 desclen = strlen(desc); 248 quotalen = desclen + 1 + type->def_datalen; 249 250 /* get hold of the key tracking for this user */ 251 user = key_user_lookup(uid); 252 if (!user) 253 goto no_memory_1; 254 255 /* check that the user's quota permits allocation of another key and 256 * its description */ 257 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 258 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 259 key_quota_root_maxkeys : key_quota_maxkeys; 260 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 261 key_quota_root_maxbytes : key_quota_maxbytes; 262 263 spin_lock_irqsave(&user->lock, irqflags); 264 if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) { 265 if (user->qnkeys + 1 > maxkeys || 266 user->qnbytes + quotalen > maxbytes || 267 user->qnbytes + quotalen < user->qnbytes) 268 goto no_quota; 269 } 270 271 user->qnkeys++; 272 user->qnbytes += quotalen; 273 spin_unlock_irqrestore(&user->lock, irqflags); 274 } 275 276 /* allocate and initialise the key and its description */ 277 key = kmem_cache_zalloc(key_jar, GFP_KERNEL); 278 if (!key) 279 goto no_memory_2; 280 281 key->index_key.desc_len = desclen; 282 key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL); 283 if (!key->index_key.description) 284 goto no_memory_3; 285 key->index_key.type = type; 286 key_set_index_key(&key->index_key); 287 288 refcount_set(&key->usage, 1); 289 init_rwsem(&key->sem); 290 lockdep_set_class(&key->sem, &type->lock_class); 291 key->user = user; 292 key->quotalen = quotalen; 293 key->datalen = type->def_datalen; 294 key->uid = uid; 295 key->gid = gid; 296 key->perm = perm; 297 key->expiry = TIME64_MAX; 298 key->restrict_link = restrict_link; 299 key->last_used_at = ktime_get_real_seconds(); 300 301 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) 302 key->flags |= 1 << KEY_FLAG_IN_QUOTA; 303 if (flags & KEY_ALLOC_BUILT_IN) 304 key->flags |= 1 << KEY_FLAG_BUILTIN; 305 if (flags & KEY_ALLOC_UID_KEYRING) 306 key->flags |= 1 << KEY_FLAG_UID_KEYRING; 307 if (flags & KEY_ALLOC_SET_KEEP) 308 key->flags |= 1 << KEY_FLAG_KEEP; 309 310 #ifdef KEY_DEBUGGING 311 key->magic = KEY_DEBUG_MAGIC; 312 #endif 313 314 /* let the security module know about the key */ 315 ret = security_key_alloc(key, cred, flags); 316 if (ret < 0) 317 goto security_error; 318 319 /* publish the key by giving it a serial number */ 320 refcount_inc(&key->domain_tag->usage); 321 atomic_inc(&user->nkeys); 322 key_alloc_serial(key); 323 324 error: 325 return key; 326 327 security_error: 328 kfree(key->description); 329 kmem_cache_free(key_jar, key); 330 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 331 spin_lock_irqsave(&user->lock, irqflags); 332 user->qnkeys--; 333 user->qnbytes -= quotalen; 334 spin_unlock_irqrestore(&user->lock, irqflags); 335 } 336 key_user_put(user); 337 key = ERR_PTR(ret); 338 goto error; 339 340 no_memory_3: 341 kmem_cache_free(key_jar, key); 342 no_memory_2: 343 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 344 spin_lock_irqsave(&user->lock, irqflags); 345 user->qnkeys--; 346 user->qnbytes -= quotalen; 347 spin_unlock_irqrestore(&user->lock, irqflags); 348 } 349 key_user_put(user); 350 no_memory_1: 351 key = ERR_PTR(-ENOMEM); 352 goto error; 353 354 no_quota: 355 spin_unlock_irqrestore(&user->lock, irqflags); 356 key_user_put(user); 357 key = ERR_PTR(-EDQUOT); 358 goto error; 359 } 360 EXPORT_SYMBOL(key_alloc); 361 362 /** 363 * key_payload_reserve - Adjust data quota reservation for the key's payload 364 * @key: The key to make the reservation for. 365 * @datalen: The amount of data payload the caller now wants. 366 * 367 * Adjust the amount of the owning user's key data quota that a key reserves. 368 * If the amount is increased, then -EDQUOT may be returned if there isn't 369 * enough free quota available. 370 * 371 * If successful, 0 is returned. 