1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Userspace key control operations 3 * 4 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/init.h> 9 #include <linux/sched.h> 10 #include <linux/sched/task.h> 11 #include <linux/slab.h> 12 #include <linux/syscalls.h> 13 #include <linux/key.h> 14 #include <linux/keyctl.h> 15 #include <linux/fs.h> 16 #include <linux/capability.h> 17 #include <linux/cred.h> 18 #include <linux/string.h> 19 #include <linux/err.h> 20 #include <linux/vmalloc.h> 21 #include <linux/security.h> 22 #include <linux/uio.h> 23 #include <linux/uaccess.h> 24 #include <keys/request_key_auth-type.h> 25 #include "internal.h" 26 27 #define KEY_MAX_DESC_SIZE 4096 28 29 static const unsigned char keyrings_capabilities[2] = { 30 [0] = (KEYCTL_CAPS0_CAPABILITIES | 31 (IS_ENABLED(CONFIG_PERSISTENT_KEYRINGS) ? KEYCTL_CAPS0_PERSISTENT_KEYRINGS : 0) | 32 (IS_ENABLED(CONFIG_KEY_DH_OPERATIONS) ? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) | 33 (IS_ENABLED(CONFIG_ASYMMETRIC_KEY_TYPE) ? KEYCTL_CAPS0_PUBLIC_KEY : 0) | 34 (IS_ENABLED(CONFIG_BIG_KEYS) ? KEYCTL_CAPS0_BIG_KEY : 0) | 35 KEYCTL_CAPS0_INVALIDATE | 36 KEYCTL_CAPS0_RESTRICT_KEYRING | 37 KEYCTL_CAPS0_MOVE 38 ), 39 [1] = (KEYCTL_CAPS1_NS_KEYRING_NAME | 40 KEYCTL_CAPS1_NS_KEY_TAG | 41 KEYCTL_CAPS1_ACL_ALTERABLE), 42 }; 43 44 static int key_get_type_from_user(char *type, 45 const char __user *_type, 46 unsigned len) 47 { 48 int ret; 49 50 ret = strncpy_from_user(type, _type, len); 51 if (ret < 0) 52 return ret; 53 if (ret == 0 || ret >= len) 54 return -EINVAL; 55 if (type[0] == '.') 56 return -EPERM; 57 type[len - 1] = '\0'; 58 return 0; 59 } 60 61 /* 62 * Extract the description of a new key from userspace and either add it as a 63 * new key to the specified keyring or update a matching key in that keyring. 64 * 65 * If the description is NULL or an empty string, the key type is asked to 66 * generate one from the payload. 67 * 68 * The keyring must be writable so that we can attach the key to it. 69 * 70 * If successful, the new key's serial number is returned, otherwise an error 71 * code is returned. 72 */ 73 SYSCALL_DEFINE5(add_key, const char __user *, _type, 74 const char __user *, _description, 75 const void __user *, _payload, 76 size_t, plen, 77 key_serial_t, ringid) 78 { 79 key_ref_t keyring_ref, key_ref; 80 char type[32], *description; 81 void *payload; 82 long ret; 83 84 ret = -EINVAL; 85 if (plen > 1024 * 1024 - 1) 86 goto error; 87 88 /* draw all the data into kernel space */ 89 ret = key_get_type_from_user(type, _type, sizeof(type)); 90 if (ret < 0) 91 goto error; 92 93 description = NULL; 94 if (_description) { 95 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 96 if (IS_ERR(description)) { 97 ret = PTR_ERR(description); 98 goto error; 99 } 100 if (!*description) { 101 kfree(description); 102 description = NULL; 103 } else if ((description[0] == '.') && 104 (strncmp(type, "keyring", 7) == 0)) { 105 ret = -EPERM; 106 goto error2; 107 } 108 } 109 110 /* pull the payload in if one was supplied */ 111 payload = NULL; 112 113 if (plen) { 114 ret = -ENOMEM; 115 payload = kvmalloc(plen, GFP_KERNEL); 116 if (!payload) 117 goto error2; 118 119 ret = -EFAULT; 120 if (copy_from_user(payload, _payload, plen) != 0) 121 goto error3; 122 } 123 124 /* find the target keyring (which must be writable) */ 125 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 126 if (IS_ERR(keyring_ref)) { 127 ret = PTR_ERR(keyring_ref); 128 goto error3; 129 } 130 131 /* create or update the requested key and add it to the target 132 * keyring */ 133 key_ref = key_create_or_update(keyring_ref, type, description, 134 payload, plen, NULL, KEY_ALLOC_IN_QUOTA); 135 if (!IS_ERR(key_ref)) { 136 ret = key_ref_to_ptr(key_ref)->serial; 137 key_ref_put(key_ref); 138 } 139 else { 140 ret = PTR_ERR(key_ref); 141 } 142 143 key_ref_put(keyring_ref); 144 error3: 145 if (payload) { 146 memzero_explicit(payload, plen); 147 kvfree(payload); 148 } 149 error2: 150 kfree(description); 151 error: 152 return ret; 153 } 154 155 /* 156 * Search the process keyrings and keyring trees linked from those for a 157 * matching key. Keyrings must have appropriate Search permission to be 158 * searched. 159 * 160 * If a key is found, it will be attached to the destination keyring if there's 161 * one specified and the serial number of the key will be returned. 162 * 163 * If no key is found, /sbin/request-key will be invoked if _callout_info is 164 * non-NULL in an attempt to create a key. The _callout_info string will be 165 * passed to /sbin/request-key to aid with completing the request. If the 166 * _callout_info string is "" then it will be changed to "-". 167 */ 168 SYSCALL_DEFINE4(request_key, const char __user *, _type, 169 const char __user *, _description, 170 const char __user *, _callout_info, 171 key_serial_t, destringid) 172 { 173 struct key_type *ktype; 174 struct key *key; 175 key_ref_t dest_ref; 176 size_t callout_len; 177 char type[32], *description, *callout_info; 178 long ret; 179 180 /* pull the type into kernel space */ 181 ret = key_get_type_from_user(type, _type, sizeof(type)); 182 if (ret < 0) 183 goto error; 184 185 /* pull the description into kernel space */ 186 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 187 if (IS_ERR(description)) { 188 ret = PTR_ERR(description); 189 goto error; 190 } 191 192 /* pull the callout info into kernel space */ 193 callout_info = NULL; 194 callout_len = 0; 195 if (_callout_info) { 196 callout_info = strndup_user(_callout_info, PAGE_SIZE); 197 if (IS_ERR(callout_info)) { 198 ret = PTR_ERR(callout_info); 199 goto error2; 200 } 201 callout_len = strlen(callout_info); 202 } 203 204 /* get the destination keyring if specified */ 205 dest_ref = NULL; 206 if (destringid) { 207 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 208 KEY_NEED_WRITE); 209 if (IS_ERR(dest_ref)) { 210 ret = PTR_ERR(dest_ref); 211 goto error3; 212 } 213 } 214 215 /* find the key type */ 216 ktype = key_type_lookup(type); 217 if (IS_ERR(ktype)) { 218 ret = PTR_ERR(ktype); 219 goto error4; 220 } 221 222 /* do the search */ 223 key = request_key_and_link(ktype, description, NULL, callout_info, 224 callout_len, NULL, NULL, 225 key_ref_to_ptr(dest_ref), 226 KEY_ALLOC_IN_QUOTA); 227 if (IS_ERR(key)) { 228 ret = PTR_ERR(key); 229 goto error5; 230 } 231 232 /* wait for the key to finish being constructed */ 233 ret = wait_for_key_construction(key, 1); 234 if (ret < 0) 235 goto error6; 236 237 ret = key->serial; 238 239 error6: 240 key_put(key); 241 error5: 242 key_type_put(ktype); 243 error4: 244 key_ref_put(dest_ref); 245 error3: 246 kfree(callout_info); 247 error2: 248 kfree(description); 249 error: 250 return ret; 251 } 252 253 /* 254 * Get the ID of the specified process keyring. 