summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2019-07-08 22:36:47 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2019-07-08 22:36:47 -0400
commitc84ca912b07901be528e5184fd254fca1dddf2ac (patch)
tree328d6907358783914cc2e1ad61bb65b84f1145f1
parentc236b6dd48dcf2ae6ed14b9068830eccc3e181e6 (diff)
parenta58946c158a040068e7c94dc1d58bbd273258068 (diff)
Merge tag 'keys-namespace-20190627' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
Pull keyring namespacing from David Howells: "These patches help make keys and keyrings more namespace aware. Firstly some miscellaneous patches to make the process easier: - Simplify key index_key handling so that the word-sized chunks assoc_array requires don't have to be shifted about, making it easier to add more bits into the key. - Cache the hash value in the key so that we don't have to calculate on every key we examine during a search (it involves a bunch of multiplications). - Allow keying_search() to search non-recursively. Then the main patches: - Make it so that keyring names are per-user_namespace from the point of view of KEYCTL_JOIN_SESSION_KEYRING so that they're not accessible cross-user_namespace. keyctl_capabilities() shows KEYCTL_CAPS1_NS_KEYRING_NAME for this. - Move the user and user-session keyrings to the user_namespace rather than the user_struct. This prevents them propagating directly across user_namespaces boundaries (ie. the KEY_SPEC_* flags will only pick from the current user_namespace). - Make it possible to include the target namespace in which the key shall operate in the index_key. This will allow the possibility of multiple keys with the same description, but different target domains to be held in the same keyring. keyctl_capabilities() shows KEYCTL_CAPS1_NS_KEY_TAG for this. - Make it so that keys are implicitly invalidated by removal of a domain tag, causing them to be garbage collected. - Institute a network namespace domain tag that allows keys to be differentiated by the network namespace in which they operate. New keys that are of a type marked 'KEY_TYPE_NET_DOMAIN' are assigned the network domain in force when they are created. - Make it so that the desired network namespace can be handed down into the request_key() mechanism. This allows AFS, NFS, etc. to request keys specific to the network namespace of the superblock. This also means that the keys in the DNS record cache are thenceforth namespaced, provided network filesystems pass the appropriate network namespace down into dns_query(). For DNS, AFS and NFS are good, whilst CIFS and Ceph are not. Other cache keyrings, such as idmapper keyrings, also need to set the domain tag - for which they need access to the network namespace of the superblock" * tag 'keys-namespace-20190627' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: keys: Pass the network namespace into request_key mechanism keys: Network namespace domain tag keys: Garbage collect keys for which the domain has been removed keys: Include target namespace in match criteria keys: Move the user and user-session keyrings to the user_namespace keys: Namespace keyring names keys: Add a 'recurse' flag for keyring searches keys: Cache the hash value to avoid lots of recalculation keys: Simplify key description management
-rw-r--r--Documentation/security/keys/core.rst38
-rw-r--r--Documentation/security/keys/request-key.rst29
-rw-r--r--certs/blacklist.c2
-rw-r--r--crypto/asymmetric_keys/asymmetric_type.c2
-rw-r--r--fs/afs/addr_list.c4
-rw-r--r--fs/afs/dynroot.c8
-rw-r--r--fs/cifs/dns_resolve.c3
-rw-r--r--fs/nfs/dns_resolve.c3
-rw-r--r--fs/nfs/nfs4idmap.c2
-rw-r--r--include/linux/dns_resolver.h3
-rw-r--r--include/linux/key-type.h3
-rw-r--r--include/linux/key.h81
-rw-r--r--include/linux/sched/user.h14
-rw-r--r--include/linux/user_namespace.h12
-rw-r--r--include/net/net_namespace.h3
-rw-r--r--include/uapi/linux/keyctl.h2
-rw-r--r--kernel/user.c8
-rw-r--r--kernel/user_namespace.c9
-rw-r--r--lib/digsig.c2
-rw-r--r--net/ceph/messenger.c3
-rw-r--r--net/core/net_namespace.c20
-rw-r--r--net/dns_resolver/dns_key.c1
-rw-r--r--net/dns_resolver/dns_query.c7
-rw-r--r--net/rxrpc/key.c6
-rw-r--r--net/rxrpc/security.c2
-rw-r--r--security/integrity/digsig_asymmetric.c4
-rw-r--r--security/keys/gc.c2
-rw-r--r--security/keys/internal.h10
-rw-r--r--security/keys/key.c5
-rw-r--r--security/keys/keyctl.c8
-rw-r--r--security/keys/keyring.c263
-rw-r--r--security/keys/persistent.c10
-rw-r--r--security/keys/proc.c3
-rw-r--r--security/keys/process_keys.c262
-rw-r--r--security/keys/request_key.c62
-rw-r--r--security/keys/request_key_auth.c3
36 files changed, 589 insertions, 310 deletions
diff --git a/Documentation/security/keys/core.rst b/Documentation/security/keys/core.rst
index a0e245f9576f..0e74f372e58c 100644
--- a/Documentation/security/keys/core.rst
+++ b/Documentation/security/keys/core.rst
@@ -1102,26 +1102,42 @@ payload contents" for more information.
1102 See also Documentation/security/keys/request-key.rst. 1102 See also Documentation/security/keys/request-key.rst.
1103 1103
1104 1104
1105 * To search for a key in a specific domain, call:
1106
1107 struct key *request_key_tag(const struct key_type *type,
1108 const char *description,
1109 struct key_tag *domain_tag,
1110 const char *callout_info);
1111
1112 This is identical to request_key(), except that a domain tag may be
1113 specifies that causes search algorithm to only match keys matching that
1114 tag. The domain_tag may be NULL, specifying a global domain that is
1115 separate from any nominated domain.
1116
1117
1105 * To search for a key, passing auxiliary data to the upcaller, call:: 1118 * To search for a key, passing auxiliary data to the upcaller, call::
1106 1119
1107 struct key *request_key_with_auxdata(const struct key_type *type, 1120 struct key *request_key_with_auxdata(const struct key_type *type,
1108 const char *description, 1121 const char *description,
1122 struct key_tag *domain_tag,
1109 const void *callout_info, 1123 const void *callout_info,
1110 size_t callout_len, 1124 size_t callout_len,
1111 void *aux); 1125 void *aux);
1112 1126
1113 This is identical to request_key(), except that the auxiliary data is 1127 This is identical to request_key_tag(), except that the auxiliary data is
1114 passed to the key_type->request_key() op if it exists, and the callout_info 1128 passed to the key_type->request_key() op if it exists, and the
1115 is a blob of length callout_len, if given (the length may be 0). 1129 callout_info is a blob of length callout_len, if given (the length may be
1130 0).
1116 1131
1117 1132
1118 * To search for a key under RCU conditions, call:: 1133 * To search for a key under RCU conditions, call::
1119 1134
1120 struct key *request_key_rcu(const struct key_type *type, 1135 struct key *request_key_rcu(const struct key_type *type,
1121 const char *description); 1136 const char *description,
1137 struct key_tag *domain_tag);
1122 1138
1123 which is similar to request_key() except that it does not check for keys 1139 which is similar to request_key_tag() except that it does not check for
1124 that are under construction and it will not call out to userspace to 1140 keys that are under construction and it will not call out to userspace to
1125 construct a key if it can't find a match. 1141 construct a key if it can't find a match.
1126 1142
1127 1143
@@ -1162,11 +1178,13 @@ payload contents" for more information.
1162 1178
1163 key_ref_t keyring_search(key_ref_t keyring_ref, 1179 key_ref_t keyring_search(key_ref_t keyring_ref,
1164 const struct key_type *type, 1180 const struct key_type *type,
1165 const char *description) 1181 const char *description,
1182 bool recurse)
1166 1183
1167 This searches the keyring tree specified for a matching key. Error ENOKEY 1184 This searches the specified keyring only (recurse == false) or keyring tree
1168 is returned upon failure (use IS_ERR/PTR_ERR to determine). If successful, 1185 (recurse == true) specified for a matching key. Error ENOKEY is returned
1169 the returned key will need to be released. 1186 upon failure (use IS_ERR/PTR_ERR to determine). If successful, the returned
1187 key will need to be released.
1170 1188
1171 The possession attribute from the keyring reference is used to control 1189 The possession attribute from the keyring reference is used to control
1172 access through the permissions mask and is propagated to the returned key 1190 access through the permissions mask and is propagated to the returned key
diff --git a/Documentation/security/keys/request-key.rst b/Documentation/security/keys/request-key.rst
index 5a210baa583a..35f2296b704a 100644
--- a/Documentation/security/keys/request-key.rst
+++ b/Documentation/security/keys/request-key.rst
@@ -15,8 +15,16 @@ The process starts by either the kernel requesting a service by calling
15 15
16or:: 16or::
17 17
18 struct key *request_key_tag(const struct key_type *type,
19 const char *description,
20 const struct key_tag *domain_tag,
21 const char *callout_info);
22
23or::
24
18 struct key *request_key_with_auxdata(const struct key_type *type, 25 struct key *request_key_with_auxdata(const struct key_type *type,
19 const char *description, 26 const char *description,
27 const struct key_tag *domain_tag,
20 const char *callout_info, 28 const char *callout_info,
21 size_t callout_len, 29 size_t callout_len,
22 void *aux); 30 void *aux);
@@ -24,7 +32,8 @@ or::
24or:: 32or::
25 33
26 struct key *request_key_rcu(const struct key_type *type, 34 struct key *request_key_rcu(const struct key_type *type,
27 const char *description); 35 const char *description,
36 const struct key_tag *domain_tag);
28 37
29Or by userspace invoking the request_key system call:: 38Or by userspace invoking the request_key system call::
30 39
@@ -38,14 +47,18 @@ does not need to link the key to a keyring to prevent it from being immediately
38destroyed. The kernel interface returns a pointer directly to the key, and 47destroyed. The kernel interface returns a pointer directly to the key, and
39it's up to the caller to destroy the key. 48it's up to the caller to destroy the key.
40 49
41The request_key_with_auxdata() calls is like the in-kernel request_key() call, 50The request_key_tag() call is like the in-kernel request_key(), except that it
42except that they permit auxiliary data to be passed to the upcaller (the 51also takes a domain tag that allows keys to be separated by namespace and
43default is NULL). This is only useful for those key types that define their 52killed off as a group.
44own upcall mechanism rather than using /sbin/request-key. 53
54The request_key_with_auxdata() calls is like the request_key_tag() call, except
55that they permit auxiliary data to be passed to the upcaller (the default is
56NULL). This is only useful for those key types that define their own upcall
57mechanism rather than using /sbin/request-key.
45 58
46The request_key_rcu() call is like the in-kernel request_key() call, except 59The request_key_rcu() call is like the request_key_tag() call, except that it
47that it doesn't check for keys that are under construction and doesn't attempt 60doesn't check for keys that are under construction and doesn't attempt to
48to construct missing keys. 61construct missing keys.
