xref: /linux/security/keys/process_keys.c (revision b233b28eac0cc37d07c2d007ea08c86c778c5af4) 
1 /* Management of a process's keyrings
2  *
3  * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11 
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/slab.h>
16 #include <linux/keyctl.h>
17 #include <linux/fs.h>
18 #include <linux/err.h>
19 #include <linux/mutex.h>
20 #include <asm/uaccess.h>
21 #include "internal.h"
22 
23 /* session keyring create vs join semaphore */
24 static DEFINE_MUTEX(key_session_mutex);
25 
26 /* user keyring creation semaphore */
27 static DEFINE_MUTEX(key_user_keyring_mutex);
28 
29 /* the root user's tracking struct */
30 struct key_user root_key_user = {
31 	.usage		= ATOMIC_INIT(3),
32 	.cons_lock	= __MUTEX_INITIALIZER(root_key_user.cons_lock),
33 	.lock		= __SPIN_LOCK_UNLOCKED(root_key_user.lock),
34 	.nkeys		= ATOMIC_INIT(2),
35 	.nikeys		= ATOMIC_INIT(2),
36 	.uid		= 0,
37 };
38 
39 /*****************************************************************************/
40 /*
41  * install user and user session keyrings for a particular UID
42  */
43 int install_user_keyrings(void)
44 {
45 	struct user_struct *user;
46 	const struct cred *cred;
47 	struct key *uid_keyring, *session_keyring;
48 	char buf[20];
49 	int ret;
50 
51 	cred = current_cred();
52 	user = cred->user;
53 
54 	kenter("%p{%u}", user, user->uid);
55 
56 	if (user->uid_keyring) {
57 		kleave(" = 0 [exist]");
58 		return 0;
59 	}
60 
61 	mutex_lock(&key_user_keyring_mutex);
62 	ret = 0;
63 
64 	if (!user->uid_keyring) {
65 		/* get the UID-specific keyring
66 		 * - there may be one in existence already as it may have been
67 		 *   pinned by a session, but the user_struct pointing to it
68 		 *   may have been destroyed by setuid */
69 		sprintf(buf, "_uid.%u", user->uid);
70 
71 		uid_keyring = find_keyring_by_name(buf, true);
72 		if (IS_ERR(uid_keyring)) {
73 			uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1,
74 						    cred, KEY_ALLOC_IN_QUOTA,
75 						    NULL);
76 			if (IS_ERR(uid_keyring)) {
77 				ret = PTR_ERR(uid_keyring);
78 				goto error;
79 			}
80 		}
81 
82 		/* get a default session keyring (which might also exist
83 		 * already) */
84 		sprintf(buf, "_uid_ses.%u", user->uid);
85 
86 		session_keyring = find_keyring_by_name(buf, true);
87 		if (IS_ERR(session_keyring)) {
88 			session_keyring =
89 				keyring_alloc(buf, user->uid, (gid_t) -1,
90 					      cred, KEY_ALLOC_IN_QUOTA, NULL);
91 			if (IS_ERR(session_keyring)) {
92 				ret = PTR_ERR(session_keyring);
93 				goto error_release;
94 			}
95 
96 			/* we install a link from the user session keyring to
97 			 * the user keyring */
98 			ret = key_link(session_keyring, uid_keyring);
99 			if (ret < 0)
100 				goto error_release_both;
101 		}
102 
103 		/* install the keyrings */
104 		user->uid_keyring = uid_keyring;
105 		user->session_keyring = session_keyring;
106 	}
107 
108 	mutex_unlock(&key_user_keyring_mutex);
109 	kleave(" = 0");
110 	return 0;
111 
112 error_release_both:
113 	key_put(session_keyring);
114 error_release:
115 	key_put(uid_keyring);
116 error:
117 	mutex_unlock(&key_user_keyring_mutex);
118 	kleave(" = %d", ret);
119 	return ret;
120 }
121 
122 /*
123  * install a fresh thread keyring directly to new credentials
124  */
125 int install_thread_keyring_to_cred(struct cred *new)