255 * 256 * The requested keyring must have search permission to be found. 257 * 258 * If successful, the ID of the requested keyring will be returned. 259 */ 260 long keyctl_get_keyring_ID(key_serial_t id, int create) 261 { 262 key_ref_t key_ref; 263 unsigned long lflags; 264 long ret; 265 266 lflags = create ? KEY_LOOKUP_CREATE : 0; 267 key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH); 268 if (IS_ERR(key_ref)) { 269 ret = PTR_ERR(key_ref); 270 goto error; 271 } 272 273 ret = key_ref_to_ptr(key_ref)->serial; 274 key_ref_put(key_ref); 275 error: 276 return ret; 277 } 278 279 /* 280 * Join a (named) session keyring. 281 * 282 * Create and join an anonymous session keyring or join a named session 283 * keyring, creating it if necessary. A named session keyring must have Search 284 * permission for it to be joined. Session keyrings without this permit will 285 * be skipped over. It is not permitted for userspace to create or join 286 * keyrings whose name begin with a dot. 287 * 288 * If successful, the ID of the joined session keyring will be returned. 289 */ 290 long keyctl_join_session_keyring(const char __user *_name) 291 { 292 char *name; 293 long ret; 294 295 /* fetch the name from userspace */ 296 name = NULL; 297 if (_name) { 298 name = strndup_user(_name, KEY_MAX_DESC_SIZE); 299 if (IS_ERR(name)) { 300 ret = PTR_ERR(name); 301 goto error; 302 } 303 304 ret = -EPERM; 305 if (name[0] == '.') 306 goto error_name; 307 } 308 309 /* join the session */ 310 ret = join_session_keyring(name); 311 error_name: 312 kfree(name); 313 error: 314 return ret; 315 } 316 317 /* 318 * Update a key's data payload from the given data. 319 * 320 * The key must grant the caller Write permission and the key type must support 321 * updating for this to work. A negative key can be positively instantiated 322 * with this call. 323 * 324 * If successful, 0 will be returned. If the key type does not support 325 * updating, then -EOPNOTSUPP will be returned. 326 */ 327 long keyctl_update_key(key_serial_t id, 328 const void __user *_payload, 329 size_t plen) 330 { 331 key_ref_t key_ref; 332 void *payload; 333 long ret; 334 335 ret = -EINVAL; 336 if (plen > PAGE_SIZE) 337 goto error; 338 339 /* pull the payload in if one was supplied */ 340 payload = NULL; 341 if (plen) { 342 ret = -ENOMEM; 343 payload = kmalloc(plen, GFP_KERNEL); 344 if (!payload) 345 goto error; 346 347 ret = -EFAULT; 348 if (copy_from_user(payload, _payload, plen) != 0) 349 goto error2; 350 } 351 352 /* find the target key (which must be writable) */ 353 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 354 if (IS_ERR(key_ref)) { 355 ret = PTR_ERR(key_ref); 356 goto error2; 357 } 358 359 /* update the key */ 360 ret = key_update(key_ref, payload, plen); 361 362 key_ref_put(key_ref); 363 error2: 364 kzfree(payload); 365 error: 366 return ret; 367 } 368 369 /* 370 * Revoke a key. 371 * 372 * The key must be grant the caller Write or Setattr permission for this to 373 * work. The key type should give up its quota claim when revoked. The key 374 * and any links to the key will be automatically garbage collected after a 375 * certain amount of time (/proc/sys/kernel/keys/gc_delay). 376 * 377 * Keys with KEY_FLAG_KEEP set should not be revoked. 378 * 379 * If successful, 0 is returned. 380 */ 381 long keyctl_revoke_key(key_serial_t id) 382 { 383 key_ref_t key_ref; 384 struct key *key; 385 long ret; 386 387 key_ref = lookup_user_key(id, 0, KEY_NEED_REVOKE); 388 if (IS_ERR(key_ref)) { 389 ret = PTR_ERR(key_ref); 390 goto error; 391 } 392 393 key = key_ref_to_ptr(key_ref); 394 ret = 0; 395 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 396 ret = -EPERM; 397 else 398 key_revoke(key); 399 400 key_ref_put(key_ref); 401 error: 402 return ret; 403 } 404 405 /* 406 * Invalidate a key. 407 * 408 * The key must be grant the caller Invalidate permission for this to work. 409 * The key and any links to the key will be automatically garbage collected 410 * immediately. 411 * 412 * Keys with KEY_FLAG_KEEP set should not be invalidated. 413 * 414 * If successful, 0 is returned. 415 */ 416 long keyctl_invalidate_key(key_serial_t id) 417 { 418 key_ref_t key_ref; 419 struct key *key; 420 long ret; 421 422 kenter("%d", id); 423 424 key_ref = lookup_user_key(id, 0, KEY_NEED_INVAL); 425 if (IS_ERR(key_ref)) { 426 ret = PTR_ERR(key_ref); 427 428 /* Root is permitted to invalidate certain special keys */ 429 if (capable(CAP_SYS_ADMIN)) { 430 key_ref = lookup_user_key(id, 0, 0); 431 if (IS_ERR(key_ref)) 432 goto error; 433 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, 434 &key_ref_to_ptr(key_ref)->flags)) 435 goto invalidate; 436 goto error_put; 437 } 438 439 goto error; 440 } 441 442 invalidate: 443 key = key_ref_to_ptr(key_ref); 444 ret = 0; 445 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 446 ret = -EPERM; 447 else 448 key_invalidate(key); 449 error_put: 450 key_ref_put(key_ref); 451 error: 452 kleave(" = %ld", ret); 453 return ret; 454 } 455 456 /* 457 * Clear the specified keyring, creating an empty process keyring if one of the 458 * special keyring IDs is used. 459 * 460 * The keyring must grant the caller Write permission and not have 461 * KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned. 462 */ 463 long keyctl_keyring_clear(key_serial_t ringid) 464 { 465 key_ref_t keyring_ref; 466 struct key *keyring; 467 long ret; 468 469 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_CLEAR); 470 if (IS_ERR(keyring_ref)) { 471 ret = PTR_ERR(keyring_ref); 472 473 /* Root is permitted to invalidate certain special keyrings */ 474 if (capable(CAP_SYS_ADMIN)) { 475 keyring_ref = lookup_user_key(ringid, 0, 0); 476 if (IS_ERR(keyring_ref)) 477 goto error; 478 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, 479 &key_ref_to_ptr(keyring_ref)->flags)) 480 goto clear; 481 goto error_put; 482 } 483 484 goto error; 485 } 486 487 clear: 488 keyring = key_ref_to_ptr(keyring_ref); 489 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 490 ret = -EPERM; 491 else 492 ret = keyring_clear(keyring); 493 error_put: 494 key_ref_put(keyring_ref); 495 error: 496 return ret; 497 } 498 499 /* 500 * Create a link from a keyring to a key if there's no matching key in the 501 * keyring, otherwise replace the link to the matching key with a link to the 502 * new key. 503 * 504 * The key must grant the caller Link permission and the the keyring must grant 505 * the caller Write permission. Furthermore, if an additional link is created, 506 * the keyring's quota will be extended. 