aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2013-11-21 22:46:00 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2013-11-21 22:46:00 -0500
commit78dc53c422172a317adb0776dfb687057ffa28b7 (patch)
tree7c5d15da75d769d01f6a992c24c3490b3867d5b2 /security
parent3eaded86ac3e7f00fb3eeb8162d89e9a34e42fb0 (diff)
parent62fe318256befbd1b4a6765e71d9c997f768fe79 (diff)
Merge branch 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris: "In this patchset, we finally get an SELinux update, with Paul Moore taking over as maintainer of that code. Also a significant update for the Keys subsystem, as well as maintenance updates to Smack, IMA, TPM, and Apparmor" and since I wanted to know more about the updates to key handling, here's the explanation from David Howells on that: "Okay. There are a number of separate bits. I'll go over the big bits and the odd important other bit, most of the smaller bits are just fixes and cleanups. If you want the small bits accounting for, I can do that too. (1) Keyring capacity expansion. KEYS: Consolidate the concept of an 'index key' for key access KEYS: Introduce a search context structure KEYS: Search for auth-key by name rather than target key ID Add a generic associative array implementation. KEYS: Expand the capacity of a keyring Several of the patches are providing an expansion of the capacity of a keyring. Currently, the maximum size of a keyring payload is one page. Subtract a small header and then divide up into pointers, that only gives you ~500 pointers on an x86_64 box. However, since the NFS idmapper uses a keyring to store ID mapping data, that has proven to be insufficient to the cause. Whatever data structure I use to handle the keyring payload, it can only store pointers to keys, not the keys themselves because several keyrings may point to a single key. This precludes inserting, say, and rb_node struct into the key struct for this purpose. I could make an rbtree of records such that each record has an rb_node and a key pointer, but that would use four words of space per key stored in the keyring. It would, however, be able to use much existing code. I selected instead a non-rebalancing radix-tree type approach as that could have a better space-used/key-pointer ratio. I could have used the radix tree implementation that we already have and insert keys into it by their serial numbers, but that means any sort of search must iterate over the whole radix tree. Further, its nodes are a bit on the capacious side for what I want - especially given that key serial numbers are randomly allocated, thus leaving a lot of empty space in the tree. So what I have is an associative array that internally is a radix-tree with 16 pointers per node where the index key is constructed from the key type pointer and the key description. This means that an exact lookup by type+description is very fast as this tells us how to navigate directly to the target key. I made the data structure general in lib/assoc_array.c as far as it is concerned, its index key is just a sequence of bits that leads to a pointer. It's possible that someone else will be able to make use of it also. FS-Cache might, for example. (2) Mark keys as 'trusted' and keyrings as 'trusted only'. KEYS: verify a certificate is signed by a 'trusted' key KEYS: Make the system 'trusted' keyring viewable by userspace KEYS: Add a 'trusted' flag and a 'trusted only' flag KEYS: Separate the kernel signature checking keyring from module signing These patches allow keys carrying asymmetric public keys to be marked as being 'trusted' and allow keyrings to be marked as only permitting the addition or linkage of trusted keys. Keys loaded from hardware during kernel boot or compiled into the kernel during build are marked as being trusted automatically. New keys can be loaded at runtime with add_key(). They are checked against the system keyring contents and if their signatures can be validated with keys that are already marked trusted, then they are marked trusted also and can thus be added into the master keyring. Patches from Mimi Zohar make this usable with the IMA keyrings also. (3) Remove the date checks on the key used to validate a module signature. X.509: Remove certificate date checks It's not reasonable to reject a signature just because the key that it was generated with is no longer valid datewise - especially if the kernel hasn't yet managed to set the system clock when the first module is loaded - so just remove those checks. (4) Make it simpler to deal with additional X.509 being loaded into the kernel. KEYS: Load *.x509 files into kernel keyring KEYS: Have make canonicalise the paths of the X.509 certs better to deduplicate The builder of the kernel now just places files with the extension ".x509" into the kernel source or build trees and they're concatenated by the kernel build and stuffed into the appropriate section. (5) Add support for userspace kerberos to use keyrings. KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches KEYS: Implement a big key type that can save to tmpfs Fedora went to, by default, storing kerberos tickets and tokens in tmpfs. We looked at storing it in keyrings instead as that confers certain advantages such as tickets being automatically deleted after a certain amount of time and the ability for the kernel to get at these tokens more easily. To make this work, two things were needed: (a) A way for the tickets to persist beyond the lifetime of all a user's sessions so that cron-driven processes can still use them. The problem is that a user's session keyrings are deleted when the session that spawned them logs out and the user's user keyring is deleted when the UID is deleted (typically when the last log out happens), so neither of these places is suitable. I've added a system keyring into which a 'persistent' keyring is created for each UID on request. Each time a user requests their persistent keyring, the expiry time on it is set anew. If the user doesn't ask for it for, say, three days, the keyring is automatically expired and garbage collected using the existing gc. All the kerberos tokens it held are then also gc'd. (b) A key type that can hold really big tickets (up to 1MB in size). The problem is that Active Directory can return huge tickets with lots of auxiliary data attached. We don't, however, want to eat up huge tracts of unswappable kernel space for this, so if the ticket is greater than a certain size, we create a swappable shmem file and dump the contents in there and just live with the fact we then have an inode and a dentry overhead. If the ticket is smaller than that, we slap it in a kmalloc()'d buffer" * 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (121 commits) KEYS: Fix keyring content gc scanner KEYS: Fix error handling in big_key instantiation KEYS: Fix UID check in keyctl_get_persistent() KEYS: The RSA public key algorithm needs to select MPILIB ima: define '_ima' as a builtin 'trusted' keyring ima: extend the measurement list to include the file signature kernel/system_certificate.S: use real contents instead of macro GLOBAL() KEYS: fix error return code in big_key_instantiate() KEYS: Fix keyring quota misaccounting on key replacement and unlink KEYS: Fix a race between negating a key and reading the error set KEYS: Make BIG_KEYS boolean apparmor: remove the "task" arg from may_change_ptraced_domain() apparmor: remove parent task info from audit logging apparmor: remove tsk field from the apparmor_audit_struct apparmor: fix capability to not use the current task, during reporting Smack: Ptrace access check mode ima: provide hash algo info in the xattr ima: enable support for larger default filedata hash algorithms ima: define kernel parameter 'ima_template=' to change configured default ima: add Kconfig default measurement list template ...
Diffstat (limited to 'security')
-rw-r--r--security/Makefile1
-rw-r--r--security/apparmor/audit.c14
-rw-r--r--security/apparmor/capability.c15
-rw-r--r--security/apparmor/domain.c16
-rw-r--r--security/apparmor/include/audit.h1
-rw-r--r--security/apparmor/include/capability.h5
-rw-r--r--security/apparmor/include/ipc.h4
-rw-r--r--security/apparmor/ipc.c9
-rw-r--r--security/apparmor/lsm.c2
-rw-r--r--security/capability.c15
-rw-r--r--security/integrity/digsig.c37
-rw-r--r--security/integrity/digsig_asymmetric.c11
-rw-r--r--security/integrity/evm/evm_main.c4
-rw-r--r--security/integrity/evm/evm_posix_acl.c3
-rw-r--r--security/integrity/iint.c2
-rw-r--r--security/integrity/ima/Kconfig72
-rw-r--r--security/integrity/ima/Makefile2
-rw-r--r--security/integrity/ima/ima.h101
-rw-r--r--security/integrity/ima/ima_api.c136
-rw-r--r--security/integrity/ima/ima_appraise.c117
-rw-r--r--security/integrity/ima/ima_crypto.c134
-rw-r--r--security/integrity/ima/ima_fs.c67
-rw-r--r--security/integrity/ima/ima_init.c37
-rw-r--r--security/integrity/ima/ima_main.c63
-rw-r--r--security/integrity/ima/ima_policy.c1
-rw-r--r--security/integrity/ima/ima_queue.c10
-rw-r--r--security/integrity/ima/ima_template.c178
-rw-r--r--security/integrity/ima/ima_template_lib.c347
-rw-r--r--security/integrity/ima/ima_template_lib.h49
-rw-r--r--security/integrity/integrity.h47
-rw-r--r--security/keys/Kconfig29
-rw-r--r--security/keys/Makefile2
-rw-r--r--security/keys/big_key.c207
-rw-r--r--security/keys/compat.c3
-rw-r--r--security/keys/gc.c47
-rw-r--r--security/keys/internal.h74
-rw-r--r--security/keys/key.c102
-rw-r--r--security/keys/keyctl.c3
-rw-r--r--security/keys/keyring.c1536
-rw-r--r--security/keys/persistent.c167
-rw-r--r--security/keys/proc.c17
-rw-r--r--security/keys/process_keys.c141
-rw-r--r--security/keys/request_key.c60
-rw-r--r--security/keys/request_key_auth.c31
-rw-r--r--security/keys/sysctl.c11
-rw-r--r--security/keys/user_defined.c18
-rw-r--r--security/security.c13
-rw-r--r--security/selinux/hooks.c146
-rw-r--r--security/selinux/include/objsec.h4
-rw-r--r--security/selinux/include/security.h13
-rw-r--r--security/selinux/include/xfrm.h45
-rw-r--r--security/selinux/netlabel.c6
-rw-r--r--security/selinux/netnode.c2
-rw-r--r--security/selinux/selinuxfs.c4
-rw-r--r--security/selinux/ss/ebitmap.c20
-rw-r--r--security/selinux/ss/ebitmap.h10
-rw-r--r--security/selinux/ss/mls.c22
-rw-r--r--security/selinux/ss/mls_types.h2
-rw-r--r--security/selinux/ss/policydb.c3
-rw-r--r--security/selinux/ss/services.c66
-rw-r--r--security/selinux/xfrm.c453
-rw-r--r--security/smack/smack.h12
-rw-r--r--security/smack/smack_access.c10
-rw-r--r--security/smack/smack_lsm.c11
-rw-r--r--security/smack/smackfs.c10
65 files changed, 3204 insertions, 1596 deletions
diff --git a/security/Makefile b/security/Makefile
index c26c81e92571..a5918e01a4f7 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -16,7 +16,6 @@ obj-$(CONFIG_MMU) += min_addr.o
16# Object file lists 16# Object file lists
17obj-$(CONFIG_SECURITY) += security.o capability.o 17obj-$(CONFIG_SECURITY) += security.o capability.o
18obj-$(CONFIG_SECURITYFS) += inode.o 18obj-$(CONFIG_SECURITYFS) += inode.o
19# Must precede capability.o in order to stack properly.
20obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o 19obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
21obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o 20obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
22obj-$(CONFIG_AUDIT) += lsm_audit.o 21obj-$(CONFIG_AUDIT) += lsm_audit.o
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 031d2d9dd695..89c78658031f 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -111,7 +111,6 @@ static const char *const aa_audit_type[] = {
111static void audit_pre(struct audit_buffer *ab, void *ca) 111static void audit_pre(struct audit_buffer *ab, void *ca)
112{ 112{
113 struct common_audit_data *sa = ca; 113 struct common_audit_data *sa = ca;
114 struct task_struct *tsk = sa->aad->tsk ? sa->aad->tsk : current;
115 114
116 if (aa_g_audit_header) { 115 if (aa_g_audit_header) {
117 audit_log_format(ab, "apparmor="); 116 audit_log_format(ab, "apparmor=");
@@ -132,11 +131,6 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
132 131
133 if (sa->aad->profile) { 132 if (sa->aad->profile) {
134 struct aa_profile *profile = sa->aad->profile; 133 struct aa_profile *profile = sa->aad->profile;
135 pid_t pid;
136 rcu_read_lock();
137 pid = rcu_dereference(tsk->real_parent)->pid;
138 rcu_read_unlock();
139 audit_log_format(ab, " parent=%d", pid);
140 if (profile->ns != root_ns) { 134 if (profile->ns != root_ns) {
141 audit_log_format(ab, " namespace="); 135 audit_log_format(ab, " namespace=");
142 audit_log_untrustedstring(ab, profile->ns->base.hname); 136 audit_log_untrustedstring(ab, profile->ns->base.hname);
@@ -149,12 +143,6 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
149 audit_log_format(ab, " name="); 143 audit_log_format(ab, " name=");
150 audit_log_untrustedstring(ab, sa->aad->name); 144 audit_log_untrustedstring(ab, sa->aad->name);
151 } 145 }
152
153 if (sa->aad->tsk) {
154 audit_log_format(ab, " pid=%d comm=", tsk->pid);
155 audit_log_untrustedstring(ab, tsk->comm);
156 }
157
158} 146}
159 147
160/** 148/**
@@ -212,7 +200,7 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
212 200
213 if (sa->aad->type == AUDIT_APPARMOR_KILL) 201 if (sa->aad->type == AUDIT_APPARMOR_KILL)
214 (void)send_sig_info(SIGKILL, NULL, 202 (void)send_sig_info(SIGKILL, NULL,
215 sa->aad->tsk ? sa->aad->tsk : current); 203 sa->u.tsk ? sa->u.tsk : current);
216 204
217 if (sa->aad->type == AUDIT_APPARMOR_ALLOWED) 205 if (sa->aad->type == AUDIT_APPARMOR_ALLOWED)
218 return complain_error(sa->aad->error); 206 return complain_error(sa->aad->error);
diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index 84d1f5f53877..1101c6f64bb7 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -53,8 +53,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
53 53
54/** 54/**
55 * audit_caps - audit a capability 55 * audit_caps - audit a capability
56 * @profile: profile confining task (NOT NULL) 56 * @profile: profile being tested for confinement (NOT NULL)
57 * @task: task capability test was performed against (NOT NULL)
58 * @cap: capability tested 57 * @cap: capability tested
59 * @error: error code returned by test 58 * @error: error code returned by test
60 * 59 *
@@ -63,8 +62,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
63 * 62 *
64 * Returns: 0 or sa->error on success, error code on failure 63 * Returns: 0 or sa->error on success, error code on failure
65 */ 64 */
66static int audit_caps(struct aa_profile *profile, struct task_struct *task, 65static int audit_caps(struct aa_profile *profile, int cap, int error)
67 int cap, int error)
68{ 66{
69 struct audit_cache *ent; 67 struct audit_cache *ent;
70 int type = AUDIT_APPARMOR_AUTO; 68 int type = AUDIT_APPARMOR_AUTO;
@@ -73,7 +71,6 @@ static int audit_caps(struct aa_profile *profile, struct task_struct *task,
73 sa.type = LSM_AUDIT_DATA_CAP; 71 sa.type = LSM_AUDIT_DATA_CAP;
74 sa.aad = &aad; 72 sa.aad = &aad;
75 sa.u.cap = cap; 73 sa.u.cap = cap;
76 sa.aad->tsk = task;
77 sa.aad->op = OP_CAPABLE; 74 sa.aad->op = OP_CAPABLE;
78 sa.aad->error = error; 75 sa.aad->error = error;
79 76
@@ -124,8 +121,7 @@ static int profile_capable(struct aa_profile *profile, int cap)
124 121
125/** 122/**
126 * aa_capable - test permission to use capability 123 * aa_capable - test permission to use capability
127 * @task: task doing capability test against (NOT NULL) 124 * @profile: profile being tested against (NOT NULL)
128 * @profile: profile confining @task (NOT NULL)
129 * @cap: capability to be tested 125 * @cap: capability to be tested
130 * @audit: whether an audit record should be generated 126 * @audit: whether an audit record should be generated
131 * 127 *
@@ -133,8 +129,7 @@ static int profile_capable(struct aa_profile *profile, int cap)
133 * 129 *
134 * Returns: 0 on success, or else an error code. 130 * Returns: 0 on success, or else an error code.
135 */ 131 */
136int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap, 132int aa_capable(struct aa_profile *profile, int cap, int audit)
137 int audit)
138{ 133{
139 int error = profile_capable(profile, cap); 134 int error = profile_capable(profile, cap);
140 135
@@ -144,5 +139,5 @@ int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
144 return error; 139 return error;
145 } 140 }
146 141
147 return audit_caps(profile, task, cap, error); 142 return audit_caps(profile, cap, error);
148} 143}
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 26c607c971f5..452567d3a08e 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -50,23 +50,21 @@ void aa_free_domain_entries(struct aa_domain *domain)
50 50
51/** 51/**
52 * may_change_ptraced_domain - check if can change profile on ptraced task 52 * may_change_ptraced_domain - check if can change profile on ptraced task
53 * @task: task we want to change profile of (NOT NULL)
54 * @to_profile: profile to change to (NOT NULL) 53 * @to_profile: profile to change to (NOT NULL)
55 * 54 *
56 * Check if the task is ptraced and if so if the tracing task is allowed 55 * Check if current is ptraced and if so if the tracing task is allowed
57 * to trace the new domain 56 * to trace the new domain
58 * 57 *
59 * Returns: %0 or error if change not allowed 58 * Returns: %0 or error if change not allowed
60 */ 59 */
61static int may_change_ptraced_domain(struct task_struct *task, 60static int may_change_ptraced_domain(struct aa_profile *to_profile)
62 struct aa_profile *to_profile)
63{ 61{
64 struct task_struct *tracer; 62 struct task_struct *tracer;
65 struct aa_profile *tracerp = NULL; 63 struct aa_profile *tracerp = NULL;
66 int error = 0; 64 int error = 0;
67 65
68 rcu_read_lock(); 66 rcu_read_lock();
69 tracer = ptrace_parent(task); 67 tracer = ptrace_parent(current);
70 if (tracer) 68 if (tracer)
71 /* released below */ 69 /* released below */
72 tracerp = aa_get_task_profile(tracer); 70 tracerp = aa_get_task_profile(tracer);
@@ -75,7 +73,7 @@ static int may_change_ptraced_domain(struct task_struct *task,
75 if (!tracer || unconfined(tracerp)) 73 if (!tracer || unconfined(tracerp))
76 goto out; 74 goto out;
77 75
78 error = aa_may_ptrace(tracer, tracerp, to_profile, PTRACE_MODE_ATTACH); 76 error = aa_may_ptrace(tracerp, to_profile, PTRACE_MODE_ATTACH);
79 77
80out: 78out:
81 rcu_read_unlock(); 79 rcu_read_unlock();
@@ -477,7 +475,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
477 } 475 }
478 476
479 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 477 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
480 error = may_change_ptraced_domain(current, new_profile); 478 error = may_change_ptraced_domain(new_profile);
481 if (error) { 479 if (error) {
482 aa_put_profile(new_profile); 480 aa_put_profile(new_profile);
483 goto audit; 481 goto audit;
@@ -690,7 +688,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
690 } 688 }
691 } 689 }
692 690
693 error = may_change_ptraced_domain(current, hat); 691 error = may_change_ptraced_domain(hat);
694 if (error) { 692 if (error) {
695 info = "ptraced"; 693 info = "ptraced";
696 error = -EPERM; 694 error = -EPERM;
@@ -829,7 +827,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
829 } 827 }
830 828
831 /* check if tracing task is allowed to trace target domain */ 829 /* check if tracing task is allowed to trace target domain */
832 error = may_change_ptraced_domain(current, target); 830 error = may_change_ptraced_domain(target);
833 if (error) { 831 if (error) {
834 info = "ptrace prevents transition"; 832 info = "ptrace prevents transition";
835 goto audit; 833 goto audit;
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 30e8d7687259..ba3dfd17f23f 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -109,7 +109,6 @@ struct apparmor_audit_data {
109 void *profile; 109 void *profile;
110 const char *name; 110 const char *name;
111 const char *info; 111 const char *info;
112 struct task_struct *tsk;
113 union { 112 union {
114 void *target; 113 void *target;
115 struct { 114 struct {
diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h
index 2e7c9d6a2f3b..fc3fa381d850 100644
--- a/security/apparmor/include/capability.h
+++ b/security/apparmor/include/capability.h
@@ -4,7 +4,7 @@
4 * This file contains AppArmor capability mediation definitions. 4 * This file contains AppArmor capability mediation definitions.
5 * 5 *
6 * Copyright (C) 1998-2008 Novell/SUSE 6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd. 7 * Copyright 2009-2013 Canonical Ltd.
8 * 8 *
9 * This program is free software; you can redistribute it and/or 9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as 10 * modify it under the terms of the GNU General Public License as
@@ -38,8 +38,7 @@ struct aa_caps {
38 38
39extern struct aa_fs_entry aa_fs_entry_caps[]; 39extern struct aa_fs_entry aa_fs_entry_caps[];
40 40
41int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap, 41int aa_capable(struct aa_profile *profile, int cap, int audit);
42 int audit);
43 42
44static inline void aa_free_cap_rules(struct aa_caps *caps) 43static inline void aa_free_cap_rules(struct aa_caps *caps)
45{ 44{
diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h
index aeda0fbc8b2f..288ca76e2fb1 100644
--- a/security/apparmor/include/ipc.h
+++ b/security/apparmor/include/ipc.h
@@ -19,8 +19,8 @@
19 19
20struct aa_profile; 20struct aa_profile;
21 21
22int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer, 22int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee,
23 struct aa_profile *tracee, unsigned int mode); 23 unsigned int mode);
24 24
25int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee, 25int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
26 unsigned int mode); 26 unsigned int mode);
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
index c51d2266587e..777ac1c47253 100644
--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -54,15 +54,14 @@ static int aa_audit_ptrace(struct aa_profile *profile,
54 54
55/** 55/**
56 * aa_may_ptrace - test if tracer task can trace the tracee 56 * aa_may_ptrace - test if tracer task can trace the tracee
57 * @tracer_task: task who will do the tracing (NOT NULL)
58 * @tracer: profile of the task doing the tracing (NOT NULL) 57 * @tracer: profile of the task doing the tracing (NOT NULL)
59 * @tracee: task to be traced 58 * @tracee: task to be traced
60 * @mode: whether PTRACE_MODE_READ || PTRACE_MODE_ATTACH 59 * @mode: whether PTRACE_MODE_READ || PTRACE_MODE_ATTACH
61 * 60 *
62 * Returns: %0 else error code if permission denied or error 61 * Returns: %0 else error code if permission denied or error
63 */ 62 */
64int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer, 63int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee,
65 struct aa_profile *tracee, unsigned int mode) 64 unsigned int mode)
66{ 65{
67 /* TODO: currently only based on capability, not extended ptrace 66 /* TODO: currently only based on capability, not extended ptrace
68 * rules, 67 * rules,
@@ -72,7 +71,7 @@ int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer,
72 if (unconfined(tracer) || tracer == tracee) 71 if (unconfined(tracer) || tracer == tracee)
73 return 0; 72 return 0;
74 /* log this capability request */ 73 /* log this capability request */
75 return aa_capable(tracer_task, tracer, CAP_SYS_PTRACE, 1); 74 return aa_capable(tracer, CAP_SYS_PTRACE, 1);
76} 75}
77 76
78/** 77/**
@@ -101,7 +100,7 @@ int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
101 if (!unconfined(tracer_p)) { 100 if (!unconfined(tracer_p)) {
102 struct aa_profile *tracee_p = aa_get_task_profile(tracee); 101 struct aa_profile *tracee_p = aa_get_task_profile(tracee);
103 102
104 error = aa_may_ptrace(tracer, tracer_p, tracee_p, mode); 103 error = aa_may_ptrace(tracer_p, tracee_p, mode);
105 error = aa_audit_ptrace(tracer_p, tracee_p, error); 104 error = aa_audit_ptrace(tracer_p, tracee_p, error);
106 105
107 aa_put_profile(tracee_p); 106 aa_put_profile(tracee_p);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index fb99e18123b4..4257b7e2796b 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -145,7 +145,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
145 if (!error) { 145 if (!error) {
146 profile = aa_cred_profile(cred); 146 profile = aa_cred_profile(cred);
147 if (!unconfined(profile)) 147 if (!unconfined(profile))
148 error = aa_capable(current, profile, cap, audit); 148 error = aa_capable(profile, cap, audit);
149 } 149 }
150 return error; 150 return error;
151} 151}
diff --git a/security/capability.c b/security/capability.c
index dbeb9bc27b24..8b4f24ae4338 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -777,9 +777,15 @@ static int cap_xfrm_policy_delete_security(struct xfrm_sec_ctx *ctx)
777 return 0; 777 return 0;
778} 778}
779 779
780static int cap_xfrm_state_alloc_security(struct xfrm_state *x, 780static int cap_xfrm_state_alloc(struct xfrm_state *x,
781 struct xfrm_user_sec_ctx *sec_ctx, 781 struct xfrm_user_sec_ctx *sec_ctx)
782 u32 secid) 782{
783 return 0;
784}
785
786static int cap_xfrm_state_alloc_acquire(struct xfrm_state *x,
787 struct xfrm_sec_ctx *polsec,
788 u32 secid)
783{ 789{
784 return 0; 790 return 0;
785} 791}
@@ -1101,7 +1107,8 @@ void __init security_fixup_ops(struct security_operations *ops)
1101 set_to_cap_if_null(ops, xfrm_policy_clone_security); 1107 set_to_cap_if_null(ops, xfrm_policy_clone_security);
1102 set_to_cap_if_null(ops, xfrm_policy_free_security); 1108 set_to_cap_if_null(ops, xfrm_policy_free_security);
1103 set_to_cap_if_null(ops, xfrm_policy_delete_security); 1109 set_to_cap_if_null(ops, xfrm_policy_delete_security);
1104 set_to_cap_if_null(ops, xfrm_state_alloc_security); 1110 set_to_cap_if_null(ops, xfrm_state_alloc);
1111 set_to_cap_if_null(ops, xfrm_state_alloc_acquire);
1105 set_to_cap_if_null(ops, xfrm_state_free_security); 1112 set_to_cap_if_null(ops, xfrm_state_free_security);
1106 set_to_cap_if_null(ops, xfrm_state_delete_security); 1113 set_to_cap_if_null(ops, xfrm_state_delete_security);
1107 set_to_cap_if_null(ops, xfrm_policy_lookup); 1114 set_to_cap_if_null(ops, xfrm_policy_lookup);
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 0b759e17a131..77ca965ab684 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -13,7 +13,9 @@
13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14 14
15#include <linux/err.h> 15#include <linux/err.h>
16#include <linux/sched.h>
16#include <linux/rbtree.h> 17#include <linux/rbtree.h>
18#include <linux/cred.h>
17#include <linux/key-type.h> 19#include <linux/key-type.h>
18#include <linux/digsig.h> 20#include <linux/digsig.h>
19 21
@@ -21,21 +23,29 @@
21 23
22static struct key *keyring[INTEGRITY_KEYRING_MAX]; 24static struct key *keyring[INTEGRITY_KEYRING_MAX];
23 25
26#ifdef CONFIG_IMA_TRUSTED_KEYRING
27static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
28 ".evm",
29 ".module",
30 ".ima",
31};
32#else
24static const char *keyring_name[INTEGRITY_KEYRING_MAX] = { 33static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
25 "_evm", 34 "_evm",
26 "_module", 35 "_module",
27 "_ima", 36 "_ima",
28}; 37};
38#endif
29 39
30int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, 40int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
31 const char *digest, int digestlen) 41 const char *digest, int digestlen)
32{ 42{
33 if (id >= INTEGRITY_KEYRING_MAX) 43 if (id >= INTEGRITY_KEYRING_MAX)
34 return -EINVAL; 44 return -EINVAL;
35 45
36 if (!keyring[id]) { 46 if (!keyring[id]) {
37 keyring[id] = 47 keyring[id] =
38 request_key(&key_type_keyring, keyring_name[id], NULL); 48 request_key(&key_type_keyring, keyring_name[id], NULL);
39 if (IS_ERR(keyring[id])) { 49 if (IS_ERR(keyring[id])) {
40 int err = PTR_ERR(keyring[id]); 50 int err = PTR_ERR(keyring[id]);
41 pr_err("no %s keyring: %d\n", keyring_name[id], err); 51 pr_err("no %s keyring: %d\n", keyring_name[id], err);
@@ -44,9 +54,10 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
44 } 54 }
45 } 55 }
46 56
47 switch (sig[0]) { 57 switch (sig[1]) {
48 case 1: 58 case 1:
49 return digsig_verify(keyring[id], sig, siglen, 59 /* v1 API expect signature without xattr type */
60 return digsig_verify(keyring[id], sig + 1, siglen - 1,
50 digest, digestlen); 61 digest, digestlen);
51 case 2: 62 case 2:
52 return asymmetric_verify(keyring[id], sig, siglen, 63 return asymmetric_verify(keyring[id], sig, siglen,
@@ -55,3 +66,21 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
55 66
56 return -EOPNOTSUPP; 67 return -EOPNOTSUPP;
57} 68}
69
70int integrity_init_keyring(const unsigned int id)
71{
72 const struct cred *cred = current_cred();
73 const struct user_struct *user = cred->user;
74
75 keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
76 KGIDT_INIT(0), cred,
77 ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
78 KEY_USR_VIEW | KEY_USR_READ),
79 KEY_ALLOC_NOT_IN_QUOTA, user->uid_keyring);
80 if (!IS_ERR(keyring[id]))
81 set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
82 else
83 pr_info("Can't allocate %s keyring (%ld)\n",
84 keyring_name[id], PTR_ERR(keyring[id]));
85 return 0;
86}
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index b4754667659d..9eae4809006b 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -20,17 +20,6 @@
20#include "integrity.h" 20#include "integrity.h"
21 21
22/* 22/*
23 * signature format v2 - for using with asymmetric keys
24 */
25struct signature_v2_hdr {
26 uint8_t version; /* signature format version */
27 uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */
28 uint32_t keyid; /* IMA key identifier - not X509/PGP specific*/
29 uint16_t sig_size; /* signature size */
30 uint8_t sig[0]; /* signature payload */
31} __packed;
32
33/*
34 * Request an asymmetric key. 23 * Request an asymmetric key.
35 */ 24 */
36static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid) 25static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid)
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index af9b6852f4e1..336b3ddfe63f 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -123,7 +123,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
123 goto out; 123 goto out;
124 } 124 }
125 125
126 xattr_len = rc - 1; 126 xattr_len = rc;
127 127
128 /* check value type */ 128 /* check value type */
129 switch (xattr_data->type) { 129 switch (xattr_data->type) {
@@ -143,7 +143,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
143 if (rc) 143 if (rc)
144 break; 144 break;
145 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 145 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
146 xattr_data->digest, xattr_len, 146 (const char *)xattr_data, xattr_len,
147 calc.digest, sizeof(calc.digest)); 147 calc.digest, sizeof(calc.digest));
148 if (!rc) { 148 if (!rc) {
149 /* we probably want to replace rsa with hmac here */ 149 /* we probably want to replace rsa with hmac here */
diff --git a/security/integrity/evm/evm_posix_acl.c b/security/integrity/evm/evm_posix_acl.c
index b1753e98bf9a..46408b9e62e8 100644
--- a/security/integrity/evm/evm_posix_acl.c
+++ b/security/integrity/evm/evm_posix_acl.c
@@ -11,8 +11,9 @@
11 11
12#include <linux/module.h> 12#include <linux/module.h>
13#include <linux/xattr.h> 13#include <linux/xattr.h>
14#include <linux/evm.h>
14 15
15int posix_xattr_acl(char *xattr) 16int posix_xattr_acl(const char *xattr)
16{ 17{
17 int xattr_len = strlen(xattr); 18 int xattr_len = strlen(xattr);
18 19
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 74522dbd10a6..c49d3f14cbec 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -70,6 +70,8 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode)
70 70
71static void iint_free(struct integrity_iint_cache *iint) 71static void iint_free(struct integrity_iint_cache *iint)
72{ 72{
73 kfree(iint->ima_hash);
74 iint->ima_hash = NULL;
73 iint->version = 0; 75 iint->version = 0;
74 iint->flags = 0UL; 76 iint->flags = 0UL;
75 iint->ima_file_status = INTEGRITY_UNKNOWN; 77 iint->ima_file_status = INTEGRITY_UNKNOWN;
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 39196abaff0d..dad8d4ca2437 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -9,6 +9,7 @@ config IMA
9 select CRYPTO_HMAC 9 select CRYPTO_HMAC
10 select CRYPTO_MD5 10 select CRYPTO_MD5
11 select CRYPTO_SHA1 11 select CRYPTO_SHA1
12 select CRYPTO_HASH_INFO
12 select TCG_TPM if HAS_IOMEM && !UML 13 select TCG_TPM if HAS_IOMEM && !UML
13 select TCG_TIS if TCG_TPM && X86 14 select TCG_TIS if TCG_TPM && X86
14 select TCG_IBMVTPM if TCG_TPM && PPC64 15 select TCG_IBMVTPM if TCG_TPM && PPC64
@@ -45,6 +46,69 @@ config IMA_LSM_RULES
45 help 46 help
46 Disabling this option will disregard LSM based policy rules. 47 Disabling this option will disregard LSM based policy rules.
47 48
49choice
50 prompt "Default template"
51 default IMA_NG_TEMPLATE
52 depends on IMA
53 help
54 Select the default IMA measurement template.
55
56 The original 'ima' measurement list template contains a
57 hash, defined as 20 bytes, and a null terminated pathname,
58 limited to 255 characters. The 'ima-ng' measurement list
59 template permits both larger hash digests and longer
60 pathnames.
61
62 config IMA_TEMPLATE
63 bool "ima"
64 config IMA_NG_TEMPLATE
65 bool "ima-ng (default)"
66 config IMA_SIG_TEMPLATE
67 bool "ima-sig"
68endchoice
69
70config IMA_DEFAULT_TEMPLATE
71 string
72 depends on IMA
73 default "ima" if IMA_TEMPLATE
74 default "ima-ng" if IMA_NG_TEMPLATE
75 default "ima-sig" if IMA_SIG_TEMPLATE
76
77choice
78 prompt "Default integrity hash algorithm"
79 default IMA_DEFAULT_HASH_SHA1
80 depends on IMA
81 help
82 Select the default hash algorithm used for the measurement
83 list, integrity appraisal and audit log. The compiled default
84 hash algorithm can be overwritten using the kernel command
85 line 'ima_hash=' option.
86
87 config IMA_DEFAULT_HASH_SHA1
88 bool "SHA1 (default)"
89 depends on CRYPTO_SHA1
90
91 config IMA_DEFAULT_HASH_SHA256
92 bool "SHA256"
93 depends on CRYPTO_SHA256 && !IMA_TEMPLATE
94
95 config IMA_DEFAULT_HASH_SHA512
96 bool "SHA512"
97 depends on CRYPTO_SHA512 && !IMA_TEMPLATE
98
99 config IMA_DEFAULT_HASH_WP512
100 bool "WP512"
101 depends on CRYPTO_WP512 && !IMA_TEMPLATE
102endchoice
103
104config IMA_DEFAULT_HASH
105 string
106 depends on IMA
107 default "sha1" if IMA_DEFAULT_HASH_SHA1
108 default "sha256" if IMA_DEFAULT_HASH_SHA256
109 default "sha512" if IMA_DEFAULT_HASH_SHA512
110 default "wp512" if IMA_DEFAULT_HASH_WP512
111
48config IMA_APPRAISE 112config IMA_APPRAISE
49 bool "Appraise integrity measurements" 113 bool "Appraise integrity measurements"
50 depends on IMA 114 depends on IMA
@@ -59,3 +123,11 @@ config IMA_APPRAISE
59 For more information on integrity appraisal refer to: 123 For more information on integrity appraisal refer to:
60 <http://linux-ima.sourceforge.net> 124 <http://linux-ima.sourceforge.net>
61 If unsure, say N. 125 If unsure, say N.
126
127config IMA_TRUSTED_KEYRING
128 bool "Require all keys on the _ima keyring be signed"
129 depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
130 default y
131 help
132 This option requires that all keys added to the _ima
133 keyring be signed by a key on the system trusted keyring.
