1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Userspace key control operations 3 * 4 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/init.h> 9 #include <linux/sched.h> 10 #include <linux/sched/task.h> 11 #include <linux/slab.h> 12 #include <linux/syscalls.h> 13 #include <linux/key.h> 14 #include <linux/keyctl.h> 15 #include <linux/fs.h> 16 #include <linux/capability.h> 17 #include <linux/cred.h> 18 #include <linux/string.h> 19 #include <linux/err.h> 20 #include <linux/vmalloc.h> 21 #include <linux/security.h> 22 #include <linux/uio.h> 23 #include <linux/uaccess.h> 24 #include <keys/request_key_auth-type.h> 25 #include "internal.h" 26 27 #define KEY_MAX_DESC_SIZE 4096 28 29 static const unsigned char keyrings_capabilities[2] = { 30 [0] = (KEYCTL_CAPS0_CAPABILITIES | 31 (IS_ENABLED(CONFIG_PERSISTENT_KEYRINGS) ? KEYCTL_CAPS0_PERSISTENT_KEYRINGS : 0) | 32 (IS_ENABLED(CONFIG_KEY_DH_OPERATIONS) ? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) | 33 (IS_ENABLED(CONFIG_ASYMMETRIC_KEY_TYPE) ? KEYCTL_CAPS0_PUBLIC_KEY : 0) | 34 (IS_ENABLED(CONFIG_BIG_KEYS) ? KEYCTL_CAPS0_BIG_KEY : 0) | 35 KEYCTL_CAPS0_INVALIDATE | 36 KEYCTL_CAPS0_RESTRICT_KEYRING | 37 KEYCTL_CAPS0_MOVE 38 ), 39 [1] = (KEYCTL_CAPS1_NS_KEYRING_NAME | 40 KEYCTL_CAPS1_NS_KEY_TAG | 41 (IS_ENABLED(CONFIG_KEY_NOTIFICATIONS) ? KEYCTL_CAPS1_NOTIFICATIONS : 0) 42 ), 43 }; 44 45 static int key_get_type_from_user(char *type, 46 const char __user *_type, 47 unsigned len) 48 { 49 int ret; 50 51 ret = strncpy_from_user(type, _type, len); 52 if (ret < 0) 53 return ret; 54 if (ret == 0 || ret >= len) 55 return -EINVAL; 56 if (type[0] == '.') 57 return -EPERM; 58 type[len - 1] = '\0'; 59 return 0; 60 } 61 62 /* 63 * Extract the description of a new key from userspace and either add it as a 64 * new key to the specified keyring or update a matching key in that keyring. 65 * 66 * If the description is NULL or an empty string, the key type is asked to 67 * generate one from the payload. 68 * 69 * The keyring must be writable so that we can attach the key to it. 70 * 71 * If successful, the new key's serial number is returned, otherwise an error 72 * code is returned. 73 */ 74 SYSCALL_DEFINE5(add_key, const char __user *, _type, 75 const char __user *, _description, 76 const void __user *, _payload, 77 size_t, plen, 78 key_serial_t, ringid) 79 { 80 key_ref_t keyring_ref, key_ref; 81 char type[32], *description; 82 void *payload; 83 long ret; 84 85 ret = -EINVAL; 86 if (plen > 1024 * 1024 - 1) 87 goto error; 88 89 /* draw all the data into kernel space */ 90 ret = key_get_type_from_user(type, _type, sizeof(type)); 91 if (ret < 0) 92 goto error; 93 94 description = NULL; 95 if (_description) { 96 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 97 if (IS_ERR(description)) { 98 ret = PTR_ERR(description); 99 goto error; 100 } 101 if (!*description) { 102 kfree(description); 103 description = NULL; 104 } else if ((description[0] == '.') && 105 (strncmp(type, "keyring", 7) == 0)) { 106 ret = -EPERM; 107 goto error2; 108 } 109 } 110 111 /* pull the payload in if one was supplied */ 112 payload = NULL; 113 114 if (plen) { 115 ret = -ENOMEM; 116 payload = kvmalloc(plen, GFP_KERNEL); 117 if (!payload) 118 goto error2; 119 120 ret = -EFAULT; 121 if (copy_from_user(payload, _payload, plen) != 0) 122 goto error3; 123 } 124 125 /* find the target keyring (which must be writable) */ 126 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 127 if (IS_ERR(keyring_ref)) { 128 ret = PTR_ERR(keyring_ref); 129 goto error3; 130 } 131 132 /* create or update the requested key and add it to the target 133 * keyring */ 134 key_ref = key_create_or_update(keyring_ref, type, description, 135 payload, plen, KEY_PERM_UNDEF, 136 KEY_ALLOC_IN_QUOTA); 137 if (!IS_ERR(key_ref)) { 138 ret = key_ref_to_ptr(key_ref)->serial; 139 key_ref_put(key_ref); 140 } 141 else { 142 ret = PTR_ERR(key_ref); 143 } 144 145 key_ref_put(keyring_ref); 146 error3: 147 if (payload) { 148 memzero_explicit(payload, plen); 149 kvfree(payload); 150 } 151 error2: 152 kfree(description); 153 error: 154 return ret; 155 } 156 157 /* 158 * Search the process keyrings and keyring trees linked from those for a 159 * matching key. Keyrings must have appropriate Search permission to be 160 * searched. 161 * 162 * If a key is found, it will be attached to the destination keyring if there's 163 * one specified and the serial number of the key will be returned. 164 * 165 * If no key is found, /sbin/request-key will be invoked if _callout_info is 166 * non-NULL in an attempt to create a key. The _callout_info string will be 167 * passed to /sbin/request-key to aid with completing the request. If the 168 * _callout_info string is "" then it will be changed to "-". 169 */ 170 SYSCALL_DEFINE4(request_key, const char __user *, _type, 171 const char __user *, _description, 172 const char __user *, _callout_info, 173 key_serial_t, destringid) 174 { 175 struct key_type *ktype; 176 struct key *key; 177 key_ref_t dest_ref; 178 size_t callout_len; 179 char type[32], *description, *callout_info; 180 long ret; 181 182 /* pull the type into kernel space */ 183 ret = key_get_type_from_user(type, _type, sizeof(type)); 184 if (ret < 0) 185 goto error; 186 187 /* pull the description into kernel space */ 188 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 189 if (IS_ERR(description)) { 190 ret = PTR_ERR(description); 191 goto error; 192 } 193 194 /* pull the callout info into kernel space */ 195 callout_info = NULL; 196 callout_len = 0; 197 if (_callout_info) { 198 callout_info = strndup_user(_callout_info, PAGE_SIZE); 199 if (IS_ERR(callout_info)) { 200 ret = PTR_ERR(callout_info); 201 goto error2; 202 } 203 callout_len = strlen(callout_info); 204 } 205 206 /* get the destination keyring if specified */ 207 dest_ref = NULL; 208 if (destringid) { 209 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 210 KEY_NEED_WRITE); 211 if (IS_ERR(dest_ref)) { 212 ret = PTR_ERR(dest_ref); 213 goto error3; 214 } 215 } 216 217 /* find the key type */ 218 ktype = key_type_lookup(type); 219 if (IS_ERR(ktype)) { 220 ret = PTR_ERR(ktype); 221 goto error4; 222 } 223 224 /* do the search */ 225 key = request_key_and_link(ktype, description, NULL, callout_info, 226 callout_len, NULL, key_ref_to_ptr(dest_ref), 227 KEY_ALLOC_IN_QUOTA); 228 if (IS_ERR(key)) { 229 ret = PTR_ERR(key); 230 goto error5; 231 } 232 233 /* wait for the key to finish being constructed */ 234 ret = wait_for_key_construction(key, 1); 235 if (ret < 0) 236 goto error6; 237 238 ret = key->serial; 239 240 error6: 241 key_put(key); 242 error5: 243 key_type_put(ktype); 244 error4: 245 key_ref_put(dest_ref); 246 error3: 247 kfree(callout_info); 248 error2: 249 kfree(description); 250 error: 251 return ret; 252 } 253 254 /* 255 * Get the ID of the specified process keyring. 256 * 257 * The requested keyring must have search permission to be found. 258 * 259 * If successful, the ID of the requested keyring will be returned. 