1 /* keyctl.c: userspace keyctl operations 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/syscalls.h> 17 #include <linux/keyctl.h> 18 #include <linux/fs.h> 19 #include <linux/capability.h> 20 #include <linux/string.h> 21 #include <linux/err.h> 22 #include <asm/uaccess.h> 23 #include "internal.h" 24 25 static int key_get_type_from_user(char *type, 26 const char __user *_type, 27 unsigned len) 28 { 29 int ret; 30 31 ret = strncpy_from_user(type, _type, len); 32 33 if (ret < 0) 34 return -EFAULT; 35 36 if (ret == 0 || ret >= len) 37 return -EINVAL; 38 39 if (type[0] == '.') 40 return -EPERM; 41 42 type[len - 1] = '\0'; 43 44 return 0; 45 } 46 47 /*****************************************************************************/ 48 /* 49 * extract the description of a new key from userspace and either add it as a 50 * new key to the specified keyring or update a matching key in that keyring 51 * - the keyring must be writable 52 * - returns the new key's serial number 53 * - implements add_key() 54 */ 55 asmlinkage long sys_add_key(const char __user *_type, 56 const char __user *_description, 57 const void __user *_payload, 58 size_t plen, 59 key_serial_t ringid) 60 { 61 key_ref_t keyring_ref, key_ref; 62 char type[32], *description; 63 void *payload; 64 long ret; 65 66 ret = -EINVAL; 67 if (plen > 32767) 68 goto error; 69 70 /* draw all the data into kernel space */ 71 ret = key_get_type_from_user(type, _type, sizeof(type)); 72 if (ret < 0) 73 goto error; 74 75 description = strndup_user(_description, PAGE_SIZE); 76 if (IS_ERR(description)) { 77 ret = PTR_ERR(description); 78 goto error; 79 } 80 81 /* pull the payload in if one was supplied */ 82 payload = NULL; 83 84 if (_payload) { 85 ret = -ENOMEM; 86 payload = kmalloc(plen, GFP_KERNEL); 87 if (!payload) 88 goto error2; 89 90 ret = -EFAULT; 91 if (copy_from_user(payload, _payload, plen) != 0) 92 goto error3; 93 } 94 95 /* find the target keyring (which must be writable) */ 96 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 97 if (IS_ERR(keyring_ref)) { 98 ret = PTR_ERR(keyring_ref); 99 goto error3; 100 } 101 102 /* create or update the requested key and add it to the target 103 * keyring */ 104 key_ref = key_create_or_update(keyring_ref, type, description, 105 payload, plen, 0); 106 if (!IS_ERR(key_ref)) { 107 ret = key_ref_to_ptr(key_ref)->serial; 108 key_ref_put(key_ref); 109 } 110 else { 111 ret = PTR_ERR(key_ref); 112 } 113 114 key_ref_put(keyring_ref); 115 error3: 116 kfree(payload); 117 error2: 118 kfree(description); 119 error: 120 return ret; 121 122 } /* end sys_add_key() */ 123 124 /*****************************************************************************/ 125 /* 126 * search the process keyrings for a matching key 127 * - nested keyrings may also be searched if they have Search permission 128 * - if a key is found, it will be attached to the destination keyring if 129 * there's one specified 130 * - /sbin/request-key will be invoked if _callout_info is non-NULL 131 * - the _callout_info string will be passed to /sbin/request-key 132 * - if the _callout_info string is empty, it will be rendered as "-" 133 * - implements request_key() 134 */ 135 asmlinkage long sys_request_key(const char __user *_type, 136 const char __user *_description, 137 const char __user *_callout_info, 138 key_serial_t destringid) 139 { 140 struct key_type *ktype; 141 struct key *key; 142 key_ref_t dest_ref; 143 char type[32], *description, *callout_info; 144 long ret; 145 146 /* pull the type into