summaryrefslogtreecommitdiffstats
path: root/security/keys
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2019-07-08 22:56:57 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2019-07-08 22:56:57 -0400
commit0f75ef6a9cff49ff612f7ce0578bced9d0b38325 (patch)
treebdd2a6b7f35695b1d7ab1209efbb40187501fe7d /security/keys
parentc84ca912b07901be528e5184fd254fca1dddf2ac (diff)
parent7a1ade847596dadc94b37e49f8c03f167fd71748 (diff)
Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
Pull keyring ACL support from David Howells: "This changes the permissions model used by keys and keyrings to be based on an internal ACL by the following means: - Replace the permissions mask internally with an ACL that contains a list of ACEs, each with a specific subject with a permissions mask. Potted default ACLs are available for new keys and keyrings. ACE subjects can be macroised to indicate the UID and GID specified on the key (which remain). Future commits will be able to add additional subject types, such as specific UIDs or domain tags/namespaces. Also split a number of permissions to give finer control. Examples include splitting the revocation permit from the change-attributes permit, thereby allowing someone to be granted permission to revoke a key without allowing them to change the owner; also the ability to join a keyring is split from the ability to link to it, thereby stopping a process accessing a keyring by joining it and thus acquiring use of possessor permits. - Provide a keyctl to allow the granting or denial of one or more permits to a specific subject. Direct access to the ACL is not granted, and the ACL cannot be viewed" * tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: keys: Provide KEYCTL_GRANT_PERMISSION keys: Replace uid/gid/perm permissions checking with an ACL
Diffstat (limited to 'security/keys')
-rw-r--r--security/keys/compat.c2
-rw-r--r--security/keys/encrypted-keys/encrypted.c2
-rw-r--r--security/keys/encrypted-keys/masterkey_trusted.c2
-rw-r--r--security/keys/gc.c2
-rw-r--r--security/keys/internal.h16
-rw-r--r--security/keys/key.c29
-rw-r--r--security/keys/keyctl.c104
-rw-r--r--security/keys/keyring.c27
-rw-r--r--security/keys/permission.c361
-rw-r--r--security/keys/persistent.c27
-rw-r--r--security/keys/proc.c22
-rw-r--r--security/keys/process_keys.c86
-rw-r--r--security/keys/request_key.c34
-rw-r--r--security/keys/request_key_auth.c15
14 files changed, 573 insertions, 156 deletions
diff --git a/security/keys/compat.c b/security/keys/compat.c
index 9bcc404131aa..b0e59546e7bd 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -157,6 +157,8 @@ COMPAT_SYSCALL_DEFINE5(keyctl, u32, option,
157 157
158 case KEYCTL_MOVE: 158 case KEYCTL_MOVE:
159 return keyctl_keyring_move(arg2, arg3, arg4, arg5); 159 return keyctl_keyring_move(arg2, arg3, arg4, arg5);
160 case KEYCTL_GRANT_PERMISSION:
161 return keyctl_grant_permission(arg2, arg3, arg4, arg5);
160 162
161 case KEYCTL_CAPABILITIES: 163 case KEYCTL_CAPABILITIES:
162 return keyctl_capabilities(compat_ptr(arg2), arg3); 164 return keyctl_capabilities(compat_ptr(arg2), arg3);
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index 60720f58cbe0..9df560e477c2 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -304,7 +304,7 @@ static struct key *request_user_key(const char *master_desc, const u8 **master_k
304 const struct user_key_payload *upayload; 304 const struct user_key_payload *upayload;
305 struct key *ukey; 305 struct key *ukey;
306 306
307 ukey = request_key(&key_type_user, master_desc, NULL); 307 ukey = request_key(&key_type_user, master_desc, NULL, NULL);
308 if (IS_ERR(ukey)) 308 if (IS_ERR(ukey))
309 goto error; 309 goto error;
310 310
diff --git a/security/keys/encrypted-keys/masterkey_trusted.c b/security/keys/encrypted-keys/masterkey_trusted.c
index c68528aa49c6..d649f2f29475 100644
--- a/security/keys/encrypted-keys/masterkey_trusted.c
+++ b/security/keys/encrypted-keys/masterkey_trusted.c
@@ -30,7 +30,7 @@ struct key *request_trusted_key(const char *trusted_desc,
30 struct trusted_key_payload *tpayload; 30 struct trusted_key_payload *tpayload;
31 struct key *tkey; 31 struct key *tkey;
32 32
33 tkey = request_key(&key_type_trusted, trusted_desc, NULL); 33 tkey = request_key(&key_type_trusted, trusted_desc, NULL, NULL);
34 if (IS_ERR(tkey)) 34 if (IS_ERR(tkey))
35 goto error; 35 goto error;
36 36
diff --git a/security/keys/gc.c b/security/keys/gc.c
index 671dd730ecfc..48c3e124c272 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -151,6 +151,7 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
151 151
152 key_user_put(key->user); 152 key_user_put(key->user);
153 key_put_tag(key->domain_tag); 153 key_put_tag(key->domain_tag);
154 key_put_acl(rcu_access_pointer(key->acl));
154 kfree(key->description); 155 kfree(key->description);
155 156
156 memzero_explicit(key, sizeof(*key)); 157 memzero_explicit(key, sizeof(*key));
@@ -220,7 +221,6 @@ continue_scanning:
220 if (key->type == key_gc_dead_keytype) { 221 if (key->type == key_gc_dead_keytype) {
221 gc_state |= KEY_GC_FOUND_DEAD_KEY; 222 gc_state |= KEY_GC_FOUND_DEAD_KEY;
222 set_bit(KEY_FLAG_DEAD, &key->flags); 223 set_bit(KEY_FLAG_DEAD, &key->flags);
223 key->perm = 0;
224 goto skip_dead_key; 224 goto skip_dead_key;
225 } else if (key->type == &key_type_keyring && 225 } else if (key->type == &key_type_keyring &&
226 key->restrict_link) { 226 key->restrict_link) {
diff --git a/security/keys/internal.h b/security/keys/internal.h
index c039373488bd..e0c5bb8b1685 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -84,8 +84,11 @@ extern struct rb_root key_serial_tree;
84extern spinlock_t key_serial_lock; 84extern spinlock_t key_serial_lock;
85extern struct mutex key_construction_mutex; 85extern struct mutex key_construction_mutex;
86extern wait_queue_head_t request_key_conswq; 86extern wait_queue_head_t request_key_conswq;
87extern struct key_acl default_key_acl;
88extern struct key_acl joinable_keyring_acl;
87 89
88extern void key_set_index_key(struct keyring_index_key *index_key); 90extern void key_set_index_key(struct keyring_index_key *index_key);
91
89extern struct key_type *key_type_lookup(const char *type); 92extern struct key_type *key_type_lookup(const char *type);
90extern void key_type_put(struct key_type *ktype); 93extern void key_type_put(struct key_type *ktype);
91 94
@@ -156,6 +159,7 @@ extern struct key *request_key_and_link(struct key_type *type,
156 const void *callout_info, 159 const void *callout_info,
157 size_t callout_len, 160 size_t callout_len,
158 void *aux, 161 void *aux,
162 struct key_acl *acl,
159 struct key *dest_keyring, 163 struct key *dest_keyring,
160 unsigned long flags); 164 unsigned long flags);
161 165
@@ -179,7 +183,10 @@ extern void key_gc_keytype(struct key_type *ktype);
179 183
180extern int key_task_permission(const key_ref_t key_ref, 184extern int key_task_permission(const key_ref_t key_ref,
181 const struct cred *cred, 185 const struct cred *cred,
182 key_perm_t perm); 186 u32 desired_perm);
187extern unsigned int key_acl_to_perm(const struct key_acl *acl);
188extern long key_set_acl(struct key *key, struct key_acl *acl);
189extern void key_put_acl(struct key_acl *acl);
183 190
184/* 191/*
185 * Check to see whether permission is granted to use a key in the desired way. 192 * Check to see whether permission is granted to use a key in the desired way.
@@ -226,7 +233,7 @@ extern long keyctl_keyring_search(key_serial_t, const char __user *,
226 const char __user *, key_serial_t); 233 const char __user *, key_serial_t);
227extern long keyctl_read_key(key_serial_t, char __user *, size_t); 234extern long keyctl_read_key(key_serial_t, char __user *, size_t);
228extern long keyctl_chown_key(key_serial_t, uid_t, gid_t); 235extern long keyctl_chown_key(key_serial_t, uid_t, gid_t);
229extern long keyctl_setperm_key(key_serial_t, key_perm_t); 236extern long keyctl_setperm_key(key_serial_t, unsigned int);
230extern long keyctl_instantiate_key(key_serial_t, const void __user *, 237extern long keyctl_instantiate_key(key_serial_t, const void __user *,
231 size_t, key_serial_t); 238 size_t, key_serial_t);
232extern long keyctl_negate_key(key_serial_t, unsigned, key_serial_t); 239extern long keyctl_negate_key(key_serial_t, unsigned, key_serial_t);
@@ -331,6 +338,11 @@ static inline long keyctl_pkey_e_d_s(int op,
331 338
332extern long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen); 339extern long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen);
333 340
341extern long keyctl_grant_permission(key_serial_t keyid,
342 enum key_ace_subject_type type,
343 unsigned int subject,
344 unsigned int perm);
345
334/* 346/*
335 * Debugging key validation 347 * Debugging key validation
336 */ 348 */
diff --git a/security/keys/key.c b/security/keys/key.c
index 764f4c57913e..519211a996e7 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -195,7 +195,7 @@ serial_exists:
195 * @uid: The owner of the new key. 195 * @uid: The owner of the new key.