372 */ 373 int key_payload_reserve(struct key *key, size_t datalen) 374 { 375 int delta = (int)datalen - key->datalen; 376 int ret = 0; 377 378 key_check(key); 379 380 /* contemplate the quota adjustment */ 381 if (delta != 0 && test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 382 unsigned maxbytes = uid_eq(key->user->uid, GLOBAL_ROOT_UID) ? 383 key_quota_root_maxbytes : key_quota_maxbytes; 384 unsigned long flags; 385 386 spin_lock_irqsave(&key->user->lock, flags); 387 388 if (delta > 0 && 389 (key->user->qnbytes + delta > maxbytes || 390 key->user->qnbytes + delta < key->user->qnbytes)) { 391 ret = -EDQUOT; 392 } 393 else { 394 key->user->qnbytes += delta; 395 key->quotalen += delta; 396 } 397 spin_unlock_irqrestore(&key->user->lock, flags); 398 } 399 400 /* change the recorded data length if that didn't generate an error */ 401 if (ret == 0) 402 key->datalen = datalen; 403 404 return ret; 405 } 406 EXPORT_SYMBOL(key_payload_reserve); 407 408 /* 409 * Change the key state to being instantiated. 410 */ 411 static void mark_key_instantiated(struct key *key, int reject_error) 412 { 413 /* Commit the payload before setting the state; barrier versus 414 * key_read_state(). 415 */ 416 smp_store_release(&key->state, 417 (reject_error < 0) ? reject_error : KEY_IS_POSITIVE); 418 } 419 420 /* 421 * Instantiate a key and link it into the target keyring atomically. Must be 422 * called with the target keyring's semaphore writelocked. The target key's 423 * semaphore need not be locked as instantiation is serialised by 424 * key_construction_mutex. 425 */ 426 static int __key_instantiate_and_link(struct key *key, 427 struct key_preparsed_payload *prep, 428 struct key *keyring, 429 struct key *authkey, 430 struct assoc_array_edit **_edit) 431 { 432 int ret, awaken; 433 434 key_check(key); 435 key_check(keyring); 436 437 awaken = 0; 438 ret = -EBUSY; 439 440 mutex_lock(&key_construction_mutex); 441 442 /* can't instantiate twice */ 443 if (key->state == KEY_IS_UNINSTANTIATED) { 444 /* instantiate the key */ 445 ret = key->type->instantiate(key, prep); 446 447 if (ret == 0) { 448 /* mark the key as being instantiated */ 449 atomic_inc(&key->user->nikeys); 450 mark_key_instantiated(key, 0); 451 notify_key(key, NOTIFY_KEY_INSTANTIATED, 0); 452 453 if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) 454 awaken = 1; 455 456 /* and link it into the destination keyring */ 457 if (keyring) { 458 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 459 set_bit(KEY_FLAG_KEEP, &key->flags); 460 461 __key_link(keyring, key, _edit); 462 } 463 464 /* disable the authorisation key */ 465 if (authkey) 466 key_invalidate(authkey); 467 468 if (prep->expiry != TIME64_MAX) 469 key_set_expiry(key, prep->expiry); 470 } 471 } 472 473 mutex_unlock(&key_construction_mutex); 474 475 /* wake up anyone waiting for a key to be constructed */ 476 if (awaken) 477 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); 478 479 return ret; 480 } 481 482 /** 483 * key_instantiate_and_link - Instantiate a key and link it into the keyring. 484 * @key: The key to instantiate. 485 * @data: The data to use to instantiate the keyring. 486 * @datalen: The length of @data. 487 * @keyring: Keyring to create a link in on success (or NULL). 488 * @authkey: The authorisation token permitting instantiation. 489 * 490 * Instantiate a key that's in the uninstantiated state using the provided data 491 * and, if successful, link it in to the destination keyring if one is 492 * supplied. 493 * 494 * If successful, 0 is returned, the authorisation token is revoked and anyone 495 * waiting for the key is woken up. If the key was already instantiated, 496 * -EBUSY will be returned. 