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index 56dfee7cbf61..d79263d2fdbf 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -6,5 +6,5 @@
6obj-$(CONFIG_IMA) += ima.o 6obj-$(CONFIG_IMA) += ima.o
7 7
8ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \ 8ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
9 ima_policy.o 9 ima_policy.o ima_template.o ima_template_lib.o
10ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o 10ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index b3dd616560f7..bf03c6a16cc8 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -36,23 +36,48 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
36#define IMA_HASH_BITS 9 36#define IMA_HASH_BITS 9
37#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS) 37#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)
38 38
39#define IMA_TEMPLATE_FIELD_ID_MAX_LEN 16
40#define IMA_TEMPLATE_NUM_FIELDS_MAX 15
41
42#define IMA_TEMPLATE_IMA_NAME "ima"
43#define IMA_TEMPLATE_IMA_FMT "d|n"
44
39/* set during initialization */ 45/* set during initialization */
40extern int ima_initialized; 46extern int ima_initialized;
41extern int ima_used_chip; 47extern int ima_used_chip;
42extern char *ima_hash; 48extern int ima_hash_algo;
43extern int ima_appraise; 49extern int ima_appraise;
44 50
45/* IMA inode template definition */ 51/* IMA template field data definition */
46struct ima_template_data { 52struct ima_field_data {
47 u8 digest[IMA_DIGEST_SIZE]; /* sha1/md5 measurement hash */ 53 u8 *data;
48 char file_name[IMA_EVENT_NAME_LEN_MAX + 1]; /* name + \0 */ 54 u32 len;
55};
56
57/* IMA template field definition */
58struct ima_template_field {
59 const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
60 int (*field_init) (struct integrity_iint_cache *iint, struct file *file,
61 const unsigned char *filename,
62 struct evm_ima_xattr_data *xattr_value,
63 int xattr_len, struct ima_field_data *field_data);
64 void (*field_show) (struct seq_file *m, enum ima_show_type show,
65 struct ima_field_data *field_data);
66};
67
68/* IMA template descriptor definition */
69struct ima_template_desc {
70 char *name;
71 char *fmt;
72 int num_fields;
73 struct ima_template_field **fields;
49}; 74};
50 75
51struct ima_template_entry { 76struct ima_template_entry {
52 u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */ 77 u8 digest[TPM_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
53 const char *template_name; 78 struct ima_template_desc *template_desc; /* template descriptor */
54 int template_len; 79 u32 template_data_len;
55 struct ima_template_data template; 80 struct ima_field_data template_data[0]; /* template related data */
56}; 81};
57 82
58struct ima_queue_entry { 83struct ima_queue_entry {
@@ -69,13 +94,21 @@ int ima_fs_init(void);
69void ima_fs_cleanup(void); 94void ima_fs_cleanup(void);
70int ima_inode_alloc(struct inode *inode); 95int ima_inode_alloc(struct inode *inode);
71int ima_add_template_entry(struct ima_template_entry *entry, int violation, 96int ima_add_template_entry(struct ima_template_entry *entry, int violation,
72 const char *op, struct inode *inode); 97 const char *op, struct inode *inode,
73int ima_calc_file_hash(struct file *file, char *digest); 98 const unsigned char *filename);
74int ima_calc_buffer_hash(const void *data, int len, char *digest); 99int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
75int ima_calc_boot_aggregate(char *digest); 100int ima_calc_field_array_hash(struct ima_field_data *field_data, int num_fields,
76void ima_add_violation(struct inode *inode, const unsigned char *filename, 101 struct ima_digest_data *hash);
102int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
103void ima_add_violation(struct file *file, const unsigned char *filename,
77 const char *op, const char *cause); 104 const char *op, const char *cause);
78int ima_init_crypto(void); 105int ima_init_crypto(void);
106void ima_putc(struct seq_file *m, void *data, int datalen);
107void ima_print_digest(struct seq_file *m, u8 *digest, int size);
108struct ima_template_desc *ima_template_desc_current(void);
109int ima_init_template(void);
110
111int ima_init_template(void);
79 112
80/* 113/*
81 * used to protect h_table and sha_table 114 * used to protect h_table and sha_table
@@ -98,14 +131,21 @@ static inline unsigned long ima_hash_key(u8 *digest)
98int ima_get_action(struct inode *inode, int mask, int function); 131int ima_get_action(struct inode *inode, int mask, int function);
99int ima_must_measure(struct inode *inode, int mask, int function); 132int ima_must_measure(struct inode *inode, int mask, int function);
100int ima_collect_measurement(struct integrity_iint_cache *iint, 133int ima_collect_measurement(struct integrity_iint_cache *iint,
101 struct file *file); 134 struct file *file,
135 struct evm_ima_xattr_data **xattr_value,
136 int *xattr_len);
102void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, 137void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
103 const unsigned char *filename); 138 const unsigned char *filename,
139 struct evm_ima_xattr_data *xattr_value,
140 int xattr_len);
104void ima_audit_measurement(struct integrity_iint_cache *iint, 141void ima_audit_measurement(struct integrity_iint_cache *iint,
105 const unsigned char *filename); 142 const unsigned char *filename);
143int ima_alloc_init_template(struct integrity_iint_cache *iint,
144 struct file *file, const unsigned char *filename,
145 struct evm_ima_xattr_data *xattr_value,
146 int xattr_len, struct ima_template_entry **entry);
106int ima_store_template(struct ima_template_entry *entry, int violation, 147int ima_store_template(struct ima_template_entry *entry, int violation,
107 struct inode *inode); 148 struct inode *inode, const unsigned char *filename);
108void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show);
109const char *ima_d_path(struct path *path, char **pathbuf); 149const char *ima_d_path(struct path *path, char **pathbuf);
110 150
111/* rbtree tree calls to lookup, insert, delete 151/* rbtree tree calls to lookup, insert, delete
@@ -131,17 +171,25 @@ void ima_delete_rules(void);
131 171
132#ifdef CONFIG_IMA_APPRAISE 172#ifdef CONFIG_IMA_APPRAISE
133int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, 173int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
134 struct file *file, const unsigned char *filename); 174 struct file *file, const unsigned char *filename,
175 struct evm_ima_xattr_data *xattr_value,
176 int xattr_len);
135int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func); 177int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
136void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); 178void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
137enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, 179enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
138 int func); 180 int func);
181void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
182 struct ima_digest_data *hash);
183int ima_read_xattr(struct dentry *dentry,
184 struct evm_ima_xattr_data **xattr_value);
139 185
140#else 186#else
141static inline int ima_appraise_measurement(int func, 187static inline int ima_appraise_measurement(int func,
142 struct integrity_iint_cache *iint, 188 struct integrity_iint_cache *iint,
143 struct file *file, 189 struct file *file,
144 const unsigned char *filename) 190 const unsigned char *filename,
191 struct evm_ima_xattr_data *xattr_value,
192 int xattr_len)
145{ 193{
146 return INTEGRITY_UNKNOWN; 194 return INTEGRITY_UNKNOWN;
147} 195}
@@ -162,6 +210,19 @@ static inline enum integrity_status ima_get_cache_status(struct integrity_iint_c
162{ 210{
163 return INTEGRITY_UNKNOWN; 211 return INTEGRITY_UNKNOWN;
164} 212}
213
214static inline void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
215 int xattr_len,
216 struct ima_digest_data *hash)
217{
218}
219
220static inline int ima_read_xattr(struct dentry *dentry,
221 struct evm_ima_xattr_data **xattr_value)
222{
223 return 0;
224}
225
165#endif 226#endif
166 227
167/* LSM based policy rules require audit */ 228/* LSM based policy rules require audit */
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 1c03e8f1e0e1..0e7540863fc2 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -18,9 +18,46 @@
18#include <linux/fs.h> 18#include <linux/fs.h>
19#include <linux/xattr.h> 19#include <linux/xattr.h>
20#include <linux/evm.h> 20#include <linux/evm.h>
21#include <crypto/hash_info.h>
21#include "ima.h" 22#include "ima.h"
22 23
23static const char *IMA_TEMPLATE_NAME = "ima"; 24/*
25 * ima_alloc_init_template - create and initialize a new template entry
26 */
27int ima_alloc_init_template(struct integrity_iint_cache *iint,
28 struct file *file, const unsigned char *filename,
29 struct evm_ima_xattr_data *xattr_value,
30 int xattr_len, struct ima_template_entry **entry)
31{
32 struct ima_template_desc *template_desc = ima_template_desc_current();
33 int i, result = 0;
34
35 *entry = kzalloc(sizeof(**entry) + template_desc->num_fields *
36 sizeof(struct ima_field_data), GFP_NOFS);
37 if (!*entry)
38 return -ENOMEM;
39
40 for (i = 0; i < template_desc->num_fields; i++) {
41 struct ima_template_field *field = template_desc->fields[i];
42 u32 len;
43
44 result = field->field_init(iint, file, filename,
45 xattr_value, xattr_len,
46 &((*entry)->template_data[i]));
47 if (result != 0)
48 goto out;
49
50 len = (*entry)->template_data[i].len;
51 (*entry)->template_data_len += sizeof(len);
52 (*entry)->template_data_len += len;
53 }
54 (*entry)->template_desc = template_desc;
55 return 0;
56out:
57 kfree(*entry);
58 *entry = NULL;
59 return result;
60}
24 61
25/* 62/*
26 * ima_store_template - store ima template measurements 63 * ima_store_template - store ima template measurements
@@ -39,28 +76,34 @@ static const char *IMA_TEMPLATE_NAME = "ima";
39 * Returns 0 on success, error code otherwise 76 * Returns 0 on success, error code otherwise
40 */ 77 */
41int ima_store_template(struct ima_template_entry *entry, 78int ima_store_template(struct ima_template_entry *entry,
42 int violation, struct inode *inode) 79 int violation, struct inode *inode,
80 const unsigned char *filename)
43{ 81{
44 const char *op = "add_template_measure"; 82 const char *op = "add_template_measure";
45 const char *audit_cause = "hashing_error"; 83 const char *audit_cause = "hashing_error";
84 char *template_name = entry->template_desc->name;
46 int result; 85 int result;
47 86 struct {
48 memset(entry->digest, 0, sizeof(entry->digest)); 87 struct ima_digest_data hdr;
49 entry->template_name = IMA_TEMPLATE_NAME; 88 char digest[TPM_DIGEST_SIZE];
50 entry->template_len = sizeof(entry->template); 89 } hash;
51 90
52 if (!violation) { 91 if (!violation) {
53 result = ima_calc_buffer_hash(&entry->template, 92 int num_fields = entry->template_desc->num_fields;
54 entry->template_len, 93
55 entry->digest); 94 /* this function uses default algo */
95 hash.hdr.algo = HASH_ALGO_SHA1;
96 result = ima_calc_field_array_hash(&entry->template_data[0],
97 num_fields, &hash.hdr);
56 if (result < 0) { 98 if (result < 0) {
57 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, 99 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
58 entry->template_name, op, 100 template_name, op,
59 audit_cause, result, 0); 101 audit_cause, result, 0);
60 return result; 102 return result;
61 } 103 }
104 memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
62 } 105 }
63 result = ima_add_template_entry(entry, violation, op, inode); 106 result = ima_add_template_entry(entry, violation, op, inode, filename);
64 return result; 107 return result;
65} 108}
66 109
@@ -71,24 +114,24 @@ int ima_store_template(struct ima_template_entry *entry,
71 * By extending the PCR with 0xFF's instead of with zeroes, the PCR 114 * By extending the PCR with 0xFF's instead of with zeroes, the PCR
72 * value is invalidated. 115 * value is invalidated.
73 */ 116 */
74void ima_add_violation(struct inode *inode, const unsigned char *filename, 117void ima_add_violation(struct file *file, const unsigned char *filename,
75 const char *op, const char *cause) 118 const char *op, const char *cause)
76{ 119{
77 struct ima_template_entry *entry; 120 struct ima_template_entry *entry;
121 struct inode *inode = file->f_dentry->d_inode;
78 int violation = 1; 122 int violation = 1;
79 int result; 123 int result;
80 124
81 /* can overflow, only indicator */ 125 /* can overflow, only indicator */
82 atomic_long_inc(&ima_htable.violations); 126 atomic_long_inc(&ima_htable.violations);
83 127
84 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 128 result = ima_alloc_init_template(NULL, file, filename,
85 if (!entry) { 129 NULL, 0, &entry);
130 if (result < 0) {
86 result = -ENOMEM; 131 result = -ENOMEM;
87 goto err_out; 132 goto err_out;
88 } 133 }
89 memset(&entry->template, 0, sizeof(entry->template)); 134 result = ima_store_template(entry, violation, inode, filename);
90 strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
91 result = ima_store_template(entry, violation, inode);
92 if (result < 0) 135 if (result < 0)
93 kfree(entry); 136 kfree(entry);
94err_out: 137err_out:
@@ -138,20 +181,42 @@ int ima_must_measure(struct inode *inode, int mask, int function)
138 * Return 0 on success, error code otherwise 181 * Return 0 on success, error code otherwise
139 */ 182 */
140int ima_collect_measurement(struct integrity_iint_cache *iint, 183int ima_collect_measurement(struct integrity_iint_cache *iint,
141 struct file *file) 184 struct file *file,
185 struct evm_ima_xattr_data **xattr_value,
186 int *xattr_len)
142{ 187{
143 struct inode *inode = file_inode(file); 188 struct inode *inode = file_inode(file);
144 const char *filename = file->f_dentry->d_name.name; 189 const char *filename = file->f_dentry->d_name.name;
145 int result = 0; 190 int result = 0;
191 struct {
192 struct ima_digest_data hdr;
193 char digest[IMA_MAX_DIGEST_SIZE];
194 } hash;
195
196 if (xattr_value)
197 *xattr_len = ima_read_xattr(file->f_dentry, xattr_value);
146 198
147 if (!(iint->flags & IMA_COLLECTED)) { 199 if (!(iint->flags & IMA_COLLECTED)) {
148 u64 i_version = file_inode(file)->i_version; 200 u64 i_version = file_inode(file)->i_version;
149 201
150 iint->ima_xattr.type = IMA_XATTR_DIGEST; 202 /* use default hash algorithm */
151 result = ima_calc_file_hash(file, iint->ima_xattr.digest); 203 hash.hdr.algo = ima_hash_algo;
204
205 if (xattr_value)
206 ima_get_hash_algo(*xattr_value, *xattr_len, &hash.hdr);
207
208 result = ima_calc_file_hash(file, &hash.hdr);
152 if (!result) { 209 if (!result) {
153 iint->version = i_version; 210 int length = sizeof(hash.hdr) + hash.hdr.length;
154 iint->flags |= IMA_COLLECTED; 211 void *tmpbuf = krealloc(iint->ima_hash, length,
212 GFP_NOFS);
213 if (tmpbuf) {
214 iint->ima_hash = tmpbuf;
215 memcpy(iint->ima_hash, &hash, length);
216 iint->version = i_version;
217 iint->flags |= IMA_COLLECTED;
218 } else
219 result = -ENOMEM;
155 } 220 }
156 } 221 }
157 if (result) 222 if (result)
@@ -177,7 +242,9 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
177 * Must be called with iint->mutex held. 242 * Must be called with iint->mutex held.
178 */ 243 */
179void ima_store_measurement(struct integrity_iint_cache *iint, 244void ima_store_measurement(struct integrity_iint_cache *iint,
180 struct file *file, const unsigned char *filename) 245 struct file *file, const unsigned char *filename,
246 struct evm_ima_xattr_data *xattr_value,
247 int xattr_len)
181{ 248{
182 const char *op = "add_template_measure"; 249 const char *op = "add_template_measure";
183 const char *audit_cause = "ENOMEM"; 250 const char *audit_cause = "ENOMEM";
@@ -189,19 +256,15 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
189 if (iint->flags & IMA_MEASURED) 256 if (iint->flags & IMA_MEASURED)
190 return; 257 return;
191 258
192 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 259 result = ima_alloc_init_template(iint, file, filename,
193 if (!entry) { 260 xattr_value, xattr_len, &entry);
261 if (result < 0) {
194 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 262 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
195 op, audit_cause, result, 0); 263 op, audit_cause, result, 0);
196 return; 264 return;
197 } 265 }
198 memset(&entry->template, 0, sizeof(entry->template));
199 memcpy(entry->template.digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE);
200 strcpy(entry->template.file_name,
201 (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
202 file->f_dentry->d_name.name : filename);
203 266
204 result = ima_store_template(entry, violation, inode); 267 result = ima_store_template(entry, violation, inode, filename);
205 if (!result || result == -EEXIST) 268 if (!result || result == -EEXIST)
206 iint->flags |= IMA_MEASURED; 269 iint->flags |= IMA_MEASURED;
207 if (result < 0) 270 if (result < 0)
@@ -212,14 +275,16 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
212 const unsigned char *filename) 275 const unsigned char *filename)
213{ 276{
214 struct audit_buffer *ab; 277 struct audit_buffer *ab;
215 char hash[(IMA_DIGEST_SIZE * 2) + 1]; 278 char hash[(iint->ima_hash->length * 2) + 1];
279 const char *algo_name = hash_algo_name[iint->ima_hash->algo];
280 char algo_hash[sizeof(hash) + strlen(algo_name) + 2];
216 int i; 281 int i;
217 282
218 if (iint->flags & IMA_AUDITED) 283 if (iint->flags & IMA_AUDITED)
219 return; 284 return;
220 285
221 for (i = 0; i < IMA_DIGEST_SIZE; i++) 286 for (i = 0; i < iint->ima_hash->length; i++)
222 hex_byte_pack(hash + (i * 2), iint->ima_xattr.digest[i]); 287 hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]);
223 hash[i * 2] = '\0'; 288 hash[i * 2] = '\0';
224 289
225 ab = audit_log_start(current->audit_context, GFP_KERNEL, 290 ab = audit_log_start(current->audit_context, GFP_KERNEL,
@@ -230,7 +295,8 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
230 audit_log_format(ab, "file="); 295 audit_log_format(ab, "file=");
231 audit_log_untrustedstring(ab, filename); 296 audit_log_untrustedstring(ab, filename);
232 audit_log_format(ab, " hash="); 297 audit_log_format(ab, " hash=");
233 audit_log_untrustedstring(ab, hash); 298 snprintf(algo_hash, sizeof(algo_hash), "%s:%s", algo_name, hash);
299 audit_log_untrustedstring(ab, algo_hash);
234 300
235 audit_log_task_info(ab, current); 301 audit_log_task_info(ab, current);
236 audit_log_end(ab); 302 audit_log_end(ab);
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 2d4becab8918..46353ee517f6 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -15,6 +15,7 @@
15#include <linux/magic.h> 15#include <linux/magic.h>
16#include <linux/ima.h> 16#include <linux/ima.h>
17#include <linux/evm.h> 17#include <linux/evm.h>
18#include <crypto/hash_info.h>
18 19
19#include "ima.h" 20#include "ima.h"
20 21
@@ -43,19 +44,31 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
43} 44}
44 45
45static int ima_fix_xattr(struct dentry *dentry, 46static int ima_fix_xattr(struct dentry *dentry,
46 struct integrity_iint_cache *iint) 47 struct integrity_iint_cache *iint)
47{ 48{
48 iint->ima_xattr.type = IMA_XATTR_DIGEST; 49 int rc, offset;
49 return __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, 50 u8 algo = iint->ima_hash->algo;
50 (u8 *)&iint->ima_xattr, 51
51 sizeof(iint->ima_xattr), 0); 52 if (algo <= HASH_ALGO_SHA1) {
53 offset = 1;
54 iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
55 } else {
56 offset = 0;
57 iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
58 iint->ima_hash->xattr.ng.algo = algo;
59 }
60 rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
61 &iint->ima_hash->xattr.data[offset],
62 (sizeof(iint->ima_hash->xattr) - offset) +
63 iint->ima_hash->length, 0);
64 return rc;
52} 65}
53 66
54/* Return specific func appraised cached result */ 67/* Return specific func appraised cached result */
55enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, 68enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
56 int func) 69 int func)
57{ 70{
58 switch(func) { 71 switch (func) {
59 case MMAP_CHECK: 72 case MMAP_CHECK:
60 return iint->ima_mmap_status; 73 return iint->ima_mmap_status;
61 case BPRM_CHECK: 74 case BPRM_CHECK:
@@ -71,7 +84,7 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
71static void ima_set_cache_status(struct integrity_iint_cache *iint, 84static void ima_set_cache_status(struct integrity_iint_cache *iint,
72 int func, enum integrity_status status) 85 int func, enum integrity_status status)
73{ 86{
74 switch(func) { 87 switch (func) {
75 case MMAP_CHECK: 88 case MMAP_CHECK:
76 iint->ima_mmap_status = status; 89 iint->ima_mmap_status = status;
77 break; 90 break;
@@ -90,7 +103,7 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
90 103
91static void ima_cache_flags(struct integrity_iint_cache *iint, int func) 104static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
92{ 105{
93 switch(func) { 106 switch (func) {
94 case MMAP_CHECK: 107 case MMAP_CHECK:
95 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED); 108 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
96 break; 109 break;
@@ -107,6 +120,50 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
107 } 120 }
108} 121}
109 122
123void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
124 struct ima_digest_data *hash)
125{
126 struct signature_v2_hdr *sig;
127
128 if (!xattr_value || xattr_len < 2)
129 return;
130
131 switch (xattr_value->type) {
132 case EVM_IMA_XATTR_DIGSIG:
133 sig = (typeof(sig))xattr_value;
134 if (sig->version != 2 || xattr_len <= sizeof(*sig))
135 return;
136 hash->algo = sig->hash_algo;
137 break;
138 case IMA_XATTR_DIGEST_NG:
139 hash->algo = xattr_value->digest[0];
140 break;
141 case IMA_XATTR_DIGEST:
142 /* this is for backward compatibility */
143 if (xattr_len == 21) {
144 unsigned int zero = 0;
145 if (!memcmp(&xattr_value->digest[16], &zero, 4))
146 hash->algo = HASH_ALGO_MD5;
147 else
148 hash->algo = HASH_ALGO_SHA1;
149 } else if (xattr_len == 17)
150 hash->algo = HASH_ALGO_MD5;
151 break;
152 }
153}
154
155int ima_read_xattr(struct dentry *dentry,
156 struct evm_ima_xattr_data **xattr_value)
157{
158 struct inode *inode = dentry->d_inode;
159
160 if (!inode->i_op->getxattr)
161 return 0;
162
163 return vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)xattr_value,
164 0, GFP_NOFS);
165}
166
110/* 167/*
111 * ima_appraise_measurement - appraise file measurement 168 * ima_appraise_measurement - appraise file measurement
112 * 169 *
@@ -116,23 +173,22 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
116 * Return 0 on success, error code otherwise 173 * Return 0 on success, error code otherwise
117 */ 174 */
118int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, 175int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
119 struct file *file, const unsigned char *filename) 176 struct file *file, const unsigned char *filename,
177 struct evm_ima_xattr_data *xattr_value,
178 int xattr_len)
120{ 179{
121 struct dentry *dentry = file->f_dentry; 180 struct dentry *dentry = file->f_dentry;
122 struct inode *inode = dentry->d_inode; 181 struct inode *inode = dentry->d_inode;
123 struct evm_ima_xattr_data *xattr_value = NULL;
124 enum integrity_status status = INTEGRITY_UNKNOWN; 182 enum integrity_status status = INTEGRITY_UNKNOWN;
125 const char *op = "appraise_data"; 183 const char *op = "appraise_data";
126 char *cause = "unknown"; 184 char *cause = "unknown";
127 int rc; 185 int rc = xattr_len, hash_start = 0;
128 186
129 if (!ima_appraise) 187 if (!ima_appraise)
130 return 0; 188 return 0;
131 if (!inode->i_op->getxattr) 189 if (!inode->i_op->getxattr)
132 return INTEGRITY_UNKNOWN; 190 return INTEGRITY_UNKNOWN;
133 191
134 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)&xattr_value,
135 0, GFP_NOFS);
136 if (rc <= 0) { 192 if (rc <= 0) {
137 if (rc && rc != -ENODATA) 193 if (rc && rc != -ENODATA)
138 goto out; 194 goto out;
@@ -153,14 +209,25 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
153 goto out; 209 goto out;
154 } 210 }
155 switch (xattr_value->type) { 211 switch (xattr_value->type) {
212 case IMA_XATTR_DIGEST_NG:
213 /* first byte contains algorithm id */
214 hash_start = 1;
156 case IMA_XATTR_DIGEST: 215 case IMA_XATTR_DIGEST:
157 if (iint->flags & IMA_DIGSIG_REQUIRED) { 216 if (iint->flags & IMA_DIGSIG_REQUIRED) {
158 cause = "IMA signature required"; 217 cause = "IMA signature required";
159 status = INTEGRITY_FAIL; 218 status = INTEGRITY_FAIL;
160 break; 219 break;
161 } 220 }
162 rc = memcmp(xattr_value->digest, iint->ima_xattr.digest, 221 if (xattr_len - sizeof(xattr_value->type) - hash_start >=
163 IMA_DIGEST_SIZE); 222 iint->ima_hash->length)
223 /* xattr length may be longer. md5 hash in previous
224 version occupied 20 bytes in xattr, instead of 16
225 */
226 rc = memcmp(&xattr_value->digest[hash_start],
227 iint->ima_hash->digest,
228 iint->ima_hash->length);
229 else
230 rc = -EINVAL;
164 if (rc) { 231 if (rc) {
165 cause = "invalid-hash"; 232 cause = "invalid-hash";
166 status = INTEGRITY_FAIL; 233 status = INTEGRITY_FAIL;
@@ -171,9 +238,9 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
171 case EVM_IMA_XATTR_DIGSIG: 238 case EVM_IMA_XATTR_DIGSIG:
172 iint->flags |= IMA_DIGSIG; 239 iint->flags |= IMA_DIGSIG;
173 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, 240 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
174 xattr_value->digest, rc - 1, 241 (const char *)xattr_value, rc,
175 iint->ima_xattr.digest, 242 iint->ima_hash->digest,
176 IMA_DIGEST_SIZE); 243 iint->ima_hash->length);
177 if (rc == -EOPNOTSUPP) { 244 if (rc == -EOPNOTSUPP) {
178 status = INTEGRITY_UNKNOWN; 245 status = INTEGRITY_UNKNOWN;
179 } else if (rc) { 246 } else if (rc) {
@@ -203,7 +270,6 @@ out:
203 ima_cache_flags(iint, func); 270 ima_cache_flags(iint, func);
204 } 271 }
205 ima_set_cache_status(iint, func, status); 272 ima_set_cache_status(iint, func, status);
206 kfree(xattr_value);
207 return status; 273 return status;
208} 274}
209 275
@@ -219,7 +285,7 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
219 if (iint->flags & IMA_DIGSIG) 285 if (iint->flags & IMA_DIGSIG)
220 return; 286 return;
221 287
222 rc = ima_collect_measurement(iint, file); 288 rc = ima_collect_measurement(iint, file, NULL, NULL);
223 if (rc < 0) 289 if (rc < 0)
224 return; 290 return;
225 291
@@ -315,3 +381,14 @@ int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
315 } 381 }
316 return result; 382 return result;
317} 383}
384
385#ifdef CONFIG_IMA_TRUSTED_KEYRING
386static int __init init_ima_keyring(void)
387{
388 int ret;
389
390 ret = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
391 return 0;
392}
393late_initcall(init_ima_keyring);
394#endif
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index a02e0791cf15..676e0292dfec 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -20,6 +20,7 @@
20#include <linux/err.h> 20#include <linux/err.h>
21#include <linux/slab.h> 21#include <linux/slab.h>
22#include <crypto/hash.h> 22#include <crypto/hash.h>
23#include <crypto/hash_info.h>
23#include "ima.h" 24#include "ima.h"
24 25
25static struct crypto_shash *ima_shash_tfm; 26static struct crypto_shash *ima_shash_tfm;
@@ -28,31 +29,58 @@ int ima_init_crypto(void)
28{ 29{
29 long rc; 30 long rc;
30 31
31 ima_shash_tfm = crypto_alloc_shash(ima_hash, 0, 0); 32 ima_shash_tfm = crypto_alloc_shash(hash_algo_name[ima_hash_algo], 0, 0);
32 if (IS_ERR(ima_shash_tfm)) { 33 if (IS_ERR(ima_shash_tfm)) {
33 rc = PTR_ERR(ima_shash_tfm); 34 rc = PTR_ERR(ima_shash_tfm);
34 pr_err("Can not allocate %s (reason: %ld)\n", ima_hash, rc); 35 pr_err("Can not allocate %s (reason: %ld)\n",
36 hash_algo_name[ima_hash_algo], rc);
35 return rc; 37 return rc;
36 } 38 }
37 return 0; 39 return 0;
38} 40}
39 41
42static struct crypto_shash *ima_alloc_tfm(enum hash_algo algo)
43{
44 struct crypto_shash *tfm = ima_shash_tfm;
45 int rc;
46
47 if (algo != ima_hash_algo && algo < HASH_ALGO__LAST) {
48 tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
49 if (IS_ERR(tfm)) {
50 rc = PTR_ERR(tfm);
51 pr_err("Can not allocate %s (reason: %d)\n",
52 hash_algo_name[algo], rc);
53 }
54 }
55 return tfm;
56}
57
58static void ima_free_tfm(struct crypto_shash *tfm)
59{
60 if (tfm != ima_shash_tfm)
61 crypto_free_shash(tfm);
62}
63
40/* 64/*
41 * Calculate the MD5/SHA1 file digest 65 * Calculate the MD5/SHA1 file digest
42 */ 66 */
43int ima_calc_file_hash(struct file *file, char *digest) 67static int ima_calc_file_hash_tfm(struct file *file,
68 struct ima_digest_data *hash,
69 struct crypto_shash *tfm)
44{ 70{
45 loff_t i_size, offset = 0; 71 loff_t i_size, offset = 0;
46 char *rbuf; 72 char *rbuf;
47 int rc, read = 0; 73 int rc, read = 0;
48 struct { 74 struct {
49 struct shash_desc shash; 75 struct shash_desc shash;
50 char ctx[crypto_shash_descsize(ima_shash_tfm)]; 76 char ctx[crypto_shash_descsize(tfm)];
51 } desc; 77 } desc;
52 78
53 desc.shash.tfm = ima_shash_tfm; 79 desc.shash.tfm = tfm;
54 desc.shash.flags = 0; 80 desc.shash.flags = 0;
55 81
82 hash->length = crypto_shash_digestsize(tfm);
83
56 rc = crypto_shash_init(&desc.shash); 84 rc = crypto_shash_init(&desc.shash);
57 if (rc != 0) 85 if (rc != 0)
58 return rc; 86 return rc;
@@ -85,27 +113,83 @@ int ima_calc_file_hash(struct file *file, char *digest)
85 } 113 }
86 kfree(rbuf); 114 kfree(rbuf);
87 if (!rc) 115 if (!rc)
88 rc = crypto_shash_final(&desc.shash, digest); 116 rc = crypto_shash_final(&desc.shash, hash->digest);
89 if (read) 117 if (read)
90 file->f_mode &= ~FMODE_READ; 118 file->f_mode &= ~FMODE_READ;
91out: 119out:
92 return rc; 120 return rc;
93} 121}
94 122
123int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
124{
125 struct crypto_shash *tfm;
126 int rc;
127
128 tfm = ima_alloc_tfm(hash->algo);
129 if (IS_ERR(tfm))
130 return PTR_ERR(tfm);
131
132 rc = ima_calc_file_hash_tfm(file, hash, tfm);
133
134 ima_free_tfm(tfm);
135
136 return rc;
137}
138
95/* 139/*
96 * Calculate the hash of a given buffer 140 * Calculate the hash of template data
97 */ 141 */
98int ima_calc_buffer_hash(const void *data, int len, char *digest) 142static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
143 int num_fields,
144 struct ima_digest_data *hash,
145 struct crypto_shash *tfm)
99{ 146{
100 struct { 147 struct {
101 struct shash_desc shash; 148 struct shash_desc shash;
102 char ctx[crypto_shash_descsize(ima_shash_tfm)]; 149 char ctx[crypto_shash_descsize(tfm)];
103 } desc; 150 } desc;
151 int rc, i;
104 152
105 desc.shash.tfm = ima_shash_tfm; 153 desc.shash.tfm = tfm;
106 desc.shash.flags = 0; 154 desc.shash.flags = 0;
107 155
108 return crypto_shash_digest(&desc.shash, data, len, digest); 156 hash->length = crypto_shash_digestsize(tfm);
157
158 rc = crypto_shash_init(&desc.shash);
159 if (rc != 0)
160 return rc;
161
162 for (i = 0; i < num_fields; i++) {
163 rc = crypto_shash_update(&desc.shash,
164 (const u8 *) &field_data[i].len,
165 sizeof(field_data[i].len));
166 rc = crypto_shash_update(&desc.shash, field_data[i].data,
167 field_data[i].len);
168 if (rc)
169 break;
170 }
171
172 if (!rc)
173 rc = crypto_shash_final(&desc.shash, hash->digest);
174
175 return rc;
176}
177
178int ima_calc_field_array_hash(struct ima_field_data *field_data, int num_fields,
179 struct ima_digest_data *hash)
180{
181 struct crypto_shash *tfm;
182 int rc;
183
184 tfm = ima_alloc_tfm(hash->algo);
185 if (IS_ERR(tfm))
186 return PTR_ERR(tfm);
187
188 rc = ima_calc_field_array_hash_tfm(field_data, num_fields, hash, tfm);
189
190 ima_free_tfm(tfm);
191
192 return rc;
109} 193}
110 194
111static void __init ima_pcrread(int idx, u8 *pcr) 195static void __init ima_pcrread(int idx, u8 *pcr)
@@ -120,16 +204,17 @@ static void __init ima_pcrread(int idx, u8 *pcr)
120/* 204/*
121 * Calculate the boot aggregate hash 205 * Calculate the boot aggregate hash
122 */ 206 */
123int __init ima_calc_boot_aggregate(char *digest) 207static int __init ima_calc_boot_aggregate_tfm(char *digest,
208 struct crypto_shash *tfm)
124{ 209{
125 u8 pcr_i[IMA_DIGEST_SIZE]; 210 u8 pcr_i[TPM_DIGEST_SIZE];
126 int rc, i; 211 int rc, i;
127 struct { 212 struct {
128 struct shash_desc shash; 213 struct shash_desc shash;
129 char ctx[crypto_shash_descsize(ima_shash_tfm)]; 214 char ctx[crypto_shash_descsize(tfm)];
130 } desc; 215 } desc;
131 216
132 desc.shash.tfm = ima_shash_tfm; 217 desc.shash.tfm = tfm;
133 desc.shash.flags = 0; 218 desc.shash.flags = 0;
134 219
135 rc = crypto_shash_init(&desc.shash); 220 rc = crypto_shash_init(&desc.shash);
@@ -140,9 +225,26 @@ int __init ima_calc_boot_aggregate(char *digest)
140 for (i = TPM_PCR0; i < TPM_PCR8; i++) { 225 for (i = TPM_PCR0; i < TPM_PCR8; i++) {
141 ima_pcrread(i, pcr_i); 226 ima_pcrread(i, pcr_i);
142 /* now accumulate with current aggregate */ 227 /* now accumulate with current aggregate */
143 rc = crypto_shash_update(&desc.shash, pcr_i, IMA_DIGEST_SIZE); 228 rc = crypto_shash_update(&desc.shash, pcr_i, TPM_DIGEST_SIZE);
144 } 229 }
145 if (!rc) 230 if (!rc)
146 crypto_shash_final(&desc.shash, digest); 231 crypto_shash_final(&desc.shash, digest);
147 return rc; 232 return rc;
148} 233}
234
235int __init ima_calc_boot_aggregate(struct ima_digest_data *hash)
236{
237 struct crypto_shash *tfm;
238 int rc;
239
240 tfm = ima_alloc_tfm(hash->algo);
241 if (IS_ERR(tfm))
242 return PTR_ERR(tfm);
243
244 hash->length = crypto_shash_digestsize(tfm);
245 rc = ima_calc_boot_aggregate_tfm(hash->digest, tfm);
246
247 ima_free_tfm(tfm);
248
249 return rc;
250}
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 38477c9c3415..d47a7c86a21d 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -88,8 +88,7 @@ static void *ima_measurements_next(struct seq_file *m, void *v, loff_t *pos)
88 * against concurrent list-extension 88 * against concurrent list-extension
89 */ 89 */
90 rcu_read_lock(); 90 rcu_read_lock();
91 qe = list_entry_rcu(qe->later.next, 91 qe = list_entry_rcu(qe->later.next, struct ima_queue_entry, later);
92 struct ima_queue_entry, later);
93 rcu_read_unlock(); 92 rcu_read_unlock();
94 (*pos)++; 93 (*pos)++;
95 94
@@ -100,7 +99,7 @@ static void ima_measurements_stop(struct seq_file *m, void *v)
100{ 99{
101} 100}
102 101
103static void ima_putc(struct seq_file *m, void *data, int datalen) 102void ima_putc(struct seq_file *m, void *data, int datalen)
104{ 103{
105 while (datalen--) 104 while (datalen--)
106 seq_putc(m, *(char *)data++); 105 seq_putc(m, *(char *)data++);
@@ -111,6 +110,7 @@ static void ima_putc(struct seq_file *m, void *data, int datalen)
111 * char[20]=template digest 110 * char[20]=template digest
112 * 32bit-le=template name size 111 * 32bit-le=template name size
113 * char[n]=template name 112 * char[n]=template name
113 * [eventdata length]
114 * eventdata[n]=template specific data 114 * eventdata[n]=template specific data
115 */ 115 */
116static int ima_measurements_show(struct seq_file *m, void *v) 116static int ima_measurements_show(struct seq_file *m, void *v)
@@ -120,6 +120,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
120 struct ima_template_entry *e; 120 struct ima_template_entry *e;
121 int namelen; 121 int namelen;
122 u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX; 122 u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX;
123 int i;
123 124
124 /* get entry */ 125 /* get entry */
125 e = qe->entry; 126 e = qe->entry;
@@ -134,18 +135,25 @@ static int ima_measurements_show(struct seq_file *m, void *v)
134 ima_putc(m, &pcr, sizeof pcr); 135 ima_putc(m, &pcr, sizeof pcr);
135 136
136 /* 2nd: template digest */ 137 /* 2nd: template digest */
137 ima_putc(m, e->digest, IMA_DIGEST_SIZE); 138 ima_putc(m, e->digest, TPM_DIGEST_SIZE);
138 139
139 /* 3rd: template name size */ 140 /* 3rd: template name size */
140 namelen = strlen(e->template_name); 141 namelen = strlen(e->template_desc->name);
141 ima_putc(m, &namelen, sizeof namelen); 142 ima_putc(m, &namelen, sizeof namelen);
142 143
143 /* 4th: template name */ 144 /* 4th: template name */
144 ima_putc(m, (void *)e->template_name, namelen); 145 ima_putc(m, e->template_desc->name, namelen);
146
147 /* 5th: template length (except for 'ima' template) */
148 if (strcmp(e->template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
149 ima_putc(m, &e->template_data_len,
150 sizeof(e->template_data_len));
145 151
146 /* 5th: template specific data */ 152 /* 6th: template specific data */
147 ima_template_show(m, (struct ima_template_data *)&e->template, 153 for (i = 0; i < e->template_desc->num_fields; i++) {
148 IMA_SHOW_BINARY); 154 e->template_desc->fields[i]->field_show(m, IMA_SHOW_BINARY,
155 &e->template_data[i]);
156 }
149 return 0; 157 return 0;
150} 158}
151 159
@@ -168,41 +176,21 @@ static const struct file_operations ima_measurements_ops = {
168 .release = seq_release, 176 .release = seq_release,
169}; 177};
170 178
171static void ima_print_digest(struct seq_file *m, u8 *digest) 179void ima_print_digest(struct seq_file *m, u8 *digest, int size)
172{ 180{
173 int i; 181 int i;
174 182
175 for (i = 0; i < IMA_DIGEST_SIZE; i++) 183 for (i = 0; i < size; i++)
176 seq_printf(m, "%02x", *(digest + i)); 184 seq_printf(m, "%02x", *(digest + i));
177} 185}
178 186
179void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show)
180{
181 struct ima_template_data *entry = e;
182 int namelen;
183
184 switch (show) {
185 case IMA_SHOW_ASCII:
186 ima_print_digest(m, entry->digest);
187 seq_printf(m, " %s\n", entry->file_name);
188 break;
189 case IMA_SHOW_BINARY:
190 ima_putc(m, entry->digest, IMA_DIGEST_SIZE);
191
192 namelen = strlen(entry->file_name);
193 ima_putc(m, &namelen, sizeof namelen);
194 ima_putc(m, entry->file_name, namelen);
195 default:
196 break;
197 }
198}
199
200/* print in ascii */ 187/* print in ascii */
201static int ima_ascii_measurements_show(struct seq_file *m, void *v) 188static int ima_ascii_measurements_show(struct seq_file *m, void *v)
202{ 189{
203 /* the list never shrinks, so we don't need a lock here */ 190 /* the list never shrinks, so we don't need a lock here */
204 struct ima_queue_entry *qe = v; 191 struct ima_queue_entry *qe = v;
205 struct ima_template_entry *e; 192 struct ima_template_entry *e;
193 int i;
206 194
207 /* get entry */ 195 /* get entry */
208 e = qe->entry; 196 e = qe->entry;
@@ -213,14 +201,21 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
213 seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX); 201 seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX);
214 202
215 /* 2nd: SHA1 template hash */ 203 /* 2nd: SHA1 template hash */
216 ima_print_digest(m, e->digest); 204 ima_print_digest(m, e->digest, TPM_DIGEST_SIZE);
217 205
218 /* 3th: template name */ 206 /* 3th: template name */
219 seq_printf(m, " %s ", e->template_name); 207 seq_printf(m, " %s", e->template_desc->name);
220 208
221 /* 4th: template specific data */ 209 /* 4th: template specific data */
222 ima_template_show(m, (struct ima_template_data *)&e->template, 210 for (i = 0; i < e->template_desc->num_fields; i++) {
223 IMA_SHOW_ASCII); 211 seq_puts(m, " ");
212 if (e->template_data[i].len == 0)
213 continue;
214
215 e->template_desc->fields[i]->field_show(m, IMA_SHOW_ASCII,
216 &e->template_data[i]);
217 }
218 seq_puts(m, "\n");
224 return 0; 219 return 0;
225} 220}
226 221
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 162ea723db3d..15f34bd40abe 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -18,6 +18,7 @@
18#include <linux/scatterlist.h> 18#include <linux/scatterlist.h>
19#include <linux/slab.h> 19#include <linux/slab.h>
20#include <linux/err.h> 20#include <linux/err.h>
21#include <crypto/hash_info.h>
21#include "ima.h" 22#include "ima.h"
22 23
23/* name for boot aggregate entry */ 24/* name for boot aggregate entry */
@@ -42,28 +43,38 @@ int ima_used_chip;
42static void __init ima_add_boot_aggregate(void) 43static void __init ima_add_boot_aggregate(void)
43{ 44{
44 struct ima_template_entry *entry; 45 struct ima_template_entry *entry;
46 struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
45 const char *op = "add_boot_aggregate"; 47 const char *op = "add_boot_aggregate";
46 const char *audit_cause = "ENOMEM"; 48 const char *audit_cause = "ENOMEM";
47 int result = -ENOMEM; 49 int result = -ENOMEM;
48 int violation = 1; 50 int violation = 0;
51 struct {
52 struct ima_digest_data hdr;
53 char digest[TPM_DIGEST_SIZE];
54 } hash;
49 55
50 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 56 memset(iint, 0, sizeof(*iint));
51 if (!entry) 57 memset(&hash, 0, sizeof(hash));
52 goto err_out; 58 iint->ima_hash = &hash.hdr;
59 iint->ima_hash->algo = HASH_ALGO_SHA1;
60 iint->ima_hash->length = SHA1_DIGEST_SIZE;
53 61
54 memset(&entry->template, 0, sizeof(entry->template));
55 strncpy(entry->template.file_name, boot_aggregate_name,
56 IMA_EVENT_NAME_LEN_MAX);
57 if (ima_used_chip) { 62 if (ima_used_chip) {
58 violation = 0; 63 result = ima_calc_boot_aggregate(&hash.hdr);
59 result = ima_calc_boot_aggregate(entry->template.digest);
60 if (result < 0) { 64 if (result < 0) {
61 audit_cause = "hashing_error"; 65 audit_cause = "hashing_error";
62 kfree(entry); 66 kfree(entry);
63 goto err_out; 67 goto err_out;
64 } 68 }
65 } 69 }
66 result = ima_store_template(entry, violation, NULL); 70
71 result = ima_alloc_init_template(iint, NULL, boot_aggregate_name,
72 NULL, 0, &entry);
73 if (result < 0)
74 return;
75
76 result = ima_store_template(entry, violation, NULL,
77 boot_aggregate_name);
67 if (result < 0) 78 if (result < 0)
68 kfree(entry); 79 kfree(entry);
69 return; 80 return;
@@ -74,7 +85,7 @@ err_out:
74 85
75int __init ima_init(void) 86int __init ima_init(void)
76{ 87{
77 u8 pcr_i[IMA_DIGEST_SIZE]; 88 u8 pcr_i[TPM_DIGEST_SIZE];
78 int rc; 89 int rc;
79 90
80 ima_used_chip = 0; 91 ima_used_chip = 0;
@@ -88,6 +99,10 @@ int __init ima_init(void)
88 rc = ima_init_crypto(); 99 rc = ima_init_crypto();
89 if (rc) 100 if (rc)
90 return rc; 101 return rc;
102 rc = ima_init_template();
103 if (rc != 0)
104 return rc;
105
91 ima_add_boot_aggregate(); /* boot aggregate must be first entry */ 106 ima_add_boot_aggregate(); /* boot aggregate must be first entry */
92 ima_init_policy(); 107 ima_init_policy();
93 108
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index e9508d5bbfcf..149ee1119f87 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -24,6 +24,7 @@
24#include <linux/slab.h> 24#include <linux/slab.h>
25#include <linux/xattr.h> 25#include <linux/xattr.h>
26#include <linux/ima.h> 26#include <linux/ima.h>
27#include <crypto/hash_info.h>
27 28
28#include "ima.h" 29#include "ima.h"
29 30
@@ -35,11 +36,33 @@ int ima_appraise = IMA_APPRAISE_ENFORCE;
35int ima_appraise; 36int ima_appraise;
36#endif 37#endif
37 38
38char *ima_hash = "sha1"; 39int ima_hash_algo = HASH_ALGO_SHA1;
40static int hash_setup_done;
41
39static int __init hash_setup(char *str) 42static int __init hash_setup(char *str)
40{ 43{
41 if (strncmp(str, "md5", 3) == 0) 44 struct ima_template_desc *template_desc = ima_template_desc_current();
42 ima_hash = "md5"; 45 int i;
46
47 if (hash_setup_done)
48 return 1;
49
50 if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
51 if (strncmp(str, "sha1", 4) == 0)
52 ima_hash_algo = HASH_ALGO_SHA1;
53 else if (strncmp(str, "md5", 3) == 0)
54 ima_hash_algo = HASH_ALGO_MD5;
55 goto out;
56 }
57
58 for (i = 0; i < HASH_ALGO__LAST; i++) {
59 if (strcmp(str, hash_algo_name[i]) == 0) {
60 ima_hash_algo = i;
61 break;
62 }
63 }
64out:
65 hash_setup_done = 1;
43 return 1; 66 return 1;
44} 67}
45__setup("ima_hash=", hash_setup); 68__setup("ima_hash=", hash_setup);
@@ -92,10 +115,9 @@ out:
92 pathname = dentry->d_name.name; 115 pathname = dentry->d_name.name;
93 116
94 if (send_tomtou) 117 if (send_tomtou)
95 ima_add_violation(inode, pathname, 118 ima_add_violation(file, pathname, "invalid_pcr", "ToMToU");
96 "invalid_pcr", "ToMToU");
97 if (send_writers) 119 if (send_writers)
98 ima_add_violation(inode, pathname, 120 ima_add_violation(file, pathname,
99 "invalid_pcr", "open_writers"); 121 "invalid_pcr", "open_writers");
100 kfree(pathbuf); 122 kfree(pathbuf);
101} 123}
@@ -144,9 +166,12 @@ static int process_measurement(struct file *file, const char *filename,
144{ 166{
145 struct inode *inode = file_inode(file); 167 struct inode *inode = file_inode(file);
146 struct integrity_iint_cache *iint; 168 struct integrity_iint_cache *iint;
169 struct ima_template_desc *template_desc = ima_template_desc_current();
147 char *pathbuf = NULL; 170 char *pathbuf = NULL;
148 const char *pathname = NULL; 171 const char *pathname = NULL;
149 int rc = -ENOMEM, action, must_appraise, _func; 172 int rc = -ENOMEM, action, must_appraise, _func;
173 struct evm_ima_xattr_data *xattr_value = NULL, **xattr_ptr = NULL;
174 int xattr_len = 0;
150 175
151 if (!ima_initialized || !S_ISREG(inode->i_mode)) 176 if (!ima_initialized || !S_ISREG(inode->i_mode))
152 return 0; 177 return 0;
@@ -185,7 +210,13 @@ static int process_measurement(struct file *file, const char *filename,
185 goto out_digsig; 210 goto out_digsig;
186 } 211 }
187 212
188 rc = ima_collect_measurement(iint, file); 213 if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
214 if (action & IMA_APPRAISE_SUBMASK)
215 xattr_ptr = &xattr_value;
216 } else
217 xattr_ptr = &xattr_value;
218
219 rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);
189 if (rc != 0) 220 if (rc != 0)
190 goto out_digsig; 221 goto out_digsig;
191 222
@@ -194,9 +225,11 @@ static int process_measurement(struct file *file, const char *filename,
194 pathname = (const char *)file->f_dentry->d_name.name; 225 pathname = (const char *)file->f_dentry->d_name.name;
195 226
196 if (action & IMA_MEASURE) 227 if (action & IMA_MEASURE)
197 ima_store_measurement(iint, file, pathname); 228 ima_store_measurement(iint, file, pathname,
229 xattr_value, xattr_len);
198 if (action & IMA_APPRAISE_SUBMASK) 230 if (action & IMA_APPRAISE_SUBMASK)
199 rc = ima_appraise_measurement(_func, iint, file, pathname); 231 rc = ima_appraise_measurement(_func, iint, file, pathname,
232 xattr_value, xattr_len);
200 if (action & IMA_AUDIT) 233 if (action & IMA_AUDIT)
201 ima_audit_measurement(iint, pathname); 234 ima_audit_measurement(iint, pathname);
202 kfree(pathbuf); 235 kfree(pathbuf);
@@ -205,6 +238,7 @@ out_digsig:
205 rc = -EACCES; 238 rc = -EACCES;
206out: 239out:
207 mutex_unlock(&inode->i_mutex); 240 mutex_unlock(&inode->i_mutex);
241 kfree(xattr_value);
208 if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) 242 if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
209 return -EACCES; 243 return -EACCES;
210 return 0; 244 return 0;
@@ -244,9 +278,9 @@ int ima_file_mmap(struct file *file, unsigned long prot)
244int ima_bprm_check(struct linux_binprm *bprm) 278int ima_bprm_check(struct linux_binprm *bprm)
245{ 279{
246 return process_measurement(bprm->file, 280 return process_measurement(bprm->file,
247 (strcmp(bprm->filename, bprm->interp) == 0) ? 281 (strcmp(bprm->filename, bprm->interp) == 0) ?
