1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Keyring handling 3 * 4 * Copyright (C) 2004-2005, 2008, 2013 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/export.h> 9 #include <linux/init.h> 10 #include <linux/sched.h> 11 #include <linux/slab.h> 12 #include <linux/security.h> 13 #include <linux/seq_file.h> 14 #include <linux/err.h> 15 #include <linux/user_namespace.h> 16 #include <linux/nsproxy.h> 17 #include <keys/keyring-type.h> 18 #include <keys/user-type.h> 19 #include <linux/assoc_array_priv.h> 20 #include <linux/uaccess.h> 21 #include <net/net_namespace.h> 22 #include "internal.h" 23 24 /* 25 * When plumbing the depths of the key tree, this sets a hard limit 26 * set on how deep we're willing to go. 27 */ 28 #define KEYRING_SEARCH_MAX_DEPTH 6 29 30 /* 31 * We mark pointers we pass to the associative array with bit 1 set if 32 * they're keyrings and clear otherwise. 33 */ 34 #define KEYRING_PTR_SUBTYPE 0x2UL 35 36 static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x) 37 { 38 return (unsigned long)x & KEYRING_PTR_SUBTYPE; 39 } 40 static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x) 41 { 42 void *object = assoc_array_ptr_to_leaf(x); 43 return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE); 44 } 45 static inline void *keyring_key_to_ptr(struct key *key) 46 { 47 if (key->type == &key_type_keyring) 48 return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE); 49 return key; 50 } 51 52 static DEFINE_RWLOCK(keyring_name_lock); 53 54 /* 55 * Clean up the bits of user_namespace that belong to us. 56 */ 57 void key_free_user_ns(struct user_namespace *ns) 58 { 59 write_lock(&keyring_name_lock); 60 list_del_init(&ns->keyring_name_list); 61 write_unlock(&keyring_name_lock); 62 63 key_put(ns->user_keyring_register); 64 #ifdef CONFIG_PERSISTENT_KEYRINGS 65 key_put(ns->persistent_keyring_register); 66 #endif 67 } 68 69 /* 70 * The keyring key type definition. Keyrings are simply keys of this type and 71 * can be treated as ordinary keys in addition to having their own special 72 * operations. 73 */ 74 static int keyring_preparse(struct key_preparsed_payload *prep); 75 static void keyring_free_preparse(struct key_preparsed_payload *prep); 76 static int keyring_instantiate(struct key *keyring, 77 struct key_preparsed_payload *prep); 78 static void keyring_revoke(struct key *keyring); 79 static void keyring_destroy(struct key *keyring); 80 static void keyring_describe(const struct key *keyring, struct seq_file *m); 81 static long keyring_read(const struct key *keyring, 82 char __user *buffer, size_t buflen); 83 84 struct key_type key_type_keyring = { 85 .name = "keyring", 86 .def_datalen = 0, 87 .preparse = keyring_preparse, 88 .free_preparse = keyring_free_preparse, 89 .instantiate = keyring_instantiate, 90 .revoke = keyring_revoke, 91 .destroy = keyring_destroy, 92 .describe = keyring_describe, 93 .read = keyring_read, 94 }; 95 EXPORT_SYMBOL(key_type_keyring); 96 97 /* 98 * Semaphore to serialise link/link calls to prevent two link calls in parallel 99 * introducing a cycle. 100 */ 101 static DEFINE_MUTEX(keyring_serialise_link_lock); 102 103 /* 104 * Publish the name of a keyring so that it can be found by name (if it has 105 * one and it doesn't begin with a dot). 106 */ 107 static void keyring_publish_name(struct key *keyring) 108 { 109 struct user_namespace *ns = current_user_ns(); 110 111 if (keyring->description && 112 keyring->description[0] && 113 keyring->description[0] != '.') { 114 write_lock(&keyring_name_lock); 115 list_add_tail(&keyring->name_link, &ns->keyring_name_list); 116 write_unlock(&keyring_name_lock); 117 } 118 } 119 120 /* 121 * Preparse a keyring payload 122 */ 123 static int keyring_preparse(struct key_preparsed_payload *prep) 124 { 125 return prep->datalen != 0 ? -EINVAL : 0; 126 } 127 128 /* 129 * Free a preparse of a user defined key payload 130 */ 131 static void keyring_free_preparse(struct key_preparsed_payload *prep) 132 { 133 } 134 135 /* 136 * Initialise a keyring. 137 * 138 * Returns 0 on success, -EINVAL if given any data. 139 */ 140 static int keyring_instantiate(struct key *keyring, 141 struct key_preparsed_payload *prep) 142 { 143 assoc_array_init(&keyring->keys); 144 /* make the keyring available by name if it has one */ 145 keyring_publish_name(keyring); 146 return 0; 147 } 148 149 /* 150 * Multiply 64-bits by 32-bits to 96-bits and fold back to 64-bit. Ideally we'd 151 * fold the carry back too, but that requires inline asm. 152 */ 153 static u64 mult_64x32_and_fold(u64 x, u32 y) 154 { 155 u64 hi = (u64)(u32)(x >> 32) * y; 156 u64 lo = (u64)(u32)(x) * y; 157 return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32); 158 } 159 160 /* 161 * Hash a key type and description. 162 */ 163 static void hash_key_type_and_desc(struct keyring_index_key *index_key) 164 { 165 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP; 166 const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK; 167 const char *description = index_key->description; 168 unsigned long hash, type; 169 u32 piece; 170 u64 acc; 171 int n, desc_len = index_key->desc_len; 172 173 type = (unsigned long)index_key->type; 174 acc = mult_64x32_and_fold(type, desc_len + 13); 175 acc = mult_64x32_and_fold(acc, 9207); 176 piece = (unsigned long)index_key->domain_tag; 177 acc = mult_64x32_and_fold(acc, piece); 178 acc = mult_64x32_and_fold(acc, 9207); 179 180 for (;;) { 181 n = desc_len; 182 if (n <= 0) 183 break; 184 if (n > 4) 185 n = 4; 186 piece = 0; 187 memcpy(&piece, description, n); 188 description += n; 189 desc_len -= n; 190 acc = mult_64x32_and_fold(acc, piece); 191 acc = mult_64x32_and_fold(acc, 9207); 192 } 193 194 /* Fold the hash down to 32 bits if need be. */ 195 hash = acc; 196 if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32) 197 hash ^= acc >> 32; 198 199 /* Squidge all the keyrings into a separate part of the tree to 200 * ordinary keys by making sure the lowest level segment in the hash is 201 * zero for keyrings and non-zero otherwise. 202 */ 203 if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0) 204 hash |= (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1; 205 else if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0) 206 hash = (hash + (hash << level_shift)) & ~fan_mask; 207 index_key->hash = hash; 208 } 209 210 /* 211 * Finalise an index key to include a part of the description actually in the 212 * index key, to set the domain tag and to calculate the hash. 213 */ 214 void key_set_index_key(struct keyring_index_key *index_key) 215 { 216 static struct key_tag default_domain_tag = { .usage = REFCOUNT_INIT(1), }; 217 size_t n = min_t(size_t, index_key->desc_len, sizeof(index_key->desc)); 218 219 memcpy(index_key->desc, index_key->description, n); 220 221 if (!index_key->domain_tag) { 222 if (index_key->type->flags & KEY_TYPE_NET_DOMAIN) 223 index_key->domain_tag = current->nsproxy->net_ns->key_domain; 224 else 225 index_key->domain_tag = &default_domain_tag; 226 } 227 228 hash_key_type_and_desc(index_key); 229 } 230 231 /** 232 * key_put_tag - Release a ref on a tag. 233 * @tag: The tag to release. 