196 * @gid: The group ID for the new key's group permissions. 196 * @gid: The group ID for the new key's group permissions.
197 * @cred: The credentials specifying UID namespace. 197 * @cred: The credentials specifying UID namespace.
198 * @perm: The permissions mask of the new key. 198 * @acl: The ACL to attach to the new key.
199 * @flags: Flags specifying quota properties. 199 * @flags: Flags specifying quota properties.
200 * @restrict_link: Optional link restriction for new keyrings. 200 * @restrict_link: Optional link restriction for new keyrings.
201 * 201 *
@@ -223,7 +223,7 @@ serial_exists:
223 */ 223 */
224struct key *key_alloc(struct key_type *type, const char *desc, 224struct key *key_alloc(struct key_type *type, const char *desc,
225 kuid_t uid, kgid_t gid, const struct cred *cred, 225 kuid_t uid, kgid_t gid, const struct cred *cred,
226 key_perm_t perm, unsigned long flags, 226 struct key_acl *acl, unsigned long flags,
227 struct key_restriction *restrict_link) 227 struct key_restriction *restrict_link)
228{ 228{
229 struct key_user *user = NULL; 229 struct key_user *user = NULL;
@@ -246,6 +246,9 @@ struct key *key_alloc(struct key_type *type, const char *desc,
246 desclen = strlen(desc); 246 desclen = strlen(desc);
247 quotalen = desclen + 1 + type->def_datalen; 247 quotalen = desclen + 1 + type->def_datalen;
248 248
249 if (!acl)
250 acl = &default_key_acl;
251
249 /* get hold of the key tracking for this user */ 252 /* get hold of the key tracking for this user */
250 user = key_user_lookup(uid); 253 user = key_user_lookup(uid);
251 if (!user) 254 if (!user)
@@ -292,7 +295,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
292 key->datalen = type->def_datalen; 295 key->datalen = type->def_datalen;
293 key->uid = uid; 296 key->uid = uid;
294 key->gid = gid; 297 key->gid = gid;
295 key->perm = perm; 298 refcount_inc(&acl->usage);
299 rcu_assign_pointer(key->acl, acl);
296 key->restrict_link = restrict_link; 300 key->restrict_link = restrict_link;
297 key->last_used_at = ktime_get_real_seconds(); 301 key->last_used_at = ktime_get_real_seconds();
298 302
@@ -787,7 +791,7 @@ error:
787 * @description: The searchable description for the key. 791 * @description: The searchable description for the key.
788 * @payload: The data to use to instantiate or update the key. 792 * @payload: The data to use to instantiate or update the key.
789 * @plen: The length of @payload. 793 * @plen: The length of @payload.
790 * @perm: The permissions mask for a new key. 794 * @acl: The ACL to attach if a key is created.
791 * @flags: The quota flags for a new key. 795 * @flags: The quota flags for a new key.
792 * 796 *
793 * Search the destination keyring for a key of the same description and if one 797 * Search the destination keyring for a key of the same description and if one
@@ -810,7 +814,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
810 const char *description, 814 const char *description,
811 const void *payload, 815 const void *payload,
812 size_t plen, 816 size_t plen,
813 key_perm_t perm, 817 struct key_acl *acl,
814 unsigned long flags) 818 unsigned long flags)
815{ 819{
816 struct keyring_index_key index_key = { 820 struct keyring_index_key index_key = {
@@ -907,22 +911,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
907 goto found_matching_key; 911 goto found_matching_key;
908 } 912 }
909 913
910 /* if the client doesn't provide, decide on the permissions we want */
911 if (perm == KEY_PERM_UNDEF) {
912 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
913 perm |= KEY_USR_VIEW;
914
915 if (index_key.type->read)
916 perm |= KEY_POS_READ;
917
918 if (index_key.type == &key_type_keyring ||
919 index_key.type->update)
920 perm |= KEY_POS_WRITE;
921 }
922
923 /* allocate a new key */ 914 /* allocate a new key */
924 key = key_alloc(index_key.type, index_key.description, 915 key = key_alloc(index_key.type, index_key.description,
925 cred->fsuid, cred->fsgid, cred, perm, flags, NULL); 916 cred->fsuid, cred->fsgid, cred, acl, flags, NULL);
926 if (IS_ERR(key)) { 917 if (IS_ERR(key)) {
927 key_ref = ERR_CAST(key); 918 key_ref = ERR_CAST(key);
928 goto error_link_end; 919 goto error_link_end;
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 9b898c969558..c2dd66d556d4 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -37,7 +37,8 @@ static const unsigned char keyrings_capabilities[2] = {
37 KEYCTL_CAPS0_MOVE 37 KEYCTL_CAPS0_MOVE
38 ), 38 ),
39 [1] = (KEYCTL_CAPS1_NS_KEYRING_NAME | 39 [1] = (KEYCTL_CAPS1_NS_KEYRING_NAME |
40 KEYCTL_CAPS1_NS_KEY_TAG), 40 KEYCTL_CAPS1_NS_KEY_TAG |
41 KEYCTL_CAPS1_ACL_ALTERABLE),
41}; 42};
42 43
43static int key_get_type_from_user(char *type, 44static int key_get_type_from_user(char *type,
@@ -130,8 +131,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
130 /* create or update the requested key and add it to the target 131 /* create or update the requested key and add it to the target
131 * keyring */ 132 * keyring */
132 key_ref = key_create_or_update(keyring_ref, type, description, 133 key_ref = key_create_or_update(keyring_ref, type, description,
133 payload, plen, KEY_PERM_UNDEF, 134 payload, plen, NULL, KEY_ALLOC_IN_QUOTA);
134 KEY_ALLOC_IN_QUOTA);
135 if (!IS_ERR(key_ref)) { 135 if (!IS_ERR(key_ref)) {
136 ret = key_ref_to_ptr(key_ref)->serial; 136 ret = key_ref_to_ptr(key_ref)->serial;
137 key_ref_put(key_ref); 137 key_ref_put(key_ref);
@@ -221,7 +221,8 @@ SYSCALL_DEFINE4(request_key, const char __user *, _type,
221 221
222 /* do the search */ 222 /* do the search */
223 key = request_key_and_link(ktype, description, NULL, callout_info, 223 key = request_key_and_link(ktype, description, NULL, callout_info,
224 callout_len, NULL, key_ref_to_ptr(dest_ref), 224 callout_len, NULL, NULL,
225 key_ref_to_ptr(dest_ref),
225 KEY_ALLOC_IN_QUOTA); 226 KEY_ALLOC_IN_QUOTA);
226 if (IS_ERR(key)) { 227 if (IS_ERR(key)) {
227 ret = PTR_ERR(key); 228 ret = PTR_ERR(key);
@@ -383,16 +384,10 @@ long keyctl_revoke_key(key_serial_t id)
383 struct key *key; 384 struct key *key;
384 long ret; 385 long ret;
385 386
386 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); 387 key_ref = lookup_user_key(id, 0, KEY_NEED_REVOKE);
387 if (IS_ERR(key_ref)) { 388 if (IS_ERR(key_ref)) {
388 ret = PTR_ERR(key_ref); 389 ret = PTR_ERR(key_ref);
389 if (ret != -EACCES) 390 goto error;
390 goto error;
391 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR);
392 if (IS_ERR(key_ref)) {
393 ret = PTR_ERR(key_ref);
394 goto error;
395 }
396 } 391 }
397 392
398 key = key_ref_to_ptr(key_ref); 393 key = key_ref_to_ptr(key_ref);
@@ -426,7 +421,7 @@ long keyctl_invalidate_key(key_serial_t id)
426 421
427 kenter("%d", id); 422 kenter("%d", id);
428 423
429 key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); 424 key_ref = lookup_user_key(id, 0, KEY_NEED_INVAL);
430 if (IS_ERR(key_ref)) { 425 if (IS_ERR(key_ref)) {
431 ret = PTR_ERR(key_ref); 426 ret = PTR_ERR(key_ref);
432 427
@@ -471,7 +466,7 @@ long keyctl_keyring_clear(key_serial_t ringid)
471 struct key *keyring; 466 struct key *keyring;
472 long ret; 467 long ret;
473 468
474 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); 469 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_CLEAR);
475 if (IS_ERR(keyring_ref)) { 470 if (IS_ERR(keyring_ref)) {
476 ret = PTR_ERR(keyring_ref); 471 ret = PTR_ERR(keyring_ref);
477 472
@@ -646,6 +641,7 @@ long keyctl_describe_key(key_serial_t keyid,
646 size_t buflen) 641 size_t buflen)
647{ 642{
648 struct key *key, *instkey; 643 struct key *key, *instkey;
644 unsigned int perm;
649 key_ref_t key_ref; 645 key_ref_t key_ref;
650 char *infobuf; 646 char *infobuf;
651 long ret; 647 long ret;
@@ -675,6 +671,10 @@ okay:
675 key = key_ref_to_ptr(key_ref); 671 key = key_ref_to_ptr(key_ref);
676 desclen = strlen(key->description); 672 desclen = strlen(key->description);
677 673
674 rcu_read_lock();
675 perm = key_acl_to_perm(rcu_dereference(key->acl));
676 rcu_read_unlock();
677
678 /* calculate how much information we're going to return */ 678 /* calculate how much information we're going to return */
679 ret = -ENOMEM; 679 ret = -ENOMEM;
680 infobuf = kasprintf(GFP_KERNEL, 680 infobuf = kasprintf(GFP_KERNEL,
@@ -682,7 +682,7 @@ okay:
682 key->type->name, 682 key->type->name,
683 from_kuid_munged(current_user_ns(), key->uid), 683 from_kuid_munged(current_user_ns(), key->uid),
684 from_kgid_munged(current_user_ns(), key->gid), 684 from_kgid_munged(current_user_ns(), key->gid),
685 key->perm); 685 perm);
686 if (!infobuf) 686 if (!infobuf)
687 goto error2; 687 goto error2;
688 infolen = strlen(infobuf); 688 infolen = strlen(infobuf);
@@ -899,7 +899,7 @@ long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group)
899 goto error; 899 goto error;
900 900
901 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 901 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
902 KEY_NEED_SETATTR); 902 KEY_NEED_SETSEC);
903 if (IS_ERR(key_ref)) { 903 if (IS_ERR(key_ref)) {
904 ret = PTR_ERR(key_ref); 904 ret = PTR_ERR(key_ref);
905 goto error; 905 goto error;
@@ -994,18 +994,25 @@ quota_overrun:
994 * the key need not be fully instantiated yet. If the caller does not have 994 * the key need not be fully instantiated yet. If the caller does not have
995 * sysadmin capability, it may only change the permission on keys that it owns. 995 * sysadmin capability, it may only change the permission on keys that it owns.
