1 /* Userspace key control operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/syscalls.h> 17 #include <linux/key.h> 18 #include <linux/keyctl.h> 19 #include <linux/fs.h> 20 #include <linux/capability.h> 21 #include <linux/string.h> 22 #include <linux/err.h> 23 #include <linux/vmalloc.h> 24 #include <linux/security.h> 25 #include <linux/uio.h> 26 #include <asm/uaccess.h> 27 #include "internal.h" 28 29 #define KEY_MAX_DESC_SIZE 4096 30 31 static int key_get_type_from_user(char *type, 32 const char __user *_type, 33 unsigned len) 34 { 35 int ret; 36 37 ret = strncpy_from_user(type, _type, len); 38 if (ret < 0) 39 return ret; 40 if (ret == 0 || ret >= len) 41 return -EINVAL; 42 if (type[0] == '.') 43 return -EPERM; 44 type[len - 1] = '\0'; 45 return 0; 46 } 47 48 /* 49 * Extract the description of a new key from userspace and either add it as a 50 * new key to the specified keyring or update a matching key in that keyring. 51 * 52 * If the description is NULL or an empty string, the key type is asked to 53 * generate one from the payload. 54 * 55 * The keyring must be writable so that we can attach the key to it. 56 * 57 * If successful, the new key's serial number is returned, otherwise an error 58 * code is returned. 59 */ 60 SYSCALL_DEFINE5(add_key, const char __user *, _type, 61 const char __user *, _description, 62 const void __user *, _payload, 63 size_t, plen, 64 key_serial_t, ringid) 65 { 66 key_ref_t keyring_ref, key_ref; 67 char type[32], *description; 68 void *payload; 69 long ret; 70 71 ret = -EINVAL; 72 if (plen > 1024 * 1024 - 1) 73 goto error; 74 75 /* draw all the data into kernel space */ 76 ret = key_get_type_from_user(type, _type, sizeof(type)); 77 if (ret < 0) 78 goto error; 79 80 description = NULL; 81 if (_description) { 82 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 83 if (IS_ERR(description)) { 84 ret = PTR_ERR(description); 85 goto error; 86 } 87 if (!*description) { 88 kfree(description); 89 description = NULL; 90 } else if ((description[0] == '.') && 91 (strncmp(type, "keyring", 7) == 0)) { 92 ret = -EPERM; 93 goto error2; 94 } 95 } 96 97 /* pull the payload in if one was supplied */ 98 payload = NULL; 99 100 if (_payload) { 101 ret = -ENOMEM; 102 payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN); 103 if (!payload) { 104 if (plen <= PAGE_SIZE) 105 goto error2; 106 payload = vmalloc(plen); 107 if (!payload) 108 goto error2; 109 } 110 111 ret = -EFAULT; 112 if (copy_from_user(payload, _payload, plen) != 0) 113 goto error3; 114 } 115 116 /* find the target keyring (which must be writable) */ 117 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 118 if (IS_ERR(keyring_ref)) { 119 ret = PTR_ERR(keyring_ref); 120 goto error3; 121 } 122 123 /* create or update the requested key and add it to the target 124 * keyring */ 125 key_ref = key_create_or_update(keyring_ref, type, description, 126 payload, plen, KEY_PERM_UNDEF, 127 KEY_ALLOC_IN_QUOTA); 128 if (!IS_ERR(key_ref)) { 129 ret = key_ref_to_ptr(key_ref)->serial; 130 key_ref_put(key_ref); 131 } 132 else { 133 ret = PTR_ERR(key_ref); 134 } 135 136 key_ref_put(keyring_ref); 137 error3: 138 kvfree(payload); 139 error2: 140 kfree(description); 141 error: 142 return ret; 143 } 144 145 /* 146 * Search the process keyrings and keyring trees linked from those for a 147 * matching key. Keyrings must have appropriate Search permission to be 148 * searched. 149 * 150 * If a key is found, it will be attached to the destination keyring if there's 151 * one specified and the serial number of the key will be returned. 152 * 153 * If no key is found, /sbin/request-key will be invoked if _callout_info is 154 * non-NULL in an attempt to create a key. The _callout_info string will be 155 * passed to /sbin/request-key to aid with completing the request. If the 156 * _callout_info string is "" then it will be changed to "-". 157 */ 158 SYSCALL_DEFINE4(request_key, const char __user *, _type, 159 const char __user *, _description, 160 const char __user *, _callout_info, 161 key_serial_t, destringid) 162 { 163 struct key_type *ktype; 164 struct key *key; 165 key_ref_t dest_ref; 166 size_t callout_len; 167 char type[32], *description, *callout_info; 168 long ret; 169 170 /* pull the type into kernel space */ 171 ret = key_get_type_from_user(type, _type, sizeof(type)); 172 if (ret < 0) 173 goto error; 174 175 /* pull the description into kernel space */ 176 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 177 if (IS_ERR(description)) { 178 ret = PTR_ERR(description); 179 goto error; 180 } 181 182 /* pull the callout info into kernel space */ 183 callout_info = NULL; 184 callout_len = 0; 185 if (_callout_info) { 186 callout_info = strndup_user(_callout_info, PAGE_SIZE); 187 if (IS_ERR(callout_info)) { 188 ret = PTR_ERR(callout_info); 189 goto error2; 190 } 191 callout_len = strlen(callout_info); 192 } 193 194 /* get the destination keyring if specified */ 195 dest_ref = NULL; 196 if (destringid) { 197 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 198 KEY_NEED_WRITE); 199 if (IS_ERR(dest_ref)) { 200 ret = PTR_ERR(dest_ref); 201 goto error3; 202 } 203 } 204 205 /* find the key type */ 206 ktype = key_type_lookup(type); 207 if (IS_ERR(ktype)) { 208 ret = PTR_ERR(ktype); 209 goto error4; 210 } 211 212 /* do the search */ 213 key = request_key_and_link(ktype, description, callout_info, 214 callout_len, NULL, key_ref_to_ptr(dest_ref), 215 KEY_ALLOC_IN_QUOTA); 216 if (IS_ERR(key)) { 217 ret = PTR_ERR(key); 218 goto error5; 219 } 220 221 /* wait for the key to finish being constructed */ 222 ret = wait_for_key_construction(key, 1); 223 if (ret < 0) 224 goto error6; 225 226 ret = key->serial; 227 228 error6: 229 key_put(key); 230 error5: 231 key_type_put(ktype); 232 error4: 233 key_ref_put(dest_ref); 234 error3: 235 kfree(callout_info); 236 error2: 237 kfree(description); 238 error: 239 return ret; 240 } 241 242 /* 243 * Get the ID of the specified process keyring. 