kernel space */ 147 ret = key_get_type_from_user(type, _type, sizeof(type)); 148 if (ret < 0) 149 goto error; 150 151 /* pull the description into kernel space */ 152 description = strndup_user(_description, PAGE_SIZE); 153 if (IS_ERR(description)) { 154 ret = PTR_ERR(description); 155 goto error; 156 } 157 158 /* pull the callout info into kernel space */ 159 callout_info = NULL; 160 if (_callout_info) { 161 callout_info = strndup_user(_callout_info, PAGE_SIZE); 162 if (IS_ERR(callout_info)) { 163 ret = PTR_ERR(callout_info); 164 goto error2; 165 } 166 } 167 168 /* get the destination keyring if specified */ 169 dest_ref = NULL; 170 if (destringid) { 171 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 172 if (IS_ERR(dest_ref)) { 173 ret = PTR_ERR(dest_ref); 174 goto error3; 175 } 176 } 177 178 /* find the key type */ 179 ktype = key_type_lookup(type); 180 if (IS_ERR(ktype)) { 181 ret = PTR_ERR(ktype); 182 goto error4; 183 } 184 185 /* do the search */ 186 key = request_key_and_link(ktype, description, callout_info, 187 key_ref_to_ptr(dest_ref)); 188 if (IS_ERR(key)) { 189 ret = PTR_ERR(key); 190 goto error5; 191 } 192 193 ret = key->serial; 194 195 key_put(key); 196 error5: 197 key_type_put(ktype); 198 error4: 199 key_ref_put(dest_ref); 200 error3: 201 kfree(callout_info); 202 error2: 203 kfree(description); 204 error: 205 return ret; 206 207 } /* end sys_request_key() */ 208 209 /*****************************************************************************/ 210 /* 211 * get the ID of the specified process keyring 212 * - the keyring must have search permission to be found 213 * - implements keyctl(KEYCTL_GET_KEYRING_ID) 214 */ 215 long keyctl_get_keyring_ID(key_serial_t id, int create) 216 { 217 key_ref_t key_ref; 218 long ret; 219 220 key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); 221 if (IS_ERR(key_ref)) { 222 ret = PTR_ERR(key_ref); 223 goto error; 224 } 225 226 ret = key_ref_to_ptr(key_ref)->serial; 227 key_ref_put(key_ref); 228 error: 229 return ret; 230 231 } /* end keyctl_get_keyring_ID() */ 232 233 /*****************************************************************************/ 234 /* 235 * join the session keyring 236 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING) 237 */ 238 long keyctl_join_session_keyring(const char __user *_name) 239 { 240 char *name; 241 long ret; 242 243 /* fetch the name from userspace */ 244 name = NULL; 245 if (_name) { 246 name = strndup_user(_name, PAGE_SIZE); 247 if (IS_ERR(name)) { 248 ret = PTR_ERR(name); 249 goto error; 250 } 251 } 252 253 /* join the session */ 254 ret = join_session_keyring(name); 255 256 error: 257 return ret; 258 259 } /* end keyctl_join_session_keyring() */ 260 261 /*****************************************************************************/ 262 /* 263 * update a key's data payload 264 * - the key must be writable 265 * - implements keyctl(KEYCTL_UPDATE) 266 */ 267 long keyctl_update_key(key_serial_t id, 268 const void __user *_payload, 269 size_t plen) 270 { 271 key_ref_t key_ref; 272 void *payload; 273 long ret; 274 275 ret = -EINVAL; 276 if (plen > PAGE_SIZE) 277 goto error; 278 279 /* pull the payload in if one was supplied */ 280 payload = NULL; 281 if (_payload) { 282 ret = -ENOMEM; 283 payload = kmalloc(plen, GFP_KERNEL); 284 if (!payload) 285 goto error; 286 287 ret = -EFAULT; 288 if (copy_from_user(payload, _payload, plen) != 0) 289 goto error2; 290 } 291 292 /* find the target key (which must be writable) */ 293 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 