234 * 235 * This releases a reference the given tag and returns true if that ref was the 236 * last one. 237 */ 238 bool key_put_tag(struct key_tag *tag) 239 { 240 if (refcount_dec_and_test(&tag->usage)) { 241 kfree_rcu(tag, rcu); 242 return true; 243 } 244 245 return false; 246 } 247 248 /** 249 * key_remove_domain - Kill off a key domain and gc its keys 250 * @domain_tag: The domain tag to release. 251 * 252 * This marks a domain tag as being dead and releases a ref on it. If that 253 * wasn't the last reference, the garbage collector is poked to try and delete 254 * all keys that were in the domain. 255 */ 256 void key_remove_domain(struct key_tag *domain_tag) 257 { 258 domain_tag->removed = true; 259 if (!key_put_tag(domain_tag)) 260 key_schedule_gc_links(); 261 } 262 263 /* 264 * Build the next index key chunk. 265 * 266 * We return it one word-sized chunk at a time. 267 */ 268 static unsigned long keyring_get_key_chunk(const void *data, int level) 269 { 270 const struct keyring_index_key *index_key = data; 271 unsigned long chunk = 0; 272 const u8 *d; 273 int desc_len = index_key->desc_len, n = sizeof(chunk); 274 275 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE; 276 switch (level) { 277 case 0: 278 return index_key->hash; 279 case 1: 280 return index_key->x; 281 case 2: 282 return (unsigned long)index_key->type; 283 case 3: 284 return (unsigned long)index_key->domain_tag; 285 default: 286 level -= 4; 287 if (desc_len <= sizeof(index_key->desc)) 288 return 0; 289 290 d = index_key->description + sizeof(index_key->desc); 291 d += level * sizeof(long); 292 desc_len -= sizeof(index_key->desc); 293 if (desc_len > n) 294 desc_len = n; 295 do { 296 chunk <<= 8; 297 chunk |= *d++; 298 } while (--desc_len > 0); 299 return chunk; 300 } 301 } 302 303 static unsigned long keyring_get_object_key_chunk(const void *object, int level) 304 { 305 const struct key *key = keyring_ptr_to_key(object); 306 return keyring_get_key_chunk(&key->index_key, level); 307 } 308 309 static bool keyring_compare_object(const void *object, const void *data) 310 { 311 const struct keyring_index_key *index_key = data; 312 const struct key *key = keyring_ptr_to_key(object); 313 314 return key->index_key.type == index_key->type && 315 key->index_key.domain_tag == index_key->domain_tag && 316 key->index_key.desc_len == index_key->desc_len && 317 memcmp(key->index_key.description, index_key->description, 318 index_key->desc_len) == 0; 319 } 320 321 /* 322 * Compare the index keys of a pair of objects and determine the bit position 323 * at which they differ - if they differ. 324 */ 325 static int keyring_diff_objects(const void *object, const void *data) 326 { 327 const struct key *key_a = keyring_ptr_to_key(object); 328 const struct keyring_index_key *a = &key_a->index_key; 329 const struct keyring_index_key *b = data; 330 unsigned long seg_a, seg_b; 331 int level, i; 332 333 level = 0; 334 seg_a = a->hash; 335 seg_b = b->hash; 336 if ((seg_a ^ seg_b) != 0) 337 goto differ; 338 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8; 339 340 /* The number of bits contributed by the hash is controlled by a 341 * constant in the assoc_array headers. Everything else thereafter we 342 * can deal with as being machine word-size dependent. 343 */ 344 seg_a = a->x; 345 seg_b = b->x; 346 if ((seg_a ^ seg_b) != 0) 347 goto differ; 348 level += sizeof(unsigned long); 349 350 /* The next bit may not work on big endian */ 351 seg_a = (unsigned long)a->type; 352 seg_b = (unsigned long)b->type; 353 if ((seg_a ^ seg_b) != 0) 354 goto differ; 355 level += sizeof(unsigned long); 356 357 seg_a = (unsigned long)a->domain_tag; 358 seg_b = (unsigned long)b->domain_tag; 359 if ((seg_a ^ seg_b) != 0) 360 goto differ; 361 level += sizeof(unsigned long); 362 363 i = sizeof(a->desc); 364 if (a->desc_len <= i) 365 goto same; 366 367 for (; i < a->desc_len; i++) { 368 seg_a = *(unsigned char *)(a->description + i); 369 seg_b = *(unsigned char *)(b->description + i); 370 if ((seg_a ^ seg_b) != 0) 371 goto differ_plus_i; 372 } 373 374 same: 375 return -1; 376 377 differ_plus_i: 378 level += i; 379 differ: 380 i = level * 8 + __ffs(seg_a ^ seg_b); 381 return i; 382 } 383 384 /* 385 * Free an object after stripping the keyring flag off of the pointer. 386 */ 387 static void keyring_free_object(void *object) 388 { 389 key_put(keyring_ptr_to_key(object)); 390 } 391 392 /* 393 * Operations for keyring management by the index-tree routines. 394 */ 395 static const struct assoc_array_ops keyring_assoc_array_ops = { 396 .get_key_chunk = keyring_get_key_chunk, 397 .get_object_key_chunk = keyring_get_object_key_chunk, 398 .compare_object = keyring_compare_object, 399 .diff_objects = keyring_diff_objects, 400 .free_object = keyring_free_object, 401 }; 402 403 /* 404 * Clean up a keyring when it is destroyed. Unpublish its name if it had one 405 * and dispose of its data. 406 * 407 * The garbage collector detects the final key_put(), removes the keyring from 408 * the serial number tree and then does RCU synchronisation before coming here, 409 * so we shouldn't need to worry about code poking around here with the RCU 410 * readlock held by this time. 411 */ 412 static void keyring_destroy(struct key *keyring) 413 { 414 if (keyring->description) { 415 write_lock(&keyring_name_lock); 416 417 if (keyring->name_link.next != NULL && 418 !list_empty(&keyring->name_link)) 419 list_del(&keyring->name_link); 420 421 write_unlock(&keyring_name_lock); 422 } 423 424 if (keyring->restrict_link) { 425 struct key_restriction *keyres = keyring->restrict_link; 426 427 key_put(keyres->key); 428 kfree(keyres); 429 } 430 431 assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops); 432 } 433 434 /* 435 * Describe a keyring for /proc. 436 */ 437 static void keyring_describe(const struct key *keyring, struct seq_file *m) 438 { 439 if (keyring->description) 440 seq_puts(m, keyring->description); 441 else 442 seq_puts(m, "[anon]"); 443 444 if (key_is_positive(keyring)) { 445 if (keyring->keys.nr_leaves_on_tree != 0) 446 seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree); 447 else 448 seq_puts(m, ": empty"); 449 } 450 } 451 452 struct keyring_read_iterator_context { 453 size_t buflen; 454 size_t count; 455 key_serial_t __user *buffer; 456 }; 457 458 static int keyring_read_iterator(const void *object, void *data) 459 { 460 struct keyring_read_iterator_context *ctx = data; 461 const struct key *key = keyring_ptr_to_key(object); 462 int ret; 463 464 kenter("{%s,%d},,{%zu/%zu}", 465 key->type->name, key->serial, ctx->count, ctx->buflen); 466 467 if (ctx->count >= ctx->buflen) 468 return 1; 469 470 ret = put_user(key->serial, ctx->buffer); 471 if (ret < 0) 472 return ret; 473 ctx->buffer++; 474 ctx->count += sizeof(key->serial); 475 return 0; 476 } 477 478 /* 479 * Read a list of key IDs from the keyring's contents in binary form 480 * 481 * The keyring's semaphore is read-locked by the caller. This prevents someone 482 * from modifying it under us - which could cause us to read key IDs multiple 483 * times. 