aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/capability.c15
-rw-r--r--security/integrity/digsig.c7
-rw-r--r--security/integrity/digsig_asymmetric.c11
-rw-r--r--security/integrity/evm/evm_main.c4
-rw-r--r--security/integrity/evm/evm_posix_acl.c3
-rw-r--r--security/integrity/iint.c2
-rw-r--r--security/integrity/ima/Kconfig61
-rw-r--r--security/integrity/ima/Makefile2
-rw-r--r--security/integrity/ima/ima.h95
-rw-r--r--security/integrity/ima/ima_api.c128
-rw-r--r--security/integrity/ima/ima_appraise.c106
-rw-r--r--security/integrity/ima/ima_crypto.c134
-rw-r--r--security/integrity/ima/ima_fs.c67
-rw-r--r--security/integrity/ima/ima_init.c37
-rw-r--r--security/integrity/ima/ima_main.c60
-rw-r--r--security/integrity/ima/ima_policy.c1
-rw-r--r--security/integrity/ima/ima_queue.c10
-rw-r--r--security/integrity/ima/ima_template.c175
-rw-r--r--security/integrity/ima/ima_template_lib.c313
-rw-r--r--security/integrity/ima/ima_template_lib.h39
-rw-r--r--security/integrity/integrity.h40
-rw-r--r--security/keys/Kconfig29
-rw-r--r--security/keys/Makefile2
-rw-r--r--security/keys/big_key.c204
-rw-r--r--security/keys/compat.c3
-rw-r--r--security/keys/gc.c33
-rw-r--r--security/keys/internal.h74
-rw-r--r--security/keys/key.c99
-rw-r--r--security/keys/keyctl.c3
-rw-r--r--security/keys/keyring.c1485
-rw-r--r--security/keys/persistent.c169
-rw-r--r--security/keys/proc.c17
-rw-r--r--security/keys/process_keys.c141
-rw-r--r--security/keys/request_key.c56
-rw-r--r--security/keys/request_key_auth.c31
-rw-r--r--security/keys/sysctl.c11
-rw-r--r--security/keys/user_defined.c18
-rw-r--r--security/security.c13
-rw-r--r--security/selinux/hooks.c146
-rw-r--r--security/selinux/include/objsec.h4
-rw-r--r--security/selinux/include/security.h13
-rw-r--r--security/selinux/include/xfrm.h45
-rw-r--r--security/selinux/netlabel.c6
-rw-r--r--security/selinux/netnode.c2
-rw-r--r--security/selinux/selinuxfs.c4
-rw-r--r--security/selinux/ss/ebitmap.c20
-rw-r--r--security/selinux/ss/ebitmap.h10
-rw-r--r--security/selinux/ss/mls.c22
-rw-r--r--security/selinux/ss/mls_types.h2
-rw-r--r--security/selinux/ss/policydb.c3
-rw-r--r--security/selinux/ss/services.c66
-rw-r--r--security/selinux/xfrm.c453
52 files changed, 2996 insertions, 1498 deletions
diff --git a/security/capability.c b/security/capability.c
index dbeb9bc27b24..8b4f24ae4338 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -777,9 +777,15 @@ static int cap_xfrm_policy_delete_security(struct xfrm_sec_ctx *ctx)
777 return 0; 777 return 0;
778} 778}
779 779
780static int cap_xfrm_state_alloc_security(struct xfrm_state *x, 780static int cap_xfrm_state_alloc(struct xfrm_state *x,
781 struct xfrm_user_sec_ctx *sec_ctx, 781 struct xfrm_user_sec_ctx *sec_ctx)
782 u32 secid) 782{
783 return 0;
784}
785
786static int cap_xfrm_state_alloc_acquire(struct xfrm_state *x,
787 struct xfrm_sec_ctx *polsec,
788 u32 secid)
783{ 789{
784 return 0; 790 return 0;
785} 791}
@@ -1101,7 +1107,8 @@ void __init security_fixup_ops(struct security_operations *ops)
1101 set_to_cap_if_null(ops, xfrm_policy_clone_security); 1107 set_to_cap_if_null(ops, xfrm_policy_clone_security);
1102 set_to_cap_if_null(ops, xfrm_policy_free_security); 1108 set_to_cap_if_null(ops, xfrm_policy_free_security);
1103 set_to_cap_if_null(ops, xfrm_policy_delete_security); 1109 set_to_cap_if_null(ops, xfrm_policy_delete_security);
1104 set_to_cap_if_null(ops, xfrm_state_alloc_security); 1110 set_to_cap_if_null(ops, xfrm_state_alloc);
1111 set_to_cap_if_null(ops, xfrm_state_alloc_acquire);
1105 set_to_cap_if_null(ops, xfrm_state_free_security); 1112 set_to_cap_if_null(ops, xfrm_state_free_security);
1106 set_to_cap_if_null(ops, xfrm_state_delete_security); 1113 set_to_cap_if_null(ops, xfrm_state_delete_security);
1107 set_to_cap_if_null(ops, xfrm_policy_lookup); 1114 set_to_cap_if_null(ops, xfrm_policy_lookup);
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 0b759e17a131..b4af4ebc5be2 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -28,7 +28,7 @@ static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
28}; 28};
29 29
30int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, 30int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
31 const char *digest, int digestlen) 31 const char *digest, int digestlen)
32{ 32{
33 if (id >= INTEGRITY_KEYRING_MAX) 33 if (id >= INTEGRITY_KEYRING_MAX)
34 return -EINVAL; 34 return -EINVAL;
@@ -44,9 +44,10 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
44 } 44 }
45 } 45 }
46 46
47 switch (sig[0]) { 47 switch (sig[1]) {
48 case 1: 48 case 1:
49 return digsig_verify(keyring[id], sig, siglen, 49 /* v1 API expect signature without xattr type */
50 return digsig_verify(keyring[id], sig + 1, siglen - 1,
50 digest, digestlen); 51 digest, digestlen);
51 case 2: 52 case 2:
52 return asymmetric_verify(keyring[id], sig, siglen, 53 return asymmetric_verify(keyring[id], sig, siglen,
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index b4754667659d..9eae4809006b 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -20,17 +20,6 @@
20#include "integrity.h" 20#include "integrity.h"
21 21
22/* 22/*
23 * signature format v2 - for using with asymmetric keys
24 */
25struct signature_v2_hdr {
26 uint8_t version; /* signature format version */
27 uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */
28 uint32_t keyid; /* IMA key identifier - not X509/PGP specific*/
29 uint16_t sig_size; /* signature size */
30 uint8_t sig[0]; /* signature payload */
31} __packed;
32
33/*
34 * Request an asymmetric key. 23 * Request an asymmetric key.
35 */ 24 */
36static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid) 25static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid)
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index af9b6852f4e1..336b3ddfe63f 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -123,7 +123,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
123 goto out; 123 goto out;
124 } 124 }
125 125
126 xattr_len = rc - 1; 126 xattr_len = rc;
127 127
128 /* check value type */ 128 /* check value type */
129 switch (xattr_data->type) { 129 switch (xattr_data->type) {
@@ -143,7 +143,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
143 if (rc) 143 if (rc)
144 break; 144 break;
145 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 145 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
146 xattr_data->digest, xattr_len, 146 (const char *)xattr_data, xattr_len,
147 calc.digest, sizeof(calc.digest)); 147 calc.digest, sizeof(calc.digest));
148 if (!rc) { 148 if (!rc) {
149 /* we probably want to replace rsa with hmac here */ 149 /* we probably want to replace rsa with hmac here */
diff --git a/security/integrity/evm/evm_posix_acl.c b/security/integrity/evm/evm_posix_acl.c
index b1753e98bf9a..46408b9e62e8 100644
--- a/security/integrity/evm/evm_posix_acl.c
+++ b/security/integrity/evm/evm_posix_acl.c
@@ -11,8 +11,9 @@
11 11
12#include <linux/module.h> 12#include <linux/module.h>
13#include <linux/xattr.h> 13#include <linux/xattr.h>
14#include <linux/evm.h>
14 15
15int posix_xattr_acl(char *xattr) 16int posix_xattr_acl(const char *xattr)
16{ 17{
17 int xattr_len = strlen(xattr); 18 int xattr_len = strlen(xattr);
18 19
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 74522dbd10a6..c49d3f14cbec 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -70,6 +70,8 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode)
70 70
71static void iint_free(struct integrity_iint_cache *iint) 71static void iint_free(struct integrity_iint_cache *iint)
72{ 72{
73 kfree(iint->ima_hash);
74 iint->ima_hash = NULL;
73 iint->version = 0; 75 iint->version = 0;
74 iint->flags = 0UL; 76 iint->flags = 0UL;
75 iint->ima_file_status = INTEGRITY_UNKNOWN; 77 iint->ima_file_status = INTEGRITY_UNKNOWN;
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 39196abaff0d..351a58ed56ab 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -9,6 +9,7 @@ config IMA
9 select CRYPTO_HMAC 9 select CRYPTO_HMAC
10 select CRYPTO_MD5 10 select CRYPTO_MD5
11 select CRYPTO_SHA1 11 select CRYPTO_SHA1
12 select CRYPTO_HASH_INFO
12 select TCG_TPM if HAS_IOMEM && !UML 13 select TCG_TPM if HAS_IOMEM && !UML
13 select TCG_TIS if TCG_TPM && X86 14 select TCG_TIS if TCG_TPM && X86
14 select TCG_IBMVTPM if TCG_TPM && PPC64 15 select TCG_IBMVTPM if TCG_TPM && PPC64
@@ -45,6 +46,66 @@ config IMA_LSM_RULES
45 help 46 help
46 Disabling this option will disregard LSM based policy rules. 47 Disabling this option will disregard LSM based policy rules.
47 48
49choice
50 prompt "Default template"
51 default IMA_NG_TEMPLATE
52 depends on IMA
53 help
54 Select the default IMA measurement template.
55
56 The original 'ima' measurement list template contains a
57 hash, defined as 20 bytes, and a null terminated pathname,
58 limited to 255 characters. The 'ima-ng' measurement list
59 template permits both larger hash digests and longer
60 pathnames.
61
62 config IMA_TEMPLATE
63 bool "ima"
64 config IMA_NG_TEMPLATE
65 bool "ima-ng (default)"
66endchoice
67
68config IMA_DEFAULT_TEMPLATE
69 string
70 depends on IMA
71 default "ima" if IMA_TEMPLATE
72 default "ima-ng" if IMA_NG_TEMPLATE
73
74choice
75 prompt "Default integrity hash algorithm"
76 default IMA_DEFAULT_HASH_SHA1
77 depends on IMA
78 help
79 Select the default hash algorithm used for the measurement
80 list, integrity appraisal and audit log. The compiled default
81 hash algorithm can be overwritten using the kernel command
82 line 'ima_hash=' option.
83
84 config IMA_DEFAULT_HASH_SHA1
85 bool "SHA1 (default)"
86 depends on CRYPTO_SHA1
87
88 config IMA_DEFAULT_HASH_SHA256
89 bool "SHA256"
90 depends on CRYPTO_SHA256 && !IMA_TEMPLATE
91
92 config IMA_DEFAULT_HASH_SHA512
93 bool "SHA512"
94 depends on CRYPTO_SHA512 && !IMA_TEMPLATE
95
96 config IMA_DEFAULT_HASH_WP512
97 bool "WP512"
98 depends on CRYPTO_WP512 && !IMA_TEMPLATE
99endchoice
100
101config IMA_DEFAULT_HASH
102 string
103 depends on IMA
104 default "sha1" if IMA_DEFAULT_HASH_SHA1
105 default "sha256" if IMA_DEFAULT_HASH_SHA256
106 default "sha512" if IMA_DEFAULT_HASH_SHA512
107 default "wp512" if IMA_DEFAULT_HASH_WP512
108
48config IMA_APPRAISE 109config IMA_APPRAISE
49 bool "Appraise integrity measurements" 110 bool "Appraise integrity measurements"
50 depends on IMA 111 depends on IMA
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index 56dfee7cbf61..d79263d2fdbf 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -6,5 +6,5 @@
6obj-$(CONFIG_IMA) += ima.o 6obj-$(CONFIG_IMA) += ima.o
7 7
8ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \ 8ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
9 ima_policy.o 9 ima_policy.o ima_template.o ima_template_lib.o
10ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o 10ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index b3dd616560f7..72d013e190b1 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -36,23 +36,47 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
36#define IMA_HASH_BITS 9 36#define IMA_HASH_BITS 9
37#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS) 37#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)
38 38
39#define IMA_TEMPLATE_FIELD_ID_MAX_LEN 16
40#define IMA_TEMPLATE_NUM_FIELDS_MAX 15
41
42#define IMA_TEMPLATE_IMA_NAME "ima"
43#define IMA_TEMPLATE_IMA_FMT "d|n"
44
39/* set during initialization */ 45/* set during initialization */
40extern int ima_initialized; 46extern int ima_initialized;
41extern int ima_used_chip; 47extern int ima_used_chip;
42extern char *ima_hash; 48extern int ima_hash_algo;
43extern int ima_appraise; 49extern int ima_appraise;
44 50
45/* IMA inode template definition */ 51/* IMA template field data definition */
46struct ima_template_data { 52struct ima_field_data {
47 u8 digest[IMA_DIGEST_SIZE]; /* sha1/md5 measurement hash */ 53 u8 *data;
48 char file_name[IMA_EVENT_NAME_LEN_MAX + 1]; /* name + \0 */ 54 u32 len;
55};
56
57/* IMA template field definition */
58struct ima_template_field {
59 const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
60 int (*field_init) (struct integrity_iint_cache *iint, struct file *file,
61 const unsigned char *filename,
62 struct ima_field_data *field_data);
63 void (*field_show) (struct seq_file *m, enum ima_show_type show,
64 struct ima_field_data *field_data);
65};
66
67/* IMA template descriptor definition */
68struct ima_template_desc {
69 char *name;
70 char *fmt;
71 int num_fields;
72 struct ima_template_field **fields;
49}; 73};
50 74
51struct ima_template_entry { 75struct ima_template_entry {
52 u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */ 76 u8 digest[TPM_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
53 const char *template_name; 77 struct ima_template_desc *template_desc; /* template descriptor */
54 int template_len; 78 u32 template_data_len;
55 struct ima_template_data template; 79 struct ima_field_data template_data[0]; /* template related data */
56}; 80};
57 81
58struct ima_queue_entry { 82struct ima_queue_entry {
@@ -69,13 +93,21 @@ int ima_fs_init(void);
69void ima_fs_cleanup(void); 93void ima_fs_cleanup(void);
70int ima_inode_alloc(struct inode *inode); 94int ima_inode_alloc(struct inode *inode);
71int ima_add_template_entry(struct ima_template_entry *entry, int violation, 95int ima_add_template_entry(struct ima_template_entry *entry, int violation,
72 const char *op, struct inode *inode); 96 const char *op, struct inode *inode,
73int ima_calc_file_hash(struct file *file, char *digest); 97 const unsigned char *filename);
74int ima_calc_buffer_hash(const void *data, int len, char *digest); 98int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
75int ima_calc_boot_aggregate(char *digest); 99int ima_calc_field_array_hash(struct ima_field_data *field_data, int num_fields,
76void ima_add_violation(struct inode *inode, const unsigned char *filename, 100 struct ima_digest_data *hash);
101int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
102void ima_add_violation(struct file *file, const unsigned char *filename,
77 const char *op, const char *cause); 103 const char *op, const char *cause);
78int ima_init_crypto(void); 104int ima_init_crypto(void);
105void ima_putc(struct seq_file *m, void *data, int datalen);
106void ima_print_digest(struct seq_file *m, u8 *digest, int size);
107struct ima_template_desc *ima_template_desc_current(void);
108int ima_init_template(void);
109
110int ima_init_template(void);
79 111
80/* 112/*
81 * used to protect h_table and sha_table 113 * used to protect h_table and sha_table
@@ -98,14 +130,18 @@ static inline unsigned long ima_hash_key(u8 *digest)
98int ima_get_action(struct inode *inode, int mask, int function); 130int ima_get_action(struct inode *inode, int mask, int function);
99int ima_must_measure(struct inode *inode, int mask, int function); 131int ima_must_measure(struct inode *inode, int mask, int function);
100int ima_collect_measurement(struct integrity_iint_cache *iint, 132int ima_collect_measurement(struct integrity_iint_cache *iint,
101 struct file *file); 133 struct file *file,
134 struct evm_ima_xattr_data **xattr_value,
135 int *xattr_len);
102void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, 136void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
103 const unsigned char *filename); 137 const unsigned char *filename);
104void ima_audit_measurement(struct integrity_iint_cache *iint, 138void ima_audit_measurement(struct integrity_iint_cache *iint,
105 const unsigned char *filename); 139 const unsigned char *filename);
140int ima_alloc_init_template(struct integrity_iint_cache *iint,
141 struct file *file, const unsigned char *filename,
142 struct ima_template_entry **entry);
106int ima_store_template(struct ima_template_entry *entry, int violation, 143int ima_store_template(struct ima_template_entry *entry, int violation,
107 struct inode *inode); 144 struct inode *inode, const unsigned char *filename);
108void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show);
109const char *ima_d_path(struct path *path, char **pathbuf); 145const char *ima_d_path(struct path *path, char **pathbuf);
110 146
111/* rbtree tree calls to lookup, insert, delete 147/* rbtree tree calls to lookup, insert, delete
@@ -131,17 +167,25 @@ void ima_delete_rules(void);
131 167
132#ifdef CONFIG_IMA_APPRAISE 168#ifdef CONFIG_IMA_APPRAISE
133int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, 169int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
134 struct file *file, const unsigned char *filename); 170 struct file *file, const unsigned char *filename,
171 struct evm_ima_xattr_data *xattr_value,
172 int xattr_len);
135int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func); 173int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
136void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); 174void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
137enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, 175enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
138 int func); 176 int func);
177void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
178 struct ima_digest_data *hash);
179int ima_read_xattr(struct dentry *dentry,
180 struct evm_ima_xattr_data **xattr_value);
139 181
140#else 182#else
141static inline int ima_appraise_measurement(int func, 183static inline int ima_appraise_measurement(int func,
142 struct integrity_iint_cache *iint, 184 struct integrity_iint_cache *iint,
143 struct file *file, 185 struct file *file,
144 const unsigned char *filename) 186 const unsigned char *filename,
187 struct evm_ima_xattr_data *xattr_value,
188 int xattr_len)
145{ 189{
146 return INTEGRITY_UNKNOWN; 190 return INTEGRITY_UNKNOWN;
147} 191}
@@ -162,6 +206,19 @@ static inline enum integrity_status ima_get_cache_status(struct integrity_iint_c
162{ 206{
163 return INTEGRITY_UNKNOWN; 207 return INTEGRITY_UNKNOWN;
164} 208}
209
210static inline void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
211 int xattr_len,
212 struct ima_digest_data *hash)
213{
214}
215
216static inline int ima_read_xattr(struct dentry *dentry,
217 struct evm_ima_xattr_data **xattr_value)
218{
219 return 0;
220}
221
165#endif 222#endif
166 223
167/* LSM based policy rules require audit */ 224/* LSM based policy rules require audit */
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 1c03e8f1e0e1..5fcc80695d87 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -18,9 +18,44 @@
18#include <linux/fs.h> 18#include <linux/fs.h>
19#include <linux/xattr.h> 19#include <linux/xattr.h>
20#include <linux/evm.h> 20#include <linux/evm.h>
21#include <crypto/hash_info.h>
21#include "ima.h" 22#include "ima.h"
22 23
23static const char *IMA_TEMPLATE_NAME = "ima"; 24/*
25 * ima_alloc_init_template - create and initialize a new template entry
26 */
27int ima_alloc_init_template(struct integrity_iint_cache *iint,
28 struct file *file, const unsigned char *filename,
29 struct ima_template_entry **entry)
30{
31 struct ima_template_desc *template_desc = ima_template_desc_current();
32 int i, result = 0;
33
34 *entry = kzalloc(sizeof(**entry) + template_desc->num_fields *
35 sizeof(struct ima_field_data), GFP_NOFS);
36 if (!*entry)
37 return -ENOMEM;
38
39 for (i = 0; i < template_desc->num_fields; i++) {
40 struct ima_template_field *field = template_desc->fields[i];
41 u32 len;
42
43 result = field->field_init(iint, file, filename,
44 &((*entry)->template_data[i]));
45 if (result != 0)
46 goto out;
47
48 len = (*entry)->template_data[i].len;
49 (*entry)->template_data_len += sizeof(len);
50 (*entry)->template_data_len += len;
51 }
52 (*entry)->template_desc = template_desc;
53 return 0;
54out:
55 kfree(*entry);
56 *entry = NULL;
57 return result;
58}
24 59
25/* 60/*
26 * ima_store_template - store ima template measurements 61 * ima_store_template - store ima template measurements
@@ -39,28 +74,34 @@ static const char *IMA_TEMPLATE_NAME = "ima";
39 * Returns 0 on success, error code otherwise 74 * Returns 0 on success, error code otherwise
40 */ 75 */
41int ima_store_template(struct ima_template_entry *entry, 76int ima_store_template(struct ima_template_entry *entry,
42 int violation, struct inode *inode) 77 int violation, struct inode *inode,
78 const unsigned char *filename)
43{ 79{
44 const char *op = "add_template_measure"; 80 const char *op = "add_template_measure";
45 const char *audit_cause = "hashing_error"; 81 const char *audit_cause = "hashing_error";
82 char *template_name = entry->template_desc->name;
46 int result; 83 int result;
47 84 struct {
48 memset(entry->digest, 0, sizeof(entry->digest)); 85 struct ima_digest_data hdr;
49 entry->template_name = IMA_TEMPLATE_NAME; 86 char digest[TPM_DIGEST_SIZE];
50 entry->template_len = sizeof(entry->template); 87 } hash;
51 88
52 if (!violation) { 89 if (!violation) {
53 result = ima_calc_buffer_hash(&entry->template, 90 int num_fields = entry->template_desc->num_fields;
54 entry->template_len, 91
55 entry->digest); 92 /* this function uses default algo */
93 hash.hdr.algo = HASH_ALGO_SHA1;
94 result = ima_calc_field_array_hash(&entry->template_data[0],
95 num_fields, &hash.hdr);
56 if (result < 0) { 96 if (result < 0) {
57 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, 97 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
58 entry->template_name, op, 98 template_name, op,
59 audit_cause, result, 0); 99 audit_cause, result, 0);
60 return result; 100 return result;
61 } 101 }
102 memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
62 } 103 }
63 result = ima_add_template_entry(entry, violation, op, inode); 104 result = ima_add_template_entry(entry, violation, op, inode, filename);
64 return result; 105 return result;
65} 106}
66 107
@@ -71,24 +112,23 @@ int ima_store_template(struct ima_template_entry *entry,
71 * By extending the PCR with 0xFF's instead of with zeroes, the PCR 112 * By extending the PCR with 0xFF's instead of with zeroes, the PCR
72 * value is invalidated. 113 * value is invalidated.
73 */ 114 */
74void ima_add_violation(struct inode *inode, const unsigned char *filename, 115void ima_add_violation(struct file *file, const unsigned char *filename,
75 const char *op, const char *cause) 116 const char *op, const char *cause)
76{ 117{
77 struct ima_template_entry *entry; 118 struct ima_template_entry *entry;
119 struct inode *inode = file->f_dentry->d_inode;
78 int violation = 1; 120 int violation = 1;
79 int result; 121 int result;
80 122
81 /* can overflow, only indicator */ 123 /* can overflow, only indicator */
82 atomic_long_inc(&ima_htable.violations); 124 atomic_long_inc(&ima_htable.violations);
83 125
84 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 126 result = ima_alloc_init_template(NULL, file, filename, &entry);
85 if (!entry) { 127 if (result < 0) {
86 result = -ENOMEM; 128 result = -ENOMEM;
87 goto err_out; 129 goto err_out;
88 } 130 }
89 memset(&entry->template, 0, sizeof(entry->template)); 131 result = ima_store_template(entry, violation, inode, filename);
90 strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
91 result = ima_store_template(entry, violation, inode);
92 if (result < 0) 132 if (result < 0)
93 kfree(entry); 133 kfree(entry);
94err_out: 134err_out:
@@ -138,20 +178,42 @@ int ima_must_measure(struct inode *inode, int mask, int function)
138 * Return 0 on success, error code otherwise 178 * Return 0 on success, error code otherwise
139 */ 179 */
140int ima_collect_measurement(struct integrity_iint_cache *iint, 180int ima_collect_measurement(struct integrity_iint_cache *iint,
141 struct file *file) 181 struct file *file,
182 struct evm_ima_xattr_data **xattr_value,
183 int *xattr_len)
142{ 184{
143 struct inode *inode = file_inode(file); 185 struct inode *inode = file_inode(file);
144 const char *filename = file->f_dentry->d_name.name; 186 const char *filename = file->f_dentry->d_name.name;
145 int result = 0; 187 int result = 0;
188 struct {
189 struct ima_digest_data hdr;
190 char digest[IMA_MAX_DIGEST_SIZE];
191 } hash;
192
193 if (xattr_value)
194 *xattr_len = ima_read_xattr(file->f_dentry, xattr_value);
146 195
147 if (!(iint->flags & IMA_COLLECTED)) { 196 if (!(iint->flags & IMA_COLLECTED)) {
148 u64 i_version = file_inode(file)->i_version; 197 u64 i_version = file_inode(file)->i_version;
149 198
150 iint->ima_xattr.type = IMA_XATTR_DIGEST; 199 /* use default hash algorithm */
151 result = ima_calc_file_hash(file, iint->ima_xattr.digest); 200 hash.hdr.algo = ima_hash_algo;
201
202 if (xattr_value)
203 ima_get_hash_algo(*xattr_value, *xattr_len, &hash.hdr);
204
205 result = ima_calc_file_hash(file, &hash.hdr);
152 if (!result) { 206 if (!result) {
153 iint->version = i_version; 207 int length = sizeof(hash.hdr) + hash.hdr.length;
154 iint->flags |= IMA_COLLECTED; 208 void *tmpbuf = krealloc(iint->ima_hash, length,
209 GFP_NOFS);
210 if (tmpbuf) {
211 iint->ima_hash = tmpbuf;
212 memcpy(iint->ima_hash, &hash, length);
213 iint->version = i_version;
214 iint->flags |= IMA_COLLECTED;
215 } else
216 result = -ENOMEM;
155 } 217 }
156 } 218 }
157 if (result) 219 if (result)
@@ -189,19 +251,14 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
189 if (iint->flags & IMA_MEASURED) 251 if (iint->flags & IMA_MEASURED)
190 return; 252 return;
191 253
192 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 254 result = ima_alloc_init_template(iint, file, filename, &entry);
193 if (!entry) { 255 if (result < 0) {
194 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 256 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
195 op, audit_cause, result, 0); 257 op, audit_cause, result, 0);
196 return; 258 return;
197 } 259 }
198 memset(&entry->template, 0, sizeof(entry->template));
199 memcpy(entry->template.digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE);
200 strcpy(entry->template.file_name,
201 (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
202 file->f_dentry->d_name.name : filename);
203 260
204 result = ima_store_template(entry, violation, inode); 261 result = ima_store_template(entry, violation, inode, filename);
205 if (!result || result == -EEXIST) 262 if (!result || result == -EEXIST)
206 iint->flags |= IMA_MEASURED; 263 iint->flags |= IMA_MEASURED;
207 if (result < 0) 264 if (result < 0)
@@ -212,14 +269,16 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
212 const unsigned char *filename) 269 const unsigned char *filename)
213{ 270{
214 struct audit_buffer *ab; 271 struct audit_buffer *ab;
215 char hash[(IMA_DIGEST_SIZE * 2) + 1]; 272 char hash[(iint->ima_hash->length * 2) + 1];
273 const char *algo_name = hash_algo_name[iint->ima_hash->algo];
274 char algo_hash[sizeof(hash) + strlen(algo_name) + 2];
216 int i; 275 int i;
217 276
218 if (iint->flags & IMA_AUDITED) 277 if (iint->flags & IMA_AUDITED)
219 return; 278 return;
220 279
221 for (i = 0; i < IMA_DIGEST_SIZE; i++) 280 for (i = 0; i < iint->ima_hash->length; i++)
222 hex_byte_pack(hash + (i * 2), iint->ima_xattr.digest[i]); 281 hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]);
223 hash[i * 2] = '\0'; 282 hash[i * 2] = '\0';
224 283
225 ab = audit_log_start(current->audit_context, GFP_KERNEL, 284 ab = audit_log_start(current->audit_context, GFP_KERNEL,
@@ -230,7 +289,8 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
230 audit_log_format(ab, "file="); 289 audit_log_format(ab, "file=");
231 audit_log_untrustedstring(ab, filename); 290 audit_log_untrustedstring(ab, filename);
232 audit_log_format(ab, " hash="); 291 audit_log_format(ab, " hash=");
233 audit_log_untrustedstring(ab, hash); 292 snprintf(algo_hash, sizeof(algo_hash), "%s:%s", algo_name, hash);
293 audit_log_untrustedstring(ab, algo_hash);
234 294
235 audit_log_task_info(ab, current); 295 audit_log_task_info(ab, current);
236 audit_log_end(ab); 296 audit_log_end(ab);
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 2d4becab8918..734e9468aca0 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -15,6 +15,7 @@
15#include <linux/magic.h> 15#include <linux/magic.h>
16#include <linux/ima.h> 16#include <linux/ima.h>
17#include <linux/evm.h> 17#include <linux/evm.h>
18#include <crypto/hash_info.h>
18 19
19#include "ima.h" 20#include "ima.h"
20 21
@@ -43,19 +44,31 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
43} 44}
44 45
45static int ima_fix_xattr(struct dentry *dentry, 46static int ima_fix_xattr(struct dentry *dentry,
46 struct integrity_iint_cache *iint) 47 struct integrity_iint_cache *iint)
47{ 48{
48 iint->ima_xattr.type = IMA_XATTR_DIGEST; 49 int rc, offset;
49 return __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, 50 u8 algo = iint->ima_hash->algo;
50 (u8 *)&iint->ima_xattr, 51
51 sizeof(iint->ima_xattr), 0); 52 if (algo <= HASH_ALGO_SHA1) {
53 offset = 1;
54 iint->ima_hash->xattr.sha1.type = IMA_XATTR_DIGEST;
55 } else {
56 offset = 0;
57 iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG;
58 iint->ima_hash->xattr.ng.algo = algo;
59 }
60 rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
61 &iint->ima_hash->xattr.data[offset],
62 (sizeof(iint->ima_hash->xattr) - offset) +
63 iint->ima_hash->length, 0);
64 return rc;
52} 65}
53 66
54/* Return specific func appraised cached result */ 67/* Return specific func appraised cached result */
55enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, 68enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
56 int func) 69 int func)
57{ 70{
58 switch(func) { 71 switch (func) {
59 case MMAP_CHECK: 72 case MMAP_CHECK:
60 return iint->ima_mmap_status; 73 return iint->ima_mmap_status;
61 case BPRM_CHECK: 74 case BPRM_CHECK:
@@ -71,7 +84,7 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
71static void ima_set_cache_status(struct integrity_iint_cache *iint, 84static void ima_set_cache_status(struct integrity_iint_cache *iint,
72 int func, enum integrity_status status) 85 int func, enum integrity_status status)
73{ 86{
74 switch(func) { 87 switch (func) {
75 case MMAP_CHECK: 88 case MMAP_CHECK:
76 iint->ima_mmap_status = status; 89 iint->ima_mmap_status = status;
77 break; 90 break;
@@ -90,7 +103,7 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
90 103
91static void ima_cache_flags(struct integrity_iint_cache *iint, int func) 104static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
92{ 105{
93 switch(func) { 106 switch (func) {
94 case MMAP_CHECK: 107 case MMAP_CHECK:
95 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED); 108 iint->flags |= (IMA_MMAP_APPRAISED | IMA_APPRAISED);
96 break; 109 break;
@@ -107,6 +120,50 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
107 } 120 }
108} 121}
109 122
123void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
124 struct ima_digest_data *hash)
125{
126 struct signature_v2_hdr *sig;
127
128 if (!xattr_value || xattr_len < 2)
129 return;
130
131 switch (xattr_value->type) {
132 case EVM_IMA_XATTR_DIGSIG:
133 sig = (typeof(sig))xattr_value;
134 if (sig->version != 2 || xattr_len <= sizeof(*sig))
135 return;
136 hash->algo = sig->hash_algo;
137 break;
138 case IMA_XATTR_DIGEST_NG:
139 hash->algo = xattr_value->digest[0];
140 break;
141 case IMA_XATTR_DIGEST:
142 /* this is for backward compatibility */
143 if (xattr_len == 21) {
144 unsigned int zero = 0;
145 if (!memcmp(&xattr_value->digest[16], &zero, 4))
146 hash->algo = HASH_ALGO_MD5;
147 else
148 hash->algo = HASH_ALGO_SHA1;
149 } else if (xattr_len == 17)
150 hash->algo = HASH_ALGO_MD5;
151 break;
152 }
153}
154
155int ima_read_xattr(struct dentry *dentry,
156 struct evm_ima_xattr_data **xattr_value)
157{
158 struct inode *inode = dentry->d_inode;
159
160 if (!inode->i_op->getxattr)
161 return 0;
162
163 return vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)xattr_value,
164 0, GFP_NOFS);
165}
166
110/* 167/*
111 * ima_appraise_measurement - appraise file measurement 168 * ima_appraise_measurement - appraise file measurement
112 * 169 *
@@ -116,23 +173,22 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
116 * Return 0 on success, error code otherwise 173 * Return 0 on success, error code otherwise
117 */ 174 */
118int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, 175int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
119 struct file *file, const unsigned char *filename) 176 struct file *file, const unsigned char *filename,
177 struct evm_ima_xattr_data *xattr_value,
178 int xattr_len)
120{ 179{
