diff options
Diffstat (limited to 'security/keys')
-rw-r--r-- | security/keys/Makefile | 1 | ||||
-rw-r--r-- | security/keys/internal.h | 26 | ||||
-rw-r--r-- | security/keys/key.c | 81 | ||||
-rw-r--r-- | security/keys/keyctl.c | 301 | ||||
-rw-r--r-- | security/keys/keyring.c | 86 | ||||
-rw-r--r-- | security/keys/permission.c | 70 | ||||
-rw-r--r-- | security/keys/proc.c | 2 | ||||
-rw-r--r-- | security/keys/process_keys.c | 164 | ||||
-rw-r--r-- | security/keys/request_key.c | 38 | ||||
-rw-r--r-- | security/keys/request_key_auth.c | 5 |
10 files changed, 467 insertions, 307 deletions
diff --git a/security/keys/Makefile b/security/keys/Makefile index c392d750b20..5145adfb6a0 100644 --- a/security/keys/Makefile +++ b/security/keys/Makefile | |||
@@ -6,6 +6,7 @@ obj-y := \ | |||
6 | key.o \ | 6 | key.o \ |
7 | keyring.o \ | 7 | keyring.o \ |
8 | keyctl.o \ | 8 | keyctl.o \ |
9 | permission.o \ | ||
9 | process_keys.o \ | 10 | process_keys.o \ |
10 | request_key.o \ | 11 | request_key.o \ |
11 | request_key_auth.o \ | 12 | request_key_auth.o \ |
diff --git a/security/keys/internal.h b/security/keys/internal.h index 46c8602661c..db99ed434f3 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h | |||
@@ -71,26 +71,26 @@ extern void keyring_publish_name(struct key *keyring); | |||
71 | 71 | ||
72 | extern int __key_link(struct key *keyring, struct key *key); | 72 | extern int __key_link(struct key *keyring, struct key *key); |
73 | 73 | ||
74 | extern struct key *__keyring_search_one(struct key *keyring, | 74 | extern key_ref_t __keyring_search_one(key_ref_t keyring_ref, |
75 | const struct key_type *type, | 75 | const struct key_type *type, |
76 | const char *description, | 76 | const char *description, |
77 | key_perm_t perm); | 77 | key_perm_t perm); |
78 | 78 | ||
79 | extern struct key *keyring_search_instkey(struct key *keyring, | 79 | extern struct key *keyring_search_instkey(struct key *keyring, |
80 | key_serial_t target_id); | 80 | key_serial_t target_id); |
81 | 81 | ||
82 | typedef int (*key_match_func_t)(const struct key *, const void *); | 82 | typedef int (*key_match_func_t)(const struct key *, const void *); |
83 | 83 | ||
84 | extern struct key *keyring_search_aux(struct key *keyring, | 84 | extern key_ref_t keyring_search_aux(key_ref_t keyring_ref, |
85 | struct task_struct *tsk, | 85 | struct task_struct *tsk, |
86 | struct key_type *type, | 86 | struct key_type *type, |
87 | const void *description, | 87 | const void *description, |
88 | key_match_func_t match); | 88 | key_match_func_t match); |
89 | 89 | ||
90 | extern struct key *search_process_keyrings(struct key_type *type, | 90 | extern key_ref_t search_process_keyrings(struct key_type *type, |
91 | const void *description, | 91 | const void *description, |
92 | key_match_func_t match, | 92 | key_match_func_t match, |
93 | struct task_struct *tsk); | 93 | struct task_struct *tsk); |
94 | 94 | ||
95 | extern struct key *find_keyring_by_name(const char *name, key_serial_t bound); | 95 | extern struct key *find_keyring_by_name(const char *name, key_serial_t bound); |
96 | 96 | ||
diff --git a/security/keys/key.c b/security/keys/key.c index fb89f984446..2182be9e930 100644 --- a/security/keys/key.c +++ b/security/keys/key.c | |||
@@ -693,14 +693,15 @@ void key_type_put(struct key_type *ktype) | |||
693 | * - the key has an incremented refcount | 693 | * - the key has an incremented refcount |
694 | * - we need to put the key if we get an error | 694 | * - we need to put the key if we get an error |
695 | */ | 695 | */ |
696 | static inline struct key *__key_update(struct key *key, const void *payload, | 696 | static inline key_ref_t __key_update(key_ref_t key_ref, |
697 | size_t plen) | 697 | const void *payload, size_t plen) |
698 | { | 698 | { |
699 | struct key *key = key_ref_to_ptr(key_ref); | ||
699 | int ret; | 700 | int ret; |
700 | 701 | ||
701 | /* need write permission on the key to update it */ | 702 | /* need write permission on the key to update it */ |
702 | ret = -EACCES; | 703 | ret = -EACCES; |
703 | if (!key_permission(key, KEY_WRITE)) | 704 | if (!key_permission(key_ref, KEY_WRITE)) |
704 | goto error; | 705 | goto error; |
705 | 706 | ||
706 | ret = -EEXIST; | 707 | ret = -EEXIST; |
@@ -719,12 +720,12 @@ static inline struct key *__key_update(struct key *key, const void *payload, | |||
719 | 720 | ||
720 | if (ret < 0) | 721 | if (ret < 0) |
721 | goto error; | 722 | goto error; |
722 | out: | 723 | out: |
723 | return key; | 724 | return key_ref; |
724 | 725 | ||
725 | error: | 726 | error: |
726 | key_put(key); | 727 | key_put(key); |
727 | key = ERR_PTR(ret); | 728 | key_ref = ERR_PTR(ret); |
728 | goto out; | 729 | goto out; |
729 | 730 | ||
730 | } /* end __key_update() */ | 731 | } /* end __key_update() */ |
@@ -734,52 +735,56 @@ static inline struct key *__key_update(struct key *key, const void *payload, | |||
734 | * search the specified keyring for a key of the same description; if one is | 735 | * search the specified keyring for a key of the same description; if one is |
735 | * found, update it, otherwise add a new one | 736 | * found, update it, otherwise add a new one |
736 | */ | 737 | */ |
737 | struct key *key_create_or_update(struct key *keyring, | 738 | key_ref_t key_create_or_update(key_ref_t keyring_ref, |
738 | const char *type, | 739 | const char *type, |
739 | const char *description, | 740 | const char *description, |
740 | const void *payload, | 741 | const void *payload, |
741 | size_t plen, | 742 | size_t plen, |
742 | int not_in_quota) | 743 | int not_in_quota) |
743 | { | 744 | { |
744 | struct key_type *ktype; | 745 | struct key_type *ktype; |
745 | struct key *key = NULL; | 746 | struct key *keyring, *key = NULL; |
746 | key_perm_t perm; | 747 | key_perm_t perm; |
748 | key_ref_t key_ref; | ||
747 | int ret; | 749 | int ret; |
748 | 750 | ||
749 | key_check(keyring); | ||
750 | |||
751 | /* look up the key type to see if it's one of the registered kernel | 751 | /* look up the key type to see if it's one of the registered kernel |
752 | * types */ | 752 | * types */ |
753 | ktype = key_type_lookup(type); | 753 | ktype = key_type_lookup(type); |
754 | if (IS_ERR(ktype)) { | 754 | if (IS_ERR(ktype)) { |
755 | key = ERR_PTR(-ENODEV); | 755 | key_ref = ERR_PTR(-ENODEV); |
756 | goto error; | 756 | goto error; |
757 | } | 757 | } |
758 | 758 | ||
759 | ret = -EINVAL; | 759 | key_ref = ERR_PTR(-EINVAL); |
760 | if (!ktype->match || !ktype->instantiate) | 760 | if (!ktype->match || !ktype->instantiate) |
761 | goto error_2; | 761 | goto error_2; |
762 | 762 | ||
763 | keyring = key_ref_to_ptr(keyring_ref); | ||
764 | |||
765 | key_check(keyring); | ||
766 | |||
767 | down_write(&keyring->sem); | ||
768 | |||
769 | /* if we're going to allocate a new key, we're going to have | ||
770 | * to modify the keyring */ | ||
771 | key_ref = ERR_PTR(-EACCES); | ||
772 | if (!key_permission(keyring_ref, KEY_WRITE)) | ||
773 | goto error_3; | ||
774 | |||
763 | /* search for an existing key of the same type and description in the | 775 | /* search for an existing key of the same type and description in the |
764 | * destination keyring | 776 | * destination keyring |
765 | */ | 777 | */ |
766 | down_write(&keyring->sem); | 778 | key_ref = __keyring_search_one(keyring_ref, ktype, description, 0); |
767 | 779 | if (!IS_ERR(key_ref)) | |
768 | key = __keyring_search_one(keyring, ktype, description, 0); | ||
769 | if (!IS_ERR(key)) | ||
770 | goto found_matching_key; | 780 | goto found_matching_key; |
771 | 781 | ||
772 | /* if we're going to allocate a new key, we're going to have to modify | ||
773 | * the keyring */ | ||
774 | ret = -EACCES; | ||
775 | if (!key_permission(keyring, KEY_WRITE)) | ||
776 | goto error_3; | ||
777 | |||
778 | /* decide on the permissions we want */ | 782 | /* decide on the permissions we want */ |
779 | perm = KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK; | 783 | perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK; |
784 | perm |= KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_LINK; | ||
780 | 785 | ||
781 | if (ktype->read) | 786 | if (ktype->read) |
782 | perm |= KEY_USR_READ; | 787 | perm |= KEY_POS_READ | KEY_USR_READ; |
783 | 788 | ||
784 | if (ktype == &key_type_keyring || ktype->update) | 789 | if (ktype == &key_type_keyring || ktype->update) |
785 | perm |= KEY_USR_WRITE; | 790 | perm |= KEY_USR_WRITE; |
@@ -788,7 +793,7 @@ struct key *key_create_or_update(struct key *keyring, | |||
788 | key = key_alloc(ktype, description, current->fsuid, current->fsgid, | 793 | key = key_alloc(ktype, description, current->fsuid, current->fsgid, |
789 | perm, not_in_quota); | 794 | perm, not_in_quota); |
790 | if (IS_ERR(key)) { | 795 | if (IS_ERR(key)) { |
791 | ret = PTR_ERR(key); | 796 | key_ref = ERR_PTR(PTR_ERR(key)); |
792 | goto error_3; | 797 | goto error_3; |
793 | } | 798 | } |
794 | 799 | ||
@@ -796,15 +801,18 @@ struct key *key_create_or_update(struct key *keyring, | |||
796 | ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL); | 801 | ret = __key_instantiate_and_link(key, payload, plen, keyring, NULL); |
797 | if (ret < 0) { | 802 | if (ret < 0) { |
798 | key_put(key); | 803 | key_put(key); |
799 | key = ERR_PTR(ret); | 804 | key_ref = ERR_PTR(ret); |