484 */ 485 static long keyring_read(const struct key *keyring, 486 char __user *buffer, size_t buflen) 487 { 488 struct keyring_read_iterator_context ctx; 489 long ret; 490 491 kenter("{%d},,%zu", key_serial(keyring), buflen); 492 493 if (buflen & (sizeof(key_serial_t) - 1)) 494 return -EINVAL; 495 496 /* Copy as many key IDs as fit into the buffer */ 497 if (buffer && buflen) { 498 ctx.buffer = (key_serial_t __user *)buffer; 499 ctx.buflen = buflen; 500 ctx.count = 0; 501 ret = assoc_array_iterate(&keyring->keys, 502 keyring_read_iterator, &ctx); 503 if (ret < 0) { 504 kleave(" = %ld [iterate]", ret); 505 return ret; 506 } 507 } 508 509 /* Return the size of the buffer needed */ 510 ret = keyring->keys.nr_leaves_on_tree * sizeof(key_serial_t); 511 if (ret <= buflen) 512 kleave("= %ld [ok]", ret); 513 else 514 kleave("= %ld [buffer too small]", ret); 515 return ret; 516 } 517 518 /** 519 * keyring_alloc - Allocate a keyring and link into the destination 520 * @description: The key description to allow the key to be searched out. 521 * @uid: The owner of the new key. 522 * @gid: The group ID for the new key's group permissions. 523 * @cred: The credentials specifying UID namespace. 524 * @acl: The ACL to attach to the new key. 525 * @flags: Flags specifying quota properties. 526 * @restrict_link: Optional link restriction for new keyrings. 527 * @dest: Destination keyring. 528 */ 529 struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid, 530 const struct cred *cred, struct key_acl *acl, 531 unsigned long flags, 532 struct key_restriction *restrict_link, 533 struct key *dest) 534 { 535 struct key *keyring; 536 int ret; 537 538 keyring = key_alloc(&key_type_keyring, description, 539 uid, gid, cred, acl, flags, restrict_link); 540 if (!IS_ERR(keyring)) { 541 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); 542 if (ret < 0) { 543 key_put(keyring); 544 keyring = ERR_PTR(ret); 545 } 546 } 547 548 return keyring; 549 } 550 EXPORT_SYMBOL(keyring_alloc); 551 552 /** 553 * restrict_link_reject - Give -EPERM to restrict link 554 * @keyring: The keyring being added to. 555 * @type: The type of key being added. 556 * @payload: The payload of the key intended to be added. 557 * @restriction_key: Keys providing additional data for evaluating restriction. 558 * 559 * Reject the addition of any links to a keyring. It can be overridden by 560 * passing KEY_ALLOC_BYPASS_RESTRICTION to key_instantiate_and_link() when 561 * adding a key to a keyring. 562 * 563 * This is meant to be stored in a key_restriction structure which is passed 564 * in the restrict_link parameter to keyring_alloc(). 565 */ 566 int restrict_link_reject(struct key *keyring, 567 const struct key_type *type, 568 const union key_payload *payload, 569 struct key *restriction_key) 570 { 571 return -EPERM; 572 } 573 574 /* 575 * By default, we keys found by getting an exact match on their descriptions. 576 */ 577 bool key_default_cmp(const struct key *key, 578 const struct key_match_data *match_data) 579 { 580 return strcmp(key->description, match_data->raw_data) == 0; 581 } 582 583 /* 584 * Iteration function to consider each key found. 585 */ 586 static int keyring_search_iterator(const void *object, void *iterator_data) 587 { 588 struct keyring_search_context *ctx = iterator_data; 589 const struct key *key = keyring_ptr_to_key(object); 590 unsigned long kflags = READ_ONCE(key->flags); 591 short state = READ_ONCE(key->state); 592 593 kenter("{%d}", key->serial); 594 595 /* ignore keys not of this type */ 596 if (key->type != ctx->index_key.type) { 597 kleave(" = 0 [!type]"); 598 return 0; 599 } 600 601 /* skip invalidated, revoked and expired keys */ 602 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { 603 time64_t expiry = READ_ONCE(key->expiry); 604 605 if (kflags & ((1 << KEY_FLAG_INVALIDATED) | 606 (1 << KEY_FLAG_REVOKED))) { 607 ctx->result = ERR_PTR(-EKEYREVOKED); 608 kleave(" = %d [invrev]", ctx->skipped_ret); 609 goto skipped; 610 } 611 612 if (expiry && ctx->now >= expiry) { 613 if (!(ctx->flags & KEYRING_SEARCH_SKIP_EXPIRED)) 614 ctx->result = ERR_PTR(-EKEYEXPIRED); 615 kleave(" = %d [expire]", ctx->skipped_ret); 616 goto skipped; 617 } 618 } 619 620 /* keys that don't match */ 621 if (!ctx->match_data.cmp(key, &ctx->match_data)) { 622 kleave(" = 0 [!match]"); 623 return 0; 624 } 625 626 /* key must have search permissions */ 627 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) && 628 key_task_permission(make_key_ref(key, ctx->possessed), 629 ctx->cred, KEY_NEED_SEARCH) < 0) { 630 ctx->result = ERR_PTR(-EACCES); 631 kleave(" = %d [!perm]", ctx->skipped_ret); 632 goto skipped; 633 } 634 635 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { 636 /* we set a different error code if we pass a negative key */ 637 if (state < 0) { 638 ctx->result = ERR_PTR(state); 639 kleave(" = %d [neg]", ctx->skipped_ret); 640 goto skipped; 641 } 642 } 643 644 /* Found */ 645 ctx->result = make_key_ref(key, ctx->possessed); 646 kleave(" = 1 [found]"); 647 return 1; 648 649 skipped: 650 return ctx->skipped_ret; 651 } 652 653 /* 654 * Search inside a keyring for a key. We can search by walking to it 655 * directly based on its index-key or we can iterate over the entire 656 * tree looking for it, based on the match function. 657 */ 658 static int search_keyring(struct key *keyring, struct keyring_search_context *ctx) 659 { 660 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_DIRECT) { 661 const void *object; 662 663 object = assoc_array_find(&keyring->keys, 664 &keyring_assoc_array_ops, 665 &ctx->index_key); 666 return object ? ctx->iterator(object, ctx) : 0; 667 } 668 return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx); 669 } 670 671 /* 672 * Search a tree of keyrings that point to other keyrings up to the maximum 673 * depth. 