1 /* keyctl.c: userspace keyctl operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/syscalls.h> 17 #include <linux/keyctl.h> 18 #include <linux/fs.h> 19 #include <linux/capability.h> 20 #include <linux/err.h> 21 #include <asm/uaccess.h> 22 #include "internal.h" 23 24 /*****************************************************************************/ 25 /* 26 * extract the description of a new key from userspace and either add it as a 27 * new key to the specified keyring or update a matching key in that keyring 28 * - the keyring must be writable 29 * - returns the new key's serial number 30 * - implements add_key() 31 */ 32 asmlinkage long sys_add_key(const char __user *_type, 33 const char __user *_description, 34 const void __user *_payload, 35 size_t plen, 36 key_serial_t ringid) 37 { 38 key_ref_t keyring_ref, key_ref; 39 char type[32], *description; 40 void *payload; 41 long dlen, ret; 42 43 ret = -EINVAL; 44 if (plen > 32767) 45 goto error; 46 47 /* draw all the data into kernel space */ 48 ret = strncpy_from_user(type, _type, sizeof(type) - 1); 49 if (ret < 0) 50 goto error; 51 type[31] = '\0'; 52 53 ret = -EPERM; 54 if (type[0] == '.') 55 goto error; 56 57 ret = -EFAULT; 58 dlen = strnlen_user(_description, PAGE_SIZE - 1); 59 if (dlen <= 0) 60 goto error; 61 62 ret = -EINVAL; 63 if (dlen > PAGE_SIZE - 1) 64 goto error; 65 66 ret = -ENOMEM; 67 description = kmalloc(dlen + 1, GFP_KERNEL); 68 if (!description) 69 goto error; 70 description[dlen] = '\0'; 71 72 ret = -EFAULT; 73 if (copy_from_user(description, _description, dlen) != 0) 74 goto error2; 75 76 /* pull the payload in if one was supplied */ 77 payload = NULL; 78 79 if (_payload) { 80 ret = -ENOMEM; 81 payload = kmalloc(plen, GFP_KERNEL); 82 if (!payload) 83 goto error2; 84 85 ret = -EFAULT; 86 if (copy_from_user(payload, _payload, plen) != 0) 87 goto error3; 88 } 89 90 /* find the target keyring (which must be writable) */ 91 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 92 if (IS_ERR(keyring_ref)) { 93 ret = PTR_ERR(keyring_ref); 94 goto error3; 95 } 96 97 /* create or update the requested key and add it to the target 98 * keyring */ 99 key_ref = key_create_or_update(keyring_ref, type, description, 100 payload, plen, 0); 101 if (!IS_ERR(key_ref)) { 102 ret = key_ref_to_ptr(key_ref)->serial; 103 key_ref_put(key_ref); 104 } 105 else { 106 ret = PTR_ERR(key_ref); 107 } 108 109 key_ref_put(keyring_ref); 110 error3: 111 kfree(payload); 112 error2: 113 kfree(description); 114 error: 115 return ret; 116 117 } /* end sys_add_key() */ 118 119 /*****************************************************************************/ 120 /* 121 * search the process keyrings for a matching key 122 * - nested keyrings may also be searched if they have Search permission 123 * - if a key is found, it will be attached to the destination keyring if 124 * there's one specified 125 * - /sbin/request-key will be invoked if _callout_info is non-NULL 126 * - the _callout_info string will be passed to /sbin/request-key 127 * - if the _callout_info string is empty, it will be rendered as "-" 128 * - implements request_key() 129 */ 130 asmlinkage long sys_request_key(const char __user *_type, 131 const char __user *_description, 132 const char __user *_callout_info, 133 key_serial_t destringid) 134 { 135 struct key_type *ktype; 136 struct key *key; 137 key_ref_t dest_ref; 138 char type[32], *description, *callout_info; 139 long dlen, ret; 140 141 /* pull the type into kernel space */ 142 ret = strncpy_from_user(type, _type, sizeof(type) - 1); 143 if (ret < 0) 144 goto error; 145 type[31] = '\0'; 146 147 ret = -EPERM; 148 if (type[0] == '.') 