244 * 245 * The requested keyring must have search permission to be found. 246 * 247 * If successful, the ID of the requested keyring will be returned. 248 */ 249 long keyctl_get_keyring_ID(key_serial_t id, int create) 250 { 251 key_ref_t key_ref; 252 unsigned long lflags; 253 long ret; 254 255 lflags = create ? KEY_LOOKUP_CREATE : 0; 256 key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH); 257 if (IS_ERR(key_ref)) { 258 ret = PTR_ERR(key_ref); 259 goto error; 260 } 261 262 ret = key_ref_to_ptr(key_ref)->serial; 263 key_ref_put(key_ref); 264 error: 265 return ret; 266 } 267 268 /* 269 * Join a (named) session keyring. 270 * 271 * Create and join an anonymous session keyring or join a named session 272 * keyring, creating it if necessary. A named session keyring must have Search 273 * permission for it to be joined. Session keyrings without this permit will 274 * be skipped over. 275 * 276 * If successful, the ID of the joined session keyring will be returned. 277 */ 278 long keyctl_join_session_keyring(const char __user *_name) 279 { 280 char *name; 281 long ret; 282 283 /* fetch the name from userspace */ 284 name = NULL; 285 if (_name) { 286 name = strndup_user(_name, KEY_MAX_DESC_SIZE); 287 if (IS_ERR(name)) { 288 ret = PTR_ERR(name); 289 goto error; 290 } 291 } 292 293 /* join the session */ 294 ret = join_session_keyring(name); 295 kfree(name); 296 297 error: 298 return ret; 299 } 300 301 /* 302 * Update a key's data payload from the given data. 303 * 304 * The key must grant the caller Write permission and the key type must support 305 * updating for this to work. A negative key can be positively instantiated 306 * with this call. 307 * 308 * If successful, 0 will be returned. If the key type does not support 309 * updating, then -EOPNOTSUPP will be returned. 310 */ 311 long keyctl_update_key(key_serial_t id, 312 const void __user *_payload, 313 size_t plen) 314 { 315 key_ref_t key_ref; 316 void *payload; 317 long ret; 318 319 ret = -EINVAL; 320 if (plen > PAGE_SIZE) 321 goto error; 322 323 /* pull the payload in if one was supplied */ 324 payload = NULL; 325 if (_payload) { 326 ret = -ENOMEM; 327 payload = kmalloc(plen, GFP_KERNEL); 328 if (!payload) 329 goto error; 330 331 ret = -EFAULT; 332 if (copy_from_user(payload, _payload, plen) != 0) 333 goto error2; 334 } 335 336 /* find the target key (which must be writable) */ 337 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 338 if (IS_ERR(key_ref)) { 339 ret = PTR_ERR(key_ref); 340 goto error2; 341 } 342 343 /* update the key */ 344 ret = key_update(key_ref, payload, plen); 345 346 key_ref_put(key_ref); 347 error2: 348 kfree(payload); 349 error: 350 return ret; 351 } 352 353 /* 354 * Revoke a key. 355 * 356 * The key must be grant the caller Write or Setattr permission for this to 357 * work. The key type should give up its quota claim when revoked. The key 358 * and any links to the key will be automatically garbage collected after a 359 * certain amount of time (/proc/sys/kernel/keys/gc_delay). 360 * 361 * Keys with KEY_FLAG_KEEP set should not be revoked. 362 * 363 * If successful, 0 is returned. 364 */ 365 long keyctl_revoke_key(key_serial_t id) 366 { 367 key_ref_t key_ref; 368 struct key *key; 369 long ret; 370 371 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 372 if (IS_ERR(key_ref)) { 373 ret = PTR_ERR(key_ref); 374 if (ret != -EACCES) 375 goto error; 376 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 377 if (IS_ERR(key_ref)) { 378 ret = PTR_ERR(key_ref); 379 goto error; 380 } 381 } 382 383 key = key_ref_to_ptr(key_ref); 384 ret = 0; 385 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 386 ret = -EPERM; 387 else 388 key_revoke(key); 389 390 key_ref_put(key_ref); 391 error: 392 return ret; 393 } 394 395 /* 396 * Invalidate a key. 397 * 398 * The key must be grant the caller Invalidate permission for this to work. 399 * The key and any links to the key will be automatically garbage collected 400 * immediately. 401 * 402 * Keys with KEY_FLAG_KEEP set should not be invalidated. 403 * 404 * If successful, 0 is returned. 405 */ 406 long keyctl_invalidate_key(key_serial_t id) 407 { 408 key_ref_t key_ref; 409 struct key *key; 410 long ret; 411 412 kenter("%d", id); 413 414 key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); 415 if (IS_ERR(key_ref)) { 416 ret = PTR_ERR(key_ref); 417 418 /* Root is permitted to invalidate certain special keys */ 419 if (capable(CAP_SYS_ADMIN)) { 420 key_ref = lookup_user_key(id, 0, 0); 421 if (IS_ERR(key_ref)) 422 goto error; 423 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, 424 &key_ref_to_ptr(key_ref)->flags)) 425 goto invalidate; 426 goto error_put; 427 } 428 429 goto error; 430 } 431 432 invalidate: 433 key = key_ref_to_ptr(key_ref); 434 ret = 0; 435 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 436 ret = -EPERM; 437 else 438 key_invalidate(key); 439 error_put: 440 key_ref_put(key_ref); 441 error: 442 kleave(" = %ld", ret); 443 return ret; 444 } 445 446 /* 447 * Clear the specified keyring, creating an empty process keyring if one of the 448 * special keyring IDs is used. 449 * 450 * The keyring must grant the caller Write permission and not have 451 * KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned. 452 */ 453 long keyctl_keyring_clear(key_serial_t ringid) 454 { 455 key_ref_t keyring_ref; 456 struct key *keyring; 457 long ret; 458 459 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 460 if (IS_ERR(keyring_ref)) { 461 ret = PTR_ERR(keyring_ref); 462 463 /* Root is permitted to invalidate certain special keyrings */ 464 if (capable(CAP_SYS_ADMIN)) { 465 keyring_ref = lookup_user_key(ringid, 0, 0); 466 if (IS_ERR(keyring_ref)) 467 goto error; 468 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, 469 &key_ref_to_ptr(keyring_ref)->flags)) 470 goto clear; 471 goto error_put; 472 } 473 474 goto error; 475 } 476 477 clear: 478 keyring = key_ref_to_ptr(keyring_ref); 479 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 480 ret = -EPERM; 481 else 482 ret = keyring_clear(keyring); 483 error_put: 484 key_ref_put(keyring_ref); 485 error: 486 return ret; 487 } 488 489 /* 490 * Create a link from a keyring to a key if there's no matching key in the 491 * keyring, otherwise replace the link to the matching key with a link to the 492 * new key. 493 * 494 * The key must grant the caller Link permission and the the keyring must grant 495 * the caller Write permission. Furthermore, if an additional link is created, 496 * the keyring's quota will be extended. 497 * 498 * If successful, 0 will be returned. 499 */ 500 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 501 { 502 key_ref_t keyring_ref, key_ref; 503 long ret; 504 505 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 506 if (IS_ERR(keyring_ref)) { 507 ret = PTR_ERR(keyring_ref); 508 goto error; 509 } 510 511 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 512 if (IS_ERR(key_ref)) { 513 ret = PTR_ERR(key_ref); 514 goto error2; 515 } 516 517 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 518 519 key_ref_put(key_ref); 520 error2: 521 key_ref_put(keyring_ref); 522 error: 523 return ret; 524 } 525 526 /* 527 * Unlink a key from a keyring. 528 * 529 * The keyring must grant the caller Write permission for this to work; the key 530 * itself need not grant the caller anything. If the last link to a key is 531 * removed then that key will be scheduled for destruction. 532 * 533 * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. 534 * 535 * If successful, 0 will be returned. 536 */ 537 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 538 { 539 key_ref_t keyring_ref, key_ref; 540 struct key *keyring, *key; 541 long ret; 542 543 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); 544 if (IS_ERR(keyring_ref)) { 545 ret = PTR_ERR(keyring_ref); 546 goto error; 547 } 548 549 key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0); 550 if (IS_ERR(key_ref)) { 551 ret = PTR_ERR(key_ref); 552 goto error2; 553 } 554 555 keyring = key_ref_to_ptr(keyring_ref); 556 key = key_ref_to_ptr(key_ref); 557 if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && 558 test_bit(KEY_FLAG_KEEP, &key->flags)) 559 ret = -EPERM; 560 else 561 ret = key_unlink(keyring, key); 562 563 key_ref_put(key_ref); 564 error2: 565 key_ref_put(keyring_ref); 566 error: 567 return ret; 568 } 569 570 /* 571 * Return a description of a key to userspace. 572 * 573 * The key must grant the caller View permission for this to work. 574 * 575 * If there's a buffer, we place up to buflen bytes of data into it formatted 576 * in the following way: 577 * 578 * type;uid;gid;perm;description<NUL> 579 * 580 * If successful, we return the amount of description available, irrespective 581 * of how much we may have copied into the buffer. 582 */ 583 long keyctl_describe_key(key_serial_t keyid, 584 char __user *buffer, 585 size_t buflen) 586 { 587 struct key *key, *instkey; 588 key_ref_t key_ref; 589 char *infobuf; 590 long ret; 591 int desclen, infolen; 592 593 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 594 if (IS_ERR(key_ref)) { 595 /* viewing a key under construction is permitted if we have the 596 * authorisation token handy */ 597 if (PTR_ERR(key_ref) == -EACCES) { 598 instkey = key_get_instantiation_authkey(keyid); 599 if (!IS_ERR(instkey)) { 600 key_put(instkey); 601 key_ref = lookup_user_key(keyid, 602 KEY_LOOKUP_PARTIAL, 603 0); 604 if (!IS_ERR(key_ref)) 605 goto okay; 606 } 607 } 608 609 ret = PTR_ERR(key_ref); 610 goto error; 611 } 612 613 okay: 614 key = key_ref_to_ptr(key_ref); 615 desclen = strlen(key->description); 616 617 /* calculate how much information we're going to return */ 618 ret = -ENOMEM; 619 infobuf = kasprintf(GFP_KERNEL, 620 "%s;%d;%d;%08x;", 621 key->type->name, 622 from_kuid_munged(current_user_ns(), key->uid), 623 from_kgid_munged(current_user_ns(), key->gid), 624 key->perm); 625 if (!infobuf) 626 goto error2; 627 infolen = strlen(infobuf); 628 ret = infolen + desclen + 1; 629 630 /* consider returning the data */ 631 if (buffer && buflen >= ret) { 632 if (copy_to_user(buffer, infobuf, infolen) != 0 || 633 copy_to_user(buffer + infolen, key->description, 634 desclen + 1) != 0) 635 ret = -EFAULT; 636 } 637 638 kfree(infobuf); 639 error2: 640 key_ref_put(key_ref); 641 error: 642 return ret; 643 } 644 645 /* 646 * Search the specified keyring and any keyrings it links to for a matching 647 * key. Only keyrings that grant the caller Search permission will be searched 648 * (this includes the starting keyring). Only keys with Search permission can 649 * be found. 650 * 651 * If successful, the found key will be linked to the destination keyring if 652 * supplied and the key has Link permission, and the found key ID will be 653 * returned. 