674 */ 675 static bool search_nested_keyrings(struct key *keyring, 676 struct keyring_search_context *ctx) 677 { 678 struct { 679 struct key *keyring; 680 struct assoc_array_node *node; 681 int slot; 682 } stack[KEYRING_SEARCH_MAX_DEPTH]; 683 684 struct assoc_array_shortcut *shortcut; 685 struct assoc_array_node *node; 686 struct assoc_array_ptr *ptr; 687 struct key *key; 688 int sp = 0, slot; 689 690 kenter("{%d},{%s,%s}", 691 keyring->serial, 692 ctx->index_key.type->name, 693 ctx->index_key.description); 694 695 #define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK) 696 BUG_ON((ctx->flags & STATE_CHECKS) == 0 || 697 (ctx->flags & STATE_CHECKS) == STATE_CHECKS); 698 699 if (ctx->index_key.description) 700 key_set_index_key(&ctx->index_key); 701 702 /* Check to see if this top-level keyring is what we are looking for 703 * and whether it is valid or not. 704 */ 705 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE || 706 keyring_compare_object(keyring, &ctx->index_key)) { 707 ctx->skipped_ret = 2; 708 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) { 709 case 1: 710 goto found; 711 case 2: 712 return false; 713 default: 714 break; 715 } 716 } 717 718 ctx->skipped_ret = 0; 719 720 /* Start processing a new keyring */ 721 descend_to_keyring: 722 kdebug("descend to %d", keyring->serial); 723 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | 724 (1 << KEY_FLAG_REVOKED))) 725 goto not_this_keyring; 726 727 /* Search through the keys in this keyring before its searching its 728 * subtrees. 729 */ 730 if (search_keyring(keyring, ctx)) 731 goto found; 732 733 /* Then manually iterate through the keyrings nested in this one. 734 * 735 * Start from the root node of the index tree. Because of the way the 736 * hash function has been set up, keyrings cluster on the leftmost 737 * branch of the root node (root slot 0) or in the root node itself. 738 * Non-keyrings avoid the leftmost branch of the root entirely (root 739 * slots 1-15). 740 */ 741 if (!(ctx->flags & KEYRING_SEARCH_RECURSE)) 742 goto not_this_keyring; 743 744 ptr = READ_ONCE(keyring->keys.root); 745 if (!ptr) 746 goto not_this_keyring; 747 748 if (assoc_array_ptr_is_shortcut(ptr)) { 749 /* If the root is a shortcut, either the keyring only contains 750 * keyring pointers (everything clusters behind root slot 0) or 751 * doesn't contain any keyring pointers. 752 */ 753 shortcut = assoc_array_ptr_to_shortcut(ptr); 754 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0) 755 goto not_this_keyring; 756 757 ptr = READ_ONCE(shortcut->next_node); 758 node = assoc_array_ptr_to_node(ptr); 759 goto begin_node; 760 } 761 762 node = assoc_array_ptr_to_node(ptr); 763 ptr = node->slots[0]; 764 if (!assoc_array_ptr_is_meta(ptr)) 765 goto begin_node; 766 767 descend_to_node: 768 /* Descend to a more distal node in this keyring's content tree and go 769 * through that. 770 */ 771 kdebug("descend"); 772 if (assoc_array_ptr_is_shortcut(ptr)) { 773 shortcut = assoc_array_ptr_to_shortcut(ptr); 774 ptr = READ_ONCE(shortcut->next_node); 775 BUG_ON(!assoc_array_ptr_is_node(ptr)); 776 } 777 node = assoc_array_ptr_to_node(ptr); 778 779 begin_node: 780 kdebug("begin_node"); 781 slot = 0; 782 ascend_to_node: 783 /* Go through the slots in a node */ 784 for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { 785 ptr = READ_ONCE(node->slots[slot]); 786 787 if (assoc_array_ptr_is_meta(ptr) && node->back_pointer) 788 goto descend_to_node; 789 790 if (!keyring_ptr_is_keyring(ptr)) 791 continue; 792 793 key = keyring_ptr_to_key(ptr); 794 795 if (sp >= KEYRING_SEARCH_MAX_DEPTH) { 796 if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) { 797 ctx->result = ERR_PTR(-ELOOP); 798 return false; 799 } 800 goto not_this_keyring; 801 } 802 803 /* Search a nested keyring */ 804 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) && 805 key_task_permission(make_key_ref(key, ctx->possessed), 806 ctx->cred, KEY_NEED_SEARCH) < 0) 807 continue; 808 809 /* stack the current position */ 810 stack[sp].keyring = keyring; 811 stack[sp].node = node; 812 stack[sp].slot = slot; 813 sp++; 814 815 /* begin again with the new keyring */ 816 keyring = key; 817 goto descend_to_keyring; 818 } 819 820 /* We've dealt with all the slots in the current node, so now we need 821 * to ascend to the parent and continue processing there. 822 */ 823 ptr = READ_ONCE(node->back_pointer); 824 slot = node->parent_slot; 825 826 if (ptr && assoc_array_ptr_is_shortcut(ptr)) { 827 shortcut = assoc_array_ptr_to_shortcut(ptr); 828 ptr = READ_ONCE(shortcut->back_pointer); 829 slot = shortcut->parent_slot; 830 } 831 if (!ptr) 832 goto not_this_keyring; 833 node = assoc_array_ptr_to_node(ptr); 834 slot++; 835 836 /* If we've ascended to the root (zero backpointer), we must have just 837 * finished processing the leftmost branch rather than the root slots - 838 * so there can't be any more keyrings for us to find. 839 */ 840 if (node->back_pointer) { 841 kdebug("ascend %d", slot); 842 goto ascend_to_node; 843 } 844 845 /* The keyring we're looking at was disqualified or didn't contain a 846 * matching key. 847 */ 848 not_this_keyring: 849 kdebug("not_this_keyring %d", sp); 850 if (sp <= 0) { 851 kleave(" = false"); 852 return false; 853 } 854 855 /* Resume the processing of a keyring higher up in the tree */ 856 sp--; 857 keyring = stack[sp].keyring; 858 node = stack[sp].node; 859 slot = stack[sp].slot + 1; 860 kdebug("ascend to %d [%d]", keyring->serial, slot); 861 goto ascend_to_node; 862 863 /* We found a viable match */ 864 found: 865 key = key_ref_to_ptr(ctx->result); 866 key_check(key); 867 if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) { 868 key->last_used_at = ctx->now; 869 keyring->last_used_at = ctx->now; 870 while (sp > 0) 871 stack[--sp].keyring->last_used_at = ctx->now; 872 } 873 kleave(" = true"); 874 return true; 875 } 876 877 /** 878 * keyring_search_rcu - Search a keyring tree for a matching key under RCU 879 * @keyring_ref: A pointer to the keyring with possession indicator. 880 * @ctx: The keyring search context. 881 * 882 * Search the supplied keyring tree for a key that matches the criteria given. 883 * The root keyring and any linked keyrings must grant Search permission to the 884 * caller to be searchable and keys can only be found if they too grant Search 885 * to the caller. The possession flag on the root keyring pointer controls use 886 * of the possessor bits in permissions checking of the entire tree. In 887 * addition, the LSM gets to forbid keyring searches and key matches. 888 * 889 * The search is performed as a breadth-then-depth search up to the prescribed 890 * limit (KEYRING_SEARCH_MAX_DEPTH). The caller must hold the RCU read lock to 891 * prevent keyrings from being destroyed or rearranged whilst they are being 892 * searched. 893 * 894 * Keys are matched to the type provided and are then filtered by the match 895 * function, which is given the description to use in any way it sees fit. The 896 * match function may use any attributes of a key that it wishes to to 897 * determine the match. Normally the match function from the key type would be 898 * used. 899 * 900 * RCU can be used to prevent the keyring key lists from disappearing without 901 * the need to take lots of locks. 