121 struct dentry *dentry = file->f_dentry; 180 struct dentry *dentry = file->f_dentry;
122 struct inode *inode = dentry->d_inode; 181 struct inode *inode = dentry->d_inode;
123 struct evm_ima_xattr_data *xattr_value = NULL;
124 enum integrity_status status = INTEGRITY_UNKNOWN; 182 enum integrity_status status = INTEGRITY_UNKNOWN;
125 const char *op = "appraise_data"; 183 const char *op = "appraise_data";
126 char *cause = "unknown"; 184 char *cause = "unknown";
127 int rc; 185 int rc = xattr_len, hash_start = 0;
128 186
129 if (!ima_appraise) 187 if (!ima_appraise)
130 return 0; 188 return 0;
131 if (!inode->i_op->getxattr) 189 if (!inode->i_op->getxattr)
132 return INTEGRITY_UNKNOWN; 190 return INTEGRITY_UNKNOWN;
133 191
134 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)&xattr_value,
135 0, GFP_NOFS);
136 if (rc <= 0) { 192 if (rc <= 0) {
137 if (rc && rc != -ENODATA) 193 if (rc && rc != -ENODATA)
138 goto out; 194 goto out;
@@ -153,14 +209,25 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
153 goto out; 209 goto out;
154 } 210 }
155 switch (xattr_value->type) { 211 switch (xattr_value->type) {
212 case IMA_XATTR_DIGEST_NG:
213 /* first byte contains algorithm id */
214 hash_start = 1;
156 case IMA_XATTR_DIGEST: 215 case IMA_XATTR_DIGEST:
157 if (iint->flags & IMA_DIGSIG_REQUIRED) { 216 if (iint->flags & IMA_DIGSIG_REQUIRED) {
158 cause = "IMA signature required"; 217 cause = "IMA signature required";
159 status = INTEGRITY_FAIL; 218 status = INTEGRITY_FAIL;
160 break; 219 break;
161 } 220 }
162 rc = memcmp(xattr_value->digest, iint->ima_xattr.digest, 221 if (xattr_len - sizeof(xattr_value->type) - hash_start >=
163 IMA_DIGEST_SIZE); 222 iint->ima_hash->length)
223 /* xattr length may be longer. md5 hash in previous
224 version occupied 20 bytes in xattr, instead of 16
225 */
226 rc = memcmp(&xattr_value->digest[hash_start],
227 iint->ima_hash->digest,
228 iint->ima_hash->length);
229 else
230 rc = -EINVAL;
164 if (rc) { 231 if (rc) {
165 cause = "invalid-hash"; 232 cause = "invalid-hash";
166 status = INTEGRITY_FAIL; 233 status = INTEGRITY_FAIL;
@@ -171,9 +238,9 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
171 case EVM_IMA_XATTR_DIGSIG: 238 case EVM_IMA_XATTR_DIGSIG:
172 iint->flags |= IMA_DIGSIG; 239 iint->flags |= IMA_DIGSIG;
173 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, 240 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
174 xattr_value->digest, rc - 1, 241 (const char *)xattr_value, rc,
175 iint->ima_xattr.digest, 242 iint->ima_hash->digest,
176 IMA_DIGEST_SIZE); 243 iint->ima_hash->length);
177 if (rc == -EOPNOTSUPP) { 244 if (rc == -EOPNOTSUPP) {
178 status = INTEGRITY_UNKNOWN; 245 status = INTEGRITY_UNKNOWN;
179 } else if (rc) { 246 } else if (rc) {
@@ -203,7 +270,6 @@ out:
203 ima_cache_flags(iint, func); 270 ima_cache_flags(iint, func);
204 } 271 }
205 ima_set_cache_status(iint, func, status); 272 ima_set_cache_status(iint, func, status);
206 kfree(xattr_value);
207 return status; 273 return status;
208} 274}
209 275
@@ -219,7 +285,7 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
219 if (iint->flags & IMA_DIGSIG) 285 if (iint->flags & IMA_DIGSIG)
220 return; 286 return;
221 287
222 rc = ima_collect_measurement(iint, file); 288 rc = ima_collect_measurement(iint, file, NULL, NULL);
223 if (rc < 0) 289 if (rc < 0)
224 return; 290 return;
225 291
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index a02e0791cf15..676e0292dfec 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -20,6 +20,7 @@
20#include <linux/err.h> 20#include <linux/err.h>
21#include <linux/slab.h> 21#include <linux/slab.h>
22#include <crypto/hash.h> 22#include <crypto/hash.h>
23#include <crypto/hash_info.h>
23#include "ima.h" 24#include "ima.h"
24 25
25static struct crypto_shash *ima_shash_tfm; 26static struct crypto_shash *ima_shash_tfm;
@@ -28,31 +29,58 @@ int ima_init_crypto(void)
28{ 29{
29 long rc; 30 long rc;
30 31
31 ima_shash_tfm = crypto_alloc_shash(ima_hash, 0, 0); 32 ima_shash_tfm = crypto_alloc_shash(hash_algo_name[ima_hash_algo], 0, 0);
32 if (IS_ERR(ima_shash_tfm)) { 33 if (IS_ERR(ima_shash_tfm)) {
33 rc = PTR_ERR(ima_shash_tfm); 34 rc = PTR_ERR(ima_shash_tfm);
34 pr_err("Can not allocate %s (reason: %ld)\n", ima_hash, rc); 35 pr_err("Can not allocate %s (reason: %ld)\n",
36 hash_algo_name[ima_hash_algo], rc);
35 return rc; 37 return rc;
36 } 38 }
37 return 0; 39 return 0;
38} 40}
39 41
42static struct crypto_shash *ima_alloc_tfm(enum hash_algo algo)
43{
44 struct crypto_shash *tfm = ima_shash_tfm;
45 int rc;
46
47 if (algo != ima_hash_algo && algo < HASH_ALGO__LAST) {
48 tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
49 if (IS_ERR(tfm)) {
50 rc = PTR_ERR(tfm);
51 pr_err("Can not allocate %s (reason: %d)\n",
52 hash_algo_name[algo], rc);
53 }
54 }
55 return tfm;
56}
57
58static void ima_free_tfm(struct crypto_shash *tfm)
59{
60 if (tfm != ima_shash_tfm)
61 crypto_free_shash(tfm);
62}
63
40/* 64/*
41 * Calculate the MD5/SHA1 file digest 65 * Calculate the MD5/SHA1 file digest
42 */ 66 */
43int ima_calc_file_hash(struct file *file, char *digest) 67static int ima_calc_file_hash_tfm(struct file *file,
68 struct ima_digest_data *hash,
69 struct crypto_shash *tfm)
44{ 70{
45 loff_t i_size, offset = 0; 71 loff_t i_size, offset = 0;
46 char *rbuf; 72 char *rbuf;
47 int rc, read = 0; 73 int rc, read = 0;
48 struct { 74 struct {
49 struct shash_desc shash; 75 struct shash_desc shash;
50 char ctx[crypto_shash_descsize(ima_shash_tfm)]; 76 char ctx[crypto_shash_descsize(tfm)];
51 } desc; 77 } desc;
52 78
53 desc.shash.tfm = ima_shash_tfm; 79 desc.shash.tfm = tfm;
54 desc.shash.flags = 0; 80 desc.shash.flags = 0;
55 81
82 hash->length = crypto_shash_digestsize(tfm);
83
56 rc = crypto_shash_init(&desc.shash); 84 rc = crypto_shash_init(&desc.shash);
57 if (rc != 0) 85 if (rc != 0)
58 return rc; 86 return rc;
@@ -85,27 +113,83 @@ int ima_calc_file_hash(struct file *file, char *digest)
85 } 113 }
86 kfree(rbuf); 114 kfree(rbuf);
87 if (!rc) 115 if (!rc)
88 rc = crypto_shash_final(&desc.shash, digest); 116 rc = crypto_shash_final(&desc.shash, hash->digest);
89 if (read) 117 if (read)
90 file->f_mode &= ~FMODE_READ; 118 file->f_mode &= ~FMODE_READ;
91out: 119out:
92 return rc; 120 return rc;
93} 121}
94 122
123int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
124{
125 struct crypto_shash *tfm;
126 int rc;
127
128 tfm = ima_alloc_tfm(hash->algo);
129 if (IS_ERR(tfm))
130 return PTR_ERR(tfm);
131
132 rc = ima_calc_file_hash_tfm(file, hash, tfm);
133
134 ima_free_tfm(tfm);
135
136 return rc;
137}
138
95/* 139/*
96 * Calculate the hash of a given buffer 140 * Calculate the hash of template data
97 */ 141 */
98int ima_calc_buffer_hash(const void *data, int len, char *digest) 142static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
143 int num_fields,
144 struct ima_digest_data *hash,
145 struct crypto_shash *tfm)
99{ 146{
100 struct { 147 struct {
101 struct shash_desc shash; 148 struct shash_desc shash;
102 char ctx[crypto_shash_descsize(ima_shash_tfm)]; 149 char ctx[crypto_shash_descsize(tfm)];
103 } desc; 150 } desc;
151 int rc, i;
104 152
105 desc.shash.tfm = ima_shash_tfm; 153 desc.shash.tfm = tfm;
106 desc.shash.flags = 0; 154 desc.shash.flags = 0;
107 155
108 return crypto_shash_digest(&desc.shash, data, len, digest); 156 hash->length = crypto_shash_digestsize(tfm);
157
158 rc = crypto_shash_init(&desc.shash);
159 if (rc != 0)
160 return rc;
161
162 for (i = 0; i < num_fields; i++) {
163 rc = crypto_shash_update(&desc.shash,
164 (const u8 *) &field_data[i].len,
165 sizeof(field_data[i].len));
166 rc = crypto_shash_update(&desc.shash, field_data[i].data,
167 field_data[i].len);
168 if (rc)
169 break;
170 }
171
172 if (!rc)
173 rc = crypto_shash_final(&desc.shash, hash->digest);
174
175 return rc;
176}
177
178int ima_calc_field_array_hash(struct ima_field_data *field_data, int num_fields,
179 struct ima_digest_data *hash)
180{
181 struct crypto_shash *tfm;
182 int rc;
183
184 tfm = ima_alloc_tfm(hash->algo);
185 if (IS_ERR(tfm))
186 return PTR_ERR(tfm);
187
188 rc = ima_calc_field_array_hash_tfm(field_data, num_fields, hash, tfm);
189
190 ima_free_tfm(tfm);
191
192 return rc;
109} 193}
110 194
111static void __init ima_pcrread(int idx, u8 *pcr) 195static void __init ima_pcrread(int idx, u8 *pcr)
@@ -120,16 +204,17 @@ static void __init ima_pcrread(int idx, u8 *pcr)
120/* 204/*
121 * Calculate the boot aggregate hash 205 * Calculate the boot aggregate hash
122 */ 206 */
123int __init ima_calc_boot_aggregate(char *digest) 207static int __init ima_calc_boot_aggregate_tfm(char *digest,
208 struct crypto_shash *tfm)
124{ 209{
125 u8 pcr_i[IMA_DIGEST_SIZE]; 210 u8 pcr_i[TPM_DIGEST_SIZE];
126 int rc, i; 211 int rc, i;
127 struct { 212 struct {
128 struct shash_desc shash; 213 struct shash_desc shash;
129 char ctx[crypto_shash_descsize(ima_shash_tfm)]; 214 char ctx[crypto_shash_descsize(tfm)];
130 } desc; 215 } desc;
131 216
132 desc.shash.tfm = ima_shash_tfm; 217 desc.shash.tfm = tfm;
133 desc.shash.flags = 0; 218 desc.shash.flags = 0;
134 219
135 rc = crypto_shash_init(&desc.shash); 220 rc = crypto_shash_init(&desc.shash);
@@ -140,9 +225,26 @@ int __init ima_calc_boot_aggregate(char *digest)
140 for (i = TPM_PCR0; i < TPM_PCR8; i++) { 225 for (i = TPM_PCR0; i < TPM_PCR8; i++) {
141 ima_pcrread(i, pcr_i); 226 ima_pcrread(i, pcr_i);
142 /* now accumulate with current aggregate */ 227 /* now accumulate with current aggregate */
143 rc = crypto_shash_update(&desc.shash, pcr_i, IMA_DIGEST_SIZE); 228 rc = crypto_shash_update(&desc.shash, pcr_i, TPM_DIGEST_SIZE);
144 } 229 }
145 if (!rc) 230 if (!rc)
146 crypto_shash_final(&desc.shash, digest); 231 crypto_shash_final(&desc.shash, digest);
147 return rc; 232 return rc;
148} 233}
234
235int __init ima_calc_boot_aggregate(struct ima_digest_data *hash)
236{
237 struct crypto_shash *tfm;
238 int rc;
239
240 tfm = ima_alloc_tfm(hash->algo);
241 if (IS_ERR(tfm))
242 return PTR_ERR(tfm);
243
244 hash->length = crypto_shash_digestsize(tfm);
245 rc = ima_calc_boot_aggregate_tfm(hash->digest, tfm);
246
247 ima_free_tfm(tfm);
248
249 return rc;
250}
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 38477c9c3415..d47a7c86a21d 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -88,8 +88,7 @@ static void *ima_measurements_next(struct seq_file *m, void *v, loff_t *pos)
88 * against concurrent list-extension 88 * against concurrent list-extension
89 */ 89 */
90 rcu_read_lock(); 90 rcu_read_lock();
91 qe = list_entry_rcu(qe->later.next, 91 qe = list_entry_rcu(qe->later.next, struct ima_queue_entry, later);
92 struct ima_queue_entry, later);
93 rcu_read_unlock(); 92 rcu_read_unlock();
94 (*pos)++; 93 (*pos)++;
95 94
@@ -100,7 +99,7 @@ static void ima_measurements_stop(struct seq_file *m, void *v)
100{ 99{
101} 100}
102 101
103static void ima_putc(struct seq_file *m, void *data, int datalen) 102void ima_putc(struct seq_file *m, void *data, int datalen)
104{ 103{
105 while (datalen--) 104 while (datalen--)
106 seq_putc(m, *(char *)data++); 105 seq_putc(m, *(char *)data++);
@@ -111,6 +110,7 @@ static void ima_putc(struct seq_file *m, void *data, int datalen)
111 * char[20]=template digest 110 * char[20]=template digest
112 * 32bit-le=template name size 111 * 32bit-le=template name size
113 * char[n]=template name 112 * char[n]=template name
113 * [eventdata length]
114 * eventdata[n]=template specific data 114 * eventdata[n]=template specific data
115 */ 115 */
116static int ima_measurements_show(struct seq_file *m, void *v) 116static int ima_measurements_show(struct seq_file *m, void *v)
@@ -120,6 +120,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
120 struct ima_template_entry *e; 120 struct ima_template_entry *e;
121 int namelen; 121 int namelen;
122 u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX; 122 u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX;
123 int i;
123 124
124 /* get entry */ 125 /* get entry */
125 e = qe->entry; 126 e = qe->entry;
@@ -134,18 +135,25 @@ static int ima_measurements_show(struct seq_file *m, void *v)
134 ima_putc(m, &pcr, sizeof pcr); 135 ima_putc(m, &pcr, sizeof pcr);
135 136
136 /* 2nd: template digest */ 137 /* 2nd: template digest */
137 ima_putc(m, e->digest, IMA_DIGEST_SIZE); 138 ima_putc(m, e->digest, TPM_DIGEST_SIZE);
138 139
139 /* 3rd: template name size */ 140 /* 3rd: template name size */
140 namelen = strlen(e->template_name); 141 namelen = strlen(e->template_desc->name);
141 ima_putc(m, &namelen, sizeof namelen); 142 ima_putc(m, &namelen, sizeof namelen);
142 143
143 /* 4th: template name */ 144 /* 4th: template name */
144 ima_putc(m, (void *)e->template_name, namelen); 145 ima_putc(m, e->template_desc->name, namelen);
146
147 /* 5th: template length (except for 'ima' template) */
148 if (strcmp(e->template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
149 ima_putc(m, &e->template_data_len,
150 sizeof(e->template_data_len));
145 151
146 /* 5th: template specific data */ 152 /* 6th: template specific data */
147 ima_template_show(m, (struct ima_template_data *)&e->template, 153 for (i = 0; i < e->template_desc->num_fields; i++) {
148 IMA_SHOW_BINARY); 154 e->template_desc->fields[i]->field_show(m, IMA_SHOW_BINARY,
155 &e->template_data[i]);
156 }
149 return 0; 157 return 0;
150} 158}
151 159
@@ -168,41 +176,21 @@ static const struct file_operations ima_measurements_ops = {
168 .release = seq_release, 176 .release = seq_release,
169}; 177};
170 178
171static void ima_print_digest(struct seq_file *m, u8 *digest) 179void ima_print_digest(struct seq_file *m, u8 *digest, int size)
172{ 180{
173 int i; 181 int i;
174 182
175 for (i = 0; i < IMA_DIGEST_SIZE; i++) 183 for (i = 0; i < size; i++)
176 seq_printf(m, "%02x", *(digest + i)); 184 seq_printf(m, "%02x", *(digest + i));
177} 185}
178 186
179void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show)
180{
181 struct ima_template_data *entry = e;
182 int namelen;
183
184 switch (show) {
185 case IMA_SHOW_ASCII:
186 ima_print_digest(m, entry->digest);
187 seq_printf(m, " %s\n", entry->file_name);
188 break;
189 case IMA_SHOW_BINARY:
190 ima_putc(m, entry->digest, IMA_DIGEST_SIZE);
191
192 namelen = strlen(entry->file_name);
193 ima_putc(m, &namelen, sizeof namelen);
194 ima_putc(m, entry->file_name, namelen);
195 default:
196 break;
197 }
198}
199
200/* print in ascii */ 187/* print in ascii */
201static int ima_ascii_measurements_show(struct seq_file *m, void *v) 188static int ima_ascii_measurements_show(struct seq_file *m, void *v)
202{ 189{
203 /* the list never shrinks, so we don't need a lock here */ 190 /* the list never shrinks, so we don't need a lock here */
204 struct ima_queue_entry *qe = v; 191 struct ima_queue_entry *qe = v;
205 struct ima_template_entry *e; 192 struct ima_template_entry *e;
193 int i;
206 194
207 /* get entry */ 195 /* get entry */
208 e = qe->entry; 196 e = qe->entry;
@@ -213,14 +201,21 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
213 seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX); 201 seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX);
214 202
215 /* 2nd: SHA1 template hash */ 203 /* 2nd: SHA1 template hash */
216 ima_print_digest(m, e->digest); 204 ima_print_digest(m, e->digest, TPM_DIGEST_SIZE);
217 205
218 /* 3th: template name */ 206 /* 3th: template name */
219 seq_printf(m, " %s ", e->template_name); 207 seq_printf(m, " %s", e->template_desc->name);
220 208
221 /* 4th: template specific data */ 209 /* 4th: template specific data */
222 ima_template_show(m, (struct ima_template_data *)&e->template, 210 for (i = 0; i < e->template_desc->num_fields; i++) {
223 IMA_SHOW_ASCII); 211 seq_puts(m, " ");
212 if (e->template_data[i].len == 0)
213 continue;
214
215 e->template_desc->fields[i]->field_show(m, IMA_SHOW_ASCII,
216 &e->template_data[i]);
217 }
218 seq_puts(m, "\n");
224 return 0; 219 return 0;
225} 220}
226 221
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 162ea723db3d..f84aec5412f3 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -18,6 +18,7 @@
18#include <linux/scatterlist.h> 18#include <linux/scatterlist.h>
19#include <linux/slab.h> 19#include <linux/slab.h>
20#include <linux/err.h> 20#include <linux/err.h>
21#include <crypto/hash_info.h>
21#include "ima.h" 22#include "ima.h"
22 23
23/* name for boot aggregate entry */ 24/* name for boot aggregate entry */
@@ -42,28 +43,38 @@ int ima_used_chip;
42static void __init ima_add_boot_aggregate(void) 43static void __init ima_add_boot_aggregate(void)
43{ 44{
44 struct ima_template_entry *entry; 45 struct ima_template_entry *entry;
46 struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
45 const char *op = "add_boot_aggregate"; 47 const char *op = "add_boot_aggregate";
46 const char *audit_cause = "ENOMEM"; 48 const char *audit_cause = "ENOMEM";
47 int result = -ENOMEM; 49 int result = -ENOMEM;
48 int violation = 1; 50 int violation = 0;
51 struct {
52 struct ima_digest_data hdr;
53 char digest[TPM_DIGEST_SIZE];
54 } hash;
49 55
50 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 56 memset(iint, 0, sizeof(*iint));
51 if (!entry) 57 memset(&hash, 0, sizeof(hash));
52 goto err_out; 58 iint->ima_hash = &hash.hdr;
59 iint->ima_hash->algo = HASH_ALGO_SHA1;
60 iint->ima_hash->length = SHA1_DIGEST_SIZE;
53 61
54 memset(&entry->template, 0, sizeof(entry->template));
55 strncpy(entry->template.file_name, boot_aggregate_name,
56 IMA_EVENT_NAME_LEN_MAX);
57 if (ima_used_chip) { 62 if (ima_used_chip) {
58 violation = 0; 63 result = ima_calc_boot_aggregate(&hash.hdr);
59 result = ima_calc_boot_aggregate(entry->template.digest);
60 if (result < 0) { 64 if (result < 0) {
61 audit_cause = "hashing_error"; 65 audit_cause = "hashing_error";
62 kfree(entry); 66 kfree(entry);
63 goto err_out; 67 goto err_out;
64 } 68 }
65 } 69 }
66 result = ima_store_template(entry, violation, NULL); 70
71 result = ima_alloc_init_template(iint, NULL, boot_aggregate_name,
72 &entry);
73 if (result < 0)
74 return;
75
76 result = ima_store_template(entry, violation, NULL,
77 boot_aggregate_name);
67 if (result < 0) 78 if (result < 0)
68 kfree(entry); 79 kfree(entry);
69 return; 80 return;
@@ -74,7 +85,7 @@ err_out:
74 85
75int __init ima_init(void) 86int __init ima_init(void)
76{ 87{
77 u8 pcr_i[IMA_DIGEST_SIZE]; 88 u8 pcr_i[TPM_DIGEST_SIZE];
78 int rc; 89 int rc;
79 90
80 ima_used_chip = 0; 91 ima_used_chip = 0;
@@ -88,6 +99,10 @@ int __init ima_init(void)
88 rc = ima_init_crypto(); 99 rc = ima_init_crypto();
89 if (rc) 100 if (rc)
90 return rc; 101 return rc;
102 rc = ima_init_template();
103 if (rc != 0)
104 return rc;
105
91 ima_add_boot_aggregate(); /* boot aggregate must be first entry */ 106 ima_add_boot_aggregate(); /* boot aggregate must be first entry */
92 ima_init_policy(); 107 ima_init_policy();
93 108
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index e9508d5bbfcf..14d4cb557894 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -24,6 +24,7 @@
24#include <linux/slab.h> 24#include <linux/slab.h>
25#include <linux/xattr.h> 25#include <linux/xattr.h>
26#include <linux/ima.h> 26#include <linux/ima.h>
27#include <crypto/hash_info.h>
27 28
28#include "ima.h" 29#include "ima.h"
29 30
@@ -35,11 +36,33 @@ int ima_appraise = IMA_APPRAISE_ENFORCE;
35int ima_appraise; 36int ima_appraise;
36#endif 37#endif
37 38
38char *ima_hash = "sha1"; 39int ima_hash_algo = HASH_ALGO_SHA1;
40static int hash_setup_done;
41
39static int __init hash_setup(char *str) 42static int __init hash_setup(char *str)
40{ 43{
41 if (strncmp(str, "md5", 3) == 0) 44 struct ima_template_desc *template_desc = ima_template_desc_current();
42 ima_hash = "md5"; 45 int i;
46
47 if (hash_setup_done)
48 return 1;
49
50 if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
51 if (strncmp(str, "sha1", 4) == 0)
52 ima_hash_algo = HASH_ALGO_SHA1;
53 else if (strncmp(str, "md5", 3) == 0)
54 ima_hash_algo = HASH_ALGO_MD5;
55 goto out;
56 }
57
58 for (i = 0; i < HASH_ALGO__LAST; i++) {
59 if (strcmp(str, hash_algo_name[i]) == 0) {
60 ima_hash_algo = i;
61 break;
62 }
63 }
64out:
65 hash_setup_done = 1;
43 return 1; 66 return 1;
44} 67}
45__setup("ima_hash=", hash_setup); 68__setup("ima_hash=", hash_setup);
@@ -92,10 +115,9 @@ out:
92 pathname = dentry->d_name.name; 115 pathname = dentry->d_name.name;
93 116
94 if (send_tomtou) 117 if (send_tomtou)
95 ima_add_violation(inode, pathname, 118 ima_add_violation(file, pathname, "invalid_pcr", "ToMToU");
96 "invalid_pcr", "ToMToU");
97 if (send_writers) 119 if (send_writers)
98 ima_add_violation(inode, pathname, 120 ima_add_violation(file, pathname,
99 "invalid_pcr", "open_writers"); 121 "invalid_pcr", "open_writers");
100 kfree(pathbuf); 122 kfree(pathbuf);
101} 123}
@@ -144,9 +166,12 @@ static int process_measurement(struct file *file, const char *filename,
144{ 166{
145 struct inode *inode = file_inode(file); 167 struct inode *inode = file_inode(file);
146 struct integrity_iint_cache *iint; 168 struct integrity_iint_cache *iint;
169 struct ima_template_desc *template_desc = ima_template_desc_current();
147 char *pathbuf = NULL; 170 char *pathbuf = NULL;
148 const char *pathname = NULL; 171 const char *pathname = NULL;
149 int rc = -ENOMEM, action, must_appraise, _func; 172 int rc = -ENOMEM, action, must_appraise, _func;
173 struct evm_ima_xattr_data *xattr_value = NULL, **xattr_ptr = NULL;
174 int xattr_len = 0;
150 175
151 if (!ima_initialized || !S_ISREG(inode->i_mode)) 176 if (!ima_initialized || !S_ISREG(inode->i_mode))
152 return 0; 177 return 0;
@@ -185,7 +210,13 @@ static int process_measurement(struct file *file, const char *filename,
185 goto out_digsig; 210 goto out_digsig;
186 } 211 }
187 212
188 rc = ima_collect_measurement(iint, file); 213 if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
214 if (action & IMA_APPRAISE_SUBMASK)
215 xattr_ptr = &xattr_value;
216 } else
217 xattr_ptr = &xattr_value;
218
219 rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);
189 if (rc != 0) 220 if (rc != 0)
190 goto out_digsig; 221 goto out_digsig;
191 222
@@ -196,7 +227,8 @@ static int process_measurement(struct file *file, const char *filename,
196 if (action & IMA_MEASURE) 227 if (action & IMA_MEASURE)
197 ima_store_measurement(iint, file, pathname); 228 ima_store_measurement(iint, file, pathname);
198 if (action & IMA_APPRAISE_SUBMASK) 229 if (action & IMA_APPRAISE_SUBMASK)
199 rc = ima_appraise_measurement(_func, iint, file, pathname); 230 rc = ima_appraise_measurement(_func, iint, file, pathname,
231 xattr_value, xattr_len);
200 if (action & IMA_AUDIT) 232 if (action & IMA_AUDIT)
201 ima_audit_measurement(iint, pathname); 233 ima_audit_measurement(iint, pathname);
202 kfree(pathbuf); 234 kfree(pathbuf);
@@ -205,6 +237,7 @@ out_digsig:
205 rc = -EACCES; 237 rc = -EACCES;
206out: 238out:
207 mutex_unlock(&inode->i_mutex); 239 mutex_unlock(&inode->i_mutex);
240 kfree(xattr_value);
208 if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) 241 if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
209 return -EACCES; 242 return -EACCES;
210 return 0; 243 return 0;
@@ -244,9 +277,9 @@ int ima_file_mmap(struct file *file, unsigned long prot)
244int ima_bprm_check(struct linux_binprm *bprm) 277int ima_bprm_check(struct linux_binprm *bprm)
245{ 278{
246 return process_measurement(bprm->file, 279 return process_measurement(bprm->file,
247 (strcmp(bprm->filename, bprm->interp) == 0) ? 280 (strcmp(bprm->filename, bprm->interp) == 0) ?
248 bprm->filename : bprm->interp, 281 bprm->filename : bprm->interp,
249 MAY_EXEC, BPRM_CHECK); 282 MAY_EXEC, BPRM_CHECK);
250} 283}
251 284
252/** 285/**
@@ -263,8 +296,8 @@ int ima_file_check(struct file *file, int mask)
263{ 296{
264 ima_rdwr_violation_check(file); 297 ima_rdwr_violation_check(file);
265 return process_measurement(file, NULL, 298 return process_measurement(file, NULL,
266 mask & (MAY_READ | MAY_WRITE | MAY_EXEC), 299 mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
267 FILE_CHECK); 300 FILE_CHECK);
268} 301}
269EXPORT_SYMBOL_GPL(ima_file_check); 302EXPORT_SYMBOL_GPL(ima_file_check);
270 303
@@ -294,6 +327,7 @@ static int __init init_ima(void)
294{ 327{
295 int error; 328 int error;
296 329
330 hash_setup(CONFIG_IMA_DEFAULT_HASH);
297 error = ima_init(); 331 error = ima_init();
298 if (!error) 332 if (!error)
299 ima_initialized = 1; 333 ima_initialized = 1;
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 399433ad614e..a9c3d3cd1990 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -73,7 +73,6 @@ static struct ima_rule_entry default_rules[] = {
73 {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC}, 73 {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
74 {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC}, 74 {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
75 {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC}, 75 {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
76 {.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
77 {.action = DONT_MEASURE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC}, 76 {.action = DONT_MEASURE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
78 {.action = DONT_MEASURE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC}, 77 {.action = DONT_MEASURE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
79 {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC}, 78 {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index ff63fe00c195..d85e99761f4f 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -50,7 +50,7 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value)
50 key = ima_hash_key(digest_value); 50 key = ima_hash_key(digest_value);
51 rcu_read_lock(); 51 rcu_read_lock();
52 hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) { 52 hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) {
53 rc = memcmp(qe->entry->digest, digest_value, IMA_DIGEST_SIZE); 53 rc = memcmp(qe->entry->digest, digest_value, TPM_DIGEST_SIZE);
54 if (rc == 0) { 54 if (rc == 0) {
55 ret = qe; 55 ret = qe;
56 break; 56 break;
@@ -104,9 +104,10 @@ static int ima_pcr_extend(const u8 *hash)
104 * and extend the pcr. 104 * and extend the pcr.
105 */ 105 */
106int ima_add_template_entry(struct ima_template_entry *entry, int violation, 106int ima_add_template_entry(struct ima_template_entry *entry, int violation,
107 const char *op, struct inode *inode) 107 const char *op, struct inode *inode,
108 const unsigned char *filename)
108{ 109{
109 u8 digest[IMA_DIGEST_SIZE]; 110 u8 digest[TPM_DIGEST_SIZE];
110 const char *audit_cause = "hash_added"; 111 const char *audit_cause = "hash_added";
111 char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX]; 112 char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
112 int audit_info = 1; 113 int audit_info = 1;
@@ -141,8 +142,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
141 } 142 }
142out: 143out:
143 mutex_unlock(&ima_extend_list_mutex); 144 mutex_unlock(&ima_extend_list_mutex);
144 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, 145 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
145 entry->template.file_name,
146 op, audit_cause, result, audit_info); 146 op, audit_cause, result, audit_info);
147 return result; 147 return result;
148} 148}
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
new file mode 100644
index 000000000000..000221419f6c
--- /dev/null
+++ b/security/integrity/ima/ima_template.c
@@ -0,0 +1,175 @@
1/*
2 * Copyright (C) 2013 Politecnico di Torino, Italy
3 * TORSEC group -- http://security.polito.it
4 *
5 * Author: Roberto Sassu <roberto.sassu@polito.it>
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation, version 2 of the
10 * License.
11 *
12 * File: ima_template.c
13 * Helpers to manage template descriptors.
14 */
15#include <crypto/hash_info.h>
16
17#include "ima.h"
18#include "ima_template_lib.h"
19
20static struct ima_template_desc defined_templates[] = {
21 {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
22 {.name = "ima-ng",.fmt = "d-ng|n-ng"},
23};
24
25static struct ima_template_field supported_fields[] = {
26 {.field_id = "d",.field_init = ima_eventdigest_init,
27 .field_show = ima_show_template_digest},
28 {.field_id = "n",.field_init = ima_eventname_init,
29 .field_show = ima_show_template_string},
30 {.field_id = "d-ng",.field_init = ima_eventdigest_ng_init,
31 .field_show = ima_show_template_digest_ng},
32 {.field_id = "n-ng",.field_init = ima_eventname_ng_init,
33 .field_show = ima_show_template_string},
34};
35
36static struct ima_template_desc *ima_template;
37static struct ima_template_desc *lookup_template_desc(const char *name);
38
39static int __init ima_template_setup(char *str)
40{
41 struct ima_template_desc *template_desc;
42 int template_len = strlen(str);
43
44 /*
45 * Verify that a template with the supplied name exists.
46 * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
47 */
48 template_desc = lookup_template_desc(str);
49 if (!template_desc)
50 return 1;
51
52 /*
53 * Verify whether the current hash algorithm is supported
54 * by the 'ima' template.
55 */
56 if (template_len == 3 && strcmp(str, IMA_TEMPLATE_IMA_NAME) == 0 &&
57 ima_hash_algo != HASH_ALGO_SHA1 && ima_hash_algo != HASH_ALGO_MD5) {
58 pr_err("IMA: template does not support hash alg\n");
59 return 1;
60 }
61
62 ima_template = template_desc;
63 return 1;
64}
65__setup("ima_template=", ima_template_setup);
66
67static struct ima_template_desc *lookup_template_desc(const char *name)
68{
69 int i;
70
71 for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
72 if (strcmp(defined_templates[i].name, name) == 0)
73 return defined_templates + i;
74 }
75
76 return NULL;
77}
78
79static struct ima_template_field *lookup_template_field(const char *field_id)
80{
81 int i;
82
83 for (i = 0; i < ARRAY_SIZE(supported_fields); i++)
84 if (strncmp(supported_fields[i].field_id, field_id,
85 IMA_TEMPLATE_FIELD_ID_MAX_LEN) == 0)
86 return &supported_fields[i];
87 return NULL;
88}
89
90static int template_fmt_size(char *template_fmt)
91{
92 char c;
93 int template_fmt_len = strlen(template_fmt);
94 int i = 0, j = 0;
95
96 while (i < template_fmt_len) {
97 c = template_fmt[i];
98 if (c == '|')
99 j++;
100 i++;
101 }
102
103 return j + 1;
104}
105
106static int template_desc_init_fields(char *template_fmt,
107 struct ima_template_field ***fields,
108 int *num_fields)
109{
110 char *c, *template_fmt_ptr = template_fmt;
111 int template_num_fields = template_fmt_size(template_fmt);
112 int i, result = 0;
113
114 if (template_num_fields > IMA_TEMPLATE_NUM_FIELDS_MAX)
115 return -EINVAL;
116
117 *fields = kzalloc(template_num_fields * sizeof(*fields), GFP_KERNEL);
118 if (*fields == NULL) {
119 result = -ENOMEM;
120 goto out;
121 }
122 for (i = 0; (c = strsep(&template_fmt_ptr, "|")) != NULL &&
123 i < template_num_fields; i++) {
124 struct ima_template_field *f = lookup_template_field(c);
125
126 if (!f) {
127 result = -ENOENT;
128 goto out;
129 }
130 (*fields)[i] = f;
131 }
132 *num_fields = i;
133 return 0;
134out:
135 kfree(*fields);
136 *fields = NULL;
137 return result;
138}
139
140static int init_defined_templates(void)
141{
142 int i = 0;
143 int result = 0;
144
145 /* Init defined templates. */
146 for (i = 0; i < ARRAY_SIZE(defined_templates); i++) {
147 struct ima_template_desc *template = &defined_templates[i];
148
149 result = template_desc_init_fields(template->fmt,
150 &(template->fields),
151 &(template->num_fields));
152 if (result < 0)
153 return result;
154 }
155 return result;
156}
157
158struct ima_template_desc *ima_template_desc_current(void)
159{
160 if (!ima_template)
161 ima_template =
162 lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE);
163 return ima_template;
164}
165
166int ima_init_template(void)
167{
168 int result;
169
170 result = init_defined_templates();
171 if (result < 0)
172 return result;
173
174 return 0;
175}
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
new file mode 100644
index 000000000000..7d841448f246
--- /dev/null
+++ b/security/integrity/ima/ima_template_lib.c
@@ -0,0 +1,313 @@
1/*
2 * Copyright (C) 2013 Politecnico di Torino, Italy
3 * TORSEC group -- http://security.polito.it
4 *
5 * Author: Roberto Sassu <roberto.sassu@polito.it>
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation, version 2 of the
10 * License.