654 */ 655 long keyctl_keyring_search(key_serial_t ringid, 656 const char __user *_type, 657 const char __user *_description, 658 key_serial_t destringid) 659 { 660 struct key_type *ktype; 661 key_ref_t keyring_ref, key_ref, dest_ref; 662 char type[32], *description; 663 long ret; 664 665 /* pull the type and description into kernel space */ 666 ret = key_get_type_from_user(type, _type, sizeof(type)); 667 if (ret < 0) 668 goto error; 669 670 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 671 if (IS_ERR(description)) { 672 ret = PTR_ERR(description); 673 goto error; 674 } 675 676 /* get the keyring at which to begin the search */ 677 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH); 678 if (IS_ERR(keyring_ref)) { 679 ret = PTR_ERR(keyring_ref); 680 goto error2; 681 } 682 683 /* get the destination keyring if specified */ 684 dest_ref = NULL; 685 if (destringid) { 686 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 687 KEY_NEED_WRITE); 688 if (IS_ERR(dest_ref)) { 689 ret = PTR_ERR(dest_ref); 690 goto error3; 691 } 692 } 693 694 /* find the key type */ 695 ktype = key_type_lookup(type); 696 if (IS_ERR(ktype)) { 697 ret = PTR_ERR(ktype); 698 goto error4; 699 } 700 701 /* do the search */ 702 key_ref = keyring_search(keyring_ref, ktype, description); 703 if (IS_ERR(key_ref)) { 704 ret = PTR_ERR(key_ref); 705 706 /* treat lack or presence of a negative key the same */ 707 if (ret == -EAGAIN) 708 ret = -ENOKEY; 709 goto error5; 710 } 711 712 /* link the resulting key to the destination keyring if we can */ 713 if (dest_ref) { 714 ret = key_permission(key_ref, KEY_NEED_LINK); 715 if (ret < 0) 716 goto error6; 717 718 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 719 if (ret < 0) 720 goto error6; 721 } 722 723 ret = key_ref_to_ptr(key_ref)->serial; 724 725 error6: 726 key_ref_put(key_ref); 727 error5: 728 key_type_put(ktype); 729 error4: 730 key_ref_put(dest_ref); 731 error3: 732 key_ref_put(keyring_ref); 733 error2: 734 kfree(description); 735 error: 736 return ret; 737 } 738 739 /* 740 * Read a key's payload. 741 * 742 * The key must either grant the caller Read permission, or it must grant the 743 * caller Search permission when searched for from the process keyrings. 744 * 745 * If successful, we place up to buflen bytes of data into the buffer, if one 746 * is provided, and return the amount of data that is available in the key, 747 * irrespective of how much we copied into the buffer. 748 */ 749 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 750 { 751 struct key *key; 752 key_ref_t key_ref; 753 long ret; 754 755 /* find the key first */ 756 key_ref = lookup_user_key(keyid, 0, 0); 757 if (IS_ERR(key_ref)) { 758 ret = -ENOKEY; 759 goto error; 760 } 761 762 key = key_ref_to_ptr(key_ref); 763 764 /* see if we can read it directly */ 765 ret = key_permission(key_ref, KEY_NEED_READ); 766 if (ret == 0) 767 goto can_read_key; 768 if (ret != -EACCES) 769 goto error; 770 771 /* we can't; see if it's searchable from this process's keyrings 772 * - we automatically take account of the fact that it may be 773 * dangling off an instantiation key 774 */ 775 if (!is_key_possessed(key_ref)) { 776 ret = -EACCES; 777 goto error2; 778 } 779 780 /* the key is probably readable - now try to read it */ 781 can_read_key: 782 ret = -EOPNOTSUPP; 783 if (key->type->read) { 784 /* Read the data with the semaphore held (since we might sleep) 785 * to protect against the key being updated or revoked. 786 */ 787 down_read(&key->sem); 788 ret = key_validate(key); 789 if (ret == 0) 790 ret = key->type->read(key, buffer, buflen); 791 up_read(&key->sem); 792 } 793 794 error2: 795 key_put(key); 796 error: 797 return ret; 798 } 799 800 /* 801 * Change the ownership of a key 802 * 803 * The key must grant the caller Setattr permission for this to work, though 804 * the key need not be fully instantiated yet. For the UID to be changed, or 805 * for the GID to be changed to a group the caller is not a member of, the 806 * caller must have sysadmin capability. If either uid or gid is -1 then that 807 * attribute is not changed. 808 * 809 * If the UID is to be changed, the new user must have sufficient quota to 810 * accept the key. The quota deduction will be removed from the old user to 811 * the new user should the attribute be changed. 812 * 813 * If successful, 0 will be returned. 814 */ 815 long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) 816 { 817 struct key_user *newowner, *zapowner = NULL; 818 struct key *key; 819 key_ref_t key_ref; 820 long ret; 821 kuid_t uid; 822 kgid_t gid; 823 824 uid = make_kuid(current_user_ns(), user); 825 gid = make_kgid(current_user_ns(), group); 826 ret = -EINVAL; 827 if ((user != (uid_t) -1) && !uid_valid(uid)) 828 goto error; 829 if ((group != (gid_t) -1) && !gid_valid(gid)) 830 goto error; 831 832 ret = 0; 833 if (user == (uid_t) -1 && group == (gid_t) -1) 834 goto error; 835 836 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 837 KEY_NEED_SETATTR); 838 if (IS_ERR(key_ref)) { 839 ret = PTR_ERR(key_ref); 840 goto error; 841 } 842 843 key = key_ref_to_ptr(key_ref); 844 845 /* make the changes with the locks held to prevent chown/chown races */ 846 ret = -EACCES; 847 down_write(&key->sem); 848 849 if (!capable(CAP_SYS_ADMIN)) { 850 /* only the sysadmin can chown a key to some other UID */ 851 if (user != (uid_t) -1 && !uid_eq(key->uid, uid)) 852 goto error_put; 853 854 /* only the sysadmin can set the key's GID to a group other 855 * than one of those that the current process subscribes to */ 856 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid)) 857 goto error_put; 858 } 859 860 /* change the UID */ 861 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) { 862 ret = -ENOMEM; 863 newowner = key_user_lookup(uid); 864 if (!newowner) 865 goto error_put; 866 867 /* transfer the quota burden to the new user */ 868 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 869 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 870 key_quota_root_maxkeys : key_quota_maxkeys; 871 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 872 key_quota_root_maxbytes : key_quota_maxbytes; 873 874 spin_lock(&newowner->lock); 875 if (newowner->qnkeys + 1 >= maxkeys || 876 newowner->qnbytes + key->quotalen >= maxbytes || 877 newowner->qnbytes + key->quotalen < 878 newowner->qnbytes) 879 goto quota_overrun; 880 881 newowner->qnkeys++; 