902 * 903 * Returns a pointer to the found key and increments the key usage count if 904 * successful; -EAGAIN if no matching keys were found, or if expired or revoked 905 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the 906 * specified keyring wasn't a keyring. 907 * 908 * In the case of a successful return, the possession attribute from 909 * @keyring_ref is propagated to the returned key reference. 910 */ 911 key_ref_t keyring_search_rcu(key_ref_t keyring_ref, 912 struct keyring_search_context *ctx) 913 { 914 struct key *keyring; 915 long err; 916 917 ctx->iterator = keyring_search_iterator; 918 ctx->possessed = is_key_possessed(keyring_ref); 919 ctx->result = ERR_PTR(-EAGAIN); 920 921 keyring = key_ref_to_ptr(keyring_ref); 922 key_check(keyring); 923 924 if (keyring->type != &key_type_keyring) 925 return ERR_PTR(-ENOTDIR); 926 927 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) { 928 err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH); 929 if (err < 0) 930 return ERR_PTR(err); 931 } 932 933 ctx->now = ktime_get_real_seconds(); 934 if (search_nested_keyrings(keyring, ctx)) 935 __key_get(key_ref_to_ptr(ctx->result)); 936 return ctx->result; 937 } 938 939 /** 940 * keyring_search - Search the supplied keyring tree for a matching key 941 * @keyring: The root of the keyring tree to be searched. 942 * @type: The type of keyring we want to find. 943 * @description: The name of the keyring we want to find. 944 * @recurse: True to search the children of @keyring also 945 * 946 * As keyring_search_rcu() above, but using the current task's credentials and 947 * type's default matching function and preferred search method. 948 */ 949 key_ref_t keyring_search(key_ref_t keyring, 950 struct key_type *type, 951 const char *description, 952 bool recurse) 953 { 954 struct keyring_search_context ctx = { 955 .index_key.type = type, 956 .index_key.description = description, 957 .index_key.desc_len = strlen(description), 958 .cred = current_cred(), 959 .match_data.cmp = key_default_cmp, 960 .match_data.raw_data = description, 961 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 962 .flags = KEYRING_SEARCH_DO_STATE_CHECK, 963 }; 964 key_ref_t key; 965 int ret; 966 967 if (recurse) 968 ctx.flags |= KEYRING_SEARCH_RECURSE; 969 if (type->match_preparse) { 970 ret = type->match_preparse(&ctx.match_data); 971 if (ret < 0) 972 return ERR_PTR(ret); 973 } 974 975 rcu_read_lock(); 976 key = keyring_search_rcu(keyring, &ctx); 977 rcu_read_unlock(); 978 979 if (type->match_free) 980 type->match_free(&ctx.match_data); 981 return key; 982 } 983 EXPORT_SYMBOL(keyring_search); 984 985 static struct key_restriction *keyring_restriction_alloc( 986 key_restrict_link_func_t check) 987 { 988 struct key_restriction *keyres = 989 kzalloc(sizeof(struct key_restriction), GFP_KERNEL); 990 991 if (!keyres) 992 return ERR_PTR(-ENOMEM); 993 994 keyres->check = check; 995 996 return keyres; 997 } 998 999 /* 1000 * Semaphore to serialise restriction setup to prevent reference count 1001 * cycles through restriction key pointers. 1002 */ 1003 static DECLARE_RWSEM(keyring_serialise_restrict_sem); 1004 1005 /* 1006 * Check for restriction cycles that would prevent keyring garbage collection. 1007 * keyring_serialise_restrict_sem must be held. 1008 */ 1009 static bool keyring_detect_restriction_cycle(const struct key *dest_keyring, 1010 struct key_restriction *keyres) 1011 { 1012 while (keyres && keyres->key && 1013 keyres->key->type == &key_type_keyring) { 1014 if (keyres->key == dest_keyring) 1015 return true; 1016 1017 keyres = keyres->key->restrict_link; 1018 } 1019 1020 return false; 1021 } 1022 1023 /** 1024 * keyring_restrict - Look up and apply a restriction to a keyring 1025 * @keyring_ref: The keyring to be restricted 1026 * @type: The key type that will provide the restriction checker. 1027 * @restriction: The restriction options to apply to the keyring 1028 * 1029 * Look up a keyring and apply a restriction to it. The restriction is managed 1030 * by the specific key type, but can be configured by the options specified in 1031 * the restriction string. 1032 */ 1033 int keyring_restrict(key_ref_t keyring_ref, const char *type, 1034 const char *restriction) 1035 { 1036 struct key *keyring; 1037 struct key_type *restrict_type = NULL; 1038 struct key_restriction *restrict_link; 1039 int ret = 0; 1040 1041 keyring = key_ref_to_ptr(keyring_ref); 1042 key_check(keyring); 1043 1044 if (keyring->type != &key_type_keyring) 1045 return -ENOTDIR; 1046 1047 if (!type) { 1048 restrict_link = keyring_restriction_alloc(restrict_link_reject); 1049 } else { 1050 restrict_type = key_type_lookup(type); 1051 1052 if (IS_ERR(restrict_type)) 1053 return PTR_ERR(restrict_type); 1054 1055 if (!restrict_type->lookup_restriction) { 1056 ret = -ENOENT; 1057 goto error; 1058 } 1059 1060 restrict_link = restrict_type->lookup_restriction(restriction); 1061 } 1062 1063 if (IS_ERR(restrict_link)) { 1064 ret = PTR_ERR(restrict_link); 1065 goto error; 1066 } 1067 1068 down_write(&keyring->sem); 1069 down_write(&keyring_serialise_restrict_sem); 1070 1071 if (keyring->restrict_link) 1072 ret = -EEXIST; 1073 else if (keyring_detect_restriction_cycle(keyring, restrict_link)) 1074 ret = -EDEADLK; 1075 else 1076 keyring->restrict_link = restrict_link; 1077 1078 up_write(&keyring_serialise_restrict_sem); 1079 up_write(&keyring->sem); 1080 1081 if (ret < 0) { 1082 key_put(restrict_link->key); 1083 kfree(restrict_link); 1084 } 1085 1086 error: 1087 if (restrict_type) 1088 key_type_put(restrict_type); 1089 1090 return ret; 1091 } 1092 EXPORT_SYMBOL(keyring_restrict); 1093 1094 /* 1095 * Search the given keyring for a key that might be updated. 1096 * 1097 * The caller must guarantee that the keyring is a keyring and that the 1098 * permission is granted to modify the keyring as no check is made here. The 1099 * caller must also hold a lock on the keyring semaphore. 1100 * 1101 * Returns a pointer to the found key with usage count incremented if 1102 * successful and returns NULL if not found. Revoked and invalidated keys are 1103 * skipped over. 1104 * 1105 * If successful, the possession indicator is propagated from the keyring ref 1106 * to the returned key reference. 