497 */ 498 int key_instantiate_and_link(struct key *key, 499 const void *data, 500 size_t datalen, 501 struct key *keyring, 502 struct key *authkey) 503 { 504 struct key_preparsed_payload prep; 505 struct assoc_array_edit *edit = NULL; 506 int ret; 507 508 memset(&prep, 0, sizeof(prep)); 509 prep.orig_description = key->description; 510 prep.data = data; 511 prep.datalen = datalen; 512 prep.quotalen = key->type->def_datalen; 513 prep.expiry = TIME64_MAX; 514 if (key->type->preparse) { 515 ret = key->type->preparse(&prep); 516 if (ret < 0) 517 goto error; 518 } 519 520 if (keyring) { 521 ret = __key_link_lock(keyring, &key->index_key); 522 if (ret < 0) 523 goto error; 524 525 ret = __key_link_begin(keyring, &key->index_key, &edit); 526 if (ret < 0) 527 goto error_link_end; 528 529 if (keyring->restrict_link && keyring->restrict_link->check) { 530 struct key_restriction *keyres = keyring->restrict_link; 531 532 ret = keyres->check(keyring, key->type, &prep.payload, 533 keyres->key); 534 if (ret < 0) 535 goto error_link_end; 536 } 537 } 538 539 ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit); 540 541 error_link_end: 542 if (keyring) 543 __key_link_end(keyring, &key->index_key, edit); 544 545 error: 546 if (key->type->preparse) 547 key->type->free_preparse(&prep); 548 return ret; 549 } 550 551 EXPORT_SYMBOL(key_instantiate_and_link); 552 553 /** 554 * key_reject_and_link - Negatively instantiate a key and link it into the keyring. 555 * @key: The key to instantiate. 556 * @timeout: The timeout on the negative key. 557 * @error: The error to return when the key is hit. 558 * @keyring: Keyring to create a link in on success (or NULL). 559 * @authkey: The authorisation token permitting instantiation. 560 * 561 * Negatively instantiate a key that's in the uninstantiated state and, if 562 * successful, set its timeout and stored error and link it in to the 563 * destination keyring if one is supplied. The key and any links to the key 564 * will be automatically garbage collected after the timeout expires. 565 * 566 * Negative keys are used to rate limit repeated request_key() calls by causing 567 * them to return the stored error code (typically ENOKEY) until the negative 568 * key expires. 569 * 570 * If successful, 0 is returned, the authorisation token is revoked and anyone 571 * waiting for the key is woken up. If the key was already instantiated, 572 * -EBUSY will be returned. 573 */ 574 int key_reject_and_link(struct key *key, 575 unsigned timeout, 576 unsigned error, 577 struct key *keyring, 578 struct key *authkey) 579 { 580 struct assoc_array_edit *edit = NULL; 581 int ret, awaken, link_ret = 0; 582 583 key_check(key); 584 key_check(keyring); 585 586 awaken = 0; 587 ret = -EBUSY; 588 589 if (keyring) { 590 if (keyring->restrict_link) 591 return -EPERM; 592 593 link_ret = __key_link_lock(keyring, &key->index_key); 594 if (link_ret == 0) { 595 link_ret = __key_link_begin(keyring, &key->index_key, &edit); 596 if (link_ret < 0) 597 __key_link_end(keyring, &key->index_key, edit); 598 } 599 } 600 601 mutex_lock(&key_construction_mutex); 602 603 /* can't instantiate twice */ 604 if (key->state == KEY_IS_UNINSTANTIATED) { 605 /* mark the key as being negatively instantiated */ 606 atomic_inc(&key->user->nikeys); 607 mark_key_instantiated(key, -error); 608 notify_key(key, NOTIFY_KEY_INSTANTIATED, -error); 609 key_set_expiry(key, ktime_get_real_seconds() + timeout); 610 611 if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) 612 awaken = 1; 613 614 ret = 0; 615 616 /* and link it into the destination keyring */ 617 if (keyring && link_ret == 0) 618 __key_link(keyring, key, &edit); 619 620 /* disable the authorisation key */ 621 if (authkey) 622 key_invalidate(authkey); 623 } 624 625 mutex_unlock(&key_construction_mutex); 626 627 if (keyring && link_ret == 0) 628 __key_link_end(keyring, &key->index_key, edit); 629 630 /* wake up anyone waiting for a key to be constructed */ 631 if (awaken) 632 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); 633 634 