294 if (IS_ERR(key_ref)) { 295 ret = PTR_ERR(key_ref); 296 goto error2; 297 } 298 299 /* update the key */ 300 ret = key_update(key_ref, payload, plen); 301 302 key_ref_put(key_ref); 303 error2: 304 kfree(payload); 305 error: 306 return ret; 307 308 } /* end keyctl_update_key() */ 309 310 /*****************************************************************************/ 311 /* 312 * revoke a key 313 * - the key must be writable 314 * - implements keyctl(KEYCTL_REVOKE) 315 */ 316 long keyctl_revoke_key(key_serial_t id) 317 { 318 key_ref_t key_ref; 319 long ret; 320 321 key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); 322 if (IS_ERR(key_ref)) { 323 ret = PTR_ERR(key_ref); 324 goto error; 325 } 326 327 key_revoke(key_ref_to_ptr(key_ref)); 328 ret = 0; 329 330 key_ref_put(key_ref); 331 error: 332 return ret; 333 334 } /* end keyctl_revoke_key() */ 335 336 /*****************************************************************************/ 337 /* 338 * clear the specified process keyring 339 * - the keyring must be writable 340 * - implements keyctl(KEYCTL_CLEAR) 341 */ 342 long keyctl_keyring_clear(key_serial_t ringid) 343 { 344 key_ref_t keyring_ref; 345 long ret; 346 347 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 348 if (IS_ERR(keyring_ref)) { 349 ret = PTR_ERR(keyring_ref); 350 goto error; 351 } 352 353 ret = keyring_clear(key_ref_to_ptr(keyring_ref)); 354 355 key_ref_put(keyring_ref); 356 error: 357 return ret; 358 359 } /* end keyctl_keyring_clear() */ 360 361 /*****************************************************************************/ 362 /* 363 * link a key into a keyring 364 * - the keyring must be writable 365 * - the key must be linkable 366 * - implements keyctl(KEYCTL_LINK) 367 */ 368 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 369 { 370 key_ref_t keyring_ref, key_ref; 371 long ret; 372 373 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 374 if (IS_ERR(keyring_ref)) { 375 ret = PTR_ERR(keyring_ref); 376 goto error; 377 } 378 379 key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK); 380 if (IS_ERR(key_ref)) { 381 ret = PTR_ERR(key_ref); 382 goto error2; 383 } 384 385 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 386 387 key_ref_put(key_ref); 388 error2: 389 key_ref_put(keyring_ref); 390 error: 391 return ret; 392 393 } /* end keyctl_keyring_link() */ 394 395 /*****************************************************************************/ 396 /* 397 * unlink the first attachment of a key from a keyring 398 * - the keyring must be writable 399 * - we don't need any permissions on the key 400 * - implements keyctl(KEYCTL_UNLINK) 401 */ 402 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 403 { 404 key_ref_t keyring_ref, key_ref; 405 long ret; 406 407 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); 408 if (IS_ERR(keyring_ref)) { 409 ret = PTR_ERR(keyring_ref); 410 goto error; 411 } 412 413 key_ref = lookup_user_key(NULL, id, 0, 0, 0); 414 if (IS_ERR(key_ref)) { 415 ret = PTR_ERR(key_ref); 416 goto error2; 417 } 418 419 ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 420 421 key_ref_put(key_ref); 422 error2: 423 key_ref_put(keyring_ref); 424 error: 425 return ret; 426 427 } /* end keyctl_keyring_unlink() */ 428 429 /*****************************************************************************/ 430 /* 431 * describe a user key 432 * - the key must have view permission 433 * - if there's a buffer, we place up to buflen bytes of data into it 434 * - unless