11 *
12 * File: ima_template_lib.c
13 * Library of supported template fields.
14 */
15#include <crypto/hash_info.h>
16
17#include "ima_template_lib.h"
18
19static bool ima_template_hash_algo_allowed(u8 algo)
20{
21 if (algo == HASH_ALGO_SHA1 || algo == HASH_ALGO_MD5)
22 return true;
23
24 return false;
25}
26
27enum data_formats {
28 DATA_FMT_DIGEST = 0,
29 DATA_FMT_DIGEST_WITH_ALGO,
30 DATA_FMT_EVENT_NAME,
31 DATA_FMT_STRING
32};
33
34static int ima_write_template_field_data(const void *data, const u32 datalen,
35 enum data_formats datafmt,
36 struct ima_field_data *field_data)
37{
38 u8 *buf, *buf_ptr;
39 u32 buflen;
40
41 switch (datafmt) {
42 case DATA_FMT_EVENT_NAME:
43 buflen = IMA_EVENT_NAME_LEN_MAX + 1;
44 break;
45 case DATA_FMT_STRING:
46 buflen = datalen + 1;
47 break;
48 default:
49 buflen = datalen;
50 }
51
52 buf = kzalloc(buflen, GFP_KERNEL);
53 if (!buf)
54 return -ENOMEM;
55
56 memcpy(buf, data, datalen);
57
58 /*
59 * Replace all space characters with underscore for event names and
60 * strings. This avoid that, during the parsing of a measurements list,
61 * filenames with spaces or that end with the suffix ' (deleted)' are
62 * split into multiple template fields (the space is the delimitator
63 * character for measurements lists in ASCII format).
64 */
65 if (datafmt == DATA_FMT_EVENT_NAME || datafmt == DATA_FMT_STRING) {
66 for (buf_ptr = buf; buf_ptr - buf < datalen; buf_ptr++)
67 if (*buf_ptr == ' ')
68 *buf_ptr = '_';
69 }
70
71 field_data->data = buf;
72 field_data->len = buflen;
73 return 0;
74}
75
76static void ima_show_template_data_ascii(struct seq_file *m,
77 enum ima_show_type show,
78 enum data_formats datafmt,
79 struct ima_field_data *field_data)
80{
81 u8 *buf_ptr = field_data->data, buflen = field_data->len;
82
83 switch (datafmt) {
84 case DATA_FMT_DIGEST_WITH_ALGO:
85 buf_ptr = strnchr(field_data->data, buflen, ':');
86 if (buf_ptr != field_data->data)
87 seq_printf(m, "%s", field_data->data);
88
89 /* skip ':' and '\0' */
90 buf_ptr += 2;
91 buflen -= buf_ptr - field_data->data;
92 case DATA_FMT_DIGEST:
93 ima_print_digest(m, buf_ptr, buflen);
94 break;
95 case DATA_FMT_STRING:
96 seq_printf(m, "%s", buf_ptr);
97 break;
98 default:
99 break;
100 }
101}
102
103static void ima_show_template_data_binary(struct seq_file *m,
104 enum ima_show_type show,
105 enum data_formats datafmt,
106 struct ima_field_data *field_data)
107{
108 ima_putc(m, &field_data->len, sizeof(u32));
109 if (!field_data->len)
110 return;
111 ima_putc(m, field_data->data, field_data->len);
112}
113
114static void ima_show_template_field_data(struct seq_file *m,
115 enum ima_show_type show,
116 enum data_formats datafmt,
117 struct ima_field_data *field_data)
118{
119 switch (show) {
120 case IMA_SHOW_ASCII:
121 ima_show_template_data_ascii(m, show, datafmt, field_data);
122 break;
123 case IMA_SHOW_BINARY:
124 ima_show_template_data_binary(m, show, datafmt, field_data);
125 break;
126 default:
127 break;
128 }
129}
130
131void ima_show_template_digest(struct seq_file *m, enum ima_show_type show,
132 struct ima_field_data *field_data)
133{
134 ima_show_template_field_data(m, show, DATA_FMT_DIGEST, field_data);
135}
136
137void ima_show_template_digest_ng(struct seq_file *m, enum ima_show_type show,
138 struct ima_field_data *field_data)
139{
140 ima_show_template_field_data(m, show, DATA_FMT_DIGEST_WITH_ALGO,
141 field_data);
142}
143
144void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
145 struct ima_field_data *field_data)
146{
147 ima_show_template_field_data(m, show, DATA_FMT_STRING, field_data);
148}
149
150static int ima_eventdigest_init_common(u8 *digest, u32 digestsize, u8 hash_algo,
151 struct ima_field_data *field_data,
152 bool size_limit)
153{
154 /*
155 * digest formats:
156 * - DATA_FMT_DIGEST: digest
157 * - DATA_FMT_DIGEST_WITH_ALGO: [<hash algo>] + ':' + '\0' + digest,
158 * where <hash algo> is provided if the hash algoritm is not
159 * SHA1 or MD5
160 */
161 u8 buffer[CRYPTO_MAX_ALG_NAME + 2 + IMA_MAX_DIGEST_SIZE] = { 0 };
162 enum data_formats fmt = DATA_FMT_DIGEST;
163 u32 offset = 0;
164
165 if (!size_limit) {
166 fmt = DATA_FMT_DIGEST_WITH_ALGO;
167 if (hash_algo < HASH_ALGO__LAST)
168 offset += snprintf(buffer, CRYPTO_MAX_ALG_NAME + 1,
169 "%s", hash_algo_name[hash_algo]);
170 buffer[offset] = ':';
171 offset += 2;
172 }
173
174 if (digest)
175 memcpy(buffer + offset, digest, digestsize);
176 else
177 /*
178 * If digest is NULL, the event being recorded is a violation.
179 * Make room for the digest by increasing the offset of
180 * IMA_DIGEST_SIZE.
181 */
182 offset += IMA_DIGEST_SIZE;
183
184 return ima_write_template_field_data(buffer, offset + digestsize,
185 fmt, field_data);
186}
187
188/*
189 * This function writes the digest of an event (with size limit).
190 */
191int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file,
192 const unsigned char *filename,
193 struct ima_field_data *field_data)
194{
195 struct {
196 struct ima_digest_data hdr;
197 char digest[IMA_MAX_DIGEST_SIZE];
198 } hash;
199 u8 *cur_digest = NULL;
200 u32 cur_digestsize = 0;
201 struct inode *inode;
202 int result;
203
204 memset(&hash, 0, sizeof(hash));
205
206 if (!iint) /* recording a violation. */
207 goto out;
208
209 if (ima_template_hash_algo_allowed(iint->ima_hash->algo)) {
210 cur_digest = iint->ima_hash->digest;
211 cur_digestsize = iint->ima_hash->length;
212 goto out;
213 }
214
215 if (!file) /* missing info to re-calculate the digest */
216 return -EINVAL;
217
218 inode = file_inode(file);
219 hash.hdr.algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
220 ima_hash_algo : HASH_ALGO_SHA1;
221 result = ima_calc_file_hash(file, &hash.hdr);
222 if (result) {
223 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
224 filename, "collect_data",
225 "failed", result, 0);
226 return result;
227 }
228 cur_digest = hash.hdr.digest;
229 cur_digestsize = hash.hdr.length;
230out:
231 return ima_eventdigest_init_common(cur_digest, cur_digestsize, -1,
232 field_data, true);
233}
234
235/*
236 * This function writes the digest of an event (without size limit).
237 */
238int ima_eventdigest_ng_init(struct integrity_iint_cache *iint,
239 struct file *file, const unsigned char *filename,
240 struct ima_field_data *field_data)
241{
242 u8 *cur_digest = NULL, hash_algo = HASH_ALGO__LAST;
243 u32 cur_digestsize = 0;
244
245 /* If iint is NULL, we are recording a violation. */
246 if (!iint)
247 goto out;
248
249 cur_digest = iint->ima_hash->digest;
250 cur_digestsize = iint->ima_hash->length;
251
252 hash_algo = iint->ima_hash->algo;
253out:
254 return ima_eventdigest_init_common(cur_digest, cur_digestsize,
255 hash_algo, field_data, false);
256}
257
258static int ima_eventname_init_common(struct integrity_iint_cache *iint,
259 struct file *file,
260 const unsigned char *filename,
261 struct ima_field_data *field_data,
262 bool size_limit)
263{
264 const char *cur_filename = NULL;
265 u32 cur_filename_len = 0;
266 enum data_formats fmt = size_limit ?
267 DATA_FMT_EVENT_NAME : DATA_FMT_STRING;
268
269 BUG_ON(filename == NULL && file == NULL);
270
271 if (filename) {
272 cur_filename = filename;
273 cur_filename_len = strlen(filename);
274
275 if (!size_limit || cur_filename_len <= IMA_EVENT_NAME_LEN_MAX)
276 goto out;
277 }
278
279 if (file) {
280 cur_filename = file->f_dentry->d_name.name;
281 cur_filename_len = strlen(cur_filename);
282 } else
283 /*
284 * Truncate filename if the latter is too long and
285 * the file descriptor is not available.
286 */
287 cur_filename_len = IMA_EVENT_NAME_LEN_MAX;
288out:
289 return ima_write_template_field_data(cur_filename, cur_filename_len,
290 fmt, field_data);
291}
292
293/*
294 * This function writes the name of an event (with size limit).
295 */
296int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file,
297 const unsigned char *filename,
298 struct ima_field_data *field_data)
299{
300 return ima_eventname_init_common(iint, file, filename,
301 field_data, true);
302}
303
304/*
305 * This function writes the name of an event (without size limit).
306 */
307int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file,
308 const unsigned char *filename,
309 struct ima_field_data *field_data)
310{
311 return ima_eventname_init_common(iint, file, filename,
312 field_data, false);
313}
diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h
new file mode 100644
index 000000000000..16c5e7810234
--- /dev/null
+++ b/security/integrity/ima/ima_template_lib.h
@@ -0,0 +1,39 @@
1/*
2 * Copyright (C) 2013 Politecnico di Torino, Italy
3 * TORSEC group -- http://security.polito.it
4 *
5 * Author: Roberto Sassu <roberto.sassu@polito.it>
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation, version 2 of the
10 * License.
11 *
12 * File: ima_template_lib.h
13 * Header for the library of supported template fields.
14 */
15#ifndef __LINUX_IMA_TEMPLATE_LIB_H
16#define __LINUX_IMA_TEMPLATE_LIB_H
17
18#include <linux/seq_file.h>
19#include "ima.h"
20
21void ima_show_template_digest(struct seq_file *m, enum ima_show_type show,
22 struct ima_field_data *field_data);
23void ima_show_template_digest_ng(struct seq_file *m, enum ima_show_type show,
24 struct ima_field_data *field_data);
25void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
26 struct ima_field_data *field_data);
27int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file,
28 const unsigned char *filename,
29 struct ima_field_data *field_data);
30int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file,
31 const unsigned char *filename,
32 struct ima_field_data *field_data);
33int ima_eventdigest_ng_init(struct integrity_iint_cache *iint,
34 struct file *file, const unsigned char *filename,
35 struct ima_field_data *field_data);
36int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file,
37 const unsigned char *filename,
38 struct ima_field_data *field_data);
39#endif /* __LINUX_IMA_TEMPLATE_LIB_H */
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index c42fb7a70dee..2fb5e53e927f 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -54,25 +54,57 @@ enum evm_ima_xattr_type {
54 IMA_XATTR_DIGEST = 0x01, 54 IMA_XATTR_DIGEST = 0x01,
55 EVM_XATTR_HMAC, 55 EVM_XATTR_HMAC,
56 EVM_IMA_XATTR_DIGSIG, 56 EVM_IMA_XATTR_DIGSIG,
57 IMA_XATTR_DIGEST_NG,
57}; 58};
58 59
59struct evm_ima_xattr_data { 60struct evm_ima_xattr_data {
60 u8 type; 61 u8 type;
61 u8 digest[SHA1_DIGEST_SIZE]; 62 u8 digest[SHA1_DIGEST_SIZE];
62} __attribute__((packed)); 63} __packed;
64
65#define IMA_MAX_DIGEST_SIZE 64
66
67struct ima_digest_data {
68 u8 algo;
69 u8 length;
70 union {
71 struct {
72 u8 unused;
73 u8 type;
74 } sha1;
75 struct {
76 u8 type;
77 u8 algo;
78 } ng;
79 u8 data[2];
80 } xattr;
81 u8 digest[0];
82} __packed;
83
84/*
85 * signature format v2 - for using with asymmetric keys
86 */
87struct signature_v2_hdr {
88 uint8_t type; /* xattr type */
89 uint8_t version; /* signature format version */
90 uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */
91 uint32_t keyid; /* IMA key identifier - not X509/PGP specific */
92 uint16_t sig_size; /* signature size */
93 uint8_t sig[0]; /* signature payload */
94} __packed;
63 95
64/* integrity data associated with an inode */ 96/* integrity data associated with an inode */
65struct integrity_iint_cache { 97struct integrity_iint_cache {
66 struct rb_node rb_node; /* rooted in integrity_iint_tree */ 98 struct rb_node rb_node; /* rooted in integrity_iint_tree */
67 struct inode *inode; /* back pointer to inode in question */ 99 struct inode *inode; /* back pointer to inode in question */
68 u64 version; /* track inode changes */ 100 u64 version; /* track inode changes */
69 unsigned long flags; 101 unsigned long flags;
70 struct evm_ima_xattr_data ima_xattr;
71 enum integrity_status ima_file_status:4; 102 enum integrity_status ima_file_status:4;
72 enum integrity_status ima_mmap_status:4; 103 enum integrity_status ima_mmap_status:4;
73 enum integrity_status ima_bprm_status:4; 104 enum integrity_status ima_bprm_status:4;
74 enum integrity_status ima_module_status:4; 105 enum integrity_status ima_module_status:4;
75 enum integrity_status evm_status:4; 106 enum integrity_status evm_status:4;
107 struct ima_digest_data *ima_hash;
76}; 108};
77 109
78/* rbtree tree calls to lookup, insert, delete 110/* rbtree tree calls to lookup, insert, delete
@@ -89,7 +121,7 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
89#ifdef CONFIG_INTEGRITY_SIGNATURE 121#ifdef CONFIG_INTEGRITY_SIGNATURE
90 122
91int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, 123int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
92 const char *digest, int digestlen); 124 const char *digest, int digestlen);
93 125
94#else 126#else
95 127
diff --git a/security/keys/Kconfig b/security/keys/Kconfig
index a90d6d300dbd..53d8748c9564 100644
--- a/security/keys/Kconfig
+++ b/security/keys/Kconfig
@@ -4,6 +4,7 @@
4 4
5config KEYS 5config KEYS
6 bool "Enable access key retention support" 6 bool "Enable access key retention support"
7 select ASSOCIATIVE_ARRAY
7 help 8 help
8 This option provides support for retaining authentication tokens and 9 This option provides support for retaining authentication tokens and
9 access keys in the kernel. 10 access keys in the kernel.
@@ -19,6 +20,34 @@ config KEYS
19 20
20 If you are unsure as to whether this is required, answer N. 21 If you are unsure as to whether this is required, answer N.
21 22
23config PERSISTENT_KEYRINGS
24 bool "Enable register of persistent per-UID keyrings"
25 depends on KEYS
26 help
27 This option provides a register of persistent per-UID keyrings,
28 primarily aimed at Kerberos key storage. The keyrings are persistent
29 in the sense that they stay around after all processes of that UID
30 have exited, not that they survive the machine being rebooted.
31
32 A particular keyring may be accessed by either the user whose keyring
33 it is or by a process with administrative privileges. The active
34 LSMs gets to rule on which admin-level processes get to access the
35 cache.
36
37 Keyrings are created and added into the register upon demand and get
38 removed if they expire (a default timeout is set upon creation).
39
40config BIG_KEYS
41 tristate "Large payload keys"
42 depends on KEYS
43 depends on TMPFS
44 help
45 This option provides support for holding large keys within the kernel
46 (for example Kerberos ticket caches). The data may be stored out to
47 swapspace by tmpfs.
48
49 If you are unsure as to whether this is required, answer N.
50
22config TRUSTED_KEYS 51config TRUSTED_KEYS
23 tristate "TRUSTED KEYS" 52 tristate "TRUSTED KEYS"
24 depends on KEYS && TCG_TPM 53 depends on KEYS && TCG_TPM
diff --git a/security/keys/Makefile b/security/keys/Makefile
index 504aaa008388..dfb3a7bededf 100644
--- a/security/keys/Makefile
+++ b/security/keys/Makefile
@@ -18,9 +18,11 @@ obj-y := \
18obj-$(CONFIG_KEYS_COMPAT) += compat.o 18obj-$(CONFIG_KEYS_COMPAT) += compat.o
19obj-$(CONFIG_PROC_FS) += proc.o 19obj-$(CONFIG_PROC_FS) += proc.o
20obj-$(CONFIG_SYSCTL) += sysctl.o 20obj-$(CONFIG_SYSCTL) += sysctl.o
21obj-$(CONFIG_PERSISTENT_KEYRINGS) += persistent.o
21 22
22# 23#
23# Key types 24# Key types
24# 25#
26obj-$(CONFIG_BIG_KEYS) += big_key.o
25obj-$(CONFIG_TRUSTED_KEYS) += trusted.o 27obj-$(CONFIG_TRUSTED_KEYS) += trusted.o
26obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/ 28obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/
diff --git a/security/keys/big_key.c b/security/keys/big_key.c
new file mode 100644
index 000000000000..5f9defc4a807
--- /dev/null
+++ b/security/keys/big_key.c
@@ -0,0 +1,204 @@
1/* Large capacity key type
2 *
3 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/seq_file.h>
15#include <linux/file.h>
16#include <linux/shmem_fs.h>
17#include <linux/err.h>
18#include <keys/user-type.h>
19#include <keys/big_key-type.h>
20
21MODULE_LICENSE("GPL");
22
23/*
24 * If the data is under this limit, there's no point creating a shm file to
25 * hold it as the permanently resident metadata for the shmem fs will be at
26 * least as large as the data.
27 */
28#define BIG_KEY_FILE_THRESHOLD (sizeof(struct inode) + sizeof(struct dentry))
29
30/*
31 * big_key defined keys take an arbitrary string as the description and an
32 * arbitrary blob of data as the payload
33 */
34struct key_type key_type_big_key = {
35 .name = "big_key",
36 .def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
37 .instantiate = big_key_instantiate,
38 .match = user_match,
39 .revoke = big_key_revoke,
40 .destroy = big_key_destroy,
41 .describe = big_key_describe,
42 .read = big_key_read,
43};
44
45/*
46 * Instantiate a big key
47 */
48int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
49{
50 struct path *path = (struct path *)&key->payload.data2;
51 struct file *file;
52 ssize_t written;
53 size_t datalen = prep->datalen;
54 int ret;
55
56 ret = -EINVAL;
57 if (datalen <= 0 || datalen > 1024 * 1024 || !prep->data)
58 goto error;
59
60 /* Set an arbitrary quota */
61 ret = key_payload_reserve(key, 16);
62 if (ret < 0)
63 goto error;
64
65 key->type_data.x[1] = datalen;
66
67 if (datalen > BIG_KEY_FILE_THRESHOLD) {
68 /* Create a shmem file to store the data in. This will permit the data
69 * to be swapped out if needed.
70 *
71 * TODO: Encrypt the stored data with a temporary key.
72 */
73 file = shmem_file_setup("", datalen, 0);
74 if (IS_ERR(file))
75 goto err_quota;
76
77 written = kernel_write(file, prep->data, prep->datalen, 0);
78 if (written != datalen) {
79 if (written >= 0)
80 ret = -ENOMEM;
81 goto err_fput;
82 }
83
84 /* Pin the mount and dentry to the key so that we can open it again
85 * later
86 */
87 *path = file->f_path;
88 path_get(path);
89 fput(file);
90 } else {
91 /* Just store the data in a buffer */
92 void *data = kmalloc(datalen, GFP_KERNEL);
93 if (!data) {
94 ret = -ENOMEM;
95 goto err_quota;
96 }
97
98 key->payload.data = memcpy(data, prep->data, prep->datalen);
99 }
100 return 0;
101
102err_fput:
103 fput(file);
104err_quota:
105 key_payload_reserve(key, 0);
106error:
107 return ret;
108}
109
110/*
111 * dispose of the links from a revoked keyring
112 * - called with the key sem write-locked
113 */
114void big_key_revoke(struct key *key)
115{
116 struct path *path = (struct path *)&key->payload.data2;
117
118 /* clear the quota */
119 key_payload_reserve(key, 0);
120 if (key_is_instantiated(key) && key->type_data.x[1] > BIG_KEY_FILE_THRESHOLD)
121 vfs_truncate(path, 0);
122}
123
124/*
125 * dispose of the data dangling from the corpse of a big_key key
126 */
127void big_key_destroy(struct key *key)
128{
129 if (key->type_data.x[1] > BIG_KEY_FILE_THRESHOLD) {
130 struct path *path = (struct path *)&key->payload.data2;
131 path_put(path);
132 path->mnt = NULL;
133 path->dentry = NULL;
134 } else {
135 kfree(key->payload.data);
136 key->payload.data = NULL;
137 }
138}
139
140/*
141 * describe the big_key key
142 */
143void big_key_describe(const struct key *key, struct seq_file *m)
144{
145 unsigned long datalen = key->type_data.x[1];
146
147 seq_puts(m, key->description);
148
149 if (key_is_instantiated(key))
150 seq_printf(m, ": %lu [%s]",
151 datalen,
152 datalen > BIG_KEY_FILE_THRESHOLD ? "file" : "buff");
153}
154
155/*
156 * read the key data
157 * - the key's semaphore is read-locked
158 */
159long big_key_read(const struct key *key, char __user *buffer, size_t buflen)
160{
161 unsigned long datalen = key->type_data.x[1];
162 long ret;
163
164 if (!buffer || buflen < datalen)
165 return datalen;
166
167 if (datalen > BIG_KEY_FILE_THRESHOLD) {
168 struct path *path = (struct path *)&key->payload.data2;
169 struct file *file;
170 loff_t pos;
171
172 file = dentry_open(path, O_RDONLY, current_cred());
173 if (IS_ERR(file))
174 return PTR_ERR(file);
175
176 pos = 0;
177 ret = vfs_read(file, buffer, datalen, &pos);
178 fput(file);
179 if (ret >= 0 && ret != datalen)
180 ret = -EIO;
181 } else {
182 ret = datalen;
183 if (copy_to_user(buffer, key->payload.data, datalen) != 0)
184 ret = -EFAULT;
185 }
186
187 return ret;
188}
189
190/*
191 * Module stuff
192 */
193static int __init big_key_init(void)
194{
195 return register_key_type(&key_type_big_key);
196}
197
198static void __exit big_key_cleanup(void)
199{
200 unregister_key_type(&key_type_big_key);
201}
202
203module_init(big_key_init);
204module_exit(big_key_cleanup);
diff --git a/security/keys/compat.c b/security/keys/compat.c
index d65fa7fa29ba..bbd32c729dbb 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -138,6 +138,9 @@ asmlinkage long compat_sys_keyctl(u32 option,
138 case KEYCTL_INVALIDATE: 138 case KEYCTL_INVALIDATE:
139 return keyctl_invalidate_key(arg2); 139 return keyctl_invalidate_key(arg2);
140 140
141 case KEYCTL_GET_PERSISTENT:
142 return keyctl_get_persistent(arg2, arg3);
143
141 default: 144 default:
142 return -EOPNOTSUPP; 145 return -EOPNOTSUPP;
143 } 146 }
diff --git a/security/keys/gc.c b/security/keys/gc.c
index d67c97bb1025..cce621c33dce 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -130,6 +130,13 @@ void key_gc_keytype(struct key_type *ktype)
130 kleave(""); 130 kleave("");
131} 131}
132 132
133static int key_gc_keyring_func(const void *object, void *iterator_data)
134{
135 const struct key *key = object;
136 time_t *limit = iterator_data;
137 return key_is_dead(key, *limit);
138}
139
133/* 140/*
134 * Garbage collect pointers from a keyring. 141 * Garbage collect pointers from a keyring.
135 * 142 *
@@ -138,10 +145,9 @@ void key_gc_keytype(struct key_type *ktype)
138 */ 145 */
139static void key_gc_keyring(struct key *keyring, time_t limit) 146static void key_gc_keyring(struct key *keyring, time_t limit)
140{ 147{
141 struct keyring_list *klist; 148 int result;
142 int loop;
143 149
144 kenter("%x", key_serial(keyring)); 150 kenter("%x{%s}", keyring->serial, keyring->description ?: "");
145 151
146 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) | 152 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
147 (1 << KEY_FLAG_REVOKED))) 153 (1 << KEY_FLAG_REVOKED)))
@@ -149,27 +155,17 @@ static void key_gc_keyring(struct key *keyring, time_t limit)
149 155
150 /* scan the keyring looking for dead keys */ 156 /* scan the keyring looking for dead keys */
151 rcu_read_lock(); 157 rcu_read_lock();
152 klist = rcu_dereference(keyring->payload.subscriptions); 158 result = assoc_array_iterate(&keyring->keys,
153 if (!klist) 159 key_gc_keyring_func, &limit);
154 goto unlock_dont_gc;
155
156 loop = klist->nkeys;
157 smp_rmb();
158 for (loop--; loop >= 0; loop--) {
159 struct key *key = rcu_dereference(klist->keys[loop]);
160 if (key_is_dead(key, limit))
161 goto do_gc;
162 }
163
164unlock_dont_gc:
165 rcu_read_unlock(); 160 rcu_read_unlock();
161 if (result == true)
162 goto do_gc;
163
166dont_gc: 164dont_gc:
167 kleave(" [no gc]"); 165 kleave(" [no gc]");
168 return; 166 return;
169 167
170do_gc: 168do_gc:
171 rcu_read_unlock();
172
173 keyring_gc(keyring, limit); 169 keyring_gc(keyring, limit);
174 kleave(" [gc]"); 170 kleave(" [gc]");
175} 171}
@@ -392,7 +388,6 @@ found_unreferenced_key:
392 */ 388 */
393found_keyring: 389found_keyring:
394 spin_unlock(&key_serial_lock); 390 spin_unlock(&key_serial_lock);
395 kdebug("scan keyring %d", key->serial);
396 key_gc_keyring(key, limit); 391 key_gc_keyring(key, limit);
397 goto maybe_resched; 392 goto maybe_resched;
398 393
diff --git a/security/keys/internal.h b/security/keys/internal.h
index d4f1468b9b50..80b2aac4f50c 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -89,42 +89,53 @@ extern struct key_type *key_type_lookup(const char *type);
89extern void key_type_put(struct key_type *ktype); 89extern void key_type_put(struct key_type *ktype);
90 90
91extern int __key_link_begin(struct key *keyring, 91extern int __key_link_begin(struct key *keyring,
92 const struct key_type *type, 92 const struct keyring_index_key *index_key,
93 const char *description, 93 struct assoc_array_edit **_edit);
94 unsigned long *_prealloc);
95extern int __key_link_check_live_key(struct key *keyring, struct key *key); 94extern int __key_link_check_live_key(struct key *keyring, struct key *key);
96extern void __key_link(struct key *keyring, struct key *key, 95extern void __key_link(struct key *key, struct assoc_array_edit **_edit);
97 unsigned long *_prealloc);
98extern void __key_link_end(struct key *keyring, 96extern void __key_link_end(struct key *keyring,
99 struct key_type *type, 97 const struct keyring_index_key *index_key,
100 unsigned long prealloc); 98 struct assoc_array_edit *edit);
101 99
102extern key_ref_t __keyring_search_one(key_ref_t keyring_ref, 100extern key_ref_t find_key_to_update(key_ref_t keyring_ref,
103 const struct key_type *type, 101 const struct keyring_index_key *index_key);
104 const char *description,
105 key_perm_t perm);
106 102
107extern struct key *keyring_search_instkey(struct key *keyring, 103extern struct key *keyring_search_instkey(struct key *keyring,
108 key_serial_t target_id); 104 key_serial_t target_id);
109 105
106extern int iterate_over_keyring(const struct key *keyring,
107 int (*func)(const struct key *key, void *data),
108 void *data);
109
110typedef int (*key_match_func_t)(const struct key *, const void *); 110typedef int (*key_match_func_t)(const struct key *, const void *);
111 111
112struct keyring_search_context {
113 struct keyring_index_key index_key;
114 const struct cred *cred;
115 key_match_func_t match;
116 const void *match_data;
117 unsigned flags;
118#define KEYRING_SEARCH_LOOKUP_TYPE 0x0001 /* [as type->def_lookup_type] */
119#define KEYRING_SEARCH_NO_STATE_CHECK 0x0002 /* Skip state checks */
120#define KEYRING_SEARCH_DO_STATE_CHECK 0x0004 /* Override NO_STATE_CHECK */
121#define KEYRING_SEARCH_NO_UPDATE_TIME 0x0008 /* Don't update times */
122#define KEYRING_SEARCH_NO_CHECK_PERM 0x0010 /* Don't check permissions */
123#define KEYRING_SEARCH_DETECT_TOO_DEEP 0x0020 /* Give an error on excessive depth */
124
125 int (*iterator)(const void *object, void *iterator_data);
126
127 /* Internal stuff */
128 int skipped_ret;
129 bool possessed;
130 key_ref_t result;
131 struct timespec now;
132};
133
112extern key_ref_t keyring_search_aux(key_ref_t keyring_ref, 134extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
113 const struct cred *cred, 135 struct keyring_search_context *ctx);
114 struct key_type *type, 136
115 const void *description, 137extern key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx);
116 key_match_func_t match, 138extern key_ref_t search_process_keyrings(struct keyring_search_context *ctx);
117 bool no_state_check);
118
119extern key_ref_t search_my_process_keyrings(struct key_type *type,
120 const void *description,
121 key_match_func_t match,
122 bool no_state_check,
123 const struct cred *cred);
124extern key_ref_t search_process_keyrings(struct key_type *type,
125 const void *description,
126 key_match_func_t match,
127 const struct cred *cred);
128 139
129extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check); 140extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
130 141
@@ -202,7 +213,7 @@ extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
202/* 213/*
203 * Determine whether a key is dead. 214 * Determine whether a key is dead.