882 newowner->qnbytes += key->quotalen; 883 spin_unlock(&newowner->lock); 884 885 spin_lock(&key->user->lock); 886 key->user->qnkeys--; 887 key->user->qnbytes -= key->quotalen; 888 spin_unlock(&key->user->lock); 889 } 890 891 atomic_dec(&key->user->nkeys); 892 atomic_inc(&newowner->nkeys); 893 894 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 895 atomic_dec(&key->user->nikeys); 896 atomic_inc(&newowner->nikeys); 897 } 898 899 zapowner = key->user; 900 key->user = newowner; 901 key->uid = uid; 902 } 903 904 /* change the GID */ 905 if (group != (gid_t) -1) 906 key->gid = gid; 907 908 ret = 0; 909 910 error_put: 911 up_write(&key->sem); 912 key_put(key); 913 if (zapowner) 914 key_user_put(zapowner); 915 error: 916 return ret; 917 918 quota_overrun: 919 spin_unlock(&newowner->lock); 920 zapowner = newowner; 921 ret = -EDQUOT; 922 goto error_put; 923 } 924 925 /* 926 * Change the permission mask on a key. 927 * 928 * The key must grant the caller Setattr permission for this to work, though 929 * the key need not be fully instantiated yet. If the caller does not have 930 * sysadmin capability, it may only change the permission on keys that it owns. 931 */ 932 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 933 { 934 struct key *key; 935 key_ref_t key_ref; 936 long ret; 937 938 ret = -EINVAL; 939 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 940 goto error; 941 942 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 943 KEY_NEED_SETATTR); 944 if (IS_ERR(key_ref)) { 945 ret = PTR_ERR(key_ref); 946 goto error; 947 } 948 949 key = key_ref_to_ptr(key_ref); 950 951 /* make the changes with the locks held to prevent chown/chmod races */ 952 ret = -EACCES; 953 down_write(&key->sem); 954 955 /* if we're not the sysadmin, we can only change a key that we own */ 956 if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) { 957 key->perm = perm; 958 ret = 0; 959 } 960 961 up_write(&key->sem); 962 key_put(key); 963 error: 964 return ret; 965 } 966 967 /* 968 * Get the destination keyring for instantiation and check that the caller has 969 * Write permission on it. 970 */ 971 static long get_instantiation_keyring(key_serial_t ringid, 972 struct request_key_auth *rka, 973 struct key **_dest_keyring) 974 { 975 key_ref_t dkref; 976 977 *_dest_keyring = NULL; 978 979 /* just return a NULL pointer if we weren't asked to make a link */ 980 if (ringid == 0) 981 return 0; 982 983 /* if a specific keyring is nominated by ID, then use that */ 984 if (ringid > 0) { 985 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 986 if (IS_ERR(dkref)) 987 return PTR_ERR(dkref); 988 *_dest_keyring = key_ref_to_ptr(dkref); 989 return 0; 990 } 991 992 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 993 return -EINVAL; 994 995 /* otherwise specify the destination keyring recorded in the 996 * authorisation key (any KEY_SPEC_*_KEYRING) */ 997 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 998 *_dest_keyring = key_get(rka->dest_keyring); 999 return 0; 1000 } 1001 1002 return -ENOKEY; 1003 } 1004 1005 /* 1006 * Change the request_key authorisation key on the current process. 1007 */ 1008 static int keyctl_change_reqkey_auth(struct key *key) 1009 { 1010 struct cred *new; 1011 1012 new = prepare_creds(); 1013 if (!new) 1014 return -ENOMEM; 1015 1016 key_put(new->request_key_auth); 1017 new->request_key_auth = key_get(key); 1018 1019 return commit_creds(new); 1020 } 1021 1022 /* 1023 * Instantiate a key with the specified payload and link the key into the 1024 * destination keyring if one is given. 1025 * 1026 * The caller must have the appropriate instantiation permit set for this to 1027 * work (see keyctl_assume_authority). No other permissions are required. 1028 * 1029 * If successful, 0 will be returned. 1030 */ 1031 long keyctl_instantiate_key_common(key_serial_t id, 1032 struct iov_iter *from, 1033 key_serial_t ringid) 1034 { 1035 const struct cred *cred = current_cred(); 1036 struct request_key_auth *rka; 1037 struct key *instkey, *dest_keyring; 1038 size_t plen = from ? iov_iter_count(from) : 0; 1039 void *payload; 1040 long ret; 1041 1042 kenter("%d,,%zu,%d", id, plen, ringid); 1043 1044 if (!plen) 1045 from = NULL; 1046 1047 ret = -EINVAL; 1048 if (plen > 1024 * 1024 - 1) 1049 goto error; 1050 1051 /* the appropriate instantiation authorisation key must have been 1052 * assumed before calling this */ 1053 ret = -EPERM; 1054 instkey = cred->request_key_auth; 1055 if (!instkey) 1056 goto error; 1057 1058 rka = instkey->payload.data[0]; 1059 if (rka->target_key->serial != id) 1060 goto error; 1061 1062 /* pull the payload in if one was supplied */ 1063 payload = NULL; 1064 1065 if (from) { 1066 ret = -ENOMEM; 1067 payload = kmalloc(plen, GFP_KERNEL); 1068 if (!payload) { 1069 if (plen <= PAGE_SIZE) 1070 goto error; 1071 payload = vmalloc(plen); 1072 if (!payload) 1073 goto error; 1074 } 1075 1076 ret = -EFAULT; 1077 if (copy_from_iter(payload, plen, from) != plen) 1078 goto error2; 1079 } 1080 1081 /* find the destination keyring amongst those belonging to the 1082 * requesting task */ 1083 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1084 if (ret < 0) 1085 goto error2; 1086 1087 /* instantiate the key and link it into a keyring */ 1088 ret = key_instantiate_and_link(rka->target_key, payload, plen, 1089 dest_keyring, instkey); 1090 1091 key_put(dest_keyring); 1092 1093 /* discard the assumed authority if it's just been disabled by 1094 * instantiation of the key */ 1095 if (ret == 0) 1096 keyctl_change_reqkey_auth(NULL); 1097 1098 error2: 1099 kvfree(payload); 1100 error: 1101 return ret; 1102 } 1103 1104 /* 1105 * Instantiate a key with the specified payload and link the key into the 1106 * destination keyring if one is given. 