805 | goto error_3; | ||
800 | } | 806 | } |
801 | 807 | ||
808 | key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); | ||
809 | |||
802 | error_3: | 810 | error_3: |
803 | up_write(&keyring->sem); | 811 | up_write(&keyring->sem); |
804 | error_2: | 812 | error_2: |
805 | key_type_put(ktype); | 813 | key_type_put(ktype); |
806 | error: | 814 | error: |
807 | return key; | 815 | return key_ref; |
808 | 816 | ||
809 | found_matching_key: | 817 | found_matching_key: |
810 | /* we found a matching key, so we're going to try to update it | 818 | /* we found a matching key, so we're going to try to update it |
@@ -813,7 +821,7 @@ struct key *key_create_or_update(struct key *keyring, | |||
813 | up_write(&keyring->sem); | 821 | up_write(&keyring->sem); |
814 | key_type_put(ktype); | 822 | key_type_put(ktype); |
815 | 823 | ||
816 | key = __key_update(key, payload, plen); | 824 | key_ref = __key_update(key_ref, payload, plen); |
817 | goto error; | 825 | goto error; |
818 | 826 | ||
819 | } /* end key_create_or_update() */ | 827 | } /* end key_create_or_update() */ |
@@ -824,15 +832,16 @@ EXPORT_SYMBOL(key_create_or_update); | |||
824 | /* | 832 | /* |
825 | * update a key | 833 | * update a key |
826 | */ | 834 | */ |
827 | int key_update(struct key *key, const void *payload, size_t plen) | 835 | int key_update(key_ref_t key_ref, const void *payload, size_t plen) |
828 | { | 836 | { |
837 | struct key *key = key_ref_to_ptr(key_ref); | ||
829 | int ret; | 838 | int ret; |
830 | 839 | ||
831 | key_check(key); | 840 | key_check(key); |
832 | 841 | ||
833 | /* the key must be writable */ | 842 | /* the key must be writable */ |
834 | ret = -EACCES; | 843 | ret = -EACCES; |
835 | if (!key_permission(key, KEY_WRITE)) | 844 | if (!key_permission(key_ref, KEY_WRITE)) |
836 | goto error; | 845 | goto error; |
837 | 846 | ||
838 | /* attempt to update it if supported */ | 847 | /* attempt to update it if supported */ |
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index a6516a64b29..4c670ee6acf 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
@@ -34,7 +34,7 @@ asmlinkage long sys_add_key(const char __user *_type, | |||
34 | size_t plen, | 34 | size_t plen, |
35 | key_serial_t ringid) | 35 | key_serial_t ringid) |
36 | { | 36 | { |
37 | struct key *keyring, *key; | 37 | key_ref_t keyring_ref, key_ref; |
38 | char type[32], *description; | 38 | char type[32], *description; |
39 | void *payload; | 39 | void *payload; |
40 | long dlen, ret; | 40 | long dlen, ret; |
@@ -86,25 +86,25 @@ asmlinkage long sys_add_key(const char __user *_type, | |||
86 | } | 86 | } |
87 | 87 | ||
88 | /* find the target keyring (which must be writable) */ | 88 | /* find the target keyring (which must be writable) */ |
89 | keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); | 89 | keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); |
90 | if (IS_ERR(keyring)) { | 90 | if (IS_ERR(keyring_ref)) { |
91 | ret = PTR_ERR(keyring); | 91 | ret = PTR_ERR(keyring_ref); |
92 | goto error3; | 92 | goto error3; |
93 | } | 93 | } |
94 | 94 | ||
95 | /* create or update the requested key and add it to the target | 95 | /* create or update the requested key and add it to the target |
96 | * keyring */ | 96 | * keyring */ |
97 | key = key_create_or_update(keyring, type, description, | 97 | key_ref = key_create_or_update(keyring_ref, type, description, |
98 | payload, plen, 0); | 98 | payload, plen, 0); |
99 | if (!IS_ERR(key)) { | 99 | if (!IS_ERR(key_ref)) { |
100 | ret = key->serial; | 100 | ret = key_ref_to_ptr(key_ref)->serial; |
101 | key_put(key); | 101 | key_ref_put(key_ref); |
102 | } | 102 | } |
103 | else { | 103 | else { |
104 | ret = PTR_ERR(key); | 104 | ret = PTR_ERR(key_ref); |
105 | } | 105 | } |
106 | 106 | ||
107 | key_put(keyring); | 107 | key_ref_put(keyring_ref); |
108 | error3: | 108 | error3: |
109 | kfree(payload); | 109 | kfree(payload); |
110 | error2: | 110 | error2: |
@@ -131,7 +131,8 @@ asmlinkage long sys_request_key(const char __user *_type, | |||
131 | key_serial_t destringid) | 131 | key_serial_t destringid) |
132 | { | 132 | { |
133 | struct key_type *ktype; | 133 | struct key_type *ktype; |
134 | struct key *key, *dest; | 134 | struct key *key; |
135 | key_ref_t dest_ref; | ||
135 | char type[32], *description, *callout_info; | 136 | char type[32], *description, *callout_info; |
136 | long dlen, ret; | 137 | long dlen, ret; |
137 | 138 | ||
@@ -187,11 +188,11 @@ asmlinkage long sys_request_key(const char __user *_type, | |||
187 | } | 188 | } |
188 | 189 | ||
189 | /* get the destination keyring if specified */ | 190 | /* get the destination keyring if specified */ |
190 | dest = NULL; | 191 | dest_ref = NULL; |
191 | if (destringid) { | 192 | if (destringid) { |
192 | dest = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); | 193 | dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); |
193 | if (IS_ERR(dest)) { | 194 | if (IS_ERR(dest_ref)) { |
194 | ret = PTR_ERR(dest); | 195 | ret = PTR_ERR(dest_ref); |
195 | goto error3; | 196 | goto error3; |
196 | } | 197 | } |
197 | } | 198 | } |
@@ -204,7 +205,8 @@ asmlinkage long sys_request_key(const char __user *_type, | |||
204 | } | 205 | } |
205 | 206 | ||
206 | /* do the search */ | 207 | /* do the search */ |
207 | key = request_key_and_link(ktype, description, callout_info, dest); | 208 | key = request_key_and_link(ktype, description, callout_info, |
209 | key_ref_to_ptr(dest_ref)); | ||
208 | if (IS_ERR(key)) { | 210 | if (IS_ERR(key)) { |
209 | ret = PTR_ERR(key); | 211 | ret = PTR_ERR(key); |
210 | goto error5; | 212 | goto error5; |
@@ -216,7 +218,7 @@ asmlinkage long sys_request_key(const char __user *_type, | |||
216 | error5: | 218 | error5: |
217 | key_type_put(ktype); | 219 | key_type_put(ktype); |
218 | error4: | 220 | error4: |
219 | key_put(dest); | 221 | key_ref_put(dest_ref); |
220 | error3: | 222 | error3: |
221 | kfree(callout_info); | 223 | kfree(callout_info); |
222 | error2: | 224 | error2: |
@@ -234,17 +236,17 @@ asmlinkage long sys_request_key(const char __user *_type, | |||
234 | */ | 236 | */ |
235 | long keyctl_get_keyring_ID(key_serial_t id, int create) | 237 | long keyctl_get_keyring_ID(key_serial_t id, int create) |
236 | { | 238 | { |
237 | struct key *key; | 239 | key_ref_t key_ref; |
238 | long ret; | 240 | long ret; |
239 | 241 | ||
240 | key = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); | 242 | key_ref = lookup_user_key(NULL, id, create, 0, KEY_SEARCH); |
241 | if (IS_ERR(key)) { | 243 | if (IS_ERR(key_ref)) { |
242 | ret = PTR_ERR(key); | 244 | ret = PTR_ERR(key_ref); |
243 | goto error; | 245 | goto error; |
244 | } | 246 | } |
245 | 247 | ||
246 | ret = key->serial; | 248 | ret = key_ref_to_ptr(key_ref)->serial; |
247 | key_put(key); | 249 | key_ref_put(key_ref); |
248 | error: | 250 | error: |
249 | return ret; | 251 | return ret; |
250 | 252 | ||
@@ -302,7 +304,7 @@ long keyctl_update_key(key_serial_t id, | |||
302 | const void __user *_payload, | 304 | const void __user *_payload, |
303 | size_t plen) | 305 | size_t plen) |
304 | { | 306 | { |
305 | struct key *key; | 307 | key_ref_t key_ref; |
306 | void *payload; | 308 | void *payload; |
307 | long ret; | 309 | long ret; |
308 | 310 | ||
@@ -324,16 +326,16 @@ long keyctl_update_key(key_serial_t id, | |||
324 | } | 326 | } |
325 | 327 | ||
326 | /* find the target key (which must be writable) */ | 328 | /* find the target key (which must be writable) */ |
327 | key = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); | 329 | key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); |
328 | if (IS_ERR(key)) { | 330 | if (IS_ERR(key_ref)) { |
329 | ret = PTR_ERR(key); | 331 | ret = PTR_ERR(key_ref); |
330 | goto error2; | 332 | goto error2; |
331 | } | 333 | } |
332 | 334 | ||
333 | /* update the key */ | 335 | /* update the key */ |
334 | ret = key_update(key, payload, plen); | 336 | ret = key_update(key_ref, payload, plen); |
335 | 337 | ||
336 | key_put(key); | 338 | key_ref_put(key_ref); |
337 | error2: | 339 | error2: |
338 | kfree(payload); | 340 | kfree(payload); |
339 | error: | 341 | error: |
@@ -349,19 +351,19 @@ long keyctl_update_key(key_serial_t id, | |||
349 | */ | 351 | */ |
350 | long keyctl_revoke_key(key_serial_t id) | 352 | long keyctl_revoke_key(key_serial_t id) |
351 | { | 353 | { |
352 | struct key *key; | 354 | key_ref_t key_ref; |
353 | long ret; | 355 | long ret; |
354 | 356 | ||
355 | key = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); | 357 | key_ref = lookup_user_key(NULL, id, 0, 0, KEY_WRITE); |
356 | if (IS_ERR(key)) { | 358 | if (IS_ERR(key_ref)) { |
357 | ret = PTR_ERR(key); | 359 | ret = PTR_ERR(key_ref); |
358 | goto error; | 360 | goto error; |
359 | } | 361 | } |
360 | 362 | ||
361 | key_revoke(key); | 363 | key_revoke(key_ref_to_ptr(key_ref)); |
362 | ret = 0; | 364 | ret = 0; |
363 | 365 | ||
364 | key_put(key); | 366 | key_ref_put(key_ref); |
365 | error: | 367 | error: |
366 | return ret; | 368 | return ret; |
367 | 369 | ||
@@ -375,18 +377,18 @@ long keyctl_revoke_key(key_serial_t id) | |||
375 | */ | 377 | */ |
376 | long keyctl_keyring_clear(key_serial_t ringid) | 378 | long keyctl_keyring_clear(key_serial_t ringid) |
377 | { | 379 | { |
378 | struct key *keyring; | 380 | key_ref_t keyring_ref; |