126 {
127 	struct key *keyring;
128 
129 	keyring = keyring_alloc("_tid", new->uid, new->gid, new,
130 				KEY_ALLOC_QUOTA_OVERRUN, NULL);
131 	if (IS_ERR(keyring))
132 		return PTR_ERR(keyring);
133 
134 	new->thread_keyring = keyring;
135 	return 0;
136 }
137 
138 /*
139  * install a fresh thread keyring, discarding the old one
140  */
141 static int install_thread_keyring(void)
142 {
143 	struct cred *new;
144 	int ret;
145 
146 	new = prepare_creds();
147 	if (!new)
148 		return -ENOMEM;
149 
150 	BUG_ON(new->thread_keyring);
151 
152 	ret = install_thread_keyring_to_cred(new);
153 	if (ret < 0) {
154 		abort_creds(new);
155 		return ret;
156 	}
157 
158 	return commit_creds(new);
159 }
160 
161 /*
162  * install a process keyring directly to a credentials struct
163  * - returns -EEXIST if there was already a process keyring, 0 if one installed,
164  *   and other -ve on any other error
165  */
166 int install_process_keyring_to_cred(struct cred *new)
167 {
168 	struct key *keyring;
169 	int ret;
170 
171 	if (new->tgcred->process_keyring)
172 		return -EEXIST;
173 
174 	keyring = keyring_alloc("_pid", new->uid, new->gid,
175 				new, KEY_ALLOC_QUOTA_OVERRUN, NULL);
176 	if (IS_ERR(keyring))
177 		return PTR_ERR(keyring);
178 
179 	spin_lock_irq(&new->tgcred->lock);
180 	if (!new->tgcred->process_keyring) {
181 		new->tgcred->process_keyring = keyring;
182 		keyring = NULL;
183 		ret = 0;
184 	} else {
185 		ret = -EEXIST;
186 	}
187 	spin_unlock_irq(&new->tgcred->lock);
188 	key_put(keyring);
189 	return ret;
190 }
191 
192 /*
193  * make sure a process keyring is installed
194  * - we
195  */
196 static int install_process_keyring(void)
197 {
198 	struct cred *new;
199 	int ret;
200 
201 	new = prepare_creds();
202 	if (!new)
203 		return -ENOMEM;
204 
205 	ret = install_process_keyring_to_cred(new);
206 	if (ret < 0) {
207 		abort_creds(new);
208 		return ret != -EEXIST ?: 0;
209 	}
210 
211 	return commit_creds(new);
212 }
213 
214 /*
215  * install a session keyring directly to a credentials struct
216  */
217 static int install_session_keyring_to_cred(struct cred *cred,
218 					   struct key *keyring)
219 {
220 	unsigned long flags;
221 	struct key *old;
222 
223 	might_sleep();
224 
225 	/* create an empty session keyring */
226 	if (!keyring) {
227 		flags = KEY_ALLOC_QUOTA_OVERRUN;
228 		if (cred->tgcred->session_keyring)
229 			flags = KEY_ALLOC_IN_QUOTA;
230 
231 		keyring = keyring_alloc("_ses", cred->uid, cred->gid,
232 					cred, flags, NULL);
233 		if (IS_ERR(keyring))
234 			return PTR_ERR(keyring);
235 	} else {
236 		atomic_inc(&keyring->usage);
237 	}
238 
239 	/* install the keyring */
240 	spin_lock_irq(&cred->tgcred->lock);
241 	old = cred->tgcred->session_keyring;
242 	rcu_assign_pointer(cred->tgcred->session_keyring, keyring);
243 	spin_unlock_irq(&cred->tgcred->lock);
244 
245 	/* we're using RCU on the pointer, but there's no point synchronising
246 	 * on it if it didn't previously point to anything */
247 	if (old) {
248 		synchronize_rcu();
249 		key_put(old);
250 	}
251 
252 	return 0;
253 }
254 
255 /*
256  * install a session keyring, discarding the old one
257  * - if a keyring is not supplied, an empty one is invented
258  */
259 static int install_session_keyring(struct key *keyring)
260 {
261 	struct cred *new;
262 	int ret;