1107 * 1108 * The caller must have the appropriate instantiation permit set for this to 1109 * work (see keyctl_assume_authority). No other permissions are required. 1110 * 1111 * If successful, 0 will be returned. 1112 */ 1113 long keyctl_instantiate_key(key_serial_t id, 1114 const void __user *_payload, 1115 size_t plen, 1116 key_serial_t ringid) 1117 { 1118 if (_payload && plen) { 1119 struct iovec iov; 1120 struct iov_iter from; 1121 int ret; 1122 1123 ret = import_single_range(WRITE, (void __user *)_payload, plen, 1124 &iov, &from); 1125 if (unlikely(ret)) 1126 return ret; 1127 1128 return keyctl_instantiate_key_common(id, &from, ringid); 1129 } 1130 1131 return keyctl_instantiate_key_common(id, NULL, ringid); 1132 } 1133 1134 /* 1135 * Instantiate a key with the specified multipart payload and link the key into 1136 * the destination keyring if one is given. 1137 * 1138 * The caller must have the appropriate instantiation permit set for this to 1139 * work (see keyctl_assume_authority). No other permissions are required. 1140 * 1141 * If successful, 0 will be returned. 1142 */ 1143 long keyctl_instantiate_key_iov(key_serial_t id, 1144 const struct iovec __user *_payload_iov, 1145 unsigned ioc, 1146 key_serial_t ringid) 1147 { 1148 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; 1149 struct iov_iter from; 1150 long ret; 1151 1152 if (!_payload_iov) 1153 ioc = 0; 1154 1155 ret = import_iovec(WRITE, _payload_iov, ioc, 1156 ARRAY_SIZE(iovstack), &iov, &from); 1157 if (ret < 0) 1158 return ret; 1159 ret = keyctl_instantiate_key_common(id, &from, ringid); 1160 kfree(iov); 1161 return ret; 1162 } 1163 1164 /* 1165 * Negatively instantiate the key with the given timeout (in seconds) and link 1166 * the key into the destination keyring if one is given. 1167 * 1168 * The caller must have the appropriate instantiation permit set for this to 1169 * work (see keyctl_assume_authority). No other permissions are required. 1170 * 1171 * The key and any links to the key will be automatically garbage collected 1172 * after the timeout expires. 1173 * 1174 * Negative keys are used to rate limit repeated request_key() calls by causing 1175 * them to return -ENOKEY until the negative key expires. 1176 * 1177 * If successful, 0 will be returned. 1178 */ 1179 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 1180 { 1181 return keyctl_reject_key(id, timeout, ENOKEY, ringid); 1182 } 1183 1184 /* 1185 * Negatively instantiate the key with the given timeout (in seconds) and error 1186 * code and link the key into the destination keyring if one is given. 1187 * 1188 * The caller must have the appropriate instantiation permit set for this to 1189 * work (see keyctl_assume_authority). No other permissions are required. 1190 * 1191 * The key and any links to the key will be automatically garbage collected 1192 * after the timeout expires. 1193 * 1194 * Negative keys are used to rate limit repeated request_key() calls by causing 1195 * them to return the specified error code until the negative key expires. 1196 * 1197 * If successful, 0 will be returned. 1198 */ 1199 long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, 1200 key_serial_t ringid) 1201 { 1202 const struct cred *cred = current_cred(); 1203 struct request_key_auth *rka; 1204 struct key *instkey, *dest_keyring; 1205 long ret; 1206 1207 kenter("%d,%u,%u,%d", id, timeout, error, ringid); 1208 1209 /* must be a valid error code and mustn't be a kernel special */ 1210 if (error <= 0 || 1211 error >= MAX_ERRNO || 1212 error == ERESTARTSYS || 1213 error == ERESTARTNOINTR || 1214 error == ERESTARTNOHAND || 1215 error == ERESTART_RESTARTBLOCK) 1216 return -EINVAL; 1217 1218 /* the appropriate instantiation authorisation key must have been 1219 * assumed before calling this */ 1220 ret = -EPERM; 1221 instkey = cred->request_key_auth; 1222 if (!instkey) 1223 goto error; 1224 1225 rka = instkey->payload.data[0]; 1226 if (rka->target_key->serial != id) 1227 goto error; 1228 1229 /* find the destination keyring if present (which must also be 1230 * writable) */ 1231 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1232 if (ret < 0) 1233 goto error; 1234 1235 /* instantiate the key and link it into a keyring */ 1236 ret = key_reject_and_link(rka->target_key, timeout, error, 1237 dest_keyring, instkey); 1238 1239 key_put(dest_keyring); 1240 1241 /* discard the assumed authority if it's just been disabled by 1242 * instantiation of the key */ 1243 if (ret == 0) 1244 keyctl_change_reqkey_auth(NULL); 1245 1246 error: 1247 return ret; 1248 } 1249 1250 /* 1251 * Read or set the default keyring in which request_key() will cache keys and 1252 * return the old setting. 1253 * 1254 * If a process keyring is specified then this will be created if it doesn't 1255 * yet exist. The old setting will be returned if successful. 1256 */ 1257 long keyctl_set_reqkey_keyring(int reqkey_defl) 1258 { 1259 struct cred *new; 1260 int ret, old_setting; 1261 1262 old_setting = current_cred_xxx(jit_keyring); 1263 1264 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1265 return old_setting; 1266 1267 new = prepare_creds(); 1268 if (!new) 1269 return -ENOMEM; 1270 1271 switch (reqkey_defl) { 1272 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1273 ret = install_thread_keyring_to_cred(new); 1274 if (ret < 0) 1275 goto error; 1276 goto set; 1277 1278 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1279 ret = install_process_keyring_to_cred(new); 1280 if (ret < 0) { 1281 if (ret != -EEXIST) 1282 goto error; 1283 ret = 0; 1284 } 1285 goto set; 1286 1287 case KEY_REQKEY_DEFL_DEFAULT: 1288 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1289 case KEY_REQKEY_DEFL_USER_KEYRING: 1290 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1291 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1292 goto set; 1293 1294 case KEY_REQKEY_DEFL_NO_CHANGE: 1295 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1296 default: 1297 ret = -EINVAL; 1298 goto error; 1299 } 1300 1301 set: 1302 new->jit_keyring = reqkey_defl; 1303 commit_creds(new); 1304 return old_setting; 1305 error: 1306 abort_creds(new); 1307 return ret; 1308 } 1309 1310 /* 1311 * Set or clear the timeout on a key. 1312 * 1313 * Either the key must grant the caller Setattr permission or else the caller 1314 * must hold an instantiation authorisation token for the key. 1315 * 1316 * The timeout is either 0 to clear the timeout, or a number of seconds from 1317 * the current time. The key and any links to the key will be automatically 1318 * garbage collected after the timeout expires. 