1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Basic authentication token and access key management 3 * 4 * Copyright (C) 2004-2008 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/export.h> 9 #include <linux/init.h> 10 #include <linux/poison.h> 11 #include <linux/sched.h> 12 #include <linux/slab.h> 13 #include <linux/security.h> 14 #include <linux/workqueue.h> 15 #include <linux/random.h> 16 #include <linux/err.h> 17 #include "internal.h" 18 19 struct kmem_cache *key_jar; 20 struct rb_root key_serial_tree; /* tree of keys indexed by serial */ 21 DEFINE_SPINLOCK(key_serial_lock); 22 23 struct rb_root key_user_tree; /* tree of quota records indexed by UID */ 24 DEFINE_SPINLOCK(key_user_lock); 25 26 unsigned int key_quota_root_maxkeys = 1000000; /* root's key count quota */ 27 unsigned int key_quota_root_maxbytes = 25000000; /* root's key space quota */ 28 unsigned int key_quota_maxkeys = 200; /* general key count quota */ 29 unsigned int key_quota_maxbytes = 20000; /* general key space quota */ 30 31 static LIST_HEAD(key_types_list); 32 static DECLARE_RWSEM(key_types_sem); 33 34 /* We serialise key instantiation and link */ 35 DEFINE_MUTEX(key_construction_mutex); 36 37 #ifdef KEY_DEBUGGING 38 void __key_check(const struct key *key) 39 { 40 printk("__key_check: key %p {%08x} should be {%08x}\n", 41 key, key->magic, KEY_DEBUG_MAGIC); 42 BUG(); 43 } 44 #endif 45 46 /* 47 * Get the key quota record for a user, allocating a new record if one doesn't 48 * already exist. 49 */ 50 struct key_user *key_user_lookup(kuid_t uid) 51 { 52 struct key_user *candidate = NULL, *user; 53 struct rb_node *parent, **p; 54 55 try_again: 56 parent = NULL; 57 p = &key_user_tree.rb_node; 58 spin_lock(&key_user_lock); 59 60 /* search the tree for a user record with a matching UID */ 61 while (*p) { 62 parent = *p; 63 user = rb_entry(parent, struct key_user, node); 64 65 if (uid_lt(uid, user->uid)) 66 p = &(*p)->rb_left; 67 else if (uid_gt(uid, user->uid)) 68 p = &(*p)->rb_right; 69 else 70 goto found; 71 } 72 73 /* if we get here, we failed to find a match in the tree */ 74 if (!candidate) { 75 /* allocate a candidate user record if we don't already have 76 * one */ 77 spin_unlock(&key_user_lock); 78 79 user = NULL; 80 candidate = kmalloc(sizeof(struct key_user), GFP_KERNEL); 81 if (unlikely(!candidate)) 82 goto out; 83 84 /* the allocation may have scheduled, so we need to repeat the 85 * search lest someone else added the record whilst we were 86 * asleep */ 87 goto try_again; 88 } 89 90 /* if we get here, then the user record still hadn't appeared on the 91 * second pass - so we use the candidate record */ 92 refcount_set(&candidate->usage, 1); 93 atomic_set(&candidate->nkeys, 0); 94 atomic_set(&candidate->nikeys, 0); 95 candidate->uid = uid; 96 candidate->qnkeys = 0; 97 candidate->qnbytes = 0; 98 spin_lock_init(&candidate->lock); 99 mutex_init(&candidate->cons_lock); 100 101 rb_link_node(&candidate->node, parent, p); 102 rb_insert_color(&candidate->node, &key_user_tree); 103 spin_unlock(&key_user_lock); 104 user = candidate; 105 goto out; 106 107 /* okay - we found a user record for this UID */ 108 found: 109 refcount_inc(&user->usage); 110 spin_unlock(&key_user_lock); 111 kfree(candidate); 112 out: 113 return user; 114 } 115 116 /* 117 * Dispose of a user structure 118 */ 119 void key_user_put(struct key_user *user) 120 { 121 if (refcount_dec_and_lock(&user->usage, &key_user_lock)) { 122 rb_erase(&user->node, &key_user_tree); 123 spin_unlock(&key_user_lock); 124 125 kfree(user); 126 } 127 } 128 129 /* 130 * Allocate a serial number for a key. These are assigned randomly to avoid 131 * security issues through covert channel problems. 132 */ 133 static inline void key_alloc_serial(struct key *key) 134 { 135 struct rb_node *parent, **p; 136 struct key *xkey; 137 138 /* propose a random serial number and look for a hole for it in the 139 * serial number tree */ 140 do { 141 get_random_bytes(&key->serial, sizeof(key->serial)); 142 143 key->serial >>= 1; /* negative numbers are not permitted */ 144 } while (key->serial < 3); 145 146 spin_lock(&key_serial_lock); 147 148 attempt_insertion: 149 parent = NULL; 150 p = &key_serial_tree.rb_node; 151 152 while (*p) { 153 parent = *p; 154 xkey = rb_entry(parent, struct key, serial_node); 155 156 if (key->serial < xkey->serial) 157 p = &(*p)->rb_left; 158 else if (key->serial > xkey->serial) 159 p = &(*p)->rb_right; 160 else 161 goto serial_exists; 162 } 163 164 /* we've found a suitable hole - arrange for this key to occupy it */ 165 rb_link_node(&key->serial_node, parent, p); 166 rb_insert_color(&key->serial_node, &key_serial_tree); 167 168 spin_unlock(&key_serial_lock); 169 return; 170 171 /* we found a key with the proposed serial number - walk the tree from 172 * that point looking for the next unused serial number */ 173 serial_exists: 174 for (;;) { 175 key->serial++; 176 if (key->serial < 3) { 177 key->serial = 3; 178 goto attempt_insertion; 179 } 180 181 parent = rb_next(parent); 182 if (!parent) 183 goto attempt_insertion; 184 185 xkey = rb_entry(parent, struct key, serial_node); 186 if (key->serial < xkey->serial) 187 goto attempt_insertion; 188 } 189 } 190 191 /** 192 * key_alloc - Allocate a key of the specified type. 193 * @type: The type of key to allocate. 