49 62
50The userspace interface links the key to a keyring associated with the process 63The userspace interface links the key to a keyring associated with the process
51to prevent the key from going away, and returns the serial number of the key to 64to prevent the key from going away, and returns the serial number of the key to
diff --git a/certs/blacklist.c b/certs/blacklist.c
index f1a8672123c3..ec00bf337eb6 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -124,7 +124,7 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
124 *p = 0; 124 *p = 0;
125 125
126 kref = keyring_search(make_key_ref(blacklist_keyring, true), 126 kref = keyring_search(make_key_ref(blacklist_keyring, true),
127 &key_type_blacklist, buffer); 127 &key_type_blacklist, buffer, false);
128 if (!IS_ERR(kref)) { 128 if (!IS_ERR(kref)) {
129 key_ref_put(kref); 129 key_ref_put(kref);
130 ret = -EKEYREJECTED; 130 ret = -EKEYREJECTED;
diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
index 01945ab46382..6e5fc8e31f01 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -83,7 +83,7 @@ struct key *find_asymmetric_key(struct key *keyring,
83 pr_debug("Look up: \"%s\"\n", req); 83 pr_debug("Look up: \"%s\"\n", req);
84 84
85 ref = keyring_search(make_key_ref(keyring, 1), 85 ref = keyring_search(make_key_ref(keyring, 1),
86 &key_type_asymmetric, req); 86 &key_type_asymmetric, req, true);
87 if (IS_ERR(ref)) 87 if (IS_ERR(ref))
88 pr_debug("Request for key '%s' err %ld\n", req, PTR_ERR(ref)); 88 pr_debug("Request for key '%s' err %ld\n", req, PTR_ERR(ref));
89 kfree(req); 89 kfree(req);
diff --git a/fs/afs/addr_list.c b/fs/afs/addr_list.c
index 86da532c192f..df415c05939e 100644
--- a/fs/afs/addr_list.c
+++ b/fs/afs/addr_list.c
@@ -246,8 +246,8 @@ struct afs_vlserver_list *afs_dns_query(struct afs_cell *cell, time64_t *_expiry
246 246
247 _enter("%s", cell->name); 247 _enter("%s", cell->name);
248 248
249 ret = dns_query("afsdb", cell->name, cell->name_len, "srv=1", 249 ret = dns_query(cell->net->net, "afsdb", cell->name, cell->name_len,
250 &result, _expiry, true); 250 "srv=1", &result, _expiry, true);
251 if (ret < 0) { 251 if (ret < 0) {
252 _leave(" = %d [dns]", ret); 252 _leave(" = %d [dns]", ret);
253 return ERR_PTR(ret); 253 return ERR_PTR(ret);
diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
index 9b3b2f1f1fc0..bcd1bafb0278 100644
--- a/fs/afs/dynroot.c
+++ b/fs/afs/dynroot.c
@@ -24,6 +24,7 @@ const struct file_operations afs_dynroot_file_operations = {
24static int afs_probe_cell_name(struct dentry *dentry) 24static int afs_probe_cell_name(struct dentry *dentry)
25{ 25{
26 struct afs_cell *cell; 26 struct afs_cell *cell;
27 struct afs_net *net = afs_d2net(dentry);
27 const char *name = dentry->d_name.name; 28 const char *name = dentry->d_name.name;
28 size_t len = dentry->d_name.len; 29 size_t len = dentry->d_name.len;
29 int ret; 30 int ret;
@@ -36,13 +37,14 @@ static int afs_probe_cell_name(struct dentry *dentry)
36 len--; 37 len--;
37 } 38 }
38 39
39 cell = afs_lookup_cell_rcu(afs_d2net(dentry), name, len); 40 cell = afs_lookup_cell_rcu(net, name, len);
40 if (!IS_ERR(cell)) { 41 if (!IS_ERR(cell)) {
41 afs_put_cell(afs_d2net(dentry), cell); 42 afs_put_cell(net, cell);
42 return 0; 43 return 0;
43 } 44 }
44 45
45 ret = dns_query("afsdb", name, len, "srv=1", NULL, NULL, false); 46 ret = dns_query(net->net, "afsdb", name, len, "srv=1",
47 NULL, NULL, false);
46 if (ret == -ENODATA) 48 if (ret == -ENODATA)
47 ret = -EDESTADDRREQ; 49 ret = -EDESTADDRREQ;
48 return ret; 50 return ret;
diff --git a/fs/cifs/dns_resolve.c b/fs/cifs/dns_resolve.c
index 1e21b2528cfb..534cbba72789 100644
--- a/fs/cifs/dns_resolve.c
+++ b/fs/cifs/dns_resolve.c
@@ -77,7 +77,8 @@ dns_resolve_server_name_to_ip(const char *unc, char **ip_addr)
77 goto name_is_IP_address; 77 goto name_is_IP_address;
78 78
79 /* Perform the upcall */ 79 /* Perform the upcall */
80 rc = dns_query(NULL, hostname, len, NULL, ip_addr, NULL, false); 80 rc = dns_query(current->nsproxy->net_ns, NULL, hostname, len,
81 NULL, ip_addr, NULL, false);
81 if (rc < 0) 82 if (rc < 0)
82 cifs_dbg(FYI, "%s: unable to resolve: %*.*s\n", 83 cifs_dbg(FYI, "%s: unable to resolve: %*.*s\n",
83 __func__, len, len, hostname); 84 __func__, len, len, hostname);
diff --git a/fs/nfs/dns_resolve.c b/fs/nfs/dns_resolve.c
index e6a700f01452..aec769a500a1 100644
--- a/fs/nfs/dns_resolve.c
+++ b/fs/nfs/dns_resolve.c
@@ -22,7 +22,8 @@ ssize_t nfs_dns_resolve_name(struct net *net, char *name, size_t namelen,
22 char *ip_addr = NULL; 22 char *ip_addr = NULL;
23 int ip_len; 23 int ip_len;
24 24
25 ip_len = dns_query(NULL, name, namelen, NULL, &ip_addr, NULL, false); 25 ip_len = dns_query(net, NULL, name, namelen, NULL, &ip_addr, NULL,
26 false);
26 if (ip_len > 0) 27 if (ip_len > 0)
27 ret = rpc_pton(net, ip_addr, ip_len, sa, salen); 28 ret = rpc_pton(net, ip_addr, ip_len, sa, salen);
28 else 29 else
diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c
index 4884fdae28fb..1e7296395d71 100644
--- a/fs/nfs/nfs4idmap.c
+++ b/fs/nfs/nfs4idmap.c
@@ -291,7 +291,7 @@ static struct key *nfs_idmap_request_key(const char *name, size_t namelen,
291 if (IS_ERR(rkey)) { 291 if (IS_ERR(rkey)) {
292 mutex_lock(&idmap->idmap_mutex); 292 mutex_lock(&idmap->idmap_mutex);
293 rkey = request_key_with_auxdata(&key_type_id_resolver_legacy, 293 rkey = request_key_with_auxdata(&key_type_id_resolver_legacy,
294 desc, "", 0, idmap); 294 desc, NULL, "", 0, idmap);
295 mutex_unlock(&idmap->idmap_mutex); 295 mutex_unlock(&idmap->idmap_mutex);
296 } 296 }
297 if (!IS_ERR(rkey)) 297 if (!IS_ERR(rkey))
diff --git a/include/linux/dns_resolver.h b/include/linux/dns_resolver.h
index f2b3ae22e6b7..976cbbdb2832 100644
--- a/include/linux/dns_resolver.h
+++ b/include/linux/dns_resolver.h
@@ -26,7 +26,8 @@
26 26
27#include <uapi/linux/dns_resolver.h> 27#include <uapi/linux/dns_resolver.h>
28 28
29extern int dns_query(const char *type, const char *name, size_t namelen, 29struct net;
30extern int dns_query(struct net *net, const char *type, const char *name, size_t namelen,
30 const char *options, char **_result, time64_t *_expiry, 31 const char *options, char **_result, time64_t *_expiry,
31 bool invalidate); 32 bool invalidate);
32 33
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 331cab70db09..4ded94bcf274 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -70,6 +70,9 @@ struct key_type {
70 */ 70 */
71 size_t def_datalen; 71 size_t def_datalen;
72 72
73 unsigned int flags;
74#define KEY_TYPE_NET_DOMAIN 0x00000001 /* Keys of this type have a net namespace domain */
75
73 /* vet a description */ 76 /* vet a description */
74 int (*vet_description)(const char *description); 77 int (*vet_description)(const char *description);
75 78
diff --git a/include/linux/key.h b/include/linux/key.h
index ad17c8f30b4c..91f391cd272e 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -31,6 +31,7 @@ typedef int32_t key_serial_t;
31typedef uint32_t key_perm_t; 31typedef uint32_t key_perm_t;
32 32
33struct key; 33struct key;
34struct net;
34 35
35#ifdef CONFIG_KEYS 36#ifdef CONFIG_KEYS
36 37
@@ -77,13 +78,34 @@ struct cred;
77 78
78struct key_type; 79struct key_type;
79struct key_owner; 80struct key_owner;
81struct key_tag;
80struct keyring_list; 82struct keyring_list;
81struct keyring_name; 83struct keyring_name;
82 84
85struct key_tag {
86 struct rcu_head rcu;
87 refcount_t usage;
88 bool removed; /* T when subject removed */
89};
90
83struct keyring_index_key { 91struct keyring_index_key {
92 /* [!] If this structure is altered, the union in struct key must change too! */
93 unsigned long hash; /* Hash value */
94 union {
95 struct {
96#ifdef __LITTLE_ENDIAN /* Put desc_len at the LSB of x */
97 u8 desc_len;
98 char desc[sizeof(long) - 1]; /* First few chars of description */
99#else
100 char desc[sizeof(long) - 1]; /* First few chars of description */
101 u8 desc_len;
102#endif
103 };
104 unsigned long x;
105 };
84 struct key_type *type; 106 struct key_type *type;
107 struct key_tag *domain_tag; /* Domain of operation */
85 const char *description; 108 const char *description;
86 size_t desc_len;
87}; 109};
88 110
89union key_payload { 111union key_payload {
@@ -197,7 +219,10 @@ struct key {
197 union { 219 union {
198 struct keyring_index_key index_key; 220 struct keyring_index_key index_key;
199 struct { 221 struct {
222 unsigned long hash;
223 unsigned long len_desc;
200 struct key_type *type; /* type of key */ 224 struct key_type *type; /* type of key */
225 struct key_tag *domain_tag; /* Domain of operation */
201 char *description; 226 char *description;
202 }; 227 };
203 }; 228 };
@@ -248,6 +273,8 @@ extern struct key *key_alloc(struct key_type *type,
248extern void key_revoke(struct key *key); 273extern void key_revoke(struct key *key);
249extern void key_invalidate(struct key *key); 274extern void key_invalidate(struct key *key);
250extern void key_put(struct key *key); 275extern void key_put(struct key *key);
276extern bool key_put_tag(struct key_tag *tag);
277extern void key_remove_domain(struct key_tag *domain_tag);
251 278
252static inline struct key *__key_get(struct key *key) 279static inline struct key *__key_get(struct key *key)
253{ 280{
@@ -265,19 +292,57 @@ static inline void key_ref_put(key_ref_t key_ref)
265 key_put(key_ref_to_ptr(key_ref)); 292 key_put(key_ref_to_ptr(key_ref));
266} 293}
267 294
268extern struct key *request_key(struct key_type *type, 295extern struct key *request_key_tag(struct key_type *type,
269 const char *description, 296 const char *description,
270 const char *callout_info); 297 struct key_tag *domain_tag,
298 const char *callout_info);
271 299
272extern struct key *request_key_rcu(struct key_type *type, 300extern struct key *request_key_rcu(struct key_type *type,
273 const char *description); 301 const char *description,
302 struct key_tag *domain_tag);
274 303
275extern struct key *request_key_with_auxdata(struct key_type *type, 304extern struct key *request_key_with_auxdata(struct key_type *type,
276 const char *description, 305 const char *description,
306 struct key_tag *domain_tag,
277 const void *callout_info, 307 const void *callout_info,
278 size_t callout_len, 308 size_t callout_len,
279 void *aux); 309 void *aux);
280 310
311/**
312 * request_key - Request a key and wait for construction
313 * @type: Type of key.
314 * @description: The searchable description of the key.
315 * @callout_info: The data to pass to the instantiation upcall (or NULL).
316 *
317 * As for request_key_tag(), but with the default global domain tag.
318 */
319static inline struct key *request_key(struct key_type *type,
320 const char *description,
321 const char *callout_info)
322{
323 return request_key_tag(type, description, NULL, callout_info);
324}
325
326#ifdef CONFIG_NET
327/*
328 * request_key_net - Request a key for a net namespace and wait for construction
329 * @type: Type of key.
330 * @description: The searchable description of the key.
331 * @net: The network namespace that is the key's domain of operation.
332 * @callout_info: The data to pass to the instantiation upcall (or NULL).
333 *
334 * As for request_key() except that it does not add the returned key to a
335 * keyring if found, new keys are always allocated in the user's quota, the
336 * callout_info must be a NUL-terminated string and no auxiliary data can be
337 * passed. Only keys that operate the specified network namespace are used.
338 *
339 * Furthermore, it then works as wait_for_key_construction() to wait for the
340 * completion of keys undergoing construction with a non-interruptible wait.
341 */
342#define request_key_net(type, description, net, callout_info) \
343 request_key_tag(type, description, net->key_domain, callout_info);
344#endif /* CONFIG_NET */
345
281extern int wait_for_key_construction(struct key *key, bool intr); 346extern int wait_for_key_construction(struct key *key, bool intr);
282 347
283extern int key_validate(const struct key *key); 348extern int key_validate(const struct key *key);
@@ -321,7 +386,8 @@ extern int keyring_clear(struct key *keyring);
321 386
322extern key_ref_t keyring_search(key_ref_t keyring, 387extern key_ref_t keyring_search(key_ref_t keyring,
323 struct key_type *type, 388 struct key_type *type,
324 const char *description); 389 const char *description,
390 bool recurse);
325 391
326extern int keyring_add_key(struct key *keyring, 392extern int keyring_add_key(struct key *keyring,
327 struct key *key); 393 struct key *key);
@@ -340,6 +406,7 @@ extern void key_set_timeout(struct key *, unsigned);
340 406
341extern key_ref_t lookup_user_key(key_serial_t id, unsigned long flags, 407extern key_ref_t lookup_user_key(key_serial_t id, unsigned long flags,
342 key_perm_t perm); 408 key_perm_t perm);
409extern void key_free_user_ns(struct user_namespace *);
343 410
344/* 411/*
345 * The permissions required on a key that we're looking up. 412 * The permissions required on a key that we're looking up.
@@ -413,6 +480,8 @@ extern void key_init(void);
413#define key_fsuid_changed(c) do { } while(0) 480#define key_fsuid_changed(c) do { } while(0)
414#define key_fsgid_changed(c) do { } while(0) 481#define key_fsgid_changed(c) do { } while(0)
415#define key_init() do { } while(0) 482#define key_init() do { } while(0)
483#define key_free_user_ns(ns) do { } while(0)
484#define key_remove_domain(d) do { } while(0)
416 485
417#endif /* CONFIG_KEYS */ 486#endif /* CONFIG_KEYS */
418#endif /* __KERNEL__ */ 487#endif /* __KERNEL__ */
diff --git a/include/linux/sched/user.h b/include/linux/sched/user.h
index 468d2565a9fe..917d88edb7b9 100644
--- a/include/linux/sched/user.h
+++ b/include/linux/sched/user.h
@@ -7,8 +7,6 @@
7#include <linux/refcount.h> 7#include <linux/refcount.h>
8#include <linux/ratelimit.h> 8#include <linux/ratelimit.h>
9 9
10struct key;
11
12/* 10/*
13 * Some day this will be a full-fledged user tracking system.. 11 * Some day this will be a full-fledged user tracking system..