996 */ 996 */
997long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 997long keyctl_setperm_key(key_serial_t id, unsigned int perm)
998{ 998{
999 struct key_acl *acl;
999 struct key *key; 1000 struct key *key;
1000 key_ref_t key_ref; 1001 key_ref_t key_ref;
1001 long ret; 1002 long ret;
1003 int nr, i, j;
1002 1004
1003 ret = -EINVAL;
1004 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) 1005 if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))
1005 goto error; 1006 return -EINVAL;
1007
1008 nr = 0;
1009 if (perm & KEY_POS_ALL) nr++;
1010 if (perm & KEY_USR_ALL) nr++;
1011 if (perm & KEY_GRP_ALL) nr++;
1012 if (perm & KEY_OTH_ALL) nr++;
1006 1013
1007 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1014 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
1008 KEY_NEED_SETATTR); 1015 KEY_NEED_SETSEC);
1009 if (IS_ERR(key_ref)) { 1016 if (IS_ERR(key_ref)) {
1010 ret = PTR_ERR(key_ref); 1017 ret = PTR_ERR(key_ref);
1011 goto error; 1018 goto error;
@@ -1013,17 +1020,45 @@ long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
1013 1020
1014 key = key_ref_to_ptr(key_ref); 1021 key = key_ref_to_ptr(key_ref);
1015 1022
1016 /* make the changes with the locks held to prevent chown/chmod races */ 1023 ret = -EOPNOTSUPP;
1017 ret = -EACCES; 1024 if (test_bit(KEY_FLAG_HAS_ACL, &key->flags))
1018 down_write(&key->sem); 1025 goto error_key;
1019 1026
1020 /* if we're not the sysadmin, we can only change a key that we own */ 1027 ret = -ENOMEM;
1021 if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) { 1028 acl = kzalloc(struct_size(acl, aces, nr), GFP_KERNEL);
1022 key->perm = perm; 1029 if (!acl)
1023 ret = 0; 1030 goto error_key;
1031
1032 refcount_set(&acl->usage, 1);
1033 acl->nr_ace = nr;
1034 j = 0;
1035 for (i = 0; i < 4; i++) {
1036 struct key_ace *ace = &acl->aces[j];
1037 unsigned int subset = (perm >> (i * 8)) & KEY_OTH_ALL;
1038
1039 if (!subset)
1040 continue;
1041 ace->type = KEY_ACE_SUBJ_STANDARD;
1042 ace->subject_id = KEY_ACE_EVERYONE + i;
1043 ace->perm = subset;
1044 if (subset & (KEY_OTH_WRITE | KEY_OTH_SETATTR))
1045 ace->perm |= KEY_ACE_REVOKE;
1046 if (subset & KEY_OTH_SEARCH)
1047 ace->perm |= KEY_ACE_INVAL;
1048 if (key->type == &key_type_keyring) {
1049 if (subset & KEY_OTH_SEARCH)
1050 ace->perm |= KEY_ACE_JOIN;
1051 if (subset & KEY_OTH_WRITE)
1052 ace->perm |= KEY_ACE_CLEAR;
1053 }
1054 j++;
1024 } 1055 }
1025 1056
1057 /* make the changes with the locks held to prevent chown/chmod races */
1058 down_write(&key->sem);
1059 ret = key_set_acl(key, acl);
1026 up_write(&key->sem); 1060 up_write(&key->sem);
1061error_key:
1027 key_put(key); 1062 key_put(key);
1028error: 1063error:
1029 return ret; 1064 return ret;
@@ -1388,7 +1423,7 @@ long keyctl_set_timeout(key_serial_t id, unsigned timeout)
1388 long ret; 1423 long ret;
1389 1424
1390 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL, 1425 key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
1391 KEY_NEED_SETATTR); 1426 KEY_NEED_SETSEC);
1392 if (IS_ERR(key_ref)) { 1427 if (IS_ERR(key_ref)) {
1393 /* setting the timeout on a key under construction is permitted 1428 /* setting the timeout on a key under construction is permitted
1394 * if we have the authorisation token handy */ 1429 * if we have the authorisation token handy */
@@ -1539,7 +1574,7 @@ long keyctl_get_security(key_serial_t keyid,
1539 * Attempt to install the calling process's session keyring on the process's 1574 * Attempt to install the calling process's session keyring on the process's
1540 * parent process. 1575 * parent process.
1541 * 1576 *
1542 * The keyring must exist and must grant the caller LINK permission, and the 1577 * The keyring must exist and must grant the caller JOIN permission, and the
1543 * parent process must be single-threaded and must have the same effective 1578 * parent process must be single-threaded and must have the same effective
1544 * ownership as this process and mustn't be SUID/SGID. 1579 * ownership as this process and mustn't be SUID/SGID.
1545 * 1580 *
@@ -1556,7 +1591,7 @@ long keyctl_session_to_parent(void)
1556 struct cred *cred; 1591 struct cred *cred;
1557 int ret; 1592 int ret;
1558 1593
1559 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK); 1594 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_JOIN);
1560 if (IS_ERR(keyring_r)) 1595 if (IS_ERR(keyring_r))
1561 return PTR_ERR(keyring_r); 1596 return PTR_ERR(keyring_r);
1562 1597
@@ -1658,7 +1693,7 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type,
1658 char *restriction = NULL; 1693 char *restriction = NULL;
1659 long ret; 1694 long ret;
1660 1695
1661 key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR); 1696 key_ref = lookup_user_key(id, 0, KEY_NEED_SETSEC);
1662 if (IS_ERR(key_ref)) 1697 if (IS_ERR(key_ref))
1663 return PTR_ERR(key_ref); 1698 return PTR_ERR(key_ref);
1664 1699
@@ -1764,7 +1799,7 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1764 1799
1765 case KEYCTL_SETPERM: 1800 case KEYCTL_SETPERM:
1766 return keyctl_setperm_key((key_serial_t) arg2, 1801 return keyctl_setperm_key((key_serial_t) arg2,
1767 (key_perm_t) arg3); 1802 (unsigned int)arg3);
1768 1803
1769 case KEYCTL_INSTANTIATE: 1804 case KEYCTL_INSTANTIATE:
1770 return keyctl_instantiate_key((key_serial_t) arg2, 1805 return keyctl_instantiate_key((key_serial_t) arg2,
@@ -1853,6 +1888,11 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1853 (key_serial_t)arg3, 1888 (key_serial_t)arg3,
1854 (key_serial_t)arg4, 1889 (key_serial_t)arg4,
1855 (unsigned int)arg5); 1890 (unsigned int)arg5);
1891 case KEYCTL_GRANT_PERMISSION:
1892 return keyctl_grant_permission((key_serial_t)arg2,
1893 (enum key_ace_subject_type)arg3,
1894 (unsigned int)arg4,
1895 (unsigned int)arg5);
1856 1896
1857 case KEYCTL_CAPABILITIES: 1897 case KEYCTL_CAPABILITIES:
1858 return keyctl_capabilities((unsigned char __user *)arg2, (size_t)arg3); 1898 return keyctl_capabilities((unsigned char __user *)arg2, (size_t)arg3);
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index febf36c6ddc5..3b5458f23a95 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -515,11 +515,19 @@ static long keyring_read(const struct key *keyring,
515 return ret; 515 return ret;
516} 516}
517 517
518/* 518/**
519 * Allocate a keyring and link into the destination keyring. 519 * keyring_alloc - Allocate a keyring and link into the destination
520 * @description: The key description to allow the key to be searched out.