507 * 508 * If successful, 0 will be returned. 509 */ 510 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 511 { 512 key_ref_t keyring_ref, key_ref; 513 long ret; 514 515 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 516 if (IS_ERR(keyring_ref)) { 517 ret = PTR_ERR(keyring_ref); 518 goto error; 519 } 520 521 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 522 if (IS_ERR(key_ref)) { 523 ret = PTR_ERR(key_ref); 524 goto error2; 525 } 526 527 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 528 529 key_ref_put(key_ref); 530 error2: 531 key_ref_put(keyring_ref); 532 error: 533 return ret; 534 } 535 536 /* 537 * Unlink a key from a keyring. 538 * 539 * The keyring must grant the caller Write permission for this to work; the key 540 * itself need not grant the caller anything. If the last link to a key is 541 * removed then that key will be scheduled for destruction. 542 * 543 * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. 544 * 545 * If successful, 0 will be returned. 546 */ 547 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 548 { 549 key_ref_t keyring_ref, key_ref; 550 struct key *keyring, *key; 551 long ret; 552 553 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); 554 if (IS_ERR(keyring_ref)) { 555 ret = PTR_ERR(keyring_ref); 556 goto error; 557 } 558 559 key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0); 560 if (IS_ERR(key_ref)) { 561 ret = PTR_ERR(key_ref); 562 goto error2; 563 } 564 565 keyring = key_ref_to_ptr(keyring_ref); 566 key = key_ref_to_ptr(key_ref); 567 if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && 568 test_bit(KEY_FLAG_KEEP, &key->flags)) 569 ret = -EPERM; 570 else 571 ret = key_unlink(keyring, key); 572 573 key_ref_put(key_ref); 574 error2: 575 key_ref_put(keyring_ref); 576 error: 577 return ret; 578 } 579 580 /* 581 * Move a link to a key from one keyring to another, displacing any matching 582 * key from the destination keyring. 583 * 584 * The key must grant the caller Link permission and both keyrings must grant 585 * the caller Write permission. There must also be a link in the from keyring 586 * to the key. If both keyrings are the same, nothing is done. 587 * 588 * If successful, 0 will be returned. 589 */ 590 long keyctl_keyring_move(key_serial_t id, key_serial_t from_ringid, 591 key_serial_t to_ringid, unsigned int flags) 592 { 593 key_ref_t key_ref, from_ref, to_ref; 594 long ret; 595 596 if (flags & ~KEYCTL_MOVE_EXCL) 597 return -EINVAL; 598 599 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 600 if (IS_ERR(key_ref)) 601 return PTR_ERR(key_ref); 602 603 from_ref = lookup_user_key(from_ringid, 0, KEY_NEED_WRITE); 604 if (IS_ERR(from_ref)) { 605 ret = PTR_ERR(from_ref); 606 goto error2; 607 } 608 609 to_ref = lookup_user_key(to_ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 610 if (IS_ERR(to_ref)) { 611 ret = PTR_ERR(to_ref); 612 goto error3; 613 } 614 615 ret = key_move(key_ref_to_ptr(key_ref), key_ref_to_ptr(from_ref), 616 key_ref_to_ptr(to_ref), flags); 617 618 key_ref_put(to_ref); 619 error3: 620 key_ref_put(from_ref); 621 error2: 622 key_ref_put(key_ref); 623 return ret; 624 } 625 626 /* 627 * Return a description of a key to userspace. 628 * 629 * The key must grant the caller View permission for this to work. 630 * 631 * If there's a buffer, we place up to buflen bytes of data into it formatted 632 * in the following way: 633 * 634 * type;uid;gid;perm;description<NUL> 635 * 636 * If successful, we return the amount of description available, irrespective 637 * of how much we may have copied into the buffer. 638 */ 639 long keyctl_describe_key(key_serial_t keyid, 640 char __user *buffer, 641 size_t buflen) 642 { 643 struct key *key, *instkey; 644 unsigned int perm; 645 key_ref_t key_ref; 646 char *infobuf; 647 long ret; 648 int desclen, infolen; 649 650 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 651 if (IS_ERR(key_ref)) { 652 /* viewing a key under construction is permitted if we have the 653 * authorisation token handy */ 654 if (PTR_ERR(key_ref) == -EACCES) { 655 instkey = key_get_instantiation_authkey(keyid); 656 if (!IS_ERR(instkey)) { 657 key_put(instkey); 658 key_ref = lookup_user_key(keyid, 659 KEY_LOOKUP_PARTIAL, 660 0); 661 if (!IS_ERR(key_ref)) 662 goto okay; 663 } 664 } 665 666 ret = PTR_ERR(key_ref); 667 goto error; 668 } 669 670 okay: 671 key = key_ref_to_ptr(key_ref); 672 desclen = strlen(key->description); 673 674 rcu_read_lock(); 675 perm = key_acl_to_perm(rcu_dereference(key->acl)); 676 rcu_read_unlock(); 677 678 /* calculate how much information we're going to return */ 679 ret = -ENOMEM; 680 infobuf = kasprintf(GFP_KERNEL, 681 "%s;%d;%d;%08x;", 682 key->type->name, 683 from_kuid_munged(current_user_ns(), key->uid), 684 from_kgid_munged(current_user_ns(), key->gid), 685 perm); 686 if (!infobuf) 687 goto error2; 688 infolen = strlen(infobuf); 689 ret = infolen + desclen + 1; 690 691 /* consider returning the data */ 692 if (buffer && buflen >= ret) { 693 if (copy_to_user(buffer, infobuf, infolen) != 0 || 694 copy_to_user(buffer + infolen, key->description, 695 desclen + 1) != 0) 696 ret = -EFAULT; 697 } 698 699 kfree(infobuf); 700 error2: 701 key_ref_put(key_ref); 702 error: 703 return ret; 704 } 705 706 /* 707 * Search the specified keyring and any keyrings it links to for a matching 708 * key. Only keyrings that grant the caller Search permission will be searched 709 * (this includes the starting keyring). Only keys with Search permission can 710 * be found. 711 * 712 * If successful, the found key will be linked to the destination keyring if 713 * supplied and the key has Link permission, and the found key ID will be 714 * returned. 