14 */ 12 */
@@ -30,18 +28,6 @@ struct user_struct {
30 unsigned long unix_inflight; /* How many files in flight in unix sockets */ 28 unsigned long unix_inflight; /* How many files in flight in unix sockets */
31 atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */ 29 atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */
32 30
33#ifdef CONFIG_KEYS
34 /*
35 * These pointers can only change from NULL to a non-NULL value once.
36 * Writes are protected by key_user_keyring_mutex.
37 * Unlocked readers should use READ_ONCE() unless they know that
38 * install_user_keyrings() has been called successfully (which sets
39 * these members to non-NULL values, preventing further modifications).
40 */
41 struct key *uid_keyring; /* UID specific keyring */
42 struct key *session_keyring; /* UID's default session keyring */
43#endif
44
45 /* Hash table maintenance information */ 31 /* Hash table maintenance information */
46 struct hlist_node uidhash_node; 32 struct hlist_node uidhash_node;
47 kuid_t uid; 33 kuid_t uid;
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index d6b74b91096b..fb9f4f799554 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -64,10 +64,20 @@ struct user_namespace {
64 struct ns_common ns; 64 struct ns_common ns;
65 unsigned long flags; 65 unsigned long flags;
66 66
67#ifdef CONFIG_KEYS
68 /* List of joinable keyrings in this namespace. Modification access of
69 * these pointers is controlled by keyring_sem. Once
70 * user_keyring_register is set, it won't be changed, so it can be
71 * accessed directly with READ_ONCE().
72 */
73 struct list_head keyring_name_list;
74 struct key *user_keyring_register;
75 struct rw_semaphore keyring_sem;
76#endif
77
67 /* Register of per-UID persistent keyrings for this namespace */ 78 /* Register of per-UID persistent keyrings for this namespace */
68#ifdef CONFIG_PERSISTENT_KEYRINGS 79#ifdef CONFIG_PERSISTENT_KEYRINGS
69 struct key *persistent_keyring_register; 80 struct key *persistent_keyring_register;
70 struct rw_semaphore persistent_keyring_register_sem;
71#endif 81#endif
72 struct work_struct work; 82 struct work_struct work;
73#ifdef CONFIG_SYSCTL 83#ifdef CONFIG_SYSCTL
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 12689ddfc24c..a56bf7fc7c2b 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -71,6 +71,9 @@ struct net {
71 */ 71 */
72 struct llist_node cleanup_list; /* namespaces on death row */ 72 struct llist_node cleanup_list; /* namespaces on death row */
73 73
74#ifdef CONFIG_KEYS
75 struct key_tag *key_domain; /* Key domain of operation tag */
76#endif
74 struct user_namespace *user_ns; /* Owning user namespace */ 77 struct user_namespace *user_ns; /* Owning user namespace */
75 struct ucounts *ucounts; 78 struct ucounts *ucounts;
76 spinlock_t nsid_lock; 79 spinlock_t nsid_lock;
diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h
index 551b5814f53e..ed3d5893830d 100644
--- a/include/uapi/linux/keyctl.h
+++ b/include/uapi/linux/keyctl.h
@@ -128,5 +128,7 @@ struct keyctl_pkey_params {
128#define KEYCTL_CAPS0_INVALIDATE 0x20 /* KEYCTL_INVALIDATE supported */ 128#define KEYCTL_CAPS0_INVALIDATE 0x20 /* KEYCTL_INVALIDATE supported */
129#define KEYCTL_CAPS0_RESTRICT_KEYRING 0x40 /* KEYCTL_RESTRICT_KEYRING supported */ 129#define KEYCTL_CAPS0_RESTRICT_KEYRING 0x40 /* KEYCTL_RESTRICT_KEYRING supported */
130#define KEYCTL_CAPS0_MOVE 0x80 /* KEYCTL_MOVE supported */ 130#define KEYCTL_CAPS0_MOVE 0x80 /* KEYCTL_MOVE supported */
131#define KEYCTL_CAPS1_NS_KEYRING_NAME 0x01 /* Keyring names are per-user_namespace */
132#define KEYCTL_CAPS1_NS_KEY_TAG 0x02 /* Key indexing can include a namespace tag */
131 133
132#endif /* _LINUX_KEYCTL_H */ 134#endif /* _LINUX_KEYCTL_H */
diff --git a/kernel/user.c b/kernel/user.c
index 78b17e36e705..5235d7f49982 100644
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -63,9 +63,9 @@ struct user_namespace init_user_ns = {
63 .ns.ops = &userns_operations, 63 .ns.ops = &userns_operations,
64#endif 64#endif
65 .flags = USERNS_INIT_FLAGS, 65 .flags = USERNS_INIT_FLAGS,
66#ifdef CONFIG_PERSISTENT_KEYRINGS 66#ifdef CONFIG_KEYS
67 .persistent_keyring_register_sem = 67 .keyring_name_list = LIST_HEAD_INIT(init_user_ns.keyring_name_list),
68 __RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem), 68 .keyring_sem = __RWSEM_INITIALIZER(init_user_ns.keyring_sem),
69#endif 69#endif
70}; 70};
71EXPORT_SYMBOL_GPL(init_user_ns); 71EXPORT_SYMBOL_GPL(init_user_ns);
@@ -141,8 +141,6 @@ static void free_user(struct user_struct *up, unsigned long flags)
141{ 141{
142 uid_hash_remove(up); 142 uid_hash_remove(up);
143 spin_unlock_irqrestore(&uidhash_lock, flags); 143 spin_unlock_irqrestore(&uidhash_lock, flags);
144 key_put(up->uid_keyring);
145 key_put(up->session_keyring);
146 kmem_cache_free(uid_cachep, up); 144 kmem_cache_free(uid_cachep, up);
147} 145}
148 146
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 0eff45ce7703..8eadadc478f9 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -128,8 +128,9 @@ int create_user_ns(struct cred *new)
128 ns->flags = parent_ns->flags; 128 ns->flags = parent_ns->flags;
129 mutex_unlock(&userns_state_mutex); 129 mutex_unlock(&userns_state_mutex);
130 130
131#ifdef CONFIG_PERSISTENT_KEYRINGS 131#ifdef CONFIG_KEYS
132 init_rwsem(&ns->persistent_keyring_register_sem); 132 INIT_LIST_HEAD(&ns->keyring_name_list);
133 init_rwsem(&ns->keyring_sem);
133#endif 134#endif
134 ret = -ENOMEM; 135 ret = -ENOMEM;
135 if (!setup_userns_sysctls(ns)) 136 if (!setup_userns_sysctls(ns))
@@ -191,9 +192,7 @@ static void free_user_ns(struct work_struct *work)
191 kfree(ns->projid_map.reverse); 192 kfree(ns->projid_map.reverse);
192 } 193 }
193 retire_userns_sysctls(ns); 194 retire_userns_sysctls(ns);
194#ifdef CONFIG_PERSISTENT_KEYRINGS 195 key_free_user_ns(ns);
195 key_put(ns->persistent_keyring_register);
196#endif
197 ns_free_inum(&ns->ns); 196 ns_free_inum(&ns->ns);
198 kmem_cache_free(user_ns_cachep, ns); 197 kmem_cache_free(user_ns_cachep, ns);
199 dec_user_namespaces(ucounts); 198 dec_user_namespaces(ucounts);
diff --git a/lib/digsig.c b/lib/digsig.c
index 3cf89c775ab2..e0627c3e53b2 100644
--- a/lib/digsig.c
+++ b/lib/digsig.c
@@ -218,7 +218,7 @@ int digsig_verify(struct key *keyring, const char *sig, int siglen,
218 /* search in specific keyring */ 218 /* search in specific keyring */
219 key_ref_t kref; 219 key_ref_t kref;
220 kref = keyring_search(make_key_ref(keyring, 1UL), 220 kref = keyring_search(make_key_ref(keyring, 1UL),
221 &key_type_user, name); 221 &key_type_user, name, true);
222 if (IS_ERR(kref)) 222 if (IS_ERR(kref))
223 key = ERR_CAST(kref); 223 key = ERR_CAST(kref);
224 else 224 else
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index cd0b094468b6..a33402c99321 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1887,7 +1887,8 @@ static int ceph_dns_resolve_name(const char *name, size_t namelen,
1887 return -EINVAL; 1887 return -EINVAL;
1888 1888
1889 /* do dns_resolve upcall */ 1889 /* do dns_resolve upcall */
1890 ip_len = dns_query(NULL, name, end - name, NULL, &ip_addr, NULL, false); 1890 ip_len = dns_query(current->nsproxy->net_ns,
1891 NULL, name, end - name, NULL, &ip_addr, NULL, false);
1891 if (ip_len > 0) 1892 if (ip_len > 0)
1892 ret = ceph_pton(ip_addr, ip_len, addr, -1, NULL); 1893 ret = ceph_pton(ip_addr, ip_len, addr, -1, NULL);
1893 else 1894 else
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 15f68842ac6b..f7b6dda798e0 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -39,9 +39,16 @@ EXPORT_SYMBOL_GPL(net_namespace_list);
39DECLARE_RWSEM(net_rwsem); 39DECLARE_RWSEM(net_rwsem);
40EXPORT_SYMBOL_GPL(net_rwsem); 40EXPORT_SYMBOL_GPL(net_rwsem);
41 41
42#ifdef CONFIG_KEYS
43static struct key_tag init_net_key_domain = { .usage = REFCOUNT_INIT(1) };
44#endif
45
42struct net init_net = { 46struct net init_net = {
43 .count = REFCOUNT_INIT(1), 47 .count = REFCOUNT_INIT(1),
44 .dev_base_head = LIST_HEAD_INIT(init_net.dev_base_head), 48 .dev_base_head = LIST_HEAD_INIT(init_net.dev_base_head),
49#ifdef CONFIG_KEYS
50 .key_domain = &init_net_key_domain,
51#endif
45}; 52};
46EXPORT_SYMBOL(init_net); 53EXPORT_SYMBOL(init_net);
47 54
@@ -387,10 +394,22 @@ static struct net *net_alloc(void)
387 if (!net) 394 if (!net)
388 goto out_free; 395 goto out_free;
389 396
397#ifdef CONFIG_KEYS
398 net->key_domain = kzalloc(sizeof(struct key_tag), GFP_KERNEL);
399 if (!net->key_domain)
400 goto out_free_2;
401 refcount_set(&net->key_domain->usage, 1);
402#endif
403
390 rcu_assign_pointer(net->gen, ng); 404 rcu_assign_pointer(net->gen, ng);
391out: 405out:
392 return net; 406 return net;
393 407
408#ifdef CONFIG_KEYS
409out_free_2:
410 kmem_cache_free(net_cachep, net);
411 net = NULL;
412#endif
394out_free: 413out_free:
395 kfree(ng); 414 kfree(ng);
396 goto out; 415 goto out;
@@ -567,6 +586,7 @@ static void cleanup_net(struct work_struct *work)
567 list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) { 586 list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) {
568 list_del_init(&net->exit_list); 587 list_del_init(&net->exit_list);
569 dec_net_namespaces(net->ucounts); 588 dec_net_namespaces(net->ucounts);
589 key_remove_domain(net->key_domain);
570 put_user_ns(net->user_ns); 590 put_user_ns(net->user_ns);
571 net_drop_ns(net); 591 net_drop_ns(net);
572 } 592 }
diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
index a65d553e730d..3e1a90669006 100644
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -314,6 +314,7 @@ static long dns_resolver_read(const struct key *key,
314 314
315struct key_type key_type_dns_resolver = { 315struct key_type key_type_dns_resolver = {
316 .name = "dns_resolver", 316 .name = "dns_resolver",
317 .flags = KEY_TYPE_NET_DOMAIN,
317 .preparse = dns_resolver_preparse, 318 .preparse = dns_resolver_preparse,
318 .free_preparse = dns_resolver_free_preparse, 319 .free_preparse = dns_resolver_free_preparse,
319 .instantiate = generic_key_instantiate, 320 .instantiate = generic_key_instantiate,
diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
index 2d260432b3be..cab4e0df924f 100644
--- a/net/dns_resolver/dns_query.c
+++ b/net/dns_resolver/dns_query.c
@@ -40,6 +40,7 @@
40#include <linux/cred.h> 40#include <linux/cred.h>
41#include <linux/dns_resolver.h> 41#include <linux/dns_resolver.h>
42#include <linux/err.h> 42#include <linux/err.h>
43#include <net/net_namespace.h>
43 44
44#include <keys/dns_resolver-type.h> 45#include <keys/dns_resolver-type.h>
45#include <keys/user-type.h> 46#include <keys/user-type.h>
@@ -48,6 +49,7 @@
48 49
49/** 50/**
50 * dns_query - Query the DNS 51 * dns_query - Query the DNS
52 * @net: The network namespace to operate in.
51 * @type: Query type (or NULL for straight host->IP lookup) 53 * @type: Query type (or NULL for straight host->IP lookup)
52 * @name: Name to look up 54 * @name: Name to look up
53 * @namelen: Length of name 55 * @namelen: Length of name
@@ -69,7 +71,8 @@
69 * 71 *
70 * Returns the size of the result on success, -ve error code otherwise. 72 * Returns the size of the result on success, -ve error code otherwise.