194 * @desc: The key description to allow the key to be searched out. 195 * @uid: The owner of the new key. 196 * @gid: The group ID for the new key's group permissions. 197 * @cred: The credentials specifying UID namespace. 198 * @perm: The permissions mask of the new key. 199 * @flags: Flags specifying quota properties. 200 * @restrict_link: Optional link restriction for new keyrings. 201 * 202 * Allocate a key of the specified type with the attributes given. The key is 203 * returned in an uninstantiated state and the caller needs to instantiate the 204 * key before returning. 205 * 206 * The restrict_link structure (if not NULL) will be freed when the 207 * keyring is destroyed, so it must be dynamically allocated. 208 * 209 * The user's key count quota is updated to reflect the creation of the key and 210 * the user's key data quota has the default for the key type reserved. The 211 * instantiation function should amend this as necessary. If insufficient 212 * quota is available, -EDQUOT will be returned. 213 * 214 * The LSM security modules can prevent a key being created, in which case 215 * -EACCES will be returned. 216 * 217 * Returns a pointer to the new key if successful and an error code otherwise. 218 * 219 * Note that the caller needs to ensure the key type isn't uninstantiated. 220 * Internally this can be done by locking key_types_sem. Externally, this can 221 * be done by either never unregistering the key type, or making sure 222 * key_alloc() calls don't race with module unloading. 223 */ 224 struct key *key_alloc(struct key_type *type, const char *desc, 225 kuid_t uid, kgid_t gid, const struct cred *cred, 226 key_perm_t perm, unsigned long flags, 227 struct key_restriction *restrict_link) 228 { 229 struct key_user *user = NULL; 230 struct key *key; 231 size_t desclen, quotalen; 232 int ret; 233 unsigned long irqflags; 234 235 key = ERR_PTR(-EINVAL); 236 if (!desc || !*desc) 237 goto error; 238 239 if (type->vet_description) { 240 ret = type->vet_description(desc); 241 if (ret < 0) { 242 key = ERR_PTR(ret); 243 goto error; 244 } 245 } 246 247 desclen = strlen(desc); 248 quotalen = desclen + 1 + type->def_datalen; 249 250 /* get hold of the key tracking for this user */ 251 user = key_user_lookup(uid); 252 if (!user) 253 goto no_memory_1; 254 255 /* check that the user's quota permits allocation of another key and 256 * its description */ 257 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 258 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 259 key_quota_root_maxkeys : key_quota_maxkeys; 260 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 261 key_quota_root_maxbytes : key_quota_maxbytes; 262 263 spin_lock_irqsave(&user->lock, irqflags); 264 if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) { 265 if (user->qnkeys + 1 > maxkeys || 266 user->qnbytes + quotalen > maxbytes || 267 user->qnbytes + quotalen < user->qnbytes) 268 goto no_quota; 269 } 270 271 user->qnkeys++; 272 user->qnbytes += quotalen; 273 spin_unlock_irqrestore(&user->lock, irqflags); 274 } 275 276 /* allocate and initialise the key and its description */ 277 key = kmem_cache_zalloc(key_jar, GFP_KERNEL); 278 if (!key) 279 goto no_memory_2; 280 281 key->index_key.desc_len = desclen; 282 key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL); 283 if (!key->index_key.description) 284 goto no_memory_3; 285 key->index_key.type = type; 286 key_set_index_key(&key->index_key); 287 288 refcount_set(&key->usage, 1); 289 init_rwsem(&key->sem); 290 lockdep_set_class(&key->sem, &type->lock_class); 291 key->user = user; 292 key->quotalen = quotalen; 293 key->datalen = type->def_datalen; 294 key->uid = uid; 295 key->gid = gid; 296 key->perm = perm; 297 key->expiry = TIME64_MAX; 298 key->restrict_link = restrict_link; 299 key->last_used_at = ktime_get_real_seconds(); 300 301 key->flags |= 1 << KEY_FLAG_USER_ALIVE; 302 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) 303 key->flags |= 1 << KEY_FLAG_IN_QUOTA; 304 if (flags & KEY_ALLOC_BUILT_IN) 305 key->flags |= 1 << KEY_FLAG_BUILTIN; 306 if (flags & KEY_ALLOC_UID_KEYRING) 307 key->flags |= 1 << KEY_FLAG_UID_KEYRING; 308 if (flags & KEY_ALLOC_SET_KEEP) 309 key->flags |= 1 << KEY_FLAG_KEEP; 310 311 #ifdef KEY_DEBUGGING 312 key->magic = KEY_DEBUG_MAGIC; 313 #endif 314 315 /* let the security module know about the key */ 316 ret = security_key_alloc(key, cred, flags); 317 if (ret < 0) 318 goto security_error; 319 320 /* publish the key by giving it a serial number */ 321 refcount_inc(&key->domain_tag->usage); 322 atomic_inc(&user->nkeys); 323 key_alloc_serial(key); 324 325 error: 326 return key; 327 328 security_error: 329 kfree(key->description); 330 kmem_cache_free(key_jar, key); 331 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 332 spin_lock_irqsave(&user->lock, irqflags); 333 user->qnkeys--; 334 user->qnbytes -= quotalen; 335 spin_unlock_irqrestore(&user->lock, irqflags); 336 } 337 key_user_put(user); 338 key = ERR_PTR(ret); 339 goto error; 340 341 no_memory_3: 342 kmem_cache_free(key_jar, key); 343 no_memory_2: 344 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) { 345 spin_lock_irqsave(&user->lock, irqflags); 346 user->qnkeys--; 347 user->qnbytes -= quotalen; 348 spin_unlock_irqrestore(&user->lock, irqflags); 349 } 350 key_user_put(user); 351 no_memory_1: 352 key = ERR_PTR(-ENOMEM); 353 goto error; 354 355 no_quota: 356 spin_unlock_irqrestore(&user->lock, irqflags); 357 key_user_put(user); 358 key = ERR_PTR(-EDQUOT); 359 goto error; 360 } 361 EXPORT_SYMBOL(key_alloc); 362 363 /** 364 * key_payload_reserve - Adjust data quota reservation for the key's payload 365 * @key: The key to make the reservation for. 366 * @datalen: The amount of data payload the caller now wants. 367 * 368 * Adjust the amount of the owning user's key data quota that a key reserves. 369 * If the amount is increased, then -EDQUOT may be returned if there isn't 370 * enough free quota available. 371 * 372 * If successful, 0 is returned. 373 */ 374 int key_payload_reserve(struct key *key, size_t datalen) 375 { 376 int delta = (int)datalen - key->datalen; 377 int ret = 0; 378 379 key_check(key); 380 381 /* contemplate the quota adjustment */ 382 if (delta != 0 && test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 383 unsigned maxbytes = uid_eq(key->user->uid, GLOBAL_ROOT_UID) ? 384 key_quota_root_maxbytes : key_quota_maxbytes; 385 unsigned long flags; 386 387 spin_lock_irqsave(&key->user->lock, flags); 388 389 if (delta > 0 && 390 (key->user->qnbytes + delta > maxbytes || 391 key->user->qnbytes + delta < key->user->qnbytes)) { 392 ret = -EDQUOT; 393 } 394 else { 395 key->user->qnbytes += delta; 396 key->quotalen += delta; 397 } 398 spin_unlock_irqrestore(&key->user->lock, flags); 399 } 400 401 /* change the recorded data length if that didn't generate an error */ 402 if (ret == 0) 403 key->datalen = datalen; 404 405 return ret; 406 } 407 EXPORT_SYMBOL(key_payload_reserve); 408 409 /* 410 * Change the key state to being instantiated. 411 */ 412 static void mark_key_instantiated(struct key *key, int reject_error) 413 { 414 /* Commit the payload before setting the state; barrier versus 415 * key_read_state(). 416 */ 417 smp_store_release(&key->state, 418 (reject_error < 0) ? reject_error : KEY_IS_POSITIVE); 419 } 420 421 /* 422 * Instantiate a key and link it into the target keyring atomically. Must be 423 * called with the target keyring's semaphore writelocked. The target key's 424 * semaphore need not be locked as instantiation is serialised by 425 * key_construction_mutex. 426 */ 427 static int __key_instantiate_and_link(struct key *key, 428 struct key_preparsed_payload *prep, 429 struct key *keyring, 430 struct key *authkey, 431 struct assoc_array_edit **_edit) 432 { 433 int ret, awaken; 434 435 key_check(key); 436 key_check(keyring); 437 438 awaken = 0; 439 ret = -EBUSY; 440 441 mutex_lock(&key_construction_mutex); 442 443 /* can't instantiate twice */ 444 if (key->state == KEY_IS_UNINSTANTIATED) { 445 /* instantiate the key */ 446 ret = key->type->instantiate(key, prep); 447 448 if (ret == 0) { 449 /* mark the key as being instantiated */ 450 atomic_inc(&key->user->nikeys); 451 mark_key_instantiated(key, 0); 452 notify_key(key, NOTIFY_KEY_INSTANTIATED, 0); 453 454 if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) 455 awaken = 1; 456 457 /* and link it into the destination keyring */ 458 if (keyring) { 459 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 460 set_bit(KEY_FLAG_KEEP, &key->flags); 461 462 __key_link(keyring, key, _edit); 463 } 464 465 /* disable the authorisation key */ 466 if (authkey) 467 key_invalidate(authkey); 468 469 if (prep->expiry != TIME64_MAX) 470 key_set_expiry(key, prep->expiry); 471 } 472 } 473 474 mutex_unlock(&key_construction_mutex); 475 476 /* wake up anyone waiting for a key to be constructed */ 477 if (awaken) 478 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); 479 480 return ret; 481 } 482 483 /** 484 * key_instantiate_and_link - Instantiate a key and link it into the keyring. 485 * @key: The key to instantiate. 