260 */ 261 long keyctl_get_keyring_ID(key_serial_t id, int create) 262 { 263 key_ref_t key_ref; 264 unsigned long lflags; 265 long ret; 266 267 lflags = create ? KEY_LOOKUP_CREATE : 0; 268 key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH); 269 if (IS_ERR(key_ref)) { 270 ret = PTR_ERR(key_ref); 271 goto error; 272 } 273 274 ret = key_ref_to_ptr(key_ref)->serial; 275 key_ref_put(key_ref); 276 error: 277 return ret; 278 } 279 280 /* 281 * Join a (named) session keyring. 282 * 283 * Create and join an anonymous session keyring or join a named session 284 * keyring, creating it if necessary. A named session keyring must have Search 285 * permission for it to be joined. Session keyrings without this permit will 286 * be skipped over. It is not permitted for userspace to create or join 287 * keyrings whose name begin with a dot. 288 * 289 * If successful, the ID of the joined session keyring will be returned. 290 */ 291 long keyctl_join_session_keyring(const char __user *_name) 292 { 293 char *name; 294 long ret; 295 296 /* fetch the name from userspace */ 297 name = NULL; 298 if (_name) { 299 name = strndup_user(_name, KEY_MAX_DESC_SIZE); 300 if (IS_ERR(name)) { 301 ret = PTR_ERR(name); 302 goto error; 303 } 304 305 ret = -EPERM; 306 if (name[0] == '.') 307 goto error_name; 308 } 309 310 /* join the session */ 311 ret = join_session_keyring(name); 312 error_name: 313 kfree(name); 314 error: 315 return ret; 316 } 317 318 /* 319 * Update a key's data payload from the given data. 320 * 321 * The key must grant the caller Write permission and the key type must support 322 * updating for this to work. A negative key can be positively instantiated 323 * with this call. 324 * 325 * If successful, 0 will be returned. If the key type does not support 326 * updating, then -EOPNOTSUPP will be returned. 327 */ 328 long keyctl_update_key(key_serial_t id, 329 const void __user *_payload, 330 size_t plen) 331 { 332 key_ref_t key_ref; 333 void *payload; 334 long ret; 335 336 ret = -EINVAL; 337 if (plen > PAGE_SIZE) 338 goto error; 339 340 /* pull the payload in if one was supplied */ 341 payload = NULL; 342 if (plen) { 343 ret = -ENOMEM; 344 payload = kvmalloc(plen, GFP_KERNEL); 345 if (!payload) 346 goto error; 347 348 ret = -EFAULT; 349 if (copy_from_user(payload, _payload, plen) != 0) 350 goto error2; 351 } 352 353 /* find the target key (which must be writable) */ 354 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 355 if (IS_ERR(key_ref)) { 356 ret = PTR_ERR(key_ref); 357 goto error2; 358 } 359 360 /* update the key */ 361 ret = key_update(key_ref, payload, plen); 362 363 key_ref_put(key_ref); 364 error2: 365 __kvzfree(payload, plen); 366 error: 367 return ret; 368 } 369 370 /* 371 * Revoke a key. 372 * 373 * The key must be grant the caller Write or Setattr permission for this to 374 * work. The key type should give up its quota claim when revoked. The key 375 * and any links to the key will be automatically garbage collected after a 376 * certain amount of time (/proc/sys/kernel/keys/gc_delay). 377 * 378 * Keys with KEY_FLAG_KEEP set should not be revoked. 379 * 380 * If successful, 0 is returned. 381 */ 382 long keyctl_revoke_key(key_serial_t id) 383 { 384 key_ref_t key_ref; 385 struct key *key; 386 long ret; 387 388 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 389 if (IS_ERR(key_ref)) { 390 ret = PTR_ERR(key_ref); 391 if (ret != -EACCES) 392 goto error; 393 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 394 if (IS_ERR(key_ref)) { 395 ret = PTR_ERR(key_ref); 396 goto error; 397 } 398 } 399 400 key = key_ref_to_ptr(key_ref); 401 ret = 0; 402 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 403 ret = -EPERM; 404 else 405 key_revoke(key); 406 407 key_ref_put(key_ref); 408 error: 409 return ret; 410 } 411 412 /* 413 * Invalidate a key. 414 * 415 * The key must be grant the caller Invalidate permission for this to work. 416 * The key and any links to the key will be automatically garbage collected 417 * immediately. 418 * 419 * Keys with KEY_FLAG_KEEP set should not be invalidated. 420 * 421 * If successful, 0 is returned. 422 */ 423 long keyctl_invalidate_key(key_serial_t id) 424 { 425 key_ref_t key_ref; 426 struct key *key; 427 long ret; 428 429 kenter("%d", id); 430 431 key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); 432 if (IS_ERR(key_ref)) { 433 ret = PTR_ERR(key_ref); 434 435 /* Root is permitted to invalidate certain special keys */ 436 if (capable(CAP_SYS_ADMIN)) { 437 key_ref = lookup_user_key(id, 0, 0); 438 if (IS_ERR(key_ref)) 439 goto error; 440 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, 441 &key_ref_to_ptr(key_ref)->flags)) 442 goto invalidate; 443 goto error_put; 444 } 445 446 goto error; 447 } 448 449 invalidate: 450 key = key_ref_to_ptr(key_ref); 451 ret = 0; 452 if (test_bit(KEY_FLAG_KEEP, &key->flags)) 453 ret = -EPERM; 454 else 455 key_invalidate(key); 456 error_put: 457 key_ref_put(key_ref); 458 error: 459 kleave(" = %ld", ret); 460 return ret; 461 } 462 463 /* 464 * Clear the specified keyring, creating an empty process keyring if one of the 465 * special keyring IDs is used. 466 * 467 * The keyring must grant the caller Write permission and not have 468 * KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned. 469 */ 470 long keyctl_keyring_clear(key_serial_t ringid) 471 { 472 key_ref_t keyring_ref; 473 struct key *keyring; 474 long ret; 475 476 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 477 if (IS_ERR(keyring_ref)) { 478 ret = PTR_ERR(keyring_ref); 479 480 /* Root is permitted to invalidate certain special keyrings */ 481 if (capable(CAP_SYS_ADMIN)) { 482 keyring_ref = lookup_user_key(ringid, 0, 0); 483 if (IS_ERR(keyring_ref)) 484 goto error; 485 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, 486 &key_ref_to_ptr(keyring_ref)->flags)) 487 goto clear; 488 goto error_put; 489 } 490 491 goto error; 492 } 493 494 clear: 495 keyring = key_ref_to_ptr(keyring_ref); 496 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 497 ret = -EPERM; 498 else 499 ret = keyring_clear(keyring); 500 error_put: 501 key_ref_put(keyring_ref); 502 error: 503 return ret; 504 } 505 506 /* 507 * Create a link from a keyring to a key if there's no matching key in the 508 * keyring, otherwise replace the link to the matching key with a link to the 509 * new key. 510 * 511 * The key must grant the caller Link permission and the the keyring must grant 512 * the caller Write permission. Furthermore, if an additional link is created, 513 * the keyring's quota will be extended. 514 * 515 * If successful, 0 will be returned. 516 */ 517 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 518 { 519 key_ref_t keyring_ref, key_ref; 520 long ret; 521 522 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 523 if (IS_ERR(keyring_ref)) { 524 ret = PTR_ERR(keyring_ref); 525 goto error; 526 } 527 528 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 529 if (IS_ERR(key_ref)) { 530 ret = PTR_ERR(key_ref); 531 goto error2; 532 } 533 534 ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 535 536 key_ref_put(key_ref); 537 error2: 538 key_ref_put(keyring_ref); 539 error: 540 return ret; 541 } 542 543 /* 544 * Unlink a key from a keyring. 