there's an error, we return the amount of description available, 435 * irrespective of how much we may have copied 436 * - the description is formatted thus: 437 * type;uid;gid;perm;description<NUL> 438 * - implements keyctl(KEYCTL_DESCRIBE) 439 */ 440 long keyctl_describe_key(key_serial_t keyid, 441 char __user *buffer, 442 size_t buflen) 443 { 444 struct key *key, *instkey; 445 key_ref_t key_ref; 446 char *tmpbuf; 447 long ret; 448 449 key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); 450 if (IS_ERR(key_ref)) { 451 /* viewing a key under construction is permitted if we have the 452 * authorisation token handy */ 453 if (PTR_ERR(key_ref) == -EACCES) { 454 instkey = key_get_instantiation_authkey(keyid); 455 if (!IS_ERR(instkey)) { 456 key_put(instkey); 457 key_ref = lookup_user_key(NULL, keyid, 458 0, 1, 0); 459 if (!IS_ERR(key_ref)) 460 goto okay; 461 } 462 } 463 464 ret = PTR_ERR(key_ref); 465 goto error; 466 } 467 468 okay: 469 /* calculate how much description we're going to return */ 470 ret = -ENOMEM; 471 tmpbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); 472 if (!tmpbuf) 473 goto error2; 474 475 key = key_ref_to_ptr(key_ref); 476 477 ret = snprintf(tmpbuf, PAGE_SIZE - 1, 478 "%s;%d;%d;%08x;%s", 479 key_ref_to_ptr(key_ref)->type->name, 480 key_ref_to_ptr(key_ref)->uid, 481 key_ref_to_ptr(key_ref)->gid, 482 key_ref_to_ptr(key_ref)->perm, 483 key_ref_to_ptr(key_ref)->description ? 484 key_ref_to_ptr(key_ref)->description : "" 485 ); 486 487 /* include a NUL char at the end of the data */ 488 if (ret > PAGE_SIZE - 1) 489 ret = PAGE_SIZE - 1; 490 tmpbuf[ret] = 0; 491 ret++; 492 493 /* consider returning the data */ 494 if (buffer && buflen > 0) { 495 if (buflen > ret) 496 buflen = ret; 497 498 if (copy_to_user(buffer, tmpbuf, buflen) != 0) 499 ret = -EFAULT; 500 } 501 502 kfree(tmpbuf); 503 error2: 504 key_ref_put(key_ref); 505 error: 506 return ret; 507 508 } /* end keyctl_describe_key() */ 509 510 /*****************************************************************************/ 511 /* 512 * search the specified keyring for a matching key 513 * - the start keyring must be searchable 514 * - nested keyrings may also be searched if they are searchable 515 * - only keys with search permission may be found 516 * - if a key is found, it will be attached to the destination keyring if 517 * there's one specified 518 * - implements keyctl(KEYCTL_SEARCH) 519 */ 520 long keyctl_keyring_search(key_serial_t ringid, 521 const char __user *_type, 522 const char __user *_description, 523 key_serial_t destringid) 524 { 525 struct key_type *ktype; 526 key_ref_t keyring_ref, key_ref, dest_ref; 527 char type[32], *description; 528 long ret; 529 530 /* pull the type and description into kernel space */ 531 ret = key_get_type_from_user(type, _type, sizeof(type)); 532 if (ret < 0) 533 goto error; 534 535 description = strndup_user(_description, PAGE_SIZE); 536 if (IS_ERR(description)) { 537 ret = PTR_ERR(description); 538 goto error; 539 } 540 541 /* get the keyring at which to begin the search */ 542 keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); 543 if (IS_ERR(keyring_ref)) { 544 ret = PTR_ERR(keyring_ref); 545 goto error2; 546 } 547 548 /* get the destination keyring if specified */ 549 dest_ref = NULL; 550 if (destringid) { 551 dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); 552 if (IS_ERR(dest_ref)) { 553 ret = PTR_ERR(dest_ref); 554 goto error3; 555 } 556 } 557 558 /* find the key type */ 559 ktype = key_type_lookup(type); 