263 
264 	new = prepare_creds();
265 	if (!new)
266 		return -ENOMEM;
267 
268 	ret = install_session_keyring_to_cred(new, NULL);
269 	if (ret < 0) {
270 		abort_creds(new);
271 		return ret;
272 	}
273 
274 	return commit_creds(new);
275 }
276 
277 /*****************************************************************************/
278 /*
279  * the filesystem user ID changed
280  */
281 void key_fsuid_changed(struct task_struct *tsk)
282 {
283 	/* update the ownership of the thread keyring */
284 	BUG_ON(!tsk->cred);
285 	if (tsk->cred->thread_keyring) {
286 		down_write(&tsk->cred->thread_keyring->sem);
287 		tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
288 		up_write(&tsk->cred->thread_keyring->sem);
289 	}
290 
291 } /* end key_fsuid_changed() */
292 
293 /*****************************************************************************/
294 /*
295  * the filesystem group ID changed
296  */
297 void key_fsgid_changed(struct task_struct *tsk)
298 {
299 	/* update the ownership of the thread keyring */
300 	BUG_ON(!tsk->cred);
301 	if (tsk->cred->thread_keyring) {
302 		down_write(&tsk->cred->thread_keyring->sem);
303 		tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
304 		up_write(&tsk->cred->thread_keyring->sem);
305 	}
306 
307 } /* end key_fsgid_changed() */
308 
309 /*****************************************************************************/
310 /*
311  * search the process keyrings for the first matching key
312  * - we use the supplied match function to see if the description (or other
313  *   feature of interest) matches
314  * - we return -EAGAIN if we didn't find any matching key
315  * - we return -ENOKEY if we found only negative matching keys
316  */
317 key_ref_t search_process_keyrings(struct key_type *type,
318 				  const void *description,
319 				  key_match_func_t match,
320 				  const struct cred *cred)
321 {
322 	struct request_key_auth *rka;
323 	key_ref_t key_ref, ret, err;
324 
325 	might_sleep();
326 
327 	/* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
328 	 * searchable, but we failed to find a key or we found a negative key;
329 	 * otherwise we want to return a sample error (probably -EACCES) if
330 	 * none of the keyrings were searchable
331 	 *
332 	 * in terms of priority: success > -ENOKEY > -EAGAIN > other error
333 	 */
334 	key_ref = NULL;
335 	ret = NULL;
336 	err = ERR_PTR(-EAGAIN);
337 
338 	/* search the thread keyring first */
339 	if (cred->thread_keyring) {
340 		key_ref = keyring_search_aux(
341 			make_key_ref(cred->thread_keyring, 1),
342 			cred, type, description, match);
343 		if (!IS_ERR(key_ref))
344 			goto found;
345 
346 		switch (PTR_ERR(key_ref)) {
347 		case -EAGAIN: /* no key */
348 			if (ret)
349 				break;
350 		case -ENOKEY: /* negative key */
351 			ret = key_ref;
352 			break;
353 		default:
354 			err = key_ref;
355 			break;
356 		}
357 	}
358 
359 	/* search the process keyring second */
360 	if (cred->tgcred->process_keyring) {
361 		key_ref = keyring_search_aux(
362 			make_key_ref(cred->tgcred->process_keyring, 1),
363 			cred, type, description, match);
364 		if (!IS_ERR(key_ref))
365 			goto found;
366 
367 		switch (PTR_ERR(key_ref)) {
368 		case -EAGAIN: /* no key */
369 			if (ret)
370 				break;
371 		case -ENOKEY: /* negative key */
372 			ret = key_ref;
373 			break;