545 * 546 * The keyring must grant the caller Write permission for this to work; the key 547 * itself need not grant the caller anything. If the last link to a key is 548 * removed then that key will be scheduled for destruction. 549 * 550 * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. 551 * 552 * If successful, 0 will be returned. 553 */ 554 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 555 { 556 key_ref_t keyring_ref, key_ref; 557 struct key *keyring, *key; 558 long ret; 559 560 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); 561 if (IS_ERR(keyring_ref)) { 562 ret = PTR_ERR(keyring_ref); 563 goto error; 564 } 565 566 key_ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0); 567 if (IS_ERR(key_ref)) { 568 ret = PTR_ERR(key_ref); 569 goto error2; 570 } 571 572 keyring = key_ref_to_ptr(keyring_ref); 573 key = key_ref_to_ptr(key_ref); 574 if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && 575 test_bit(KEY_FLAG_KEEP, &key->flags)) 576 ret = -EPERM; 577 else 578 ret = key_unlink(keyring, key); 579 580 key_ref_put(key_ref); 581 error2: 582 key_ref_put(keyring_ref); 583 error: 584 return ret; 585 } 586 587 /* 588 * Move a link to a key from one keyring to another, displacing any matching 589 * key from the destination keyring. 590 * 591 * The key must grant the caller Link permission and both keyrings must grant 592 * the caller Write permission. There must also be a link in the from keyring 593 * to the key. If both keyrings are the same, nothing is done. 594 * 595 * If successful, 0 will be returned. 596 */ 597 long keyctl_keyring_move(key_serial_t id, key_serial_t from_ringid, 598 key_serial_t to_ringid, unsigned int flags) 599 { 600 key_ref_t key_ref, from_ref, to_ref; 601 long ret; 602 603 if (flags & ~KEYCTL_MOVE_EXCL) 604 return -EINVAL; 605 606 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK); 607 if (IS_ERR(key_ref)) 608 return PTR_ERR(key_ref); 609 610 from_ref = lookup_user_key(from_ringid, 0, KEY_NEED_WRITE); 611 if (IS_ERR(from_ref)) { 612 ret = PTR_ERR(from_ref); 613 goto error2; 614 } 615 616 to_ref = lookup_user_key(to_ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 617 if (IS_ERR(to_ref)) { 618 ret = PTR_ERR(to_ref); 619 goto error3; 620 } 621 622 ret = key_move(key_ref_to_ptr(key_ref), key_ref_to_ptr(from_ref), 623 key_ref_to_ptr(to_ref), flags); 624 625 key_ref_put(to_ref); 626 error3: 627 key_ref_put(from_ref); 628 error2: 629 key_ref_put(key_ref); 630 return ret; 631 } 632 633 /* 634 * Return a description of a key to userspace. 635 * 636 * The key must grant the caller View permission for this to work. 637 * 638 * If there's a buffer, we place up to buflen bytes of data into it formatted 639 * in the following way: 640 * 641 * type;uid;gid;perm;description<NUL> 642 * 643 * If successful, we return the amount of description available, irrespective 644 * of how much we may have copied into the buffer. 645 */ 646 long keyctl_describe_key(key_serial_t keyid, 647 char __user *buffer, 648 size_t buflen) 649 { 650 struct key *key, *instkey; 651 key_ref_t key_ref; 652 char *infobuf; 653 long ret; 654 int desclen, infolen; 655 656 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 657 if (IS_ERR(key_ref)) { 658 /* viewing a key under construction is permitted if we have the 659 * authorisation token handy */ 660 if (PTR_ERR(key_ref) == -EACCES) { 661 instkey = key_get_instantiation_authkey(keyid); 662 if (!IS_ERR(instkey)) { 663 key_put(instkey); 664 key_ref = lookup_user_key(keyid, 665 KEY_LOOKUP_PARTIAL, 666 0); 667 if (!IS_ERR(key_ref)) 668 goto okay; 669 } 670 } 671 672 ret = PTR_ERR(key_ref); 673 goto error; 674 } 675 676 okay: 677 key = key_ref_to_ptr(key_ref); 678 desclen = strlen(key->description); 679 680 /* calculate how much information we're going to return */ 681 ret = -ENOMEM; 682 infobuf = kasprintf(GFP_KERNEL, 683 "%s;%d;%d;%08x;", 684 key->type->name, 685 from_kuid_munged(current_user_ns(), key->uid), 686 from_kgid_munged(current_user_ns(), key->gid), 687 key->perm); 688 if (!infobuf) 689 goto error2; 690 infolen = strlen(infobuf); 691 ret = infolen + desclen + 1; 692 693 /* consider returning the data */ 694 if (buffer && buflen >= ret) { 695 if (copy_to_user(buffer, infobuf, infolen) != 0 || 696 copy_to_user(buffer + infolen, key->description, 697 desclen + 1) != 0) 698 ret = -EFAULT; 699 } 700 701 kfree(infobuf); 702 error2: 703 key_ref_put(key_ref); 704 error: 705 return ret; 706 } 707 708 /* 709 * Search the specified keyring and any keyrings it links to for a matching 710 * key. Only keyrings that grant the caller Search permission will be searched 711 * (this includes the starting keyring). Only keys with Search permission can 712 * be found. 713 * 714 * If successful, the found key will be linked to the destination keyring if 715 * supplied and the key has Link permission, and the found key ID will be 716 * returned. 717 */ 718 long keyctl_keyring_search(key_serial_t ringid, 719 const char __user *_type, 720 const char __user *_description, 721 key_serial_t destringid) 722 { 723 struct key_type *ktype; 724 key_ref_t keyring_ref, key_ref, dest_ref; 725 char type[32], *description; 726 long ret; 727 728 /* pull the type and description into kernel space */ 729 ret = key_get_type_from_user(type, _type, sizeof(type)); 730 if (ret < 0) 731 goto error; 732 733 description = strndup_user(_description, KEY_MAX_DESC_SIZE); 734 if (IS_ERR(description)) { 735 ret = PTR_ERR(description); 736 goto error; 737 } 738 739 /* get the keyring at which to begin the search */ 740 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH); 741 if (IS_ERR(keyring_ref)) { 742 ret = PTR_ERR(keyring_ref); 743 goto error2; 744 } 745 746 /* get the destination keyring if specified */ 747 dest_ref = NULL; 748 if (destringid) { 749 dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE, 750 KEY_NEED_WRITE); 751 if (IS_ERR(dest_ref)) { 752 ret = PTR_ERR(dest_ref); 753 goto error3; 754 } 755 } 756 757 /* find the key type */ 758 ktype = key_type_lookup(type); 759 if (IS_ERR(ktype)) { 760 ret = PTR_ERR(ktype); 761 goto error4; 762 } 763 764 /* do the search */ 765 key_ref = keyring_search(keyring_ref, ktype, description, true); 766 if (IS_ERR(key_ref)) { 767 ret = PTR_ERR(key_ref); 768 769 /* treat lack or presence of a negative key the same */ 770 if (ret == -EAGAIN) 771 ret = -ENOKEY; 772 goto error5; 773 } 774 775 /* link the resulting key to the destination keyring if we can */ 776 if (dest_ref) { 777 ret = key_permission(key_ref, KEY_NEED_LINK); 778 if (ret < 0) 779 goto error6; 780 781 ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); 782 if (ret < 0) 783 goto error6; 784 } 785 786 ret = key_ref_to_ptr(key_ref)->serial; 787 788 error6: 789 key_ref_put(key_ref); 790 error5: 791 key_type_put(ktype); 792 error4: 793 key_ref_put(dest_ref); 794 error3: 795 key_ref_put(keyring_ref); 796 error2: 797 kfree(description); 798 error: 799 return ret; 800 } 801 802 /* 803 * Call the read method 804 */ 805 static long __keyctl_read_key(struct key *key, char *buffer, size_t buflen) 806 { 807 long ret; 808 809 down_read(&key->sem); 810 ret = key_validate(key); 811 if (ret == 0) 812 ret = key->type->read(key, buffer, buflen); 813 up_read(&key->sem); 814 return ret; 815 } 816 817 /* 818 * Read a key's payload. 