1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Keyring handling 3 * 4 * Copyright (C) 2004-2005, 2008, 2013 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/export.h> 9 #include <linux/init.h> 10 #include <linux/sched.h> 11 #include <linux/slab.h> 12 #include <linux/security.h> 13 #include <linux/seq_file.h> 14 #include <linux/err.h> 15 #include <linux/user_namespace.h> 16 #include <linux/nsproxy.h> 17 #include <keys/keyring-type.h> 18 #include <keys/user-type.h> 19 #include <linux/assoc_array_priv.h> 20 #include <linux/uaccess.h> 21 #include <net/net_namespace.h> 22 #include "internal.h" 23 24 /* 25 * When plumbing the depths of the key tree, this sets a hard limit 26 * set on how deep we're willing to go. 27 */ 28 #define KEYRING_SEARCH_MAX_DEPTH 6 29 30 /* 31 * We mark pointers we pass to the associative array with bit 1 set if 32 * they're keyrings and clear otherwise. 33 */ 34 #define KEYRING_PTR_SUBTYPE 0x2UL 35 36 static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x) 37 { 38 return (unsigned long)x & KEYRING_PTR_SUBTYPE; 39 } 40 static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x) 41 { 42 void *object = assoc_array_ptr_to_leaf(x); 43 return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE); 44 } 45 static inline void *keyring_key_to_ptr(struct key *key) 46 { 47 if (key->type == &key_type_keyring) 48 return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE); 49 return key; 50 } 51 52 static DEFINE_RWLOCK(keyring_name_lock); 53 54 /* 55 * Clean up the bits of user_namespace that belong to us. 56 */ 57 void key_free_user_ns(struct user_namespace *ns) 58 { 59 write_lock(&keyring_name_lock); 60 list_del_init(&ns->keyring_name_list); 61 write_unlock(&keyring_name_lock); 62 63 key_put(ns->user_keyring_register); 64 #ifdef CONFIG_PERSISTENT_KEYRINGS 65 key_put(ns->persistent_keyring_register); 66 #endif 67 } 68 69 /* 70 * The keyring key type definition. Keyrings are simply keys of this type and 71 * can be treated as ordinary keys in addition to having their own special 72 * operations. 73 */ 74 static int keyring_preparse(struct key_preparsed_payload *prep); 75 static void keyring_free_preparse(struct key_preparsed_payload *prep); 76 static int keyring_instantiate(struct key *keyring, 77 struct key_preparsed_payload *prep); 78 static void keyring_revoke(struct key *keyring); 79 static void keyring_destroy(struct key *keyring); 80 static void keyring_describe(const struct key *keyring, struct seq_file *m); 81 static long keyring_read(const struct key *keyring, 82 char *buffer, size_t buflen); 83 84 struct key_type key_type_keyring = { 85 .name = "keyring", 86 .def_datalen = 0, 87 .preparse = keyring_preparse, 88 .free_preparse = keyring_free_preparse, 89 .instantiate = keyring_instantiate, 90 .revoke = keyring_revoke, 91 .destroy = keyring_destroy, 92 .describe = keyring_describe, 93 .read = keyring_read, 94 }; 95 EXPORT_SYMBOL(key_type_keyring); 96 97 /* 98 * Semaphore to serialise link/link calls to prevent two link calls in parallel 99 * introducing a cycle. 100 */ 101 static DEFINE_MUTEX(keyring_serialise_link_lock); 102 103 /* 104 * Publish the name of a keyring so that it can be found by name (if it has 105 * one and it doesn't begin with a dot). 106 */ 107 static void keyring_publish_name(struct key *keyring) 108 { 109 struct user_namespace *ns = current_user_ns(); 110 111 if (keyring->description && 112 keyring->description[0] && 113 keyring->description[0] != '.') { 114 write_lock(&keyring_name_lock); 115 list_add_tail(&keyring->name_link, &ns->keyring_name_list); 116 write_unlock(&keyring_name_lock); 117 } 118 } 119 120 /* 121 * Preparse a keyring payload 122 */ 123 static int keyring_preparse(struct key_preparsed_payload *prep) 124 { 125 return prep->datalen != 0 ? -EINVAL : 0; 126 } 127 128 /* 129 * Free a preparse of a user defined key payload 130 */ 131 static void keyring_free_preparse(struct key_preparsed_payload *prep) 132 { 133 } 134 135 /* 136 * Initialise a keyring. 137 * 138 * Returns 0 on success, -EINVAL if given any data. 139 */ 140 static int keyring_instantiate(struct key *keyring, 141 struct key_preparsed_payload *prep) 142 { 143 assoc_array_init(&keyring->keys); 144 /* make the keyring available by name if it has one */ 145 keyring_publish_name(keyring); 146 return 0; 147 } 148 149 /* 150 * Multiply 64-bits by 32-bits to 96-bits and fold back to 64-bit. Ideally we'd 151 * fold the carry back too, but that requires inline asm. 152 */ 153 static u64 mult_64x32_and_fold(u64 x, u32 y) 154 { 155 u64 hi = (u64)(u32)(x >> 32) * y; 156 u64 lo = (u64)(u32)(x) * y; 157 return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32); 158 } 159 160 /* 161 * Hash a key type and description. 162 */ 163 static void hash_key_type_and_desc(struct keyring_index_key *index_key) 164 { 165 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP; 166 const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK; 167 const char *description = index_key->description; 168 unsigned long hash, type; 169 u32 piece; 170 u64 acc; 171 int n, desc_len = index_key->desc_len; 172 173 type = (unsigned long)index_key->type; 174 acc = mult_64x32_and_fold(type, desc_len + 13); 175 acc = mult_64x32_and_fold(acc, 9207); 176 piece = (unsigned long)index_key->domain_tag; 177 acc = mult_64x32_and_fold(acc, piece); 178 acc = mult_64x32_and_fold(acc, 9207); 179 180 for (;;) { 181 n = desc_len; 182 if (n <= 0) 183 break; 184 if (n > 4) 185 n = 4; 186 piece = 0; 187 memcpy(&piece, description, n); 188 description += n; 189 desc_len -= n; 190 acc = mult_64x32_and_fold(acc, piece); 191 acc = mult_64x32_and_fold(acc, 9207); 192 } 193 194 /* Fold the hash down to 32 bits if need be. */ 195 hash = acc; 196 if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32) 197 hash ^= acc >> 32; 198 199 /* Squidge all the keyrings into a separate part of the tree to 200 * ordinary keys by making sure the lowest level segment in the hash is 201 * zero for keyrings and non-zero otherwise. 202 */ 203 if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0) 204 hash |= (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1; 205 else if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0) 206 hash = (hash + (hash << level_shift)) & ~fan_mask; 207 index_key->hash = hash; 208 } 209 210 /* 211 * Finalise an index key to include a part of the description actually in the 212 * index key, to set the domain tag and to calculate the hash. 213 */ 214 void key_set_index_key(struct keyring_index_key *index_key) 215 { 216 static struct key_tag default_domain_tag = { .usage = REFCOUNT_INIT(1), }; 217 size_t n = min_t(size_t, index_key->desc_len, sizeof(index_key->desc)); 218 219 memcpy(index_key->desc, index_key->description, n); 220 221 if (!index_key->domain_tag) { 222 if (index_key->type->flags & KEY_TYPE_NET_DOMAIN) 223 index_key->domain_tag = current->nsproxy->net_ns->key_domain; 224 else 225 index_key->domain_tag = &default_domain_tag; 226 } 227 228 hash_key_type_and_desc(index_key); 229 } 230 231 /** 232 * key_put_tag - Release a ref on a tag. 233 * @tag: The tag to release. 