248 bprm->filename : bprm->interp, 282 bprm->filename : bprm->interp,
249 MAY_EXEC, BPRM_CHECK); 283 MAY_EXEC, BPRM_CHECK);
250} 284}
251 285
252/** 286/**
@@ -263,8 +297,8 @@ int ima_file_check(struct file *file, int mask)
263{ 297{
264 ima_rdwr_violation_check(file); 298 ima_rdwr_violation_check(file);
265 return process_measurement(file, NULL, 299 return process_measurement(file, NULL,
266 mask & (MAY_READ | MAY_WRITE | MAY_EXEC), 300 mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
267 FILE_CHECK); 301 FILE_CHECK);
268} 302}
269EXPORT_SYMBOL_GPL(ima_file_check); 303EXPORT_SYMBOL_GPL(ima_file_check);
270 304
@@ -294,6 +328,7 @@ static int __init init_ima(void)
294{ 328{
295 int error; 329 int error;
296 330
331 hash_setup(CONFIG_IMA_DEFAULT_HASH);
297 error = ima_init(); 332 error = ima_init();
298 if (!error) 333 if (!error)
299 ima_initialized = 1; 334 ima_initialized = 1;
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 399433ad614e..a9c3d3cd1990 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -73,7 +73,6 @@ static struct ima_rule_entry default_rules[] = {
73 {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC}, 73 {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
74 {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC}, 74 {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
75 {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC}, 75 {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
76 {.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
77 {.action = DONT_MEASURE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC}, 76 {.action = DONT_MEASURE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
78 {.action = DONT_MEASURE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC}, 77 {.action = DONT_MEASURE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
79 {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC}, 78 {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index ff63fe00c195..d85e99761f4f 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -50,7 +50,7 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value)
50 key = ima_hash_key(digest_value); 50 key = ima_hash_key(digest_value);
51 rcu_read_lock(); 51 rcu_read_lock();
52 hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) { 52 hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) {
53 rc = memcmp(qe->entry->digest, digest_value, IMA_DIGEST_SIZE); 53 rc = memcmp(qe->entry->digest, digest_value, TPM_DIGEST_SIZE);
54 if (rc == 0) { 54 if (rc == 0) {
55 ret = qe; 55 ret = qe;
56 break; 56 break;
@@ -104,9 +104,10 @@ static int ima_pcr_extend(const u8 *hash)
104 * and extend the pcr. 104 * and extend the pcr.
105 */ 105 */
106int ima_add_template_entry(struct ima_template_entry *entry, int violation, 106int ima_add_template_entry(struct ima_template_entry *entry, int violation,
107 const char *op, struct inode *inode) 107 const char *op, struct inode *inode,
108 const unsigned char *filename)
108{ 109{
109 u8 digest[IMA_DIGEST_SIZE]; 110 u8 digest[TPM_DIGEST_SIZE];
110 const char *audit_cause = "hash_added"; 111 const char *audit_cause = "hash_added";
111 char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX]; 112 char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
112 int audit_info = 1; 113 int audit_info = 1;
@@ -141,8 +142,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
141 } 142 }
142out: 143out:
143 mutex_unlock(&ima_extend_list_mutex); 144 mutex_unlock(&ima_extend_list_mutex);
144 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, 145 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
145 entry->template.file_name,
146 op, audit_cause, result, audit_info); 146 op, audit_cause, result, audit_info);
147 return result; 147 return result;
148} 148}
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
new file mode 100644
index 000000000000..4e5da990630b
--- /dev/null
+++ b/security/integrity/ima/ima_template.c
@@ -0,0 +1,178 @@
1/*
2 * Copyright (C) 2013 Politecnico di Torino, Italy
3 * TORSEC group -- http://security.polito.it
4 *
5 * Author: Roberto Sassu <roberto.sassu@polito.it>
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation, version 2 of the
10 * License.
11 *
12 * File: ima_template.c
13 * Helpers to manage template descriptors.
14 */
15#include <crypto/hash_info.h>
16
17#include "ima.h"
18#include "ima_template_lib.h"
19
20static struct ima_template_desc defined_templates[] = {
21 {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
22 {.name = "ima-ng",.fmt = "d-ng|n-ng"},
23 {.name = "ima-sig",.fmt = "d-ng|n-ng|sig"},
24};
25
26static struct ima_template_field supported_fields[] = {
27 {.field_id = "d",.field_init = ima_eventdigest_init,
28 .field_show = ima_show_template_digest},
29 {.field_id = "n",.field_init = ima_eventname_init,
30 .field_show = ima_show_template_string},
31 {.field_id = "d-ng",.field_init = ima_eventdigest_ng_init,
32 .field_show = ima_show_template_digest_ng},
33 {.field_id = "n-ng",.field_init = ima_eventname_ng_init,
34 .field_show = ima_show_template_string},
35 {.field_id = "sig",.field_init = ima_eventsig_init,
36 .field_show = ima_show_template_sig},
37};
38
39static struct ima_template_desc *ima_template;
40static struct ima_template_desc *lookup_template_desc(const char *name);
41
42static int __init ima_template_setup(char *str)
43{
44 struct ima_template_desc *template_desc;
45 int template_len = strlen(str);
46
47 /*
48 * Verify that a template with the supplied name exists.
49 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
50 */
51 template_desc = lookup_template_desc(str);
52 if (!template_desc)
53 return 1;
54
55 /*
56 * Verify whether the current hash algorithm is supported
57 * by the 'ima' template.
58 */
59 if (template_len == 3 && strcmp(str, IMA_TEMPLATE_IMA_NAME) == 0 &&
60 ima_hash_algo != HASH_ALGO_SHA1 && ima_hash_algo != HASH_ALGO_MD5) {
61 pr_err("IMA: template does not support hash alg\n");
62 return 1;
63 }
64
65 ima_template = template_desc;
66 return 1;
67}
68__setup("ima_template=", ima_template_setup);
69
70static struct ima_template_desc *lookup_template_desc(const char *name)
71{
72 int i;
73
74 for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
75 if (strcmp(defined_templates[i].name, name) == 0)
76 return defined_templates + i;
77 }
78
79 return NULL;
80}
81
82static struct ima_template_field *lookup_template_field(const char *field_id)
83{
84 int i;
85
86 for (i = 0; i < ARRAY_SIZE(supported_fields); i++)
87 if (strncmp(supported_fields[i].field_id, field_id,
88 IMA_TEMPLATE_FIELD_ID_MAX_LEN) == 0)
89 return &supported_fields[i];
90 return NULL;
91}
92
93static int template_fmt_size(char *template_fmt)
94{
95 char c;
96 int template_fmt_len = strlen(template_fmt);
97 int i = 0, j = 0;
98
99 while (i < template_fmt_len) {
100 c = template_fmt[i];
101 if (c == '|')
102 j++;
103 i++;
104 }
105
106 return j + 1;
107}
108
109static int template_desc_init_fields(char *template_fmt,
110 struct ima_template_field ***fields,
111 int *num_fields)
112{
113 char *c, *template_fmt_ptr = template_fmt;
114 int template_num_fields = template_fmt_size(template_fmt);
115 int i, result = 0;
116
117 if (template_num_fields > IMA_TEMPLATE_NUM_FIELDS_MAX)
118 return -EINVAL;
119
120 *fields = kzalloc(template_num_fields * sizeof(*fields), GFP_KERNEL);
121 if (*fields == NULL) {
122 result = -ENOMEM;
123 goto out;
124 }
125 for (i = 0; (c = strsep(&template_fmt_ptr, "|")) != NULL &&
126 i < template_num_fields; i++) {
127 struct ima_template_field *f = lookup_template_field(c);
128
129 if (!f) {
130 result = -ENOENT;
131 goto out;
132 }
133 (*fields)[i] = f;
134 }
135 *num_fields = i;
136 return 0;
137out:
138 kfree(*fields);
139 *fields = NULL;
140 return result;
141}
142
143static int init_defined_templates(void)
144{
145 int i = 0;
146 int result = 0;
147
148 /* Init defined templates. */
149 for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
150 struct ima_template_desc *template = &defined_templates[i];
151
152 result = template_desc_init_fields(template->fmt,
153 &(template->fields),
154 &(template->num_fields));
155 if (result < 0)
156 return result;
157 }
158 return result;
159}
160
161struct ima_template_desc *ima_template_desc_current(void)
162{
163 if (!ima_template)
164 ima_template =
165 lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE);
166 return ima_template;
167}
168
169int ima_init_template(void)
170{
171 int result;
172
173 result = init_defined_templates();
174 if (result < 0)
175 return result;
176
177 return 0;
178}
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
new file mode 100644
index 000000000000..6d66ad6ed265
--- /dev/null
+++ b/security/integrity/ima/ima_template_lib.c
@@ -0,0 +1,347 @@
1/*
2 * Copyright (C) 2013 Politecnico di Torino, Italy
3 * TORSEC group -- http://security.polito.it
4 *
5 * Author: Roberto Sassu <roberto.sassu@polito.it>
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation, version 2 of the
10 * License.
11 *
12 * File: ima_template_lib.c
13 * Library of supported template fields.
14 */
15#include <crypto/hash_info.h>
16
17#include "ima_template_lib.h"
18
19static bool ima_template_hash_algo_allowed(u8 algo)
20{
21 if (algo == HASH_ALGO_SHA1 || algo == HASH_ALGO_MD5)
22 return true;
23
24 return false;
25}
26
27enum data_formats {
28 DATA_FMT_DIGEST = 0,
29 DATA_FMT_DIGEST_WITH_ALGO,
30 DATA_FMT_EVENT_NAME,
31 DATA_FMT_STRING,
32 DATA_FMT_HEX
33};
34
35static int ima_write_template_field_data(const void *data, const u32 datalen,
36 enum data_formats datafmt,
37 struct ima_field_data *field_data)
38{
39 u8 *buf, *buf_ptr;
40 u32 buflen;
41
42 switch (datafmt) {
43 case DATA_FMT_EVENT_NAME:
44 buflen = IMA_EVENT_NAME_LEN_MAX + 1;
45 break;
46 case DATA_FMT_STRING:
47 buflen = datalen + 1;
48 break;
49 default:
50 buflen = datalen;
51 }
52
53 buf = kzalloc(buflen, GFP_KERNEL);
54 if (!buf)
55 return -ENOMEM;
56
57 memcpy(buf, data, datalen);
58
59 /*
60 * Replace all space characters with underscore for event names and
61 * strings. This avoid that, during the parsing of a measurements list,
62 * filenames with spaces or that end with the suffix ' (deleted)' are
63 * split into multiple template fields (the space is the delimitator
64 * character for measurements lists in ASCII format).
65 */
66 if (datafmt == DATA_FMT_EVENT_NAME || datafmt == DATA_FMT_STRING) {
67 for (buf_ptr = buf; buf_ptr - buf < datalen; buf_ptr++)
68 if (*buf_ptr == ' ')
69 *buf_ptr = '_';
70 }
71
72 field_data->data = buf;
73 field_data->len = buflen;
74 return 0;
75}
76
77static void ima_show_template_data_ascii(struct seq_file *m,
78 enum ima_show_type show,
79 enum data_formats datafmt,
80 struct ima_field_data *field_data)
81{
82 u8 *buf_ptr = field_data->data, buflen = field_data->len;
83
84 switch (datafmt) {
85 case DATA_FMT_DIGEST_WITH_ALGO:
86 buf_ptr = strnchr(field_data->data, buflen, ':');
87 if (buf_ptr != field_data->data)
88 seq_printf(m, "%s", field_data->data);
89
90 /* skip ':' and '\0' */
91 buf_ptr += 2;
92 buflen -= buf_ptr - field_data->data;
93 case DATA_FMT_DIGEST:
94 case DATA_FMT_HEX:
95 if (!buflen)
96 break;
97 ima_print_digest(m, buf_ptr, buflen);
98 break;
99 case DATA_FMT_STRING:
100 seq_printf(m, "%s", buf_ptr);
101 break;
102 default:
103 break;
104 }
105}
106
107static void ima_show_template_data_binary(struct seq_file *m,
108 enum ima_show_type show,
109 enum data_formats datafmt,
110 struct ima_field_data *field_data)
111{
112 ima_putc(m, &field_data->len, sizeof(u32));
113 if (!field_data->len)
114 return;
115 ima_putc(m, field_data->data, field_data->len);
116}
117
118static void ima_show_template_field_data(struct seq_file *m,
119 enum ima_show_type show,
120 enum data_formats datafmt,
121 struct ima_field_data *field_data)
122{
123 switch (show) {
124 case IMA_SHOW_ASCII:
125 ima_show_template_data_ascii(m, show, datafmt, field_data);
126 break;
127 case IMA_SHOW_BINARY:
128 ima_show_template_data_binary(m, show, datafmt, field_data);
129 break;
130 default:
131 break;
132 }
133}
134
135void ima_show_template_digest(struct seq_file *m, enum ima_show_type show,
136 struct ima_field_data *field_data)
137{
138 ima_show_template_field_data(m, show, DATA_FMT_DIGEST, field_data);
139}
140
141void ima_show_template_digest_ng(struct seq_file *m, enum ima_show_type show,
142 struct ima_field_data *field_data)
143{
144 ima_show_template_field_data(m, show, DATA_FMT_DIGEST_WITH_ALGO,
145 field_data);
146}
147
148void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
149 struct ima_field_data *field_data)
150{
151 ima_show_template_field_data(m, show, DATA_FMT_STRING, field_data);
152}
153
154void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
155 struct ima_field_data *field_data)
156{
157 ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data);
158}
159
160static int ima_eventdigest_init_common(u8 *digest, u32 digestsize, u8 hash_algo,
161 struct ima_field_data *field_data,
162 bool size_limit)
163{
164 /*
165 * digest formats:
166 * - DATA_FMT_DIGEST: digest
167 * - DATA_FMT_DIGEST_WITH_ALGO: [<hash algo>] + ':' + '\0' + digest,
168 * where <hash algo> is provided if the hash algoritm is not
169 * SHA1 or MD5
170 */
171 u8 buffer[CRYPTO_MAX_ALG_NAME + 2 + IMA_MAX_DIGEST_SIZE] = { 0 };
172 enum data_formats fmt = DATA_FMT_DIGEST;
173 u32 offset = 0;
174
175 if (!size_limit) {
176 fmt = DATA_FMT_DIGEST_WITH_ALGO;
177 if (hash_algo < HASH_ALGO__LAST)
178 offset += snprintf(buffer, CRYPTO_MAX_ALG_NAME + 1,
179 "%s", hash_algo_name[hash_algo]);
180 buffer[offset] = ':';
181 offset += 2;
182 }
183
184 if (digest)
185 memcpy(buffer + offset, digest, digestsize);
186 else
187 /*
188 * If digest is NULL, the event being recorded is a violation.
189 * Make room for the digest by increasing the offset of
190 * IMA_DIGEST_SIZE.
191 */
192 offset += IMA_DIGEST_SIZE;
193
194 return ima_write_template_field_data(buffer, offset + digestsize,
195 fmt, field_data);
196}
197
198/*
199 * This function writes the digest of an event (with size limit).
200 */
201int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file,
202 const unsigned char *filename,
203 struct evm_ima_xattr_data *xattr_value, int xattr_len,
204 struct ima_field_data *field_data)
205{
206 struct {
207 struct ima_digest_data hdr;
208 char digest[IMA_MAX_DIGEST_SIZE];
209 } hash;
210 u8 *cur_digest = NULL;
211 u32 cur_digestsize = 0;
212 struct inode *inode;
213 int result;
214
215 memset(&hash, 0, sizeof(hash));
216
217 if (!iint) /* recording a violation. */
218 goto out;
219
220 if (ima_template_hash_algo_allowed(iint->ima_hash->algo)) {
221 cur_digest = iint->ima_hash->digest;
222 cur_digestsize = iint->ima_hash->length;
223 goto out;
224 }
225
226 if (!file) /* missing info to re-calculate the digest */
227 return -EINVAL;
228
229 inode = file_inode(file);
230 hash.hdr.algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
231 ima_hash_algo : HASH_ALGO_SHA1;
232 result = ima_calc_file_hash(file, &hash.hdr);
233 if (result) {
234 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
235 filename, "collect_data",
236 "failed", result, 0);
237 return result;
238 }
239 cur_digest = hash.hdr.digest;
240 cur_digestsize = hash.hdr.length;
241out:
242 return ima_eventdigest_init_common(cur_digest, cur_digestsize, -1,
243 field_data, true);
244}
245
246/*
247 * This function writes the digest of an event (without size limit).
248 */
249int ima_eventdigest_ng_init(struct integrity_iint_cache *iint,
250 struct file *file, const unsigned char *filename,
251 struct evm_ima_xattr_data *xattr_value,
252 int xattr_len, struct ima_field_data *field_data)
253{
254 u8 *cur_digest = NULL, hash_algo = HASH_ALGO__LAST;
255 u32 cur_digestsize = 0;
256
257 /* If iint is NULL, we are recording a violation. */
258 if (!iint)
259 goto out;
260
261 cur_digest = iint->ima_hash->digest;
262 cur_digestsize = iint->ima_hash->length;
263
264 hash_algo = iint->ima_hash->algo;
265out:
266 return ima_eventdigest_init_common(cur_digest, cur_digestsize,
267 hash_algo, field_data, false);
268}
269
270static int ima_eventname_init_common(struct integrity_iint_cache *iint,
271 struct file *file,
272 const unsigned char *filename,
273 struct ima_field_data *field_data,
274 bool size_limit)
275{
276 const char *cur_filename = NULL;
277 u32 cur_filename_len = 0;
278 enum data_formats fmt = size_limit ?
279 DATA_FMT_EVENT_NAME : DATA_FMT_STRING;
280
281 BUG_ON(filename == NULL && file == NULL);
282
283 if (filename) {
284 cur_filename = filename;
285 cur_filename_len = strlen(filename);
286
287 if (!size_limit || cur_filename_len <= IMA_EVENT_NAME_LEN_MAX)
288 goto out;
289 }
290
291 if (file) {
292 cur_filename = file->f_dentry->d_name.name;
293 cur_filename_len = strlen(cur_filename);
294 } else
295 /*
296 * Truncate filename if the latter is too long and
297 * the file descriptor is not available.
298 */
299 cur_filename_len = IMA_EVENT_NAME_LEN_MAX;
300out:
301 return ima_write_template_field_data(cur_filename, cur_filename_len,
302 fmt, field_data);
303}
304
305/*
306 * This function writes the name of an event (with size limit).
307 */
308int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file,
309 const unsigned char *filename,
310 struct evm_ima_xattr_data *xattr_value, int xattr_len,
311 struct ima_field_data *field_data)
312{
313 return ima_eventname_init_common(iint, file, filename,
314 field_data, true);
315}
316
317/*
318 * This function writes the name of an event (without size limit).
319 */
320int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file,
321 const unsigned char *filename,
322 struct evm_ima_xattr_data *xattr_value, int xattr_len,
323 struct ima_field_data *field_data)
324{
325 return ima_eventname_init_common(iint, file, filename,
326 field_data, false);
327}
328
329/*
330 * ima_eventsig_init - include the file signature as part of the template data
331 */
332int ima_eventsig_init(struct integrity_iint_cache *iint, struct file *file,
333 const unsigned char *filename,
334 struct evm_ima_xattr_data *xattr_value, int xattr_len,
335 struct ima_field_data *field_data)
336{
337 enum data_formats fmt = DATA_FMT_HEX;
338 int rc = 0;
339
340 if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
341 goto out;
342
343 rc = ima_write_template_field_data(xattr_value, xattr_len, fmt,
344 field_data);
345out:
346 return rc;
347}
diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h
new file mode 100644
index 000000000000..63f6b52cb1c2
--- /dev/null
+++ b/security/integrity/ima/ima_template_lib.h
@@ -0,0 +1,49 @@
1/*
2 * Copyright (C) 2013 Politecnico di Torino, Italy
3 * TORSEC group -- http://security.polito.it
4 *
5 * Author: Roberto Sassu <roberto.sassu@polito.it>
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation, version 2 of the
10 * License.
11 *
12 * File: ima_template_lib.h
13 * Header for the library of supported template fields.
14 */
15#ifndef __LINUX_IMA_TEMPLATE_LIB_H
16#define __LINUX_IMA_TEMPLATE_LIB_H
17
18#include <linux/seq_file.h>
19#include "ima.h"
20
21void ima_show_template_digest(struct seq_file *m, enum ima_show_type show,
22 struct ima_field_data *field_data);
23void ima_show_template_digest_ng(struct seq_file *m, enum ima_show_type show,
24 struct ima_field_data *field_data);
25void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
26 struct ima_field_data *field_data);
27void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
28 struct ima_field_data *field_data);
29int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file,
30 const unsigned char *filename,
31 struct evm_ima_xattr_data *xattr_value, int xattr_len,
32 struct ima_field_data *field_data);
33int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file,
34 const unsigned char *filename,
35 struct evm_ima_xattr_data *xattr_value, int xattr_len,
36 struct ima_field_data *field_data);
37int ima_eventdigest_ng_init(struct integrity_iint_cache *iint,
38 struct file *file, const unsigned char *filename,
39 struct evm_ima_xattr_data *xattr_value,
40 int xattr_len, struct ima_field_data *field_data);
41int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file,
42 const unsigned char *filename,
43 struct evm_ima_xattr_data *xattr_value, int xattr_len,
44 struct ima_field_data *field_data);
45int ima_eventsig_init(struct integrity_iint_cache *iint, struct file *file,
46 const unsigned char *filename,
47 struct evm_ima_xattr_data *xattr_value, int xattr_len,
48 struct ima_field_data *field_data);
49#endif /* __LINUX_IMA_TEMPLATE_LIB_H */
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index c42fb7a70dee..b9e7c133734a 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -54,25 +54,57 @@ enum evm_ima_xattr_type {
54 IMA_XATTR_DIGEST = 0x01, 54 IMA_XATTR_DIGEST = 0x01,
55 EVM_XATTR_HMAC, 55 EVM_XATTR_HMAC,
56 EVM_IMA_XATTR_DIGSIG, 56 EVM_IMA_XATTR_DIGSIG,
57 IMA_XATTR_DIGEST_NG,
57}; 58};
58 59
59struct evm_ima_xattr_data { 60struct evm_ima_xattr_data {
60 u8 type; 61 u8 type;
61 u8 digest[SHA1_DIGEST_SIZE]; 62 u8 digest[SHA1_DIGEST_SIZE];
62} __attribute__((packed)); 63} __packed;
64
65#define IMA_MAX_DIGEST_SIZE 64
66
67struct ima_digest_data {
68 u8 algo;
69 u8 length;
70 union {
71 struct {
72 u8 unused;
73 u8 type;
74 } sha1;
75 struct {
76 u8 type;
77 u8 algo;
78 } ng;
79 u8 data[2];
80 } xattr;
81 u8 digest[0];
82} __packed;
83
84/*
85 * signature format v2 - for using with asymmetric keys
86 */
87struct signature_v2_hdr {
88 uint8_t type; /* xattr type */
89 uint8_t version; /* signature format version */
90 uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */
91 uint32_t keyid; /* IMA key identifier - not X509/PGP specific */
92 uint16_t sig_size; /* signature size */
93 uint8_t sig[0]; /* signature payload */
94} __packed;
63 95
64/* integrity data associated with an inode */ 96/* integrity data associated with an inode */
65struct integrity_iint_cache { 97struct integrity_iint_cache {
66 struct rb_node rb_node; /* rooted in integrity_iint_tree */ 98 struct rb_node rb_node; /* rooted in integrity_iint_tree */
67 struct inode *inode; /* back pointer to inode in question */ 99 struct inode *inode; /* back pointer to inode in question */
68 u64 version; /* track inode changes */ 100 u64 version; /* track inode changes */
69 unsigned long flags; 101 unsigned long flags;
70 struct evm_ima_xattr_data ima_xattr;
71 enum integrity_status ima_file_status:4; 102 enum integrity_status ima_file_status:4;
72 enum integrity_status ima_mmap_status:4; 103 enum integrity_status ima_mmap_status:4;
73 enum integrity_status ima_bprm_status:4; 104 enum integrity_status ima_bprm_status:4;
74 enum integrity_status ima_module_status:4; 105 enum integrity_status ima_module_status:4;
75 enum integrity_status evm_status:4; 106 enum integrity_status evm_status:4;
107 struct ima_digest_data *ima_hash;
76}; 108};
77 109
78/* rbtree tree calls to lookup, insert, delete 110/* rbtree tree calls to lookup, insert, delete
@@ -89,7 +121,7 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
89#ifdef CONFIG_INTEGRITY_SIGNATURE 121#ifdef CONFIG_INTEGRITY_SIGNATURE
90 122
91int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, 123int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
92 const char *digest, int digestlen); 124 const char *digest, int digestlen);
93 125
94#else 126#else
95 127
@@ -105,12 +137,19 @@ static inline int integrity_digsig_verify(const unsigned int id,
105#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS 137#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
106int asymmetric_verify(struct key *keyring, const char *sig, 138int asymmetric_verify(struct key *keyring, const char *sig,
107 int siglen, const char *data, int datalen); 139 int siglen, const char *data, int datalen);
140
141int integrity_init_keyring(const unsigned int id);
108#else 142#else
109static inline int asymmetric_verify(struct key *keyring, const char *sig, 143static inline int asymmetric_verify(struct key *keyring, const char *sig,
110 int siglen, const char *data, int datalen) 144 int siglen, const char *data, int datalen)
111{ 145{
112 return -EOPNOTSUPP; 146 return -EOPNOTSUPP;
113} 147}
148
149static int integrity_init_keyring(const unsigned int id)
150{
151 return 0;
152}
114#endif 153#endif
115 154
116#ifdef CONFIG_INTEGRITY_AUDIT 155#ifdef CONFIG_INTEGRITY_AUDIT
diff --git a/security/keys/Kconfig b/security/keys/Kconfig
index a90d6d300dbd..a4f3f8c48d6e 100644
--- a/security/keys/Kconfig
+++ b/security/keys/Kconfig
@@ -4,6 +4,7 @@
4 4
5config KEYS 5config KEYS
6 bool "Enable access key retention support" 6 bool "Enable access key retention support"
7 select ASSOCIATIVE_ARRAY
7 help 8 help
8 This option provides support for retaining authentication tokens and 9 This option provides support for retaining authentication tokens and
9 access keys in the kernel. 10 access keys in the kernel.
@@ -19,6 +20,34 @@ config KEYS
19 20
20 If you are unsure as to whether this is required, answer N. 21 If you are unsure as to whether this is required, answer N.
21 22
23config PERSISTENT_KEYRINGS
24 bool "Enable register of persistent per-UID keyrings"
25 depends on KEYS
26 help
27 This option provides a register of persistent per-UID keyrings,
28 primarily aimed at Kerberos key storage. The keyrings are persistent
29 in the sense that they stay around after all processes of that UID
30 have exited, not that they survive the machine being rebooted.
31
32 A particular keyring may be accessed by either the user whose keyring
33 it is or by a process with administrative privileges. The active
34 LSMs gets to rule on which admin-level processes get to access the
35 cache.
36
37 Keyrings are created and added into the register upon demand and get
38 removed if they expire (a default timeout is set upon creation).
39
40config BIG_KEYS
41 bool "Large payload keys"
42 depends on KEYS
43 depends on TMPFS
44 help
45 This option provides support for holding large keys within the kernel
46 (for example Kerberos ticket caches). The data may be stored out to
47 swapspace by tmpfs.
48
49 If you are unsure as to whether this is required, answer N.
50
22config TRUSTED_KEYS 51config TRUSTED_KEYS
23 tristate "TRUSTED KEYS" 52 tristate "TRUSTED KEYS"
24 depends on KEYS && TCG_TPM 53 depends on KEYS && TCG_TPM
diff --git a/security/keys/Makefile b/security/keys/Makefile
index 504aaa008388..dfb3a7bededf 100644
--- a/security/keys/Makefile
+++ b/security/keys/Makefile
@@ -18,9 +18,11 @@ obj-y := \
18obj-$(CONFIG_KEYS_COMPAT) += compat.o 18obj-$(CONFIG_KEYS_COMPAT) += compat.o
19obj-$(CONFIG_PROC_FS) += proc.o 19obj-$(CONFIG_PROC_FS) += proc.o
20obj-$(CONFIG_SYSCTL) += sysctl.o 20obj-$(CONFIG_SYSCTL) += sysctl.o
21obj-$(CONFIG_PERSISTENT_KEYRINGS) += persistent.o
21 22
22# 23#
23# Key types 24# Key types
24# 25#
26obj-$(CONFIG_BIG_KEYS) += big_key.o
25obj-$(CONFIG_TRUSTED_KEYS) += trusted.o 27obj-$(CONFIG_TRUSTED_KEYS) += trusted.o
26obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/ 28obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/
diff --git a/security/keys/big_key.c b/security/keys/big_key.c
new file mode 100644
index 000000000000..7f44c3207a9b
--- /dev/null
+++ b/security/keys/big_key.c
@@ -0,0 +1,207 @@
1/* Large capacity key type
2 *
3 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/seq_file.h>
15#include <linux/file.h>
16#include <linux/shmem_fs.h>
17#include <linux/err.h>
18#include <keys/user-type.h>
19#include <keys/big_key-type.h>
20
21MODULE_LICENSE("GPL");
22
23/*
24 * If the data is under this limit, there's no point creating a shm file to
25 * hold it as the permanently resident metadata for the shmem fs will be at
26 * least as large as the data.
27 */
28#define BIG_KEY_FILE_THRESHOLD (sizeof(struct inode) + sizeof(struct dentry))
29
30/*
31 * big_key defined keys take an arbitrary string as the description and an
32 * arbitrary blob of data as the payload
33 */
34struct key_type key_type_big_key = {
35 .name = "big_key",
36 .def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
37 .instantiate = big_key_instantiate,
38 .match = user_match,
39 .revoke = big_key_revoke,
40 .destroy = big_key_destroy,
41 .describe = big_key_describe,
42 .read = big_key_read,
43};
44
45/*
46 * Instantiate a big key
47 */
48int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
49{
50 struct path *path = (struct path *)&key->payload.data2;
51 struct file *file;
52 ssize_t written;
53 size_t datalen = prep->datalen;
54 int ret;
55
56 ret = -EINVAL;
57 if (datalen <= 0 || datalen > 1024 * 1024 || !prep->data)
58 goto error;
59
60 /* Set an arbitrary quota */
61 ret = key_payload_reserve(key, 16);
62 if (ret < 0)
63 goto error;
64
65 key->type_data.x[1] = datalen;
66
67 if (datalen > BIG_KEY_FILE_THRESHOLD) {
68 /* Create a shmem file to store the data in. This will permit the data
69 * to be swapped out if needed.
70 *
71 * TODO: Encrypt the stored data with a temporary key.