71 */ 73 */
72int dns_query(const char *type, const char *name, size_t namelen, 74int dns_query(struct net *net,
75 const char *type, const char *name, size_t namelen,
73 const char *options, char **_result, time64_t *_expiry, 76 const char *options, char **_result, time64_t *_expiry,
74 bool invalidate) 77 bool invalidate)
75{ 78{
@@ -122,7 +125,7 @@ int dns_query(const char *type, const char *name, size_t namelen,
122 * add_key() to preinstall malicious redirections 125 * add_key() to preinstall malicious redirections
123 */ 126 */
124 saved_cred = override_creds(dns_resolver_cache); 127 saved_cred = override_creds(dns_resolver_cache);
125 rkey = request_key(&key_type_dns_resolver, desc, options); 128 rkey = request_key_net(&key_type_dns_resolver, desc, net, options);
126 revert_creds(saved_cred); 129 revert_creds(saved_cred);
127 kfree(desc); 130 kfree(desc);
128 if (IS_ERR(rkey)) { 131 if (IS_ERR(rkey)) {
diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
index 83e3357a65a6..6c3f35fac42d 100644
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -39,6 +39,7 @@ static long rxrpc_read(const struct key *, char __user *, size_t);
39 */ 39 */
40struct key_type key_type_rxrpc = { 40struct key_type key_type_rxrpc = {
41 .name = "rxrpc", 41 .name = "rxrpc",
42 .flags = KEY_TYPE_NET_DOMAIN,
42 .preparse = rxrpc_preparse, 43 .preparse = rxrpc_preparse,
43 .free_preparse = rxrpc_free_preparse, 44 .free_preparse = rxrpc_free_preparse,
44 .instantiate = generic_key_instantiate, 45 .instantiate = generic_key_instantiate,
@@ -54,6 +55,7 @@ EXPORT_SYMBOL(key_type_rxrpc);
54 */ 55 */
55struct key_type key_type_rxrpc_s = { 56struct key_type key_type_rxrpc_s = {
56 .name = "rxrpc_s", 57 .name = "rxrpc_s",
58 .flags = KEY_TYPE_NET_DOMAIN,
57 .vet_description = rxrpc_vet_description_s, 59 .vet_description = rxrpc_vet_description_s,
58 .preparse = rxrpc_preparse_s, 60 .preparse = rxrpc_preparse_s,
59 .free_preparse = rxrpc_free_preparse_s, 61 .free_preparse = rxrpc_free_preparse_s,
@@ -908,7 +910,7 @@ int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen)
908 if (IS_ERR(description)) 910 if (IS_ERR(description))
909 return PTR_ERR(description); 911 return PTR_ERR(description);
910 912
911 key = request_key(&key_type_rxrpc, description, NULL); 913 key = request_key_net(&key_type_rxrpc, description, sock_net(&rx->sk), NULL);
912 if (IS_ERR(key)) { 914 if (IS_ERR(key)) {
913 kfree(description); 915 kfree(description);
914 _leave(" = %ld", PTR_ERR(key)); 916 _leave(" = %ld", PTR_ERR(key));
@@ -939,7 +941,7 @@ int rxrpc_server_keyring(struct rxrpc_sock *rx, char __user *optval,
939 if (IS_ERR(description)) 941 if (IS_ERR(description))
940 return PTR_ERR(description); 942 return PTR_ERR(description);
941 943
942 key = request_key(&key_type_keyring, description, NULL); 944 key = request_key_net(&key_type_keyring, description, sock_net(&rx->sk), NULL);
943 if (IS_ERR(key)) { 945 if (IS_ERR(key)) {
944 kfree(description); 946 kfree(description);
945 _leave(" = %ld", PTR_ERR(key)); 947 _leave(" = %ld", PTR_ERR(key));
diff --git a/net/rxrpc/security.c b/net/rxrpc/security.c
index 2e78f0cc7ef1..a4c47d2b7054 100644
--- a/net/rxrpc/security.c
+++ b/net/rxrpc/security.c
@@ -144,7 +144,7 @@ found_service:
144 144
145 /* look through the service's keyring */ 145 /* look through the service's keyring */
146 kref = keyring_search(make_key_ref(rx->securities, 1UL), 146 kref = keyring_search(make_key_ref(rx->securities, 1UL),
147 &key_type_rxrpc_s, kdesc); 147 &key_type_rxrpc_s, kdesc, true);
148 if (IS_ERR(kref)) { 148 if (IS_ERR(kref)) {
149 read_unlock(&local->services_lock); 149 read_unlock(&local->services_lock);
150 _leave(" = %ld [search]", PTR_ERR(kref)); 150 _leave(" = %ld [search]", PTR_ERR(kref));
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index ad4b323ecea1..55aec161d0e1 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -35,7 +35,7 @@ static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid)
35 key_ref_t kref; 35 key_ref_t kref;
36 36
37 kref = keyring_search(make_key_ref(key, 1), 37 kref = keyring_search(make_key_ref(key, 1),
38 &key_type_asymmetric, name); 38 &key_type_asymmetric, name, true);
39 if (!IS_ERR(kref)) { 39 if (!IS_ERR(kref)) {
40 pr_err("Key '%s' is in ima_blacklist_keyring\n", name); 40 pr_err("Key '%s' is in ima_blacklist_keyring\n", name);
41 return ERR_PTR(-EKEYREJECTED); 41 return ERR_PTR(-EKEYREJECTED);
@@ -47,7 +47,7 @@ static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid)
47 key_ref_t kref; 47 key_ref_t kref;
48 48
49 kref = keyring_search(make_key_ref(keyring, 1), 49 kref = keyring_search(make_key_ref(keyring, 1),
50 &key_type_asymmetric, name); 50 &key_type_asymmetric, name, true);
51 if (IS_ERR(kref)) 51 if (IS_ERR(kref))
52 key = ERR_CAST(kref); 52 key = ERR_CAST(kref);
53 else 53 else
diff --git a/security/keys/gc.c b/security/keys/gc.c
index 44e58a3e5663..671dd730ecfc 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -150,7 +150,7 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
150 atomic_dec(&key->user->nikeys); 150 atomic_dec(&key->user->nikeys);
151 151
152 key_user_put(key->user); 152 key_user_put(key->user);
153 153 key_put_tag(key->domain_tag);
154 kfree(key->description); 154 kfree(key->description);
155 155
156 memzero_explicit(key, sizeof(*key)); 156 memzero_explicit(key, sizeof(*key));
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 663f291e30d4..c039373488bd 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -85,7 +85,7 @@ extern spinlock_t key_serial_lock;
85extern struct mutex key_construction_mutex; 85extern struct mutex key_construction_mutex;
86extern wait_queue_head_t request_key_conswq; 86extern wait_queue_head_t request_key_conswq;
87 87
88 88extern void key_set_index_key(struct keyring_index_key *index_key);
89extern struct key_type *key_type_lookup(const char *type); 89extern struct key_type *key_type_lookup(const char *type);
90extern void key_type_put(struct key_type *ktype); 90extern void key_type_put(struct key_type *ktype);
91 91
@@ -123,6 +123,7 @@ struct keyring_search_context {
123#define KEYRING_SEARCH_NO_CHECK_PERM 0x0008 /* Don't check permissions */ 123#define KEYRING_SEARCH_NO_CHECK_PERM 0x0008 /* Don't check permissions */
124#define KEYRING_SEARCH_DETECT_TOO_DEEP 0x0010 /* Give an error on excessive depth */ 124#define KEYRING_SEARCH_DETECT_TOO_DEEP 0x0010 /* Give an error on excessive depth */
125#define KEYRING_SEARCH_SKIP_EXPIRED 0x0020 /* Ignore expired keys (intention to replace) */ 125#define KEYRING_SEARCH_SKIP_EXPIRED 0x0020 /* Ignore expired keys (intention to replace) */
126#define KEYRING_SEARCH_RECURSE 0x0040 /* Search child keyrings also */
126 127
127 int (*iterator)(const void *object, void *iterator_data); 128 int (*iterator)(const void *object, void *iterator_data);
128 129
@@ -143,13 +144,15 @@ extern key_ref_t search_process_keyrings_rcu(struct keyring_search_context *ctx)
143 144
144extern struct key *find_keyring_by_name(const char *name, bool uid_keyring); 145extern struct key *find_keyring_by_name(const char *name, bool uid_keyring);
145 146
146extern int install_user_keyrings(void); 147extern int look_up_user_keyrings(struct key **, struct key **);
148extern struct key *get_user_session_keyring_rcu(const struct cred *);
147extern int install_thread_keyring_to_cred(struct cred *); 149extern int install_thread_keyring_to_cred(struct cred *);
148extern int install_process_keyring_to_cred(struct cred *); 150extern int install_process_keyring_to_cred(struct cred *);
149extern int install_session_keyring_to_cred(struct cred *, struct key *); 151extern int install_session_keyring_to_cred(struct cred *, struct key *);
150 152
151extern struct key *request_key_and_link(struct key_type *type, 153extern struct key *request_key_and_link(struct key_type *type,
152 const char *description, 154 const char *description,
155 struct key_tag *domain_tag,
153 const void *callout_info, 156 const void *callout_info,
154 size_t callout_len, 157 size_t callout_len,
155 void *aux, 158 void *aux,
@@ -203,7 +206,8 @@ static inline bool key_is_dead(const struct key *key, time64_t limit)
203 return 206 return
204 key->flags & ((1 << KEY_FLAG_DEAD) | 207 key->flags & ((1 << KEY_FLAG_DEAD) |
205 (1 << KEY_FLAG_INVALIDATED)) || 208 (1 << KEY_FLAG_INVALIDATED)) ||
206 (key->expiry > 0 && key->expiry <= limit); 209 (key->expiry > 0 && key->expiry <= limit) ||
210 key->domain_tag->removed;
207} 211}
208 212
209/* 213/*
diff --git a/security/keys/key.c b/security/keys/key.c
index 85dddc0190a7..764f4c57913e 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -281,11 +281,12 @@ struct key *key_alloc(struct key_type *type, const char *desc,
281 key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL); 281 key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL);
282 if (!key->index_key.description) 282 if (!key->index_key.description)
283 goto no_memory_3; 283 goto no_memory_3;
284 key->index_key.type = type;
285 key_set_index_key(&key->index_key);
284 286
285 refcount_set(&key->usage, 1); 287 refcount_set(&key->usage, 1);
286 init_rwsem(&key->sem); 288 init_rwsem(&key->sem);
287 lockdep_set_class(&key->sem, &type->lock_class); 289 lockdep_set_class(&key->sem, &type->lock_class);
288 key->index_key.type = type;
289 key->user = user; 290 key->user = user;
290 key->quotalen = quotalen; 291 key->quotalen = quotalen;
291 key->datalen = type->def_datalen; 292 key->datalen = type->def_datalen;
@@ -312,6 +313,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
312 goto security_error; 313 goto security_error;
313 314
314 /* publish the key by giving it a serial number */ 315 /* publish the key by giving it a serial number */
316 refcount_inc(&key->domain_tag->usage);
315 atomic_inc(&user->nkeys); 317 atomic_inc(&user->nkeys);
316 key_alloc_serial(key); 318 key_alloc_serial(key);
317 319
@@ -864,6 +866,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
864 goto error_free_prep; 866 goto error_free_prep;
865 } 867 }
866 index_key.desc_len = strlen(index_key.description); 868 index_key.desc_len = strlen(index_key.description);
869 key_set_index_key(&index_key);
867 870
868 ret = __key_link_lock(keyring, &index_key); 871 ret = __key_link_lock(keyring, &index_key);
869 if (ret < 0) { 872 if (ret < 0) {
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 741e4ba382df..9b898c969558 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -26,7 +26,7 @@
26 26
27#define KEY_MAX_DESC_SIZE 4096 27#define KEY_MAX_DESC_SIZE 4096
28 28
29static const unsigned char keyrings_capabilities[1] = { 29static const unsigned char keyrings_capabilities[2] = {
30 [0] = (KEYCTL_CAPS0_CAPABILITIES | 30 [0] = (KEYCTL_CAPS0_CAPABILITIES |
31 (IS_ENABLED(CONFIG_PERSISTENT_KEYRINGS) ? KEYCTL_CAPS0_PERSISTENT_KEYRINGS : 0) | 31 (IS_ENABLED(CONFIG_PERSISTENT_KEYRINGS) ? KEYCTL_CAPS0_PERSISTENT_KEYRINGS : 0) |
32 (IS_ENABLED(CONFIG_KEY_DH_OPERATIONS) ? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) | 32 (IS_ENABLED(CONFIG_KEY_DH_OPERATIONS) ? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) |
@@ -36,6 +36,8 @@ static const unsigned char keyrings_capabilities[1] = {
36 KEYCTL_CAPS0_RESTRICT_KEYRING | 36 KEYCTL_CAPS0_RESTRICT_KEYRING |
37 KEYCTL_CAPS0_MOVE 37 KEYCTL_CAPS0_MOVE
38 ), 38 ),
39 [1] = (KEYCTL_CAPS1_NS_KEYRING_NAME |
40 KEYCTL_CAPS1_NS_KEY_TAG),
39}; 41};
40 42
41static int key_get_type_from_user(char *type, 43static int key_get_type_from_user(char *type,
@@ -218,7 +220,7 @@ SYSCALL_DEFINE4(request_key, const char __user *, _type,
218 } 220 }
219 221
220 /* do the search */ 222 /* do the search */
221 key = request_key_and_link(ktype, description, callout_info, 223 key = request_key_and_link(ktype, description, NULL, callout_info,
222 callout_len, NULL, key_ref_to_ptr(dest_ref), 224 callout_len, NULL, key_ref_to_ptr(dest_ref),
223 KEY_ALLOC_IN_QUOTA); 225 KEY_ALLOC_IN_QUOTA);
224 if (IS_ERR(key)) { 226 if (IS_ERR(key)) {
@@ -758,7 +760,7 @@ long keyctl_keyring_search(key_serial_t ringid,
758 } 760 }
759 761
760 /* do the search */ 762 /* do the search */
761 key_ref = keyring_search(keyring_ref, ktype, description); 763 key_ref = keyring_search(keyring_ref, ktype, description, true);
762 if (IS_ERR(key_ref)) { 764 if (IS_ERR(key_ref)) {
763 ret = PTR_ERR(key_ref); 765 ret = PTR_ERR(key_ref);
764 766
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index e4de4070c754..febf36c6ddc5 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -12,10 +12,13 @@
12#include <linux/security.h> 12#include <linux/security.h>
13#include <linux/seq_file.h> 13#include <linux/seq_file.h>
14#include <linux/err.h> 14#include <linux/err.h>
15#include <linux/user_namespace.h>
16#include <linux/nsproxy.h>
15#include <keys/keyring-type.h> 17#include <keys/keyring-type.h>
16#include <keys/user-type.h> 18#include <keys/user-type.h>
17#include <linux/assoc_array_priv.h> 19#include <linux/assoc_array_priv.h>
18#include <linux/uaccess.h> 20#include <linux/uaccess.h>
21#include <net/net_namespace.h>
19#include "internal.h" 22#include "internal.h"
20 23
21/* 24/*
@@ -25,11 +28,6 @@
25#define KEYRING_SEARCH_MAX_DEPTH 6 28#define KEYRING_SEARCH_MAX_DEPTH 6
26 29
27/* 30/*
28 * We keep all named keyrings in a hash to speed looking them up.