379 | long ret; | 381 | long ret; |
380 | 382 | ||
381 | keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); | 383 | keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); |
382 | if (IS_ERR(keyring)) { | 384 | if (IS_ERR(keyring_ref)) { |
383 | ret = PTR_ERR(keyring); | 385 | ret = PTR_ERR(keyring_ref); |
384 | goto error; | 386 | goto error; |
385 | } | 387 | } |
386 | 388 | ||
387 | ret = keyring_clear(keyring); | 389 | ret = keyring_clear(key_ref_to_ptr(keyring_ref)); |
388 | 390 | ||
389 | key_put(keyring); | 391 | key_ref_put(keyring_ref); |
390 | error: | 392 | error: |
391 | return ret; | 393 | return ret; |
392 | 394 | ||
@@ -401,26 +403,26 @@ long keyctl_keyring_clear(key_serial_t ringid) | |||
401 | */ | 403 | */ |
402 | long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) | 404 | long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) |
403 | { | 405 | { |
404 | struct key *keyring, *key; | 406 | key_ref_t keyring_ref, key_ref; |
405 | long ret; | 407 | long ret; |
406 | 408 | ||
407 | keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); | 409 | keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); |
408 | if (IS_ERR(keyring)) { | 410 | if (IS_ERR(keyring_ref)) { |
409 | ret = PTR_ERR(keyring); | 411 | ret = PTR_ERR(keyring_ref); |
410 | goto error; | 412 | goto error; |
411 | } | 413 | } |
412 | 414 | ||
413 | key = lookup_user_key(NULL, id, 1, 0, KEY_LINK); | 415 | key_ref = lookup_user_key(NULL, id, 1, 0, KEY_LINK); |
414 | if (IS_ERR(key)) { | 416 | if (IS_ERR(key_ref)) { |
415 | ret = PTR_ERR(key); | 417 | ret = PTR_ERR(key_ref); |
416 | goto error2; | 418 | goto error2; |
417 | } | 419 | } |
418 | 420 | ||
419 | ret = key_link(keyring, key); | 421 | ret = key_link(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); |
420 | 422 | ||
421 | key_put(key); | 423 | key_ref_put(key_ref); |
422 | error2: | 424 | error2: |
423 | key_put(keyring); | 425 | key_ref_put(keyring_ref); |
424 | error: | 426 | error: |
425 | return ret; | 427 | return ret; |
426 | 428 | ||
@@ -435,26 +437,26 @@ long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) | |||
435 | */ | 437 | */ |
436 | long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) | 438 | long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) |
437 | { | 439 | { |
438 | struct key *keyring, *key; | 440 | key_ref_t keyring_ref, key_ref; |
439 | long ret; | 441 | long ret; |
440 | 442 | ||
441 | keyring = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); | 443 | keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_WRITE); |
442 | if (IS_ERR(keyring)) { | 444 | if (IS_ERR(keyring_ref)) { |
443 | ret = PTR_ERR(keyring); | 445 | ret = PTR_ERR(keyring_ref); |
444 | goto error; | 446 | goto error; |
445 | } | 447 | } |
446 | 448 | ||
447 | key = lookup_user_key(NULL, id, 0, 0, 0); | 449 | key_ref = lookup_user_key(NULL, id, 0, 0, 0); |
448 | if (IS_ERR(key)) { | 450 | if (IS_ERR(key_ref)) { |
449 | ret = PTR_ERR(key); | 451 | ret = PTR_ERR(key_ref); |
450 | goto error2; | 452 | goto error2; |
451 | } | 453 | } |
452 | 454 | ||
453 | ret = key_unlink(keyring, key); | 455 | ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); |
454 | 456 | ||
455 | key_put(key); | 457 | key_ref_put(key_ref); |
456 | error2: | 458 | error2: |
457 | key_put(keyring); | 459 | key_ref_put(keyring_ref); |
458 | error: | 460 | error: |
459 | return ret; | 461 | return ret; |
460 | 462 | ||
@@ -476,24 +478,26 @@ long keyctl_describe_key(key_serial_t keyid, | |||
476 | size_t buflen) | 478 | size_t buflen) |
477 | { | 479 | { |
478 | struct key *key, *instkey; | 480 | struct key *key, *instkey; |
481 | key_ref_t key_ref; | ||
479 | char *tmpbuf; | 482 | char *tmpbuf; |
480 | long ret; | 483 | long ret; |
481 | 484 | ||
482 | key = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); | 485 | key_ref = lookup_user_key(NULL, keyid, 0, 1, KEY_VIEW); |
483 | if (IS_ERR(key)) { | 486 | if (IS_ERR(key_ref)) { |
484 | /* viewing a key under construction is permitted if we have the | 487 | /* viewing a key under construction is permitted if we have the |
485 | * authorisation token handy */ | 488 | * authorisation token handy */ |
486 | if (PTR_ERR(key) == -EACCES) { | 489 | if (PTR_ERR(key_ref) == -EACCES) { |
487 | instkey = key_get_instantiation_authkey(keyid); | 490 | instkey = key_get_instantiation_authkey(keyid); |
488 | if (!IS_ERR(instkey)) { | 491 | if (!IS_ERR(instkey)) { |
489 | key_put(instkey); | 492 | key_put(instkey); |
490 | key = lookup_user_key(NULL, keyid, 0, 1, 0); | 493 | key_ref = lookup_user_key(NULL, keyid, |
491 | if (!IS_ERR(key)) | 494 | 0, 1, 0); |
495 | if (!IS_ERR(key_ref)) | ||
492 | goto okay; | 496 | goto okay; |
493 | } | 497 | } |
494 | } | 498 | } |
495 | 499 | ||
496 | ret = PTR_ERR(key); | 500 | ret = PTR_ERR(key_ref); |
497 | goto error; | 501 | goto error; |
498 | } | 502 | } |
499 | 503 | ||
@@ -504,13 +508,16 @@ okay: | |||
504 | if (!tmpbuf) | 508 | if (!tmpbuf) |
505 | goto error2; | 509 | goto error2; |
506 | 510 | ||
511 | key = key_ref_to_ptr(key_ref); | ||
512 | |||
507 | ret = snprintf(tmpbuf, PAGE_SIZE - 1, | 513 | ret = snprintf(tmpbuf, PAGE_SIZE - 1, |
508 | "%s;%d;%d;%06x;%s", | 514 | "%s;%d;%d;%08x;%s", |
509 | key->type->name, | 515 | key_ref_to_ptr(key_ref)->type->name, |
510 | key->uid, | 516 | key_ref_to_ptr(key_ref)->uid, |
511 | key->gid, | 517 | key_ref_to_ptr(key_ref)->gid, |
512 | key->perm, | 518 | key_ref_to_ptr(key_ref)->perm, |
513 | key->description ? key->description :"" | 519 | key_ref_to_ptr(key_ref)->description ? |
520 | key_ref_to_ptr(key_ref)->description : "" | ||
514 | ); | 521 | ); |
515 | 522 | ||
516 | /* include a NUL char at the end of the data */ | 523 | /* include a NUL char at the end of the data */ |
@@ -530,7 +537,7 @@ okay: | |||
530 | 537 | ||
531 | kfree(tmpbuf); | 538 | kfree(tmpbuf); |
532 | error2: | 539 | error2: |
533 | key_put(key); | 540 | key_ref_put(key_ref); |
534 | error: | 541 | error: |
535 | return ret; | 542 | return ret; |
536 | 543 | ||
@@ -552,7 +559,7 @@ long keyctl_keyring_search(key_serial_t ringid, | |||
552 | key_serial_t destringid) | 559 | key_serial_t destringid) |
553 | { | 560 | { |
554 | struct key_type *ktype; | 561 | struct key_type *ktype; |
555 | struct key *keyring, *key, *dest; | 562 | key_ref_t keyring_ref, key_ref, dest_ref; |
556 | char type[32], *description; | 563 | char type[32], *description; |
557 | long dlen, ret; | 564 | long dlen, ret; |
558 | 565 | ||
@@ -581,18 +588,18 @@ long keyctl_keyring_search(key_serial_t ringid, | |||
581 | goto error2; | 588 | goto error2; |
582 | 589 | ||
583 | /* get the keyring at which to begin the search */ | 590 | /* get the keyring at which to begin the search */ |
584 | keyring = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); | 591 | keyring_ref = lookup_user_key(NULL, ringid, 0, 0, KEY_SEARCH); |
585 | if (IS_ERR(keyring)) { | 592 | if (IS_ERR(keyring_ref)) { |
586 | ret = PTR_ERR(keyring); | 593 | ret = PTR_ERR(keyring_ref); |
587 | goto error2; | 594 | goto error2; |
588 | } | 595 | } |
589 | 596 | ||
590 | /* get the destination keyring if specified */ | 597 | /* get the destination keyring if specified */ |
591 | dest = NULL; | 598 | dest_ref = NULL; |
592 | if (destringid) { | 599 | if (destringid) { |
593 | dest = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); | 600 | dest_ref = lookup_user_key(NULL, destringid, 1, 0, KEY_WRITE); |
594 | if (IS_ERR(dest)) { | 601 | if (IS_ERR(dest_ref)) { |
595 | ret = PTR_ERR(dest); | 602 | ret = PTR_ERR(dest_ref); |
596 | goto error3; | 603 | goto error3; |
597 | } | 604 | } |
598 | } | 605 | } |
@@ -605,9 +612,9 @@ long keyctl_keyring_search(key_serial_t ringid, | |||
605 | } | 612 | } |
606 | 613 | ||
607 | /* do the search */ | 614 | /* do the search */ |
608 | key = keyring_search(keyring, ktype, description); | 615 | key_ref = keyring_search(keyring_ref, ktype, description); |
609 | if (IS_ERR(key)) { | 616 | if (IS_ERR(key_ref)) { |
610 | ret = PTR_ERR(key); | 617 | ret = PTR_ERR(key_ref); |
611 | 618 | ||
612 | /* treat lack or presence of a negative key the same */ | 619 | /* treat lack or presence of a negative key the same */ |
613 | if (ret == -EAGAIN) | 620 | if (ret == -EAGAIN) |
@@ -616,26 +623,26 @@ long keyctl_keyring_search(key_serial_t ringid, | |||
616 | } | 623 | } |
617 | 624 | ||
618 | /* link the resulting key to the destination keyring if we can */ | 625 | /* link the resulting key to the destination keyring if we can */ |
619 | if (dest) { | 626 | if (dest_ref) { |
620 | ret = -EACCES; | 627 | ret = -EACCES; |
621 | if (!key_permission(key, KEY_LINK)) | 628 | if (!key_permission(key_ref, KEY_LINK)) |
622 | goto error6; | 629 | goto error6; |
623 | 630 | ||
624 | ret = key_link(dest, key); | 631 | ret = key_link(key_ref_to_ptr(dest_ref), key_ref_to_ptr(key_ref)); |
625 | if (ret < 0) | 632 | if (ret < 0) |
626 | goto error6; | 633 | goto error6; |
627 | } | 634 | } |
628 | 635 | ||
629 | ret = key->serial; | 636 | ret = key_ref_to_ptr(key_ref)->serial; |
630 | 637 | ||
631 | error6: | 638 | error6: |
632 | key_put(key); | 639 | key_ref_put(key_ref); |
633 | error5: | 640 | error5: |
634 | key_type_put(ktype); | 641 | key_type_put(ktype); |
635 | error4: | 642 | error4: |