715 */ 716 long keyctl_keyring_search(key_serial_t ringid, 717 const char __user *_type, 718 const char __user *_description, 719 key_serial_t destringid) 720 { 721 struct key_type *ktype; 722 key_ref_t keyring_ref, key_ref, dest_ref; 723 char type[32], *description; 724 long ret; 725 726 /* pull the type and description into kernel space */ 727 ret = key_get_type_from_user(type, _type, sizeof(type)); 728 if (ret < 0) 729 goto error; 730 731 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 732 if (IS_ERR(description)) { 733 ret = PTR_ERR(description); 734 goto error; 735 } 736 737 /* get the keyring at which to begin the search */ 738 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH); 739 if (IS_ERR(keyring_ref)) { 740 ret = PTR_ERR(keyring_ref); 741 goto error2; 742 } 743 744 /* get the destination keyring if specified */ 745 dest_ref = NULL; 746 if (destringid) { 747 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 748 KEY_NEED_WRITE); 749 if (IS_ERR(dest_ref)) { 750 ret = PTR_ERR(dest_ref); 751 goto error3; 752 } 753 } 754 755 /* find the key type */ 756 ktype = key_type_lookup(type); 757 if (IS_ERR(ktype)) { 758 ret = PTR_ERR(ktype); 759 goto error4; 760 } 761 762 /* do the search */ 763 key_ref = keyring_search(keyring_ref, ktype, description, true); 764 if (IS_ERR(key_ref)) { 765 ret = PTR_ERR(key_ref); 766 767 /* treat lack or presence of a negative key the same */ 768 if (ret == -EAGAIN) 769 ret = -ENOKEY; 770 goto error5; 771 } 772 773 /* link the resulting key to the destination keyring if we can */ 774 if (dest_ref) { 775 ret = key_permission(key_ref, KEY_NEED_LINK); 776 if (ret < 0) 777 goto error6; 778 779 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 780 if (ret < 0) 781 goto error6; 782 } 783 784 ret = key_ref_to_ptr(key_ref)->serial; 785 786 error6: 787 key_ref_put(key_ref); 788 error5: 789 key_type_put(ktype); 790 error4: 791 key_ref_put(dest_ref); 792 error3: 793 key_ref_put(keyring_ref); 794 error2: 795 kfree(description); 796 error: 797 return ret; 798 } 799 800 /* 801 * Read a key's payload. 802 * 803 * The key must either grant the caller Read permission, or it must grant the 804 * caller Search permission when searched for from the process keyrings. 805 * 806 * If successful, we place up to buflen bytes of data into the buffer, if one 807 * is provided, and return the amount of data that is available in the key, 808 * irrespective of how much we copied into the buffer. 809 */ 810 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 811 { 812 struct key *key; 813 key_ref_t key_ref; 814 long ret; 815 816 /* find the key first */ 817 key_ref = lookup_user_key(keyid, 0, 0); 818 if (IS_ERR(key_ref)) { 819 ret = -ENOKEY; 820 goto error; 821 } 822 823 key = key_ref_to_ptr(key_ref); 824 825 ret = key_read_state(key); 826 if (ret < 0) 827 goto error2; /* Negatively instantiated */ 828 829 /* see if we can read it directly */ 830 ret = key_permission(key_ref, KEY_NEED_READ); 831 if (ret == 0) 832 goto can_read_key; 833 if (ret != -EACCES) 834 goto error2; 835 836 /* we can't; see if it's searchable from this process's keyrings 837 * - we automatically take account of the fact that it may be 838 * dangling off an instantiation key 839 */ 840 if (!is_key_possessed(key_ref)) { 841 ret = -EACCES; 842 goto error2; 843 } 844 845 /* the key is probably readable - now try to read it */ 846 can_read_key: 847 ret = -EOPNOTSUPP; 848 if (key->type->read) { 849 /* Read the data with the semaphore held (since we might sleep) 850 * to protect against the key being updated or revoked. 851 */ 852 down_read(&key->sem); 853 ret = key_validate(key); 854 if (ret == 0) 855 ret = key->type->read(key, buffer, buflen); 856 up_read(&key->sem); 857 } 858 859 error2: 860 key_put(key); 861 error: 862 return ret; 863 } 864 865 /* 866 * Change the ownership of a key 867 * 868 * The key must grant the caller Setattr permission for this to work, though 869 * the key need not be fully instantiated yet. For the UID to be changed, or 870 * for the GID to be changed to a group the caller is not a member of, the 871 * caller must have sysadmin capability. If either uid or gid is -1 then that 872 * attribute is not changed. 873 * 874 * If the UID is to be changed, the new user must have sufficient quota to 875 * accept the key. The quota deduction will be removed from the old user to 876 * the new user should the attribute be changed. 877 * 878 * If successful, 0 will be returned. 879 */ 880 long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) 881 { 882 struct key_user *newowner, *zapowner = NULL; 883 struct key *key; 884 key_ref_t key_ref; 885 long ret; 886 kuid_t uid; 887 kgid_t gid; 888 889 uid = make_kuid(current_user_ns(), user); 890 gid = make_kgid(current_user_ns(), group); 891 ret = -EINVAL; 892 if ((user != (uid_t) -1) && !uid_valid(uid)) 893 goto error; 894 if ((group != (gid_t) -1) && !gid_valid(gid)) 895 goto error; 896 897 ret = 0; 898 if (user == (uid_t) -1 && group == (gid_t) -1) 899 goto error; 900 901 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 902 KEY_NEED_SETSEC); 903 if (IS_ERR(key_ref)) { 904 ret = PTR_ERR(key_ref); 905 goto error; 906 } 907 908 key = key_ref_to_ptr(key_ref); 909 910 /* make the changes with the locks held to prevent chown/chown races */ 911 ret = -EACCES; 912 down_write(&key->sem); 913 914 if (!capable(CAP_SYS_ADMIN)) { 915 /* only the sysadmin can chown a key to some other UID */ 916 if (user != (uid_t) -1 && !uid_eq(key->uid, uid)) 917 goto error_put; 918 919 /* only the sysadmin can set the key's GID to a group other 920 * than one of those that the current process subscribes to */ 921 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid)) 922 goto error_put; 923 } 924 925 /* change the UID */ 926 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) { 927 ret = -ENOMEM; 928 newowner = key_user_lookup(uid); 929 if (!newowner) 930 goto error_put; 931 932 /* transfer the quota burden to the new user */ 933 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 934 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 935 key_quota_root_maxkeys : key_quota_maxkeys; 936 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 937 key_quota_root_maxbytes : key_quota_maxbytes; 938 939 spin_lock(&newowner->lock); 940 if (newowner->qnkeys + 1 >= maxkeys || 941 newowner->qnbytes + key->quotalen >= maxbytes || 942 newowner->qnbytes + key->quotalen < 943 newowner->qnbytes) 944 goto quota_overrun; 945 946 newowner->qnkeys++; 947 newowner->qnbytes += key->quotalen; 948 spin_unlock(&newowner->lock); 949 950 spin_lock(&key->user->lock); 951 key->user->qnkeys--; 952 key->user->qnbytes -= key->quotalen; 953 spin_unlock(&key->user->lock); 954 } 955 956 atomic_dec(&key->user->nkeys); 957 atomic_inc(&newowner->nkeys); 958 959 if (key->state != KEY_IS_UNINSTANTIATED) { 960 atomic_dec(&key->user->nikeys); 961 atomic_inc(&newowner->nikeys); 962 } 963 964 zapowner = key->user; 965 key->user = newowner; 966 key->uid = uid; 967 } 968 969 /* change the GID */ 970 if (group != (gid_t) -1) 971 key->gid = gid; 972 973 ret = 0; 974 975 error_put: 976 up_write(&key->sem); 977 key_put(key); 978 if (zapowner) 979 key_user_put(zapowner); 980 error: 981 return ret; 982 983 quota_overrun: 984 spin_unlock(&newowner->lock); 985 zapowner = newowner; 986 ret = -EDQUOT; 987 goto error_put; 988 } 989 990 /* 991 * Change the permission mask on a key. 992 * 993 * The key must grant the caller Setattr permission