819 * 820 * The key must either grant the caller Read permission, or it must grant the 821 * caller Search permission when searched for from the process keyrings. 822 * 823 * If successful, we place up to buflen bytes of data into the buffer, if one 824 * is provided, and return the amount of data that is available in the key, 825 * irrespective of how much we copied into the buffer. 826 */ 827 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 828 { 829 struct key *key; 830 key_ref_t key_ref; 831 long ret; 832 char *key_data = NULL; 833 size_t key_data_len; 834 835 /* find the key first */ 836 key_ref = lookup_user_key(keyid, 0, 0); 837 if (IS_ERR(key_ref)) { 838 ret = -ENOKEY; 839 goto out; 840 } 841 842 key = key_ref_to_ptr(key_ref); 843 844 ret = key_read_state(key); 845 if (ret < 0) 846 goto key_put_out; /* Negatively instantiated */ 847 848 /* see if we can read it directly */ 849 ret = key_permission(key_ref, KEY_NEED_READ); 850 if (ret == 0) 851 goto can_read_key; 852 if (ret != -EACCES) 853 goto key_put_out; 854 855 /* we can't; see if it's searchable from this process's keyrings 856 * - we automatically take account of the fact that it may be 857 * dangling off an instantiation key 858 */ 859 if (!is_key_possessed(key_ref)) { 860 ret = -EACCES; 861 goto key_put_out; 862 } 863 864 /* the key is probably readable - now try to read it */ 865 can_read_key: 866 if (!key->type->read) { 867 ret = -EOPNOTSUPP; 868 goto key_put_out; 869 } 870 871 if (!buffer || !buflen) { 872 /* Get the key length from the read method */ 873 ret = __keyctl_read_key(key, NULL, 0); 874 goto key_put_out; 875 } 876 877 /* 878 * Read the data with the semaphore held (since we might sleep) 879 * to protect against the key being updated or revoked. 880 * 881 * Allocating a temporary buffer to hold the keys before 882 * transferring them to user buffer to avoid potential 883 * deadlock involving page fault and mmap_sem. 884 * 885 * key_data_len = (buflen <= PAGE_SIZE) 886 * ? buflen : actual length of key data 887 * 888 * This prevents allocating arbitrary large buffer which can 889 * be much larger than the actual key length. In the latter case, 890 * at least 2 passes of this loop is required. 891 */ 892 key_data_len = (buflen <= PAGE_SIZE) ? buflen : 0; 893 for (;;) { 894 if (key_data_len) { 895 key_data = kvmalloc(key_data_len, GFP_KERNEL); 896 if (!key_data) { 897 ret = -ENOMEM; 898 goto key_put_out; 899 } 900 } 901 902 ret = __keyctl_read_key(key, key_data, key_data_len); 903 904 /* 905 * Read methods will just return the required length without 906 * any copying if the provided length isn't large enough. 907 */ 908 if (ret <= 0 || ret > buflen) 909 break; 910 911 /* 912 * The key may change (unlikely) in between 2 consecutive 913 * __keyctl_read_key() calls. In this case, we reallocate 914 * a larger buffer and redo the key read when 915 * key_data_len < ret <= buflen. 916 */ 917 if (ret > key_data_len) { 918 if (unlikely(key_data)) 919 __kvzfree(key_data, key_data_len); 920 key_data_len = ret; 921 continue; /* Allocate buffer */ 922 } 923 924 if (copy_to_user(buffer, key_data, ret)) 925 ret = -EFAULT; 926 break; 927 } 928 __kvzfree(key_data, key_data_len); 929 930 key_put_out: 931 key_put(key); 932 out: 933 return ret; 934 } 935 936 /* 937 * Change the ownership of a key 938 * 939 * The key must grant the caller Setattr permission for this to work, though 940 * the key need not be fully instantiated yet. For the UID to be changed, or 941 * for the GID to be changed to a group the caller is not a member of, the 942 * caller must have sysadmin capability. If either uid or gid is -1 then that 943 * attribute is not changed. 944 * 945 * If the UID is to be changed, the new user must have sufficient quota to 946 * accept the key. The quota deduction will be removed from the old user to 947 * the new user should the attribute be changed. 948 * 949 * If successful, 0 will be returned. 950 */ 951 long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) 952 { 953 struct key_user *newowner, *zapowner = NULL; 954 struct key *key; 955 key_ref_t key_ref; 956 long ret; 957 kuid_t uid; 958 kgid_t gid; 959 960 uid = make_kuid(current_user_ns(), user); 961 gid = make_kgid(current_user_ns(), group); 962 ret = -EINVAL; 963 if ((user != (uid_t) -1) && !uid_valid(uid)) 964 goto error; 965 if ((group != (gid_t) -1) && !gid_valid(gid)) 966 goto error; 967 968 ret = 0; 969 if (user == (uid_t) -1 && group == (gid_t) -1) 970 goto error; 971 972 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 973 KEY_NEED_SETATTR); 974 if (IS_ERR(key_ref)) { 975 ret = PTR_ERR(key_ref); 976 goto error; 977 } 978 979 key = key_ref_to_ptr(key_ref); 980 981 /* make the changes with the locks held to prevent chown/chown races */ 982 ret = -EACCES; 983 down_write(&key->sem); 984 985 if (!capable(CAP_SYS_ADMIN)) { 986 /* only the sysadmin can chown a key to some other UID */ 987 if (user != (uid_t) -1 && !uid_eq(key->uid, uid)) 988 goto error_put; 989 990 /* only the sysadmin can set the key's GID to a group other 991 * than one of those that the current process subscribes to */ 992 if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid)) 993 goto error_put; 994 } 995 996 /* change the UID */ 997 if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) { 998 ret = -ENOMEM; 999 newowner = key_user_lookup(uid); 1000 if (!newowner) 1001 goto error_put; 1002 1003 /* transfer the quota burden to the new user */ 1004 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 1005 unsigned maxkeys = uid_eq(uid, GLOBAL_ROOT_UID) ? 1006 key_quota_root_maxkeys : key_quota_maxkeys; 1007 unsigned maxbytes = uid_eq(uid, GLOBAL_ROOT_UID) ? 