234 * 235 * This releases a reference the given tag and returns true if that ref was the 236 * last one. 237 */ 238 bool key_put_tag(struct key_tag *tag) 239 { 240 if (refcount_dec_and_test(&tag->usage)) { 241 kfree_rcu(tag, rcu); 242 return true; 243 } 244 245 return false; 246 } 247 248 /** 249 * key_remove_domain - Kill off a key domain and gc its keys 250 * @domain_tag: The domain tag to release. 251 * 252 * This marks a domain tag as being dead and releases a ref on it. If that 253 * wasn't the last reference, the garbage collector is poked to try and delete 254 * all keys that were in the domain. 255 */ 256 void key_remove_domain(struct key_tag *domain_tag) 257 { 258 domain_tag->removed = true; 259 if (!key_put_tag(domain_tag)) 260 key_schedule_gc_links(); 261 } 262 263 /* 264 * Build the next index key chunk. 265 * 266 * We return it one word-sized chunk at a time. 267 */ 268 static unsigned long keyring_get_key_chunk(const void *data, int level) 269 { 270 const struct keyring_index_key *index_key = data; 271 unsigned long chunk = 0; 272 const u8 *d; 273 int desc_len = index_key->desc_len, n = sizeof(chunk); 274 275 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE; 276 switch (level) { 277 case 0: 278 return index_key->hash; 279 case 1: 280 return index_key->x; 281 case 2: 282 return (unsigned long)index_key->type; 283 case 3: 284 return (unsigned long)index_key->domain_tag; 285 default: 286 level -= 4; 287 if (desc_len <= sizeof(index_key->desc)) 288 return 0; 289 290 d = index_key->description + sizeof(index_key->desc); 291 d += level * sizeof(long); 292 desc_len -= sizeof(index_key->desc); 293 if (desc_len > n) 294 desc_len = n; 295 do { 296 chunk <<= 8; 297 chunk |= *d++; 298 } while (--desc_len > 0); 299 return chunk; 300 } 301 } 302 303 static unsigned long keyring_get_object_key_chunk(const void *object, int level) 304 { 305 const struct key *key = keyring_ptr_to_key(object); 306 return keyring_get_key_chunk(&key->index_key, level); 307 } 308 309 static bool keyring_compare_object(const void *object, const void *data) 310 { 311 const struct keyring_index_key *index_key = data; 312 const struct key *key = keyring_ptr_to_key(object); 313 314 return key->index_key.type == index_key->type && 315 key->index_key.domain_tag == index_key->domain_tag && 316 key->index_key.desc_len == index_key->desc_len && 317 memcmp(key->index_key.description, index_key->description, 318 index_key->desc_len) == 0; 319 } 320 321 /* 322 * Compare the index keys of a pair of objects and determine the bit position 323 * at which they differ - if they differ. 324 */ 325 static int keyring_diff_objects(const void *object, const void *data) 326 { 327 const struct key *key_a = keyring_ptr_to_key(object); 328 const struct keyring_index_key *a = &key_a->index_key; 329 const struct keyring_index_key *b = data; 330 unsigned long seg_a, seg_b; 331 int level, i; 332 333 level = 0; 334 seg_a = a->hash; 335 seg_b = b->hash; 336 if ((seg_a ^ seg_b) != 0) 337 goto differ; 338 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8; 339 340 /* The number of bits contributed by the hash is controlled by a 341 * constant in the assoc_array headers. Everything else thereafter we 342 * can deal with as being machine word-size dependent. 343 */ 344 seg_a = a->x; 345 seg_b = b->x; 346 if ((seg_a ^ seg_b) != 0) 347 goto differ; 348 level += sizeof(unsigned long); 349 350 /* The next bit may not work on big endian */ 351 seg_a = (unsigned long)a->type; 352 seg_b = (unsigned long)b->type; 353 if ((seg_a ^ seg_b) != 0) 354 goto differ; 355 level += sizeof(unsigned long); 356 357 seg_a = (unsigned long)a->domain_tag; 358 seg_b = (unsigned long)b->domain_tag; 359 if ((seg_a ^ seg_b) != 0) 360 goto differ; 361 level += sizeof(unsigned long); 362 363 i = sizeof(a->desc); 364 if (a->desc_len <= i) 365 goto same; 366 367 for (; i < a->desc_len; i++) { 368 seg_a = *(unsigned char *)(a->description + i); 369 seg_b = *(unsigned char *)(b->description + i); 370 if ((seg_a ^ seg_b) != 0) 371 goto differ_plus_i; 372 } 373 374 same: 375 return -1; 376 377 differ_plus_i: 378 level += i; 379 differ: 380 i = level * 8 + __ffs(seg_a ^ seg_b); 381 return i; 382 } 383 384 /* 385 * Free an object after stripping the keyring flag off of the pointer. 386 */ 387 static void keyring_free_object(void *object) 388 { 389 key_put(keyring_ptr_to_key(object)); 390 } 391 392 /* 393 * Operations for keyring management by the index-tree routines. 394 */ 395 static const struct assoc_array_ops keyring_assoc_array_ops = { 396 .get_key_chunk = keyring_get_key_chunk, 397 .get_object_key_chunk = keyring_get_object_key_chunk, 398 .compare_object = keyring_compare_object, 399 .diff_objects = keyring_diff_objects, 400 .free_object = keyring_free_object, 401 }; 402 403 /* 404 * Clean up a keyring when it is destroyed. Unpublish its name if it had one 405 * and dispose of its data. 406 * 407 * The garbage collector detects the final key_put(), removes the keyring from 408 * the serial number tree and then does RCU synchronisation before coming here, 409 * so we shouldn't need to worry about code poking around here with the RCU 410 * readlock held by this time. 411 */ 412 static void keyring_destroy(struct key *keyring) 413 { 414 if (keyring->description) { 415 write_lock(&keyring_name_lock); 416 417 if (keyring->name_link.next != NULL && 418 !list_empty(&keyring->name_link)) 419 list_del(&keyring->name_link); 420 421 write_unlock(&keyring_name_lock); 422 } 423 424 if (keyring->restrict_link) { 425 struct key_restriction *keyres = keyring->restrict_link; 426 427 key_put(keyres->key); 428 kfree(keyres); 429 } 430 431 assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops); 432 } 433 434 /* 435 * Describe a keyring for /proc. 436 */ 437 static void keyring_describe(const struct key *keyring, struct seq_file *m) 438 { 439 if (keyring->description) 440 seq_puts(m, keyring->description); 441 else 442 seq_puts(m, "[anon]"); 443 444 if (key_is_positive(keyring)) { 445 if (keyring->keys.nr_leaves_on_tree != 0) 446 seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree); 447 else 448 seq_puts(m, ": empty"); 449 } 450 } 451 452 struct keyring_read_iterator_context { 453 size_t buflen; 454 size_t count; 455 key_serial_t *buffer; 456 }; 457 458 static int keyring_read_iterator(const void *object, void *data) 459 { 460 struct keyring_read_iterator_context *ctx = data; 461 const struct key *key = keyring_ptr_to_key(object); 462 463 kenter("{%s,%d},,{%zu/%zu}", 464 key->type->name, key->serial, ctx->count, ctx->buflen); 465 466 if (ctx->count >= ctx->buflen) 467 return 1; 468 469 *ctx->buffer++ = key->serial; 470 ctx->count += sizeof(key->serial); 471 return 0; 472 } 473 474 /* 475 * Read a list of key IDs from the keyring's contents in binary form 476 * 477 * The keyring's semaphore is read-locked by the caller. This prevents someone 478 * from modifying it under us - which could cause us to read key IDs multiple 479 * times. 