636 | key_put(dest); | 643 | key_ref_put(dest_ref); |
637 | error3: | 644 | error3: |
638 | key_put(keyring); | 645 | key_ref_put(keyring_ref); |
639 | error2: | 646 | error2: |
640 | kfree(description); | 647 | kfree(description); |
641 | error: | 648 | error: |
@@ -645,16 +652,6 @@ long keyctl_keyring_search(key_serial_t ringid, | |||
645 | 652 | ||
646 | /*****************************************************************************/ | 653 | /*****************************************************************************/ |
647 | /* | 654 | /* |
648 | * see if the key we're looking at is the target key | ||
649 | */ | ||
650 | static int keyctl_read_key_same(const struct key *key, const void *target) | ||
651 | { | ||
652 | return key == target; | ||
653 | |||
654 | } /* end keyctl_read_key_same() */ | ||
655 | |||
656 | /*****************************************************************************/ | ||
657 | /* | ||
658 | * read a user key's payload | 655 | * read a user key's payload |
659 | * - the keyring must be readable or the key must be searchable from the | 656 | * - the keyring must be readable or the key must be searchable from the |
660 | * process's keyrings | 657 | * process's keyrings |
@@ -665,38 +662,33 @@ static int keyctl_read_key_same(const struct key *key, const void *target) | |||
665 | */ | 662 | */ |
666 | long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) | 663 | long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) |
667 | { | 664 | { |
668 | struct key *key, *skey; | 665 | struct key *key; |
666 | key_ref_t key_ref; | ||
669 | long ret; | 667 | long ret; |
670 | 668 | ||
671 | /* find the key first */ | 669 | /* find the key first */ |
672 | key = lookup_user_key(NULL, keyid, 0, 0, 0); | 670 | key_ref = lookup_user_key(NULL, keyid, 0, 0, 0); |
673 | if (!IS_ERR(key)) { | 671 | if (IS_ERR(key_ref)) { |
674 | /* see if we can read it directly */ | 672 | ret = -ENOKEY; |
675 | if (key_permission(key, KEY_READ)) | 673 | goto error; |
676 | goto can_read_key; | ||
677 | |||
678 | /* we can't; see if it's searchable from this process's | ||
679 | * keyrings | ||
680 | * - we automatically take account of the fact that it may be | ||
681 | * dangling off an instantiation key | ||
682 | */ | ||
683 | skey = search_process_keyrings(key->type, key, | ||
684 | keyctl_read_key_same, current); | ||
685 | if (!IS_ERR(skey)) | ||
686 | goto can_read_key2; | ||
687 | |||
688 | ret = PTR_ERR(skey); | ||
689 | if (ret == -EAGAIN) | ||
690 | ret = -EACCES; | ||
691 | goto error2; | ||
692 | } | 674 | } |
693 | 675 | ||
694 | ret = -ENOKEY; | 676 | key = key_ref_to_ptr(key_ref); |
695 | goto error; | 677 | |
678 | /* see if we can read it directly */ | ||
679 | if (key_permission(key_ref, KEY_READ)) | ||
680 | goto can_read_key; | ||
681 | |||
682 | /* we can't; see if it's searchable from this process's keyrings | ||
683 | * - we automatically take account of the fact that it may be | ||
684 | * dangling off an instantiation key | ||
685 | */ | ||
686 | if (!is_key_possessed(key_ref)) { | ||
687 | ret = -EACCES; | ||
688 | goto error2; | ||
689 | } | ||
696 | 690 | ||
697 | /* the key is probably readable - now try to read it */ | 691 | /* the key is probably readable - now try to read it */ |
698 | can_read_key2: | ||
699 | key_put(skey); | ||
700 | can_read_key: | 692 | can_read_key: |
701 | ret = key_validate(key); | 693 | ret = key_validate(key); |
702 | if (ret == 0) { | 694 | if (ret == 0) { |
@@ -727,18 +719,21 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) | |||
727 | long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) | 719 | long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) |
728 | { | 720 | { |
729 | struct key *key; | 721 | struct key *key; |
722 | key_ref_t key_ref; | ||
730 | long ret; | 723 | long ret; |
731 | 724 | ||
732 | ret = 0; | 725 | ret = 0; |
733 | if (uid == (uid_t) -1 && gid == (gid_t) -1) | 726 | if (uid == (uid_t) -1 && gid == (gid_t) -1) |
734 | goto error; | 727 | goto error; |
735 | 728 | ||
736 | key = lookup_user_key(NULL, id, 1, 1, 0); | 729 | key_ref = lookup_user_key(NULL, id, 1, 1, 0); |
737 | if (IS_ERR(key)) { | 730 | if (IS_ERR(key_ref)) { |
738 | ret = PTR_ERR(key); | 731 | ret = PTR_ERR(key_ref); |
739 | goto error; | 732 | goto error; |
740 | } | 733 | } |
741 | 734 | ||
735 | key = key_ref_to_ptr(key_ref); | ||
736 | |||
742 | /* make the changes with the locks held to prevent chown/chown races */ | 737 | /* make the changes with the locks held to prevent chown/chown races */ |
743 | ret = -EACCES; | 738 | ret = -EACCES; |
744 | down_write(&key->sem); | 739 | down_write(&key->sem); |
@@ -784,18 +779,21 @@ long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) | |||
784 | long keyctl_setperm_key(key_serial_t id, key_perm_t perm) | 779 | long keyctl_setperm_key(key_serial_t id, key_perm_t perm) |
785 | { | 780 | { |
786 | struct key *key; | 781 | struct key *key; |
782 | key_ref_t key_ref; | ||
787 | long ret; | 783 | long ret; |
788 | 784 | ||
789 | ret = -EINVAL; | 785 | ret = -EINVAL; |
790 | if (perm & ~(KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) | 786 | if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) |
791 | goto error; | 787 | goto error; |
792 | 788 | ||
793 | key = lookup_user_key(NULL, id, 1, 1, 0); | 789 | key_ref = lookup_user_key(NULL, id, 1, 1, 0); |
794 | if (IS_ERR(key)) { | 790 | if (IS_ERR(key_ref)) { |
795 | ret = PTR_ERR(key); | 791 | ret = PTR_ERR(key_ref); |
796 | goto error; | 792 | goto error; |
797 | } | 793 | } |
798 | 794 | ||
795 | key = key_ref_to_ptr(key_ref); | ||
796 | |||
799 | /* make the changes with the locks held to prevent chown/chmod races */ | 797 | /* make the changes with the locks held to prevent chown/chmod races */ |
800 | ret = -EACCES; | 798 | ret = -EACCES; |
801 | down_write(&key->sem); | 799 | down_write(&key->sem); |
@@ -824,7 +822,8 @@ long keyctl_instantiate_key(key_serial_t id, | |||
824 | key_serial_t ringid) | 822 | key_serial_t ringid) |
825 | { | 823 | { |
826 | struct request_key_auth *rka; | 824 | struct request_key_auth *rka; |
827 | struct key *instkey, *keyring; | 825 | struct key *instkey; |
826 | key_ref_t keyring_ref; | ||
828 | void *payload; | 827 | void *payload; |
829 | long ret; | 828 | long ret; |
830 | 829 | ||
@@ -857,21 +856,21 @@ long keyctl_instantiate_key(key_serial_t id, | |||
857 | 856 | ||
858 | /* find the destination keyring amongst those belonging to the | 857 | /* find the destination keyring amongst those belonging to the |
859 | * requesting task */ | 858 | * requesting task */ |
860 | keyring = NULL; | 859 | keyring_ref = NULL; |
861 | if (ringid) { | 860 | if (ringid) { |
862 | keyring = lookup_user_key(rka->context, ringid, 1, 0, | 861 | keyring_ref = lookup_user_key(rka->context, ringid, 1, 0, |
863 | KEY_WRITE); | 862 | KEY_WRITE); |
864 | if (IS_ERR(keyring)) { | 863 | if (IS_ERR(keyring_ref)) { |
865 | ret = PTR_ERR(keyring); | 864 | ret = PTR_ERR(keyring_ref); |
866 | goto error3; | 865 | goto error3; |
867 | } | 866 | } |
868 | } | 867 | } |
869 | 868 | ||
870 | /* instantiate the key and link it into a keyring */ | 869 | /* instantiate the key and link it into a keyring */ |
871 | ret = key_instantiate_and_link(rka->target_key, payload, plen, | 870 | ret = key_instantiate_and_link(rka->target_key, payload, plen, |
872 | keyring, instkey); | 871 | key_ref_to_ptr(keyring_ref), instkey); |
873 | 872 | ||
874 | key_put(keyring); | 873 | key_ref_put(keyring_ref); |
875 | error3: | 874 | error3: |
876 | key_put(instkey); | 875 | key_put(instkey); |
877 | error2: | 876 | error2: |
@@ -889,7 +888,8 @@ long keyctl_instantiate_key(key_serial_t id, | |||
889 | long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) | 888 | long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) |
890 | { | 889 | { |
891 | struct request_key_auth *rka; | 890 | struct request_key_auth *rka; |
892 | struct key *instkey, *keyring; | 891 | struct key *instkey; |
892 | key_ref_t keyring_ref; | ||
893 | long ret; | 893 | long ret; |
894 | 894 | ||
895 | /* find the instantiation authorisation key */ | 895 | /* find the instantiation authorisation key */ |
@@ -903,19 +903,20 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) | |||
903 | 903 | ||
904 | /* find the destination keyring if present (which must also be | 904 | /* find the destination keyring if present (which must also be |
905 | * writable) */ | 905 | * writable) */ |
906 | keyring = NULL; | 906 | keyring_ref = NULL; |
907 | if (ringid) { | 907 | if (ringid) { |
908 | keyring = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); | 908 | keyring_ref = lookup_user_key(NULL, ringid, 1, 0, KEY_WRITE); |
909 | if (IS_ERR(keyring)) { | 909 | if (IS_ERR(keyring_ref)) { |
910 | ret = PTR_ERR(keyring); | 910 | ret = PTR_ERR(keyring_ref); |
911 | goto error2; | 911 | goto error2; |
912 | } | 912 | } |
913 | } | 913 | } |
914 | 914 | ||
915 | /* instantiate the key and link it into a keyring */ | 915 | /* instantiate the key and link it into a keyring */ |
916 | ret = key_negate_and_link(rka->target_key, timeout, keyring, instkey); | 916 | ret = key_negate_and_link(rka->target_key, timeout, |
917 | key_ref_to_ptr(keyring_ref), instkey); | ||
917 | 918 | ||