1107 */ 1108 key_ref_t find_key_to_update(key_ref_t keyring_ref, 1109 const struct keyring_index_key *index_key) 1110 { 1111 struct key *keyring, *key; 1112 const void *object; 1113 1114 keyring = key_ref_to_ptr(keyring_ref); 1115 1116 kenter("{%d},{%s,%s}", 1117 keyring->serial, index_key->type->name, index_key->description); 1118 1119 object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops, 1120 index_key); 1121 1122 if (object) 1123 goto found; 1124 1125 kleave(" = NULL"); 1126 return NULL; 1127 1128 found: 1129 key = keyring_ptr_to_key(object); 1130 if (key->flags & ((1 << KEY_FLAG_INVALIDATED) | 1131 (1 << KEY_FLAG_REVOKED))) { 1132 kleave(" = NULL [x]"); 1133 return NULL; 1134 } 1135 __key_get(key); 1136 kleave(" = {%d}", key->serial); 1137 return make_key_ref(key, is_key_possessed(keyring_ref)); 1138 } 1139 1140 /* 1141 * Find a keyring with the specified name. 1142 * 1143 * Only keyrings that have nonzero refcount, are not revoked, and are owned by 1144 * a user in the current user namespace are considered. If @uid_keyring is 1145 * %true, the keyring additionally must have been allocated as a user or user 1146 * session keyring; otherwise, it must grant JOIN permission directly to the 1147 * caller (ie. not through possession). 1148 * 1149 * Returns a pointer to the keyring with the keyring's refcount having being 1150 * incremented on success. -ENOKEY is returned if a key could not be found. 1151 */ 1152 struct key *find_keyring_by_name(const char *name, bool uid_keyring) 1153 { 1154 struct user_namespace *ns = current_user_ns(); 1155 struct key *keyring; 1156 1157 if (!name) 1158 return ERR_PTR(-EINVAL); 1159 1160 read_lock(&keyring_name_lock); 1161 1162 /* Search this hash bucket for a keyring with a matching name that 1163 * grants Search permission and that hasn't been revoked 1164 */ 1165 list_for_each_entry(keyring, &ns->keyring_name_list, name_link) { 1166 if (!kuid_has_mapping(ns, keyring->user->uid)) 1167 continue; 1168 1169 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 1170 continue; 1171 1172 if (strcmp(keyring->description, name) != 0) 1173 continue; 1174 1175 if (uid_keyring) { 1176 if (!test_bit(KEY_FLAG_UID_KEYRING, 1177 &keyring->flags)) 1178 continue; 1179 } else { 1180 if (key_permission(make_key_ref(keyring, 0), 1181 KEY_NEED_JOIN) < 0) 1182 continue; 1183 } 1184 1185 /* we've got a match but we might end up racing with 1186 * key_cleanup() if the keyring is currently 'dead' 1187 * (ie. it has a zero usage count) */ 1188 if (!refcount_inc_not_zero(&keyring->usage)) 1189 continue; 1190 keyring->last_used_at = ktime_get_real_seconds(); 1191 goto out; 1192 } 1193 1194 keyring = ERR_PTR(-ENOKEY); 1195 out: 1196 read_unlock(&keyring_name_lock); 1197 return keyring; 1198 } 1199 1200 static int keyring_detect_cycle_iterator(const void *object, 1201 void *iterator_data) 1202 { 1203 struct keyring_search_context *ctx = iterator_data; 1204 const struct key *key = keyring_ptr_to_key(object); 1205 1206 kenter("{%d}", key->serial); 1207 1208 /* We might get a keyring with matching index-key that is nonetheless a 1209 * different keyring. */ 1210 if (key != ctx->match_data.raw_data) 1211 return 0; 1212 1213 ctx->result = ERR_PTR(-EDEADLK); 1214 return 1; 1215 } 1216 1217 /* 1218 * See if a cycle will will be created by inserting acyclic tree B in acyclic 1219 * tree A at the topmost level (ie: as a direct child of A). 1220 * 1221 * Since we are adding B to A at the top level, checking for cycles should just 1222 * be a matter of seeing if node A is somewhere in tree B. 1223 */ 1224 static int keyring_detect_cycle(struct key *A, struct key *B) 1225 { 1226 struct keyring_search_context ctx = { 1227 .index_key = A->index_key, 1228 .match_data.raw_data = A, 1229 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 1230 .iterator = keyring_detect_cycle_iterator, 1231 .flags = (KEYRING_SEARCH_NO_STATE_CHECK | 1232 KEYRING_SEARCH_NO_UPDATE_TIME | 1233 KEYRING_SEARCH_NO_CHECK_PERM | 1234 KEYRING_SEARCH_DETECT_TOO_DEEP | 1235 KEYRING_SEARCH_RECURSE), 1236 }; 1237 1238 rcu_read_lock(); 1239 search_nested_keyrings(B, &ctx); 1240 rcu_read_unlock(); 1241 return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result); 1242 } 1243 1244 /* 1245 * Lock keyring for link. 1246 */ 1247 int __key_link_lock(struct key *keyring, 1248 const struct keyring_index_key *index_key) 1249 __acquires(&keyring->sem) 1250 __acquires(&keyring_serialise_link_lock) 1251 { 1252 if (keyring->type != &key_type_keyring) 1253 return -ENOTDIR; 1254 1255 down_write(&keyring->sem); 1256 1257 /* Serialise link/link calls to prevent parallel calls causing a cycle 1258 * when linking two keyring in opposite orders. 1259 */ 1260 if (index_key->type == &key_type_keyring) 1261 mutex_lock(&keyring_serialise_link_lock); 1262 1263 return 0; 1264 } 1265 1266 /* 1267 * Lock keyrings for move (link/unlink combination). 1268 */ 1269 int __key_move_lock(struct key *l_keyring, struct key *u_keyring, 1270 const struct keyring_index_key *index_key) 1271 __acquires(&l_keyring->sem) 1272 __acquires(&u_keyring->sem) 1273 __acquires(&keyring_serialise_link_lock) 1274 { 1275 if (l_keyring->type != &key_type_keyring || 1276 u_keyring->type != &key_type_keyring) 1277 return -ENOTDIR; 1278 1279 /* We have to be very careful here to take the keyring locks in the 1280 * right order, lest we open ourselves to deadlocking against another 1281 * move operation. 1282 */ 1283 if (l_keyring < u_keyring) { 1284 down_write(&l_keyring->sem); 1285 down_write_nested(&u_keyring->sem, 1); 1286 } else { 1287 down_write(&u_keyring->sem); 1288 down_write_nested(&l_keyring->sem, 1); 1289 } 1290 1291 /* Serialise link/link calls to prevent parallel calls causing a cycle 1292 * when linking two keyring in opposite orders. 1293 */ 1294 if (index_key->type == &key_type_keyring) 1295 mutex_lock(&keyring_serialise_link_lock); 1296 1297 return 0; 1298 } 1299 1300 /* 1301 * Preallocate memory so that a key can be linked into to a keyring. 1302 */ 1303 int __key_link_begin(struct key *keyring, 1304 const struct keyring_index_key *index_key, 1305 struct assoc_array_edit **_edit) 1306 { 1307 struct assoc_array_edit *edit; 1308 int ret; 1309 1310 kenter("%d,%s,%s,", 1311 keyring->serial, index_key->type->name, index_key->description); 1312 1313 BUG_ON(index_key->desc_len == 0); 1314 BUG_ON(*_edit != NULL); 1315 1316 *_edit = NULL; 1317 1318 ret = -EKEYREVOKED; 1319 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 1320 goto error; 1321 1322 /* Create an edit script that will insert/replace the key in the 1323 * keyring tree. 1324 */ 1325 edit = assoc_array_insert(&keyring->keys, 1326 &keyring_assoc_array_ops, 1327 index_key, 1328 NULL); 1329 if (IS_ERR(edit)) { 1330 ret = PTR_ERR(edit); 1331 goto error; 1332 } 1333 1334 /* If we're not replacing a link in-place then we're going to need some 1335 * extra quota. 1336 */ 1337 if (!edit->dead_leaf) { 1338 ret = key_payload_reserve(keyring, 1339 keyring->datalen + KEYQUOTA_LINK_BYTES); 1340 if (ret < 0) 1341 goto error_cancel; 1342 } 1343 1344 *_edit = edit; 1345 kleave(" = 0"); 1346 return 0; 1347 1348 error_cancel: 1349 assoc_array_cancel_edit(edit); 1350 error: 1351 kleave(" = %d", ret); 1352 return ret; 1353 } 1354 1355 /* 1356 * Check already instantiated keys aren't going to be a problem. 