374 		default:
375 			err = key_ref;
376 			break;
377 		}
378 	}
379 
380 	/* search the session keyring */
381 	if (cred->tgcred->session_keyring) {
382 		rcu_read_lock();
383 		key_ref = keyring_search_aux(
384 			make_key_ref(rcu_dereference(
385 					     cred->tgcred->session_keyring),
386 				     1),
387 			cred, type, description, match);
388 		rcu_read_unlock();
389 
390 		if (!IS_ERR(key_ref))
391 			goto found;
392 
393 		switch (PTR_ERR(key_ref)) {
394 		case -EAGAIN: /* no key */
395 			if (ret)
396 				break;
397 		case -ENOKEY: /* negative key */
398 			ret = key_ref;
399 			break;
400 		default:
401 			err = key_ref;
402 			break;
403 		}
404 	}
405 	/* or search the user-session keyring */
406 	else if (cred->user->session_keyring) {
407 		key_ref = keyring_search_aux(
408 			make_key_ref(cred->user->session_keyring, 1),
409 			cred, type, description, match);
410 		if (!IS_ERR(key_ref))
411 			goto found;
412 
413 		switch (PTR_ERR(key_ref)) {
414 		case -EAGAIN: /* no key */
415 			if (ret)
416 				break;
417 		case -ENOKEY: /* negative key */
418 			ret = key_ref;
419 			break;
420 		default:
421 			err = key_ref;
422 			break;
423 		}
424 	}
425 
426 	/* if this process has an instantiation authorisation key, then we also
427 	 * search the keyrings of the process mentioned there
428 	 * - we don't permit access to request_key auth keys via this method
429 	 */
430 	if (cred->request_key_auth &&
431 	    cred == current_cred() &&
432 	    type != &key_type_request_key_auth
433 	    ) {
434 		/* defend against the auth key being revoked */
435 		down_read(&cred->request_key_auth->sem);
436 
437 		if (key_validate(cred->request_key_auth) == 0) {
438 			rka = cred->request_key_auth->payload.data;
439 
440 			key_ref = search_process_keyrings(type, description,
441 							  match, rka->cred);
442 
443 			up_read(&cred->request_key_auth->sem);
444 
445 			if (!IS_ERR(key_ref))
446 				goto found;
447 
448 			switch (PTR_ERR(key_ref)) {
449 			case -EAGAIN: /* no key */
450 				if (ret)
451 					break;
452 			case -ENOKEY: /* negative key */
453 				ret = key_ref;
454 				break;
455 			default:
456 				err = key_ref;
457 				break;
458 			}
459 		} else {
460 			up_read(&cred->request_key_auth->sem);
461 		}
462 	}
463 
464 	/* no key - decide on the error we're going to go for */
465 	key_ref = ret ? ret : err;
466 
467 found:
468 	return key_ref;
469 
470 } /* end search_process_keyrings() */
471 
472 /*****************************************************************************/
473 /*
474  * see if the key we're looking at is the target key
475  */
476 static int lookup_user_key_possessed(const struct key *key, const void *target)
477 {
478 	return key == target;
479 
480 } /* end lookup_user_key_possessed() */
481 
482 /*****************************************************************************/
483 /*
484  * lookup a key given a key ID from userspace with a given permissions mask
485  * - don't create special keyrings unless so requested
486  * - partially constructed keys aren't found unless requested
487  */
488 key_ref_t lookup_user_key(key_serial_t id, int create, int partial,
489 			  key_perm_t perm)
490 {
491 	struct request_key_auth *rka;
492 	const struct cred *cred;
493 	struct key *key;
494 	key_ref_t key_ref, skey_ref;
495 	int ret;
496 