918 | key_put(keyring); | 919 | key_ref_put(keyring_ref); |
919 | error2: | 920 | error2: |
920 | key_put(instkey); | 921 | key_put(instkey); |
921 | error: | 922 | error: |
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 9c208c756df..0639396dd44 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c | |||
@@ -309,7 +309,7 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, | |||
309 | int ret; | 309 | int ret; |
310 | 310 | ||
311 | keyring = key_alloc(&key_type_keyring, description, | 311 | keyring = key_alloc(&key_type_keyring, description, |
312 | uid, gid, KEY_USR_ALL, not_in_quota); | 312 | uid, gid, KEY_POS_ALL | KEY_USR_ALL, not_in_quota); |
313 | 313 | ||
314 | if (!IS_ERR(keyring)) { | 314 | if (!IS_ERR(keyring)) { |
315 | ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); | 315 | ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); |
@@ -333,12 +333,13 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, | |||
333 | * - we rely on RCU to prevent the keyring lists from disappearing on us | 333 | * - we rely on RCU to prevent the keyring lists from disappearing on us |
334 | * - we return -EAGAIN if we didn't find any matching key | 334 | * - we return -EAGAIN if we didn't find any matching key |
335 | * - we return -ENOKEY if we only found negative matching keys | 335 | * - we return -ENOKEY if we only found negative matching keys |
336 | * - we propagate the possession attribute from the keyring ref to the key ref | ||
336 | */ | 337 | */ |
337 | struct key *keyring_search_aux(struct key *keyring, | 338 | key_ref_t keyring_search_aux(key_ref_t keyring_ref, |
338 | struct task_struct *context, | 339 | struct task_struct *context, |
339 | struct key_type *type, | 340 | struct key_type *type, |
340 | const void *description, | 341 | const void *description, |
341 | key_match_func_t match) | 342 | key_match_func_t match) |
342 | { | 343 | { |
343 | struct { | 344 | struct { |
344 | struct keyring_list *keylist; | 345 | struct keyring_list *keylist; |
@@ -347,29 +348,33 @@ struct key *keyring_search_aux(struct key *keyring, | |||
347 | 348 | ||
348 | struct keyring_list *keylist; | 349 | struct keyring_list *keylist; |
349 | struct timespec now; | 350 | struct timespec now; |
350 | struct key *key; | 351 | unsigned long possessed; |
352 | struct key *keyring, *key; | ||
353 | key_ref_t key_ref; | ||
351 | long err; | 354 | long err; |
352 | int sp, kix; | 355 | int sp, kix; |
353 | 356 | ||
357 | keyring = key_ref_to_ptr(keyring_ref); | ||
358 | possessed = is_key_possessed(keyring_ref); | ||
354 | key_check(keyring); | 359 | key_check(keyring); |
355 | 360 | ||
356 | rcu_read_lock(); | ||
357 | |||
358 | /* top keyring must have search permission to begin the search */ | 361 | /* top keyring must have search permission to begin the search */ |
359 | key = ERR_PTR(-EACCES); | 362 | key_ref = ERR_PTR(-EACCES); |
360 | if (!key_task_permission(keyring, context, KEY_SEARCH)) | 363 | if (!key_task_permission(keyring_ref, context, KEY_SEARCH)) |
361 | goto error; | 364 | goto error; |
362 | 365 | ||
363 | key = ERR_PTR(-ENOTDIR); | 366 | key_ref = ERR_PTR(-ENOTDIR); |
364 | if (keyring->type != &key_type_keyring) | 367 | if (keyring->type != &key_type_keyring) |
365 | goto error; | 368 | goto error; |
366 | 369 | ||
370 | rcu_read_lock(); | ||
371 | |||
367 | now = current_kernel_time(); | 372 | now = current_kernel_time(); |
368 | err = -EAGAIN; | 373 | err = -EAGAIN; |
369 | sp = 0; | 374 | sp = 0; |
370 | 375 | ||
371 | /* start processing a new keyring */ | 376 | /* start processing a new keyring */ |
372 | descend: | 377 | descend: |
373 | if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) | 378 | if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) |
374 | goto not_this_keyring; | 379 | goto not_this_keyring; |
375 | 380 | ||
@@ -397,7 +402,8 @@ struct key *keyring_search_aux(struct key *keyring, | |||
397 | continue; | 402 | continue; |
398 | 403 | ||
399 | /* key must have search permissions */ | 404 | /* key must have search permissions */ |
400 | if (!key_task_permission(key, context, KEY_SEARCH)) | 405 | if (!key_task_permission(make_key_ref(key, possessed), |
406 | context, KEY_SEARCH)) | ||
401 | continue; | 407 | continue; |
402 | 408 | ||
403 | /* we set a different error code if we find a negative key */ | 409 | /* we set a different error code if we find a negative key */ |
@@ -411,7 +417,7 @@ struct key *keyring_search_aux(struct key *keyring, | |||
411 | 417 | ||
412 | /* search through the keyrings nested in this one */ | 418 | /* search through the keyrings nested in this one */ |
413 | kix = 0; | 419 | kix = 0; |
414 | ascend: | 420 | ascend: |
415 | for (; kix < keylist->nkeys; kix++) { | 421 | for (; kix < keylist->nkeys; kix++) { |
416 | key = keylist->keys[kix]; | 422 | key = keylist->keys[kix]; |
417 | if (key->type != &key_type_keyring) | 423 | if (key->type != &key_type_keyring) |
@@ -423,7 +429,8 @@ struct key *keyring_search_aux(struct key *keyring, | |||
423 | if (sp >= KEYRING_SEARCH_MAX_DEPTH) | 429 | if (sp >= KEYRING_SEARCH_MAX_DEPTH) |
424 | continue; | 430 | continue; |
425 | 431 | ||
426 | if (!key_task_permission(key, context, KEY_SEARCH)) | 432 | if (!key_task_permission(make_key_ref(key, possessed), |
433 | context, KEY_SEARCH)) | ||
427 | continue; | 434 | continue; |
428 | 435 | ||
429 | /* stack the current position */ | 436 | /* stack the current position */ |
@@ -438,7 +445,7 @@ struct key *keyring_search_aux(struct key *keyring, | |||
438 | 445 | ||
439 | /* the keyring we're looking at was disqualified or didn't contain a | 446 | /* the keyring we're looking at was disqualified or didn't contain a |
440 | * matching key */ | 447 | * matching key */ |
441 | not_this_keyring: | 448 | not_this_keyring: |
442 | if (sp > 0) { | 449 | if (sp > 0) { |
443 | /* resume the processing of a keyring higher up in the tree */ | 450 | /* resume the processing of a keyring higher up in the tree */ |
444 | sp--; | 451 | sp--; |
@@ -447,16 +454,18 @@ struct key *keyring_search_aux(struct key *keyring, | |||
447 | goto ascend; | 454 | goto ascend; |
448 | } | 455 | } |
449 | 456 | ||
450 | key = ERR_PTR(err); | 457 | key_ref = ERR_PTR(err); |
451 | goto error; | 458 | goto error_2; |
452 | 459 | ||
453 | /* we found a viable match */ | 460 | /* we found a viable match */ |
454 | found: | 461 | found: |
455 | atomic_inc(&key->usage); | 462 | atomic_inc(&key->usage); |
456 | key_check(key); | 463 | key_check(key); |
457 | error: | 464 | key_ref = make_key_ref(key, possessed); |
465 | error_2: | ||
458 | rcu_read_unlock(); | 466 | rcu_read_unlock(); |
459 | return key; | 467 | error: |
468 | return key_ref; | ||
460 | 469 | ||
461 | } /* end keyring_search_aux() */ | 470 | } /* end keyring_search_aux() */ |
462 | 471 | ||
@@ -469,9 +478,9 @@ struct key *keyring_search_aux(struct key *keyring, | |||
469 | * - we return -EAGAIN if we didn't find any matching key | 478 | * - we return -EAGAIN if we didn't find any matching key |
470 | * - we return -ENOKEY if we only found negative matching keys | 479 | * - we return -ENOKEY if we only found negative matching keys |
471 | */ | 480 | */ |
472 | struct key *keyring_search(struct key *keyring, | 481 | key_ref_t keyring_search(key_ref_t keyring, |
473 | struct key_type *type, | 482 | struct key_type *type, |
474 | const char *description) | 483 | const char *description) |
475 | { | 484 | { |
476 | if (!type->match) | 485 | if (!type->match) |
477 | return ERR_PTR(-ENOKEY); | 486 | return ERR_PTR(-ENOKEY); |
@@ -488,15 +497,19 @@ EXPORT_SYMBOL(keyring_search); | |||
488 | * search the given keyring only (no recursion) | 497 | * search the given keyring only (no recursion) |
489 | * - keyring must be locked by caller | 498 | * - keyring must be locked by caller |
490 | */ | 499 | */ |
491 | struct key *__keyring_search_one(struct key *keyring, | 500 | key_ref_t __keyring_search_one(key_ref_t keyring_ref, |
492 | const struct key_type *ktype, | 501 | const struct key_type *ktype, |
493 | const char *description, | 502 | const char *description, |
494 | key_perm_t perm) | 503 | key_perm_t perm) |
495 | { | 504 | { |
496 | struct keyring_list *klist; | 505 | struct keyring_list *klist; |
497 | struct key *key; | 506 | unsigned long possessed; |
507 | struct key *keyring, *key; | ||
498 | int loop; | 508 | int loop; |
499 | 509 | ||
510 | keyring = key_ref_to_ptr(keyring_ref); | ||
511 | possessed = is_key_possessed(keyring_ref); | ||
512 | |||
500 | rcu_read_lock(); | 513 | rcu_read_lock(); |
501 | 514 | ||
502 | klist = rcu_dereference(keyring->payload.subscriptions); | 515 | klist = rcu_dereference(keyring->payload.subscriptions); |
@@ -507,21 +520,21 @@ struct key *__keyring_search_one(struct key *keyring, | |||
507 | if (key->type == ktype && | 520 | if (key->type == ktype && |
508 | (!key->type->match || | 521 | (!key->type->match || |
509 | key->type->match(key, description)) && | 522 | key->type->match(key, description)) && |
510 | key_permission(key, perm) && | 523 | key_permission(make_key_ref(key, possessed), |
524 | perm) && | ||
511 | !test_bit(KEY_FLAG_REVOKED, &key->flags) | 525 | !test_bit(KEY_FLAG_REVOKED, &key->flags) |
512 | ) | 526 | ) |
513 | goto found; | 527 | goto found; |