for this to work, though 994 * the key need not be fully instantiated yet. If the caller does not have 995 * sysadmin capability, it may only change the permission on keys that it owns. 996 */ 997 long keyctl_setperm_key(key_serial_t id, unsigned int perm) 998 { 999 struct key_acl *acl; 1000 struct key *key; 1001 key_ref_t key_ref; 1002 long ret; 1003 int nr, i, j; 1004 1005 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 1006 return -EINVAL; 1007 1008 nr = 0; 1009 if (perm & KEY_POS_ALL) nr++; 1010 if (perm & KEY_USR_ALL) nr++; 1011 if (perm & KEY_GRP_ALL) nr++; 1012 if (perm & KEY_OTH_ALL) nr++; 1013 1014 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1015 KEY_NEED_SETSEC); 1016 if (IS_ERR(key_ref)) { 1017 ret = PTR_ERR(key_ref); 1018 goto error; 1019 } 1020 1021 key = key_ref_to_ptr(key_ref); 1022 1023 ret = -EOPNOTSUPP; 1024 if (test_bit(KEY_FLAG_HAS_ACL, &key->flags)) 1025 goto error_key; 1026 1027 ret = -ENOMEM; 1028 acl = kzalloc(struct_size(acl, aces, nr), GFP_KERNEL); 1029 if (!acl) 1030 goto error_key; 1031 1032 refcount_set(&acl->usage, 1); 1033 acl->nr_ace = nr; 1034 j = 0; 1035 for (i = 0; i < 4; i++) { 1036 struct key_ace *ace = &acl->aces[j]; 1037 unsigned int subset = (perm >> (i * 8)) & KEY_OTH_ALL; 1038 1039 if (!subset) 1040 continue; 1041 ace->type = KEY_ACE_SUBJ_STANDARD; 1042 ace->subject_id = KEY_ACE_EVERYONE + i; 1043 ace->perm = subset; 1044 if (subset & (KEY_OTH_WRITE | KEY_OTH_SETATTR)) 1045 ace->perm |= KEY_ACE_REVOKE; 1046 if (subset & KEY_OTH_SEARCH) 1047 ace->perm |= KEY_ACE_INVAL; 1048 if (key->type == &key_type_keyring) { 1049 if (subset & KEY_OTH_SEARCH) 1050 ace->perm |= KEY_ACE_JOIN; 1051 if (subset & KEY_OTH_WRITE) 1052 ace->perm |= KEY_ACE_CLEAR; 1053 } 1054 j++; 1055 } 1056 1057 /* make the changes with the locks held to prevent chown/chmod races */ 1058 down_write(&key->sem); 1059 ret = key_set_acl(key, acl); 1060 up_write(&key->sem); 1061 error_key: 1062 key_put(key); 1063 error: 1064 return ret; 1065 } 1066 1067 /* 1068 * Get the destination keyring for instantiation and check that the caller has 1069 * Write permission on it. 1070 */ 1071 static long get_instantiation_keyring(key_serial_t ringid, 1072 struct request_key_auth *rka, 1073 struct key **_dest_keyring) 1074 { 1075 key_ref_t dkref; 1076 1077 *_dest_keyring = NULL; 1078 1079 /* just return a NULL pointer if we weren't asked to make a link */ 1080 if (ringid == 0) 1081 return 0; 1082 1083 /* if a specific keyring is nominated by ID, then use that */ 1084 if (ringid > 0) { 1085 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 1086 if (IS_ERR(dkref)) 1087 return PTR_ERR(dkref); 1088 *_dest_keyring = key_ref_to_ptr(dkref); 1089 return 0; 1090 } 1091 1092 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 1093 return -EINVAL; 1094 1095 /* otherwise specify the destination keyring recorded in the 1096 * authorisation key (any KEY_SPEC_*_KEYRING) */ 1097 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 1098 *_dest_keyring = key_get(rka->dest_keyring); 1099 return 0; 1100 } 1101 1102 return -ENOKEY; 1103 } 1104 1105 /* 1106 * Change the request_key authorisation key on the current process. 1107 */ 1108 static int keyctl_change_reqkey_auth(struct key *key) 1109 { 1110 struct cred *new; 1111 1112 new = prepare_creds(); 1113 if (!new) 1114 return -ENOMEM; 1115 1116 key_put(new->request_key_auth); 1117 new->request_key_auth = key_get(key); 1118 1119 return commit_creds(new); 1120 } 1121 1122 /* 1123 * Instantiate a key with the specified payload and link the key into the 1124 * destination keyring if one is given. 1125 * 1126 * The caller must have the appropriate instantiation permit set for this to 1127 * work (see keyctl_assume_authority). No other permissions are required. 1128 * 1129 * If successful, 0 will be returned. 1130 */ 1131 long keyctl_instantiate_key_common(key_serial_t id, 1132 struct iov_iter *from, 1133 key_serial_t ringid) 1134 { 1135 const struct cred *cred = current_cred(); 1136 struct request_key_auth *rka; 1137 struct key *instkey, *dest_keyring; 1138 size_t plen = from ? iov_iter_count(from) : 0; 1139 void *payload; 1140 long ret; 1141 1142 kenter("%d,,%zu,%d", id, plen, ringid); 1143 1144 if (!plen) 1145 from = NULL; 1146 1147 ret = -EINVAL; 1148 if (plen > 1024 * 1024 - 1) 1149 goto error; 1150 1151 /* the appropriate instantiation authorisation key must have been 1152 * assumed before calling this */ 1153 ret = -EPERM; 1154 instkey = cred->request_key_auth; 1155 if (!instkey) 1156 goto error; 1157 1158 rka = instkey->payload.data[0]; 1159 if (rka->target_key->serial != id) 1160 goto error; 1161 1162 /* pull the payload in if one was supplied */ 1163 payload = NULL; 1164 1165 if (from) { 1166 ret = -ENOMEM; 1167 payload = kvmalloc(plen, GFP_KERNEL); 1168 if (!payload) 1169 goto error; 1170 1171 ret = -EFAULT; 1172 if (!copy_from_iter_full(payload, plen, from)) 1173 goto error2; 1174 } 1175 1176 /* find the destination keyring amongst those belonging to the 1177 * requesting task */ 1178 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1179 if (ret < 0) 1180 goto error2; 1181 1182 /* instantiate the key and link it into a keyring */ 1183 ret = key_instantiate_and_link(rka->target_key, payload, plen, 1184 dest_keyring, instkey); 1185 1186 key_put(dest_keyring); 1187 1188 /* discard the assumed authority if it's just been disabled by 1189 * instantiation of the key */ 1190 if (ret == 0) 1191 keyctl_change_reqkey_auth(NULL); 1192 1193 error2: 1194 if (payload) { 1195 memzero_explicit(payload, plen); 1196 kvfree(payload); 1197 } 1198 error: 1199 return ret; 1200 } 1201 1202 /* 1203 * Instantiate a key with the specified payload and link the key into the 1204 * destination keyring if one is given. 1205 * 1206 * The caller must have the appropriate instantiation permit set for this to 1207 * work (see keyctl_assume_authority). No other permissions are required. 1208 * 1209 * If successful, 0 will be returned. 1210 */ 1211 long keyctl_instantiate_key(key_serial_t id, 1212 const void __user *_payload, 1213 size_t plen, 1214 key_serial_t ringid) 1215 { 1216 if (_payload && plen) { 1217 struct iovec iov; 1218 struct iov_iter from; 1219 int ret; 1220 1221 ret = import_single_range(WRITE, (void __user *)_payload, plen, 1222 &iov, &from); 1223 if (unlikely(ret)) 1224 return ret; 1225 1226 return keyctl_instantiate_key_common(id, &from, ringid); 1227 } 1228 1229 return keyctl_instantiate_key_common(id, NULL, ringid); 1230 } 1231 1232 /* 1233 * Instantiate a key with the specified multipart payload and link the key into 1234 * the destination keyring if one is given. 