486 * @data: The data to use to instantiate the keyring. 487 * @datalen: The length of @data. 488 * @keyring: Keyring to create a link in on success (or NULL). 489 * @authkey: The authorisation token permitting instantiation. 490 * 491 * Instantiate a key that's in the uninstantiated state using the provided data 492 * and, if successful, link it in to the destination keyring if one is 493 * supplied. 494 * 495 * If successful, 0 is returned, the authorisation token is revoked and anyone 496 * waiting for the key is woken up. If the key was already instantiated, 497 * -EBUSY will be returned. 498 */ 499 int key_instantiate_and_link(struct key *key, 500 const void *data, 501 size_t datalen, 502 struct key *keyring, 503 struct key *authkey) 504 { 505 struct key_preparsed_payload prep; 506 struct assoc_array_edit *edit = NULL; 507 int ret; 508 509 memset(&prep, 0, sizeof(prep)); 510 prep.orig_description = key->description; 511 prep.data = data; 512 prep.datalen = datalen; 513 prep.quotalen = key->type->def_datalen; 514 prep.expiry = TIME64_MAX; 515 if (key->type->preparse) { 516 ret = key->type->preparse(&prep); 517 if (ret < 0) 518 goto error; 519 } 520 521 if (keyring) { 522 ret = __key_link_lock(keyring, &key->index_key); 523 if (ret < 0) 524 goto error; 525 526 ret = __key_link_begin(keyring, &key->index_key, &edit); 527 if (ret < 0) 528 goto error_link_end; 529 530 if (keyring->restrict_link && keyring->restrict_link->check) { 531 struct key_restriction *keyres = keyring->restrict_link; 532 533 ret = keyres->check(keyring, key->type, &prep.payload, 534 keyres->key); 535 if (ret < 0) 536 goto error_link_end; 537 } 538 } 539 540 ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit); 541 542 error_link_end: 543 if (keyring) 544 __key_link_end(keyring, &key->index_key, edit); 545 546 error: 547 if (key->type->preparse) 548 key->type->free_preparse(&prep); 549 return ret; 550 } 551 552 EXPORT_SYMBOL(key_instantiate_and_link); 553 554 /** 555 * key_reject_and_link - Negatively instantiate a key and link it into the keyring. 556 * @key: The key to instantiate. 557 * @timeout: The timeout on the negative key. 558 * @error: The error to return when the key is hit. 559 * @keyring: Keyring to create a link in on success (or NULL). 560 * @authkey: The authorisation token permitting instantiation. 561 * 562 * Negatively instantiate a key that's in the uninstantiated state and, if 563 * successful, set its timeout and stored error and link it in to the 564 * destination keyring if one is supplied. The key and any links to the key 565 * will be automatically garbage collected after the timeout expires. 566 * 567 * Negative keys are used to rate limit repeated request_key() calls by causing 568 * them to return the stored error code (typically ENOKEY) until the negative 569 * key expires. 570 * 571 * If successful, 0 is returned, the authorisation token is revoked and anyone 572 * waiting for the key is woken up. If the key was already instantiated, 573 * -EBUSY will be returned. 574 */ 575 int key_reject_and_link(struct key *key, 576 unsigned timeout, 577 unsigned error, 578 struct key *keyring, 579 struct key *authkey) 580 { 581 struct assoc_array_edit *edit = NULL; 582 int ret, awaken, link_ret = 0; 583 584 key_check(key); 585 key_check(keyring); 586 587 awaken = 0; 588 ret = -EBUSY; 589 590 if (keyring) { 591 if (keyring->restrict_link) 592 return -EPERM; 593 594 link_ret = __key_link_lock(keyring, &key->index_key); 595 if (link_ret == 0) { 596 link_ret = __key_link_begin(keyring, &key->index_key, &edit); 597 if (link_ret < 0) 598 __key_link_end(keyring, &key->index_key, edit); 599 } 600 } 601 602 mutex_lock(&key_construction_mutex); 603 604 /* can't instantiate twice */ 605 if (key->state == KEY_IS_UNINSTANTIATED) { 606 /* mark the key as being negatively instantiated */ 607 atomic_inc(&key->user->nikeys); 608 mark_key_instantiated(key, -error); 609 notify_key(key, NOTIFY_KEY_INSTANTIATED, -error); 610 key_set_expiry(key, ktime_get_real_seconds() + timeout); 611 612 if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) 613 awaken = 1; 614 615 ret = 0; 616 617 /* and link it into the destination keyring */ 618 if (keyring && link_ret == 0) 619 __key_link(keyring, key, &edit); 620 621 /* disable the authorisation key */ 622 if (authkey) 623 key_invalidate(authkey); 624 } 625 626 mutex_unlock(&key_construction_mutex); 627 628 if (keyring && link_ret == 0) 629 __key_link_end(keyring, &key->index_key, edit); 630 631 /* wake up anyone waiting for a key to be constructed */ 632 if (awaken) 633 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); 634 635 return ret == 0 ? link_ret : ret; 636 } 637 EXPORT_SYMBOL(key_reject_and_link); 638 639 /** 640 * key_put - Discard a reference to a key. 641 * @key: The key to discard a reference from. 642 * 643 * Discard a reference to a key, and when all the references are gone, we 644 * schedule the cleanup task to come and pull it out of the tree in process 645 * context at some later time. 646 */ 647 void key_put(struct key *key) 648 { 649 if (key) { 650 key_check(key); 651 652 if (refcount_dec_and_test(&key->usage)) { 653 unsigned long flags; 654 655 /* deal with the user's key tracking and quota */ 656 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 657 spin_lock_irqsave(&key->user->lock, flags); 658 key->user->qnkeys--; 659 key->user->qnbytes -= key->quotalen; 660 spin_unlock_irqrestore(&key->user->lock, flags); 661 } 662 /* Mark key as safe for GC after key->user done. */ 663 clear_bit_unlock(KEY_FLAG_USER_ALIVE, &key->flags); 664 schedule_work(&key_gc_work); 665 } 666 } 667 } 668 EXPORT_SYMBOL(key_put); 669 670 /* 671 * Find a key by its serial number. 672 */ 673 struct key *key_lookup(key_serial_t id) 674 { 675 struct rb_node *n; 676 struct key *key; 677 678 spin_lock(&key_serial_lock); 679 680 /* search the tree for the specified key */ 681 n = key_serial_tree.rb_node; 682 while (n) { 683 key = rb_entry(n, struct key, serial_node); 684 685 if (id < key->serial) 686 n = n->rb_left; 687 else if (id > key->serial) 688 n = n->rb_right; 689 else 690 goto found; 691 } 692 693 not_found: 694 key = ERR_PTR(-ENOKEY); 695 goto error; 696 697 found: 698 /* A key is allowed to be looked up only if someone still owns a 699 * reference to it - otherwise it's awaiting the gc. 700 */ 701 if (!refcount_inc_not_zero(&key->usage)) 702 goto not_found; 703 704 error: 705 spin_unlock(&key_serial_lock); 706 return key; 707 } 708 EXPORT_SYMBOL(key_lookup); 709 710 /* 711 * Find and lock the specified key type against removal. 712 * 713 * We return with the sem read-locked if successful. If the type wasn't 714 * available -ENOKEY is returned instead. 715 */ 716 struct key_type *key_type_lookup(const char *type) 717 { 718 struct key_type *ktype; 719 720 down_read(&key_types_sem); 721 722 /* look up the key type to see if it's one of the registered kernel 723 * types */ 724 list_for_each_entry(ktype, &key_types_list, link) { 725 if (strcmp(ktype->name, type) == 0) 726 goto found_kernel_type; 727 } 728 729 up_read(&key_types_sem); 730 ktype = ERR_PTR(-ENOKEY); 731 732 found_kernel_type: 733 return ktype; 734 } 735 736 void key_set_timeout(struct key *key, unsigned timeout) 737 { 738 time64_t expiry = TIME64_MAX; 739 740 /* make the changes with the locks held to prevent races */ 741 down_write(&key->sem); 742 743 if (timeout > 0) 744 expiry = ktime_get_real_seconds() + timeout; 745 key_set_expiry(key, expiry); 746 747 up_write(&key->sem); 748 } 749 EXPORT_SYMBOL_GPL(key_set_timeout); 750 751 /* 752 * Unlock a key type locked by key_type_lookup(). 753 */ 754 void key_type_put(struct key_type *ktype) 755 { 756 up_read(&key_types_sem); 757 } 758 759 /* 760 * Attempt to update an existing key. 761 * 762 * The key is given to us with an incremented refcount that we need to discard 763 * if we get an error. 764 */ 765 static inline key_ref_t __key_update(key_ref_t key_ref, 766 struct key_preparsed_payload *prep) 767 { 768 struct key *key = key_ref_to_ptr(key_ref); 769 int ret; 770 771 /* need write permission on the key to update it */ 772 ret = key_permission(key_ref, KEY_NEED_WRITE); 773 if (ret < 0) 774 goto error; 775 776 ret = -EEXIST; 777 if (!key->type->update) 778 goto error; 779 780 down_write(&key->sem); 781 782 ret = key->type->update(key, prep); 783 if (ret == 0) { 784 /* Updating a negative key positively instantiates it */ 785 mark_key_instantiated(key, 0); 786 notify_key(key, NOTIFY_KEY_UPDATED, 0); 787 } 788 789 up_write(&key->sem); 790 791 if (ret < 0) 792 goto error; 793 out: 794 return key_ref; 795 796 error: 797 key_put(key); 798 key_ref = ERR_PTR(ret); 799 goto out; 800 } 801 802 /* 803 * Create or potentially update a key. The combined logic behind 804 * key_create_or_update() and key_create() 805 */ 806 static key_ref_t __key_create_or_update(key_ref_t keyring_ref, 807 const char *type, 808 const char *description, 809 const void *payload, 810 size_t plen, 811 key_perm_t perm, 812 unsigned long flags, 813 bool allow_update) 814 { 815 struct keyring_index_key index_key = { 816 .description = description, 817 }; 818 struct key_preparsed_payload prep; 819 struct assoc_array_edit *edit = NULL; 820 const struct cred *cred = current_cred(); 821 struct key *keyring, *key = NULL; 822 key_ref_t key_ref; 823 int ret; 824 struct key_restriction *restrict_link = NULL; 825 826 /* look up the key type to see if it's one of the registered kernel 827 * types */ 828 index_key.type = key_type_lookup(type); 829 if (IS_ERR(index_key.type)) { 830 key_ref = ERR_PTR(-ENODEV); 