204 */ 215 */
205static inline bool key_is_dead(struct key *key, time_t limit) 216static inline bool key_is_dead(const struct key *key, time_t limit)
206{ 217{
207 return 218 return
208 key->flags & ((1 << KEY_FLAG_DEAD) | 219 key->flags & ((1 << KEY_FLAG_DEAD) |
@@ -244,6 +255,15 @@ extern long keyctl_invalidate_key(key_serial_t);
244extern long keyctl_instantiate_key_common(key_serial_t, 255extern long keyctl_instantiate_key_common(key_serial_t,
245 const struct iovec *, 256 const struct iovec *,
246 unsigned, size_t, key_serial_t); 257 unsigned, size_t, key_serial_t);
258#ifdef CONFIG_PERSISTENT_KEYRINGS
259extern long keyctl_get_persistent(uid_t, key_serial_t);
260extern unsigned persistent_keyring_expiry;
261#else
262static inline long keyctl_get_persistent(uid_t uid, key_serial_t destring)
263{
264 return -EOPNOTSUPP;
265}
266#endif
247 267
248/* 268/*
249 * Debugging key validation 269 * Debugging key validation
diff --git a/security/keys/key.c b/security/keys/key.c
index 8fb7c7bd4657..d331ea9ef380 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -242,8 +242,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
242 } 242 }
243 } 243 }
244 244
245 desclen = strlen(desc) + 1; 245 desclen = strlen(desc);
246 quotalen = desclen + type->def_datalen; 246 quotalen = desclen + 1 + type->def_datalen;
247 247
248 /* get hold of the key tracking for this user */ 248 /* get hold of the key tracking for this user */
249 user = key_user_lookup(uid); 249 user = key_user_lookup(uid);
@@ -277,7 +277,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
277 goto no_memory_2; 277 goto no_memory_2;
278 278
279 if (desc) { 279 if (desc) {
280 key->description = kmemdup(desc, desclen, GFP_KERNEL); 280 key->index_key.desc_len = desclen;
281 key->index_key.description = kmemdup(desc, desclen + 1, GFP_KERNEL);
281 if (!key->description) 282 if (!key->description)
282 goto no_memory_3; 283 goto no_memory_3;
283 } 284 }
@@ -285,7 +286,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
285 atomic_set(&key->usage, 1); 286 atomic_set(&key->usage, 1);
286 init_rwsem(&key->sem); 287 init_rwsem(&key->sem);
287 lockdep_set_class(&key->sem, &type->lock_class); 288 lockdep_set_class(&key->sem, &type->lock_class);
288 key->type = type; 289 key->index_key.type = type;
289 key->user = user; 290 key->user = user;
290 key->quotalen = quotalen; 291 key->quotalen = quotalen;
291 key->datalen = type->def_datalen; 292 key->datalen = type->def_datalen;
@@ -299,6 +300,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
299 300
300 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) 301 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA))
301 key->flags |= 1 << KEY_FLAG_IN_QUOTA; 302 key->flags |= 1 << KEY_FLAG_IN_QUOTA;
303 if (flags & KEY_ALLOC_TRUSTED)
304 key->flags |= 1 << KEY_FLAG_TRUSTED;
302 305
303 memset(&key->type_data, 0, sizeof(key->type_data)); 306 memset(&key->type_data, 0, sizeof(key->type_data));
304 307
@@ -408,7 +411,7 @@ static int __key_instantiate_and_link(struct key *key,
408 struct key_preparsed_payload *prep, 411 struct key_preparsed_payload *prep,
409 struct key *keyring, 412 struct key *keyring,
410 struct key *authkey, 413 struct key *authkey,
411 unsigned long *_prealloc) 414 struct assoc_array_edit **_edit)
412{ 415{
413 int ret, awaken; 416 int ret, awaken;
414 417
@@ -435,7 +438,7 @@ static int __key_instantiate_and_link(struct key *key,
435 438
436 /* and link it into the destination keyring */ 439 /* and link it into the destination keyring */
437 if (keyring) 440 if (keyring)
438 __key_link(keyring, key, _prealloc); 441 __key_link(key, _edit);
439 442
440 /* disable the authorisation key */ 443 /* disable the authorisation key */
441 if (authkey) 444 if (authkey)
@@ -475,7 +478,7 @@ int key_instantiate_and_link(struct key *key,
475 struct key *authkey) 478 struct key *authkey)
476{ 479{
477 struct key_preparsed_payload prep; 480 struct key_preparsed_payload prep;
478 unsigned long prealloc; 481 struct assoc_array_edit *edit;
479 int ret; 482 int ret;
480 483
481 memset(&prep, 0, sizeof(prep)); 484 memset(&prep, 0, sizeof(prep));
@@ -489,17 +492,15 @@ int key_instantiate_and_link(struct key *key,
489 } 492 }
490 493
491 if (keyring) { 494 if (keyring) {
492 ret = __key_link_begin(keyring, key->type, key->description, 495 ret = __key_link_begin(keyring, &key->index_key, &edit);
493 &prealloc);
494 if (ret < 0) 496 if (ret < 0)
495 goto error_free_preparse; 497 goto error_free_preparse;
496 } 498 }
497 499
498 ret = __key_instantiate_and_link(key, &prep, keyring, authkey, 500 ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit);
499 &prealloc);
500 501
501 if (keyring) 502 if (keyring)
502 __key_link_end(keyring, key->type, prealloc); 503 __key_link_end(keyring, &key->index_key, edit);
503 504
504error_free_preparse: 505error_free_preparse:
505 if (key->type->preparse) 506 if (key->type->preparse)
@@ -537,7 +538,7 @@ int key_reject_and_link(struct key *key,
537 struct key *keyring, 538 struct key *keyring,
538 struct key *authkey) 539 struct key *authkey)
539{ 540{
540 unsigned long prealloc; 541 struct assoc_array_edit *edit;
541 struct timespec now; 542 struct timespec now;
542 int ret, awaken, link_ret = 0; 543 int ret, awaken, link_ret = 0;
543 544
@@ -548,8 +549,7 @@ int key_reject_and_link(struct key *key,
548 ret = -EBUSY; 549 ret = -EBUSY;
549 550
550 if (keyring) 551 if (keyring)
551 link_ret = __key_link_begin(keyring, key->type, 552 link_ret = __key_link_begin(keyring, &key->index_key, &edit);
552 key->description, &prealloc);
553 553
554 mutex_lock(&key_construction_mutex); 554 mutex_lock(&key_construction_mutex);
555 555
@@ -571,7 +571,7 @@ int key_reject_and_link(struct key *key,
571 571
572 /* and link it into the destination keyring */ 572 /* and link it into the destination keyring */
573 if (keyring && link_ret == 0) 573 if (keyring && link_ret == 0)
574 __key_link(keyring, key, &prealloc); 574 __key_link(key, &edit);
575 575
576 /* disable the authorisation key */ 576 /* disable the authorisation key */
577 if (authkey) 577 if (authkey)
@@ -581,7 +581,7 @@ int key_reject_and_link(struct key *key,
581 mutex_unlock(&key_construction_mutex); 581 mutex_unlock(&key_construction_mutex);
582 582
583 if (keyring) 583 if (keyring)
584 __key_link_end(keyring, key->type, prealloc); 584 __key_link_end(keyring, &key->index_key, edit);
585 585
586 /* wake up anyone waiting for a key to be constructed */ 586 /* wake up anyone waiting for a key to be constructed */
587 if (awaken) 587 if (awaken)
@@ -645,7 +645,7 @@ found:
645 /* this races with key_put(), but that doesn't matter since key_put() 645 /* this races with key_put(), but that doesn't matter since key_put()
646 * doesn't actually change the key 646 * doesn't actually change the key
647 */ 647 */
648 atomic_inc(&key->usage); 648 __key_get(key);
649 649
650error: 650error:
651 spin_unlock(&key_serial_lock); 651 spin_unlock(&key_serial_lock);
@@ -780,25 +780,27 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
780 key_perm_t perm, 780 key_perm_t perm,
781 unsigned long flags) 781 unsigned long flags)
782{ 782{
783 unsigned long prealloc; 783 struct keyring_index_key index_key = {
784 .description = description,
785 };
784 struct key_preparsed_payload prep; 786 struct key_preparsed_payload prep;
787 struct assoc_array_edit *edit;
785 const struct cred *cred = current_cred(); 788 const struct cred *cred = current_cred();
786 struct key_type *ktype;
787 struct key *keyring, *key = NULL; 789 struct key *keyring, *key = NULL;
788 key_ref_t key_ref; 790 key_ref_t key_ref;
789 int ret; 791 int ret;
790 792
791 /* look up the key type to see if it's one of the registered kernel 793 /* look up the key type to see if it's one of the registered kernel
792 * types */ 794 * types */
793 ktype = key_type_lookup(type); 795 index_key.type = key_type_lookup(type);
794 if (IS_ERR(ktype)) { 796 if (IS_ERR(index_key.type)) {
795 key_ref = ERR_PTR(-ENODEV); 797 key_ref = ERR_PTR(-ENODEV);
796 goto error; 798 goto error;
797 } 799 }
798 800
799 key_ref = ERR_PTR(-EINVAL); 801 key_ref = ERR_PTR(-EINVAL);
800 if (!ktype->match || !ktype->instantiate || 802 if (!index_key.type->match || !index_key.type->instantiate ||
801 (!description && !ktype->preparse)) 803 (!index_key.description && !index_key.type->preparse))
802 goto error_put_type; 804 goto error_put_type;
803 805
804 keyring = key_ref_to_ptr(keyring_ref); 806 keyring = key_ref_to_ptr(keyring_ref);
@@ -812,21 +814,28 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
812 memset(&prep, 0, sizeof(prep)); 814 memset(&prep, 0, sizeof(prep));
813 prep.data = payload; 815 prep.data = payload;
814 prep.datalen = plen; 816 prep.datalen = plen;
815 prep.quotalen = ktype->def_datalen; 817 prep.quotalen = index_key.type->def_datalen;
816 if (ktype->preparse) { 818 prep.trusted = flags & KEY_ALLOC_TRUSTED;
817 ret = ktype->preparse(&prep); 819 if (index_key.type->preparse) {
820 ret = index_key.type->preparse(&prep);
818 if (ret < 0) { 821 if (ret < 0) {
819 key_ref = ERR_PTR(ret); 822 key_ref = ERR_PTR(ret);
820 goto error_put_type; 823 goto error_put_type;
821 } 824 }
822 if (!description) 825 if (!index_key.description)
823 description = prep.description; 826 index_key.description = prep.description;
824 key_ref = ERR_PTR(-EINVAL); 827 key_ref = ERR_PTR(-EINVAL);
825 if (!description) 828 if (!index_key.description)
826 goto error_free_prep; 829 goto error_free_prep;
827 } 830 }
831 index_key.desc_len = strlen(index_key.description);
832
833 key_ref = ERR_PTR(-EPERM);
834 if (!prep.trusted && test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags))
835 goto error_free_prep;
836 flags |= prep.trusted ? KEY_ALLOC_TRUSTED : 0;
828 837
829 ret = __key_link_begin(keyring, ktype, description, &prealloc); 838 ret = __key_link_begin(keyring, &index_key, &edit);
830 if (ret < 0) { 839 if (ret < 0) {
831 key_ref = ERR_PTR(ret); 840 key_ref = ERR_PTR(ret);
832 goto error_free_prep; 841 goto error_free_prep;
@@ -844,10 +853,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
844 * key of the same type and description in the destination keyring and 853 * key of the same type and description in the destination keyring and
845 * update that instead if possible 854 * update that instead if possible
846 */ 855 */
847 if (ktype->update) { 856 if (index_key.type->update) {
848 key_ref = __keyring_search_one(keyring_ref, ktype, description, 857 key_ref = find_key_to_update(keyring_ref, &index_key);
849 0); 858 if (key_ref)
850 if (!IS_ERR(key_ref))
851 goto found_matching_key; 859 goto found_matching_key;
852 } 860 }
853 861
@@ -856,23 +864,24 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
856 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; 864 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
857 perm |= KEY_USR_VIEW; 865 perm |= KEY_USR_VIEW;
858 866
859 if (ktype->read) 867 if (index_key.type->read)
860 perm |= KEY_POS_READ; 868 perm |= KEY_POS_READ;
861 869
862 if (ktype == &key_type_keyring || ktype->update) 870 if (index_key.type == &key_type_keyring ||
871 index_key.type->update)
863 perm |= KEY_POS_WRITE; 872 perm |= KEY_POS_WRITE;
864 } 873 }
865 874
866 /* allocate a new key */ 875 /* allocate a new key */
867 key = key_alloc(ktype, description, cred->fsuid, cred->fsgid, cred, 876 key = key_alloc(index_key.type, index_key.description,
868 perm, flags); 877 cred->fsuid, cred->fsgid, cred, perm, flags);
869 if (IS_ERR(key)) { 878 if (IS_ERR(key)) {
870 key_ref = ERR_CAST(key); 879 key_ref = ERR_CAST(key);
871 goto error_link_end; 880 goto error_link_end;
872 } 881 }
873 882
874 /* instantiate it and link it into the target keyring */ 883 /* instantiate it and link it into the target keyring */
875 ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &prealloc); 884 ret = __key_instantiate_and_link(key, &prep, keyring, NULL, &edit);
876 if (ret < 0) { 885 if (ret < 0) {
877 key_put(key); 886 key_put(key);
878 key_ref = ERR_PTR(ret); 887 key_ref = ERR_PTR(ret);
@@ -882,12 +891,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
882 key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); 891 key_ref = make_key_ref(key, is_key_possessed(keyring_ref));
883 892
884error_link_end: 893error_link_end:
885 __key_link_end(keyring, ktype, prealloc); 894 __key_link_end(keyring, &index_key, edit);
886error_free_prep: 895error_free_prep:
887 if (ktype->preparse) 896 if (index_key.type->preparse)
888 ktype->free_preparse(&prep); 897 index_key.type->free_preparse(&prep);
889error_put_type: 898error_put_type:
890 key_type_put(ktype); 899 key_type_put(index_key.type);
891error: 900error:
892 return key_ref; 901 return key_ref;
893 902
@@ -895,7 +904,7 @@ error:
895 /* we found a matching key, so we're going to try to update it 904 /* we found a matching key, so we're going to try to update it
896 * - we can drop the locks first as we have the key pinned 905 * - we can drop the locks first as we have the key pinned
897 */ 906 */
898 __key_link_end(keyring, ktype, prealloc); 907 __key_link_end(keyring, &index_key, edit);
899 908
900 key_ref = __key_update(key_ref, &prep); 909 key_ref = __key_update(key_ref, &prep);
901 goto error_free_prep; 910 goto error_free_prep;
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 33cfd27b4de2..cee72ce64222 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1667,6 +1667,9 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1667 case KEYCTL_INVALIDATE: 1667 case KEYCTL_INVALIDATE:
1668 return keyctl_invalidate_key((key_serial_t) arg2); 1668 return keyctl_invalidate_key((key_serial_t) arg2);
1669 1669
1670 case KEYCTL_GET_PERSISTENT:
1671 return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3);
1672
1670 default: 1673 default:
1671 return -EOPNOTSUPP; 1674 return -EOPNOTSUPP;
1672 } 1675 }
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 6ece7f2e5707..9b6f6e09b50c 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -1,6 +1,6 @@
1/* Keyring handling 1/* Keyring handling
2 * 2 *
3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. 3 * Copyright (C) 2004-2005, 2008, 2013 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com) 4 * Written by David Howells (dhowells@redhat.com)
5 * 5 *
6 * This program is free software; you can redistribute it and/or 6 * This program is free software; you can redistribute it and/or
@@ -17,25 +17,11 @@
17#include <linux/seq_file.h> 17#include <linux/seq_file.h>
18#include <linux/err.h> 18#include <linux/err.h>
19#include <keys/keyring-type.h> 19#include <keys/keyring-type.h>
20#include <keys/user-type.h>
21#include <linux/assoc_array_priv.h>
20#include <linux/uaccess.h> 22#include <linux/uaccess.h>
21#include "internal.h" 23#include "internal.h"
22 24
23#define rcu_dereference_locked_keyring(keyring) \
24 (rcu_dereference_protected( \
25 (keyring)->payload.subscriptions, \
26 rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))
27
28#define rcu_deref_link_locked(klist, index, keyring) \
29 (rcu_dereference_protected( \
30 (klist)->keys[index], \
31 rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))
32
33#define MAX_KEYRING_LINKS \
34 min_t(size_t, USHRT_MAX - 1, \
35 ((PAGE_SIZE - sizeof(struct keyring_list)) / sizeof(struct key *)))
36
37#define KEY_LINK_FIXQUOTA 1UL
38
39/* 25/*
40 * When plumbing the depths of the key tree, this sets a hard limit 26 * When plumbing the depths of the key tree, this sets a hard limit
41 * set on how deep we're willing to go. 27 * set on how deep we're willing to go.
@@ -47,6 +33,28 @@
47 */ 33 */
48#define KEYRING_NAME_HASH_SIZE (1 << 5) 34#define KEYRING_NAME_HASH_SIZE (1 << 5)
49 35
36/*
37 * We mark pointers we pass to the associative array with bit 1 set if
38 * they're keyrings and clear otherwise.
39 */
40#define KEYRING_PTR_SUBTYPE 0x2UL
41
42static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x)
43{
44 return (unsigned long)x & KEYRING_PTR_SUBTYPE;
45}
46static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x)
47{
48 void *object = assoc_array_ptr_to_leaf(x);
49 return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE);
50}
51static inline void *keyring_key_to_ptr(struct key *key)
52{
53 if (key->type == &key_type_keyring)
54 return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE);
55 return key;
56}
57
50static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE]; 58static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE];
51static DEFINE_RWLOCK(keyring_name_lock); 59static DEFINE_RWLOCK(keyring_name_lock);
52 60
@@ -67,7 +75,6 @@ static inline unsigned keyring_hash(const char *desc)
67 */ 75 */
68static int keyring_instantiate(struct key *keyring, 76static int keyring_instantiate(struct key *keyring,
69 struct key_preparsed_payload *prep); 77 struct key_preparsed_payload *prep);
70static int keyring_match(const struct key *keyring, const void *criterion);
71static void keyring_revoke(struct key *keyring); 78static void keyring_revoke(struct key *keyring);
72static void keyring_destroy(struct key *keyring); 79static void keyring_destroy(struct key *keyring);
73static void keyring_describe(const struct key *keyring, struct seq_file *m); 80static void keyring_describe(const struct key *keyring, struct seq_file *m);
@@ -76,9 +83,9 @@ static long keyring_read(const struct key *keyring,
76 83
77struct key_type key_type_keyring = { 84struct key_type key_type_keyring = {
78 .name = "keyring", 85 .name = "keyring",
79 .def_datalen = sizeof(struct keyring_list), 86 .def_datalen = 0,
80 .instantiate = keyring_instantiate, 87 .instantiate = keyring_instantiate,
81 .match = keyring_match, 88 .match = user_match,
82 .revoke = keyring_revoke, 89 .revoke = keyring_revoke,
83 .destroy = keyring_destroy, 90 .destroy = keyring_destroy,
84 .describe = keyring_describe, 91 .describe = keyring_describe,
@@ -127,6 +134,7 @@ static int keyring_instantiate(struct key *keyring,
127 134
128 ret = -EINVAL; 135 ret = -EINVAL;
129 if (prep->datalen == 0) { 136 if (prep->datalen == 0) {
137 assoc_array_init(&keyring->keys);
130 /* make the keyring available by name if it has one */ 138 /* make the keyring available by name if it has one */
131 keyring_publish_name(keyring); 139 keyring_publish_name(keyring);
132 ret = 0; 140 ret = 0;
@@ -136,15 +144,226 @@ static int keyring_instantiate(struct key *keyring,
136} 144}
137 145
138/* 146/*
139 * Match keyrings on their name 147 * Multiply 64-bits by 32-bits to 96-bits and fold back to 64-bit. Ideally we'd
148 * fold the carry back too, but that requires inline asm.
149 */
150static u64 mult_64x32_and_fold(u64 x, u32 y)
151{
152 u64 hi = (u64)(u32)(x >> 32) * y;
153 u64 lo = (u64)(u32)(x) * y;
154 return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32);
155}
156
157/*
158 * Hash a key type and description.
140 */ 159 */
141static int keyring_match(const struct key *keyring, const void *description) 160static unsigned long hash_key_type_and_desc(const struct keyring_index_key *index_key)
142{ 161{
143 return keyring->description && 162 const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP;
144 strcmp(keyring->description, description) == 0; 163 const unsigned long level_mask = ASSOC_ARRAY_LEVEL_STEP_MASK;
164 const char *description = index_key->description;
165 unsigned long hash, type;
166 u32 piece;
167 u64 acc;
168 int n, desc_len = index_key->desc_len;
169
170 type = (unsigned long)index_key->type;
171
172 acc = mult_64x32_and_fold(type, desc_len + 13);
173 acc = mult_64x32_and_fold(acc, 9207);
174 for (;;) {
175 n = desc_len;
176 if (n <= 0)
177 break;
178 if (n > 4)
179 n = 4;
180 piece = 0;
181 memcpy(&piece, description, n);
182 description += n;
183 desc_len -= n;
184 acc = mult_64x32_and_fold(acc, piece);
185 acc = mult_64x32_and_fold(acc, 9207);
186 }
187
188 /* Fold the hash down to 32 bits if need be. */
189 hash = acc;
190 if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32)
191 hash ^= acc >> 32;
192
193 /* Squidge all the keyrings into a separate part of the tree to
194 * ordinary keys by making sure the lowest level segment in the hash is
195 * zero for keyrings and non-zero otherwise.
196 */
197 if (index_key->type != &key_type_keyring && (hash & level_mask) == 0)
198 return hash | (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1;
199 if (index_key->type == &key_type_keyring && (hash & level_mask) != 0)
200 return (hash + (hash << level_shift)) & ~level_mask;
201 return hash;
145} 202}
146 203
147/* 204/*
205 * Build the next index key chunk.
206 *
207 * On 32-bit systems the index key is laid out as:
208 *
209 * 0 4 5 9...
210 * hash desclen typeptr desc[]
211 *
212 * On 64-bit systems:
213 *
214 * 0 8 9 17...
215 * hash desclen typeptr desc[]
216 *
217 * We return it one word-sized chunk at a time.
218 */
219static unsigned long keyring_get_key_chunk(const void *data, int level)
220{
221 const struct keyring_index_key *index_key = data;
222 unsigned long chunk = 0;
223 long offset = 0;
224 int desc_len = index_key->desc_len, n = sizeof(chunk);
225
226 level /= ASSOC_ARRAY_KEY_CHUNK_SIZE;
227 switch (level) {
228 case 0:
229 return hash_key_type_and_desc(index_key);
230 case 1:
231 return ((unsigned long)index_key->type << 8) | desc_len;
232 case 2:
233 if (desc_len == 0)
234 return (u8)((unsigned long)index_key->type >>
235 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8));
236 n--;
237 offset = 1;
238 default:
239 offset += sizeof(chunk) - 1;
240 offset += (level - 3) * sizeof(chunk);
241 if (offset >= desc_len)
242 return 0;
243 desc_len -= offset;
244 if (desc_len > n)
245 desc_len = n;
246 offset += desc_len;
247 do {
248 chunk <<= 8;
249 chunk |= ((u8*)index_key->description)[--offset];
250 } while (--desc_len > 0);
251
252 if (level == 2) {
253 chunk <<= 8;
254 chunk |= (u8)((unsigned long)index_key->type >>
255 (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8));
256 }
257 return chunk;
258 }
259}
260
261static unsigned long keyring_get_object_key_chunk(const void *object, int level)
262{
263 const struct key *key = keyring_ptr_to_key(object);
264 return keyring_get_key_chunk(&key->index_key, level);
265}
266
267static bool keyring_compare_object(const void *object, const void *data)
268{
269 const struct keyring_index_key *index_key = data;
270 const struct key *key = keyring_ptr_to_key(object);
271
272 return key->index_key.type == index_key->type &&
273 key->index_key.desc_len == index_key->desc_len &&
274 memcmp(key->index_key.description, index_key->description,
275 index_key->desc_len) == 0;
276}
277
278/*
279 * Compare the index keys of a pair of objects and determine the bit position
280 * at which they differ - if they differ.
281 */
282static int keyring_diff_objects(const void *_a, const void *_b)
283{
284 const struct key *key_a = keyring_ptr_to_key(_a);
285 const struct key *key_b = keyring_ptr_to_key(_b);
286 const struct keyring_index_key *a = &key_a->index_key;
287 const struct keyring_index_key *b = &key_b->index_key;
288 unsigned long seg_a, seg_b;
289 int level, i;
290
291 level = 0;
292 seg_a = hash_key_type_and_desc(a);
293 seg_b = hash_key_type_and_desc(b);
294 if ((seg_a ^ seg_b) != 0)
295 goto differ;
296
297 /* The number of bits contributed by the hash is controlled by a
298 * constant in the assoc_array headers. Everything else thereafter we
299 * can deal with as being machine word-size dependent.
300 */
301 level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8;
302 seg_a = a->desc_len;
303 seg_b = b->desc_len;
304 if ((seg_a ^ seg_b) != 0)
305 goto differ;
306
307 /* The next bit may not work on big endian */
308 level++;
309 seg_a = (unsigned long)a->type;
310 seg_b = (unsigned long)b->type;
311 if ((seg_a ^ seg_b) != 0)
312 goto differ;
313
314 level += sizeof(unsigned long);
315 if (a->desc_len == 0)
316 goto same;
317
318 i = 0;
319 if (((unsigned long)a->description | (unsigned long)b->description) &
320 (sizeof(unsigned long) - 1)) {
321 do {
322 seg_a = *(unsigned long *)(a->description + i);
323 seg_b = *(unsigned long *)(b->description + i);
324 if ((seg_a ^ seg_b) != 0)
325 goto differ_plus_i;
326 i += sizeof(unsigned long);
327 } while (i < (a->desc_len & (sizeof(unsigned long) - 1)));
328 }
329
330 for (; i < a->desc_len; i++) {
331 seg_a = *(unsigned char *)(a->description + i);
332 seg_b = *(unsigned char *)(b->description + i);
333 if ((seg_a ^ seg_b) != 0)
334 goto differ_plus_i;
335 }
336
337same:
338 return -1;
339
340differ_plus_i:
341 level += i;
342differ:
343 i = level * 8 + __ffs(seg_a ^ seg_b);
344 return i;
345}
346
347/*
348 * Free an object after stripping the keyring flag off of the pointer.
349 */
350static void keyring_free_object(void *object)
351{
352 key_put(keyring_ptr_to_key(object));
353}
354
355/*
356 * Operations for keyring management by the index-tree routines.
357 */
358static const struct assoc_array_ops keyring_assoc_array_ops = {
359 .get_key_chunk = keyring_get_key_chunk,
360 .get_object_key_chunk = keyring_get_object_key_chunk,
361 .compare_object = keyring_compare_object,
362 .diff_objects = keyring_diff_objects,
363 .free_object = keyring_free_object,
364};
365
366/*
148 * Clean up a keyring when it is destroyed. Unpublish its name if it had one 367 * Clean up a keyring when it is destroyed. Unpublish its name if it had one
149 * and dispose of its data. 368 * and dispose of its data.
150 * 369 *
@@ -155,9 +374,6 @@ static int keyring_match(const struct key *keyring, const void *description)
155 */ 374 */
156static void keyring_destroy(struct key *keyring) 375static void keyring_destroy(struct key *keyring)
157{ 376{
158 struct keyring_list *klist;
159 int loop;
160
161 if (keyring->description) { 377 if (keyring->description) {
162 write_lock(&keyring_name_lock); 378 write_lock(&keyring_name_lock);
163 379
@@ -168,12 +384,7 @@ static void keyring_destroy(struct key *keyring)
168 write_unlock(&keyring_name_lock); 384 write_unlock(&keyring_name_lock);
169 } 385 }
170 386
171 klist = rcu_access_pointer(keyring->payload.subscriptions); 387 assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops);
172 if (klist) {
173 for (loop = klist->nkeys - 1; loop >= 0; loop--)
174 key_put(rcu_access_pointer(klist->keys[loop]));
175 kfree(klist);
176 }
177} 388}
178 389
179/* 390/*
@@ -181,76 +392,88 @@ static void keyring_destroy(struct key *keyring)
181 */ 392 */
182static void keyring_describe(const struct key *keyring, struct seq_file *m) 393static void keyring_describe(const struct key *keyring, struct seq_file *m)
183{ 394{
184 struct keyring_list *klist;
185
186 if (keyring->description) 395 if (keyring->description)
187 seq_puts(m, keyring->description); 396 seq_puts(m, keyring->description);
188 else 397 else
189 seq_puts(m, "[anon]"); 398 seq_puts(m, "[anon]");
190 399
191 if (key_is_instantiated(keyring)) { 400 if (key_is_instantiated(keyring)) {
192 rcu_read_lock(); 401 if (keyring->keys.nr_leaves_on_tree != 0)
193 klist = rcu_dereference(keyring->payload.subscriptions); 402 seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree);
194 if (klist)
195 seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys);
196 else 403 else
197 seq_puts(m, ": empty"); 404 seq_puts(m, ": empty");
198 rcu_read_unlock();
199 } 405 }
200} 406}
201 407
408struct keyring_read_iterator_context {
409 size_t qty;
410 size_t count;
411 key_serial_t __user *buffer;
412};
413
414static int keyring_read_iterator(const void *object, void *data)
415{
416 struct keyring_read_iterator_context *ctx = data;
417 const struct key *key = keyring_ptr_to_key(object);
418 int ret;
419
420 kenter("{%s,%d},,{%zu/%zu}",
421 key->type->name, key->serial, ctx->count, ctx->qty);
422
423 if (ctx->count >= ctx->qty)
424 return 1;
425
426 ret = put_user(key->serial, ctx->buffer);
427 if (ret < 0)
428 return ret;
429 ctx->buffer++;
430 ctx->count += sizeof(key->serial);
431 return 0;
432}
433
202/* 434/*
203 * Read a list of key IDs from the keyring's contents in binary form 435 * Read a list of key IDs from the keyring's contents in binary form
204 * 436 *
205 * The keyring's semaphore is read-locked by the caller. 437 * The keyring's semaphore is read-locked by the caller. This prevents someone
438 * from modifying it under us - which could cause us to read key IDs multiple
439 * times.
206 */ 440 */
207static long keyring_read(const struct key *keyring, 441static long keyring_read(const struct key *keyring,
208 char __user *buffer, size_t buflen) 442 char __user *buffer, size_t buflen)
209{ 443{
210 struct keyring_list *klist; 444 struct keyring_read_iterator_context ctx;
211 struct key *key; 445 unsigned long nr_keys;
212 size_t qty, tmp; 446 int ret;
213 int loop, ret;
214 447
215 ret = 0; 448 kenter("{%d},,%zu", key_serial(keyring), buflen);
216 klist = rcu_dereference_locked_keyring(keyring);
217 if (klist) {
218 /* calculate how much data we could return */
219 qty = klist->nkeys * sizeof(key_serial_t);
220
221 if (buffer && buflen > 0) {
222 if (buflen > qty)
223 buflen = qty;
224
225 /* copy the IDs of the subscribed keys into the
226 * buffer */
227 ret = -EFAULT;
228
229 for (loop = 0; loop < klist->nkeys; loop++) {
230 key = rcu_deref_link_locked(klist, loop,
231 keyring);
232
233 tmp = sizeof(key_serial_t);
234 if (tmp > buflen)
235 tmp = buflen;
236
237 if (copy_to_user(buffer,
238 &key->serial,
239 tmp) != 0)
240 goto error;
241
242 buflen -= tmp;
243 if (buflen == 0)
244 break;
245 buffer += tmp;
246 }
247 }
248 449
249 ret = qty; 450 if (buflen & (sizeof(key_serial_t) - 1))
451 return -EINVAL;
452
453 nr_keys = keyring->keys.nr_leaves_on_tree;
454 if (nr_keys == 0)
455 return 0;
456
457 /* Calculate how much data we could return */
458 ctx.qty = nr_keys * sizeof(key_serial_t);
459
460 if (!buffer || !buflen)
461 return ctx.qty;
462
463 if (buflen > ctx.qty)
464 ctx.qty = buflen;
465
466 /* Copy the IDs of the subscribed keys into the buffer */
467 ctx.buffer = (key_serial_t __user *)buffer;
468 ctx.count = 0;
469 ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
470 if (ret < 0) {
471 kleave(" = %d [iterate]", ret);
472 return ret;
250 } 473 }
251 474
252error: 475 kleave(" = %zu [ok]", ctx.count);
253 return ret; 476 return ctx.count;
254} 477}
255 478
256/* 479/*
@@ -277,227 +500,360 @@ struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
277} 500}
278EXPORT_SYMBOL(keyring_alloc); 501EXPORT_SYMBOL(keyring_alloc);
279 502
280/** 503/*
281 * keyring_search_aux - Search a keyring tree for a key matching some criteria 504 * Iteration function to consider each key found.
282 * @keyring_ref: A pointer to the keyring with possession indicator.
283 * @cred: The credentials to use for permissions checks.
284 * @type: The type of key to search for.
285 * @description: Parameter for @match.
286 * @match: Function to rule on whether or not a key is the one required.
287 * @no_state_check: Don't check if a matching key is bad
288 *
289 * Search the supplied keyring tree for a key that matches the criteria given.
290 * The root keyring and any linked keyrings must grant Search permission to the
291 * caller to be searchable and keys can only be found if they too grant Search
292 * to the caller. The possession flag on the root keyring pointer controls use
293 * of the possessor bits in permissions checking of the entire tree. In
294 * addition, the LSM gets to forbid keyring searches and key matches.
295 *
296 * The search is performed as a breadth-then-depth search up to the prescribed
297 * limit (KEYRING_SEARCH_MAX_DEPTH).
298 *
299 * Keys are matched to the type provided and are then filtered by the match
300 * function, which is given the description to use in any way it sees fit. The
301 * match function may use any attributes of a key that it wishes to to
302 * determine the match. Normally the match function from the key type would be
303 * used.
304 *
305 * RCU is used to prevent the keyring key lists from disappearing without the
306 * need to take lots of locks.
307 *
308 * Returns a pointer to the found key and increments the key usage count if
309 * successful; -EAGAIN if no matching keys were found, or if expired or revoked
310 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
311 * specified keyring wasn't a keyring.
312 *
313 * In the case of a successful return, the possession attribute from
314 * @keyring_ref is propagated to the returned key reference.
315 */ 505 */
316key_ref_t keyring_search_aux(key_ref_t keyring_ref, 506static int keyring_search_iterator(const void *object, void *iterator_data)
317 const struct cred *cred,
318 struct key_type *type,
319 const void *description,
320 key_match_func_t match,
321 bool no_state_check)
322{ 507{
323 struct { 508 struct keyring_search_context *ctx = iterator_data;
324 /* Need a separate keylist pointer for RCU purposes */ 509 const struct key *key = keyring_ptr_to_key(object);
325 struct key *keyring; 510 unsigned long kflags = key->flags;
326 struct keyring_list *keylist;
327 int kix;
328 } stack[KEYRING_SEARCH_MAX_DEPTH];
329 511
330 struct keyring_list *keylist; 512 kenter("{%d}", key->serial);
331 struct timespec now;
332 unsigned long possessed, kflags;
333 struct key *keyring, *key;
334 key_ref_t key_ref;
335 long err;
336 int sp, nkeys, kix;
337
338 keyring = key_ref_to_ptr(keyring_ref);
339 possessed = is_key_possessed(keyring_ref);
340 key_check(keyring);
341 513
342 /* top keyring must have search permission to begin the search */ 514 /* ignore keys not of this type */
343 err = key_task_permission(keyring_ref, cred, KEY_SEARCH); 515 if (key->type != ctx->index_key.type) {
344 if (err < 0) { 516 kleave(" = 0 [!type]");
345 key_ref = ERR_PTR(err); 517 return 0;
346 goto error;
347 } 518 }
348 519
349 key_ref = ERR_PTR(-ENOTDIR); 520 /* skip invalidated, revoked and expired keys */
350 if (keyring->type != &key_type_keyring) 521 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
351 goto error; 522 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
523 (1 << KEY_FLAG_REVOKED))) {
524 ctx->result = ERR_PTR(-EKEYREVOKED);
525 kleave(" = %d [invrev]", ctx->skipped_ret);
526 goto skipped;
527 }
352 528
353 rcu_read_lock(); 529 if (key->expiry && ctx->now.tv_sec >= key->expiry) {
530 ctx->result = ERR_PTR(-EKEYEXPIRED);
531 kleave(" = %d [expire]", ctx->skipped_ret);
532 goto skipped;
533 }
534 }
354 535
355 now = current_kernel_time(); 536 /* keys that don't match */
356 err = -EAGAIN; 537 if (!ctx->match(key, ctx->match_data)) {
357 sp = 0; 538 kleave(" = 0 [!match]");
358 539 return 0;
359 /* firstly we should check to see if this top-level keyring is what we 540 }
360 * are looking for */
361 key_ref = ERR_PTR(-EAGAIN);
362 kflags = keyring->flags;
363 if (keyring->type == type && match(keyring, description)) {
364 key = keyring;
365 if (no_state_check)
366 goto found;
367 541
368 /* check it isn't negative and hasn't expired or been 542 /* key must have search permissions */
369 * revoked */ 543 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
370 if (kflags & (1 << KEY_FLAG_REVOKED)) 544 key_task_permission(make_key_ref(key, ctx->possessed),
371 goto error_2; 545 ctx->cred, KEY_SEARCH) < 0) {
372 if (key->expiry && now.tv_sec >= key->expiry) 546 ctx->result = ERR_PTR(-EACCES);
373 goto error_2; 547 kleave(" = %d [!perm]", ctx->skipped_ret);
374 key_ref = ERR_PTR(key->type_data.reject_error); 548 goto skipped;
375 if (kflags & (1 << KEY_FLAG_NEGATIVE))
376 goto error_2;
377 goto found;
378 } 549 }
379 550
380 /* otherwise, the top keyring must not be revoked, expired, or 551 if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
381 * negatively instantiated if we are to search it */ 552 /* we set a different error code if we pass a negative key */
382 key_ref = ERR_PTR(-EAGAIN); 553 if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
383 if (kflags & ((1 << KEY_FLAG_INVALIDATED) | 554 ctx->result = ERR_PTR(key->type_data.reject_error);
384 (1 << KEY_FLAG_REVOKED) | 555 kleave(" = %d [neg]", ctx->skipped_ret);
385 (1 << KEY_FLAG_NEGATIVE)) || 556 goto skipped;
386 (keyring->expiry && now.tv_sec >= keyring->expiry)) 557 }
387 goto error_2; 558 }
388
389 /* start processing a new keyring */
390descend:
391 kflags = keyring->flags;
392 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
393 (1 << KEY_FLAG_REVOKED)))
394 goto not_this_keyring;
395 559
396 keylist = rcu_dereference(keyring->payload.subscriptions); 560 /* Found */
397 if (!keylist) 561 ctx->result = make_key_ref(key, ctx->possessed);
398 goto not_this_keyring; 562 kleave(" = 1 [found]");
563 return 1;
399 564
400 /* iterate through the keys in this keyring first */ 565skipped:
401 nkeys = keylist->nkeys; 566 return ctx->skipped_ret;
402 smp_rmb(); 567}
403 for (kix = 0; kix < nkeys; kix++) {
404 key = rcu_dereference(keylist->keys[kix]);
405 kflags = key->flags;
406 568
407 /* ignore keys not of this type */ 569/*
408 if (key->type != type) 570 * Search inside a keyring for a key. We can search by walking to it
409 continue; 571 * directly based on its index-key or we can iterate over the entire
572 * tree looking for it, based on the match function.