149 goto error; 150 151 /* pull the description into kernel space */ 152 ret = -EFAULT; 153 dlen = strnlen_user(_description, PAGE_SIZE - 1); 154 if (dlen <= 0) 155 goto error; 156 157 ret = -EINVAL; 158 if (dlen > PAGE_SIZE - 1) 159 goto error; 160 161 ret = -ENOMEM; 162 description = kmalloc(dlen + 1, GFP_KERNEL); 163 if (!description) 164 goto error; 165 description[dlen] = '\0'; 166 167 ret = -EFAULT; 168 if (copy_from_user(description, _description, dlen) != 0) 169 goto error2; 170 171 /* pull the callout info into kernel space */ 172 callout_info = NULL; 173 if (_callout_info) { 174 ret = -EFAULT; 175 dlen = strnlen_user(_callout_info, PAGE_SIZE - 1); 176 if (dlen <= 0) 177 goto error2; 178 179 ret = -EINVAL; 180 if (dlen > PAGE_SIZE - 1) 181 goto error2; 182 183 ret = -ENOMEM; 184 callout_info = kmalloc(dlen + 1, GFP_KERNEL); 185 if (!callout_info) 186 goto error2; 187 callout_info[dlen] = '\0'; 188 189 ret = -EFAULT; 190 if (copy_from_user(callout_info, _callout_info, dlen) != 0) 191 goto error3; 192 } 193 194 /* get the destination keyring if specified */ 195 dest_ref = NULL; 196 if (destringid) { 197 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 198 if (IS_ERR(dest_ref)) { 199 ret = PTR_ERR(dest_ref); 200 goto error3; 201 } 202 } 203 204 /* find the key type */ 205 ktype = key_type_lookup(type); 206 if (IS_ERR(ktype)) { 207 ret = PTR_ERR(ktype); 208 goto error4; 209 } 210 211 /* do the search */ 212 key = request_key_and_link(ktype, description, callout_info, 213 key_ref_to_ptr(dest_ref)); 214 if (IS_ERR(key)) { 215 ret = PTR_ERR(key); 216 goto error5; 217 } 218 219 ret = key->serial; 220 221 key_put(key); 222 error5: 223 key_type_put(ktype); 224 error4: 225 key_ref_put(dest_ref); 226 error3: 227 kfree(callout_info); 228 error2: 229 kfree(description); 230 error: 231 return ret; 232 233 } /* end sys_request_key() */ 234 235 /*****************************************************************************/ 236 /* 237 * get the ID of the specified process keyring 238 * - the keyring must have search permission to be found 239 * - implements keyctl(KEYCTL_GET_KEYRING_ID) 240 */ 241 long keyctl_get_keyring_ID(key_serial_t id, int create) 242 { 243 key_ref_t key_ref; 244 long ret; 245 246 key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); 247 if (IS_ERR(key_ref)) { 248 ret = PTR_ERR(key_ref); 249 goto error; 250 } 251 252 ret = key_ref_to_ptr(key_ref)->serial; 253 key_ref_put(key_ref); 254 error: 255 return ret; 256 257 } /* end keyctl_get_keyring_ID() */ 258 259 /*****************************************************************************/ 260 /* 261 * join the session keyring 262 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING) 263 */ 264 long keyctl_join_session_keyring(const char __user *_name) 265 { 266 char *name; 267 long nlen, ret; 268 269 /* fetch the name from userspace */ 270 name = NULL; 271 if (_name) { 272 ret = -EFAULT; 273 nlen = strnlen_user(_name, PAGE_SIZE - 1); 274 if (nlen <= 0) 275 goto error; 276 277 ret = -EINVAL; 278 if (nlen > PAGE_SIZE - 1) 279 goto error; 280 281 ret = -ENOMEM; 282 name = kmalloc(nlen + 1, GFP_KERNEL); 283 if (!name) 284 goto error; 285 name[nlen] = '\0'; 286 287 ret = -EFAULT; 288 if (copy_from_user(name, _name, nlen) != 0) 289 goto error2; 290 } 291 292 /* join the session */ 293 ret = join_session_keyring(name); 294 295 error2: 296 kfree(name); 297 error: 298 return ret; 299 300 } /* end keyctl_join_session_keyring() */ 301 302 /*****************************************************************************/ 303 /* 304 * update a key's data payload 305 * - the key must be writable 306 * - implements keyctl(KEYCTL_UPDATE) 307 */ 308 long