497 try_again:
498 	cred = get_current_cred();
499 	key_ref = ERR_PTR(-ENOKEY);
500 
501 	switch (id) {
502 	case KEY_SPEC_THREAD_KEYRING:
503 		if (!cred->thread_keyring) {
504 			if (!create)
505 				goto error;
506 
507 			ret = install_thread_keyring();
508 			if (ret < 0) {
509 				key = ERR_PTR(ret);
510 				goto error;
511 			}
512 			goto reget_creds;
513 		}
514 
515 		key = cred->thread_keyring;
516 		atomic_inc(&key->usage);
517 		key_ref = make_key_ref(key, 1);
518 		break;
519 
520 	case KEY_SPEC_PROCESS_KEYRING:
521 		if (!cred->tgcred->process_keyring) {
522 			if (!create)
523 				goto error;
524 
525 			ret = install_process_keyring();
526 			if (ret < 0) {
527 				key = ERR_PTR(ret);
528 				goto error;
529 			}
530 			goto reget_creds;
531 		}
532 
533 		key = cred->tgcred->process_keyring;
534 		atomic_inc(&key->usage);
535 		key_ref = make_key_ref(key, 1);
536 		break;
537 
538 	case KEY_SPEC_SESSION_KEYRING:
539 		if (!cred->tgcred->session_keyring) {
540 			/* always install a session keyring upon access if one
541 			 * doesn't exist yet */
542 			ret = install_user_keyrings();
543 			if (ret < 0)
544 				goto error;
545 			ret = install_session_keyring(
546 				cred->user->session_keyring);
547 
548 			if (ret < 0)
549 				goto error;
550 			goto reget_creds;
551 		}
552 
553 		rcu_read_lock();
554 		key = rcu_dereference(cred->tgcred->session_keyring);
555 		atomic_inc(&key->usage);
556 		rcu_read_unlock();
557 		key_ref = make_key_ref(key, 1);
558 		break;
559 
560 	case KEY_SPEC_USER_KEYRING:
561 		if (!cred->user->uid_keyring) {
562 			ret = install_user_keyrings();
563 			if (ret < 0)
564 				goto error;
565 		}
566 
567 		key = cred->user->uid_keyring;
568 		atomic_inc(&key->usage);
569 		key_ref = make_key_ref(key, 1);
570 		break;
571 
572 	case KEY_SPEC_USER_SESSION_KEYRING:
573 		if (!cred->user->session_keyring) {
574 			ret = install_user_keyrings();
575 			if (ret < 0)
576 				goto error;
577 		}
578 
579 		key = cred->user->session_keyring;
580 		atomic_inc(&key->usage);
581 		key_ref = make_key_ref(key, 1);
582 		break;
583 
584 	case KEY_SPEC_GROUP_KEYRING:
585 		/* group keyrings are not yet supported */
586 		key = ERR_PTR(-EINVAL);
587 		goto error;
588 
589 	case KEY_SPEC_REQKEY_AUTH_KEY:
590 		key = cred->request_key_auth;
591 		if (!key)
592 			goto error;
593 
594 		atomic_inc(&key->usage);
595 		key_ref = make_key_ref(key, 1);
596 		break;
597 
598 	case KEY_SPEC_REQUESTOR_KEYRING:
599 		if (!cred->request_key_auth)
600 			goto error;
601 
602 		down_read(&cred->request_key_auth->sem);
603 		if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) {
604 			key_ref = ERR_PTR(-EKEYREVOKED);
605 			key = NULL;
606 		} else {
607 			rka = cred->request_key_auth->payload.data;
608 			key = rka->dest_keyring;
609 			atomic_inc(&key->usage);
610 		}
611 		up_read(&cred->request_key_auth->sem);
612 		if (!key)
613 			goto error;
614 		key_ref = make_key_ref(key, 1);
615 		break;
616 
617 	default:
618 		key_ref = ERR_PTR(-EINVAL);
619 		if (id < 1)
620 			goto error;
621 
622 		key = key_lookup(id);
623 		if (IS_ERR(key)) {
624 			key_ref = ERR_CAST(key);
625 			goto error;
626 		}
627 
628 		key_ref = make_key_ref(key, 0);
629 
630 		/* check to see if we possess the key */
631 		skey_ref = search_process_keyrings(key->type, key,