514 | } | 528 | } |
515 | } | 529 | } |
516 | 530 | ||
517 | key = ERR_PTR(-ENOKEY); | 531 | rcu_read_unlock(); |
518 | goto error; | 532 | return ERR_PTR(-ENOKEY); |
519 | 533 | ||
520 | found: | 534 | found: |
521 | atomic_inc(&key->usage); | 535 | atomic_inc(&key->usage); |
522 | error: | ||
523 | rcu_read_unlock(); | 536 | rcu_read_unlock(); |
524 | return key; | 537 | return make_key_ref(key, possessed); |
525 | 538 | ||
526 | } /* end __keyring_search_one() */ | 539 | } /* end __keyring_search_one() */ |
527 | 540 | ||
@@ -603,7 +616,8 @@ struct key *find_keyring_by_name(const char *name, key_serial_t bound) | |||
603 | if (strcmp(keyring->description, name) != 0) | 616 | if (strcmp(keyring->description, name) != 0) |
604 | continue; | 617 | continue; |
605 | 618 | ||
606 | if (!key_permission(keyring, KEY_SEARCH)) | 619 | if (!key_permission(make_key_ref(keyring, 0), |
620 | KEY_SEARCH)) | ||
607 | continue; | 621 | continue; |
608 | 622 | ||
609 | /* found a potential candidate, but we still need to | 623 | /* found a potential candidate, but we still need to |
diff --git a/security/keys/permission.c b/security/keys/permission.c new file mode 100644 index 00000000000..03db073ba45 --- /dev/null +++ b/security/keys/permission.c | |||
@@ -0,0 +1,70 @@ | |||
1 | /* permission.c: key permission determination | ||
2 | * | ||
3 | * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. | ||
4 | * Written by David Howells (dhowells@redhat.com) | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or | ||
7 | * modify it under the terms of the GNU General Public License | ||
8 | * as published by the Free Software Foundation; either version | ||
9 | * 2 of the License, or (at your option) any later version. | ||
10 | */ | ||
11 | |||
12 | #include <linux/module.h> | ||
13 | #include "internal.h" | ||
14 | |||
15 | /*****************************************************************************/ | ||
16 | /* | ||
17 | * check to see whether permission is granted to use a key in the desired way, | ||
18 | * but permit the security modules to override | ||
19 | */ | ||
20 | int key_task_permission(const key_ref_t key_ref, | ||
21 | struct task_struct *context, | ||
22 | key_perm_t perm) | ||
23 | { | ||
24 | struct key *key; | ||
25 | key_perm_t kperm; | ||
26 | int ret; | ||
27 | |||
28 | key = key_ref_to_ptr(key_ref); | ||
29 | |||
30 | /* use the second 8-bits of permissions for keys the caller owns */ | ||
31 | if (key->uid == context->fsuid) { | ||
32 | kperm = key->perm >> 16; | ||
33 | goto use_these_perms; | ||
34 | } | ||
35 | |||
36 | /* use the third 8-bits of permissions for keys the caller has a group | ||
37 | * membership in common with */ | ||
38 | if (key->gid != -1 && key->perm & KEY_GRP_ALL) { | ||
39 | if (key->gid == context->fsgid) { | ||
40 | kperm = key->perm >> 8; | ||
41 | goto use_these_perms; | ||
42 | } | ||
43 | |||
44 | task_lock(context); | ||
45 | ret = groups_search(context->group_info, key->gid); | ||
46 | task_unlock(context); | ||
47 | |||
48 | if (ret) { | ||
49 | kperm = key->perm >> 8; | ||
50 | goto use_these_perms; | ||
51 | } | ||
52 | } | ||
53 | |||
54 | /* otherwise use the least-significant 8-bits */ | ||
55 | kperm = key->perm; | ||
56 | |||
57 | use_these_perms: | ||
58 | /* use the top 8-bits of permissions for keys the caller possesses | ||
59 | * - possessor permissions are additive with other permissions | ||
60 | */ | ||
61 | if (is_key_possessed(key_ref)) | ||
62 | kperm |= key->perm >> 24; | ||
63 | |||
64 | kperm = kperm & perm & KEY_ALL; | ||
65 | |||
66 | return kperm == perm; | ||
67 | |||
68 | } /* end key_task_permission() */ | ||
69 | |||
70 | EXPORT_SYMBOL(key_task_permission); | ||
diff --git a/security/keys/proc.c b/security/keys/proc.c index c55cf1fd082..12b750e51fb 100644 --- a/security/keys/proc.c +++ b/security/keys/proc.c | |||
@@ -167,7 +167,7 @@ static int proc_keys_show(struct seq_file *m, void *v) | |||
167 | #define showflag(KEY, LETTER, FLAG) \ | 167 | #define showflag(KEY, LETTER, FLAG) \ |
168 | (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-') | 168 | (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-') |
169 | 169 | ||
170 | seq_printf(m, "%08x %c%c%c%c%c%c %5d %4s %06x %5d %5d %-9.9s ", | 170 | seq_printf(m, "%08x %c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ", |
171 | key->serial, | 171 | key->serial, |
172 | showflag(key, 'I', KEY_FLAG_INSTANTIATED), | 172 | showflag(key, 'I', KEY_FLAG_INSTANTIATED), |
173 | showflag(key, 'R', KEY_FLAG_REVOKED), | 173 | showflag(key, 'R', KEY_FLAG_REVOKED), |
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index c089f78fb94..d42d2158ce1 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c | |||
@@ -39,7 +39,7 @@ struct key root_user_keyring = { | |||
39 | .type = &key_type_keyring, | 39 | .type = &key_type_keyring, |
40 | .user = &root_key_user, | 40 | .user = &root_key_user, |
41 | .sem = __RWSEM_INITIALIZER(root_user_keyring.sem), | 41 | .sem = __RWSEM_INITIALIZER(root_user_keyring.sem), |
42 | .perm = KEY_USR_ALL, | 42 | .perm = KEY_POS_ALL | KEY_USR_ALL, |
43 | .flags = 1 << KEY_FLAG_INSTANTIATED, | 43 | .flags = 1 << KEY_FLAG_INSTANTIATED, |
44 | .description = "_uid.0", | 44 | .description = "_uid.0", |
45 | #ifdef KEY_DEBUGGING | 45 | #ifdef KEY_DEBUGGING |
@@ -54,7 +54,7 @@ struct key root_session_keyring = { | |||
54 | .type = &key_type_keyring, | 54 | .type = &key_type_keyring, |
55 | .user = &root_key_user, | 55 | .user = &root_key_user, |
56 | .sem = __RWSEM_INITIALIZER(root_session_keyring.sem), | 56 | .sem = __RWSEM_INITIALIZER(root_session_keyring.sem), |
57 | .perm = KEY_USR_ALL, | 57 | .perm = KEY_POS_ALL | KEY_USR_ALL, |
58 | .flags = 1 << KEY_FLAG_INSTANTIATED, | 58 | .flags = 1 << KEY_FLAG_INSTANTIATED, |
59 | .description = "_uid_ses.0", | 59 | .description = "_uid_ses.0", |
60 | #ifdef KEY_DEBUGGING | 60 | #ifdef KEY_DEBUGGING |
@@ -98,7 +98,7 @@ int alloc_uid_keyring(struct user_struct *user) | |||
98 | user->session_keyring = session_keyring; | 98 | user->session_keyring = session_keyring; |
99 | ret = 0; | 99 | ret = 0; |
100 | 100 | ||
101 | error: | 101 | error: |
102 | return ret; | 102 | return ret; |
103 | 103 | ||
104 | } /* end alloc_uid_keyring() */ | 104 | } /* end alloc_uid_keyring() */ |
@@ -156,7 +156,7 @@ int install_thread_keyring(struct task_struct *tsk) | |||
156 | ret = 0; | 156 | ret = 0; |
157 | 157 | ||
158 | key_put(old); | 158 | key_put(old); |
159 | error: | 159 | error: |
160 | return ret; | 160 | return ret; |
161 | 161 | ||
162 | } /* end install_thread_keyring() */ | 162 | } /* end install_thread_keyring() */ |
@@ -193,7 +193,7 @@ int install_process_keyring(struct task_struct *tsk) | |||
193 | } | 193 | } |
194 | 194 | ||
195 | ret = 0; | 195 | ret = 0; |
196 | error: | 196 | error: |
197 | return ret; | 197 | return ret; |
198 | 198 | ||
199 | } /* end install_process_keyring() */ | 199 | } /* end install_process_keyring() */ |
@@ -236,7 +236,7 @@ static int install_session_keyring(struct task_struct *tsk, | |||
236 | /* we're using RCU on the pointer */ | 236 | /* we're using RCU on the pointer */ |
237 | synchronize_rcu(); | 237 | synchronize_rcu(); |
238 | key_put(old); | 238 | key_put(old); |
239 | error: | 239 | error: |
240 | return ret; | 240 | return ret; |
241 | 241 | ||
242 | } /* end install_session_keyring() */ | 242 | } /* end install_session_keyring() */ |
@@ -376,13 +376,13 @@ void key_fsgid_changed(struct task_struct *tsk) | |||
376 | * - we return -EAGAIN if we didn't find any matching key | 376 | * - we return -EAGAIN if we didn't find any matching key |
377 | * - we return -ENOKEY if we found only negative matching keys | 377 | * - we return -ENOKEY if we found only negative matching keys |
378 | */ | 378 | */ |
379 | struct key *search_process_keyrings(struct key_type *type, | 379 | key_ref_t search_process_keyrings(struct key_type *type, |
380 | const void *description, | 380 | const void *description, |
381 | key_match_func_t match, | 381 | key_match_func_t match, |
382 | struct task_struct *context) | 382 | struct task_struct *context) |
383 | { | 383 | { |
384 | struct request_key_auth *rka; | 384 | struct request_key_auth *rka; |
385 | struct key *key, *ret, *err, *instkey; | 385 | key_ref_t key_ref, ret, err, instkey_ref; |
386 | 386 | ||
387 | /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were | 387 | /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were |
388 | * searchable, but we failed to find a key or we found a negative key; | 388 | * searchable, but we failed to find a key or we found a negative key; |
@@ -391,46 +391,48 @@ struct key *search_process_keyrings(struct key_type *type, | |||
391 | * | 391 | * |
392 | * in terms of priority: success > -ENOKEY > -EAGAIN > other error | 392 | * in terms of priority: success > -ENOKEY > -EAGAIN > other error |
393 | */ | 393 | */ |
394 | key = NULL; | 394 | key_ref = NULL; |
395 | ret = NULL; | 395 | ret = NULL; |
396 | err = ERR_PTR(-EAGAIN); | 396 | err = ERR_PTR(-EAGAIN); |
397 | 397 | ||
398 | /* search the thread keyring first */ | 398 | /* search the thread keyring first */ |
399 | if (context->thread_keyring) { | 399 | if (context->thread_keyring) { |
400 | key = keyring_search_aux(context->thread_keyring, | 400 | key_ref = keyring_search_aux( |