72 */
73 file = shmem_file_setup("", datalen, 0);
74 if (IS_ERR(file)) {
75 ret = PTR_ERR(file);
76 goto err_quota;
77 }
78
79 written = kernel_write(file, prep->data, prep->datalen, 0);
80 if (written != datalen) {
81 ret = written;
82 if (written >= 0)
83 ret = -ENOMEM;
84 goto err_fput;
85 }
86
87 /* Pin the mount and dentry to the key so that we can open it again
88 * later
89 */
90 *path = file->f_path;
91 path_get(path);
92 fput(file);
93 } else {
94 /* Just store the data in a buffer */
95 void *data = kmalloc(datalen, GFP_KERNEL);
96 if (!data) {
97 ret = -ENOMEM;
98 goto err_quota;
99 }
100
101 key->payload.data = memcpy(data, prep->data, prep->datalen);
102 }
103 return 0;
104
105err_fput:
106 fput(file);
107err_quota:
108 key_payload_reserve(key, 0);
109error:
110 return ret;
111}
112
113/*
114 * dispose of the links from a revoked keyring
115 * - called with the key sem write-locked
116 */
117void big_key_revoke(struct key *key)
118{
119 struct path *path = (struct path *)&key->payload.data2;
120
121 /* clear the quota */
122 key_payload_reserve(key, 0);
123 if (key_is_instantiated(key) && key->type_data.x[1] > BIG_KEY_FILE_THRESHOLD)
124 vfs_truncate(path, 0);
125}
126
127/*
128 * dispose of the data dangling from the corpse of a big_key key
129 */
130void big_key_destroy(struct key *key)
131{
132 if (key->type_data.x[1] > BIG_KEY_FILE_THRESHOLD) {
133 struct path *path = (struct path *)&key->payload.data2;
134 path_put(path);
135 path->mnt = NULL;
136 path->dentry = NULL;
137 } else {
138 kfree(key->payload.data);
139 key->payload.data = NULL;
140 }
141}
142
143/*
144 * describe the big_key key
145 */
146void big_key_describe(const struct key *key, struct seq_file *m)
147{
148 unsigned long datalen = key->type_data.x[1];
149
150 seq_puts(m, key->description);
151
152 if (key_is_instantiated(key))
153 seq_printf(m, ": %lu [%s]",
154 datalen,
155 datalen > BIG_KEY_FILE_THRESHOLD ? "file" : "buff");
156}
157
158/*
159 * read the key data
160 * - the key's semaphore is read-locked
161 */
162long big_key_read(const struct key *key, char __user *buffer, size_t buflen)
163{
164 unsigned long datalen = key->type_data.x[1];
165 long ret;
166
167 if (!buffer || buflen < datalen)
168 return datalen;
169
170 if (datalen > BIG_KEY_FILE_THRESHOLD) {
171 struct path *path = (struct path *)&key->payload.data2;
172 struct file *file;
173 loff_t pos;
174
175 file = dentry_open(path, O_RDONLY, current_cred());
176 if (IS_ERR(file))
177 return PTR_ERR(file);
178
179 pos = 0;
180 ret = vfs_read(file, buffer, datalen, &pos);
181 fput(file);
182 if (ret >= 0 && ret != datalen)
183 ret = -EIO;
184 } else {
185 ret = datalen;
186 if (copy_to_user(buffer, key->payload.data, datalen) != 0)
187 ret = -EFAULT;
188 }
189
190 return ret;
191}
192
193/*
194 * Module stuff
195 */
196static int __init big_key_init(void)
197{
198 return register_key_type(&key_type_big_key);
199}
200
201static void __exit big_key_cleanup(void)
202{
203 unregister_key_type(&key_type_big_key);
204}
205
206module_init(big_key_init);
207module_exit(big_key_cleanup);
diff --git a/security/keys/compat.c b/security/keys/compat.c
index d65fa7fa29ba..bbd32c729dbb 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -138,6 +138,9 @@ asmlinkage long compat_sys_keyctl(u32 option,
138 case KEYCTL_INVALIDATE: 138 case KEYCTL_INVALIDATE:
139 return keyctl_invalidate_key(arg2); 139 return keyctl_invalidate_key(arg2);
140 140
141 case KEYCTL_GET_PERSISTENT:
142 return keyctl_get_persistent(arg2, arg3);
143
141 default: 144 default:
142 return -EOPNOTSUPP; 145 return -EOPNOTSUPP;
143 } 146 }
diff --git a/security/keys/gc.c b/security/keys/gc.c
index d67c97bb1025..d3222b6d7d59 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -131,50 +131,6 @@ void key_gc_keytype(struct key_type *ktype)
131} 131}
132 132
133/* 133/*
134 * Garbage collect pointers from a keyring.
135 *
136 * Not called with any locks held. The keyring's key struct will not be
137 * deallocated under us as only our caller may deallocate it.
138 */
139static void key_gc_keyring(struct key *keyring, time_t limit)
140{
141 struct keyring_list *klist;
142 int loop;
143
144 kenter("%x", key_serial(keyring));
145
146 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
147 (1 << KEY_FLAG_REVOKED)))
148 goto dont_gc;
149
150 /* scan the keyring looking for dead keys */
151 rcu_read_lock();
152 klist = rcu_dereference(keyring->payload.subscriptions);
153 if (!klist)
154 goto unlock_dont_gc;
155
156 loop = klist->nkeys;
157 smp_rmb();
158 for (loop--; loop >= 0; loop--) {
159 struct key *key = rcu_dereference(klist->keys[loop]);
160 if (key_is_dead(key, limit))
161 goto do_gc;
162 }
163
164unlock_dont_gc:
165 rcu_read_unlock();
166dont_gc:
167 kleave(" [no gc]");
168 return;
169
170do_gc:
171 rcu_read_unlock();
172
173 keyring_gc(keyring, limit);
174 kleave(" [gc]");
175}
176
177/*
178 * Garbage collect a list of unreferenced, detached keys 134 * Garbage collect a list of unreferenced, detached keys
179 */ 135 */
180static noinline void key_gc_unused_keys(struct list_head *keys) 136static noinline void key_gc_unused_keys(struct list_head *keys)
@@ -392,8 +348,7 @@ found_unreferenced_key:
392 */ 348 */
393found_keyring: 349found_keyring:
394 spin_unlock(&key_serial_lock); 350 spin_unlock(&key_serial_lock);
395 kdebug("scan keyring %d", key->serial); 351 keyring_gc(key, limit);
396 key_gc_keyring(key, limit);
397 goto maybe_resched; 352 goto maybe_resched;
398 353
399 /* We found a dead key that is still referenced. Reset its type and 354 /* We found a dead key that is still referenced. Reset its type and
diff --git a/security/keys/internal.h b/security/keys/internal.h
index d4f1468b9b50..80b2aac4f50c 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -89,42 +89,53 @@ extern struct key_type *key_type_lookup(const char *type);
89extern void key_type_put(struct key_type *ktype); 89extern void key_type_put(struct key_type *ktype);
90 90
91extern int __key_link_begin(struct key *keyring, 91extern int __key_link_begin(struct key *keyring,
92 const struct key_type *type, 92 const struct keyring_index_key *index_key,
93 const char *description, 93 struct assoc_array_edit **_edit);
94 unsigned long *_prealloc);
95extern int __key_link_check_live_key(struct key *keyring, struct key *key); 94extern int __key_link_check_live_key(struct key *keyring, struct key *key);
96extern void __key_link(struct key *keyring, struct key *key, 95extern void __key_link(struct key *key, struct assoc_array_edit **_edit);
97 unsigned long *_prealloc);
98extern void __key_link_end(struct key *keyring, 96extern void __key_link_end(struct key *keyring,
99 struct key_type *type, 97 const struct keyring_index_key *index_key,
100 unsigned long prealloc); 98 struct assoc_array_edit *edit);
101 99
102extern key_ref_t __keyring_search_one(key_ref_t keyring_ref, 100extern key_ref_t find_key_to_update(key_ref_t keyring_ref,
103 const struct key_type *type, 101 const struct keyring_index_key *index_key);
104 const char *description,
105 key_perm_t perm);
106 102
107extern struct key *keyring_search_instkey(struct key *keyring, 103extern struct key *keyring_search_instkey(struct key *keyring,
108 key_serial_t target_id); 104 key_serial_t target_id);
109 105
106extern int iterate_over_keyring(const struct key *keyring,
107 int (*func)(const struct key *key, void *data),
108 void *data);
109
110typedef int (*key_match_func_t)(const struct key *, const void *); 110typedef int (*key_match_func_t)(const struct key *, const void *);
111 111
112struct keyring_search_context {
113 struct keyring_index_key index_key;
114 const struct cred *cred;
115 key_match_func_t match;
116 const void *match_data;
117 unsigned flags;
118#define KEYRING_SEARCH_LOOKUP_TYPE 0x0001 /* [as type->def_lookup_type] */
119#define KEYRING_SEARCH_NO_STATE_CHECK 0x0002 /* Skip state checks */
120#define KEYRING_SEARCH_DO_STATE_CHECK 0x0004 /* Override NO_STATE_CHECK */
121#define KEYRING_SEARCH_NO_UPDATE_TIME 0x0008 /* Don't update times */
122#define KEYRING_SEARCH_NO_CHECK_PERM 0x0010 /* Don't check permissions */
123#define KEYRING_SEARCH_DETECT_TOO_DEEP 0x0020 /* Give an error on excessive depth */
124
125 int (*iterator)(const void *object, void *iterator_data);
126
127 /* Internal stuff */
128 int skipped_ret;
129 bool possessed;
130 key_ref_t result;
131 struct timespec now;
132};
133
112extern key_ref_t keyring_search_aux(key_ref_t keyring_ref, 134extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
113 const struct cred *cred, 135 struct keyring_search_context *ctx);
114 struct key_type *type, 136
115 const void *description, 137extern key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx);
116 key_match_func_t match, 138extern key_ref_t search_process_keyrings(struct keyring_search_context *ctx);
117 bool no_state_check);
118
119extern key_ref_t search_my_process_keyrings(struct key_type *type,
120 const void *description,
121 key_match_func_t match,
122 bool no_state_check,
123 const struct cred *cred);
124extern key_ref_t search_process_keyrings(struct key_type *type,
125 const void *description,
126 key_match_func_t match,
127 const struct cred *cred);
128 139
129extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check); 140extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
130 141
@@ -202,7 +213,7 @@ extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
202/* 213/*
203 * Determine whether a key is dead. 214 * Determine whether a key is dead.
204 */ 215 */
205static inline bool key_is_dead(struct key *key, time_t limit) 216static inline bool key_is_dead(const struct key *key, time_t limit)
206{ 217{
207 return 218 return
208 key->flags & ((1 << KEY_FLAG_DEAD) | 219 key->flags & ((1 << KEY_FLAG_DEAD) |
@@ -244,6 +255,15 @@ extern long keyctl_invalidate_key(key_serial_t);
244extern long keyctl_instantiate_key_common(key_serial_t, 255extern long keyctl_instantiate_key_common(key_serial_t,
245 const struct iovec *, 256 const struct iovec *,
246 unsigned, size_t, key_serial_t); 257 unsigned, size_t, key_serial_t);
258#ifdef CONFIG_PERSISTENT_KEYRINGS
259extern long keyctl_get_persistent(uid_t, key_serial_t);
260extern unsigned persistent_keyring_expiry;
261#else
262static inline long keyctl_get_persistent(uid_t uid, key_serial_t destring)
263{
264 return -EOPNOTSUPP;
265}
266#endif
247 267
248/* 268/*
249 * Debugging key validation 269 * Debugging key validation
diff --git a/security/keys/key.c b/security/keys/key.c
index 8fb7c7bd4657..55d110f0aced 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -242,8 +242,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
242 } 242 }
243 } 243 }
244 244
245 desclen = strlen(desc) + 1; 245 desclen = strlen(desc);
246 quotalen = desclen + type->def_datalen; 246 quotalen = desclen + 1 + type->def_datalen;
247 247
248 /* get hold of the key tracking for this user */ 248 /* get hold of the key tracking for this user */
249 user = key_user_lookup(uid); 249 user = key_user_lookup(uid);
@@ -277,7 +277,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
277 goto no_memory_2; 277 goto no_memory_2;
278 278
279 if (desc) { 279 if (desc) {
280 key->description = kmemdup(desc, desclen, GFP_KERNEL); 280 key->index_key.desc_len = desclen;
281 key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL);
281 if (!key->description) 282 if (!key->description)
282 goto no_memory_3; 283 goto no_memory_3;
283 } 284 }
@@ -285,7 +286,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
285 atomic_set(&key->usage, 1); 286 atomic_set(&key->usage, 1);
286 init_rwsem(&key->sem); 287 init_rwsem(&key->sem);
287 lockdep_set_class(&key->sem, &type->lock_class); 288 lockdep_set_class(&key->sem, &type->lock_class);
288 key->type = type; 289 key->index_key.type = type;
289 key->user = user; 290 key->user = user;
290 key->quotalen = quotalen; 291 key->quotalen = quotalen;
291 key->datalen = type->def_datalen; 292 key->datalen = type->def_datalen;
@@ -299,6 +300,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
299 300
300 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) 301 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
301 key->flags |= 1 << KEY_FLAG_IN_QUOTA; 302 key->flags |= 1 << KEY_FLAG_IN_QUOTA;
303 if (flags & KEY_ALLOC_TRUSTED)
304 key->flags |= 1 << KEY_FLAG_TRUSTED;
302 305
303 memset(&key->type_data, 0, sizeof(key->type_data)); 306 memset(&key->type_data, 0, sizeof(key->type_data));
304 307
@@ -408,7 +411,7 @@ static int __key_instantiate_and_link(struct key *key,
408 struct key_preparsed_payload *prep, 411 struct key_preparsed_payload *prep,
409 struct key *keyring, 412 struct key *keyring,
410 struct key *authkey, 413 struct key *authkey,
411 unsigned long *_prealloc) 414 struct assoc_array_edit **_edit)
412{ 415{
413 int ret, awaken; 416 int ret, awaken;
414 417
@@ -435,7 +438,7 @@ static int __key_instantiate_and_link(struct key *key,
435 438
436 /* and link it into the destination keyring */ 439 /* and link it into the destination keyring */
437 if (keyring) 440 if (keyring)
438 __key_link(keyring, key, _prealloc); 441 __key_link(key, _edit);
439 442
440 /* disable the authorisation key */ 443 /* disable the authorisation key */
441 if (authkey) 444 if (authkey)
@@ -475,7 +478,7 @@ int key_instantiate_and_link(struct key *key,
475 struct key *authkey) 478 struct key *authkey)
476{ 479{
477 struct key_preparsed_payload prep; 480 struct key_preparsed_payload prep;
478 unsigned long prealloc; 481 struct assoc_array_edit *edit;
479 int ret; 482 int ret;
480 483
481 memset(&prep, 0, sizeof(prep)); 484 memset(&prep, 0, sizeof(prep));
@@ -489,17 +492,15 @@ int key_instantiate_and_link(struct key *key,
489 } 492 }
490 493
491 if (keyring) { 494 if (keyring) {
492 ret = __key_link_begin(keyring, key->type, key->description, 495 ret = __key_link_begin(keyring, &key->index_key, &edit);
493 &prealloc);
494 if (ret < 0) 496 if (ret < 0)
495 goto error_free_preparse; 497 goto error_free_preparse;
496 } 498 }
497 499
498 ret = __key_instantiate_and_link(key, &prep, keyring, authkey, 500 ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit);
499 &prealloc);
500 501
501 if (keyring) 502 if (keyring)
502 __key_link_end(keyring, key->type, prealloc); 503 __key_link_end(keyring, &key->index_key, edit);
503 504
504error_free_preparse: 505error_free_preparse:
505 if (key->type->preparse) 506 if (key->type->preparse)
@@ -537,7 +538,7 @@ int key_reject_and_link(struct key *key,
537 struct key *keyring, 538 struct key *keyring,
538 struct key *authkey) 539 struct key *authkey)
539{ 540{
540 unsigned long prealloc; 541 struct assoc_array_edit *edit;
541 struct timespec now; 542 struct timespec now;
542 int ret, awaken, link_ret = 0; 543 int ret, awaken, link_ret = 0;
543 544
@@ -548,8 +549,7 @@ int key_reject_and_link(struct key *key,
548 ret = -EBUSY; 549 ret = -EBUSY;
549 550
550 if (keyring) 551 if (keyring)
551 link_ret = __key_link_begin(keyring, key->type, 552 link_ret = __key_link_begin(keyring, &key->index_key, &edit);
552 key->description, &prealloc);
553 553
554 mutex_lock(&key_construction_mutex); 554 mutex_lock(&key_construction_mutex);
555 555
@@ -557,9 +557,10 @@ int key_reject_and_link(struct key *key,
557 if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { 557 if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
558 /* mark the key as being negatively instantiated */ 558 /* mark the key as being negatively instantiated */
559 atomic_inc(&key->user->nikeys); 559 atomic_inc(&key->user->nikeys);
560 key->type_data.reject_error = -error;
561 smp_wmb();
560 set_bit(KEY_FLAG_NEGATIVE, &key->flags); 562 set_bit(KEY_FLAG_NEGATIVE, &key->flags);
561 set_bit(KEY_FLAG_INSTANTIATED, &key->flags); 563 set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
562 key->type_data.reject_error = -error;
563 now = current_kernel_time(); 564 now = current_kernel_time();
564 key->expiry = now.tv_sec + timeout; 565 key->expiry = now.tv_sec + timeout;
565 key_schedule_gc(key->expiry + key_gc_delay); 566 key_schedule_gc(key->expiry + key_gc_delay);
@@ -571,7 +572,7 @@ int key_reject_and_link(struct key *key,
571 572
572 /* and link it into the destination keyring */ 573 /* and link it into the destination keyring */
573 if (keyring && link_ret == 0) 574 if (keyring && link_ret == 0)
574 __key_link(keyring, key, &prealloc); 575 __key_link(key, &edit);
575 576
576 /* disable the authorisation key */ 577 /* disable the authorisation key */
577 if (authkey) 578 if (authkey)
@@ -581,7 +582,7 @@ int key_reject_and_link(struct key *key,
581 mutex_unlock(&key_construction_mutex); 582 mutex_unlock(&key_construction_mutex);
582 583
583 if (keyring) 584 if (keyring)
584 __key_link_end(keyring, key->type, prealloc); 585 __key_link_end(keyring, &key->index_key, edit);
585 586
586 /* wake up anyone waiting for a key to be constructed */ 587 /* wake up anyone waiting for a key to be constructed */
587 if (awaken) 588 if (awaken)
@@ -645,7 +646,7 @@ found:
645 /* this races with key_put(), but that doesn't matter since key_put() 646 /* this races with key_put(), but that doesn't matter since key_put()
646 * doesn't actually change the key 647 * doesn't actually change the key
647 */ 648 */
648 atomic_inc(&key->usage); 649 __key_get(key);
649 650
650error: 651error:
651 spin_unlock(&key_serial_lock); 652 spin_unlock(&key_serial_lock);
@@ -780,25 +781,27 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
780 key_perm_t perm, 781 key_perm_t perm,
781 unsigned long flags) 782 unsigned long flags)
782{ 783{
783 unsigned long prealloc; 784 struct keyring_index_key index_key = {
785 .description = description,
786 };
784 struct key_preparsed_payload prep; 787 struct key_preparsed_payload prep;
788 struct assoc_array_edit *edit;
785 const struct cred *cred = current_cred(); 789 const struct cred *cred = current_cred();
786 struct key_type *ktype;
787 struct key *keyring, *key = NULL; 790 struct key *keyring, *key = NULL;
788 key_ref_t key_ref; 791 key_ref_t key_ref;
789 int ret; 792 int ret;
790 793
791 /* look up the key type to see if it's one of the registered kernel 794 /* look up the key type to see if it's one of the registered kernel
792 * types */ 795 * types */
793 ktype = key_type_lookup(type); 796 index_key.type = key_type_lookup(type);
794 if (IS_ERR(ktype)) { 797 if (IS_ERR(index_key.type)) {
795 key_ref = ERR_PTR(-ENODEV); 798 key_ref = ERR_PTR(-ENODEV);
796 goto error; 799 goto error;
797 } 800 }
798 801
799 key_ref = ERR_PTR(-EINVAL); 802 key_ref = ERR_PTR(-EINVAL);
800 if (!ktype->match || !ktype->instantiate || 803 if (!index_key.type->match || !index_key.type->instantiate ||
801 (!description && !ktype->preparse)) 804 (!index_key.description && !index_key.type->preparse))
802 goto error_put_type; 805 goto error_put_type;
803 806
804 keyring = key_ref_to_ptr(keyring_ref); 807 keyring = key_ref_to_ptr(keyring_ref);
@@ -812,21 +815,28 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
812 memset(&prep, 0, sizeof(prep)); 815 memset(&prep, 0, sizeof(prep));
813 prep.data = payload; 816 prep.data = payload;
814 prep.datalen = plen; 817 prep.datalen = plen;
815 prep.quotalen = ktype->def_datalen; 818 prep.quotalen = index_key.type->def_datalen;
816 if (ktype->preparse) { 819 prep.trusted = flags & KEY_ALLOC_TRUSTED;
817 ret = ktype->preparse(&prep); 820 if (index_key.type->preparse) {
821 ret = index_key.type->preparse(&prep);
818 if (ret < 0) { 822 if (ret < 0) {
819 key_ref = ERR_PTR(ret); 823 key_ref = ERR_PTR(ret);
820 goto error_put_type; 824 goto error_put_type;
821 } 825 }
822 if (!description) 826 if (!index_key.description)
823 description = prep.description; 827 index_key.description = prep.description;
824 key_ref = ERR_PTR(-EINVAL); 828 key_ref = ERR_PTR(-EINVAL);
825 if (!description) 829 if (!index_key.description)
826 goto error_free_prep; 830 goto error_free_prep;
827 } 831 }
832 index_key.desc_len = strlen(index_key.description);
833
834 key_ref = ERR_PTR(-EPERM);
835 if (!prep.trusted && test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags))
836 goto error_free_prep;
837 flags |= prep.trusted ? KEY_ALLOC_TRUSTED : 0;
828 838
829 ret = __key_link_begin(keyring, ktype, description, &prealloc); 839 ret = __key_link_begin(keyring, &index_key, &edit);
830 if (ret < 0) { 840 if (ret < 0) {
831 key_ref = ERR_PTR(ret); 841 key_ref = ERR_PTR(ret);
832 goto error_free_prep; 842 goto error_free_prep;
@@ -844,10 +854,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
844 * key of the same type and description in the destination keyring and 854 * key of the same type and description in the destination keyring and
845 * update that instead if possible 855 * update that instead if possible
846 */ 856 */
847 if (ktype->update) { 857 if (index_key.type->update) {
848 key_ref = __keyring_search_one(keyring_ref, ktype, description, 858 key_ref = find_key_to_update(keyring_ref, &index_key);
849 0); 859 if (key_ref)
850 if (!IS_ERR(key_ref))
851 goto found_matching_key; 860 goto found_matching_key;
852 } 861 }
853 862
@@ -856,23 +865,24 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
856 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; 865 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
857 perm |= KEY_USR_VIEW; 866 perm |= KEY_USR_VIEW;
858 867
859 if (ktype->read) 868 if (index_key.type->read)
860 perm |= KEY_POS_READ; 869 perm |= KEY_POS_READ;
861 870
862 if (ktype == &key_type_keyring || ktype->update) 871 if (index_key.type == &key_type_keyring ||
872 index_key.type->update)
863 perm |= KEY_POS_WRITE; 873 perm |= KEY_POS_WRITE;
864 } 874 }
865 875
866 /* allocate a new key */ 876 /* allocate a new key */
867 key = key_alloc(ktype, description, cred->fsuid, cred->fsgid, cred, 877 key = key_alloc(index_key.type, index_key.description,
868 perm, flags); 878 cred->fsuid, cred->fsgid, cred, perm, flags);
869 if (IS_ERR(key)) { 879 if (IS_ERR(key)) {
870 key_ref = ERR_CAST(key); 880 key_ref = ERR_CAST(key);
871 goto error_link_end; 881 goto error_link_end;
872 } 882 }
873 883
874 /* instantiate it and link it into the target keyring */ 884 /* instantiate it and link it into the target keyring */
875 ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &prealloc); 885 ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &edit);
876 if (ret < 0) { 886 if (ret < 0) {
877 key_put(key); 887 key_put(key);
878 key_ref = ERR_PTR(ret); 888 key_ref = ERR_PTR(ret);
@@ -882,12 +892,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
882 key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); 892 key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
883 893
884error_link_end: 894error_link_end:
885 __key_link_end(keyring, ktype, prealloc); 895 __key_link_end(keyring, &index_key, edit);
886error_free_prep: 896error_free_prep:
887 if (ktype->preparse) 897 if (index_key.type->preparse)
888 ktype->free_preparse(&prep); 898 index_key.type->free_preparse(&prep);
889error_put_type: 899error_put_type:
890 key_type_put(ktype); 900 key_type_put(index_key.type);
891error: 901error:
892 return key_ref; 902 return key_ref;
893 903
@@ -895,7 +905,7 @@ error:
895 /* we found a matching key, so we're going to try to update it 905 /* we found a matching key, so we're going to try to update it
896 * - we can drop the locks first as we have the key pinned 906 * - we can drop the locks first as we have the key pinned
897 */ 907 */
898 __key_link_end(keyring, ktype, prealloc); 908 __key_link_end(keyring, &index_key, edit);
899 909
900 key_ref = __key_update(key_ref, &prep); 910 key_ref = __key_update(key_ref, &prep);
901 goto error_free_prep; 911 goto error_free_prep;
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 33cfd27b4de2..cee72ce64222 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1667,6 +1667,9 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1667 case KEYCTL_INVALIDATE: 1667 case KEYCTL_INVALIDATE:
1668 return keyctl_invalidate_key((key_serial_t) arg2); 1668 return keyctl_invalidate_key((key_serial_t) arg2);
1669 1669
1670 case KEYCTL_GET_PERSISTENT:
1671 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3);
1672
1670 default: 1673 default:
1671 return -EOPNOTSUPP; 1674 return -EOPNOTSUPP;
1672 } 1675 }
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 6ece7f2e5707..69f0cb7bab7e 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -1,6 +1,6 @@
1/* Keyring handling 1/* Keyring handling
2 * 2 *
3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. 3 * Copyright (C) 2004-2005, 2008, 2013 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com) 4 * Written by David Howells (dhowells@redhat.com)
5 * 5 *
6 * This program is free software; you can redistribute it and/or 6 * This program is free software; you can redistribute it and/or
@@ -17,25 +17,11 @@
17#include <linux/seq_file.h> 17#include <linux/seq_file.h>
18#include <linux/err.h> 18#include <linux/err.h>
19#include <keys/keyring-type.h> 19#include <keys/keyring-type.h>
20#include <keys/user-type.h>
21#include <linux/assoc_array_priv.h>
20#include <linux/uaccess.h> 22#include <linux/uaccess.h>
21#include "internal.h" 23#include "internal.h"
22 24
23#define rcu_dereference_locked_keyring(keyring) \
24 (rcu_dereference_protected( \
25 (keyring)->payload.subscriptions, \
26 rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))
27
28#define rcu_deref_link_locked(klist, index, keyring) \
29 (rcu_dereference_protected( \
30 (klist)->keys[index], \
31 rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))
32
33#define MAX_KEYRING_LINKS \
34 min_t(size_t, USHRT_MAX - 1, \
35 ((PAGE_SIZE - sizeof(struct keyring_list)) / sizeof(struct key *)))
36
37#define KEY_LINK_FIXQUOTA 1UL
38
39/* 25/*
40 * When plumbing the depths of the key tree, this sets a hard limit 26 * When plumbing the depths of the key tree, this sets a hard limit
41 * set on how deep we're willing to go. 27 * set on how deep we're willing to go.
@@ -47,6 +33,28 @@
47 */ 33 */
48#define KEYRING_NAME_HASH_SIZE (1 << 5) 34#define KEYRING_NAME_HASH_SIZE (1 << 5)
49 35
36/*
37 * We mark pointers we pass to the associative array with bit 1 set if
38 * they're keyrings and clear otherwise.
39 */
40#define KEYRING_PTR_SUBTYPE 0x2UL
41
42static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x)
43{
44 return (unsigned long)x & KEYRING_PTR_SUBTYPE;
45}
46static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x)
47{
48 void *object = assoc_array_ptr_to_leaf(x);
49 return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE);
50}
51static inline void *keyring_key_to_ptr(struct key *key)
52{
53 if (key->type == &key_type_keyring)
54 return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE);
55 return key;
56}
57
50static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE]; 58static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE];
51static DEFINE_RWLOCK(keyring_name_lock); 59static DEFINE_RWLOCK(keyring_name_lock);
52 60
@@ -67,7 +75,6 @@ static inline unsigned keyring_hash(const char *desc)
67 */ 75 */
68static int keyring_instantiate(struct key *keyring, 76static int keyring_instantiate(struct key *keyring,
69 struct key_preparsed_payload *prep); 77 struct key_preparsed_payload *prep);
70static int keyring_match(const struct key *keyring, const void *criterion);
71static void keyring_revoke(struct key *keyring); 78static void keyring_revoke(struct key *keyring);
72static void keyring_destroy(struct key *keyring); 79static void keyring_destroy(struct key *keyring);
73static void keyring_describe(const struct key *keyring, struct seq_file *m); 80static void keyring_describe(const struct key *keyring, struct seq_file *m);
@@ -76,9 +83,9 @@ static long keyring_read(const struct key *keyring,
76 83
77struct key_type key_type_keyring = { 84struct key_type key_type_keyring = {
78 .name = "keyring", 85 .name = "keyring",
79 .def_datalen = sizeof(struct keyring_list), 86 .def_datalen = 0,
80 .instantiate = keyring_instantiate, 87 .instantiate = keyring_instantiate,
81 .match = keyring_match, 88 .match = user_match,
82 .revoke = keyring_revoke, 89 .revoke = keyring_revoke,
83 .destroy = keyring_destroy, 90 .destroy = keyring_destroy,
84 .describe = keyring_describe, 91 .describe = keyring_describe,
@@ -127,6 +134,7 @@ static int keyring_instantiate(struct key *keyring,
127 134
128 ret = -EINVAL; 135 ret = -EINVAL;
129 if (prep->datalen == 0) { 136 if (prep->datalen == 0) {
137 assoc_array_init(&keyring->keys);
130 /* make the keyring available by name if it has one */ 138 /* make the keyring available by name if it has one */
131 keyring_publish_name(keyring); 139 keyring_publish_name(keyring);
132 ret = 0; 140 ret = 0;
@@ -136,15 +144,226 @@ static int keyring_instantiate(struct key *keyring,
136} 144}
137 145
138/* 146/*
139 * Match keyrings on their name 147 * Multiply 64-bits by 32-bits to 96-bits and fold back to 64-bit. Ideally we'd
148 * fold the carry back too, but that requires inline asm.
149 */
150static u64 mult_64x32_and_fold(u64 x, u32 y)
151{
152 u64 hi = (u64)(u32)(x >> 32) * y;
153 u64 lo = (u64)(u32)(x) * y;
154 return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32);
155}
156
157/*
158 * Hash a key type and description.
159 */
160static unsigned long hash_key_type_and_desc(const struct keyring_index_key *index_key)
161{
162 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP;
163 const unsigned long level_mask = ASSOC_ARRAY_LEVEL_STEP_MASK;
164 const char *description = index_key->description;
165 unsigned long hash, type;
166 u32 piece;
167 u64 acc;
168 int n, desc_len = index_key->desc_len;
169
170 type = (unsigned long)index_key->type;
171
172 acc = mult_64x32_and_fold(type, desc_len + 13);
173 acc = mult_64x32_and_fold(acc, 9207);
174 for (;;) {
175 n = desc_len;
176 if (n <= 0)
177 break;
178 if (n > 4)
179 n = 4;
180 piece = 0;
181 memcpy(&piece, description, n);
182 description += n;
183 desc_len -= n;
184 acc = mult_64x32_and_fold(acc, piece);
185 acc = mult_64x32_and_fold(acc, 9207);
186 }
187
188 /* Fold the hash down to 32 bits if need be. */
189 hash = acc;
190 if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32)
191 hash ^= acc >> 32;
192
193 /* Squidge all the keyrings into a separate part of the tree to
194 * ordinary keys by making sure the lowest level segment in the hash is
195 * zero for keyrings and non-zero otherwise.
196 */
197 if (index_key->type != &key_type_keyring && (hash & level_mask) == 0)
198 return hash | (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1;
199 if (index_key->type == &key_type_keyring && (hash & level_mask) != 0)
200 return (hash + (hash << level_shift)) & ~level_mask;
201 return hash;
202}
203
204/*
205 * Build the next index key chunk.
206 *
207 * On 32-bit systems the index key is laid out as:
208 *
209 * 0 4 5 9...
210 * hash desclen typeptr desc[]
211 *
212 * On 64-bit systems:
213 *
214 * 0 8 9 17...
215 * hash desclen typeptr desc[]
216 *
217 * We return it one word-sized chunk at a time.
140 */ 218 */
141static int keyring_match(const struct key *keyring, const void *description) 219static unsigned long keyring_get_key_chunk(const void *data, int level)
220{
221 const struct keyring_index_key *index_key = data;
222 unsigned long chunk = 0;
223 long offset = 0;
224 int desc_len = index_key->desc_len, n = sizeof(chunk);
225
226 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE;
227 switch (level) {
228 case 0:
229 return hash_key_type_and_desc(index_key);
230 case 1:
231 return ((unsigned long)index_key->type << 8) | desc_len;
232 case 2:
233 if (desc_len == 0)
234 return (u8)((unsigned long)index_key->type >>
235 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8));
236 n--;
237 offset = 1;
238 default:
239 offset += sizeof(chunk) - 1;
240 offset += (level - 3) * sizeof(chunk);
241 if (offset >= desc_len)
242 return 0;
243 desc_len -= offset;
244 if (desc_len > n)
245 desc_len = n;
246 offset += desc_len;
247 do {
248 chunk <<= 8;
249 chunk |= ((u8*)index_key->description)[--offset];
250 } while (--desc_len > 0);
251
252 if (level == 2) {
253 chunk <<= 8;
254 chunk |= (u8)((unsigned long)index_key->type >>
255 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8));
256 }
257 return chunk;
258 }
259}
260
261static unsigned long keyring_get_object_key_chunk(const void *object, int level)
262{
263 const struct key *key = keyring_ptr_to_key(object);
264 return keyring_get_key_chunk(&key->index_key, level);
265}
266
267static bool keyring_compare_object(const void *object, const void *data)
142{ 268{
143 return keyring->description && 269 const struct keyring_index_key *index_key = data;
144 strcmp(keyring->description, description) == 0; 270 const struct key *key = keyring_ptr_to_key(object);
271
272 return key->index_key.type == index_key->type &&
273 key->index_key.desc_len == index_key->desc_len &&
274 memcmp(key->index_key.description, index_key->description,
275 index_key->desc_len) == 0;
145} 276}
146 277
147/* 278/*
279 * Compare the index keys of a pair of objects and determine the bit position
280 * at which they differ - if they differ.
281 */
282static int keyring_diff_objects(const void *_a, const void *_b)
283{
284 const struct key *key_a = keyring_ptr_to_key(_a);
285 const struct key *key_b = keyring_ptr_to_key(_b);
286 const struct keyring_index_key *a = &key_a->index_key;
287 const struct keyring_index_key *b = &key_b->index_key;
288 unsigned long seg_a, seg_b;
289 int level, i;
290
291 level = 0;
292 seg_a = hash_key_type_and_desc(a);
293 seg_b = hash_key_type_and_desc(b);
294 if ((seg_a ^ seg_b) != 0)
295 goto differ;
296
297 /* The number of bits contributed by the hash is controlled by a
298 * constant in the assoc_array headers. Everything else thereafter we
299 * can deal with as being machine word-size dependent.
300 */
301 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8;
302 seg_a = a->desc_len;
303 seg_b = b->desc_len;
304 if ((seg_a ^ seg_b) != 0)
305 goto differ;
306
307 /* The next bit may not work on big endian */
308 level++;
309 seg_a = (unsigned long)a->type;
310 seg_b = (unsigned long)b->type;
311 if ((seg_a ^ seg_b) != 0)
312 goto differ;
313
314 level += sizeof(unsigned long);
315 if (a->desc_len == 0)
316 goto same;
317
318 i = 0;
319 if (((unsigned long)a->description | (unsigned long)b->description) &
320 (sizeof(unsigned long) - 1)) {
321 do {
322 seg_a = *(unsigned long *)(a->description + i);
323 seg_b = *(unsigned long *)(b->description + i);
324 if ((seg_a ^ seg_b) != 0)
325 goto differ_plus_i;
326 i += sizeof(unsigned long);
327 } while (i < (a->desc_len & (sizeof(unsigned long) - 1)));
328 }
329
330 for (; i < a->desc_len; i++) {
331 seg_a = *(unsigned char *)(a->description + i);
332 seg_b = *(unsigned char *)(b->description + i);
333 if ((seg_a ^ seg_b) != 0)
334 goto differ_plus_i;
335 }
336
337same:
338 return -1;
339
340differ_plus_i:
341 level += i;
342differ:
343 i = level * 8 + __ffs(seg_a ^ seg_b);
344 return i;
345}
346
347/*
348 * Free an object after stripping the keyring flag off of the pointer.
349 */
350static void keyring_free_object(void *object)
351{
352 key_put(keyring_ptr_to_key(object));
353}
354
355/*
356 * Operations for keyring management by the index-tree routines.
357 */
358static const struct assoc_array_ops keyring_assoc_array_ops = {
359 .get_key_chunk = keyring_get_key_chunk,
360 .get_object_key_chunk = keyring_get_object_key_chunk,
361 .compare_object = keyring_compare_object,
362 .diff_objects = keyring_diff_objects,
363 .free_object = keyring_free_object,
364};
365
366/*
148 * Clean up a keyring when it is destroyed. Unpublish its name if it had one 367 * Clean up a keyring when it is destroyed. Unpublish its name if it had one
149 * and dispose of its data. 368 * and dispose of its data.