1319 * 1320 * Keys with KEY_FLAG_KEEP set should not be timed out. 1321 * 1322 * If successful, 0 is returned. 1323 */ 1324 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1325 { 1326 struct key *key, *instkey; 1327 key_ref_t key_ref; 1328 long ret; 1329 1330 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1331 KEY_NEED_SETATTR); 1332 if (IS_ERR(key_ref)) { 1333 /* setting the timeout on a key under construction is permitted 1334 * if we have the authorisation token handy */ 1335 if (PTR_ERR(key_ref) == -EACCES) { 1336 instkey = key_get_instantiation_authkey(id); 1337 if (!IS_ERR(instkey)) { 1338 key_put(instkey); 1339 key_ref = lookup_user_key(id, 1340 KEY_LOOKUP_PARTIAL, 1341 0); 1342 if (!IS_ERR(key_ref)) 1343 goto okay; 1344 } 1345 } 1346 1347 ret = PTR_ERR(key_ref); 1348 goto error; 1349 } 1350 1351 okay: 1352 key = key_ref_to_ptr(key_ref); 1353 ret = 0; 1354 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 1355 ret = -EPERM; 1356 else 1357 key_set_timeout(key, timeout); 1358 key_put(key); 1359 1360 error: 1361 return ret; 1362 } 1363 1364 /* 1365 * Assume (or clear) the authority to instantiate the specified key. 1366 * 1367 * This sets the authoritative token currently in force for key instantiation. 1368 * This must be done for a key to be instantiated. It has the effect of making 1369 * available all the keys from the caller of the request_key() that created a 1370 * key to request_key() calls made by the caller of this function. 1371 * 1372 * The caller must have the instantiation key in their process keyrings with a 1373 * Search permission grant available to the caller. 1374 * 1375 * If the ID given is 0, then the setting will be cleared and 0 returned. 1376 * 1377 * If the ID given has a matching an authorisation key, then that key will be 1378 * set and its ID will be returned. The authorisation key can be read to get 1379 * the callout information passed to request_key(). 1380 */ 1381 long keyctl_assume_authority(key_serial_t id) 1382 { 1383 struct key *authkey; 1384 long ret; 1385 1386 /* special key IDs aren't permitted */ 1387 ret = -EINVAL; 1388 if (id < 0) 1389 goto error; 1390 1391 /* we divest ourselves of authority if given an ID of 0 */ 1392 if (id == 0) { 1393 ret = keyctl_change_reqkey_auth(NULL); 1394 goto error; 1395 } 1396 1397 /* attempt to assume the authority temporarily granted to us whilst we 1398 * instantiate the specified key 1399 * - the authorisation key must be in the current task's keyrings 1400 * somewhere 1401 */ 1402 authkey = key_get_instantiation_authkey(id); 1403 if (IS_ERR(authkey)) { 1404 ret = PTR_ERR(authkey); 1405 goto error; 1406 } 1407 1408 ret = keyctl_change_reqkey_auth(authkey); 1409 if (ret < 0) 1410 goto error; 1411 key_put(authkey); 1412 1413 ret = authkey->serial; 1414 error: 1415 return ret; 1416 } 1417 1418 /* 1419 * Get a key's the LSM security label. 1420 * 1421 * The key must grant the caller View permission for this to work. 1422 * 1423 * If there's a buffer, then up to buflen bytes of data will be placed into it. 1424 * 1425 * If successful, the amount of information available will be returned, 1426 * irrespective of how much was copied (including the terminal NUL). 1427 */ 1428 long keyctl_get_security(key_serial_t keyid, 1429 char __user *buffer, 1430 size_t buflen) 1431 { 1432 struct key *key, *instkey; 1433 key_ref_t key_ref; 1434 char *context; 1435 long ret; 1436 1437 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 1438 if (IS_ERR(key_ref)) { 1439 if (PTR_ERR(key_ref) != -EACCES) 1440 return PTR_ERR(key_ref); 1441 1442 /* viewing a key under construction is also permitted if we 1443 * have the authorisation token handy */ 1444 instkey = key_get_instantiation_authkey(keyid); 1445 if (IS_ERR(instkey)) 1446 return PTR_ERR(instkey); 1447 key_put(instkey); 1448 1449 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); 1450 if (IS_ERR(key_ref)) 1451 return PTR_ERR(key_ref); 1452 } 1453 1454 key = key_ref_to_ptr(key_ref); 1455 ret = security_key_getsecurity(key, &context); 1456 if (ret == 0) { 1457 /* if no information was returned, give userspace an empty 1458 * string */ 1459 ret = 1; 1460 if (buffer && buflen > 0 && 1461 copy_to_user(buffer, "", 1) != 0) 1462 ret = -EFAULT; 1463 } else if (ret > 0) { 1464 /* return as much data as there's room for */ 1465 if (buffer && buflen > 0) { 1466 if (buflen > ret) 1467 buflen = ret; 1468 1469 if (copy_to_user(buffer, context, buflen) != 0) 1470 ret = -EFAULT; 1471 } 1472 1473 kfree(context); 1474 } 1475 1476 key_ref_put(key_ref); 1477 return ret; 1478 } 1479 1480 /* 1481 * Attempt to install the calling process's session keyring on the process's 1482 * parent process. 1483 * 1484 * The keyring must exist and must grant the caller LINK permission, and the 1485 * parent process must be single-threaded and must have the same effective 1486 * ownership as this process and mustn't be SUID/SGID. 1487 * 1488 * The keyring will be emplaced on the parent when it next resumes userspace. 