573 */
574static int search_keyring(struct key *keyring, struct keyring_search_context *ctx)
575{
576 if ((ctx->flags & KEYRING_SEARCH_LOOKUP_TYPE) ==
577 KEYRING_SEARCH_LOOKUP_DIRECT) {
578 const void *object;
579
580 object = assoc_array_find(&keyring->keys,
581 &keyring_assoc_array_ops,
582 &ctx->index_key);
583 return object ? ctx->iterator(object, ctx) : 0;
584 }
585 return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx);
586}
410 587
411 /* skip invalidated, revoked and expired keys */ 588/*
412 if (!no_state_check) { 589 * Search a tree of keyrings that point to other keyrings up to the maximum
413 if (kflags & ((1 << KEY_FLAG_INVALIDATED) | 590 * depth.
414 (1 << KEY_FLAG_REVOKED))) 591 */
415 continue; 592static bool search_nested_keyrings(struct key *keyring,
593 struct keyring_search_context *ctx)
594{
595 struct {
596 struct key *keyring;
597 struct assoc_array_node *node;
598 int slot;
599 } stack[KEYRING_SEARCH_MAX_DEPTH];
416 600
417 if (key->expiry && now.tv_sec >= key->expiry) 601 struct assoc_array_shortcut *shortcut;
418 continue; 602 struct assoc_array_node *node;
419 } 603 struct assoc_array_ptr *ptr;
604 struct key *key;
605 int sp = 0, slot;
420 606
421 /* keys that don't match */ 607 kenter("{%d},{%s,%s}",
422 if (!match(key, description)) 608 keyring->serial,
423 continue; 609 ctx->index_key.type->name,
610 ctx->index_key.description);
424 611
425 /* key must have search permissions */ 612 if (ctx->index_key.description)
426 if (key_task_permission(make_key_ref(key, possessed), 613 ctx->index_key.desc_len = strlen(ctx->index_key.description);
427 cred, KEY_SEARCH) < 0)
428 continue;
429 614
430 if (no_state_check) 615 /* Check to see if this top-level keyring is what we are looking for
616 * and whether it is valid or not.
617 */
618 if (ctx->flags & KEYRING_SEARCH_LOOKUP_ITERATE ||
619 keyring_compare_object(keyring, &ctx->index_key)) {
620 ctx->skipped_ret = 2;
621 ctx->flags |= KEYRING_SEARCH_DO_STATE_CHECK;
622 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) {
623 case 1:
431 goto found; 624 goto found;
432 625 case 2:
433 /* we set a different error code if we pass a negative key */ 626 return false;
434 if (kflags & (1 << KEY_FLAG_NEGATIVE)) { 627 default:
435 err = key->type_data.reject_error; 628 break;
436 continue;
437 } 629 }
630 }
438 631
632 ctx->skipped_ret = 0;
633 if (ctx->flags & KEYRING_SEARCH_NO_STATE_CHECK)
634 ctx->flags &= ~KEYRING_SEARCH_DO_STATE_CHECK;
635
636 /* Start processing a new keyring */
637descend_to_keyring:
638 kdebug("descend to %d", keyring->serial);
639 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
640 (1 << KEY_FLAG_REVOKED)))
641 goto not_this_keyring;
642
643 /* Search through the keys in this keyring before its searching its
644 * subtrees.
645 */
646 if (search_keyring(keyring, ctx))
439 goto found; 647 goto found;
440 }
441 648
442 /* search through the keyrings nested in this one */ 649 /* Then manually iterate through the keyrings nested in this one.
443 kix = 0; 650 *
444ascend: 651 * Start from the root node of the index tree. Because of the way the
445 nkeys = keylist->nkeys; 652 * hash function has been set up, keyrings cluster on the leftmost
446 smp_rmb(); 653 * branch of the root node (root slot 0) or in the root node itself.
447 for (; kix < nkeys; kix++) { 654 * Non-keyrings avoid the leftmost branch of the root entirely (root
448 key = rcu_dereference(keylist->keys[kix]); 655 * slots 1-15).
449 if (key->type != &key_type_keyring) 656 */
450 continue; 657 ptr = ACCESS_ONCE(keyring->keys.root);
658 if (!ptr)
659 goto not_this_keyring;
451 660
452 /* recursively search nested keyrings 661 if (assoc_array_ptr_is_shortcut(ptr)) {
453 * - only search keyrings for which we have search permission 662 /* If the root is a shortcut, either the keyring only contains
663 * keyring pointers (everything clusters behind root slot 0) or
664 * doesn't contain any keyring pointers.
454 */ 665 */
455 if (sp >= KEYRING_SEARCH_MAX_DEPTH) 666 shortcut = assoc_array_ptr_to_shortcut(ptr);
667 smp_read_barrier_depends();
668 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0)
669 goto not_this_keyring;
670
671 ptr = ACCESS_ONCE(shortcut->next_node);
672 node = assoc_array_ptr_to_node(ptr);
673 goto begin_node;
674 }
675
676 node = assoc_array_ptr_to_node(ptr);
677 smp_read_barrier_depends();
678
679 ptr = node->slots[0];
680 if (!assoc_array_ptr_is_meta(ptr))
681 goto begin_node;
682
683descend_to_node:
684 /* Descend to a more distal node in this keyring's content tree and go
685 * through that.
686 */
687 kdebug("descend");
688 if (assoc_array_ptr_is_shortcut(ptr)) {
689 shortcut = assoc_array_ptr_to_shortcut(ptr);
690 smp_read_barrier_depends();
691 ptr = ACCESS_ONCE(shortcut->next_node);
692 BUG_ON(!assoc_array_ptr_is_node(ptr));
693 node = assoc_array_ptr_to_node(ptr);
694 }
695
696begin_node:
697 kdebug("begin_node");
698 smp_read_barrier_depends();
699 slot = 0;
700ascend_to_node:
701 /* Go through the slots in a node */
702 for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) {
703 ptr = ACCESS_ONCE(node->slots[slot]);
704
705 if (assoc_array_ptr_is_meta(ptr) && node->back_pointer)
706 goto descend_to_node;
707
708 if (!keyring_ptr_is_keyring(ptr))
456 continue; 709 continue;
457 710
458 if (key_task_permission(make_key_ref(key, possessed), 711 key = keyring_ptr_to_key(ptr);
459 cred, KEY_SEARCH) < 0) 712
713 if (sp >= KEYRING_SEARCH_MAX_DEPTH) {
714 if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) {
715 ctx->result = ERR_PTR(-ELOOP);
716 return false;
717 }
718 goto not_this_keyring;
719 }
720
721 /* Search a nested keyring */
722 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
723 key_task_permission(make_key_ref(key, ctx->possessed),
724 ctx->cred, KEY_SEARCH) < 0)
460 continue; 725 continue;
461 726
462 /* stack the current position */ 727 /* stack the current position */
463 stack[sp].keyring = keyring; 728 stack[sp].keyring = keyring;
464 stack[sp].keylist = keylist; 729 stack[sp].node = node;
465 stack[sp].kix = kix; 730 stack[sp].slot = slot;
466 sp++; 731 sp++;
467 732
468 /* begin again with the new keyring */ 733 /* begin again with the new keyring */
469 keyring = key; 734 keyring = key;
470 goto descend; 735 goto descend_to_keyring;
736 }
737
738 /* We've dealt with all the slots in the current node, so now we need
739 * to ascend to the parent and continue processing there.
740 */
741 ptr = ACCESS_ONCE(node->back_pointer);
742 slot = node->parent_slot;
743
744 if (ptr && assoc_array_ptr_is_shortcut(ptr)) {
745 shortcut = assoc_array_ptr_to_shortcut(ptr);
746 smp_read_barrier_depends();
747 ptr = ACCESS_ONCE(shortcut->back_pointer);
748 slot = shortcut->parent_slot;
749 }
750 if (!ptr)
751 goto not_this_keyring;
752 node = assoc_array_ptr_to_node(ptr);
753 smp_read_barrier_depends();
754 slot++;
755
756 /* If we've ascended to the root (zero backpointer), we must have just
757 * finished processing the leftmost branch rather than the root slots -
758 * so there can't be any more keyrings for us to find.
759 */
760 if (node->back_pointer) {
761 kdebug("ascend %d", slot);
762 goto ascend_to_node;
471 } 763 }
472 764
473 /* the keyring we're looking at was disqualified or didn't contain a 765 /* The keyring we're looking at was disqualified or didn't contain a
474 * matching key */ 766 * matching key.
767 */
475not_this_keyring: 768not_this_keyring:
476 if (sp > 0) { 769 kdebug("not_this_keyring %d", sp);
477 /* resume the processing of a keyring higher up in the tree */ 770 if (sp <= 0) {
478 sp--; 771 kleave(" = false");
479 keyring = stack[sp].keyring; 772 return false;
480 keylist = stack[sp].keylist;
481 kix = stack[sp].kix + 1;
482 goto ascend;
483 } 773 }
484 774
485 key_ref = ERR_PTR(err); 775 /* Resume the processing of a keyring higher up in the tree */
486 goto error_2; 776 sp--;
777 keyring = stack[sp].keyring;
778 node = stack[sp].node;
779 slot = stack[sp].slot + 1;
780 kdebug("ascend to %d [%d]", keyring->serial, slot);
781 goto ascend_to_node;
487 782
488 /* we found a viable match */ 783 /* We found a viable match */
489found: 784found:
490 atomic_inc(&key->usage); 785 key = key_ref_to_ptr(ctx->result);
491 key->last_used_at = now.tv_sec;
492 keyring->last_used_at = now.tv_sec;
493 while (sp > 0)
494 stack[--sp].keyring->last_used_at = now.tv_sec;
495 key_check(key); 786 key_check(key);
496 key_ref = make_key_ref(key, possessed); 787 if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) {
497error_2: 788 key->last_used_at = ctx->now.tv_sec;
789 keyring->last_used_at = ctx->now.tv_sec;
790 while (sp > 0)
791 stack[--sp].keyring->last_used_at = ctx->now.tv_sec;
792 }
793 kleave(" = true");
794 return true;
795}
796
797/**
798 * keyring_search_aux - Search a keyring tree for a key matching some criteria
799 * @keyring_ref: A pointer to the keyring with possession indicator.
800 * @ctx: The keyring search context.
801 *
802 * Search the supplied keyring tree for a key that matches the criteria given.
803 * The root keyring and any linked keyrings must grant Search permission to the
804 * caller to be searchable and keys can only be found if they too grant Search
805 * to the caller. The possession flag on the root keyring pointer controls use
806 * of the possessor bits in permissions checking of the entire tree. In
807 * addition, the LSM gets to forbid keyring searches and key matches.
808 *
809 * The search is performed as a breadth-then-depth search up to the prescribed
810 * limit (KEYRING_SEARCH_MAX_DEPTH).
811 *
812 * Keys are matched to the type provided and are then filtered by the match
813 * function, which is given the description to use in any way it sees fit. The
814 * match function may use any attributes of a key that it wishes to to
815 * determine the match. Normally the match function from the key type would be
816 * used.
817 *
818 * RCU can be used to prevent the keyring key lists from disappearing without
819 * the need to take lots of locks.
820 *
821 * Returns a pointer to the found key and increments the key usage count if
822 * successful; -EAGAIN if no matching keys were found, or if expired or revoked
823 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
824 * specified keyring wasn't a keyring.
825 *
826 * In the case of a successful return, the possession attribute from
827 * @keyring_ref is propagated to the returned key reference.
828 */
829key_ref_t keyring_search_aux(key_ref_t keyring_ref,
830 struct keyring_search_context *ctx)
831{
832 struct key *keyring;
833 long err;
834
835 ctx->iterator = keyring_search_iterator;
836 ctx->possessed = is_key_possessed(keyring_ref);
837 ctx->result = ERR_PTR(-EAGAIN);
838
839 keyring = key_ref_to_ptr(keyring_ref);
840 key_check(keyring);
841
842 if (keyring->type != &key_type_keyring)
843 return ERR_PTR(-ENOTDIR);
844
845 if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) {
846 err = key_task_permission(keyring_ref, ctx->cred, KEY_SEARCH);
847 if (err < 0)
848 return ERR_PTR(err);
849 }
850
851 rcu_read_lock();
852 ctx->now = current_kernel_time();
853 if (search_nested_keyrings(keyring, ctx))
854 __key_get(key_ref_to_ptr(ctx->result));
498 rcu_read_unlock(); 855 rcu_read_unlock();
499error: 856 return ctx->result;
500 return key_ref;
501} 857}
502 858
503/** 859/**
@@ -507,77 +863,73 @@ error:
507 * @description: The name of the keyring we want to find. 863 * @description: The name of the keyring we want to find.
508 * 864 *
509 * As keyring_search_aux() above, but using the current task's credentials and 865 * As keyring_search_aux() above, but using the current task's credentials and
510 * type's default matching function. 866 * type's default matching function and preferred search method.
511 */ 867 */
512key_ref_t keyring_search(key_ref_t keyring, 868key_ref_t keyring_search(key_ref_t keyring,
513 struct key_type *type, 869 struct key_type *type,
514 const char *description) 870 const char *description)
515{ 871{
516 if (!type->match) 872 struct keyring_search_context ctx = {
873 .index_key.type = type,
874 .index_key.description = description,
875 .cred = current_cred(),
876 .match = type->match,
877 .match_data = description,
878 .flags = (type->def_lookup_type |
879 KEYRING_SEARCH_DO_STATE_CHECK),
880 };
881
882 if (!ctx.match)
517 return ERR_PTR(-ENOKEY); 883 return ERR_PTR(-ENOKEY);
518 884
519 return keyring_search_aux(keyring, current->cred, 885 return keyring_search_aux(keyring, &ctx);
520 type, description, type->match, false);
521} 886}
522EXPORT_SYMBOL(keyring_search); 887EXPORT_SYMBOL(keyring_search);
523 888
524/* 889/*
525 * Search the given keyring only (no recursion). 890 * Search the given keyring for a key that might be updated.
526 * 891 *
527 * The caller must guarantee that the keyring is a keyring and that the 892 * The caller must guarantee that the keyring is a keyring and that the
528 * permission is granted to search the keyring as no check is made here. 893 * permission is granted to modify the keyring as no check is made here. The
529 * 894 * caller must also hold a lock on the keyring semaphore.
530 * RCU is used to make it unnecessary to lock the keyring key list here.
531 * 895 *
532 * Returns a pointer to the found key with usage count incremented if 896 * Returns a pointer to the found key with usage count incremented if
533 * successful and returns -ENOKEY if not found. Revoked keys and keys not 897 * successful and returns NULL if not found. Revoked and invalidated keys are
534 * providing the requested permission are skipped over. 898 * skipped over.
535 * 899 *
536 * If successful, the possession indicator is propagated from the keyring ref 900 * If successful, the possession indicator is propagated from the keyring ref
537 * to the returned key reference. 901 * to the returned key reference.
538 */ 902 */
539key_ref_t __keyring_search_one(key_ref_t keyring_ref, 903key_ref_t find_key_to_update(key_ref_t keyring_ref,
540 const struct key_type *ktype, 904 const struct keyring_index_key *index_key)
541 const char *description,
542 key_perm_t perm)
543{ 905{
544 struct keyring_list *klist;
545 unsigned long possessed;
546 struct key *keyring, *key; 906 struct key *keyring, *key;
547 int nkeys, loop; 907 const void *object;
548 908
549 keyring = key_ref_to_ptr(keyring_ref); 909 keyring = key_ref_to_ptr(keyring_ref);
550 possessed = is_key_possessed(keyring_ref);
551 910
552 rcu_read_lock(); 911 kenter("{%d},{%s,%s}",
912 keyring->serial, index_key->type->name, index_key->description);
553 913
554 klist = rcu_dereference(keyring->payload.subscriptions); 914 object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops,
555 if (klist) { 915 index_key);
556 nkeys = klist->nkeys;
557 smp_rmb();
558 for (loop = 0; loop < nkeys ; loop++) {
559 key = rcu_dereference(klist->keys[loop]);
560 if (key->type == ktype &&
561 (!key->type->match ||
562 key->type->match(key, description)) &&
563 key_permission(make_key_ref(key, possessed),
564 perm) == 0 &&
565 !(key->flags & ((1 << KEY_FLAG_INVALIDATED) |
566 (1 << KEY_FLAG_REVOKED)))
567 )
568 goto found;
569 }
570 }
571 916
572 rcu_read_unlock(); 917 if (object)
573 return ERR_PTR(-ENOKEY); 918 goto found;
919
920 kleave(" = NULL");
921 return NULL;
574 922
575found: 923found:
576 atomic_inc(&key->usage); 924 key = keyring_ptr_to_key(object);
577 keyring->last_used_at = key->last_used_at = 925 if (key->flags & ((1 << KEY_FLAG_INVALIDATED) |
578 current_kernel_time().tv_sec; 926 (1 << KEY_FLAG_REVOKED))) {
579 rcu_read_unlock(); 927 kleave(" = NULL [x]");
580 return make_key_ref(key, possessed); 928 return NULL;
929 }
930 __key_get(key);
931 kleave(" = {%d}", key->serial);
932 return make_key_ref(key, is_key_possessed(keyring_ref));
581} 933}
582 934
583/* 935/*
@@ -640,6 +992,19 @@ out:
640 return keyring; 992 return keyring;
641} 993}
642 994
995static int keyring_detect_cycle_iterator(const void *object,
996 void *iterator_data)
997{
998 struct keyring_search_context *ctx = iterator_data;
999 const struct key *key = keyring_ptr_to_key(object);
1000
1001 kenter("{%d}", key->serial);
1002
1003 BUG_ON(key != ctx->match_data);
1004 ctx->result = ERR_PTR(-EDEADLK);
1005 return 1;
1006}
1007
643/* 1008/*
644 * See if a cycle will will be created by inserting acyclic tree B in acyclic 1009 * See if a cycle will will be created by inserting acyclic tree B in acyclic
645 * tree A at the topmost level (ie: as a direct child of A). 1010 * tree A at the topmost level (ie: as a direct child of A).
@@ -649,116 +1014,39 @@ out:
649 */ 1014 */
650static int keyring_detect_cycle(struct key *A, struct key *B) 1015static int keyring_detect_cycle(struct key *A, struct key *B)
651{ 1016{
652 struct { 1017 struct keyring_search_context ctx = {
653 struct keyring_list *keylist; 1018 .index_key = A->index_key,
654 int kix; 1019 .match_data = A,
655 } stack[KEYRING_SEARCH_MAX_DEPTH]; 1020 .iterator = keyring_detect_cycle_iterator,
656 1021 .flags = (KEYRING_SEARCH_LOOKUP_DIRECT |
657 struct keyring_list *keylist; 1022 KEYRING_SEARCH_NO_STATE_CHECK |
658 struct key *subtree, *key; 1023 KEYRING_SEARCH_NO_UPDATE_TIME |
659 int sp, nkeys, kix, ret; 1024 KEYRING_SEARCH_NO_CHECK_PERM |
1025 KEYRING_SEARCH_DETECT_TOO_DEEP),
1026 };
660 1027
661 rcu_read_lock(); 1028 rcu_read_lock();
662 1029 search_nested_keyrings(B, &ctx);
663 ret = -EDEADLK;
664 if (A == B)
665 goto cycle_detected;
666
667 subtree = B;
668 sp = 0;
669
670 /* start processing a new keyring */
671descend:
672 if (test_bit(KEY_FLAG_REVOKED, &subtree->flags))
673 goto not_this_keyring;
674
675 keylist = rcu_dereference(subtree->payload.subscriptions);
676 if (!keylist)
677 goto not_this_keyring;
678 kix = 0;
679
680ascend:
681 /* iterate through the remaining keys in this keyring */
682 nkeys = keylist->nkeys;
683 smp_rmb();
684 for (; kix < nkeys; kix++) {
685 key = rcu_dereference(keylist->keys[kix]);
686
687 if (key == A)
688 goto cycle_detected;
689
690 /* recursively check nested keyrings */
691 if (key->type == &key_type_keyring) {
692 if (sp >= KEYRING_SEARCH_MAX_DEPTH)
693 goto too_deep;
694
695 /* stack the current position */
696 stack[sp].keylist = keylist;
697 stack[sp].kix = kix;
698 sp++;
699
700 /* begin again with the new keyring */
701 subtree = key;
702 goto descend;
703 }
704 }
705
706 /* the keyring we're looking at was disqualified or didn't contain a
707 * matching key */
708not_this_keyring:
709 if (sp > 0) {
710 /* resume the checking of a keyring higher up in the tree */
711 sp--;
712 keylist = stack[sp].keylist;
713 kix = stack[sp].kix + 1;
714 goto ascend;
715 }
716
717 ret = 0; /* no cycles detected */
718
719error:
720 rcu_read_unlock(); 1030 rcu_read_unlock();
721 return ret; 1031 return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result);
722
723too_deep:
724 ret = -ELOOP;
725 goto error;
726
727cycle_detected:
728 ret = -EDEADLK;
729 goto error;
730}
731
732/*
733 * Dispose of a keyring list after the RCU grace period, freeing the unlinked
734 * key
735 */
736static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
737{
738 struct keyring_list *klist =
739 container_of(rcu, struct keyring_list, rcu);
740
741 if (klist->delkey != USHRT_MAX)
742 key_put(rcu_access_pointer(klist->keys[klist->delkey]));
743 kfree(klist);
744} 1032}
745 1033
746/* 1034/*
747 * Preallocate memory so that a key can be linked into to a keyring. 1035 * Preallocate memory so that a key can be linked into to a keyring.
748 */ 1036 */
749int __key_link_begin(struct key *keyring, const struct key_type *type, 1037int __key_link_begin(struct key *keyring,
750 const char *description, unsigned long *_prealloc) 1038 const struct keyring_index_key *index_key,
1039 struct assoc_array_edit **_edit)
751 __acquires(&keyring->sem) 1040 __acquires(&keyring->sem)
752 __acquires(&keyring_serialise_link_sem) 1041 __acquires(&keyring_serialise_link_sem)
753{ 1042{
754 struct keyring_list *klist, *nklist; 1043 struct assoc_array_edit *edit;
755 unsigned long prealloc; 1044 int ret;
756 unsigned max; 1045
757 time_t lowest_lru; 1046 kenter("%d,%s,%s,",
758 size_t size; 1047 keyring->serial, index_key->type->name, index_key->description);
759 int loop, lru, ret;
760 1048
761 kenter("%d,%s,%s,", key_serial(keyring), type->name, description); 1049 BUG_ON(index_key->desc_len == 0);
762 1050
763 if (keyring->type != &key_type_keyring) 1051 if (keyring->type != &key_type_keyring)
764 return -ENOTDIR; 1052 return -ENOTDIR;
@@ -771,91 +1059,28 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
771 1059
772 /* serialise link/link calls to prevent parallel calls causing a cycle 1060 /* serialise link/link calls to prevent parallel calls causing a cycle
773 * when linking two keyring in opposite orders */ 1061 * when linking two keyring in opposite orders */
774 if (type == &key_type_keyring) 1062 if (index_key->type == &key_type_keyring)
775 down_write(&keyring_serialise_link_sem); 1063 down_write(&keyring_serialise_link_sem);
776 1064
777 klist = rcu_dereference_locked_keyring(keyring);
778
779 /* see if there's a matching key we can displace */
780 lru = -1;
781 if (klist && klist->nkeys > 0) {
782 lowest_lru = TIME_T_MAX;
783 for (loop = klist->nkeys - 1; loop >= 0; loop--) {
784 struct key *key = rcu_deref_link_locked(klist, loop,
785 keyring);
786 if (key->type == type &&
787 strcmp(key->description, description) == 0) {
788 /* Found a match - we'll replace the link with
789 * one to the new key. We record the slot
790 * position.
791 */
792 klist->delkey = loop;
793 prealloc = 0;
794 goto done;
795 }
796 if (key->last_used_at < lowest_lru) {
797 lowest_lru = key->last_used_at;
798 lru = loop;
799 }
800 }
801 }
802
803 /* If the keyring is full then do an LRU discard */
804 if (klist &&
805 klist->nkeys == klist->maxkeys &&
806 klist->maxkeys >= MAX_KEYRING_LINKS) {
807 kdebug("LRU discard %d\n", lru);
808 klist->delkey = lru;
809 prealloc = 0;
810 goto done;
811 }
812
813 /* check that we aren't going to overrun the user's quota */ 1065 /* check that we aren't going to overrun the user's quota */
814 ret = key_payload_reserve(keyring, 1066 ret = key_payload_reserve(keyring,
815 keyring->datalen + KEYQUOTA_LINK_BYTES); 1067 keyring->datalen + KEYQUOTA_LINK_BYTES);
816 if (ret < 0) 1068 if (ret < 0)
817 goto error_sem; 1069 goto error_sem;
818 1070
819 if (klist && klist->nkeys < klist->maxkeys) { 1071 /* Create an edit script that will insert/replace the key in the
820 /* there's sufficient slack space to append directly */ 1072 * keyring tree.
821 klist->delkey = klist->nkeys; 1073 */
822 prealloc = KEY_LINK_FIXQUOTA; 1074 edit = assoc_array_insert(&keyring->keys,
823 } else { 1075 &keyring_assoc_array_ops,
824 /* grow the key list */ 1076 index_key,
825 max = 4; 1077 NULL);
826 if (klist) { 1078 if (IS_ERR(edit)) {
827 max += klist->maxkeys; 1079 ret = PTR_ERR(edit);
828 if (max > MAX_KEYRING_LINKS) 1080 goto error_quota;
829 max = MAX_KEYRING_LINKS;
830 BUG_ON(max <= klist->maxkeys);
831 }
832
833 size = sizeof(*klist) + sizeof(struct key *) * max;
834
835 ret = -ENOMEM;
836 nklist = kmalloc(size, GFP_KERNEL);
837 if (!nklist)
838 goto error_quota;
839
840 nklist->maxkeys = max;
841 if (klist) {
842 memcpy(nklist->keys, klist->keys,
843 sizeof(struct key *) * klist->nkeys);
844 nklist->delkey = klist->nkeys;
845 nklist->nkeys = klist->nkeys + 1;
846 klist->delkey = USHRT_MAX;
847 } else {
848 nklist->nkeys = 1;
849 nklist->delkey = 0;
850 }
851
852 /* add the key into the new space */
853 RCU_INIT_POINTER(nklist->keys[nklist->delkey], NULL);
854 prealloc = (unsigned long)nklist | KEY_LINK_FIXQUOTA;
855 } 1081 }
856 1082
857done: 1083 *_edit = edit;
858 *_prealloc = prealloc;
859 kleave(" = 0"); 1084 kleave(" = 0");
860 return 0; 1085 return 0;
861 1086
@@ -864,7 +1089,7 @@ error_quota:
864 key_payload_reserve(keyring, 1089 key_payload_reserve(keyring,
865 keyring->datalen - KEYQUOTA_LINK_BYTES); 1090 keyring->datalen - KEYQUOTA_LINK_BYTES);
866error_sem: 1091error_sem:
867 if (type == &key_type_keyring) 1092 if (index_key->type == &key_type_keyring)
868 up_write(&keyring_serialise_link_sem); 1093 up_write(&keyring_serialise_link_sem);
869error_krsem: 1094error_krsem:
870 up_write(&keyring->sem); 1095 up_write(&keyring->sem);
@@ -895,60 +1120,12 @@ int __key_link_check_live_key(struct key *keyring, struct key *key)
895 * holds at most one link to any given key of a particular type+description 1120 * holds at most one link to any given key of a particular type+description
896 * combination. 1121 * combination.
897 */ 1122 */
898void __key_link(struct key *keyring, struct key *key, 1123void __key_link(struct key *key, struct assoc_array_edit **_edit)
899 unsigned long *_prealloc)
900{ 1124{
901 struct keyring_list *klist, *nklist; 1125 __key_get(key);
902 struct key *discard; 1126 assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key));
903 1127 assoc_array_apply_edit(*_edit);
904 nklist = (struct keyring_list *)(*_prealloc & ~KEY_LINK_FIXQUOTA); 1128 *_edit = NULL;
905 *_prealloc = 0;
906
907 kenter("%d,%d,%p", keyring->serial, key->serial, nklist);
908
909 klist = rcu_dereference_locked_keyring(keyring);
910
911 atomic_inc(&key->usage);
912 keyring->last_used_at = key->last_used_at =
913 current_kernel_time().tv_sec;
914
915 /* there's a matching key we can displace or an empty slot in a newly
916 * allocated list we can fill */
917 if (nklist) {
918 kdebug("reissue %hu/%hu/%hu",
919 nklist->delkey, nklist->nkeys, nklist->maxkeys);
920
921 RCU_INIT_POINTER(nklist->keys[nklist->delkey], key);
922
923 rcu_assign_pointer(keyring->payload.subscriptions, nklist);
924
925 /* dispose of the old keyring list and, if there was one, the
926 * displaced key */
927 if (klist) {
928 kdebug("dispose %hu/%hu/%hu",
929 klist->delkey, klist->nkeys, klist->maxkeys);
930 call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
931 }
932 } else if (klist->delkey < klist->nkeys) {
933 kdebug("replace %hu/%hu/%hu",
934 klist->delkey, klist->nkeys, klist->maxkeys);
935
936 discard = rcu_dereference_protected(
937 klist->keys[klist->delkey],
938 rwsem_is_locked(&keyring->sem));
939 rcu_assign_pointer(klist->keys[klist->delkey], key);
940 /* The garbage collector will take care of RCU
941 * synchronisation */
942 key_put(discard);
943 } else {
944 /* there's sufficient slack space to append directly */
945 kdebug("append %hu/%hu/%hu",
946 klist->delkey, klist->nkeys, klist->maxkeys);
947
948 RCU_INIT_POINTER(klist->keys[klist->delkey], key);
949 smp_wmb();
950 klist->nkeys++;
951 }
952} 1129}
953 1130
954/* 1131/*
@@ -956,24 +1133,22 @@ void __key_link(struct key *keyring, struct key *key,
956 * 1133 *
957 * Must be called with __key_link_begin() having being called. 1134 * Must be called with __key_link_begin() having being called.
958 */ 1135 */
959void __key_link_end(struct key *keyring, struct key_type *type, 1136void __key_link_end(struct key *keyring,
960 unsigned long prealloc) 1137 const struct keyring_index_key *index_key,
1138 struct assoc_array_edit *edit)
961 __releases(&keyring->sem) 1139 __releases(&keyring->sem)
962 __releases(&keyring_serialise_link_sem) 1140 __releases(&keyring_serialise_link_sem)
963{ 1141{
964 BUG_ON(type == NULL); 1142 BUG_ON(index_key->type == NULL);
965 BUG_ON(type->name == NULL); 1143 kenter("%d,%s,", keyring->serial, index_key->type->name);
966 kenter("%d,%s,%lx", keyring->serial, type->name, prealloc);
967 1144
968 if (type == &key_type_keyring) 1145 if (index_key->type == &key_type_keyring)
969 up_write(&keyring_serialise_link_sem); 1146 up_write(&keyring_serialise_link_sem);
970 1147
971 if (prealloc) { 1148 if (edit) {
972 if (prealloc & KEY_LINK_FIXQUOTA) 1149 key_payload_reserve(keyring,
973 key_payload_reserve(keyring, 1150 keyring->datalen - KEYQUOTA_LINK_BYTES);
974 keyring->datalen - 1151 assoc_array_cancel_edit(edit);
975 KEYQUOTA_LINK_BYTES);
976 kfree((struct keyring_list *)(prealloc & ~KEY_LINK_FIXQUOTA));
977 } 1152 }
978 up_write(&keyring->sem); 1153 up_write(&keyring->sem);
979} 1154}
@@ -1000,20 +1175,28 @@ void __key_link_end(struct key *keyring, struct key_type *type,
1000 */ 1175 */
1001int key_link(struct key *keyring, struct key *key) 1176int key_link(struct key *keyring, struct key *key)
1002{ 1177{
1003 unsigned long prealloc; 1178 struct assoc_array_edit *edit;
1004 int ret; 1179 int ret;
1005 1180
1181 kenter("{%d,%d}", keyring->serial, atomic_read(&keyring->usage));
1182
1006 key_check(keyring); 1183 key_check(keyring);
1007 key_check(key); 1184 key_check(key);
1008 1185
1009 ret = __key_link_begin(keyring, key->type, key->description, &prealloc); 1186 if (test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags) &&
1187 !test_bit(KEY_FLAG_TRUSTED, &key->flags))
1188 return -EPERM;
1189
1190 ret = __key_link_begin(keyring, &key->index_key, &edit);
1010 if (ret == 0) { 1191 if (ret == 0) {
1192 kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage));
1011 ret = __key_link_check_live_key(keyring, key); 1193 ret = __key_link_check_live_key(keyring, key);
1012 if (ret == 0) 1194 if (ret == 0)
1013 __key_link(keyring, key, &prealloc); 1195 __key_link(key, &edit);
1014 __key_link_end(keyring, key->type, prealloc); 1196 __key_link_end(keyring, &key->index_key, edit);
1015 } 1197 }
1016 1198
1199 kleave(" = %d {%d,%d}", ret, keyring->serial, atomic_read(&keyring->usage));
1017 return ret; 1200 return ret;
1018} 1201}
1019EXPORT_SYMBOL(key_link); 1202EXPORT_SYMBOL(key_link);
@@ -1037,90 +1220,36 @@ EXPORT_SYMBOL(key_link);
1037 */ 1220 */
1038int key_unlink(struct key *keyring, struct key *key) 1221int key_unlink(struct key *keyring, struct key *key)
1039{ 1222{
1040 struct keyring_list *klist, *nklist; 1223 struct assoc_array_edit *edit;
1041 int loop, ret; 1224 int ret;
1042 1225
1043 key_check(keyring); 1226 key_check(keyring);
1044 key_check(key); 1227 key_check(key);
1045 1228
1046 ret = -ENOTDIR;
1047 if (keyring->type != &key_type_keyring) 1229 if (keyring->type != &key_type_keyring)
1048 goto error; 1230 return -ENOTDIR;
1049 1231
1050 down_write(&keyring->sem); 1232 down_write(&keyring->sem);
1051 1233
1052 klist = rcu_dereference_locked_keyring(keyring); 1234 edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops,
1053 if (klist) { 1235 &key->index_key);
1054 /* search the keyring for the key */ 1236 if (IS_ERR(edit)) {
1055 for (loop = 0; loop < klist->nkeys; loop++) 1237 ret = PTR_ERR(edit);
1056 if (rcu_access_pointer(klist->keys[loop]) == key) 1238 goto error;
1057 goto key_is_present;
1058 } 1239 }
1059
1060 up_write(&keyring->sem);
1061 ret = -ENOENT; 1240 ret = -ENOENT;
1062 goto error; 1241 if (edit == NULL)
1063 1242 goto error;
1064key_is_present:
1065 /* we need to copy the key list for RCU purposes */
1066 nklist = kmalloc(sizeof(*klist) +
1067 sizeof(struct key *) * klist->maxkeys,
1068 GFP_KERNEL);
1069 if (!nklist)
1070 goto nomem;
1071 nklist->maxkeys = klist->maxkeys;
1072 nklist->nkeys = klist->nkeys - 1;
1073
1074 if (loop > 0)
1075 memcpy(&nklist->keys[0],
1076 &klist->keys[0],
1077 loop * sizeof(struct key *));
1078
1079 if (loop < nklist->nkeys)
1080 memcpy(&nklist->keys[loop],
1081 &klist->keys[loop + 1],
1082 (nklist->nkeys - loop) * sizeof(struct key *));
1083
1084 /* adjust the user's quota */
1085 key_payload_reserve(keyring,
1086 keyring->datalen - KEYQUOTA_LINK_BYTES);
1087
1088 rcu_assign_pointer(keyring->payload.subscriptions, nklist);
1089
1090 up_write(&keyring->sem);
1091
1092 /* schedule for later cleanup */
1093 klist->delkey = loop;
1094 call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
1095 1243
1244 assoc_array_apply_edit(edit);
1096 ret = 0; 1245 ret = 0;
1097 1246
1098error: 1247error:
1099 return ret;
1100nomem:
1101 ret = -ENOMEM;
1102 up_write(&keyring->sem); 1248 up_write(&keyring->sem);
1103 goto error; 1249 return ret;
1104} 1250}
1105EXPORT_SYMBOL(key_unlink); 1251EXPORT_SYMBOL(key_unlink);
1106 1252
1107/*
1108 * Dispose of a keyring list after the RCU grace period, releasing the keys it
1109 * links to.