return ret == 0 ? link_ret : ret; 635 } 636 EXPORT_SYMBOL(key_reject_and_link); 637 638 /** 639 * key_put - Discard a reference to a key. 640 * @key: The key to discard a reference from. 641 * 642 * Discard a reference to a key, and when all the references are gone, we 643 * schedule the cleanup task to come and pull it out of the tree in process 644 * context at some later time. 645 */ 646 void key_put(struct key *key) 647 { 648 if (key) { 649 key_check(key); 650 651 if (refcount_dec_and_test(&key->usage)) { 652 unsigned long flags; 653 654 /* deal with the user's key tracking and quota */ 655 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 656 spin_lock_irqsave(&key->user->lock, flags); 657 key->user->qnkeys--; 658 key->user->qnbytes -= key->quotalen; 659 spin_unlock_irqrestore(&key->user->lock, flags); 660 } 661 smp_mb(); /* key->user before FINAL_PUT set. */ 662 set_bit(KEY_FLAG_FINAL_PUT, &key->flags); 663 schedule_work(&key_gc_work); 664 } 665 } 666 } 667 EXPORT_SYMBOL(key_put); 668 669 /* 670 * Find a key by its serial number. 671 */ 672 struct key *key_lookup(key_serial_t id) 673 { 674 struct rb_node *n; 675 struct key *key; 676 677 spin_lock(&key_serial_lock); 678 679 /* search the tree for the specified key */ 680 n = key_serial_tree.rb_node; 681 while (n) { 682 key = rb_entry(n, struct key, serial_node); 683 684 if (id < key->serial) 685 n = n->rb_left; 686 else if (id > key->serial) 687 n = n->rb_right; 688 else 689 goto found; 690 } 691 692 not_found: 693 key = ERR_PTR(-ENOKEY); 694 goto error; 695 696 found: 697 /* A key is allowed to be looked up only if someone still owns a 698 * reference to it - otherwise it's awaiting the gc. 699 */ 700 if (!refcount_inc_not_zero(&key->usage)) 701 goto not_found; 702 703 error: 704 spin_unlock(&key_serial_lock); 705 return key; 706 } 707 EXPORT_SYMBOL(key_lookup); 708 709 /* 710 * Find and lock the specified key type against removal. 711 * 712 * We return with the sem read-locked if successful. If the type wasn't 713 * available -ENOKEY is returned instead. 714 */ 715 struct key_type *key_type_lookup(const char *type) 716 { 717 struct key_type *ktype; 718 719 down_read(&key_types_sem); 720 721 /* look up the key type to see if it's one of the registered kernel 722 * types */ 723 list_for_each_entry(ktype, &key_types_list, link) { 724 if (strcmp(ktype->name, type) == 0) 725 goto found_kernel_type; 726 } 727 728 up_read(&key_types_sem); 729 ktype = ERR_PTR(-ENOKEY); 730 731 found_kernel_type: 732 return ktype; 733 } 734 735 void key_set_timeout(struct key *key, unsigned timeout) 736 { 737 time64_t expiry = TIME64_MAX; 738 739 /* make the changes with the locks held to prevent races */ 740 down_write(&key->sem); 741 742 if (timeout > 0) 743 expiry = ktime_get_real_seconds() + timeout; 744 key_set_expiry(key, expiry); 745 746 up_write(&key->sem); 747 } 748 EXPORT_SYMBOL_GPL(key_set_timeout); 749 750 /* 751 * Unlock a key type locked by key_type_lookup(). 752 */ 753 void key_type_put(struct key_type *ktype) 754 { 755 up_read(&key_types_sem); 756 } 757 758 /* 759 * Attempt to update an existing key. 760 * 761 * The key is given to us with an incremented refcount that we need to discard 762 * if we get an error. 763 */ 764 static inline key_ref_t __key_update(key_ref_t key_ref, 765 struct key_preparsed_payload *prep) 766 { 767 struct key *key = key_ref_to_ptr(key_ref); 768 int ret; 769 770 /* need write permission on the key to update it */ 771 ret = key_permission(key_ref, KEY_NEED_WRITE); 772 if (ret < 0) 773 goto error; 774 775 ret = -EEXIST; 776 if (!key->type->update) 777 goto error; 778 779 down_write(&key->sem); 780 781 ret = key->type->update(key, prep); 782 if (ret == 0) { 783 /* Updating a negative key positively instantiates it */ 784 mark_key_instantiated(key, 0); 785 notify_key(key, NOTIFY_KEY_UPDATED, 0); 786 } 787 788 