831 goto error; 832 } 833 834 key_ref = ERR_PTR(-EINVAL); 835 if (!index_key.type->instantiate || 836 (!index_key.description && !index_key.type->preparse)) 837 goto error_put_type; 838 839 keyring = key_ref_to_ptr(keyring_ref); 840 841 key_check(keyring); 842 843 if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION)) 844 restrict_link = keyring->restrict_link; 845 846 key_ref = ERR_PTR(-ENOTDIR); 847 if (keyring->type != &key_type_keyring) 848 goto error_put_type; 849 850 memset(&prep, 0, sizeof(prep)); 851 prep.orig_description = description; 852 prep.data = payload; 853 prep.datalen = plen; 854 prep.quotalen = index_key.type->def_datalen; 855 prep.expiry = TIME64_MAX; 856 if (index_key.type->preparse) { 857 ret = index_key.type->preparse(&prep); 858 if (ret < 0) { 859 key_ref = ERR_PTR(ret); 860 goto error_free_prep; 861 } 862 if (!index_key.description) 863 index_key.description = prep.description; 864 key_ref = ERR_PTR(-EINVAL); 865 if (!index_key.description) 866 goto error_free_prep; 867 } 868 index_key.desc_len = strlen(index_key.description); 869 key_set_index_key(&index_key); 870 871 ret = __key_link_lock(keyring, &index_key); 872 if (ret < 0) { 873 key_ref = ERR_PTR(ret); 874 goto error_free_prep; 875 } 876 877 ret = __key_link_begin(keyring, &index_key, &edit); 878 if (ret < 0) { 879 key_ref = ERR_PTR(ret); 880 goto error_link_end; 881 } 882 883 if (restrict_link && restrict_link->check) { 884 ret = restrict_link->check(keyring, index_key.type, 885 &prep.payload, restrict_link->key); 886 if (ret < 0) { 887 key_ref = ERR_PTR(ret); 888 goto error_link_end; 889 } 890 } 891 892 /* if we're going to allocate a new key, we're going to have 893 * to modify the keyring */ 894 ret = key_permission(keyring_ref, KEY_NEED_WRITE); 895 if (ret < 0) { 896 key_ref = ERR_PTR(ret); 897 goto error_link_end; 898 } 899 900 /* if it's requested and possible to update this type of key, search 901 * for an existing key of the same type and description in the 902 * destination keyring and update that instead if possible 903 */ 904 if (allow_update) { 905 if (index_key.type->update) { 906 key_ref = find_key_to_update(keyring_ref, &index_key); 907 if (key_ref) 908 goto found_matching_key; 909 } 910 } else { 911 key_ref = find_key_to_update(keyring_ref, &index_key); 912 if (key_ref) { 913 key_ref_put(key_ref); 914 key_ref = ERR_PTR(-EEXIST); 915 goto error_link_end; 916 } 917 } 918 919 /* if the client doesn't provide, decide on the permissions we want */ 920 if (perm == KEY_PERM_UNDEF) { 921 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; 922 perm |= KEY_USR_VIEW; 923 924 if (index_key.type->read) 925 perm |= KEY_POS_READ; 926 927 if (index_key.type == &key_type_keyring || 928 index_key.type->update) 929 perm |= KEY_POS_WRITE; 930 } 931 932 /* allocate a new key */ 933 key = key_alloc(index_key.type, index_key.description, 934 cred->fsuid, cred->fsgid, cred, perm, flags, NULL); 935 if (IS_ERR(key)) { 936 key_ref = ERR_CAST(key); 937 goto error_link_end; 938 } 939 940 /* instantiate it and link it into the target keyring */ 941 ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &edit); 942 if (ret < 0) { 943 key_put(key); 944 key_ref = ERR_PTR(ret); 945 goto error_link_end; 946 } 947 948 security_key_post_create_or_update(keyring, key, payload, plen, flags, 949 true); 950 951 key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); 952 953 error_link_end: 954 __key_link_end(keyring, &index_key, edit); 955 error_free_prep: 956 if (index_key.type->preparse) 957 index_key.type->free_preparse(&prep); 958 error_put_type: 959 key_type_put(index_key.type); 960 error: 961 return key_ref; 962 963 found_matching_key: 964 /* we found a matching key, so we're going to try to update it 965 * - we can drop the locks first as we have the key pinned 966 */ 967 __key_link_end(keyring, &index_key, edit); 968 969 key = key_ref_to_ptr(key_ref); 970 if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) { 971 ret = wait_for_key_construction(key, true); 972 if (ret < 0) { 973 key_ref_put(key_ref); 974 key_ref = ERR_PTR(ret); 975 goto error_free_prep; 976 } 977 } 978 979 key_ref = __key_update(key_ref, &prep); 980 981 if (!IS_ERR(key_ref)) 982 security_key_post_create_or_update(keyring, key, payload, plen, 983 flags, false); 984 985 goto error_free_prep; 986 } 987 988 /** 989 * key_create_or_update - Update or create and instantiate a key. 990 * @keyring_ref: A pointer to the destination keyring with possession flag. 991 * @type: The type of key. 992 * @description: The searchable description for the key. 993 * @payload: The data to use to instantiate or update the key. 994 * @plen: The length of @payload. 