1110 */
1111static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
1112{
1113 struct keyring_list *klist;
1114 int loop;
1115
1116 klist = container_of(rcu, struct keyring_list, rcu);
1117
1118 for (loop = klist->nkeys - 1; loop >= 0; loop--)
1119 key_put(rcu_access_pointer(klist->keys[loop]));
1120
1121 kfree(klist);
1122}
1123
1124/** 1253/**
1125 * keyring_clear - Clear a keyring 1254 * keyring_clear - Clear a keyring
1126 * @keyring: The keyring to clear. 1255 * @keyring: The keyring to clear.
@@ -1131,33 +1260,25 @@ static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
1131 */ 1260 */
1132int keyring_clear(struct key *keyring) 1261int keyring_clear(struct key *keyring)
1133{ 1262{
1134 struct keyring_list *klist; 1263 struct assoc_array_edit *edit;
1135 int ret; 1264 int ret;
1136 1265
1137 ret = -ENOTDIR; 1266 if (keyring->type != &key_type_keyring)
1138 if (keyring->type == &key_type_keyring) { 1267 return -ENOTDIR;
1139 /* detach the pointer block with the locks held */
1140 down_write(&keyring->sem);
1141
1142 klist = rcu_dereference_locked_keyring(keyring);
1143 if (klist) {
1144 /* adjust the quota */
1145 key_payload_reserve(keyring,
1146 sizeof(struct keyring_list));
1147
1148 rcu_assign_pointer(keyring->payload.subscriptions,
1149 NULL);
1150 }
1151
1152 up_write(&keyring->sem);
1153 1268
1154 /* free the keys after the locks have been dropped */ 1269 down_write(&keyring->sem);
1155 if (klist)
1156 call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1157 1270
1271 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1272 if (IS_ERR(edit)) {
1273 ret = PTR_ERR(edit);
1274 } else {
1275 if (edit)
1276 assoc_array_apply_edit(edit);
1277 key_payload_reserve(keyring, 0);
1158 ret = 0; 1278 ret = 0;
1159 } 1279 }
1160 1280
1281 up_write(&keyring->sem);
1161 return ret; 1282 return ret;
1162} 1283}
1163EXPORT_SYMBOL(keyring_clear); 1284EXPORT_SYMBOL(keyring_clear);
@@ -1169,17 +1290,25 @@ EXPORT_SYMBOL(keyring_clear);
1169 */ 1290 */
1170static void keyring_revoke(struct key *keyring) 1291static void keyring_revoke(struct key *keyring)
1171{ 1292{
1172 struct keyring_list *klist; 1293 struct assoc_array_edit *edit;
1173 1294
1174 klist = rcu_dereference_locked_keyring(keyring); 1295 edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1296 if (!IS_ERR(edit)) {
1297 if (edit)
1298 assoc_array_apply_edit(edit);
1299 key_payload_reserve(keyring, 0);
1300 }
1301}
1175 1302
1176 /* adjust the quota */ 1303static bool gc_iterator(void *object, void *iterator_data)
1177 key_payload_reserve(keyring, 0); 1304{
1305 struct key *key = keyring_ptr_to_key(object);
1306 time_t *limit = iterator_data;
1178 1307
1179 if (klist) { 1308 if (key_is_dead(key, *limit))
1180 rcu_assign_pointer(keyring->payload.subscriptions, NULL); 1309 return false;
1181 call_rcu(&klist->rcu, keyring_clear_rcu_disposal); 1310 key_get(key);
1182 } 1311 return true;
1183} 1312}
1184 1313
1185/* 1314/*
@@ -1192,88 +1321,12 @@ static void keyring_revoke(struct key *keyring)
1192 */ 1321 */
1193void keyring_gc(struct key *keyring, time_t limit) 1322void keyring_gc(struct key *keyring, time_t limit)
1194{ 1323{
1195 struct keyring_list *klist, *new;
1196 struct key *key;
1197 int loop, keep, max;
1198
1199 kenter("{%x,%s}", key_serial(keyring), keyring->description); 1324 kenter("{%x,%s}", key_serial(keyring), keyring->description);
1200 1325
1201 down_write(&keyring->sem); 1326 down_write(&keyring->sem);
1202 1327 assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops,
1203 klist = rcu_dereference_locked_keyring(keyring); 1328 gc_iterator, &limit);
1204 if (!klist)
1205 goto no_klist;
1206
1207 /* work out how many subscriptions we're keeping */
1208 keep = 0;
1209 for (loop = klist->nkeys - 1; loop >= 0; loop--)
1210 if (!key_is_dead(rcu_deref_link_locked(klist, loop, keyring),
1211 limit))
1212 keep++;
1213
1214 if (keep == klist->nkeys)
1215 goto just_return;
1216
1217 /* allocate a new keyring payload */
1218 max = roundup(keep, 4);
1219 new = kmalloc(sizeof(struct keyring_list) + max * sizeof(struct key *),
1220 GFP_KERNEL);
1221 if (!new)
1222 goto nomem;
1223 new->maxkeys = max;
1224 new->nkeys = 0;
1225 new->delkey = 0;
1226
1227 /* install the live keys
1228 * - must take care as expired keys may be updated back to life
1229 */
1230 keep = 0;
1231 for (loop = klist->nkeys - 1; loop >= 0; loop--) {
1232 key = rcu_deref_link_locked(klist, loop, keyring);
1233 if (!key_is_dead(key, limit)) {
1234 if (keep >= max)
1235 goto discard_new;
1236 RCU_INIT_POINTER(new->keys[keep++], key_get(key));
1237 }
1238 }
1239 new->nkeys = keep;
1240
1241 /* adjust the quota */
1242 key_payload_reserve(keyring,
1243 sizeof(struct keyring_list) +
1244 KEYQUOTA_LINK_BYTES * keep);
1245
1246 if (keep == 0) {
1247 rcu_assign_pointer(keyring->payload.subscriptions, NULL);
1248 kfree(new);
1249 } else {
1250 rcu_assign_pointer(keyring->payload.subscriptions, new);
1251 }
1252
1253 up_write(&keyring->sem);
1254
1255 call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1256 kleave(" [yes]");
1257 return;
1258
1259discard_new:
1260 new->nkeys = keep;
1261 keyring_clear_rcu_disposal(&new->rcu);
1262 up_write(&keyring->sem); 1329 up_write(&keyring->sem);
1263 kleave(" [discard]");
1264 return;
1265 1330
1266just_return: 1331 kleave("");
1267 up_write(&keyring->sem);
1268 kleave(" [no dead]");
1269 return;
1270
1271no_klist:
1272 up_write(&keyring->sem);
1273 kleave(" [no_klist]");
1274 return;
1275
1276nomem:
1277 up_write(&keyring->sem);
1278 kleave(" [oom]");
1279} 1332}
diff --git a/security/keys/persistent.c b/security/keys/persistent.c
new file mode 100644
index 000000000000..82f4957a7acf
--- /dev/null
+++ b/security/keys/persistent.c
@@ -0,0 +1,169 @@
1/* General persistent per-UID keyrings register
2 *
3 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#include <linux/user_namespace.h>
13#include "internal.h"
14
15unsigned persistent_keyring_expiry = 3 * 24 * 3600; /* Expire after 3 days of non-use */
16
17/*
18 * Create the persistent keyring register for the current user namespace.
19 *
20 * Called with the namespace's sem locked for writing.
21 */
22static int key_create_persistent_register(struct user_namespace *ns)
23{
24 struct key *reg = keyring_alloc(".persistent_register",
25 KUIDT_INIT(0), KGIDT_INIT(0),
26 current_cred(),
27 ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
28 KEY_USR_VIEW | KEY_USR_READ),
29 KEY_ALLOC_NOT_IN_QUOTA, NULL);
30 if (IS_ERR(reg))
31 return PTR_ERR(reg);
32
33 ns->persistent_keyring_register = reg;
34 return 0;
35}
36
37/*
38 * Create the persistent keyring for the specified user.
39 *
40 * Called with the namespace's sem locked for writing.
41 */
42static key_ref_t key_create_persistent(struct user_namespace *ns, kuid_t uid,
43 struct keyring_index_key *index_key)
44{
45 struct key *persistent;
46 key_ref_t reg_ref, persistent_ref;
47
48 if (!ns->persistent_keyring_register) {
49 long err = key_create_persistent_register(ns);
50 if (err < 0)
51 return ERR_PTR(err);
52 } else {
53 reg_ref = make_key_ref(ns->persistent_keyring_register, true);
54 persistent_ref = find_key_to_update(reg_ref, index_key);
55 if (persistent_ref)
56 return persistent_ref;
57 }
58
59 persistent = keyring_alloc(index_key->description,
60 uid, INVALID_GID, current_cred(),
61 ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
62 KEY_USR_VIEW | KEY_USR_READ),
63 KEY_ALLOC_NOT_IN_QUOTA,
64 ns->persistent_keyring_register);
65 if (IS_ERR(persistent))
66 return ERR_CAST(persistent);
67
68 return make_key_ref(persistent, true);
69}
70
71/*
72 * Get the persistent keyring for a specific UID and link it to the nominated
73 * keyring.
74 */
75static long key_get_persistent(struct user_namespace *ns, kuid_t uid,
76 key_ref_t dest_ref)
77{
78 struct keyring_index_key index_key;
79 struct key *persistent;
80 key_ref_t reg_ref, persistent_ref;
81 char buf[32];
82 long ret;
83
84 /* Look in the register if it exists */
85 index_key.type = &key_type_keyring;
86 index_key.description = buf;
87 index_key.desc_len = sprintf(buf, "_persistent.%u", from_kuid(ns, uid));
88
89 if (ns->persistent_keyring_register) {
90 reg_ref = make_key_ref(ns->persistent_keyring_register, true);
91 down_read(&ns->persistent_keyring_register_sem);
92 persistent_ref = find_key_to_update(reg_ref, &index_key);
93 up_read(&ns->persistent_keyring_register_sem);
94
95 if (persistent_ref)
96 goto found;
97 }
98
99 /* It wasn't in the register, so we'll need to create it. We might
100 * also need to create the register.
101 */
102 down_write(&ns->persistent_keyring_register_sem);
103 persistent_ref = key_create_persistent(ns, uid, &index_key);
104 up_write(&ns->persistent_keyring_register_sem);
105 if (!IS_ERR(persistent_ref))
106 goto found;
107
108 return PTR_ERR(persistent_ref);
109
110found:
111 ret = key_task_permission(persistent_ref, current_cred(), KEY_LINK);
112 if (ret == 0) {
113 persistent = key_ref_to_ptr(persistent_ref);
114 ret = key_link(key_ref_to_ptr(dest_ref), persistent);
115 if (ret == 0) {
116 key_set_timeout(persistent, persistent_keyring_expiry);
117 ret = persistent->serial;
118 }
119 }
120
121 key_ref_put(persistent_ref);
122 return ret;
123}
124
125/*
126 * Get the persistent keyring for a specific UID and link it to the nominated
127 * keyring.
128 */
129long keyctl_get_persistent(uid_t _uid, key_serial_t destid)
130{
131 struct user_namespace *ns = current_user_ns();
132 key_ref_t dest_ref;
133 kuid_t uid;
134 long ret;
135
136 /* -1 indicates the current user */
137 if (_uid == (uid_t)-1) {
138 uid = current_uid();
139 } else {
140 uid = make_kuid(ns, _uid);
141 if (!uid_valid(uid))
142 return -EINVAL;
143
144 /* You can only see your own persistent cache if you're not
145 * sufficiently privileged.
146 */
147 if (uid_eq(uid, current_uid()) &&
148 uid_eq(uid, current_suid()) &&
149 uid_eq(uid, current_euid()) &&
150 uid_eq(uid, current_fsuid()) &&
151 !ns_capable(ns, CAP_SETUID))
152 return -EPERM;
153 }
154
155 /* There must be a destination keyring */
156 dest_ref = lookup_user_key(destid, KEY_LOOKUP_CREATE, KEY_WRITE);
157 if (IS_ERR(dest_ref))
158 return PTR_ERR(dest_ref);
159 if (key_ref_to_ptr(dest_ref)->type != &key_type_keyring) {
160 ret = -ENOTDIR;
161 goto out_put_dest;
162 }
163
164 ret = key_get_persistent(ns, uid, dest_ref);
165
166out_put_dest:
167 key_ref_put(dest_ref);
168 return ret;
169}
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 217b6855e815..88e9a466940f 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -182,7 +182,6 @@ static void proc_keys_stop(struct seq_file *p, void *v)
182 182
183static int proc_keys_show(struct seq_file *m, void *v) 183static int proc_keys_show(struct seq_file *m, void *v)
184{ 184{
185 const struct cred *cred = current_cred();
186 struct rb_node *_p = v; 185 struct rb_node *_p = v;
187 struct key *key = rb_entry(_p, struct key, serial_node); 186 struct key *key = rb_entry(_p, struct key, serial_node);
188 struct timespec now; 187 struct timespec now;
@@ -191,15 +190,23 @@ static int proc_keys_show(struct seq_file *m, void *v)
191 char xbuf[12]; 190 char xbuf[12];
192 int rc; 191 int rc;
193 192
193 struct keyring_search_context ctx = {
194 .index_key.type = key->type,
195 .index_key.description = key->description,
196 .cred = current_cred(),
197 .match = lookup_user_key_possessed,
198 .match_data = key,
199 .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
200 KEYRING_SEARCH_LOOKUP_DIRECT),
201 };
202
194 key_ref = make_key_ref(key, 0); 203 key_ref = make_key_ref(key, 0);
195 204
196 /* determine if the key is possessed by this process (a test we can 205 /* determine if the key is possessed by this process (a test we can
197 * skip if the key does not indicate the possessor can view it 206 * skip if the key does not indicate the possessor can view it
198 */ 207 */
199 if (key->perm & KEY_POS_VIEW) { 208 if (key->perm & KEY_POS_VIEW) {
200 skey_ref = search_my_process_keyrings(key->type, key, 209 skey_ref = search_my_process_keyrings(&ctx);
201 lookup_user_key_possessed,
202 true, cred);
203 if (!IS_ERR(skey_ref)) { 210 if (!IS_ERR(skey_ref)) {
204 key_ref_put(skey_ref); 211 key_ref_put(skey_ref);
205 key_ref = make_key_ref(key, 1); 212 key_ref = make_key_ref(key, 1);
@@ -211,7 +218,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
211 * - the caller holds a spinlock, and thus the RCU read lock, making our 218 * - the caller holds a spinlock, and thus the RCU read lock, making our
212 * access to __current_cred() safe 219 * access to __current_cred() safe
213 */ 220 */
214 rc = key_task_permission(key_ref, cred, KEY_VIEW); 221 rc = key_task_permission(key_ref, ctx.cred, KEY_VIEW);
215 if (rc < 0) 222 if (rc < 0)
216 return 0; 223 return 0;
217 224
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 42defae1e161..0cf8a130a267 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -235,7 +235,7 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
235 if (IS_ERR(keyring)) 235 if (IS_ERR(keyring))
236 return PTR_ERR(keyring); 236 return PTR_ERR(keyring);
237 } else { 237 } else {
238 atomic_inc(&keyring->usage); 238 __key_get(keyring);
239 } 239 }
240 240
241 /* install the keyring */ 241 /* install the keyring */
@@ -319,11 +319,7 @@ void key_fsgid_changed(struct task_struct *tsk)
319 * In the case of a successful return, the possession attribute is set on the 319 * In the case of a successful return, the possession attribute is set on the
320 * returned key reference. 320 * returned key reference.
321 */ 321 */
322key_ref_t search_my_process_keyrings(struct key_type *type, 322key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx)
323 const void *description,
324 key_match_func_t match,
325 bool no_state_check,
326 const struct cred *cred)
327{ 323{
328 key_ref_t key_ref, ret, err; 324 key_ref_t key_ref, ret, err;
329 325
@@ -339,10 +335,9 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
339 err = ERR_PTR(-EAGAIN); 335 err = ERR_PTR(-EAGAIN);
340 336
341 /* search the thread keyring first */ 337 /* search the thread keyring first */
342 if (cred->thread_keyring) { 338 if (ctx->cred->thread_keyring) {
343 key_ref = keyring_search_aux( 339 key_ref = keyring_search_aux(
344 make_key_ref(cred->thread_keyring, 1), 340 make_key_ref(ctx->cred->thread_keyring, 1), ctx);
345 cred, type, description, match, no_state_check);
346 if (!IS_ERR(key_ref)) 341 if (!IS_ERR(key_ref))
347 goto found; 342 goto found;
348 343
@@ -358,10 +353,9 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
358 } 353 }
359 354
360 /* search the process keyring second */ 355 /* search the process keyring second */
361 if (cred->process_keyring) { 356 if (ctx->cred->process_keyring) {
362 key_ref = keyring_search_aux( 357 key_ref = keyring_search_aux(
363 make_key_ref(cred->process_keyring, 1), 358 make_key_ref(ctx->cred->process_keyring, 1), ctx);
364 cred, type, description, match, no_state_check);
365 if (!IS_ERR(key_ref)) 359 if (!IS_ERR(key_ref))
366 goto found; 360 goto found;
367 361
@@ -379,11 +373,11 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
379 } 373 }
380 374
381 /* search the session keyring */ 375 /* search the session keyring */
382 if (cred->session_keyring) { 376 if (ctx->cred->session_keyring) {
383 rcu_read_lock(); 377 rcu_read_lock();
384 key_ref = keyring_search_aux( 378 key_ref = keyring_search_aux(
385 make_key_ref(rcu_dereference(cred->session_keyring), 1), 379 make_key_ref(rcu_dereference(ctx->cred->session_keyring), 1),
386 cred, type, description, match, no_state_check); 380 ctx);
387 rcu_read_unlock(); 381 rcu_read_unlock();
388 382
389 if (!IS_ERR(key_ref)) 383 if (!IS_ERR(key_ref))
@@ -402,10 +396,10 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
402 } 396 }
403 } 397 }
404 /* or search the user-session keyring */ 398 /* or search the user-session keyring */
405 else if (cred->user->session_keyring) { 399 else if (ctx->cred->user->session_keyring) {
406 key_ref = keyring_search_aux( 400 key_ref = keyring_search_aux(
407 make_key_ref(cred->user->session_keyring, 1), 401 make_key_ref(ctx->cred->user->session_keyring, 1),
408 cred, type, description, match, no_state_check); 402 ctx);
409 if (!IS_ERR(key_ref)) 403 if (!IS_ERR(key_ref))
410 goto found; 404 goto found;
411 405
@@ -437,18 +431,14 @@ found:
437 * 431 *
438 * Return same as search_my_process_keyrings(). 432 * Return same as search_my_process_keyrings().
439 */ 433 */
440key_ref_t search_process_keyrings(struct key_type *type, 434key_ref_t search_process_keyrings(struct keyring_search_context *ctx)
441 const void *description,
442 key_match_func_t match,
443 const struct cred *cred)
444{ 435{
445 struct request_key_auth *rka; 436 struct request_key_auth *rka;
446 key_ref_t key_ref, ret = ERR_PTR(-EACCES), err; 437 key_ref_t key_ref, ret = ERR_PTR(-EACCES), err;
447 438
448 might_sleep(); 439 might_sleep();
449 440
450 key_ref = search_my_process_keyrings(type, description, match, 441 key_ref = search_my_process_keyrings(ctx);
451 false, cred);
452 if (!IS_ERR(key_ref)) 442 if (!IS_ERR(key_ref))
453 goto found; 443 goto found;
454 err = key_ref; 444 err = key_ref;
@@ -457,18 +447,21 @@ key_ref_t search_process_keyrings(struct key_type *type,
457 * search the keyrings of the process mentioned there 447 * search the keyrings of the process mentioned there
458 * - we don't permit access to request_key auth keys via this method 448 * - we don't permit access to request_key auth keys via this method
459 */ 449 */
460 if (cred->request_key_auth && 450 if (ctx->cred->request_key_auth &&
461 cred == current_cred() && 451 ctx->cred == current_cred() &&
462 type != &key_type_request_key_auth 452 ctx->index_key.type != &key_type_request_key_auth
463 ) { 453 ) {
454 const struct cred *cred = ctx->cred;
455
464 /* defend against the auth key being revoked */ 456 /* defend against the auth key being revoked */
465 down_read(&cred->request_key_auth->sem); 457 down_read(&cred->request_key_auth->sem);
466 458
467 if (key_validate(cred->request_key_auth) == 0) { 459 if (key_validate(ctx->cred->request_key_auth) == 0) {
468 rka = cred->request_key_auth->payload.data; 460 rka = ctx->cred->request_key_auth->payload.data;
469 461
470 key_ref = search_process_keyrings(type, description, 462 ctx->cred = rka->cred;
471 match, rka->cred); 463 key_ref = search_process_keyrings(ctx);
464 ctx->cred = cred;
472 465
473 up_read(&cred->request_key_auth->sem); 466 up_read(&cred->request_key_auth->sem);
474 467
@@ -522,19 +515,23 @@ int lookup_user_key_possessed(const struct key *key, const void *target)
522key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, 515key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
523 key_perm_t perm) 516 key_perm_t perm)
524{ 517{
518 struct keyring_search_context ctx = {
519 .match = lookup_user_key_possessed,
520 .flags = (KEYRING_SEARCH_NO_STATE_CHECK |
521 KEYRING_SEARCH_LOOKUP_DIRECT),
522 };
525 struct request_key_auth *rka; 523 struct request_key_auth *rka;
526 const struct cred *cred;
527 struct key *key; 524 struct key *key;
528 key_ref_t key_ref, skey_ref; 525 key_ref_t key_ref, skey_ref;
529 int ret; 526 int ret;
530 527
531try_again: 528try_again:
532 cred = get_current_cred(); 529 ctx.cred = get_current_cred();
533 key_ref = ERR_PTR(-ENOKEY); 530 key_ref = ERR_PTR(-ENOKEY);
534 531
535 switch (id) { 532 switch (id) {
536 case KEY_SPEC_THREAD_KEYRING: 533 case KEY_SPEC_THREAD_KEYRING:
537 if (!cred->thread_keyring) { 534 if (!ctx.cred->thread_keyring) {
538 if (!(lflags & KEY_LOOKUP_CREATE)) 535 if (!(lflags & KEY_LOOKUP_CREATE))
539 goto error; 536 goto error;
540 537
@@ -546,13 +543,13 @@ try_again:
546 goto reget_creds; 543 goto reget_creds;
547 } 544 }
548 545
549 key = cred->thread_keyring; 546 key = ctx.cred->thread_keyring;
550 atomic_inc(&key->usage); 547 __key_get(key);
551 key_ref = make_key_ref(key, 1); 548 key_ref = make_key_ref(key, 1);
552 break; 549 break;
553 550
554 case KEY_SPEC_PROCESS_KEYRING: 551 case KEY_SPEC_PROCESS_KEYRING:
555 if (!cred->process_keyring) { 552 if (!ctx.cred->process_keyring) {
556 if (!(lflags & KEY_LOOKUP_CREATE)) 553 if (!(lflags & KEY_LOOKUP_CREATE))
557 goto error; 554 goto error;
558 555
@@ -564,13 +561,13 @@ try_again:
564 goto reget_creds; 561 goto reget_creds;
565 } 562 }
566 563
567 key = cred->process_keyring; 564 key = ctx.cred->process_keyring;
568 atomic_inc(&key->usage); 565 __key_get(key);
569 key_ref = make_key_ref(key, 1); 566 key_ref = make_key_ref(key, 1);
570 break; 567 break;
571 568
572 case KEY_SPEC_SESSION_KEYRING: 569 case KEY_SPEC_SESSION_KEYRING:
573 if (!cred->session_keyring) { 570 if (!ctx.cred->session_keyring) {
574 /* always install a session keyring upon access if one 571 /* always install a session keyring upon access if one
575 * doesn't exist yet */ 572 * doesn't exist yet */
576 ret = install_user_keyrings(); 573 ret = install_user_keyrings();
@@ -580,13 +577,13 @@ try_again:
580 ret = join_session_keyring(NULL); 577 ret = join_session_keyring(NULL);
581 else 578 else
582 ret = install_session_keyring( 579 ret = install_session_keyring(
583 cred->user->session_keyring); 580 ctx.cred->user->session_keyring);
584 581
585 if (ret < 0) 582 if (ret < 0)
586 goto error; 583 goto error;
587 goto reget_creds; 584 goto reget_creds;
588 } else if (cred->session_keyring == 585 } else if (ctx.cred->session_keyring ==
589 cred->user->session_keyring && 586 ctx.cred->user->session_keyring &&
590 lflags & KEY_LOOKUP_CREATE) { 587 lflags & KEY_LOOKUP_CREATE) {
591 ret = join_session_keyring(NULL); 588 ret = join_session_keyring(NULL);
592 if (ret < 0) 589 if (ret < 0)
@@ -595,33 +592,33 @@ try_again:
595 } 592 }
596 593
597 rcu_read_lock(); 594 rcu_read_lock();
598 key = rcu_dereference(cred->session_keyring); 595 key = rcu_dereference(ctx.cred->session_keyring);
599 atomic_inc(&key->usage); 596 __key_get(key);
600 rcu_read_unlock(); 597 rcu_read_unlock();
601 key_ref = make_key_ref(key, 1); 598 key_ref = make_key_ref(key, 1);
602 break; 599 break;
603 600
604 case KEY_SPEC_USER_KEYRING: 601 case KEY_SPEC_USER_KEYRING:
605 if (!cred->user->uid_keyring) { 602 if (!ctx.cred->user->uid_keyring) {
606 ret = install_user_keyrings(); 603 ret = install_user_keyrings();
607 if (ret < 0) 604 if (ret < 0)
608 goto error; 605 goto error;
609 } 606 }
610 607
611 key = cred->user->uid_keyring; 608 key = ctx.cred->user->uid_keyring;
612 atomic_inc(&key->usage); 609 __key_get(key);
613 key_ref = make_key_ref(key, 1); 610 key_ref = make_key_ref(key, 1);
614 break; 611 break;
615 612
616 case KEY_SPEC_USER_SESSION_KEYRING: 613 case KEY_SPEC_USER_SESSION_KEYRING:
617 if (!cred->user->session_keyring) { 614 if (!ctx.cred->user->session_keyring) {
618 ret = install_user_keyrings(); 615 ret = install_user_keyrings();
619 if (ret < 0) 616 if (ret < 0)
620 goto error; 617 goto error;
621 } 618 }
622 619
623 key = cred->user->session_keyring; 620 key = ctx.cred->user->session_keyring;
624 atomic_inc(&key->usage); 621 __key_get(key);
625 key_ref = make_key_ref(key, 1); 622 key_ref = make_key_ref(key, 1);
626 break; 623 break;
627 624
@@ -631,29 +628,29 @@ try_again:
631 goto error; 628 goto error;
632 629
633 case KEY_SPEC_REQKEY_AUTH_KEY: 630 case KEY_SPEC_REQKEY_AUTH_KEY:
634 key = cred->request_key_auth; 631 key = ctx.cred->request_key_auth;
635 if (!key) 632 if (!key)
636 goto error; 633 goto error;
637 634
638 atomic_inc(&key->usage); 635 __key_get(key);
639 key_ref = make_key_ref(key, 1); 636 key_ref = make_key_ref(key, 1);
640 break; 637 break;
641 638
642 case KEY_SPEC_REQUESTOR_KEYRING: 639 case KEY_SPEC_REQUESTOR_KEYRING:
643 if (!cred->request_key_auth) 640 if (!ctx.cred->request_key_auth)
644 goto error; 641 goto error;
645 642
646 down_read(&cred->request_key_auth->sem); 643 down_read(&ctx.cred->request_key_auth->sem);
647 if (test_bit(KEY_FLAG_REVOKED, 644 if (test_bit(KEY_FLAG_REVOKED,
648 &cred->request_key_auth->flags)) { 645 &ctx.cred->request_key_auth->flags)) {
649 key_ref = ERR_PTR(-EKEYREVOKED); 646 key_ref = ERR_PTR(-EKEYREVOKED);
650 key = NULL; 647 key = NULL;
651 } else { 648 } else {
652 rka = cred->request_key_auth->payload.data; 649 rka = ctx.cred->request_key_auth->payload.data;
653 key = rka->dest_keyring; 650 key = rka->dest_keyring;
654 atomic_inc(&key->usage); 651 __key_get(key);
655 } 652 }
656 up_read(&cred->request_key_auth->sem); 653 up_read(&ctx.cred->request_key_auth->sem);
657 if (!key) 654 if (!key)
658 goto error; 655 goto error;
659 key_ref = make_key_ref(key, 1); 656 key_ref = make_key_ref(key, 1);
@@ -673,9 +670,13 @@ try_again:
673 key_ref = make_key_ref(key, 0); 670 key_ref = make_key_ref(key, 0);
674 671
675 /* check to see if we possess the key */ 672 /* check to see if we possess the key */
676 skey_ref = search_process_keyrings(key->type, key, 673 ctx.index_key.type = key->type;
677 lookup_user_key_possessed, 674 ctx.index_key.description = key->description;
678 cred); 675 ctx.index_key.desc_len = strlen(key->description);
676 ctx.match_data = key;
677 kdebug("check possessed");
678 skey_ref = search_process_keyrings(&ctx);
679 kdebug("possessed=%p", skey_ref);
679 680
680 if (!IS_ERR(skey_ref)) { 681 if (!IS_ERR(skey_ref)) {
681 key_put(key); 682 key_put(key);
@@ -715,14 +716,14 @@ try_again:
715 goto invalid_key; 716 goto invalid_key;
716 717
717 /* check the permissions */ 718 /* check the permissions */
718 ret = key_task_permission(key_ref, cred, perm); 719 ret = key_task_permission(key_ref, ctx.cred, perm);
719 if (ret < 0) 720 if (ret < 0)
720 goto invalid_key; 721 goto invalid_key;
721 722
722 key->last_used_at = current_kernel_time().tv_sec; 723 key->last_used_at = current_kernel_time().tv_sec;
723 724
724error: 725error:
725 put_cred(cred); 726 put_cred(ctx.cred);
726 return key_ref; 727 return key_ref;
727 728
728invalid_key: 729invalid_key:
@@ -733,7 +734,7 @@ invalid_key:
733 /* if we attempted to install a keyring, then it may have caused new 734 /* if we attempted to install a keyring, then it may have caused new
734 * creds to be installed */ 735 * creds to be installed */
735reget_creds: 736reget_creds:
736 put_cred(cred); 737 put_cred(ctx.cred);
737 goto try_again; 738 goto try_again;
738} 739}
739 740
@@ -856,3 +857,13 @@ void key_change_session_keyring(struct callback_head *twork)
856 857
857 commit_creds(new); 858 commit_creds(new);
858} 859}
860
861/*
862 * Make sure that root's user and user-session keyrings exist.
863 */
864static int __init init_root_keyring(void)
865{
866 return install_user_keyrings();
867}
868
869late_initcall(init_root_keyring);
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index c411f9bb156b..df94827103d0 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -345,33 +345,34 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
345 * May return a key that's already under construction instead if there was a 345 * May return a key that's already under construction instead if there was a
346 * race between two thread calling request_key(). 346 * race between two thread calling request_key().