521 * @uid: The owner of the new key.
522 * @gid: The group ID for the new key's group permissions.
523 * @cred: The credentials specifying UID namespace.
524 * @acl: The ACL to attach to the new key.
525 * @flags: Flags specifying quota properties.
526 * @restrict_link: Optional link restriction for new keyrings.
527 * @dest: Destination keyring.
520 */ 528 */
521struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid, 529struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
522 const struct cred *cred, key_perm_t perm, 530 const struct cred *cred, struct key_acl *acl,
523 unsigned long flags, 531 unsigned long flags,
524 struct key_restriction *restrict_link, 532 struct key_restriction *restrict_link,
525 struct key *dest) 533 struct key *dest)
@@ -528,7 +536,7 @@ struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
528 int ret; 536 int ret;
529 537
530 keyring = key_alloc(&key_type_keyring, description, 538 keyring = key_alloc(&key_type_keyring, description,
531 uid, gid, cred, perm, flags, restrict_link); 539 uid, gid, cred, acl, flags, restrict_link);
532 if (!IS_ERR(keyring)) { 540 if (!IS_ERR(keyring)) {
533 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); 541 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
534 if (ret < 0) { 542 if (ret < 0) {
@@ -1132,10 +1140,11 @@ found:
1132/* 1140/*
1133 * Find a keyring with the specified name. 1141 * Find a keyring with the specified name.
1134 * 1142 *
1135 * Only keyrings that have nonzero refcount, are not revoked, and are owned by a 1143 * Only keyrings that have nonzero refcount, are not revoked, and are owned by
1136 * user in the current user namespace are considered. If @uid_keyring is %true, 1144 * a user in the current user namespace are considered. If @uid_keyring is
1137 * the keyring additionally must have been allocated as a user or user session 1145 * %true, the keyring additionally must have been allocated as a user or user
1138 * keyring; otherwise, it must grant Search permission directly to the caller. 1146 * session keyring; otherwise, it must grant JOIN permission directly to the
1147 * caller (ie. not through possession).
1139 * 1148 *
1140 * Returns a pointer to the keyring with the keyring's refcount having being 1149 * Returns a pointer to the keyring with the keyring's refcount having being
1141 * incremented on success. -ENOKEY is returned if a key could not be found. 1150 * incremented on success. -ENOKEY is returned if a key could not be found.
@@ -1169,7 +1178,7 @@ struct key *find_keyring_by_name(const char *name, bool uid_keyring)
1169 continue; 1178 continue;
1170 } else { 1179 } else {
1171 if (key_permission(make_key_ref(keyring, 0), 1180 if (key_permission(make_key_ref(keyring, 0),
1172 KEY_NEED_SEARCH) < 0) 1181 KEY_NEED_JOIN) < 0)
1173 continue; 1182 continue;
1174 } 1183 }
1175 1184
diff --git a/security/keys/permission.c b/security/keys/permission.c
index 085f907b64ac..fd8a5dc6910a 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -7,13 +7,67 @@
7 7
8#include <linux/export.h> 8#include <linux/export.h>
9#include <linux/security.h> 9#include <linux/security.h>
10#include <linux/user_namespace.h>
11#include <linux/uaccess.h>
10#include "internal.h" 12#include "internal.h"
11 13
14struct key_acl default_key_acl = {
15 .usage = REFCOUNT_INIT(1),
16 .nr_ace = 2,
17 .possessor_viewable = true,
18 .aces = {
19 KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN),
20 KEY_OWNER_ACE(KEY_ACE_VIEW),
21 }
22};
23EXPORT_SYMBOL(default_key_acl);
24
25struct key_acl joinable_keyring_acl = {
26 .usage = REFCOUNT_INIT(1),
27 .nr_ace = 2,
28 .possessor_viewable = true,
29 .aces = {
30 KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN),
31 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_LINK | KEY_ACE_JOIN),
32 }
33};
34EXPORT_SYMBOL(joinable_keyring_acl);
35
36struct key_acl internal_key_acl = {
37 .usage = REFCOUNT_INIT(1),
38 .nr_ace = 2,
39 .aces = {
40 KEY_POSSESSOR_ACE(KEY_ACE_SEARCH),
41 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_SEARCH),
42 }
43};
44EXPORT_SYMBOL(internal_key_acl);
45
46struct key_acl internal_keyring_acl = {
47 .usage = REFCOUNT_INIT(1),
48 .nr_ace = 2,
49 .aces = {
50 KEY_POSSESSOR_ACE(KEY_ACE_SEARCH),
51 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_SEARCH),
52 }
53};
54EXPORT_SYMBOL(internal_keyring_acl);
55
56struct key_acl internal_writable_keyring_acl = {
57 .usage = REFCOUNT_INIT(1),
58 .nr_ace = 2,
59 .aces = {
60 KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE),
61 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_WRITE | KEY_ACE_SEARCH),
62 }
63};
64EXPORT_SYMBOL(internal_writable_keyring_acl);
65
12/** 66/**
13 * key_task_permission - Check a key can be used 67 * key_task_permission - Check a key can be used
14 * @key_ref: The key to check. 68 * @key_ref: The key to check.
15 * @cred: The credentials to use. 69 * @cred: The credentials to use.
16 * @perm: The permissions to check for. 70 * @desired_perm: The permission to check for.
17 * 71 *
18 * Check to see whether permission is granted to use a key in the desired way, 72 * Check to see whether permission is granted to use a key in the desired way,
19 * but permit the security modules to override. 73 * but permit the security modules to override.
@@ -24,53 +78,73 @@
24 * permissions bits or the LSM check. 78 * permissions bits or the LSM check.
25 */ 79 */
26int key_task_permission(const key_ref_t key_ref, const struct cred *cred, 80int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
27 unsigned perm) 81 unsigned int desired_perm)
28{ 82{
29 struct key *key; 83 const struct key_acl *acl;
30 key_perm_t kperm; 84 const struct key *key;
31 int ret; 85 unsigned int allow = 0;
86 int i;
87
88 BUILD_BUG_ON(KEY_NEED_VIEW != KEY_ACE_VIEW ||
89 KEY_NEED_READ != KEY_ACE_READ ||
90 KEY_NEED_WRITE != KEY_ACE_WRITE ||
91 KEY_NEED_SEARCH != KEY_ACE_SEARCH ||
92 KEY_NEED_LINK != KEY_ACE_LINK ||
93 KEY_NEED_SETSEC != KEY_ACE_SET_SECURITY ||
94 KEY_NEED_INVAL != KEY_ACE_INVAL ||
95 KEY_NEED_REVOKE != KEY_ACE_REVOKE ||
96 KEY_NEED_JOIN != KEY_ACE_JOIN ||
97 KEY_NEED_CLEAR != KEY_ACE_CLEAR);
32 98
33 key = key_ref_to_ptr(key_ref); 99 key = key_ref_to_ptr(key_ref);
34 100
35 /* use the second 8-bits of permissions for keys the caller owns */ 101 rcu_read_lock();
36 if (uid_eq(key->uid, cred->fsuid)) {
37 kperm = key->perm >> 16;
38 goto use_these_perms;
39 }
40 102
41 /* use the third 8-bits of permissions for keys the caller has a group 103 acl = rcu_dereference(key->acl);
42 * membership in common with */ 104 if (!acl || acl->nr_ace == 0)
43 if (gid_valid(key->gid) && key->perm & KEY_GRP_ALL) { 105 goto no_access_rcu;
44 if (gid_eq(key->gid, cred->fsgid)) {
45 kperm = key->perm >> 8;
46 goto use_these_perms;
47 }
48 106
49 ret = groups_search(cred->group_info, key->gid); 107 for (i = 0; i < acl->nr_ace; i++) {
50 if (ret) { 108 const struct key_ace *ace = &acl->aces[i];
51 kperm = key->perm >> 8; 109
52 goto use_these_perms; 110 switch (ace->type) {
111 case KEY_ACE_SUBJ_STANDARD:
112 switch (ace->subject_id) {
113 case KEY_ACE_POSSESSOR:
114 if (is_key_possessed(key_ref))
115 allow |= ace->perm;
116 break;
117 case KEY_ACE_OWNER:
118 if (uid_eq(key->uid, cred->fsuid))
119 allow |= ace->perm;
120 break;
121 case KEY_ACE_GROUP:
122 if (gid_valid(key->gid)) {
123 if (gid_eq(key->gid, cred->fsgid))
124 allow |= ace->perm;
125 else if (groups_search(cred->group_info, key->gid))
126 allow |= ace->perm;
127 }
128 break;
129 case KEY_ACE_EVERYONE:
130 allow |= ace->perm;
131 break;
132 }
133 break;
53 } 134 }
54 } 135 }
55 136
56 /* otherwise use the least-significant 8-bits */ 137 rcu_read_unlock();
57 kperm = key->perm;
58
59use_these_perms:
60 138
61 /* use the top 8-bits of permissions for keys the caller possesses 139 if (!(allow & desired_perm))
62 * - possessor permissions are additive with other permissions 140 goto no_access;
63 */
64 if (is_key_possessed(key_ref))
65 kperm |= key->perm >> 24;
66 141
67 kperm = kperm & perm & KEY_NEED_ALL; 142 return security_key_permission(key_ref, cred, desired_perm);
68 143
69 if (kperm != perm) 144no_access_rcu:
70 return -EACCES; 145 rcu_read_unlock();
71 146no_access:
72 /* let LSM be the final arbiter */ 147 return -EACCES;
73 return security_key_permission(key_ref, cred, perm);
74} 148}
75EXPORT_SYMBOL(key_task_permission); 149EXPORT_SYMBOL(key_task_permission);
76 150
@@ -104,3 +178,218 @@ int key_validate(const struct key *key)
104 return 0; 178 return 0;
105} 179}
106EXPORT_SYMBOL(key_validate); 180EXPORT_SYMBOL(key_validate);
181
182/*
183 * Roughly render an ACL to an old-style permissions mask. We cannot
184 * accurately render what the ACL, particularly if it has ACEs that represent
185 * subjects outside of { poss, user, group, other }.