1357 * 1358 * The caller must have called __key_link_begin(). Don't need to call this for 1359 * keys that were created since __key_link_begin() was called. 1360 */ 1361 int __key_link_check_live_key(struct key *keyring, struct key *key) 1362 { 1363 if (key->type == &key_type_keyring) 1364 /* check that we aren't going to create a cycle by linking one 1365 * keyring to another */ 1366 return keyring_detect_cycle(keyring, key); 1367 return 0; 1368 } 1369 1370 /* 1371 * Link a key into to a keyring. 1372 * 1373 * Must be called with __key_link_begin() having being called. Discards any 1374 * already extant link to matching key if there is one, so that each keyring 1375 * holds at most one link to any given key of a particular type+description 1376 * combination. 1377 */ 1378 void __key_link(struct key *key, struct assoc_array_edit **_edit) 1379 { 1380 __key_get(key); 1381 assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key)); 1382 assoc_array_apply_edit(*_edit); 1383 *_edit = NULL; 1384 } 1385 1386 /* 1387 * Finish linking a key into to a keyring. 1388 * 1389 * Must be called with __key_link_begin() having being called. 1390 */ 1391 void __key_link_end(struct key *keyring, 1392 const struct keyring_index_key *index_key, 1393 struct assoc_array_edit *edit) 1394 __releases(&keyring->sem) 1395 __releases(&keyring_serialise_link_lock) 1396 { 1397 BUG_ON(index_key->type == NULL); 1398 kenter("%d,%s,", keyring->serial, index_key->type->name); 1399 1400 if (edit) { 1401 if (!edit->dead_leaf) { 1402 key_payload_reserve(keyring, 1403 keyring->datalen - KEYQUOTA_LINK_BYTES); 1404 } 1405 assoc_array_cancel_edit(edit); 1406 } 1407 up_write(&keyring->sem); 1408 1409 if (index_key->type == &key_type_keyring) 1410 mutex_unlock(&keyring_serialise_link_lock); 1411 } 1412 1413 /* 1414 * Check addition of keys to restricted keyrings. 1415 */ 1416 static int __key_link_check_restriction(struct key *keyring, struct key *key) 1417 { 1418 if (!keyring->restrict_link || !keyring->restrict_link->check) 1419 return 0; 1420 return keyring->restrict_link->check(keyring, key->type, &key->payload, 1421 keyring->restrict_link->key); 1422 } 1423 1424 /** 1425 * key_link - Link a key to a keyring 1426 * @keyring: The keyring to make the link in. 1427 * @key: The key to link to. 1428 * 1429 * Make a link in a keyring to a key, such that the keyring holds a reference 1430 * on that key and the key can potentially be found by searching that keyring. 1431 * 1432 * This function will write-lock the keyring's semaphore and will consume some 1433 * of the user's key data quota to hold the link. 1434 * 1435 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, 1436 * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is 1437 * full, -EDQUOT if there is insufficient key data quota remaining to add 1438 * another link or -ENOMEM if there's insufficient memory. 1439 * 1440 * It is assumed that the caller has checked that it is permitted for a link to 1441 * be made (the keyring should have Write permission and the key Link 1442 * permission). 1443 */ 1444 int key_link(struct key *keyring, struct key *key) 1445 { 1446 struct assoc_array_edit *edit = NULL; 1447 int ret; 1448 1449 kenter("{%d,%d}", keyring->serial, refcount_read(&keyring->usage)); 1450 1451 key_check(keyring); 1452 key_check(key); 1453 1454 ret = __key_link_lock(keyring, &key->index_key); 1455 if (ret < 0) 1456 goto error; 1457 1458 ret = __key_link_begin(keyring, &key->index_key, &edit); 1459 if (ret < 0) 1460 goto error_end; 1461 1462 kdebug("begun {%d,%d}", keyring->serial, refcount_read(&keyring->usage)); 1463 ret = __key_link_check_restriction(keyring, key); 1464 if (ret == 0) 1465 ret = __key_link_check_live_key(keyring, key); 1466 if (ret == 0) 1467 __key_link(key, &edit); 1468 1469 error_end: 1470 __key_link_end(keyring, &key->index_key, edit); 1471 error: 1472 kleave(" = %d {%d,%d}", ret, keyring->serial, refcount_read(&keyring->usage)); 1473 return ret; 1474 } 1475 EXPORT_SYMBOL(key_link); 1476 1477 /* 1478 * Lock a keyring for unlink. 1479 */ 1480 static int __key_unlink_lock(struct key *keyring) 1481 __acquires(&keyring->sem) 1482 { 1483 if (keyring->type != &key_type_keyring) 1484 return -ENOTDIR; 1485 1486 down_write(&keyring->sem); 1487 return 0; 1488 } 1489 1490 /* 1491 * Begin the process of unlinking a key from a keyring. 1492 */ 1493 static int __key_unlink_begin(struct key *keyring, struct key *key, 1494 struct assoc_array_edit **_edit) 1495 { 1496 struct assoc_array_edit *edit; 1497 1498 BUG_ON(*_edit != NULL); 1499 1500 edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops, 1501 &key->index_key); 1502 if (IS_ERR(edit)) 1503 return PTR_ERR(edit); 1504 1505 if (!edit) 1506 return -ENOENT; 1507 1508 *_edit = edit; 1509 return 0; 1510 } 1511 1512 /* 1513 * Apply an unlink change. 1514 */ 1515 static void __key_unlink(struct key *keyring, struct key *key, 1516 struct assoc_array_edit **_edit) 1517 { 1518 assoc_array_apply_edit(*_edit); 1519 *_edit = NULL; 1520 key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES); 1521 } 1522 1523 /* 1524 * Finish unlinking a key from to a keyring. 1525 */ 1526 static void __key_unlink_end(struct key *keyring, 1527 struct key *key, 1528 struct assoc_array_edit *edit) 1529 __releases(&keyring->sem) 1530 { 1531 if (edit) 1532 assoc_array_cancel_edit(edit); 1533 up_write(&keyring->sem); 1534 } 1535 1536 /** 1537 * key_unlink - Unlink the first link to a key from a keyring. 1538 * @keyring: The keyring to remove the link from. 1539 * @key: The key the link is to. 1540 * 1541 * Remove a link from a keyring to a key. 1542 * 1543 * This function will write-lock the keyring's semaphore. 1544 * 1545 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if 1546 * the key isn't linked to by the keyring or -ENOMEM if there's insufficient 1547 * memory. 1548 * 1549 * It is assumed that the caller has checked that it is permitted for a link to 1550 * be removed (the keyring should have Write permission; no permissions are 1551 * required on the key). 1552 */ 1553 int key_unlink(struct key *keyring, struct key *key) 1554 { 1555 struct assoc_array_edit *edit = NULL; 1556 int ret; 1557 1558 key_check(keyring); 1559 key_check(key); 1560 1561 ret = __key_unlink_lock(keyring); 1562 if (ret < 0) 1563 return ret; 1564 1565 ret = __key_unlink_begin(keyring, key, &edit); 1566 if (ret == 0) 1567 __key_unlink(keyring, key, &edit); 1568 __key_unlink_end(keyring, key, edit); 1569 return ret; 1570 } 1571 EXPORT_SYMBOL(key_unlink); 1572 1573 /** 1574 * key_move - Move a key from one keyring to another 1575 * @key: The key to move 1576 * @from_keyring: The keyring to remove the link from. 1577 * @to_keyring: The keyring to make the link in. 1578 * @flags: Qualifying flags, such as KEYCTL_MOVE_EXCL. 1579 * 1580 * Make a link in @to_keyring to a key, such that the keyring holds a reference 1581 * on that key and the key can potentially be found by searching that keyring 1582 * whilst simultaneously removing a link to the key from @from_keyring. 