347 */ 347 */
348static int construct_alloc_key(struct key_type *type, 348static int construct_alloc_key(struct keyring_search_context *ctx,
349 const char *description,
350 struct key *dest_keyring, 349 struct key *dest_keyring,
351 unsigned long flags, 350 unsigned long flags,
352 struct key_user *user, 351 struct key_user *user,
353 struct key **_key) 352 struct key **_key)
354{ 353{
355 const struct cred *cred = current_cred(); 354 struct assoc_array_edit *edit;
356 unsigned long prealloc;
357 struct key *key; 355 struct key *key;
358 key_perm_t perm; 356 key_perm_t perm;
359 key_ref_t key_ref; 357 key_ref_t key_ref;
360 int ret; 358 int ret;
361 359
362 kenter("%s,%s,,,", type->name, description); 360 kenter("%s,%s,,,",
361 ctx->index_key.type->name, ctx->index_key.description);
363 362
364 *_key = NULL; 363 *_key = NULL;
365 mutex_lock(&user->cons_lock); 364 mutex_lock(&user->cons_lock);
366 365
367 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR; 366 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
368 perm |= KEY_USR_VIEW; 367 perm |= KEY_USR_VIEW;
369 if (type->read) 368 if (ctx->index_key.type->read)
370 perm |= KEY_POS_READ; 369 perm |= KEY_POS_READ;
371 if (type == &key_type_keyring || type->update) 370 if (ctx->index_key.type == &key_type_keyring ||
371 ctx->index_key.type->update)
372 perm |= KEY_POS_WRITE; 372 perm |= KEY_POS_WRITE;
373 373
374 key = key_alloc(type, description, cred->fsuid, cred->fsgid, cred, 374 key = key_alloc(ctx->index_key.type, ctx->index_key.description,
375 ctx->cred->fsuid, ctx->cred->fsgid, ctx->cred,
375 perm, flags); 376 perm, flags);
376 if (IS_ERR(key)) 377 if (IS_ERR(key))
377 goto alloc_failed; 378 goto alloc_failed;
@@ -379,8 +380,7 @@ static int construct_alloc_key(struct key_type *type,
379 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); 380 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
380 381
381 if (dest_keyring) { 382 if (dest_keyring) {
382 ret = __key_link_begin(dest_keyring, type, description, 383 ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit);
383 &prealloc);
384 if (ret < 0) 384 if (ret < 0)
385 goto link_prealloc_failed; 385 goto link_prealloc_failed;
386 } 386 }
@@ -390,16 +390,16 @@ static int construct_alloc_key(struct key_type *type,
390 * waited for locks */ 390 * waited for locks */
391 mutex_lock(&key_construction_mutex); 391 mutex_lock(&key_construction_mutex);
392 392
393 key_ref = search_process_keyrings(type, description, type->match, cred); 393 key_ref = search_process_keyrings(ctx);
394 if (!IS_ERR(key_ref)) 394 if (!IS_ERR(key_ref))
395 goto key_already_present; 395 goto key_already_present;
396 396
397 if (dest_keyring) 397 if (dest_keyring)
398 __key_link(dest_keyring, key, &prealloc); 398 __key_link(key, &edit);
399 399
400 mutex_unlock(&key_construction_mutex); 400 mutex_unlock(&key_construction_mutex);
401 if (dest_keyring) 401 if (dest_keyring)
402 __key_link_end(dest_keyring, type, prealloc); 402 __key_link_end(dest_keyring, &ctx->index_key, edit);
403 mutex_unlock(&user->cons_lock); 403 mutex_unlock(&user->cons_lock);
404 *_key = key; 404 *_key = key;
405 kleave(" = 0 [%d]", key_serial(key)); 405 kleave(" = 0 [%d]", key_serial(key));
@@ -414,8 +414,8 @@ key_already_present:
414 if (dest_keyring) { 414 if (dest_keyring) {
415 ret = __key_link_check_live_key(dest_keyring, key); 415 ret = __key_link_check_live_key(dest_keyring, key);
416 if (ret == 0) 416 if (ret == 0)
417 __key_link(dest_keyring, key, &prealloc); 417 __key_link(key, &edit);
418 __key_link_end(dest_keyring, type, prealloc); 418 __key_link_end(dest_keyring, &ctx->index_key, edit);
419 if (ret < 0) 419 if (ret < 0)
420 goto link_check_failed; 420 goto link_check_failed;
421 } 421 }
@@ -444,8 +444,7 @@ alloc_failed:
444/* 444/*
445 * Commence key construction. 445 * Commence key construction.
446 */ 446 */
447static struct key *construct_key_and_link(struct key_type *type, 447static struct key *construct_key_and_link(struct keyring_search_context *ctx,
448 const char *description,
449 const char *callout_info, 448 const char *callout_info,
450 size_t callout_len, 449 size_t callout_len,
451 void *aux, 450 void *aux,
@@ -464,8 +463,7 @@ static struct key *construct_key_and_link(struct key_type *type,
464 463
465 construct_get_dest_keyring(&dest_keyring); 464 construct_get_dest_keyring(&dest_keyring);
466 465
467 ret = construct_alloc_key(type, description, dest_keyring, flags, user, 466 ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
468 &key);
469 key_user_put(user); 467 key_user_put(user);
470 468
471 if (ret == 0) { 469 if (ret == 0) {
@@ -529,17 +527,24 @@ struct key *request_key_and_link(struct key_type *type,
529 struct key *dest_keyring, 527 struct key *dest_keyring,
530 unsigned long flags) 528 unsigned long flags)
531{ 529{
532 const struct cred *cred = current_cred(); 530 struct keyring_search_context ctx = {
531 .index_key.type = type,
532 .index_key.description = description,
533 .cred = current_cred(),
534 .match = type->match,
535 .match_data = description,
536 .flags = KEYRING_SEARCH_LOOKUP_DIRECT,
537 };
533 struct key *key; 538 struct key *key;
534 key_ref_t key_ref; 539 key_ref_t key_ref;
535 int ret; 540 int ret;
536 541
537 kenter("%s,%s,%p,%zu,%p,%p,%lx", 542 kenter("%s,%s,%p,%zu,%p,%p,%lx",
538 type->name, description, callout_info, callout_len, aux, 543 ctx.index_key.type->name, ctx.index_key.description,
539 dest_keyring, flags); 544 callout_info, callout_len, aux, dest_keyring, flags);
540 545
541 /* search all the process keyrings for a key */ 546 /* search all the process keyrings for a key */
542 key_ref = search_process_keyrings(type, description, type->match, cred); 547 key_ref = search_process_keyrings(&ctx);
543 548
544 if (!IS_ERR(key_ref)) { 549 if (!IS_ERR(key_ref)) {
545 key = key_ref_to_ptr(key_ref); 550 key = key_ref_to_ptr(key_ref);
@@ -562,9 +567,8 @@ struct key *request_key_and_link(struct key_type *type,
562 if (!callout_info) 567 if (!callout_info)
563 goto error; 568 goto error;
564 569
565 key = construct_key_and_link(type, description, callout_info, 570 key = construct_key_and_link(&ctx, callout_info, callout_len,
566 callout_len, aux, dest_keyring, 571 aux, dest_keyring, flags);
567 flags);
568 } 572 }
569 573
570error: 574error:
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 85730d5a5a59..7495a93b4b90 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -18,6 +18,7 @@
18#include <linux/slab.h> 18#include <linux/slab.h>
19#include <asm/uaccess.h> 19#include <asm/uaccess.h>
20#include "internal.h" 20#include "internal.h"
21#include <keys/user-type.h>
21 22
22static int request_key_auth_instantiate(struct key *, 23static int request_key_auth_instantiate(struct key *,
23 struct key_preparsed_payload *); 24 struct key_preparsed_payload *);
@@ -222,32 +223,26 @@ error_alloc:
222} 223}
223 224
224/* 225/*
225 * See if an authorisation key is associated with a particular key.
226 */
227static int key_get_instantiation_authkey_match(const struct key *key,
228 const void *_id)
229{
230 struct request_key_auth *rka = key->payload.data;
231 key_serial_t id = (key_serial_t)(unsigned long) _id;
232
233 return rka->target_key->serial == id;
234}
235
236/*
237 * Search the current process's keyrings for the authorisation key for 226 * Search the current process's keyrings for the authorisation key for
238 * instantiation of a key. 227 * instantiation of a key.
239 */ 228 */
240struct key *key_get_instantiation_authkey(key_serial_t target_id) 229struct key *key_get_instantiation_authkey(key_serial_t target_id)
241{ 230{
242 const struct cred *cred = current_cred(); 231 char description[16];
232 struct keyring_search_context ctx = {
233 .index_key.type = &key_type_request_key_auth,
234 .index_key.description = description,
235 .cred = current_cred(),
236 .match = user_match,
237 .match_data = description,
238 .flags = KEYRING_SEARCH_LOOKUP_DIRECT,
239 };
243 struct key *authkey; 240 struct key *authkey;
244 key_ref_t authkey_ref; 241 key_ref_t authkey_ref;
245 242
246 authkey_ref = search_process_keyrings( 243 sprintf(description, "%x", target_id);
247 &key_type_request_key_auth, 244
248 (void *) (unsigned long) target_id, 245 authkey_ref = search_process_keyrings(&ctx);
249 key_get_instantiation_authkey_match,
250 cred);
251 246
252 if (IS_ERR(authkey_ref)) { 247 if (IS_ERR(authkey_ref)) {
253 authkey = ERR_CAST(authkey_ref); 248 authkey = ERR_CAST(authkey_ref);
diff --git a/security/keys/sysctl.c b/security/keys/sysctl.c
index ee32d181764a..8c0af08760c8 100644
--- a/security/keys/sysctl.c
+++ b/security/keys/sysctl.c
@@ -61,5 +61,16 @@ ctl_table key_sysctls[] = {
61 .extra1 = (void *) &zero, 61 .extra1 = (void *) &zero,
62 .extra2 = (void *) &max, 62 .extra2 = (void *) &max,
63 }, 63 },
64#ifdef CONFIG_PERSISTENT_KEYRINGS
65 {
66 .procname = "persistent_keyring_expiry",
67 .data = &persistent_keyring_expiry,
68 .maxlen = sizeof(unsigned),
69 .mode = 0644,
70 .proc_handler = proc_dointvec_minmax,
71 .extra1 = (void *) &zero,
72 .extra2 = (void *) &max,
73 },
74#endif
64 { } 75 { }
65}; 76};
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 55dc88939185..faa2caeb593f 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -25,14 +25,15 @@ static int logon_vet_description(const char *desc);
25 * arbitrary blob of data as the payload 25 * arbitrary blob of data as the payload
26 */ 26 */
27struct key_type key_type_user = { 27struct key_type key_type_user = {
28 .name = "user", 28 .name = "user",
29 .instantiate = user_instantiate, 29 .def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
30 .update = user_update, 30 .instantiate = user_instantiate,
31 .match = user_match, 31 .update = user_update,
32 .revoke = user_revoke, 32 .match = user_match,
33 .destroy = user_destroy, 33 .revoke = user_revoke,
34 .describe = user_describe, 34 .destroy = user_destroy,
35 .read = user_read, 35 .describe = user_describe,
36 .read = user_read,
36}; 37};
37 38
38EXPORT_SYMBOL_GPL(key_type_user); 39EXPORT_SYMBOL_GPL(key_type_user);
@@ -45,6 +46,7 @@ EXPORT_SYMBOL_GPL(key_type_user);
45 */ 46 */
46struct key_type key_type_logon = { 47struct key_type key_type_logon = {
47 .name = "logon", 48 .name = "logon",
49 .def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
48 .instantiate = user_instantiate, 50 .instantiate = user_instantiate,
49 .update = user_update, 51 .update = user_update,
50 .match = user_match, 52 .match = user_match,
diff --git a/security/security.c b/security/security.c
index 4dc31f4f2700..15b6928592ef 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1340,22 +1340,17 @@ int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
1340 return security_ops->xfrm_policy_delete_security(ctx); 1340 return security_ops->xfrm_policy_delete_security(ctx);
1341} 1341}
1342 1342
1343int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 1343int security_xfrm_state_alloc(struct xfrm_state *x,
1344 struct xfrm_user_sec_ctx *sec_ctx)
1344{ 1345{
1345 return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0); 1346 return security_ops->xfrm_state_alloc(x, sec_ctx);
1346} 1347}
1347EXPORT_SYMBOL(security_xfrm_state_alloc); 1348EXPORT_SYMBOL(security_xfrm_state_alloc);
1348 1349
1349int security_xfrm_state_alloc_acquire(struct xfrm_state *x, 1350int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
1350 struct xfrm_sec_ctx *polsec, u32 secid) 1351 struct xfrm_sec_ctx *polsec, u32 secid)
1351{ 1352{
1352 if (!polsec) 1353 return security_ops->xfrm_state_alloc_acquire(x, polsec, secid);
1353 return 0;
1354 /*
1355 * We want the context to be taken from secid which is usually
1356 * from the sock.
1357 */
1358 return security_ops->xfrm_state_alloc_security(x, NULL, secid);
1359} 1354}
1360 1355
1361int security_xfrm_state_delete(struct xfrm_state *x) 1356int security_xfrm_state_delete(struct xfrm_state *x)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a5091ec06aa6..6d0bf5c0c832 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -95,7 +95,9 @@
95#include "audit.h" 95#include "audit.h"
96#include "avc_ss.h" 96#include "avc_ss.h"
97 97
98#define NUM_SEL_MNT_OPTS 5 98#define SB_TYPE_FMT "%s%s%s"
99#define SB_SUBTYPE(sb) (sb->s_subtype && sb->s_subtype[0])
100#define SB_TYPE_ARGS(sb) sb->s_type->name, SB_SUBTYPE(sb) ? "." : "", SB_SUBTYPE(sb) ? sb->s_subtype : ""
99 101
100extern struct security_operations *security_ops; 102extern struct security_operations *security_ops;
101 103
@@ -139,12 +141,28 @@ static struct kmem_cache *sel_inode_cache;
139 * This function checks the SECMARK reference counter to see if any SECMARK 141 * This function checks the SECMARK reference counter to see if any SECMARK
140 * targets are currently configured, if the reference counter is greater than 142 * targets are currently configured, if the reference counter is greater than
141 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 143 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
142 * enabled, false (0) if SECMARK is disabled. 144 * enabled, false (0) if SECMARK is disabled. If the always_check_network
145 * policy capability is enabled, SECMARK is always considered enabled.
143 * 146 *
144 */ 147 */
145static int selinux_secmark_enabled(void) 148static int selinux_secmark_enabled(void)
146{ 149{
147 return (atomic_read(&selinux_secmark_refcount) > 0); 150 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
151}
152
153/**
154 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
155 *
156 * Description:
157 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
158 * (1) if any are enabled or false (0) if neither are enabled. If the
159 * always_check_network policy capability is enabled, peer labeling
160 * is always considered enabled.
161 *
162 */
163static int selinux_peerlbl_enabled(void)
164{
165 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
148} 166}
149 167
150/* 168/*
@@ -309,8 +327,11 @@ enum {
309 Opt_defcontext = 3, 327 Opt_defcontext = 3,
310 Opt_rootcontext = 4, 328 Opt_rootcontext = 4,
311 Opt_labelsupport = 5, 329 Opt_labelsupport = 5,
330 Opt_nextmntopt = 6,
312}; 331};
313 332
333#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
334
314static const match_table_t tokens = { 335static const match_table_t tokens = {
315 {Opt_context, CONTEXT_STR "%s"}, 336 {Opt_context, CONTEXT_STR "%s"},
316 {Opt_fscontext, FSCONTEXT_STR "%s"}, 337 {Opt_fscontext, FSCONTEXT_STR "%s"},
@@ -355,6 +376,29 @@ static int may_context_mount_inode_relabel(u32 sid,
355 return rc; 376 return rc;
356} 377}
357 378
379static int selinux_is_sblabel_mnt(struct super_block *sb)
380{
381 struct superblock_security_struct *sbsec = sb->s_security;
382
383 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
384 sbsec->behavior == SECURITY_FS_USE_TRANS ||
385 sbsec->behavior == SECURITY_FS_USE_TASK)
386 return 1;
387
388 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
389 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
390 return 1;
391
392 /*
393 * Special handling for rootfs. Is genfs but supports
394 * setting SELinux context on in-core inodes.
395 */
396 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
397 return 1;
398
399 return 0;
400}
401
358static int sb_finish_set_opts(struct super_block *sb) 402static int sb_finish_set_opts(struct super_block *sb)
359{ 403{
360 struct superblock_security_struct *sbsec = sb->s_security; 404 struct superblock_security_struct *sbsec = sb->s_security;
@@ -369,8 +413,8 @@ static int sb_finish_set_opts(struct super_block *sb)
369 the first boot of the SELinux kernel before we have 413 the first boot of the SELinux kernel before we have
370 assigned xattr values to the filesystem. */ 414 assigned xattr values to the filesystem. */
371 if (!root_inode->i_op->getxattr) { 415 if (!root_inode->i_op->getxattr) {
372 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 416 printk(KERN_WARNING "SELinux: (dev %s, type "SB_TYPE_FMT") has no "
373 "xattr support\n", sb->s_id, sb->s_type->name); 417 "xattr support\n", sb->s_id, SB_TYPE_ARGS(sb));
374 rc = -EOPNOTSUPP; 418 rc = -EOPNOTSUPP;
375 goto out; 419 goto out;
376 } 420 }
@@ -378,35 +422,27 @@ static int sb_finish_set_opts(struct super_block *sb)
378 if (rc < 0 && rc != -ENODATA) { 422 if (rc < 0 && rc != -ENODATA) {
379 if (rc == -EOPNOTSUPP) 423 if (rc == -EOPNOTSUPP)
380 printk(KERN_WARNING "SELinux: (dev %s, type " 424 printk(KERN_WARNING "SELinux: (dev %s, type "
381 "%s) has no security xattr handler\n", 425 SB_TYPE_FMT") has no security xattr handler\n",
382 sb->s_id, sb->s_type->name); 426 sb->s_id, SB_TYPE_ARGS(sb));
383 else 427 else
384 printk(KERN_WARNING "SELinux: (dev %s, type " 428 printk(KERN_WARNING "SELinux: (dev %s, type "
385 "%s) getxattr errno %d\n", sb->s_id, 429 SB_TYPE_FMT") getxattr errno %d\n", sb->s_id,
386 sb->s_type->name, -rc); 430 SB_TYPE_ARGS(sb), -rc);
387 goto out; 431 goto out;
388 } 432 }
389 } 433 }
390 434
391 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
392
393 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 435 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
394 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 436 printk(KERN_ERR "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), unknown behavior\n",
395 sb->s_id, sb->s_type->name); 437 sb->s_id, SB_TYPE_ARGS(sb));
396 else 438 else
397 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", 439 printk(KERN_DEBUG "SELinux: initialized (dev %s, type "SB_TYPE_FMT"), %s\n",
398 sb->s_id, sb->s_type->name, 440 sb->s_id, SB_TYPE_ARGS(sb),
399 labeling_behaviors[sbsec->behavior-1]); 441 labeling_behaviors[sbsec->behavior-1]);
400 442
401 if (sbsec->behavior == SECURITY_FS_USE_GENFS || 443 sbsec->flags |= SE_SBINITIALIZED;
402 sbsec->behavior == SECURITY_FS_USE_MNTPOINT || 444 if (selinux_is_sblabel_mnt(sb))
403 sbsec->behavior == SECURITY_FS_USE_NONE || 445 sbsec->flags |= SBLABEL_MNT;
404 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
405 sbsec->flags &= ~SE_SBLABELSUPP;
406
407 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
408 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
409 sbsec->flags |= SE_SBLABELSUPP;
410 446
411 /* Initialize the root inode. */ 447 /* Initialize the root inode. */
412 rc = inode_doinit_with_dentry(root_inode, root); 448 rc = inode_doinit_with_dentry(root_inode, root);
@@ -460,15 +496,18 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
460 if (!ss_initialized) 496 if (!ss_initialized)
461 return -EINVAL; 497 return -EINVAL;
462 498
499 /* make sure we always check enough bits to cover the mask */
500 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
501
463 tmp = sbsec->flags & SE_MNTMASK; 502 tmp = sbsec->flags & SE_MNTMASK;
464 /* count the number of mount options for this sb */ 503 /* count the number of mount options for this sb */
465 for (i = 0; i < 8; i++) { 504 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
466 if (tmp & 0x01) 505 if (tmp & 0x01)
467 opts->num_mnt_opts++; 506 opts->num_mnt_opts++;
468 tmp >>= 1; 507 tmp >>= 1;
469 } 508 }
470 /* Check if the Label support flag is set */ 509 /* Check if the Label support flag is set */
471 if (sbsec->flags & SE_SBLABELSUPP) 510 if (sbsec->flags & SBLABEL_MNT)
472 opts->num_mnt_opts++; 511 opts->num_mnt_opts++;
473 512
474 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 513 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
@@ -515,9 +554,9 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
515 opts->mnt_opts[i] = context; 554 opts->mnt_opts[i] = context;
516 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 555 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517 } 556 }
518 if (sbsec->flags & SE_SBLABELSUPP) { 557 if (sbsec->flags & SBLABEL_MNT) {
519 opts->mnt_opts[i] = NULL; 558 opts->mnt_opts[i] = NULL;
520 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP; 559 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
521 } 560 }
522 561
523 BUG_ON(i != opts->num_mnt_opts); 562 BUG_ON(i != opts->num_mnt_opts);
@@ -561,7 +600,6 @@ static int selinux_set_mnt_opts(struct super_block *sb,
561 const struct cred *cred = current_cred(); 600 const struct cred *cred = current_cred();
562 int rc = 0, i; 601 int rc = 0, i;
563 struct superblock_security_struct *sbsec = sb->s_security; 602 struct superblock_security_struct *sbsec = sb->s_security;
564 const char *name = sb->s_type->name;
565 struct inode *inode = sbsec->sb->s_root->d_inode; 603 struct inode *inode = sbsec->sb->s_root->d_inode;
566 struct inode_security_struct *root_isec = inode->i_security; 604 struct inode_security_struct *root_isec = inode->i_security;
567 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 605 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
@@ -614,14 +652,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
614 for (i = 0; i < num_opts; i++) { 652 for (i = 0; i < num_opts; i++) {
615 u32 sid; 653 u32 sid;
616 654
617 if (flags[i] == SE_SBLABELSUPP) 655 if (flags[i] == SBLABEL_MNT)
618 continue; 656 continue;
619 rc = security_context_to_sid(mount_options[i], 657 rc = security_context_to_sid(mount_options[i],
620 strlen(mount_options[i]), &sid); 658 strlen(mount_options[i]), &sid);
621 if (rc) { 659 if (rc) {
622 printk(KERN_WARNING "SELinux: security_context_to_sid" 660 printk(KERN_WARNING "SELinux: security_context_to_sid"
623 "(%s) failed for (dev %s, type %s) errno=%d\n", 661 "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
624 mount_options[i], sb->s_id, name, rc); 662 mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
625 goto out; 663 goto out;
626 } 664 }
627 switch (flags[i]) { 665 switch (flags[i]) {
@@ -685,9 +723,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
685 * Determine the labeling behavior to use for this 723 * Determine the labeling behavior to use for this
686 * filesystem type. 724 * filesystem type.
687 */ 725 */
688 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? 726 rc = security_fs_use(sb);
689 "proc" : sb->s_type->name,
690 &sbsec->behavior, &sbsec->sid);
691 if (rc) { 727 if (rc) {
692 printk(KERN_WARNING 728 printk(KERN_WARNING
693 "%s: security_fs_use(%s) returned %d\n", 729 "%s: security_fs_use(%s) returned %d\n",
@@ -770,7 +806,8 @@ out:
770out_double_mount: 806out_double_mount:
771 rc = -EINVAL; 807 rc = -EINVAL;
772 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 808 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
773 "security settings for (dev %s, type %s)\n", sb->s_id, name); 809 "security settings for (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
810 SB_TYPE_ARGS(sb));
774 goto out; 811 goto out;
775} 812}
776 813
@@ -1037,7 +1074,7 @@ static void selinux_write_opts(struct seq_file *m,
1037 case DEFCONTEXT_MNT: 1074 case DEFCONTEXT_MNT:
1038 prefix = DEFCONTEXT_STR; 1075 prefix = DEFCONTEXT_STR;
1039 break; 1076 break;
1040 case SE_SBLABELSUPP: 1077 case SBLABEL_MNT:
1041 seq_putc(m, ','); 1078 seq_putc(m, ',');
1042 seq_puts(m, LABELSUPP_STR); 1079 seq_puts(m, LABELSUPP_STR);
1043 continue; 1080 continue;
@@ -1650,7 +1687,7 @@ static int may_create(struct inode *dir,
1650 if (rc) 1687 if (rc)
1651 return rc; 1688 return rc;
1652 1689
1653 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 1690 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1654 rc = security_transition_sid(sid, dsec->sid, tclass, 1691 rc = security_transition_sid(sid, dsec->sid, tclass,
1655 &dentry->d_name, &newsid); 1692 &dentry->d_name, &newsid);
1656 if (rc) 1693 if (rc)
@@ -2438,14 +2475,14 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
2438 u32 sid; 2475 u32 sid;
2439 size_t len; 2476 size_t len;
2440 2477
2441 if (flags[i] == SE_SBLABELSUPP) 2478 if (flags[i] == SBLABEL_MNT)
2442 continue; 2479 continue;
2443 len = strlen(mount_options[i]); 2480 len = strlen(mount_options[i]);
2444 rc = security_context_to_sid(mount_options[i], len, &sid); 2481 rc = security_context_to_sid(mount_options[i], len, &sid);
2445 if (rc) { 2482 if (rc) {
2446 printk(KERN_WARNING "SELinux: security_context_to_sid" 2483 printk(KERN_WARNING "SELinux: security_context_to_sid"
2447 "(%s) failed for (dev %s, type %s) errno=%d\n", 2484 "(%s) failed for (dev %s, type "SB_TYPE_FMT") errno=%d\n",
2448 mount_options[i], sb->s_id, sb->s_type->name, rc); 2485 mount_options[i], sb->s_id, SB_TYPE_ARGS(sb), rc);
2449 goto out_free_opts; 2486 goto out_free_opts;
2450 } 2487 }
2451 rc = -EINVAL; 2488 rc = -EINVAL;
@@ -2483,8 +2520,8 @@ out_free_secdata:
2483 return rc; 2520 return rc;
2484out_bad_option: 2521out_bad_option:
2485 printk(KERN_WARNING "SELinux: unable to change security options " 2522 printk(KERN_WARNING "SELinux: unable to change security options "
2486 "during remount (dev %s, type=%s)\n", sb->s_id, 2523 "during remount (dev %s, type "SB_TYPE_FMT")\n", sb->s_id,
2487 sb->s_type->name); 2524 SB_TYPE_ARGS(sb));
2488 goto out_free_opts; 2525 goto out_free_opts;
2489} 2526}
2490 2527
@@ -2607,7 +2644,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2607 if ((sbsec->flags & SE_SBINITIALIZED) && 2644 if ((sbsec->flags & SE_SBINITIALIZED) &&
2608 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) 2645 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2609 newsid = sbsec->mntpoint_sid; 2646 newsid = sbsec->mntpoint_sid;
2610 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 2647 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2611 rc = security_transition_sid(sid, dsec->sid, 2648 rc = security_transition_sid(sid, dsec->sid,
2612 inode_mode_to_security_class(inode->i_mode), 2649 inode_mode_to_security_class(inode->i_mode),
2613 qstr, &newsid); 2650 qstr, &newsid);
@@ -2629,7 +2666,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2629 isec->initialized = 1; 2666 isec->initialized = 1;
2630 } 2667 }
2631 2668
2632 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) 2669 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2633 return -EOPNOTSUPP; 2670 return -EOPNOTSUPP;
2634 2671
2635 if (name) 2672 if (name)
@@ -2831,7 +2868,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2831 return selinux_inode_setotherxattr(dentry, name); 2868 return selinux_inode_setotherxattr(dentry, name);
2832 2869
2833 sbsec = inode->i_sb->s_security; 2870 sbsec = inode->i_sb->s_security;
2834 if (!(sbsec->flags & SE_SBLABELSUPP)) 2871 if (!(sbsec->flags & SBLABEL_MNT))
2835 return -EOPNOTSUPP; 2872 return -EOPNOTSUPP;
2836 2873
2837 if (!inode_owner_or_capable(inode)) 2874 if (!inode_owner_or_capable(inode))
@@ -3792,8 +3829,12 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3792 u32 nlbl_sid; 3829 u32 nlbl_sid;
3793 u32 nlbl_type; 3830 u32 nlbl_type;
3794 3831
3795 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3832 err = selinux_skb_xfrm_sid(skb, &xfrm_sid);
3796 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 3833 if (unlikely(err))
3834 return -EACCES;
3835 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3836 if (unlikely(err))
3837 return -EACCES;
3797 3838
3798 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 3839 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3799 if (unlikely(err)) { 3840 if (unlikely(err)) {
@@ -4247,7 +4288,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4247 return selinux_sock_rcv_skb_compat(sk, skb, family); 4288 return selinux_sock_rcv_skb_compat(sk, skb, family);
4248 4289
4249 secmark_active = selinux_secmark_enabled(); 4290 secmark_active = selinux_secmark_enabled();
4250 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4291 peerlbl_active = selinux_peerlbl_enabled();
4251 if (!secmark_active && !peerlbl_active) 4292 if (!secmark_active && !peerlbl_active)
4252 return 0; 4293 return 0;
4253 4294
@@ -4629,7 +4670,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4629 4670
4630 secmark_active = selinux_secmark_enabled(); 4671 secmark_active = selinux_secmark_enabled();
4631 netlbl_active = netlbl_enabled(); 4672 netlbl_active = netlbl_enabled();
4632 peerlbl_active = netlbl_active || selinux_xfrm_enabled(); 4673 peerlbl_active = selinux_peerlbl_enabled();
4633 if (!secmark_active && !peerlbl_active) 4674 if (!secmark_active && !peerlbl_active)
4634 return NF_ACCEPT; 4675 return NF_ACCEPT;
4635 4676
@@ -4781,7 +4822,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4781 return NF_ACCEPT; 4822 return NF_ACCEPT;
4782#endif 4823#endif
4783 secmark_active = selinux_secmark_enabled(); 4824 secmark_active = selinux_secmark_enabled();
4784 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); 4825 peerlbl_active = selinux_peerlbl_enabled();
4785 if (!secmark_active && !peerlbl_active) 4826 if (!secmark_active && !peerlbl_active)
4786 return NF_ACCEPT; 4827 return NF_ACCEPT;
4787 4828
@@ -5785,7 +5826,8 @@ static struct security_operations selinux_ops = {
5785 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 5826 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5786 .xfrm_policy_free_security = selinux_xfrm_policy_free, 5827 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5787 .xfrm_policy_delete_security = selinux_xfrm_policy_delete, 5828 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5788 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 5829 .xfrm_state_alloc = selinux_xfrm_state_alloc,
5830 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
5789 .xfrm_state_free_security = selinux_xfrm_state_free, 5831 .xfrm_state_free_security = selinux_xfrm_state_free,
5790 .xfrm_state_delete_security = selinux_xfrm_state_delete, 5832 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5791 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 5833 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index aa47bcabb5f6..b1dfe1049450 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -58,8 +58,8 @@ struct superblock_security_struct {
58 u32 sid; /* SID of file system superblock */ 58 u32 sid; /* SID of file system superblock */
59 u32 def_sid; /* default SID for labeling */ 59 u32 def_sid; /* default SID for labeling */
60 u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */ 60 u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
61 unsigned int behavior; /* labeling behavior */ 61 unsigned short behavior; /* labeling behavior */
62 unsigned char flags; /* which mount options were specified */ 62 unsigned short flags; /* which mount options were specified */
63 struct mutex lock; 63 struct mutex lock;
64 struct list_head isec_head; 64 struct list_head isec_head;
65 spinlock_t isec_lock; 65 spinlock_t isec_lock;
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 8fd8e18ea340..fe341ae37004 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -45,14 +45,15 @@
45/* Mask for just the mount related flags */ 45/* Mask for just the mount related flags */
46#define SE_MNTMASK 0x0f 46#define SE_MNTMASK 0x0f
47/* Super block security struct flags for mount options */ 47/* Super block security struct flags for mount options */
48/* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */
48#define CONTEXT_MNT 0x01 49#define CONTEXT_MNT 0x01
49#define FSCONTEXT_MNT 0x02 50#define FSCONTEXT_MNT 0x02
50#define ROOTCONTEXT_MNT 0x04 51#define ROOTCONTEXT_MNT 0x04
51#define DEFCONTEXT_MNT 0x08 52#define DEFCONTEXT_MNT 0x08
53#define SBLABEL_MNT 0x10
52/* Non-mount related flags */ 54/* Non-mount related flags */
53#define SE_SBINITIALIZED 0x10 55#define SE_SBINITIALIZED 0x0100
54#define SE_SBPROC 0x20 56#define SE_SBPROC 0x0200
55#define SE_SBLABELSUPP 0x40
56 57
57#define CONTEXT_STR "context=" 58#define CONTEXT_STR "context="
58#define FSCONTEXT_STR "fscontext=" 59#define FSCONTEXT_STR "fscontext="
@@ -68,12 +69,15 @@ extern int selinux_enabled;
68enum { 69enum {
69 POLICYDB_CAPABILITY_NETPEER, 70 POLICYDB_CAPABILITY_NETPEER,
70 POLICYDB_CAPABILITY_OPENPERM, 71 POLICYDB_CAPABILITY_OPENPERM,
72 POLICYDB_CAPABILITY_REDHAT1,
73 POLICYDB_CAPABILITY_ALWAYSNETWORK,
71 __POLICYDB_CAPABILITY_MAX 74 __POLICYDB_CAPABILITY_MAX
72}; 75};
73#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) 76#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
74 77
75extern int selinux_policycap_netpeer; 78extern int selinux_policycap_netpeer;
76extern int selinux_policycap_openperm; 79extern int selinux_policycap_openperm;
80extern int selinux_policycap_alwaysnetwork;
77 81
78/* 82/*
79 * type_datum properties 83 * type_datum properties
@@ -172,8 +176,7 @@ int security_get_allow_unknown(void);
172#define SECURITY_FS_USE_NATIVE 7 /* use native label support */ 176#define SECURITY_FS_USE_NATIVE 7 /* use native label support */
173#define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */ 177#define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */
174 178
175int security_fs_use(const char *fstype, unsigned int *behavior, 179int security_fs_use(struct super_block *sb);
176 u32 *sid);
177 180
178int security_genfs_sid(const char *fstype, char *name, u16 sclass, 181int security_genfs_sid(const char *fstype, char *name, u16 sclass,
179 u32 *sid); 182 u32 *sid);
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 6713f04e30ba..0dec76c64cf5 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -10,29 +10,21 @@
10#include <net/flow.h> 10#include <net/flow.h>
11 11
12int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, 12int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
13 struct xfrm_user_sec_ctx *sec_ctx); 13 struct xfrm_user_sec_ctx *uctx);
14int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, 14int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
15 struct xfrm_sec_ctx **new_ctxp); 15 struct xfrm_sec_ctx **new_ctxp);
16void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx); 16void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
17int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx); 17int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
18int selinux_xfrm_state_alloc(struct xfrm_state *x, 18int selinux_xfrm_state_alloc(struct xfrm_state *x,
19 struct xfrm_user_sec_ctx *sec_ctx, u32 secid); 19 struct xfrm_user_sec_ctx *uctx);
20int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
21 struct xfrm_sec_ctx *polsec, u32 secid);
20void selinux_xfrm_state_free(struct xfrm_state *x); 22void selinux_xfrm_state_free(struct xfrm_state *x);
21int selinux_xfrm_state_delete(struct xfrm_state *x); 23int selinux_xfrm_state_delete(struct xfrm_state *x);
22int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); 24int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
23int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, 25int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
24 struct xfrm_policy *xp, const struct flowi *fl); 26 struct xfrm_policy *xp,
25 27 const struct flowi *fl);
26/*
27 * Extract the security blob from the sock (it's actually on the socket)
28 */
29static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
30{
31 if (!sk->sk_socket)
32 return NULL;
33
34 return SOCK_INODE(sk->sk_socket)->i_security;
35}
36 28
37#ifdef CONFIG_SECURITY_NETWORK_XFRM 29#ifdef CONFIG_SECURITY_NETWORK_XFRM
38extern atomic_t selinux_xfrm_refcount; 30extern atomic_t selinux_xfrm_refcount;
@@ -42,10 +34,10 @@ static inline int selinux_xfrm_enabled(void)
42 return (atomic_read(&selinux_xfrm_refcount) > 0); 34 return (atomic_read(&selinux_xfrm_refcount) > 0);
43} 35}
44 36
45int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, 37int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
46 struct common_audit_data *ad); 38 struct common_audit_data *ad);
47int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 39int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
48 struct common_audit_data *ad, u8 proto); 40 struct common_audit_data *ad, u8 proto);
49int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); 41int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
50 42
51static inline void selinux_xfrm_notify_policyload(void) 43static inline void selinux_xfrm_notify_policyload(void)
@@ -64,19 +56,21 @@ static inline int selinux_xfrm_enabled(void)
64 return 0; 56 return 0;
65} 57}
66 58
67static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, 59static inline int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
68 struct common_audit_data *ad) 60 struct common_audit_data *ad)
69{ 61{
70 return 0; 62 return 0;
71} 63}
72 64
73static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 65static inline int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
74 struct common_audit_data *ad, u8 proto) 66 struct common_audit_data *ad,
67 u8 proto)
75{ 68{
76 return 0; 69 return 0;
77} 70}
78 71
79static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) 72static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid,
73 int ckall)
80{ 74{
81 *sid = SECSID_NULL; 75 *sid = SECSID_NULL;
82 return 0; 76 return 0;
@@ -87,10 +81,9 @@ static inline void selinux_xfrm_notify_policyload(void)
87} 81}
88#endif 82#endif
89 83
90static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid) 84static inline int selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
91{ 85{
92 int err = selinux_xfrm_decode_session(skb, sid, 0); 86 return selinux_xfrm_decode_session(skb, sid, 0);
93 BUG_ON(err);
94} 87}
95 88
96#endif /* _SELINUX_XFRM_H_ */ 89#endif /* _SELINUX_XFRM_H_ */
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index da4b8b233280..6235d052338b 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -442,8 +442,7 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
442 sksec->nlbl_state != NLBL_CONNLABELED) 442 sksec->nlbl_state != NLBL_CONNLABELED)
443 return 0; 443 return 0;
444 444
445 local_bh_disable(); 445 lock_sock(sk);
446 bh_lock_sock_nested(sk);
447 446
448 /* connected sockets are allowed to disconnect when the address family 447 /* connected sockets are allowed to disconnect when the address family
449 * is set to AF_UNSPEC, if that is what is happening we want to reset 448 * is set to AF_UNSPEC, if that is what is happening we want to reset
@@ -464,7 +463,6 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
464 sksec->nlbl_state = NLBL_CONNLABELED; 463 sksec->nlbl_state = NLBL_CONNLABELED;
465 464
466socket_connect_return: 465socket_connect_return:
467 bh_unlock_sock(sk); 466 release_sock(sk);
468 local_bh_enable();
469 return rc; 467 return rc;
470} 468}
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index c5454c0477c3..03a72c32afd7 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -166,6 +166,7 @@ static void sel_netnode_insert(struct sel_netnode *node)
166 break; 166 break;
167 default: 167 default:
168 BUG(); 168 BUG();
169 return;
169 } 170 }
170 171
171 /* we need to impose a limit on the growth of the hash table so check 172 /* we need to impose a limit on the growth of the hash table so check
@@ -225,6 +226,7 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
225 break; 226 break;
226 default: 227 default:
227 BUG(); 228 BUG();
229 ret = -EINVAL;
228 } 230 }
229 if (ret != 0) 231 if (ret != 0)
230 goto out; 232 goto out;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index ff427733c290..5122affe06a8 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -44,7 +44,9 @@
44/* Policy capability filenames */ 44/* Policy capability filenames */
45static char *policycap_names[] = { 45static char *policycap_names[] = {
46 "network_peer_controls", 46 "network_peer_controls",
47 "open_perms" 47 "open_perms",
48 "redhat1",
49 "always_check_network"
48}; 50};
49 51
50unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 52unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index 30f119b1d1ec..820313a04d49 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -213,7 +213,12 @@ netlbl_import_failure:
213} 213}
214#endif /* CONFIG_NETLABEL */ 214#endif /* CONFIG_NETLABEL */
215 215
216int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2) 216/*
217 * Check to see if all the bits set in e2 are also set in e1. Optionally,
218 * if last_e2bit is non-zero, the highest set bit in e2 cannot exceed
219 * last_e2bit.