186 */
187unsigned int key_acl_to_perm(const struct key_acl *acl)
188{
189 unsigned int perm = 0, tperm;
190 int i;
191
192 BUILD_BUG_ON(KEY_OTH_VIEW != KEY_ACE_VIEW ||
193 KEY_OTH_READ != KEY_ACE_READ ||
194 KEY_OTH_WRITE != KEY_ACE_WRITE ||
195 KEY_OTH_SEARCH != KEY_ACE_SEARCH ||
196 KEY_OTH_LINK != KEY_ACE_LINK ||
197 KEY_OTH_SETATTR != KEY_ACE_SET_SECURITY);
198
199 if (!acl || acl->nr_ace == 0)
200 return 0;
201
202 for (i = 0; i < acl->nr_ace; i++) {
203 const struct key_ace *ace = &acl->aces[i];
204
205 switch (ace->type) {
206 case KEY_ACE_SUBJ_STANDARD:
207 tperm = ace->perm & KEY_OTH_ALL;
208
209 /* Invalidation and joining were allowed by SEARCH */
210 if (ace->perm & (KEY_ACE_INVAL | KEY_ACE_JOIN))
211 tperm |= KEY_OTH_SEARCH;
212
213 /* Revocation was allowed by either SETATTR or WRITE */
214 if ((ace->perm & KEY_ACE_REVOKE) && !(tperm & KEY_OTH_SETATTR))
215 tperm |= KEY_OTH_WRITE;
216
217 /* Clearing was allowed by WRITE */
218 if (ace->perm & KEY_ACE_CLEAR)
219 tperm |= KEY_OTH_WRITE;
220
221 switch (ace->subject_id) {
222 case KEY_ACE_POSSESSOR:
223 perm |= tperm << 24;
224 break;
225 case KEY_ACE_OWNER:
226 perm |= tperm << 16;
227 break;
228 case KEY_ACE_GROUP:
229 perm |= tperm << 8;
230 break;
231 case KEY_ACE_EVERYONE:
232 perm |= tperm << 0;
233 break;
234 }
235 }
236 }
237
238 return perm;
239}
240
241/*
242 * Destroy a key's ACL.
243 */
244void key_put_acl(struct key_acl *acl)
245{
246 if (acl && refcount_dec_and_test(&acl->usage))
247 kfree_rcu(acl, rcu);
248}
249
250/*
251 * Try to set the ACL. This either attaches or discards the proposed ACL.
252 */
253long key_set_acl(struct key *key, struct key_acl *acl)
254{
255 int i;
256
257 /* If we're not the sysadmin, we can only change a key that we own. */
258 if (!capable(CAP_SYS_ADMIN) && !uid_eq(key->uid, current_fsuid())) {
259 key_put_acl(acl);
260 return -EACCES;
261 }
262
263 for (i = 0; i < acl->nr_ace; i++) {
264 const struct key_ace *ace = &acl->aces[i];
265 if (ace->type == KEY_ACE_SUBJ_STANDARD &&
266 ace->subject_id == KEY_ACE_POSSESSOR) {
267 if (ace->perm & KEY_ACE_VIEW)
268 acl->possessor_viewable = true;
269 break;
270 }
271 }
272
273 rcu_swap_protected(key->acl, acl, lockdep_is_held(&key->sem));
274 key_put_acl(acl);
275 return 0;
276}
277
278/*
279 * Allocate a new ACL with an extra ACE slot.
280 */
281static struct key_acl *key_alloc_acl(const struct key_acl *old_acl, int nr, int skip)
282{
283 struct key_acl *acl;
284 int nr_ace, i, j = 0;
285
286 nr_ace = old_acl->nr_ace + nr;
287 if (nr_ace > 16)
288 return ERR_PTR(-EINVAL);
289
290 acl = kzalloc(struct_size(acl, aces, nr_ace), GFP_KERNEL);
291 if (!acl)
292 return ERR_PTR(-ENOMEM);
293
294 refcount_set(&acl->usage, 1);
295 acl->nr_ace = nr_ace;
296 for (i = 0; i < old_acl->nr_ace; i++) {
297 if (i == skip)
298 continue;
299 acl->aces[j] = old_acl->aces[i];
300 j++;
301 }
302 return acl;
303}
304
305/*
306 * Generate the revised ACL.
307 */
308static long key_change_acl(struct key *key, struct key_ace *new_ace)
309{
310 struct key_acl *acl, *old;
311 int i;
312
313 old = rcu_dereference_protected(key->acl, lockdep_is_held(&key->sem));
314
315 for (i = 0; i < old->nr_ace; i++)
316 if (old->aces[i].type == new_ace->type &&
317 old->aces[i].subject_id == new_ace->subject_id)
318 goto found_match;
319
320 if (new_ace->perm == 0)
321 return 0; /* No permissions to remove. Add deny record? */
322
323 acl = key_alloc_acl(old, 1, -1);
324 if (IS_ERR(acl))
325 return PTR_ERR(acl);
326 acl->aces[i] = *new_ace;
327 goto change;
328
329found_match:
330 if (new_ace->perm == 0)
331 goto delete_ace;
332 if (new_ace->perm == old->aces[i].perm)
333 return 0;
334 acl = key_alloc_acl(old, 0, -1);
335 if (IS_ERR(acl))
336 return PTR_ERR(acl);
337 acl->aces[i].perm = new_ace->perm;
338 goto change;
339
340delete_ace:
341 acl = key_alloc_acl(old, -1, i);
342 if (IS_ERR(acl))
343 return PTR_ERR(acl);
344 goto change;
345
346change:
347 return key_set_acl(key, acl);
348}
349
350/*
351 * Add, alter or remove (if perm == 0) an ACE in a key's ACL.
352 */
353long keyctl_grant_permission(key_serial_t keyid,
354 enum key_ace_subject_type type,
355 unsigned int subject,
356 unsigned int perm)
357{
358 struct key_ace new_ace;
359 struct key *key;
360 key_ref_t key_ref;
361 long ret;
362
363 new_ace.type = type;
364 new_ace.perm = perm;
365
366 switch (type) {
367 case KEY_ACE_SUBJ_STANDARD:
368 if (subject >= nr__key_ace_standard_subject)
369 return -ENOENT;
370 new_ace.subject_id = subject;
371 break;
372
373 default:
374 return -ENOENT;
375 }
376
377 key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_SETSEC);
378 if (IS_ERR(key_ref)) {
379 ret = PTR_ERR(key_ref);
380 goto error;
381 }
382
383 key = key_ref_to_ptr(key_ref);
384
385 down_write(&key->sem);
386
387 /* If we're not the sysadmin, we can only change a key that we own */
388 ret = -EACCES;
389 if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid()))
390 ret = key_change_acl(key, &new_ace);
391 up_write(&key->sem);
392 key_put(key);
393error:
394 return ret;
395}
diff --git a/security/keys/persistent.c b/security/keys/persistent.c
index 97af230aa4b2..8171c90d4c9a 100644
--- a/security/keys/persistent.c
+++ b/security/keys/persistent.c
@@ -12,6 +12,27 @@
12 12
13unsigned persistent_keyring_expiry = 3 * 24 * 3600; /* Expire after 3 days of non-use */ 13unsigned persistent_keyring_expiry = 3 * 24 * 3600; /* Expire after 3 days of non-use */
14 14
15static struct key_acl persistent_register_keyring_acl = {
16 .usage = REFCOUNT_INIT(1),
17 .nr_ace = 2,
18 .aces = {
19 KEY_POSSESSOR_ACE(KEY_ACE_SEARCH | KEY_ACE_WRITE),
20 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ),
21 }
22};
23
24static struct key_acl persistent_keyring_acl = {
25 .usage = REFCOUNT_INIT(1),
26 .nr_ace = 2,
27 .possessor_viewable = true,
28 .aces = {
29 KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_WRITE |
30 KEY_ACE_SEARCH | KEY_ACE_LINK |
31 KEY_ACE_CLEAR | KEY_ACE_INVAL),
32 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ),
33 }
34};
35
15/* 36/*
16 * Create the persistent keyring register for the current user namespace. 37 * Create the persistent keyring register for the current user namespace.