995 * @perm: The permissions mask for a new key. 996 * @flags: The quota flags for a new key. 997 * 998 * Search the destination keyring for a key of the same description and if one 999 * is found, update it, otherwise create and instantiate a new one and create a 1000 * link to it from that keyring. 1001 * 1002 * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be 1003 * concocted. 1004 * 1005 * Returns a pointer to the new key if successful, -ENODEV if the key type 1006 * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the 1007 * caller isn't permitted to modify the keyring or the LSM did not permit 1008 * creation of the key. 1009 * 1010 * On success, the possession flag from the keyring ref will be tacked on to 1011 * the key ref before it is returned. 1012 */ 1013 key_ref_t key_create_or_update(key_ref_t keyring_ref, 1014 const char *type, 1015 const char *description, 1016 const void *payload, 1017 size_t plen, 1018 key_perm_t perm, 1019 unsigned long flags) 1020 { 1021 return __key_create_or_update(keyring_ref, type, description, payload, 1022 plen, perm, flags, true); 1023 } 1024 EXPORT_SYMBOL(key_create_or_update); 1025 1026 /** 1027 * key_create - Create and instantiate a key. 1028 * @keyring_ref: A pointer to the destination keyring with possession flag. 1029 * @type: The type of key. 1030 * @description: The searchable description for the key. 1031 * @payload: The data to use to instantiate or update the key. 1032 * @plen: The length of @payload. 1033 * @perm: The permissions mask for a new key. 1034 * @flags: The quota flags for a new key. 1035 * 1036 * Create and instantiate a new key and link to it from the destination keyring. 1037 * 1038 * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be 1039 * concocted. 1040 * 1041 * Returns a pointer to the new key if successful, -EEXIST if a key with the 1042 * same description already exists, -ENODEV if the key type wasn't available, 1043 * -ENOTDIR if the keyring wasn't a keyring, -EACCES if the caller isn't 1044 * permitted to modify the keyring or the LSM did not permit creation of the 1045 * key. 1046 * 1047 * On success, the possession flag from the keyring ref will be tacked on to 1048 * the key ref before it is returned. 1049 */ 1050 key_ref_t key_create(key_ref_t keyring_ref, 1051 const char *type, 1052 const char *description, 1053 const void *payload, 1054 size_t plen, 1055 key_perm_t perm, 1056 unsigned long flags) 1057 { 1058 return __key_create_or_update(keyring_ref, type, description, payload, 1059 plen, perm, flags, false); 1060 } 1061 EXPORT_SYMBOL(key_create); 1062 1063 /** 1064 * key_update - Update a key's contents. 1065 * @key_ref: The pointer (plus possession flag) to the key. 1066 * @payload: The data to be used to update the key. 1067 * @plen: The length of @payload. 1068 * 1069 * Attempt to update the contents of a key with the given payload data. The 1070 * caller must be granted Write permission on the key. Negative keys can be 1071 * instantiated by this method. 1072 * 1073 * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key 1074 * type does not support updating. The key type may return other errors. 1075 */ 1076 int key_update(key_ref_t key_ref, const void *payload, size_t plen) 1077 { 1078 struct key_preparsed_payload prep; 1079 struct key *key = key_ref_to_ptr(key_ref); 1080 int ret; 1081 1082 key_check(key); 1083 1084 /* the key must be writable */ 1085 ret = key_permission(key_ref, KEY_NEED_WRITE); 1086 if (ret < 0) 1087 return ret; 1088 1089 /* attempt to update it if supported */ 1090 if (!key->type->update) 1091 return -EOPNOTSUPP; 1092 1093 memset(&prep, 0, sizeof(prep)); 1094 prep.data = payload; 1095 prep.datalen = plen; 1096 prep.quotalen = key->type->def_datalen; 1097 prep.expiry = TIME64_MAX; 1098 if (key->type->preparse) { 1099 ret = key->type->preparse(&prep); 1100 if (ret < 0) 1101 goto error; 1102 } 1103 1104 down_write(&key->sem); 1105 1106 ret = key->type->update(key, &prep); 1107 if (ret == 0) { 1108 /* Updating a negative key positively instantiates it */ 1109 mark_key_instantiated(key, 0); 1110 notify_key(key, NOTIFY_KEY_UPDATED, 0); 1111 } 1112 1113 up_write(&key->sem); 1114 1115 error: 1116 if (key->type->preparse) 1117 key->type->free_preparse(&prep); 1118 return ret; 1119 } 1120 EXPORT_SYMBOL(key_update); 1121 1122 /** 1123 * key_revoke - Revoke a key. 1124 * @key: The key to be revoked. 1125 * 1126 * Mark a key as being revoked and ask the type to free up its resources. The 1127 * revocation timeout is set and the key and all its links will be 1128 * automatically garbage collected after key_gc_delay amount of time if they 1129 * are not manually dealt with first. 