220 */
221int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit)
217{ 222{
218 struct ebitmap_node *n1, *n2; 223 struct ebitmap_node *n1, *n2;
219 int i; 224 int i;
@@ -223,14 +228,25 @@ int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2)
223 228
224 n1 = e1->node; 229 n1 = e1->node;
225 n2 = e2->node; 230 n2 = e2->node;
231
226 while (n1 && n2 && (n1->startbit <= n2->startbit)) { 232 while (n1 && n2 && (n1->startbit <= n2->startbit)) {
227 if (n1->startbit < n2->startbit) { 233 if (n1->startbit < n2->startbit) {
228 n1 = n1->next; 234 n1 = n1->next;
229 continue; 235 continue;
230 } 236 }
231 for (i = 0; i < EBITMAP_UNIT_NUMS; i++) { 237 for (i = EBITMAP_UNIT_NUMS - 1; (i >= 0) && !n2->maps[i]; )
238 i--; /* Skip trailing NULL map entries */
239 if (last_e2bit && (i >= 0)) {
240 u32 lastsetbit = n2->startbit + i * EBITMAP_UNIT_SIZE +
241 __fls(n2->maps[i]);
242 if (lastsetbit > last_e2bit)
243 return 0;
244 }
245
246 while (i >= 0) {
232 if ((n1->maps[i] & n2->maps[i]) != n2->maps[i]) 247 if ((n1->maps[i] & n2->maps[i]) != n2->maps[i])
233 return 0; 248 return 0;
249 i--;
234 } 250 }
235 251
236 n1 = n1->next; 252 n1 = n1->next;
diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
index 922f8afa89dd..712c8a7b8e8b 100644
--- a/security/selinux/ss/ebitmap.h
+++ b/security/selinux/ss/ebitmap.h
@@ -16,7 +16,13 @@
16 16
17#include <net/netlabel.h> 17#include <net/netlabel.h>
18 18
19#define EBITMAP_UNIT_NUMS ((32 - sizeof(void *) - sizeof(u32)) \ 19#ifdef CONFIG_64BIT
20#define EBITMAP_NODE_SIZE 64
21#else
22#define EBITMAP_NODE_SIZE 32
23#endif
24
25#define EBITMAP_UNIT_NUMS ((EBITMAP_NODE_SIZE-sizeof(void *)-sizeof(u32))\
20 / sizeof(unsigned long)) 26 / sizeof(unsigned long))
21#define EBITMAP_UNIT_SIZE BITS_PER_LONG 27#define EBITMAP_UNIT_SIZE BITS_PER_LONG
22#define EBITMAP_SIZE (EBITMAP_UNIT_NUMS * EBITMAP_UNIT_SIZE) 28#define EBITMAP_SIZE (EBITMAP_UNIT_NUMS * EBITMAP_UNIT_SIZE)
@@ -117,7 +123,7 @@ static inline void ebitmap_node_clr_bit(struct ebitmap_node *n,
117 123
118int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2); 124int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2);
119int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src); 125int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src);
120int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2); 126int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2, u32 last_e2bit);
121int ebitmap_get_bit(struct ebitmap *e, unsigned long bit); 127int ebitmap_get_bit(struct ebitmap *e, unsigned long bit);
122int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value); 128int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value);
123void ebitmap_destroy(struct ebitmap *e); 129void ebitmap_destroy(struct ebitmap *e);
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 40de8d3f208e..c85bc1ec040c 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -160,8 +160,6 @@ void mls_sid_to_context(struct context *context,
160int mls_level_isvalid(struct policydb *p, struct mls_level *l) 160int mls_level_isvalid(struct policydb *p, struct mls_level *l)
161{ 161{
162 struct level_datum *levdatum; 162 struct level_datum *levdatum;
163 struct ebitmap_node *node;
164 int i;
165 163
166 if (!l->sens || l->sens > p->p_levels.nprim) 164 if (!l->sens || l->sens > p->p_levels.nprim)
167 return 0; 165 return 0;
@@ -170,19 +168,13 @@ int mls_level_isvalid(struct policydb *p, struct mls_level *l)
170 if (!levdatum) 168 if (!levdatum)
171 return 0; 169 return 0;
172 170
173 ebitmap_for_each_positive_bit(&l->cat, node, i) { 171 /*
174 if (i > p->p_cats.nprim) 172 * Return 1 iff all the bits set in l->cat are also be set in
175 return 0; 173 * levdatum->level->cat and no bit in l->cat is larger than
176 if (!ebitmap_get_bit(&levdatum->level->cat, i)) { 174 * p->p_cats.nprim.
177 /* 175 */
178 * Category may not be associated with 176 return ebitmap_contains(&levdatum->level->cat, &l->cat,
179 * sensitivity. 177 p->p_cats.nprim);
180 */
181 return 0;
182 }
183 }
184
185 return 1;
186} 178}
187 179
188int mls_range_isvalid(struct policydb *p, struct mls_range *r) 180int mls_range_isvalid(struct policydb *p, struct mls_range *r)
diff --git a/security/selinux/ss/mls_types.h b/security/selinux/ss/mls_types.h
index 03bed52a8052..e93648774137 100644
--- a/security/selinux/ss/mls_types.h
+++ b/security/selinux/ss/mls_types.h
@@ -35,7 +35,7 @@ static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
35static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2) 35static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
36{ 36{
37 return ((l1->sens >= l2->sens) && 37 return ((l1->sens >= l2->sens) &&
38 ebitmap_contains(&l1->cat, &l2->cat)); 38 ebitmap_contains(&l1->cat, &l2->cat, 0));
39} 39}
40 40
41#define mls_level_incomp(l1, l2) \ 41#define mls_level_incomp(l1, l2) \
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index c8adde3aff8f..f6195ebde3c9 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -3203,9 +3203,8 @@ static int range_write_helper(void *key, void *data, void *ptr)
3203 3203
3204static int range_write(struct policydb *p, void *fp) 3204static int range_write(struct policydb *p, void *fp)
3205{ 3205{
3206 size_t nel;
3207 __le32 buf[1]; 3206 __le32 buf[1];
3208 int rc; 3207 int rc, nel;
3209 struct policy_data pd; 3208 struct policy_data pd;
3210 3209
3211 pd.p = p; 3210 pd.p = p;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b4feecc3fe01..ee470a0b5c27 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -72,6 +72,7 @@
72 72
73int selinux_policycap_netpeer; 73int selinux_policycap_netpeer;
74int selinux_policycap_openperm; 74int selinux_policycap_openperm;
75int selinux_policycap_alwaysnetwork;
75 76
76static DEFINE_RWLOCK(policy_rwlock); 77static DEFINE_RWLOCK(policy_rwlock);
77 78
@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void)
1812 POLICYDB_CAPABILITY_NETPEER); 1813 POLICYDB_CAPABILITY_NETPEER);
1813 selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps, 1814 selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
1814 POLICYDB_CAPABILITY_OPENPERM); 1815 POLICYDB_CAPABILITY_OPENPERM);
1816 selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
1817 POLICYDB_CAPABILITY_ALWAYSNETWORK);
1815} 1818}
1816 1819
1817static int security_preserve_bools(struct policydb *p); 1820static int security_preserve_bools(struct policydb *p);
@@ -2323,43 +2326,74 @@ out:
2323 2326
2324/** 2327/**
2325 * security_fs_use - Determine how to handle labeling for a filesystem. 2328 * security_fs_use - Determine how to handle labeling for a filesystem.
2326 * @fstype: filesystem type 2329 * @sb: superblock in question
2327 * @behavior: labeling behavior
2328 * @sid: SID for filesystem (superblock)
2329 */ 2330 */
2330int security_fs_use( 2331int security_fs_use(struct super_block *sb)
2331 const char *fstype,
2332 unsigned int *behavior,
2333 u32 *sid)
2334{ 2332{
2335 int rc = 0; 2333 int rc = 0;
2336 struct ocontext *c; 2334 struct ocontext *c;
2335 struct superblock_security_struct *sbsec = sb->s_security;
2336 const char *fstype = sb->s_type->name;
2337 const char *subtype = (sb->s_subtype && sb->s_subtype[0]) ? sb->s_subtype : NULL;
2338 struct ocontext *base = NULL;
2337 2339
2338 read_lock(&policy_rwlock); 2340 read_lock(&policy_rwlock);
2339 2341
2340 c = policydb.ocontexts[OCON_FSUSE]; 2342 for (c = policydb.ocontexts[OCON_FSUSE]; c; c = c->next) {
2341 while (c) { 2343 char *sub;
2342 if (strcmp(fstype, c->u.name) == 0) 2344 int baselen;
2345
2346 baselen = strlen(fstype);
2347
2348 /* if base does not match, this is not the one */
2349 if (strncmp(fstype, c->u.name, baselen))
2350 continue;
2351
2352 /* if there is no subtype, this is the one! */
2353 if (!subtype)
2354 break;
2355
2356 /* skip past the base in this entry */
2357 sub = c->u.name + baselen;
2358
2359 /* entry is only a base. save it. keep looking for subtype */
2360 if (sub[0] == '\0') {
2361 base = c;
2362 continue;
2363 }
2364
2365 /* entry is not followed by a subtype, so it is not a match */
2366 if (sub[0] != '.')
2367 continue;
2368
2369 /* whew, we found a subtype of this fstype */
2370 sub++; /* move past '.' */
2371
2372 /* exact match of fstype AND subtype */
2373 if (!strcmp(subtype, sub))
2343 break; 2374 break;
2344 c = c->next;
2345 } 2375 }
2346 2376
2377 /* in case we had found an fstype match but no subtype match */
2378 if (!c)
2379 c = base;
2380
2347 if (c) { 2381 if (c) {
2348 *behavior = c->v.behavior; 2382 sbsec->behavior = c->v.behavior;
2349 if (!c->sid[0]) { 2383 if (!c->sid[0]) {
2350 rc = sidtab_context_to_sid(&sidtab, &c->context[0], 2384 rc = sidtab_context_to_sid(&sidtab, &c->context[0],
2351 &c->sid[0]); 2385 &c->sid[0]);
2352 if (rc) 2386 if (rc)
2353 goto out; 2387 goto out;
2354 } 2388 }
2355 *sid = c->sid[0]; 2389 sbsec->sid = c->sid[0];
2356 } else { 2390 } else {
2357 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); 2391 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, &sbsec->sid);
2358 if (rc) { 2392 if (rc) {
2359 *behavior = SECURITY_FS_USE_NONE; 2393 sbsec->behavior = SECURITY_FS_USE_NONE;
2360 rc = 0; 2394 rc = 0;
2361 } else { 2395 } else {
2362 *behavior = SECURITY_FS_USE_GENFS; 2396 sbsec->behavior = SECURITY_FS_USE_GENFS;
2363 } 2397 }
2364 } 2398 }
2365 2399
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index d03081886214..a91d205ec0c6 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -56,7 +56,7 @@
56atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0); 56atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0);
57 57
58/* 58/*
59 * Returns true if an LSM/SELinux context 59 * Returns true if the context is an LSM/SELinux context.
60 */ 60 */
61static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) 61static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
62{ 62{
@@ -66,7 +66,7 @@ static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
66} 66}
67 67
68/* 68/*
69 * Returns true if the xfrm contains a security blob for SELinux 69 * Returns true if the xfrm contains a security blob for SELinux.
70 */ 70 */
71static inline int selinux_authorizable_xfrm(struct xfrm_state *x) 71static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
72{ 72{
@@ -74,48 +74,111 @@ static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
74} 74}
75 75
76/* 76/*
77 * LSM hook implementation that authorizes that a flow can use 77 * Allocates a xfrm_sec_state and populates it using the supplied security
78 * a xfrm policy rule. 78 * xfrm_user_sec_ctx context.
79 */ 79 */
80int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) 80static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
81 struct xfrm_user_sec_ctx *uctx)
81{ 82{
82 int rc; 83 int rc;
83 u32 sel_sid; 84 const struct task_security_struct *tsec = current_security();
85 struct xfrm_sec_ctx *ctx = NULL;
86 u32 str_len;
84 87
85 /* Context sid is either set to label or ANY_ASSOC */ 88 if (ctxp == NULL || uctx == NULL ||
86 if (ctx) { 89 uctx->ctx_doi != XFRM_SC_DOI_LSM ||
87 if (!selinux_authorizable_ctx(ctx)) 90 uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
88 return -EINVAL; 91 return -EINVAL;
89
90 sel_sid = ctx->ctx_sid;
91 } else
92 /*
93 * All flows should be treated as polmatch'ing an
94 * otherwise applicable "non-labeled" policy. This
95 * would prevent inadvertent "leaks".
96 */
97 return 0;
98 92
99 rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION, 93 str_len = uctx->ctx_len;
100 ASSOCIATION__POLMATCH, 94 if (str_len >= PAGE_SIZE)
101 NULL); 95 return -ENOMEM;
102 96
103 if (rc == -EACCES) 97 ctx = kmalloc(sizeof(*ctx) + str_len + 1, GFP_KERNEL);
104 return -ESRCH; 98 if (!ctx)
99 return -ENOMEM;
105 100
101 ctx->ctx_doi = XFRM_SC_DOI_LSM;
102 ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
103 ctx->ctx_len = str_len;
104 memcpy(ctx->ctx_str, &uctx[1], str_len);
105 ctx->ctx_str[str_len] = '\0';
106 rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid);
107 if (rc)
108 goto err;
109
110 rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
111 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
112 if (rc)
113 goto err;
114
115 *ctxp = ctx;
116 atomic_inc(&selinux_xfrm_refcount);
117 return 0;
118
119err:
120 kfree(ctx);
106 return rc; 121 return rc;
107} 122}
108 123
109/* 124/*
125 * Free the xfrm_sec_ctx structure.
126 */
127static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
128{
129 if (!ctx)
130 return;
131
132 atomic_dec(&selinux_xfrm_refcount);
133 kfree(ctx);
134}
135
136/*
137 * Authorize the deletion of a labeled SA or policy rule.
138 */
139static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
140{
141 const struct task_security_struct *tsec = current_security();
142
143 if (!ctx)
144 return 0;
145
146 return avc_has_perm(tsec->sid, ctx->ctx_sid,
147 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
148 NULL);
149}
150
151/*
152 * LSM hook implementation that authorizes that a flow can use a xfrm policy
153 * rule.
154 */
155int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
156{
157 int rc;
158
159 /* All flows should be treated as polmatch'ing an otherwise applicable
160 * "non-labeled" policy. This would prevent inadvertent "leaks". */
161 if (!ctx)
162 return 0;
163
164 /* Context sid is either set to label or ANY_ASSOC */
165 if (!selinux_authorizable_ctx(ctx))
166 return -EINVAL;
167
168 rc = avc_has_perm(fl_secid, ctx->ctx_sid,
169 SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
170 return (rc == -EACCES ? -ESRCH : rc);
171}
172
173/*
110 * LSM hook implementation that authorizes that a state matches 174 * LSM hook implementation that authorizes that a state matches
111 * the given policy, flow combo. 175 * the given policy, flow combo.
112 */ 176 */
113 177int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
114int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, 178 struct xfrm_policy *xp,
115 const struct flowi *fl) 179 const struct flowi *fl)
116{ 180{
117 u32 state_sid; 181 u32 state_sid;
118 int rc;
119 182
120 if (!xp->security) 183 if (!xp->security)
121 if (x->security) 184 if (x->security)
@@ -138,187 +201,80 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
138 if (fl->flowi_secid != state_sid) 201 if (fl->flowi_secid != state_sid)
139 return 0; 202 return 0;
140 203
141 rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION, 204 /* We don't need a separate SA Vs. policy polmatch check since the SA
142 ASSOCIATION__SENDTO, 205 * is now of the same label as the flow and a flow Vs. policy polmatch
143 NULL)? 0:1; 206 * check had already happened in selinux_xfrm_policy_lookup() above. */
144 207 return (avc_has_perm(fl->flowi_secid, state_sid,
145 /* 208 SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
146 * We don't need a separate SA Vs. policy polmatch check 209 NULL) ? 0 : 1);
147 * since the SA is now of the same label as the flow and
148 * a flow Vs. policy polmatch check had already happened
149 * in selinux_xfrm_policy_lookup() above.
150 */
151
152 return rc;
153} 210}
154 211
155/* 212/*
156 * LSM hook implementation that checks and/or returns the xfrm sid for the 213 * LSM hook implementation that checks and/or returns the xfrm sid for the
157 * incoming packet. 214 * incoming packet.
158 */ 215 */
159
160int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) 216int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
161{ 217{
218 u32 sid_session = SECSID_NULL;
162 struct sec_path *sp; 219 struct sec_path *sp;
163 220
164 *sid = SECSID_NULL;
165
166 if (skb == NULL) 221 if (skb == NULL)
167 return 0; 222 goto out;
168 223
169 sp = skb->sp; 224 sp = skb->sp;
170 if (sp) { 225 if (sp) {
171 int i, sid_set = 0; 226 int i;
172 227
173 for (i = sp->len-1; i >= 0; i--) { 228 for (i = sp->len - 1; i >= 0; i--) {
174 struct xfrm_state *x = sp->xvec[i]; 229 struct xfrm_state *x = sp->xvec[i];
175 if (selinux_authorizable_xfrm(x)) { 230 if (selinux_authorizable_xfrm(x)) {
176 struct xfrm_sec_ctx *ctx = x->security; 231 struct xfrm_sec_ctx *ctx = x->security;
177 232
178 if (!sid_set) { 233 if (sid_session == SECSID_NULL) {
179 *sid = ctx->ctx_sid; 234 sid_session = ctx->ctx_sid;
180 sid_set = 1;
181
182 if (!ckall) 235 if (!ckall)
183 break; 236 goto out;
184 } else if (*sid != ctx->ctx_sid) 237 } else if (sid_session != ctx->ctx_sid) {
238 *sid = SECSID_NULL;
185 return -EINVAL; 239 return -EINVAL;
240 }
186 } 241 }
187 } 242 }
188 } 243 }
189 244
190 return 0;
191}
192
193/*
194 * Security blob allocation for xfrm_policy and xfrm_state
195 * CTX does not have a meaningful value on input
196 */
197static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
198 struct xfrm_user_sec_ctx *uctx, u32 sid)
199{
200 int rc = 0;
201 const struct task_security_struct *tsec = current_security();
202 struct xfrm_sec_ctx *ctx = NULL;
203 char *ctx_str = NULL;
204 u32 str_len;
205
206 BUG_ON(uctx && sid);
207
208 if (!uctx)
209 goto not_from_user;
210
211 if (uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
212 return -EINVAL;
213
214 str_len = uctx->ctx_len;
215 if (str_len >= PAGE_SIZE)
216 return -ENOMEM;
217
218 *ctxp = ctx = kmalloc(sizeof(*ctx) +
219 str_len + 1,
220 GFP_KERNEL);
221
222 if (!ctx)
223 return -ENOMEM;
224
225 ctx->ctx_doi = uctx->ctx_doi;
226 ctx->ctx_len = str_len;
227 ctx->ctx_alg = uctx->ctx_alg;
228
229 memcpy(ctx->ctx_str,
230 uctx+1,
231 str_len);
232 ctx->ctx_str[str_len] = 0;
233 rc = security_context_to_sid(ctx->ctx_str,
234 str_len,
235 &ctx->ctx_sid);
236
237 if (rc)
238 goto out;
239
240 /*
241 * Does the subject have permission to set security context?
242 */
243 rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
244 SECCLASS_ASSOCIATION,
245 ASSOCIATION__SETCONTEXT, NULL);
246 if (rc)
247 goto out;
248
249 return rc;
250
251not_from_user:
252 rc = security_sid_to_context(sid, &ctx_str, &str_len);
253 if (rc)
254 goto out;
255
256 *ctxp = ctx = kmalloc(sizeof(*ctx) +
257 str_len,
258 GFP_ATOMIC);
259
260 if (!ctx) {
261 rc = -ENOMEM;
262 goto out;
263 }
264
265 ctx->ctx_doi = XFRM_SC_DOI_LSM;
266 ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
267 ctx->ctx_sid = sid;
268 ctx->ctx_len = str_len;
269 memcpy(ctx->ctx_str,
270 ctx_str,
271 str_len);
272
273 goto out2;
274
275out: 245out:
276 *ctxp = NULL; 246 *sid = sid_session;
277 kfree(ctx); 247 return 0;
278out2:
279 kfree(ctx_str);
280 return rc;
281} 248}
282 249
283/* 250/*
284 * LSM hook implementation that allocs and transfers uctx spec to 251 * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy.
285 * xfrm_policy.
286 */ 252 */
287int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, 253int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
288 struct xfrm_user_sec_ctx *uctx) 254 struct xfrm_user_sec_ctx *uctx)
289{ 255{
290 int err; 256 return selinux_xfrm_alloc_user(ctxp, uctx);
291
292 BUG_ON(!uctx);
293
294 err = selinux_xfrm_sec_ctx_alloc(ctxp, uctx, 0);
295 if (err == 0)
296 atomic_inc(&selinux_xfrm_refcount);
297
298 return err;
299} 257}
300 258
301
302/* 259/*
303 * LSM hook implementation that copies security data structure from old to 260 * LSM hook implementation that copies security data structure from old to new
304 * new for policy cloning. 261 * for policy cloning.
305 */ 262 */
306int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, 263int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
307 struct xfrm_sec_ctx **new_ctxp) 264 struct xfrm_sec_ctx **new_ctxp)
308{ 265{
309 struct xfrm_sec_ctx *new_ctx; 266 struct xfrm_sec_ctx *new_ctx;
310 267
311 if (old_ctx) { 268 if (!old_ctx)
312 new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, 269 return 0;
313 GFP_ATOMIC); 270
314 if (!new_ctx) 271 new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len,
315 return -ENOMEM; 272 GFP_ATOMIC);
273 if (!new_ctx)
274 return -ENOMEM;
275 atomic_inc(&selinux_xfrm_refcount);
276 *new_ctxp = new_ctx;
316 277
317 memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
318 memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
319 atomic_inc(&selinux_xfrm_refcount);
320 *new_ctxp = new_ctx;
321 }
322 return 0; 278 return 0;
323} 279}
324 280
@@ -327,8 +283,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
327 */ 283 */
328void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) 284void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
329{ 285{
330 atomic_dec(&selinux_xfrm_refcount); 286 selinux_xfrm_free(ctx);
331 kfree(ctx);
332} 287}
333 288
334/* 289/*
@@ -336,31 +291,55 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
336 */ 291 */
337int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) 292int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
338{ 293{
339 const struct task_security_struct *tsec = current_security(); 294 return selinux_xfrm_delete(ctx);
340 295}
341 if (!ctx)
342 return 0;
343 296
344 return avc_has_perm(tsec->sid, ctx->ctx_sid, 297/*
345 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, 298 * LSM hook implementation that allocates a xfrm_sec_state, populates it using
346 NULL); 299 * the supplied security context, and assigns it to the xfrm_state.
300 */
301int selinux_xfrm_state_alloc(struct xfrm_state *x,
302 struct xfrm_user_sec_ctx *uctx)
303{
304 return selinux_xfrm_alloc_user(&x->security, uctx);
347} 305}
348 306
349/* 307/*
350 * LSM hook implementation that allocs and transfers sec_ctx spec to 308 * LSM hook implementation that allocates a xfrm_sec_state and populates based
351 * xfrm_state. 309 * on a secid.
352 */ 310 */
353int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx, 311int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
354 u32 secid) 312 struct xfrm_sec_ctx *polsec, u32 secid)
355{ 313{
356 int err; 314 int rc;
315 struct xfrm_sec_ctx *ctx;
316 char *ctx_str = NULL;
317 int str_len;
318
319 if (!polsec)
320 return 0;
357 321
358 BUG_ON(!x); 322 if (secid == 0)
323 return -EINVAL;
359 324
360 err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid); 325 rc = security_sid_to_context(secid, &ctx_str, &str_len);
361 if (err == 0) 326 if (rc)
362 atomic_inc(&selinux_xfrm_refcount); 327 return rc;
363 return err; 328
329 ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC);
330 if (!ctx)
331 return -ENOMEM;
332
333 ctx->ctx_doi = XFRM_SC_DOI_LSM;
334 ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
335 ctx->ctx_sid = secid;
336 ctx->ctx_len = str_len;
337 memcpy(ctx->ctx_str, ctx_str, str_len);
338 kfree(ctx_str);
339
340 x->security = ctx;
341 atomic_inc(&selinux_xfrm_refcount);
342 return 0;
364} 343}
365 344
366/* 345/*
@@ -368,24 +347,15 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct
368 */ 347 */
369void selinux_xfrm_state_free(struct xfrm_state *x) 348void selinux_xfrm_state_free(struct xfrm_state *x)
370{ 349{
371 atomic_dec(&selinux_xfrm_refcount); 350 selinux_xfrm_free(x->security);
372 kfree(x->security);
373} 351}
374 352
375 /* 353/*
376 * LSM hook implementation that authorizes deletion of labeled SAs. 354 * LSM hook implementation that authorizes deletion of labeled SAs.
377 */ 355 */
378int selinux_xfrm_state_delete(struct xfrm_state *x) 356int selinux_xfrm_state_delete(struct xfrm_state *x)
379{ 357{
380 const struct task_security_struct *tsec = current_security(); 358 return selinux_xfrm_delete(x->security);
381 struct xfrm_sec_ctx *ctx = x->security;
382
383 if (!ctx)
384 return 0;
385
386 return avc_has_perm(tsec->sid, ctx->ctx_sid,
387 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
388 NULL);
389} 359}
390 360
391/* 361/*
@@ -395,14 +365,12 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
395 * we need to check for unlabelled access since this may not have 365 * we need to check for unlabelled access since this may not have
396 * gone thru the IPSec process. 366 * gone thru the IPSec process.
397 */ 367 */
398int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, 368int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
399 struct common_audit_data *ad) 369 struct common_audit_data *ad)
400{ 370{
401 int i, rc = 0; 371 int i;
402 struct sec_path *sp; 372 struct sec_path *sp = skb->sp;
403 u32 sel_sid = SECINITSID_UNLABELED; 373 u32 peer_sid = SECINITSID_UNLABELED;
404
405 sp = skb->sp;
406 374
407 if (sp) { 375 if (sp) {
408 for (i = 0; i < sp->len; i++) { 376 for (i = 0; i < sp->len; i++) {
@@ -410,23 +378,17 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
410 378
411 if (x && selinux_authorizable_xfrm(x)) { 379 if (x && selinux_authorizable_xfrm(x)) {
412 struct xfrm_sec_ctx *ctx = x->security; 380 struct xfrm_sec_ctx *ctx = x->security;
413 sel_sid = ctx->ctx_sid; 381 peer_sid = ctx->ctx_sid;
414 break; 382 break;
415 } 383 }
416 } 384 }
417 } 385 }
418 386
419 /* 387 /* This check even when there's no association involved is intended,
420 * This check even when there's no association involved is 388 * according to Trent Jaeger, to make sure a process can't engage in
421 * intended, according to Trent Jaeger, to make sure a 389 * non-IPsec communication unless explicitly allowed by policy. */
422 * process can't engage in non-ipsec communication unless 390 return avc_has_perm(sk_sid, peer_sid,
423 * explicitly allowed by policy. 391 SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
424 */
425
426 rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
427 ASSOCIATION__RECVFROM, ad);
428
429 return rc;
430} 392}
431 393
432/* 394/*
@@ -436,49 +398,38 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
436 * If we do have a authorizable security association, then it has already been 398 * If we do have a authorizable security association, then it has already been
437 * checked in the selinux_xfrm_state_pol_flow_match hook above. 399 * checked in the selinux_xfrm_state_pol_flow_match hook above.
438 */ 400 */
439int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 401int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
440 struct common_audit_data *ad, u8 proto) 402 struct common_audit_data *ad, u8 proto)
441{ 403{
442 struct dst_entry *dst; 404 struct dst_entry *dst;
443 int rc = 0;
444
445 dst = skb_dst(skb);
446
447 if (dst) {
448 struct dst_entry *dst_test;
449
450 for (dst_test = dst; dst_test != NULL;
451 dst_test = dst_test->child) {
452 struct xfrm_state *x = dst_test->xfrm;
453
454 if (x && selinux_authorizable_xfrm(x))
455 goto out;
456 }
457 }
458 405
459 switch (proto) { 406 switch (proto) {
460 case IPPROTO_AH: 407 case IPPROTO_AH:
461 case IPPROTO_ESP: 408 case IPPROTO_ESP:
462 case IPPROTO_COMP: 409 case IPPROTO_COMP:
463 /* 410 /* We should have already seen this packet once before it
464 * We should have already seen this packet once before 411 * underwent xfrm(s). No need to subject it to the unlabeled
465 * it underwent xfrm(s). No need to subject it to the 412 * check. */
466 * unlabeled check. 413 return 0;
467 */
468 goto out;
469 default: 414 default:
470 break; 415 break;
471 } 416 }
472 417
473 /* 418 dst = skb_dst(skb);
474 * This check even when there's no association involved is 419 if (dst) {
475 * intended, according to Trent Jaeger, to make sure a 420 struct dst_entry *iter;
476 * process can't engage in non-ipsec communication unless
477 * explicitly allowed by policy.
478 */
479 421
480 rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, 422 for (iter = dst; iter != NULL; iter = iter->child) {
481 ASSOCIATION__SENDTO, ad); 423 struct xfrm_state *x = iter->xfrm;
482out: 424
483 return rc; 425 if (x && selinux_authorizable_xfrm(x))
426 return 0;
427 }
428 }
429
430 /* This check even when there's no association involved is intended,
431 * according to Trent Jaeger, to make sure a process can't engage in
432 * non-IPsec communication unless explicitly allowed by policy. */
433 return avc_has_perm(sk_sid, SECINITSID_UNLABELED,
434 SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
484} 435}
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-25 17:42:33 -0500