480 */ 481 static long keyring_read(const struct key *keyring, 482 char *buffer, size_t buflen) 483 { 484 struct keyring_read_iterator_context ctx; 485 long ret; 486 487 kenter("{%d},,%zu", key_serial(keyring), buflen); 488 489 if (buflen & (sizeof(key_serial_t) - 1)) 490 return -EINVAL; 491 492 /* Copy as many key IDs as fit into the buffer */ 493 if (buffer && buflen) { 494 ctx.buffer = (key_serial_t *)buffer; 495 ctx.buflen = buflen; 496 ctx.count = 0; 497 ret = assoc_array_iterate(&keyring->keys, 498 keyring_read_iterator, &ctx); 499 if (ret < 0) { 500 kleave(" = %ld [iterate]", ret); 501 return ret; 502 } 503 } 504 505 /* Return the size of the buffer needed */ 506 ret = keyring->keys.nr_leaves_on_tree * sizeof(key_serial_t); 507 if (ret <= buflen) 508 kleave("= %ld [ok]", ret); 509 else 510 kleave("= %ld [buffer too small]", ret); 511 return ret; 512 } 513 514 /* 515 * Allocate a keyring and link into the destination keyring. 516 */ 517 struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid, 518 const struct cred *cred, key_perm_t perm, 519 unsigned long flags, 520 struct key_restriction *restrict_link, 521 struct key *dest) 522 { 523 struct key *keyring; 524 int ret; 525 526 keyring = key_alloc(&key_type_keyring, description, 527 uid, gid, cred, perm, flags, restrict_link); 528 if (!IS_ERR(keyring)) { 529 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); 530 if (ret < 0) { 531 key_put(keyring); 532 keyring = ERR_PTR(ret); 533 } 534 } 535 536 return keyring; 537 } 538 EXPORT_SYMBOL(keyring_alloc); 539 540 /** 541 * restrict_link_reject - Give -EPERM to restrict link 542 * @keyring: The keyring being added to. 543 * @type: The type of key being added. 544 * @payload: The payload of the key intended to be added. 545 * @restriction_key: Keys providing additional data for evaluating restriction. 546 * 547 * Reject the addition of any links to a keyring. It can be overridden by 548 * passing KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when 549 * adding a key to a keyring. 550 * 551 * This is meant to be stored in a key_restriction structure which is passed 552 * in the restrict_link parameter to keyring_alloc(). 553 */ 554 int restrict_link_reject(struct key *keyring, 555 const struct key_type *type, 556 const union key_payload *payload, 557 struct key *restriction_key) 558 { 559 return -EPERM; 560 } 561 562 /* 563 * By default, we keys found by getting an exact match on their descriptions. 564 */ 565 bool key_default_cmp(const struct key *key, 566 const struct key_match_data *match_data) 567 { 568 return strcmp(key->description, match_data->raw_data) == 0; 569 } 570 571 /* 572 * Iteration function to consider each key found. 573 */ 574 static int keyring_search_iterator(const void *object, void *iterator_data) 575 { 576 struct keyring_search_context *ctx = iterator_data; 577 const struct key *key = keyring_ptr_to_key(object); 578 unsigned long kflags = READ_ONCE(key->flags); 579 short state = READ_ONCE(key->state); 580 581 kenter("{%d}", key->serial); 582 583 /* ignore keys not of this type */ 584 if (key->type != ctx->index_key.type) { 585 kleave(" = 0 [!type]"); 586 return 0; 587 } 588 589 /* skip invalidated, revoked and expired keys */ 590 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { 591 time64_t expiry = READ_ONCE(key->expiry); 592 593 if (kflags & ((1 << KEY_FLAG_INVALIDATED) | 594 (1 << KEY_FLAG_REVOKED))) { 595 ctx->result = ERR_PTR(-EKEYREVOKED); 596 kleave(" = %d [invrev]", ctx->skipped_ret); 597 goto skipped; 598 } 599 600 if (expiry && ctx->now >= expiry) { 601 if (!(ctx->flags & KEYRING_SEARCH_SKIP_EXPIRED)) 602 ctx->result = ERR_PTR(-EKEYEXPIRED); 603 kleave(" = %d [expire]", ctx->skipped_ret); 604 goto skipped; 605 } 606 } 607 608 /* keys that don't match */ 609 if (!ctx->match_data.cmp(key, &ctx->match_data)) { 610 kleave(" = 0 [!match]"); 611 return 0; 612 } 613 614 /* key must have search permissions */ 615 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) && 616 key_task_permission(make_key_ref(key, ctx->possessed), 617 ctx->cred, KEY_NEED_SEARCH) < 0) { 618 ctx->result = ERR_PTR(-EACCES); 619 kleave(" = %d [!perm]", ctx->skipped_ret); 620 goto skipped; 621 } 622 623 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { 624 /* we set a different error code if we pass a negative key */ 625 if (state < 0) { 626 ctx->result = ERR_PTR(state); 627 kleave(" = %d [neg]", ctx->skipped_ret); 628 goto skipped; 629 } 630 } 631 632 /* Found */ 633 ctx->result = make_key_ref(key, ctx->possessed); 634 kleave(" = 1 [found]"); 635 return 1; 636 637 skipped: 638 return ctx->skipped_ret; 639 } 640 641 /* 642 * Search inside a keyring for a key. We can search by walking to it 643 * directly based on its index-key or we can iterate over the entire 644 * tree looking for it, based on the match function. 645 */ 646 static int search_keyring(struct key *keyring, struct keyring_search_context *ctx) 647 { 648 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_DIRECT) { 649 const void *object; 650 651 object = assoc_array_find(&keyring->keys, 652 &keyring_assoc_array_ops, 653 &ctx->index_key); 654 return object ? ctx->iterator(object, ctx) : 0; 655 } 656 return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx); 657 } 658 659 /* 660 * Search a tree of keyrings that point to other keyrings up to the maximum 661 * depth. 662 */ 663 static bool search_nested_keyrings(struct key *keyring, 664 struct keyring_search_context *ctx) 665 { 666 struct { 667 struct key *keyring; 668 struct assoc_array_node *node; 669 int slot; 670 } stack[KEYRING_SEARCH_MAX_DEPTH]; 671 672 struct assoc_array_shortcut *shortcut; 673 struct assoc_array_node *node; 674 struct assoc_array_ptr *ptr; 675 struct key *key; 676 int sp = 0, slot; 677 678 kenter("{%d},{%s,%s}", 679 keyring->serial, 680 ctx->index_key.type->name, 681 ctx->index_key.description); 682 683 #define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK) 684 BUG_ON((ctx->flags & STATE_CHECKS) == 0 || 685 (ctx->flags & STATE_CHECKS) == STATE_CHECKS); 686 687 if (ctx->index_key.description) 688 key_set_index_key(&ctx->index_key); 689 690 /* Check to see if this top-level keyring is what we are looking for 691 * and whether it is valid or not. 692 */ 693 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE || 694 keyring_compare_object(keyring, &ctx->index_key)) { 695 ctx->skipped_ret = 2; 696 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) { 697 case 1: 698 goto found; 699 case 2: 700 return false; 701 default: 702 break; 703 } 704 } 705 706 ctx->skipped_ret = 0; 707 708 /* Start processing a new keyring */ 709 descend_to_keyring: 710 kdebug("descend to %d", keyring->serial); 711 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | 712 (1 << KEY_FLAG_REVOKED))) 713 goto not_this_keyring; 714 715 /* Search through the keys in this keyring before its searching its 716 * subtrees. 