up_write(&key->sem); 789 790 if (ret < 0) 791 goto error; 792 out: 793 return key_ref; 794 795 error: 796 key_put(key); 797 key_ref = ERR_PTR(ret); 798 goto out; 799 } 800 801 /* 802 * Create or potentially update a key. The combined logic behind 803 * key_create_or_update() and key_create() 804 */ 805 static key_ref_t __key_create_or_update(key_ref_t keyring_ref, 806 const char *type, 807 const char *description, 808 const void *payload, 809 size_t plen, 810 key_perm_t perm, 811 unsigned long flags, 812 bool allow_update) 813 { 814 struct keyring_index_key index_key = { 815 .description = description, 816 }; 817 struct key_preparsed_payload prep; 818 struct assoc_array_edit *edit = NULL; 819 const struct cred *cred = current_cred(); 820 struct key *keyring, *key = NULL; 821 key_ref_t key_ref; 822 int ret; 823 struct key_restriction *restrict_link = NULL; 824 825 /* look up the key type to see if it's one of the registered kernel 826 * types */ 827 index_key.type = key_type_lookup(type); 828 if (IS_ERR(index_key.type)) { 829 key_ref = ERR_PTR(-ENODEV); 830 goto error; 831 } 832 833 key_ref = ERR_PTR(-EINVAL); 834 if (!index_key.type->instantiate || 835 (!index_key.description && !index_key.type->preparse)) 836 goto error_put_type; 837 838 keyring = key_ref_to_ptr(keyring_ref); 839 840 key_check(keyring); 841 842 if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION)) 843 restrict_link = keyring->restrict_link; 844 845 key_ref = ERR_PTR(-ENOTDIR); 846 if (keyring->type != &key_type_keyring) 847 goto error_put_type; 848 849 memset(&prep, 0, sizeof(prep)); 850 prep.orig_description = description; 851 prep.data = payload; 852 prep.datalen = plen; 853 prep.quotalen = index_key.type->def_datalen; 854 prep.expiry = TIME64_MAX; 855 if (index_key.type->preparse) { 856 ret = index_key.type->preparse(&prep); 857 if (ret < 0) { 858 key_ref = ERR_PTR(ret); 859 goto error_free_prep; 860 } 861 if (!index_key.description) 862 index_key.description = prep.description; 863 key_ref = ERR_PTR(-EINVAL); 864 if (!index_key.description) 865 goto error_free_prep; 866 } 867 index_key.desc_len = strlen(index_key.description); 868 key_set_index_key(&index_key); 869 870 ret = __key_link_lock(keyring, &index_key); 871 if (ret < 0) { 872 key_ref = ERR_PTR(ret); 873 goto error_free_prep; 874 } 875 876 ret = __key_link_begin(keyring, &index_key, &edit); 877 if (ret < 0) { 878 key_ref = ERR_PTR(ret); 879 goto error_link_end; 880 } 881 882 if (restrict_link && restrict_link->check) { 883 ret = restrict_link->check(keyring, index_key.type, 884 &prep.payload, restrict_link->key); 885 if (ret < 0) { 886 key_ref = ERR_PTR(ret); 887 goto error_link_end; 888 } 889 } 890 891 /* if we're going to allocate a new key, we're going to have 892 * to modify the keyring */ 893 ret = key_permission(keyring_ref, KEY_NEED_WRITE); 894 if (ret < 0) { 895 key_ref = ERR_PTR(ret); 896 goto error_link_end; 897 } 898 899 /* if it's requested and possible to update this type of key, search 900 * for an existing key of the same type and description in the 901 * destination keyring and update that instead if possible 902 */ 903 if (allow_update) { 904 if (index_key.type->update) { 905 key_ref = find_key_to_update(keyring_ref, &index_key); 906 if (key_ref) 907 goto found_matching_key; 908 } 909 } else { 910 key_ref = find_key_to_update(keyring_ref, &index_key); 911 if (key_ref) { 912 key_ref_put(key_ref); 913 key_ref = ERR_PTR(-EEXIST); 914 goto error_link_end; 915 } 916 } 917 918 /* if the client doesn't provide, decide on the permissions we want */ 919 if (perm == KEY_PERM_UNDEF) { 920 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; 921 perm |= KEY_USR_VIEW; 922 923 if (index_key.type->read) 924 perm |= KEY_POS_READ; 925 926 if (index_key.type == &key_type_keyring || 927 index_key.type->update) 928 perm |= KEY_POS_WRITE; 929 } 930 931 /* allocate a new key */ 932 key = key_alloc(index_key.type, index_key.description, 933 cred->fsuid, cred->fsgid, cred, perm, flags, NULL); 934 if (IS_ERR(key)) { 935 key_ref = ERR_CAST(key); 936 goto error_link_end; 937 } 938 939 /* instantiate it and link it into the target keyring */ 940 ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &edit); 941 if (ret < 0) { 942 key_put(key); 943 key_ref = ERR_PTR(ret); 944 goto error_link_end; 945 } 946 947 security_key_post_create_or_update(keyring, key, payload, plen, flags, 948 true); 949 950 key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); 951 952 error_link_end: 953 __key_link_end(keyring, &index_key, edit); 954 error_free_prep: 955 if (index_key.type->preparse) 956 index_key.type->free_preparse(&prep); 957 error_put_type: 958 key_type_put(index_key.type); 959 error: 960 return key_ref; 961 962 found_matching_key: 963 /* we found a matching key, so we're going to try to update it 964 * - we can drop the locks first as we have the key pinned 965 */ 966 __key_link_end(keyring, &index_key, edit); 967 968 key = key_ref_to_ptr(key_ref); 969 if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) { 970 ret = wait_for_key_construction(key, true); 971 if (ret < 0) { 972 key_ref_put(key_ref); 973 key_ref = ERR_PTR(ret); 974 goto error_free_prep; 975 } 976 } 977 978 key_ref = __key_update(key_ref, &prep); 979 980 if (!IS_ERR(key_ref)) 981 security_key_post_create_or_update(keyring, key, payload, plen, 982 flags, false); 983 984 goto error_free_prep; 985 } 986 987 /** 988 * key_create_or_update - Update or create and instantiate a key. 989 * @keyring_ref: A pointer to the destination keyring with possession flag. 990 * @type: The type of key. 991 * @description: The searchable description for the key. 992 * @payload: The data to use to instantiate or update the key. 993 * @plen: The length of @payload. 994 * @perm: The permissions mask for a new key. 995 * @flags: The quota flags for a new key. 996 * 997 * Search the destination keyring for a key of the same description and if one 998 * is found, update it, otherwise create and instantiate a new one and create a 999 * link to it from that keyring. 1000 * 1001 * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be 1002 * concocted. 1003 * 1004 * Returns a pointer to the new key if successful, -ENODEV if the key type 1005 * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the 1006 * caller isn't permitted to modify the keyring or the LSM did not permit 1007 * creation of the key. 1008 * 1009 * On success, the possession flag from the keyring ref will be tacked on to 1010 * the key ref before it is returned. 1011 */ 1012 key_ref_t key_create_or_update(key_ref_t keyring_ref, 1013 const char *type, 1014 const char *description, 1015 const void *payload, 1016 size_t plen, 1017 key_perm_t perm, 1018 unsigned long flags) 1019 { 1020 return __key_create_or_update(keyring_ref, type, description, payload, 1021 plen, perm, flags, true); 1022 } 1023 EXPORT_SYMBOL(key_create_or_update); 1024 1025 /** 1026 * key_create - Create and instantiate a key. 1027 * @keyring_ref: A pointer to the destination keyring with possession flag. 1028 * @type: The type of key. 1029 * @description: The searchable description for the key. 1030 * @payload: The data to use to instantiate or update the key. 1031 * @plen: The length of @payload. 1032 * @perm: The permissions mask for a new key. 1033 * @flags: The quota flags for a new key. 1034 * 1035 * Create and instantiate a new key and link to it from the destination keyring. 1036 * 1037 * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be 1038 * concocted. 