150 * 369 *
@@ -155,9 +374,6 @@ static int keyring_match(const struct key *keyring, const void *description)
155 */ 374 */
156static void keyring_destroy(struct key *keyring) 375static void keyring_destroy(struct key *keyring)
157{ 376{
158 struct keyring_list *klist;
159 int loop;
160
161 if (keyring->description) { 377 if (keyring->description) {
162 write_lock(&keyring_name_lock); 378 write_lock(&keyring_name_lock);
163 379
@@ -168,12 +384,7 @@ static void keyring_destroy(struct key *keyring)
168 write_unlock(&keyring_name_lock); 384 write_unlock(&keyring_name_lock);
169 } 385 }
170 386
171 klist = rcu_access_pointer(keyring->payload.subscriptions); 387 assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops);
172 if (klist) {
173 for (loop = klist->nkeys - 1; loop >= 0; loop--)
174 key_put(rcu_access_pointer(klist->keys[loop]));
175 kfree(klist);
176 }
177} 388}
178 389
179/* 390/*
@@ -181,76 +392,88 @@ static void keyring_destroy(struct key *keyring)
181 */ 392 */
182static void keyring_describe(const struct key *keyring, struct seq_file *m) 393static void keyring_describe(const struct key *keyring, struct seq_file *m)
183{ 394{
184 struct keyring_list *klist;
185
186 if (keyring->description) 395 if (keyring->description)
187 seq_puts(m, keyring->description); 396 seq_puts(m, keyring->description);
188 else 397 else
189 seq_puts(m, "[anon]"); 398 seq_puts(m, "[anon]");
190 399
191 if (key_is_instantiated(keyring)) { 400 if (key_is_instantiated(keyring)) {
192 rcu_read_lock(); 401 if (keyring->keys.nr_leaves_on_tree != 0)
193 klist = rcu_dereference(keyring->payload.subscriptions); 402 seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree);
194 if (klist)
195 seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys);
196 else 403 else
197 seq_puts(m, ": empty"); 404 seq_puts(m, ": empty");
198 rcu_read_unlock();
199 } 405 }
200} 406}
201 407
408struct keyring_read_iterator_context {
409 size_t qty;
410 size_t count;
411 key_serial_t __user *buffer;
412};
413
414static int keyring_read_iterator(const void *object, void *data)
415{
416 struct keyring_read_iterator_context *ctx = data;
417 const struct key *key = keyring_ptr_to_key(object);
418 int ret;
419
420 kenter("{%s,%d},,{%zu/%zu}",
421 key->type->name, key->serial, ctx->count, ctx->qty);
422
423 if (ctx->count >= ctx->qty)
424 return 1;
425
426 ret = put_user(key->serial, ctx->buffer);
427 if (ret < 0)
428 return ret;
429 ctx->buffer++;
430 ctx->count += sizeof(key->serial);
431 return 0;
432}
433
202/* 434/*
203 * Read a list of key IDs from the keyring's contents in binary form 435 * Read a list of key IDs from the keyring's contents in binary form
204 * 436 *
205 * The keyring's semaphore is read-locked by the caller. 437 * The keyring's semaphore is read-locked by the caller. This prevents someone
438 * from modifying it under us - which could cause us to read key IDs multiple
439 * times.
206 */ 440 */
207static long keyring_read(const struct key *keyring, 441static long keyring_read(const struct key *keyring,
208 char __user *buffer, size_t buflen) 442 char __user *buffer, size_t buflen)
209{ 443{
210 struct keyring_list *klist; 444 struct keyring_read_iterator_context ctx;
211 struct key *key; 445 unsigned long nr_keys;
212 size_t qty, tmp; 446 int ret;
213 int loop, ret;
214 447
215 ret = 0; 448 kenter("{%d},,%zu", key_serial(keyring), buflen);
216 klist = rcu_dereference_locked_keyring(keyring); 449
217 if (klist) { 450 if (buflen & (sizeof(key_serial_t) - 1))
218 /* calculate how much data we could return */ 451 return -EINVAL;
219 qty = klist->nkeys * sizeof(key_serial_t); 452
220 453 nr_keys = keyring->keys.nr_leaves_on_tree;
221 if (buffer && buflen > 0) { 454 if (nr_keys == 0)
222 if (buflen > qty) 455 return 0;
223 buflen = qty;
224
225 /* copy the IDs of the subscribed keys into the
226 * buffer */
227 ret = -EFAULT;
228
229 for (loop = 0; loop < klist->nkeys; loop++) {
230 key = rcu_deref_link_locked(klist, loop,
231 keyring);
232
233 tmp = sizeof(key_serial_t);
234 if (tmp > buflen)
235 tmp = buflen;
236
237 if (copy_to_user(buffer,
238 &key->serial,
239 tmp) != 0)
240 goto error;
241
242 buflen -= tmp;
243 if (buflen == 0)
244 break;
245 buffer += tmp;
246 }
247 }
248 456
249 ret = qty; 457 /* Calculate how much data we could return */
458 ctx.qty = nr_keys * sizeof(key_serial_t);
459
460 if (!buffer || !buflen)
461 return ctx.qty;
462
463 if (buflen > ctx.qty)
464 ctx.qty = buflen;
465
466 /* Copy the IDs of the subscribed keys into the buffer */
467 ctx.buffer = (key_serial_t __user *)buffer;
468 ctx.count = 0;
469 ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
470 if (ret < 0) {
471 kleave(" = %d [iterate]", ret);
472 return ret;
250 } 473 }
251 474
252error: 475 kleave(" = %zu [ok]", ctx.count);
253 return ret; 476 return ctx.count;
254} 477}
255 478
256/* 479/*
@@ -277,227 +500,361 @@ struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
277} 500}
278EXPORT_SYMBOL(keyring_alloc); 501EXPORT_SYMBOL(keyring_alloc);
279 502
280/** 503/*
281 * keyring_search_aux - Search a keyring tree for a key matching some criteria 504 * Iteration function to consider each key found.
282 * @keyring_ref: A pointer to the keyring with possession indicator.
283 * @cred: The credentials to use for permissions checks.
284 * @type: The type of key to search for.
285 * @description: Parameter for @match.
286 * @match: Function to rule on whether or not a key is the one required.
287 * @no_state_check: Don't check if a matching key is bad
288 *
289 * Search the supplied keyring tree for a key that matches the criteria given.
290 * The root keyring and any linked keyrings must grant Search permission to the
291 * caller to be searchable and keys can only be found if they too grant Search
292 * to the caller. The possession flag on the root keyring pointer controls use
293 * of the possessor bits in permissions checking of the entire tree. In
294 * addition, the LSM gets to forbid keyring searches and key matches.
295 *
296 * The search is performed as a breadth-then-depth search up to the prescribed
297 * limit (KEYRING_SEARCH_MAX_DEPTH).
298 *
299 * Keys are matched to the type provided and are then filtered by the match
300 * function, which is given the description to use in any way it sees fit. The
301 * match function may use any attributes of a key that it wishes to to
302 * determine the match. Normally the match function from the key type would be
303 * used.
304 *
305 * RCU is used to prevent the keyring key lists from disappearing without the
306 * need to take lots of locks.
307 *
308 * Returns a pointer to the found key and increments the key usage count if
309 * successful; -EAGAIN if no matching keys were found, or if expired or revoked
310 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
311 * specified keyring wasn't a keyring.
312 *
313 * In the case of a successful return, the possession attribute from
314 * @keyring_ref is propagated to the returned key reference.
315 */ 505 */
316key_ref_t keyring_search_aux(key_ref_t keyring_ref, 506static int keyring_search_iterator(const void *object, void *iterator_data)
317 const struct cred *cred,
318 struct key_type *type,
319 const void *description,
320 key_match_func_t match,
321 bool no_state_check)
322{ 507{
323 struct { 508 struct keyring_search_context *ctx = iterator_data;
324 /* Need a separate keylist pointer for RCU purposes */ 509 const struct key *key = keyring_ptr_to_key(object);
325 struct key *keyring; 510 unsigned long kflags = key->flags;
326 struct keyring_list *keylist;
327 int kix;
328 } stack[KEYRING_SEARCH_MAX_DEPTH];
329
330 struct keyring_list *keylist;
331 struct timespec now;
332 unsigned long possessed, kflags;
333 struct key *keyring, *key;
334 key_ref_t key_ref;
335 long err;
336 int sp, nkeys, kix;
337 511
338 keyring = key_ref_to_ptr(keyring_ref); 512 kenter("{%d}", key->serial);
339 possessed = is_key_possessed(keyring_ref);
340 key_check(keyring);
341 513
342 /* top keyring must have search permission to begin the search */ 514 /* ignore keys not of this type */
343 err = key_task_permission(keyring_ref, cred, KEY_SEARCH); 515 if (key->type != ctx->index_key.type) {
344 if (err < 0) { 516 kleave(" = 0 [!type]");
345 key_ref = ERR_PTR(err); 517 return 0;
346 goto error;
347 } 518 }
348 519
349 key_ref = ERR_PTR(-ENOTDIR); 520 /* skip invalidated, revoked and expired keys */
350 if (keyring->type != &key_type_keyring) 521 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
351 goto error; 522 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
523 (1 << KEY_FLAG_REVOKED))) {
524 ctx->result = ERR_PTR(-EKEYREVOKED);
525 kleave(" = %d [invrev]", ctx->skipped_ret);
526 goto skipped;
527 }
352 528
353 rcu_read_lock(); 529 if (key->expiry && ctx->now.tv_sec >= key->expiry) {
530 ctx->result = ERR_PTR(-EKEYEXPIRED);
531 kleave(" = %d [expire]", ctx->skipped_ret);
532 goto skipped;
533 }
534 }
354 535
355 now = current_kernel_time(); 536 /* keys that don't match */
356 err = -EAGAIN; 537 if (!ctx->match(key, ctx->match_data)) {
357 sp = 0; 538 kleave(" = 0 [!match]");
358 539 return 0;
359 /* firstly we should check to see if this top-level keyring is what we 540 }
360 * are looking for */
361 key_ref = ERR_PTR(-EAGAIN);
362 kflags = keyring->flags;
363 if (keyring->type == type && match(keyring, description)) {
364 key = keyring;
365 if (no_state_check)
366 goto found;
367 541
368 /* check it isn't negative and hasn't expired or been 542 /* key must have search permissions */
369 * revoked */ 543 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
370 if (kflags & (1 << KEY_FLAG_REVOKED)) 544 key_task_permission(make_key_ref(key, ctx->possessed),
371 goto error_2; 545 ctx->cred, KEY_SEARCH) < 0) {
372 if (key->expiry && now.tv_sec >= key->expiry) 546 ctx->result = ERR_PTR(-EACCES);
373 goto error_2; 547 kleave(" = %d [!perm]", ctx->skipped_ret);
374 key_ref = ERR_PTR(key->type_data.reject_error); 548 goto skipped;
375 if (kflags & (1 << KEY_FLAG_NEGATIVE))
376 goto error_2;
377 goto found;
378 } 549 }
379 550
380 /* otherwise, the top keyring must not be revoked, expired, or 551 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
381 * negatively instantiated if we are to search it */ 552 /* we set a different error code if we pass a negative key */
382 key_ref = ERR_PTR(-EAGAIN); 553 if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
383 if (kflags & ((1 << KEY_FLAG_INVALIDATED) | 554 smp_rmb();
384 (1 << KEY_FLAG_REVOKED) | 555 ctx->result = ERR_PTR(key->type_data.reject_error);
385 (1 << KEY_FLAG_NEGATIVE)) || 556 kleave(" = %d [neg]", ctx->skipped_ret);
386 (keyring->expiry && now.tv_sec >= keyring->expiry)) 557 goto skipped;
387 goto error_2; 558 }
388 559 }
389 /* start processing a new keyring */
390descend:
391 kflags = keyring->flags;
392 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
393 (1 << KEY_FLAG_REVOKED)))
394 goto not_this_keyring;
395 560
396 keylist = rcu_dereference(keyring->payload.subscriptions); 561 /* Found */
397 if (!keylist) 562 ctx->result = make_key_ref(key, ctx->possessed);
398 goto not_this_keyring; 563 kleave(" = 1 [found]");
564 return 1;
399 565
400 /* iterate through the keys in this keyring first */ 566skipped:
401 nkeys = keylist->nkeys; 567 return ctx->skipped_ret;
402 smp_rmb(); 568}
403 for (kix = 0; kix < nkeys; kix++) {
404 key = rcu_dereference(keylist->keys[kix]);
405 kflags = key->flags;
406 569
407 /* ignore keys not of this type */ 570/*
408 if (key->type != type) 571 * Search inside a keyring for a key. We can search by walking to it
409 continue; 572 * directly based on its index-key or we can iterate over the entire
573 * tree looking for it, based on the match function.
574 */
575static int search_keyring(struct key *keyring, struct keyring_search_context *ctx)
576{
577 if ((ctx->flags & KEYRING_SEARCH_LOOKUP_TYPE) ==
578 KEYRING_SEARCH_LOOKUP_DIRECT) {
579 const void *object;
580
581 object = assoc_array_find(&keyring->keys,
582 &keyring_assoc_array_ops,
583 &ctx->index_key);
584 return object ? ctx->iterator(object, ctx) : 0;
585 }
586 return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx);
587}
410 588
411 /* skip invalidated, revoked and expired keys */ 589/*
412 if (!no_state_check) { 590 * Search a tree of keyrings that point to other keyrings up to the maximum
413 if (kflags & ((1 << KEY_FLAG_INVALIDATED) | 591 * depth.
414 (1 << KEY_FLAG_REVOKED))) 592 */
415 continue; 593static bool search_nested_keyrings(struct key *keyring,
594 struct keyring_search_context *ctx)
595{
596 struct {
597 struct key *keyring;
598 struct assoc_array_node *node;
599 int slot;
600 } stack[KEYRING_SEARCH_MAX_DEPTH];
416 601
417 if (key->expiry && now.tv_sec >= key->expiry) 602 struct assoc_array_shortcut *shortcut;
418 continue; 603 struct assoc_array_node *node;
419 } 604 struct assoc_array_ptr *ptr;
605 struct key *key;
606 int sp = 0, slot;
420 607
421 /* keys that don't match */ 608 kenter("{%d},{%s,%s}",
422 if (!match(key, description)) 609 keyring->serial,
423 continue; 610 ctx->index_key.type->name,
611 ctx->index_key.description);
424 612
425 /* key must have search permissions */ 613 if (ctx->index_key.description)
426 if (key_task_permission(make_key_ref(key, possessed), 614 ctx->index_key.desc_len = strlen(ctx->index_key.description);
427 cred, KEY_SEARCH) < 0)
428 continue;
429 615
430 if (no_state_check) 616 /* Check to see if this top-level keyring is what we are looking for
617 * and whether it is valid or not.
618 */
619 if (ctx->flags & KEYRING_SEARCH_LOOKUP_ITERATE ||
620 keyring_compare_object(keyring, &ctx->index_key)) {
621 ctx->skipped_ret = 2;
622 ctx->flags |= KEYRING_SEARCH_DO_STATE_CHECK;
623 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) {
624 case 1:
431 goto found; 625 goto found;
432 626 case 2:
433 /* we set a different error code if we pass a negative key */ 627 return false;
434 if (kflags & (1 << KEY_FLAG_NEGATIVE)) { 628 default:
435 err = key->type_data.reject_error; 629 break;
436 continue;
437 } 630 }
631 }
632
633 ctx->skipped_ret = 0;
634 if (ctx->flags & KEYRING_SEARCH_NO_STATE_CHECK)
635 ctx->flags &= ~KEYRING_SEARCH_DO_STATE_CHECK;
438 636
637 /* Start processing a new keyring */
638descend_to_keyring:
639 kdebug("descend to %d", keyring->serial);
640 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
641 (1 << KEY_FLAG_REVOKED)))
642 goto not_this_keyring;
643
644 /* Search through the keys in this keyring before its searching its
645 * subtrees.
646 */
647 if (search_keyring(keyring, ctx))
439 goto found; 648 goto found;
440 }
441 649
442 /* search through the keyrings nested in this one */ 650 /* Then manually iterate through the keyrings nested in this one.
443 kix = 0; 651 *
444ascend: 652 * Start from the root node of the index tree. Because of the way the
445 nkeys = keylist->nkeys; 653 * hash function has been set up, keyrings cluster on the leftmost
446 smp_rmb(); 654 * branch of the root node (root slot 0) or in the root node itself.
447 for (; kix < nkeys; kix++) { 655 * Non-keyrings avoid the leftmost branch of the root entirely (root
448 key = rcu_dereference(keylist->keys[kix]); 656 * slots 1-15).
449 if (key->type != &key_type_keyring) 657 */
450 continue; 658 ptr = ACCESS_ONCE(keyring->keys.root);
659 if (!ptr)
660 goto not_this_keyring;
451 661
452 /* recursively search nested keyrings 662 if (assoc_array_ptr_is_shortcut(ptr)) {
453 * - only search keyrings for which we have search permission 663 /* If the root is a shortcut, either the keyring only contains
664 * keyring pointers (everything clusters behind root slot 0) or
665 * doesn't contain any keyring pointers.
454 */ 666 */
455 if (sp >= KEYRING_SEARCH_MAX_DEPTH) 667 shortcut = assoc_array_ptr_to_shortcut(ptr);
668 smp_read_barrier_depends();
669 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0)
670 goto not_this_keyring;
671
672 ptr = ACCESS_ONCE(shortcut->next_node);
673 node = assoc_array_ptr_to_node(ptr);
674 goto begin_node;
675 }
676
677 node = assoc_array_ptr_to_node(ptr);
678 smp_read_barrier_depends();
679
680 ptr = node->slots[0];
681 if (!assoc_array_ptr_is_meta(ptr))
682 goto begin_node;
683
684descend_to_node:
685 /* Descend to a more distal node in this keyring's content tree and go
686 * through that.
687 */
688 kdebug("descend");
689 if (assoc_array_ptr_is_shortcut(ptr)) {
690 shortcut = assoc_array_ptr_to_shortcut(ptr);
691 smp_read_barrier_depends();
692 ptr = ACCESS_ONCE(shortcut->next_node);
693 BUG_ON(!assoc_array_ptr_is_node(ptr));
694 node = assoc_array_ptr_to_node(ptr);
695 }
696
697begin_node:
698 kdebug("begin_node");
699 smp_read_barrier_depends();
700 slot = 0;
701ascend_to_node:
702 /* Go through the slots in a node */
703 for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) {
704 ptr = ACCESS_ONCE(node->slots[slot]);
705
706 if (assoc_array_ptr_is_meta(ptr) && node->back_pointer)
707 goto descend_to_node;
708
709 if (!keyring_ptr_is_keyring(ptr))
456 continue; 710 continue;
457 711
458 if (key_task_permission(make_key_ref(key, possessed), 712 key = keyring_ptr_to_key(ptr);
459 cred, KEY_SEARCH) < 0) 713
714 if (sp >= KEYRING_SEARCH_MAX_DEPTH) {
715 if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) {
716 ctx->result = ERR_PTR(-ELOOP);
717 return false;
718 }
719 goto not_this_keyring;
720 }
721
722 /* Search a nested keyring */
723 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
724 key_task_permission(make_key_ref(key, ctx->possessed),
725 ctx->cred, KEY_SEARCH) < 0)
460 continue; 726 continue;
461 727
462 /* stack the current position */ 728 /* stack the current position */
463 stack[sp].keyring = keyring; 729 stack[sp].keyring = keyring;
464 stack[sp].keylist = keylist; 730 stack[sp].node = node;
465 stack[sp].kix = kix; 731 stack[sp].slot = slot;
466 sp++; 732 sp++;
467 733
468 /* begin again with the new keyring */ 734 /* begin again with the new keyring */
469 keyring = key; 735 keyring = key;
470 goto descend; 736 goto descend_to_keyring;
471 } 737 }
472 738
473 /* the keyring we're looking at was disqualified or didn't contain a 739 /* We've dealt with all the slots in the current node, so now we need
474 * matching key */ 740 * to ascend to the parent and continue processing there.
741 */
742 ptr = ACCESS_ONCE(node->back_pointer);
743 slot = node->parent_slot;
744
745 if (ptr && assoc_array_ptr_is_shortcut(ptr)) {
746 shortcut = assoc_array_ptr_to_shortcut(ptr);
747 smp_read_barrier_depends();
748 ptr = ACCESS_ONCE(shortcut->back_pointer);
749 slot = shortcut->parent_slot;
750 }
751 if (!ptr)
752 goto not_this_keyring;
753 node = assoc_array_ptr_to_node(ptr);
754 smp_read_barrier_depends();
755 slot++;
756
757 /* If we've ascended to the root (zero backpointer), we must have just
758 * finished processing the leftmost branch rather than the root slots -
759 * so there can't be any more keyrings for us to find.
760 */
761 if (node->back_pointer) {
762 kdebug("ascend %d", slot);
763 goto ascend_to_node;
764 }
765
766 /* The keyring we're looking at was disqualified or didn't contain a
767 * matching key.
768 */
475not_this_keyring: 769not_this_keyring:
476 if (sp > 0) { 770 kdebug("not_this_keyring %d", sp);
477 /* resume the processing of a keyring higher up in the tree */ 771 if (sp <= 0) {
478 sp--; 772 kleave(" = false");
479 keyring = stack[sp].keyring; 773 return false;
480 keylist = stack[sp].keylist;
481 kix = stack[sp].kix + 1;
482 goto ascend;
483 } 774 }
484 775
485 key_ref = ERR_PTR(err); 776 /* Resume the processing of a keyring higher up in the tree */
486 goto error_2; 777 sp--;
778 keyring = stack[sp].keyring;
779 node = stack[sp].node;
780 slot = stack[sp].slot + 1;
781 kdebug("ascend to %d [%d]", keyring->serial, slot);
782 goto ascend_to_node;
487 783
488 /* we found a viable match */ 784 /* We found a viable match */
489found: 785found:
490 atomic_inc(&key->usage); 786 key = key_ref_to_ptr(ctx->result);
491 key->last_used_at = now.tv_sec;
492 keyring->last_used_at = now.tv_sec;
493 while (sp > 0)
494 stack[--sp].keyring->last_used_at = now.tv_sec;
495 key_check(key); 787 key_check(key);
496 key_ref = make_key_ref(key, possessed); 788 if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) {
497error_2: 789 key->last_used_at = ctx->now.tv_sec;
790 keyring->last_used_at = ctx->now.tv_sec;
791 while (sp > 0)
792 stack[--sp].keyring->last_used_at = ctx->now.tv_sec;
793 }
794 kleave(" = true");
795 return true;
796}
797
798/**
799 * keyring_search_aux - Search a keyring tree for a key matching some criteria
800 * @keyring_ref: A pointer to the keyring with possession indicator.
801 * @ctx: The keyring search context.
802 *
803 * Search the supplied keyring tree for a key that matches the criteria given.
804 * The root keyring and any linked keyrings must grant Search permission to the
805 * caller to be searchable and keys can only be found if they too grant Search
806 * to the caller. The possession flag on the root keyring pointer controls use
807 * of the possessor bits in permissions checking of the entire tree. In
808 * addition, the LSM gets to forbid keyring searches and key matches.
809 *
810 * The search is performed as a breadth-then-depth search up to the prescribed
811 * limit (KEYRING_SEARCH_MAX_DEPTH).
812 *
813 * Keys are matched to the type provided and are then filtered by the match
814 * function, which is given the description to use in any way it sees fit. The
815 * match function may use any attributes of a key that it wishes to to
816 * determine the match. Normally the match function from the key type would be
817 * used.
818 *
819 * RCU can be used to prevent the keyring key lists from disappearing without
820 * the need to take lots of locks.
821 *
822 * Returns a pointer to the found key and increments the key usage count if
823 * successful; -EAGAIN if no matching keys were found, or if expired or revoked
824 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
825 * specified keyring wasn't a keyring.
826 *
827 * In the case of a successful return, the possession attribute from
828 * @keyring_ref is propagated to the returned key reference.
829 */
830key_ref_t keyring_search_aux(key_ref_t keyring_ref,
831 struct keyring_search_context *ctx)
832{
833 struct key *keyring;
834 long err;
835
836 ctx->iterator = keyring_search_iterator;
837 ctx->possessed = is_key_possessed(keyring_ref);
838 ctx->result = ERR_PTR(-EAGAIN);
839
840 keyring = key_ref_to_ptr(keyring_ref);
841 key_check(keyring);
842
843 if (keyring->type != &key_type_keyring)
844 return ERR_PTR(-ENOTDIR);
845
846 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) {
847 err = key_task_permission(keyring_ref, ctx->cred, KEY_SEARCH);
848 if (err < 0)
849 return ERR_PTR(err);
850 }
851
852 rcu_read_lock();
853 ctx->now = current_kernel_time();
854 if (search_nested_keyrings(keyring, ctx))
855 __key_get(key_ref_to_ptr(ctx->result));
498 rcu_read_unlock(); 856 rcu_read_unlock();
499error: 857 return ctx->result;
500 return key_ref;
501} 858}
502 859
503/** 860/**
@@ -507,77 +864,73 @@ error:
507 * @description: The name of the keyring we want to find. 864 * @description: The name of the keyring we want to find.
508 * 865 *
509 * As keyring_search_aux() above, but using the current task's credentials and 866 * As keyring_search_aux() above, but using the current task's credentials and
510 * type's default matching function. 867 * type's default matching function and preferred search method.
511 */ 868 */
512key_ref_t keyring_search(key_ref_t keyring, 869key_ref_t keyring_search(key_ref_t keyring,
513 struct key_type *type, 870 struct key_type *type,
514 const char *description) 871 const char *description)
515{ 872{
516 if (!type->match) 873 struct keyring_search_context ctx = {
874 .index_key.type = type,
875 .index_key.description = description,
876 .cred = current_cred(),
877 .match = type->match,
878 .match_data = description,
879 .flags = (type->def_lookup_type |
880 KEYRING_SEARCH_DO_STATE_CHECK),
881 };
882
883 if (!ctx.match)
517 return ERR_PTR(-ENOKEY); 884 return ERR_PTR(-ENOKEY);
518 885
519 return keyring_search_aux(keyring, current->cred, 886 return keyring_search_aux(keyring, &ctx);
520 type, description, type->match, false);
521} 887}
522EXPORT_SYMBOL(keyring_search); 888EXPORT_SYMBOL(keyring_search);
523 889
524/* 890/*
525 * Search the given keyring only (no recursion). 891 * Search the given keyring for a key that might be updated.
526 * 892 *
527 * The caller must guarantee that the keyring is a keyring and that the 893 * The caller must guarantee that the keyring is a keyring and that the
528 * permission is granted to search the keyring as no check is made here. 894 * permission is granted to modify the keyring as no check is made here. The
529 * 895 * caller must also hold a lock on the keyring semaphore.
530 * RCU is used to make it unnecessary to lock the keyring key list here.
531 * 896 *
532 * Returns a pointer to the found key with usage count incremented if 897 * Returns a pointer to the found key with usage count incremented if
533 * successful and returns -ENOKEY if not found. Revoked keys and keys not 898 * successful and returns NULL if not found. Revoked and invalidated keys are
534 * providing the requested permission are skipped over. 899 * skipped over.
535 * 900 *
536 * If successful, the possession indicator is propagated from the keyring ref 901 * If successful, the possession indicator is propagated from the keyring ref
537 * to the returned key reference. 902 * to the returned key reference.
538 */ 903 */
539key_ref_t __keyring_search_one(key_ref_t keyring_ref, 904key_ref_t find_key_to_update(key_ref_t keyring_ref,
540 const struct key_type *ktype, 905 const struct keyring_index_key *index_key)
541 const char *description,
542 key_perm_t perm)
543{ 906{
544 struct keyring_list *klist;
545 unsigned long possessed;
546 struct key *keyring, *key; 907 struct key *keyring, *key;
547 int nkeys, loop; 908 const void *object;
548 909
549 keyring = key_ref_to_ptr(keyring_ref); 910 keyring = key_ref_to_ptr(keyring_ref);
550 possessed = is_key_possessed(keyring_ref);
551 911
552 rcu_read_lock(); 912 kenter("{%d},{%s,%s}",
913 keyring->serial, index_key->type->name, index_key->description);
553 914
554 klist = rcu_dereference(keyring->payload.subscriptions); 915 object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops,
555 if (klist) { 916 index_key);
556 nkeys = klist->nkeys;
557 smp_rmb();
558 for (loop = 0; loop < nkeys ; loop++) {
559 key = rcu_dereference(klist->keys[loop]);
560 if (key->type == ktype &&
561 (!key->type->match ||
562 key->type->match(key, description)) &&
563 key_permission(make_key_ref(key, possessed),
564 perm) == 0 &&
565 !(key->flags & ((1 << KEY_FLAG_INVALIDATED) |
566 (1 << KEY_FLAG_REVOKED)))
567 )
568 goto found;
569 }
570 }
571 917
572 rcu_read_unlock(); 918 if (object)
573 return ERR_PTR(-ENOKEY); 919 goto found;
920
921 kleave(" = NULL");
922 return NULL;
574 923
575found: 924found:
576 atomic_inc(&key->usage); 925 key = keyring_ptr_to_key(object);
577 keyring->last_used_at = key->last_used_at = 926 if (key->flags & ((1 << KEY_FLAG_INVALIDATED) |
578 current_kernel_time().tv_sec; 927 (1 << KEY_FLAG_REVOKED))) {
579 rcu_read_unlock(); 928 kleave(" = NULL [x]");
580 return make_key_ref(key, possessed); 929 return NULL;
930 }
931 __key_get(key);
932 kleave(" = {%d}", key->serial);
933 return make_key_ref(key, is_key_possessed(keyring_ref));
581} 934}
582 935
583/* 936/*
@@ -640,6 +993,19 @@ out:
640 return keyring; 993 return keyring;
641} 994}
642 995
996static int keyring_detect_cycle_iterator(const void *object,
997 void *iterator_data)
998{
999 struct keyring_search_context *ctx = iterator_data;
1000 const struct key *key = keyring_ptr_to_key(object);
1001
1002 kenter("{%d}", key->serial);
1003
1004 BUG_ON(key != ctx->match_data);
1005 ctx->result = ERR_PTR(-EDEADLK);
1006 return 1;
1007}
1008
643/* 1009/*
644 * See if a cycle will will be created by inserting acyclic tree B in acyclic 1010 * See if a cycle will will be created by inserting acyclic tree B in acyclic
645 * tree A at the topmost level (ie: as a direct child of A). 1011 * tree A at the topmost level (ie: as a direct child of A).
@@ -649,116 +1015,39 @@ out:
649 */ 1015 */
650static int keyring_detect_cycle(struct key *A, struct key *B) 1016static int keyring_detect_cycle(struct key *A, struct key *B)
651{ 1017{
652 struct { 1018 struct keyring_search_context ctx = {
653 struct keyring_list *keylist; 1019 .index_key = A->index_key,
654 int kix; 1020 .match_data = A,
655 } stack[KEYRING_SEARCH_MAX_DEPTH]; 1021 .iterator = keyring_detect_cycle_iterator,
656 1022 .flags = (KEYRING_SEARCH_LOOKUP_DIRECT |
657 struct keyring_list *keylist; 1023 KEYRING_SEARCH_NO_STATE_CHECK |
658 struct key *subtree, *key; 1024 KEYRING_SEARCH_NO_UPDATE_TIME |
659 int sp, nkeys, kix, ret; 1025 KEYRING_SEARCH_NO_CHECK_PERM |
1026 KEYRING_SEARCH_DETECT_TOO_DEEP),
1027 };
660 1028
661 rcu_read_lock(); 1029 rcu_read_lock();
662 1030 search_nested_keyrings(B, &ctx);
663 ret = -EDEADLK;
664 if (A == B)
665 goto cycle_detected;
666
667 subtree = B;
668 sp = 0;
669
670 /* start processing a new keyring */
671descend:
672 if (test_bit(KEY_FLAG_REVOKED, &subtree->flags))
673 goto not_this_keyring;
674
675 keylist = rcu_dereference(subtree->payload.subscriptions);
676 if (!keylist)
677 goto not_this_keyring;
678 kix = 0;
679
680ascend:
681 /* iterate through the remaining keys in this keyring */
682 nkeys = keylist->nkeys;
683 smp_rmb();
684 for (; kix < nkeys; kix++) {
685 key = rcu_dereference(keylist->keys[kix]);
686
687 if (key == A)
688 goto cycle_detected;
689
690 /* recursively check nested keyrings */
691 if (key->type == &key_type_keyring) {
692 if (sp >= KEYRING_SEARCH_MAX_DEPTH)
693 goto too_deep;
694
695 /* stack the current position */
696 stack[sp].keylist = keylist;
697 stack[sp].kix = kix;
698 sp++;
699
700 /* begin again with the new keyring */
701 subtree = key;
702 goto descend;
703 }
704 }
705
706 /* the keyring we're looking at was disqualified or didn't contain a
707 * matching key */
708not_this_keyring:
709 if (sp > 0) {
710 /* resume the checking of a keyring higher up in the tree */
711 sp--;
712 keylist = stack[sp].keylist;
713 kix = stack[sp].kix + 1;
714 goto ascend;
715 }
716
717 ret = 0; /* no cycles detected */
718
719error:
720 rcu_read_unlock(); 1031 rcu_read_unlock();
721 return ret; 1032 return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result);
722
723too_deep:
724 ret = -ELOOP;
725 goto error;
726
727cycle_detected:
728 ret = -EDEADLK;
729 goto error;
730}
731
732/*
733 * Dispose of a keyring list after the RCU grace period, freeing the unlinked
734 * key
735 */
736static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
737{
738 struct keyring_list *klist =
739 container_of(rcu, struct keyring_list, rcu);
740
741 if (klist->delkey != USHRT_MAX)
742 key_put(rcu_access_pointer(klist->keys[klist->delkey]));
743 kfree(klist);
744} 1033}
745 1034
746/* 1035/*
747 * Preallocate memory so that a key can be linked into to a keyring. 1036 * Preallocate memory so that a key can be linked into to a keyring.
748 */ 1037 */
749int __key_link_begin(struct key *keyring, const struct key_type *type, 1038int __key_link_begin(struct key *keyring,
750 const char *description, unsigned long *_prealloc) 1039 const struct keyring_index_key *index_key,
1040 struct assoc_array_edit **_edit)
751 __acquires(&keyring->sem) 1041 __acquires(&keyring->sem)
752 __acquires(&keyring_serialise_link_sem) 1042 __acquires(&keyring_serialise_link_sem)
753{ 1043{
754 struct keyring_list *klist, *nklist; 1044 struct assoc_array_edit *edit;
755 unsigned long prealloc; 1045 int ret;
756 unsigned max; 1046
757 time_t lowest_lru; 1047 kenter("%d,%s,%s,",
758 size_t size; 1048 keyring->serial, index_key->type->name, index_key->description);
759 int loop, lru, ret;
760 1049
761 kenter("%d,%s,%s,", key_serial(keyring), type->name, description); 1050 BUG_ON(index_key->desc_len == 0);
762 1051
763 if (keyring->type != &key_type_keyring) 1052 if (keyring->type != &key_type_keyring)
764 return -ENOTDIR; 1053 return -ENOTDIR;
@@ -771,100 +1060,39 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
771 1060
772 /* serialise link/link calls to prevent parallel calls causing a cycle 1061 /* serialise link/link calls to prevent parallel calls causing a cycle
773 * when linking two keyring in opposite orders */ 1062 * when linking two keyring in opposite orders */
774 if (type == &key_type_keyring) 1063 if (index_key->type == &key_type_keyring)
775 down_write(&keyring_serialise_link_sem); 1064 down_write(&keyring_serialise_link_sem);
776 1065
777 klist = rcu_dereference_locked_keyring(keyring); 1066 /* Create an edit script that will insert/replace the key in the
778 1067 * keyring tree.
779 /* see if there's a matching key we can displace */ 1068 */
780 lru = -1; 1069 edit = assoc_array_insert(&keyring->keys,
781 if (klist && klist->nkeys > 0) { 1070 &keyring_assoc_array_ops,
782 lowest_lru = TIME_T_MAX; 1071 index_key,
783 for (loop = klist->nkeys - 1; loop >= 0; loop--) { 1072 NULL);
784 struct key *key = rcu_deref_link_locked(klist, loop, 1073 if (IS_ERR(edit)) {
785 keyring); 1074 ret = PTR_ERR(edit);
786 if (key->type == type &&
787 strcmp(key->description, description) == 0) {
788 /* Found a match - we'll replace the link with
789 * one to the new key. We record the slot
790 * position.
791 */
792 klist->delkey = loop;
793 prealloc = 0;
794 goto done;
795 }
796 if (key->last_used_at < lowest_lru) {
797 lowest_lru = key->last_used_at;
798 lru = loop;
799 }
800 }
801 }
802
803 /* If the keyring is full then do an LRU discard */
804 if (klist &&
805 klist->nkeys == klist->maxkeys &&
806 klist->maxkeys >= MAX_KEYRING_LINKS) {
807 kdebug("LRU discard %d\n", lru);
808 klist->delkey = lru;
809 prealloc = 0;
810 goto done;
811 }
812
813 /* check that we aren't going to overrun the user's quota */
814 ret = key_payload_reserve(keyring,
815 keyring->datalen + KEYQUOTA_LINK_BYTES);
816 if (ret < 0)
817 goto error_sem; 1075 goto error_sem;
1076 }
818 1077
819 if (klist && klist->nkeys < klist->maxkeys) { 1078 /* If we're not replacing a link in-place then we're going to need some
820 /* there's sufficient slack space to append directly */ 1079 * extra quota.
821 klist->delkey = klist->nkeys; 1080 */
822 prealloc = KEY_LINK_FIXQUOTA; 1081 if (!edit->dead_leaf) {
823 } else { 1082 ret = key_payload_reserve(keyring,
824 /* grow the key list */ 1083 keyring->datalen + KEYQUOTA_LINK_BYTES);
825 max = 4; 1084 if (ret < 0)
826 if (klist) { 1085 goto error_cancel;
827 max += klist->maxkeys;
828 if (max > MAX_KEYRING_LINKS)
829 max = MAX_KEYRING_LINKS;
830 BUG_ON(max <= klist->maxkeys);
831 }
832
833 size = sizeof(*klist) + sizeof(struct key *) * max;
834
835 ret = -ENOMEM;
836 nklist = kmalloc(size, GFP_KERNEL);
837 if (!nklist)
838 goto error_quota;
839
840 nklist->maxkeys = max;
841 if (klist) {
842 memcpy(nklist->keys, klist->keys,
843 sizeof(struct key *) * klist->nkeys);
844 nklist->delkey = klist->nkeys;
845 nklist->nkeys = klist->nkeys + 1;
846 klist->delkey = USHRT_MAX;
847 } else {
848 nklist->nkeys = 1;
849 nklist->delkey = 0;
850 }
851
852 /* add the key into the new space */
853 RCU_INIT_POINTER(nklist->keys[nklist->delkey], NULL);
854 prealloc = (unsigned long)nklist | KEY_LINK_FIXQUOTA;
855 } 1086 }
856 1087
857done: 1088 *_edit = edit;
858 *_prealloc = prealloc;
859 kleave(" = 0"); 1089 kleave(" = 0");
860 return 0; 1090 return 0;
861 1091
862error_quota: 1092error_cancel:
863 /* undo the quota changes */ 1093 assoc_array_cancel_edit(edit);
864 key_payload_reserve(keyring,
865 keyring->datalen - KEYQUOTA_LINK_BYTES);
866error_sem: 1094error_sem:
867 if (type == &key_type_keyring) 1095 if (index_key->type == &key_type_keyring)
868 up_write(&keyring_serialise_link_sem); 1096 up_write(&keyring_serialise_link_sem);
869error_krsem: 1097error_krsem:
870 up_write(&keyring->sem); 1098 up_write(&keyring->sem);
@@ -895,60 +1123,12 @@ int __key_link_check_live_key(struct key *keyring, struct key *key)
895 * holds at most one link to any given key of a particular type+description 1123 * holds at most one link to any given key of a particular type+description
896 * combination. 1124 * combination.