keyctl_update_key(key_serial_t id, 309 const void __user *_payload, 310 size_t plen) 311 { 312 key_ref_t key_ref; 313 void *payload; 314 long ret; 315 316 ret = -EINVAL; 317 if (plen > PAGE_SIZE) 318 goto error; 319 320 /* pull the payload in if one was supplied */ 321 payload = NULL; 322 if (_payload) { 323 ret = -ENOMEM; 324 payload = kmalloc(plen, GFP_KERNEL); 325 if (!payload) 326 goto error; 327 328 ret = -EFAULT; 329 if (copy_from_user(payload, _payload, plen) != 0) 330 goto error2; 331 } 332 333 /* find the target key (which must be writable) */ 334 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 335 if (IS_ERR(key_ref)) { 336 ret = PTR_ERR(key_ref); 337 goto error2; 338 } 339 340 /* update the key */ 341 ret = key_update(key_ref, payload, plen); 342 343 key_ref_put(key_ref); 344 error2: 345 kfree(payload); 346 error: 347 return ret; 348 349 } /* end keyctl_update_key() */ 350 351 /*****************************************************************************/ 352 /* 353 * revoke a key 354 * - the key must be writable 355 * - implements keyctl(KEYCTL_REVOKE) 356 */ 357 long keyctl_revoke_key(key_serial_t id) 358 { 359 key_ref_t key_ref; 360 long ret; 361 362 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 363 if (IS_ERR(key_ref)) { 364 ret = PTR_ERR(key_ref); 365 goto error; 366 } 367 368 key_revoke(key_ref_to_ptr(key_ref)); 369 ret = 0; 370 371 key_ref_put(key_ref); 372 error: 373 return ret; 374 375 } /* end keyctl_revoke_key() */ 376 377 /*****************************************************************************/ 378 /* 379 * clear the specified process keyring 380 * - the keyring must be writable 381 * - implements keyctl(KEYCTL_CLEAR) 382 */ 383 long keyctl_keyring_clear(key_serial_t ringid) 384 { 385 key_ref_t keyring_ref; 386 long ret; 387 388 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 389 if (IS_ERR(keyring_ref)) { 390 ret = PTR_ERR(keyring_ref); 391 goto error; 392 } 393 394 ret = keyring_clear(key_ref_to_ptr(keyring_ref)); 395 396 key_ref_put(keyring_ref); 397 error: 398 return ret; 399 400 } /* end keyctl_keyring_clear() */ 401 402 /*****************************************************************************/ 403 /* 404 * link a key into a keyring 405 * - the keyring must be writable 406 * - the key must be linkable 407 * - implements keyctl(KEYCTL_LINK) 408 */ 409 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 410 { 411 key_ref_t keyring_ref, key_ref; 412 long ret; 413 414 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 415 if (IS_ERR(keyring_ref)) { 416 ret = PTR_ERR(keyring_ref); 417 goto error; 418 } 419 420 key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK); 421 if (IS_ERR(key_ref)) { 422 ret = PTR_ERR(key_ref); 423 goto error2; 424 } 425 426 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 427 428 key_ref_put(key_ref); 429 error2: 430 key_ref_put(keyring_ref); 431 error: 432 return ret; 433 434 } /* end keyctl_keyring_link() */ 435 436 /*****************************************************************************/ 437 /* 438 * unlink the first attachment of a key from a keyring 439 * - the keyring must be writable 440 * - we don't need any permissions on the key 441 * - implements keyctl(KEYCTL_UNLINK) 442 */ 443 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 444 { 445 key_ref_t keyring_ref, key_ref; 446 long ret; 447 448 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); 449 if (IS_ERR(keyring_ref)) { 450 ret = PTR_ERR(keyring_ref); 451 goto error; 452 } 453 454 key_ref = lookup_user_key(NULL, id, 0, 0, 0); 455 if (IS_ERR(key_ref)) { 456 ret = PTR_ERR(key_ref); 457 goto error2; 458 } 459 460 