17 * 38 *
@@ -22,8 +43,7 @@ static int key_create_persistent_register(struct user_namespace *ns)
22 struct key *reg = keyring_alloc(".persistent_register", 43 struct key *reg = keyring_alloc(".persistent_register",
23 KUIDT_INIT(0), KGIDT_INIT(0), 44 KUIDT_INIT(0), KGIDT_INIT(0),
24 current_cred(), 45 current_cred(),
25 ((KEY_POS_ALL & ~KEY_POS_SETATTR) | 46 &persistent_register_keyring_acl,
26 KEY_USR_VIEW | KEY_USR_READ),
27 KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); 47 KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
28 if (IS_ERR(reg)) 48 if (IS_ERR(reg))
29 return PTR_ERR(reg); 49 return PTR_ERR(reg);
@@ -56,8 +76,7 @@ static key_ref_t key_create_persistent(struct user_namespace *ns, kuid_t uid,
56 76
57 persistent = keyring_alloc(index_key->description, 77 persistent = keyring_alloc(index_key->description,
58 uid, INVALID_GID, current_cred(), 78 uid, INVALID_GID, current_cred(),
59 ((KEY_POS_ALL & ~KEY_POS_SETATTR) | 79 &persistent_keyring_acl,
60 KEY_USR_VIEW | KEY_USR_READ),
61 KEY_ALLOC_NOT_IN_QUOTA, NULL, 80 KEY_ALLOC_NOT_IN_QUOTA, NULL,
62 ns->persistent_keyring_register); 81 ns->persistent_keyring_register);
63 if (IS_ERR(persistent)) 82 if (IS_ERR(persistent))
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 415f3f1c2da0..b394ad1e874b 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -110,11 +110,13 @@ static struct key *find_ge_key(struct seq_file *p, key_serial_t id)
110} 110}
111 111
112static void *proc_keys_start(struct seq_file *p, loff_t *_pos) 112static void *proc_keys_start(struct seq_file *p, loff_t *_pos)
113 __acquires(rcu)
113 __acquires(key_serial_lock) 114 __acquires(key_serial_lock)
114{ 115{
115 key_serial_t pos = *_pos; 116 key_serial_t pos = *_pos;
116 struct key *key; 117 struct key *key;
117 118
119 rcu_read_lock();
118 spin_lock(&key_serial_lock); 120 spin_lock(&key_serial_lock);
119 121
120 if (*_pos > INT_MAX) 122 if (*_pos > INT_MAX)
@@ -144,12 +146,15 @@ static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos)
144 146
145static void proc_keys_stop(struct seq_file *p, void *v) 147static void proc_keys_stop(struct seq_file *p, void *v)
146 __releases(key_serial_lock) 148 __releases(key_serial_lock)
149 __releases(rcu)
147{ 150{
148 spin_unlock(&key_serial_lock); 151 spin_unlock(&key_serial_lock);
152 rcu_read_unlock();
149} 153}
150 154
151static int proc_keys_show(struct seq_file *m, void *v) 155static int proc_keys_show(struct seq_file *m, void *v)
152{ 156{
157 const struct key_acl *acl;
153 struct rb_node *_p = v; 158 struct rb_node *_p = v;
154 struct key *key = rb_entry(_p, struct key, serial_node); 159 struct key *key = rb_entry(_p, struct key, serial_node);
155 unsigned long flags; 160 unsigned long flags;
@@ -157,6 +162,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
157 time64_t now, expiry; 162 time64_t now, expiry;
158 char xbuf[16]; 163 char xbuf[16];
159 short state; 164 short state;
165 bool check_pos;
160 u64 timo; 166 u64 timo;
161 int rc; 167 int rc;
162 168
@@ -170,15 +176,15 @@ static int proc_keys_show(struct seq_file *m, void *v)
170 KEYRING_SEARCH_RECURSE), 176 KEYRING_SEARCH_RECURSE),
171 }; 177 };
172 178
173 key_ref = make_key_ref(key, 0); 179 acl = rcu_dereference(key->acl);
180 check_pos = acl->possessor_viewable;
174 181
175 /* determine if the key is possessed by this process (a test we can 182 /* determine if the key is possessed by this process (a test we can
176 * skip if the key does not indicate the possessor can view it 183 * skip if the key does not indicate the possessor can view it
177 */ 184 */
178 if (key->perm & KEY_POS_VIEW) { 185 key_ref = make_key_ref(key, 0);
179 rcu_read_lock(); 186 if (check_pos) {
180 skey_ref = search_cred_keyrings_rcu(&ctx); 187 skey_ref = search_cred_keyrings_rcu(&ctx);
181 rcu_read_unlock();
182 if (!IS_ERR(skey_ref)) { 188 if (!IS_ERR(skey_ref)) {
183 key_ref_put(skey_ref); 189 key_ref_put(skey_ref);
184 key_ref = make_key_ref(key, 1); 190 key_ref = make_key_ref(key, 1);
@@ -188,12 +194,10 @@ static int proc_keys_show(struct seq_file *m, void *v)
188 /* check whether the current task is allowed to view the key */ 194 /* check whether the current task is allowed to view the key */
189 rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW); 195 rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW);
190 if (rc < 0) 196 if (rc < 0)
191 return 0; 197 goto out;
192 198
193 now = ktime_get_real_seconds(); 199 now = ktime_get_real_seconds();
194 200
195 rcu_read_lock();
196
197 /* come up with a suitable timeout value */ 201 /* come up with a suitable timeout value */
198 expiry = READ_ONCE(key->expiry); 202 expiry = READ_ONCE(key->expiry);
199 if (expiry == 0) { 203 if (expiry == 0) {
@@ -232,7 +236,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
232 showflag(flags, 'i', KEY_FLAG_INVALIDATED), 236 showflag(flags, 'i', KEY_FLAG_INVALIDATED),
233 refcount_read(&key->usage), 237 refcount_read(&key->usage),
234 xbuf, 238 xbuf,
235 key->perm, 239 key_acl_to_perm(acl),
236 from_kuid_munged(seq_user_ns(m), key->uid), 240 from_kuid_munged(seq_user_ns(m), key->uid),
237 from_kgid_munged(seq_user_ns(m), key->gid), 241 from_kgid_munged(seq_user_ns(m), key->gid),
238 key->type->name); 242 key->type->name);
@@ -243,7 +247,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
243 key->type->describe(key, m); 247 key->type->describe(key, m);
244 seq_putc(m, '\n'); 248 seq_putc(m, '\n');
245 249
246 rcu_read_unlock(); 250out:
247 return 0; 251 return 0;
248} 252}
249 253
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 09541de31f2f..aa3bfcadbc66 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -32,6 +32,47 @@ struct key_user root_key_user = {
32 .uid = GLOBAL_ROOT_UID, 32 .uid = GLOBAL_ROOT_UID,
33}; 33};
34 34
35static struct key_acl user_reg_keyring_acl = {
36 .usage = REFCOUNT_INIT(1),
37 .possessor_viewable = true,
38 .nr_ace = 2,
39 .aces = {
40 KEY_POSSESSOR_ACE(KEY_ACE_WRITE | KEY_ACE_SEARCH),
41 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ),
42 }
43};
44
45static struct key_acl user_keyring_acl = {
46 .usage = REFCOUNT_INIT(1),
47 .possessor_viewable = true,
48 .nr_ace = 2,
49 .aces = {
50 KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_WRITE |
51 KEY_ACE_SEARCH | KEY_ACE_LINK),
52 KEY_OWNER_ACE(KEY_ACE__PERMS & ~(KEY_ACE_JOIN | KEY_ACE_SET_SECURITY)),
53 }
54};
55
56static struct key_acl session_keyring_acl = {
57 .usage = REFCOUNT_INIT(1),
58 .possessor_viewable = true,
59 .nr_ace = 2,
60 .aces = {
61 KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~KEY_ACE_JOIN),
62 KEY_OWNER_ACE(KEY_ACE_VIEW | KEY_ACE_READ),
63 }
64};
65
66static struct key_acl thread_and_process_keyring_acl = {
67 .usage = REFCOUNT_INIT(1),
68 .possessor_viewable = true,
69 .nr_ace = 2,
70 .aces = {
71 KEY_POSSESSOR_ACE(KEY_ACE__PERMS & ~(KEY_ACE_JOIN | KEY_ACE_SET_SECURITY)),
72 KEY_OWNER_ACE(KEY_ACE_VIEW),
73 }
74};
75
35/* 76/*
36 * Get or create a user register keyring. 77 * Get or create a user register keyring.