1235 * 1236 * The caller must have the appropriate instantiation permit set for this to 1237 * work (see keyctl_assume_authority). No other permissions are required. 1238 * 1239 * If successful, 0 will be returned. 1240 */ 1241 long keyctl_instantiate_key_iov(key_serial_t id, 1242 const struct iovec __user *_payload_iov, 1243 unsigned ioc, 1244 key_serial_t ringid) 1245 { 1246 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; 1247 struct iov_iter from; 1248 long ret; 1249 1250 if (!_payload_iov) 1251 ioc = 0; 1252 1253 ret = import_iovec(WRITE, _payload_iov, ioc, 1254 ARRAY_SIZE(iovstack), &iov, &from); 1255 if (ret < 0) 1256 return ret; 1257 ret = keyctl_instantiate_key_common(id, &from, ringid); 1258 kfree(iov); 1259 return ret; 1260 } 1261 1262 /* 1263 * Negatively instantiate the key with the given timeout (in seconds) and link 1264 * the key into the destination keyring if one is given. 1265 * 1266 * The caller must have the appropriate instantiation permit set for this to 1267 * work (see keyctl_assume_authority). No other permissions are required. 1268 * 1269 * The key and any links to the key will be automatically garbage collected 1270 * after the timeout expires. 1271 * 1272 * Negative keys are used to rate limit repeated request_key() calls by causing 1273 * them to return -ENOKEY until the negative key expires. 1274 * 1275 * If successful, 0 will be returned. 1276 */ 1277 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 1278 { 1279 return keyctl_reject_key(id, timeout, ENOKEY, ringid); 1280 } 1281 1282 /* 1283 * Negatively instantiate the key with the given timeout (in seconds) and error 1284 * code and link the key into the destination keyring if one is given. 1285 * 1286 * The caller must have the appropriate instantiation permit set for this to 1287 * work (see keyctl_assume_authority). No other permissions are required. 1288 * 1289 * The key and any links to the key will be automatically garbage collected 1290 * after the timeout expires. 1291 * 1292 * Negative keys are used to rate limit repeated request_key() calls by causing 1293 * them to return the specified error code until the negative key expires. 1294 * 1295 * If successful, 0 will be returned. 1296 */ 1297 long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, 1298 key_serial_t ringid) 1299 { 1300 const struct cred *cred = current_cred(); 1301 struct request_key_auth *rka; 1302 struct key *instkey, *dest_keyring; 1303 long ret; 1304 1305 kenter("%d,%u,%u,%d", id, timeout, error, ringid); 1306 1307 /* must be a valid error code and mustn't be a kernel special */ 1308 if (error <= 0 || 1309 error >= MAX_ERRNO || 1310 error == ERESTARTSYS || 1311 error == ERESTARTNOINTR || 1312 error == ERESTARTNOHAND || 1313 error == ERESTART_RESTARTBLOCK) 1314 return -EINVAL; 1315 1316 /* the appropriate instantiation authorisation key must have been 1317 * assumed before calling this */ 1318 ret = -EPERM; 1319 instkey = cred->request_key_auth; 1320 if (!instkey) 1321 goto error; 1322 1323 rka = instkey->payload.data[0]; 1324 if (rka->target_key->serial != id) 1325 goto error; 1326 1327 /* find the destination keyring if present (which must also be 1328 * writable) */ 1329 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1330 if (ret < 0) 1331 goto error; 1332 1333 /* instantiate the key and link it into a keyring */ 1334 ret = key_reject_and_link(rka->target_key, timeout, error, 1335 dest_keyring, instkey); 1336 1337 key_put(dest_keyring); 1338 1339 /* discard the assumed authority if it's just been disabled by 1340 * instantiation of the key */ 1341 if (ret == 0) 1342 keyctl_change_reqkey_auth(NULL); 1343 1344 error: 1345 return ret; 1346 } 1347 1348 /* 1349 * Read or set the default keyring in which request_key() will cache keys and 1350 * return the old setting. 1351 * 1352 * If a thread or process keyring is specified then it will be created if it 1353 * doesn't yet exist. The old setting will be returned if successful. 1354 */ 1355 long keyctl_set_reqkey_keyring(int reqkey_defl) 1356 { 1357 struct cred *new; 1358 int ret, old_setting; 1359 1360 old_setting = current_cred_xxx(jit_keyring); 1361 1362 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1363 return old_setting; 1364 1365 new = prepare_creds(); 1366 if (!new) 1367 return -ENOMEM; 1368 1369 switch (reqkey_defl) { 1370 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1371 ret = install_thread_keyring_to_cred(new); 1372 if (ret < 0) 1373 goto error; 1374 goto set; 1375 1376 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1377 ret = install_process_keyring_to_cred(new); 1378 if (ret < 0) 1379 goto error; 1380 goto set; 1381 1382 case KEY_REQKEY_DEFL_DEFAULT: 1383 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1384 case KEY_REQKEY_DEFL_USER_KEYRING: 1385 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1386 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1387 goto set; 1388 1389 case KEY_REQKEY_DEFL_NO_CHANGE: 1390 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1391 default: 1392 ret = -EINVAL; 1393 goto error; 1394 } 1395 1396 set: 1397 new->jit_keyring = reqkey_defl; 1398 commit_creds(new); 1399 return old_setting; 1400 error: 1401 abort_creds(new); 1402 return ret; 1403 } 1404 1405 /* 1406 * Set or clear the timeout on a key. 1407 * 1408 * Either the key must grant the caller Setattr permission or else the caller 1409 * must hold an instantiation authorisation token for the key. 1410 * 1411 * The timeout is either 0 to clear the timeout, or a number of seconds from 1412 * the current time. The key and any links to the key will be automatically 1413 * garbage collected after the timeout expires. 1414 * 1415 * Keys with KEY_FLAG_KEEP set should not be timed out. 1416 * 1417 * If successful, 0 is returned. 1418 */ 1419 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1420 { 1421 struct key *key, *instkey; 1422 key_ref_t key_ref; 1423 long ret; 1424 1425 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1426 KEY_NEED_SETSEC); 1427 if (IS_ERR(key_ref)) { 1428 /* setting the timeout on a key under construction is permitted 1429 * if we have the authorisation token handy */ 1430 if (PTR_ERR(key_ref) == -EACCES) { 1431 instkey = key_get_instantiation_authkey(id); 1432 if (!IS_ERR(instkey)) { 1433 key_put(instkey); 1434 key_ref = lookup_user_key(id, 1435 KEY_LOOKUP_PARTIAL, 1436 0); 1437 if (!IS_ERR(key_ref)) 1438 goto okay; 1439 } 1440 } 1441 1442 ret = PTR_ERR(key_ref); 1443 goto error; 1444 } 1445 1446 okay: 1447 key = key_ref_to_ptr(key_ref); 1448 ret = 0; 1449 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 1450 ret = -EPERM; 1451 else 1452 key_set_timeout(key, timeout); 1453 key_put(key); 1454 1455 error: 1456 return ret; 1457 } 1458 1459 /* 1460 * Assume (or clear) the authority to instantiate the specified key. 1461 * 1462 * This sets the authoritative token currently in force for key instantiation. 