29 */
30#define KEYRING_NAME_HASH_SIZE (1 << 5)
31
32/*
33 * We mark pointers we pass to the associative array with bit 1 set if 31 * We mark pointers we pass to the associative array with bit 1 set if
34 * they're keyrings and clear otherwise. 32 * they're keyrings and clear otherwise.
35 */ 33 */
@@ -51,17 +49,21 @@ static inline void *keyring_key_to_ptr(struct key *key)
51 return key; 49 return key;
52} 50}
53 51
54static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE];
55static DEFINE_RWLOCK(keyring_name_lock); 52static DEFINE_RWLOCK(keyring_name_lock);
56 53
57static inline unsigned keyring_hash(const char *desc) 54/*
55 * Clean up the bits of user_namespace that belong to us.
56 */
57void key_free_user_ns(struct user_namespace *ns)
58{ 58{
59 unsigned bucket = 0; 59 write_lock(&keyring_name_lock);
60 60 list_del_init(&ns->keyring_name_list);
61 for (; *desc; desc++) 61 write_unlock(&keyring_name_lock);
62 bucket += (unsigned char)*desc; 62
63 63 key_put(ns->user_keyring_register);
64 return bucket & (KEYRING_NAME_HASH_SIZE - 1); 64#ifdef CONFIG_PERSISTENT_KEYRINGS
65 key_put(ns->persistent_keyring_register);
66#endif
65} 67}
66 68
67/* 69/*
@@ -100,23 +102,17 @@ static DEFINE_MUTEX(keyring_serialise_link_lock);
100 102
101/* 103/*
102 * Publish the name of a keyring so that it can be found by name (if it has 104 * Publish the name of a keyring so that it can be found by name (if it has
103 * one). 105 * one and it doesn't begin with a dot).
104 */ 106 */
105static void keyring_publish_name(struct key *keyring) 107static void keyring_publish_name(struct key *keyring)
106{ 108{
107 int bucket; 109 struct user_namespace *ns = current_user_ns();
108
109 if (keyring->description) {
110 bucket = keyring_hash(keyring->description);
111 110
111 if (keyring->description &&
112 keyring->description[0] &&
113 keyring->description[0] != '.') {
112 write_lock(&keyring_name_lock); 114 write_lock(&keyring_name_lock);
113 115 list_add_tail(&keyring->name_link, &ns->keyring_name_list);
114 if (!keyring_name_hash[bucket].next)
115 INIT_LIST_HEAD(&keyring_name_hash[bucket]);
116
117 list_add_tail(&keyring->name_link,
118 &keyring_name_hash[bucket]);
119
120 write_unlock(&keyring_name_lock); 116 write_unlock(&keyring_name_lock);
121 } 117 }
122} 118}
@@ -164,7 +160,7 @@ static u64 mult_64x32_and_fold(u64 x, u32 y)
164/* 160/*
165 * Hash a key type and description. 161 * Hash a key type and description.
166 */ 162 */
167static unsigned long hash_key_type_and_desc(const struct keyring_index_key *index_key) 163static void hash_key_type_and_desc(struct keyring_index_key *index_key)
168{ 164{
169 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP; 165 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP;
170 const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK; 166 const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK;
@@ -175,9 +171,12 @@ static unsigned long hash_key_type_and_desc(const struct keyring_index_key *inde
175 int n, desc_len = index_key->desc_len; 171 int n, desc_len = index_key->desc_len;
176 172
177 type = (unsigned long)index_key->type; 173 type = (unsigned long)index_key->type;
178
179 acc = mult_64x32_and_fold(type, desc_len + 13); 174 acc = mult_64x32_and_fold(type, desc_len + 13);
180 acc = mult_64x32_and_fold(acc, 9207); 175 acc = mult_64x32_and_fold(acc, 9207);
176 piece = (unsigned long)index_key->domain_tag;
177 acc = mult_64x32_and_fold(acc, piece);
178 acc = mult_64x32_and_fold(acc, 9207);
179
181 for (;;) { 180 for (;;) {
182 n = desc_len; 181 n = desc_len;
183 if (n <= 0) 182 if (n <= 0)
@@ -202,24 +201,67 @@ static unsigned long hash_key_type_and_desc(const struct keyring_index_key *inde
202 * zero for keyrings and non-zero otherwise. 201 * zero for keyrings and non-zero otherwise.
203 */ 202 */
204 if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0) 203 if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0)
205 return hash | (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1; 204 hash |= (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1;
206 if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0) 205 else if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0)
207 return (hash + (hash << level_shift)) & ~fan_mask; 206 hash = (hash + (hash << level_shift)) & ~fan_mask;
208 return hash; 207 index_key->hash = hash;
209} 208}
210 209
211/* 210/*
212 * Build the next index key chunk. 211 * Finalise an index key to include a part of the description actually in the
213 * 212 * index key, to set the domain tag and to calculate the hash.
214 * On 32-bit systems the index key is laid out as: 213 */
215 * 214void key_set_index_key(struct keyring_index_key *index_key)
216 * 0 4 5 9... 215{
217 * hash desclen typeptr desc[] 216 static struct key_tag default_domain_tag = { .usage = REFCOUNT_INIT(1), };
217 size_t n = min_t(size_t, index_key->desc_len, sizeof(index_key->desc));
218
219 memcpy(index_key->desc, index_key->description, n);
220
221 if (!index_key->domain_tag) {
222 if (index_key->type->flags & KEY_TYPE_NET_DOMAIN)
223 index_key->domain_tag = current->nsproxy->net_ns->key_domain;
224 else
225 index_key->domain_tag = &default_domain_tag;
226 }
227
228 hash_key_type_and_desc(index_key);
229}
230
231/**
232 * key_put_tag - Release a ref on a tag.
233 * @tag: The tag to release.
218 * 234 *
219 * On 64-bit systems: 235 * This releases a reference the given tag and returns true if that ref was the
236 * last one.
237 */
238bool key_put_tag(struct key_tag *tag)
239{
240 if (refcount_dec_and_test(&tag->usage)) {
241 kfree_rcu(tag, rcu);
242 return true;
243 }
244
245 return false;
246}
247
248/**
249 * key_remove_domain - Kill off a key domain and gc its keys
250 * @domain_tag: The domain tag to release.
220 * 251 *
221 * 0 8 9 17... 252 * This marks a domain tag as being dead and releases a ref on it. If that
222 * hash desclen typeptr desc[] 253 * wasn't the last reference, the garbage collector is poked to try and delete
254 * all keys that were in the domain.
255 */
256void key_remove_domain(struct key_tag *domain_tag)
257{
258 domain_tag->removed = true;
259 if (!key_put_tag(domain_tag))
260 key_schedule_gc_links();
261}
262
263/*
264 * Build the next index key chunk.
223 * 265 *
224 * We return it one word-sized chunk at a time. 266 * We return it one word-sized chunk at a time.
225 */ 267 */
@@ -227,41 +269,33 @@ static unsigned long keyring_get_key_chunk(const void *data, int level)
227{ 269{
228 const struct keyring_index_key *index_key = data; 270 const struct keyring_index_key *index_key = data;
229 unsigned long chunk = 0; 271 unsigned long chunk = 0;
230 long offset = 0; 272 const u8 *d;
231 int desc_len = index_key->desc_len, n = sizeof(chunk); 273 int desc_len = index_key->desc_len, n = sizeof(chunk);
232 274
233 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE; 275 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE;
234 switch (level) { 276 switch (level) {
235 case 0: 277 case 0:
236 return hash_key_type_and_desc(index_key); 278 return index_key->hash;
237 case 1: 279 case 1:
238 return ((unsigned long)index_key->type << 8) | desc_len; 280 return index_key->x;
239 case 2: 281 case 2:
240 if (desc_len == 0) 282 return (unsigned long)index_key->type;
241 return (u8)((unsigned long)index_key->type >> 283 case 3:
242 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8)); 284 return (unsigned long)index_key->domain_tag;
243 n--;
244 offset = 1;
245 /* fall through */
246 default: 285 default:
247 offset += sizeof(chunk) - 1; 286 level -= 4;
248 offset += (level - 3) * sizeof(chunk); 287 if (desc_len <= sizeof(index_key->desc))
249 if (offset >= desc_len)
250 return 0; 288 return 0;
251 desc_len -= offset; 289
290 d = index_key->description + sizeof(index_key->desc);
291 d += level * sizeof(long);
292 desc_len -= sizeof(index_key->desc);
252 if (desc_len > n) 293 if (desc_len > n)
253 desc_len = n; 294 desc_len = n;
254 offset += desc_len;
255 do { 295 do {
256 chunk <<= 8; 296 chunk <<= 8;
257 chunk |= ((u8*)index_key->description)[--offset]; 297 chunk |= *d++;
258 } while (--desc_len > 0); 298 } while (--desc_len > 0);
259
260 if (level == 2) {
261 chunk <<= 8;
262 chunk |= (u8)((unsigned long)index_key->type >>
263 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8));
264 }
265 return chunk; 299 return chunk;
266 } 300 }
267} 301}
@@ -278,6 +312,7 @@ static bool keyring_compare_object(const void *object, const void *data)
278 const struct key *key = keyring_ptr_to_key(object); 312 const struct key *key = keyring_ptr_to_key(object);
279 313
280 return key->index_key.type == index_key->type && 314 return key->index_key.type == index_key->type &&
315 key->index_key.domain_tag == index_key->domain_tag &&
281 key->index_key.desc_len == index_key->desc_len && 316 key->index_key.desc_len == index_key->desc_len &&
282 memcmp(key->index_key.description, index_key->description, 317 memcmp(key->index_key.description, index_key->description,
283 index_key->desc_len) == 0; 318 index_key->desc_len) == 0;
@@ -296,43 +331,38 @@ static int keyring_diff_objects(const void *object, const void *data)
296 int level, i; 331 int level, i;
297 332
298 level = 0; 333 level = 0;
299 seg_a = hash_key_type_and_desc(a); 334 seg_a = a->hash;
300 seg_b = hash_key_type_and_desc(b); 335 seg_b = b->hash;
301 if ((seg_a ^ seg_b) != 0) 336 if ((seg_a ^ seg_b) != 0)
302 goto differ; 337 goto differ;
338 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8;
303 339
304 /* The number of bits contributed by the hash is controlled by a 340 /* The number of bits contributed by the hash is controlled by a
305 * constant in the assoc_array headers. Everything else thereafter we 341 * constant in the assoc_array headers. Everything else thereafter we
306 * can deal with as being machine word-size dependent. 342 * can deal with as being machine word-size dependent.