717 */ 718 if (search_keyring(keyring, ctx)) 719 goto found; 720 721 /* Then manually iterate through the keyrings nested in this one. 722 * 723 * Start from the root node of the index tree. Because of the way the 724 * hash function has been set up, keyrings cluster on the leftmost 725 * branch of the root node (root slot 0) or in the root node itself. 726 * Non-keyrings avoid the leftmost branch of the root entirely (root 727 * slots 1-15). 728 */ 729 if (!(ctx->flags & KEYRING_SEARCH_RECURSE)) 730 goto not_this_keyring; 731 732 ptr = READ_ONCE(keyring->keys.root); 733 if (!ptr) 734 goto not_this_keyring; 735 736 if (assoc_array_ptr_is_shortcut(ptr)) { 737 /* If the root is a shortcut, either the keyring only contains 738 * keyring pointers (everything clusters behind root slot 0) or 739 * doesn't contain any keyring pointers. 740 */ 741 shortcut = assoc_array_ptr_to_shortcut(ptr); 742 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0) 743 goto not_this_keyring; 744 745 ptr = READ_ONCE(shortcut->next_node); 746 node = assoc_array_ptr_to_node(ptr); 747 goto begin_node; 748 } 749 750 node = assoc_array_ptr_to_node(ptr); 751 ptr = node->slots[0]; 752 if (!assoc_array_ptr_is_meta(ptr)) 753 goto begin_node; 754 755 descend_to_node: 756 /* Descend to a more distal node in this keyring's content tree and go 757 * through that. 758 */ 759 kdebug("descend"); 760 if (assoc_array_ptr_is_shortcut(ptr)) { 761 shortcut = assoc_array_ptr_to_shortcut(ptr); 762 ptr = READ_ONCE(shortcut->next_node); 763 BUG_ON(!assoc_array_ptr_is_node(ptr)); 764 } 765 node = assoc_array_ptr_to_node(ptr); 766 767 begin_node: 768 kdebug("begin_node"); 769 slot = 0; 770 ascend_to_node: 771 /* Go through the slots in a node */ 772 for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { 773 ptr = READ_ONCE(node->slots[slot]); 774 775 if (assoc_array_ptr_is_meta(ptr)) { 776 if (node->back_pointer || 777 assoc_array_ptr_is_shortcut(ptr)) 778 goto descend_to_node; 779 } 780 781 if (!keyring_ptr_is_keyring(ptr)) 782 continue; 783 784 key = keyring_ptr_to_key(ptr); 785 786 if (sp >= KEYRING_SEARCH_MAX_DEPTH) { 787 if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) { 788 ctx->result = ERR_PTR(-ELOOP); 789 return false; 790 } 791 goto not_this_keyring; 792 } 793 794 /* Search a nested keyring */ 795 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) && 796 key_task_permission(make_key_ref(key, ctx->possessed), 797 ctx->cred, KEY_NEED_SEARCH) < 0) 798 continue; 799 800 /* stack the current position */ 801 stack[sp].keyring = keyring; 802 stack[sp].node = node; 803 stack[sp].slot = slot; 804 sp++; 805 806 /* begin again with the new keyring */ 807 keyring = key; 808 goto descend_to_keyring; 809 } 810 811 /* We've dealt with all the slots in the current node, so now we need 812 * to ascend to the parent and continue processing there. 813 */ 814 ptr = READ_ONCE(node->back_pointer); 815 slot = node->parent_slot; 816 817 if (ptr && assoc_array_ptr_is_shortcut(ptr)) { 818 shortcut = assoc_array_ptr_to_shortcut(ptr); 819 ptr = READ_ONCE(shortcut->back_pointer); 820 slot = shortcut->parent_slot; 821 } 822 if (!ptr) 823 goto not_this_keyring; 824 node = assoc_array_ptr_to_node(ptr); 825 slot++; 826 827 /* If we've ascended to the root (zero backpointer), we must have just 828 * finished processing the leftmost branch rather than the root slots - 829 * so there can't be any more keyrings for us to find. 830 */ 831 if (node->back_pointer) { 832 kdebug("ascend %d", slot); 833 goto ascend_to_node; 834 } 835 836 /* The keyring we're looking at was disqualified or didn't contain a 837 * matching key. 838 */ 839 not_this_keyring: 840 kdebug("not_this_keyring %d", sp); 841 if (sp <= 0) { 842 kleave(" = false"); 843 return false; 844 } 845 846 /* Resume the processing of a keyring higher up in the tree */ 847 sp--; 848 keyring = stack[sp].keyring; 849 node = stack[sp].node; 850 slot = stack[sp].slot + 1; 851 kdebug("ascend to %d [%d]", keyring->serial, slot); 852 goto ascend_to_node; 853 854 /* We found a viable match */ 855 found: 856 key = key_ref_to_ptr(ctx->result); 857 key_check(key); 858 if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) { 859 key->last_used_at = ctx->now; 860 keyring->last_used_at = ctx->now; 861 while (sp > 0) 862 stack[--sp].keyring->last_used_at = ctx->now; 863 } 864 kleave(" = true"); 865 return true; 866 } 867 868 /** 869 * keyring_search_rcu - Search a keyring tree for a matching key under RCU 870 * @keyring_ref: A pointer to the keyring with possession indicator. 871 * @ctx: The keyring search context. 872 * 873 * Search the supplied keyring tree for a key that matches the criteria given. 874 * The root keyring and any linked keyrings must grant Search permission to the 875 * caller to be searchable and keys can only be found if they too grant Search 876 * to the caller. The possession flag on the root keyring pointer controls use 877 * of the possessor bits in permissions checking of the entire tree. In 878 * addition, the LSM gets to forbid keyring searches and key matches. 879 * 880 * The search is performed as a breadth-then-depth search up to the prescribed 881 * limit (KEYRING_SEARCH_MAX_DEPTH). The caller must hold the RCU read lock to 882 * prevent keyrings from being destroyed or rearranged whilst they are being 883 * searched. 884 * 885 * Keys are matched to the type provided and are then filtered by the match 886 * function, which is given the description to use in any way it sees fit. The 887 * match function may use any attributes of a key that it wishes to 888 * determine the match. Normally the match function from the key type would be 889 * used. 890 * 891 * RCU can be used to prevent the keyring key lists from disappearing without 892 * the need to take lots of locks. 893 * 894 * Returns a pointer to the found key and increments the key usage count if 895 * successful; -EAGAIN if no matching keys were found, or if expired or revoked 896 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the 897 * specified keyring wasn't a keyring. 898 * 899 * In the case of a successful return, the possession attribute from 900 * @keyring_ref is propagated to the returned key reference. 