897 */ 1125 */
898void __key_link(struct key *keyring, struct key *key, 1126void __key_link(struct key *key, struct assoc_array_edit **_edit)
899 unsigned long *_prealloc)
900{ 1127{
901 struct keyring_list *klist, *nklist; 1128 __key_get(key);
902 struct key *discard; 1129 assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key));
903 1130 assoc_array_apply_edit(*_edit);
904 nklist = (struct keyring_list *)(*_prealloc & ~KEY_LINK_FIXQUOTA); 1131 *_edit = NULL;
905 *_prealloc = 0;
906
907 kenter("%d,%d,%p", keyring->serial, key->serial, nklist);
908
909 klist = rcu_dereference_locked_keyring(keyring);
910
911 atomic_inc(&key->usage);
912 keyring->last_used_at = key->last_used_at =
913 current_kernel_time().tv_sec;
914
915 /* there's a matching key we can displace or an empty slot in a newly
916 * allocated list we can fill */
917 if (nklist) {
918 kdebug("reissue %hu/%hu/%hu",
919 nklist->delkey, nklist->nkeys, nklist->maxkeys);
920
921 RCU_INIT_POINTER(nklist->keys[nklist->delkey], key);
922
923 rcu_assign_pointer(keyring->payload.subscriptions, nklist);
924
925 /* dispose of the old keyring list and, if there was one, the
926 * displaced key */
927 if (klist) {
928 kdebug("dispose %hu/%hu/%hu",
929 klist->delkey, klist->nkeys, klist->maxkeys);
930 call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
931 }
932 } else if (klist->delkey < klist->nkeys) {
933 kdebug("replace %hu/%hu/%hu",
934 klist->delkey, klist->nkeys, klist->maxkeys);
935
936 discard = rcu_dereference_protected(
937 klist->keys[klist->delkey],
938 rwsem_is_locked(&keyring->sem));
939 rcu_assign_pointer(klist->keys[klist->delkey], key);
940 /* The garbage collector will take care of RCU
941 * synchronisation */
942 key_put(discard);
943 } else {
944 /* there's sufficient slack space to append directly */
945 kdebug("append %hu/%hu/%hu",
946 klist->delkey, klist->nkeys, klist->maxkeys);
947
948 RCU_INIT_POINTER(klist->keys[klist->delkey], key);
949 smp_wmb();
950 klist->nkeys++;
951 }
952} 1132}
953 1133
954/* 1134/*
@@ -956,24 +1136,22 @@ void __key_link(struct key *keyring, struct key *key,
956 * 1136 *
957 * Must be called with __key_link_begin() having being called. 1137 * Must be called with __key_link_begin() having being called.
958 */ 1138 */
959void __key_link_end(struct key *keyring, struct key_type *type, 1139void __key_link_end(struct key *keyring,
960 unsigned long prealloc) 1140 const struct keyring_index_key *index_key,
1141 struct assoc_array_edit *edit)
961 __releases(&keyring->sem) 1142 __releases(&keyring->sem)
962 __releases(&keyring_serialise_link_sem) 1143 __releases(&keyring_serialise_link_sem)
963{ 1144{
964 BUG_ON(type == NULL); 1145 BUG_ON(index_key->type == NULL);
965 BUG_ON(type->name == NULL); 1146 kenter("%d,%s,", keyring->serial, index_key->type->name);
966 kenter("%d,%s,%lx", keyring->serial, type->name, prealloc);
967 1147
968 if (type == &key_type_keyring) 1148 if (index_key->type == &key_type_keyring)
969 up_write(&keyring_serialise_link_sem); 1149 up_write(&keyring_serialise_link_sem);
970 1150
971 if (prealloc) { 1151 if (edit && !edit->dead_leaf) {
972 if (prealloc & KEY_LINK_FIXQUOTA) 1152 key_payload_reserve(keyring,
973 key_payload_reserve(keyring, 1153 keyring->datalen - KEYQUOTA_LINK_BYTES);
974 keyring->datalen - 1154 assoc_array_cancel_edit(edit);
975 KEYQUOTA_LINK_BYTES);
976 kfree((struct keyring_list *)(prealloc & ~KEY_LINK_FIXQUOTA));
977 } 1155 }
978 up_write(&keyring->sem); 1156 up_write(&keyring->sem);
979} 1157}
@@ -1000,20 +1178,28 @@ void __key_link_end(struct key *keyring, struct key_type *type,
1000 */ 1178 */
1001int key_link(struct key *keyring, struct key *key) 1179int key_link(struct key *keyring, struct key *key)
1002{ 1180{
1003 unsigned long prealloc; 1181 struct assoc_array_edit *edit;
1004 int ret; 1182 int ret;
1005 1183
1184 kenter("{%d,%d}", keyring->serial, atomic_read(&keyring->usage));
1185
1006 key_check(keyring); 1186 key_check(keyring);
1007 key_check(key); 1187 key_check(key);
1008 1188
1009 ret = __key_link_begin(keyring, key->type, key->description, &prealloc); 1189 if (test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags) &&
1190 !test_bit(KEY_FLAG_TRUSTED, &key->flags))
1191 return -EPERM;
1192
1193 ret = __key_link_begin(keyring, &key->index_key, &edit);
1010 if (ret == 0) { 1194 if (ret == 0) {
1195 kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage));
1011 ret = __key_link_check_live_key(keyring, key); 1196 ret = __key_link_check_live_key(keyring, key);
1012 if (ret == 0) 1197 if (ret == 0)
1013 __key_link(keyring, key, &prealloc); 1198 __key_link(key, &edit);
1014 __key_link_end(keyring, key->type, prealloc); 1199 __key_link_end(keyring, &key->index_key, edit);
1015 } 1200 }
1016 1201
1202 kleave(" = %d {%d,%d}", ret, keyring->serial, atomic_read(&keyring->usage));
1017 return ret; 1203 return ret;
1018} 1204}
1019EXPORT_SYMBOL(key_link); 1205EXPORT_SYMBOL(key_link);
@@ -1037,90 +1223,37 @@ EXPORT_SYMBOL(key_link);
1037 */ 1223 */
1038int key_unlink(struct key *keyring, struct key *key) 1224int key_unlink(struct key *keyring, struct key *key)
1039{ 1225{
1040 struct keyring_list *klist, *nklist; 1226 struct assoc_array_edit *edit;
1041 int loop, ret; 1227 int ret;
1042 1228
1043 key_check(keyring); 1229 key_check(keyring);
1044 key_check(key); 1230 key_check(key);
1045 1231
1046 ret = -ENOTDIR;
1047 if (keyring->type != &key_type_keyring) 1232 if (keyring->type != &key_type_keyring)
1048 goto error; 1233 return -ENOTDIR;
1049 1234
1050 down_write(&keyring->sem); 1235 down_write(&keyring->sem);
1051 1236
1052 klist = rcu_dereference_locked_keyring(keyring); 1237 edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops,
1053 if (klist) { 1238 &key->index_key);
1054 /* search the keyring for the key */ 1239 if (IS_ERR(edit)) {
1055 for (loop = 0; loop < klist->nkeys; loop++) 1240 ret = PTR_ERR(edit);
1056 if (rcu_access_pointer(klist->keys[loop]) == key) 1241 goto error;
1057 goto key_is_present;
1058 } 1242 }
1059
1060 up_write(&keyring->sem);
1061 ret = -ENOENT; 1243 ret = -ENOENT;
1062 goto error; 1244 if (edit == NULL)
1063 1245 goto error;
1064key_is_present:
1065 /* we need to copy the key list for RCU purposes */
1066 nklist = kmalloc(sizeof(*klist) +
1067 sizeof(struct key *) * klist->maxkeys,
1068 GFP_KERNEL);
1069 if (!nklist)
1070 goto nomem;
1071 nklist->maxkeys = klist->maxkeys;
1072 nklist->nkeys = klist->nkeys - 1;
1073
1074 if (loop > 0)
1075 memcpy(&nklist->keys[0],
1076 &klist->keys[0],
1077 loop * sizeof(struct key *));
1078
1079 if (loop < nklist->nkeys)
1080 memcpy(&nklist->keys[loop],
1081 &klist->keys[loop + 1],
1082 (nklist->nkeys - loop) * sizeof(struct key *));
1083
1084 /* adjust the user's quota */
1085 key_payload_reserve(keyring,
1086 keyring->datalen - KEYQUOTA_LINK_BYTES);
1087
1088 rcu_assign_pointer(keyring->payload.subscriptions, nklist);
1089
1090 up_write(&keyring->sem);
1091
1092 /* schedule for later cleanup */
1093 klist->delkey = loop;
1094 call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
1095 1246
1247 assoc_array_apply_edit(edit);
1248 key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES);
1096 ret = 0; 1249 ret = 0;
1097 1250
1098error: 1251error:
1099 return ret;
1100nomem:
1101 ret = -ENOMEM;
1102 up_write(&keyring->sem); 1252 up_write(&keyring->sem);
1103 goto error; 1253 return ret;
1104} 1254}
1105EXPORT_SYMBOL(key_unlink); 1255EXPORT_SYMBOL(key_unlink);
1106 1256
1107/*
1108 * Dispose of a keyring list after the RCU grace period, releasing the keys it
1109 * links to.
1110 */
1111static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
1112{
1113 struct keyring_list *klist;
1114 int loop;
1115
1116 klist = container_of(rcu, struct keyring_list, rcu);
1117
1118 for (loop = klist->nkeys - 1; loop >= 0; loop--)
1119 key_put(rcu_access_pointer(klist->keys[loop]));
1120
1121 kfree(klist);
1122}
1123
1124/** 1257/**
1125 * keyring_clear - Clear a keyring 1258 * keyring_clear - Clear a keyring
1126 * @keyring: The keyring to clear. 1259 * @keyring: The keyring to clear.
@@ -1131,33 +1264,25 @@ static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
1131 */ 1264 */
1132int keyring_clear(struct key *keyring) 1265int keyring_clear(struct key *keyring)
1133{ 1266{
1134 struct keyring_list *klist; 1267 struct assoc_array_edit *edit;
1135 int ret; 1268 int ret;
1136 1269
1137 ret = -ENOTDIR; 1270 if (keyring->type != &key_type_keyring)
1138 if (keyring->type == &key_type_keyring) { 1271 return -ENOTDIR;
1139 /* detach the pointer block with the locks held */
1140 down_write(&keyring->sem);
1141
1142 klist = rcu_dereference_locked_keyring(keyring);
1143 if (klist) {
1144 /* adjust the quota */
1145 key_payload_reserve(keyring,
1146 sizeof(struct keyring_list));
1147
1148 rcu_assign_pointer(keyring->payload.subscriptions,
1149 NULL);
1150 }
1151
1152 up_write(&keyring->sem);
1153 1272
1154 /* free the keys after the locks have been dropped */ 1273 down_write(&keyring->sem);
1155 if (klist)
1156 call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1157 1274
1275 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1276 if (IS_ERR(edit)) {
1277 ret = PTR_ERR(edit);
1278 } else {
1279 if (edit)
1280 assoc_array_apply_edit(edit);
1281 key_payload_reserve(keyring, 0);
1158 ret = 0; 1282 ret = 0;
1159 } 1283 }
1160 1284
1285 up_write(&keyring->sem);
1161 return ret; 1286 return ret;
1162} 1287}
1163EXPORT_SYMBOL(keyring_clear); 1288EXPORT_SYMBOL(keyring_clear);
@@ -1169,111 +1294,68 @@ EXPORT_SYMBOL(keyring_clear);
1169 */ 1294 */
1170static void keyring_revoke(struct key *keyring) 1295static void keyring_revoke(struct key *keyring)
1171{ 1296{
1172 struct keyring_list *klist; 1297 struct assoc_array_edit *edit;
1298
1299 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1300 if (!IS_ERR(edit)) {
1301 if (edit)
1302 assoc_array_apply_edit(edit);
1303 key_payload_reserve(keyring, 0);
1304 }
1305}
1306
1307static bool keyring_gc_select_iterator(void *object, void *iterator_data)
1308{
1309 struct key *key = keyring_ptr_to_key(object);
1310 time_t *limit = iterator_data;
1173 1311
1174 klist = rcu_dereference_locked_keyring(keyring); 1312 if (key_is_dead(key, *limit))
1313 return false;
1314 key_get(key);
1315 return true;
1316}
1175 1317
1176 /* adjust the quota */ 1318static int keyring_gc_check_iterator(const void *object, void *iterator_data)
1177 key_payload_reserve(keyring, 0); 1319{
1320 const struct key *key = keyring_ptr_to_key(object);
1321 time_t *limit = iterator_data;
1178 1322
1179 if (klist) { 1323 key_check(key);
1180 rcu_assign_pointer(keyring->payload.subscriptions, NULL); 1324 return key_is_dead(key, *limit);
1181 call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1182 }
1183} 1325}
1184 1326
1185/* 1327/*
1186 * Collect garbage from the contents of a keyring, replacing the old list with 1328 * Garbage collect pointers from a keyring.
1187 * a new one with the pointers all shuffled down.
1188 * 1329 *
1189 * Dead keys are classed as oned that are flagged as being dead or are revoked, 1330 * Not called with any locks held. The keyring's key struct will not be
1190 * expired or negative keys that were revoked or expired before the specified 1331 * deallocated under us as only our caller may deallocate it.
1191 * limit.
1192 */ 1332 */
1193void keyring_gc(struct key *keyring, time_t limit) 1333void keyring_gc(struct key *keyring, time_t limit)
1194{ 1334{
1195 struct keyring_list *klist, *new; 1335 int result;
1196 struct key *key;
1197 int loop, keep, max;
1198
1199 kenter("{%x,%s}", key_serial(keyring), keyring->description);
1200
1201 down_write(&keyring->sem);
1202
1203 klist = rcu_dereference_locked_keyring(keyring);
1204 if (!klist)
1205 goto no_klist;
1206
1207 /* work out how many subscriptions we're keeping */
1208 keep = 0;
1209 for (loop = klist->nkeys - 1; loop >= 0; loop--)
1210 if (!key_is_dead(rcu_deref_link_locked(klist, loop, keyring),
1211 limit))
1212 keep++;
1213
1214 if (keep == klist->nkeys)
1215 goto just_return;
1216
1217 /* allocate a new keyring payload */
1218 max = roundup(keep, 4);
1219 new = kmalloc(sizeof(struct keyring_list) + max * sizeof(struct key *),
1220 GFP_KERNEL);
1221 if (!new)
1222 goto nomem;
1223 new->maxkeys = max;
1224 new->nkeys = 0;
1225 new->delkey = 0;
1226
1227 /* install the live keys
1228 * - must take care as expired keys may be updated back to life
1229 */
1230 keep = 0;
1231 for (loop = klist->nkeys - 1; loop >= 0; loop--) {
1232 key = rcu_deref_link_locked(klist, loop, keyring);
1233 if (!key_is_dead(key, limit)) {
1234 if (keep >= max)
1235 goto discard_new;
1236 RCU_INIT_POINTER(new->keys[keep++], key_get(key));
1237 }
1238 }
1239 new->nkeys = keep;
1240
1241 /* adjust the quota */
1242 key_payload_reserve(keyring,
1243 sizeof(struct keyring_list) +
1244 KEYQUOTA_LINK_BYTES * keep);
1245 1336
1246 if (keep == 0) { 1337 kenter("%x{%s}", keyring->serial, keyring->description ?: "");
1247 rcu_assign_pointer(keyring->payload.subscriptions, NULL);
1248 kfree(new);
1249 } else {
1250 rcu_assign_pointer(keyring->payload.subscriptions, new);
1251 }
1252 1338
1253 up_write(&keyring->sem); 1339 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
1340 (1 << KEY_FLAG_REVOKED)))
1341 goto dont_gc;
1254 1342
1255 call_rcu(&klist->rcu, keyring_clear_rcu_disposal); 1343 /* scan the keyring looking for dead keys */
1256 kleave(" [yes]"); 1344 rcu_read_lock();
1257 return; 1345 result = assoc_array_iterate(&keyring->keys,
1258 1346 keyring_gc_check_iterator, &limit);
1259discard_new: 1347 rcu_read_unlock();
1260 new->nkeys = keep; 1348 if (result == true)
1261 keyring_clear_rcu_disposal(&new->rcu); 1349 goto do_gc;
1262 up_write(&keyring->sem);
1263 kleave(" [discard]");
1264 return;
1265
1266just_return:
1267 up_write(&keyring->sem);
1268 kleave(" [no dead]");
1269 return;
1270 1350
1271no_klist: 1351dont_gc:
1272 up_write(&keyring->sem); 1352 kleave(" [no gc]");
1273 kleave(" [no_klist]");
1274 return; 1353 return;
1275 1354
1276nomem: 1355do_gc:
1356 down_write(&keyring->sem);
1357 assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops,
1358 keyring_gc_select_iterator, &limit);
1277 up_write(&keyring->sem); 1359 up_write(&keyring->sem);
1278 kleave(" [oom]"); 1360 kleave(" [gc]");
1279} 1361}
diff --git a/security/keys/persistent.c b/security/keys/persistent.c
new file mode 100644
index 000000000000..0ad3ee283781
--- /dev/null
+++ b/security/keys/persistent.c
@@ -0,0 +1,167 @@
1/* General persistent per-UID keyrings register
2 *
3 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#include <linux/user_namespace.h>
13#include "internal.h"
14
15unsigned persistent_keyring_expiry = 3 * 24 * 3600; /* Expire after 3 days of non-use */
16
17/*
18 * Create the persistent keyring register for the current user namespace.
19 *
20 * Called with the namespace's sem locked for writing.
21 */
22static int key_create_persistent_register(struct user_namespace *ns)
23{
24 struct key *reg = keyring_alloc(".persistent_register",
25 KUIDT_INIT(0), KGIDT_INIT(0),
26 current_cred(),
27 ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
28 KEY_USR_VIEW | KEY_USR_READ),
29 KEY_ALLOC_NOT_IN_QUOTA, NULL);
30 if (IS_ERR(reg))
31 return PTR_ERR(reg);
32
33 ns->persistent_keyring_register = reg;
34 return 0;
35}
36
37/*
38 * Create the persistent keyring for the specified user.
39 *
40 * Called with the namespace's sem locked for writing.
41 */
42static key_ref_t key_create_persistent(struct user_namespace *ns, kuid_t uid,
43 struct keyring_index_key *index_key)
44{
45 struct key *persistent;
46 key_ref_t reg_ref, persistent_ref;
47
48 if (!ns->persistent_keyring_register) {
49 long err = key_create_persistent_register(ns);
50 if (err < 0)
51 return ERR_PTR(err);
52 } else {
53 reg_ref = make_key_ref(ns->persistent_keyring_register, true);
54 persistent_ref = find_key_to_update(reg_ref, index_key);
55 if (persistent_ref)
56 return persistent_ref;
57 }
58
59 persistent = keyring_alloc(index_key->description,
60 uid, INVALID_GID, current_cred(),
61 ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
62 KEY_USR_VIEW | KEY_USR_READ),
63 KEY_ALLOC_NOT_IN_QUOTA,
64 ns->persistent_keyring_register);
65 if (IS_ERR(persistent))
66 return ERR_CAST(persistent);
67
68 return make_key_ref(persistent, true);
69}
70
71/*
72 * Get the persistent keyring for a specific UID and link it to the nominated
73 * keyring.
74 */
75static long key_get_persistent(struct user_namespace *ns, kuid_t uid,
76 key_ref_t dest_ref)
77{
78 struct keyring_index_key index_key;
79 struct key *persistent;
80 key_ref_t reg_ref, persistent_ref;
81 char buf[32];
82 long ret;
83
84 /* Look in the register if it exists */
85 index_key.type = &key_type_keyring;
86 index_key.description = buf;
87 index_key.desc_len = sprintf(buf, "_persistent.%u", from_kuid(ns, uid));
88
89 if (ns->persistent_keyring_register) {
90 reg_ref = make_key_ref(ns->persistent_keyring_register, true);
91 down_read(&ns->persistent_keyring_register_sem);
92 persistent_ref = find_key_to_update(reg_ref, &index_key);
93 up_read(&ns->persistent_keyring_register_sem);
94
95 if (persistent_ref)
96 goto found;
97 }
98
99 /* It wasn't in the register, so we'll need to create it. We might
100 * also need to create the register.
101 */
102 down_write(&ns->persistent_keyring_register_sem);
103 persistent_ref = key_create_persistent(ns, uid, &index_key);
104 up_write(&ns->persistent_keyring_register_sem);
105 if (!IS_ERR(persistent_ref))
106 goto found;
107
108 return PTR_ERR(persistent_ref);
109
110found:
111 ret = key_task_permission(persistent_ref, current_cred(), KEY_LINK);
112 if (ret == 0) {
113 persistent = key_ref_to_ptr(persistent_ref);
114 ret = key_link(key_ref_to_ptr(dest_ref), persistent);
115 if (ret == 0) {
116 key_set_timeout(persistent, persistent_keyring_expiry);
117 ret = persistent->serial;
118 }
119 }
120
121 key_ref_put(persistent_ref);
122 return ret;
123}
124
125/*
126 * Get the persistent keyring for a specific UID and link it to the nominated
127 * keyring.
128 */
129long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
130{
131 struct user_namespace *ns = current_user_ns();
132 key_ref_t dest_ref;
133 kuid_t uid;
134 long ret;
135
136 /* -1 indicates the current user */
137 if (_uid == (uid_t)-1) {
138 uid = current_uid();
139 } else {
140 uid = make_kuid(ns, _uid);
141 if (!uid_valid(uid))
142 return -EINVAL;
143
144 /* You can only see your own persistent cache if you're not
145 * sufficiently privileged.
146 */
147 if (!uid_eq(uid, current_uid()) &&
148 !uid_eq(uid, current_euid()) &&
149 !ns_capable(ns, CAP_SETUID))
150 return -EPERM;
151 }
152
153 /* There must be a destination keyring */
154 dest_ref = lookup_user_key(destid, KEY_LOOKUP_CREATE, KEY_WRITE);
155 if (IS_ERR(dest_ref))
156 return PTR_ERR(dest_ref);
157 if (key_ref_to_ptr(dest_ref)->type != &key_type_keyring) {
158 ret = -ENOTDIR;
159 goto out_put_dest;
160 }
161
162 ret = key_get_persistent(ns, uid, dest_ref);
163
164out_put_dest:
165 key_ref_put(dest_ref);
166 return ret;
167}
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 217b6855e815..88e9a466940f 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -182,7 +182,6 @@ static void proc_keys_stop(struct seq_file *p, void *v)
182 182
183static int proc_keys_show(struct seq_file *m, void *v) 183static int proc_keys_show(struct seq_file *m, void *v)
184{ 184{
185 const struct cred *cred = current_cred();
186 struct rb_node *_p = v; 185 struct rb_node *_p = v;
187 struct key *key = rb_entry(_p, struct key, serial_node); 186 struct key *key = rb_entry(_p, struct key, serial_node);
188 struct timespec now; 187 struct timespec now;
@@ -191,15 +190,23 @@ static int proc_keys_show(struct seq_file *m, void *v)
191 char xbuf[12]; 190 char xbuf[12];
192 int rc; 191 int rc;
193 192
193 struct keyring_search_context ctx = {
194 .index_key.type = key->type,
195 .index_key.description = key->description,
196 .cred = current_cred(),
197 .match = lookup_user_key_possessed,
198 .match_data = key,
199 .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
200 KEYRING_SEARCH_LOOKUP_DIRECT),
201 };
202
194 key_ref = make_key_ref(key, 0); 203 key_ref = make_key_ref(key, 0);
195 204
196 /* determine if the key is possessed by this process (a test we can 205 /* determine if the key is possessed by this process (a test we can
197 * skip if the key does not indicate the possessor can view it 206 * skip if the key does not indicate the possessor can view it
198 */ 207 */
199 if (key->perm & KEY_POS_VIEW) { 208 if (key->perm & KEY_POS_VIEW) {
200 skey_ref = search_my_process_keyrings(key->type, key, 209 skey_ref = search_my_process_keyrings(&ctx);
201 lookup_user_key_possessed,
202 true, cred);
203 if (!IS_ERR(skey_ref)) { 210 if (!IS_ERR(skey_ref)) {
204 key_ref_put(skey_ref); 211 key_ref_put(skey_ref);
205 key_ref = make_key_ref(key, 1); 212 key_ref = make_key_ref(key, 1);
@@ -211,7 +218,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
211 * - the caller holds a spinlock, and thus the RCU read lock, making our 218 * - the caller holds a spinlock, and thus the RCU read lock, making our
212 * access to __current_cred() safe 219 * access to __current_cred() safe
213 */ 220 */
214 rc = key_task_permission(key_ref, cred, KEY_VIEW); 221 rc = key_task_permission(key_ref, ctx.cred, KEY_VIEW);
215 if (rc < 0) 222 if (rc < 0)
216 return 0; 223 return 0;
217 224
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 42defae1e161..0cf8a130a267 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -235,7 +235,7 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
235 if (IS_ERR(keyring)) 235 if (IS_ERR(keyring))
236 return PTR_ERR(keyring); 236 return PTR_ERR(keyring);
237 } else { 237 } else {
238 atomic_inc(&keyring->usage); 238 __key_get(keyring);
239 } 239 }
240 240
241 /* install the keyring */ 241 /* install the keyring */
@@ -319,11 +319,7 @@ void key_fsgid_changed(struct task_struct *tsk)
319 * In the case of a successful return, the possession attribute is set on the 319 * In the case of a successful return, the possession attribute is set on the
320 * returned key reference. 320 * returned key reference.
321 */ 321 */
322key_ref_t search_my_process_keyrings(struct key_type *type, 322key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx)
323 const void *description,
324 key_match_func_t match,
325 bool no_state_check,
326 const struct cred *cred)
327{ 323{
328 key_ref_t key_ref, ret, err; 324 key_ref_t key_ref, ret, err;
329 325
@@ -339,10 +335,9 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
339 err = ERR_PTR(-EAGAIN); 335 err = ERR_PTR(-EAGAIN);
340 336
341 /* search the thread keyring first */ 337 /* search the thread keyring first */
342 if (cred->thread_keyring) { 338 if (ctx->cred->thread_keyring) {
343 key_ref = keyring_search_aux( 339 key_ref = keyring_search_aux(
344 make_key_ref(cred->thread_keyring, 1), 340 make_key_ref(ctx->cred->thread_keyring, 1), ctx);
345 cred, type, description, match, no_state_check);
346 if (!IS_ERR(key_ref)) 341 if (!IS_ERR(key_ref))
347 goto found; 342 goto found;
348 343
@@ -358,10 +353,9 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
358 } 353 }
359 354
360 /* search the process keyring second */ 355 /* search the process keyring second */
361 if (cred->process_keyring) { 356 if (ctx->cred->process_keyring) {
362 key_ref = keyring_search_aux( 357 key_ref = keyring_search_aux(
363 make_key_ref(cred->process_keyring, 1), 358 make_key_ref(ctx->cred->process_keyring, 1), ctx);
364 cred, type, description, match, no_state_check);
365 if (!IS_ERR(key_ref)) 359 if (!IS_ERR(key_ref))
366 goto found; 360 goto found;
367 361
@@ -379,11 +373,11 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
379 } 373 }
380 374
381 /* search the session keyring */ 375 /* search the session keyring */
382 if (cred->session_keyring) { 376 if (ctx->cred->session_keyring) {
383 rcu_read_lock(); 377 rcu_read_lock();
384 key_ref = keyring_search_aux( 378 key_ref = keyring_search_aux(
385 make_key_ref(rcu_dereference(cred->session_keyring), 1), 379 make_key_ref(rcu_dereference(ctx->cred->session_keyring), 1),
386 cred, type, description, match, no_state_check); 380 ctx);
387 rcu_read_unlock(); 381 rcu_read_unlock();
388 382
389 if (!IS_ERR(key_ref)) 383 if (!IS_ERR(key_ref))
@@ -402,10 +396,10 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
402 } 396 }
403 } 397 }
404 /* or search the user-session keyring */ 398 /* or search the user-session keyring */
405 else if (cred->user->session_keyring) { 399 else if (ctx->cred->user->session_keyring) {
406 key_ref = keyring_search_aux( 400 key_ref = keyring_search_aux(
407 make_key_ref(cred->user->session_keyring, 1), 401 make_key_ref(ctx->cred->user->session_keyring, 1),
408 cred, type, description, match, no_state_check); 402 ctx);
409 if (!IS_ERR(key_ref)) 403 if (!IS_ERR(key_ref))
410 goto found; 404 goto found;
411 405
@@ -437,18 +431,14 @@ found:
437 * 431 *
438 * Return same as search_my_process_keyrings(). 432 * Return same as search_my_process_keyrings().
439 */ 433 */
440key_ref_t search_process_keyrings(struct key_type *type, 434key_ref_t search_process_keyrings(struct keyring_search_context *ctx)
441 const void *description,
442 key_match_func_t match,
443 const struct cred *cred)
444{ 435{
445 struct request_key_auth *rka; 436 struct request_key_auth *rka;
446 key_ref_t key_ref, ret = ERR_PTR(-EACCES), err; 437 key_ref_t key_ref, ret = ERR_PTR(-EACCES), err;
447 438
448 might_sleep(); 439 might_sleep();
449 440
450 key_ref = search_my_process_keyrings(type, description, match, 441 key_ref = search_my_process_keyrings(ctx);
451 false, cred);
452 if (!IS_ERR(key_ref)) 442 if (!IS_ERR(key_ref))
453 goto found; 443 goto found;
454 err = key_ref; 444 err = key_ref;
@@ -457,18 +447,21 @@ key_ref_t search_process_keyrings(struct key_type *type,
457 * search the keyrings of the process mentioned there 447 * search the keyrings of the process mentioned there
458 * - we don't permit access to request_key auth keys via this method 448 * - we don't permit access to request_key auth keys via this method
459 */ 449 */
460 if (cred->request_key_auth && 450 if (ctx->cred->request_key_auth &&
461 cred == current_cred() && 451 ctx->cred == current_cred() &&
462 type != &key_type_request_key_auth 452 ctx->index_key.type != &key_type_request_key_auth
463 ) { 453 ) {
454 const struct cred *cred = ctx->cred;
455
464 /* defend against the auth key being revoked */ 456 /* defend against the auth key being revoked */
465 down_read(&cred->request_key_auth->sem); 457 down_read(&cred->request_key_auth->sem);
466 458
467 if (key_validate(cred->request_key_auth) == 0) { 459 if (key_validate(ctx->cred->request_key_auth) == 0) {
468 rka = cred->request_key_auth->payload.data; 460 rka = ctx->cred->request_key_auth->payload.data;
469 461
470 key_ref = search_process_keyrings(type, description, 462 ctx->cred = rka->cred;
471 match, rka->cred); 463 key_ref = search_process_keyrings(ctx);
464 ctx->cred = cred;
472 465
473 up_read(&cred->request_key_auth->sem); 466 up_read(&cred->request_key_auth->sem);
474 467
@@ -522,19 +515,23 @@ int lookup_user_key_possessed(const struct key *key, const void *target)
522key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, 515key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
523 key_perm_t perm) 516 key_perm_t perm)
524{ 517{
518 struct keyring_search_context ctx = {
519 .match = lookup_user_key_possessed,
520 .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
521 KEYRING_SEARCH_LOOKUP_DIRECT),
522 };
525 struct request_key_auth *rka; 523 struct request_key_auth *rka;
526 const struct cred *cred;
527 struct key *key; 524 struct key *key;
528 key_ref_t key_ref, skey_ref; 525 key_ref_t key_ref, skey_ref;
529 int ret; 526 int ret;
530 527
531try_again: 528try_again:
532 cred = get_current_cred(); 529 ctx.cred = get_current_cred();
533 key_ref = ERR_PTR(-ENOKEY); 530 key_ref = ERR_PTR(-ENOKEY);
534 531
535 switch (id) { 532 switch (id) {
536 case KEY_SPEC_THREAD_KEYRING: 533 case KEY_SPEC_THREAD_KEYRING:
537 if (!cred->thread_keyring) { 534 if (!ctx.cred->thread_keyring) {
538 if (!(lflags & KEY_LOOKUP_CREATE)) 535 if (!(lflags & KEY_LOOKUP_CREATE))
539 goto error; 536 goto error;
540 537
@@ -546,13 +543,13 @@ try_again:
546 goto reget_creds; 543 goto reget_creds;
547 } 544 }
548 545
549 key = cred->thread_keyring; 546 key = ctx.cred->thread_keyring;
550 atomic_inc(&key->usage); 547 __key_get(key);
551 key_ref = make_key_ref(key, 1); 548 key_ref = make_key_ref(key, 1);
552 break; 549 break;
553 550
554 case KEY_SPEC_PROCESS_KEYRING: 551 case KEY_SPEC_PROCESS_KEYRING:
555 if (!cred->process_keyring) { 552 if (!ctx.cred->process_keyring) {
556 if (!(lflags & KEY_LOOKUP_CREATE)) 553 if (!(lflags & KEY_LOOKUP_CREATE))
557 goto error; 554 goto error;
558 555
@@ -564,13 +561,13 @@ try_again:
564 goto reget_creds; 561 goto reget_creds;
565 } 562 }
566 563
567 key = cred->process_keyring; 564 key = ctx.cred->process_keyring;
568 atomic_inc(&key->usage); 565 __key_get(key);
569 key_ref = make_key_ref(key, 1); 566 key_ref = make_key_ref(key, 1);
570 break; 567 break;
571 568
572 case KEY_SPEC_SESSION_KEYRING: 569 case KEY_SPEC_SESSION_KEYRING:
573 if (!cred->session_keyring) { 570 if (!ctx.cred->session_keyring) {
574 /* always install a session keyring upon access if one 571 /* always install a session keyring upon access if one
575 * doesn't exist yet */ 572 * doesn't exist yet */
576 ret = install_user_keyrings(); 573 ret = install_user_keyrings();
@@ -580,13 +577,13 @@ try_again:
580 ret = join_session_keyring(NULL); 577 ret = join_session_keyring(NULL);
581 else 578 else
582 ret = install_session_keyring( 579 ret = install_session_keyring(
583 cred->user->session_keyring); 580 ctx.cred->user->session_keyring);
584 581
585 if (ret < 0) 582 if (ret < 0)
586 goto error; 583 goto error;
587 goto reget_creds; 584 goto reget_creds;
588 } else if (cred->session_keyring == 585 } else if (ctx.cred->session_keyring ==
589 cred->user->session_keyring && 586 ctx.cred->user->session_keyring &&
590 lflags & KEY_LOOKUP_CREATE) { 587 lflags & KEY_LOOKUP_CREATE) {
591 ret = join_session_keyring(NULL); 588 ret = join_session_keyring(NULL);
592 if (ret < 0) 589 if (ret < 0)
@@ -595,33 +592,33 @@ try_again:
595 } 592 }
596 593
597 rcu_read_lock(); 594 rcu_read_lock();
598 key = rcu_dereference(cred->session_keyring); 595 key = rcu_dereference(ctx.cred->session_keyring);
599 atomic_inc(&key->usage); 596 __key_get(key);
600 rcu_read_unlock(); 597 rcu_read_unlock();
601 key_ref = make_key_ref(key, 1); 598 key_ref = make_key_ref(key, 1);
602 break; 599 break;
603 600
604 case KEY_SPEC_USER_KEYRING: 601 case KEY_SPEC_USER_KEYRING:
605 if (!cred->user->uid_keyring) { 602 if (!ctx.cred->user->uid_keyring) {
606 ret = install_user_keyrings(); 603 ret = install_user_keyrings();
607 if (ret < 0) 604 if (ret < 0)
608 goto error; 605 goto error;
609 } 606 }
610 607
611 key = cred->user->uid_keyring; 608 key = ctx.cred->user->uid_keyring;
612 atomic_inc(&key->usage); 609 __key_get(key);
613 key_ref = make_key_ref(key, 1); 610 key_ref = make_key_ref(key, 1);
614 break; 611 break;
615 612
616 case KEY_SPEC_USER_SESSION_KEYRING: 613 case KEY_SPEC_USER_SESSION_KEYRING:
617 if (!cred->user->session_keyring) { 614 if (!ctx.cred->user->session_keyring) {
618 ret = install_user_keyrings(); 615 ret = install_user_keyrings();
619 if (ret < 0) 616 if (ret < 0)
620 goto error; 617 goto error;
621 } 618 }
622 619
623 key = cred->user->session_keyring; 620 key = ctx.cred->user->session_keyring;
624 atomic_inc(&key->usage); 621 __key_get(key);
625 key_ref = make_key_ref(key, 1); 622 key_ref = make_key_ref(key, 1);
626 break; 623 break;
627 624
@@ -631,29 +628,29 @@ try_again:
631 goto error; 628 goto error;
632 629
633 case KEY_SPEC_REQKEY_AUTH_KEY: 630 case KEY_SPEC_REQKEY_AUTH_KEY:
634 key = cred->request_key_auth; 631 key = ctx.cred->request_key_auth;
635 if (!key) 632 if (!key)
636 goto error; 633 goto error;
637 634
638 atomic_inc(&key->usage); 635 __key_get(key);
639 key_ref = make_key_ref(key, 1); 636 key_ref = make_key_ref(key, 1);
640 break; 637 break;
641 638
642 case KEY_SPEC_REQUESTOR_KEYRING: 639 case KEY_SPEC_REQUESTOR_KEYRING:
643 if (!cred->request_key_auth) 640 if (!ctx.cred->request_key_auth)
644 goto error; 641 goto error;
645 642
646 down_read(&cred->request_key_auth->sem); 643 down_read(&ctx.cred->request_key_auth->sem);
647 if (test_bit(KEY_FLAG_REVOKED, 644 if (test_bit(KEY_FLAG_REVOKED,
648 &cred->request_key_auth->flags)) { 645 &ctx.cred->request_key_auth->flags)) {
649 key_ref = ERR_PTR(-EKEYREVOKED); 646 key_ref = ERR_PTR(-EKEYREVOKED);
650 key = NULL; 647 key = NULL;
651 } else { 648 } else {
652 rka = cred->request_key_auth->payload.data; 649 rka = ctx.cred->request_key_auth->payload.data;
653 key = rka->dest_keyring; 650 key = rka->dest_keyring;
654 atomic_inc(&key->usage); 651 __key_get(key);
655 } 652 }
656 up_read(&cred->request_key_auth->sem); 653 up_read(&ctx.cred->request_key_auth->sem);
657 if (!key) 654 if (!key)
658 goto error; 655 goto error;
659 key_ref = make_key_ref(key, 1); 656 key_ref = make_key_ref(key, 1);
@@ -673,9 +670,13 @@ try_again:
673 key_ref = make_key_ref(key, 0); 670 key_ref = make_key_ref(key, 0);
674 671
675 /* check to see if we possess the key */ 672 /* check to see if we possess the key */
676 skey_ref = search_process_keyrings(key->type, key, 673 ctx.index_key.type = key->type;
677 lookup_user_key_possessed, 674 ctx.index_key.description = key->description;
678 cred); 675 ctx.index_key.desc_len = strlen(key->description);
676 ctx.match_data = key;
677 kdebug("check possessed");
678 skey_ref = search_process_keyrings(&ctx);
679 kdebug("possessed=%p", skey_ref);
679 680
680 if (!IS_ERR(skey_ref)) { 681 if (!IS_ERR(skey_ref)) {
681 key_put(key); 682 key_put(key);
@@ -715,14 +716,14 @@ try_again:
715 goto invalid_key; 716 goto invalid_key;
716 717
717 /* check the permissions */ 718 /* check the permissions */
718 ret = key_task_permission(key_ref, cred, perm); 719 ret = key_task_permission(key_ref, ctx.cred, perm);
719 if (ret < 0) 720 if (ret < 0)
720 goto invalid_key; 721 goto invalid_key;
721 722
722 key->last_used_at = current_kernel_time().tv_sec; 723 key->last_used_at = current_kernel_time().tv_sec;
723 724
724error: 725error:
725 put_cred(cred); 726 put_cred(ctx.cred);
726 return key_ref; 727 return key_ref;
727 728
728invalid_key: 729invalid_key:
@@ -733,7 +734,7 @@ invalid_key:
733 /* if we attempted to install a keyring, then it may have caused new 734 /* if we attempted to install a keyring, then it may have caused new
734 * creds to be installed */ 735 * creds to be installed */
735reget_creds: 736reget_creds:
736 put_cred(cred); 737 put_cred(ctx.cred);
737 goto try_again; 738 goto try_again;
738} 739}
739 740
@@ -856,3 +857,13 @@ void key_change_session_keyring(struct callback_head *twork)
856 857
857 commit_creds(new); 858 commit_creds(new);
858} 859}
860
861/*
862 * Make sure that root's user and user-session keyrings exist.