37 */ 78 */
@@ -51,11 +92,8 @@ static struct key *get_user_register(struct user_namespace *user_ns)
51 if (!reg_keyring) { 92 if (!reg_keyring) {
52 reg_keyring = keyring_alloc(".user_reg", 93 reg_keyring = keyring_alloc(".user_reg",
53 user_ns->owner, INVALID_GID, 94 user_ns->owner, INVALID_GID,
54 &init_cred, 95 &init_cred, &user_reg_keyring_acl,
55 KEY_POS_WRITE | KEY_POS_SEARCH | 96 0, NULL, NULL);
56 KEY_USR_VIEW | KEY_USR_READ,
57 0,
58 NULL, NULL);
59 if (!IS_ERR(reg_keyring)) 97 if (!IS_ERR(reg_keyring))
60 smp_store_release(&user_ns->user_keyring_register, 98 smp_store_release(&user_ns->user_keyring_register,
61 reg_keyring); 99 reg_keyring);
@@ -77,14 +115,11 @@ int look_up_user_keyrings(struct key **_user_keyring,
77 const struct cred *cred = current_cred(); 115 const struct cred *cred = current_cred();
78 struct user_namespace *user_ns = current_user_ns(); 116 struct user_namespace *user_ns = current_user_ns();
79 struct key *reg_keyring, *uid_keyring, *session_keyring; 117 struct key *reg_keyring, *uid_keyring, *session_keyring;
80 key_perm_t user_keyring_perm;
81 key_ref_t uid_keyring_r, session_keyring_r; 118 key_ref_t uid_keyring_r, session_keyring_r;
82 uid_t uid = from_kuid(user_ns, cred->user->uid); 119 uid_t uid = from_kuid(user_ns, cred->user->uid);
83 char buf[20]; 120 char buf[20];
84 int ret; 121 int ret;
85 122
86 user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
87
88 kenter("%u", uid); 123 kenter("%u", uid);
89 124
90 reg_keyring = get_user_register(user_ns); 125 reg_keyring = get_user_register(user_ns);
@@ -104,7 +139,7 @@ int look_up_user_keyrings(struct key **_user_keyring,
104 kdebug("_uid %p", uid_keyring_r); 139 kdebug("_uid %p", uid_keyring_r);
105 if (uid_keyring_r == ERR_PTR(-EAGAIN)) { 140 if (uid_keyring_r == ERR_PTR(-EAGAIN)) {
106 uid_keyring = keyring_alloc(buf, cred->user->uid, INVALID_GID, 141 uid_keyring = keyring_alloc(buf, cred->user->uid, INVALID_GID,
107 cred, user_keyring_perm, 142 cred, &user_keyring_acl,
108 KEY_ALLOC_UID_KEYRING | 143 KEY_ALLOC_UID_KEYRING |
109 KEY_ALLOC_IN_QUOTA, 144 KEY_ALLOC_IN_QUOTA,
110 NULL, reg_keyring); 145 NULL, reg_keyring);
@@ -126,7 +161,7 @@ int look_up_user_keyrings(struct key **_user_keyring,
126 kdebug("_uid_ses %p", session_keyring_r); 161 kdebug("_uid_ses %p", session_keyring_r);
127 if (session_keyring_r == ERR_PTR(-EAGAIN)) { 162 if (session_keyring_r == ERR_PTR(-EAGAIN)) {
128 session_keyring = keyring_alloc(buf, cred->user->uid, INVALID_GID, 163 session_keyring = keyring_alloc(buf, cred->user->uid, INVALID_GID,
129 cred, user_keyring_perm, 164 cred, &user_keyring_acl,
130 KEY_ALLOC_UID_KEYRING | 165 KEY_ALLOC_UID_KEYRING |
131 KEY_ALLOC_IN_QUOTA, 166 KEY_ALLOC_IN_QUOTA,
132 NULL, NULL); 167 NULL, NULL);
@@ -226,7 +261,7 @@ int install_thread_keyring_to_cred(struct cred *new)
226 return 0; 261 return 0;
227 262
228 keyring = keyring_alloc("_tid", new->uid, new->gid, new, 263 keyring = keyring_alloc("_tid", new->uid, new->gid, new,
229 KEY_POS_ALL | KEY_USR_VIEW, 264 &thread_and_process_keyring_acl,
230 KEY_ALLOC_QUOTA_OVERRUN, 265 KEY_ALLOC_QUOTA_OVERRUN,
231 NULL, NULL); 266 NULL, NULL);
232 if (IS_ERR(keyring)) 267 if (IS_ERR(keyring))
@@ -273,7 +308,7 @@ int install_process_keyring_to_cred(struct cred *new)
273 return 0; 308 return 0;
274 309
275 keyring = keyring_alloc("_pid", new->uid, new->gid, new, 310 keyring = keyring_alloc("_pid", new->uid, new->gid, new,
276 KEY_POS_ALL | KEY_USR_VIEW, 311 &thread_and_process_keyring_acl,
277 KEY_ALLOC_QUOTA_OVERRUN, 312 KEY_ALLOC_QUOTA_OVERRUN,
278 NULL, NULL); 313 NULL, NULL);
279 if (IS_ERR(keyring)) 314 if (IS_ERR(keyring))
@@ -328,8 +363,7 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
328 flags = KEY_ALLOC_IN_QUOTA; 363 flags = KEY_ALLOC_IN_QUOTA;
329 364
330 keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred, 365 keyring = keyring_alloc("_ses", cred->uid, cred->gid, cred,
331 KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ, 366 &session_keyring_acl, flags, NULL, NULL);
332 flags, NULL, NULL);
333 if (IS_ERR(keyring)) 367 if (IS_ERR(keyring))
334 return PTR_ERR(keyring); 368 return PTR_ERR(keyring);
335 } else { 369 } else {
@@ -609,7 +643,7 @@ bool lookup_user_key_possessed(const struct key *key,
609 * returned key reference. 643 * returned key reference.
610 */ 644 */
611key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, 645key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
612 key_perm_t perm) 646 unsigned int desired_perm)
613{ 647{
614 struct keyring_search_context ctx = { 648 struct keyring_search_context ctx = {
615 .match_data.cmp = lookup_user_key_possessed, 649 .match_data.cmp = lookup_user_key_possessed,
@@ -784,12 +818,12 @@ try_again:
784 case -ERESTARTSYS: 818 case -ERESTARTSYS:
785 goto invalid_key; 819 goto invalid_key;
786 default: 820 default:
787 if (perm) 821 if (desired_perm)
788 goto invalid_key; 822 goto invalid_key;
789 case 0: 823 case 0:
790 break; 824 break;
791 } 825 }
792 } else if (perm) { 826 } else if (desired_perm) {
793 ret = key_validate(key); 827 ret = key_validate(key);
794 if (ret < 0) 828 if (ret < 0)
795 goto invalid_key; 829 goto invalid_key;
@@ -801,9 +835,11 @@ try_again:
801 goto invalid_key; 835 goto invalid_key;
802 836
803 /* check the permissions */ 837 /* check the permissions */
804 ret = key_task_permission(key_ref, ctx.cred, perm); 838 if (desired_perm) {
805 if (ret < 0) 839 ret = key_task_permission(key_ref, ctx.cred, desired_perm);
806 goto invalid_key; 840 if (ret < 0)
841 goto invalid_key;
842 }
807 843
808 key->last_used_at = ktime_get_real_seconds(); 844 key->last_used_at = ktime_get_real_seconds();
809 845
@@ -868,13 +904,13 @@ long join_session_keyring(const char *name)
868 if (PTR_ERR(keyring) == -ENOKEY) { 904 if (PTR_ERR(keyring) == -ENOKEY) {
869 /* not found - try and create a new one */ 905 /* not found - try and create a new one */
870 keyring = keyring_alloc( 906 keyring = keyring_alloc(
871 name, old->uid, old->gid, old, 907 name, old->uid, old->gid, old, &joinable_keyring_acl,
872 KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK,
873 KEY_ALLOC_IN_QUOTA, NULL, NULL); 908 KEY_ALLOC_IN_QUOTA, NULL, NULL);
874 if (IS_ERR(keyring)) { 909 if (IS_ERR(keyring)) {
875 ret = PTR_ERR(keyring); 910 ret = PTR_ERR(keyring);
876 goto error2; 911 goto error2;
877 } 912 }
913 goto no_perm_test;
878 } else if (IS_ERR(keyring)) { 914 } else if (IS_ERR(keyring)) {
879 ret = PTR_ERR(keyring); 915 ret = PTR_ERR(keyring);
880 goto error2; 916 goto error2;
@@ -883,6 +919,12 @@ long join_session_keyring(const char *name)
883 goto error3; 919 goto error3;
884 } 920 }
885 921
922 ret = key_task_permission(make_key_ref(keyring, false), old,
923 KEY_NEED_JOIN);
924 if (ret < 0)
925 goto error3;
926
927no_perm_test:
886 /* we've got a keyring - now to install it */ 928 /* we've got a keyring - now to install it */
887 ret = install_session_keyring_to_cred(new, keyring); 929 ret = install_session_keyring_to_cred(new, keyring);
888 if (ret < 0) 930 if (ret < 0)
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 7325f382dbf4..46c5187ce03f 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -135,8 +135,7 @@ static int call_sbin_request_key(struct key *authkey, void *aux)
135 135
136 cred = get_current_cred(); 136 cred = get_current_cred();
137 keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred, 137 keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred,
138 KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ, 138 NULL, KEY_ALLOC_QUOTA_OVERRUN, NULL, NULL);
139 KEY_ALLOC_QUOTA_OVERRUN, NULL, NULL);
140 put_cred(cred); 139 put_cred(cred);
141 if (IS_ERR(keyring)) { 140 if (IS_ERR(keyring)) {
142 ret = PTR_ERR(keyring); 141 ret = PTR_ERR(keyring);
@@ -367,11 +366,11 @@ static int construct_alloc_key(struct keyring_search_context *ctx,
367 struct key *dest_keyring, 366 struct key *dest_keyring,
368 unsigned long flags, 367 unsigned long flags,
369 struct key_user *user, 368 struct key_user *user,
369 struct key_acl *acl,
370 struct key **_key) 370 struct key **_key)
371{ 371{
372 struct assoc_array_edit *edit = NULL; 372 struct assoc_array_edit *edit = NULL;
373 struct key *key; 373 struct key *key;
374 key_perm_t perm;
375 key_ref_t key_ref; 374 key_ref_t key_ref;
376 int ret; 375 int ret;
377 376
@@ -381,17 +380,9 @@ static int construct_alloc_key(struct keyring_search_context *ctx,
381 *_key = NULL; 380 *_key = NULL;
382 mutex_lock(&user->cons_lock); 381 mutex_lock(&user->cons_lock);
383 382
384 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
385 perm |= KEY_USR_VIEW;
386 if (ctx->index_key.type->read)
387 perm |= KEY_POS_READ;
388 if (ctx->index_key.type == &key_type_keyring ||
389 ctx->index_key.type->update)
390 perm |= KEY_POS_WRITE;
391
392 key = key_alloc(ctx->index_key.type, ctx->index_key.description, 383 key = key_alloc(ctx->index_key.type, ctx->index_key.description,
393 ctx->cred->fsuid, ctx->cred->fsgid, ctx->cred, 384 ctx->cred->fsuid, ctx->cred->fsgid, ctx->cred,
394 perm, flags, NULL); 385 acl, flags, NULL);
395 if (IS_ERR(key)) 386 if (IS_ERR(key))
396 goto alloc_failed; 387 goto alloc_failed;
397 388
@@ -474,6 +465,7 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
474 const char *callout_info, 465 const char *callout_info,
475 size_t callout_len, 466 size_t callout_len,
476 void *aux, 467 void *aux,
468 struct key_acl *acl,
477 struct key *dest_keyring, 469 struct key *dest_keyring,
478 unsigned long flags) 470 unsigned long flags)
479{ 471{
@@ -496,7 +488,7 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
496 goto error_put_dest_keyring; 488 goto error_put_dest_keyring;
497 } 489 }
498 490
499 ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key); 491 ret = construct_alloc_key(ctx, dest_keyring, flags, user, acl, &key);
500 key_user_put(user); 492 key_user_put(user);
501 493
502 if (ret == 0) { 494 if (ret == 0) {
@@ -534,6 +526,7 @@ error:
534 * @callout_info: The data to pass to the instantiation upcall (or NULL). 526 * @callout_info: The data to pass to the instantiation upcall (or NULL).