901 */ 902 key_ref_t keyring_search_rcu(key_ref_t keyring_ref, 903 struct keyring_search_context *ctx) 904 { 905 struct key *keyring; 906 long err; 907 908 ctx->iterator = keyring_search_iterator; 909 ctx->possessed = is_key_possessed(keyring_ref); 910 ctx->result = ERR_PTR(-EAGAIN); 911 912 keyring = key_ref_to_ptr(keyring_ref); 913 key_check(keyring); 914 915 if (keyring->type != &key_type_keyring) 916 return ERR_PTR(-ENOTDIR); 917 918 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) { 919 err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH); 920 if (err < 0) 921 return ERR_PTR(err); 922 } 923 924 ctx->now = ktime_get_real_seconds(); 925 if (search_nested_keyrings(keyring, ctx)) 926 __key_get(key_ref_to_ptr(ctx->result)); 927 return ctx->result; 928 } 929 930 /** 931 * keyring_search - Search the supplied keyring tree for a matching key 932 * @keyring: The root of the keyring tree to be searched. 933 * @type: The type of keyring we want to find. 934 * @description: The name of the keyring we want to find. 935 * @recurse: True to search the children of @keyring also 936 * 937 * As keyring_search_rcu() above, but using the current task's credentials and 938 * type's default matching function and preferred search method. 939 */ 940 key_ref_t keyring_search(key_ref_t keyring, 941 struct key_type *type, 942 const char *description, 943 bool recurse) 944 { 945 struct keyring_search_context ctx = { 946 .index_key.type = type, 947 .index_key.description = description, 948 .index_key.desc_len = strlen(description), 949 .cred = current_cred(), 950 .match_data.cmp = key_default_cmp, 951 .match_data.raw_data = description, 952 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 953 .flags = KEYRING_SEARCH_DO_STATE_CHECK, 954 }; 955 key_ref_t key; 956 int ret; 957 958 if (recurse) 959 ctx.flags |= KEYRING_SEARCH_RECURSE; 960 if (type->match_preparse) { 961 ret = type->match_preparse(&ctx.match_data); 962 if (ret < 0) 963 return ERR_PTR(ret); 964 } 965 966 rcu_read_lock(); 967 key = keyring_search_rcu(keyring, &ctx); 968 rcu_read_unlock(); 969 970 if (type->match_free) 971 type->match_free(&ctx.match_data); 972 return key; 973 } 974 EXPORT_SYMBOL(keyring_search); 975 976 static struct key_restriction *keyring_restriction_alloc( 977 key_restrict_link_func_t check) 978 { 979 struct key_restriction *keyres = 980 kzalloc_obj(struct key_restriction); 981 982 if (!keyres) 983 return ERR_PTR(-ENOMEM); 984 985 keyres->check = check; 986 987 return keyres; 988 } 989 990 /* 991 * Semaphore to serialise restriction setup to prevent reference count 992 * cycles through restriction key pointers. 993 */ 994 static DECLARE_RWSEM(keyring_serialise_restrict_sem); 995 996 /* 997 * Check for restriction cycles that would prevent keyring garbage collection. 998 * keyring_serialise_restrict_sem must be held. 999 */ 1000 static bool keyring_detect_restriction_cycle(const struct key *dest_keyring, 1001 struct key_restriction *keyres) 1002 { 1003 while (keyres && keyres->key && 1004 keyres->key->type == &key_type_keyring) { 1005 if (keyres->key == dest_keyring) 1006 return true; 1007 1008 keyres = keyres->key->restrict_link; 1009 } 1010 1011 return false; 1012 } 1013 1014 /** 1015 * keyring_restrict - Look up and apply a restriction to a keyring 1016 * @keyring_ref: The keyring to be restricted 1017 * @type: The key type that will provide the restriction checker. 1018 * @restriction: The restriction options to apply to the keyring 1019 * 1020 * Look up a keyring and apply a restriction to it. The restriction is managed 1021 * by the specific key type, but can be configured by the options specified in 1022 * the restriction string. 1023 */ 1024 int keyring_restrict(key_ref_t keyring_ref, const char *type, 1025 const char *restriction) 1026 { 1027 struct key *keyring; 1028 struct key_type *restrict_type = NULL; 1029 struct key_restriction *restrict_link; 1030 int ret = 0; 1031 1032 keyring = key_ref_to_ptr(keyring_ref); 1033 key_check(keyring); 1034 1035 if (keyring->type != &key_type_keyring) 1036 return -ENOTDIR; 1037 1038 if (!type) { 1039 restrict_link = keyring_restriction_alloc(restrict_link_reject); 1040 } else { 1041 restrict_type = key_type_lookup(type); 1042 1043 if (IS_ERR(restrict_type)) 1044 return PTR_ERR(restrict_type); 1045 1046 if (!restrict_type->lookup_restriction) { 1047 ret = -ENOENT; 1048 goto error; 1049 } 1050 1051 restrict_link = restrict_type->lookup_restriction(restriction); 1052 } 1053 1054 if (IS_ERR(restrict_link)) { 1055 ret = PTR_ERR(restrict_link); 1056 goto error; 1057 } 1058 1059 down_write(&keyring->sem); 1060 down_write(&keyring_serialise_restrict_sem); 1061 1062 if (keyring->restrict_link) { 1063 ret = -EEXIST; 1064 } else if (keyring_detect_restriction_cycle(keyring, restrict_link)) { 1065 ret = -EDEADLK; 1066 } else { 1067 keyring->restrict_link = restrict_link; 1068 notify_key(keyring, NOTIFY_KEY_SETATTR, 0); 1069 } 1070 1071 up_write(&keyring_serialise_restrict_sem); 1072 up_write(&keyring->sem); 1073 1074 if (ret < 0) { 1075 key_put(restrict_link->key); 1076 kfree(restrict_link); 1077 } 1078 1079 error: 1080 if (restrict_type) 1081 key_type_put(restrict_type); 1082 1083 return ret; 1084 } 1085 EXPORT_SYMBOL(keyring_restrict); 1086 1087 /* 1088 * Search the given keyring for a key that might be updated. 1089 * 1090 * The caller must guarantee that the keyring is a keyring and that the 1091 * permission is granted to modify the keyring as no check is made here. The 1092 * caller must also hold a lock on the keyring semaphore. 1093 * 1094 * Returns a pointer to the found key with usage count incremented if 1095 * successful and returns NULL if not found. Revoked and invalidated keys are 1096 * skipped over. 1097 * 1098 * If successful, the possession indicator is propagated from the keyring ref 1099 * to the returned key reference. 1100 */ 1101 key_ref_t find_key_to_update(key_ref_t keyring_ref, 1102 const struct keyring_index_key *index_key) 1103 { 1104 struct key *keyring, *key; 1105 const void *object; 1106 1107 keyring = key_ref_to_ptr(keyring_ref); 1108 1109 kenter("{%d},{%s,%s}", 1110 keyring->serial, index_key->type->name, index_key->description); 1111 1112 guard(rcu)(); 1113 object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops, 1114 index_key); 1115 1116 if (object) 1117 goto found; 1118 1119 kleave(" = NULL"); 1120 return NULL; 1121 1122 found: 1123 key = keyring_ptr_to_key(object); 1124 if (key->flags & ((1 << KEY_FLAG_INVALIDATED) | 1125 (1 << KEY_FLAG_REVOKED))) { 1126 kleave(" = NULL [x]"); 1127 return NULL; 1128 } 1129 __key_get(key); 1130 kleave(" = {%d}", key->serial); 1131 return make_key_ref(key, is_key_possessed(keyring_ref)); 1132 } 1133 1134 /* 1135 * Find a keyring with the specified name. 1136 * 1137 * Only keyrings that have nonzero refcount, are not revoked, and are owned by a 1138 * user in the current user namespace are considered. If @uid_keyring is %true, 1139 * the keyring additionally must have been allocated as a user or user session 1140 * keyring; otherwise, it must grant Search permission directly to the caller. 