863 */
864static int __init init_root_keyring(void)
865{
866 return install_user_keyrings();
867}
868
869late_initcall(init_root_keyring);
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index c411f9bb156b..381411941cc1 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -345,33 +345,34 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
345 * May return a key that's already under construction instead if there was a 345 * May return a key that's already under construction instead if there was a
346 * race between two thread calling request_key(). 346 * race between two thread calling request_key().
347 */ 347 */
348static int construct_alloc_key(struct key_type *type, 348static int construct_alloc_key(struct keyring_search_context *ctx,
349 const char *description,
350 struct key *dest_keyring, 349 struct key *dest_keyring,
351 unsigned long flags, 350 unsigned long flags,
352 struct key_user *user, 351 struct key_user *user,
353 struct key **_key) 352 struct key **_key)
354{ 353{
355 const struct cred *cred = current_cred(); 354 struct assoc_array_edit *edit;
356 unsigned long prealloc;
357 struct key *key; 355 struct key *key;
358 key_perm_t perm; 356 key_perm_t perm;
359 key_ref_t key_ref; 357 key_ref_t key_ref;
360 int ret; 358 int ret;
361 359
362 kenter("%s,%s,,,", type->name, description); 360 kenter("%s,%s,,,",
361 ctx->index_key.type->name, ctx->index_key.description);
363 362
364 *_key = NULL; 363 *_key = NULL;
365 mutex_lock(&user->cons_lock); 364 mutex_lock(&user->cons_lock);
366 365
367 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; 366 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
368 perm |= KEY_USR_VIEW; 367 perm |= KEY_USR_VIEW;
369 if (type->read) 368 if (ctx->index_key.type->read)
370 perm |= KEY_POS_READ; 369 perm |= KEY_POS_READ;
371 if (type == &key_type_keyring || type->update) 370 if (ctx->index_key.type == &key_type_keyring ||
371 ctx->index_key.type->update)
372 perm |= KEY_POS_WRITE; 372 perm |= KEY_POS_WRITE;
373 373
374 key = key_alloc(type, description, cred->fsuid, cred->fsgid, cred, 374 key = key_alloc(ctx->index_key.type, ctx->index_key.description,
375 ctx->cred->fsuid, ctx->cred->fsgid, ctx->cred,
375 perm, flags); 376 perm, flags);
376 if (IS_ERR(key)) 377 if (IS_ERR(key))
377 goto alloc_failed; 378 goto alloc_failed;
@@ -379,8 +380,7 @@ static int construct_alloc_key(struct key_type *type,
379 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); 380 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
380 381
381 if (dest_keyring) { 382 if (dest_keyring) {
382 ret = __key_link_begin(dest_keyring, type, description, 383 ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit);
383 &prealloc);
384 if (ret < 0) 384 if (ret < 0)
385 goto link_prealloc_failed; 385 goto link_prealloc_failed;
386 } 386 }
@@ -390,16 +390,16 @@ static int construct_alloc_key(struct key_type *type,
390 * waited for locks */ 390 * waited for locks */
391 mutex_lock(&key_construction_mutex); 391 mutex_lock(&key_construction_mutex);
392 392
393 key_ref = search_process_keyrings(type, description, type->match, cred); 393 key_ref = search_process_keyrings(ctx);
394 if (!IS_ERR(key_ref)) 394 if (!IS_ERR(key_ref))
395 goto key_already_present; 395 goto key_already_present;
396 396
397 if (dest_keyring) 397 if (dest_keyring)
398 __key_link(dest_keyring, key, &prealloc); 398 __key_link(key, &edit);
399 399
400 mutex_unlock(&key_construction_mutex); 400 mutex_unlock(&key_construction_mutex);
401 if (dest_keyring) 401 if (dest_keyring)
402 __key_link_end(dest_keyring, type, prealloc); 402 __key_link_end(dest_keyring, &ctx->index_key, edit);
403 mutex_unlock(&user->cons_lock); 403 mutex_unlock(&user->cons_lock);
404 *_key = key; 404 *_key = key;
405 kleave(" = 0 [%d]", key_serial(key)); 405 kleave(" = 0 [%d]", key_serial(key));
@@ -414,8 +414,8 @@ key_already_present:
414 if (dest_keyring) { 414 if (dest_keyring) {
415 ret = __key_link_check_live_key(dest_keyring, key); 415 ret = __key_link_check_live_key(dest_keyring, key);
416 if (ret == 0) 416 if (ret == 0)
417 __key_link(dest_keyring, key, &prealloc); 417 __key_link(key, &edit);
418 __key_link_end(dest_keyring, type, prealloc); 418 __key_link_end(dest_keyring, &ctx->index_key, edit);
419 if (ret < 0) 419 if (ret < 0)
420 goto link_check_failed; 420 goto link_check_failed;
421 } 421 }
@@ -444,8 +444,7 @@ alloc_failed:
444/* 444/*
445 * Commence key construction. 445 * Commence key construction.
446 */ 446 */
447static struct key *construct_key_and_link(struct key_type *type, 447static struct key *construct_key_and_link(struct keyring_search_context *ctx,
448 const char *description,
449 const char *callout_info, 448 const char *callout_info,
450 size_t callout_len, 449 size_t callout_len,
451 void *aux, 450 void *aux,
@@ -464,8 +463,7 @@ static struct key *construct_key_and_link(struct key_type *type,
464 463
465 construct_get_dest_keyring(&dest_keyring); 464 construct_get_dest_keyring(&dest_keyring);
466 465
467 ret = construct_alloc_key(type, description, dest_keyring, flags, user, 466 ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
468 &key);
469 key_user_put(user); 467 key_user_put(user);
470 468
471 if (ret == 0) { 469 if (ret == 0) {
@@ -529,17 +527,24 @@ struct key *request_key_and_link(struct key_type *type,
529 struct key *dest_keyring, 527 struct key *dest_keyring,
530 unsigned long flags) 528 unsigned long flags)
531{ 529{
532 const struct cred *cred = current_cred(); 530 struct keyring_search_context ctx = {
531 .index_key.type = type,
532 .index_key.description = description,
533 .cred = current_cred(),
534 .match = type->match,
535 .match_data = description,
536 .flags = KEYRING_SEARCH_LOOKUP_DIRECT,
537 };
533 struct key *key; 538 struct key *key;
534 key_ref_t key_ref; 539 key_ref_t key_ref;
535 int ret; 540 int ret;
536 541
537 kenter("%s,%s,%p,%zu,%p,%p,%lx", 542 kenter("%s,%s,%p,%zu,%p,%p,%lx",
538 type->name, description, callout_info, callout_len, aux, 543 ctx.index_key.type->name, ctx.index_key.description,
539 dest_keyring, flags); 544 callout_info, callout_len, aux, dest_keyring, flags);
540 545
541 /* search all the process keyrings for a key */ 546 /* search all the process keyrings for a key */
542 key_ref = search_process_keyrings(type, description, type->match, cred); 547 key_ref = search_process_keyrings(&ctx);
543 548
544 if (!IS_ERR(key_ref)) { 549 if (!IS_ERR(key_ref)) {
545 key = key_ref_to_ptr(key_ref); 550 key = key_ref_to_ptr(key_ref);
@@ -562,9 +567,8 @@ struct key *request_key_and_link(struct key_type *type,
562 if (!callout_info) 567 if (!callout_info)
563 goto error; 568 goto error;
564 569
565 key = construct_key_and_link(type, description, callout_info, 570 key = construct_key_and_link(&ctx, callout_info, callout_len,
566 callout_len, aux, dest_keyring, 571 aux, dest_keyring, flags);
567 flags);
568 } 572 }
569 573
570error: 574error:
@@ -592,8 +596,10 @@ int wait_for_key_construction(struct key *key, bool intr)
592 intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE); 596 intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE);
593 if (ret < 0) 597 if (ret < 0)
594 return ret; 598 return ret;
595 if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) 599 if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
600 smp_rmb();
596 return key->type_data.reject_error; 601 return key->type_data.reject_error;
602 }
597 return key_validate(key); 603 return key_validate(key);
598} 604}
599EXPORT_SYMBOL(wait_for_key_construction); 605EXPORT_SYMBOL(wait_for_key_construction);
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 85730d5a5a59..7495a93b4b90 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -18,6 +18,7 @@
18#include <linux/slab.h> 18#include <linux/slab.h>
19#include <asm/uaccess.h> 19#include <asm/uaccess.h>
20#include "internal.h" 20#include "internal.h"
21#include <keys/user-type.h>
21 22
22static int request_key_auth_instantiate(struct key *, 23static int request_key_auth_instantiate(struct key *,
23 struct key_preparsed_payload *); 24 struct key_preparsed_payload *);
@@ -222,32 +223,26 @@ error_alloc:
222} 223}
223 224
224/* 225/*
225 * See if an authorisation key is associated with a particular key.
226 */
227static int key_get_instantiation_authkey_match(const struct key *key,
228 const void *_id)
229{
230 struct request_key_auth *rka = key->payload.data;
231 key_serial_t id = (key_serial_t)(unsigned long) _id;
232
233 return rka->target_key->serial == id;
234}
235
236/*
237 * Search the current process's keyrings for the authorisation key for 226 * Search the current process's keyrings for the authorisation key for
238 * instantiation of a key. 227 * instantiation of a key.
239 */ 228 */
240struct key *key_get_instantiation_authkey(key_serial_t target_id) 229struct key *key_get_instantiation_authkey(key_serial_t target_id)
241{ 230{
242 const struct cred *cred = current_cred(); 231 char description[16];
232 struct keyring_search_context ctx = {
233 .index_key.type = &key_type_request_key_auth,
234 .index_key.description = description,
235 .cred = current_cred(),
236 .match = user_match,
237 .match_data = description,
238 .flags = KEYRING_SEARCH_LOOKUP_DIRECT,
239 };
243 struct key *authkey; 240 struct key *authkey;
244 key_ref_t authkey_ref; 241 key_ref_t authkey_ref;
245 242
246 authkey_ref = search_process_keyrings( 243 sprintf(description, "%x", target_id);
247 &key_type_request_key_auth, 244
248 (void *) (unsigned long) target_id, 245 authkey_ref = search_process_keyrings(&ctx);
249 key_get_instantiation_authkey_match,
250 cred);
251 246
252 if (IS_ERR(authkey_ref)) { 247 if (IS_ERR(authkey_ref)) {
253 authkey = ERR_CAST(authkey_ref); 248 authkey = ERR_CAST(authkey_ref);
diff --git a/security/keys/sysctl.c b/security/keys/sysctl.c
index ee32d181764a..8c0af08760c8 100644
--- a/security/keys/sysctl.c
+++ b/security/keys/sysctl.c
@@ -61,5 +61,16 @@ ctl_table key_sysctls[] = {
61 .extra1 = (void *) &zero, 61 .extra1 = (void *) &zero,
62 .extra2 = (void *) &max, 62 .extra2 = (void *) &max,
63 }, 63 },
64#ifdef CONFIG_PERSISTENT_KEYRINGS
65 {
66 .procname = "persistent_keyring_expiry",
67 .data = &persistent_keyring_expiry,
68 .maxlen = sizeof(unsigned),
69 .mode = 0644,
70 .proc_handler = proc_dointvec_minmax,
71 .extra1 = (void *) &zero,
72 .extra2 = (void *) &max,
73 },
74#endif
64 { } 75 { }
65}; 76};
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 55dc88939185..faa2caeb593f 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -25,14 +25,15 @@ static int logon_vet_description(const char *desc);
25 * arbitrary blob of data as the payload 25 * arbitrary blob of data as the payload
26 */ 26 */
27struct key_type key_type_user = { 27struct key_type key_type_user = {
28 .name = "user", 28 .name = "user",
29 .instantiate = user_instantiate, 29 .def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
30 .update = user_update, 30 .instantiate = user_instantiate,
31 .match = user_match, 31 .update = user_update,
32 .revoke = user_revoke, 32 .match = user_match,
33 .destroy = user_destroy, 33 .revoke = user_revoke,
34 .describe = user_describe, 34 .destroy = user_destroy,
35 .read = user_read, 35 .describe = user_describe,
36 .read = user_read,
36}; 37};
37 38
38EXPORT_SYMBOL_GPL(key_type_user); 39EXPORT_SYMBOL_GPL(key_type_user);
@@ -45,6 +46,7 @@ EXPORT_SYMBOL_GPL(key_type_user);
45 */ 46 */
46struct key_type key_type_logon = { 47struct key_type key_type_logon = {
47 .name = "logon", 48 .name = "logon",
49 .def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
48 .instantiate = user_instantiate, 50 .instantiate = user_instantiate,
49 .update = user_update, 51 .update = user_update,
50 .match = user_match, 52 .match = user_match,
diff --git a/security/security.c b/security/security.c
index 4dc31f4f2700..15b6928592ef 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1340,22 +1340,17 @@ int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
1340 return security_ops->xfrm_policy_delete_security(ctx); 1340 return security_ops->xfrm_policy_delete_security(ctx);
1341} 1341}
1342 1342
1343int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 1343int security_xfrm_state_alloc(struct xfrm_state *x,
1344 struct xfrm_user_sec_ctx *sec_ctx)
1344{ 1345{
1345 return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0); 1346 return security_ops->xfrm_state_alloc(x, sec_ctx);
1346} 1347}
1347EXPORT_SYMBOL(security_xfrm_state_alloc); 1348EXPORT_SYMBOL(security_xfrm_state_alloc);
1348 1349
1349int security_xfrm_state_alloc_acquire(struct xfrm_state *x, 1350int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
1350 struct xfrm_sec_ctx *polsec, u32 secid) 1351 struct xfrm_sec_ctx *polsec, u32 secid)
1351{ 1352{
1352 if (!polsec) 1353 return security_ops->xfrm_state_alloc_acquire(x, polsec, secid);
1353 return 0;
1354 /*
1355 * We want the context to be taken from secid which is usually
1356 * from the sock.
1357 */
1358 return security_ops->xfrm_state_alloc_security(x, NULL, secid);
1359} 1354}
1360 1355
1361int security_xfrm_state_delete(struct xfrm_state *x) 1356int security_xfrm_state_delete(struct xfrm_state *x)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c540795fb3f2..794c3ca49eac 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -95,7 +95,9 @@
95#include "audit.h" 95#include "audit.h"
96#include "avc_ss.h" 96#include "avc_ss.h"
97 97
98#define NUM_SEL_MNT_OPTS 5 98#define SB_TYPE_FMT "%s%s%s"
99#define SB_SUBTYPE(sb) (sb->s_subtype && sb->s_subtype[0])
100#define SB_TYPE_ARGS(sb) sb->s_type->name, SB_SUBTYPE(sb) ? "." : "", SB_SUBTYPE(sb) ? sb->s_subtype : ""
99 101
100extern struct security_operations *security_ops; 102extern struct security_operations *security_ops;
101 103
@@ -139,12 +141,28 @@ static struct kmem_cache *sel_inode_cache;
139 * This function checks the SECMARK reference counter to see if any SECMARK 141 * This function checks the SECMARK reference counter to see if any SECMARK
140 * targets are currently configured, if the reference counter is greater than 142 * targets are currently configured, if the reference counter is greater than
141 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 143 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
142 * enabled, false (0) if SECMARK is disabled. 144 * enabled, false (0) if SECMARK is disabled. If the always_check_network
145 * policy capability is enabled, SECMARK is always considered enabled.
143 * 146 *
144 */ 147 */
145static int selinux_secmark_enabled(void) 148static int selinux_secmark_enabled(void)
146{ 149{
147 return (atomic_read(&selinux_secmark_refcount) > 0); 150 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
151}
152
153/**
154 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
155 *
156 * Description:
157 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
158 * (1) if any are enabled or false (0) if neither are enabled. If the
159 * always_check_network policy capability is enabled, peer labeling
160 * is always considered enabled.
161 *
162 */
163static int selinux_peerlbl_enabled(void)
164{
165 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
148} 166}
149 167
150/* 168/*
@@ -309,8 +327,11 @@ enum {
309 Opt_defcontext = 3, 327 Opt_defcontext = 3,
310 Opt_rootcontext = 4, 328 Opt_rootcontext = 4,
311 Opt_labelsupport = 5, 329 Opt_labelsupport = 5,
330 Opt_nextmntopt = 6,
312}; 331};
313 332
333#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
334
314static const match_table_t tokens = { 335static const match_table_t tokens = {
315 {Opt_context, CONTEXT_STR "%s"}, 336 {Opt_context, CONTEXT_STR "%s"},
316 {Opt_fscontext, FSCONTEXT_STR "%s"}, 337 {Opt_fscontext, FSCONTEXT_STR "%s"},
@@ -355,6 +376,29 @@ static int may_context_mount_inode_relabel(u32 sid,
355 return rc; 376 return rc;
356} 377}
357 378
379static int selinux_is_sblabel_mnt(struct super_block *sb)
380{
381 struct superblock_security_struct *sbsec = sb->s_security;
382
383 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
384 sbsec->behavior == SECURITY_FS_USE_TRANS ||
385 sbsec->behavior == SECURITY_FS_USE_TASK)
386 return 1;
387
388 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
389 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
390 return 1;
391
392 /*
393 * Special handling for rootfs. Is genfs but supports
394 * setting SELinux context on in-core inodes.
395 */
396 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
397 return 1;
398
399 return 0;
400}
401
358static int sb_finish_set_opts(struct super_block *sb) 402static int sb_finish_set_opts(struct super_block *sb)
359{ 403{
360 struct superblock_security_struct *sbsec = sb->s_security; 404 struct superblock_security_struct *sbsec = sb->s_security;
@@ -369,8 +413,8 @@ static int sb_finish_set_opts(struct super_block *sb)
369 the first boot of the SELinux kernel before we have 413 the first boot of the SELinux kernel before we have
370 assigned xattr values to the filesystem. */ 414 assigned xattr values to the filesystem. */
371 if (!root_inode->i_op->getxattr) { 415 if (!root_inode->i_op->getxattr) {
372 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 416 printk(KERN_WARNING "SELinux: (dev %s, type "SB_TYPE_FMT") has no "
373 "xattr support\n", sb->s_id, sb->s_type->name); 417 "xattr support\n", sb->s_id, SB_TYPE_ARGS(sb));
374 rc = -EOPNOTSUPP; 418 rc = -EOPNOTSUPP;
375 goto out; 419 goto out;
376 } 420 }
@@ -378,35 +422,27 @@ static int sb_finish_set_opts(struct super_block *sb)
378 if (rc < 0 && rc != -ENODATA) { 422 if (rc < 0 && rc != -ENODATA) {
379 if (rc == -EOPNOTSUPP) 423 if (rc == -EOPNOTSUPP)
380 printk(KERN_WARNING "SELinux: (dev %s, type " 424 printk(KERN_WARNING "SELinux: (dev %s, type "
381 "%s) has no security xattr handler\n", 425 SB_TYPE_FMT") has no security xattr handler\n",
382 sb->s_id, sb->s_type->name); 426 sb->s_id, SB_TYPE_ARGS(sb));
383 else 427 else
384 printk(KERN_WARNING "SELinux: (dev %s, type " 428 printk(KERN_WARNING "SELinux: (dev %s, type "
385 "%s) getxattr errno %d\n", sb->s_id, 429 SB_TYPE_FMT") getxattr errno %d\n", sb->s_id,
386 sb->s_type->name, -rc); 430 SB_TYPE_ARGS(sb), -rc);
387 goto out; 431 goto out;
388 } 432 }
389 } 433 }
390 434
391 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
392
393 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 435 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
394 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 436 printk(KERN_ERR "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), unknown behavior\n",
395 sb->s_id, sb->s_type->name); 437 sb->s_id, SB_TYPE_ARGS(sb));
396 else 438 else
397 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", 439 printk(KERN_DEBUG "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), %s\n",
398 sb->s_id, sb->s_type->name, 440 sb->s_id, SB_TYPE_ARGS(sb),
399 labeling_behaviors[sbsec->behavior-1]); 441 labeling_behaviors[sbsec->behavior-1]);
400 442
401 if (sbsec->behavior == SECURITY_FS_USE_GENFS || 443 sbsec->flags |= SE_SBINITIALIZED;
402 sbsec->behavior == SECURITY_FS_USE_MNTPOINT || 444 if (selinux_is_sblabel_mnt(sb))
403 sbsec->behavior == SECURITY_FS_USE_NONE || 445 sbsec->flags |= SBLABEL_MNT;
404 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
405 sbsec->flags &= ~SE_SBLABELSUPP;
406
407 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
408 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
409 sbsec->flags |= SE_SBLABELSUPP;
410 446
411 /* Initialize the root inode. */ 447 /* Initialize the root inode. */
412 rc = inode_doinit_with_dentry(root_inode, root); 448 rc = inode_doinit_with_dentry(root_inode, root);
@@ -460,15 +496,18 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
460 if (!ss_initialized) 496 if (!ss_initialized)
461 return -EINVAL; 497 return -EINVAL;
462 498
499 /* make sure we always check enough bits to cover the mask */
500 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
501
463 tmp = sbsec->flags & SE_MNTMASK; 502 tmp = sbsec->flags & SE_MNTMASK;
464 /* count the number of mount options for this sb */ 503 /* count the number of mount options for this sb */
465 for (i = 0; i < 8; i++) { 504 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
466 if (tmp & 0x01) 505 if (tmp & 0x01)
467 opts->num_mnt_opts++; 506 opts->num_mnt_opts++;
468 tmp >>= 1; 507 tmp >>= 1;
469 } 508 }
470 /* Check if the Label support flag is set */ 509 /* Check if the Label support flag is set */
471 if (sbsec->flags & SE_SBLABELSUPP) 510 if (sbsec->flags & SBLABEL_MNT)
472 opts->num_mnt_opts++; 511 opts->num_mnt_opts++;
473 512
474 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 513 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
@@ -515,9 +554,9 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
515 opts->mnt_opts[i] = context; 554 opts->mnt_opts[i] = context;
516 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 555 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517 } 556 }
518 if (sbsec->flags & SE_SBLABELSUPP) { 557 if (sbsec->flags & SBLABEL_MNT) {
519 opts->mnt_opts[i] = NULL; 558 opts->mnt_opts[i] = NULL;
520 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP; 559 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
521 } 560 }
522 561
523 BUG_ON(i != opts->num_mnt_opts); 562 BUG_ON(i != opts->num_mnt_opts);
@@ -561,7 +600,6 @@ static int selinux_set_mnt_opts(struct super_block *sb,
561 const struct cred *cred = current_cred(); 600 const struct cred *cred = current_cred();
562 int rc = 0, i; 601 int rc = 0, i;
563 struct superblock_security_struct *sbsec = sb->s_security; 602 struct superblock_security_struct *sbsec = sb->s_security;
564 const char *name = sb->s_type->name;
565 struct inode *inode = sbsec->sb->s_root->d_inode; 603 struct inode *inode = sbsec->sb->s_root->d_inode;
566 struct inode_security_struct *root_isec = inode->i_security; 604 struct inode_security_struct *root_isec = inode->i_security;
567 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 605 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
@@ -614,14 +652,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
614 for (i = 0; i < num_opts; i++) { 652 for (i = 0; i < num_opts; i++) {
615 u32 sid; 653 u32 sid;
616 654
617 if (flags[i] == SE_SBLABELSUPP) 655 if (flags[i] == SBLABEL_MNT)
618 continue; 656 continue;
619 rc = security_context_to_sid(mount_options[i], 657 rc = security_context_to_sid(mount_options[i],
620 strlen(mount_options[i]), &sid); 658 strlen(mount_options[i]), &sid);
621 if (rc) { 659 if (rc) {
622 printk(KERN_WARNING "SELinux: security_context_to_sid" 660 printk(KERN_WARNING "SELinux: security_context_to_sid"
623 "(%s) failed for (dev %s, type %s) errno=%d\n", 661 "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
624 mount_options[i], sb->s_id, name, rc); 662 mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
625 goto out; 663 goto out;
626 } 664 }
627 switch (flags[i]) { 665 switch (flags[i]) {
@@ -685,9 +723,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
685 * Determine the labeling behavior to use for this 723 * Determine the labeling behavior to use for this
686 * filesystem type. 724 * filesystem type.
687 */ 725 */
688 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? 726 rc = security_fs_use(sb);
689 "proc" : sb->s_type->name,
690 &sbsec->behavior, &sbsec->sid);
691 if (rc) { 727 if (rc) {
692 printk(KERN_WARNING 728 printk(KERN_WARNING
693 "%s: security_fs_use(%s) returned %d\n", 729 "%s: security_fs_use(%s) returned %d\n",
@@ -770,7 +806,8 @@ out:
770out_double_mount: 806out_double_mount:
771 rc = -EINVAL; 807 rc = -EINVAL;
772 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 808 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
773 "security settings for (dev %s, type %s)\n", sb->s_id, name); 809 "security settings for (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
810 SB_TYPE_ARGS(sb));
774 goto out; 811 goto out;
775} 812}
776 813
@@ -1037,7 +1074,7 @@ static void selinux_write_opts(struct seq_file *m,
1037 case DEFCONTEXT_MNT: 1074 case DEFCONTEXT_MNT:
1038 prefix = DEFCONTEXT_STR; 1075 prefix = DEFCONTEXT_STR;
1039 break; 1076 break;
1040 case SE_SBLABELSUPP: 1077 case SBLABEL_MNT:
1041 seq_putc(m, ','); 1078 seq_putc(m, ',');
1042 seq_puts(m, LABELSUPP_STR); 1079 seq_puts(m, LABELSUPP_STR);
1043 continue; 1080 continue;
@@ -1649,7 +1686,7 @@ static int may_create(struct inode *dir,
1649 if (rc) 1686 if (rc)
1650 return rc; 1687 return rc;
1651 1688
1652 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 1689 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1653 rc = security_transition_sid(sid, dsec->sid, tclass, 1690 rc = security_transition_sid(sid, dsec->sid, tclass,
1654 &dentry->d_name, &newsid); 1691 &dentry->d_name, &newsid);
1655 if (rc) 1692 if (rc)
@@ -2437,14 +2474,14 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
2437 u32 sid; 2474 u32 sid;
2438 size_t len; 2475 size_t len;
2439 2476
2440 if (flags[i] == SE_SBLABELSUPP) 2477 if (flags[i] == SBLABEL_MNT)
2441 continue; 2478 continue;
2442 len = strlen(mount_options[i]); 2479 len = strlen(mount_options[i]);
2443 rc = security_context_to_sid(mount_options[i], len, &sid); 2480 rc = security_context_to_sid(mount_options[i], len, &sid);
2444 if (rc) { 2481 if (rc) {
2445 printk(KERN_WARNING "SELinux: security_context_to_sid" 2482 printk(KERN_WARNING "SELinux: security_context_to_sid"
2446 "(%s) failed for (dev %s, type %s) errno=%d\n", 2483 "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
2447 mount_options[i], sb->s_id, sb->s_type->name, rc); 2484 mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
2448 goto out_free_opts; 2485 goto out_free_opts;
2449 } 2486 }
2450 rc = -EINVAL; 2487 rc = -EINVAL;
@@ -2482,8 +2519,8 @@ out_free_secdata:
2482 return rc; 2519 return rc;
2483out_bad_option: 2520out_bad_option:
2484 printk(KERN_WARNING "SELinux: unable to change security options " 2521 printk(KERN_WARNING "SELinux: unable to change security options "
2485 "during remount (dev %s, type=%s)\n", sb->s_id, 2522 "during remount (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
2486 sb->s_type->name); 2523 SB_TYPE_ARGS(sb));
2487 goto out_free_opts; 2524 goto out_free_opts;
2488} 2525}
2489 2526
@@ -2606,7 +2643,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2606 if ((sbsec->flags & SE_SBINITIALIZED) && 2643 if ((sbsec->flags & SE_SBINITIALIZED) &&
2607 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) 2644 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2608 newsid = sbsec->mntpoint_sid; 2645 newsid = sbsec->mntpoint_sid;
2609 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 2646 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2610 rc = security_transition_sid(sid, dsec->sid, 2647 rc = security_transition_sid(sid, dsec->sid,
2611 inode_mode_to_security_class(inode->i_mode), 2648 inode_mode_to_security_class(inode->i_mode),
2612 qstr, &newsid); 2649 qstr, &newsid);
@@ -2628,7 +2665,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2628 isec->initialized = 1; 2665 isec->initialized = 1;
2629 } 2666 }
2630 2667
2631 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) 2668 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2632 return -EOPNOTSUPP; 2669 return -EOPNOTSUPP;
2633 2670
2634 if (name) 2671 if (name)
@@ -2830,7 +2867,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2830 return selinux_inode_setotherxattr(dentry, name); 2867 return selinux_inode_setotherxattr(dentry, name);
2831 2868
2832 sbsec = inode->i_sb->s_security; 2869 sbsec = inode->i_sb->s_security;
2833 if (!(sbsec->flags & SE_SBLABELSUPP)) 2870 if (!(sbsec->flags & SBLABEL_MNT))
2834 return -EOPNOTSUPP; 2871 return -EOPNOTSUPP;
2835 2872
2836 if (!inode_owner_or_capable(inode)) 2873 if (!inode_owner_or_capable(inode))
@@ -3791,8 +3828,12 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3791 u32 nlbl_sid; 3828 u32 nlbl_sid;
3792 u32 nlbl_type; 3829 u32 nlbl_type;
3793 3830
3794 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3831 err = selinux_skb_xfrm_sid(skb, &xfrm_sid);
3795 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 3832 if (unlikely(err))
3833 return -EACCES;
3834 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3835 if (unlikely(err))
3836 return -EACCES;
3796 3837
3797 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 3838 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3798 if (unlikely(err)) { 3839 if (unlikely(err)) {
@@ -4246,7 +4287,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4246 return selinux_sock_rcv_skb_compat(sk, skb, family); 4287 return selinux_sock_rcv_skb_compat(sk, skb, family);
4247 4288
4248 secmark_active = selinux_secmark_enabled(); 4289 secmark_active = selinux_secmark_enabled();
4249 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4290 peerlbl_active = selinux_peerlbl_enabled();
4250 if (!secmark_active && !peerlbl_active) 4291 if (!secmark_active && !peerlbl_active)
4251 return 0; 4292 return 0;
4252 4293
@@ -4628,7 +4669,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4628 4669
4629 secmark_active = selinux_secmark_enabled(); 4670 secmark_active = selinux_secmark_enabled();
4630 netlbl_active = netlbl_enabled(); 4671 netlbl_active = netlbl_enabled();
4631 peerlbl_active = netlbl_active || selinux_xfrm_enabled(); 4672 peerlbl_active = selinux_peerlbl_enabled();
4632 if (!secmark_active && !peerlbl_active) 4673 if (!secmark_active && !peerlbl_active)
4633 return NF_ACCEPT; 4674 return NF_ACCEPT;
4634 4675
@@ -4780,7 +4821,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4780 return NF_ACCEPT; 4821 return NF_ACCEPT;
4781#endif 4822#endif
4782 secmark_active = selinux_secmark_enabled(); 4823 secmark_active = selinux_secmark_enabled();
4783 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4824 peerlbl_active = selinux_peerlbl_enabled();
4784 if (!secmark_active && !peerlbl_active) 4825 if (!secmark_active && !peerlbl_active)
4785 return NF_ACCEPT; 4826 return NF_ACCEPT;
4786 4827
@@ -5784,7 +5825,8 @@ static struct security_operations selinux_ops = {
5784 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5825 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5785 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5826 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5786 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5827 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5787 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5828 .xfrm_state_alloc = selinux_xfrm_state_alloc,
5829 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
5788 .xfrm_state_free_security = selinux_xfrm_state_free, 5830 .xfrm_state_free_security = selinux_xfrm_state_free,
5789 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5831 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5790 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5832 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index aa47bcabb5f6..b1dfe1049450 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -58,8 +58,8 @@ struct superblock_security_struct {
58 u32 sid; /* SID of file system superblock */ 58 u32 sid; /* SID of file system superblock */
59 u32 def_sid; /* default SID for labeling */ 59 u32 def_sid; /* default SID for labeling */
60 u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */ 60 u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
61 unsigned int behavior; /* labeling behavior */ 61 unsigned short behavior; /* labeling behavior */
62 unsigned char flags; /* which mount options were specified */ 62 unsigned short flags; /* which mount options were specified */
63 struct mutex lock; 63 struct mutex lock;
64 struct list_head isec_head; 64 struct list_head isec_head;
65 spinlock_t isec_lock; 65 spinlock_t isec_lock;
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 8fd8e18ea340..fe341ae37004 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -45,14 +45,15 @@
45/* Mask for just the mount related flags */ 45/* Mask for just the mount related flags */
46#define SE_MNTMASK 0x0f 46#define SE_MNTMASK 0x0f
47/* Super block security struct flags for mount options */ 47/* Super block security struct flags for mount options */
48/* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */
48#define CONTEXT_MNT 0x01 49#define CONTEXT_MNT 0x01
49#define FSCONTEXT_MNT 0x02 50#define FSCONTEXT_MNT 0x02
50#define ROOTCONTEXT_MNT 0x04 51#define ROOTCONTEXT_MNT 0x04
51#define DEFCONTEXT_MNT 0x08 52#define DEFCONTEXT_MNT 0x08
53#define SBLABEL_MNT 0x10
52/* Non-mount related flags */ 54/* Non-mount related flags */
53#define SE_SBINITIALIZED 0x10 55#define SE_SBINITIALIZED 0x0100
54#define SE_SBPROC 0x20 56#define SE_SBPROC 0x0200
55#define SE_SBLABELSUPP 0x40
56 57
57#define CONTEXT_STR "context=" 58#define CONTEXT_STR "context="
58#define FSCONTEXT_STR "fscontext=" 59#define FSCONTEXT_STR "fscontext="
@@ -68,12 +69,15 @@ extern int selinux_enabled;
68enum { 69enum {
69 POLICYDB_CAPABILITY_NETPEER, 70 POLICYDB_CAPABILITY_NETPEER,
70 POLICYDB_CAPABILITY_OPENPERM, 71 POLICYDB_CAPABILITY_OPENPERM,
72 POLICYDB_CAPABILITY_REDHAT1,
73 POLICYDB_CAPABILITY_ALWAYSNETWORK,
71 __POLICYDB_CAPABILITY_MAX 74 __POLICYDB_CAPABILITY_MAX
72}; 75};
73#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) 76#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
74 77
75extern int selinux_policycap_netpeer; 78extern int selinux_policycap_netpeer;
76extern int selinux_policycap_openperm; 79extern int selinux_policycap_openperm;
80extern int selinux_policycap_alwaysnetwork;
77 81
78/* 82/*
79 * type_datum properties 83 * type_datum properties
@@ -172,8 +176,7 @@ int security_get_allow_unknown(void);
172#define SECURITY_FS_USE_NATIVE 7 /* use native label support */ 176#define SECURITY_FS_USE_NATIVE 7 /* use native label support */
173#define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */ 177#define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */
174 178
175int security_fs_use(const char *fstype, unsigned int *behavior, 179int security_fs_use(struct super_block *sb);
176 u32 *sid);
177 180
178int security_genfs_sid(const char *fstype, char *name, u16 sclass, 181int security_genfs_sid(const char *fstype, char *name, u16 sclass,
179 u32 *sid); 182 u32 *sid);
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 6713f04e30ba..0dec76c64cf5 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -10,29 +10,21 @@
10#include <net/flow.h> 10#include <net/flow.h>
11 11
12int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, 12int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
13 struct xfrm_user_sec_ctx *sec_ctx); 13 struct xfrm_user_sec_ctx *uctx);
14int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, 14int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
15 struct xfrm_sec_ctx **new_ctxp); 15 struct xfrm_sec_ctx **new_ctxp);
16void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx); 16void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
17int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx); 17int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
18int selinux_xfrm_state_alloc(struct xfrm_state *x, 18int selinux_xfrm_state_alloc(struct xfrm_state *x,
19 struct xfrm_user_sec_ctx *sec_ctx, u32 secid); 19 struct xfrm_user_sec_ctx *uctx);
20int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
21 struct xfrm_sec_ctx *polsec, u32 secid);
20void selinux_xfrm_state_free(struct xfrm_state *x); 22void selinux_xfrm_state_free(struct xfrm_state *x);
21int selinux_xfrm_state_delete(struct xfrm_state *x); 23int selinux_xfrm_state_delete(struct xfrm_state *x);
22int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); 24int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
23int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, 25int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
24 struct xfrm_policy *xp, const struct flowi *fl); 26 struct xfrm_policy *xp,
25 27 const struct flowi *fl);
26/*
27 * Extract the security blob from the sock (it's actually on the socket)
28 */
29static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
30{
31 if (!sk->sk_socket)
32 return NULL;
33
34 return SOCK_INODE(sk->sk_socket)->i_security;
35}
36 28
37#ifdef CONFIG_SECURITY_NETWORK_XFRM 29#ifdef CONFIG_SECURITY_NETWORK_XFRM
38extern atomic_t selinux_xfrm_refcount; 30extern atomic_t selinux_xfrm_refcount;
@@ -42,10 +34,10 @@ static inline int selinux_xfrm_enabled(void)
42 return (atomic_read(&selinux_xfrm_refcount) > 0); 34 return (atomic_read(&selinux_xfrm_refcount) > 0);
43} 35}
44 36
45int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, 37int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
46 struct common_audit_data *ad); 38 struct common_audit_data *ad);
47int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 39int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
48 struct common_audit_data *ad, u8 proto); 40 struct common_audit_data *ad, u8 proto);
49int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); 41int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
50 42
51static inline void selinux_xfrm_notify_policyload(void) 43static inline void selinux_xfrm_notify_policyload(void)
@@ -64,19 +56,21 @@ static inline int selinux_xfrm_enabled(void)
64 return 0; 56 return 0;
65} 57}
66 58
67static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, 59static inline int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
68 struct common_audit_data *ad) 60 struct common_audit_data *ad)
69{ 61{
70 return 0; 62 return 0;
71} 63}
72 64
73static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 65static inline int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
74 struct common_audit_data *ad, u8 proto) 66 struct common_audit_data *ad,
67 u8 proto)
75{ 68{
76 return 0; 69 return 0;
77} 70}
78 71
79static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) 72static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid,
73 int ckall)
80{ 74{
81 *sid = SECSID_NULL; 75 *sid = SECSID_NULL;
82 return 0; 76 return 0;
@@ -87,10 +81,9 @@ static inline void selinux_xfrm_notify_policyload(void)
87} 81}
88#endif 82#endif
89 83
90static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid) 84static inline int selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
91{ 85{
92 int err = selinux_xfrm_decode_session(skb, sid, 0); 86 return selinux_xfrm_decode_session(skb, sid, 0);
93 BUG_ON(err);
94} 87}
95 88
96#endif /* _SELINUX_XFRM_H_ */ 89#endif /* _SELINUX_XFRM_H_ */
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index da4b8b233280..6235d052338b 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -442,8 +442,7 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
442 sksec->nlbl_state != NLBL_CONNLABELED) 442 sksec->nlbl_state != NLBL_CONNLABELED)
443 return 0; 443 return 0;
444 444
445 local_bh_disable(); 445 lock_sock(sk);
446 bh_lock_sock_nested(sk);
447 446
448 /* connected sockets are allowed to disconnect when the address family 447 /* connected sockets are allowed to disconnect when the address family
449 * is set to AF_UNSPEC, if that is what is happening we want to reset 448 * is set to AF_UNSPEC, if that is what is happening we want to reset
@@ -464,7 +463,6 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
464 sksec->nlbl_state = NLBL_CONNLABELED; 463 sksec->nlbl_state = NLBL_CONNLABELED;
465 464
466socket_connect_return: 465socket_connect_return:
467 bh_unlock_sock(sk); 466 release_sock(sk);
468 local_bh_enable();
469 return rc; 467 return rc;
470} 468}
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index c5454c0477c3..03a72c32afd7 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -166,6 +166,7 @@ static void sel_netnode_insert(struct sel_netnode *node)
166 break; 166 break;
167 default: 167 default:
168 BUG(); 168 BUG();
169 return;
169 } 170 }
170 171
171 /* we need to impose a limit on the growth of the hash table so check 172 /* we need to impose a limit on the growth of the hash table so check
@@ -225,6 +226,7 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
225 break; 226 break;
226 default: 227 default:
227 BUG(); 228 BUG();
229 ret = -EINVAL;
228 } 230 }
229 if (ret != 0) 231 if (ret != 0)
230 goto out; 232 goto out;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index ff427733c290..5122affe06a8 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -44,7 +44,9 @@
44/* Policy capability filenames */ 44/* Policy capability filenames */
45static char *policycap_names[] = { 45static char *policycap_names[] = {
46 "network_peer_controls", 46 "network_peer_controls",
47 "open_perms" 47 "open_perms",
48 "redhat1",
49 "always_check_network"
48}; 50};
49 51
50unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 52unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index 30f119b1d1ec..820313a04d49 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -213,7 +213,12 @@ netlbl_import_failure:
213} 213}
214#endif /* CONFIG_NETLABEL */ 214#endif /* CONFIG_NETLABEL */
215 215
216int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2) 216/*
217 * Check to see if all the bits set in e2 are also set in e1. Optionally,
218 * if last_e2bit is non-zero, the highest set bit in e2 cannot exceed
219 * last_e2bit.