1463 * This must be done for a key to be instantiated. It has the effect of making 1464 * available all the keys from the caller of the request_key() that created a 1465 * key to request_key() calls made by the caller of this function. 1466 * 1467 * The caller must have the instantiation key in their process keyrings with a 1468 * Search permission grant available to the caller. 1469 * 1470 * If the ID given is 0, then the setting will be cleared and 0 returned. 1471 * 1472 * If the ID given has a matching an authorisation key, then that key will be 1473 * set and its ID will be returned. The authorisation key can be read to get 1474 * the callout information passed to request_key(). 1475 */ 1476 long keyctl_assume_authority(key_serial_t id) 1477 { 1478 struct key *authkey; 1479 long ret; 1480 1481 /* special key IDs aren't permitted */ 1482 ret = -EINVAL; 1483 if (id < 0) 1484 goto error; 1485 1486 /* we divest ourselves of authority if given an ID of 0 */ 1487 if (id == 0) { 1488 ret = keyctl_change_reqkey_auth(NULL); 1489 goto error; 1490 } 1491 1492 /* attempt to assume the authority temporarily granted to us whilst we 1493 * instantiate the specified key 1494 * - the authorisation key must be in the current task's keyrings 1495 * somewhere 1496 */ 1497 authkey = key_get_instantiation_authkey(id); 1498 if (IS_ERR(authkey)) { 1499 ret = PTR_ERR(authkey); 1500 goto error; 1501 } 1502 1503 ret = keyctl_change_reqkey_auth(authkey); 1504 if (ret == 0) 1505 ret = authkey->serial; 1506 key_put(authkey); 1507 error: 1508 return ret; 1509 } 1510 1511 /* 1512 * Get a key's the LSM security label. 1513 * 1514 * The key must grant the caller View permission for this to work. 1515 * 1516 * If there's a buffer, then up to buflen bytes of data will be placed into it. 1517 * 1518 * If successful, the amount of information available will be returned, 1519 * irrespective of how much was copied (including the terminal NUL). 1520 */ 1521 long keyctl_get_security(key_serial_t keyid, 1522 char __user *buffer, 1523 size_t buflen) 1524 { 1525 struct key *key, *instkey; 1526 key_ref_t key_ref; 1527 char *context; 1528 long ret; 1529 1530 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 1531 if (IS_ERR(key_ref)) { 1532 if (PTR_ERR(key_ref) != -EACCES) 1533 return PTR_ERR(key_ref); 1534 1535 /* viewing a key under construction is also permitted if we 1536 * have the authorisation token handy */ 1537 instkey = key_get_instantiation_authkey(keyid); 1538 if (IS_ERR(instkey)) 1539 return PTR_ERR(instkey); 1540 key_put(instkey); 1541 1542 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); 1543 if (IS_ERR(key_ref)) 1544 return PTR_ERR(key_ref); 1545 } 1546 1547 key = key_ref_to_ptr(key_ref); 1548 ret = security_key_getsecurity(key, &context); 1549 if (ret == 0) { 1550 /* if no information was returned, give userspace an empty 1551 * string */ 1552 ret = 1; 1553 if (buffer && buflen > 0 && 1554 copy_to_user(buffer, "", 1) != 0) 1555 ret = -EFAULT; 1556 } else if (ret > 0) { 1557 /* return as much data as there's room for */ 1558 if (buffer && buflen > 0) { 1559 if (buflen > ret) 1560 buflen = ret; 1561 1562 if (copy_to_user(buffer, context, buflen) != 0) 1563 ret = -EFAULT; 1564 } 1565 1566 kfree(context); 1567 } 1568 1569 key_ref_put(key_ref); 1570 return ret; 1571 } 1572 1573 /* 1574 * Attempt to install the calling process's session keyring on the process's 1575 * parent process. 1576 * 1577 * The keyring must exist and must grant the caller JOIN permission, and the 1578 * parent process must be single-threaded and must have the same effective 1579 * ownership as this process and mustn't be SUID/SGID. 1580 * 1581 * The keyring will be emplaced on the parent when it next resumes userspace. 1582 * 1583 * If successful, 0 will be returned. 1584 */ 1585 long keyctl_session_to_parent(void) 1586 { 1587 struct task_struct *me, *parent; 1588 const struct cred *mycred, *pcred; 1589 struct callback_head *newwork, *oldwork; 1590 key_ref_t keyring_r; 1591 struct cred *cred; 1592 int ret; 1593 1594 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_JOIN); 1595 if (IS_ERR(keyring_r)) 1596 return PTR_ERR(keyring_r); 1597 1598 ret = -ENOMEM; 1599 1600 /* our parent is going to need a new cred struct, a new tgcred struct 1601 * and new security data, so we allocate them here to prevent ENOMEM in 1602 * our parent */ 1603 cred = cred_alloc_blank(); 1604 if (!cred) 1605 goto error_keyring; 1606 newwork = &cred->rcu; 1607 1608 cred->session_keyring = key_ref_to_ptr(keyring_r); 1609 keyring_r = NULL; 1610 init_task_work(newwork, key_change_session_keyring); 1611 1612 me = current; 1613 rcu_read_lock(); 1614 write_lock_irq(&tasklist_lock); 1615 1616 ret = -EPERM; 1617 oldwork = NULL; 1618 parent = rcu_dereference_protected(me->real_parent, 1619 lockdep_is_held(&tasklist_lock)); 1620 1621 /* the parent mustn't be init and mustn't be a kernel thread */ 1622 if (parent->pid <= 1 || !parent->mm) 1623 goto unlock; 1624 1625 /* the parent must be single threaded */ 1626 if (!thread_group_empty(parent)) 1627 goto unlock; 1628 1629 /* the parent and the child must have different session keyrings or 1630 * there's no point */ 1631 mycred = current_cred(); 1632 pcred = __task_cred(parent); 1633 if (mycred == pcred || 1634 mycred->session_keyring == pcred->session_keyring) { 1635 ret = 0; 1636 goto unlock; 1637 } 1638 1639 /* the parent must have the same effective ownership and mustn't be 1640 * SUID/SGID */ 1641 if (!uid_eq(pcred->uid, mycred->euid) || 1642 !uid_eq(pcred->euid, mycred->euid) || 1643 !uid_eq(pcred->suid, mycred->euid) || 1644 !gid_eq(pcred->gid, mycred->egid) || 1645 !gid_eq(pcred->egid, mycred->egid) || 1646 !gid_eq(pcred->sgid, mycred->egid)) 1647 goto unlock; 1648 1649 /* the keyrings must have the same UID */ 1650 if ((pcred->session_keyring && 1651 !uid_eq(pcred->session_keyring->uid, mycred->euid)) || 1652 !uid_eq(mycred->session_keyring->uid, mycred->euid)) 1653 goto unlock; 1654 1655 /* cancel an already pending keyring replacement */ 1656 oldwork = task_work_cancel(parent, key_change_session_keyring); 1657 1658 /* the replacement session keyring is applied just prior to userspace 1659 * restarting */ 1660 ret = task_work_add(parent, newwork, true); 1661 if (!ret) 1662 newwork = NULL; 1663 unlock: 1664 write_unlock_irq(&tasklist_lock); 1665 rcu_read_unlock(); 1666 if (oldwork) 1667 put_cred(container_of(oldwork, struct cred, rcu)); 1668 if (newwork) 1669 put_cred(cred); 1670 return ret; 1671 1672 error_keyring: 1673 key_ref_put(keyring_r); 1674 return ret; 1675 } 1676 1677 /* 1678 * Apply a restriction to a given keyring. 