1141 * 1142 * Returns a pointer to the keyring with the keyring's refcount having being 1143 * incremented on success. -ENOKEY is returned if a key could not be found. 1144 */ 1145 struct key *find_keyring_by_name(const char *name, bool uid_keyring) 1146 { 1147 struct user_namespace *ns = current_user_ns(); 1148 struct key *keyring; 1149 1150 if (!name) 1151 return ERR_PTR(-EINVAL); 1152 1153 read_lock(&keyring_name_lock); 1154 1155 /* Search this hash bucket for a keyring with a matching name that 1156 * grants Search permission and that hasn't been revoked 1157 */ 1158 list_for_each_entry(keyring, &ns->keyring_name_list, name_link) { 1159 if (!kuid_has_mapping(ns, keyring->user->uid)) 1160 continue; 1161 1162 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 1163 continue; 1164 1165 if (strcmp(keyring->description, name) != 0) 1166 continue; 1167 1168 if (uid_keyring) { 1169 if (!test_bit(KEY_FLAG_UID_KEYRING, 1170 &keyring->flags)) 1171 continue; 1172 } else { 1173 if (key_permission(make_key_ref(keyring, 0), 1174 KEY_NEED_SEARCH) < 0) 1175 continue; 1176 } 1177 1178 /* we've got a match but we might end up racing with 1179 * key_cleanup() if the keyring is currently 'dead' 1180 * (ie. it has a zero usage count) */ 1181 if (!refcount_inc_not_zero(&keyring->usage)) 1182 continue; 1183 keyring->last_used_at = ktime_get_real_seconds(); 1184 goto out; 1185 } 1186 1187 keyring = ERR_PTR(-ENOKEY); 1188 out: 1189 read_unlock(&keyring_name_lock); 1190 return keyring; 1191 } 1192 1193 static int keyring_detect_cycle_iterator(const void *object, 1194 void *iterator_data) 1195 { 1196 struct keyring_search_context *ctx = iterator_data; 1197 const struct key *key = keyring_ptr_to_key(object); 1198 1199 kenter("{%d}", key->serial); 1200 1201 /* We might get a keyring with matching index-key that is nonetheless a 1202 * different keyring. */ 1203 if (key != ctx->match_data.raw_data) 1204 return 0; 1205 1206 ctx->result = ERR_PTR(-EDEADLK); 1207 return 1; 1208 } 1209 1210 /* 1211 * See if a cycle will be created by inserting acyclic tree B in acyclic 1212 * tree A at the topmost level (ie: as a direct child of A). 1213 * 1214 * Since we are adding B to A at the top level, checking for cycles should just 1215 * be a matter of seeing if node A is somewhere in tree B. 1216 */ 1217 static int keyring_detect_cycle(struct key *A, struct key *B) 1218 { 1219 struct keyring_search_context ctx = { 1220 .index_key = A->index_key, 1221 .match_data.raw_data = A, 1222 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 1223 .iterator = keyring_detect_cycle_iterator, 1224 .flags = (KEYRING_SEARCH_NO_STATE_CHECK | 1225 KEYRING_SEARCH_NO_UPDATE_TIME | 1226 KEYRING_SEARCH_NO_CHECK_PERM | 1227 KEYRING_SEARCH_DETECT_TOO_DEEP | 1228 KEYRING_SEARCH_RECURSE), 1229 }; 1230 1231 rcu_read_lock(); 1232 search_nested_keyrings(B, &ctx); 1233 rcu_read_unlock(); 1234 return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result); 1235 } 1236 1237 /* 1238 * Lock keyring for link. 1239 */ 1240 int __key_link_lock(struct key *keyring, 1241 const struct keyring_index_key *index_key) 1242 __acquires(&keyring->sem) 1243 __acquires(&keyring_serialise_link_lock) 1244 { 1245 if (keyring->type != &key_type_keyring) 1246 return -ENOTDIR; 1247 1248 down_write(&keyring->sem); 1249 1250 /* Serialise link/link calls to prevent parallel calls causing a cycle 1251 * when linking two keyring in opposite orders. 1252 */ 1253 if (index_key->type == &key_type_keyring) 1254 mutex_lock(&keyring_serialise_link_lock); 1255 1256 return 0; 1257 } 1258 1259 /* 1260 * Lock keyrings for move (link/unlink combination). 1261 */ 1262 int __key_move_lock(struct key *l_keyring, struct key *u_keyring, 1263 const struct keyring_index_key *index_key) 1264 __acquires(&l_keyring->sem) 1265 __acquires(&u_keyring->sem) 1266 __acquires(&keyring_serialise_link_lock) 1267 { 1268 if (l_keyring->type != &key_type_keyring || 1269 u_keyring->type != &key_type_keyring) 1270 return -ENOTDIR; 1271 1272 /* We have to be very careful here to take the keyring locks in the 1273 * right order, lest we open ourselves to deadlocking against another 1274 * move operation. 1275 */ 1276 if (l_keyring < u_keyring) { 1277 down_write(&l_keyring->sem); 1278 down_write_nested(&u_keyring->sem, 1); 1279 } else { 1280 down_write(&u_keyring->sem); 1281 down_write_nested(&l_keyring->sem, 1); 1282 } 1283 1284 /* Serialise link/link calls to prevent parallel calls causing a cycle 1285 * when linking two keyring in opposite orders. 1286 */ 1287 if (index_key->type == &key_type_keyring) 1288 mutex_lock(&keyring_serialise_link_lock); 1289 1290 return 0; 1291 } 1292 1293 /* 1294 * Preallocate memory so that a key can be linked into to a keyring. 1295 */ 1296 int __key_link_begin(struct key *keyring, 1297 const struct keyring_index_key *index_key, 1298 struct assoc_array_edit **_edit) 1299 { 1300 struct assoc_array_edit *edit; 1301 int ret; 1302 1303 kenter("%d,%s,%s,", 1304 keyring->serial, index_key->type->name, index_key->description); 1305 1306 BUG_ON(index_key->desc_len == 0); 1307 BUG_ON(*_edit != NULL); 1308 1309 *_edit = NULL; 1310 1311 ret = -EKEYREVOKED; 1312 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 1313 goto error; 1314 1315 /* Create an edit script that will insert/replace the key in the 1316 * keyring tree. 1317 */ 1318 edit = assoc_array_insert(&keyring->keys, 1319 &keyring_assoc_array_ops, 1320 index_key, 1321 NULL); 1322 if (IS_ERR(edit)) { 1323 ret = PTR_ERR(edit); 1324 goto error; 1325 } 1326 1327 /* If we're not replacing a link in-place then we're going to need some 1328 * extra quota. 1329 */ 1330 if (!edit->dead_leaf) { 1331 ret = key_payload_reserve(keyring, 1332 keyring->datalen + KEYQUOTA_LINK_BYTES); 1333 if (ret < 0) 1334 goto error_cancel; 1335 } 1336 1337 *_edit = edit; 1338 kleave(" = 0"); 1339 return 0; 1340 1341 error_cancel: 1342 assoc_array_cancel_edit(edit); 1343 error: 1344 kleave(" = %d", ret); 1345 return ret; 1346 } 1347 1348 /* 1349 * Check already instantiated keys aren't going to be a problem. 1350 * 1351 * The caller must have called __key_link_begin(). Don't need to call this for 1352 * keys that were created since __key_link_begin() was called. 1353 */ 1354 int __key_link_check_live_key(struct key *keyring, struct key *key) 1355 { 1356 if (key->type == &key_type_keyring) 1357 /* check that we aren't going to create a cycle by linking one 1358 * keyring to another */ 1359 return keyring_detect_cycle(keyring, key); 1360 return 0; 1361 } 1362 1363 /* 1364 * Link a key into to a keyring. 