1008 key_quota_root_maxbytes : key_quota_maxbytes; 1009 1010 spin_lock(&newowner->lock); 1011 if (newowner->qnkeys + 1 > maxkeys || 1012 newowner->qnbytes + key->quotalen > maxbytes || 1013 newowner->qnbytes + key->quotalen < 1014 newowner->qnbytes) 1015 goto quota_overrun; 1016 1017 newowner->qnkeys++; 1018 newowner->qnbytes += key->quotalen; 1019 spin_unlock(&newowner->lock); 1020 1021 spin_lock(&key->user->lock); 1022 key->user->qnkeys--; 1023 key->user->qnbytes -= key->quotalen; 1024 spin_unlock(&key->user->lock); 1025 } 1026 1027 atomic_dec(&key->user->nkeys); 1028 atomic_inc(&newowner->nkeys); 1029 1030 if (key->state != KEY_IS_UNINSTANTIATED) { 1031 atomic_dec(&key->user->nikeys); 1032 atomic_inc(&newowner->nikeys); 1033 } 1034 1035 zapowner = key->user; 1036 key->user = newowner; 1037 key->uid = uid; 1038 } 1039 1040 /* change the GID */ 1041 if (group != (gid_t) -1) 1042 key->gid = gid; 1043 1044 notify_key(key, NOTIFY_KEY_SETATTR, 0); 1045 ret = 0; 1046 1047 error_put: 1048 up_write(&key->sem); 1049 key_put(key); 1050 if (zapowner) 1051 key_user_put(zapowner); 1052 error: 1053 return ret; 1054 1055 quota_overrun: 1056 spin_unlock(&newowner->lock); 1057 zapowner = newowner; 1058 ret = -EDQUOT; 1059 goto error_put; 1060 } 1061 1062 /* 1063 * Change the permission mask on a key. 1064 * 1065 * The key must grant the caller Setattr permission for this to work, though 1066 * the key need not be fully instantiated yet. If the caller does not have 1067 * sysadmin capability, it may only change the permission on keys that it owns. 1068 */ 1069 long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 1070 { 1071 struct key *key; 1072 key_ref_t key_ref; 1073 long ret; 1074 1075 ret = -EINVAL; 1076 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 1077 goto error; 1078 1079 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1080 KEY_NEED_SETATTR); 1081 if (IS_ERR(key_ref)) { 1082 ret = PTR_ERR(key_ref); 1083 goto error; 1084 } 1085 1086 key = key_ref_to_ptr(key_ref); 1087 1088 /* make the changes with the locks held to prevent chown/chmod races */ 1089 ret = -EACCES; 1090 down_write(&key->sem); 1091 1092 /* if we're not the sysadmin, we can only change a key that we own */ 1093 if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) { 1094 key->perm = perm; 1095 notify_key(key, NOTIFY_KEY_SETATTR, 0); 1096 ret = 0; 1097 } 1098 1099 up_write(&key->sem); 1100 key_put(key); 1101 error: 1102 return ret; 1103 } 1104 1105 /* 1106 * Get the destination keyring for instantiation and check that the caller has 1107 * Write permission on it. 1108 */ 1109 static long get_instantiation_keyring(key_serial_t ringid, 1110 struct request_key_auth *rka, 1111 struct key **_dest_keyring) 1112 { 1113 key_ref_t dkref; 1114 1115 *_dest_keyring = NULL; 1116 1117 /* just return a NULL pointer if we weren't asked to make a link */ 1118 if (ringid == 0) 1119 return 0; 1120 1121 /* if a specific keyring is nominated by ID, then use that */ 1122 if (ringid > 0) { 1123 dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 1124 if (IS_ERR(dkref)) 1125 return PTR_ERR(dkref); 1126 *_dest_keyring = key_ref_to_ptr(dkref); 1127 return 0; 1128 } 1129 1130 if (ringid == KEY_SPEC_REQKEY_AUTH_KEY) 1131 return -EINVAL; 1132 1133 /* otherwise specify the destination keyring recorded in the 1134 * authorisation key (any KEY_SPEC_*_KEYRING) */ 1135 if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { 1136 *_dest_keyring = key_get(rka->dest_keyring); 1137 return 0; 1138 } 1139 1140 return -ENOKEY; 1141 } 1142 1143 /* 1144 * Change the request_key authorisation key on the current process. 1145 */ 1146 static int keyctl_change_reqkey_auth(struct key *key) 1147 { 1148 struct cred *new; 1149 1150 new = prepare_creds(); 1151 if (!new) 1152 return -ENOMEM; 1153 1154 key_put(new->request_key_auth); 1155 new->request_key_auth = key_get(key); 1156 1157 return commit_creds(new); 1158 } 1159 1160 /* 1161 * Instantiate a key with the specified payload and link the key into the 1162 * destination keyring if one is given. 1163 * 1164 * The caller must have the appropriate instantiation permit set for this to 1165 * work (see keyctl_assume_authority). No other permissions are required. 1166 * 1167 * If successful, 0 will be returned. 1168 */ 1169 long keyctl_instantiate_key_common(key_serial_t id, 1170 struct iov_iter *from, 1171 key_serial_t ringid) 1172 { 1173 const struct cred *cred = current_cred(); 1174 struct request_key_auth *rka; 1175 struct key *instkey, *dest_keyring; 1176 size_t plen = from ? iov_iter_count(from) : 0; 1177 void *payload; 1178 long ret; 1179 1180 kenter("%d,,%zu,%d", id, plen, ringid); 1181 1182 if (!plen) 1183 from = NULL; 1184 1185 ret = -EINVAL; 1186 if (plen > 1024 * 1024 - 1) 1187 goto error; 1188 1189 /* the appropriate instantiation authorisation key must have been 1190 * assumed before calling this */ 1191 ret = -EPERM; 1192 instkey = cred->request_key_auth; 1193 if (!instkey) 1194 goto error; 1195 1196 rka = instkey->payload.data[0]; 1197 if (rka->target_key->serial != id) 1198 goto error; 1199 1200 /* pull the payload in if one was supplied */ 1201 payload = NULL; 1202 1203 if (from) { 1204 ret = -ENOMEM; 1205 payload = kvmalloc(plen, GFP_KERNEL); 1206 if (!payload) 1207 goto error; 1208 1209 ret = -EFAULT; 1210 if (!copy_from_iter_full(payload, plen, from)) 1211 goto error2; 1212 } 1213 1214 /* find the destination keyring amongst those belonging to the 1215 * requesting task */ 1216 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1217 if (ret < 0) 1218 goto error2; 1219 1220 /* instantiate the key and link it into a keyring */ 1221 ret = key_instantiate_and_link(rka->target_key, payload, plen, 1222 dest_keyring, instkey); 1223 1224 key_put(dest_keyring); 1225 1226 /* discard the assumed authority if it's just been disabled by 1227 * instantiation of the key */ 1228 if (ret == 0) 1229 keyctl_change_reqkey_auth(NULL); 1230 1231 error2: 1232 if (payload) { 1233 memzero_explicit(payload, plen); 1234 kvfree(payload); 1235 } 1236 error: 1237 return ret; 1238 } 1239 1240 /* 1241 * Instantiate a key with the specified payload and link the key into the 1242 * destination keyring if one is given. 1243 * 1244 * The caller must have the appropriate instantiation permit set for this to 1245 * work (see keyctl_assume_authority). No other permissions are required. 1246 * 1247 * If successful, 0 will be returned. 1248 */ 1249 long keyctl_instantiate_key(key_serial_t id, 1250 const void __user *_payload, 1251 size_t plen, 1252 key_serial_t ringid) 1253 { 1254 if (_payload && plen) { 1255 struct iovec iov; 1256 struct iov_iter from; 1257 int ret; 1258 1259 ret = import_single_range(WRITE, (void __user *)_payload, plen, 1260 &iov, &from); 1261 if (unlikely(ret)) 1262 return ret; 1263 1264 return keyctl_instantiate_key_common(id, &from, ringid); 1265 } 1266 1267 return keyctl_instantiate_key_common(id, NULL, ringid); 1268 } 1269 1270 /* 1271 * Instantiate a key with the specified multipart payload and link the key into 1272 * the destination keyring if one is given. 1273 * 1274 * The caller must have the appropriate instantiation permit set for this to 1275 * work (see keyctl_assume_authority). No other permissions are required. 1276 * 1277 * If successful, 0 will be returned. 1278 */ 1279 long keyctl_instantiate_key_iov(key_serial_t id, 1280 const struct iovec __user *_payload_iov, 1281 unsigned ioc, 1282 key_serial_t ringid) 1283 { 1284 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; 1285 struct iov_iter from; 1286 long ret; 1287 1288 if (!_payload_iov) 1289 ioc = 0; 1290 1291 ret = import_iovec(WRITE, _payload_iov, ioc, 1292 ARRAY_SIZE(iovstack), &iov, &from); 1293 if (ret < 0) 1294 return ret; 1295 ret = keyctl_instantiate_key_common(id, &from, ringid); 1296 kfree(iov); 1297 return ret; 1298 } 1299 1300 /* 1301 * Negatively instantiate the key with the given timeout (in seconds) and link 1302 * the key into the destination keyring if one is given. 