1489 * 1490 * If successful, 0 will be returned. 1491 */ 1492 long keyctl_session_to_parent(void) 1493 { 1494 struct task_struct *me, *parent; 1495 const struct cred *mycred, *pcred; 1496 struct callback_head *newwork, *oldwork; 1497 key_ref_t keyring_r; 1498 struct cred *cred; 1499 int ret; 1500 1501 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK); 1502 if (IS_ERR(keyring_r)) 1503 return PTR_ERR(keyring_r); 1504 1505 ret = -ENOMEM; 1506 1507 /* our parent is going to need a new cred struct, a new tgcred struct 1508 * and new security data, so we allocate them here to prevent ENOMEM in 1509 * our parent */ 1510 cred = cred_alloc_blank(); 1511 if (!cred) 1512 goto error_keyring; 1513 newwork = &cred->rcu; 1514 1515 cred->session_keyring = key_ref_to_ptr(keyring_r); 1516 keyring_r = NULL; 1517 init_task_work(newwork, key_change_session_keyring); 1518 1519 me = current; 1520 rcu_read_lock(); 1521 write_lock_irq(&tasklist_lock); 1522 1523 ret = -EPERM; 1524 oldwork = NULL; 1525 parent = me->real_parent; 1526 1527 /* the parent mustn't be init and mustn't be a kernel thread */ 1528 if (parent->pid <= 1 || !parent->mm) 1529 goto unlock; 1530 1531 /* the parent must be single threaded */ 1532 if (!thread_group_empty(parent)) 1533 goto unlock; 1534 1535 /* the parent and the child must have different session keyrings or 1536 * there's no point */ 1537 mycred = current_cred(); 1538 pcred = __task_cred(parent); 1539 if (mycred == pcred || 1540 mycred->session_keyring == pcred->session_keyring) { 1541 ret = 0; 1542 goto unlock; 1543 } 1544 1545 /* the parent must have the same effective ownership and mustn't be 1546 * SUID/SGID */ 1547 if (!uid_eq(pcred->uid, mycred->euid) || 1548 !uid_eq(pcred->euid, mycred->euid) || 1549 !uid_eq(pcred->suid, mycred->euid) || 1550 !gid_eq(pcred->gid, mycred->egid) || 1551 !gid_eq(pcred->egid, mycred->egid) || 1552 !gid_eq(pcred->sgid, mycred->egid)) 1553 goto unlock; 1554 1555 /* the keyrings must have the same UID */ 1556 if ((pcred->session_keyring && 1557 !uid_eq(pcred->session_keyring->uid, mycred->euid)) || 1558 !uid_eq(mycred->session_keyring->uid, mycred->euid)) 1559 goto unlock; 1560 1561 /* cancel an already pending keyring replacement */ 1562 oldwork = task_work_cancel(parent, key_change_session_keyring); 1563 1564 /* the replacement session keyring is applied just prior to userspace 1565 * restarting */ 1566 ret = task_work_add(parent, newwork, true); 1567 if (!ret) 1568 newwork = NULL; 1569 unlock: 1570 write_unlock_irq(&tasklist_lock); 1571 rcu_read_unlock(); 1572 if (oldwork) 1573 put_cred(container_of(oldwork, struct cred, rcu)); 1574 if (newwork) 1575 put_cred(cred); 1576 return ret; 1577 1578 error_keyring: 1579 key_ref_put(keyring_r); 1580 return ret; 1581 } 1582 1583 /* 1584 * The key control system call 1585 */ 1586 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1587 unsigned long, arg4, unsigned long, arg5) 1588 { 1589 switch (option) { 1590 case KEYCTL_GET_KEYRING_ID: 1591 return keyctl_get_keyring_ID((key_serial_t) arg2, 1592 (int) arg3); 1593 1594 case KEYCTL_JOIN_SESSION_KEYRING: 1595 return keyctl_join_session_keyring((const char __user *) arg2); 1596 1597 case KEYCTL_UPDATE: 1598 return keyctl_update_key((key_serial_t) arg2, 1599 (const void __user *) arg3, 1600 (size_t) arg4); 1601 1602 case KEYCTL_REVOKE: 1603 return keyctl_revoke_key((key_serial_t) arg2); 1604 1605 case KEYCTL_DESCRIBE: 1606 return keyctl_describe_key((key_serial_t) arg2, 1607 (char __user *) arg3, 1608 (unsigned) arg4); 1609 1610 case KEYCTL_CLEAR: 1611 return keyctl_keyring_clear((key_serial_t) arg2); 1612 1613 case KEYCTL_LINK: 1614 return keyctl_keyring_link((key_serial_t) arg2, 1615 (key_serial_t) arg3); 1616 1617 case KEYCTL_UNLINK: 1618 return keyctl_keyring_unlink((key_serial_t) arg2, 1619 (key_serial_t) arg3); 1620 1621 case KEYCTL_SEARCH: 1622 return keyctl_keyring_search((key_serial_t) arg2, 1623 (const char __user *) arg3, 1624 (const char __user *) arg4, 1625 (key_serial_t) arg5); 1626 1627 case KEYCTL_READ: 1628 return keyctl_read_key((key_serial_t) arg2, 1629 (char __user *) arg3, 1630 (size_t) arg4); 1631 1632 case KEYCTL_CHOWN: 1633 return keyctl_chown_key((key_serial_t) arg2, 1634 (uid_t) arg3, 1635 (gid_t) arg4); 1636 1637 case KEYCTL_SETPERM: 1638 return keyctl_setperm_key((key_serial_t) arg2, 1639 (key_perm_t) arg3); 1640 1641 case KEYCTL_INSTANTIATE: 1642 return keyctl_instantiate_key((key_serial_t) arg2, 1643 (const void __user *) arg3, 1644 (size_t) arg4, 1645 (key_serial_t) arg5); 1646 1647 case KEYCTL_NEGATE: 1648 return keyctl_negate_key((key_serial_t) arg2, 1649 (unsigned) arg3, 1650 (key_serial_t) arg4); 1651 1652 case KEYCTL_SET_REQKEY_KEYRING: 1653 return keyctl_set_reqkey_keyring(arg2); 1654 1655 case KEYCTL_SET_TIMEOUT: 1656 return keyctl_set_timeout((key_serial_t) arg2, 1657 (unsigned) arg3); 1658 1659 case KEYCTL_ASSUME_AUTHORITY: 1660 return keyctl_assume_authority((key_serial_t) arg2); 1661 1662 case KEYCTL_GET_SECURITY: 1663 return keyctl_get_security((key_serial_t) arg2, 1664 (char __user *) arg3, 1665 (size_t) arg4); 1666 1667 case KEYCTL_SESSION_TO_PARENT: 1668 return keyctl_session_to_parent(); 1669 1670 case KEYCTL_REJECT: 1671 return keyctl_reject_key((key_serial_t) arg2, 1672 (unsigned) arg3, 1673 (unsigned) arg4, 1674 (key_serial_t) arg5); 1675 1676 case KEYCTL_INSTANTIATE_IOV: 1677 return keyctl_instantiate_key_iov( 1678 (key_serial_t) arg2, 1679 (const struct iovec __user *) arg3, 1680 (unsigned) arg4, 1681 (key_serial_t) arg5); 1682 1683 case KEYCTL_INVALIDATE: 1684 return keyctl_invalidate_key((key_serial_t) arg2); 1685 1686 case KEYCTL_GET_PERSISTENT: 1687 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); 1688 1689 default: 1690 return -EOPNOTSUPP; 1691 } 1692 } 1693