307 */ 343 */
308 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8; 344 seg_a = a->x;
309 seg_a = a->desc_len; 345 seg_b = b->x;
310 seg_b = b->desc_len;
311 if ((seg_a ^ seg_b) != 0) 346 if ((seg_a ^ seg_b) != 0)
312 goto differ; 347 goto differ;
348 level += sizeof(unsigned long);
313 349
314 /* The next bit may not work on big endian */ 350 /* The next bit may not work on big endian */
315 level++;
316 seg_a = (unsigned long)a->type; 351 seg_a = (unsigned long)a->type;
317 seg_b = (unsigned long)b->type; 352 seg_b = (unsigned long)b->type;
318 if ((seg_a ^ seg_b) != 0) 353 if ((seg_a ^ seg_b) != 0)
319 goto differ; 354 goto differ;
355 level += sizeof(unsigned long);
320 356
357 seg_a = (unsigned long)a->domain_tag;
358 seg_b = (unsigned long)b->domain_tag;
359 if ((seg_a ^ seg_b) != 0)
360 goto differ;
321 level += sizeof(unsigned long); 361 level += sizeof(unsigned long);
322 if (a->desc_len == 0)
323 goto same;
324 362
325 i = 0; 363 i = sizeof(a->desc);
326 if (((unsigned long)a->description | (unsigned long)b->description) & 364 if (a->desc_len <= i)
327 (sizeof(unsigned long) - 1)) { 365 goto same;
328 do {
329 seg_a = *(unsigned long *)(a->description + i);
330 seg_b = *(unsigned long *)(b->description + i);
331 if ((seg_a ^ seg_b) != 0)
332 goto differ_plus_i;
333 i += sizeof(unsigned long);
334 } while (i < (a->desc_len & (sizeof(unsigned long) - 1)));
335 }
336 366
337 for (; i < a->desc_len; i++) { 367 for (; i < a->desc_len; i++) {
338 seg_a = *(unsigned char *)(a->description + i); 368 seg_a = *(unsigned char *)(a->description + i);
@@ -658,6 +688,9 @@ static bool search_nested_keyrings(struct key *keyring,
658 BUG_ON((ctx->flags & STATE_CHECKS) == 0 || 688 BUG_ON((ctx->flags & STATE_CHECKS) == 0 ||
659 (ctx->flags & STATE_CHECKS) == STATE_CHECKS); 689 (ctx->flags & STATE_CHECKS) == STATE_CHECKS);
660 690
691 if (ctx->index_key.description)
692 key_set_index_key(&ctx->index_key);
693
661 /* Check to see if this top-level keyring is what we are looking for 694 /* Check to see if this top-level keyring is what we are looking for
662 * and whether it is valid or not. 695 * and whether it is valid or not.
663 */ 696 */
@@ -697,6 +730,9 @@ descend_to_keyring:
697 * Non-keyrings avoid the leftmost branch of the root entirely (root 730 * Non-keyrings avoid the leftmost branch of the root entirely (root
698 * slots 1-15). 731 * slots 1-15).
699 */ 732 */
733 if (!(ctx->flags & KEYRING_SEARCH_RECURSE))
734 goto not_this_keyring;
735
700 ptr = READ_ONCE(keyring->keys.root); 736 ptr = READ_ONCE(keyring->keys.root);
701 if (!ptr) 737 if (!ptr)
702 goto not_this_keyring; 738 goto not_this_keyring;
@@ -897,13 +933,15 @@ key_ref_t keyring_search_rcu(key_ref_t keyring_ref,
897 * @keyring: The root of the keyring tree to be searched. 933 * @keyring: The root of the keyring tree to be searched.
898 * @type: The type of keyring we want to find. 934 * @type: The type of keyring we want to find.
899 * @description: The name of the keyring we want to find. 935 * @description: The name of the keyring we want to find.
936 * @recurse: True to search the children of @keyring also
900 * 937 *
901 * As keyring_search_rcu() above, but using the current task's credentials and 938 * As keyring_search_rcu() above, but using the current task's credentials and
902 * type's default matching function and preferred search method. 939 * type's default matching function and preferred search method.
903 */ 940 */
904key_ref_t keyring_search(key_ref_t keyring, 941key_ref_t keyring_search(key_ref_t keyring,
905 struct key_type *type, 942 struct key_type *type,
906 const char *description) 943 const char *description,
944 bool recurse)
907{ 945{
908 struct keyring_search_context ctx = { 946 struct keyring_search_context ctx = {
909 .index_key.type = type, 947 .index_key.type = type,
@@ -918,6 +956,8 @@ key_ref_t keyring_search(key_ref_t keyring,
918 key_ref_t key; 956 key_ref_t key;
919 int ret; 957 int ret;
920 958
959 if (recurse)
960 ctx.flags |= KEYRING_SEARCH_RECURSE;
921 if (type->match_preparse) { 961 if (type->match_preparse) {
922 ret = type->match_preparse(&ctx.match_data); 962 ret = type->match_preparse(&ctx.match_data);
923 if (ret < 0) 963 if (ret < 0)
@@ -1102,50 +1142,44 @@ found:
1102 */ 1142 */
1103struct key *find_keyring_by_name(const char *name, bool uid_keyring) 1143struct key *find_keyring_by_name(const char *name, bool uid_keyring)
1104{ 1144{
1145 struct user_namespace *ns = current_user_ns();
1105 struct key *keyring; 1146 struct key *keyring;
1106 int bucket;
1107 1147
1108 if (!name) 1148 if (!name)
1109 return ERR_PTR(-EINVAL); 1149 return ERR_PTR(-EINVAL);
1110 1150
1111 bucket = keyring_hash(name);
1112
1113 read_lock(&keyring_name_lock); 1151 read_lock(&keyring_name_lock);
1114 1152
1115 if (keyring_name_hash[bucket].next) { 1153 /* Search this hash bucket for a keyring with a matching name that
1116 /* search this hash bucket for a keyring with a matching name 1154 * grants Search permission and that hasn't been revoked
1117 * that's readable and that hasn't been revoked */ 1155 */
1118 list_for_each_entry(keyring, 1156 list_for_each_entry(keyring, &ns->keyring_name_list, name_link) {
1119 &keyring_name_hash[bucket], 1157 if (!kuid_has_mapping(ns, keyring->user->uid))
1120 name_link 1158 continue;
1121 ) {
1122 if (!kuid_has_mapping(current_user_ns(), keyring->user->uid))
1123 continue;
1124
1125 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
1126 continue;
1127 1159
1128 if (strcmp(keyring->description, name) != 0) 1160 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
1129 continue; 1161 continue;
1130 1162
1131 if (uid_keyring) { 1163 if (strcmp(keyring->description, name) != 0)
1132 if (!test_bit(KEY_FLAG_UID_KEYRING, 1164 continue;
1133 &keyring->flags))
1134 continue;
1135 } else {
1136 if (key_permission(make_key_ref(keyring, 0),
1137 KEY_NEED_SEARCH) < 0)
1138 continue;
1139 }
1140 1165
1141 /* we've got a match but we might end up racing with 1166 if (uid_keyring) {
1142 * key_cleanup() if the keyring is currently 'dead' 1167 if (!test_bit(KEY_FLAG_UID_KEYRING,
1143 * (ie. it has a zero usage count) */ 1168 &keyring->flags))
1144 if (!refcount_inc_not_zero(&keyring->usage)) 1169 continue;
1170 } else {
1171 if (key_permission(make_key_ref(keyring, 0),
1172 KEY_NEED_SEARCH) < 0)
1145 continue; 1173 continue;
1146 keyring->last_used_at = ktime_get_real_seconds();
1147 goto out;
1148 } 1174 }
1175
1176 /* we've got a match but we might end up racing with
1177 * key_cleanup() if the keyring is currently 'dead'
1178 * (ie. it has a zero usage count) */
1179 if (!refcount_inc_not_zero(&keyring->usage))
1180 continue;
1181 keyring->last_used_at = ktime_get_real_seconds();
1182 goto out;
1149 } 1183 }
1150 1184
1151 keyring = ERR_PTR(-ENOKEY); 1185 keyring = ERR_PTR(-ENOKEY);
@@ -1188,7 +1222,8 @@ static int keyring_detect_cycle(struct key *A, struct key *B)
1188 .flags = (KEYRING_SEARCH_NO_STATE_CHECK | 1222 .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
1189 KEYRING_SEARCH_NO_UPDATE_TIME | 1223 KEYRING_SEARCH_NO_UPDATE_TIME |
1190 KEYRING_SEARCH_NO_CHECK_PERM | 1224 KEYRING_SEARCH_NO_CHECK_PERM |
1191 KEYRING_SEARCH_DETECT_TOO_DEEP), 1225 KEYRING_SEARCH_DETECT_TOO_DEEP |
1226 KEYRING_SEARCH_RECURSE),
1192 }; 1227 };
1193 1228
1194 rcu_read_lock(); 1229 rcu_read_lock();
diff --git a/security/keys/persistent.c b/security/keys/persistent.c
index da9a0f42b795..97af230aa4b2 100644
--- a/security/keys/persistent.c
+++ b/security/keys/persistent.c
@@ -80,15 +80,17 @@ static long key_get_persistent(struct user_namespace *ns, kuid_t uid,
80 long ret; 80 long ret;
81 81
82 /* Look in the register if it exists */ 82 /* Look in the register if it exists */
83 memset(&index_key, 0, sizeof(index_key));
83 index_key.type = &key_type_keyring; 84 index_key.type = &key_type_keyring;
84 index_key.description = buf; 85 index_key.description = buf;
85 index_key.desc_len = sprintf(buf, "_persistent.%u", from_kuid(ns, uid)); 86 index_key.desc_len = sprintf(buf, "_persistent.%u", from_kuid(ns, uid));
87 key_set_index_key(&index_key);
86 88
87 if (ns->persistent_keyring_register) { 89 if (ns->persistent_keyring_register) {
88 reg_ref = make_key_ref(ns->persistent_keyring_register, true); 90 reg_ref = make_key_ref(ns->persistent_keyring_register, true);
89 down_read(&ns->persistent_keyring_register_sem); 91 down_read(&ns->keyring_sem);
90 persistent_ref = find_key_to_update(reg_ref, &index_key); 92 persistent_ref = find_key_to_update(reg_ref, &index_key);
91 up_read(&ns->persistent_keyring_register_sem); 93 up_read(&ns->keyring_sem);
92 94
93 if (persistent_ref) 95 if (persistent_ref)
94 goto found; 96 goto found;
@@ -97,9 +99,9 @@ static long key_get_persistent(struct user_namespace *ns, kuid_t uid,
97 /* It wasn't in the register, so we'll need to create it. We might 99 /* It wasn't in the register, so we'll need to create it. We might
98 * also need to create the register. 100 * also need to create the register.
99 */ 101 */
100 down_write(&ns->persistent_keyring_register_sem); 102 down_write(&ns->keyring_sem);
101 persistent_ref = key_create_persistent(ns, uid, &index_key); 103 persistent_ref = key_create_persistent(ns, uid, &index_key);
102 up_write(&ns->persistent_keyring_register_sem); 104 up_write(&ns->keyring_sem);
103 if (!IS_ERR(persistent_ref)) 105 if (!IS_ERR(persistent_ref))
104 goto found; 106 goto found;
105 107
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 7f15550c10f5..415f3f1c2da0 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -166,7 +166,8 @@ static int proc_keys_show(struct seq_file *m, void *v)
166 .match_data.cmp = lookup_user_key_possessed, 166 .match_data.cmp = lookup_user_key_possessed,
167 .match_data.raw_data = key, 167 .match_data.raw_data = key,
168 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 168 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
169 .flags = KEYRING_SEARCH_NO_STATE_CHECK, 169 .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
170 KEYRING_SEARCH_RECURSE),
170 }; 171 };
171 172
172 key_ref = make_key_ref(key, 0); 173 key_ref = make_key_ref(key, 0);
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index b99ad2c5342f..09541de31f2f 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -15,15 +15,13 @@
15#include <linux/security.h> 15#include <linux/security.h>
16#include <linux/user_namespace.h> 16#include <linux/user_namespace.h>
17#include <linux/uaccess.h> 17#include <linux/uaccess.h>
18#include <linux/init_task.h>
18#include <keys/request_key_auth-type.h> 19#include <keys/request_key_auth-type.h>
19#include "internal.h" 20#include "internal.h"
20 21
21/* Session keyring create vs join semaphore */ 22/* Session keyring create vs join semaphore */
22static DEFINE_MUTEX(key_session_mutex); 23static DEFINE_MUTEX(key_session_mutex);
23 24
24/* User keyring creation semaphore */
25static DEFINE_MUTEX(key_user_keyring_mutex);
26
27/* The root user's tracking struct */ 25/* The root user's tracking struct */
28struct key_user root_key_user = { 26struct key_user root_key_user = {
29 .usage = REFCOUNT_INIT(3), 27 .usage = REFCOUNT_INIT(3),
@@ -35,99 +33,186 @@ struct key_user root_key_user = {
35}; 33};
36 34
37/* 35/*
38 * Install the user and user session keyrings for the current process's UID. 36 * Get or create a user register keyring.
37 */
38static struct key *get_user_register(struct user_namespace *user_ns)
39{
40 struct key *reg_keyring = READ_ONCE(user_ns->user_keyring_register);
41
42 if (reg_keyring)
43 return reg_keyring;
44
45 down_write(&user_ns->keyring_sem);
46
47 /* Make sure there's a register keyring. It gets owned by the
48 * user_namespace's owner.
49 */
50 reg_keyring = user_ns->user_keyring_register;
51 if (!reg_keyring) {
52 reg_keyring = keyring_alloc(".user_reg",
53 user_ns->owner, INVALID_GID,
54 &init_cred,
55 KEY_POS_WRITE | KEY_POS_SEARCH |
56 KEY_USR_VIEW | KEY_USR_READ,
57 0,
58 NULL, NULL);
59 if (!IS_ERR(reg_keyring))
60 smp_store_release(&user_ns->user_keyring_register,
61 reg_keyring);
62 }
63
64 up_write(&user_ns->keyring_sem);
65
66 /* We don't return a ref since the keyring is pinned by the user_ns */
67 return reg_keyring;
68}
69
70/*
71 * Look up the user and user session keyrings for the current process's UID,
72 * creating them if they don't exist.