632 						   lookup_user_key_possessed,
633 						   cred);
634 
635 		if (!IS_ERR(skey_ref)) {
636 			key_put(key);
637 			key_ref = skey_ref;
638 		}
639 
640 		break;
641 	}
642 
643 	if (!partial) {
644 		ret = wait_for_key_construction(key, true);
645 		switch (ret) {
646 		case -ERESTARTSYS:
647 			goto invalid_key;
648 		default:
649 			if (perm)
650 				goto invalid_key;
651 		case 0:
652 			break;
653 		}
654 	} else if (perm) {
655 		ret = key_validate(key);
656 		if (ret < 0)
657 			goto invalid_key;
658 	}
659 
660 	ret = -EIO;
661 	if (!partial && !test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
662 		goto invalid_key;
663 
664 	/* check the permissions */
665 	ret = key_task_permission(key_ref, cred, perm);
666 	if (ret < 0)
667 		goto invalid_key;
668 
669 error:
670 	put_cred(cred);
671 	return key_ref;
672 
673 invalid_key:
674 	key_ref_put(key_ref);
675 	key_ref = ERR_PTR(ret);
676 	goto error;
677 
678 	/* if we attempted to install a keyring, then it may have caused new
679 	 * creds to be installed */
680 reget_creds:
681 	put_cred(cred);
682 	goto try_again;
683 
684 } /* end lookup_user_key() */
685 
686 /*****************************************************************************/
687 /*
688  * join the named keyring as the session keyring if possible, or attempt to
689  * create a new one of that name if not
690  * - if the name is NULL, an empty anonymous keyring is installed instead
691  * - named session keyring joining is done with a semaphore held
692  */
693 long join_session_keyring(const char *name)
694 {
695 	const struct cred *old;
696 	struct cred *new;
697 	struct key *keyring;
698 	long ret, serial;
699 
700 	/* only permit this if there's a single thread in the thread group -
701 	 * this avoids us having to adjust the creds on all threads and risking
702 	 * ENOMEM */
703 	if (!is_single_threaded(current))
704 		return -EMLINK;
705 
706 	new = prepare_creds();
707 	if (!new)
708 		return -ENOMEM;
709 	old = current_cred();
710 
711 	/* if no name is provided, install an anonymous keyring */
712 	if (!name) {
713 		ret = install_session_keyring_to_cred(new, NULL);
714 		if (ret < 0)
715 			goto error;
716 
717 		serial = new->tgcred->session_keyring->serial;
718 		ret = commit_creds(new);
719 		if (ret == 0)
720 			ret = serial;
721 		goto okay;
722 	}
723 
724 	/* allow the user to join or create a named keyring */
725 	mutex_lock(&key_session_mutex);
726 
727 	/* look for an existing keyring of this name */
728 	keyring = find_keyring_by_name(name, false);
729 	if (PTR_ERR(keyring) == -ENOKEY) {
730 		/* not found - try and create a new one */
731 		keyring = keyring_alloc(name, old->uid, old->gid, old,
732 					KEY_ALLOC_IN_QUOTA, NULL);
733 		if (IS_ERR(keyring)) {
734 			ret = PTR_ERR(keyring);
735 			goto error2;
736 		}
737 	} else if (IS_ERR(keyring)) {
738 		ret = PTR_ERR(keyring);
739 		goto error2;
740 	}
741 
742 	/* we've got a keyring - now to install it */
743 	ret = install_session_keyring_to_cred(new, keyring);
744 	if (ret < 0)
745 		goto error2;
746 
747 	commit_creds(new);
748 	mutex_unlock(&key_session_mutex);
749 
750 	ret = keyring->serial;
751 	key_put(keyring);
752 okay:
753 	return ret;
754 
755 error2:
756 	mutex_unlock(&key_session_mutex);
757 error:
758 	abort_creds(new);
759 	return ret;
760 }
761