1365 * 1366 * Must be called with __key_link_begin() having being called. Discards any 1367 * already extant link to matching key if there is one, so that each keyring 1368 * holds at most one link to any given key of a particular type+description 1369 * combination. 1370 */ 1371 void __key_link(struct key *keyring, struct key *key, 1372 struct assoc_array_edit **_edit) 1373 { 1374 __key_get(key); 1375 assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key)); 1376 assoc_array_apply_edit(*_edit); 1377 *_edit = NULL; 1378 notify_key(keyring, NOTIFY_KEY_LINKED, key_serial(key)); 1379 } 1380 1381 /* 1382 * Finish linking a key into to a keyring. 1383 * 1384 * Must be called with __key_link_begin() having being called. 1385 */ 1386 void __key_link_end(struct key *keyring, 1387 const struct keyring_index_key *index_key, 1388 struct assoc_array_edit *edit) 1389 __releases(&keyring->sem) 1390 __releases(&keyring_serialise_link_lock) 1391 { 1392 BUG_ON(index_key->type == NULL); 1393 kenter("%d,%s,", keyring->serial, index_key->type->name); 1394 1395 if (edit) { 1396 if (!edit->dead_leaf) { 1397 key_payload_reserve(keyring, 1398 keyring->datalen - KEYQUOTA_LINK_BYTES); 1399 } 1400 assoc_array_cancel_edit(edit); 1401 } 1402 up_write(&keyring->sem); 1403 1404 if (index_key->type == &key_type_keyring) 1405 mutex_unlock(&keyring_serialise_link_lock); 1406 } 1407 1408 /* 1409 * Check addition of keys to restricted keyrings. 1410 */ 1411 static int __key_link_check_restriction(struct key *keyring, struct key *key) 1412 { 1413 if (!keyring->restrict_link || !keyring->restrict_link->check) 1414 return 0; 1415 return keyring->restrict_link->check(keyring, key->type, &key->payload, 1416 keyring->restrict_link->key); 1417 } 1418 1419 /** 1420 * key_link - Link a key to a keyring 1421 * @keyring: The keyring to make the link in. 1422 * @key: The key to link to. 1423 * 1424 * Make a link in a keyring to a key, such that the keyring holds a reference 1425 * on that key and the key can potentially be found by searching that keyring. 1426 * 1427 * This function will write-lock the keyring's semaphore and will consume some 1428 * of the user's key data quota to hold the link. 1429 * 1430 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, 1431 * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is 1432 * full, -EDQUOT if there is insufficient key data quota remaining to add 1433 * another link or -ENOMEM if there's insufficient memory. 1434 * 1435 * It is assumed that the caller has checked that it is permitted for a link to 1436 * be made (the keyring should have Write permission and the key Link 1437 * permission). 1438 */ 1439 int key_link(struct key *keyring, struct key *key) 1440 { 1441 struct assoc_array_edit *edit = NULL; 1442 int ret; 1443 1444 kenter("{%d,%d}", keyring->serial, refcount_read(&keyring->usage)); 1445 1446 key_check(keyring); 1447 key_check(key); 1448 1449 ret = __key_link_lock(keyring, &key->index_key); 1450 if (ret < 0) 1451 goto error; 1452 1453 ret = __key_link_begin(keyring, &key->index_key, &edit); 1454 if (ret < 0) 1455 goto error_end; 1456 1457 kdebug("begun {%d,%d}", keyring->serial, refcount_read(&keyring->usage)); 1458 ret = __key_link_check_restriction(keyring, key); 1459 if (ret == 0) 1460 ret = __key_link_check_live_key(keyring, key); 1461 if (ret == 0) 1462 __key_link(keyring, key, &edit); 1463 1464 error_end: 1465 __key_link_end(keyring, &key->index_key, edit); 1466 error: 1467 kleave(" = %d {%d,%d}", ret, keyring->serial, refcount_read(&keyring->usage)); 1468 return ret; 1469 } 1470 EXPORT_SYMBOL(key_link); 1471 1472 /* 1473 * Lock a keyring for unlink. 1474 */ 1475 static int __key_unlink_lock(struct key *keyring) 1476 __acquires(&keyring->sem) 1477 { 1478 if (keyring->type != &key_type_keyring) 1479 return -ENOTDIR; 1480 1481 down_write(&keyring->sem); 1482 return 0; 1483 } 1484 1485 /* 1486 * Begin the process of unlinking a key from a keyring. 1487 */ 1488 static int __key_unlink_begin(struct key *keyring, struct key *key, 1489 struct assoc_array_edit **_edit) 1490 { 1491 struct assoc_array_edit *edit; 1492 1493 BUG_ON(*_edit != NULL); 1494 1495 edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops, 1496 &key->index_key); 1497 if (IS_ERR(edit)) 1498 return PTR_ERR(edit); 1499 1500 if (!edit) 1501 return -ENOENT; 1502 1503 *_edit = edit; 1504 return 0; 1505 } 1506 1507 /* 1508 * Apply an unlink change. 1509 */ 1510 static void __key_unlink(struct key *keyring, struct key *key, 1511 struct assoc_array_edit **_edit) 1512 { 1513 assoc_array_apply_edit(*_edit); 1514 notify_key(keyring, NOTIFY_KEY_UNLINKED, key_serial(key)); 1515 *_edit = NULL; 1516 key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES); 1517 } 1518 1519 /* 1520 * Finish unlinking a key from to a keyring. 1521 */ 1522 static void __key_unlink_end(struct key *keyring, 1523 struct key *key, 1524 struct assoc_array_edit *edit) 1525 __releases(&keyring->sem) 1526 { 1527 if (edit) 1528 assoc_array_cancel_edit(edit); 1529 up_write(&keyring->sem); 1530 } 1531 1532 /** 1533 * key_unlink - Unlink the first link to a key from a keyring. 1534 * @keyring: The keyring to remove the link from. 1535 * @key: The key the link is to. 1536 * 1537 * Remove a link from a keyring to a key. 1538 * 1539 * This function will write-lock the keyring's semaphore. 1540 * 1541 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if 1542 * the key isn't linked to by the keyring or -ENOMEM if there's insufficient 1543 * memory. 1544 * 1545 * It is assumed that the caller has checked that it is permitted for a link to 1546 * be removed (the keyring should have Write permission; no permissions are 1547 * required on the key). 1548 */ 1549 int key_unlink(struct key *keyring, struct key *key) 1550 { 1551 struct assoc_array_edit *edit = NULL; 1552 int ret; 1553 1554 key_check(keyring); 1555 key_check(key); 1556 1557 ret = __key_unlink_lock(keyring); 1558 if (ret < 0) 1559 return ret; 1560 1561 ret = __key_unlink_begin(keyring, key, &edit); 1562 if (ret == 0) 1563 __key_unlink(keyring, key, &edit); 1564 __key_unlink_end(keyring, key, edit); 1565 return ret; 1566 } 1567 EXPORT_SYMBOL(key_unlink); 1568 1569 /** 1570 * key_move - Move a key from one keyring to another 1571 * @key: The key to move 1572 * @from_keyring: The keyring to remove the link from. 1573 * @to_keyring: The keyring to make the link in. 1574 * @flags: Qualifying flags, such as KEYCTL_MOVE_EXCL. 1575 * 1576 * Make a link in @to_keyring to a key, such that the keyring holds a reference 1577 * on that key and the key can potentially be found by searching that keyring 1578 * whilst simultaneously removing a link to the key from @from_keyring. 