39 */ 73 */
40int install_user_keyrings(void) 74int look_up_user_keyrings(struct key **_user_keyring,
75 struct key **_user_session_keyring)
41{ 76{
42 struct user_struct *user; 77 const struct cred *cred = current_cred();
43 const struct cred *cred; 78 struct user_namespace *user_ns = current_user_ns();
44 struct key *uid_keyring, *session_keyring; 79 struct key *reg_keyring, *uid_keyring, *session_keyring;
45 key_perm_t user_keyring_perm; 80 key_perm_t user_keyring_perm;
81 key_ref_t uid_keyring_r, session_keyring_r;
82 uid_t uid = from_kuid(user_ns, cred->user->uid);
46 char buf[20]; 83 char buf[20];
47 int ret; 84 int ret;
48 uid_t uid;
49 85
50 user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL; 86 user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
51 cred = current_cred();
52 user = cred->user;
53 uid = from_kuid(cred->user_ns, user->uid);
54 87
55 kenter("%p{%u}", user, uid); 88 kenter("%u", uid);
56 89
57 if (READ_ONCE(user->uid_keyring) && READ_ONCE(user->session_keyring)) { 90 reg_keyring = get_user_register(user_ns);
58 kleave(" = 0 [exist]"); 91 if (IS_ERR(reg_keyring))
59 return 0; 92 return PTR_ERR(reg_keyring);
60 }
61 93
62 mutex_lock(&key_user_keyring_mutex); 94 down_write(&user_ns->keyring_sem);
63 ret = 0; 95 ret = 0;
64 96
65 if (!user->uid_keyring) { 97 /* Get the user keyring. Note that there may be one in existence
66 /* get the UID-specific keyring 98 * already as it may have been pinned by a session, but the user_struct
67 * - there may be one in existence already as it may have been 99 * pointing to it may have been destroyed by setuid.
68 * pinned by a session, but the user_struct pointing to it 100 */
69 * may have been destroyed by setuid */ 101 snprintf(buf, sizeof(buf), "_uid.%u", uid);
70 sprintf(buf, "_uid.%u", uid); 102 uid_keyring_r = keyring_search(make_key_ref(reg_keyring, true),
71 103 &key_type_keyring, buf, false);
72 uid_keyring = find_keyring_by_name(buf, true); 104 kdebug("_uid %p", uid_keyring_r);
105 if (uid_keyring_r == ERR_PTR(-EAGAIN)) {
106 uid_keyring = keyring_alloc(buf, cred->user->uid, INVALID_GID,
107 cred, user_keyring_perm,
108 KEY_ALLOC_UID_KEYRING |
109 KEY_ALLOC_IN_QUOTA,
110 NULL, reg_keyring);
73 if (IS_ERR(uid_keyring)) { 111 if (IS_ERR(uid_keyring)) {
74 uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID, 112 ret = PTR_ERR(uid_keyring);
75 cred, user_keyring_perm, 113 goto error;
76 KEY_ALLOC_UID_KEYRING |
77 KEY_ALLOC_IN_QUOTA,
78 NULL, NULL);
79 if (IS_ERR(uid_keyring)) {
80 ret = PTR_ERR(uid_keyring);
81 goto error;
82 }
83 } 114 }
115 } else if (IS_ERR(uid_keyring_r)) {
116 ret = PTR_ERR(uid_keyring_r);
117 goto error;
118 } else {
119 uid_keyring = key_ref_to_ptr(uid_keyring_r);
120 }
84 121
85 /* get a default session keyring (which might also exist 122 /* Get a default session keyring (which might also exist already) */
86 * already) */ 123 snprintf(buf, sizeof(buf), "_uid_ses.%u", uid);
87 sprintf(buf, "_uid_ses.%u", uid); 124 session_keyring_r = keyring_search(make_key_ref(reg_keyring, true),
88 125 &key_type_keyring, buf, false);
89 session_keyring = find_keyring_by_name(buf, true); 126 kdebug("_uid_ses %p", session_keyring_r);
127 if (session_keyring_r == ERR_PTR(-EAGAIN)) {
128 session_keyring = keyring_alloc(buf, cred->user->uid, INVALID_GID,
129 cred, user_keyring_perm,
130 KEY_ALLOC_UID_KEYRING |
131 KEY_ALLOC_IN_QUOTA,
132 NULL, NULL);
90 if (IS_ERR(session_keyring)) { 133 if (IS_ERR(session_keyring)) {
91 session_keyring = 134 ret = PTR_ERR(session_keyring);
92 keyring_alloc(buf, user->uid, INVALID_GID, 135 goto error_release;
93 cred, user_keyring_perm,
94 KEY_ALLOC_UID_KEYRING |
95 KEY_ALLOC_IN_QUOTA,
96 NULL, NULL);
97 if (IS_ERR(session_keyring)) {
98 ret = PTR_ERR(session_keyring);
99 goto error_release;
100 }
101
102 /* we install a link from the user session keyring to
103 * the user keyring */
104 ret = key_link(session_keyring, uid_keyring);
105 if (ret < 0)
106 goto error_release_both;
107 } 136 }
108 137
109 /* install the keyrings */ 138 /* We install a link from the user session keyring to
110 /* paired with READ_ONCE() */ 139 * the user keyring.
111 smp_store_release(&user->uid_keyring, uid_keyring); 140 */
112 /* paired with READ_ONCE() */ 141 ret = key_link(session_keyring, uid_keyring);
113 smp_store_release(&user->session_keyring, session_keyring); 142 if (ret < 0)
143 goto error_release_session;
144
145 /* And only then link the user-session keyring to the
146 * register.
147 */
148 ret = key_link(reg_keyring, session_keyring);
149 if (ret < 0)
150 goto error_release_session;
151 } else if (IS_ERR(session_keyring_r)) {
152 ret = PTR_ERR(session_keyring_r);
153 goto error_release;
154 } else {
155 session_keyring = key_ref_to_ptr(session_keyring_r);
114 } 156 }
115 157
116 mutex_unlock(&key_user_keyring_mutex); 158 up_write(&user_ns->keyring_sem);
159
160 if (_user_session_keyring)
161 *_user_session_keyring = session_keyring;
162 else
163 key_put(session_keyring);
164 if (_user_keyring)
165 *_user_keyring = uid_keyring;
166 else
167 key_put(uid_keyring);
117 kleave(" = 0"); 168 kleave(" = 0");
118 return 0; 169 return 0;
119 170
120error_release_both: 171error_release_session:
121 key_put(session_keyring); 172 key_put(session_keyring);
122error_release: 173error_release:
123 key_put(uid_keyring); 174 key_put(uid_keyring);
124error: 175error:
125 mutex_unlock(&key_user_keyring_mutex); 176 up_write(&user_ns->keyring_sem);
126 kleave(" = %d", ret); 177 kleave(" = %d", ret);
127 return ret; 178 return ret;
128} 179}
129 180
130/* 181/*
182 * Get the user session keyring if it exists, but don't create it if it
183 * doesn't.
184 */
185struct key *get_user_session_keyring_rcu(const struct cred *cred)
186{
187 struct key *reg_keyring = READ_ONCE(cred->user_ns->user_keyring_register);
188 key_ref_t session_keyring_r;
189 char buf[20];
190
191 struct keyring_search_context ctx = {
192 .index_key.type = &key_type_keyring,
193 .index_key.description = buf,
194 .cred = cred,
195 .match_data.cmp = key_default_cmp,
196 .match_data.raw_data = buf,
197 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
198 .flags = KEYRING_SEARCH_DO_STATE_CHECK,
199 };
200
201 if (!reg_keyring)
202 return NULL;
203
204 ctx.index_key.desc_len = snprintf(buf, sizeof(buf), "_uid_ses.%u",
205 from_kuid(cred->user_ns,
206 cred->user->uid));
207
208 session_keyring_r = keyring_search_rcu(make_key_ref(reg_keyring, true),
209 &ctx);
210 if (IS_ERR(session_keyring_r))
211 return NULL;
212 return key_ref_to_ptr(session_keyring_r);
213}
214
215/*
131 * Install a thread keyring to the given credentials struct if it didn't have 216 * Install a thread keyring to the given credentials struct if it didn't have
132 * one already. This is allowed to overrun the quota. 217 * one already. This is allowed to overrun the quota.
133 * 218 *
@@ -336,6 +421,7 @@ void key_fsgid_changed(struct cred *new_cred)
336 */ 421 */
337key_ref_t search_cred_keyrings_rcu(struct keyring_search_context *ctx) 422key_ref_t search_cred_keyrings_rcu(struct keyring_search_context *ctx)
338{ 423{
424 struct key *user_session;
339 key_ref_t key_ref, ret, err; 425 key_ref_t key_ref, ret, err;
340 const struct cred *cred = ctx->cred; 426 const struct cred *cred = ctx->cred;
341 427
@@ -411,10 +497,11 @@ key_ref_t search_cred_keyrings_rcu(struct keyring_search_context *ctx)
411 } 497 }
412 } 498 }
413 /* or search the user-session keyring */ 499 /* or search the user-session keyring */
414 else if (READ_ONCE(cred->user->session_keyring)) { 500 else if ((user_session = get_user_session_keyring_rcu(cred))) {
415 key_ref = keyring_search_rcu( 501 key_ref = keyring_search_rcu(make_key_ref(user_session, 1),
416 make_key_ref(READ_ONCE(cred->user->session_keyring), 1), 502 ctx);
417 ctx); 503 key_put(user_session);
504
418 if (!IS_ERR(key_ref)) 505 if (!IS_ERR(key_ref))
419 goto found; 506 goto found;
420 507
@@ -527,10 +614,11 @@ key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
527 struct keyring_search_context ctx = { 614 struct keyring_search_context ctx = {
528 .match_data.cmp = lookup_user_key_possessed, 615 .match_data.cmp = lookup_user_key_possessed,
529 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 616 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
530 .flags = KEYRING_SEARCH_NO_STATE_CHECK, 617 .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
618 KEYRING_SEARCH_RECURSE),
531 }; 619 };
532 struct request_key_auth *rka; 620 struct request_key_auth *rka;
533 struct key *key; 621 struct key *key, *user_session;
534 key_ref_t key_ref, skey_ref; 622 key_ref_t key_ref, skey_ref;
535 int ret; 623 int ret;
536 624
@@ -579,20 +667,20 @@ try_again:
579 if (!ctx.cred->session_keyring) { 667 if (!ctx.cred->session_keyring) {
580 /* always install a session keyring upon access if one 668 /* always install a session keyring upon access if one
581 * doesn't exist yet */ 669 * doesn't exist yet */
582 ret = install_user_keyrings(); 670 ret = look_up_user_keyrings(NULL, &user_session);
583 if (ret < 0) 671 if (ret < 0)
584 goto error; 672 goto error;
585 if (lflags & KEY_LOOKUP_CREATE) 673 if (lflags & KEY_LOOKUP_CREATE)
586 ret = join_session_keyring(NULL); 674 ret = join_session_keyring(NULL);
587 else 675 else
588 ret = install_session_keyring( 676 ret = install_session_keyring(user_session);
589 ctx.cred->user->session_keyring);
590 677
678 key_put(user_session);
591 if (ret < 0) 679 if (ret < 0)
592 goto error; 680 goto error;
593 goto reget_creds; 681 goto reget_creds;
594 } else if (ctx.cred->session_keyring == 682 } else if (test_bit(KEY_FLAG_UID_KEYRING,
595 READ_ONCE(ctx.cred->user->session_keyring) && 683 &ctx.cred->session_keyring->flags) &&
596 lflags & KEY_LOOKUP_CREATE) { 684 lflags & KEY_LOOKUP_CREATE) {
597 ret = join_session_keyring(NULL); 685 ret = join_session_keyring(NULL);
598 if (ret < 0) 686 if (ret < 0)
@@ -606,26 +694,16 @@ try_again:
606 break; 694 break;
607 695
608 case KEY_SPEC_USER_KEYRING: 696 case KEY_SPEC_USER_KEYRING:
609 if (!READ_ONCE(ctx.cred->user->uid_keyring)) { 697 ret = look_up_user_keyrings(&key, NULL);
610 ret = install_user_keyrings(); 698 if (ret < 0)
611 if (ret < 0) 699 goto error;
612 goto error;
613 }
614
615 key = ctx.cred->user->uid_keyring;
616 __key_get(key);
617 key_ref = make_key_ref(key, 1); 700 key_ref = make_key_ref(key, 1);
618 break; 701 break;
619 702
620 case KEY_SPEC_USER_SESSION_KEYRING: 703 case KEY_SPEC_USER_SESSION_KEYRING:
621 if (!READ_ONCE(ctx.cred->user->session_keyring)) { 704 ret = look_up_user_keyrings(NULL, &key);
622 ret = install_user_keyrings(); 705 if (ret < 0)
623 if (ret < 0) 706 goto error;
624 goto error;
625 }
626
627 key = ctx.cred->user->session_keyring;
628 __key_get(key);
629 key_ref = make_key_ref(key, 1); 707 key_ref = make_key_ref(key, 1);
630 break; 708 break;
631 709
@@ -874,7 +952,7 @@ void key_change_session_keyring(struct callback_head *twork)
874 */ 952 */
875static int __init init_root_keyring(void) 953static int __init init_root_keyring(void)
876{ 954{
877 return install_user_keyrings(); 955 return look_up_user_keyrings(NULL, NULL);
878} 956}
879 957
880late_initcall(init_root_keyring); 958late_initcall(init_root_keyring);
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index f2b4da143963..7325f382dbf4 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -13,6 +13,7 @@
13#include <linux/err.h> 13#include <linux/err.h>
14#include <linux/keyctl.h> 14#include <linux/keyctl.h>
15#include <linux/slab.h> 15#include <linux/slab.h>
16#include <net/net_namespace.h>
16#include "internal.h" 17#include "internal.h"
17#include <keys/request_key_auth-type.h> 18#include <keys/request_key_auth-type.h>
18 19
@@ -117,7 +118,7 @@ static int call_sbin_request_key(struct key *authkey, void *aux)
117 struct request_key_auth *rka = get_request_key_auth(authkey); 118 struct request_key_auth *rka = get_request_key_auth(authkey);
118 const struct cred *cred = current_cred(); 119 const struct cred *cred = current_cred();
119 key_serial_t prkey, sskey; 120 key_serial_t prkey, sskey;
120 struct key *key = rka->target_key, *keyring, *session; 121 struct key *key = rka->target_key, *keyring, *session, *user_session;
121 char *argv[9], *envp[3], uid_str[12], gid_str[12]; 122 char *argv[9], *envp[3], uid_str[12], gid_str[12];
122 char key_str[12], keyring_str[3][12]; 123 char key_str[12], keyring_str[3][12];
123 char desc[20]; 124 char desc[20];
@@ -125,9 +126,9 @@ static int call_sbin_request_key(struct key *authkey, void *aux)
125 126
126 kenter("{%d},{%d},%s", key->serial, authkey->serial, rka->op); 127 kenter("{%d},{%d},%s", key->serial, authkey->serial, rka->op);
127 128
128 ret = install_user_keyrings(); 129 ret = look_up_user_keyrings(NULL, &user_session);
129 if (ret < 0) 130 if (ret < 0)
130 goto error_alloc; 131 goto error_us;
131 132
132 /* allocate a new session keyring */ 133 /* allocate a new session keyring */
133 sprintf(desc, "_req.%u", key->serial); 134 sprintf(desc, "_req.%u", key->serial);
@@ -165,7 +166,7 @@ static int call_sbin_request_key(struct key *authkey, void *aux)
165 166
166 session = cred->session_keyring; 167 session = cred->session_keyring;
167 if (!session) 168 if (!session)
168 session = cred->user->session_keyring; 169 session = user_session;
169 sskey = session->serial; 170 sskey = session->serial;
170 171
171 sprintf(keyring_str[2], "%d", sskey); 172 sprintf(keyring_str[2], "%d", sskey);
@@ -207,6 +208,8 @@ error_link:
207 key_put(keyring); 208 key_put(keyring);
208 209
209error_alloc: 210error_alloc:
211 key_put(user_session);
212error_us:
210 complete_request_key(authkey, ret); 213 complete_request_key(authkey, ret);
211 kleave(" = %d", ret); 214 kleave(" = %d", ret);
212 return ret; 215 return ret;
@@ -313,13 +316,15 @@ static int construct_get_dest_keyring(struct key **_dest_keyring)
313 316
314 /* fall through */ 317 /* fall through */
315 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING: 318 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
316 dest_keyring = 319 ret = look_up_user_keyrings(NULL, &dest_keyring);
317 key_get(READ_ONCE(cred->user->session_keyring)); 320 if (ret < 0)
321 return ret;
318 break; 322 break;
319 323
320 case KEY_REQKEY_DEFL_USER_KEYRING: 324 case KEY_REQKEY_DEFL_USER_KEYRING:
321 dest_keyring = 325 ret = look_up_user_keyrings(&dest_keyring, NULL);
322 key_get(READ_ONCE(cred->user->uid_keyring)); 326 if (ret < 0)
327 return ret;
323 break; 328 break;
324 329
325 case KEY_REQKEY_DEFL_GROUP_KEYRING: 330 case KEY_REQKEY_DEFL_GROUP_KEYRING:
@@ -525,16 +530,18 @@ error:
525 * request_key_and_link - Request a key and cache it in a keyring. 530 * request_key_and_link - Request a key and cache it in a keyring.