1039 * 1040 * Returns a pointer to the new key if successful, -EEXIST if a key with the 1041 * same description already exists, -ENODEV if the key type wasn't available, 1042 * -ENOTDIR if the keyring wasn't a keyring, -EACCES if the caller isn't 1043 * permitted to modify the keyring or the LSM did not permit creation of the 1044 * key. 1045 * 1046 * On success, the possession flag from the keyring ref will be tacked on to 1047 * the key ref before it is returned. 1048 */ 1049 key_ref_t key_create(key_ref_t keyring_ref, 1050 const char *type, 1051 const char *description, 1052 const void *payload, 1053 size_t plen, 1054 key_perm_t perm, 1055 unsigned long flags) 1056 { 1057 return __key_create_or_update(keyring_ref, type, description, payload, 1058 plen, perm, flags, false); 1059 } 1060 EXPORT_SYMBOL(key_create); 1061 1062 /** 1063 * key_update - Update a key's contents. 1064 * @key_ref: The pointer (plus possession flag) to the key. 1065 * @payload: The data to be used to update the key. 1066 * @plen: The length of @payload. 1067 * 1068 * Attempt to update the contents of a key with the given payload data. The 1069 * caller must be granted Write permission on the key. Negative keys can be 1070 * instantiated by this method. 1071 * 1072 * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key 1073 * type does not support updating. The key type may return other errors. 1074 */ 1075 int key_update(key_ref_t key_ref, const void *payload, size_t plen) 1076 { 1077 struct key_preparsed_payload prep; 1078 struct key *key = key_ref_to_ptr(key_ref); 1079 int ret; 1080 1081 key_check(key); 1082 1083 /* the key must be writable */ 1084 ret = key_permission(key_ref, KEY_NEED_WRITE); 1085 if (ret < 0) 1086 return ret; 1087 1088 /* attempt to update it if supported */ 1089 if (!key->type->update) 1090 return -EOPNOTSUPP; 1091 1092 memset(&prep, 0, sizeof(prep)); 1093 prep.data = payload; 1094 prep.datalen = plen; 1095 prep.quotalen = key->type->def_datalen; 1096 prep.expiry = TIME64_MAX; 1097 if (key->type->preparse) { 1098 ret = key->type->preparse(&prep); 1099 if (ret < 0) 1100 goto error; 1101 } 1102 1103 down_write(&key->sem); 1104 1105 ret = key->type->update(key, &prep); 1106 if (ret == 0) { 1107 /* Updating a negative key positively instantiates it */ 1108 mark_key_instantiated(key, 0); 1109 notify_key(key, NOTIFY_KEY_UPDATED, 0); 1110 } 1111 1112 up_write(&key->sem); 1113 1114 error: 1115 if (key->type->preparse) 1116 key->type->free_preparse(&prep); 1117 return ret; 1118 } 1119 EXPORT_SYMBOL(key_update); 1120 1121 /** 1122 * key_revoke - Revoke a key. 1123 * @key: The key to be revoked. 1124 * 1125 * Mark a key as being revoked and ask the type to free up its resources. The 1126 * revocation timeout is set and the key and all its links will be 1127 * automatically garbage collected after key_gc_delay amount of time if they 1128 * are not manually dealt with first. 1129 */ 1130 void key_revoke(struct key *key) 1131 { 1132 time64_t time; 1133 1134 key_check(key); 1135 1136 /* make sure no one's trying to change or use the key when we mark it 1137 * - we tell lockdep that we might nest because we might be revoking an 1138 * authorisation key whilst holding the sem on a key we've just 1139 * instantiated 1140 */ 1141 down_write_nested(&key->sem, 1); 1142 if (!test_and_set_bit(KEY_FLAG_REVOKED, &key->flags)) { 1143 notify_key(key, NOTIFY_KEY_REVOKED, 0); 1144 if (key->type->revoke) 1145 key->type->revoke(key); 1146 1147 /* set the death time to no more than the expiry time */ 1148 time = ktime_get_real_seconds(); 1149 if (key->revoked_at == 0 || key->revoked_at > time) { 1150 key->revoked_at = time; 1151 key_schedule_gc(key->revoked_at + key_gc_delay); 1152 } 1153 } 1154 1155 up_write(&key->sem); 1156 } 1157 EXPORT_SYMBOL(key_revoke); 1158 1159 /** 1160 * key_invalidate - Invalidate a key. 1161 * @key: The key to be invalidated. 1162 * 1163 * Mark a key as being invalidated and have it cleaned up immediately. The key 1164 * is ignored by all searches and other operations from this point. 