1130 */ 1131 void key_revoke(struct key *key) 1132 { 1133 time64_t time; 1134 1135 key_check(key); 1136 1137 /* make sure no one's trying to change or use the key when we mark it 1138 * - we tell lockdep that we might nest because we might be revoking an 1139 * authorisation key whilst holding the sem on a key we've just 1140 * instantiated 1141 */ 1142 down_write_nested(&key->sem, 1); 1143 if (!test_and_set_bit(KEY_FLAG_REVOKED, &key->flags)) { 1144 notify_key(key, NOTIFY_KEY_REVOKED, 0); 1145 if (key->type->revoke) 1146 key->type->revoke(key); 1147 1148 /* set the death time to no more than the expiry time */ 1149 time = ktime_get_real_seconds(); 1150 if (key->revoked_at == 0 || key->revoked_at > time) { 1151 key->revoked_at = time; 1152 key_schedule_gc(key->revoked_at + key_gc_delay); 1153 } 1154 } 1155 1156 up_write(&key->sem); 1157 } 1158 EXPORT_SYMBOL(key_revoke); 1159 1160 /** 1161 * key_invalidate - Invalidate a key. 1162 * @key: The key to be invalidated. 1163 * 1164 * Mark a key as being invalidated and have it cleaned up immediately. The key 1165 * is ignored by all searches and other operations from this point. 1166 */ 1167 void key_invalidate(struct key *key) 1168 { 1169 kenter("%d", key_serial(key)); 1170 1171 key_check(key); 1172 1173 if (!test_bit(KEY_FLAG_INVALIDATED, &key->flags)) { 1174 down_write_nested(&key->sem, 1); 1175 if (!test_and_set_bit(KEY_FLAG_INVALIDATED, &key->flags)) { 1176 notify_key(key, NOTIFY_KEY_INVALIDATED, 0); 1177 key_schedule_gc_links(); 1178 } 1179 up_write(&key->sem); 1180 } 1181 } 1182 EXPORT_SYMBOL(key_invalidate); 1183 1184 /** 1185 * generic_key_instantiate - Simple instantiation of a key from preparsed data 1186 * @key: The key to be instantiated 1187 * @prep: The preparsed data to load. 1188 * 1189 * Instantiate a key from preparsed data. We assume we can just copy the data 1190 * in directly and clear the old pointers. 1191 * 1192 * This can be pointed to directly by the key type instantiate op pointer. 1193 */ 1194 int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep) 1195 { 1196 int ret; 1197 1198 pr_devel("==>%s()\n", __func__); 1199 1200 ret = key_payload_reserve(key, prep->quotalen); 1201 if (ret == 0) { 1202 rcu_assign_keypointer(key, prep->payload.data[0]); 1203 key->payload.data[1] = prep->payload.data[1]; 1204 key->payload.data[2] = prep->payload.data[2]; 1205 key->payload.data[3] = prep->payload.data[3]; 1206 prep->payload.data[0] = NULL; 1207 prep->payload.data[1] = NULL; 1208 prep->payload.data[2] = NULL; 1209 prep->payload.data[3] = NULL; 1210 } 1211 pr_devel("<==%s() = %d\n", __func__, ret); 1212 return ret; 1213 } 1214 EXPORT_SYMBOL(generic_key_instantiate); 1215 1216 /** 1217 * register_key_type - Register a type of key. 1218 * @ktype: The new key type. 1219 * 1220 * Register a new key type. 1221 * 1222 * Returns 0 on success or -EEXIST if a type of this name already exists. 1223 */ 1224 int register_key_type(struct key_type *ktype) 1225 { 1226 struct key_type *p; 1227 int ret; 1228 1229 memset(&ktype->lock_class, 0, sizeof(ktype->lock_class)); 1230 1231 ret = -EEXIST; 1232 down_write(&key_types_sem); 1233 1234 /* disallow key types with the same name */ 1235 list_for_each_entry(p, &key_types_list, link) { 1236 if (strcmp(p->name, ktype->name) == 0) 1237 goto out; 1238 } 1239 1240 /* store the type */ 1241 list_add(&ktype->link, &key_types_list); 1242 1243 pr_notice("Key type %s registered\n", ktype->name); 1244 ret = 0; 1245 1246 out: 1247 up_write(&key_types_sem); 1248 return ret; 1249 } 1250 EXPORT_SYMBOL(register_key_type); 1251 1252 /** 1253 * unregister_key_type - Unregister a type of key. 1254 * @ktype: The key type. 1255 * 1256 * Unregister a key type and mark all the extant keys of this type as dead. 1257 * Those keys of this type are then destroyed to get rid of their payloads and 1258 * they and their links will be garbage collected as soon as possible. 1259 */ 1260 void unregister_key_type(struct key_type *ktype) 1261 { 1262 down_write(&key_types_sem); 1263 list_del_init(&ktype->link); 1264 downgrade_write(&key_types_sem); 1265 key_gc_keytype(ktype); 1266 pr_notice("Key type %s unregistered\n", ktype->name); 1267 up_read(&key_types_sem); 1268 } 1269 EXPORT_SYMBOL(unregister_key_type); 1270 1271 /* 1272 * Initialise the key management state. 1273 */ 1274 void __init key_init(void) 1275 { 1276 /* allocate a slab in which we can store keys */ 1277 key_jar = kmem_cache_create("key_jar", sizeof(struct key), 1278 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); 1279 1280 /* add the special key types */ 1281 list_add_tail(&key_type_keyring.link, &key_types_list); 1282 list_add_tail(&key_type_dead.link, &key_types_list); 1283 list_add_tail(&key_type_user.link, &key_types_list); 1284 list_add_tail(&key_type_logon.link, &key_types_list); 1285 1286 /* record the root user tracking */ 1287 rb_link_node(&root_key_user.node, 1288 NULL, 1289 &key_user_tree.rb_node); 1290 1291 rb_insert_color(&root_key_user.node, 1292 &key_user_tree); 1293 } 1294