535 * @callout_len: The length of callout_info. 527 * @callout_len: The length of callout_info.
536 * @aux: Auxiliary data for the upcall. 528 * @aux: Auxiliary data for the upcall.
529 * @acl: The ACL to attach if a new key is created.
537 * @dest_keyring: Where to cache the key. 530 * @dest_keyring: Where to cache the key.
538 * @flags: Flags to key_alloc(). 531 * @flags: Flags to key_alloc().
539 * 532 *
@@ -561,6 +554,7 @@ struct key *request_key_and_link(struct key_type *type,
561 const void *callout_info, 554 const void *callout_info,
562 size_t callout_len, 555 size_t callout_len,
563 void *aux, 556 void *aux,
557 struct key_acl *acl,
564 struct key *dest_keyring, 558 struct key *dest_keyring,
565 unsigned long flags) 559 unsigned long flags)
566{ 560{
@@ -635,7 +629,7 @@ struct key *request_key_and_link(struct key_type *type,
635 goto error_free; 629 goto error_free;
636 630
637 key = construct_key_and_link(&ctx, callout_info, callout_len, 631 key = construct_key_and_link(&ctx, callout_info, callout_len,
638 aux, dest_keyring, flags); 632 aux, acl, dest_keyring, flags);
639 } 633 }
640 634
641error_free: 635error_free:
@@ -678,6 +672,7 @@ EXPORT_SYMBOL(wait_for_key_construction);
678 * @description: The searchable description of the key. 672 * @description: The searchable description of the key.
679 * @domain_tag: The domain in which the key operates. 673 * @domain_tag: The domain in which the key operates.
680 * @callout_info: The data to pass to the instantiation upcall (or NULL). 674 * @callout_info: The data to pass to the instantiation upcall (or NULL).
675 * @acl: The ACL to attach if a new key is created.
681 * 676 *
682 * As for request_key_and_link() except that it does not add the returned key 677 * As for request_key_and_link() except that it does not add the returned key
683 * to a keyring if found, new keys are always allocated in the user's quota, 678 * to a keyring if found, new keys are always allocated in the user's quota,
@@ -690,7 +685,8 @@ EXPORT_SYMBOL(wait_for_key_construction);
690struct key *request_key_tag(struct key_type *type, 685struct key *request_key_tag(struct key_type *type,
691 const char *description, 686 const char *description,
692 struct key_tag *domain_tag, 687 struct key_tag *domain_tag,
693 const char *callout_info) 688 const char *callout_info,
689 struct key_acl *acl)
694{ 690{
695 struct key *key; 691 struct key *key;
696 size_t callout_len = 0; 692 size_t callout_len = 0;
@@ -700,7 +696,7 @@ struct key *request_key_tag(struct key_type *type,
700 callout_len = strlen(callout_info); 696 callout_len = strlen(callout_info);
701 key = request_key_and_link(type, description, domain_tag, 697 key = request_key_and_link(type, description, domain_tag,
702 callout_info, callout_len, 698 callout_info, callout_len,
703 NULL, NULL, KEY_ALLOC_IN_QUOTA); 699 NULL, acl, NULL, KEY_ALLOC_IN_QUOTA);
704 if (!IS_ERR(key)) { 700 if (!IS_ERR(key)) {
705 ret = wait_for_key_construction(key, false); 701 ret = wait_for_key_construction(key, false);
706 if (ret < 0) { 702 if (ret < 0) {
@@ -720,6 +716,7 @@ EXPORT_SYMBOL(request_key_tag);
720 * @callout_info: The data to pass to the instantiation upcall (or NULL). 716 * @callout_info: The data to pass to the instantiation upcall (or NULL).
721 * @callout_len: The length of callout_info. 717 * @callout_len: The length of callout_info.
722 * @aux: Auxiliary data for the upcall. 718 * @aux: Auxiliary data for the upcall.
719 * @acl: The ACL to attach if a new key is created.
723 * 720 *
724 * As for request_key_and_link() except that it does not add the returned key 721 * As for request_key_and_link() except that it does not add the returned key
725 * to a keyring if found and new keys are always allocated in the user's quota. 722 * to a keyring if found and new keys are always allocated in the user's quota.
@@ -732,14 +729,15 @@ struct key *request_key_with_auxdata(struct key_type *type,
732 struct key_tag *domain_tag, 729 struct key_tag *domain_tag,
733 const void *callout_info, 730 const void *callout_info,
734 size_t callout_len, 731 size_t callout_len,
735 void *aux) 732 void *aux,
733 struct key_acl *acl)
736{ 734{
737 struct key *key; 735 struct key *key;
738 int ret; 736 int ret;
739 737
740 key = request_key_and_link(type, description, domain_tag, 738 key = request_key_and_link(type, description, domain_tag,
741 callout_info, callout_len, 739 callout_info, callout_len,
742 aux, NULL, KEY_ALLOC_IN_QUOTA); 740 aux, acl, NULL, KEY_ALLOC_IN_QUOTA);
743 if (!IS_ERR(key)) { 741 if (!IS_ERR(key)) {
744 ret = wait_for_key_construction(key, false); 742 ret = wait_for_key_construction(key, false);
745 if (ret < 0) { 743 if (ret < 0) {
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index e73ec040e250..27e437d94b81 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -24,6 +24,17 @@ static void request_key_auth_revoke(struct key *);
24static void request_key_auth_destroy(struct key *); 24static void request_key_auth_destroy(struct key *);
25static long request_key_auth_read(const struct key *, char __user *, size_t); 25static long request_key_auth_read(const struct key *, char __user *, size_t);
26 26
27static struct key_acl request_key_auth_acl = {
28 .usage = REFCOUNT_INIT(1),
29 .nr_ace = 2,
30 .possessor_viewable = true,
31 .aces = {
32 KEY_POSSESSOR_ACE(KEY_ACE_VIEW | KEY_ACE_READ | KEY_ACE_SEARCH |
33 KEY_ACE_LINK),
34 KEY_OWNER_ACE(KEY_ACE_VIEW),
35 }
36};
37
27/* 38/*
28 * The request-key authorisation key type definition. 39 * The request-key authorisation key type definition.
29 */ 40 */
@@ -210,8 +221,8 @@ struct key *request_key_auth_new(struct key *target, const char *op,
210 221
211 authkey = key_alloc(&key_type_request_key_auth, desc, 222 authkey = key_alloc(&key_type_request_key_auth, desc,
212 cred->fsuid, cred->fsgid, cred, 223 cred->fsuid, cred->fsgid, cred,
213 KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | KEY_POS_LINK | 224 &request_key_auth_acl,
214 KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA, NULL); 225 KEY_ALLOC_NOT_IN_QUOTA, NULL);
215 if (IS_ERR(authkey)) { 226 if (IS_ERR(authkey)) {
216 ret = PTR_ERR(authkey); 227 ret = PTR_ERR(authkey);
217 goto error_free_rka; 228 goto error_free_rka;
generated by cgit v1.2.2 (git 2.25.0) at 2025-10-15 20:36:06 -0400