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 461 462 key_ref_put(key_ref); 463 error2: 464 key_ref_put(keyring_ref); 465 error: 466 return ret; 467 468 } /* end keyctl_keyring_unlink() */ 469 470 /*****************************************************************************/ 471 /* 472 * describe a user key 473 * - the key must have view permission 474 * - if there's a buffer, we place up to buflen bytes of data into it 475 * - unless there's an error, we return the amount of description available, 476 * irrespective of how much we may have copied 477 * - the description is formatted thus: 478 * type;uid;gid;perm;description<NUL> 479 * - implements keyctl(KEYCTL_DESCRIBE) 480 */ 481 long keyctl_describe_key(key_serial_t keyid, 482 char __user *buffer, 483 size_t buflen) 484 { 485 struct key *key, *instkey; 486 key_ref_t key_ref; 487 char *tmpbuf; 488 long ret; 489 490 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 491 if (IS_ERR(key_ref)) { 492 /* viewing a key under construction is permitted if we have the 493 * authorisation token handy */ 494 if (PTR_ERR(key_ref) == -EACCES) { 495 instkey = key_get_instantiation_authkey(keyid); 496 if (!IS_ERR(instkey)) { 497 key_put(instkey); 498 key_ref = lookup_user_key(NULL, keyid, 499 0, 1, 0); 500 if (!IS_ERR(key_ref)) 501 goto okay; 502 } 503 } 504 505 ret = PTR_ERR(key_ref); 506 goto error; 507 } 508 509 okay: 510 /* calculate how much description we're going to return */ 511 ret = -ENOMEM; 512 tmpbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); 513 if (!tmpbuf) 514 goto error2; 515 516 key = key_ref_to_ptr(key_ref); 517 518 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 519 "%s;%d;%d;%08x;%s", 520 key_ref_to_ptr(key_ref)->type->name, 521 key_ref_to_ptr(key_ref)->uid, 522 key_ref_to_ptr(key_ref)->gid, 523 key_ref_to_ptr(key_ref)->perm, 524 key_ref_to_ptr(key_ref)->description ? 525 key_ref_to_ptr(key_ref)->description : "" 526 ); 527 528 /* include a NUL char at the end of the data */ 529 if (ret > PAGE_SIZE - 1) 530 ret = PAGE_SIZE - 1; 531 tmpbuf[ret] = 0; 532 ret++; 533 534 /* consider returning the data */ 535 if (buffer && buflen > 0) { 536 if (buflen > ret) 537 buflen = ret; 538 539 if (copy_to_user(buffer, tmpbuf, buflen) != 0) 540 ret = -EFAULT; 541 } 542 543 kfree(tmpbuf); 544 error2: 545 key_ref_put(key_ref); 546 error: 547 return ret; 548 549 } /* end keyctl_describe_key() */ 550 551 /*****************************************************************************/ 552 /* 553 * search the specified keyring for a matching key 554 * - the start keyring must be searchable 555 * - nested keyrings may also be searched if they are searchable 556 * - only keys with search permission may be found 557 * - if a key is found, it will be attached to the destination keyring if 558 * there's one specified 559 * - implements keyctl(KEYCTL_SEARCH) 560 */ 561 long keyctl_keyring_search(key_serial_t ringid, 562 const char __user *_type, 563 const char __user *_description, 564 key_serial_t destringid) 565 { 566 struct key_type *ktype; 567 key_ref_t keyring_ref, key_ref, dest_ref; 568 char type[32], *description; 569 long dlen, ret; 570 571 /* pull the type and description into kernel space */ 572 ret = strncpy_from_user(type, _type, sizeof(type) - 1); 573 if (ret < 0) 574 goto error; 575 type[31] = '\0'; 576 577 ret = -EFAULT; 578 dlen = strnlen_user(_description, PAGE_SIZE - 1); 579 if (dlen <= 0) 580 goto error; 581 582 ret = -EINVAL; 583 if (dlen > PAGE_SIZE - 1) 584 goto error; 585 586 ret = -ENOMEM; 587 description = kmalloc(dlen + 1, GFP_KERNEL); 588 if (!description) 589 goto error; 590 description[dlen] = '\0'; 591 592 ret = -EFAULT; 593 if (copy_from_user(description, _description, dlen) != 0) 594 goto error2; 595 596 /* get the keyring at which to begin the search */ 597 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); 598 if (IS_ERR(keyring_ref)) { 599 ret = PTR_ERR(keyring_ref); 600 goto error2; 601 } 602 603 /* get the destination keyring if specified */ 604 dest_ref = NULL; 605 if (destringid) { 606 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 607 if (IS_ERR(dest_ref)) { 608 ret = PTR_ERR(dest_ref); 609 goto error3; 610 } 611 } 612 613 /* find the key type */ 614 ktype = key_type_lookup(type); 615 if (IS_ERR(ktype)) { 616 ret = PTR_ERR(ktype); 617 goto error4; 618 } 619 620 /* do the search */ 621 key_ref = keyring_search(keyring_ref, ktype, description); 622 if (IS_ERR(key_ref)) { 623 ret = PTR_ERR(key_ref); 624 625 /* treat lack or presence of a negative key the same */ 626 if (ret == -EAGAIN) 627 ret = -ENOKEY; 628 goto error5; 629 } 630 631 /* link the resulting key to the destination keyring if we can */ 632 if (dest_ref) { 633 ret = key_permission(key_ref, KEY_LINK); 634 if (ret < 0) 635 goto error6; 636 637 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 638 if (ret < 0) 639 goto error6; 640 } 641 642 ret = key_ref_to_ptr(key_ref)->serial; 643 644 error6: 645 key_ref_put(key_ref); 646 error5: 647 key_type_put(ktype); 648 error4: 649 key_ref_put(dest_ref); 650 error3: 651 key_ref_put(keyring_ref); 652 error2: 653 kfree(description); 654 error: 655 return ret; 656 657 } /* end keyctl_keyring_search() */ 658 659 /*****************************************************************************/ 660 /* 661 * read a user key's payload 662 * - the keyring must be readable or the key must be searchable from the 663 * process's keyrings 664 * - if there's a buffer, we place up to buflen bytes of data into it 665 * - unless there's an error, we return the amount of data in the key, 666 * irrespective of how much we may have copied 667 * - implements keyctl(KEYCTL_READ) 668 */ 669 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 670 { 671 struct key *key; 672 key_ref_t key_ref; 673 long ret; 674 675 /* find the key first */ 676 key_ref = lookup_user_key(NULL, keyid, 0, 0, 0); 677 if (IS_ERR(key_ref)) { 678 ret = -ENOKEY; 679 goto error; 680 } 681 682 key = key_ref_to_ptr(key_ref); 683 684 /* see if we can read it directly */ 685 ret = key_permission(key_ref, KEY_READ); 686 if (ret == 0) 687 goto can_read_key; 688 if (ret != -EACCES) 689 goto error; 690 691 /* we can't; see if it's searchable from this process's keyrings 692 * - we automatically take account of the fact that it may be 693 * dangling off an instantiation key 694 */ 695 if (!is_key_possessed(key_ref)) { 696 ret = -EACCES; 697 goto error2; 698 } 699 700 /* the key is probably readable - now try to read it */ 701 can_read_key: 702 ret = key_validate(key); 703 if (ret == 0) { 704 ret = -EOPNOTSUPP; 705 if (key->type->read) { 706 /* read the data with the semaphore held (since we 707 * might sleep) */ 708 down_read(&key->sem); 709 ret = key->type->read(key, buffer, buflen); 710 up_read(&key->sem); 711 } 712 } 713 714 error2: 715 key_put(key); 716 error: 717 return ret; 718 719 } /* end keyctl_read_key() */ 720 721 /*****************************************************************************/ 722 /* 723 * change the ownership of a key 724 * - the keyring owned by the changer 725 * - if the uid or gid is -1, then that parameter is not changed 726 * - implements keyctl(KEYCTL_CHOWN) 727 */ 728 long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 729 { 730 struct key *key; 731 key_ref_t key_ref; 732 long ret; 733 734 ret = 0; 735 if (uid == (uid_t) -1 && gid == (gid_t) -1) 736 goto error; 737 738 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 739 if (IS_ERR(key_ref)) { 740 ret = PTR_ERR(key_ref); 741 goto error; 742 } 743 744 key = key_ref_to_ptr(key_ref); 745 746 /* make the changes with the locks held to prevent chown/chown races */ 747 ret = -EACCES; 748 down_write(&key->sem); 749 750 if (!capable(CAP_SYS_ADMIN)) { 751 /* only the sysadmin can chown a key to some other UID */ 752 if (uid != (uid_t) -1 && key->uid != uid) 753 goto no_access; 754 755 /* only the sysadmin can set the key's GID to a group other 756 * than one of those that the current process subscribes to */ 757 if (gid != (gid_t) -1 && gid != key->gid && !in_group_p(gid)) 758 goto no_access; 759 } 760 761 /* change the UID (have to update the quotas) */ 762 if (uid != (uid_t) -1 && uid != key->uid) { 763 /* don't support UID changing yet */ 764 ret = -EOPNOTSUPP; 765 goto no_access; 766 } 767 768 /* change the GID */ 769 if (gid != (gid_t) -1) 770 key->gid = gid; 771 772 ret = 0; 773 774 no_access: 775 up_write(&key->sem); 776 key_put(key); 777 error: 778 return ret; 779 780 } /* end keyctl_chown_key() */ 781 782 /*****************************************************************************/ 783 /* 784 * change the permission mask on a key 785 * - the keyring owned by the changer 786 * - implements keyctl(KEYCTL_SETPERM) 787 */ 788 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 789 { 790 struct key *key; 791 key_ref_t key_ref; 792 long ret; 793 794 ret = -EINVAL; 795 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 796 goto error; 797 798 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 799 if (IS_ERR(key_ref)) { 800 ret = PTR_ERR(key_ref); 801 goto error; 802 } 803 804 key = key_ref_to_ptr(key_ref); 805 806 /* make the changes with the locks held to prevent chown/chmod races */ 807 ret = -EACCES; 808 down_write(&key->sem); 809 810 /* if we're not the sysadmin, we can only change a key that we own */ 811 if (capable(CAP_SYS_ADMIN) || key->uid == current->fsuid) { 812 key->perm = perm; 813 ret = 0; 814 } 815 816 up_write(&key->sem); 817 key_put(key); 818 error: 819 return ret; 820 821 } /* end keyctl_setperm_key() */ 822 823 /*****************************************************************************/ 824 /* 825 * instantiate the key with the specified payload, and, if one is given, link 826 * the key into the keyring 827 */ 828 long keyctl_instantiate_key(key_serial_t id, 829 const void __user *_payload, 830 size_t plen, 831 key_serial_t ringid) 832 { 833 struct request_key_auth *rka; 834 struct key *instkey; 835 key_ref_t keyring_ref; 836 void *payload; 837 long ret; 838 839 ret = -EINVAL; 840 if (plen > 32767) 841 goto error; 842 843 /* the appropriate instantiation authorisation key must have been 844 * assumed before calling this */ 845 ret = -EPERM; 846 instkey = current->request_key_auth; 847 if (!instkey) 848 goto error; 849 850 rka = instkey->payload.data; 851 if (rka->target_key->serial != id) 852 goto error; 853 854 /* pull the payload in if one was supplied */ 855 payload = NULL; 856 857 if (_payload) { 858 ret = -ENOMEM; 859 payload = kmalloc(plen, GFP_KERNEL); 860 if (!payload) 861 goto error; 862 863 ret = -EFAULT; 864 if (copy_from_user(payload, _payload, plen) != 0) 865 goto error2; 866 } 867 868 /* find the destination keyring amongst those belonging to the 869 * requesting task */ 870 keyring_ref = NULL; 871 if (ringid) { 872 keyring_ref = lookup_user_key(rka->context, ringid, 1, 0, 873 KEY_WRITE); 874 if (IS_ERR(keyring_ref)) { 875 ret = PTR_ERR(keyring_ref); 876 goto error2; 877 } 878 } 879 880 /* instantiate the key and link it