1583 * 1584 * This function will write-lock both keyring's semaphores and will consume 1585 * some of the user's key data quota to hold the link on @to_keyring. 1586 * 1587 * Returns 0 if successful, -ENOTDIR if either keyring isn't a keyring, 1588 * -EKEYREVOKED if either keyring has been revoked, -ENFILE if the second 1589 * keyring is full, -EDQUOT if there is insufficient key data quota remaining 1590 * to add another link or -ENOMEM if there's insufficient memory. If 1591 * KEYCTL_MOVE_EXCL is set, then -EEXIST will be returned if there's already a 1592 * matching key in @to_keyring. 1593 * 1594 * It is assumed that the caller has checked that it is permitted for a link to 1595 * be made (the keyring should have Write permission and the key Link 1596 * permission). 1597 */ 1598 int key_move(struct key *key, 1599 struct key *from_keyring, 1600 struct key *to_keyring, 1601 unsigned int flags) 1602 { 1603 struct assoc_array_edit *from_edit = NULL, *to_edit = NULL; 1604 int ret; 1605 1606 kenter("%d,%d,%d", key->serial, from_keyring->serial, to_keyring->serial); 1607 1608 if (from_keyring == to_keyring) 1609 return 0; 1610 1611 key_check(key); 1612 key_check(from_keyring); 1613 key_check(to_keyring); 1614 1615 ret = __key_move_lock(from_keyring, to_keyring, &key->index_key); 1616 if (ret < 0) 1617 goto out; 1618 ret = __key_unlink_begin(from_keyring, key, &from_edit); 1619 if (ret < 0) 1620 goto error; 1621 ret = __key_link_begin(to_keyring, &key->index_key, &to_edit); 1622 if (ret < 0) 1623 goto error; 1624 1625 ret = -EEXIST; 1626 if (to_edit->dead_leaf && (flags & KEYCTL_MOVE_EXCL)) 1627 goto error; 1628 1629 ret = __key_link_check_restriction(to_keyring, key); 1630 if (ret < 0) 1631 goto error; 1632 ret = __key_link_check_live_key(to_keyring, key); 1633 if (ret < 0) 1634 goto error; 1635 1636 __key_unlink(from_keyring, key, &from_edit); 1637 __key_link(key, &to_edit); 1638 error: 1639 __key_link_end(to_keyring, &key->index_key, to_edit); 1640 __key_unlink_end(from_keyring, key, from_edit); 1641 out: 1642 kleave(" = %d", ret); 1643 return ret; 1644 } 1645 EXPORT_SYMBOL(key_move); 1646 1647 /** 1648 * keyring_clear - Clear a keyring 1649 * @keyring: The keyring to clear. 1650 * 1651 * Clear the contents of the specified keyring. 1652 * 1653 * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring. 1654 */ 1655 int keyring_clear(struct key *keyring) 1656 { 1657 struct assoc_array_edit *edit; 1658 int ret; 1659 1660 if (keyring->type != &key_type_keyring) 1661 return -ENOTDIR; 1662 1663 down_write(&keyring->sem); 1664 1665 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); 1666 if (IS_ERR(edit)) { 1667 ret = PTR_ERR(edit); 1668 } else { 1669 if (edit) 1670 assoc_array_apply_edit(edit); 1671 key_payload_reserve(keyring, 0); 1672 ret = 0; 1673 } 1674 1675 up_write(&keyring->sem); 1676 return ret; 1677 } 1678 EXPORT_SYMBOL(keyring_clear); 1679 1680 /* 1681 * Dispose of the links from a revoked keyring. 1682 * 1683 * This is called with the key sem write-locked. 1684 */ 1685 static void keyring_revoke(struct key *keyring) 1686 { 1687 struct assoc_array_edit *edit; 1688 1689 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops); 1690 if (!IS_ERR(edit)) { 1691 if (edit) 1692 assoc_array_apply_edit(edit); 1693 key_payload_reserve(keyring, 0); 1694 } 1695 } 1696 1697 static bool keyring_gc_select_iterator(void *object, void *iterator_data) 1698 { 1699 struct key *key = keyring_ptr_to_key(object); 1700 time64_t *limit = iterator_data; 1701 1702 if (key_is_dead(key, *limit)) 1703 return false; 1704 key_get(key); 1705 return true; 1706 } 1707 1708 static int keyring_gc_check_iterator(const void *object, void *iterator_data) 1709 { 1710 const struct key *key = keyring_ptr_to_key(object); 1711 time64_t *limit = iterator_data; 1712 1713 key_check(key); 1714 return key_is_dead(key, *limit); 1715 } 1716 1717 /* 1718 * Garbage collect pointers from a keyring. 1719 * 1720 * Not called with any locks held. The keyring's key struct will not be 1721 * deallocated under us as only our caller may deallocate it. 1722 */ 1723 void keyring_gc(struct key *keyring, time64_t limit) 1724 { 1725 int result; 1726 1727 kenter("%x{%s}", keyring->serial, keyring->description ?: ""); 1728 1729 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | 1730 (1 << KEY_FLAG_REVOKED))) 1731 goto dont_gc; 1732 1733 /* scan the keyring looking for dead keys */ 1734 rcu_read_lock(); 1735 result = assoc_array_iterate(&keyring->keys, 1736 keyring_gc_check_iterator, &limit); 1737 rcu_read_unlock(); 1738 if (result == true) 1739 goto do_gc; 1740 1741 dont_gc: 1742 kleave(" [no gc]"); 1743 return; 1744 1745 do_gc: 1746 down_write(&keyring->sem); 1747 assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops, 1748 keyring_gc_select_iterator, &limit); 1749 up_write(&keyring->sem); 1750 kleave(" [gc]"); 1751 } 1752 1753 /* 1754 * Garbage collect restriction pointers from a keyring. 1755 * 1756 * Keyring restrictions are associated with a key type, and must be cleaned 1757 * up if the key type is unregistered. The restriction is altered to always 1758 * reject additional keys so a keyring cannot be opened up by unregistering 1759 * a key type. 1760 * 1761 * Not called with any keyring locks held. The keyring's key struct will not 1762 * be deallocated under us as only our caller may deallocate it. 1763 * 1764 * The caller is required to hold key_types_sem and dead_type->sem. This is 1765 * fulfilled by key_gc_keytype() holding the locks on behalf of 1766 * key_garbage_collector(), which it invokes on a workqueue. 1767 */ 1768 void keyring_restriction_gc(struct key *keyring, struct key_type *dead_type) 1769 { 1770 struct key_restriction *keyres; 1771 1772 kenter("%x{%s}", keyring->serial, keyring->description ?: ""); 1773 1774 /* 1775 * keyring->restrict_link is only assigned at key allocation time 1776 * or with the key type locked, so the only values that could be 1777 * concurrently assigned to keyring->restrict_link are for key 1778 * types other than dead_type. Given this, it's ok to check 1779 * the key type before acquiring keyring->sem. 1780 */ 1781 if (!dead_type || !keyring->restrict_link || 1782 keyring->restrict_link->keytype != dead_type) { 1783 kleave(" [no restriction gc]"); 1784 return; 1785 } 1786 1787 /* Lock the keyring to ensure that a link is not in progress */ 1788 down_write(&keyring->sem); 1789 1790 keyres = keyring->restrict_link; 1791 1792 keyres->check = restrict_link_reject; 1793 1794 key_put(keyres->key); 1795 keyres->key = NULL; 1796 keyres->keytype = NULL; 1797 1798 up_write(&keyring->sem); 1799 1800 kleave(" [restriction gc]"); 1801 } 1802