1579 * 1580 * This function will write-lock both keyring's semaphores and will consume 1581 * some of the user's key data quota to hold the link on @to_keyring. 1582 * 1583 * Returns 0 if successful, -ENOTDIR if either keyring isn't a keyring, 1584 * -EKEYREVOKED if either keyring has been revoked, -ENFILE if the second 1585 * keyring is full, -EDQUOT if there is insufficient key data quota remaining 1586 * to add another link or -ENOMEM if there's insufficient memory. If 1587 * KEYCTL_MOVE_EXCL is set, then -EEXIST will be returned if there's already a 1588 * matching key in @to_keyring. 1589 * 1590 * It is assumed that the caller has checked that it is permitted for a link to 1591 * be made (the keyring should have Write permission and the key Link 1592 * permission). 1593 */ 1594 int key_move(struct key *key, 1595 struct key *from_keyring, 1596 struct key *to_keyring, 1597 unsigned int flags) 1598 { 1599 struct assoc_array_edit *from_edit = NULL, *to_edit = NULL; 1600 int ret; 1601 1602 kenter("%d,%d,%d", key->serial, from_keyring->serial, to_keyring->serial); 1603 1604 if (from_keyring == to_keyring) 1605 return 0; 1606 1607 key_check(key); 1608 key_check(from_keyring); 1609 key_check(to_keyring); 1610 1611 ret = __key_move_lock(from_keyring, to_keyring, &key->index_key); 1612 if (ret < 0) 1613 goto out; 1614 ret = __key_unlink_begin(from_keyring, key, &from_edit); 1615 if (ret < 0) 1616 goto error; 1617 ret = __key_link_begin(to_keyring, &key->index_key, &to_edit); 1618 if (ret < 0) 1619 goto error; 1620 1621 ret = -EEXIST; 1622 if (to_edit->dead_leaf && (flags & KEYCTL_MOVE_EXCL)) 1623 goto error; 1624 1625 ret = __key_link_check_restriction(to_keyring, key); 1626 if (ret < 0) 1627 goto error; 1628 ret = __key_link_check_live_key(to_keyring, key); 1629 if (ret < 0) 1630 goto error; 1631 1632 __key_unlink(from_keyring, key, &from_edit); 1633 __key_link(to_keyring, key, &to_edit); 1634 error: 1635 __key_link_end(to_keyring, &key->index_key, to_edit); 1636 __key_unlink_end(from_keyring, key, from_edit); 1637 out: 1638 kleave(" = %d", ret); 1639 return ret; 1640 } 1641 EXPORT_SYMBOL(key_move); 1642 1643 /** 1644 * keyring_clear - Clear a keyring 1645 * @keyring: The keyring to clear. 1646 * 1647 * Clear the contents of the specified keyring. 1648 * 1649 * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring. 1650 */ 1651 int keyring_clear(struct key *keyring) 1652 { 1653 struct assoc_array_edit *edit; 1654 int ret; 1655 1656 if (keyring->type != &key_type_keyring) 1657 return -ENOTDIR; 1658 1659 down_write(&keyring->sem); 1660 1661 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); 1662 if (IS_ERR(edit)) { 1663 ret = PTR_ERR(edit); 1664 } else { 1665 if (edit) 1666 assoc_array_apply_edit(edit); 1667 notify_key(keyring, NOTIFY_KEY_CLEARED, 0); 1668 key_payload_reserve(keyring, 0); 1669 ret = 0; 1670 } 1671 1672 up_write(&keyring->sem); 1673 return ret; 1674 } 1675 EXPORT_SYMBOL(keyring_clear); 1676 1677 /* 1678 * Dispose of the links from a revoked keyring. 1679 * 1680 * This is called with the key sem write-locked. 1681 */ 1682 static void keyring_revoke(struct key *keyring) 1683 { 1684 struct assoc_array_edit *edit; 1685 1686 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); 1687 if (!IS_ERR(edit)) { 1688 if (edit) 1689 assoc_array_apply_edit(edit); 1690 key_payload_reserve(keyring, 0); 1691 } 1692 } 1693 1694 static bool keyring_gc_select_iterator(void *object, void *iterator_data) 1695 { 1696 struct key *key = keyring_ptr_to_key(object); 1697 time64_t *limit = iterator_data; 1698 1699 if (key_is_dead(key, *limit)) 1700 return false; 1701 key_get(key); 1702 return true; 1703 } 1704 1705 static int keyring_gc_check_iterator(const void *object, void *iterator_data) 1706 { 1707 const struct key *key = keyring_ptr_to_key(object); 1708 time64_t *limit = iterator_data; 1709 1710 key_check(key); 1711 return key_is_dead(key, *limit); 1712 } 1713 1714 /* 1715 * Garbage collect pointers from a keyring. 1716 * 1717 * Not called with any locks held. The keyring's key struct will not be 1718 * deallocated under us as only our caller may deallocate it. 1719 */ 1720 void keyring_gc(struct key *keyring, time64_t limit) 1721 { 1722 int result; 1723 1724 kenter("%x{%s}", keyring->serial, keyring->description ?: ""); 1725 1726 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | 1727 (1 << KEY_FLAG_REVOKED))) 1728 goto dont_gc; 1729 1730 /* scan the keyring looking for dead keys */ 1731 rcu_read_lock(); 1732 result = assoc_array_iterate(&keyring->keys, 1733 keyring_gc_check_iterator, &limit); 1734 rcu_read_unlock(); 1735 if (result == true) 1736 goto do_gc; 1737 1738 dont_gc: 1739 kleave(" [no gc]"); 1740 return; 1741 1742 do_gc: 1743 down_write(&keyring->sem); 1744 assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops, 1745 keyring_gc_select_iterator, &limit); 1746 up_write(&keyring->sem); 1747 kleave(" [gc]"); 1748 } 1749 1750 /* 1751 * Garbage collect restriction pointers from a keyring. 1752 * 1753 * Keyring restrictions are associated with a key type, and must be cleaned 1754 * up if the key type is unregistered. The restriction is altered to always 1755 * reject additional keys so a keyring cannot be opened up by unregistering 1756 * a key type. 1757 * 1758 * Not called with any keyring locks held. The keyring's key struct will not 1759 * be deallocated under us as only our caller may deallocate it. 1760 * 1761 * The caller is required to hold key_types_sem and dead_type->sem. This is 1762 * fulfilled by key_gc_keytype() holding the locks on behalf of 1763 * key_garbage_collector(), which it invokes on a workqueue. 1764 */ 1765 void keyring_restriction_gc(struct key *keyring, struct key_type *dead_type) 1766 { 1767 struct key_restriction *keyres; 1768 1769 kenter("%x{%s}", keyring->serial, keyring->description ?: ""); 1770 1771 /* 1772 * keyring->restrict_link is only assigned at key allocation time 1773 * or with the key type locked, so the only values that could be 1774 * concurrently assigned to keyring->restrict_link are for key 1775 * types other than dead_type. Given this, it's ok to check 1776 * the key type before acquiring keyring->sem. 1777 */ 1778 if (!dead_type || !keyring->restrict_link || 1779 keyring->restrict_link->keytype != dead_type) { 1780 kleave(" [no restriction gc]"); 1781 return; 1782 } 1783 1784 /* Lock the keyring to ensure that a link is not in progress */ 1785 down_write(&keyring->sem); 1786 1787 keyres = keyring->restrict_link; 1788 1789 keyres->check = restrict_link_reject; 1790 1791 key_put(keyres->key); 1792 keyres->key = NULL; 1793 keyres->keytype = NULL; 1794 1795 up_write(&keyring->sem); 1796 1797 kleave(" [restriction gc]"); 1798 } 1799