560 if (IS_ERR(ktype)) { 561 ret = PTR_ERR(ktype); 562 goto error4; 563 } 564 565 /* do the search */ 566 key_ref = keyring_search(keyring_ref, ktype, description); 567 if (IS_ERR(key_ref)) { 568 ret = PTR_ERR(key_ref); 569 570 /* treat lack or presence of a negative key the same */ 571 if (ret == -EAGAIN) 572 ret = -ENOKEY; 573 goto error5; 574 } 575 576 /* link the resulting key to the destination keyring if we can */ 577 if (dest_ref) { 578 ret = key_permission(key_ref, KEY_LINK); 579 if (ret < 0) 580 goto error6; 581 582 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 583 if (ret < 0) 584 goto error6; 585 } 586 587 ret = key_ref_to_ptr(key_ref)->serial; 588 589 error6: 590 key_ref_put(key_ref); 591 error5: 592 key_type_put(ktype); 593 error4: 594 key_ref_put(dest_ref); 595 error3: 596 key_ref_put(keyring_ref); 597 error2: 598 kfree(description); 599 error: 600 return ret; 601 602 } /* end keyctl_keyring_search() */ 603 604 /*****************************************************************************/ 605 /* 606 * read a user key's payload 607 * - the keyring must be readable or the key must be searchable from the 608 * process's keyrings 609 * - if there's a buffer, we place up to buflen bytes of data into it 610 * - unless there's an error, we return the amount of data in the key, 611 * irrespective of how much we may have copied 612 * - implements keyctl(KEYCTL_READ) 613 */ 614 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 615 { 616 struct key *key; 617 key_ref_t key_ref; 618 long ret; 619 620 /* find the key first */ 621 key_ref = lookup_user_key(NULL, keyid, 0, 0, 0); 622 if (IS_ERR(key_ref)) { 623 ret = -ENOKEY; 624 goto error; 625 } 626 627 key = key_ref_to_ptr(key_ref); 628 629 /* see if we can read it directly */ 630 ret = key_permission(key_ref, KEY_READ); 631 if (ret == 0) 632 goto can_read_key; 633 if (ret != -EACCES) 634 goto error; 635 636 /* we can't; see if it's searchable from this process's keyrings 637 * - we automatically take account of the fact that it may be 638 * dangling off an instantiation key 639 */ 640 if (!is_key_possessed(key_ref)) { 641 ret = -EACCES; 642 goto error2; 643 } 644 645 /* the key is probably readable - now try to read it */ 646 can_read_key: 647 ret = key_validate(key); 648 if (ret == 0) { 649 ret = -EOPNOTSUPP; 650 if (key->type->read) { 651 /* read the data with the semaphore held (since we 652 * might sleep) */ 653 down_read(&key->sem); 654 ret = key->type->read(key, buffer, buflen); 655 up_read(&key->sem); 656 } 657 } 658 659 error2: 660 key_put(key); 661 error: 662 return ret; 663 664 } /* end keyctl_read_key() */ 665 666 /*****************************************************************************/ 667 /* 668 * change the ownership of a key 669 * - the keyring owned by the changer 670 * - if the uid or gid is -1, then that parameter is not changed 671 * - implements keyctl(KEYCTL_CHOWN) 672 */ 673 long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 674 { 675 struct key *key; 676 key_ref_t key_ref; 677 long ret; 678 679 ret = 0; 680 if (uid == (uid_t) -1 && gid == (gid_t) -1) 681 goto error; 682 683 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 684 if (IS_ERR(key_ref)) { 685 ret = PTR_ERR(key_ref); 686 goto error; 687 } 688 689 key = key_ref_to_ptr(key_ref); 690 691 /* make the changes with the locks held to prevent chown/chown races */ 692 ret = -EACCES; 693 down_write(&key->sem); 694 695 if (!capable(CAP_SYS_ADMIN)) { 696 /* only the sysadmin can chown a key