1679 * 1680 * The caller must have Setattr permission to change keyring restrictions. 1681 * 1682 * The requested type name may be a NULL pointer to reject all attempts 1683 * to link to the keyring. In this case, _restriction must also be NULL. 1684 * Otherwise, both _type and _restriction must be non-NULL. 1685 * 1686 * Returns 0 if successful. 1687 */ 1688 long keyctl_restrict_keyring(key_serial_t id, const char __user *_type, 1689 const char __user *_restriction) 1690 { 1691 key_ref_t key_ref; 1692 char type[32]; 1693 char *restriction = NULL; 1694 long ret; 1695 1696 key_ref = lookup_user_key(id, 0, KEY_NEED_SETSEC); 1697 if (IS_ERR(key_ref)) 1698 return PTR_ERR(key_ref); 1699 1700 ret = -EINVAL; 1701 if (_type) { 1702 if (!_restriction) 1703 goto error; 1704 1705 ret = key_get_type_from_user(type, _type, sizeof(type)); 1706 if (ret < 0) 1707 goto error; 1708 1709 restriction = strndup_user(_restriction, PAGE_SIZE); 1710 if (IS_ERR(restriction)) { 1711 ret = PTR_ERR(restriction); 1712 goto error; 1713 } 1714 } else { 1715 if (_restriction) 1716 goto error; 1717 } 1718 1719 ret = keyring_restrict(key_ref, _type ? type : NULL, restriction); 1720 kfree(restriction); 1721 error: 1722 key_ref_put(key_ref); 1723 return ret; 1724 } 1725 1726 /* 1727 * Get keyrings subsystem capabilities. 1728 */ 1729 long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen) 1730 { 1731 size_t size = buflen; 1732 1733 if (size > 0) { 1734 if (size > sizeof(keyrings_capabilities)) 1735 size = sizeof(keyrings_capabilities); 1736 if (copy_to_user(_buffer, keyrings_capabilities, size) != 0) 1737 return -EFAULT; 1738 if (size < buflen && 1739 clear_user(_buffer + size, buflen - size) != 0) 1740 return -EFAULT; 1741 } 1742 1743 return sizeof(keyrings_capabilities); 1744 } 1745 1746 /* 1747 * The key control system call 1748 */ 1749 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1750 unsigned long, arg4, unsigned long, arg5) 1751 { 1752 switch (option) { 1753 case KEYCTL_GET_KEYRING_ID: 1754 return keyctl_get_keyring_ID((key_serial_t) arg2, 1755 (int) arg3); 1756 1757 case KEYCTL_JOIN_SESSION_KEYRING: 1758 return keyctl_join_session_keyring((const char __user *) arg2); 1759 1760 case KEYCTL_UPDATE: 1761 return keyctl_update_key((key_serial_t) arg2, 1762 (const void __user *) arg3, 1763 (size_t) arg4); 1764 1765 case KEYCTL_REVOKE: 1766 return keyctl_revoke_key((key_serial_t) arg2); 1767 1768 case KEYCTL_DESCRIBE: 1769 return keyctl_describe_key((key_serial_t) arg2, 1770 (char __user *) arg3, 1771 (unsigned) arg4); 1772 1773 case KEYCTL_CLEAR: 1774 return keyctl_keyring_clear((key_serial_t) arg2); 1775 1776 case KEYCTL_LINK: 1777 return keyctl_keyring_link((key_serial_t) arg2, 1778 (key_serial_t) arg3); 1779 1780 case KEYCTL_UNLINK: 1781 return keyctl_keyring_unlink((key_serial_t) arg2, 1782 (key_serial_t) arg3); 1783 1784 case KEYCTL_SEARCH: 1785 return keyctl_keyring_search((key_serial_t) arg2, 1786 (const char __user *) arg3, 1787 (const char __user *) arg4, 1788 (key_serial_t) arg5); 1789 1790 case KEYCTL_READ: 1791 return keyctl_read_key((key_serial_t) arg2, 1792 (char __user *) arg3, 1793 (size_t) arg4); 1794 1795 case KEYCTL_CHOWN: 1796 return keyctl_chown_key((key_serial_t) arg2, 1797 (uid_t) arg3, 1798 (gid_t) arg4); 1799 1800 case KEYCTL_SETPERM: 1801 return keyctl_setperm_key((key_serial_t) arg2, 1802 (unsigned int)arg3); 1803 1804 case KEYCTL_INSTANTIATE: 1805 return keyctl_instantiate_key((key_serial_t) arg2, 1806 (const void __user *) arg3, 1807 (size_t) arg4, 1808 (key_serial_t) arg5); 1809 1810 case KEYCTL_NEGATE: 1811 return keyctl_negate_key((key_serial_t) arg2, 1812 (unsigned) arg3, 1813 (key_serial_t) arg4); 1814 1815 case KEYCTL_SET_REQKEY_KEYRING: 1816 return keyctl_set_reqkey_keyring(arg2); 1817 1818 case KEYCTL_SET_TIMEOUT: 1819 return keyctl_set_timeout((key_serial_t) arg2, 1820 (unsigned) arg3); 1821 1822 case KEYCTL_ASSUME_AUTHORITY: 1823 return keyctl_assume_authority((key_serial_t) arg2); 1824 1825 case KEYCTL_GET_SECURITY: 1826 return keyctl_get_security((key_serial_t) arg2, 1827 (char __user *) arg3, 1828 (size_t) arg4); 1829 1830 case KEYCTL_SESSION_TO_PARENT: 1831 return keyctl_session_to_parent(); 1832 1833 case KEYCTL_REJECT: 1834 return keyctl_reject_key((key_serial_t) arg2, 1835 (unsigned) arg3, 1836 (unsigned) arg4, 1837 (key_serial_t) arg5); 1838 1839 case KEYCTL_INSTANTIATE_IOV: 1840 return keyctl_instantiate_key_iov( 1841 (key_serial_t) arg2, 1842 (const struct iovec __user *) arg3, 1843 (unsigned) arg4, 1844 (key_serial_t) arg5); 1845 1846 case KEYCTL_INVALIDATE: 1847 return keyctl_invalidate_key((key_serial_t) arg2); 1848 1849 case KEYCTL_GET_PERSISTENT: 1850 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); 1851 1852 case KEYCTL_DH_COMPUTE: 1853 return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2, 1854 (char __user *) arg3, (size_t) arg4, 1855 (struct keyctl_kdf_params __user *) arg5); 1856 1857 case KEYCTL_RESTRICT_KEYRING: 1858 return keyctl_restrict_keyring((key_serial_t) arg2, 1859 (const char __user *) arg3, 1860 (const char __user *) arg4); 1861 1862 case KEYCTL_PKEY_QUERY: 1863 if (arg3 != 0) 1864 return -EINVAL; 1865 return keyctl_pkey_query((key_serial_t)arg2, 1866 (const char __user *)arg4, 1867 (struct keyctl_pkey_query __user *)arg5); 1868 1869 case KEYCTL_PKEY_ENCRYPT: 1870 case KEYCTL_PKEY_DECRYPT: 1871 case KEYCTL_PKEY_SIGN: 1872 return keyctl_pkey_e_d_s( 1873 option, 1874 (const struct keyctl_pkey_params __user *)arg2, 1875 (const char __user *)arg3, 1876 (const void __user *)arg4, 1877 (void __user *)arg5); 1878 1879 case KEYCTL_PKEY_VERIFY: 1880 return keyctl_pkey_verify( 1881 (const struct keyctl_pkey_params __user *)arg2, 1882 (const char __user *)arg3, 1883 (const void __user *)arg4, 1884 (const void __user *)arg5); 1885 1886 case KEYCTL_MOVE: 1887 return keyctl_keyring_move((key_serial_t)arg2, 1888 (key_serial_t)arg3, 1889 (key_serial_t)arg4, 1890 (unsigned int)arg5); 1891 case KEYCTL_GRANT_PERMISSION: 1892 return keyctl_grant_permission((key_serial_t)arg2, 1893 (enum key_ace_subject_type)arg3, 1894 (unsigned int)arg4, 1895 (unsigned int)arg5); 1896 1897 case KEYCTL_CAPABILITIES: 1898 return keyctl_capabilities((unsigned char __user *)arg2, (size_t)arg3); 1899 1900 default: 1901 return -EOPNOTSUPP; 1902 } 1903 } 1904