into a keyring */ 881 ret = key_instantiate_and_link(rka->target_key, payload, plen, 882 key_ref_to_ptr(keyring_ref), instkey); 883 884 key_ref_put(keyring_ref); 885 886 /* discard the assumed authority if it's just been disabled by 887 * instantiation of the key */ 888 if (ret == 0) { 889 key_put(current->request_key_auth); 890 current->request_key_auth = NULL; 891 } 892 893 error2: 894 kfree(payload); 895 error: 896 return ret; 897 898 } /* end keyctl_instantiate_key() */ 899 900 /*****************************************************************************/ 901 /* 902 * negatively instantiate the key with the given timeout (in seconds), and, if 903 * one is given, link the key into the keyring 904 */ 905 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 906 { 907 struct request_key_auth *rka; 908 struct key *instkey; 909 key_ref_t keyring_ref; 910 long ret; 911 912 /* the appropriate instantiation authorisation key must have been 913 * assumed before calling this */ 914 ret = -EPERM; 915 instkey = current->request_key_auth; 916 if (!instkey) 917 goto error; 918 919 rka = instkey->payload.data; 920 if (rka->target_key->serial != id) 921 goto error; 922 923 /* find the destination keyring if present (which must also be 924 * writable) */ 925 keyring_ref = NULL; 926 if (ringid) { 927 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 928 if (IS_ERR(keyring_ref)) { 929 ret = PTR_ERR(keyring_ref); 930 goto error; 931 } 932 } 933 934 /* instantiate the key and link it into a keyring */ 935 ret = key_negate_and_link(rka->target_key, timeout, 936 key_ref_to_ptr(keyring_ref), instkey); 937 938 key_ref_put(keyring_ref); 939 940 /* discard the assumed authority if it's just been disabled by 941 * instantiation of the key */ 942 if (ret == 0) { 943 key_put(current->request_key_auth); 944 current->request_key_auth = NULL; 945 } 946 947 error: 948 return ret; 949 950 } /* end keyctl_negate_key() */ 951 952 /*****************************************************************************/ 953 /* 954 * set the default keyring in which request_key() will cache keys 955 * - return the old setting 956 */ 957 long keyctl_set_reqkey_keyring(int reqkey_defl) 958 { 959 int ret; 960 961 switch (reqkey_defl) { 962 case KEY_REQKEY_DEFL_THREAD_KEYRING: 963 ret = install_thread_keyring(current); 964 if (ret < 0) 965 return ret; 966 goto set; 967 968 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 969 ret = install_process_keyring(current); 970 if (ret < 0) 971 return ret; 972 973 case KEY_REQKEY_DEFL_DEFAULT: 974 case KEY_REQKEY_DEFL_SESSION_KEYRING: 975 case KEY_REQKEY_DEFL_USER_KEYRING: 976 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 977 set: 978 current->jit_keyring = reqkey_defl; 979 980 case KEY_REQKEY_DEFL_NO_CHANGE: 981 return current->jit_keyring; 982 983 case KEY_REQKEY_DEFL_GROUP_KEYRING: 984 default: 985 return -EINVAL; 986 } 987 988 } /* end keyctl_set_reqkey_keyring() */ 989 990 /*****************************************************************************/ 991 /* 992 * set or clear the timeout for a key 993 */ 994 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 995 { 996 struct timespec now; 997 struct key *key; 998 key_ref_t key_ref; 999 time_t expiry; 1000 long ret; 1001 1002 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 1003 if (IS_ERR(key_ref)) { 1004 ret = PTR_ERR(key_ref); 1005 goto error; 1006 } 1007 1008 key = key_ref_to_ptr(key_ref); 1009 1010 /* make the changes with the locks held to prevent races */ 1011 down_write(&key->sem); 1012 1013 expiry = 0; 1014 if (timeout > 0) { 1015 now = current_kernel_time(); 1016 expiry = now.tv_sec + timeout; 1017 } 1018 1019 key->expiry = expiry; 1020 1021 up_write(&key->sem); 1022 key_put(key); 1023 1024 ret = 0; 1025 error: 1026 return ret; 1027 1028 } /* end keyctl_set_timeout() */ 1029 1030 /*****************************************************************************/ 1031 /* 1032 * assume the authority to instantiate the specified key 1033 */ 1034 long keyctl_assume_authority(key_serial_t id) 1035 { 1036 struct key *authkey; 1037 long ret; 1038 1039 /* special key IDs aren't permitted */ 1040 ret = -EINVAL; 1041 if (id < 0) 1042 goto error; 1043 1044 /* we divest ourselves of authority if given an ID of 0 */ 1045 if (id == 0) { 1046 key_put(current->request_key_auth); 1047 current->request_key_auth = NULL; 1048 ret = 0; 1049 goto error; 1050 } 1051 1052 /* attempt to assume the authority temporarily granted to us whilst we 1053 * instantiate the specified key 1054 * - the authorisation key must be in the current task's keyrings 1055 * somewhere 1056 */ 1057 authkey = key_get_instantiation_authkey(id); 1058 if (IS_ERR(authkey)) { 1059 ret = PTR_ERR(authkey); 1060 goto error; 1061 } 1062 1063 key_put(current->request_key_auth); 1064 current->request_key_auth = authkey; 1065 ret = authkey->serial; 1066 1067 error: 1068 return ret; 1069 1070 } /* end keyctl_assume_authority() */ 1071 1072 /*****************************************************************************/ 1073 /* 1074 * the key control system call 1075 */ 1076 asmlinkage long sys_keyctl(int option, unsigned long arg2, unsigned long arg3, 1077 unsigned long arg4, unsigned long arg5) 1078 { 1079 switch (option) { 1080 case KEYCTL_GET_KEYRING_ID: 1081 return keyctl_get_keyring_ID((key_serial_t) arg2, 1082 (int) arg3); 1083 1084 case KEYCTL_JOIN_SESSION_KEYRING: 1085 return keyctl_join_session_keyring((const char __user *) arg2); 1086 1087 case KEYCTL_UPDATE: 1088 return keyctl_update_key((key_serial_t) arg2, 1089 (const void __user *) arg3, 1090 (size_t) arg4); 1091 1092 case KEYCTL_REVOKE: 1093 return keyctl_revoke_key((key_serial_t) arg2); 1094 1095 case KEYCTL_DESCRIBE: 1096 return keyctl_describe_key((key_serial_t) arg2, 1097 (char __user *) arg3, 1098 (unsigned) arg4); 1099 1100 case KEYCTL_CLEAR: 1101 return keyctl_keyring_clear((key_serial_t) arg2); 1102 1103 case KEYCTL_LINK: 1104 return keyctl_keyring_link((key_serial_t) arg2, 1105 (key_serial_t) arg3); 1106 1107 case KEYCTL_UNLINK: 1108 return keyctl_keyring_unlink((key_serial_t) arg2, 1109 (key_serial_t) arg3); 1110 1111 case KEYCTL_SEARCH: 1112 return keyctl_keyring_search((key_serial_t) arg2, 1113 (const char __user *) arg3, 1114 (const char __user *) arg4, 1115 (key_serial_t) arg5); 1116 1117 case KEYCTL_READ: 1118 return keyctl_read_key((key_serial_t) arg2, 1119 (char __user *) arg3, 1120 (size_t) arg4); 1121 1122 case KEYCTL_CHOWN: 1123 return keyctl_chown_key((key_serial_t) arg2, 1124 (uid_t) arg3, 1125 (gid_t) arg4); 1126 1127 case KEYCTL_SETPERM: 1128 return keyctl_setperm_key((key_serial_t) arg2, 1129 (key_perm_t) arg3); 1130 1131 case KEYCTL_INSTANTIATE: 1132 return keyctl_instantiate_key((key_serial_t) arg2, 1133 (const void __user *) arg3, 1134 (size_t) arg4, 1135 (key_serial_t) arg5); 1136 1137 case KEYCTL_NEGATE: 1138 return keyctl_negate_key((key_serial_t) arg2, 1139 (unsigned) arg3, 1140 (key_serial_t) arg4); 1141 1142 case KEYCTL_SET_REQKEY_KEYRING: 1143 return keyctl_set_reqkey_keyring(arg2); 1144 1145 case KEYCTL_SET_TIMEOUT: 1146 return keyctl_set_timeout((key_serial_t) arg2, 1147 (unsigned) arg3); 1148 1149 case KEYCTL_ASSUME_AUTHORITY: 1150 return keyctl_assume_authority((key_serial_t) arg2); 1151 1152 default: 1153 return -EOPNOTSUPP; 1154 } 1155 1156 } /* end sys_keyctl() */ 1157