to some other UID */ 697 if (uid != (uid_t) -1 && key->uid != uid) 698 goto no_access; 699 700 /* only the sysadmin can set the key's GID to a group other 701 * than one of those that the current process subscribes to */ 702 if (gid != (gid_t) -1 && gid != key->gid && !in_group_p(gid)) 703 goto no_access; 704 } 705 706 /* change the UID (have to update the quotas) */ 707 if (uid != (uid_t) -1 && uid != key->uid) { 708 /* don't support UID changing yet */ 709 ret = -EOPNOTSUPP; 710 goto no_access; 711 } 712 713 /* change the GID */ 714 if (gid != (gid_t) -1) 715 key->gid = gid; 716 717 ret = 0; 718 719 no_access: 720 up_write(&key->sem); 721 key_put(key); 722 error: 723 return ret; 724 725 } /* end keyctl_chown_key() */ 726 727 /*****************************************************************************/ 728 /* 729 * change the permission mask on a key 730 * - the keyring owned by the changer 731 * - implements keyctl(KEYCTL_SETPERM) 732 */ 733 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 734 { 735 struct key *key; 736 key_ref_t key_ref; 737 long ret; 738 739 ret = -EINVAL; 740 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 741 goto error; 742 743 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 744 if (IS_ERR(key_ref)) { 745 ret = PTR_ERR(key_ref); 746 goto error; 747 } 748 749 key = key_ref_to_ptr(key_ref); 750 751 /* make the changes with the locks held to prevent chown/chmod races */ 752 ret = -EACCES; 753 down_write(&key->sem); 754 755 /* if we're not the sysadmin, we can only change a key that we own */ 756 if (capable(CAP_SYS_ADMIN) || key->uid == current->fsuid) { 757 key->perm = perm; 758 ret = 0; 759 } 760 761 up_write(&key->sem); 762 key_put(key); 763 error: 764 return ret; 765 766 } /* end keyctl_setperm_key() */ 767 768 /*****************************************************************************/ 769 /* 770 * instantiate the key with the specified payload, and, if one is given, link 771 * the key into the keyring 772 */ 773 long keyctl_instantiate_key(key_serial_t id, 774 const void __user *_payload, 775 size_t plen, 776 key_serial_t ringid) 777 { 778 struct request_key_auth *rka; 779 struct key *instkey; 780 key_ref_t keyring_ref; 781 void *payload; 782 long ret; 783 784 ret = -EINVAL; 785 if (plen > 32767) 786 goto error; 787 788 /* the appropriate instantiation authorisation key must have been 789 * assumed before calling this */ 790 ret = -EPERM; 791 instkey = current->request_key_auth; 792 if (!instkey) 793 goto error; 794 795 rka = instkey->payload.data; 796 if (rka->target_key->serial != id) 797 goto error; 798 799 /* pull the payload in if one was supplied */ 800 payload = NULL; 801 802 if (_payload) { 803 ret = -ENOMEM; 804 payload = kmalloc(plen, GFP_KERNEL); 805 if (!payload) 806 goto error; 807 808 ret = -EFAULT; 809 if (copy_from_user(payload, _payload, plen) != 0) 810 goto error2; 811 } 812 813 /* find the destination keyring amongst those belonging to the 814 * requesting task */ 815 keyring_ref = NULL; 816 if (ringid) { 817 keyring_ref = lookup_user_key(rka->context, ringid, 1, 0, 818 KEY_WRITE); 819 if (IS_ERR(keyring_ref)) { 820 ret = PTR_ERR(keyring_ref); 821 goto error2; 822 } 823 } 824 825 /* instantiate the key and link it into a keyring */ 826 ret = key_instantiate_and_link(rka->target_key, payload, plen, 827 key_ref_to_ptr(keyring_ref), instkey); 828 829 key_ref_put(keyring_ref); 830 831 /* discard the assumed authority if it's just been disabled by 832 * instantiation of the key */ 