220 */
221int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit)
217{ 222{
218 struct ebitmap_node *n1, *n2; 223 struct ebitmap_node *n1, *n2;
219 int i; 224 int i;
@@ -223,14 +228,25 @@ int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2)
223 228
224 n1 = e1->node; 229 n1 = e1->node;
225 n2 = e2->node; 230 n2 = e2->node;
231
226 while (n1 && n2 && (n1->startbit <= n2->startbit)) { 232 while (n1 && n2 && (n1->startbit <= n2->startbit)) {
227 if (n1->startbit < n2->startbit) { 233 if (n1->startbit < n2->startbit) {
228 n1 = n1->next; 234 n1 = n1->next;
229 continue; 235 continue;
230 } 236 }
231 for (i = 0; i < EBITMAP_UNIT_NUMS; i++) { 237 for (i = EBITMAP_UNIT_NUMS - 1; (i >= 0) && !n2->maps[i]; )
238 i--; /* Skip trailing NULL map entries */
239 if (last_e2bit && (i >= 0)) {
240 u32 lastsetbit = n2->startbit + i * EBITMAP_UNIT_SIZE +
241 __fls(n2->maps[i]);
242 if (lastsetbit > last_e2bit)
243 return 0;
244 }
245
246 while (i >= 0) {
232 if ((n1->maps[i] & n2->maps[i]) != n2->maps[i]) 247 if ((n1->maps[i] & n2->maps[i]) != n2->maps[i])
233 return 0; 248 return 0;
249 i--;
234 } 250 }
235 251
236 n1 = n1->next; 252 n1 = n1->next;
diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
index 922f8afa89dd..712c8a7b8e8b 100644
--- a/security/selinux/ss/ebitmap.h
+++ b/security/selinux/ss/ebitmap.h
@@ -16,7 +16,13 @@
16 16
17#include <net/netlabel.h> 17#include <net/netlabel.h>
18 18
19#define EBITMAP_UNIT_NUMS ((32 - sizeof(void *) - sizeof(u32)) \ 19#ifdef CONFIG_64BIT
20#define EBITMAP_NODE_SIZE 64
21#else
22#define EBITMAP_NODE_SIZE 32
23#endif
24
25#define EBITMAP_UNIT_NUMS ((EBITMAP_NODE_SIZE-sizeof(void *)-sizeof(u32))\
20 / sizeof(unsigned long)) 26 / sizeof(unsigned long))
21#define EBITMAP_UNIT_SIZE BITS_PER_LONG 27#define EBITMAP_UNIT_SIZE BITS_PER_LONG
22#define EBITMAP_SIZE (EBITMAP_UNIT_NUMS * EBITMAP_UNIT_SIZE) 28#define EBITMAP_SIZE (EBITMAP_UNIT_NUMS * EBITMAP_UNIT_SIZE)
@@ -117,7 +123,7 @@ static inline void ebitmap_node_clr_bit(struct ebitmap_node *n,
117 123
118int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2); 124int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2);
119int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src); 125int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src);
120int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2); 126int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit);
121int ebitmap_get_bit(struct ebitmap *e, unsigned long bit); 127int ebitmap_get_bit(struct ebitmap *e, unsigned long bit);
122int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value); 128int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value);
123void ebitmap_destroy(struct ebitmap *e); 129void ebitmap_destroy(struct ebitmap *e);
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 40de8d3f208e..c85bc1ec040c 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -160,8 +160,6 @@ void mls_sid_to_context(struct context *context,
160int mls_level_isvalid(struct policydb *p, struct mls_level *l) 160int mls_level_isvalid(struct policydb *p, struct mls_level *l)
161{ 161{
162 struct level_datum *levdatum; 162 struct level_datum *levdatum;
163 struct ebitmap_node *node;
164 int i;
165 163
166 if (!l->sens || l->sens > p->p_levels.nprim) 164 if (!l->sens || l->sens > p->p_levels.nprim)
167 return 0; 165 return 0;
@@ -170,19 +168,13 @@ int mls_level_isvalid(struct policydb *p, struct mls_level *l)
170 if (!levdatum) 168 if (!levdatum)
171 return 0; 169 return 0;
172 170
173 ebitmap_for_each_positive_bit(&l->cat, node, i) { 171 /*
174 if (i > p->p_cats.nprim) 172 * Return 1 iff all the bits set in l->cat are also be set in
175 return 0; 173 * levdatum->level->cat and no bit in l->cat is larger than
176 if (!ebitmap_get_bit(&levdatum->level->cat, i)) { 174 * p->p_cats.nprim.
177 /* 175 */
178 * Category may not be associated with 176 return ebitmap_contains(&levdatum->level->cat, &l->cat,
179 * sensitivity. 177 p->p_cats.nprim);
180 */
181 return 0;
182 }
183 }
184
185 return 1;
186} 178}
187 179
188int mls_range_isvalid(struct policydb *p, struct mls_range *r) 180int mls_range_isvalid(struct policydb *p, struct mls_range *r)
diff --git a/security/selinux/ss/mls_types.h b/security/selinux/ss/mls_types.h
index 03bed52a8052..e93648774137 100644
--- a/security/selinux/ss/mls_types.h
+++ b/security/selinux/ss/mls_types.h
@@ -35,7 +35,7 @@ static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
35static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2) 35static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
36{ 36{
37 return ((l1->sens >= l2->sens) && 37 return ((l1->sens >= l2->sens) &&
38 ebitmap_contains(&l1->cat, &l2->cat)); 38 ebitmap_contains(&l1->cat, &l2->cat, 0));
39} 39}
40 40
41#define mls_level_incomp(l1, l2) \ 41#define mls_level_incomp(l1, l2) \
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index c8adde3aff8f..f6195ebde3c9 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -3203,9 +3203,8 @@ static int range_write_helper(void *key, void *data, void *ptr)
3203 3203
3204static int range_write(struct policydb *p, void *fp) 3204static int range_write(struct policydb *p, void *fp)
3205{ 3205{
3206 size_t nel;
3207 __le32 buf[1]; 3206 __le32 buf[1];
3208 int rc; 3207 int rc, nel;
3209 struct policy_data pd; 3208 struct policy_data pd;
3210 3209
3211 pd.p = p; 3210 pd.p = p;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b4feecc3fe01..ee470a0b5c27 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -72,6 +72,7 @@
72 72
73int selinux_policycap_netpeer; 73int selinux_policycap_netpeer;
74int selinux_policycap_openperm; 74int selinux_policycap_openperm;
75int selinux_policycap_alwaysnetwork;
75 76
76static DEFINE_RWLOCK(policy_rwlock); 77static DEFINE_RWLOCK(policy_rwlock);
77 78
@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void)
1812 POLICYDB_CAPABILITY_NETPEER); 1813 POLICYDB_CAPABILITY_NETPEER);
1813 selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps, 1814 selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
1814 POLICYDB_CAPABILITY_OPENPERM); 1815 POLICYDB_CAPABILITY_OPENPERM);
1816 selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
1817 POLICYDB_CAPABILITY_ALWAYSNETWORK);
1815} 1818}
1816 1819
1817static int security_preserve_bools(struct policydb *p); 1820static int security_preserve_bools(struct policydb *p);
@@ -2323,43 +2326,74 @@ out:
2323 2326
2324/** 2327/**
2325 * security_fs_use - Determine how to handle labeling for a filesystem. 2328 * security_fs_use - Determine how to handle labeling for a filesystem.
2326 * @fstype: filesystem type 2329 * @sb: superblock in question
2327 * @behavior: labeling behavior
2328 * @sid: SID for filesystem (superblock)
2329 */ 2330 */
2330int security_fs_use( 2331int security_fs_use(struct super_block *sb)
2331 const char *fstype,
2332 unsigned int *behavior,
2333 u32 *sid)
2334{ 2332{
2335 int rc = 0; 2333 int rc = 0;
2336 struct ocontext *c; 2334 struct ocontext *c;
2335 struct superblock_security_struct *sbsec = sb->s_security;
2336 const char *fstype = sb->s_type->name;
2337 const char *subtype = (sb->s_subtype && sb->s_subtype[0]) ? sb->s_subtype : NULL;
2338 struct ocontext *base = NULL;
2337 2339
2338 read_lock(&policy_rwlock); 2340 read_lock(&policy_rwlock);
2339 2341
2340 c = policydb.ocontexts[OCON_FSUSE]; 2342 for (c = policydb.ocontexts[OCON_FSUSE]; c; c = c->next) {
2341 while (c) { 2343 char *sub;
2342 if (strcmp(fstype, c->u.name) == 0) 2344 int baselen;
2345
2346 baselen = strlen(fstype);
2347
2348 /* if base does not match, this is not the one */
2349 if (strncmp(fstype, c->u.name, baselen))
2350 continue;
2351
2352 /* if there is no subtype, this is the one! */
2353 if (!subtype)
2354 break;
2355
2356 /* skip past the base in this entry */
2357 sub = c->u.name + baselen;
2358
2359 /* entry is only a base. save it. keep looking for subtype */
2360 if (sub[0] == '\0') {
2361 base = c;
2362 continue;
2363 }
2364
2365 /* entry is not followed by a subtype, so it is not a match */
2366 if (sub[0] != '.')
2367 continue;
2368
2369 /* whew, we found a subtype of this fstype */
2370 sub++; /* move past '.' */
2371
2372 /* exact match of fstype AND subtype */
2373 if (!strcmp(subtype, sub))
2343 break; 2374 break;
2344 c = c->next;
2345 } 2375 }
2346 2376
2377 /* in case we had found an fstype match but no subtype match */
2378 if (!c)
2379 c = base;
2380
2347 if (c) { 2381 if (c) {
2348 *behavior = c->v.behavior; 2382 sbsec->behavior = c->v.behavior;
2349 if (!c->sid[0]) { 2383 if (!c->sid[0]) {
2350 rc = sidtab_context_to_sid(&sidtab, &c->context[0], 2384 rc = sidtab_context_to_sid(&sidtab, &c->context[0],
2351 &c->sid[0]); 2385 &c->sid[0]);
2352 if (rc) 2386 if (rc)
2353 goto out; 2387 goto out;
2354 } 2388 }
2355 *sid = c->sid[0]; 2389 sbsec->sid = c->sid[0];
2356 } else { 2390 } else {
2357 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); 2391 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, &sbsec->sid);
2358 if (rc) { 2392 if (rc) {
2359 *behavior = SECURITY_FS_USE_NONE; 2393 sbsec->behavior = SECURITY_FS_USE_NONE;
2360 rc = 0; 2394 rc = 0;
2361 } else { 2395 } else {
2362 *behavior = SECURITY_FS_USE_GENFS; 2396 sbsec->behavior = SECURITY_FS_USE_GENFS;
2363 } 2397 }
2364 } 2398 }
2365 2399
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index d03081886214..a91d205ec0c6 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -56,7 +56,7 @@
56atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0); 56atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0);
57 57
58/* 58/*
59 * Returns true if an LSM/SELinux context 59 * Returns true if the context is an LSM/SELinux context.
60 */ 60 */
61static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) 61static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
62{ 62{
@@ -66,7 +66,7 @@ static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
66} 66}
67 67
68/* 68/*
69 * Returns true if the xfrm contains a security blob for SELinux 69 * Returns true if the xfrm contains a security blob for SELinux.
70 */ 70 */
71static inline int selinux_authorizable_xfrm(struct xfrm_state *x) 71static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
72{ 72{
@@ -74,48 +74,111 @@ static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
74} 74}
75 75
76/* 76/*
77 * LSM hook implementation that authorizes that a flow can use 77 * Allocates a xfrm_sec_state and populates it using the supplied security
78 * a xfrm policy rule. 78 * xfrm_user_sec_ctx context.
79 */ 79 */
80int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) 80static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
81 struct xfrm_user_sec_ctx *uctx)
81{ 82{
82 int rc; 83 int rc;
83 u32 sel_sid; 84 const struct task_security_struct *tsec = current_security();
85 struct xfrm_sec_ctx *ctx = NULL;
86 u32 str_len;
84 87
85 /* Context sid is either set to label or ANY_ASSOC */ 88 if (ctxp == NULL || uctx == NULL ||
86 if (ctx) { 89 uctx->ctx_doi != XFRM_SC_DOI_LSM ||
87 if (!selinux_authorizable_ctx(ctx)) 90 uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
88 return -EINVAL; 91 return -EINVAL;
89
90 sel_sid = ctx->ctx_sid;
91 } else
92 /*
93 * All flows should be treated as polmatch'ing an
94 * otherwise applicable "non-labeled" policy. This
95 * would prevent inadvertent "leaks".
96 */
97 return 0;
98 92
99 rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION, 93 str_len = uctx->ctx_len;
100 ASSOCIATION__POLMATCH, 94 if (str_len >= PAGE_SIZE)
101 NULL); 95 return -ENOMEM;
102 96
103 if (rc == -EACCES) 97 ctx = kmalloc(sizeof(*ctx) + str_len + 1, GFP_KERNEL);
104 return -ESRCH; 98 if (!ctx)
99 return -ENOMEM;
105 100
101 ctx->ctx_doi = XFRM_SC_DOI_LSM;
102 ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
103 ctx->ctx_len = str_len;
104 memcpy(ctx->ctx_str, &uctx[1], str_len);
105 ctx->ctx_str[str_len] = '\0';
106 rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid);
107 if (rc)
108 goto err;
109
110 rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
111 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
112 if (rc)
113 goto err;
114
115 *ctxp = ctx;
116 atomic_inc(&selinux_xfrm_refcount);
117 return 0;
118
119err:
120 kfree(ctx);
106 return rc; 121 return rc;
107} 122}
108 123
109/* 124/*
125 * Free the xfrm_sec_ctx structure.
126 */
127static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
128{
129 if (!ctx)
130 return;
131
132 atomic_dec(&selinux_xfrm_refcount);
133 kfree(ctx);
134}
135
136/*
137 * Authorize the deletion of a labeled SA or policy rule.
138 */
139static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
140{
141 const struct task_security_struct *tsec = current_security();
142
143 if (!ctx)
144 return 0;
145
146 return avc_has_perm(tsec->sid, ctx->ctx_sid,
147 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
148 NULL);
149}
150
151/*
152 * LSM hook implementation that authorizes that a flow can use a xfrm policy
153 * rule.
154 */
155int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
156{
157 int rc;
158
159 /* All flows should be treated as polmatch'ing an otherwise applicable
160 * "non-labeled" policy. This would prevent inadvertent "leaks". */
161 if (!ctx)
162 return 0;
163
164 /* Context sid is either set to label or ANY_ASSOC */
165 if (!selinux_authorizable_ctx(ctx))
166 return -EINVAL;
167
168 rc = avc_has_perm(fl_secid, ctx->ctx_sid,
169 SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
170 return (rc == -EACCES ? -ESRCH : rc);
171}
172
173/*
110 * LSM hook implementation that authorizes that a state matches 174 * LSM hook implementation that authorizes that a state matches
111 * the given policy, flow combo. 175 * the given policy, flow combo.
112 */ 176 */
113 177int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
114int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, 178 struct xfrm_policy *xp,
115 const struct flowi *fl) 179 const struct flowi *fl)
116{ 180{
117 u32 state_sid; 181 u32 state_sid;
118 int rc;
119 182
120 if (!xp->security) 183 if (!xp->security)
121 if (x->security) 184 if (x->security)
@@ -138,187 +201,80 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
138 if (fl->flowi_secid != state_sid) 201 if (fl->flowi_secid != state_sid)
139 return 0; 202 return 0;
140 203
141 rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION, 204 /* We don't need a separate SA Vs. policy polmatch check since the SA
142 ASSOCIATION__SENDTO, 205 * is now of the same label as the flow and a flow Vs. policy polmatch
143 NULL)? 0:1; 206 * check had already happened in selinux_xfrm_policy_lookup() above. */
144 207 return (avc_has_perm(fl->flowi_secid, state_sid,
145 /* 208 SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
146 * We don't need a separate SA Vs. policy polmatch check 209 NULL) ? 0 : 1);
147 * since the SA is now of the same label as the flow and
148 * a flow Vs. policy polmatch check had already happened
149 * in selinux_xfrm_policy_lookup() above.
150 */
151
152 return rc;
153} 210}
154 211
155/* 212/*
156 * LSM hook implementation that checks and/or returns the xfrm sid for the 213 * LSM hook implementation that checks and/or returns the xfrm sid for the
157 * incoming packet. 214 * incoming packet.
158 */ 215 */
159
160int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) 216int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
161{ 217{
218 u32 sid_session = SECSID_NULL;
162 struct sec_path *sp; 219 struct sec_path *sp;
163 220
164 *sid = SECSID_NULL;
165
166 if (skb == NULL) 221 if (skb == NULL)
167 return 0; 222 goto out;
168 223
169 sp = skb->sp; 224 sp = skb->sp;
170 if (sp) { 225 if (sp) {
171 int i, sid_set = 0; 226 int i;
172 227
173 for (i = sp->len-1; i >= 0; i--) { 228 for (i = sp->len - 1; i >= 0; i--) {
174 struct xfrm_state *x = sp->xvec[i]; 229 struct xfrm_state *x = sp->xvec[i];
175 if (selinux_authorizable_xfrm(x)) { 230 if (selinux_authorizable_xfrm(x)) {
176 struct xfrm_sec_ctx *ctx = x->security; 231 struct xfrm_sec_ctx *ctx = x->security;
177 232
178 if (!sid_set) { 233 if (sid_session == SECSID_NULL) {
179 *sid = ctx->ctx_sid; 234 sid_session = ctx->ctx_sid;
180 sid_set = 1;
181
182 if (!ckall) 235 if (!ckall)
183 break; 236 goto out;
184 } else if (*sid != ctx->ctx_sid) 237 } else if (sid_session != ctx->ctx_sid) {
238 *sid = SECSID_NULL;
185 return -EINVAL; 239 return -EINVAL;
240 }
186 } 241 }
187 } 242 }
188 } 243 }
189 244
190 return 0;
191}
192
193/*
194 * Security blob allocation for xfrm_policy and xfrm_state
195 * CTX does not have a meaningful value on input
196 */
197static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
198 struct xfrm_user_sec_ctx *uctx, u32 sid)
199{
200 int rc = 0;
201 const struct task_security_struct *tsec = current_security();
202 struct xfrm_sec_ctx *ctx = NULL;
203 char *ctx_str = NULL;
204 u32 str_len;
205
206 BUG_ON(uctx && sid);
207
208 if (!uctx)
209 goto not_from_user;
210
211 if (uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
212 return -EINVAL;
213
214 str_len = uctx->ctx_len;
215 if (str_len >= PAGE_SIZE)
216 return -ENOMEM;
217
218 *ctxp = ctx = kmalloc(sizeof(*ctx) +
219 str_len + 1,
220 GFP_KERNEL);
221
222 if (!ctx)
223 return -ENOMEM;
224
225 ctx->ctx_doi = uctx->ctx_doi;
226 ctx->ctx_len = str_len;
227 ctx->ctx_alg = uctx->ctx_alg;
228
229 memcpy(ctx->ctx_str,
230 uctx+1,
231 str_len);
232 ctx->ctx_str[str_len] = 0;
233 rc = security_context_to_sid(ctx->ctx_str,
234 str_len,
235 &ctx->ctx_sid);
236
237 if (rc)
238 goto out;
239
240 /*
241 * Does the subject have permission to set security context?
242 */
243 rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
244 SECCLASS_ASSOCIATION,
245 ASSOCIATION__SETCONTEXT, NULL);
246 if (rc)
247 goto out;
248
249 return rc;
250
251not_from_user:
252 rc = security_sid_to_context(sid, &ctx_str, &str_len);
253 if (rc)
254 goto out;
255
256 *ctxp = ctx = kmalloc(sizeof(*ctx) +
257 str_len,
258 GFP_ATOMIC);
259
260 if (!ctx) {
261 rc = -ENOMEM;
262 goto out;
263 }
264
265 ctx->ctx_doi = XFRM_SC_DOI_LSM;
266 ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
267 ctx->ctx_sid = sid;
268 ctx->ctx_len = str_len;
269 memcpy(ctx->ctx_str,
270 ctx_str,
271 str_len);
272
273 goto out2;
274
275out: 245out:
276 *ctxp = NULL; 246 *sid = sid_session;
277 kfree(ctx); 247 return 0;
278out2:
279 kfree(ctx_str);
280 return rc;
281} 248}
282 249
283/* 250/*
284 * LSM hook implementation that allocs and transfers uctx spec to 251 * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy.
285 * xfrm_policy.
286 */ 252 */
287int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, 253int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
288 struct xfrm_user_sec_ctx *uctx) 254 struct xfrm_user_sec_ctx *uctx)
289{ 255{
290 int err; 256 return selinux_xfrm_alloc_user(ctxp, uctx);
291
292 BUG_ON(!uctx);
293
294 err = selinux_xfrm_sec_ctx_alloc(ctxp, uctx, 0);
295 if (err == 0)
296 atomic_inc(&selinux_xfrm_refcount);
297
298 return err;
299} 257}
300 258
301
302/* 259/*
303 * LSM hook implementation that copies security data structure from old to 260 * LSM hook implementation that copies security data structure from old to new
304 * new for policy cloning. 261 * for policy cloning.
305 */ 262 */
306int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, 263int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
307 struct xfrm_sec_ctx **new_ctxp) 264 struct xfrm_sec_ctx **new_ctxp)
308{ 265{
309 struct xfrm_sec_ctx *new_ctx; 266 struct xfrm_sec_ctx *new_ctx;
310 267
311 if (old_ctx) { 268 if (!old_ctx)
312 new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, 269 return 0;
313 GFP_ATOMIC); 270
314 if (!new_ctx) 271 new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len,
315 return -ENOMEM; 272 GFP_ATOMIC);
273 if (!new_ctx)
274 return -ENOMEM;
275 atomic_inc(&selinux_xfrm_refcount);
276 *new_ctxp = new_ctx;
316 277
317 memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
318 memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
319 atomic_inc(&selinux_xfrm_refcount);
320 *new_ctxp = new_ctx;
321 }
322 return 0; 278 return 0;
323} 279}
324 280
@@ -327,8 +283,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
327 */ 283 */
328void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) 284void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
329{ 285{
330 atomic_dec(&selinux_xfrm_refcount); 286 selinux_xfrm_free(ctx);
331 kfree(ctx);
332} 287}
333 288
334/* 289/*
@@ -336,31 +291,55 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
336 */ 291 */
337int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) 292int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
338{ 293{
339 const struct task_security_struct *tsec = current_security(); 294 return selinux_xfrm_delete(ctx);
340 295}
341 if (!ctx)
342 return 0;
343 296
344 return avc_has_perm(tsec->sid, ctx->ctx_sid, 297/*
345 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, 298 * LSM hook implementation that allocates a xfrm_sec_state, populates it using
346 NULL); 299 * the supplied security context, and assigns it to the xfrm_state.
300 */
301int selinux_xfrm_state_alloc(struct xfrm_state *x,
302 struct xfrm_user_sec_ctx *uctx)
303{
304 return selinux_xfrm_alloc_user(&x->security, uctx);
347} 305}
348 306
349/* 307/*
350 * LSM hook implementation that allocs and transfers sec_ctx spec to 308 * LSM hook implementation that allocates a xfrm_sec_state and populates based
351 * xfrm_state. 309 * on a secid.
352 */ 310 */
353int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx, 311int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
354 u32 secid) 312 struct xfrm_sec_ctx *polsec, u32 secid)
355{ 313{
356 int err; 314 int rc;
315 struct xfrm_sec_ctx *ctx;
316 char *ctx_str = NULL;
317 int str_len;
318
319 if (!polsec)
320 return 0;
357 321
358 BUG_ON(!x); 322 if (secid == 0)
323 return -EINVAL;
359 324
360 err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid); 325 rc = security_sid_to_context(secid, &ctx_str, &str_len);
361 if (err == 0) 326 if (rc)
362 atomic_inc(&selinux_xfrm_refcount); 327 return rc;
363 return err; 328
329 ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC);
330 if (!ctx)
331 return -ENOMEM;
332
333 ctx->ctx_doi = XFRM_SC_DOI_LSM;
334 ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
335 ctx->ctx_sid = secid;
336 ctx->ctx_len = str_len;
337 memcpy(ctx->ctx_str, ctx_str, str_len);
338 kfree(ctx_str);
339
340 x->security = ctx;
341 atomic_inc(&selinux_xfrm_refcount);
342 return 0;
364} 343}
365 344
366/* 345/*
@@ -368,24 +347,15 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct
368 */ 347 */
369void selinux_xfrm_state_free(struct xfrm_state *x) 348void selinux_xfrm_state_free(struct xfrm_state *x)
370{ 349{
371 atomic_dec(&selinux_xfrm_refcount); 350 selinux_xfrm_free(x->security);
372 kfree(x->security);
373} 351}
374 352
375 /* 353/*
376 * LSM hook implementation that authorizes deletion of labeled SAs. 354 * LSM hook implementation that authorizes deletion of labeled SAs.
377 */ 355 */
378int selinux_xfrm_state_delete(struct xfrm_state *x) 356int selinux_xfrm_state_delete(struct xfrm_state *x)
379{ 357{
380 const struct task_security_struct *tsec = current_security(); 358 return selinux_xfrm_delete(x->security);
381 struct xfrm_sec_ctx *ctx = x->security;
382
383 if (!ctx)
384 return 0;
385
386 return avc_has_perm(tsec->sid, ctx->ctx_sid,
387 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
388 NULL);
389} 359}
390 360
391/* 361/*
@@ -395,14 +365,12 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
395 * we need to check for unlabelled access since this may not have 365 * we need to check for unlabelled access since this may not have
396 * gone thru the IPSec process. 366 * gone thru the IPSec process.
397 */ 367 */
398int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, 368int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
399 struct common_audit_data *ad) 369 struct common_audit_data *ad)
400{ 370{
401 int i, rc = 0; 371 int i;
402 struct sec_path *sp; 372 struct sec_path *sp = skb->sp;
403 u32 sel_sid = SECINITSID_UNLABELED; 373 u32 peer_sid = SECINITSID_UNLABELED;
404
405 sp = skb->sp;
406 374
407 if (sp) { 375 if (sp) {
408 for (i = 0; i < sp->len; i++) { 376 for (i = 0; i < sp->len; i++) {
@@ -410,23 +378,17 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
410 378
411 if (x && selinux_authorizable_xfrm(x)) { 379 if (x && selinux_authorizable_xfrm(x)) {
412 struct xfrm_sec_ctx *ctx = x->security; 380 struct xfrm_sec_ctx *ctx = x->security;
413 sel_sid = ctx->ctx_sid; 381 peer_sid = ctx->ctx_sid;
414 break; 382 break;
415 } 383 }
416 } 384 }
417 } 385 }
418 386
419 /* 387 /* This check even when there's no association involved is intended,
420 * This check even when there's no association involved is 388 * according to Trent Jaeger, to make sure a process can't engage in
421 * intended, according to Trent Jaeger, to make sure a 389 * non-IPsec communication unless explicitly allowed by policy. */
422 * process can't engage in non-ipsec communication unless 390 return avc_has_perm(sk_sid, peer_sid,
423 * explicitly allowed by policy. 391 SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
424 */
425
426 rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
427 ASSOCIATION__RECVFROM, ad);
428
429 return rc;
430} 392}
431 393
432/* 394/*
@@ -436,49 +398,38 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
436 * If we do have a authorizable security association, then it has already been 398 * If we do have a authorizable security association, then it has already been
437 * checked in the selinux_xfrm_state_pol_flow_match hook above. 399 * checked in the selinux_xfrm_state_pol_flow_match hook above.
438 */ 400 */
439int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 401int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
440 struct common_audit_data *ad, u8 proto) 402 struct common_audit_data *ad, u8 proto)
441{ 403{
442 struct dst_entry *dst; 404 struct dst_entry *dst;
443 int rc = 0;
444
445 dst = skb_dst(skb);
446
447 if (dst) {
448 struct dst_entry *dst_test;
449
450 for (dst_test = dst; dst_test != NULL;
451 dst_test = dst_test->child) {
452 struct xfrm_state *x = dst_test->xfrm;
453
454 if (x && selinux_authorizable_xfrm(x))
455 goto out;
456 }
457 }
458 405
459 switch (proto) { 406 switch (proto) {
460 case IPPROTO_AH: 407 case IPPROTO_AH:
461 case IPPROTO_ESP: 408 case IPPROTO_ESP:
462 case IPPROTO_COMP: 409 case IPPROTO_COMP:
463 /* 410 /* We should have already seen this packet once before it
464 * We should have already seen this packet once before 411 * underwent xfrm(s). No need to subject it to the unlabeled
465 * it underwent xfrm(s). No need to subject it to the 412 * check. */
466 * unlabeled check. 413 return 0;
467 */
468 goto out;
469 default: 414 default:
470 break; 415 break;
471 } 416 }
472 417
473 /* 418 dst = skb_dst(skb);
474 * This check even when there's no association involved is 419 if (dst) {
475 * intended, according to Trent Jaeger, to make sure a 420 struct dst_entry *iter;
476 * process can't engage in non-ipsec communication unless
477 * explicitly allowed by policy.
478 */
479 421
480 rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, 422 for (iter = dst; iter != NULL; iter = iter->child) {
481 ASSOCIATION__SENDTO, ad); 423 struct xfrm_state *x = iter->xfrm;
482out: 424
483 return rc; 425 if (x && selinux_authorizable_xfrm(x))
426 return 0;
427 }
428 }
429
430 /* This check even when there's no association involved is intended,
431 * according to Trent Jaeger, to make sure a process can't engage in
432 * non-IPsec communication unless explicitly allowed by policy. */
433 return avc_has_perm(sk_sid, SECINITSID_UNLABELED,
434 SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
484} 435}
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 076b8e8a51ab..364cc64fce71 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -177,9 +177,13 @@ struct smk_port_label {
177#define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */ 177#define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */
178 178
179/* 179/*
180 * Flag for transmute access 180 * Flags for untraditional access modes.
181 * It shouldn't be necessary to avoid conflicts with definitions
182 * in fs.h, but do so anyway.
181 */ 183 */
182#define MAY_TRANSMUTE 64 184#define MAY_TRANSMUTE 0x00001000 /* Controls directory labeling */
185#define MAY_LOCK 0x00002000 /* Locks should be writes, but ... */
186
183/* 187/*
184 * Just to make the common cases easier to deal with 188 * Just to make the common cases easier to deal with
185 */ 189 */
@@ -188,9 +192,9 @@ struct smk_port_label {
188#define MAY_NOT 0 192#define MAY_NOT 0
189 193
190/* 194/*
191 * Number of access types used by Smack (rwxat) 195 * Number of access types used by Smack (rwxatl)
192 */ 196 */
193#define SMK_NUM_ACCESS_TYPE 5 197#define SMK_NUM_ACCESS_TYPE 6
194 198
195/* SMACK data */ 199/* SMACK data */
196struct smack_audit_data { 200struct smack_audit_data {
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index b3b59b1e93d6..14293cd9b1e5 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -84,6 +84,8 @@ int log_policy = SMACK_AUDIT_DENIED;
84 * 84 *
85 * Do the object check first because that is more 85 * Do the object check first because that is more
86 * likely to differ. 86 * likely to differ.
87 *
88 * Allowing write access implies allowing locking.
87 */ 89 */
88int smk_access_entry(char *subject_label, char *object_label, 90int smk_access_entry(char *subject_label, char *object_label,
89 struct list_head *rule_list) 91 struct list_head *rule_list)
@@ -99,6 +101,11 @@ int smk_access_entry(char *subject_label, char *object_label,
99 } 101 }
100 } 102 }
101 103
104 /*
105 * MAY_WRITE implies MAY_LOCK.
106 */
107 if ((may & MAY_WRITE) == MAY_WRITE)
108 may |= MAY_LOCK;
102 return may; 109 return may;
103} 110}
104 111
@@ -245,6 +252,7 @@ out_audit:
245static inline void smack_str_from_perm(char *string, int access) 252static inline void smack_str_from_perm(char *string, int access)
246{ 253{
247 int i = 0; 254 int i = 0;
255
248 if (access & MAY_READ) 256 if (access & MAY_READ)
249 string[i++] = 'r'; 257 string[i++] = 'r';
250 if (access & MAY_WRITE) 258 if (access & MAY_WRITE)
@@ -255,6 +263,8 @@ static inline void smack_str_from_perm(char *string, int access)
255 string[i++] = 'a'; 263 string[i++] = 'a';
256 if (access & MAY_TRANSMUTE) 264 if (access & MAY_TRANSMUTE)
257 string[i++] = 't'; 265 string[i++] = 't';
266 if (access & MAY_LOCK)
267 string[i++] = 'l';
258 string[i] = '\0'; 268 string[i] = '\0';
259} 269}
260/** 270/**
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 8825375cc031..b0be893ad44d 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -185,7 +185,7 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
186 smk_ad_setfield_u_tsk(&ad, ctp); 186 smk_ad_setfield_u_tsk(&ad, ctp);
187 187
188 rc = smk_curacc(skp->smk_known, MAY_READWRITE, &ad); 188 rc = smk_curacc(skp->smk_known, mode, &ad);
189 return rc; 189 return rc;
190} 190}
191 191
@@ -1146,7 +1146,7 @@ static int smack_file_ioctl(struct file *file, unsigned int cmd,
1146 * @file: the object 1146 * @file: the object
1147 * @cmd: unused 1147 * @cmd: unused
1148 * 1148 *
1149 * Returns 0 if current has write access, error code otherwise 1149 * Returns 0 if current has lock access, error code otherwise
1150 */ 1150 */
1151static int smack_file_lock(struct file *file, unsigned int cmd) 1151static int smack_file_lock(struct file *file, unsigned int cmd)
1152{ 1152{
@@ -1154,7 +1154,7 @@ static int smack_file_lock(struct file *file, unsigned int cmd)
1154 1154
1155 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1155 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1156 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1156 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1157 return smk_curacc(file->f_security, MAY_WRITE, &ad); 1157 return smk_curacc(file->f_security, MAY_LOCK, &ad);
1158} 1158}
1159 1159
1160/** 1160/**
@@ -1178,8 +1178,13 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
1178 1178
1179 switch (cmd) { 1179 switch (cmd) {
1180 case F_GETLK: 1180 case F_GETLK:
1181 break;
1181 case F_SETLK: 1182 case F_SETLK:
1182 case F_SETLKW: 1183 case F_SETLKW:
1184 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1185 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1186 rc = smk_curacc(file->f_security, MAY_LOCK, &ad);
1187 break;
1183 case F_SETOWN: 1188 case F_SETOWN:
1184 case F_SETSIG: 1189 case F_SETSIG:
1185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1190 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 80f4b4a45725..160aa08e3cd5 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -139,7 +139,7 @@ const char *smack_cipso_option = SMACK_CIPSO_OPTION;
139 * SMK_LOADLEN: Smack rule length 139 * SMK_LOADLEN: Smack rule length
140 */ 140 */
141#define SMK_OACCESS "rwxa" 141#define SMK_OACCESS "rwxa"
142#define SMK_ACCESS "rwxat" 142#define SMK_ACCESS "rwxatl"
143#define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1) 143#define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1)
144#define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1) 144#define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1)
145#define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN) 145#define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN)
@@ -282,6 +282,10 @@ static int smk_perm_from_str(const char *string)
282 case 'T': 282 case 'T':
283 perm |= MAY_TRANSMUTE; 283 perm |= MAY_TRANSMUTE;
284 break; 284 break;
285 case 'l':
286 case 'L':
287 perm |= MAY_LOCK;
288 break;
285 default: 289 default:
286 return perm; 290 return perm;
287 } 291 }
@@ -452,7 +456,7 @@ static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
452 /* 456 /*
453 * Minor hack for backward compatibility 457 * Minor hack for backward compatibility
454 */ 458 */
455 if (count != SMK_OLOADLEN && count != SMK_LOADLEN) 459 if (count < SMK_OLOADLEN || count > SMK_LOADLEN)
456 return -EINVAL; 460 return -EINVAL;
457 } else { 461 } else {
458 if (count >= PAGE_SIZE) { 462 if (count >= PAGE_SIZE) {
@@ -592,6 +596,8 @@ static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
592 seq_putc(s, 'a'); 596 seq_putc(s, 'a');
593 if (srp->smk_access & MAY_TRANSMUTE) 597 if (srp->smk_access & MAY_TRANSMUTE)
594 seq_putc(s, 't'); 598 seq_putc(s, 't');
599 if (srp->smk_access & MAY_LOCK)
600 seq_putc(s, 'l');
595 601
596 seq_putc(s, '\n'); 602 seq_putc(s, '\n');
597} 603}
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-25 13:11:46 -0500