526 * @type: The type of key we want. 531 * @type: The type of key we want.
527 * @description: The searchable description of the key. 532 * @description: The searchable description of the key.
533 * @domain_tag: The domain in which the key operates.
528 * @callout_info: The data to pass to the instantiation upcall (or NULL). 534 * @callout_info: The data to pass to the instantiation upcall (or NULL).
529 * @callout_len: The length of callout_info. 535 * @callout_len: The length of callout_info.
530 * @aux: Auxiliary data for the upcall. 536 * @aux: Auxiliary data for the upcall.
531 * @dest_keyring: Where to cache the key. 537 * @dest_keyring: Where to cache the key.
532 * @flags: Flags to key_alloc(). 538 * @flags: Flags to key_alloc().
533 * 539 *
534 * A key matching the specified criteria is searched for in the process's 540 * A key matching the specified criteria (type, description, domain_tag) is
535 * keyrings and returned with its usage count incremented if found. Otherwise, 541 * searched for in the process's keyrings and returned with its usage count
536 * if callout_info is not NULL, a key will be allocated and some service 542 * incremented if found. Otherwise, if callout_info is not NULL, a key will be
537 * (probably in userspace) will be asked to instantiate it. 543 * allocated and some service (probably in userspace) will be asked to
544 * instantiate it.
538 * 545 *
539 * If successfully found or created, the key will be linked to the destination 546 * If successfully found or created, the key will be linked to the destination
540 * keyring if one is provided. 547 * keyring if one is provided.
@@ -550,6 +557,7 @@ error:
550 */ 557 */
551struct key *request_key_and_link(struct key_type *type, 558struct key *request_key_and_link(struct key_type *type,
552 const char *description, 559 const char *description,
560 struct key_tag *domain_tag,
553 const void *callout_info, 561 const void *callout_info,
554 size_t callout_len, 562 size_t callout_len,
555 void *aux, 563 void *aux,
@@ -558,6 +566,7 @@ struct key *request_key_and_link(struct key_type *type,
558{ 566{
559 struct keyring_search_context ctx = { 567 struct keyring_search_context ctx = {
560 .index_key.type = type, 568 .index_key.type = type,
569 .index_key.domain_tag = domain_tag,
561 .index_key.description = description, 570 .index_key.description = description,
562 .index_key.desc_len = strlen(description), 571 .index_key.desc_len = strlen(description),
563 .cred = current_cred(), 572 .cred = current_cred(),
@@ -565,7 +574,8 @@ struct key *request_key_and_link(struct key_type *type,
565 .match_data.raw_data = description, 574 .match_data.raw_data = description,
566 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 575 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
567 .flags = (KEYRING_SEARCH_DO_STATE_CHECK | 576 .flags = (KEYRING_SEARCH_DO_STATE_CHECK |
568 KEYRING_SEARCH_SKIP_EXPIRED), 577 KEYRING_SEARCH_SKIP_EXPIRED |
578 KEYRING_SEARCH_RECURSE),
569 }; 579 };
570 struct key *key; 580 struct key *key;
571 key_ref_t key_ref; 581 key_ref_t key_ref;
@@ -663,9 +673,10 @@ int wait_for_key_construction(struct key *key, bool intr)
663EXPORT_SYMBOL(wait_for_key_construction); 673EXPORT_SYMBOL(wait_for_key_construction);
664 674
665/** 675/**
666 * request_key - Request a key and wait for construction 676 * request_key_tag - Request a key and wait for construction
667 * @type: Type of key. 677 * @type: Type of key.
668 * @description: The searchable description of the key. 678 * @description: The searchable description of the key.
679 * @domain_tag: The domain in which the key operates.
669 * @callout_info: The data to pass to the instantiation upcall (or NULL). 680 * @callout_info: The data to pass to the instantiation upcall (or NULL).
670 * 681 *
671 * As for request_key_and_link() except that it does not add the returned key 682 * As for request_key_and_link() except that it does not add the returned key
@@ -676,9 +687,10 @@ EXPORT_SYMBOL(wait_for_key_construction);
676 * Furthermore, it then works as wait_for_key_construction() to wait for the 687 * Furthermore, it then works as wait_for_key_construction() to wait for the
677 * completion of keys undergoing construction with a non-interruptible wait. 688 * completion of keys undergoing construction with a non-interruptible wait.
678 */ 689 */
679struct key *request_key(struct key_type *type, 690struct key *request_key_tag(struct key_type *type,
680 const char *description, 691 const char *description,
681 const char *callout_info) 692 struct key_tag *domain_tag,
693 const char *callout_info)
682{ 694{
683 struct key *key; 695 struct key *key;
684 size_t callout_len = 0; 696 size_t callout_len = 0;
@@ -686,7 +698,8 @@ struct key *request_key(struct key_type *type,
686 698
687 if (callout_info) 699 if (callout_info)
688 callout_len = strlen(callout_info); 700 callout_len = strlen(callout_info);
689 key = request_key_and_link(type, description, callout_info, callout_len, 701 key = request_key_and_link(type, description, domain_tag,
702 callout_info, callout_len,
690 NULL, NULL, KEY_ALLOC_IN_QUOTA); 703 NULL, NULL, KEY_ALLOC_IN_QUOTA);
691 if (!IS_ERR(key)) { 704 if (!IS_ERR(key)) {
692 ret = wait_for_key_construction(key, false); 705 ret = wait_for_key_construction(key, false);
@@ -697,12 +710,13 @@ struct key *request_key(struct key_type *type,
697 } 710 }
698 return key; 711 return key;
699} 712}
700EXPORT_SYMBOL(request_key); 713EXPORT_SYMBOL(request_key_tag);
701 714
702/** 715/**
703 * request_key_with_auxdata - Request a key with auxiliary data for the upcaller 716 * request_key_with_auxdata - Request a key with auxiliary data for the upcaller
704 * @type: The type of key we want. 717 * @type: The type of key we want.
705 * @description: The searchable description of the key. 718 * @description: The searchable description of the key.
719 * @domain_tag: The domain in which the key operates.
706 * @callout_info: The data to pass to the instantiation upcall (or NULL). 720 * @callout_info: The data to pass to the instantiation upcall (or NULL).
707 * @callout_len: The length of callout_info. 721 * @callout_len: The length of callout_info.
708 * @aux: Auxiliary data for the upcall. 722 * @aux: Auxiliary data for the upcall.
@@ -715,6 +729,7 @@ EXPORT_SYMBOL(request_key);
715 */ 729 */
716struct key *request_key_with_auxdata(struct key_type *type, 730struct key *request_key_with_auxdata(struct key_type *type,
717 const char *description, 731 const char *description,
732 struct key_tag *domain_tag,
718 const void *callout_info, 733 const void *callout_info,
719 size_t callout_len, 734 size_t callout_len,
720 void *aux) 735 void *aux)
@@ -722,7 +737,8 @@ struct key *request_key_with_auxdata(struct key_type *type,
722 struct key *key; 737 struct key *key;
723 int ret; 738 int ret;
724 739
725 key = request_key_and_link(type, description, callout_info, callout_len, 740 key = request_key_and_link(type, description, domain_tag,
741 callout_info, callout_len,
726 aux, NULL, KEY_ALLOC_IN_QUOTA); 742 aux, NULL, KEY_ALLOC_IN_QUOTA);
727 if (!IS_ERR(key)) { 743 if (!IS_ERR(key)) {
728 ret = wait_for_key_construction(key, false); 744 ret = wait_for_key_construction(key, false);
@@ -739,6 +755,7 @@ EXPORT_SYMBOL(request_key_with_auxdata);
739 * request_key_rcu - Request key from RCU-read-locked context 755 * request_key_rcu - Request key from RCU-read-locked context
740 * @type: The type of key we want. 756 * @type: The type of key we want.
741 * @description: The name of the key we want. 757 * @description: The name of the key we want.
758 * @domain_tag: The domain in which the key operates.
742 * 759 *
743 * Request a key from a context that we may not sleep in (such as RCU-mode 760 * Request a key from a context that we may not sleep in (such as RCU-mode
744 * pathwalk). Keys under construction are ignored. 761 * pathwalk). Keys under construction are ignored.
@@ -746,10 +763,13 @@ EXPORT_SYMBOL(request_key_with_auxdata);
746 * Return a pointer to the found key if successful, -ENOKEY if we couldn't find 763 * Return a pointer to the found key if successful, -ENOKEY if we couldn't find
747 * a key or some other error if the key found was unsuitable or inaccessible. 764 * a key or some other error if the key found was unsuitable or inaccessible.
748 */ 765 */
749struct key *request_key_rcu(struct key_type *type, const char *description) 766struct key *request_key_rcu(struct key_type *type,
767 const char *description,
768 struct key_tag *domain_tag)
750{ 769{
751 struct keyring_search_context ctx = { 770 struct keyring_search_context ctx = {
752 .index_key.type = type, 771 .index_key.type = type,
772 .index_key.domain_tag = domain_tag,
753 .index_key.description = description, 773 .index_key.description = description,
754 .index_key.desc_len = strlen(description), 774 .index_key.desc_len = strlen(description),
755 .cred = current_cred(), 775 .cred = current_cred(),
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 5456c0c72857..e73ec040e250 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -248,7 +248,8 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id)
248 .match_data.cmp = key_default_cmp, 248 .match_data.cmp = key_default_cmp,
249 .match_data.raw_data = description, 249 .match_data.raw_data = description,
250 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 250 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
251 .flags = KEYRING_SEARCH_DO_STATE_CHECK, 251 .flags = (KEYRING_SEARCH_DO_STATE_CHECK |
252 KEYRING_SEARCH_RECURSE),
252 }; 253 };
253 struct key *authkey; 254 struct key *authkey;
254 key_ref_t authkey_ref; 255 key_ref_t authkey_ref;