1303 * 1304 * The caller must have the appropriate instantiation permit set for this to 1305 * work (see keyctl_assume_authority). No other permissions are required. 1306 * 1307 * The key and any links to the key will be automatically garbage collected 1308 * after the timeout expires. 1309 * 1310 * Negative keys are used to rate limit repeated request_key() calls by causing 1311 * them to return -ENOKEY until the negative key expires. 1312 * 1313 * If successful, 0 will be returned. 1314 */ 1315 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 1316 { 1317 return keyctl_reject_key(id, timeout, ENOKEY, ringid); 1318 } 1319 1320 /* 1321 * Negatively instantiate the key with the given timeout (in seconds) and error 1322 * code and link the key into the destination keyring if one is given. 1323 * 1324 * The caller must have the appropriate instantiation permit set for this to 1325 * work (see keyctl_assume_authority). No other permissions are required. 1326 * 1327 * The key and any links to the key will be automatically garbage collected 1328 * after the timeout expires. 1329 * 1330 * Negative keys are used to rate limit repeated request_key() calls by causing 1331 * them to return the specified error code until the negative key expires. 1332 * 1333 * If successful, 0 will be returned. 1334 */ 1335 long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error, 1336 key_serial_t ringid) 1337 { 1338 const struct cred *cred = current_cred(); 1339 struct request_key_auth *rka; 1340 struct key *instkey, *dest_keyring; 1341 long ret; 1342 1343 kenter("%d,%u,%u,%d", id, timeout, error, ringid); 1344 1345 /* must be a valid error code and mustn't be a kernel special */ 1346 if (error <= 0 || 1347 error >= MAX_ERRNO || 1348 error == ERESTARTSYS || 1349 error == ERESTARTNOINTR || 1350 error == ERESTARTNOHAND || 1351 error == ERESTART_RESTARTBLOCK) 1352 return -EINVAL; 1353 1354 /* the appropriate instantiation authorisation key must have been 1355 * assumed before calling this */ 1356 ret = -EPERM; 1357 instkey = cred->request_key_auth; 1358 if (!instkey) 1359 goto error; 1360 1361 rka = instkey->payload.data[0]; 1362 if (rka->target_key->serial != id) 1363 goto error; 1364 1365 /* find the destination keyring if present (which must also be 1366 * writable) */ 1367 ret = get_instantiation_keyring(ringid, rka, &dest_keyring); 1368 if (ret < 0) 1369 goto error; 1370 1371 /* instantiate the key and link it into a keyring */ 1372 ret = key_reject_and_link(rka->target_key, timeout, error, 1373 dest_keyring, instkey); 1374 1375 key_put(dest_keyring); 1376 1377 /* discard the assumed authority if it's just been disabled by 1378 * instantiation of the key */ 1379 if (ret == 0) 1380 keyctl_change_reqkey_auth(NULL); 1381 1382 error: 1383 return ret; 1384 } 1385 1386 /* 1387 * Read or set the default keyring in which request_key() will cache keys and 1388 * return the old setting. 1389 * 1390 * If a thread or process keyring is specified then it will be created if it 1391 * doesn't yet exist. The old setting will be returned if successful. 1392 */ 1393 long keyctl_set_reqkey_keyring(int reqkey_defl) 1394 { 1395 struct cred *new; 1396 int ret, old_setting; 1397 1398 old_setting = current_cred_xxx(jit_keyring); 1399 1400 if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE) 1401 return old_setting; 1402 1403 new = prepare_creds(); 1404 if (!new) 1405 return -ENOMEM; 1406 1407 switch (reqkey_defl) { 1408 case KEY_REQKEY_DEFL_THREAD_KEYRING: 1409 ret = install_thread_keyring_to_cred(new); 1410 if (ret < 0) 1411 goto error; 1412 goto set; 1413 1414 case KEY_REQKEY_DEFL_PROCESS_KEYRING: 1415 ret = install_process_keyring_to_cred(new); 1416 if (ret < 0) 1417 goto error; 1418 goto set; 1419 1420 case KEY_REQKEY_DEFL_DEFAULT: 1421 case KEY_REQKEY_DEFL_SESSION_KEYRING: 1422 case KEY_REQKEY_DEFL_USER_KEYRING: 1423 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 1424 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING: 1425 goto set; 1426 1427 case KEY_REQKEY_DEFL_NO_CHANGE: 1428 case KEY_REQKEY_DEFL_GROUP_KEYRING: 1429 default: 1430 ret = -EINVAL; 1431 goto error; 1432 } 1433 1434 set: 1435 new->jit_keyring = reqkey_defl; 1436 commit_creds(new); 1437 return old_setting; 1438 error: 1439 abort_creds(new); 1440 return ret; 1441 } 1442 1443 /* 1444 * Set or clear the timeout on a key. 1445 * 1446 * Either the key must grant the caller Setattr permission or else the caller 1447 * must hold an instantiation authorisation token for the key. 1448 * 1449 * The timeout is either 0 to clear the timeout, or a number of seconds from 1450 * the current time. The key and any links to the key will be automatically 1451 * garbage collected after the timeout expires. 1452 * 1453 * Keys with KEY_FLAG_KEEP set should not be timed out. 1454 * 1455 * If successful, 0 is returned. 1456 */ 1457 long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1458 { 1459 struct key *key, *instkey; 1460 key_ref_t key_ref; 1461 long ret; 1462 1463 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1464 KEY_NEED_SETATTR); 1465 if (IS_ERR(key_ref)) { 1466 /* setting the timeout on a key under construction is permitted 1467 * if we have the authorisation token handy */ 1468 if (PTR_ERR(key_ref) == -EACCES) { 1469 instkey = key_get_instantiation_authkey(id); 1470 if (!IS_ERR(instkey)) { 1471 key_put(instkey); 1472 key_ref = lookup_user_key(id, 1473 KEY_LOOKUP_PARTIAL, 1474 0); 1475 if (!IS_ERR(key_ref)) 1476 goto okay; 1477 } 1478 } 1479 1480 ret = PTR_ERR(key_ref); 1481 goto error; 1482 } 1483 1484 okay: 1485 key = key_ref_to_ptr(key_ref); 1486 ret = 0; 1487 if (test_bit(KEY_FLAG_KEEP, &key->flags)) { 1488 ret = -EPERM; 1489 } else { 1490 key_set_timeout(key, timeout); 1491 notify_key(key, NOTIFY_KEY_SETATTR, 0); 1492 } 1493 key_put(key); 1494 1495 error: 1496 return ret; 1497 } 1498 1499 /* 1500 * Assume (or clear) the authority to instantiate the specified key. 1501 * 1502 * This sets the authoritative token currently in force for key instantiation. 1503 * This must be done for a key to be instantiated. It has the effect of making 1504 * available all the keys from the caller of the request_key() that created a 1505 * key to request_key() calls made by the caller of this function. 1506 * 1507 * The caller must have the instantiation key in their process keyrings with a 1508 * Search permission grant available to the caller. 1509 * 1510 * If the ID given is 0, then the setting will be cleared and 0 returned. 1511 * 1512 * If the ID given has a matching an authorisation key, then that key will be 1513 * set and its ID will be returned. The authorisation key can be read to get 1514 * the callout information passed to request_key(). 