833 if (ret == 0) { 834 key_put(current->request_key_auth); 835 current->request_key_auth = NULL; 836 } 837 838 error2: 839 kfree(payload); 840 error: 841 return ret; 842 843 } /* end keyctl_instantiate_key() */ 844 845 /*****************************************************************************/ 846 /* 847 * negatively instantiate the key with the given timeout (in seconds), and, if 848 * one is given, link the key into the keyring 849 */ 850 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 851 { 852 struct request_key_auth *rka; 853 struct key *instkey; 854 key_ref_t keyring_ref; 855 long ret; 856 857 /* the appropriate instantiation authorisation key must have been 858 * assumed before calling this */ 859 ret = -EPERM; 860 instkey = current->request_key_auth; 861 if (!instkey) 862 goto error; 863 864 rka = instkey->payload.data; 865 if (rka->target_key->serial != id) 866 goto error; 867 868 /* find the destination keyring if present (which must also be 869 * writable) */ 870 keyring_ref = NULL; 871 if (ringid) { 872 keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); 873 if (IS_ERR(keyring_ref)) { 874 ret = PTR_ERR(keyring_ref); 875 goto error; 876 } 877 } 878 879 /* instantiate the key and link it into a keyring */ 880 ret = key_negate_and_link(rka->target_key, timeout, 881 key_ref_to_ptr(keyring_ref), instkey); 882 883 key_ref_put(keyring_ref); 884 885 /* discard the assumed authority if it's just been disabled by 886 * instantiation of the key */ 887 if (ret == 0) { 888 key_put(current->request_key_auth); 889 current->request_key_auth = NULL; 890 } 891 892 error: 893 return ret; 894 895 } /* end keyctl_negate_key() */ 896 897 /*****************************************************************************/ 898 /* 899 * set the default keyring in which request_key() will cache keys 900 * - return the old setting 901 */ 902 long keyctl_set_reqkey_keyring(int reqkey_defl) 903 { 904 int ret; 905 906 switch (reqkey_defl) { 907 case KEY_REQKEY_DEFL_THREAD_KEYRING: 908 ret = install_thread_keyring(current); 909 if (ret < 0) 910 return ret; 911 goto set; 912 913 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 914 ret = install_process_keyring(current); 915 if (ret < 0) 916 return ret; 917 918 case KEY_REQKEY_DEFL_DEFAULT: 919 case KEY_REQKEY_DEFL_SESSION_KEYRING: 920 case KEY_REQKEY_DEFL_USER_KEYRING: 921 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 922 set: 923 current->jit_keyring = reqkey_defl; 924 925 case KEY_REQKEY_DEFL_NO_CHANGE: 926 return current->jit_keyring; 927 928 case KEY_REQKEY_DEFL_GROUP_KEYRING: 929 default: 930 return -EINVAL; 931 } 932 933 } /* end keyctl_set_reqkey_keyring() */ 934 935 /*****************************************************************************/ 936 /* 937 * set or clear the timeout for a key 938 */ 939 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 940 { 941 struct timespec now; 942 struct key *key; 943 key_ref_t key_ref; 944 time_t expiry; 945 long ret; 946 947 key_ref = lookup_user_key(NULL, id, 1, 1, KEY_SETATTR); 948 if (IS_ERR(key_ref)) { 949 ret = PTR_ERR(key_ref); 950 goto error; 951 } 952 953 key = key_ref_to_ptr(key_ref); 954 955 /* make the changes with the locks held to prevent races */ 956 down_write(&key->sem); 957 958 expiry = 0; 959 if (timeout > 0) { 960 now = current_kernel_time(); 961 expiry = now.tv_sec + timeout; 962 } 963 964 key->expiry = expiry; 965 966 up_write(&key->sem); 967 key_put(key); 968 969 ret = 0; 970 error: 971 return ret; 972 973 } /* end