401 | context, type, description, match); | 401 | make_key_ref(context->thread_keyring, 1), |
402 | if (!IS_ERR(key)) | 402 | context, type, description, match); |
403 | if (!IS_ERR(key_ref)) | ||
403 | goto found; | 404 | goto found; |
404 | 405 | ||
405 | switch (PTR_ERR(key)) { | 406 | switch (PTR_ERR(key_ref)) { |
406 | case -EAGAIN: /* no key */ | 407 | case -EAGAIN: /* no key */ |
407 | if (ret) | 408 | if (ret) |
408 | break; | 409 | break; |
409 | case -ENOKEY: /* negative key */ | 410 | case -ENOKEY: /* negative key */ |
410 | ret = key; | 411 | ret = key_ref; |
411 | break; | 412 | break; |
412 | default: | 413 | default: |
413 | err = key; | 414 | err = key_ref; |
414 | break; | 415 | break; |
415 | } | 416 | } |
416 | } | 417 | } |
417 | 418 | ||
418 | /* search the process keyring second */ | 419 | /* search the process keyring second */ |
419 | if (context->signal->process_keyring) { | 420 | if (context->signal->process_keyring) { |
420 | key = keyring_search_aux(context->signal->process_keyring, | 421 | key_ref = keyring_search_aux( |
421 | context, type, description, match); | 422 | make_key_ref(context->signal->process_keyring, 1), |
422 | if (!IS_ERR(key)) | 423 | context, type, description, match); |
424 | if (!IS_ERR(key_ref)) | ||
423 | goto found; | 425 | goto found; |
424 | 426 | ||
425 | switch (PTR_ERR(key)) { | 427 | switch (PTR_ERR(key_ref)) { |
426 | case -EAGAIN: /* no key */ | 428 | case -EAGAIN: /* no key */ |
427 | if (ret) | 429 | if (ret) |
428 | break; | 430 | break; |
429 | case -ENOKEY: /* negative key */ | 431 | case -ENOKEY: /* negative key */ |
430 | ret = key; | 432 | ret = key_ref; |
431 | break; | 433 | break; |
432 | default: | 434 | default: |
433 | err = key; | 435 | err = key_ref; |
434 | break; | 436 | break; |
435 | } | 437 | } |
436 | } | 438 | } |
@@ -438,23 +440,25 @@ struct key *search_process_keyrings(struct key_type *type, | |||
438 | /* search the session keyring */ | 440 | /* search the session keyring */ |
439 | if (context->signal->session_keyring) { | 441 | if (context->signal->session_keyring) { |
440 | rcu_read_lock(); | 442 | rcu_read_lock(); |
441 | key = keyring_search_aux( | 443 | key_ref = keyring_search_aux( |
442 | rcu_dereference(context->signal->session_keyring), | 444 | make_key_ref(rcu_dereference( |
445 | context->signal->session_keyring), | ||
446 | 1), | ||
443 | context, type, description, match); | 447 | context, type, description, match); |
444 | rcu_read_unlock(); | 448 | rcu_read_unlock(); |
445 | 449 | ||
446 | if (!IS_ERR(key)) | 450 | if (!IS_ERR(key_ref)) |
447 | goto found; | 451 | goto found; |
448 | 452 | ||
449 | switch (PTR_ERR(key)) { | 453 | switch (PTR_ERR(key_ref)) { |
450 | case -EAGAIN: /* no key */ | 454 | case -EAGAIN: /* no key */ |
451 | if (ret) | 455 | if (ret) |
452 | break; | 456 | break; |
453 | case -ENOKEY: /* negative key */ | 457 | case -ENOKEY: /* negative key */ |
454 | ret = key; | 458 | ret = key_ref; |
455 | break; | 459 | break; |
456 | default: | 460 | default: |
457 | err = key; | 461 | err = key_ref; |
458 | break; | 462 | break; |
459 | } | 463 | } |
460 | 464 | ||
@@ -465,51 +469,54 @@ struct key *search_process_keyrings(struct key_type *type, | |||
465 | goto no_key; | 469 | goto no_key; |
466 | 470 | ||
467 | rcu_read_lock(); | 471 | rcu_read_lock(); |
468 | instkey = __keyring_search_one( | 472 | instkey_ref = __keyring_search_one( |
469 | rcu_dereference(context->signal->session_keyring), | 473 | make_key_ref(rcu_dereference( |
474 | context->signal->session_keyring), | ||
475 | 1), | ||
470 | &key_type_request_key_auth, NULL, 0); | 476 | &key_type_request_key_auth, NULL, 0); |
471 | rcu_read_unlock(); | 477 | rcu_read_unlock(); |
472 | 478 | ||
473 | if (IS_ERR(instkey)) | 479 | if (IS_ERR(instkey_ref)) |
474 | goto no_key; | 480 | goto no_key; |
475 | 481 | ||
476 | rka = instkey->payload.data; | 482 | rka = key_ref_to_ptr(instkey_ref)->payload.data; |
477 | 483 | ||
478 | key = search_process_keyrings(type, description, match, | 484 | key_ref = search_process_keyrings(type, description, match, |
479 | rka->context); | 485 | rka->context); |
480 | key_put(instkey); | 486 | key_ref_put(instkey_ref); |
481 | 487 | ||
482 | if (!IS_ERR(key)) | 488 | if (!IS_ERR(key_ref)) |
483 | goto found; | 489 | goto found; |
484 | 490 | ||
485 | switch (PTR_ERR(key)) { | 491 | switch (PTR_ERR(key_ref)) { |
486 | case -EAGAIN: /* no key */ | 492 | case -EAGAIN: /* no key */ |
487 | if (ret) | 493 | if (ret) |
488 | break; | 494 | break; |
489 | case -ENOKEY: /* negative key */ | 495 | case -ENOKEY: /* negative key */ |
490 | ret = key; | 496 | ret = key_ref; |
491 | break; | 497 | break; |
492 | default: | 498 | default: |
493 | err = key; | 499 | err = key_ref; |
494 | break; | 500 | break; |
495 | } | 501 | } |
496 | } | 502 | } |
497 | /* or search the user-session keyring */ | 503 | /* or search the user-session keyring */ |
498 | else { | 504 | else { |
499 | key = keyring_search_aux(context->user->session_keyring, | 505 | key_ref = keyring_search_aux( |
500 | context, type, description, match); | 506 | make_key_ref(context->user->session_keyring, 1), |
501 | if (!IS_ERR(key)) | 507 | context, type, description, match); |
508 | if (!IS_ERR(key_ref)) | ||
502 | goto found; | 509 | goto found; |
503 | 510 | ||
504 | switch (PTR_ERR(key)) { | 511 | switch (PTR_ERR(key_ref)) { |
505 | case -EAGAIN: /* no key */ | 512 | case -EAGAIN: /* no key */ |
506 | if (ret) | 513 | if (ret) |
507 | break; | 514 | break; |
508 | case -ENOKEY: /* negative key */ | 515 | case -ENOKEY: /* negative key */ |
509 | ret = key; | 516 | ret = key_ref; |
510 | break; | 517 | break; |
511 | default: | 518 | default: |
512 | err = key; | 519 | err = key_ref; |
513 | break; | 520 | break; |
514 | } | 521 | } |
515 | } | 522 | } |
@@ -517,29 +524,40 @@ struct key *search_process_keyrings(struct key_type *type, | |||
517 | 524 | ||
518 | no_key: | 525 | no_key: |
519 | /* no key - decide on the error we're going to go for */ | 526 | /* no key - decide on the error we're going to go for */ |
520 | key = ret ? ret : err; | 527 | key_ref = ret ? ret : err; |
521 | 528 | ||
522 | found: | 529 | found: |
523 | return key; | 530 | return key_ref; |
524 | 531 | ||
525 | } /* end search_process_keyrings() */ | 532 | } /* end search_process_keyrings() */ |
526 | 533 | ||
527 | /*****************************************************************************/ | 534 | /*****************************************************************************/ |
528 | /* | 535 | /* |
536 | * see if the key we're looking at is the target key | ||
537 | */ | ||
538 | static int lookup_user_key_possessed(const struct key *key, const void *target) | ||
539 | { | ||
540 | return key == target; | ||
541 | |||
542 | } /* end lookup_user_key_possessed() */ | ||
543 | |||
544 | /*****************************************************************************/ | ||
545 | /* | ||
529 | * lookup a key given a key ID from userspace with a given permissions mask | 546 | * lookup a key given a key ID from userspace with a given permissions mask |
530 | * - don't create special keyrings unless so requested | 547 | * - don't create special keyrings unless so requested |
531 | * - partially constructed keys aren't found unless requested | 548 | * - partially constructed keys aren't found unless requested |
532 | */ | 549 | */ |
533 | struct key *lookup_user_key(struct task_struct *context, key_serial_t id, | 550 | key_ref_t lookup_user_key(struct task_struct *context, key_serial_t id, |
534 | int create, int partial, key_perm_t perm) | 551 | int create, int partial, key_perm_t perm) |
535 | { | 552 | { |
553 | key_ref_t key_ref, skey_ref; | ||
536 | struct key *key; | 554 | struct key *key; |
537 | int ret; | 555 | int ret; |
538 | 556 | ||
539 | if (!context) | 557 | if (!context) |
540 | context = current; | 558 | context = current; |
541 | 559 | ||
542 | key = ERR_PTR(-ENOKEY); | 560 | key_ref = ERR_PTR(-ENOKEY); |
543 | 561 | ||
544 | switch (id) { | 562 | switch (id) { |
545 | case KEY_SPEC_THREAD_KEYRING: | 563 | case KEY_SPEC_THREAD_KEYRING: |
@@ -556,6 +574,7 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id, | |||
556 | 574 | ||
557 | key = context->thread_keyring; | 575 | key = context->thread_keyring; |
558 | atomic_inc(&key->usage); | 576 | atomic_inc(&key->usage); |
577 | key_ref = make_key_ref(key, 1); | ||
559 | break; | 578 | break; |
560 | 579 | ||
561 | case KEY_SPEC_PROCESS_KEYRING: | 580 | case KEY_SPEC_PROCESS_KEYRING: |
@@ -572,6 +591,7 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id, | |||
572 | 591 | ||
573 | key = context->signal->process_keyring; | 592 | key = context->signal->process_keyring; |
574 | atomic_inc(&key->usage); | 593 | atomic_inc(&key->usage); |
594 | key_ref = make_key_ref(key, 1); | ||
575 | break; | 595 | break; |
576 | 596 | ||
577 | case KEY_SPEC_SESSION_KEYRING: | 597 | case KEY_SPEC_SESSION_KEYRING: |
@@ -579,7 +599,7 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id, | |||
579 | /* always install a session keyring upon access if one | 599 | /* always install a session keyring upon access if one |
580 | * doesn't exist yet */ | 600 | * doesn't exist yet */ |