1515 */ 1516 long keyctl_assume_authority(key_serial_t id) 1517 { 1518 struct key *authkey; 1519 long ret; 1520 1521 /* special key IDs aren't permitted */ 1522 ret = -EINVAL; 1523 if (id < 0) 1524 goto error; 1525 1526 /* we divest ourselves of authority if given an ID of 0 */ 1527 if (id == 0) { 1528 ret = keyctl_change_reqkey_auth(NULL); 1529 goto error; 1530 } 1531 1532 /* attempt to assume the authority temporarily granted to us whilst we 1533 * instantiate the specified key 1534 * - the authorisation key must be in the current task's keyrings 1535 * somewhere 1536 */ 1537 authkey = key_get_instantiation_authkey(id); 1538 if (IS_ERR(authkey)) { 1539 ret = PTR_ERR(authkey); 1540 goto error; 1541 } 1542 1543 ret = keyctl_change_reqkey_auth(authkey); 1544 if (ret == 0) 1545 ret = authkey->serial; 1546 key_put(authkey); 1547 error: 1548 return ret; 1549 } 1550 1551 /* 1552 * Get a key's the LSM security label. 1553 * 1554 * The key must grant the caller View permission for this to work. 1555 * 1556 * If there's a buffer, then up to buflen bytes of data will be placed into it. 1557 * 1558 * If successful, the amount of information available will be returned, 1559 * irrespective of how much was copied (including the terminal NUL). 1560 */ 1561 long keyctl_get_security(key_serial_t keyid, 1562 char __user *buffer, 1563 size_t buflen) 1564 { 1565 struct key *key, *instkey; 1566 key_ref_t key_ref; 1567 char *context; 1568 long ret; 1569 1570 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW); 1571 if (IS_ERR(key_ref)) { 1572 if (PTR_ERR(key_ref) != -EACCES) 1573 return PTR_ERR(key_ref); 1574 1575 /* viewing a key under construction is also permitted if we 1576 * have the authorisation token handy */ 1577 instkey = key_get_instantiation_authkey(keyid); 1578 if (IS_ERR(instkey)) 1579 return PTR_ERR(instkey); 1580 key_put(instkey); 1581 1582 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, 0); 1583 if (IS_ERR(key_ref)) 1584 return PTR_ERR(key_ref); 1585 } 1586 1587 key = key_ref_to_ptr(key_ref); 1588 ret = security_key_getsecurity(key, &context); 1589 if (ret == 0) { 1590 /* if no information was returned, give userspace an empty 1591 * string */ 1592 ret = 1; 1593 if (buffer && buflen > 0 && 1594 copy_to_user(buffer, "", 1) != 0) 1595 ret = -EFAULT; 1596 } else if (ret > 0) { 1597 /* return as much data as there's room for */ 1598 if (buffer && buflen > 0) { 1599 if (buflen > ret) 1600 buflen = ret; 1601 1602 if (copy_to_user(buffer, context, buflen) != 0) 1603 ret = -EFAULT; 1604 } 1605 1606 kfree(context); 1607 } 1608 1609 key_ref_put(key_ref); 1610 return ret; 1611 } 1612 1613 /* 1614 * Attempt to install the calling process's session keyring on the process's 1615 * parent process. 1616 * 1617 * The keyring must exist and must grant the caller LINK permission, and the 1618 * parent process must be single-threaded and must have the same effective 1619 * ownership as this process and mustn't be SUID/SGID. 1620 * 1621 * The keyring will be emplaced on the parent when it next resumes userspace. 1622 * 1623 * If successful, 0 will be returned. 1624 */ 1625 long keyctl_session_to_parent(void) 1626 { 1627 struct task_struct *me, *parent; 1628 const struct cred *mycred, *pcred; 1629 struct callback_head *newwork, *oldwork; 1630 key_ref_t keyring_r; 1631 struct cred *cred; 1632 int ret; 1633 1634 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK); 1635 if (IS_ERR(keyring_r)) 1636 return PTR_ERR(keyring_r); 1637 1638 ret = -ENOMEM; 1639 1640 /* our parent is going to need a new cred struct, a new tgcred struct 1641 * and new security data, so we allocate them here to prevent ENOMEM in 1642 * our parent */ 1643 cred = cred_alloc_blank(); 1644 if (!cred) 1645 goto error_keyring; 1646 newwork = &cred->rcu; 1647 1648 cred->session_keyring = key_ref_to_ptr(keyring_r); 1649 keyring_r = NULL; 1650 init_task_work(newwork, key_change_session_keyring); 1651 1652 me = current; 1653 rcu_read_lock(); 1654 write_lock_irq(&tasklist_lock); 1655 1656 ret = -EPERM; 1657 oldwork = NULL; 1658 parent = rcu_dereference_protected(me->real_parent, 1659 lockdep_is_held(&tasklist_lock)); 1660 1661 /* the parent mustn't be init and mustn't be a kernel thread */ 1662 if (parent->pid <= 1 || !parent->mm) 1663 goto unlock; 1664 1665 /* the parent must be single threaded */ 1666 if (!thread_group_empty(parent)) 1667 goto unlock; 1668 1669 /* the parent and the child must have different session keyrings or 1670 * there's no point */ 1671 mycred = current_cred(); 1672 pcred = __task_cred(parent); 1673 if (mycred == pcred || 1674 mycred->session_keyring == pcred->session_keyring) { 1675 ret = 0; 1676 goto unlock; 1677 } 1678 1679 /* the parent must have the same effective ownership and mustn't be 1680 * SUID/SGID */ 1681 if (!uid_eq(pcred->uid, mycred->euid) || 1682 !uid_eq(pcred->euid, mycred->euid) || 1683 !uid_eq(pcred->suid, mycred->euid) || 1684 !gid_eq(pcred->gid, mycred->egid) || 1685 !gid_eq(pcred->egid, mycred->egid) || 1686 !gid_eq(pcred->sgid, mycred->egid)) 1687 goto unlock; 1688 1689 /* the keyrings must have the same UID */ 1690 if ((pcred->session_keyring && 1691 !uid_eq(pcred->session_keyring->uid, mycred->euid)) || 1692 !uid_eq(mycred->session_keyring->uid, mycred->euid)) 1693 goto unlock; 1694 1695 /* cancel an already pending keyring replacement */ 1696 oldwork = task_work_cancel(parent, key_change_session_keyring); 1697 1698 /* the replacement session keyring is applied just prior to userspace 1699 * restarting */ 1700 ret = task_work_add(parent, newwork, true); 1701 if (!ret) 1702 newwork = NULL; 1703 unlock: 1704 write_unlock_irq(&tasklist_lock); 1705 rcu_read_unlock(); 1706 if (oldwork) 1707 put_cred(container_of(oldwork, struct cred, rcu)); 1708 if (newwork) 1709 put_cred(cred); 1710 return ret; 1711 1712 error_keyring: 1713 key_ref_put(keyring_r); 1714 return ret; 1715 } 1716 1717 /* 1718 * Apply a restriction to a given keyring. 1719 * 1720 * The caller must have Setattr permission to change keyring restrictions. 1721 * 1722 * The requested type name may be a NULL pointer to reject all attempts 1723 * to link to the keyring. In this case, _restriction must also be NULL. 1724 * Otherwise, both _type and _restriction must be non-NULL. 1725 * 1726 * Returns 0 if successful. 1727 */ 1728 long keyctl_restrict_keyring(key_serial_t id, const char __user *_type, 1729 const char __user *_restriction) 1730 { 1731 key_ref_t key_ref; 1732 char type[32]; 1733 char *restriction = NULL; 1734 long ret; 1735 1736 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 1737 if (IS_ERR(key_ref)) 1738 return PTR_ERR(key_ref); 1739 1740 ret = -EINVAL; 1741 if (_type) { 1742 if (!_restriction) 1743 goto error; 1744 1745 ret = key_get_type_from_user(type, _type, sizeof(type)); 1746 if (ret < 0) 1747 goto error; 1748 1749 restriction = strndup_user(_restriction, PAGE_SIZE); 1750 if (IS_ERR(restriction)) { 1751 ret = PTR_ERR(restriction); 1752 goto error; 1753 } 1754 } else { 1755 if (_restriction) 1756 goto error; 1757 } 1758 1759 ret = keyring_restrict(key_ref, _type ? type : NULL, restriction); 1760 kfree(restriction); 1761 error: 1762 key_ref_put(key_ref); 1763 return ret; 1764 } 1765 1766 #ifdef CONFIG_KEY_NOTIFICATIONS 1767 /* 1768 * Watch for changes to a key. 1769 * 1770 * The caller must have View permission to watch a key or keyring. 