keyctl_set_timeout() */ 974 975 /*****************************************************************************/ 976 /* 977 * assume the authority to instantiate the specified key 978 */ 979 long keyctl_assume_authority(key_serial_t id) 980 { 981 struct key *authkey; 982 long ret; 983 984 /* special key IDs aren't permitted */ 985 ret = -EINVAL; 986 if (id < 0) 987 goto error; 988 989 /* we divest ourselves of authority if given an ID of 0 */ 990 if (id == 0) { 991 key_put(current->request_key_auth); 992 current->request_key_auth = NULL; 993 ret = 0; 994 goto error; 995 } 996 997 /* attempt to assume the authority temporarily granted to us whilst we 998 * instantiate the specified key 999 * - the authorisation key must be in the current task's keyrings 1000 * somewhere 1001 */ 1002 authkey = key_get_instantiation_authkey(id); 1003 if (IS_ERR(authkey)) { 1004 ret = PTR_ERR(authkey); 1005 goto error; 1006 } 1007 1008 key_put(current->request_key_auth); 1009 current->request_key_auth = authkey; 1010 ret = authkey->serial; 1011 1012 error: 1013 return ret; 1014 1015 } /* end keyctl_assume_authority() */ 1016 1017 /*****************************************************************************/ 1018 /* 1019 * the key control system call 1020 */ 1021 asmlinkage long sys_keyctl(int option, unsigned long arg2, unsigned long arg3, 1022 unsigned long arg4, unsigned long arg5) 1023 { 1024 switch (option) { 1025 case KEYCTL_GET_KEYRING_ID: 1026 return keyctl_get_keyring_ID((key_serial_t) arg2, 1027 (int) arg3); 1028 1029 case KEYCTL_JOIN_SESSION_KEYRING: 1030 return keyctl_join_session_keyring((const char __user *) arg2); 1031 1032 case KEYCTL_UPDATE: 1033 return keyctl_update_key((key_serial_t) arg2, 1034 (const void __user *) arg3, 1035 (size_t) arg4); 1036 1037 case KEYCTL_REVOKE: 1038 return keyctl_revoke_key((key_serial_t) arg2); 1039 1040 case KEYCTL_DESCRIBE: 1041 return keyctl_describe_key((key_serial_t) arg2, 1042 (char __user *) arg3, 1043 (unsigned) arg4); 1044 1045 case KEYCTL_CLEAR: 1046 return keyctl_keyring_clear((key_serial_t) arg2); 1047 1048 case KEYCTL_LINK: 1049 return keyctl_keyring_link((key_serial_t) arg2, 1050 (key_serial_t) arg3); 1051 1052 case KEYCTL_UNLINK: 1053 return keyctl_keyring_unlink((key_serial_t) arg2, 1054 (key_serial_t) arg3); 1055 1056 case KEYCTL_SEARCH: 1057 return keyctl_keyring_search((key_serial_t) arg2, 1058 (const char __user *) arg3, 1059 (const char __user *) arg4, 1060 (key_serial_t) arg5); 1061 1062 case KEYCTL_READ: 1063 return keyctl_read_key((key_serial_t) arg2, 1064 (char __user *) arg3, 1065 (size_t) arg4); 1066 1067 case KEYCTL_CHOWN: 1068 return keyctl_chown_key((key_serial_t) arg2, 1069 (uid_t) arg3, 1070 (gid_t) arg4); 1071 1072 case KEYCTL_SETPERM: 1073 return keyctl_setperm_key((key_serial_t) arg2, 1074 (key_perm_t) arg3); 1075 1076 case KEYCTL_INSTANTIATE: 1077 return keyctl_instantiate_key((key_serial_t) arg2, 1078 (const void __user *) arg3, 1079 (size_t) arg4, 1080 (key_serial_t) arg5); 1081 1082 case KEYCTL_NEGATE: 1083 return keyctl_negate_key((key_serial_t) arg2, 1084 (unsigned) arg3, 1085 (key_serial_t) arg4); 1086 1087 case KEYCTL_SET_REQKEY_KEYRING: 1088 return keyctl_set_reqkey_keyring(arg2); 1089 1090 case KEYCTL_SET_TIMEOUT: 1091 return keyctl_set_timeout((key_serial_t) arg2, 1092 (unsigned) arg3); 1093 1094 case KEYCTL_ASSUME_AUTHORITY: 1095 return keyctl_assume_authority((key_serial_t) arg2); 1096 1097 default: 1098 return -EOPNOTSUPP; 1099 } 1100 1101 } /* end sys_keyctl() */ 1102