1165 */ 1166 void key_invalidate(struct key *key) 1167 { 1168 kenter("%d", key_serial(key)); 1169 1170 key_check(key); 1171 1172 if (!test_bit(KEY_FLAG_INVALIDATED, &key->flags)) { 1173 down_write_nested(&key->sem, 1); 1174 if (!test_and_set_bit(KEY_FLAG_INVALIDATED, &key->flags)) { 1175 notify_key(key, NOTIFY_KEY_INVALIDATED, 0); 1176 key_schedule_gc_links(); 1177 } 1178 up_write(&key->sem); 1179 } 1180 } 1181 EXPORT_SYMBOL(key_invalidate); 1182 1183 /** 1184 * generic_key_instantiate - Simple instantiation of a key from preparsed data 1185 * @key: The key to be instantiated 1186 * @prep: The preparsed data to load. 1187 * 1188 * Instantiate a key from preparsed data. We assume we can just copy the data 1189 * in directly and clear the old pointers. 1190 * 1191 * This can be pointed to directly by the key type instantiate op pointer. 1192 */ 1193 int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep) 1194 { 1195 int ret; 1196 1197 pr_devel("==>%s()\n", __func__); 1198 1199 ret = key_payload_reserve(key, prep->quotalen); 1200 if (ret == 0) { 1201 rcu_assign_keypointer(key, prep->payload.data[0]); 1202 key->payload.data[1] = prep->payload.data[1]; 1203 key->payload.data[2] = prep->payload.data[2]; 1204 key->payload.data[3] = prep->payload.data[3]; 1205 prep->payload.data[0] = NULL; 1206 prep->payload.data[1] = NULL; 1207 prep->payload.data[2] = NULL; 1208 prep->payload.data[3] = NULL; 1209 } 1210 pr_devel("<==%s() = %d\n", __func__, ret); 1211 return ret; 1212 } 1213 EXPORT_SYMBOL(generic_key_instantiate); 1214 1215 /** 1216 * register_key_type - Register a type of key. 1217 * @ktype: The new key type. 1218 * 1219 * Register a new key type. 1220 * 1221 * Returns 0 on success or -EEXIST if a type of this name already exists. 1222 */ 1223 int register_key_type(struct key_type *ktype) 1224 { 1225 struct key_type *p; 1226 int ret; 1227 1228 memset(&ktype->lock_class, 0, sizeof(ktype->lock_class)); 1229 1230 ret = -EEXIST; 1231 down_write(&key_types_sem); 1232 1233 /* disallow key types with the same name */ 1234 list_for_each_entry(p, &key_types_list, link) { 1235 if (strcmp(p->name, ktype->name) == 0) 1236 goto out; 1237 } 1238 1239 /* store the type */ 1240 list_add(&ktype->link, &key_types_list); 1241 1242 pr_notice("Key type %s registered\n", ktype->name); 1243 ret = 0; 1244 1245 out: 1246 up_write(&key_types_sem); 1247 return ret; 1248 } 1249 EXPORT_SYMBOL(register_key_type); 1250 1251 /** 1252 * unregister_key_type - Unregister a type of key. 1253 * @ktype: The key type. 1254 * 1255 * Unregister a key type and mark all the extant keys of this type as dead. 1256 * Those keys of this type are then destroyed to get rid of their payloads and 1257 * they and their links will be garbage collected as soon as possible. 1258 */ 1259 void unregister_key_type(struct key_type *ktype) 1260 { 1261 down_write(&key_types_sem); 1262 list_del_init(&ktype->link); 1263 downgrade_write(&key_types_sem); 1264 key_gc_keytype(ktype); 1265 pr_notice("Key type %s unregistered\n", ktype->name); 1266 up_read(&key_types_sem); 1267 } 1268 EXPORT_SYMBOL(unregister_key_type); 1269 1270 /* 1271 * Initialise the key management state. 1272 */ 1273 void __init key_init(void) 1274 { 1275 /* allocate a slab in which we can store keys */ 1276 key_jar = kmem_cache_create("key_jar", sizeof(struct key), 1277 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); 1278 1279 /* add the special key types */ 1280 list_add_tail(&key_type_keyring.link, &key_types_list); 1281 list_add_tail(&key_type_dead.link, &key_types_list); 1282 list_add_tail(&key_type_user.link, &key_types_list); 1283 list_add_tail(&key_type_logon.link, &key_types_list); 1284 1285 /* record the root user tracking */ 1286 rb_link_node(&root_key_user.node, 1287 NULL, 1288 &key_user_tree.rb_node); 1289 1290 rb_insert_color(&root_key_user.node, 1291 &key_user_tree); 1292 } 1293