1771 */ 1772 long keyctl_watch_key(key_serial_t id, int watch_queue_fd, int watch_id) 1773 { 1774 struct watch_queue *wqueue; 1775 struct watch_list *wlist = NULL; 1776 struct watch *watch = NULL; 1777 struct key *key; 1778 key_ref_t key_ref; 1779 long ret; 1780 1781 if (watch_id < -1 || watch_id > 0xff) 1782 return -EINVAL; 1783 1784 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_VIEW); 1785 if (IS_ERR(key_ref)) 1786 return PTR_ERR(key_ref); 1787 key = key_ref_to_ptr(key_ref); 1788 1789 wqueue = get_watch_queue(watch_queue_fd); 1790 if (IS_ERR(wqueue)) { 1791 ret = PTR_ERR(wqueue); 1792 goto err_key; 1793 } 1794 1795 if (watch_id >= 0) { 1796 ret = -ENOMEM; 1797 if (!key->watchers) { 1798 wlist = kzalloc(sizeof(*wlist), GFP_KERNEL); 1799 if (!wlist) 1800 goto err_wqueue; 1801 init_watch_list(wlist, NULL); 1802 } 1803 1804 watch = kzalloc(sizeof(*watch), GFP_KERNEL); 1805 if (!watch) 1806 goto err_wlist; 1807 1808 init_watch(watch, wqueue); 1809 watch->id = key->serial; 1810 watch->info_id = (u32)watch_id << WATCH_INFO_ID__SHIFT; 1811 1812 ret = security_watch_key(key); 1813 if (ret < 0) 1814 goto err_watch; 1815 1816 down_write(&key->sem); 1817 if (!key->watchers) { 1818 key->watchers = wlist; 1819 wlist = NULL; 1820 } 1821 1822 ret = add_watch_to_object(watch, key->watchers); 1823 up_write(&key->sem); 1824 1825 if (ret == 0) 1826 watch = NULL; 1827 } else { 1828 ret = -EBADSLT; 1829 if (key->watchers) { 1830 down_write(&key->sem); 1831 ret = remove_watch_from_object(key->watchers, 1832 wqueue, key_serial(key), 1833 false); 1834 up_write(&key->sem); 1835 } 1836 } 1837 1838 err_watch: 1839 kfree(watch); 1840 err_wlist: 1841 kfree(wlist); 1842 err_wqueue: 1843 put_watch_queue(wqueue); 1844 err_key: 1845 key_put(key); 1846 return ret; 1847 } 1848 #endif /* CONFIG_KEY_NOTIFICATIONS */ 1849 1850 /* 1851 * Get keyrings subsystem capabilities. 1852 */ 1853 long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen) 1854 { 1855 size_t size = buflen; 1856 1857 if (size > 0) { 1858 if (size > sizeof(keyrings_capabilities)) 1859 size = sizeof(keyrings_capabilities); 1860 if (copy_to_user(_buffer, keyrings_capabilities, size) != 0) 1861 return -EFAULT; 1862 if (size < buflen && 1863 clear_user(_buffer + size, buflen - size) != 0) 1864 return -EFAULT; 1865 } 1866 1867 return sizeof(keyrings_capabilities); 1868 } 1869 1870 /* 1871 * The key control system call 1872 */ 1873 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1874 unsigned long, arg4, unsigned long, arg5) 1875 { 1876 switch (option) { 1877 case KEYCTL_GET_KEYRING_ID: 1878 return keyctl_get_keyring_ID((key_serial_t) arg2, 1879 (int) arg3); 1880 1881 case KEYCTL_JOIN_SESSION_KEYRING: 1882 return keyctl_join_session_keyring((const char __user *) arg2); 1883 1884 case KEYCTL_UPDATE: 1885 return keyctl_update_key((key_serial_t) arg2, 1886 (const void __user *) arg3, 1887 (size_t) arg4); 1888 1889 case KEYCTL_REVOKE: 1890 return keyctl_revoke_key((key_serial_t) arg2); 1891 1892 case KEYCTL_DESCRIBE: 1893 return keyctl_describe_key((key_serial_t) arg2, 1894 (char __user *) arg3, 1895 (unsigned) arg4); 1896 1897 case KEYCTL_CLEAR: 1898 return keyctl_keyring_clear((key_serial_t) arg2); 1899 1900 case KEYCTL_LINK: 1901 return keyctl_keyring_link((key_serial_t) arg2, 1902 (key_serial_t) arg3); 1903 1904 case KEYCTL_UNLINK: 1905 return keyctl_keyring_unlink((key_serial_t) arg2, 1906 (key_serial_t) arg3); 1907 1908 case KEYCTL_SEARCH: 1909 return keyctl_keyring_search((key_serial_t) arg2, 1910 (const char __user *) arg3, 1911 (const char __user *) arg4, 1912 (key_serial_t) arg5); 1913 1914 case KEYCTL_READ: 1915 return keyctl_read_key((key_serial_t) arg2, 1916 (char __user *) arg3, 1917 (size_t) arg4); 1918 1919 case KEYCTL_CHOWN: 1920 return keyctl_chown_key((key_serial_t) arg2, 1921 (uid_t) arg3, 1922 (gid_t) arg4); 1923 1924 case KEYCTL_SETPERM: 1925 return keyctl_setperm_key((key_serial_t) arg2, 1926 (key_perm_t) arg3); 1927 1928 case KEYCTL_INSTANTIATE: 1929 return keyctl_instantiate_key((key_serial_t) arg2, 1930 (const void __user *) arg3, 1931 (size_t) arg4, 1932 (key_serial_t) arg5); 1933 1934 case KEYCTL_NEGATE: 1935 return keyctl_negate_key((key_serial_t) arg2, 1936 (unsigned) arg3, 1937 (key_serial_t) arg4); 1938 1939 case KEYCTL_SET_REQKEY_KEYRING: 1940 return keyctl_set_reqkey_keyring(arg2); 1941 1942 case KEYCTL_SET_TIMEOUT: 1943 return keyctl_set_timeout((key_serial_t) arg2, 1944 (unsigned) arg3); 1945 1946 case KEYCTL_ASSUME_AUTHORITY: 1947 return keyctl_assume_authority((key_serial_t) arg2); 1948 1949 case KEYCTL_GET_SECURITY: 1950 return keyctl_get_security((key_serial_t) arg2, 1951 (char __user *) arg3, 1952 (size_t) arg4); 1953 1954 case KEYCTL_SESSION_TO_PARENT: 1955 return keyctl_session_to_parent(); 1956 1957 case KEYCTL_REJECT: 1958 return keyctl_reject_key((key_serial_t) arg2, 1959 (unsigned) arg3, 1960 (unsigned) arg4, 1961 (key_serial_t) arg5); 1962 1963 case KEYCTL_INSTANTIATE_IOV: 1964 return keyctl_instantiate_key_iov( 1965 (key_serial_t) arg2, 1966 (const struct iovec __user *) arg3, 1967 (unsigned) arg4, 1968 (key_serial_t) arg5); 1969 1970 case KEYCTL_INVALIDATE: 1971 return keyctl_invalidate_key((key_serial_t) arg2); 1972 1973 case KEYCTL_GET_PERSISTENT: 1974 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); 1975 1976 case KEYCTL_DH_COMPUTE: 1977 return keyctl_dh_compute((struct keyctl_dh_params __user *) arg2, 1978 (char __user *) arg3, (size_t) arg4, 1979 (struct keyctl_kdf_params __user *) arg5); 1980 1981 case KEYCTL_RESTRICT_KEYRING: 1982 return keyctl_restrict_keyring((key_serial_t) arg2, 1983 (const char __user *) arg3, 1984 (const char __user *) arg4); 1985 1986 case KEYCTL_PKEY_QUERY: 1987 if (arg3 != 0) 1988 return -EINVAL; 1989 return keyctl_pkey_query((key_serial_t)arg2, 1990 (const char __user *)arg4, 1991 (struct keyctl_pkey_query __user *)arg5); 1992 1993 case KEYCTL_PKEY_ENCRYPT: 1994 case KEYCTL_PKEY_DECRYPT: 1995 case KEYCTL_PKEY_SIGN: 1996 return keyctl_pkey_e_d_s( 1997 option, 1998 (const struct keyctl_pkey_params __user *)arg2, 1999 (const char __user *)arg3, 2000 (const void __user *)arg4, 2001 (void __user *)arg5); 2002 2003 case KEYCTL_PKEY_VERIFY: 2004 return keyctl_pkey_verify( 2005 (const struct keyctl_pkey_params __user *)arg2, 2006 (const char __user *)arg3, 2007 (const void __user *)arg4, 2008 (const void __user *)arg5); 2009 2010 case KEYCTL_MOVE: 2011 return keyctl_keyring_move((key_serial_t)arg2, 2012 (key_serial_t)arg3, 2013 (key_serial_t)arg4, 2014 (unsigned int)arg5); 2015 2016 case KEYCTL_CAPABILITIES: 2017 return keyctl_capabilities((unsigned char __user *)arg2, (size_t)arg3); 2018 2019 case KEYCTL_WATCH_KEY: 2020 return keyctl_watch_key((key_serial_t)arg2, (int)arg3, (int)arg4); 2021 2022 default: 2023 return -EOPNOTSUPP; 2024 } 2025 } 2026