581 | ret = install_session_keyring( | 601 | ret = install_session_keyring( |
582 | context, context->user->session_keyring); | 602 | context, context->user->session_keyring); |
583 | if (ret < 0) | 603 | if (ret < 0) |
584 | goto error; | 604 | goto error; |
585 | } | 605 | } |
@@ -588,16 +608,19 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id, | |||
588 | key = rcu_dereference(context->signal->session_keyring); | 608 | key = rcu_dereference(context->signal->session_keyring); |
589 | atomic_inc(&key->usage); | 609 | atomic_inc(&key->usage); |
590 | rcu_read_unlock(); | 610 | rcu_read_unlock(); |
611 | key_ref = make_key_ref(key, 1); | ||
591 | break; | 612 | break; |
592 | 613 | ||
593 | case KEY_SPEC_USER_KEYRING: | 614 | case KEY_SPEC_USER_KEYRING: |
594 | key = context->user->uid_keyring; | 615 | key = context->user->uid_keyring; |
595 | atomic_inc(&key->usage); | 616 | atomic_inc(&key->usage); |
617 | key_ref = make_key_ref(key, 1); | ||
596 | break; | 618 | break; |
597 | 619 | ||
598 | case KEY_SPEC_USER_SESSION_KEYRING: | 620 | case KEY_SPEC_USER_SESSION_KEYRING: |
599 | key = context->user->session_keyring; | 621 | key = context->user->session_keyring; |
600 | atomic_inc(&key->usage); | 622 | atomic_inc(&key->usage); |
623 | key_ref = make_key_ref(key, 1); | ||
601 | break; | 624 | break; |
602 | 625 | ||
603 | case KEY_SPEC_GROUP_KEYRING: | 626 | case KEY_SPEC_GROUP_KEYRING: |
@@ -606,13 +629,28 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id, | |||
606 | goto error; | 629 | goto error; |
607 | 630 | ||
608 | default: | 631 | default: |
609 | key = ERR_PTR(-EINVAL); | 632 | key_ref = ERR_PTR(-EINVAL); |
610 | if (id < 1) | 633 | if (id < 1) |
611 | goto error; | 634 | goto error; |
612 | 635 | ||
613 | key = key_lookup(id); | 636 | key = key_lookup(id); |
614 | if (IS_ERR(key)) | 637 | if (IS_ERR(key)) { |
638 | key_ref = ERR_PTR(PTR_ERR(key)); | ||
615 | goto error; | 639 | goto error; |
640 | } | ||
641 | |||
642 | key_ref = make_key_ref(key, 0); | ||
643 | |||
644 | /* check to see if we possess the key */ | ||
645 | skey_ref = search_process_keyrings(key->type, key, | ||
646 | lookup_user_key_possessed, | ||
647 | current); | ||
648 | |||
649 | if (!IS_ERR(skey_ref)) { | ||
650 | key_put(key); | ||
651 | key_ref = skey_ref; | ||
652 | } | ||
653 | |||
616 | break; | 654 | break; |
617 | } | 655 | } |
618 | 656 | ||
@@ -630,15 +668,15 @@ struct key *lookup_user_key(struct task_struct *context, key_serial_t id, | |||
630 | /* check the permissions */ | 668 | /* check the permissions */ |
631 | ret = -EACCES; | 669 | ret = -EACCES; |
632 | 670 | ||
633 | if (!key_task_permission(key, context, perm)) | 671 | if (!key_task_permission(key_ref, context, perm)) |
634 | goto invalid_key; | 672 | goto invalid_key; |
635 | 673 | ||
636 | error: | 674 | error: |
637 | return key; | 675 | return key_ref; |
638 | 676 | ||
639 | invalid_key: | 677 | invalid_key: |
640 | key_put(key); | 678 | key_ref_put(key_ref); |
641 | key = ERR_PTR(ret); | 679 | key_ref = ERR_PTR(ret); |
642 | goto error; | 680 | goto error; |
643 | 681 | ||
644 | } /* end lookup_user_key() */ | 682 | } /* end lookup_user_key() */ |
@@ -694,9 +732,9 @@ long join_session_keyring(const char *name) | |||
694 | ret = keyring->serial; | 732 | ret = keyring->serial; |
695 | key_put(keyring); | 733 | key_put(keyring); |
696 | 734 | ||
697 | error2: | 735 | error2: |
698 | up(&key_session_sem); | 736 | up(&key_session_sem); |
699 | error: | 737 | error: |
700 | return ret; | 738 | return ret; |
701 | 739 | ||
702 | } /* end join_session_keyring() */ | 740 | } /* end join_session_keyring() */ |
diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 90c1506d007..5cc4bba70db 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c | |||
@@ -7,6 +7,8 @@ | |||
7 | * modify it under the terms of the GNU General Public License | 7 | * modify it under the terms of the GNU General Public License |
8 | * as published by the Free Software Foundation; either version | 8 | * as published by the Free Software Foundation; either version |
9 | * 2 of the License, or (at your option) any later version. | 9 | * 2 of the License, or (at your option) any later version. |
10 | * | ||
11 | * See Documentation/keys-request-key.txt | ||
10 | */ | 12 | */ |
11 | 13 | ||
12 | #include <linux/module.h> | 14 | #include <linux/module.h> |
@@ -129,7 +131,7 @@ static struct key *__request_key_construction(struct key_type *type, | |||
129 | 131 | ||
130 | /* create a key and add it to the queue */ | 132 | /* create a key and add it to the queue */ |
131 | key = key_alloc(type, description, | 133 | key = key_alloc(type, description, |
132 | current->fsuid, current->fsgid, KEY_USR_ALL, 0); | 134 | current->fsuid, current->fsgid, KEY_POS_ALL, 0); |
133 | if (IS_ERR(key)) | 135 | if (IS_ERR(key)) |
134 | goto alloc_failed; | 136 | goto alloc_failed; |
135 | 137 | ||
@@ -365,14 +367,24 @@ struct key *request_key_and_link(struct key_type *type, | |||
365 | { | 367 | { |
366 | struct key_user *user; | 368 | struct key_user *user; |
367 | struct key *key; | 369 | struct key *key; |
370 | key_ref_t key_ref; | ||
368 | 371 | ||
369 | kenter("%s,%s,%s,%p", | 372 | kenter("%s,%s,%s,%p", |
370 | type->name, description, callout_info, dest_keyring); | 373 | type->name, description, callout_info, dest_keyring); |
371 | 374 | ||
372 | /* search all the process keyrings for a key */ | 375 | /* search all the process keyrings for a key */ |
373 | key = search_process_keyrings(type, description, type->match, current); | 376 | key_ref = search_process_keyrings(type, description, type->match, |
377 | current); | ||
378 | |||
379 | kdebug("search 1: %p", key_ref); | ||
374 | 380 | ||
375 | if (PTR_ERR(key) == -EAGAIN) { | 381 | if (!IS_ERR(key_ref)) { |
382 | key = key_ref_to_ptr(key_ref); | ||
383 | } | ||
384 | else if (PTR_ERR(key_ref) != -EAGAIN) { | ||
385 | key = ERR_PTR(PTR_ERR(key_ref)); | ||
386 | } | ||
387 | else { | ||
376 | /* the search failed, but the keyrings were searchable, so we | 388 | /* the search failed, but the keyrings were searchable, so we |
377 | * should consult userspace if we can */ | 389 | * should consult userspace if we can */ |
378 | key = ERR_PTR(-ENOKEY); | 390 | key = ERR_PTR(-ENOKEY); |
@@ -384,7 +396,7 @@ struct key *request_key_and_link(struct key_type *type, | |||
384 | if (!user) | 396 | if (!user) |
385 | goto nomem; | 397 | goto nomem; |
386 | 398 | ||
387 | do { | 399 | for (;;) { |
388 | if (signal_pending(current)) | 400 | if (signal_pending(current)) |
389 | goto interrupted; | 401 | goto interrupted; |
390 | 402 | ||
@@ -397,10 +409,22 @@ struct key *request_key_and_link(struct key_type *type, | |||
397 | 409 | ||
398 | /* someone else made the key we want, so we need to | 410 | /* someone else made the key we want, so we need to |
399 | * search again as it might now be available to us */ | 411 | * search again as it might now be available to us */ |
400 | key = search_process_keyrings(type, description, | 412 | key_ref = search_process_keyrings(type, description, |
401 | type->match, current); | 413 | type->match, |
414 | current); | ||
415 | |||
416 | kdebug("search 2: %p", key_ref); | ||
402 | 417 | ||
403 | } while (PTR_ERR(key) == -EAGAIN); | 418 | if (!IS_ERR(key_ref)) { |
419 | key = key_ref_to_ptr(key_ref); | ||
420 | break; | ||
421 | } | ||
422 | |||
423 | if (PTR_ERR(key_ref) != -EAGAIN) { | ||
424 | key = ERR_PTR(PTR_ERR(key_ref)); | ||
425 | break; | ||
426 | } | ||
427 | } | ||
404 | 428 | ||
405 | key_user_put(user); | 429 | key_user_put(user); |
406 | 430 | ||
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c index f2226463222..a8e4069d48c 100644 --- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c | |||
@@ -7,6 +7,8 @@ | |||
7 | * modify it under the terms of the GNU General Public License | 7 | * modify it under the terms of the GNU General Public License |
8 | * as published by the Free Software Foundation; either version | 8 | * as published by the Free Software Foundation; either version |
9 | * 2 of the License, or (at your option) any later version. | 9 | * 2 of the License, or (at your option) any later version. |
10 | * | ||
11 | * See Documentation/keys-request-key.txt | ||
10 | */ | 12 | */ |
11 | 13 | ||
12 | #include <linux/module.h> | 14 | #include <linux/module.h> |
@@ -96,6 +98,7 @@ static void request_key_auth_destroy(struct key *key) | |||
96 | kenter("{%d}", key->serial); | 98 | kenter("{%d}", key->serial); |
97 | 99 | ||
98 | key_put(rka->target_key); | 100 | key_put(rka->target_key); |
101 | kfree(rka); | ||
99 | 102 | ||
100 | } /* end request_key_auth_destroy() */ | 103 | } /* end request_key_auth_destroy() */ |
101 | 104 | ||
@@ -126,7 +129,7 @@ struct key *request_key_auth_new(struct key *target, struct key **_rkakey) | |||
126 | 129 | ||
127 | rkakey = key_alloc(&key_type_request_key_auth, desc, | 130 | rkakey = key_alloc(&key_type_request_key_auth, desc, |
128 | current->fsuid, current->fsgid, | 131 | current->fsuid, current->fsgid, |
129 | KEY_USR_VIEW, 1); | 132 | KEY_POS_VIEW | KEY_USR_VIEW, 1); |
130 | if (IS_ERR(rkakey)) { | 133 | if (IS_ERR(rkakey)) { |
131 | key_put(keyring); | 134 | key_put(keyring); |
132 | kleave("= %ld", PTR_ERR(rkakey)); | 135 | kleave("= %ld", PTR_ERR(rkakey)); |